RE: PIX firewall and ICMP

From: Maher Odeh (rax_at_netvision.net.il)
Date: 09/25/03

  • Next message: David Lanagan: "Re: Hard Drive keeps filling up" 
    Date: Thu, 25 Sep 2003 10:24:07 +0200
To: "Cat Thrasher" <isd607@co.santa-cruz.ca.us>, "Security-Basics (E-mail)" <security-basics@securityfocus.com>

    Hi
    If your divisions uses ping to trouble shoot you can allow a specific
    type of ICMP and not ICMP as all , how about something like this :

    access-list outside permit icmp any any echo-reply

    this way you can allow only Echo-reply to the system without the need to
    open all types of ICMP toward the network.

    Hope this been helpful

    -----Original Message-----
    From: Cat Thrasher [mailto:isd607@co.santa-cruz.ca.us]
    Sent: Wednesday, September 24, 2003 7:22 PM
    To: Security-Basics (E-mail)
    Subject: PIX firewall and ICMP

    Please advise your opinions on my problem. I had a permit statement on
    the PIX that would allow ICMP from any to any. Since being hit with
    Nachi, I turned it off. I am being asked my policy on when it will be
    turned back on. I have a rather large network and many "divisions" who
    work independently, yet access the internet thru "my" PIX. They like to
    use ping when trouble-shooting.
    Can I get an opinion on whether or not I should turn this back on...
    Thanks

    Cat Thrasher
    Network Support Analyst
    County of Santa Cruz
    831-454-5367
    cat.thrasher@co.santa-cruz.ca.us

    ------------------------------------------------------------------------ 

    ---
------------------------------------------------------------------------
----
 
---------------------------------------------------------------------------
----------------------------------------------------------------------------
  • Next message: David Lanagan: "Re: Hard Drive keeps filling up"

    Relevant Pages

    • Re: Removing ping/icmp from a network
      ... A ping sweep isn't the only way to do network exploration. ... ICMP is a protocol, not a service. ... Security by design is always best, but hiding the presence of a device ...
      (Security-Basics)
    • RE: ICMP (Ping)
      ... You are correct about the kinder and gentler internet. ... network to deal with I might share your opinion. ... I believe you meant ICMP echo ... Subject: ICMP (Ping) ...
      (Security-Basics)
    • Re: Dropping ping at peak times
      ... an overview of all the monitoring at peak times, ... so ICMP is apparently not a useful ... As a general rule though blocking ping stinks. ... router doesn't help in the slightest. ...
      (uk.telecom.broadband)
    • Re: help with network problem
      ... I can browser the site using http in all the other computers. ... >While ping serves to test tcp/ip connectivity, ... ICMP messages, delivered in ... >> (Only that website so far). ...
      (Security-Basics)