[clug] Dropped icmp packets - means what?

Paul Bryan pa_bryan at yahoo.co.uk
Sat Aug 23 22:19:19 EST 2003


On Fri, Aug 22, 2003 at 05:31:36PM +1000, Sam Couter wrote:
> Peter Barker <pbarker at barker.dropbear.id.au> wrote:
> > Does the phrase, "Security by obscurity" ring a bell here? It should not
> > matter whether they can detect you're there with a ping; if you fear being
> > detected, resolve the cause of the fear. If you happen to have, say, an
> > open RPC port, blocking pings is not going to help you :-)
> 
> But it increases the cost of any attack, and decreases the chances of an
> attack being launched in the first place.

Exactly. As there is no real mechanism to make a system 100% secure, you make 
it as secure as it needs to be (or more usually, as secure as you can afford!).

Any security process should start with a Threat/Risk Analysis. For the average
home user, they're unlikely to be singled out as a target. Most small 
businesses aren't likely to be either. What's more likely is for an automated
process looking for vulnerable systems to spot you. Blocking pings is 
potentially a very effective measure here.

With regards to the concept of "Security by obscurity", certainly this isn't 
something to be relied on. However, this doesn't mean there's no place for it.
"Defense in depth" is probably an apt term to use here. The idea here is that
no single mechanism is to be relied on, but is to be used as part of an overall
security strategy.

For example, if there is a vulnerability in a system you administer that you're
not able to patch immediately for whatever reason (a pretty common occurrence),
it's nice (to put it mildly!) if an automated scanner overlooks your system. 
Ok, this isn't always going to work (e.g. if the scanner looks at open ports 
rather than ping responses), but it does provide some measure of security,
which can be combined with other measures to increase the overall security of
the system.

> > ICMP is a useful tool. Removing a tool because it can be abused is not a
> > good idea IMHO.
> 
> Nobody other than me needs to know if my machine is working or not.

So in this case, removing an unused service is a *very* good idea. When looking
at the security of systems, the old usability vs. security trade-off often rears
its ugly head. This is when the TRA comes in. Is it worth the security risk to
run the service? If not, don't do it. If you can reduce the risk to a workable 
level, half your luck. Security = Compromise.

Cheers,
Paul.
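The "block pings, but keep ICMP useful" measure discussed in this thread, as an added example that is not code from the original post or from any CLUG poster. It generates an iptables rule set that silently drops unsolicited echo-request on the outside interface while keeping the ICMP types the IP stack depends on (dropping all ICMP is the usual over-correction, and it breaks path MTU discovery). The interface name, the IPv4-only scope, the non-router host and the APPLY=1 switch are all assumptions made for the example:

```shell
#!/bin/sh
# Added example, not code from the original thread or from any CLUG
# poster: an iptables rule set that drops unsolicited inbound echo-request
# (the packets "ping" sends) while keeping the ICMP messages IP itself
# depends on. Dropping *all* ICMP is the usual over-correction: it discards
# "fragmentation needed" (type 3, code 4), which breaks path MTU discovery,
# and hides "host unreachable" and "time exceeded" feedback.
#
# Assumptions (not from the thread): IPv4 only, the iptables CLI, a host
# that is not a router, and an outside interface named by $WAN_IF.
# Rules are only *printed* unless APPLY=1 is set, so the script can be
# reviewed on a machine without root. Do not copy this for IPv6: ICMPv6
# carries neighbour discovery and must not be dropped wholesale.

WAN_IF="${WAN_IF:-eth0}"   # assumed interface name; override in the environment

# The naive version: silences ping, but also every ICMP error message.
gen_rules_naive() {
    echo "iptables -A INPUT -i $WAN_IF -p icmp -j DROP"
}

# The considered version: same effect on scanners' pings, without the
# collateral damage. Order matters; iptables stops at the first match.
gen_rules() {
    cat <<EOF
# Replies and errors belonging to traffic this host initiated
# (echo-reply to our own pings, ICMP errors for our own connections).
iptables -A INPUT -i $WAN_IF -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# ICMP types the stack needs even when no flow is tracked.
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type parameter-problem -j ACCEPT
# Unsolicited ping: drop silently (no REJECT, so nothing tells the
# scanner there is a host here).
iptables -A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -j DROP
# Whatever ICMP remains is not needed by a non-router host.
iptables -A INPUT -i $WAN_IF -p icmp -j DROP
EOF
}

# Strip the comments and feed the commands to the shell. Needs root.
apply_rules() {
    gen_rules | grep -v '^#' | sh -e
}

# Sanity check on the generated text: echo-request must be dropped, the
# blanket ICMP drop must be the last rule (after the accepts), and the
# error types must be accepted. Returns 0 when all three hold.
check_rules() {
    rules=$(gen_rules | grep -v '^#')
    echo "$rules" | grep -q -- '--icmp-type echo-request -j DROP' || return 1
    [ "$(echo "$rules" | tail -n 1)" = "iptables -A INPUT -i $WAN_IF -p icmp -j DROP" ] || return 1
    echo "$rules" | grep -q -- 'destination-unreachable -j ACCEPT' || return 1
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_rules
fi
```

To see what the measure does and does not buy you, probe from another host: `ping` now times out, but `nmap -Pn <host>` (skip host discovery) still lists the open ports, which is exactly the caveat raised in the post about scanners that look at ports rather than ping responses.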



