ICMP Best Practices for Firewall

Hello,
Is there a such Cisco documentation for ICMP best practices for firewall?
Thanks

Hello Joe,
I havent look for such a document but what I can tell you is the following?
ICMP is a protocol that let us troubleshoot or test whether IP routing is good on our network or if a host is live on our network so I can tell you that from that perspective this is definetly something good (Not to mention some of the other good usage that we can provide to this protocol such for PATH MTU Discovery, etc).
But you also have to be careful with this protocol as we all know it's also used to scan or discover hosts on our network.. Even to perform DoS attacks (Smurf attack, etc).
So what's the whole point of this post:
Well at least on my opinion I would allow ICMP on my network but I would definetly permit only the right ICMP code messages and I would protect my network against any known vulnerability regarding DoS attacks with ICMP, In this case I will still take advantage of the really useful protocol while protecting my enviroment,
Hope that I could help
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura

Similar Messages

Best practices for firewall external interface addressing

Hi all,
Can anyone explain what is more secure when addressing the outside interface of a firewall in a network diagram?
1st option:
                          ISP router:
                               interface 1 (connected to the internet).
                               interface 2 to the firewall with public ip address.
                           Firewall:
                               interface 1 (connected to the router): public ip address
                               interface 2 (connected to internal network): private ip address (RFC1918)
2nd option:
                         ISP router:
                              interface 2 (connected to the internet (ISP)).
                              interface 1 to the firewall with private ip address (RFC1918).
                         Firewall:
                             outside interface 2 (connected to the router): private ip address (RFC1918)
                             inside interface 1 (connected to internal network): private ip address (RFC1918)
Any response is welcome.

It's not so much what is more secure as where you want to do the NAT and how may public IPs you have.
So if you only has a small block of public IPs and you wanted to use them for NAT on the firewall then you could use a private link between the ISP router and the firewall.
Usually though an ISP gives you two blocks, a /30 for the point to point link and then a larger subnet for actual use on the firewall.
For a single ISP setup doing the NAT on the firewall is usually the way it is done especially if you are using VPNs as if you NAT on the router it can interfere with the VPN.
If you end up with multiple ISPs then you may need to move some or all of the NAT configuration to the routers although it is not always necessary and you may still do it on the firewall. It depends on a lot of other things such as IP addressing, ISP advertisement of public IPs etc.
Jon

Best practice for RDGW placement in RDS 2012 R2 deployment

Hi,
I have been setting up a RDS 2012 R2 farm deployment and the time has come for setting up the RDGW servers. I have a farm with 4 SH servers, 2 WA servers, 2 CB servers and 1 LS.
Farm works great for LAN and VPN users.
Now i want to add two domain joined RDGW servers.
The question is; I've read a lot on technet and different sites about how to set the thing up, but no one mentions any best practices for where to place them.
Should i:
- set up WAP in my DMZ with ADFS in LAN, then place the RDGW in the LAN and reverse proxy in
- place RDGW in the DMZ, opening all those required ports into the LAN
- place the RDGW in the LAN, then port forward port 443 into it from internet
Any help is greatly appreciated.
This posting is provided "AS IS" with no warranties or guarantees and confers no rights

Hi,
The deployment is totally depends on your & company requirements as many things to taken care such as Hardware, Network, Security and other related stuff. Personally to setup RD Gateway server I would not prefer you to select 1st option. But as per my research,
for best result you can use option 2 (To place RDG server in DMZ and then allowed the required ports). Because by doing so outside network can’t directly connect to your internal server and it’s difficult to break the network by any attackers. A perimeter
network (DMZ) is a small network that is set up separately from an organization's private network and the Internet. In a network, the hosts most vulnerable to attack are those that provide services to users outside of the LAN, such as e-mail, web, RD Gateway,
RD Web Access and DNS servers. Because of the increased potential of these hosts being compromised, they are placed into their own sub-network called a perimeter network in order to protect the rest of the network if an intruder were to succeed. You can refer
beneath article for more information.
RD Gateway deployment in a perimeter network & Firewall rules
http://blogs.msdn.com/b/rds/archive/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules.aspx
Hope it helps!
Thanks.
Dharmesh Solanki
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Best practice for install oracle 11g r2 on Windows Server 2008 r2

Dear all,
May I know what is the best practice for install oracle 11g r2 on windows server 2008 r2. Should I create a special account for windows for the oracle database installation? What permission should I grant to the folders where Oracle installed and the database related files located (datafiles, controlfiles, etc.)
Just grant Full for Administrators and System and remove permissions for all others accounts?
Also how should I configure windows firewall to allow client connect to the database.
Thanks for your help.

