
Re: [FW-1] FW-1 Rulebase



There is no "one answer Rulebase" ...

As Steven mentioned, you have to do A LOT OF READING and TESTING in a test
network.  You need to grasp a strong understanding of TCP/IP and security
theory, and also read some of the books out there (Building Internet
Firewalls)... it takes time and patience.

Also, some SANS courses on Firewalls are good too.

-Amin


> -----Original Message-----
> From: Jonathan Bautista [mailto:[email protected]]
> Sent: Monday, March 04, 2002 4:15 PM
> To: [email protected]
> Subject: Re: [FW-1] FW-1 Rulebase
>
>
> What would be considered as the best practice in implementing your RULES
> then?  What RULES would you consider a minimum security requirement in
> setting up your FIREWALL?
>
> Thanks again.  All the info that you have provided is helpful.
>
> Regards,
> Jonathan
>
>
>
> Amin Tora <[email protected]>@beethoven.us.checkpoint.com> on 2002/03/04
> 03:35:01 PM
>
> Please respond to Mailing list for discussion of Firewall-1
>       <[email protected]>
>
> Sent by:  Mailing list for discussion of Firewall-1
>       <[email protected]>
>
>
> To:   [email protected]
> cc:
> Subject:  Re: [FW-1] FW-1 Rulebase
>
>
> You don't want to drop all NBT packets...
>
> What if people outside of the firewall are scanning your network for NBT
> services??... It would be good to see them in your logs.  And also, CPMAD
> will only pick up scans when you LOG.  ;)
>
> What you really would want to do in case of the NBT packets:
>
> Using workstation objects, make objects to represent limited broadcast
> (255.255.255.255) and your net-directed network broadcast ranges that are
> local to the fw segment...  then drop NBT only from those ranges.  Then all
> other NBT packets coming inbound from untrusted sources will still be
> logged by the drop rule.
>
> Example:
>
> firewall:
>         eth0  192.168.1.1 /24
>         eth1    25.25.25.2 /24
>
> internal net: 192.168.1.0 /24 (net_internal)
> internal net-directed broadcast is: 192.168.1.255 (int_netdbcast)
> limited broadcast {standard}: 255.255.255.255 (lim_bcast)
>
> make a WORKSTATION object for limited broadcast: lim_bcast : 255.255.255.255
> make a WORKSTATION object for net directed broadcast: int_netdbcast : 192.168.1.255
>
> Rule to drop NBT only from internal range with no logging:
>
> SRC              DST                       SRVC     ACTION     LOG
> net_internal     int_netdbcast,lim_bcast     NBT    DROP     <no log>
>
>
> You would follow the same for all other nets, etc... same principle.
>
>
> I would make a point here also that in instructional material it is taught:
>
> ANY    ANY     NBT    DROP    <NO LOG>
>
> ... this works, but remember it is not really "best practice" in terms of
> auditing for scans, etc. from external, untrusted nets.... on NBT ports.
>
>
> -Amin
>
>
>
> > -----Original Message-----
> > From: Scott Friedman [mailto:[email protected]]
> > Sent: Monday, March 04, 2002 3:01 PM
> > To: [email protected]
> > Subject: Re: [FW-1] FW-1 Rulebase
> >
> >
> > Required in all firewalls should be
> >
> > any any any drop long (last rule in rulebase)
> > any any NBT/rip drop nolog (first in rulebase)
> >
> > after any IKE rules, put
> > any <FW1 Gateway Object> any drop long (stealth rule)
> >
> > everything else is dependent on your configuration....
> >
> > Scott J. Friedman, MCSE CCSE CCNA
> > Security & Cisco Routing Engineer
> > LDMI / Ideal Technology Solutions, U.S.
> > Email : [email protected]
> > Phone :
> > www.itsusnow.com
> > www.ldmi.com
> >
> > >>> [email protected] 03/04/02 01:34PM >>>
> > Hi Everybody,
> >
> > I have just taken ownership of maintaining the rulebase for FW-1.  I
> > will be embarking on the task of downsizing our rulebase to a manageable
> > number of rules.  I need some guidelines and direction in making my
> > rulebase simple and secure.  Based on your experience, what do you
> > think is a must-have RULE implemented in FW-1 or any other firewall (i.e.
> > lockdown, Drop All and Log, etc...).  Any other advice you can give me in
> > maintaining my rulebase and securing my firewall would be greatly appreciated.
> >
> > Thanks,
> > Jonathan
> >
> > ---------------------------------------------------------------------------
> > This e-mail message (including attachments, if any) is intended for the use
> > of the individual or entity to which it is addressed and may contain
> > information that is privileged, proprietary, confidential and exempt from
> > disclosure.  If you are not the intended recipient, you are notified that
> > any dissemination, distribution or copying of this communication is
> > strictly prohibited.  If you have received this communication in error,
> > please notify the sender and erase this e-mail message immediately.
> > ---------------------------------------------------------------------------
> > This electronic message (including any attachments) is addressed to the
> > indicated recipient and may contain private or confidential information.
> > If you are not the intended recipient of this document, please note that
> > it is strictly forbidden to disseminate, distribute or reproduce it.  If
> > this message was sent to you in error, please inform the sender and delete
> > it immediately.
> > ---------------------------------------------------------------------------
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
> >
> >
>
>
>
>
>
>


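The point Amin makes about the NBT drop rule (a silent "ANY ANY NBT DROP" as rule 1 hides external NBT scans from the log) and Scott's skeleton of stealth and cleanup rules can both be checked with a small first-match rulebase simulator. The following is an added example, not Check Point code and not something posted in the thread. The object names and addresses come from Amin's example; the membership of the NBT service group (udp/137, udp/138, tcp/139), the external scanner address 203.0.113.9, and the modelling of the implicit drop as unlogged are assumptions of this example.

```python
"""Toy first-match rulebase evaluator for the NBT logging discussion (added example).

Not FW-1 code. Objects follow the thread's example; the NBT port list, the
scanner address 203.0.113.9 (constructed) and the unlogged implicit drop
are assumptions of this script.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

ANY = "any"

# Assumed membership of the NBT service group: NetBIOS name, datagram, session.
NBT: FrozenSet[str] = frozenset({"udp/137", "udp/138", "tcp/139"})

# Network objects from the thread.
NET_INTERNAL = ipaddress.ip_network("192.168.1.0/24")        # net_internal
INT_NETDBCAST = ipaddress.ip_network("192.168.1.255/32")     # int_netdbcast
LIM_BCAST = ipaddress.ip_network("255.255.255.255/32")       # lim_bcast
FW_GATEWAY = (ipaddress.ip_network("192.168.1.1/32"),        # eth0
              ipaddress.ip_network("25.25.25.2/32"))         # eth1

AddrSet = Union[str, Tuple[ipaddress.IPv4Network, ...]]


@dataclass(frozen=True)
class Rule:
    name: str
    src: AddrSet
    dst: AddrSet
    services: Union[str, FrozenSet[str]]
    action: str          # "accept" or "drop"
    log: bool


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str         # "proto/port"


def _addr_matches(objs: AddrSet, ip: str) -> bool:
    if objs == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in objs)


def _service_matches(services, service: str) -> bool:
    return services == ANY or service in services


def evaluate(rulebase, pkt: Packet):
    """Top-down, first matching rule wins. No match: implicit drop, assumed unlogged."""
    for rule in rulebase:
        if (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)
                and _service_matches(rule.services, pkt.service)):
            return rule.name, rule.action, rule.log
    return "implicit-drop", "drop", False


# Scott's stealth and cleanup rules (no IKE rules in this example, so stealth sits right after the NBT rule).
STEALTH = Rule("stealth", ANY, FW_GATEWAY, ANY, "drop", True)
CLEANUP = Rule("cleanup", ANY, ANY, ANY, "drop", True)

# The classroom rulebase: silently drop NBT from anywhere as rule 1.
CLASSROOM = (
    Rule("nbt-drop-nolog", ANY, ANY, NBT, "drop", False),
    STEALTH,
    CLEANUP,
)

# Amin's refinement: silence only the local broadcast noise, let everything else reach a logged drop.
REFINED = (
    Rule("nbt-bcast-nolog", (NET_INTERNAL,), (INT_NETDBCAST, LIM_BCAST), NBT, "drop", False),
    STEALTH,
    CLEANUP,
)

# Constructed traffic samples.
LOCAL_BROWSE = Packet("192.168.1.50", "192.168.1.255", "udp/137")   # internal browse-list chatter
SCAN_GATEWAY = Packet("203.0.113.9", "25.25.25.2", "tcp/139")       # external probe at the firewall itself
SCAN_HOST = Packet("203.0.113.9", "192.168.1.20", "udp/137")        # external probe at an inside host

TRAFFIC = (("local-browse", LOCAL_BROWSE), ("scan-gateway", SCAN_GATEWAY), ("scan-host", SCAN_HOST))


def logged_events(rulebase, packets=TRAFFIC):
    """Names of the sample packets that this rulebase would write to the log."""
    return [name for name, pkt in packets if evaluate(rulebase, pkt)[2]]


if __name__ == "__main__":
    for label, rb in (("classroom", CLASSROOM), ("refined", REFINED)):
        print(f"{label}: logged = {logged_events(rb)}")
        for name, pkt in TRAFFIC:
            print(f"  {name:13} -> {evaluate(rb, pkt)}")
```

Run as a script it prints, for each rulebase, which of the three constructed packets would show up in the log. With the classroom rulebase none of them do, including the two external probes; with the refined rulebase only the internal broadcast chatter stays quiet, the probe at the gateway is caught by the stealth rule and the probe at the inside host by the cleanup rule, both logged.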


   All contents © 2004 Network Presence, LLC. All rights reserved.