Great Circle Associates Firewalls
(April 1998)

Subject: RE: socks versus fw-1 [Part I/II]
From: Kevin Brown - NetComm <Kevin . Brown @ NetComm . ie>
Date: Sat, 11 Apr 1998 22:56:46 +0100
To: "Moser, Stefan" <stefan . moser @ csfb . com>
Cc: firewalls @ GreatCircle . COM
In-reply-to: <21D8314B439ED111A4690000F8AE45E5036B6B @ slon00302 . gb . csfp . csh . com>

At 17:28 +0100 10/4/98, Moser, Stefan wrote:

>
>What worries me actually more about the Checkpoint approach is that
>you can switch on/off certain often used services like DNS, ICMP
>etc. in the property settings. Confuses the hell out of people
>since it prevents you from having an all-in-one view of your
>security policy. This is really bad and unnecessary. I actually
>confronted a high-level Checkpoint rep in front of a lot of people
>once, but I don't think he got my point. I think best practice is to
>deny everything in the properties and put *everything* into the policy
>proper instead.


Too many cooks spoil the broth. Once where there were several bodies setting the
rules, someone allowed in DNS to the inside root with the properties, and the
internal fake root DNS got wind of the outside, and the outside got wind of the
inside.

Trash! I agree, beware of the properties. Bad design, as you might not look at the
properties when reading the rules.

Kevin
