Re: [FW1] ICMP Traffic Security Issues
Jaime,

In the current release (and I believe in all previous releases of FireWall-1), ICMP packets are inspected on an instance-by-instance basis. So simply having a rule that says "internal any icmp-proto accept" will not allow responses to those same pings. My Check Point rep has informed me that a new release will allow for 'intelligent/stateful' handling of ping requests as well.

I am most likely not as up to date as some of the ISS or intrusion specialists here, but I have never heard of 'smuggling' over ICMP. ICMP does, however, give attackers a clear and easy way to see what devices you have, to start probing for an attack. Also remember that Check Point is only allowing a subset of ICMP packet types (I believe ICMP type 8 (echo request) and type 0 (echo response)).

Cheers,
CryptoTech

"Fontelera, Jaime C." wrote:
> I'm currently blocking both incoming/outgoing ICMP packets from our network.
> I have a net admin who wants pinging and traceroute packets enabled going
> out. But I'm kind of hesitant at this point because of the security issues.
>
> I've read in a book somewhere that ICMP packets can be exploited by an
> attacker to smuggle data through a site whose firewall ONLY allows outbound
> echo requests by sending echo responses even when they haven't seen a
> request. It is a way for the attacker to maintain connections to a
> compromised site.
>
> What's your opinion on this?
>
> Thanks.
> Jaime
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
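The thread turns on the difference between per-packet ICMP filtering (what the reply says FireWall-1 did at the time) and stateful handling of echo traffic (what Jaime's concern about unsolicited echo responses actually requires). The following is an added example, not code from the thread or from Check Point: a minimal state table that records each outbound echo request by source, destination, identifier and sequence number, admits an inbound echo reply only if it matches a request still within a timeout, and counts unsolicited replies per external source as a detection signal. The 10.0.0.0/8 internal range, the 5-second timeout and all sample packets are constructed assumptions for illustration.

```python
"""Stateful echo request/reply matching for an ICMP filter (added example).

An inbound echo reply is accepted only if it matches an outbound echo
request recorded earlier; replies that no request explains are dropped
and counted per source.  Packets are constructed tuples, not parsed
from the wire.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ECHO_REPLY = 0     # ICMP type 0
ECHO_REQUEST = 8   # ICMP type 8


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int      # echo identifier field
    seq: int        # echo sequence number field
    ts: float       # arrival time in seconds (constructed)


class EchoStateTable:
    def __init__(self, internal_net, timeout=5.0):
        self.internal_net = internal_net        # assumed internal range
        self.timeout = timeout                  # assumed reply window
        self.pending = {}                       # (src, dst, id, seq) -> expiry
        self.unsolicited = Counter()            # external src -> bad replies

    def _internal(self, ip):
        return ipaddress.ip_address(ip) in self.internal_net

    def _expire(self, now):
        # Forget requests whose reply window has closed.
        for key, expiry in list(self.pending.items()):
            if expiry <= now:
                del self.pending[key]

    def process(self, pkt):
        """Return (verdict, reason) for one ICMP packet."""
        self._expire(pkt.ts)
        outbound = self._internal(pkt.src) and not self._internal(pkt.dst)
        inbound = self._internal(pkt.dst) and not self._internal(pkt.src)

        if pkt.icmp_type == ECHO_REQUEST and outbound:
            # Key is stored as the reply will look: addresses reversed.
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            self.pending[key] = pkt.ts + self.timeout
            return "accept", "outbound echo request recorded"

        if pkt.icmp_type == ECHO_REPLY and inbound:
            key = (pkt.src, pkt.dst, pkt.ident, pkt.seq)
            if key in self.pending:
                del self.pending[key]       # one reply per request
                return "accept", "reply matches pending request"
            self.unsolicited[pkt.src] += 1
            return "drop", "unsolicited echo reply"

        return "drop", "icmp type or direction not permitted"


def run_sample():
    """Feed a constructed packet sequence through the table."""
    table = EchoStateTable(ipaddress.ip_network("10.0.0.0/8"), timeout=5.0)
    packets = [
        Icmp("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 1, 0.0),
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1, 0.1),
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 2, 0.2),  # no request
        Icmp("203.0.113.9", "10.0.0.5", ECHO_REPLY, 0x1234, 1, 0.3),   # wrong peer
        Icmp("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 3, 1.0),
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 3, 7.0),  # too late
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REQUEST, 0x1234, 4, 7.1),  # inbound ping
    ]
    results = [table.process(p) for p in packets]
    return {"verdicts": [v for v, _ in results],
            "reasons": [r for _, r in results],
            "unsolicited": dict(table.unsolicited)}


if __name__ == "__main__":
    for verdict, reason in zip(*run_sample().values()):
        print(verdict, "-", reason)
```

Matching on identifier and sequence number, not just on addresses, is what closes the case Jaime describes: an echo reply that no recorded request explains is dropped rather than admitted by a bare "outbound echo allowed" rule, and a burst of such replies from one source is worth alerting on. The table does not look at the reply payload, so it does not by itself detect data carried inside a reply that does match a real request; that remains a job for payload inspection or size limits.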