I have always been told what Drew suggests. Rusty Nelson, I believe,
covered this on the netfilter list some time back. ICMP is used for very
useful things and can actually hurt your network if blocked completely. I
like Rusty's explanation better. I'm sure someone on here can get more
specific.
-jeremy
> At 09:25 AM 6/14/00 -0700, Drew Streib wrote:
> >On Wed, Jun 14, 2000 at 09:08:19AM -0700, Wayne wrote:
> > > In reality, many security audit advisors warn companies to
> > > block ICMP message totally, either at their router or firewall.
> > > So ICMP messages from clients will never get to servers anyway.
> >
> >In reality, this is also considered bad practice and isn't compliant
> >with several standards. ICMP route detection is extremely important
> >to some networks. Turning off specific ICMP message types is more
> >courteous. :)
>
>
> Then you may want to make some suggestions to ICSA -- the International
> Computer Security Association, which certifies sites as ICSA certified.
> They require you to turn ICMP off unless your site cannot work without
> it; otherwise they will not certify you. The reason is that ICMP is
> not authenticated, so intruders can use it as well.
>
>
>
--
http://www.xxedgexx.com | jeremy@xxxxxxxxxxxx
---------------------------------------------
|
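As an added example (not from this thread or any of its authors), here is a constructed Python model of the two policies argued over above: dropping all ICMP versus keeping only the message types a network depends on. The allow-list, the type constants and the test packets are assumptions for illustration; the checksum check follows RFC 1071.

```python
"""Selective ICMPv4 filtering: drop nuisance types, keep the ones networks rely on."""
import struct

# RFC 792 type numbers used below.
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11

# Assumed inbound allow-list: None = every code, a set = only those codes.
# Destination-unreachable code 4 ("fragmentation needed") carries Path MTU
# Discovery; time-exceeded is what traceroute relies on; echo-reply answers our
# own pings. Redirects, timestamps and inbound echo requests are not listed, so
# they are dropped. Anything not listed is dropped too.
SELECTIVE_ALLOW = {
    ECHO_REPLY: None,
    DEST_UNREACH: {0, 1, 3, 4},   # net, host, port unreachable, frag needed
    TIME_EXCEEDED: None,
}


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words; a valid message sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Build a constructed ICMPv4 message with a correct checksum (test input)."""
    body = rest + payload
    csum = rfc1071_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def filter_icmp(pkt: bytes, block_all: bool = False) -> str:
    """Return 'ACCEPT' or 'DROP' for one ICMPv4 message.

    block_all=True is the "turn ICMP off" policy; False is the selective one.
    """
    if len(pkt) < 8 or rfc1071_checksum(pkt) != 0:
        return "DROP"                      # truncated or corrupted: never trust it
    if block_all:
        return "DROP"
    icmp_type, code = struct.unpack("!BB", pkt[:2])
    codes = SELECTIVE_ALLOW.get(icmp_type, set())   # unknown type -> empty -> drop
    return "ACCEPT" if codes is None or code in codes else "DROP"
```

Under the selective policy the "fragmentation needed" message that Path MTU Discovery depends on still gets through, while under the block-everything policy it is silently lost.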