
Re: [FW1] TELNETING into the firewall??



Greetings!

"Piedade, Rick" wrote:

> On the checkpoint firewall, we are doing a new install.
> We were using raptor and now this is the 1st setup to replace them.

Okay, common pitfalls and useful hints:

- Raptor does harden the OS during install, but Checkpoint does not.
  You will have to do the necessary bastioning manually.

- If you have a large ruleset you can transform at least your
  network entities with a small tool (Raptor2Ckp and others, see
  http://www.wyae.de/software/ ) to be included manually into objects.C

- For the sake of better understanding always think (simplified):
  Raptor == Proxy   and   Checkpoint == Router-ACLs

- With respect to the ruleset Raptor does "best fit only",
  whereas Checkpoint does "first match".

- Do not forget the implicit rules (View / ImpliedRules) as set in
  Policy / Properties.

- NAT and routing:   Checkpoint does "Routing before NAT"

- Make sure you have the   Any --> Any : Drop (log)
  cleanup rule installed as the last one in the FW-1 rulebase.



> We can telnet to the firewall from the outside.
> The firewall doesn't even have anything in its logs saying we tried.

See above: I guess "Implied Rules" and no hardening - and maybe a
missing cleanup rule.

Bye
    Volker


--

Volker Tanger  <[email protected]>
 Wrangelstr. 100, 10997 Berlin, Germany
    DiSCON GmbH - Internet Solutions
         http://www.discon.de/
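The first-match vs. best-fit distinction and the cleanup-rule advice from the reply above, as an added example that is not part of the original mail or of either product's code: a toy rulebase evaluator showing why a telnet to the firewall can be accepted without a log entry, and why a cleanup rule that is not last shadows everything under first-match. The rules, the RFC 5737 test addresses and the "implied-stand-in" rule are constructed assumptions.

```python
# Added example, not from the original mail: toy model of FW-1 "first match"
# vs Raptor "best fit" rule evaluation, with FW-1 implied rules modelled as
# unlogged accept rules ahead of the explicit rulebase.  All data constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR or "any"
    dst: str
    action: str       # "accept" or "drop"
    port: int = 0     # 0 means any service
    log: bool = False

def _covers(net, ip):
    return net == "any" or ip_address(ip) in ip_network(net)
def _matches(r, src, dst, port):
    return _covers(r.src, src) and _covers(r.dst, dst) and r.port in (0, port)

def _specificity(r):
    """Best-fit score: longer prefixes and a fixed port are more specific."""
    bits = lambda net: 0 if net == "any" else ip_network(net).prefixlen
    return bits(r.src) + bits(r.dst) + (16 if r.port else 0)

def first_match(rules, src, dst, port):
    """FW-1 style: the first matching rule decides; no match is a silent drop."""
    hit = next((r for r in rules if _matches(r, src, dst, port)), None)
    return (hit.action, hit.log, hit.name) if hit else ("drop", False, None)

def best_fit(rules, src, dst, port):
    """Raptor style: rule order is irrelevant, the most specific match wins."""
    hits = [r for r in rules if _matches(r, src, dst, port)]
    hit = max(hits, key=_specificity) if hits else None
    return (hit.action, hit.log, hit.name) if hit else ("drop", False, None)

# Constructed rulebase; 203.0.113.1 is the firewall's own outside address.
IMPLIED = [Rule("implied-stand-in", "any", "203.0.113.1/32", "accept")]
EXPLICIT = [
    Rule("cleanup", "any", "any", "drop", log=True),  # Any -> Any : Drop (log), wrongly placed first
    Rule("mail-in", "any", "203.0.113.10/32", "accept", port=25, log=True),
]
OUTSIDE = "198.51.100.7"   # constructed: host on the Internet telnetting in

def telnet_to_firewall(rules):
    return first_match(rules, OUTSIDE, "203.0.113.1", 23)

if __name__ == "__main__":
    print(telnet_to_firewall(IMPLIED + EXPLICIT))   # ('accept', False, 'implied-stand-in')
    print(telnet_to_firewall(EXPLICIT))             # ('drop', True, 'cleanup')
    print(best_fit(EXPLICIT, OUTSIDE, "203.0.113.10", 25))  # ('accept', True, 'mail-in')
```

With no cleanup rule and no implied match the packet is still dropped, but `first_match` returns `log=False`, which is the "nothing in the logs" symptom the question describes.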
