Ok, I apologize for being a little slow, but if I have a rule denying all connections to the firewall such as

Any FW Any Drop
FW Any Any Drop

and then no SecuRemote rules defining a connection, doesn't this provide the same thing? Or do I still need to define a SecuRemote rule directly denying connections to it?

I've disabled control connections, etc... in the interface and defined all rules manually for IKE, firewall management, etc....

thanks everyone...
PDB
Better than I could have explained it myself. Thanks Anil!
-Jeff Hochberg
Hi Patrick,
What it means is that you put a rule so that the SecuRemote users cannot make a connection to the firewall object itself. To elaborate further, the SecuRemote client should be able to make a secure tunnel with VPN-1 and be able to access the objects behind the firewall, but should not be able to access the firewall object itself.
Jeff may like to correct me if my understanding is wrong.
regards
----- Original Message -----
Sent: Wednesday, March 07, 2001 7:00 PM
Subject: RE: [FW1] Secure Client and NAT
Can you give an example of this? I am having trouble understanding why this is necessary if the firewall isn't defined in any of the SecuRemote rules.

"Also, when constructing your Client Encrypt rule, make sure to put the firewall object(s) in the destination field and negate them so that even VPN users can't make a direct connection to the firewall through a SecuRemote session."

thanks!
PDB
No, there is not.

How does this undermine the use of a stealth rule? Disable the "Respond to Unauthenticated Topology Requests" option in Policy->Properties in order to enable SSL authenticated topology downloads to prevent just "anyone" from getting your userc.C file.

Also, when constructing your Client Encrypt rule, make sure to put the firewall object(s) in the destination field and negate them so that even VPN users can't make a direct connection to the firewall through a SecuRemote session.
-Jeff Hochberg
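The point Jeff makes here, and the question in the first message about whether the stealth rules alone are enough, comes down to first-match ordering. The following toy rule-base evaluator is an added example, not Check Point code or anything from the list; it assumes the Client Encrypt rule sits above the stealth rules and uses constructed object names and addresses (FW, Internal_Net, a SecuRemote_Users address pool) to show that negating the firewall object in the destination field is what lets client-to-firewall traffic fall through to the stealth rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

# Constructed network objects; addresses are placeholders, not real hosts.
OBJECTS = {
    "FW": [ip_network("111.111.111.111/32")],        # firewall external interface
    "Internal_Net": [ip_network("10.0.0.0/8")],      # hosts behind the firewall
    "SecuRemote_Users": [ip_network("203.0.113.0/24")],  # assumed client pool
}

@dataclass
class Rule:
    name: str
    src: str                 # object name or ANY
    dst: str                 # object name or ANY
    action: str              # "Client Encrypt", "Drop", ...
    negate_dst: bool = False # the "negate" setting on the destination cell

def _in_object(obj, ip):
    return obj == ANY or any(ip in net for net in OBJECTS[obj])

def _matches(rule, src_ip, dst_ip):
    dst_hit = _in_object(rule.dst, dst_ip)
    if rule.negate_dst:          # negated cell matches everything BUT the object
        dst_hit = not dst_hit
    return _in_object(rule.src, src_ip) and dst_hit

def evaluate(rulebase, src, dst):
    """First-match evaluation; unmatched traffic hits the implicit drop."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in rulebase:
        if _matches(rule, src_ip, dst_ip):
            return rule.name, rule.action
    return "Implicit", "Drop"

STEALTH = [Rule("Stealth in", ANY, "FW", "Drop"),
           Rule("Stealth out", "FW", ANY, "Drop")]

# Client Encrypt rule with destination Any, placed above the stealth rules:
WEAK = [Rule("Client Encrypt", "SecuRemote_Users", ANY, "Client Encrypt")] + STEALTH
# Same rule with the firewall object negated in the destination field:
HARDENED = [Rule("Client Encrypt", "SecuRemote_Users", "FW", "Client Encrypt",
                 negate_dst=True)] + STEALTH

if __name__ == "__main__":
    client = "203.0.113.5"  # constructed SecuRemote client address
    for label, rb in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "client -> FW  :", evaluate(rb, client, "111.111.111.111"))
        print(label, "client -> host:", evaluate(rb, client, "10.1.2.3"))
```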
Hello.
Does anyone know if it's possible to use a NAT'ed address of the firewall's external interface as the point of connect in the SecuRemote Client? In other words, say the external interface of my firewall is publicly addressable: 111.111.111.111, and I plan on giving it a NAT'ed address of 222.222.222.222 to be used by my clients for topology updates and VPN connections. Is this possible?

The reason I want to do this is because the file userc.C, which is located on the client, contains (in clear text) several firewall and network details that undermine the use of a Stealth Rule, and thus compromises my security policy.

Any advice would be appreciated.
Regards,
R.