Frequently Asked Questions


The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the Ask the Author form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

1. Why can't I just write a policy? I know better than anyone does what our network needs.

Community involvement is essential. You cannot enforce a policy that is your personal opinion. Furthermore, it is likely you do not want the blame when something goes wrong. In addition, a policy that is too strict could encourage users to back-door the network and bypass the firewall.

2. We are pretty small and do not have legal counsel on staff. Is legal counsel a necessity in writing the policy?

It depends on your potential liability. A security policy can be the standard you are held to in court, so if there is a possibility that may happen, you should seek legal counsel.

3. My logs are filling up with a bunch of broadcast stuff. How do I filter it out?

You can write a rule that drops or accepts the broadcasts but does not log them. The rule will probably read: from any source, to destination Gateway, service NetBIOS, action Drop, with logging turned off. However, make sure this rule appears before the rule that logs them: the rule base is evaluated top down and the first matching rule wins, so a silent rule placed below the logging rule is never reached. NetBIOS is a common protocol to filter out because it is so noisy.
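The ordering point above, as an added example that is not from the book: a small Python first-match rule base in the style of FW-1, run over constructed packets, counting how many of them get logged when the silent NetBIOS rule sits above versus below a logging Stealth rule (the gateway address, rule names and packets are all constructed).

```python
# Added example (not from the book): a toy first-match rule base in the
# style of FW-1, showing why the no-log NetBIOS rule must sit above the
# logging rule. Rule names, addresses and packets are constructed.
from dataclasses import dataclass
from typing import Callable, List, Tuple

NETBIOS_PORTS = {137, 138, 139}   # NetBIOS name, datagram, session services

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "drop", "accept" or "reject"
    log: bool                         # whether a match writes a log entry
    match: Callable[[Packet], bool]   # predicate deciding if the rule applies

def is_netbios(p: Packet) -> bool:
    return p.proto == "udp" and p.dport in NETBIOS_PORTS

def evaluate(rulebase: List[Rule], packets: List[Packet]) -> List[Tuple[str, str, bool]]:
    """Top down, first match wins. Returns (rule name, action, logged) per packet."""
    results = []
    for p in packets:
        for r in rulebase:
            if r.match(p):
                results.append((r.name, r.action, r.log))
                break
        else:
            results.append(("cleanup", "drop", True))   # implicit cleanup rule, logged
    return results

def logged_count(rulebase: List[Rule], packets: List[Packet]) -> int:
    return sum(1 for _, _, logged in evaluate(rulebase, packets) if logged)

GATEWAY = "192.0.2.1"   # constructed gateway address
netbios_silent = Rule("netbios-nolog", "drop", False, is_netbios)
stealth = Rule("stealth", "drop", True, lambda p: p.dst == GATEWAY)

# Constructed sample traffic: two NetBIOS broadcasts and one Telnet probe.
SAMPLE = [Packet("192.0.2.10", GATEWAY, "udp", 137),
          Packet("192.0.2.11", GATEWAY, "udp", 138),
          Packet("192.0.2.12", GATEWAY, "tcp", 23)]

GOOD_ORDER = [netbios_silent, stealth]   # silent rule first: only the probe is logged
BAD_ORDER = [stealth, netbios_silent]    # silent rule never reached: everything logged

if __name__ == "__main__":
    print("good order logs", logged_count(GOOD_ORDER, SAMPLE), "of", len(SAMPLE))
    print("bad order logs ", logged_count(BAD_ORDER, SAMPLE), "of", len(SAMPLE))
```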

4. Where do I find all the firewall's configuration files?

They are located in $FWDIR/conf.

5. We are using some protocols that are not listed in the Services menu. They are custom and I do not know anything about them. What can I do?

Find out from the vendor the protocol and the destination and source port numbers. If this does not work, a search on the Internet will yield some results. Or you can set up a sniffer such as TCPDump or Ethereal to capture the traffic. One final method is to initiate the connection from a known IP address and filter SmartView Tracker to show only those connections. Once the service information is found, you can create the new service in SmartDashboard via the Services Management window.

6. How do I know my policy is working?

Using vulnerability assessment tools or port scanners, you can check your firewall to ensure it is properly configured. Good tools include Nmap, Nessus, or LANguard Network Scanner. A third-party audit is not only recommended, but is required by the government for certain industries.

7. What is the difference between a Drop and a Reject in the FW-1 rule base?

When the firewall drops a packet, it discards it into the bit bucket and does not respond to it in any way. When the firewall rejects a packet, however, it sends a Connection Refused (a TCP reset for TCP connections) back to the requesting client, thereby ending the connection attempt. If a Telnet connection is being dropped, for example, the client will wait until Telnet times out. If the Telnet connection is being rejected, however, the client gets a Connection Refused message right away and does not continue to try the connection. In most cases it is best to use Drop, because it is better that the firewall not respond to port scan requests at all than to let the scanner know that a device is there and refusing the connections.
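To see what a client actually observes under each action, here is an added example that is not from the book (it also serves the policy check in question 6): a Python probe that classifies one TCP connection attempt as accepted, rejected or dropped. The reject and accept cases use real sockets on the loopback interface; the drop case is simulated through an injected connect function, and the addresses are constructed.

```python
# Added example (not from the book): classify what a TCP client observes
# when a firewall rule accepts, rejects, or silently drops its connection.
import socket

def classify(host: str, port: int, timeout: float = 2.0,
             connect=socket.create_connection) -> str:
    """Return 'accepted', 'rejected' (RST / Connection refused) or
    'dropped' (no answer at all, so the client waits out its timeout).
    `connect` is injectable so the drop case can be exercised offline."""
    try:
        with connect((host, port), timeout=timeout):
            return "accepted"
    except ConnectionRefusedError:
        return "rejected"       # Reject action: the peer answered with a TCP RST
    except socket.timeout:      # alias of TimeoutError on Python 3.10+
        return "dropped"        # Drop action: silence until the client gives up

def _closed_local_port() -> int:
    """Bind an ephemeral port and release it so nothing is listening there."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo_reject() -> str:
    """A closed port is answered with RST by the OS, exactly like Reject."""
    return classify("127.0.0.1", _closed_local_port())

def demo_accept() -> str:
    """A listening socket completes the handshake, like an Accept rule."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return classify("127.0.0.1", srv.getsockname()[1])

def demo_drop() -> str:
    """Simulated Drop: the connect call never gets an answer and times out."""
    def silent_connect(addr, timeout):
        raise socket.timeout("no response from %s:%d" % addr)
    return classify("198.51.100.1", 23, timeout=0.1, connect=silent_connect)

if __name__ == "__main__":
    for name, fn in (("accept", demo_accept), ("reject", demo_reject), ("drop", demo_drop)):
        print(f"{name:7s} -> {fn()}")
```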





Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
