help with Netscreen Policies/Screening

Asked by goldylamont

Hi, I'm looking for advice on what policies I need and what screening to turn on for a Netscreen 5xp device (or Netscreens in general). Can you please confirm or refute my beliefs below and provide explanations? My network setup is very simple: one MS SBS2003 server running Exchange 2003 with 10 XP clients using one Netscreen 5xp as gateway/firewall. I'm only using trust and untrust virtual routers.

1) I only need to make "Allow" policies? All other traffic is denied by default?

Trust->Untrust to allow outbound traffic for LAN users and Server. All I need to allow on Trust->Untrust are the network protocols needed: Blackberry Ent. Server, DNS, FTP, HTTP, HTTPS, ICMP-ANY, IMAP, MAIL, PING, POP3, SSH
Am I missing any common protocols? I think I have all the common ones.

Untrust->Trust to allow Exchange server to work: HTTP, SMTP, PING

So, I only need these two "Allow" policies. I don't need any "Deny" policies since anything other than these port openings is denied by default anyway?

2) Screening?

Trust Zone Screening: I check all Screening options for Trust zone except for "Block HTTP Components" section (I want to allow users to download Java apps, .exe files, etc.). Is this correct? Any reason to NOT check off everything in Trust Zone?

Untrust zone screening: I left only the default screening options checked for the Untrust zone:
SYN Flood Protection
Ping of Death Attack Protection
Land Attack Protection
IP Source Route Option Filter
Should I check off everything in the Untrust Zone or just leave these defaults? Why are these the defaults?

So, that's all I have set up right now. Two "Allow" policies and screening as stated above. Any suggestions much appreciated.
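The two permit policies and the screen settings described in the question, written out as ScreenOS CLI. This is an added illustration, not configuration from the thread or from Juniper; the MIP and host addresses are placeholders, "BES-SRP" is assumed to be a custom service already defined for the BlackBerry server, and inbound traffic is restricted to the server's MIP rather than to "Any" on the trust side.

```screenos
# Added example: ScreenOS CLI for the setup described above. Placeholder
# addresses; "BES-SRP" is assumed to be a custom service defined separately.

# Outbound service group (the protocols the question lists)
set group service "Outbound-Allowed"
set group service "Outbound-Allowed" add "DNS"
set group service "Outbound-Allowed" add "FTP"
set group service "Outbound-Allowed" add "HTTP"
set group service "Outbound-Allowed" add "HTTPS"
set group service "Outbound-Allowed" add "IMAP"
set group service "Outbound-Allowed" add "MAIL"
set group service "Outbound-Allowed" add "POP3"
set group service "Outbound-Allowed" add "SSH"
set group service "Outbound-Allowed" add "PING"
set group service "Outbound-Allowed" add "BES-SRP"

# Policy 1: Trust -> Untrust, any LAN host, only the listed services, logged
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "Outbound-Allowed" permit log

# Publish the Exchange server through a MIP (placeholder addresses)
set interface untrust mip 203.0.113.10 host 192.168.1.5 netmask 255.255.255.255

# Policy 2: Untrust -> Trust, only to the server's MIP, only HTTP/SMTP/PING
set group service "Inbound-Exchange"
set group service "Inbound-Exchange" add "HTTP"
set group service "Inbound-Exchange" add "SMTP"
set group service "Inbound-Exchange" add "PING"
set policy id 2 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "Inbound-Exchange" permit log

# Untrust screens: the four defaults from the question plus spoof/scan checks
set zone untrust screen syn-flood
set zone untrust screen ping-death
set zone untrust screen land
set zone untrust screen ip-filter-src
set zone untrust screen tear-drop
set zone untrust screen ip-spoofing
set zone untrust screen port-scan
set zone untrust screen ip-sweep

# Trust screens (representative subset); component-block java/activex/zip/exe
# is simply not set, which is what the poster wants
set zone trust screen syn-flood
set zone trust screen ping-death
set zone trust screen land

# Verify: no catch-all permit has been enabled, and screens are active
get config | include default-permit
get zone untrust screen
get zone trust screen
```

The `get config | include default-permit` line should return nothing; if it shows `set policy default-permit-all`, the implicit deny the question relies on is no longer in effect.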

Qlemo:
[solution text not available on this page]
goldylamont:

ok, so I selected all screening options for Untrust except for:
Block HTTP Components
      Block Java Component
      Block ActiveX Component
      Block ZIP Component
      Block EXE Component
...because I do want to allow people to install ActiveX and send/receive .zip files, etc.

Is that all I have to do and I'm set?

Yessir, that should be all.
Please close question