What is the danger in allowing internal hosts to ping the Internet?

by Jason "Hiner MCSE, CCNA" | Dec 28, 2004 8:00:00 AM

Tags: Firewalls, Workstations, Network security, NETWORKING, SECURITY, Jason Hiner MCSE, CCNA, firewall, network, workstation, Internet

3 comment(s)

Takeaway: See how a TechRepublic member surprisingly discovered that his network hosts could ping the Internet and asked other IT pros about the dangers in that. Learn how to block that capability and the security implications involved.

Problem

TechRepublic member computer_blues recently made a startling discovery on his network and used the Technical Q&A to ask other IT pros about it. He posted: "I noticed that my internal workstations can ping locations outside of the firewall, like www.yahoo.com, even though these workstations are not set up with Internet (http) access on the firewall. Am I exposing my internal network to possible attacks, or what risk is involved in allowing internal workstations to ping outside the network? I thought my firewall rules prohibited this, until now."

Solution

This question received a trio of helpful answers.

BFilmFan responded, "If you are running IP and didn't set a specific DENY on the subnet, they can indeed ping out of the network. Did you check to make sure that telnet was removed from the workstations also? The real question is can someone ping into your network from outside?"

Member markusfrei@gmx.net provided a useful suggestion for disabling the ability to ping outside of the network. He wrote, "Remove the firewall's IP address from the 'gateway' section in the NIC setup of the PCs, then they should no longer be able to get out to the Internet."

To further enhance security, member gavin@afiintra.com suggested, "The main reason for not allowing ping is to avoid virus attacks to the router. You should configure your firewall to deny all the ICMP traffic or deny port 7 UPD to block all the echo traffic."