Thursday, February 23, 2012

Check Point Blocking H323 Traffic (Part 2) - Explained

Hi all. Today I wanted to go back to my first post that I put on this site: http://www.shanekillen.com/2011/11/check-point-blocking-h323-traffic.html
I had stated a problem and a solution, but I didn't really know why the solution was what it was. Well, I happen to have a pretty good SE in my area now (one I actually have confidence in), and he explained to me why I had the problem that I had. Below is what he wrote to me, and I thought I'd put this out there for anyone interested. Here is his explanation, which I happen to think is a very good one.
Quote:
I can tell you why this worked. Most likely, the H.323 service was not defined as a "Match for Any" service. When you said you had a rule allowing "ANY" traffic, it's not really allowing *everything*. It's allowing a class of services that are allowed to "Match Any".
So if you go to the Service properties for H.323 in R75.20 you'll see that the Match for Any is selected. This means it will match the "Any" service designation. I'm betting in your case it wasn't selected.
There is a reason Check Point does this and it has to do with its protocol inspection.
End Quote.

Well, he was right on this. I didn't have that service set to "Match for Any".

Thursday, February 16, 2012

How to disable SSH version 1 on a Cisco ASA

I had a customer come to me and ask me to disable SSH version 1 on their Cisco ASA firewall because they were in the process of having a vulnerability scan run on their network. OK, no big deal, but I thought I'd show a couple of neat things.
First, how do we disable SSH version 1 and only allow SSH version 2? Like this: "ssh version 2" in config mode. That's it.
So, with that said, you can also look at your current SSH sessions to see what version people are using. Let's first look at version 1. I am a little confused about one thing in particular. Notice that under the "Version" column, it says "1.5". I understand this as version 1, but I'm not sure what it means to have version 1.5. I haven't figured that out at the time of this writing, and I'm not sure I care. I just need version 1.anything disabled. Here is what it looks like:
"sho ssh session"
SID Client IP       Version Mode Encryption Hmac     State            Username
1   24.196.3.248    1.5     -    3DES       -        SessionStarted       sk

Now, with version 2, it looks like this:
"sho ssh session"
SID Client IP       Version Mode Encryption Hmac     State            Username
1   24.196.3.248    2.0     IN   aes256-cbc sha1     SessionStarted   sk
                                       OUT  aes256-cbc sha1     SessionStarted   sk

Notice the differences. The main thing is the encryption algorithm: AES-256 with SHA-1 is much stronger than 3DES. Also note that the version 1 session shows no HMAC at all ("-" in the Hmac column), while the version 2 session negotiates sha1 in both the IN and OUT directions.
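As an added example (not from the original post and not Cisco's code), here is a small Python audit that reads the "show ssh sessions" output in the column layout shown above, flags any session whose version starts with "1." (the "version 1.anything" the post wants gone), flags 3DES and a missing HMAC, and checks whether a running-config fragment contains the "ssh version 2" line that is the fix. The sample session output and config lines are constructed for the example; the client addresses are from the 192.0.2.0/24 documentation range, not the addresses in the post.

```python
"""Audit Cisco ASA 'show ssh sessions' output for legacy SSHv1 sessions.

Added example; not Cisco's code. The parser assumes the column layout
shown in the post (SID, Client IP, Version, Mode, Encryption, Hmac, State,
Username) and that an SSHv2 session prints a second, indented OUT line
without SID/IP/Version. All sample data below is constructed.
"""
import re

# Constructed sample: one SSHv1 session and one SSHv2 session, in the
# layout the ASA prints (indented OUT continuation line for v2).
SAMPLE_SESSIONS = """\
SID Client IP       Version Mode Encryption Hmac     State            Username
1   192.0.2.10      1.5     -    3DES       -        SessionStarted   alice
2   192.0.2.20      2.0     IN   aes256-cbc sha1     SessionStarted   bob
                                        OUT  aes256-cbc sha1     SessionStarted   bob
"""

# Constructed running-config fragments; the line that matters is
# 'ssh version 2', which is the fix the post describes.
SAMPLE_CONFIG_WEAK = "ssh 192.0.2.0 255.255.255.0 inside\nssh timeout 5\n"
SAMPLE_CONFIG_FIXED = SAMPLE_CONFIG_WEAK + "ssh version 2\n"

# Ciphers that should be flagged if they show up in the Encryption column.
WEAK_CIPHERS = {"3des", "des", "rc4", "arcfour"}


def parse_ssh_sessions(text):
    """Return a list of session dicts; each has a 'directions' list (IN/OUT)."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "SID":
            continue  # blank line or the column header
        if fields[0].isdigit() and len(fields) == 8:
            # Primary line: SID, client, version, mode, cipher, hmac, state, user
            sid, client, version, mode, cipher, hmac, state, user = fields
            sessions.append({
                "sid": int(sid), "client": client, "version": version,
                "username": user,
                "directions": [{"mode": mode, "cipher": cipher,
                                "hmac": hmac, "state": state}],
            })
        elif sessions and len(fields) == 5:
            # Continuation line: the OUT side of an SSHv2 session
            mode, cipher, hmac, state, _user = fields
            sessions[-1]["directions"].append(
                {"mode": mode, "cipher": cipher, "hmac": hmac, "state": state})
        else:
            raise ValueError("unrecognised line: %r" % line)
    return sessions


def audit_sessions(sessions):
    """Return (sid, finding) tuples for anything that should not be allowed."""
    findings = []
    for s in sessions:
        major = s["version"].split(".")[0]
        if major == "1":  # 1.5, 1.99, anything 1.x is protocol version 1
            findings.append((s["sid"], "SSHv1 session (%s) from %s as %s"
                             % (s["version"], s["client"], s["username"])))
        for d in s["directions"]:
            if d["cipher"].lower() in WEAK_CIPHERS:
                findings.append((s["sid"], "weak cipher %s" % d["cipher"]))
            if d["hmac"] == "-":
                findings.append((s["sid"], "no HMAC negotiated"))
    return findings


def config_enforces_sshv2(config_text):
    """True if the running config pins SSH to version 2 only."""
    return any(re.fullmatch(r"\s*ssh version 2\s*", line)
               for line in config_text.splitlines())


if __name__ == "__main__":
    for sid, msg in audit_sessions(parse_ssh_sessions(SAMPLE_SESSIONS)):
        print("SID %d: %s" % (sid, msg))
    print("weak config enforces v2:", config_enforces_sshv2(SAMPLE_CONFIG_WEAK))
    print("fixed config enforces v2:", config_enforces_sshv2(SAMPLE_CONFIG_FIXED))
```

Feed it the real command output (for example pasted into SAMPLE_SESSIONS) and it lists every session still on protocol 1 along with who owns it, which is what a scanner will report against; once "ssh version 2" is in the config, the v1 findings should disappear as those sessions reconnect.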

Wednesday, February 1, 2012

Notes on VPN clients for Check Point...

Here are just some notes on the VPN clients that I have collected over time.  These notes are applicable up to R75.30. 

The Check Point Mobile (fat client) licensing is covered under the Mobile Access blade. However, it is not configured under this blade. It is configured like a regular remote-access client with the rule base.
Check Point Mobile - IPSec VPN and Mobile Access required on the gateway.

Only the SSL client is configured under the Mobile Access blade. Licensing is also under this blade for the SSL clients.

Endpoint Security has a Check Point Endpoint Policy Management Software Blade. This is the most feature-rich VPN client.
Endpoint Security VPN - requires remote-access VPN on management and IPSec VPN on the gateway.

SecuRemote is configured like a regular IPSec remote-access client. Office Mode is not part of the SecuRemote package.
SecuRemote - IPSec VPN required on the gateway.

iPhone/iPad - need the Mobile Access blade. Comes with LDAP capability.

Important questions that you might want to ask, to determine what you might need:
1. Do you need LDAP authentication? (If "yes", they need the Mobile Access license.) (If they need LDAP, they probably don't need RADIUS authentication.)
2. Do you need RADIUS integrated with AD? (If "yes", they need the IPSec VPN license.)
3. Will you do site-to-site VPN? (If "yes", they need the IPSec VPN license.)
4. Will you do remote-access VPN with your laptop? (If "yes", they need the IPSec VPN license.)
5. Will you do remote-access VPN with your iPhone/iPad? (If "yes", they need the Mobile Access license.)
6. Will you do remote-access VPN with your Android phone? (If "yes", they need the Mobile Access license.)