
Restricting Remote Access by IPv4 Address


Objective: 

Permit Check Point Endpoint Security VPN clients to establish a connection only if those clients are connecting from a known selection of IPv4 addresses.

Clients are secured using certificates issued by the Check Point appliance, but we do not want them to be able to connect unless they are being used from specific locations (and therefore are using known public IP addresses).

Our methodology:

-Disabled the Implied Rule "Accept Remote Access Control Connections"

-Other Implied Rules for "Control Connections" remain Enabled

-Configured appliance for Remote Access using Office Mode 

-Configured an Explicit rule for RA Connections:

 SOURCE = (Known group of IP addresses)

 DEST = External interface of Appliance

 Service = ESP, TCP18231,500,264,443, UDP500,4500,259,2746

 Action = ACCEPT 

Expected Result: 

-Endpoint clients with a Certificate AND inside private networks NAT'd out from one of the Known IPs can establish the VPN connection

-Otherwise no connection possible

Actual Result:

-Any client with a Certificate can establish the VPN connection from any source IP address

For verification, we have disabled the Explicit Rule for RA Connections (described above) (and left the Implied Rule "Accept Remote Access Control Connections" disabled) and even then, any client with a Certificate can still establish a connection successfully. 

The Implied Rule "Accept Web and SSH connections" is Enabled

This is using GAIA R77.3

Any advice gratefully received.


Accepted Solutions

Re: Restricting Remote Access by IPv4 Address


This is the answer... at last

Network Location Awareness in Global Properties

It had to be something simple!

Thanks again for your assistance.


17 Replies
Admin

Re: Restricting Remote Access by IPv4 Address


Where is the rule you describe in relation to the rule that permits access from the Remote Access clients? (Rule numbers)

Also which Remote Access clients are you using here? 


Re: Restricting Remote Access by IPv4 Address


Explicit Rules 

...

#4 - the Rule I describe above (i.e. 

{ SOURCE = (Known group of IP addresses), DEST = External interface of Appliance } 

    (n.b. VPN = "Any traffic", because this is intended to Control the establishment of the tunnel)

#5 - Stealth Rule (Drop traffic to Appliance)

...

Numerous other rules...

#20 & 21     Rules that specify VPN = "x-RemoteAccess" to control client access through the tunnel.

The client is Check Point Secure Endpoint E80.72 Build 986005008

(I'm not sure of the relevance to the problem of the relative positioning of #4 and #s 20 & 21 - presumably the latter pair are only evaluated by the Appliance once the tunnel has been established... but I'll defer to expertise!   Do let me know please if I have misunderstood your question)

Admin

Re: Restricting Remote Access by IPv4 Address


You understood the question perfectly. :)

If the rules were swapped in order, I may have thought the VPN rule was enabling the needed traffic.

After thinking about it more, what I suspect is happening is that the VPN traffic is actually being accepted by a different implied rule.

And, in fact, if you show the Implied Rules in the policy, you'll see rules for IKE and NAT Traversal there.

And this is even with the option you chose disabled:

From looking at $FWDIR/lib/implied_rules.def on the management, I'm thinking the two lines you will need to comment out are:

#define ENABLE_IKE

#define ENABLE_NATT

In other words, replace the above two lines with:

/* #define ENABLE_IKE

#define ENABLE_NATT */

And install the security policy.

In general, though, one should be careful about disabling all implied rules.

See: How to completely disable FireWall Implied Rules 

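The edit described above, as an added example that is not part of the original thread: a small script for the management server that comments out the two defines in a copy of $FWDIR/lib/implied_rules.def, takes a timestamped backup first, and refuses to run twice. It assumes the file contains lines that begin with "#define ENABLE_IKE" and "#define ENABLE_NATT" exactly as quoted in the post; each line is wrapped in its own /* ... */, which the preprocessor treats the same as the single block comment in the post and which also works if the two lines are not adjacent in the real file. The demo at the bottom runs against a constructed stand-in file, not the real one.

```shell
#!/bin/bash
# Added example (not from the thread): comment out ENABLE_IKE / ENABLE_NATT in
# implied_rules.def, keeping a timestamped backup of the original.
# Assumption: the file has lines starting "#define ENABLE_IKE" and
# "#define ENABLE_NATT" (as quoted in the post), one define per line.

set -u

# Dry run: print what the file would look like without touching it.
render_disabled_implied_rules() {
    # $1 = path to implied_rules.def
    sed -E 's@^([[:space:]]*#define[[:space:]]+ENABLE_(IKE|NATT))([[:space:]]*)$@/* \1 */@' "$1"
}

# Count how many of the two defines are still active (0 after a successful run).
count_active_defines() {
    grep -cE '^[[:space:]]*#define[[:space:]]+ENABLE_(IKE|NATT)([[:space:]]|$)' "$1" || true
}

# Apply in place after taking a backup. Refuses to run unless exactly the two
# active defines are present, so re-running it (or running it on an already
# edited file) changes nothing.
disable_ike_natt_implied_rules() {
    local def="$1"
    local n
    n=$(count_active_defines "$def")
    if [ "$n" -ne 2 ]; then
        echo "expected 2 active defines in $def, found $n; nothing changed" >&2
        return 1
    fi
    cp -p "$def" "$def.bak.$(date +%Y%m%d%H%M%S)"
    local tmp
    tmp=$(mktemp)
    # Write through a temp file, then copy the content back so the original
    # inode, owner and mode are preserved.
    render_disabled_implied_rules "$def" > "$tmp" && cat "$tmp" > "$def"
    rm -f "$tmp"
}

# Demo on a constructed stand-in for implied_rules.def (not the real file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/* constructed sample, not the real implied_rules.def */
#define ENABLE_IKE
#define ENABLE_NATT
#define ENABLE_CPD
EOF
disable_ike_natt_implied_rules "$SAMPLE"
cat "$SAMPLE"
```

On a real management server you would point it at "$FWDIR/lib/implied_rules.def" and then install policy, as the post says. The check for exactly two active defines is what keeps the script idempotent; and as the rest of the thread notes, this change is not preserved across upgrades and, in the original poster's environment, also removed the implied IKE acceptance that the site-to-site VPNs depended on.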

Re: Restricting Remote Access by IPv4 Address


Thanks for this :)

Disabling any more of Implied Rules does make me nervous, particularly IKE, because we are also running other Site-to-Site VPNs which I do not want to break.

So I may have to stick another firewall in front of the Checkpoint to get exactly what I want :(

Thanks for your time and help! 

Admin

Re: Restricting Remote Access by IPv4 Address


In terms of implied rules that can be disabled, these have a much lower impact than, say, disabling FireWall-1 Control Connections. :)

Also, if you go down this road, it's worth pointing out this is most likely a change that won't be preserved on upgrades. 


Re: Restricting Remote Access by IPv4 Address


Tried to disable the Implied Rules: as predicted, all of the Site-to-Site VPN connections came crashing down (this, even with explicit rules in place to compensate).

Have also tried putting a firewall in front of the Checkpoint and NATTing the Remote Access connections through, but it all got too messy and unworkable. (I have discovered the limitations of Checkpoint Policy Based Routing along the way).

Now reaching out to Checkpoint Support for guidance.

What a wasted weekend LOL

Admin

Re: Restricting Remote Access by IPv4 Address


Not sure why I didn't think of it before, but you can restrict the sources the user is allowed from in the user profile itself.

This won't block IKE traffic from unallowed sources, but it will prevent the specific users from authenticating if they are not at an allowed location.


Re: Restricting Remote Access by IPv4 Address


I assumed that those referred to IP topology zones as seen from the perspective of being inside the tunnel.

It would be quite hilarious if this was the solution, given the amount of time I have spent on this.

I'll try it. If it applies to the "plain" (outer) connection, then it will probably be good enough, if not ideal.

Thanks.


Re: Restricting Remote Access by IPv4 Address


Yea, so based on a quick test, the settings you are looking at have nothing to do with whether or not the tunnel can be established.

Authentication works independently of these settings.

These settings are controlling traffic inside the tunnel once it has been established (much like standard Policy)

Admin

Re: Restricting Remote Access by IPv4 Address


If you're not using Office Mode on your VPN clients, then this can work.

Granted, it will still allow tunnel establishment, but they won't allow any traffic to flow through.

In any case, it was worth a shot. 

Admin

Re: Restricting Remote Access by IPv4 Address


Try creating an Access Role for your VPN users.

Ensure that access role is limited to the specific IP addresses.

Use that as the "Source" for your Remote Access rules.


Re: Restricting Remote Access by IPv4 Address


It seems fairly unlikely to me that that will work. I strongly suspect that it's just an extension of the functionality we have already discussed - don't you?

I may give it a try tomorrow. It's spectacularly late here.

Another option has occurred to me which is to place a firewall bridge in front of the CP instead of a routing firewall. This would allow me to filter but without needing any additional awkward routing requirements on the CP itself.

I'll see what CP support say too. You'd think that there would be a way of doing this on the CP box - but I'm coming toward the surprising conclusion that there isn't. Perhaps, not many customers have this as a requirement.

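The "firewall bridge in front of the CP" idea from the post above, as an added example that is not part of the original thread: an nftables ruleset for a Linux host bridging the gateway's external link, which lets the tunnel-establishment services from the explicit rule in the original post (ESP, UDP 500/4500/259/2746, TCP 18231/500/264/443) reach the gateway's external IP only from the known source addresses and drops them from everywhere else. All addresses are hypothetical: the gateway external IP 192.0.2.1, the known client sources 198.51.100.10 and 203.0.113.0/29, and a site-to-site peer 203.0.113.200. It also assumes a kernel and nft new enough to match IP fields in the bridge family. The script only applies the ruleset when VPN_GUARD_APPLY=1 is set and it runs as root; otherwise it prints the ruleset for review.

```shell
#!/bin/bash
# Added example, not from the thread: nftables ruleset for a bridging firewall in
# front of the Check Point gateway, restricting VPN tunnel-establishment traffic
# to known source IPs. All addresses below are hypothetical placeholders.

set -u

GATEWAY_IP="192.0.2.1"
# Site-to-site peers must be in this set as well, or their IKE/ESP is dropped too.
KNOWN_SOURCES="198.51.100.10, 203.0.113.0/29, 203.0.113.200"

# Emit the ruleset text. Kept in a function so it can be inspected or tested
# without being loaded into the kernel.
render_vpn_guard_ruleset() {
    local gw="$1" sources="$2"
    cat <<EOF
table bridge vpn_guard {
    set known_sources {
        type ipv4_addr
        flags interval
        elements = { ${sources} }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Tunnel-establishment services to the gateway: accept from known sources only.
        ip daddr ${gw} ip saddr @known_sources ip protocol esp accept
        ip daddr ${gw} ip saddr @known_sources udp dport { 500, 4500, 259, 2746 } accept
        ip daddr ${gw} ip saddr @known_sources tcp dport { 18231, 500, 264, 443 } accept
        # Same services from anyone else: drop (counters make the blocked attempts visible).
        ip daddr ${gw} ip protocol esp counter drop
        ip daddr ${gw} udp dport { 500, 4500, 259, 2746 } counter drop
        ip daddr ${gw} tcp dport { 18231, 500, 264, 443 } counter drop
        # Everything else (e.g. ordinary traffic to hosts behind the gateway) falls through.
    }
}
EOF
}

# Load the ruleset only when explicitly asked to and running as root;
# otherwise print it so it can be reviewed first.
apply_vpn_guard_ruleset() {
    local file
    file=$(mktemp)
    render_vpn_guard_ruleset "$GATEWAY_IP" "$KNOWN_SOURCES" > "$file"
    if [ "${VPN_GUARD_APPLY:-0}" = "1" ] && command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -f "$file"
    else
        cat "$file"
    fi
    rm -f "$file"
}

apply_vpn_guard_ruleset
```

Because the bridge sits on the outside of the gateway it sees the site-to-site peers' IKE and ESP as well, so those peers have to be in known_sources; that is the same trap the original poster hit when disabling the implied IKE rule on the gateway itself. After loading, "nft list ruleset" shows the rules, and the counters on the drop lines show how many blocked attempts there were.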
Admin

Re: Restricting Remote Access by IPv4 Address


Access Roles are different functionality than what I previously described.

They handle this requirement for non-VPN usage (who, where, on what machine) for sure.

The previous functionality I described has been in the product for a couple of decades now.

Very different use cases :)


Re: Restricting Remote Access by IPv4 Address


I can confirm that this is not possible, because it isn't possible to use an Access Role in the Source Column of a VPN-specific rule.

Policy fails validation.


Re: Restricting Remote Access by IPv4 Address


Can also confirm that (somewhat unsurprisingly) using an AR in a VPN "Any Traffic" Rule has no effect on policy inside the tunnel (even if the AR includes Users authenticated to establish the tunnel).



Admin

Re: Restricting Remote Access by IPv4 Address


Glad you were able to figure it out.

Sorry I wasn't able to provide the correct answer :)
