RE: [FW1] SecureRemote
Probably better late than never ... much catching up to do.

I also do this with my users with SecureClient. There are several advantages, disadvantages and caveats that I see.

Advantages
==========
1. More secure - can prevent Internet connected users from bypassing the core network anti-virus and content rules.
2. Same rules in the office as out on the road.
3. No ability for the bad guys to use my remote workstations for attacking my network.
4. Same proxy logs of who's going where.

Disadvantages
==============
- Sucks more bandwidth - data from the user, through the firewall, content scanners and back out again.
- Higher load on the firewalls.
- Can't handle things like outbound unencrypted traffic that is not proxyable - eg Telnet, SSL, etc - this will bite me in the future (but not a problem for today :-> ).

Caveats
=======
- SecureClient's gradients on security are lousy, eg outbound, all ports open, and encrypted only are the only two useful ones if you want any form of security/usability. It looks like the same engine if you compare process names and event log entries etc, so ... why can't it download the SAME security policy to the remote nodes -- after all a policy is a policy and the weakest link is the one that breaks.
- You have to use NAT pools if you have multiple gateways or traffic goes in one firewall and out the other, which makes things break.
- ICMP doesn't work properly if you allow outbound ICMP only -- that is, the firewall drops the outbound after it's un-NATted the reply packet. This is a known CP issue and I'm waiting for a fix in SP3 (I hope ...).

Hope this helps.

Cheers
Tim

-----Original Message-----
From: WEIZENECKER, Robert, GCM [mailto:[email protected]]
Sent: 07 November 2000 20:38
To: [email protected]
Subject: [FW1] SecureRemote

Is it possible to set up SecureRemote so clients can only connect to the Firewall \ VPN and browse the internet through the firewall (effectively disabling split-tunnel as referred to on other VPN devices)?

I would like to force all traffic from the client to the VPN then back out to the internet.

Thanks in advance for your help.

Rob Weizenecker

============================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
============================================================================
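Whether a client really is in the mode this thread is about (everything forced back through the firewall, no split tunnel) can be verified from the client's own routing table rather than trusted from the policy. The following is an added example, not code from the thread, from Check Point or from SecureClient: it parses a constructed four-column routing table (destination, netmask, gateway, interface, in the style of the columns Windows `route print` shows), and reports every route that would let Internet-bound traffic leave the host on an interface other than the VPN adapter. The VPN interface address `10.8.0.6`, the VPN gateway address `203.0.113.10` and both sample tables are assumed values made up for the example; the host route to the gateway itself is deliberately excluded, because the encrypted traffic has to reach the gateway outside the tunnel.

```python
"""Split-tunnel check for a VPN client's IPv4 routing table.

Added example (not from the mailing-list thread or from Check Point).
A host with no reported bypass routes and a default route on the VPN
interface is in full-tunnel mode; every reported route is a path around
the firewall's anti-virus, content and logging controls.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Destinations that legitimately stay off the tunnel: RFC 1918 space,
# link-local, loopback, multicast and the limited broadcast address.
LOCAL_SCOPES = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4", "255.255.255.255/32",
)]

# Constructed sample tables (assumed values, not captured from a real host).
FULL_TUNNEL_SAMPLE = """
0.0.0.0        0.0.0.0          10.8.0.1      10.8.0.6
10.8.0.0       255.255.255.0    0.0.0.0       10.8.0.6
127.0.0.0      255.0.0.0        127.0.0.1     127.0.0.1
192.168.1.0    255.255.255.0    0.0.0.0       192.168.1.23
203.0.113.10   255.255.255.255  192.168.1.1   192.168.1.23
"""

SPLIT_TUNNEL_SAMPLE = """
0.0.0.0        0.0.0.0          192.168.1.1   192.168.1.23
10.0.0.0       255.0.0.0        10.8.0.1      10.8.0.6
127.0.0.0      255.0.0.0        127.0.0.1     127.0.0.1
192.168.1.0    255.255.255.0    0.0.0.0       192.168.1.23
203.0.113.10   255.255.255.255  192.168.1.1   192.168.1.23
"""

VPN_IF = "10.8.0.6"          # assumed address of the VPN adapter
VPN_GATEWAY = "203.0.113.10"  # assumed public address of the VPN gateway


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: str
    iface: str  # interface address, as "route print" lists it


def parse_routes(table: str) -> List[Route]:
    """Parse 'destination netmask gateway interface' rows; skip anything else."""
    routes = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header or malformed row
        dest, mask, gateway, iface = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gateway, iface))
    return routes


def find_bypass_routes(routes: List[Route], vpn_if: str, vpn_gateway: str) -> List[str]:
    """Return routes that carry non-local traffic off the VPN interface."""
    gw_host = ipaddress.IPv4Network(f"{vpn_gateway}/32")
    bypass = []
    for r in routes:
        if r.iface == vpn_if:
            continue  # on the tunnel: this is what we want
        if r.dest == gw_host:
            continue  # the encrypted traffic itself must reach the gateway directly
        if any(r.dest.subnet_of(scope) for scope in LOCAL_SCOPES):
            continue  # local segment, loopback, multicast: never Internet-bound
        bypass.append(f"{r.dest} via {r.gateway} on {r.iface}")
    return bypass


def tunnel_mode(table: str, vpn_if: str, vpn_gateway: str) -> str:
    """Classify the table as 'full', 'split' or 'no-vpn-default'."""
    routes = parse_routes(table)
    if find_bypass_routes(routes, vpn_if, vpn_gateway):
        return "split"
    if not any(r.dest.prefixlen == 0 and r.iface == vpn_if for r in routes):
        return "no-vpn-default"  # nothing bypasses, but nothing forces the tunnel either
    return "full"


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL_SAMPLE), ("split", SPLIT_TUNNEL_SAMPLE)):
        print(name, "->", tunnel_mode(table, VPN_IF, VPN_GATEWAY))
        for route in find_bypass_routes(parse_routes(table), VPN_IF, VPN_GATEWAY):
            print("  bypass:", route)
```

Fed the output of the real routing table command instead of the constructed samples, the same functions make a quick compliance check for a fleet of clients; a reported bypass is exactly the condition the thread wants to rule out.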