NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW1] ICMP Stateful or NOT ?



Hi Lance,

You are right about ICMP ..... but only one of the Developers in Isreal
could "enlighten us" further.
I think the only effective use of those tables is CPMAD.....

Yes it would be nice to write some inspect script to tie the tables together
and include a timeout........ but that is not my strong point, i.e. I'm
going to leave that upto someone else, who doesn't mind voiding their
support contract.

Jon



Date: Wed, 10 Jan 2001 20:51:43 -0600 (CST)
From: Lance Spitzner <[email protected]>
Subject: Re: [FW1] ICMP Stateful or NOT ?

On Wed, 10 Jan 2001, Carl E. Mankinen wrote:

> I seem to be reading quite a bit that even 4.X does not use stateful
inspection
> for ICMP requests. Is this in fact the case, or has CheckPoint corrected
this
> in the latest releases?
>
> For them to say that ICMP packets are harmless and thus do not require
> stateful inspection is beyond belief (having my doubts they actually said
this...)
> ICMP is a perfect method for tunneling control connections for trojans, or
> for sending obscured hashed data containing information you wouldn't like
exposed.

To the best of my knowledge, no.  I have not been able to identify any ICMP
state
table in the kernel memory.  I have identified 4 tables within memory that
potenitally track ICMP.  However, after testing these 4 tables, they do not
appear to do any statefull tracking of ICMP.  I would greatly appreciate
anyone
who could provide more information.

The four tables in question:

firewall #fw tab -s | grep -i icmp
localhost             icmp_connections              50      0
localhost             icmp_requests                 51      4
localhost             icmp_replies                  52      4
localhost             icmp_errors                   53      5

thanks!

lance




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.