On Wed, Oct 28, 1998 at 08:02:52AM +1000, Gary Gaskell wrote:
: And what about the default of the ports 256, 257, 258 and 259 appearing on
: every interface? A little concerning, since they are not listed in the
: table of ports in the main manual. Even more concerning when I'm told
: they are for secure remote support, logging and configuration control!
: This obscurity makes one rather nervous.

What's so obscure? If you take a moment, and examine the services in your services database, and pay attention to the ones in the group called "Firewall-1", you would know what services are used by FW-1 for its internal functions.

Also, if you would bother to take the time to properly configure your FW-1 installation, you wouldn't see these issues. From the FW GUI, go to the Policy menu, and choose Properties. Turn on/off what you want/need. I'm of the opinion that you should turn off:

  Accept FW-1 Control Connections
  Accept RIP
  Accept DNS Queries
  Accept DNS Download
  Accept ICMP (consider Bill Burns' stateful ICMP inspect code)

Of course, by doing this, you'll need rules in your rulebase to permit the appropriate types of FW1 control connections between your firewall modules (aka PFMs) and Management Console. Possibly also to allow your fw managers using the FW1 GUI to connect to the Management Console if it lives on the same box as the PFM. If you are using something to do log analysis using LEA, you'll need to permit the LEA service to get to the Management Console (if it's on the same box as the PFM).

As with *any* firewall, taking the default settings is a problem. I found the advisory humorous, in that anyone who has read the documentation section on the policy properties knows what they are getting. I also noticed that someone took FW-1 training and didn't get told about this. My company does FW-1 training, and I've taught several classes of CCSEs. The information contained in this "advisory" is also covered in Chapter 5 of the CCSA course curriculum.

Anyone who has installed FW-1, and has (hopefully) read the documentation, and has been to training on the product should know this. There's no excuse for not knowing it.

--
Jason Costomiris <><              | Linux...
jcostomat_private                 | "Find out what you've been missing
http://www.jasons.org/~jcostom/   |  while you've been rebooting Windows NT."
#include <disclaimer.h>           |                            --Infoworld
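The point of the reply above is the difference between the "implied rules" that the Properties sheet switches on (evaluated before the rulebase, on every interface, from any source) and explicit rules that name the Management Console and module addresses. The following Python model, added here as an illustration and not part of the original thread or of any Check Point code, shows that difference: a tiny first-match policy evaluator with an "Accept FW-1 Control Connections" switch, run once with the default property on and once with it off plus explicit rules. The only values taken from the message are the ports 256-259; the addresses (firewall module 10.0.0.1, Management Console 10.0.0.5, LEA host 10.0.0.7, a LAN host and an outside host) and the rule layout are constructed, and the model deliberately does not map the four ports to individual services.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Ports the original message says show up on every interface of a default
# FW-1 install. The model treats them as one set; which service sits on
# which port is not taken from the message and is not assumed here.
FW1_CONTROL_PORTS = frozenset({256, 257, 258, 259})


def _addr_matches(pattern: str, addr: str) -> bool:
    """'any' matches everything; otherwise pattern is a CIDR block."""
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


@dataclass(frozen=True)
class Rule:
    src: str                          # CIDR or "any"
    dst: str                          # CIDR or "any"
    dports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                       # "accept" or "drop"

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (_addr_matches(self.src, src)
                and _addr_matches(self.dst, dst)
                and (self.dports is None or dport in self.dports))


@dataclass
class Policy:
    # Models the "Accept FW-1 Control Connections" property, on by default.
    accept_fw1_control_connections: bool = True
    rules: List[Rule] = field(default_factory=list)

    def decide(self, src: str, dst: str, dport: int) -> str:
        # Implied rules from the Properties sheet are checked before the
        # rulebase, regardless of source or arriving interface.
        if self.accept_fw1_control_connections and dport in FW1_CONTROL_PORTS:
            return "accept"
        for rule in self.rules:   # first match wins
            if rule.matches(src, dst, dport):
                return rule.action
        return "drop"             # implicit cleanup: nothing matched


def control_port_exposure(policy: Policy, firewall_addr: str, probes: List[str]) -> dict:
    """For each FW-1 control port, list the probe sources the policy would accept."""
    return {
        port: sorted(s for s in probes
                     if policy.decide(s, firewall_addr, port) == "accept")
        for port in sorted(FW1_CONTROL_PORTS)
    }


# Constructed addresses for the demonstration (hypothetical, not from the thread).
FW_MODULE = "10.0.0.1"       # the PFM
MGMT_CONSOLE = "10.0.0.5"    # Management Console, on a separate box here
LEA_HOST = "10.0.0.7"        # log-analysis host that talks LEA to the console
PROBE_SOURCES = [MGMT_CONSOLE, LEA_HOST, "10.0.1.20", "203.0.113.9"]

# Default install: property on, empty rulebase.
DEFAULT_POLICY = Policy()

# Hardened: property off, explicit rules naming the parties, a stealth rule
# protecting the module itself, then ordinary traffic rules after it.
HARDENED_POLICY = Policy(
    accept_fw1_control_connections=False,
    rules=[
        Rule(f"{MGMT_CONSOLE}/32", f"{FW_MODULE}/32", FW1_CONTROL_PORTS, "accept"),
        Rule(f"{LEA_HOST}/32", f"{MGMT_CONSOLE}/32", FW1_CONTROL_PORTS, "accept"),
        Rule("any", f"{FW_MODULE}/32", None, "drop"),        # stealth rule
        Rule("10.0.1.0/24", "any", None, "accept"),          # LAN outbound
        Rule("any", "any", None, "drop"),                    # explicit cleanup
    ],
)


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, control_port_exposure(pol, FW_MODULE, PROBE_SOURCES))
```

The stealth rule sits before the broad LAN outbound rule on purpose: with the order reversed, "10.0.1.0/24 to any, any port" would match first and the LAN host would reach the module's control ports even with the property off. The exposure report is the check to run after editing the Properties sheet, since it makes the "from every interface, from anyone" effect of the implied rule visible side by side with the explicit rulebase.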
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:21:31 PDT