We allow pings to our internet servers. I consider this a minimal risk
since I don't know of any harm a ping packet can cause us.
Downside:
The firewall doesn't allow ping to any machines other than internet
servers, so it can't be used to map networks. ICMP packets can carry
information, but only to machines already compromised, so I don't consider
that an additional risk.
Upside:
If remote users/clients can ping our servers, they bother us less with
problems. For example, we have gotten complaints that a web server is not
functioning since they can't reach it with http or ping; the reality is
that their browser/router/something was misconfigured. It doesn't take
long to determine we have no problems, but it does take time to convince
the client we don't have a problem and I prefer to not hear about it at all.
hermit1
At 09:14 AM 5/23/00 -0700, Rui Pereira wrote:
>The Tribe Flood Network (TFN) DDOS tool uses ICMP echo reply packets to
>send instructions between TFN masters and daemons. I seem to recall an
>article on Phrack describing a tool called LOKI(?) which tunnelled non-ICMP
>traffic over ICMP. I would not allow pings into my DMZ from the Internet.
>
>Just my 2c worth.
>
>Regards
>Rui Pereira
>WaveFront Consulting Group
>>----- Original Message -----
>>From: Murray, Mike L. <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED].checkpoint.com
>>Sent: Tuesday, May 23, 2000 7:46 AM
>>Subject: RE: [FW1] Allow pinging or not?
>>
>>
>>I'm not sure I see it like that. Ping is not exactly harmful, unless
>>you're on an older service pack of NT where the "ping of death" could get
>>you. I allow ping into my DMZ, but not into my internal network. It's
>>far more useful as a troubleshooting tool.
>>
>>Mike Murray
>>Network Administrator
>>Pier 1 imports
>>[EMAIL PROTECTED]
>>817-252-8963
>>
>> -----Original Message-----
>>From: Robert MacDonald
>>[mailto:[EMAIL PROTECTED]]
>>Sent: Tuesday, May 23, 2000 9:12 AM
>>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>>Subject: Re: [FW1] Allow pinging or not?
>>
>>No. If they feel they are having troubles, I would have them contact you -
>>AFTER they have verified that their systems and net access are OK. They
>>should be able to conclude that it's at your end, just by verifying that
>>all of their systems and net access is OK all the way to you.
>>
>>If your systems are having trouble, then your local management systems
>>should notify you, not your business partner. You want to run only what
>>you must and no more. Don't allow services or protocols thru, just so
>>your business partner can manage your systems as if they were theirs.
>>
>>Best of luck!
>>Robert
>>
>>- -
>>Robert P. MacDonald, Network Engineer
>>G o r d o n F o o d S e r v i c e
>>Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>
>> >>> "Ralf Günthner" <[EMAIL PROTECTED]> 5/23/00 9:29:57 AM >>>
>> >
>> >We have a certain e-business server in a DMZ. Until now, I dropped any
>> >ping packets directed at this system's public address from the outside world.
>> >
>> >Now customer service wants me to allow echo request packets to reach
>> >the public address, so customers who have access problems can verify
>> >the reachability of our server.
>> >
>> >Should I allow this or not? I'm afraid of opening up routes for
>> >exploits, not to mention tools like nmap asf.
>> >
>> >Any opinions very much welcome
>> >
>> >Ralf G.
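An added example, written for this page and not part of the thread or any poster's message: a small Python checker that applies the policy hermit1 describes (inbound echo requests accepted only for the internet-facing servers, never for other hosts) and also flags the two ICMP patterns Rui Pereira raises: an echo reply that answers no request we sent, which is how TFN carried its instructions, and an echo payload of a size that ordinary ping clients do not produce, the kind of residue an ICMP tunnel leaves in a capture. It parses raw ICMP, verifies the RFC 792 checksum, and walks a time-ordered list of flows. The addresses are from documentation ranges, the traffic is constructed inline, and `DMZ_HOSTS`, the payload-size set and the `(direction, src, dst, packet)` event format are assumptions of the example, not anything from Check Point or the list.

```python
import struct

# Assumption: the public address of the DMZ server the thread talks about (RFC 5737 range).
DMZ_HOSTS = {"192.0.2.10"}

# Assumption: the echo data sizes common ping clients send (56 bytes on Unix, 32 on Windows).
COMMON_ECHO_PAYLOAD_SIZES = {32, 56}

ECHO_REPLY, ECHO_REQUEST = 0, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum over ICMP header + payload (pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an echo request/reply with a valid checksum; used only to construct sample traffic."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Parse the 8-byte ICMP header; checksum over the whole packet is 0 when it is intact."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than the 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": icmp_checksum(packet) == 0}


def audit_icmp_flow(events):
    """events: time-ordered (direction, src, dst, packet) tuples, direction 'in' or 'out'.
    Returns [(event_index, finding)], one entry per policy or anomaly hit."""
    outstanding = set()  # (our_host, remote_host, id, seq) of echo requests we sent
    findings = []
    for i, (direction, src, dst, pkt) in enumerate(events):
        p = parse_icmp(pkt)
        if not p["checksum_ok"]:
            findings.append((i, "bad-checksum"))
            continue
        if p["type"] == ECHO_REQUEST:
            if direction == "out":
                outstanding.add((src, dst, p["id"], p["seq"]))
            elif dst not in DMZ_HOSTS:
                # hermit1's rule: only the internet servers are pingable, so this is a policy hit
                findings.append((i, "echo-request-to-non-dmz-host"))
        elif p["type"] == ECHO_REPLY and direction == "in":
            key = (dst, src, p["id"], p["seq"])
            if key in outstanding:
                outstanding.discard(key)
            else:
                # a reply nobody asked for: the pattern Rui describes for TFN master/daemon traffic
                findings.append((i, "unsolicited-echo-reply"))
        if p["type"] in (ECHO_REPLY, ECHO_REQUEST) and len(p["payload"]) not in COMMON_ECHO_PAYLOAD_SIZES:
            findings.append((i, "unusual-payload-size:%d" % len(p["payload"])))
    return findings


def sample_events():
    """Constructed sample traffic, not a real capture."""
    std = bytes(range(0x10, 0x10 + 56))  # 56-byte body in the style of a Unix ping
    return [
        ("in", "198.51.100.7", "192.0.2.10", build_icmp_echo(ECHO_REQUEST, 0x1234, 1, std)),  # customer pings the DMZ server
        ("out", "192.0.2.10", "198.51.100.7", build_icmp_echo(ECHO_REPLY, 0x1234, 1, std)),   # our reply
        ("out", "192.0.2.10", "198.51.100.9", build_icmp_echo(ECHO_REQUEST, 0x4242, 7, std)),  # we ping out
        ("in", "198.51.100.9", "192.0.2.10", build_icmp_echo(ECHO_REPLY, 0x4242, 7, std)),    # matching reply
        ("in", "198.51.100.7", "192.0.2.20", build_icmp_echo(ECHO_REQUEST, 0x1234, 2, std)),  # ping at an internal host
        ("in", "203.0.113.5", "192.0.2.10", build_icmp_echo(ECHO_REPLY, 0x0001, 1, b"cmd" * 40)),  # unsolicited, 120-byte body
    ]


if __name__ == "__main__":
    for idx, finding in audit_icmp_flow(sample_events()):
        print(idx, finding)
```

The request/reply pairing is the same state a stateful firewall keeps when it lets echo replies back in only as the return half of an outbound request; keeping it in a log-side checker means an unsolicited reply that slips past a permissive rule still shows up in review, and the payload-size check is deliberately coarse so that a client with an unusual but legitimate ping size produces a note to look at, not a block.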