
[FW-1] AW: [FW-1] NBT-happy 4.0SP8 FW-1 on NT



Title: RE: [FW-1] NBT-happy 4.0SP8 FW-1 on NT
Russell,
    I'm mostly a lurker, because I'm not really a FW-1 expert, but it occurs to me that you could have your firewall set to check inbound packets rather than outbound or eitherbound. In that case, packets originating from the firewall will never pass through the rulebase. Is this a possibility?
 
                -&
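A simplified model of the point made above, added here as an illustration (not Check Point code and not part of the original thread): a packet the gateway generates itself only ever appears on the outbound side of its interface, so with inbound-only rule enforcement it never reaches the rulebase, and the explicit, logged rule #1 from the quoted message below never fires. The addresses and rule layout are constructed assumptions.

```python
# Toy model (assumption, not FireWall-1's real engine) of how the
# "Apply Gateway Rules to Interface Direction" setting interacts with
# traffic originated by the gateway itself.
from dataclasses import dataclass

FW_EXT_IP = "198.51.100.2"      # constructed: firewall external address
EXT_BCAST = "198.51.100.255"    # constructed: external broadcast address
NBT_PORTS = {137, 138, 139}     # NetBIOS name/datagram/session services

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    origin: str   # "local" = generated by the gateway, "transit" = forwarded

@dataclass
class Rule:
    src: str
    dst: str
    dports: set
    action: str
    log: bool

def rule_matches(rule, pkt):
    return (rule.src in ("any", pkt.src) and rule.dst in ("any", pkt.dst)
            and (not rule.dports or pkt.dport in rule.dports))

def inspect(pkt, rulebase, direction, log):
    """Return the verdict for pkt; direction is 'inbound', 'outbound' or 'eitherbound'."""
    # Locally generated packets never *enter* an interface, so inbound-only
    # enforcement skips them entirely: no rule match, no log entry.
    if pkt.origin == "local" and direction == "inbound":
        return "accept (not inspected)"
    for idx, rule in enumerate(rulebase, 1):
        if rule_matches(rule, pkt):
            if rule.log:
                log.append(f"rule {idx}: {rule.action} {pkt.src}->{pkt.dst} {pkt.proto}/{pkt.dport}")
            return rule.action
    # Implied "accept outgoing packets originating from gateway", placed last and unlogged.
    if pkt.origin == "local":
        return "accept (implied rule)"
    return "drop"

def demo(direction):
    """Run one gateway-originated NBT broadcast through a rulebase whose rule #1 accepts and logs it."""
    log = []
    rulebase = [Rule(FW_EXT_IP, EXT_BCAST, NBT_PORTS, "accept", True)]
    pkt = Packet(FW_EXT_IP, EXT_BCAST, "udp", 137, "local")  # constructed NBT name-service broadcast
    return inspect(pkt, rulebase, direction, log), log
```

Running `demo("inbound")` yields no log entry at all, while `demo("eitherbound")` shows rule 1 matching and logging the same packet.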
 
-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, 7 February 2002 22:36
To: [email protected]
Subject: Re: [FW-1] NBT-happy 4.0SP8 FW-1 on NT

Ok Dan,
 
I think you have the right idea but our firewall doesn't seem to agree with either of us.  First though, you're correct that the real issue is stopping the traffic and I will throw a project on the list to harden the firewall's config.
 
In the meantime, since major jiggling of the box will require consent from 'management' (translation: undetermined amount of time before approval) I decided to check your other ideas.  There *is* an implied rule to let the traffic out.  But it doesn't explain our problem (at least not completely) and here's why.
 
First, the implied "Accept outgoing packets" rule is set to 'last' in the Policy Properties and it accordingly is the dead-last rule in the rulebase.  I put in an explicitly-defined rule well above it, at position #1, as follows:
 
source=firewall object
dest=host object w/external broadcast address
traffic type=NBT (group that includes the traffic we're seeing)
action=accept
log=long
 
Somehow this traffic is bypassing my diagnostic rule #1, and getting out of the firewall anyway.  If it is going out via the implicit policy we're discussing, it's bypassing the top explicit rule in the rulebase to do it (and bypassing being logged in the process).
 
Second, it appears that on this particular version/service pack combo for Firewall-1 there is no option in the policy properties to turn on logging of implied rules.  I know what you're referring to, I've seen it in version 4.1, but I can't find it on the 4.0 box and the helpfile says the only way to log implied rules is to handle the traffic in question with explicit rules instead.
 
Basically I have two objectives.  One is to fix the problem of NBT coming out of our firewall, but the other is to determine why this firewall is letting *any* traffic through in a manner which suggests that the rulebase is being bypassed.  What do you think?
 
-----Original Message-----
From: Dan Hitchcock [mailto:[email protected]]
Sent: Thursday, February 07, 2002 12:36 PM
To: [email protected]
Subject: Re: [FW-1] NBT-happy 4.0SP8 FW-1 on NT

Although there's a good chance that the traffic is passing on rule 0 (allow outgoing packets originating from gateway, in Policy->Properties) and you're not logging implied rules, the real issue is making that traffic stop.  The Workstation and Computer Browser services, which are implicated in the generation of this traffic, really should *not* run on any internet-connected system, firewall or otherwise.  Please see Lance Spitzner's excellent article on "armoring" Windows NT (http://www.enteract.com/~lspitz/nt.html).

HTH

Dan Hitchcock
CCNP, CCSE, MCSE
Security Operations Technical Lead
Breakwater Security Associates, Inc.
"Safe Harbor for E-Business"
dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com

The information contained in this email message may be privileged, confidential and protected from disclosure.  If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited.  If you think you have received this email message in error, please email the sender at [email protected]


-----Original Message-----
From: Russell Washington [mailto:[email protected]]
Sent: Thursday, February 07, 2002 11:36 AM
To: [email protected]
Subject: [FW-1] NBT-happy 4.0SP8 FW-1 on NT


I have a Checkpoint firewall on my watch that is firing off NBT traffic to
the broadcast address on its external interface even though there is *no*
rule that we can find that allows this traffic.  The firewall is not using
its external IP in any hidden NAT rules, express or implied, and in fact it
has no hidden NAT rules at all.

Because the traffic (as best as we can tell) is not going out under any
defined rules, we can't log it to learn anything about how it is being
handled.  In short, we're completely out of ideas.  We even went so far as
to set up rule #1 to *allow* NBT traffic and log it, and nothing shows up in
the log even though other devices are detecting the traffic emanating from
this box.

The box is running Firewall-1 4.0, SP8, on an NT 4.0 server that is
up-to-date on its service packs.  Any suggestions?



