
Auditing Checkpoint FW1: The Combat Overview

Welcome!
Ed Capizzi, Janus IT Security Auditor, ed.capizzi@janus.com, 11/20/2002

OSI 7 Layer Reference Model


Router

Proxy


Dynamic State Tables

- Malicious authorized users.
- Connections that don't go through it.
- 100% of all threats!

A firewall is only as effective as the policy it supports.

Components:
- GUI - User Interface
- MM - Management & Logging
- FW - Enforcement Point

Monolithic Stack: GUI, MM and FW together

Remote GUI: MM and FW together, GUI remote

Remote Management: FW alone, GUI and MM together. Always authenticated.

Remote Management AND Remote GUI: FW, MM and GUI each separate.

Beware ports 256, 257, 258 & 259

Remote Management AND Remote GUIs: FW, MM and several GUIs, each separate.

WIFM
- User Interface: GUI (Local Mode!)
- Management & Logging: MM (Logs, Users, Configs, Rulesets)
- Enforcement Point: FW

Daemons, Etc


Any Input

Let's go look!

Useful Commands
- fw ver - returns version and patch info
- fwm p - print a list of Admin users
- fwstart - self explanatory, be careful
- fwstop - self explanatory, don't use this!
- fw log - displays the log, has many switches
- fw logexport - exports a log, beware of size creep
- fw dbexport - exports the user database
- fw printlic - prints the license
- fw status - shows the status of the firewall
- cpconfig (fwconfig) - config util to review fw setup

fw ver - returns version and patch info

# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG]

fwm p - Print a list of Admin users

FireWall-1 Remote Manager Administrators:
================================
Larry (Read/Write on all Management clients; Log Consolidator Read/Write; Reporting Module - Read/Write; )
Curly (Read/Write on all Management clients; Log Consolidator Read/Write; Reporting Module - Read/Write; )
Mo (Read Only on all Management clients; )
Total of 3 administrators

This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 (20Nov2002 14:10:22)

fwstart - Self explanatory, be careful

fwstop - Self explanatory, don't use this!

fw log - Displays the log, feature rich (has many switches)

fw logexport - Exports a log to ascii format with your choice of delimiters. Beware of size creep!

fw dbexport - Exports the user database (-d to set delimiter)

fw printlic - prints the license

Host             Expiration  Features
170.199.190.253  Never       CPVP-ESC-U-3DES-V41 CK15CCD095822D

cpconfig (fwconfig) - config util to review fw setup

cpconfig
Welcome to Check Point Configuration Program
=================================================
This program will let you re-configure your Check Point Management configuration.

Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) Groups
(6) Exit

Enter your choice (1-6) :

# ./fw stat   (run on the FW)
HOST       POLICY   DATE
localhost  Snoopy1  18Nov2002 10:00:49 : [>qfe0] [<qfe0] [>qfe1] [<qfe1] [>qfe2] [<qfe2] [>qfe3] [<qfe3]

Important Checkpoint files, commands & directories

./$FWDIR/CONF/
- /$FWDIR/CONF/rulebases.fws - Contains all firewall rulebases
- /$FWDIR/CONF/objects.C - Contains all firewall objects
- /$FWDIR/CONF/cp.licenses - Licenses file
- /$FWDIR/CONF/fwmusers - Contains all FW admins
- /$FWDIR/CONF/gui-clients - List of all authorized GUI clients
- /$FWDIR/CONF/masters - List of all FW masters (Mgt & Logging)

./$FWDIR/log/
- /$FWDIR/LOG/cpmgmt.aud - Log of admin access via the GUI.
- /$FWDIR/LOG/manage.lock - Empty file used for GUI RW management

/$FWDIR/CONF/rulebases.fws
# cat rulebases.fws
:rule-base ("##A_Standard_Policy"
  :rule (
    :src ( : Any )
    :dst ( : Any )
    :services ( : Silent_Services )
    :action ( : drop )
    :track ()
    :install ( : Gateways
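The rulebases.fws listing above is in Check Point's nested `:key (value)` notation, and an auditor usually wants it in tabular form rather than reading parentheses. The following is an added example, not code from the talk or from Check Point: a small tokenizer and parser for that notation, a flattener that turns every `:rule` into a dict, and two generic review checks (rules with an empty `:track`, i.e. no logging, and an Any/Any/Any accept). The sample rulebase is constructed; its first rule mirrors the Silent_Services drop rule shown above, and the second rule is invented so that the checks have something to flag.

```python
import re

# Constructed sample in the :key (value) layout of $FWDIR/conf/rulebases.fws.
# Rule 1 mirrors the Silent_Services drop rule from the talk; rule 2 is a
# deliberately weak rule added so the audit has something to flag.
SAMPLE_RULEBASE = r'''
:rule-base ("##A_Standard_Policy"
  :rule (
    :src ( : Any )
    :dst ( : Any )
    :services ( : Silent_Services )
    :action ( : drop )
    :track ()
    :install ( : Gateways )
  )
  :rule (
    :src ( : Any )
    :dst ( : Any )
    :services ( : Any )
    :action ( : accept )
    :track ( : Long )
    :install ( : Gateways )
  )
)
'''

# Tokens: parentheses, ":key" (or a bare ":" for an unnamed entry such as ": Any"),
# double-quoted strings, and bare words. Whitespace is never a token.
TOKEN_RE = re.compile(r'\(|\)|:(?:"[^"]*"|[^\s():"]*)|"(?:[^"\\]|\\.)*"|[^\s():"]+')


def parse_items(tokens, i=0):
    """Parse entries until the matching ')' or the end of input.

    Returns (items, next_index). items is a list of (key, value) pairs; key is None
    for unnamed entries and value is either a string or a nested items list.
    """
    items = []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ')':
            return items, i + 1
        if tok.startswith(':'):
            key = tok[1:].strip('"') or None
            i += 1
            if i >= len(tokens):
                raise ValueError('input ends after key %r' % key)
            if tokens[i] == '(':
                value, i = parse_items(tokens, i + 1)
            else:
                value, i = tokens[i].strip('"'), i + 1
            items.append((key, value))
        elif tok == '(':
            value, i = parse_items(tokens, i + 1)
            items.append((None, value))
        else:
            items.append((None, tok.strip('"')))
            i += 1
    return items, i


def parse(text):
    return parse_items(TOKEN_RE.findall(text))[0]


def field(rule, name):
    """Atom values under one rule field, e.g. ['Any'] for ':src ( : Any )'."""
    for key, value in rule:
        if key == name:
            return [value] if isinstance(value, str) else [v for _, v in value if isinstance(v, str)]
    return []


def extract_rules(text):
    """Flatten every :rule of every :rule-base into one dict per rule."""
    rules = []
    for key, body in parse(text):
        if key != 'rule-base' or isinstance(body, str):
            continue
        policy = next((v for k, v in body if k is None and isinstance(v, str)), '?')
        for k, rule in body:
            if k == 'rule' and not isinstance(rule, str):
                rules.append({'policy': policy, 'src': field(rule, 'src'), 'dst': field(rule, 'dst'),
                              'services': field(rule, 'services'), 'action': field(rule, 'action'),
                              'track': field(rule, 'track')})
    return rules


def audit(rules):
    """Two classic rulebase review checks: unlogged rules and Any/Any/Any accepts."""
    findings = []
    for n, r in enumerate(rules, 1):
        if not r['track']:
            findings.append((n, 'no logging (empty :track)'))
        if r['action'] == ['accept'] and r['src'] == r['dst'] == r['services'] == ['Any']:
            findings.append((n, 'Any/Any/Any accept'))
    return findings


if __name__ == '__main__':
    for n, why in audit(extract_rules(SAMPLE_RULEBASE)):
        print('rule %d: %s' % (n, why))
```

The same parser reads objects.C, since that file uses the same notation (including keys written as quoted strings such as `:"#oldname"`); only the flattening step is rulebase-specific.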

/$FWDIR/CONF/objects.C
$ cat objects.fws
(
  :anyobj (Any
    :color (Blue)
  )
  :superanyobj ( : Any )
  :netobjgraph (
    : (xnet-0
      :color (black)
      :type (network)
      :location (internal)
      :comments ("Created by the Graph View")
      :broadcast (allow)
      :ipaddr (2.2.2.0)
      :netmask (255.255.255.0)
      :read_only (true)
      :is_network_implied (true)
      :"#oldname" (
        :type (refobj)
        :refname ("#_xnet-0")
      )

/$FWDIR/CONF/cp.licenses
# cat cp.license
Sign { LICENSE 10.199.8.26 never CPFW-OSE-U-V41 CK-5099B26B }= 7xDQpDbe8LjfgDuDhaTvT6sem Index=0 Version=0
Sign { LICENSE 10.199.8.26 never CPFW-ESC-U-V41 FW1:4.1:MOTIF CKF60A423378ED }= xzgjzt2PSZoBCBBZe6YkLue6aFh Index=0 Version=0
Sign { LICENSE 10.199.8.26 never CPFW-ENC-U-3DES-MODULE-V41 CPFW-ENC-U3DES-MGMT-V41 CK-FFA94CB }= bySNrc5YJQpWHwWc96cva8SLHVhm Index=0 Version=0

/$FWDIR/CONF/fwmusers

# cat fwmusers
Larry   2f1003fec499757c65fc004c4af907     000fff0f
Curly   2708994e49bef3b30d7538d2866a56     000f0fff
Mo      2f2b8765040049948c569f134c9e7fd    000ff0ff
Schemp  6b09f8b704bfd1a0c986ca5efffc5cd82  0ffffff0f

/$FWDIR/CONF/gui-clients
# cat gui-clients
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180

/$FWDIR/CONF/masters

# cat masters
10.1.1.1
10.1.2.1
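gui-clients and masters are the two lists that decide who may manage the firewall and where its policy and logs come from, so the audit step is the same for both: every entry must be a well-formed address that appears on the approved list, and every approved address should still be present. The block below is an added example, not code from the talk or from Check Point; the file contents and the approved lists are constructed (the malformed third gui-clients entry imitates the kind of typo visible in the listing above), and the assumption that each file holds one address per line follows the listings shown here.

```python
import ipaddress

# Constructed contents in the one-address-per-line layout of $FWDIR/conf/gui-clients
# and $FWDIR/conf/masters (not the talk's real files). The third gui-clients entry is
# deliberately malformed (fourth octet above 255).
SAMPLE_GUI_CLIENTS = """\
10.199.8.93
10.199.8.156
10.199.87.836
10.199.58.44
"""
SAMPLE_MASTERS = "10.1.1.1\n10.1.2.1\n"

# Approved lists an auditor would take from change records; assumed values.
APPROVED_GUI_CLIENTS = {"10.199.8.93", "10.199.8.156"}
APPROVED_MASTERS = {"10.1.1.1"}


def parse_hosts(text):
    """One entry per line; blank lines and '#' comment lines are ignored."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')]


def audit_hosts(entries, approved):
    """Bucket entries: not a parseable IP, present but unapproved, approved but absent."""
    report = {'not_ip': [], 'unapproved': [], 'missing': []}
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            report['not_ip'].append(entry)    # hostname or typo: resolve and review by hand
            continue
        if entry not in approved:
            report['unapproved'].append(entry)  # a station that may manage the firewall unexpectedly
    report['missing'] = sorted(approved - set(entries))  # approved station no longer listed
    return report


if __name__ == '__main__':
    print('gui-clients:', audit_hosts(parse_hosts(SAMPLE_GUI_CLIENTS), APPROVED_GUI_CLIENTS))
    print('masters:', audit_hosts(parse_hosts(SAMPLE_MASTERS), APPROVED_MASTERS))
```

An unapproved entry in masters deserves the harder look of the two: it names a management station the enforcement point will accept policy from.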

/$FWDIR/LOG/cpmgmt.aud
...New.W' on host 'Snoopy5'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:32:46 2002 log-viewer Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Tue Nov 19 13:12:34 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Tue Nov 19 13:12:36 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Tue Nov 19 13:12:42 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Wed Nov 20 10:22:31 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Wed Nov 20 10:22:33 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Wed Nov 20 10:23:23 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<

/$FWDIR/LOG/cpmgmt.aud (cont)
...nd7.W' on host 'Snoopy6and7'
rule-editor Curly@IT-STD-8900: Curly@IT-STD-8900 Logged in >>>>
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:57:32 2002 log-viewer Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059: Storing objects
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase(s)
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy4.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy5.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.
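cpmgmt.aud is the one place that records who opened the GUI, who took the database read/write (the lock behind manage.lock), who was refused the lock, and who pushed a policy. Reading it by eye works for a few days of entries; for an audit period it is better parsed. The block below is an added example, not code from the talk or from Check Point: it parses lines of the form `<timestamp> <tool> <user@host>: <message>` as seen above (logout lines carry a row of dashes instead of the tool and actor, so the actor is taken from the message), then summarises logins per admin, read/write lock sessions, refused locks and policy installs. The sample lines are constructed after the excerpts above, with the truncated "Installing rulebase" line completed with an invented host name.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines modelled on the cpmgmt.aud excerpts in the talk (not a real file).
SAMPLE_AUDIT = """\
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W' on host 'Snoopy1'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
"""

# "<timestamp> <tool> [<user@host>]: <message>"; logout lines have dashes and no actor field.
LINE_RE = re.compile(r'^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) (\S+)(?: (\S+))?: (.*)$')
TS_FMT = '%a %b %d %H:%M:%S %Y'


def parse_audit(text):
    """Return one dict per well-formed line; continuation or truncated lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ts = datetime.strptime(' '.join(m.group(1).split()), TS_FMT)
        tool, actor, msg = m.group(2), m.group(3), m.group(4)
        if actor is None:
            # Logout lines: the user@host is the first word of the message instead.
            first = msg.split()[0] if msg.split() else ''
            actor = first if '@' in first else None
        events.append({'ts': ts, 'tool': tool, 'actor': actor, 'msg': msg})
    return events


def summarize(events):
    """Counts and findings an auditor wants from cpmgmt.aud."""
    report = {'logins': Counter(), 'rw_sessions': [], 'failed_locks': [], 'installs': []}
    for e in events:
        if 'Logged in' in e['msg']:
            report['logins'][e['actor']] += 1
        elif e['msg'].startswith('Locking DB with'):
            report['rw_sessions'].append(e)     # admin took the database read/write
        elif e['msg'].startswith('Failed to lock database'):
            report['failed_locks'].append(e)    # lock already held by someone else
        elif e['msg'].startswith('Installing rulebase'):
            report['installs'].append(e)        # policy pushed to an enforcement point
    return report


if __name__ == '__main__':
    report = summarize(parse_audit(SAMPLE_AUDIT))
    print('logins:', dict(report['logins']))
    for e in report['installs']:
        print('install:', e['ts'].isoformat(), e['actor'], e['msg'])
    for e in report['failed_locks']:
        print('refused lock:', e['ts'].isoformat(), e['actor'], e['msg'])
```

The installs list is the one to reconcile against change tickets: each entry names the admin, the time and the rulebase file that went to the gateway.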

Intermission

Phone Boy and other useful Websites

a. Phoneboy - www.phoneboy.com
b. Cassandra - cassandra.cerias.purdue.edu
c. Bugtraq - online.securityfocus.com/archive
d. Sun - www.sun.com
e. MS - www.microsoft.com
f. Checkpoint - www.checkpoint.com

Useful Perl scripts

- fwrules4.2.pl - this is where the gifs are
- fwrules6.0.pl

And the output (screenshots)

Advanced GUI
1. Copy rulebases.fws from FW to GUI
2. Copy objects.C from FW to GUI
3. Rename rulebases.fws -> rules.fws
4. Rename objects.C -> objects.fws
5. Start GUI in local mode, ignore errors

Thank You

