I have a few questions regarding securing interfaces. I have an 806 DSL router and was advised, for security purposes, to disable ICMP redirects, ICMP directed broadcasts, mask replies, unreachables, and Proxy ARP, among other things.
I was told these involve running the specific commands on every interface. My router has an e0, an e1 and a dialer1. When I run "show int", I also see 2 virtual-access interfaces. The e1 is the one connected physically to the DSL modem and hence outside; e0 is for my inside network. I notice in the running config that there's an access list which permits ICMP echo, echo reply, packet too big, etc., and it is applied to the dialer1 interface, not the e1 which is connected to the modem.
My questions are:
1) If I turn off ICMP directed broadcasts, mask replies, etc., should I run the commands just on the dialer interface, which is the one that has the ACL applied to it and hence, I'm guessing, the one that actually faces the internet, or should I apply them on e0 and e1 as well?
2) If I create an access list to block all ICMP packets except for "packet too big", should I still worry about the redirects, mask replies, etc., or by blocking ICMP packets do I take care of that too? Again, which interface should I apply this ACL to? Should it be the dialer1 interface or e1, which is the one physically connected to the DSL modem?
1) At the least, turn off ICMP directed broadcasts, etc. on all interfaces that face the internet (i.e. e1 and your dialer interface), but you could and probably should also place them on your internal interfaces as well. In the absence of any real need, turn them off on all your interfaces (if for a test you found you needed one, you could turn that feature on temporarily).
2) Use the commands to block redirects/directed broadcasts/etc. as well as the ACL to block all ICMP except for "packet too big". Better safe than sorry. Place the ACL on the dialer interface.
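Added example, not from the original thread: a small Python audit that reads running-config text and reports, per interface, which of the five per-interface hardening commands from the answer are missing, and whether a numbered ACL permits only ICMP packet-too-big and denies the rest. The config excerpt is constructed to resemble the poster's 806 (e0 inside, e1 to the modem, Dialer1 outside); because IOS defaults for these features vary by version and default settings are not printed in the running config, the check only credits an explicit `no ...` line.

```python
import re

# The five per-interface "no ..." commands the answer recommends; an interface
# counts as hardened only when each one appears explicitly in its stanza.
REQUIRED = ("no ip redirects", "no ip directed-broadcast", "no ip mask-reply",
            "no ip unreachables", "no ip proxy-arp")

def parse_interfaces(config):
    """Return {interface name: [its indented config lines]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces

def missing_hardening(config):
    """Map each interface to the REQUIRED commands it lacks ([] means fully hardened)."""
    return {name: [cmd for cmd in REQUIRED if cmd not in lines]
            for name, lines in parse_interfaces(config).items()}

def icmp_acl_ok(config, acl):
    """True if numbered ACL `acl` permits ICMP packet-too-big and denies all other ICMP."""
    pattern = rf"^access-list {re.escape(acl)} (permit|deny) icmp any any ?(\S*)$"
    rules = re.findall(pattern, config, re.M)
    return ("permit", "packet-too-big") in rules and ("deny", "") in rules

# Constructed excerpt shaped like the poster's 806: e0 inside, e1 to the modem, Dialer1 outside.
SAMPLE_CONFIG = """\
interface Ethernet0
 no ip redirects
 no ip proxy-arp
!
interface Ethernet1
!
interface Dialer1
 ip access-group 101 in
 no ip redirects
 no ip directed-broadcast
 no ip mask-reply
 no ip unreachables
 no ip proxy-arp
!
access-list 101 permit icmp any any packet-too-big
access-list 101 deny icmp any any
"""
```

Running `missing_hardening(SAMPLE_CONFIG)` on the sample flags Ethernet0 as missing three commands and Ethernet1 as missing all five, while Dialer1 comes back clean; `icmp_acl_ok(SAMPLE_CONFIG, "101")` returns True.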