
Re: [FW1] URI Resource



Using user auth for different groups is tough, but try this.

Your network             ANY              HTTP>Websense Resource   Reject      Long
User Group 1@your net    Yahoo            HTTP                     User Auth   Long
User Group 2@your net    Ebay             HTTP                     User Auth   Long
User Group 3@your net    Dell and Yahoo   HTTP                     User Auth   Long

2 issues:
1)  With user auth you must either define the servers in policy properties,
security servers, or the users will get authenticated for every object.  So
client auth, partially automatic would be better.
2) Using domain names in rules requires that a reverse lookup is
successful.  If any of those domains' reverse lookups fails, access fails.
You can instead define a host object for every IP for those domains, but
those probably will not be problematical for reverse lookups.

I am sending this to the firewall list for their review as well.

----- Original Message -----
From: <[email protected]>
To: "Scott Schindler" <[email protected]>
Sent: Tuesday, November 28, 2000 10:09 AM
Subject: RE: [FW1] URI Resource


> I can use any of the 3.  I do own WebSense, although I don't think I can
> create custom groups in WebSense.
>
> -----Original Message-----
> From: Scott Schindler [mailto:[email protected]]
> Sent: Tuesday, November 28, 2000 11:03 AM
> To: MIS Security Alerts
> Subject: Re: [FW1] URI Resource
>
>
> Are you using UFP, file, or wildcard?
>
> ----- Original Message -----
> From: <[email protected]>
> To: "Scott Schindler" <[email protected]>;
> <[email protected]>
> Sent: Monday, November 27, 2000 10:02 PM
> Subject: RE: [FW1] URI Resource
>
>
> >
> > How would I do that with Multiple Groups?  For instance, Group1 has access
> > to www.yahoo.com and Group2 has access to www.ebay.com and Group3 has access
> > to www.dell.com and www.yahoo.com
> >
> > -----Original Message-----
> > From: Scott Schindler [mailto:[email protected]]
> > Sent: Monday, November 27, 2000 5:37 PM
> > To: MIS Security Alerts; [email protected]
> > Subject: Re: [FW1] URI Resource
> >
> >
> >
> > To be redirected they would have to match the rule.  Since they have not
> > authenticated, they do not match the rule.  After failing they will only be
> > prompted for their logon information again.  If you were using a UFP server,
> > which you have not specified, the first rule would be a reject and the
> > second rule would be an auth.  That way they would get redirected if it was
> > a bad site.
> >
> > You are either using file or wildcard matching or you simply need to change
> > your rules.
> >
> > ----- Original Message -----
> > From: <[email protected]>
> > To: <[email protected]>
> > Sent: Monday, November 27, 2000 2:09 PM
> > Subject: [FW1] URI Resource
> >
> >
> > >
> > > How come when using a URI resource and User Authentication when a user
> > > comes across an "Access Denied" site it keeps prompting for another
> > > user/pass as opposed to redirecting to the web page I specified?  This is
> > > only happening when I use User Auth.
> > >
> > > Rule:
> > >
> > > Src Dest Service Auth Log
> > > All Users@Any Any http->filter User Auth Long
> > >
> > > Cheers,
> > >
> > > Jamie
> > >
> > >
> > >
> > > The information transmitted by the following E-Mail is intended only for
> > > the addressee and may contain confidential and/or privileged material.
> > > Any interception, review, retransmission, dissemination, or other use,
> > > or taking any action upon this information by persons or entities other
> > > than the intended recipient is prohibited by law and may subject them to
> > > criminal or civil liability. If you received this communication in
> > > error, please contact us immediately atext. 3600 and
> > > delete the communication from any computer or network system.
> > >
>


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
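
Added example (not part of the original thread or of any Check Point tooling): a pre-flight check for issue 2 above, listing which addresses behind a site would fail a reverse-lookup match before the domain name is used in a rule. It assumes the match succeeds when an address's PTR name equals the domain or is a host inside it; the sample hostnames and addresses are constructed, and live_forward/live_reverse are the real-resolver variants.

```python
import socket

def ptr_matches(domain, ptr_name):
    """Assumed matching rule: PTR name is the domain or a host inside it."""
    d = domain.lower().strip(".")
    p = ptr_name.lower().strip(".")
    return p == d or p.endswith("." + d)

def audit_domain(domain, hosts, forward, reverse):
    """Return {ip: reason} for each address that would not map back to domain."""
    problems = {}
    for host in hosts:
        for ip in forward(host):
            name = reverse(ip)
            if name is None:
                problems[ip] = "no PTR record"
            elif not ptr_matches(domain, name):
                problems[ip] = "PTR is " + name
    return problems

def live_forward(host):
    """IPv4 addresses for host from the system resolver ([] on failure)."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def live_reverse(ip):
    """PTR name for ip from the system resolver (None on failure)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

# Constructed sample data: documentation address ranges, made-up names.
SAMPLE_A = {"www.shop.example": ["192.0.2.10", "192.0.2.11"],
            "www.portal.example": ["198.51.100.5"]}
SAMPLE_PTR = {"192.0.2.10": "www.shop.example",
              "192.0.2.11": "cache7.cdn.example"}  # 198.51.100.5 has no PTR

def sample_forward(host):
    return SAMPLE_A.get(host, [])

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for dom in ("shop.example", "portal.example"):
        print(dom, audit_domain(dom, ["www." + dom], sample_forward, sample_reverse))
```

Addresses reported by the check are the ones that would need their own host objects, as the reply suggests, instead of relying on the domain name.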



 
   All contents © 2004 Network Presence, LLC. All rights reserved.