Re: Detecting Connection Attempts

From: Bernie M (berniem_nospam@routergod.com)
Date: 05/27/02


From: "Bernie M" <berniem_nospam@routergod.com>
Date: Tue, 28 May 2002 07:28:05 +1000


"FB" <nospam@nospam.com> wrote in message
news:3CF29D3D.8050507@nospam.com...
> Bernie M wrote:
> >>Ok for larger networks, but he has only 1 box as I understood. So where
> >>is the benefit of blocking those messages on a single machine?
> > I suppose any benefit gained is relative to the individual. I would expect
> > his *single machine* is important to him and note that, in a *best practice*
> > environment i.e. separate firewall or firewall/router protecting host/s, as
> > opposed to firewall software installed on host/s, the amount of
> > administrative work needed to protect one machine is the same as that
> > required to protect 10 000.
>
> Hm, I don't think that. It's a difference if you have one single box
> connected to the internet, a small network NATed behind a router or a
> whole network with thousands of systems.
> On the other hand I agree with your first statement (benefit relative
> to..). For the single machine connected to the internet: I doubt there
> is a real "technical" benefit of blocking ICMP. Even with OS
> fingerprinting in mind. An attacker could find out the OS running
> because of specific ICMP answers, and then? All ports are closed. Unless
> the tcp stack is not broken the information might be interesting for the
> stats but not really helpful.
>

We could go on about the relative benefits but it's getting away from the
topic ;-) Can we agree that it's *best practice* to control the
input/output of ICMP messages ... relative to the importance of host/s and
any data it/they contain?

BernieM
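[Added example, not code posted by anyone in this thread.] The point under
discussion is "control" of ICMP rather than "block all ICMP": a host still
needs some ICMP to function, most obviously destination-unreachable code 4
(fragmentation needed) for path-MTU discovery and the replies to its own
pings, while it gains nothing from accepting redirects or timestamp
requests. The script below models such a per-direction (type, code) policy
in Python, first rejecting anything with a bad ICMP checksum and then
applying the policy to a handful of constructed sample messages. The
type/code numbers are the IANA assignments; the allow sets, the trusted
source 192.0.2.10 and all sample packets are assumptions made for the
illustration.

```python
"""Selective ICMPv4 filtering, modelled in Python (added example).

Parses a raw ICMP message, rejects a truncated or corrupted one, then
applies a per-direction (type, code) policy: the control messages a host
needs pass, the rest is dropped. Policy sets and samples are constructed.
"""
import struct

# ICMPv4 type numbers (IANA)
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TIME_EXCEEDED, PARAM_PROBLEM, TIMESTAMP_REQ, TIMESTAMP_REPLY = 11, 12, 13, 14
FRAG_NEEDED = 4  # destination-unreachable code 4: fragmentation needed, DF set

# Policy keyed on (type, code); code None means "any code". Assumed policy.
INBOUND_ALLOW = {
    (DEST_UNREACH, None),   # includes code 4; dropping it breaks path-MTU discovery
    (TIME_EXCEEDED, None),  # TTL expiry, so traceroute from this host still works
    (PARAM_PROBLEM, None),
    (ECHO_REPLY, None),     # answers to our own pings (a stateful firewall would
                            # additionally require a matching outbound request)
}
OUTBOUND_ALLOW = {
    (ECHO_REQUEST, None),          # we may ping out
    (DEST_UNREACH, FRAG_NEEDED),   # tell peers our MTU; other unreachables stay hidden
}
# Everything else (redirects, timestamp/information/address-mask requests,
# pings from sources we do not trust) is dropped by default.


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Assemble a valid ICMP message; used here only to construct samples."""
    body = rest + payload
    csum = icmp_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(packet: bytes) -> tuple:
    """Return (type, code); raise ValueError if truncated or corrupted."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if icmp_checksum(packet) != 0:  # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return icmp_type, code


def filter_icmp(packet: bytes, direction: str, src: str = None,
                trusted_sources=frozenset()) -> tuple:
    """Return ("allow" or "drop", reason) for one ICMP message."""
    try:
        icmp_type, code = parse_icmp(packet)
    except ValueError as err:
        return "drop", str(err)
    if direction == "in":
        if icmp_type == ECHO_REQUEST:  # pings only from hosts we chose to trust
            if src in trusted_sources:
                return "allow", "echo-request from trusted source %s" % src
            return "drop", "echo-request from untrusted source %s" % src
        allowed = INBOUND_ALLOW
    elif direction == "out":
        allowed = OUTBOUND_ALLOW
    else:
        raise ValueError("direction must be 'in' or 'out'")
    if (icmp_type, None) in allowed or (icmp_type, code) in allowed:
        return "allow", "type %d code %d permitted %sbound" % (icmp_type, code, direction)
    return "drop", "type %d code %d not permitted %sbound" % (icmp_type, code, direction)


def run_samples() -> dict:
    """Apply the policy to constructed sample messages; returns name -> verdict."""
    trusted = frozenset({"192.0.2.10"})   # assumed: our own monitoring box
    ping = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"abcdefgh")
    # frag-needed: rest = unused(16) + next-hop MTU(16), then the offending
    # IP header + 8 bytes (28 bytes of filler here)
    frag_needed = build_icmp(DEST_UNREACH, FRAG_NEEDED,
                             struct.pack("!HH", 0, 1400), b"\x45" + b"\x00" * 27)
    corrupted = bytearray(ping)
    corrupted[9] ^= 0x01                  # one flipped payload bit: checksum fails
    samples = {
        "in_ping_untrusted": (ping, "in", "203.0.113.9"),
        "in_ping_trusted": (ping, "in", "192.0.2.10"),
        "in_echo_reply": (build_icmp(ECHO_REPLY, 0, struct.pack("!HH", 0x1234, 1)), "in", "198.51.100.1"),
        "in_frag_needed": (frag_needed, "in", "198.51.100.1"),
        "in_redirect": (build_icmp(REDIRECT, 1, b"\xc0\x00\x02\x01"), "in", "198.51.100.1"),
        "in_timestamp_req": (build_icmp(TIMESTAMP_REQ, 0, b"\x00" * 4, b"\x00" * 12), "in", "203.0.113.9"),
        "in_corrupted": (bytes(corrupted), "in", "192.0.2.10"),
        "out_ping": (ping, "out", None),
        "out_timestamp_reply": (build_icmp(TIMESTAMP_REPLY, 0, b"\x00" * 4, b"\x00" * 12), "out", None),
    }
    return {name: filter_icmp(pkt, direction, src, trusted)[0]
            for name, (pkt, direction, src) in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-20s %s" % (name, verdict))
```

On a real packet filter the same split is written as per-type rules (for
instance nftables' `icmp type { destination-unreachable, time-exceeded } accept`
followed by a default drop) rather than a blanket "drop all ICMP"; the part
people most often get wrong is forgetting fragmentation-needed, which shows up
later as connections through a VPN or PPPoE link that hang on large transfers.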


