Firewall Wizards mailing list archives
Re: ICMP Packets.
From: Henry Hertz Hobbit <hhhobbit () icarus weber edu>
Date: Wed, 3 Jun 1998 19:02:25 -0600 (MDT)
On Tue, 2 Jun 1998, James R Grinter wrote:
> On Tue 2 Jun, 1998, Henry Hertz Hobbit <hhhobbit () icarus weber edu> wrote:
> > said it before, if you don't need it, block it, both ways. In other words, this applies to *everything*. If you don't NEED the ICMP packets (all of them, not just the echo/echo-reply) to go out, block them. Your actual needs, not somebody else's
>
> this is sound advice - but - beware of ICMP packet types that are fundamental to the correct operation of some protocols.
I understand that. I guess what I am saying is that EACH firewall vendor should send the product out such that the minimum number of protocols (anything based on IP), protocol packet types, and ports needed for the firewall to function are the ONLY thing that are delivered out of the box ready to go. Yes, I know, with IPX, etc., this is sometimes a tough call. I would hold them to anything based on IP, and have them tell you the minimum amount of enabling necessary for other protocols. Also, some talk has been made of what must be done to secure the firewall itself, e.g., no routed (gated ok with FW1, etc.), almost all of the services stripped, sendmail (sorry folks, I have been hacked into TOO much with that program) and for that matter removal of any other mail program that has been installed (actually - do a fresh clean install of the OS) and even in some cases no floppy drives in the machine, etc. I think it would be a good idea for the firewall vendors to take an active role in closing down the services, etc., so that the implementor doesn't have to do all of it. But then again, I have said that this is the way Unix machines (Win-NT buffs pick your own poison of how to secure) should have been delivered YEARS ago. In other words, this is more a responsibility of the system vendors rather than the firewall vendor. I guess what I am getting at here is a working philosophy that states that how open you are should be a CONSCIOUS decision, no matter how badly informed the person making the decision is. When hackers have abandoned the long time honored tradition that if you are experienced you are not to attack schools and other places that are non-profit, what can you assume? To wit - any firewall vendor in my opinion should deliver the product with the security screws tightened down until they almost bleed.

Part of the problem in doing this is the variability of what each particular installation is going to do with it, and what the powers that be (management) push them into doing, loss of security be damned to get what they want. In other words, firewalls are not at the commodity level they need to be at. I guess that means more business for all of us until something changes ;^)

HHH
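The quoted caveat above (block ICMP both ways, but keep the types that some protocols depend on) as an added example, not code from the list or from any firewall product: a small stateful ICMP policy in Python that denies ICMP by default and admits only error messages tied to a flow this host started, plus echo replies to its own requests. All packets, addresses and names in it are constructed for the example.

```python
import struct

# Added example, not code from the list or from any firewall product. It models
# "deny ICMP both ways unless you need it" as a stateful policy: inbound ICMP
# passes only when it answers something this host sent, so Path MTU discovery
# (type 3, code 4) keeps working without opening ICMP wholesale. Constructed data.

def ipv4(src, dst, proto, payload):  # constructed 20-byte IPv4 header, checksum left zero
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def parse_ipv4(pkt):  # -> (proto, src, dst, header_len)
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20])), ihl

class IcmpPolicy:
    def __init__(self):
        self.flows = set()         # (proto, src, sport, dst, dport) of outbound TCP/UDP
        self.pending_echo = set()  # (peer, identifier) of echo requests we sent

    def note_outbound(self, pkt):
        proto, src, dst, ihl = parse_ipv4(pkt)
        if proto in (6, 17):                              # TCP or UDP
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            self.flows.add((proto, src, sport, dst, dport))
        elif proto == 1 and pkt[ihl] == 8:                # our own echo request
            self.pending_echo.add((dst, struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]))

    def allow_inbound_icmp(self, pkt):
        proto, src, dst, ihl = parse_ipv4(pkt)
        if proto != 1:
            return False
        icmp = pkt[ihl:]
        if icmp[0] == 0:                                  # echo reply: one per request sent
            key = (src, struct.unpack("!H", icmp[4:6])[0])
            if key not in self.pending_echo:
                return False
            self.pending_echo.remove(key)
            return True
        if icmp[0] in (3, 11):                            # unreachable / time exceeded
            inner = icmp[8:]                              # quoted IP header + 8 bytes (RFC 792)
            if len(inner) < 20:
                return False
            iproto, isrc, idst, iihl = parse_ipv4(inner)
            if iproto not in (6, 17) or len(inner) < iihl + 8:
                return False
            sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
            return (iproto, isrc, sport, idst, dport) in self.flows
        return False                                      # every other type: default deny
```

A real stateful firewall does the same matching on the quoted inner header, which is why "block all ICMP" rules written as plain type filters tend to break PMTU discovery while connection-tracked ones do not.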