Re: OT: WatchGuard questions



Well, that's quite impressive! How about false positives?

Do you have any experience with SpamBlocker and POP3 accounts?

Gregg Hill




"Colin" <Colin@xxxxxxxx> wrote in message
news:B0CE9F6B-2F53-44FE-8B7B-CF847C32D6EC@xxxxxxxxxxxxxxxx
Hi Gregg,

I use the spam filtering and it is this that my clients first started
shouting about - spam dropped by around 85 - 90% overnight. One log shows
that for the past 6 months, over 40,000 spam messages have been blocked. I
use spamblocker on my own Edge and haven't had a single spam email come
through in 8 months. The AV scanner is based on Clam AV - I'm not a big
fan of this (I'd like WG to use Kaspersky as do Juniper/Netscreen) but it
has blocked a few viruses so it's doing its job.

Regards Colin.

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote
in message news:um3xqinrIHA.3632@xxxxxxxxxxxxxxxxxxxxxxx
Wow...that's a lot to get started! Thank you!

Gregg Hill



"Leythos" <void@xxxxxxxxxxx> wrote in message
news:MPG.2287e4a1aa44975b9897a9@xxxxxxxxxxxxxxxxxxxx
In article <ehkdT8hrIHA.4544@xxxxxxxxxxxxxxxxxxxx>, "Gregg Hill"
<greggmhill at please do not spam me at yahoo dot com> says...
Now to go drain my brain so that I can try to learn this thing (my
first WG experience). My main concerns are 1) blocking web surfing by
department (managers get lightly restricted access (no porn!), factory
workers get extremely restricted),

You need to set up managers/workers by IP address on the network, you do
this by creating DHCP reservations for the managers' systems and not
using reservations for the rest.

So, in a scope where DHCP is assigned 192.168.8.100-199

Manager 1 PC, 192.168.8.199
Manager 2 PC, 192.168.8.198
Manager 3 PC, 192.168.8.197.... working backwards

Create 2 HTTP rules, one with web blocker set for 192.168.8.100-19x
(last unused DHCP Scope rule not part of a reservation), and set to max
restrictions, the second one is limited to 192.168.8.199-19x (the lowest
reservation in use) and then set up WB restrictions as needed.

You can do one better by adding the USER account for each manager to
the second HTTP rule also - so that they can get their settings from any
computer in the network by authenticating with the firewall first.

You need a third, unblocked HTTP rule for servers so that they can get
updates.

2) opening only necessary outbound ports,

This one is not as easy to describe - REMOVE THE OUTBOUND RULE, it's a
bad thing in my opinion.

My Base rule set, outbound, has the following:

DNS - outbound only from DNS server in LAN
Filtered HTTP from any LAN to specific subnets (for updates)
SMTP - outbound from SMTP Server only
HTTPS - outbound from any
NNTP - as needed
NTP - as needed
PING - outbound from servers and managers
Remote-Desktop - as needed, if needed, for branch offices
Traceroute - as needed
Whois - as needed
...
Optional rules for outbound:
PPTP, IPSec passthrough
Citrix ports
PcAnywhere Ports
VNC non-standard ports
non-standard HTTP ports (8000, 8080)...


and 3)
requiring firewall logon before accessing TS (I think it was you who
mentioned this additional security...and I like it).

We create user accounts in the firewall, users have no control over
them. Create a GROUP called RD_AUTH_GROUP and add the users to that
group (firewall authentication group, not active directory).

Create a rule that looks like this:

Remote-Desktop, TCP 3389, INBOUND (RD_AUTH_GROUP)
PUBLIC IP 1 > 192.168.8.15 (terminal server 1)
PUBLIC IP 2 > 192.168.8.16 (terminal server 2)

Now, create public DNS records for this:

firewall.company.com (your firebox Public IP)

remote1.company.com (first public IP you map to first TS)
remote2.company.com (second public.. to second TS)

when users want in, they will:

HTTP://firewall.company.com:4100

and authenticate with the firewall FIRST

next they open remote desktop and connect to

remote1.company.com

and they use their domain user/password, and they are in.

This works for Linux, Windows, never tried a Mac, 2000, XP, Vista, and
even Wyse Thin Client terminal boxes.

I will dig into its spam filtering later.

Do you use the spam filtering capability? They claim that SpamBlocker
has very few false positives because it looks at global patterns to
determine what is spam.

I use GFI Mail Security and Essentials and IMF, but I have a number of
clients that are testing the WG Bundle AV/Spam... stuff and seem to like
it.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
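The three pieces of Leythos's design above (manager/worker split by reserved DHCP address, a base outbound rule set with no catch-all, and an inbound Remote Desktop rule gated on firewall authentication) are easier to reason about as one ordered, first-match policy. The following Python is an added example written for this thread, not code from the posts or from WatchGuard: it models that policy and runs constructed flow records through it so you can see which rule each flow hits and which flows the default deny drops. The DHCP scope, the manager reservations working down from .199, the RD_AUTH_GROUP group and the terminal server addresses come from the post; the DNS/SMTP server addresses, the server block, the vendor update subnet, the log line format, and the way authenticated sessions are tied to a source IP are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple

IP = ipaddress.IPv4Address

# Addressing modelled on the post: DHCP scope .100-.199, manager PCs reserved
# working down from .199. The server addresses, server block and update
# subnet below are assumptions for this example, not from the post.
DNS_SERVER = ipaddress.ip_address("192.168.8.10")        # assumed
SMTP_SERVER = ipaddress.ip_address("192.168.8.11")       # assumed
TERMINAL_SERVERS = {ipaddress.ip_address("192.168.8.15"),
                    ipaddress.ip_address("192.168.8.16")}  # from the post
UPDATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # assumed vendor update range
WORKERS = ("192.168.8.100", "192.168.8.196")   # unreserved part of the scope
MANAGERS = ("192.168.8.197", "192.168.8.199")  # reservations; .197 is the lowest in use
SERVERS = ("192.168.8.2", "192.168.8.30")      # assumed static server block

# Source matchers see the source IP plus the firewall-auth groups of whoever
# is logged in from that IP (empty set if nobody authenticated at :4100).
def from_range(lo, hi):
    lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
    return lambda ip, groups: lo <= ip <= hi

def from_host(host):
    return lambda ip, groups: ip == host

def from_range_or_group(lo, hi, group):
    by_ip = from_range(lo, hi)
    return lambda ip, groups: by_ip(ip, groups) or group in groups

def from_group(group):
    return lambda ip, groups: group in groups

def anyone(ip, groups):
    return True

def to_any(ip):
    return True

def to_hosts(hosts):
    return lambda ip: ip in hosts

def to_nets(nets):
    return lambda ip: any(ip in n for n in nets)

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                         # "out" or "in"
    proto: str
    port: int
    src: Callable[[IP, Set[str]], bool]
    dst: Callable[[IP], bool]
    action: str                            # what happens on match

# Ordered, first match wins; anything unmatched is dropped, which is the
# effect of removing the catch-all "Outbound" rule.
RULES: List[Rule] = [
    Rule("DNS", "out", "udp", 53, from_host(DNS_SERVER), to_any, "allow"),
    Rule("SMTP", "out", "tcp", 25, from_host(SMTP_SERVER), to_any, "allow"),
    Rule("HTTP-servers", "out", "tcp", 80, from_range(*SERVERS), to_nets(UPDATE_NETS), "allow, no WebBlocker"),
    # Managers match by reserved IP or by firewall login from any PC; placed
    # before the worker rule so an authenticated manager on a shared PC is
    # not caught by the stricter rule first.
    Rule("HTTP-managers", "out", "tcp", 80, from_range_or_group(*MANAGERS, "MANAGERS"), to_any, "allow, WebBlocker light"),
    Rule("HTTP-workers", "out", "tcp", 80, from_range(*WORKERS), to_any, "allow, WebBlocker strict"),
    Rule("HTTPS", "out", "tcp", 443, anyone, to_any, "allow"),
    Rule("Remote-Desktop", "in", "tcp", 3389, from_group("RD_AUTH_GROUP"), to_hosts(TERMINAL_SERVERS), "allow"),
]

Flow = Tuple[str, IP, IP, str, int]

def parse_flow(line: str) -> Flow:
    # Constructed log format for this example: "<in|out> <src> <dst> <proto> <port>"
    direction, src, dst, proto, port = line.split()
    return direction, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)

def evaluate(flow: Flow, sessions) -> Tuple[str, str]:
    """Return (rule name, action) for the first matching rule, else the default deny."""
    direction, src, dst, proto, port = flow
    groups = sessions.get(src, set())
    for r in RULES:
        if (r.direction, r.proto, r.port) == (direction, proto, port) and r.src(src, groups) and r.dst(dst):
            return r.name, r.action
    return "default", "deny"

def audit(lines, sessions):
    """Evaluate every log line; returns [(line, rule, action), ...]."""
    return [(line,) + evaluate(parse_flow(line), sessions) for line in lines]

def denied(lines, sessions):
    """Lines the default deny would drop: worth a look in the logs (a
    workstation speaking SMTP or DNS directly is a classic sign of trouble)."""
    return [line for line, rule, _ in audit(lines, sessions) if rule == "default"]

# Constructed sample flows (TEST-NET addresses stand in for the Internet).
SAMPLE_LOG = [
    "out 192.168.8.10 203.0.113.53 udp 53",    # DNS server resolving: allowed
    "out 192.168.8.120 203.0.113.53 udp 53",   # worker PC doing its own DNS: dropped
    "out 192.168.8.120 203.0.113.25 tcp 25",   # worker PC sending SMTP directly: dropped
    "out 192.168.8.120 203.0.113.80 tcp 80",   # worker web: strict WebBlocker
    "out 192.168.8.198 203.0.113.80 tcp 80",   # manager's reserved PC: light WebBlocker
    "out 192.168.8.130 203.0.113.80 tcp 80",   # manager logged in on a shared PC: light
    "out 192.168.8.5 198.51.100.5 tcp 80",     # server fetching updates: unfiltered
    "out 192.168.8.5 203.0.113.80 tcp 80",     # server browsing elsewhere: dropped
    "in 203.0.113.77 192.168.8.15 tcp 3389",   # RDP without firewall login: dropped
    "in 203.0.113.88 192.168.8.15 tcp 3389",   # RDP after firewall login: allowed
    "out 192.168.8.120 203.0.113.80 tcp 443",  # HTTPS from anywhere: allowed
]
# Constructed firewall auth sessions: source IP -> groups of the logged-in user.
SESSIONS = {
    ipaddress.ip_address("203.0.113.88"): {"RD_AUTH_GROUP"},
    ipaddress.ip_address("192.168.8.130"): {"MANAGERS"},
}

if __name__ == "__main__":
    for line, rule, action in audit(SAMPLE_LOG, SESSIONS):
        print(f"{line:45} -> {rule}: {action}")
```

Rule order is the part to get right on the real box: the manager rule must sit above the worker rule or the IP-range match wins before the authenticated-user match is considered, and every service not listed falls through to the drop, which is exactly why the post says to remove the blanket outbound rule.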