Educause Security Discussion mailing list archives
Re: ICMP blocking
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Wed, 6 Dec 2006 16:57:40 -0500
Gary Dobbins wrote:
> Quick survey: Who's blocking ICMP subsets (like echo requests, traceroutes) at their borders? Who's not? Strong feelings about why in either case?
We are, sort of :-) Our legacy router filters [digging through CVS repo...] had a filter based on notes best summarized by cymru. This is what we were using inbound:
  remark Secure ICMP (http://www.cymru.com/Documents/icmp-messages.html)
  remark Specifically block ICMP fragments
  deny icmp any any fragments
  remark permit inbound ping response
  permit icmp any any echo-reply
  remark permit Path MTU to function
  permit icmp any any packet-too-big
  remark permit flow control
  permit icmp any any source-quench
  remark permit time exceeded messages for traceroute and loops
  permit icmp any any time-exceeded
  permit icmp any any unreachable
  remark And explicitly block all other ICMP packets
  deny icmp any any
and outbound:
  remark Secure ICMP (http://www.cymru.com/Documents/icmp-messages.html)
  remark Specifically block ICMP fragments
  deny icmp any any fragments
  remark Permit outbound ping
  permit icmp any any echo
  remark Permit outbound ping response
  permit icmp any any echo-reply
  remark Permit Path MTU to function
  permit icmp any any packet-too-big
  remark Permit flow control
  permit icmp any any source-quench
  remark Permit time exceeded messages for traceroute and loops
  permit icmp any any time-exceeded
  remark And explicitly block all other ICMP packets
  deny icmp any any
The idea was to allow ping/traceroute to work outbound, but not inbound (who said life was fair?). Currently we're using Cisco ASA inspection (icmp/icmp-error) to handle everything except a few "public" addresses where we have explicitly ensured that ping/traceroute will work, although if you want Windows traceroute to work you'll have to accommodate the icmp traceroute function into the above lists.
Certainly, doing so is not a huge security gain, but the alternative means you're giving away the map anonymously. How polar is the community on this?
Blocking icmp outright causes nefarious problems (PMTU in particular). Permitting icmp outright gives away the farm. Our answer is somewhere in the middle.

Jeff
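To see what the inbound list above actually lets through, here is a small first-match evaluator over those exact entries. This is an added illustration, not code from the post or from Cisco; the ICMP type keywords are the IOS ones used in the list, and the packet model (type keyword plus a non-initial-fragment flag) is a simplification.

```python
"""First-match evaluation of the inbound ICMP ACL quoted in the post."""
from dataclasses import dataclass

# The inbound list from the post (remarks included), copied verbatim.
INBOUND_ACL = """
remark Specifically block ICMP fragments
deny icmp any any fragments
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any source-quench
permit icmp any any time-exceeded
permit icmp any any unreachable
remark And explicitly block all other ICMP packets
deny icmp any any
"""


@dataclass
class IcmpPacket:
    kind: str               # IOS type keyword: "echo", "echo-reply", "time-exceeded", ...
    fragment: bool = False  # True for a non-initial fragment (no ICMP header present)


def parse_acl(text):
    """Turn 'permit|deny icmp any any [qualifier]' lines into (action, qualifier) pairs."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "remark":
            continue
        action, _proto, _src, _dst, *qual = parts
        rules.append((action, qual[0] if qual else None))
    return rules


def evaluate(rules, pkt):
    """Return the action of the first matching entry; IOS has an implicit deny at the end."""
    for action, qualifier in rules:
        if qualifier is None:                 # bare 'permit/deny icmp any any'
            return action
        if qualifier == "fragments":          # matches only non-initial fragments
            if pkt.fragment:
                return action
            continue
        if not pkt.fragment and qualifier == pkt.kind:
            return action
    return "deny"


def inbound_decisions(kinds=("echo", "echo-reply", "time-exceeded", "unreachable", "redirect")):
    """Decision per ICMP type arriving from outside; shows why inbound ping/tracert fail."""
    rules = parse_acl(INBOUND_ACL)
    return {k: evaluate(rules, IcmpPacket(k)) for k in kinds}
```

The result matches the post: replies to outbound ping and the time-exceeded/unreachable messages that outbound traceroute depends on are permitted, while an inbound echo (a ping from outside, or a Windows tracert aimed at campus) hits the final deny.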