RE: Fw rule set question

["Justin Ross" <jross () cricketcommunications com>]

It actually looks like it's going from WAN to LAN, per his comment "is
allowed from the internet to the internal network". This is a debate I
have seen many times in the security/network arena. From a security
perspective, I would say ICMP (and enumeration) present risk (risk to
your internal network, your security posture, etc.). Having said that,
from a network support/engineer perspective, troubleshooting
connectivity issues is easier with certain ICMP types enabled.

The question is really, is the value of having unreachable and time
exceeded enabled through the firewall worth the risk? That's something
you have to weigh based on the sensitivity and value of the resources
you're protecting, and the likelihood of the risk being exploited, etc.
For example, I don't think very many security or network support people
would want the server that stores their bank account information being
enumerated via ICMP or any other protocol. 

Since data/information could be tunneled through ICMP regardless of it's
type, I would be reluctant to give a generic answer of "it's fine"
without knowing what the firewall is protecting/positioned in front of.

Justin.Ross
Security Engineer



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Craig Van Tassle
Sent: Tuesday, July 31, 2007 10:36 AM
To: security basics
Subject: Re: Fw rule set question

They are not that big of an issue. What way are these going? Are they
going form the LAN to the WAN.
Over all Source Quench is needed for TCP flow control. Unreachable and
time execeeded are also fine.
Unreachable, well that should be obvious. Time Exceeded is usually used
for trace routes and finding a routing loop.

The only possible risk I can see from these ICMP's is that it may allow
for internal host enumeration, other then that the risk is minimal with
ICMP.

I recommend that you look at RFC 792,
http://www.faqs.org/rfcs/rfc792.html
That will help you understand ICMP a lot better and what it's uses are
for.

Juan B wrote:
> hi,
>
> I am evaluating a Fw rule set.
>
> I see that source quench,icmp unreacheble and time execeeded (all 
> icmp) is allowed from the internet to the internal network. this is a 
> cisco pix. is it a requirmnet that those rules will be opened? what 
> happened if I disbale them? is there a security risk here? I dont 
> rememmber seeing those rules opened in any fw I saw..
>
> thanks a lot !
>
> Juan
>
>
>        
> ______________________________________________________________________
> ______________
> Got a little couch potato? 
> Check out fun summer activities for kids.
> http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activities+for+
> kids&cs=bz