Security Basics mailing list
Thread: Removing ping/icmp from a network (Mar 2008)
Reply signed -J (Jason, securitux gmail com)
>
> Any kind of packet can be (mis-)used for tunneling. That's not limited
> to ICMP. To prevent that you'd have to whitelist outbound connections,
> which is simply not feasible in most scenarios.
Yes, but it's likely to go unnoticed as many vendors configure
firewalls to allow and not log ICMP due to heavy network noise. And
ICMP is trusted by most admins. "What harm could possibly come from
ping?" In security you learn to trust nothing.
>
> > host discovery to see if a device is active
>
> So, what if the device is active? If it shouldn't be accessible from the
> outside: don't make it accessible from the outside. If it shouldn't be
> accessible from parts of your network: do proper segmentation, so those
> who should have access are inside the segment and those who shouldn't
> have access are not. However, if the device should be accessible,
> there's no point in suppressing ICMP.
Think about this though... If an attacker attempts to sweep the
outside using ICMP to see if hosts are active, and some do, and they
don't find that server running on port whatever, they will move on to
more tempting targets like the ones that do respond. Why on earth
would you open a service that will increase your capability of being
discovered by those with malicious intent if the service isn't
required?
>
> > The idea is to limit your Internet footprint to make it as difficult
> > as possible for an attacker.
>
> Nonsense. What you really want to do is to separate your publicly
> accessible servers from your internal network (in a DMZ) and do proper
> firewalling between your network segments. Snake-oil like dropping ICMP
> packets is *not* helping.
>
Would you agree that opening ports that aren't necessary is a bad
practice? Then why open ICMP which also serves no real purpose for web
services? Properly firewalled actually means blocking unnecessary
services as well as infrastructure layout.
>
> > There is no need for a web server to respond to ping from the Internet
> > for example.
>
> Of course there is. ping is the easiest (or rather: the appropriate) way
> to determine if the server is online. And yes, that is relevant
> information when someone runs into problems accessing your webserver.
>
Well MS hasn't been able to be pinged for x years, and they seem to be
getting along just fine. What about all the other web sites on the net
that don't respond to ping (and the majority don't)? Are you saying
that they are all wrong and that blocking ping is the wrong thing to
do? They all seem to get along just fine. And when I, and I am sure
many other technical people, can't ping a web site and the response to
it is very slow, we don't throw our hands up in the air and say their
servers are unreliable and they are breaking the Internet; we say
that it is likely being blocked, like most sites do, and try to use
other means of determining the problem, like tcpdump or other
monitoring and troubleshooting tools.
We're not talking what's easy here. We're talking what's secure.
> > This is a security forum after all?
>
> This is a mailing list, not a forum, and yes, it is about security.
> Snake-oil does not qualify as such, though.
>
Lol.. ok..
> > Try to remember, there is NO security built into the Internet Protocol
> > suite, which was developed in the 60's. Just because something is
> > there for a reason, doesn't mean it should not be subject to scrutiny.
>
> Last time I checked "scrutiny" was not defined as "ignoring the reason
> why something was invented to begin with".
>
Lots of things were 'invented for a reason'. SNMP for example. Does
that mean that if something was invented for a reason it has to be
allowed? No. Again, these protocols were invented when security was
not a consideration at all. Granted ICMP doesn't have near the issues
that nasty little beast has, but it is still not needed.
Take a survey of security professionals and even the more seasoned
network admins and ask how many of them depend on ICMP to determine if
a web site, or ANYTHING, is up or not. I guarantee the answer you will
get is: "I use it, but if it doesn't respond I use other methods
because most vendors block ping to their web servers anyway".
Please don't get me wrong, I am not saying that ping is useless, it's
not, and you're right, it makes life a little easier for network
admins. But I believe, and I am sure others do as well, that the mild
convenience caused by allowing it to a web server or other Internet
facing device does not justify the increased exposure.
-J
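Jason's point that ICMP typically passes the firewall unlogged, and his picture of an attacker sweeping the outside with ICMP to find live hosts, suggest the defensive counterpart: log echo requests at the border and look for one source touching many destinations in a short window. The following is an added example, not code from the thread; the netfilter LOG prefix FW-ICMP, the addresses, the 60-second window and the five-host threshold are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed netfilter LOG lines (not from the original post): one source probing
# five hosts in two seconds, one pinging a single host, one PMTUD message (type 3/4).
SAMPLE_LOG = """\
Mar 27 14:02:01 fw kernel: FW-ICMP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Mar 27 14:02:01 fw kernel: FW-ICMP IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=ICMP TYPE=8 CODE=0
Mar 27 14:02:02 fw kernel: FW-ICMP IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=ICMP TYPE=8 CODE=0
Mar 27 14:02:02 fw kernel: FW-ICMP IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=ICMP TYPE=8 CODE=0
Mar 27 14:02:03 fw kernel: FW-ICMP IN=eth0 SRC=198.51.100.7 DST=203.0.113.14 PROTO=ICMP TYPE=8 CODE=0
Mar 27 14:02:05 fw kernel: FW-ICMP IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
Mar 27 14:09:30 fw kernel: FW-ICMP IN=eth0 SRC=192.0.2.99 DST=203.0.113.20 PROTO=ICMP TYPE=3 CODE=4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=ICMP TYPE=(?P<type>\d+) CODE=(?P<code>\d+)"
)

def parse_icmp_log(text, year=2008):
    """Return (timestamp, src, dst, icmp_type) per line; syslog has no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a netfilter ICMP line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["type"])))
    return events

def detect_sweeps(events, window=timedelta(seconds=60), min_hosts=5):
    """Sources whose echo requests hit >= min_hosts distinct hosts in a window."""
    by_src = defaultdict(list)
    for ts, src, dst, icmp_type in events:
        if icmp_type == 8:  # only echo requests count as probes
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, probes in by_src.items():
        probes.sort()
        peak = 0
        for i, (start, _) in enumerate(probes):
            in_window = {dst for ts, dst in probes[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            sweeps[src] = peak  # peak distinct hosts touched inside one window
    return sweeps
```

The type 3/code 4 line is parsed but never counted: it is the "fragmentation needed" message that path MTU discovery depends on, which is why a blanket ICMP drop at the border is coarser than blocking echo requests alone.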