Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: Jason <securitux () gmail com>
Date: Thu, 27 Mar 2008 12:25:43 -0400
> Neither is traceroute. Yet I'd hate to be without either of them.

Agreed, that's why I said vital.

> Destination unreachable messages do quite a bit more than "notify the receiver to stop trying to connect", since the code field carries the information *why* the destination wasn't reached. Maybe that's not so important for joe.average@home, but it's pretty darn important for any network admin. What about "time exceeded"? What about "parameter problem"? What about "source quench"?

Yes, agreed, again, why I said the word 'vital'... And there are other avenues at an admin's disposal if those messages aren't allowed.

>> I don't see any ICMP messages that are a MUST for network operation.
>
> No, they're not a MUST. Connections can also just silently fail, leaving you as a network admin at a total loss as to *why* they're failing. Brilliant idea, really.

You can limit ICMP. It doesn't have to be everything on or everything off. And I did say, as well as others, allow from trusted sources. The issue is whether strong limits could be set on ICMP without destroying the network, and the answer is: yes.

>> That being said, if network monitoring is being done via SNMPv1 or v2, which isn't secure at all, ICMP is the least of your problems. I agree with a few here that you allow ICMP from trusted to untrusted, but not vice versa. And definitely NO ICMP from the Internet.
>
> What the heck is so freakin' scary about inbound echo requests? (to public IP addresses, that is) ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite, and it's there for a reason.

ICMP tunneling and host discovery (to see if a device is active) are two of the issues with ICMP from the Internet. Flooding, though rarer now, is still possible. The idea is to limit your Internet footprint to make it as difficult as possible for an attacker. There is no need for a web server to respond to ping from the Internet, for example. I realize that some net admins are getting rather defensive on this topic, but there is no need. I believe a balance is required between security and functionality and am not saying that ICMP should be killed. Just limited. This is a security forum, after all? Try to remember, there is NO security built into the Internet Protocol suite, which was developed in the '60s. Just because something is there for a reason doesn't mean it should not be subject to scrutiny.

-J
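The "limit, don't kill" policy argued over in this exchange, written out as an added example (this is not code from the post or from anyone in the thread): the error messages that carry diagnostics (destination unreachable, including code 4 "fragmentation needed" for path MTU discovery; time exceeded, which traceroute depends on; parameter problem) are accepted from anywhere, echo requests are accepted only from trusted networks, echo payloads are capped so that the oversized payloads typical of ICMP tunnelling are dropped, and source quench, redirect and anything else are dropped. The packet parser checks the ICMP checksum so that garbage is not classified at all. The trusted networks (10.0.0.0/8, 192.168.1.0/24), the 64-byte payload cap and the sample packets are assumptions constructed for the example, not values from the thread.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# ICMP message types from RFC 792.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT = 0, 3, 4, 5
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12
IPPROTO_ICMP = 1

# Hypothetical trusted management networks (assumption for this example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.1.0/24")]

# Error messages that carry diagnostic information: destination unreachable
# (code 4 = fragmentation needed, used by path MTU discovery), time exceeded
# (what traceroute relies on) and parameter problem. Accepted from any source.
ALWAYS_ALLOW = {DEST_UNREACH, TIME_EXCEEDED, PARAM_PROBLEM}

# Largest echo payload tolerated; long payloads are the usual sign of ICMP
# tunnelling. The 64-byte figure is a heuristic chosen for the example.
MAX_ECHO_PAYLOAD = 64


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum. Returns 0 when data already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(packet: bytes) -> Optional[Tuple[ipaddress.IPv4Address, int, int, bytes]]:
    """Return (src, icmp_type, icmp_code, payload), or None if this is not a well-formed ICMP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        return None
    if packet[9] != IPPROTO_ICMP:
        return None
    icmp = packet[ihl:total_len]
    if ones_complement_checksum(icmp) != 0:
        return None  # corrupted or forged header: do not classify it at all
    src = ipaddress.ip_address(packet[12:16])
    return src, icmp[0], icmp[1], icmp[8:]


def decide(packet: bytes) -> str:
    """Stateless filter verdict for one inbound packet from the untrusted side."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None:
        return "DROP"
    src, icmp_type, _code, payload = parsed
    if icmp_type in ALWAYS_ALLOW:
        return "ACCEPT"
    if icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        # Echo request only from trusted networks. Echo reply is accepted so that
        # outbound ping from the inside still works; a stateful firewall would
        # instead match the reply to the outbound request.
        if icmp_type == ECHO_REQUEST and not any(src in net for net in TRUSTED_NETS):
            return "DROP"
        if len(payload) > MAX_ECHO_PAYLOAD:
            return "DROP"  # oversized echo payload: likely tunnelling
        return "ACCEPT"
    # Source quench (deprecated by RFC 6633), redirect and everything else.
    return "DROP"


def build_icmp_packet(src: str, dst: str, icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct an IPv4+ICMP packet with valid checksums (test input, not captured traffic)."""
    icmp = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + icmp


if __name__ == "__main__":
    # Constructed sample traffic against a public host 203.0.113.10.
    samples = [
        ("ping from management LAN", build_icmp_packet("10.1.2.3", "203.0.113.10", ECHO_REQUEST, 0, b"abc")),
        ("ping from the Internet", build_icmp_packet("198.51.100.7", "203.0.113.10", ECHO_REQUEST, 0, b"abc")),
        ("frag-needed from a router", build_icmp_packet("198.51.100.7", "203.0.113.10", DEST_UNREACH, 4, b"\x00" * 28)),
        ("oversized echo (tunnel?)", build_icmp_packet("10.1.2.3", "203.0.113.10", ECHO_REQUEST, 0, b"A" * 1400)),
        ("source quench", build_icmp_packet("198.51.100.7", "203.0.113.10", SOURCE_QUENCH, 0)),
    ]
    for label, pkt in samples:
        print(f"{label:28s} -> {decide(pkt)}")
```

On a real Linux edge the same verdicts translate to a handful of `iptables -p icmp --icmp-type ...` rules (destination-unreachable, time-exceeded and parameter-problem accepted, echo-request accepted only with `-s` set to the trusted networks, and a final drop for ICMP), which is the middle ground between "everything on" and "everything off" that the thread keeps circling.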
Current thread:
- Re: Removing ping/icmp from a network Mark Owen (Mar 25)
- Re: Removing ping/icmp from a network Ivan . (Mar 26)
- RE: Removing ping/icmp from a network Strykar (Mar 26)
- RE: Removing ping/icmp from a network Murda Mcloud (Mar 27)
- RE: Removing ping/icmp from a network Murda Mcloud (Mar 27)
- Re: Removing ping/icmp from a network Jason Thompson (Mar 26)
- RE: Removing ping/icmp from a network Worrell, Brian (Mar 26)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 26)
- RE: Removing ping/icmp from a network Craig Wright (Mar 26)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Mark Owen (Mar 27)
- R: Removing ping/icmp from a network Vega - Brunello Ivan (Mar 27)
- Re: Removing ping/icmp from a network Jason (Mar 27)
- Re: Removing ping/icmp from a network Michael Painter (Mar 27)
- Re: Removing ping/icmp from a network Razi Shaban (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 31)
- RE: Removing ping/icmp from a network Ric Messier (Mar 28)
- RE: Removing ping/icmp from a network Adewale, Akin (IT Services - Infosec Team) (Mar 28)