Solved

Urgent firewall help

Posted on 2001-07-09
Medium Priority
400 Views
Last Modified: 2013-11-16
We have Checkpoint Firewall-1. The system crashed and we lost all our scripts. No one knows how to create a good internal script for access to the internet, so we are quite open at the moment. Therefore I have had to disconnect the company from the internet.

I want to create a script that will only:

    Allow web surfing to the users.

    Allow the flow of SMTP mail inbound and outbound.

    Allow name resolution and other ESSENTIAL internet tasks.

    Block file downloads to only the IT department.

Starting from a system with all ports blocked, what should I enable to achieve this?

Also, any advice on making it a very secure system, but very quick to implement, as I need to be up and running within 24 hours at no cost. (We are already using IP address translation and have a DMZ.)

Thanks in advance

Jason

Question by:ducados
17 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6266791
What OS is the Checkpoint running on?  What version of the firewall is it?

Author Comment

by:ducados
ID: 6266814
Hi geoff. It is on NT4.0 SP6a. I am not sure of the version as I am out of the office. But it is more than 2 years old.
LVL 11

Expert Comment

by:geoffryn
ID: 6266852
Then you are probably using version 4.0 or earlier.  It uses an object-based GUI in order to create the firewall rule base.  First you have to define all of your network objects and then create NAT and firewall rules.  Are you familiar with FW-1? If not, it will be very difficult for you to get this working.  The proxy ARP alone is a pain.  A good resource is http://www.phoneboy.com.  Once you have defined the network objects, we can start creating a rule base.

Author Comment

by:ducados
ID: 6266891
Yes, I am familiar with FW-1 and have already created the NAT rules. They seem to work OK and I think I have done it correctly. Are there any security risks if I get this part wrong?
LVL 11

Accepted Solution

by:
geoffryn earned 800 total points
ID: 6266984
Yes, you could be directing traffic inbound to incorrect boxes or exposing the internal IP structure to outside hosts.  Anti-spoofing is also a tricky thing.  Can you post a summary of your current rule base?

Author Comment

by:ducados
ID: 6266991
Yep, OK. It's 22:48 UK time at the moment. I will do it tomorrow when back in the office. Thanks so far, Geoff.
LVL 11

Expert Comment

by:geoffryn
ID: 6267017
Ok.  See you tomorrow. Live from Redmond.

Author Comment

by:ducados
ID: 6272541
Thanks for your help, Geoff. I think we are now in good shape. One more question. I have set up a group for the IT department that will have full access on outbound. In order to allow ping and traceroute responses I need to enable some inbound ports. Do you know which ones?

Thanks

Jason
LVL 11

Expert Comment

by:geoffryn
ID: 6272977
You don't need to enable any ports.  ICMP, which is the protocol of ping and traceroute, is not a port service.  It is a type of packet.  It can usually be enabled in the system policy or implied pseudo-rules.

Expert Comment

by:rgpta
ID: 6299594
I would be very reluctant to allow traceroute or ping from the outside. Many attackers have used pings of death to bring down customer sites. FW-1 has default services that include ICMP. Traceroute is ICMP that expires the TTL in the IP header. I would not allow ICMP, though. Check the latest CVE from NSA concerning security vulnerabilities; it sounds like you need a good security policy and process put in place.

Expert Comment

by:jmsr
ID: 6330434
If you already allow all traffic from those machines outbound, you can add a rule accepting a service called echo-reply (the rule will be: Any - ITDep - echo-reply - Accept) to receive the ping and traceroute replies. This will still not allow ping requests to machines behind the firewall.
I also think it's not a very good idea to enable ICMP in the implied rules.
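
The rule base this thread sketches (outbound web and DNS for users, SMTP in and out for the mail server, full outbound for the IT department, plus jmsr's "Any - ITDep - echo-reply - Accept" rule) as an added first-match model; this is example code written for this page, not from the thread or from Check Point. Object names, addresses and the rule order are constructed for illustration, and the model covers only the rule base, not connection state, NAT or implied rules, so it shows why the echo-reply rule lets ping and traceroute replies in while echo requests to internal hosts still hit the final drop.

```python
from collections import namedtuple
from ipaddress import ip_network, ip_address

# Constructed network objects (private ranges chosen for the example).
OBJECTS = {
    "Any": None,
    "Internal": ip_network("10.0.0.0/8"),
    "ITDep": ip_network("10.0.50.0/24"),
    "MailServer": ip_network("10.0.1.25/32"),
}

# Services as (protocol, port-or-ICMP-type); ICMP is a packet type, not a port.
SERVICES = {
    "http": ("tcp", 80), "https": ("tcp", 443), "smtp": ("tcp", 25),
    "dns": ("udp", 53), "echo-reply": ("icmp", "echo-reply"),
    "echo-request": ("icmp", "echo-request"), "Any": None,
}

# Rule base in evaluation order: first match wins, last rule drops everything.
RULES = [
    ("Internal",   "Any",        ["http", "https", "dns"], "accept"),
    ("MailServer", "Any",        ["smtp"],                 "accept"),
    ("Any",        "MailServer", ["smtp"],                 "accept"),
    ("ITDep",      "Any",        ["Any"],                  "accept"),
    ("Any",        "ITDep",      ["echo-reply"],           "accept"),  # jmsr's rule
    ("Any",        "Any",        ["Any"],                  "drop"),
]

Packet = namedtuple("Packet", "src dst proto service")

def matches(rule, pkt):
    """True when the packet's source, destination and service all fit the rule."""
    src, dst, services, _ = rule
    for obj, addr in ((src, pkt.src), (dst, pkt.dst)):
        net = OBJECTS[obj]
        if net is not None and ip_address(addr) not in net:
            return False
    return any(SERVICES[s] is None or SERVICES[s] == (pkt.proto, pkt.service)
               for s in services)

def decide(pkt):
    """Action of the first matching rule ('accept' or 'drop')."""
    for rule in RULES:
        if matches(rule, pkt):
            return rule[3]
    return "drop"  # defensive default; the last rule already drops
```

Running decide() over a user's outbound FTP and an outside echo request shows both hitting the final drop, while the same user's HTTP and the IT group's echo replies are accepted.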
LVL 2

Expert Comment

by:ritupatel112699
ID: 6645617
Download security check software from eeye.com called RETINA and then use it to check out your firewall settings and security risks, and then put your company's network back on the net.

This will help you to find out different possible hacks either in the OS or in applications.
LVL 24

Expert Comment

by:SunBow
ID: 6789103
I think you must also add ZoneAlarm (or similar) to the firewall concept, for it handles outbound traffic that your initial configuration is missing. Note that an ISP will disconnect you if your setup sends them junk, virus, worm, or spam.
LVL 3

Expert Comment

by:FlamingSword
ID: 6866507
> Urgent firewall help
<uh> how urgent was that again?
LVL 3

Expert Comment

by:FlamingSword
ID: 6866511
> Block file downloads to only the IT department.

Try using block file transfer utilities, they're a cream.
LVL 24

Expert Comment

by:SunBow
ID: 6948792
Urgent comment supply depot
LVL 5

Expert Comment

by:zenlion420
ID: 9706116
Hey people,

No comment has been added in roughly 1.5 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to geoffryn.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor