Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4791
Views
0
Helpful
9
Replies

Should I block icmp on my edge router or my firewall?

Go to solution
ttrevino1
Level 1
Level 1

‎10-09-2007 07:41 AM - edited ‎03-09-2019 06:59 PM

Originally, we were blocking icmp traffic on our edge router (2811), but recently we changed this to block on the firewall (ASA) instead. I've been told that blocking on the router would cause too much overhead on the router, since it's now having to inspect all traffic, and the firewall was better equipped for this.

What is industry standard? What does Cisco recommend?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
mhellman
Level 7
Level 7
In response to ttrevino1

‎10-09-2007 11:20 AM

Something like this, although I would recommend posting this to the firewall forum for confirmation.

! deny non-initial ICMP Fragments

access-list 101 deny icmp any any fragments

! permit "dest unreachable" messages

access-list 101 permit icmp any any 3

! permit "Time exceeded" message

access-list 101 permit icmp any any 11

! permit "source quench" message

access-list 101 permit icmp any any 4

! permit "parameter problem" message

access-list 101 permit icmp any any 12

! permit "echo reply" messages

access-list 101 permit icmp any any 0

! deny all other icmp

access-list 101 deny icmp any any

You might consider tightening up the destination unreachables too. They would look something like this for each type and code you want to allow:

! permit "dest unreach - port unreach" messages

acccess-list 101 permit icmp any any 3 3

see here:

http://www.iana.org/assignments/icmp-parameters

View solution in original post

0 Helpful
9 Replies 9

Go to solution
mhellman
Level 7
Level 7

‎10-09-2007 07:58 AM

There is no industry standard, however I would say that many companies do perform 'sanity' check ingress filtering at the edge. In any event, if blocking specific ICMP on the edge router really does cause too much overhead (I suspect you mean 'could' and not 'would') then what choice do you have short of getting a bigger router?

If your firewall is just the next hop in the network, blocking on the firewall might be acceptable. Your edge router can be protected against some attacks by simply having a hardened config (preventing ICMP redirects, etc).

0 Helpful

Go to solution
ttrevino1
Level 1
Level 1
In response to mhellman

‎10-09-2007 08:23 AM

I actually need to make a correction. I verified and we are currently allowing icmp to the outside interface of our firewall.

The router we have was just replaced Sunday, and is now the 2811 I mentioned. I haven't noticed any additional slowness either before or after the change, other than ping sweeps in the firewall logs.

So at a minimum, this type of traffic needs to be blocked on the firewall? There are 2 differing opinions here on where to block this traffic, such as router routes traffic, and shouldn't be used to block traffic, that's the firewalls job. Others, as you mentioned, say harden the outside as well, to minimize the amount of "malicious" traffic getting to the firewall. I don't want to overload the router, but do want to do what's best for the company.

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to ttrevino1

‎10-09-2007 08:37 AM

We are required by our security policy (and the DoD) to block certain incoming ICMP at the border router. All firewalls block/drop ICMP packets. When in doubt, we follow NIST standards. Check out http://iase.disa.mil/stigs/stig/index.html for more information.

HTH and please rate.

0 Helpful

Go to solution
mhellman
Level 7
Level 7
In response to ttrevino1

‎10-09-2007 08:44 AM

We're speaking very broadly about traffic, ICMP in particular. ICMP is a required and useful network protocol. Do you mean ICMP echo requests specifically?

My point about ingress filtering is that it is not uncommon to do limited filtering at the edge anyway (drop RFC1918 sources, etc). If you have an ACL already, adding a couple entries for specific ICMP types should not add that much of a burden. If your firewall is the next hope in the path to your internal or DMZ networks, then doing this on the firewall instead of the edge router may also be acceptable. You'd just need to carefully configure and protect the router.

0 Helpful

Go to solution
ttrevino1
Level 1
Level 1
In response to mhellman

‎10-09-2007 08:49 AM

This is the portion of the acl that was related to icmp, aside from a couple of specific IPs being allowed to ping each other. The firewall is the next hop after the edge router, and I do plan on adding icmp blocking on there sometime soon.

access-list 101 deny icmp any any

access-list 101 deny icmp any any timestamp-request

access-list 101 deny icmp any any mask-request

0 Helpful

Go to solution
mhellman
Level 7
Level 7
In response to ttrevino1

‎10-09-2007 09:03 AM

That's an interesting ACL;-)

You shouldn't need lines 2 and 3, since line 1 already denies any ICMP. But perhaps something was lost in the translation. You might consider allowing the following and then having a "deny icmp any any":

destination unreach (host,network,port,MTU) = type 3

time exceeded = type 11

source quench = type 4

parameter problem = type 12

echo replies (maybe) = type 0

0 Helpful

Go to solution
ttrevino1
Level 1
Level 1
In response to mhellman

‎10-09-2007 10:18 AM

Thanks for the advice, I did figure the top line covered the other 2, but am still getting used to acls. :)

How would you put your suggestion into an acl? In other words, what would the commands be for this? Thanks again, T

0 Helpful

Go to solution
mhellman
Level 7
Level 7
In response to ttrevino1

‎10-09-2007 11:20 AM

Something like this, although I would recommend posting this to the firewall forum for confirmation.

! deny non-initial ICMP Fragments

access-list 101 deny icmp any any fragments

! permit "dest unreachable" messages

access-list 101 permit icmp any any 3

! permit "Time exceeded" message

access-list 101 permit icmp any any 11

! permit "source quench" message

access-list 101 permit icmp any any 4

! permit "parameter problem" message

access-list 101 permit icmp any any 12

! permit "echo reply" messages

access-list 101 permit icmp any any 0

! deny all other icmp

access-list 101 deny icmp any any

You might consider tightening up the destination unreachables too. They would look something like this for each type and code you want to allow:

! permit "dest unreach - port unreach" messages

acccess-list 101 permit icmp any any 3 3

see here:

http://www.iana.org/assignments/icmp-parameters

0 Helpful

Go to solution
ttrevino1
Level 1
Level 1
In response to mhellman

‎10-09-2007 11:23 AM

Thanks for the help, that really does make it more clear. I appreciate the help!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents