Firewall Wizards mailing list archives

Re: remote crash possibility of FW-1?


From: "Ryan Russell" <Ryan.Russell () sybase com>
Date: Mon, 29 Nov 1999 13:55:28 -0800




Hi there.
We use Checkpoints Firewall-I release 4.0 SP 4 running on a SUN U2/200
Solaris 2.6 with up-to-date patchlevel. For several weeks now the box
crashes or reboots without any hint left in the logfiles. SUN service
replaced all components (FDDI, RAM, CPUs, ...) except for the mirrored
disks. Since most of the crashes happen during the weekend we also suspect
some DOS attack. Are there any known DOS attacks that leave the box
unusable till someone does a power-off-on cycle?

They're quite capable of crashing all by themselves.  I've had FW-1 installs
crash regularly due to lack of memory tuning.

Read these two to learn about some memory stuff:
http://www.phoneboy.com/fw1/faq/0088.html
http://www.phoneboy.com/fw1/faq/0296.html

Now, assuming it is some sort of malicious attack that isn't widely
known...

Have you shut off allow control connections, accept ICMP, accept RIP,
accept established connections, etc.?  I'm aware of some nasty potential
problems with those.

To fix, read:

http://www.enteract.com/~lspitz/audit.html

If you are experiencing a DoS of some sort, it would almost certainly be
due to your having left exposed some service which you shouldn't, that
Checkpoint tells you not to if you read the docs carefully, yet they leave
open by default anyway.

                              Ryan





