Small Mosaic



Tue, 22 Aug 2006

Enable ICMP Internally - Or I'll Find You...
When designing internal firewalls and filtering policies *PLEASE* stop and think about ICMP Echo Request and ICMP Echo Reply (the ICMP types used by ping). If you turn these off you're not gaining any real security (especially on your internal network, and to be honest you want to think long and hard about what turning them off on the external-facing machines gets you), and you're making life much harder than it needs to be in the long run.

Network diagnostics and host discovery are two simple, and quite common, tasks that become a hell of a lot harder to do, and consume more time and resources, if you turn ICMP off. It also annoys the hell out of new staff as they try to learn about your networks, and it irks people you ask to do you a "quick favour".


Posted: 2006/08/22 23:34 | /misctech



Copyright © 2000-2010 Dean Wilson