Re: Ports 256,257,258 open on FW-1

[Neil Buckley <nbuckley () wsi com>]

Hi All,

Since there was an official security advisory issued, that would mean to me that
someone noticed a rising trend in exploits coming from these misconfigured
firewalls.  If that is true then awareness needed to be raised, I.E..  the public
needed to be educated.  If the information was widely known then the administrators
configuring these firewalls had no idea of the compromising position they placed
themselves in when they left  these services available and again the public needed
to be educated.

The painful truth is that if your going to make a security product that ANYONE can
configure with the click of the mouse it should be secure "Out of the Box", because
eventually someone with little to no experience will be charged with getting it
setup and unless you have been working in the security arena for a while or happen
to subscribe to mailing lists like this one, you would miss the ramification and
liability of your configuration selections.  So, the Advisory in question may not
have stated anything new, but it did raise awareness and possibly reached an
uneducated administrator, which I believe is a "good thing" and should continue with
any security product or OS.

--Neil

PS.  The nokia platform has all the same security issues that are inherent in the
other platforms that  checkpoint runs on.

jgalvin () cs loyola edu wrote:

> > Jenn:
> > Very few FW vendors discuss much about how to harden the OS running the
> > FW. The Checkpoint SysAdm course covers mostly how to manage FWs and
> > policies, not
> > much on OS configs. One of the best ways to verify your OS config and FW
> > is to run
> > a good scanner against it.  I always run an "as designed" scan, then
> > harden down the
> > FW/OS in conjunction with the customer policy.  It helps take guess work
> > out and
> > add consistency to the FW design.
>
>         Issueing
>         a security advisory on a default setting is not a discussion of
>         security or  OS
>         hardening, it's a misrepresentation of widely known information.
>
>         The reason OS configs and hardening is not covered in a Checkpoint
>         training class is that Firewall-1 is a software package. Checkpoint does
>         issue it as a
>         firewall, true, but it is common knowledge that, unless you buy a
>         dedicated hardware platform, like Nokia, most of  the default
>         settings on
>         your workstation (which are also widely known information) will
>         be a problem from a security standpoint.
>
>         Should we next issue a security advisory for all the default
>         settings on an out-of-box install for Solaris, like NT?  How about
>         default settings in general?
>
>         A security advisory is meant for a loophole in a package that is
>         supposed to NOT do what the advisory states.  Checkpoint
>         Firewall-1 has the capability to either reject or accept the types
>         of connections specified in the Properties window, depending on
>         the user preference.  So the security advisory in question is only
>         a misrepresentation of widely known information.
>
> Regards,
> Jenn