
RE: [FW1] ICMP Stateful or NOT ?



That is good information. It kind of bridges the statefulness with allowing
only specific ICMP. I will have to try it out to see if it works.

Thanks,
Daniel Gaughan

-----Original Message-----
From: Byoung Sun Yu [mailto:[email protected]]
Sent: Wednesday, January 10, 2001 11:43 AM
To: Gaughan, Daniel; 'Carl E. Mankinen';
[email protected]
Subject: RE: [FW1] ICMP Stateful or NOT ?


Thanks for the information.
I agree that allowing all icmp is not pleasant. However, there is a kind of
limited tweak you can do that I once heard of. I didn't have a chance to test
this and don't know for sure whether it'll work or not. But it has a chance.

Turn on Accept ICMP on the properties and set it to Last (in other words,
after the clean up rule).
Then have a rule to allow outgoing ICMP. Then incoming ICMP-reply will not
be allowed unless an echo request went out within the past minute.
Does this make sense? If you can generate echo reply with some tool, you can
see if it works or not. I couldn't do that part. But whoever suggested this as
a better solution claims that it works.

Finally, this is all from my old memory so it might be slightly incorrect in
some part. Sorry for that.

Thanks,

Sun Yu, CISSP
Lucent Worldwide Services


> -----Original Message-----
> From: Gaughan, Daniel [mailto:[email protected]]
> Sent: Wednesday, January 10, 2001 10:10 AM
> To: '[email protected]'; 'Carl E. Mankinen';
> [email protected]
> Subject: RE: [FW1] ICMP Stateful or NOT ?
>
>
> So that means it is stateful, but only if I allow all icmp?
> Interesting, but not very useful.
>
> There is code out there that makes stateful icmp with INSPECT
> code. I have a sample by Bill Burns from 1997/1999, and I have
> seen others on the net. Search for ICMP CHECKPOINT on the
> Internet and you should be able to find it, I don't have the
> source URL with me. I don't know why Checkpoint hasn't adopted
> it or something like it yet.
>
> Daniel Gaughan
>
> -----Original Message-----
> From: Byoung Sun Yu [mailto:[email protected]]
> Sent: Wednesday, January 10, 2001 10:30 AM
> To: 'Carl E. Mankinen'; [email protected]
> Subject: RE: [FW1] ICMP Stateful or NOT ?
>
>
>
> FW-1 4.0 or later keeps the state of ICMP IF and ONLY IF
> Accept ICMP option is checked in the Properties.
>
> Sun Yu, CISSP
> Lucent Worldwide Services
>
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Carl E. Mankinen
> > Sent: Wednesday, January 10, 2001 9:00 AM
> > To: [email protected]
> > Subject: [FW1] ICMP Stateful or NOT ?
> >
> >
> >
> > I seem to be reading quite a bit that even 4.X does not use
> > stateful inspection for ICMP requests. Is this in fact the
> > case, or has CheckPoint corrected this in the latest releases?
> >
> > For them to say that ICMP packets are harmless and thus do
> > not require stateful inspection is beyond belief (having my
> > doubts they actually said this...)
> > ICMP is a perfect method for tunneling control connections
> > for trojans, or for sending obscured hashed data containing
> > information you wouldn't like exposed.
> >
> >
> >
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
>
>
>


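The behaviour the thread describes (outbound echo requests create state, and an inbound echo reply is admitted only if a matching request was seen within the last minute, everything else falling through to the clean-up rule) can be modelled with a small state table. This is an added illustration written for this archive page, not Check Point INSPECT code or anything from the posters; the key fields, the 60-second timeout and the one-reply-per-request consumption are assumptions.

```python
"""Minimal stateful ICMP echo filter (added example, not FW-1 code)."""
import time
from collections import namedtuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
STATE_TIMEOUT = 60.0  # seconds; assumption taken from "within a minute"

# Constructed packet summary: the fields a stateful ICMP filter keys on.
Icmp = namedtuple("Icmp", "src dst type ident seq")


class IcmpStateTable:
    """Tracks outbound echo requests so only matching replies are admitted."""

    def __init__(self, timeout=STATE_TIMEOUT):
        self.timeout = timeout
        self.pending = {}  # (src, dst, ident, seq) -> time request was seen

    def _expire(self, now):
        # Drop entries older than the window so stale replies are refused.
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t <= self.timeout}

    def outbound(self, pkt, now=None):
        """The 'allow outgoing ICMP' rule: accept and record echo requests."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        if pkt.type == ICMP_ECHO_REQUEST:
            self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = now
            return "accept"
        return "drop"  # other outbound ICMP falls to the clean-up rule

    def inbound(self, pkt, now=None):
        """A reply is accepted only if its request is in the table and fresh."""
        now = time.monotonic() if now is None else now
        self._expire(now)
        if pkt.type != ICMP_ECHO_REPLY:
            return "drop"  # unsolicited inbound ICMP never matches state
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)  # reply reverses src/dst
        if key in self.pending:
            del self.pending[key]  # assumption: one reply consumes the entry
            return "accept"
        return "drop"
```

Feeding a reply before its request, a second copy of an already-matched reply, or a reply arriving after the window all return "drop", which is the check the poster wanted a tool to exercise.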



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.