I have to agree with Kyle here. Secure Client is your only option.
To refute other suggestions posted:
"Have you considered using KSE (formerly CMDS) to monitor input from
FW-1..."
There is no point; it will never seem like an attack if the user has a
dial-up connection to the internet: the computer will act as a router, i.e. the
traffic will come from an authenticated host.
"...some VPN software based on IPSec. Windows 2000 actually uses IPSec..."
Again, same argument; the traffic between the user and the company network
will be encrypted, but the traffic coming via the modem won't be until the
computer acts as a router and encrypts it to the firewall. There is no
advantage there.
"...use xxxxx third party product..."
Users have a great knack of disabling or not loading such programs. There
is no way to check (that I know of; someone correct me) that the third-party
product is running when they enter your network. "Oh, it crashed
so I forgot" or "Oh, it stopped ICQ running even when I wasn't connected to
the company, so I disabled it."
Also, small third-party firewalls have this great "learn" feature; essentially
people allow everything and end up defeating the purpose of having a
firewall.
Really your only option is to run SecureRemote:
1) You require encryption between user and company network (firewall); this
is standard with SR.
2) You require security at the user end (SR is a mini firewall at the end
user's PC; a defined policy is pushed out each time the user connects to the
firewall).
3) You need to make sure that it's running; the user has to access the
network via SR, no other options.
It does have drawbacks:
1) It only comes with 4.1 (CP 2000) and it's an add-on feature which could be
expensive. Check to see if you have a maintenance contract with CP; if you
do they will upgrade you to 4.1 free of charge.
2) It's new; Checkpoint are pretty good with service packs, so it's probably
reasonably bulletproof.
3) I have only seen it running in the labs, not in real situations.
Regards,
Rob Purdy
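As an added illustration (not code from this thread, from any of the posters, or from Check Point), the following Python sketch models the three requirements listed above as a gateway-side admission check, together with the two controls in Kyle's quoted message below (a short idle timeout, and tunnels initiated only from the client). The shape of the client posture report, the field names, the policy identifier and the sample values are all constructed assumptions; a real product would get this data from its own client agent.

```python
"""Gateway-side admission check for remote VPN clients.

Added example, not from the firewall-wizards thread or from Check Point.
It models the requirements discussed in the thread: the tunnel is
encrypted, the client has the current pushed policy and its agent is
actually running, the client is not forwarding between a second interface
(a dial-up modem) and the tunnel, the tunnel was initiated by the client,
and idle sessions are dropped quickly. The posture-report fields and the
sample values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

REQUIRED_POLICY = "policy-2000-08-21"   # placeholder id of the currently pushed policy
IDLE_TIMEOUT_SECONDS = 30               # the aggressive timeout suggested in the thread


@dataclass
class ClientPosture:
    """What the client agent reports to the gateway (constructed shape)."""
    agent_running: bool
    policy_id: Optional[str]      # None when no policy has ever been pushed
    tunnel_encrypted: bool
    ip_forwarding: bool           # host forwards packets between its interfaces
    interfaces: List[str]         # active non-loopback interfaces
    initiated_by: str             # "client" or "gateway"
    idle_seconds: int


def admission_problems(p: ClientPosture) -> List[str]:
    """Return reasons to refuse or drop the session; an empty list means admit."""
    problems: List[str] = []
    if not p.tunnel_encrypted:
        problems.append("tunnel is not encrypted")
    if not p.agent_running:
        problems.append("client agent is not running")
    if p.policy_id != REQUIRED_POLICY:
        problems.append(
            f"client policy {p.policy_id!r} is not the current {REQUIRED_POLICY!r}")
    # The "PC becomes a router" case from the thread: a second interface plus
    # forwarding means anything reachable via the modem rides the tunnel as
    # traffic from an authenticated host.
    if p.ip_forwarding and len(p.interfaces) > 1:
        problems.append("host forwards between " + ", ".join(p.interfaces)
                        + " and would route outside traffic into the tunnel")
    if p.initiated_by != "client":
        problems.append("tunnel must be initiated by the client, not toward it")
    if p.idle_seconds > IDLE_TIMEOUT_SECONDS:
        problems.append(
            f"idle for {p.idle_seconds}s, over the {IDLE_TIMEOUT_SECONDS}s timeout")
    return problems


def admit(p: ClientPosture) -> bool:
    """True when no admission problem was found."""
    return not admission_problems(p)


# Constructed sample postures: a clean client, a client that has dialled up
# and is forwarding, and a client whose agent is not running at all.
GOOD_CLIENT = ClientPosture(True, REQUIRED_POLICY, True, False, ["eth0"], "client", 5)
MODEM_ROUTER = ClientPosture(True, REQUIRED_POLICY, True, True, ["eth0", "ppp0"], "client", 5)
NO_AGENT = ClientPosture(False, None, True, False, ["eth0"], "client", 120)

if __name__ == "__main__":
    samples = [("good", GOOD_CLIENT), ("modem-router", MODEM_ROUTER), ("no-agent", NO_AGENT)]
    for name, posture in samples:
        print(f"{name}: {'admit' if admit(posture) else 'refuse'}")
        for reason in admission_problems(posture):
            print("  -", reason)
```

Note that the forwarding check only catches what the client agent reports; if the agent itself is not running (the `NO_AGENT` case), the gateway has no posture data to trust, which is exactly why the message above insists the agent must be the only way onto the network.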
> -----Original Message-----
> From: firewall-wizards-admin_at_nfr.net
> [mailto:firewall-wizards-admin_at_nfr.net]On Behalf Of Starkey, Kyle
> Sent: Saturday, 19 August 2000 3:57 a.m.
> To: 'Michael C. Ibarra'; firewall-wizards_at_nfr.net
> Subject: RE: [fw-wiz] VPN for *DSL/CableModem Users
>
>
> Mike,
> I believe that if you are using Checkpoint vers. 4.1 with
> SecureRemote you can
> "push" policy to the remote client while connected to them. This protects
> you from an attacker using your users as a transit resource into your
> network. This unfortunately does not help you out with Trojans already
> planted on the user's system; it only helps with attacks during the VPN
> session. I have not seen this work, but this is what I was told by some
> unbiased individuals. The second thing you can do is to bring the idle
> timeout down; this alleviates the problem of users setting up a dial-up
> connection, then while at work using it to go back out... kinda
> lame I know,
> but on something like this layers of protection are your only resource, and
> being annoying and dropping the connection after 30 seconds might
> stop some
> unmotivated individuals.
>
> Lastly, you can only allow tunnels sourced from the client to the
> host only
> and not the other way around; again this stops your users from getting a
> tunnel created back to their house so that they can get to Napster or
> whatever... unfortunately your last line of defense from internal attacks
> is your corporate security policy. If you make
> sure to be a real fascist when it comes to this then people will get the
> hint that running Napster in the office is an offense for which they might
> get fired. This should stop your low-end users from being annoying....
>
>
> -Kyle
> -----Original Message-----
> From: Michael C. Ibarra [mailto:ibarra_at_hawk.com]
> Sent: Thursday, August 17, 2000 2:15 PM
> To: firewall-wizards_at_nfr.net
> Subject: [fw-wiz] VPN for *DSL/CableModem Users
>
>
> Hello:
>
> I've been asked to perform the horrible task of allowing
> remote/home internet connections into a corporate LAN.
> The firewall/s in question are a FW-1 and IPFilter (separate
> machines) combo. The pipe decided upon was either DSL or
> cable modems, based of course on availability. The present
> method is an ISDN/SecurID/dialback method. The present
> corporate policy allows no inbound traffic from the internet
> and allows limited outbound connections, mainly http.
> My feeling is that users, unable to reach their AOL/Napster/
> whatever type of services, could place a modem into these home
> PCs, corporate owned but that doesn't matter, making that
> box an insecure gateway or transfer point for a virus to the
> corporate network. VPNs IMO would do little to protect a
> machine which has a greater chance of becoming compromised,
> besides breaking corporate security policy, since all non-VPN
> connections would probably allow those same services not
> normally allowed in the office. My question, and thank you
> for reading this far, is what VPN software and/or hardware
> is recommended and what can be done to enforce the present
> corporate policy (aside from asking users to sign an agreement).
>
> Thank you all,
>
> -mike
>
>
>
> The information contained in this message
> is not necessarily the opinion of Hawk
> Technologies, Inc.
>
>
> _______________________________________________
> Firewall-wizards mailing list
> Firewall-wizards_at_nfr.net
> http://www.nfr.net/mailman/listinfo/firewall-wizards
>
Received on Aug 21 2000