On Tue, Mar 25, 2008 at 3:39 PM, Fabio Fagundes
<fabio.fagundes (at) gmail (dot) com [email concealed]> wrote:
> Hi all,
>
> Please consider the risk of an intruder using ICMP as a Covert Channel
> (http://en.wikipedia.org/wiki/Covert_channel).
>
> Should one configure corporate routers to inspect and to rewrite ICMP
> packets to avoid / reduce this risk ?
>
> Regards,
> Fabio.
ICMP packets are fairly small and transparent and by adding any
additional information to them would make them malformed and obvious.
Given that ICMP traffic can easily stand out from other traffic, an
intruder would probably be more likely to utilize TCP and a common
service, such as SSL.
For the security of my network, I would be more inclined to monitor
for excess or malformed ICMP traffic instead of blocking it.
<fabio.fagundes (at) gmail (dot) com [email concealed]> wrote:
> Hi all,
>
> Please consider the risk of an intruder using ICMP as a Covert Channel
> (http://en.wikipedia.org/wiki/Covert_channel).
>
> Should one configure corporate routers to inspect and to rewrite ICMP
> packets to avoid / reduce this risk ?
>
> Regards,
> Fabio.
ICMP packets are fairly small and transparent and by adding any
additional information to them would make them malformed and obvious.
Given that ICMP traffic can easily stand out from other traffic, an
intruder would probably be more likely to utilize TCP and a common
service, such as SSL.
For the security of my network, I would be more inclined to monitor
for excess or malformed ICMP traffic instead of blocking it.
--
Mark Owen
[ reply ]