I took the Firewall-1 course and this was most definitely not covered. As it happens, we filter bi-directionally and do not appear to be affected by this, but it is nice to know.

On Tue, 27 Oct 1998, Mnemonix wrote:

> ----------
> > From: Paul Sears <Paul_Searsat_private>
> > To: BUGTRAQat_private
> > Subject: Re: Firewall-1 Security Advisory
> > Date: Monday, October 26, 1998 8:58 PM
> >
> > Diligence Risks wrote:
> >
> > > Diligence Security Advisory
> > >
> > > Issue: Checkpoint's Firewall-1 has a "feature" that can allow an external
> > > intruder to pass through the firewall and attack machines, uninhibited, on
> > > the protected side.
> > >
> > -SNIP-
> >
> > This is documented in the administration guide and CCSE training
> > classes also cover these.
>
> According to Check Point sources this is undocumented. Having also read
> through the CCSE manuals, the only thing close to a caveat I can find is the
> following (CCSA manual - Page 5-49 - Configuring Control Properties):
>
> Begin Quote
>
> Currently, the most common errors during implementation of Firewall-1 are
> made in the Control Properties. The reasons for these errors are:
>
> 1) Misunderstanding the importance of direction when packets are inspected, and
> 2) Misunderstanding of how the Control Properties and the Rule Base
> Matching Order work together.
>
> End Quote
>
> So the closest thing to a warning comes not in the manuals that come with
> the software - but you have to pay to go on a course for this info. I may
> be wrong about this - if you know of any other place where this is
> documented, please let me know.
>
> Cheers,
> David Litchfield
> MCP+Internet
> Information Security Specialist

Regards:
John Horn
Unix Systems Administrator
City of Tucson, Tucson Arizona
jhorn1at_private
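The point both posters circle around is the "direction" caveat quoted from the CCSA manual: a policy that is enforced only in one direction on an interface leaves some packet paths uninspected, and John Horn's "we filter bi-directionally" is the mitigation. The following is an added illustration written for this archive page, not code from the thread, from Check Point, or from the Diligence advisory. It is a deliberately simplified model of direction-aware inspection (interface names, rule format and the `traverse` function are all made up for the example; Check Point's INSPECT engine is not modelled) that shows why installing a rule base in only one direction can let a packet reach its destination without ever being matched against the rule base, and why "eitherbound" enforcement closes that gap.

```python
"""Toy model of direction-aware firewall inspection (constructed example).

A packet crosses the gateway in up to two hops: it arrives on an ingress
interface (the INBOUND hop) and, unless it is addressed to the gateway
itself, leaves on an egress interface (the OUTBOUND hop).  The rule base is
consulted on a hop only when the installed direction covers that hop.  Any
packet that completes its hops without ever being inspected is forwarded
un-checked, which is the failure mode this example makes visible.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INBOUND, OUTBOUND, EITHERBOUND = "inbound", "outbound", "eitherbound"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str            # hypothetical interface the packet arrives on
    egress: Optional[str]   # None when the packet is addressed to the gateway


@dataclass(frozen=True)
class Rule:
    src: str                # CIDR prefix or "any"
    dst: str                # CIDR prefix or "any"
    dport: Optional[int]    # None matches any port
    action: str             # "accept" or "drop"


def _net_match(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix)


def evaluate_rulebase(rules: List[Rule], pkt: Packet) -> str:
    """First-match rule base with an implicit 'drop everything else' cleanup rule."""
    for r in rules:
        if (_net_match(r.src, pkt.src) and _net_match(r.dst, pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action
    return "drop"


def traverse(rules: List[Rule], pkt: Packet, direction: str) -> Tuple[str, bool]:
    """Push a packet through the gateway.

    Returns (verdict, inspected): the final fate of the packet and whether the
    rule base was consulted at least once on its way through.
    """
    hops = [(pkt.ingress, INBOUND)]
    if pkt.egress is not None:
        hops.append((pkt.egress, OUTBOUND))
    inspected = False
    for _iface, hop_dir in hops:
        if direction == EITHERBOUND or direction == hop_dir:
            inspected = True
            if evaluate_rulebase(rules, pkt) == "drop":
                return "drop", True
    # No hop dropped it; if no hop inspected it, it was forwarded blind.
    return "accept", inspected


def uninspected_passes(rules: List[Rule], packets: List[Packet], direction: str) -> List[Packet]:
    """Audit helper: packets that would be accepted without any inspection."""
    return [p for p in packets
            if traverse(rules, p, direction) == ("accept", False)]


# Constructed sample policy: only HTTP to the internal web server is allowed.
RULES = [Rule("any", "10.0.0.0/24", 80, "accept")]

# Constructed sample traffic.  203.0.113.5 is an external host, 10.0.0.10 an
# internal server, 192.0.2.1 the gateway's own external address.
WEB = Packet("203.0.113.5", "10.0.0.10", 80, ingress="eth0", egress="eth1")
SSH_INSIDE = Packet("203.0.113.5", "10.0.0.10", 22, ingress="eth0", egress="eth1")
SSH_GATEWAY = Packet("203.0.113.5", "192.0.2.1", 22, ingress="eth0", egress=None)
SAMPLE = [WEB, SSH_INSIDE, SSH_GATEWAY]

if __name__ == "__main__":
    for direction in (INBOUND, OUTBOUND, EITHERBOUND):
        leaks = uninspected_passes(RULES, SAMPLE, direction)
        print(f"{direction:11s}: {len(leaks)} packet(s) forwarded without inspection")
```

Running the block shows that the inbound-only and eitherbound policies inspect every sample packet, while the outbound-only policy lets the packet addressed to the gateway itself through untouched, because that packet never has an outbound hop on which the rule base would be consulted. The audit helper `uninspected_passes` is the check a practitioner would want when reviewing a policy's direction setting: any non-empty result means some path through the gateway is not covered by the rule base at all.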
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:23 PDT