09-24-2007 05:21 AM - edited 03-11-2019 04:15 AM
Hello:
I just wanted to ask an opinion: would denying ICMP from hosts inside the network to the Internet be considered a best practice? If so, could someone tell me why?
Thanks
Amin
09-24-2007 06:56 AM
Amin
I do not believe that a blanket deny of all ICMP is ever a best practice. If there are some ICMP messages that you believe are security weaknesses, then block those specific messages. But there are many ICMP messages that carry useful (sometimes almost necessary) information that you would give up if you did a "deny icmp any any". For example, blocking the ICMP "Fragmentation required but DF set" message is what frequently breaks Path MTU Discovery.
HTH
Rick
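Rick's point in practice, as an added illustration that is not part of any post in this thread: a pair of IOS extended ACLs that permit only the handful of ICMP messages hosts actually depend on (echo, the PMTUD "packet-too-big" message, time-exceeded for traceroute, unreachables) and deny the rest with logging. The ACL names, the interface names and the 192.0.2.0/24 inside range are assumptions made for the example.

```cisco
! Added example, not from the thread's posters. ACL names, interface names
! and addresses are assumptions; 192.0.2.0/24 (RFC 5737 documentation
! range) stands in for the inside LAN.
!
! Direction 1: what inside hosts may originate toward the Internet.
ip access-list extended ICMP-FROM-INSIDE
 remark Let users ping and traceroute out
 permit icmp 192.0.2.0 0.0.0.255 any echo
 remark Inside devices must be able to tell a remote sender "too big, DF set"
 remark (type 3 code 4). Dropping this breaks PMTUD for traffic coming in.
 permit icmp 192.0.2.0 0.0.0.255 any packet-too-big
 remark All other outbound ICMP is dropped and logged, so you can see what broke
 deny   icmp 192.0.2.0 0.0.0.255 any log
 permit ip   192.0.2.0 0.0.0.255 any
!
! Direction 2: the ICMP the inside hosts need back. A plain ACL is
! stateless, so the return messages have to be permitted explicitly.
ip access-list extended ICMP-FROM-INTERNET
 remark Replies to the users' pings
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 remark packet-too-big is type 3 code 4; listed before the broader "unreachable"
 remark so its hit counter shows PMTUD activity on its own line
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 remark Needed for traceroute hops to appear
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 remark Host/port unreachable lets failed connections fail fast instead of timing out
 permit icmp any 192.0.2.0 0.0.0.255 unreachable
 remark Inbound echo requests (the Internet pinging the LAN) are not needed
 deny   icmp any 192.0.2.0 0.0.0.255 log
 remark The non-ICMP part of the inbound policy (TCP/UDP return traffic) is
 remark omitted here; without it, the implicit deny at the end drops it.
!
interface GigabitEthernet0/0
 description Inside LAN (assumed interface)
 ip access-group ICMP-FROM-INSIDE in
!
interface GigabitEthernet0/1
 description Internet uplink (assumed interface)
 ip access-group ICMP-FROM-INTERNET in
```

After applying it, `show ip access-lists ICMP-FROM-INSIDE` shows per-entry hit counters, and the logged denies tell you which ICMP types the blanket-deny would have silently eaten. On a stateful firewall the Direction 2 permits for echo-reply are handled by inspection, but it still has to pass the ICMP error messages (types 3 and 11) that belong to existing flows, which is exactly the PMTUD case Rick describes.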
09-24-2007 07:22 AM
I would think this would not be a best practice. How would you troubleshoot connectivity issues? For example, you can't connect to www.cisco.com. Is Cisco's site down, is your LAN down, is your WAN down, is your ISP down, is your DNS server down? How would you answer these questions if you deny ICMP? If you are thinking of just blocking ICMP for Joe User, I don't think that you would gain anything. You can put QoS on routers to throttle ICMP traffic; maybe that is the route :) to go. Or you need to be looking at bandwidth issues from Skype, BitTorrent, and other application-layer filtering.