Security Basics mailing list archives
RE: PIX firewall and ICMP
From: "Cat Thrasher" <isd607 () co santa-cruz ca us>
Date: Mon, 29 Sep 2003 12:15:01 -0700
Thanks for all the responses to my post. I am using NAT on my PIX, so the specific allow statements are only valid if the trouble-shooting they are doing is to a specific host that has an outside address mapped to an inside address. Thanks again for your replies. I have been looking on the Cisco site for help in doing an ACL for the PIX and ICMP, but the problem again is that I am doing NAT.

Cat

-----Original Message-----
From: John Hollyoak [mailto:mail () jhollyoak com]
Sent: Saturday, September 27, 2003 10:03 AM
To: Cat Thrasher; Security-Basics (E-mail)
Subject: Re: PIX firewall and ICMP

Cat Thrasher,

Perhaps instead of using a permit ANY to ANY rule for ICMP traffic, you could make the rules more granular, using specific IPs and ranges. Have people provide a valid justification as to why they need to propagate this type of traffic over your PIX. Our company has specific policies on ICMP traffic, and you need to justify beyond a 'shadow of a doubt' why it is worth the risk.

Just a thought...

John

----- Original Message -----
From: "Cat Thrasher" <isd607 () co santa-cruz ca us>
To: "Security-Basics (E-mail)" <security-basics () securityfocus com>
Sent: Wednesday, September 24, 2003 1:21 PM
Subject: PIX firewall and ICMP

Please advise your opinions on my problem. I had a permit statement on the PIX that would allow ICMP from any to any. Since being hit with Nachi, I turned it off. I am being asked my policy on when it will be turned back on. I have a rather large network and many "divisions" who work independently, yet access the internet thru "my" PIX. They like to use ping when trouble-shooting. Can I get an opinion on whether or not I should turn this back on...

Thanks
Cat Thrasher
Network Support Analyst
County of Santa Cruz
831-454-5367
cat.thrasher () co santa-cruz ca us
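An added illustration of John's "make the rules granular" suggestion together with Cat's NAT caveat; this is a constructed PIX 6.x configuration fragment, not anyone's config from this thread. The access-list name, the static mapping, the partner range and all addresses (documentation-range placeholders) are assumptions.

```cisco
! BEFORE (the rule Cat turned off): any ICMP type, from anywhere, to anywhere
access-list acl_out permit icmp any any
access-group acl_out in interface outside

! AFTER: inbound ICMP is only meaningful toward a host that has a fixed
! outside address, so first give the troubleshooting target a static mapping
! (outside 203.0.113.10 <-> inside 10.1.1.10). Hosts behind dynamic NAT/PAT
! have no stable outside address and cannot be singled out by an inbound ACL.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Only the partner range that justified the access may ping that one host
access-list acl_out permit icmp 198.51.100.0 255.255.255.0 host 203.0.113.10 echo
access-list acl_out permit icmp 198.51.100.0 255.255.255.0 host 203.0.113.10 echo-reply

! Error messages needed for traceroute and path-MTU to keep working,
! still limited to the mapped host rather than the whole outside interface
access-list acl_out permit icmp any host 203.0.113.10 time-exceeded
access-list acl_out permit icmp any host 203.0.113.10 unreachable

! Every other ICMP type and destination falls to the implicit deny
access-group acl_out in interface outside
```

Each additional host or range a division justifies becomes one more narrowly scoped `permit icmp` line rather than a return to `any any`.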
Current thread:
- Re: PIX firewall and ICMP, (continued)
- Re: PIX firewall and ICMP rogue (Sep 29)
- Re: PIX firewall and ICMP John Hollyoak (Sep 29)
- RE: PIX firewall and ICMP Tenorio, Leandro (Sep 24)
- RE: PIX firewall and ICMP Charlie Winckless (Sep 24)
- Re: PIX firewall and ICMP Darrell Porter (Sep 25)
- RE: PIX firewall and ICMP Maher Odeh (Sep 25)
- RE: PIX firewall and ICMP Steve Marin (Sep 26)
- Re: PIX firewall and ICMP Brian Ford (Sep 26)
- RE: PIX firewall and ICMP dave hartnell (Sep 29)
- RE: PIX firewall and ICMP rogue (Sep 29)
- RE: PIX firewall and ICMP Cat Thrasher (Sep 29)