Information
Allows ICMP traffic from specific trusted hosts or subnets and denies ICMP traffic from all other sources.
Rationale:
ICMP is an important troubleshooting tool, but it can also be abused to attack untrusted interfaces. On these interfaces, ICMP traffic should be allowed only from specific hosts or subnets that the enterprise trusts and denied from all other sources.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
* Step 1: Acquire the untrusted interface name <untrusted_interface_name>, the trusted subnet <subnet> and its subnet mask <mask>.
* Step 2: Run the following command to allow ICMP from the trusted subnet to the untrusted interface. Repeat the command for each additional trusted subnet identified.
hostname(config)# icmp permit <subnet> <mask> <untrusted_interface_name>
* Step 3: Run the following command to deny ICMP from all other sources to the untrusted interface.
hostname(config)# icmp deny any <untrusted_interface_name>
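As an added example (not part of the Nessus audit item or Cisco's own tooling), the following Python check parses the icmp control-list lines from a saved ASA running-config and reports whether a given untrusted interface meets the three-step solution above: at least one permit for a specific host or subnet, no "permit any", and a "deny any" that comes after the permits. The sample configuration is constructed for the example.

```python
import ipaddress
import re

# Matches ASA ICMP control-list entries such as
#   icmp permit 10.1.0.0 255.255.0.0 outside
#   icmp permit host 192.0.2.10 outside
#   icmp deny any outside
# (an optional ICMP type may sit between the source and the interface name)
ICMP_RE = re.compile(
    r"^\s*icmp\s+(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<net>\S+)\s+(?P<mask>\S+))"
    r"(?:\s+(?P<type>[a-z-]+))?\s+(?P<iface>\S+)\s*$"
)

# Constructed sample running-config: "outside" is the untrusted interface
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.1.0.0 255.255.0.0 outside
icmp permit host 192.0.2.10 outside
icmp deny any outside
icmp permit any inside
"""

def parse_icmp_rules(running_config):
    """Return {interface: [(action, source_cidr_or_'any'), ...]} in config order."""
    rules = {}
    for line in running_config.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue
        if m.group("any"):
            src = "any"
        elif m.group("host"):
            src = m.group("host") + "/32"
        else:  # network plus dotted mask, normalised to CIDR
            src = str(ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False))
        rules.setdefault(m.group("iface"), []).append((m.group("action"), src))
    return rules

def check_interface(rules, iface):
    """Return a list of findings for one untrusted interface; empty means compliant."""
    entries = rules.get(iface, [])
    if not entries:
        return ["no icmp control list on interface; all ICMP to it is accepted"]
    findings = []
    permits = [i for i, (a, _) in enumerate(entries) if a == "permit"]
    deny_any = [i for i, (a, s) in enumerate(entries) if a == "deny" and s == "any"]
    if any(entries[i][1] == "any" for i in permits):
        findings.append("'icmp permit any' allows ICMP from every source")
    if not any(entries[i][1] != "any" for i in permits):
        findings.append("no permit for a specific trusted host or subnet")
    if not deny_any:
        findings.append("missing 'icmp deny any' for the interface")
    elif permits and deny_any[0] < max(permits):
        # the list is evaluated top-down, first match wins, so a later permit is dead
        findings.append("'icmp deny any' appears before a permit and shadows it")
    return findings
```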