Solved

icmp allowed by cert or ??? only?

Posted on 2014-07-14
Last Modified: 2014-07-15
I have several hundred logging devices out in the field which need to send an icmp request now and then to their home server.

I know I could limit icmp using IPs but I don't know the logger IPs since they would be getting it from a dhcp server.

How could I block icmp to only those devices and nothing else?
Question by:projects
8 Comments
 
LVL 62

Expert Comment

by:gheist
ID: 40195689
DHCP server keeps a list of issued addresses, or has an IP range it issues. Import either into iptables and you are fine.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40195738
Is there something you could put in the payload to distinguish the ICMP traffic you want to allow from the general background noise?

For that matter - if it's just a ping, do you really care that much? I know ZoneAlarm made a big fuss about "stealth" and blocking pings, but on the whole, it's not usually a big deal if your IP is pingable.
 

Author Comment

by:projects
ID: 40196008
Gheist: Not sure what you mean. Can you explain, please?

Dave, I could put something in the payload and in fact, the first connection from the device is always using curl https. Perhaps this is the key?

You are right that icmp should not be a big issue, but my thinking is that there will be many connections as it is and my server won't know what is legit and what is not, so when I am trying to block bad traffic, I won't be able to as easily. If, for example, someone was trying to use icmp to cause problems, I could not respond by disabling icmp.
 
LVL 62

Expert Comment

by:gheist
ID: 40196240
Maximum extent of "these devices" is all addresses handed out by your DHCP server.
Use that address range for blocking/passing.
 
LVL 33

Accepted Solution

by: Dave Howe (earned 2000 total points)
ID: 40196331
@projects:
You could certainly use the fact that the first connection is curl - this is commonly called "port knocking" or a "knock sequence" - using a connection on one port to trigger a rule to allow other traffic (Cisco ASAs can even do that out of the box these days).

But that just makes me even more curious as to why the nodes even need to do ICMP if they are already able to confirm your server is there with the tcp/443 handshake. Further, ICMP usually has a payload that is not processed by the recipient (this is commonly used and abused for Wake on LAN, to give one example), although some ICMP traffic does use it (type 5 "redirect" packets usually quote the packet they are relevant to, to give another example).

@gheist:
"out in the field" and the fact the OP is concerned about inbound ICMP from the internet implies these are on other (customer) LANs, so odds are good many have the same local address (probably RFC1918) and are NATted to a public IP for that customer. It's possible I am wrong, but it seems the most probable setup.
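Dave's idea of letting the loggers' existing HTTPS connection "knock" and then permitting ICMP only from those sources can be expressed on a Linux home server with the iptables `recent` match. This is an added example, not code from the thread; the list name `knock443`, the 10-minute window and the rule placement in `INPUT` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a source that opens a TCP connection
# to 443 is remembered, and only remembered sources may send echo-request.
# Assumptions: Linux, iptables with the recent(8) match; list name and
# window are arbitrary choices.
KNOCK_LIST="knock443"   # recent-match list holding the knocking sources
WINDOW=600              # seconds a source stays allowed after its last HTTPS hit

icmp_knock_rules() {
    # First argument is the iptables binary; pass "echo" for a dry run.
    ipt="${1:-iptables}"

    # 1. A new TCP connection to 443 records (or refreshes) the source
    #    address in the knock list. Normal HTTPS service is unaffected.
    "$ipt" -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW \
        -m recent --name "$KNOCK_LIST" --set -j ACCEPT

    # 2. Echo-request is accepted only if the source was recorded within
    #    WINDOW seconds. --rcheck does not refresh the timestamp, so the
    #    allowance lapses unless the device connects to 443 again.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request \
        -m recent --name "$KNOCK_LIST" --rcheck --seconds "$WINDOW" -j ACCEPT

    # 3. Anyone else pinging the server is dropped. Other ICMP types
    #    (unreachable, time-exceeded) are left to the rest of the policy.
    "$ipt" -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# The kernel exposes the list for inspection (needs root on the real box).
show_knockers() {
    cat "/proc/net/xt_recent/$KNOCK_LIST" 2>/dev/null
}

# Dry run: print the rules instead of loading them.
icmp_knock_rules echo
```

Because the list stores the public source address, every host behind the same customer NAT as a logger inherits its allowance, which is exactly the ambiguity Dave points out above. Keep these rules ahead of any blanket ICMP drop and persist them with your distribution's iptables-save mechanism.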
 

Author Comment

by:projects
ID: 40197197
gheist: All devices are on the internet, not DHCP addresses.

Correct Dave, no dhcp.
I cannot get into complete specifics and your answer is interesting but the curl and icmp connections are separate. However, this gives me an idea for a solution based on what you've said so I will award.

Thank you very much.
 
LVL 62

Expert Comment

by:gheist
ID: 40197224
> but I don't know the logger IPs since they would be getting it from a dhcp server.

Come on.
 

Author Comment

by:projects
ID: 40197266
Why would you be upset? Dave made the correct assumption that's all.

>I know I could limit icmp using IPs but I don't know the logger IPs since
>they would be getting it from a dhcp server.

If I knew which dhcp servers they were getting their IPs from and was controlling them, I would not need to find a way of preventing hackers since that implies all would be in some closed network.

Each client will be getting its IP from some local dhcp server on networks all over the place, which I have no control over.

Hope this clears it up.