Re: Basic External Firewall Testing?

From: x y
Date: Sat, 29 Jun 2002 09:23:31 -0400

I guess there are good reasons for either setup, but I would have considered
putting the Checkpoint firewall on the inside. The problem I would worry
about with Checkpoint v3 is known vulnerabilities: I would search Google,
Checkpoint support newsgroups, and various other firewall and security
vulnerability websites for them. These won't necessarily
show up as open ports in any port scan, and may require other tests, such as
possibly downloading certain hacker tools that specifically target these
vulnerabilities, to see if you are vulnerable.

Also, as you may already know, securing checkpoint firewall-1 involves being
very careful about disabling a lot of the default options under toolbase,
properties, as these add hidden implicit rules that open ports you may not
know are open. You can unhide the implicit rules, of course, to see all the
rules open at the moment.

In my mind, the advantage to putting FireWall-1 inside the ISA server would
be to help protect it against some of the vulnerabilities for which there
may be no patch or workaround. Also, if the area between the two firewalls
is your DMZ, I would feel the DMZ would be more secure with the newer
firewall protecting it. Also, since you're probably permitting inbound web,
SMTP and maybe VPN traffic etc. to go right through the FW-1 to the ISA
server with minimal or no inspection, having the FW-1 behind the ISA server
could possibly be helpful in seeing the traffic that gets through the ISA
server. I could be wrong.

"Paul Hutchings" <paul.hutchings@gmx.netNOSPAM> wrote in message
> Guess this is one of those questions that may not get answered as I may be
> asking for the wrong reasons, but....
> I've setup Microsoft ISA server behind a Checkpoint FW-1 3.0b at the
> perimeter.
> I know this is an old version of Checkpoint and it is up for replacement
> soon.
> Given that it's an old version, does anyone know of any specific things I
> should be worried about? Our rulesets are nothing complex, basically they
> allow http/ftp to our DMZ and http/smtp to some servers which are
> behind ISA. I've followed the FAQs to make sure that the FW-1 control
> ports aren't open, which they are by default.
> Every so often I run portscans on the Checkpoint's external address, and
> addresses that have services opened to them using NTO Scanner, Superscan,
> and Nmap for Win32 and the only ports that show are the ones I've
> explicitly opened.
> I also use the free tool n-stealth to regularly check our websites for
> common vulnerabilities.
> I guess it's easy to be paranoid, but given there are two different
> & platforms between the Internet and our internal network, is there
> anything else I should be testing?
> I suspect nowadays the biggest risk is internal users, and vulnerabilities
> in the services you want to have on the internet (webserver bugs etc...)
> Paul
> --
> Paul Hutchings
> ****Remove NOSPAM when replying****
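The check Paul describes (scanning the firewall's external address and the DMZ hosts, then confirming that only the explicitly opened ports answer) is easy to do by eye once, and easy to skip the twentieth time. The script below is an added example and is not code from either poster: it parses nmap's grepable (`-oG`) output and reports every open port that is not in a per-host allow-list, so the scan can be run from cron and only deviations surface. The scan output, the TEST-NET-3 addresses (203.0.113.0/24) and the allow-list are constructed for the example; the FW-1 control ports 256-258/tcp are the FireWall-1 defaults that the FAQ advice in the quoted post is about. As the reply above notes, a clean result here says nothing about bugs in the firewall software itself; it only verifies exposure against intent.

```python
"""Audit an nmap -oG scan of the firewall's outside against intended exposure.

Added example, not part of the original thread. Produce real input with e.g.
    nmap -sS -sU -p 1-65535 -oG fw-external.gnmap <external-address> <dmz-hosts>
and feed the file to audit_file(); SAMPLE_GNMAP below is a constructed stand-in.
"""
import re

# Constructed -oG output: the firewall's outside address and one DMZ host.
# The firewall still answers on 256/257/tcp (FireWall-1 control ports left open
# by the default implicit rules) and on 500/udp (ISAKMP) that nobody meant to expose.
SAMPLE_GNMAP = """\
# Nmap scan initiated Sat Jun 29 09:00:00 2002 as: nmap -sS -sU -p 1-65535 -oG - 203.0.113.1 203.0.113.10
Host: 203.0.113.1 ()\tPorts: 256/open/tcp//fw1-secureremote///, 257/open/tcp//fw1-mc-gui///, 500/open|filtered/udp//isakmp///\tIgnored State: filtered (131067)
Host: 203.0.113.10 (www.example.com)\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (131067)
# Nmap done at Sat Jun 29 09:30:00 2002 -- 2 IP addresses (2 hosts up) scanned
"""

# What the rule base is supposed to expose (constructed to match the post:
# http/ftp to the DMZ, nothing at all on the firewall's own address).
ALLOWED = {
    "203.0.113.1": set(),
    "203.0.113.10": {(21, "tcp"), (80, "tcp")},
}

# One entry in the Ports: field looks like  256/open/tcp//fw1-secureremote///
PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def parse_grepable(text):
    """Return {host: {(port, proto): state}} from nmap grepable output.

    Only 'Host:' lines carry results; comment lines and the 'Ignored State'
    summary are skipped. Hosts that are up but list no ports still appear,
    with an empty mapping, so a host that vanished from the scan is noticeable.
    """
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = results.setdefault(host, {})
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for m in PORT_RE.finditer(field):
                    ports[(int(m.group(1)), m.group(3))] = m.group(2)
    return results


def unexpected_open(scan, allowed):
    """Open ports per host that are not in that host's allow-list.

    'open|filtered' (what nmap reports for most UDP ports) counts as open:
    the scan cannot prove the port closed, and a false alarm is cheaper than
    a silent hole. A host missing from ALLOWED is treated as 'nothing allowed'.
    """
    findings = {}
    for host, ports in scan.items():
        permitted = allowed.get(host, set())
        bad = sorted(key for key, state in ports.items()
                     if state.startswith("open") and key not in permitted)
        if bad:
            findings[host] = bad
    return findings


def audit_file(path, allowed=ALLOWED):
    """Convenience wrapper for a real nmap -oG file on disk."""
    with open(path) as fh:
        return unexpected_open(parse_grepable(fh.read()), allowed)


if __name__ == "__main__":
    for host, ports in unexpected_open(parse_grepable(SAMPLE_GNMAP), ALLOWED).items():
        print(host, "unexpected open:", ", ".join(f"{p}/{proto}" for p, proto in ports))
```

Run against the constructed sample it reports 256/tcp, 257/tcp and 500/udp on 203.0.113.1 and nothing on the DMZ host, which is exactly the kind of drift (a hidden implicit rule re-enabled after a policy edit) that a periodic scan is for. Keep the allow-list under version control next to the rule base so a change to one forces a conscious change to the other.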
