6

The company I'm currently doing work for does not allow ping requests out through their firewall, for "security reasons", and I'm baffled as to why this is a concern.

Before you point me to (e.g.) this question, note that I'm not talking about responding to ping requests made from outside the network. I'm talking about pinging from inside the corporate network.

So, for instance, I was trying to resolve a networking problem on a Linux VM, and (naively) assumed pinging google.com would tell me if I had any connectivity at all (mtr was not installed on this VM, or I would have used that), and all signs pointed to some network problem, or change in the configuration of the proxy server I had previously been able to get through (using cntlm).

Is there really a legitimate reason to prevent your own users from pinging outside servers?

iconoclast
  • 407
  • 5
  • 10
  • 1
    "_mtr was not installed on this VM, or I would have used that_" You could also install the nmap package and use `nping`. – curiousguy Jul 05 '12 at 23:08
  • IMHO any security policy which cannot be justified by the people responsible for implementing it either does not enhance security or illustrates a lack of competences on the part of those responsible for it. There are some *potential* reasons which might explain why the policy is there, but we can't tell you why your security people think it is needed. – symcbean Jul 06 '12 at 13:17
  • @symcbean: I realize of course you can't tell me why *they* think it's important. That's why I asked the more generic question: "Is there really [any] legitimate reason...?" – iconoclast Jul 06 '12 at 19:21

3 Answers

5

If you're allowing ICMP echo requests (type 8, code 0), then presumably you'll be allowing ICMP echo replies (type 0, code 0) back in. ICMP echo replies can be used for inverse mapping of a target network, even when there's a filtering device (such as a firewall on the perimeter). This is an old attack though and modern firewalls can easily block it (assuming they're correctly configured).

The Smurf DDOS attack first exploits an intermediary network that'll respond to broadcast ICMP messages and in turn sends out ICMP echo requests to a subsequent victim.

Here's a white paper on ICMP attacks - it's old but still valid and contains good information.

C&C communications are already well covered above, but here's another old paper on covert channels that shows some examples, specifically around Loki's use of echo requests and replies.

It's also possible to use ptunnel to set up a TCP connection using ICMP echo requests and replies, thus bypassing other firewall restrictions (if you've allowed ICMP requests out and replies in). In previous testing, this connection has been reliable and resilient.

Mark Hillick
  • 2,124
  • 11
  • 14
4

Some that come to mind:

  • Protecting against attacks (say a basic ICMP DDOS) coming from compromised machines within the company.
  • Preventing compromised machines from easily announcing their presence to C&C (botnet command & control).
  • As part of a "default deny" policy to only explicitly permit traffic. This gives you a very high security posture, at a high cost to convenience.

I'm sure there are others, but why don't you just ask them the goal of that particular security measure?

scuzzy-delta
  • 9,303
  • 3
  • 33
  • 54
  • I asked, and the reply seemed to me to be a polite way of saying "I don't have the time and you wouldn't understand anyway." I didn't press the issue, though. I'm pretty sure they follow a "default deny" policy. There are a lot of credit card transactions that go through our network, which sounds to me like quite possibly a mistake (why have credit transactions from retail stores on the same network that Corporate HQ uses for everything else?). – iconoclast Jul 06 '12 at 19:29
3

Some attackers may use outbound ICMP packets to send data out of the victim machine; read more about covert channels.
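The covert-channel concern raised in this answer and in Mark Hillick's answer above (Loki, ptunnel) rests on echo traffic that stops behaving like a plain ping. As an added example that is not from any answer or tool on this page, here is a small Python audit of the kind a defender could run over captured ICMP: it applies the RFC 792 rule that an echo reply must carry its request's data unchanged, and also flags oversized payloads and replies with no matching request. The packet layout is RFC 792; the sample stream and its id/seq values are constructed for the demonstration.

```python
import struct
ECHO_REPLY, ECHO_REQUEST = 0, 8  # ICMP types (RFC 792) named in the answers above

def parse_icmp(pkt: bytes) -> dict:
    """Split a raw ICMP message into its 8-byte header fields and payload."""
    if len(pkt) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed echo packet for the sample below (checksum left as 0)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

def audit_echo_stream(packets: list[bytes], max_payload: int = 64) -> list[str]:
    """Flag echo traffic that does not behave like a plain ping:
    oversized payloads, replies with no matching request, and replies whose
    payload differs from the request (RFC 792 says a reply echoes the data)."""
    pending: dict[tuple[int, int], bytes] = {}   # (id, seq) -> request payload
    findings = []
    for i, raw in enumerate(packets):
        p = parse_icmp(raw)
        if p["type"] not in (ECHO_REQUEST, ECHO_REPLY) or p["code"] != 0:
            continue  # only echo request/reply (types 8 and 0, code 0) are audited
        key = (p["id"], p["seq"])
        if len(p["payload"]) > max_payload:
            findings.append(f"pkt {i}: oversized payload ({len(p['payload'])} bytes)")
        if p["type"] == ECHO_REQUEST:
            pending[key] = p["payload"]
            continue
        req = pending.pop(key, None)
        if req is None:
            findings.append(f"pkt {i}: reply id={key[0]} seq={key[1]} without matching request")
        elif req != p["payload"]:
            findings.append(f"pkt {i}: reply payload differs from request (id={key[0]} seq={key[1]})")
    return findings

# Constructed sample: a normal ping exchange, a reply carrying different data than
# its request (what an ICMP tunnel produces), and an unsolicited oversized reply.
SAMPLE = [
    build_echo(ECHO_REQUEST, 0x1234, 1, b"A" * 56),
    build_echo(ECHO_REPLY, 0x1234, 1, b"A" * 56),
    build_echo(ECHO_REQUEST, 0x1234, 2, b"A" * 56),
    build_echo(ECHO_REPLY, 0x1234, 2, b"not the request data" + b"\x00" * 36),
    build_echo(ECHO_REPLY, 0x4242, 9, b"\x00" * 900),
]

if __name__ == "__main__":
    print("\n".join(audit_echo_stream(SAMPLE)))
```

A stock ping from one host should produce no findings at all, so any output from a real capture is worth a look; the payload limit is a tunable, not a protocol constant.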