Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5464
Views
0
Helpful
2
Replies

ICMP Best Practices for Firewall

captainbluff
Level 1
Level 1

‎07-15-2013 07:00 PM - last edited on ‎03-25-2019 05:51 PM by Community Manager

Hello,

Is there a such Cisco documentation for ICMP best practices for firewall?

Thanks

Labels:
0 Helpful
2 Replies 2

Julio Carvajal
VIP Alumni
VIP Alumni

‎07-15-2013 08:32 PM

Hello Joe,

I havent look for such a document but what I can tell you is the following?

ICMP is a protocol that let us troubleshoot or test whether IP routing is good on our network or if a host is live on our network so I can tell you that from that perspective this is definetly something good (Not to mention some of the other good usage that we can provide to this protocol such for PATH MTU Discovery, etc).

But you also have to be careful with this protocol as we all know it's also used to scan or discover hosts on our network.. Even to perform DoS attacks (Smurf attack, etc).

So what's the whole point of this post:

Well at least on my opinion I would allow ICMP on my network but I would definetly permit only the right ICMP code messages and I would protect my network against any known vulnerability regarding DoS attacks with ICMP, In this case I will still take advantage of the really useful protocol while protecting my enviroment,

Hope that I could help

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

SOcchiogrosso
Level 4
Level 4

‎07-16-2013 04:17 AM

As mentioned above, I'd allow only the specific ICMP types/code for troubleshooting. Echo, Echo Reply, Packet-Too-Big, etc. This way all others are blocked. I'd block ICMP fragments as well. You'd also want an IPS to block specific types of attacks.

For IPv4, IPv6 relies on ICMP for much more and you'll need to be much more careful.

Network Security Architectures is a pretty decent book for questions like this,

I did a quick blog post about this some time ago
http://ccie-or-null.net/2012/02/13/dont-block-icmp/

Sent from Cisco Technical Support iPad App

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card