Solved

Urgent firewall help

Posted on 2001-07-09
Last Modified: 2013-11-16
We have Checkpoint Firewall-1. The system crashed and we lost all our scripts. No one knows how to create a good internal script for access to the internet, so we are quite open at the moment. Therefore I have had to disconnect the company from the internet.

I want to create a script that will only:

    Allow web surfing to the users.

    Allow the flow of smtp mail inbound and outbound.

    Allow name resolution and other ESSENTIAL internet
    tasks.

    Block file downloads to only the IT department.

Starting from a system with all ports blocked, what should I enable to achieve this?

Also, any advice on making it a very secure system, but very quick to implement, as I need to be up and running within 24 hours at no cost. (We are already using IP address translation and have a DMZ.)

Thanks in advance

Jason




Question by:ducados
17 Comments
 
LVL 11

Expert Comment

by:geoffryn
ID: 6266791
What OS is the Checkpoint running on?  What version of the firewall is it?
0
 

Author Comment

by:ducados
ID: 6266814
Hi geoff. It is on NT4.0 SP6a. I am not sure of the version as I am out of the office. But it is more than 2 years old.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6266852
Then you are probably using version 4.0 or earlier.  It uses an object-based GUI in order to create the firewall rule base.  First you have to define all of your network objects and then create NAT and firewall rules.  Are you familiar with FW-1? If not, it will be very difficult for you to get this working.  The proxy ARP alone is a pain.  A good resource is http://www.phoneboy.com.  Once you have defined the network objects, we can start creating a rule base.
0
 

Author Comment

by:ducados
ID: 6266891
Yes, I am familiar with FW-1 and have already created the NAT rules. They seem to work OK and I think I have done it correctly. Are there any security risks if I get this part wrong?
0
 
LVL 11

Accepted Solution

by:
geoffryn earned 200 total points
ID: 6266984
Yes, you could be directing traffic inbound to incorrect boxes or exposing the internal IP structure to outside hosts.  Anti-spoofing is also a tricky thing.  Can you post a summary of your current rule base?
0
 

Author Comment

by:ducados
ID: 6266991
Yep, OK, it's 22:48 UK time at the moment. I will do it tomorrow when back in the office. Thanks so far Geoff.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6267017
Ok.  See you tomorrow. Live from Redmond.
0
 

Author Comment

by:ducados
ID: 6272541
Thanks for your help Geoff. I think we are now in good shape. One more question. I have set up a group for the IT department that will have full access on outbound. In order to allow ping and traceroute responses I need to enable some inbound ports. Do you know which ones?

Thanks

Jason
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 6272977
You don't need to enable any ports.  ICMP, which is the protocol ping and traceroute use, is not a port service.  It is a type of packet.  It can usually be enabled in the system policy or implied pseudo-rules.
0
 

Expert Comment

by:rgpta
ID: 6299594
I would be very reluctant to allow traceroute or ping from the outside. Many attackers have used pings of death to bring down customer sites. FW-1 has default services that include ICMP. Traceroute is ICMP that expires the TTL in the IP header. I would not allow ICMP, though. Check the latest CVE from NSA concerning security vulnerabilities, and it sounds like you need a good security policy and process put in place.
0
 

Expert Comment

by:jmsr
ID: 6330434
If you already allow all traffic from those machines outbound, you can add a rule accepting a service called echo-reply (the rule will be: Any - ITDep - echo-reply - Accept) to receive the ping and traceroute replies. This will still not allow ping requests to machines behind the firewall.
I also think it's not a very good idea to enable ICMP in the implied rules.
0
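The rule base the question asks for (default deny; web, SMTP and DNS only; full outbound for IT), geoffryn's point that ICMP is matched by type rather than port, and jmsr's "Any - ITDep - echo-reply - Accept" rule can all be checked together with a small first-match evaluator written in the FW-1 column style (Source, Destination, Service, Action). This is an added example, not code from the thread or from Checkpoint; the network objects, addresses, interface names and rule order are assumptions, and it judges only the first packet of a connection (FW-1's own engine tracks TCP and UDP state, which is exactly why ICMP replies are the odd case that needs their own rule). It also includes the anti-spoofing check geoffryn mentions, applied per interface before the rule base is consulted. One caveat the rule base itself shows: "block file downloads" at port level only covers FTP; an HTTP download uses the same port 80 as surfing, so no port-based rule can tell them apart.

```python
import ipaddress
from dataclasses import dataclass

# Network objects (FW-1 makes you define these before writing rules).
# All addresses are assumptions made up for this example.
OBJECTS = {
    "Internal_Net": ipaddress.ip_network("10.0.0.0/8"),
    "IT_Dept":      ipaddress.ip_network("10.0.10.0/24"),      # subset of Internal_Net
    "DMZ_Net":      ipaddress.ip_network("192.168.250.0/24"),
    "Mail_Server":  ipaddress.ip_network("192.168.250.25/32"), # SMTP relay in the DMZ
    "DNS_Server":   ipaddress.ip_network("192.168.250.53/32"), # resolver in the DMZ
    "Firewall":     ipaddress.ip_network("192.168.250.1/32"),  # the firewall's own address
}

# Services: (protocol, TCP/UDP destination port or ICMP type). ICMP has no ports.
SERVICES = {
    "http":          ("tcp", 80),
    "https":         ("tcp", 443),
    "smtp":          ("tcp", 25),
    "domain-udp":    ("udp", 53),
    "echo-request":  ("icmp", 8),
    "echo-reply":    ("icmp", 0),   # what ping waits for
    "time-exceeded": ("icmp", 11),  # what traceroute waits for from each hop
}

# Anti-spoofing: the source networks that are legitimate behind each inside
# interface. The external interface is valid for anything NOT behind one of these.
ANTI_SPOOF = {"internal": ["Internal_Net"], "dmz": ["DMZ_Net"]}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    port_or_type: int  # destination port, or ICMP type
    ingress: str       # interface the packet arrived on: internal, dmz, external

@dataclass(frozen=True)
class Rule:
    source: str
    destination: str
    service: str
    action: str
    comment: str = ""

# The rule base in evaluation order; FW-1 stops at the first match.
RULEBASE = [
    Rule("Any", "Firewall", "Any", "drop", "stealth rule: nothing talks to the firewall itself"),
    Rule("Internal_Net", "Any", "http", "accept", "web surfing"),
    Rule("Internal_Net", "Any", "https", "accept", "web surfing"),
    Rule("Internal_Net", "DNS_Server", "domain-udp", "accept", "clients ask the DMZ resolver"),
    Rule("DNS_Server", "Any", "domain-udp", "accept", "the resolver recurses to the Internet"),
    Rule("Any", "Mail_Server", "smtp", "accept", "inbound mail to the DMZ relay only"),
    Rule("Mail_Server", "Any", "smtp", "accept", "outbound mail from the relay only"),
    Rule("IT_Dept", "Any", "Any", "accept", "IT has full outbound access (ftp etc.)"),
    Rule("Any", "IT_Dept", "echo-reply", "accept", "jmsr's rule: ping replies back to IT"),
    Rule("Any", "IT_Dept", "time-exceeded", "accept", "traceroute hop replies back to IT"),
    Rule("Any", "Any", "Any", "drop", "cleanup rule: drop and log everything else"),
]

def _in_object(name, ip):
    return name == "Any" or ipaddress.ip_address(ip) in OBJECTS[name]

def _is_service(name, pkt):
    return name == "Any" or SERVICES[name] == (pkt.proto, pkt.port_or_type)

def spoofed(pkt):
    """True if the source address is not legitimate for the arrival interface."""
    src = ipaddress.ip_address(pkt.src)
    inside = [OBJECTS[n] for names in ANTI_SPOOF.values() for n in names]
    if pkt.ingress == "external":
        return any(src in net for net in inside)   # inside address arriving from outside
    return not any(src in OBJECTS[n] for n in ANTI_SPOOF[pkt.ingress])

def evaluate(pkt):
    """Return (rule number, action) for the first packet of a connection.
    Rule 0 means anti-spoofing dropped it before the rule base was consulted."""
    if spoofed(pkt):
        return 0, "drop"
    for n, r in enumerate(RULEBASE, 1):
        if _in_object(r.source, pkt.src) and _in_object(r.destination, pkt.dst) \
                and _is_service(r.service, pkt):
            return n, r.action
    return len(RULEBASE) + 1, "drop"   # FW-1 drops anything no rule matched

def ping_works(internal_host, external_host):
    """A ping needs the echo-request out AND the echo-reply back; each is judged
    on its own because the ICMP reply is not tracked like a TCP connection."""
    out = evaluate(Packet(internal_host, external_host, "icmp", 8, "internal"))
    back = evaluate(Packet(external_host, internal_host, "icmp", 0, "external"))
    return out[1] == "accept" and back[1] == "accept"

if __name__ == "__main__":
    for pkt in [
        Packet("10.0.1.10", "203.0.113.5", "tcp", 21, "internal"),   # user ftp: dropped
        Packet("10.0.10.7", "203.0.113.5", "tcp", 21, "internal"),   # IT ftp: accepted
        Packet("203.0.113.5", "10.0.10.7", "icmp", 8, "external"),   # ping IT from outside: dropped
        Packet("10.0.1.10", "203.0.113.5", "tcp", 80, "external"),   # spoofed internal source
    ]:
        print(pkt.src, "->", pkt.dst, pkt.proto, pkt.port_or_type, evaluate(pkt))
    print("IT ping works:", ping_works("10.0.10.7", "203.0.113.5"))
    print("user ping works:", ping_works("10.0.1.10", "203.0.113.5"))
```

Two things worth noticing when running it. An echo-request aimed at an IT workstation from outside still hits the cleanup rule, which is jmsr's point that the echo-reply rule does not open inbound ping. And the stealth rule sits first so that even the IT group's "Any" outbound rule cannot reach the firewall itself. A Unix traceroute ends with an ICMP port-unreachable (type 3) from the final host rather than a time-exceeded, so a matching "dest-unreach" rule for IT would be needed for the last hop to show up.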
 
LVL 2

Expert Comment

by:ritupatel112699
ID: 6645617
Download security-check software from eeye.com called RETINA and then use it to check out your firewall settings and security risks, and then put your company's network back on the net.

This will help you to find out different possible hacks, either in the OS or in the application.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6789103
I think you must also add ZoneAlarm (or similar) to the firewall concept, for it handles outbound traffic that your initial configuration is missing. Note that an ISP will disconnect you if your setup sends them junk, virus, worm, or spam.
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6866507
> Urgent firewall help
<uh> how urgent was that again?
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6866511
> Block file downloads to only the IT department.

try using block file transfer utilities, they're a cream
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6948792
Urgent comment supply depot
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9706116
Hey people,

No comment has been added in roughly 1.5 years, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to geoffryn.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0
