TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Stephen,

http://www.enteract.com/~lspitz/intrusion.html contains some information
about how to get FW-1 to raise alerts based on the entries in the log files.

This could be a possible approach, with alert.sh modified to send an SNMP trap,
but it seems to be based around calling a script from a FW rule.

Otherwise you could give them read-only access to the firewall GUI to
confirm the temp rules are in place?

Stephen.
-----Original Message-----
From: Stephen Cooper [mailto:[EMAIL PROTECTED]]
Sent: 06 November 2000 09:39
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: ISS Realsecure Network Engine and CP Firewall-1

Hello,

I have read with interest the recent thread on SNMP and Email; I have
nothing to add to this other than to say that the mechanism that Mark
suggests works well:

Engine -> Trap -> IT/O -> Escalation via Interface or Email.

Using an Email you can also feed the response into a Problem Tracking
database if you see fit.

===================================================================================

Now I have a question! Especially for those of you who integrate Firewall-1
and Realsecure from ISS.

If, in addition to other responses, we request that the Engine performs an
OPSEC "FIREWALL" response to a Checkpoint Firewall and performs an "Inhibit
and Close" on the source IP address:

How can I be sure that the action is successful? 

Looking at the Realsecure data it is very easy to see that, yes, the IDS
sent a request to the firewall (response FIREWALL is sent in the trap).

On the other side how do we know that the firewall actually actioned the
request?

Looking at the Checkpoint log we find two entries

(In this case, fwm and fwd are co-located in the test environment)

Entry 1

3679;25Sep2000;19:35:36;ip_of_cpfwm;log;accept;;lan0;inbound;tcp;ip_of_rsengine;ip_of_cpfwm;FW1_sam;4364;44;9; ; ; ; ; ;

Entry 2

3680;25Sep2000;19:36:57;ip_of_cpfwm;control;ctl;;daemon;inbound;;;;;;;;;;;;;SAM 'inhibit + close' (no connections closed)  src 202.157.130.32  expire 600  (sent from ip_of_rsengine to if_of_fwm on port 18183)

It can be seen that the second entry confirms that the Realsecure request is
successful. Also, the log entry is not created in response to a Firewall
rule condition, so it is not directly possible to assign an SNMP response in
the Checkpoint GUI.

How would I inform Openview via SNMP that the reconfiguration was successful
and reassure operations that the IDS actually worked?

Stephen
Stephen J. Cooper
Senior Systems Analyst
Bank for International Settlements
Phone: +41 61 2806792
Fax: +41 61 2809100

This user's PGP Public Keys can be
obtained from certserver.pgp.com
DISCLAIMER: Any e-mail messages from the Bank for International Settlements
are sent in good faith, but shall not be binding nor construed as
constituting any obligation on the part of the Bank.

CONFIDENTIALITY NOTICE: This e-mail contains confidential information, which
is intended only for the use of the recipient(s) named above. If you have
received this communication in error, please notify the sender immediately
via e-mail and return the entire message. Thank you for your assistance.
----------------------------------------------------------------------
The information contained in this e-mail is confidential and solely for 
the intended addressee(s). Unauthorised reproduction, disclosure, modification, 
and/or distribution of this email may be unlawful. If you have received 
this email in error, please notify the sender immediately and delete it 
from your system. The views expressed in this message do not necessarily 
reflect those of LIFFE (Holdings) Plc or any of its subsidiary companies.
----------------------------------------------------------------------
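An added example, not code from either poster: a small Python parser for the semicolon-delimited Firewall-1 log records quoted above. It picks out the "control" record carrying the SAM message (the only evidence that fwm actually actioned the request), extracts the source IP, expiry, sender and port, and returns them as a structured event that an operator could hand to a trap sender for OpenView. The two log lines are the ones from the thread, re-joined onto single lines; the field positions and the regular expression are this example's assumptions about the record layout.

```python
import re

# Constructed sample: the two Firewall-1 records quoted in the thread, one per line
# (the mail client had wrapped them). Entry 1 is the accepted FW1_sam connection from
# the RealSecure engine; entry 2 is fwm's own confirmation of the SAM action.
SAMPLE_LOG = """\
3679;25Sep2000;19:35:36;ip_of_cpfwm;log;accept;;lan0;inbound;tcp;ip_of_rsengine;ip_of_cpfwm;FW1_sam;4364;44;9; ; ; ; ; ;
3680;25Sep2000;19:36:57;ip_of_cpfwm;control;ctl;;daemon;inbound;;;;;;;;;;;;;SAM 'inhibit + close' (no connections closed)  src 202.157.130.32  expire 600  (sent from ip_of_rsengine to if_of_fwm on port 18183)
"""

# Assumed shape of the free-text SAM message, derived from the single record above.
SAM_RE = re.compile(
    r"SAM '(?P<action>[^']+)'\s*(?:\((?P<note>[^)]*)\))?\s*"
    r"src (?P<src>\S+)\s+expire (?P<expire>\d+)\s*"
    r"\(sent from (?P<sender>\S+) to (?P<target>\S+) on port (?P<port>\d+)\)"
)

def parse_sam_events(log_text):
    """Return one dict per 'control' record whose text carries a SAM message.
    Plain traffic records (type 'log', e.g. the accepted FW1_sam session) are skipped:
    they only show that the engine talked to fwm, not that the block was applied."""
    events = []
    for line in log_text.splitlines():
        fields = line.split(";")
        if len(fields) < 6 or fields[4] != "control":
            continue
        m = SAM_RE.search(line)
        if not m:
            continue
        events.append({
            "num": int(fields[0]), "date": fields[1], "time": fields[2], "fwm": fields[3],
            "action": m.group("action"), "note": m.group("note") or "",
            "src": m.group("src"), "expire": int(m.group("expire")),
            "sender": m.group("sender"), "target": m.group("target"), "port": int(m.group("port")),
        })
    return events

def confirm_block(log_text, src_ip, sender=None):
    """Return the SAM event proving an 'inhibit + close' was actioned for src_ip
    (optionally only if sent by a given engine), or None if fwm never logged one.
    The returned fields are what you would put in the trap varbinds to OpenView."""
    for ev in parse_sam_events(log_text):
        if ev["src"] == src_ip and ev["action"] == "inhibit + close":
            if sender is None or ev["sender"] == sender:
                return ev
    return None
```

Run periodically over `fw log` output (or a tailed export) and raise the trap only when `confirm_block` returns an event; a RealSecure "FIREWALL response sent" with no matching fwm record is the case operations actually need to hear about.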