5 Replies. Latest reply: Apr 16, 2013 5:22 AM by oreeh

    Is ICMP not audited?


      While helping one of my customers yesterday, I ended up trying something with my own MFE 8.3.0 Firewall.


      The scenario was very simple:-


      A host on Zone A was trying to ping a host on Zone B. When that failed, the Zone A host then tried to ping the Firewall's IP address on Zone B which also failed.


      The reason for the failure was, ultimately, very simple - there was no rule in place allowing ICMP from Zone A to Zone B.


      When running through some diagnostics with my customer, I immediately turned to the Audit Viewer and suggested that he look at this while trying to run the ping test. He claimed at the time that there was nothing in the audit to suggest the traffic was being denied, which was why I ended up trying the test myself. A tcpdump on Zone A's interface confirmed the ICMP echo requests were arriving from the source host, and the lack of echo responses strongly indicated that the traffic was being blocked.


      Sure enough, when I tested this scenario myself, I was surprised to find no evidence in the Audit Viewer of my ping attempts. When I tried to FTP from the source host (knowing it too would fail due to the lack of an access rule) I was able to see netprobe audit entries confirming this fact. But with the ping tests - nothing.


      As soon as I put a rule in place to allow ICMP, the ping tests naturally worked. But the lack of any visible audit came as a surprise and I wondered if this was by design?
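The tcpdump check described in the post above, as an added example that is not part of the original thread: a Python sketch that pairs ICMP echo requests with echo replies in tcpdump's default text output and lists the requests that were never answered, which is the only evidence of the drop when the audit stream is silent. The capture lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's default text format (addresses are made up).
SAMPLE = """\
10:15:01.000100 IP 10.1.1.5 > 10.2.2.9: ICMP echo request, id 4021, seq 1, length 64
10:15:02.000200 IP 10.1.1.5 > 10.2.2.9: ICMP echo request, id 4021, seq 2, length 64
10:15:03.000300 IP 10.1.1.5 > 10.1.1.1: ICMP echo request, id 4022, seq 1, length 64
10:15:03.000900 IP 10.1.1.1 > 10.1.1.5: ICMP echo reply, id 4022, seq 1, length 64
10:15:04.000400 IP 10.1.1.5.51514 > 10.2.2.9.21: Flags [S], seq 100, win 65535, length 0
"""

# Matches only IPv4 ICMP echo lines; everything else (TCP, UDP, ARP) is skipped.
ECHO = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def unanswered_echoes(capture_text):
    """Return (timestamp, src, dst, id, seq) for each echo request with no reply."""
    pending = {}  # (src, dst, id, seq) -> timestamp of the request
    for line in capture_text.splitlines():
        m = ECHO.match(line)
        if not m:
            continue
        ident, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(m["src"], m["dst"], ident, seq)] = m["ts"]
        else:
            # A reply travels dst -> src, so swap the addresses to find its request.
            pending.pop((m["dst"], m["src"], ident, seq), None)
    return [(ts, *key) for key, ts in pending.items()]

def silent_flows(capture_text):
    """Count unanswered echo requests per (src, dst) pair."""
    return Counter((src, dst) for _, src, dst, _, _ in unanswered_echoes(capture_text))

if __name__ == "__main__":
    for (src, dst), n in silent_flows(SAMPLE).items():
        print(f"{src} -> {dst}: {n} echo request(s) with no reply in this capture")
```

Requests still outstanding when the capture ends are also reported, so stop the capture a few seconds after the last ping.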



        • 1. Re: Is ICMP not audited?

          With tongue-firmly-in-cheek I would say "Of course it's by design if that's how it works!"


          I have been wondering this myself as I tried this out last year sometime.  I imagine we do not audit this simply to not clutter up the audit stream.  I can't figure out myself how or even if you can make the firewall audit this.  I have put the question to Engineering for an answer.

          • 2. Re: Is ICMP not audited?

            I'd be interested to know what they come up with.


            Having spent more years than I can remember preaching to customers "This solution audits everything. If there's nothing in the audit, then it didn't happen", this little situation has caught me out.


            When I asked the customer to check his own audit and he told me there was no sign of an acl_deny or a netprobe entry from the source IP address, I questioned whether the source host had its default gateway pointing to the correct address. When a tcpdump on the Firewall's interface showed the echo responses arriving, I felt a little foolish - more so when I came up with the same results on my own installation.



            • 3. Re: Is ICMP not audited?

              There is a sysctl value to turn this auditing on but the sysctl does not work any longer.  I have filed a request to get that fixed.

              • 4. Re: Is ICMP not audited?

                That makes sense; I don't know why you would want to audit ICMP. It's a candidate for a DoS if everything is logged, and it's better to focus on what rules could cause a compromise (auditing of TCP/UDP where data can be transferred).


                It would be interesting to hear the engineering response though to see if they have the same conclusion from a security standpoint.

                • 5. Re: Is ICMP not audited?

                  Any protocol is in theory a candidate for DoS.

                  It really doesn't make a difference from an audit point of view if you send ICMP messages, do a port scan or a SYN flood.