
RE: [FW1] Should the use of 'any' be avoided where possible?



Carl,
 Another reason why it's dangerous to allow ICMP to all of your hosts is
because it allows for the use of a ping sweep to determine the addresses of
devices behind your firewall.  Once that has been determined, a hacker can
then begin banging away looking for additional weaknesses.

Noel T. Stafford
CCSA, CCSE, CCFE
Network Engineer
IT - Data Communications Group
Western Wireless Corporation
[email protected]



-----Original Message-----
From: Carl E. Mankinen [mailto:[email protected]]
Sent: Thursday, May 03, 2001 10:05 AM
To: [email protected]
Subject: Re: [FW1] Should the use of 'any' be avoided where possible?



NEVER use "any" in a rule, unless you are forced to....and the same should
be said for service types.

You should always start from a DENY ALL standpoint, then define only what is
necessary, and nothing more.

In some cases you would have to use "any", such as a rule to allow internet
users to access a webserver.

One battle I am having, and I suppose this is a common problem....is whether
to allow ICMP (echo etc) to all the hosts in my rules.
People jump to the conclusion that there is a "network" problem or they
might think the server is down just because they can't "ping"
it. The problem is that ICMP can be used to tunnel nastiness and control
trojans and the like, so it's dangerous to allow it.
I recommend only allowing ICMP echo to/from some management servers or
engineers that really need it, and drop it for everyone else.

----- Original Message -----
From: "Allan Pratt" <[email protected]>
To: <[email protected]>
Sent: Friday, April 27, 2001 6:28 PM
Subject: [FW1] Should the use of 'any' be avoided where possible?


>
>
> Hi,
>
> Is it considered good FW-1 practice to avoid the use of 'any' in the source
> and destination fields wherever possible?
>
> It is preferable to use network objects in the source/destination so as to
> limit the scope of the rule?
>
> Thanks!
>
> Allan
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
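A defender-side check for the rulebase principles discussed in this thread (no 'any' in source, destination or service outside the public web-server exception, ICMP only to/from a management network, and an explicit final drop-all rule), written as an added example that is not from the thread or from Check Point; the object names and sample rules are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"

# Assumed object names (not from the thread): the management net allowed to
# ping, and the DMZ web server that must accept "any" for its published services.
MGMT_NET = "mgmt_net"
PUBLIC_SERVERS = {"web_dmz"}
PUBLIC_SERVICES = {"http", "https"}

def audit_rule(rule):
    """Return findings for one rule; only accept rules can be too broad."""
    findings = []
    if rule.action != "accept":
        return findings
    # Source "any" is tolerated only for the published web service.
    public_ok = rule.dst in PUBLIC_SERVERS and rule.service in PUBLIC_SERVICES
    if rule.src == "any" and not public_ok:
        findings.append("source 'any'")
    if rule.dst == "any":
        findings.append("destination 'any'")
    if rule.service == "any":
        findings.append("service 'any'")
    # ICMP only to/from the management network, as the thread recommends.
    if rule.service.startswith("icmp") and MGMT_NET not in (rule.src, rule.dst):
        findings.append("ICMP accepted outside the management network")
    return findings

def audit_rulebase(rules):
    """Map rule name -> findings; also require an explicit final drop-all rule."""
    report = {r.name: audit_rule(r) for r in rules}
    last = (rules[-1].src, rules[-1].dst, rules[-1].service, rules[-1].action) if rules else None
    if last != ("any", "any", "any", "drop"):
        report["_rulebase"] = ["no final drop any/any/any (default-deny stance missing)"]
    return {name: f for name, f in report.items() if f}

SAMPLE_RULES = [  # constructed sample rulebase for demonstration
    Rule("mgmt_ping", MGMT_NET, "internal_servers", "icmp-echo", "accept"),
    Rule("public_web", "any", "web_dmz", "http", "accept"),
    Rule("everyone_ping", "any", "internal_servers", "icmp-echo", "accept"),
    Rule("dns_out", "internal_net", "any", "dns", "accept"),
    Rule("cleanup", "any", "any", "any", "drop"),
]
```

Running `audit_rulebase(SAMPLE_RULES)` flags only `everyone_ping` and `dns_out`; a flagged rule is a review item, not automatically wrong (outbound DNS to 'any' is a common necessary exception like the web server case).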