-cpguru, A little paranoid, I guess. I am probably most paranoid of the disgruntled employee that has some skillz.
All I'm really trying to say in my last post is this: If internal, authorized, non-encrypted users are blocked from reaching the firewall by the stealth rule, why would that not apply to VPN users as well?

-fwguru

On 4/19/05, Jean-Paul Baillon <[EMAIL PROTECTED]> wrote:
> True but how paranoid are you in the case of Authenticated (trusted)
> users?
>
> -cpguru
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of fwguru
> Sent: Tuesday, 19 April 2005 12:42 PM
> To: [email protected]
> Subject: Re: [FW-1] Does a stealth rule disable Client Authentication?
>
> Presuming that your intention is to NOT allow authenticated VPN clients
> direct access to the firewall, on Simplified Mode Policies explicit VPN
> rules CAN be below the Stealth Rule. The actual VPN control connections
> to the firewall are implied. VPN-client access-control is a layer of
> security unrelated to VPN technology (such as key exchanges).
>
> Non-transparent authentication rules (the ones with Client-Auth as the
> Action) must be above the Stealth Rule. In fact, the only instance that
> users *should* knowingly and explicitly connect to the firewall directly
> is when Client-Auth is configured. That's it. I cannot think of other
> reasons why to allow your general population to willfully and explicitly
> connect to the firewall.
>
> Consider this: If you have a VPN rule above the Stealth Rule that says:
>
> [EMAIL PROTECTED] | Internal_Net | via RA_Community | ANY Service | Accept
>
> .....wouldn't that leave the FW's internal interface open to all ports
> from authenticated VPN users? If so, that would break all kinds of
> best-practices rules.
>
> -fwguru
>
> On 4/18/05, Jean-Paul Baillon <[EMAIL PROTECTED]> wrote:
> > The client authentication rules as with all VPN rules should be placed
> > above the stealth rule as its purpose is to stop rogue connections
> > being made to the firewall
> >
> > With VPN and Client auth you need to make a connection to the firewall
> > in order to proceed
> >
> >
> > JP
> >
> > -----Original Message-----
> > From: Mailing list for discussion of Firewall-1
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > Sascha Picchiantano
> > Sent: Monday, 18 April 2005 9:59 PM
> > To: [email protected]
> > Subject: [FW-1] Does a stealth rule disable Client Authentication?
> >
> > Hi,
> >
> > we are running NG and use SecurID to authenticate users. This works
> > well. However, I implemented a stealth rule (deny traffic to firewall)
> > and since then users can't authenticate anymore. I was under the
> > impression that authentication stuff is handled by implied rules but
> > it looks as if not. Any idea? What do I have to open up so users can
> > authenticate?
> >
> > Oh btw: When users access the Internet with a browser their browser
> > title bar shows
> > [ip_address_of_firewall]\fwauthredirect_[long_number_probably_cookie]
> > and hangs there. This might be related...?
> >
> > Any suggestions please? :)
> >
> > Cheers
> > Sascha
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages, send an email to
> > [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription options,
> > email [EMAIL PROTECTED]
> > =================================================
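To make the rule-ordering argument in this thread concrete, here is an added example that is not from the thread and not Check Point's own code. It evaluates a few constructed packets against ordered rulebases with first-match semantics. The topology is an assumption: a gateway with 203.0.113.1 outside and 10.0.0.1 inside, Internal_Net = 10.0.0.0/24 (which therefore contains the gateway's internal interface), and 192.168.100.0/24 as a remote-access address pool standing in for the redacted source column of fwguru's VPN rule. Client Authentication is modelled as the two listeners FW1_clntauth_telnet (TCP 259) and FW1_clntauth_http (TCP 900). Implied rules are not simulated, so the VPN control connections that fwguru says are implied are outside this model; only the explicit rules the thread argues about are evaluated.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: every address here is an assumption for illustration.
FW_EXTERNAL = ipaddress.ip_address("203.0.113.1")
FW_INTERNAL = ipaddress.ip_address("10.0.0.1")
FIREWALL = {FW_EXTERNAL, FW_INTERNAL}                  # the gateway object
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")     # note: contains FW_INTERNAL
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")    # assumed address pool for remote-access users

# Client Authentication listeners on the gateway: FW1_clntauth_telnet (TCP 259)
# and FW1_clntauth_http (TCP 900).
CLIENT_AUTH_PORTS = {259, 900}

ANY = None  # wildcard for a source, destination or service column


@dataclass
class Rule:
    name: str
    src: object     # ANY, an ip_network, or a set of ip_address objects
    dst: object
    ports: object   # ANY or a set of TCP ports
    action: str     # "Accept", "Drop" or "Client Auth"


def _addr_matches(column, addr):
    if column is ANY:
        return True
    return addr in column          # works for both an ip_network and a set of hosts


def _port_matches(column, port):
    return column is ANY or port in column


def decide(rulebase, src, dst, port):
    """Return (rule name, action) of the first rule that matches the packet.
    Only explicit rules are modelled; implied rules are not simulated, and a
    packet that matches nothing falls through to the implicit cleanup drop."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rulebase:
        if (_addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)
                and _port_matches(rule.ports, port)):
            return rule.name, rule.action
    return "implicit cleanup", "Drop"


STEALTH = Rule("Stealth", ANY, FIREWALL, ANY, "Drop")
CLIENT_AUTH = Rule("Client Auth", INTERNAL_NET, FIREWALL, CLIENT_AUTH_PORTS, "Client Auth")
VPN_TO_INTERNAL = Rule("VPN users -> Internal_Net", VPN_POOL, INTERNAL_NET, ANY, "Accept")
CLEANUP = Rule("Cleanup", ANY, ANY, ANY, "Drop")


def stealth_above_client_auth():
    """Sascha's ordering: the auth connection to the gateway is dropped by
    Stealth before the Client Auth rule is ever consulted."""
    return [STEALTH, CLIENT_AUTH, CLEANUP]


def client_auth_above_stealth():
    """fwguru's ordering: only the two auth listeners on the gateway are
    reachable from Internal_Net; everything else to the gateway is dropped."""
    return [CLIENT_AUTH, STEALTH, CLEANUP]


def vpn_rule_above_stealth():
    """JP's ordering for VPN rules. Because Internal_Net contains the
    gateway's internal interface, this also opens every port on that
    interface to VPN users, which is fwguru's objection."""
    return [VPN_TO_INTERNAL, STEALTH, CLEANUP]


def vpn_rule_below_stealth():
    """VPN rule below Stealth: internal hosts stay reachable over the VPN,
    the gateway's internal interface does not."""
    return [STEALTH, VPN_TO_INTERNAL, CLEANUP]


if __name__ == "__main__":
    cases = [
        ("stealth above client auth", stealth_above_client_auth(), "10.0.0.50", "10.0.0.1", 900),
        ("client auth above stealth", client_auth_above_stealth(), "10.0.0.50", "10.0.0.1", 900),
        ("client auth above stealth", client_auth_above_stealth(), "10.0.0.50", "10.0.0.1", 22),
        ("VPN rule above stealth",    vpn_rule_above_stealth(),    "192.168.100.5", "10.0.0.1", 22),
        ("VPN rule below stealth",    vpn_rule_below_stealth(),    "192.168.100.5", "10.0.0.1", 22),
        ("VPN rule below stealth",    vpn_rule_below_stealth(),    "192.168.100.5", "10.0.0.20", 445),
    ]
    for label, rulebase, src, dst, port in cases:
        name, action = decide(rulebase, src, dst, port)
        print(f"{label:27} {src:>14} -> {dst}:{port:<4} {action:12} ({name})")
```

Running it shows the two points the thread is making: moving the Client Auth rule above Stealth lets the TCP 259/900 connection through while every other port on the gateway stays dropped, and a VPN rule whose destination network contains the gateway's internal address exposes that interface on all ports as soon as it sits above Stealth, while the same rule below Stealth still reaches the internal hosts. The check worth doing on a real rulebase is the one the model makes explicit: whether any network object in the destination column of a rule above Stealth contains one of the gateway's own interface addresses.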
