Security Basics mailing list archives
Re: PIX firewall and ICMP
From: "John Hollyoak" <mail () jhollyoak com>
Date: Sat, 27 Sep 2003 13:03:24 -0400
Cat Thrasher, Perhaps instead of using a permit ANY to ANY rule for ICMP traffic, you could make the rules more granular, using specific IP's and ranges. Have people provide a valid justification as to why they need to propagate this type of traffic over your PIX. Our company has specific policies on ICMP traffic, and you need to justify beyond a 'shadow of a doubt' why it is worth the risk. Just a thought... John ----- Original Message ----- From: "Cat Thrasher" <isd607 () co santa-cruz ca us> To: "Security-Basics (E-mail)" <security-basics () securityfocus com> Sent: Wednesday, September 24, 2003 1:21 PM Subject: PIX firewall and ICMP Please advise your opinions on my problem. I had a permit statement on the PIX that would allow ICMP from any to any. Since being hit with Nachi, I turned it off. I am being asked my policy on when it will be turned back on. I have a rather large network and many "divisions" who work independently, yet access the internet thru "my" PIX. They like to use ping when trouble-shooting. Can I get an opinion on whether or not I should turn this back on... Thanks Cat Thrasher Network Support Analyst County of Santa Cruz 831-454-5367 cat.thrasher () co santa-cruz ca us --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- PIX firewall and ICMP Cat Thrasher (Sep 24)
- Re: PIX firewall and ICMP Daniel Williams (Sep 24)
- Re: PIX firewall and ICMP gregh (Sep 26)
- Re: PIX firewall and ICMP rogue (Sep 29)
- Re: PIX firewall and ICMP John Hollyoak (Sep 29)
- <Possible follow-ups>
- RE: PIX firewall and ICMP Tenorio, Leandro (Sep 24)
- RE: PIX firewall and ICMP Charlie Winckless (Sep 24)
- Re: PIX firewall and ICMP Darrell Porter (Sep 25)
- RE: PIX firewall and ICMP Maher Odeh (Sep 25)
- RE: PIX firewall and ICMP Steve Marin (Sep 26)
- Re: PIX firewall and ICMP Brian Ford (Sep 26)
- RE: PIX firewall and ICMP dave hartnell (Sep 29)
- RE: PIX firewall and ICMP rogue (Sep 29)
- RE: PIX firewall and ICMP Cat Thrasher (Sep 29)