
Re: [FW1] Firewall names




I agree, there are lots of ways to find out if there is a host at a IP
address, and what kind of host it is, particularly if you know lots about
how different OS's respond to ICMP. I just would not make it any easier for
someone looking for a gateway into another network.

In my opinion (whatever that is worth), nobody should ever allow traceroute
into their network. And if secure remote is being used, the source should
be a range of specific IP addresses, not ANY. And yes, the security servers
do have a default response and we cannot get around that. It is not always
possible (nor practical) to make your firewall a complete black hole, but
there is no point in doing anything to draw un-necessary attention to
yourself. If you make it obvious that a host is a firewall, somebody might
take that as a dare to find out just how secure you made it.

That's my 2 cents worth...

Bob Webber
AT&T Global Network Services
Tel:Fax:Notes: Bob Webber/Markham/IBM@IBMCA
Internet: [email protected]

"Logic merely enables one to be wrong with authority" - Doctor Who


"iden fw" <[email protected]> on 02/28/2001 09:20:33 PM

Please respond to "iden fw" <[email protected]>

To:   Bob Webber/Markham/Contr/AT&T/IJV@IBMCA, [email protected]
cc:   [email protected]
Subject:  Re: [FW1] Firewall names





Ideally, it would be nice to not have it in DNS.  But, in reality I don't
think it is going to matter much:

1) Do they allow traceroute in-bound?  If they allow traceroute, it will
probably be easy to identify the firewall as the hop past their gateway
router - UUNet, Sprint, etc usually put customer access routers in DNS as
XXXXX-gw.  So it is (usually) the next hop after that.

2) Is your client going to have SecuRemote connections to the firewall?  If
so, port 264/tcp and/or 256/tcp will be open -- easy enough to identify it
is a Checkpoint firewall.

3) If they are using Security Servers, they have known default text.

... I'm sure there are more ways.  And that is just external.

-iden_fw

>From: "Bob Webber/Markham/Contr/AT&T/IJV"
>To: "Brian Mulford"
>CC: [email protected]
>Subject: Re: [FW1] Firewall names
>Date: Wed, 28 Feb 2001 14:28:09 -0500
>
>
>
>Hello Brian:
>
>Well, it all depends. If it is just the hostname, it is probably no big
>deal. If it is associated with an IP address that is advertised to the
>world via DNS, then it would be just asking for trouble. There is no reason
>to draw attention to your firewalls. IMHO a firewall should be a black hole
>to the outside world. If your customer wants to associate the name with an
>IP address on the secure network that is not advertised to the world, that
>would not be the end of the world, but keep in mind that most security
>incidents originate from within the organization.
>
>Regards.
>
>Bob Webber
>AT&T Global Network Services
>Tel:>Fax:>Notes: Bob Webber/Markham/IBM@IBMCA
>Internet: [email protected]
>
>"Logic merely enables one to be wrong with authority" - Doctor Who
>
>
>"Brian Mulford"@lists.us.checkpoint.com on
>02/28/2001 01:14:14 PM
>
>Please respond to "Brian Mulford"
>
>Sent by: [email protected]
>
>
>To: "Check Point FW List (E-mail)"
>
>cc:
>Subject: [FW1] Firewall names
>
>
>
>
>Everyone,
>
>I have a client that insists on naming firewalls FW1 and FW2 or
>Firewall1 and Firewall2(NT machines). I advised that its not good
>practice to name firewalls anything that could indicate to the outside
>world that this is indeed a firewall. Am I off the wall think that?
>
>Brian
>
>
>
================================================================================ 


>
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>
================================================================================ 
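Bob's two rules above (drop inbound traceroute, and open the SecuRemote ports tcp/256 and tcp/264 only to a specific peer range rather than ANY) written out as a policy check, as an added example that is not code from the thread or from Check Point; the peer range, the sample packets and the UDP traceroute probe range are constructed assumptions:

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the SecuRemote peer range this site will serve (Bob's
# "a range of specific IP addresses, not ANY"), the FW-1 ports named in the thread,
# and (assumption) the classic UNIX traceroute UDP probe range.
SECUREMOTE_PEERS = [ipaddress.ip_network("198.51.100.0/24")]
SECUREMOTE_PORTS = {256, 264}
TRACEROUTE_UDP = range(33434, 33535)

@dataclass(frozen=True)
class Packet:
    src: str      # source address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port, 0 for icmp
    ttl: int      # remaining hop count on arrival

def decide(pkt: Packet) -> str:
    """Verdict for one inbound packet: 'accept', 'drop' or 'drop+alert'."""
    src = ipaddress.ip_address(pkt.src)
    # Inbound traceroute: UDP probes into the 33434+ range, or ICMP echo arriving
    # with TTL 1 (tracert style). Dropping silently avoids the time-exceeded reply
    # that would name this box as the hop just past the provider's -gw router.
    if (pkt.proto == "udp" and pkt.dport in TRACEROUTE_UDP) or (pkt.proto == "icmp" and pkt.ttl <= 1):
        return "drop"
    if pkt.proto == "tcp" and pkt.dport in SECUREMOTE_PORTS:
        if any(src in net for net in SECUREMOTE_PEERS):
            return "accept"
        # FW-1 port probed from outside the peer range: the fingerprint iden_fw describes.
        return "drop+alert"
    return "drop"  # everything else: the firewall stays a black hole

def triage(packets):
    """Count verdicts and collect sources that probed the SecuRemote ports."""
    counts = {"accept": 0, "drop": 0, "drop+alert": 0}
    probers = set()
    for pkt in packets:
        verdict = decide(pkt)
        counts[verdict] += 1
        if verdict == "drop+alert":
            probers.add(pkt.src)
    return counts, sorted(probers)

# Constructed sample traffic, not a real capture.
SAMPLE = [
    Packet("198.51.100.7", "tcp", 264, 120),  # legitimate SecuRemote peer
    Packet("203.0.113.9", "tcp", 264, 110),   # FW-1 port probe from outside the range
    Packet("203.0.113.9", "tcp", 256, 110),
    Packet("203.0.113.50", "udp", 33436, 3),  # UNIX traceroute probe
    Packet("203.0.113.51", "icmp", 0, 1),     # tracert-style ICMP echo
    Packet("192.0.2.8", "tcp", 80, 64),       # no rule for it: black hole
]
```

Running `triage(SAMPLE)` accepts only the in-range peer, silently drops both traceroute styles, and reports 203.0.113.9 as the one source that touched the FW-1 ports from outside the allowed range.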