Understanding the ICMP Predefined Policy Application
When you create a policy, you can specify the ICMP predefined application for the policy.
Internet Control Message Protocol (ICMP) is a part of IP and provides a way to query a network (ICMP query messages) and to receive feedback from the network about error conditions (ICMP error messages). ICMP does not, however, guarantee delivery of error messages or report every lost datagram; it is not a reliable protocol. ICMP types and codes identify the individual ICMP query messages and ICMP error messages.
You can choose to permit or deny any or specific types of ICMP messages to improve network security. Some types of ICMP messages can be exploited to gain information about your network that might compromise security. For example, ICMP, TCP, or UDP packets can be constructed to elicit ICMP error messages that contain information about a network, such as its topology and its access-list filtering characteristics. Table 14 lists the ICMP message names, the corresponding type and code, and a description of each.
Table 14: ICMP Messages
ICMP Message Name | Type | Code | Description |
---|---|---|---|
ICMP-ANY | all | all | ICMP-ANY affects any protocol using ICMP. Denying ICMP-ANY impairs any attempt to ping or monitor a network using ICMP. Permitting ICMP-ANY allows all ICMP messages. |
ICMP-ADDRESS-MASK | 17, 18 | 0, 0 | ICMP address mask query is used for systems that need the local subnet mask from a bootstrap server. Denying ICMP address mask request messages can adversely affect diskless systems. Permitting ICMP address mask request messages might allow others to fingerprint the operating system of a host in your network. |
ICMP-DEST-UNREACH | 3 | 0 | ICMP destination unreachable error message indicates that the destination host is configured to reject the packets. Codes 0, 1, 4, or 5 can be from a gateway. Codes 2 or 3 can be from a host (RFC 792). Denying ICMP destination unreachable error messages can remove the assumption that a host is up and running behind a J Series or an SRX Series device. Permitting ICMP destination unreachable error messages can allow some assumptions, such as security filtering, to be made about the network. |
ICMP Fragment Needed | 3 | 4 | ICMP fragmentation error message indicates that fragmentation is needed but the don't fragment flag is set. We recommend denying these messages from the Internet to an internal network. |
ICMP FragmentReassembly | 11 | 1 | ICMP fragment reassembly time exceeded error indicates that a host reassembling a fragmented message ran out of time and dropped the packet. This message is sometimes sent. We recommend denying these messages from the Internet (external) to the trusted (internal) network. |
ICMP-HOST-UNREACH | 3 | 1 | ICMP host unreachable error messages indicate that the routing table either has no entry for a particular host or lists it with an infinite metric. Sometimes this error is sent by gateways that cannot fragment when a packet requiring fragmentation is received. We recommend denying these messages from the Internet to a trusted network. Permitting these messages allows others to determine your internal hosts' IP addresses by a process of elimination, or to make assumptions about gateways and fragmentation. |
ICMP-INFO | 15, 16 | 0, 0 | ICMP-INFO query messages allow diskless host systems to query the network and self-configure. Denying these messages can adversely affect diskless systems. Permitting them might allow others to broadcast information queries to a network segment to determine computer type. |
ICMP-PARAMETER-PROBLEM | 12 | 0 | ICMP parameter problem error messages notify you when incorrect header parameters are present and have caused a packet to be discarded. We recommend denying these messages from the Internet to a trusted network. Permitting ICMP parameter problem error messages allows others to make assumptions about your network. |
ICMP-PORT-UNREACH | 3 | 3 | ICMP port unreachable error messages indicate that gateways processing datagrams requesting certain ports are unavailable or unsupported in the network. We recommend denying these messages from the Internet to a trusted network. Permitting ICMP port unreachable error messages can allow others to determine which ports you use for certain protocols. |
ICMP-PROTOCOL-UNREACH | 3 | 2 | ICMP protocol unreachable error messages indicate that gateways processing datagrams requesting certain protocols are unavailable or unsupported in the network. We recommend denying these messages from the Internet to a trusted network. Permitting ICMP protocol unreachable error messages can allow others to determine what protocols your network is running. |
ICMP-REDIRECT | 5 | 0 | ICMP redirect network error messages are sent by a J Series or an SRX Series device. We recommend denying these messages from the Internet to a trusted network. |
ICMP-REDIRECT-HOST | 5 | 1 | ICMP redirect messages indicate datagrams destined for the specified host to be sent along another path. |
ICMP-REDIRECT-TOS-HOST | 5 | 3 | ICMP redirect type of service (TOS) and host error is a type of message. |
ICMP-REDIRECT-TOS-NET | 5 | 2 | ICMP redirect TOS and network error is a type of message. |
ICMP-SOURCE-QUENCH | 4 | 0 | ICMP source quench error message indicates that a device does not have the buffer space available to accept, queue, and send the packets on to the next hop. Denying these messages will not help or impair internal network performance. Permitting these messages can allow others to know that a device is congested, making it a viable attack target. |
ICMP-SOURCE-ROUTE-FAIL | 3 | 5 | ICMP source route failed error message. We recommend denying these messages from the Internet (external). |
ICMP-TIME-EXCEEDED | 11 | 0 | ICMP time-to-live (TTL) exceeded error message indicates that a packet's TTL setting reached zero before the packet reached its destination. This ensures that older packets are discarded before resent ones are processed. We recommend denying these messages from a trusted network out to the Internet. |
ICMP-TIMESTAMP | 13, 14 | 0, 0 | ICMP-TIMESTAMP query messages provide the mechanism to synchronize time and coordinate time distribution in a large, diverse network. |
Ping (ICMP ECHO) | 8 | 0 | Ping is a utility to determine whether a specific host is accessible by its IP address. Denying ping functionality removes your ability to check to see if a host is active. Permitting ping can allow others to execute a denial-of-service (DoS) or Smurf attack. |
ICMP-ECHO-FRAGMENT-ASSEMBLY-EXPIRE | 11 | 1 | ICMP fragment echo reassembly time expired error message indicates that the reassembly time was exceeded. We recommend denying these messages. |
Traceroute | 30 | 0, 1 | Traceroute is a utility to indicate the path to access a specific host. We recommend denying this utility from the Internet (external) to your trusted network (internal). |
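The following is an added example, not Juniper code or part of the original page: it parses a raw ICMP header, verifies its checksum, maps the (type, code) pair to the application name from Table 14, and returns the action the table recommends for the given direction. The `inbound`/`outbound` labels, the `ICMP-ANY` fallback for unlisted types, and the sample messages built by `build_icmp` are constructed here for illustration.

```python
"""Added example: classify raw ICMP messages against Table 14 (not Juniper code)."""
import struct

# (type, code) -> application name as listed in Table 14.
# The table lists 11/1 twice (ICMP FragmentReassembly and
# ICMP-ECHO-FRAGMENT-ASSEMBLY-EXPIRE); both recommend deny, so one name is kept.
ICMP_APPS = {
    (3, 0): "ICMP-DEST-UNREACH", (3, 1): "ICMP-HOST-UNREACH",
    (3, 2): "ICMP-PROTOCOL-UNREACH", (3, 3): "ICMP-PORT-UNREACH",
    (3, 4): "ICMP Fragment Needed", (3, 5): "ICMP-SOURCE-ROUTE-FAIL",
    (4, 0): "ICMP-SOURCE-QUENCH",
    (5, 0): "ICMP-REDIRECT", (5, 1): "ICMP-REDIRECT-HOST",
    (5, 2): "ICMP-REDIRECT-TOS-NET", (5, 3): "ICMP-REDIRECT-TOS-HOST",
    (8, 0): "Ping (ICMP ECHO)",
    (11, 0): "ICMP-TIME-EXCEEDED", (11, 1): "ICMP FragmentReassembly",
    (12, 0): "ICMP-PARAMETER-PROBLEM",
    (13, 0): "ICMP-TIMESTAMP", (14, 0): "ICMP-TIMESTAMP",
    (15, 0): "ICMP-INFO", (16, 0): "ICMP-INFO",
    (17, 0): "ICMP-ADDRESS-MASK", (18, 0): "ICMP-ADDRESS-MASK",
    (30, 0): "Traceroute", (30, 1): "Traceroute",
}
# Applications Table 14 recommends denying from the Internet into the trusted
# network ("inbound") and from the trusted network out to the Internet ("outbound").
DENY_INBOUND = {"ICMP Fragment Needed", "ICMP FragmentReassembly", "ICMP-HOST-UNREACH",
                "ICMP-PARAMETER-PROBLEM", "ICMP-PORT-UNREACH", "ICMP-PROTOCOL-UNREACH",
                "ICMP-REDIRECT", "ICMP-SOURCE-ROUTE-FAIL", "Traceroute"}
DENY_OUTBOUND = {"ICMP-TIME-EXCEEDED"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length messages
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF                 # 0 when verifying a valid message

def classify(icmp: bytes, direction: str) -> tuple:
    """Return (application name, 'permit' | 'deny') for a raw ICMP message.
    Truncated or bad-checksum messages are denied before any table lookup,
    so a malformed message can never match a permit rule."""
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return ("malformed", "deny")
    app = ICMP_APPS.get((icmp[0], icmp[1]), "ICMP-ANY")  # type, code
    deny = DENY_INBOUND if direction == "inbound" else DENY_OUTBOUND
    return (app, "deny" if app in deny else "permit")

def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Constructed sample message with a valid checksum (test input only)."""
    msg = struct.pack("!BBHHH", icmp_type, code, 0, 0, 0) + payload
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]
```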
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- Security Policy Applications Overview
- Default Behaviour of ICMP Unreachable Errors
- Example: Configuring Applications and Application Sets