On Tue, Mar 25, 2008 at 12:29 PM, Secure This <lists (at) securethis (dot) net [email concealed]> wrote:
> I have a variety of clients with data centres who all make use of
> icmp/ping to monitor their servers/appliances/devices (often with poorly
> configured snmp versions 1 and 2).
>
> Could anybody kindly advise me of tools and strategies for minimising or
> removing the use of icmp/ping on a supposedly secure network?
>
> Thanks in advance
>

Basic monitoring of a server should utilize ICMP to determine if it is
online or not. If properly configured, traffic is very minimal and is
used exactly as what it was designed for. Per RFC 1122, any host that
receives an echo-request must respond with an echo-reply, making it
very easy to determine if a host is up or not. Advanced monitoring,
such as probing services' ports or SNMP, will be far more accurate but
will require additional resources and traffic, though still fairly
minute.

To minimize ICMP traffic used for monitoring, you can set your
monitoring software to check at a higher interval of time, check the
service port for a response, or check SNMP instead.
Overall, ICMP is a core essential of the Internet Protocol suite and
is usually pointless to remove, especially seeing how the only way to
generally remove ICMP is to actually block it with a hardware or
software firewall.

That said, within the same subnet I can not see any major issues with
blocking ICMP if you absolutely had your mind set on it. Most
firewalls will easily allow you to block ICMP.

--
Mark Owen

[ reply ]