Re: Understanding Firewall-1 Configs

• Previous message: Robert Buel: "RE: Network Scan"
• In reply to: amy_morgan@hushmail.com: "Understanding Firewall-1 Configs"
• Next in thread: Ivan Coric: "Re: Understanding Firewall-1 Configs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sun, 12 Jan 2003 18:43:35 +0200
From: theog <theog@theog.org>
To: amy_morgan@hushmail.com

I'll start from the end - :)

to scan with no ping , you can use: nmap -P0 -sT %ip subnet%
%ipsubnet%= the subnet you want to scan i.e. 192.168.0.0/24 (while 24 is
the number of network asigned bits).

To the more complex section for you my friend , I would not use Windows
systems infront of the internet , let alone checkpoint firewall-1 4.1
SP1 - Upgrade to NG (or at least SP6).

You should not fear of an attack taking down the firewall , as I see it
it will be much simpler to exploit what your firewall doesnt check -
port 53 to the DNS server (check for microsoft DNS exploits) port 80 and
443 on your web server (check for IIS exploits).

I would recommend using Nessus (at www.nessus.org) to check for vuln. of
your machines.

TheOg

amy_morgan@hushmail.com wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Our network engineer just left the company and all of his responsibilities have been transferred to me, including the firewall.
>
>So, here's what I'm trying to find out...
>
>
>This is a general diagram.
>
>
> Internet
> |
> |
> V
> Border Router (Cisco)
> |
> |
> V
> Firewall--->DMZ: DNS(NT4), www(NT4), mail scanner
> |
> |
> V
> Core Switch (Cisco)-------Frame Relay Connection
> |
> |
> Internal Network
>
>
>
>
>Here are the details on the firewall:
>
>CheckPoint Firewall-1 4.1 SP1 on NT4 SP5
>You are not able to ping the firewall from the Internet.
>All public IP addresses (located in the DMZ) are NAT'd to internal 172.16.x.x
>A separate workstation object is created for each box that needs a public IP address and then another workstation object is created for it's internal IP address counterpart. The public IP address/port is then then NAT'd over to the internal IP address/port.
>
>For example: The web server has two workstation objects, the one with the public IP address and one with the internal IP address. Incoming packets on port 80 & 443 to the public IP address are then NAT'd over to the internal IP address/port. Correct..?
>All inbound ports are blocked by default except requests made to specific IP address/port:
>
>Inbound...
>- -on port 25 to public IP address of mail scanner is NAT'd to internal IP address of mail scanner
>- -on port 80 to public ip address of IIS is NAT's to internal IP address of IIS
>- -on port 443 to public ip address of IIS is NAT's to internal IP address of IIS
>- -on port 1494 to public ip address of Citrix box is NAT'd to internal ip address of Citrix
>
>
>Questions:
>
>1. On a scale of 1 - 10 (10 is most secure), how secure is this firewall configuration? Why?
>2. What can get through and how? Any specific exploits?
>3. What is it that is allowing it to get by the firewall? What part of the config?
>
>Right now, I'm just concerned about what can get by the firewall and how does that happen? What are the mechanics of how it gets through? I already have someone dealing with the NT service pack levels. My concern right now is the firewall.
>
>
>Is it possible to scan all ports on all the IP addresses of a netblock?
>Even though you are not able to ping my firewall from the Internet, could you scan all ports on each of the IP addresses in my netblock and once you hit port 25 on the public ip address of the mail scanner, you'll get a 'listening' response? Another way to put that is even though you are not able to ping my firewall from the Internet, can you still Nmap the public IP addresses (publicly accessible servers) that are NAT'd behind my firewall? If so, how does that work and can I do anything to prevent it?
>
>
>Links to sites/articles/docs/pdfs would be great. I just need to get a better understanding of
>this...
>
>
>
>Thanks,
>Amy Morgan
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: Hush 2.2 (Java)
>Note: This signature can be verified at https://www.hushtools.com/verify
>
>wl8EARECAB8FAj4c9GsYHGFteV9tb3JnYW5AaHVzaG1haWwuY29tAAoJEAS2WQxW3/uw
>7/8AmwZRykD+t54ZoDXRJ+PrOpTsCAF/AKCwc/XG8gX8Cy3YQUOwAV4vhecD8Q==
>=wWJy
>-----END PGP SIGNATURE-----
>
>
>
>
>Concerned about your privacy? Follow this link to get
>FREE encrypted email: https://www.hushmail.com/?l=2
>
>Big $$$ to be made with the HushMail Affiliate Program:
>https://www.hushmail.com/about.php?subloc=affiliate&l=427
>
>

• Next message: Lubrano di Ciccone, Christophe (DEF): "RE: Account lockout"
• Previous message: Robert Buel: "RE: Network Scan"
• In reply to: amy_morgan@hushmail.com: "Understanding Firewall-1 Configs"
• Next in thread: Ivan Coric: "Re: Understanding Firewall-1 Configs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]