Solved

Urgent firewall help

Posted on 2001-07-09
Last Modified: 2013-11-16
We have Checkpoint Firewall-1. The system crashed and we lost all our scripts. No one knows how to create a good internal script for access to the internet, so we are quite open at the moment. Therefore I have had to disconnect the company from the internet.

I want to create a script that will only:

    Allow web surfing to the users.

    Allow the flow of smtp mail inbound and outbound.

    Allow name resolution and other ESSENTIAL internet
    tasks.

    Block file downloads to only the IT department.

Starting from a system with all ports blocked, what should I enable to achieve this?

Also, any advice on making it a very secure system, but very quick to implement, as I need to be up and running within 24 hours at no cost. (We are already using IP address translation and have a DMZ.)

Thanks in advance

Jason

Question by:ducados
17 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6266791
What OS is the Checkpoint running on?  What version of the firewall is it?

Author Comment

by:ducados
ID: 6266814
Hi geoff. It is on NT4.0 SP6a. I am not sure of the version as I am out of the office. But it is more than 2 years old.
LVL 11

Expert Comment

by:geoffryn
ID: 6266852
Then you are probably using version 4.0 or earlier.  It uses an object-based GUI in order to create the firewall rule base.  First you have to define all of your network objects and then create NAT and firewall rules.  Are you familiar with FW-1?  If not, it will be very difficult for you to get this working.  The proxy ARP alone is a pain.  A good resource is http://www.phoneboy.com.  Once you have defined the network objects, we can start creating a rule base.

Author Comment

by:ducados
ID: 6266891
Yes, I am familiar with FW-1 and have already created the NAT rules. They seem to work OK and I think I have done it correctly. Are there any security risks if I get this part wrong?
LVL 11

Accepted Solution

by:
geoffryn earned 800 total points
ID: 6266984
Yes, you could be directing traffic inbound to incorrect boxes or exposing the internal IP structure to outside hosts.  Anti-spoofing is also a tricky thing.  Can you post a summary of your current rule base?

Author Comment

by:ducados
ID: 6266991
Yep, OK. It's 22:48 UK time at the moment. I will do it tomorrow when back in the office. Thanks so far, Geoff.
LVL 11

Expert Comment

by:geoffryn
ID: 6267017
Ok.  See you tomorrow. Live from Redmond.

Author Comment

by:ducados
ID: 6272541
Thanks for your help, Geoff. I think we are now in good shape. One more question. I have set up a group for the IT department that will have full access on outbound. In order to allow ping and traceroute responses I need to enable some inbound ports. Do you know which ones?

Thanks

Jason
LVL 11

Expert Comment

by:geoffryn
ID: 6272977
You don't need to enable any ports.  ICMP, which is the protocol of ping and traceroute, is not a port service.  It is a type of packet.  It can usually be enabled in the system policy or implied pseudo-rules.

Expert Comment

by:rgpta
ID: 6299594
I would be very reluctant to allow traceroute or ping from the outside. Many attackers have used pings of death to bring down customer sites. FW-1 has default services that include ICMP. Traceroute is ICMP that expires the TTL in the IP header. I would not allow ICMP, though. Check the latest CVE from NSA concerning security vulnerabilities, and it sounds like you need a good security policy and process put in place.

Expert Comment

by:jmsr
ID: 6330434
If you already allow all traffic from those machines outbound, you can add a rule accepting a service called echo-reply (the rule will be: Any - ITDep - echo-reply - Accept) to receive the ping and traceroute replies. This will still not allow ping requests to machines behind the firewall.
I also think that it's not a very good idea to enable ICMP in the implied rules.
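geoffryn's point that ICMP is not a port and jmsr's "Any - ITDep - echo-reply - Accept" rule both depend on how a FW-1 rule base is evaluated: top down, first match wins, with the cleanup rule catching the rest. The model below is an added example written for this page, not Check Point code or anything posted in the thread; the object names (Internal, ITDep, MailServer), the zone names and the rule base are constructed for illustration, and the shadowed-rule check goes beyond what the thread discusses.

```python
from dataclasses import dataclass
ANY = "any"  # stands in for the FW-1 "Any" object

@dataclass(frozen=True)
class Rule:
    src: str      # network object name or ANY
    dst: str
    service: str  # e.g. "http", "smtp", "domain-udp", "echo-reply"
    action: str   # "accept" or "drop"

# Constructed network objects; ITDep is a subset of Internal, like a group object.
GROUPS = {"Internal": {"Internal", "ITDep"}, "ITDep": {"ITDep"}, "MailServer": {"MailServer"}}
# Constructed rule base for the thread's requirements: users surf, mail flows both
# ways, DNS works, only ITDep gets everything outbound plus ping/traceroute replies.
RULEBASE = [
    Rule("Internal", ANY, "http", "accept"),
    Rule("Internal", ANY, "https", "accept"),
    Rule(ANY, "MailServer", "smtp", "accept"),
    Rule("MailServer", ANY, "smtp", "accept"),
    Rule("Internal", ANY, "domain-udp", "accept"),
    Rule("ITDep", ANY, ANY, "accept"),           # IT department: full outbound
    Rule(ANY, "ITDep", "echo-reply", "accept"),  # jmsr's rule: replies in, no requests
    Rule(ANY, ANY, ANY, "drop"),                 # explicit cleanup rule
]

def members(obj):
    return {ANY} if obj == ANY else GROUPS.get(obj, {obj})

def matches(obj, zone):
    return obj == ANY or zone in members(obj)

def evaluate(src, dst, service, rulebase=RULEBASE):
    """First-match lookup: (rule number, action); rule 0 is the implicit drop."""
    for n, r in enumerate(rulebase, start=1):
        if matches(r.src, src) and matches(r.dst, dst) and r.service in (ANY, service):
            return n, r.action
    return 0, "drop"

def covers(obj, other):
    """True when object obj matches every zone that object other matches."""
    return obj == ANY or members(other) <= members(obj)

def shadowed(rulebase=RULEBASE):
    """Numbers of rules that can never fire because an earlier rule takes all their traffic."""
    out = []
    for j, r in enumerate(rulebase, start=1):
        if any(covers(e.src, r.src) and covers(e.dst, r.dst) and e.service in (ANY, r.service)
               for e in rulebase[:j - 1]):
            out.append(j)
    return out
```

Moving the cleanup rule to the top makes every other rule shadowed, which is the kind of ordering mistake a review of a freshly rebuilt rule base should catch.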
LVL 2

Expert Comment

by:ritupatel112699
ID: 6645617
Download security check software from eeye.com called RETINA and then use it to check out your firewall settings and security risks, and then put your company's network back on the net.

This will help you to find out different possible hacks either in the OS or in applications.
LVL 24

Expert Comment

by:SunBow
ID: 6789103
I think you must also add ZoneAlarm (or similar) to the firewall concept, for it handles outbound traffic that your initial configuration is missing. Note that an ISP will disconnect you if your setup sends them junk, virus, worm, or spam.
LVL 3

Expert Comment

by:FlamingSword
ID: 6866507
> Urgent firewall help
<uh> how urgent was that again?
LVL 3

Expert Comment

by:FlamingSword
ID: 6866511
> Block file downloads to only the IT department.

Try using block file transfer utilities, they're a cream.
LVL 24

Expert Comment

by:SunBow
ID: 6948792
Urgent comment supply depot
LVL 5

Expert Comment

by:zenlion420
ID: 9706116
Hey people,

No comment has been added in roughly 1.5 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to geoffryn.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor