Security Basics mailing list archives

RE: PIX firewall and ICMP


From: Steve Marin <steve () skabnmarin com>
Date: Thu, 25 Sep 2003 17:24:42 EST

Hi guys, I could not help but notice you said you were hit with the
Nachi worm while a PIX box was in place. If you would like a
firewall that cannot be penetrated by those worms let me know. I
offer a managed firewall that does both IDS and proxy. I have over
140 of them in place in businesses from large manufacturers to banks
to small businesses. Not one of them was infected by Blaster,
Nachi or SoBig.

As a matter of fact I have the industry leading guarantee that if any of
your servers gets hacked while my firewall is in place we will pay
you 1,000 US dollars per incident.

Kindest regards,



Steve Marin


Hi,
If your divisions use ping to troubleshoot you can allow a specific
type of ICMP and not ICMP as a whole, how about something like this:

access-list outside permit icmp any any echo-reply

This way you can allow only echo-reply to the system without the
need to open all types of ICMP toward the network.

Hope this has been helpful


-----Original Message-----
From: Cat Thrasher [mailto:isd607 () co santa-cruz ca us] 
Sent: Wednesday, September 24, 2003 7:22 PM
To: Security-Basics (E-mail)
Subject: PIX firewall and ICMP

Please advise your opinions on my problem. I had a permit statement on
the PIX that would allow ICMP from any to any. Since being hit with
Nachi, I turned it off. I am being asked my policy on when it will be
turned back on. I have a rather large network and many "divisions" who
work independently, yet access the internet through "my" PIX. They like to
use ping when troubleshooting.
Can I get an opinion on whether or not I should turn this back on...
Thanks 

Cat Thrasher
Network Support Analyst
County of Santa Cruz
831-454-5367
cat.thrasher () co santa-cruz ca us
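The difference between the original "permit icmp any any" statement and the echo-reply-only access-list suggested in the reply above, shown as an added example that is not code from either poster or from Cisco: a small Python model that parses raw ICMP headers (type, code, checksum), applies a first-match rule list with the implicit deny a PIX ACL ends with, and classifies a handful of constructed inbound packets under each policy. The rule list, the packet names and the payloads are assumptions built for the demonstration.

```python
"""Model of a PIX-style ICMP access-list applied to raw ICMP messages.

Added example for this thread; not code from the original posts or from Cisco.
All packets are constructed inline so the script runs offline.
"""
import struct
from collections import namedtuple

# ICMP message types (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

Rule = namedtuple("Rule", "action icmp_type")  # icmp_type None matches any type

# "access-list outside permit icmp any any": what the original poster had
ANY_ICMP = [Rule("permit", None)]
# "access-list outside permit icmp any any echo-reply": the suggested replacement
ECHO_REPLY_ONLY = [Rule("permit", ICMP_ECHO_REPLY)]


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int = 0, ident: int = 1, seq: int = 1,
               payload: bytes = b"ping") -> bytes:
    """Build an ICMP message (constructed test data) with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Parse the 8-byte ICMP header; raise ValueError if truncated or corrupt."""
    if len(pkt) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    # A valid message checksums to zero when the stored checksum is included.
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": pkt[8:]}


def evaluate(policy, pkt: bytes) -> str:
    """First-match evaluation ending in the implicit deny of a PIX ACL."""
    try:
        hdr = parse_icmp(pkt)
    except ValueError:
        return "deny"              # malformed traffic never matches a permit
    for rule in policy:
        if rule.icmp_type is None or rule.icmp_type == hdr["type"]:
            return rule.action
    return "deny"


def sample_packets() -> dict:
    """Constructed inbound packets, named by what they represent."""
    corrupt = bytearray(build_icmp(ICMP_ECHO_REPLY))
    corrupt[2] ^= 0xFF             # damage the checksum high byte
    return {
        "echo-reply to an internal ping": build_icmp(ICMP_ECHO_REPLY),
        "unsolicited echo-request (host sweep)": build_icmp(ICMP_ECHO_REQUEST),
        "dest-unreachable, fragmentation needed": build_icmp(ICMP_DEST_UNREACH, code=4),
        "time-exceeded (traceroute hop)": build_icmp(ICMP_TIME_EXCEEDED),
        "corrupt checksum": bytes(corrupt),
    }


def classify(policy) -> dict:
    """Verdict for every sample packet under the given policy."""
    return {name: evaluate(policy, pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for label, policy in (("permit icmp any any", ANY_ICMP),
                          ("permit icmp any any echo-reply", ECHO_REPLY_ONLY)):
        print(label)
        for name, verdict in classify(policy).items():
            print(f"  {verdict:6s} {name}")
```

Running it shows the trade-off in one screen: the echo-reply-only policy still lets replies to internal pings in and drops an unsolicited inbound echo-request, but it also drops destination-unreachable (including the fragmentation-needed message that path MTU discovery relies on) and time-exceeded, so traceroute from inside will lose its hop replies unless those types are permitted as well. On the PIX the access-list only takes effect once it is bound to the interface with an access-group statement, such as "access-group outside in interface outside".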

