1)
regardless of ANY configuration you have....if you only have a single T1 for
your internet connection and someone sends 50megabits/sec
of
data
to ANY address on your subnet, your entire internet connection will be
DoS'd...a firewall will NOT help you.
2)
If someone gleans some information about your internal network and should
decide to target a particular host in your network they
can
spoof the RFC1918 address of the internal victim and
use that as the source address in a packet sent to host that you have made
public.
This
is one reason why you need to have anti-spoofing configured properly and why
you need to not allow bastions to talk to your internal
network...and also a reason why you should use a SMTP
security server and slap new headers on all your email traffic since the
internal
relays have likely put their RFC1918 addresses in the
headers.
Stuff like:
Received: from guru
(dialup-63.214.70.156.Dial1.Boston1.Level3.net
[63.214.70.156])
Only
you are using a dialup connection and if you were sending from office exchange
server you would likely see it's address in the
headers had you not cleaned them
up...
Carl,
I must be losing you
somewhere. Please explain to me how someone would be able to flood any
address on your internal network if you are using illegal ip
addresses. From my experiences when we, sitting on the outside
network, even try to hit and RFC address a router somewhere along the way
sends back a reply message stating that the network is unreachable. If
you're running a network with all routable IP's that can be reached from the
outside world then I can understand your point, but if that is the case is
this not the reason why you put a firewall between yourself and the outside
world. A properly configured firewall, while not able to provide 100%
protection but used in conjunction with the assistance of one or
another intrusion detection device, should be able to provide against such
attacks. With these two in place a service connect scan would give you
open ports the firewall is listening for on behalf of
the internal machines, and once again I say a properly
configured FW can help prevent from people being able to exploit
these.
A security policy will only give
you ample protection from the people you've kept in mind while configuring
it, but of course this is something that we all, as the security minded
professionals that we are, always keep in mind,
right.
Juan Concepcion Network Engineer/Security Consultant CCSA/CCSE E-Mail:
[email protected]
If it's just a DDoS, they can flood a single
address (in use or not) on your subnet and
have the affect of killing your entire subnet if
you can't handle the traffic load.
There are other ways of scanning/finding hosts
than just using ICMP.
1) you can just do a service connect
scan.
2) you can dig into their DNS zone and see what
you can find. Often people will use a
naming scheme which you can infer other hostnames
from. etc. Sometimes they
might just return ALL
records...
People can't attack what they can't
see/detect.
Juan Concepcion
Network Engineer/Security Consultant
CCSA/CCSE
E-Mail:
[email protected]
How does blocking ICMP make my firewall
more secure?