For the past week I have been getting re-involved in the Security Catalyst Community. While wading through some of the posts I had yet to read, I came across one titled ICMP Tunneling by Donald Tabone. I decided to do some quick research and post a response. After reading it, Andy Willingham suggested I post it here. So here it goes.
Donald’s question:
Hi All,
There has been an impending problem with MS ISA Server that I have trouble defending against: ICMP tunneling, which doesn't seem to be stopped (firewalled). To my understanding it can be used for remote access and denial of service attack tools which use ICMP to establish covert communication channels.
Question is: What is the best approach to protect against something like what is described in the article quoted below using ISA Firewall?
http://nulldigital.net/articles/stealinginternet.pdf
Thanks,
D.
My response:
Your best bet is to determine your ICMP requirements, determine how you can limit ICMP within your organization, create policies that specifically state what ICMP is permitted and not permitted, and then implement protection and detection in your countermeasures (routers, layer 3 switches, firewalls, and IDS/IPS).
Rational Security http://rationalsecurity.typepad.com/blog/2006/08/icmp_internet_c.html said people who do not limit ICMP “officially belong to the LBNaSOAC (Lazy Bastard Network and Security Operators and Administrators Consortium.)”. They then pointed to an article that briefly explains ICMP Attacks http://javvin.com/networksecurity/ICMPAttacks.html.
Your ISA should not be your first line of defense to the Internet. You should have countermeasures in place between the "wild" and this application firewall. Use those countermeasures to provide the protections the ISA firewall cannot and increase your defense in depth.
Go forth and do good things,
Cutaway
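As an added example of the "protection and detection" step in the response above (this is not code from the original post, from Donald's ISA setup, or from ISA itself), here is a small Python checker that applies an ICMP policy to raw ICMP messages. It verifies the RFC 792 checksum, compares the type/code against an allow-list, and flags echo payloads whose size or entropy does not look like an ordinary ping, which is the kind of traffic an ICMP tunnel produces. The allow-list, the size and entropy thresholds, and the three sample packets are constructed assumptions for this example and should be tuned to your own ICMP requirements.

```python
import hashlib
import math
import struct

# Assumed allow-list of ICMP type/code pairs that a typical policy permits.
# This is an example policy, not an ISA default; tune it to your requirements.
ALLOWED_TYPES = {
    0: {0},           # echo reply
    3: {0, 1, 3, 4},  # destination unreachable: net, host, port, frag needed
    8: {0},           # echo request
    11: {0},          # time exceeded (what traceroute relies on)
}

# Ordinary ping tools send small, patterned payloads (32 bytes on Windows,
# 56 bytes on most Unix systems). The thresholds below are assumptions.
MAX_ECHO_PAYLOAD = 64      # larger echo payloads are worth a look
ENTROPY_MIN_LEN = 128      # only estimate entropy on payloads this long
ENTROPY_THRESHOLD = 6.5    # bits per byte; patterned data sits well below


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: one's complement of the one's complement 16-bit sum.
    Run over a complete message (checksum field included) it returns 0 when
    the checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum. Used here only to
    construct sample input; it is not part of the detector."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_icmp(packet: bytes) -> list:
    """Check one ICMP message (the bytes after the IP header) against the
    policy. Returns a list of findings; an empty list means it looks normal."""
    findings = []
    if len(packet) < 8:
        return ["truncated ICMP header (%d bytes)" % len(packet)]
    icmp_type, code, _csum, _ident, _seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]

    if icmp_checksum(packet) != 0:
        findings.append("bad checksum (malformed or crafted packet)")
    if icmp_type not in ALLOWED_TYPES or code not in ALLOWED_TYPES[icmp_type]:
        findings.append("type %d code %d not permitted by policy" % (icmp_type, code))
    if icmp_type in (0, 8):
        if len(payload) > MAX_ECHO_PAYLOAD:
            findings.append("echo payload of %d bytes exceeds %d"
                            % (len(payload), MAX_ECHO_PAYLOAD))
        if len(payload) >= ENTROPY_MIN_LEN:
            ent = shannon_entropy(payload)
            if ent > ENTROPY_THRESHOLD:
                findings.append("echo payload entropy %.2f looks like encrypted "
                                "or compressed data" % ent)
    return findings


# Constructed sample traffic (not captured data).
# 1. The 32-byte payload the Windows ping utility sends.
PING_WINDOWS = build_icmp(8, 0, 1, 1, b"abcdefghijklmnopqrstuvwabcdefghi")
# 2. A tunnel-style echo request carrying 1 KiB of high-entropy data
#    (deterministic pseudo-random bytes derived from SHA-256).
TUNNEL_DATA = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
PING_TUNNEL = build_icmp(8, 0, 0x1234, 7, TUNNEL_DATA)
# 3. A timestamp request (type 13), which the example policy does not allow.
TIMESTAMP_REQ = build_icmp(13, 0, 1, 1, b"\x00" * 12)

if __name__ == "__main__":
    samples = [("windows ping", PING_WINDOWS), ("tunnel", PING_TUNNEL),
               ("timestamp request", TIMESTAMP_REQ)]
    for name, pkt in samples:
        print(name, "->", inspect_icmp(pkt) or "clean")
```

The size and entropy checks are heuristics, not proof of tunneling: a deliberately large `ping -s` from an administrator trips the size check, and short payloads are never entropy-tested because a handful of bytes cannot show high entropy in the first place. The point of the allow-list is the same as the policy advice above: decide which ICMP types you actually need, and treat everything else as a finding rather than something to argue about later.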
Policy is definitely the way to start. One thing I realized after posting this response is that I should have been clearer about where ICMP belongs in policy. Although some organizations may have a specific ICMP policy, more likely ICMP will be just one piece of the network or firewall policy. And if you do not have any policies yet, you do not want to start the time-consuming process of writing a new policy before mitigating some of the risks of leaving ICMP unrestricted. Rather, come up with a solution (in this case for ICMP) and document how you have decided to handle it. Once you start working on your policies, you can use what you have documented as a starting point.
Go forth and do good things,
Cutaway
AndyITGuy, ICMP, ISA, SCC, Security Ripcord, ICMP Tunneling, ICMP Attacks, Rational Security, Donald Tabone, Malta Info Security 