1 - implies no stealth rule since the port scanner was able to get results.
2 - "any accept" rules are IMHO sloppy & dangerous
3 - win2K server install was not hardened..
first 1 is worst IMHO.. FW should not be taking conn from anything except a mgt server, and then only on FW1 ports...
2 is maybe inexperience, but is still bad.
3 could have been a budget issue? but trying to keep an open mind. Have seen many consultants who don't quote the "full" cost of "best practice" install bc they are afraid of not getting the gig.
They should bring this cost to your attention however, and with the NSA scripts available etc it is not as bad as it might be to do the hardening. This is not too good either.. either inexperience or poor judgement.
my 2 cents - have them come in.. tech and your acct rep and lay this out for them and see what they say. and take it from there..
>>> LAN Guy <[EMAIL PROTECTED]> 10/21/02 12:00PM >>>
I recently engaged a CP Partner to upgrade my 4.1 firewall to a pair of NG
enforcement modules running ClusterXL. The next day when all hell started
breaking loose (VPNs not working, no SMTP traffic allowed, interfaces
bouncing), I took a look at the way the firewalls and policy were set up and
discovered what I believe to be some pretty major no-no's. I think I know
the answers to the following questions, but I'd appreciate opinions and a
"sanity check" from some of the experts out there on the following:
1) In a CP NG fp2 cluster running on Win2K, what would be the effect or risk
of the following rule?
ANY---{both firewalls and the management station}---ANY---ACCEPT
2) Given the previous condition, what would be the effect or
risk of having the following services running on both firewalls?
(output from port scanner):
Open Ports (7)
21 [ Ftp ]
220 {system name} Microsoft FTP Service (Version 5.0).
25 [ Smtp ]
220 {system name} Microsoft ESMTP MAIL Service, Version:
5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
80 [ Http ]
135 [ epmap ]
139 [ Netbios-ssn ]
443 [ HttpS ]
445 [ Microsoft-Ds ]
3) The big question: Should a CheckPoint authorized "Value Added Solution
Provider" who set up a firewall in this manner be considered competent?
This was their second attempt at this upgrade-- should I give them another
chance to get it right or cut my losses and move on?
Thanks for your input and insights.
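Added example (not from either poster): a small Python audit of a simplified rulebase for the two problems the reply calls out, an any-source ACCEPT that reaches the firewalls or the management station, and no stealth rule protecting them. The object names, the management-service allowlist and the rule model are constructed assumptions, not Check Point's own API.

```python
"""Audit a simplified, constructed rulebase for gateway-exposure problems:
any-source ACCEPT rules whose destination includes the gateways or the
management station, ACCEPTs to those objects that allow non-management
services, and the absence of a stealth rule. First match wins, top-down."""
from dataclasses import dataclass

GATEWAYS = frozenset({"fw-a", "fw-b", "mgmt"})     # constructed: two modules + mgmt station
MGMT_SERVICES = frozenset({"FW1", "FW1_mgmt", "CPD"})  # constructed allowlist of FW-1 mgmt services
ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    number: int
    source: frozenset       # object names, or ANY
    destination: frozenset
    service: frozenset
    action: str             # "accept" or "drop"


def rule(number, src, dst, svc, action):
    """Convenience constructor taking plain iterables of names."""
    return Rule(number, frozenset(src), frozenset(dst), frozenset(svc), action)


def touches_gateway(objs):
    return objs == ANY or bool(objs & GATEWAYS)


def is_stealth(r):
    """Stealth rule: any source, any service, destination = gateways, DROP."""
    return (r.action == "drop" and r.source == ANY and r.service == ANY
            and bool(r.destination) and r.destination <= GATEWAYS)


def audit(rules):
    """Return (rule number, finding) pairs; number 0 means a rulebase-wide finding."""
    findings, stealth_at = [], None
    for r in sorted(rules, key=lambda x: x.number):
        if is_stealth(r):
            stealth_at = stealth_at or r.number
            continue
        if r.action != "accept" or not touches_gateway(r.destination):
            continue
        if r.source == ANY:   # the rule from the post: ANY -> {fws, mgmt} -> ANY -> ACCEPT
            findings.append((r.number, "any-source ACCEPT reaches firewall/mgmt objects"))
        elif not r.service <= MGMT_SERVICES:
            findings.append((r.number, "ACCEPT to firewall/mgmt allows non-management services"))
        if stealth_at is not None:   # below the stealth rule it never matches for the gateways
            findings.append((r.number, "ACCEPT to gateway is shadowed by the stealth rule"))
    if stealth_at is None:
        findings.append((0, "no stealth rule: gateways accept whatever later rules allow"))
    return findings
```

The hardened shape is a management-host ACCEPT restricted to the FW-1 services, immediately followed by the any/any DROP to the gateway objects.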
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================