mistercinux
Contributor

Bypassing MFA when authenticating with vpn certificates

Hello team, 

 

We recently found that using strongswan with vpn certificate and MFA enabled, we can bypass MFA.

Is there a way to prevent connections with strongswan clients ? 

 

All versions are concerned.

 

Best regards,

Chris

0 Kudos
9 Replies
G_W_Albrecht
Legend

Do not give them certificates and revoke the ones already issued!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mistercinux
Contributor

Hello G_W_Albrecht

All our users were using certificate authentication, and since we are implementing additional MFA, we configured the gateway to do a push after certificate authentication. If we revoke all certificates we just cut the VPN access of all the remote users.

What we are looking for is a way to prevent non-Check Point clients from connecting to the security gateway.

What are the best practices for authenticating users for remote access? I always thought that certificate auth was the best.

 

Will the usage of CAPI prevent such 3rd-party VPN clients from authenticating?

 

0 Kudos
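The gap described in this thread (certificate authentication succeeds, the push never happens, the tunnel still comes up) is something a defender can look for in gateway logs even before a configuration fix is in place. The script below is an added example and is not code from the thread, from Check Point, or from the strongSwan project; the log format it parses is constructed and hypothetical (Check Point's real log schema is different, so the field names would need to be mapped). It correlates events per session and flags any tunnel that was established without an accepted MFA push, noting whether the client identified itself as one on an allowlist.

```python
import re
from collections import defaultdict

# Constructed, hypothetical log format used only for this example; it is NOT
# the Check Point gateway log schema. Each line: timestamp, then key=value pairs.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z session=s1 user=alice event=cert_auth result=success client=CheckPointEndpoint
2024-05-01T08:00:03Z session=s1 user=alice event=mfa_push result=accepted
2024-05-01T08:00:05Z session=s1 user=alice event=tunnel_up
2024-05-01T08:10:11Z session=s2 user=bob event=cert_auth result=success client=strongSwan
2024-05-01T08:10:12Z session=s2 user=bob event=tunnel_up
2024-05-01T08:20:40Z session=s3 user=carol event=cert_auth result=success client=CheckPointEndpoint
2024-05-01T08:20:55Z session=s3 user=carol event=mfa_push result=denied
2024-05-01T08:30:02Z session=s4 user=dave event=cert_auth result=failure client=strongSwan
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of fields (timestamp plus key=value pairs)."""
    parts = line.split(maxsplit=1)
    if len(parts) != 2:
        return None
    fields = dict(KV_RE.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def find_mfa_gaps(log_text, allowed_clients=frozenset({"CheckPointEndpoint"})):
    """Return sessions where a tunnel came up without an accepted MFA push.

    The allowlist of client identifiers is an assumption of this example; it
    lets a reviewer see whether the tunnel was built by a third-party IKE client.
    """
    sessions = defaultdict(lambda: {"user": None, "client": None,
                                    "cert_ok": False, "mfa_ok": False,
                                    "tunnel": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or "session" not in ev:
            continue
        s = sessions[ev["session"]]
        s["user"] = ev.get("user", s["user"])
        if ev.get("event") == "cert_auth":
            s["client"] = ev.get("client")
            s["cert_ok"] = ev.get("result") == "success"
        elif ev.get("event") == "mfa_push":
            s["mfa_ok"] = ev.get("result") == "accepted"
        elif ev.get("event") == "tunnel_up":
            s["tunnel"] = True

    findings = []
    for sid in sorted(sessions):
        s = sessions[sid]
        # A tunnel that exists without an accepted push is the condition to alert on;
        # a denied push with no tunnel (session s3) is the gateway working correctly.
        if s["tunnel"] and not s["mfa_ok"]:
            findings.append({
                "session": sid,
                "user": s["user"],
                "client": s["client"],
                "client_allowed": s["client"] in allowed_clients,
            })
    return findings


if __name__ == "__main__":
    for f in find_mfa_gaps(SAMPLE_LOG):
        print(f"ALERT session={f['session']} user={f['user']} client={f['client']} "
              f"allowed_client={f['client_allowed']} tunnel established without MFA")
```

On the constructed sample only session s2 is reported: the certificate check passed, no push event was logged, and the tunnel came up. Keying the correlation on the session identifier rather than on the user matters, because a single user can legitimately have one session that passed MFA and a later one that did not.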
G_W_Albrecht
Legend

Hi,

 

Sorry, maybe I mixed up something - with our CheckPoint deployment, each user gets his own certificate, so what I mentioned above was based on that configuration. Here https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... you find what has to be enabled on the CP GW to enable StrongSwan access, so you can disable access by disabling these - e.g. if StrongSwan connects using aes256-sha1-modp1024 you can disable it on the GW.

I would suggest opening an SR with CP TAC to get suggestions on how to achieve this in a simple way!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mistercinux
Contributor

Hi, 

Thanks for your answer. We'll try it and update the case. 

Chris

0 Kudos
the_rock
Legend

I know last time I worked with a customer for cert auth for VPN clients, we ended up working with TAC. It's probably your best bet at this point.

Andy

0 Kudos
mistercinux
Contributor

Hi the_Rock,

Thank you for your feedback. 
We already worked with TAC and they said that it's working as designed.
We may stop working with certificates if we do not find a way to prevent strongswan clients from bypassing MFA :-(.

 

Chris

0 Kudos
the_rock
Legend

I can't say for sure if it's expected or not, but I have a gut feeling there must be some way to make this work. We can connect offline if you are allowed to do remote and check it out.

Andy

0 Kudos
PhoneBoy
Admin

There's an option to allow only certain VPN clients to connect in SmartConsole (specifically in Global Properties), but I'm not sure how Strongswan is treated here as it is not explicitly listed.

In any case, you can configure SCV to do some Windows-specific checks.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 
If you need to support Mac clients, you will need to enable macOS support and configure a specific policy with: https://support.checkpoint.com/results/sk/sk182226 
If you require SCV, clients that don't support it (like Strongswan) will fail unless you've enabled the option to allow clients without SCV support.

0 Kudos
mistercinux
Contributor

Hi, 

Thank you. We'll test this configuration and update this post as soon as we have the results. 

0 Kudos