
Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

1 edit

Data center indemnification for allowing ping through firewa

A customer of mine is about to host financially-related line-of-biz servers at a commercial data center, and though the data center tech staff are happy to set up firewall rules for this or that port, they initially refused to allow ICMP echo requests at all (claiming their auditors didn't allow it), but later came back and said they would if the customer signed an indemnification about it.

They claim that allowing echo requests could allow a hacker to enumerate a network, and their "best practices" don't typically allow this. I had to look at my watch to remind myself that this is 2013.

I find this beyond ridiculous; has anybody ever seen such a thing?

Edit - clarify that it's the data center imposing this requirement.



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:9
Reviews:
·SONIC.NET

What is the customer relationship with the data center ?
I'm mostly familiar with colocation services (rented rackspace, dedicated cabinets or cages). Even when Internet connectivity was provided by the data center itself (some permit or even require colo customers to make their own connectivity arrangements with one of the onsite providers), I never encountered anything like this (blocked ICMP Echo requests/responses are something I would have noticed).

However I could see different rules applying to leased servers and managed services (or nowadays cloud services) where more of the responsibility resides with the data center operator.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


AsherN
Premium
join:2010-08-23
Thornhill, ON
reply to Steve

It is proper security practice to open as few ports as possible, ICMP included. Unless you have a business reason to need ICMP, why would you leave it on?


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online
reply to Steve

Well Steve, I know your feelings on this and I know you have little tolerance for those of us who feel that blocking Ping is not a negative. So ducking for cover

Google seems to agree with you and allows you to ping their servers, but both Microsoft/Akamai and Sans.org block incoming ping. It may be they just have not configured their firewalls to allow it, or in the case of Sans maybe it is their host. Still, obviously not everybody agrees that allowing ICMP is the best security practice.

Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ping www.goggle.com

Pinging www.goggle.com [75.101.216.99] with 32 bytes of data:
Reply from 75.101.216.99: bytes=32 time=60ms TTL=41
Reply from 75.101.216.99: bytes=32 time=53ms TTL=41
Reply from 75.101.216.99: bytes=32 time=52ms TTL=41
Reply from 75.101.216.99: bytes=32 time=51ms TTL=41

Ping statistics for 75.101.216.99:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 51ms, Maximum = 60ms, Average = 54ms

C:\Windows\system32>ping www.sans.org

Pinging www.sans.org [66.35.59.202] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 66.35.59.202:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>ping www.microsoft.com

Pinging lb1.www.ms.akadns.net [65.55.57.27] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 65.55.57.27:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Windows\system32>
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5
reply to AsherN

said by AsherN:

It is proper security practice to open as few ports as possible, ICMP included. Unless you have a business reason to need ICMP, why would you leave it on?

1) I have a business reason for having it open; the line-of-biz software has a public service that the customer's customers use, and being able to ping the endpoint is a common part of troubleshooting. I don't care about ICMP to any of the other servers, just the one.

2) The data center didn't question any other firewall rules, but they require a legal indemnification for ping?


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

IMO a commercial (publicly visible) site should be pingable for troubleshooting purposes.

As for individuals--personal preference. I'm not. IMO there's no good reason for anyone to be pinging me.
--
Don't feed trolls--it only makes them grow!


HELLFIRE
Premium
join:2009-11-25
kudos:12
reply to Steve

said by Steve:

[The Data Center] claim(s) that allowing echo requests could allow a hacker to enumerate a network, and their "best practices" don't typically allow this.

I find this beyond ridiculous; has anybody ever seen such a thing?

It's the Data Center's infrastructure, so their sandbox, their rules.

I do a lot of support for inter-company traffic between financial institutions, and a Standard Ticket often comes in claiming slow connectivity. Can fully ping / traceroute through our core network, but once I hit our DMZ or get into the first hop out of our network, both are denied.

It takes all kinds.

said by Steve:

but later came back and said they would if the customer signed an indemnification about it.

Give em credit AT LEAST they're willing to work with your customer.

Regards


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

1 edit

said by HELLFIRE:

Give em credit AT LEAST they're willing to work with your customer.

Yes, someone needs to sign off on it, and if they're not willing then who?


chrisretusn
Retired
Premium
join:2007-08-13
Philippines
kudos:1
Reviews:
·PLDT
·Comcast
reply to Steve

said by Steve:

They claim that allowing echo requests could allow a hacker to enumerate a network, and their "best practices" don't typically allow this.

Well that's a first for me. I agree, beyond ridiculous.
--
Chris
Living in Paradise!!


sivran
Opera ex-pat
Premium
join:2003-09-15
Irving, TX
kudos:1
reply to Steve

I'd like to see a case study on a hack that could've been prevented if ICMP had been blocked.


nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Steve

If there is no issue then just sign off on it.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

1 edit

1 recommendation

reply to Steve

I'm sorry, I have not been able to convey the full bozo-ness of these guys.

Most here know that I have an opinion about the pro and con of blocking ICMP at the border, and though many don't understand it well enough to make an informed choice ("enamour with stealth is inversely related to knowledge of TCP/IP" - me), it's a fair discussion for security professionals.

But these folks have put allowing ICMP through the firewall in its own separate category that requires legal indemnification to permit. It's surreal.

They had no problem with any of the other requested firewall rules: https, secure shell, application-specific protocol ports. Not even a discussion about what they're for, what are the security implications, etc.

But ICMP is different because "the bad guys can use it to enumerate a network". I had to blink a few times at that; the bad guy industry hasn't needed ICMP to enumerate a network in a really long time.

For production access I'll be getting in via Secure Shell (keys, no passwords) to a Linux system, but in order to build that machine, I need to get on a neighboring Windows box that the data center has built, and use Dell's DRAC (a hardware remote access interface) to boot the box and configure Linux.

I had originally proposed using LogMeIn Rescue - like WebEx or GotoMeeting, secure remote access - to temporarily get me on the Windows box, but on their own they decided to open Remote Desktop instead.

So here they are, terrified of ICMP, but they're willing to open RDP without our asking?

Misunderstanding security makes you less safe, and in this case, it makes my customer less safe.

Edit - To be fair: turns out I had put RDP on our list of requested rules, though restricted to my own home IP. This wasn't to be used for initial setup, but for emergency access in case the SSH server were down. I'm not excited about RDP, but if it's IP limited it can be tolerated.

And I've just seen the actual indemnification, it's explicit about echo request. Wow.
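To make the rules Steve describes concrete, here is an added example (not code from the thread or from the data center): a small ingress-policy model that permits echo requests only to the one public line-of-business endpoint and RDP only from a single admin IP, plus a detector that flags a source whose echo requests touch many distinct hosts in a short window, which is the "enumeration" concern the data center raised. The addresses, port list and log format are constructed for the example.

```python
"""Ingress policy model and ping-sweep detector (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

LOB_ENDPOINT = "203.0.113.10"     # assumed: the single public service endpoint
ADMIN_IP = "198.51.100.7"         # assumed: the consultant's home IP for emergency RDP
ALLOWED_TCP = {22, 443, 8443}     # ssh, https, one application-specific port (assumed)


def permits(proto, src, dst, dport=None, icmp_type=None):
    """Ingress decision: echo-request (type 8) only to the public endpoint,
    RDP (3389) only from the admin IP, other listed TCP ports open, all else denied."""
    if proto == "icmp":
        return icmp_type == 8 and dst == LOB_ENDPOINT
    if proto == "tcp":
        if dport == 3389:
            return src == ADMIN_IP
        return dport in ALLOWED_TCP
    return False


# Constructed firewall log lines: "<ISO time> <action> icmp <src> -> <dst> type=<n>"
LOG = """\
2013-05-01T10:00:00 DROP icmp 192.0.2.5 -> 203.0.113.11 type=8
2013-05-01T10:00:01 DROP icmp 192.0.2.5 -> 203.0.113.12 type=8
2013-05-01T10:00:02 DROP icmp 192.0.2.5 -> 203.0.113.13 type=8
2013-05-01T10:00:05 ACCEPT icmp 198.51.100.200 -> 203.0.113.10 type=8
2013-05-01T10:00:09 DROP icmp 192.0.2.9 -> 203.0.113.11 type=8
2013-05-01T10:05:00 DROP icmp 192.0.2.9 -> 203.0.113.12 type=8"""


def ping_sweep_sources(lines, window=timedelta(seconds=60), threshold=3):
    """Return sources whose echo requests reached >= threshold distinct
    destinations within any single time window (a crude sweep signature)."""
    events = defaultdict(list)                       # src -> [(time, dst)]
    for line in lines:
        parts = line.split()
        if len(parts) < 7 or parts[2] != "icmp" or parts[-1] != "type=8":
            continue
        events[parts[3]].append((datetime.fromisoformat(parts[0]), parts[5]))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            dsts = {d for t, d in evs[i:] if t - t0 <= window}
            if len(dsts) >= threshold:
                flagged.add(src)
                break
    return flagged
```

The detector only sees what the firewall already logs, so a site that allows ping to its one public endpoint still gets the same visibility into sweep attempts as one that drops all echo requests.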


nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Steve

Their reasoning is questionable. Still their datacenter. The other choice is to find another datacenter and let them know why you're leaving; vote with your money.


nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Steve

IPv6 could be fun if every device on an internal network is given a routable and pingable IP address.



Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by nonymous:

IPv6 could be fun if every device on an internal network is given a routable and pingable IP address.

What makes you think that IPv6 won't have firewalls?

nonymous
Premium
join:2003-09-08
Glendale, AZ
reply to Steve

Sorry, bad sarcasm. Just saying, if you really like ping, IPv6 could really allow it if not set up correctly. This datacenter would really freak out then.



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to Steve

said by Steve:

But ICMP is different because "the bad guys can use it to enumerate a network".

OK, they're talking about the other ICMP.
ICann Mapping Protocol.
I can do, you can do, anyone dat believes in demselves can do.
You just need da confidence.
You can do Steve!!

SpHeRe31459

join:2002-10-09
Sacramento, CA
kudos:1
reply to Steve

said by Steve:

I had originally proposed using LogMeIn Rescue - like WebEx or GotoMeeting, secure remote access - to temporarily get me on the Windows box, but on their own they decided to open Remote Desktop instead.

So here they are, terrified of ICMP, but they're willing to open RDP without our asking?

ROFL, wow so RDP is no problem to them... yikes... I agree with the others, it might be time to vote with your wallet and, if possible, find another hosting provider.


Steve
I know your IP address
Consultant
join:2001-03-10
Yorba Linda, CA
kudos:5

said by SpHeRe31459:

ROFL, wow so RDP is no problem to them... yikes... I agree with the others, it might be time to vote with your wallet and, if possible, find another hosting provider.

I edited my post while you were replying; I had requested RDP limited to my narrow IP range, something I reluctantly do to provide emergency access. I wasn't willing to leave my mistake floating around once I realized it.

Anyway: if a data center wants to have a general indemnity for honoring a customer's requested firewall rules, that seems fine to me, but to single out ICMP is bizarre.

Turns out they have all kinds of other default security policies (highly restrictive egress, for one), most of which appear to be supportable even if I don't agree, but I don't like that none of this was disclosed in advance.

The contract was signed a long time ago, and there's no chance the customer would care enough about any of this to give even a passing thought to going elsewhere.

SpHeRe31459

join:2002-10-09
Sacramento, CA
kudos:1

1 recommendation

Even with your edit, I stand by my ROFL
They have no problem with a customer request for RDP, but can't do ICMP. Maybe the various security bulletins on RDP vulns and papers on what ICMP can and cannot be used to do need to be forwarded to their admins?

About the contract, if none of the restrictions were told to you up front, you may have some grounds to cancel it with no penalty or some similar action, since they did not disclose them to you at the time of the contract signing. I realize it's probably a dead in the water issue, since as you say no customer would care about the nuances of this.