S 5.120 Handling of ICMP on the security gateway
Initiation responsibility: IT Security Officer
Implementation responsibility: Administrator
As a transport layer protocol, the Internet Control Message Protocol (ICMP, specified in RFC 792) has the task of transporting error and diagnostic information for the IP protocol. It is triggered and processed internally by the IP, TCP, or UDP protocols. ICMP defines a number of different so-called message types for a variety of purposes. Apart from many useful functions, there are some ICMP message types through which attackers can obtain important information about the network or use it directly to mount attacks (see T 5.50 Abuse of the ICMP protocol).
However, the radical approach of always blocking ICMP at the security gateway is not a satisfactory solution either, because certain functions are then no longer available. The ping and traceroute commands can usually be dispensed with on normal workstations and servers, but blocking ICMP globally on the security gateway may lead to impairments that are difficult to diagnose.
Selective ICMP filtering should therefore be considered, both at the security gateway and at any local packet filter on the individual IT systems, insofar as it offers the corresponding options. The operational purpose of the computer (server or workstation), its protection requirements, and the safeguards taken at the security gateway for the individual computers should be taken into account. For example, more message types can be permitted for the internal network than for the external network.
For example, the ICMP message Echo Request (message type 8) is sent by programs such as the ping command line tool and serves to find out whether a computer is reachable at all. The computer responds to this request with an Echo Reply (message type 0). If ICMP Echo Requests are allowed from the external to the internal network, an attacker may use them to "map" the internal network.
The ICMP message Destination Unreachable (message type 3) is generated if a computer or a network is unreachable and may be misused to interrupt all connections between the computers involved. Nevertheless, the Destination Unreachable message in particular is important for the functioning of the higher layer protocols. For example, the sub-type "Fragmentation Needed but the Don't Fragment Bit was Set" (message type 3, code 4) is needed to determine the maximum possible packet size for a given connection ("Path MTU Discovery").
The ICMP message Redirect (message type 5) is sent if a gateway detects that the packet could be sent directly to another gateway, i.e. the packet has so far been sent along a circuitous route. The shorter route is then entered into the routing table of the sender. Attackers may misuse this in order to configure routes via their own attack computers. ICMP Redirect messages should therefore be blocked at the security gateway.
For the other message types, it must be considered whether information possibly delivered to the outside could be misused for an attack.
Computers in the internal network
The following table shows a possible setting for a security gateway separating an organisation's internal network from the internet. These settings constitute an acceptable compromise between security and functionality for the majority of purposes.
ICMP message | Incoming | Outgoing | Notes |
---|---|---|---|
Echo Request (type 8) | Block | Permit | |
Echo Reply (type 0) | Permit | Block | Allows for "pinging" from the inside to the outside, but not vice versa, together with the setting above |
Destination unreachable (type 3) | Permit | Permit | Possibly perform a more subtle differentiation based on the message code |
Time exceeded (type 11) | Permit | Permit | Possibly block outgoing messages |
Redirect (type 5) | Block | Block | |
Other types | Block | Block | |
Table 1: ICMP for computers in the internal network
Since "ping" does not play any special role for the functionality of a network, completely blocking the types Echo Request and Echo Reply should also be considered in the case of normal protection requirements.
For higher security requirements, the number of admissible outgoing ICMP types should be restricted further.
"Public" servers in the DMZ
For servers installed in a demilitarised zone of the security gateway that offer publicly accessible services, it may make sense to permit additional message types. In this case, protecting the internal network structure from being "spied out" does not play any role, since these computers must be reachable from the outside anyway. The following table may serve as a point of reference:
ICMP message | Incoming | Outgoing | Notes |
---|---|---|---|
Echo Request and Echo Reply (types 0 and 8) | Permit | Permit | |
Destination unreachable (type 3) | Permit | Permit | Possibly perform a more subtle differentiation based on the message code |
Time exceeded (type 11) | Permit | Permit | |
Source Quench (type 4) | Permit | Block | |
Redirect (type 5) | Block | Block | |
Other types | Block | Block | |
Table 2: ICMP for "public" servers in the DMZ
Components of the security gateway
Components of the security gateway itself should be as transparent as possible for normal network traffic. It is therefore recommended that these systems do not generate any ICMP messages, either on their own initiative or in response to incoming ICMP messages. This setting is best made directly on the respective system, insofar as corresponding configuration options exist. Otherwise, the corresponding packets should be blocked at the outer packet filter.
ICMP in the event of specific security requirements
For IT systems and networks with special security requirements, it is recommended to block all ICMP messages, with the possible exception of message type 3, code 4 ("Fragmentation Needed but the Don't Fragment Bit was Set"). This exception avoids problems with so-called "Path MTU Discovery" (determination of the maximum possible packet size for a given connection).
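The policies in Table 1, Table 2 and the "special security requirements" rule above can be checked as executable code. The following Python script is an added example, not part of the IT-Grundschutz catalogue and not the configuration syntax of any particular packet filter: it parses a raw IPv4/ICMP packet, validates both checksums, and applies the tables to the message type and code. The packet builder, the documentation-range addresses (192.0.2.10, 198.51.100.7) and the "in"/"out" direction convention (incoming means from the internet toward the protected network) are assumptions made for the example. The `INTERNAL_STRICT_POLICY` variant shows the two "possibly" notes of Table 1 applied, i.e. the finer differentiation by message code that the tables mention.

```python
import struct

PERMIT, BLOCK = "permit", "block"

# ICMP message types used in this safeguard (RFC 792 values) and the one message code it names.
ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 4, 5, 8, 11
FRAG_NEEDED = 4  # code 4 of type 3: "Fragmentation Needed but the Don't Fragment Bit was Set"

# A policy maps (type, code) -> (incoming, outgoing). code None matches any code; a (type, code)
# entry takes precedence over the (type, None) entry; anything not listed is blocked.
INTERNAL_POLICY = {                      # Table 1: internal network behind the gateway
    (ECHO_REQUEST, None): (BLOCK, PERMIT),
    (ECHO_REPLY, None): (PERMIT, BLOCK),
    (DEST_UNREACH, None): (PERMIT, PERMIT),
    (TIME_EXCEEDED, None): (PERMIT, PERMIT),
    (REDIRECT, None): (BLOCK, BLOCK),
}
# Table 1 with its two notes applied: outgoing Destination Unreachable only for the
# Path MTU Discovery code, and outgoing Time Exceeded blocked.
INTERNAL_STRICT_POLICY = {
    **INTERNAL_POLICY,
    (DEST_UNREACH, FRAG_NEEDED): (PERMIT, PERMIT),
    (DEST_UNREACH, None): (PERMIT, BLOCK),
    (TIME_EXCEEDED, None): (PERMIT, BLOCK),
}
DMZ_POLICY = {                           # Table 2: "public" servers in the DMZ
    (ECHO_REQUEST, None): (PERMIT, PERMIT),
    (ECHO_REPLY, None): (PERMIT, PERMIT),
    (DEST_UNREACH, None): (PERMIT, PERMIT),
    (TIME_EXCEEDED, None): (PERMIT, PERMIT),
    (SOURCE_QUENCH, None): (PERMIT, BLOCK),
    (REDIRECT, None): (BLOCK, BLOCK),
}
# Special security requirements: everything blocked except type 3, code 4.
HIGH_SECURITY_POLICY = {(DEST_UNREACH, FRAG_NEEDED): (PERMIT, PERMIT)}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp(packet: bytes):
    """Return (type, code) of the ICMP message inside an IPv4 packet, or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_length < ihl + 8 or len(packet) < total_length:
        raise ValueError("truncated packet")
    if internet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != 1:                   # IPv4 protocol field: 1 = ICMP
        raise ValueError("not ICMP")
    icmp = packet[ihl:total_length]
    if internet_checksum(icmp) != 0:     # a valid ICMP checksum verifies to zero
        raise ValueError("bad ICMP checksum")
    return icmp[0], icmp[1]


def decide(policy, icmp_type: int, icmp_code: int, direction: str) -> str:
    """Apply one policy table to a message; direction is "in" (from the internet) or "out"."""
    column = 0 if direction == "in" else 1
    entry = policy.get((icmp_type, icmp_code)) or policy.get((icmp_type, None))
    return entry[column] if entry else BLOCK


def filter_packet(policy, packet: bytes, direction: str):
    """Filter a raw IPv4 packet; a malformed ICMP message is blocked rather than guessed at."""
    try:
        icmp_type, icmp_code = parse_icmp(packet)
    except ValueError as err:
        return BLOCK, "malformed: %s" % err
    return decide(policy, icmp_type, icmp_code, direction), "type %d code %d" % (icmp_type, icmp_code)


def build_icmp_packet(icmp_type: int, icmp_code: int, payload: bytes = b"") -> bytes:
    """Constructed sample packet (documentation addresses, no IP options) for testing the filter."""
    icmp = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0) + payload
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    header = header[:10] + struct.pack("!H", internet_checksum(header)) + header[12:]
    return header + icmp


if __name__ == "__main__":
    for name, policy in (("internal", INTERNAL_POLICY), ("dmz", DMZ_POLICY),
                         ("high-security", HIGH_SECURITY_POLICY)):
        for t, c in ((ECHO_REQUEST, 0), (DEST_UNREACH, FRAG_NEEDED), (REDIRECT, 0)):
            print(name, filter_packet(policy, build_icmp_packet(t, c), "in"))
```

The decision depends only on message type, code and direction; nothing in it tracks connection state, which matches the recommendation below to leave ICMP stateful inspection disabled. Malformed packets (truncated, bad checksum, non-ICMP) are always blocked, so a parsing failure can never fall through to "permit".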
ICMP in the internal network
In the internal network, it may also make sense to block ICMP entirely or in part. At internal security gateways separating a network with special security requirements from a network with normal protection requirements, it is recommended to select the same ICMP settings as recommended above for separating the internal network from the internet.
ICMP and stateful inspection
Some packet filter or security gateway manufacturers offer the option of also performing a kind of stateful inspection for ICMP in their products. However, because of its purpose, ICMP is particularly ill-suited to stateful inspection. Given how error-prone such a configuration is and the comparatively low benefit, it is recommended to leave the corresponding options disabled.
Review questions:
- Is the use of admissible ICMP message types limited restrictively at the security gateway?
- Are ICMP Redirect messages blocked at the security gateway?
- Are ICMP messages prevented from being sent actively by the components of the security gateway?
- Has it been documented which ICMP messages may be sent in which directions?