NET0800 - Filter ICMP on external interface. - 'Null0 - no ip unreachables'

Information

The administrator must ensure ICMP unreachable notifications, mask replies, and redirects are disabled on all external interfaces of the premise router.

The Internet Control Message Protocol (ICMP) supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Three ICMP messages are commonly used by attackers for network mapping and diagnosis: Host Unreachable, Redirect, and Mask Reply.

NOTE: For IOS version 12.0 and later, review the running configuration of the premise router and ensure the following commands are not present on any external interface: ip unreachables, ip redirects, and ip mask-reply. For versions prior to 12.0, ensure the following commands are present on all external interfaces: no ip unreachables, no ip redirects, and no ip mask-reply.

Solution

The administrator must change the router configuration files to ensure 'no ip unreachables', 'no ip redirects' and 'no ip mask-reply' are enabled in the OS.
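As an added example (not part of the STIG or the Tenable audit text), a small Python checker that applies the NOTE's version-dependent test to one external interface of a saved running-config; the interface names and configuration lines are constructed sample input, and the assumed convention is that the auditor names the external interface explicitly.

```python
import re

# Constructed sample running-config (not from the STIG); Gi0/0 is the external interface.
SAMPLE_CONFIG = """\
version 15.2
!
interface GigabitEthernet0/0
 no ip redirects
 no ip unreachables
!
interface GigabitEthernet0/1
 ip redirects
!
"""

ICMP_CMDS = ("ip unreachables", "ip redirects", "ip mask-reply")


def parse_interfaces(config):
    """Return {interface name: [commands in its stanza]} from a running-config."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return stanzas


def ios_version(config):
    """Return (major, minor) from the 'version' line, or None if absent."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_external_interface(config, name):
    """Return NET0800 findings for one external interface (empty list = compliant).
    IOS 12.0+: the positive forms must not appear in the stanza (the NOTE's literal test);
    earlier or unknown IOS: the explicit 'no ...' forms must appear."""
    lines = parse_interfaces(config).get(name, [])
    version = ios_version(config)
    findings = []
    for cmd in ICMP_CMDS:
        if version is not None and version >= (12, 0):
            if cmd in lines:
                findings.append(f"{name}: '{cmd}' is present")
        elif f"no {cmd}" not in lines:
            findings.append(f"{name}: 'no {cmd}' is missing")
    return findings
```

Run it against the output of `show running-config` saved to a file; an empty list for each external interface means the item passes under the NOTE's test.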

An alternative to configuring no ip unreachables is to filter Host Unreachable messages generated by the router and drop these messages using the following configuration steps:

1) Configure a named ACL with a deny icmp any any for type 3 code 4 (Fragmentation Needed, the "Packet Too Big" message that path MTU discovery depends on) followed by a permit icmp any any. This ACL will exclude PTB messages from being dropped by the local policy.
2) Configure a route-map to match on this named ACL.
3) For any matches, set the interface to null0.
4) Apply the route-map as local policy (for router generated traffic).
5) Configure no ip unreachables on the null0 interface.

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Perimeter_Router_L3_Switch_V8R32_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(16), CAT|II, Rule-ID|SV-3084r2_rule, STIG-ID|NET0800, Vuln-ID|V-3084

Plugin: Cisco

Control ID: 855c514ebfcf7df6149e0850698dc81b3cd00171c944c81ae29655c901aa1897