I might be wrong with Windows 2003 clustering, but I recall that 2000
clustering required ICMP for Failover purposes.
Might be other things along those lines, that may require it, or have to
configured to do it another way.
Brian
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Jason Thompson
Sent: Wednesday, March 26, 2008 10:55 AM
To: security-basics@securityfocus.com
Subject: Re: Removing ping/icmp from a network
ICMP is not vital for network operation, though it is convenient. PING
isn't required at all, ICMP unreachable messages don't do anything other
than notify the receiver to stop trying to connect to a destination as
it isn't alive (the receiver should get a hint of this when his SYN's
don't get a SYN ACK), ICMP redirects shouldn't happen if your network is
structured properly, and even if it's not, it just adds an extra hop.
I don't see any ICMP messages that are a MUST for network operation.
That being said, if network monitoring is being done via SNMPv1 or v2
which isn't secure at all, ICMP is the least of your problems. I agree
with a few here that you allow ICMP from trusted to untrusted, but not
vice versa. And definitely NO ICMP from the Internet.
Keep in mind, if you give ICMP the boot on your internal network, expect
a lot more support calls as most users don't consider a device up and
working unless they can ping it.
-J
On Tue, Mar 25, 2008 at 12:29 PM, Secure This <lists@securethis.net>
wrote:
I have a variety of clients with data centres who all make use of
icmp/ping to monitor their servers/appliances/devices (often with
poorly configured snmp versions 1 and 2).
Could anybody kindly advise me of tools and strategies for minimising
or removing the use of icmp/ping on a supposedly secure network?
Thanks in advance
