Security after establishing VPN

Gibson, Brian GibsonB at GRUNTAL.COM
Tue May 16 14:58:56 EDT 2000


Yes it would only encrypt traffic for POP3.  Other traffic would be dropped
by your drop all or if for some bizarre reason you didn't have a drop all it
would drop with no rule match found, assuming you don't have another client
encrypt rule.  You could even take it a step further, if you felt the need,
and put your POP server on its own subnet and assign only that network as
your encryption domain.  Thus any other traffic would be unencrypted and
either drop into netherspace, if you are using non-routable addresses, or be
dropped by the Firewall if you are using routable.

> -----Original Message-----
> From: Michael Louie [mailto:mlouie at SPEAKEASY.ORG]
> Sent: Tuesday, May 16, 2000 1:35 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Re: Security after establishing VPN
>
>
> Ryan,
>
> Please correct me if I'm wrong, but wouldn't this rule only force encryption of
> pop3 data to the mailserver?  -Perhaps I am not being clear in my question.  I
> would like to implement a remote access solution.  [For example] if I would like
> to restrict access to only pop3 to the mailserver, and not allow users to
> telnet, ftp, etc anywhere else.  Is this possible?
>
>
> Thanks again,
> Mike
>
> On Tue, 16 May 2000, Ryan Russell wrote:
>
> > Assuming your encryption settings are in place:
> >
> > Source          Dest         Service    Action           Log     Comment
> > not localnet    mailserver   pop3       client-encrypt   long
> >
> > At least, that's what I can recall... I don't run a FW-1 anymore.
> > (Change of jobs... not FW-1's fault :) )
> >
> > 					Ryan
> >
> >
> > On Tue, 16 May 2000, Michael Louie wrote:
> >
> > > Only allowing the use of port 110 to an internal mailserver was only an
> > > example.  How would I define this rule?
> > >
> > >
> > > Thanks,
> > > Mike
> > >
> > > On Tue, 16 May 2000, Ryan Russell wrote:
> > >
> > > > The question isn't clear... are you asking if you can VPN to only port
> > > > 110?  Yes.  You can add a client-encrypt rule to only allow in to port
> > > > 110.  This is for SecuRemote connections, mind you.. though I think the
> > > > same applies to FW-to-FW rules.
> > > >
> > > > 					Ryan
> > > >
> > > > On Mon, 15 May 2000, Michael Louie wrote:
> > > >
> > > > > Does Checkpoint version 4 and later have any built in security for restricting
> > > > > access after a VPN connection is established (port 110 to the mailserver only
> > > > > for example)?  -or am I pretty much forced to purchase an additional firewall?
> > > > >
> > > >
> > > >
> > > >
> > >
> >
> >
>
> VPN is sponsored by SecurityFocus.COM
>
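The rulebase behaviour the thread describes (a single client-encrypt rule for pop3 to the mailserver, top-down first-match evaluation, and everything else falling to a drop-all or to "no rule match found"), as an added simulator that is not part of the original thread and not FW-1 code. The addresses, the encryption-domain subnet and the helper names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (hypothetical addresses, not from the thread).
LOCALNET = ip_network("10.0.0.0/8")
MAILSERVER = ip_address("10.0.1.25")
MAIL_SUBNET = ip_network("10.0.1.0/24")  # the mail server's own subnet

# Rulebase as discussed in the thread, evaluated top-down; first match wins.
# A rule is (name, source test, destination test, services, action);
# services=None means "any service".
RULEBASE = [
    ("client-encrypt pop3",
     lambda src: src not in LOCALNET,   # Source: not localnet
     lambda dst: dst == MAILSERVER,     # Dest:   mailserver
     {"pop3"},                          # Service: pop3
     "client-encrypt"),
    ("cleanup",                         # the "drop all" rule
     lambda src: True, lambda dst: True, None, "drop"),
]

def evaluate(rulebase, src, dst, service):
    """Return (matched rule name, action) for one connection attempt.
    With no explicit match the firewall drops the packet anyway."""
    src, dst = ip_address(src), ip_address(dst)
    for name, src_ok, dst_ok, services, action in rulebase:
        if src_ok(src) and dst_ok(dst) and (services is None or service in services):
            return name, action
    return "no rule match found", "drop"

def encrypts(src, dst, service, encryption_domain=MAIL_SUBNET):
    """Gibson's variant: traffic is encrypted only if the rulebase says
    client-encrypt AND the destination lies inside the encryption domain."""
    _, action = evaluate(RULEBASE, src, dst, service)
    return action == "client-encrypt" and ip_address(dst) in encryption_domain

if __name__ == "__main__":
    remote = "192.0.2.10"  # a SecuRemote client outside localnet
    for flow in [(remote, "10.0.1.25", "pop3"),    # encrypted
                 (remote, "10.0.5.7", "telnet"),   # dropped by cleanup rule
                 (remote, "10.0.1.25", "ftp")]:    # wrong service, dropped
        print(flow, evaluate(RULEBASE, *flow), encrypts(*flow))
    # Without the cleanup rule the result is the same: implicit drop.
    print(evaluate(RULEBASE[:1], remote, "10.0.5.7", "telnet"))
```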

