Enabling Check Point IPS

I couldn’t find any easy / recommended  way to enable the IPS feature on the Checkpoint software blade so I came up with this sequence on my own. If someone does know the correct procedure please enlighten me.

Check Current Status
1) Click on the IPS tab
2) if you look in the “IPS in My Organization” box you should see the following

0 security gateway is enforcing IPS
2 profiles are configured

Enable the IPS
1) Click on the firewall tab
2) On the left double click Network Objects -> Check Point -> myhost (ie cpr75)
3) in the Check Point Gateway window click on the Network Security tab 
4) turn on the IPS function and click okay
5) download this policy to the gateway
6) now check to see if this is enabled by following the above procedure

Testing the IPS

First we need to find a  attack vector that the IPS is configure to protect the network from. So click on the IPS Tab and select Protections on the left hand site. Sort the table by “Default_Protection” column such that all the enabled vectors are listed at the top. I quickly scanned through the list and found LAND (CVE-1999-0016) to be something I could easily simulate. The basic summary of this vector is:

Somebody has released a program, known as land.c, which can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host’s address as both source and destination, and using the same port on the target host as both source and destination.

This is easy to simulate using hping. So on pluto run the following command:

zzz# hping 192.168.2.1 -s 135 -p 135 -S -a 192.168.2.1
HPING 192.168.2.1 (em1 192.168.2.1): S set, 40 headers + 0 data bytes
len=40 ip=192.168.2.1 ttl=64 id=45332 sport=135 flags=S seq=0 win=512 rtt=0.4 ms
^C
— 192.168.2.1 hping statistic —
19 packets tramitted, 1 packets received, 95% packet loss
round-trip min/avg/max = 0.4/0.4/0.4 ms
zzz#

If you then check the logs of the gateway using smarttracker you will see the following:

I finally gave up finding an easy method to attach screen shots, so this is the first one on this blog. What i was really after was a confluence style java interface in which I could just paste the clipboard. The current method is to capture, save to disk and then upload.

Advertisements

IPSec VPN between Check Point and Cisco Router

Setting up a VPN between these two devices is a bit cryptic the first time you encounter it but once you have completed the task it just makes sense. This tutorial continues on from a previous post which describes how to setup a virtualized check point firewall.

The Cisco router is simulated using dynamips and the following parameters:

    [[3725]]
        image =  C:\lab\IOS\c3725-adventerprisek9-mz.124-15.T14.bin
        idlepc = 0x6026be14
        ram = 160
        disk0 = 32

    [[ROUTER R1]]
        model = 3725

        #This is the vmnet1 device
        FA0/0 = NIO_gen_eth:\Device\NPF_{A5C8EFBE-0743-4930-9373-4D2A4DBF800A}

The network diagram is

                    (Fa0/0) R1
                    +
                     | 

     External   +                          Internal
Pluto —– (eth1) CP R75 (eth2)—– Eris
                             (eth0)
                               +
                                |
                   SmartDashboard

Network block are allocated as shown below. The remote network is configured as a loopback interface on R1.

  • management network – 10.202.70.0/24
  • external network – 192.168.1.0/24
  • internal network – 192.168.2.0/24
  • remote network – 192.168.3.0/24

The ip address allocations are:

  • pluto – 192.168.1.1
  • eth1 – 192.168.1.2
  • eth2 – 192.168.2.2
  • eris – 192.168.2.1
  • fa0/0 R1 – 192.168.1.10
  • loop0 R1 – 192.168.3.1

The best introduction I’ve read to IKE and IPSec is in the Checkpoint VPN Admin guide. I would highly recommend reading chapter 2 of this document even if you have a good understanding of these protocols

Router R1 Configuration

Create the IKE policy and assume pre-shared keys

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key abc123 address 192.168.1.2
!

Create the IPSec transform set (ie the encryption parameters it will work with)

crypto ipsec transform-set mytransform esp-aes 256 esp-sha

Define the interesting traffic

access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255

Now put it all together and apply it to an interface

crypto map mymap 1 ipsec-isakmp
 set peer 192.168.1.2
 set transform-set mytransform
 match address 101
!
interface FastEthernet0/0
 crypto map mymap
!

Checkpoint Configuration

Click on the IPSec VPN Tab. The first task is to define the remote end point. Click on the IPSec VPN Tab and in the tree on the left hand side right click on Interoperable Device and add a new device which we’ll call CiscoRTR. In the IP address field put in 192.168.1.10.

Click on the toplogy of CiscoRTR and add the following:

  • fa0/0: 192.168.1.10, netmask 255.255.255.0; topology: Leads to internet
  • loop0: 192.168.3.1, netmask 255.255.255.0; topology: Internal, Network defined by IP address and netmask

Now create a new VPN community, type Star called MyVPN, with the following settings:

  • Center gateways: the object representing the Check Point enforcement point
  • Satellite gateways: the object representing the Cisco router – CiscoRTR
  • Encryption:
    • Encryption Method: IKEv1 Only
    • Encryption Suite: Custom with the following properties
    • IKE (Phase 1) Properties
    • Perform key exchange encryption with: AES-256
    • Perform data integrity with: SHA-1
    • IPSec (Phase 2) Properties
    • Perform IPSec data encryption with: AES-256
    • Perform data integrity with: SHA-1
  • Tunnel Management: VPN Tunnel sharing: One VPN tunnel per subnet pair
  • Advanced settings
    • VPN Routing: To center only
    • Shared Secret: Use only Shared Secret for all external members, then add the shared secret to CiscoRTR
    • Advanced VPN Properties:IKE (Phase 1): Use Diffie-Helman Group: Group 2

Now click on the Firewall tab and add the following two rules:

Name: InterestingVPNTrafffic
Source: 192.168.2.0 255.255.255.0
Destination: 192.168.3.0 255.255.255.0
VPN: MyVPN (ie the community defined above)
Service: Any
Action: Accept
Track: Log

Name: Encrypted Traffic
Source: Checkpoint Gateway
Destination: CiscoRTR
VPN: Any traffic
Service: IKE & IPSec
Action: Accept
Track: Log

Now apply this changes to the checkpoint and you should then be able to ping from Eris to the loopback of R1.

Learning about Checkpoint

Installation
I looked around the web and couldn’t find any how to guide for first timers to learn about Checkpoint. I have some experience with firewalls but nothing that suited my level of knowledge. This post contains my Checkpoint

notes on installing and using Checkpoint in a virtualized environment.

I used VMware (VMware workstation 7.1.4 build-385536) to create three virtual machines. Two of them ran FreeBSD 8.2 and were used as the external and internal hosts. You could have just as easily used Windows/Linux or an OS of your choice. I decided on FreeBSD because I have enough working experience with it and most of the daemons (SSH / Telnet / FTP etc) are already installed.

The third virtual machine was installed with the Checkpoint Secure Platform (SPLAT) image.

The routing and ip addressing is shown in the diagram below:

         <—– Default route

     External                              Internal
Pluto —– (eth1) CP R75 (eth2)—– Eris
                             (eth0)
                               +
                                |
                   SmartDashboard

The mapping of the CPR75 interfaces to the VM are:

  • eth0 – vmnet 0 (management network – 10.202.70.0/24)
  • eth1 – vmnet 1 (192.168.1.0/24)
  • eth2 – vmnet 2 (192.168.2.0/24)

The ip address allocations are:

  • pluto – 192.168.1.1
  • eth1 – 192.168.1.2
  • eth2 – 192.168.2.2
  • eris – 192.168.2.1

The installation of CP R75 SPLAT can be followed here. I setup a virtual machine with the following parameters:

  • Memory: 512MB
  • Processors: 1
  • HD: IDE 9G

VMware boot sequence is documented here but you can hit Esc to bring up the boot menu. I set the default password for my virtual machines as below:

Console username / password : admin / adminpass
Security Management Server Admin: cpadmin / cpadmin

The installation of the FreeBSD clients isn’t covered here but can be easily googled for if required.

SmartConsole R75 Clients
SmartConsole clients allow you to configure manage monitor and analyze network security features: Firewall, VPN, IPS, Anti-Virus, Anti-Spam, URL Filtering and more.

  • SmartDashboard
  • SmartView Tracker (aka Log viewer)
    Check Point products provide you with the ability to collect comprehensive information on your network activity in the form of logs. You can then audit these logs at any given time, analyze your traffic patterns and troubleshoot networking and security issues. The SmartCenter server makes these logs available for inspection via SmartView Tracker, a comprehensive auditing solution, enabling central management of both active and old logs of all Check Point products. You can conveniently customize searches to address specific tracking needs; integrate the logs with Check Point’s SmartView Reporter, or export them to text files or to an external database. Administrators can use SmartView Tracker in order to ensure their products are operating properly, troubleshoot system and security issues, gather information for legal or audit purposes, and generate reports to analyze network traffic patterns. In the case of an attack or other suspicious network activity, administrators can use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses.  
  • SmartEvent
  • SmartUpdate
  • SecureClient Packging Tool
  • SmartView Monitor – Look at the physical parameters of the firewall. Eg CPU, memory, disk space
  •  

    SmartView Monitor shows the complete picture of network and security performance, enabling fast response to changes in traffic patterns or security activities. SmartView Monitor centrally monitors Check Point and OPSEC devices, presenting a complete visual picture of changes to gateways, tunnels, remote users and security activities. This enables administrators to immediately identify changes in network traffic flow patterns that may signify malicious activity.
  • SmartReporter – Generates reports based on the logs issued by Checkpoint products.
  • SmartProvisioning
  • Smart Event Intro
  • Abra Password Reset

Setting the Gateway Topology
This is required so that you can tell the gateway about your internal and external interfaces and network. To set this up click on Application Control -> Gateways and then double click your gateway to edit it.

In the window select topology and then for each interface set the Network type (Internal, DMZ, External) and the topology, ie the networks that reside behind this interface.

Why doesn’t this get picked up automatically from the routing table?

