Does anyone pipe out ICMP to a null int as opposed to creating just a specific access list to block scans?
Just wondering what is the most preferred method.
MadChef 2002-04-09, 5:41 am
I can't think of any time where I've used null interfaces to filter traffic instead of an ACL. An ACL is more granular and it's easier for me to do all my filtering in one place rather than send some traffic to null and filter the rest of the stuff I can't catch by rerouting it.
I think you'd have to be pushing a whole lot of packets to ever find an advantage using a null interface, but I've never taken the time to accurately measure.
MadChef
Cobby 2002-04-09, 10:04 am
I was told that using a null int for ICMP could leave the individual with no echo response. <icmp protocol denied>
Therefore someone scans your network and echoes go to the big bit bucket in the sky.
That's the theory anyhow; I have not yet tested it out.
MadChef 2002-04-09, 12:35 pm
quote: Originally posted by Cobby
Therefore someone scans your network and echoes go to the big bit bucket in the sky.
That's the theory anyhow; I have not yet tested it out.
Wouldn't you achieve the same result by not permitting icmp to leave your network?
Seems a lot easier than matching all icmp and setting the next hop as /dev/null.
MC
Cobby 2002-04-09, 12:57 pm
Actually I was advised to do just that.
When I tried it our proprietary trading software bonked saying the trade server was offline.
Sorry I did not point that out earlier.
doctorcisco 2002-04-09, 5:41 pm
quote: Originally posted by MadChef
Wouldn't you achieve the same result by not permitting icmp to leave your network?
Seems a lot easier than matching all icmp and setting the next hop as /dev/null.
MC
Just an off-the-wall question: If you kill off ICMP with an inbound access list, wouldn't the sender get back an "administratively denied" ICMP message? And if you routed the stuff to Null0, he'd get back nothing? I've never done what the original poster is talking about, but this occurs to me as a possible advantage ...
doc

Yea!
That's the benefit of sending ICMP to null0.
The person scanning your network gets no response.
But I have only heard this in theory and have never tried it.
So I was seeking someone who had and could share their results.
I will implement this on a test router this weekend at work and post the config/acl and result.
I work for a trading company that is unoccupied on the weekend and could make good use of this security implementation.

The benefit of the null int is that the packets are dropped and there is no ICMP response.
MadChef 2002-04-10, 5:55 am
quote: Originally posted by doctorcisco
Just an off-the-wall question: If you kill off ICMP with an inbound access list, wouldn't the sender get back an "administratively denied" ICMP message?
Yes. And if you denied outbound like I said in my post, they wouldn't.
MC
Yeti-GBR1 2002-04-10, 6:00 am
Sheeesh, it's called "Black Hole security" ... it may go in but it can never come back.

Using a null int over just an ACL uses less CPU cycles,
Or does it?
Anyways, that is what the Cisco rep said.
But you cannot always listen to those guys.
Comment?
MadChef 2002-04-10, 11:24 am
quote: Originally posted by Cobby
Using a null int over just an ACL uses less CPU cycles,
Or does it?
Yes, it definitely does. But this only makes sense if you want to route entire networks to null. If you want to route certain traffic (http, for example) to hosts and all the rest of the traffic (or just icmp as was initiated in this thread) then you have to create an access list to match the appropriate traffic and policy route the traffic to either the host or null0. By doing that you just created a lot more work for your router than you would have by just applying an ACL. If you're set on denying icmp messages out, then filter icmp from leaving your network.
The only real use I've ever seen from doing this (in a general sense; there are always exceptions) is to route martian networks to null0 on your perimeter router. It just makes the job of your firewall or ACL easier since it quickly and painlessly eliminates known bad packets.
MadChef
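As an added illustration (not a config from any poster in this thread, and not the one the original poster promised to publish), here is a Cisco IOS sketch of the two approaches contrasted above: the plain inbound ACL that doctorcisco and MadChef discuss, and the policy-route-to-Null0 variant, followed by the martian null routes MadChef describes as the more usual use of Null0. The interface name Ethernet0/0 and the address ranges are assumptions. One caveat worth knowing before testing on a lab router: by default IOS still emits an ICMP unreachable for packets it routes into Null0, so the "no response at all" behaviour needs `no ip unreachables` on Null0; the same command on the ingress interface also silences the administratively-prohibited replies an ACL deny would otherwise generate, which makes the plain ACL just as quiet without the policy-routing overhead.

```cisco
! --- Approach 1: inbound ACL on the outside interface (assumed name Ethernet0/0) ---
! Denies inbound ICMP. By default each denied packet is answered with an ICMP
! "administratively prohibited" message (type 3, code 13).
ip access-list extended OUTSIDE-IN
 deny   icmp any any
 permit ip any any
!
interface Ethernet0/0
 ip access-group OUTSIDE-IN in
 ! Suppresses the administratively-prohibited replies, so the ACL drop is silent.
 no ip unreachables
!
! --- Approach 2: policy-route matching ICMP into Null0 ---
! Every packet on the interface is evaluated against the route-map, which is the
! extra per-packet work MadChef describes above.
ip access-list extended ICMP-ONLY
 permit icmp any any
!
route-map BLACKHOLE-ICMP permit 10
 match ip address ICMP-ONLY
 set interface Null0
!
interface Ethernet0/0
 ip policy route-map BLACKHOLE-ICMP
!
! Caveat: Null0 generates ICMP unreachables for what it swallows unless told not to;
! without this, the sender still gets a reply and the "black hole" leaks.
interface Null0
 no ip unreachables
!
! --- Martian / private ranges to Null0 on a perimeter router (RFC 1918 shown) ---
! A plain static route to Null0 is a cheap routing-table lookup, not a per-packet ACL.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
```

If an application depends on ICMP, as Cobby's trading software turned out to, the ACL form is the one that can be narrowed: put specific permits such as `permit icmp any any echo-reply` or `permit icmp any any unreachable` ahead of the `deny icmp any any` line so only the message types the application needs get through, rather than blackholing the whole protocol.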
Yeti-GBR1 2002-04-10, 11:32 am
MC pls no, not AppleTalk ... run away, run away
MadChef 2002-04-10, 8:11 pm
quote: Originally posted by Yeti-GBR1
MC pls no, not AppleTalk ... run away, run away
I have to do this on my current project. I have to move a flat AppleTalk network to a routed network. I'm not thrilled.
MC