Re: CheckPoint FW1 BUG

[Hugo.van.der.Kooij () CAIW NL (Hugo.van.der.Kooij () CAIW NL)]

On Fri, 14 Jul 2000, uh Clem wrote:

> On Fri, 14 Jul 2000 Hugo.van.der.Kooij () caiw nl wrote:
>
> > The first thing to do is to strip the host the FW-1 software is to be
> > installed on. Securing the OS before even starting to install the firewall
> > is essential.
>
> When the firewall itself is dependant upon service being active, this is
> somewhat difficult. See below.

FW-1 does not depend on any of these services! So they shouldn't be left
alive. Lance Spitzner wrote an article on how you should harden the
system. (Basically removing all those services.)

See also: http://www.enteract.com/~lspitz/papers.html

> > After installation you should secure the FW-1 software from any access to
> > the machine you don't explicitly want. Always pay attention to the implied
> > rules which can be made visible and should be thoroughly checked.
>
> One of the other things we observed was the extremely poor state of
> permissions that Firewall-1's installation leaves things in. As far as I
> could tell, there was no option to run the firewall services as an
> alternate user besides SYSTEM. Some would argue this is necessary, but it
> really isn't; NT provides well documented APIs for adding specific
> priviledges to a given user's token. These kind of mistakes are generally
> present in win32 software written by people who haven't bothered to learn
> the platform.

The vision is that this machine is a dedicated firewall. So no services
should be running. I'm unfamiliar with NT internals but it needs to
intervene on a rather low level (between NIC and IP stack) and wether such
an installation would be feasible without running as administrators is
unknown to me.

> > However it is quite unclear why accessing a port would cause a firewall
> > process to 100%. But FW-1 v4.0 SP4 is NOT certified for NT 4.0 SP6a and it
> > is recommended you upgrade to FW-1 v4.0 SP6 asap.
>
> Ports 1030-103x are where registered RPC services are listening, much like
> 32767-328xx on Solaris. The ports are assigned by the RPC mapper (port 135
> on NT, port 111 on Solaris) in the order the RPC services are
> started. What I think is happening here is that the firewall-1 service in
> question is running as an RPC service (frightening, eh?) and only expects
> local connections.

FW-1 does not use RPC itself at all. I've seen a couple of dozen of
installations of FW-1 on just about any platform (besides Linux at present
;-) an know it runs on very bare systems.

Hugo.

--
Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
hvdkooij () caiw nl     http://home.kabelfoon.nl/~hvdkooij/
--------------------------------------------------------------
Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)