Date: Thu Dec  8 03:36:47 2005
From: sixsigma98 at hotmail.com (Ray P)
Subject: Checkpoint SecureClient NGX Security Policy can easily be d

What version of SecureClient did you use?


>From: Viktor Steinmann <stony@...ny.com>
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] Checkpoint SecureClient NGX Security Policy can easily be disabled
>Date: Wed,  7 Dec 2005 12:54:02 +0100
>
>Situation: Employees should be allowed to access your company network from
>remote by VPN. You want to make sure that only the hardware of your own
>company is allowed to access the network on the VPN. This is because your
>company hardware uses a hardened operating system (personal firewall, virus
>scanner etc.) and you want to make sure that no viruses/trojans etc. are
>transported into your company network by the VPN from badly configured
>hardware and/or home networks of your employees.
>
>Solution: Checkpoint SecureClient enforces a policy on the VPN Client, which
>you can define on the VPN Endpoint you log on to (the firewall). Furthermore
>SecureClient includes a personal firewall, which protects the VPN Client from
>the network around him. Every time the VPN Client opens the VPN tunnel, the
>policy is updated, so you can be sure, that your policy is the latest one. In
>the above situation, you would create a policy, which checks several
>parameters, to ensure the workstation is one of yours, e.g. check the windows
>serial number, check a specific process which must be running, you could even
>check the CPUID.
>
>Checkpoint's Datasheet
>(http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
>says:
>"VPN-1 SecureClient strengthens enterprise security by ensuring client
>machines cannot be configured to circumvent the enterprise security policy."
>
>So far, so good.
>
>Now we've found a way to disable that security policy very easily (a 3 line
>batch is all it needs). This means that people who have a login to your VPN
>site can use whatever hardware they like. No security policy is enforced, no
>personal firewall is running - but the VPN part works.
>
>And now to the sugar part: The Procedure that makes it work:
>
>Step a) Download SecureClient from the Checkpoint Website
>Step b) Install SecureClient
>Step c) Connect to the VPN Endpoint (which will download the policy)
>Step d) Copy the downloaded policy (local.scv) to a different name (e.g. x.scv)
>Step e) Shut down SecureClient
>Step f) Create a Batch-File, that looks like this
>
>:Loop
>copy x.scv local.scv
>goto Loop
>
>Step g) Edit x.scv to suit your needs (so you fulfill the policy)
>Step h) Run your batch
>Step i) Start SecureClient
>Step j) Connect to the VPN Endpoint and be surprised, that this stupid trick
>works...
>
>Cheers,
>Viktor
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
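
A detection sketch for the behaviour reported in the quoted message, added here as an example and not part of either poster's mail or of Check Point's software: it scans file-audit events for writes to local.scv by anything other than the client, and for the rapid rewrite pattern a copy loop produces. The event format, the client process name vpnclient.exe, the install directory and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: "time|process|operation|path". The client process
# name and install directory are placeholders, not values from the product.
SAMPLE_EVENTS = r"""
2005-12-07T12:00:01|vpnclient.exe|WRITE|C:\VPNCLIENT\local.scv
2005-12-07T12:05:10|cmd.exe|WRITE|C:\VPNCLIENT\x.scv
2005-12-07T12:06:00|cmd.exe|WRITE|C:\VPNCLIENT\local.scv
2005-12-07T12:06:00|cmd.exe|WRITE|C:\VPNCLIENT\local.scv
2005-12-07T12:06:01|cmd.exe|WRITE|C:\VPNCLIENT\local.scv
2005-12-07T12:06:01|cmd.exe|WRITE|C:\VPNCLIENT\local.scv
2005-12-07T12:06:02|vpnclient.exe|WRITE|C:\VPNCLIENT\local.scv
"""

POLICY_FILE = "local.scv"
TRUSTED_WRITERS = {"vpnclient.exe"}   # assumption: the only legitimate writer
WINDOW = timedelta(seconds=10)        # sliding window for the rate check
MAX_WRITES = 3                        # more than this per window is a loop

def find_policy_tampering(lines):
    """Return (process, reason) findings for writes to the policy file."""
    findings, recent = [], defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, proc, op, path = line.strip().split("|")
        ts, proc = datetime.fromisoformat(ts), proc.lower()
        if op != "WRITE" or not path.lower().endswith("\\" + POLICY_FILE):
            continue
        # Any writer other than the client itself is suspicious on its own.
        if proc not in TRUSTED_WRITERS and (proc, "untrusted-writer") not in findings:
            findings.append((proc, "untrusted-writer"))
        # Repeated overwrites inside a short window match the copy loop.
        recent[proc] = [t for t in recent[proc] if ts - t <= WINDOW] + [ts]
        if len(recent[proc]) > MAX_WRITES and (proc, "rewrite-loop") not in findings:
            findings.append((proc, "rewrite-loop"))
    return findings

if __name__ == "__main__":
    for proc, reason in find_policy_tampering(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT {reason}: {proc} wrote {POLICY_FILE}")
```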

