Security Basics mailing list archives
RE: PIX firewall and ICMP
From: Charlie Winckless <CharlieW () netarch com>
Date: Wed, 24 Sep 2003 13:14:37 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> Please advise your opinions on my problem. I had a permit statement on the PIX that would allow ICMP from any to any. Since being hit with Nachi, I turned it off. I am being asked my policy on when it will be turned back on. I have a rather large network and many "divisions" who work independently, yet access the internet thru "my" PIX. They like to use ping when trouble-shooting.
With the PIX, I generally only allow a very limited subset of ICMP types back into my network. Commonly, this is (using PIX speak) echo-reply, unreachable, time-exceeded, parameter-problem. This will allow ping outbound, but won't allow it in, and will limit the exposure by other ICMP types. In the case of not wanting replies from pings sent out (you've not mentioned if you restrict this), then drop echo-reply and position some form of WWW-interfaced box in a controlled DMZ and have them use that. I would continue to allow parameter-problem and others.
> Can I get an opinion on whether or not I should turn this back on... Thanks
>
> Cat Thrasher
> Network Support Analyst
> County of Santa Cruz
> 831-454-5367
> cat.thrasher () co santa-cruz ca us
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBP3HtHMrtF6HAen5cEQICOQCeP0zurOX1ElV0ct5jQYwNQ/qDBmAAoKQU
pNK4RG80mvIQ4ehf6SWHZbmO
=XlY3
-----END PGP SIGNATURE-----
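The restricted inbound ICMP policy described in the reply above, written out as a PIX 6.x-style configuration fragment. This is an added illustration, not configuration posted by anyone in the thread; the access-list name `outside_in`, the interface name `outside`, and the inside network `10.0.0.0/8` are assumed placeholders, and the fragment shows only the ICMP lines, so the other permits an existing outside ACL already carries would stay in place alongside these.

```text
! Added example (not from the thread). Only the ICMP types that carry
! control feedback for traffic we originated are allowed back in; echo
! (inbound ping) and every other ICMP type fall through to the ACL's
! implicit deny. Interface, ACL and network names are assumed.

! Replies and error feedback for outbound traffic from the inside net
access-list outside_in permit icmp any 10.0.0.0 255.0.0.0 echo-reply
access-list outside_in permit icmp any 10.0.0.0 255.0.0.0 unreachable
access-list outside_in permit icmp any 10.0.0.0 255.0.0.0 time-exceeded
access-list outside_in permit icmp any 10.0.0.0 255.0.0.0 parameter-problem

! Everything else from outside (including inbound echo) hits the
! implicit deny at the end of the list.
access-group outside_in in interface outside

! The "icmp" command governs ICMP addressed to the PIX interface itself,
! separately from traffic passing through it; stop it answering pings
! from the outside while still accepting the error types above.
icmp deny any echo outside
icmp permit any unreachable outside
icmp permit any time-exceeded outside
icmp permit any parameter-problem outside
```

If the decision is to stop internal users pinging out altogether, the variant the reply describes is simply to omit the `echo-reply` line: outbound echo requests still leave, but their replies are dropped at the outside interface, while `unreachable`, `time-exceeded` and `parameter-problem` continue to pass so that path MTU discovery and traceroute-style diagnostics from the DMZ box keep working.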