Auditing Checkpoint FW1: The Combat Overview

Welcome! Ed Capizzi, Janus IT Security Auditor, [email protected]

11/20/2002 (transcript of a 42-slide deck)


OSI 7 Layer Reference Model


Router


Proxy


Dynamic State Tables


What a firewall does not protect against:

Malicious authorized users.

Connections that don't go through it.

100% of all threats!

A firewall is only as effective as the policy it supports.

Check Point FW-1 components

GUI - User Interface
MM  - Management & Logging
FW  - Enforcement Point

"Monolithic Stack": FW, MM and GUI together

Remote GUI

Remote Management
Always Authenticated ....

Remote Management AND Remote GUI
Beware ports 256, 257, 258 & 259. In FW-1 4.1 these carry the management plane: module-to-management traffic on TCP 256, logging on 257, GUI-to-management on 258 and client authentication on 259. An auditor should confirm they are reachable only from the hosts listed in gui-clients and masters, not from the networks the firewall protects against.

Remote Management AND Remote GUIs (several GUI clients)

WIFM (What's In it For Me)

GUI - User Interface: Local Mode!
MM  - Management & Logging: Logs, Users, Configs, Rulesets
FW  - Enforcement Point: Daemons, Etc


Any Input

Let’s go look!

Useful Commands

fw ver       - returns version and patch info
fwm -p       - prints a list of admin users
fwstart      - self-explanatory, be careful
fwstop       - self-explanatory, don't use this!
fw log       - displays the log; has many switches
fw logexport - exports a log; beware of size creep
fw dbexport  - exports the user database
fw printlic  - prints the license
fw stat      - shows the status of the firewall
cpconfig     - config util to review fw setup (fwconfig)

fw ver - returns version and patch info

# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG]

fwm -p - Print a list of Admin users

FireWall-1 Remote Manager Administrators:
================================
Larry (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
Curly (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
Mo (Read Only on all Management clients; )
Total of 3 administrators
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1
(20Nov2002 14:10:22)

fwstart - self-explanatory, be careful
fwstop  - self-explanatory, don't use this!

fw log       - displays the log, "feature rich" (has many switches)
fw logexport - exports a log to ascii format with your choice of delimiters.... beware of size creep!
fw dbexport  - exports the user database; -d sets the delimiter

fw printlic - prints the license

Host             Expiration  Features
170.199.190.253  Never       CPVP-ESC-U-3DES-V41 CK-15CCD095822D

cpconfig (fwconfig) - config util to review fw setup

Welcome to Check Point Configuration Program
=================================================
This program will let you re-configure
your Check Point Management configuration.

Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) Groups
(6) Exit

Enter your choice (1-6) :

# ./fw stat
HOST       POLICY   DATE
localhost  Snoopy1  18Nov2002 10:00:49 :  [>qfe0] [<qfe0] [>qfe1] [<qfe1] [>qfe2] [<qfe2] [>qfe3] [<qfe3]

(Run on the FW.) Read as: policy Snoopy1 was installed 18Nov2002 10:00:49 and is enforced on interfaces qfe0 through qfe3 in both directions; an interface missing from this list, or an unexpected policy name, is a finding.

Important Checkpoint files, commands & directories

…/$FWDIR/CONF/
…/$FWDIR/CONF/rulebases.fws - Contains all firewall rulebases
…/$FWDIR/CONF/objects.C     - Contains all firewall objects
…/$FWDIR/CONF/cp.licenses   - Licenses file
…/$FWDIR/CONF/fwmusers      - Contains all FW admins
…/$FWDIR/CONF/gui-clients   - List of all authorized GUI clients
…/$FWDIR/CONF/masters       - List of all FW masters (Mgt & Logging)

…/$FWDIR/LOG/
…/$FWDIR/LOG/cpmgmt.aud     - Log of admin access via the GUI.
…/$FWDIR/LOG/manage.lock    - Empty file used for GUI RW management

…/$FWDIR/CONF/rulebases.fws

# cat rulebases.fws
:rule-base ("##A_Standard_Policy"
  :rule (
    :src (
      : Any
    )
    :dst (
      : Any
    )
    :services (
      : Silent_Services
    )
    :action (
      : drop
    )
    :track ()
    :install (
      : Gateways

…/$FWDIR/CONF/objects.C

$ cat objects.fws
(
  :anyobj (Any
    :color (Blue)
  )
  :superanyobj (
    : Any
  )
  :netobjgraph (
    : (xnet-0
      :color (black)
      :type (network)
      :location (internal)
      :comments ("Created by the Graph View")
      :broadcast (allow)
      :ipaddr (2.2.2.0)
      :netmask (255.255.255.0)
      :read_only (true)
      :is_network_implied (true)
      :"#oldname" (
        :type (refobj)
        :refname ("#_xnet-0")
      )
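The rulebases.fws and objects.C excerpts above use the same ":name (value)" set notation, so one small parser reads both. What follows is an added example written for this write-up; it is not Check Point code and was not part of the original slides. It tokenizes the format, walks every rule in every rule-base and reports source, destination, services, action, whether the rule is tracked (an empty ":track ()" as in the excerpt means the rule is not logged) and whether it is a blanket Any-to-Any accept, and it pulls the network objects out of an objects.C. The two sample files are constructed from the slide excerpts with the closing parentheses restored, plus one extra rule and one extra network (192.0.2.0/24) so the checks have something to report; both additions are assumptions of the example, not data from the slides.

```python
"""Parser + audit for the ':name (value)' set format of FW-1 4.x rulebases.fws and objects.C.
Added example for this write-up, not Check Point code; SAMPLE_* are constructed from the slides."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[():]|[^\s():"]+')   # "quoted", one of ( ) :, or a bare word

@dataclass
class CPSet:
    head: Optional[str] = None                         # leading atom, e.g. Any in ':anyobj (Any ...)'
    items: List[Tuple[str, Union[str, "CPSet"]]] = field(default_factory=list)

    def get(self, name: str):
        return next((v for n, v in self.items if n == name), None)

class Parser:
    def __init__(self, text: str):
        self.toks, self.pos = TOKEN_RE.findall(text), 0

    def _peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self, want: Optional[str] = None) -> str:
        tok = self._peek()
        if tok is None or (want is not None and tok != want):
            raise ValueError(f"expected {want or 'a token'} at token {self.pos}, got {tok!r}")
        self.pos += 1
        return tok.strip('"')                          # bare tokens never contain quotes

    def document(self) -> CPSet:
        if self._peek() == "(":                        # objects.C: one bracketed set
            node = self.set_()
            return node if isinstance(node, CPSet) else CPSet(head=node)
        root = CPSet()                                 # rulebases.fws: bare run of ':rule-base (...)' entries
        while self._peek() is not None:
            root.items.append(self.entry())
        return root

    def entry(self) -> Tuple[str, Union[str, CPSet]]:
        self._next(":")
        if self._peek() == "(":                        # ': (xnet-0 ...)'  anonymous member set
            return "", self.set_()
        first = self._next()
        if self._peek() == "(":                        # ':src (...)'      named member
            return first, self.set_()
        return "", first                               # ': Any'           anonymous scalar member

    def set_(self) -> Union[str, CPSet]:
        self._next("(")
        node = CPSet()
        if self._peek() not in (":", ")"):
            node.head = self._next()
        while self._peek() == ":":
            node.items.append(self.entry())
        self._next(")")
        return node.head if node.head is not None and not node.items else node   # '(Blue)' -> 'Blue'

def members(value) -> List[str]:
    """Flatten ':src ( : Any : Mail )' into ['Any', 'Mail']; a scalar becomes a one-item list."""
    if isinstance(value, str):
        return [value]
    return [v for n, v in value.items if n == "" and isinstance(v, str)] if value else []

def audit_rulebase(text: str) -> List[dict]:           # one record per rule, in rulebase order
    out = []
    for name, rb in Parser(text).document().items:
        if name != "rule-base" or not isinstance(rb, CPSet):
            continue
        rules = [v for n, v in rb.items if n == "rule" and isinstance(v, CPSet)]
        for num, rule in enumerate(rules, 1):
            src, dst, action = (members(rule.get(k)) for k in ("src", "dst", "action"))
            out.append({"policy": rb.head, "rule": num, "src": src, "dst": dst,
                        "services": members(rule.get("services")), "action": action[0] if action else None,
                        "logged": bool(members(rule.get("track"))),   # ':track ()' means the rule is not logged
                        "any_any_accept": src == ["Any"] and dst == ["Any"] and action == ["accept"]})
    return out

def network_objects(text: str) -> List[Tuple[str, str, str]]:   # (name, ipaddr, netmask) under :netobjgraph
    graph = Parser(text).document().get("netobjgraph")
    return [] if not isinstance(graph, CPSet) else [(o.head, o.get("ipaddr"), o.get("netmask"))
        for _, o in graph.items if isinstance(o, CPSet) and o.get("type") == "network"]

# Constructed from the slide excerpts: closing parens restored, one extra rule and one extra network added.
SAMPLE_RULEBASE = """:rule-base ("##A_Standard_Policy"
  :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Silent_Services )
          :action ( : drop ) :track () :install ( : Gateways ) )
  :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Any )
          :action ( : accept ) :track ( : Long ) :install ( : Gateways ) ) )
"""
SAMPLE_OBJECTS = """( :anyobj (Any :color (Blue) )
  :netobjgraph (
    : (xnet-0 :type (network) :location (internal) :ipaddr (2.2.2.0) :netmask (255.255.255.0) :read_only (true) )
    : (dmz-net :type (network) :location (external) :ipaddr (192.0.2.0) :netmask (255.255.255.0) ) ) )
"""

if __name__ == "__main__":
    print(*audit_rulebase(SAMPLE_RULEBASE), *network_objects(SAMPLE_OBJECTS), sep="\n")
```

Run against a real rulebases.fws, the interesting output is any rule with any_any_accept set, and any rule whose logged flag is false, since the latter is exactly the traffic the cpmgmt.aud and fw log reviews later on will never see.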

…/$FWDIR/CONF/cp.licenses

# cat cp.license
Sign {
LICENSE 10.199.8.26 never CPFW-OSE-U-V41 CK-5099B26B
}= 7xDQpDbe8LjfgDuDhaTvT6sem Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ESC-U-V41 FW1:4.1:MOTIF CK-F60A423378ED
}= xzgjzt2PSZoBCBBZe6YkLue6aFh Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ENC-U-3DES-MODULE-V41 CPFW-ENC-U-3DES-MGMT-V41 CK-FFA94CB
}= bySNrc5YJQpWHwWc96cva8SLHVhm Index=0 Version=0

…/$FWDIR/CONF/fwmusers

# cat fwmusers
Larry 2f1003fec499757c65fc004c4af907 000fff0f
Curly 2708994e49bef3b30d7538d2866a56 000f0fff
Mo 2f2b8765040049948c569f134c9e7fd 000ff0ff
Schemp 6b09f8b704bfd1a0c986ca5efffc5cd82 0ffffff0f

Each line is admin name, password hash and permission mask (the same mask shape as the "Locking DB with '...' permissions" entries in cpmgmt.aud). Note four names here against the three administrators fwm -p reported above; that is the kind of gap to reconcile.

…/$FWDIR/CONF/gui-clients

# cat gui-clients
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180

Every address here may open the GUI to the management module, so each one should map to a known administrator workstation. Note that 10.199.87.836 is not a valid IPv4 address as listed.

…/$FWDIR/CONF/masters

# cat masters
10.1.1.1
10.1.2.1

…/$FWDIR/LOG/cpmgmt.aud

…New.W' on host 'Snoopy5'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:32:46 2002 log-viewer Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Tue Nov 19 13:12:34 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Tue Nov 19 13:12:36 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Tue Nov 19 13:12:42 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Wed Nov 20 10:22:31 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Wed Nov 20 10:22:33 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Wed Nov 20 10:23:23 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<

…/$FWDIR/LOG/cpmgmt.aud (con't)

…nd7.W' on host 'Snoopy6and7'
…le-editor Curly@IT-STD-8900: Curly@IT-STD-8900 Logged in >>>>
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:57:32 2002 log-viewer Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059: Storing objects
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase(s)
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy4.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy5.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.

Intermission


Phone Boy and other useful Websites

a. Phoneboy – www.phoneboy.com

b. Cassandra - cassandra.cerias.purdue.edu

c. Bugtraq - online.securityfocus.com/archive

d. Sun - www.sun.com

e. MS - www.microsoft.com

f. Checkpoint – www.checkpoint.com


Useful Perl scripts

fwrules4.2.pl - this is where the gifs are
fwrules6.0.pl

And the output…


Advanced GUI

1. Copy rulebases.fws from FW to GUI
2. Copy objects.C from FW to GUI
3. Rename rulebases.fws -> rules.fws
4. Rename objects.C -> objects.fws
5. Start GUI in local mode, ignore errors

Thank You