Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Understanding Firewall-1 Configs

From: amy_morgan () hushmail com
Date: Wed, 8 Jan 2003 20:04:23 -0800

-----BEGIN PGP SIGNED MESSAGE-----

Our network engineer just left the company and all of his responsibilities have been transferred to me, including the 
firewall.

So, here's what I'm trying to find out...


This is a general diagram.


            Internet
                |
                |
                V
          Border Router (Cisco)
                |
                |
                V
            Firewall--->DMZ: DNS(NT4), www(NT4), mail scanner
                |
                |
                V
         Core Switch (Cisco)-------Frame Relay Connection
                |
                |
         Internal Network




Here are the details on the firewall:

CheckPoint Firewall-1  4.1 SP1 on NT4 SP5
You are not able to ping the firewall from the Internet.
All public IP addresses (located in the DMZ) are NAT'd to internal 172.16.x.x
A separate workstation object is created for each box that needs a public IP address and then another workstation 
object is created for it's internal IP address counterpart.  The public IP address/port is then then NAT'd over to the 
internal IP address/port.

For example:  The web server has two workstation objects, the one with the public IP address and one with the internal 
IP address.  Incoming packets on port 80 & 443 to the public IP address are then NAT'd over to the internal IP 
address/port. Correct..?
All inbound ports are blocked by default except requests made to specific IP address/port:

Inbound...
- -on port 25 to public IP address of mail scanner is NAT'd to internal IP address of mail scanner
- -on port 80 to public ip address of IIS is NAT's to internal IP address of IIS
- -on port 443 to public ip address of IIS is NAT's to internal IP address of IIS
- -on port 1494 to public ip address of Citrix box is NAT'd to internal ip address of Citrix


Questions:

1. On a scale of 1 - 10 (10 is most secure), how secure is this firewall configuration?  Why?
2. What can get through and how?  Any specific exploits?
3. What is it that is allowing it to get by the firewall?  What part of the config?

Right now, I'm just concerned about what can get by the firewall and how does that happen?  What are the mechanics of 
how it gets through?  I already have someone dealing with the NT service pack levels.  My concern right now is the 
firewall.


Is it possible to scan all ports on all the IP addresses of a netblock?
Even though you are not able to ping my firewall from the Internet, could you scan all ports on each of the IP 
addresses in my netblock and once you hit port 25 on the public ip address of the mail scanner, you'll get a 
'listening' response?  Another way to put that is even though you are not able to ping my firewall from the Internet, 
can you still Nmap the public IP addresses (publicly accessible servers) that are NAT'd behind my firewall?  If so, how 
does that work and can I do anything to prevent it?


Links to sites/articles/docs/pdfs would be great.  I just need to get a better understanding of
this...



Thanks,
Amy Morgan


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl8EARECAB8FAj4c9GsYHGFteV9tb3JnYW5AaHVzaG1haWwuY29tAAoJEAS2WQxW3/uw
7/8AmwZRykD+t54ZoDXRJ+PrOpTsCAF/AKCwc/XG8gX8Cy3YQUOwAV4vhecD8Q==
=wWJy
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2 

Big $$$ to be made with the HushMail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427
Previous By Date Next
Previous By Thread Next

Current thread: