2.5 Ensure ICMP is restricted for untrusted interfaces

Information

Allows ICMP traffic to untrusted interfaces only from specific trusted hosts or subnets and denies ICMP traffic from all other sources.

Rationale:

ICMP is an important troubleshooting tool, but it can also be used to attack the device through its untrusted interfaces. On these interfaces, ICMP traffic should be allowed only from the specific hosts or subnets the enterprise trusts and denied from all other sources.

Solution

Step 1: Identify the untrusted interface name <untrusted_interface_name>, the trusted subnet and its corresponding subnet mask.

Step 2: Run the following command to allow ICMP from the trusted subnet to the untrusted interface. Repeat the command for each additional trusted subnet identified.

hostname(config)# icmp permit <subnet> <mask> <untrusted_interface_name>

Step 3: Run the following command to deny ICMP from all other sources to the untrusted interface.

hostname(config)# icmp deny any <untrusted_interface_name>
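
As an added example, not part of the benchmark or of Tenable's audit, the following Python checks an ASA running-config excerpt against this control: it parses the interface's icmp rules in order (the ASA applies them first-match), confirms that only trusted sources are permitted, and confirms that the list ends with the explicit deny any from Step 3. The interface names outside and dmz, the trusted subnet 10.20.0.0/24 and the config excerpt are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class IcmpRule(NamedTuple):
    action: str                              # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]  # None stands for "any"
    interface: str

def parse_icmp_rules(config: str) -> List[IcmpRule]:
    """Collect ASA 'icmp permit|deny {host A | A MASK | any} [icmp_type] IFACE' lines in order."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "icmp" or tok[1] not in ("permit", "deny"):
            continue
        if tok[2] == "any":
            src, rest = None, tok[3:]
        elif tok[2] == "host":
            src, rest = ipaddress.ip_network(tok[3]), tok[4:]
        else:
            src, rest = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[4:]
        rules.append(IcmpRule(tok[1], src, rest[-1]))  # an optional icmp_type before IFACE is ignored
    return rules

def audit_interface(rules: List[IcmpRule], interface: str, trusted: List[str]) -> List[str]:
    """Return findings for one untrusted interface; an empty list means the control passes."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]  # "a.b.c.d/24" or "a.b.c.d/mask"
    mine = [r for r in rules if r.interface == interface]  # the ASA evaluates these first-match
    if not mine:
        return [f"{interface}: no icmp rules, all ICMP is accepted (default)"]
    findings = []
    for i, r in enumerate(mine):
        if r.action == "permit" and r.source is None:
            findings.append(f"{interface}: 'icmp permit any' allows every source")
        elif r.action == "permit" and not any(r.source.subnet_of(t) for t in trusted_nets):
            findings.append(f"{interface}: permit for untrusted source {r.source}")
        elif r.action == "deny" and r.source is None and i != len(mine) - 1:
            findings.append(f"{interface}: 'deny any' is not last, later rules are shadowed")
    if not (mine[-1].action == "deny" and mine[-1].source is None):
        findings.append(f"{interface}: missing final 'icmp deny any {interface}'")
    return findings

# Constructed running-config excerpt: 'outside' is compliant, 'dmz' is not.
SAMPLE_CONFIG = """\
icmp permit 10.20.0.0 255.255.255.0 outside
icmp permit host 10.20.0.5 echo outside
icmp deny any outside
icmp permit any dmz
"""
```

Calling audit_interface(parse_icmp_rules(SAMPLE_CONFIG), "dmz", ["10.20.0.0/24"]) returns two findings, one for the permit any and one for the missing final deny any, while the same call for "outside" returns an empty list.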

Default Value:

ICMP is enabled by default.

See Also

https://workbench.cisecurity.org/benchmarks/7194

Item Details

Category: CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-6, 800-53|CM-7, 800-53|CP-6, 800-53|CP-7, 800-53|PL-8, 800-53|PM-7, 800-53|SA-8, 800-53|SC-7, 800-53|SC-23, CSCv7|11.1

Plugin: Cisco

Control ID: 1b84dda2dc0fd2fcdf441826817b61f9f2103676ef58cd30b1e697f1df97212c