Security Basics mailing list archives
Re: Removing ping/icmp from a network
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Sat, 29 Mar 2008 20:35:23 +0100
On 2008-03-28 Jason wrote:
ICMP tunneling,Any kind of packet can be (mis-)used for tunneling. That's not limited to ICMP. To prevent that you'd have to whitelist outbound connections, which is simply not feasible in most scenarios.Yes, but its likely to go unnoticed as many vendors configure firewalls to allow and not log ICMP due to heavy network noise. And ICMP is trusted by most admins. "What harm could possibly come from ping?". In security you learn to trust nothing.
What do you mean by "many vendors configure firewalls"? Any admin who doesn't tailor his firewall configuration to the particular needs of his network has already lost.
host discovery to see if a device is activeSo, what if the device is active? If it shouldn't be accessible from the outside: don't make it accessible from the outside. If it shouldn't be accessible from parts of your network: do proper segmentation, so those who should have access are inside the segment and those who shouldn't have access are not. However, if the device should be accessible, there's no point in suppressing ICMP.Think about this though... If an attacker attempts to sweep the outside using ICMP to see if hosts are active, and some do, and they don't find that server running on port whatever, they will move on to more tempting targets like the ones that do respond.
I call bullshit. a) A ping sweep isn't the only way to do network exploration. I'll refer you to the man-page of nmap for more details. b) You can't hide computers on the Internet. IP simply doesn't work that way. Not responding to echo requests does *not* mean "host isn't there". c) ICMP doesn't care about ports. Like, at all. Thus a ping sweep is entirely unsuitable to "find that server running on port whatever". If the host is supposed to be accessible: why whould you care about someone discovering it? If the host is not supposed to be accessible: why is it accessible in the first place?
Why on earth would you open a service that will increase your capability of being discovered by those with malicious intent if the service isn't required?
ICMP is a protocol, not a service. And why would I care about "those with malicious intent" finding a server that is supposed to be accessible? Rather than wasting my time and effort on security by obscurity (and not responding to echo requests is just that) I'd put it into hardening the systems and exposing only those systems and services that are supposed to be accessible.
The idea is to limit your Internet footprint to make it as difficult as possible for an attacker.Nonsense. What you really want to do is to separate your publicly accessible servers from your internal network (in a DMZ) and do proper firewalling between your network segments. Snake-oil like dropping ICMP packets is *not* helping.Would you agree that opening ports that aren't necessary is a bad practice?
Yes, because they increase the code base without serving a purpose, thus increasing your potential risk of being exploited.
Then why open ICMP which also serves no real purpose for web services?
ICMP is still a protocol, not a service. And unlike unnecessary services it has a purpose.
Properly firewalled actually means blocking unnecessary services as well as infrastructure layout.
ICMP. Is. Not. Unnecessary. And could you please explain why your infrastructure is exposed to the outside in the first place?
There is no need for a web server to respond to ping from the Internet for example.Of course there is. ping is the easiest (or rather: the appropriate) way to determine if the server is online. And yes, that is relevant information when someone runs into problems accessing your webserver.Well MS hasn't been able to be pinged for x years, they seem to be getting along just fine.
*sigh* Yeah. Except for everyone else who's trying to troubleshoot connection problems to their servers. Bad practice doesn't magically become good practice just because Microsoft does it.
What about all the other web sites on the net that don't respond to ping, and the majority don't, are you saying that they are all wrong and that blocking ping is the wrong thing to do?
As a matter of fact: yes, I am.
They all seem to get along just fine.
Yeah. Being an idiot tends to hurt others rather than oneself.
And when I, and I am sure many other technical people, can't ping a web site and response to it is very slow they don't throw their hands up in the air and say their servers are unreliable and they are breaking the Internet, they say that it is likely being blocked like most sites do, and try to use other means of determining the problem. Like using tcpdump or other monitoring and troubleshooting tools.
You did not just suggest to use tcpdump instead of ping, did you?
We're not talking what's easy here. We're talking what's secure.
You still have to explain what's so insecure about ping.
Try to remember, there is NO security built into the Internet Protocol suite, which was developed in the 60's. Just because something is there for a reason, doesn't mean it should not be subject to scrutiny.Last time I checked "scrutiny" was not defined as "ignoring the reason why something was invented to begin with".Lots of things were 'invented for a reason'. SNMP for example. Does that mean that if something was invented for a reason it has to be allowed? No. Again, these protocols were invented when security was not a consideration at all. Granted ICMP doesn't have near the issues that nasty little beast has, but it is still not needed.
The reason for ICMP being there doesn't magically go away just because you wish so. Without ICMP network troubleshooting becomes a major pain in the ass. Meaning that it should not be discarded without a damn good reason (which you still have to give).
Take a survey of security professionals and even the more seasoned network admins and ask how many of them depend on ICMP to determine if a web site, or ANYTHING, is up or not. I guarantee the answer you will get is: "I use it, but if it doesn't respond I use other methods because most vendors block ping to their web servers anyway".
Ummm... yeah. So? That makes it a good idea how? And while you're taking your survey, ask the network admins if they'd prefer ICMP enabled or disabled, and how they handle ICMP in their own networks. I have a strong suspicion you'll get answers similar to mine.
Please don't get me wrong, I am not saying that ping is useless, its not, and you're right it makes life a little easier for network admins. But I believe, and I am sure others do as well, the mild convenience caused by allowing it to a web server or other Internet facing device does not justify the increased exposure.
ICMP does not increase your exposure. That's plain and utter nonsense. Either your hosts are epxosed or they're not. ICMP doesn't change the least about this. Security by obscurity will not help and is not a replacement for actual security. What is so hard to understand about that? Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- Re: Removing ping/icmp from a network, (continued)
- Re: Removing ping/icmp from a network Michael Painter (Mar 27)
- Re: Removing ping/icmp from a network Razi Shaban (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Michael Painter (Mar 31)
- RE: Removing ping/icmp from a network Ric Messier (Mar 28)
- RE: Removing ping/icmp from a network Adewale, Akin (IT Services - Infosec Team) (Mar 28)
- RE: Removing ping/icmp from a network Craig Wright (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 28)
- Re: Removing ping/icmp from a network Jason (Mar 28)
- Re: Removing ping/icmp from a network Ansgar -59cobalt- Wiechers (Mar 31)
- Re: Removing ping/icmp from a network Jon R. Kibler (Mar 26)
- Re: Removing ping/icmp from a network Jason (Mar 26)