From: Slighter, Tim (tslighter_at_itc.nrcs.usda.gov)
Date: Mon Oct 07 2002 - 12:18:19 CDT
My apologies, but if you have been following this thread closely, ISS and
Checkpoint have provided little to no support whatsoever. The best I could
get out of either of them is an outdated document for Checkpoint Firewall-1
Version 4.1 and ISS Network Sensor 6.5. I did manage to dig up some
additional source from Phoneboy and other sites that provided more details
on how to setup the OPSEC with NG and ISS Network Sensor 6.5. This should
not be about the unwillingness to share ideas but instead about the
willingness to share findings and discoveries about discrepancies and
unusual configurations pertaining specifically to ISS related products.
Furthermore, if you were to take it upon yourself and contact ISS support
directly yourself about this issue, you would find that the assistance you
require would not be met satisfactorily. If you are an integral part of
this mailing list and in some shape or form a subsidiary of ISS, then why
have you not presented your findings to ISS so that they would have this
useful information available for their userbase? Perhaps I am wrong, but
it seems apparent that posting this type of material to this mailing list
would be very appropriate and beneficial to the userbase. Failure to offer
this information could be construed as detrimental. Let's say for example
you discovered some strange anomaly with ISS Network Sensor 7.0 where
certain alerts caused the ISSED database to crash. And let's say that I had
discovered an unusual workaround or fix for this strange issue and had
tested this and managed to get everything to work and function on a highly
acceptable basis. Allow us to further say that you posted your issue to the
ISS mailing list and asked about this. Would it be ethical and reasonable
for me to say that I am unwilling to share this information with you and
even more, refuse to present my findings to ISS ???
-----Original Message-----
From: Falck, Axel (ISS Paris) [mailto:AFalck@iss.net]
Sent: Monday, October 07, 2002 5:35 AM
To: Jeroen Veeren; issforum@iss.net
Cc: krosel@jhancock.com; Slighter, Tim; Brooks, Darrell W.; Nelson Fernando Aranzazu
Subject: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1
Jeroen,
The best way now is to contact the ISS technical support at support@iss.net
and probably Check Point support to investigate the issue.
I cannot do tech support on the ISSforum, which is not really the best way
to do that. We can share our ideas to try to solve your issue.
Hope this helps
Note: a long time ago, I personally reconfigured Firewall NG with
RealSecure 6.x at a customer site without any trouble.
Regards
Axel FALCK
-----Original Message-----
From: Jeroen Veeren [mailto:J.Veeren@Veilig.NET]
Sent: Monday, October 7, 2002 10:37
To: Falck, Axel (ISS Paris); issforum@iss.net
Cc: 'krosel@jhancock.com'; 'Slighter, Tim'; Brooks, Darrell W.; Nelson Fernando Aranzazu
Subject: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1
Axel,
I think the big question is here:
Do you have a working solution out there or not?
Then we simply get things to business;
1. If you have it working, please share your config so we can duplicate it.
2. If you don't get it to work, please contact checkpoint (don't let your
customers do that!) and mail the list as soon as there is a solution.
I sadly have to admit I share Kevin's conclusions about just settling for
the kills instead of the -IMHO- much more powerful/desirable OPSEC
mechanism.
On a side note: can I start asking about my options when I implement my
second fw management server for redundancy?
I don't see any options in the response settings, but I guess if it is not
working with one management server, it'll certainly be a dead end with two
management servers...:o)
Cheers,
Jeroen.
-----Original Message-----
From: Slighter, Tim [mailto:tslighter@itc.nrcs.usda.gov]
Sent: Friday, October 4, 2002 18:02
To: 'Falck, Axel (ISS Paris)'; Brooks, Darrell W.; Nelson Fernando Aranzazu; issforum@iss.net
Subject: RE: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1
Aside from your recommendations, did you meet with any success getting the
network sensor to successfully generate an OPSEC command to the NG firewall?
We set up the entire design using the -ssl to ensure the OPSEC channel was
being used as "Authenticated" and NOT "Authenticated with encryption".
Actually, we tried it every possible way following word for word every step
and instruction from all documents from Checkpoint and ISS and Phoneboy and
the OPSEC still does NOT work. If you have been able to get this to work
successfully and witnessing actual OPSEC events in the logs as well as
actual OPSEC changes to the rules in the firewall, please share this
information with the mailing list. Thank you
-----Original Message-----
From: Falck, Axel (ISS Paris) [mailto:AFalck@iss.net]
Sent: Friday, October 04, 2002 1:02 AM
To: Brooks, Darrell W.; Nelson Fernando Aranzazu; issforum@iss.net
Subject: [ISSForum] RE: Configuring RealSecure to use OPSEC with FireWall-1
Did you try http://www.phoneboy.com ?
And so, use the -ssl option in your fwopsec putkey command on NG. Be aware
that in any case the fwopsec putkey command MUST be done FIRST on Check
Point, and after on RealSecure.
Hope this helps
Axel FALCK
-----Original Message-----
From: Brooks, Darrell W. [mailto:DBrooks@jenkens.com]
Sent: Thursday, October 3, 2002 23:42
To: Falck, Axel (ISS Paris); 'Nelson Fernando Aranzazu'; 'issforum@iss.net'
Subject: RE: Configuring RealSecure to use OPSEC with FireWall-1
I have had the same issue, and Checkpoint is no help. The doc for this from
the ISS page has not been very helpful either. I have had to issue the
command from my management server to the gateway in this order:
fw sam -v -I src <IP Address>
Modifying the fwopsec.conf file worked well on 4.1 but not on NG.
Two calls to ISS support yielded little help. I hope someone has a real fix
for this...it's a feature I really miss now that we have upgraded to NG.
Thanks,
Darrell
-----Original Message-----
From: Falck, Axel (ISS Paris) [mailto:AFalck@iss.net]
Sent: Wednesday, October 02, 2002 12:19 PM
To: Nelson Fernando Aranzazu; issforum@iss.net
Subject: RE: Configuring RealSecure to use OPSEC with FireWall-1
Hello,
if the command fw sam -i src "any_ip_address" -t60 doesn't work, the issue
is from CheckPoint software. This command is very useful to check the
OPSEC implementation on FW.
It does work even with no RealSecure installed.
Hope this helps
Axel FALCK
-----Original Message-----
From: Nelson Fernando Aranzazu [mailto:fernando.aranzazu@eqnt.com]
Sent: Tuesday, October 1, 2002 16:10
To: issforum@iss.net
Subject: Configuring RealSecure to use OPSEC with FireWall-1
Hello,
I'm trying to implement OPSEC between Network Sensor 6.5 and CheckPoint
Firewall-1 NG FP2 (installed with backward compatibility) but it doesn't
work.
I have already configured the "fwopsec.conf" file in the firewall, applied
the keys and configured the network sensor to use OPSEC. But when I try
to test the SAM response by executing "fw sam -t 60 -i any_ip_address" the
firewall shows the following message: "sam: Unexpected end of session. It is
possible that the SAM request for 'Inhibit src ip any_ip_address on All' was
not enforced."
Has anybody had this kind of situation?
Thanks.
________________________
Nelson Fernando Aranzazu
Administrador LAN-WAN
Equant - Data Center
Bogotá, Colombia.
_______________________________________________
ISSforum mailing list
ISSforum@iss.net