Checkpoint FW-1 identification

[hirst () ROCKETMAIL COM (Tim Hirst)]

Hi all,

This is not a bug but is instead a common procedural error.
If a remote attacker performs a port scan on a network and
finds a machine with ports 256, 257, and 258 open then it is
a sure bet that they are running a Checkpoint FW-1 firewall.
Since increased awareness about the brand and location of a
firewall can greatly help an attacker, providing this
information is a *bad* thing.

Solution: Don't give them the info. Don't allow any
connections to the firewall itself, accept for the firewall
protocol, and only allow that from trusted sources. Of
course this means that your firewall should not be running
any other services, but that should be a given. Also make
sure that you disable the appropriate sections in the
*hidden* properties page. If you have a router then add a
ACL that disallows unauthorized systems from scanning or
even seeing these ports.


-- 
Tim Hirst                          <thirst () hiverworld com>
Audit Team Leader                http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Management