Bugtraq mailing list archives
Re: Firewall-1 Security Advisory
From: jcostom () JASONS ORG (Jason Costomiris)
Date: Fri, 30 Oct 1998 10:18:28 -0500
On Wed, Oct 28, 1998 at 08:02:52AM +1000, Gary Gaskell wrote:
: And what about the default of the ports 256, 257, 258 and 259 appearing on
: every interface? A little concerning, since they are not listed in the
: table of ports in the main manual. Even more concerning when I'm told
: they are for secure remote support, logging and configuration control!
: This obscurity makes one rather nervous.

What's so obscure? If you take a moment, and examine the services in your services database, and pay attention to the ones in the group called "Firewall-1", you would know what services are used by FW-1 for its internal functions.

Also, if you would bother to take the time to properly configure your FW-1 installation, you wouldn't see these issues. From the FW GUI, go to the Policy menu, and choose Properties. Turn on/off what you want/need. I'm of the opinion that you should turn off:

  Accept FW-1 Control Connections
  Accept RIP
  Accept DNS Queries
  Accept DNS Download
  Accept ICMP (consider Bill Burns' stateful ICMP inspect code)

Of course, by doing this, you'll need rules in your rulebase to permit the appropriate types of FW1 control connections between your firewall modules (aka PFMs) and Management Console. Possibly also to allow your fw managers using the FW1 GUI to connect to the Management Console if it lives on the same box as the PFM. If you are using something to do log analysis using LEA, you'll need to permit the LEA service to get to the Management Console (if it's on the same box as the PFM).

As with *any* firewall, taking the default settings is a problem. I found the advisory humorous, in that anyone who has read the documentation section on the policy properties knows what they are getting. I also noticed that someone took FW-1 training and didn't get told about this. My company does FW-1 training, and I've taught several classes of CCSE's. The information contained in this "advisory" is also covered in Chapter 5 of the CCSA course curriculum.
Anyone who has installed FW-1, and has (hopefully) read the documentation, and has been to training on the product should know this. There's no excuse for not knowing it.

--
Jason Costomiris <><              | Linux...
jcostom () jasons org              | "Find out what you've been missing
http://www.jasons.org/~jcostom/   | while you've been rebooting Windows NT."
#include <disclaimer.h>           | --Infoworld
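The post's advice amounts to two things: audit the Policy Properties so the implied rules it lists are switched off, and replace "Accept FW-1 Control Connections" with explicit rules between the enforcement modules, the Management Console, the GUI admins and the LEA collector. The following is an added example, not code from the post or from Check Point: a tiny first-match rulebase evaluator in the FW-1 style (no match means drop) loaded with those explicit rules, plus a check of which of the post's five properties are still enabled. The topology addresses, the rule names, and the LEA port value are assumptions constructed for the example; the ports 256-259 are the ones the thread discusses.

```python
"""Explicit FW-1 control-connection rules in place of the implied defaults.

Added example, not from the post or Check Point. Addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Constructed topology (assumption): one Management Console, two enforcement
# modules (PFMs), an admin subnet running the FW-1 GUI, and a LEA log collector.
MGMT_CONSOLE = (ip_network("10.0.0.10/32"),)
FW_MODULES = (ip_network("10.0.0.1/32"), ip_network("10.0.1.1/32"))
GUI_ADMINS = (ip_network("10.0.2.0/24"),)
LEA_COLLECTOR = (ip_network("10.0.0.20/32"),)
ANY = (ip_network("0.0.0.0/0"),)

# The FW-1 internal service ports the thread is about.
FW1_CONTROL_PORTS = frozenset({256, 257, 258, 259})
# Assumed value for the example; take the real one from the "Firewall-1"
# service group in your services database.
LEA_PORT = 18184

# Policy Properties the post says to turn off.
RISKY_IMPLIED_RULES = (
    "Accept FW-1 Control Connections",
    "Accept RIP",
    "Accept DNS Queries",
    "Accept DNS Download",
    "Accept ICMP",
)


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple                       # networks the source may belong to
    dst: tuple                       # networks the destination may belong to
    ports: Optional[FrozenSet[int]]  # None = any destination port
    action: str                      # "accept" or "drop"


def _in_any(nets, addr) -> bool:
    return any(addr in n for n in nets)


def evaluate(rulebase, src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation; nothing matched means the implicit cleanup drop."""
    s, d = ip_address(src), ip_address(dst)
    for r in rulebase:
        if (_in_any(r.src, s) and _in_any(r.dst, d)
                and (r.ports is None or dport in r.ports)):
            return r.action, r.name
    return "drop", "implicit-cleanup"


def build_rulebase():
    """The explicit rules the post says you need once the implied ones are off."""
    return [
        Rule("module-to-mgmt", FW_MODULES, MGMT_CONSOLE, FW1_CONTROL_PORTS, "accept"),
        Rule("mgmt-to-module", MGMT_CONSOLE, FW_MODULES, FW1_CONTROL_PORTS, "accept"),
        Rule("gui-to-mgmt", GUI_ADMINS, MGMT_CONSOLE, FW1_CONTROL_PORTS, "accept"),
        Rule("lea-to-mgmt", LEA_COLLECTOR, MGMT_CONSOLE, frozenset({LEA_PORT}), "accept"),
        # Stealth rule: nobody else talks to the firewall hosts themselves.
        Rule("stealth", ANY, FW_MODULES + MGMT_CONSOLE, None, "drop"),
    ]


def audit_properties(properties: dict) -> list:
    """Return the implied rules from the post's list that are still enabled."""
    return [p for p in RISKY_IMPLIED_RULES if properties.get(p, False)]


if __name__ == "__main__":
    rb = build_rulebase()
    for pkt in [("10.0.0.1", "10.0.0.10", 256),    # module reporting to console
                ("10.0.2.5", "10.0.0.10", 258),    # admin running the GUI
                ("192.0.2.7", "10.0.0.10", 256)]:  # outsider probing port 256
        print(pkt, "->", evaluate(rb, *pkt))
    # Constructed property sheet: RIP is already off, the rest still default on.
    sheet = {p: True for p in RISKY_IMPLIED_RULES}
    sheet["Accept RIP"] = False
    print("still enabled:", audit_properties(sheet))
```

The point of the stealth rule sitting after the specific accepts is the same as the post's: with "Accept FW-1 Control Connections" off, ports 256-259 are reachable only from the hosts you named, and everything else hitting them is logged as a drop rather than silently accepted by an implied rule.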