Well,
Since security folks are some of the last to know when a system change occurs
having three separate rules by virtue of counts can certainly help identify
when and if a source and destination tuple changes, and applies least access.
I'm not certain how the CheckPoint evaluates rules with service groups, but I
would doubt a noticeable performance difference between the two approaches. I
find it difficult to justify the servicegroup approach in my mind, but I'm sure
least path is king for some shops.
Best,
JC
________________________________
From: Pablo Hauser [mailto:pablohauser@yahoo.com.ar]
Sent: Friday, November 18, 2005 3:51 AM
To: David.Menard@thomson.com
Cc: firewalls@securityfocus.com
Subject: RE: Question regarding rules and grouping best practices in Check Point
The correct answer would be the second one. That way, you only allow access to
servers that really need to access the DB and only to the port it is listening,
and that is how it should be... BUT, the fact of scalability appears, and then
is when you have to decide because if you have 600 freaking rules you probably
will take the first choice, which is not bad but is less secure than first one
and allows you to leave an open way to interconnect all 6 servers just in case
sometime you need it without creating any more rules.
__________________________________________________
Pablo D. Hauser | pH
www.securearg.net <http://www.securearg.net/>
Secure from the source
________________________________
De: David.Menard@thomson.com [mailto:David.Menard@thomson.com]
Enviado el: Jueves, 17 de Noviembre de 2005 10:53
Para: firewalls@securityfocus.com
Asunto: Question regarding rules and grouping best practices in Check Point
This might be an academic question. What is the best practice for this
scenario? If you have for example 3 servers each running an application, the
same application but different ports. Microsoft SQL as the application with
ports 1433 to 1439.
Would you create separate rules for each, or group them together? They are in
the same subnet. A visual diagram below:
Source Destination Service
server1 dbserver3 sqlportrangegroup
server2 dbserver4
server3 dbserver1
-- OR --
Source Destination Service
server1 dbserver3 sqlport1437
server2 dbserver4 sqlport1433
server3 dbserver1 sqlport1438
In other words, to me it is simpler, more flexible to group all servers by
service or function as in this case for SQL. Or should you have a rule for
each server. This would isolate the server possibly from the other servers and
other ports?
Any thoughts or opinions is appreciated.
Dave Ménard
********************************************************
The information contained in this message may be privileged and confidential
and protected from disclosure. If the reader of this message is not the
intended recipient, or an employee or agent responsible for delivering this
message to the intended recipient, you are hereby notified that it is strictly
prohibited (a) to disseminate, distribute or copy this communication or any of
the information contained in it, or (b) to take any action based on the
information in it. If you have received this communication in error, please
notify us immediately by replying to the message and deleting it from your
computer.
