Re: Removing ping/icmp from a network

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2008-03-28 Jason wrote:
> > > ICMP tunneling,
> >
> > Any kind of packet can be (mis-)used for tunneling. That's not limited
> > to ICMP. To prevent that you'd have to whitelist outbound connections,
> > which is simply not feasible in most scenarios.
>
> Yes, but its likely to go unnoticed as many vendors configure
> firewalls to allow and not log ICMP due to heavy network noise. And
> ICMP is trusted by most admins. "What harm could possibly come from
> ping?". In security you learn to trust nothing.

What do you mean by "many vendors configure firewalls"? Any admin who
doesn't tailor his firewall configuration to the particular needs of his
network has already lost.

> > > host discovery to see if a device is active
> >
> > So, what if the device is active? If it shouldn't be accessible from
> > the outside: don't make it accessible from the outside. If it
> > shouldn't be accessible from parts of your network: do proper
> > segmentation, so those who should have access are inside the segment
> > and those who shouldn't have access are not. However, if the device
> > should be accessible, there's no point in suppressing ICMP.
>
> Think about this though... If an attacker attempts to sweep the
> outside using ICMP to see if hosts are active, and some do, and they
> don't find that server running on port whatever, they will move on to
> more tempting targets like the ones that do respond.

I call bullshit.

a) A ping sweep isn't the only way to do network exploration. I'll refer
   you to the man-page of nmap for more details.
b) You can't hide computers on the Internet. IP simply doesn't work that
   way. Not responding to echo requests does *not* mean "host isn't
   there".
c) ICMP doesn't care about ports. Like, at all. Thus a ping sweep is
   entirely unsuitable to "find that server running on port whatever".

If the host is supposed to be accessible: why whould you care about
someone discovering it?

If the host is not supposed to be accessible: why is it accessible in
the first place?

> Why on earth would you open a service that will increase your
> capability of being discovered by those with malicious intent if the
> service isn't required?

ICMP is a protocol, not a service. And why would I care about "those
with malicious intent" finding a server that is supposed to be
accessible? Rather than wasting my time and effort on security by
obscurity (and not responding to echo requests is just that) I'd put it
into hardening the systems and exposing only those systems and services
that are supposed to be accessible.

> > > The idea is to limit your Internet footprint to make it as difficult
> > > as possible for an attacker.
> >
> > Nonsense. What you really want to do is to separate your publicly
> > accessible servers from your internal network (in a DMZ) and do
> > proper firewalling between your network segments. Snake-oil like
> > dropping ICMP packets is *not* helping.
>
> Would you agree that opening ports that aren't necessary is a bad
> practice?

Yes, because they increase the code base without serving a purpose, thus
increasing your potential risk of being exploited.

> Then why open ICMP which also serves no real purpose for web
> services?

ICMP is still a protocol, not a service. And unlike unnecessary services
it has a purpose.

> Properly firewalled actually means blocking unnecessary services as
> well as infrastructure layout.

ICMP. Is. Not. Unnecessary.

And could you please explain why your infrastructure is exposed to the
outside in the first place?

> > > There is no need for a web server to respond to ping from the
> > > Internet for example.
> >
> > Of course there is. ping is the easiest (or rather: the appropriate)
> > way to determine if the server is online. And yes, that is relevant
> > information when someone runs into problems accessing your webserver.
>
> Well MS hasn't been able to be pinged for x years, they seem to be
> getting along just fine.

*sigh*

Yeah. Except for everyone else who's trying to troubleshoot connection
problems to their servers. Bad practice doesn't magically become good
practice just because Microsoft does it.

> What about all the other web sites on the net that don't respond to
> ping, and the majority don't, are you saying that they are all wrong
> and that blocking ping is the wrong thing to do?

As a matter of fact: yes, I am.

> They all seem to get along just fine.

Yeah. Being an idiot tends to hurt others rather than oneself.

> And when I, and I am sure many other technical people, can't ping a
> web site and response to it is very slow they don't throw their hands
> up in the air and say their servers are unreliable and they are
> breaking the Internet, they say that it is likely being blocked like
> most sites do, and try to use other means of determining the problem.
> Like using tcpdump or other monitoring and troubleshooting tools.

You did not just suggest to use tcpdump instead of ping, did you?

> We're not talking what's easy here. We're talking what's secure.

You still have to explain what's so insecure about ping.

> > > Try to remember, there is NO security built into the Internet
> > > Protocol suite, which was developed in the 60's. Just because
> > > something is there for a reason, doesn't mean it should not be
> > > subject to scrutiny.
> >
> > Last time I checked "scrutiny" was not defined as "ignoring the
> > reason why something was invented to begin with".
>
> Lots of things were 'invented for a reason'. SNMP for example. Does
> that mean that if something was invented for a reason it has to be
> allowed? No. Again, these protocols were invented when security was
> not a consideration at all. Granted ICMP doesn't have near the issues
> that nasty little beast has, but it is still not needed.

The reason for ICMP being there doesn't magically go away just because
you wish so. Without ICMP network troubleshooting becomes a major pain
in the ass. Meaning that it should not be discarded without a damn good
reason (which you still have to give).

> Take a survey of security professionals and even the more seasoned
> network admins and ask how many of them depend on ICMP to determine if
> a web site, or ANYTHING, is up or not. I guarantee the answer you will
> get is: "I use it, but if it doesn't respond I use other methods
> because most vendors block ping to their web servers anyway".

Ummm... yeah. So? That makes it a good idea how?

And while you're taking your survey, ask the network admins if they'd
prefer ICMP enabled or disabled, and how they handle ICMP in their own
networks. I have a strong suspicion you'll get answers similar to mine.

> Please don't get me wrong, I am not saying that ping is useless, its
> not, and you're right it makes life a little easier for network
> admins. But I believe, and I am sure others do as well, the mild
> convenience caused by allowing it to a web server or other Internet
> facing device does not justify the increased exposure.

ICMP does not increase your exposure. That's plain and utter nonsense.
Either your hosts are epxosed or they're not. ICMP doesn't change the
least about this. Security by obscurity will not help and is not a
replacement for actual security. What is so hard to understand about
that?

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq