RE: [FW1] Blocking ICMP

[Carl E. Mankinen]

1) regardless of ANY configuration you have....if you only have a single T1 for your internet connection and someone sends 50megabits/sec of data to ANY address on your subnet, your entire internet connection will be DoS'd...a firewall will NOT help you.   2) If someone gleans some information about your internal network and should decide to target a particular host in your network they can spoof the RFC1918 address of the internal victim and use that as the source address in a packet sent to host that you have made public. This is one reason why you need to have anti-spoofing configured properly and why you need to not allow bastions to talk to your internal network...and also a reason why you should use a SMTP security server and slap new headers on all your email traffic since the internal relays have likely put their RFC1918 addresses in the headers.   Stuff like: Received: from guru (dialup-63.214.70.156.Dial1.Boston1.Level3.net [63.214.70.156]) Only you are using a dialup connection and if you were sending from office exchange server you would likely see it's address in the headers had you not cleaned them up... -----Original Message----- From: Juan Concepcion [mailto:[EMAIL PROTECTED]] Sent: Monday, June 11, 2001 7:50 PM To: Carl E. Mankinen; [EMAIL PROTECTED] Subject: RE: [FW1] Blocking ICMP Carl,       I must be losing you somewhere.  Please explain to me how someone would be able to flood any address on your internal network if you are using illegal ip addresses.  From my experiences when we, sitting on the outside network, even try to hit and RFC address a router somewhere along the way sends back a reply message stating that the network is unreachable.  If you're running a network with all routable IP's that can be reached from the outside world then I can understand your point, but if that is the case is this not the reason why you put a firewall between yourself and the outside world.  A properly configured firewall, while not able to provide 100% protection but used in conjunction with the assistance of one or another intrusion detection device, should be able to provide against such attacks.  With these two in place a service connect scan would give you open ports the firewall is listening for on behalf of the internal machines, and once again I say a properly configured FW can help prevent from people being able to exploit these.        A security policy will only give you ample protection from the people you've kept in mind while configuring it, but of course this is something that we all, as the security minded professionals that we are, always keep in mind, right.   Juan Concepcion Network Engineer/Security Consultant CCSA/CCSE E-Mail: [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Carl E. Mankinen Sent: Monday, June 11, 2001 8:40 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [FW1] Blocking ICMP If it's just a DDoS, they can flood a single address (in use or not) on your subnet and have the affect of killing your entire subnet if you can't handle the traffic load.   There are other ways of scanning/finding hosts than just using ICMP.   1) you can just do a service connect scan.   2) you can dig into their DNS zone and see what you can find. Often people will use a naming scheme which you can infer other hostnames from. etc. Sometimes they might just return ALL records... -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Juan Concepcion Sent: Saturday, June 09, 2001 9:10 PM To: Tony Wong; [EMAIL PROTECTED] Subject: RE: [FW1] Blocking ICMP People can't attack what they can't see/detect.   Juan Concepcion Network Engineer/Security Consultant CCSA/CCSE E-Mail: [EMAIL PROTECTED] -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tony Wong Sent: Friday, June 08, 2001 11:55 AM To: [EMAIL PROTECTED] Subject: [FW1] Blocking ICMP How does blocking ICMP make my firewall more secure?