Re: Firewall-1 Security Advisory

[youngk () TTC COM (Keith Young)]

And don't forget that if you have 3.0B patch level 3064 or above, ports
18181, 18182, 18183, and 18184
are also open for OPSEC. This is *on* by default. However, unlike the other
ports, you must allow
access to these ports in your rulebase.

The ports can be turned off by editing your $fw-1_src_dir/conf/fwopsec.conf
file.

--Keith Young / Avenger
-youngk () ttc com

> And what about the default of the ports 256, 257, 258 and 259 appearing on
> every interface?  A little concerning, since they are not listed in the
> table of ports in the main manual.  Even more concerning when I'm told
> they are for secure remote support, logging and configuration control!
> This obscurity makes one rather nervous.
>
> Cheers, Gary
>
> On Tue, 27 Oct 1998, David S. Goldberg wrote:
>
> > > So the closest thing to a warning, comes not in the manuals that
> > > come with the software - but you have to pay to go on a course for
> > > this info. I may be wrong about this - if you know of any other
> > > place where this is documented please let me know.
> >
> > The "Managing Firewall-1 Using the Windows GUI" book that comes with
> > the firewall (both in hardcopy and pdf on the CD) covers this in
> > Chapter 8.  In Chapter 9 (page 170 in my copy) they list in order the
> > bits a packet is matched against.
> >
> > Unfortunately, this documentation is insufficient.  They don't give
> > any advice as to the implications of doing DNS and ICMP before the
> > rule base.  In spite of what they might consider a complete
> > description of how it work, it's easy to miss the security implication
> > of their default settings, especially when they declare some things
> > essential, making it seem to the administrator that she'd better leave
> > the services wide open rather than handle them explicitly in the
> > rules.
> >
> > --
> > Dave Goldberg
> > Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
> > Phone: 781-271-3887
> > Email: dsg () mitre org