Yes and no..  Just turn off "Accept FW-1 Control Connections" and most
of them go away.. You'll, however, need to add specific rules for
management and VPN stuff (which is where the kink is)..  For example, if
you want people to be able to be offsite and update their SecureClient
configuration a) they'll need to be able to connect to FW1_topo for
topology downloads; and b) You'll need to allow FW1_pslogon for them to
log onto the policy server..  IOW, if you're doing Client-To-Site VPNs,
you'll just have to deal with those ports being open unless you have a
configuration you dist out to people or make them get the policy from a
known location (i.e. onsite).

Responding to Brenno Hiemstra's comment:
> Just block all the FW-1 management ports on your border router

That's the firewall's job..  In addition, depending on what vendor and
version your router is, this could be easily circumvented by FIN or ACK
scanning the firewall's IP address (not for making the connection, but
for identifying that the port is open and thereby fingerprinting the
firewall as a FW-1).

// Chris
[EMAIL PROTECTED]
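A defender-side illustration of the FIN/ACK point above, added here as an example (not code from the thread): it reads firewall packet logs and flags hosts that send FIN-only or ACK-only segments to FW-1 service ports without ever opening a session, which is exactly what a stateless router ACL lets through. The log line format and the service-to-port mapping are assumptions made for this example.

```python
import re
from collections import defaultdict

# FW-1 service ports; the mapping is assumed for this example, not from the thread.
FW1_SERVICES = {256: "FW1", 257: "FW1_log", 258: "FW1_mgmt",
                264: "FW1_topo", 18231: "FW1_pslogon"}

# Constructed log format: "<time> <src>:<sport> -> <dst>:<dport> flags=<SAFR...>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) flags=(\S+)$")

def parse_line(line):
    """Return (src, dst, dport, flags) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, src, _sport, dst, dport, flags = m.groups()
    return src, dst, int(dport), set(flags)

def find_fingerprint_probes(lines, firewall_ip, min_ports=2):
    """Map source IP -> FW-1 services it probed with FIN-only or ACK-only
    segments and no prior SYN. Such segments pass a router ACL that only
    blocks inbound SYNs, so the firewall's own logs are where to catch them."""
    opened = set()             # (src, dport) pairs that sent a SYN
    probed = defaultdict(set)  # src -> FW-1 ports probed statelessly
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, dst, dport, flags = pkt
        if dst != firewall_ip or dport not in FW1_SERVICES:
            continue
        if "S" in flags:
            opened.add((src, dport))
        elif flags in ({"F"}, {"A"}) and (src, dport) not in opened:
            probed[src].add(dport)
    return {src: sorted(FW1_SERVICES[p] for p in ports)
            for src, ports in probed.items() if len(ports) >= min_ports}

# Constructed sample: a normal topology download from 203.0.113.7, then probes from 192.0.2.55.
SAMPLE_LOG = [
    "10:00:01 203.0.113.7:40001 -> 198.51.100.1:264 flags=S",
    "10:00:01 203.0.113.7:40001 -> 198.51.100.1:264 flags=A",
    "10:00:09 203.0.113.7:40001 -> 198.51.100.1:264 flags=FA",
    "10:02:30 192.0.2.55:5555 -> 198.51.100.1:256 flags=F",
    "10:02:30 192.0.2.55:5555 -> 198.51.100.1:257 flags=F",
    "10:02:31 192.0.2.55:5555 -> 198.51.100.1:264 flags=A",
    "10:02:31 192.0.2.55:5555 -> 198.51.100.1:18231 flags=F",
]
```

Running `find_fingerprint_probes(SAMPLE_LOG, "198.51.100.1")` reports only 192.0.2.55; the SecureClient host that completed a handshake on FW1_topo is not flagged.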

-----Original Message-----
From: Russell Aspinwall [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 12, 2001 5:36 AM
To: Chris Tobkin
Cc: Cessna, Michael; Eric Johnson; [EMAIL PROTECTED]
Subject: Re: Hacking FW-1 programs


Hi,

Can fingerprinting a Checkpoint FW be made more difficult by using a
packet filtering router on the Internet facing interface, so that
only selected IP addresses can access the ports < 1023?

Regards

Russell

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls