From the looks of this, the batch file runs continuously, which might let it
bypass the SCV 15-second recheck.
OK, now for my enhancement request for the umpteenth time, but this time in
a different venue.
"The local .scv file is in clear text. Please give us an option to scramble
it on the disk, like we can do for the topology part of userc.c. I do not
want my users seeing what I am checking for."
The answer I received is that the file is digitally signed, so it cannot be
modified even though people can read it. I think it's time to make it
unreadable when it is on the client.
Ray
------------------------------------------------------------------
From : Viktor Steinmann <[EMAIL PROTECTED]>
Sent : Wednesday, December 7, 2005 11:54 AM
To : [email protected]
Subject : [Full-disclosure] Checkpoint SecureClient NGX Security Policy can easily be disabled
Situation: Employees should be allowed to access your company network
from remote by VPN. You want to make sure that only the hardware of your
own company is allowed to access the network on the VPN. This is because
your company hardware uses a hardened operating system (personal
firewall, virus scanner etc.) and you want to make sure that no
viruses/trojans etc. are transported into your company network by the
VPN from badly configured hardware and/or home networks of your
employees.
Solution: Checkpoint SecureClient enforces a policy on the VPN Client,
which you can define on the VPN Endpoint you log on to (the firewall).
Furthermore SecureClient includes a personal firewall, which protects
the VPN Client from the network around him. Every time the VPN Client
opens the VPN tunnel, the policy is updated, so you can be sure that
your policy is the latest one. In the above situation, you would create
a policy which checks several parameters to ensure the workstation is
one of yours, e.g. check the windows serial number, check a specific
process which must be running, you could even check the CPUID.
Checkpoint's datasheet
(http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
says:
"VPN-1 SecureClient strengthens enterprise security by ensuring client
machines cannot be configured to circumvent the enterprise security
policy."
So far, so good.
Now we've found a way to disable that security policy very easily (a 3
line batch is all it needs). This means that people who have a login to
your VPN site can use whatever hardware they like. No security policy is
enforced, no personal firewall is running - but the VPN part works.
And now to the sugar part: The Procedure that makes it work:
Step a) Download SecureClient from the Checkpoint Website
Step b) Install SecureClient
Step c) Connect to the VPN Endpoint (which will download the policy)
Step d) Copy the downloaded policy (local.scv) to a different name
        (e.g. x.scv)
Step e) Shutdown SecureClient
Step f) Create a Batch-File, that looks like this:
            :Loop
            copy x.scv local.scv
            goto Loop
Step g) Edit x.scv to suit your needs (so you fulfill the policy)
Step h) Run your batch
Step i) Start SecureClient
Step j) Connect to the VPN Endpoint and be surprised, that this stupid
        trick works...
Cheers,
Viktor
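
For defenders, an added example that is not part of the original messages: a sliding-window check that flags any process rewriting local.scv more often than the SCV recheck interval would explain. The event tuple format, the threshold, and the "<client-process>" and "<install-dir>" placeholders are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque

RECHECK_SECONDS = 15  # SCV recheck interval mentioned in the thread
MAX_WRITES = 3        # assumed tolerance: policy writes per interval

# Constructed sample events: (seconds, writing process, file path).
# The event format, "<client-process>" and "<install-dir>" are placeholders.
POLICY = r"<install-dir>\local.scv"
SAMPLE_EVENTS = (
    [(0.0, "<client-process>", POLICY)]                       # policy download
    + [(20 + i * 0.5, "cmd.exe", POLICY) for i in range(20)]  # copy loop
    + [(21.0, "cmd.exe", r"<install-dir>\other.log")]         # unrelated file
)


def find_overwrite_bursts(events, watched="local.scv",
                          window=RECHECK_SECONDS, max_writes=MAX_WRITES):
    """Return {process: peak writes to `watched` within any `window` seconds}
    for every process that exceeded `max_writes`."""
    recent = defaultdict(deque)  # process -> timestamps of recent writes
    peaks = {}
    for ts, proc, path in sorted(events):
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name != watched:
            continue
        q = recent[proc]
        q.append(ts)
        while ts - q[0] > window:  # drop writes older than the window
            q.popleft()
        if len(q) > max_writes:
            peaks[proc] = max(peaks.get(proc, 0), len(q))
    return peaks


if __name__ == "__main__":
    for proc, count in find_overwrite_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: {count} writes to local.scv within {RECHECK_SECONDS}s")
```

The check keys on write rate rather than file content, since the replaced file in the procedure above is a deliberately edited copy.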