At 09:25 AM 6/14/00 -0700, Drew Streib wrote:
>On Wed, Jun 14, 2000 at 09:08:19AM -0700, Wayne wrote:
> > In reality, many security audit advisors warn companies to
> > block ICMP messages totally, either at their router or firewall.
> > So ICMP messages from clients will never get to servers anyway.
>
>In reality, this is also considered bad practice and isn't compliant
>with several standards. ICMP route detection is extremely important
>to some networks. Turning off specific ICMP message types is more
>courteous. :)
Then you may want to make some suggestions to ICSA -- the International
Computer Security Association, which certifies sites to be ICSA certified.
They require you to turn ICMP off unless your site cannot work without
it; otherwise they will not certify you. The reason is that ICMP is
not authenticated, so intruders can use it as well.