|
Is easy to turn off specific ICMP messages? Maybe that is a good
suggestion we can make to ICSA.
At 01:52 PM 6/14/00 -0400, Jeremy Hansen wrote:
>I have always been told what Drew suggests. Rusty Nelson I believe
>covered this on the netfilter list some time back. ICMP are used for very
>useful things and can actually hurt your network if blocked completely. I
>like Rusty's explanation better. I'm sure someone on here can get more
>specific.
>
>-jeremy
>
> > At 09:25 AM 6/14/00 -0700, Drew Streib wrote:
> > >On Wed, Jun 14, 2000 at 09:08:19AM -0700, Wayne wrote:
> > > > In reality, many security audit advisors warn companies to
> > > > block ICMP message totally, either at their router or firewall.
> > > > So ICMP messages from clients will never get to servers anyway.
> > >
> > >In reality, this is also considered bad practice and isn't compliant
> > >with several standards. ICMP route detection is extremely important
> > >to some networks. Turning off specific ICMP message types is more
> > >courteous. :)
> >
> >
> > Then you may want to make some suggestions to ICSA -- International
> > Computer Security Association which certify sites to be ICSA certified,
> > they require you to turn ICMP off, unless your site can not work without
> > it, otherwise they will not certify you. The reason is that ICMP is
> > not authenticated, so that the intruders can use it as well.
> >
> >
> >
>
>--
>
>http://www.xxedgexx.com | jeremy@xxxxxxxxxxxx
>---------------------------------------------
>
>
|
