Re: [FW1] Firewall names
I agree, there are lots of ways to find out if there is a host at an IP address, and what kind of host it is, particularly if you know lots about how different OSes respond to ICMP. I just would not make it any easier for someone looking for a gateway into another network. In my opinion (whatever that is worth), nobody should ever allow traceroute into their network. And if SecuRemote is being used, the source should be a range of specific IP addresses, not ANY. And yes, the security servers do have a default response and we cannot get around that.

It is not always possible (nor practical) to make your firewall a complete black hole, but there is no point in doing anything to draw unnecessary attention to yourself. If you make it obvious that a host is a firewall, somebody might take that as a dare to find out just how secure you made it.

That's my 2 cents worth...

Bob Webber
AT&T Global Network Services
Tel:
Fax:
Notes: Bob Webber/Markham/IBM@IBMCA
Internet: [email protected]

"Logic merely enables one to be wrong with authority" - Doctor Who


"iden fw" <[email protected]> on 02/28/2001 09:20:33 PM

Please respond to "iden fw" <[email protected]>

To: Bob Webber/Markham/Contr/AT&T/IJV@IBMCA, [email protected]
cc: [email protected]
Subject: Re: [FW1] Firewall names

Ideally, it would be nice to not have it in DNS. But, in reality I don't think it is going to matter much:

1) Do they allow traceroute in-bound? If they allow traceroute, it will probably be easy to identify the firewall as the hop past their gateway router - UUNet, Sprint, etc. usually put customer access routers in DNS as XXXXX-gw. So it is (usually) the next hop after that.

2) Is your client going to have SecuRemote connections to the firewall? If so, port 264/tcp and/or 256/tcp will be open -- easy enough to identify it is a Checkpoint firewall.

3) If they are using Security Servers, they have known default text.

... I'm sure there are more ways. And that is just external.
-iden_fw

>From: "Bob Webber/Markham/Contr/AT&T/IJV"
>To: "Brian Mulford"
>CC: [email protected]
>Subject: Re: [FW1] Firewall names
>Date: Wed, 28 Feb 2001 14:28:09 -0500
>
>
>
>Hello Brian:
>
>Well, it all depends. If it is just the hostname, it is probably no big
>deal. If it is associated with an IP address that is advertised to the
>world via DNS, then it would be just asking for trouble. There is no reason
>to draw attention to your firewalls. IMHO a firewall should be a black hole
>to the outside world. If your customer wants to associate the name with an
>IP address on the secure network that is not advertised to the world, that
>would not be the end of the world, but keep in mind that most security
>incidents originate from within the organization.
>
>Regards.
>
>Bob Webber
>AT&T Global Network Services
>Tel:
>Fax:
>Notes: Bob Webber/Markham/IBM@IBMCA
>Internet: [email protected]
>
>"Logic merely enables one to be wrong with authority" - Doctor Who
>
>
>"Brian Mulford"@lists.us.checkpoint.com on
>02/28/2001 01:14:14 PM
>
>Please respond to "Brian Mulford"
>
>Sent by: [email protected]
>
>
>To: "Check Point FW List (E-mail)"
>
>cc:
>Subject: [FW1] Firewall names
>
>
>
>
>Everyone,
>
>I have a client that insists on naming firewalls FW1 and FW2 or
>Firewall1 and Firewall2 (NT machines). I advised that it's not good
>practice to name firewalls anything that could indicate to the outside
>world that this is indeed a firewall. Am I off the wall to think that?
>
>Brian
>
>
> ================================================================================
>
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
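As an added example, not code from any of the thread's participants: a small Python audit that turns two of the points raised above into checks a defender can run over their own data. It flags externally published DNS names whose label advertises the host's role (FW1, Firewall2, something-gw) and flags SecuRemote rules (the 264/tcp and 256/tcp services named in the thread) that accept from ANY instead of a specific address range, which is the fix Bob recommends. The zone file and the comma-separated rulebase export are constructed stand-ins for illustration, not a real Check Point rulebase format, and the list of role-hinting name fragments is an assumption you would extend for your own environment.

```python
import csv
import io
import re

# Constructed BIND-style zone records for an externally visible domain (sample data).
SAMPLE_ZONE = """\
www        IN A   192.0.2.10
fw1        IN A   192.0.2.1
firewall2  IN A   192.0.2.2
mail       IN A   192.0.2.20
border-gw  IN A   192.0.2.254
"""

# Constructed, simplified rulebase export: name,source,destination,service,action.
# This is a stand-in format, not a real Check Point rulebase export.
SAMPLE_RULES = """\
securemote-in,Any,fw1,tcp/264,accept
securemote-topology,Any,fw1,tcp/256,accept
branch-vpn,10.1.0.0/16,fw1,tcp/264,accept
web-in,Any,www,tcp/80,accept
"""

# Label fragments that tell an outsider what a host does (assumed list; extend as needed).
# Matches a fragment at the start of the label or after a separator, optionally
# followed by digits, so "fw1", "Firewall2" and "border-gw" all match but "www" does not.
ROLE_HINT = re.compile(
    r"(?:^|[-_.])(?:fw|firewall|gw|gateway|vpn|proxy)\d*(?=$|[-_.])",
    re.IGNORECASE,
)

# Services the thread associates with SecuRemote on a Check Point firewall.
SECUREMOTE_SERVICES = {"tcp/256", "tcp/264"}


def role_revealing_names(zone_text):
    """Return owner names of A records whose label hints at a security role."""
    found = []
    for line in zone_text.splitlines():
        parts = line.split()
        # Only look at A records in "<name> IN A <address>" form.
        if len(parts) >= 4 and parts[1] == "IN" and parts[2] == "A":
            if ROLE_HINT.search(parts[0]):
                found.append(parts[0])
    return found


def open_remote_access_rules(rules_text):
    """Return accept rules for SecuRemote services whose source is ANY."""
    reader = csv.DictReader(
        io.StringIO(rules_text),
        fieldnames=["name", "source", "destination", "service", "action"],
    )
    return [
        row for row in reader
        if row["service"] in SECUREMOTE_SERVICES
        and row["action"] == "accept"
        and row["source"].strip().lower() == "any"
    ]


def audit(zone_text, rules_text):
    """Combine both checks into one findings dict for reporting."""
    return {
        "role_revealing_names": role_revealing_names(zone_text),
        "securemote_from_any": [r["name"] for r in open_remote_access_rules(rules_text)],
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_ZONE, SAMPLE_RULES)
    for name in findings["role_revealing_names"]:
        print(f"DNS: '{name}' advertises the host's role; consider a neutral name")
    for rule in findings["securemote_from_any"]:
        print(f"RULE: '{rule}' accepts SecuRemote from Any; restrict the source to known ranges")
```

Run against your own exported zone and rulebase after adapting the two parsers to the real formats; the regex and the service set are the only parts that carry policy and are the parts to tune.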