Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Firewall-1 Security Advisory
From: jcostom () JASONS ORG (Jason Costomiris)
Date: Fri, 30 Oct 1998 10:18:28 -0500

On Wed, Oct 28, 1998 at 08:02:52AM +1000, Gary Gaskell wrote:
: And what about the default of the ports 256, 257, 258 and 259 appearing on
: every interface?  A little concerning, since they are not listed in the
: table of ports in the main manual.  Even more concerning when I'm told
: they are for secure remote support, logging and configuration control!
: This obscurity makes one rather nervous.

What's so obscure?  If you take a moment, and examine the services in
your services database, and pay attention to the ones in the group called
"Firewall-1", you would know what services are used by FW-1 for it's
internal functions.

Also, if you would bother to take the time to properly configure your FW-1
installation, you wouldn't see these issues.  From the FW GUI, go to the
Policy menu, and choose Properties.  Turn on/off what you want/need.

I'm of the opinion that you should turn off:

Accept FW-1 Control Connections
Accept RIP
Accept DNS Queries
Accept DNS Download
Accept ICMP (consider Bill Burns' stateful ICMP inspect code)

Of course, by doing this, you'll need rules in your rulebase to permit
the appropriate types of FW1 control connections between your firewall
modules (aka PFMs) and Management Console.  Possibly also to allow your
fw managers using the FW1 GUI to connect to the Management Console if it
lives on the same box as the PFM.  If you are using something to do log
analysis using LEA, you'll need to permit the LEA service to get to the
Management Console (if it's on the same box as the PFM).

As with *any* firewall, taking the default settings is a problem.  I found
the advisory humorous, in that anyone who has read the documentation
section on the policy properties knows what they are getting.

I also noticed that someone took FW-1 training and didn't get told about
this.  My company does FW-1 training, and I've taught several classes of
CCSE's.  The information contained in this "advisory" is also covered in
Chapter 5 of the CCSA course cirriculum.

Anyone who has installed FW-1, and has (hopefully) read the documentation,
and has been to training on the product should know this.  There's no
excuse for not knowing it.

Jason Costomiris <><            | Linux...
jcostom () jasons org              | "Find out what you've been missing
http://www.jasons.org/~jcostom/ | while you've been rebooting Windows NT."
#include <disclaimer.h>         |         --Infoworld

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]