[olug] help with iptables firewall

Dave Hull dphull at gmail.com
Fri Jul 27 16:22:31 UTC 2007


We'll have to agree to disagree. SANS has a good reputation in the
information security space and if the recommendation is made by them,
you can bet it's been vetted by security professionals around the
world.

I do information security for a living and I've seen literally dozens
of environments where the info sec professionals in companies and
organizations block ICMP at the border of their network except for
machines in a DMZ. There's simply no reason to allow attackers to use
ping to map your internal network.

Blocking ICMP echo requests for machines behind a firewall is not
security by obscurity any more than keeping the doors to the machine
room locked is security by obscurity. There's a common misconception
about security by obscurity. Obscurity is fine if it's an additional
layer in your defense in depth. What you don't want is for obscurity
to be your only layer of defense.

Great tacticians use obscurity all of the time to disguise troop
movements in battle or to foil moles in a company with bogus product
development plans, etc.

Why should an individual in Korea be allowed to ping a host behind
your firewall? What purpose does it serve besides giving them
information about your internal network? If your network is
sufficiently large, say a /16 but you only occupy 20K of the 65K
addresses, why would you want to give an attacker definitive
information about which of the 65K addresses you're using?

Would you also hang a sign on the door of your house telling burglars
that the valuables are stored on the top closet shelf in your room?

-- 
Dave Hull
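A concrete form of the border policy described in this post (drop inbound ICMP echo requests at the firewall except for hosts in the DMZ), as an added example that is not part of the original thread. The interface name `eth0` and the DMZ subnet `203.0.113.0/28` are placeholder assumptions; the rule generator is a helper written for this example, not a tool from the list.

```shell
#!/bin/sh
# Added example, not from the original OLUG thread. Emits iptables rules that
# drop Internet-sourced echo requests to everything behind the firewall except
# the DMZ, while keeping the ICMP error types that established flows rely on
# (path-MTU discovery in particular). Interface and subnet are placeholders.

# Print the rules for a given external interface and DMZ subnet.
# Usage: gen_icmp_rules <wan_if> <dmz_cidr>
gen_icmp_rules() {
    wan_if=$1
    dmz_net=$2
    cat <<EOF
# Echo requests from the Internet may reach DMZ hosts only (rate limited)
iptables -A FORWARD -i $wan_if -d $dmz_net -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Nothing else behind the firewall, nor the firewall itself, answers pings from outside
iptables -A FORWARD -i $wan_if -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i $wan_if -p icmp --icmp-type echo-request -j DROP
# Keep PMTUD and traceroute replies working: destination-unreachable (incl.
# fragmentation-needed) and time-exceeded tied to connections we initiated
iptables -A FORWARD -i $wan_if -p icmp --icmp-type destination-unreachable -m state --state RELATED -j ACCEPT
iptables -A FORWARD -i $wan_if -p icmp --icmp-type time-exceeded -m state --state RELATED -j ACCEPT
EOF
}

# Sanity check: how many generated rules drop echo requests outright.
count_drop_rules() {
    gen_icmp_rules "$1" "$2" | grep -c -- '--icmp-type echo-request -j DROP'
}

# Apply only when explicitly asked (needs root); otherwise just print the rules.
if [ "${1:-}" = "--apply" ]; then
    gen_icmp_rules "${2:-eth0}" "${3:-203.0.113.0/28}" | sh
else
    gen_icmp_rules "${1:-eth0}" "${2:-203.0.113.0/28}"
fi
```

Run without arguments to review the rules before applying them; the DMZ ACCEPT must precede the DROP, which the generator guarantees by emitting it first.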