    Adding Firewall Rules
    The most interesting thing to note about this is that there is no mention of interfaces. The rules apply to all traffic transiting the box. Otherwise the process is quite standard:

    1) click on the firewall tab
    2) add a new line
    3) fill out out your source/dest and traffic info
    4) push your changes back to gateway

    There are some implicit rules that are configured when you first build a gateway and these can be viewed by clicking on View -> Implied Rules in the Dashboard. You can turn on logging for these by clicking Policy -> Global Properties -> Firewall Tab -> Log implied rules.

    If you are troubleshooting some traffic rules, then fire up the SmartView Tracker and click on the Network and Endpoint tab and select All Records. You can then double click on a log entry and see which rule permitted/denied it.

    Adding NAT Rules
    With NAT rules you need to have a firewall rule that matches in the traffic BEFORE it was translated. Then adding a NAT rule is quite easy:

    1) click on the NAT tab
    2) add a new line
    3) fill out your Original packet details (ie what to match for)
    4) fill our your Net packet details (ie what to change)
    5) push you changes out

    Here is a good description of how the packets transit the box (original source here):

    ORIGINAL PACKET
    1. The packet arrives at the inbound interface, and passes Security Policy rules.
    2. If accepted, the packet is entered into the connections table. (See SmartView Tracker and the the Active Tab)
    3. The packet is matched against NAT rules for the destination. The packet is translated if a match is found.

    4. The packet arrives at the TCP/IP stack of the NGX Gateway, and is routed to the outbound interface. The packet is translated, so it is routed correctly without any need to add a static route to the Gateway.
    5. The packet goes through the outbound interface, and is matched against NAT rules for the source.
    6. NAT takes place, if a match is found for translating the source.
    7. The packet leaves the Security Gateway.


    REPLY PACKET
    1. The reply packet arrives at the inbound interface of the Gateway.
    2. The packet is passed by the Policy, since it is found in the connections table.
    3. The packet’s destination, which is the source of the original packet, is translated according to NAT information in the tables.
    4. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the outbound interface.
    5. The packet goes through the outbound interface. The packet’s source, the destination of the original packet, is translated according to the information
    in the NAT tables.
    6. The packet leaves the Gateway.

    Content Filtering

    Generic Setup

    To enable, click on Anti-Span & Mail tab and select overview. Then in the Enforcing gateways pick the correct gateway for Anti-Virus and Anti-Spam. Under database updates, click on configure and select the activation tab. Then select “Use the trial license provided by the Security Gateway”.

    Then select the Anti-virus and URL Filtering tab and select Database Updates. Click the configure button and again select select the activation tab. Then select “Use the trial license provided by the Security Gateway”.

    URL Filtering
    Finally under URL Filtering select URL Filtering Policy and ensure that the Policy mode is on and tacking is set to log for both the blocked and allowed requests.

    You now need to allow outbound requests to the Squid proxy on port 3128 in the firewall tab.Then download the policy to the gateway.

    To test this I installed a Squid Proxy on pluto and then telneted from eris to port 3182 and manually did a request. The log file will now show two entries, one from the firewall product and one from the web filtering product.

    Virus Scanning (FTP downloads)
    Under Anti-Virus & URL Filtering tab select Anti-Virus -> Security Gateways -> FTP and ensure its set to  Block for incoming files. Then click the advanced and log everything.

    Also all firewall rules to allow eris to passive ftp into pluto and get files. On pluto you can follow eicar to create positive test file using vi. When you try to download this file you will see the following error:

    ftp> mget aeicar.com
    mget aeicar.com [anpqy?]? y
    227 Entering Passive Mode (192,168,1,1,209,20)
    150 Opening BINARY mode data connection for ‘aeicar.com’ (69 bytes).
      0% |                                                                                       |     0       0.00 KB/s    –:– ETA
    450 Content Inspection module rejected the requested resource. Virus found. For more information please contact your system administrator.

    Checkpoint Product Guide

    If you read the checkpoint product documents it quickly becomes confusing as to what hardware provides which features. Here is something that sums up all the differences (& cost) at a quick glance:

    https://pricelist.checkpoint.com/pricelist/US/PLUSswblades/GeneralPL.jsp

    This document describes how the you can purchase the software only solution and what restrictions you have to keep in mind:

    https://www.checkpoint.com/products/downloads/brochures/SoftwareBlades.pdf

    In many cases, a license bundle containing the management solution as well as one firewall is purchased. You can also buy a management solution (CPSM, mandatory) and the needed licenses for the Security Gateway(s). Be sure to order the correct size of CPSM! Additionally, you can obtain licenses for additional Software Blades which offer different security enhancements. 

    SG100, SG200, SG400, SG800 and SG1200 series are designed to utilize 1, 2, 4, 8 and 12 cores respectively.
    SG100 series is limited to 50 users. SG200 series is limited to 500 users. SG203U pre-defined systems, SG400, SG800 and SG1200 series are unlimited.
    SM200, SM300, SM1000, SM2500, SMU000 are licensed to manage 2, 3, 10, 25 and unlimited gateways respectively.
    License is per number of managed gateways.

    Our requirements are SG203U (2 core, unlimited users) + SM200 (manage 2 gateways) it looks like we cannot buy them individually. The closest I can find is CPSG-P203-CPSM-P303 which is a 500 user limited license.