Enable ICMP (ECHO) PING on WAN
There seems to have been discussion of a need to hide the device by blocking ping (remove ICMP echo-reply response) in various threads over the last year, and in a recent version of the firmware the device appears to default deny on all inbound ICMP responses.
I am speaking as a credentialed Certified Information Systems Security Professional (CISSP) and I am not aware of security research or best practices which indicates blocking WAN Ping on routers.
While I understand denying ICMP means network scanners have to work a little bit harder to find "active" devices, blackholing ICMP is a practice typically recommended for network hosts (not routers).
Denying ICMP actually results in breaking security functionality in some important ways:
Security Availability Vulnerability (fundamental security concept):
- In the case of port forwarding, denying ICMP breaks PMTU scans from clients outside the local network, damaging window scaling and ultimately breaking network connectivity when an MTU of 1500 is not compatible with the local loop.
Network Access Control Vulnerability (security control category):
- In the case of an enterprise network administrator, the fact the device does not respond to pings makes it more difficult for a cyber asset inventory scan to determine whether there may be a rogue device on the network.
Security Availability Vulnerability (fundamental security concept):
- Blocking ping makes it difficult for a WAN-side DHCP host to perform IP deconflict checks.
What is the value of this feature?
ICMP processing stacks (whether commercial or open source) have been stable and basically unbreakable (from a security standpoint) for decades. Malformed packets sometimes root routers, but as Cisco will tell you, a firewall rule never protected the L3 stack from breakage.
The only possible justification I can think of is a user has placed a totally insecure protocol on a random port (of which there are only 30-60k available -- so not very random) -- and is hoping the fact their device doesn't respond to ICMP will somehow make up for the fact RDP is regularly rooted, free VNC software is the security equivalent of a speed bump, and the webserver on their multi-function NAS is riddled with known vulnerabilities.
My case? I'd simply like to place a network monitor (outside) on the internet on my Deco so I can monitor availability (a security concept). It appears my only option is to forward a port inside breaking the security perimeter so I can do a TCP PING?
Someone please tell me there's a hidden configuration option to enable ping?
P.S. Apparently port 22 is running an ssh server and the firmware has a hardcoded root password (yes! root login enabled!) that can provide access to the ash shell. Default remote login passwords would be a "Critical" CVSS score I believe.
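The "TCP PING" workaround the post describes, as an added example that is not part of the original post or of any TP-Link software: a Python availability probe that attempts a TCP connection to a port the operator has forwarded on their own device, records whether the connection was accepted and how long it took, and aggregates several attempts into an availability ratio. The loopback listener is a constructed stand-in for the forwarded port so the script runs offline; the host, port, timeout and attempt count are assumptions, not values from the post.

```python
"""Availability probe via TCP connect, the "TCP PING" alternative to ICMP echo.

Added example (not from the original post). Probes a host:port the operator
controls and reports up/down plus connect latency, which is what an external
availability monitor needs when the device does not answer ICMP echo.
"""
from __future__ import annotations

import socket
import threading
import time
from typing import Dict, Optional, Tuple


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> Dict[str, object]:
    """Attempt one TCP connection; return a result record instead of raising.

    "up" is True only if the three-way handshake completed. A refused port,
    a timeout (typical when ICMP and the port are both dropped) and a DNS
    failure all surface as "up": False with the exception class name.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            rtt_ms = (time.monotonic() - start) * 1000.0
            return {"host": host, "port": port, "up": True,
                    "rtt_ms": round(rtt_ms, 2), "error": None}
    except OSError as exc:  # socket.timeout and ConnectionRefusedError are OSError subclasses
        return {"host": host, "port": port, "up": False,
                "rtt_ms": None, "error": type(exc).__name__}


def availability(host: str, port: int, attempts: int = 3,
                 interval: float = 0.0, timeout: float = 2.0) -> float:
    """Fraction of attempts (0.0 .. 1.0) for which the TCP probe succeeded."""
    successes = 0
    for i in range(attempts):
        if tcp_probe(host, port, timeout)["up"]:
            successes += 1
        if interval and i < attempts - 1:
            time.sleep(interval)
    return successes / attempts if attempts else 0.0


def start_local_listener(port: int = 0) -> Tuple[socket.socket, int]:
    """Constructed stand-in for the forwarded port: a loopback TCP listener.

    Accepts and immediately closes connections in a background thread.
    port=0 lets the OS pick a free port; the chosen port is returned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    srv.settimeout(0.2)  # wake periodically so the thread notices close()

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:  # socket closed by stop_local_listener()
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_local_listener(srv: socket.socket) -> None:
    """Close the listener; further probes to its port are refused."""
    srv.close()


if __name__ == "__main__":
    srv, port = start_local_listener()
    print("listener up:", tcp_probe("127.0.0.1", port))
    print("availability:", availability("127.0.0.1", port, attempts=3))
    stop_local_listener(srv)
    print("listener down:", tcp_probe("127.0.0.1", port))
```

In real use the probe target is the device's public address and the forwarded port, and the timeout should exceed the expected WAN round trip so that a slow link is not reported as down. A refused connection and a timed-out connection are kept distinct in the result record because they mean different things to an operator: the first shows the host is reachable but the port is closed, the second gives no information about the host at all, which is exactly the ambiguity that an ICMP echo reply would have resolved.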