RE: PIX firewall and ICMP

[Charlie Winckless <CharlieW () netarch com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Please advise your opinions on my problem. I had a permit 
> statement on the PIX that would allow ICMP from any to any. 
> Since being hit with Nachi, I turned it off. I am being asked 
> my policy on when it will be turned back on. I have a rather 
> large network and many "divisions" who work independently, 
> yet access the internet thru "my" PIX. They like to use ping 
> when trouble-shooting.

With the PIX, I generally only allow a very
limited subset of ICMP types back into my
network. 

Commonly, this is (using PIX speak)
echo-reply, unreachable, time-exceeded, parameter-problem.

This will allow ping outbound, but won't allow
it in, and will limit the exposure by other
ICMP types.

In the case of not wanting replies from ping's
sent out (you've not mentioned if you restrict
this) then drop echo-reply and position some 
form of WWW interfaced box in a controlled DMZ
and have them use that.

I would continue to allow parameter problem and
others.
> Can I get an opinion on whether or not I should turn this back
> on... Thanks 
>
> Cat Thrasher
> Network Support Analyst
> County of Santa Cruz
> 831-454-5367
> cat.thrasher () co santa-cruz ca us
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBP3HtHMrtF6HAen5cEQICOQCeP0zurOX1ElV0ct5jQYwNQ/qDBmAAoKQU
pNK4RG80mvIQ4ehf6SWHZbmO
=XlY3
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
----------------------------------------------------------------------------