-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
One thing I like to put in my rules is to reject outgoing NetBIOS
traffic (even though the binding is disabled). I have seen cases
where, even with the binding disabled, it would leak some packets
(I don't remember if it was an nbname lookup or an announcement). I
have since then just made it a rule :) That applies, of course, to NT
only.
Secondly, without the outgoing filtering on the external I/F, you
cannot catch any illegitimate traffic originating from your firewall.
If someone is able to sneak a trojan onto the firewall, it would show
up in the FW logs (as well as in your, hopefully present,
Intact/TripWire logs).
In addition, if you have a VPN that terminates on the firewall, and
you want to enforce outgoing traffic, don't you need to have the
enforcement set to eitherbound since the traffic originates from the
firewall?
Regards,
Frank
> -----Original Message-----
> From: Carric Dooley [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 14, 2000 12:46 PM
>
> My understanding of eitherbound is that it determines on which
> interface the policy is applied to the traffic. Example:
>
> If you have IF_A as your internal interface and IF_B as your
> external, and you set your policy to "Inbound", packets coming from
> the public network would be filtered at IF_B (the inbound interface
> for that direction). An outbound policy would evaluate the traffic
> from the outside at IF_A as the traffic leaves the firewall.
> "Eitherbound" means the packets have to pass through the policy at
> BOTH interfaces, doubling the amount of work for the firewall (at
> least from a policy perspective) for each packet. This is the most
> secure, but if you are pushing a lot of traffic, not ideal. I would
> typically set that property to "inbound" myself. If you set it to
> "outbound", a DoS (from the outside) would affect the firewall
> itself because the traffic is not analyzed until it hits the
> internal interface (IF_A). Eitherbound is overkill in a lot of
> situations, but inbound means that if someone attacks the firewall,
> it has to make it through the policy, and the same would apply for
> traffic from the internal network out (evaluated before it passes
> through the firewall).
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.
iQA/AwUBOZgya0RKym0LjhFcEQJ4gwCfUtH7EEPDoGC9UaGjZWr3jJmpCEAAnR9E
rMtxNdIpf4lQo5e5JB/9TSrA
=zqSA
-----END PGP SIGNATURE-----
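A small Python model of the direction-setting behaviour both messages describe, added here as an illustration; it is not code from either poster and not Check Point code. The interface names IF_A/IF_B come from the thread; the addresses, the zone split and the four-rule rule base are assumptions chosen to exercise the cases mentioned above: an attack aimed at the gateway itself, NetBIOS leaking from the gateway, VPN traffic originating on the gateway, and ordinary internal-to-external traffic.

```python
"""Toy model of how the rule-base direction setting ("inbound", "outbound",
"eitherbound") decides where, and whether, a packet is inspected.
Constructed illustration for this thread; not Check Point code.  The
addresses, interface names and rule base below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_IF, EXTERNAL_IF = "IF_A", "IF_B"          # names used in the thread
INSIDE_NET = ip_network("10.0.0.0/24")              # assumed internal network
FW_ADDRS = {ip_address("10.0.0.1"), ip_address("198.51.100.1")}  # gateway's own IPs (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in FW_ADDRS:
        return "firewall"
    return "inside" if a in INSIDE_NET else "outside"


def hops(pkt: Packet):
    """(interface, direction) events the packet produces on the gateway,
    in traversal order.  Locally generated traffic never *enters* an
    interface; traffic addressed to the gateway never *leaves* one."""
    s, d = zone(pkt.src), zone(pkt.dst)
    events = []
    if s == "inside":
        events.append((INTERNAL_IF, "inbound"))
    elif s == "outside":
        events.append((EXTERNAL_IF, "inbound"))
    if d == "inside":
        events.append((INTERNAL_IF, "outbound"))
    elif d == "outside":
        events.append((EXTERNAL_IF, "outbound"))
    return events


# Assumed rule base: first match wins, implicit cleanup rule = drop.
# The first two rules are the "reject NetBIOS" rule from the message above:
# UDP 137/138 (name service / datagram) and TCP 139 (session), from anywhere,
# including the gateway itself.
RULES = [
    {"src": "any", "dst": "any", "proto": "udp", "dports": {137, 138}, "action": "reject"},
    {"src": "any", "dst": "any", "proto": "tcp", "dports": {139}, "action": "reject"},
    {"src": "inside", "dst": "outside", "proto": "tcp", "dports": {80, 443}, "action": "accept"},
    # VPN terminating on the gateway: IKE originates from the firewall itself
    {"src": "firewall", "dst": "outside", "proto": "udp", "dports": {500}, "action": "accept"},
]


def lookup(pkt: Packet) -> str:
    for r in RULES:
        if (r["src"] in ("any", zone(pkt.src)) and r["dst"] in ("any", zone(pkt.dst))
                and r["proto"] == pkt.proto and pkt.dport in r["dports"]):
            return r["action"]
    return "drop"


def enforce(pkt: Packet, mode: str):
    """Return (verdict, interfaces where the policy actually ran).
    'uninspected' means the packet crossed the gateway without ever
    meeting the rule base under this direction setting."""
    assert mode in ("inbound", "outbound", "eitherbound")
    checked = []
    for iface, direction in hops(pkt):
        if mode != "eitherbound" and direction != mode:
            continue
        checked.append(iface)
        verdict = lookup(pkt)
        if verdict != "accept":
            return verdict, checked     # stopped at this interface
    return ("accept" if checked else "uninspected"), checked


if __name__ == "__main__":
    scenarios = {
        "outside -> gateway ssh (DoS on the firewall)": Packet("203.0.113.9", "198.51.100.1", "tcp", 22),
        "gateway -> outside NetBIOS leak": Packet("198.51.100.1", "203.0.113.9", "udp", 137),
        "gateway -> VPN peer IKE": Packet("198.51.100.1", "203.0.113.9", "udp", 500),
        "inside -> outside http": Packet("10.0.0.5", "203.0.113.9", "tcp", 80),
    }
    for name, pkt in scenarios.items():
        for mode in ("inbound", "outbound", "eitherbound"):
            print(f"{name:46s} {mode:12s} -> {enforce(pkt, mode)}")
```

Running it prints the verdict for each scenario under each setting: with "inbound" the gateway's own NetBIOS and IKE packets are never inspected, with "outbound" a packet aimed at the gateway itself is never inspected, and only "eitherbound" runs the rule base at both IF_A and IF_B for transit traffic, which is the doubled work the reply mentions.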
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================