Firewall Wizards mailing list archives

Re: how to block ICMP tunneling?


From: Adam Shostack <adam () homeport org>
Date: Sun, 18 Jul 1999 13:01:43 -0400


First, let me ask if you already proxy DNS, and block SSH and SSL?

If not, then there's no reason to expect that BO2k scripts to randomly
connect out over those ports will not be created, and you'll be
out of luck.  (Note, I'm looking 6-12 months down the line, when BO2k
in ICMP, and a whole zoo of plug-ins and scripts are available.)

BO2k is, to me, a demonstration of where firewalls stop being useful.
The attacker gets his back door onto your network, converting a
trusted machine into his base of operations.  You now have a problem
that an 'insider' can start doing nasty stuff inside your firewall.

You need security tools such as log analysers, network intrusion
detection systems, and vulnerability and virus scanners deployed
inside your network.  You also need really decent security management
policies and procedures in place to make sure all of this stuff
works.  Yes, this is all expensive.  Yes, this is a pain in the butt.
But since the market will take dancing bunnies over security every
time, we're left with a whole bunch of reactive measures.

Adam


On Fri, Jul 16, 1999 at 12:07:41PM -0400, Razvan Peteanu wrote:
| BO2K has the ability to use ICMP tunneling for its traffic so I'm interested
| in what types of ICMP messages should be blocked to prevent this traffic.
| 
| Thanks,
| Razvan

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
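The post argues that the useful control against an ICMP back door is detection inside the network rather than a firewall rule on ICMP types. The following is an added example, not code from the original thread or from either poster, of the kind of heuristic an internal network monitor or log analyser could apply to ICMP echo traffic: it flags echo packets whose payload is larger than a normal ping carries, whose payload looks random (encrypted or compressed data has high byte entropy, while a ping pattern does not), and src/dst pairs that exchange an unusual volume of echo packets. All thresholds, addresses and packet records are constructed for the example; a real deployment would feed it decoded packets from a capture or sensor and tune the limits to the site's own baseline.

```python
"""Heuristic detector for ICMP covert channels over constructed packet records."""
import hashlib
import math
from collections import defaultdict

ICMP_ECHO_REPLY = 0        # RFC 792 echo reply
ICMP_ECHO_REQUEST = 8      # RFC 792 echo request

# Assumed thresholds (constructed for this example; tune against a site baseline).
MAX_PING_PAYLOAD = 64      # bytes; ordinary ping tools send 32 or 56 data bytes
ENTROPY_THRESHOLD = 6.0    # bits per byte; encrypted/compressed data sits near 8
MAX_ECHO_PER_PAIR = 20     # echo packets per window between one src/dst pair


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_packet(icmp_type: int, payload: bytes) -> list:
    """Return the reasons an echo packet looks like tunnel traffic (empty if benign)."""
    reasons = []
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return reasons          # only echo traffic is examined here
    if len(payload) > MAX_PING_PAYLOAD:
        reasons.append("oversized")
    if shannon_entropy(payload) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def flag_flows(records):
    """Aggregate per (src, dst) pair and return the pairs worth an analyst's attention.

    records: iterable of (src, dst, icmp_type, payload) tuples for one time window.
    Returns {(src, dst): sorted list of reasons}.
    """
    stats = defaultdict(lambda: {"packets": 0, "reasons": set()})
    for src, dst, icmp_type, payload in records:
        s = stats[(src, dst)]
        s["packets"] += 1
        s["reasons"].update(classify_packet(icmp_type, payload))
    flagged = {}
    for pair, s in stats.items():
        if s["packets"] > MAX_ECHO_PER_PAIR:
            s["reasons"].add("high-volume")
        if s["reasons"]:
            flagged[pair] = sorted(s["reasons"])
    return flagged


def pseudo_random_payload(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted tunnel data (constructed)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


# Constructed sample traffic: a normal ping exchange and one suspicious flow.
PING_PAYLOAD = bytes(range(0x10, 0x10 + 56))   # low-entropy pattern like a default ping
SAMPLE_RECORDS = (
    [("10.0.0.5", "10.0.0.1", ICMP_ECHO_REQUEST, PING_PAYLOAD)] * 4
    + [("10.0.0.1", "10.0.0.5", ICMP_ECHO_REPLY, PING_PAYLOAD)] * 4
    + [("10.0.0.7", "203.0.113.9", ICMP_ECHO_REQUEST,
        pseudo_random_payload(b"constructed", 1400))] * 25
)

if __name__ == "__main__":
    for pair, reasons in flag_flows(SAMPLE_RECORDS).items():
        print(f"{pair[0]} -> {pair[1]}: {', '.join(reasons)}")
```

On the sample data the normal ping pair produces no finding, while the second pair is reported for all three reasons. The entropy test is the one that keeps working when a tunnel pads its packets down to ping size, which is why it is worth running alongside the simpler size and volume checks.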