
RE: [FW1] user rule



Actually, Camille never once mentioned having a licensed encryption module
with her FW or the consolidated VPN-1 module.  Without that, SecureRemote or
any Macintosh IPSEC-compliant client won't do much good at all.

Camille--  Do you have encryption on your FW so you can set up a VPN tunnel,
or are you just looking to punch a hole through for one user coming in the
clear?

Chris 

-----Original Message-----
From: Sprouse, Ben
To: 'Vincent, Mike'; ''Camille Edge' ';
'[email protected] '
Sent: 2/6/01 9:04 AM
Subject: RE: [FW1] user rule

I would agree.... SecuRemote currently is only available as a Win client
app.


-----Original Message----- 
From: Vincent, Mike [mailto:[email protected]]
Sent: Tuesday, February 06, 2001 8:43 AM
To: 'Camille Edge'; [email protected]
Subject: RE: [FW1] user rule


I know you said you did not want a third-party product, but you could have
the user run an IPSEC client on his Macintosh and set up a shared secret
VPN.  You would have to allow all possible addresses in his DHCP scope in
your VPN rule.  That would at least add authentication and encryption.
If I remember correctly, www.netlock.com and www.nia.com offer IPSEC clients
for Macintosh.

Mike 


-----Original Message----- 
From: Sprouse, Ben 
To: 'Camille Edge'; [email protected] 
Sent: 2/6/01 7:52 AM 
Subject: RE: [FW1] user rule 

I would suggest getting this person SecuRemote; it is a part of
FW-1/VPN-1 and available free for download at Check Point's site. You
would need to set up a user authentication object within the policy
database and create a rule similar to the one below:

The user objects you create would need to be set up with the right
encryption (IKE, FWZ). We use IKE since it is the easiest to set up and a
shared secret is all you need for the firewall and the client
authentication.

SecuRemote is free for download, BUT you MUST get a license for it
from your reseller or Check Point. The license is free, but it is
REQUIRED for SR.

SecuRemote User objects (or a group) --> Allowed destination --> Allowed
Services or Groups access to --> Client Encrypt

This rule is pretty plain, but it works. You can restrict the SR
users to certain networks or server objects if you want to further lock
down their access. I am curious as to why they cannot get a static IP
though... oh well, I hope this answers your question...



Regards, 


Benjamin Sprouse 
Senior Network Architect 
eMarketWorld.com, Inc. 
700 E. Franklin St. 
Suite 600A-700A 
Richmond, VA. [email protected] 
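The difference between the two rule shapes discussed in this thread (a plain source-range hole versus a user-object rule with Client Encrypt, where only an authenticated SecuRemote or IPSEC client user is let through) can be seen in a small first-match rulebase model. The code below is an added illustration, not from any poster and not Check Point's rule syntax; the addresses, the `camilles_user` object name and the `ssh` service are constructed placeholders.

```python
"""Toy first-match rulebase contrasting a source-range hole with a Client Encrypt rule."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample addresses (RFC 5737 documentation ranges), not from the thread.
ISP_RANGE = ipaddress.ip_network("203.0.113.0/24")       # the user's ISP DHCP pool
INTERNAL_SERVER = ipaddress.ip_network("192.0.2.10/32")  # the host the user needs


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    # User name proven by the client-side authentication (the IKE shared
    # secret in Ben's setup); None means the connection arrived in the clear.
    remote_user: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[ipaddress.IPv4Network, ...]
    destinations: Tuple[ipaddress.IPv4Network, ...]
    services: FrozenSet[str]
    action: str                          # "accept" or "client_encrypt"
    users: FrozenSet[str] = frozenset()  # only consulted for client_encrypt

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        if not any(src in n for n in self.sources):
            return False
        if not any(dst in n for n in self.destinations):
            return False
        if pkt.service not in self.services:
            return False
        if self.action == "client_encrypt":
            # Client Encrypt only fires for an authenticated user object.
            return pkt.remote_user is not None and pkt.remote_user in self.users
        return True


def evaluate(rulebase, pkt: Packet) -> str:
    """First-match evaluation with an implicit final drop."""
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# Rule style 1: punch a hole for the whole ISP range (what Camille wants to avoid).
IP_ONLY_RULEBASE = (
    Rule("isp-range-hole", (ISP_RANGE,), (INTERNAL_SERVER,),
         frozenset({"ssh"}), "accept"),
)

# Rule style 2: Ben's shape, user objects -> destination -> services -> Client Encrypt,
# with the source still limited to the DHCP scope as Mike suggests.
CLIENT_ENCRYPT_RULEBASE = (
    Rule("sr-users", (ISP_RANGE,), (INTERNAL_SERVER,), frozenset({"ssh"}),
         "client_encrypt", users=frozenset({"camilles_user"})),
)


def compare(src_ip: str, remote_user: Optional[str]):
    """Return (ip-only verdict, client-encrypt verdict) for one connection."""
    pkt = Packet(src_ip, "192.0.2.10", "ssh", remote_user)
    return evaluate(IP_ONLY_RULEBASE, pkt), evaluate(CLIENT_ENCRYPT_RULEBASE, pkt)


if __name__ == "__main__":
    # Some other ISP customer, unauthenticated: the hole lets them in.
    print(compare("203.0.113.77", None))             # ('accept', 'drop')
    # The intended user, authenticated by the client.
    print(compare("203.0.113.77", "camilles_user"))  # ('accept', 'client_encrypt')
    # Right user object but outside the ISP pool: source check still drops.
    print(compare("198.51.100.5", "camilles_user"))  # ('drop', 'drop')
```

The point the model makes is the one Camille raised: with only a source-network match, every address in the ISP pool is admitted, whereas tying the rule to a user object means an unauthenticated neighbour in the same pool falls through to the implicit drop.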

-----Original Message----- 
From: Camille Edge [mailto:[email protected]]
Sent: Monday, February 05, 2001 10:48 PM
To: [email protected]
Subject: [FW1] user rule


Hi all 

I have a question that I didn't find an answer to already, and I've
searched the archives here, phoneboy and Check Point's websites.  If
it is out there I apologize, but any help you could give I would
appreciate.

I want to set up a rule to allow an external user access inside my
firewall.  The user does not always have a static IP address when
they are online and cannot get one from their ISP.  However, I know
the IP range the user would be coming from.  I don't want to give
access to other users from that ISP, only this one person.  How do I
do this?  I figured I must use some sort of user-specific
authentication, but I'm not sure what.  Currently I don't have
anything set up and really don't want to have to get a third-party
product such as SecurID for just one user.  That just wouldn't be
cost effective.  The user has a Mac, so I don't think that the
SecuRemote client would work since it doesn't support Macs from what I
can tell.

How would I write the rule and what objects would I need to create? 
Thanks 

cee 


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================









   All contents © 2004 Network Presence, LLC. All rights reserved.