Re: [FW-1] User authentication mechanism[s]

Subject: Re: [FW-1] User authentication mechanism[s]
From: Chris Hoff <choff AT CORNERSTONESECURITY DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 26 Dec 2003 10:20:11 -0500
Hello SG,

You worry about telnet to the firewall, but should not. This
authentication is on port 259, not the normal port 23. I'm not sure why
you have that port allowed in the Client Auth rule. Even having this in
the Client Auth rule, the user would have to authenticate before they
are able to telnet to the firewall.

As far as the issue about another password and ID, try using RADIUS
authentication. Either that, or if you have an LDAP database already
created, you could purchase the Account Management license. This would
allow you to integrate Check Point with LDAP.

Hope this helps,

Chris

-----Original Message-----
From: Security Guy [mailto:firewall_security AT HOTMAIL DOT COM]
Sent: Monday, December 22, 2003 4:46 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] User authentication mechanism[s]

Well I figured it out, the rule looks like this:

User Group    W32 Terminal Server/Firewall    ports 23 & 3389
Client
Auth

It works great, here's a breakdown

1. telnet session to the firewall over port 259
2. sign in | select "standard sign-on"
3. launch Microsoft RDP connection to the desired server

+ allows a user from anywhere to gain access to the terminal server, no
  need to define an end user IP

- Allows anyone to telnet to the firewall
- yet another password and ID to manage

Since placement of the rule requires it to be above the "stealth" rule
it permits any telnet session to the firewall.  How can I allow this to
work yet deny just anyone the ability to gain access to the firewall via
telnet?

Thanks

----- Original Message -----
From: "Security Guy" <firewall_security AT HOTMAIL DOT COM>
To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
Sent: Monday, December 22, 2003 11:25 AM
Subject: Re: [FW-1] User authentication mechanism[s]


> Still not having much luck with creating this access.  Here's the rule
> I'm trying to configure.  Is there some trick to setting up the actual
> user account? [test user exists within "user group"]  I'm expecting to
> see a login prompt from the firewall to allow further access to the
> terminal server, but no joy.  The logs show the traffic being stopped
> by the last rule, aka the clean up rule.  Do I need another port open
> to allow the prompt, or possibly another rule to augment the terminal
> server rule?
>
> Here's the rule
>
> User Group    W32 Terminal Server    Tcp Port 3389       Client Auth
>
> Thanks!
>
> ----- Original Message -----
> From: "Peter Goodridge" <petegdr AT YAHOO DOT COM>
> To: <FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> Sent: Friday, December 19, 2003 11:59 AM
> Subject: Re: [FW-1] User authentication mechanism[s]
>
>
> > Hi SG,
> >
> > I use client auth for this kind of stuff.  It works fine.  It's not
> > encrypted however unless you take some extra steps.  The other
> > downside being that if your user authenticates from a multiuser
> > system, or from behind a NAT device other folks will also have
> > access.
> >
> > HTH,
> > Pete
> > --- Security Guy <firewall_security AT HOTMAIL DOT COM>
> > wrote:
> > > We have a device that resides within our DMZ, a select group of
> > > DHCP users will need access.  I don't really want to give the
> > > users static IP addresses, can some kind of alternate
> > > authentication be used?  I've tried User Authentication, only to
> > > find out it only supports telnet, rlogin, http, https and ftp.  I
> > > would like to keep the users on DHCP IPs, they will be accessing
> > > the DMZ resource via a RDP connection [tcp port 3389]  Will client
> > > authentication work?
> > >
> > > thoughts | ideas | suggestions
> > >
> > > Thanks!
> > >
> > >
> > > =================================================
> > > To set vacation, Out-Of-Office, or away messages, send an email to
> > > LISTSERV AT amadeus.us.checkpoint DOT com
> > > in the BODY of the email add:
> > > set fw-1-mailinglist nomail
> > > =================================================
> > > To unsubscribe from this mailing list, please see the instructions
> > > at http://www.checkpoint.com/services/mailing.html
> > > =================================================
> > > If you have any questions on how to change your subscription
> > > options, email fw-1-owner AT ts.checkpoint DOT com
> > > =================================================
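As an added illustration of the rule-ordering question in this thread (editorial example code, not from any list participant or from Check Point), the toy first-match evaluator below places the Client Auth rule as posted next to a tightened variant whose service list omits tcp/23 and whose destination is only the terminal server. It shows that the sign-on rides on the gateway's tcp/259 listener, so an unauthenticated client telneting to the firewall falls through to the stealth rule either way, while a signed-on user can only reach tcp/23 on the firewall under the posted rule. The Client Auth matching model, the object names and the rule names are assumptions.

```python
# Toy first-match rule-base evaluator for the Client Auth / stealth-rule question
# in this thread. The Client Auth matching model is a simplification, not FW-1 internals.
from dataclasses import dataclass

FW, TS = "firewall", "terminal-server"   # constructed object names
ANY = "any"
AUTH_PORT = 259                          # Client Auth telnet listener on the gateway

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # ANY, or the user group that must have signed on
    dst: frozenset      # destination objects, or {ANY}
    ports: frozenset    # TCP ports, or {ANY}
    action: str         # "accept", "drop" or "client_auth"

def _hits(rule, dst, port):
    return (ANY in rule.dst or dst in rule.dst) and (ANY in rule.ports or port in rule.ports)

def evaluate(rules, dst, port, auth_group=None):
    """Return (rule name, decision) for the first rule matching a TCP connection.
    auth_group is the user group the source IP has signed on as, or None.
    Assumption: a Client Auth rule matches only an already-authenticated source,
    so an unauthenticated client falls through to the rules below it; the
    gateway's own tcp/259 sign-on listener answers before the rule base does.
    """
    if dst == FW and port == AUTH_PORT:
        return ("client-auth-listener", "prompt")
    for r in rules:
        if not _hits(r, dst, port):
            continue
        if r.action == "client_auth" and auth_group != r.src:
            continue
        return (r.name, "drop" if r.action == "drop" else "accept")
    return ("implicit", "drop")

STEALTH = Rule("stealth", ANY, frozenset({FW}), frozenset({ANY}), "drop")
CLEANUP = Rule("cleanup", ANY, frozenset({ANY}), frozenset({ANY}), "drop")

# Rule as posted: Client Auth to the terminal server AND the firewall on tcp/23 and tcp/3389.
POSTED = [Rule("client-auth", "UserGroup", frozenset({TS, FW}), frozenset({23, 3389}), "client_auth"),
          STEALTH, CLEANUP]
# Tightened: sign-on already rides on tcp/259, so the rule only needs the resource itself.
TIGHTENED = [Rule("client-auth", "UserGroup", frozenset({TS}), frozenset({3389}), "client_auth"),
             STEALTH, CLEANUP]

if __name__ == "__main__":
    for label, base in (("posted", POSTED), ("tightened", TIGHTENED)):
        print(label, evaluate(base, TS, 3389), evaluate(base, TS, 3389, "UserGroup"), evaluate(base, FW, 23, "UserGroup"))
```

The unauthenticated RDP case lands on the clean-up rule, which is the log entry the original poster described before the user signed on.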