Archived from groups: comp.security.misc,alt.computer.security,comp.security.firewalls,uk.telecom.broadband (More info?)
My question is: should a firewall let all ICMP traffic through, because
there is no real risk if it does?
+++++
Here is the thinking behind my question: Robin Walker's cable modem
webpages at
<http://homepage.ntlworld.com/robin.d.h.walker/cmtips/index.html>
look to me as if they are technically sound. But they are a few
years old. I would like to know what people think about the advice
he gives about ICMP traffic and if it is still true these days.
He suggests that firewalls should let all ICMP traffic through and
that there is no real risk if they do that. At
http://snipurl.com/hvox he writes the following section. I have cut
it down a bit.
------------------- START QUOTE -----------------
STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
Some firewalls have a hiding mechanism they call stealth. ... In
stealth mode, the firewall causes the PC just to ignore incoming
connection attempts, rather than rejecting them, as would be normal
for incoming connection attempts to closed ports.
.... causes some difficulties. For a start, Internet standard RFC 1122
states categorically about ICMP Echoes (ping):
"3.2.2.6 Echo Request/Reply: RFC-792. Every
host MUST implement an ICMP Echo server function
that receives Echo Requests and sends
corresponding Echo Replies."
So you are strongly advised not to apply stealth techniques to the
ICMP protocol.
A commonly heard objection to allowing ICMP Echo Replies is that it
gives away information to hackers that there is a live connection on
this IP address. Such objections are not well-founded, and can be
safely ignored.
There is no evidence in practice that any hacker has been aided by
the presence of an ICMP Echo Reply.
Hackers do not typically write code that tests an address with ICMP
Echo before launching a hostile probe: they always send the hostile
probe directly: either it works or it doesn't, and information from
ICMP adds nothing to the analysis.
------------------- END QUOTE -----------------
So should a firewall let all ICMP traffic through? Is it OK to do
that?
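As an added illustration that is not part of the original post or of Robin Walker's page: the quoted advice argues against "stealthing" ICMP Echo, but a firewall does not have to choose between "all ICMP" and "no ICMP". The script below is a hypothetical per-type ICMPv4 filter (names, policy table and rate limits are my own assumptions, not any real firewall's API). It parses constructed ICMP messages, verifies the RFC 1071 checksum, answers Echo Request as RFC 1122 requires but rate-limits it, keeps the error types that PMTU discovery and traceroute depend on, and drops Redirect, which an outside host has no reason to send you.

```python
"""Per-type ICMPv4 filtering policy (added example, not from the original post)."""
import struct
from typing import Optional

# ICMPv4 message types (RFC 792)
ECHO_REPLY = 0
DEST_UNREACH = 3
REDIRECT = 5
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
PARAM_PROBLEM = 12

# Hypothetical policy table (an assumption for this example, not a standard).
# Anything not listed falls through to DEFAULT_ACTION.
POLICY = {
    ECHO_REQUEST: "accept",   # ping: answer it, as RFC 1122 3.2.2.6 requires
    ECHO_REPLY: "accept",     # replies to our own pings
    DEST_UNREACH: "accept",   # code 4 (fragmentation needed) is what PMTU discovery relies on
    TIME_EXCEEDED: "accept",  # traceroute and TTL-expired notices
    PARAM_PROBLEM: "accept",
    REDIRECT: "drop",         # an external host has no business rewriting our routes
}
DEFAULT_ACTION = "drop"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over data (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, payload: bytes = b"",
               ident: int = 0, seq: int = 0) -> bytes:
    """Build an ICMPv4 message with a correct checksum (used to construct sample input)."""
    header = struct.pack("!BBHHH", msg_type, code, 0, ident, seq)
    cksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, code, cksum, ident, seq) + payload


def parse_icmp(pkt: bytes):
    """Return (type, code), or raise ValueError if the message is truncated or corrupt."""
    if len(pkt) < 8:
        raise ValueError("ICMP header truncated")
    # A valid message checksums to zero when the checksum field itself is included.
    if icmp_checksum(pkt) != 0:
        raise ValueError("ICMP checksum mismatch")
    msg_type, code = struct.unpack("!BB", pkt[:2])
    return msg_type, code


class TokenBucket:
    """Rate limiter so that answering ping does not mean answering a ping flood."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.capacity = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        # Refill according to elapsed time, capped at the burst size.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def decide(pkt: bytes, echo_limiter: Optional[TokenBucket] = None, now: float = 0.0) -> str:
    """Return 'accept' or 'drop' for one inbound ICMPv4 message."""
    try:
        msg_type, _code = parse_icmp(pkt)
    except ValueError:
        return "drop"  # malformed: discard silently, there is nothing sane to reply to
    if msg_type == ECHO_REQUEST and echo_limiter is not None and not echo_limiter.allow(now):
        return "drop"  # over the ping budget; the host is still reachable, just not floodable
    return POLICY.get(msg_type, DEFAULT_ACTION)


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    samples = {
        "echo request": build_icmp(ECHO_REQUEST, 0, b"ping", ident=1, seq=1),
        "frag needed": build_icmp(DEST_UNREACH, 4),
        "redirect": build_icmp(REDIRECT, 1),
        "truncated": b"\x08\x00",
    }
    for name, pkt in samples.items():
        print(f"{name:13s} -> {decide(pkt)}")
```

The limiter takes an explicit clock so the behaviour is deterministic; a real deployment would pass time.monotonic(). Whether to also "stealth" closed TCP/UDP ports is a separate decision from this ICMP table, which is the point the quoted text is making.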