Re: Removing ping/icmp from a network

Neither is traceroute. Yet I'd hate to be without without either of
them.



Agreed, that's why I said vital.


Destination unreachable messages do quite a bit more than "notify the
receiver to stop trying to connect", since they code field carries the
information *why* the destination wasn't reached. Maybe that's not so
important for joe.average@home, but it's pretty darn important for any
network admin.

What about "time exceeded"? What about "parameter problem"? What about
"source quench"?


Yes, agreed, again, why I said the word 'vital'... And there are other
avenues at an admins disposal if those messages aren't allowed.


> I don't see any ICMP messages that are a MUST for network operation.

No, they're not a MUST. Connections can also just silently fail, leaving
you as a network admin at a total loss as to *why* they're failing.
Brilliant idea, really.


You can limit ICMP. It doesn't have to be everything on or everything
off. And I did say, as well as others, allow from trusted sources. The
issue is whether strong limits could be set on ICMP without destroying
the network and the answer is: yes.


> That being said, if network monitoring is being done via SNMPv1 or v2
> which isn't secure at all, ICMP is the least of your problems. I agree
> with a few here that you allow ICMP from trusted to untrusted, but not
> vice versa. And definitely NO ICMP from the Internet.

What the heck is so freakin' scary about inbound echo requests? (to
public IP addresses, that is)

ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite,
and it's there for a reason.

ICMP tunneling, host discovery to see if a device is active are two of
the issues with ICMP from the Internet. Flooding, though more rare
now, is still possible.

The idea is to limit your Internet footprint to make it as difficult
as possible for an attacker. There is no need for a web server to
respond to ping from the Internet for example.

I realize that some net admins are getting rather defensive on this
topic but there is no need. I believe a balance is required between
security and functionality and am not saying that ICMP should be
killed. Just limited. This is a security forum after all?

Try to remember, there is NO security built into the Internet Protocol
suite, which was developed in the 60's. Just because something is
there for a reason, doesn't mean it should not be subject to scrutiny.

-J

Relevant Pages

  • Re: Removing ping/icmp from a network
    ... what about network analysis and application monitoring ... We have a customer in Australia who's ISP blocks all ICMP to and from ... manage the server of course). ... too much of a blanket statement when saying no ICMP from the Internet ...
    (Security-Basics)
  • RE: ICMP (Ping)
    ... You are correct about the kinder and gentler internet. ... network to deal with I might share your opinion. ... I believe you meant ICMP echo ... Subject: ICMP (Ping) ...
    (Security-Basics)
  • RE: Removing ping/icmp from a network
    ... A complaint from an ad network who used ICMP responses when configuring targeted "spam" that broke. ... A complaint from a network monitoring company who wanted to test the ASX as a baseline for their reports to other companies. ... too much of a blanket statement when saying no ICMP from the Internet ...
    (Security-Basics)
  • Re: Windows Server 2003 and ICF on a domain controller
    ... internet then enable ICF only on this card. ... It is not recommended configuration if you enable ICF on DC towards your ... Also note that blocking ICMP ... Still if you would like a list of ports and protocols here it is ...
    (microsoft.public.windows.server.general)
  • Re: Removing ping/icmp from a network
    ... OrgName: Internet Assigned Numbers Authority ... > ICMP is allowed throughout most Internet routers, ... > manage the server of course). ... > if they can ping it or not if they can't access their data through SSL ...
    (Security-Basics)