RE: Questions about fw-1

From: Nina Levitin (NVL@integtech.com)
Date: 10/05/01


Message-ID: <B02560D1B30AD411927C0008C7F36FBBCEEE00@mail>
From: Nina Levitin <NVL@integtech.com>
To: 'Fabio De Maron' <fdemaron@intesis.it>, Mario Behring <mariobehring@yahoo.com>, SECURITY-BASICS@securityfocus.com
Subject: RE: Questions about fw-1
Date: Fri, 5 Oct 2001 10:59:03 -0700 

A couple of things to add to the below:

Q.1

FW1 works well because it works at the lower levels. You do not wish to
make it work as an application proxy. However you can redirect certain
traffic to a proxy. You can get quite specific as to how and where you
direct traffic. So if you had an MS proxy you could transparently redirect
all HTTP traffic to the proxy.

Q.2

While it is quite correct that FW1 performs no OS hardening, you can harden
the OS yourself. You can and should make the OS that runs the firewall as
restrictive as possible. There are plenty of sites that show you how to
harden your OS. With NT you should make sure that you remove all services
(yes this includes: server workstation, RPC and what not). You also need to
unbind netbios from all network cards.

You should be able to do a search for hardening the OS for checkpoint.

Solaris makes a far more secure OS to run Checkpoint FW1 off of than NT.

Better yet are the prehardened Nokia Boxes that Fabio has mentioned below.

Q.3

No it doesn't. But then again if it is set up correctly there should be no
need for it.

If no one can get into it then no one can change it.

You can use something like Tripwire; however, you have to allow another
machine to touch the FW1 server, and this leaves a hole open for someone
to attempt to get in.

With few exceptions the first rule should always be:

From Any to FW1 drop

This prevents non-console traffic with the exception of the remote
administration from touching the firewall itself. This is called the
stealth rule.

Checkpoint does provide some very useful documentation on the CD that can
help you with this information.

-Kit

-----Original Message-----
From: Fabio De Maron [mailto:fdemaron@intesis.it]
Sent: Wednesday, October 03, 2001 3:42 AM
To: Mario Behring; SECURITY-BASICS@securityfocus.com
Subject: R: Questions about fw-1

Mario Behring wrote:
> Subject: Questions about fw-1

(...)
> 1- FW-1 works with Stateful inspection technology, but is
> there any way to
> configure fw-1 to work both as packet filter and as application
> proxy gateway,
> just like a hybrid firewall software would do ??
You can do it but I don't recommend it.

> 2- FW-1 does not perform the OS hardening at installation time like IBM
> SecureWay Firewall does, but does anybody know some CheckPoint
> product or
> module that perform this task before fw-1 installation ? Also,
> is there any
> CheckPoint tool that checks the OS for configuration problems ?
no. You can search about Firewall-1 Appliance (Nokia IP).

> 3- Do fw-1 (or CheckPoint) have an anti-tampering tool, i.e., a
> tool that
> prevents system files from being altered and verifies file
> authenticity ?
no

I think the best thing a firewall must do is... firewall.
Every piece of software has its own scope and Firewall-1 is a good firewall
product.
It's good for enforcing bastions, natting, implementing security rules,
...
Maybe you need a complete solution with something like tripwire, hardening
OS and other but you can buy it from a system integrator or security
company.
As always "security is a process not a product".

I don't work for CheckPoint and they don't pay me.

Fabio Dema
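The "stealth rule" discussed above (Q.3) only works as intended if the remote-administration exception is placed above it, because FW-1 evaluates the rulebase top-down and stops at the first match. The following is an added example for this thread, not Check Point code: a first-match rulebase evaluator with a constructed rulebase, plus a small check that flags accept-to-firewall rules shadowed by the stealth rule. The addresses, rule names and the assumption that TCP/258 is the GUI-to-management service are mine, not the thread's.

```python
"""First-match rulebase evaluator showing the FW-1 'stealth rule' and why
the remote-administration exception must sit above it.

Added example for this thread; it is not Check Point code. Addresses,
rule names and the rule/packet layout are constructed assumptions.
"""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

ANY = "any"   # wildcard source/destination
FW1 = "fw1"   # the firewall module's own interfaces

# Constructed addresses for the example (RFC 5737 documentation ranges).
FW1_INTERFACES = {"192.0.2.1", "198.51.100.1"}
MGMT_CONSOLE = "192.0.2.10"
FW1_MGMT_PORT = 258  # assumed: TCP/258 (FW1_mgmt) as the GUI-to-management service


class Rule(NamedTuple):
    name: str
    src: str              # "any", "fw1", a host or a CIDR
    dst: str
    dport: Optional[int]  # None = any destination port
    action: str           # "accept" or "drop"


def addr_matches(field: str, addr: str) -> bool:
    """True if addr falls within a rule field ('any', 'fw1', host or CIDR)."""
    if field == ANY:
        return True
    if field == FW1:
        return addr in FW1_INTERFACES
    return ip_address(addr) in ip_network(field, strict=False)


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return 'action:rule-name' for the first matching rule.

    Rules are tried top-down, first match wins, and anything left over
    hits the implicit cleanup drop at the bottom.
    """
    for r in rules:
        if (addr_matches(r.src, src) and addr_matches(r.dst, dst)
                and r.dport in (None, dport)):
            return f"{r.action}:{r.name}"
    return "drop:implicit-cleanup"


def shadowed_fw1_accepts(rules: List[Rule]) -> List[str]:
    """Names of accept rules to the firewall itself that sit below the
    stealth rule and can therefore never match (a misordering check)."""
    shadowed = []
    stealth_seen = False
    for r in rules:
        if r.dst == FW1 and r.action == "drop" and r.src == ANY and r.dport is None:
            stealth_seen = True
        elif stealth_seen and r.dst == FW1 and r.action == "accept":
            shadowed.append(r.name)
    return shadowed


STEALTH = Rule("stealth", ANY, FW1, None, "drop")
MGMT = Rule("mgmt-to-fw1", MGMT_CONSOLE, FW1, FW1_MGMT_PORT, "accept")
WEB_OUT = Rule("web-out", "192.0.2.0/24", ANY, 80, "accept")

# Correct order: the admin exception precedes the stealth rule.
GOOD_RULEBASE = [MGMT, STEALTH, WEB_OUT]
# Misordered: stealth rule first, which silently locks the console out.
BAD_RULEBASE = [STEALTH, MGMT, WEB_OUT]

if __name__ == "__main__":
    for label, rb in (("good", GOOD_RULEBASE), ("bad", BAD_RULEBASE)):
        print(label, "internet->fw1 ssh:",
              evaluate(rb, "203.0.113.5", "198.51.100.1", 22))
        print(label, "console->fw1 mgmt:",
              evaluate(rb, MGMT_CONSOLE, "192.0.2.1", FW1_MGMT_PORT))
        print(label, "shadowed accepts:", shadowed_fw1_accepts(rb))
```

With the good ordering, outside traffic to either firewall interface is dropped by the stealth rule while the console still reaches the management port; with the bad ordering the console hits the stealth rule first, and `shadowed_fw1_accepts` reports the admin rule as dead.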


