[ICMP Covert Channel] Allow only ICMP Ping packet that has specific payload.

What I mean is that the ping packet can contain a payload which can be set randomly. If we allow the ping to pass the firewall, someone can use the payload part of the ping packet to transfer the data in a covert channel. From outside, it is just an ordinary ping packet but with a payload that is designed to silently establish a communication channel with the outside world. 

Therefore, I would like to keep the ping pass the firewall with an exception. If the payload does not match the standard payload for Windows ping or Unix ping, then the ping packet will not be able to go through the firewall. If the payload matches the standard payload, then it can go through the firewall.

Hello,

The PAN knows what the ping packet should look like. If it doesnt match the criteria, it wont be classified as ping and the security policy wont apply. Hopefully you have a eny all policy at the bottom to deny all other traffic.

Regards,

Look at two ping packets below.

1. This ping packet is generated on Windows by typing ping google.com in command prompt. Please pay attention to the Data (32 bytes) highlighted below.

2. This ping packet is generated on Ubuntu by typing ping google.com in bash shell. Please pay attention to the Data (48 bytes) highlighted below.

Both are valid ping packets and by default will be allowed to get through by the firewall although they have different data inside the packet.

My question is, how do I allow only the first type of Ping (i.e., Windows Ping) and block the second type of Ping (i.e., Ubuntu Ping)?

Hello,

In this case you might want to create a custom application for the Ubuntu ping and then use a security policy to deny it. However I think ping is a RFC standard so it might generate false postives/negatives? Also just a a security think, I never allow ping outbound or inbound, but thats just me.

Regards,

Okay, so firstly I block all of the ping application on my rule.

Then, I define new custom application as follows. I only want the Windows Ping to get through the firewall thus the pattern should be the same as Windows Ping data payload (in hexadecimal).

Then, I added the new application to my rule.

After committing, I see that both Windows ping and Ubuntu ping can still get through. I want to only allow the Windows ping.

Do I set the signature incorrectly for the new apps?

The best actually is as mentionned by @OtakarKlier : do not allow pings outbound. PaloAlto will identify the ping propery but the App-ID does not care what is inside the ping packet.

With a "harmless" ping it is not even possible to exfiltrate data, there is also software available that allows you to create a VPN connection over the icmp protocol.

I wish I could just block all of ping. But sadly, I cannot.

What about just from certain sources? i.e. IP address's or ranges? Perhaps just AD groups (if you use those)?

---

@hibagus wrote:

I wish I could just block all of ping. But sadly, I cannot.

---

For what do you need the pings exactly? Maybe for some super-admins who blame you with a not properly working firewall/network when they are not able to ping whatever they want in the internet? Would it be possible that you allow some specific "trusted" destinations (destinations where you know that they don't do anything else than simply replying to the ping)?

I am currently doing research on modeling security threats that uses ICMP to establish a covert communication channel.

I wish that I can use the deep packet inspection on the Palo Alto Firewall to inspect the ICMP packet.

Any help to define new application signature will be appreciated.

@hibagus 

Unfortunately what you're asking for is not possible. The signatures you can create do not allow you to do a pattern match on icmp-payloads - the decoder probably only checks icmp type and code and nothing else.

The only thing you can do so far is to create a feature request...

Thanks for replying.

One more question regarding this topic.

There is an application in Palo Alto Firewall called ping-tunnel as an addition to ping.

I have tried to read the documentation of the ping-tunnel and indeed it uses ICMP for tunneling.

How does the firewall differentiate the original ping and the ping-tunnel?

Maybe it is a good starting point for me.

Thanks.

Ho @hibagus 

Only paloalto knows how this is done 😛

But I found something which may be useful for you: you cannot create an app to identify linux/windows pings, but you can create an app that checks the length of the ping payload. So maybe it works if you specify a length of 0 (<1) and allow only that. This way not the default pings are allowed but you could make sure that there is no data sent put of your network.