I can't say I agree with you. The reason is simple. If you allow ICMP
traffic you are making your FW-1 box (even if it has NT, Solaris, whatever
OS is installed) vulnerable to exploits based on bad TCP/UDP packets sent
with ping, DoS attacks based on pinging you with extremely big packets, etc.,
etc. (unless of course you have configured your router not to accept big
packets). In my opinion you should have ping disabled and enable it only for
a few seconds just to do the tests you mention. In most cases, I think,
and I may be wrong, attacks start by port scanning you, TCP pinging you,
UDP pinging you, etc., etc. Not only that, but also an experienced attacker
could/should/would/must try to spoof you when he finds out you permit ICMP
traffic. Thus, in my opinion, and I may be wrong, you MUST DENY ICMP
traffic. After all, the thing you are trying to do here is PERMIT THE
ABSOLUTELY NECESSARY SERVICES TO RUN, rather than allowing everything and
then start "cutting down" services. I think you should create a rule
permitting your workstation to accept and send ICMP traffic to the mainframe
and that's it, nothing more. Do a search at http://astalavista.box.sk using
the word ICMP and find out yourself how many exploits and "BAD" programs
exist that can "F--K" up a system accepting ICMP. You should not let anyone
gather information on your external, or worse, internal network. Hope I
helped you out.
P.S. I apologise for my bad English
Kind Regards,
Dimitris Chontzopoulos
IS Administrator
Megatrust Securities S.A.
4, Kapsali Str.
Athens, Greece
Telephone : +3 01 7262403
Fax : +3 01 7262095
e-mail : [EMAIL PROTECTED]
IT Help Desk Support : +3 01 7262400
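As an added illustration of the rule the reply above recommends (this is not code from the post and not FW-1 rule syntax), here is a small Python model of a first-match rule base that permits ICMP echo only between the admin workstation and the mainframe, drops oversized ICMP before any allow rule, and drops everything else by default. The addresses, the 1500-byte ceiling and the sample packets are constructed for the example.

```python
from dataclasses import dataclass

# Constructed addresses and size ceiling for this example (not from the post).
WORKSTATION = "10.1.1.5"   # admin workstation
MAINFRAME = "10.2.2.10"    # mainframe
MAX_ICMP_BYTES = 1500      # larger ICMP datagrams are dropped outright
ECHO_REQUEST, ECHO_REPLY = 8, 0

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    length: int           # total IP datagram length in bytes
    icmp_type: int = -1   # only meaningful when proto == "icmp"

def is_icmp(p: Packet, icmp_type: int = -1) -> bool:
    """True for ICMP packets, optionally restricted to one ICMP type."""
    return p.proto == "icmp" and (icmp_type < 0 or p.icmp_type == icmp_type)

# Rule base as (predicate, action) pairs, evaluated top-down; the first match
# wins and anything unmatched hits the implicit cleanup rule in decide().
RULEBASE = [
    # 1. oversized ICMP (big-packet DoS) is dropped before any allow rule
    (lambda p: is_icmp(p) and p.length > MAX_ICMP_BYTES, "drop"),
    # 2. echo request from the admin workstation to the mainframe only
    (lambda p: is_icmp(p, ECHO_REQUEST) and p.src == WORKSTATION
               and p.dst == MAINFRAME, "accept"),
    # 3. the matching echo reply on the way back
    (lambda p: is_icmp(p, ECHO_REPLY) and p.src == MAINFRAME
               and p.dst == WORKSTATION, "accept"),
    # 4. all other ICMP: no network mapping from anywhere else
    (lambda p: is_icmp(p), "drop"),
]

def decide(p: Packet) -> str:
    """Return 'accept' or 'drop' for one packet under first-match semantics."""
    for matches, action in RULEBASE:
        if matches(p):
            return action
    return "drop"   # implicit cleanup rule: nothing is allowed by default

SAMPLE = [  # constructed sample traffic
    Packet(WORKSTATION, MAINFRAME, "icmp", 84, ECHO_REQUEST),     # admin ping
    Packet(MAINFRAME, WORKSTATION, "icmp", 84, ECHO_REPLY),       # its reply
    Packet("203.0.113.7", MAINFRAME, "icmp", 84, ECHO_REQUEST),   # outsider ping
    Packet(WORKSTATION, MAINFRAME, "icmp", 65535, ECHO_REQUEST),  # oversized
    Packet("203.0.113.7", MAINFRAME, "tcp", 60),                  # unmatched
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.src:>12} -> {p.dst:<11} {p.proto:<4} {p.length:>5}B  {decide(p)}")
```

Rule order matters: moving rule 1 below the allow rules would let an oversized echo request from the workstation through, which is exactly the kind of ordering mistake a first-match rule base punishes.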
-----Original Message-----
From: Ingo Heinscher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 1:18 PM
To: [EMAIL PROTECTED]
Subject: Antwort: [FW1] OT - newbie question about PING
Well, that depends on your security policy.
Personally, I cannot see any reason to disallow ICMP traffic through the
Firewall. Some people prefer to do this in order to make spying out the
target network harder, but then again, it also blocks the local Admin from
"spying out" the network in case of any problems...
Ingo Heinscher
Would someone please explain the reasoning to not allow PING through the
Firewall to our internal networks? I'm having a problem justifying to the
mainframe systems group why I will not globally enable PING.
Your thoughts would be appreciated.
JEH
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================