True but how paranoid are you in the case of Authenticated (trusted) users?

-cpguru

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of fwguru
Sent: Tuesday, 19 April 2005 12:42 PM
To: [email protected]
Subject: Re: [FW-1] Does a stealth rule disable Client Authentication?

Presuming that your intention is to NOT allow authenticated VPN clients direct access to the firewall, on Simplified Mode Policies explicit VPN rules CAN be below the Stealth Rule. The actual VPN control connections to the firewall are implied. VPN-client access-control is a layer of security unrelated to VPN technology (such as key exchanges).

Non-transparent authentication rules (the ones with Client-Auth as the Action) must be above the Stealth Rule. In fact, the only instance that users *should* knowingly and explicitly connect to the firewall directly is when Client-Auth is configured. That's it. I cannot think of other reasons why to allow your general population to willfully and explicitly connect to the firewall.

Consider this: If you have a VPN rule above the Stealth Rule that says:

[EMAIL PROTECTED] | Internal_Net | via RA_Community | ANY Service | Accept

.....wouldn't that leave the FW's internal interface open to all ports from authenticated VPN users? If so, that would break all kinds of best-practices rules.

-fwguru

On 4/18/05, Jean-Paul Baillon <[EMAIL PROTECTED]> wrote:
> The client authentication rules, as with all VPN rules, should be placed
> above the stealth rule, as its purpose is to stop rogue connections
> being made to the firewall.
>
> With VPN and Client auth you need to make a connection to the firewall
> in order to proceed.
>
> JP
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Sascha Picchiantano
> Sent: Monday, 18 April 2005 9:59 PM
> To: [email protected]
> Subject: [FW-1] Does a stealth rule disable Client Authentication?
>
> Hi,
>
> we are running NG and use SecurID to authenticate users. This works
> well. However, I implemented a stealth rule (deny traffic to firewall)
> and since then users can't authenticate anymore. I was under the
> impression that authentication stuff is handled by implied rules but
> it looks as if not. Any idea? What do I have to open up so users can
> authenticate?
>
> Oh btw: When users access the Internet with a browser their browser
> title bar shows
> [ip_address_of_firewall]\fwauthredirect_[long_number_probably_cookie]
> and hangs there. This might be related...?
>
> Any suggestions please? :)
>
> Cheers
> Sascha
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an email to
> [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription options,
> email [EMAIL PROTECTED]
> =================================================
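The two ordering problems discussed in this thread (a Client Auth rule placed below the stealth rule, so it never matches, and an ANY-service Accept above the stealth rule whose destination contains the gateway) can be checked mechanically. The following is an added example, not Check Point tooling or anything posted in the thread; the rule, object and group names (FW_Gateway, Internal_Net, RA_Community membership) are constructed.

```python
# Added example: rulebase ordering check for the thread's two concerns; names are constructed.
from dataclasses import dataclass

FIREWALL = "FW_Gateway"          # constructed name for the gateway object
# Constructed group membership: the gateway's internal interface lives in Internal_Net.
GROUPS = {"Internal_Net": {FIREWALL, "LAN_Servers", "LAN_Clients"}}

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str          # "Accept", "Drop" or "Client Auth"
    vpn: str = "Any"     # VPN community column, e.g. "RA_Community"

def covers_firewall(dst: str) -> bool:
    """True if a destination object or group resolves to the gateway itself."""
    return dst == "Any" or dst == FIREWALL or FIREWALL in GROUPS.get(dst, set())

def stealth_index(rules):
    """Index of the first rule that drops all traffic to the gateway, or None."""
    for i, r in enumerate(rules):
        if r.src == "Any" and r.dst == FIREWALL and r.service == "Any" and r.action == "Drop":
            return i
    return None

def lint(rules):
    """Return findings: Client Auth rules hidden below the stealth rule, and Accept
    rules above it that open every port on a destination containing the gateway."""
    findings = []
    s = stealth_index(rules)
    if s is None:
        return ["no stealth rule found"]
    for i, r in enumerate(rules):
        if r.action == "Client Auth" and i > s:
            findings.append(f"{r.name}: Client Auth rule is below the stealth rule and will never match")
        if i < s and r.action == "Accept" and r.service == "Any" and covers_firewall(r.dst):
            findings.append(f"{r.name}: accepts ANY service to a destination containing the gateway, above stealth")
    return findings

# Constructed rulebase reproducing both situations from the thread.
RULES = [
    Rule("vpn_all", "VPN_Users", "Internal_Net", "Any", "Accept", vpn="RA_Community"),
    Rule("stealth", "Any", FIREWALL, "Any", "Drop"),
    Rule("client_auth", "Any", "Internal_Net", "http", "Client Auth"),
    Rule("cleanup", "Any", "Any", "Any", "Drop"),
]
```

Moving the client_auth rule above the stealth rule and narrowing the VPN rule's service column clears both findings.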
