[AusNOG] network security Question

Mark Newton newton at atdot.dotat.org
Wed May 21 09:27:06 EST 2014


On 20 May 2014, at 8:23 pm, Chris Ricks <chris.ricks at securepay.com.au> wrote:

> There are reasons beyond those you've described I'm afraid.
> 
> Some security policies and/or standards either make explicit the requirements around ICMP traffic being blocked. Further, some of the tools involved in qualifying compliance with such policies and/or standards flag *any* ICMP traffic being passed or responded to as a non-negotiable item for remediation to get the sacred tick.

ICMP is not and never has been an optional part of the TCP/IP protocol suite.  Any
auditor who tells you that exchanging ICMP is a non-compliance clearly has literally
no idea what they're doing, and should be listened to for entertainment purposes only.

> For some of the private networks I've seen used between parties (still IP but over non-public carriage) explicit allow is the rule, and traffic is dropped unless it is explicitly justified by a particular application. 

Unless you're an HFT org running an entirely custom application exchanging raw IP
datagrams (UDP and TCP headers just add latency, y'know) then you'll absolutely
require ICMP to avoid malfunctions.

There's your justification.

There are hundreds of thousands of companies out there who have successfully passed 
PCI/DSS whilst allowing ICMP.  If you aren't one of them, perhaps it'd be a good idea
to inquire into why you're a uniquely disabled special case.

See also: http://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04

   - mark
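The malfunction alluded to above is the Path MTU Discovery black hole: a router drops a DF-set packet that exceeds the next hop's MTU and reports the smaller MTU in an ICMP "fragmentation needed" message (type 3, code 4), and if a firewall eats that message the sender keeps retransmitting the same too-large segment, so small exchanges succeed while large transfers hang. The following Python simulation is an added illustration, not code from the thread; the hop MTUs are constructed and the ICMP-filtering firewall is hypothetical.

```python
"""Toy Path MTU Discovery simulation: what a sender does with and without the
ICMP type 3 code 4 feedback it depends on. Constructed example."""
from dataclasses import dataclass

IP_HDR = 20   # bytes of IPv4 header
TCP_HDR = 20  # bytes of TCP header (no options)


@dataclass
class Path:
    link_mtus: list       # MTU of each hop, sender's own interface first (constructed)
    icmp_filtered: bool   # hypothetical firewall dropping ICMP type 3/4 toward the sender


def forward(path, packet_len):
    """Forward one DF-set packet hop by hop.

    Returns (delivered, icmp_mtu): delivered is True when every hop fits.
    Otherwise the dropping router's MTU is returned as the value carried in
    ICMP 'fragmentation needed', or None when the return-path firewall filters it."""
    for mtu in path.link_mtus:
        if packet_len > mtu:
            return False, (None if path.icmp_filtered else mtu)
    return True, None


def transfer(path, payload_len, max_attempts=4):
    """Send payload_len bytes with DF set, running classic PMTUD.

    Returns (success, final_pmtu, attempts). Without the ICMP feedback the
    sender retransmits the identical oversized segment until it gives up,
    which is the PMTUD black hole."""
    pmtu = path.link_mtus[0]
    for attempt in range(1, max_attempts + 1):
        segment = min(payload_len, pmtu - IP_HDR - TCP_HDR)
        delivered, icmp_mtu = forward(path, segment + IP_HDR + TCP_HDR)
        if delivered:
            return True, pmtu, attempt
        if icmp_mtu is not None:
            pmtu = icmp_mtu  # ICMP arrived: shrink to the reported MTU and retry
        # no ICMP: retry the same size (a real stack would eventually time out)
    return False, pmtu, max_attempts


if __name__ == "__main__":
    hops = [1500, 1400, 1500]  # constructed: a 1400-byte link mid-path (e.g. a tunnel)
    for filtered in (False, True):
        path = Path(hops, icmp_filtered=filtered)
        print(f"ICMP filtered={filtered}: small={transfer(path, 100)} "
              f"large={transfer(path, 4000)}")
```

With ICMP filtered the 100-byte transfer succeeds on the first attempt while the 4000-byte one never completes, which is the symptom that gets blamed on everything except the ICMP filter.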



