StevePearson
Advisor

Securing central management

I have a site with a quantum cluster and SMS plus several remote sites that are also managed from the SMS.

An external pen test has highlighted issues with port 264 as follows:

The Check Point SecuRemote topology service on TCP port 264 is designed to provide VPN clients with gateway identity and encryption capability information during the connection establishment phase. When this service is accessible without authentication, any remote attacker can retrieve the gateway object name, the SmartCenter management server hostname, the internal domain name, and the list of supported VPN encryption methods by sending a single topology request. This information enables an attacker to map the organisation's site topology, identify subsidiary relationships, and plan targeted attacks without prior access. During testing, a SecuRemote topology probe was sent to TCP port 264 on all six gateways.

They also note other ports that are used for gateway comms and the fact that the cert is self-signed (which it is, as the comms are all "internal").

Is there a best practice for securing this type of setup? It must be quite common to have this setup for managing remote gateways.

0 Kudos
3 Replies
Chris_Atkinson
MVP Platinum CHKP

Hey Steve, 

There are a few relevant SKs, did you already find sk60773 and similar or is your ask different?

CCSM R77/R80/ELITE
0 Kudos
StevePearson
Advisor

Hi Chris,

Yes, I've seen this, but it doesn't really help. I know it's due to implied rules, so I need to turn some of them off, but I was hoping there might be a document that explained the effect of turning each one off and how to replace them with standard rules that can be controlled.

For example, port 264 is used by the VPN client to get the topology. In the scenario I'm working with here, the main Quantum cluster has VPN users but none of the remote sites do, so it would be good to turn it off for them (and it's those sites that were scanned, not the Quantum, to get the info I posted earlier!).

0 Kudos
PhoneBoy
Admin

This is probably the most relevant SK: https://support.checkpoint.com/results/sk/sk132712 
More specifically the part about vpnd listening on port 264.

0 Kudos
