
RE: [FW1] Auto logout of Policy Editor?




Still catching up....

This brings up a nifty and potentially harmful issue.
Just deleting the manage.lock will allow you back
into the GUI, but will also allow rulebase confusion.

No two admins should attempt to use the GUI in
R/W mode - heed the warning, but don't go into
the GUI Read Only IF you're an admin with R/W rights.
Wait until the first admin is finished.

The file objects.C is copied to objects.C.sav when you
run the GUI and log in as a user with R/W rights. If a second
admin who has R/W attempts to log in with the GUI, they
will be notified that someone else is using the GUI and to
either wait or check the Read-Only box.

If they check the Read-Only box and log in, the fw
manager copies the objects.C to objects.C.sav
again! This is the 'feature' that Thomas Poole
mentions in another post (Aliases for Interfaces) and
has existed from almost the beginning.

Let's say the first admin logs in and makes a bunch
of adds and changes to the objects on the manager.
These changes are placed in the objects.C file
immediately. No save needed.

Now, the second admin tries to log in and
sees that the first admin is already using the GUI, so
they decide to check RO box and go into the GUI, thus
creating a new copy of objects.C.sav - now with the
new and/or modified objects.

Then the first admin, after creating or modifying some or
many objects, decides they need to abort without saving.
When they exit, the objects.C.sav is the wrong
version and may include some or all of the new/modified
objects and is written back to the objects.C file.

If the second admin exits before the first, the objects.C.sav
will be deleted. This would disallow the first admin from
backing out any changes they made. The first admin would
also get an error from the GUI ('Not exists' and an OK button).

In either case, the last admin to log out of the GUI will get an
error with the message 'Not exists' and an OK button.
This is the clue that the other admin was there and already
logged out before you and you may have to redo or undo
your work.

If the second admin deletes the manage.lock and then
proceeds into the GUI, they could really mess around
with the objects.C file. Depending on timing, this could
really ruin someone's day (dueling admins and one objects.C).

There are a few combinations of this scenario that could
do some sort of harm. In any case, beware.

>Can manage.lock be deleted while a connection is established?  How about
>having two versions of the rulebase, one that doesn't allow the gui clients
>access, and periodically ATing the restricted one and the real one, combined
>with a manage.lock delete?

Paul, sounds like your suggestion could cause pain
and suffering. I'd avoid this and stick with good policies,
procedures and most importantly, good communications
amongst admins.

As for admins who stay logged in for long periods of time,
just change their priv access to RO or take Paul's
suggestion and find a new one.

Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice:email: [email protected]

>>> "Murphy, Paul" <[email protected]> 10/16/00 5:12:35 AM >>>
>
>If you have an assistant, a *security* assistant, that leaves themselves
>logged into the policy in read/write mode for up to six hours, then I would
>certainly consider getting another one.
>
>Can manage.lock be deleted while a connection is established?  How about
>having two versions of the rulebase, one that doesn't allow the gui clients
>access, and periodically ATing the restricted one and the real one, combined
>with a manage.lock delete?
>
>Paul.
>
>-----Original Message-----
>From: Michael Sleeper [mailto:[email protected]] 
>Sent: 14 October 2000 23:41
>To: 'Tom Sevy'; Check Point FW List (E-mail)
>Subject: RE: [FW1] Auto logout of Policy Editor?
>
>After having this problem in the past, I scheduled a bounce program that
>stops and restarts the FW1 service every 6 hours.  
>  [ using WINAT to run a .bat file that runs the commands "net stop fw1svc ;
>net start fw1svc" ]
>
>This is NOT the perfect solution in that I have been caught trying to edit a
>policy and have had the service bounce on me.  However, it does work should
>my assistant remain logged in from his workstation in read/write mode.  When
>the time is up it will disconnect anyone and allow a fresh connection into
>the firewall in read/write mode.
>
>I would love to hear of a better way.
>
>  Mike
>--------------------------------------------------
>Mike Sleeper      CCSA/CCSE
>Information Technology Dept.
>Augusta-Richmond County Govt.
>http://www.co.richmond.ga.us 
>[email protected] 
>--------------------------------------------------
>-----Original Message-----
>From: Tom Sevy [mailto:[email protected]] 
>Sent: Saturday, October 14, 2000 5:05 PM
>To: Check Point FW List (E-mail)
>Subject: [FW1] Auto logout of Policy Editor?
>
>Does anyone know of a way to automatically logout the Policy editor after an
>Idle timeout?
>
>Any recommendations?  The FW Management Console is pretty hardened, and I do
>not have a way to connect it to kill the connection at this time.  It is an
>NT Mgmt console.
=====================================
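Added example (not code from any poster in this thread): Mike's scheduled bounce kills whoever is in the Policy Editor every six hours, editing or not, and Robert's post shows why a forced disconnect with objects.C.sav in an unknown state is dangerous. The script below is one way to get closer to the idle timeout Tom asked for: on each scheduler tick it looks at the GUI lock file, bounces fw1svc only when that lock has been untouched for longer than a threshold, and copies objects.C to a timestamped backup first so a killed session can still be backed out. Assumptions, all mine and not from the thread: the lock and objects files live under $FWDIR\conf, the manage.lock modification time is a usable proxy for session activity (if the GUI never touches the file after login, this degrades to a maximum session length rather than a true idle timeout), and the service name is the fw1svc quoted by Mike. The backup deliberately goes to a .bak file, never to objects.C.sav, because the GUI owns objects.C.sav and rewrites or deletes it on its own login/logout, exactly as Robert describes.

```python
"""Idle-timeout style bounce for the FW-1 management service (added example).

Run from the scheduler (WINAT / Scheduled Tasks) every N minutes instead of
bouncing blindly every 6 hours. Paths and the lock-mtime heuristic are
assumptions, not documented FW-1 behaviour; check them on your own console.
"""
import os
import shutil
import subprocess
import time

# Assumed locations; adjust to the install on the management console.
FWDIR = os.environ.get("FWDIR", r"C:\WINNT\FW1\4.1")
CONF_DIR = os.path.join(FWDIR, "conf")
LOCK_FILE = os.path.join(CONF_DIR, "manage.lock")     # assumed path
OBJECTS_FILE = os.path.join(CONF_DIR, "objects.C")    # assumed path
SERVICE = "fw1svc"                                    # service name from the thread
IDLE_SECONDS = 60 * 60                                # bounce only after an hour of no activity


def lock_age(lock_path, now=None):
    """Seconds since manage.lock was last written, or None if no GUI session holds it."""
    if not os.path.exists(lock_path):
        return None
    now = time.time() if now is None else now
    return max(0.0, now - os.path.getmtime(lock_path))


def decide(lock_path, idle_seconds, now=None):
    """Return 'no_lock', 'active' or 'idle'.

    Only 'idle' justifies a bounce. An 'active' lock means an admin is
    probably mid-edit, and killing the service would throw their work away,
    which is the failure mode the thread complains about.
    """
    age = lock_age(lock_path, now)
    if age is None:
        return "no_lock"
    return "idle" if age >= idle_seconds else "active"


def backup_objects(objects_path, now=None):
    """Copy objects.C to objects.C.<timestamp>.bak before a forced disconnect.

    Not objects.C.sav: the GUI creates, overwrites and deletes that file
    itself, so anything we put there could be clobbered or written back.
    """
    now = time.time() if now is None else now
    stamp = time.strftime("%Y%m%d-%H%M%S", time.localtime(now))
    dest = "%s.%s.bak" % (objects_path, stamp)
    shutil.copy2(objects_path, dest)
    return dest


def bounce_commands(service):
    """The stop/start pair Mike runs from a .bat, as argv lists for subprocess."""
    return [["net", "stop", service], ["net", "start", service]]


def bounce(service, dry_run=False):
    """Stop and restart the service; with dry_run just return the commands."""
    cmds = bounce_commands(service)
    if not dry_run:
        for cmd in cmds:
            subprocess.check_call(cmd)
    return cmds


def run_once(lock_path=LOCK_FILE, objects_path=OBJECTS_FILE, service=SERVICE,
             idle_seconds=IDLE_SECONDS, dry_run=False, now=None):
    """One scheduler tick. Returns (decision, backup_path_or_None)."""
    decision = decide(lock_path, idle_seconds, now)
    if decision != "idle":
        return decision, None
    backup = None
    if os.path.exists(objects_path):
        backup = backup_objects(objects_path, now)
    bounce(service, dry_run=dry_run)
    return decision, backup


if __name__ == "__main__":
    # dry_run=True prints the decision without touching the service.
    print(run_once(dry_run=True))
```

Schedule it every 10 or 15 minutes with IDLE_SECONDS set to whatever idle limit you want; a tick that finds no lock or a fresh lock does nothing, so a console with nobody logged in is never bounced. The .bak files accumulate and should be pruned, but keeping a few lets you diff objects.C against what it looked like before each forced disconnect.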



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================