nerdexam
(ISC)2

CISSP · Question #1154

What is the FIRST step in reducing the exposure of a network to Internet Control Message Protocol (ICMP) based attacks?

The correct answer is A. Implement egress filtering at the organization's network boundary.. Reducing ICMP-based attack exposure begins with egress filtering at the network boundary to prevent malicious or spoofed ICMP traffic from leaving the organization and being used in amplification or reconnaissance attacks.

Submitted by anjalisingh· Mar 5, 2026Communication and Network Security

Question

What is the FIRST step in reducing the exposure of a network to Internet Control Message Protocol (ICMP) based attacks?

Options

  • AImplement egress filtering at the organization's network boundary.
  • BImplement network access control lists (ACL).
  • CImplement a web application firewall (WAF).
  • DImplement an intrusion prevention system (IPS).

How the community answered

(26 responses)
  • A
    81% (21)
  • B
    4% (1)
  • C
    4% (1)
  • D
    12% (3)

Why each option

Reducing ICMP-based attack exposure begins with egress filtering at the network boundary to prevent malicious or spoofed ICMP traffic from leaving the organization and being used in amplification or reconnaissance attacks.

AImplement egress filtering at the organization's network boundary.Correct

Egress filtering at the network boundary is the first and most foundational step because it prevents internally sourced spoofed ICMP packets from leaving the network, which are commonly exploited in reflection and amplification attacks such as Smurf attacks. By controlling what ICMP traffic exits the organization, you reduce the network's participation in and exposure to these attack vectors before any deeper inspection mechanisms are needed. This boundary-level control is a prerequisite that makes subsequent controls like ACLs or IPS more effective.

BImplement network access control lists (ACL).

Network ACLs are a valid complementary control but are typically applied at internal segment boundaries rather than the network perimeter, making them a secondary measure rather than the first step in reducing ICMP attack exposure.

CImplement a web application firewall (WAF).

A Web Application Firewall (WAF) is designed to filter HTTP/HTTPS application-layer traffic and does not address ICMP-based attacks, which operate at the network layer (Layer 3), making it irrelevant as a first step here.

DImplement an intrusion prevention system (IPS).

An IPS is a detection and response tool that can identify ICMP-based attacks in progress, but it does not proactively prevent ICMP traffic from leaving or entering the network boundary, making it a reactive measure rather than the first step.

Concept tested: Egress filtering to mitigate ICMP-based network attacks

Source: https://www.cisecurity.org/insights/blog/the-importance-of-egress-filtering

Topics

#network security#ICMP attacks#egress filtering#network boundary

Community Discussion

No community discussion yet for this question.

Full CISSP Practice