Bugtraq mailing list archives
Checkpoint FW-1 identification
From: hirst () ROCKETMAIL COM (Tim Hirst)
Date: Fri, 16 Jul 1999 08:26:52 -0000
Hi all,

This is not a bug but is instead a common procedural error. If a remote attacker performs a port scan on a network and finds a machine with ports 256, 257, and 258 open, then it is a sure bet that they are running a Checkpoint FW-1 firewall. Since increased awareness about the brand and location of a firewall can greatly help an attacker, providing this information is a *bad* thing.

Solution: Don't give them the info. Don't allow any connections to the firewall itself, except for the firewall protocol, and only allow that from trusted sources. Of course this means that your firewall should not be running any other services, but that should be a given. Also make sure that you disable the appropriate sections in the *hidden* properties page. If you have a router then add an ACL that disallows unauthorized systems from scanning or even seeing these ports.

--
Tim Hirst <thirst () hiverworld com>
Audit Team Leader
http://www.hiverworld.com
Hiverworld, Inc.
Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Management
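As an added example (not part of the original post), the following Python script shows the detection side of the advice above: it reads firewall log lines and reports any source outside a trusted network that has touched all three FW-1 ports 256, 257 and 258, which is the fingerprinting pattern the post describes. The log format, the trusted network and the log lines themselves are constructed for the example and are not a real FW-1 log format.

```python
import ipaddress
import re
from collections import defaultdict

# Management ports identified in the post as the Check Point FW-1 fingerprint.
FW1_PORTS = {256, 257, 258}

# Networks allowed to reach the firewall's own ports (constructed example value).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log lines in an assumed syslog-like format; not a real FW-1 log.
SAMPLE_LOG = """\
Jul 16 08:26:52 fw kernel: DROP src=192.0.2.10 dst=198.51.100.1 proto=TCP dpt=256
Jul 16 08:26:52 fw kernel: DROP src=192.0.2.10 dst=198.51.100.1 proto=TCP dpt=257
Jul 16 08:26:53 fw kernel: DROP src=192.0.2.10 dst=198.51.100.1 proto=TCP dpt=258
Jul 16 08:27:01 fw kernel: ACCEPT src=10.1.2.3 dst=198.51.100.1 proto=TCP dpt=256
Jul 16 08:27:05 fw kernel: ACCEPT src=10.1.2.3 dst=198.51.100.1 proto=TCP dpt=257
Jul 16 08:27:09 fw kernel: ACCEPT src=10.1.2.3 dst=198.51.100.1 proto=TCP dpt=258
Jul 16 08:28:00 fw kernel: DROP src=203.0.113.7 dst=198.51.100.1 proto=TCP dpt=256
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=TCP dpt=(\d+)")


def is_trusted(src):
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def find_fw1_probes(log_text):
    """Return sorted untrusted sources that touched every FW-1 management port.

    A hit on a single port is noise; all three ports from one source outside
    the trusted networks is the identification pattern the post warns about.
    """
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dport = m.group(1), int(m.group(3))
        if dport in FW1_PORTS and not is_trusted(src):
            ports_by_src[src].add(dport)
    return sorted(src for src, ports in ports_by_src.items() if ports == FW1_PORTS)


if __name__ == "__main__":
    print(find_fw1_probes(SAMPLE_LOG))  # → ['192.0.2.10']
```

The trusted host 10.1.2.3 is ignored even though it reached all three ports, and 203.0.113.7 is not reported because it only touched one port.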