grc shields-up results

[Tash]

I am using Barricade SMC7004BR router and even installed zonealarm and I am still getting this message testing the firewall with shields-up:

Ping Reply: RECEIVED (FAILED) ? Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation

I set zonealarm to internet zone to 'high' and trusted zone to 'high'. How can I eliminate this? What problems can it cause if I do?

Thanks.

 

[Buddha Bart]

man you know your hat is made of shiny tinfoil when you won't even provide the common courtesy of an icmp echo reply.

 

[JackMDS]

The Router is not suppose to block everything.

More here: Basic Protection for Broadband Internet Installation.

 

[dw58]

If you take the router out of the system, you will find that the 'ping' is blocked by Zone Alarm. The router is more than likely answering the ping. Most routers have a setting that you can change so that the router does not answer.

 

[Tash]

I have "Discard ping from WAN side" enabled on the router.

 

[Nothinman]

man you know your hat is made of shiny tinfoil when you won't even provide the common courtesy of an icmp echo reply.

Just that one little setting makes a lot of automated attack scripts pass right over you, it's well worth it.

 

[Mitzi]

Originally posted by: Buddha Bart
man you know your hat is made of shiny tinfoil when you won't even provide the common courtesy of an icmp echo reply.

Had to smile when I read that...reminds me of that bit in Signs where they are all sitting on the couch with those custom made tin foil hats....

 

[Tash]

No, I mean I have "Discard ping from WAN side" enabled on the router, and I'm still having the problem!!

 

[gunrunnerjohn]

Your router is broken, I've turned that off, and the PING gets no response, this works at other installations too.

I agree that it's a good thing to do, there's no reason to let anyone know that there's anything at the end of the wire.

 

[Rainsford]

Interestingly enough, my Smoothwall responds to pings on the WAN interface, but GRC says it doesn't. Since I can go to an outside computer in a computer lab on campus or something and ping my smoothwall and get a response, I'm pretty sure I have no idea what GRC is doing. It's kind of weird.

 

[cmetz]

Tash, Gibson's well known and not well respected in the security community - he and his advice on what is and isn't secure should not be taken as correct. In particular he treats his opinions as hard fact and doesn't explain the trade-offs. Security is often complex.

There is no inherent problem with responding to ICMP echo requests. Yes, it does make it easier to determine that a particular IP address is in use - that can be used for good or for evil. There are other ways to determine whether a particular IP address is in use, depending on what firewall you have and what all you're running (for example, you're telling lots of web servers you exist and what your address is every time you fire up your favorite client). Simply knowing you exist should not allow an attacker to get anywhere - if they can, you've got much greater problems.

Now, if you as an administrator configure your firewall not to respond to ICMP echo requests and it does anyway, then it is broken and you should fix and/or replace it immediately. It is critical that your firewall do what you configure it to - or it's demonstrated to be untrustworthy and thus most of its value goes away (a firewall is typically used as a trusted component, though rarely do people think a whole lot about how trustworthy they are...).

 

[Buddha Bart]

do you fold it up like a sailor hat? or kinda mold it onto your head like a beanie?

 

[Dennis Travis]

have you tried setting it the other way to disable? Maybe SMC has it backwards or something. I have not ever worked with a SMC router, just Linksys, Dlink and CompUSAs, Belkin and one other old router. Worth a try. Who knows! I went to Gibsons site with my linksys and I am totally stealth and no Ping of my WAN port. I tried two other routers I have here all with ping disabled for WAN and got the same results as with my Linksys. What does the manual say for the SMC about that setting?