PA2AGA > TCPDIG 09.07.97 11:14l 141 Lines 5010 Bytes #-10571 (0) @ EU
BID : TCP_97_39A
Read: GUEST
Subj: TCP-Group Digest 97/39A
Path: DB0RGB<DB0ABH<DB0SRS<DB0ZDF<DB0AIS<DB0NDK<DB0RWI<PI8JOP<PI8ZAA<PI8HWB<
PI8VAD<PI8VNW
Sent: 970709/0201Z @:PI8VNW.#ZH2.NLD.EU #:10353 [Hoek v Holland] FBB5.15c
From: PA2AGA@PI8VNW.#ZH2.NLD.EU
To : TCPDIG@EU
Received: from pa2aga by pi1hvh with SMTP
id AA37867 ; Wed, 09 Jul 97 00:44:54 UTC
Received: from pa2aga by pa2aga (NET/Mac 2.3.62/7.1) with SMTP
id AA00002500 ; Tue, 15 Apr 97 22:14:57 MET
Received: from pa2aga-1 by pa2aga with SMTP
id AA00002471 ; Tue, 15 Apr 97 22:11:04 MET
Received: from pa2aga-1 by pa2aga-1 (NET/Mac 2.3.62/7.6.1) with SMTP
id AA00009369 ; Tue, 15 Apr 97 22:11:03 MET
Date: Tue, 15 Apr 97 22:05:19 MET
Message-Id: <tcp_97_39A>
From: pa2aga
To: tcp_broadcast@pa2aga-1
Subject: TCP-Group Digest 97/39A
X-BBS-Msg-Type: B
TCP-Group Digest Tue, 15 Apr 97 Volume 97 : Issue 39
Today's Topics:
TCP-Group Digest V97 #38
What Protocole traceroute use ? (5 msgs)
Send Replies or notes for publication to: <TCP-Group@UCSD.Edu>.
Subscription requests to <TCP-Group-REQUEST@UCSD.Edu>.
Problems you can't solve otherwise to brian@ucsd.edu.
Archives of past issues of the TCP-Group Digest are available
(by FTP only) from ftp.UCSD.Edu in directory "mailarchives".
We trust that readers are intelligent enough to realize that all text
herein consists of personal comments and does not represent the official
policies or positions of any party. Your mileage may vary. So there.
----------------------------------------------------------------------
Date: Mon, 14 Apr 1997 23:08:06 -0700 (PDT)
From: jmorriso@bogomips.com (John Paul Morrison)
Subject: TCP-Group Digest V97 #38
>
> Date: Sun, 13 Apr 1997 23:43:27 +0000 (UTC)
> From: Phil Karn <karn@qualcomm.com>
> Subject: What Protocole traceroute use ?
>
> >Actually it's a good idea to block ICMP at firewalls for security reasons.
>
> Why?
>
> Aside from being able to tell how many computers you have on your
> network, and possibly mounting a denial-of-service attack if your link
> is a slow one, I don't really see the problem with ICMP. And it's quite
> handy to be able to see ICMP unreachables when you're trying to diagnose
> a network problem.
They could also send ICMP redirects that could confuse the hell
out of your hosts. Filtering routers can block redirects though,
and pass the more harmless ICMP. Plenty of "mature" Unixes can
still be crashed by simple pings from lowly Windows 95 boxes,
unless you have the right patches.
>
> I still dream of the day when firewalls are obsoleted by decent host
> security.
Between Sendmail, most other default Unix network software and
protocols, and anything written by Microsoft, this day will
probably be never.
(I share your sentiment though)
>
> Phil
>
>
---------------------------------------------------------------------------
BogoMIPS Research Labs -- bogosity research & simulation -- VE7JPM --
jmorriso@bogomips.com ve7jpm@ve7jpm.ampr.org jmorriso@ve7ubc.ampr.org
---------------------------------------------------------------------------
------------------------------
Date: Mon, 14 Apr 97 14:54:00 -0000
From: mikebw@bilow.bilow.uu.ids.net (Mike Bilow)
Subject: What Protocole traceroute use ?
Phil Karn wrote in a message to Mike Bilow:
>Actually it's a good idea to block ICMP at firewalls for security reasons.
PK> Why?
PK> Aside from being able to tell how many computers you have on
PK> your network, and possibly mounting a denial-of-service
PK> attack if your link is a slow one, I don't really see the
PK> problem with ICMP. And it's quite handy to be able to see
PK> ICMP unreachables when you're trying to diagnose a network
PK> problem.
I agree with Phil on this: ICMP generally need not be restricted. There is a
vulnerability to a denial-of-service attack, but even this is really only an
issue if the firewall does not protect against fake source IP addresses. In
particular, frames claiming to be originated from the local subnet should not
be routed through the firewall destined for the local subnet, but this is a
protection applicable to all IP frames and not specific to ICMP.
PK> I still dream of the day when firewalls are obsoleted by
PK> decent host security.
I don't think this can ever happen. If nothing else, a firewall centralizes
many of the security concerns into one place, and it is inherently easier to
manage. If host security is relied upon, then a single host out of thousands
could lead to a security compromise of the entire network.
-- Mike
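The two concrete rules argued above, John's "block redirects, pass the more harmless ICMP" and Mike's "drop frames claiming a local-subnet source when they arrive from outside, for all IP, not just ICMP", written out as a small stateless filter policy. This is an added example, not code from the digest or from any of its contributors. The inside prefix, the sample addresses (RFC 5737 documentation ranges) and the sample traffic are all constructed for illustration; the oversize-fragment rule stands in for the crash-by-ping problem John mentions and simply refuses any fragment whose end would lie past the 65535-byte IPv4 datagram limit.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed protected LAN behind the firewall's "inside" interface
# (RFC 5737 documentation prefix; hypothetical site).
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")

# ICMP type numbers (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_UNREACHABLE = 3
ICMP_REDIRECT = 5
ICMP_ECHO = 8
ICMP_TIME_EXCEEDED = 11

MAX_IP_DATAGRAM = 65535  # largest legal reassembled IPv4 datagram


@dataclass(frozen=True)
class Packet:
    iface: str              # "outside" (untrusted link) or "inside" (LAN)
    src: str
    dst: str
    proto: str              # "icmp", "tcp", "udp"
    icmp_type: Optional[int] = None
    frag_offset: int = 0    # IPv4 fragment offset, in 8-byte units
    frag_len: int = 0       # payload bytes carried by this fragment


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Evaluate the rules in order; return (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src)

    # Rule 1 (anti-spoofing; applies to every IP packet, not only ICMP):
    # nothing arriving on the outside link may claim an inside source address.
    if pkt.iface == "outside" and src in INSIDE_NET:
        return "drop", "spoofed inside source on outside interface"

    # Rule 2 (oversize fragment): a fragment whose end would lie beyond
    # 65535 bytes can only belong to a malformed datagram; drop it before
    # any host behind the firewall tries to reassemble it.
    if pkt.frag_offset * 8 + pkt.frag_len > MAX_IP_DATAGRAM:
        return "drop", "fragment extends past maximum datagram size"

    if pkt.proto != "icmp":
        return "accept", "non-ICMP traffic, left to the site's other rules"

    # Rule 3: ICMP redirects from the untrusted side rewrite host routing
    # tables, so they are never accepted there.
    if pkt.icmp_type == ICMP_REDIRECT and pkt.iface == "outside":
        return "drop", "ICMP redirect from outside"

    # Rule 4: the diagnostically useful ICMP (unreachables, time-exceeded
    # for traceroute, echo and echo-reply) passes.
    if pkt.icmp_type in (ICMP_ECHO_REPLY, ICMP_UNREACHABLE, ICMP_ECHO, ICMP_TIME_EXCEEDED):
        return "accept", "diagnostic ICMP type %d" % pkt.icmp_type

    return "drop", "ICMP type %s not on the allow list" % pkt.icmp_type


# Constructed sample traffic (not captured from any real network).
SAMPLE = [
    Packet("outside", "198.51.100.7", "192.0.2.10", "icmp", ICMP_UNREACHABLE),
    Packet("outside", "198.51.100.7", "192.0.2.10", "icmp", ICMP_TIME_EXCEEDED),
    Packet("outside", "198.51.100.7", "192.0.2.10", "icmp", ICMP_REDIRECT),
    # Forged inside source aimed at the inside broadcast address.
    Packet("outside", "192.0.2.1", "192.0.2.255", "icmp", ICMP_ECHO),
    # Final fragment of an echo that would reassemble to 67012 bytes.
    Packet("outside", "198.51.100.7", "192.0.2.10", "icmp", ICMP_ECHO,
           frag_offset=8189, frag_len=1500),
    Packet("inside", "192.0.2.10", "198.51.100.7", "icmp", ICMP_ECHO),
    Packet("outside", "198.51.100.7", "192.0.2.10", "tcp"),
]


def run_sample() -> List[str]:
    """Return the verdict for each packet in SAMPLE, in order."""
    return [filter_packet(p)[0] for p in SAMPLE]


if __name__ == "__main__":
    for p in SAMPLE:
        verdict, reason = filter_packet(p)
        print(f"{verdict:6s} {p.iface:7s} {p.src:>14s} -> {p.dst:<14s} {p.proto:4s} {reason}")
```

Rule order matters: the anti-spoofing check runs first so that a forged inside source cannot reach the ICMP allow list at all, which is exactly the point that the spoofing protection is a property of all IP filtering rather than of ICMP handling.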
------------------------------
Date: Mon, 14 Apr 1997 20:34:58 +0000 (GMT)
From: Ron Atkinson <n8fow@hamgate.cc.wayne.edu>
Subject: What Protocole traceroute use ?
My mailer said Phil Karn said this:
>
> >Actually it's a good idea to block ICMP at firewalls for security reasons.
>
> Why?
>
> Aside from being able to tell how many computers you have on your
> network, and possibly mounting a denial-of-service attack if your link
> is a slow one, I don't really see the problem with ICMP. And it's quite
> handy to be able to see ICMP unreachables when you're trying to diagnose
To be continued in digest: tcp_97_39B