Firewall Wizards mailing list archives

Re: ICMP blocking on PIX .4.4.1


From: User nawk <nawk () real-secure com>
Date: Sat, 29 Apr 2000 12:57:13 -0400

Hi,

    That is exactly how it should be done. You want ICMP and spoofing
stopped on the router. Firewalls are a great device, but not perfect.
Cisco's ACLs do a much better job at blocking. Just make sure the lists are
not too long so the CPU of the router does not get saturated. Think of it as:
what if you or someone makes a mistake on the firewall and now you've opened
yourself up? All it is is layers of defense. If you really want to be anal,
set up ACLs on your border routers, then apply your rules on the firewall, and
last set up another router behind the firewall with ACLs again. This way the
attacker has to pass all three to get into your network.


Thanks

----- Original Message -----
From: "R. DuFresne" <dufresne () sysinfo com>
To: "Jim Seymour" <jseymour () LinxNet com>
Cc: <nawk () real-secure com>; <firewall-wizards () nfr net>;
<phred () pacificwest com>
Sent: Thursday, April 27, 2000 6:06 PM
Subject: Re: [fw-wiz] ICMP blocking on PIX .4.4.1



It's always been our impression that viewing security as an 'onion' one
pulls all the onion's skins together to form as tight a security system as
possible to deal with the security policy at hand.  This would include
ACLs in routers to deal with ICMP/UDP and spoofing there, as well as
backing up those rules in the firewalls' rule sets, just in case one device
barfed up and packets slipped by it.

Even the most recent issue of sysadmin mag has an article titled:

The Use of Routers in Firewall Setup

May 2000 vol 9 # 5

Thanks,

Ron DuFresne

On Thu, 27 Apr 2000, Jim Seymour wrote:

nawk <nawk () real-secure com> wrote:

I think it's best practice to block things like ICMP and spoofing
on your routers, not the firewall. The firewall is just to block things like
ports and prevent access to your internal network.

Two schools of thought on that.  The consultant that installed our
first Gauntlet firewall (TIS was offering at the time free installs and
one day of training for up to three people) recommended that the router
be stripped of *all* packet filtering rules so that the firewall would
see everything.  His logic was that Gauntlet was much more capable at
detecting and reporting activity than was the firewall router.

My feeling was that sufficient rules to protect the *router* itself had
to remain.  So that's what I did: the router has only enough rules in
it to protect *it*.  The firewall gets everything else.  (Except when I
get really fed up with something.  Then I block it at the router.)

Note also that there is a potential problem in simply outright
blocking all ICMP at the router.  If you're running a mail gateway on
the firewall (as I do [Postfix]), blocking ICMP path MTU discovery can
lead to SMTP sessions timing out on large emails.  (See, for example:
http://msgs.SecurePoint.com/cgi-bin/get/postfix9904/37/1.html.)  And I
don't see any particular reason why others shouldn't be allowed to ping
my firewall.

Allowing ICMP (or any connection-less protocol, such as UDP) *through*
the firewall is another issue entirely.  Connection-less protocols are
not safe.  Cannot be made safe.  Other than perhaps allowing syslog
from the router to a syslog host, specifically, I don't see any
particular reason to allow any UDP through a firewall.

As regards the original poster's query: I don't know the PIX firewall,
but wouldn't it be possible to log on to the PIX and run your pings and
traceroutes from there?  Less convenient, to be sure.  But far safer
than allowing UDP through it, I should think.  I'll take safety over
convenience any day.


Regards,
Jim


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
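The thread above makes three points that fit into a single border-router ACL: stop spoofed sources at the router (nawk, DuFresne), give the router just enough rules to protect itself (Seymour), and do not block ICMP wholesale, because path MTU discovery and ping to the firewall need to keep working (Seymour). The Cisco IOS extended ACL below is an added example written for this archive page, not configuration posted by any of the participants. Every value in it is an assumption: 192.0.2.0/24 (the documentation range) stands in for the site's public prefix, 192.0.2.1 for the firewall's outside address, 192.0.2.254 for the router's outside address, and OUTSIDE-IN and Serial0 are made-up ACL and interface names.

```cisco
! Added example, not from the thread. Inbound ACL for the border router's
! outside interface. Constructed addresses: 192.0.2.0/24 = site prefix,
! 192.0.2.1 = firewall outside address, 192.0.2.254 = router outside address.
ip access-list extended OUTSIDE-IN
 ! Anti-spoofing: our own prefix, RFC 1918 space and loopback must never
 ! arrive from the Internet side. Logged so hits show up in syslog.
 deny   ip 192.0.2.0 0.0.0.255 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 ! Protect the router itself: nothing from outside may open TCP or UDP to
 ! its own outside address (ICMP to it is handled by the ICMP rules below).
 deny   tcp any host 192.0.2.254 log
 deny   udp any host 192.0.2.254 log
 ! ICMP: permit only what the firewall and the hosts behind it need.
 ! packet-too-big (type 3 code 4) keeps path MTU discovery working, so SMTP
 ! on the firewall does not stall on large messages.
 permit icmp any 192.0.2.0 0.0.0.255 packet-too-big
 ! time-exceeded brings back traceroute replies for traces run from inside.
 permit icmp any 192.0.2.0 0.0.0.255 time-exceeded
 ! echo-reply answers pings started from inside; inbound echo is allowed
 ! to the firewall only, so it stays pingable from the outside.
 permit icmp any 192.0.2.0 0.0.0.255 echo-reply
 permit icmp any host 192.0.2.1 echo
 deny   icmp any any log
 ! Everything else is handed on to the firewall, which holds the real
 ! rule set. This is the "layer" the thread describes: the router does
 ! not try to be the firewall.
 permit ip any any
!
interface Serial0
 ip access-group OUTSIDE-IN in
```

IOS evaluates an ACL top-down and stops at the first match, with an implicit deny at the end, so the order matters: the spoofing denies sit first so a forged packet never reaches a later permit, and the trailing `permit ip any any` is what turns this into one layer in front of the firewall rather than a second firewall. Keeping the list this short also answers nawk's concern about router CPU; every rule added here is a rule every inbound packet is matched against.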