The topo request will expose your addressing behind your firewall to the world, but only if you have
selected the "respond to unauthenticated topo requests" checkbox from what I have been told.
I am unconvinced.
 
I think the "accept firewall-1 control connections" implied rule checkbox presents a problem as well.
Turn it on, then look at implied rules.
You will see a rule "any, fw1 host, fw1_topo, accept".
 
What I recommend is to first have the implied rule enabled (you have to in order to have the mgmt server
communicate with the enforcement servers during installation). Then put rules in place at the top of the rule base
to allow the firewall-1 components to talk to each other as needed, THEN turn off the implied rule.
This way you can lock down the actual sources allowed to do fw1_topo requests.
 
Anyone think this is a good/bad idea?
(you definitely need to make sure your rules are properly defined or you will be dead in the water once
you push that policy)
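To make the "implied rule versus explicit rule" difference concrete, here is a small first-match rulebase evaluator. It is an added example, not code from the poster or from Check Point: the addresses, the rule names and the port-to-service mapping are constructed assumptions, and the evaluator only models source/destination/service matching, not the full FW-1 policy semantics. It compares the decision for the same connection under the implied "any, fw1 host, fw1_topo, accept" rule and under explicit rules that restrict the source to the management server.

```python
"""Toy first-match rulebase evaluator (added example, not from the list post).

Constructed addresses and the port-to-service mapping below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed service definitions: names as used on the FW-1 list, ports assumed.
SERVICES = {
    "fw1_topo": ("tcp", 264),   # SecuRemote topology requests
    "FW1_key": ("tcp", 265),    # public-key transfer
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR, or "any"
    dst: str        # CIDR, or "any"
    service: str    # service name from SERVICES, or "any"
    action: str     # "accept" or "drop"


def _match_net(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _match_service(spec, proto, port):
    if spec == "any":
        return True
    sproto, sport = SERVICES[spec]
    return sproto == proto and sport == port


def evaluate(rulebase, src, dst, proto, port):
    """Return (action, rule name) for the first matching rule; drop if none match."""
    for r in rulebase:
        if (_match_net(r.src, src) and _match_net(r.dst, dst)
                and _match_service(r.service, proto, port)):
            return r.action, r.name
    return "drop", "<cleanup>"


# Constructed topology (assumed): enforcement point and management server.
FW_HOST = "198.51.100.1"
MGMT = "192.0.2.10"

# Before: what the implied "accept FW-1 control connections" rule amounts to.
IMPLIED_RULEBASE = [
    Rule("implied control", "any", FW_HOST + "/32", "fw1_topo", "accept"),
    Rule("implied key", "any", FW_HOST + "/32", "FW1_key", "accept"),
]

# After: explicit rules at the top of the rule base, implied rule turned off.
# The first two rules are what keeps the mgmt server talking to the enforcement
# point once the implied rule is gone; omit them and the policy push strands you.
EXPLICIT_RULEBASE = [
    Rule("mgmt to fw topo", MGMT + "/32", FW_HOST + "/32", "fw1_topo", "accept"),
    Rule("mgmt to fw key", MGMT + "/32", FW_HOST + "/32", "FW1_key", "accept"),
    Rule("stealth", "any", FW_HOST + "/32", "any", "drop"),
]


def compare(src, proto="tcp", port=264):
    """Decision for one connection to the firewall under both rulebases."""
    return {
        "implied": evaluate(IMPLIED_RULEBASE, src, FW_HOST, proto, port)[0],
        "explicit": evaluate(EXPLICIT_RULEBASE, src, FW_HOST, proto, port)[0],
    }


if __name__ == "__main__":
    for who, addr in (("management server", MGMT), ("internet host", "203.0.113.7")):
        print(who, compare(addr))
```

The management server gets "accept" under both rulebases, while an arbitrary outside address gets "accept" only under the implied rule and "drop" under the explicit one. The order matters: the explicit accept rules must be in place and pushed while the implied rule is still enabled, and only then is the implied rule turned off, which is the sequence described above.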
 
 
----- Original Message -----
Sent: Monday, July 09, 2001 1:13 PM
Subject: [FW1] Opened port at Firewall-1

Hi all!,

Last weekend someone did a scan of our firewall and found ports 264 and 265 open. Those ports are "Check Point VPN-1 Public Key Transfer Protocol" and "Check Point VPN-1 SecuRemote Topology Requests" and belong to the first implied rule: Checkpoint Control Connections.

My question is: Do those ports represent a security problem? We don't use VPN yet, so I don't need them. But to close those ports I will need to eliminate the Checkpoint Control Connections implied rule and recreate it manually as the first rule. Does anyone know if this is recommendable?

What reasons might I have to keep the configuration as it is now, with those ports open to the world?

Thanks a lot,

 

Alnz.

Ing. Alonzo Vera Rojas
Network Security Consultant
Cosapi Soft S.A.
Av. Javier Prado Este 4491-Surco. Lima 33, Peru.
Phones: (511) 3133200 ext 234; Fax: (511) 437-1606;
Nextel: 81.22612
mailto:[EMAIL PROTECTED]
http://www.cosapisoft.com.pe

 

                                    The truth is out there...