System administrators can perform diagnostics and troubleshooting using the Internet Control Message Protocol (ICMP), which enables Internet hosts to communicate with one another about errors. Some network administrators block all ICMP traffic as a network hardening measure, both because of historical denial-of-service bugs in flawed ICMP implementations and because ICMP can also be used by a potential adversary to perform reconnaissance against a target network. In this blog post, I examine the rationale behind administrators’ motivations for blocking ICMP, the inadequacies of this security measure against even the most sophisticated targeted attacks, and the unintended consequences of blocking ICMP, such as disruption of legitimate network functionality. Finally, for networks where this is a problem, I offer solutions that block just the portions of ICMP that enable network discovery, together with a guide, Network Security Hardening (ICMP) with Microsoft Intune.
Codes & Types
ICMP is also used by network devices to send error messages back to the source host if an error or event requiring warning has occurred. For example, if a gateway or destination host encounters a problem, it will send an ICMP message to the source host to indicate what the problem is (e.g., destination is unreachable, packet loss, etc.). Network administrators can then use these messages to troubleshoot connectivity issues and determine the root cause of any problems.
Today, ten types of ICMP messages are most relevant to modern networks. Within each message type, there are several codes to identify a specific condition or request.
In summary, while Ping and Traceroute are well-known utilities that use ICMP, it is important to understand that ICMP has a broader range of functions beyond these tools.
Attack Surfaces – Methods
One motivation is to avoid being detected by adversarial network mapping software (scanning with Nmap and Nessus). With ICMP enabled, it is possible to carry out malicious operations such as network discovery attacks, covert communication channels, and network traffic redirection, including but not limited to:
- Ping sweep: A kind of attack that enumerates the active hosts on a network by sending ICMP echo request messages to each address.
- ICMP tunneling: A technique for creating a covert communication channel between remote systems, typically between a client and a proxy, by carrying data inside ICMP payloads.
- Ping flood: A method for launching a denial of service (DoS) attack in which the attacker sends many ICMP requests quickly and repeatedly without waiting for the targeted system to respond. Ping floods try to degrade the system’s performance by consuming both incoming and outgoing bandwidth as well as CPU resources.
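The discovery activity described above leaves a trace on the defending side: the Windows Firewall can log dropped and allowed ICMP packets to pfirewall.log (W3C format, one line per packet, with icmptype and icmpcode columns). The following PowerShell is an added example, not code from the original post or from Microsoft; it parses such log lines and flags any source that sent echo requests (type 8) to an unusually large number of distinct destinations. The function name Find-PingSweep, the threshold of five targets and the log lines themselves are my own constructed sample data. Because pfirewall.log on a single host only ever shows that host as the destination, the sweep check assumes the logs of several hosts have been collected in one place (for example by a log forwarder); the per-source request count is useful even on a single host.

```powershell
# Added example (not from the original post): detect ping sweeps in Windows Firewall
# log lines. Assumes the pfirewall.log W3C field order that Windows writes in its
# "#Fields:" header. Sample log lines below are constructed, not real captures.

function Find-PingSweep {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $MinTargets = 5   # distinct destinations from one source before reporting
    )
    # pfirewall.log fields (0-based):
    # 0 date 1 time 2 action 3 protocol 4 src-ip 5 dst-ip 6 src-port 7 dst-port
    # 8 size 9 tcpflags 10 tcpsyn 11 tcpack 12 tcpwin 13 icmptype 14 icmpcode 15 info 16 path
    $echoRequests = foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        # Keep only ICMP Echo Requests (type 8), whatever the firewall did with them.
        if ($f.Count -ge 15 -and $f[3] -eq 'ICMP' -and $f[13] -eq '8') {
            [pscustomobject]@{ Source = $f[4]; Destination = $f[5]; Action = $f[2] }
        }
    }
    $echoRequests | Group-Object Source | ForEach-Object {
        $targets = @($_.Group.Destination | Sort-Object -Unique).Count
        if ($targets -ge $MinTargets) {
            [pscustomobject]@{
                Source      = $_.Name
                Requests    = $_.Count
                TargetCount = $targets
                Dropped     = @($_.Group | Where-Object Action -eq 'DROP').Count
                Allowed     = @($_.Group | Where-Object Action -eq 'ALLOW').Count
            }
        }
    }
}

# Constructed sample: 10.0.5.77 probes six addresses; 10.0.5.20 pings one server repeatedly.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP ICMP 10.0.5.77 10.0.5.10 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:01 DROP ICMP 10.0.5.77 10.0.5.11 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:01 ALLOW ICMP 10.0.5.77 10.0.5.12 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:02 DROP ICMP 10.0.5.77 10.0.5.13 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:02 DROP ICMP 10.0.5.77 10.0.5.14 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:02 DROP ICMP 10.0.5.77 10.0.5.15 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:03 ALLOW ICMP 10.0.5.20 10.0.5.10 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:04 ALLOW ICMP 10.0.5.20 10.0.5.10 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:12:05 ALLOW ICMP 10.0.5.10 10.0.5.20 - - 60 - - - - 0 0 - SEND
'@ -split "`r?`n"

# Expected: one row for 10.0.5.77 (6 targets, 5 dropped, 1 allowed); 10.0.5.20 stays below the threshold.
Find-PingSweep -LogLines $sample | Format-Table -AutoSize
```

To feed real data, enable logging of dropped and allowed packets on the relevant profile (Set-NetFirewallProfile -LogBlocked True -LogAllowed True) and pass Get-Content of the log file to the function; the default log path is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.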
Network administrators sometimes disable ICMP traffic on their firewalls as a “quick fix” security measure due to the numerous ICMP-related attacks that can occur and the fact that TCP/IP “mostly” functions even when ICMP traffic is disabled.
Windows 11 Endpoint security firewall rules in Intune
Since the latest Intune service release, it is now possible to make specific adjustments to the types and codes of the ICMP protocol (IcmpTypesAndCodes) in the Windows Firewall.
The new settings can be found in the Intune portal under Endpoint Security. After creating a new policy, the settings can be configured as desired in the rules (at the bottom).
The example image shows two possible configurations; these must be adapted as needed to your own environment. Note that, at the time of writing, this policy applies only to Windows 11 devices. Guide: Network Security Hardening (ICMP) with Microsoft Intune.
Windows 11 Endpoint security firewall rules (manually)
The ability to restrict the ICMP protocol has been around for a long time; the image below (unfortunately in German) shows how this can be configured manually (Microsoft Guide).
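The same selective restriction that the Intune IcmpTypesAndCodes setting and the manual firewall dialog express can be scripted with the NetSecurity PowerShell module. The block below is an added example, not the original post's or Microsoft's own configuration: it keeps the ICMPv4 types that normal connectivity depends on (Destination Unreachable / Fragmentation Needed for Path MTU Discovery, Time Exceeded for traceroute, Echo Reply for pings this host sends) and blocks only the discovery-related request types inbound on the Public and Private profiles. The rule names, the profile split and the choice of types are my own assumptions and should be adapted to the environment, exactly as the post says for the Intune policy.

```powershell
# Added example (not from the original post or Microsoft's guide): selective ICMPv4
# hardening with the Windows Firewall, the scripted counterpart of the Intune
# IcmpTypesAndCodes setting. Run in an elevated PowerShell session.
# Rule names and the type selection below are assumptions for this example.

# ICMPv4 "type:code" values that hosts rely on; keep these allowed on every profile.
$KeepAllowed = @(
    '3:4',   # Destination Unreachable, Fragmentation Needed: Path MTU Discovery stops working without it
    '11:*',  # Time Exceeded: traceroute and TTL diagnostics
    '0:*'    # Echo Reply: answers to pings this host itself sends
)

# Request types used for host discovery; block them inbound on untrusted profiles.
$BlockInbound = @(
    '8:*',   # Echo Request (ping sweeps)
    '13:*',  # Timestamp Request (reconnaissance, rarely legitimate today)
    '17:*'   # Address Mask Request (legacy, rarely legitimate today)
)

New-NetFirewallRule -DisplayName 'ICMPv4-Allow-Essential' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType $KeepAllowed `
    -Action Allow -Profile Any -Enabled True | Out-Null

# Domain profile is left out so internal monitoring can still ping the device.
New-NetFirewallRule -DisplayName 'ICMPv4-Block-Discovery' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType $BlockInbound `
    -Action Block -Profile Public,Private -Enabled True | Out-Null

# Verify: show each created rule with the ICMP type filter actually applied.
Get-NetFirewallRule -DisplayName 'ICMPv4-*' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Action   = $_.Action
        Profile  = $_.Profile
        IcmpType = ($filter.IcmpType -join ', ')
    }
} | Format-Table -AutoSize
```

The block rule matters even though inbound traffic is denied by default, because built-in rule groups such as File and Printer Sharing contain their own Echo Request allow rules; in the Windows Firewall a matching block rule always wins over an allow rule, so the two rules above only need to avoid overlapping types, which they do. Test the result with a ping and a traceroute from another host before rolling it out, as the post recommends.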
A practical tip could certainly be to first test the policy on targeted devices before considering a global rollout. Better to be too careful than to have unhappy users afterwards.
The topic of network security is definitely very important in IT, particularly because many resources are nowadays outsourced. That is why Microsoft is gradually offering more and more functions in the Intune portal to ensure that the company's security meets the required standard. Disabling the ICMP protocol can impair diagnostics, reliability, and network performance, because important mechanisms are disabled when the ICMP protocol is restricted.
In my opinion, the topic is important but definitely needs enough time/resources for implementation.