[olug] VNC w/Qwest
Benjamin Watson
bwatson1979 at gmail.com
Tue Oct 16 04:13:44 UTC 2007
The way I learned it, when standing up a firewall, configure it to
block everything, then slowly open up the ports you need. When it
comes to opening up ports, even that may be restricted to allow
traffic between distinct IPs/MACs/Hostnames.
As a person who works for the DoD, I can tell you that you need a
strong business justification for the IA (information assurance) shop
to open up ports on their firewall for you.
I can understand allowing ICMP traffic within your private side, but
from the outside in has been a "no no" everywhere I've worked. To
that end, I typically find that DMZ servers are themselves configured
not to respond to ICMP and have statically assigned IPs.
Just my two cents.
On 10/15/07, Dave Hull <dphull at gmail.com> wrote:
> On 10/15/07, Luke -Jr <luke at dashjr.org> wrote:
>
> > ICMP is a network infrastructure protocol. Networking standards assume it is
> > always in place. For example, DHCP uses pings to determine if an address is
> > in use. IP autoconfiguration generally will not work at all without ICMP.
> > Even if you do not need these standards, disabling ICMP is still broken.
>
> In all of the configurations I've seen, DHCP servers are behind the
> firewalls that block ICMP along with the hosts that they give
> addresses to, so the DHCP servers are able to ping hosts as needed.
> That said, I don't see very many DHCP servers that actually ping hosts
> to determine if the address is in use. The RFCs say that the servers
> MAY or SHOULD use ICMP to determine if an address is in use. It's not
> required. In fact, if you check the ISC's DHCP server, you'll see
> there's an option for turning off ping checks.
>
> If you have a DHCP server that requires ICMP, you have a broken DHCP server.
>
> Blocking ICMP at the border of your network is the same as blocking
> any other protocol at the border of your network. If there's not a
> defined business need for allowing a protocol in and out of your
> network and there are security concerns related to that protocol, then
> don't allow it.
>
> If you're living in a world where ISPs are handing out /64s, where are
> you living? Japan? IPv6 is (sadly) still a ways off for most of us.
> This goes back to something a brilliant boss of mine used to say,
> "Deployment wins." Unfortunately, IPv4 is deployed and it's working
> for the vast majority of us. Going to IPv6 is like going to Vista,
> there's no compelling need.
>
> I did read something the other day that may change this, however.
> Apparently the U.S. Government is mandating the adoption of IPv6 by
> government run agencies. Anyone know anything more about this?
>
> --
> Dave Hull
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> http://lists.olug.org/mailman/listinfo/olug
>
More information about the OLUG
mailing list