I did find a good security paper that says incoming ICMP redirects should be filtered at routers. It says this:
"An ICMP redirect message instructs an end node to use a specific router as its path to a particular destination. In a properly functioning IP network, a router will send redirects only to hosts on its own local subnets, no end node will ever send a redirect, and no redirect will ever be traversed more than one network hop. However, an attacker may violate these rules; some attacks are based on this. It's a good idea to filter out incoming ICMP redirects at the input interfaces of any router that lies at a border between administrative domains, and it's not unreasonable for any access list that's applied on the input side of a Cisco router interface to filter out all ICMP redirects. This will cause no operational impact in a correctly configured network. Note that this filtering prevents only redirect attacks launched by remote attackers. It's still possible for attackers to cause significant trouble using redirects if their host is directly connected to the same segment as a host that's under attack." The paper is "Improving Security on Cisco Routers" and is well worth a read. The URL is: http://www.cisco.com/warp/public/707/21.html _______________________________ Priscilla Oppenheimer www.troubleshootingnetworks.com www.priscilla.com > > Sounds like a good approach. > > I tried to find a paper at Cisco's site that has > recommendations with regards to security, ICMP, and access > lists, and couldn't find one. I hate being thwarted like this! > ;-) Anyone have a URL? > > Thanks, > > Priscilla > > Brian wrote: > > > > there are a ton of icmp message types, the block is likely > > preventing you > > from getting some errors. A former coworker had a good idea > > that went like > > this, in this order. > > > > Permit all icmp from trusted monitoring hosts > > deny icmp echo/echo-request from all > > permit icmp from all > > > > Its a middle of the road approach, and some folks will > tell > > you its too > > open. But, I happen to believe that receiving and processing > > icmp errors is > > better than putting them in the bit bucket. > > > > Brian > > > > ----- Original Message ----- > > From: "ramesh c" > > To: > > Sent: Wednesday, January 08, 2003 5:32 AM > > Subject: icmp messages [7:60602] > > > > > > > I got access list as follows on my router > > > > > > access-list 100 permit icmp host any host xyz ttl-exceed > > > access-list 100 deny icmp any any > > > > > > when I do a traceroute from host xyz,I get reply only from > > some hosts .The > > > Hitcounts on deny icmp icmp increases.the access-group is > > applied to the > > "in" > > > > > > > > > Am I missing any other icmp messages?Is there a way to allow > > all icmp > > > messages for the host? > > > > > > Cheers > > > > > > > > > > _____________________________________________________________ > > > Get 25MB, POP3, Spam Filtering with LYCOS MAIL PLUS for > > $19.95/year. > > > > > > http://login.mail.lycos.com/brandPage.shtml?pageId=plus&ref=lmtplus > > > > > > Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=60652&t=60602 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
