Re: Removing ping/icmp from a network

[Jason <securitux () gmail com>]

Ok, back to this...

>  What do you mean by "many vendors configure firewalls"? Any admin who
>  doesn't tailor his firewall configuration to the particular needs of his
>  network has already lost.

Vendors have firewalls too. But what I mean is really many customers /
vendors / admins / whatever.

>  I call bullshit.
>
>  a) A ping sweep isn't the only way to do network exploration. I'll refer
>    you to the man-page of nmap for more details.
>  b) You can't hide computers on the Internet. IP simply doesn't work that
>    way. Not responding to echo requests does *not* mean "host isn't
>    there".
>  c) ICMP doesn't care about ports. Like, at all. Thus a ping sweep is
>    entirely unsuitable to "find that server running on port whatever".

Never said it was (??)

>  If the host is supposed to be accessible: why whould you care about
>  someone discovering it?
>
>  If the host is not supposed to be accessible: why is it accessible in
>  the first place?

You can't hide them, but you can make them more difficult to discover
by those who may wish to cause damage. And I said IF an attacker ping
sweeps, I didnt say at all that it was the only way. Any attacker
worth their salt will USUALLY find the hosts, but the idea is to
reduce the possibility, not remove it.


>  ICMP is a protocol, not a service. And why would I care about "those
>  with malicious intent" finding a server that is supposed to be
>  accessible? Rather than wasting my time and effort on security by
>  obscurity (and not responding to echo requests is just that) I'd put it
>  into hardening the systems and exposing only those systems and services
>  that are supposed to be accessible.

Security by design is always best, but hiding the presence of a device
may sometimes be desired. And hardening those systems is a process
that RARELY happens unfortunately. If you harden the systems, good for
you. But you'd be surprised how many do not.

>  > Would you agree that opening ports that aren't necessary is a bad
>  > practice?
>
>  Yes, because they increase the code base without serving a purpose, thus
>  increasing your potential risk of being exploited.

Umm increases your code base? I could nitpick but I wont.

>  > Then why open ICMP which also serves no real purpose for web
>  > services?
>
>  ICMP is still a protocol, not a service. And unlike unnecessary services
>  it has a purpose.

I am not saying it doesn't again, its just not necessary.

>  > Properly firewalled actually means blocking unnecessary services as
>  > well as infrastructure layout.
>
>  ICMP. Is. Not. Unnecessary.

Agree to disagree.

>  And could you please explain why your infrastructure is exposed to the
>  outside in the first place?

Layout of the infrastructure for secure internet access. If you want
to nitpick, technically your external firewall(s) is/are part of the
infrastructure.

>  > Well MS hasn't been able to be pinged for x years, they seem to be
>  > getting along just fine.
>
>  *sigh*
>
>  Yeah. Except for everyone else who's trying to troubleshoot connection
>  problems to their servers. Bad practice doesn't magically become good
>  practice just because Microsoft does it.

LOL a lot more sites than MS do it.

>  > What about all the other web sites on the net that don't respond to
>  > ping, and the majority don't, are you saying that they are all wrong
>  > and that blocking ping is the wrong thing to do?
>
>  As a matter of fact: yes, I am.
>
>
>  > They all seem to get along just fine.
>
>  Yeah. Being an idiot tends to hurt others rather than oneself.

Being idiots? Wow..

>  > And when I, and I am sure many other technical people, can't ping a
>  > web site and response to it is very slow they don't throw their hands
>  > up in the air and say their servers are unreliable and they are
>  > breaking the Internet, they say that it is likely being blocked like
>  > most sites do, and try to use other means of determining the problem.
>  > Like using tcpdump or other monitoring and troubleshooting tools.
>
>  You did not just suggest to use tcpdump instead of ping, did you?

There are many ways to troubleshoot issues, tcpdump (yes, packet
capturing) is one. And you can ping a TCP port too you know. If ping
is unavailable to test latency, there are other ways. I am suggesting
options. And ping is not a must for all troubleshooting. I'm sorry but
if an admin relies solely on ping to do troubleshooting....

>  > We're not talking what's easy here. We're talking what's secure.
>
>  You still have to explain what's so insecure about ping.

I was not saying its the most insecure thing on the Internet. I am
saying it's not needed. You don't agree... ok.

>  >
>  > Lots of things were 'invented for a reason'. SNMP for example. Does
>  > that mean that if something was invented for a reason it has to be
>  > allowed? No. Again, these protocols were invented when security was
>  > not a consideration at all. Granted ICMP doesn't have near the issues
>  > that nasty little beast has, but it is still not needed.
>
>  The reason for ICMP being there doesn't magically go away just because
>  you wish so. Without ICMP network troubleshooting becomes a major pain
>  in the ass. Meaning that it should not be discarded without a damn good
>  reason (which you still have to give).

Again, see above.

>  > Take a survey of security professionals and even the more seasoned
>  > network admins and ask how many of them depend on ICMP to determine if
>  > a web site, or ANYTHING, is up or not. I guarantee the answer you will
>  > get is: "I use it, but if it doesn't respond I use other methods
>  > because most vendors block ping to their web servers anyway".
>
>  Ummm... yeah. So? That makes it a good idea how?
>
>  And while you're taking your survey, ask the network admins if they'd
>  prefer ICMP enabled or disabled, and how they handle ICMP in their own
>  networks. I have a strong suspicion you'll get answers similar to mine.

I didn't ask what network admins 'prefer'. If a security professional
just does what the net admins prefer, attackers would have a much
easier life :) Again, its not the end of the Internet if its disabled.
And it doesn't confuse most admins when it is.

>  ICMP does not increase your exposure. That's plain and utter nonsense.
>  Either your hosts are epxosed or they're not. ICMP doesn't change the
>  least about this. Security by obscurity will not help and is not a
>  replacement for actual security. What is so hard to understand about
>  that?

It's not a replacement, I never said it was. You have to understand
that security by design is sometimes not the way things are done, and
I am being generous. And before you say how wrong that is, yes, you're
right it is wrong. But its life. The idea is to minimize the exposure
of a host and not affect required services or protocols. ICMP is not a
required protocol for a web server, sorry. Convenient, yes. Required,
no. If you believe it is then thats okay. That's the beauty of the
Internet, everyone has an opinion.

You need to stop taking things so personally which you have been
throughout this entire discussion. And calling bullshit, being
condescending, and calling people who disable ping "idiots" doesn't go
a long way to proving your point. The "my way is right and everyone
else who thinks otherwise is stupid" approach just descends to a level
I am not willing to go.

On that note, if you still don't agree and want to continue to attempt
to prove how wrong I am, by all means go ahead.

Good luck.

-J