Firewall-1

Re: [FW-1] Does a stealth rule disable Client Authentication?

Subject: Re: [FW-1] Does a stealth rule disable Client Authentication?
From: fwguru <fwguru AT GMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 19 Apr 2005 05:48:50 -0400
-cpguru,

A little paranoid, I guess.  I am probably most paranoid of the
disgruntled employee that has some skillz.

All I'm really trying to say in my last post is this:
If internal, authorized, non-encrypted users are blocked from reaching
the firewall by the stealth rule, why would that not apply to VPN
users as well?


-fwguru


On 4/19/05, Jean-Paul Baillon <JPBaillon AT contentwise.com DOT au> wrote:
> True but how paranoid are you in the case of Authenticated (trusted)
> users?
>
> -cpguru
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of fwguru
> Sent: Tuesday, 19 April 2005 12:42 PM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] Does a stealth rule disable Client Authentication?
>
> Presuming that your intention is to NOT allow authenticated VPN clients
> direct access to the firewall, on Simplified Mode Policies explicit VPN
> rules CAN be below the Stealth Rule.  The actual VPN control connections
> to the firewall are implied.  VPN-client access-control is a layer of
> security unrelated to VPN technology (such as key exchanges).
>
> Non-transparent authentication rules (the ones with Client-Auth as the
> Action) must be above the Stealth Rule.  In fact, the only instance that
> users *should* knowingly and explicitly connect to the firewall directly
> is when Client-Auth is configured.  That's it. I cannot think of other
> reasons why to allow your general population to willfully and explicitly
> connect to the firewall.
>
> Consider this:  If you have a VPN rule above the Stealth Rule that says:
>
> Users@Any | Internal_Net | via RA_Community | ANY Service | Accept
>
> ... wouldn't that leave the FW's internal interface open to all ports
> from authenticated VPN users?  If so, that would break all kinds of
> best-practices rules.
>
> -fwguru
>
> On 4/18/05, Jean-Paul Baillon <JPBaillon AT contentwise.com DOT au> wrote:
> > The client authentication rules, as with all VPN rules, should be placed
> > above the stealth rule, as its purpose is to stop rogue connections
> > being made to the firewall.
> >
> > With VPN and Client auth you need to make a connection to the firewall
> > in order to proceed.
> >
> >
> > JP
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> > Sascha Picchiantano
> > Sent: Monday, 18 April 2005 9:59 PM
> > To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> > Subject: [FW-1] Does a stealth rule disable Client Authentication?
> >
> > Hi,
> >
> > we are running NG and use SecurID to authenticate users. This works
> > well. However, I implemented a stealth rule (deny traffic to firewall)
> > and since then users can't authenticate anymore. I was under the
> > impression that authentication stuff is handled by implied rules, but
> > it looks as if not. Any idea? What do I have to open up so users can
> > authenticate?
> >
> > Oh btw: When users access the Internet with a browser their browser
> > title bar shows
> > [ip_address_of_firewall]\fwauthredirect_[long_number_probably_cookie]
> > and hangs there. This might be related...?
> >
> > Any suggestions please? :)
> >
> > Cheers
> > Sascha
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to
> > LISTSERV AT amadeus.us.checkpoint DOT com
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription options,
> > email fw-1-owner AT ts.checkpoint DOT com
> > =================================================

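The ordering question the thread argues about, as an added first-match rulebase model that is not part of the thread or of Check Point's code: it shows the Client-Auth rule being dropped by the stealth rule when placed below it, and the "Users@Any | Internal_Net | ANY" VPN rule above the stealth rule reaching the firewall's internal interface. All addresses are constructed, the "via RA_Community" condition is approximated by a VPN address pool, and the Client Auth action is modelled as an accept to the Client Auth HTTP port (TCP 900).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

ANY = "Any"
FIREWALL = "Firewall"
FW_IP = ip_address("10.0.0.1")            # firewall's internal interface (constructed)
INTERNAL_NET = ip_network("10.0.0.0/24")  # Internal_Net; note that it contains FW_IP
VPN_POOL = ip_network("10.99.0.0/24")     # stands in for authenticated VPN users (constructed)
CLNTAUTH_HTTP = 900                       # Client Auth HTTP port (FW1_clntauth_http)

@dataclass
class Rule:
    name: str
    src: object       # IPv4Network or ANY
    dst: object       # IPv4Network, FIREWALL or ANY
    service: object   # TCP port or ANY
    action: str       # "Accept" or "Drop"

def _addr_ok(spec, addr: IPv4Address) -> bool:
    """Does an address match a source/destination column entry?"""
    if spec == ANY:
        return True
    if spec == FIREWALL:
        return addr == FW_IP
    return addr in spec

def first_match(rules, src: str, dst: str, port: int):
    """Top-down, first-match evaluation; the implicit cleanup rule drops the rest."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if _addr_ok(r.src, s) and _addr_ok(r.dst, d) and r.service in (ANY, port):
            return r.name, r.action
    return "cleanup", "Drop"

STEALTH = Rule("stealth", ANY, FIREWALL, ANY, "Drop")
# Client Auth rule: users must connect to the firewall itself on the auth port.
CLIENT_AUTH = Rule("client_auth", INTERNAL_NET, FIREWALL, CLNTAUTH_HTTP, "Accept")
# The "Users@Any | Internal_Net | via RA_Community | ANY Service | Accept" rule.
VPN_ANY = Rule("vpn_any", VPN_POOL, INTERNAL_NET, ANY, "Accept")

def auth_with_clientauth_below_stealth():
    return first_match([STEALTH, CLIENT_AUTH], "10.0.0.50", "10.0.0.1", CLNTAUTH_HTTP)

def auth_with_clientauth_above_stealth():
    return first_match([CLIENT_AUTH, STEALTH], "10.0.0.50", "10.0.0.1", CLNTAUTH_HTTP)

def vpn_rule_above_stealth(port=22):
    return first_match([VPN_ANY, STEALTH], "10.99.0.7", "10.0.0.1", port)

def vpn_rule_below_stealth(port=22):
    return first_match([STEALTH, VPN_ANY], "10.99.0.7", "10.0.0.1", port)
```

With the Client-Auth rule above the stealth rule, only the auth port reaches the firewall; any other port from the same user still hits the stealth rule.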