On Wed, 18 Jul 2001, Haroon Meer wrote:
> Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
> to create encrypted sessions between users and FW-1 modules. Before remote
> users are able to communicate with internal hosts, a network topology of
> the protected network is downloaded to the client. While newer versions of
> the FW-1 software have the ability to restrict these downloads to only
> authenticated sessions, the default setting allows unauthenticated
> requests to be honoured. This gives a potential attacker a wealth of
> information including ip addresses, network masks (and even friendly
> descriptions)
This is a well-known, and generally accepted, risk associated with running
FWZ SecuRemote VPN's to FireWall-1. As others have already commented, it
is possible to turn off unauthenticated topology downloads through the
policy properties. If you do this, you will need to manually distribute a
userc.C file (containing the topology information) to all of your
secuRemote users. This file should be loaded into the
c:\winnt\fw\database directory on the client.
>From start to finish, the procedure should go something like this:
1. Set up you firewall gateway for VPN, with the "Respond to
unauthenticated topology requests" enabled.
2. Set up a sample secuRemote client, and download the site topology.
3. Turn off "Respond to unauthenticated topology requests".
4. Securely distribute the file userc.C from the sample client to all
secuRemote users.
You will need to send out an updated userc.C any time there is a change to
the encryption domain or keying info.
Regards,
Dave Taylor
