1. Absolute no-no. Normally, you have a stealth rule at the top of the
rule base doing the exact opposite: any to firewalls, drop.

2. 135, 139 and 445 should NOT be open, unless they are specifically
used. This is a sign that the installer did not "Harden" the servers.

3. It would probably pay to get the install reviewed by an experienced
CCSE-qualified engineer: you picked up on these, but there may be
other things that an experienced CCSE will find.

These signs are indicative of inexperience.

Cheers,

Symon
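To make point 1 concrete (and question 1 of the quoted message below), here is a toy first-match rule-base evaluator, added as an illustration and not Check Point code or anything from the original thread. The firewall and management addresses are constructed; the port list is the one from the scan in the original post.

```python
# Toy first-match rule-base evaluator, added to illustrate the ordering point
# in Symon's reply. Not Check Point code; addresses are constructed.
FIREWALLS = {"10.0.0.1", "10.0.0.2"}      # fw1, fw2 (constructed)
MGMT_STATION = "10.0.1.10"               # management station (constructed)
GATEWAY_OBJECTS = FIREWALLS | {MGMT_STATION}
SCANNED_OPEN = {21, 25, 80, 135, 139, 443, 445}   # ports listed in the scan in the post

def rule(name, src, dst, svc, action):
    return {"name": name, "src": src, "dst": dst, "svc": svc, "action": action}

def _in(value, members):
    return members == "ANY" or value in members

def evaluate(rulebase, src, dst, dport):
    """First matching rule wins, as in a FW-1 rule base; no match is an implicit drop."""
    for r in rulebase:
        if _in(src, r["src"]) and _in(dst, r["dst"]) and _in(dport, r["svc"]):
            return r["name"], r["action"]
    return "implicit-drop", "DROP"

def exposed_ports(rulebase, src, fw, open_ports=SCANNED_OPEN):
    """Which of the listening ports a given source can actually reach on a gateway."""
    return {p for p in open_ports if evaluate(rulebase, src, fw, p)[1] == "ACCEPT"}

# The rule the original poster found: ANY -> {both firewalls, management} -> ANY -> ACCEPT.
AS_INSTALLED = [
    rule("gw-any-accept", "ANY", GATEWAY_OBJECTS, "ANY", "ACCEPT"),
    rule("web-out", "ANY", "ANY", {80, 443}, "ACCEPT"),
]

# Symon's arrangement: management access first, then the stealth rule
# (any -> firewalls -> any -> drop) above every other rule.
HARDENED = [
    rule("mgmt-to-fw", {MGMT_STATION}, FIREWALLS, "ANY", "ACCEPT"),  # narrow svc in practice
    rule("stealth", "ANY", FIREWALLS, "ANY", "DROP"),
    rule("web-out", "ANY", "ANY", {80, 443}, "ACCEPT"),
]

# Same rules with the stealth rule placed too low: web-out now matches traffic to the
# gateways themselves, so 80 and 443 on the firewalls are reachable from anywhere.
STEALTH_TOO_LOW = [HARDENED[0], HARDENED[2], HARDENED[1]]

if __name__ == "__main__":
    untrusted = "203.0.113.5"   # constructed external source
    for label, rb in (("as installed", AS_INSTALLED), ("hardened", HARDENED),
                      ("stealth too low", STEALTH_TOO_LOW)):
        print(f"{label:16} reachable from {untrusted}: {sorted(exposed_ports(rb, untrusted, '10.0.0.1'))}")
```

Run as installed, every listening port on the gateways (including 135, 139 and 445) is reachable from anywhere; with the stealth rule at the top only the management station gets through.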

-----Original Message-----
From: LAN Guy [mailto:enzo_the_baker@;HOTMAIL.COM]
Sent: 21 October 2002 17:00
To: [EMAIL PROTECTED]
Subject: [FW-1] Incompetent Checkpoint Partner??


I recently engaged a CP Partner to upgrade my 4.1 firewall to a pair of
NG enforcement modules running ClusterXL. The next day when all hell
started breaking loose (VPNs not working, no SMTP traffic allowed,
interfaces bouncing), I took a look at the way the firewalls and policy
were set up and discovered what I believe to be some pretty major
no-no's.  I think I know the answers to the following questions, but I'd
appreciate opinions and a "sanity check" from some of the experts out
there on the following:


1) In a CP NG fp2 cluster running on Win2K, what would be the effect or
risk of the following rule?

ANY---{both firewalls and the management station}---ANY---ACCEPT


2) Given the previous condition, what would be the effect or risk of
having the following services running on both firewalls?

(output from port scanner):

Open Ports (7)
      21 [ Ftp ]
            220 {system name} Microsoft FTP Service (Version 5.0).
      25 [ Smtp ]
            220 {system name} Microsoft ESMTP MAIL Service, Version:
5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
      80 [ Http ]
      135 [ epmap ]
      139 [ Netbios-ssn ]
      443 [ HttpS ]
      445 [ Microsoft-Ds ]


3)  The big question: Should a CheckPoint authorized "Value Added
Solution Provider" who set up a firewall in this manner be considered
competent? This was their second attempt at this upgrade-- should I give
them another chance to get it right or cut my losses and move on?

Thanks for your input and insights.




=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================

