[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [FW1] Secure Client and NAT
>Ah-ha! Therein lies the crux of the matter. Indeed, >the information provided in the userc.C file is necessary >for VPN connectivity regardless of vendor. However, you >have just confirmed (perhaps) a weakness in Checkpoint's >implementaion of VPN in contrast to a vendor like Axent >who's technology (as far as I am able to determine) >encrypts the details on the network so that it is not >easily obtained. Also, the Axent product does not >provide as much info (even encrypted) as Checkpoint does. Well all VPN Clients will have to know this: - A routeable address of the VPN Gateway - Which hosts/networks it should encrypt traffic to - Encryption details (keys, schemes etc.) >Specifically I am ! thinking of the implementation of the >VPN server inside the firewalled network with a rule in the >FW rulebase allowing access via a NATed TCP/IP address to >the VPN server from the VPN client. Thus, an encrypted tunnel >will be established from the client on the Internet through >my FW to the VPN server. >This might work using Checkpoint's VPN in a way other than their documentation suggests. Worth a try? I'm not quit sure I completly understand what you are trying to describe here. But the way I normally would have implemented a Client VPN to be "secure". I would design the setup kind of like this: VPN Client | | Firewall | | VPN Gateway | | Firewall | | Internal Network If you let the Firewall control the traffic both before and after the data is encrypted you can control what the clients access on the internal network as well as protect your VPN Gateway. This is kind of one of the advantages you get by using Firewall-1 as a VPN Gateway, but if you don't want to add this service to the Firewall because of security concerns or performance concerns I would reccomend the setup above. As well as using somekind of strong authentication for the clients. As far as I know you're not able to NAT the address of the VPN Gateway when you are using IKE. I think this will brake the integrity check. The only way I would think this would work is if the Encryption/Integrity Mechanism are just applied to the Data inside the packet not the TCP/IP Header as well. And as Simon says: "you could of course use the :encrypt_db (true) option in the :options section to encrypt the userc.c file" It is possible to encrypt the transfer of the userc.C file. /erik ================================================================================ To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html ================================================================================
|