Tag Archives: Network Design

Why Ping is no Security Flaw! (But your Friend)

2014-09-18Design/Policy, Ping/Traceroute, SecurityDMZ, echo request, Firewall, ICMP, Network Design, Ping, Reconnaissance Phase, Security vs. Usability, Traceroute, UntrustJohannes Weber

One core topic when designing firewall policies is the following question: Is ping a security attack? Should ICMP echo-request messages be blocked in almost any directions?

My short answer: Ping is your friend. :) You won’t block hackers if you block ping. Instead, ping is quite useful for network administrators checking basic network connectivity. That is: I suggest allowing ping anywhere around, accept incoming connections from the Internet to the trusted networks.

Here comes a discussion:

Continue reading Why Ping is no Security Flaw! (But your Friend) →

Why NAT has nothing to do with Security!

2013-05-21Design/Policy, NAT, Privacy, SecurityFirewall, NAT, Network Design, PATJohannes Weber

During my job I am frequently discussing with people why they use NAT or why they believe that NAT adds any security to their networks, mainly some obscurity as NAT (PAT) hides the internal network structure. However, NAT does not add any real security to a network while it breaks almost any good concepts of a structured network design. To emphasize this thesis, here is a discussion:

Continue reading Why NAT has nothing to do with Security! →

Weberblog.net

IT-Security, Networks, IPv6, VPN, DNSSEC, NTP

Tag Archives: Network Design

Why Ping is no Security Flaw! (But your Friend)

Why NAT has nothing to do with Security!