[AusNOG] network security Question

Chris Ricks chris.ricks at securepay.com.au
Tue May 20 20:23:49 EST 2014


There are reasons beyond those you've described, I'm afraid.

Some security policies and/or standards make explicit requirements around ICMP traffic being blocked. Further, some of the tools involved in qualifying compliance with such policies and/or standards flag *any* ICMP traffic being passed or responded to as a non-negotiable item for remediation to get the sacred tick.

In the latter case, "Use a better compliance tool" tends to be frustrated by commercial arrangements, in-place process or the pain involved in migrating (moving configurations, associated documentation, bigger issues being present in alternative tools).

For some of the private networks I've seen used between parties (still IP but over non-public carriage) explicit allow is the rule, and traffic is dropped unless it is explicitly justified by a particular application. 

I recall one example of bringing up one of these links being frustrated by some routing that was meant to route traffic via an IPSEC tunnel being set up incorrectly, thus routing it around the tunnel to other parts of the network I was trying to get to an application within. A traceroute showed this to be the case, with responses to the findings including a "thanks" from the network guys, a "don't do that" from the security guys and a "how is that traffic being allowed to any part of our network?" from the process guys.

The only thing more frowned upon than asking for visibility into the carrier's network with ICMP is asking for read-only SNMP access on the NTU being installed on premises. 

All that said though, attempting to have ICMP traffic not be dropped in the cases I've described above is similar to trying to get Telstra to hand off services via Megaport in terms of outcome.

----- Original Message ----- 
From: "Geordie Guy" <elomis at gmail.com> 
To: "Alex Samad - Yieldbroker" <Alex.Samad at yieldbroker.com> 
Cc: "<ausnog at lists.ausnog.net>" <ausnog at lists.ausnog.net> 
Sent: Tuesday, 20 May, 2014 8:04:53 PM 
Subject: Re: [AusNOG] network security Question 


The necessity to block ICMP is down to the balance between the available practical attack vectors that are ICMP based, versus its practical utility as the underlying test and verification message protocol on networks that is expected to function and be used to relay messages accurately about other traffic. 
In short, if you block it universally there's a near 100% chance you don't know what you're doing. 
On 20/05/2014 1:37 PM, "Alex Samad - Yieldbroker" <Alex.Samad at yieldbroker.com> wrote: 


Hi 

Wondering what people do around 
1) letting through icmp 

I like the idea of allowing icmp through; it makes network diagnosis a lot easier, but I don't want to be bombed. 
What sort of rate limiting do people think is acceptable? 
What's acceptable from client to confirm connectivity? 


2) blacklisting ip's 

So I have (like a lot of others) people port scanning, looking for open ports. At what sort of levels do people actually do something about it? 

I'm asking as an end user, but I'm also curious to know what providers do. 

I have heard of companies blocking entire ranges, for example China and/or Russia, as they have no clients there. Do people do that? Do ISPs provide that service (can that be done through the auto black hole mechanism?) 


Alex 
_______________________________________________ 
AusNOG mailing list 
AusNOG at lists.ausnog.net 
http://lists.ausnog.net/mailman/listinfo/ausnog 




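Alex asks what rate limiting is acceptable for inbound ICMP, and Geordie's reply argues against blocking it universally. The following is an added worked example for this thread, not code posted by anyone in it: a per-source token-bucket policy that always passes the ICMP error messages other protocols depend on ("fragmentation needed" for Path MTU discovery, "time exceeded" for traceroute), meters echo requests per source, and drops the rest. The ICMP type and code numbers are the real RFC 792 / RFC 1191 values; the rate and burst figures, the addresses and the sample traffic are constructed assumptions chosen to make the behaviour visible, not recommended numbers.

```python
"""
Per-source token-bucket policy for inbound ICMP.

Added example for this thread, not code posted by anyone in it. ICMP type and
code numbers are the real RFC 792 / RFC 1191 values; the rate, burst, addresses
and sample traffic are constructed assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

ECHO_REPLY = 0
DEST_UNREACH = 3
REDIRECT = 5
ECHO_REQUEST = 8
TIME_EXCEEDED = 11
FRAG_NEEDED = 4  # code under DEST_UNREACH that drives Path MTU discovery

RATE_PER_SEC = 3.0  # assumed sustained echo-request rate allowed per source
BURST = 10          # assumed bucket size a new source starts with


@dataclass
class Packet:
    ts: float        # arrival time in seconds
    src: str
    icmp_type: int
    icmp_code: int = 0


class IcmpPolicy:
    """Decide accept/drop for one ICMP packet, rate-limiting echo requests per source."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate = rate
        self.burst = burst
        self._buckets = {}  # src -> (tokens, last_seen_ts)

    def _take_token(self, src, ts):
        tokens, last = self._buckets.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._buckets[src] = (tokens - 1.0, ts)
            return True
        self._buckets[src] = (tokens, ts)
        return False

    def decide(self, pkt):
        # Error messages other protocols depend on are never rate-limited:
        # "fragmentation needed" is how Path MTU discovery learns a smaller MTU
        # (dropping it blackholes large TCP segments), and "time exceeded" is
        # what traceroute is built on.
        if pkt.icmp_type == DEST_UNREACH and pkt.icmp_code == FRAG_NEEDED:
            return "accept"
        if pkt.icmp_type == TIME_EXCEEDED:
            return "accept"
        # Pings are useful for diagnosis but are also the flood vector, so meter them.
        if pkt.icmp_type == ECHO_REQUEST:
            return "accept" if self._take_token(pkt.src, pkt.ts) else "drop"
        if pkt.icmp_type in (ECHO_REPLY, DEST_UNREACH):
            return "accept"
        # Redirects, timestamp, address mask and the rest have no business
        # arriving from outside: default deny.
        return "drop"


def run(policy, packets):
    """Return {(src, icmp_type, decision): count} for a packet stream."""
    counts = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.ts):
        counts[(pkt.src, pkt.icmp_type, policy.decide(pkt))] += 1
    return dict(counts)


def sample_traffic():
    """Constructed traffic: one host pings 100 times in one second, another behaves."""
    flooder, quiet = "198.51.100.7", "203.0.113.9"
    pkts = [Packet(i * 0.01, flooder, ECHO_REQUEST) for i in range(100)]
    pkts += [
        Packet(0.50, quiet, DEST_UNREACH, FRAG_NEEDED),    # PMTUD error
        Packet(0.60, quiet, ECHO_REQUEST),                 # a single ping
        Packet(0.70, quiet, REDIRECT),                     # unsolicited redirect
        Packet(1.50, flooder, DEST_UNREACH, FRAG_NEEDED),  # flooder's PMTUD error still passes
    ]
    return pkts


if __name__ == "__main__":
    for key, n in sorted(run(IcmpPolicy(), sample_traffic()).items()):
        print(key, n)
```

With these assumed numbers the flooding host gets its first ten pings through and then only the trickle the bucket refills, while its "fragmentation needed" message and the quiet host's single ping are accepted and the unsolicited redirect is dropped. In a real deployment the same policy lives in the firewall rather than in Python; nftables, for instance, has a `limit rate N/second burst M packets` expression that can be applied to `icmp type echo-request` after the accept rules for the error types.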