JEH,
I understand your pain completely. You are better off allowing pings,
then explaining to your mainframe people why ping is not everything.
A battle you'll never win.
Pings are not as dangerous as they seem. A hacker who is relatively
good at computers, and most of them are really good, would map your
network with or without pings.
Think of it this way. All servers on your DMZ are meant to serve the world.
Whether I ping your www server or connect to port 80, I already
have your IP address (and sometimes I just do an nslookup). I would be more
wary of allowing pings into your internal networks.
That said, however, make sure you only allow the corresponding ICMP message
types, i.e. echo-request and echo-reply, and do not select "allow ICMP" in
the Rulebase properties. The implied rule allows too many message types.
Anyway. That's my .02c.
George
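As an added illustration, not part of the thread and not Check Point's own rulebase logic, the following Python model contrasts the two choices George describes: a rule that admits only echo-request inbound and echo-reply outbound, versus a blanket "accept ICMP" that passes every message type. The ICMP packets are constructed inline (the identifier 0x1234 and the payloads are arbitrary), and the two policy functions and the direction labels are hypothetical names chosen for this example.

```python
import struct

# ICMP message types from RFC 792 that appear in this example.
ICMP_ECHO_REPLY = 0
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIMESTAMP = 13
ICMP_ADDR_MASK_REQUEST = 17


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(msg_type: int, code: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message (identifier/sequence are arbitrary)."""
    header = struct.pack("!BBHHH", msg_type, code, 0, 0x1234, 1)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, code, chk, 0x1234, 1) + payload


def parse_icmp(packet: bytes):
    """Return (type, code) of an ICMP message, rejecting truncated or corrupt input."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    # Summing the whole message including its checksum field yields 0 when intact.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    msg_type, code = struct.unpack("!BB", packet[:2])
    return msg_type, code


# Hypothetical policy 1: the rule George recommends. Direction "in" is
# Internet -> DMZ, "out" is DMZ -> Internet.
def allowed_strict(msg_type: int, code: int, direction: str) -> bool:
    if direction == "in":
        return msg_type == ICMP_ECHO_REQUEST and code == 0
    if direction == "out":
        return msg_type == ICMP_ECHO_REPLY and code == 0
    return False


# Hypothetical policy 2: the blanket "allow ICMP" property; every type passes.
def allowed_implied(msg_type: int, code: int, direction: str) -> bool:
    return True


def evaluate(packet: bytes, direction: str, policy) -> bool:
    msg_type, code = parse_icmp(packet)
    return policy(msg_type, code, direction)


# Constructed sample traffic: the two messages ping actually needs, plus three
# reconnaissance-style types that a blanket ICMP rule would also admit.
SAMPLES = {
    "echo-request in": (build_icmp(ICMP_ECHO_REQUEST, payload=b"ping"), "in"),
    "echo-reply out": (build_icmp(ICMP_ECHO_REPLY, payload=b"ping"), "out"),
    "timestamp in": (build_icmp(ICMP_TIMESTAMP, payload=bytes(12)), "in"),
    "address-mask in": (build_icmp(ICMP_ADDR_MASK_REQUEST, payload=bytes(4)), "in"),
    "redirect in": (build_icmp(ICMP_REDIRECT, code=1, payload=bytes(4)), "in"),
}


def compare_policies() -> dict:
    """Map each sample to (strict_verdict, implied_verdict)."""
    return {
        name: (evaluate(pkt, d, allowed_strict), evaluate(pkt, d, allowed_implied))
        for name, (pkt, d) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (strict, implied) in compare_policies().items():
        print(f"{name:18s} strict={strict!s:5s} implied={implied}")
```

Running the block shows the three non-echo samples accepted by the implied rule and dropped by the strict one, which is the gap George is pointing at. In practice a strict rule like this is usually widened slightly to admit destination-unreachable "fragmentation needed" (type 3, code 4) so that path MTU discovery keeps working; the example leaves that out to keep the contrast clear.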
-----Original Message-----
From: Ingo Heinscher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 3:18 AM
To: [EMAIL PROTECTED]
Subject: Re: [FW1] OT - newbie question about PING
Well, that depends on your security policy.
Personally, I cannot see any reason why to disallow ICMP traffic through
the Firewall. Some people prefer to do this in order to make spying out the
target network harder- but then again, it also blocks the local Admin from
"spying out" the network in case of any problems...
Ingo Heinscher
Would someone please explain the reasoning for not allowing PING through the
Firewall to our internal networks? I'm having a problem justifying to the
mainframe systems group why I will not globally enable PING.
Your thoughts would be appreciated.
JEH
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
_____________________________________________________________________
IMPORTANT NOTICES:
This message is intended only for the addressee. Please notify the
sender by e-mail if you are not the intended recipient. If you are not the
intended recipient, you may not copy, disclose, or distribute this message
or its contents to any other person and any such actions may be unlawful.
Banc of America Securities LLC("BAS") does not accept time
sensitive, action-oriented messages or transaction orders, including orders
to purchase or sell securities, via e-mail.
BAS reserves the right to monitor and review the content of all
messages sent to or from this e-mail address. Messages sent to or from this
e-mail address may be stored on the BAS e-mail system.