Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Removing ping/icmp from a network

from [Craig Wright] Network Security [Permanent Link]
Subject: RE: Removing ping/icmp from a network
Date: Thu, 27 Mar 2008 08:47:25 +1100 
The simple answer is to limit ICMP. It is not needed by all hosts to all hosts. 
It is needed for selected purposes.

As such, on a Windows network for instance GPEDIT.MSC may be used to create "IP 
Security Policies on Local Machine" with IP filters for ICMP. Allow Ping 
internally and block internet connections. Restrict other ICMP types to 
selected systems.

See http://www.securityfocus.com/infocus/1559

Regards,
Craig Wright (GSE-Compliance)

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Ansgar -59cobalt- Wiechers
Sent: Thursday, 27 March 2008 6:08 AM
To: security-basics@securityfocus.com
Subject: Re: Removing ping/icmp from a network

On 2008-03-26 Jason Thompson wrote:

ICMP is not vital for network operation, though it is convenient. PING
isn't required at all,


Neither is traceroute. Yet I'd hate to be without without either of
them.


ICMP unreachable messages don't do anything other than notify the
receiver to stop trying to connect to a destination as it isn't alive
(the receiver should get a hint of this when his SYN's don't get a SYN
ACK),


Destination unreachable messages do quite a bit more than "notify the
receiver to stop trying to connect", since they code field carries the
information *why* the destination wasn't reached. Maybe that's not so
important for joe.average@home, but it's pretty darn important for any
network admin.


ICMP redirects shouldn't happen if your network is structured
properly, and even if it's not, it just adds an extra hop.


What about "time exceeded"? What about "parameter problem"? What about
"source quench"?


I don't see any ICMP messages that are a MUST for network operation.


No, they're not a MUST. Connections can also just silently fail, leaving
you as a network admin at a total loss as to *why* they're failing.
Brilliant idea, really.


That being said, if network monitoring is being done via SNMPv1 or v2
which isn't secure at all, ICMP is the least of your problems. I agree
with a few here that you allow ICMP from trusted to untrusted, but not
vice versa. And definitely NO ICMP from the Internet.


What the heck is so freakin' scary about inbound echo requests? (to
public IP addresses, that is)

ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite,
and it's there for a reason.

Regards
Ansgar Wiechers
--
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: File sharing with Bittorrent: what possible security threads?, Razi Shaban
Next by Date:  RE: Removing ping/icmp from a network, Murda Mcloud
Previous by Thread:  Re: Removing ping/icmp from a network, Ansgar -59cobalt- Wiechers
Next by Thread:  Re: Removing ping/icmp from a network, Jason
Indexes:  [Date] [Thread] [Top] [All Lists]