Check Point Firewall-1 LDAP Authentication Vulnerability
Solution: Check Point Support <cpsuppor@ts.checkpoint.com> emailed the following information to vuldb@securityfocus.com:

Resolution: After investigation, Check Point Software confirms this as the appropriate behavior with "standard" checked in "Required Sign On" field under "Client Authentication". In other words, when using "standard" sign-on, the "Destination" field under "Client Authentication" properties cannot be intersected with the user database property which defines user access to specific destinations. Accordingly, the "Destination" field is grayed out in the Client Authentication Action Properties.

This information is documented on Page 534 of VPN-1/FW-1 Administration Guide, where it is stated that under such circumstances the "Destination" field is automatically set to "Ignore User Database" and that the user can access all destinations allowed by the rule. The VPN-1/FW-1 GUI can cause confusion because it simply grays out the value set in "Destination" field instead of setting it to "Ignore User Database". But internally, the "Destination" value is set to "Ignore User Database". The GUI will be amended in the subsequent release of VPN-1/FW-1 to make this more clear.

It is important to note that the "Source" field can be intersected with user database even if standard sign-on is selected under Client Authentication. Also, this behavior is independent of whether the user is defined in VPN-1/FW-1 internal database or an external LDAP-compliant directory server.

If one would like to enforce the "allowed-destinations" attribute (defined for each user) under Client Authentication Rule, the "Required Sign On" field must be set to "Specific", and an appropriate Sign-On Method should be selected. This limitation does not exist under User Authentication Rules.
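The practical risk in the vendor response is that an administrator reads a grayed-out "Destination" field as "enforced" when the firewall actually treats it as "Ignore User Database". The following is an added illustration, not Check Point code and not the product's real rule engine: a small Python model of the behavior the response describes, with a helper that audits which rule destinations a user can reach beyond their own allowed-destinations attribute. The classes, the network values and the user "alice" are all constructed for the example.

```python
"""Model of Client Authentication matching as described in the Check Point
response (added example, hypothetical; not the product's own logic).

Rules modelled:
  * The rule's own Source/Destination must match the connection.
  * Source is always intersected with the user's allowed-sources attribute.
  * With Required Sign On = "standard", Destination is effectively
    "Ignore User Database": the user's allowed-destinations is NOT enforced.
  * With Required Sign On = "specific", allowed-destinations IS enforced.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class User:
    name: str
    allowed_sources: List[str]       # user-database attribute (CIDR strings)
    allowed_destinations: List[str]  # user-database attribute (CIDR strings)


@dataclass
class ClientAuthRule:
    source: List[str]        # rule Source column (CIDR strings)
    destination: List[str]   # rule Destination column (CIDR strings)
    required_sign_on: str    # "standard" or "specific"


def _in_any(addr: str, nets: List[str]) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in nets)


def connection_allowed(rule: ClientAuthRule, user: User, src: str, dst: str) -> bool:
    """Decide whether an authenticated user's connection matches the rule."""
    # The rule's own Source/Destination columns always apply.
    if not _in_any(src, rule.source) or not _in_any(dst, rule.destination):
        return False
    # Source is intersected with the user database in both sign-on modes.
    if not _in_any(src, user.allowed_sources):
        return False
    mode = rule.required_sign_on.lower()
    if mode == "standard":
        # Destination is treated as "Ignore User Database": every
        # destination the rule permits is reachable by this user.
        return True
    if mode == "specific":
        return _in_any(dst, user.allowed_destinations)
    raise ValueError(f"unknown Required Sign On value: {rule.required_sign_on}")


def audit_excess_destinations(rule: ClientAuthRule, user: User,
                              src: str, candidates: List[str]) -> List[str]:
    """Destinations the user reaches under the rule but that lie outside the
    user's allowed-destinations attribute. Non-empty output for a "standard"
    rule is exactly the surprise the vendor response describes."""
    return [
        d for d in candidates
        if connection_allowed(rule, user, src, d)
        and not _in_any(d, user.allowed_destinations)
    ]


# Constructed sample data for the example.
ALICE = User(
    name="alice",
    allowed_sources=["10.1.0.0/16"],
    allowed_destinations=["192.168.1.0/24"],
)
RULE_STANDARD = ClientAuthRule(["10.0.0.0/8"], ["192.168.0.0/16"], "standard")
RULE_SPECIFIC = ClientAuthRule(["10.0.0.0/8"], ["192.168.0.0/16"], "specific")
CANDIDATE_DESTINATIONS = ["192.168.1.10", "192.168.2.10", "192.168.3.10"]


if __name__ == "__main__":
    for rule in (RULE_STANDARD, RULE_SPECIFIC):
        excess = audit_excess_destinations(rule, ALICE, "10.1.5.5", CANDIDATE_DESTINATIONS)
        print(f"{rule.required_sign_on:8s} sign-on: reachable beyond allowed-destinations -> {excess}")
```

Running the audit against each rule in turn is the check an administrator would want before relying on the grayed-out field: under "standard" sign-on it reports the hosts in 192.168.2.0/24 and 192.168.3.0/24 as reachable even though alice's attribute only permits 192.168.1.0/24, while under "specific" sign-on it reports none. The source check behaves the same in both modes, which is the other point the response makes.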