make sure you add a stealth rule for the box itself

At 03:18 PM 2/26/2002 -0400, Fredy Santana wrote:
>Well, some time ago I did a little research about that. These are some
>guidelines:
>
>General recommendations:
>
>1.- Keep your firewall updated
>2.- Secure all the machines involved (management module, firewall module,
>etc)
>3.- You must have backup and recovery procedures
>4.- Maintain a logging policy for post-analysis
>5.- Change the admin password periodically
>
>Configuration recommendations:
>
>1.- Set the IP Spoofing, maybe you'll need to study the situation, 'cause the
>network could be complex
>2.- Set the SYN Defender
>3.- At the top of the rulebase you must add the rule:
>
>any -- firewal-1 drop
>
>In order to hide the firewall
>
>If you're using VPN or user authentication or whatever service that needs
>communication with the fw module you must place this rule below them.
>
>I hope this could help you.
>
>[EMAIL PROTECTED] writes:
> >Hi All,
> >
> >I have FW-1 on Nokia.
> >I have implemented VRRP as part of the fw-1/Nokia failover solution, and
> >therefore have both "real" and "virtual" addresses for my interfaces.
> >I have closed the firewall as best as I am allowed (I need to let some
> >remote systems "ping"), but still the "real" IP address of each interface
> >is being shown in traceroutes !! What have I missed ? - how do I make
> >my fw-1 totally anonymous ?
> >
> >Just in case I missed anything else, what are the general guidelines for
> >securing the fw-1 ??
> >I have all my management activity limited to a completely separate,
> >secured
> >lan and I only have specific rules (ie. the only "any" destinations I have
> >are either for port 80 or for "drop" actions). I have anti-spoofing set as
> >recommended, but I do not have SYNdefender active as yet.
> >Anything else ? .............................
> >
> >Cheers, Gordon
> >
> >_______________________________________________
> >Firewalls mailing list
> >[EMAIL PROTECTED]
> >http://lists.gnac.net/mailman/listinfo/firewalls
>
>Regards
>Fredy R. Santana V.
>Electrical Civil Engineer - CCSA - CCDA
>Orion 2000 - Professional Services in Information Security
>La Concepcion 322 piso 12, Providencia.
>Santiago, Chile
>Phone: 56-2-6403944, Fax: 56-2-6403990
>e-mail: [EMAIL PROTECTED]
>http://www.orion.cl
