
Re: [FW1] ICMP Traffic Security Issues



Just a couple of thoughts on this.

It seems to me that I have heard people say that Checkpoint does have code to treat ICMP "statefully" in the same manner as it does UDP, but it only includes this code in the ruleset when the accept ICMP property is set. Since normally you would not want to allow this across the board, the suggestions I have seen are to enable the property, set it to "LAST" so it compiles behind your "drop all" rule, and then add whatever rule you originally intended to add to allow the pings you wanted in the first place. Since doing this would cause ICMP to be "stateful", responses should be allowed to any ping that is allowed.

With regard to the topic of hackers using ICMP: ICMP allows for various size packets to be sent when doing ping. The firewall does not look at the contents of that packet - just that it is ICMP. It is possible for a Trojan horse program to craft its own packet and put whatever it wants in the payload, then simply use ICMP to send it. This has been done to the extent that someone out in hackerdome actually was able to establish the equivalent of a telnet session tunneled entirely through ICMP. I don't have the specifics, but I do remember reading about it. Perhaps someone can point out that this was simply an urban myth - that would be great, but it sounds possible to me.

Bill

CryptoTech wrote:

> Jaime,
> In the current release, (and I believe in all previous releases of FireWall-1,) ICMP
> packets are inspected on an instance by instance basis.  So simply having a rule in
> that says internal    any    icmp-proto    accept will not allow responses to those
> same pings.  My Check Point rep has informed me that a new release will allow for
> 'intelligent/stateful' handling of ping requests as well.
>
> I am most likely not as up to date as some of the ISS or intrusion specialists here,
> but I have never heard of 'smuggling' over icmp, but icmp does give attackers a
> clear and easy way to see what devices you have to start probing for an attack.
> Also remember that CheckPoint is only allowing a subset of icmp packet types (I
> believe icmp type 8 (echo request) and type 0 (echo response.))
>
> Cheers,
> CryptoTech
>
> "Fontelera, Jaime C." wrote:
>
> > I'm currently blocking both incoming/outgoing ICMP packets from our network.
> > I have a net admin who wants pinging and traceroute packets enabled going
> > out. But I'm kind of hesitant at this point because of the security issues.
> >
> > I've read in a book somewhere that ICMP packets can be exploited by an
> > attacker to smuggle data through a site whose firewall ONLY allows outbound
> > echo requests by sending echo responses even when they haven't seen a
> > request.  It is a way for the attacker to maintain connections to a
> > compromised site.
> >
> > What's your opinion on this ?
> >
> > Thanks.
> > Jaime
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================
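As an added illustration of the "stateful" ICMP handling Bill and CryptoTech discuss (example code written for this page, not Check Point's own), here is a small Python model that admits an echo reply only when it answers an echo request the inside already sent, and drops the unsolicited replies Jaime's book warned about. The internal prefix, the 64-byte payload limit used to flag oversized pings, and the addresses in the trace are assumed/constructed values.

```python
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP types mentioned in the thread


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    icmp_type: int
    ident: int          # echo identifier
    seq: int            # echo sequence number
    payload_len: int    # bytes following the 8-byte ICMP header


class StatefulIcmpFilter:
    """Hypothetical model of stateful echo handling: a reply passes only
    if it matches a request that left the internal network first."""

    def __init__(self, internal_prefix, max_payload=64):
        self.internal_prefix = internal_prefix   # assumed, e.g. "10.0.0."
        self.max_payload = max_payload           # assumed sanity limit on echo payload
        self.pending = set()                     # (inside, outside, ident, seq)

    def decide(self, pkt):
        outbound = pkt.src.startswith(self.internal_prefix)
        if pkt.icmp_type == ECHO_REQUEST and outbound:
            if pkt.payload_len > self.max_payload:
                return "drop: oversized echo payload"
            self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "accept"
        if pkt.icmp_type == ECHO_REPLY and not outbound:
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if key in self.pending:
                self.pending.discard(key)        # one reply per request
                return "accept"
            return "drop: unsolicited echo reply"
        return "drop: not a permitted ICMP type/direction"


def run_demo():
    """Constructed trace: a legitimate ping, an unsolicited reply,
    a replayed reply and an oversized request. Returns the decisions."""
    fw = StatefulIcmpFilter("10.0.0.")
    trace = [
        Icmp("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 1, 56),
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1, 56),
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 2, 56),
        Icmp("198.51.100.7", "10.0.0.5", ECHO_REPLY, 0x1234, 1, 56),
        Icmp("10.0.0.5", "198.51.100.7", ECHO_REQUEST, 0x1234, 3, 1400),
    ]
    return [fw.decide(p) for p in trace]
```

Real ping tools vary their payload size and some operating systems legitimately send larger echoes, so the payload threshold is a tuning knob rather than a fixed rule.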


