From: Slighter, Tim (tslighter_at_itc.nrcs.usda.gov)
Date: Mon Nov 04 2002 - 10:37:05 CST
Wish to reopen a thread for anyone working on OPSEC with ISS Network Sensor
and Checkpoint Firewall NG FP3. Has anyone experimented enough to change
the sam_server auth_port to 0 to see if clear text is allowed? Otherwise,
for all those out there who claim that they did manage to get an NG firewall
working COMPLETELY with ISS Network Sensor 6.5...even though your acclaimed
source of expertise is from a document drawn upon a Checkpoint Firewall 4.1
configuration....please enlighten the user forum on what exactly the
fwopsec.conf file looks like on the firewall module....as well as the
contents of the fwopsec.conf file on the firewall management server...and if
not too much trouble, please attach a few fw logs that show evidence of an
actual FW_SAM command working....this does not mean that you see a green
FW_SAM log that shows the connection taking place and that occurs pretty
much every 1-2 minutes for quite some time. What we really wish to see is
this:
Based upon a pre-configured event where ISS sends an OPSEC over to the
firewall module or the firewall management server, the fw log will show a
green FW_SAM connection....based on the OPSEC specifying at least a 1 minute
inhibit, reproduce the event and if OPSEC is working correctly, the fw logs
should now show red rejects for this particular event or host.
I am mostly curious how many people claim emphatically that they have
managed to get this OPSEC functionality working on a NG firewall using the
OFFICIAL document from "Agapitos Chrysochoos" that is specifically targeted
toward a 4.1 Checkpoint Firewall. More specifically, if you are not just
basing the "yes it is working" upon seeing green FW_SAM connections from
either the management server to the firewall module or from the ISS Network
Sensor to the Firewall module...rather than showing logs evidencing
subsequent "rejects" as a result of the FW_SAM command actually being
issued, then please share your configuration files and findings with the
user forum.
Why force everyone to resort to Checkpoint or ISS user support when they do
NOT have the answer? Anyone out there support this proposal? And for
those who "claim" they have OPSEC working between a NG firewall and 6.5
Network Sensor, that they provide the contents of the fwopsec.conf files as
well as logs proving that the FW_SAM commands (inhibit or inhibit and
close...etc..) were actually issued?
It is my belief that far too many people are eschewing providing answers and
solutions for this particular topic. For those who state they have this
working but refuse to provide any answers or proof, there is an air of
skepticism about the authenticity of their claims. If you have OPSEC
working between NG and 6.5 NS....PROVE IT !!