RE: [FW1] CERT Advisory and SecuRemote
Plus, as I've always noted, you need to use a packet filter in front of and behind your firewall as a safeguard. You can use your routers as packet filters, if you're wary of new hardware. The one behind your firewall should be a mean, stupid piece of hardware that only allows certain inbound packets. RDP problem? No problem. Any any [service] allow problem? No problem. Sort of like a "firewall sandwich with packet filter bread and fast ethernet mustard". No pickles, please.

--Regis

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Patrick Lotti
> Sent: Wednesday, July 11, 2001 11:43 PM
> To: '[email protected]'
> Subject: Re: [FW1] CERT Advisory and SecuRemote
>
> No, there's no problem with "any firewall [service] allow" rules.
> (Ok, it's possible to attack your firewall with many IKE requests,
> and RDP packets. But there's no way to send data through the firewall,
> from any source to any destination.)
>
> I just wondered why there was an "any any rdp allow" rule in the
> implied rules, as everybody knows that "any any [service] allow"
> is a bad idea and can always be avoided. So I just disabled the
> implied rules, not thinking to open up a case...
>
> With or without patch, stupid guys (in this case the developers)
> can always add "any any [service] allow" rules to the rulebase,
> and fw-1 won't even complain about such rules. I think the next
> patch should completely reject such rules.
>
> Patrick

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
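As an added illustration of the two points in this thread (example code written for this page, not code from the list, from Regis or Patrick, or from Check Point): a simplified first-match rulebase evaluator with an audit for "any any [service] allow" rules, plus the default-deny packet filter behind the firewall that Regis describes. The Rule/Packet model, the host and service names, and the sample rulebase are constructed assumptions, not FW-1's actual rulebase format.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Rule:
    src: str       # "any" or a named host/network (constructed model, not FW-1's format)
    dst: str
    service: str   # "any" or a service name such as "rdp" or "http"
    action: str    # "accept" or "drop"
    implied: bool = False  # True for rules the product inserts by itself

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str

def _match(field: str, value: str) -> bool:
    return field == "any" or field == value

def rulebase_action(rules: Iterable[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped."""
    for r in rules:
        if _match(r.src, pkt.src) and _match(r.dst, pkt.dst) and _match(r.service, pkt.service):
            return r.action
    return "drop"

def any_any_allow_rules(rules: Iterable[Rule]) -> List[Rule]:
    """Audit check: flag every rule that accepts from any source to any destination."""
    return [r for r in rules if r.src == "any" and r.dst == "any" and r.action == "accept"]

def inner_filter_action(allowed: Set[Tuple[str, str]], pkt: Packet) -> str:
    """The 'mean, stupid' filter behind the firewall: explicit (dst, service) allow list, else drop."""
    return "accept" if (pkt.dst, pkt.service) in allowed else "drop"

def sandwich_action(rules: Iterable[Rule], allowed: Set[Tuple[str, str]], pkt: Packet) -> str:
    """A packet gets through only if the firewall and the inner filter both accept it."""
    return inner_filter_action(allowed, pkt) if rulebase_action(rules, pkt) == "accept" else "drop"

# Constructed sample: an implied any/any rdp accept sits ahead of the admin's own rules.
RULES = [
    Rule("any", "any", "rdp", "accept", implied=True),
    Rule("any", "webserver", "http", "accept"),
    Rule("any", "any", "any", "drop"),
]
INNER_ALLOW = {("webserver", "http")}  # the only traffic the inner filter lets in

if __name__ == "__main__":
    pkt = Packet("internet-host", "fileserver", "rdp")  # accepted by the firewall via the implied rule
    print(any_any_allow_rules(RULES), rulebase_action(RULES, pkt), sandwich_action(RULES, INNER_ALLOW, pkt))
```

The audit flags the implied rule that the admin never wrote, and the inner filter drops the rdp packet that the firewall itself would have passed.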