Re: Detecting Connection Attempts

From: Eirik Seim (eirik@mi.uib.no)
Date: 05/26/02


From: eirik@mi.uib.no (Eirik Seim)
Date: 25 May 2002 23:33:09 GMT

On Sat, 25 May 2002 19:11:13 +0200, Wolfgang Kueter wrote:
> Bernie M wrote:
>
>
> > Allowing "port/destination unreachable's" provides a hostile body a
> > way of mapping your internal hosts. If they don't receive these
> > messages it tells them nothing.
> >
> > See this article ..
> > http://www.networkmagazine.com/article/NMG20000829S0003
>
> Typical security by obscurity snake oil nonsense.
>
> There is nothing wrong with clear error codes.

Not necessarily, but they might very well represent an information leakage.
Remote 'stealth' OS fingerprinting can be pretty efficient with ICMP, making
for an even bigger information leakage.

I _do_ think the firewall for most systems (or at least the router before
the firewall) should send tcp rst's and icmp unreach, ttl expired and such,
in order not to break network traffic, but I would never permit outside
hosts to probe addresses _behind_ my firewall with icmp.

I agree on this being obscurity, but not letting evil hackers from Poland
map your networks, hosts and operating systems is one type of obscurity I
think is actually kind of useful :)

As for inbound ICMP packets in response to an outgoing connection, they
should _of course_ be allowed, given they are considered harmless (0, 3, 4,
8, 11 and 12).

- Eirik

-- 
New and exciting signature!

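The policy the post above argues for, as an added example that is not part of the original post or of any product it mentions: a stateful check that admits an inbound ICMP message only when it is an echo reply to a ping an inside host sent, or an ICMP error (destination unreachable, source quench, time exceeded, parameter problem) whose quoted datagram matches a flow an inside host opened. It follows the post's rule that outside hosts may not probe addresses behind the firewall, so an inbound echo request to an inside address is dropped. The inside prefix 192.0.2.0/24, the flow table, the outside addresses and every packet are constructed for the demonstration; the packet layouts are those of RFC 791 and RFC 792.

```python
"""Stateful admission check for inbound ICMP at a border firewall (added example,
not code from the original post). Inbound ICMP is admitted only when it answers, or
reports an error about, traffic an inside host sent out. Inside prefix, flow table
and packets are constructed here; layouts follow RFC 791 (IPv4) and RFC 792 (ICMP)."""
import ipaddress
import struct

ECHO_REPLY, DEST_UNREACH, SOURCE_QUENCH = 0, 3, 4
ECHO_REQUEST, TIME_EXCEEDED, PARAM_PROBLEM = 8, 11, 12
ERROR_TYPES = {DEST_UNREACH, SOURCE_QUENCH, TIME_EXCEEDED, PARAM_PROBLEM}
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed inside prefix

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero (not verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) from the start of an IPv4 datagram."""
    return (str(ipaddress.ip_address(buf[12:16])), str(ipaddress.ip_address(buf[16:20])),
            buf[9], (buf[0] & 0x0F) * 4)

def icmp_packet(src, dst, icmp_type, code, rest=b"\0\0\0\0", payload=b""):
    """IPv4 datagram carrying one ICMP message; 'rest' is the 4-byte type-specific field."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return ipv4_header(src, dst, PROTO_ICMP, len(body)) + body

def quoted_datagram(src, dst, proto, sport, dport):
    """What an ICMP error must quote (RFC 792): offending IP header + first 8 payload bytes."""
    return ipv4_header(src, dst, proto, 8) + struct.pack("!HHI", sport, dport, 0)

class ConnTracker:
    """Flows initiated from the inside, keyed the way a stateful firewall keys them."""
    def __init__(self):
        self.flows = set()   # (proto, inside_src, sport, outside_dst, dport)
        self.echoes = set()  # (inside_src, outside_dst, identifier)

    def outbound(self, proto, src, sport, dst, dport):
        self.flows.add((proto, src, sport, dst, dport))

    def outbound_echo(self, src, dst, identifier):
        self.echoes.add((src, dst, identifier))

    def admit_inbound_icmp(self, pkt):
        """Return (allowed, reason) for a packet arriving on the outside interface."""
        src, dst, proto, ihl = parse_ipv4(pkt)
        if proto != PROTO_ICMP or ipaddress.ip_address(dst) not in INSIDE_NET:
            return False, "not ICMP to an inside address"
        icmp = pkt[ihl:]
        if len(icmp) < 8:
            return False, "truncated ICMP header"
        itype, code = icmp[0], icmp[1]
        if itype == ECHO_REPLY:
            ident = struct.unpack("!H", icmp[4:6])[0]
            if (dst, src, ident) in self.echoes:
                return True, "echo reply to our own request"
            return False, "unsolicited echo reply"
        if itype in ERROR_TYPES:
            inner = icmp[8:]  # the quoted datagram is what ties the error to a flow
            if len(inner) < 20:
                return False, "error message lacks quoted datagram"
            isrc, idst, iproto, iihl = parse_ipv4(inner)
            if len(inner) < iihl + 8 or isrc != dst:
                return False, "quoted datagram truncated or not ours"
            if iproto in (PROTO_TCP, PROTO_UDP):
                sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
                if (iproto, isrc, sport, idst, dport) in self.flows:
                    return True, f"type {itype}/{code} about our flow"
            elif iproto == PROTO_ICMP and inner[iihl] == ECHO_REQUEST:
                ident = struct.unpack("!H", inner[iihl + 4:iihl + 6])[0]
                if (isrc, idst, ident) in self.echoes:
                    return True, f"type {itype}/{code} about our echo request"
            return False, "error about a flow we never opened"
        # Echo, timestamp and address-mask requests aimed at inside hosts are how an
        # outsider maps the inside network: drop them.
        return False, f"unsolicited type {itype} to inside host dropped"

def run_demo():
    """Constructed traffic: three legitimate replies and two probes."""
    t = ConnTracker()
    t.outbound(PROTO_TCP, "192.0.2.10", 40000, "203.0.113.5", 80)
    t.outbound(PROTO_UDP, "192.0.2.10", 33434, "203.0.113.9", 33434)  # traceroute probe
    t.outbound_echo("192.0.2.10", "203.0.113.5", 0x1234)
    cases = {
        "port unreachable for our TCP flow": icmp_packet(
            "203.0.113.5", "192.0.2.10", DEST_UNREACH, 3,
            payload=quoted_datagram("192.0.2.10", "203.0.113.5", PROTO_TCP, 40000, 80)),
        "ttl exceeded from a router on our traceroute": icmp_packet(
            "198.51.100.1", "192.0.2.10", TIME_EXCEEDED, 0,
            payload=quoted_datagram("192.0.2.10", "203.0.113.9", PROTO_UDP, 33434, 33434)),
        "echo reply to our ping": icmp_packet(
            "203.0.113.5", "192.0.2.10", ECHO_REPLY, 0, rest=struct.pack("!HH", 0x1234, 1)),
        "outside ping sweep of an inside host": icmp_packet(
            "203.0.113.7", "192.0.2.20", ECHO_REQUEST, 0, rest=struct.pack("!HH", 1, 1)),
        "forged unreachable about a flow we never opened": icmp_packet(
            "203.0.113.7", "192.0.2.10", DEST_UNREACH, 1,
            payload=quoted_datagram("192.0.2.10", "203.0.113.7", PROTO_TCP, 40000, 443)),
    }
    return {name: t.admit_inbound_icmp(pkt) for name, pkt in cases.items()}
```

Calling run_demo() admits the first three cases and drops the last two. The point worth noticing is that the ICMP error types do not need a blanket "allow types 3, 4, 11, 12 in" rule: RFC 792 requires an error to quote the IP header and first 8 bytes of the datagram that caused it, so the firewall can match that quoted header against its own flow table and let through only errors about connections the inside actually opened. That is the same mechanism a stateful packet filter uses in practice (netfilter's conntrack marks such errors RELATED), and it is what keeps the "don't break traffic" goal and the "don't let outsiders map the inside" goal from conflicting.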