RE: Firewall-1 Information leak

From: MALIN, ALEX (PB) (am7861at_private)
Date: Fri Jul 20 2001 - 16:50:01 PDT


    SecuRemote works with 2 FireWall-1 encryption schemes, FWZ and IKE. Here's
    my reading on it. If you use IKE, you MUST deselect "respond to
    unauthenticated topology requests." However, if you use FWZ, CheckPoint
    recommends that you select "respond to unauthenticated topology requests."
    As the previous posting describes, you can work around this by placing
    topology information in users' userc.C files. 
    
    Why might anybody use FWZ (CheckPoint's proprietary encryption scheme),
    rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
    mode. As I see it, there's a general problem with using firewalls for
    encryption gateways. You don't want to tie up your gateway with all the
    processing and memory usage that VPN devices require. CheckPoint seems to
    have built a client-to-site VPN that is designed to reduce some of the
    performance hit on the firewall. What you end up with, I think, is a kind of
    security "lite." A little less data security (especially if you make
    topology requests available to anybody with the SecuRemote client software).
    But you can keep more encrypted data sessions going simultaneously. 
    
    Alex Malin
    
    -----Original Message-----
    From: Bugtraq Account [mailto:bugtraqat_private]
    Sent: Thursday, July 19, 2001 3:02 PM
    To: Haroon Meer
    Cc: bugtraqat_private
    Subject: Re: Firewall-1 Information leak
    
    
    On Wed, 18 Jul 2001, Haroon Meer wrote:
    
    > Checkpoint Firewall-1 makes use of a piece of software called SecureRemote
    > to create encrypted sessions between users and FW-1 modules. Before remote
    > users are able to communicate with internal hosts, a network topology of
    > the protected network is downloaded to the client. While newer versions of
    > the FW-1 software have the ability to restrict these downloads to only
    > authenticated sessions, the default setting allows unauthenticated
    > requests to be honoured. This gives a potential attacker a wealth of
    > information including ip addresses, network masks (and even friendly
    > descriptions)
    
    This is a well-known, and generally accepted, risk associated with running
    FWZ SecuRemote VPNs to FireWall-1.  As others have already commented, it
    is possible to turn off unauthenticated topology downloads through the
    policy properties.  If you do this, you will need to manually distribute a
    userc.C file (containing the topology information) to all of your
    SecuRemote users.  This file should be loaded into the
    c:\winnt\fw\database directory on the client.
    
    From start to finish, the procedure should go something like this:
    
    1. Set up your firewall gateway for VPN, with the "Respond to
    unauthenticated topology requests" enabled.
    
    2. Set up a sample SecuRemote client, and download the site topology.
    
    3. Turn off "Respond to unauthenticated topology requests".
    
    4. Securely distribute the file userc.C from the sample client to all
    SecuRemote users.
    
    You will need to send out an updated userc.C any time there is a change to
    the encryption domain or keying info.
    
    Regards,
    Dave Taylor
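
    The userc.C file that step 4 above distributes is the same data an
    unauthenticated topology download hands to anyone with the client. As an
    added example (not code from anyone in this thread, nor Check Point's), the
    script below parses a file in Check Point's parenthesised "C" object syntax
    and lists the gateways and encryption-domain entries it contains, so you can
    see exactly what a gateway's topology reply discloses and what has to be
    re-sent after a change. The key names in the constructed sample (gateways,
    topology, name, ipaddr, ipmask) are assumptions modelled on that syntax,
    not copied from a real userc.C.

```python
"""Parse a userc.C-style topology file and list what it discloses.

Added example, not from the thread. The grammar follows Check Point's "C"
object format: a group is "(" ... ")", holding either ":key value" entries
(":" alone marks an anonymous list item) or bare atoms such as (1.2.3.4).
The key names in SAMPLE_USERC_C are assumptions for illustration.
"""
import re
from typing import Any, List, Tuple

# Tokens: parentheses, double-quoted strings, or bare words (":key", atoms).
TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')

# Constructed sample in the assumed layout; addresses are RFC 5737 / RFC 1918.
SAMPLE_USERC_C = """\
(
    :gateways (
        : (
            :name ("fw-hq")
            :ipaddr ("192.0.2.1")
            :topology (
                : (
                    :name ("internal-lan")
                    :ipaddr ("10.10.0.0")
                    :ipmask ("255.255.0.0")
                )
                : (
                    :name ("mail-server")
                    :ipaddr ("10.20.1.5")
                    :ipmask ("255.255.255.255")
                )
            )
        )
    )
)
"""


def tokenize(text: str) -> List[str]:
    return TOKEN_RE.findall(text)


def _parse_value(tokens: List[str], i: int) -> Tuple[Any, int]:
    """Parse the value after a ':key'; a bare atom or a nested group."""
    if i >= len(tokens):
        raise ValueError("missing value at end of file")
    if tokens[i] == "(":
        return _parse_group(tokens, i)
    return tokens[i].strip('"'), i + 1


def _parse_group(tokens: List[str], i: int) -> Tuple[Any, int]:
    """Parse '(' ... ')' at tokens[i]; return (value, index after ')').

    A group with ':key value' entries becomes a list of (key, value) pairs;
    a group holding only bare atoms, e.g. ("10.1.0.0"), becomes a string.
    """
    if tokens[i] != "(":
        raise ValueError(f"expected '(' at token {i}, got {tokens[i]!r}")
    i += 1
    entries: List[Tuple[str, Any]] = []
    atoms: List[str] = []
    while True:
        if i >= len(tokens):
            raise ValueError("unbalanced parentheses in topology file")
        tok = tokens[i]
        if tok == ")":
            i += 1
            break
        if tok.startswith(":"):
            key = tok[1:]  # "" for an anonymous list item written as ": ("
            value, i = _parse_value(tokens, i + 1)
            entries.append((key, value))
        else:
            atoms.append(tok.strip('"'))
            i += 1
    return (entries if entries else " ".join(atoms)), i


def parse_c_format(text: str) -> Any:
    tokens = tokenize(text)
    value, i = _parse_group(tokens, 0)
    if i != len(tokens):
        raise ValueError("trailing data after top-level group")
    return value


def lookup(entries: Any, key: str, default: Any = None) -> Any:
    """First value stored under `key` in a parsed group, else `default`."""
    if isinstance(entries, list):
        for k, v in entries:
            if k == key:
                return v
    return default


def encryption_domain(text: str) -> List[Tuple[str, str, List[Tuple[str, str, str]]]]:
    """Return [(gateway name, gateway ip, [(label, network, mask), ...]), ...]."""
    doc = parse_c_format(text)
    result = []
    for _, gw in lookup(doc, "gateways", []) or []:
        nets = [(lookup(e, "name"), lookup(e, "ipaddr"), lookup(e, "ipmask"))
                for _, e in lookup(gw, "topology", []) or []]
        result.append((lookup(gw, "name"), lookup(gw, "ipaddr"), nets))
    return result


def disclosed_hosts(text: str) -> List[Tuple[str, str]]:
    """Single-host entries (mask 255.255.255.255), the most telling leak."""
    return [(label, net) for _, _, nets in encryption_domain(text)
            for label, net, mask in nets if mask == "255.255.255.255"]


if __name__ == "__main__":
    for name, ip, nets in encryption_domain(SAMPLE_USERC_C):
        print(f"gateway {name} ({ip}) protects:")
        for label, net, mask in nets:
            print(f"  {net}/{mask}  {label}")
```

    Run it against the userc.C pulled in step 2 and against any later copy to
    diff what changed; every entry it prints is also what an attacker gets from
    a gateway that still answers unauthenticated topology requests.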
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 11:33:51 PDT