[c-nsp] Router security defaults (WAS RE: Proxy ARP -- To disable, or not to disable..)
Justin Shore
justin at justinshore.com
Mon Mar 24 10:55:42 EDT 2008
Enno Rey wrote:
> Hi,
>
>> Per Interface Config
>>
>> no ip redirects
>> no ip unreachables
>
> personally, I don't like those two. what's wrong about a router _sending_ icmp redirects or (even more important/useful) icmp unreachables?
> keep in mind those commands are not about accepting those (but, as said: sending them).
To more explicitly say what everyone was dancing around, ICMPs are
classified as "receive" packets which can only be process switched.
This leaves a wide open avenue for resource exhaustion attacks.
ICMP can be very useful for troubleshooting and diagnostics. It is also
an extremely easy and effective method with which to DoS SPs. I don't
agree with blocking it outright, even at the Internet borders, but I do
agree that much of it can be used maliciously and that it should be
controlled. Deny ICMP frags explicitly (otherwise you'll endure 2 CPU
interrupts). Permit echo requests and replies to your access edges.
Permit packet-too-big (for PMTU) and time-exceeded (traceroutes). Then
rate-limit it down to a reasonable number. On your routing devices
disable/prevent all unnecessary ICMP services and responses. Rate-limit
all necessary responses to a reasonable level. Good info on how to
accomplish all of this can be had in "Router Security Strategies" Cisco
Press book and many other resources.
Justin
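The control-plane side of the approach described in the post (suppress unneeded ICMP generation, permit only the useful ICMP types toward the router, and rate-limit those) as an added Cisco IOS example; it is not from the original post or from the Cisco Press book, and the ACL names, class/policy names, interface and police rates are illustrative assumptions to be tuned per platform.

```cisco
! Added example, not from the original post. Names and rates are assumptions.
!
! Per-interface defaults discussed in the thread: stop the router itself from
! generating redirects and unreachables on external-facing links.
interface GigabitEthernet0/0
 description Internet border (assumed interface)
 no ip redirects
 no ip unreachables
!
! ICMP the router should still process: echo/echo-reply for reachability
! tests, packet-too-big for PMTU discovery, time-exceeded for traceroute.
! Non-initial ICMP fragments are denied first so they never match this class.
ip access-list extended ICMP-ALLOWED
 deny   icmp any any fragments
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
!
! Any other ICMP punted to the CPU (including the fragments denied above).
ip access-list extended ICMP-OTHER
 permit icmp any any
!
class-map match-all CoPP-ICMP-ALLOWED
 match access-group name ICMP-ALLOWED
class-map match-all CoPP-ICMP-OTHER
 match access-group name ICMP-OTHER
!
! Rate-limit the useful ICMP reaching the route processor to an assumed
! 64 kbps; drop everything else so it cannot exhaust CPU resources.
policy-map CoPP
 class CoPP-ICMP-ALLOWED
  police 64000 8000 conform-action transmit exceed-action drop
 class CoPP-ICMP-OTHER
  police 8000 1500 conform-action drop exceed-action drop
 class class-default
!
control-plane
 service-policy input CoPP
```

After applying it, `show policy-map control-plane` shows per-class conform/exceed counters, which is the quickest way to confirm the classes are matching as intended and that the rate is neither starving legitimate troubleshooting traffic nor admitting floods.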