1) You can use any type of scanning tool that you want. Personally I've used both as well as several others; generally I use Nessus, as it seems to allow more configuration and is generally quicker to get into an environment (plus the licensing issues are less).
2) Scanning _THROUGH_ a firewall is mainly testing the firewall, not really your servers/app. Even with the firewall wide open allowing all ports 1-65535 udp/tcp, it will generally still stop some traffic. Generally I run two scans. One through the firewall with normal rules on the firewall; this helps me verify the firewall policy. Then I run another scan against the server from within the environment; this tells me what the server actually has open. By comparing these you get a much better view of the environment.

3) As mentioned before, if you are going to try and scan through a firewall you have to create an object that specifically lists all ports (1-65535) for both tcp & udp, as the 'Any' dynamic object is _NOT_ any port. But in so doing most firewalls will still drop / stop / hide information, and you will lose the benefit of auditing your firewall rules as they are in real life.

Steve

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Nick Brandson
Sent: Monday, January 23, 2006 22:02
To: [email protected]
Subject: [FW-1] Scanning host thru Check Point

Dear guru,

I need to pass the IT audit requirements (e.g. SOX), scanning our public server (web, ftp..) thru our CP firewall.

1. What tools should we use? (Nessus, Internet Scanner)
2. Would the penetration test/VA scanning be successful thru fw?
3. Are there any add'l ports that need to be opened?

Please help,
Thanks,
Nick

__________________________________________________
Do You Yahoo!? Tired of spam? Yahoo!
Mail has the best spam protection around http://mail.yahoo.com

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

***************************************************************************
The information contained in this communication is confidential, is intended only for the use of the recipient named above, and may be legally privileged. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please resend this communication to the sender and delete the original message or any copy of it from your computer system. Thank You.
****************************************************************************
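The two-scan comparison Steve describes in point 2 (one scan through the firewall, one from inside against the server, then compare) can be turned into a small audit step. The following is an added example, not code from the thread or from Check Point, Nessus or Internet Scanner; the scan results and the intended firewall policy are constructed (protocol, port) sets in a format of our own, not any scanner's output.

```python
from __future__ import annotations

# Constructed sample results as (protocol, port) pairs reported "open".
# Internal scan: run from inside the environment, straight at the server.
INTERNAL_SCAN = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 3306), ("udp", 161)}
# External scan: run through the firewall with its normal rule base in place.
EXTERNAL_SCAN = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 8080)}
# What the firewall policy for this public web server is supposed to allow (constructed).
POLICY_ALLOW = {("tcp", 80), ("tcp", 443)}


def compare_scans(internal: set, external: set, policy: set) -> dict[str, set]:
    """Classify every port seen in either scan.

    exposed   : open on the host and reachable through the firewall
    filtered  : open on the host but blocked by the firewall (the policy is doing its job)
    phantom   : answered externally but not open on the host; something in the path
                (the firewall itself, NAT, a proxy) is responding, so investigate it
    violation : exposed although the intended policy does not allow it
    missing   : allowed by policy but not reachable (service down or rule not matching)
    """
    exposed = internal & external
    return {
        "exposed": exposed,
        "filtered": internal - external,
        "phantom": external - internal,
        "violation": exposed - policy,
        "missing": policy - external,
    }


def fmt(port: tuple) -> str:
    return f"{port[0]}/{port[1]}"


def findings(result: dict[str, set]) -> list[str]:
    """Human-readable audit lines, most important category first."""
    order = ["violation", "phantom", "missing", "filtered", "exposed"]
    return [f"{k.upper():9s} {fmt(p)}" for k in order for p in sorted(result[k])]


if __name__ == "__main__":
    for line in findings(compare_scans(INTERNAL_SCAN, EXTERNAL_SCAN, POLICY_ALLOW)):
        print(line)
```

With the constructed data the report flags tcp/22 as a policy violation (the rule base lets ssh through to a public web server) and tcp/8080 as a phantom port that the server itself does not have open.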
