Use a negated internal object instead. For example, let's say this is
your current Internet access rule:
SRC           DEST               PROTOCOL
internal-net  ANY                HTTP,FTP,HTTPS,SMTP
Change it to something more like:
SRC           DEST               PROTOCOL
internal-net  NOT(internal-net)  HTTP,FTP,HTTPS,SMTP
I know it seems trivial, but it does make a difference in the way that
the exploits abuse the state table as well as multicast broadcasts.
Also, it's very important that you don't give outbound Internet access
to machines that don't need it. For example, www.yourdmzwebsite.com
should have no reason to need to use HTTP/FTP/IRC/etc. TO the Internet.
A lot of people make the mistake of allowing outbound access from web
servers, etc. that really don't need it, and this can be significantly
abused by an attacker. Another common mistake would be to use an
outbound internet rule that blindly allows all protocols out. That can
get you into huge amounts of trouble as well. Hope this helps (sorry
for the rant...), let me know if I can be of further assistance.
Jason
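As an added illustration (not part of Jason's post or any Check Point code), here is a small first-match policy evaluator that models the two rule bases above and the "no outbound access for DMZ servers" point. The address ranges (10.0.0.0/8 as internal-net, 192.0.2.0/24 as a DMZ) and the implicit cleanup drop are assumptions made for the example; the point it shows is simply which flows each rule actually matches: with DEST = ANY, the rule also accepts internal-to-internal traffic, while NOT(internal-net) limits it to flows that genuinely leave the internal network.

```python
"""Toy first-match firewall policy evaluator (added example, not from the list post).

Models the two versions of the outbound Internet rule discussed above:
  loose: SRC internal-net  DST ANY                PROTO http,ftp,https,smtp
  tight: SRC internal-net  DST NOT(internal-net)  PROTO http,ftp,https,smtp
Network ranges are constructed sample values, not from the original message.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed "internal-net" object
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")      # constructed DMZ range (TEST-NET-1)
WEB_SERVICES = frozenset({"http", "ftp", "https", "smtp"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[ipaddress.IPv4Network]   # None models the ANY object
    dst: Optional[ipaddress.IPv4Network]
    services: frozenset
    action: str = "accept"
    dst_negated: bool = False              # True models NOT(dst) in the rule base


def _field_matches(net, addr, negated=False):
    """ANY matches everything; a negated object matches when addr lies outside it."""
    if net is None:
        return True
    inside = addr in net
    return (not inside) if negated else inside


def evaluate(rules, src, dst, service):
    """Return (rule name, action) of the first matching rule.

    Traffic that matches nothing falls through to an assumed implicit cleanup drop.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if (_field_matches(rule.src, src_ip)
                and _field_matches(rule.dst, dst_ip, rule.dst_negated)
                and service in rule.services):
            return rule.name, rule.action
    return "cleanup", "drop"


# The "before" rule base: DEST is ANY.
LOOSE_POLICY = [Rule("internet-out", INTERNAL_NET, None, WEB_SERVICES)]
# The "after" rule base: DEST is NOT(internal-net).
TIGHT_POLICY = [Rule("internet-out", INTERNAL_NET, INTERNAL_NET, WEB_SERVICES,
                     dst_negated=True)]


def compare(src, dst, service):
    """Return (loose action, tight action) for one flow."""
    return (evaluate(LOOSE_POLICY, src, dst, service)[1],
            evaluate(TIGHT_POLICY, src, dst, service)[1])


if __name__ == "__main__":
    flows = [
        ("10.1.1.5", "203.0.113.7", "http"),    # internal host to Internet: both accept
        ("10.1.1.5", "10.2.2.9", "http"),       # internal to internal: only ANY accepts
        ("192.0.2.10", "203.0.113.7", "http"),  # DMZ web server outbound: no rule, dropped
        ("10.1.1.5", "203.0.113.7", "irc"),     # service not listed: dropped by both
    ]
    for src, dst, svc in flows:
        loose, tight = compare(src, dst, svc)
        print(f"{src:>12} -> {dst:<12} {svc:<5} loose={loose:<6} tight={tight}")
```

Run it as a script to see the four sample flows side by side; the second line is the one that matters, since the DEST = ANY version is the only one that accepts a flow that never leaves internal-net.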
Cedric Amand wrote:
>
> Hello Jason,
>
> JW> have spoof protection enabled, never allow "ANY" objects in your source
> JW> or destination fields,
>
> How do you do a service accessible to anyone then ?
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================