Wednesday, September 11, 2013

Protect VPN and File by Using ePass with CheckPoint

1. Overview

1.1 Introduction to CheckPoint

Check Point Software Technologies Ltd. (www.checkpoint.com), worldwide leader in securing the Internet, is the only vendor to deliver Total Security for networks, data and endpoints, unified under a single management framework. Check Point provides customers uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented Stateful Inspection technology. Today, Check Point continues to innovate with the development of the software blade architecture. The dynamic software blade architecture delivers secure, flexible and simple solutions that can be fully customized to meet the exact security needs of any organization or environment. Check Point customers include tens of thousands of businesses and organizations of all sizes including all Fortune 100 companies. Check Point award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.

1.2 Introduction to CheckPoint R70

Check Point R70 introduces the revolutionary Software Blades architecture. The Software Blades architecture provides a complete selection of Software Blades, each delivering a modular security gateway or security management function. Software Blades enable users to efficiently and quickly tailor Security Gateway and Management functionality to specific and changing needs. When running on multi-core platforms and appliances, Check Point CoreXL technology delivers near linear performance scalability for many of the Software Blades.
The release has several highlights:
1) New IPS blade which delivers superb IPS capabilities integrated into the Security Gateway:
  1. Integrated IPS Engine delivering over 2000 Pre-emptive/Behavioral-based Protections, Signature-based Protections, Client and Server Protections and Application Controls.
  2. Admin workflow and tools that allow simple management and deployment of IPS capabilities.
  3. Support for Prevent or Detect Mode per Profile and per Protection.
  4. Breakthrough performance of up to 10Gbps.
  5. Ability to limit system resources (CPU and memory) dedicated to IPS.
  6. Granular Exceptions.
  7. Easy IPS Protection updates including full coverage for Microsoft Patch Tuesday updates and many others.
  8. Enhanced log information (including packet capture) and new troubleshooting capabilities.
2) New Provisioning blade provides centralized administration and provisioning of Check Point security devices through a single management console. The blade provides an intuitive and easy interface to centrally manage both security and device configurations, such as operating system and network settings. Management can be done either device-by-device or using profiles which enable an administrator to manage large scale deployments that benefit from common security policies and device settings.
3) CoreXL for multi-core support and other performance enhancements.
4) Enhanced SecurePlatform operating system, supporting new hardware platforms and providing better performance.
5) Provider-1 Enhancements: New Migration Tool, New High Availability Capabilities, Cross-CMA Search, New IPS Global Policy capabilities and more.

1.3 Introduction to Feitian ePass Token

ePass Tokens of FEITIAN Technologies Co., Ltd. are secure carriers of personal digital certificates and private keys, which fully support the PKI security mechanism. With a number of solid features of smart card and protection of a personal PIN, private keys generated on the card can never be retrieved from the ePass token. Based on hardware chips ranging from the cost-effective secure MCU chip to the latest 32-bit smart card chip, ePass PKI products of FEITIAN provide flexibility and innovation in any PKI applications: the best-seller ePass2000, the high-performance ePass3000, the industrial-innovative biometric BioPass, the user-interactive InterPass, the Zero-Footprint GreenPass with Flash memories and the ePass token in SD card and card forms.

2. Using ePass in CheckPoint

2.1 Preparation

1) Installation
- Install the CheckPoint R70 (Windows server) software on a Windows platform that acts as the server; install the client software on another Windows platform.
- Install the ePass middleware on the client.
2) Verified ePass models
- ePass1000
- ePass1000ND
- ePass2001
- ePass2000 FT11/FT12
- ePass2003
- ePass3000
- ePass3003/3003Auto
- PKI Card/PKI Token
- Other

2.2 Configuration for Server side

1) Open SmartDashboard and double click the gateway in the Network Objects tab menu. In the General Properties of the Check Point Gateway, select IPSec VPN as shown in the image below:

Figure 1 Check Point Gateway
2) In the VPN page, add RemoteAccess to the VPN Community as shown in the image below:

Figure 2 VPN Setting
3) In the Users tab menu, right click User Groups -> New Group… to add a user group, please see the image below:

Figure 3 Add user group
4) Enter a group name and click OK, please see the image below:

Figure 4 Group properties
5) Add a user in the same way as the user group was added, please see the image below:

Figure 5 Add new user
6) Enter a Login Name for the test user and add this user to the group created before, please see the images below:

Figure 6 User properties
7) In the Certificates page, click Initiate to create a pending certificate and obtain the Registration Key, please see the images below:

Figure 7 Initiate certificate
8) After adding the user group and the new user, these configurations need to be installed into the database. In SmartDashboard, open Manage -> Users and Administrators, choose the group and user, then click Action -> Install, please see the image below:

Figure 8 Install group and user
9) Add a rule in the Rules menu: set Source to Any, Destination to Gateway, VPN to Remote Access and Action to Accept; the other options can be left at their defaults. After setting the rule, choose Policy -> Install to install it, please see the image below:

Figure 9 Create rule
10) Open RemoteAccess in the VPN Communities tab menu, and in the Participant User Groups page add All Users to Remote Access User Groups, please see the image below:

Figure 10 Remote Access Community Properties


2.3 Configuration and Connection for Client side

1) Right click the Check Point client tray icon on the taskbar and select Settings -> Certificates -> Create Certificate, please see the image below:

Figure 11 Create Certificate
2) Select "Store on a hardware or software token (CAPI)" and click Next, please see the image below:

Figure 12 Store certificate
3) Select the CSP for the ePass product (here using ePass2003 as an example), please see the image below:

Figure 13 Select CSP
4) Enter the server IP and the Registration Key obtained from the Initiate Certificate step (step 7 of section 2.2), please see the image below:

Figure 14 Enter CA IP and registration key
5) Click Next to generate the key pair and certificate on the ePass token, please see the image below:

Figure 15 Create certificate successfully
6) Open the Check Point client, see the image below:

Figure 16 Check Point Client
7) Click Connect and select the correct certificate to log in; the ePass token will then ask for the user PIN, please see the image below:

Figure 17 Input User Pin
8) After the correct user PIN is entered, the connection is built up successfully, please see the image below:

Figure 18 Connection Succeeded
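The point of steps 2 to 5 above is that the VPN key pair is generated on the token and never leaves it. A quick way to confirm that on the client is to inspect the enrolled certificate's key container from PowerShell. The script below is an added example, not part of the original post or of Check Point's or FEITIAN's software; it assumes the certificate was enrolled into the current user's personal store (Cert:\CurrentUser\My) and that the ePass CSP name contains the substring "ePass" (the $CspPattern parameter; adjust it to match the CSP chosen in step 3).

```powershell
# Added example (not from the original post): check that the Check Point VPN
# client certificate created in section 2.3 is backed by the ePass token's CSP,
# lives on a hardware device and has a non-exportable private key.
#
# Assumptions: the certificate is in Cert:\CurrentUser\My, and the token's CSP
# name contains $CspPattern (hypothetical default "ePass"; adjust as needed).
param(
    [string]$CspPattern = 'ePass'
)

$results = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object {
        $cert = $_
        $info = $null
        try {
            # For CAPI (CSP-backed) keys, PrivateKey is an RSACryptoServiceProvider
            # whose CspKeyContainerInfo names the provider that holds the key.
            # The token may prompt for its user PIN at this point.
            $info = $cert.PrivateKey.CspKeyContainerInfo
        } catch {
            # Key not reachable (e.g. token unplugged): record it instead of aborting.
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Provider   = if ($info) { $info.ProviderName } else { '<key not accessible>' }
            OnHardware = if ($info) { $info.HardwareDevice } else { $false }
            Removable  = if ($info) { $info.Removable } else { $false }
            Exportable = if ($info) { $info.Exportable } else { $null }
            OnToken    = if ($info) { $info.ProviderName -like "*$CspPattern*" } else { $false }
        }
    }

$results | Format-Table Subject, Provider, OnHardware, Exportable, OnToken -AutoSize

# Anything whose key ended up in a software CSP, or is exportable, did not get the
# protection this setup is meant to provide and should be re-enrolled via step 2.
$weak = $results | Where-Object { (-not $_.OnToken) -or $_.Exportable }
if ($weak) {
    Write-Warning "Certificates whose private key is not protected by the ePass token:"
    $weak | Format-Table Subject, Provider, Exportable -AutoSize
}
```

Run it with the token plugged in; a correctly enrolled VPN certificate shows the ePass CSP in the Provider column, OnHardware and OnToken as True and Exportable as False. If the Provider column shows a Microsoft software provider instead, the "Store on a hardware or software token (CAPI)" choice in step 2 picked the wrong CSP and the certificate should be recreated.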
