Thanks Warrington!

Thank you for your detailed explanation. It's very helpful. That's exactly what I am after. I will have to re-think the policy to plug any security holes.

Again your explanation is very clear! I got exactly what you meant.

Cheers!

On 30/01/13 15:09, Warrington Bruce - bwarri wrote:
You can define the internet for your rule, but it's similar to how the firewall figures out what IPs 
are allowed through anti-spoofing for your internet interface when you check "external" in 
your topology configuration - it's anything that's NOT your other internal or DMZ segments.  If you 
want your "internal" networks group to only go to the internet, and not be allowed into your 
DMZs, you define the destination in your rule as a negated object, listing your DMZ network(s) or 
groups.  The internet is simply NOT (internal & DMZ groups).

Of course, that all relies on doing decent config and group coding on your groups, rules, 
and topology.  I know nobody ever gets rushed on the initial build, defines the internal 
network as "10.0.0.0/8" to start, and forgets about it when you build a DMZ on 
10.200.0.0/24, etc, right?  You get the idea - keeping the config straight all the time 
makes a big difference in your ability to code stuff like this easily, and get it correct.

That's a common misunderstanding I've run into on other firewalls for the DMZ servers as well.  To 
let the DMZ servers get to the internet for patches, I've seen rules that allow the DMZ to go to 
"any" on 80/443, thinking that was the only way to allow internet access, which then 
allows the DMZ servers to connect to the internal network ranges as well, and destroys the security 
of the DMZ being separated from spreading attacks to the inside.  Usually if the admin really 
doesn't know what they're doing, after the auditor sees that, they add a drop rule above that one, 
specifying DMZ to internal for any ports, with an action of "drop".  Completely 
unnecessary, and sloppy.

Do the same thing there, by allowing DMZ servers to go to NOT (internal) as a negated destination, 
or NOT (internal, other DMZs, etc.) depending on your interfaces.  Only one rule, and it follows 
the usual advice of "deny unless explicitly allowed" (which by definition means any 
"drop" rules you find in the policy other than the cleanup rule are proof that you have 
rules that are allowing more than they should, and you're trying to prune that access with a few 
specific drop rules.)

Does that make sense, or did I explain the concept badly?


-----Original Message-----
From: Mailing list for discussion of Firewall-1 
[mailto:FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM] On Behalf Of Clive Luk
Sent: Tuesday, January 29, 2013 16:29
To: FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM
Subject: Re: [FW-1] CP UTM-1 R70.5 policy question

Thanks! What if I only want public internal to access the internet on HTTP and 
HTTPS, but not the web servers on the DMZ or staff internal?

I can't really define a group for the internet, right?

So does that mean I need to have a bunch of drop rules sitting at the very 
beginning?

Thanks!

On 30/01/13 01:13, Independent IT Consultant wrote:
Indirectly, you can accomplish this. Create a group with the relevant
wireless nets, then define a single rule as follows:

Source: {wireless nets}
Destination: NOT {Internal nets}
Service: HTTP, HTTPS
Action: Allow


Bear in mind that you're talking about fundamental differences in
architecture between Juniper (and Cisco, for that matter) and Check Point.
Juniper and Cisco use interface-centric ACLs, whereas Check Point is
an object-oriented firewall.



On Tue, Jan 29, 2013 at 1:09 AM, Clive Luk <cl...@sl.nsw.gov.au> wrote:

Hi all,

I am just wondering if I can define a policy restricted by zone. As I
can see in the CP tracker, there are inzone and outzone.

I have UTM-1 with multiple interfaces.

1 x Internet
1 x DMZ
1 x Staff internal
1 x Wireless
1 x Public internal

I am wondering if I can have a policy defined to allow all wireless to
access the internet and DMZ via HTTP and HTTPS, but not other interfaces.

I have seen that a Juniper firewall can define policy based on zone.


Cheers,
Clive

Email secured by Check Point

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
lists...@amadeus.us.checkpoint.com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email fw-1-ow...@ts.checkpoint.com
=================================================




***************************************************************************
The information contained in this communication is confidential, is
intended only for the use of the recipient named above, and may be legally
privileged.

If the reader of this message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited.

If you have received this communication in error, please resend this
communication to the sender and delete the original message or any copy
of it from your computer system.

Thank You.
****************************************************************************




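A worked model of the rulebases discussed in this thread, added here as an example; it is not code from the thread or from Check Point. It mimics first-match evaluation with an implicit cleanup drop in plain Python, so the three variants Warrington describes (DMZ to "any" on 80/443, the same rule with a drop rule patched in above it, and the single rule with destination NOT {internal}) can be checked against sample flows. It also includes the group-overlap check for the 10.0.0.0/8-versus-10.200.0.0/24 mistake he mentions. All network ranges, addresses and flows below are constructed for illustration.

```python
"""Model of a first-match rulebase with a negated destination cell.

Added example, not part of the mailing-list thread. Network objects,
groups and flows are constructed; they do not describe any real site.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Constructed address plan (assumption: one /16 per inside segment, one /24 DMZ).
INTERNAL_NETS = [ip_network("10.10.0.0/16"),   # staff internal
                 ip_network("10.20.0.0/16"),   # wireless
                 ip_network("10.30.0.0/16")]   # public internal
DMZ_NETS = [ip_network("10.200.0.0/24")]
# The over-broad "internal" group from the thread, defined on a rushed build.
OVERBROAD_INTERNAL = [ip_network("10.0.0.0/8")]

WEB = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple                      # IPv4Network objects
    dst: Optional[tuple]            # IPv4Network objects, or None for "any"
    negate_dst: bool                # True models a negated destination cell
    services: Optional[frozenset]   # TCP ports, or None for "any"
    action: str                     # "accept" or "drop"


def in_nets(ip: IPv4Address, nets) -> bool:
    return any(ip in n for n in nets)


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if not in_nets(src, rule.src):
        return False
    if rule.dst is not None:
        # A negated destination matches exactly when the address is OUTSIDE the group;
        # a normal destination matches when it is inside.
        if in_nets(dst, rule.dst) == rule.negate_dst:
            return False
    return rule.services is None or dport in rule.services


def decide(rulebase, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; nothing matched means the cleanup rule drops."""
    for rule in rulebase:
        if rule_matches(rule, src_ip, dst_ip, dport):
            return rule.action
    return "drop"


def explicit_drops(rulebase):
    """Drop rules other than the implicit cleanup rule (the thread treats these as a smell)."""
    return [r.name for r in rulebase if r.action == "drop"]


def group_overlaps(group_a, group_b):
    """Pairs of networks from two groups that overlap, e.g. 10.0.0.0/8 vs a 10.200.0.0/24 DMZ."""
    return [(str(a), str(b)) for a in group_a for b in group_b if a.overlaps(b)]


def same_decisions(rb1, rb2, flows) -> bool:
    return all(decide(rb1, *f) == decide(rb2, *f) for f in flows)


DMZ, INTERNAL = tuple(DMZ_NETS), tuple(INTERNAL_NETS)

# 1. The mistake from the thread: DMZ to "any" on 80/443 also reaches the inside.
LEAKY = [Rule("dmz-patching-any", DMZ, None, False, WEB, "accept")]
# 2. The usual patch: a drop rule above it for DMZ to internal on any service.
PATCHED = [Rule("dmz-to-internal", DMZ, INTERNAL, False, None, "drop"),
           Rule("dmz-patching-any", DMZ, None, False, WEB, "accept")]
# 3. The single rule recommended in the thread: destination NOT {internal}.
CLEAN = [Rule("dmz-patching", DMZ, INTERNAL, True, WEB, "accept")]

FLOWS = [("10.200.0.5", "10.10.0.7", 443),       # DMZ -> staff internal
         ("10.200.0.5", "93.184.216.34", 443),   # DMZ -> internet (constructed address)
         ("10.200.0.5", "93.184.216.34", 22),    # DMZ -> internet, non-web service
         ("10.20.0.9", "10.200.0.5", 80)]        # wireless -> DMZ, no rule: cleanup drop

if __name__ == "__main__":
    for name, rb in (("LEAKY", LEAKY), ("PATCHED", PATCHED), ("CLEAN", CLEAN)):
        print(name, [decide(rb, *f) for f in FLOWS], "explicit drops:", explicit_drops(rb))
    print("overlap check:", group_overlaps(OVERBROAD_INTERNAL, DMZ_NETS))
```

The model deliberately ignores interfaces, anti-spoofing and NAT; it only shows the object logic. PATCHED and CLEAN give identical decisions for every flow, but CLEAN does it with one accept rule and no drop rule ahead of cleanup, which is the point made above. Running group_overlaps on the over-broad 10.0.0.0/8 group against the DMZ is the kind of sanity check that catches a DMZ silently becoming part of "internal" before a negated rule is built on it.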