Hi Christian,
Check this on MOS
*RAC Assurance Support Team: RAC Starter Kit and Best Practices (Windows) [ID 811271.1]*
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=811271.1
DOC Modified: 14-DEC-2010
Regards,
Levi Pereira

Best practice for OSB to OSB communication

Cross posting this message:
I am currently in a project where we have two OSB that have to communicate. The OSBs are located in different security zones ("internal" and "secure"). All communication on a network level must be initiated from the secure zone to the internal zone. The message flow should be initated from the internal zone to the secure zone. Ideally we should establish a tcp connection from the secure zone to the internal zone, and then use SOAP over HTTP on this pre-established connection. Is this at all possible?
Our best approach now, is to establish a jms-queue in the internal zone and let both OSBs connect to this. All communication between the zone is then done over JMS. This is an approach that would work, but is it the only solution?
Can the t3/t3s protocol be used to achieve our goal? I.e. To have synchronous commincation over a pre-established connection (that is established the in opposite direction of the communication)?
Is there any other approach that might work?
What is considered best practice for sending messages from a OSB to another OSB in a more secure zone?
Edited by: hilmersen on 11.jun.2009 00:59

Hi,
In my experience in a live project, we have used secured communication (https) between internal service bus and DMZ/external service bus.
We also used two way SSL with customers.
The ports were also secured by firewall in between them.
If you wish more details, please email [email protected]
Ganapathi.V.Subramanian[VG]
Sydney, Australia
Edited by: Ganapathi.V.Subramanian[VG] on Aug 28, 2009 10:50 AM

Best Practice for trimming content in Sharepoint Hosted Apps?

Hey there,
I'm developing a Sharepoint 2013 App that is set to be Sharepoint Hosted. I have a section within the app that I'd like to be Configuration-related, so I would like to only allow certain users or roles to be able to access this content or even see
that it exists (i.e. an Admin button, if you will). What is the best practice for accomplishing this in Sharepoint 2013 Apps? Thusfar, I've been doing everything using jQuery and the REST api and I'm hoping there's a standard within this that I
should be using.
Thanks in advance to anyone who can weigh in here.
Mike

Hi,
According to
this documentation, “You must configure a new name in Domain Name Services (DNS) to host the apps. To help improve security, the domain name should not be a subdomain
of the domain that hosts the SharePoint sites. For example, if the SharePoint sites are at Contoso.com, consider ContosoApps.com instead of App.Contoso.com as the domain name”.
More information:
http://technet.microsoft.com/en-us/library/fp161237(v=office.15)
For production hosting scenarios, you would still have to create a DNS routing strategy within your intranet and optionally configure your firewall.
The link below will show how to create and configure a production environment for apps for SharePoint:
http://technet.microsoft.com/en-us/library/fp161232(v=office.15)
Thanks
Patrick Liang
Forum Support
Please remember to mark the replies as answers if they
help and unmark them if they provide no help. If you have feedback for TechNet
Subscriber Support, contact [email protected]
Patrick Liang
TechNet Community Support

Best practice for logging

Hi All,
I would like to know if there is any best practice document for Firewall logging. This would include
1. What level of logging is ideal
2. If a log is stored in a logging server, how long is it best to store the logs and retain the logs by a backup tape etc.
This can include for various industries like IT, Banking etc.
Any document pertaining to these would be helpful. Thanks in advance.
Regards,
Manoj

Hi All,
I would like to know if there is any best practice document for Firewall logging. This would include
1. What level of logging is ideal
2. If a log is stored in a logging server, how long is it best to store the logs and retain the logs by a backup tape etc.
This can include for various industries like IT, Banking etc.
Any document pertaining to these would be helpful. Thanks in advance.
Regards,
Manoj
Manoj,
Check out the below link for best practice for logging and prerequiste in cisco devices.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#logbest
http://www.ciscopartner.biz/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1110908
Hope to Help !!
Ganesh.H
Remember to rate the helpful post

Best practice for ASA Active/Standby failover

Hi,
I have configured a pair of Cisco ASA in Active/ Standby mode (see attached). What can be done to allow traffic to go from R1 to R2 via ASA2 when ASA1 inside or outside interface is down?
Currently this happens only when ASA1 is down (shutdown). Is there any recommended best practice for such network redundancy? Thanks in advanced!

