Firewall Wizards mailing list archives
Re: Ports 256,257,258 open on FW-1
From: Neil Buckley <nbuckley () wsi com>
Date: Mon, 28 Dec 1998 09:27:10 -0500
Hi All,

Since there was an official security advisory issued, that would mean to me that someone noticed a rising trend in exploits coming from these misconfigured firewalls. If that is true then awareness needed to be raised, i.e. the public needed to be educated. If the information was widely known then the administrators configuring these firewalls had no idea of the compromising position they placed themselves in when they left these services available and again the public needed to be educated.

The painful truth is that if you're going to make a security product that ANYONE can configure with the click of the mouse it should be secure "Out of the Box", because eventually someone with little to no experience will be charged with getting it set up and unless you have been working in the security arena for a while or happen to subscribe to mailing lists like this one, you would miss the ramification and liability of your configuration selections.

So, the Advisory in question may not have stated anything new, but it did raise awareness and possibly reached an uneducated administrator, which I believe is a "good thing" and should continue with any security product or OS.

--Neil

PS. The Nokia platform has all the same security issues that are inherent in the other platforms that Checkpoint runs on.

jgalvin () cs loyola edu wrote:
Jenn: Very few FW vendors discuss much about how to harden the OS running the FW. The Checkpoint SysAdm course covers mostly how to manage FWs and policies, not much on OS configs. One of the best ways to verify your OS config and FW is to run a good scanner against it. I always run an "as designed" scan, then harden down the FW/OS in conjunction with the customer policy. It helps take guesswork out and add consistency to the FW design.

Issuing a security advisory on a default setting is not a discussion of security or OS hardening, it's a misrepresentation of widely known information. The reason OS configs and hardening are not covered in a Checkpoint training class is that Firewall-1 is a software package. Checkpoint does issue it as a firewall, true, but it is common knowledge that, unless you buy a dedicated hardware platform, like Nokia, most of the default settings on your workstation (which are also widely known information) will be a problem from a security standpoint.

Should we next issue a security advisory for all the default settings on an out-of-box install for Solaris, like NT? How about default settings in general? A security advisory is meant for a loophole in a package that is supposed to NOT do what the advisory states. Checkpoint Firewall-1 has the capability to either reject or accept the types of connections specified in the Properties window, depending on the user preference. So the security advisory in question is only a misrepresentation of widely known information.

Regards,
Jenn