Dag Richards wrote:

>> Such a user can use http or better yet https as a transport as well
>> or a floppy, usb hard drive, usb thumb drive, and email (especially
>> with an encrypted attachment so that your filter can see what it is).
>> Hell they can print it out and carry it in their briefcase if they
>> wanted.
> 
> That's what I do ;)
> 

Dang, I just take the whole server.  Don't even have to reload the data
that way.

By the way, the only little quibble I've had with this discussion is
that some of the responses have been remarkably imprecise in the
distinction between "icmp" and "icmp echo-requests."  I find that such
imprecision causes no end of trouble when specifying security policies.
I, for example, am not the biggest fan of random people sending me icmp
redirects, but don't block many other icmp packets.

I'll also point out that opinions differ.  For example, the official
recommendation of the U.S. NIST (National Institute of Standards and
Technology) is:

"block incoming echo request (ping and Windows traceroute)

block outgoing echo replies, time exceeded, and destination unreachable
messages except "packet too big" messages (type 3, code 4).
This item assumes that you are willing to forego the legitimate uses of
ICMP echo request to block some known malicious uses."

(Special Publication 800-41, p. 61.)

I suppose it all comes down to such unresolvable matters as "is
making it harder for outsiders to map your network merely security
through obscurity, which is naturally below the dignity of any right
thinking network engineer, or does it have value in today's Internet?"

:-)

--Jon Radel

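The point about being precise per ICMP type and code, as an added example that is not part of the original message or the NIST publication: the rule table below encodes the SP 800-41 recommendation quoted above (drop inbound echo request; drop outbound echo reply, time exceeded and destination unreachable, except type 3 code 4), plus one assumed extra rule standing in for the author's stated dislike of inbound redirects. The ICMP messages it is evaluated against are constructed inline, and the checksum check is there so a malformed message never reaches the policy at all.

```python
"""ICMPv4 filtering policy keyed on type AND code, not on "icmp" as a whole.

Added illustration, not code from the list thread or from NIST.
Sample messages are constructed locally; nothing is sent on the wire.
"""
import struct
from typing import NamedTuple

# ICMPv4 message types (RFC 792)
ECHO_REPLY, DEST_UNREACHABLE, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4  # code of "packet too big" under type 3


class IcmpHeader(NamedTuple):
    type: int
    code: int
    checksum_ok: bool


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over an entire ICMP message (header + body)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int, body: bytes = b"\x00" * 4) -> bytes:
    """Constructed sample message: type, code, checksum, 4-byte rest-of-header, body."""
    unchecked = struct.pack("!BBHI", msg_type, code, 0, 0) + body
    csum = ones_complement_sum(unchecked)
    return struct.pack("!BBHI", msg_type, code, csum, 0) + body


def parse_icmp(payload: bytes) -> IcmpHeader:
    """Extract type/code and verify the checksum of a raw ICMP message."""
    if len(payload) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    # A message with a correct checksum sums to all-ones, so the
    # complemented sum over the whole message is zero.
    return IcmpHeader(payload[0], payload[1], ones_complement_sum(payload) == 0)


# (direction, type, code or None for any code, verdict); first match wins.
# "in" = arriving from outside, "out" = leaving the protected network.
RULES = [
    ("in",  ECHO_REQUEST,     None,        "drop"),    # SP 800-41: ping / Windows tracert
    ("out", ECHO_REPLY,       None,        "drop"),    # SP 800-41
    ("out", TIME_EXCEEDED,    None,        "drop"),    # SP 800-41
    ("out", DEST_UNREACHABLE, FRAG_NEEDED, "accept"),  # SP 800-41 exception: keep PMTUD alive
    ("out", DEST_UNREACHABLE, None,        "drop"),    # SP 800-41
    ("in",  REDIRECT,         None,        "drop"),    # assumed extra rule, not from NIST
]


def verdict(direction: str, payload: bytes) -> str:
    """Return 'drop' or 'accept' for one ICMP message in the given direction."""
    hdr = parse_icmp(payload)
    if not hdr.checksum_ok:
        return "drop"  # malformed: never let it reach a policy decision
    for rule_dir, rule_type, rule_code, action in RULES:
        if rule_dir == direction and rule_type == hdr.type and rule_code in (None, hdr.code):
            return action
    # Anything not named passes, e.g. inbound time exceeded so outbound
    # traceroute keeps working; a blanket "block icmp" would lose that.
    return "accept"


if __name__ == "__main__":
    samples = [
        ("in",  build_icmp(ECHO_REQUEST, 0)),
        ("in",  build_icmp(TIME_EXCEEDED, 0)),
        ("out", build_icmp(DEST_UNREACHABLE, FRAG_NEEDED)),
        ("out", build_icmp(DEST_UNREACHABLE, 1)),
        ("in",  build_icmp(REDIRECT, 1)),
    ]
    for direction, pkt in samples:
        h = parse_icmp(pkt)
        print(f"{direction:3} type={h.type:2} code={h.code}: {verdict(direction, pkt)}")
```

The table is ordered so the type 3 code 4 exception sits before the catch-all type 3 drop; swapping those two lines silently breaks path MTU discovery, which is exactly the kind of mistake a policy written as "block icmp" hides.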
