Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Removing ping/icmp from a network

from [Jason] Network Security [Permanent Link]
Subject: Re: Removing ping/icmp from a network
Date: Thu, 27 Mar 2008 12:25:43 -0400 
 Neither is traceroute. Yet I'd hate to be without without either of
 them.




Agreed, that's why I said vital.



 Destination unreachable messages do quite a bit more than "notify the
 receiver to stop trying to connect", since they code field carries the
 information *why* the destination wasn't reached. Maybe that's not so
 important for joe.average@home, but it's pretty darn important for any
 network admin.

 What about "time exceeded"? What about "parameter problem"? What about
 "source quench"?



Yes, agreed, again, why I said the word 'vital'... And there are other
avenues at an admins disposal if those messages aren't allowed.



 > I don't see any ICMP messages that are a MUST for network operation.

 No, they're not a MUST. Connections can also just silently fail, leaving
 you as a network admin at a total loss as to *why* they're failing.
 Brilliant idea, really.



You can limit ICMP. It doesn't have to be everything on or everything
off. And I did say, as well as others, allow from trusted sources. The
issue is whether strong limits could be set on ICMP without destroying
the network and the answer is: yes.



 > That being said, if network monitoring is being done via SNMPv1 or v2
 > which isn't secure at all, ICMP is the least of your problems. I agree
 > with a few here that you allow ICMP from trusted to untrusted, but not
 > vice versa. And definitely NO ICMP from the Internet.

 What the heck is so freakin' scary about inbound echo requests? (to
 public IP addresses, that is)

 ICMP is not "teh evil(tm)". It's a part of the Internet Protocol suite,
 and it's there for a reason.


ICMP tunneling, host discovery to see if a device is active are two of
the issues with ICMP from the Internet. Flooding, though more rare
now, is still possible.

The idea is to limit your Internet footprint to make it as difficult
as possible for an attacker. There is no need for a web server to
respond to ping from the Internet for example.

I realize that some net admins are getting rather defensive on this
topic but there is no need. I believe a balance is required between
security and functionality and am not saying that ICMP should be
killed. Just limited. This is a security forum after all?

Try to remember, there is NO security built into the Internet Protocol
suite, which was developed in the 60's. Just because something is
there for a reason, doesn't mean it should not be subject to scrutiny.

-J
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: DoD aproved disk wiping tool, ragdelaed
Next by Date:  Re: File sharing with Bittorrent: what possible security threads?, Alexander Klimov
Previous by Thread:  RE: Removing ping/icmp from a network, Craig Wright
Next by Thread:  Re: Removing ping/icmp from a network, Mark Owen
Indexes:  [Date] [Thread] [Top] [All Lists]