"I don't see any ICMP messages that are a MUST for network operation."
Not necessarily a MUST but tracert and pathping are pretty handy
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Jason Thompson
Sent: 26 March 2008 14:32
To: security-basics@securityfocus.com
Subject: Re: Removing ping/icmp from a network
ICMP is not vital for network operation, though it is convenient. PING
isn't required at all, ICMP unreachable messages don't do anything
other than notify the receiver to stop trying to connect to a
destination as it isn't alive (the receiver should get a hint of this
when his SYN's don't get a SYN ACK), ICMP redirects shouldn't happen
if your network is structured properly, and even if it's not, it just
adds an extra hop.
I don't see any ICMP messages that are a MUST for network operation.
That being said, if network monitoring is being done via SNMPv1 or v2
which isn't secure at all, ICMP is the least of your problems. I agree
with a few here that you allow ICMP from trusted to untrusted, but not
vice versa. And definitely NO ICMP from the Internet.
Keep in mind, if you give ICMP the boot on your internal network,
expect a lot more support calls as most users don't consider a device
up and working unless they can ping it.
-J
On Tue, Mar 25, 2008 at 12:29 PM, Secure This <lists@securethis.net>
wrote:
I have a variety of clients with data centres who all make use of
icmp/ping to monitor their servers/appliances/devices (often with
poorly
configured snmp versions 1 and 2).
Could anybody kindly advise me of tools and strategies for minimising
or
removing the use of icmp/ping on a supposedly secure network?
Thanks in advance
