Unless you have a requirement or a compelling reason, you would never use a rule as in #1. Using "any" as a catchall is a poor setup, especially with your firewalls. That is like begging for problems.
As far as #2, it looks like they did a default install of 2000 (IIS and all), which is a gigantic no-no. This is a gray area for a consultant, though. Best practices would dictate that they should harden 2000 and remove unnecessary services and software (like IIS). However, they may take the line that hardening the OS is an "extra service". It seems that whoever set up your solution is new to Checkpoint and security or did not finish the job. If they claim that is a completed solution, you should find someone else for your security work, immediately.

-----Original Message-----
From: LAN Guy [mailto:enzo_the_baker@;HOTMAIL.COM]
Sent: Monday, October 21, 2002 12:00 PM
To: [EMAIL PROTECTED]
Subject: [FW-1] Incompetent Checkpoint Partner??

I recently engaged a CP Partner to upgrade my 4.1 firewall to a pair of NG enforcement modules running ClusterXL. The next day, when all hell started breaking loose (VPNs not working, no SMTP traffic allowed, interfaces bouncing), I took a look at the way the firewalls and policy were set up and discovered what I believe to be some pretty major no-no's. I think I know the answers to the following questions, but I'd appreciate opinions and a "sanity check" from some of the experts out there on the following:

1) In a CP NG FP2 cluster running on Win2K, what would be the effect or risk of the following rule?

   ANY---{both firewalls and the management station}---ANY---ACCEPT

2) Given the previous condition, what would be the effect or risk of having the following services running on both firewalls? (output from port scanner):

   Open Ports (7)
   21  [ Ftp ]         220 {system name} Microsoft FTP Service (Version 5.0).
   25  [ Smtp ]        220 {system name} Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
   80  [ Http ]
   135 [ epmap ]
   139 [ Netbios-ssn ]
   443 [ HttpS ]
   445 [ Microsoft-Ds ]

3) The big question: Should a CheckPoint authorized "Value Added Solution Provider" who set up a firewall in this manner be considered competent? This was their second attempt at this upgrade -- should I give them another chance to get it right or cut my losses and move on?

Thanks for your input and insights.

=================================================
To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
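The two problems the thread turns on (an Any/Any ACCEPT rule whose destination is the firewall and management objects, and a default Win2K install leaving IIS, SMTP and the NetBIOS/RPC ports listening on the gateway) are easy to check for mechanically. The script below is an added example written for this page, not code from either poster or from Check Point. The rulebase, the object names (fw-a, fw-b, mgmt, gui-clients, dmz-web) and the set of ports an NG enforcement module is assumed to legitimately listen on are illustrative assumptions; the port-scan listing is the one quoted in the original post, embedded as a constant so the script runs offline.

```python
import re
from dataclasses import dataclass

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    """One rulebase entry. Source, destination and service are sets of object
    names; ANY stands for the built-in Any object."""
    number: int
    source: frozenset
    destination: frozenset
    service: frozenset
    action: str  # "accept" or "drop"


def _is_any(objs):
    return ANY in objs


def find_catchall_to_firewall(rules, firewall_objects):
    """Numbers of rules that accept Any source / Any service to a firewall or
    management object (question 1 of the post): every host that can reach the
    gateway can then reach every service listening on it."""
    hits = []
    for r in rules:
        if (r.action == "accept"
                and _is_any(r.source) and _is_any(r.service)
                and (_is_any(r.destination) or r.destination & firewall_objects)):
            hits.append(r.number)
    return hits


def has_stealth_rule(rules, firewall_objects):
    """True when the first rule matching Any source / Any service to the
    firewall objects drops the traffic (a stealth rule) rather than accepting it."""
    for r in rules:
        touches_fw = _is_any(r.destination) or bool(r.destination & firewall_objects)
        if touches_fw and _is_any(r.source) and _is_any(r.service):
            return r.action == "drop"
    return False


# Constructed rulebase with assumed object names; rule 1 is the rule from the post.
FIREWALL_OBJECTS = frozenset({"fw-a", "fw-b", "mgmt"})
RULEBASE = [
    Rule(1, frozenset({ANY}), FIREWALL_OBJECTS, frozenset({ANY}), "accept"),
    Rule(2, frozenset({"gui-clients"}), frozenset({"mgmt"}), frozenset({"CPMI"}), "accept"),
    Rule(3, frozenset({ANY}), frozenset({"dmz-web"}), frozenset({"http"}), "accept"),
]

# Assumed allowlist: TCP ports an NG enforcement module is expected to expose
# (FW1, FW1_clntauth, FW1_topo, CPD, CPD_amon, FW1_ica_push). Tune per deployment.
EXPECTED_GATEWAY_PORTS = frozenset({256, 259, 264, 18191, 18192, 18211})

# Matches scanner lines such as "21 [ Ftp ] 220 ...banner..." or "80 [ Http ]".
SCAN_LINE = re.compile(r"^\s*(\d+)\s+\[\s*([^\]]+?)\s*\]\s*(.*?)\s*$")


def parse_scan(text):
    """Return (port, service_name, banner) for each open-port line; header
    lines such as 'Open Ports (7)' are skipped."""
    results = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            results.append((int(m.group(1)), m.group(2), m.group(3)))
    return results


def unexpected_listeners(scan_text, expected=EXPECTED_GATEWAY_PORTS):
    """(port, service_name, banner_disclosed) for every open port a gateway
    should not be offering (question 2 of the post)."""
    return [(port, name, bool(banner))
            for port, name, banner in parse_scan(scan_text)
            if port not in expected]


# The port-scanner output quoted in the original post, used here as sample input.
SCAN_OUTPUT = """\
Open Ports (7)
21 [ Ftp ] 220 {system name} Microsoft FTP Service (Version 5.0).
25 [ Smtp ] 220 {system name} Microsoft ESMTP MAIL Service, Version: 5.0.2195.4905 ready at Wed, 9 Oct 2002 12:56:58 -0400
80 [ Http ]
135 [ epmap ]
139 [ Netbios-ssn ]
443 [ HttpS ]
445 [ Microsoft-Ds ]
"""

if __name__ == "__main__":
    print("catch-all accept rules to the firewall:",
          find_catchall_to_firewall(RULEBASE, FIREWALL_OBJECTS))
    print("stealth rule present:", has_stealth_rule(RULEBASE, FIREWALL_OBJECTS))
    for port, name, banner in unexpected_listeners(SCAN_OUTPUT):
        note = " (banner discloses product and version)" if banner else ""
        print(f"  unexpected listener {port}/tcp [{name}]{note}")
```

Run against the constructed rulebase the linter reports rule 1 as a catch-all accept to the firewall and no stealth rule; run against the quoted scan it flags all seven ports, and notes that the FTP and SMTP banners give away the exact Microsoft service versions. The allowlist is the part you would adapt: a management station exposes a different set of Check Point ports than an enforcement module, so lint each host type against its own list.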
