In a previous article on basic Cisco router security, I described my concern about a client who didn't use a firewall with its Internet-connected Cisco router. Even though I demonstrated how vulnerable the router was and recommended using a firewall, the client countered with all sorts of reasons why that was not feasible.
In this article and video, I want to share a configuration change that I recommended to the customer in lieu of a firewall. Of course nothing is a proper substitute for a real firewall, but sometimes we need to make do with what we have. There are quite a few documents out there explaining how to harden your router. This tip protects you specifically from ICMP attacks or ping flooding.
My client did not want to block pings altogether since the company uses ping for troubleshooting and monitoring. At first I suggested a simple access list to allow only their management stations IP address, but soon realized that wouldn’t work in their environment. For example, the IT staff sometimes pings from home after hours or from phones, which makes the IP address fairly random.
I showed them that they can limit the ping rate the router will accept and suggested we test it to make sure it works as expected.
In the video below, I used hrPing, which is a free download from cFos Software, to ping the router excessively. Microsoft pings with a one-second interval, but with hrPing, I can go as low as one millisecond.
The Cisco commands I used are:
access-list 111 permit icmp any echo
access-list 111 permit icmp any any echo-reply
interface GigabitEthernet0/1
rate-limit input access-group 111 22000 22000 22000 conform-action transmit exceed-action drop
I used Cisco counters, Wireshark and simple observation to see the impact of the configuration and it seemed to work just fine.
As with any configuration changes, I advise monitoring the router's memory and CPU load to ensure that this change doesn’t hurt performance.
Learn more about infrastructure protection in the Security Track at Interop Las Vegas this spring. Don't miss out! Register now for Interop, May 2-6, and receive $200 off.
The most alarming takeaway from Cisco’s new Cybersecurity Readiness Index report is that even after decades of having the importance of cybersecurity driven home, cyber threats are still taken too lightly.
In today’s data-driven world, higher educational institution networks and their management must be modernized to address the needs of everyone across campus. Enterprises face similar challenges and also need to modernize their networks.
Fortinet announced updates to FortiOS and its security fabric. Interestingly, the company bucked the trend and did not lead with GenAI in this announcement.
