On Sun, 17 Dec 2006 20:03:08 -0800, Dag Richards wrote
> Jason Dixon wrote:
> > On Dec 17, 2006, at 6:28 PM, Dag Richards wrote:
> > 
> >> Jason Dixon wrote:
> >>
> >>> Your security staff is clueless.  I bet they like to block icmp
> >>> echo-request too.
> >>
> >>
> >> Erm, I don't think I am clueless, often a sign of cluelessness I
> >> am sure ... However.  I block inbound icmp, well actually inbound
> >> anything not shown to be required for specific 'services'.
> >>
> >> What about this is cluelez?  I ask in a tone not of belligerence, but
> >> a desire to be informed by my betters.
> > 
> > 
> > Why would you block icmp echo-request?  What does that gain you in  
> > terms of security?
> > 
> > -- 
> > Jason Dixon
> > DixonGroup Consulting
> > http://www.dixongroup.net
> > 
> I block all inbound traffic to my networks not required for operations.
> 
> I have a dns server I allow inbound udp / tcp 53; if it's not running
> other services, that's all I allow.  I run rules on the dns server
> that block it from making outbound connections except to 53 on
> servers off my network, and ntp to the time servers.
> 
> Why would I let icmp in? I have telnet turned off on all the servers,
> but I still block port 23, or actually fail to open it.
> 
> Tools can be written to use icmp as a transport, obviously anything 
> can be used as a transport which is why we only allow traffic 
> inbound to servers with services running we want public.  Why should 
> I allow someone to ping my dns server?
> 
> If you need to see if the server is up telnet to port 53, a 
> traceroute will die at the hop above the firewall, I know which ip 
> that is. I don't care/need others to do so.

Blocking icmp violates RFC rules which means in a nutshell weird things will
happen on your network.  i.e. icmp helps negotiate traffic throughput when two
nodes are communicating over networks with various amounts of bandwidth.  If
you have firewall rules that allowed udp/tcp 53 and icmp to your dns server,
you would not violate RFC rules.  For someone to transport traffic through
icmp with these rules means that they would have to root your dns server.  At
that point, icmp isn't your problem.  Let me restate by saying if anyone on
your network tries to send traffic out via icmp, icmp isn't the problem, it's
the security of that computer that's the problem.  Oh and if you're trying to
prevent your users from sending out confidential information to an external
source, let's face it, that's almost impossible.  Such a user can use http or
better yet https as a transport as well or a floppy, usb hard drive, usb thumb
drive, and email (especially with an encrypted attachment so that your filter
can see what it is).  Hell they can print it out and carry it in their
briefcase if they wanted.
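The "weird things" the reply alludes to are mostly Path MTU Discovery failures, so here is a small toy model of that mechanism, added as an illustration and not taken from the thread or from any poster. It compares the two rulesets under discussion (drop all inbound ICMP versus allow udp/tcp 53 plus the ICMP types the RFCs rely on); the hop MTU values and packet sizes are constructed.

```python
# Toy model of Path MTU Discovery (RFC 1191). A host sends DF-marked packets;
# the router whose next link is too small drops them and returns ICMP type 3
# code 4 (destination unreachable / fragmentation needed) carrying the next-hop
# MTU, and the host shrinks its packets. If the firewall in front of the host
# blocks that ICMP message the host never learns the path MTU: small packets
# (a DNS query) still pass while larger ones vanish silently, a "PMTU black hole".

FRAG_NEEDED = (3, 4)    # ICMP type 3, code 4
TIME_EXCEEDED = (11, 0) # needed for traceroute and TTL expiry reporting
ECHO_REQUEST = (8, 0)   # ping; optional, but harmless to a patched host

# Constructed path: sender link, two transit links, receiver link (bytes).
SAMPLE_PATH_MTUS = [1500, 1500, 1280, 1500]


def block_all_icmp(icmp_type_code):
    """Ruleset from the quoted post: no inbound ICMP at all."""
    return False


def allow_required_icmp(icmp_type_code):
    """Ruleset the reply argues for: DNS plus the ICMP the RFCs depend on."""
    return icmp_type_code in {FRAG_NEEDED, TIME_EXCEEDED, ECHO_REQUEST}


def send_with_pmtud(path_mtus, packet_size, icmp_filter, max_tries=8):
    """Try to deliver one DF packet of packet_size bytes along path_mtus.

    Returns (delivered, final_size, attempts). The sender shrinks its packet
    only when the router's fragmentation-needed message passes icmp_filter.
    """
    size = min(packet_size, path_mtus[0])  # capped by the sender's own link
    for attempt in range(1, max_tries + 1):
        # Walk the hops; the first link smaller than the packet drops it.
        bottleneck = next((mtu for mtu in path_mtus if mtu < size), None)
        if bottleneck is None:
            return True, size, attempt
        if icmp_filter(FRAG_NEEDED):
            size = bottleneck  # adopt the next-hop MTU the router reported
        # else: black hole, the retransmit is the same size and is dropped again
    return False, size, max_tries


if __name__ == "__main__":
    for name, flt in (("block all icmp", block_all_icmp),
                      ("allow required icmp", allow_required_icmp)):
        print(name, "DNS query:", send_with_pmtud(SAMPLE_PATH_MTUS, 512, flt),
              "full-size segment:", send_with_pmtud(SAMPLE_PATH_MTUS, 1500, flt))
```

With every ICMP type dropped the 512-byte query is delivered on the first try while the 1500-byte segment is never delivered, which is exactly the "DNS works but big transfers hang" symptom.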
