Message-ID: <BAY101-F110E83B9220DF541D02D18DD420@phx.gbl>
Date: Thu Dec 8 03:36:47 2005
From: sixsigma98 at hotmail.com (Ray P)
Subject: Checkpoint SecureClient NGX Security Policy can easily be d
What version of SecureClient did you use?
>From: Viktor Steinmann <stony@...ny.com>
>To: full-disclosure@...ts.grok.org.uk
>Subject: [Full-disclosure] Checkpoint SecureClient NGX Security Policy can easily be disabled
>Date: Wed, 7 Dec 2005 12:54:02 +0100
>
>Situation: Employees should be allowed to access your company network from
>remote by VPN. You want to make sure, that only the hardware of your own
>company is allowed to access the network on the VPN. This because your
>company hardware uses a hardened operating system (personal firewall,
>virus scanner etc.) and you want to make sure, that no viruses/trojans etc.
>are transported into your company network by the VPN from badly configured
>hardware and/or home networks of your employees.
>
>Solution: Checkpoint SecureClient enforces a policy on the VPN Client,
>which you can define on the VPN Endpoint you log on to (the firewall).
>Furthermore SecureClient includes a personal firewall, which protects the
>VPN Client from the network around him. Every time the VPN Client opens the
>VPN tunnel, the policy is updated, so you can be sure, that your policy is
>the latest one. In the above situation, you would create a policy, which
>checks several parameters, to ensure the workstation is one of yours, e.g.
>check the windows serial number, check a specific process which must be
>running, you could even check the CPUID.
>
>Checkpoint's Datasheet
>(http://www.checkpoint.com/products/downloads/vpn-1_clients_datasheet.pdf)
>says:
>"VPN-1 SecureClient strengthens enterprise security by ensuring client
>machines cannot be configured to circumvent the enterprise security policy."
>
>So far, so good.
>
>Now we've found a way, to disable that security policy very easily (a 3
>line batch is all it needs). This means, that people who have a login to
>your VPN site can use whatever hardware they like. No security policy is
>enforced, no personal firewall is running - but the VPN part works.
>
>And now to the sugar part: The Procedure that makes it work:
>
>Step a) Download SecureClient from the Checkpoint Website
>Step b) Install SecureClient
>Step c) Connect to the VPN Endpoint (which will download the policy)
>Step d) Copy the downloaded policy (local.scv) to a different name (e.g. x.scv)
>Step e) Shutdown SecureClient
>Step f) Create a Batch-File, that looks like this
>
>:Loop
>copy x.scv local.scv
>goto Loop
>
>Step g) Edit x.scv to suit your needs (so you fulfill the policy)
>Step h) Run your batch
>Step i) Start SecureClient
>Step j) Connect to the VPN Endpoint and be surprised, that this stupid
>trick works...
>
>Cheers,
>Viktor
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
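
Added example, not part of either message: a detection sketch that scans file-write audit events for the pattern the quoted procedure produces, namely a process other than the VPN client rewriting local.scv in a tight loop. The event format, the path, the client process name `client-placeholder.exe` and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

POLICY_FILE = "local.scv"                    # file name taken from the quoted post
EXPECTED_WRITER = "client-placeholder.exe"   # assumption: stand-in for the VPN client process
BURST_COUNT = 5                              # assumption: this many writes ...
WINDOW = timedelta(seconds=2)                # ... inside this window counts as a loop

# Constructed sample events: ISO timestamp, writing process, target path.
SAMPLE_EVENTS = r"""
2005-12-07T12:00:00.000,client-placeholder.exe,C:\PLACEHOLDER\local.scv
2005-12-07T12:04:30.000,notepad.exe,C:\PLACEHOLDER\x.scv
2005-12-07T12:05:00.000,cmd.exe,C:\PLACEHOLDER\local.scv
2005-12-07T12:05:00.050,cmd.exe,C:\PLACEHOLDER\local.scv
2005-12-07T12:05:00.100,cmd.exe,C:\PLACEHOLDER\local.scv
2005-12-07T12:05:00.150,cmd.exe,C:\PLACEHOLDER\local.scv
2005-12-07T12:05:00.200,cmd.exe,C:\PLACEHOLDER\local.scv
2005-12-07T12:05:00.250,cmd.exe,C:\PLACEHOLDER\local.scv
"""

def find_policy_tampering(text):
    """Return (process, write_count, reasons) for suspicious writers of the policy file."""
    writes = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, path = line.strip().split(",", 2)
        # Match on the file name only; the install directory is not known here.
        if ntpath.basename(path).lower() == POLICY_FILE:
            writes[proc.lower()].append(datetime.fromisoformat(ts))
    findings = []
    for proc, stamps in sorted(writes.items()):
        stamps.sort()
        reasons = []
        if proc != EXPECTED_WRITER:
            reasons.append("unexpected writer")
        # Sliding window: BURST_COUNT consecutive writes that fit inside WINDOW.
        spans = range(len(stamps) - BURST_COUNT + 1)
        if any(stamps[i + BURST_COUNT - 1] - stamps[i] <= WINDOW for i in spans):
            reasons.append("write burst")
        if reasons:
            findings.append((proc, len(stamps), reasons))
    return findings

if __name__ == "__main__":
    for proc, count, reasons in find_policy_tampering(SAMPLE_EVENTS):
        print(f"{proc}: {count} writes to {POLICY_FILE} ({', '.join(reasons)})")
```

Endpoint-side detection like this runs on a machine the user controls, so it complements rather than replaces checks made at the VPN endpoint.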