
Re: [FW-1] FW-1 Rulebase


  • To: [email protected]
  • Subject: Re: [FW-1] FW-1 Rulebase
  • From: Steven Schuster <[email protected]>
  • Date: Mon, 4 Mar 2002 17:03:15 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Before diving into a firewall, do a lot of reading first, get truly paranoid, then set up your rules.  Read RFC2196, read Hacking Exposed, read every security book you can find and get a feel for best practices (probably what you are looking for by this posting).  You probably won't find anyone willing to take on the "what rules should I put in" on this list, as every network is different, and should be viewed accordingly. (not trying to start a battle....)

Good rule of thumb...be as granular as possible....allow machines, not entire networks when possible.

If you are really unsure, hire a consultant...that is their job, to learn your network, and help you secure it.

I am not a consultant, so I am not pushing my own services, but I have been one, and when in the private sector, I have employed them.

my $.02



Steve Schuster
Midwest ISO
Security Analyst




-----Original Message-----
From: Jonathan Bautista [mailto:[email protected]]
Sent: Monday, March 04, 2002 4:15 PM
To: [email protected]
Subject: Re: [FW-1] FW-1 Rulebase


What would be considered best practice in implementing your RULES
then?  What RULES would you consider a minimum security requirement in
setting up your FIREWALL?

Thanks again.  All the info that you have provided is helpful.

Regards,
Jonathan



Amin Tora <[email protected]> on 2002/03/04 03:35:01 PM

Please respond to Mailing list for discussion of Firewall-1
      <[email protected]>

Sent by:  Mailing list for discussion of Firewall-1
      <[email protected]>


To:   [email protected]
cc:
Subject:  Re: [FW-1] FW-1 Rulebase


You don't want to drop all NBT packets...

What if people outside of the firewall are scanning your network for NBT
services?  It would be good to see them in your logs.  And also, CPMAD will
only pick up scans when you LOG.  ;)

What you really would want to do in case of the NBT packets:

Using workstation objects, make objects to represent limited broadcast
(255.255.255.255) and your net-directed network broadcast ranges that are
local to the fw segment...  then drop NBT only from those ranges.  Then all
other NBT packets coming inbound from untrusted sources will still be logged
by the drop rule.

Example:

firewall:
        eth0  192.168.1.1 /24
        eth1    25.25.25.2 /24

internal net: 192.168.1.0 /24 (net_internal)
internal net-directed broadcast is: 192.168.1.255 (int_netdbcast)
limited broadcast {standard}: 255.255.255.255 (lim_bcast)

make a WORKSTATION object for limited broadcast: lim_bcast :
255.255.255.255
make a WORKSTATION object for net directed broadcast: int_netdbcast :
192.168.1.255

Rule to drop NBT only from internal range with no logging:

SRC              DST                       SRVC     ACTION     LOG
net_internal     int_netdbcast,lim_bcast     NBT    DROP     <no log>


You would follow the same for all other nets, etc... same principle.


I would make a point here also that in instructional material it is taught:

ANY    ANY     NBT    DROP    <NO LOG>

... this works, but remember it is not really "best practice" in terms of
auditing for scans, etc. from external, untrusted nets.... on NBT ports.


-Amin



> -----Original Message-----
> From: Scott Friedman [mailto:[email protected]]
> Sent: Monday, March 04, 2002 3:01 PM
> To: [email protected]
> Subject: Re: [FW-1] FW-1 Rulebase
>
>
> Required in all firewalls should be
>
> any any any drop long (last rule in rulebase)
> any any NBT/rip drop nolog (first in rulebase)
>
> after any IKE rules, put
> any <FW1 Gateway Object> any drop long (stealth rule)
>
> everything else is dependent on your configuration....
>
> Scott J. Friedman, MCSE CCSE CCNA
> Security & Cisco Routing Engineer
> LDMI / Ideal Technology Solutions, U.S.
> Email : [email protected]
> Phone :> www.itsusnow.com
> www.ldmi.com
>
> >>> [email protected] 03/04/02 01:34PM >>>
> Hi Everybody,
>
> I have just taken ownership of maintaining the rulebase for FW-1.  I
> will be embarking on the task of downsizing our rulebase into a
> manageable number of rules.  I need some guidelines and direction in
> making my rulebase simple and secure.  Based on your experience, what do
> you think is a must-have RULE implemented in FW-1 or any other firewall
> (i.e. lockdown, Drop All and Log, etc...).  Any other advice you can give
> me in maintaining my rulebase and securing my firewall would be greatly
> appreciated.
>
> Thanks,
> Jonathan
>
> --------------------------------------------------------------
> -------------
> This e-mail message (including attachments, if any) is
> intended for the
> use
> of the individual or entity to which it is addressed and may contain
> information that is privileged, proprietary , confidential and exempt
> from
> disclosure.  If you are not the intended recipient, you are notified
> that
> any dissemination, distribution or copying of this communication is
> strictly prohibited.  If you have received this communication in
> error,
> please notify the sender and erase this e-mail message immediately.
> --------------------------------------------------------------
> -------------
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================




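The following is an added example, not code from the thread or from Check Point. It models a FW-1-style first-match rulebase in Python to make the logging point above concrete: Amin's granular NBT rule (drop NetBIOS only from the internal net to the two broadcast objects, no log) is placed ahead of Scott's stealth rule and "any any any drop log" cleanup rule, and the same traffic is run through the "ANY ANY NBT DROP no-log" textbook variant. The object addresses are the ones in Amin's example; the external host 203.0.113.7, the sample packets, and the port numbers 137/138/139 standing in for the FW-1 "NBT" service group are assumptions made for the example. The `audit` check for a logged cleanup rule and a stealth rule is likewise this example's own, not a FW-1 feature.

```python
"""Toy first-match firewall rulebase: why 'any any NBT drop nolog' hides scans."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = "any"
# Assumed: FW-1's predefined "NBT" group = nbname/137, nbdatagram/138, nbsession/139
NBT = frozenset({137, 138, 139})

# Objects from Amin's example (the firewall's own addresses are its two interfaces)
net_internal = ip_network("192.168.1.0/24")
int_netdbcast = ip_address("192.168.1.255")
lim_bcast = ip_address("255.255.255.255")
fw_gateway = frozenset({ip_address("192.168.1.1"), ip_address("25.25.25.2")})


@dataclass(frozen=True)
class Rule:
    name: str
    src: object   # ANY, an IPv4Network, or a frozenset of addresses
    dst: object
    svc: object   # ANY or a frozenset of destination ports
    action: str   # "accept" or "drop"
    log: bool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def _addr_matches(spec, addr: str) -> bool:
    """Match an address against ANY, a network object, or a set of host objects."""
    if spec == ANY:
        return True
    a = ip_address(addr)
    return a in spec  # works for both IPv4Network and frozenset of addresses


def evaluate(rulebase, pkt: Packet):
    """First matching rule wins, as in FW-1. Returns (rule_name, action, logged).
    A packet matching no rule hits the implicit drop, which is not logged; that is
    why an explicit 'any any any drop log' cleanup rule belongs at the bottom."""
    for r in rulebase:
        if (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)
                and (r.svc == ANY or pkt.dport in r.svc)):
            return r.name, r.action, r.log
    return "implicit-drop", "drop", False


def logged_hits(rulebase, packets):
    """Per packet: the name of the rule that wrote a log entry, or None if silent."""
    return [name if logged else None
            for name, _, logged in (evaluate(rulebase, p) for p in packets)]


def audit(rulebase):
    """Checks drawn from the thread: logged cleanup rule last, stealth rule present."""
    problems = []
    last = rulebase[-1]
    if not (last.src == ANY and last.dst == ANY and last.svc == ANY
            and last.action == "drop" and last.log):
        problems.append("last rule is not 'any any any drop log' (cleanup rule)")
    if not any(r.dst == fw_gateway and r.action == "drop" and r.log for r in rulebase):
        problems.append("no logged stealth rule dropping traffic to the gateway itself")
    return problems


# In a real rulebase the stealth rule goes after any IKE rules; none exist here.
STEALTH = Rule("stealth", ANY, fw_gateway, ANY, "drop", True)
CLEANUP = Rule("cleanup", ANY, ANY, ANY, "drop", True)

# Amin's granular version: silence only internal broadcast chatter.
granular = [
    Rule("nbt-bcast-noise", net_internal, frozenset({int_netdbcast, lim_bcast}),
         NBT, "drop", False),
    STEALTH,
    CLEANUP,
]
# The "instructional material" version: silence NBT from anywhere to anywhere.
textbook = [Rule("nbt-any", ANY, ANY, NBT, "drop", False), STEALTH, CLEANUP]

# Constructed sample traffic, not captured from a real network.
SAMPLE = [
    Packet("192.168.1.10", "192.168.1.255", 137),    # internal name-service broadcast
    Packet("192.168.1.10", "255.255.255.255", 138),  # internal limited broadcast
    Packet("203.0.113.7", "25.25.25.2", 139),        # external scan of the gateway
    Packet("203.0.113.7", "192.168.1.20", 139),      # external scan of an inside host
]

if __name__ == "__main__":
    for label, rb in (("granular", granular), ("textbook", textbook)):
        print(label, audit(rb) or "audit ok", logged_hits(rb, SAMPLE))
```

Run as a script, the granular rulebase silently drops the two internal broadcasts but logs the external probe of the gateway under the stealth rule and the probe of the inside host under the cleanup rule; the textbook rulebase drops all four without a log entry, so a NetBIOS sweep from outside never appears in the log viewer or feeds CPMAD.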

   All contents © 2004 Network Presence, LLC. All rights reserved.