Remove ICMP Timestamp Request on Cisco 837

whiteford
Level 1

We have a few Cisco 837s working as L2L's. I have scanned them for vulnerabilities, and received this message, and need help to remove it:

ICMP Timestamp Request:

THREAT:

ICMP (Internet Control and Error Message Protocol) is a protocol encapsulated in IP packets. Its principal purpose is to provide a protocol layer able to inform gateways of the inter-connectivity and accessibility of other gateways or hosts. "ping" is a well-known program for determining if a host is up or down. It uses ICMP echo packets. ICMP timestamp packets are used to synchronize clocks between hosts.

IMPACT:

Unauthorized users can obtain information about your network by sending ICMP timestamp packets. For example, the internal systems clock should not be disclosed since some internal daemons use this value to calculate ID or sequence numbers (i.e., on SunOS servers).

SOLUTION:

You can filter ICMP messages of type "Timestamp" and "Timestamp Reply" at the firewall level. Some system administrators choose to filter most types of ICMP messages for various reasons. For example, they may want to protect their internal hosts from ICMP-based Denial Of Service attacks, such as the Ping of Death or Smurf attacks.

However, you should never filter ALL ICMP messages, as some of them ("Don't Fragment", "Destination Unreachable", "Source Quench", etc) are necessary for proper behavior of Operating System TCP/IP stacks.

It may be wiser to contact your network consultants for advice, since this issue impacts your overall network reliability and security.

35 Replies

Richard Burts
Hall of Fame

Andy

I am not aware of any way to disable the ICMP timestamp messages in the router - and the material that you quote does not advocate that the messages be disabled. It does suggest that they could be filtered (it would make the most sense to filter them at the edges of the network).

The logic to filter them is easy to do in an extended access list:

access-list 101 deny icmp any any timestamp-request
access-list 101 deny icmp any any timestamp-reply

You could include these lines in any access list that is examining traffic entering your network.

If you are interested in information about the various types of ICMP messages this link has a very nice chart of them:

http://www.iana.org/assignments/icmp-parameters

HTH

Rick

I already have this line below, will it be a problem?

access-list 101 permit ip 172.20.3.0 0.0.0.255 any

Andy

Some information about how that access list is used, in particular is this one line the entire ACL, on which interface and in what direction is it applied, would help me give you a better answer.

If this is the entire ACL then I would assume that it was probably applied inbound on the interface where the 172.20.3.0 subnet is connected and is used as an anti-spoofing mechanism. If that is the case I doubt that ICMP timestamps would be an issue. But if you do want to filter the ICMP timestamps then the lines that I suggested need to come before the line that you gave in the ACL.

If my assumption is not correct then please clarify.

HTH

Rick

It's mainly on the outside interface. What info can I give you, please? I really want to fix this.

Andy

I asked several questions that you did not answer, including:

- is the one line you posted the entire access list or are there other lines?

- is the access list applied inbound or outbound?

It would also help to know a bit about the topology of the network. In particular where (and what) is network 172.20.3.0?

HTH

Rick

Inbound. I scanned the Internet-facing IP; here is the config:

username x password 7 hA0j23
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.19.3.1 172.19.3.10
!
ip dhcp pool client
   network 172.19.3.0 255.255.255.0
   default-router 172.19.3.1
   lease 0 2
!
!
ip inspect name outbound tcp
ip inspect name outbound udp
ip inspect name outbound ftp
ip inspect name outbound http
ip inspect name outbound icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 x address x.x.x.173
!
!
crypto ipsec transform-set set esp-3des esp-md5-hmac
!
crypto map vo_t_set 10 ipsec-isakmp
 set peer x.x.x.173
 set transform-set set
 match address 101
!
!
!
!
interface Ethernet0
 ip address 172.19.3.1 255.255.255.0
 ip inspect outbound in
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip unreachables
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip access-group inbound in
 no ip unreachables
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x@x.x.com
 ppp chap password 7 7404123282179
 crypto map set
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip access-list extended inbound
 permit udp any any eq isakmp
 permit esp any any
 permit icmp any any
 permit udp any any eq ntp
 permit tcp x.x.x.64 0.0.0.31 any eq telnet
 permit tcp x.x.x.64 0.0.0.31 any eq 22
 permit tcp x.x.x.64 0.0.0.31 any eq ftp-data
 permit tcp x.x.x.64 0.0.0.31 any eq ftp
 permit tcp x.x.x.64 0.0.0.31 any eq www
 permit tcp x.x.x.64 0.0.0.31 any eq 443
 permit ip 192.168.90.0 0.0.0.255 172.19.3.0 0.0.0.255
logging trap warnings
logging facility local4
logging source-interface Ethernet0
access-list 50 permit x.x.x.66
access-list 101 permit ip 172.19.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 50 in
 exec-timeout 0 0
 login local
 length 0
!
scheduler max-task-time 5000
sntp server 158.43.128.33
!
end

Andy

Thanks for posting the config. It helps to see what the router is doing. To answer your specific question about access list 101, I note that access list 101 is used in the crypto map. Its function in the crypto map is to identify traffic to be protected by IPSec. To that extent there is no relationship between access list 101 and the issue of ICMP timestamp request and response. If you want to address that issue you would need to put 2 statements into access-list extended inbound to deny those ICMP messages.

I also note that Cisco recommends that access lists used in crypto maps generally not use "any" as one of the address specifications. Your access list 101 does this. You might want to think about re-writing that part of the config.

HTH

Rick

Thanks Rick, can you give me an example of the 2 statements I need to add? Sorry, it's all a bit new to me. I have a couple of routers to apply this to before I send them out.

Thanks

Andy

Under ip access-list extended inbound you should add:

deny icmp any any timestamp-request
deny icmp any any timestamp-reply

You should be sure that these lines are inserted before the statement permit icmp any any, otherwise they will not work.

HTH

Rick

Thanks. Before I do this, I need to be able to ping the inside IP of the router to tell if the router is up (monitoring software). Will this affect that?

Andy

The changes that I suggested only affect the timestamp request and timestamp response. They should have no impact on ability to ping the inside interface.

HTH

Rick

Great, I will try this and let you know, and rate.

Many thanks

Hi,

I added:

deny icmp any any timestamp-request
deny icmp any any timestamp-reply

But they appear after the permit icmp any any, how can I change this?

Andy

New statements in an access list are added at the bottom of the access list (unless you are using the feature which numbers lines in the access list). So what you would need to do is to delete the access list and then recreate the access list with the new statements in the right position. Or you could leave the existing access list, create a new access list with the new statements in the right order and then assign the new access list on the interface.

HTH

Rick
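As an added example (not part of the thread), this is the sequence-number method Rick mentions, applied to the inbound ACL from Andy's config so the two denies land ahead of permit icmp any any without deleting the list. It assumes the 837's IOS supports IP access list entry sequence numbering for named ACLs; if it does not, delete and recreate the ACL as Rick describes.

```cisco
! Added example, not from the thread. Assumes the IOS release supports
! sequence numbers on named (extended) access lists.
! 1. Check the current order: "permit icmp any any" is the third entry.
show ip access-lists inbound
configure terminal
! 2. Renumber the existing entries 10, 20, 30 ... so there is room in front.
ip access-list resequence inbound 10 10
! 3. Insert the two denies at 5 and 6, i.e. before every permit.
ip access-list extended inbound
 5 deny icmp any any timestamp-request
 6 deny icmp any any timestamp-reply
 exit
end
! 4. Confirm the order, then re-run the scan against the Dialer1 address.
!    Echo and echo-reply still match "permit icmp any any", so monitoring
!    pings to the router are unaffected.
show ip access-lists inbound
! 5. Save the change.
copy running-config startup-config
```

Repeat the same steps on each of the other 837s before shipping them; the ACL name and entry order in the config above are the only things that matter, not the sequence values themselves.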