Hi Vibhor,
I test ping from R1 to R2 and ping drop when I shutdown either inside (g1) or outside (g0) interface of the Active ASA. Below is the ASA 'show' failover' and 'show run',
ASSA1# conf t
ASSA1(config)# int g1
ASSA1(config-if)# shut
ASSA1(config-if)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Version: Ours 8.4(2), Mate 8.4(2)
Last Failover at: 14:20:00 SGT Nov 18 2014
This host: Primary - Active
Active time: 7862 (sec)
Interface outside (100.100.100.1): Normal (Monitored)
Interface inside (192.168.1.1): Link Down (Monitored)
Interface mgmt (10.101.50.100): Normal (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface outside (100.100.100.2): Normal (Monitored)
Interface inside (192.168.1.2): Link Down (Monitored)
Interface mgmt (0.0.0.0): Normal (Waiting)
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet2 (up)
Stateful Obj xmit xerr rcv rerr
General 1053 0 1045 0
sys cmd 1045 0 1045 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 2 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 5 0 0 0
User-Identity 1 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 9 1045
Xmit Q: 0 30 10226
ASSA1(config-if)#
ASSA1# sh run
: Saved
ASA Version 8.4(2)
hostname ASSA1
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0
nameif outside
security-level 0
ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ospf message-digest-key 20 md5 *****
ospf authentication message-digest
interface GigabitEthernet2
description LAN/STATE Failover Interface
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet4
nameif mgmt
security-level 0
ip address 10.101.50.100 255.255.255.0
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone SGT 8
access-list OUTSIDE_ACCESS_IN extended permit icmp any any
pager lines 24
logging timestamp
logging console debugging
logging monitor debugging
mtu outside 1500
mtu inside 1500
mtu mgmt 1500
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link FAILOVER GigabitEthernet2
failover interface ip FAILOVER 192.168.99.1 255.255.255.0 standby 192.168.99.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE_ACCESS_IN in interface outside
router ospf 10
network 100.100.100.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.0 area 0
area 0 authentication message-digest
area 1 authentication message-digest
log-adj-changes
default-information originate always
route outside 0.0.0.0 0.0.0.0 100.100.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.101.50.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.101.50.0 255.255.255.0 mgmt
ssh timeout 5
console timeout 0
tls-proxy maximum-session 10000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:fafd8a885033aeac12a2f682260f57e9
: end
ASSA1#

Best practice for intervlan routing?

are there some best practices for intervlan routing ?
I've been reading allot and I have seen these scenarios
router on a stick
intervlan at core layer
intervlan at distribution layer.
or is intervlan needed at all if the switches will do the routing?
I've done all of the above but I just want to know what's current.

The simple answer is it depends because there is no one right solution for everyone.
So there are no specific best practices. For example in a small setup where you may only need a couple of vlans you could use a L2 switch connected to a router or firewall using subinterfaces to route between the vlans.
But that is not a scalable solution. The commonest approach in any network where there are multiple vlans is to use L3 switches to do this. This could be a pair of switches interconnected and using HSRP/GLBP/VRRP for the vlans or it could be stacked switches/VSS etc. You would then dual connect your access layer switches to them.
In terms of core/distro/access layer in general if you have separate switches performing each function you would have the inter vlan routing done on the distribution switches for all the vlans on the access layer switches. The core switches would be used to route between the disribution switches and other devices eg. WAN routers, firewalls, maybe other distribution switch pairs.
Again, generally speaking, you may well not need vlans on the core switches at all ie. you can simply use routed links between the core switches and everything else.
The above is quite a common setup but there are variations eg. -
1) a collapsed core design where the core and distribution switches are the same pair. For a single building with maybe a WAN connection plus internet this is quite a common design because having a completely separate core is usually quite hard to justify in terms of cost etc.
2) a routed access layer. Here the access layer switches are L3 and the vlans are routed at the access layer. In this instance you may not not even need vlans on the distribution switches although again to save cost often servers are deployed onto those switches so you may.
So a lot of it comes down to the size of the network and the budget involved as to which solution you go with.
All of the above is really concerned with non DC environments.
In the DC the traditional core/distro or aggregation/access layer was also used and still is widely deployed but in relatively recent times new designs and technologies are changing the environment which could have a big impact on vlans.
It's mainly to do with network virtualisation, where the vlans are defined and where they are not only routed but where the network services such as firewalling, load balancing etc. are performed.
It's quite a big subject so i didn't want to confuse the general answer by going into it but feel free to ask if you want more details.
Jon

Best practices for setting up users on a small office network?

