Make sure SNMP management port 257 is blocked, preferably at your border router.
If ports 256-259 are open, this usually means the FW is Checkpoint.
If you want to be ultraparanoid, log all connections to these ports.
I suppose you can go on and on, but what's the real issue should someone find out you're using Checkpoint?
They've got over 50% of market share, so if they can't scan your ports, then they've a 1 in 2 chance of knowing it's a Checkpoint firewall!
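Added example, not part of any message in this thread: a small Python filter that picks out connections to the FireWall-1 ports the thread names (256-259 and 264/tcp) arriving from outside the internal LAN, and groups them per source so a sweep across those ports stands out in the log. The log line format, the internal address ranges and the sample entries are constructed for this example and are not a real FW-1 log format.

```python
import ipaddress
import re

# FireWall-1 control/management and SecuRemote ports named in the thread.
FW1_MGMT_PORTS = {256, 257, 258, 259, 264}

# Networks from which management traffic is expected (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed log format: "<ts> <action> proto=<proto> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+proto=(?P<proto>\w+)\s+"
                     r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def flag_mgmt_probes(lines):
    """Return one alert dict per connection to an FW-1 port from outside the LAN."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["dport"]) not in FW1_MGMT_PORTS:
            continue  # unparseable line or not a management/SecuRemote port
        if is_internal(m["src"]):
            continue  # management traffic from the inside is expected
        alerts.append({"ts": m["ts"], "action": m["action"], "proto": m["proto"],
                       "src": m["src"], "dst": m["dst"], "dport": m["dport"]})
    return alerts

def ports_probed_by_source(alerts):
    """Group flagged ports per source so a sweep across 256-259/264 stands out."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], set()).add(int(a["dport"]))
    return {src: sorted(ports) for src, ports in by_src.items()}

# Constructed sample log: one external host touches 257/264/259, an internal host is ignored.
SAMPLE_LOG = [
    "2001-03-22T19:55:01 drop proto=tcp src=203.0.113.7:41022 dst=198.51.100.1:257",
    "2001-03-22T19:55:02 accept proto=tcp src=10.1.2.3:1050 dst=10.1.2.1:258",
    "2001-03-22T19:55:03 accept proto=tcp src=203.0.113.7:41023 dst=198.51.100.1:264",
    "2001-03-22T19:55:04 accept proto=tcp src=203.0.113.9:50000 dst=198.51.100.1:443",
    "2001-03-22T19:55:05 drop proto=udp src=203.0.113.7:5000 dst=198.51.100.1:259",
]

if __name__ == "__main__":
    hits = flag_mgmt_probes(SAMPLE_LOG)
    print(len(hits), "suspicious connections;", ports_probed_by_source(hits))
```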
----- Original Message -----
Sent: 22 March 2001 19:55
Subject: RE: [FW1] How do you prevent the Firewall operating system from being identified?

Disable everything you have under your policy properties; therefore you will have no implied rules available by default.
From that point you can control 100% of your firewall, based on source, destination and service, including your management traffic (256, 257, 258 and so on).
Simple as that.
Regards
If you have SecuRemote users, I believe the answer is you can't prevent someone from finding out what OS the firewall is running on. You will have to have 264/tcp and/or 256/tcp open to the world, unless you know the specific IP addresses of your SecuRemote users. With those ports open to the world, someone can fingerprint the OS using those open ports.
The security servers may pose the same issue.
-idenfw
>From: "Tim Holman"
>To: "Dave Ng Thiam Huat" , "Fernandes, Andy (ANDF)" ,
>Subject: Re: [FW1] How do you prevent the Firewall operating system from being identified?
>Date: Thu, 22 Mar 2001 12:22:07 -0000
>
>FW management modules & control connections are all INTERNAL, so an EXTERNAL port scan will not pick them up, as they won't be running on the external interface.
>It would be quite easy to fingerprint from the internal LAN, but then again, if you're on the internal LAN, you probably know you've a Checkpoint firewall anyway!
< Good stuff snipped >
> >
> > ----- Original Message -----
> > From: Fernandes, Andy (ANDF)
> > To:
> > Sent: 21 March 2001 20:40
> > Subject: [FW1] How do you prevent the Firewall operating system from being identified?
> >
> > > Hello all:
> > >
> > > I have been told that it is possible to identify a Checkpoint Firewall's operating system type, build and version type from the outside by examining banners and using various fingerprinting techniques. How can a Checkpoint firewall be protected against this vulnerability?
> > >
> > > Andy
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================