Re: [FW-1] FW-1 Rulebase

There is no "one answer Rulebase" ... As Steven mentioned, you have to do A LOT OF
READING and TESTING in a test network. You need to grasp a strong understanding of
TCP/IP, security theory, and also read some books out there (Building Internet
Firewalls)... it takes time and patience. Also, some SANS courses on Firewalls are
good too.

-Amin

> -----Original Message-----
> From: Jonathan Bautista [mailto:[email protected]]
> Sent: Monday, March 04, 2002 4:15 PM
> To: [email protected]
> Subject: Re: [FW-1] FW-1 Rulebase
>
>
> What would be considered as the best practice in implementing your RULES
> then? What RULES would you consider a minimum security requirement in
> setting up your FIREWALL?
>
> Thanks again. All the info that you have provided is helpful.
>
> Regards,
> Jonathan
>
>
>
> Amin Tora <[email protected]>@beethoven.us.checkpoint.com> on 2002/03/04
> 03:35:01 PM
>
> Please respond to Mailing list for discussion of Firewall-1
> <[email protected]>
>
> Sent by: Mailing list for discussion of Firewall-1
> <[email protected]>
>
>
> To: [email protected]
> cc:
> Subject: Re: [FW-1] FW-1 Rulebase
>
>
> You don't want to drop all NBT packets...
>
> What if people outside of the firewall are scanning your network for NBT
> services ??...
> It would be good to see them in your logs. And also, CPMAD will only pick
> up scans when you LOG. ;)
>
> What you really would want to do in case of the NBT packets:
>
> Using workstation objects, make objects to represent limited broadcast
> (255.255.255.255) and your net-directed network broadcast ranges that are
> local to the fw segment... then drop NBT only from those ranges. Then all
> other NBT packets coming inbound from untrusted sources will still be logged
> by the drop rule.
>
> Example:
>
> firewall:
> eth0 192.168.1.1 /24
> eth1 25.25.25.2 /24
>
> internal net: 192.168.1.0 /24 (net_internal)
> internal net-directed broadcast is: 192.168.1.255 (int_netdbcast)
> limited broadcast {standard}: 255.255.255.255 (lim_bcast)
>
> make a WORKSTATION object for limited broadcast: lim_bcast : 255.255.255.255
> make a WORKSTATION object for net directed broadcast: int_netdbcast : 192.168.1.255
>
> Rule to drop NBT only from internal range with no logging:
>
> SRC           DST                       SRVC   ACTION   LOG
> net_internal  int_netdbcast,lim_bcast   NBT    DROP     <no log>
>
>
> You would follow the same for all other nets, etc... same principle.
>
>
> I would make a point here also that in instructional material it is taught:
>
> ANY   ANY   NBT   DROP   <NO LOG>
>
> ... this works, but remember it is not really "best practice" in terms of
> auditing for scans, etc. from external, untrusted nets.... on NBT ports.
>
>
> -Amin
>
>
>
> > -----Original Message-----
> > From: Scott Friedman [mailto:[email protected]]
> > Sent: Monday, March 04, 2002 3:01 PM
> > To: [email protected]
> > Subject: Re: [FW-1] FW-1 Rulebase
> >
> >
> > Required in all firewalls should be
> >
> > any any any drop long (last rule in rulebase)
> > any any NBT/rip drop nolog (first in rulebase)
> >
> > after any IKE rules, put
> > any <FW1 Gateway Object> any drop long (stealth rule)
> >
> > everything else is dependent on your configuration....
> >
> > Scott J. Friedman, MCSE CCSE CCNA
> > Security & Cisco Routing Engineer
> > LDMI / Ideal Technology Solutions, U.S.
> > Email : [email protected]
> > Phone :
> > www.itsusnow.com
> > www.ldmi.com
> >
> > >>> [email protected] 03/04/02 01:34PM >>>
> > Hi Everybody,
> >
> > I have just taken ownership of maintaining the rulebase for FW-1. I
> > will be embarking on the task of downsizing our rulebase into a manageable
> > number of rules. I need some guidelines and direction in making my
> > rulebase simple and secure. Based on your experience, what do you think is
> > a must have RULE implemented in FW-1 or any other firewall (i.e. lockdown,
> > Drop All and Log, etc...). Any other advice you can give me in maintaining
> > my rulebase and securing my firewall would be greatly appreciated.
> >
> > Thanks,
> > Jonathan
> >
> > ---------------------------------------------------------------------------
> > This e-mail message (including attachments, if any) is intended for the use
> > of the individual or entity to which it is addressed and may contain
> > information that is privileged, proprietary, confidential and exempt from
> > disclosure. If you are not the intended recipient, you are notified that
> > any dissemination, distribution or copying of this communication is
> > strictly prohibited. If you have received this communication in error,
> > please notify the sender and erase this e-mail message immediately.
> > ---------------------------------------------------------------------------
> > This electronic message (including any attachments) is addressed to the
> > named recipient and may contain private or confidential information. If
> > you are not the recipient of this document, we advise you that it is
> > strictly prohibited to disseminate, distribute or reproduce it. If this
> > message was sent to you in error, please inform the sender and delete it
> > immediately.
> > ---------------------------------------------------------------------------
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [email protected]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [email protected]
> > =================================================
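The difference between the two NBT rules discussed in the quoted messages (Scott's "any any NBT/rip drop nolog" at the top of the rulebase versus Amin's rule scoped to the local broadcast addresses) is easiest to see by running both orderings over the same packets. The following Python is an added example, not code from the thread or from Check Point; it models first-match evaluation of a rulebase built from the objects and addresses in Amin's example. The NBT (udp/137, udp/138, tcp/139), RIP (udp/520) and IKE (udp/500) port sets, the unlogged implicit drop at the end of the rulebase, and the four sample packets are this example's own assumptions and constructions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Network objects; addresses are the ones from Amin's example in the thread.
# A name maps to one or more networks so a "group" is just a longer list.
OBJECTS: Dict[str, List[ipaddress.IPv4Network]] = {
    "any":           [ipaddress.ip_network("0.0.0.0/0")],
    "net_internal":  [ipaddress.ip_network("192.168.1.0/24")],
    "int_netdbcast": [ipaddress.ip_network("192.168.1.255/32")],
    "lim_bcast":     [ipaddress.ip_network("255.255.255.255/32")],
    # the gateway object covers both firewall interfaces (eth0 and eth1)
    "fw_gateway":    [ipaddress.ip_network("192.168.1.1/32"),
                      ipaddress.ip_network("25.25.25.2/32")],
}

# Services as (protocol, port) sets; port numbers are assumed standard values.
SERVICES: Dict[str, Set[Tuple[str, int]]] = {
    "any": set(),                                   # empty set = match any service
    "NBT": {("udp", 137), ("udp", 138), ("tcp", 139)},
    "rip": {("udp", 520)},
    "IKE": {("udp", 500)},
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    port: int

@dataclass(frozen=True)
class Rule:
    name: str
    src: Tuple[str, ...]
    dst: Tuple[str, ...]
    services: Tuple[str, ...]
    action: str      # "accept" or "drop"
    log: bool        # True = "long" tracking, False = no log

def _addr_matches(names: Tuple[str, ...], addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for n in names for net in OBJECTS[n])

def _svc_matches(names: Tuple[str, ...], proto: str, port: int) -> bool:
    return any(not SERVICES[n] or (proto, port) in SERVICES[n] for n in names)

def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str, bool]:
    """First match wins, top to bottom, as a FW-1 rulebase is read."""
    for rule in rulebase:
        if (_addr_matches(rule.src, pkt.src) and _addr_matches(rule.dst, pkt.dst)
                and _svc_matches(rule.services, pkt.proto, pkt.port)):
            return rule.name, rule.action, rule.log
    # Assumed: traffic no rule matches is dropped without a log entry, which is
    # why the explicit "any any any drop long" cleanup rule is recommended.
    return "implicit-drop", "drop", False

IKE_TO_FW = Rule("ike", ("any",), ("fw_gateway",), ("IKE",), "accept", True)
STEALTH   = Rule("stealth", ("any",), ("fw_gateway",), ("any",), "drop", True)
CLEANUP   = Rule("cleanup", ("any",), ("any",), ("any",), "drop", True)

# Scott's ordering: silence all NBT/RIP before anything else.
TEXTBOOK = [Rule("nbt-noise", ("any",), ("any",), ("NBT", "rip"), "drop", False),
            IKE_TO_FW, STEALTH, CLEANUP]
# Amin's version: silence only local broadcast NBT; everything else falls through.
SCOPED = [Rule("nbt-bcast", ("net_internal",), ("int_netdbcast", "lim_bcast"),
               ("NBT",), "drop", False),
          IKE_TO_FW, STEALTH, CLEANUP]

# Constructed sample traffic, not captured data.
SAMPLE: Dict[str, Packet] = {
    "internal-bcast": Packet("192.168.1.50", "192.168.1.255", "udp", 137),
    "external-scan":  Packet("25.25.25.100", "192.168.1.50", "tcp", 139),
    "fw-probe":       Packet("25.25.25.100", "25.25.25.2", "tcp", 139),
    "ike-to-fw":      Packet("25.25.25.77", "25.25.25.2", "udp", 500),
}

def unlogged_external_drops(rulebase: List[Rule], packets: Dict[str, Packet]) -> List[str]:
    """Packets from outside net_internal that are dropped with no log entry:
    exactly the scans Amin warns you would never see in the logs."""
    return [label for label, p in packets.items()
            if not _addr_matches(("net_internal",), p.src)
            and evaluate(rulebase, p)[1:] == ("drop", False)]

if __name__ == "__main__":
    for label, pkt in SAMPLE.items():
        print(f"{label:15} textbook={evaluate(TEXTBOOK, pkt)}  scoped={evaluate(SCOPED, pkt)}")
    print("hidden by textbook ordering:", unlogged_external_drops(TEXTBOOK, SAMPLE))
    print("hidden by scoped ordering:  ", unlogged_external_drops(SCOPED, SAMPLE))
```

Both rulebases silence the internal NetBIOS broadcast, but only the scoped one lets an external probe of tcp/139 reach the stealth or cleanup rule, where it is logged; under the textbook ordering the probe against the gateway itself is swallowed before the stealth rule ever sees it.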