[snip]
>ICMP is a rather pernicious protocol and there are
>tools out there <*cough* packetstorm *cough*> that let you do interesting
>things like tunnel telnet over ICMP...
[snip]


That's interesting. Only telnet or _any_ service?


>It _is_ possible to define rules to permit selective pinging for problem
>determination:
[snip]

Of course it is.

>There is no need to permit the entire suite of ICMP. IMHO, the point of a
>security policy is to only permit specific hosts/subnets to use specific
>services, and everything else should be dropped by default.

Personally, I prefer to reject by default... any attacker will know that
his packets are dropped anyway, and those who try to use a service they're
not allowed to need exactly that information. (Either to request permission
for that service or not to waste time by seeking any misconfiguration on
their machines.)


Kind regards
Ingo Heinscher
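The selective-ICMP policy argued over above, written out as an nftables ruleset; this is an added example, not something from the thread. It assumes a trusted management subnet of 192.0.2.0/24 and SSH as the one service exposed to it: only the ICMP error types hosts need are accepted, echo-request is allowed solely from the management subnet at a bounded rate, and the chain ends with an explicit reject, the alternative to the default-drop policy in the quoted post.

```nftables
# Added example ruleset (not from the thread). Assumptions: the trusted
# management subnet is 192.0.2.0/24 (documentation range) and the only
# service to expose to it is SSH on tcp/22.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP the stack needs for error reporting and path-MTU discovery;
        # echo-request is deliberately NOT part of this set.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert } accept

        # Selective ping for problem determination: management subnet only,
        # rate-limited, which also bounds how much data an ICMP tunnel could carry.
        ip saddr 192.0.2.0/24 icmp type echo-request limit rate 5/second accept
        ip saddr 192.0.2.0/24 tcp dport 22 accept

        # Default: tell the sender it is administratively prohibited
        # rather than dropping silently.
        reject with icmpx type admin-prohibited
    }
}
```

To get the quoted post's silent-drop behaviour instead, delete the final reject line; the chain policy then drops everything not accepted above.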

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
