RE: [FW1] any



This is true, but not when you want to pass encrypted
traffic as a SERVICE, such as:

MyPC -- ExternalServer -- PPTP Accept
ExternalServer -- MyPC -- PPTP Accept

Or:

InternalNortel -- VendorNortel -- IPSec -- Accept
VendorNortel -- InternalNortel -- IPSec -- Accept

I have such a Nortel VPN setup, for example.

This is what I thought was being asked -- hence, the
question about the Service. Perhaps I jumped on it too
quickly :)

Thanks -- Chris


--- Scott Friedman <[email protected]> wrote:
> remote_domain -> local_domain -> any -> encrypt
> works fine.
> 
> Scott J. Friedman, MCSE CCSE
> Security Engineer
> Ideal Technology Solutions, Inc
> Email : [email protected]
> Phone :> 
> 
> >>> Chris F <[email protected]> 06/05/01 02:44PM >>>
> 
> Hi,
> 
> In my experience, FW1 will not handle encrypted
> packets correctly unless you explicitly list the
> service (e.g. PPTP).
> 
> I would recommend explicitly listing any and all
> encryption rules *and* have them at the TOP of your
> rulebase. I also had some FW1 confusion with some
> "Any" rules when I had encryption rules listed after
> it. This is the only exception that I know of to
> "put your most used rules first".
> 
> HTH -- Chris
> 
> 
> --- "Goetz, Jarrett" <[email protected]> wrote:
> > I am not positive what you are asking, but if I am understanding you
> > clearly, as long as your encryption rule is configured properly in terms of
> > the action (i.e. client encrypt, encrypt, etc.) then yes, from what I
> > understand those services would be "included" so to speak if you put ANY in
> > the service column.
> > 
> > Always keep in mind, ANY in your rulebase is not a good thing :), from a
> > security perspective you're best off to strive to keep the amount of ANY's in
> > your rulebase to a minimum.
> > 
> > Jarrett
> > 
> > -----Original Message-----
> > From: Casey DeBerry [mailto:[email protected]] 
> > Sent: Friday, June 01, 2001 13:15
> > To: firewall-1 mailing list
> > Subject: [FW1] any
> > 
> > 
> > Is ipsec encryption and all other modules (AH, ESP, IKE etc.) contained
> > in "ANY" service?
> > 
> > Thanks,
> > Casey DeBerry
> > [email protected] 
> > 
> 
> 




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



 
   All contents © 2004 Network Presence, LLC. All rights reserved.