Re: Removing ping/icmp from a network

[Jason <securitux () gmail com>]

>  I am well aware that people are doing this kind of stuff. However, the
>  topic of this list is the basics of computer security. Which still does
>  not include obscurity, no matter how many people put their faith in it.

I don't have faith in obscurity, but I have more faith in that than
doing nothing at all :)

>  Indeed, the ICMP code may have exploitable vulnerabilities. However,
>  looking at the history of vulnerabilities in ICMP: how likely do you
>  think that is? Plus, unlike unnecessary services ICMP does serve a
>  purpose, which means that you should have a *good* reason for dropping
>  it. And no, the (not very likely) possibility that there *may* be an
>  exploitable vulnerability does not count as such.

I think the likelihood is low, but I also think that ping isn't really
needed from the Internet to DMZ'd hosts or firewalls, so I'd just as
soon see it shut down.

>  Ensuring the availability of the systems is one purpose of computer
>  security, and please don't tell me that this weren't a business
>  requirement. I know that many business people are reluctant to spend
>  money on appropriate security measures (at least until it bites them),
>  but that's no justification whatsoever. It also is no excuse at all for
>  establishing obscurity in place of security.

It's not justification, you're right, but it's the way it works.

>  Tunneling usually means outbound communication, which also means that
>  your security has already been compromised. And regarding Welchia: the
>  problem with that kind of worm is not hosts being pingable, but hosts
>  unnecessarily exposing services to other networks. Your point being?

Tunneling can be either in or out, but yes outbound is more common. In
order to establish a tunnel at times security is compromised however
its the use of tunneling as a covert channel that is a concern as well
since it makes finding that breach more difficult.

>  Quoting from the article:
>
>  | Windows Kernel TCP/IP/ICMP Vulnerability - CVE-2007-0066
>  |
>  | A denial of service vulnerability exists in TCP/IP due to the way that
>  | Windows Kernel processes fragmented router advertisement ICMP queries.
>  | ICMP Router Discovery Protocol (RDP) is not enabled by default and is
>  | required in order to exploit this vulnerability.
>
>  This is a) merely a DoS condition, not something that allows for remote
>  code execution, and b) not exploitable in the default configuration.
>
>  The remote code execution vulnerability is in the IGMP handler, which is
>  something that indeed can be safely disabled unless you run something
>  that specifically requires IGMP.

DoS condition is still not a good thing, availability is part of
security, as you mentioned. I am just using this as an example, but
the fact is the IP stack is still vulnerable.

>  Unless you can think of a way that's mere paranoia, which won't get us
>  anywhere as network admins/security people. Computer security is about
>  identifying/assessing attack scenarios and defining/implementing
>  appropriate countermeasures.

Ok... well there definitely are differing opinions here. It's not mere
paranoia. In order to assess attack scenarios you need to think
outside of whats known and think beyond the confines what's nice to
have or what's convenient.

>  Most certainly. However, that is no argument to disable something that
>  serves a purpose. It's just an argument to not run anything that
>  doesn't.

Agreed, but I guess its still the question as to whether ping to a web
server or other Internet facing device serves a valuable purpose. I
still don't think it does.

>  Like I said before: paranoia doesn't help. Security is about knowing,
>  not about believing.

Paranoia / skepticism, at least to a healthy level, is part of being
in security. Thinking outside the norm, thinking not of how something
can be fixed, but how it can be broken, etc.

I guess in my world I spend a lot of time thinking of attack
scenarios, possibilities, and how to break things, it's part of my job
and I wouldn't be any good at it if I didn't.

I think the general conclusion is based on this whole thread that
there are differing thoughts in this area based on experiences and
it's up to the company to decide if they feel some ICMP traffic can be
dropped in the interests of security or not.

That's my diplomatic response :) I think for the most part the points
made are reasonable even if there is disagreement.

-J