Subject: RNE 5.0 and CheckPoint
From: Alexey V. Lukatsky (luka@infosec.ru)
Date: Wed Oct 11 2000 - 03:01:48 CDT


TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomo@iss.net. Contact issforum-owner@iss.net for help with any problems!
----------------------------------------------------------------------------

Hello!

        When the OPSEC action (Inhibit and Close) is used, a rule is
temporarily created in the FW-1. This rule:

        Src. Address   Dst. Address   Service   Action   Track
        ------------------------------------------------------
        Src_addr       Any            Any       Drop     None

        As the NONE value is set in the TRACK field, none of the dropped
packets are shown in the Log Viewer.

        For ISS Support: it is desirable that the value of the TRACK field
be Short Log or Long Log, and that the INFO field contain information on the
signature that fired. For example:

        "82959" "11Oct2000" "10:04:13" "elx1" "x.x.x.x" "alert" "drop"
"306" "x.x.x.x" "x.x.x.x" "57" "sam" "49927" "" "" "" "" "" "" ""
"" "" "reason: Suspicious activity. Connection was blocked by RealSecure
NetSensor [x.x.x.x], attack signature - IPUnknownProtocol, Info - PROTOCOL:
57(SKIP)"

        At the moment, in the current version it is necessary to run the
RealSecure WorkGroup Manager and look through the latest events with the
OPSEC action.

        One more remark. If the sensor has not communicated with the FW-1
for a long time, some time passes for the exchange of authentication keys
before a rule takes effect. For example, with a rule enabled with OPSEC
Inhibit and Close, dropping of the PING did not happen at once, but only
after 6 packets. I blocked the connection for 10 minutes. In the FW-1 there
were no messages about the connection attempts (because of the NONE value in
the TRACK field).

Best regards,
Alexey Lukatsky Tel/fax: +7 095 289 8998
Security Consultant (ICT, CCSE) E-mail: luka@infosec.ru
NIP "Informzaschita", Russia WWW: http://www.infosec.ru
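As an added example (not part of the post above), a small parser for the quoted FW-1 log export format that pulls the attack signature and Info out of the reason field of a SAM-created entry, so the desired Short/Long Log records could be consumed by a script instead of read in the Log Viewer. The column positions (record number, date, time, action) and the meaning of the "sam" field are assumptions, since the post gives no header line; the second record is constructed to show an ordinary rule-base drop being filtered out.

```python
import re

# Constructed sample: the SAM entry quoted in the post (wrapped across lines
# by the mail client) plus one ordinary rule-base drop built for contrast.
SAMPLE_LOG = '''"82959" "11Oct2000" "10:04:13" "elx1" "x.x.x.x" "alert" "drop"
"306" "x.x.x.x" "x.x.x.x" "57" "sam" "49927" "" "" "" "" "" "" ""
"" "" "reason: Suspicious activity. Connection was blocked by RealSecure
NetSensor [x.x.x.x], attack signature - IPUnknownProtocol, Info - PROTOCOL:
57(SKIP)"
"82960" "11Oct2000" "10:04:20" "elx1" "x.x.x.x" "log" "drop"
"12" "x.x.x.x" "x.x.x.x" "1" "" "" "" "" "" "" "" "" "" "" "" ""
'''

FIELD_RE = re.compile(r'"([^"]*)"')   # [^"] also spans the wrap newlines
SIG_RE = re.compile(r'attack signature - (\S+?),\s*Info - (.*)$')
REC_START_RE = re.compile(r'^"\d+" "\d{2}[A-Za-z]{3}\d{4}"')

def split_records(text):
    """Split a line-wrapped export into records; a record starts at a line
    whose first two quoted fields are a counter and a ddMonyyyy date."""
    records, current = [], []
    for line in text.splitlines():
        if REC_START_RE.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records

def parse_record(raw):
    """Tokenise the quoted fields and decode the SAM reason text."""
    f = [x.replace("\n", " ") for x in FIELD_RE.findall(raw)]
    reason = next((x for x in f if x.startswith("reason:")), "")
    m = SIG_RE.search(reason)
    return {
        "num": f[0], "date": f[1], "time": f[2],
        "action": f[6],        # assumed position of the action column
        "sam": "sam" in f,     # assumed: "sam" marks a SAM-created rule
        "reason": reason,
        "signature": m.group(1) if m else None,
        "info": m.group(2).strip() if m else None,
    }

def sam_blocks(text):
    """Only the entries created by the OPSEC/SAM action."""
    return [r for r in map(parse_record, split_records(text)) if r["sam"]]
```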