Security Basics mailing list archives

Re: Removing ping/icmp from a network


From: Jason <securitux () gmail com>
Date: Fri, 4 Apr 2008 20:06:38 -0400

Alright, one more crack at it.


> Then what does "finding a server on port whatever" have to do with a
> ping-sweep?

Misunderstanding, sorry. What I meant by "using ICMP to find a server
running on port whatever" is that using ICMP to find an active live
device, which also likely has ports open.



> That's just obscurity, which won't gain you any security. At all. Not
> worth the time or effort you put into it.



It's not much effort, and it may... I'll describe below.


> Obscurity is NOT a replacement for due diligence. Which includes
> hardening Internet-facing systems.

You're absolutely correct. But if you've ever done any work outside of
a few companies, you'd see just how often this is done... and we can
recommend it until our face turns red but how often will it be done?


> ???
>
> By running additional services you increase the code base that's exposed
> to other networks.

Your first statement did not mention exposure. I'm saying it doesn't
increase the code base, it simply exposes it. I understand what you
mean though.

ICMP is part of the code base of the OS IP stack FYI. It's ALL
software and sits in the kernel. So you ARE increasing the exposed
code base by allowing the software module which controls ICMP to be
exposed. Although the IP stack is already exposed, the ICMP module may
have the vulnerability, possibly allowing it to be exposed for
exploit, see below.

> As a matter of fact you *did* say it wouldn't. You even quoted the
> respective part (underlined above).


I said it serves no purpose for web services. Not that it serves no
purpose period.


> External firewalls are exposed anyway (by definition). As are Internet-
> facing servers. Your point being? You can't hide *and* expose a system
> at the same time. Not to mention that IP simply doesn't have the option
> to hide a system that's supposed to be accessible.


Not hide completely, but reduce the exposure.


> Ummm... no, as a matter of fact you can't. You can try to establish a
> connection to a TCP port, but that's completely different from ping.

nmap options -PA / -PS

tcping

hping3

These and a dozen others are just ways to check if a host is alive using TCP.

If you want to argue semantics, it is considered a ping by most. But
I'm not going to haul out Websters.

> Any "seasoned network admins" worth their money are also (network)
> security professionals. You don't run a network without security
> considerations. Not successfully, that is.

I'd think so too...


> Again: either a host IS exposed, or it's NOT exposed. ICMP doesn't
> change anything AT ALL about that. It's merely adding some obscurity,
> which you don't need if you have security in the first place. And if you
> don't have security, then *that's* what you want to fix instead of
> applying snake-oil.


> > ICMP is not a required protocol for a web server, sorry. Convenient,
> > yes. Required, no. If you believe it is then that's okay. That's the
> > beauty of the Internet, everyone has an opinion.

> So basically you're justifying obscurity instead of security, because
> there are so many stup^Wintellectually challenged admins out there? What
> kind of argument do you think that is? You do realize that this list is
> about security, don't you?


I am not at all, please understand. What I am saying is that security
by design comes first, and other steps might be required if some
design is not immediately possible. Do you have any idea, ANY idea,
how many organizations have difficulty integrating security into their
business? To cite an example, a few companies could not install
patches on their systems because their custom developed app was
running a number of modules whose version wouldn't be supported if
patches beyond a certain level were installed, so what, they are
supposed to throw their support out the window and install the
patches, possibly breaking a core app and bringing the business down?
Or do they put some other measures in place to partially mitigate the
risk for a time until the next version of the app comes out / is
developed and supports the patches? You do realize that many networks
are for businesses that use information systems as a means to
accomplish their business goals, information systems is not most
companies' business.

And even if they do consider themselves hardened and secure, etc., consider this:

It doesn't take more than a few Google searches to find plenty of ways
to use ICMP as a tunnel or find any number of worms (Welchia for one)
which used ping to discover hosts. I mean there is a vast history of
this, and although people believe the IP stack is well secured now,
there was another vulnerability (and subsequent exploit to be sure)
discovered against the Windows IP stack just a few months ago. It
makes you wonder how many exploits are unknown.

Check out MS08-001:

http://www.microsoft.com/technet/security/Bulletin/MS08-001.mspx

Covers a few known Windows IP stack issues, exploitable via ICMP as
well, I might add (router discovery)... in fact it's apparently bad
enough that a number of articles posted stated this could lead to the
next big worm (a questionable statement, IMO). Remember patches
against SQL slammer were available 4-6 months before the worm was
written.

Now I don't necessarily believe that personally, but who knows. Yes it
may need to be turned on, but at the same time, I wonder if there
isn't another way to take advantage of this. No matter how good you
might think you are, there's always someone out there better than you
and with a lot more time on their hands.

Fact is so many people depend on the vulnerabilities and exploits they
KNOW about, and I guarantee there are a ton of vulnerabilities and
exploits that are not public knowledge.

So with ALL that being said, from my personal standpoint, I'd much
rather err on the side of caution myself and don't really care if 'x'
can't ping my web server anyway. Of course I don't think that someone
whose web server I can ping is crazy, or that a web server reachable
via ping is a big issue, but it is just another one of those little
things that just isn't necessary.

-J
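The thread above makes two points a defender can act on regardless of which side they take: a ping sweep (the Welchia-style host discovery Jason mentions) is visible in firewall logs, and so is the TCP-based "ping" that nmap -PS/-PA, tcping and hping3 perform when ICMP echo is blocked. The script below is an added example, not code from this thread or from any of the tools named in it. It parses lines in the shape of iptables LOG output (the sample lines are constructed for the example and use RFC 5737 documentation addresses), flags a source that touches many distinct hosts with ICMP echo requests or with SYN/ACK probes inside a time window, and flags echo requests with an unusually large payload, which is a common indicator of the ICMP tunnelling Jason refers to. The window, host threshold and size limit are assumed starting values to be tuned per site.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of iptables LOG output; the traffic is invented
# for this example (source 203.0.113.5 pings five hosts, 198.51.100.7 probes
# five hosts with SYN/ACK the way nmap -PS/-PA does, 203.0.113.9 sends a
# 1500-byte echo request, 192.0.2.50 is an ordinary HTTPS client).
SAMPLE_LOG = """\
Apr  4 20:01:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Apr  4 20:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2
Apr  4 20:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=3
Apr  4 20:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.13 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=4
Apr  4 20:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.14 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=5
Apr  4 20:05:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 LEN=44 TTL=48 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  4 20:05:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.21 LEN=44 TTL=48 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  4 20:05:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.22 LEN=44 TTL=48 PROTO=TCP SPT=40003 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  4 20:05:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.23 LEN=44 TTL=48 PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  4 20:05:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.24 LEN=44 TTL=48 PROTO=TCP SPT=40005 DPT=80 WINDOW=1024 RES=0x00 ACK URGP=0
Apr  4 20:09:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=1500 TTL=60 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Apr  4 20:09:45 fw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 LEN=60 TTL=64 PROTO=TCP SPT=51000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r'(\w+)=(\S*)')          # KEY=value tokens (OUT= may be empty)
TIME_RE = re.compile(r'\b(\d\d):(\d\d):(\d\d)\b')
TCP_FLAGS = ('SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG')


def parse_line(line):
    """Return a dict for one iptables-style LOG line, or None if it is not one."""
    m = TIME_RE.search(line)
    if not m or 'PROTO=' not in line:
        return None
    h, mi, s = (int(x) for x in m.groups())
    fields = dict(KV_RE.findall(line))
    # TCP flags are logged as bare tokens (SYN, ACK, ...), not as KEY=value.
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return {
        't': h * 3600 + mi * 60 + s,          # seconds since midnight
        'src': fields.get('SRC'),
        'dst': fields.get('DST'),
        'proto': fields.get('PROTO'),
        'len': int(fields.get('LEN', 0)),
        'icmp_type': int(fields['TYPE']) if 'TYPE' in fields else None,
        'flags': flags,
    }


def _sweep_sources(events, window, threshold):
    """Map source -> max distinct destinations it probed within `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e['src']].append((e['t'], e['dst']))
    hits = {}
    for src, probes in by_src.items():
        probes.sort()
        counts = defaultdict(int)               # dst -> probes inside the window
        lo = 0
        for t, dst in probes:
            counts[dst] += 1
            # Slide the window forward, dropping probes older than `window`.
            while probes[lo][0] < t - window:
                old = probes[lo][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                lo += 1
            if len(counts) >= threshold:
                hits[src] = max(hits.get(src, 0), len(counts))
    return hits


def analyze(log_text, window=60, host_threshold=5, max_icmp_len=200):
    """Return (kind, source, detail) findings. Thresholds are assumed defaults."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    echo_req = [e for e in events if e['proto'] == 'ICMP' and e['icmp_type'] == 8]
    # SYN-only or bare-ACK segments: what nmap -PS/-PA, tcping and hping3 send.
    # A single client hitting one server never crosses the host threshold.
    tcp_probe = [e for e in events if e['proto'] == 'TCP'
                 and e['flags'] in ({'SYN'}, {'ACK'})]
    findings = []
    for src, n in sorted(_sweep_sources(echo_req, window, host_threshold).items()):
        findings.append(('icmp_sweep', src, f'{n} hosts pinged within {window}s'))
    for src, n in sorted(_sweep_sources(tcp_probe, window, host_threshold).items()):
        findings.append(('tcp_ping_sweep', src, f'{n} hosts probed within {window}s'))
    for e in echo_req:
        # A normal Linux ping is 84 bytes on the wire; large echo payloads are a
        # classic sign of data being carried inside ICMP.
        if e['len'] > max_icmp_len:
            findings.append(('oversized_icmp', e['src'],
                             f'echo request of {e["len"]} bytes to {e["dst"]}'))
    return findings


if __name__ == '__main__':
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f'{kind:16} {src:15} {detail}')
```

Run against a real firewall log, this needs the LOG target (or nftables `log` with a matching prefix) on the rules of interest; the point of watching both ICMP and TCP probes together is that dropping echo requests only removes one of the three signals above, so the detection should not depend on which one the policy allows through.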

