
Re: [FW1] Possible NT IpForwarding Security Issue.



You should use RFC1918 addresses for your DMZ/bastion hosts (10.0.0.0, 192.168.0.0, etc., etc.).
Set your router to block RFC1918 with an access list. (They shouldn't be coming in/out anyway, but
just in case...)
Set up FW-1 to ARP for the "outside/routeable" address of each DMZ/bastion host and use NAT
to get the packets to the right host. (This involves a local.arp entry, a static host route on FW-1, and the
appropriate rules/NAT rules.)

This way if you stop the fw services, no NAT can occur even if routing can.
(NAT is performed by the FW-1 process)

If someone is hitting 200.200.200.200 and FW-1 crashes, it's no longer going to be NATted to
10.10.10.10, and that means the host will toss it. They can't reach 10.10.10.10 because RFC1918
is blocked at the router.

(make sure the ONLY default route you have is to the INTERNET, btw).
----- Original Message ----- 
From: <[email protected]>
To: <[email protected]>
Sent: Thursday, January 18, 2001 3:46 PM
Subject: [FW1] Possible NT IpForwarding Security Issue.


> Hi,
> 
> One question has occupied us for the past day:
> 
> If the Firewall service goes down or is stopped by mistake, Windows NT is still
> alive and IP forwarding is enabled, would the NT server route packets to the protected
> server in the internal network or in the DMZ?
> 
> Sylvain
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
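The fail-closed property the reply describes, modelled as a small Python program. This is an added example, not code from the list post or from Check Point: the addresses are the reply's own 200.200.200.200 (public, answered by FW-1 via local.arp) and 10.10.10.10 (the RFC1918 address actually configured on the DMZ host); the routing table, interface names and sample source address are constructed. It assumes the public address is held only as a proxy-ARP entry and not configured on an NT interface, so that with the FW-1 process stopped the NT kernel simply routes the untranslated packet by its routing table.

```python
"""Model of the DMZ design from the reply: RFC1918 on the DMZ host, an RFC1918
block on the border router, static NAT done only by the FW-1 process.

Added example, constructed for illustration; addresses from the reply,
everything else is an assumption."""
from ipaddress import ip_address, ip_network

RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

# Static NAT mapping that lives inside the FW-1 process (reply's figures).
STATIC_NAT = {ip_address("200.200.200.200"): ip_address("10.10.10.10")}

# Routing table of the NT box running FW-1 (constructed): DMZ subnet on the
# DMZ interface and exactly one default route, pointing at the Internet router.
FW_ROUTES = [
    (ip_network("10.10.10.0/24"), "dmz"),
    (ip_network("0.0.0.0/0"), "internet"),
]

# Same table with a second, wrong default route toward the DMZ (constructed),
# the misconfiguration the reply's last line warns about.
BAD_ROUTES = FW_ROUTES + [(ip_network("0.0.0.0/0"), "dmz")]


def is_rfc1918(addr):
    """True if addr falls inside any RFC1918 block."""
    return any(addr in net for net in RFC1918)


def router_permits(src, dst):
    """Border router access list from the reply: drop RFC1918 in or out."""
    return not (is_rfc1918(src) or is_rfc1918(dst))


def longest_match(routes, dst):
    """Plain longest-prefix lookup; first entry wins a tie."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def fw_host_forwards_to(dst, fw_process_up, routes=FW_ROUTES):
    """Where the NT box sends a packet for dst: NAT only if FW-1 is running,
    otherwise the kernel forwards the untranslated packet by its table."""
    if fw_process_up and dst in STATIC_NAT:
        dst = STATIC_NAT[dst]
    return dst, longest_match(routes, dst)


def deliver(src, dst, fw_process_up, routes=FW_ROUTES):
    """Trace a packet from the Internet through router ACL and FW-1 host;
    returns '<interface>:<final destination>' or 'dropped-at-router'."""
    src, dst = ip_address(src), ip_address(dst)
    if not router_permits(src, dst):
        return "dropped-at-router"
    new_dst, iface = fw_host_forwards_to(dst, fw_process_up, routes)
    return f"{iface}:{new_dst}"


def only_default_route_is_internet(routes):
    """Configuration check for the reply's closing advice: exactly one
    default route, and it must point at the Internet."""
    defaults = [iface for net, iface in routes if net.prefixlen == 0]
    return defaults == ["internet"]


if __name__ == "__main__":
    outside = "1.2.3.4"  # constructed Internet source
    for fw_up in (True, False):
        print(f"FW-1 process up={fw_up}:")
        print("  to 200.200.200.200 ->", deliver(outside, "200.200.200.200", fw_up))
        print("  to 10.10.10.10     ->", deliver(outside, "10.10.10.10", fw_up))
    print("default route sane:", only_default_route_is_internet(FW_ROUTES))
    print("default route sane (bad table):", only_default_route_is_internet(BAD_ROUTES))
```

With the FW-1 process running, the public address is translated and the packet reaches the DMZ interface; with it stopped, the same packet is forwarded untranslated along the only default route, back toward the Internet, and the DMZ host never sees it. Trying the private address directly is stopped at the router in both cases, which is the point of pairing the RFC1918 addressing with the router access list.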