
RE: [FW1] ICMP redirect



I discuss ICMP Redirects and their risks in my book (Network Application
Frameworks, page 129). It is intended for situations where a LAN has
more than one connected router, and an IP device such as a workstation
is configured to always direct datagrams destined for another IP
subnetwork to a  single default router on its connected LAN.  If this
default router recognizes that it does not have the lowest-cost route to
the destination, it will inform the workstation via an ICMP redirect
packet to send its datagrams to the other IP router on the same IP
subnetwork having the lower-cost route. The workstation will extract the
IP address of the lower-cost IP router from the ICMP redirect packet,
send an ARP request on the LAN to determine the physical address of the
lower-cost IP router, and then forward the appropriate datagrams to it.

Despite its good intentions, the ICMP redirect feature can present a
security risk.  If you don't need it, it should be disabled in your
routers/network.  It can allow a hacker to send phony redirect messages
to your routers and workstations, forcing them to route traffic through
the hacker's computer.

Regards,
Eric
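The mechanism Eric describes above (a router telling a host to use a different first-hop on the same subnet) is exactly what a spoofed redirect abuses, and the standard host-side defence is to validate each redirect before acting on it. The following is an added example, not code from the mailing-list post or from Check Point: it builds a constructed IPv4/ICMP type 5 packet for test input, parses it, and applies the RFC 1122 host rules (the redirect must come from the current first-hop gateway and the new gateway must be on the directly connected network) plus a site allowlist of trusted routers, which is the "specific router" case from the original question. All addresses are RFC 5737 documentation addresses chosen here; the function names are this example's own.

```python
"""Validate ICMPv4 Redirect (type 5) messages the way a cautious host should.

Added example. Addresses, packets and function names are constructed for
illustration and are not taken from the mailing-list thread.
"""
import ipaddress
import struct

IP_PROTO_ICMP = 1
ICMP_REDIRECT = 5


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for data that already carries a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(src_router: str, dst_host: str, new_gateway: str,
                   orig_dst: str, orig_src: str) -> bytes:
    """Construct an IPv4 packet carrying an ICMP Redirect (code 1 = host redirect). Test input only."""
    packed = lambda a: ipaddress.ip_address(a).packed
    # The redirect carries the original datagram's IP header plus 8 bytes of its payload.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IP_PROTO_ICMP, 0,
                        packed(orig_src), packed(orig_dst)) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, 1, 0, packed(new_gateway)) + inner
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IP_PROTO_ICMP, 0,
                     packed(src_router), packed(dst_host))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_redirect(packet: bytes):
    """Return (src_router, code, new_gateway, original_destination) or None if not a valid redirect."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_ICMP or len(packet) < ihl + 8 + 20:
        return None                      # not ICMP, or too short to hold the embedded IP header
    icmp = packet[ihl:]
    if inet_checksum(icmp) != 0:
        return None                      # corrupted or badly forged: checksum does not verify
    if icmp[0] != ICMP_REDIRECT or icmp[1] > 3:
        return None                      # codes 0..3 are the only defined redirect codes
    src = str(ipaddress.ip_address(packet[12:16]))
    new_gw = str(ipaddress.ip_address(icmp[4:8]))
    orig_dst = str(ipaddress.ip_address(icmp[8 + 16:8 + 20]))
    return src, icmp[1], new_gw, orig_dst


def evaluate_redirect(packet: bytes, host_ip: str, netmask: str,
                      current_gateway: str, trusted_routers: set):
    """Apply RFC 1122 section 3.2.2.2 host checks and a local allowlist. Returns (accept, reason)."""
    parsed = parse_redirect(packet)
    if parsed is None:
        return False, "not a well-formed ICMP redirect"
    src, code, new_gw, orig_dst = parsed
    lan = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    if src != current_gateway:
        # A redirect may only come from the router we currently send this traffic to.
        return False, f"redirect from {src}, but current first-hop gateway is {current_gateway}"
    if ipaddress.ip_address(new_gw) not in lan:
        # The new gateway must be reachable on the directly connected subnet.
        return False, f"new gateway {new_gw} is not on the connected network {lan}"
    if src not in trusted_routers or new_gw not in trusted_routers:
        # Site policy: only routers we operate may steer our traffic.
        return False, f"{src} -> {new_gw} involves a router that is not allowlisted"
    return True, f"accept: send traffic for {orig_dst} via {new_gw} (code {code})"


HOST, MASK, GATEWAY = "192.0.2.10", "255.255.255.0", "192.0.2.1"   # constructed LAN
TRUSTED = {"192.0.2.1", "192.0.2.2"}                              # routers we operate


def run_demo():
    """Exercise a legitimate redirect, a spoofed source, and an off-subnet gateway."""
    cases = {
        "legit":     build_redirect("192.0.2.1", HOST, "192.0.2.2", "198.51.100.5", HOST),
        "spoofed":   build_redirect("192.0.2.99", HOST, "192.0.2.99", "198.51.100.5", HOST),
        "off_net":   build_redirect("192.0.2.1", HOST, "203.0.113.7", "198.51.100.5", HOST),
        "truncated": b"\x45" * 10,
    }
    return {name: evaluate_redirect(pkt, HOST, MASK, GATEWAY, TRUSTED) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_demo().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The allowlist check is the piece a firewall rule for "redirects from one specific router" expresses at the perimeter; the two RFC 1122 checks are what the host itself should enforce, and on Linux hosts the usual way to stop the kernel from honouring redirects at all is the `net.ipv4.conf.all.accept_redirects` sysctl set to 0.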

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
Reed Mohn, Anders
Sent: Tuesday, July 10, 2001 8:53 AM
To: Fw-1-Mailinglist (E-mail)
Subject: [FW1] ICMP redirect




I've already configured our FW to only accept
certain ICMP packets, but what about ICMP redirect?
Is there any compelling reason not to allow this?
(apart from the same reasons as for other ICMP packets...)

I need to let through ICMP redirect from a specific router,
but would like to avoid creating a separate rule for it (my rule base is
growing too much..). 
I'm hoping to get away with just adding it to my "generally
accepted" incoming ICMP types.

Cheers,
Anders :)


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.