Message-ID: <20051207144233.GA29311@melpomene.jschipper.dynalias.net>
Date: Wed Dec 7 14:42:44 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: Checkpoint SecureClient NGX Security Policy can easily be disabled
On Wed, Dec 07, 2005 at 12:54:02PM +0100, Viktor Steinmann wrote:
> (...) Checkpoint SecureClient enforces a policy on the VPN Client,
> which you can define on the VPN Endpoint you log on to (the firewall).
> Furthermore, SecureClient includes a personal firewall, which protects
> the VPN Client from the network around it. Every time the VPN Client
> opens the VPN tunnel, the policy is updated, so you can be sure that
> your policy is the latest one. In the above situation, you would
> create a policy which checks several parameters to ensure the
> workstation is one of yours, e.g. check the Windows serial number,
> check a specific process which must be running; you could even check
> the CPUID.
>
> Checkpoint's datasheet
> (http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
> says:
> "VPN-1 SecureClient strengthens enterprise security by ensuring client
> machines cannot be configured to circumvent the enterprise security
> policy."
>
> So far, so good.
>
> Now we've found a way to disable that security policy very easily (a
> 3-line batch file is all it needs). This means that people who have a
> login to your VPN site can use whatever hardware they like. No security
> policy is enforced, no personal firewall is running - but the VPN part
> works.
>
> And now to the sugar part: the procedure that makes it work:
>
> Step a) Download SecureClient from the Checkpoint Website
> Step b) Install SecureClient
> Step c) Connect to the VPN Endpoint (which will download the policy)
> Step d) Copy the downloaded policy (local.scv) to a different name
> (e.g. x.scv)
> Step e) Shutdown SecureClient
> Step f) Create a batch file that looks like this:
>
> :Loop
> copy x.scv local.scv
> goto Loop
>
> Step g) Edit x.scv to suit your needs (so you fulfill the policy)
> Step h) Run your batch
> Step i) Start SecureClient
> Step j) Connect to the VPN Endpoint and be surprised that this stupid
> trick works...
Actually, be not very surprised at all. It's a little surprising that it
is *this* easy to bypass it, but hardly surprising that this flawed
concept doesn't work.
Joachim
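As an added illustration of the defender's side of this thread (example code written here, not code from the post, from Check Point, or from either author), the sketch below shows two checks that catch the symptoms of the procedure quoted above: a client-held policy file whose contents no longer match what the gateway issued, and a policy file that is being rewritten continuously rather than once per tunnel setup. It assumes a gateway that keeps a copy of the policy it pushed, and a host agent that emits one event per write to local.scv; the file name local.scv comes from the post, while the policy contents and the write events are constructed stand-ins, not Check Point's format or real telemetry.

```python
"""Defender-side checks for a client-held VPN policy file.

Assumptions (constructed for this example, not taken from the post or
from Check Point):
- the gateway keeps a copy of the policy it handed to the client, so the
  client's local.scv can be hashed and compared against it;
- a host agent or EDR sensor records one event per write to local.scv,
  with a timestamp; the events below are constructed, not real telemetry.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

POLICY_FILE = "local.scv"  # file name as given in the quoted post

# Constructed stand-in for the policy the gateway pushed to the client
# (a generic key=value layout, not Check Point's real policy syntax).
GATEWAY_POLICY = b"require_process=agent.exe\nrequire_firewall=on\n"

# The same policy after a client-side edit that loosens the process check.
EDITED_POLICY = b"require_process=notepad.exe\nrequire_firewall=on\n"


@dataclass(frozen=True)
class WriteEvent:
    """One file-write event from a (hypothetical) host agent."""
    ts: float   # seconds since epoch, constructed
    path: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def policy_mismatch(gateway_policy: bytes, local_policy: bytes) -> bool:
    """True when the client's copy differs from what the gateway issued."""
    return sha256_hex(gateway_policy) != sha256_hex(local_policy)


def rapid_rewrite(events: Iterable[WriteEvent], path: str = POLICY_FILE,
                  window_s: float = 10.0, threshold: int = 5) -> bool:
    """True when `path` is written more than `threshold` times inside any
    `window_s`-second window.

    A legitimate refresh writes the policy once per tunnel setup; a
    `copy x.scv local.scv` loop rewrites it many times per second.
    """
    times = sorted(e.ts for e in events if e.path == path)
    start = 0
    for end, t in enumerate(times):
        # Slide the window so it only spans the last window_s seconds.
        while t - times[start] > window_s:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False


def assess(gateway_policy: bytes, local_policy: bytes,
           events: Iterable[WriteEvent]) -> List[str]:
    """Collect findings for one client; an empty list means nothing seen."""
    findings = []
    if policy_mismatch(gateway_policy, local_policy):
        findings.append("policy hash mismatch")
    if rapid_rewrite(events):
        findings.append("policy file rewritten repeatedly")
    return findings


# Constructed telemetry: one write at connect time (normal), versus a copy
# loop hammering the file every 10 ms plus some unrelated writes.
NORMAL_EVENTS = [WriteEvent(1000.0, POLICY_FILE),
                 WriteEvent(1001.0, "other.log")]
LOOP_EVENTS = [WriteEvent(1000.0 + i * 0.01, POLICY_FILE) for i in range(200)]

if __name__ == "__main__":
    print(assess(GATEWAY_POLICY, GATEWAY_POLICY, NORMAL_EVENTS))
    print(assess(GATEWAY_POLICY, EDITED_POLICY, LOOP_EVENTS))
```

Both checks are only worth anything if they run somewhere the client cannot rewrite at will, i.e. the hash comparison has to be decided on the gateway side and the write telemetry has to come from an agent the user cannot simply stop. Even then the client is reporting on itself, which is the flawed-concept point the reply above makes: these checks raise the cost and leave a detection trail, they do not restore the guarantee the datasheet claims.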