Sunday, September 15, 2013
Wednesday, September 11, 2013
Check Point VPN-1 NG : Usage of an OPSEC PKI as external Certificate Authority
Contents
Import a new OPSEC PKI Certificate Authority
Create a new Certificate Authority by selecting the Servers and OPSEC Applications tab, then open Servers and then Certificate Authority. Specify a proper name, description and type (here we are using XCA as the PKI tool, which is of type OPSEC PKI):
Import of the external Certificate Authority
Select a Certificate Authority file for input
Import the external Certificate Authority by selecting the proper file:
Note: when using XCA as the PKI tool, select the CA under the Certificates tab, then Export -> File, Export Format: PEM.
Verification of the chosen Certificate Authority file:
Advanced settings
There is currently no need to touch the default values in Advanced settings.
Result
As a result you get a second Certificate Authority beneath the already existing internal_ca:
Use of an OPSEC PKI for IKE authentication
Create a certificate request for the Check Point VPN-1 object, to be signed later by the external PKI. If you cannot specify the subject alternative name later in the PKI tool, specify it in the request like this (note that XCA, at least up to version 0.4.5, ignores subject alternative names in requests; they are overwritten or removed at the signing step):
Export the certificate request via copy & paste from the View:
Sign the certificate request of the module with the external PKI tool
1) Create an empty PEM file on a floppy disk (here: PKIcert-checkpoint-request.pem)
2) Open this file with the Notepad editor and select Format -> Word Wrap
3) Paste the certificate request into it
4) Important: re-insert the missing line breaks on all lines
5) Deselect Format -> Word Wrap; if the view changes, step 4 was not completed
6) Save and close the file
7) Transfer the request to the PKI tool
8) Import the request in the PKI tool
9) Sign the request
10) Attention: because Check Point VPN-1 currently still sends its ID_IPV4_ADDR during IKE authentication, and this identity is not contained in the certificate from the internal_ca, you have to add it to the certificate signed by the external CA.
11) Using XCA: specify on subject alternative name: IP:1.2.3.4
12) Save the signed certificate to the floppy disk
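Steps 4 and 10 above are the two places this procedure usually fails: a request whose line breaks were lost in the paste, and a signed certificate that lacks the IP subject alternative name the gateway's IKE identity needs. The following added example (not from the original post; it uses the openssl CLI in place of XCA, and the IP 1.2.3.4, ca.crt/ca.key and file names are assumptions) repairs the pasted request and signs it with the IP SAN, then checks the SAN is present before the certificate is imported.

```shell
#!/bin/sh
# Added example (not from the original post): repair a Check Point certificate
# request whose line breaks were lost in copy & paste, then sign it with an
# OpenSSL-based external CA, adding the IP subject alternative name that the
# gateway's IKE ID_IPV4_ADDR requires. IP 1.2.3.4, ca.crt/ca.key and the file
# names are assumptions; XCA is replaced by the openssl CLI here.
set -eu

# Strip every CR/LF, then re-emit header and footer on their own lines and the
# base64 body folded to 64 columns, as PEM (RFC 7468) expects. Works whether
# the request arrived as one long line or was already partly wrapped.
rewrap_pem() {
  tr -d '\r\n' < "$1" | awk '{
    s = $0
    if (match(s, /-----BEGIN [A-Z ]+-----/)) {
      hdr = substr(s, RSTART, RLENGTH); s = substr(s, RSTART + RLENGTH)
    }
    if (match(s, /-----END [A-Z ]+-----/)) {
      ftr = substr(s, RSTART, RLENGTH); s = substr(s, 1, RSTART - 1)
    }
    gsub(/[^A-Za-z0-9+\/=]/, "", s)   # a base64 body never contains blanks
    print hdr
    while (length(s) > 64) { print substr(s, 1, 64); s = substr(s, 65) }
    if (length(s) > 0) print s
    print ftr
  }'
}

# Sign the request with the external CA and force the IP SAN into the issued
# certificate (the extfile does what XCA's "subject alternative name: IP:..."
# field does). $1 request, $2 gateway IP, $3 output certificate.
sign_with_ip_san() {
  printf 'subjectAltName=IP:%s\n' "$2" > san.ext
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 730 -extfile san.ext -out "$3"
  # Verify the SAN really made it into the certificate before importing it.
  openssl x509 -in "$3" -noout -text | grep -A1 'Subject Alternative Name'
}

# Constructed sample: a request pasted as a single line (the body is dummy
# base64, not a real CSR), just as it comes out of the Check Point View.
WORK=$(mktemp -d)
BODY=$(awk 'BEGIN { for (i = 0; i < 25; i++) printf "QUJD" }')
SAMPLE="-----BEGIN CERTIFICATE REQUEST-----${BODY}-----END CERTIFICATE REQUEST-----"
printf '%s\r\n' "$SAMPLE" > "$WORK/PKIcert-checkpoint-request.pem"
REPAIRED=$(rewrap_pem "$WORK/PKIcert-checkpoint-request.pem")
printf '%s\n' "$REPAIRED"

# With a real request and CA at hand, sign it for the gateway's IKE identity.
if [ -f ca.key ] && command -v openssl >/dev/null 2>&1; then
  printf '%s\n' "$REPAIRED" > "$WORK/request.pem"
  sign_with_ip_san "$WORK/request.pem" 1.2.3.4 "$WORK/PKIcert-checkpoint.pem"
fi
```

The repaired request is what you transfer to the PKI tool in step 7; the signing function only runs when a CA key and openssl are actually present.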
Import signed certificate
The firewall object now has 2 certificates installed:
Force use of this certificate by selecting the CA on a locally managed gateway
Configure matching criteria for externally managed gateway or interoperable device
Select OPSEC PKI. Additionally, you can extend the matching criteria by DN, IPv4 address and e-mail (specified in subject alternative names) contained in the certificate of the externally managed gateway or interoperable device.
Protect VPN and File by Using ePass with CheckPoint
1. Overview
1.1 Introduction to CheckPoint
Check Point Software Technologies Ltd. (www.checkpoint.com), worldwide leader in securing the Internet, is the only vendor to deliver Total Security for networks, data and endpoints, unified under a single management framework. Check Point provides customers uncompromised protection against all types of threats, reduces security complexity and lowers total cost of ownership. Check Point first pioneered the industry with FireWall-1 and its patented Stateful Inspection technology. Today, Check Point continues to innovate with the development of the software blade architecture. The dynamic software blade architecture delivers secure, flexible and simple solutions that can be fully customized to meet the exact security needs of any organization or environment. Check Point customers include tens of thousands of businesses and organizations of all sizes including all Fortune 100 companies. Check Point award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.
1.2 Introduction to CheckPoint R70
Check Point R70 introduces the revolutionary Software Blades architecture. The Software Blades architecture provides a complete selection of Software Blades, each delivering a modular security gateway or security management function. Software Blades enable users to efficiently and quickly tailor Security Gateway and Management functionality to specific and changing needs. When running on multi-core platforms and appliances, Check Point CoreXL technology delivers near linear performance scalability for many of the Software Blades.
The release has several highlights:
1) New IPS blade which delivers superb IPS capabilities integrated into the Security Gateway:
- Integrated IPS Engine delivering over 2000 Pre-emptive/Behavioral-based Protections, Signature-based Protections, Client and Server Protections and Application Controls.
- Admin workflow and tools that allow simple management and deployment of IPS capabilities.
- Support for Prevent or Detect Mode per Profile and per Protection.
- Breakthrough performance of up to 10Gbps.
- Ability to limit system resources (CPU and memory) dedicated to IPS.
- Granular Exceptions.
- Easy IPS Protection updates including full coverage for Microsoft Patch Tuesday updates and many others.
- Enhanced log information (including packet capture) and new troubleshooting capabilities.
2) New Provisioning blade provides centralized administration and provisioning of Check Point security devices through a single management console. The blade provides an intuitive and easy interface to centrally manage both security and device configurations, such as operating system and network settings. Management can be done either device-by-device or using profiles which enable an administrator to manage large scale deployments that benefit from common security policies and device settings.
3) CoreXL for multi-core support and other performance enhancements.
4) Enhanced SecurePlatform operating system, supporting new hardware platforms and providing better performance.
5) Provider-1 Enhancements: New Migration Tool, New High Availability Capabilities, Cross-CMA Search, New IPS Global Policy capabilities and more.
1.3 Introduction to Feitian ePass Token
ePass Tokens of FEITIAN Technologies Co., Ltd. are secure carriers of personal digital certificates and private keys, which fully support the PKI security mechanism. With a number of solid features of smart card and protection of a personal PIN, private keys generated on the card can never be retrieved from the ePass token. Based on hardware chips ranging from the cost-effective secure MCU chip to the latest 32-bit smart card chip, ePass PKI products of FEITIAN provide flexibility and innovation in any PKI applications: the best-seller ePass2000, the high-performance ePass3000, the industrial-innovative biometric BioPass, the user-interactive InterPass, the Zero-Footprint GreenPass with Flash memories and the ePass token in SD card and card forms.
2. Using ePass in CheckPoint
2.1 Preparation
1) Installation
- Install the CheckPoint R70 server software on a Windows platform (the server), and install the client software on another Windows platform.
- Install the ePass middleware on the client.
2) Verified ePass models
- ePass1000
- ePass1000ND
- ePass2001
- ePass2000 FT11/FT12
- ePass2003
- ePass3000
- ePass3003/3003Auto
- PKI Card/PKI Token
- Other
2.2 Configuration for Server side
1) Open SmartDashboard, double click the gateway under Network Objects in the tab menu, and in the General Properties of the Check Point Gateway select IPSec VPN, as shown in the image below:
Figure 1 Check Point Gateway
2) In VPN page, add RemoteAccess to VPN Community as below image shown:
Figure 2 VPN Setting
3) In the Users tab menu, right click User Groups -> New Group… to add a user group; see the image below:
Figure 3 Add user group
4) Enter a group name and click OK; see the image below:
Figure 4 Group properties
5) Add a user in the same way as the user group; see the image below:
Figure 5 Add new user
6) Enter a Login Name for the test user and add this user to the group created before; see the images below:
Figure 6 User properties
7) In the Certificates page, click Initiate to create a pending certificate and obtain the Registration Key; see the images below:
Figure 7 Initiate certificate
8) After adding the user group and the new user, this configuration must be installed into the database. In SmartDashboard, open Manage -> Users and Administrators, choose the group and user, and click Action -> Install; see the image below:
Figure 8 Install group and user
9) Add a rule in the Rules menu: set Source to Any, Destination to the Gateway, VPN to Remote Access and Action to Accept; the other options can stay at their defaults. Afterwards, choose Policy -> Install to install this rule; see the image below:
Figure 9 Create rule
10) Open RemoteAccess in the VPN Communities tab menu, and in the Participant User Groups page add All Users to Remote Access User Groups; see the image below:
Figure 10 Remote Access Community Properties
2.3 Configuration and Connection for Client side
1) Right click the Check Point client tray icon on the taskbar, select Settings -> Certificates -> Create Certificate; see the image below:
Figure 11 Create Certificate
2) Select Store on a hardware or software token (CAPI) and click Next, please see below image:
Figure 12 Store certificate
3) Select the CSP for ePass product (here using ePass2003 as an example), please see below image:
Figure 13 Select CSP
4) Enter the server IP and the Registration Key obtained in the Initiate Certificate step; see the image below:
Figure 14 Enter CA IP and registration key
5) Click Next to generate key pair and certificate into the ePass token, please see below image:
Figure 15 Create certificate successfully
6) Open Check Point client, see below image:
Figure 16 Check Point Client
7) Click Connect and select the correct certificate to log in; the ePass token will then prompt for the user PIN; see the image below:
Figure 17 Input User Pin
8) After the correct user PIN is entered, the connection is established successfully; see the image below:
Figure 18 Connection Succeeded
Tuesday, September 10, 2013
CSR Creation for a Checkpoint VPN Appliance (Root Certificate, Intermediate Certificate & Request CSR)
http://www.digicert.com/csr-creation-checkpoint-vpn.htm
Add a Root Certificate and Subordinate (Intermediate Certificate) & Request CSR
then click the OPSEC PKI tab.
Then click the OPSEC PKI tab and click Get and find DigiCertCA.crt file.
Then click Ok to trust this certificate.
Open the Device properties for the device you want the SSL certificate to be sent out from, click 'Add' to create a CSR.
For the CA to enroll from choose the intermediate you made (e.g. DigiCert_Intermediate).
Then click the Generate button.
DN:CN=vpn.yourdomain.com,O=Your Company Inc,L=City,ST=State,C=US
Then click Ok. If you are getting a SAN certificate, click 'Define Alternate Names' and specify the names when prompted. Then, during the DigiCert ordering process, choose 'Other' for Server type; when prompted you can upload or paste your CSR file.
Thursday, September 5, 2013
IP Source Routing Enabled and How to Disable
- http://www.rapid7.com/db/vulnerabilities/generic-ip-source-routing-enabled
Description
The host is configured to honor IP source routing options. Source routing is a feature of the IP protocol which allows the sender of a packet to specify which route the packet should take on the way to its destination (and on the way back). Source routing was originally designed to be used when a host did not have proper default routes in its routing table. However, source routing is rarely used for legitimate purposes nowadays. Attackers can abuse source routing to bypass firewalls or to map your network.
References:
- http://www.microsoft.com/technet/security/bulletin/
- http://technet.microsoft.com/security/bulletin/MS99-038.mspx
- MSKB: http://support.microsoft.com/default.aspx?scid=kb;EN-US;238453
- URL: http://packetstormsecurity.nl/advisories/nai/nai.99-09-20.windows_ip_source_routing
Solution
For every platform below, you should also consider blocking or "scrubbing" source routed packets at your firewall (i.e. either reject source routed packets or have the firewall remove the source routing options if possible).
- IBM AIX: Disable IP source routing on IBM AIX. Issue the following command to disable forwarding of source routed packets:
/usr/sbin/no -o nonlocsrcroute=0
Also, issue the following command to disable the sending of source routed packets:
/usr/sbin/no -o ipsrcroutesend=0
In order to make this setting permanent, you can add this command to /etc/rc.net.
- FreeBSD: Disable IP source routing on FreeBSD. IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:
sysctl net.inet.ip.sourceroute
If the option is not set to 0, you can set it to zero by issuing the following command:
sysctl -w net.inet.ip.sourceroute=0
These settings can be added to /etc/sysctl.conf to make them permanent.
- Cisco IOS: Disable IP source routing on Cisco IOS. Use the 'no ip source-route' command to disable source-routing on the affected interface(s).
- SGI Irix: Disable IP source routing on SGI Irix. Issue the following command to disable forwarding of source routed packets:
/usr/sbin/systune ipforward to 2
- Linux: Disable IP source routing on Linux. Source routing is disabled by default. On Linux kernel 2.2 and earlier, this setting was controlled by the contents of the following proc file:
/proc/sys/net/ipv4/conf/all/accept_source_route
However, in more recent versions of Linux, the source route setting is controlled by several sysctl variables. Issue the following command to drop all source routed packets:
/sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
Also, issue the following commands to disable forwarding of any frames with source routing options:
/sbin/sysctl -w net.ipv4.conf.all.forwarding=0
/sbin/sysctl -w net.ipv4.conf.all.mc_forwarding=0
These settings can be added to /etc/sysctl.conf to make them permanent.
- Microsoft Windows NT (Workstation, Server, Advanced Server, Server Enterprise Edition, Server Terminal Server Edition): Disable IP source routing on Windows NT 4. First upgrade to the latest NT4 Service Pack (SP6 for NT4 Terminal Server, SP6a for all other versions of NT4). Versions of NT4 prior to SP6 can still be "tricked" into honoring source routing even if you have disabled it via the registry. See Q238453 for more information. After upgrading to NT Service Pack 6a, run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
- OpenBSD: Disable IP source routing on OpenBSD. IP source routing is disabled by default. Confirm that the 'net.inet.ip.sourceroute' sysctl option is set to 0 by issuing the following command:
sysctl net.inet.ip.sourceroute
If the option is not set to 0, you can set it to zero by issuing the following command:
sysctl -w net.inet.ip.sourceroute=0
These settings can be added to /etc/sysctl.conf to make them permanent.
- Cisco PIX: Disable IP source routing on Cisco PIX. PIX firewalls are designed to drop IP packets with insecure options, including source routing. See the following Cisco support document for more information.
- Sun Solaris: Disable IP source routing on Solaris. While you cannot completely disable the handling of source-routed packets directed at the Solaris host itself, you can prevent Solaris from forwarding source routed packets on to the next hop by issuing the following command:
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
In order to make this setting permanent, you will need to set this option automatically when the machine is booted.
- Microsoft Windows Vista (Home Basic, Home Basic N, Home Premium, Ultimate, Enterprise, Business, Business N, Starter), Windows Server 2008 (Standard, Enterprise, Datacenter, HPC, Web, Storage), Windows Small Business Server 2008, Windows Essential Business Server 2008: Disable IP source routing on Windows Vista/2008. Run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
- Microsoft Windows 2000 (Professional, Server, Advanced Server, Datacenter Server), Windows XP (Home, Professional), Windows Server 2003 (Standard, Enterprise, Datacenter, Web), Windows Small Business Server 2003: Disable IP source routing on Windows 2000/XP/2003. Run the registry editor (regedit.exe) and browse to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Add a DWORD value named "DisableIPSourceRouting", and set it to 2. Windows must be rebooted for the change to take effect.
- Microsoft Windows 95, 98, 98SE, ME: Microsoft has provided a fix for this issue, but requires users to contact Microsoft directly to obtain the fix. Please see MSKB article Q238453 for more information.
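The Linux solution above points out that the single proc file of kernel 2.2 became several sysctl variables, one per interface plus all and default. The following added example (not part of the Rapid7 text) audits every accept_source_route entry under a conf directory, reports the ones still enabled, and emits the sysctl.conf lines to fix them; the directory is a parameter so the check runs here against a constructed tree, and on a real host you would pass /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example (not from the Rapid7 text above): audit the Linux sysctl
# settings the solution lists and emit the /etc/sysctl.conf lines needed to
# fix what is wrong. The conf root is a parameter so the check can run
# against a constructed tree here; pass /proc/sys/net/ipv4/conf on a real host.
set -eu

# Print "<iface> <value>" for every entry whose accept_source_route is not 0.
# Linux accepts a source-routed packet only if both conf/all and the
# interface's own value allow it, but conf/default is what newly created
# interfaces inherit, so all three kinds of entry are worth auditing.
audit_source_route() {
  for f in "$1"/*/accept_source_route; do
    [ -f "$f" ] || continue
    v=$(cat "$f")
    [ "$v" = "0" ] || printf '%s %s\n' "$(basename "$(dirname "$f")")" "$v"
  done
}

# Turn the audit result into the permanent fix the text describes, one
# net.ipv4.conf.<iface>.accept_source_route=0 line per offending entry.
remediation_lines() {
  audit_source_route "$1" | while read -r iface _; do
    printf 'net.ipv4.conf.%s.accept_source_route=0\n' "$iface"
  done
}

# The forwarding knobs the text also sets live under conf/all only.
forwarding_state() {
  for k in forwarding mc_forwarding; do
    [ -f "$1/all/$k" ] || continue
    printf 'net.ipv4.conf.all.%s=%s\n' "$k" "$(cat "$1/all/$k")"
  done
}

# Constructed sample tree standing in for /proc/sys/net/ipv4/conf: 'all' is
# hardened, but 'default' and eth1 still honour source routes and the host
# forwards unicast traffic.
ROOT=$(mktemp -d)
for iface in all default lo eth0 eth1; do
  mkdir -p "$ROOT/$iface"
done
echo 0 > "$ROOT/all/accept_source_route"
echo 1 > "$ROOT/default/accept_source_route"
echo 0 > "$ROOT/lo/accept_source_route"
echo 0 > "$ROOT/eth0/accept_source_route"
echo 1 > "$ROOT/eth1/accept_source_route"
echo 1 > "$ROOT/all/forwarding"
echo 0 > "$ROOT/all/mc_forwarding"

audit_source_route "$ROOT"
remediation_lines "$ROOT"
forwarding_state "$ROOT"
```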