On Wed, 4 Dec 2002, Justin Haase wrote:
>
> If you disagree, that's fine. I am going from direct experience, as
> well as input from numerous audits by internationally-recognized
> auditing firms.
>

I'm going from an in-depth knowledge of the TCP/IP protocol, as well as input from numerous engineers who designed the protocols, and the input of hackers who exploit them. As well as direct experience exploiting them myself. I've never dealt with an auditor, because I'm comfortable with my own knowledge of internet security.

> > It doesn't matter if your iSeries is directly connected to the internet,
> > or if it goes through a few routers first... as long as the packets get
> > there, they can be sniffed.
>
> Perhaps I wasn't clear. Internal network with no direct internet access was
> meaning either NAT or PAT, or perhaps even virtual IPs. Not just a router
> and firewall in between. I apologize for the vagueness. It could also mean
> NO internet access. Take it as you will.
>

NAT only partially protects you from a sniffer. You can still get the passwords, etc., but you can't get the IP of the machine. Instead you get the public IP used by NAT.

> > Turning off ICMP is a really bad idea. Without it, the TCP/IP protocol
> > cannot work as it was designed to.
>
> I and every auditor on the planet disagree with you on this statement. (and
> it works just fine w/o it)

If you only use your internet connection for simple things, then the only thing you'll notice immediately will be that you have to wait for connections to time out, instead of immediately failing with no useful error messages. If you do more complex things, you'll find that ICMP is important.

At any rate, ICMP limiting, and blocking ICMP echo and echo reply packets will solve the problems you describe without breaking any functionality. I'm sorry if you don't believe me, but it's true.
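The filtering approach named at the end of the message above (block echo and echo reply, rate-limit the rest), modelled as an added Python example that is not part of the original post. The class and function names, the token-bucket limiter and the sample packets are assumptions constructed for illustration; it shows that error messages such as "fragmentation needed" still pass while pings are dropped.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
BLOCKED_TYPES = {ECHO_REQUEST, ECHO_REPLY}  # the only types this policy refuses outright

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (16-bit one's complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a valid checksum (test input only)."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

class IcmpPolicy:
    """Hypothetical policy: drop echo/echo reply, token-bucket limit everything else."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def _take_token(self, now: float) -> bool:
        if self.last is not None:  # refill according to elapsed time
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def decide(self, packet: bytes, now: float) -> str:
        if len(packet) < 8 or inet_checksum(packet) != 0:
            return "drop:malformed"
        if packet[0] in BLOCKED_TYPES:
            return "drop:echo"  # does not consume rate-limit budget
        return "accept" if self._take_token(now) else "drop:rate-limited"

# Constructed samples: "fragmentation needed" (type 3, code 4) with next-hop MTU 1400
# and placeholder bytes standing in for the quoted original datagram; and a ping.
FRAG_NEEDED = build_icmp(DEST_UNREACH, 4, struct.pack("!HH", 0, 1400), b"\x45" + b"\x00" * 27)
PING = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 1, 1), b"constructed")
```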
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].