I can't guarantee this will work, but if your users are on XP,
I think you may be able to lock down the OS enough to limit
users from being able to create dial-up adapters. You will
need to remove 'use default gateway on remote network' from
the advanced properties of TCP/IP on the dial-up adapter, and
instead add a persistent static route using your firewall
as the gateway. This way your dial-up should only be able to
route to your network via your firewall. You will need to
go into user profiles and remove Administrators and Power
Users rights from the user's login. This way I _believe_ that
they will not be able to modify or add dial-up adapters, but
I haven't actually tried it, so your mileage may vary.
Hal
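As an added example that is not part of the thread (these are not Hal's or Gary's commands), here is the XP lockdown Hal describes written out as the cmd.exe commands an administrator would run on the laptop. All values are hypothetical: 203.0.113.10 stands for the firewall's public address, 198.51.100.1 for the ISP-side PPP peer, and jsmith for the user account. The route is written as a host route to the firewall's public address via the dial-up peer, which is how "only route to your network via your firewall" has to be expressed on a PPP link, and it assumes the ISP hands out the same peer address each time (a persistent route is only re-applied when its gateway is reachable; if the peer varies, add the route from a dial-up script instead). The Network Connections policy value names are the ones from the XP network.adm template; check them against your copy of the template before rolling this out, and note that HKCU policies apply to whoever is logged on when the script runs.

```batch
@echo off
rem Added example, not from the mailing list thread: lock an XP dial-up
rem laptop so the ISP link can only reach the Check Point gateway.
rem Hypothetical values: firewall public IP 203.0.113.10, ISP PPP peer
rem 198.51.100.1, user account jsmith.
setlocal
set FW_PUBLIC=203.0.113.10
set PPP_PEER=198.51.100.1
set LOCKED_USER=jsmith
rem All-user phonebook location on XP (assumed default path).
set PBK=%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk

rem 1. "Use default gateway on remote network" is stored per entry in the
rem    phonebook as IpPrioritizeRemote. It must be 0, otherwise the ISP link
rem    installs a 0.0.0.0/0 route and the user can browse without the VPN.
findstr /C:"IpPrioritizeRemote=1" "%PBK%" >nul && (
    echo ERROR: a dial-up entry still uses the remote default gateway
    exit /b 1
)

rem 2. Persistent host route: the only Internet destination reachable over
rem    the ISP link is the firewall's public address. SecureClient tunnels the
rem    office networks through that peer; anything else has no route at all,
rem    so it is refused by the OS rather than only by the desktop policy.
route -p add %FW_PUBLIC% mask 255.255.255.255 %PPP_PEER% metric 1

rem 3. Take the user out of the groups that may edit connections.
net localgroup Administrators %LOCKED_USER% /delete
net localgroup "Power Users" %LOCKED_USER% /delete

rem 4. Network Connections policies (per-user) so a plain user cannot run the
rem    New Connection Wizard, add/remove components, or open the properties
rem    of the all-user dial-up entry. Value names per the XP network.adm
rem    template; verify them against your template.
set NCPOL=HKCU\Software\Policies\Microsoft\Windows\Network Connections
reg add "%NCPOL%" /v NC_NewConnectionWizard /t REG_DWORD /d 0 /f
reg add "%NCPOL%" /v NC_AddRemoveComponents /t REG_DWORD /d 0 /f
reg add "%NCPOL%" /v NC_RasAllUserProperties /t REG_DWORD /d 0 /f

rem 5. Check after dialling: no default route should be listed, and exactly
rem    one host route to the firewall should be present.
echo --- default routes (expect none while dialled in) ---
route print 0.0.0.0
echo --- host route to the firewall ---
route print %FW_PUBLIC%
endlocal
```

Run this once as a local administrator before handing the laptop over, then dial in as the locked-down user and confirm the `route print` checks: if a `0.0.0.0` entry appears while the ISP link is up, the phonebook entry still has the remote default gateway enabled and the lockdown is not in effect.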
> -----Original Message-----
> From: Brett, Gary [mailto:garybrett AT HALIFAXCETELEM DOT COM]
> Sent: Monday, April 05, 2004 8:14 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] SecureClient - Blocking web browsing
>
>
> Thanks guys, the SecureClient packaging tool certainly seems
> pretty good, but it doesn't really solve my problem. Yes, it
> will enable me to restrict them from stopping the service and
> even connecting to other sites or even configuring the current
> one, but as far as I can see it will not stop them launching
> the dial-up to the ISP and browsing the web (and downloading
> stuff) without authenticating with the firewall first. I need
> it so that if they dial the ISP the SecureClient authentication
> box pops up (and this to be implemented without any backdoors;
> as I say, I have clever users who will quite happily search
> around the file system to find a dial-up link so that they can
> use their laptops as web browsers without connecting to the
> network). I do not want to give them any form of web browsing
> ability but only use the internet as a medium to connect to
> the office.
>
> any ideas ??
>
>
> -----Original Message-----
> From: Ray Pesek [mailto:sixsigma44 AT HOTMAIL DOT COM]
> Sent: 03 April 2004 04:29
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] SecureClient - Blocking web browsing
>
>
> When I installed the management station, I simply selected it to be
> installed, as I recall. This was FP3 to start with.
>
> You go over to the Check Point public free downloads and get the
> administrator version of the operating system you want. This is just
> the install program but with the individual files available. Save it
> into a folder on the management station. You have to have all GUI
> clients closed to run the tool.
>
> You select the "administrator" version folder as the source and pick
> your options. The tool creates a single executable in a new
> destination folder that you also select.
>
> It's pretty nice as it lets you embed some limited topology
> information in the installation executable, which makes the initial
> setup much easier since it already knows the firewall IP and policy
> server IP. I have mine set to default to Connect mode, know the
> firewall and policy server IPs, do not allow the end user to unload
> the desktop policy or to stop SecureClient, and basically a three
> click install. Run it, OK the license and OK the reboot. No muss, no
> fuss. I also have IKE over TCP and UDP Encapsulation preselected and
> locked down.
>
> We have the installation path hard-coded as well because we use iPass
> and it needs to know the path to ConnSHApp.exe.
>
> Ray
>
>
> > --- "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM> wrote:
> > > Thanks, do you know of any docs/whitepapers that explain how to
> > > use the SecureClient Packaging tool? And also, is this function
> > > available for NG FP3? Or is it an AI feature?
> > >
> > > -----Original Message-----
> > > From: Ray Pesek [mailto:sixsigma44 AT HOTMAIL DOT COM]
> > > Sent: 31 March 2004 17:47
> > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > Subject: Re: [FW-1] SecureClient - Blocking web browsing
> > >
> > >
> > > 1. Use the SecureClient Packaging Tool on the management station
> > > to create a customized build of SecureClient. Select the options
> > > that do not allow them to unload the policy or shut down
> > > SecureClient. Allow DHCP to work even if the policy does not allow
> > > it.
> > >
> > > 2. Use SCV so they cannot connect to the internal network unless
> > > the policy is loaded.
> > >
> > > 3. Implement an Outbound desktop rule like so:
> > >
> > > Source: AllUsers@any
> > > Destination: any
> > > Service: any
> > > Action: drop
> > >
> > > This will cause one big issue. The "AllUsers@any" rules are the
> > > desktop security policy that is in effect when they are NOT VPNed
> > > in. Some hotel broadband systems, notably STSN, require that a
> > > browser outbound connection come from the laptop. They then
> > > intercept the call and pop up their own page that you have to click
> > > a button on to get Internet access.
> > >
> > > No clicky, no Internet. No browser outbound, no STSN page, no
> > > Internet, no VPN connection. Kind of a chicken-or-egg thing. If you
> > > have a forced browser home page, you could create an outbound rule
> > > to allow HTTP to it, even if it is unreachable from the Internet.
> > > This is enough to trip the STSN page.
> > >
> > > Ray
> > >
> > >
> > > >From: "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM>
> > > >Reply-To: Mailing list for discussion of Firewall-1
> > > ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> > > >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > >Subject: [FW-1] SecureClient - Blocking web browsing
> > > >Date: Wed, 31 Mar 2004 13:07:32 +0100
> > > >
> > > >Dear all
> > > >
> > > >I am implementing SecureClient for all remote users, but as my
> > > >test bed has highlighted there are concerns over the users
> > > >connecting to the internet and not using the VPN, i.e. for non
> > > >work related reasons and installing all types of goodies from the
> > > >net on their laptops. Does anybody know of a way I can set it up
> > > >so that when connecting to the net, it always and only connects
> > > >to the firewall, hence not giving them the ability to browse the
> > > >web at all? Unfortunately for me, my users are quite PC literate
> > > >and as such this method would have to be put in place with no
> > > >workaround (well, no obvious one at least). I am quite willing to
> > > >look at reg hacks to lock the OS down, but I don't know if they'll
> > > >solve my problem.
> > > >
> > > >
> > > >any help would be greatly appreciated
> > > >
> > > >regards
> > > >Gary
> > > >This electronic message contains information from Halifax Cetelem
> > > >Credit Ltd which may be privileged or confidential. The
> > > >information is intended to be for the use of the individual(s) or
> > > >entity named above. If you are not the intended recipient be
> > > >aware that any disclosure, copying, distribution or use of the
> > > >contents of this information is prohibited. If you have received
> > > >this electronic message in error, please notify us by telephone
> > > >or email (to the numbers or address above) immediately.
> > > >
> > > >=================================================
> > > >To set vacation, Out-Of-Office, or away messages,
> > > >send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> > > >in the BODY of the email add:
> > > >set fw-1-mailinglist nomail
> > > >=================================================
> > > >To unsubscribe from this mailing list,
> > > >please see the instructions at
> > > >http://www.checkpoint.com/services/mailing.html
> > > >=================================================
> > > >If you have any questions on how to change your
> > > >subscription options, email
> > > >fw-1-owner AT ts.checkpoint DOT com
> > > >=================================================
> > >
> > >
>