Re: PIX firewall and ICMP

From: John Hollyoak (mail_at_jhollyoak.com)
Date: 09/27/03

    To: "Cat Thrasher" <isd607@co.santa-cruz.ca.us>, "Security-Basics (E-mail)" <security-basics@securityfocus.com>
    Date: Sat, 27 Sep 2003 13:03:24 -0400
    
    Cat Thrasher,

    Perhaps instead of using a permit ANY to ANY rule for ICMP traffic, you
    could make the rules more granular, using specific IPs and ranges. Have
    people provide a valid justification as to why they need to propagate this
    type of traffic over your PIX. Our company has specific policies on ICMP
    traffic, and you need to justify beyond a 'shadow of a doubt' why it is
    worth the risk.

    Just a thought...

    John
    ----- Original Message -----
    From: "Cat Thrasher" <isd607@co.santa-cruz.ca.us>
    To: "Security-Basics (E-mail)" <security-basics@securityfocus.com>
    Sent: Wednesday, September 24, 2003 1:21 PM
    Subject: PIX firewall and ICMP

    Please advise your opinions on my problem. I had a permit statement on the
    PIX that would allow ICMP from any to any. Since being hit with Nachi, I
    turned it off. I am being asked my policy on when it will be turned back on.
    I have a rather large network and many "divisions" who work independently,
    yet access the internet through "my" PIX. They like to use ping when
    troubleshooting.
    Can I get an opinion on whether or not I should turn this back on...
    Thanks

    Cat Thrasher
    Network Support Analyst
    County of Santa Cruz
    831-454-5367
    cat.thrasher@co.santa-cruz.ca.us
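Added illustration (not part of either message above): what John's "granular instead of any-to-any" suggestion looks like in PIX 6.x access-list syntax. The weak rule Cat describes is shown first, then a replacement that only lets ICMP echo replies and the error types ping/traceroute depend on come back to a small, named set of troubleshooting hosts, and only lets those same hosts send echo requests out. Interface names, ACL and object-group names, the 192.168.10.x inside addresses, the 203.0.113.x public addresses and the static translation are all made-up values for the example; substitute your own. Lines beginning with "!" are comments.

```cisco
! --- Weak rule (the one Cat had): every ICMP type, from anywhere, to anywhere.
! An internal host hit by a ping-sweeping worm such as Nachi can scan freely
! through the PIX, and any outside host can probe every inside address.
access-list outside_access_in permit icmp any any
access-group outside_access_in in interface outside

! --- Granular replacement ---------------------------------------------------
! PIX 6.x does not track ICMP state, so a ping from inside only works if the
! echo-reply is explicitly permitted back in on the outside interface.
! Inbound ACLs on the outside interface must name the translated (public)
! address, so the NOC workstation gets a one-to-one static (example address).
static (inside,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255

! Public-side identity of the hosts that are allowed to troubleshoot (example values)
object-group network NOC_HOSTS_PUBLIC
  network-object host 203.0.113.10
! Private-side identity of the same hosts, used in the inside ACL (example values)
object-group network NOC_HOSTS_INSIDE
  network-object host 192.168.10.10
  network-object 192.168.10.64 255.255.255.192

! Only the ICMP types a ping/traceroute session needs to receive
object-group icmp-type ICMP_DIAG_REPLIES
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded

! Outside -> inside: replies only, and only to the NOC hosts; everything else
! ICMP is dropped and logged so the syslog shows who is still asking for it.
access-list outside_access_in permit icmp any object-group NOC_HOSTS_PUBLIC object-group ICMP_DIAG_REPLIES
access-list outside_access_in deny icmp any any log
access-group outside_access_in in interface outside

! Inside -> outside: only the NOC hosts may originate echo requests through
! the PIX; other inside hosts keep their normal (non-ICMP) outbound access.
access-list inside_access_in permit icmp object-group NOC_HOSTS_INSIDE any echo
access-list inside_access_in deny icmp any any log
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside

! Traffic addressed to the PIX interface itself is governed separately by the
! "icmp" command; this keeps the outside interface from answering pings from
! anyone but the NOC host.
icmp permit host 203.0.113.10 echo outside
icmp deny any outside
```

Each division that wants ping through the PIX then gets its address added to the two NOC_HOSTS groups after making the justification John describes, rather than the any-to-any rule being restored for everyone. The deny-with-log lines are the useful part of the rollout: the syslog messages they generate show exactly which hosts are still sending ICMP and what type, which is also how a renewed Nachi-style sweep from inside would show up.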
