Security Basics mailing list archives

Re: Removing ping/icmp from a network


From: "Jon R. Kibler" <Jon.Kibler () aset com>
Date: Tue, 25 Mar 2008 17:17:54 +0000

Secure This wrote:
I have a variety of clients with data centres who all make use of icmp/ping to monitor their servers/appliances/devices (often with poorly configured snmp versions 1 and 2).

Could anybody kindly advise me of tools and strategies for minimising or removing the use of icmp/ping on a supposedly secure network?

Thanks in advance

If you have any switches with layer 3 capabilities, block all icmp traffic
in ACLs. For example, from a Cisco 3750:

ip access-list extended foo
 permit icmp any any packet-too-big
 deny   icmp any any
 permit ip any any
!
interface GigabitEthernet1/0/whatever
 switchport access vlan 999
 switchport mode access
 ip access-group foo in
 spanning-tree portfast
 spanning-tree bpduguard enable


Hope this helps!

Jon K.
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
(843) 849-8214
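As an added illustration (not from Jon's post), a small Python first-match simulator for the ACL above: IOS evaluates entries top-down and ends every ACL with an implicit deny, so the packet-too-big permit has to sit above "deny icmp any any" or path-MTU discovery silently breaks. The ICMP keyword-to-type table is an assumed subset of the IOS keywords.

```python
# Added example: first-match evaluation of the IOS extended ACL quoted above.
# Entries match top-down; an unmatched packet hits the implicit trailing deny.
# ICMP_KEYWORDS is an assumed subset of IOS keywords mapped to (type, code).
ICMP_KEYWORDS = {"echo": (8, 0), "echo-reply": (0, 0), "packet-too-big": (3, 4)}

def parse_acl(text):
    """Turn 'permit|deny <proto> any any [icmp-keyword]' lines into rule dicts."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list' header, '!' and blank lines
        action, proto = parts[0], parts[1]
        icmp = ICMP_KEYWORDS[parts[4]] if proto == "icmp" and len(parts) > 4 else None
        rules.append({"action": action, "proto": proto, "icmp": icmp})
    return rules

def evaluate(rules, proto, icmp=None):
    """Action of the first entry matching the packet; implicit deny otherwise."""
    for rule in rules:
        if rule["proto"] not in (proto, "ip"):  # 'ip' entries match any protocol
            continue
        if rule["proto"] == "icmp" and rule["icmp"] not in (None, icmp):
            continue  # typed ICMP entry that does not match this ICMP type/code
        return rule["action"]
    return "deny"

def audit(text):
    """Verdicts a defender wants: pings blocked, PMTUD kept, other traffic untouched."""
    rules = parse_acl(text)
    return {
        "echo_request": evaluate(rules, "icmp", ICMP_KEYWORDS["echo"]),
        "packet_too_big": evaluate(rules, "icmp", ICMP_KEYWORDS["packet-too-big"]),
        "tcp": evaluate(rules, "tcp"),
    }

POSTED_ACL = """ip access-list extended foo
 permit icmp any any packet-too-big
 deny   icmp any any
 permit ip any any
!"""

# Same entries with the deny moved up: the deny now shadows the packet-too-big permit.
REORDERED_ACL = POSTED_ACL.replace(
    " permit icmp any any packet-too-big\n deny   icmp any any",
    " deny   icmp any any\n permit icmp any any packet-too-big")

if __name__ == "__main__":
    print(audit(POSTED_ACL))     # packet_too_big: 'permit', echo_request: 'deny'
    print(audit(REORDERED_ACL))  # packet_too_big: 'deny' (PMTUD broken)
```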


