
On Wed, 22 Dec 1999, Brian Tan Wee Beng wrote:

> Date: Wed, 22 Dec 1999 01:25:29 PST
> From: Brian Tan Wee Beng <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Checkpoint and RealSecure

> Hi,
>    Although I know that it's possible to integrate RealSecure to work with
> Checkpoint FW-1, there are some questions which I hope I can get some answers
> on. Firstly, if RealSecure detects an intruder from the Internet and FW-1 is
> not aware of it, RealSecure should "inform" FW-1 about it and a rule will be
> configured to block out this intruder. What kind of rule is it? I was told
> that this rule will be "invisible", that means when I open the firewall
> management console, I would not be able to see this rule at all. Is it true?

Brian,

That is the case.  As a response to any event, you can set an OPSEC
response from RS (a few variants are available).  The response (subject 
to suitable authentication) creates a new rule which the firewall 
daemon will enforce.  This rule is not visible in the fw-1 security 
policy as it happens within the daemon and doesn't affect the 
policy files. 

You will see an event in the fw log.

More information on getting fw-1 and RS working together is at:

http://www.iss.net/support/rscpf1.php

> Secondly, if the above mentioned is true, how can I remove the rule?

You can do this three ways:

1)      In RS set an expire time (in responses).  I'd never take 
        the default of 0 (no expire) as this opens denial of 
        service risks (see later).

        After the expire time, the firewall daemon will cancel the rule.

2)      Restart the firewall daemon (a bit drastic but works)

3)      There is also an 'fw xxx' command you can run on the firewall
        system but I can't remember what that is.  May be in the FAQ.

I'd recommend you stick with 1) as it takes no effort.  If you set a 
long expire time you protect yourself and make the attacker slow down.
That way, if some kind person does spoof attacks from root name servers
(or you make a mistake) and RS tells fw-1 to cut off your dns it will
mend itself (eventually).


Best regards,

Dave
-------------------------------------------------------------------------
Dave Whitlow                            Tel: +44-(0)181-861-2001
Idsec Ltd                               Fax: +44-(0)181-861-3433
Suite A, 31-33 College Road,            Mail: [EMAIL PROTECTED]
Harrow, HA1 1EJ, UK                     Web:  http://www.idsec.co.uk
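
The expiry behaviour described in the reply above, as a small model added here (not part of the original email, and not FireWall-1 or RealSecure code). The class, function names and the name server address are hypothetical; the point is how long one spoofed alert keeps a legitimate host cut off with and without an expire time.

```python
class DynamicBlockTable:
    """Block rules held only in the enforcing daemon, never in the policy files."""

    def __init__(self):
        self.rules = {}   # source address -> expiry time in seconds (None = never)
        self.log = []     # (time, event, source): what the firewall log would show

    def block(self, src, now, expire_secs):
        # expire_secs == 0 models the "no expire" default the reply warns against
        self.rules[src] = None if expire_secs == 0 else now + expire_secs
        self.log.append((now, "block", src))

    def is_blocked(self, src, now):
        if src not in self.rules:
            return False
        expiry = self.rules[src]
        if expiry is not None and now >= expiry:
            del self.rules[src]               # option 1: the rule is cancelled on expiry
            self.log.append((now, "expired", src))
            return False
        return True

    def restart(self, now):
        # option 2: a daemon restart drops every dynamic rule at once
        self.rules.clear()
        self.log.append((now, "restart", "*"))


NAME_SERVER = "192.0.2.53"  # constructed address (TEST-NET-1), stands in for your DNS


def outage_after_spoofed_alert(expire_secs, horizon=86400, step=600):
    """Seconds the name server stays cut off after one spoofed alert at t=0."""
    table = DynamicBlockTable()
    table.block(NAME_SERVER, now=0, expire_secs=expire_secs)
    return sum(step for t in range(0, horizon, step)
               if table.is_blocked(NAME_SERVER, t))


if __name__ == "__main__":
    for expire in (0, 3600):
        print(f"expire={expire:>5}s -> name server unreachable for "
              f"{outage_after_spoofed_alert(expire)}s of the next 24h")
```
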

