Educause Security Discussion mailing list archives

Re: ICMP blocking


From: Randy Marchany <marchany () VT EDU>
Date: Wed, 6 Dec 2006 17:16:24 -0500

Quick survey:  Who's blocking ICMP subsets (like echo requests,
traceroutes) at their borders?  Who's not?  Strong feelings about why in
either case?

We don't block at the network level. Individual users may block ICMP using
their host based firewalls.

Personally, I don't believe blocking ICMP accomplishes anything from a
security standpoint. If the goal is to prevent someone from mapping your
network, this doesn't work. Networks can be mapped using other protocols. For
example, map a net using port 80 scans. Shoot, I can use inverse mapping
techniques to find out what's NOT there and use that info to determine what IS
there. Blocking ICMP doesn't prevent anyone from mapping your net. It doesn't
even make it more difficult to map your net.

If the goal is to prevent unused fields from being used for covert payloads,
well, other protocols suffer from the same problem.

IF (big capital IF) your hosts are reasonably secured, then so what if someone
can ping you.

What real security goal is achieved by blocking ICMP and no other protocols?
Nothing worthwhile, I suspect.

        -Randy Marchany
        VA Tech IT Security Office/Lab
        VA Tech
        Blacksburg, VA 24060
        marchany () vt edu
        540-231-9523
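An added example, not code from Randy's post or from the Educause list: a small sweep detector run over constructed firewall log lines. It makes the point above concrete from the defender's side: a host-by-host sweep over TCP/80 shows up in the logs whether or not ICMP echo is dropped at the border, so that is the traffic worth alerting on. The log layout (`epoch action proto src dst dport`) and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from any real device or from the
# post). One source probes two hosts with ICMP (already dropped) and then
# sweeps five hosts over TCP/80; a second source is ordinary web traffic.
SAMPLE_LOG = """\
1165442000 DROP  ICMP 198.51.100.7 192.0.2.10 0
1165442001 DROP  ICMP 198.51.100.7 192.0.2.11 0
1165442010 ALLOW TCP  198.51.100.7 192.0.2.10 80
1165442011 ALLOW TCP  198.51.100.7 192.0.2.11 80
1165442012 ALLOW TCP  198.51.100.7 192.0.2.12 80
1165442013 ALLOW TCP  198.51.100.7 192.0.2.13 80
1165442014 ALLOW TCP  198.51.100.7 192.0.2.14 80
1165442020 ALLOW TCP  203.0.113.5  192.0.2.10 80
1165442021 ALLOW TCP  203.0.113.5  192.0.2.10 443
"""

# Assumed line layout: epoch action proto src dst dport (whitespace-separated).
LINE_RE = re.compile(r"^(\d+)\s+(ALLOW|DROP)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse(log_text):
    """Yield (epoch, action, proto, src, dst, dport) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, action, proto, src, dst, dport = m.groups()
            yield int(t), action, proto, src, dst, int(dport)


def horizontal_sweeps(records, window=60, min_hosts=5):
    """Flag sources that touch >= min_hosts distinct destinations on the same
    protocol/port inside `window` seconds, counting allowed and dropped packets
    alike. Returns {(src, proto, dport): distinct_host_count}."""
    seen = defaultdict(lambda: {"hosts": set(), "times": []})
    for t, _action, proto, src, dst, dport in records:
        key = (src, proto, dport)
        seen[key]["hosts"].add(dst)
        seen[key]["times"].append(t)
    flagged = {}
    for key, agg in seen.items():
        span = max(agg["times"]) - min(agg["times"])
        if len(agg["hosts"]) >= min_hosts and span <= window:
            flagged[key] = len(agg["hosts"])
    return flagged


if __name__ == "__main__":
    for (src, proto, dport), n in horizontal_sweeps(parse(SAMPLE_LOG)).items():
        print(f"{src} swept {n} hosts over {proto}/{dport}")
```

With the constructed input only the TCP/80 sweep is flagged; the dropped ICMP probes alone never reach the threshold, which is the post's argument in miniature.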
