Hello and thanks for your reply!
See below for comments and another (critical) problem.

On Mon, 13 Oct 2003 11:07 -0700, Benny Czarny wrote:

> Hi Peter,
> Did you make sure that the Enforce Secure Configuration Verification Flag is
> checked?
> (global properties)

You mean in Remote Access->Secure Configuration Verification?
I don't have that checkbox, I only have these (all are checked):

Secure Configuration Options
*Apply Secure Configuration Verifications on Simplified mode Security Policies
*Policy is installed on all interfaces
*Only TCP/IP protocols are used

Configuration Violation Notification
*Generate log on client
*Notify the user

This is in NG FP3 (SecurePlatform), maybe we need to upgrade to NG AI
before it works?

However, I noticed another very disturbing fact today:

* My SecureClient has successfully connected.
* I terminate one of the processes I check for in SCV.
* I get the warning popup but no disconnect.
* I continue using the VPN connection.
* I disconnect the VPN connection.
* I can now connect to the VPN again without running the required process!!!
  I don't even get the warning popup. I can, in fact, terminate all required
  processes and still connect to the VPN without any warning.

Something must be cached somewhere, but I can't understand why the server's
SCV checks seem to be overridden by some cache or something like that.
Anyone have any ideas on this?
I can't believe there is as big a security bug as this, so I must be doing
something wrong in the configuration.

The ProcessMonitor section of local.scv is like this:
                : (ProcessMonitor
                        :type (plugin)
                        :parameters (
                                :Realmon.exe (true)
                                :InoRpc.exe (true)
                                :InoTask.exe (true)
                                :InoRT.exe (true)
                                :begin_admin (admin)
                                :send_log (alert)
                                :mismatchmessage ("Please check that the following processes are running: InoTask.exe, InoRT.exe, InoRpc.exe, Realmon.exe.")
                                :end (admin)
                        )
                )

And here are some other parts of local.scv:
        :SCVPolicy (
                : (user_policy_scv)
                : (sc_ver_scv)
                : (ProcessMonitor)
        )
        :SCVGlobalParams (
                :block_connections_on_unverified (true)
                :scv_policy_timeout_hours (2)
                :enforce_ip_forwarding (true)
                :enable_status_notifications (true)
                :disconnect_when_not_verified (true)
        )

Thanks!

Peter Olsson


> Best
> Benny
> www.opswat.com
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] Behalf Of Peter
> Olsson
> Sent: Monday, October 13, 2003 9:46 AM
> To: [EMAIL PROTECTED]
> Subject: [FW-1] SecureClient is not disconnected when SCV check turns
> false?
>
>
> Hello!
>
> We use, among other tests, a ProcessMonitor test for SecureClient
> connections. If all processes aren't running at the time of connect,
> the connection is refused. But now I tried shutting down one of these
> processes after a successful connection. I got the popup telling me that
> I didn't have all the required processes running, but the connection
> wasn't broken as it probably should have been. Is it something I have
> missed in the begin_admin/end section of our tests in local.scv, or is
> it something that won't work until NG AI (we use NG FP3)?
>
> Thanks!
>
> --
> Peter Olsson             [EMAIL PROTECTED]
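
Added example (not part of the original thread, and not Check Point code): a small Python lint for local.scv fragments shaped like the ones posted above. It lists the processes ProcessMonitor watches and reports a ProcessMonitor check missing from SCVPolicy or either of the two SCVGlobalParams flags not set to true. Treating those flags as required is an assumption based on the configuration in the post; parse, audit and SAMPLE are hypothetical names.

```python
import re
from itertools import takewhile

TOKEN = re.compile(r'"[^"]*"|[()]|:[^\s()]*|[^\s()":]+')  # string | paren | :name | word

def parse(text):
    """Parse ':name (value child...)' entries into (name, value, children) tuples."""
    toks, pos = TOKEN.findall(text) + [None], 0
    def entries():
        nonlocal pos
        out = []
        while toks[pos] is not None and toks[pos].startswith(":"):
            name = toks[pos][1:]
            if toks[pos + 1] != "(":
                raise ValueError(f"expected '(' after :{name}")
            pos += 2
            value = None
            if toks[pos] not in ("(", ")", None) and not toks[pos].startswith(":"):
                value, pos = toks[pos].strip('"'), pos + 1
            children = entries()
            if toks[pos] != ")":
                raise ValueError(f"unclosed entry :{name}")
            pos += 1
            out.append((name, value, children))
        return out
    tree = entries()
    if toks[pos] is not None:
        raise ValueError(f"unexpected token {toks[pos]!r}")
    return tree

def audit(text):  # returns (monitored_processes, findings)
    tree = parse(text)
    top = {n: kids for n, _, kids in tree if n}          # e.g. SCVPolicy
    plugins = {v: kids for n, v, kids in tree if not n}  # e.g. ProcessMonitor
    policy = [v for _, v, _ in top.get("SCVPolicy", [])]
    flags = {n: v for n, v, _ in top.get("SCVGlobalParams", [])}
    params = next((k for n, _, k in plugins.get("ProcessMonitor", []) if n == "parameters"), [])
    procs = [e[0] for e in takewhile(lambda e: e[0] != "begin_admin", params)]
    findings = [] if "ProcessMonitor" in policy or not procs else ["ProcessMonitor not listed in SCVPolicy"]
    required = ("block_connections_on_unverified", "disconnect_when_not_verified")  # assumed must be true
    findings += [f"{f} is {flags.get(f)}" for f in required if flags.get(f) != "true"]
    return procs, findings

# Constructed sample modelled on the fragments in the post (not the poster's full file).
SAMPLE = """: (ProcessMonitor :type (plugin) :parameters (
  :InoTask.exe (true) :InoRT.exe (true) :begin_admin (admin) :send_log (alert)
  :mismatchmessage ("Please check: InoTask.exe (AV).") :end (admin)))
:SCVPolicy ( : (user_policy_scv) : (sc_ver_scv) : (ProcessMonitor) )
:SCVGlobalParams ( :block_connections_on_unverified (true) :disconnect_when_not_verified (true) )"""
```

Calling audit(SAMPLE) returns the monitored process names and an empty findings list; a non-empty list names the setting that differs.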
