Ok to let all ICMP traffic through firewall?

Discussion in 'Computer Security' started by Franklin, Sep 22, 2005.

  1. Leythos Guest

    I already said we allow ICMP with partners and have no problems with
    VPNs, we do not allow ICMP with the world as a general rule, just with
    approved partners.
    Leythos, Sep 24, 2005

  2. Leythos Guest

    My ISP is in the business that requires they provide it - I don't see
    how you can't understand that part. We don't offer services to the world
    and have exceptions for our partners so that ICMP is not blocked to
    them. Why can't you seem to grasp the simple concept of allowing for
    business needs and blocking for all others?
    Leythos, Sep 24, 2005

  3. Leythos Guest

    Which does not change the fact that I can limit ICMP to my non-partners
    without impact on our communications.
    Leythos, Sep 24, 2005
  4. Bob Eager Guest

    By bundling the two together, you indicated a lack of understanding of
    the difference...

    "Blocking Ping is very common, as is blocking inbound 135~139, 445, FTP,
    As I said before...do what you like...it'll be your problem, not mine.
    Oh, and I probably read the RFC long before you, anyway.
    Bob Eager, Sep 24, 2005
  5. Bob Eager Guest

    Well, you think you can.
    Bob Eager, Sep 24, 2005
  6. Dave Dowson Guest

    I still can't understand why you would want to deliberately break a
    valuable feature of IP - and do so in a way such that a user will have
    no idea why their connection to a specific site on the Internet may
    work in some cases but not in others. It's your choice how you
    configure your network, of course, but it seems a rather idiotic
    configuration to me.
    Dave Dowson, Sep 24, 2005
  7. I should have clarified (thought that it was clear from the context.. ah
    well ;o)

    This is monitoring my services from *outside* of the network.

    Like most non-ISPs, I don't have a dedicated 24x7 staff to monitor systems
    (this is a home network, before someone starts slinging companies that *do*
    have this requirement).

    On the Ping front, you'll find that the companies that you're hosting
    (assuming that's what your part of the network does) are unlikely to appear
    on many search engines - at least, that *used* to be the case - a "cheap"
    PING before even attempting an HTTP GET.

    Together, those made a pretty compelling case for me to switch ICMP back
    on - I didn't (and still don't) see it as a major way threat to my firewall
    (and, after all, that's as far as the packet's going to get, right?
    Certainly not into the DMZ...)

    Hairy One Kenobi, Sep 24, 2005
  8. Chris Guest

    By bundling the two together, you indicated a lack of understanding of
    I think that it's a bit of a stretch to suggest that someone stating that
    blocking ping is very common, as is blocking inbound traffic to "135~139,
    445, FTP, etc..." shows a lack of understanding of the difference. I think
    that you've missed his point.

    I like Chinese food as well as the occasional Indian but just because they
    are mentioned in the same sentence shouldn't lead anyone to the conclusion
    that I don't understand the difference between the two.
    Chris, Sep 24, 2005
  9. Leythos Guest

    You may think that it breaks things for "users on the internet", but
    since we don't really care about "users" on the internet, since we only
    care about partners being able to connect with our public facing
    services, we're not really breaking anything as they (partners) don't
    have ICMP blocked - so, back to reality, we're not breaking anything for
    our accepted/targeted audience, we're closing possible security holes
    that may or may not be a threat.

    Now do you understand - it's actually rather simple - the "users" that
    need to have ICMP responses from our networks get it, ones that don't do
    not get it.
    Leythos, Sep 24, 2005
  10. Leythos Guest

    Like I've said many times before - ICMP is exposed to partner
    sites/companies, blocked to the rest of the world. If we have no
    communications need with you then we don't expose anything to you.

    Your example of Ping would fall into a business need - so there would be
    a rule exception allowing PING from your designated monitoring service.
    Leythos, Sep 24, 2005
  11. Dave Dowson Guest

    Hang on a minute, so now you are saying that you block outgoing ICMP
    (i.e. responses) to selected parties - earlier you said you blocked
    incoming ICMP. So maybe you block both.

    Tell me - what is the risk of sending an ICMP packet to anyone?
    You've said that you block such responses - but why? What is the risk
    you perceive in sending a message which (in general) does not require
    a response and so cannot have any impact on your network? Or are you
    suggesting that your networks are so insecure that you need to protect
    them from things that would not even be a threat to the clueless
    newbie home computer user? I haven't a clue what services you
    provide, but please let me know - just so I can make sure I never use

    And no, I don't understand your screwed up interpretation of the risks
    associated with what is a relatively simple out-of-band signalling
    Dave Dowson, Sep 24, 2005
  12. Leythos Guest

    This is the easy part for you - you don't have to understand my
    reasoning. I block all traffic not needed for the business. By blocking
    all traffic not needed for the business I EXPOSE LESS, which puts me one
    step closer to not having to worry about some unknown exploit. That's
    all the reason for it, nothing else, simple concept - block what you
    don't need.

    Here's another thing, and don't confuse this with my blocking ICMP, I
    also block all access from IP lists that resolve to various countries
    for other networks - for instance, if we have a mail server, in-bound
    SMTP is filtered for content and a master block list is also applied
    against it for filtering email from lots of IP ranges that resolve to
    known geographical locations.

    It's all about exposing ONLY WHAT YOU NEED and ONLY WHAT YOUR TARGET
    NEEDS - if you expose more than what's needed you expose yourself to
    exploits that you may or may not already know about.
    Leythos, Sep 25, 2005
  13. Actually, it's not that simple (I'll stress again that this is *my*
    particular need, but not one that is particularly uncommon)

    My monitoring service is me, with either my phone or a laptop.

    I need to be able to connect from a variety of countries, and a (for my
    purposes) essentially random series of ISPs and routing networks.

    I understand completely that this isn't the same as /your/ need - you are
    obviously providing a specific service to a very geographically limited set
    of known users. Although I'd be wary, once one of them attempts DR. 'Tis
    amazing what comes out of the woodwork when that happens... I've had to do
    it for real, courtesy of the PIRA.

    Hairy One Kenobi, Sep 25, 2005
  14. :Tell me - what is the risk of sending an ICMP packet to anyone?
    :You've said that you block such responses - but why? What is the risk
    :you perceive in sending a message which (in general) does not require
    :a response and so cannot have any impact on your network? Or are you
    :suggesting that your networks are so insecure that you need to protect
    :them from things that would not even be a threat to the clueless
    :newbie home computer user?

    There was an attack publicized within the last few years, in
    which attackers sent ICMP Network Redirect and Host Redirect
    (which don't require responses...) specifying IP addresses
    of major banking sites. Networks whose administrators were not
    blocking ICMP Redirects had their users redirected to clone
    sites made to -look- like the banking sites, but which copied
    the username and passwords entered; the perpetrators then
    proceeded to steal from peoples' bank accounts and credit cards.
    Walter Roberson, Sep 25, 2005
  15. Mike Civil Guest

    I'm sorry but I don't think you know what you're talking about. As
    you've previously quoted, without apparently understanding it, ICMP is
    predominantly a mechanism for reporting an error in IP. If you block it,
    and don't (or rarely) have an error at the IP level, then your setup
    will work - because there are no errors and ICMP simply isn't
    involved. If an error should occur then your blocking of ICMP could
    then prevent you from detecting and diagnosing faults, or allowing your
    application(s) to handle them.

    But it's your setup, and I think we'll just have to agree to differ.

    Mike Civil, Sep 25, 2005
  16. Leythos Guest

    Are you unable to connect via VPN of some form?
    Leythos, Sep 25, 2005
  17. Mark Guest

    Hopefully I'm not going to stray too far from the subject of ICMPs, but
    I feel there could be a risk in allowing any IP packet to be sent to
    anyone. No, it's not a general risk to your network because they
    couldn't infect a machine on your network. But, they could be a
    liability risk or just a risk of embarrassment.

    For instance, what if a user on your internal network has knowledge of
    malware that used covert channels to receive its instructions about
    what to do? Then, that user used that knowledge to attack someone
    else's network. Or, a machine on your network is infected with this
    type of malware and is used in an attack because it received
    instructions over a covert channel.
    That sounds like layered security to me. Why expose one thing just
    because you think everything behind it is secured?
    There are ways to send information or instructions to processes
    listening on systems that allow any IP packet. It could be in an ICMP
    or TCP or UDP or ESP or GRE (doesn't matter) payload. But, it doesn't
    have to be in the payload. It could just be the timing between the
    packets. It could be a particular sequence of IP IDs. Or, the use of
    still undefined or experimental IP options.

    But on a practical note, when it comes to ICMPs, I tend to block
    everything except errors that are related to established connections.
    But, that's just me. Obviously, there are many opinions on this subject.

    Mark, Sep 25, 2005
  18. Somebody. Guest

    You just make diagnosis more difficult when things go wrong obviously, since
    you can't ping. Also some devices that use ping for link monitoring will be
    unhappy and need to be reconfigured or will have reduced functionality. If
    you can live with this, and many people can, there is no big cost to you, to
    block all ping at the firewall.

    For example when ISPs block ping, it drives me crazy because when I deploy
    NetScreens in the field with failover internet connections, they need to use
    ping to determine if the link is up. So I can't enable failover when the
    ISP blocks ping. Inevitably somebody re-enables auto failover detection and
    it immediately fails over to dialup because it thinks the highspeed link is

    Somebody., Sep 25, 2005
  19. Dave Dowson Guest

    We were talking about outgoing ICMP messages, not incoming ones, but
    never mind.

    As far as ICMP redirects are concerned they provide a facility to
    inform a network node of the 'best' local gateway, i.e. which next hop
    router to use for a particular destination. If you sent a spoofed
    ICMP redirect to a workstation on my local network then (a) it would
    have to appear to come from the default gateway (easy to spoof if you
    know the internal network configuration, although maybe a little
    difficult to inject if ingress filtering is employed on external
    interfaces), (b) it would need to contain the first 8 bytes of the
    outgoing IP message it related to (not quite so easy to spoof unless
    you can monitor the traffic on my local network), and (c) it could
    only specify an IP address of a different node on the same LAN segment
    for the 'new' next hop router for that destination.

    So god only knows how the compromise you mentioned above worked, but I
    can only assume that either the 'attack' was internal (i.e. the bogus
    servers were on the same LAN as the victims) or that the network was
    already compromised and that the ICMP redirects were of little
    significance to the true nature of the attack.
    Dave Dowson, Sep 25, 2005
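    Dave Dowson's three redirect conditions above, Mark's rule of passing only ICMP errors tied to established connections (post 17), and Leythos's partner-only echo policy, combined in one added Python check that is not code from the thread; the partner network, local subnet, gateway and sample flow are constructed assumptions.

```python
import ipaddress
import struct

# Constructed policy values (assumptions, not from the thread): partner
# networks allowed to ping us, our local segment and its default gateway.
PARTNERS = [ipaddress.ip_network("198.51.100.0/24")]
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
GATEWAY = ipaddress.ip_address("192.0.2.1")

def inner_flow(payload):
    """Parse the original IP header + first 8 bytes that ICMP error and
    redirect messages carry after their own 8-byte header (RFC 792)."""
    ihl = (payload[0] & 0x0F) * 4 if payload else 0
    if ihl < 20 or len(payload) < ihl + 8:
        return None
    src = ipaddress.ip_address(payload[12:16])
    dst = ipaddress.ip_address(payload[16:20])
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    return (src, dst, payload[9], sport, dport)

def icmp_verdict(src_ip, icmp, established):
    """True = accept. `established` is a set of (src, dst, proto, sport, dport)
    tuples for flows we opened, standing in for the firewall's state table."""
    src = ipaddress.ip_address(src_ip)
    itype = icmp[0]
    if itype in (0, 8):        # echo reply / echo request: partners only
        return any(src in net for net in PARTNERS)
    if itype in (3, 11, 12):   # unreachable / time exceeded / parameter problem
        return inner_flow(icmp[8:]) in established   # errors for our own flows only
    if itype == 5:             # redirect: all three of Dave Dowson's conditions
        new_gw = ipaddress.ip_address(icmp[4:8])
        return (src == GATEWAY and new_gw in LOCAL_NET
                and inner_flow(icmp[8:]) in established)
    return False               # every other ICMP type is dropped

def build_icmp_error(itype, code, word2, src, dst, proto, sport, dport):
    """Constructed sample message for testing; checksum left zero. `word2` is
    the gateway address for redirects and the unused field otherwise."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr += struct.pack("!HHI", sport, dport, 0)     # first 8 bytes of the TCP header
    return struct.pack("!BBH4s", itype, code, 0, ipaddress.ip_address(word2).packed) + hdr

if __name__ == "__main__":
    flows = {(ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("203.0.113.5"), 6, 40000, 443)}
    onlink = build_icmp_error(5, 1, "192.0.2.2", "192.0.2.10", "203.0.113.5", 6, 40000, 443)
    offlink = build_icmp_error(5, 1, "203.0.113.99", "192.0.2.10", "203.0.113.5", 6, 40000, 443)
    print(icmp_verdict("192.0.2.1", onlink, flows), icmp_verdict("192.0.2.1", offlink, flows))
```

A real firewall also verifies the ICMP checksum and matches the embedded header against its own connection table; this check only shows which fields that decision depends on.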
  20. Leythos Guest

    If you understand this simple fact: If I block ICMP to non-partners,
    then I don't really care if they get ICMP messages, which means I don't
    care what NON-PARTNERS SEE.

    If we allow ICMP with Partners then there is no issue with ICMP, so,
    we're back to you seeming to miss that we block EVERYTHING TO
    NON-PARTNERS, but we secure the network according to partner needs.

    What parts are you missing about ICMP being permitted for PARTNERS?
    Leythos, Sep 25, 2005