Firewall Wizards mailing list archives
RE: how to block ICMP tunneling?
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 19 Jul 1999 18:19:20 -0400
Unless you have an application based firewall! Where the firewall is actually scanning the contents of the pay load to check which commands for that associated application protocol are coming in.
Most of the application proxy firewalls I know (I wrote a couple, in the past) don't _really_ do much content/payload scanning. Most of that stuff was theoretical, rather than actually implemented. For example, Gauntlet only looked for a couple of well-known attacks in HTTP URLs (which are now hopelessly outdated) and a few well-known attacks in E-mail addresses (which are now hopelessly outdated). Application level firewalls don't typically process ICMP at layer 7. Does Raptor's? Do you scan the contents of echo request/reply packets and do state preservation across parts of a ping? Originally, the myth of proxy firewall superiority was partially driven by the "content scanning" concept, even though most of the proxy firewalls did only a tiny bit more content scanning than a router does. Now that I'm not in the firewall business anymore, I like trying to get proxy firewall vendors to enumerate the checks they actually do make. I've had little success. I suspect because they make laughably few checks. mjr. -- Marcus J. Ranum, CEO, Network Flight Recorder, Inc. work - http://www.nfr.net home - http://www.clark.net/pub/mjr
Current thread:
- Re: how to block ICMP tunneling?, (continued)
- Re: how to block ICMP tunneling? Ted Doty (Jul 18)
- Re: how to block ICMP tunneling? Adam Shostack (Jul 19)
- BO2k : was (Re: how to block ICMP tunneling?) Jason Brvenik (Jul 20)
- RE: how to block ICMP tunneling? Jason Diesel (Jul 19)
- RE: how to block ICMP tunneling? Kevin Steves (Jul 26)
- RE: how to block ICMP tunneling? Kyle Starkey (Jul 19)
- Re: how to block ICMP tunneling? Joseph S D Yao (Jul 20)
- Re: how to block ICMP tunneling? Chris Brenton (Jul 20)
- Re: how to block ICMP tunneling? carson (Jul 21)
- Re: how to block ICMP tunneling? Geva Patz (Jul 20)
- RE: how to block ICMP tunneling? Marcus J. Ranum (Jul 19)
- Re: how to block ICMP tunneling? Steven M. Bellovin (Jul 20)
- RE: how to block ICMP tunneling? Ben Nagy (Jul 20)
- Re: how to block ICMP tunneling? Ryan Russell (Jul 21)
- Re: how to block ICMP tunneling? Dru (Jul 26)
- RE: how to block ICMP tunneling? Jason Diesel (Jul 21)
- Re: how to block ICMP tunneling? Adam Shostack (Jul 23)
- RE: how to block ICMP tunneling? Marcus J. Ranum (Jul 23)
- Re: how to block ICMP tunneling? Sean Costello (Jul 29)
- Re: how to block ICMP tunneling? Sean Costello (Jul 29)
- Fw: how to block ICMP tunneling? Sean Costello (Jul 30)