> smith wrote:
> Blocking icmp violates RFC rules which means in a nutshell weird things will
> happen on your network.
Buda says:
"Amen... obey RFC 1122."
RFC compliance is almost always a good reason to do something.
So I have learned something I apparently should already have known.
> i.e. icmp helps negotiate traffic throughput when two
> nodes are communicating over networks with various amounts of bandwidth. If
> you have firewall rules that allow udp/tcp 53 and icmp to your dns server,
> you would not violate RFC rules. For someone to transport traffic through
> icmp with these rules means that they would have to root your dns server. At
> that point, icmp isn't your problem. Let me restate by saying if anyone on
> your network tries to send traffic out via icmp, icmp isn't the problem, it's
> the security of that computer that's the problem.
We let users send out pretty much any traffic they want from their
network, this "debate" was for me about what to allow _in_ to the dmz.
> Oh and if you're trying to
> prevent your users from sending out confidential information to an external
> source, let's face it, that's almost impossible.
Yup, too true. Not trying to stop confidential info flow. Just trying to
make illicit shell shipping harder.
> Such a user can use http or
> better yet https as a transport as well or a floppy, usb hard drive, usb thumb
> drive, and email (especially with an encrypted attachment so that your filter
> can see what it is). Hell they can print it out and carry it in their
> briefcase if they wanted.
That's what I do ;)
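A concrete version of the inbound DMZ allow-list smith describes (DNS on udp/tcp 53, plus only the ICMP a host must still process under RFC 1122, so path-MTU discovery keeps working), written here as an added nftables example that is not from the thread; the DMZ interface name `dmz0` and the server address `192.0.2.53` are assumptions.

```nftables
# Added example, not from the thread: border-firewall forward chain for a
# DMZ DNS server. Assumed values: DMZ interface "dmz0", server 192.0.2.53.
table inet dmz_dns {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions the DNS server itself opened (e.g. recursion).
        ct state established,related accept
        ct state invalid drop

        # The service itself: UDP for normal queries, TCP for large answers
        # and zone transfers.
        oifname "dmz0" ip daddr 192.0.2.53 udp dport 53 accept
        oifname "dmz0" ip daddr 192.0.2.53 tcp dport 53 accept

        # ICMP a host must still handle (RFC 1122). destination-unreachable
        # carries "fragmentation needed" (code 4); dropping it stalls
        # path-MTU discovery, which is the "weird things" smith refers to.
        oifname "dmz0" ip daddr 192.0.2.53 icmp type {
            destination-unreachable, time-exceeded, parameter-problem
        } accept

        # Keep ping for diagnostics but rate-limit it; this also caps the
        # usable bandwidth of anything trying to ride echo traffic.
        oifname "dmz0" ip daddr 192.0.2.53 icmp type echo-request \
            limit rate 10/second accept

        # All other ICMP types, and everything else, fall to the drop policy.
    }
}
```

Load with `nft -f <file>` and confirm with `nft list table inet dmz_dns`; an IPv6 DMZ needs an equivalent `icmpv6` set, since IPv6 depends even more heavily on ICMP.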