CISSP Official Study Guide pg 824, "Active Response":
"Active responses can modify the environment using several different methods. Typical responses include modifying firewall ACLs to block traffic based on ports, protocols, and source addresses, and even disabling all communications over specific cable segments. For example, if an IDS detects a SYN flood attack from a single IP address, the IDS can change the ACL to block all traffic from this IP address. Similarly, if the IDS detects a ping flood attack from multiple IP addresses, it can change the ACL to block all ICMP traffic."
Answer A)
Although I found interesting articles about egress filtering and ICMP attacks, the fact still remains that network ACLs can do both ingress and egress filtering at the network boundary.
Here are the interesting articles:
https://www.ietf.org/rfc/rfc5927.html#section-4:~:text=As%20with
https://www.giac.org/paper/gsec/705/egress-filtering-keeping-internet-safe-systems/101588
Best Practices and Considerations in Egress Filtering (cmu.edu)
It looks like D to me.
Implementing egress filtering at the organization's network boundary refers to the practice of controlling outgoing traffic from an organization's network to the Internet. While egress filtering can help prevent some types of attacks, such as data theft and malware propagation, it may not necessarily reduce exposure to ICMP-based attacks.
ICMP-based attacks typically involve sending ICMP packets to a victim's IP address or network, causing it to become overwhelmed with requests and making it unavailable for legitimate users. The primary way to mitigate these types of attacks is by restricting or blocking certain types of ICMP traffic using network access control lists (ACLs).
Therefore, implementing egress filtering at the organization's network boundary alone might not be as effective in preventing ICMP-based attacks compared with implementing network ACLs that can specifically block unwanted/unnecessary ICMP traffic based on their characteristics such as source/destination IP address or port numbers.
It's got to be D.
The question says 'first step' in reducing the risk. Blacklisting an IP that is sending you bad traffic is a response, not a first step. The egress filtering is preventative and stops the formation of a covert ICMP channel.
You do not blacklist an IP; you make an ACL to block all inbound ICMP traffic. Your first action would be to assume the burglar is already inside and try to catch him at the door? No, your first action is to lock the door with an ACL.
D. Implement egress filtering at the organization's network boundary.
The first step in reducing the exposure of a network to Internet Control Message Protocol (ICMP) based attacks is to implement egress filtering at the organization's network boundary. Egress filtering is the process of monitoring and controlling outbound traffic from the organization's network. It can be used to block or limit the types of traffic that can leave the network, such as ICMP traffic. By implementing egress filtering, the organization can prevent malicious ICMP traffic from leaving the network and reaching its intended target.
I will go with D.
We should filter egress traffic to respond to ICMP messages from the WAN while keeping ICMP messages enabled or responding from the LAN.
reference : https://blog.paessler.com/disabling-icmp-and-snmp-wont-increase-security-but-will-impact-network-monitoring
The first step in reducing the exposure of a network to ICMP based attacks according to CISSP is to implement egress filtering at the organization's network boundary. This involves setting up rules that determine which types of traffic are allowed to leave the network and which are not. Egress filtering can help to prevent attackers from using ICMP to exfiltrate data from the network or to launch other types of attacks. Other measures, such as implementing network access control lists (ACLs) and an intrusion prevention system (IPS), may also be effective in mitigating the risk of ICMP based attacks, but implementing egress filtering at the network boundary is typically the first step in this process.
D. Implement egress filtering at the organization's network boundary.
Egress filtering involves checking outgoing traffic from a network to ensure that it conforms to the organization's security policies. This can help to reduce the exposure of the network to Internet Control Message Protocol (ICMP) based attacks by blocking or limiting the types of ICMP messages that are allowed to leave the network. This can help to prevent attackers from using ICMP messages to probe the network for vulnerabilities or to carry out other types of attacks. Egress filtering should be implemented at the organization's network boundary, such as at a firewall or router, to ensure that all outgoing traffic is checked.
Common ingress filters and egress filters can be used to block spoofed packets that often relate to malware, botnets, and other unwanted activities.
Egress filtering prevents any unauthorized or malicious traffic to leave the internal network. Information flowing from the internal network to the internet is monitored and controlled. TCP/IP packets that are being sent out of the internal network are examined through a router, firewall, or a similar edge device.
Example: Payment Card Industry Data Security Standard (PCI DSS) requires egress filtering from any server in the cardholder environment.
I am going to disagree with A. An ICMP attack is more than likely coming from the outside of the network; an ACL would do nothing to stop this from happening. An ACL is used to control access to this file or that server, and an attacker is not going to be on the ACL.
You can prevent Ping Attacks by:
- Configuring your firewall to block ICMP pings from entering your network at the perimeter.
- Adding filters to tell your router to detect and drop malformed data packets or those coming from suspicious sources.
- Looking for spoofed packets that do not originate from within your network, also known as egress filtering.
- Installing network monitoring software to alert for traffic patterns that are not ordinary.
- Scanning your network for open ports on a regular basis that is outside of your baseline.
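Added example (not code from the thread, the study guide, or any vendor): a small Python simulation of the boundary ACL the posts above argue about. It applies a static ICMP policy in both directions, drops spoofed packets on egress (source not in the internal range) and ingress (internal source arriving from outside), and implements the IDS-style active response quoted from the study guide at the top, adding a deny entry for a source that sends an echo-request flood. The address ranges, the permitted ICMP types, the flood threshold and window, and the sample packets are all assumptions constructed for illustration.

```python
"""Boundary ACL simulation: ingress/egress ICMP policy, anti-spoofing checks,
and an IDS-style active response that adds a deny entry on an echo-request flood.
All ranges, types, thresholds and packets below are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed internal address space of the organization.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# ICMP type numbers (from RFC 792) used by the assumed policy.
ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
# Inbound: replies and error messages that internal hosts need (ping out, PMTUD,
# traceroute); inbound echo requests are not answered.
INGRESS_ICMP_ALLOWED = {ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED}
# Outbound: internal hosts may ping out and send unreachables; no echo replies leave.
EGRESS_ICMP_ALLOWED = {ICMP_ECHO_REQUEST, ICMP_UNREACHABLE}

# Assumed active-response parameters: more than FLOOD_THRESHOLD inbound echo
# requests from one source within FLOOD_WINDOW seconds puts the source on the deny list.
FLOOD_THRESHOLD = 5
FLOOD_WINDOW = 1.0


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


class BoundaryAcl:
    def __init__(self) -> None:
        self.dynamic_deny: set = set()               # sources added by the active response
        self._echo_times = defaultdict(deque)        # src -> recent echo-request timestamps

    @staticmethod
    def is_internal(addr: str) -> bool:
        a = ip_address(addr)
        return any(a in net for net in INTERNAL_NETS)

    def filter_egress(self, pkt: Packet) -> Tuple[str, str]:
        """Packet leaving the network (seen on the inside interface)."""
        if not self.is_internal(pkt.src):
            return "drop", "egress: source not in internal range (spoofed)"
        if pkt.proto == "icmp" and pkt.icmp_type not in EGRESS_ICMP_ALLOWED:
            return "drop", f"egress: icmp type {pkt.icmp_type} not permitted outbound"
        return "accept", "egress: permitted"

    def filter_ingress(self, pkt: Packet, now: float = 0.0) -> Tuple[str, str]:
        """Packet entering the network (seen on the outside interface)."""
        if pkt.src in self.dynamic_deny:
            return "drop", "ingress: source on dynamic deny list"
        if self.is_internal(pkt.src):
            return "drop", "ingress: internal source arriving from outside (spoofed)"
        if pkt.proto == "icmp":
            if pkt.icmp_type == ICMP_ECHO_REQUEST:
                self._note_echo_request(pkt.src, now)  # active response bookkeeping
            if pkt.icmp_type not in INGRESS_ICMP_ALLOWED:
                return "drop", f"ingress: icmp type {pkt.icmp_type} not permitted inbound"
        return "accept", "ingress: permitted"

    def _note_echo_request(self, src: str, now: float) -> None:
        """Sliding-window counter; exceeding the threshold blocks ALL traffic from src."""
        times = self._echo_times[src]
        times.append(now)
        while times and now - times[0] > FLOOD_WINDOW:
            times.popleft()
        if len(times) > FLOOD_THRESHOLD:
            self.dynamic_deny.add(src)


def run_demo() -> dict:
    """Evaluate a set of constructed packets and return the verdict for each case."""
    acl = BoundaryAcl()
    r = {}
    # Internal host pings an external address: allowed out.
    r["ping_out"] = acl.filter_egress(Packet("10.1.2.3", "203.0.113.5", "icmp", ICMP_ECHO_REQUEST))[0]
    # External host pings an internal address: dropped at the perimeter.
    r["ping_in"] = acl.filter_ingress(Packet("203.0.113.5", "10.1.2.3", "icmp", ICMP_ECHO_REQUEST))[0]
    # Echo reply returning to the internal host: allowed, so outbound ping still works.
    r["reply_in"] = acl.filter_ingress(Packet("203.0.113.5", "10.1.2.3", "icmp", ICMP_ECHO_REPLY))[0]
    # Outbound packet with a non-internal source address: egress anti-spoofing drops it.
    r["spoof_out"] = acl.filter_egress(Packet("198.51.100.9", "203.0.113.5", "udp"))[0]
    # Outbound echo reply: dropped, internal hosts do not answer external pings.
    r["reply_out"] = acl.filter_egress(Packet("10.1.2.3", "203.0.113.5", "icmp", ICMP_ECHO_REPLY))[0]
    # Flood: ten echo requests in half a second from one source triggers the active response.
    for i in range(10):
        acl.filter_ingress(Packet("203.0.113.77", "10.1.2.3", "icmp", ICMP_ECHO_REQUEST), now=i * 0.05)
    r["flood_src_denied"] = "203.0.113.77" in acl.dynamic_deny
    # After the response, even TCP from that source is dropped by the dynamic deny entry.
    r["flood_tcp_after"] = acl.filter_ingress(Packet("203.0.113.77", "10.1.2.3", "tcp"), now=1.0)[0]
    return r


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:18} {verdict}")
```

Direction is passed in by which filter is called, mirroring a real boundary device that classifies by interface rather than by address; the anti-spoofing checks then catch packets whose addresses contradict that direction, which is the egress-filtering point several posts raise. The dynamic deny set is the study guide's "change the ACL to block all traffic from this IP address", kept separate from the static policy so it can be aged out or reviewed independently.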