RE: ICMP, NT and IIS: What is a safe cocktail?

From: Kevin Brown (kbrownfox@home.com)
Date: 10/04/01


From: "Kevin Brown" <kbrownfox@home.com>
To: "Kevin Kaminski" <Kevin.Kaminski@telus.com>, <focus-ms@securityfocus.com>
Subject: RE: ICMP, NT and IIS: What is a safe cocktail?
Date: Wed, 3 Oct 2001 19:06:10 -0400
Message-ID: <NEBBIFJCILKEKMJKGMFIMEIKCOAA.kbrownfox@home.com>

Hmmm, my understanding was you would want to block Type 0, ECHO REPLY and
Type 8, ECHO REQUEST. This essentially blocks pings and will mitigate the
damage from many common DoS attacks. But you risk breaking things like Path
MTU Discovery if you block all of ICMP, and this could lead to other
problems as well. Especially if your FW is configured to not pass
fragments. That's my 2 cents FWIW.

RFC 1700 should give you more insight into each Type if this will help you
make a decision. Not sure that this is the kind of answer you were looking
for, but it might help.

http://www.ietf.org/rfc/rfc1700.txt?number=1700

Brownfox

-----Original Message-----
From: Kevin Kaminski [mailto:Kevin.Kaminski@telus.com]
Sent: Wednesday, October 03, 2001 3:51 PM
To: 'focus-ms@securityfocus.com'
Subject: ICMP, NT and IIS: What is a safe cocktail?

I am looking at deploying a Win2K IIS server on the Internet. The only
services offered are IIS on port 80 and IPSec for administration. While
researching this I had found ICMP to be somewhat of a grey area. My initial
question was to allow ICMP or not in this Internet scenario. After talking
to Microsoft they suggested I filter ICMP to Types 3,4,5 and 11 to allow for
proper operation of the server. That seemed fair because I was told systems
may not be able to communicate with the server if they are using a smaller
MTU than the server. With the ICMP filters I was worried that ICMP redirects
would not be filtered and could leave the system open to DOS attacks. Going
back to the NSA document on IIS5 they leave all ICMP traffic blocked. Is
Win2K to be trusted with ICMP or is this too problematic to deal with? Left
somewhat unsure I thought I would ask a community of versed security experts
for their opinions on ICMP and Win2K. What is a safe ICMP configuration in
the real world that will not affect client connectivity? Or maybe I should
leave it more open as to what is your policy on ICMP with Win2K and why?



Relevant Pages