| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed Dec 7 11:54:43 2005 From: stony at stony.com (Viktor Steinmann) Subject: Checkpoint SecureClient NGX Security Policy can easily be disabled Situation: Employees should be allowed to access your company network from remote by VPN. You want to make sure, that only the hardware of your own company is allowed to access the network on the VPN. This because your company hardware uses a hardened operating system (personal firewall, virusscanner etc.) and you want to make sure, that no viruses/trojans etc. are transported into your company network by the VPN from badly configured hardware and/or home networks of your employees. Solution: Checkpoint SecureClient enforces a policy on the VPN Client, which you can define on the VPN Endpoint you log on to (the firewall). Furthermore SecureClient includes a personal firewall, which protects the VPN Client from the network around him. Every time the VPN Client opens the VPN tunnel, the policy is updated, so you can be sure, that your policy is the latest one. In the above situation, you would create a policy, which checks several parameters, to ensure the workstation is one of yours, e.g. check the windows serial number, check a specific process which must be running, you could even check the CPUID. Checkpoints Datasheet (http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf) says: "VPN-1 SecureClient strengthens enterprise security by ensuring client machines cannot be configured to circumvent the enterprise security policy." So far, so good. Now we've found a way, to disable that security policy very easily (a 3 line batch is all it needs). This means, that people who have a login to your VPN site can use whatever hardware they like. No secuity policy is enforced, no personal firewall is running - but the VPN part works. And now to the sugar part: The Procedure that makes it work: Step a) Download SecureClient from the Checkpoint Website Step b) Install SecureClient Step c) Connect to the VPN Endpoint (which will download the policy) Step d) Copy the downloaded policy (local.scv) to a different name (e.g. x.scv) Step e) Shutdown SecureClient Step f) Create a Batch-File, that looks like this :Loop copy x.scv local.scv goto Loop Step g) Edit x.scv to suit your needs (so you fulfill the policy) Step h) Run your batch Step i) Start SecureClient Step j) Connect to the VPN Endpoint and be surprised, that this stupid trick works... Cheers, Viktor
Powered by blists - more mailing lists