One core topic when designing firewall policies is the following question: Is ping a security attack? Should ICMP echo-request messages be blocked in almost any directions?
My short answer: Ping is your friend. :) You won’t block hackers if you block ping. Instead, ping is quite useful for network administrators checking basic network connectivity. That is: I suggest allowing ping anywhere around, accept incoming connections from the Internet to the trusted networks.
Here comes a discussion:
Ping or not to Ping
It is basically the “Security vs. Usability” question: Do I want the highest security regardless of cost or do I want a useful way between usability and security?
The Big Advantage
Ping (and traceroute) allows the network administrator to check whether the network is working as expected, e.g., routing, site-to-site VPNs, etc. It further allows any person to check whether the system on the other side is alive or not. If ping is allowed through any internal networks, you are quite fast in deciding whether you have an availability problem at the network/host, or if you have a blocking firewall (for the upper-layer ports) or a crashed application in between.
If ping is allowed, anyone is able to check which systems are present and alive on the network. This might reveal several hosts that should be hidden from the public. It can be used by hackers to find vulnerable hosts (reconnaissance phase).
But only from Untrust!
But this is only true for pings from the untrust/guest networks, because:
- Inside the own Networks: Internal networks can be considered to be secure. If you have multiple user and server networks, there might be so many different applications allowed that ping won’t bring any more security concerns. E.g., almost everyone has layer-2 connectivity to the network from which much more security attacks are possible such as Man-in-the-Middle attacks, etc. Compared to that, ping is nothing. If you don’t trust your users at all, you have a general problem.
- From Trust to Untrust (Internet): Your users are allowed to browse to the Internet but you won’t allow ping? Even if your users are not allowed to browse, ping provides a basic troubleshooting tool for every application that a user might use. Your FTP connection is not working? Try ping first. You cannot email from your servers? Try ping first. But what is about covert channels in which malicious users can transfer data to the Internet with ping? My answer: If someone really wants to upload data, he will find a way – with or without ping (USB sticks, printed paged, tunnels, encrypted zip files, …).
- From Untrust (Internet) to DMZ: Now it’s getting interesting. What’s about incoming connections to the DMZ? Simple answer: Ping does not bring any security concern! Any server inside the DMZ has at least one port opened for accesses from “any” from the Internet. (Otherwise, that host should not be on the DMZ.) That is: A hacker already knows about the HTTP server in the DMZ, even without ping. If he wants to know the status of your server, he will do a TCP SYN ping on port 80 and not only an icmp echo-request. (Try httping <server> or traceroute -T -p 80 <host-address> from a Linux machine and you will even get the path inside the internal network!) Nowadays, a ping of death does not work anymore (patched systems, next-generation firewalls, …), so there is no consideration about ping other than the “is the system alive” check.
- From Untrust (Internet) to Trust: Finally, that’s the direction in which ping should be blocked. Of course, you don’t want that anyone on the Internet is able to list your active systems on the end user subnets, etc. (In IPv4 networks, this won’t be needed due to NAT castrations. But this deny rule should be in place for IPv6 with global-unicast addresses, at least if the privacy extensions are not used.)
And keep in mind: Your “normal” users don’t even know what ping is. Something like “I don’t want my users to know which servers exist” is simply not true because they don’t even know how to search for them.
In conclusion, this is my default ping policy on a firewall:
- Ping from the Internet into the DMZ is allowed,
- followed by a deny statement for pings from the Internet to any other zone.
- Finally, all other pings are globally permitted: