Firewall Wizards mailing list archives
Re: ICMP and Traceroute
From: Robert McMahon <rmcm001 () us net>
Date: Tue, 18 May 1999 22:02:24 -0400
This is an interesting problem - security design personnel wanting to reduce your level of security. If you cannot altogether discourage this or at least come up with a compromise (e.g., hardened workstation on perimeter that would log users trying to use these tools) you may want to look at packet filtering.

If your hosts are using Win NT hosts, then you can get away with ICMP only filtering for both ping and traceroute. Regarding a traceroute type filter, Windows NT Tracert is the only implementation of traceroute that I know of that uses ICMP "both ways" - others may exist. Regarding most implementations of traceroute, you would have to filter on both UDP (outbound) and ICMP (inbound). See if your packet filter implementation will restrict inbound ICMP messages types 3 (destination unreachable: host, and network, port or other) and 11 (time exceeded). You might deny inbound UDP to protect outside-to-inside attacks.

Regarding ping type filters, hopefully your packet filter will permit filtering the particular kinds of ICMP packets (e.g., for Cisco router, it would be "echo" and "echo-reply"). You may want to deny inbound ICMP echo requests in your access list in order to prevent inbound scans. You could then log the access-list line matches (for both permit and deny statements) to a syslog server.

rm

Deepak Vaidya wrote:
Two more questions that came from the same group who need access to DNS outbound. They would like to be able to ping and traceroute external hosts from all the clients. We currently do not allow ICMP and traceroute packets inbound or outbound. We block all those at the router level. The group is responsible for client network and security design and they would like ping and traceroute for troubleshooting networks.

Thanks - Deepak
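The rule set described in the reply above, modelled as an added example (not code from the list or from either poster): an ordered, stateless filter that permits outbound UDP and echo, permits inbound echo-reply, unreachable and time-exceeded, denies inbound echo requests and inbound UDP, and logs which list line matched. The two generator functions build the constructed packet exchanges of a UDP-based traceroute and of Windows NT tracert so the filter can be checked against both; the packet model and rule format are assumptions of this example, not a particular router's syntax.

```python
from dataclasses import dataclass

# Constructed packet model: only the header fields the filter inspects.
@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (Internet -> site) or "out" (site -> Internet)
    proto: str            # "icmp" or "udp"
    icmp_type: int = -1   # 0 echo-reply, 3 unreachable, 8 echo, 11 time-exceeded
    dst_port: int = 0     # UDP destination port (traceroute uses 33434 and up)

# Ordered rule list mirroring the reply's policy: (direction, proto,
# icmp_type or None for "any", action). First match wins, then implicit deny.
RULES = [
    ("out", "icmp", 8,    "permit"),  # ping and NT tracert probes
    ("out", "udp",  None, "permit"),  # UNIX-style traceroute probes
    ("in",  "icmp", 0,    "permit"),  # echo-reply
    ("in",  "icmp", 3,    "permit"),  # destination unreachable (end of a trace)
    ("in",  "icmp", 11,   "permit"),  # time exceeded (one per traceroute hop)
    ("in",  "icmp", 8,    "deny"),    # inbound echo request: stops inbound scans
    ("in",  "udp",  None, "deny"),    # inbound UDP: stops outside-to-inside probes
]

def filter_packet(pkt, log):
    """Return 'permit' or 'deny' and append a syslog-style line for the match."""
    for line, (direction, proto, itype, action) in enumerate(RULES, start=1):
        if (pkt.direction, pkt.proto) == (direction, proto) and itype in (None, pkt.icmp_type):
            log.append(f"list-line {line} {action} {pkt.direction} {pkt.proto} "
                       f"type={pkt.icmp_type} dport={pkt.dst_port}")
            return action
    log.append(f"implicit deny {pkt.direction} {pkt.proto}")
    return "deny"

def unix_traceroute(hops):
    """Constructed exchange of a UDP traceroute: UDP out, ICMP 11 back per hop, ICMP 3 at the end."""
    pkts = []
    for ttl in range(1, hops + 1):
        pkts.append(Packet("out", "udp", dst_port=33434 + ttl - 1))
        pkts.append(Packet("in", "icmp", icmp_type=11 if ttl < hops else 3))
    return pkts

def nt_tracert(hops):
    """Constructed exchange of NT tracert: ICMP echo out, ICMP 11 back per hop, echo-reply at the end."""
    pkts = []
    for ttl in range(1, hops + 1):
        pkts.append(Packet("out", "icmp", icmp_type=8))
        pkts.append(Packet("in", "icmp", icmp_type=11 if ttl < hops else 0))
    return pkts

def trace_allowed(pkts):
    """True if every packet of an exchange passes the filter; also returns the log."""
    log = []
    return all(filter_packet(p, log) == "permit" for p in pkts), log
```

Because the rules are stateless, inbound type 3 and 11 messages are admitted whether or not a probe went out; tying them to the outbound flow needs a stateful filter.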