Firewall Wizards mailing list archives

Re: ICMP Packets.


From: Henry Hertz Hobbit <hhhobbit () icarus weber edu>
Date: Wed, 3 Jun 1998 19:02:25 -0600 (MDT)

On Tue, 2 Jun 1998, James R Grinter wrote:

On Tue 2 Jun, 1998, Henry Hertz Hobbit <hhhobbit () icarus weber edu> wrote:
said it before, if you don't need it, block it, both ways. In
other words, this applies to *everything*. If you don't NEED
the ICMP packets (all of them, not just the echo/echo-reply)
to go out, block them. Your actual needs, not somebody else's

this is sound advice - but - beware of ICMP packet types that are
fundamental to the correct operation of some protocols.

I understand that. I guess what I am saying is that EACH
firewall vendor should send the product out such that the
minimum number of protocols (anything based on IP), protocol
packet types, and ports needed for the firewall to function
are the ONLY thing that are delivered out of the box ready
to go. Yes, I know, with IPX, etc this is sometimes a tough
call. I would hold them to anything based on IP, and have
them tell you the minimum amounts of enabling necessary for
other protocols.

Also, some talk has been made of what must be done to secure
the firewall itself, eg, no routed (gated ok with FW1, etc),
almost all of the services stripped, sendmail (sorry folks,
I have been hacked into TOO much with that program) and for
that matter removal of any other mail program that has
been installed (actually - do a fresh clean install of the OS)
and even in some cases no floppy drives in the machine, etc.

I think it would be a good idea for the firewall vendors to
take an active role in closing down the services, etc, so that
the implementor doesn't have to do all of it. But then again,
I have said that this is the way Unix machines (Win-NT buffs
pick your own poison of how to secure) should have been delivered
YEARS ago. In other words, this is more a responsibility of the
system vendors rather than the firewall vendors.

I guess what I am getting at here is a working philosophy that
states that how open you are should be a CONSCIOUS decision,
no matter how badly informed the person is making the decision.
When hackers have abandoned the long time honored tradition that
if you are experienced you are not to attack schools and other
places that are non-profit, what can you assume?

To wit - any firewall vendor in my opinion should deliver the
product with the security screws tightened down until they almost
bleed. Part of the problem in doing this is the variability of
what each particular installation is going to do with it, and
what the powers that be (management) push them into doing, loss
of security be damned to get what they want. In other words,
firewalls are not at the commodity level they need to be at.
I guess that means more business for all of us until something
changes ;^)


HHH
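The rule the thread settles on (drop every ICMP type you do not need, in both directions, but keep the types other protocols depend on) as an added, illustrative Python filter; this is not code from the posting, and the particular allowed types, the sample addresses and the raw-packet builder are this example's own assumptions.

```python
import struct

# Default-deny ICMP policy: only types that other protocols depend on are
# accepted; everything else (echo, redirect, timestamp, ...) is dropped.
# This allow-list is the example's assumption, not the posting's.
ALLOWED_ICMP = {
    3: {0, 1, 2, 3, 4},  # Destination Unreachable; code 4 (Fragmentation
                         # Needed) is what Path MTU discovery relies on
    11: {0, 1},          # Time Exceeded (TTL expiry feedback, traceroute)
    12: {0},             # Parameter Problem
}

def parse_icmp(packet: bytes):
    """Return (src, dst, icmp_type, icmp_code) from a raw IPv4 packet,
    or None if it is not ICMP or too short to carry an ICMP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:
        return None                        # protocol 1 == ICMP
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]

def decide(packet: bytes) -> str:
    """Apply the default-deny policy to one packet."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "not-icmp"
    _, _, icmp_type, icmp_code = parsed
    return "accept" if icmp_code in ALLOWED_ICMP.get(icmp_type, set()) else "drop"

def build_icmp(src: str, dst: str, icmp_type: int, icmp_code: int) -> bytes:
    """Constructed sample packet: minimal IPv4 header plus an 8-byte ICMP
    header, checksums left at zero (enough for the filter, not for the wire)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)

if __name__ == "__main__":
    for t, c in ((8, 0), (3, 4), (5, 1), (11, 0)):
        pkt = build_icmp("10.0.0.1", "10.0.0.2", t, c)
        print(f"type {t} code {c}: {decide(pkt)}")
```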


