CPUG: The Check Point User Group

Forum: Check Point Firewall-1/VPN-1 And Related Products > Authentication

#1  2007-08-02  slash85 (Junior Member, joined 2007-01-30)
Restricting remote VPN users

(CheckPoint NG with Application Intelligence R55 Build 127)

Hi,

Is it possible to restrict remote VPN users so that they can't access the whole network once authenticated? I guess you can, but I can't seem to get it to work.

I've created a group called lockdown and added the required users (I only want them to be able to access one server on RDP). Then I've created a rule:

Source         Destination  VPN          Service        Action      Track
lockdown@svr1  svr1         any traffic  RemoteDesktop  ClientAuth  Log

But once I've authenticated I can still get to other servers. Have I missed something?


Thanks for any help / information.

Cheers,
Slash.
#2  2007-08-02  dantro (Senior Member, Halle (Saale), joined 2007-02-07)
Re: Restricting remote VPN users

There are several ways to accomplish this. You should of course first check SmartView Tracker for the rules that allow your RemoteUsers unwanted access. In your case I'd simply create a second rule below your Accept rule:

Source         Destination  VPN          Service  Action  Track
lockdown@svr1  any          any traffic  any      Drop    Log

Make sure no other rule above these two grants permission to your RemoteUsers.

What else could be done?
- You could define the allowed locations for your RemoteUsers within their User Properties.
- You could use Accept instead of ClientAuth and define the RemoteAccess Community within the VPN tab of the related rule (see examples in demo mode). Example:

  Source         Destination  VPN           Service        Action  Track
  lockdown@svr1  svr1         RemoteAccess  RemoteDesktop  Accept  Log

Best regards,
Danny Trommer
CCSA/CCSE/CCSE+
#3  2007-08-02  slash85 (Junior Member)
Re: Restricting remote VPN users

Top man,

I'll try the suggested.

Many thanks,
Slash.
#4  2007-08-02  mcnallym (Senior Member, joined 2007-06-04)
Re: Restricting remote VPN users

Why use Client Auth with a Remote Access VPN? Surely it should be the Client Encrypt action if in traditional mode, or specify the Remote Access VPN and Accept if in Simplified Mode.

Is the user a member of another user group that would still have access to the whole network?
#5  2007-08-02  slash85 (Junior Member)
Re: Restricting remote VPN users

Hi,

When I try the above, the policy fails to install with the error:

User Groups are allowed only on Authentication Rules

Any ideas?

I've got this in the rulebase:

No  Source         Destination  VPN           Service        Action  Track
10  lockdown@svr1  svr1         RemoteAccess  RemoteDesktop  Accept  Log
11  lockdown@svr1  any          any traffic   any            drop    log

Thanks for any help

Slash.
#6  2007-08-02  mcnallym (Senior Member)
Re: Restricting remote VPN users

I would suggest that the problem is in Rule 11.

Set the 3rd column, VPN, to Remote Access.
#7  2007-08-02  slash85 (Junior Member)
Re: Restricting remote VPN users

Thanks for the response, but now the policy install fails with:

action can be only Accept when the "VPN" includes SR Communities objects

Any more idea?

Slash.
#8  2007-08-02  mcnallym (Senior Member)
Re: Restricting remote VPN users

Try disabling Rule 11. I do not believe that you will need it.
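The three points made above in posts #2, #4 and #8 (check which rule is actually accepting the traffic, watch for a second group membership that matches a broader rule, and note that the single Accept rule is enough when nothing else grants access) come down to first-match rulebase evaluation. The following is an added example, not code from the thread or from Check Point: a small Python simulator of a Check Point-style rulebase (Source user group, Destination, VPN, Service, Action) with an audit function that lists every connection a restricted group gets accepted outside what it is supposed to reach, together with the rule number responsible. The users, groups, addresses and service names are constructed for the demo; policy-install checks such as the R55 errors quoted in posts #5 and #7 are not modelled, only matching order.

```python
"""First-match rulebase simulation (added example, not from CPUG or Check Point).

Models top-to-bottom matching of a Check Point-style rulebase so you can see
which rule grants a restricted remote access group unwanted access.  All
users, groups, network objects and services below are constructed for the
demo.  Policy-install restrictions (e.g. R55 rejecting Drop on a rule whose
Source is a user group in Simplified Mode) are deliberately not modelled.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional

ANY = "any"

# Constructed user directory: user -> groups.  bob is in the restricted
# 'lockdown' group AND in a broad group, the situation raised in post #4.
USER_GROUPS = {
    "alice": {"lockdown"},
    "bob": {"lockdown", "AllUsers"},
    "carol": {"AllUsers"},
}

# Constructed network objects: name -> member IPs.
OBJECTS = {
    "svr1": {"10.0.0.10"},
    "svr2": {"10.0.0.20"},
    "internal_net": {"10.0.0.10", "10.0.0.20", "10.0.0.30"},
}

SERVICES = ["RemoteDesktop", "ssh", "smb"]  # constructed service names


@dataclass(frozen=True)
class Rule:
    no: int
    src_group: str   # Source column: user group, or ANY
    dst: str         # Destination column: network object, or ANY
    service: str     # Service column, or ANY
    action: str      # "Accept" or "Drop"
    vpn: str = ANY   # VPN column, e.g. "RemoteAccess" (any traffic = ANY)


@dataclass(frozen=True)
class Conn:
    user: str        # authenticated remote access user
    dst_ip: str
    service: str
    vpn: str = "RemoteAccess"


def matches(rule: Rule, c: Conn) -> bool:
    groups = USER_GROUPS.get(c.user, set())
    return ((rule.src_group == ANY or rule.src_group in groups)
            and (rule.dst == ANY or c.dst_ip in OBJECTS[rule.dst])
            and (rule.service == ANY or rule.service == c.service)
            and (rule.vpn == ANY or rule.vpn == c.vpn))


def evaluate(rulebase: list[Rule], c: Conn) -> tuple[str, Optional[int]]:
    """First matching rule wins; no match falls to the implicit cleanup Drop."""
    for rule in rulebase:
        if matches(rule, c):
            return rule.action, rule.no
    return "Drop", None


def find_leaks(rulebase: list[Rule], group: str, allowed: set) -> dict:
    """Return {(user, dst_ip, service): rule_no} for every connection a member
    of `group` gets accepted outside the `allowed` {(dst_ip, service)} set:
    the rule numbers you would otherwise hunt for in SmartView Tracker."""
    members = [u for u, g in USER_GROUPS.items() if group in g]
    all_ips = set().union(*OBJECTS.values())
    leaks = {}
    for user, ip, svc in product(members, sorted(all_ips), SERVICES):
        action, no = evaluate(rulebase, Conn(user, ip, svc))
        if action == "Accept" and (ip, svc) not in allowed:
            leaks[(user, ip, svc)] = no
    return leaks


def numbered(*rules: Rule) -> list[Rule]:
    """Copy the rules with sequential rule numbers in rulebase order."""
    return [Rule(i, r.src_group, r.dst, r.service, r.action, r.vpn)
            for i, r in enumerate(rules, start=1)]


LOCKDOWN_ACCEPT = Rule(0, "lockdown", "svr1", "RemoteDesktop", "Accept", "RemoteAccess")
BROAD_ACCEPT = Rule(0, "AllUsers", "internal_net", ANY, "Accept", "RemoteAccess")
LOCKDOWN_DROP = Rule(0, "lockdown", ANY, ANY, "Drop")

# Post #8: the single Accept rule is enough when no other rule grants access.
ONLY_LOCKDOWN = numbered(LOCKDOWN_ACCEPT)
# Posts #2/#4: a broad rule above leaks everything to users also in that group.
BROAD_ABOVE = numbered(BROAD_ACCEPT, LOCKDOWN_ACCEPT)
# Post #2: an explicit Drop for the group right below the Accept stops the fall-through.
DROP_BELOW = numbered(LOCKDOWN_ACCEPT, LOCKDOWN_DROP, BROAD_ACCEPT)

ALLOWED = {("10.0.0.10", "RemoteDesktop")}  # svr1 on RDP only

if __name__ == "__main__":
    for name, rb in [("only lockdown", ONLY_LOCKDOWN),
                     ("broad rule above", BROAD_ABOVE),
                     ("drop below accept", DROP_BELOW)]:
        print(f"{name}: {find_leaks(rb, 'lockdown', ALLOWED)}")
```

Running it shows no leaks for the single Accept rule (the implicit cleanup drop does the rest), eight accepted connections for bob via rule 1 when the broad AllUsers rule sits above, and none again once an explicit Drop for the group sits directly under the Accept, whatever follows it.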
#9  2007-08-02  Danielpb (Senior Member, joined 2006-10-23)
Re: Restricting remote VPN users

You could try using IP pools and try to restrict access that way.
But I could be wrong on that, as I've never tested it.

But from what I can see of your rules, it looks fine other than the ClientAuth; this should be Client Encrypt, as mcnallym says.

Last edited by Danielpb; 2007-08-02 at 05:13.