
RE: [FW1] Keeping SecureClient PC's Safe.



Couldn't agree more.
And the Secure Client protection isn't optimal.

It becomes dangerous if:
1) You are running only a SecuRemote license (you don't get any policy
enforcement on the client - as far as I have experienced).

2) You are allowing 'Outgoing' or 'Outgoing and Encrypted'.
The fun .exe game you just played installed a trojan that initiates a
connection out to the remote attacker.  Now your filtering is bypassed.
(even 'Encrypted Only' could in theory be exploited by a clever trojan
that encrypted its outgoing traffic).
Or the site you just browsed to exploited the latest vulnerability in IE
and executed arbitrary code as admin.

3) If you aren't running the 'session authentication agent' - the
trojanised version of winzip you just downloaded and installed off an
impersonating ftp server (*grin*) has just bound itself to port 261.
Hmmm... no filtering on that port?  :((

At least the secure client does drop everything that it says it will -
it's just not 'un-exploitable'.

So I guess it comes back down to a few facts:

a) that a poorly configured setup is still vulnerable - even if you
have spent lots of $$$ on your software.

b) if a user is stupid enough to execute an untrusted attachment, or your
attacker is clever enough to compromise something upstream and start to do
nasty stuff with DNS / connection hijacking - you are still vulnerable.
Good anti-viral software will help with the first part of this.

c) operating systems like MS Windows (esp 95 / 98 / ME) that execute
everything with administrator privileges are fundamentally INSECURE.
Avoid them at all costs.  :))

I like the idea of configuring the firewall for secure-client to only
allow Encrypted connections - outgoing stuff is potentially dangerous.

Filtering outgoing connections from the Client in Checkpoint NG sounds
nice too.  I hope they bring it to 4.1.

Cheers,
-jonny

--

Wellington,
New Zealand




On Fri, 24 Aug 2001, Yee, Meng-Kay wrote:

> But this does not protect against any virus or worm that has been infected
> on the client! Worms or viruses usually come from downloads of software; if
> he/she gets infected with one of these viruses, e.g. CodeRed, the client can
> start spreading through the VPN tunnel into the "secure network".
>
> I think the solution is to have a "policy" that checks if the client has a
> virus scanner installed on the desktop, treat the remote machine as an
> internal network client.
>
> Do you know if NG has this capability?
>
>
> -----Original Message-----
> From: Larry Pingree [mailto:[email protected]]
> Sent: Thursday, August 23, 2001 4:45 PM
> To: Hanke, Christian (DC); '[email protected]'
> Subject: RE: [FW1] Keeping SecureClient PC's Safe.
>
> Currently with secureclient you can deny incoming connections to your
> network. The new NG secureclient will allow you to configure rules that are
> outbound from the secureclient box as well.
>
>
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Larry Pingree
> Sr. Security Engineer/Check Point Instructor
> CCSA, CCSE, CCSI, ICE, ICI, NSA
>
> Website: http://www.SiegeWorks.com <http://www.siegeworks.com/>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of Hanke,
> Christian (DC)
> Sent: Monday, August 20, 2001 2:38 PM
> To: '[email protected]'
> Subject: [FW1] Keeping SecureClient PC's Safe.
>
> I am interested in what, if any, precautions others are taking to ensure
> that the PCs using SecureClient to connect to their networks via VPN are
> not themselves compromised. My concern is that someone at home will be virus
> laden, compromised by a trojan, or who knows what else and then in turn
> compromise our network security by tunneling in to our corporate network. Is
> this a valid concern? I am playing with the idea of requiring either a NAT
> box or one of the new Home Internet Gateways which include firewall
> functionality for users who wish to take advantage of the high speed VPN
> connection to our network. Of course, there would be no way to make sure
> their settings and configurations were optimal. What's everyone else doing
> about this? Your feedback would be greatly appreciated. Thanks all,
> Christian




