I'm not sure how much to make of this problem, but I know it makes me feel uneasy. Perhaps this has been discussed a lot, but I suspect the problem is not well known; it was certainly a surprise to the on-duty technician at the company that does our firewall support.

Unless you tell the FW-1 log viewer not to resolve IP addresses, it appears it goes through the following process to resolve an IP address. (I *think* I have this order correct; someone PLEASE speak up if I've got it wrong.)

1. It looks in its list of Network Objects to see if you've given a name to this IP address. If it finds one, it will use this one, regardless of other methods of resolving the address.

2. It queries the IP address in question trying to resolve its Netbios name.

3. It queries DNS to reverse-resolve the IP address.

The problem is #2. It appears there is no way to tell the FW-1 log viewer to continue to try to resolve IP addresses using 1 and 3 but to turn off 2. I would very much like to be able to do this. In my opinion, trying to resolve the Netbios name is a complete botch, on several counts:

1. It is generally speaking *USELESS* information. (I suppose it could be quite useful to crackers, but what good does it do *ME* in defending my system against flying infectious space junk to know that someone scanning me has named their computer PLUTO or hasn't changed it from OEMCOMPUTER?)

2. The Netbios query goes directly to the computer that is scanning me (unless the IP address is spoofed, of course ...). There are lots of reasons not to want to do this. It turns *me* into a Netbios scanner. Some people might think this impolite. It RADIATES information to the scanner. This is the part I *really* don't like.

3. As currently implemented, the Netbios name -- if one is found -- actually *HIDES* information I *do* want: the DNS information. Oh of course I can get that if I want to take the trouble to do it, but then in this case I could also turn off address resolution completely and resolve IP addresses myself one by one -- what a pain.

I'm sure there's a scripted solution to this problem -- turn off address resolution and filter the log through a little bit of Perl will do the trick -- but since I've presumably paid decent money for the log viewer, I sure wish it would do the right thing ...

Of course if a cracker has taken down an entire network, you "radiate" information just by making a DNS query too, but this is far less common than a cracked machine using an ISP where the DNS servers may be OK. A DNS query goes only as far as the DNS servers, but a Netbios query goes straight back to the exact machine one is concerned about: you're talking straight back to the cracker or zombie or hapless victim -- whoever sent you the scan. If I want to talk back to a machine scanning me, that should be my decision; it shouldn't happen by default just because I'm trying to make sense out of my firewall logs.

I got tipped off to this problem while trying to pay attention to a particular IP address that has been scanning me on a particular port I pay careful attention to. I started noticing consistently that whenever I set a selection filter to look at just this IP address, within a few seconds I would see *NEW* ICMP entries in my log from this guy. At first this unnerved me, until I finally realized he was sending me ICMP messages in response to my Netbios queries to resolve his IP address. This particular kind of "conversation" with some unknown party I'm trying to keep at arm's length is profoundly uncomfortable. I sure wish Checkpoint would give me a way of turning off **JUST** Netbios name resolution!!

---
#include <disclaimer.h>
Jim Rosenberg
Ross Mould
E-mail: [EMAIL PROTECTED]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
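The "scripted solution" the post mentions, written out as an added example (Python rather than Perl; this is not Check Point's code and not the author's): it applies steps 1 and 3 of the resolution order above, the local Network Objects table and then reverse DNS, and simply has no step 2, so annotating a log never sends anything to the logged host. The object table, the log lines and their format are constructed for the example, not FW-1's real export format.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Matches dotted-quad IPv4 addresses anywhere in a log line.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Step 1 of the order described in the post: names you assigned yourself
# (FW-1 "Network Objects"). Constructed sample entries in documentation
# address ranges; replace with your own objects.
NETWORK_OBJECTS: Dict[str, str] = {
    "192.0.2.10": "fw-external",
    "198.51.100.5": "mailhost",
}

def dns_reverse_lookup(ip: str) -> Optional[str]:
    """Step 3: reverse DNS through the OS resolver, which talks to your DNS
    servers only, never to the logged host. Caveat: on Windows the OS
    resolver can itself fall back to NetBIOS; check its settings there or
    use a pure-DNS library if that matters to you."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None

def resolve_ip(ip: str, objects: Dict[str, str], lookup: Callable[[str], Optional[str]],
               cache: Dict[str, Optional[str]]) -> Optional[str]:
    """Local name table first, then reverse DNS, memoised per address so each
    unknown IP is queried once. The viewer's step 2 (a NetBIOS query to the
    host itself) is deliberately absent."""
    if ip in objects:
        return objects[ip]
    if ip not in cache:
        cache[ip] = lookup(ip)
    return cache[ip]

def annotate_log(lines: Iterable[str], objects: Dict[str, str] = NETWORK_OBJECTS,
                 lookup: Callable[[str], Optional[str]] = dns_reverse_lookup) -> List[str]:
    """Rewrite each IPv4 address as 'name (ip)'; unresolvable ones stay bare,
    so the DNS name is shown instead of being hidden behind a NetBIOS name."""
    cache: Dict[str, Optional[str]] = {}

    def sub(match: "re.Match[str]") -> str:
        ip = match.group(0)
        name = resolve_ip(ip, objects, lookup, cache)
        return f"{name} ({ip})" if name else ip

    return [IPV4_RE.sub(sub, line) for line in lines]

# Constructed sample lines (not FW-1's actual export format) for a local run.
SAMPLE_LOG = [
    "12:01:05 drop 203.0.113.9 -> 192.0.2.10 tcp 445",
    "12:01:06 drop 203.0.113.9 -> 192.0.2.10 tcp 139",
    "12:01:07 accept 198.51.100.5 -> 192.0.2.10 tcp 25",
]

if __name__ == "__main__":
    for line in annotate_log(SAMPLE_LOG):
        print(line)
```

Pass a different `lookup` callable to swap in a pure-DNS resolver; the default uses whatever the operating system's resolver is configured to do.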
