
RE: [FW1] AW: securemote and sms client




Actually, the nasty secret here is that the SMS client doesn't require anyone to be logged in to the machine, you just have to have the client binary running.  Take the example of watching someone on SMS remote control while they log out and log back in.  The connection doesn't drop.  This was from my SMS 2.0 admin days about a year ago; don't know if they've changed things since then, but if not,  you should be scared now.  Anyone with the SMS admin tool (SMS's remote.exe binary) anywhere can control any of your client PCs (unless the SMS client is configured to prompt; some users might accept anyway), with the SMS client happily passing everything in cleartext over the internet.  The solution, of course, is to implement client-side protection of some sort (SecureClient, personal firewall, etc.).

Microsoft Technet lists the ports used by the SMS client.

Please post if things have changed.

Dan Hitchcock
CCNA, CCSE, MCSE
Security Analyst
Breakwater Security Associates

dhitchcock (at) breakwatersecurity (dot) com
http://www.breakwatersecurity.com



-----Original Message-----
From: Hartmann, Josef [mailto:[email protected]]
Sent: Tuesday, April 24, 2001 5:42 AM
To: '"Roßmanith, Peter"'; 'Maroney, Patrick @ CSE'
Cc: '[email protected]'
Subject: RE: [FW1] AW: securemote and sms client



Accessing an SR user from within the encryption domain, e.g. with SMS,
requires the user to be logged on. Furthermore, the IP address of the SR user
must be known (this is either an official IP address or one from the
configured IP NAT pool).

Last but not least in order to establish such back connections the rulebase
needs to have an entry for that. Search the CP knowledge base for X11 and
encrypted connections. There's the syntax given for such a rule.

If SecureClient is running on the user's desktop, it mustn't be configured to
allow only outgoing+encrypted, as this blocks back-connections on the client
desktop.


Josef

> -----Original Message-----
> From: "Roßmanith, Peter" [SMTP:[email protected]]
> Sent: Monday, April 23, 2001 1:39 PM
> To:   'Maroney, Patrick  @ CSE'
> Cc:   '[email protected]'
> Subject:      [FW1] AW: securemote and sms client
>
>
> hi pat,
> i don't have secure desktop installed, so i think that the client doesn't
> block an incoming connection.
> my understanding of sr is that at the end of the ip-tunnel the ip of the sr
> client is translated into the internal ip of the fw. the communication with
> the network is then made over this address + port.
> but: how can i find a sr client from the network?
> now i am making some experiments with the ip-pool-nat-tab in the firewall
> properties.
> if i find out interesting things i will inform you.
>
> peter
>
> > -----Original Message-----
> > From:       Maroney, Patrick  @ CSE [SMTP:[email protected]]
> > Sent:       Monday, April 23, 2001 13:10
> > To: '"Roßmanith, Peter"'
> > Subject:    RE: securemote and sms client
> >
> > Peter,
> >
> > The problem is that the desktop policy is probably blocking unsolicited
> > incoming connections to the desktop.  This will "break" a number of things
> > like SMS and Outlook incoming mail updates.
> >
> > If your policy is blocking incoming connections then you need to have the
> > workstation initiate the SMS dialog.  One solution might be to configure
> > the desktop client to connect to the server on startup for database updates
> > and downloads.
> >
> > We are facing the same issues and are playing with things like using a
> > "personal firewall" in conjunction with SecureRemote. If you find a more
> > elegant solution please let me know.
> >
> > Pat
> >
> > -----Original Message-----
> > From: "Roßmanith, Peter" [mailto:[email protected]]
> > Sent: Friday, April 20, 2001 7:28 AM
> > To: [email protected]
> > Subject: securemote and sms client
> >
> >
> > hi world,
> > has anyone experience in managing a securemote pc with sms?
> > how to configure the firewall so that it is possible to get access to the
> > sr-pc from the network?
> >
> > thanks in advance
> > peter
>
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================





 
   All contents © 2004 Network Presence, LLC. All rights reserved.