relying on NAT for security is also not a good idea. If you do not have a
translation set up today, you should not have an outside access list. But if for
some reason you do, and allow ICMP echo from the outside, all it takes is for
you to forget the rules you have applied, and for you to apply a translation into
your internal network at a later date. I can understand if you only have 10
rules in your access list, then reviewing these rules is not a big concern.
However, if you have an access list with hundreds of entries, and you have
several firewalls to maintain, it is very easy to overlook security holes you
have coming into your organization. This should be a lesson in best practices,
and you should be concentrating on forming good habits, as it will pay off in
the long run. I know I have been burnt several times myself by bad habits
that I picked up.
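The review problem described above (hundreds of entries, several firewalls, an ICMP echo permit that becomes reachable once a translation is added later) is the kind of thing that is easier to catch with a script than by eye. The following is an added example, not code from the thread or from any vendor: a small Python audit that parses ASA-style `access-list ... extended` lines and flags permit entries that let ICMP echo (or all ICMP, when no type is given) in from an unrestricted source, while leaving entries scoped to a specific source host alone. The ACL text, the list name `outside_access_in`, and the addresses are all constructed for the example, and the parser assumes the ASA extended ACL token layout (action, protocol, source, destination, optional ICMP type).

```python
"""Audit ASA-style extended ACL lines for ICMP echo permits reachable from any
outside source.  Added example; the config below is constructed, not real."""
from dataclasses import dataclass

# Constructed sample ACL (assumed ASA 'access-list NAME extended ...' syntax).
SAMPLE_ACL = """\
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any host 203.0.113.10 echo-reply
access-list outside_access_in extended permit icmp host 198.51.100.7 host 203.0.113.10 echo
access-list outside_access_in extended permit icmp any 203.0.113.0 255.255.255.0
access-list outside_access_in extended deny icmp any any
access-list outside_access_in extended permit udp any host 203.0.113.20 eq 53
"""

UNRESTRICTED = {"any", "any4", "any6"}
ECHO_TYPES = {"echo", "8"}          # ASA accepts the keyword or the numeric type
TRAILERS = {"log", "time-range", "inactive"}  # keywords that are not an ICMP type


@dataclass
class IcmpEntry:
    line_no: int
    src: str
    dst: str
    icmp_type: str   # "any" when the ACE names no type, i.e. all ICMP types
    text: str


def _take_addr(tok, i):
    """Consume one address spec starting at tok[i]: any | host A | object NAME |
    object-group NAME | interface NAME | A MASK.  Returns (spec, next_index)."""
    t = tok[i]
    if t in UNRESTRICTED:
        return t, i + 1
    if t in ("host", "object", "object-group", "interface"):
        return f"{t} {tok[i + 1]}", i + 2
    return f"{tok[i]} {tok[i + 1]}", i + 2   # dotted address followed by netmask


def parse_icmp_permits(config):
    """Return every 'permit icmp' ACE in the config as an IcmpEntry."""
    entries = []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto = tok[3], tok[4]
        if action != "permit" or proto != "icmp":
            continue
        src, i = _take_addr(tok, 5)
        dst, i = _take_addr(tok, i)
        icmp_type = tok[i] if i < len(tok) and tok[i] not in TRAILERS else "any"
        entries.append(IcmpEntry(n, src, dst, icmp_type, line))
    return entries


def find_open_echo(entries):
    """ICMP permits whose source is unrestricted and whose type covers echo
    requests: an explicit echo type, or no type at all (all ICMP)."""
    return [e for e in entries
            if e.src in UNRESTRICTED and (e.icmp_type == "any" or e.icmp_type in ECHO_TYPES)]


def audit(config):
    """Convenience wrapper: line numbers of the ACEs that deserve a second look."""
    return [e.line_no for e in find_open_echo(parse_icmp_permits(config))]


if __name__ == "__main__":
    for e in find_open_echo(parse_icmp_permits(SAMPLE_ACL)):
        why = "all ICMP types" if e.icmp_type == "any" else f"type {e.icmp_type}"
        print(f"line {e.line_no}: echo from {e.src} to {e.dst} ({why}): {e.text}")
```

Against the constructed sample the audit reports lines 2 and 5: the `any any echo` entry and the entry with no ICMP type, which permits every type including echo. The `echo-reply` entry and the entry restricted to `host 198.51.100.7` are not reported, which matches the source-address filtering mentioned later in the thread. To run it over real firewalls, feed it the output of `show running-config access-list` for each device and diff the reported lines against what you expect to be there.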
----- Original Message -----
From: [email protected]
Sent: Fri, November 6, 2009, 8:47 AM
Subject: Re: [OSL | CCIE_Security] ICMP from outside: which types should be allowed?
ICMP echo inbound is something that should be evaluated for your particular
network. I allow ICMP so I can test to DMZ and inside hosts through my
firewall from outside. None of these devices are accessible from the Internet
because there is no public NAT for them, so for my network it is perfectly safe.
At the end of the day ICMP echo is something that can be good or bad depending
on the network. There are other controls like rate limiting or filtering by
source address that will make ICMP inbound more secure.
Regards,
Roger
On Fri, Nov 6, 2009 at 10:37 AM, Simon Baumann
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com