Personally, I can think of all sorts of reasons why ICMP should *NOT* be
allowed through the firewall.
The whole point of having a firewall is to protect your internal network.
Permitting anyone on the internet to ping your internal network sort of
defeats the purpose. ICMP is a rather pernicious protocol and there are
tools out there <*cough* packetstorm *cough*> that let you do interesting
things like tunnel telnet over ICMP... So why make it any easier for
someone to compromise the network you are supposed to protect?
It _is_ possible to define rules to permit selective pinging for problem
determination:
Source:                  Destination:             Service:      Action:
fw_internal_interface    internal_network         icmp_proto    Accept
internal_network         fw_internal_interface    echo_reply    Accept
The first rule permits the firewall to send ping packets through the secure
network interface to the subnets that define the secure network, and the
second rule permits the firewall to accept the echo reply packets back from
the secure network.
There is no need to permit the entire suite of ICMP. IMHO, the point of a
security policy is to only permit specific hosts/subnets to use specific
services, and everything else should be dropped by default.
Bob Webber
AT&T Global Network Services
Tel: (905) 762-7433
Fax: (905) 762-7497
Notes: Bob Webber/Markham/IBM@IBMCA
Internet: [EMAIL PROTECTED]
"Logic merely enables one to be wrong with authority" - Doctor Who
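The two rules above, plus the default drop the post describes, modelled as an added example (my code, written for this page; it is not from the thread and not FireWall-1 syntax): a first-match rule-base evaluator, followed by a stateful variant that admits an echo reply only if it answers an echo request the firewall itself sent. The object names follow the post; the addresses, the echo identifier field and the StatefulIcmp class are assumptions for illustration.

```python
# Added example, not from the mailing-list thread. Models the two-rule
# ICMP policy from the post with first-match semantics and an implicit
# "drop everything else", then shows why a stateless echo_reply rule is
# weaker than tracking outstanding echo requests.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Network objects (addresses are assumed for illustration).
OBJECTS = {
    "fw_internal_interface": ip_network("10.0.0.1/32"),
    "internal_network": ip_network("10.0.0.0/8"),
}

# ICMP service objects: a set of ICMP types, or None for the whole protocol.
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
SERVICES = {
    "icmp_proto": None,
    "echo_request": {ICMP_ECHO_REQUEST},
    "echo_reply": {ICMP_ECHO_REPLY},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    icmp_type: int
    ident: int = 0  # echo identifier; assumed field used for state matching


# The rule base from the post, in order. Unmatched traffic is dropped.
RULES = [
    ("fw_internal_interface", "internal_network", "icmp_proto", "accept"),
    ("internal_network", "fw_internal_interface", "echo_reply", "accept"),
]


def evaluate(pkt, rules=RULES):
    """Stateless first-match evaluation with a default drop."""
    src_ip, dst_ip = ip_address(pkt.src), ip_address(pkt.dst)
    for src, dst, svc, action in rules:
        types = SERVICES[svc]
        if (src_ip in OBJECTS[src] and dst_ip in OBJECTS[dst]
                and (types is None or pkt.icmp_type in types)):
            return action
    return "drop"


class StatefulIcmp:
    """Same rule base, but an echo reply is accepted only if it answers an
    echo request that was previously accepted (reversed address pair and
    matching identifier). Each pending request is consumed by one reply."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.pending = set()

    def evaluate(self, pkt):
        action = evaluate(pkt, self.rules)
        if action != "accept":
            return action
        if pkt.icmp_type == ICMP_ECHO_REQUEST:
            self.pending.add((pkt.dst, pkt.src, pkt.ident))
            return "accept"
        if pkt.icmp_type == ICMP_ECHO_REPLY:
            key = (pkt.src, pkt.dst, pkt.ident)
            if key in self.pending:
                self.pending.discard(key)
                return "accept"
            return "drop"  # unsolicited reply: nothing asked for it
        return "accept"


if __name__ == "__main__":
    fw, host, outside = "10.0.0.1", "10.1.2.3", "198.51.100.7"
    print("fw pings host     :", evaluate(Packet(fw, host, ICMP_ECHO_REQUEST, 42)))
    print("host replies      :", evaluate(Packet(host, fw, ICMP_ECHO_REPLY, 42)))
    print("outside pings host:", evaluate(Packet(outside, host, ICMP_ECHO_REQUEST)))
    print("unsolicited reply, stateless:", evaluate(Packet(host, fw, ICMP_ECHO_REPLY, 999)))
    s = StatefulIcmp()
    s.evaluate(Packet(fw, host, ICMP_ECHO_REQUEST, 42))
    print("unsolicited reply, stateful :", s.evaluate(Packet(host, fw, ICMP_ECHO_REPLY, 999)))
```

The stateless second rule accepts any echo_reply from internal_network to the firewall interface whether or not the firewall asked for it, and an unsolicited echo reply is exactly the kind of packet an ICMP tunnel rides on; tracking outstanding requests closes that gap while still allowing the firewall's own diagnostic pings.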
"Ingo Heinscher" <[EMAIL PROTECTED]>@lists.us.checkpoint.com on
07/05/2001 06:18:10 AM
Please respond to "Ingo Heinscher" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Antwort: [FW1] OT - newbie question about PING
Well, that depends on your security policy.
Personally, I cannot see any reason to disallow ICMP traffic through
the Firewall. Some people prefer to do this in order to make spying out the
target network harder, but then again, it also blocks the local admin from
"spying out" the network in case of any problems...
Ingo Heinscher
Would someone please explain the reasoning to not allow PING through the
Firewall to our internal networks? I'm having a problem justifying to the
mainframe systems group why I will not globally enable PING.
Your thoughts would be appreciated.
JEH
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
Re: Antwort: [FW1] OT - newbie question about PING
Bob Webber/Markham/Contr/AT&T/IJV Fri, 06 Jul 2001 04:06:27 -0700
