Firewall-1

Re: [FW-1] Active Directory replication between VPN site-site-tunnels

Subject: Re: [FW-1] Active Directory replication between VPN site-site-tunnels
From: Christian Chiaverini <cchiaver AT CV DOT NET>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 25 Oct 2005 16:17:43 -0400
The one thing I do wish for SmartDefense is to be separate per Security
policy, e.g. to have DNS inspection turned on for one policy where there
are only DNS servers, and to have it turned off for another.  Global
properties are similar.

Is that what you are trying to have?

You can push it for one policy and uncheck it for the others, but you
now would have to keep this in mind on every push.  You would have to
check or uncheck that setting every time you do push it compared to
which rulebase you are working with.  If you mess up you may cause
problems.



Christian Chiaverini



On Tue, 2005-10-25 at 15:20 -0400, Tony Pombo wrote:
> True, you can enable or disable the individual protections of SmartDefense.
> However, each protection is all or nothing.  For example, the DNS protocol
> inspection setting is either on or off for the entire corporation.
> 
> DNS protocol inspection may be a poor example because it adds modest value,
> and turning it off is of little concern.  There are others that you never
> want to turn off, but it impacts the proper functioning of just one system.
> It would be nice to allow that one system to function without jeopardizing
> the entire network.
> 
> CheckPoint is a good firewall, and I like it, but there is room for
> improvement.
> 
> -----------------------------------------------
> Tony Pombo
> Systems and Security Architect
> 
> 
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Christian Chiaverini
> Sent: Tuesday, October 25, 2005 2:30 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Active Directory replication between VPN
> site-site-tunnels
> 
> You don't have to disable all of SmartDefense, just the DNS protocol
> inspection part.
> 
> Who said it was all or nothing?
> 
> 
> 
> On Tue, 2005-10-25 at 13:52 -0400, Tony Pombo wrote:
> > Microsoft is always going to change things, but why should I have to
> > completely disable enterprise-wide protection just so two windows PCs can
> > communicate?
> > 
> > My point is that I should be able to apply SmartDefense settings
> > selectively.  Currently, it's all or nothing.  That's the bad design I
> > speak of.
> > 
> > -----------------------------------------------
> > Tony Pombo
> > Systems and Security Architect
> > Edict Systems, Inc.
> > 937-429-4288 x279
> > tony.pombo AT edictsystems DOT com
> > 
> > 
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Christian Chiaverini
> > Sent: Tuesday, October 25, 2005 12:40 PM
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: Re: [FW-1] Active Directory replication between VPN
> > site-site-tunnels
> > 
> > If Microsoft breaks the protocol and it is then dropped, SmartDefense is
> > doing exactly what it is supposed to do.  Microsoft has deviated from
> > the RFCs before; in this case they may be doing it again.
> > 
> > Report this to CheckPoint and they may ignore the bad packets Microsoft
> > sends when inspecting this in a hotfix or update of SmartDefense.
> > 
> > 
> > Christian Chiaverini
> > CCSE
> > 
> > 
> > 
> > On Tue, 2005-10-25 at 10:19 -0400, Tony Pombo wrote:
> > > I need to disable the DNS UDP protection for my entire firewall system
> > > just so a couple domain controllers can talk?  So, now I'm no longer
> > > protected against bad DNS UDP packets from the Internet?  That's no good.
> > > 
> > > In this manner, the entire SmartDefense architecture seems poorly
> > > designed.
> > > 
> > > -----------------------------------------------
> > > Tony Pombo
> > > Systems and Security Architect
> > > Edict Systems, Inc.
> > > 937-429-4288 x279
> > > tony.pombo AT edictsystems DOT com
> > > 
> > > -----Original Message-----
> > > From: Mailing list for discussion of Firewall-1
> > > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of cisco4ng
> > > Sent: Tuesday, October 25, 2005 7:33 AM
> > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > Subject: Re: [FW-1] Active Directory replication between VPN
> > > site-site-tunnels
> > > 
> > > This is quite simple.  Under SmartDefense, there is an option under DNS
> > > to turn off "udp protocol enforcement".  Just simply uncheck the box and
> > > re-push the policy.
> > > It will work after that.
> > >  
> > > cisco4ng
> > > 
> > > Loge VK <logevk AT GMAIL DOT COM> wrote:
> > > I hope you have tried enabling Domain Name over UDP and TCP in Global
> > > Properties... if you don't want to do that, then add an explicit rule with
> > > service domain-udp for this to pass.
> > > Loge VK
> > > 
> > > On 10/25/05, Kalpesh Patel wrote:
> > > >
> > > > Hi
> > > >
> > > > We have a Site-to-Site VPN tunnel between UK, Paris and Munich with
> > > > "any" service going through the rule (for now).
> > > >
> > > > We have now moved over to Microsoft Active Directory (Windows 2003
> > > > SP1) and for some reason I'm seeing "domain-udp" drops in the firewall
> > > > logs between the domain controllers, and the DCs are not replicating
> > > > through the firewalls.
> > > >
> > > > Does anyone have a solution to this?
> > > >
> > > > Regards
> > > > Kalpesh
> > > >
> > > >

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
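
Before deciding between the options raised in this thread (unchecking DNS UDP protocol enforcement, which applies to the whole policy, or finding a narrower change), it helps to know which source/destination pairs are actually being dropped. The script below is an added example, not code from the thread or from Check Point: it parses constructed drop logs in a generic key=value layout, separates domain-udp drops between a hypothetical set of domain controllers from all other domain-udp drops, and flags whether any drops come from outside the internal ranges, which is the Internet-facing protection a global switch-off would give up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample drop log in a generic key=value layout (not Check Point's real export
# format). 203.0.113.77 is a documentation address standing in for an Internet host.
SAMPLE_LOGS = """\
Oct 25 10:05:12 fw-uk drop src=10.1.0.10 dst=10.2.0.10 proto=udp service=domain-udp info=SmartDefense:DNS
Oct 25 10:05:13 fw-uk drop src=10.2.0.10 dst=10.1.0.10 proto=udp service=domain-udp info=SmartDefense:DNS
Oct 25 10:05:20 fw-uk accept src=10.1.0.50 dst=10.1.0.10 proto=udp service=domain-udp
Oct 25 10:06:01 fw-uk drop src=203.0.113.77 dst=10.1.0.10 proto=udp service=domain-udp info=SmartDefense:DNS
Oct 25 10:06:09 fw-uk drop src=10.3.0.10 dst=10.1.0.10 proto=udp service=domain-udp info=SmartDefense:DNS
Oct 25 10:07:00 fw-uk drop src=10.1.0.99 dst=10.2.0.10 proto=tcp service=ldap
"""

# Hypothetical domain controllers for the three sites named in the thread (UK, Paris, Munich).
DOMAIN_CONTROLLERS = {"10.1.0.10", "10.2.0.10", "10.3.0.10"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<fw>\S+) (?P<action>\w+) (?P<kv>.*)$")

def parse_line(line):
    """Return the record as a dict (timestamp, firewall, action plus key=value fields) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "fw": m["fw"], "action": m["action"]}
    rec.update(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return rec

def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def classify_dns_drops(log_text, dcs=DOMAIN_CONTROLLERS):
    """Split domain-udp drops into DC-to-DC pairs (replication traffic) and all other pairs."""
    replication, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "drop" or rec.get("service") != "domain-udp":
            continue
        pair = (rec["src"], rec["dst"])
        bucket = replication if (pair[0] in dcs and pair[1] in dcs) else other
        bucket[pair] += 1
    return replication, other

def summarize(log_text, dcs=DOMAIN_CONTROLLERS):
    """DC pairs needing an exception, plus any drop sources outside the internal ranges."""
    replication, other = classify_dns_drops(log_text, dcs)
    external = sorted({src for src, _dst in other if not is_internal(src)})
    return {"dc_pairs_blocked": sorted(replication), "external_sources": external,
            "global_disable_would_expose": bool(external)}
```

If `global_disable_would_expose` is true, the log already shows the protection doing work against outside traffic, so the DC pairs in `dc_pairs_blocked` are the ones to address rather than the whole setting.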
