Firewall Wizards mailing list archives

RE: Ports 256,257,258 open on FW-1


From: jgalvin () cs loyola edu
Date: Thu, 24 Dec 1998 08:03:00 -0500 (EST)



Jenn:
Very few FW vendors discuss much about how to harden the OS running the
FW. The Checkpoint SysAdm course covers mostly how to manage FWs and
policies, not much on OS configs. One of the best ways to verify your OS
config and FW is to run a good scanner against it.  I always run an "as
designed" scan, then harden down the FW/OS in conjunction with the
customer policy.  It helps take guess work out and add consistency to
the FW design.

        Issuing a security advisory on a default setting is not a
        discussion of security or OS hardening, it's a misrepresentation
        of widely known information.
        
        The reason OS configs and hardening are not covered in a
        Checkpoint training class is that Firewall-1 is a software
        package. Checkpoint does issue it as a firewall, true, but it is
        common knowledge that, unless you buy a dedicated hardware
        platform, like Nokia, most of the default settings on your
        workstation (which are also widely known information) will be a
        problem from a security standpoint.
        
        Should we next issue a security advisory for all the default
        settings on an out-of-box install for Solaris, like NT?  How about
        default settings in general?  

        A security advisory is meant for a loophole in a package that is
        supposed to NOT do what the advisory states.  Checkpoint
        Firewall-1 has the capability to either reject or accept the types
        of connections specified in the Properties window, depending on
        the user preference.  So the security advisory in question is only
        a misrepresentation of widely known information.

Regards,
Jenn








