blocking icmp traffic


bn2hunt (MIS, US; joined May 15, 2003)
I have a question to pose; if this is the wrong forum please let me know and I will try to find a more appropriate place to post this question.

I work on a help desk for a mid-sized company and our networking staff wants to block internal ICMP traffic. I can understand blocking traffic coming from outside the firewall, but I don't understand what blocking the internal traffic will accomplish other than making my job harder. One of the first things we do when an end user calls and says they can't access the network is ping their PC and see if they are connected. Blocking this traffic will really limit the amount of troubleshooting we can do without actually visiting the end user's desk. So can someone please explain what their logic is on this?

Thanks

DDNWolff
 
Beats me. At a minimum I'd leave echo, echo-reply, time-exceeded and unreachable open. Some things, like redirects, can generally be blocked as long as it doesn't interfere with routers.

 
There is really no advantage to blocking ICMP traffic inside the firewall, unless you have someone doing a DoS attack from the inside (unlikely).

___________________________________
[morse]--... ...--[/morse], Eric.
 
Possibly viruses that create a DoS (the old Welchia comes to mind).
 
I've gotten into the habit of blocking ICMP in both directions for the exact reason that tom11011 stated. If a user ends up with something on his PC doing an attack, at least your company won't look like an idiot to the outside world. I found our company's VP DoSing the Dept of State one time due to a virus after I first took over as their IT manager. Not good seeing how it was a defense contracting company.

However, when I block ICMP, I enable it for the IT staff only. Like the original poster said, it is a useful troubleshooting tool. By limiting ICMP to only authorized stations, we can help control the traffic and keep it legit.

BierHunter
CNE, MCSE, CCNP
 
Thanks for all the help, I have a better understanding of why we are going to block the traffic now. BierHunter, do you have a link on where I can find out more info on limiting the traffic to a specific IP range? Then I can go into the meeting later this week with some more knowledge on how we can both obtain the access that we are looking for.

Thanks

Ddnwolff
 
Be glad to help out. The way you control it will of course depend upon the equipment you have...Cisco, etc.

Basically, you want to block all incoming ICMP. Allow outgoing ICMP for the workstation IPs you select and block all other outgoing. The firewall/router settings should allow replies to come in when requested, but not allow unsolicited ICMP to come in.

That part I do in the firewall/router depending upon the equipment in use.

Then, you'll want to make sure that the IPs for the specified workstations don't change. I prefer to reserve them in DHCP rather than to exclude them and statically assign them. That way when I look in the DHCP server, I can see why an address is set aside; and it is also easier to change if the need ever arises.

Oh yes, also block "administratively-prohibited" ICMP from going back out. This will prevent replies from going back to a possible attacker and telling them that there is something there but it's blocked. If someone pings you, you pretty much want the packet to just die. No replies or anything.

I hope that made sense. Without knowing what you are working with, it's hard to go into details. Good luck. I'll be glad to help out if I can.

BierHunter
CNE, MCSE, CCNP
 