Firewall-1

Re: [FW-1] SecureClient - Blocking web browsing

Subject: Re: [FW-1] SecureClient - Blocking web browsing
From: Benny Czarny <benny AT OPSWAT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 28 Apr 2004 17:35:47 -0700
You may also want to check -
http://www.opswat.com/opstop_ie_security.html
Regards
Benny
OPSWAT Inc,


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray Pesek
Sent: Monday, April 05, 2004 10:10 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] SecureClient - Blocking web browsing

When you set up the package, make it bind to all adapters. In FW-1, use SCV
so they cannot connect unless they pass the SCV checks. If they're not
logged into a policy server, they're not securely configured.

Create an allusers@any desktop policy to deny FTP/HTTP/HTTPS. If they don't
login to the firewall, the allusers@any rule drops all HTTP/HTTPS packets.

Ray

>From: "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] SecureClient - Blocking web browsing
>Date: Mon, 5 Apr 2004 15:13:55 +0100
>
>Thanks guys, the SecureClient packaging tool certainly seems pretty good,
>but it doesn't really solve my problem. Yes, it will enable me to restrict
>them from stopping the service and even connecting to other sites or even
>configuring the current one, but as far as I can see it will not stop them
>launching the dial-up to the ISP and browsing the web (and downloading
>stuff) without authenticating with the firewall first. I need it so that if
>they dial the ISP the SecureClient authentication box pops up (and this to
>be implemented without any backdoors; as I say, I have clever users who will
>quite happily search around the file system to find a dial-up link so that
>they can use their laptops as web browsers without connecting to the
>network). I do not want to give them any form of web browsing ability but
>only use the internet as a medium to connect to the office.
>
>Any ideas??
>
>
>-----Original Message-----
>From: Ray Pesek [mailto:sixsigma44 AT HOTMAIL DOT COM]
>Sent: 03 April 2004 04:29
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: Re: [FW-1] SecureClient - Blocking web browsing
>
>
>When I installed the management station, I simply selected it to be
>installed, as I recall. This was FP3 to start with.
>
>You go over to the Check Point public free downloads and get the
>administrator version of the operating system you want. This is just the
>install program but with the individual files available. Save it into a
>folder on the management station. You have to have all GUI clients closed
>to run the tool.
>
>You select the "administrator" version folder as the source and pick your
>options. The tool creates a single executable in a new destination folder
>that you also select.
>
>It's pretty nice as it lets you embed some limited topology information in
>the installation executable, which makes the initial setup much easier
>since it already knows the firewall IP and policy server IP. I have mine set
>to default to Connect mode, know the firewall and policy server IPs, do not
>allow the end user to unload the desktop policy or to stop SecureClient and
>basically a three click install. Run it, OK the license and OK the reboot.
>No muss, no fuss. I also have IKE over TCP and UDP Encapsulation
>preselected and locked down.
>
>We have the installation path hard-coded as well because we use iPass and
>it needs to know the path to ConnSHApp.exe.
>
>Ray
>
>
> >--- "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM>
> >wrote:
> > > Thanks, do you know of any docs/whitepapers that explain how to use the
> > > SecureClient Packaging tool ?? and also, is this function available for NG
> > > FP3 ??? or is it an AI feature?
> > >
> > > -----Original Message-----
> > > From: Ray Pesek [mailto:sixsigma44 AT HOTMAIL DOT COM]
> > > Sent: 31 March 2004 17:47
> > > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > Subject: Re: [FW-1] SecureClient - Blocking web browsing
> > >
> > >
> > > 1. Use the SecureClient Packaging Tool on the management station to create a
> > > customized build of SecureClient. Select the options that do not allow them
> > > to unload the policy or shut down SecureClient. Allow DHCP to work even if
> > > the policy does not allow it.
> > >
> > > 2. Use SCV so they cannot connect to the internal network unless the policy
> > > is loaded.
> > >
> > > 3. Implement an Outbound desktop rule like so:
> > >
> > > Source: AllUsers@any
> > > Destination: any
> > > Service: any
> > > Action: drop
> > >
> > > This will cause one big issue. The "AllUsers@any" rules are the desktop
> > > security policy that is in effect when they are NOT VPNed in. Some hotel
> > > broadband systems, notably STSN, require that a browser outbound connection
> > > come from the laptop. They then intercept the call and pop up their own page
> > > that you have to click a button on to get Internet access.
> > >
> > > No clicky, no Internet. No browser outbound, no STSN page, no Internet, no
> > > VPN connection. Kind of a chicken-or-egg thing. If you have a forced browser
> > > home page, you could create an outbound rule to allow HTTP to it, even if it
> > > is unreachable from the Internet. This is enough to trip the STSN page.
> > >
> > > Ray
> > >
> > >
> > > >From: "Brett, Gary" <garybrett AT HALIFAXCETELEM DOT COM>
> > > >Reply-To: Mailing list for discussion of Firewall-1
> > > ><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
> > > >To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > > >Subject: [FW-1] SecureClient - Blocking web browsing
> > > >Date: Wed, 31 Mar 2004 13:07:32 +0100
> > > >
> > > >Dear all
> > > >
> > > >I am implementing SecureClient for all remote users, but as my test bed
> > > >has highlighted there are concerns over the users connecting to the internet
> > > >and not using the VPN, i.e. for non work related reasons and installing all
> > > >types of goodies from the net on their laptops. Does anybody know of a way
> > > >I can set it up so that when connecting to the net, it always and only
> > > >connects to the firewall hence not giving them the ability to browse the
> > > >web at all? Unfortunately for me, my users are quite PC literate and as such
> > > >this method would have to be put in place with no workaround (well, no
> > > >obvious one at least). I am quite willing to look at reg hacks to lock the
> > > >OS down, but I don't know if they'll solve my problem.
> > > >
> > > >Any help would be greatly appreciated.
> > > >
> > > >Regards
> > > >Gary

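Ray's three-step desktop policy (the catch-all "AllUsers@any" drop plus the narrow HTTP exception that trips the STSN hotel portal) is easiest to reason about as an ordered, first-match rule list. The Python below is an added example written for this page, not code from the thread or from Check Point: the rule syntax is a simplified model, and the RemoteUsers group, the home.example host and drop-by-default for unmatched traffic are assumptions.

```python
# Added example: simplified model of SecureClient desktop policy evaluation.
# Rule/packet semantics are an assumption, not Check Point's implementation.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    source: str       # "AllUsers@any" (always applies) or "<group>@any"
    destination: str  # "any" or a host name
    service: str      # "any" or a service name such as "http"
    action: str       # "accept" or "drop"

@dataclass(frozen=True)
class Packet:
    groups: Optional[frozenset]  # None = not logged into the policy server
    destination: str
    service: str

def matches(rule: Rule, pkt: Packet) -> bool:
    """Source, destination and service must all match for the rule to fire."""
    group = rule.source.split("@", 1)[0]
    if group != "AllUsers" and (pkt.groups is None or group not in pkt.groups):
        return False  # group rules apply only after a policy-server login
    return (rule.destination in ("any", pkt.destination)
            and rule.service in ("any", pkt.service))

def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First match wins; returns (action, 1-based rule number), or ("drop", 0)
    when nothing matches (drop-by-default is an assumption of this model)."""
    for number, rule in enumerate(policy, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return "drop", 0

HOME_PAGE = "home.example"  # constructed placeholder for the forced browser home page

# Constructed policy following the thread: captive-portal exception first,
# then the (assumed) authenticated-user group, then the catch-all drop.
POLICY = [
    Rule("AllUsers@any", HOME_PAGE, "http", "accept"),
    Rule("RemoteUsers@any", "any", "any", "accept"),
    Rule("AllUsers@any", "any", "any", "drop"),
]
# Same rules with the catch-all drop first: the exception can never be reached.
MISORDERED = [POLICY[2], POLICY[0], POLICY[1]]

OFFLINE = None                       # laptop on hotel broadband, not logged in
STAFF = frozenset({"RemoteUsers"})   # user logged into the policy server

if __name__ == "__main__":
    for pkt in (Packet(OFFLINE, "www.example", "http"), Packet(OFFLINE, HOME_PAGE, "http"),
                Packet(OFFLINE, HOME_PAGE, "https"), Packet(STAFF, "www.example", "http")):
        print(pkt.destination, pkt.service, evaluate(POLICY, pkt))
    print("misordered:", evaluate(MISORDERED, Packet(OFFLINE, HOME_PAGE, "http")))
```

The third packet shows why the exception is safe to add: it opens only plain HTTP to the one host, so HTTPS to the same host, and everything else, still hits the drop rule when the user is not logged in.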
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
