[8348] in bugtraq
Re: Firewall-1 Security Advisory
daemon@ATHENA.MIT.EDU (Keith Young)
Fri Oct 30 16:34:33 1998
Date: Thu, 29 Oct 1998 11:11:30 -0500
Reply-To: youngk@TTC.COM
From: Keith Young <youngk@TTC.COM>
X-To: Gary Gaskell <gaskell@FIT.QUT.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG

And don't forget that if you have 3.0B patch level 3064 or above, ports 18181, 18182, 18183, and 18184 are also open for OPSEC. This is *on* by default. However, unlike the other ports, you must allow access to these ports in your rulebase.

The ports can be turned off by editing your $fw-1_src_dir/conf/fwopsec.conf file.
--Keith Young / Avenger
-youngk@ttc.com
>And what about the default of the ports 256, 257, 258 and 259 appearing on
>every interface? A little concerning, since they are not listed in the
>table of ports in the main manual. Even more concerning when I'm told
>they are for secure remote support, logging and configuration control!
>This obscurity makes one rather nervous.
>
>Cheers, Gary
>
>On Tue, 27 Oct 1998, David S. Goldberg wrote:
>
>>> So the closest thing to a warning, comes not in the manuals that
>>> come with the software - but you have to pay to go on a course for
>>> this info. I may be wrong about this - if you know of any other
>>> place where this is documented please let me know.
>>
>>The "Managing Firewall-1 Using the Windows GUI" book that comes with
>>the firewall (both in hardcopy and pdf on the CD) covers this in
>>Chapter 8. In Chapter 9 (page 170 in my copy) they list in order the
>>bits a packet is matched against.
>>
>>Unfortunately, this documentation is insufficient. They don't give
>>any advice as to the implications of doing DNS and ICMP before the
>>rule base. In spite of what they might consider a complete
>>description of how it works, it's easy to miss the security implication
>>of their default settings, especially when they declare some things
>>essential, making it seem to the administrator that she'd better leave
>>the services wide open rather than handle them explicitly in the
>>rules.
>>
>>--
>>Dave Goldberg
>>Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
>>Phone: 781-271-3887
>>Email: dsg@mitre.org
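The ordering the thread describes (control ports, DNS and ICMP handled as implied rules before the rule base, while the OPSEC ports still have to pass the rule base), as an added illustration that is not code from the original posts or from the FireWall-1 product. The split of ports into "implied" and "needs a rule" follows the posts above, not vendor documentation, and the source addresses are constructed.

```python
"""Simplified model of the matching order discussed in the thread.
Implied rules (control ports, DNS, ICMP) are evaluated before the
administrator's rule base; OPSEC ports are open but go through the
rule base. Constructed illustration, not FireWall-1 code."""
from dataclasses import dataclass

# Ports named in the thread. Grouping follows the posts, not vendor docs.
CONTROL_PORTS = {256, 257, 258, 259}          # accepted before the rule base
OPSEC_PORTS = {18181, 18182, 18183, 18184}    # open, but must pass the rule base

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    proto: str  # "tcp", "udp" or "icmp"

@dataclass(frozen=True)
class Rule:
    src: str       # "any" or a single host
    dst_port: int  # 0 means any port
    action: str    # "accept" or "drop"

def implied_accept(pkt, dns_before_rulebase=True, icmp_before_rulebase=True):
    """True if an implied (pre-rule-base) rule accepts the packet."""
    if pkt.proto == "icmp":
        return icmp_before_rulebase
    if pkt.proto == "udp" and pkt.dst_port == 53:
        return dns_before_rulebase
    return pkt.proto == "tcp" and pkt.dst_port in CONTROL_PORTS

def evaluate(pkt, rulebase, **implied):
    """Implied rules first, then the rule base top-down, then implicit drop."""
    if implied_accept(pkt, **implied):
        return "accept (implied)"
    for rule in rulebase:
        if rule.src in ("any", pkt.src) and rule.dst_port in (0, pkt.dst_port):
            return f"{rule.action} (rule)"
    return "drop (implicit)"

def audit(rulebase, **implied):
    """Verdict per probe: shows a 'drop everything' rule base leaves implied ports open."""
    probes = [Packet("10.9.9.9", p, "tcp") for p in sorted(CONTROL_PORTS | OPSEC_PORTS)]
    probes.append(Packet("10.9.9.9", 53, "udp"))  # constructed DNS probe
    return {(pkt.proto, pkt.dst_port): evaluate(pkt, rulebase, **implied) for pkt in probes}

if __name__ == "__main__":
    deny_all = [Rule("any", 0, "drop")]
    for key, verdict in audit(deny_all).items():
        print(key, "->", verdict)
    # Disabling the implied DNS rule sends port 53 through the rule base instead.
    print(audit(deny_all, dns_before_rulebase=False)[("udp", 53)])
```

Running it against the deny-all rule base shows the 256-259 control ports and DNS accepted before any administrator rule is consulted, while 18181-18184 are dropped until a rule explicitly permits them.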