Kurt Kayser <[email protected]> writes:

Kurt,

> you surely know that every enabled protocol/port is a potential threat.

<rant>
Yes. Many years ago we had a ping of death implemented in Windows
98(?). And then in some other IP implementations as well.  So ping is
evil!!1!!! Somebody could easily and with little overhead diagnose
problems or just do simple monitoring.

The additional overhead of using TCP is absolutely no problem for a
modern system! Even if more than half of the users set up a check in
their monitoring every minute or so.

Please disable ICMP(v6) everywhere! Nobody needs PMTUD, ping and
diagnostic messages! And disabling ICMPv6 makes IPv6 networks so much
more secure.

And we shouldn't stop there. Everybody who wants to access a service
should have a written contract to do so. Every connection should be
allowed with a packet filter *and* router ACLs. Also there should be
no direct connection to the service itself. Everything has to go through
a proxy! Because proxies know any protocol better than the service itself.
</rant>

Jens
-- 
----------------------------------------------------------------------------
| Delbrueckstr. 41    | 12051 Berlin, Germany           | +49-151-18721264 |
| http://blog.quux.de | jabber: [email protected]        | ---------------  | 
----------------------------------------------------------------------------
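The ICMPv6 point the rant is making, as an added nftables example that is not part of the original thread: the "disable ICMPv6 everywhere" policy shown as a commented-out drop rule beside a ruleset that keeps the message types IPv6 cannot operate without (neighbor discovery, Packet Too Big for PMTUD, the error types) while rate-limiting echo. The table name, loopback interface and the 10/second limit are assumptions.

```nft
# Added example (not from the original mail). Loaded with: nft -f <file>
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept

        # Weak setting ("disable ICMP(v6) everywhere"): this silently breaks
        # neighbor discovery, PMTUD and every diagnostic on the host.
        # meta l4proto { icmp, icmpv6 } drop

        # Corrected: ICMPv6 types that IPv6 itself depends on (RFC 4890).
        # Error messages: Packet Too Big is what PMTUD is built on.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept

        # Neighbor Discovery only ever travels one hop; a hop limit of 255
        # rejects forwarded (off-link) ND messages.
        icmpv6 type { nd-router-solicit, nd-router-advert,
                      nd-neighbor-solicit, nd-neighbor-advert } \
            ip6 hlim 255 accept

        # Ping stays usable for monitoring, but cannot flood the host
        # (the 10/second figure is an assumed value).
        icmpv6 type { echo-request, echo-reply } limit rate 10/second accept

        # Same idea for legacy IPv4 ICMP: errors and rate-limited echo.
        icmp type { destination-unreachable, time-exceeded,
                    parameter-problem } accept
        icmp type { echo-request, echo-reply } limit rate 10/second accept
    }
}
```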
