Ensure ICMP is restricted for untrusted interfaces

Information

Allows ICMP traffic from specific trusted hosts or subnets and denies ICMP traffic from all other sources.

Rationale:

ICMP is an important troubleshooting tool that can also be used to perform ICMP attacks on untrusted interfaces. For these interfaces, the ICMP traffic should be allowed only for specific hosts or subnets that are trusted by the Enterprise and should be denied for all other sources.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Configure ICMP using Firepower Management Center:

Step 1 - Select Devices > Platform Settings and create or edit an FTD policy.
Step 2 - Select ICMP.

https://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/platform_settings_for_firepower_threat_defense.html#task_42BBA666CD604517ADA18B32CA162F62
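The following is an added verification example; it is not part of the Tenable benchmark or Cisco's documentation. It assumes that the ICMP rules configured through the Platform Settings page are visible in the device running configuration as ASA-style lines of the form "icmp {permit|deny} {host A.B.C.D | A.B.C.D MASK | any} [icmp-type] INTERFACE", which is how FTD and ASA express ICMP control lists. The config text, interface names and trusted ranges below are constructed for illustration. The check flags an untrusted interface when it has no ICMP control list, when a permit rule covers a source outside the trusted set, or when the list does not end in an explicit "deny any", which is what the benchmark's "deny all other sources" requirement calls for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample configurations (not from any real device).
# Weak: the untrusted "outside" interface accepts ICMP from anywhere.
WEAK_CONFIG = """\
icmp permit any outside
icmp permit host 10.20.30.5 management
"""

# Hardened: only trusted sources may send ICMP to "outside",
# and the list ends with an explicit deny for everything else.
HARDENED_CONFIG = """\
icmp permit host 10.20.30.5 outside
icmp permit 10.20.40.0 255.255.255.0 echo outside
icmp deny any outside
icmp permit 10.20.0.0 255.255.0.0 management
icmp deny any management
"""


@dataclass
class IcmpRule:
    action: str                                  # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]      # None means "any"
    icmp_type: Optional[str]                     # e.g. "echo"; None = all types
    interface: str


def parse_icmp_rules(config_text: str) -> List[IcmpRule]:
    """Extract 'icmp permit|deny ...' lines from ASA/FTD-style running config."""
    rules: List[IcmpRule] = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        # Skip unrelated lines such as 'icmp unreachable rate-limit ...'
        if len(tokens) < 4 or tokens[0] != "icmp" or tokens[1] not in ("permit", "deny"):
            continue
        action, interface, body = tokens[1], tokens[-1], tokens[2:-1]
        if body[0] == "any":
            source, rest = None, body[1:]
        elif body[0] == "host":
            source, rest = ipaddress.ip_network(body[1]), body[2:]
        else:  # network followed by dotted netmask
            source = ipaddress.ip_network(f"{body[0]}/{body[1]}", strict=False)
            rest = body[2:]
        icmp_type = rest[0] if rest else None
        rules.append(IcmpRule(action, source, icmp_type, interface))
    return rules


def check_untrusted_interfaces(config_text: str,
                               untrusted_interfaces: List[str],
                               trusted_sources: List[str]) -> Dict[str, List[str]]:
    """Return a list of findings per untrusted interface (empty list = compliant)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_sources]
    rules = parse_icmp_rules(config_text)
    findings: Dict[str, List[str]] = {}
    for iface in untrusted_interfaces:
        iface_rules = [r for r in rules if r.interface == iface]
        problems: List[str] = []
        if not iface_rules:
            # With no ICMP control list, ICMP to the interface is not restricted.
            problems.append("no ICMP control list configured for interface")
        else:
            last = iface_rules[-1]
            if not (last.action == "deny" and last.source is None and last.icmp_type is None):
                problems.append("last rule is not an explicit 'deny any'")
            for idx, rule in enumerate(iface_rules, start=1):
                if rule.action != "permit":
                    continue
                if rule.source is None:
                    problems.append(f"rule {idx} permits ICMP from any source")
                elif not any(rule.source.subnet_of(t) for t in trusted):
                    problems.append(f"rule {idx} permits untrusted source {rule.source}")
        findings[iface] = problems
    return findings


if __name__ == "__main__":
    trusted_ranges = ["10.20.0.0/16"]
    print("weak:", check_untrusted_interfaces(WEAK_CONFIG, ["outside"], trusted_ranges))
    print("hardened:", check_untrusted_interfaces(HARDENED_CONFIG, ["outside"], trusted_ranges))
```

Run it against text captured from "show running-config icmp" on the device, passing the interfaces you consider untrusted and the address ranges the enterprise trusts; any non-empty finding list is an interface that does not meet this benchmark item.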

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(16)

Plugin: Cisco_Firepower

Control ID: ea35fc4591ee7b4a38044d64a20232f1cad932328f3cd8144118e91a85322ba6