NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] ICMP Stateful or NOT ?



Yeah, I have the stevens books and they are the bibles for me (funny they have very
little coverage of bootp/dhcp in volume 1&2) but anyway....

I already do define icmp rules for request in one direction, reply only in the other etc etc.
but that is not my point.....my point is that from what I have been reading you must
write some custom inspect code to make this occur in a statefull manner.

In other words, a REPLY should not be allowed to be sent unless a state entry has
already been defined for a prior REQUEST which it is in reply to.
It sounds to me like if I define a rule that allows icmp-reply from the outside, I could
fabricate icmp packets with the proper type code and it would just forward them
right thru my firewall without any stateful inspection.

Am I missing something here?

As far as I am concerned, ICMP is far too easy a way to move data around under
the radar, but it is really hard to just completely turn it off. 


----- Original Message ----- 
From: "Jon Vandiveer" <[email protected]>
To: <[email protected]>
Sent: Wednesday, January 10, 2001 2:45 PM
Subject: [FW1] ICMP Stateful or NOT ?


> 
> ICMP, statefully inspected, ummm  NO
> 
> Check out TCP/IP Illustrated... (i.e. read it......)
> 
> There are ~17 types of ICMP messages ( that I know of)
> 
> If you want to controll ICMP, YOU will need to setup a rule of your own
> devising:
> maybe something like this.....
> 
> S    D    S                                    A
> X    Y    ICMP Echo Request    Allow
> Y    X    ICMP Echo Reply        Allow
> 
> 
> 
> Date: Wed, 10 Jan 2001 09:59:40 -0500
> From: [email protected] (Carl E. Mankinen)
> Subject: [FW1] ICMP Stateful or NOT ?
> 
> I seem to be reading quite a bit that even 4.X does not use stateful
> inspection
> for ICMP requests. Is this in fact the case, or has CheckPoint corrected
> this
> in the latest releases?
> 
> For them to say that ICMP packets are harmless and thus do not require
> stateful inspection is beyond belief (having my doubts they actually said
> this...)
> ICMP is a perfect method for tunneling control connections for trojans, or
> for sending obscured hashed data containing information you wouldn't like
> exposed.
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.