As a reseller of FW-1 I think I should add something to this discussion. It is indeed possible to do something bad during this time. You have about 10 seconds when the FW-1 answers ping and if you portscan for something that you know is open on the machine (of course, a correct configured FW-1 has no services available) you will see that you can reach this service for about 2-3 seconds. I tried to delay the FW-1 so that we could have some more time then just 2-3 seconds with a combination of a ping- and fragmentation-flood and yes, I got more time. About 20-30 seconds. During this time the machine is very slow but I succeeded to do something "bad" on this time since I mapped the c: which is shared by default on NT. What I could have done more was to replace the binary for the rule-set with a "any any any accept" rule-base and NOW we've done something bad! I also tried to route packets through the FW-1 during this period but did not succeed. It's not very hard no write a program in for example perl to do all the above automatically. You got to know the login-name for administrator and the password of course so we got to have that first. What we also want is to be able to reboot the FW-1/NT-server remotly with some kind of DoS-attack but this is indeed possible when running on NT. No details here but there are problems in NT that causes the machine to BSoD. I'm pretty sure that someone soon will post something about this issue 8-). I've recently been in touch with Checkpoint regarding this issue and their answer is that they cannot control this because of the underlaying operating system. What they can control is IP Forwarding (thank god). So what do we learn? 1) Don't run FW-1 on NT. 2) If you do it anyway, be very careful with the configuration and strip it from every service not needed!!!!!! Cheers, Robert Ståhlbrand, Salcom AB Cristiano Lincoln Mattos wrote: > Quoting Christoforos Karatzinis <chkaat_private>: > > Hi, > The FW1 documentation clearly states that there is > a small delay after the interface initialize's and the > FW starts acting on it. It is possible to do something > "bad" to it in this period... > > Regards, > Cristiano Lincoln Mattos > Recife / Brazil > > > The first 25 packets were lost before the interface's > initialization. The > > packets with sequence number greater than 34 are droped > from the firewall. > > What about the packets with sequence number 25-34? Is it > possible that > > someone can use this time (after the interface's > initialization and before > > the firewall's initialization) to do something bad? > > > > Regards, > > Christofer
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:15 PDT