CISC-RT-000170 - The Cisco router must be configured to have Internet Control Message Protocol (ICMP) unreachable messages disabled on all external interfaces.

Information

The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Host unreachable ICMP messages are commonly used by attackers for network mapping and diagnosis.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Step 1: Disable ip unreachables on all external interfaces.

R4(config)#int g0/1
R4(config-if)#no ip unreachables

Step 2: Disable ip unreachables on the Null0 interface if it is used to backhole packets.

R4(config-if)#int null 0
R4(config-if)#no ip unreachables

Alternative - DODIN Backbone:

Configure the PE router to rate limit ICMP unreachable messages as shown in the example below:

R4(config)#ip icmp rate-limit unreachable df 100
R4(config)#ip icmp rate-limit unreachable 100000
R4(config)#end

Alternative - Non DODIN Backbone.

An alternative for non-backbone networks (i.e. enclave, base, camp, etc.) is to filter messages generated by the router and silently drop ICMP Administratively Prohibited and Host Unreachable messages using the following configuration steps:

Step 1: Configure ACL to include ICMP Type 3 Code 1 (Host Unreachable) and Code 13 (Administratively Prohibited) as shown in the example below:

R2(config)#ip access-list ext ICMP_T3C1C13
R2(config-ext-nacl)#permit icmp any any host-unreachable
R2(config-ext-nacl)#permit icmp any any administratively-prohibited
R2(config-ext-nacl)#exit

Step 2: Create a route map to forward these ICMP messages to the Null0 interface.

R2(config)#route-map LOCAL_POLICY
R2(config-route-map)#match ip address ICMP_T3C1C13
R2(config-route-map)#set interface Null0
R2(config-route-map)#exit

Step 3: Configure no ip unreachables on the Null0 interface.

R2(config)#int null 0
R2(config-if)#no ip unreachables
R2(config-if)#exit

Step 4: Apply the policy to filter messages generated by the router.

R2(config)#ip local policy route-map LOCAL_POLICY
R2(config)#end

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Cisco_IOS_Router_Y22M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, Rule-ID|SV-216565r531085_rule, STIG-ID|CISC-RT-000170, STIG-Legacy|SV-105669, STIG-Legacy|V-96531, Vuln-ID|V-216565

Plugin: Cisco

Control ID: 9cdba41b2211e92eb02b6925a1b60ee4f13dc8abe4b54bd708f979cf791b2704