I recently engaged a CP Partner to upgrade my 4.1 firewall to a pair of NG
enforcement modules running ClusterXL. The next day when all hell started
breaking loose (VPNs not working, no SMTP traffic allowed, interfaces
bouncing), I took a look at the way the firewalls and policy were set up and
discovered what I believe to be some pretty major no-no's. I think I know
the answers to the following questions, but I'd appreciate opinions and a
"sanity check" from some of the experts out there on the following:

1) In a CP NG fp2 cluster running on Win2K, what would be the effect or risk
of the following rule?

ANY---{both firewalls and the management station}---ANY---ACCEPT

2) Given the previous condition, what would be the effect or
risk of having the following services running on both firewalls?
(output from port scanner):

Open Ports (7)
21 [ Ftp ]
    220 {system name} Microsoft FTP Service (Version 5.0).
25 [ Smtp ]
    220 {system name} Microsoft ESMTP MAIL Service, Version:
    5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
80 [ Http ]
135 [ epmap ]
139 [ Netbios-ssn ]
443 [ HttpS ]
445 [ Microsoft-Ds ]

3) The big question: Should a CheckPoint authorized "Value Added Solution
Provider" who set up a firewall in this manner be considered competent?
This was their second attempt at this upgrade-- should I give them
another chance to get it right or cut my losses and move on?

Thanks for your input and insights.