Re: Ok to let all ICMP traffic through firewall?

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 09/25/05


Date: Sun, 25 Sep 2005 17:26:31 +0000 (UTC)

jameshanley39@yahoo.co.uk said:
>Peter Boosten wrote:
>> In comp.security.firewalls Mark <nothere@notthere.com> wrote:
>> >
>> >
>> > Yes it is, ever heard of PING NMAP?
>> >
>> > Google it and security and firewalls.
>> >
>>
>> or PING of Death?
>>
>that is indeed a logical reason to block ping. One wouldn't expect an
>error in the ICMP protocol. But ping of death is probably an error
>in the software handling ICMP, rather than the ICMP protocol itself.

Pretty often the protocols themselves are solid (protocols as in protocol
definitions), but implementations are faulty - just as in the case of
ping-of-death.

The same goes for various ftp implementations, some ssh implementations,
some web server implementations, ... . Now, it's rather easy to disable
an unneeded ftp server (as to why it was enabled anyway - f.ex. that
was the vendor default, and the person doing the system installation
didn't think enough to disable it). But how do you disable ICMP handling?
You turn off the machine, more or less.

This is why you only let in those ICMP packets that affect your own
communications. F.ex., inbound ICMP echo-requests are prohibited (unless
you're facing a site that does an echo-request every time you connect
to it); allowed are only such ICMP echo replies which correspond to
a recent outbound ICMP echo request, and so on.

So, ICMP is good and needed (just as inbound TCP ACKs are needed), for
such sessions that are known to exist. The rest of ICMP is noise which is
best ignored at the network boundary. Just to give yourself a little more
time to patch when someone finds a new critical fault somewhere in the
network infrastructure code.

Speaking of allow/disallow, allow the things you know you need, don't
deny things you know you don't need. If you go the "deny" path, you
may overlook things like IP subprotocols other than the common three
(TCP, UDP, ICMP) - just because you didn't pay attention to the multiple
other values there can be in the subprotocol field.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
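The two rules in the post above, "let in only ICMP that belongs to traffic you started" and "allow what you need rather than deny what you don't", as an added example that is not part of the original post. It is a small decision engine over constructed packet records, not a real packet filter: the Packet records, the ECHO_TIMEOUT value and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are assumptions made for illustration, and a production firewall would get the same state from its connection tracker instead of this toy table. The deny-list variant is kept beside the allow-list one to show the IP subprotocol gap the post mentions: a GRE packet (protocol 47) that nobody wrote a rule for.

```python
"""Stateful ICMP policy from the post, as a small decision engine over
constructed packet records (added example, not the original poster's code).
Packets are simplified dataclass records, not parsed wire bytes."""
import time
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers and ICMP types (RFC 790 / RFC 792 values)
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

ECHO_TIMEOUT = 10.0  # seconds an outbound echo-request counts as "recent" (assumed)
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass
class Packet:
    direction: str              # "out" (leaving our network) or "in" (arriving)
    proto: int
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_id: Optional[int] = None
    icmp_seq: Optional[int] = None
    # ICMP error messages quote the header of the datagram that triggered them
    # (RFC 792: IP header plus first 8 bytes); that quoted header goes here.
    inner: Optional["Packet"] = None


class IcmpStatefulFilter:
    """Remembers outbound traffic so inbound ICMP can be matched against it."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.pending_echo = {}   # (dst, id, seq) -> time the echo-request left
        self.flows = set()       # (proto, src, dst) seen leaving for TCP/UDP

    def _expire(self):
        cutoff = self.now() - ECHO_TIMEOUT
        self.pending_echo = {k: t for k, t in self.pending_echo.items() if t >= cutoff}

    def record_outbound(self, pkt):
        if pkt.proto == PROTO_ICMP and pkt.icmp_type == ECHO_REQUEST:
            self.pending_echo[(pkt.dst, pkt.icmp_id, pkt.icmp_seq)] = self.now()
        elif pkt.proto in (PROTO_TCP, PROTO_UDP):
            self.flows.add((pkt.proto, pkt.src, pkt.dst))

    def inbound_icmp_allowed(self, pkt):
        """True only for ICMP that refers to traffic we ourselves started."""
        self._expire()
        if pkt.icmp_type == ECHO_REPLY:
            # A reply must match a recent request; pop it so a second copy
            # (replayed or forged) cannot ride on the same entry.
            key = (pkt.src, pkt.icmp_id, pkt.icmp_seq)
            return self.pending_echo.pop(key, None) is not None
        if pkt.icmp_type in (DEST_UNREACH, TIME_EXCEEDED):
            inner = pkt.inner
            if inner is None:
                return False
            if inner.proto == PROTO_ICMP and inner.icmp_type == ECHO_REQUEST:
                return (inner.dst, inner.icmp_id, inner.icmp_seq) in self.pending_echo
            return (inner.proto, inner.src, inner.dst) in self.flows
        # Inbound echo-request, redirect, timestamp, ...: not about our sessions.
        return False

    def decide_allowlist(self, pkt):
        """The post's advice: permit what you know you need, drop the rest."""
        if pkt.direction == "out":
            self.record_outbound(pkt)
            return ACCEPT
        if pkt.proto == PROTO_ICMP and self.inbound_icmp_allowed(pkt):
            return ACCEPT
        return DROP  # includes every IP protocol nobody wrote a rule for

    def decide_denylist(self, pkt):
        """The approach the post warns against: block what you know is bad."""
        if pkt.direction == "out":
            self.record_outbound(pkt)
            return ACCEPT
        if pkt.proto == PROTO_ICMP and pkt.icmp_type == ECHO_REQUEST:
            return DROP  # "block ping"
        if pkt.proto in (PROTO_TCP, PROTO_UDP):
            return DROP  # no inbound services offered
        return ACCEPT    # GRE, ESP, ... were never listed, so they get in


if __name__ == "__main__":
    fw = IcmpStatefulFilter()
    ours, peer, stranger = "192.0.2.10", "198.51.100.1", "203.0.113.5"  # constructed
    for p in [Packet("out", PROTO_ICMP, ours, peer, ECHO_REQUEST, 0x1234, 1),
              Packet("in", PROTO_ICMP, peer, ours, ECHO_REPLY, 0x1234, 1),
              Packet("in", PROTO_ICMP, stranger, ours, ECHO_REQUEST, 7, 1),
              Packet("in", PROTO_GRE, stranger, ours)]:
        print(p.direction, p.proto, p.icmp_type, "->", fw.decide_allowlist(p))
```

The echo-reply match keys on (source address, identifier, sequence) and is consumed on first use, so an unsolicited reply, a late reply after ECHO_TIMEOUT, and a duplicate of a legitimate reply are all dropped; ICMP errors are admitted only when the quoted original datagram matches something that actually left. The deny-list variant drops exactly what the author of the rules thought of and lets the GRE packet through, which is the post's point about the subprotocol field.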


Relevant Pages

  • TCP/IP Applications FAQ
    ... waiting for an ICMP Echo Reply from the host. ... Each trio of packets 'expire' at a succeeding ... Of the rexec protocol. ...
    (comp.unix.questions)