topic Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client in Spark Firewall (SMB)

Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Thu, 23 Mar 2023 08:28:57 GMT

Good morning,

I'm telling you my problem, let's see if someone can help me, in a backup center we have installed 2 FWs checkpoint model 1800 splunk smb, gaia embedded R80.20.35, the problem is that in the global properties there is a rule for default "image attached" and it is a frist rule and cannot be modified unless you disable it, this rule exposes services to the outside and represents a serious security problem, not if this is given by the dropbear program, but our SOC alerted of services exposed through the shodan page, can you think of how this can be changed? Is the only option is to disable that rule? Even if I put a drop rule first in the Firewalls, this rule will be implicit. Thank you all for your time.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

_Val_ — Thu, 23 Mar 2023 09:20:17 GMT

How is it a security risk? Those are management interfaces for your appliance, and only authenticated admin accounts can connect to them.

If you want to disable this implied rule, create an explicit rule with Source IPs assigned to your dedicated admin devices and put it on top of your policy.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Thu, 23 Mar 2023 09:47:52 GMT

Hi Val

When you have enabled that rule, which is an implicit rule and in accept, they appear published for the Firewall that we have output to intenert the public IP and my security team was able to connect via web and via ssh to this firewall until it disables the rule this does not change and puts between parenthesis small office appliance, as are these models. The rule says accept web and ssh connections for administration.

My security partner was connected to the appliance from outside our infrastructure.

Or can it be due to the dropbear he has running?, The truth is that I do not understand what is happening, but if I am clear that when I disable that rule my security colleagues no longer came from outside.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

_Val_ — Thu, 23 Mar 2023 10:34:48 GMT

Once again, I do not really understand the concern. You can actually configure the management access and disable it on the WAN interface while still allowing it from internal networks. But say someone is trying to connect to the appliance from outside your networks. There is still an authentication to do before the access is granted.

What are you trying to achieve?

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Thu, 23 Mar 2023 14:22:19 GMT

Thank you for your answers and your time, apparently the problem came through port 264, I have already been reading several cases about this. And the security group understood that it is normal behavior.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Chris_Atkinson — Thu, 23 Mar 2023 15:40:29 GMT

"Accept Remote Access Control Connections" setting is one option to negate this but due diligence is required if Check Point is used for remote access here.

As you say plenty of SK articles available on this and related topics otherwise.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Thu, 23 Mar 2023 15:45:57 GMT

I prefer not to touch that rule at the moment, if it creates confusion for me that I had to disable the other implicit rule for ssh access and web access, it is in the image of my first query, in the end I don't know if it is an appliance configuration issue. Or is it due to the firewall model, but I think switching to these appliances was not a good idea.

Thank you.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Chris_Atkinson — Fri, 24 Mar 2023 11:12:16 GMT

Sorry like @_Val_ says I don't understand what your concern is?

These are global properties mostly irrespective of appliance model/type.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Thu, 23 Mar 2023 15:58:59 GMT

Let's see how I commented in my first comment, My security group alerted me that the appliance was accessible via the web and via ssh from outside, I know that later you have to have a username and password, but there are attacks to access it. And our device came out public in shodan as vulnerable via ssh and via the web and I had to disable the implicit rule that I commented in the first post. I don't know if it is a configuration issue of the WAN interface of the equipment or why this behaviour. This device was exchanged two months ago for another checkpoint model and this did not happen with that model.

Thank you.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Chris_Atkinson — Thu, 23 Mar 2023 16:15:56 GMT

If the previous model was an appliance running full GAiA that setting wouldn't have applied before.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Thu, 23 Mar 2023 16:21:02 GMT

The previous model was a checkpoint 12200, it has been changed to a splunk 1800 model with gaia embedded. Are you referring to this? I don't understand your answer.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Chris_Atkinson — Thu, 23 Mar 2023 22:42:49 GMT

Correct 1800 (GAiA embedded) is classified as small office gateway hence why the setting now applies and didn't before.

(Note: Spark not splunk)

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Thu, 23 Mar 2023 16:26:13 GMT

Thanks, that's why I had to disable that implicit rule, can you think of another way so that this doesn't happen without disabling that rule? I understand that no, but I ask you, thanks for your time.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

_Val_ — Thu, 23 Mar 2023 16:52:18 GMT

I am sorry, but this statement is not okay: "...but there are attacks to access it". What are you referring to?

If you know how to log into the appliance without a valid account, it should be reported as a vulnerability through appropriate channels.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

the_rock — Thu, 23 Mar 2023 17:37:50 GMT

Hey Luis,

As the guys said, it is somewhat confusing what your concern here is. Just so we can help you properly, can you maybe attach simple diagram or drawing of what exactly you are trying to do? Nothing too fancy, but at least paint drawing that can help us understand this better.

If you want to keep that option off, you can follow below article, which is literally what @_Val_ indicated in his very first response:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106251&srcFavorites=favorites

Andy

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Chris_Atkinson — Thu, 23 Mar 2023 22:32:39 GMT

Change the setting to 'before last' rather than first and create rules in the policy itself per your requirements for the access behaviour you desire. But again I'm not sure why this is relevant If you don't want the access to succeed.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

the_rock — Thu, 23 Mar 2023 22:39:22 GMT

To add to what @Chris_Atkinson said, all you need to know is below:

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

Luis1980 — Fri, 24 Mar 2023 08:30:36 GMT

I'm sorry I expressed myself badly, I don't know any vulnerability, I mean already known methods, brute force for example.

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

_Val_ — Fri, 24 Mar 2023 10:57:44 GMT

My concern is that the topic-starter claims external access to WebUI/SSH presents a security risk and makes his system vulnerable. Open ports by themself do not actually represent a security risk unless there is a way to break in without knowing admin credentials.

Or are you asking about something else?

Re: Problem with implicit rule in SMB Firewall and use of dropbear as ssh client

_Val_ — Fri, 24 Mar 2023 11:05:36 GMT

Once again, this risk, however small, can be mitigated by setting up IP addresses for admin access. Please refer to the specific chapter in the admin guide, for example: https://sc1.checkpoint.com/documents/SMB_R80.20.50/AdminGuides/Locally_Managed/EN/Topics/Configuring-Administrator-Access.htm?Highlight=admin