How does preventing telnet or traceroute make the firewall more secure?

Is this part of Cisco's claim that the PIX doesn't have a full TCP/IP stack for some reason? I'm not trying to pick a fight here, just wish I could friggin traceroute or telnet to other machines while working on the PIX.

Sure - I understand your points. Let's hope a DE will respond to give their viewpoint.

One feature introduced in 6.3 was a management interface command. This command permits pinging or telneting to the inside interface on the pix over a vpn tunnel.

I was told by DEs that this was not permitted by design. Enough people asked for the command to modify this default behavior if they understood and accepted the risks.

Maybe the same can be done for traceroute and telnet.

How do others feel? I can submit an enhancement request for the next Pix version and we can see where it goes.

peter

Please do submit an enhancement request. I like how the default on PIX is always "No" (keeps me from shooting myself in the foot), but I'd like to be able to choose to enable other features at my own risk- for example, I like how you can't telnet to the outside interface by default, but I'd like to be able to choose to enable this feature if I want. I'm a big boy, I know the risks.

If I could turn on telnet or traceroute for testing and troubleshooting, I can always turn it back off when I'm done.