Hi All,
It's possible to modify the default policy. There are a couple of things I got
to learn about SecureClient during this problem. The key to the problem is
handling the SecureClient desktop policy.
1. In the inbound rules we need to put an accept rule from whichever networks
the connection is required from while connected on the local LAN (ideally the rule
would be lan networks -- Allusers@any -- any -- accept). This rule stays in the
default policy even after the user is disconnected from the policy server, thus
enabling local LAN users to connect to the laptop while the user is in the office,
proving the default policy can be tweaked.
2. All encrypt rules, inbound and outbound, vanish when disconnected from the policy
server.
3. By default there is no deny in the outbound rules, so in case you want
users not to access any sites except your office LAN while connected to the policy
server, you need to put a specific deny statement in the outbound rules.
4. If the user modifies his SCV check, then to prevent him from accessing the
office LAN, in traditional mode we must right-click the client encrypt rule and check
the box which says apply rule only after the config options are verified.
Regards,
Tinu Koshy
Security Consultant
Cable & Wireless
+91 80 28412000 x- 3108
Cell - +91 9845294006
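To make points 1 to 3 above concrete, here is a small first-match simulator of a desktop policy, added as an example; it is not Check Point code and not part of the thread. It assumes the behaviour the three posts describe: when the client is disconnected from the policy server, only the Allusers@any rules remain (the "default policy") and every encrypt rule is dropped, and outbound traffic that matches no rule is accepted while inbound traffic that matches no rule is dropped. The networks, the `vpn_users` group and the rule names are constructed sample values.

```python
"""Toy first-match model of a SecureClient-style desktop policy (added example).

Assumptions taken from the mailing-list thread, not verified against product docs:
  * disconnected from the policy server -> only Allusers@any rules survive,
    and every 'encrypt' rule vanishes (points 1 and 2 above);
  * outbound traffic matching no rule is accepted, inbound is dropped (point 3).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_USERS = "allusers@any"

# Constructed sample networks (RFC 1918 / RFC 5737 ranges).
LAN_NET = "10.10.0.0/16"      # local office LAN the laptop sits on
OFFICE_NET = "192.0.2.0/24"   # networks reached through the VPN tunnel


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    peer: str       # remote network in CIDR form, or "any"
    user: str       # ALL_USERS or a specific user group (hypothetical names)
    service: str    # "any" or a service name
    action: str     # "accept", "drop" or "encrypt"


# Policy as described in point 1, with encrypt rules for VPN users and
# no explicit outbound deny (the weak setting from point 3).
WEAK_POLICY = [
    Rule("inbound", LAN_NET, ALL_USERS, "any", "accept"),     # point 1
    Rule("outbound", OFFICE_NET, "vpn_users", "any", "encrypt"),
    Rule("inbound", OFFICE_NET, "vpn_users", "any", "encrypt"),
]

# Same policy plus an explicit outbound deny after the LAN accept (point 3).
HARDENED_POLICY = WEAK_POLICY + [
    Rule("outbound", LAN_NET, ALL_USERS, "any", "accept"),
    Rule("outbound", "any", ALL_USERS, "any", "drop"),
]


def _peer_matches(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def active_rules(rules, connected: bool):
    """Rules in force. Disconnected: keep only Allusers@any, non-encrypt rules."""
    if connected:
        return list(rules)
    return [r for r in rules if r.user == ALL_USERS and r.action != "encrypt"]


def default_policy(rules):
    """What the client enforces once the policy server connection is gone."""
    return active_rules(rules, connected=False)


def evaluate(rules, direction, peer_ip, user_groups, service, connected):
    """First matching rule wins; otherwise apply the implicit default."""
    for r in active_rules(rules, connected):
        if r.direction != direction:
            continue
        if not _peer_matches(r.peer, peer_ip):
            continue
        if r.user != ALL_USERS and r.user not in user_groups:
            continue
        if r.service not in ("any", service):
            continue
        return r.action
    # Implicit cleanup as described in point 3: outbound is open by default.
    return "accept" if direction == "outbound" else "drop"


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "connected, web to internet:",
              evaluate(pol, "outbound", "203.0.113.5", {"vpn_users"}, "http", True))
        print(name, "disconnected, LAN host inbound:",
              evaluate(pol, "inbound", "10.10.3.4", set(), "smb", False))
        print(name, "default policy rule count:", len(default_policy(pol)))
```

Running the block shows the two configurations side by side: the weak policy lets a connected user reach any outside site because nothing in the outbound rules denies it, the hardened one drops it, and in both cases the LAN accept rule is still there after disconnection while the encrypt rules are not.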
-----Original Message-----
From: Simon Desmeules [mailto:sdesmeules AT AVANCE DOT INFO]
Sent: 31 January 2005 14:08
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Default policy in secure client
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It's impossible to disable the default security policy however you
may always create a last rule for the outbound rule as alluser@any -
any - any - accept. This will permit all traffic when not connected
to the policy server.
HTH
- - - - - -
Contact us for your Security Training!
http://www.avance.info/ATC
- - - - - -
Simon Desmeules
AVANCE Services Réseaux
440 Boul. René Lévesque ouest,
15 ème étage
Montréal, (Qué)
H2Z 1V7
sdesmeules AT avance DOT info
T:514 866-0271 #140 | F:514 866-7631 | C: 514 712-3309
- -----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Ray
Sent: Sunday, January 30, 2005 4:24 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Default policy in secure client
There's no way to make it go away, however the default policy is the set of
rules that apply to the "allusers@any" group. If you set those inbound and
outbound rules to "any service-accept", you'll have the same effect.
Unless you have a separate firewall protecting the computers, it's a really
bad idea though.
Ray
>From: Tinu Koshy <tinu.koshy AT CWGOINDIA DOT COM>
>Reply-To: Mailing list for discussion of Firewall-1
><FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
>To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
>Subject: [FW-1] Default policy in secure client
>Date: Sun, 30 Jan 2005 11:48:02 +0530
>
>Hi All,
>
>Would anyone know how to disable the Default Policy on a secure
>client. I am looking for an option wherein the default policy will
>not be enabled once you are disconnected from the Policy Server. I
>am aware of options wherein you can manually disable the default
>policy but that does not help my requirements.
>
>I was wondering whether there are any parameters we can tweak to
>disable the default policy or modify the default policy for secure
>client.
>
>Regards,
>Tinu Koshy
>
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual addressee(s) or
>entity to whom they are addressed and may contain confidential or
>privileged information. If you are not the intended recipient,
>please notify the sender at Cable & Wireless or
>it.helpdesk AT cwgoindia DOT com immediately and destroy all copies of
>this message and any attachments.
>This footnote also confirms that this email message has been swept
>for the presence of computer viruses. While Cable & Wireless has
>taken reasonable precautions to minimise the risk of any attachment
>to this email containing viruses, we cannot accept liability for
>any damage which you sustain as a result of any such viruses. You
>should carry out your own virus checks before opening this
>document.
>
>
>
>This e-mail has been scanned for viruses by the Cable & Wireless
>e-mail security system - powered by MessageLabs. For more
>information on a proactive managed e-mail security service, visit
>http://www.cw.com/uk/emailprotection/
>
>The information contained in this e-mail is confidential and may
>also be subject to legal privilege. It is intended only for the
>recipient(s) named above. If you are not named above as a
>recipient, you must not read, copy, disclose, forward or otherwise
>use the information contained in this email. If you have received
>this e-mail in error, please notify the sender (whose contact
>details are above) immediately by reply e-mail and delete the
>message and any attachments without retaining any copies.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>fw-1-owner AT ts.checkpoint DOT com
>=================================================
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQA/AwUBQf470vCtLfe/COm3EQITegCfYrGQ5tXL3EFQClDCfSfj4Pxd+DIAoKyF
YU+78m4xIYsYmiLouS9W2y6r
=SsFO
-----END PGP SIGNATURE-----