Refer: VPN-1/FireWall-1 Administration Guide * January 2000
pp. 238-241 - Properties Setup - Security Policy
p. 625 - How is a Security Policy enforced on a host's different
interfaces?
WRT not trusting an administrator on the Firewall - none of our
firewalls are used for anything but firewalls. I.e. no DNS, no SMTP,
no Web etc. You'll be amazed at what I've seen some Firewalls used
for. They are inspection stations only. There is no need to be on the
Firewall, except to perform maintenance (new SP, changes to proxy ARP
etc.). Some people allow a web browser to be installed on the
firewall to perform service pack downloads etc. I insist on
downloading separately and burning to CD-ROM, otherwise you are
asking for trouble.
The only account defined for the server is the super-user, and only
one person knows it (and I think I trust myself!). The latest
password is written down and stored in a safe for emergency use.
Policy states that no one can make changes to the firewall alone -
another qualified (CCSA minimum) person must be present during any
configuration changes.
The management console, reporting and intrusion detection are all run
from other machines, so there is no need for the firewall to send out
unsolicited IP. For this reason, I have defined the following rules
to keep things tight and report unauthorised accesses (simplified
slightly):
No.  Src        Dst        Svc            Action   Track
1.   EncDom1    EncDom2    Any            Encrypt  Account
2.   EncDom2    EncDom1    Any            Encrypt  Account
3.   FW1, FW2   FW2, FW1   IPSEC          Accept   Log
4.   FW1, FW2   Mgmt       FW1, FW1_log   Accept   Log
5.   Mgmt       FW1, FW2   FW1, FW1_log   Accept   Log
6.   FW1, FW2   Any        Any            Reject   Log
Kind Regards,
Craig Little BSc, CPD, CPI, SCJP, CCSA, CCSE
Inter-Networking / Security Consultant
Shell Services International
Phone: +64 4 462 4661
Fax: +64 4 463 4060
Mobile: +64 21 37 5858
mailto:[EMAIL PROTECTED]
http://www.shellservices.com
> -----Original Message-----
> From: Frank Knobbe [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 17 August 2000 7:26 a.m.
> To: 'Carric Dooley'; [EMAIL PROTECTED]
> Subject: RE: [FW1] Inbound, outbound, or eitherbound?
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hmmm... I just read again in the FW-1 manual following on Accept
> Outgoing Packets:
>
> Accept Outgoing Packets - Accept all outgoing packets (from the
> Firewall, not from the internal network).
>
> On gateways, rules are usually enforced in the inbound direction
> only. When a packet passing through the gateway leaves the gateway,
> it will be allowed to pass only if one of the following conditions
> is true:
>
> * The Accept Outgoing Packets property is checked.
> * Rules are enforced both directions (eitherbound), and there is a
> rule which allowed the packet to leave the gateway.
>
> Then it references the drawing and additional information in the
> Architecture manual, which basically states what you have written.
>
> Given that, am I the only one feeling uncomfortable with Inbound
> only, since packets originating from the firewall to the outside
> would go unchecked? Assuming that usually (!) nothing is running on
> the firewall and no user is working on it, there are still packets
> that the FW itself creates and sends out, as in authentication and
> VPN traffic. Wouldn't it be possible for exploits to go unnoticed if
> no rules have been set to monitor/filter outgoing data? In order to
> enforce those rules, Eitherbound would need to be selected.
>
> Am I just too paranoid, or does anyone else think it might be a
> good idea to keep an eye on traffic leaving the firewall, and hence
> use Eitherbound?
>
> Regards,
> Frank
>
>
> > -----Original Message-----
> > From: Carric Dooley [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, August 14, 2000 12:46 PM
> > To: Frank Knobbe; 'Padden, Greg';
> > [EMAIL PROTECTED]
> > Subject: Re: [FW1] Inbound, outbound, or eitherbound?
> >
> >
> > My understanding of eitherbound is on which interface the policy is
> > applied to the traffic.... example:
> >
> > If you have IF_A as your internal interface, and IF_B as your
> > external, if you set your policy for "Inbound", packets coming from
> > the public network would be filtered at IF_B (the inbound interface
> > for that direction). An outbound policy would evaluate the traffic
> > from the outside at IF_A as the traffic leaves the firewall.
> > "Eitherbound" means the packets have to pass through the policy at
> > BOTH interfaces, doubling the amount of work for the firewall (at
> > least from a policy perspective) for each packet. This is the most
> > secure, but if you are pushing a lot of traffic, not ideal. I would
> > typically set that property for "inbound" myself. If you set it for
> > "outbound" a DoS (from the outside) would affect the firewall itself
> > because the traffic is not analyzed until it hits the internal
> > interface (IF_A). Eitherbound is overkill in a lot of situations, but
> > inbound means if someone attacks the firewall, it has to make it
> > through the policy, and the same would apply for traffic from the
> > internal network out (evaluated before it passes through the
> > firewall).
>
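To make concrete the point Frank raises about traffic the firewall itself originates, here is an added example (not code from the thread or from Check Point): a small Python model of first-match rule enforcement under the Inbound and Eitherbound settings, loaded with Craig's six rules. The interface names "int"/"ext", the destination "Internet" and the "http" service are constructed; the Accept Outgoing Packets handling follows the manual text quoted above in Frank's message.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    svc: str
    ingress: Optional[str]  # interface it arrived on; None if the firewall generated it
    egress: Optional[str]   # interface it leaves on; None if addressed to the firewall itself

# Craig's simplified rulebase from the post: (sources, destinations, services, action, track)
RULEBASE = [
    ({"EncDom1"}, {"EncDom2"}, {"Any"}, "Encrypt", "Account"),
    ({"EncDom2"}, {"EncDom1"}, {"Any"}, "Encrypt", "Account"),
    ({"FW1", "FW2"}, {"FW1", "FW2"}, {"IPSEC"}, "Accept", "Log"),
    ({"FW1", "FW2"}, {"Mgmt"}, {"FW1", "FW1_log"}, "Accept", "Log"),
    ({"Mgmt"}, {"FW1", "FW2"}, {"FW1", "FW1_log"}, "Accept", "Log"),
    ({"FW1", "FW2"}, {"Any"}, {"Any"}, "Reject", "Log"),
]
def match(pkt: Packet) -> Tuple[Optional[int], str, str]:
    """First-match lookup; anything unmatched falls to an implicit drop."""
    for n, (srcs, dsts, svcs, action, track) in enumerate(RULEBASE, start=1):
        if ((pkt.src in srcs or "Any" in srcs) and (pkt.dst in dsts or "Any" in dsts)
                and (pkt.svc in svcs or "Any" in svcs)):
            return n, action, track
    return None, "Drop", "Log"
def enforce(pkt: Packet, direction: str, accept_outgoing: bool):
    """Inspect at the interfaces the direction setting covers. Per the manual text
    quoted in the thread, leaving the gateway without an egress inspection is
    allowed only if the Accept Outgoing Packets property is set."""
    checks = []  # (interface, rule number, action, track) for every inspection done
    if pkt.ingress is not None and direction in ("inbound", "eitherbound"):
        n, action, track = match(pkt)
        checks.append(("in@" + pkt.ingress, n, action, track))
        if action not in ("Accept", "Encrypt"):
            return checks, action
    if pkt.egress is not None:
        if direction in ("outbound", "eitherbound"):
            n, action, track = match(pkt)
            checks.append(("out@" + pkt.egress, n, action, track))
            if action not in ("Accept", "Encrypt"):
                return checks, action
        elif not accept_outgoing:
            return checks, "Drop"
    return checks, "Accept"
def firewall_originated_demo():
    """Constructed case: the firewall itself opens an unexpected HTTP session outward."""
    pkt = Packet("FW1", "Internet", "http", ingress=None, egress="ext")
    return {d: enforce(pkt, d, accept_outgoing=True) for d in ("inbound", "eitherbound")}
```

Under Inbound the locally generated packet is never evaluated and leaves unlogged via the property; under Eitherbound it hits rule 6 at the external interface and is rejected and logged, which is the visibility Frank is asking for.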
RE: [FW1] Inbound, outbound, or eitherbound?
Little, Craig (SSI-SIAP-NP5) Wed, 16 Aug 2000 18:51:14 -0700