Re: Understanding Firewall-1 Configs

[theog <theog () theog org>]

I'll start from the end - :)

to scan with no ping , you can use: nmap -P0 -sT %ip subnet%
%ipsubnet%= the subnet you want to scan i.e. 192.168.0.0/24 (while 24 is 
the number of network asigned bits).

To the more complex section for you my friend , I would not use Windows 
systems infront of the internet , let alone checkpoint firewall-1 4.1 
SP1  - Upgrade to NG (or at least SP6).

You should not fear of an attack taking down the firewall , as I see it 
it will be much simpler to exploit what your firewall doesnt check - 
port 53 to the DNS server (check for microsoft DNS exploits) port 80 and 
443 on your web server (check for IIS exploits).

I would recommend using Nessus (at www.nessus.org) to check for vuln. of 
your machines.

TheOg



amy_morgan () hushmail com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Our network engineer just left the company and all of his responsibilities have been transferred to me, including the 
> firewall.
>
> So, here's what I'm trying to find out...
>
>
> This is a general diagram.
>
>
>            Internet
>                |
>                |
>                V
>          Border Router (Cisco)
>                |
>                |
>                V
>            Firewall--->DMZ: DNS(NT4), www(NT4), mail scanner
>                |
>                |
>                V
>         Core Switch (Cisco)-------Frame Relay Connection
>                |
>                |
>         Internal Network
>
>
>
>
> Here are the details on the firewall:
>
> CheckPoint Firewall-1  4.1 SP1 on NT4 SP5
> You are not able to ping the firewall from the Internet.
> All public IP addresses (located in the DMZ) are NAT'd to internal 172.16.x.x
> A separate workstation object is created for each box that needs a public IP address and then another workstation object is 
> created for it's internal IP address counterpart.  The public IP address/port is then then NAT'd over to the internal 
> IP address/port.
>
> For example:  The web server has two workstation objects, the one with the public IP address and one with the internal IP 
> address.  Incoming packets on port 80 & 443 to the public IP address are then NAT'd over to the internal IP 
> address/port. Correct..?
> All inbound ports are blocked by default except requests made to specific IP address/port:
>
> Inbound...
> - -on port 25 to public IP address of mail scanner is NAT'd to internal IP address of mail scanner
> - -on port 80 to public ip address of IIS is NAT's to internal IP address of IIS
> - -on port 443 to public ip address of IIS is NAT's to internal IP address of IIS
> - -on port 1494 to public ip address of Citrix box is NAT'd to internal ip address of Citrix
>
>
> Questions:
>
> 1. On a scale of 1 - 10 (10 is most secure), how secure is this firewall configuration?  Why?
> 2. What can get through and how?  Any specific exploits?
> 3. What is it that is allowing it to get by the firewall?  What part of the config?
>
> Right now, I'm just concerned about what can get by the firewall and how does that happen?  What are the mechanics of 
> how it gets through?  I already have someone dealing with the NT service pack levels.  My concern right now is the firewall.
>
>
> Is it possible to scan all ports on all the IP addresses of a netblock?
> Even though you are not able to ping my firewall from the Internet, could you scan all ports on each of the IP addresses in my netblock and 
> once you hit port 25 on the public ip address of the mail scanner, you'll get a 'listening' response?  Another way to put 
> that is even though you are not able to ping my firewall from the Internet, can you still Nmap the public IP addresses (publicly accessible 
> servers) that are NAT'd behind my firewall?  If so, how does that work and can I do anything to prevent it?
>
>
> Links to sites/articles/docs/pdfs would be great.  I just need to get a better understanding of
> this...
>
>
>
> Thanks,
> Amy Morgan
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.2 (Java)
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wl8EARECAB8FAj4c9GsYHGFteV9tb3JnYW5AaHVzaG1haWwuY29tAAoJEAS2WQxW3/uw
> 7/8AmwZRykD+t54ZoDXRJ+PrOpTsCAF/AKCwc/XG8gX8Cy3YQUOwAV4vhecD8Q==
> =wWJy
> -----END PGP SIGNATURE-----
>
>
>
>
> Concerned about your privacy? Follow this link to get
> FREE encrypted email: https://www.hushmail.com/?l=2 
>
> Big $$$ to be made with the HushMail Affiliate Program: 
> https://www.hushmail.com/about.php?subloc=affiliate&l=427
>