Dan, while you make a good point, there is a balance to everything. A couple of years ago I attended a MS security seminar in Irvine. They brought up a very good point: security is like a triangle. The three points are cost, function and safety. The point inside the triangle where your security setting sits is extremely difficult to plot easily.
What I do is allow ICMP traffic to my DMZ servers from the Internet, and to other servers by source, and to LAN only as needed.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Dan Horne
> Sent: Friday, July 09, 2004 11:08 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for Declude JunkMail
>
> "a good admin will allow ICMP traffic through, *unless* they believe it to
> be a specific security risk"
>
> Sorry, disagree there. A *good* admin will recognize that ICMP *IS* a
> security risk. It allows remote computers to build a map of your network
> and find out what IP addresses are valid. While "security through
> obscurity" is not enough by itself, blocking ICMP traffic is pretty standard
> practice these days. ICMP is also used for many DOS attacks. Here is a
> quote from HACKING EXPOSED (which should be required reading for all network
> admins, IMO):
>
> "As discussed throughout this book, we reiterate that ICMP traffic is
> dangerous. While ICMP serves a valuable diagnostic purpose, ICMP is easily
> abused and is often the 'bullet' used for bandwidth consumption attacks."
>
> And another:
>
> "Ping sweeps (or ICMP ECHO packets) are only the tip of the iceberg when it
> comes to ICMP information about a system. You can gather all kinds of
> valuable information about a system by simply sending an ICMP packet to it."
>
> Now, in my configuration, I am able to block only incoming ICMP packets
> while allowing outgoing, so I was able to install without a problem. Many
> admins do not have that option, though.
>
> -Dan Horne
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott Perry
> Sent: Friday, July 09, 2004 1:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test
> for Declude JunkMail
>
> [Responding to two posts]
>
> >So - if some dial-up/dynamic PC gets infected, that IP address will
> >likely be assigned to someone else who happens to connect tomorrow? Is
> >your test eliminating any "dial-up/dynamic" IPs, since by definition
> >the infected/spam workstation will change IPs?
>
> But, by definition, those IPs are guaranteed to be dynamic -- and therefore
> shouldn't be sending E-mail directly, without the assistance of an MTA.
>
> >How do you account for businesses using Internet gateways, firewalls,
> >NAT routers etc where one IP address could feasibly represent a large
> >number of different workstations?
>
> If a business has infected computers, and the business allows those infected
> computers to send out viruses through the firewall on the same IP that
> outgoing legitimate E-mail goes on, they have serious problems. They would
> need to fix the problems, and request removal of their IP.
>
> > Considering that most administrators will block ANY TCP/IP traffic from/to a
> > server and only open exactly those 2 or 3 ports that are needed for its
> > primary function, you can assume that trying to "ping" will not be permitted
> > - thus preventing install.
>
> Not true -- a good admin will allow ICMP traffic through, *unless* they
> believe it to be a specific security risk.
>
> As a rule of thumb, when people ask me for assistance regarding troubles
> reaching a computer and I can't ping it, I tell them that it can't be
> pinged, and they have to take care of it from there. If you disable a vital
> networking tool, you need to accept the consequences.
>
> On the other hand, I don't believe an install program should need to use
> ICMP traffic, and I have passed this information on to the developer of the
> install program.
>
> -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail mailservers
> since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in mailserver
> vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
> just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
> Declude.JunkMail". The archives can be found at
> http://www.mail-archive.com.
