mailing list archives
Checkpoint FW-1 identification
From: hirst () ROCKETMAIL COM (Tim Hirst)
Date: Fri, 16 Jul 1999 08:26:52 -0000
This is not a bug but is instead a common procedural error.
If a remote attacker performs a port scan on a network and
finds a machine with ports 256, 257, and 258 open then it is
a sure bet that they are running a Checkpoint FW-1 firewall.
Since increased awareness about the brand and location of a
firewall can greatly help an attacker, providing this
information is a *bad* thing.
Solution: Don't give them the info. Don't allow any
connections to the firewall itself, accept for the firewall
protocol, and only allow that from trusted sources. Of
course this means that your firewall should not be running
any other services, but that should be a given. Also make
sure that you disable the appropriate sections in the
*hidden* properties page. If you have a router then add a
ACL that disallows unauthorized systems from scanning or
even seeing these ports.
Tim Hirst <thirst () hiverworld com>
Audit Team Leader http://www.hiverworld.com
Hiverworld, Inc. Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Management
- Checkpoint FW-1 identification Tim Hirst (Jul 16)