On Sun, 2004-10-17 at 12:55, Frank de Wit wrote: > I thought I asked a question ; the answer 'yes' should have been > sufficient ;-) > Just joking, let's ask two other questions: > -when you read about ICMP fingerprinting (see Ofir Arkin's great articles) > -and you see tools like Xprobe and a lot of other OS-fingerprinting tools > I might be wrong, but: > a) do you still think ICMP is a good thing in relation to security (by > obscurity)? It gains little, there are other ways to tell if you are there. Those who only use ping to identify hosts are on the low end of the skill curve and it is those on the upper end of the skill curve that may have to skills to compromise your firewall/hosts. > b) why would you need ICMP from the internet to your perimeter/DMZ-devices? > PathMTU. You will not move any packets unless your host can negotiate MTU along the path. So, blocking ***all*** ICMP ***types*** is bad but you can block some ***types*** without getting into trouble. Till you understand that all the types do in relation to networking I would leave the alone. j
Attachment:
signature.asc
Description: This is a digitally signed message part