Re: [FW-1] NBT-happy 4.0SP8 FW-1 on NT
Ok Dan,

I think you have the right idea but our firewall doesn't seem to agree with either of us. First though, you're correct that the real issue is stopping the traffic and I will throw a project on the list to harden the firewall's config.

In the meantime, since major jiggling of the box will require consent from 'management' (translation: undetermined amount of time before approval) I decided to check your other ideas. There *is* an implied rule to let the traffic out. But it doesn't explain our problem (at least not completely) and here's why.

First, the implied "Accept outgoing packets" rule is set to 'last' in the Policy Properties and it accordingly is the dead-last rule in the rulebase. I put in an explicitly-defined rule well above it, at position #1, as follows:

source=firewall object
dest=host object w/external broadcast address
traffic type=NBT (group that includes the traffic we're seeing)
action=accept
log=long

Somehow this traffic is bypassing my diagnostic rule #1, and getting out of the firewall anyway. If it is going out via the implicit policy we're discussing, it's bypassing the top explicit rule in the rulebase to do it (and bypassing being logged in the process).

Second, it appears that on this particular version/service pack combo for Firewall-1 there is no option in the policy properties to turn on logging of implied rules. I know what you're referring to, I've seen it in version 4.1, but I can't find it on the 4.0 box and the helpfile says the only way to log implied rules is to handle the traffic in question with explicit rules instead.

Basically I have two objectives. One is to fix the problem of NBT coming out of our firewall, but the other is to determine why this firewall is letting *any* traffic through in a manner which suggests that the rulebase is being bypassed. What do you think?
Although there's a good chance that the traffic is passing on rule 0 (allow outgoing packets originating from gateway, in Policy->Properties) and you're not logging implied rules, the real issue is making that traffic stop. The Workstation and Computer Browser services, which are implicated in the generation of this traffic, really should *not* run on any internet-connected system, firewall or otherwise. Please see Lance Spitzner's excellent article on "armoring" Windows NT (http://www.enteract.com/~lspitz/nt.html).
HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think you have received this email message in error, please email the sender at [email protected]
-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, February 07, 2002 11:36 AM
To: [email protected]
Subject: [FW-1] NBT-happy 4.0SP8 FW-1 on NT
I have a Checkpoint firewall on my watch that is firing off NBT traffic to the broadcast address on its external interface even though there is *no* rule that we can find that allows this traffic. The firewall is not using its external IP in any hidden NAT rules, express or implied, and in fact it has no hidden NAT rules at all.

Because the traffic (as best as we can tell) is not going out under any defined rules, we can't log it to learn anything about how it is being handled. In short, we're completely out of ideas. We even went so far as to set up rule #1 to *allow* NBT traffic and log it, and nothing shows up in the log even though other devices are detecting the traffic emanating from this box.

The box is running Firewall-1 4.0, SP8, on an NT 4.0 server that is up-to-date on its service packs. Any suggestions?
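Since the firewall's own log never shows this traffic, the only reliable evidence is what an external sniffer sees. The check below is an added example (not code from the thread or from Check Point) that flags NetBIOS name, datagram and session traffic (UDP 137/138, TCP 139) sourced from the gateway's external address to its subnet broadcast, so the symptom can be confirmed before and after the Workstation/Browser services are disabled. The tcpdump-style lines, the gateway address and the external subnet are all constructed placeholders.

```python
# Added example: detect NBT traffic emitted by the gateway itself toward the
# external broadcast address, as an outside sniffer would see it.
import ipaddress
import re

# NetBIOS over TCP/IP: name (UDP 137), datagram (UDP 138), session (TCP 139).
NBT_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139)}

# Matches a tcpdump-like summary: "<ts> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>udp|tcp)",
    re.IGNORECASE,
)

# Constructed sample capture; 192.0.2.1 plays the gateway's external interface.
SAMPLE_LINES = [
    "11:36:01.100 IP 192.0.2.1.137 > 192.0.2.255.137: UDP, length 50",
    "11:36:01.200 IP 192.0.2.1.138 > 192.0.2.255.138: UDP, length 201",
    "11:36:02.000 IP 192.0.2.1.1025 > 198.51.100.7.139: tcp 0",
    "11:36:02.500 IP 192.0.2.44.137 > 192.0.2.255.137: UDP, length 50",
    "11:36:03.000 IP 192.0.2.1.1026 > 198.51.100.9.53: UDP, length 40",
]


def parse(line):
    """Return the 5-tuple fields of one summary line, or None if it doesn't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def find_gateway_nbt(lines, gateway_ip, external_net):
    """Lines where the gateway sends NBT to its subnet or limited broadcast."""
    bcast = str(ipaddress.ip_network(external_net, strict=False).broadcast_address)
    hits = []
    for line in lines:
        pkt = parse(line)
        if pkt is None or pkt["src"] != gateway_ip:
            continue
        if (pkt["proto"], pkt["dport"]) not in NBT_PORTS:
            continue
        if pkt["dst"] in (bcast, "255.255.255.255"):
            hits.append(line)
    return hits
```

Run it against a real capture by replacing SAMPLE_LINES with the sniffer's output; the broadcast-only filter keeps legitimate unicast SMB sessions from the gateway out of the report.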