GCIH Question #501: Real Exam Question with Answer & Explanation
The correct answer is D: Filter ICMP at the perimeter, allowing ICMP only from trusted sources.
Reconnaissance, Scanning, and Enumeration
Question
Which of the following will best protect your network from being mapped by untrusted, external sources, while still allowing trusted sources to verify network connectivity with ping requests and replies?
Options
- A. Use settings on a network mapping tool to limit inbound ICMP and protect your network
- B. Establish an IDS on the DMZ to alert on all inbound ICMP requests
- C. Shut down ICMP and traceroute on your internal servers
- D. Filter ICMP at the perimeter, allowing ICMP only from trusted sources
Explanation
Filtering ICMP at the network perimeter and permitting it only from trusted sources prevents untrusted parties from using ICMP-based mapping while preserving legitimate ping functionality for trusted hosts.
Common mistakes
- A. Network mapping tool settings control the outbound scanning behavior of that tool and do not restrict inbound ICMP packets arriving from untrusted external sources.
- B. An IDS can detect and alert on ICMP traffic but does not block or filter it, so untrusted sources can still complete network mapping attempts unimpeded.
- C. Disabling ICMP on internal servers does not prevent external mapping of the network perimeter, and it removes legitimate diagnostic capability for all sources, including trusted ones.
Concept tested: Perimeter ICMP filtering to prevent network reconnaissance
Reference: https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html
Topics
- #ICMP filtering
- #perimeter security
- #network mapping defense
- #trusted sources