
RE: [FW1] Alerting-Features




<begin disclaimer>
As usual, and as with anyone else, there is a potential for what I think to
be the truth, to be wrong.  Please feel free to reply with your 'OH MY
GODS!' and other such distinguished claims of 'never heard something so
stupid, in all my years' as often as you please.  For I have no feelings,
and don't care what you think anyway...
<insert blast here>
On to whatever it was that I started to say...
<end disclaimer>

> Hi !

Hello
 
> Is FW-1 able to shutdown or deactivate the firewall if there 
> is an attack ? 

RealSecure is able to disable traffic from a particular remote host if it
senses an attack.
One of the coolest things I think I've ever seen (keep in mind, I am a
geek...) is watching the logs while a friend of mine ran a 'SATAN' like
attack (www.2600.com www.antionline.com) against my Firewall-1, while I was
on the phone with him.  I watched as pages full of 'drop - alert' IP packets
of every kind imaginable dropped at the gateway, in the form of red lines in
my log.  He was convinced that my routing tables were screwed because he
wasn't seeing ANYTHING.  He couldn't even believe that I had a network set
up on the external IP range that I gave him.
Meanwhile, intermingled with the thousands of red 'dropped' packets, was the
occasional green 'accept' line from my users surfing or the mail server
connecting to the ISP's gateway, unaware of the attempted intrusion.
Business as usual... the attack did nothing for them, but maybe hog up some
bandwidth, the idea is not to shut down, but to maintain your stealth and
make them give up.  More advanced techniques of hacking, like planting
sniffers on various interfaces would be harder to defend against, but also
take time and some fairly liberal access to plant.

> Does Alerting only work if the FW-1-Status-Window is active ? There
> should be a possibility to send automated eMails even if the 
> Status-Window is not
> active.

I've never set this up, but I imagine you could use sendmail and a batch
file along with the log and alert properties sheet to notify yourself of
anything.

> Are there any tools available (as freeware?) which you can use for
> managing Alerts ?

www.phoneboy.com has several links to resources, there is a GNU snmp manager
listed there as well.  There is more information here about Firewall-1 than
even Checkpoint maintains.  Phoneboy is also a regular in this group, pay
homage should you be graced with a response from his majesty.
www.bhs.com has a ton of free and shareware files, if phoneboy's offerings
don't suit you.  There are even some free smtp servers there, as well.

> Thanx !
> 
> Ralf

