Firewall Wizards mailing list archives

Re: how to block ICMP tunneling?


From: Chris Brenton <cbrenton () sover net>
Date: Mon, 19 Jul 1999 21:00:22 -0400

Kyle Starkey wrote:

> I was under the impression that ICMP should be blocked coming from the
> outside.  I can't think of any reason you would want someone from the
> outside PINGing, TRACERTing or otherwise probing your internal network for
> active hosts.  IMHO you should simply block the entire protocol from the
> outside.

Humm. This may be a bit drastic. 

For example source quench (type 4) is pretty useful and can keep you
from dropping packets. Without it, you may see a lot of hung
connections. 

Destination unreachable (type 3) is used for error reporting if you
attempt to contact an unreachable host. In fact, UDP also uses it to
report active systems which are not offering services on the port
specified. Again, loss of type 3 can result in hung connections. 

Blocking Time Exceeded (type 11) will prevent you from being able to
trace out from your network. Then again this could be a feature. ;)

Also, blocking MTU discovery (type 3, code 4) can cause a complete
breakdown in communications, especially if your environment uses a token
based topology. 

These are just a few off the top of my head. There are probably others but
you get the idea. Not all ICMP is "bad"(TM).

Of course the bottom line is "what does your security policy say about
ICMP?". ;)

Cheers,
Chris
-- 
**************************************
cbrenton () sover net

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
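As an added illustration (not part of this thread, and not code from either poster), the following Python sketch applies the selective inbound policy Chris argues for: type 3 (destination unreachable, including code 4 "fragmentation needed" for path MTU discovery), type 4 (source quench) and type 11 (time exceeded) are accepted, while echo request and everything else from outside is dropped. It parses the 8-byte ICMP header, verifies the RFC 1071 one's-complement checksum, and, for the error types, requires the body to quote the offending IP header plus 8 bytes of the original datagram as RFC 792 specifies, so a bare header with no quoted datagram is treated as malformed. The sample messages are constructed inline, not captured traffic; the policy sets and the 28-byte minimum are the example's own assumptions about what a reasonable filter would enforce.

```python
import struct

# ICMP message types discussed in the thread (RFC 792 values).
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 8, 11
FRAG_NEEDED = 4  # destination unreachable, code 4: needed for path MTU discovery

# Error messages carry a 4-byte unused/MTU field, then the offending IPv4 header
# (20 bytes minimum) plus the first 8 bytes of that datagram (RFC 792).
MIN_ERROR_BODY = 4 + 20 + 8

# Inbound policy (assumption for this example): permit the error and flow-control
# messages the post argues for; drop echo request (ping) and everything else.
INBOUND_ALLOWED_TYPES = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and body."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum (used to construct samples)."""
    header = struct.pack("!BBH", icmp_type, code, 0)
    checksum = icmp_checksum(header + body)
    return struct.pack("!BBH", icmp_type, code, checksum) + body


def parse_icmp(packet: bytes):
    """Return (type, code, body); raise ValueError on a truncated or corrupt message."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    # Summing the whole message with its checksum field in place must yield zero.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    return icmp_type, code, packet[4:]


def filter_inbound(packet: bytes) -> tuple:
    """Decide ('accept' | 'drop', reason) for an ICMP message arriving from outside."""
    try:
        icmp_type, code, body = parse_icmp(packet)
    except ValueError as exc:
        return ("drop", str(exc))
    if icmp_type not in INBOUND_ALLOWED_TYPES:
        return ("drop", "type %d not permitted inbound" % icmp_type)
    # A genuine error message quotes the datagram that triggered it;
    # anything shorter is malformed and gains nothing by being let through.
    if len(body) < MIN_ERROR_BODY:
        return ("drop", "error message lacks quoted datagram")
    if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
        return ("accept", "fragmentation needed (path MTU discovery)")
    return ("accept", "type %d code %d" % (icmp_type, code))


# Constructed sample messages (not real captures): 4-byte unused field,
# a minimal 20-byte IPv4 header (version/IHL 0x45), and 8 bytes of original datagram.
QUOTED_DATAGRAM = b"\x00" * 4 + b"\x45" + b"\x00" * 19 + b"\x00" * 8
SAMPLES = {
    "ping from outside": build_icmp(ECHO_REQUEST, 0, b"\x00\x01\x00\x01"),
    "frag needed": build_icmp(DEST_UNREACH, FRAG_NEEDED, QUOTED_DATAGRAM),
    "port unreachable": build_icmp(DEST_UNREACH, 3, QUOTED_DATAGRAM),
    "ttl exceeded": build_icmp(TIME_EXCEEDED, 0, QUOTED_DATAGRAM),
    "source quench": build_icmp(SOURCE_QUENCH, 0, QUOTED_DATAGRAM),
    "short unreachable": build_icmp(DEST_UNREACH, 1, b"\x00" * 4),
}


def run_samples() -> dict:
    """Apply the inbound filter to every constructed sample and collect the verdicts."""
    return {name: filter_inbound(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, why) in run_samples().items():
        print("%-18s %-6s %s" % (name, verdict, why))
```

Run it directly to see the verdict for each sample; outbound traffic is deliberately out of scope here, since the tracing-out case Chris mentions depends on the same type 11 replies being allowed back in, which this filter already does.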


