Jaime,
In the current release (and, I believe, in all previous releases of FireWall-1), ICMP
packets are inspected on an instance-by-instance basis. So simply having a rule in
that says "internal any icmp-proto accept" will not allow responses to those
same pings. My Check Point rep has informed me that a new release will allow for
'intelligent/stateful' handling of ping requests as well.
I am most likely not as up to date as some of the ISS or intrusion specialists here,
but I have never heard of 'smuggling' over icmp, but icmp does give attackers a
clear and easy way to see what devices you have to start probing for an attack.
Also remember that CheckPoint is only allowing a subset of ICMP packet types (I
believe ICMP type 8 (echo request) and type 0 (echo response)).
Cheers,
CryptoTech
"Fontelera, Jaime C." wrote:
> I'm currently blocking both incoming/outgoing ICMP packets from our network.
> I have a net admin who wants pinging and traceroute packets enabled going
> out. But I'm kind of hesitant at this point because of the security issues.
>
> I've read in a book somewhere that ICMP packets can be exploited by an
> attacker to smuggle data through a site whose firewall ONLY allows outbound
> echo requests by sending echo responses even when they haven't seen a
> request. It is a way for the attacker to maintain connections to a
> compromised site.
>
> What's your opinion on this?
>
> Thanks.
> Jaime
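The distinction CryptoTech draws above, per-packet acceptance of ICMP versus stateful handling of echo requests, is easy to see in a small model. The following Python is an added example written for this thread; it is not FireWall-1 code and does not reproduce any Check Point behaviour beyond what the messages describe. It assumes a simplified packet record (source, destination, ICMP type, identifier, sequence number, direction, timestamp) and a hypothetical 10-second reply window; the sample traffic is constructed. The stateless policy mirrors a rule like "internal any icmp accept" and passes every echo reply, including the unsolicited ones Jaime's book warns about. The stateful policy records each outbound echo request and admits an inbound reply only when it matches a request seen within the window, logging the rest so they can be reviewed.

```python
"""Stateless vs. stateful filtering of ICMP echo traffic (worked example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ECHO_REPLY = 0
ECHO_REQUEST = 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int       # ICMP identifier field (ping sets this per process)
    seq: int         # ICMP sequence number, incremented per probe
    direction: str   # "out" = internal -> external, "in" = external -> internal
    ts: float        # arrival time in seconds (constructed clock)


class StatelessIcmpPolicy:
    """Models a rule such as 'internal any icmp accept' evaluated per packet.

    Any echo request or echo reply is accepted regardless of whether a matching
    request was ever sent, which is what lets unsolicited replies through."""

    def decide(self, pkt: IcmpPacket) -> str:
        if pkt.icmp_type in (ECHO_REQUEST, ECHO_REPLY):
            return "accept"
        return "drop"


class StatefulIcmpPolicy:
    """Admits an inbound echo reply only if it answers a recent outbound request."""

    def __init__(self, timeout: float = 10.0):  # hypothetical reply window
        self.timeout = timeout
        # (internal host, external host, ident, seq) -> time the request left
        self.pending: Dict[Tuple[str, str, int, int], float] = {}
        self.log: List[str] = []  # dropped replies, for the analyst to review

    def _expire(self, now: float) -> None:
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]

    def decide(self, pkt: IcmpPacket) -> str:
        self._expire(pkt.ts)
        if pkt.direction == "out" and pkt.icmp_type == ECHO_REQUEST:
            # Remember the probe so exactly one matching reply can come back.
            self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = pkt.ts
            return "accept"
        if pkt.direction == "in" and pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                del self.pending[key]  # consume the state: one reply per request
                return "accept"
            self.log.append(
                f"unsolicited echo reply {pkt.src}->{pkt.dst} "
                f"id=0x{pkt.ident:04x} seq={pkt.seq} at t={pkt.ts}: dropped"
            )
            return "drop"
        # Other types and directions are outside the scope of this example.
        return "drop"


def run_trace(policy, packets: List[IcmpPacket]) -> List[str]:
    """Apply a policy to a packet list in order and return the verdicts."""
    return [policy.decide(p) for p in packets]


# Constructed sample traffic: one legitimate ping exchange, two replies that
# answer no request, and one reply that arrives long after its request.
SAMPLE = [
    IcmpPacket("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 1, "out", 0.0),
    IcmpPacket("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1, "in", 0.02),
    IcmpPacket("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 2, "in", 0.05),
    IcmpPacket("203.0.113.9", "10.0.0.5", ECHO_REPLY, 0x0042, 7, "in", 1.0),
    IcmpPacket("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 3, "out", 2.0),
    IcmpPacket("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 3, "in", 20.0),
]

if __name__ == "__main__":
    print("stateless:", run_trace(StatelessIcmpPolicy(), SAMPLE))
    stateful = StatefulIcmpPolicy()
    print("stateful: ", run_trace(stateful, SAMPLE))
    for line in stateful.log:
        print("  ", line)
```

Running the script shows the stateless policy accepting all six packets, while the stateful policy accepts only the two requests and the one reply that matches a live request, dropping and logging the other three. Matching on the identifier and sequence number, and consuming the state on the first matching reply, is what closes the gap Jaime describes; a firewall that tracks only "an echo request was sent to this host" would still pass a stream of replies against a single request.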