Re: firewall question

From: Rzac` (bugtrack@mail.ru)
Date: 02/14/02


Date: Thu, 14 Feb 2002 21:11:46 +0100
From: Rzac` <bugtrack@mail.ru>
To: pen-test@securityfocus.com

Hi there,

On 14/Feb/2002, leon wrote:
l> (...)
l> So to reiterate; is there a way to configure pix or checkpoint to
l> judge the connection based on protocol as opposed to arbitrary
l> things like source ip, destination IP or port numbers?
l> (...)

I'm no Pix or Firewall-1 expert, but I do not think you could readily
set up that kind of filtering in them.

As a workaround, I suggest adding a proxy server to your network and
configuring your firewall to reject outgoing connections coming from
boxes other than the proxy server. I did that kind of setup with
OpenBSD and squid at a small business -- it worked like a charm. :)

Also, relying on a proxy server eases enforcement of your site's
Internet access policy (e.g. disallowing *.mp3, *.mpeg, *.exe, etc.).
It does not offer as many possibilities as a dedicated Internet
filtering solution (e.g. Websense), but it is still better than
nothing!

Setting the proxy server up as a transparent proxy saved me from having
to define proxy server settings in any of my clients' Internet browsers.

Regards,
Rzac`.
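One concrete way to build the setup described above on a current OpenBSD with pf and a Squid 3.x/4.x running on the firewall itself. This is an added example, not Rzac`'s own configuration; the interface names, addresses and port numbers are assumed placeholders.

```conf
# ---- /etc/pf.conf (OpenBSD firewall that also runs Squid) ----
# sysctl net.inet.ip.forwarding=1 is required for rdr-to on LAN packets
ext_if = "em0"                 # Internet-facing interface (assumed name)
int_if = "em1"                 # LAN interface (assumed name)
lan    = "192.168.1.0/24"      # constructed LAN range
proxy  = "192.168.1.1"         # this box's LAN address, where Squid listens

set skip on lo

# Default deny, logged: a LAN host that tries to reach the Internet
# directly (bypassing the proxy) shows up on pflog0 instead of succeeding.
block log all

# LAN clients may resolve names through the firewall
pass in on $int_if proto { tcp udp } from $lan to $proxy port 53
# Transparent mode: plain HTTP from the LAN is redirected into Squid's
# intercept port, so browsers need no proxy settings.
pass in on $int_if proto tcp from $lan to any port 80 rdr-to 127.0.0.1 port 3129
# Clients configured explicitly may talk to the normal proxy port instead
pass in on $int_if proto tcp from $lan to $proxy port 3128

# Only the firewall/proxy itself originates outbound connections
pass out on $ext_if proto { tcp udp } from ($ext_if) to any port 53
pass out on $ext_if proto tcp from ($ext_if) to any port { 80 443 }

# ---- /etc/squid/squid.conf (relevant directives only) ----
http_port 3128                 # explicit proxy port
http_port 3129 intercept       # target of the pf rdr-to rule above
acl localnet src 192.168.1.0/24
# Site policy from the post: refuse downloads of these file types
acl banned_ext urlpath_regex -i \.(mp3|mpeg|exe)$
http_access deny banned_ext
http_access allow localnet
http_access deny all
```

Validate the ruleset with `pfctl -nf /etc/pf.conf` before loading it; afterwards `tcpdump -n -e -ttt -i pflog0` shows which LAN hosts are attempting direct connections past the proxy.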
