RE: PIX firewall and ICMP
From: dave hartnell (dihartnell_at_xtra.co.nz)
Date: 09/29/03
To: <dihartnell@xtra.co.nz>, "Brian Ford" <brford@cisco.com>, "Cat Thrasher" <isd607@co.santa-cruz.ca.us>
Date: Mon, 29 Sep 2003 21:57:17 +1200
I agree with Brian. Any Any is always going to be a huge risk. It pays to be
very specific with your rules and the ports you open, who opens them and
where they go.
Stick to your guns on this. It's you who will wind up being shot when it
turns to custard.
Cheers
Dave.
-----Original Message-----
From: Brian Ford [mailto:brford@cisco.com]
Sent: Saturday, 27 September 2003 8:20 a.m.
To: Cat Thrasher
Cc: Security-Basics (E-mail)
Subject: Re: PIX firewall and ICMP
Cat,
I hope you recognize that the "any any" was a big mistake.
This is an excellent example of the trade-offs of implementing a security
solution. You need to weigh the worm cleanup costs against the decision
to allow users to use ping for troubleshooting.
Liberty for All,
Brian
At 10:21 AM 9/24/2003 -0700, Cat Thrasher wrote:
>Please advise your opinions on my problem. I had a permit statement on the
>PIX that would allow ICMP from any to any. Since being hit with Nachi, I
>turned it off. I am being asked my policy on when it will be turned back
>on. I have a rather large network and many "divisions" who work
>independently, yet access the internet thru "my" PIX. They like to use
>ping when trouble-shooting.
>Can I get an opinion on whether or not I should turn this back on...
>Thanks
>
>Cat Thrasher
>Network Support Analyst
>County of Santa Cruz
>831-454-5367
>cat.thrasher@co.santa-cruz.ca.us