| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FW1] re: work/home laptop, securemote client
Problem:
Given a SecuRemote userc.C file which defines the
following:
:topology (
: (
:name (ExampleCom.fw1)
:type (gateway)
:ipaddr (169.254.1.1)
:ipmask (255.255.255.255)
)
: (
:name (ExampleCom.fw1)
:type (gateway)
:ipaddr (10.1.0.1)
:ipmask (255.255.255.255)
)
: (
:name (ExampleCom.Net-10-0-0-0)
:type (network)
:ipaddr (10.0.0.0)
:ipmask (255.0.0.0)
)
: (
:name (ExampleCom.Net-192-168-0-0)
:type (network)
:ipaddr (192.168.0.0)
:ipmask (255.255.0.0)
)
)
...
:dns_servers (
: (dns1.fw1
:obj (
: (10.1.2.11)
)
:topology (
: (
:ipaddr (10.0.0.0)
:ipmask (255.0.0.0)
)
: (
:ipaddr (192.168.0.0)
:ipmask (255.255.0.0)
)
)
:domain (
: (
:dns_label_count (4)
:domain (.example.com)
)
)
)
)
the decision to build a VPN and encrypt traffic is
(apparently) decided based on IP destination and/or
destination domain. So if you have SecuRemote
installed on a laptop, plugged into the *CORPORATE
LAN* on the 10.1.1.0 network, SecuRemote will start up
no matter what (especially if you have SDL enabled),
and normal intranet traffic -- destined for other
10.x.x.x or 192.168.x.x nets or internal example.com
hosts -- will unnecessarily be shoved into the VPN,
sent out of the enterprise and back into
ExampleCom.fw1's external interface (169.254.1.1).
Result: unnecessary taxation of local computer and
firewall.
SecuRemote -- which most of us would have enabled as
service which starts automatically -- apparently
doesn't have any way to know that you're not "remote"
and a VPN is unnecessary. (Checking your local IP
address to see if it falls into any of the nets
defined in your userc.C topology would fix that).
What can be done about it?
Rocky Stefano wrote:
>>
You have a rule that allows a vpn connection to be
intiated from the private network. The vpn network and
encryption domain should only allow connections
from the outside in. That would solve your problem.
<<
True, I have a rule which allows any to initiate VPN
traffic. That "any" would, by definition, include the
private network presently.
But does modification of that rule really solve the
problem, or just prohibit the completion of the VPN
and break the corporate-residing client, resulting in
support calls from users about how the local network
is down and the internet is broken?
Robert MacDonald wrote:
>>
SecureRemote, when setup properly, will function very
well and never needs to be killed. Is your encryption
domain setup correctly? This should encompass the
networks inside of your private network. This way,
when SecureRemote detects that you have local
connectivity, it will just ignore all requests and
allow traffic to pass as local traffic.
<<
I believe I have the encryption domain set up
properly, and the topology() statements above, in each
user's userc.C define only the internal networks.
My Logview would dispute that SecuRemote can detect
that you're in the same network as the "encryption
domain." I see VPN connections from
internally-residing SecuRemote machines all the time.
Only manually killing SecuRemote will stop this and
allow the machine to function sans VPN on the local
LAN.
Robert MacDonald continued:
>>
When SecureRemote detects traffic bound for your
encryption domain and it does not have a local
connection, SR will spring to life.
<<
I have SecuRemote starting as a service, under WinNT
and SDL is enabled so that users can go home, boot up,
and "log into the domain" as though at work.
It appears to me that SecuRemote doesn't know or care
whether you're local to the encryption domain or not.
Robert MacDonald continued:
>>
A problem that occur often is, the system in question
has an IP address in the encryption domain while
remote. If this happens then SR will think it's still
local.
<<
I have just the opposite problem. SecuRemote is
installed on a laptop that often is remote (static IP,
residing on a home DSL net for instance). But when
the laptop is brought in house, DHCP configured, given
an IP on the corporate LAN -- which is also in the
encryption domain -- SecuRemote still creates a VPN
because the destination of the user's traffic is in
the encryption domain.
Robert MacDonald continued:
>>
Do you have different setups for these users at home
vs work or are these machines equipped with a docking
station at work and a PCMCIA at home?
<<
Built-in ethernet card -- plug in local LAN or plug in
DSL/Internet. Users are manually reconfiguring
Network settings when home for a public, static IP.
Manually reconfiguring for an RFC 1918 private, DHCP
address when at work.
Matt Bruce confirmed he has the same problem:
>>
As you mention, I just Kill my client whenever I'm in
the office.
<<
Gijs Wuyts wrote:
>>
How about Nt's Boot profiles ?
<<
I am not a Windows person per se; I'm not familiar
with NT boot profiles nor do I know if they would
solve this or the problem of corporate users going
home to a static IP environment or coming to work in a
DHCP environment and needing to seemlessly switch
between the two.
I'm hoping someone who is more familiar with NT boot
profiles could verify that.
Michael Haller wrote:
>>
Can you use NT startup profiles for this?
You could create a remote and office profile.
You users will still need to choose the correct
profile at system startup but it shouldn't be
too hard.
<<
The startup profile would address the DHCP/static IP
problem. Can you suggest a resource to find out more
about this? Microsoft's site is not especially
helpful despite the pages of irrelevant search results
it returns.
Thanks for all your help and suggestions with this.
__________________________________________________
Do You Yahoo!?
Yahoo! Shopping - Thousands of Stores. Millions of Products.
http://shopping.yahoo.com/
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
|
|
