Check: RCKS-RTR-000650
RUCKUS ICX Router STIG:
RCKS-RTR-000650
(in version v1 r1)
Title
The RUCKUS ICX router must be configured to have Internet Control Message Protocol (ICMP) mask replies disabled on all external interfaces. (Cat II impact)
Discussion
The ICMP supports IP traffic by relaying information about paths, routes, and network conditions. Routers automatically send ICMP messages under a wide variety of conditions. Mask Reply ICMP messages are commonly used by attackers for network mapping and diagnosis.
Check Content
Review the configuration to determine whether outgoing ICMP mask replies are blocked on external interfaces.

enable egress-acl-on-cpu-traffic
ip access-list extended BLOCK_ICMP_OUT
 sequence 10 deny icmp any any unreachable
 sequence 20 deny icmp any any mask-reply
 sequence 30 permit ip any any
interface ethernet 1/1/1
 ip address x.0.1.2 255.255.255.252
 ip access-group BLOCK_ICMP_OUT out
!

If outgoing ICMP mask replies are not blocked on external interfaces, this is a finding.
Fix Text
Configure an ACL to block ICMP mask replies.

ICX(config)#enable egress-acl-on-cpu-traffic
ICX(config)#ip access ext BLOCK_ICMP_OUT
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any unreachable
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#deny icmp any any mask-reply
ICX(config-ext-ipacl-BLOCK_ICMP_OUT)#permit ip any any

Apply the ACL to the external interface.

ICX(config)#interface ethernet 1/1/1
ICX(config-if-e1000-1/1/1)#ip access-group BLOCK_ICMP_OUT out
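The check and fix above are manual. The following Python script is an added example (not part of the STIG or any RUCKUS tool) that audits a saved ICX running-config for this rule: it parses the extended ACLs and interface stanzas, confirms that `enable egress-acl-on-cpu-traffic` is present, and reports every interface named as external that has no outbound access-group, or whose outbound ACL would permit an ICMP mask-reply before denying it. The list of external interfaces is supplied by the auditor, the sample config is constructed (documentation IP ranges, not a real device), and ACL evaluation is simplified to first-match on `any any` entries.

```python
"""Audit a RUCKUS ICX running-config for RCKS-RTR-000650 (added example)."""
import re

# Constructed sample running-config; not captured from a real device.
SAMPLE_CONFIG = """\
enable egress-acl-on-cpu-traffic
ip access-list extended BLOCK_ICMP_OUT
 sequence 10 deny icmp any any unreachable
 sequence 20 deny icmp any any mask-reply
 sequence 30 permit ip any any
!
ip access-list extended PERMIT_ALL
 sequence 10 permit ip any any
!
interface ethernet 1/1/1
 ip address 192.0.2.2 255.255.255.252
 ip access-group BLOCK_ICMP_OUT out
!
interface ethernet 1/1/2
 ip address 198.51.100.1 255.255.255.252
 ip access-group PERMIT_ALL out
!
interface ethernet 1/1/3
 ip address 203.0.113.1 255.255.255.252
!
"""

# One ACL entry: optional sequence number, action, protocol, src, dst, optional ICMP type.
ENTRY_RE = re.compile(
    r"^(?:sequence\s+\d+\s+)?(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?:\s+(?P<type>\S+))?\s*$"
)


def parse_blocks(config):
    """Split the config into (header, [indented child lines]) stanzas."""
    blocks, header, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            if header is not None:
                blocks.append((header, children))
            header, children = None, []
        elif raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
    if header is not None:
        blocks.append((header, children))
    return blocks


def acl_denies_mask_reply(entries):
    """True if the first 'any any' entry matching an ICMP mask-reply is a deny.

    Simplification: entries with narrower sources/destinations are skipped;
    an unmatched packet falls through to the ACL's implicit deny."""
    for line in entries:
        m = ENTRY_RE.match(line)
        if not m or m["src"] != "any" or m["dst"] != "any":
            continue
        if m["proto"] == "icmp" and m["type"] in (None, "mask-reply"):
            return m["action"] == "deny"
        if m["proto"] == "ip" and m["type"] is None:
            return m["action"] == "deny"
    return True


def audit(config, external_interfaces):
    """Return a list of finding strings; an empty list means compliant."""
    blocks = parse_blocks(config)
    findings = []
    acls = {h.split()[-1]: kids for h, kids in blocks
            if h.startswith("ip access-list extended ")}
    interfaces = {h[len("interface "):]: kids for h, kids in blocks
                  if h.startswith("interface ")}
    # Without this global, egress ACLs do not apply to router-originated traffic
    # such as mask replies (the fix text requires it).
    if not any(h == "enable egress-acl-on-cpu-traffic" for h, _ in blocks):
        findings.append("global: 'enable egress-acl-on-cpu-traffic' is missing")
    for name in external_interfaces:
        kids = interfaces.get(name)
        if kids is None:
            findings.append(f"{name}: interface not found in config")
            continue
        acl_name = None
        for line in kids:
            m = re.match(r"ip access-group (\S+) out$", line)
            if m:
                acl_name = m.group(1)
        if acl_name is None:
            findings.append(f"{name}: no outbound IP access-group")
        elif acl_name not in acls:
            findings.append(f"{name}: outbound ACL {acl_name} is not defined")
        elif not acl_denies_mask_reply(acls[acl_name]):
            findings.append(f"{name}: ACL {acl_name} permits ICMP mask-reply")
    return findings


if __name__ == "__main__":
    external = ["ethernet 1/1/1", "ethernet 1/1/2", "ethernet 1/1/3"]
    for finding in audit(SAMPLE_CONFIG, external) or ["no findings"]:
        print(finding)
```

Run against the constructed sample with all three interfaces marked external, the audit passes `ethernet 1/1/1`, flags `ethernet 1/1/2` because `PERMIT_ALL` permits the mask reply, and flags `ethernet 1/1/3` for having no outbound access-group at all. Replace `SAMPLE_CONFIG` with the output of `show running-config` and the external interface list with the organization's own inventory.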
Additional Identifiers
Rule ID: SV-273632r1110938_rule
Vulnerability ID: V-273632
Group Title: SRG-NET-000362-RTR-000114
Expert Comments
CCIs
Number | Definition
---|---
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
Controls
Number | Title
---|---
SC-5 | Denial of Service Protection