>Is there any way in FW-1 Ver 4.0 to block users from telnetting or ftp'ing
>out on port 80? Port 80 is enabled for http access, and the users need
>telnet / ftp access to our DMZ. However they are also telnetting out to
>boxes (their own outside servers) that are listening on port 80. So far
>FW-1 can't distinguish between an ftp/telnet session and an http session.
Easy: only allow external (non-DMZ) port 80 access out from an internal
proxy server, and force all users to use the proxy for internet browsing.
Better still, put a proxy into the DMZ also and chain the internal proxy off
it.

Put explicit rules in the policy such as the following (rough example):

    internal-proxy   ext-proxy       http   accept
    ext-proxy        !internal-nets  any    accept
    internal-nets    dmz-subnet      http   accept
Greg
--
Greg Hennessy
E-Security Mechanic Merrill Lynch - HSBC LTD
+44 020 7570 3046
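The rulebase above, walked through as an added example (this is not code from Greg's post or from Check Point). It models the three rules with first-match semantics and an implicit cleanup drop for anything unmatched, which is how a FW-1 rulebase is evaluated top-down; the address plan (10.0.0.0/8 for internal-nets, 192.0.2.0/24 for the DMZ, and one host in each for the two proxies) is constructed for the example. The point it makes visible is that a user on the internal net who opens a raw TCP session to an outside server on port 80 matches no rule and is dropped, even though the firewall itself cannot tell telnet from HTTP on that port: the only path to the internet on port 80 runs through the proxies, which speak HTTP and nothing else.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption: the post names objects only, not addresses).
OBJECTS = {
    "internal-nets": [ipaddress.ip_network("10.0.0.0/8")],
    "dmz-subnet": [ipaddress.ip_network("192.0.2.0/24")],
    "internal-proxy": [ipaddress.ip_network("10.0.0.10/32")],   # hypothetical host
    "ext-proxy": [ipaddress.ip_network("192.0.2.10/32")],       # hypothetical host
}

# Service objects: a set of destination ports, or None for "any".
SERVICES = {"http": {80}, "telnet": {23}, "ftp": {21}, "any": None}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str
    action: str


# The three rules from the post, in the order given (first match wins).
RULEBASE = [
    Rule("internal-proxy", "ext-proxy", "http", "accept"),
    Rule("ext-proxy", "!internal-nets", "any", "accept"),
    Rule("internal-nets", "dmz-subnet", "http", "accept"),
]


def _matches_object(obj: str, addr: str) -> bool:
    """True if addr falls inside the named object; a leading '!' negates."""
    negate = obj.startswith("!")
    name = obj.lstrip("!")
    ip = ipaddress.ip_address(addr)
    hit = True if name == "any" else any(ip in net for net in OBJECTS[name])
    return not hit if negate else hit


def _matches_service(service: str, dport: int) -> bool:
    ports = SERVICES[service]
    return ports is None or dport in ports


def evaluate(src: str, dst: str, dport: int):
    """Return (action, rule_number) for a new TCP connection.

    Rules are tried top-down; the first match decides. Anything that matches
    no rule is dropped by the implicit cleanup rule (rule_number is None).
    """
    for number, rule in enumerate(RULEBASE, start=1):
        if (_matches_object(rule.src, src)
                and _matches_object(rule.dst, dst)
                and _matches_service(rule.service, dport)):
            return rule.action, number
    return "drop", None


if __name__ == "__main__":
    # A user telnetting straight to an outside box on port 80: no rule matches.
    print(evaluate("10.1.2.3", "198.51.100.7", 80))
    # The sanctioned path: internal proxy -> DMZ proxy -> internet.
    print(evaluate("10.0.0.10", "192.0.2.10", 80))
    print(evaluate("192.0.2.10", "198.51.100.7", 80))
    # The DMZ proxy cannot initiate connections back into the internal nets.
    print(evaluate("192.0.2.10", "10.1.2.3", 80))
```

Running the four cases shows the direct outbound session dropped by the cleanup rule, the two proxy hops accepted by rules 1 and 2, and the DMZ proxy unable to reach back into internal-nets because of the negated destination in rule 2. Note that, taken literally, the rough rulebase also drops telnet and ftp from internal-nets to the DMZ, which the original question said users need; a rule for those services to dmz-subnet would have to be added alongside rule 3.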