I agree 100%.  I don't allow people from outside to ping me and if they have
problems, the first thing they tell me is that they can't ping me.  I say,
"That's right, we don't allow pinging thru our firewall."  100% of the time
they say, "That's what I thought." and we go from there.  I have never had
anyone yell at me or demand the ability to ping me, everyone who has been
around for more than a few days knows how easy ICMP is to exploit and how
useful a hacking tool it is.  One ping packet to your network broadcast
address will map your entire network.

Ask your Customer Service department if they would rather work with you to
figure out some other way to troubleshoot or explain to their customers why
your system was hacked and all your customers' credit card numbers are now
public information.

Jim Edwards

-----Original Message-----
From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 23, 2000 9:12 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [FW1] Allow pinging or not?



No. If they feel they are having troubles, I would have them contact you -
AFTER they have verified that their systems and net access are OK. They
should be able to conclude that it's at your end, just by verifying that all
of their systems and net access is OK all the way to you.

If your systems are having trouble, then your local management systems
should notify you, not your business partner. You want to run only what you
must and no more. Don't allow services or protocols thru, just so your
business partner can manage your systems as if they were theirs.

Best of luck!
Robert

- -
Robert P. MacDonald, Network Engineer
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> "Ralf Günthner" <[EMAIL PROTECTED]> 5/23/00 9:29:57 AM >>>
>
>We have a certain e-business server in a DMZ. Until now, I dropped any ping packets directed at this
>system's public address from the outside world.
>
>Now customer service wants me to allow echo request packets to reach the public address, so customers
>who have access problems can verify the reachability of our server.
>
>Should I allow this or not? I'm afraid of opening up routes for exploits not to mention tools like nmap asf.
>
>Any opinions very much welcome
>
>Ralf G.




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
