
[FW-1]



Hello,

We instituted a rule that blocks inbound Nimda/Code Red attacks based upon a Checkpoint KB article on how to set up a URI for Nimda/Code Red. (any internal -> any external reject if http(nimda URI))

We are running Checkpoint 4.1 SP1 on a Nokia IP 440 (w/ a Win2k mgmt station running 4.1 SP5). We have 3mbps of Internet speed.

However, after we instituted this rule, we began receiving several complaints about specific sites being horribly slow (several minutes between page loads). I did some investigating, and found that if I turn the rule off, the pages load very quickly. Turn the rule back on, and they take forever. Every other site that I've seen (and used personally) works fine. Digging deeper, the pages in question seem to "POST" forms, some of which are large. I've been able to restore speed by putting a second rule (in front of the NIMDA block, specific to the site in question) that allows HTTP. (I know this bypasses the Nimda check; but the sites I've done this for are required for academics here, and I would much rather limit my exposure to a few specific hosts (rather than get rid of the rule entirely).)

The URI we are using (as I read the Checkpoint KB article) is:
Conn Methods (Transparent, proxy)
URI Match Spec: Wildcards
Exception Track: None
Match: http GET -
Path - {*cmd.exe,*root.exe,*admin.dll,*readme.exe,*default.ida}

Anyone else seen this?

TIA

_________________________________________________
Arron King
Network & Systems Administrator
Ohio Dominican College
[email protected]
http:\\www.odc.edu\~kinga
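
Added example, not part of the original post and not Check Point's matching code: a small Python check that applies the method and wildcard path list quoted above to request lines, to show which requests such a match spec covers. It assumes the path is compared without its query string, percent-decoded once and case-insensitively; the function names and sample request lines are constructed for illustration.

```python
import fnmatch
from urllib.parse import urlsplit, unquote

# Method and path wildcards copied from the URI resource quoted in the post.
METHOD = "GET"
PATTERNS = ["*cmd.exe", "*root.exe", "*admin.dll", "*readme.exe", "*default.ida"]


def matches_resource(request_line):
    """Return the wildcard a request line hits, or None if it passes.

    Assumptions (not from the post): the query string is ignored, the
    path is percent-decoded once, and comparison is case-insensitive.
    """
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != METHOD:
        return None  # the quoted spec matches GET only
    path = unquote(urlsplit(parts[1]).path).lower()
    for pattern in PATTERNS:
        if fnmatch.fnmatchcase(path, pattern):
            return pattern
    return None


# Constructed request lines (not taken from real logs).
SAMPLE = [
    "GET /scripts/root.exe?x=1 HTTP/1.0",
    "GET /default.ida?XXXX HTTP/1.0",
    "GET /scripts/cmd.exe HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "POST /scripts/cmd.exe HTTP/1.1",
    "GET /downloads/README.EXE HTTP/1.1",
]


def classify(lines):
    """Pair each request line with the pattern it hit (or None)."""
    return [(line, matches_resource(line)) for line in lines]


if __name__ == "__main__":
    for line, hit in classify(SAMPLE):
        print(("REJECT %-13s" % hit) if hit else "accept".ljust(20), line)
```

Under these assumptions the POST line passes even though its path ends in cmd.exe, because the quoted spec matches the GET method only.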




 
   All contents © 2004 Network Presence, LLC. All rights reserved.