Re: How to prevent system from replying to Ping (ICMP Echo) requests?
From: Richard H Miller (rick_at_bcm.tmc.edu)
Date: 09/28/04
- Next message: T. Sean Weintz: "Re: Sonicwall TZ170 to Netware"
- Previous message: Dan Tseng - WallWatcher author: "Re: WallWatcher - Spyware?"
- In reply to:(deleted message) Leythos: "Re: How to prevent system from replying to Ping (ICMP Echo) requests?"
- Next in thread: Kaptain Krunch: "Re: How to prevent system from replying to Ping (ICMP Echo) requests?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 28 Sep 2004 21:41:11 GMT
Leythos (void@nowhere.org) wrote:
: In article <e6azxmunckx2@x02x67invalid.net>,
: synesthesia@ix02x67invalid.net says...
: > If you have some specific need to manage given traffic then of course
: > you have to deal with it.
: I guess it comes down to this - I believe in managing all traffic in/out
: of the network at all times.
: While I'm sure that you can find instances where ICMP traffic might be
: needed, I can also suggest that it's not needed for those same
: instances, as there are always alternative products. Anything that
: relies on an echo to ensure communications on some other layer is a
: broken idea to begin with.
Agree, but some partners still use ping as a keep-alive. However, in the cases I have
run into where this is an issue, the ICMP traffic is encrypted by the VPN tunnel and
is used to keep the two devices communicating through the VPN tunnel so we define an
appropriate policy rule to allow ICMP traffic via the tunnel but not allow unencrypted
ICMP traffic.
General Observation here:
Many of the 'requirements' existing in some of the RFCs may need to be examined in
light of the hostile environment that exists now. ICMP traffic is one of those. Some
sites may choose to allow it [and in most cases they have protection in place for many
of the ICMP DOS attacks]. As you said, the same with 'stealth mode'. Strictly speaking
it is a violation of RFC but it really
is not an issue. If you choose to drop rather than reject a packet, it is a choice of
how you manage your network. Just do not make the mistake that you are hiding anything
by the drop. The identical information is returned from a 'stealth' port as a 'closed'
port; something is there...
However, for large sites, dropping out-of-policy packets is a good thing since the
firewall does not have to build a reject packet but can simply drop it. When you are
dealing in millions of rejected packets/day this is not an insignificant savings.
Rick
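As an added illustration of the policy Rick describes (this is example configuration, not something posted in the thread): an nftables ruleset that accepts partner keep-alive pings only when they arrive through the VPN tunnel, and silently drops unencrypted echo requests on the Internet-facing interface rather than rejecting them. The interface names wan0 and tun0 and the tunnel network 10.8.0.0/24 are assumptions.

```nftables
# Example ruleset (not from the thread). Assumed names: wan0 = Internet-facing
# interface, tun0 = VPN tunnel interface, 10.8.0.0/24 = addresses inside the tunnel.
table inet icmp_policy {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept

        # Partner keep-alive pings reach us only after the VPN has decrypted them, so
        # they appear on the tunnel interface. Accept echo requests there only, and
        # rate-limit them so the tunnel cannot be turned into a ping flood.
        iifname "tun0" ip saddr 10.8.0.0/24 icmp type echo-request limit rate 10/second accept

        # Unencrypted echo requests on the Internet-facing interface: count and drop.
        # 'drop' instead of 'reject' means the firewall builds no reply packet, the
        # saving Rick points to when millions of out-of-policy packets arrive per day.
        iifname "wan0" icmp type echo-request counter drop

        # Keep the ICMP error types the stack needs (path MTU discovery, unreachables).
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Anything not matched above falls through to the chain policy: drop.
    }
}
```

Load it with `nft -f <file>` and watch the counter on the wan0 rule with `nft list ruleset` to see how much unencrypted ICMP is being discarded.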