The Firewall Hardening Guide v0.1 - Checkpoint Firewall-1 Specific Requirements - Log and alert

by Bret Watson [Published on 16 Oct. 2002 / Last Updated on 23 Jan. 2013]

Excessive Log Grace Period (sec)

This specifies the minimum amount of time between consecutive logs of similar packets. A higher value means less logging, and a higher risk of ‘losing’ important information.
If log analysis is being performed, lowering this value will improve the accuracy of the analysis when searching for portscanning attempts and when doing performance/usage analysis, because repeated packets are no longer collapsed into a single log entry.
This value should be experimented with; we recommend a setting of 30 seconds or lower if possible.
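To make the effect of the grace period concrete, the following Python simulation is an added example (it is not code from the original article or from Checkpoint). It assumes that ‘similar packets’ means packets with the same source, destination, protocol and destination port, takes 62 seconds as the high setting for comparison, and runs over constructed sample traffic rather than real firewall logs. It shows how the grace period hides a host that keeps retrying a dropped connection, and how that distorts a per-source usage count taken from the log.

```python
from collections import Counter
from typing import NamedTuple

class Packet(NamedTuple):
    t: float       # seconds since the policy was installed
    src: str
    dst: str
    proto: str
    dport: int

def similarity_key(p: Packet):
    # Assumed definition of "similar packets" for this example: same source,
    # destination, protocol and destination port.  The article does not state
    # the exact key Firewall-1 uses, so treat this as an assumption.
    return (p.src, p.dst, p.proto, p.dport)

def apply_grace_period(packets, grace_seconds):
    """Simulate the grace period: a packet is logged only if no similar packet
    was logged less than grace_seconds earlier.  Returns the surviving entries."""
    last_logged = {}
    survivors = []
    for p in sorted(packets, key=lambda x: x.t):
        k = similarity_key(p)
        if k not in last_logged or p.t - last_logged[k] >= grace_seconds:
            last_logged[k] = p.t
            survivors.append(p)
    return survivors

def attempts_per_source(entries):
    """What a usage/performance analysis would count from the log."""
    return Counter(e.src for e in entries)

# Constructed sample traffic (not real firewall logs):
#  - 10.9.9.9 retries a dropped telnet connection every 20 s for 3 minutes
#  - 10.7.7.7 sweeps ports 1-20 on the same target within two seconds
RETRIES = [Packet(20.0 * i, "10.9.9.9", "192.0.2.10", "tcp", 23) for i in range(10)]
SCAN = [Packet(100.0 + 0.1 * i, "10.7.7.7", "192.0.2.10", "tcp", i) for i in range(1, 21)]
SAMPLE = RETRIES + SCAN

def compare(grace_values=(62, 30, 0)):
    """Log entries and per-source attempt counts for each grace period setting."""
    result = {}
    for g in grace_values:
        kept = apply_grace_period(SAMPLE, g)
        result[g] = (len(kept), dict(attempts_per_source(kept)))
    return result

if __name__ == "__main__":
    for g, (n, per_src) in compare().items():
        print(f"grace={g:2d}s: {n:2d} of {len(SAMPLE)} packets logged, per source {per_src}")
```

With the assumed key, the 20-port sweep survives at every setting because each probe has a different destination port; what the grace period removes is the repeat rate of the retrying host (10 attempts become 3 at 62 seconds and 5 at 30 seconds), which is exactly what a usage analysis or a slow-probe detector needs to see.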

Popup Alert Command

This specifies the command to be executed when an alert is issued. The default value is acceptable unless another specific action is wanted.

Mail Alert Command

This specifies the command(s) to be executed when Mail is specified as the required alert action. Remember: it may take some time before the recipient receives a mail message, and the message must also be read, so mail is not a suitable channel for alerts that require an immediate response.
The default setting is to send mail to the local root account, which normally won’t exist on the system (…). If there is a system for transferring SMTP mail available, ‘root’ should be changed to ‘name-of-person-responsible@Company.com’. Note: on NT machines there is no mechanism by default for sending mail. One will have to be installed; this should be done before the firewall is installed, to reduce the possibility of vulnerable services being exposed.

SNMP Trap Alert Command

Specifies the command to be executed when SNMP is specified as the required alert action. Remember that SNMP and SNMP traps are UDP-based services and do not require a confirmation from the recipient of such an alert message, so a trap lost in transit is simply lost. The default value also sends such SNMP traps to ‘localhost’, which is the firewall system itself. This setting should be changed: instead of localhost, insert the IP address of an SNMP management station (such as CA Unicenter etc.).
Do not use DNS names, because doing so may allow an attacker to trick the firewall into sending the SNMP trap message to the wrong recipient station through failed or spoofed DNS information.

User Defined Alert Command

Specifies the command to be executed when “User-Defined” is defined as the required alert action.
This setting may be used for invoking third-party applications, such as pager messages or SMS messages to a cellular phone.

Anti Spoof Alert Command

Specifies the command(s) to be executed when alert is specified for anti-spoofing detection in the Network Interfaces section of the HOST PROPERTIES window.
Spoofing will normally be an attempt to trick the firewall into accepting a packet arriving on one interface and destined for another interface, where the IP packet seems legitimate because of a faked sender IP address (for example, a packet arriving on the external interface that claims an internal source address).
Attempts to use spoofed IP addresses should be detected by configuring anti-spoofing for every interface in the firewall configuration (Firewall-1 object definition – Interfaces), and should raise an alert when detected.
This value may contain an SNMP trap alert, an e-mail alert, or another third-party application/solution.
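The per-interface check that anti-spoofing performs, as an added Python example (not code from the article or from Checkpoint): each protected interface is given the address ranges that may legitimately appear as a source on packets arriving through it, and the external interface is treated as ‘others’, meaning any source that belongs to none of the protected ranges. The interface names, address ranges and sample packets below are constructed for the example and are assumptions, not taken from the article; the alert text is what a hypothetical Anti Spoof Alert Command would receive.

```python
import ipaddress
from typing import NamedTuple

# Constructed example topology (an assumption for this example): the address
# ranges that may legitimately be the *source* of a packet arriving on each
# protected interface.  The external interface is defined as "others", i.e.
# anything that does not belong to a protected interface.
PROTECTED = {
    "eth1": [ipaddress.ip_network("10.1.0.0/16")],    # internal LAN
    "eth2": [ipaddress.ip_network("192.0.2.0/24")],   # DMZ
}
EXTERNAL_IFACE = "eth0"

class Packet(NamedTuple):
    iface: str   # interface the packet arrived on
    src: str
    dst: str

def _belongs_to(addr, nets):
    return any(addr in net for net in nets)

def is_spoofed(pkt: Packet) -> bool:
    """True if the source address is not valid for the interface it arrived on."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface in PROTECTED:
        # Arriving on a protected interface: the source must lie in that
        # interface's own ranges.
        return not _belongs_to(src, PROTECTED[pkt.iface])
    if pkt.iface == EXTERNAL_IFACE:
        # Arriving from outside: the source must belong to none of the
        # protected ranges, otherwise someone is faking an inside address.
        return any(_belongs_to(src, nets) for nets in PROTECTED.values())
    # An interface without an anti-spoofing definition is a configuration
    # error; refuse to guess rather than silently accept.
    raise ValueError(f"no anti-spoofing definition for interface {pkt.iface}")

def antispoof_check(packets):
    """Return (accepted, alerts); alerts hold the text a hypothetical
    Anti Spoof Alert Command would receive for each dropped packet."""
    accepted, alerts = [], []
    for p in packets:
        if is_spoofed(p):
            alerts.append(f"antispoof: {p.src} -> {p.dst} arrived on {p.iface}, dropped")
        else:
            accepted.append(p)
    return accepted, alerts

# Constructed packets (not captured traffic).
SAMPLE = [
    Packet("eth0", "203.0.113.4", "192.0.2.10"),  # genuine internet client -> DMZ
    Packet("eth0", "10.1.5.5", "10.1.0.20"),      # internal address arriving from outside
    Packet("eth1", "10.1.5.5", "203.0.113.4"),    # internal host going out
    Packet("eth1", "203.0.113.4", "10.1.0.20"),   # outside address on the inside interface
    Packet("eth2", "192.0.2.9", "10.1.0.20"),     # DMZ host to LAN
    Packet("eth0", "192.0.2.9", "10.1.0.20"),     # DMZ address claimed from outside
]

if __name__ == "__main__":
    ok, alerts = antispoof_check(SAMPLE)
    print(f"{len(ok)} accepted, {len(alerts)} spoofed")
    for line in alerts:
        print(line)
```

The check has to be defined for every interface, as the article says: a packet arriving on an interface with no definition is rejected by the example rather than accepted, because a missing definition is precisely the gap a spoofed packet would use.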

User Authentication Alert Command

Specifies the command(s) to be executed when alert is specified for Authentication failure track in the Control Properties/Authentication window. If a user database is being managed and used in conjunction with Firewall-1’s user authentication abilities, this option should be properly configured to give some kind of alarm, such as SNMP traps, e-mail notification or third-party applications/solutions.

IP Options Drop Track

IP packets containing data in the options field will always be dropped (i.e. ignored) by Firewall-1, but such packets should be logged, or should also generate an alarm.
This value should be set to ‘log’, or in a high-security environment ‘alert’.

Log established TCP Packets

Enables logging of TCP packets that arrive for connections the firewall regards as already established (for example, connections set up before the policy was installed) or whose connection entries have timed out.
This option should be enabled.

Log ISAKMP negotiations

This option should be enabled.
This will enable logging of ISAKMP negotiations. By analyzing these log events, it will be possible to do usage monitoring.

Log encryption kernel events

This option enables logging of encryption kernel events. It may be disabled, as we see no immediate danger in not logging legitimate encryption events. It may be enabled for debugging purposes when troubleshooting encryption installations.

Enable Active Connections (This option has been removed from V4.x)

Enables live connections to be viewed from the Log Viewer for Firewall-1. This represents no security risk. This option should be enabled.
 
