You are probably right :) OK, one last time and I will shut up!! I keep stirring it up in the hope someone listens for the next ISA (like control of all NICs).

I have a largish network (by Pacific standards anyway :) that covers 2 countries, with dial-ups in the other country that I have almost zero control over. Trying to secure EVERYTHING against Nachi was nigh on impossible. I got about 98% of the machines here patched in time, but one or 2 got it. The entry point was someone from outside who waltzed in and connected their laptop onto the network; till that point I had been doing well.

I tend to take issue a little with people who keep throwing the blame at me and think I am trashing ISA. I like ISA a lot and I don't want to change, but I have ICMP off on the internal NICs right now and that’s a pain, but maybe something I have to live with. I have found other ways to stop attacks from the dial-ups, like blocking ICMP at the dial-ups router and access lists to let them only have what they need to the destinations they need. I guess someone is going to say this should have already been in place, and maybe they are right, but I have limited resources and time, and until Nachi no real problems (2 AV on mail system, 2 AV on firewall, different AV on desktops + SUS).

Anyway, life goes on and Nachi on my network is my fault, fine :)

Merry Christmas to all and a pox on virus writers everywhere!!

Cheers

Phill

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, 24 December 2003 1:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FW: CISCO ALERT - Cisco warns of holes in PIX firewalls

http://www.ISAserver.org

Phil, Phil, Phil...
Don't you know that in this forum everything but ISA sucks the chrome off a '57 Chevy?

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!

On Tue, 23 Dec 2003 21:03:29 +1100 "Phill Hardstaff - SPC" <phillh@xxxxxxx> wrote:

Nachi behind ISA kills it stone dead (just one infected machine is enough). The point is every system has its weaknesses, don't get too cocky guys. Maybe PIX handles Nachi OK :)

Cheers

Phill