Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: Jason <securitux () gmail com>
Date: Fri, 4 Apr 2008 20:06:38 -0400
Alright, one more crack at it.
> Then what does "finding a server on port whatever" have to do with a ping-sweep?

Misunderstanding, sorry. What I meant by "using ICMP to find a server running on port whatever" is using ICMP to find an active live device, which also likely has ports open.

> That's just obscurity, which won't gain you any security. At all. Not worth the time or effort you put into it.

It's not much effort, and it may... I'll describe below.

> Obscurity is NOT a replacement for due diligence. Which includes hardening Internet-facing systems.

You're absolutely correct. But if you've ever done any work outside of a few companies, you'd see just how often this is done... and we can recommend it until our face turns red, but how often will it be done?

> ??? By running additional services you increase the code base that's exposed to other networks.

Your first statement did not mention exposure. I'm saying it doesn't increase the code base, it simply exposes it. I understand what you mean though. ICMP is part of the code base of the OS IP stack, FYI. It's ALL software and sits in the kernel. So you ARE increasing the exposed code base by allowing the software module which controls ICMP to be exposed. Although the IP stack is already exposed, the ICMP module may have the vulnerability, possibly allowing it to be exposed for exploit; see below.

> As a matter of fact you *did* say it wouldn't. You even quoted the respective part (underlined above).

I said it serves no purpose for web services. Not that it serves no purpose, period.

> External firewalls are exposed anyway (by definition). As are Internet-facing servers. Your point being? You can't hide *and* expose a system at the same time. Not to mention that IP simply doesn't have the option to hide a system that's supposed to be accessible.

Not hide completely, but reduce the exposure.

> Ummm... no, as a matter of fact you can't. You can try to establish a connection to a TCP port, but that's completely different from ping.

nmap options -PA / -PS, tcping, hping3. These and a dozen others are just ways to check if a host is alive using TCP. If you want to argue semantics, it is considered a ping by most. But I'm not going to haul out Webster's.

> Any "seasoned network admins" worth their money are also (network) security professionals. You don't run a network without security considerations. Not successfully, that is.

I'd think so too...

> Again: either a host IS exposed, or it's NOT exposed. ICMP doesn't change anything AT ALL about that. It's merely adding some obscurity, which you don't need if you have security in the first place. And if you don't have security, then *that's* what you want to fix instead of applying snake-oil.
>
>> ICMP is not a required protocol for a web server, sorry. Convenient, yes. Required, no. If you believe it is then that's okay. That's the beauty of the Internet, everyone has an opinion.
>
> So basically you're justifying obscurity instead of security, because there are so many stup^Wintellectually challenged admins out there? What kind of argument do you think that is? You do realize that this list is about security, don't you?

I am not at all, please understand. What I am saying is that security by design comes first, and other steps might be required if some design is not immediately possible. Do you have any idea, ANY idea, how many organizations have difficulty integrating security into their business? To cite an example, a few companies could not install patches on their systems because their custom developed app was running a number of modules whose version wouldn't be supported if patches beyond a certain level were installed. So what, are they supposed to throw their support out the window and install the patches, possibly breaking a core app and bringing the business down? Or do they put some other measures in place to partially mitigate the risk for a time until the next version of the app comes out / is developed and supports the patches? You do realize that many networks are for businesses that use information systems as a means to accomplish their business goals; information systems is not most companies' business.

And even if they do consider themselves hardened and secure, etc., consider this: it doesn't take more than a few Google searches to find plenty of ways to use ICMP as a tunnel, or find any number of worms (Welchia for one) which used ping to discover hosts. I mean there is a vast history of this, and although people believe the IP stack is well secured now, there was another vulnerability (and subsequent exploit, to be sure) discovered against the Windows IP stack just a few months ago. It makes you wonder how many exploits are unknown. Check out MS08-001: http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx Covers a few known Windows IP stack issues, exploitable via ICMP as well, I might add (router discovery)... in fact it's apparently bad enough that a number of articles posted stated this could lead to the next big worm (a questionable statement, IMO). Remember patches against SQL Slammer were available 4-6 months before the worm was written.

Now I don't necessarily believe that personally, but who knows. Yes it may need to be turned on, but at the same time, I wonder if there isn't another way to take advantage of this. No matter how good you might think you are, there's always someone out there better than you and with a lot more time on their hands. Fact is so many people depend on the vulnerabilities and exploits they KNOW about, and I guarantee there are a ton of vulnerabilities and exploits that are not public knowledge. So with ALL that being said, from my personal standpoint, I'd much rather err on the side of caution myself and don't really care if 'x' can't ping my web server anyway. Of course I don't think that someone whose web server I can ping is crazy, or that a web server reachable via ping is a big issue, but it is just another one of those little things that just isn't necessary.

-J
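Added, illustrative example from the editor, not code from this mailing list post or from any participant: the two ICMP abuses the message mentions, ping-sweep host discovery (Welchia-style) and data tunnelled in echo payloads, can both be surfaced from ordinary firewall logs whether or not echo is filtered at the border. The log format, the thresholds, the address ranges and all the traffic below are constructed assumptions for the demonstration.

```python
"""Flag ICMP ping-sweeps and possible ICMP tunnelling in firewall-style logs.

Added example for illustration; not code from the thread. The log format,
thresholds and sample traffic are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed log format (constructed): "<ISO timestamp> <src> <dst> icmp <type> <icmp_len>"
def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for anything that is not a well-formed ICMP record."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "icmp":
        return None
    try:
        return {
            "ts": datetime.fromisoformat(parts[0]),
            "src": parts[1],
            "dst": parts[2],
            "type": parts[4],
            "len": int(parts[5]),
        }
    except ValueError:
        return None


def detect_sweeps(records: List[dict], window: timedelta = timedelta(seconds=10),
                  min_hosts: int = 20) -> Dict[str, int]:
    """Return {src: distinct_dst_count} for sources that sent echo-requests to at
    least min_hosts distinct destinations inside any span of length `window`.
    A sliding window per source keeps memory bounded on large logs."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        if r["type"] == "echo-request":
            by_src[r["src"]].append(r)
    alerts: Dict[str, int] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        seen: Dict[str, int] = defaultdict(int)  # dst -> hits inside the current window
        best = 0
        for r in recs:
            seen[r["dst"]] += 1
            while r["ts"] - recs[start]["ts"] > window:   # expire old records
                old = recs[start]["dst"]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        if best >= min_hosts:
            alerts[src] = best
    return alerts


def detect_tunnel_candidates(records: List[dict], max_len: int = 128,
                             min_packets: int = 5) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): n} for pairs exchanging at least min_packets echo
    packets larger than max_len bytes. Large, repeated echo payloads are an
    indicator of data carried over ICMP, not proof: MTU probing and some
    monitoring tools also send big pings, so treat hits as leads to review."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for r in records:
        if r["type"] in ("echo-request", "echo-reply") and r["len"] > max_len:
            counts[(r["src"], r["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_packets}


def build_sample_log() -> List[str]:
    """Constructed traffic: one sweeper, one tunnel-like pair, a few normal pings, one junk line."""
    base = datetime(2008, 4, 4, 20, 0, 0)
    lines: List[str] = []
    # Sweeper: 10.0.0.5 pings 192.168.1.1 .. 192.168.1.30 within three seconds
    for i in range(1, 31):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 192.168.1.{i} icmp echo-request 64")
    # Tunnel-like: 10.0.0.7 <-> 203.0.113.10 exchanging 1400-byte echo packets every second
    for i in range(8):
        ts = base + timedelta(seconds=30 + i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 203.0.113.10 icmp echo-request 1400")
        lines.append(f"{ts.isoformat()} 203.0.113.10 10.0.0.7 icmp echo-reply 1400")
    # Normal: 10.0.0.9 pings its gateway a handful of times
    for i in range(5):
        ts = base + timedelta(seconds=60 + i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 192.168.1.1 icmp echo-request 64")
    lines.append("garbage line that should be skipped")
    return lines


def analyse(lines: List[str]):
    """Run both detectors over raw log lines; returns (sweeps, tunnel_candidates)."""
    records = [r for r in map(parse_line, lines) if r is not None]
    return detect_sweeps(records), detect_tunnel_candidates(records)


if __name__ == "__main__":
    sweeps, tunnels = analyse(build_sample_log())
    print("ping-sweep sources:", sweeps)
    print("oversized echo pairs:", tunnels)
```

The sweep detector only counts distinct destinations, so a host that pings its gateway repeatedly never trips it, while the tunnel heuristic keys on payload size per pair and deliberately ignores how many hosts are involved. Both thresholds (20 hosts in 10 seconds, 5 packets over 128 bytes) are starting points to tune against a site's own baseline.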
Current thread:
- Re: Removing ping/icmp from a network Jason (Apr 01)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Apr 04)
- Re: Removing ping/icmp from a network Jason (Apr 07)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Apr 07)
- Re: Removing ping/icmp from a network Jason (Apr 07)
- Re: Removing ping/icmp from a network Jason (Apr 07)
- Re: Removing ping/icmp from a network Mark Owen (Apr 07)
- Re: Removing ping/icmp from a network Jason (Apr 07)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Apr 04)
- <Possible follow-ups>
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Apr 01)
- Re: Removing ping/icmp from a network Mike Preston - Technomonk Industries (Apr 01)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Apr 01)
- Re: Removing ping/icmp from a network krymson (Apr 02)