Security Basics mailing list archives

RE: PIX firewall and ICMP


From: rogue <rogue () nocdemon net>
Date: Mon, 29 Sep 2003 12:55:02 -0400 (EDT)

Why don't you just create rules to ping all your known subnets only? This
locks down pings from the outside world and allows your users to
"troubleshoot" inter-office connectivity all they want.

-------------------
rogue () nocdemon net


On Mon, 29 Sep 2003, dave hartnell wrote:


I agree with Brian. Any Any is always going to be a huge risk. It pays to be
very specific with your rules and the ports you open, who opens them and
where they go.

Stick to your guns on this. It's you who will wind up being shot when it
turns to custard.


Cheers

Dave.

-----Original Message-----
From: Brian Ford [mailto:brford () cisco com]
Sent: Saturday, 27 September 2003 8:20 a.m.
To: Cat Thrasher
Cc: Security-Basics (E-mail)
Subject: Re: PIX firewall and ICMP

Cat,

I hope you recognize that the "any any" was a big mistake.

This is an excellent example of the trade-offs of implementing a security
solution.  You need to weigh the worm clean-up costs against the decision
to allow users to use ping for troubleshooting.

Liberty for All,

Brian

At 10:21 AM 9/24/2003 -0700, Cat Thrasher wrote:
Please advise your opinions on my problem. I had a permit statement on the
PIX that would allow ICMP from any to any. Since being hit with Nachi, I
turned it off. I am being asked my policy on when it will be turned back
on. I have a rather large network and many "divisions" who work
independently, yet access the internet thru "my" PIX. They like to use
ping when troubleshooting.
Can I get an opinion on whether or not I should turn this back on...
Thanks

Cat Thrasher
Network Support Analyst
County of Santa Cruz
831-454-5367
cat.thrasher () co santa-cruz ca us



-- 
==================
rogue () nocdemon net
             {\o0|
==================
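The subnet-scoped rules suggested at the top of this thread, as an added example that is not from any of the posters: PIX 6.x-style access lists that replace the original "permit icmp any any" with echo and echo-reply only between two constructed office subnets. The subnet addresses, interface names and ACL names are assumptions, and the example also assumes the PIX is not tracking ICMP statefully, so replies are permitted explicitly.

```cisco
! Added example, not from the thread. All addresses and names are constructed.
!
! --- Weak setting: what the original poster had (ICMP open both ways) ---
! access-list outside_in permit icmp any any
! access-list inside_out permit icmp any any
!
! --- Corrected: ping only between the known inter-office subnets ---
! Constructed subnets: HQ 10.10.0.0/16 behind "inside",
! branch office 10.20.0.0/16 reached through "outside".

! Inbound on outside: echo requests only from the branch toward HQ, plus
! replies to HQ's own probes. Replies are listed explicitly because this
! example assumes ICMP is not being tracked statefully.
access-list outside_in permit icmp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 echo
access-list outside_in permit icmp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 echo-reply
! Path-MTU discovery and traceroute keep working without opening echo from "any".
access-list outside_in permit icmp any 10.10.0.0 255.255.0.0 unreachable
access-list outside_in permit icmp any 10.10.0.0 255.255.0.0 time-exceeded
! Any other ICMP from the outside world is dropped; only ICMP is matched here,
! so the tcp/udp permits this interface needs (omitted) still work below it.
access-list outside_in deny icmp any any
access-group outside_in in interface outside

! Outbound on inside: HQ hosts may ping the branch, but not arbitrary Internet
! hosts, which is the echo traffic a scanning worm sends through the firewall.
! Note that applying an ACL to "inside" replaces the default permit-all
! outbound behaviour, so the tcp/udp permits users need must be added here too.
access-list inside_out permit icmp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 echo
access-list inside_out permit icmp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 echo-reply
access-list inside_out deny icmp any any
access-group inside_out in interface inside
```

Each additional known subnet gets its own echo/echo-reply pair, so "troubleshooting" pings between offices keep working while echo from or to the rest of the Internet stays blocked.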

