Hi Amy,

Your firewall config is fine. You are allowing in only what is required
and I guess you have done a risk assessment and are happy providing
these services.

What I would make sure of is that firstly the FW OS is patched to the
latest level. (I personally wouldn't run FW-1 on NT or M$ in general)
good site www.phoneboy.com

If possible upgrade to NG or the latest service pack for 4.1 (as TheOg
suggested)

keep your mail server/relay patched

keep IIS patched and maybe add urlscan to it
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools/urlscan.asp

Watch bugtraq and citrix mailing lists for any vulns etc..

A good way to see what is getting past your firewall would be to put an
ids behind it and in the dmz. www.snort.org

>            Firewall--->DMZ: DNS(NT4), www(NT4), mail scanner
>                |        /\
>                |<-----|-------------snort ids sensor
>                V
>         Core Switch (Cisco)-------Frame Relay Connection

cheers


Ivan Coric
IT Security Officer
Information Technology
WorkCover Queensland
Ph: (07) 30066414 Fax: (07) 30066424
Email: [EMAIL PROTECTED]

>>> theog <[EMAIL PROTECTED]> 01/13/03 02:43am >>>
I'll start from the end - :)

to scan with no ping, you can use: nmap -P0 -sT %ip subnet%
%ipsubnet% = the subnet you want to scan i.e. 192.168.0.0/24 (where 24
is the number of network assigned bits).

To the more complex section for you my friend, I would not use Windows
systems in front of the internet, let alone checkpoint firewall-1 4.1
SP1 - Upgrade to NG (or at least SP6).

You should not fear an attack taking down the firewall; as I see it,
it will be much simpler to exploit what your firewall doesn't check -
port 53 to the DNS server (check for microsoft DNS exploits), port 80
and 443 on your web server (check for IIS exploits).

I would recommend using Nessus (at www.nessus.org) to check for vuln.
of your machines.

TheOg
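To make TheOg's point concrete (what gets through is exactly what the rulebase translates, and blocking ping does not change that), here is an added Python model of the four inbound rules Amy lists. It is not part of the thread; the public and 172.16.x.x addresses are constructed placeholders, and it is a policy check for the defender's own rulebase, not a scanner.

```python
from dataclasses import dataclass

# Constructed sample addresses (placeholders, not Amy's real netblock).
# One "workstation object" pair per DMZ host: public IP and its NAT counterpart.
PUBLIC = {"mail": "203.0.113.10", "iis": "203.0.113.20",
          "citrix": "203.0.113.30", "dns": "203.0.113.40"}
INTERNAL = {"mail": "172.16.1.10", "iis": "172.16.1.20",
            "citrix": "172.16.1.30", "dns": "172.16.1.40"}

@dataclass(frozen=True)
class Rule:
    host: str   # workstation object the public address belongs to
    proto: str  # transport protocol
    port: int   # destination port on the public address

# Deny-by-default rulebase: exactly the inbound rules listed in the thread.
INBOUND_RULES = [
    Rule("mail", "tcp", 25),
    Rule("iis", "tcp", 80),
    Rule("iis", "tcp", 443),
    Rule("citrix", "tcp", 1494),
]

def evaluate(proto, dst_ip, dst_port):
    """Firewall decision for one inbound packet.

    Returns ("translate", (internal_ip, port)) when a rule matches, i.e. the
    packet is NAT'd through to the DMZ host, otherwise ("drop", None).
    ICMP to anything is dropped because no rule permits it, which is why
    the firewall does not answer ping but the NAT'd services still do.
    """
    for r in INBOUND_RULES:
        if r.proto == proto and r.port == dst_port and PUBLIC[r.host] == dst_ip:
            return "translate", (INTERNAL[r.host], dst_port)
    return "drop", None

def exposed_services():
    """Public (ip, port) pairs reachable from the Internet: the real attack surface."""
    return sorted((PUBLIC[r.host], r.port) for r in INBOUND_RULES)

def dmz_hosts_without_rules():
    """DMZ hosts that no inbound rule reaches; review whether that is intended."""
    allowed = {r.host for r in INBOUND_RULES}
    return sorted(h for h in PUBLIC if h not in allowed)

if __name__ == "__main__":
    print("exposed:", exposed_services())
    print("no inbound rule:", dmz_hosts_without_rules())
```

Under the rules as listed, a TCP packet to the DNS host on port 53 is dropped; if the DNS server is meant to be public, that is a missing rule, and if not, the host is not exposed.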



[EMAIL PROTECTED] wrote:

>
>Our network engineer just left the company and all of his
responsibilities have been transferred to me, including the firewall.
>
>So, here's what I'm trying to find out...
>
>
>This is a general diagram.
>
>
>            Internet
>                |
>                |
>                V
>          Border Router (Cisco)
>                |
>                |
>                V
>            Firewall--->DMZ: DNS(NT4), www(NT4), mail scanner
>                |
>                |
>                V
>         Core Switch (Cisco)-------Frame Relay Connection
>                |
>                |
>         Internal Network
>
>
>
>
>Here are the details on the firewall:
>
>CheckPoint Firewall-1  4.1 SP1 on NT4 SP5
>You are not able to ping the firewall from the Internet.
>All public IP addresses (located in the DMZ) are NAT'd to internal
172.16.x.x
>A separate workstation object is created for each box that needs a
public IP address and then another workstation object is created for
its internal IP address counterpart.  The public IP address/port is
then NAT'd over to the internal IP address/port.
>
>For example:  The web server has two workstation objects, the one with
the public IP address and one with the internal IP address.  Incoming
packets on port 80 & 443 to the public IP address are then NAT'd over to
the internal IP address/port. Correct..?
>All inbound ports are blocked by default except requests made to
specific IP address/port:
>
>Inbound...
>- -on port 25 to public IP address of mail scanner is NAT'd to
internal IP address of mail scanner
>- -on port 80 to public ip address of IIS is NAT'd to internal IP
address of IIS
>- -on port 443 to public ip address of IIS is NAT'd to internal IP
address of IIS
>- -on port 1494 to public ip address of Citrix box is NAT'd to
internal ip address of Citrix
>
>
>Questions:
>
>1. On a scale of 1 - 10 (10 is most secure), how secure is this
firewall configuration?  Why?
>2. What can get through and how?  Any specific exploits?
>3. What is it that is allowing it to get by the firewall?  What part
of the config?
>
>Right now, I'm just concerned about what can get by the firewall and
how does that happen?  What are the mechanics of how it gets through?  I
already have someone dealing with the NT service pack levels.  My
concern right now is the firewall.
>
>
>Is it possible to scan all ports on all the IP addresses of a
netblock?
>Even though you are not able to ping my firewall from the Internet,
could you scan all ports on each of the IP addresses in my netblock and
once you hit port 25 on the public ip address of the mail scanner,
you'll get a 'listening' response?  Another way to put that is even
though you are not able to ping my firewall from the Internet, can you
still Nmap the public IP addresses (publicly accessible servers) that
are NAT'd behind my firewall?  If so, how does that work and can I do
anything to prevent it?
>
>
>Links to sites/articles/docs/pdfs would be great.  I just need to get
a better understanding of
>this...
>
>
>
>Thanks,
>Amy Morgan
>
>
>
>
>
>
