ICMP blocking, bad idea or security improvement?

Discussion in 'other firewalls' started by mack_guy911, Aug 24, 2007.

Thread Status:
Not open for further replies.
  1. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I agree 100 % with the arguments exposed by Matousec.
     
  3. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi mack_guy911 :)

    They write:

    « Is this a security improvement? No! In fact disabling ICMP can only cause problems. There is no known bug in implementation of ICMP handling on current versions of major operating systems including Microsoft Windows. There is no sensitive information provided by standard ICMP handlers and thus it has no security impact to leave your machine response to ICMP correctly. »

    Totally stupid. :mad:

    The purpose of ICMP is to inform the network administrator of certain events in the network: local network AND Internet ...

    Let's talk about the Internet, since it's not a safe place compared to a home LAN (I'm not discussing corporate LANs here.)

    One of the best protections against malicious attempts against your computer is to keep it stealth. Stealth means that your computer never gives any feedback to unsolicited packets of any kind, and this includes ICMP types/codes.

    With a stealth computer the IP address corresponding to this computer is "mute": is this an IP used by a PC or not? There is no possibility to have an answer ... No feedback answer to unsolicited TCP, UDP, IGMP, ICMP. Period.

    A PC responding to an unsolicited ICMP actually provides to the source of this packet a piece of sensitive information: somebody is there: this IP addr. is related to an active computer.

    No bug in ICMP implementation? Wrong! Here's an example: http://kerneltrap.org/node/5382

    No impact leaving ICMP to respond "correctly"? What is a "correct" answer please? Any answer to unsolicited ICMP packets? Totally absurd!

    Here's the correct way to implement ICMP over the Internet in your firewall:

    Authorise Type 8 code 0 outgoing only (echo)
    Authorise Type 0 code 0 incoming only (echo reply)
    Authorise Type 11 code 0 incoming only (timeout) used by traceroute

    Block all the other ICMP types/codes, incoming and outgoing.

    PERIOD.


    I challenge anybody to prove here that this setup for ICMP causes any problem to a PC connected to the Internet. I'm waiting! :shifty:

    Is it true that Matousec is related in some way to Comodo, now a firewall provider and formerly a spyware provider... Is it true also that Comodo phones home?

    Don't only focus on leak tests: check with a packet sniffer what this FW sends over the Internet. (Maybe not only ICMP packets...)

    I confess I have a very bad feeling about this Comodo / Matousec bunch...

    Maybe I'm wrong but... I'm an "Old Monkey".
    When it's too good to be true.. hmmm hmmm... :eek:

    :cautious:
     
    Last edited by a moderator: Aug 25, 2007
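Added example, not code from the thread or from any of the firewalls discussed here: a small Python model of the three-rule ICMP policy in the post above. It parses a raw IPv4/ICMP packet (validating both the IP header and the ICMP checksum, so corrupt or forged packets never reach the rule check), then applies the rules per direction and drops everything else. The addresses, payloads and packets in the sample run are constructed here for illustration only. Running it also lists what the policy discards, including inbound Type 3 code 4 (fragmentation needed), which path MTU discovery relies on, so a reader can see concretely what the stealth setting gives up.

```python
"""Added example (not from the thread): a tiny packet-filter model of the
three-rule ICMP policy, applied to raw IPv4/ICMP packets built inline."""
import struct
from dataclasses import dataclass

# Direction is relative to the protected host: "out" = host sends,
# "in" = packet arrives from the network. Anything not listed is dropped.
ALLOWED = {
    ("out", 8, 0),   # Type 8 code 0, echo request: outgoing only
    ("in", 0, 0),    # Type 0 code 0, echo reply: incoming only
    ("in", 11, 0),   # Type 11 code 0, time exceeded: incoming only (traceroute)
}

# A few type names so the verdict log is readable; lookup only.
TYPE_NAMES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request",
              11: "time-exceeded", 13: "timestamp-request"}


@dataclass
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    code: int
    checksum_ok: bool


def rfc1071_checksum(data: bytes) -> int:
    """Internet checksum. Run over a message that already carries a correct
    checksum it yields 0, which is how the parser validates incoming data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(raw: bytes) -> IcmpPacket:
    """Parse an IPv4 packet carrying ICMP; malformed input raises ValueError."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    if rfc1071_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if raw[9] != 1:                      # protocol field: 1 = ICMP
        raise ValueError("not ICMP")
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    icmp = raw[ihl:]
    if len(icmp) < 8:
        raise ValueError("short ICMP header")
    return IcmpPacket(src, dst, icmp[0], icmp[1], rfc1071_checksum(icmp) == 0)


def decide(pkt: IcmpPacket, direction: str) -> str:
    """ACCEPT only the allowed (direction, type, code) triples; a packet whose
    ICMP checksum fails is dropped regardless of type."""
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    if not pkt.checksum_ok:
        return "DROP"
    return "ACCEPT" if (direction, pkt.icmp_type, pkt.code) in ALLOWED else "DROP"


def describe(pkt: IcmpPacket, direction: str) -> str:
    """One log line per packet, handy for seeing what the policy discards."""
    name = TYPE_NAMES.get(pkt.icmp_type, "type-%d" % pkt.icmp_type)
    return "%-3s %-16s code %d %s -> %s: %s" % (
        direction, name, pkt.code, pkt.src, pkt.dst, decide(pkt, direction))


def build_packet(src: str, dst: str, icmp_type: int, code: int,
                 payload: bytes = b"") -> bytes:
    """Constructed test packet: 20-byte IPv4 header and 8-byte ICMP header,
    both with valid checksums. Addresses are documentation ranges."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1) + payload
    icmp = body[:2] + struct.pack("!H", rfc1071_checksum(body)) + body[4:]
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr0 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0,
                       64, 1, 0, src_b, dst_b)
    hdr = hdr0[:10] + struct.pack("!H", rfc1071_checksum(hdr0)) + hdr0[12:]
    return hdr + icmp


if __name__ == "__main__":
    host, peer = "192.0.2.10", "198.51.100.5"   # constructed addresses
    samples = [
        ("out", build_packet(host, peer, 8, 0, b"ping")),  # allowed
        ("in", build_packet(peer, host, 0, 0, b"ping")),   # allowed
        ("in", build_packet(peer, host, 11, 0)),           # allowed (traceroute)
        ("in", build_packet(peer, host, 8, 0)),            # inbound probe: dropped
        ("in", build_packet(peer, host, 3, 4)),            # frag-needed (PMTUD): dropped
        ("out", build_packet(host, peer, 13, 0)),          # timestamp request: dropped
    ]
    for direction, raw in samples:
        print(describe(parse_ipv4_icmp(raw), direction))
```

The model is stateless on purpose, matching the rule list as written: an inbound echo reply is accepted whether or not the host sent a request. A stateful firewall would tie Type 0 and Type 11 replies to an outstanding outbound Type 8, which is the usual way to get the same behaviour with a smaller attack surface.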
  4. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    When you erase this, I'll erase my post. Until then, I have to say I'm disappointed.
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    How is this a security problem? Stealth status adds nothing to security, IMO.
    Right :)
     
  6. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Pedro :)

    No Sir.
    I will not erase this post.
    The information about ICMP on the Matousec web site is misleading and drives me totally furious. :mad:

    And about Comodo I still have some doubts.
    This proves nothing pro or con, but I believe this FW must be checked in depth.
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm not referring to Matousec, your post is just fine (it's your opinion) until the Comodo part. Unless you have something to show us, don't say that. Coming from a "Look 'n' Stop Expert", this gives the wrong impression too.

    I think you have much to share, you have always contributed in a positive way, and people learn from you. I think this is not good.
    Am I saying I'm a better man? Hell no, I also make big mistakes; I'm saying that I appreciate all you've done here, and I don't want to read this from you of all people, unless backed up.
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello lucas :)

    I agree, on closed ports, no. But when a port is open (a process/service listening) it may be a good idea to have it stealthed, as it will give a small degree of better protection. But basically you are right, stealthed ports with listening processes aren't really "invisible". ;)

    Hello Climenole.

    You do have your way with posting, don't you? :D
    I had (and still have) the exact same feeling :cool: But I'll say no more, or I too will be promptly blanked by fans of both C & M... as I have been before.

    Cheers :)
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    The fans argument, of course, how could I forget.. My time here is coming to an end.
    Why is the fans argument ridiculous: you're saying the firewall I use on XP phones home, not only that, that they used to make spyware !! , and provide no proof. Nothing to do with fans, but with FUD about my firewall installed right now.
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    Climenole, I have one quick question. If you are such an advocate of "stealth", then why do you suggest allowing some forms of ICMP? Wouldn't that eradicate the argument that if you don't respond there is no pc there? I don't think the non-existence of a computer is quite the point of "stealth" (or shall we use "filtered" or "dropped" since that is a much better and more accurate term).

    By the way, I am not a proponent of stealth, and I prefer to return a port closed message instead of merely dropping the packets. However, each approach has pros and cons, and since I am not really worried about any huge DDoS being mounted against my personal computer, I am not going to worry about saturation of my upload bringing down my internet connection. But for those with this problem, there is an advantage to just dropping the packets, with hope that your CPU and downstream can keep up as well :p .

    Cheers,

    Alphalutra1
     
  11. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    Hi Climenole, Pedro and Seer

    thanks again for your reviews, I also feel something strange about company C AND Mr. M

    and regarding calling home, I bet Outpost also calls home through Agnitum ImproveNet....LOL
     
  12. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    2,068
    Location:
    Serbia
    Hello :)

    Pedro buddy, I know you're not addressing me, as I didn't say that... ;)

    EDIT:

    What on earth do you mean by this? o_O :)
     
    Last edited: Aug 24, 2007
  13. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Pedro :)

    But Pedro: I have that feeling about Comodo (and ZA btw...)
    Nothing else... I say that proves nothing...

    And I'm not the first one asking questions in public about this...

    For the "Title": I don't care about this and I hope you do the same.
    I'm also a MS MVP: I prefer to keep silent on this.

    Be sure I'm not bashing any firewall to push LnS in any way.

    Just check the posts here: when someone on the WS forum asks which FW to choose,
    I always close my big mouth out of respect for the users and because I'm identified with LnS...

    People have the right to choose the FW that fits their needs and wishes. Any.


    I'm not a perfect man and do not overestimate me please.

    (Overestimate? hmmm is it the correct English word? :rolleyes:
    I don't care: this is a new word I created today :mad: )

    I'm barking, not biting. *puppy*

    Keep smile.

    :)
     
  14. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,887
    Location:
    Stockholm Sweden
    I have read your posts about networking and I respect your knowledge and try to follow your advice when you talk about Look´n´stop (the firewall that I use), but "having doubts" and "bad feelings" about Comodo doesn't say anything. Others have also said that Comodo must be doing something bad because they offer a decent firewall for free, but no one has yet put their money where their mouth is.

    Wouldn't it be a breeze for you, with all your knowledge about networking, to find the evil stuff that Comodo "must" do? "Feelings" and "doubts" don't prove anything; everyone has them. I have my "feelings" and "doubts" about Norton and the FBI, but no one will believe me because all I have is some internet pages. I would just look like a silly conspiracy theorist if I kept on nagging about Norton's connections without any proof.
    Please do some sniffing on Comodo traffic and report back what you find. When you find it, Comodo will be out of business and you will be famous. No doubt many will start looking at Look´n´stop instead.
     
  15. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I don't think that either. But I could have a feeling it's exactly that. See where I'm getting at?
    I can link you to a recent post. I don't presume you do it on purpose, but there it is.
    This is who I think you are ;) . A good person. I can make all my posts go away, as I said. I don't enjoy this either.
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have done this many, many times, and also ran comodo for a number of weeks simply to attempt to find any unauthorized connections. I have found nothing.

    @Climenole,
    You are posting FUD concerning Comodo and this "relationship" between comodo and Matousec, either put up (proof of this) or shut up.
     
  17. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Missed this post,
    Seer, sorry, the post you quoted certainly makes that impression.
    Probably just another rash statement. It's hard not to reply, and I get irritated over a forum post. Go figure.
     
  18. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Stem

    I don't trust a company making this:
    http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453074930

    and a firewall...

    And I don't shut my big mouth.
     
  19. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Pedro :)

    This:
    http://www.ca.com/us/securityadvisor/pest/pest.aspx?id=453074930

    How can the same people make a spyware "toolbar" and at the same time make a firewall to protect users ... o_O

    How is it possible to trust these guys?

    I still have a bad feeling. That hurts believers? Fine: Goodbye!

    Period.

    :(
     
    Last edited: Aug 24, 2007
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I remember this,.... and looking into this,.... and the reasons it was added..., and then these "spyware" programs then removed this from their lists.

    I have noticed
     
  21. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Climenole, researching provides me another answer.
    First time I searched this, it took me 1 minute. I wasn't aware of the issue, and the fact that it's buried already..
     
  22. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,726
    Location:
    Canada
    There are advantages and disadvantages to blocking different ICMP packets; to what extent depends on some things: workstation or server? Networking? Software used?

    Matousec boldly mentions "Attacking software is usually implemented to attack services on their TCP and UDP ports directly without checking whether the host is alive using pings."; this is an accurate statement, but for instance in LAN attacks, regardless of the machine count, PINGs followed by attacks are fairly common from my observations.

    ICMP can be taken advantage of; one example is ICMP tunneling http://www.phrack.org/issues.html?issue=49&id=6&mode=txt ...

    And what about the old +++ATH0 exploit? http://www.securityspace.com/smysecure/catid.html?id=10020

    And more ways of being misused, ICMP: Smurf DoS https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/ICMP:EXPLOIT:LAN-SMURF.html

    And Climenole has already posted URLs for others...


    Regarding invisibility, I'd rather have invisibility than visibility. I've seen many cases where visibility led to more curiosity; invisibility however indicates a protected / firewalled user, meaning to most, usually a complete waste of time and resources unless the user is specifically targeted, in which case more dedication and time can very well be spent regardless.


    As for Comodo PF and its reputation, I followed back in 2006 the topic 'Is Trusttoolbar Spyware?' on the COMODO forum (follow the link in Pedro's post #21), and I have to say, I'm one of many who believe what's being said by Melih. Melih has too much to lose, and everyone knows it, and this is why COMODO is being examined on a daily basis by skilled folks in hopes of bringing COMODO down. If COMODO had ANY unusual activity, we here would be among the first to know, and surely by now!!
     
  23. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Pedro :)

    I read this too...

    trust toolbar is not spyware? And who answers this question:

    Melih
    Comodo's Hero
    Administrator
    Comodo's Hero

    :shifty:


    CastleCops:
    http://www.castlecops.com/atxlist-786.html

    They are wrong too?

    Have a Nice week end.

    :)
     
  24. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,637
    Hi Phant0m :)

    First, thank you for your post. (I feel a bit less alone...)

    I hope this is true and there's nothing wrong with this FW.

    (Still have the same "feeling" for that one and ZA. Maybe I'm now a paranoiac and a security nut. This happens sometimes ... ;-)

    Have a nice week end.

    :)
     
  25. ggf31416

    ggf31416 Registered Member

    Joined:
    Aug 20, 2006
    Posts:
    314
    Location:
    Uruguay