RE: [FW1] SunScreen SKIP and Firewall-1

> However when I install a Firewall-1 module on the remote
> management station, SKIP no longer works.

I'm not sure if you're able to get this setup working. If I
understand you correctly the SunScreen management station is
installed on the same machine as the Firewall-1 module. There are a lot
of different things you could try, but I can't guarantee that there
is no conflict between the SunScreen management and the fw-1 module.

> Basically the Firewall-1 inspection module jumps in and
> is dropped by rule 0 logging "Decryption Failure: Source object not
> in database scheme".

My guess is that this is dropped because of the choice under Policy |
Properties to Accept VPN-1 & Firewall-1 Control Connections. Since
Firewall-1 does not know the SunScreen firewall as a known SKIP
Gateway it will discard the packets based on the Firewall-1 internal
rules. It could also be that the Enable Decryption on Accept
interferes with this somehow, but I never managed to get good
documentation on what this choice actually does (my guess is that
this is used by the Implied Rules, which are the only encryption rules
that would actually be defined with Accept instead of Encrypt or
Client Encrypt).

What I would try to do in your situation is:

1. Define the Control Connections in the Rulebase instead of in
Policy Properties. If you use FWZ encryption this might not work, but
everything else should be possible to define in the rulebase.
Remember to open the communication between your management station and
the Firewall-1 module AND the communication between the GUI clients and
the management station. After that disable the Control Connections
and install the rulebase.

2. Try to disable the Enable Decryption on Accept.

3. If nothing else works you could try to change the direction where
the gateway rules are applied. In a default setup this setting is
Eitherbound, which would cause all packets to be inspected when they
enter the gateway and when they leave the gateway. You also have two
other choices, Inbound and Outbound. They give you the option to
choose one of the above (and if performance is a concern you might not
want "double" inspection). Normally Inbound should be enough, because
then all packets entering the gateway will be inspected and the only
packets not inspected are packets originating on the gateway itself,
which in most circumstances is trusted communication.
   In your case you could consider using the Outbound choice, which
will cause the Firewall only to inspect packets leaving the gateway.
All communication that is terminated within the Firewall should not
be inspected. As long as you don't use any encryption with Firewall-1
(IKE or SKIP) that interferes with the SKIP encryption of the
SunScreen setup, this should work. BUT REMEMBER THAT THIS LEAVES YOUR
FIREWALL WITHOUT ANY FIREWALL PROTECTION. If you have a "secure"
installation with only securely authenticated services this might be
enough. This depends on your Security Policy.


> Because it's dropped by rule 0, adding rules to the rule base
> to try and let this through has no effect.

....if you disable the rule 0 rules, the rulebase would be enough.

> I had two thoughts:
> 
> 1) Stop Firewall-1 being active on the interface with SKIP on -
> everything I've read suggests that Firewall cannot be selectively
> installed on interfaces.

It is actually possible to choose which interface the policy is
installed on. What you could do in the GUI is to disable the Security
Policy from being installed on some interfaces. The Anti-Spoofing
choice of the Firewall-1 Gateway Object in the GUI has the choice of
"No Security Policy!". By choosing this you disable the interface for
Rulebase Inspection.

You could also use the command line utility to install the policy. In
the utility you can choose which interfaces to install the policy on.

> 2) Disable SunScreen SKIP on the remote management station and get
> the SunScreen Firewall to exchange SKIP with Firewall-1 SKIP.
> However SKIP is set up using a manual key exchange rather than
> cert authorities. Is it possible to set Firewall-1 SKIP parameters
> in a config file somewhere rather than generating a new key in the GUI?

As far as I know this is not possible. You would have to use the GUI
for key management of SKIP.

/erik 
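An added illustration, not part of erik's message and not Check Point code: a toy Python model of the rule 0 precedence discussed above. Implied rules are consulted before the explicit rulebase, so an explicit Accept rule has no effect until the implied rules are turned off, and once they are off the control connections must be defined explicitly or GUI/management traffic hits the cleanup drop. Object and service names are constructed placeholders, and the decryption-failure mechanic is modelled as erik hypothesises it, not as FW-1 actually implements it.

```python
from dataclasses import dataclass

# Constructed placeholder names for management/GUI control traffic (not FW-1's real service names).
CONTROL_SERVICES = {"FW1_mgmt", "FW1_gui"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    encrypted_with: str = ""   # "SKIP" for the SunScreen-encrypted traffic


@dataclass(frozen=True)
class Rule:
    number: int
    src: str        # object name or "Any"
    dst: str
    service: str
    action: str     # "Accept" or "Drop"

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src, pkt.src), (self.dst, pkt.dst), (self.service, pkt.service))
        return all(want in ("Any", got) for want, got in pairs)


@dataclass
class Gateway:
    control_connections: bool       # Policy | Properties: Accept VPN-1 & FireWall-1 Control Connections
    decryption_on_accept: bool      # Policy | Properties: Enable Decryption on Accept
    known_skip_gateways: frozenset  # SKIP gateways defined as objects in the database
    rulebase: tuple                 # explicit rules, evaluated in order

    def implied_rule(self, pkt: Packet):
        """Rule 0: evaluated before any explicit rule (toy model of erik's hypothesis)."""
        if pkt.encrypted_with == "SKIP" and self.decryption_on_accept:
            if pkt.src not in self.known_skip_gateways:
                return "Drop", "rule 0: Decryption Failure: Source object not in database scheme"
            return "Accept", "rule 0: decrypted"
        if self.control_connections and pkt.service in CONTROL_SERVICES:
            return "Accept", "rule 0: control connection"
        return None

    def decide(self, pkt: Packet):
        """Implied rules first; then the explicit rulebase; then the implicit cleanup drop."""
        hit = self.implied_rule(pkt)
        if hit:
            return hit
        for rule in self.rulebase:
            if rule.matches(pkt):
                return rule.action, f"rule {rule.number}"
        return "Drop", "implicit cleanup"
```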

================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================