LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-04-2013, 12:05 PM   #1
kroak
Ping/ICMP Security Concerns


At the risk of rehashing old news:

The security unit at my company seems rather intent on not allowing ping through the firewall; personally I don't see an issue.

What am I missing that they're so concerned about?

I work at CN rail.
 
Old 09-04-2013, 01:42 PM   #2
Ser Olmy
You're not missing anything.

ICMP Echo Requests can be used as a primitive tool for mapping a network, but they only tell you whether a host is up or not, not which services are running.

On systems with a seriously broken IP stack, a malformed ICMP packet can cause kernel panics/BSODs.

If broadcast pings are allowed through a router (no broadcast anything should be allowed through a router), a Smurf DoS attack is possible.

None of the scenarios above are specific to ICMP Echo Requests. Blocking ping packets does not improve security.
 
Old 09-06-2013, 05:08 AM   #3
ilesterg
Quote: Originally Posted by Ser Olmy
    Blocking ping packets does not improve security.
Never heard of Ping of death?

How about IP spoofing?

Now combine those 2.
 
Old 09-07-2013, 04:48 AM   #4
Ser Olmy
Quote: Originally Posted by ilesterg
    Never heard of Ping of death?
That only works if the IP stack on the receiving end is badly broken.

The so-called "Ping of Death" is nothing more than an exploit targeting a classic buffer overflow bug in some older IP stacks. No modern OS is affected by it.

A buffer overflow vulnerability could just as easily exist in the part of the IP stack handling TCP, or in any number of applications. The solution is not to block every protocol, but rather to evaluate the usefulness and risks associated with each protocol. There are currently no risks associated with allowing ICMP Echo Requests, and on the other hand "ping" is a useful diagnostic tool.

Quote: Originally Posted by ilesterg
    How about IP spoofing?
IP spoofing works regardless of protocol, and is not really a security issue in and of itself.

The only way to deal with IP spoofing is to do egress filtering at the ISP level.
 
Old 09-07-2013, 06:45 AM   #5
dt64
Lots of companies around the world seem to have in their IT policy that systems are not allowed to answer ping requests.
When this topic is discussed with the IT security guys, I sometimes receive unofficial statements that this came from non-techy management and was backed up with something like: "With ping you can find out there is a box. If you didn't know there was one you couldn't attack it."
Technically this is crap: any box in a network can be found as long as it is doing something. Only a box without cables/network connection is 100% safe. If a box is communicating on a network it may always be a target for attacks; it doesn't matter if it replies to ICMP or not.
Disabling ICMP only makes it harder to manage networks, as long as there isn't something set up providing similar functionality.

But... if that's your company's policy you are unlikely to change it unless you are the CIO...
 
Old 09-07-2013, 07:29 AM   #6
273
Does ping flooding not work as a DoS tool then?
 
Old 09-07-2013, 08:54 AM   #7
Ser Olmy
Quote: Originally Posted by 273
    Does ping flooding not work as a DoS tool then?
Of course it does. Just like a TCP SYN flood, or ACK flood, or a UDP packet flood, or basically any type of packet flooding regardless of protocol. Bandwidth throttling is recommended, but if someone manages to fill the entire pipe with rubbish (which is trivially easy for botnet operators), neither throttling nor firewall settings will be of any help.

If the choice is between letting nothing through or letting nothing except ICMP Echo Requests through, then blocking ICMP Echo Requests may have some marginal value. As long as you're allowing any inbound traffic at all, blocking pings won't make any difference in preventing DoS attacks.
 
Old 09-07-2013, 08:58 AM   #8
273
I meant more that it's just another thing you don't need rules for. Block ICMP and use CPU cycles for connection-based firewalling of other protocols? I'll admit though my networking knowledge isn't the best so I'm just thinking out loud here.
 
Old 09-07-2013, 09:16 AM   #9
eSelix
One of the tasks of firewalling is to prevent threats unknown at the present time. Currently there is no risk, but nobody can guarantee this for the future. Crackers are smart people and will utilize all available "things" to compromise security. One more security step can save you in case a new vulnerability is discovered at deeper levels. In my opinion only services, protocols and resources that are needed/used should be exposed outside. All others should be blocked. And ping is a utility for administrators; I do not see a reason for some worker to ping any company computer from home, even if he is allowed to connect to it, for example by ssh.
 
Old 09-07-2013, 02:23 PM   #10
Ser Olmy
Quote: Originally Posted by eSelix
    One of the tasks of firewalling is to prevent threats unknown at the present time. Currently there is no risk, but nobody can guarantee this for the future. Crackers are smart people and will utilize all available "things" to compromise security. One more security step can save you in case a new vulnerability is discovered at deeper levels. In my opinion only services, protocols and resources that are needed/used should be exposed outside. All others should be blocked. And ping is a utility for administrators; I do not see a reason for some worker to ping any company computer from home, even if he is allowed to connect to it, for example by ssh.
I would agree that the "implicit deny" principle is the appropriate approach for most environments.

The OP indicated that he needed to use the ping utility, and hence there seemed to be a genuine use case for ICMP Echo Requests in that particular network. He then asked if allowing ICMP has any security implications, and currently the answer to that question is "no".

One could argue that there might be unknown security vulnerabilities related to the ICMP protocol in the IP stack of some operating systems, and that allowing ICMP Echo Request might then make it possible for an attacker to exploit such a vulnerability should one ever be discovered. While that is technically true, the same can be said about any protocol.

ICMP Echo Requests are very simple beasts, and vulnerabilities related to the handling of "ping" packets in the IP stack are much less likely to exist than vulnerabilities in, say, the TCP code, not to mention vulnerabilities due to bugs in complex application software like web servers.

If someone has a genuine need to send ICMP Echo Requests, I see very few valid reasons not to allow them through the firewall. If you're concerned about flooding or unapproved tunnels, throttle them or limit the maximum packet size.

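An added example, not code from the thread or from any of its posters: the "throttle them or limit the maximum packet size" advice in this post and the bandwidth-throttling suggestion in post #7, written out as iptables rules, together with the kernel settings that cover the directed-broadcast (Smurf) case from post #2 and the spoofed-source case from post #4. The script only prints the commands so they can be reviewed and then piped to a root shell; the interface name, rate, burst, size limit and prefix are hypothetical defaults, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Generates iptables/sysctl commands that
# keep ICMP Echo Request reachable while bounding its rate and size, and sets
# the kernel knobs for directed-broadcast pings and source-address validation.
# Nothing is applied: the commands are printed for review, e.g.
#   sh icmp_policy.sh | sudo sh
# Interface, rate, burst, size and prefix values are hypothetical defaults.

# icmp_echo_rules IFACE RATE BURST MAXLEN
#   Accept Echo Requests on IFACE up to RATE (with BURST) per source address,
#   drop any whose total IP length exceeds MAXLEN bytes, drop the excess.
#   A default Linux ping is 84 bytes on the wire (20 IP + 8 ICMP + 56 data),
#   so 128 leaves headroom for ordinary diagnostics but not for bulk tunnels.
icmp_echo_rules() {
    iface=${1:-eth0}
    rate=${2:-10/second}
    burst=${3:-20}
    maxlen=${4:-128}
    cat <<EOF
iptables -N ICMP_ECHO
iptables -A ICMP_ECHO -m length --length $((maxlen + 1)):65535 -j DROP
iptables -A ICMP_ECHO -m hashlimit --hashlimit-name icmp_echo --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT
iptables -A ICMP_ECHO -j DROP
iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -j ICMP_ECHO
EOF
}

# host_knobs
#   Ignore Echo Requests sent to broadcast addresses (the Smurf amplifier
#   case) and enable strict reverse-path filtering, which drops packets whose
#   source address is not routable back out the interface they arrived on.
host_knobs() {
    cat <<EOF
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
EOF
}

# egress_rules IFACE PREFIX
#   BCP 38 style egress filter for a router: never forward a packet out the
#   upstream interface unless its source lies in our own prefix, so this
#   network cannot be used to launch spoofed-source floods.
egress_rules() {
    iface=${1:-eth0}
    prefix=${2:-192.0.2.0/24}   # hypothetical, documentation range
    echo "iptables -A FORWARD -o $iface ! -s $prefix -j DROP"
}

icmp_echo_rules
host_knobs
egress_rules
```

The length match is on the IP total length, so the 128-byte ceiling still admits a normal 84-byte ping while cutting off the MTU-sized payloads a tunnel needs; the hashlimit bucket is keyed per source address so one noisy host cannot starve everyone else's diagnostics. The egress rule belongs on the border router's FORWARD chain, which is where the "egress filtering at the ISP level" from post #4 is actually implemented.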
Old 09-08-2013, 05:42 AM   #11
dt64
Just to add to Ser Olmy's post:
There are possibilities to misuse ICMP, e.g. HTTP over ICMP, but that's true for other protocols as well, e.g. DNS. Would you not allow DNS in your network only because there is the potential for things like this? And by the way, the attacker would need to have access to both ends of such a tunnel anyway before it can be brought up; I doubt that the needed software will be implemented and running on your production systems by default.

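An added example for the tunnelling concern above, not code from dt64 or from the thread: a detection pass over tcpdump-style ICMP lines that flags sources sending oversized or bursty Echo Requests, the two things an ICMP tunnel has to do that an ordinary ping does not. The capture lines are constructed for the example using documentation addresses, and the thresholds are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Flags ICMP Echo Request sources that
# look like a tunnel endpoint: oversized payloads and/or bursts of requests
# within one second. Input is "tcpdump -n" style text, one packet per line.

# Constructed sample capture (documentation addresses, not real traffic).
# 203.0.113.5 is an ordinary ping (64-byte ICMP messages, one per second);
# 198.51.100.7 pushes ~1.5 KB messages in a burst, as a tunnel would.
# tcpdump's "length" here is the ICMP message length (header + data).
sample_log() {
cat <<'EOF'
12:00:01.000100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000900 IP 192.0.2.10 > 203.0.113.5: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 2, length 64
12:00:02.100000 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 9, seq 1, length 1024
12:00:02.100500 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 9, seq 2, length 1480
12:00:02.101000 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 9, seq 3, length 1480
12:00:02.101500 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 9, seq 4, length 1480
12:00:03.000100 IP 203.0.113.5 > 192.0.2.10: ICMP echo request, id 4242, seq 3, length 64
EOF
}

# icmp_tunnel_suspects MAXLEN MINOVER MAXRATE  < capture.txt
#   Reads tcpdump lines on stdin. For each source of Echo Requests, counts
#   requests, requests whose ICMP length exceeds MAXLEN, the largest length,
#   and the peak number of requests in any one second. Prints a line for each
#   source with at least MINOVER oversized requests or a peak of MAXRATE or
#   more per second. Replies and other ICMP types are ignored.
icmp_tunnel_suspects() {
    awk -v maxlen="$1" -v minover="$2" -v maxrate="$3" '
    /ICMP echo request/ {
        src = $3                      # "IP <src> > <dst>:"
        len = $NF + 0                 # tcpdump prints "length N" last
        sec = substr($1, 1, 8)        # HH:MM:SS of the timestamp
        total[src]++
        if (len > maxlen + 0) over[src]++
        if (len > maxseen[src] + 0) maxseen[src] = len
        persec[src, sec]++
        if (persec[src, sec] > peak[src] + 0) peak[src] = persec[src, sec]
    }
    END {
        for (s in total)
            if (over[s] + 0 >= minover + 0 || peak[s] + 0 >= maxrate + 0)
                printf "%s requests=%d oversized=%d max_len=%d peak_per_sec=%d\n", s, total[s], over[s] + 0, maxseen[s] + 0, peak[s] + 0
    }'
}

# Stand-alone run: flag anything over 128 bytes (seen twice) or 10+/second.
sample_log | icmp_tunnel_suspects 128 2 10
```

Run against a live capture with `tcpdump -n -l icmp | icmp_tunnel_suspects 128 2 10`. The size test alone catches tunnels that carry bulk data; the per-second peak catches ones that keep packets small and compensate with volume, which is also the traffic a rate limit on the firewall would be dropping.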
 
Old 09-08-2013, 07:25 AM   #12
eSelix
But you are talking about known techniques of breaking security (errors in the IP stack, etc.). I am talking about currently unknown ones. For example, could anybody have expected some time ago that cryptographic keys can be discovered by measuring the response time of packets? Maybe I have too much imagination, but I didn't. I mean that now we cannot imagine the risk of allowing something that looks safe, but hackers are much more imaginative than usual people or network administrators.

As protocols other than ICMP offer more opportunities for hackers, I don't see any reason to facilitate their job. It is a matter of choice between security and needs or comfort. As for not allowing DNS in your example, the answer is yes: if it is not needed in my network or outside, yes. Usually hackers exploit several holes to get into a system: one to break encryption or guess a password, another to trick the firewall, another to increase privileges, one more to escape from a jail, etc. Not just one and voilà, he is inside. All known and unknown minor bugs or lowered security can decide whether your system will be hacked... or not, because one last sentry of an insignificant component will block the intruder.
 
Old 09-16-2013, 09:34 AM   #13
kroak
Original Poster
To all:

Thanks to all for your answers; I'm a little smarter now. It isn't as simple an issue as I'd thought, but I suppose nothing IT-related ever is.

I can understand misgivings about enabling ping.

I have enough information to go on.

Thanks again.
 
  

