Firewall advice

guddler

Busting vectors like it's 1982!
Quick one...

Just setting up a new web server at work. This used to be done by someone else, but now there's no-one else left, so it's down to me!

On the firewall (Cisco PIX 525 running image v7.1) I've enabled port 443 only (HTTPS) as that's all my application needs. Should I disable PING too? Or not worry about it. At the moment you get a ping response from the NAT'd IP address.

Martin.

guddler, 2010-12-01 16:23:07
 

trm

Who loves you, and who do you love?
I'd consider blocking all inbound ICMP traffic completely. Back in the day you used to be able to obtain quite a lot of information using ICMP with various tricks, like setting the don't-fragment bit and sending too-large packets, along with ICMP redirection attacks.

And there used to be a sweet trick where you'd send cleverly crafted packets, set the fragmentation bit, frig the offsets in the packet so you could get a malicious packet past a packet-inspection system and then own the system due to bugs in various OSes regarding how they reassembled fragmented packets (IOW, each fragment of the packet is innocent, but by including hints inside the packet you could get it reassembled into something which was different to just concatenating all the payloads together and the end result would let you do a stack overflow on the target).

So I vote for full paranoia and block everything bar what your app needs. You'll know if the system is down without being able to ping or traceroute it.
 

guddler

Busting vectors like it's 1982!
Fair enough. I'll look into it then.

Don't know why it's pinging at all, really, as there's no ACL rule to allow it, and everything else is meant to be denied unless explicitly allowed.
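An added configuration example (written for this thread by the editor, not posted by either participant) showing the "permit 443 only, deny the rest" policy on a PIX running 7.x, in the style of the `access-list`/`access-group` commands the original poster is already using. The addresses, the ACL name `OUTSIDE_IN` and the interface names are placeholders. One detail that explains why the NAT'd address may still answer pings despite the ACL: on PIX/ASA 7.x the interface access-list only governs traffic passing *through* the appliance; ICMP addressed to the PIX's own interface address (which is what a PAT/outside-interface address is) is answered by the PIX itself and is controlled by the separate `icmp` interface command.

```cisco
! Added example (editor's, not from the thread). PIX 7.x, placeholder addresses.
! Publish the internal web server on a public address (example values).
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255

! Inbound policy on the outside interface: HTTPS only to the web server.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq https

! Optional: keep ICMP "fragmentation needed" (type 3) reachable so path-MTU
! discovery toward the server keeps working. Leave out for full lockdown.
! access-list OUTSIDE_IN extended permit icmp any host 203.0.113.10 unreachable

! Explicit denies with logging, so blocked probes are visible in syslog.
! (The implicit deny at the end of the ACL would drop them silently anyway.)
access-list OUTSIDE_IN extended deny icmp any any log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! ICMP sent to the PIX's own outside interface address bypasses OUTSIDE_IN;
! it is controlled here instead. This is the line that stops the PIX itself
! replying to pings on a PAT / interface address.
icmp deny any outside

! Verification: hit counts per ACE, and the icmp policy in the running config.
show access-list OUTSIDE_IN
show running-config icmp
```

After applying this, a ping to 203.0.113.10 should produce no reply and an incrementing hit count on the `deny icmp` entry (if the address belongs to a static) or no log entry at all (if it is the interface address, where `icmp deny` drops it before the ACL is consulted).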
 