Re: Basic External Firewall Testing?

From: x y
Date: Sat, 29 Jun 2002 09:23:31 -0400

I guess there are good reasons for either setup, but I would have considered
putting the checkpoint firewall on the inside. The problem I would worry
about with checkpoint v3 is known vulnerabilities; I would search google, checkpoint
support newsgroups, and various other firewall and security
vulnerability websites for them. These won't necessarily
show up as open ports in any port scan, and may require other tests, such as
possibly downloading certain hacker tools that specifically target these
vulnerabilities, to see if you are vulnerable.

Also, as you may already know, securing checkpoint firewall-1 involves being
very careful about disabling a lot of the default options under toolbase,
properties, as these add hidden implicit rules that open ports you may not
know are open. You can unhide the implicit rules, of course, to see all the
rules open at the moment.

In my mind, the advantage to putting firewall-1 inside the ISA server would
be to help protect it against some of the vulnerabilities for which there
may be no patch or workaround. Also, if the area between the two firewalls
is your DMZ, I would feel the DMZ would be more secure with the newer
firewall protecting it. Also, since you're probably permitting inbound web,
SMTP and maybe VPN traffic etc. to go right through the fw-1 to the isa
server with minimal or no inspection, having the fw-1 behind the ISA server
could possibly be helpful in seeing the traffic that gets through the ISA
server. I could be wrong.

"Paul Hutchings" <paul.hutchings@gmx.netNOSPAM> wrote in message
> Guess this is one of those questions that may not get answered as I may be
> asking for the wrong reasons, but....
> I've setup Microsoft ISA server behind a Checkpoint FW-1 3.0b at the
> perimeter.
> I know this is an old version of Checkpoint and it is up for replacement
> soon.
> Given that it's an old version, does anyone know of any specific things I
> should be worried about? Our rulesets are nothing complex, basically they
> allow http/ftp to our DMZ and http/smtp to some servers which are
> behind ISA. I've followed the FAQs to make sure that the FW-1 control
> ports aren't open, which they are by default.
> Every so often I run portscans on the Checkpoints external address, and
> addresses that have services opened to them using NTO Scanner, Superscan,
> and Nmap for Win32 and the only ports that show are the one's I've
> explicitly opened.
> I also use the free tool n-stealth to regularly check our websites for
> common vulnerabilities.
> I guess it's easy to be paranoid, but given there's two different
> & platforms between the Internet and our Internal network, is there
> anything else I should be testing?
> I suspect nowadays the biggest risk is internal users, and vulnerabilities
> in the services you want to have on the internet (webserver bugs etc...)
> Paul
> --
> Paul Hutchings
> ****Remove NOSPAM when replying****
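Paul's routine check ("the only ports that show are the ones I've explicitly opened") is easy to do by hand for a couple of addresses and easy to get wrong once the ruleset grows or the implicit rules change. The script below is an added example, not code from either poster: it parses nmap's grepable output (`-oG`) and diffs the open ports it sees against an allow-list of what the ruleset is supposed to expose, so an unexpected port (for instance one of the FW-1 control ports that are open by default) shows up as a finding instead of being eyeballed. The addresses, the allow-list and the scan output below are constructed for the example; a real run would be `nmap -sS -p- -oG - <external addresses>` from outside the perimeter, plus a `-sU` pass, since neither the thread nor this check covers UDP otherwise.

```python
"""Diff observed open ports (from nmap -oG output) against an allow-list.

Added example for the thread above; not code from the original posters.
The scan output and addresses are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of `nmap -sS -p- -oG - 198.51.100.10-12` output
# (documentation-range addresses, not real hosts). 256/tcp is the
# FW-1 SecuRemote/management port that the thread says is open by default.
SAMPLE_OG = (
    "# Nmap 3.00 scan initiated (constructed sample)\n"
    "Host: 198.51.100.10 ()\tPorts: 25/open/tcp//smtp///, "
    "80/open/tcp//http///\tIgnored State: filtered (65533)\n"
    "Host: 198.51.100.11 ()\tPorts: 21/open/tcp//ftp///, "
    "80/open/tcp//http///, 256/open/tcp//fw1-secureremote///"
    "\tIgnored State: filtered (65532)\n"
    "Host: 198.51.100.12 ()\tStatus: Down\n"
    "# Nmap done (constructed sample)\n"
)

# Allow-list: what the ruleset is meant to expose. Hypothetical values.
EXPECTED = {
    "198.51.100.10": {(25, "tcp"), (80, "tcp")},   # SMTP relay behind ISA
    "198.51.100.11": {(21, "tcp"), (80, "tcp")},   # DMZ web/ftp host
}

# -oG "Ports:" entries are port/state/proto/owner/service/rpc/version/
# state may contain '|' (e.g. open|filtered), so allow it in the match.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/")
HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_og(text):
    """Return {host: {(port, proto), ...}} for ports nmap reported as open.

    Hosts that were down or had no open ports map to an empty set so that
    'missing' expected services are reported for them too.
    """
    open_ports = defaultdict(set)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        open_ports.setdefault(host, set())
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for port, state, proto in PORT_RE.findall(field):
                if state == "open":
                    open_ports[host].add((int(port), proto))
    return dict(open_ports)


def compare(observed, expected):
    """Per host: ports open that should not be, and expected ports not seen."""
    report = {}
    for host in sorted(set(observed) | set(expected)):
        obs = observed.get(host, set())
        exp = expected.get(host, set())
        report[host] = {"unexpected": obs - exp, "missing": exp - obs}
    return report


def findings(report):
    """Flatten the report into human-readable lines; empty means all clear."""
    lines = []
    for host, r in report.items():
        for port, proto in sorted(r["unexpected"]):
            lines.append(f"{host}: UNEXPECTED open {port}/{proto}")
        for port, proto in sorted(r["missing"]):
            lines.append(f"{host}: expected {port}/{proto} not open")
    return lines


if __name__ == "__main__":
    for line in findings(compare(parse_og(SAMPLE_OG), EXPECTED)) or ["all clear"]:
        print(line)
```

Run it against a fresh `-oG` file on each scan; anything in the "UNEXPECTED" list is either a rule you forgot about or one of the implicit rules the reply above warns about, and either way it is worth tracing back to the policy. As the reply also points out, an empty findings list only means the exposed ports match the allow-list; it says nothing about vulnerabilities in the firewall software itself.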