TICM - The Firewall Hardening Guide v0.1

Technical Incursion Countermeasures


The Firewall Hardening Guide v0.1 - Index



The whole thing collected into an Acrobat file (PDF: 126k)
ADMINISTRATIVE
INTRODUCTION
Firewall-1 Overview
GENERIC FIREWALL REQUIREMENTS
Mandatory Requirements
Network Documentation
Change Control
Firewall Documentation
Physical Security
Patches
Backup Procedures
Alert Procedure
Recommended Requirements
Testing Procedures
User names / passwords for managing the firewall
Management stations that can access and configure the firewall
CHECKPOINT FIREWALL-1 SPECIFIC REQUIREMENTS
Log and alert
Excessive Log Grace Period (sec)
Popup Alert Command
Mail Alert Command
SNMP Trap Alert Command
User Defined Alert Command
Anti Spoof Alert Command
User Authentication Alert Command
IP Options Drop Track
Log established TCP Packets
Log ISAKMP negotiations
Log encryption kernel events
Enable Active Connections
Services
Enable FTP PORT Data Connections
Enable FTP PASV Connections
Enable RSH/REXEC Reverse stderr Connections
Enable RPC control
Miscellaneous
Lookup Priorities
Log Viewer Resolver Properties
Access List settings
Security server settings
SYNDefender settings
Suggested Rules
Tracking
DNS queries from internal hosts (clients)
DNS queries from internal (DMZ) DNS servers to the outside (Internet)
Protecting the Firewall-1 system
Last rule in the rule base
Anti-spoofing and use of IP addresses
Using alternative domain names to hide the true identity when using services like WWW and FTP
Differences in using ‘Drop’ and ‘Reject’ in the ‘Action’ setting for each rule
Unnecessary services should be removed.
Risk of losing log data, or log data being manipulated.
Implicit Rules (Rule Zero rules)
DNS Rule Zero Rules
FW-1 Control Connections
Apply gateway rules to interface direction
TCP session timeout
Accept UDP Replies
Reply Timeout
Accept Outgoing Packets
Enable Decryption on Accept
Use Fastpath/Fastmode
Synchronisation between firewalls is being used
Accept RIP
Accept ICMP