RE: ICMP, NT and IIS: What is a safe cocktail?

From: Kevin Kaminski (Kevin.Kaminski@telus.com)
Date: 10/04/01


Message-Id: <D0190EDBB1DDD211BE2F0001FA7EB102077103D0@ex1.ent.agt.ab.ca>
From: "Kevin Kaminski" <Kevin.Kaminski@telus.com>
To: "'Stefan Norberg'" <stefan@orbisec.com>, focus-ms@securityfocus.com
Subject: RE: ICMP, NT and IIS: What is a safe cocktail?
Date: Thu, 4 Oct 2001 10:54:11 -0600

That sounds valid. If I turn off PMTU (in the registry) it will default to an
MTU of 576. I think I could live with people trying to degrade my server
rather than degrading it right off the bat.

-----Original Message-----
From: Stefan Norberg [mailto:stefan@orbisec.com]
Sent: Thursday, October 04, 2001 5:49 AM
To: Kevin Kaminski; focus-ms@securityfocus.com
Subject: RE: ICMP, NT and IIS: What is a safe cocktail?

It's possible to abuse. Just send the host some spoofed ICMP type 3 code 4
and tell it to use a small MTU. I still recommend path MTU discovery enabled
on most servers since the default MTU is only 576.

-----Original Message-----
From: Kevin Kaminski [mailto:Kevin.Kaminski@telus.com]
Sent: den 4 oktober 2001 08:35
To: 'Stefan Norberg'; focus-ms@securityfocus.com
Subject: RE: ICMP, NT and IIS: What is a safe cocktail?

Microsoft KB article Q136970 suggests that is all that is needed for PMTU. I
cannot see any need to allow anything else. After reading about PMTU and
ICMP this all looks so blatantly simple. If I turn on anything else I am
just asking for problems. I cannot see any way to abuse that config.

-----Original Message-----
From: Stefan Norberg [mailto:stefan@orbisec.com]
Sent: Thursday, October 04, 2001 12:11 AM
To: Kevin Kaminski; focus-ms@securityfocus.com
Subject: RE: ICMP, NT and IIS: What is a safe cocktail?

Kevin,
Allowing only incoming type 3 code 4 (packet too big - need to fragment) is
a pretty tight config. That won't break people sitting behind links with
smaller MTUs. I don't see any obvious reason for allowing anything else in
most scenarios.

Stefan Norberg

-----Original Message-----
From: Kevin Kaminski [mailto:Kevin.Kaminski@telus.com]
Sent: den 3 oktober 2001 21:51
To: 'focus-ms@securityfocus.com'
Subject: ICMP, NT and IIS: What is a safe cocktail?

I am looking at deploying a Win2K IIS server on the Internet. The only
services offered are IIS on port 80 and IPSec for administration. While
researching this I had found ICMP to be somewhat of a grey area. My initial
question was to allow ICMP or not in this Internet scenario. After talking
to Microsoft they suggested I filter ICMP to Types 3,4,5 and 11 to allow for
proper operation of the server. That seemed fair because I was told systems
may not be able to communicate with the server if they are using a smaller
MTU than the server. With the ICMP filters I was worried that ICMP redirects
would not be filtered and could leave the system open to DOS attacks. Going
back to the NSA document on IIS5 they leave all ICMP traffic blocked. Is
Win2K to be trusted with ICMP or is this too problematic to deal with? Left
somewhat unsure I thought I would ask a community of versed security experts
for their opinions on ICMP and Win2K. What is a safe ICMP configuration in
the real world that will not affect client connectivity? Or maybe I should
leave it more open as to what is your policy on ICMP with Win2K and why?
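
The inbound policy the thread converges on (admit only ICMP type 3 code 4) and the spoofed small-MTU concern raised against it can be expressed as a packet check. This is an added example, not code from any of the posters; the function names, the 576-byte alert floor, and the sample addresses are assumptions made for illustration.

```python
import socket
import struct

ALLOW, DROP, ALERT = "allow", "drop", "alert"
MTU_FLOOR = 576  # assumption: flag anything below the 576 default named in the thread

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid ICMP message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_icmp(msg: bytes, server_ip: str, mtu_floor: int = MTU_FLOOR) -> str:
    """Classify one inbound ICMP message (outer IP header already stripped)."""
    if len(msg) < 8 + 20 or inet_checksum(msg) != 0:
        return DROP                       # truncated or corrupt
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", msg[:8])
    if (icmp_type, code) != (3, 4):
        return DROP                       # redirects, echo, etc. are not admitted
    quoted = msg[8:]                      # header of the datagram reported as too big
    if quoted[0] >> 4 != 4 or socket.inet_ntoa(quoted[12:16]) != server_ip:
        return DROP                       # does not quote a packet this server sent
    if next_hop_mtu < mtu_floor:
        return ALERT                      # would push the path MTU below the floor
    return ALLOW

def build_sample(icmp_type: int, code: int, mtu: int, quoted_src: str) -> bytes:
    """Constructed input: ICMP message quoting a minimal IPv4 header plus 8 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(quoted_src), socket.inet_aton("198.51.100.7"))
    body = ip + struct.pack("!HHI", 80, 40000, 0)    # TCP ports and sequence number
    csum = inet_checksum(struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + body)
    return struct.pack("!BBHHH", icmp_type, code, csum, 0, mtu) + body

if __name__ == "__main__":
    server = "203.0.113.10"               # constructed documentation address
    for t, c, mtu in [(3, 4, 1400), (3, 4, 68), (5, 1, 0), (8, 0, 0)]:
        print(t, c, mtu, classify_icmp(build_sample(t, c, mtu, server), server))
```

The quoted-header check only weeds out messages that do not reference this server's own traffic; it does not authenticate the sender, so the MTU floor alert is the part that addresses the spoofing case raised in the thread.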


