RE: PIX firewall and ICMP

From: Cat Thrasher (isd607_at_co.santa-cruz.ca.us)
Date: 09/29/03

    Date: Mon, 29 Sep 2003 12:15:01 -0700
    To: "John Hollyoak" <mail@jhollyoak.com>, "Security-Basics (E-mail)" <security-basics@securityfocus.com>
    
    

    Thanks for all the responses to my post. I am using NAT on my PIX, so the specific allow statements
    are only valid if the trouble-shooting they are doing is to a specific host that has an outside address mapped to an inside address.
    Thanks again for your replies. I have been looking on the Cisco site for help in doing an ACL for the PIX and ICMP but the problem again is that I am doing NAT.

    Cat

    -----Original Message-----
    From: John Hollyoak [mailto:mail@jhollyoak.com]
    Sent: Saturday, September 27, 2003 10:03 AM
    To: Cat Thrasher; Security-Basics (E-mail)
    Subject: Re: PIX firewall and ICMP

    Cat Thrasher,

    Perhaps instead of using a permit ANY to ANY rule for ICMP traffic, you
    could make the rules more granular, using specific IPs and ranges. Have
    people provide a valid justification as to why they need to propagate this
    type of traffic over your PIX. Our company has specific policies on ICMP
    traffic, and you need to justify beyond a 'shadow of a doubt' why it is
    worth the risk.

    Just a thought...

    John
    ----- Original Message -----
    From: "Cat Thrasher" <isd607@co.santa-cruz.ca.us>
    To: "Security-Basics (E-mail)" <security-basics@securityfocus.com>
    Sent: Wednesday, September 24, 2003 1:21 PM
    Subject: PIX firewall and ICMP

    Please advise your opinions on my problem. I had a permit statement on the
    PIX that would allow ICMP from any to any. Since being hit with Nachi, I
    turned it off. I am being asked my policy on when it will be turned back on.
    I have a rather large network and many "divisions" who work independently,
    yet access the internet thru "my" PIX. They like to use ping when
    trouble-shooting.
    Can I get an opinion on whether or not I should turn this back on...
    Thanks

    Cat Thrasher
    Network Support Analyst
    County of Santa Cruz
    831-454-5367
    cat.thrasher@co.santa-cruz.ca.us

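As an added illustration (not from any poster in this thread), one way to retire the ICMP any-to-any permit while still letting a division troubleshoot through a NATed PIX: give the host under test a static outside address, permit only the ICMP reply types a ping or traceroute needs back, and only toward that mapped host. PIX 6.x syntax is assumed; all addresses, interface names and the ACL name are constructed placeholders, and comment lines are marked with `!`.

```cisco
! Constructed example (PIX 6.x syntax assumed); all addresses are placeholders.
! A host that must be reachable for troubleshooting gets a one-to-one static
! mapping so an ACL can name it. Hosts hidden behind PAT cannot be named this
! way, which is the NAT limitation raised in the thread above.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Everyone else leaves through PAT on the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! One-to-one mapping for the inside host the division needs to test against.
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

! Inbound ICMP: only the reply types an outbound ping or traceroute needs,
! only toward the mapped host. echo-reply is restricted to the partner
! network that justified it; time-exceeded and unreachable come from
! intermediate routers, so their source cannot be pinned down.
! There is no permit icmp any any; anything not listed hits the implicit
! deny at the end of the ACL and shows up in the PIX syslog.
access-list outside_in permit icmp 198.51.100.0 255.255.255.0 host 203.0.113.10 echo-reply
access-list outside_in permit icmp any host 203.0.113.10 time-exceeded
access-list outside_in permit icmp any host 203.0.113.10 unreachable
access-group outside_in in interface outside

! ICMP aimed at the firewall's own outside interface is a separate control:
! allow echo only from the admin host so the PIX itself is not a ping target.
icmp permit host 198.51.100.5 echo outside
icmp deny any outside

! Send the denies somewhere you can answer "why does my ping fail" from.
logging on
logging trap informational
logging host inside 10.1.1.50
```

Each division that wants ICMP through the PIX then has to name the mapped host and the source range it is testing from, which is the justification step John describes.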

