Educause Security Discussion mailing list archives
Re: ICMP blocking
From: Randy Marchany <marchany () VT EDU>
Date: Wed, 6 Dec 2006 17:16:24 -0500
> Quick survey: Who's blocking ICMP subsets (like echo requests, traceroutes) at their borders? Who's not? Strong feelings about why in either case?
We don't block at the network level. Individual users may block ICMP using their host based firewalls. Personally, I don't believe blocking ICMP accomplishes anything from a security standpoint.

If the goal is to prevent someone from mapping your network, this doesn't work. Networks can be mapped using other protocols. For example, map a net using port 80 scans. Shoot, I can use inverse mapping techniques to find out what's NOT there and use that info to determine what IS there. Blocking ICMP doesn't prevent anyone from mapping your net. It doesn't even make it more difficult to map your net.

If the goal is to prevent unused fields from being used for covert payloads, well, other protocols suffer from the same problem.

IF (big capital IF) your hosts are reasonably secured, then so what if someone can ping you. What real security goal is achieved by blocking ICMP and no other protocols? Nothing worthwhile, I suspect.

-Randy Marchany
VA Tech IT Security Office/Lab
VA Tech
Blacksburg, VA 24060
marchany () vt edu
540-231-9523
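The point above that a network can be mapped over TCP port 80 just as easily as over ICMP echo has a detection-side consequence: a host-discovery sweep should be surfaced by how many distinct hosts one source touches in a short window, not by which protocol it used. The following is an added defender-side example, not code from the original post; the log line format and the sample lines are constructed, and the "sweep" threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log sample (assumed format):
#   <epoch-seconds> <proto> <src> -> <dst>[:<dport>] <detail>
# One source probes four hosts with ICMP echo, another probes the same
# four hosts with TCP SYN to port 80, and a third is ordinary traffic.
SAMPLE_LOG = """\
1000 ICMP 203.0.113.5 -> 192.0.2.1 echo-request
1001 ICMP 203.0.113.5 -> 192.0.2.2 echo-request
1002 ICMP 203.0.113.5 -> 192.0.2.3 echo-request
1003 ICMP 203.0.113.5 -> 192.0.2.4 echo-request
1005 TCP 198.51.100.9 -> 192.0.2.1:80 SYN
1006 TCP 198.51.100.9 -> 192.0.2.2:80 SYN
1007 TCP 198.51.100.9 -> 192.0.2.3:80 SYN
1008 TCP 198.51.100.9 -> 192.0.2.4:80 SYN
1010 TCP 192.0.2.50 -> 192.0.2.1:443 SYN
1011 TCP 192.0.2.50 -> 192.0.2.1:443 SYN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+->\s+([\d.]+)(?::\d+)?\s+\S+$")


def parse(log_text):
    """Return (timestamp, proto, src, dst) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, proto, src, dst = m.groups()
            events.append((int(ts), proto, src, dst))
    return events


def find_sweeps(log_text, min_targets=4, window=10):
    """Flag sources that reach >= min_targets distinct hosts within `window`
    seconds, whatever protocol they used. Returns {src: {targets, protocols}}."""
    by_src = defaultdict(list)
    for ts, proto, src, dst in parse(log_text):
        by_src[src].append((ts, proto, dst))
    sweeps = {}
    for src, ev in by_src.items():
        ev.sort()
        seen = Counter()  # distinct destinations inside the sliding window
        left = 0
        for right, (ts, proto, dst) in enumerate(ev):
            seen[dst] += 1
            while ev[left][0] < ts - window:  # drop events that fell out of the window
                old = ev[left][2]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            if len(seen) >= min_targets:
                protos = sorted({p for _, p, _ in ev[left:right + 1]})
                sweeps[src] = {"targets": len(seen), "protocols": protos}
    return sweeps
```

Run on the sample, both the ICMP sweep and the TCP/80 sweep are reported while the repeated connection from 192.0.2.50 is not; the protocol appears only as an attribute of the finding.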
Current thread:
- ICMP blocking Gary Dobbins (Dec 06)
- Re: ICMP blocking ken lindahl (Dec 06)
- Re: ICMP blocking Jeff Kell (Dec 06)
- Re: ICMP blocking Constantakos, William (Dec 06)
- Re: ICMP blocking Randy Marchany (Dec 06)
- Re: ICMP blocking David Gillett (Dec 06)
- Re: ICMP blocking John Ladwig (Dec 06)
- Re: ICMP blocking David Lundy (Dec 06)
- Re: ICMP blocking Gary Flynn (Dec 06)
- Re: ICMP blocking Ken Connelly (Dec 06)
- Re: ICMP blocking Russell Fulton (Dec 07)
- Re: ICMP blocking Joe St Sauver (Dec 07)