<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2448.0">
<TITLE>RE: Security after establishing VPN</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Yes, it would only encrypt traffic for POP3. Other traffic would be dropped by your drop-all rule, or, if for some bizarre reason you didn't have a drop-all, it would drop with "no rule match found", assuming you don't have another client-encrypt rule. You could even take it a step further, if you felt the need, and put your POP server on its own subnet and assign only that network as your encryption domain. Thus any other traffic would be unencrypted and would either drop into netherspace, if you are using non-routable addresses, or be dropped by the firewall if you are using routable ones.</FONT></P>
<P><FONT SIZE=2>> -----Original Message-----</FONT>
<BR><FONT SIZE=2>> From: Michael Louie [<A HREF="mailto:mlouie@SPEAKEASY.ORG">mailto:mlouie@SPEAKEASY.ORG</A>]</FONT>
<BR><FONT SIZE=2>> Sent: Tuesday, May 16, 2000 1:35 PM</FONT>
<BR><FONT SIZE=2>> To: VPN@SECURITYFOCUS.COM</FONT>
<BR><FONT SIZE=2>> Subject: Re: Security after establishing VPN</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Ryan,</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Please correct me if I'm wrong, but wouldn't this rule only </FONT>
<BR><FONT SIZE=2>> force encryption of</FONT>
<BR><FONT SIZE=2>> pop3 data to the mailserver? -Perhaps I am not being clear </FONT>
<BR><FONT SIZE=2>> in my question. I</FONT>
<BR><FONT SIZE=2>> would like to implement a remote access solution. [For </FONT>
<BR><FONT SIZE=2>> example] if I would like</FONT>
<BR><FONT SIZE=2>> to restrict access to only pop3 to the mailserver, and not </FONT>
<BR><FONT SIZE=2>> allow users to</FONT>
<BR><FONT SIZE=2>> telnet, ftp, etc anywhere else. Is this possible?</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> Thanks again,</FONT>
<BR><FONT SIZE=2>> Mike</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> On Tue, 16 May 2000, Ryan Russell wrote:</FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> > Assuming your encryption settings are in place:</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > Source | Dest | Service | Action | Log | Comment</FONT>
<BR><FONT SIZE=2>> > not localnet | mailserver | pop3 | client-encrypt | long</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > At least, that's what I can recall... I don't run a FW-1 anymore.</FONT>
<BR><FONT SIZE=2>> > (Change of jobs... not FW-1's fault :) )</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > Ryan</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > On Tue, 16 May 2000, Michael Louie wrote:</FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> > > Only allowing the use of port 110 to an internal </FONT>
<BR><FONT SIZE=2>> mailserver was only an</FONT>
<BR><FONT SIZE=2>> > > example. How would I define this rule?</FONT>
<BR><FONT SIZE=2>> > ></FONT>
<BR><FONT SIZE=2>> > ></FONT>
<BR><FONT SIZE=2>> > > Thanks,</FONT>
<BR><FONT SIZE=2>> > > Mike</FONT>
<BR><FONT SIZE=2>> > ></FONT>
<BR><FONT SIZE=2>> > > On Tue, 16 May 2000, Ryan Russell wrote:</FONT>
<BR><FONT SIZE=2>> > ></FONT>
<BR><FONT SIZE=2>> > > > The question isn't clear... are you asking if you can </FONT>
<BR><FONT SIZE=2>> VPN to only port</FONT>
<BR><FONT SIZE=2>> > > > 110? Yes. You can add a client-encrypt rule to only </FONT>
<BR><FONT SIZE=2>> allow in to port</FONT>
<BR><FONT SIZE=2>> > > > 110. This is for SecuRemote connections, mind you.. </FONT>
<BR><FONT SIZE=2>> though I think the</FONT>
<BR><FONT SIZE=2>> > > > same applies to FW-to-FW rules.</FONT>
<BR><FONT SIZE=2>> > > ></FONT>
<BR><FONT SIZE=2>> > > > Ryan</FONT>
<BR><FONT SIZE=2>> > > ></FONT>
<BR><FONT SIZE=2>> > > > On Mon, 15 May 2000, Michael Louie wrote:</FONT>
<BR><FONT SIZE=2>> > > ></FONT>
<BR><FONT SIZE=2>> > > > > Does Checkpoint version 4 and later have any built in </FONT>
<BR><FONT SIZE=2>> security for restricting</FONT>
<BR><FONT SIZE=2>> > > > > access after a VPN connection is established (port </FONT>
<BR><FONT SIZE=2>> 110 to the mailserver only</FONT>
<BR><FONT SIZE=2>> > > > > for example)? -or am I pretty much forced to </FONT>
<BR><FONT SIZE=2>> purchase an additional firewall?</FONT>
<BR><FONT SIZE=2>> > > > ></FONT>
<BR><FONT SIZE=2>> > > ></FONT>
<BR><FONT SIZE=2>> > > ></FONT>
<BR><FONT SIZE=2>> > > ></FONT>
<BR><FONT SIZE=2>> > ></FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> ></FONT>
<BR><FONT SIZE=2>> </FONT>
<BR><FONT SIZE=2>> VPN is sponsored by SecurityFocus.COM</FONT>
<BR><FONT SIZE=2>> </FONT>
</P>
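<P><FONT SIZE=2>As an added illustration of the thread's point (this is example code, not from the thread or from Check Point), the following walks a FW-1-style rule base first-match, with Ryan's client-encrypt rule followed by the drop-all the reply assumes, and checks which SecuRemote traffic is encrypted versus dropped. The addresses, the "localnet" range and the mailserver subnet are constructed assumptions.</FONT></P>

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology (assumption, not from the thread): these stand in
# for the FW-1 network objects "localnet" and "mailserver".
LOCALNET = ipaddress.ip_network("10.1.0.0/16")
MAILSERVER = ipaddress.ip_address("10.1.5.25")
MAIL_SUBNET = ipaddress.ip_network("10.1.5.0/24")  # the reply's "POP server on its own subnet"
ANY = "any"

@dataclass(frozen=True)
class Rule:
    src: str       # "localnet", "not localnet" or ANY
    dst: object    # an ip_address or ANY
    service: str   # "pop3", "telnet", "ftp", ... or ANY
    action: str    # "client-encrypt", "accept" or "drop"
    log: str
    comment: str = ""

def match_src(spec, src):
    if spec == ANY:
        return True
    inside = src in LOCALNET
    return inside if spec == "localnet" else not inside

def match_dst(spec, dst):
    return spec == ANY or dst == spec

def match_svc(spec, svc):
    return spec == ANY or spec == svc

def evaluate(rulebase, src, dst, service):
    """First-match walk of the rule base; returns (action, comment).
    A packet matching no rule is dropped with 'no rule match found'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rulebase:
        if match_src(r.src, src) and match_dst(r.dst, dst) and match_svc(r.service, service):
            return r.action, r.comment
    return "drop", "no rule match found"

def client_side(dst, enc_domain):
    """What the SecuRemote client does before the packet ever reaches the
    rule base: only destinations inside the encryption domain are encrypted."""
    return "encrypted" if ipaddress.ip_address(dst) in enc_domain else "cleartext"

# Ryan's rule from the thread, followed by the drop-all the reply assumes.
RULEBASE = [
    Rule("not localnet", MAILSERVER, "pop3", "client-encrypt", "long", "SecuRemote users: POP3 only"),
    Rule(ANY, ANY, ANY, "drop", "long", "drop all"),
]
```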
<CODE><FONT SIZE=3><BR>
<BR>
***********************************************************************<BR>
Gruntal & Co., L.L.C.'s e-mail system is for business purposes only. <BR>
Messages are not confidential. All e-mail may be reviewed by <BR>
authorized supervisors, compliance or internal audit personnel.<BR>
E-mail will be archived for at least three years and may be produced <BR>
to regulatory agencies or others with a legal right to access such<BR>
information. Gruntal will not accept trade order instructions via<BR>
e-mail. Please telephone your Account Executive to place trade orders.<BR>
<BR>
Gruntal & Co., L.L.C.<BR>
***********************************************************************<BR>
</FONT></CODE></BODY>
</HTML>