That's not the only way to do it. An 'authenticated' connection can download
the topology data. However, the authentication needed for this to work is a
shared secret or certificate as defined in the 'IKE' properties for the user
(i.e. you can't use things like SecurID for this bit). Once you've got the
topology, there's nothing stopping you re-authenticating with a normal
authentication method.
We do this with a separate account set up purely for topology downloads.
This account does not have any access to the network via the rulebase.
Checkpoint have a couple of documents available on how to set this up. They
are not that hard to find: searching for 'unauthenticated topology downloads'
in the Checkpoint knowledge base should do the trick.
Regards,
Dave
> -----Original Message-----
> From: Bugtraq Account [SMTP:[EMAIL PROTECTED]]
> Sent: 19 July 2001 23:02
> To: Haroon Meer
> Cc: [EMAIL PROTECTED]
> Subject: Re: Firewall-1 Information leak
>
> On Wed, 18 Jul 2001, Haroon Meer wrote:
[David Sexton] <snip>
> This is a well-known, and generally accepted, risk associated with running
> FWZ SecuRemote VPNs to FireWall-1. As others have already commented, it
> is possible to turn off unauthenticated topology downloads through the
> policy properties. If you do this, you will need to manually distribute a
> userc.C file (containing the topology information) to all of your
> SecuRemote users. This file should be loaded into the
> c:\winnt\fw\database directory on the client.
[David Sexton] </snip>
Sapphire Technologies Ltd
http://www.sapphire.net