Dimitris,
I agree with your assessment that icmp can be used for all sorts of nasty
things.
The solution I usually implement is this: Allow only certain users/hosts to
use outbound ping and allow only the necessary icmp reply packets back in.
There's a FAQ at www.phoneboy.com on how to set this up exactly.
I think, since version 4.0, FW-1 is even able to do stateful inspection for
icmp?!
Cheers
Ralf G.
z+z+z+z+z++z++z+z+z+++z+z++z++z+++z+++z+++z++z+z+z+z++z
Ralf Guenthner, Senior IT Security Consultant
Zentric GmbH & Co. KG - IT Security & Groupware Solutions
Office Phone: +49-6101-556060
Fax: +49-6101-556065
mailto:[EMAIL PROTECTED]
http://www.zentric.com
+z+z+z+z+z++z++z+z+z+++z+z++z++z+++z+++z+++z++z+z+z+z++z