Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Question regarding rules and grouping best practices in Check Point

from [Pablo Hauser] Network Security [Permanent Link]
Subject: RE: Question regarding rules and grouping best practices in Check Point
Date: Fri, 18 Nov 2005 08:51:15 -0300 
The correct answer would be the second one. That way, you only allow access
to servers that really need to access the DB and only to the port it is
listening, and that is how it should be... BUT, the fact of scalability
appears, and then is when you have to decide because if you have 600
freaking rules you probably will take the first choice, which is not bad but
is less secure than first one and allows you to leave an open way to
interconnect all 6 servers just in case sometime you need it without
creating any more rules.
 
__________________________________________________

Pablo D. Hauser | pH


 <http://www.securearg.net/> www.securearg.net
Secure from the source

 

  _____  

De: David.Menard@thomson.com [mailto:David.Menard@thomson.com] 
Enviado el: Jueves, 17 de Noviembre de 2005 10:53
Para: firewalls@securityfocus.com
Asunto: Question regarding rules and grouping best practices in Check Point


This might be an academic question.  What is the best practice for this
scenario?  If you have for example 3 servers each running an application,
the same application but different ports.  Microsoft SQL as the application
with ports 1433 to 1439.  
 
Would you create separate rules for each, or group them together?  They are
in the same subnet.  A visual diagram below:
 
Source        Destination        Service
server1        dbserver3          sqlportrangegroup  
server2        dbserver4
server3        dbserver1
 
-- OR --
 
Source        Destination        Service
server1        dbserver3        sqlport1437
 
server2        dbserver4        sqlport1433
 
server3        dbserver1        sqlport1438
 
In other words, to me it is simpler, more flexible to group all servers by
service or function as in this case for SQL.  Or should you have a rule for
each server.  This would isolate the server possibly from the other servers
and other ports?
 
Any thoughts or opinions is appreciated.
 
Dave Ménard
 
********************************************************
The information contained in this message may be privileged and confidential
and protected from disclosure. If the reader of this message is not the
intended recipient, or an employee or agent responsible for delivering this
message to the intended recipient, you are hereby notified that it is
strictly prohibited (a) to disseminate, distribute or copy this
communication or any of the information contained in it, or (b) to take any
action based on the information in it. If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Cisco VPN Dialer to Netscreen-50, Mike Jones
Next by Date:  Re: Testing Tools, ADT
Previous by Thread:  Question regarding rules and grouping best practices in Check Point, David.Menard
Next by Thread:  Re: Question regarding rules and grouping best practices in Check Point, Michael D. Ulsh/Corp/GIG
Indexes:  [Date] [Thread] [Top] [All Lists]