Educause Security Discussion mailing list archives

Re: ICMP blocking


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 6 Dec 2006 18:23:16 -0500

Gary Dobbins wrote:

> Quick survey:  Who's blocking ICMP subsets (like echo requests,
> traceroutes) at their borders?  Who's not?  Strong feelings about why in
> either case?

I don't have any strong feelings other than a tendency these
days to eliminate unnecessary risk ( i.e. default deny ). We're
more than happy to open access to something that is needed.

Certainly, doing so is not a huge security gain, but the alternative
means you're giving away the map anonymously.

ICMP redirects and router advertisements make me nervous too :)

Not sending type 3 "administratively prohibited" or "port
unreachable" messages may slow down scanning and automated
exploit attempts.

Not sending "administratively prohibited" messages may slow
someone down trying to map your access policies.

No security is perfect. Not implementing a simple security
measure with high ROI ( because the I is so low ) would seem
to me to be ignoring low hanging fruit unnecessarily.

Inbound, we generally block all ICMP except the following:

echo reply
time-exceeded
destination unreachable
source quench
time exceeded
timestamp reply
echo-requests to a few public systems and our border router
  interfaces

Outbound, we generally block all ICMP except the following:

timestamp
time-exceeded
packet-too-big
reassembly-timeout
source quench
destination unreachable - fragmentation needed and don't
  fragment was set

If someone sees something in those rules that may be screwing
things up, I'd be more than happy to hear about it.


> How polar is the community on this?

Heh. I suspect you'll get an earful. :)



--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

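The inbound and outbound ICMP allow-lists in the message above, modelled as a small policy evaluator and run over constructed packets. This is an added example, not James Madison University's configuration or anything posted in the thread. It assumes the ICMPv4 type/code numbers of RFC 792, reads the post's Cisco-style keywords as packet-too-big = type 3 code 4 and reassembly-timeout = type 11 code 1, and uses constructed addresses for the "few public systems and our border router interfaces".

```python
from dataclasses import dataclass

# ICMPv4 type numbers (RFC 792).
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, ROUTER_ADVERT, TIME_EXCEEDED = 8, 9, 11
TIMESTAMP, TIMESTAMP_REPLY = 13, 14
ANY = None  # wildcard for the code field

# Assumed mapping of the post's keywords to type/code (Cisco ACL meanings).
FRAG_NEEDED = (DEST_UNREACH, 4)         # "packet-too-big" / frag needed, DF set
REASSEMBLY_TIMEOUT = (TIME_EXCEEDED, 1)  # "reassembly-timeout"

# Constructed addresses standing in for "a few public systems and our
# border router interfaces": the only hosts that may receive echo-request.
PINGABLE = frozenset({"198.51.100.10", "198.51.100.1"})

# (type, code) pairs permitted per direction, as listed in the post.
INBOUND_ALLOW = frozenset({
    (ECHO_REPLY, ANY), (TIME_EXCEEDED, ANY), (DEST_UNREACH, ANY),
    (SOURCE_QUENCH, ANY), (TIMESTAMP_REPLY, ANY),
})
OUTBOUND_ALLOW = frozenset({
    (TIMESTAMP, ANY), (TIME_EXCEEDED, ANY), (SOURCE_QUENCH, ANY),
    FRAG_NEEDED, REASSEMBLY_TIMEOUT,
})


@dataclass(frozen=True)
class Icmp:
    direction: str  # "in" (from the Internet) or "out" (to the Internet)
    src: str
    dst: str
    type: int
    code: int = 0


def _permitted(allow, icmp_type, code):
    return (icmp_type, ANY) in allow or (icmp_type, code) in allow


def verdict(pkt: Icmp) -> str:
    """Return "allow" or "deny" for one ICMP packet under the posted policy."""
    if pkt.direction == "in":
        if pkt.type == ECHO_REQUEST:
            # Inbound ping is the one destination-specific exception.
            return "allow" if pkt.dst in PINGABLE else "deny"
        return "allow" if _permitted(INBOUND_ALLOW, pkt.type, pkt.code) else "deny"
    if pkt.direction == "out":
        return "allow" if _permitted(OUTBOUND_ALLOW, pkt.type, pkt.code) else "deny"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def sample_verdicts() -> dict:
    """Constructed packets covering the cases the post reasons about."""
    out, inn = "out", "in"
    ext, pub, host = "203.0.113.5", "198.51.100.10", "198.51.100.77"
    cases = {
        "ping to a listed public host": Icmp(inn, ext, pub, ECHO_REQUEST),
        "ping to an unlisted internal host": Icmp(inn, ext, host, ECHO_REQUEST),
        "inbound redirect": Icmp(inn, ext, host, REDIRECT, 1),
        "inbound router advertisement": Icmp(inn, ext, host, ROUTER_ADVERT),
        "inbound ttl-exceeded (our traceroute)": Icmp(inn, ext, host, TIME_EXCEEDED, 0),
        "outbound frag-needed (PMTUD)": Icmp(out, host, ext, DEST_UNREACH, 4),
        "outbound port-unreachable": Icmp(out, host, ext, DEST_UNREACH, 3),
        "outbound admin-prohibited": Icmp(out, host, ext, DEST_UNREACH, 13),
        "outbound ttl-exceeded (their traceroute)": Icmp(out, host, ext, TIME_EXCEEDED, 0),
        "outbound echo-reply from public host": Icmp(out, pub, ext, ECHO_REPLY),
    }
    return {name: verdict(p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, v in sample_verdicts().items():
        print(f"{v:5}  {name}")
```

Two things the verdicts make visible. Outbound echo-reply is not in the outbound list as posted, so on a stateless ACL the pings that are permitted in would get no reply out; a stateful border device that passes ICMP related to an accepted request is what makes that exception work. Outbound time-exceeded is permitted, so hops inside still answer an outsider's traceroute probes, while the absence of outbound port-unreachable means a UDP traceroute never sees its final-hop reply, which matches the post's stated aim of slowing scanners without breaking PMTU discovery (outbound type 3 code 4 stays open).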