Firewall Wizards mailing list archives

RE: how to block ICMP tunneling?


From: Kevin Steves <stevesk () sweden hp com>
Date: Sat, 24 Jul 1999 09:10:36 +0200 (CEST)

On Mon, 19 Jul 1999, Jason Diesel wrote:
: Unless you have an application based firewall! Where the firewall is
: actually scanning the contents of the pay load to check which commands for
: that associated application protocol are coming in. If they are unrecognised
: for say... DNS, then the firewall will not let them in. The firewall will
: then log and alert as necessary.

I think Adam was referring to the issues of tunneling in general (he did
mention SSH and SSL).  CONNECT tends to be my favorite tunneling method.  
Does the Raptor CONNECT proxy try to examine the initial connection for
valid SSL handshake messages?  Even if it did, there are only limited
checks that can be performed to try to determine that it's really
tunneling an SSL session vs. BO2K, and then it could be fooled, so I
suspect you don't even bother.  Or we can also just do BO2K over
real-SSL.

Application firewall products are not the silver bullet here--one needs
to look at the overall requirements and deploy multiple methods and
techniques to implement a given policy (insert all Adam's original
comments here...).
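
An added example, not from this thread or from any proxy vendor, of the kind of limited initial-bytes check the message refers to: it tests whether the first client bytes on a CONNECT tunnel are framed as a TLS ClientHello. Sample bytes are constructed inline; SSLv2-style hellos and ClientHellos split across records are assumed out of scope.

```python
import struct

TLS_HANDSHAKE = 0x16   # record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type
MIN_LEN = 44           # record hdr (5) + hs hdr (4) + version (2) + random (32) + sid len (1)


def looks_like_tls_client_hello(data: bytes) -> bool:
    """True if the first bytes of a tunnel look like a TLS ClientHello.

    Only framing is checked (record header, handshake header, client
    version, session-id length); a tunnel that sends a real or
    real-looking ClientHello passes, which is the limit the message notes.
    """
    if len(data) < MIN_LEN:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 3:   # SSLv3 / TLS 1.0-1.3
        return False
    if not 0 < rec_len <= 16384:                            # max plaintext record
        return False
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != CLIENT_HELLO or hs_len + 4 != rec_len:    # one ClientHello per record (assumed)
        return False
    if data[9] != 3:                                        # client_version major
        return False
    return data[43] <= 32                                   # session_id length bound


def build_sample_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello for demonstration only."""
    body = (b"\x03\x03" + bytes(range(32)) + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x00\x2f"                      # one cipher suite
            + b"\x01\x00"                              # null compression only
            + b"\x00\x00")                             # no extensions
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    hello = build_sample_client_hello()
    print("real ClientHello:", looks_like_tls_client_hello(hello))         # True
    print("arbitrary bytes :", looks_like_tls_client_hello(b"\x00" * 64))  # False
    print("truncated hello :", looks_like_tls_client_hello(hello[:20]))    # False
```

A proxy applying this would log or drop tunnels whose first bytes fail the check, while accepting that framing alone cannot prove what the tunnel carries.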
