RE: Removing ping/icmp from a network
- From: Craig Wright <Craig.Wright@xxxxxxxxxx>
- Date: Thu, 27 Mar 2008 08:47:25 +1100
The simple answer is to limit ICMP. It is not needed by all hosts to all hosts. It is needed for selected purposes.
As such, on a Windows network for instance GPEDIT.MSC may be used to create "IP Security Policies on Local Machine" with IP filters for ICMP. Allow Ping internally and block internet connections. Restrict other ICMP types to selected systems.
See http://www.securityfocus.com/infocus/1559
Regards,
Craig Wright (GSE-Compliance)
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Ansgar -59cobalt- Wiechers
Sent: Thursday, 27 March 2008 6:08 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Removing ping/icmp from a network
On 2008-03-26 Jason Thompson wrote:
ICMP is not vital for network operation, though it is convenient. PING
isn't required at all,
Neither is traceroute. Yet I'd hate to be without without either of
them.
ICMP unreachable messages don't do anything other than notify the
receiver to stop trying to connect to a destination as it isn't alive
(the receiver should get a hint of this when his SYN's don't get a SYN
ACK),
Destination unreachable messages do quite a bit more than "notify the
receiver to stop trying to connect", since they code field carries the
information *why* the destination wasn't reached. Maybe that's not so
important for joe.average@home, but it's pretty darn important for any
network admin.
ICMP redirects shouldn't happen if your network is structured
properly, and even if it's not, it just adds an extra hop.
What about "time exceeded"? What about "parameter problem"? What about
"source quench"?
I don't see any ICMP messages that are a MUST for network operation.
No, they're not a MUST. Connections can also just silently fail, leaving
you as a network admin at a total loss as to *why* they're failing.
Brilliant idea, really.
That being said, if network monitoring is being done via SNMPv1 or v2
which isn't secure at all, ICMP is the least of your problems. I agree
with a few here that you allow ICMP from trusted to untrusted, but not
vice versa. And definitely NO ICMP from the Internet.
What the heck is so freakin' scary about inbound echo requests? (to
public IP addresses, that is)
ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite,
and it's there for a reason.
Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
- References:
- Removing ping/icmp from a network
- From: Secure This
- Re: Removing ping/icmp from a network
- From: Jason Thompson
- Re: Removing ping/icmp from a network
- From: Ansgar -59cobalt- Wiechers
- Removing ping/icmp from a network
- Prev by Date: Re: Removing ping/icmp from a network
- Next by Date: Re: File sharing with Bittorrent: what possible security threads?
- Previous by thread: Re: Removing ping/icmp from a network
- Next by thread: Re: Removing ping/icmp from a network
- Index(es):
Relevant Pages
|
