JN_92

Contributor

21 Messages

Monday, October 26th, 2015 8:00 AM

Disable Ping on WAN Router Setting

We have a Comcast Business IP Gateway (SMC 3DG) and one Comcast-provided fixed IP address.  To make our router/network more secure from outside intrusion, I am planning to enable the "Disable Ping on WAN" setting in the router's firewall firmware.  Other than occasional employee remote access (via port 443) we do not need any public presence on the Internet (no web site, mail server, etc.).

Do you recommend disabling WAN ping capability like this?  Does it provide better security?  Are there any potential drawbacks or problems making this change?

Thanks very much for your help with this.

Accepted Solution

Gold Problem solver

610 Messages

9 years ago

To be honest, it's not too much of a security risk to leave ping enabled. It IS true that if you leave ping enabled, then someone could remotely ping you & get a response, signifying to them that there is SOME device present at that address. But since you say you already have a service available on port 443 (a very common port), if an attacker did a port scan of your IP they would also see that. To an attacker, a service listening on port 443 is MUCH more interesting than a reply to a ping. In my server/router logs, I see many more port scans from random addresses on the internet to TCP 80 & 443 than I do pings.

There is conceptually a risk of someone performing a "ping flood" as a crude denial-of-service, but I know that Comcast (and many other ISPs) filter these if/when they happen.

Overall, I usually recommend leaving it enabled, since the benefits (you, as an admin, being able to remotely know if the device is up/responding) outweigh the potential drawbacks. That said, you will find many admins who say that keeping it off reduces your internet presence. Personally, I don't see too much of a problem with keeping it on, since as I said someone could already portscan you & see that listening 443 service.

I would be more concerned with how secure your "employee remote access" service on port 443 is. Presumably it's a web server? Which one? Is it updated fully? Is it properly safeguarded to prevent remote injection attacks/password guesses?
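The reply above argues that a listening port reveals more to a port scanner than a ping reply does, and cites what router logs show. As an added example that is not part of this thread, the following Python script tallies inbound WAN probes from constructed netfilter-style log lines, separating ICMP echo requests from TCP SYNs per destination port; the WAN interface name eth0, the addresses and the log format are assumptions.

```python
import re
from collections import Counter, defaultdict

# netfilter LOG lines carry KEY=VALUE fields; TCP flags such as SYN/ACK are bare tokens.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def classify(line, wan_if="eth0"):
    """Return (kind, src) for an inbound probe on the WAN interface, else None.
    kind is 'icmp_echo' for a ping request or 'tcp_syn:<dport>' for a connection attempt."""
    f = dict(FIELD_RE.findall(line))
    if f.get("IN") != wan_if or "SRC" not in f:
        return None                      # LAN-side or malformed line: not an external probe
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
        return "icmp_echo", f["SRC"]     # ICMP type 8 = echo request
    if f.get("PROTO") == "TCP" and re.search(r"\bSYN\b", line) and not re.search(r"\bACK\b", line):
        return f"tcp_syn:{f.get('DPT')}", f["SRC"]   # bare SYN = new connection attempt
    return None

def summarize(log_text, wan_if="eth0"):
    """Count probes per kind and list the distinct source addresses behind each."""
    counts, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line, wan_if)
        if hit:
            counts[hit[0]] += 1
            sources[hit[0]].add(hit[1])
    return counts, {k: sorted(v) for k, v in sources.items()}

# Constructed sample log (not real traffic); 203.0.113.5 stands in for the fixed WAN address.
SAMPLE_LOG = """\
Oct 26 08:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 26 08:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=443 RES=0x00 SYN URGP=0
Oct 26 08:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80 RES=0x00 SYN URGP=0
Oct 26 08:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=443 RES=0x00 SYN URGP=0
Oct 26 08:00:05 gw kernel: IN=eth1 OUT= SRC=192.168.1.10 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
Oct 26 08:00:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=443 RES=0x00 ACK URGP=0
"""

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for kind, n in counts.most_common():
        print(f"{kind:12} {n} probe(s) from {len(sources[kind])} source(s): {', '.join(sources[kind])}")
```

The LAN-side echo request (IN=eth1) and the bare ACK are deliberately excluded, so only genuine external probes are counted.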

Contributor

21 Messages

9 years ago

Thanks for your reply.  My interest in considering this came from one of the scanning services found on Steve Gibson's security web site.  They test for response to ping from an Internet (external) source and warn if one is received.  We got such a warning on the server.

As far as the "remote access" function goes, we do not host a web server.  The remote access function is provided by the server operating system (Windows Server 2012 R2 Essentials).  I believe it is called "Anywhere Access" in Server 2012.  A similar function has been offered in all of the Windows small business server operating systems since SBS 2003, I believe.

Gold Problem solver

610 Messages

9 years ago

@JN wrote:
As far as the "remote access" function goes, we do not host a web server.  The remote access function is provided by the server operating system (Windows Server 2012 R2 Essentials).  I believe it is called "Anywhere Access" in Server 2012.  A similar function has been offered in all of the Windows small business server operating systems since SBS 2003, I believe.

So "Anywhere Access" is a combination of "Remote Web Access", "DirectAccess", and IPsec VPN technologies. The components use IIS underneath (IIS is Microsoft's web server engine.) You'll want to make sure this server has security updates installed as frequently as possible.