Nathan Anderson/FSR wrote:
> Nevertheless, the person I have been in contact with is naturally not
> the final decision-maker on this issue and is going to continue to pass
> the issue on up the chain of command for me. So although this issue is
> not over and I do not have a final verdict from MS yet, I felt that,
> given that I don't know how much time to expect to pass between now and
> when that final verdict is rendered, it would be appropriate to let
> everybody here know what I have learned thus far. Hopefully public
> dissemination of this information factoid will prevent others in a
> position similar to mine from having to helplessly beat their heads into
> their keyboards.

Let's also not ignore the generally overworked IT administrator at any small or medium sized enterprise. He/she may not be (as many folks I've run into are) of the mistaken impression that ICMP *is* bad and leaves you vulnerable to all sorts of things like SMURF. There are even tools out there that "test" your vulnerability by "pinging" you and do other investigations.

I know of a tool that a major financial institution uses when certifying your network's security -- that scrapes the version number from your ESMTP banner to decide whether you comply or not (and other banners). (Rather than actually testing for a specific vulnerability). Simply blocking all of these packets from their test host gives you a high passing score; possibly a perfect one.

[Irony and humor aside...]

Many non-SP IT folks think they understand TCP, grudgingly accept UDP for DNS from external sources and think everything else is bollocks. Many *might* have a fit if they saw Microsoft accepting ICMPs because that seems inconsistent with their knowledge of turn-the-knob network security. To their view, their Linksys/Netgear/whathaveyou COTS firewalls block everything too.

I don't think I'm exaggerating here. Just a thought, not saying it's a good one or whose fault it is...

Deepak Jain
AiNET

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog