Re: [FW1] Nokia HA options

2000-11-30 Thread Emmanuel Bailleul
Hi, Depends. Do you need to preserve active connections when switching occurs? Emmanuel Bailleul Ascom Adilan SA Parc des Glaisins 14, Rue du Pré-Paillard 74940 ANNECY-LE-VIEUX Tel. +33 (0)4 50 64 02 49 Fax. +33 (0)4 50 64 09 98 WEB: http://www.adilan.fr "S'il n'y a pas de solution, c'est qu'i

RE: [FW1] Need help

2000-11-30 Thread Deny Fahruddin
Thanks for all the help.. it's solved now. Thanks, deny f

RE: [FW1] Need help

2000-11-30 Thread Andre van der Lans
Have you configured the web/mail server to use your firewall as your default gateway? Regards, Andre -- From: Deny Fahruddin[SMTP:[EMAIL PROTECTED]] Sent: Friday, December 01, 2000 5:46 AM To: '[EMAIL PROTECTED]' Subject: [FW1] Need help Hi, Need help asap. 1. Firew

RE: [FW1] subnet option?

2000-11-30 Thread Andre van der Lans
The "Support key exchange for subnets" checkbox can be found in the firewall workstation object properties. Firewall object -> VPN Tab -> Edit IKE -> Right below in the corner Regards, Andre -- From: Elaine Lolos[SMTP:[EMAIL PROTECTED]] Sent: Friday, December 01, 2000 1:06 AM To:

[FW1] Need help

2000-11-30 Thread Deny Fahruddin
Hi, Need help asap. 1. Firewall-1 4.0 (NT based) 2. Web Server - NAT 3. Mail server - NAT I can ping the public ip to MailServer from firewall and also from outside world BUT I cannot ping the webserver from outside world, only can ping from firewall. Thanks. Deny Fah

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Robert MacDonald
Greg, Create a network object for the 250 network with the appropriate mask. Then place a new rule with the 250 network object before the general 10 object. You shouldn't need to make any routing changes, since all traffic for the 10.x.x.x that comes to the fw will be sent to the appropriate i

Re: [FW1] Nokia HA options

2000-11-30 Thread Jason Witty
I have one config with Sun/Foundry switches/OSPF, one config with Nokia/VRRP/OSPF+FDRY for Server load bal., and am toying with one just using Nokia/VRRP/Static routes. All of them could work great, but as usual, it depends on what you're trying to accomplish, how large your budget is, the ski

[FW1] Oracle FTP Problem

2000-11-30 Thread Raymond Tuggle
Hello We are running FW1 4.0 SP 6 on Solaris 2.6. We are having ftp problems connecting to oracle-ftp.oracle.com. The problem is related to the large welcome banner that the ftp site has. The banner is split over several packets. Thus the first packet containing the banner doesn't end w

RE: [FW1] NT or Unix

2000-11-30 Thread Tom Sevy
This all assumes you are only concerned about throughput to/from the Internet. If you have an internal segment and a DMZ segment, you may care more about throughput since traffic between those two would be bottlenecked at the FW-1 box(es). -Original Message- From: Mark Decker [mailto:[

Re: [FW1] Interoperability issues with CacheFlow server

2000-11-30 Thread Jason Witty
I'm running this exact configuration with no troubles at all. I have the internal side of the CacheFlow plugged into the internal FDRY switch, and the external leg of the CacheFlow plugged into my publicly IPed DMZ. Then I just had to allow the CF's external IPs to leave the network via a sim

[FW1] moving firewall to a different machine

2000-11-30 Thread Rajesh Bandar
Hi, I am planning to move the firewall (Checkpoint ver 4.0) to a different machine. Basically I am moving the firewall from an Ultra-1 to an E250 machine. Is there any documentation to move Firewall from one machine to another machine? I am planning to do the following steps: 1. Install Firewall-

RE: [FW1] subnet option?

2000-11-30 Thread Jason Maley
Subnet key exchange is supported in 4.1. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elaine Lolos Sent: Thursday, November 30, 2000 7:06 PM To: [EMAIL PROTECTED] Subject: [FW1] subnet option? Hello, I am trying to get a VPN wor

RE: [FW1] subnet option?

2000-11-30 Thread Randy Garbrick
I think that you need Firewall-1 v4.1 for that. -Original Message- From: Elaine Lolos [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 4:06 PM To: [EMAIL PROTECTED] Subject: [FW1] subnet option? Hello, I am trying to get a VPN working between a Solaris Fir

[FW1] FTP/SunRPC Probe?

2000-11-30 Thread Robert C. Wessel
A couple of hours ago my network got scanned for FTP servers, and promptly after the FTP scan ended, all of my FTP servers were probed for SunRPC. Nothing happened, of course, but I've not seen this combination before. Is this some new exploit/vulnerability that I've missed hearing about, or...?

RE: [FW1] NT or Unix

2000-11-30 Thread Geoffrey Moon
Has anyone done any VPN benchmarking (especially 3DES)? I think for those of us with T1 or slower connections, that's the only place we're going to see practical performance differences, unless you're on some really old hardware. In our case, average CPU utilization was around 5% until we starte

[FW1] subnet option?

2000-11-30 Thread Elaine Lolos
Hello, I am trying to get a VPN working between a Solaris Firewall-1 system running v4.0 SP5, and a site running FreeBSD and racoon, using ISAKMP. I was told there was a Checkpoint option "Support key exchange for subnets" but cannot see it anywhere within the GUI. Is there such an opti

[FW1] Suspicious entry in FW log

2000-11-30 Thread Hoang
I just saw a bunch of entries in my log generated from my internal mail server. The log shows dropped connections to 3.0.0.2 on UDP ports 1090 and 1257. Those entries are created every minute for the whole day. I have OWA on my server, and only allow SSL and SMTP to go thru. Once I restart the WWW

RE: [FW1] NT or Unix

2000-11-30 Thread Frank Darden
sounds like bad putkeys to me -Original Message- From: Andrew Bagrin [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 4:18 PM To: Carl E. Mankinen; Jeff Quinonez; 'Jack Klein'; [EMAIL PROTECTED] Subject: Re: [FW1] NT or Unix I had that problem, unfortunately bouncing the se

RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Reed Mohn, Anders
Uhhm.. I might be off-track here, but what happens to a client in the 10.0.0.0/8 network who wants to talk to someone in 10.250.1.0/24? Since any 10.0.0.0 address is assumed to be local, no packet ever makes it to the FW/router/gateway. Or..? Anders :) -Original Message- From: Chr

RE: [FW1] NT or Unix

2000-11-30 Thread Mark Decker
The apples-to-apples benchmarks I mentioned were performed on Penguin Computing boxes (700 MHz Intel processor, 128MB RAM) using FireWall-1 v4.1. Tests were run with both Red Hat Linux with the 2.2.16 kernel, and with NT 4.0 SP6. The Linux throughput numbers were more than 40% higher than the NT

RE: [FW1] Off-topic (somewhat): How does traceroute work, anyway?

2000-11-30 Thread Reed Mohn, Anders
Thanks, guys (and dolls). I got good descriptions of the workings of traceroute from several of you. My biggest surprise in blocking ICMP was that Linux appears to succeed in its traceroute even though the packets never reach their destination (reject). Stupid little thing, that... :) C

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Christine Tran
From: "Greg Winkler" <[EMAIL PROTECTED]> Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net > We use a 10.x.x.x network internally per RFC 1918. Up until today I've > used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to > all of my internal hosts. God I can

RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Longman, Bill
Yup, use 172.16.0.0 or 192.168.0.0. The easy way wins. -Original Message- From: Greg Winkler [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 12:32 PM To: [EMAIL PROTECTED] Subject: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net We use a 10.x.x.x network inte

RE: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Reed Mohn, Anders
If you want to "partition off" a piece of that 10.x.x.x net, you will have to change the subnet mask internally. That sort of answers it, doesn't it? Go with the 192.168.x.y ... Cheers, Anders :) -Original Message- From: Greg Winkler [mailto:[EMAIL PROTECTED]] Sent: 30. november 20

RE: [FW1] NT or Unix

2000-11-30 Thread Jeff Quinonez
Suh weet. What type of hardware are you speaking of on the Linux side? Also what flav of Linux? We have a Redhat box, um 6.2 (for shites and giggles) running on a low-end HP E60 and it hauls. I always bring up Linux solutions to my IT Director, but he, like others, fears the penguins. -Origina

RE: [FW1] Adding rule for echo-request.

2000-11-30 Thread Reed Mohn, Anders
Thanks, all of you who answered, though I think I didn't really make my question clear. What I wondered was if the two different ways of allowing outgoing echo-requests (forget the replies) would cause FW-1 to treat the packets any differently. Anyway, I thought about it, and I'm pretty sure now t

Re: [FW1] NT or Unix

2000-11-30 Thread Andrew Bagrin
I had that problem, unfortunately bouncing the service didn't help. I had to clear the state dir. Andrew Bagrin Secure-1 865-803-2748 www.secure-1.com - Original Message - From: Carl E. Mankinen <[EMAIL PROTECTED]> To: Jeff Quinonez <[EMAIL PROTECTED]>; 'Jack Klein' <[EMAIL PROTECTED]>; <

RE: [FW1] NT or Unix

2000-11-30 Thread Dean Cunningham
The Linux version has been recently ported, which has meant some stability/installation issues. It will settle down, as did other ports like NT. If performance is not an issue then NT/Linux is fine. If you are expecting to use say 4 100MB cards with NAT and get high throughput then Sun or Nokia

Re: [FW1] Securemote issue

2000-11-30 Thread Robert MacDonald
Kimberly, One way would be to have DHCP and configure it to release on shutdown (I think you have to reg hack for this??) You may have to deal with an error message while out of the office, but just answer 'No' to the DHCP prompt about looking for a server. Robert (p.s. We just came off a 14hr

Re: [FW1] Adapting rules from 4.0 to 4.1

2000-11-30 Thread Robert MacDonald
No it doesn't work between the two GUIs, but does work while within the same GUI and moving between two policies. It's not like the Windows cut-&-paste. Robert >Hello all, > >is the way to copy/paste rules between the 4.0 and an >other 4.1 fw1, the same as between a 4.0 and an other >4.0 ? >

[FW1] Nokia VRRP vs. Checkpoint HA

2000-11-30 Thread Tom Sevy
Can anyone point me to a contrast or comparison of the HA features in FW-1 4.1 vs. Nokia's VRRP implementation? To unsubscribe from this mailing list, please see the instructions at http://www.c

Re: [FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Scott Schindler
Too easy is bad. We don't want easy security configurations. ;) (sarcasm for those that do not possess it) Yes you can get around this but the only way I know of other than re-networking and re-subnetting your network is to use another RFC 1918 network. Too many people think that using 10.x.x.

[FW1] [FW-1] Restart logging to log server

2000-11-30 Thread Jason Stout
Hi all, We've got Provider running here with all clients logging to the Provider box. Every time our link goes down (thankfully not often) the clients start logging locally. Is there any way to get the client to restart logging to the Provider box without restarting FWD? We had some success restar

RE: [FW1] NT or Unix

2000-11-30 Thread Steven Schuster
IMHO, if you are going to be running in a distributed environment, run the management portion on the NT box and the gateways on UNIX (either Solaris or Nokia). The UNIX boxes will give a more stable environment for the filtering. Steve Schuster, CCSA, CCSE, CCSI, CCNA Midwest ISO Security Analy

Re: [FW1] NT or Unix

2000-11-30 Thread Carl E. Mankinen
Well, I just had a problem on NT installation that I have seen a couple times now. I am running CP2000 SP2 at this site and what happens is that I install the policy via the GUI client. It shows that it has compiled it successfully and supposedly installed ok. However, my old rule base is still

RE: [FW1] dnsinfo.C & LMhosts

2000-11-30 Thread Hanke, Christian (DC)
I'm having the exact same problem. A sample posted to this list would be great! Thanks, -Original Message- From: Johnson, Dave [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 9:53 AM To: 'CryptoTech'; Johnson, Dave Cc: [EMAIL PROTECTED] Subject: RE: [FW

[FW1] Partition off a class C within a 10.x.x.x RFC 1918 net

2000-11-30 Thread Greg Winkler
We use a 10.x.x.x network internally per RFC 1918. Up until today I've used a network object of 10.0.0.0 with a mask of 255.0.0.0 to refer to all of my internal hosts. It has been very convenient to use this in my rules, for example "internal any http accept". I now have a need to "partition off"

RE: [FW1] NT or Unix

2000-11-30 Thread Mark Decker
I can vouch for Dan on this point. I've seen several different benchmark results that give Unix a 20-40% advantage over NT on max throughput, depending on the Unix flavor. Solaris performance is hard to compare fairly because the HW platforms used to test are always different, but you can do a

Re: [FW1] Securemote issue

2000-11-30 Thread Andrew Bagrin
That's how all Regals users are set up and we don't have any complaints Andrew Bagrin Secure-1 865-803-2748 www.secure-1.com - Original Message - From: Dan Guinn <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, November 30, 2000 3:02 PM Subject: RE: [FW1] Securemote issue > > G

RE: [FW1] NT or Unix

2000-11-30 Thread Dan Guinn
IMHO: Both NT and Unix/Linux are viable platforms, mainly it's just which one you feel more comfortable administering. There are pros and cons for both, but I have installed several FW-1 machines on Linux, and several on NT4. Both seem to work about the same (unless you put them under a lot of

RE: [FW1] Securemote issue

2000-11-30 Thread Dan Guinn
Good point...DHCP could make life much easier, but it could also make the machine complain that it can't get an IP when it's remote. Dan Guinn NetStar Communications -Original Message- From: Andrew Bagrin [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 1:39 PM To: Kimberly

RE: [FW1] 1 minute VPN Outages

2000-11-30 Thread Tim Cullen
I saw the same issues. For me it was the link "across the pond". It would hiccup every so often and make the tunnel go down. I tried turning the renegotiate times down but still had the issue. Finally I got the provider to own up to the link instability, he resolved his issue and it resolved

RE: [FW1] 4.1 SP2 Build Number??

2000-11-30 Thread Marc Jacquard
The build number for SP2 is 41716. Marc Jacquard SR. Systems Engineer Fujitsu America, INC. Hilo Office email: [EMAIL PROTECTED] Telephone: 808-934-4103 Pager: 888-787-5814 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jason Witty Sent: Thursday, Nove

Re: [FW1] NT or Unix

2000-11-30 Thread Scott Schindler
Nokia. Due to cost, ease of setup, Unix-based and somewhat armored when shipped. Also, free HA and scalable system design. (oh and we sell it too) ;) As Jeff mentioned, this is like asking Floridians who should be President. Just pick the one your team is most comfortable with. Technical and

Re: [FW1] 1 minute VPN Outages

2000-11-30 Thread Chris H
Not using perfect forward secrecy. --- CryptoTech <[EMAIL PROTECTED]> wrote: > Perhaps key exchanges. Are you using Perfect > Forward Secrecy? > > CryptoTech > > Chris H wrote: > > > Running IKE VPN to one of our overseas offices. > 4.1 > > SP2 Enterprise server and management module in US

RE: [FW1] Solaris and IP-Forwarding and 64bit kernel

2000-11-30 Thread Marc Jacquard
Disable 64-bit mode. An easy way to do this would be to cd /platform/sun4u and edit the boot.conf file. You would just comment out the line for 64-bit mode and reboot the machine. As for IP forwarding, if you do not disable IP forwarding in the OS the system has a window when the firewall is no

RE: [FW1] NT or Unix

2000-11-30 Thread Jeff Quinonez
Flamebait! LOL Kidding of course... I would choose Solaris, if for nothing else because of IP forwarding. -Original Message- From: Jack Klein [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 11:04 AM To: '[EMAIL PROTECTED]' Subject: [FW1] NT or Unix We are in the midst of

[FW1] 4.1 SP2 Build Number??

2000-11-30 Thread Jason Witty
All, Can someone please post the build number for 4.1 SP2? It's not on Phoneboy's site yet. All he has is: Build V.SP - 30833.0b SP8 30963.0b SP9 40314.0 SP1 40344.0 SP2 40564.0 SP3 40644.0 SP3 + hotfix 40664.0 SP4 40944.0 SP5 41439 4.1 SP0 4

[FW1] NT or Unix

2000-11-30 Thread Jack Klein
We are in the midst of a controversy and would like to hear some opinions. Should we install a FW-1 on an NT or a Unix machine? Why? Thanks for all of your opinions.

RE: [FW1] Nokia HA options

2000-11-30 Thread Mark Decker
Like many 3rd party apps, software HA/LB solutions such as RainWall and StoneBeat don't run on the Nokia platform because it uses a proprietary operating system (IPSO). VRRP is adequate if you only want basic failover to a standby unit. If you want load balancing in addition to HA, you'll have

Re: [FW1] Solaris and IP-Forwarding and 64bit kernel

2000-11-30 Thread Allen Pomeroy
To change modes, enter the following at the "ok>" prompt: To set up booting 32-bit mode: setenv boot-file kernel/unix To set up booting 64-bit mode: setenv boot-file kernel/sparcv9/unix Or, after booting Solaris, login as root and enter the following: To set up booting 32-bit mode: eeprom

RE: [FW1] Blocking vbs

2000-11-30 Thread Goldoff, Erik
Here's the Kixtart code in my login script (nothing confidential, I actually got the idea from one of the list-servs (not this one)) ; **module to change default VBS double-click to Notepad instead of WScript.exe Existkey("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell")

Re: [FW1] Securemote issue

2000-11-30 Thread Andrew Bagrin
Why don't you put them on DHCP in the office? Andrew Bagrin Secure-1 865-803-2748 www.secure-1.com - Original Message - From: Kimberly Newton <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Thursday, November 30, 2000 5:21 P

RE: [FW1] Solaris and IP-Forwarding and 64bit kernel

2000-11-30 Thread Longman, Bill
I, too, have a question about the install on Solaris. When installing on Solaris 2.7, it (CP2000) complains that it won't run with the 64-bit kernel. Does anyone know how to disable that and run 32-bit? Bill -Original Message- From: Alonzo Vera [mailto:[EMAIL PROTECTED]] Sent: Wednesday,

[FW1] SMTP Store and Forward Server resource

2000-11-30 Thread Toth, David
I went to phoneboy's FAQ and read a question concerning how to use FW-1 as a store and forward SMTP server. The rule it shows has a service called: SMTP->Store_and_Forward When I display my resources, in my rule base, there is no resource that looks like this. Where do I get one? Thank

[FW1] Hybrid mode auth tips?

2000-11-30 Thread Ian Campbell
Hi all, I'm going to make the changes in CP's doc regarding hybrid mode auth for SR users using IKE as the encryption scheme tonight. Anybody done this before that wants to share any tips or problems they had while making the change? Thanks, Ian

Re: [FW1] Securemote issue

2000-11-30 Thread Kimberly Newton
I have a question regarding this, also. I went ahead and took the IP address off and it worked wonderfully. Thank you very much, Dan. However, now what do we do when the people are back in the office and need to be on the network with an IP address? Is there a way to make this work without hav

RE: [FW1] SR behind NAting device

2000-11-30 Thread Yim Lee
I talked with CheckPoint and this is a known problem. Currently, there is no known fix. Yim --- Idan Dolev <[EMAIL PROTECTED]> wrote: > > some additional info : > > my network is ; > > station A-firewall Afirewall B--station > B > > LAN A is 10.0.0.0 LAN B 11.0.0.0 between A and

Re: [FW1] intrusion detection - benefits?

2000-11-30 Thread Drew Simonis
Scott Schindler wrote: > > To everyone, regarding the CISSP and security certifications. > > > * The CISSP is a security-officer level program. It is what CSOs and high > level Consultants need to know. It is based upon information above the > "implementation" level. ISC2 does not necessari

[FW1] Check Point expert certification

2000-11-30 Thread Scott Schindler
What do you think the value of the expert exam will be? What does being a CCS expert (X?) offer to a security professional? Will it add to the value of a resume? Access to a Check Point "experts" mailing list for beta news and program discussion? Discounts to the CP conference each year?

RE: [FW1] intrusion detection - benefits? FINI

2000-11-30 Thread Pellowski, Tom
Agreed, Thanks to all for your inputs and references. Alas to no avail. See my second message 7 hours after my first one. Thanks again. Tom -Original Message- From: Tim Cullen [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 09:53 To: [EMAIL PROTECTED] Subject: RE: [FW1] i

RE: [FW1] Nokia HA options

2000-11-30 Thread Cihan Subasi (Garanti Teknoloji)
It is not only HA but also LB... and works perfectly so far -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 3:20 PM To: Cihan Subasi (Garanti Teknoloji) Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE

Re: [FW1] intrusion detection - benefits?

2000-11-30 Thread Scott Schindler
To everyone, regarding the CISSP and security certifications. Many of you are interested in rounding out your security credentials beyond that of the CCSE. The CISSP is regarded, currently, as the highest level IT security certification. I have some issues with that that I will discuss within,

RE: [FW1] Adapting rules from 4.0 to 4.1

2000-11-30 Thread Keith M Brogan
What kind of machine is this on? I have done it on a Nokia IP440. -Keith -Original Message- From: rle xxx [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 5:05 AM To: Fw-1-Mailinglist (E-mail) Subject: [FW1] Adapting rules from 4.0 to 4.1 Hello all, is the way to cop

RE: [FW1] intrusion detection - benefits?

2000-11-30 Thread Tim Cullen
That WAS Scott, and it was NOT you Schindler. Look just below my response. Just a note, there are many decaffeinated brands on the market that are just as tasty as the caffeinated kinds. (couldn't resist) -Original Message- From: Scott Schindler [mailto:[EMAIL PROTECTED]] Sent: Wednesday,

[FW1] Secure-Remote

2000-11-30 Thread manfred . steinbacher
Hello, I will install Secure-Remote or Secure-Client! Which system is the better choice? I think the Secure-Remote system hasn't enough security for use, or is it possible to increase the security on these clients with some software or some settings! Thanks manfred

[FW1] "switching from installed to disconnected"

2000-11-30 Thread Scott Murray
This morning I came in and saw the System Status alert showing "firewall switching from old state 'installed' to new state 'disconnected'". 16 minutes later, it showed switching from old state 'disconnected' to new state 'installed'. The firewall in question is and was currently a hot spare,

RE: [FW1] Nokia HA options

2000-11-30 Thread Tim Cullen
[Tim Cullen] Neil, The products that work well with Nokia and Checkpoint that I have been able to test are F5 Networks Big-IP and RadWare for actual load balancing. If you just want failover, the VRRP solution is great. -Original Message- From: Neil Pike [mailto:[EMAIL PROTECTED]

RE: [FW1] Penetration Testing/Security Auditing

2000-11-30 Thread Tim Cullen
Chill. Don't get so defensive. We all throw shameless plugs in from time to time. Where else can we get business? We all thank you for your valuable responses to our issues and we ask for a little leeway too. Just my humble opinion. -Original Message- From: Scott Schindler [mailto:[

RE: [FW1] dnsinfo.C & LMhosts

2000-11-30 Thread Johnson, Dave
Crypto, I hate to impose but that would be very helpful. I would also like to thank all those who responded !! Thanks Crypto, Dave -Original Message- From: CryptoTech [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 8:39 AM To: Johnson, Dave Cc: [EMAIL PROTECTED] Subject:

RE: [FW1] intrusion detection - benefits?

2000-11-30 Thread Tim Cullen
I think we have beaten this thread to death guys and gals. We are all saying the same thing. IDS inside good. Outside even better. -Original Message- From: Chilton Tim [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 4:42 AM To: Pellowski, Tom; [EMAIL PROTECTED] Subject: RE:

[FW1] Looking for example of rule to output to authenticated Secure Remote Client from Encryption domain...

2000-11-30 Thread Wayne Graves
I remember seeing something on phoneboy but can't find it. I need to create a general rule to allow some services to go to any existing active Secure Remote Client. Something for allowing connections to clients with active user state, originating from encryption domain. Has anyone got any pointe

RE: [FW1] Nokia HA options

2000-11-30 Thread c_siddika
I use VRRP and it works great. Kamran -Original Message- From: Neil Pike [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 6:40 AM To: [EMAIL PROTECTED] Subject: [FW1] Nokia HA options What are people using on Nokia's for HA solutions (FW-1 only, no VPN needed). VRRP?

Re: [FW1] 1 minute VPN Outages

2000-11-30 Thread CryptoTech
Perhaps key exchanges. Are you using Perfect Forward Secrecy? CryptoTech Chris H wrote: > Running IKE VPN to one of our overseas offices. 4.1 > SP2 Enterprise server and management module in US 4.0 > latest SP VPN-1 module overseas. The VPN drops for > about a minute every couple of days a

RE: [FW1] SR behind NAting device

2000-11-30 Thread Idan Dolev
some additional info: my network is: station A-firewall Afirewall B--station B LAN A is 10.0.0.0 LAN B 11.0.0.0 between A and B is 13.0.0.0. I am trying from station B to get to station A. Firewall B is hiding my station B ( HIDE NAT ) When I do site update I can authenticated su

Re: [FW1] Adding HTTPS ports

2000-11-30 Thread CryptoTech
FW 4.1 provides 3 ways to specify port ranges. 1. New TCP service - fill in the PORT field with 41000-65535, but do not touch source port range field 2. Create a Port Range object, flag TCP, then enter the proper starting port and ending port on the designated lines. 3. Follow Robert's email wh

Re: [FW1] intrusion detection - benefits?

2000-11-30 Thread CryptoTech
Well, working for a small security group, I have it on very solid ground (IDC, Gartner) that 70-80% of hacks come from inside the network. Scott's initial synopsis was dead on. If you really want to be secure, trust no one. But if you are going to use an IDS, which makes more sense, to have an

Re: [FW1] dnsinfo.C & LMhosts

2000-11-30 Thread CryptoTech
Dave, Yes, the lmhosts file on the local system SHOULD be updated. I have seen this work, but as you have noted, it is very syntax sensitive, one wrong space, one space instead of a tab. It would be nice if Check Point would come out with a utility to generate this file based on a gui or a comm

Re: [FW1] Penetration Testing/Security Auditing

2000-11-30 Thread CryptoTech
I think it's great that there are people out here who work for companies that do penetration testing/auditing. This at least ensures that we have people here who know what they are talking about. --- Didn't we have this same conversation about Rainfinity's valuable input (not joking Mark, I'm s

