Cisco Support Community
ICMP Best Practices for Firewall

Hello,

Is there any Cisco documentation on ICMP best practices for firewalls?

Thanks

2 REPLIES

ICMP Best Practices for Firewall

Hello Joe,

I haven't looked for such a document, but what I can tell you is the following:

ICMP is a protocol that lets us troubleshoot or test whether IP routing is good on our network, or whether a host is live on our network, so I can tell you that from that perspective this is definitely something good (not to mention some of the other good uses we can make of this protocol, such as Path MTU Discovery, etc.).

But you also have to be careful with this protocol, as we all know it's also used to scan or discover hosts on our network, and even to perform DoS attacks (Smurf attack, etc.).

So what's the whole point of this post?

Well, at least in my opinion, I would allow ICMP on my network, but I would definitely permit only the right ICMP code messages, and I would protect my network against any known vulnerability regarding DoS attacks with ICMP. In this case I will still take advantage of the really useful protocol while protecting my environment.

Hope that I could help.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com

Re: ICMP Best Practices for Firewall

As mentioned above, I'd allow only the specific ICMP types/codes needed for troubleshooting: Echo, Echo Reply, Packet-Too-Big, etc. This way all others are blocked. I'd block ICMP fragments as well. You'd also want an IPS to block specific types of attacks.

Compared to IPv4, IPv6 relies on ICMP for much more, and you'll need to be much more careful.

Network Security Architectures is a pretty decent book for questions like this.

I did a quick blog post about this some time ago:
http://ccie-or-null.net/2012/02/13/dont-block-icmp/


-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
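Both replies above describe the same policy without spelling it out: permit only the ICMP types needed for reachability testing and Path MTU Discovery, drop ICMP fragments, and keep the larger set of ICMPv6 messages that IPv6 cannot function without. The following is an added example, not code from either poster, from Cisco, or from the linked blog: a small Python model of that filtering decision, run over constructed IPv4 and IPv6 packets. The allowlists (`ICMPV4_ALLOW`, `ICMPV6_ALLOW`) are my assumptions, chosen from the types the replies name plus the ICMPv6 types RFC 4890 says not to drop; the packet builders, the `filter_ipv4`/`filter_ipv6` functions and the `permit`/`deny`/`pass` verdict strings are all hypothetical. On a real Cisco firewall the same allowlist becomes ACL entries keyed on ICMP type/code keywords; this code only makes the decision logic explicit.

```python
"""Model of a restrictive ICMP firewall policy (added example, not Cisco code).

Policy modelled: permit only listed ICMP type/code pairs, deny any ICMP
fragment, and let non-ICMP traffic "pass" to whatever other rules exist.
Checksums are not validated; a classifier only needs the header fields.
"""
import struct
from typing import Optional, Set, Tuple

# Assumed allowlists: (type, code); a code of None matches every code.
ICMPV4_ALLOW: Set[Tuple[int, Optional[int]]] = {
    (0, None),    # echo reply
    (8, None),    # echo request
    (3, 4),       # destination unreachable / fragmentation needed (PMTUD)
    (11, 0),      # time exceeded in transit (traceroute)
}
ICMPV6_ALLOW: Set[Tuple[int, Optional[int]]] = {
    (1, None),    # destination unreachable
    (2, None),    # packet too big (PMTUD is mandatory in IPv6)
    (3, 0),       # time exceeded in transit
    (4, None),    # parameter problem
    (128, None),  # echo request
    (129, None),  # echo reply
    (133, None),  # router solicitation   } neighbour discovery / SLAAC
    (134, None),  # router advertisement  } (RFC 4890: do not drop on the
    (135, None),  # neighbour solicitation} link; in practice restrict these
    (136, None),  # neighbour advertisement} to link-local sources)
}


def _allowed(allow: Set[Tuple[int, Optional[int]]], t: int, c: int) -> bool:
    return (t, None) in allow or (t, c) in allow


def filter_ipv4(pkt: bytes) -> Tuple[str, str]:
    """Classify a raw IPv4 packet; returns (verdict, reason)."""
    if len(pkt) < 20:
        return "deny", "truncated IPv4 header"
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return "deny", "not IPv4"
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 1:
        return "pass", "not ICMP, handled by other rules"
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = flags_frag & 0x1FFF
    if more_fragments or frag_offset:          # any piece of a fragmented ICMP datagram
        return "deny", "ICMP fragment"
    if len(pkt) < ihl + 4:
        return "deny", "truncated ICMP header"
    t, c = pkt[ihl], pkt[ihl + 1]
    if _allowed(ICMPV4_ALLOW, t, c):
        return "permit", f"ICMPv4 type {t} code {c}"
    return "deny", f"ICMPv4 type {t} code {c} not in allowlist"


def filter_ipv6(pkt: bytes) -> Tuple[str, str]:
    """Classify a raw IPv6 packet; returns (verdict, reason)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "deny", "not a complete IPv6 header"
    next_header = pkt[6]
    if next_header == 44:                      # Fragment extension header
        if len(pkt) < 48:
            return "deny", "truncated fragment header"
        if pkt[40] == 58:                      # fragment carries ICMPv6
            return "deny", "ICMPv6 fragment"
        return "pass", "non-ICMP fragment, handled by other rules"
    if next_header != 58:
        return "pass", "not ICMPv6, handled by other rules"
    if len(pkt) < 44:
        return "deny", "truncated ICMPv6 header"
    t, c = pkt[40], pkt[41]
    if _allowed(ICMPV6_ALLOW, t, c):
        return "permit", f"ICMPv6 type {t} code {c}"
    return "deny", f"ICMPv6 type {t} code {c} not in allowlist"


# Constructed sample packets (documentation addresses, zero checksums).
def build_ipv4_icmp(t: int, c: int, more_fragments: bool = False,
                    frag_offset: int = 0) -> bytes:
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, flags_frag, 64, 1, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + struct.pack("!BBHHH", t, c, 0, 0, 0)


def build_ipv6_icmp(t: int, c: int, fragment: bool = False) -> bytes:
    payload = struct.pack("!BBH", t, c, 0) + b"\x00" * 4
    nh = 58
    if fragment:                               # prepend a Fragment header
        payload = struct.pack("!BBHI", 58, 0, 0, 1) + payload
        nh = 44
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 64,
                      bytes.fromhex("20010db8000000000000000000000001"),
                      bytes.fromhex("20010db8000000000000000000000002"))
    return hdr + payload


if __name__ == "__main__":
    for label, pkt, fn in [
        ("v4 echo request", build_ipv4_icmp(8, 0), filter_ipv4),
        ("v4 frag needed", build_ipv4_icmp(3, 4), filter_ipv4),
        ("v4 timestamp req", build_ipv4_icmp(13, 0), filter_ipv4),
        ("v4 echo fragment", build_ipv4_icmp(8, 0, more_fragments=True), filter_ipv4),
        ("v6 packet too big", build_ipv6_icmp(2, 0), filter_ipv6),
        ("v6 redirect", build_ipv6_icmp(137, 0), filter_ipv6),
        ("v6 echo fragment", build_ipv6_icmp(128, 0, fragment=True), filter_ipv6),
    ]:
        print(f"{label:18s} -> {fn(pkt)}")
```

The IPv4 list deliberately permits only code 4 of type 3 (fragmentation needed), since that is the one unreachable message PMTUD depends on; the IPv6 list is longer because neighbour discovery and Packet Too Big are not optional there, which is the point the second reply makes about being more careful with IPv6.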