Ivory

"Respond to unauthenticated topology requests" option

Greetings!  


So many moons ago I used Check Point Firewall-1 4.0 and there was an option in there to stop topology downloads to SecuRemote/SecureClient unless you had authenticated.  The option was "respond to unauthenticated topology requests" which you would disable to force the client to ask for authentication before downloading the topology.  Does this option still exist in R80 and if so, where is it?


Cheers


Sean

4 Replies
Admin

I remember this property.
However, it wasn't even in Firewall-1 NG, which means it's been gone for a while.
And when I go back to my first Firewall-1 book (written in the 4.1 days), it looks like it was only relevant for pre-4.0 versions of clients, which allowed this.
Every version since 4.0 should require authentication to download topology.

Which begs the question: What's the real issue you're trying to solve?
Ivory

Hi - It was just that a new R80.30 install we did recently allowed me to download the site information into the Endpoint Security client purely by pointing at the gateway address - no auth or anything.  I used to be very familiar with Check Point from 3.0b through to R65 (CCSE) but I've had a few years away before re-joining the fold at R80 - this is the first time I have come across this since coming back.

In the past, once you had site information downloaded, it was then very simple to determine the partial internal network topology from the client's userc.c file (or whatever it was).  I remember you also had the option of encrypting the users.c file to provide a degree of protection, but you also had the ability to require authentication before topology download and hence take away the potential for unauthorised/unauthenticated discovery in the first place.

I'm guessing things in local config files are a little more protected since the days of 4.0 but the fact that VPN site information can be set up without auth potentially gives an attacker the additional opportunity to try (for instance) brute force?  Not sure if I'm thinking along the right lines here but it seemed to me having the ability to switch off "Respond to unauthenticated topology requests" was a good idea.  Maybe it's mitigated in a different way now - what do you think?

Cheers

Sean

Admin

I'm pretty sure topology is not downloaded when the site is created, but only on first authentication.
Further, interesting bits of the config (including Topology) should be obscured in the local config files.
I haven't checked recently, but that's what I remember.
Ivory

Ah that might make sense - I took site download to include topology download.  OK I think you have answered my question - thanks!
