standard firewall configuration baseline

[ligmania]

Does anyone have a document that shows best practices in configuring and
deploying checkpoint firewalls ?

[Joncon]

There is no such thing as a 'standard' firewall configuration as all firewalls differ dependant on their purpose. One FW may need ftp and therefore have it enabled another may not require it and therefore have it disabled. The security options chosen will also be dependant on the O/S Checkpoint sits on (IPSO / SOLARIS / SPLAT / WINDOWS). For example, you will need to do a hell of a lot more work to harden a windows host than you will to secure IPSO / SPLAT. I used to work for a security / audit consultancy looking at the security of FWs and used to upset the managers when I told them I couldn't give them a 'one size fits all' baseline doc for non technical auditors to follow as all firewalls are different.

Some common weaknesses I used to come across a lot:-
1. No stealth rule or stealth rule too low.
2. No logging.
3. Telnet enabled (rather than using something like SSH).
4. FTP enabled (rather than using something like SCP).
5. Backups not being taken / Test restores not been tested.
6. FW software missing critical patches.
7. O/S missing critical patches.
8. No documentation.
9. Rules allowing services no longer required.
10. Rules allowing services but no one knows why they exist.
11. 'Unknown' Admin GUIs defined.

There are plenty more. If you take the approach of least priviledge with all your configurations you will not go far wrong. Simple rule to follow is if something isn't needed disable it.

tht,

Joncon