Which of the following actions does Secure Configuration Verification perform? (Choose three)
Secure Configuration Verification confirms that the:
A.
Desktop Policy is installed on all client interfaces.
B.
TCP/IP is enabled on the desktop.
C.
User name and password cached on the desktop are correct.
D.
Client’s operating system has the appropriate patch level.
E.
IP address of the client is correct for entrance into the VPN Domain.
Explanation:
Secure Configuration Verification (SCV)
Secure Configuration Verification (SCV) is a mechanism that determines
whether the SecureClient machine is securely configured (clean) or not
securely configured (dirty). SCV makes sure SecureClient machines that are
attempting to VPN with the firewall are protected by the Policy Server’s policy
and their security is not being compromised.
The SCV process is done with an
SCV Manager
component running on
the Policy Server. The SCV Manager is responsible for configuration and
maintenance of the SCV state from all
SCV plug-ins
. SCV plug-ins are DLLs
registered with SecureClient; they contain functions that can notify the SCV
Manager of the DLL’s state. When the SCV Manager wants SCV status, it
queries all registered SCV plug-ins about the SCV state for which they are
responsible. If all SCV plug-ins indicate that the machine is securely configured,
the SCV Manager sets the general SCV state to “securely configured.”
Otherwise, it considers the SecureClient machine to be not secure. One of the
files that carries the SCV information is
local.scv
; it is stored on the
SecureClient machine with its other configuration files.
Future versions of SCV will support Check Point NG and third-party SCV
plug-ins such as Open Platform for Security (OPSEC) products. Administrators
will be able to configure both the SCV plug-ins and the SCV checks.
Doing so will help the administrator customize the SCV operation and gain
more control over the SecureClient machine.
The next section discusses SecureClient, its deployment, and the SecureClient Packaging Tool.Understanding SecureClient
SecureClient is the same software as SecuRemote, with added functionality.
Just as with SecuRemote, the client-to-site VPNs created with SecureClient use IPSec-based encryption. The major difference in using the
SecureClient graphical interface (shown in Figure below) is the Policy menu,
which helps users interact with the Policy Server. Most of the other menu
options are the same as in SecuRemote and are defined in Chapter 9.The only difference is the selection of the default
SecureClient with desktop security, instead of SecuRemote. However,
despite the similarity in the GUI interface and the installation, SecureClient
provides greater functionality than SecuRemote with its desktop security.
As you can see in Figure above, an option in the Policy menu lets you log
on to a Policy Server. When you choose the Logon to Policy Server option,
a list of the installed Policy Servers is displayed as a submenu; you can then
choose a Policy Server to log on to. When the SecureClient user logs on to the
Policy Server, the Desktop policy is downloaded to the SecureClient
machine.
The logon occurs as either an
implicit logon or an explicit logon
. During an implicit logon, a Desktop policy is automatically installed on the SecureClient machine when the client authenticates. During an explicit logon, you
click the Update button to update the Desktop policy. The logon is considered
explicit because you initiate the download and are prompted to specify
whether you would like to download a Desktop policy. The policy is downloaded
only when you add or update a site that contains a Policy Server.
The Policy menu lets you disable a Desktop policy. If a Desktop policy is
required by a Policy Server and you disable the policy, you will not be able
to VPN with the firewall until you log on again and a new policy is issued to
the client. If you disable the policy while participating in a VPN, the VPN
will continue, and the change will take effect after you restart SecureClient.
SecureClient does not support IP forwarding. IP forwarding may be enabled
to forward packets to another NIC on a machine. When IP forwarding is
detected, a warning message is shown to the user. If you are implementing
SecureClient, be sure you off turn IP forwarding.
