From owner-freebsd-chat  Mon Oct  9 22:21:51 2000
Delivered-To: freebsd-chat@freebsd.org
Received: from lafontaine.cybercable.fr (lafontaine.cybercable.fr [212.198.0.202]) by hub.freebsd.org (Postfix) with SMTP id 8936237B502 for ; Mon, 9 Oct 2000 22:21:46 -0700 (PDT)
Received: (qmail 13574734 invoked from network); 10 Oct 2000 05:21:44 -0000
Received: from r220m132.cybercable.tm.fr (HELO cybercable.fr) ([195.132.220.132]) (envelope-sender ) by lafontaine.cybercable.fr (qmail-ldap-1.03) with SMTP for ; 10 Oct 2000 05:21:44 -0000
Message-ID: <39E2A899.3BB2151C@cybercable.fr>
Date: Tue, 10 Oct 2000 07:26:49 +0200
From: Saad KADHI
Organization: NEUROCOM
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16 i686)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-chat@freebsd.org
Subject: Re: Check Point FW-1
References: <20001008125715.T25121@149.211.6.64.reflexcom.com> <20001008225125.A25121@149.211.6.64.reflexcom.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi there,

"Crist J . Clark" wrote:
> On Mon, Oct 09, 2000 at 01:03:08AM +0200, Roman Shterenzon wrote:
> > On Sun, 8 Oct 2000, Crist J . Clark wrote:
> >
> > > On Sat, Oct 07, 2000 at 01:33:04PM -0400, Brian Reichert wrote:
> > > > On Fri, Oct 06, 2000 at 10:57:37PM -0700, Craig Cowen wrote:
> > > > > The big cheeses at work want to use check point instead of ipf or any
> > > > > other open source solution.
> > > > > Can anybody help me with vulnerabilities to this so that I can change
> > > > > their minds?

There are a "lot" of vulnerabilities in FireWall-1 that can scare the hell out
of the big cakes (or was it cheeses ?) ;-). On security-focus.com, there are at
least 5 vulnerabilities (for both 4.0 and 4.1) that I have tested myself and
found to be working. Just go to www.security-focus.com and click on
vulnerabilities and select Check Point Software from the drop-down menu.
Look at the latest 5 vulnerabilities. Try them to make sure they are still
working. Also, get a look @:
http://www.dataprotect.com/bh2000/blackhat-fw1.html
This is a very good paper about how to bypass FireWall-1 security checks that
was discussed during the black hat conf' in Las Vegas. If the above couldn't
change their minds to IPF (this is REALLY a very good piece of firewall), then
nothing would!

HTH

> > > > >
> > > > I found that Checkpoint 4.0 (this may have changed) doesn't do NAT
> > > > right; it uses NAT across _all_ interfaces, instead of letting you
> > > > pick one.
> > >
> > > Right, it determines whether to do NAT by source address, destination
> > > address, and destination port. Actually, it is not possible to do
> > > _anything_ per interface from the GUI. Wouldn't it be nice (and
> > > wouldn't you expect a firewall to be able) to block anything not
> > > destined for a small block of registered IPs at the external
> > > interface? Well, you can't put a rule to do that in the GUI.
> >
> > That's rule 0 - it does antispoofing stuff.
> > It's really simple. From the GUI.
>
> It's only simple if you have only a LAN behind the box. If you've got
> multiple, non-adjacent logical netblocks routed behind the box, it is
> non-trivial to setup the "built-in" antispoofing.
>
> > Now, does it have anything to do with FreeBSD-security?
>
> Not much anymore, redirected to -chat if anyone still cares.
> --
> Crist J. Clark                           cjclark@alum.mit.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Saad KADHI -- Security Engineer
---------------------------------
perl -e 'print ($myself=pack(c2,unpack(c,EOF)-3,(((hex(0x666)/6)-666)/2)-66+4),
pack(c3,((int(exp(666)/10e287)+int(log(666)*2))*2)+10,int(crypt(ski,72)),oct(12)));'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message