Hi All,

It's possible to modify the default policy. There are a couple of things I got to learn about SecureClient during this problem. The key to the problem is handling the SecureClient desktop policy.
1. In the inbound rule we need to put an accept rule from whichever networks the connection is required while connected on the local LAN (ideally the rule would be lan [EMAIL PROTECTED] -- any -- accept). This rule stays in the default policy even after the user is disconnected from the policy server, thus enabling local LAN users to connect to the laptop while the user is in the office, proving the default policy can be tweaked.

2. All encrypt rules, inbound & outbound, vanish when disconnected from the policy server.

3. By default there is no deny in the outbound rules, so in case you want users not to access any sites except your office LAN while connected to the policy server you need to put a specific deny statement in the outbound rule.

4. If the user modifies his SCV check, then to prevent him from accessing the office LAN, in traditional mode we must right-click the client encrypt & check the box which says "apply rule only after the Config options are verified".

Regards,
Tinu Koshy
Security Consultant
Cable & Wireless
+91 80 28412000 x-3108
Cell - +91 9845294006

-----Original Message-----
From: Simon Desmeules [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2005 14:08
To: [email protected]
Subject: Re: [FW-1] Default policy in secure client

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's impossible to disable the default security policy; however, you may always create a last rule for the outbound rule as [EMAIL PROTECTED] - any - any - accept. This will permit all traffic when not connected to the policy server.

HTH

- - - - - - Contact us for your Security Training! http://www.avance.info/ATC - - - - - -
Simon Desmeules
AVANCE Services Réseaux
440 Boul. René Lévesque ouest, 15ème étage
Montréal, (Qué) H2Z 1V7
[EMAIL PROTECTED]
T: 514 866-0271 #140 | F: 514 866-7631 | C: 514 712-3309

- -----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED]] On Behalf Of Ray
Sent: Sunday, January 30, 2005 4:24 PM
To: [email protected]
Subject: Re: [FW-1] Default policy in secure client

There's no way to make it go away; however, the default policy is the set of rules that apply to the "[EMAIL PROTECTED]" group. If you set those inbound and outbound rules to "any service - accept", you'll have the same effect. Unless you have a separate firewall protecting the computers, it's a really bad idea though.

Ray

>From: Tinu Koshy <[EMAIL PROTECTED]>
>Reply-To: Mailing list for discussion of Firewall-1 <[email protected]>
>To: [email protected]
>Subject: [FW-1] Default policy in secure client
>Date: Sun, 30 Jan 2005 11:48:02 +0530
>
>Hi All,
>
>Would anyone know how to disable the Default Policy on a secure
>client? I am looking for an option wherein the default policy will
>not be enabled once you are disconnected from the Policy Server. I
>am aware of options wherein you can manually disable the default
>policy but that does not help my requirements.
>
>I was wondering whether there are any parameters we can tweak to
>disable the default policy or modify the default policy for secure
>client.
>
>Regards,
>Tinu Koshy
>
>This email and any files transmitted with it are confidential and
>intended solely for the use of the individual addressee(s) or
>entity to whom they are addressed and may contain confidential or
>privileged information. If you are not the intended recipient,
>please notify the sender at Cable & Wireless or
>[EMAIL PROTECTED] immediately and destroy all copies of
>this message and any attachments.
>This footnote also confirms that this email message has been swept
>for the presence of computer viruses. While Cable & Wireless has
>taken reasonable precautions to minimise the risk of any attachment
>to this email containing viruses, we cannot accept liability for
>any damage which you sustain as a result of any such viruses. You
>should carry out your own virus checks before opening this
>document.
>
>This e-mail has been scanned for viruses by the Cable & Wireless
>e-mail security system - powered by MessageLabs. For more
>information on a proactive managed e-mail security service, visit
>http://www.cw.com/uk/emailprotection/
>
>The information contained in this e-mail is confidential and may
>also be subject to legal privilege. It is intended only for the
>recipient(s) named above. If you are not named above as a
>recipient, you must not read, copy, disclose, forward or otherwise
>use the information contained in this email. If you have received
>this e-mail in error, please notify the sender (whose contact
>details are above) immediately by reply e-mail and delete the
>message and any attachments without retaining any copies.
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [EMAIL PROTECTED]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[EMAIL PROTECTED]
>=================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQf470vCtLfe/COm3EQITegCfYrGQ5tXL3EFQClDCfSfj4Pxd+DIAoKyF
YU+78m4xIYsYmiLouS9W2y6r
=SsFO
-----END PGP SIGNATURE-----
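Putting the four points from the top of the thread together, the following is an illustrative SecureClient desktop policy laid out in the inbound/outbound columns the rulebase editor uses. It is an added example, not a rulebase anyone posted in the thread. The object names lan_net (the office subnet the laptop sits on), office_lan (the networks reached through the VPN) and desktop_users (the user group the thread's archive redacts as [EMAIL PROTECTED]) are assumptions; rules are listed in the order they should appear, since each direction is matched top-down.

```text
# Illustrative SecureClient desktop policy (added example, not from the thread).
# Assumed object names: lan_net, office_lan, desktop_users (see lead-in).
# Within each direction the first matching rule wins.

Inbound (traffic arriving at the laptop)
 No.  Source         Destination    Service  Action   Why
 1    lan_net        desktop_users  any      accept   point 1: a plain accept survives in the
                                                      default policy, so office peers can still
                                                      reach the laptop after the policy server
                                                      disconnects
 2    any            desktop_users  any      drop     the thread does not state the inbound
                                                      default; an explicit drop is shown so the
                                                      result does not depend on it

Outbound (traffic leaving the laptop)
 No.  Source         Destination    Service  Action   Why
 1    desktop_users  office_lan     any      encrypt  point 2: present only while logged on to
                                                      the policy server; vanishes on disconnect
 2    desktop_users  any            any      drop     point 3: outbound is open by default, so
                                                      the deny has to be added explicitly and
                                                      must sit below the encrypt rule

Traditional mode, on Outbound rule 1 (Client Encrypt action):
 [x] Apply rule only after the config (SCV) options are verified    point 4
```

Two consequences worth checking before rolling this out. First, rule order matters: if Outbound 2 were placed above Outbound 1 the office traffic would be dropped before it could be encrypted. Second, point 1 says a non-encrypt rule stays in the default policy after disconnect; if that also holds for Outbound 2, the laptop would have no outbound access at all once the encrypt rule vanishes, so an outbound accept to lan_net placed above the drop (the counterpart of Inbound 1) is the way to keep local office access in that state. Simon's alternative, a final outbound "any - any - accept", removes the restriction entirely, which is the trade-off Ray warns about.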
