Security Basics mailing list archives

Re: PIX firewall and ICMP


From: "John Hollyoak" <mail () jhollyoak com>
Date: Sat, 27 Sep 2003 13:03:24 -0400

Cat Thrasher,

Perhaps instead of using a permit ANY to ANY rule for ICMP traffic, you
could make the rules more granular, using specific IPs and ranges. Have
people provide a valid justification as to why they need to propagate this
type of traffic over your PIX. Our company has specific policies on ICMP
traffic, and you need to justify beyond a 'shadow of a doubt' why it is
worth the risk.

Just a thought...

John
----- Original Message -----
From: "Cat Thrasher" <isd607 () co santa-cruz ca us>
To: "Security-Basics (E-mail)" <security-basics () securityfocus com>
Sent: Wednesday, September 24, 2003 1:21 PM
Subject: PIX firewall and ICMP


Please advise your opinions on my problem. I had a permit statement on the
PIX that would allow ICMP from any to any. Since being hit with Nachi, I
turned it off. I am being asked my policy on when it will be turned back on.
I have a rather large network and many "divisions" who work independently,
yet access the internet through "my" PIX. They like to use ping when
troubleshooting.
Can I get an opinion on whether or not I should turn this back on...
Thanks

Cat Thrasher
Network Support Analyst
County of Santa Cruz
831-454-5367
cat.thrasher () co santa-cruz ca us
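As an added illustration of the granular approach John suggests (this is not configuration posted by either participant), the following shows the any-to-any rule Cat describes next to a narrowed replacement in PIX 6.x access-list syntax. The access-list name, object-group name, host addresses and the 203.0.113.0/24 range standing in for the firewall's global address space are constructed placeholders. Without stateful ICMP inspection, replies to pings sent from inside still need an inbound permit, which is why echo-reply and the traceroute/path-MTU error types are what the narrowed list allows, while inbound echo (the type Nachi used to sweep for hosts) is dropped.

```cisco
! Added example, not from the thread: PIX 6.x access-list syntax.
! Addresses, list names and object-group names are constructed placeholders.

! --- Weak: the rule Cat had in place. Any ICMP type, any source,
! --- any destination, applied inbound on the outside interface.
access-list outside_in permit icmp any any
access-group outside_in in interface outside

! --- Granular replacement. Only hosts whose owners have justified the
! --- need (here a NOC group) may receive ping replies and the error
! --- messages that traceroute and path-MTU discovery depend on.
! --- 203.0.113.0/24 stands in for the global (outside) address range.
no access-list outside_in permit icmp any any

object-group network NOC_HOSTS
  description Hosts with an approved justification for ICMP
  network-object host 203.0.113.10
  network-object host 203.0.113.11

access-list outside_in permit icmp any object-group NOC_HOSTS echo-reply
access-list outside_in permit icmp any object-group NOC_HOSTS time-exceeded
access-list outside_in permit icmp any 203.0.113.0 255.255.255.0 unreachable
! Everything else, including inbound echo, falls through to the list's
! implicit deny; the explicit deny is added so that the drops show up as
! a hit count in 'show access-list'.
access-list outside_in deny icmp any any

! --- Pings aimed at the PIX interfaces themselves are controlled
! --- separately with the icmp command: allow them only from an inside
! --- management host and refuse them on the outside interface.
icmp permit host 10.0.0.20 echo inside
icmp deny any outside
```

Keeping the permitted destinations in an object group makes the justification process John describes a concrete change-control step: a division that needs ICMP gets a host added to NOC_HOSTS, and the group membership doubles as the record of who was approved and why.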



