My recommendation to all my clients: Get off of CVP and don't ever use
it! Turn the eSafe box into a NitroInspection Bridge Mode box.
Forget CVP.
I would even go and spend the extra $500 (if <2000 user eSafe lic) to
get an additional CI/CR. Have one CI/CR on your DMZ scanning SMTP
only. You don't need CVP for this if the eSafe box is your MX record,
since the eSafe box is already the destination.
Then get the second box and install it in bridge mode. This box will
scan everything except SMTP. If you do this, then remember to exclude
your Management Server from being scanned, or SIC and policy installs
will fail as a false Skype attack.
The only time CVP is necessary is when you want to scan connections
that go through the firewall but don't go through the content filter (like
your HTTP and FTP stuff). But putting eSafe in bridge mode will force
all of that traffic to traverse the eSafe box.
Regards,
Neil Delacruz
On 7/13/06, Joachim Altenhein <Joachim.Altenhein AT mikado DOT de> wrote:
Hello,
I've done an upgrade from R60 to R61. The customer uses CVP with eSafe to scan
SMTP, HTTP and FTP.
Starting with R61 you get an error message "Compressed HTTP responses (containing a
'Content-Encoding:' header) are not allowed when using CVP or weeding" whenever HTTP
1.1 is used and the server answers compressed. This is well documented in
http://updates.checkpoint.com/fileserver/ID/5563/FILE/sk17454_Connectivity_Security.pdf
but i can't follow the suggestion to lift security for these connections.
I tried to fix the problem with http_force_down_to_10 = 1 but it has no effect.
The client request still leaves the firewall with HTTP/1.1 as tcpdump shows.
I checked why we didn't have this problem with R60 and found that
http_force_down_to_10 = 1 is not working on R60 too (without and with HFA_03)
and that 'Strip SCRIPT Tags' (and probably CVP, too) is NOT working on sites
using compression, without any warning message. Looks like a real security
problem of R60 to me.
Testing is easy. Create a resource with 'Strip SCRIPT Tags' and test it as a
transparent or explicit proxy with www.google.de. Configure your IE 6 internet
options to use HTTP/1.1 (note, you have to restart the IE after changing this
setting, clear your IE cache!) With R61 you see an error message in the Tracker, with
R60 the SCRIPT-Tag passes unmodified(!). To crosscheck you can switch to HTTP 1.0 and
you will see the SCRIPT-Tag changed to <scrip!>.
Additionally I tested eSafe 5.2 in proxy mode and it passes the <SCRIPT> tag
unmodified if the response is compressed. I've not checked the virus scanning, but
I'm expecting the worst.
Any suggestions besides configuring all clients to use HTTP 1.0?
Why is http_force_down_to_10 not working (since which release)?
Thanks
Achim
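Achim's test above (a 'Strip SCRIPT Tags' resource that rewrites the tag to "<scrip!>" for plain HTTP/1.0 responses but lets it through untouched when the server answers with a Content-Encoding header) is easy to reproduce on the bench without a firewall. The following is an added example, not code from the thread, from Check Point or from Aladdin: it builds a constructed HTML response with and without gzip/deflate encoding, shows that a filter which pattern-matches the wire bytes never sees the tag inside a compressed body, and contrasts it with a filter that decodes according to Content-Encoding before inspecting, fixes up Content-Length, and refuses encodings it cannot decode (the fail-closed behaviour R61 is described as adopting). The `downgrade_request` helper only illustrates the intent of forcing clients down to HTTP/1.0 (no Accept-Encoding, so servers have no reason to compress); it is not Check Point's `http_force_down_to_10` implementation. The sample page, the filter names and the exception class are all assumptions made for the example.

```python
import gzip
import re
import zlib
from typing import Dict, Optional, Tuple

# Constructed sample page for the test; it is not a capture from any real site.
HTML = b"<html><body><SCRIPT>alert(1)</SCRIPT><p>hello</p></body></html>"


def build_response(body: bytes, encoding: Optional[str]) -> bytes:
    """Build a raw HTTP/1.1 response, optionally gzip- or deflate-encoded."""
    if encoding is None:
        payload = body
    elif encoding == "gzip":
        payload = gzip.compress(body, mtime=0)  # mtime=0 keeps the bytes reproducible
    elif encoding == "deflate":
        payload = zlib.compress(body)
    else:
        raise ValueError("sample builder does not produce encoding: " + encoding)
    head = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if encoding:
        head.append(b"Content-Encoding: " + encoding.encode())
    head.append(b"Content-Length: " + str(len(payload)).encode())
    return b"\r\n".join(head) + b"\r\n\r\n" + payload


def split_response(raw: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0], headers, body


SCRIPT_TAG = re.compile(rb"<(/?)script\b", re.IGNORECASE)


def strip_script_tags(html: bytes) -> bytes:
    """The 'Strip SCRIPT Tags' rewrite as the thread reports it: <SCRIPT> -> <scrip!>.
    The replacement has the same length as the tag, so Content-Length stays valid."""
    return SCRIPT_TAG.sub(rb"<\1scrip!", html)


def naive_filter(raw: bytes) -> bytes:
    """Pattern-match the wire bytes while ignoring Content-Encoding.
    For a compressed body the tag is never visible, so the response passes unchanged."""
    return strip_script_tags(raw)


class UninspectableResponse(Exception):
    """Raised when the body cannot be decoded for inspection (fail closed)."""


def inspect_response(raw: bytes) -> bytes:
    """Decode the body per Content-Encoding, strip the tags, and return an
    identity-encoded response with Content-Encoding dropped and Content-Length
    recomputed. Encodings the filter cannot decode are refused, not passed."""
    status, headers, body = split_response(raw)
    enc = headers.get("content-encoding", "identity").lower()
    if enc == "identity":
        plain = body
    elif enc == "gzip":
        plain = gzip.decompress(body)
    elif enc == "deflate":
        plain = zlib.decompress(body)
    else:
        raise UninspectableResponse("cannot inspect Content-Encoding: " + enc)
    cleaned = strip_script_tags(plain)
    out = [status]
    for name, value in headers.items():
        if name in ("content-encoding", "content-length"):
            continue
        out.append(name.encode() + b": " + value.encode())
    out.append(b"Content-Length: " + str(len(cleaned)).encode())
    return b"\r\n".join(out) + b"\r\n\r\n" + cleaned


def downgrade_request(raw: bytes) -> bytes:
    """Client-side workaround discussed in the thread: send HTTP/1.0 and drop
    Accept-Encoding so the server has no reason to compress. This only
    illustrates the intent; it is not Check Point's http_force_down_to_10."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].replace(b" HTTP/1.1", b" HTTP/1.0")
    kept = [l for l in lines[1:] if not l.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join([request_line] + kept) + sep + body


if __name__ == "__main__":
    wire = build_response(HTML, "gzip")
    print("naive filter changed compressed response:", naive_filter(wire) != wire)
    print(split_response(inspect_response(wire))[2])
```

Run it and the naive filter reports that it left the gzip response untouched, which is exactly the R60 symptom in the message above, while the decoding filter returns the body with `<scrip!>alert(1)</scrip!>`. The same harness can be pointed at a real proxy by replacing `build_response` with a socket read, but the point of the offline version is that the bypass needs nothing more exotic than a server honouring `Accept-Encoding: gzip`.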
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================