Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Secure Client and NAT

To: [email protected], [email protected]
Subject: RE: [FW1] Secure Client and NAT
From: [email protected]
Date: Wed, 7 Mar 2001 20:40:41 +0100
Sender: [email protected]



>Ah-ha!  Therein lies the crux of the matter.  Indeed, 
>the information provided in the userc.C file is necessary 
>for VPN connectivity regardless of vendor. However, you 
>have just confirmed (perhaps) a weakness in Checkpoint's 
>implementaion of VPN in contrast to a vendor like Axent 
>who's technology (as far as I am able to determine) 
>encrypts the details on the network so that it is not 
>easily obtained.  Also, the Axent product does not 
>provide as much info (even encrypted) as Checkpoint does.  

Well all VPN Clients will have to know this:

- A routeable address of the VPN Gateway
- Which hosts/networks it should encrypt traffic to
- Encryption details (keys, schemes etc.)

>Specifically I am ! thinking of the implementation of the 
>VPN server inside the firewalled network with a rule in the 
>FW rulebase allowing access via a NATed TCP/IP address to 
>the VPN server from the VPN client.  Thus, an encrypted tunnel 
>will be established from the client on the Internet through 
>my FW to the VPN server. 

>This might work using Checkpoint's VPN in a way other than their
documentation suggests.  Worth a try?


I'm not quit sure I completly understand what you are trying to describe
here. But the way I normally would have implemented a Client VPN to be
"secure". I would design the setup kind of like this:


  VPN Client
      |
      |
  Firewall
      |
      |
  VPN Gateway
      |
      |
  Firewall
      |
      |
  Internal Network

If you let the Firewall control the traffic both before and after the data
is encrypted you can control what the clients access on the internal network
as well as protect your VPN Gateway. This is kind of one of the advantages
you get by using Firewall-1 as a VPN Gateway, but if you don't want to add
this service to the Firewall because of security concerns or performance
concerns I would reccomend the setup above. As well as using somekind of
strong authentication for the clients. 

As far as I know you're not able to NAT the address of the VPN Gateway when
you are using IKE. I think this will brake the integrity check. The only way
I would think this would work is if the Encryption/Integrity Mechanism are
just applied to the Data inside the packet not the TCP/IP Header as well. 

And as Simon says:

"you could of course use the :encrypt_db (true) option in the :options
section to encrypt the userc.c file"

It is possible to encrypt the transfer of the userc.C file.



/erik


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Prev by Date: RE: [FW1]number connections allowed
Next by Date: [FW1] fw1: site to site vpn
Previous by thread: RE: [FW1] Secure Client and NAT
Next by thread: RE: [FW1] Secure Client and NAT
Index(es):
- Date
- Thread