If you use the security servers (ftp, http, smtp),
there is an additional issue with eitherbound. The
communication between client and security server
(firewall) would be handled as inbound, but the
traffic from the security server to the destination
server would be outbound. This could require extra
rules.

Also be aware that if you specify individual targets
to install the rule on, rather than the gateways
group, that traffic is handled as eitherbound
regardless of your 'global' setting.

We have run FW-1 4.0 SP1 and SP5; I cannot speak to
4.1/2000.

Larry
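The direction semantics argued over in this thread (the manual text Frank quotes, Carric's per-interface description, and Larry's two caveats about security servers and per-target installation) are easy to get wrong by reading alone, so here is an added, constructed model of them in Python. It is not Check Point code and not from anyone on the list: the interface names, the firewall address, the services and the rulebase are assumptions, and the outbound-leg behaviour follows the manual wording quoted below (a packet leaving the gateway passes only via the Accept Outgoing Packets property or via an eitherbound rule match). Larry's statement that rules installed on individual targets are handled as eitherbound is modelled as he states it.

```python
"""Model of FireWall-1 rule-enforcement direction (inbound / outbound / eitherbound)
following the manual text quoted in this thread.  Added, constructed example, not
Check Point code: interface names, addresses, services and the rulebase are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "any"
FW_ADDR = "192.0.2.1"       # the firewall's own address (assumed)
EXT, INT = "le0", "le1"     # external / internal interface names (assumed)

@dataclass
class Rule:
    src: str       # CIDR or ANY
    dst: str
    service: str   # service name or ANY
    action: str    # "accept" or "drop"

@dataclass
class Packet:
    src: str
    dst: str
    service: str
    ingress: Optional[str]   # arriving interface; None if the firewall created the packet
    egress: Optional[str]    # leaving interface; None if the firewall is the destination

@dataclass
class Policy:
    rules: List[Rule]
    direction: str = "inbound"        # "inbound", "outbound" or "eitherbound"
    accept_outgoing: bool = True      # the "Accept Outgoing Packets" property
    per_target_install: bool = False  # rules installed on named targets, not the Gateways group

def _in(addr: str, spec: str) -> bool:
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(rules: List[Rule], pkt: Packet):
    """(rule number, action) of the first matching rule; (None, 'drop') is the implicit cleanup."""
    for n, r in enumerate(rules, 1):
        if _in(pkt.src, r.src) and _in(pkt.dst, r.dst) and r.service in (ANY, pkt.service):
            return n, r.action
    return None, "drop"

def evaluate(pkt: Packet, pol: Policy):
    """Walk one packet through the gateway; return (verdict, per-leg trace)."""
    # Larry's caveat: rules installed on individual targets are enforced eitherbound regardless.
    direction = "eitherbound" if pol.per_target_install else pol.direction
    enforce_in = direction in ("inbound", "eitherbound")
    enforce_out = direction in ("outbound", "eitherbound")
    trace = []
    if pkt.ingress is not None:                    # inbound leg: packet enters an interface
        if enforce_in:
            n, act = first_match(pol.rules, pkt)
            trace.append(("in", pkt.ingress, f"rule {n}" if n else "cleanup", act))
            if act == "drop":
                return "drop", trace
        else:
            trace.append(("in", pkt.ingress, "not inspected", "pass"))
    if pkt.egress is not None:                     # outbound leg: packet leaves an interface
        if enforce_out:
            n, act = first_match(pol.rules, pkt)
            trace.append(("out", pkt.egress, f"rule {n}" if n else "cleanup", act))
            if act == "drop":
                return "drop", trace
        elif pol.accept_outgoing:
            trace.append(("out", pkt.egress, "Accept Outgoing Packets", "pass"))
        else:  # manual: without that property only an eitherbound rule match lets it leave
            trace.append(("out", pkt.egress, "no outbound enforcement", "drop"))
            return "drop", trace
    return "accept", trace

RULES = [
    Rule("10.0.0.0/8", ANY, "http", "accept"),     # internal clients may browse
    Rule(ANY, FW_ADDR + "/32", "http", "accept"),  # HTTP security server: client connects to the firewall
    Rule(ANY, ANY, ANY, "drop"),                   # explicit cleanup
]

def firewall_originated(direction, accept_outgoing=True, per_target_install=False):
    """Frank's case: a packet the firewall itself sends out (e.g. authentication traffic)."""
    pkt = Packet(FW_ADDR, "198.51.100.7", "auth", ingress=None, egress=EXT)
    return evaluate(pkt, Policy(RULES, direction, accept_outgoing, per_target_install))

def security_server_legs(direction, fw_to_server_rule=False):
    """Larry's case: a proxied HTTP session is two flows, one inbound and one outbound."""
    extra = [Rule(FW_ADDR + "/32", ANY, "http", "accept")] if fw_to_server_rule else []
    pol = Policy(RULES[:-1] + extra + RULES[-1:], direction)
    client_to_fw = Packet("10.1.2.3", FW_ADDR, "http", ingress=INT, egress=None)
    fw_to_server = Packet(FW_ADDR, "198.51.100.7", "http", ingress=None, egress=EXT)
    return evaluate(client_to_fw, pol)[0], evaluate(fw_to_server, pol)[0]

if __name__ == "__main__":
    for d in ("inbound", "eitherbound"):
        print(d, firewall_originated(d))
        print(d, security_server_legs(d), security_server_legs(d, fw_to_server_rule=True))
```

Running it shows the two points of the thread side by side: with "inbound", a packet the firewall itself generates is never matched against the rulebase and leaves purely on the Accept Outgoing Packets property, whereas "eitherbound" evaluates it on the way out and the cleanup rule drops it. For the security server, the client-to-firewall leg is accepted inbound under both settings, but under "eitherbound" the firewall-to-server leg hits the cleanup rule until a rule for traffic sourced from the firewall is added, which is the "extra rules" Larry refers to. Setting per_target_install forces the eitherbound path regardless of the direction argument.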


--- Robert MacDonald <[EMAIL PROTECTED]> wrote:
> 
> Wouldn't installing an IDS outside the fw, be
> setting yourself up for alert hell? I would rather
> setup the IDS inside(agent or network based)
> the fw to monitor that which was allowed, so
> I could detect attacks that made it through.
> 
> Your thoughts?
> 
> Robert
> 
> - -
> Robert P. MacDonald, Network Engineer
> e-Business Infrastructure
> G o r d o n   F o o d    S e r v i c e
> Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
> 
> >>> "Carric Dooley" <[EMAIL PROTECTED]> 8/17/00
> 10:57:07 PM >>>
> >
> >makes a good case for installing IDS outside your
> firewall, does it not?
> >=)
> >
> >----- Original Message -----
> >From: "Frank Knobbe" <[EMAIL PROTECTED]> 
> >To: "'Carric Dooley'" <[EMAIL PROTECTED]>; 
> ><[EMAIL PROTECTED]> 
> >Sent: Wednesday, August 16, 2000 3:26 PM
> >Subject: RE: [FW1] Inbound, outbound, or
> eitherbound?
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hmmm... I just read again in the FW-1 manual
> following on Accept
> >> Outgoing Packets:
> >>
> >> Accept Outgoing Packets - Accept all outgoing
> packets (from the
> >> Firewall, not from the internal network).
> >>
> >> On gateways, rules are usually enforced in the
> inbound direction
> >> only. When a packet passing through the gateway
> leaves the gateway,
> >> it will be allowed to pass only if one of the
> following conditions is
> >> true:
> >>
> >> * The Accept Outgoing Packets property is
> checked.
> >> * Rules are enforced both directions
> (eitherbound), and there is a
> >> rule which allowed the packet to leave the
> gateway.
> >>
> >> Then it references the drawing and additional
> information in the
> >> Architecture manual, which basically states what
> you have written.
> >>
> >> Given that, am I the only one feeling
> uncomfortable with Inbound only
> >> since packets originating from the firewall to
> the outside would go
> >> unchecked? Assuming that usually (!) nothing is
> running on the
> >> firewall and no user is working on it, there are
> still packets that
> >> the FW itself creates and sends out, as in
> authentication and VPN
> >> traffic. Wouldn't it be possible for exploits to
> go unnoticed if no
> rules have been set to monitor/filter outgoing
> data? In order to
> >> enforce those rules, Eitherbound would need to be
> selected.
> >>
> >> Am I just too paranoid, or does anyone else think
> it might be a good
> >> idea to keep an eye on traffic leaving the
> firewall, and hence use
> >> Eitherbound?
> >>
> >> Regards,
> >> Frank
> >>
> >> > -----Original Message-----
> >> > From: Carric Dooley [mailto:[EMAIL PROTECTED]]
> 
> >> > Sent: Monday, August 14, 2000 12:46 PM
> >> > To: Frank Knobbe; 'Padden, Greg';
> >> > [EMAIL PROTECTED] 
> >> > Subject: Re: [FW1] Inbound, outbound, or
> eitherbound?
> >> >
> >> >
> >> > My understanding of eitherbound is on which
> interface the
> >> > policy is applied
> >> > to the traffic.... example:
> >> >
> >> > If you have IF_A as your internal interface,
> and IF_B as
> >> > your external, if
> >> > you set your policy for "Inbound", packets
> coming from the
> >> > public network
> >> > would be filtered at IF_B (the inbound
> interface for that
> >> > direction).  An
> >> > outbound policy would evaluate the traffic from
> the outside
> >> > at IF_A as the
> >> > traffic leaves the firewall.  "Eitherbound"
> means the packets
> >> > have to pass
> >> > through the policy at BOTH interfaces doubling
> the amount of
> >> > work for the
> >> > firewall (at least from policy perspective) for
> each packet.
> >> > This is the
> >> > most secure, but if you are pushing a lot of
> traffic, not
> >> > ideal.  I would
> >> > typically set that property for "inbound"
> myself.  If you set it
> >> > for "outbound" a DoS (from the outside) would
> affect the firewall
> >> > itself because the traffic is not analyzed
> until it hits the
> >> > internal interface (IF_A). Eitherbound is
> overkill in a lot of
> >> > situations, but inbound means if someone
> attacks the firewall, it
> >> > has to make it through the policy, and the
> same would apply for
> >> > traffic from the internal network out
> (evaluated before it passes
> >> > through the firewall).
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================