
Re: [FW-1]



Yes. I have seen this one Arron and after a long drawn out battle with Checkpoint, Nokia, and our 3rd party support crew, we at Kennesaw State University are not going to use FW-1 to filter URLs.

... if you really want to use FW-1 to filter URLs in the manner described by "How to mitigate the effects of the Nimda worm/Concept Virus, and Prevent Further Infection" ... here is what you need to do.

Through Nokia support, we have been able to locate a document that addresses the nimda problem.
For the most part, it is a repeat of the Checkpoint Nimda document, but requires the use of Checkpoint 4.1 SP5a with a hotfix (341581) applied.

The Nokia support article is labeled internal only, thus a support ticket has to be opened to gain access to it.  We have opened a ticket with Nokia support.  Nokia Support Article # 8405
We have done these upgrades and applied the hotfix... and it does seem to work.

...BUT.....

if you didn't get the FW-1-MAILINGLIST messages around 02/18/02 to 02/24/02... check this out:

>From:  [email protected]
>To:    <[email protected]>
>Date:  2/18/02 8:08PM
>Subject:       [FW-1] HTTP Proxy Security Hole!!!
>
>Try this on your firewall if you are running HTTP Proxy!  Checkpoint has yet
>to release a fix.

>Step one: telnet to a machine behind the checkpoint firewall on port 80
>        (it can be a fake machine that doesn't exist, as long as the name
>resolves)
>
>Step two: Type the following:
>CONNECT mailserver.somecompany.com:25 / HTTP/1.0
>User-Agent: eeep
>Cache-Control: private,no-cache
>Pragma: no-cache
>

>Step three: wait a moment for your SMTP banner to pop up.

>You can then send SPAM email, and it looks like it came from your firewall.
>I also found out that one can telnet to machines on a network that are
>protected by the Firewall.

Now ... if yer still reading .... THIS HACK STILL WORKS .. even after the patches and hotfixes .. and all the nonsense that I've gone through.. and yes I tried everything that was listed as a response to RSnyder's original email ....

To quote the words from the most famous hacker movie "War Games" .... "After careful consideration.. I've come to the conclusion that this 'Http->Resource' Sucks..."


I have one more thing to say to this list.. I've been monitoring everything here for over 3 months now.. and all you fools that like to respond to people here with one or 2 words ... stfu... yer not helping.

Jonathan Higgins
Network Service Specialist IV
[email protected]


>>> [email protected] 03/28/02 01:15PM >>>
Hello,

We instituted a rule that blocks inbound Nimda/Code Red attacks based upon a Checkpoint KB article on how to set up a URI for Nimda/Code Red.   (any internal -> any external reject if http(nimda URI))

We are running Checkpoint 4.1 SP1 on a Nokia IP 440 (w/ a Win2k mgmt station running 4.1 SP5).  We have 3 Mbps of Internet speed.

However, after we instituted this rule, we began receiving several complaints about specific sites being horribly slow (several minutes between page loads).  I did some investigating, and found that if I turn the rule off, the pages load very quickly.  Turn the rule back on, and they take forever.  Every other site that I've seen (and used personally) works fine.  Digging deeper, the pages in question seem to "POST" forms, some of which are large.    I've been able to restore speed by putting a second rule (in front of the NIMDA block, specific to the site in question) that allows HTTP.  (I know this bypasses the Nimda check; but the sites I've done this for are required for academics here, and I would much rather limit my exposure to a few specific hosts rather than get rid of the rule entirely.)

The URI we are using (as I read the Checkpoint KB article) is:
Conn Methods (Transparent, proxy)
URI Match Spec: Wildcards
Exception Track: None
Match: http GET -
Path - {*cmd.exe,*root.exe,*admin.dll,*readme.exe,*default.ida}

Anyone else seen this?

TIA

_________________________________________________
Arron King
Network & Systems Administrator
Ohio Dominican College
[email protected]
http:\\www.odc.edu\~kinga
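The URI resource quoted above only inspects GET requests and matches the path against a wildcard list. As an added example (not from this thread or from Check Point), here is that same matching logic run as a detection over web-server access logs, so the patterns can be checked against real traffic before or instead of enforcing them on the firewall. It assumes Common Log Format and that the query string is stripped before the wildcard test; the log lines are constructed.

```python
import fnmatch
import re
from collections import Counter

# Wildcard path patterns copied from the FW-1 URI resource in the thread.
NIMDA_PATHS = ["*cmd.exe", "*root.exe", "*admin.dll", "*readme.exe", "*default.ida"]

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def matches_nimda_rule(method, path):
    """Mirror the rule as written: only GET is inspected, and the path
    (query string stripped, case-insensitive; an assumption about how the
    resource's Path field is compared) is tested against the wildcards."""
    if method.upper() != "GET":
        return False
    bare = path.split("?", 1)[0].lower()
    return any(fnmatch.fnmatchcase(bare, pat) for pat in NIMDA_PATHS)


def scan_log(lines):
    """Return (hits, per-source-IP hit counts) for lines matching the rule.
    Lines that do not parse as CLF are skipped rather than raising."""
    hits = []
    per_source = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path, status = m.groups()
        if matches_nimda_rule(method, path):
            hits.append((src, method, path, status))
            per_source[src] += 1
    return hits, per_source


# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2001:10:01:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:10:01:03 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:10:01:04 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Sep/2001:10:01:05 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 400 -',
    '198.51.100.7 - - [18/Sep/2001:10:02:00 -0400] "POST /apply/form.cgi HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Sep/2001:10:02:01 -0400] "GET /docs/readme.html HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    hits, per_source = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(per_source))
```

The large POST from 198.51.100.7 is never matched by this rule, which is worth knowing when investigating the slowdown described above: the wildcard list itself is not what touches POST traffic.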

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
