Re: PIX firewall and ICMP
From: Brian Ford (brford_at_cisco.com)
Date: 09/26/03
- Previous message: Steve McLaughlin: "RE: protect MS Windows 95/98/Me"
- Maybe in reply to: Cat Thrasher: "PIX firewall and ICMP"
- Next in thread: John Hollyoak: "Re: PIX firewall and ICMP"
Date: Fri, 26 Sep 2003 16:20:01 -0400
To: "Cat Thrasher" <isd607@co.santa-cruz.ca.us>
Cat,
I hope you recognize that the "any any" was a big mistake.
This is an excellent example of the trade-offs of implementing a security
solution. You need to weigh the worm cleanup costs against the decision
to allow users to use ping for troubleshooting.
Liberty for All,
Brian
At 10:21 AM 9/24/2003 -0700, Cat Thrasher wrote:
>Please advise your opinions on my problem. I had a permit statement on the
>PIX that would allow ICMP from any to any. Since being hit with Nachi, I
>turned it off. I am being asked my policy on when it will be turned back
>on. I have a rather large network and many "divisions" who work
>independently, yet access the internet thru "my" PIX. They like to use
>ping when trouble-shooting.
>Can I get an opinion on whether or not I should turn this back on...
>Thanks
>
>Cat Thrasher
>Network Support Analyst
>County of Santa Cruz
>831-454-5367
>cat.thrasher@co.santa-cruz.ca.us
>
>