Comments in line
At 12:00 PM 10/21/02 -0400, you wrote:
> I recently engaged a CP Partner to upgrade my 4.1 firewall to a pair of NG
> enforcement modules running ClusterXL. The next day when all hell started
> breaking loose (VPNs not working, no SMTP traffic allowed, interfaces
> bouncing), I took a look at the way the firewalls and policy were set up and
> discovered what I believe to be some pretty major no-no's. I think I know
> the answers to the following questions, but I'd appreciate opinions and a
> "sanity check" from some of the experts out there on the following:
>
> 1) In a CP NG FP2 cluster running on Win2K, what would be the effect or risk
> of the following rule?
>
>     ANY --- {both firewalls and the management station} --- ANY --- ACCEPT
The answer depends on what is before this rule. I'll assume it is
the very first one...
(tongue firmly planted in cheek) So, why did you get a firewall?
> 2) Given the previous condition, what would be the effect or
> risk of having the following services running on both firewalls?
> (output from port scanner):
>
>     Open Ports (7)
>     21   [ Ftp ]
>          220 {system name} Microsoft FTP Service (Version 5.0).
>     25   [ Smtp ]
>          220 {system name} Microsoft ESMTP MAIL Service, Version:
>          5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
>     80   [ Http ]
>     135  [ epmap ]
>     139  [ Netbios-ssn ]
>     443  [ HttpS ]
>     445  [ Microsoft-Ds ]
Who was responsible for hardening the machines that the Firewall
was installed on, previous to Firewall installation?
Why do all of these services need to be running? A Firewall is intended to
be a dedicated device, not support the universe.
Once again (tongue firmly planted in cheek) So, why did you get a firewall?
Is this part of a Hacker challenge?
> 3) The big question: Should a CheckPoint authorized "Value Added Solution
> Provider" who set up a firewall in this manner be considered competent?
> This was their second attempt at this upgrade -- should I give them
> another chance to get it right or cut my losses and move on?
Correct it, don't pay their bill, and send them a bill at
$150/hour x the hours taken to fix it, and when they come back asking for
their money, ask if they want to contribute any additional funds for the
downtime they caused. I'd be moving on... in a hurry.
ov
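The point behind the answer to question 1 (FW-1 evaluates rules top-down, first match wins, so an ANY-to-gateways ACCEPT in the first slot makes every later stealth or drop rule for the gateways unreachable and exposes whatever is listening on them) and the check implied by question 2 (which of the scanned ports actually belong on a dedicated gateway) can be shown with a small simulation. The following is an added example, not code from the original thread or from Check Point; the host names, addresses, admin network, rule names and the "expected on a gateway" port set are all constructed assumptions, and the scan text is a copy of the output posted above.

```python
"""Added example (not from the original thread or from Check Point).

First-match rule evaluation for a FW-1 style rule base, showing the effect of
    ANY -> {fw-a, fw-b, mgmt} -> ANY -> ACCEPT
placed first, beside an assumed corrected rule base (narrow admin rule, then a
stealth rule), plus a parser for the posted port-scan output that flags
services not expected on a dedicated gateway.
All addresses, object names and the allow-list below are assumptions.
"""
import re
from ipaddress import ip_address, ip_network

ANY = "ANY"

# Constructed addresses for the two cluster members and the management station.
GATEWAY_OBJECTS = {"fw-a": "192.0.2.1", "fw-b": "192.0.2.2", "mgmt": "192.0.2.10"}
ADMIN_NET = "198.51.100.0/24"   # assumed administrator network

FW_AND_MGMT = frozenset({"fw-a", "fw-b", "mgmt"})

# Assumed minimal set of services a FW-1 NG gateway/management host should
# expose to admins (CPMI 18190, CPD 18191); verify against your own install.
EXPECTED_ON_GATEWAY = {18190, 18191}


def _match_host(spec, addr):
    """spec is ANY, a frozenset of object names, or a CIDR string."""
    if spec == ANY:
        return True
    if isinstance(spec, frozenset):
        return addr in {GATEWAY_OBJECTS[name] for name in spec}
    return ip_address(addr) in ip_network(spec)


def _match_service(spec, port):
    return spec == ANY or port in spec


def evaluate(rules, src, dst, port):
    """Top-down, first match wins; no match falls through to the implicit drop."""
    for name, rsrc, rdst, rsvc, action in rules:
        if _match_host(rsrc, src) and _match_host(rdst, dst) and _match_service(rsvc, port):
            return name, action
    return "implicit", "DROP"


# Rule base as described in question 1, with the offending rule in slot 1.
# Tuples are (name, source, destination, services, action).
AS_INSTALLED = [
    ("any-to-fw", ANY, FW_AND_MGMT, ANY, "ACCEPT"),
    ("stealth", ANY, FW_AND_MGMT, ANY, "DROP"),   # never reached for gateway traffic
    ("cleanup", ANY, ANY, ANY, "DROP"),
]

# Assumed corrected rule base: admins reach the gateways only on the
# management services; everything else aimed at the gateways is dropped.
CORRECTED = [
    ("admin-to-fw", ADMIN_NET, FW_AND_MGMT, EXPECTED_ON_GATEWAY, "ACCEPT"),
    ("stealth", ANY, FW_AND_MGMT, ANY, "DROP"),
    ("cleanup", ANY, ANY, ANY, "DROP"),
]

# Copy of the scan output posted in question 2 (banner lines included so the
# parser has to tell a port line from a "220 ..." greeting line).
SCAN_OUTPUT = """\
Open Ports (7)
21 [ Ftp ]
220 {system name} Microsoft FTP Service (Version 5.0).
25 [ Smtp ]
220 {system name} Microsoft ESMTP MAIL Service, Version:
5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
80 [ Http ]
135 [ epmap ]
139 [ Netbios-ssn ]
443 [ HttpS ]
445 [ Microsoft-Ds ]
"""

# A port line is "<port> [ <label> ]"; a banner line has no bracketed label.
PORT_LINE = re.compile(r"^\s*(\d{1,5})\s+\[\s*([^\]]+?)\s*\]")


def open_ports(text):
    """Return {port: label} for the scanner's port lines only."""
    return {int(m.group(1)): m.group(2)
            for m in map(PORT_LINE.match, text.splitlines()) if m}


def unexpected_services(text, allowed=EXPECTED_ON_GATEWAY):
    """Ports from the scan that have no business on a dedicated gateway."""
    return {p: label for p, label in open_ports(text).items() if p not in allowed}


if __name__ == "__main__":
    outsider, fw_a, mgmt = "203.0.113.7", GATEWAY_OBJECTS["fw-a"], GATEWAY_OBJECTS["mgmt"]
    for base_name, base in (("as installed", AS_INSTALLED), ("corrected", CORRECTED)):
        for port in sorted(open_ports(SCAN_OUTPUT)):
            print(base_name, outsider, "->", fw_a, port, evaluate(base, outsider, fw_a, port))
    print("admin CPMI:", evaluate(CORRECTED, "198.51.100.9", mgmt, 18190))
    print("unexpected on gateway:", unexpected_services(SCAN_OUTPUT))
```

With the rule base as installed, every one of the seven scanned ports on either cluster member is reachable from anywhere, since the first rule matches before the stealth rule is ever consulted; with the admin rule narrowed and the stealth rule placed directly after it, the same packets hit the stealth drop and only the admin network reaches the management services. The parser deliberately ignores the "220 ..." banner lines, which would otherwise be mistaken for an open port 220.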
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================