Not sure about all of your questions, but you could switch to certificate
authorization. The predefined password settings for certificates are a
minimum of 6 characters and four must be different. You can also set an
end-of-life date if you want. With administrators set up via the User -
Administrator group, there is a setting you can enable for failed login
lockouts, but not if the admins are configured via cpconfig or the GUI
version. Unfortunately some things, like using ASD and I believe SmartView
Reporter, require a cpconfig login.
Failed logins and successful logins are shown in SmartView Tracker in the
Audit tab. You could explain to your auditor about the IP address
restrictions you can set and how physical access is controlled. Don't let
each person know the "admin" account password. Set up each administrator
with their own admin-level account.
If these steps fail, ask your auditing agency for someone knowledgeable in
auditing firewalls because it's not the same as auditing standard user
network accounts.
If that fails, offer to replace the firewall and give them the costs to do
so, because no vendor gives two hoots about some auditor's checklist that
they downloaded from some site without any understanding of the underlying
issues. The auditors will then have to quantify the risk versus the dollars
and disruption.
Ray
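As an added illustration, not part of the thread and not Check Point's own code, here is a small Python check that applies the certificate password rule described above (at least 6 characters, at least 4 of them different, optional end-of-life date) and a consecutive-failed-login count of the kind the lockout setting performs. The lockout threshold and the audit record layout are assumptions constructed for the example, not SmartView Tracker's format.

```python
from collections import Counter
from datetime import date

# Values stated in the reply: at least 6 characters, 4 of which differ.
MIN_LENGTH = 6
MIN_DISTINCT = 4
# Assumed threshold for illustration; the real setting is configured per install.
LOCKOUT_THRESHOLD = 5


def check_cert_password(password, expires=None, today=None):
    """Return the list of policy violations; an empty list means acceptable.

    expires/today are ISO date strings (YYYY-MM-DD); today defaults to now.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    if expires is not None:
        cutoff = date.fromisoformat(today) if today else date.today()
        if date.fromisoformat(expires) <= cutoff:
            problems.append("certificate past its end-of-life date")
    return problems


# Constructed audit records as (administrator, result) pairs. This is sample
# input for the example only, not the SmartView Tracker audit format.
SAMPLE_AUDIT = [
    ("alice", "failed"), ("alice", "ok"),           # one miss, then success
    ("bob", "failed"), ("bob", "failed"), ("bob", "failed"),
    ("bob", "failed"), ("bob", "failed"),           # five in a row
    ("carol", "failed"), ("carol", "failed"), ("carol", "failed"),
]


def admins_to_lock(records, threshold=LOCKOUT_THRESHOLD):
    """Return admins whose consecutive failed logins reached the threshold.

    A successful login resets that admin's streak, as a lockout counter would.
    """
    streak = Counter()
    locked = set()
    for admin, result in records:
        if result == "failed":
            streak[admin] += 1
            if streak[admin] >= threshold:
                locked.add(admin)
        else:
            streak[admin] = 0
    return sorted(locked)
```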
From: Erik Widholm <ckptfw1 AT GMAIL DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] Password rules for console/ssh admin login accounts
Date: Wed, 24 Nov 2004 19:31:57 -0600
For connections to management and FW1 servers (using SPLAT, FW1/VPN1
NG AI R55 HFA_09), what are the password policies?
1. is there a minimum length restriction?
2. is there a composition restriction (mixed case, let+num+spec_chars)?
3. is there a valid length of time restriction (3 mos, 1 year?)?
4. is there a no-repeat password restriction?
5. logging of failed attempts? where? how to audit?
where do I find this information?
Our auditor isn't letting up at all, and I couldn't find it in the FW
documentation.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================