Security Basics mailing list archives
RE: Removing ping/icmp from a network
From: Craig Wright <Craig.Wright () bdo com au>
Date: Thu, 27 Mar 2008 08:47:25 +1100
The simple answer is to limit ICMP. It is not needed by all hosts to all hosts. It is needed for selected purposes. As such, on a Windows network for instance GPEDIT.MSC may be used to create "IP Security Policies on Local Machine" with IP filters for ICMP. Allow Ping internally and block internet connections. Restrict other ICMP types to selected systems. See http://www.securityfocus.com/infocus/1559 Regards, Craig Wright (GSE-Compliance) -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ansgar -59cobalt- Wiechers Sent: Thursday, 27 March 2008 6:08 AM To: security-basics () securityfocus com Subject: Re: Removing ping/icmp from a network On 2008-03-26 Jason Thompson wrote:
ICMP is not vital for network operation, though it is convenient. PING isn't required at all,
Neither is traceroute. Yet I'd hate to be without without either of them.
ICMP unreachable messages don't do anything other than notify the receiver to stop trying to connect to a destination as it isn't alive (the receiver should get a hint of this when his SYN's don't get a SYN ACK),
Destination unreachable messages do quite a bit more than "notify the receiver to stop trying to connect", since they code field carries the information *why* the destination wasn't reached. Maybe that's not so important for joe.average@home, but it's pretty darn important for any network admin.
ICMP redirects shouldn't happen if your network is structured properly, and even if it's not, it just adds an extra hop.
What about "time exceeded"? What about "parameter problem"? What about "source quench"?
I don't see any ICMP messages that are a MUST for network operation.
No, they're not a MUST. Connections can also just silently fail, leaving you as a network admin at a total loss as to *why* they're failing. Brilliant idea, really.
That being said, if network monitoring is being done via SNMPv1 or v2 which isn't secure at all, ICMP is the least of your problems. I agree with a few here that you allow ICMP from trusted to untrusted, but not vice versa. And definitely NO ICMP from the Internet.
What the heck is so freakin' scary about inbound echo requests? (to public IP addresses, that is) ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite, and it's there for a reason. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- RE: DoD approved disk wiping tool, (continued)
- RE: DoD approved disk wiping tool Steve Armstrong (Mar 28)
- Re: DoD approved disk wiping tool Hattrickinc (Mar 28)
- Re: Removing ping/icmp from a network Mark Owen (Mar 25)
- Re: Removing ping/icmp from a network Ivan . (Mar 26)
- RE: Removing ping/icmp from a network Strykar (Mar 26)
- RE: Removing ping/icmp from a network Murda Mcloud (Mar 27)
- RE: Removing ping/icmp from a network Murda Mcloud (Mar 27)
- Re: Removing ping/icmp from a network Jason Thompson (Mar 26)
- RE: Removing ping/icmp from a network Worrell, Brian (Mar 26)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 26)
- RE: Removing ping/icmp from a network Craig Wright (Mar 26)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Mark Owen (Mar 27)
- R: Removing ping/icmp from a network Vega - Brunello Ivan (Mar 27)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Michael Painter (Mar 27)
- Re: Removing ping/icmp from a network Razi Shaban (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 31)
- RE: Removing ping/icmp from a network Ric Messier (Mar 28)