Details

Prevent routers from responding with unreachable notifications can be implemented at router and service interface. For interfaces such as IES or VPRN, the service interface is used to configure the ICMP parameters. ICMP mask replies are commonly used for network mapping and information gathering. These messages do not provide any legitimately required services so should be disabled. Redirects and unreachables can either be turned off or rate-limited.

Solution

Run the following command on the device to disable ICMP options for interfaces that do not require it: configure router if icmp no

Supportive Information

The following resource is also helpful.

• https://infoproducts.alcatel-lucent.com/aces/cgi-bin/dbaccessfilename.cgi/9305050101_V1_SR-OS Security Best Practices v2.0.pdfhttps://infoproducts.alcatel-lucent.com/aces/cgi-bin/dbaccessfilename.cgi/9305050101_V1_SR-OS Security Best Practices v2.0.pdf

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Alcatel.

References

• 800-53|SC-7

Source

• Tenable.com/audits