Firewall Wizards mailing list archives

Re: ICMP and Traceroute


From: Robert McMahon <rmcm001 () us net>
Date: Tue, 18 May 1999 22:02:24 -0400

This is an interesting problem - security design personnel wanting to reduce
your level of security.  If you cannot altogether discourage this or at least
come up with a compromise (e.g., hardened workstation on perimeter that would
log users trying to use these tools) you may want to look at packet
filtering.  If your hosts are Win NT hosts, then you can get away with
ICMP-only filtering for both ping and traceroute.

Regarding a traceroute type filter, Windows NT Tracert is the only
implementation of traceroute that I know of that uses ICMP "both ways" -
others may exist.  Regarding most implementations of traceroute, you would
have to filter on both UDP (outbound) and ICMP (inbound).  See if your packet
filter implementation will restrict inbound ICMP message types 3
(destination unreachable: host, network, port or other) and 11 (time
exceeded).  You might deny inbound UDP to protect against outside-to-inside attacks.

Regarding ping type filters, hopefully your packet filter will permit
filtering the particular kinds of ICMP packets (e.g., for Cisco router, it
would be "echo" and "echo-reply").  You may want to deny inbound ICMP echo
requests in your access list in order to prevent inbound scans.

You could then log the access-list line matches (for both permit and deny
statements) to a syslog server.

rm
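As an added illustration (not part of the original post), the rules above modelled as a stateless, first-match access list in Python: permit outbound echo / inbound echo-reply for ping, permit outbound UDP probes and inbound ICMP types 3 and 11 for traceroute, deny inbound echo-request and inbound UDP, and log every match. The UDP probe port range and the log format are assumptions; other services (e.g. DNS) are left out.

```python
# Added example, not from the original post. A first-match packet filter
# implementing only the ping/traceroute rules discussed above; anything that
# matches no rule hits an implicit deny, as on a Cisco access list.
from dataclasses import dataclass

ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
# Classic Unix traceroute probes use this UDP port range (assumed here).
TRACEROUTE_UDP_PORTS = range(33434, 33534)


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (outside->inside) or "out" (inside->outside)
    proto: str          # "icmp" or "udp"
    icmp_type: int = -1
    dst_port: int = -1


# (direction, proto, matcher, action, label); evaluated top to bottom.
RULES = [
    ("out", "icmp", lambda p: p.icmp_type == ICMP_ECHO_REQUEST, "permit", "ping-out"),
    ("in", "icmp", lambda p: p.icmp_type == ICMP_ECHO_REPLY, "permit", "ping-reply"),
    ("in", "icmp", lambda p: p.icmp_type == ICMP_ECHO_REQUEST, "deny", "inbound-scan"),
    ("out", "udp", lambda p: p.dst_port in TRACEROUTE_UDP_PORTS, "permit", "trace-probe"),
    ("in", "icmp", lambda p: p.icmp_type in (ICMP_UNREACHABLE, ICMP_TIME_EXCEEDED),
     "permit", "trace-answer"),
    ("in", "udp", lambda p: True, "deny", "udp-inbound"),
]


def evaluate(pkt: Packet, log: list) -> str:
    """Return 'permit' or 'deny' and append a syslog-style line for the match."""
    for direction, proto, match, action, label in RULES:
        if pkt.direction == direction and pkt.proto == proto and match(pkt):
            log.append(f"{action.upper()} {label} {pkt}")
            return action
    log.append(f"DENY implicit {pkt}")
    return "deny"


def unix_traceroute_flow(log: list) -> list:
    """Decisions for one UDP probe, its ICMP time-exceeded, and the final port-unreachable."""
    return [evaluate(p, log) for p in (
        Packet("out", "udp", dst_port=33434),
        Packet("in", "icmp", icmp_type=ICMP_TIME_EXCEEDED),
        Packet("in", "icmp", icmp_type=ICMP_UNREACHABLE),
    )]
```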

Deepak Vaidya wrote:

Two more questions that came from the same group who need access to DNS
outbound.  They would like to be able to ping and traceroute external
hosts from all the clients.

We currently do not allow ICMP and traceroute packets inbound or outbound.  We
block all those at the router level.  The group is responsible for
client network and security design and they would like ping and
traceroute for troubleshooting networks.

Thanks
- Deepak
