ICMP: Do not return Proxy ARP requests

Information

Preventing routers from responding with unreachable notifications can be implemented at the router and service interface level. For interfaces such as IES or VPRN, the service interface is used to configure the ICMP parameters. ICMP mask replies are commonly used for network mapping and information gathering. These messages do not provide any legitimately required services, so they should be disabled. Redirects and unreachables can either be turned off or rate-limited.

NOTE: Alcatel-Lucent TiMOS/Nokia SR-OS devices only support Proxy ARP in network mode; Proxy ARP in access-uplink mode is not supported. You will need to manually confirm that Proxy ARP on this device is configured according to your organization's policies.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Consult the SR-OS Security Best Practices Guide for more information on this topic. The SR-OS Security Best Practices Guide is available from the Nokia/Alcatel-Lucent Customer Support Portal at https://support.alcatel-lucent.com/portal/web/support.

See Also

https://infoproducts.alcatel-lucent.com/aces/cgi-bin/dbaccessfilename.cgi/9305050101_V1_SR-OS Security Best Practices v2.0.pdf

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7

Plugin: Alcatel

Control ID: 1cc40d5a88a6496a55d4cb48ccabd2ffc870118a61dd6c595cd7ad96b7426a1d