Thanks for your advice. I believe the network
object means the CheckPoint Host (Firewall), and I opened it at the Topology tab in
Policy Editor. There were two interfaces, eth-s1p1co and
eth-s2p1co, inside the table.
[Bill] In the "topology" section there is
a summary section which lists the interfaces. In the columns to the
right, you will see what anti-spoofing option (if any) is already selected
for each interface.
The first one is connected to internet using a
public IP and the second one to the local LAN using a private IP for the
firewall. After I clicked "Get Topology .." button, a caution showed
that "Topology and anti-spoofing settings that are already defined will be
overwritten by results of this operation that contradict them, if any.
Do you want to continue?" It seems the anti-spoofing has been set
before. I have a query about the IPs to be filled in before I continue
and seek your further advice.
[Bill] First of all, that message is a
default. You will always see it "just in case." Anyway, you can
view or edit settings by selecting the interface (I believe you can
double-click or hit the "edit" button after selecting). This will
allow you to select an interface and view the current configuration.
From here you can change the options without "getting" your interfaces
again. You will only need to "get" the interfaces again if they are
not correct. Use your Nokia Voyager to verify that the interfaces are
correct.
1. For the interface to internet, what
should I put in the IP column?
[Bill] You should choose the "external
interface" option in general. This is what most people would do.
If the firewall is only used for limited purposes AND external ip
addresses, you could limit this further by creating a network object which
contains the necessary ip addresses and select that.
2. For the local LAN interface, our
workstations are in the range of 192.168.0.11 to 192.168.0.40. How can
I put in a range of IPs, as there is only one space available? Other IPs,
i.e., network printer IPs, do not need to be included here since
they do not need to pass through the firewall.
[Bill] There are various ways to deal
with interfaces in general. You can choose the option which allows for
all ip addresses contained within the configuration of the interface.
If for example your interface was configured as 192.168.0.1/24 it would
allow any 192.168.0.1 through 192.168.0.255 addresses through. You can
also choose the option which allows for selecting a "single" network
object. I am not sure about the total list of what type of objects can
be used here; maybe somebody else can help you there. One option,
though, is to create a group with all the individual workstations (in your
case 11 through 40) and select that group. This does not scale well,
but it is an option. Another option might be to create an "ip
address range" object and use that here. I am not sure if this
option is allowed. The "ip address range object" had very specific
uses in the past. Another option would be to create a network object
or objects which is/are a subset of the actual network which would account
for the necessary ip addresses. This can also be tedious and is
probably not necessary. In your case, I would probably recommend using
the network interface option and using the policy rulebase to further limit
that to necessary objects. No point in making your life more difficult
than necessary for minimal gains ;~}. Use your common sense
here. Use the principle of least privilege where
possible.
Thanks,
Ray
From: Bill
Sent: Wednesday, 25 September, 2002 03:27 a
Open up the network object in the policy manager. Click on the topology
tab. "Get" all your interfaces and verify that they are correct. Then drill
down into each interface and choose from the options. I believe they are
(not necessarily in the same order or words):
--network defined by your interface configuration
--a network object or group which would define all allowable
networks
--external interface
The anti-spoofing is used to tell the firewall what source ip addresses
are valid for traffic INBOUND on the port/interface in question. Be very
careful and make sure that you are accounting for all necessary networks. I
would recommend that you log this information as well so you can "see" when
something is not being allowed through and determine the cause -- right or
otherwise.
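The semantics Bill describes above (valid inbound sources per interface; "external" meaning everything not defined behind another interface) and the three ways of defining the LAN side discussed in the reply (interface network, group of hosts, address range) can be modelled in a few lines. The following is an added illustrative example written for this thread, not Check Point code and not the thread author's: the interface names are taken from Ray's message as he wrote them, the object names and the packet list are constructed, and the 192.168.0.11 to 192.168.0.40 range and the 192.168.0.1/24 interface address come from the thread.

```python
"""Toy model of FireWall-1 style anti-spoofing checks (added example).

Not Check Point's implementation. Interface names follow Ray's message;
the topology objects and the packets below are constructed for
illustration.
"""
from ipaddress import ip_address, ip_network, summarize_address_range

# Marker for "external interface": any source that is NOT behind one of
# the other (internal) interfaces is considered valid here.
EXTERNAL = "external"


def interface_network(cidr):
    """Option: network defined by the interface configuration (e.g. 192.168.0.1/24).

    Note that the /24 covers 192.168.0.0 through 192.168.0.255, not just
    the hosts you happen to have in use.
    """
    return [ip_network(cidr, strict=False)]


def host_group(hosts):
    """Option: a group object holding individual workstation objects."""
    return [ip_network(f"{h}/32") for h in hosts]


def address_range(first, last):
    """Option: an "address range" object, expressed as the minimal set of CIDRs."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


def internal_networks(topology):
    """All networks declared behind non-external interfaces."""
    return [n for nets in topology.values() if nets != EXTERNAL for n in nets]


def valid_source(topology, iface, src):
    """True if a packet with source `src` may legitimately arrive inbound on `iface`."""
    src = ip_address(src)
    nets = topology[iface]
    if nets == EXTERNAL:
        # Spoofed if an external-side packet claims an internal address.
        return not any(src in n for n in internal_networks(topology))
    return any(src in n for n in nets)


def check(topology, iface, src, dst):
    """Return (verdict, log line); logging drops is what Bill recommends."""
    ok = valid_source(topology, iface, src)
    verdict = "accept" if ok else "drop"
    reason = "" if ok else " (anti-spoofing: source not valid on this interface)"
    return verdict, f"{verdict} inbound {iface} src={src} dst={dst}{reason}"


# Topology as Bill recommends: interface network on the LAN side,
# "external interface" on the Internet side. (Assumed names/objects.)
RAY_TOPOLOGY = {
    "eth-s1p1co": EXTERNAL,
    "eth-s2p1co": interface_network("192.168.0.1/24"),
}

# Stricter variant: only the workstation range is valid on the LAN side.
STRICT_TOPOLOGY = {
    "eth-s1p1co": EXTERNAL,
    "eth-s2p1co": address_range("192.168.0.11", "192.168.0.40"),
}

# Constructed sample traffic: (inbound interface, source, destination).
SAMPLE_PACKETS = [
    ("eth-s2p1co", "192.168.0.25", "203.0.113.7"),   # workstation going out
    ("eth-s2p1co", "10.0.0.5", "203.0.113.7"),       # wrong network on LAN side
    ("eth-s1p1co", "192.168.0.25", "192.168.0.40"),  # internal address from Internet
    ("eth-s1p1co", "203.0.113.7", "192.168.0.25"),   # ordinary Internet source
    ("eth-s2p1co", "192.168.0.200", "203.0.113.7"),  # printer, outside the range
]


def run(topology, packets=SAMPLE_PACKETS):
    return [check(topology, *p) for p in packets]


if __name__ == "__main__":
    for name, topo in (("interface network", RAY_TOPOLOGY),
                       ("address range", STRICT_TOPOLOGY)):
        print(f"--- LAN side defined by {name} ---")
        for _, line in run(topo):
            print(line)
```

Running it shows the practical difference between the two LAN-side definitions: with the interface network, the printer at 192.168.0.200 passes anti-spoofing and is left to the rulebase; with the narrower range object it is dropped at the interface, which is exactly the kind of drop you want logged so the cause is visible.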
----- Original Message -----
From: Ray Li
To: [EMAIL PROTECTED]
Sent: Tuesday, September 24, 2002 12:38 PM
Subject: [FW-1] Anti-spoofing warning
I notice that my Nokia firewall shows a warning that "The 2 interface is
not protected by the anti-spoofing feature. Your network may be at risk. In
the future, it is recommended that you define anti-spoofing protection
before installing the Security Policy." during bootup. I am using CheckPoint
VPN Pro NG. To fix this problem, can someone help me configure the
anti-spoofing on the CheckPoint NG version.
Thanks,
Ray