Re: [FW-1] Nimda Uri

If the web servers in the DMZ have static legal IP addresses (not private 10.0.0.0, 172.16.0.0-172.32.0.0, 192.168.0.0), then you shouldn't have any problems. But no matter what, you must make sure that the web servers in the DMZ can handle connections even if there are no HTTP resources and stuff like that. Just make some rules permitting traffic to the web servers (do not use URI) and try to see if it works.

If it does work, unload the policy (unplug the cables from the web servers before doing that), reload the policy, delete the URI resources and the web server objects, install the policy, create the URI resources and the web server objects, create the rules at the TOP of your rule base (1. Nimda block, 2. HTTP permit), and install the policy again.

If you say that the rules work in another FW with a clean install, then I suspect it has something to do with the network objects (the web server objects). It is a rather strange case... What is happening to you now happened to me 1 year ago. We tried to do the same things as you did and had the exact case you did (the same result). What did I do? I reinstalled the FW from scratch (FW and M$ server). If you decide to reinstall the FW and M$ server, keep in mind that you should back up the "Conf" directory first, so you will not have to create everything from scratch again... Give the "No URI" idea a try and let me know. See ya.

-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Monday, March 11, 2002 7:39 PM
To: [email protected]
Subject: Re: [FW-1] Nimda Uri


Dimitris,

I'm wondering if I have to enable static NAT in order for it work, is this
the case ?


>From: "Chontzopoulos, Dimitris" <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] Nimda Uri
>Date: Mon, 11 Mar 2002 10:19:42 +0200
>
>I have created the following:
>
>"General" Tab
>==========
>Name                         : Block-Exploits-Http
>Comment                      : Nimda-Sand-CodeRed
>Connection Methods           : Transparent, Proxy
>Exception Track              : Log
>URI Match Specification Type : Wild Cards
>
>"Match" Tab
>=========
>Schemes : http, ftp, gopher, mailto, news, wais, Other: *
>Methods : GET, POST, HEAD, PUT, Other: *
>Host    : *
>Path    : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}
>Query   : *
>
>"Action" Tab
>=========
>Replacement URI : http://no.exploits.allowed.com (This way you send a redirect to the host trying to exploit you, so the connection he initiated does not time out on your firewall. You send a redirection that doesn't exist, so the attacker times out while trying to resolve the non-existent domain.)
>All others      : none, blank
>
>The most important follows:
>1. The "Nimda HTTP-Resource" must be placed at the top of your rule base.
>2. After the "Nimda HTTP-Resource" you should place all other "HTTP-Resources" you may want to use in order to block downloads, web sites, etc.
>3. After the other HTTP-Resources you may define, you must create a rule that will accept all other "legal" HTTP/FTP browsing, etc.
>
>Sample Configuration
>================
>No.  Source  Destination            Service                    Action  Track  Install On
>1    Any     Any                    http->Block-Exploits-Http  Drop    Long   Firewall
>2    Any     DMZ_Web_Servers_Group  Http, Https, Ftp           Accept  Long   Firewall
>
>I am using the exact scenario in the company I am working for and it works
>like a charm. If you define a resource dropping traffic, you should also
>create a rule permitting the rest of the traffic. I had the same problem as
>you did when I first did something similar to yours. Don't forget to put the
>non-existent redirection. Please let me know whether it works or not. Thanx.
>
>-----Original Message-----
>From: Joe Bloggs [mailto:[email protected]]
>Sent: Sunday, March 10, 2002 12:23 PM
>To: [email protected]
>Subject: [FW-1] Nimda Uri
>
>
>We have a Checkpoint firewall 4.1 SP5. Web servers in a DMZ with legal IPs,
>therefore the FW is not doing any NAT. The problem is that if I enable the
>recommended rule to block Nimda/Code Red, i.e. create a URI and add it to a
>resource with the rule any->any>http>nimda_uri, it blocks all access to the web
>servers from internally and externally, and the log does not show anything.
>Any help appreciated.
>
>Our platform: Win2K SP2, FW-1 4.1 SP5
>
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
>





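The rule-base logic the thread settles on (a resource rule at the top that drops matching URIs, then an accept rule for the rest of the DMZ web traffic), as an added example that is not part of the original posts and is not Check Point's code: a small Python model that applies the resource's path wild cards to sample request lines and then walks the two-rule sample configuration first-match, once with rule 2 present and once with only the resource rule. The addresses, the request lines, the "*"-only wild-card semantics and the unlogged implicit drop are all assumptions made for the example.

```python
"""
Model of the rule base from the thread: a URI resource that drops requests
whose path matches the Nimda/Code Red wild cards, then a rule accepting the
remaining traffic to the DMZ web servers. Added example, not code from the
posts or from Check Point; evaluation is a simplified first-match model and
the request lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Path wild cards from the "Match" tab of the Block-Exploits-Http resource.
# Assumption: '*' matches any string and every other character is literal.
PATH_PATTERNS = [
    "*default.ida?*", "*cmd.exe*", "*root.exe*", "*admin.dll*", "*readme.exe*",
    "*.eml*", "*.nws*", "*sample.exe*", "*csrss.exe*", "*httpodbc.dll*",
]
REPLACEMENT_URI = "http://no.exploits.allowed.com"   # "Action" tab

# Constructed addresses (RFC 5737 TEST-NET-3) standing in for the DMZ servers.
GROUPS = {"DMZ_Web_Servers_Group": {"203.0.113.10", "203.0.113.11"}}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a '*'-only wild card into an anchored regular expression."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


PATH_REGEXES = [(p, wildcard_to_regex(p)) for p in PATH_PATTERNS]


def uri_matches(request_line: str) -> Optional[str]:
    """Return the first path wild card matching an HTTP request line, else None.
    Scheme, method and host are all '*' in the resource, so only the
    request-target (path plus query) decides."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    for pattern, regex in PATH_REGEXES:
        if regex.match(parts[1]):
            return pattern
    return None


@dataclass
class Rule:
    no: int
    dst: str                 # "Any" or a group name from GROUPS
    services: frozenset
    action: str              # "Drop" or "Accept"
    track: str               # "Long" or "None"
    resource: bool = False   # True for the http->Block-Exploits-Http rule


@dataclass
class Verdict:
    rule_no: Optional[int]   # None means the implicit drop at the end
    action: str
    logged: bool
    detail: str = ""


def rule_base(with_accept_rule: bool = True) -> list:
    """Rule 1 from the sample configuration, plus rule 2 unless disabled."""
    rules = [Rule(1, "Any", frozenset({"http"}), "Drop", "Long", resource=True)]
    if with_accept_rule:
        rules.append(Rule(2, "DMZ_Web_Servers_Group",
                          frozenset({"http", "https", "ftp"}), "Accept", "Long"))
    return rules


def evaluate(rules: list, dst_ip: str, service: str, request_line: str = "") -> Verdict:
    """First matching rule wins; a resource rule only matches when its URI does."""
    for r in rules:
        if r.dst != "Any" and dst_ip not in GROUPS[r.dst]:
            continue
        if service not in r.services:
            continue
        if r.resource:
            hit = uri_matches(request_line)
            if hit is None:
                continue                      # resource did not match: keep going
            return Verdict(r.no, r.action, r.track != "None",
                           f"matched {hit}; client redirected to {REPLACEMENT_URI}")
        return Verdict(r.no, r.action, r.track != "None")
    # Nothing matched: implicit drop. Assumption: not logged in this model.
    return Verdict(None, "Drop", False, "implicit drop")


# Constructed request lines (not captured traffic): Code Red and Nimda probes,
# a traversal to cmd.exe, ordinary browsing, and a request to a non-DMZ host.
SAMPLES = [
    ("203.0.113.10", "http", "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0"),
    ("203.0.113.10", "http", "GET /scripts/root.exe?/c+dir HTTP/1.0"),
    ("203.0.113.10", "http", "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    ("203.0.113.10", "http", "GET /index.html HTTP/1.0"),
    ("203.0.113.11", "https", ""),
    ("198.51.100.5", "http", "GET /index.html HTTP/1.0"),
]


def run(with_accept_rule: bool = True) -> list:
    return [evaluate(rule_base(with_accept_rule), ip, svc, req) for ip, svc, req in SAMPLES]


if __name__ == "__main__":
    for label, flag in (("rules 1 and 2", True), ("rule 1 only", False)):
        print(f"--- {label}")
        for (ip, svc, req), v in zip(SAMPLES, run(flag)):
            print(f"{ip:14} {svc:5} {req[:44]:44} -> rule {v.rule_no} {v.action} log={v.logged} {v.detail}")
```

Running it shows the worm probes stopping at rule 1 (logged, with the redirect to the replacement URI), ordinary requests to the DMZ group reaching rule 2, and, in the second pass, every legitimate request falling through to the unlogged implicit drop once rule 2 is absent, which is the symptom described in the original post. Note that these wild cards match a substring anywhere in the request-target, so patterns such as `*.eml*` or `*.nws*` will also drop legitimate paths that happen to contain those strings.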



 
All contents © 2004 Network Presence, LLC. All rights reserved.