729 Views, 5 Replies. Latest reply: Apr 16, 2013 5:22 AM by oreeh
PhilM, Champion, 528 posts since Jan 7, 2010
Apr 11, 2013 2:55 AM

Is ICMP not audited?

While helping one of my customers yesterday, I ended up trying something with my own MFE 8.3.0 Firewall.

The scenario was very simple:

A host on Zone A was trying to ping a host on Zone B. When that failed, the Zone A host then tried to ping the Firewall's IP address on Zone B, which also failed.

The reason for the failure was, ultimately, very simple - there was no rule in place allowing ICMP from Zone A to Zone B.

When running through some diagnostics with my customer, I immediately turned to the Audit Viewer and suggested that he look at this while trying to run the ping test. He claimed at the time that there was nothing in the audit to suggest the traffic was being denied, which was why I ended up trying the test myself. A tcpdump on Zone A's interface confirmed the ICMP echo requests were arriving from the source host, and the lack of echo responses strongly indicated that the traffic was being blocked.

Sure enough, when I tested this scenario myself, I was surprised to find no evidence in the Audit Viewer of my ping attempts. When I tried to FTP from the source host (knowing it too would fail due to the lack of an access rule) I was able to see netprobe audit entries confirming this fact. But with the ping tests - nothing.

As soon as I put a rule in place to allow ICMP, the ping tests naturally worked. But the lack of any visible audit came as a surprise and I wondered if this was by design?

-Phil.
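The tcpdump check Phil describes (echo requests arriving on the Zone A interface, no echo replies coming back) can be automated when the firewall produces no audit entry for the denial. The following script is an added example, not code from the thread or from the McAfee product: it parses `tcpdump -n` style ICMP lines, pairs each echo request with its reply by ICMP id and sequence number, and reports the request/destination pairs that never got an answer. The capture lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n icmp` output on the Zone A interface (not a real capture):
# the Zone B host (10.2.2.20) and the firewall's Zone B address (10.2.2.1) never answer,
# while a host inside Zone A (10.1.1.1) replies normally.
SAMPLE_CAPTURE = """\
10:15:01.100 IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 4321, seq 1, length 64
10:15:02.100 IP 10.1.1.10 > 10.2.2.20: ICMP echo request, id 4321, seq 2, length 64
10:15:03.100 IP 10.1.1.10 > 10.2.2.1: ICMP echo request, id 4322, seq 1, length 64
10:15:04.100 IP 10.1.1.10 > 10.1.1.1: ICMP echo request, id 4323, seq 1, length 64
10:15:04.101 IP 10.1.1.1 > 10.1.1.10: ICMP echo reply, id 4323, seq 1, length 64
"""

# Matches the ICMP echo lines tcpdump prints with -n (no name resolution).
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def unanswered_echo_requests(capture: str) -> dict:
    """Return {(src, dst): [seq, ...]} for echo requests that never saw a matching reply.

    A reply matches a request when it flows dst -> src with the same ICMP id and seq.
    Unanswered pairs toward a zone with no ICMP rule are the silent denials Phil saw.
    """
    requests = []
    replies = set()
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue  # ignore non-ICMP-echo lines (TCP, ARP, etc.)
        key = (m["src"], m["dst"], int(m["id"]), int(m["seq"]))
        if m["kind"] == "request":
            requests.append(key)
        else:
            # Store the reply keyed as the request it answers (addresses swapped).
            replies.add((m["dst"], m["src"], int(m["id"]), int(m["seq"])))
    missing = defaultdict(list)
    for src, dst, icmp_id, seq in requests:
        if (src, dst, icmp_id, seq) not in replies:
            missing[(src, dst)].append(seq)
    return dict(missing)


if __name__ == "__main__":
    for (src, dst), seqs in unanswered_echo_requests(SAMPLE_CAPTURE).items():
        print(f"{src} -> {dst}: {len(seqs)} echo request(s) unanswered, seq {seqs}")
```

Run it against a saved capture (`tcpdump -n -l icmp > zoneA.txt`) to get the list of silently dropped ping flows that the Audit Viewer does not show.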

  • sliedl, McAfee SME, 535 posts since Nov 3, 2009
    1. Apr 11, 2013 2:49 PM (in response to PhilM)
    Re: Is ICMP not audited?

    With tongue-firmly-in-cheek I would say "Of course it's by design if that's how it works!"

    I have been wondering this myself as I tried this out last year sometime. I imagine we do not audit this simply to not clutter up the audit stream. I can't figure out myself how or even if you can make the firewall audit this. I have put the question to Engineering for an answer.

  • sliedl, McAfee SME, 535 posts since Nov 3, 2009
    3. Apr 12, 2013 1:44 PM (in response to PhilM)
    Re: Is ICMP not audited?

    There is a sysctl value to turn this auditing on but the sysctl does not work any longer. I have filed a request to get that fixed.

  • packetmonkey, Newcomer, 22 posts since Mar 1, 2013
    4. Apr 16, 2013 5:19 AM (in response to sliedl)
    Re: Is ICMP not audited?

    That makes sense. I don't know why you would want to audit ICMP. It's a candidate for a DoS if everything is logged, and it's better to focus on what rules could cause a compromise (auditing of TCP/UDP where data can be transferred).

    It would be interesting to hear the engineering response though, to see if they have the same conclusion from a security standpoint.

  • oreeh, Apprentice, 76 posts since Nov 24, 2009
    5. Apr 16, 2013 5:22 AM (in response to packetmonkey)
    Re: Is ICMP not audited?

    Any protocol is in theory a candidate for DoS.

    It really doesn't make a difference from an audit point of view if you send ICMP messages, do a port scan or SYN flooding.
