Educause Security Discussion mailing list archives
Re: ICMP blocking
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 6 Dec 2006 18:23:16 -0500
Gary Dobbins wrote:
> Quick survey: Who's blocking ICMP subsets (like echo requests, traceroutes) at their borders? Who's not? Strong feelings about why in either case?

I don't have any strong feelings other than a tendency these days to eliminate unnecessary risk (i.e. default deny). We're more than happy to open access to something that is needed.
Certainly, doing so is not a huge security gain, but the alternative means you're giving away the map anonymously.
ICMP redirects and router advertisements make me nervous too :)

Not sending type 3 "administratively prohibited" or "port unreachable" messages may slow down scanning and automated exploit attempts. Not sending "administratively prohibited" messages may slow someone down trying to map your access policies.

No security is perfect. Not implementing a simple security measure with high ROI (because the I is so low) would seem to me to be ignoring low hanging fruit unnecessarily.

Inbound, we generally block all ICMP except the following:
- echo reply
- time-exceeded
- destination unreachable
- source quench
- time exceeded
- timestamp reply
- echo-requests to a few public systems and our border router interfaces

Outbound, we generally block all ICMP except the following:
- timestamp
- time-exceeded
- packet-too-big
- reassembly-timeout
- source quench
- destination unreachable - fragmentation needed and don't fragment was set

If someone sees something in those rules that may be screwing things up, I'd be more than happy to hear about it.

> How polar is the community on this?

Heh. I suspect you'll get an earful. :)

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
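The border allow-lists described in the message, written out as an nftables ruleset for a Linux border router. This is an added example, not configuration from the original post or from JMU; the interface name `wan0`, the 203.0.113.0/24 documentation prefix and the two "pingable" addresses are placeholders, and the Cisco-style keywords in the post are mapped to IPv4 ICMP type/code numbers in the comments.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny ICMP at the border, with the post's exceptions.
# Assumptions: wan0 is the border interface; 203.0.113.1 and 203.0.113.10
# stand in for the "few public systems and border router interfaces".
define border   = "wan0"
define pingable = { 203.0.113.1, 203.0.113.10 }

table inet icmp_policy {
    # transit traffic crosses the forward hook; non-ICMP is left alone here
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname $border meta l4proto icmp jump icmp_in
        oifname $border meta l4proto icmp jump icmp_out
    }

    chain icmp_in {
        # echo reply (0), time exceeded (11, all codes), destination
        # unreachable (3, all codes), source quench (4), timestamp reply (14)
        icmp type { echo-reply, time-exceeded, destination-unreachable,
                    source-quench, timestamp-reply } accept
        # echo request (8) only toward the designated public hosts
        icmp type echo-request ip daddr $pingable accept
        # redirect (5), router advertisement (9) and all other types: dropped
        drop
    }

    chain icmp_out {
        # timestamp request (13), time exceeded (11, which includes code 1
        # "reassembly-timeout"), source quench (4)
        icmp type { timestamp-request, time-exceeded, source-quench } accept
        # destination unreachable (3) only with code 4 "fragmentation needed
        # and DF set" (Cisco "packet-too-big"); keeps path MTU discovery working
        icmp type destination-unreachable icmp code frag-needed accept
        # not in the post's outbound list, added here so the permitted inbound
        # pings to $pingable actually get answered: echo reply (0) from those hosts
        icmp type echo-reply ip saddr $pingable accept
        # admin-prohibited (3/13), port-unreachable (3/3) etc. never leave
        drop
    }
}
```

Load with `nft -f` on the border host; `nft list ruleset` then shows the per-rule counters once `counter` statements are added to the accept and drop lines for auditing.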