
Our network engineer just left the company and all of his responsibilities have been 
transferred to me, including the firewall.

So, here's what I'm trying to find out...


This is a general diagram.


            Internet
                |
                |
                V
          Border Router (Cisco)
                |
                |
                V
            Firewall--->DMZ: DNS(NT4), www(NT4), mail scanner
                |
                |
                V
         Core Switch (Cisco)-------Frame Relay Connection
                |
                |
         Internal Network




Here are the details on the firewall:

CheckPoint Firewall-1  4.1 SP1 on NT4 SP5
You are not able to ping the firewall from the Internet.
All public IP addresses (located in the DMZ) are NAT'd to internal 172.16.x.x
A separate workstation object is created for each box that needs a public IP address 
and then another workstation object is created for its internal IP address 
counterpart.  The public IP address/port is then NAT'd over to the internal IP 
address/port.

For example:  The web server has two workstation objects, the one with the public IP 
address and one with the internal IP address.  Incoming packets on port 80 & 443 to 
the public IP address are then NAT'd over to the internal IP address/port. Correct..?
All inbound ports are blocked by default except requests made to specific IP 
address/port:

Inbound...
- on port 25 to public IP address of mail scanner is NAT'd to internal IP address of 
mail scanner
- on port 80 to public IP address of IIS is NAT'd to internal IP address of IIS
- on port 443 to public IP address of IIS is NAT'd to internal IP address of IIS
- on port 1494 to public IP address of Citrix box is NAT'd to internal IP address of 
Citrix


Questions:

1. On a scale of 1 - 10 (10 is most secure), how secure is this firewall 
configuration?  Why?
2. What can get through and how?  Any specific exploits?
3. What is it that is allowing it to get by the firewall?  What part of the config?

Right now, I'm just concerned about what can get by the firewall and how does that 
happen?  What are the mechanics of how it gets through?  I already have someone 
dealing with the NT service pack levels.  My concern right now is the firewall.


Is it possible to scan all ports on all the IP addresses of a netblock?
Even though you are not able to ping my firewall from the Internet, could you scan all 
ports on each of the IP addresses in my netblock and once you hit port 25 on the 
public ip address of the mail scanner, you'll get a 'listening' response?  Another way 
to put that is even though you are not able to ping my firewall from the Internet, can 
you still Nmap the public IP addresses (publicly accessible servers) that are NAT'd 
behind my firewall?  If so, how does that work and can I do anything to prevent it?


Links to sites/articles/docs/pdfs would be great.  I just need to get a better 
understanding of this...



Thanks,
Amy Morgan


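Added example, not code from the post or from Check Point: a small model of the inbound rulebase Amy describes, using placeholder public addresses from the 192.0.2.0/24 documentation range and invented 172.16.x.x internal hosts. It shows why dropping ping at the firewall does not hide the NAT'd servers: a sweep that skips the ping step still gets an answer from every address/port that has an accept rule and from nothing else, so the externally visible set is exactly the rulebase, and that rulebase is what to review.

```python
"""Model of the inbound rulebase described in the post (constructed example).

Each rule maps (public destination IP, protocol, port) -> (internal IP, port).
The public addresses are documentation-range placeholders, not real ones.
"""
from ipaddress import ip_network

NETBLOCK = ip_network("192.0.2.0/29")   # placeholder: the public netblock

# Static NAT rules exactly as listed in the post; anything not here is dropped.
INBOUND_RULES = {
    ("192.0.2.2", "tcp", 25):   ("172.16.1.10", 25),    # mail scanner
    ("192.0.2.3", "tcp", 80):   ("172.16.1.20", 80),    # IIS
    ("192.0.2.3", "tcp", 443):  ("172.16.1.20", 443),   # IIS
    ("192.0.2.4", "tcp", 1494): ("172.16.1.30", 1494),  # Citrix
}


def evaluate(dst_ip, proto, dport):
    """Return ("accept", (internal_ip, port)) or ("drop", None) for one inbound packet."""
    # ICMP echo is dropped everywhere, which is why the firewall cannot be pinged.
    # That says nothing about TCP: a SYN is matched against the NAT rules below.
    if proto == "icmp":
        return ("drop", None)
    hit = INBOUND_RULES.get((dst_ip, proto, dport))
    if hit is None:
        return ("drop", None)  # default deny: no rule, no NAT, no reply
    return ("accept", hit)


def external_exposure(netblock=NETBLOCK, ports=range(1, 65536)):
    """Emulate a TCP sweep of the netblock with no ping step.

    Every address is probed whether or not it answers ICMP, and the only ports
    that answer are the ones with an accept rule. The result is the attack
    surface an outsider sees; it should match what you intended to publish.
    """
    seen = []
    for host in netblock.hosts():
        for port in ports:
            verdict, target = evaluate(str(host), "tcp", port)
            if verdict == "accept":
                seen.append((str(host), port, target))
    return seen


if __name__ == "__main__":
    for public_ip, port, (internal_ip, internal_port) in external_exposure():
        print(f"{public_ip}:{port} -> {internal_ip}:{internal_port} reachable")
```

Blocking ping only removes one discovery shortcut; what a scanner can reach is decided by the accept rules, so reducing exposure means removing or narrowing rules (source restrictions where possible), not hiding the firewall.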
