Firewall Wizards mailing list archives

RE: how to block ICMP tunneling?


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 19 Jul 1999 18:19:20 -0400

> Unless you have an application-based firewall! Where the firewall is
> actually scanning the contents of the payload to check which commands for
> that associated application protocol are coming in.

Most of the application proxy firewalls I know (I wrote a couple,
in the past) don't _really_ do much content/payload scanning.  Most
of that stuff was theoretical, rather than actually implemented.
For example, Gauntlet only looked for a couple of well-known
attacks in HTTP URLs (which are now hopelessly outdated) and a
few well-known attacks in E-mail addresses (which are now hopelessly
outdated).  Application level firewalls don't typically process
ICMP at layer 7. Does Raptor's? Do you scan the contents of
echo request/reply packets and do state preservation across
parts of a ping?

Originally, the myth of proxy firewall superiority was partially
driven by the "content scanning" concept, even though most of
the proxy firewalls did only a tiny bit more content scanning
than a router does. Now that I'm not in the firewall business
anymore, I like trying to get proxy firewall vendors to enumerate
the checks they actually do make. I've had little success. I suspect
because they make laughably few checks.

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
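The post asks whether a proxy firewall actually inspects echo request/reply contents and keeps state across the parts of a ping. The following is an added illustration of what such a layer-7 ICMP check could look like; it is not code from Ranum, Gauntlet, Raptor or anyone else in the thread. It validates the ICMP header and checksum, pairs each echo reply with the request that carries the same identifier and sequence number, and applies two heuristics whose thresholds are assumptions: a payload size cap, and a count of how many distinct filler bodies one identifier has sent (ordinary ping keeps its filler constant and varies only the leading timestamp, which the code assumes occupies the first 8 bytes). All packets are constructed inline.

```python
"""Stateful ICMP echo inspector (added illustration, not code from the thread)."""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
MAX_PAYLOAD = 64   # assumption: ordinary ping carries 32-56 data bytes
MAX_BODIES = 3     # assumption: one ping session keeps its filler bytes constant


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Construct an echo request/reply with a valid checksum (test input only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes):
    """Return (type, code, ident, seq, payload); raise ValueError if malformed."""
    if len(pkt) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(pkt) != 0:  # a message with a correct checksum sums to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return icmp_type, code, ident, seq, pkt[8:]


class EchoInspector:
    """Keeps per-ping state so replies can be checked against their requests."""

    def __init__(self):
        self.pending = {}  # (ident, seq) -> request payload awaiting a reply
        self.bodies = {}   # ident -> distinct filler bodies seen in requests

    def inspect(self, pkt: bytes) -> list:
        """Return a list of alert strings for one ICMP message (empty = clean)."""
        try:
            icmp_type, code, ident, seq, payload = parse_echo(pkt)
        except ValueError as err:
            return [f"drop: {err}"]
        if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
            return []  # other ICMP types are outside this inspector's scope
        alerts = []
        if len(payload) > MAX_PAYLOAD:
            alerts.append(f"oversized echo payload ({len(payload)} bytes)")
        key = (ident, seq)
        if icmp_type == ECHO_REQUEST:
            self.pending[key] = payload
            seen = self.bodies.setdefault(ident, set())
            seen.add(payload[8:])  # assumption: first 8 bytes are a timestamp
            if len(seen) > MAX_BODIES:
                alerts.append(f"payload body churn on identifier {ident:#06x}")
        else:
            expected = self.pending.pop(key, None)
            if expected is None:
                alerts.append("echo reply without matching request")
            elif expected != payload:
                alerts.append("echo reply payload differs from request")
        return alerts


if __name__ == "__main__":
    # Constructed sample: one ordinary ping exchange, then a reply nobody asked for.
    body = bytes(range(0x10, 0x40))
    inspector = EchoInspector()
    for pkt in (build_echo(ECHO_REQUEST, 0x1234, 1, bytes(8) + body),
                build_echo(ECHO_REPLY, 0x1234, 1, bytes(8) + body),
                build_echo(ECHO_REPLY, 0x1234, 7, b"x")):
        print(inspector.inspect(pkt))
```

The state table is what makes the reply/request payload comparison possible; without it an inspector can only look at each datagram in isolation, which is roughly what the post says most proxy firewalls did. In a real deployment the pending table needs an expiry so unanswered requests do not accumulate.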


