We have a Nexpose security scan engine on our inside network. It typically scans inside PCs, and that all works OK.
With hundreds of users now working remotely, our security team wants to scan the remotely connected laptops. They connect via the Checkpoint VPN client to a Checkpoint 6900 firewall.
Best practice dictates that a scan engine should not traverse a firewall; the suggestion is that the engine reside in the DMZ or network of the clients it wants to scan.
We do have additional Nexpose scan engines residing in a DMZ, and that works OK as well.
But that's not possible here for the VPN clients' user devices, or is it?
The clients get inside IP addresses, but their VPN sessions terminate on the firewall, so scan traffic traverses the firewall.
I ask because even though I've allowed source Nexpose scan engine to destination VPN clients on any port, and disabled anti-spoofing for the VPN network, I'm still getting traffic drops. I'm working through that, but it's a pain.
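A quick way to tell whether the drops described above are happening in the path (firewall or VPN gateway) or on the laptop itself is to probe the VPN clients from the scan engine and classify each port by how the connection attempt fails. A timeout means no SYN-ACK and no RST came back, which is what a firewall drop looks like; a connection refused means the packet reached the host and the port is simply not listening. The script below is an added example written for this post, not Nexpose's own tooling or anything from the original text; it assumes Python 3 on the scan engine host, and the client addresses and ports in the demo are constructed placeholders.

```python
import socket
import socketserver
import threading

# Ports a typical endpoint scan would try first (constructed sample set).
SAMPLE_PORTS = [22, 135, 139, 445, 3389]


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port from the scan engine's point of view.

    open        -> three-way handshake completed
    closed      -> RST received: host reachable, nothing listening
    filtered    -> no reply at all: something between us dropped it
    unreachable -> local routing problem (no route, network down)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def probe_targets(targets, ports, timeout=2.0):
    """Probe every (host, port) pair; returns {host: {port: state}}."""
    return {h: {p: probe_tcp(h, p, timeout) for p in ports} for h in targets}


def suspect_firewall_drops(results):
    """Hosts where every probed port timed out are the ones to check on the
    firewall first; a mix of closed/open means the path is fine."""
    return [h for h, by_port in results.items()
            if by_port and all(v == "filtered" for v in by_port.values())]


# --- local demo plumbing so the example runs offline ---------------------
class _AcceptAndClose(socketserver.BaseRequestHandler):
    def handle(self):
        pass  # accept the connection, say nothing, hang up


def start_local_listener():
    """Start a throwaway listener on 127.0.0.1; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _AcceptAndClose)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port():
    """Pick an unused local port so a probe against it gets an RST."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real use: replace with the VPN pool addresses handed to the laptops,
    # e.g. probe_targets(["10.99.0.10", "10.99.0.11"], SAMPLE_PORTS)
    srv, open_port = start_local_listener()
    demo = probe_targets(["127.0.0.1"], [open_port, free_closed_port()])
    print(demo)                              # one open, one closed
    print(suspect_firewall_drops(demo))      # [] -> path to this host is fine
    srv.shutdown()
```

Run it from the scan engine itself, not from an admin workstation, so the probes take the same path the Nexpose traffic does; if a laptop shows every port as filtered while the same ports answer from an inside PC, the drop is in the firewall or VPN policy rather than on the endpoint.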