This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
shenderson
Participant
‎2019-04-09 01:38 AM

Restricting access to corporate devices

We are evaluating Checkpoint VPN and one of the things it needs to do is control client access based on whether the devices is corporate or non-corporate.

What we need it to do is the following:

  1. Corporate owned devices (Windows, Mac, Linux, iOS,Android) need to be able to connect to the VPN and have access to all internal and DMZ based systems. Authentication will be done with with LDAP (Active Directory)
  2. Contractors need to be able to connect to the VPN and access certain systems in the DMZ. Authentication will be done with with LDAP (Active Directory).

In an ideal world I would like to be able to push a certificate to the corporate machines and have this inspected at VPN connection time, and then based on this allow the machine into the internal network. For Windows we have Group Policies/SCCM and for Mac we have Jamf so we can push what every we need. The contractors would get access based on their username/password.

Basically I want to stop an employee from going to Aldi and buying a PC, then use this to connect to the internal network through VPN using their username and password, 

How can Checkpoint do this, any ideas?

 

12 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-04-09 07:07 AM

I would suggest to use ESOD (Endpoint Security on Demand) with SNX, see Remote Access VPN Administration Guide R80.20 p. 132ff ! This makes it possible to use e.g. a Win registry key deployed by GPO to differentiate between corporate and contractors PCs.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
shenderson
Participant
‎2019-04-09 11:49 PM
In response to G_W_Albrecht

Great thanks! How do I differentiate between Windows and non-Windows machines in the policies. I am more interested in stopping private Windows machines than Mac or Linux. Is is a case to looking at the client type, meaning having multiple lines for the internal employees each with a different client version?

I have also seen that I can check if the machine is in a specific AD group, has anyone had any success with this and will it also work with Mac (if they are registered in the domain)?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-04-10 02:50 AM
In response to shenderson

Please first have a good read through R80.20 Remote Access VPN Administration Guide and afterwards, after digesting the conatined information, ask the questions that have been left over !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Jerry
Mentor
Mentor
‎2019-04-09 08:22 AM

all you need is one-two day PS Consultant 🙂 and job done!
Jerry
0 Kudos
abihsot__
Advisor
‎2020-05-27 06:59 AM

Hello,

were you able to find a solution?

0 Kudos
Wolfgang
Authority
Authority
‎2020-05-27 08:16 AM
In response to abihsot__ 

I think best solution doing that will be using Secure Configuration Verification (SCV).
The client is checked for compliance before they can connect.
Follow Secure Configuration Verification (SCV) 

Wolfgang

 

abihsot__
Advisor
‎2020-05-27 08:45 AM
In response to Wolfgang

Hello,

Thanks fo reply. In fact I read about SCV already but I am a bit lost in all the flavours and products. 

So SCV will not check compliance for Mac OS, which I think will make device non-compliant immediately upon connecting to VPN. My overall challenge is very simllar as for original poster.

 

company laptop (only windows) -> Remote Access -> resource A, B

any other device (windows + Mac OS) -> Remote Access -> resource A

 

I was investigating as well SmartEndpoint suite, but at first try it looks good, but probably not the right tool to achieve such setup. 

 

0 Kudos
Jeroen_Demets
Collaborator
‎2020-05-28 01:33 AM
In response to abihsot__

This is a very interesting topic that would be very nice to have in a GUI.

What I read from sk sk147416 about SCV is that it also requires a desktop policy, so we have to go to the old SmartDashboard to create a firewall policy. Ok, that's doable but doesn't that require a higher license and EndPoint Security?

=> The compliance checks is supported by Endpoint Security Client, Check Point Mobile for Windows, Full Suite version

With the active marketing the names of the vpn client are changing every year :'s

I thought Check Point Mobile for Windows (apparently new name for EndPoint Connect) is not able to use a desktop policy but apparently can use SCV. This is confusing. So we create a fake desktop policy and enable Policy server and then we edit the scv text file.

 

Let's say it just works then:

SCV can check a registry key as well: Registry Monitor: Verifies System Registry keys, values, and their contents. 

So we could just add a key somewhere using a GPO and then we have an easy way to check the clients. Of course this will then only work for Windows. I noticed you could create exceptions so you can allow some access to those who fail the check.

I'd like to see Check Point's recommendation or a real how-to guide to do this. Does anyone have a link for that? The sk on itself is already pretty good though so if I'd have the time I can start trying this out.

A lot of current home workers are using their own personal computer instead of their company laptop to VPN in so it seems really interesting to be able to control this.

0 Kudos
Ruan_Kotze
Advisor
‎2020-05-28 02:39 AM
In response to Jeroen_Demets

Hi Jeroen,

It's not a official Check Point guide but I wrote a detailed howto on my blog: https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html

This covers both the gateway and endpoint configuration.

Let me know if anything is not clear.

Ruan

abihsot__
Advisor
‎2020-06-17 01:04 AM
In response to Ruan_Kotze

Hi there,

Does anyone know what happens when Mac OS connects to the gateway where SCV check is enforced? SCV does not support Mac OS, so does it mean such client will be marked as non-compliant?

0 Kudos
Wolfgang
Authority
Authority
‎2020-06-17 02:28 AM
In response to abihsot__

Connection is not allowed until you set the following:

Traffic from Mac OS is dropped and "SCV client configuration is not verified" error is displayed 

Wolfgang

abihsot__
Advisor
‎2020-06-17 02:39 AM
In response to Wolfgang

Many thanks for your reply. TAC is still working on another issue regarding Desktop policy installation problem, which is blocking me to actively test it.

This looks very promissing indeed, as in such case even without enabling :allow_non_scv_clients (true) I can setup SCV exception to allow non-verified clients to some VPN resources. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events