This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cakerack
Participant
‎2020-04-15 04:53 AM

"Respond to unauthenticated topology requests" option

Greetings!  

 

So many moons ago I used Check Point Firewall-1 4.0 and there was an option in there to stop topology downloads to SecuRemote/SecureClient unless you had authenticated.  The option was "respond to unauthenticated topology requests" which you would disable to force the client to ask for authentication before downloading the topology.  Does this option still exist in R80 and if so, where is it?

 

Cheers


Sean

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2020-04-15 10:08 PM

I remember this property.
However, it wasn't even in Firewall-1 NG, which means it's been gone for a while.
And when I go back to my first Firewall-1 book (written in the 4.1 days), it looks like it was only relevant for pre-4.0 versions of clients, which allowed this.
Every version since 4.0 should require authentication to download topology.

Which begs the question: What's the real issue you're trying to solve?
0 Kudos
Cakerack
Participant
‎2020-04-16 02:53 AM
In response to PhoneBoy

Hi - It was just a new R80.30 install we did recently allowed me to download the site information into Endpoint Security client purely by pointing at the gateway address - no auth or anything.  I used to be very familiar with Check Point from 3.0b through to R65 (CCSE) but I've had a few years away before re-joining the fold at R80 - this is the first time I have come across this since coming back. 

In the past, once you had site information downloaded, it was then very simple to determine the partial internal network topology from the client's userc.c file (or whatever it was).  I remember you also had the option of encrypting the users.c file to provide a degree of protection, but you also had the ability to provide authentication before topology download and hence taking away the potential of unauthorised/unauthenticated discovery in the first place.

I'm guessing things in local config files are a little more protected since the days of 4.0 but the fact that VPN site information can be set up without auth potentially gives an attacker the additional opportunity to try (for instance) brute force?  Not sure if I'm thinking along the right lines here but it seemed to me having the ability to switch off "Respond to unauthenticated topology requests" was a good idea.  Maybe it's mitigated in a different way now - what do you think?

Cheers

Sean

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-16 10:48 AM
In response to Cakerack

I'm pretty sure topology is not downloaded when the site is created, but only on first authentication.
Further, interesting bits of the config (including Topology) should be obscured in the local config files.
I haven't checked recently, but that's what I remember.
0 Kudos
Cakerack
Participant
‎2020-04-16 10:50 AM
In response to PhoneBoy

Ah that might make sense - I took site download to include topology download.  OK I think you have answered my question - thanks!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events