Is it risky for firewall to block ICMP?

261    Asked by AndreaBailey in Cyber Security , Asked on Mar 23, 2022

 I read this sentence - The generic firewall manifest file finishes off by dropping everything I didn't otherwise allow (besides ICMP. Don't turn off ICMP). But, is it truly a good practice for a firewall to allow ICMP? What are the security implications, and are there cases where ICMP should be turned off?

Answered by Anisha Dalal

Compared to other IP protocols ICMP is fairly small, but it does serve a large number of disparate functions. At its core ICMP was designed as the debugging, troubleshooting, and error reporting mechanism for IP. This makes it insanely valuable so a lot of thought needs to go into shutting it down. It would be a bit like tacking >/dev/null 2>&1 to the end of all your cron entries. Most of the time when I talk to people about block ICMP they're really talking about ping and traceroute. This translates into 3 types

  • 0 - Echo Reply (ping response)
  • 8 - Echo Request (ping request)

11 - Time Exceeded

  • That's 3 types out of 16. Let's look at a couple of the other ICMP types that are available.
  • 4 - Source Quench (send by a router to ask a host to slow down its transmissions)
  • 3 - Destination Unreachable (consists of 16 different kinds of messages ranging from reporting a fragmentation problem up to a firewall reporting that a port is closed)

Both of which can be invaluable for keeping non-malicious hosts operating properly on a network. In fact there are two (probably more but these are the most obvious to me) very good cases where you don't want to restrict ICMP. Path MTU Discovery - We use a combination of the Don't Fragment flag and type 3 code 4 (Destination Unreachable - Fragmentation required, and DF flag set) to determine the smallest MTU on the path between the hosts. This way we avoid fragmentation during the transmission.

Active Directory requires clients ping the domain controllers in order to pull down GPOs. They use ping to determine the "closest" controller and if none response, then it is assumed that none are close enough. So the policy update doesn't happen. That's not to say that we should necessarily leave everything open for all the world to see. Reconnaissance is possible with ICMP and that is generally the reason given for blocking. One can use pings to determine if a host is actually on, or Time Exceeds (as part of a traceroute) to map out network architectures, or Rory forbid a Redirect (type 5 code 0) to change the default route of a host. Given all that, my advice is, as always, take a measured and thoughtful approach to your protections. Blocking ICMP in its entirety is probably not the best idea, but picking and choosing what you block and to/from where probably will get you what you want.



Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com