[WEB4LIB] Network security and ICMP

Dan Lester dan at riverofdata.com
Thu Feb 8 18:35:05 EST 2001


Thursday, February 08, 2001, 3:43:39 PM, you wrote:

SP> The computer center at our college recently changed the college's
SP> firewall settings so that ICMP commands such as Ping and Traceroute
SP> cannot be sent OUT from our campus.

The same is true at Boise State and many other places.

SP> I understand why a site might want to block incoming ICMP.  Some sites
SP> do this to prevent denial-of-service attacks that are done with a flood
SP> of ping requests.  But I'm baffled as to how our security is enhanced by
SP> blocking OUTGOING pings and traceroutes.  And since I use these
SP> protocols for helping to diagnose specific problems, I'm trying to
SP> figure out if this setting is necessary or just over-cautious on the
SP> part of our IT people.

I've just talked with our university Computer Security Officer about
this, and:

1) It is a part of good citizenship on the net, which keeps your geeks
from running attacks on others.  There is upstream liability that
could cause your university serious damage.

2) There are LOKI attacks, out of band attacks, and others that can be
done from the outside if you allow outgoing, because you'd then have
to allow reply packets, which can be hacked in ways that can be used
to flood.

I'm sure that others can explain more in detail.  If Frank (our CSO)
told you any more, he'd have to shoot you.  (He had top secret level
computer security training at a defense contractor before coming
here).  If you want to know more, I can refer you to him.

SP> Is outgoing ping and traceroute a threat to a site?  Is blocking this
SP> routine?  I don't know how other campuses are set up with regard to
SP> their firewall and security measures.

See above.
cheers
dan


-- 
Dan Lester, Data Wrangler  dan at RiverOfData.com
3577 East Pecan, Boise, Idaho  83716-7115 USA
www.riverofdata.com  www.postcard.org  www.gailndan.com 
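
An added example, not part of the message above: one way a stateful filter can handle the reply-packet concern in point 2 is to admit an inbound echo reply only if it matches an outstanding outbound echo request, and to flag replies whose data differs from what was sent (RFC 792 requires the reply to return the request's data, so a mismatch is a covert-channel indicator of the LOKI kind). The names EchoTracker, build_echo and demo are hypothetical, the packets are constructed in memory and never sent, and 192.0.2.10 is a documentation address.

```python
import struct
ECHO_REQUEST, ECHO_REPLY = 8, 0

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    data += b"\x00" * (len(data) % 2)          # pad to a whole 16-bit word
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                         # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ICMP echo message (sample input only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(header + payload), ident, seq) + payload

class EchoTracker:
    """Remembers outbound echo requests and judges inbound echo replies."""
    def __init__(self):
        self.pending = {}  # (remote_ip, ident, seq) -> payload we sent

    def outbound(self, dst_ip: str, msg: bytes) -> None:
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
        if icmp_type == ECHO_REQUEST:
            self.pending[(dst_ip, ident, seq)] = msg[8:]

    def inbound(self, src_ip: str, msg: bytes) -> str:
        if len(msg) < 8 or checksum(msg) != 0:  # a valid message sums to zero
            return "drop: malformed"
        icmp_type, _, _, ident, seq = struct.unpack("!BBHHH", msg[:8])
        if icmp_type != ECHO_REPLY:
            return "drop: not an echo reply"
        sent = self.pending.pop((src_ip, ident, seq), None)  # one reply per request
        if sent is None:
            return "drop: unsolicited reply"
        if msg[8:] != sent:
            return "alert: payload differs from request"
        return "accept"

def demo():
    # Constructed traffic: two pings go out, three replies come back.
    t = EchoTracker()
    t.outbound("192.0.2.10", build_echo(ECHO_REQUEST, 7, 1, b"abcdefgh"))
    t.outbound("192.0.2.10", build_echo(ECHO_REQUEST, 7, 2, b"abcdefgh"))
    return [
        t.inbound("192.0.2.10", build_echo(ECHO_REPLY, 7, 1, b"abcdefgh")),
        t.inbound("192.0.2.10", build_echo(ECHO_REPLY, 7, 2, b"not-echo")),
        t.inbound("192.0.2.10", build_echo(ECHO_REPLY, 7, 3, b"abcdefgh")),
    ]
```

With this kind of state tracking, outgoing ping can be permitted without accepting arbitrary inbound echo replies.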



