This issue can be fixed by simply implementing a stealthing rule on the firewall itself. The problem is in NT's stack, not the firewall's.

> Jamie Thain wrote:
>
> > Timothy,
> >
> > > I was running nmap against a client's Checkpoint FW-1
> > > when they called to inform me that it had crashed. I
> > > was not on site so unfortunately I have little
> > > details.
> >
> > I have seen this before where a high speed port scanner running against a
> > FW-1 on NT seems to crash it. FW-1 does not exhibit this behaviour on
> > Sun. You may want to check and make sure you have the most recent patch
> > level. That information is on the FW-1 site.
> >
> > > I DO know that they were running it on a NT
> > > box and it was behind a Cisco 3640.
> >
> > Since they are running this behind a Cisco, why not do something
> > creative like install an access list on the external interface to help
> > protect the FW-1. Suppose for example, you have the following situation.
> >
> > fw-1 external interface 209.111.222.10
> > work stations hide behind .12
> > the SMTP server is on .50
> > and the WEB server is on .50
> >
> > ( port translated to diff machines )
> > You use an external mail relay at the ISP at 192.167.10.1 and you use
> > DNS servers on the same network as the SMTP relay as forwarders in a split
> > horizon.
> >
> > On the inbound interface of your cisco you could add the following.
> > Cisco does not allow for these comments, they are just there to help.
> >
> > # short cut established packets (the established keyword only exists for tcp)
> > access-list 101 permit tcp any 209.111.222.0 0.0.0.255 established
> >
> > # prevent non-routed address, anti-spoofing
> > access-list 101 deny ip any 10.0.0.0 0.255.255.255
> > access-list 101 deny ip any 172.16.0.0 0.15.255.255
> > access-list 101 deny ip any 192.168.0.0 0.0.255.255
> >
> > # allow high ports
> > access-list 101 permit tcp any 209.111.222.0 0.0.0.255 gt 1023
> >
> > # allow web service and email. Note the email is to the relay.
> > access-list 101 permit tcp any host 209.111.222.50 eq http
> > access-list 101 permit tcp host 192.167.10.1 host 209.111.222.50 eq smtp
> >
> > # only allow udp from the network with the DNS on it
> > # (inbound list, so the ISP network is the source)
> > access-list 101 permit udp 192.167.10.0 0.0.0.255 209.111.222.0 0.0.0.255
> >
> > # don't allow ping (echo) to any host but the smtp/http server
> > # people are funny if they can't ping the hosts...
> > # (icmp message types are given without "eq")
> >
> > access-list 101 permit icmp any host 209.111.222.50 echo
> > access-list 101 deny icmp any any echo
> > access-list 101 permit icmp any any
> >
> > # only allow access to 12 and 50 in any case.
> >
> > access-list 101 permit ip any host 209.111.222.12
> > access-list 101 permit ip any host 209.111.222.50
> >
> > interface serial0.1 point-to-point
> > ip address 209.111.221.252
> > no ip directed-broadcast
> > ip access-group 101 in
> >
> > # And on the inbound access list of the inside interface, I normally put a
> > # set that only allows the two interesting addresses out...
> >
> > access-list 103 permit ip host 209.111.222.12 any
> > access-list 103 permit ip host 209.111.222.50 any
> >
> > interface ethernet0
> > ip address 209.111.222.254
> > no ip directed-broadcast
> > ip access-group 103 in
> >
> > This of course does not prevent a DOS attack against your FW-1, but it
> > does make attacking it much more difficult. It also has some good
> > things, because the only interfaces that can be accessed are virtual
> > numbers and not the real interfaces of the cards. Also, overloading a
> > single address and doing port translation for all of your inbound
> > services lets you write far simpler rules in the router.
> >
> > There are no ping requests to any address, including the
> > router and FW-1. Of course the only down-side is nmap recognizes that
> > this is firewalled because of all of the rejects going out. So you might
> > want to suppress all outbound unreachables on the serial interface. I
> > think that would fix it.
> >
> > Even if you are not this aggressive, your router can add a good layer of
> > security by just chucking stupid scanner requests. I hope CISCO comes up
> > with a DROP for their access list.
> >
> > The flags that go red in your FW-1 have additional meaning as most of
> > the crap is gone now...
> >
> > regards: jamie
> >
> > PLEASE NOTE::: This access list was typed directly from my head, and you
> > would need to test it before using it...

Jason Ihde
malikaiat_private
Networked Systems Consultant & Internet Systems Security
PGP Key available via finger or http://interactivealien.com/~malikai/pgp
Experience is what you get when you don't get what you want.
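Jamie's closing note says the list was typed from memory and needs testing before use. The following is an added example, not code from either poster, that does exactly that kind of desk check offline: a small first-match evaluator for Cisco-style extended access lists, run over a transcription of access-list 101 from the thread (with `established` on a `tcp` line, the ICMP types written without `eq`, and the DNS line written with the ISP network as source, since the list is applied inbound) against a few constructed packets. The packet model, the `Packet`/`Rule` classes and the `evaluate` function are my own assumptions about IOS semantics (first match wins, implicit deny at the end, wildcard bits set to 1 are "don't care"), not a real IOS parser.

```python
"""Desk-check a Cisco-style extended ACL: first match wins, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"http": 80, "www": 80, "smtp": 25, "domain": 53, "ftp": 21, "telnet": 23}


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None     # destination port for tcp/udp
    established: bool = False       # TCP segment with ACK or RST set
    icmp_msg: Optional[str] = None  # e.g. "echo", "echo-reply"


@dataclass
class Rule:
    action: str
    proto: str
    src: tuple                      # (network, wildcard) or ("any", None)
    dst: tuple
    op: Optional[str] = None        # "eq" or "gt" (destination port only)
    port: Optional[int] = None
    established: bool = False
    icmp_msg: Optional[str] = None


def _take_addr(toks, i):
    """Consume 'any', 'host A' or 'A WILDCARD' starting at toks[i]."""
    if toks[i] == "any":
        return ("any", None), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2


def _addr_match(spec, addr):
    net, wild = spec
    if net == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    # bits set in the wildcard are ignored; the rest must equal the network
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        if toks[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        rule = Rule(action=toks[2], proto=toks[3], src=("any", None), dst=("any", None))
        rule.src, i = _take_addr(toks, 4)
        rule.dst, i = _take_addr(toks, i)
        while i < len(toks):
            t = toks[i]
            if t in ("eq", "gt"):
                rule.op, i = t, i + 2
                rule.port = PORT_NAMES.get(toks[i - 1]) or int(toks[i - 1])
            elif t == "established":
                rule.established, i = True, i + 1
            elif rule.proto == "icmp":
                rule.icmp_msg, i = t, i + 1
            else:
                raise ValueError(f"unsupported token {t!r} in: {line}")
        rules.append(rule)
    return rules


def _rule_match(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.established and not pkt.established:
        return False
    if rule.op == "eq" and pkt.dport != rule.port:
        return False
    if rule.op == "gt" and (pkt.dport is None or pkt.dport <= rule.port):
        return False
    if rule.icmp_msg is not None and pkt.icmp_msg != rule.icmp_msg:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, index of the first matching rule); no match -> ('deny', None)."""
    for idx, rule in enumerate(rules):
        if _rule_match(rule, pkt):
            return rule.action, idx
    return "deny", None


# Transcription of the inbound list from the thread (syntax corrected as noted above).
ACL_101 = """
access-list 101 permit tcp any 209.111.222.0 0.0.0.255 established
access-list 101 deny ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.16.0.0 0.15.255.255
access-list 101 deny ip any 192.168.0.0 0.0.255.255
access-list 101 permit tcp any 209.111.222.0 0.0.0.255 gt 1023
access-list 101 permit tcp any host 209.111.222.50 eq http
access-list 101 permit tcp host 192.167.10.1 host 209.111.222.50 eq smtp
access-list 101 permit udp 192.167.10.0 0.0.0.255 209.111.222.0 0.0.0.255
access-list 101 permit icmp any host 209.111.222.50 echo
access-list 101 deny icmp any any echo
access-list 101 permit icmp any any
access-list 101 permit ip any host 209.111.222.12
access-list 101 permit ip any host 209.111.222.50
"""
RULES = parse_acl(ACL_101)

if __name__ == "__main__":
    # constructed sample traffic; 1.2.3.4 stands in for an arbitrary internet host
    for label, pkt in [
        ("SYN to FW-1 external interface", Packet("tcp", "1.2.3.4", "209.111.222.10", 80)),
        ("SYN to the web server", Packet("tcp", "1.2.3.4", "209.111.222.50", 80)),
        ("SMTP from a non-relay host", Packet("tcp", "5.6.7.8", "209.111.222.50", 25)),
        ("ping the hide address .12", Packet("icmp", "1.2.3.4", "209.111.222.12", icmp_msg="echo")),
        ("private source address", Packet("tcp", "10.1.1.1", "209.111.222.50", 80)),
    ]:
        print(f"{label:32} -> {evaluate(RULES, pkt)}")
```

Two things the evaluator surfaces that are easy to miss when reading the list: the final "only allow access to 12 and 50 in any case" lines permit all IP to .50, so a non-relay host can still reach SMTP on .50 (the relay-only line above it never gets the last word), and the anti-spoofing lines test the destination, so a packet arriving from the internet with a private source address falls through to the later permits.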
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:06 PDT