Urgent firewall help

We have Checkpoint Firewall-1. The system crashed and we lost all our scripts. No one knows how to create a good internal script for access to the internet, so we are quite open at the moment. Therefore I have had to disconnect the company from the internet.

I want to create a script that will only:

    Allow web surfing to the users.

    Allow the flow of SMTP mail inbound and outbound.

    Allow name resolution and other ESSENTIAL internet tasks.

    Block file downloads to only the IT department.

Starting from a system with all ports blocked, what should I enable to achieve this?

Also, any advice on making it a very secure system, but very quick to implement, as I need to be up and running within 24 hours at no cost. (We are already using IP address translation and have a DMZ.)

Thanks in advance

Jason

geoffryn commented:
What OS is the Checkpoint running on?  What version of the firewall is it?
ducados (Author) commented:
Hi Geoff. It is on NT 4.0 SP6a. I am not sure of the version as I am out of the office, but it is more than 2 years old.
geoffryn commented:
Then you are probably using version 4.0 or earlier. It uses an object-based GUI in order to create the firewall rule base. First you have to define all of your network objects and then create NAT and firewall rules. Are you familiar with FW-1? If not, it will be very difficult for you to get this working. The proxy ARP alone is a pain. A good resource is http://www.phoneboy.com. Once you have defined the network objects, we can start creating a rule base.
ducados (Author) commented:
Yes, I am familiar with FW-1 and have already created the NAT rules. They seem to work OK and I think I have done it correctly. Are there any security risks if I get this part wrong?
geoffryn commented:
Yes, you could be directing traffic inbound to incorrect boxes or exposing the internal IP structure to outside hosts.  Anti-spoofing is also a tricky thing.  Can you post a summary of your current rule base?
ducados (Author) commented:
Yep, OK. It's 22:48 UK time at the moment. I will do it tomorrow when back in the office. Thanks so far, Geoff.
geoffryn commented:
Ok.  See you tomorrow. Live from Redmond.
ducados (Author) commented:
Thanks for your help, Geoff. I think we are now in good shape. One more question: I have set up a group for the IT department that will have full access on outbound. In order to allow ping and traceroute responses I need to enable some inbound ports. Do you know which ones?

Thanks

Jason
geoffryn commented:
You don't need to enable any ports. ICMP, which is the protocol of ping and traceroute, is not a port service. It is a type of packet. It can usually be enabled in the system policy or implied pseudo-rules.
rgpta commented:
I would be very reluctant to allow traceroute or ping from the outside. Many attackers have used pings of death to bring down customer sites. FW-1 has default services that include ICMP. Traceroute is ICMP that expires the TTL in the IP header. I would not allow ICMP, though. Check the latest CVE from NSA concerning security vulnerabilities, and it sounds like you need a good security policy and process put in place.
jmsr commented:
If you already allow all traffic from those machines outbound, you can add a rule accepting a service called echo-reply (the rule will be: Any - ITDep - echo-reply - Accept) to receive the ping and traceroute replies. This will still not allow ping requests to machines behind the firewall.
I also think that it's not a very good idea to enable ICMP in the implied rules.
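
The rule jmsr describes, modelled as an added example that is not code from the thread or from Check Point: a first-match rule base built from the services the question asks for, evaluated without stateful inspection, so the explicit echo-reply rule is the only thing that lets ping replies back in to the IT group while echo requests from outside still hit the cleanup rule. Object names, addresses and the rule order are constructed.

```python
# Added example (not from the thread): first-match model of an FW-1 style rule base; names and addresses are constructed.
ANY = "Any"

# Network objects, defined before the rules as geoffryn describes.
OBJECTS = {
    "Internal": {"10.0.0.5", "10.0.0.10", "10.0.0.11", "10.0.0.25"},
    "ITDept": {"10.0.0.10", "10.0.0.11"},
    "MailServer": {"10.0.0.25"},
}

# Services as (protocol, port or ICMP type).
SERVICES = {
    "http": {("tcp", 80), ("tcp", 443)},
    "smtp": {("tcp", 25)},
    "dns": {("udp", 53), ("tcp", 53)},
    "echo-reply": {("icmp", 0)},
    "time-exceeded": {("icmp", 11)},
}

# Rule base: (source, destination, service, action); first match wins, and the final cleanup rule drops the rest.
RULEBASE = [
    ("Internal", ANY, "http", "accept"),        # web surfing for users
    (ANY, "MailServer", "smtp", "accept"),       # inbound mail
    ("MailServer", ANY, "smtp", "accept"),       # outbound mail
    ("Internal", ANY, "dns", "accept"),          # name resolution
    ("ITDept", ANY, ANY, "accept"),              # IT department, all outbound
    (ANY, "ITDept", "echo-reply", "accept"),     # jmsr's rule: ping replies to IT
    (ANY, "ITDept", "time-exceeded", "accept"),  # traceroute hop replies (ICMP 11)
    (ANY, ANY, ANY, "drop"),                     # cleanup rule
]

def _host_matches(obj, addr):
    return obj == ANY or addr in OBJECTS[obj]
def _service_matches(svc, proto, port):
    return svc == ANY or (proto, port) in SERVICES[svc]

def evaluate(src, dst, proto, port):
    """Return (action, rule number) of the first rule matching the packet."""
    for number, (rsrc, rdst, rsvc, action) in enumerate(RULEBASE, start=1):
        if (_host_matches(rsrc, src) and _host_matches(rdst, dst)
                and _service_matches(rsvc, proto, port)):
            return action, number
    raise RuntimeError("cleanup rule should always match")

if __name__ == "__main__":
    # An echo reply back to an IT workstation is accepted by rule 6, but an
    # echo request from outside to the same host falls to the cleanup rule.
    print(evaluate("198.51.100.7", "10.0.0.10", "icmp", 0))  # ('accept', 6)
    print(evaluate("198.51.100.7", "10.0.0.10", "icmp", 8))  # ('drop', 8)
```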
ritupatel112699 commented:
Download security check software from eeye.com called RETINA and then use it to check out your firewall settings and security risks, and then put your company's network back on the net.

This will help you to find out different possible hacks either in the OS or in the application.
SunBow commented:
I think you must also add ZoneAlarm (or similar) to the firewall concept, for it handles outbound traffic that your initial configuration is missing. Note that an ISP will disconnect you if your setup sends them junk, virus, worm, or spam.
FlamingSword commented:
> Urgent firewall help
<uh> how urgent was that again?
FlamingSword commented:
> Block file downloads to only the IT department.

Try using block file transfer utilities, they're a cream.
SunBow commented:
Urgent comment supply depot
zenlion420 commented:
Hey people,

No comment has been added in roughly 1.5 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to geoffryn.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor