
Auditing Checkpoint FW1: The Combat Overview


Presentation Transcript


  1. Auditing Checkpoint FW1: The Combat Overview. Welcome! Ed Capizzi, Janus IT Security Auditor, ed.capizzi@janus.com

  2. OSI 7 Layer Reference Model

  3. Router

  4. Proxy

  5. Dynamic State Tables

  6. Malicious authorized users. Connections that don’t go through it. 100% of all threats! A firewall is only as effective as the policy it supports.

  7. The three components:
      GUI  User Interface
      MM   Management & Logging
      FW   Enforcement Point

  8. GUI MM FW “Monolithic Stack”

  9. MM GUI FW Remote GUI

  10. FW GUI MM Remote Management Always Authenticated ….

  11. FW MM GUI Remote Management AND Remote GUI Beware ports 256, 257, 258 & 259

  12. GUI GUI FW MM GUI Remote Management AND Remote GUIs GUI GUI

  13. WIFM GUI User Interface Local Mode ! MM Management & Logging Logs, Users, Configs, Rulesets FW Enforcement Point Daemons, Etc

  14. Any Input Let’s go look!

  15. Useful Commands
      fw ver        returns version and patch info
      fwm -p        prints a list of admin users
      fwstart       self-explanatory, be careful
      fwstop        self-explanatory, don't use this!
      fw log        displays the log; has many switches
      fw logexport  exports a log; beware of size creep
      fw dpexport   exports the user database
      fw printlic   prints the license
      fw status     shows the status of the firewall
      cpconfig      config util to review the fw setup (fwconfig)

  16. fw ver - returns version and patch info
      # fw ver
      This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG]

  17. fwm -p - print a list of Admin users
      FireWall-1 Remote Manager Administrators:
      ================================
      Larry (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
      Curly (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
      Mo (Read Only on all Management clients; )
      Total of 3 administrators
      This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 (20Nov2002 14:10:22)

  18. fwstart - self-explanatory, be careful
      fwstop - self-explanatory, don't use this!

  19. fw log - displays the log, "feature rich" (has many switches)
      fw logexport - exports a log to ASCII format with your choice of delimiters… beware of size creep!
      fw dpexport - exports the user database; -d to set the delimiter

  20. fw printlic - prints the license
      Host             Expiration  Features
      170.199.190.253  Never       CPVP-ESC-U-3DES-V41 CK-15CCD095822D

  21. cpconfig (fwconfig) - config util to review the fw setup

  22. cpconfig (con't)
      Welcome to Check Point Configuration Program
      =================================================
      This program will let you re-configure your Check Point Management configuration.

      Configuration Options:
      ----------------------
      (1) Licenses
      (2) Administrators
      (3) GUI clients
      (4) Remote Modules
      (5) Groups
      (6) Exit

      Enter your choice (1-6) :

  23. fw stat (run on the FW)
      # ./fw stat
      HOST       POLICY   DATE
      localhost  Snoopy1  18Nov2002 10:00:49 : [>qfe0] [<qfe0] [>qfe1] [<qfe1] [>qfe2] [<qfe2] [>qfe3] [<qfe3]

  24. Important Checkpoint files, commands & directories
      …/$FWDIR/CONF/
      …/$FWDIR/CONF/rulebases.fws - Contains all firewall rulebases
      …/$FWDIR/CONF/objects.C - Contains all firewall objects
      …/$FWDIR/CONF/cp.licenses - Licenses file
      …/$FWDIR/CONF/fwmusers - Contains all FW admins
      …/$FWDIR/CONF/gui-clients - List of all authorized GUI clients
      …/$FWDIR/CONF/masters - List of all FW masters (Mgt & Logging)
      …/$FWDIR/log/
      …/$FWDIR/LOG/cpmgmt.aud - Log of admin access via the GUI
      …/$FWDIR/LOG/manage.lock - Empty file used for GUI RW management

  25. …/$FWDIR/CONF/rulebases.fws
      # cat rulebases.fws
      :rule-base ("##A_Standard_Policy"
        :rule (
          :src ( : Any )
          :dst ( : Any )
          :services ( : Silent_Services )
          :action ( : drop )
          :track ()
          :install ( : Gateways

  26. …/$FWDIR/CONF/objects.C
      $ cat objects.fws
      (
        :anyobj (Any
          :color (Blue)
        )
        :superanyobj ( : Any )
        :netobjgraph (
          : (xnet-0
            :color (black)
            :type (network)
            :location (internal)
            :comments ("Created by the Graph View")
            :broadcast (allow)
            :ipaddr (2.2.2.0)
            :netmask (255.255.255.0)
            :read_only (true)
            :is_network_implied (true)
            :"#oldname" (
              :type (refobj)
              :refname ("#_xnet-0")
            )
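The rulebases.fws and objects.C listings on slides 25 and 26 share one syntax: `:key (value)` entries nested in parentheses, with `( : Any )` marking the members of a list. The parser below is an added example, not code from this presentation or from Check Point. It reads that syntax into Python lists (tolerating a listing that is cut off mid-file, as both slides are), then runs the rule checks an auditor usually starts with: accept rules that are Any/Any/Any, accept rules with no tracking, and a rulebase that does not end in an explicit cleanup drop. The sample rulebase is constructed in the slide 25 format; the rule names and the check list are the example's own assumptions.

```python
import re

# Tokens: a quoted string, a parenthesis, or a bare atom (keys start with ':').
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|[()]|[^\s()]+')


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def parse(text):
    """Parse FW-1 config text into nested Python lists.

    Each list holds positional atoms (str) and keyed entries (key, value) in
    file order, because keys such as :rule repeat. A bare ':' key (as in
    '( : Any )') is stored under the empty-string key. Input cut off before
    its closing parentheses (a truncated listing) parses as far as it goes.
    """
    toks = TOKEN_RE.findall(text)
    pos = 0

    def parse_value():
        nonlocal pos
        if toks[pos] == '(':
            pos += 1
            items = parse_items()
            if pos < len(toks):          # consume ')' unless the input was truncated
                pos += 1
            return items
        tok = toks[pos]
        pos += 1
        return _unquote(tok)

    def parse_items():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] != ')':
            tok = toks[pos]
            if tok.startswith(':'):
                pos += 1
                if pos == len(toks):     # key with no value at the end of truncated input
                    break
                items.append((_unquote(tok[1:]), parse_value()))
            else:
                items.append(parse_value())
        return items

    return parse_items()


def get(node, key):
    """First value stored under key, or None."""
    return next((item[1] for item in node if isinstance(item, tuple) and item[0] == key), None)


def get_all(node, key):
    return [item[1] for item in node if isinstance(item, tuple) and item[0] == key]


def members(node):
    """Names of the members of a FW-1 list such as '( : Any : Gateways )'.
    A member may itself be a list whose first positional atom is its name."""
    out = []
    for item in node:
        if isinstance(item, tuple) and item[0] == '':
            v = item[1]
            out.append(v if isinstance(v, str) else next((x for x in v if isinstance(x, str)), ''))
    return out


def _fields(rule):
    return {k: members(get(rule, k) or []) for k in ('src', 'dst', 'services', 'action', 'track')}


def _any_any_any(f):
    return f['src'] == ['Any'] and f['dst'] == ['Any'] and f['services'] == ['Any']


def audit_rulebase(text):
    """Return (rulebase name, rule number, finding) for rules an auditor should question."""
    findings = []
    for rb in get_all(parse(text), 'rule-base'):
        name = next((item for item in rb if isinstance(item, str)), '<unnamed>')
        rules = get_all(rb, 'rule')
        for num, rule in enumerate(rules, 1):
            f = _fields(rule)
            if 'accept' in f['action'] and _any_any_any(f):
                findings.append((name, num, 'Any/Any/Any accept'))
            if 'accept' in f['action'] and not f['track']:
                findings.append((name, num, 'accepted traffic not logged'))
        last = _fields(rules[-1]) if rules else None
        if last is None or not (last['action'] == ['drop'] and _any_any_any(last)):
            findings.append((name, len(rules), 'no explicit Any/Any/Any drop cleanup rule'))
    return findings


# Constructed sample in the rulebases.fws syntax of slide 25 (not the deck's own file).
SAMPLE_RULEBASE = '''
:rule-base ("##A_Standard_Policy"
 :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Silent_Services ) :action ( : drop ) :track () :install ( : Gateways ) )
 :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Any ) :action ( : accept ) :track () :install ( : Gateways ) )
 :rule ( :src ( : Any ) :dst ( : Any ) :services ( : Any ) :action ( : drop ) :track ( : Long ) :install ( : Gateways ) )
)
'''

if __name__ == '__main__':
    for name, num, finding in audit_rulebase(SAMPLE_RULEBASE):
        print(f'{name} rule {num}: {finding}')
```

Running it on the sample reports rule 2 twice (an unlogged Any/Any/Any accept) and nothing for the cleanup rule, which is present; feeding it the slide 25 listing as printed returns one rule and no crash despite the missing closing parentheses.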

  27. …/$FWDIR/CONF/cp.licenses
      # cat cp.license
      Sign { LICENSE 10.199.8.26 never CPFW-OSE-U-V41 CK-5099B26B }= 7xDQpDbe8LjfgDuDhaTvT6sem Index=0 Version=0
      Sign { LICENSE 10.199.8.26 never CPFW-ESC-U-V41 FW1:4.1:MOTIF CK-F60A423378ED }= xzgjzt2PSZoBCBBZe6YkLue6aFh Index=0 Version=0
      Sign { LICENSE 10.199.8.26 never CPFW-ENC-U-3DES-MODULE-V41 CPFW-ENC-U-3DES-MGMT-V41 CK-FFA94CB }= bySNrc5YJQpWHwWc96cva8SLHVhm Index=0 Version=0

  28. …/$FWDIR/CONF/fwmusers
      # cat fwmusers
      Larry 2f1003fec499757c65fc004c4af907 000fff0f
      Curly 2708994e49bef3b30d7538d2866a56 000f0fff
      Mo 2f2b8765040049948c569f134c9e7fd 000ff0ff
      Schemp 6b09f8b704bfd1a0c986ca5efffc5cd82 0ffffff0f

  29. …/$FWDIR/CONF/gui-clients
      # cat gui-clients
      10.199.8.93
      10.199.8.156
      10.199.8.35
      10.199.44.56
      10.199.87.836
      10.199.87.148
      10.199.8.31
      10.199.51.107
      10.199.8.30
      10.199.58.44
      10.199.58.54
      10.199.88.80
      10.199.58.55
      10.199.8.180

  30. …/$FWDIR/CONF/masters
      # cat masters
      10.1.1.1
      10.1.2.1
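Slides 28 to 30 are the files an auditor reconciles against an approved list: fwmusers against the roster of authorised administrators (the file on slide 28 holds four names while `fwm -p` on slide 17 reports three), gui-clients against the networks from which management access is permitted, and masters against the known management and logging servers. The script below is an added example, not one of the deck's Perl scripts and not a Check Point tool, that does that reconciliation. The file contents are constructed samples in the formats shown (one address or one admin per line), and the approved networks, roster and master list are assumptions for the run.

```python
import ipaddress

# Constructed samples modelled on the slide listings, not the deck's own files.
GUI_CLIENTS = """\
10.199.8.93
10.199.8.156
10.199.87.836
10.199.44.56
10.199.8.31
"""

FWMUSERS = """\
Larry 2f1003fec499757c65fc004c4af907 000fff0f
Curly 2708994e49bef3b30d7538d2866a56 000f0fff
Mo 2f2b8765040049948c569f134c9e7fd 000ff0ff
Schemp 6b09f8b704bfd1a0c986ca5efffc5cd82 0ffffff0f
"""

MASTERS = "10.1.1.1\n10.1.2.1\n"


def _entries(text):
    """Yield (line number, entry) for non-blank, non-comment lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if entry and not entry.startswith('#'):
            yield lineno, entry


def check_gui_clients(text, approved_nets):
    """Flag gui-clients entries that do not parse as an IP address
    or that lie outside the networks management access is allowed from."""
    nets = [ipaddress.ip_network(n) for n in approved_nets]
    findings = []
    for lineno, entry in _entries(text):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:               # e.g. an octet above 255: typo or tampering, either way a finding
            findings.append((lineno, entry, 'not a valid IP address'))
            continue
        if not any(addr in net for net in nets):
            findings.append((lineno, entry, 'outside approved admin networks'))
    return findings


def check_admins(text, approved_admins):
    """Return (name, permission mask) for fwmusers entries not on the approved roster.
    The last field is reported verbatim; its bit layout is not interpreted here."""
    unexpected = []
    for _, entry in _entries(text):
        fields = entry.split()
        name, mask = fields[0], fields[-1]
        if name not in approved_admins:
            unexpected.append((name, mask))
    return unexpected


def check_masters(text, expected):
    """Return (masters not in the expected set, expected masters missing from the file)."""
    found = {entry for _, entry in _entries(text)}
    return sorted(found - set(expected)), sorted(set(expected) - found)


if __name__ == '__main__':
    # Assumed approved values for this run.
    print('gui-clients:', check_gui_clients(GUI_CLIENTS, ['10.199.8.0/24']))
    print('fwmusers:', check_admins(FWMUSERS, {'Larry', 'Curly', 'Mo'}))
    print('masters:', check_masters(MASTERS, ['10.1.1.1']))
```

With the assumed lists, the run flags the entry `10.199.87.836` (not an address at all), `10.199.44.56` (outside the admin network), `Schemp` (in the file but not in the `fwm -p` roster) and `10.1.2.1` (a master nobody approved). Each of those is a question for the firewall administrator, not a conclusion.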

  31. …/$FWDIR/LOG/cpmgmt.aud
      Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
      Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
      Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
      Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
      Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
      Fri Nov 15 09:18:07 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy6and7.W' on host 'Snoopy6and7'
      2002 rule-editor Larry@PC-059: Storing objects
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase(s)
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy4.W'
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy5.W'
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
      Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
      Mon Nov 18 14:01:21 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy5.W' on host 'Snoopy5'
      Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
      Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
      Mon Nov 18 15:32:46 2002 log-viewer Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
      Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
      Tue Nov 19 13:12:34 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
      Tue Nov 19 13:12:36 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
      Tue Nov 19 13:12:42 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
      Wed Nov 20 10:22:31 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
      Wed Nov 20 10:22:33 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
      Wed Nov 20 10:23:23 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<

  32. …/$FWDIR/LOG/cpmgmt.aud (con't)
      le-editor Curly@IT-STD-8900: Curly@IT-STD-8900 Logged in >>>>
      Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
      18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
      Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
      Mon Nov 18 09:57:32 2002 log-viewer Larry@PC-059: Larry@PC-059 Logged in >>>>
      Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059: Storing objects
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase(s)
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy4.W'
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy5.W'
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
      Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
      Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W' on host 'Snoopy1'
      Intermission
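cpmgmt.aud records who logged into the management station, with which tool (rule-editor or log-viewer), whether they locked the database and with what permissions, and which rulebase they installed on which enforcement point. The parser below is an added example, not code from this presentation, that turns the log into records and pulls out what an auditor reviews on it: policy installs, lock contention between administrators, and installs by someone outside the approved change list or outside business hours. The log lines are a constructed sample in the format shown on slides 31 and 32; the user `Schemp@LAPTOP-77`, the approved-installer set and the business-hours window are the example's assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# "Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'"
# Logout lines have dashes in place of "tool user@client" and name the user in the message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<head>[^:]+): (?P<msg>.*)$')
INSTALL_RE = re.compile(r"Installing rulebase '(?P<path>[^']+)' on host '(?P<host>[^']+)'")


@dataclass
class AuditRecord:
    when: datetime
    tool: str        # rule-editor, log-viewer, or the dashes of a logout line
    actor: str       # user@client, e.g. Larry@PC-059
    message: str


def parse_audit(text):
    """Parse cpmgmt.aud lines into records; lines that do not match are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        head = m['head'].split()
        actor = head[1] if len(head) > 1 else m['msg'].split()[0]
        records.append(AuditRecord(datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y'),
                                   head[0], actor, m['msg']))
    return records


def policy_installs(records):
    """(when, actor, rulebase path, target host) for every policy install."""
    return [(r.when, r.actor, m['path'], m['host'])
            for r in records for m in [INSTALL_RE.search(r.message)] if m]


def lock_failures(records):
    """Administrators who tried to take the database while another admin held it."""
    return [(r.when, r.actor, r.message) for r in records if 'Failed to lock database' in r.message]


def flag_installs(records, approved_installers, business_hours=(7, 19)):
    """Installs by users not on the approved change list, or outside business hours."""
    findings = []
    for when, actor, path, host in policy_installs(records):
        reasons = []
        if actor.split('@')[0] not in approved_installers:
            reasons.append('installer not on approved change list')
        if not business_hours[0] <= when.hour < business_hours[1]:
            reasons.append('installed outside business hours')
        if reasons:
            findings.append((when, actor, host, reasons))
    return findings


# Constructed sample in the cpmgmt.aud format; Schemp@LAPTOP-77 and its install are invented.
SAMPLE_AUD = """\
Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Fri Nov 15 09:18:07 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W' on host 'Snoopy1'
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Mon Nov 18 23:41:03 2002 rule-editor Schemp@LAPTOP-77: Installing rulebase '/opt/CPfw1-41/conf/Snoopy5.W' on host 'Snoopy5'
"""

if __name__ == '__main__':
    recs = parse_audit(SAMPLE_AUD)
    for item in policy_installs(recs):
        print('install:', item)
    for item in lock_failures(recs):
        print('lock contention:', item)
    for item in flag_installs(recs, {'Larry', 'Curly'}):   # assumed approved installers
        print('FINDING:', item)
```

The install list is the thing to reconcile with the change tickets, one line per ticket; the lock-failure list shows which administrators work on the policy at the same time, which is worth knowing before trusting the "Locking DB" entries as a record of who changed what.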

  33. Phone Boy and other useful websites
      a. Phoneboy – www.phoneboy.com
      b. Cassandra – cassandra.cerias.purdue.edu
      c. Bugtraq – online.securityfocus.com/archive
      d. Sun – www.sun.com
      e. MS – www.microsoft.com
      f. Checkpoint – www.checkpoint.com

  34. Useful Perl scripts
      fwrules4.2.pl - this is where the gifs are
      fwrules6.0.pl
      And the output…

  35. Advanced GUI
      • Copy rulebases.fws from FW to GUI
      • Copy objects.C from FW to GUI
      • Rename rulebases.fws -> rules.fws
      • Rename objects.C -> objects.fws
      • Start GUI in local mode, ignore errors

  36. Thank You
