Re: Removing ping/icmp from a network

["Jason Thompson" <securitux () gmail com>]

ICMP is not vital for network operation, though it is convenient. PING
isn't required at all, ICMP unreachable messages don't do anything
other than notify the receiver to stop trying to connect to a
destination as it isn't alive (the receiver should get a hint of this
when his SYN's don't get a SYN ACK), ICMP redirects shouldn't happen
if your network is structured properly, and even if it's not, it just
adds an extra hop.

I don't see any ICMP messages that are a MUST for network operation.

That being said, if network monitoring is being done via SNMPv1 or v2
which isn't secure at all, ICMP is the least of your problems. I agree
with a few here that you allow ICMP from trusted to untrusted, but not
vice versa. And definitely NO ICMP from the Internet.

Keep in mind, if you give ICMP the boot on your internal network,
expect a lot more support calls as most users don't consider a device
up and working unless they can ping it.

-J


On Tue, Mar 25, 2008 at 12:29 PM, Secure This <lists () securethis net> wrote:
> I have a variety of clients with data centres who all make use of
>  icmp/ping to monitor their servers/appliances/devices (often with poorly
>  configured snmp versions 1 and 2).
>
>  Could anybody kindly advise me of tools and strategies for minimising or
>  removing the use of icmp/ping on a supposedly secure network?
>
>  Thanks in advance