Timothy,

> I was running nmap against a client's Checkpoint FW-1
> when they called to inform me that it had crashed. I
> was not on site so unfortunately I have little
> details.

I have seen this before where a high-speed port scanner running against a FW-1 on NT seems to crash it. FW-1 does not exhibit this behaviour on Sun. You may want to check and make sure you have the most recent patch level. That information is on the FW-1 site.

> I DO know that they were running it on a NT
> box and it was behind a Cisco 3640.

Since they are running this behind a Cisco, why not do something creative like install an access list on the external interface to help protect the FW-1.

Suppose, for example, you have the following situation. The FW-1 external interface is 209.111.222.10; workstations hide behind .12; the SMTP server is on .50 and the WEB server is on .50 (port translated to different machines). You use an external mail relay at the ISP at 192.167.10.1, and you use DNS servers on the same network as the SMTP relay as forwarders in a split horizon.

On the inbound interface of your Cisco you could add the following. Cisco does not allow for these comments, they are just there to help.

# short cut established packets ('established' is only valid with tcp)
access-list 101 permit tcp any 209.111.222.0 0.0.0.255 established
# prevent non-routed addresses, anti-spoofing (match on the source address)
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
# allow high ports
access-list 101 permit tcp any 209.111.222.0 0.0.0.255 gt 1023
# allow web service and email. Note the email is to the relay.
access-list 101 permit tcp any host 209.111.222.50 eq http
access-list 101 permit tcp host 192.167.10.1 host 209.111.222.50 eq smtp
# only allow udp from the ISP network with the DNS forwarders on it
access-list 101 permit udp 192.167.10.0 0.0.0.255 209.111.222.0 0.0.0.255
# don't allow ping (echo) to any host but the smtp/http server
# people are funny if they can't ping the hosts...
# (IOS takes the ICMP type name directly, no 'eq')
access-list 101 permit icmp any host 209.111.222.50 echo
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any
# only allow access to .12 and .50 in any case.
access-list 101 permit ip any host 209.111.222.12
access-list 101 permit ip any host 209.111.222.50

interface serial0.1 point-to-point
 ip address 209.111.221.252
 no ip directed-broadcast
 ip access-group 101 in

# And on the inside interface, inbound, I normally put a set that only allows
# the two interesting addresses out...
access-list 103 permit ip host 209.111.222.12 any
access-list 103 permit ip host 209.111.222.50 any

interface ethernet0
 ip address 209.111.222.254
 no ip directed-broadcast
 ip access-group 103 in

This of course does not prevent a DOS attack against your FW-1, but it does make attacking it much more difficult. It also has some good things, because the only interfaces that can be accessed are virtual numbers and not the real interface of cards. Also, overloading a single address and doing port translation for all of your inbound services lets you write far simpler rules in the router. There are no ping requests to any address, including the router and FW-1.

Of course the only down-side is nmap recognizes that this is firewalled because of all of the rejects going out. So you might want to suppress all outbound unreachables on the serial interface. I think that would fix it.

Even if you are not this aggressive, your router can add a good layer of security by just chucking stupid scanner requests. I hope CISCO comes up with a DROP for their access lists.

The flags that go red in your FW-1 have additional meaning as most of the crap is gone now...

regards: jamie

PLEASE NOTE: This access list was typed directly from my head, and you would need to test it before using it...
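As an added example that is not part of jamie's post, the following Python script replays constructed packets through list 101 so that the first-match ordering can be checked on paper before the list goes on a router. It uses the post's list with the IOS syntax corrected (tcp rather than ip for `established`, ICMP type names without `eq`, anti-spoofing matched on the source address, and the UDP rule written from the ISP's DNS network). The probe sources 1.2.3.4, 10.1.2.3 and 192.167.10.5 are constructed, and the rule index it reports is the zero-based position of the first matching line; a result of `None` means the implicit deny at the end of the list. It also shows that the broad `gt 1023` permit, not one of the host rules, is what answers a high-port TCP probe aimed at the FW-1's own address.

```python
"""Minimal IOS extended-ACL evaluator: first match wins, implicit deny last.
Added example, not from the mailing-list post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"http": 80, "smtp": 25, "domain": 53}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3}

# Post's list 101 with the IOS syntax corrected (see lead-in).
ACL_101 = """
access-list 101 permit tcp any 209.111.222.0 0.0.0.255 established
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp any 209.111.222.0 0.0.0.255 gt 1023
access-list 101 permit tcp any host 209.111.222.50 eq http
access-list 101 permit tcp host 192.167.10.1 host 209.111.222.50 eq smtp
access-list 101 permit udp 192.167.10.0 0.0.0.255 209.111.222.0 0.0.0.255
access-list 101 permit icmp any host 209.111.222.50 echo
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any
access-list 101 permit ip any host 209.111.222.12
access-list 101 permit ip any host 209.111.222.50
"""


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str
    src_wc: str                   # IOS wildcard: 1 bits are "don't care"
    dst: str
    dst_wc: str
    port_op: Optional[str] = None  # "eq"/"gt" on dst port or ICMP type
    port: int = 0
    established: bool = False     # tcp only: ACK or RST set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0                # dst port, or ICMP type for icmp
    established: bool = False


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard does not mask."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _parse_addr(tok, i):
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    src, src_wc, i = _parse_addr(tok, 4)
    dst, dst_wc, i = _parse_addr(tok, i)
    rule = Rule(tok[2], tok[3], src, src_wc, dst, dst_wc)
    while i < len(tok):
        if tok[i] in ("eq", "gt"):
            rule.port_op = tok[i]
            rule.port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            i += 2
        elif tok[i] == "established":
            rule.established, i = True, i + 1
        elif rule.proto == "icmp" and tok[i] in ICMP_TYPES:
            rule.port_op, rule.port, i = "eq", ICMP_TYPES[tok[i]], i + 1
        else:
            raise ValueError(f"unsupported token {tok[i]!r} in {line!r}")
    return rule


def parse_acl(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.startswith("access-list")]


def evaluate(acl, pkt):
    """Return (action, index of first matching rule); None = implicit deny."""
    for n, r in enumerate(acl):
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, r.src, r.src_wc):
            continue
        if not wildcard_match(pkt.dst, r.dst, r.dst_wc):
            continue
        if r.established and not pkt.established:
            continue
        if r.port_op == "eq" and pkt.dport != r.port:
            continue
        if r.port_op == "gt" and not pkt.dport > r.port:
            continue
        return r.action, n
    return "deny", None


# Constructed probes: an outside host (1.2.3.4), a spoofed 10/8 source and
# the ISP's DNS network, aimed at the FW-1 (.10), the hide address (.12)
# and the public server (.50).
PROBES = {
    "http_to_web": Packet("tcp", "1.2.3.4", "209.111.222.50", 80),
    "spoofed_rfc1918": Packet("tcp", "10.1.2.3", "209.111.222.50", 80),
    "ssh_to_fw1": Packet("tcp", "1.2.3.4", "209.111.222.10", 22),
    "highport_to_fw1": Packet("tcp", "1.2.3.4", "209.111.222.10", 8080),
    "ping_fw1": Packet("icmp", "1.2.3.4", "209.111.222.10", 8),
    "ping_web": Packet("icmp", "1.2.3.4", "209.111.222.50", 8),
    "unreach_to_fw1": Packet("icmp", "1.2.3.4", "209.111.222.10", 3),
    "dns_from_isp": Packet("udp", "192.167.10.5", "209.111.222.12", 53),
    "dns_from_elsewhere": Packet("udp", "1.2.3.4", "209.111.222.10", 53),
}


def replay(acl_text=ACL_101, probes=PROBES):
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, p) for name, p in probes.items()}


if __name__ == "__main__":
    for name, (action, idx) in replay().items():
        print(f"{name:20s} {action:6s} rule {'implicit' if idx is None else idx}")
```

The evaluator deliberately ignores anything the post's list does not use (named ports beyond http/smtp/domain, `lt`, `range`, `log`), so an unsupported token raises rather than silently matching; that is the behaviour you want from a checker that is meant to catch a list "typed directly from my head" before it reaches the router.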
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:34:26 PDT