Hello,
I am setting up a small office and am wondering what the best practices/steps are to setup/manage the admin, user logins and sharing privileges for the below setup:
Users: 5 users on new iMacs (x3) and upgraded G4s (x2)
Video Editing Suite: Want to connect a new iMac and a Mac Pro, on an open login (multiple users)
All machines are to be able to connect to the network, peripherals and external hard drive. Also, I would like to setup drop boxes as well to easily share files between the computers (I was thinking of using the external harddrive for this).
Thank you,

Hi,
Thanks for your posting.
When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
For more and detail information, please refer to:
Best Practices for Adding Domain Controllers in Remote Sites
http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
Regards.
Vivian Wang

Best-practice for Catalog Views ? :|

Hello community,
A best practice question:
The situtation: I have several product categories (110), several items in those categories (4000) and 300 end-users. I would like to know which is the best practice for segment the catalog. I mean, some users should only see categories 10,20 & 30. Other users only category 80, etc. The problem is how can I implement this ?
My first idea is:
1. Create 110 Procurement Catalogs (1 for every prod.category). Each catalog should contain only its product category.
2. Assign in my Org Model, in a user-level all the "catalogs" that the user should access.
Do you have any idea in order to improve this ?
Saludos desde Mexico,
Diego

Hi,
Your way of doing will work, but you'll get maintenance issues (to many catalogs, and catalog link to maintain for each user).
The other way is to built your views in CCM, and assign these views to the users, either on the roles (PFCG) or on the user (SU01). The problem is that with CCM 1.0 this is limitated, cause you'll have to assign one by one the items to each view (no dynamic or mass processes), it has been enhanced in CCM 2.0.
My advice:
-Challenge your customer about views, and try to limit the number of views, with for example strategic and non strategic
-With CCM 1.0 stick to the procurement catalogs, or implement BADIs to assign items to the views (I experienced it, it works, but is quite difficult), but with a limitated number of views
Good luck.
Vadim

Best Practice for Securing Web Services in the BPEL Workflow

What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
They are all deployed on the same oracle application server.
Defining agent for each?
Gateway for all?
BPEL security extension?
The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
Regards
Farbod

It doesnt matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
Typical probelm with any gateway architecture is that the service is available without any security enforcement when accessed directly.
You can enforce rules at your network layer to allow access to the App server only from Gateway.
When you have the liberty to use OWSM or any other WS-Security products, i would stay away from any extensions. Two things to consider
The next BPEL developer in your project may not be aware of Security extensions
Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
Thanks
Ram

Best practice for multi-language content in common areas

I've got a site with some text in header/footer/nav that needs to be translated between an English and Spanish site, which use the same design. My intention was to set up all the text as content to facilitate. However, if I use a standard dialog with the component's path set to a child of the current page node, I would need to re-enter the text on every page. If I use a design dialog, or a standard dialog with the component's path set absolutely, the Engilsh and Spanish sites will share the same text. If I use a standard dialog with the component's path set relatively (eg path="../../jcr:content/myPath"), the pages using the component would all need to be at the same level of the hierarchy.
It appears that the Geometrixx demo doesn't address this situation, and leaves copy in English. Is there a best practice for this scenario?

I'm finding that something to the effect of <cq:include path="<%= strCommonContentPath + "codeEntry" %>" resourceType ...
works fine for most components, but not for parsys, or a component containing a parsys. When I attempt that, I get a JS error that says "design.path is null or not an object". Is there a way around this?

Best Practice for utility in Sol Man 4.0

We have software component ST-ICO of release 150_700 with Patch level 5
We want a Template Selection for Utility industry. I checked in
the service market place and found that 'Baseline Package United
Kingdom V1.50, Template: BP_BLKU150' is available in the above software
component.
But we are not getting any templates other than 'BP_UTUS147 - Best Practices for Water Utility' in the 'SOLAR_PROJECT_ADMIN'
transaction.
Kindly suggest any patch needs to be applied or some configuration need to be done.
Regards
Mani

Hi Mani,
Colud u plz give me the link of "where u find the template BP_BLKU150"?
It will be helpful for me.
Thanks
Senthil

Best Practices for SRM Installation !!

Hi
can someone share the best Practices for SRM Installation ?
What is the typical timeframe to install SRM on development server and as well as on the Production server ?
Appericiate the responses
Thanks,
Arvind

Hi
I don't know whether this will help you.
See these links as well.
<b>http://help.sap.com/bp_epv170/EP_US/HTML/Portals_intro.htm
http://help.sap.com/bp_scmv150/index.htm
http://help.sap.com/bp_biv170/index.htm
http://help.sap.com/bp_crmv250/CRM_DE/index.htm</b>
Hope this will help.
Please reward suitable points.
Regards
- Atul

ICMP Best Practices for Firewall

Similar Messages

Maybe you are looking for