Details
ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Switches automatically send ICMP messages under a wide variety of conditions. Host Unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Step 1: Disable ip unreachables on all external interfaces.
SW1(config)#int g0/1
SW1(config-if)#no ip unreachables
Step 2: Disable ip unreachables on the Null0 interface if it is used to blackhole packets.
SW1(config-if)#int null 0
SW1(config-if)#no ip unreachables
Alternative – DODIN Backbone:
Configure the PE switch to rate limit ICMP unreachable messages as shown in the example below:
SW1(config)#ip icmp rate-limit unreachable df 100
SW1(config)#ip icmp rate-limit unreachable 100000
SW1(config)#end
Alternative – Non-DODIN Backbone:
An alternative for non-backbone networks (e.g., enclave, base, or camp networks) is to filter messages generated by the switch and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:
Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:
SW1(config)#ip access-list ext ICMP_T3C1C13
SW1(config-ext-nacl)#permit icmp any any host-unreachable
SW1(config-ext-nacl)#permit icmp any any administratively-prohibited
SW1(config-ext-nacl)#exit
Step 2: Create a route-map to forward these ICMP messages to the Null0 interface.
SW1(config)#route-map LOCAL_POLICY
SW1(config-route-map)#match ip address ICMP_T3C1C13
SW1(config-route-map)#set interface Null0
SW1(config-route-map)#exit
Step 3: Configure no ip unreachables on the Null0 interface.
SW1(config)#int null 0
SW1(config-if)#no ip unreachables
SW1(config-if)#exit
Step 4: Apply the policy to filter messages generated by the switch.
SW1(config)#ip local policy route-map LOCAL_POLICY
SW1(config)#end
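The following script is an added example, not Nessus or Cisco code, of how a defender can audit a saved running-config for the controls described in the steps above: it reports every interface that still lacks no ip unreachables and checks whether either alternative (the global ICMP unreachable rate limit, or a local policy route-map that sends the ICMP Type 3 ACL to Null0) is present. The sample configuration embedded in the script is constructed for illustration; interface names, addresses, and the route-map sequence number are assumptions. Note that a running-config shows the ACL keyword expanded to "extended", not the "ext" abbreviation typed at the CLI.

```python
"""Audit a Cisco IOS-style running-config for ICMP unreachable hardening.

Added example (not Nessus or Cisco code). Sample config below is constructed.
"""
import re

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description external uplink (constructed sample)
 ip address 192.0.2.1 255.255.255.0
 no ip unreachables
!
interface GigabitEthernet0/2
 description internal segment (constructed sample)
 ip address 10.0.0.1 255.255.255.0
!
interface Null0
 no ip unreachables
!
ip access-list extended ICMP_T3C1C13
 permit icmp any any host-unreachable
 permit icmp any any administratively-prohibited
!
route-map LOCAL_POLICY permit 10
 match ip address ICMP_T3C1C13
 set interface Null0
!
ip local policy route-map LOCAL_POLICY
!
end
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped indented lines]} for each 'interface' block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # any non-indented line ('!', 'router', ...) ends the block
    return interfaces


def interfaces_missing_no_unreachables(config):
    """Interfaces that will still emit ICMP unreachables (Step 1/Step 2 finding)."""
    return sorted(
        name for name, lines in parse_interfaces(config).items()
        if "no ip unreachables" not in lines
    )


def has_unreachable_rate_limit(config):
    """True if 'ip icmp rate-limit unreachable [df] <milliseconds>' is configured (DODIN alternative)."""
    return re.search(r"^ip icmp rate-limit unreachable(?: df)? \d+$", config, re.M) is not None


def local_policy_blackholes_icmp(config):
    """True if a local policy route-map matches a defined ACL and sets interface Null0
    (non-DODIN alternative, Steps 1-4)."""
    applied = re.search(r"^ip local policy route-map (\S+)", config, re.M)
    if not applied:
        return False
    rm_name = applied.group(1)
    # Gather the indented body of every route-map entry with that name.
    bodies = re.findall(rf"^route-map {re.escape(rm_name)}\b.*\n((?: .*\n)*)", config, re.M)
    body = "\n".join(bodies)
    acl = re.search(r"match ip address (\S+)", body)
    sets_null0 = re.search(r"^\s*set interface Null0$", body, re.M) is not None
    acl_defined = acl is not None and re.search(
        rf"^ip access-list extended {re.escape(acl.group(1))}$", config, re.M) is not None
    return sets_null0 and acl_defined


def assess(config):
    """Summarise the check: per-interface findings plus whether an alternative control is in place."""
    missing = interfaces_missing_no_unreachables(config)
    rate_limit = has_unreachable_rate_limit(config)
    local_policy = local_policy_blackholes_icmp(config)
    return {
        "interfaces_missing": missing,
        "rate_limit": rate_limit,
        "local_policy": local_policy,
        "compliant": not missing or rate_limit or local_policy,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the output of show running-config saved to a file by replacing SAMPLE_CONFIG with the file contents; the interfaces_missing list is the per-interface finding, and the two alternative flags show which of the Solution's fallbacks, if any, covers the gap.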
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Cisco.
References
- 800-53|SC-5
- CAT|II
- CCI|CCI-002385
- Rule-ID|SV-220433r622190_rule
- STIG-ID|CISC-RT-000170
- STIG-Legacy|SV-110713
- STIG-Legacy|V-101609
- Vuln-ID|V-220433