Programs use some of these messages; others are used for network management and so are automatically generated by the router.
ICMP echo packets can be used to discover subnets and hosts on the protected network and can also be used to generate DoS floods. ICMP redirect messages can be used to alter host routing tables. The router should therefore block both ICMP echo and redirect messages that are inbound.
Refer to Figure 5-12 for the network topology upon which the following configurations are based.
Edge(config-if)#ip access-group 105 in
    Takes all access list lines that are defined as being part of group 105 and applies them in an inbound manner.
Edge(config-if)#exit
    Returns to global configuration mode.
Edge(config)#interface fastethernet 0/1
    Moves to interface configuration mode.
Edge(config-if)#ip access-group 106 in
    Takes all access list lines that are defined as being part of group 106 and applies them in an inbound manner.
Edge(config-if)#exit
    Returns to global configuration mode.
Edge(config)#
Edge(config)#access-list 107 deny icmp any any echo log
    Blocks echo packets from anywhere going to anywhere, and logs any instance in which this statement was used.
Edge(config)#access-list 107 deny icmp any any redirect log
    Blocks redirect packets from anywhere going to anywhere, and logs any instance in which this statement was used.
Using ACLs to Filter Network Traffic to Mitigate Threats 111
Filtering ICMP Messages: Outbound
The following ICMP messages are required for proper network operation and should be allowed outbound:
• Echo: Allows users to ping external hosts
• Parameter problem: Informs host of packet header problems
• Packet too big: Required for packet maximum transmission unit (MTU) discovery
• Source quench: Throttles down traffic when necessary
As a general rule, you should block all other ICMP message types that are outbound.
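The outbound rule above, written out as an extended ACL. This is an added example and not the book's own configuration: the ACL number 108, and the choice of fastethernet 0/0 as the interface facing the untrusted network, are assumptions to be adjusted to the Figure 5-12 topology. Note the ordering: the four required ICMP types are permitted first, every other ICMP type is then denied and logged, and a final permit for all other IP traffic keeps the implicit deny at the end of the list from blocking non-ICMP traffic.

```cisco
! Added example, not from the original page. ACL 108 and the interface/direction are assumptions.
! Outbound ICMP types the protected network needs for normal operation.
Edge(config)#access-list 108 permit icmp any any echo
Edge(config)#access-list 108 permit icmp any any parameter-problem
Edge(config)#access-list 108 permit icmp any any packet-too-big
Edge(config)#access-list 108 permit icmp any any source-quench
! Every other ICMP type leaving the network is dropped and logged.
Edge(config)#access-list 108 deny icmp any any log
! Without this line the implicit deny at the end of the ACL would also drop all non-ICMP traffic.
Edge(config)#access-list 108 permit ip any any
! Apply the list outbound on the interface that faces the untrusted network (assumed to be fa0/0).
Edge(config)#interface fastethernet 0/0
Edge(config-if)#ip access-group 108 out
Edge(config-if)#exit
Edge(config)#exit
! Verify the entries and watch the per-line match counters to confirm the deny line is catching traffic.
Edge#show access-lists 108
```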