Checkpoint Firewall - ISACA Denver Chapter

Auditing Checkpoint FW1: The Combat Overview
Welcome!
Ed Capizzi
Janus
IT Security Auditor
11/20/2002
1
OSI 7 Layer Reference Model
Router
Proxy
Dynamic State Tables
Malicious authorized users.
Connections that don’t go through it.
100% of all threats!
A firewall is only as effective as the policy it supports.
Diagram: GUI = User Interface, MM = Management & Logging, FW = Enforcement Point
Diagram: “Monolithic Stack” (GUI, MM, FW)
Diagram: Remote GUI (MM, GUI, FW)
Diagram: Remote Management (FW, GUI, MM)
Always Authenticated ….
Diagram: Remote Management AND Remote GUI (FW, MM, GUI)
Beware ports 256, 257, 258 & 259
Diagram: Remote Management AND Remote GUIs (FW, MM, several GUIs)
WIFM
User Interface (GUI): Local Mode!
Management & Logging (MM): Logs, Users, Configs, Rulesets
Enforcement Point (FW): Daemons, Etc
Any Input
Let’s go look!
Useful Commands
fw ver - returns version and patch info
fwm -p - Print a list of Admin users
fwstart - Self explanatory, be careful
fwstop - Self explanatory, don’t use this!
fw log - Displays the log, has many switches
fw logexport - Exports a log, beware of size creep
fw dbexport - Exports the user database
fw printlic - prints the license
fw stat - Shows the status of the firewall
cpconfig (fwconfig) - config util to review fw setup
fw ver - returns version and patch info
# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG]
fwm -p - Print a list of Admin users
FireWall-1 Remote Manager Administrators:
================================
Larry (Read/Write on all Management clients; Log Consolidator Read/Write; Reporting Module - Read/Write; )
Curly (Read/Write on all Management clients; Log Consolidator Read/Write; Reporting Module - Read/Write; )
Mo (Read Only on all Management clients; )
Total of 3 administrators
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1
(20Nov2002 14:10:22)
fwstart - Self explanatory, be careful
fwstop - Self explanatory, don’t use this!
fw log - Displays the log, “feature rich” (has many switches)
fw logexport - Exports a log to ascii format with your choice of delimiters…. beware of size creep!
fw dbexport - Exports the user database, -d to set delimiter
fw printlic - prints the license
Host             Expiration  Features
170.199.190.253  Never       CPVP-ESC-U-3DES-V41 CK15CCD095822D
cpconfig (fwconfig) - config util to review fw setup
cpconfig (con’t)
Welcome to Check Point Configuration Program
=================================================
This program will let you re-configure
your Check Point Management configuration.
Configuration Options:
---------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) Groups
(6) Exit
Enter your choice (1-6) :
# ./fw stat    (Run on the FW)
HOST       POLICY   DATE
localhost  Snoopy1  18Nov2002 10:00:49 :  [>qfe0] [<qfe0] [>qfe1] [<qfe1] [>qfe2] [<qfe2] [>qfe3] [<qfe3]
Important Checkpoint files, commands & directories
…/$FWDIR/CONF/
…/$FWDIR/CONF/rulebases.fws - Contains all firewall rulebases
…/$FWDIR/CONF/objects.C - Contains all firewall objects
…/$FWDIR/CONF/cp.licenses - Licenses file
…/$FWDIR/CONF/fwmusers - Contains all FW admins
…/$FWDIR/CONF/gui-clients - List of all authorized GUI clients
…/$FWDIR/CONF/masters - List of all FW masters (Mgt & Logging)
…/$FWDIR/log/
…/$FWDIR/LOG/cpmgmt.aud - Log of admin access via the GUI.
…/$FWDIR/LOG/manage.lock - Empty file used for GUI RW management
…/$FWDIR/CONF/rulebases.fws
# cat rulebases.fws
:rule-base ("##A_Standard_Policy"
  :rule (
    :src (
      : Any
    )
    :dst (
      : Any
    )
    :services (
      : Silent_Services
    )
    :action (
      : drop
    )
    :track ()
    :install (
      : Gateways
…/$FWDIR/CONF/objects.C
$ cat objects.fws
(
  :anyobj (Any
    :color (Blue)
  )
  :superanyobj (
    : Any
  )
  :netobjgraph (
    : (xnet-0
      :color (black)
      :type (network)
      :location (internal)
      :comments ("Created by the Graph View")
      :broadcast (allow)
      :ipaddr (2.2.2.0)
      :netmask (255.255.255.0)
      :read_only (true)
      :is_network_implied (true)
      :"#oldname" (
        :type (refobj)
        :refname ("#_xnet-0")
      )
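rulebases.fws and objects.C on the two slides above share one nested-parenthesis text format, which is what lets an auditor work on copies of the files offline (the deck's fwrules*.pl scripts do exactly that). The block below is an added example written for this page, not the deck's scripts and not Check Point code: a parser for that format in Python, followed by the two queries an auditor runs first, every rule whose source and destination are both Any, and every network object with its address. Both file samples inside it are constructed: the slide excerpts are cut off, so the missing closing parens and two extra rules (an Any/Any accept and a rule from xnet-0) are invented to give the parser complete input.

```python
"""Parser for the text format shared by rulebases.fws and objects.C on a
FireWall-1 4.1 management station, with two audit queries over the result.
Added example for this deck: not Check Point code and not the fwrules*.pl
scripts it mentions.  Both file samples are constructed (the truncated slide
excerpts completed with invented rules and the missing closing parens)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# Tokens: '(', ')', ':key' (name optional and possibly quoted, so a bare ':' is
# an anonymous list entry), "quoted string", bare atom.  Whitespace is skipped.
_TOKEN = re.compile(r'\s+|(?P<open>\()|(?P<close>\))|:(?P<key>"[^"]*"|[^\s()"]*)'
                    r'|(?P<str>"[^"]*")|(?P<atom>[^\s()"]+)')


@dataclass
class Node:
    name: Optional[str] = None                 # leading token after '(', e.g. (Any ...
    attrs: List[Tuple[str, "Value"]] = field(default_factory=list)

    def get(self, key: str) -> List["Value"]:  # '' selects the anonymous ': x' entries
        return [v for k, v in self.attrs if k == key]


Value = Union[str, Node]


def _tokenize(text: str):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup is not None:            # None means whitespace
            val = m.group(m.lastgroup)
            yield m.lastgroup, val[1:-1] if val.startswith('"') else val


def parse(text: str) -> Node:
    """objects.C wraps the file in one pair of parens; rulebases.fws is a bare
    ':rule-base (...)' sequence.  Both are accepted, and a group left open at
    end of input is tolerated because the slide excerpts are cut off."""
    tokens, pos = list(_tokenize(text)), 0

    def group(inside_parens: bool) -> Value:
        nonlocal pos
        node = Node()
        if inside_parens and pos < len(tokens) and tokens[pos][0] in ("atom", "str"):
            node.name, pos = tokens[pos][1], pos + 1
        while pos < len(tokens) and tokens[pos][0] != "close":
            kind, key = tokens[pos]
            if kind != "key" or pos + 1 >= len(tokens):
                raise ValueError(f"malformed entry near token {pos}: {kind} {key!r}")
            pos += 1
            if tokens[pos][0] == "open":
                pos += 1
                value: Value = group(True)
            else:
                value, pos = tokens[pos][1], pos + 1   # bare value, e.g. ': Any'
            node.attrs.append((key, value))
        if inside_parens:
            pos += 1                                   # the closing ')'
        # '(Blue)' or ("some text") with no attributes is just a scalar value
        return node.name if node.name is not None and not node.attrs else node

    wrapped = bool(tokens) and tokens[0][0] == "open"
    pos = 1 if wrapped else 0
    top = group(wrapped)
    return top if isinstance(top, Node) else Node(name=top)


def column(rule: Node, key: str) -> List[str]:
    """Object names listed in a rule column such as :src, :dst, :services, :action."""
    return [v for grp in rule.get(key) if isinstance(grp, Node)
            for v in grp.get("") if isinstance(v, str)]


def any_any_rules(rulebase_text: str) -> List[Tuple[str, int, List[str], List[str]]]:
    """(policy, rule number, services, action) for each rule with Any source AND
    Any destination; the ones whose action is accept are the audit findings."""
    hits = []
    for policy in parse(rulebase_text).get("rule-base"):
        for n, rule in enumerate(policy.get("rule"), start=1):
            if "Any" in column(rule, "src") and "Any" in column(rule, "dst"):
                hits.append((policy.name, n, column(rule, "services"), column(rule, "action")))
    return hits


def network_objects(objects_text: str) -> List[Tuple[str, str, str]]:
    """(name, ipaddr, netmask) of every :type (network) object under :netobjgraph."""
    return [(obj.name, (obj.get("ipaddr") or ["?"])[0], (obj.get("netmask") or ["?"])[0])
            for graph in parse(objects_text).get("netobjgraph")
            for obj in graph.get("") if isinstance(obj, Node) and obj.get("type") == ["network"]]


# Constructed sample: the deck's ##A_Standard_Policy rule completed with two invented rules.
RULEBASES_FWS = """
:rule-base ("##A_Standard_Policy"
  :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Silent_Services )
          :action ( : drop ) :track () :install ( : Gateways ) )
  :rule ( :src ( : Any ) :dst ( : Any ) :services ( : http : ftp )
          :action ( : accept ) :track ( : Long ) :install ( : Gateways ) )
  :rule ( :src ( : xnet-0 ) :dst ( : Any ) :services ( : http )
          :action ( : accept ) :track () :install ( : Gateways ) )
)
"""

# Constructed sample: the deck's objects.C excerpt with the missing closing parens added.
OBJECTS_C = """
(
  :anyobj (Any :color (Blue) )
  :superanyobj ( : Any )
  :netobjgraph (
    : (xnet-0 :color (black) :type (network) :location (internal)
       :comments ("Created by the Graph View") :broadcast (allow)
       :ipaddr (2.2.2.0) :netmask (255.255.255.0) :read_only (true)
       :is_network_implied (true) :"#oldname" ( :type (refobj) :refname ("#_xnet-0") ) )
  )
)
"""
```

Run against the real files with `any_any_rules(open("rulebases.fws").read())`; rule numbers are positions within each :rule-base, which is how the GUI displays them, so findings can be handed straight to the firewall administrator.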
…/$FWDIR/CONF/cp.licenses
# cat cp.license
Sign {
LICENSE 10.199.8.26 never CPFW-OSE-U-V41 CK-5099B26B
}= 7xDQpDbe8LjfgDuDhaTvT6sem Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ESC-U-V41 FW1:4.1:MOTIF CKF60A423378ED
}= xzgjzt2PSZoBCBBZe6YkLue6aFh Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ENC-U-3DES-MODULE-V41 CPFW-ENC-U3DES-MGMT-V41 CK-FFA94CB
}= bySNrc5YJQpWHwWc96cva8SLHVhm Index=0 Version=0
…/$FWDIR/CONF/fwmusers
# cat fwmusers
Larry
2f1003fec499757c65fc004c4af907
000fff0f
Curly
2708994e49bef3b30d7538d2866a56
000f0fff
Mo
2f2b8765040049948c569f134c9e7fd
000ff0ff
Schemp
6b09f8b704bfd1a0c986ca5efffc5cd82
0ffffff0f
…/$FWDIR/CONF/gui-clients
# cat gui-clients
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180
…/$FWDIR/CONF/masters
# cat masters
10.1.1.1
10.1.2.1
/$FWDIR/LOG/cpmgmt.aud
New.W' on host 'Snoopy5'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:32:46 2002 log-viewer Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Tue Nov 19 13:12:34 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Tue Nov 19 13:12:36 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Tue Nov 19 13:12:42 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Wed Nov 20 10:22:31 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Wed Nov 20 10:22:33 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Wed Nov 20 10:23:23 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
/$FWDIR/LOG/cpmgmt.aud (con’t)
nd7.W' on host 'Snoopy6and7'
rule-editor Curly@IT-STD-8900: Curly@IT-STD-8900 Logged in >>>>
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:57:32 2002 log-viewer Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059: Storing objects
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase(s)
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy4.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy5.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.
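The fwmusers, gui-clients and cpmgmt.aud excerpts on the preceding slides are what an auditor copies off the management station, and they invite a few cross-checks the deck leaves to the reader: fwm -p reported three administrators while fwmusers lists four names, gui-clients contains 10.199.87.836 (not a valid address), and cpmgmt.aud records who took a read/write lock, who installed policy and who failed to lock the database. The script below is an added example written for this page, not Check Point code, that runs those checks over constructed copies of the three files. It assumes the three-lines-per-admin layout of fwmusers shown on the slide (name, hash, permission mask), the line layout of cpmgmt.aud shown above, and a business-hours window of 07:00 to 18:59; the administrator Joe and his late-night login are invented, as is the completed path in the Installing line.

```python
"""Audit checks over the FireWall-1 4.1 management files this deck walks through:
fwmusers (admins), gui-clients (hosts allowed to connect a GUI) and cpmgmt.aud
(GUI session audit log).  Added example for this deck, not Check Point code.
All three inputs below are constructed from the slide excerpts (the cpmgmt.aud
sample follows the deck's line layout and adds one invented admin, Joe)."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import AddressValueError, IPv4Address
from typing import Dict, List

# Constructed: fwmusers as on the slide, three lines per admin (name, hash, permission mask).
FWMUSERS = """\
Larry
2f1003fec499757c65fc004c4af907
000fff0f
Curly
2708994e49bef3b30d7538d2866a56
000f0fff
Mo
2f2b8765040049948c569f134c9e7fd
000ff0ff
Schemp
6b09f8b704bfd1a0c986ca5efffc5cd82
0ffffff0f
"""

# Constructed: a shortened gui-clients list; the slide's 10.199.87.836 is not a valid address.
GUI_CLIENTS = "10.199.8.93\n10.199.87.836\n10.199.8.180\n"

# Constructed: cpmgmt.aud lines in the deck's layout, plus an invented off-hours login by Joe.
CPMGMT_AUD = """\
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Tue Nov 19 22:41:07 2002 rule-editor Joe@TEMP-PC: Joe@TEMP-PC Logged in >>>>
"""

# timestamp, component (a dash run on logout lines), optional admin@host, message
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) "
                     r"(?P<component>\S+)(?: (?P<actor>\S+@\S+))?: (?P<msg>.*)$")
BUSINESS_HOURS = range(7, 19)       # assumption: 07:00-18:59 counts as in-hours


def parse_fwmusers(text: str) -> Dict[str, str]:
    """Admin name -> permission mask (the password hash in between is skipped)."""
    fields = text.split()
    return {fields[i]: fields[i + 2] for i in range(0, len(fields) - 2, 3)}


def invalid_gui_clients(text: str) -> List[str]:
    """Entries that are not well-formed IPv4 addresses (hostnames would need a resolver)."""
    bad = []
    for entry in text.split():
        try:
            IPv4Address(entry)
        except AddressValueError:
            bad.append(entry)
    return bad


def audit_sessions(aud_text: str, fwmusers: Dict[str, str]) -> dict:
    """Per-admin activity from cpmgmt.aud, cross-checked against fwmusers."""
    per_admin = defaultdict(lambda: {"logins": 0, "off_hours_logins": 0,
                                     "rw_locks": [], "installs": [], "failed_locks": 0})
    for line in aud_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        actor = m["actor"] or m["msg"].split()[0]   # logout lines carry the actor in the message
        if "@" not in actor:
            continue
        name, msg = actor.split("@", 1)[0], m["msg"]
        s = per_admin[name]
        if msg.endswith("Logged in >>>>"):
            s["logins"] += 1
            hour = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").hour
            if hour not in BUSINESS_HOURS:
                s["off_hours_logins"] += 1
        elif msg.startswith("Locking DB with"):      # read/write session on the rulebase
            s["rw_locks"].append(msg.split("'")[1])
        elif msg.startswith("Installing rulebase"):
            s["installs"].append(msg.split("'")[1])
        elif msg.startswith("Failed to lock database"):
            s["failed_locks"] += 1
    known, seen = set(fwmusers), set(per_admin)
    return {"per_admin": dict(per_admin),
            "unknown_admins": sorted(seen - known),  # in the log but not in fwmusers
            "never_seen": sorted(known - seen)}      # accounts with no GUI activity in the log
```

On a real engagement the three constants are replaced by the file contents pulled from $FWDIR/conf and $FWDIR/log; "never_seen" accounts are candidates for removal, "unknown_admins" means the log and fwmusers disagree and needs explaining, and each entry in "rw_locks" and "installs" should map to an approved change.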
Intermission
Phone Boy and other useful Websites
a. Phoneboy - www.phoneboy.com
b. Cassandra - cassandra.cerias.purdue.edu
c. Bugtraq - online.securityfocus.com/archive
d. Sun - www.sun.com
e. MS - www.microsoft.com
f. Checkpoint - www.checkpoint.com
Useful Perl scripts
fwrules4.2.pl - this is where the gifs are
fwrules6.0.pl
And the output…
Advanced GUI
1. Copy rulebases.fws from FW to GUI
2. Copy objects.C from FW to GUI
3. Rename rulebases.fws -> rules.fws
4. Rename objects.C -> objects.fws
5. Start GUI in local mode, ignore errors
Thank You