Re: CheckPoint FW1 BUG

[syke () NEWHACKCITY NET (uh Clem)]

On Fri, 14 Jul 2000 Hugo.van.der.Kooij () caiw nl wrote:

> The first thing to do is to strip the host the FW-1 software is to be
> installed on. Securing the OS before even starting to install the firewall
> is essential.

When the firewall itself is dependant upon service being active, this is
somewhat difficult. See below.

> After installation you should secure the FW-1 software from any access to
> the machine you don't explicitly want. Always pay attention to the implied
> rules which can be made visible and should be thoroughly checked.

One of the other things we observed was the extremely poor state of
permissions that Firewall-1's installation leaves things in. As far as I
could tell, there was no option to run the firewall services as an
alternate user besides SYSTEM. Some would argue this is necessary, but it
really isn't; NT provides well documented APIs for adding specific
priviledges to a given user's token. These kind of mistakes are generally
present in win32 software written by people who haven't bothered to learn
the platform.

> However it is quite unclear why accessing a port would cause a firewall
> process to 100%. But FW-1 v4.0 SP4 is NOT certified for NT 4.0 SP6a and it
> is recommended you upgrade to FW-1 v4.0 SP6 asap.

Ports 1030-103x are where registered RPC services are listening, much like
32767-328xx on Solaris. The ports are assigned by the RPC mapper (port 135
on NT, port 111 on Solaris) in the order the RPC services are
started. What I think is happening here is that the firewall-1 service in
question is running as an RPC service (frightening, eh?) and only expects
local connections.

ttyl