RE: PIX firewall and ICMP

From: dave hartnell (dihartnell_at_xtra.co.nz)
Date: 09/29/03

    To: <dihartnell@xtra.co.nz>, "Brian Ford" <brford@cisco.com>, "Cat Thrasher" <isd607@co.santa-cruz.ca.us>
    Date: Mon, 29 Sep 2003 21:57:17 +1200
    
    

    I agree with Brian. Any Any is always going to be a huge risk. It pays to be
    very specific with your rules and the ports you open, who opens them and
    where they go.

    Stick to your guns on this. It's you who will wind up being shot when it
    turns to custard.

    Cheers

    Dave.

    -----Original Message-----
    From: Brian Ford [mailto:brford@cisco.com]
    Sent: Saturday, 27 September 2003 8:20 a.m.
    To: Cat Thrasher
    Cc: Security-Basics (E-mail)
    Subject: Re: PIX firewall and ICMP

    Cat,

    I hope you recognize that the "any any" was a big mistake.

    This is an excellent example of the trade-offs of implementing a security
    solution. You need to weigh the worm clean-up costs against the decision
    to allow users to use ping for troubleshooting.

    Liberty for All,

    Brian

    At 10:21 AM 9/24/2003 -0700, Cat Thrasher wrote:
    >Please advise your opinions on my problem. I had a permit statement on the
    >PIX that would allow ICMP from any to any. Since being hit with Nachi, I
    >turned it off. I am being asked my policy on when it will be turned back
    >on. I have a rather large network and many "divisions" who work
    >independently, yet access the internet thru "my" PIX. They like to use
    >ping when trouble-shooting.
    >Can I get an opinion on whether or not I should turn this back on...
    >Thanks
    >
    >Cat Thrasher
    >Network Support Analyst
    >County of Santa Cruz
    >831-454-5367
    >cat.thrasher@co.santa-cruz.ca.us
    >
    >

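The configuration contrast the thread is arguing about, written out as an added illustration (this is not from any of the posters). PIX 6.x access-list syntax is used; the ACL name "outside_in" is an assumption.

```cisco
! Constructed example, not from the thread. The ACL name "outside_in"
! is assumed; the interface name "outside" is the PIX default.
!
! The "any any" rule Brian calls a mistake: it admits every ICMP type,
! including inbound echo requests, to every inside host, which is the
! same traffic a worm such as Nachi used to find targets.
access-list outside_in permit icmp any any

! Tighter replacement. Inside users can still ping out, because only
! the responses to their own probes are let back in; inbound echo
! requests fall through to the implicit deny at the end of the list.
no access-list outside_in permit icmp any any
access-list outside_in permit icmp any any echo-reply
! time-exceeded keeps traceroute working from inside.
access-list outside_in permit icmp any any time-exceeded
! unreachable carries path-MTU and "port unreachable" notices;
! dropping it breaks more than it protects.
access-list outside_in permit icmp any any unreachable
access-group outside_in in interface outside
```

Where the PIX release in use supports stateful ICMP inspection, the echo-reply line can be handled by that instead; on releases without it, the replies must be permitted explicitly as shown. Either way the policy stays specific about type and direction rather than "any any".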