Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: Jason <securitux () gmail com>
Date: Fri, 28 Mar 2008 12:34:10 -0400
> ICMP tunneling, Any kind of packet can be (mis-)used for tunneling. That's not limited to ICMP. To prevent that you'd have to whitelist outbound connections, which is simply not feasible in most scenarios.
Yes, but its likely to go unnoticed as many vendors configure firewalls to allow and not log ICMP due to heavy network noise. And ICMP is trusted by most admins. "What harm could possibly come from ping?". In security you learn to trust nothing.
> host discovery to see if a device is active So, what if the device is active? If it shouldn't be accessible from the outside: don't make it accessible from the outside. If it shouldn't be accessible from parts of your network: do proper segmentation, so those who should have access are inside the segment and those who shouldn't have access are not. However, if the device should be accessible, there's no point in suppressing ICMP.
Think about this though... If an attacker attempts to sweep the outside using ICMP to see if hosts are active, and some do, and they don't find that server running on port whatever, they will move on to more tempting targets like the ones that do respond. Why on earth would you open a service that will increase your capability of being discovered by those with malicious intent if the service isn't required?
> The idea is to limit your Internet footprint to make it as difficult > as possible for an attacker. Nonsense. What you really want to do is to separate your publicly accessible servers from your internal network (in a DMZ) and do proper firewalling between your network segments. Snake-oil like dropping ICMP packets is *not* helping.
Would you agree that opening ports that aren't necessary is a bad practice? Then why open ICMP which also serves no real purpose for web services? Properly firewalled actually means blocking unnecessary services as well as infrastructure layout.
> There is no need for a web server to respond to ping from the Internet > for example. Of course there is. ping is the easiest (or rather: the appropriate) way to determine if the server is online. And yes, that is relevant information when someone runs into problems accessing your webserver.
Well MS hasn't been able to be pinged for x years, they seem to be getting along just fine. What about all the other web sites on the net that don't respond to ping, and the majority don't, are you saying that they are all wrong and that blocking ping is the wrong thing to do? They all seem to get along just fine. And when I, and I am sure many other technical people, can't ping a web site and response to it is very slow they don't throw their hands up in the air and say their servers are unreliable and they are breaking the Internet, they say that it is likely being blocked like most sites do, and try to use other means of determining the problem. Like using tcpdump or other monitoring and troubleshooting tools. We're not talking what's easy here. We're talking what's secure.
> This is a security forum after all? This is a mailing list, not a forum, and yes, it is about security. Snake-oil does not qualify as such, though.
Lol.. ok..
> Try to remember, there is NO security built into the Internet Protocol > suite, which was developed in the 60's. Just because something is > there for a reason, doesn't mean it should not be subject to scrutiny. Last time I checked "scrutiny" was not defined as "ignoring the reason why something was invented to begin with".
Lots of things were 'invented for a reason'. SNMP for example. Does that mean that if something was invented for a reason it has to be allowed? No. Again, these protocols were invented when security was not a consideration at all. Granted ICMP doesn't have near the issues that nasty little beast has, but it is still not needed. Take a survey of security professionals and even the more seasoned network admins and ask how many of them depend on ICMP to determine if a web site, or ANYTHING, is up or not. I guarantee the answer you will get is: "I use it, but if it doesn't respond I use other methods because most vendors block ping to their web servers anyway". Please don't get me wrong, I am not saying that ping is useless, its not, and you're right it makes life a little easier for network admins. But I believe, and I am sure others do as well, the mild convenience caused by allowing it to a web server or other Internet facing device does not justify the increased exposure. -J
Current thread:
- Re: Removing ping/icmp from a network, (continued)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Michael Painter (Mar 27)
- Re: Removing ping/icmp from a network Razi Shaban (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 31)
- RE: Removing ping/icmp from a network Ric Messier (Mar 28)
- RE: Removing ping/icmp from a network Adewale, Akin (IT Services - Infosec Team) (Mar 28)
- RE: Removing ping/icmp from a network Craig Wright (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Jason (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 31)
- Re: Removing ping/icmp from a network Jon R. Kibler (Mar 26)
- Re: Removing ping/icmp from a network Jason (Mar 26)