Educause Security Discussion mailing list archives

Re: ICMP blocking


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 6 Dec 2006 16:57:40 -0500

Gary Dobbins wrote:
Quick survey:  Who's blocking ICMP subsets (like echo requests,
traceroutes) at their borders?  Who's not?  Strong feelings about why in
either case?

We are, sort of :-)

Our legacy router filters [digging through CVS repo...] had a filter based on notes best summarized by cymru. This is what we were using inbound:

 remark Secure ICMP (http://www.cymru.com/Documents/icmp-messages.html)
 remark Specifically block ICMP fragments
 deny   icmp any any fragments
 remark permit inbound ping response
 permit icmp any any echo-reply
 remark permit Path MTU to function
 permit icmp any any packet-too-big
 remark permit flow control
 permit icmp any any source-quench
 remark permit time exceeded messages for traceroute and loops
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark And explicitly block all other ICMP packets
 deny   icmp any any

and outbound:

 remark Secure ICMP (http://www.cymru.com/Documents/icmp-messages.html)
 remark Specifically block ICMP fragments
 deny   icmp any any fragments
 remark Permit outbound ping
 permit icmp any any echo
 remark Permit outbound ping response
 permit icmp any any echo-reply
 remark Permit Path MTU to function
 permit icmp any any packet-too-big
 remark Permit flow control
 permit icmp any any source-quench
 remark Permit time exceeded messages for traceroute and loops
 permit icmp any any time-exceeded
 remark And explicitly block all other ICMP packets
 deny   icmp any any

The idea was to allow ping/traceroute to work outbound, but not inbound (who said life was fair?)

Currently we're using Cisco ASA inspection (icmp/icmp-error) to handle everything except a few "public" addresses where we have explicitly ensured that ping/traceroute will work, although if you want Windows traceroute to work you'll have to accommodate the icmp traceroute function into the above lists.

Certainly, doing so is not a huge security gain, but the alternative
means you're giving away the map anonymously.
How polar is the community on this?

Blocking icmp outright causes nefarious problems (PMTU in particular). Permitting icmp outright gives away the farm. Our answer is somewhere in the middle.

Jeff
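As an added example that is not part of the original post or of Jeff's configuration: a first-match model of the two inbound/outbound ICMP lists quoted above, so the policy can be checked offline for a given ICMP type/code. The Cisco keyword-to-type/code mappings and the `fragments` semantics (the entry matches non-initial fragments only) are standard IOS behaviour; the `Pkt` class and function names are this example's own.

```python
# Added example, not code from the original post. Models the two ACLs from the
# thread as ordered (action, keyword) entries and evaluates a packet IOS-style:
# first matching entry wins, implicit deny at the end.
from dataclasses import dataclass

# Cisco ICMP keywords used in the post -> (type, code); None means any code.
ICMP_KEYWORDS = {
    "echo-reply": (0, None),
    "unreachable": (3, None),
    "packet-too-big": (3, 4),      # "fragmentation needed", a subset of unreachable
    "source-quench": (4, None),
    "echo": (8, None),
    "time-exceeded": (11, None),
}

@dataclass(frozen=True)
class Pkt:                          # hypothetical minimal packet description
    icmp_type: int
    icmp_code: int = 0
    noninitial_fragment: bool = False   # what the IOS `fragments` keyword matches

# Entries in the order they appear in the post's inbound and outbound lists.
INBOUND = [("deny", "fragments"), ("permit", "echo-reply"),
           ("permit", "packet-too-big"), ("permit", "source-quench"),
           ("permit", "time-exceeded"), ("permit", "unreachable"),
           ("deny", "any")]
OUTBOUND = [("deny", "fragments"), ("permit", "echo"), ("permit", "echo-reply"),
            ("permit", "packet-too-big"), ("permit", "source-quench"),
            ("permit", "time-exceeded"), ("deny", "any")]

def evaluate(acl, pkt):
    """Return the action of the first entry that matches pkt ("permit"/"deny")."""
    for action, keyword in acl:
        if keyword == "fragments":
            hit = pkt.noninitial_fragment
        elif keyword == "any":
            hit = True                  # no layer-4 info: matches fragments too
        elif pkt.noninitial_fragment:
            hit = False                 # type/code entries need the ICMP header
        else:
            t, c = ICMP_KEYWORDS[keyword]
            hit = pkt.icmp_type == t and (c is None or pkt.icmp_code == c)
        if hit:
            return action
    return "deny"                       # implicit deny at the end of every IOS ACL

def traceroute_replies_ok(acl):
    """True if the replies traceroute relies on (TTL exceeded, and port
    unreachable for the final hop of a UDP traceroute) pass the list."""
    return (evaluate(acl, Pkt(11, 0)) == "permit"
            and evaluate(acl, Pkt(3, 3)) == "permit")
```

Running it shows the asymmetry Jeff describes: inbound echo is denied while inbound echo-reply and time-exceeded pass, and the outbound list sends no destination-unreachable at all (only the packet-too-big subset), so PMTU still works outbound.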
