Firewall Wizards mailing list archives
Re: how to block ICMP tunneling?
From: Adam Shostack <adam () homeport org>
Date: Sun, 18 Jul 1999 13:01:43 -0400
First, let me ask if you already proxy DNS, and block SSH and SSL? If not, then there's no reason to expect that BO2k scripts to randomly connect out over those ports will not be created, and you'll be out of luck. (Note, I'm looking 6-12 months down the line, when BO2k in ICMP, and a whole zoo of plug-ins and scripts are available.)

BO2k is, to me, a demonstration of where firewalls stop being useful. The attacker gets his back door onto your network, converting a trusted machine into his base of operations. You now have a problem that an 'insider' can start doing nasty stuff inside your firewall.

You need security tools such as log analysers, network intrusion detection systems, and vulnerability and virus scanners deployed inside your network. You also need really decent security management policies and procedures in place to make sure all of this stuff works.

Yes, this is all expensive. Yes, this is a pain in the butt. But since the market will take dancing bunnies over security every time, we're left with a whole bunch of reactive measures.

Adam

On Fri, Jul 16, 1999 at 12:07:41PM -0400, Razvan Peteanu wrote:
| BO2K has the ability to use ICMP tunneling for its traffic so I'm interested
| in what types of ICMP messages should be blocked to prevent this traffic.
|
| Thanks,
| Razvan

--
"It is seldom that liberty of any kind is lost all at once."
-Hume