This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
In a previous article on basic Cisco router security, I described my concern about a client who didn't use a firewall with its Internet-connected Cisco router. Even though I demonstrated how vulnerable the router was and recommended using a firewall, the client countered with all sorts of reasons why that was not feasible.
In this article and video, I want to share a configuration change that I recommended to the customer in lieu of a firewall. Of course nothing is a proper substitute for a real firewall, but sometimes we need to make do with what we have. There are quite a few documents out there explaining how to harden your router. This tip protects you specifically from ICMP attacks or ping flooding.
My client did not want to block pings altogether since the company uses ping for troubleshooting and monitoring. At first I suggested a simple access list to allow only their management stations IP address, but soon realized that wouldn’t work in their environment. For example, the IT staff sometimes pings from home after hours or from phones, which makes the IP address fairly random.
I showed them that they can limit the ping rate the router will accept and suggested we test it to make sure it works as expected.
In the video below, I used hrPing, which is a free download from cFos Software, to ping the router excessively. Microsoft pings with a one-second interval, but with hrPing, I can go as low as one millisecond.
As SD-WAN implementations continue to increase, it is critical to re-think the importance of advanced security functionalities that should be proactively integrated instead of attempting to retrofit them.