1)
regardless of ANY configuration you have....if you only have a single T1 for
your internet connection and someone sends 50megabits/sec of
data
to ANY address on your subnet, your entire internet connection will be DoS'd...a
firewall will NOT help you.
2) If
someone gleans some information about your internal network and should decide to
target a particular host in your network they can
spoof
the RFC1918 address of the internal victim and use that as the source address in
a packet sent to host that you have made public.
This
is one reason why you need to have anti-spoofing configured properly and why you
need to not allow bastions to talk to your internal
network...and also a reason why you should use a SMTP
security server and slap new headers on all your email traffic since the
internal
relays
have likely put their RFC1918 addresses in the headers.
Stuff
like:
Received: from guru
(dialup-63.214.70.156.Dial1.Boston1.Level3.net
[63.214.70.156])
Only
you are using a dialup connection and if you were sending from office exchange
server you would likely see it's address in the
headers had you not cleaned them
up...
Carl,
I must be losing you somewhere. Please
explain to me how someone would be able to flood any address on your internal
network if you are using illegal ip addresses. From my experiences when
we, sitting on the outside network, even try to hit and RFC address a router
somewhere along the way sends back a reply message stating that the network is
unreachable. If you're running a network with all routable IP's that can
be reached from the outside world then I can understand your point, but if
that is the case is this not the reason why you put a firewall between
yourself and the outside world. A properly configured firewall, while
not able to provide 100% protection but used in conjunction with the
assistance of one or another intrusion detection device, should be able to
provide against such attacks. With these two in place a service connect
scan would give you open ports the firewall is listening for on
behalf of the internal machines, and once again I say a
properly configured FW can help prevent from people being able to exploit
these.
A security policy will only give you ample
protection from the people you've kept in mind while configuring it, but of
course this is something that we all, as the security minded
professionals that we are, always keep in mind,
right.
Juan Concepcion Network Engineer/Security Consultant CCSA/CCSE E-Mail:
[email protected]
If
it's just a DDoS, they can flood a single address (in use or not) on your
subnet and
have the affect of killing your entire subnet if
you can't handle the traffic load.
There are other ways of scanning/finding hosts than
just using ICMP.
1)
you can just do a service connect scan.
2)
you can dig into their DNS zone and see what you can find. Often people will
use a
naming scheme which you can infer other hostnames
from. etc. Sometimes they
might just return ALL
records...
People can't attack what they can't
see/detect.
Juan Concepcion Network Engineer/Security Consultant CCSA/CCSE E-Mail:
[email protected]
How does blocking ICMP make my firewall
more secure?
|