Firewall-1 Configuration guide
Updated 8/31/98
 
This configuration guide will be presented in many stages.  This gives me time to get things started right away without having to have the whole document done, and you time to work on and understand one thing at a time if you're following along from the beginning.  Hopefully you won't find any earth-shattering revelations here, but if you do, then now you know how to fix it.  Obviously, I can make a mistake just as easily as anyone (and I have) so please inform me about mistakes I make.  Engage me in a debate about what the best way to do something is.  If I'm wrong, I'll fix it.  If we can't agree, I'll present multiple viewpoints.  This guide won't do anyone any good if mine are the only critical eyes looking at it.  One can't proof their own work effectively.
 
My experience with Firewall-1 is almost exclusively with the filtering module on Solaris on Sparc.  My examples reflect that.

I'm starting with an example of the "right way" to configure Firewall-1 first.  I thought it only fair that I did that before I started in on how to get past FW-1 if the admin didn't configure it this way.

I'll add structure to the document as it gets larger.

Just for confusion's sake, I'll jump into the middle:

[Screenshot: the Security Policy tab of the Properties window, Windows GUI]

This is the Security Policy tab of the Properties section.  This is from the Windows gui.  I'll be presenting all of my examples from the Windows gui, but setting up the same thing in the X app ought to be straightforward.  The exception to that is the address translation setup, and it's for that reason I recommend that one use the Windows gui if you're going to remotely admin a unix gateway.

What I want to focus on here is the checkboxes.  Please take careful note of the ones I have checked off, because you want them checked off too.

Let's go through them one at a time:

- Accept FireWall-1 Control Connections:  Off! Possible root compromise of firewall.
This one is REALLY important.  I'll provide more detail later, but start with this:

http://www.checkpoint.com/techsupport/snmp/config/snmpindex.html

Note that this is contrary to the on-line help:

Accept FW-1 Control Connections - FireWall-1 uses these connections for downloading Inspection Code.

You can disable this option if the only FireWalled host is the Management Station.

If you can get away with doing your management from the actual console of the gateway machine, even better.  Most of us can't.  The Checkpoint document above tells you how to uncheck that box and still retain remote management capabilities.  Follow their advice.

- Accept UDP Replies: Unknown.
As far as I know (so far) this is OK to leave on as long as you intend to do UDP through your FW-1.  I will be investigating further.

- Accept Outgoing Packets: Unknown.
According to the on-line help, this is outgoing packets from the gateway itself.  This deserves more investigation, but doesn't appear to be a problem.

- Enable Decryption on Accept: Unknown.
Presumably for decrypting connections from encrypting machines that happen to match before your decrypt rule (i.e. if the whole world is allowed at a particular rule, decrypt the SecuRemote user and let him in, too.)  I'd be curious to know if you check it off, if the SR user gets dropped, or passed down to the decrypt rule.

- Use FASTPATH: Off!
Get faster performance by turning off most of the security.  Must be off for encryption or authentication.  I haven't tried to see how bad it is yet.  I've seen a number of e-mails flying across the FW-1 mailing list that indicate it may be REALLY bad.

- Accept RIP: Off! Possible root compromise of firewall and inside machines.
You want this off.  Put tighter rules in the rulebase if you need to use RIP.  More later.

- Accept Domain Name Queries (UDP): Off! PROBABLE root compromise of firewall and inside machines.
Turn it off right now.  Put rules in the rulebase to handle DNS.  Never run DNS on your firewall machine, religiously patch your offboard DNS server and read your Bugtraq.

- Accept Domain Name Queries (TCP): Off! See above.  Probably slightly less bad than the UDP version, but the same issues apply.

- Accept ICMP: Off. Probably DoS of inside machines and Internet victims.
The right way to handle this is to install the code at:

http://people.netscape.com/shadow/work/inspect/fw1_icmp.html

If you aren't willing to go quite as far as installing the code, you can infer which ICMP services to let in and out from his document.  I'll elaborate on which those are a bit more another time.

If you don't fix your ICMP settings, you probably won't suffer an intrusion, but you'll get machines crashed, and you will become a smurf relay.

Hopefully I've scared you enough to fix these items right away.  I'm quite serious about the above warnings.

As always, make sure you keep backups and have a backup access method (especially important when screwing with the control connections settings.  Easy to lock yourself out.)

I chose that set of items to start with since it seems to be VERY common for FW-1 admins to get them wrong.  It's especially bad from a conceptual point-of-view because those settings are essentially outside of the ruleset, and can override it.  That's it for right this second.  There's more to fix... lots more!
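To make the last point concrete, here is a small model of why those checkboxes matter: the Properties settings act as implied rules that are consulted apart from the rulebase, so a checked box can accept traffic that the rulebase would have dropped. This is an added example written for this guide, not Check Point code or INSPECT; the addresses and packets are constructed, the port numbers are the standard ones for DNS (53) and RIP (520), and the assumption that the implied rules are evaluated ahead of the rulebase is just the simplest way to model the override the text describes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample addresses; none of these come from the guide.
FIREWALL = "192.0.2.1"          # gateway's outside interface
DNS_SERVER = "198.51.100.53"    # offboard DNS server (not on the gateway)
INSIDE_PREFIX = "10.0.0."       # inside network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: str                 # "accept" or "drop"


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


# Explicit rulebase, first match wins: inside hosts may do DNS, but only
# to the offboard server; nothing may talk to the gateway itself.
RULEBASE: List[Rule] = [
    Rule("inside to offboard DNS",
         lambda p: is_inside(p.src) and p.dst == DNS_SERVER
         and p.proto in ("udp", "tcp") and p.dport == 53, "accept"),
    Rule("stealth: drop anything to the gateway",
         lambda p: p.dst == FIREWALL, "drop"),
    Rule("cleanup", lambda p: True, "drop"),
]

# Properties checkboxes modelled as implied rules.  Each one accepts the
# matching traffic from anywhere to anywhere while the box is checked.
IMPLIED: Dict[str, Callable[[Packet], bool]] = {
    "accept_dns_udp": lambda p: p.proto == "udp" and p.dport == 53,
    "accept_dns_tcp": lambda p: p.proto == "tcp" and p.dport == 53,
    "accept_rip":     lambda p: p.proto == "udp" and p.dport == 520,
    "accept_icmp":    lambda p: p.proto == "icmp",
}


def evaluate(pkt: Packet, properties: Dict[str, bool]) -> Tuple[str, str]:
    """Return (action, reason) for one packet.

    Assumption for this model: implied rules are consulted before the
    rulebase, so a checked box wins no matter what the rulebase says."""
    for name, matches in IMPLIED.items():
        if properties.get(name, False) and matches(pkt):
            return "accept", "property:" + name
    for rule in RULEBASE:
        if rule.match(pkt):
            return rule.action, "rule:" + rule.name
    return "drop", "implicit drop"


# Two policies: every box left checked, and every box cleared.
DEFAULTS_CHECKED = {name: True for name in IMPLIED}
ALL_CLEARED = {name: False for name in IMPLIED}

# Constructed sample traffic.
SAMPLES: Dict[str, Packet] = {
    "dns_to_gateway": Packet("203.0.113.9", FIREWALL, "udp", 53),
    "rip_to_gateway": Packet("203.0.113.9", FIREWALL, "udp", 520),
    "ping_to_inside": Packet("203.0.113.9", "10.0.0.7", "icmp"),
    "legit_dns":      Packet("10.0.0.7", DNS_SERVER, "udp", 53),
}


def audit(properties: Dict[str, bool]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample packet under one set of Properties."""
    return {label: evaluate(pkt, properties) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for title, props in (("boxes checked", DEFAULTS_CHECKED), ("boxes cleared", ALL_CLEARED)):
        print(title)
        for label, (action, why) in audit(props).items():
            print(f"  {label:16s} {action:6s} ({why})")
```

Run it and compare the two blocks of output: with the boxes checked, the outsider's DNS and RIP packets aimed at the gateway, and the ping to an inside host, are all accepted by a property before the stealth and cleanup rules ever see them. With the boxes cleared, the explicit rule still lets inside hosts reach the offboard DNS server, and everything else falls through to a drop, which is the behaviour the rulebase was written to give.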

BB