Firewall Wizards mailing list archives

Re: Open ports on FW1


From: "Jayson Broughton" <jbroughton () allcovered com>
Date: Tue, 18 Jan 2000 11:38:45 -0800


Simon,
The following ports are used by Firewall-1. I believe that all of
these ports should remain open, unless one thinks that it would
provide a means of breaching security.
* TCP 259 is used for Client Authentication; the UDP port of 259 is
used as encryption to manage an encrypted session.
* TCP 258 is used for the Firewall administration GUI via remote
administration, aka FWpolicy Remote GUI.
* TCP 257 is used for the Remote Firewall program (module?) to send
logs to a Manager console.
* Port 256 is used too for encryption, that of CS & DH key exchange
in the FWZ encryption.  Some say this is also used by
SecuRemote.  I have no recollection of this, but someone out in the
audience might be able to help you there.
* UDP 161 & 260 are used by Firewall-1's SNMP Daemon.

Once again, if your job/ability is useful for remotely administering
the firewall, then I would keep all of these active.  I believe
that Checkpoint wants these ports open at all times.  But once again,
a speculation.

One last thing: if you do use remote administration of your
firewall, be smart and use a Randomly generated, or Really
bloomin' hard to guess password with random #'s and Characters.
There are crackers out there that can rip through weak
passwords like a knife through butter.


Jayson Broughton
HQ-All Bases Covered
Network & Security Admin.





Simon Elliot wrote:

Hi

I was interested in a previous message you received
regarding TCP ports 256,257,258 on Firewall 1.
What security implication can arise from these ports being open?

Thanks for your time
Any help will be gratefully received.

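An added example, not part of either message: a small audit that reads `netstat -an` style output from a firewall host and reports which of the Firewall-1 ports listed in the reply are listening, and whether each one is bound to every interface. The port roles are taken as the reply describes them, TCP is assumed for port 256 because the reply gives no protocol, and the sample input is constructed.

```python
# Port roles as described in the reply above (not checked against vendor docs).
FW1_PORTS = {
    ("tcp", 256): "FWZ key exchange (reply gives no protocol; TCP assumed)",
    ("tcp", 257): "log transfer to manager console",
    ("tcp", 258): "remote administration GUI",
    ("tcp", 259): "client authentication",
    ("udp", 259): "encrypted session management",
    ("udp", 161): "SNMP daemon",
    ("udp", 260): "SNMP daemon",
}
WILDCARDS = {"0.0.0.0", "*", "::"}

# Constructed sample in Linux `netstat -an` column layout, not real output.
SAMPLE = """\
tcp        0      0 0.0.0.0:256        0.0.0.0:*          LISTEN
tcp        0      0 10.1.1.1:257       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:258        0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN
udp        0      0 0.0.0.0:161        0.0.0.0:*
udp        0      0 127.0.0.1:260      0.0.0.0:*
tcp        0      0 10.1.1.1:259       10.1.1.50:40122    ESTABLISHED
"""


def audit(netstat_text):
    """Return (proto, port, role, bound_to_all_interfaces) per FW-1 listener."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0][:3] not in ("tcp", "udp"):
            continue
        proto = fields[0][:3]              # folds tcp6/udp6 into tcp/udp
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue                       # skip established sessions
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        role = FW1_PORTS.get((proto, int(port)))
        if role:
            findings.append((proto, int(port), role, addr in WILDCARDS))
    return findings


if __name__ == "__main__":
    for proto, port, role, wide in audit(SAMPLE):
        note = "ALL INTERFACES: restrict by rule or bind address" if wide else "restricted bind"
        print(f"{proto}/{port:<4} {role:<55} {note}")
```

A listener flagged as bound to all interfaces is only a prompt to check the rule base: whether the port is reachable from outside still depends on the policy in front of it.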


