RE: PIX firewall and ICMP
From: rogue (rogue_at_nocdemon.net)
Date: 09/29/03
- Previous message: Kerbl Thomas Rudolf: "Re: HTTP Method?"
- In reply to: dave hartnell: "RE: PIX firewall and ICMP"
- Next in thread: Cat Thrasher: "RE: PIX firewall and ICMP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Sep 2003 12:55:02 -0400 (EDT)
To: dave hartnell <dihartnell@xtra.co.nz>
Why don't you just create rules to ping all your known subnets only? This
locks down pings from the outside world and allows your users to
"troubleshoot" inter-office connectivity all they want.
-------------------
rogue@nocdemon.net
On Mon, 29 Sep 2003, dave hartnell wrote:
>
> I agree with Brian. Any Any is always going to be a huge risk. It pays to be
> very specific with your rules and the ports you open, who opens them and
> where they go.
>
> Stick to your guns on this. It's you who will wind up being shot when it
> turns to custard.
>
>
> Cheers
>
> Dave.
>
> -----Original Message-----
> From: Brian Ford [mailto:brford@cisco.com]
> Sent: Saturday, 27 September 2003 8:20 a.m.
> To: Cat Thrasher
> Cc: Security-Basics (E-mail)
> Subject: Re: PIX firewall and ICMP
>
> Cat,
>
> I hope you recognize that the "any any" was a big mistake.
>
> This is an excellent example of the trade offs of implementing a security
> solution. You need to weigh the worm clean up costs against the decision
> to allow users to use ping for troubleshooting.
>
> Liberty for All,
>
> Brian
>
> At 10:21 AM 9/24/2003 -0700, Cat Thrasher wrote:
> >Please advise your opinions on my problem. I had a permit statement on the
> >PIX that would allow ICMP from any to any. Since being hit with Nachi, I
> >turned it off. I am being asked my policy on when it will be turned back
> >on. I have a rather large network and many "divisions" who work
> >independently, yet access the internet thru "my" PIX. They like to use
> >ping when trouble-shooting.
> >Can I get an opinion on whether or not I should turn this back on...
> >Thanks
> >
> >Cat Thrasher
> >Network Support Analyst
> >County of Santa Cruz
> >831-454-5367
> >cat.thrasher@co.santa-cruz.ca.us
> >
> >
--
==================
rogue@nocdemon.net
{\o0|
==================
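The subnet-scoped ICMP policy rogue suggests, written out as a PIX configuration fragment. This is an added example, not a configuration posted by anyone in the thread; it assumes PIX 6.2 or later (object-group support in access-lists), interface names `inside` and `outside`, and the subnet addresses and ACL names are constructed placeholders.

```cisco
! Added example (not from the thread): replace "permit icmp any any" with
! ping allowed only between the sites you know about.
! Interface names, ACL names and addresses are constructed placeholders.
!
! The known office/branch subnets that are allowed to ping each other
object-group network KNOWN_SUBNETS
  network-object 10.10.0.0 255.255.0.0
  network-object 10.20.0.0 255.255.0.0
  network-object 192.168.50.0 255.255.255.0
!
! Inbound on the outside interface: echo and echo-reply only between known
! subnets, plus the error messages traceroute and path-MTU discovery need.
! PIX 6.x does not track ICMP statefully, so echo-reply must be permitted
! explicitly here; on 7.0+ with "inspect icmp" that line is not needed.
access-list OUTSIDE_IN permit icmp object-group KNOWN_SUBNETS object-group KNOWN_SUBNETS echo
access-list OUTSIDE_IN permit icmp object-group KNOWN_SUBNETS object-group KNOWN_SUBNETS echo-reply
access-list OUTSIDE_IN permit icmp any object-group KNOWN_SUBNETS time-exceeded
access-list OUTSIDE_IN permit icmp any object-group KNOWN_SUBNETS unreachable
! Explicit deny with logging (6.3 and later) so worm-style echo sweeps from the
! Internet show up in syslog instead of being silently dropped.
access-list OUTSIDE_IN deny icmp any any log
! ... existing permits for published non-ICMP services go here ...
access-group OUTSIDE_IN in interface outside
!
! Outbound from the inside: users may ping known subnets, nothing else on ICMP
access-list INSIDE_IN permit icmp object-group KNOWN_SUBNETS object-group KNOWN_SUBNETS echo
access-list INSIDE_IN deny icmp any any log
access-list INSIDE_IN permit ip any any
access-group INSIDE_IN in interface inside
!
! Pings aimed at the PIX's own interface addresses are governed by the "icmp"
! command, not by the access-lists; keep those limited to known subnets too.
icmp permit 10.10.0.0 255.255.0.0 echo inside
icmp deny any outside
```

The two access-lists express the same policy in both directions: hosts inside a known subnet can ping other known subnets and nothing else, while the outside world cannot ping through at all. The logged deny lines are the detection half of the trade-off Brian describes: an ICMP-scanning worm that gets a foothold on one site produces a visible burst of denied echo requests rather than free rein across the network.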