How can you achieve this?

You are the security administrator for a large network. You want to prevent attackers from running any sort of traceroute into your DMZ and discovering the internal structure of publicly accessible areas of the network. How can you achieve this?

A. Block TCP at the firewall

B. Block UDP at the firewall

C. Block ICMP at the firewall

D. There is no way to completely block tracerouting into this area

Explanation:
If you create rules that prevent attackers from performing traceroutes into your DMZ, you will also prevent anyone from accessing the DMZ from outside the company network, and in that case what you have is not a DMZ.





jaffar

Why is your DMZ wide open?
Shouldn’t you be blocking UDP? (That will stop most Unix traceroutes.)
You can also block ICMP in/out, or at least restrict requests and replies.
Ex. deny outbound:
An ICMP Time Exceeded message – this means the host responding is not the destination.
An ICMP Destination Unreachable – this means the host responding doesn’t know how to get to the destination IP address in the traceroute packets.

http://www.inetdaemon.com/tutorials/troubleshooting/tools/traceroute/definition.shtml
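
The outbound ICMP restriction suggested in the comment above, written as an nftables ruleset. This is an added example, not part of the original page or the comment; the table name and the interface name `wan0` are assumptions, and the firewall is assumed to be the router in front of the DMZ.

```nftables
# Constructed example: "wan0" is a hypothetical name for the Internet-facing
# interface of the firewall that routes traffic into the DMZ.
table inet traceroute_limits {
    chain egress_icmp {
        # Time Exceeded (type 11) is the reply each intermediate hop sends
        # when a probe's TTL expires, whether the probe was UDP, ICMP or TCP.
        # Dropping it outbound keeps the hops inside the DMZ from answering.
        icmp type time-exceeded counter drop

        # Destination Unreachable (type 3): keep code 4 (fragmentation
        # needed), which path MTU discovery relies on, and drop the other
        # codes, including the port-unreachable reply that ends a UDP trace.
        icmp type destination-unreachable icmp code 4 accept
        icmp type destination-unreachable counter drop
    }

    # Replies generated by DMZ hosts and routed out through this firewall.
    chain forward {
        type filter hook forward priority 0; policy accept;
        oifname "wan0" jump egress_icmp
    }

    # Replies generated by the firewall itself when it is the expiring hop.
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "wan0" jump egress_icmp
    }
}
```

These rules only silence the ICMP error replies. A probe sent to a TCP port that a DMZ server publishes is still answered by that server, because it is the same traffic as legitimate access, which is the point the explanation makes.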