fdhfdshs5454
Participant

Default implied policy exposes SMS services to attackers on the internet

Hello,

The SMS is published on the internet using automatic NAT on the SMS object.

We defined firewall policy rules to allow traffic to the SMS from some IPs (remote gateways) and deny it from everywhere else.

Today, we found out that some ports are accessible from ANY IP on the internet.
So any attacker can bypass our firewall policy rules and access some ports on the SMS.
We are afraid attackers could try to exploit SMS over these ports.

We found several vulnerable customers.

We found logs showing that this traffic is matching implied rules.
The relevant implied rule seems to be located in "Global Properties" > Firewall > "Accept control connections".

It's a GLOBAL setting that controls firewalling for gateway<->SMS traffic, as well as RAVPN_CLIENT->Gateway traffic, S2S VPN IKE traffic, and specific Check Point "hacks" (which need editing user.def) for specific services...
- https://support.checkpoint.com/results/sk/sk179346
- https://support.checkpoint.com/results/sk/sk17745

This setting is enabled by DEFAULT.

We wanted to disable it but are afraid of the impact it might have.
sk179346 says "Warning - We recommend to configure and use the Implied Rules in SmartConsole and not disable them.".
Indeed, when looking at everything that needs to be done to replace this setting (firewall policy rules, user.def, S2S VPN excluded services...) we are afraid we will miss something, or that something is missing in the SK.

So here are our questions:
1. Has someone here already done this setup?
2. Does someone know whether these implied rules can be disabled ONLY for the SMS and not GLOBALLY?
3. Does someone know whether there is a way to disable this setting ONLY for MANAGEMENT services and not for VPN-related services?

Thank you.

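The check the original poster describes (SMS control ports reachable from sources outside the approved gateway list, logged as matching an implied rule rather than the explicit policy) can be automated over an exported log. The script below is an added example, not code from this thread or from Check Point: the key="value" line layout, the field names (src, dst, service, action, rule_name), the SMS NAT address, the approved ranges and the sample log lines are all constructed assumptions, and the watched port set is a list to verify against what your own SMS actually listens on.

```python
"""Added example (not from the CheckMates thread or Check Point).

Audit exported firewall log lines for accepted control connections to the
SMS from sources outside the approved remote-gateway list.

Assumptions to adapt to your environment:
  * lines are key="value" pairs (a constructed approximation of a key/value
    log export; the field names are assumed, not any exporter's contract);
  * SMS_CONTROL_PORTS is the set of SMS control ports to watch (verify on
    your own SMS before relying on it).
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Destination ports to watch on the SMS (assumption: verify on your own SMS).
SMS_CONTROL_PORTS = {257, 18190, 18191, 18192, 18209, 18210, 18211, 18264}

# Parses key="value" pairs; anything not in that shape is ignored.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

SMS_IP = "203.0.113.5"  # constructed public NAT address of the SMS
APPROVED_SOURCES = ["198.51.100.0/28", "203.0.113.200/32"]  # constructed remote gateway ranges

# Constructed sample log export (not real Check Point output).
SAMPLE_LOG = [
    'time="2024-05-01 10:00:01" src="198.51.100.3" dst="203.0.113.5" service="18191" action="Accept" rule_name="Implied rule"',
    'time="2024-05-01 10:00:02" src="192.0.2.44" dst="203.0.113.5" service="18191" action="Accept" rule_name="Implied rule"',
    'time="2024-05-01 10:00:03" src="192.0.2.44" dst="203.0.113.5" service="443" action="Drop" rule_name="Cleanup rule"',
    'time="2024-05-01 10:00:04" src="192.0.2.99" dst="203.0.113.5" service="18210" action="Accept" rule_name="Implied rule"',
    'time="2024-05-01 10:00:05" src="192.0.2.99" dst="203.0.113.5" service="https" action="Accept" rule_name="Web access"',
    'time="2024-05-01 10:00:06" src="192.0.2.99" dst="203.0.113.9" service="18191" action="Accept" rule_name="Implied rule"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key="value" log line into a dict of its fields."""
    return dict(_KV_RE.findall(line))


def find_exposures(lines: Iterable[str], sms_ip: str, approved: List[str]) -> List[Dict[str, str]]:
    """Return accepted connections to a watched SMS port from non-approved sources."""
    approved_nets = [ipaddress.ip_network(n) for n in approved]
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "Accept" or f.get("dst") != sms_ip:
            continue
        # Named services are skipped here; map them to ports if your export uses names.
        if not f.get("service", "").isdigit():
            continue
        if int(f["service"]) not in SMS_CONTROL_PORTS:
            continue
        try:
            src = ipaddress.ip_address(f.get("src", ""))
        except ValueError:
            continue  # malformed or missing source address
        if any(src in net for net in approved_nets):
            continue  # expected remote gateway
        findings.append({
            "time": f.get("time", "?"),
            "src": str(src),
            "port": f["service"],
            "rule": f.get("rule_name", "?"),
        })
    return findings


if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG, SMS_IP, APPROVED_SOURCES):
        print(f'{hit["time"]} {hit["src"]} -> tcp/{hit["port"]} accepted by "{hit["rule"]}"')
```

Run against the constructed sample, the two hits are the accepted control connections from 192.0.2.44 and 192.0.2.99; the approved gateway, the dropped connection, the named service and the connection to a different destination are all skipped. Feeding it a real export is a quick way to confirm whether the exposure the poster describes exists before deciding what to do about the implied rules.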
4 Replies
Chillyjim
Participant

1. Yes

2 & 3, I don't know, but I don't think so.

4. Don't do it. Ask your SE for all the reasons why not to and how to explain them to the auditors. 

Seriously, disabling implied rules has always come back to bite me and my customers over the years (and that's a lot of them). All communication over the management ports is encrypted and authenticated (via SIC). 

the_rock
Legend

I totally agree with that. I would NOT disable implied rules (ever), UNLESS TAC says so in an email through an official case. I find it's way too risky and can lead to really bad problems...been there, done that.

Andy

Duane_Toler
Advisor

+1 @Chillyjim 

+1 @the_rock 

Don't do this. In the olden days you could, and get away with it, but now... don't. I used to disable them myself, but now it's too easy to cause problems fast. Don't do it.

While these ports may be open, the management server is smart enough to not accept full connections from just anywhere for these management services.  The server internally checks for valid sources that "should" be connecting to these services.  These are also protected by Check Point's "Secure Internal Communication" (SIC) protocol which is a TLS-wrapped connection requiring X.509 certificates. The certificates are issued, and managed, by the management server itself.  That's how the server "knows" what should be connecting.


the_rock
Legend

I only ever had 2 customers ask me about it and I told them without any hesitation I would not do it, unless TAC specifies the reason via the case and it's 100% clear why we are doing it, that's it.

Luckily, we did not have to do it in the end. I am with you @Duane_Toler when you say it's easy to cause problems now in doing so, absolutely true.

And even worse than that, sometimes coming back from those problems is not as easy as reverting the changes.

Andy

