Subject: Re: [FW-1] User authentication mechanism[s]
From: Matthias Leu <mleu AT AERASEC DOT DE>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 23 Dec 2003 21:53:33 +0100
Security Guy wrote:
...
+ allows a user from anywhere to gain access to the terminal server
+ no need to define an end user IP

- Allows anyone to telnet to the firewall
- yet another password and ID to manage

Hi,
when using Client-Authentication combined with a Stealth-Rule, you need
to put the Client-Auth-Rule before the Stealth-Rule. Then, the access is
allowed implicitly. Or, you put it behind the Stealth-Rule and accept
the whole Internet to connect to your Firewall's port 259...
If using HTTP it's the same problem with cleartext. Maybe SSL helps?
Further information: http://www.fw-1.de/aerasec/ng/client-auth-ssl.html
Here, the Firewall is authenticated by a certificate, the authentication
of the user is the same. What if you are using RADIUS or something else?
Another solution might be to deploy User Authority from Check Point.
Btw., the pages for HTTP/HTTPS can be changed. They are located in
$FWDIR/conf/ahclientd. The port (telnet or HTTP) can also be changed,
see the document above.
Hope it helps,
best regards,
Matthias
http://www.fw-1.de
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
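As an added illustration of the rule-ordering point Matthias makes (example code, not part of the original post and not Check Point's own software), here is a small first-match rule-base simulator. The gateway and terminal-server addresses are constructed, and the way a Client Authentication rule is expanded into an implied accept of the authentication session to the gateway on tcp/259 is an assumed simplification used only to show the ordering effect.

```python
# Added example, not code from the original post or from Check Point.
# A first-match rule-base simulator that shows why a Client Authentication
# rule has to sit ABOVE the Stealth rule: the accept for the authentication
# session to the gateway is only implied at the Client-Auth rule's own
# position, so a Stealth rule placed earlier drops that session first.
# Addresses and the expansion of the Client-Auth rule are assumptions.

GATEWAY = "203.0.113.1"        # constructed: the firewall's external address
TERMINAL_SERVER = "10.0.0.10"  # constructed: the protected host
CLIENT_AUTH_PORT = 259         # tcp/259, the telnet auth port named in the post


def client_auth_rule(src, dst, service):
    """Assumed model: a Client-Auth rule expands into an implied accept of
    the authentication session to the gateway on tcp/259 from the rule's
    source, followed by the rule for the protected service itself."""
    return [
        {"name": "client-auth (implied)", "src": src, "dst": GATEWAY,
         "svc": CLIENT_AUTH_PORT, "action": "accept"},
        {"name": "client-auth", "src": src, "dst": dst,
         "svc": service, "action": "accept-after-auth"},
    ]


def stealth_rule():
    """Stealth rule: drop everything addressed to the gateway itself."""
    return [{"name": "stealth", "src": "any", "dst": GATEWAY,
             "svc": "any", "action": "drop"}]


def cleanup_rule():
    """Explicit final drop so every packet matches some rule."""
    return [{"name": "cleanup", "src": "any", "dst": "any",
             "svc": "any", "action": "drop"}]


def matches(rule, pkt):
    """A rule field matches when it is 'any' or equals the packet field."""
    return all(rule[k] == "any" or rule[k] == pkt[k]
               for k in ("src", "dst", "svc"))


def evaluate(rulebase, pkt):
    """First-match semantics: return (rule name, action) of the first hit."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule["name"], rule["action"]
    return "implicit-drop", "drop"


def rulebase(auth_before_stealth):
    """Build the two orderings discussed in the post (source 'any', as in
    the 'no need to define an end user IP' variant)."""
    auth = client_auth_rule("any", TERMINAL_SERVER, 3389)
    if auth_before_stealth:
        return auth + stealth_rule() + cleanup_rule()
    return stealth_rule() + auth + cleanup_rule()


def auth_session_result(auth_before_stealth):
    """Fate of an Internet host's authentication session to tcp/259."""
    pkt = {"src": "198.51.100.7", "dst": GATEWAY, "svc": CLIENT_AUTH_PORT}
    return evaluate(rulebase(auth_before_stealth), pkt)


def ssh_to_gateway_result(auth_before_stealth):
    """Fate of an unrelated connection to the gateway (tcp/22)."""
    pkt = {"src": "198.51.100.7", "dst": GATEWAY, "svc": 22}
    return evaluate(rulebase(auth_before_stealth), pkt)


if __name__ == "__main__":
    for order in (True, False):
        print("auth rule before stealth:", order,
              "| tcp/259 to gateway ->", auth_session_result(order),
              "| tcp/22 to gateway ->", ssh_to_gateway_result(order))
```

With the Client-Auth rule above the Stealth rule, the tcp/259 session is accepted by the implied rule while tcp/22 to the gateway is still dropped by the Stealth rule; with the Stealth rule first, the tcp/259 session is dropped before the Client-Auth rule is ever consulted, which is why an explicit accept to port 259 would then be needed. In both cases, a source of "any" on the Client-Auth rule is exactly the trade-off quoted at the top of the thread: anyone on the Internet can reach the authentication port, so narrowing the source where possible is the mitigation.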