Security Basics mailing list archives
RE: Fw rule set question
From: "Justin Ross" <jross () cricketcommunications com>
Date: Tue, 31 Jul 2007 15:09:59 -0700
It actually looks like it's going from WAN to LAN, per his comment "is allowed from the internet to the internal network". This is a debate I have seen many times in the security/network arena. From a security perspective, I would say ICMP (and enumeration) present risk (risk to your internal network, your security posture, etc.). Having said that, from a network support/engineer perspective, troubleshooting connectivity issues is easier with certain ICMP types enabled. The question is really, is the value of having unreachable and time exceeded enabled through the firewall worth the risk? That's something you have to weigh based on the sensitivity and value of the resources you're protecting, and the likelihood of the risk being exploited, etc. For example, I don't think very many security or network support people would want the server that stores their bank account information being enumerated via ICMP or any other protocol. Since data/information could be tunneled through ICMP regardless of it's type, I would be reluctant to give a generic answer of "it's fine" without knowing what the firewall is protecting/positioned in front of. Justin.Ross Security Engineer -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Van Tassle Sent: Tuesday, July 31, 2007 10:36 AM To: security basics Subject: Re: Fw rule set question They are not that big of an issue. What way are these going? Are they going form the LAN to the WAN. Over all Source Quench is needed for TCP flow control. Unreachable and time execeeded are also fine. Unreachable, well that should be obvious. Time Exceeded is usually used for trace routes and finding a routing loop. The only possible risk I can see from these ICMP's is that it may allow for internal host enumeration, other then that the risk is minimal with ICMP. I recommend that you look at RFC 792, http://www.faqs.org/rfcs/rfc792.html That will help you understand ICMP a lot better and what it's uses are for. Juan B wrote:
hi, I am evaluating a Fw rule set. I see that source quench,icmp unreacheble and time execeeded (all icmp) is allowed from the internet to the internal network. this is a cisco pix. is it a requirmnet that those rules will be opened? what happened if I disbale them? is there a security risk here? I dont rememmber seeing those rules opened in any fw I saw.. thanks a lot ! Juan ______________________________________________________________________ ______________ Got a little couch potato? Check out fun summer activities for kids. http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activities+for+ kids&cs=bz
Current thread:
- Fw rule set question Juan B (Jul 31)
- Re: Fw rule set question Craig Van Tassle (Jul 31)
- RE: Fw rule set question Justin Ross (Jul 31)
- Re: Fw rule set question Craig Van Tassle (Jul 31)