NETWORK PRESENCE ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT
 


Search
display results
words begin  exact words  any words part 

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] p2p in NG FP2


  • To: [email protected]
  • Subject: Re: [FW-1] p2p in NG FP2
  • From: "Laidlaw, Rob" <[email protected]>
  • Date: Wed, 24 Sep 2003 14:08:26 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcOCzXDJFJpTi3juSze86hEEaDHahwAARibQ
  • Thread-topic: [FW-1] p2p in NG FP2

You cannot stop them by ports alone.  They will just morph to use other ports.  AI has code that will look into http packets looking for messenger and p2p apps, but in order for that to work, the p2p apps have to use port 80.  For that to happen, and this is checkpoints design recommendations, is that you restrict your workstations to only a few services that are needed.  Like port 80 can go anywhere, because AI will look into the packets to find p2p.  Other services that may be needed like telnet or ftp should be restricted to only certain machines or only certain destination subnets if possible.  If you leave ftp open to anywhere, the p2p app will use it and ai won't be able to find the p2p app to stop it.  You basically need an almost air tight security policy for your work stations which doesn't always go over well with users/managers.

There are third party apps that are more robust like L7 from akonix, but they will cost you a little bit and require hardware to run on.  They still have design requirements.

Good luck.

Rob

-----Original Message-----
From: mcabrera [mailto:[email protected]]
Sent: Tuesday, September 23, 2003 3:05 PM
To: [email protected]
Subject: [FW-1] p2p in NG FP2


I can deny p2p aplications, in NG FP2 over NOKIA IP71?


thaks, a lot

loop.-

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
Disclaimer - 09/24/2003
This information in this email is confidential and may be legally privileged. It is intended solely for Mailing list for discussion of Firewall-1.  Access to this Internet email by anyone else is unauthorized.

EnvestnetPMC, Inc. does not accept time-sensitive transactional messages, including orders to buy and sell securities, account allocation instructions, or any other instructions affecting a client account, via e-mail.

If you are not the intended recipient of this email, any disclosure, copying, or distribution of it is prohibited and may be unlawful.  If you have received this email in error, please notify the sender and immediately and permanently delete it and destroy any copies of it that were printed out.  When addressed to our clients, any opinions or advice contained in this email is subject to the terms and conditions expressed in any applicable governing EnvestnetPMC terms of business or agreements.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================



 
----------------------------------

ABOUT SERVICES PRODUCTS TRAINING CONTACT US SEARCH SUPPORT SITE MAP LEGAL
   All contents © 2004 Network Presence, LLC. All rights reserved.