Re: [FW1] secure remote

2000-11-30 Thread CryptoTech
Dima, Am I to understand that the userid/cn for the cert reference is the same as the object ID being used in the destination? This is obviously a problem. This is one of a few scenarios that will yield the user is not defined properly message. Usually, though, it is an encryption level probl

RE: [FW1] Nokia HA options

2000-11-30 Thread T . Higgins
Yes - the Alteon + Nokia appears a favoured offering from the VARs we have dealt with. Tim Higgins "Cihan Subasi (Garanti Teknoloji)" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 30/11/00 12:37 To: "'Neil Pike'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED] cc:

RE: [FW1] Nokia HA options

2000-11-30 Thread Cihan Subasi (Garanti Teknoloji)
I am using Alteon + Nokia -Original Message- From: Neil Pike [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 30, 2000 1:40 PM To: [EMAIL PROTECTED] Subject: [FW1] Nokia HA options What are people using on Nokia's for HA solutions (FW-1 only, no VPN needed). VRRP? Checkpoint HA?

Re: [FW1] Object data base parser for fw-1 4.0 and 4.1

2000-11-30 Thread Roy G. Culley
> > Hello everyone. For those of you interested in a > search routine that will allow you to locate objects > in the fw-1 database checkout www.preceptsoftware.com. > > During this introductory year all upgrades are free to > valid license holders. The program "Object Parser" is > the beginning

[FW1] Nokia HA options

2000-11-30 Thread Neil Pike
What are people using on Nokia's for HA solutions (FW-1 only, no VPN needed). VRRP? Checkpoint HA? Stonebeat? Rainwall? Neil Pike Protech Computing Ltd

[FW1] Nokia and ksh...

2000-11-30 Thread Cihan Subasi (Garanti Teknoloji)
Hi all, is it possible to use ksh in nokia ipso? Thanks *** Cihan Subasi Garanti Technology-Istanbul Work phone: +(90)(212) 4783426 Cellular : +(90)(532) 2211796 mailto:[EMAIL PROTECTED] http://www.garanti

[FW1] Object data base parser for fw-1 4.0 and 4.1

2000-11-30 Thread Derek Woods
Hello everyone. For those of you interested in a search routine that will allow you to locate objects in the fw-1 database checkout www.preceptsoftware.com. During this introductory year all upgrades are free to valid license holders. The program "Object Parser" is the beginning of what I hope w

[FW1] Adapting rules from 4.0 to 4.1

2000-11-30 Thread rle xxx
Hello all, is the way to copy/paste rules between the 4.0 and another 4.1 fw1, the same as between a 4.0 and another 4.0? Before making the tests, I'd like to have some information to restrict them to a simple validation. Thanks. rle

RE: [FW1] intrusion detection - benefits?

2000-11-30 Thread Chilton Tim
Something useful without having to justify it - wow! - Take it before they change their minds! IDSs are great and have provided me with useful information on many occasions. If it's outside your firewall then you can see what's trying to come in, what the bad guys on the inside and outside are

[FW1] SR behind NAting device

2000-11-30 Thread Idan Dolev
> Hi guys, > > Well I am testing out the SR behind natted device and it seems not to work > for me > I can download the topology just fine, and as far as I read I should not > make any changes, it should automatically. > Any suggestions ? after installing sp2 the vpn1_encapsulation is alre

RE: [FW1] Adding rule for echo-request.

2000-11-30 Thread Roelandts, Guy
Anders, Yes it does, with the 1st rule you only allow the outgoing 'ping' packets ... but with no other rule, you'll never get a reply I think. You should add a 2nd rule to allow the replies: Src Dest Service Internet Internal echo-reply + (?? time-exce

SV: [FW1] Check this!

2000-11-30 Thread Jan-Ivar Hansen
This is the default setting in FW-1 (at least some versions). Checkpoint has released a "User Account Expiration" tool to change this setting on several users at a time - useful for large organisations... Jan-Ivar Hansen Network Consultant iTet System -Original Message- From: Ian C