This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stefano_Chiesa
Explorer
‎2018-10-25 02:14 AM
Jump to solution

SPLAT R75.40 - disable TCP / ICMP timestamp

We were under audit and one of the finding is a TCP and ICMP timestamp response vulnerability/risk. The auditors recommend to turn TCP and ICMP timestamp off.

Does someone know how to do it and if there will be some "side effects"?

Thanks in advance.

Stefano.

0 Kudos
1 Solution

Accepted Solutions
Danny
MVP Platinum
MVP Platinum
‎2018-10-25 05:01 AM
Jump to solution

HI Stefano,

you can find all timestamp services via the integrated search function of your SmartDashboard:

You've probably allowed icmp pings by permitting the entire icmp protocol suite, including timestamps:

Just replace icmp-proto with echo-request like this:

I wonder why your internal audit didn't note that R75.40 is a version that went out of support in April 2016. You should consider upgrading to a more recent release, such as R77.30 or higher.

View solution in original post

6 Replies
Danny
MVP Platinum
MVP Platinum
‎2018-10-25 05:01 AM
Jump to solution

HI Stefano,

you can find all timestamp services via the integrated search function of your SmartDashboard:

You've probably allowed icmp pings by permitting the entire icmp protocol suite, including timestamps:

Just replace icmp-proto with echo-request like this:

I wonder why your internal audit didn't note that R75.40 is a version that went out of support in April 2016. You should consider upgrading to a more recent release, such as R77.30 or higher.

Stefano_Chiesa
Explorer
‎2018-10-25 05:06 AM
In response to Danny
Jump to solution

Hi Danny, thanks for the greetings.

0 Kudos
Stefano_Chiesa
Explorer
‎2018-10-25 07:12 AM
In response to Danny
Jump to solution

Thanks a lot Danny, I'll try this solution.

Let me say that the most up-to-date clusters are R75.40 but there is a R65 HFA 70 cluster in production too.. Smiley Sad

Thanks again.

Stefano.

0 Kudos
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2018-10-25 10:29 AM
In response to Stefano_Chiesa
Jump to solution

Hi Stefano,

I do a lot of security audits at our company. I think the timstamp problem is the smallest.

The following vulnerabilities should occur with R65HFA 70 and possibly R75.40:

- SHA1 vulnerabilities

- RC4 vulnerabilities

- poodle vulnerabilitys

and and and

I agree with Danny here. I should urgently upgrade the systems to R77.30 or higher.

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Itri
Explorer
‎2024-06-30 11:27 PM
In response to Danny
Jump to solution

Hi. Any idea how to disable the same but on MDS smart center or log server, for local vulnerability scanner, where there is no firewall in between? 
Edit: Have also some Eventia Reporter servers with same "issue", for which I can not even open smart console directly.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-01 11:50 AM
In response to Itri
Jump to solution

That requires disabling them at the OS level.
For TCP timestamps: sysctl -w net.ipv4.tcp_timestamps=0
For ICMP, I'm not sure it's relevant or not and would recommend engaging TAC: https://help.checkpoint.com 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events