This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Coketo
Participant
Participant
‎2024-12-31 08:30 AM

How to avoid 3th Party VPN Client

Hi,

After some security updates, certain VPN clients using Linux OS and the SNX connector (without Mobile Access Blades, just IPsec VPN) were unable to complete the MFA process using OTP. This issue was resolved by having users access the Mobile Access Portal through Chrome on their Linux devices and use the SNX client to receive the OTP and connect.

However, during this process, some users discovered they could use third-party software clients to establish VPN connections with MFA by using alternative client software.

The third-party client being referenced is available at:
https://github.com/ancwrd1/snx-rs

The concern is: how can I prevent access from non-official clients, especially when their logs appear as "EndpointClient," similar to those of users who use the official Endpoint Client to connect?

Best Regards,

8 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-12-31 08:53 AM

Apart from SCV feature, maybe below can help? You can use access roles for it, but you do need identity awareness blade enabled.

Andy

 

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
Coketo
Participant
Participant
‎2025-01-02 11:59 AM
In response to the_rock

It looks interesting I'll investigate more about this, thanks

the_rock
MVP Diamond
MVP Diamond
‎2025-01-02 12:05 PM
In response to Coketo

I never personally tested it myself, but I am pretty sure it would work.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-02 10:04 AM

Short of disabling SNX as an allowed client (which would also disable the official SNX client), not sure of a way to do this.
I would open a TAC case.

0 Kudos
Coketo
Participant
Participant
‎2025-01-02 11:58 AM
In response to PhoneBoy

Yes, but I need to keep linux users that uses snx.. One particular issue with this unofficial client is that it appears as official EndPointClient on Windows in the IAw logs 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-02 02:06 PM
In response to Coketo

Completely understand.
As I said, best to open a TAC case.
I’m also checking with R&D on the backend.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-01-02 05:13 PM
In response to Coketo

Thats super valid point.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
ancwrd1
Participant
‎2025-01-20 02:09 PM
In response to the_rock

Hi, I am the author of the mentioned 3rd-party software. The only reason why it exists is the lack of the proper VPN client for Linux which is comparable to the one for Windows or macOS.
Security by obscurity will never work so trying to block it is waste of time and a pointless exercise (why? because the protocol is reverse-engineered).
If you have specific wishes for the logging please open a bug ticket in github.

(2)
Upcoming Events

    CheckMates Events