Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Firewalls
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Question regarding rules and grouping best practices in Check Point

from [Michael D. Ulsh/Corp/GIG] Network Security [Permanent Link]
Subject: Re: Question regarding rules and grouping best practices in Check Point
Date: Tue, 22 Nov 2005 09:14:21 -0500 
The answer depends on what you are trying to accomplish, and what problems
you anticipate.  Obviously both solutions get the desired result, however
thinking forward, will there be other services that you will need to add
later to specific servers?  Typically in most rule bases I've seen and
worked with, most people try to group rules of these nature together like
your example 1 states.  On the other hand, however, you risk security; for
example say Server 1 becomes infected with a broadcasting virus, in
scenario 1 the infected server has the possibility of infecting all the
DBservers, whereas in scenario 2, it can only infect the one DBServer you
have the rule set up for.

Unfortunately there isn't a cookie cutter answer when it comes to security
questions of this nature due to every company and person having specific
and specialized needs.  This also keeps most of us employed :-)

Cheers,

Mike



                                                                           
             <David.Menard@tho                                             
             mson.com>                                                     
                                                                        To 
             11/17/2005 08:52          <firewalls@securityfocus.com>       
             AM                                                         cc 
                                                                           
                                                                   Subject 
                                       Question regarding rules and        
                                       grouping best practices  in Check   
                                       Point                               
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




This might be an academic question.  What is the best practice for this
scenario?  If you have for example 3 servers each running an application,
the same application but different ports.  Microsoft SQL as the application
with ports 1433 to 1439.

Would you create separate rules for each, or group them together?  They are
in the same subnet.  A visual diagram below:

Source        Destination        Service
server1        dbserver3          sqlportrangegroup
server2        dbserver4
server3        dbserver1

-- OR --

Source        Destination        Service
server1        dbserver3        sqlport1437

server2        dbserver4        sqlport1433

server3        dbserver1        sqlport1438

In other words, to me it is simpler, more flexible to group all servers by
service or function as in this case for SQL.  Or should you have a rule for
each server.  This would isolate the server possibly from the other servers
and other ports?

Any thoughts or opinions is appreciated.

Dave Ménard

********************************************************
The information contained in this message may be privileged and
confidential and protected from disclosure. If the reader of this message
is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified
that it is strictly prohibited (a) to disseminate, distribute or copy this
communication or any of the information contained in it, or (b) to take any
action based on the information in it. If you have received this
communication in error, please notify us immediately by replying to the
message and deleting it from your computer.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Email Gateways, Alexis Villagra - VILSOL LatinAmerica
Next by Date:  RE: ISS Proventia Integrated Security Appliance, Zachary Richmond
Previous by Thread:  RE: Question regarding rules and grouping best practices in Check Point, Pablo Hauser
Next by Thread:  RE: Question regarding rules and grouping best practices in Check Point, Jason Monroe
Indexes:  [Date] [Thread] [Top] [All Lists]