It’s a firewalls job to protect the network behind, based in the policy implemented by the administrator. Therefore, a firewall can only be as good as the guy behind. There are mostly two rules considered as substantial, and for the “clean-up” rule I think this is true. That rule is the last one in the policy, and drops (or rejects) all connections that have not been allowed so far. The second one is the “stealth rule”, blocking any kind of communication with the firewall. Of course, the administrator has to take care of not locking out himself. In common systems, this happens by implied rules, allowing communication with the firewalls management initiated by miscellaneous computers.

Well, I’m not a totally friend of this rule. Of course one should avoid unnecessary risk and block for example ssh from the outside world as long as not using this, ’cause why should an attacker get the chance of guessing this password? It’s also a fact that there should be no other daemon running on the firewall. But what about ICMP? Is this one necessary? It’s quite easy to gain quite a lot of information based on ICMP with common tools (ping, nmap). There are also known attacks from the past, the “ping of death” is widely known. So why take a risk of an attack, and giving information about the system to the world? But there are voices claming that ICMP is absolutely important, and needs to be untouched. Well, indeed, troubleshooting without ICMP is not that easy.

I’d like to discuss the advantages, and disadvantages, of the stealth rule. I hope that you have a minute to propagate your opinion.

Bookmark to:

m.schmidt am 11. November, 2006 um 6.37 pm

Tags: Firewall