How to Configure Security Policies to Allow Ping and Tracert

Ping

For network diagnosis, you may need to allow the firewall to proactively ping upstream and downstream devices or allow the ping packets from upstream and downstream devices to traverse the firewall. Table 7-4 lists the security policies.

However, ICMP is also often used by attackers to spy on the network or establish covert channels. If you have high security requirements, you can permit ICMP messages of only specific types.

Ping requires two types of ICMP messages: ICMP Echo Request (Type 8) and ICMP Echo Reply (Type 0). The source sends several consecutive ICMP Echo Request messages to the destination. After receiving the messages, the destination replies with ICMP Echo Reply messages. If the source receives the ICMP Echo Reply messages within a specified period, the destination is reachable. When receiving an Echo Request message from the source, the firewall creates a session entry and forwards the message. When the Echo Reply messages returned by the destination match the session entry, the firewall will forward these messages.

Figure 7-2 Ping fundamentals

Generally, ping packets from specified intranet hosts to an external network need to be permitted to check connectivity with the external network. In some cases, trusted partners need to be allowed to ping devices on the internal network.

In the preceding example, icmp-type8 is not a service predefined on the firewall and needs to be customized.

Tracert

Tracert is used to display the path along which a data packet is sent to the destination host. Tracert uses three types of ICMP messages: ICMP Echo Reply (Type 0), ICMP Echo Request (Type 8), and ICMP Time Exceeded (Type 11). Figure 7-3 shows the tracert process initiated by a PC. The following uses a PC sending tracert packets to a router as an example. When the PC initiates a tracert process, it uses the local IP address as the source address and the router IP address as the destination address to encapsulate ICMP Echo Request messages.

Figure 7-3 Tracert process initiated by a PC

The TTL value of the first ICMP Echo Request message is 1. After receiving the message, the switch decreases the TTL value by 1. The TTL value becomes 0. The switch then discards the message and returns an ICMP Time Exceeded message with its IP address as the source address. After receiving the message, the PC knows the IP address of the first hop.

The PC sends a second ICMP Echo Request message with the TTL value being 2. After receiving the message, the switch decreases the TTL value by 1 and forwards the message to the firewall. The firewall decreases the TTL value of the message by 1 and the TTL value becomes 0. The firewall discards the message and returns an ICMP Time Exceeded message with its IP address as the source address and the ICMP Echo Request message sent by the PC as the payload. After receiving the ICMP Time Exceeded message, the PC knows the IP address of the second hop.

The PC keeps sending ICMP Echo Request messages with the TTL value incremented by 1 in each message until an ICMP Echo Request message reaches the destination. The router then returns an ICMP Echo Reply message to the PC.

During the tracert process, the source sends an ICMP Echo Request message, and the destination returns an ICMP Echo Reply message. The session entry establishment and matching process on the firewall is the same as that in the ping process. For the ICMP Time Exceeded messages returned by intermediate devices, the firewall extracts the original packets from the payload to match the session table. According to the stateful inspection mechanism, you only need to configure a security policy for the traffic from the source to the destination. As both the ping and tracert processes use ICMP messages, after the security policy is configured to permit the ping service, the tracert service is also available.

The preceding tracert process is applicable only to Windows operating systems. In a UNIX-like operating system, the tool with the same function as tracert is traceroute. By default, traceroute uses UDP packets to detect the destination address and uses the destination port ranging from 33434 to 33534. Generally, the first detection uses port 33434, the second detection uses port 33435, and so on. Because these ports do not exist, the destination host returns an ICMP Port Unreachable message (type 3 code 3) after receiving the UDP packet. Many network devices, such as Huawei firewalls and switches, use UDP packets to initiate detection. Some UNIX-like operating systems also provide parameter options in traceroute commands. You can specify ICMP Echo Request messages or other protocol packets through these parameter options to initiate detection.

When locating faults, network engineers can use either ICMP-based tracert or UDP-based traceroute. Therefore, you need to permit the UDP packets with ports ranging from 33434 to 33534 from the detection initiator. Table 7-6 shows the complete security policy list.

Pay attention to the following points about tracert:

The tracert function varies according to the operating system and network device vendor. The preceding security policies apply only to mainstream products.

For security purposes, network devices may not respond to tracert packets. For example, Huawei firewalls do not send ICMP Time Exceeded messages by default (the tracert result is displayed as *), and the function of returning ICMP Port Unreachable messages can be disabled using a command on these firewalls.