Solved

Urgent firewall help

Posted on 2001-07-09
Last Modified: 2013-11-16
We have Checkpoint Firewall-1. The system crashed and we lost all our scripts. No one knows how to create a good internal script for access to the internet, so we are quite open at the moment. Therefore I have had to disconnect the company from the internet.

I want to create a script that will only:

    Allow web surfing to the users.

    Allow the flow of smtp mail inbound and outbound.

    Allow name resolution and other ESSENTIAL internet
    tasks.

    Block file downloads to only the IT department.

Starting from a system with all ports blocked, what should I enable to achieve this?

Also, any advice on making it a very secure system, but very quick to implement, as I need to be up and running within 24 hours at no cost. (We are already using IP address translation and have a DMZ.)

Thanks in advance

Jason




Question by:ducados
17 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6266791
What OS is the Checkpoint running on?  What version of the firewall is it?
0
 

Author Comment

by:ducados
ID: 6266814
Hi geoff. It is on NT4.0 SP6a. I am not sure of the version as I am out of the office. But it is more than 2 years old.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6266852
Then you are probably using version 4.0 or earlier.  It uses an object-based GUI in order to create the firewall rule base.  First you have to define all of your network objects and then create NAT and firewall rules.  Are you familiar with FW-1? If not, it will be very difficult for you to get this working.  The proxy ARP alone is a pain.  A good resource is http://www.phoneboy.com.  Once you have defined the network objects, we can start creating a rule base.
0
 

Author Comment

by:ducados
ID: 6266891
Yes, I am familiar with FW-1 and have already created the NAT rules. They seem to work OK and I think I have done it correctly. Are there any security risks if I get this part wrong?
0
 
LVL 11

Accepted Solution

by:
geoffryn earned 200 total points
ID: 6266984
Yes, you could be directing traffic inbound to incorrect boxes or exposing the internal IP structure to outside hosts.  Anti-spoofing is also a tricky thing.  Can you post a summary of your current rule base?
0
 

Author Comment

by:ducados
ID: 6266991
Yep, OK. It's 22:48 UK time at the moment. I will do it tomorrow when back in the office. Thanks so far, Geoff.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6267017
Ok.  See you tomorrow. Live from Redmond.
0
 

Author Comment

by:ducados
ID: 6272541
Thanks for your help, Geoff. I think we are now in good shape. One more question. I have set up a group for the IT department that will have full access on outbound. In order to allow ping and traceroute responses I need to enable some inbound ports. Do you know which ones?

Thanks

Jason
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6272977
You don't need to enable any ports.  ICMP, which is the protocol of ping and traceroute, is not a port service.  It is a type of packet.  It can usually be enabled in the system policy or implied pseudo-rules.
0
 

Expert Comment

by:rgpta
ID: 6299594
I would be very reluctant to allow traceroute or ping from the outside. Many attackers have used pings of death to bring down customer sites. FW-1 has default services that include icmp. Traceroute is icmp that expires the ttl in the ip header. I would not allow icmp, though. Check the latest CVE from NSA concerning security vulnerabilities, and it sounds like you need a good security policy and process put in place.
0
 

Expert Comment

by:jmsr
ID: 6330434
If you already allow all traffic from those machines outbound, you can add a rule accepting a service called echo-reply (the rule will be: Any - ITDep - echo-reply - Accept) to receive the ping and traceroute replies. This will still not allow ping requests to machines behind the firewall.
I also think that it's not a very good idea to enable ICMP in the implied rules.
0
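The rule base that the thread converges on (web and DNS out for users, SMTP in and out via the DMZ relay, full outbound for the IT group, jmsr's echo-reply rule, and a clean-up drop) can be modelled as a first-match evaluator to check that echo replies reach the IT group while inbound echo requests and non-IT file transfers are still dropped. This is an added example, not code from the thread or from Checkpoint; the networks, hosts and group membership are constructed, and the service names are just labels.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

ANY = "any"                                                    # wildcard column value
INTERNAL = IPv4Network("10.0.0.0/24")                          # constructed internal LAN
IT_DEPT = {ip_address("10.0.0.10"), ip_address("10.0.0.11")}   # constructed IT group
DMZ_MAIL = ip_address("192.0.2.25")                            # constructed DMZ mail relay

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str   # e.g. "http", "domain-udp", "smtp", "ftp", "echo-request", "echo-reply"

# Rule base in first-match order: (source, destination, service, action).
# Mirrors the thread: users surf and resolve names, mail flows via the DMZ relay,
# IT has full outbound, IT receives echo-reply only, everything else is dropped.
RULES = [
    (INTERNAL, ANY, "http", "accept"),
    (INTERNAL, ANY, "domain-udp", "accept"),
    (ANY, DMZ_MAIL, "smtp", "accept"),
    (DMZ_MAIL, ANY, "smtp", "accept"),
    (IT_DEPT, ANY, ANY, "accept"),
    (ANY, IT_DEPT, "echo-reply", "accept"),   # "Any - ITDep - echo-reply - Accept"
    (ANY, ANY, ANY, "drop"),                  # explicit clean-up rule
]

def _match(spec, addr: IPv4Address) -> bool:
    """Match an address against a rule column: wildcard, network, group or single host."""
    if spec is ANY:
        return True
    if isinstance(spec, (IPv4Network, set)):
        return addr in spec
    return addr == spec

def evaluate(pkt: Packet) -> tuple:
    """Return (rule number, action) for the first rule that matches the packet."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for n, (s, d, svc, action) in enumerate(RULES, 1):
        if _match(s, src) and _match(d, dst) and svc in (ANY, pkt.service):
            return n, action
    return 0, "drop"   # implicit drop; only reached if the clean-up rule is removed

if __name__ == "__main__":
    for p in [Packet("10.0.0.50", "198.51.100.7", "http"),
              Packet("10.0.0.50", "198.51.100.7", "ftp"),
              Packet("198.51.100.7", "10.0.0.10", "echo-request"),
              Packet("198.51.100.7", "10.0.0.10", "echo-reply")]:
        print(p, "->", evaluate(p))
```

Rule 5 sits above rule 6 only for readability; because the IT group is inside INTERNAL, user rules 1 and 2 already match IT web and DNS traffic, and the order of the accept rules does not change any verdict here.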
 
LVL 2

Expert Comment

by:ritupatel112699
ID: 6645617
Download security check software from eeye.com called RETINA and then use it to check out your firewall settings and security risks, and then put your company's network back on the net.

This will help you to find out different possible hacks either in the OS or in the application.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6789103
I think you must also add ZoneAlarm (or similar) to the firewall concept, for it handles outbound traffic that your initial configuration is missing. Note that an ISP will disconnect you if your setup sends them junk, virus, worm, or spam.
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6866507
> Urgent firewall help
<uh> how urgent was that again?
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6866511
> Block file downloads to only the IT department.

Try using block file transfer utilities, they're a cream.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6948792
Urgent comment supply depot
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9706116
Hey people,

No comment has been added in roughly 1.5 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to geoffryn.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0
