Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: "Mark Owen" <mr.markowen () gmail com>
Date: Tue, 25 Mar 2008 13:53:28 -0400
On Tue, Mar 25, 2008 at 12:29 PM, Secure This <lists () securethis net> wrote:
I have a variety of clients with data centres who all make use of icmp/ping to monitor their servers/appliances/devices (often with poorly configured snmp versions 1 and 2). Could anybody kindly advise me of tools and strategies for minimising or removing the use of icmp/ping on a supposedly secure network? Thanks in advance
Basic monitoring of a server should utilize ICMP to determine if it is online or not. If properly configured, traffic is very minimal and is used exactly as what it was designed for. Per RFC 1122, any host that receives an echo-request must respond with an echo-reply, making it very easy to determine if a host is up or not. Advanced monitoring, such as probing services' ports or SNMP, will be far more accurate but will require additional resources and traffic, though still fairly minute. To minimize ICMP traffic used for monitoring, you can set your monitoring software to check at a higher interval of time, check the service port for a response, or check SNMP instead. Overall, ICMP is a core essential of the Internet Protocol suite and is usually pointless to remove, especially seeing how the only way to generally remove ICMP is to actually block it with a hardware or software firewall. That said, within the same subnet I can not see any major issues with blocking ICMP if you absolutely had your mind set on it. Most firewalls will easily allow you to block ICMP. -- Mark Owen
Current thread:
- Re: Removing ping/icmp from a network, (continued)
- Re: Removing ping/icmp from a network Secure This (Mar 26)
- DoD aproved disk wiping tool JP Vicente (Mar 27)
- RE: DoD aproved disk wiping tool Timmothy Lester (Mar 27)
- Re: DoD aproved disk wiping tool John Syers (Mar 27)
- Re: DoD aproved disk wiping tool postmaster (Mar 27)
- Re: DoD aproved disk wiping tool Tremaine Lea (Mar 27)
- Re: Removing ping/icmp from a network Secure This (Mar 26)
- RE: DoD aproved disk wiping tool Kevin Ortloff (Mar 27)
- RE: DoD aproved disk wiping tool Arbogast, Paul (Citco) (Mar 28)
- RE: DoD approved disk wiping tool Steve Armstrong (Mar 28)
- Re: DoD approved disk wiping tool Hattrickinc (Mar 28)
- RE: Removing ping/icmp from a network Murda Mcloud (Mar 27)
- RE: Removing ping/icmp from a network Murda Mcloud (Mar 27)
- RE: Removing ping/icmp from a network Worrell, Brian (Mar 26)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 26)
- RE: Removing ping/icmp from a network Craig Wright (Mar 26)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Mark Owen (Mar 27)