Security Basics mailing list archives

Re: PIX firewall and ICMP


From: Brian Ford <brford () cisco com>
Date: Fri, 26 Sep 2003 16:20:01 -0400

Cat,

I hope you recognize that the "any any" was a big mistake.

This is an excellent example of the trade-offs of implementing a security solution. You need to weigh the worm clean-up costs against the decision to allow users to use ping for troubleshooting.

Liberty for All,

Brian

At 10:21 AM 9/24/2003 -0700, Cat Thrasher wrote:
Please advise your opinions on my problem. I had a permit statement on the PIX that would allow ICMP from any to any. Since being hit with Nachi, I turned it off. I am being asked my policy on when it will be turned back on. I have a rather large network and many "divisions" who work independently, yet access the internet through "my" PIX. They like to use ping when troubleshooting.
Can I get an opinion on whether or not I should turn this back on...
Thanks

Cat Thrasher
Network Support Analyst
County of Santa Cruz
831-454-5367
cat.thrasher () co santa-cruz ca us
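As an added illustration that is not part of either message above, the following PIX configuration fragment places the permissive rule Cat describes next to a tightened alternative that still lets inside users run ping and traceroute. It is a constructed example, not the County's actual configuration: the access-list name `outside_in` is assumed, and it assumes a PIX that does not track ICMP state, so the reply types inside users depend on must be permitted inbound explicitly.

```text
! --- Constructed example: the rule as described in the thread ---
! Any outside host may send any ICMP type to any inside host, including
! the echo-requests Nachi used to discover targets.
access-list outside_in permit icmp any any
access-group outside_in in interface outside

! --- Tightened alternative (assumed ACL name outside_in) ---
! Inbound from the outside interface, permit only the ICMP replies that
! make ping and traceroute from the inside work, then drop the rest.
no access-list outside_in permit icmp any any
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit icmp any any time-exceeded
access-list outside_in permit icmp any any unreachable
access-list outside_in deny icmp any any
access-group outside_in in interface outside

! Stop the PIX outside interface itself from answering probes.
icmp deny any outside
```

With this in place, a user inside who pings an Internet host still gets the echo-reply back, and traceroute still receives time-exceeded and unreachable messages, but outside hosts can no longer ping or sweep inside addresses through the firewall. If individual divisions need to be pinged from outside, the `echo-reply` line stays as it is and a narrowly scoped `permit icmp <source> <host> echo` line per approved host is added instead of reopening any/any.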

