Search This Blog

Thursday, August 27, 2009

firewall-wizards Digest, Vol 40, Issue 10

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: checkpoint authentication on external interface
(Francois Yang)


----------------------------------------------------------------------

Message: 1
Date: Tue, 25 Aug 2009 16:37:06 -0500
From: Francois Yang <francois.y@gmail.com>
Subject: Re: [fw-wiz] checkpoint authentication on external interface
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7a3963cb0908251437x502b7840xaf41422436f1fa36@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

It is accepting the packets.
I can get to the page from the outside world.
I don't see any logs for bad attempts.
I can sit here all day and put in bad passwords.

Frank


On Tue, Aug 25, 2009 at 6:28 AM, Jacson Querubin<spacial@gmail.com> wrote:
> Frank,
>
> The Checkpoint FW1 Gateways don't accept to apply the rule base from
> external interface.
>
> you can always do a fw monitor to see if it is droping or accepting the packets.
>
> cheers
>
> Jacson
>
> On Mon, Aug 24, 2009 at 13:21, Francois Yang<francois.y@gmail.com> wrote:
>> I have looked at the implied rules and I do have an explicit rule to
>> deny all and I don't see anything that would allow this connection.
>> I even created a rule to block this and put it at the top and still
>> don't see any changes.
>>
>> To answer the other emails, Yes, I'm sure I could put an ACL in the
>> front router to block access, but I was hoping to find a better
>> solution.
>>
>> Frank
>>
>>>>
>>>>
>>>
>>> Hi Frank,
>>> Even if the daemon is listening on the port, you still have to go through
>>> the rulebase to be able to connect.
>>> You should verify if the ports are allowed either in implied or explicit
>>> rules. (try to enable the logs on the implied rules
>>> for a short time to get some logs about the auth).
>>>
>>> I recommend to use explicit rules and allow only from explicit sources.
>>>
>>> I agree it's better if the daemon accepts connections only on internal IPs,
>>> but for this you have to ask checkpoint how to do.
>>>>
>>>> thanks
>>>>
>>>> Frank
>>>> _______________________________________________
>>>> firewall-wizards mailing list
>>>> firewall-wizards@listserv.icsalabs.com
>>>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> firewall-wizards mailing list
>>> firewall-wizards@listserv.icsalabs.com
>>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>>
>>
>>
>>
>> --
>> If you spend more on coffee than on IT security, you will be hacked.
>> What's more, you deserve to be hacked. ? White House Cybersecurity
>> Advisor, Richard Clarke
>> _______________________________________________
>> firewall-wizards mailing list
>> firewall-wizards@listserv.icsalabs.com
>> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

--
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked. ? White House Cybersecurity
Advisor, Richard Clarke


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 40, Issue 10
************************************************

No comments: