Questions on Firewall-1 and Neighborhood Browser

Burden, James JBurden@caiso.com
Mon, 1 Jun 1998 09:44:40 -0700


Jim,

IMHO, the DMZ should not be a part of the internal NT Domain.  The DMZ
should be for public access, and internal users should use local servers
on the inside of the firewall.

NetBEUI and NetBIOS are broadcast protocols that require client and
server to be in the same collision domain for Network Neighborhood to
work.  If you cross a router/gateway, then a bridge must be configured
to flatten the two subnets.

I would suggest having an internal server that users update, and have it
update the DMZ servers with ftp (ssh).  Users could easily find their
resource, and only one hole has to be created in the firewall.

I think CERT (or AF-CERT) put out an advisory that NetBIOS should not be
enabled through a firewall in early 1997 (don't remember the exact one).

Just my $.02.
Jim

James L. Burden		Phone - 916.351.2243
Security Engineer		Page - 916.814.2563
California ISO			Fax - 916.351.2181
http://www.caiso.com	Email - jburden@caiso.com
41DF 0E4C 26E0 2FD3 8C81  A260 5C40 280E B4AE 7420
____________________________________________
   To Teach is to Learn   - Aaron Nimzovich
____________________________________________

Disclaimer:  The above represents my personal opinions and not an 
official endorsement or position by the California ISO, my current 
employer.  I reserve the right to disavow them at my convenience.   

> -----Original Message-----
> From:	Rodney van den Oever [SMTP:roever@nse.simac.nl]
> Sent:	Friday, May 29, 1998 1:38 PM
> To:	Jim Hebert
> Cc:	firewall-wizards@nfr.net
> Subject:	Re: Questions on Firewall-1 and Neighborhood Browser
> 
> >I have a customer that I'm working with using Check Point Firewall-1.
> 
> Sorry, but I cut a *lot* of your original posting...
> 
> >255.255.255.240). The firewall, internal network, and DMZ are all in the
> >same WindowsNT domain. The firewall is a standalone server. The customer
> 
> Are you referring to the classic DMZ description, or the Checkpoint one?
> 
> So your external victim hosts are trusted by your internal servers. If
> anything happens to them the entire network could be compromised. It's
> like a bypass around the firewall!
> 
> Create a separate domain, block all browsing, only patch a specific
> workstation to the DMZ to manage the web-/ftpserver(s).
> 
> >that they can see the shares that are available. By default, the user
> >will not see these because the NetBEUI protocol is not routable, (the
> 
> Don't confuse NetBEUI with NetBIOS. NetBEUI is a network protocol like IP.
> NetBIOS is a session-layer protocol that can run on top of IP, IPX or
> NetBEUI.
> 
> >internal network. I define a peering between the two (2) WINS servers
> >and force a replication. The DMZ WINS server pushes and the internal
> 
> You don't want to allow stuff like WINS to cross your firewall, really...
> If you still do need to access a machine on the other side of the
> firewall, just create a '%SYSTEMROOT%\system32\drivers\etc\lmhosts'-file.
> 
> Either:
> 
> o Think about a good security policy and enforce it with the Firewall.
> o Just disable the firewall, it only stands in the way with all this
> stuff your customer wants to do :-).
> 
> Good luck!
> 
> --
> Rodney van den Oever / 06 55868577 / PGP Key ID 0x0A6CCE53
> When asked by an anthropologist what the Indians called America
> before the white man came, an Indian said simply "ours". - Vine Deloria, Jr.
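Both replies above come down to one rule: NetBIOS (name, datagram and session services) and WINS replication should not pass between the DMZ and the internal network, with a single narrow hole (ssh from an internal staging server) being the acceptable exception. The script below is an added example, not code from either poster or from Check Point; it audits a constructed, simplified rule base (the dict shape and the addresses are assumptions, not Firewall-1's own format) and reports every accept rule that lets those services cross the DMZ/internal boundary in either direction.

```python
import ipaddress

# Services both replies say should not cross the firewall: NetBIOS name
# service (UDP 137), datagram service (UDP 138), session service (TCP 139)
# and WINS replication (TCP 42).
NETBIOS_WINS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 42)}


def rule(name, src, dst, proto, port, action="accept"):
    """Build a rule record. This flat shape is a constructed simplification
    for the example, not Firewall-1's own rule-base format."""
    return {"name": name, "src": src, "dst": dst,
            "proto": proto, "port": port, "action": action}


def netbios_crossing_rules(rules, dmz, internal):
    """Return names of accept rules that let NetBIOS or WINS traffic pass
    between the DMZ and the internal network in either direction."""
    dmz = ipaddress.ip_network(dmz)
    internal = ipaddress.ip_network(internal)
    findings = []
    for r in rules:
        if r["action"] != "accept":
            continue
        if (r["proto"], r["port"]) not in NETBIOS_WINS_PORTS:
            continue
        src = ipaddress.ip_network(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        # Overlap (not equality) so an "any" source such as 0.0.0.0/0 is
        # caught as well: it reaches the other side just the same.
        if (src.overlaps(dmz) and dst.overlaps(internal)) or \
           (src.overlaps(internal) and dst.overlaps(dmz)):
            findings.append(r["name"])
    return findings


# Constructed rule base modelled on the thread: a /28 DMZ, an internal LAN,
# WINS replication and browsing between them, plus the single ssh hole the
# reply suggests from an internal staging server to the DMZ.
DMZ_NET = "10.0.1.0/28"
INTERNAL_NET = "192.168.1.0/24"
SAMPLE_RULES = [
    rule("public-http", "0.0.0.0/0", DMZ_NET, "tcp", 80),
    rule("wins-replication", DMZ_NET, INTERNAL_NET, "tcp", 42),
    rule("netbios-name", INTERNAL_NET, DMZ_NET, "udp", 137),
    rule("smb-session", INTERNAL_NET, DMZ_NET, "tcp", 139),
    rule("staging-ssh", "192.168.1.10/32", DMZ_NET, "tcp", 22),
    rule("block-netbios-dgram", INTERNAL_NET, DMZ_NET, "udp", 138, "drop"),
]

if __name__ == "__main__":
    for name in netbios_crossing_rules(SAMPLE_RULES, DMZ_NET, INTERNAL_NET):
        print("NetBIOS/WINS crosses the firewall:", name)
```

On the sample rule base the ssh hole and the public web rule pass; the WINS replication, NetBIOS name and SMB session rules are reported.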