Thanks for your advice. I believe network
object means the CheckPoint Host (Firewall) and opened it to Topology tab in
Policy Editor. There were two interfaces: eth-s1p1co and
eth-s2p1co inside the table.
[Bill] In the "topology" sectin there is a
summary section which lists the interfaces. In the columns to the right,
you will see what anti-spoofing option (if any) is already selected for each
interface.
The first one is connected to internet using a
public IP and the second one to the local LAN using a private IP for the
firewall. After I clicked "Get Topology .." button, a caution showed
that "Topology and anti-spoofing settings that are already defined will be
overwritten by results of this operation that contradict them, if any.
Do you want to continue?" It seems the anti-spoofing has been set
before. I have a query about the IPs to be filled in before I continue
and seek your further advice.
[Bill] First of all, that message is a
default. You will always see it "just in case." Anyway, you can
view or edit settings by selecting the interface (i believe you can
double-click or hit the "edit" button after selecting). This will allow
you to select an interface and view the current configuration. From here
you can change the options without "getting" your interfaces again. You
will only need to "get" the interfaces again if they are not correct.
Use your Nokia Voyager to verify that the interfaces are correct.
1. For the interface to internet, what
should I put in the IP column?
[Bill] You should choose the "external
interface" option in general. This is what most people would do. If
the firewall is only used for limited purposes AND external ip addresses, you
could limit this further by creating a network object which contains the
necessary ip addresses and select that.
2. For local LAN interface, our
workstations are in the range of 192.168.0.11 to 192.168.0.40. How can I
put a range of IP as there is only one space available? Other IPs, i.e.,
network printer IPs, are not needed to be included here since they do not
need to pass thru the firewall.
[Bill] There are various ways to deal with
interfaces in general. You can choose the option which allows for all ip
addresses contained within the configuration of the interface. If for
example your interface was configured as 192.168.0.1/24 it would allow any
192.168.0.1 through 192.168.0.255 addresses through. You can also choose
the option which allws for selecting a "single" network object. I am not
sure about the total list of what type of objects can be used here maybe
somebody else can help you there. One option though, is to create a
group with all the individual workstations (in your case 11 through 40) and
select that group. This does not scale well, but it is an option.
Another option might be able to create an "ip address range" object and
use that here. I am not sure if this option is allowed. The "ip
address range object" had very specific uses in the past. Another option
would be to create a network object or objects which is/are a subset of the
actual network which would account for the necessary ip addresses. This
can also be tedious and is probably not necessary. In your case, I would
probably recommend using the network interface option and using the policy
rulebase to further limit that to necessary objects. No point in making
your life more difficult than necessary for minimal gains ;~}. Use
your common sense here. Use the principle of least privilege where
possible.
Thanks,
Ray
From:
Bill
Sent: Wednesday, 25 September, 2002
03:27 a
Open up the network object in the policy manager. Click on the topology
tab. "Get" all your interfaces and verify that they are correct. Then drill
down into each interface and choose from the options. I believe they are (not
necessarily in the same order or words):
--network defined by your interface configuration
--a network object or group which would define all allowable
networks
--external interface
The anti-spoofing is used to tell the firewall what source ip addresses are
valide for traffic INBOUND on the port/interface in question. Be very careful
and make sure that you are accounting for all necessary networks. I would
recommend that you log this information as well so you can "see" when
something is not being allowed through and determine the cause -- right or
otherwise.
----- Original Message -----
From:
Ray
Li
To:
[EMAIL PROTECTED]
Sent: Tuesday, September 24, 2002
12:38 PM
Subject: [FW-1] Anti-spoofing
warning
I notice that my Nokia firewall shows a warning that "The 2 interface is
not protected by the anti-spoofing feature. Your network may be at risk. In
the future, it is recommended that you define anti-spoofing protection before
installing the Security Policy." during bootup. I am using CheckPoint VPN Pro
NG. To fix this problem, can someone help me configure the anti-spoofing on
the CheckPoint NG version.
Thanks,
Ray
