ICMP: Do not return Proxy ARP requests

Details

Preventing routers from responding with unreachable notifications can be implemented at the router and service interface level. For interfaces such as IES or VPRN, the service interface is used to configure the ICMP parameters. ICMP mask replies are commonly used for network mapping and information gathering. These messages do not provide any legitimately required services, so they should be disabled. Redirects and unreachables can either be turned off or rate-limited.

NOTE: Alcatel-Lucent TiMOS/Nokia SR-OS devices only support Proxy ARP in network mode; Proxy ARP in access-uplink mode is not supported. You will need to manually confirm that Proxy ARP on this device is configured according to your organization’s policies.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Disable Proxy ARP if not required by your organization.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Alcatel.

References

Source

Updated on July 16, 2022