08-17-2005 12:57 PM
Our security geeks want to know if I can turn off ICMP to our outside interface. They don't want any outsiders to hit us with a ping sweep or ping attack.
BTW, I am an "infrastructure" geek ;-)
Thanks!
08-17-2005 03:17 PM
In order to protect the concentrator from DoS attacks, the concentrator should be deployed behind a firewall with NAT as well as an ACL permitting the required protocol and port, e.g. UDP 500.
The firewall should be capable of securing the concentrator from DoS attacks etc. It's probably too late to stop the attack once the attack hits the concentrator.
08-17-2005 11:43 PM
Hi Lewis,
Under Configuration > interfaces > public interface there is a filter assigned to this interface. You can configure this filter for your needs.
Under configuration -> policy management -> traffic management -> filters you can assign rules for your filter for the public interface. Here you can remove the ICMP rule from the current rules in the filter to disallow ICMP.
Hope that helps and brgds
Thomas.
08-18-2005 01:40 AM
Hi,
As IPSec does PMTUD for all the packets, it is important that ICMP "unreachable" (Type: 3) messages are able to reach the concentrator.
Would suggest allowing this as well as ICMP "time exceeded" message (Type: 11) rather than blocking full ICMP.
Regards,
Shijo George
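Added example (not part of the thread, and not the concentrator's own filter logic): a Python model of the policy suggested in the reply above, permitting ICMP type 3 and type 11 and dropping everything else, which also shows the next-hop MTU that PMTUD reads from a type 3, code 4 message. The function names and the sample messages are constructed for illustration.

```python
import struct

# Policy from the reply above: permit ICMP unreachable (3) and time exceeded (11),
# drop every other inbound ICMP type (including echo request, type 8).
PERMITTED_TYPES = {3: "destination unreachable", 11: "time exceeded"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def filter_icmp(message: bytes) -> dict:
    """Return the filter decision for one inbound ICMP message."""
    if len(message) < 8:
        return {"action": "drop", "reason": "truncated"}
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", message[:8])
    # A valid message checksums to zero when its checksum field is included.
    if inet_checksum(message) != 0:
        return {"action": "drop", "reason": "bad checksum"}
    if icmp_type not in PERMITTED_TYPES:
        return {"action": "drop", "reason": f"type {icmp_type} not permitted"}
    result = {"action": "permit", "reason": PERMITTED_TYPES[icmp_type]}
    if icmp_type == 3 and code == 4:
        # Fragmentation needed: the low 16 bits carry the next-hop MTU (RFC 1191).
        result["next_hop_mtu"] = rest & 0xFFFF
    return result


if __name__ == "__main__":
    print(filter_icmp(build_icmp(8, 0, 0x00010001, b"ping")))  # echo request
    print(filter_icmp(build_icmp(3, 4, 1400)))                 # frag needed
    print(filter_icmp(build_icmp(11, 0, 0)))                   # time exceeded
```
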
08-18-2005 05:00 AM
Thanks to for all the help!