Some of the obvious are:
1) firewall rulebase
2) underlying OS access lists, etc.
3) next-hop router ACLs
4) anti-spoofing rules
----- Original Message -----
From: "Ramakrishnan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 01, 2002 11:01 AM
Subject: Re: [FW-1] Check point firewall open ports

> Thanks.
>
> Issues are twofold.
>
> Recommendations for hardening the box have already been given. The
> contentious ports are the FW used ports and the SecuRemote ports. Is
> there a way to restrict the FW specific ports to the internal interface?
>
> Regards
> Rama
>
> --- Lars Troen <[EMAIL PROTECTED]> wrote:
> > With some afterthought.. I don't think I would sleep too well using a
> > firewall that has been open to the internet like this. I think I would
> > have unplugged the box and given it a reinstall ASAP.
> >
> > Lars
> >
> > > -----Original Message-----
> > > From: Roelandts, Guy [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, October 01, 2002 08:06
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [FW-1] Check point firewall open ports
> > >
> > > Hi,
> > >
> > > As the others stated you need a stealth rule, but as this seems to be
> > > a Windoze box, it looks like you didn't do anything to harden it, all
> > > those 13* ports should be there. Refer to one of the hardening guides
> > > that are available a bit everywhere and disable all those unnecessary
> > > services before going any further.
> > >
> > > Met vriendelijke groeten - Bien à vous - Kind regards
> > > Guy ROELANDTS
> > > EMEA GS Internet Expertise Centre - CCSE-NG
> > > Compaq BeLux - now part of the New HP
> > > E-mail : [EMAIL PROTECTED]
> > > Tel: +32(02)729.77.44 (options 3 - 3 - 1)
> > > Fax: +32(02)729.77.65
> > >
> > > ==========================================================
> > > This message may contain confidential and/or proprietary information,
> > > and is intended only for the person/entity to whom it was originally
> > > addressed. The content of this message may contain private views and
> > > opinions which do not constitute a formal disclosure or commitment
> > > unless specifically stated. Should you receive this message by mistake
> > > please inform the sender immediately.
> > > ==========================================================
> > >
> > > -----Original Message-----
> > > From: Ramakrishnan [mailto:[EMAIL PROTECTED]]
> > > Sent: 01 October 2002 00:44
> > > To: [EMAIL PROTECTED]
> > > Subject: [FW-1] Check point firewall open ports
> > >
> > > Hi all,
> > >
> > > I did a port scan of my customer's firewall with SYN connect on TCP
> > > and UDP ports. I find that these ports are open.
> > >
> > > 135/tcp open loc-srv
> > > 135/udp open loc-srv
> > > 137/udp open netbios-ns
> > > 138/udp open netbios-dgm
> > > 139/tcp open netbios-ssn
> > > 161/udp open snmp
> > > 256/tcp open FW1-secureremote
> > > 259/tcp open esro-gen
> > > 259/udp open firewall1-rdp
> > > 262/tcp open arcisdms
> > > 264/tcp open bgmp
> > > 265/tcp open maybeFW1
> > > 500/udp open isakmp
> > > 900/tcp open unknown
> > > 1027/udp open unknown
> > > 2746/udp open unknown
> > > 4985/tcp open unknown
> > > 4986/tcp open unknown
> > > 4987/tcp open maybeveritas
> > > 4988/tcp open unknown
> > > 4989/tcp open unknown
> > > 4990/tcp open unknown
> > > 18183/tcp open unknown
> > > 18184/tcp open unknown
> > > 18187/tcp open unknown
> > > 19190/tcp open unknown
> > >
> > > I find that all these ports - barring a few - need not be open. I
> > > want to be sure that if I disable these ports on the external
> > > interface, the Management console should still work from the internal
> > > interface. My customer's firewall admin opines that these are
> > > required for the Management workstation. They do not connect the
> > > Management station from the external interface.
> > >
> > > I request the list's opinion on this. Has anybody faced this before?
> > >
> > > Regards
> > > Rama

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
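The thread's advice splits the scan results into host services to disable during OS hardening, FW-1/SecuRemote daemons that must stay but be reachable only from the internal or management side (stealth rule, anti-spoofing, router ACLs), and unknowns to investigate. The following triage script is an added example, not code from the list or from Check Point; it parses a constructed copy of the posted listing, and its port-to-category table is this example's own assumption to be checked against the gateway's actual configuration.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the scan listing quoted in the thread.
SCAN = """\
135/tcp open loc-srv
137/udp open netbios-ns
139/tcp open netbios-ssn
161/udp open snmp
256/tcp open FW1-secureremote
259/udp open firewall1-rdp
264/tcp open bgmp
500/udp open isakmp
900/tcp open unknown
18184/tcp open unknown
"""

# Assumed classification (verify against the real gateway configuration):
# host OS services -> disable while hardening the OS;
# FW-1 / SecuRemote daemons -> keep, but only reachable from the internal
# or management side via the stealth rule and upstream ACLs.
OS_SERVICE = {"135/tcp", "135/udp", "137/udp", "138/udp", "139/tcp", "161/udp"}
FW1_SERVICE = {"256/tcp", "259/tcp", "259/udp", "264/tcp", "265/tcp",
               "500/udp", "2746/udp", "18183/tcp", "18184/tcp", "18187/tcp"}

LINE = re.compile(r"^\s*(\d{1,5})/(tcp|udp)\s+open\s+(\S+)")


def parse_scan(text):
    """Return [(port/proto, service-name)] for every 'open' line."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((f"{m.group(1)}/{m.group(2)}", m.group(3)))
    return out


def triage(text, allowed_external=frozenset()):
    """Sort ports seen open from the outside into the action each needs."""
    actions = defaultdict(list)
    for pp, name in parse_scan(text):
        if pp in allowed_external:          # e.g. IKE for remote VPN users
            actions["expected"].append(pp)
        elif pp in OS_SERVICE:
            actions["disable_os_service"].append(pp)
        elif pp in FW1_SERVICE:
            actions["restrict_to_internal"].append(pp)
        else:
            actions["investigate"].append(f"{pp} ({name})")
    return dict(actions)


if __name__ == "__main__":
    for action, ports in triage(SCAN, {"500/udp"}).items():
        print(f"{action}: {', '.join(ports)}")
```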
