07-18-2007 07:11 AM - edited 03-03-2019 05:55 PM
We have a few Cisco 837s working as L2Ls. I have scanned them for vulnerabilities, and received this message, and need help to remove it:
ICMP Timestamp Request:
THREAT:
ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. Its principal purpose is to provide a protocol layer able to inform gateways of the inter-connectivity and accessibility of other gateways or hosts. "ping" is a well-known program for determining if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets are used to synchronize clocks between hosts.
IMPACT:
Unauthorized users can obtain information about your network by sending ICMP timestamp packets. For example, the internal systems clock should not be disclosed since some internal daemons use this value to calculate ID or sequence numbers (i.e., on SunOS servers).
SOLUTION:
You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at the firewall level. Some system administrators choose to filter most types of ICMP messages for various reasons. For example, they may want to protect their internal hosts from ICMP-based Denial Of Service attacks, such as the Ping of Death or Smurf attacks.
However, you should never filter ALL ICMP messages, as some of them ("Don't Fragment", "Destination Unreachable", "Source Quench", etc) are necessary for proper behavior of Operating System TCP/IP stacks.
It may be wiser to contact your network consultants for advice, since this issue impacts your overall network reliability and security.
07-18-2007 10:48 AM
Andy
I am not aware of any way to disable the ICMP timestamp messages in the router - and the material that you quote does not advocate that the messages be disabled. It does suggest that they could be filtered (it would make the most sense to filter them at the edges of the network).
The logic to filter them is easy to do in an extended access list:
access-list 101 deny icmp any any timestamp-request
access-list 101 deny icmp any any timestamp-reply
You could include these lines in any access list that is examining traffic entering your network.
If you are interested in information about the various types of ICMP messages this link has a very nice chart of them:
http://www.iana.org/assignments/icmp-parameters
HTH
Rick
07-19-2007 01:59 AM
I already have this line below, will it be a problem?
access-list 101 permit ip 172.20.3.0 0.0.0.255 any
07-19-2007 09:53 AM
Andy
Some information about how that access list is used, in particular whether this one line is the entire ACL, and on which interface and in what direction it is applied, would help me give you a better answer.
If this is the entire ACL then I would assume that it was probably applied inbound on the interface where the 172.20.3.0 subnet is connected and is used as an anti-spoofing mechanism. If that is the case I doubt that ICMP timestamps would be an issue. But if you do want to filter the ICMP timestamps then the lines that I suggested need to come before the line that you gave in the ACL.
If my assumption is not correct then please clarify.
HTH
Rick
07-22-2007 11:26 PM
It's mainly on the outside interface. What info can I give you, please? I really want to fix this.
07-23-2007 05:29 AM
Andy
I asked several questions that you did not answer, including:
- is the one line you posted the entire access list or are there other lines?
- is the access list applied inbound or outbound?
It would also help to know a bit about the topology of the network. In particular where (and what) is network 172.20.3.0?
HTH
Rick
07-23-2007 06:05 AM
Inbound, I scanned the Internet facing IP, here is the config:
username x password 7 hA0j23
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.19.3.1 172.19.3.10
!
ip dhcp pool client
network 172.19.3.0 255.255.255.0
default-router 172.19.3.1
lease 0 2
!
!
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key 0 x address x.x.x.173
!
!
crypto ipsec transform-set set esp-3des esp-md5-hmac
!
crypto map vo_t_set 10 ipsec-isakmp
set peer x.x.x.173
set transform-set set
match address 101
!
!
!
!
interface Ethernet0
ip address 172.19.3.1 255.255.255.0
ip inspect outbound in
hold-queue 100 out
!
interface ATM0
no ip address
no ip unreachables
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group inbound in
no ip unreachables
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname x@x.x.com
ppp chap password 7 7404123282179
crypto map set
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip access-list extended inbound
permit udp any any eq isakmp
permit esp any any
permit icmp any any
permit udp any any eq ntp
permit tcp x.x.x.64 0.0.0.31 any eq telnet
permit tcp x.x.x.64 0.0.0.31 any eq 22
permit tcp x.x.x.64 0.0.0.31 any eq ftp-data
permit tcp x.x.x.64 0.0.0.31 any eq ftp
permit tcp x.x.x.64 0.0.0.31 any eq www
permit tcp x.x.x.64 0.0.0.31 any eq 443
permit ip 192.168.90.0 0.0.0.255 172.19.3.0 0.0.0.255
logging trap warnings
logging facility local4
logging source-interface Ethernet0
access-list 50 permit x.x.x.66
access-list 101 permit ip 172.19.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 50 in
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
sntp server 158.43.128.33
!
end
07-23-2007 06:27 AM
Andy
Thanks for posting the config. It helps to see what the router is doing. To answer your specific question about access list 101, I note that access list 101 is used in the crypto map. Its function in the crypto map is to identify traffic to be protected by IPSec. To that extent there is no relationship between access list 101 and the issue of ICMP timestamp request and response. If you want to address that issue you would need to put 2 statements into access-list extended inbound to deny those ICMP messages.
I also note that Cisco recommends that access lists used in crypto maps generally not use "any" as one of the address specifications. Your access list 101 does this. You might want to think about re-writing that part of the config.
HTH
Rick
07-23-2007 06:29 AM
Thanks Rick, can you give me an example of the 2 statements I need to add? Sorry, it's all a bit new to me. I have a couple of routers to apply this to before I send them out.
Thanks
07-23-2007 11:19 AM
Andy
Under ip access-list extended inbound you should add:
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
You should be sure that these lines are inserted before the statement for permit icmp any any, otherwise they will not work.
HTH
Rick
07-23-2007 11:17 PM
Thanks. Before I do this: I need to be able to ping the inside IP of the router to tell if the router is up (monitoring software). Will this affect that?
07-24-2007 06:27 AM
Andy
The changes that I suggested only affect the timestamp request and timestamp response. They should have no impact on ability to ping the inside interface.
HTH
Rick
07-24-2007 11:17 AM
Great I will try this and let you know and rate.
Many thanks
07-25-2007 06:10 AM
Hi,
I added:
deny icmp any any timestamp-request
deny icmp any any timestamp-reply
But they appear after the permit icmp any any, how can I change this?
07-25-2007 12:53 PM
Andy
New statements in an access list are added at the bottom of the access list (unless you are using the feature which numbers lines in the access list). So what you would need to do is to delete the access list and then recreate the access list with the new statements in the right position. Or you could leave the existing access list, create a new access list with the new statements in the right order and then assign the new access list on the interface.
HTH
Rick
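The first-match rule Rick describes, as an added example that is not part of the thread and not Cisco code: a small Python model of IOS extended-ACL evaluation. It parses the subset of ACE syntax used in Andy's "inbound" list, evaluates packets top to bottom with the implicit deny at the end, and shows three orderings: the list as posted, the two deny lines appended at the bottom (what Andy got), and the two deny lines placed first (what Rick asked for). It also checks that an echo request (ping) and ISAKMP still pass through the corrected list. The addresses are constructed documentation-range stand-ins for the anonymised x.x.x.64/27 block and the router's negotiated Dialer1 address; source-port "eq" matches and other IOS options are deliberately not modelled.

```python
"""Model of IOS extended-ACL first-match evaluation (added example, not IOS itself)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Keyword tables limited to what the thread's ACL uses, plus echo/echo-reply.
PORT_NAMES = {"isakmp": 500, "ntp": 123, "telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "timestamp-request": 13, "timestamp-reply": 14}


@dataclass(frozen=True)
class Packet:
    proto: str                       # "icmp", "tcp", "udp" or "esp"
    src: str
    dst: str
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type: 13 = timestamp request, 14 = timestamp reply


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Tuple[int, int]             # (address, wildcard) as integers
    dst: Tuple[int, int]
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def _parse_addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_ace(line):
    """Parse one access-control entry. 'eq' is honoured only after the destination,
    as in the thread's ACL; an ICMP type keyword or number may follow the destination."""
    tokens = line.split()
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, dst = _parse_addr(tokens), _parse_addr(tokens)
    dport = icmp_type = None
    if tokens and tokens[0] == "eq":
        v = tokens[1]
        dport = PORT_NAMES[v] if v in PORT_NAMES else int(v)
    elif tokens and proto == "icmp":
        v = tokens[0]
        icmp_type = ICMP_TYPES[v] if v in ICMP_TYPES else int(v)
    return Rule(action, proto, src, dst, dport, icmp_type)


def parse_acl(text):
    """Parse the body of an 'ip access-list extended' block, preserving order."""
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def _addr_match(spec, addr):
    net, wc = spec                   # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) | wc) == (net | wc)


def evaluate(acl, pkt):
    """First matching entry wins: returns (action, 1-based entry number).
    A packet matching nothing hits the implicit deny at the end of every IOS ACL."""
    for n, r in enumerate(acl, start=1):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.icmp_type is not None and r.icmp_type != pkt.icmp_type:
            continue
        return r.action, n
    return "deny", None


# Andy's "inbound" list (abridged); 198.51.100.64/27 is a constructed stand-in for x.x.x.64 0.0.0.31.
ORIGINAL_TEXT = """
permit udp any any eq isakmp
permit esp any any
permit icmp any any
permit udp any any eq ntp
permit tcp 198.51.100.64 0.0.0.31 any eq telnet
permit tcp 198.51.100.64 0.0.0.31 any eq 22
permit ip 192.168.90.0 0.0.0.255 172.19.3.0 0.0.0.255
"""
DENY_TIMESTAMP = "deny icmp any any timestamp-request\ndeny icmp any any timestamp-reply\n"
ORIGINAL = parse_acl(ORIGINAL_TEXT)                    # as posted
APPENDED = parse_acl(ORIGINAL_TEXT + DENY_TIMESTAMP)   # denies typed in after the fact: land at the bottom
FIXED = parse_acl(DENY_TIMESTAMP + ORIGINAL_TEXT)      # list recreated with the denies first

ROUTER = "203.0.113.10"    # constructed stand-in for the negotiated Dialer1 address
SCANNER = "192.0.2.50"     # constructed Internet host running the vulnerability scan
TIMESTAMP_REQ = Packet("icmp", SCANNER, ROUTER, icmp_type=13)
ECHO_REQ = Packet("icmp", SCANNER, ROUTER, icmp_type=8)
ISAKMP = Packet("udp", "203.0.113.173", ROUTER, dport=500)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("appended", APPENDED), ("fixed", FIXED)):
        print(name, "timestamp:", evaluate(acl, TIMESTAMP_REQ), "echo:", evaluate(acl, ECHO_REQ))
```

In the "appended" list the timestamp request still matches entry 3 (permit icmp any any) and the denies are never reached, which is exactly what Andy saw; in the "fixed" list it is stopped by entry 1 while echo, ISAKMP and the 198.51.100.64/27 management hosts still match their permit entries. On real IOS the same reordering can be done without deleting the list by giving the new entries lower sequence numbers in the named ACL, the feature Rick alludes to.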