Slide 1
11/20/2002
Auditing Checkpoint FW1: The Combat Overview
Welcome!
Ed Capizzi, Janus IT Security Auditor, [email protected]
Slide 2
OSI 7 Layer Reference Model
Slide 3
Router
Slide 4
Proxy
Slide 5
Dynamic State Tables
Slide 6
Malicious authorized users.
Connections that don’t go through it.
100% of all threats!
A firewall is only as effective as the policy it supports.
Slide 7
(diagram) FW = Enforcement Point; MM = Management & Logging; GUI = User Interface
Slide 8
(diagram) FW, MM and GUI on one host: “Monolithic Stack”
Slide 9
(diagram) FW and MM on one host, GUI on another: Remote GUI
Slide 10
(diagram) FW on one host, MM and GUI on another: Remote Management
Always Authenticated ….
Slide 11
(diagram) FW, MM and GUI on three separate hosts: Remote Management AND Remote GUI
Beware ports 256, 257, 258 & 259
Slide 12
(diagram) FW, MM and several GUIs: Remote Management AND Remote GUIs
Slide 13
WIFM
(diagram) FW = Enforcement Point; MM = Management & Logging; GUI = User Interface (Local Mode!)
Logs, Users, Configs, Rulesets
Daemons, Etc
Slide 14 (image only, no text captured)
Slide 15
Any Input
Let’s go look!
Slide 16
Useful Commands
fw ver - returns version and patch info
fwm -p - prints a list of Admin users
fwstart - self explanatory, be careful
fwstop - self explanatory, don’t use this!
fw log - displays the log, has many switches
fw logexport - exports a log, beware of size creep
fw dbexport - exports the user database
fw printlic - prints the license
fw stat - shows the status of the firewall
cpconfig - config util to review fw setup (fwconfig)
Slide 17
fw ver - returns version and patch info
# fw ver
# This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG]
Slide 18
fwm -p - Print a list of Admin users
FireWall-1 Remote Manager Administrators:
================================
Larry (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
Curly (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
Mo (Read Only on all Management clients; )
Total of 3 administrators
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1
(20Nov2002 14:10:22)
Slide 19
fwstart - Self explanatory, be careful
fwstop - Self explanatory, don’t use this!
Slide 20
fw log - Displays the log, “feature rich” (has many switches)
fw logexport - Exports a log to ascii format with your choice of delimiters…. beware of size creep!
fw dbexport - Exports the user database, -d to set the delimiter
Slide 21
fw printlic - prints the license
Host Expiration Features
170.199.190.253 Never CPVP-ESC-U-3DES-V41 CK-15CCD095822D
Slide 22
cpconfig (fwconfig) - config util to review fw setup
Slide 23
cpconfig (con’t)
Welcome to Check Point Configuration Program
=================================================
This program will let you re-configure
your Check Point Management configuration.
Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) Groups
(6) Exit
Enter your choice (1-6) :
Slide 24
# ./fw stat
HOST       POLICY   DATE
localhost  Snoopy1  18Nov2002 10:00:49 : [>qfe0] [<qfe0] [>qfe1] [<qfe1] [>qfe2] [<qfe2] [>qfe3] [<qfe3]
(Run on the FW)
Slide 25
Important Checkpoint files, commands & directories
…/$FWDIR/CONF/
…/$FWDIR/CONF/rulebases.fws - Contains all firewall rulebases
…/$FWDIR/CONF/objects.C - Contains all firewall objects
…/$FWDIR/CONF/cp.licenses - Licenses file
…/$FWDIR/CONF/fwmusers - Contains all FW admins
…/$FWDIR/CONF/gui-clients - List of all authorized GUI clients
…/$FWDIR/CONF/masters - List of all FW masters (Mgt & Logging)
…/$FWDIR/LOG/
…/$FWDIR/LOG/cpmgmt.aud - Log of admin access via the GUI.
…/$FWDIR/LOG/manage.lock - Empty file used for GUI RW management
Slide 26
…/$FWDIR/CONF/rulebases.fws
# cat rulebases.fws
:rule-base ("##A_Standard_Policy"
:rule (
:src (
: Any
)
:dst (
: Any
)
:services (
: Silent_Services
)
:action (
: drop
)
:track ()
:install (
: Gateways
Slide 27
…/$FWDIR/CONF/objects.C
$ cat objects.fws
(
:anyobj (Any
:color (Blue)
)
:superanyobj (
: Any
)
:netobjgraph (
: (xnet-0
:color (black)
:type (network)
:location (internal)
:comments ("Created by the Graph View")
:broadcast (allow)
:ipaddr (2.2.2.0)
:netmask (255.255.255.0)
:read_only (true)
:is_network_implied (true)
:"#oldname" (
:type (refobj)
:refname ("#_xnet-0")
)
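The rulebases.fws listing on slide 26 and the objects.C listing on slide 27 share one notation: nested `:key (value)` entries, with `: Any` standing for an unnamed entry. The following Python is an added example, not code from the presentation or from Check Point: a small parser for that notation, and an audit pass over the parsed rules that reports each rule's source, destination, services and action and flags two things an auditor looks for first, Any-to-Any accept rules and rules whose `:track` is empty (nothing is logged). The embedded sample rulebase is constructed: rule 1 is the Silent_Services drop rule from slide 26 with its closing parentheses restored, while rules 2 and 3 and the `Long`, `Internal_Net` and `http` names are assumptions made for the demonstration.

```python
import re

# Tokens: "(" ")" a quoted string, a ":key" (quoted, bare or empty as in ": Any"), or a bare atom
_TOKEN = re.compile(r'\(|\)|:(?:"[^"]*"|[^\s()"]*)|"[^"]*"|[^\s()":]+')


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == '"' and s[-1] == '"' else s


def parse(text):
    """Parse Check Point ':key (value)' notation (rulebases.fws, objects.C).

    Returns a list of items; an item is a bare string, a nested list, or a
    (key, value) tuple where value is a string or a nested item list."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def parse_items(closing):
        nonlocal pos
        items = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ")":
                if not closing:
                    raise ValueError('unexpected ")"')
                return items
            if tok == "(":
                items.append(parse_items(closing=True))
            elif tok.startswith(":"):
                items.append((_unquote(tok[1:]), parse_value()))
            else:
                items.append(_unquote(tok))
        if closing:
            raise ValueError('unterminated "("')
        return items

    def parse_value():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("missing value")
        tok = tokens[pos]
        pos += 1
        return parse_items(closing=True) if tok == "(" else _unquote(tok)

    return parse_items(closing=False)


def values(items, key):
    """Scalar values stored under key: ':src (: Any)' -> ['Any'], ':color (Blue)' -> ['Blue']."""
    out = []
    for item in items:
        if isinstance(item, tuple) and item[0] == key:
            val = item[1]
            if isinstance(val, str):
                out.append(val)
            else:
                for sub in val:
                    if isinstance(sub, str):
                        out.append(sub)
                    elif isinstance(sub, tuple) and sub[0] == "" and isinstance(sub[1], str):
                        out.append(sub[1])
    return out


def audit_rulebase(text):
    """Report every rule of every rule-base with the checks an auditor applies first."""
    report = []
    for item in parse(text):
        if not (isinstance(item, tuple) and item[0] == "rule-base"):
            continue
        policy = next((i for i in item[1] if isinstance(i, str)), "")
        rules = [i[1] for i in item[1] if isinstance(i, tuple) and i[0] == "rule"]
        for n, rule in enumerate(rules, 1):
            src, dst, action = values(rule, "src"), values(rule, "dst"), values(rule, "action")
            problems = []
            if "Any" in src and "Any" in dst and "accept" in action:
                problems.append("Any-to-Any accept")
            if not values(rule, "track"):
                problems.append("no logging (track is empty)")
            report.append({"policy": policy, "rule": n, "src": src, "dst": dst,
                           "services": values(rule, "services"), "action": action,
                           "problems": problems})
    return report


# Constructed sample: rule 1 is the Silent_Services rule from slide 26 with its closing
# parentheses restored; rules 2 and 3 (and the Long/Internal_Net/http names) are assumptions.
SAMPLE_RULEBASE = """
:rule-base ("##A_Standard_Policy"
 :rule (:src (: Any) :dst (: Any) :services (: Silent_Services) :action (: drop) :track () :install (: Gateways))
 :rule (:src (: Any) :dst (: Any) :services (: Any) :action (: accept) :track (: Long) :install (: Gateways))
 :rule (:src (: Internal_Net) :dst (: Any) :services (: http) :action (: accept) :track (: Long) :install (: Gateways))
)
"""

if __name__ == "__main__":
    for r in audit_rulebase(SAMPLE_RULEBASE):
        print(f"{r['policy']} rule {r['rule']}: {r['src']} -> {r['dst']} {r['services']} "
              f"{r['action']} {r['problems']}")
```

The same `parse` and `values` functions read the objects.C fragment on slide 27: `values(parse(":netobjgraph (: (xnet-0 :ipaddr (2.2.2.0)))")[0][1][0][1], "ipaddr")` returns `['2.2.2.0']`, so the network inventory can be pulled from the object database in the same way the rules are.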
Slide 28
…/$FWDIR/CONF/cp.licenses
# cat cp.license
Sign {
LICENSE 10.199.8.26 never CPFW-OSE-U-V41 CK-5099B26B
}= 7xDQpDbe8LjfgDuDhaTvT6sem Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ESC-U-V41 FW1:4.1:MOTIF CK-F60A423378ED
}= xzgjzt2PSZoBCBBZe6YkLue6aFh Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ENC-U-3DES-MODULE-V41 CPFW-ENC-U-3DES-MGMT-V41 CK-FFA94CB
}= bySNrc5YJQpWHwWc96cva8SLHVhm Index=0 Version=0
Slide 29
…/$FWDIR/CONF/fwmusers
# cat fwmusers
Larry 2f1003fec499757c65fc004c4af907 000fff0f
Curly 2708994e49bef3b30d7538d2866a56 000f0fff
Mo 2f2b8765040049948c569f134c9e7fd 000ff0ff
Schemp 6b09f8b704bfd1a0c986ca5efffc5cd82 0ffffff0f
Slide 30
…/$FWDIR/CONF/gui-clients
# cat gui-clients
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180
Slide 31
…/$FWDIR/CONF/masters
# cat masters
10.1.1.1
10.1.2.1
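The gui-clients file on slide 30 and the masters file on slide 31 are both one address per line, and they decide which workstations may open the management GUI and which hosts the module trusts as its management and log servers. The Python below is an added example (not from the presentation) of the checks an auditor can run over such a list: every entry must parse as an IP address, must not be duplicated, and must lie inside a set of approved management networks. The gui-clients and masters entries are the ones shown on the slides; the approved networks (10.199.8.0/24, 10.199.58.0/24 and 10.1.0.0/16) are an assumption made for the demonstration. The entry 10.199.87.836 from slide 30 is reported because 836 is not a valid octet, which is exactly the kind of stale or mistyped entry a review should surface.

```python
import ipaddress

# Entries as shown on slide 30 ($FWDIR/conf/gui-clients) and slide 31 ($FWDIR/conf/masters).
GUI_CLIENTS = """\
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180
"""
MASTERS = "10.1.1.1\n10.1.2.1\n"

# Assumption for the demonstration: the networks from which management is allowed.
APPROVED_NETWORKS = ["10.199.8.0/24", "10.199.58.0/24", "10.1.0.0/16"]


def check_host_list(text, approved_networks):
    """Validate a one-address-per-line file. Returns a list of (entry, problem) pairs."""
    nets = [ipaddress.ip_network(n) for n in approved_networks]
    seen, problems = set(), []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry:
            continue
        if entry in seen:
            problems.append((entry, "duplicate entry"))
            continue
        seen.add(entry)
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            # e.g. an octet above 255, or a hostname that must be resolved and reviewed by hand
            problems.append((entry, "not a valid IP address"))
            continue
        if not any(ip in net for net in nets):
            problems.append((entry, "outside approved management networks"))
    return problems


def audit_management_hosts(gui_clients, masters, approved_networks):
    """Run the check on both files; also count how many workstations may run the GUI."""
    return {
        "gui_client_count": len([l for l in gui_clients.splitlines() if l.strip()]),
        "gui_clients": check_host_list(gui_clients, approved_networks),
        "masters": check_host_list(masters, approved_networks),
    }


if __name__ == "__main__":
    result = audit_management_hosts(GUI_CLIENTS, MASTERS, APPROVED_NETWORKS)
    print(f"{result['gui_client_count']} GUI clients authorised")
    for section in ("gui_clients", "masters"):
        for entry, problem in result[section]:
            print(f"{section}: {entry}: {problem}")
```

Fourteen authorised GUI workstations is itself a finding worth discussing with the firewall administrators, since every one of them can reach the management ports called out on slide 11; the address check only tells you which of the fourteen are plausible.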
Slide 32
…/$FWDIR/LOG/cpmgmt.aud
…New.W' on host 'Snoopy5'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:32:46 2002 log-viewer Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Tue Nov 19 13:12:34 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Tue Nov 19 13:12:36 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Tue Nov 19 13:12:42 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Wed Nov 20 10:22:31 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Wed Nov 20 10:22:33 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Wed Nov 20 10:23:23 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Slide 33
…/$FWDIR/LOG/cpmgmt.aud (con’t)
…nd7.W' on host 'Snoopy6and7'
…le-editor Curly@IT-STD-8900: Curly@IT-STD-8900 Logged in >>>>
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
…18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:57:32 2002 log-viewer Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059: Storing objects
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase(s)
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy4.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy5.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.
Intermission
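The cpmgmt.aud excerpts on slides 32 and 33 contain the events an auditor wants pulled out of the noise: who logged in and from which workstation, who took a Read/Write lock on the database (the `Locking DB with '000fffff' permissions` line), who stored and installed a policy, and who tried to take the lock while someone else held it. The Python below is an added example rather than code from the presentation. It parses lines of that format, summarises those events, and reconciles the administrator names seen in the log against the names defined in fwmusers on slide 29, so that a defined-but-never-seen account (Schemp, in the slides) and a seen-but-undefined one both stand out. The embedded log lines are constructed from the slide excerpts with the wrapped and cut-off lines completed by hand; the message wording the regular expressions match is taken from those excerpts, and the `on host '...'` suffix of the install line is inferred from the fragments at the top of slides 32 and 33.

```python
import re
from datetime import datetime

# Constructed sample: modelled on the cpmgmt.aud lines shown on the slides,
# with the wrapped and cut-off lines completed by hand (not real audit data).
SAMPLE_AUD = """\
Fri Nov 15 12:54:58 2002 rule-editor Curly@IT-STD-8900: Curly@IT-STD-8900 Logged in >>>>
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059: Storing objects
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W' on host 'Snoopy1'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
"""

# Administrators defined in $FWDIR/conf/fwmusers on slide 29 (names only).
FWMUSERS_ADMINS = ["Larry", "Curly", "Mo", "Schemp"]

# <timestamp> <component> <admin@host>: <message>          (login and work lines)
# <timestamp> ------...------: <admin@host> Logged out <<<<  (logout lines)
LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?:-+|(?P<component>[\w-]+) (?P<who>\S+?)): (?P<msg>.*)$"
)


def parse_aud(text):
    """Turn cpmgmt.aud lines into event dicts; lines that do not parse are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        who = m.group("who") or m.group("msg").split()[0]
        admin, _, host = who.partition("@")
        ts = re.sub(r" +", " ", m.group("ts"))
        events.append({
            "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
            "component": m.group("component"),   # rule-editor / log-viewer, None for logouts
            "admin": admin,
            "host": host,
            "msg": m.group("msg"),
        })
    return events


def review_admin_activity(text, defined_admins):
    """Summarise privileged actions and reconcile log identities with fwmusers."""
    events = parse_aud(text)
    seen = {e["admin"] for e in events}
    report = {
        "rw_locks": [],       # (when/who, permission mask) for Read/Write database locks
        "installs": [],       # (when/who, rulebase path, target host) for policy installs
        "failed_locks": [],   # someone tried to take the lock while another admin held it
        "dormant_admins": sorted(set(defined_admins) - seen),  # defined but never seen
        "unknown_admins": sorted(seen - set(defined_admins)),  # seen but not defined
    }
    for e in events:
        stamp = f"{e['time']:%Y-%m-%d %H:%M:%S} {e['admin']}@{e['host']}"
        m = re.match(r"Locking DB with '(\w+)' permissions", e["msg"])
        if m:
            report["rw_locks"].append((stamp, m.group(1)))
        m = re.match(r"Installing rulebase '([^']+)'(?: on host '([^']+)')?", e["msg"])
        if m:
            report["installs"].append((stamp, m.group(1), m.group(2)))
        if e["msg"].startswith("Failed to lock database"):
            report["failed_locks"].append((stamp, e["msg"]))
    return report


if __name__ == "__main__":
    for key, rows in review_admin_activity(SAMPLE_AUD, FWMUSERS_ADMINS).items():
        print(f"{key}: {rows}")
```

Run against the whole cpmgmt.aud rather than a sample, the `rw_locks` and `installs` lists are the change record to reconcile with the change tickets, and `dormant_admins` is the list to raise with whoever owns the fwmusers file.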
Slide 34
Phone Boy and other useful Websites
a. Phoneboy – www.phoneboy.com
b. Cassandra - cassandra.cerias.purdue.edu
c. Bugtraq - online.securityfocus.com/archive
d. Sun - www.sun.com
e. MS - www.microsoft.com
f. Checkpoint – www.checkpoint.com
Slide 35
Useful Perl scripts
fwrules4.2.pl - this is where the gifs are
fwrules6.0.pl
And the output…
Slides 36 to 40: screenshots of the script output (images only, no text captured)
Slide 41
Advanced GUI
1. Copy rulebases.fws from FW to GUI
2. Copy objects.C from FW to GUI
3. Rename rulebases.fws -> rules.fws
4. Rename objects.C -> objects.fws
5. Start GUI in local mode, ignore errors
Slide 42
Thank You