Security Guy wrote: ...
+ allows a user from anywhere to gain access to the terminal server
+ no need to define an end user IP
- Allows anyone to telnet to the firewall
- yet another password and ID to manage
Hi,

when using Client-Authentication combined with a Stealth-Rule, you need to put the Client-Auth-Rule before the Stealth-Rule. Then, the access is allowed implicitly. Or, you put it behind the Stealth-Rule and accept the whole Internet to connect to your Firewall's port 259...

If using HTTP it's the same problem with cleartext. Maybe SSL helps? Further information: http://www.fw-1.de/aerasec/ng/client-auth-ssl.html Here, the Firewall is authenticated by a certificate, the authentication of the user is the same. What if you are using RADIUS or something else? Another solution might be to deploy User Authority from Check Point.

Btw., the pages for HTTP/HTTPS can be changed. They are located in $FWDIR/conf/ahclientd. The port (telnet or HTTP) can also be changed, see the document above.

Hope it helps,
best regards,
Matthias
http://www.fw-1.de
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
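The rule-ordering point above (Client-Auth-Rule before or behind the Stealth-Rule) comes down to first-match evaluation of the rulebase. The following is an added illustration, not code from Matthias's post or from Check Point: a minimal first-match evaluator over a constructed rulebase. It assumes a simplified model in which the client-auth rule matches connections to the gateway's port 259 from the source it names; the gateway and client addresses (203.0.113.1, 198.51.100.0/24, 192.0.2.9) are constructed TEST-NET values, and an implicit cleanup drop is assumed at the end.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed addresses (TEST-NET ranges), not a real deployment.
FIREWALL = ip_network("203.0.113.1/32")      # the gateway itself
OFFICE = ip_network("198.51.100.0/24")        # a known source network for the restricted variant
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    service: str      # "*" matches any service, otherwise e.g. "tcp/259"
    action: str       # "accept", "drop" or "client_auth"


def first_match(rules, src: str, dst: str, service: str):
    """Return (rule name, action) of the first rule matching the connection.

    Rules are evaluated top to bottom and the first hit wins; nothing later
    is consulted. Unmatched traffic falls through to the implicit cleanup drop.
    """
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.service in ("*", service):
            return r.name, r.action
    return "cleanup", "drop"


CLIENT_AUTH = Rule("client-auth", ANY, FIREWALL, "tcp/259", "client_auth")
CLIENT_AUTH_OFFICE = Rule("client-auth-office", OFFICE, FIREWALL, "tcp/259", "client_auth")
STEALTH = Rule("stealth", ANY, FIREWALL, "*", "drop")

# The three orderings discussed: auth rule first, stealth first, and auth
# rule first but limited to a defined source network.
AUTH_BEFORE_STEALTH = [CLIENT_AUTH, STEALTH]
STEALTH_BEFORE_AUTH = [STEALTH, CLIENT_AUTH]
RESTRICTED_AUTH = [CLIENT_AUTH_OFFICE, STEALTH]


def summarize(rules, src="192.0.2.9"):
    """Describe what an arbitrary Internet host (constructed 192.0.2.9) can reach on the gateway."""
    return {
        "tcp/259": first_match(rules, src, "203.0.113.1", "tcp/259"),
        "tcp/22": first_match(rules, src, "203.0.113.1", "tcp/22"),
    }


if __name__ == "__main__":
    for label, rb in (("auth before stealth", AUTH_BEFORE_STEALTH),
                      ("stealth before auth", STEALTH_BEFORE_AUTH),
                      ("restricted auth before stealth", RESTRICTED_AUTH)):
        print(label, summarize(rb))
```

With the auth rule first, any source reaches the client-auth port while every other service to the gateway is still dropped by the stealth rule; with the stealth rule first, the auth rule is never reached. Narrowing the auth rule's source, as in the third rulebase, keeps the ordering benefit without exposing port 259 to the whole Internet, at the cost of having to define the end-user networks.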
