WatchGuard FireBox v60 - Security Policy

Not familiar with WatchGuard's practice and need some enlightening :-) Any comments/suggestions are appreciated.

Policy (name)        Source  Destination    Service  In Interface
ALLOW_PING_FROM_PUB  ANY     INTERFACE_IPS  PING     1 (Public)

Does it mean that the policy allows the "public" or "untrusted network" to PING INTERFACE_IPS? By the way, is INTERFACE_IPS intrusion prevention, or something else?

SMTP_IN              ANY     MAIL_SERVER    SMTP     1 (Public)

Does it mean that mail from anyone can be forwarded to the mail_server using the public interface?

Many thanks in advance.

Reply to
a_monk

Sir/Madam;

Please pardon my ignorance. I am still not clear whether these policies are properly configured. I "nessused" its external IP addresses, and nothing was found!?

Further instructions are appreciated.

Thanks,

Reply to
a_monk

I don't have a V unit, but I have about every other unit they make.

In general, you allow SMTP inbound to the email server IP from External and Trusted. This lets people outside your network SEND you email, and also lets your copier/fax/scanner (inside your network) send documents to users' email boxes (provided your copier/scanner does that).

You don't need SMTP inside the network for clients if they use Exchange/Outlook.

Not sure about the IPS.

You also need to allow SMTP outbound from your SMTP server, but not from your workstations.

Reply to
Leythos
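How such a policy table is read, as an added example that is not WatchGuard's code nor anything posted in the thread: a small Python first-match evaluator over the two rows from the original post plus the outbound SMTP row Leythos describes. All addresses, the membership of the INTERFACE_IPS and MAIL_SERVER aliases, and interface 0 as Trusted are constructed assumptions.

```python
from collections import namedtuple

# Hypothetical addressing, constructed for this example: interface 1 is Public
# (as on the page); treating interface 0 as Trusted is an assumption.
PUBLIC_IF_IP = "203.0.113.1"
TRUSTED_IF_IP = "192.168.1.1"
MAIL_SERVER_IP = "192.168.1.25"

# Address aliases as they appear in the policy table; their membership is constructed.
ALIASES = {
    "ANY": None,                                     # None = matches every address
    "INTERFACE_IPS": {PUBLIC_IF_IP, TRUSTED_IF_IP},  # the firewall's own interface addresses
    "MAIL_SERVER": {MAIL_SERVER_IP},
}
# Service name -> (protocol, destination port); PING has no port.
SERVICES = {"PING": ("icmp", None), "SMTP": ("tcp", 25)}

# One policy row with the same columns as the table in the original post.
Policy = namedtuple("Policy", "name source destination service in_interface")
# A packet as the filter sees it: addresses, protocol, port and arriving interface.
Packet = namedtuple("Packet", "src dst proto dport in_interface")

def _alias_matches(alias, addr):
    members = ALIASES[alias]
    return members is None or addr in members

def evaluate(policies, pkt):
    """Return the name of the first policy that allows pkt, else 'DENY' (default deny)."""
    for p in policies:
        proto, port = SERVICES[p.service]
        if (p.in_interface == pkt.in_interface
                and _alias_matches(p.source, pkt.src)
                and _alias_matches(p.destination, pkt.dst)
                and (proto, port) == (pkt.proto, pkt.dport)):
            return p.name
    return "DENY"

# The two rows from the original post, plus the outbound rule Leythos describes:
# source limited to the mail server, arriving on the Trusted interface (assumed 0).
POLICIES = [
    Policy("ALLOW_PING_FROM_PUB", "ANY", "INTERFACE_IPS", "PING", 1),
    Policy("SMTP_IN", "ANY", "MAIL_SERVER", "SMTP", 1),
    Policy("SMTP_OUT", "MAIL_SERVER", "ANY", "SMTP", 0),
]

if __name__ == "__main__":
    probe = Packet("198.51.100.7", PUBLIC_IF_IP, "icmp", None, 1)  # constructed outside host
    print(evaluate(POLICIES, probe))  # ALLOW_PING_FROM_PUB
```

Running the evaluator shows the practical reading of the rows: pings and SMTP from the Public side reach only the interface addresses and the mail server respectively, and outbound SMTP is accepted from the mail server but not from a workstation.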

I can't tell if they are properly configured without seeing the rules. You should send your firewall config file to WatchGuard (as you bought support) and ask them what your exposure issues are.

Reply to
Leythos

He has absolutely nothing to worry about, because "...most firewall appliances are not easy to misconfigure such that your network is easy to compromise", this is a direct quote from you. After all, he's using a Watchguard product, and it's (another direct quote) "something you can't screw-up". Right? I'm not trying to start a flame-war, or a troll-fest, but do you realize how stupid those statements look?

It's _not_ the interface, it's the _person_ that makes mistakes. I feel quite comfortable setting up Linux and IPTables, but much like the OP, I wouldn't feel comfortable at all with Watchguard's interface. For that matter, I never have preferred the IPCop/Smoothwall/${IPTables-GUI-frontend} interfaces either.

IMHO, it's what one is comfortable with and knowledgeable about. For me, it's IPTables, and for you, Watchguard, and I think that's great. Please just don't write off those of us who know what we're doing, and prefer to "roll-your-own", as incompetent idiots who are more likely to misconfigure our firewalls.

My apologies to the OP for hijacking this thread, but this thread presented the perfect opportunity to clear up some misconceptions.

Reply to
Micheal Robert Zium

Only if you don't remember that there are always exceptions to the rules/comments - if you take it as gospel then you would think they were stupid.

It's both - as a programmer for Human Users, it's more of the Human interface that makes or breaks an application.

To be honest, based on screen-shots I was sent in email, I don't feel comfortable with it either (at least the parts I was sent), but, if I had a manual and 10 minutes with it I could figure it out easy enough.

And that's the major problem - people can either get an appliance that is well documented (as long as they can read) and set up a secure network, in general, or they can set up a patch-your-own solution and hope it's secure/right. Again, unless you're talking about Security types, people that can already secure an XP machine so that it can be directly connected to the net without threat, you need to consider the level of skill/experience of the user/setup person.

The problem is that neither he nor I have used the V60 series, and I don't want to ask for enough information to be able to determine if it's set up correctly - once I had enough info, I could easily be a hacker, and do what I want with it.

The "easy to set up without a mistake" point is still true: the firewall has rules, manuals, etc., even provides default rules based on services, and they are set up securely - where you run into problems is when people want to route or do non-firewall things with a firewall.

So, I stand with my statements - and you know as well as I, there are always exceptions, and this would be one. In most cases, as in the 50+ I have installed at clients, the setup was more secure after 10 minutes than any workstation/firewall setup was after an hour.

Reply to
Leythos

No, it's exactly the opposite. People can either buy an off-the-shelf "security appliance" and plug it in and hope for the best, or they could install their own solution and know it's done right. Appliances are too easy to misconfigure.

Reply to
Micheal Robert Zium

I agree, appliances are just as easy to misconfigure as they are to configure. On the other hand, some roll-your-own solutions are just as easy. It's the person, not the interface.

Reply to
Micheal Robert Zium

Not quite, in most cases, I would say 90%, appliances are easy to configure. In the case of home/SOHO appliances, the interfaces are very easy to use and understand, which is not the case for most roll-your-own solutions.

The V60 is an enterprise class firewall, it's not in the same area as what you've been talking about.

Reply to
Leythos
