Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Fw rule set question

from [Justin Ross] Network Security [Permanent Link]
Subject: RE: Fw rule set question
Date: Tue, 31 Jul 2007 15:09:59 -0700 
It actually looks like it's going from WAN to LAN, per his comment "is
allowed from the internet to the internal network". This is a debate I
have seen many times in the security/network arena. From a security
perspective, I would say ICMP (and enumeration) present risk (risk to
your internal network, your security posture, etc.). Having said that,
from a network support/engineer perspective, troubleshooting
connectivity issues is easier with certain ICMP types enabled.

The question is really, is the value of having unreachable and time
exceeded enabled through the firewall worth the risk? That's something
you have to weigh based on the sensitivity and value of the resources
you're protecting, and the likelihood of the risk being exploited, etc.
For example, I don't think very many security or network support people
would want the server that stores their bank account information being
enumerated via ICMP or any other protocol. 

Since data/information could be tunneled through ICMP regardless of it's
type, I would be reluctant to give a generic answer of "it's fine"
without knowing what the firewall is protecting/positioned in front of.

Justin.Ross
Security Engineer



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Craig Van Tassle
Sent: Tuesday, July 31, 2007 10:36 AM
To: security basics
Subject: Re: Fw rule set question

They are not that big of an issue. What way are these going? Are they
going form the LAN to the WAN.
Over all Source Quench is needed for TCP flow control. Unreachable and
time execeeded are also fine.
Unreachable, well that should be obvious. Time Exceeded is usually used
for trace routes and finding a routing loop.

The only possible risk I can see from these ICMP's is that it may allow
for internal host enumeration, other then that the risk is minimal with
ICMP.

I recommend that you look at RFC 792,
http://www.faqs.org/rfcs/rfc792.html
That will help you understand ICMP a lot better and what it's uses are
for.

Juan B wrote:

hi,

I am evaluating a Fw rule set.

I see that source quench,icmp unreacheble and time execeeded (all 
icmp) is allowed from the internet to the internal network. this is a 
cisco pix. is it a requirmnet that those rules will be opened? what 
happened if I disbale them? is there a security risk here? I dont 
rememmber seeing those rules opened in any fw I saw..

thanks a lot !

Juan


       
______________________________________________________________________
______________
Got a little couch potato? 
Check out fun summer activities for kids.
http://search.yahoo.com/search?fr=oni_on_mail&p=summer+activities+for+
kids&cs=bz
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Fw rule set question, Craig Van Tassle
Previous by Thread:  Re: Fw rule set question, Craig Van Tassle
Indexes:  [Date] [Thread] [Top] [All Lists]