Checkpoint FW-1 identification

From: Tim Hirst (hirstat_private)
Date: Fri Jul 16 1999 - 01:26:52 PDT


    Hi all,
    
    This is not a bug but is instead a common procedural error.
    If a remote attacker performs a port scan on a network and
    finds a machine with ports 256, 257, and 258 open then it is
    a sure bet that they are running a Checkpoint FW-1 firewall.
    Since increased awareness about the brand and location of a
    firewall can greatly help an attacker, providing this
    information is a *bad* thing.
    
    Solution: Don't give them the info. Don't allow any
    connections to the firewall itself, except for the firewall
    protocol, and only allow that from trusted sources. Of
    course this means that your firewall should not be running
    any other services, but that should be a given. Also make
    sure that you disable the appropriate sections in the
    *hidden* properties page. If you have a router then add an
    ACL that disallows unauthorized systems from scanning or
    even seeing these ports.
    
    
    
    -- 
    Tim Hirst                          <thirstat_private>
    Audit Team Leader                http://www.hiverworld.com
    Hiverworld, Inc.               Enterprise Network Security
    Network Forensics, Intrusion Detection and Risk Management
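
An added example (not part of the original post, and not Check Point's or Hiverworld's code) that turns the advice above into a check a defender can run over firewall log lines: any connection to the firewall's own address on TCP 256, 257 or 258 from a source outside the trusted management network is reported, and a source that touched all three ports is flagged separately, since that is the pattern the post describes a port scan producing. The firewall address, the trusted network and the log lines are all constructed for the example; the log format is an invented `key=value` style, not FW-1's real log format.

```python
"""Report untrusted access to Check Point FW-1 management ports.

The post names TCP 256, 257 and 258 as the tell-tale ports. This script
checks constructed log lines for (a) any hit on those ports at the
firewall from a host outside the trusted management network and
(b) sources that touched all three ports, i.e. the port-scan pattern.
"""
import ipaddress
import re
from collections import defaultdict

FW1_PORTS = {256, 257, 258}           # management ports named in the post

# Constructed values for the example: the firewall's own address and the
# only network that is allowed to speak the firewall protocol to it.
FIREWALL_ADDR = "192.0.2.1"
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/24")]

# Constructed sample log lines in an invented key=value format.
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.0.2.1 proto=tcp dport=256 action=accept
src=203.0.113.7 dst=192.0.2.1 proto=tcp dport=256 action=accept
src=203.0.113.7 dst=192.0.2.1 proto=tcp dport=257 action=accept
src=203.0.113.7 dst=192.0.2.1 proto=tcp dport=258 action=drop
src=203.0.113.9 dst=192.0.2.1 proto=tcp dport=80 action=drop
src=198.51.100.4 dst=192.0.2.1 proto=tcp dport=257 action=drop
src=203.0.113.7 dst=192.0.2.50 proto=tcp dport=256 action=drop
"""

LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+) "
    r"action=(?P<action>\w+)"
)


def parse_line(line):
    """Return a dict for a TCP log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src):
    """True if the source address lies inside a trusted management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)


def find_untrusted_mgmt_access(lines):
    """All hits on FW-1 ports at the firewall itself from untrusted sources.

    Returns a list of (src, dport, action) tuples in log order. An
    'accept' here means the firewall answered an untrusted host, which is
    exactly the information leak the post warns about; a 'drop' still
    shows that the port was reachable enough to be probed.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != FIREWALL_ADDR:
            continue
        if rec["dport"] in FW1_PORTS and not is_trusted(rec["src"]):
            hits.append((rec["src"], rec["dport"], rec["action"]))
    return hits


def find_fingerprint_probes(lines):
    """Untrusted sources that touched every one of 256, 257 and 258."""
    ports_by_src = defaultdict(set)
    for src, dport, _action in find_untrusted_mgmt_access(lines):
        ports_by_src[src].add(dport)
    return sorted(s for s, ports in ports_by_src.items() if ports == FW1_PORTS)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, dport, action in find_untrusted_mgmt_access(lines):
        print(f"untrusted {src} -> {FIREWALL_ADDR}:{dport} ({action})")
    for src in find_fingerprint_probes(lines):
        print(f"all three FW-1 ports touched by {src}: likely fingerprinting scan")
```

With the constructed lines the script reports four untrusted hits (three from 203.0.113.7, one from 198.51.100.4) and flags 203.0.113.7 as having touched all three ports; the line aimed at 192.0.2.50 is ignored because the post's concern is the firewall host itself. The two `accept` results are the ones to act on first, because they show the firewall answering a host that the policy should never have let through.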
    


