Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: Jason <securitux () gmail com>
Date: Mon, 7 Apr 2008 12:53:04 -0400
> I am well aware that people are doing this kind of stuff. However, the topic of this list is the basics of computer security. Which still does not include obscurity, no matter how many people put their faith in it.
I don't have faith in obscurity, but I have more faith in that than doing nothing at all :)
> Indeed, the ICMP code may have exploitable vulnerabilities. However, looking at the history of vulnerabilities in ICMP: how likely do you think that is? Plus, unlike unnecessary services ICMP does serve a purpose, which means that you should have a *good* reason for dropping it. And no, the (not very likely) possibility that there *may* be an exploitable vulnerability does not count as such.
I think the likelihood is low, but I also think that ping isn't really needed from the Internet to DMZ'd hosts or firewalls, so I'd just as soon see it shut down.
> Ensuring the availability of the systems is one purpose of computer security, and please don't tell me that this weren't a business requirement. I know that many business people are reluctant to spend money on appropriate security measures (at least until it bites them), but that's no justification whatsoever. It also is no excuse at all for establishing obscurity in place of security.
It's not justification, you're right, but it's the way it works.
> Tunneling usually means outbound communication, which also means that your security has already been compromised. And regarding Welchia: the problem with that kind of worm is not hosts being pingable, but hosts unnecessarily exposing services to other networks. Your point being?
Tunneling can be either in or out, but yes, outbound is more common. In order to establish a tunnel, at times security is compromised; however, it's the use of tunneling as a covert channel that is a concern as well, since it makes finding that breach more difficult.
> Quoting from the article:
> | Windows Kernel TCP/IP/ICMP Vulnerability - CVE-2007-0066
> |
> | A denial of service vulnerability exists in TCP/IP due to the way that
> | Windows Kernel processes fragmented router advertisement ICMP queries.
> | ICMP Router Discovery Protocol (RDP) is not enabled by default and is
> | required in order to exploit this vulnerability.
> This is a) merely a DoS condition, not something that allows for remote code execution, and b) not exploitable in the default configuration. The remote code execution vulnerability is in the IGMP handler, which is something that indeed can be safely disabled unless you run something that specifically requires IGMP.
A DoS condition is still not a good thing; availability is part of security, as you mentioned. I am just using this as an example, but the fact is the IP stack is still vulnerable.
> Unless you can think of a way that's mere paranoia, which won't get us anywhere as network admins/security people. Computer security is about identifying/assessing attack scenarios and defining/implementing appropriate countermeasures.
Ok... well, there definitely are differing opinions here. It's not mere paranoia. In order to assess attack scenarios you need to think outside of what's known and think beyond the confines of what's nice to have or what's convenient.
> Most certainly. However, that is no argument to disable something that serves a purpose. It's just an argument to not run anything that doesn't.
Agreed, but I guess it's still the question as to whether ping to a web server or other Internet-facing device serves a valuable purpose. I still don't think it does.
> Like I said before: paranoia doesn't help. Security is about knowing, not about believing.
Paranoia / skepticism, at least to a healthy level, is part of being in security. Thinking outside the norm, thinking not of how something can be fixed, but how it can be broken, etc. I guess in my world I spend a lot of time thinking of attack scenarios, possibilities, and how to break things, it's part of my job and I wouldn't be any good at it if I didn't. I think the general conclusion is based on this whole thread that there are differing thoughts in this area based on experiences and it's up to the company to decide if they feel some ICMP traffic can be dropped in the interests of security or not. That's my diplomatic response :) I think for the most part the points made are reasonable even if there is disagreement. -J
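Added example, not code from the thread or either poster: a small Python check that encodes the two defensive points argued above, dropping inbound echo requests to an Internet-facing host while keeping the ICMP types it still needs (destination unreachable for PMTU discovery, time exceeded), and flagging echo-request senders whose packet sizes look like a covert data channel rather than a liveness probe. The log lines are constructed in netfilter LOG style, and the size thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG style (not taken from the thread).
SAMPLE_LOG = """\
kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TTL=54 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=1044 TTL=49 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=612 TTL=49 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=2
kernel: ICMP-IN: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=980 TTL=49 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=3
kernel: ICMP-IN: IN=eth0 OUT= SRC=192.0.2.1 DST=203.0.113.10 LEN=576 TTL=60 PROTO=ICMP TYPE=3 CODE=4
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) LEN=(\d+).*?PROTO=ICMP TYPE=(\d+) CODE=(\d+)")

# ICMP a DMZ host still needs when ping is dropped: type 3 (destination unreachable,
# incl. code 4 "fragmentation needed" for PMTU discovery) and type 11 (time exceeded).
KEEP_TYPES = {3, 11}
ECHO_REQUEST = 8

def parse_icmp_log(text):
    """Extract (src, dst, total_len, icmp_type, icmp_code) from each matching line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, length, typ, code = m.groups()
            records.append((src, dst, int(length), int(typ), int(code)))
    return records

def edge_policy(icmp_type):
    """Filter decision for ICMP arriving from the Internet at a DMZ host."""
    return "accept" if icmp_type in KEEP_TYPES else "drop"

def flag_covert_echo(records, max_len=128):
    """A plain ping sends small, fixed-size echo requests (84 bytes total on Linux,
    60 on Windows). Oversized or size-varying echo requests from one source are
    worth a closer look as a possible tunnel; max_len is an assumed threshold."""
    sizes = defaultdict(list)
    for src, _dst, length, typ, _code in records:
        if typ == ECHO_REQUEST:
            sizes[src].append(length)
    flagged = {}
    for src, lens in sizes.items():
        if max(lens) > max_len or len(set(lens)) > 1:
            flagged[src] = {"packets": len(lens), "max_len": max(lens), "distinct_sizes": len(set(lens))}
    return flagged

if __name__ == "__main__":
    recs = parse_icmp_log(SAMPLE_LOG)
    for src, dst, length, typ, code in recs:
        print(f"{src} -> {dst} type={typ} code={code} len={length}: {edge_policy(typ)}")
    print("suspicious echo senders:", flag_covert_echo(recs))
```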