Ah, but you DO recognize that ICMP is a threat, and so you have set
access-rules on it.  That was my main point.  And as Sandy pointed out,
there are many firewalls out there that do NOT allow you to set access-rules
other than allow ICMP globally or disallow ICMP globally.  For an admin that
must put up with one of those firewalls for one reason or another, the only
secure setting is to disallow ICMP.  Normally I disallow all ICMP traffic
inbound, even though I can get more granular.  If I have need of ICMP for
one reason or another, I do as Scott Fisher did and allow it while it is
needed and then disable it again. 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Friday, July 09, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test
for Declude JunkMail

Dan, while you make a good point, there is a balance to everything.

A couple of years ago I attended a MS security seminar in Irvine. They
brought up a very good point: security is like a triangle. The three points
are cost, function and safety. The point inside the triangle where your
security setting lies is extremely difficult to plot easily.

What I do is allow ICMP traffic to my DMZ servers from the Internet, and to
other servers by source, and to LAN only as needed.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED] On Behalf Of Dan Horne
> Sent: Friday, July 09, 2004 11:08 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test for
> Declude JunkMail
> 
> "a good admin will allow ICMP traffic through, *unless* they believe 
> it to be a specific security risk"
> 
> Sorry, disagree there.  A *good* admin will recognize that ICMP *IS* a 
> security risk.  It allows remote computers to build a map of your 
> network and find out what IP addresses are valid.  While "security 
> through obscurity" is not enough by itself, blocking ICMP traffic is 
> pretty standard practice these days.  ICMP is also used for many DOS attacks. Here is 
> a quote from HACKING EXPOSED (which should be required reading for all
> network admins, IMO):
> 
> "As discussed throughout this book, we reiterate that ICMP traffic is 
> dangerous.  While ICMP serves a valuable diagnostic purpose, ICMP is
> easily abused and is often the 'bullet' used for bandwidth consumption attacks."
> 
> And another:
> 
> "Ping sweeps (or ICMP ECHO packets) are only the tip of the iceberg 
> when it comes to ICMP information about a system.  You can gather all kinds of 
> valuable information about a system by simply sending an ICMP packet 
> to it."
> 
> Now, in my configuration, I am able to block only incoming ICMP 
> packets while allowing outgoing, so I was able to install without a 
> problem.  Many admins do not have that option, though.
> 
> -Dan Horne
> 
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of R. Scott 
> Perry
> Sent: Friday, July 09, 2004 1:43 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Declude.JunkMail] Fw: New Multiple Threat Lookup Database test
> for Declude JunkMail
> 
> [Responding to two posts]
> 
> >So - if some dial-up/dynamic PC gets infected, that IP address will 
> >likely be assigned to someone else who happens to connect tomorrow?  
> >Is your test eliminating any "dial-up/dynamic" IPs, since by 
> >definition the infected/spam workstation will change IPs?
> 
> But, by definition, those IPs are guaranteed to be dynamic -- and
> therefore shouldn't be sending E-mail directly, without the assistance of an MTA.
> 
> >How do you account for businesses using Internet gateways, firewalls, 
> >NAT routers etc where one IP address could feasible represent a large 
> >number of different workstations?
> 
> If a business has infected computers, and the business allows those
> infected computers to send out viruses through the firewall on the same IP that 
> outgoing legitimate E-mail goes on, they have serious problems.  They
> would need to fix the problems, and request removal of their IP.
> 
> >Considering that most administrators will block ANY TCP/IP traffic from/to a
> >server and only open exactly those 2 or 3 ports that are needed for its
> >primary function, you can assume that trying to "ping" will not be
> >permitted - thus preventing install.
> 
> Not true -- a good admin will allow ICMP traffic through, *unless* 
> they believe it to be a specific security risk.
> 
> As a rule of thumb, when people ask me for assistance regarding 
> troubles reaching a computer and I can't ping it, I tell them that it 
> can't be pinged, and they have to take care of it from there.  If you 
> disable a vital networking tool, you need to accept the consequences.
> 
> On the other hand, I don't believe an install program should need to 
> use ICMP traffic, and I have passed this information on to the 
> developer of the install program.
> 
>                                                     -Scott
> ---
> Declude JunkMail: The advanced anti-spam solution for IMail 
> mailservers since 2000.
> Declude Virus: Ultra reliable virus detection and the leader in 
> mailserver vulnerability detection.
> Find out what you've been missing: Ask for a free 30-day evaluation.
> 
> ---
> [This E-mail was scanned for viruses by Declude Virus 
> (http://www.declude.com)]
> 
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
> "unsubscribe Declude.JunkMail".  The archives can be found at 
> http://www.mail-archive.com.
> 


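The split ICMP policy argued over in this thread (outbound allowed, inbound dropped except to DMZ hosts or from a known source, LAN only as needed) written out as an nftables ruleset. This is an added example, not a configuration posted by anyone in the thread; the interface names, the DMZ range 203.0.113.0/24 and the monitoring host 198.51.100.7 are constructed assumptions.

```nft
# Added example (not from the thread). Assumed topology:
#   eth0 = Internet, eth1 = DMZ (203.0.113.0/24), eth2 = LAN
#   198.51.100.7 = an external monitoring host allowed to ping one DMZ server
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful return traffic: echo-reply to a ping we sent out is tracked
        # by conntrack as "established", so outbound ping works even though
        # unsolicited inbound ICMP is dropped below (Dan's "block incoming,
        # allow outgoing").
        ct state established,related accept
        ct state invalid drop

        # Outbound ICMP from DMZ and LAN toward the Internet.
        iifname { "eth1", "eth2" } oifname "eth0" meta l4proto icmp accept

        # Inbound from the Internet: echo-request to DMZ servers only,
        # rate-limited so the DMZ cannot be used as a ping flood target.
        iifname "eth0" oifname "eth1" ip daddr 203.0.113.0/24 \
            icmp type echo-request limit rate 10/second accept

        # "To other servers by source": one named monitoring host may ping
        # one DMZ server with any ICMP type.
        iifname "eth0" ip saddr 198.51.100.7 ip daddr 203.0.113.10 \
            meta l4proto icmp accept

        # Error messages needed for TCP path-MTU discovery and traceroute
        # to keep working; dropping these is the usual cost of "disallow
        # ICMP globally".
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Everything else, including echo-request from the Internet to the LAN,
        # falls through to the chain's drop policy.
    }
}
```

Load with `nft -f <file>` and check hit counts with `nft list ruleset` after adding `counter` to the rules you want to watch.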
