TRANSCRIPT
11/20/2002
1
Auditing Checkpoint FW1: The Combat Overview
Welcome! Ed Capizzi, Janus IT Security Auditor, [email protected]
6
What a firewall does not stop:
Malicious authorized users.
Connections that don't go through it.
100% of all threats!
A firewall is only as effective as the policy it supports.
13
WIFM
Diagram: FW-1 components
GUI - User Interface (Local Mode!)
MM - Management & Logging (Logs, Users, Configs, Rulesets)
FW - Enforcement Point (Daemons, etc.)
16
Useful Commands
fw ver - returns version and patch info
fwm -p - prints a list of admin users
fwstart - self-explanatory; be careful
fwstop - self-explanatory; don't use this!
fw log - displays the log; has many switches
fw logexport - exports a log; beware of size creep
fw dbexport - exports the user database
fw printlic - prints the license
fw stat - shows the status of the firewall
cpconfig - configuration utility to review the FW setup (fwconfig)
17
fw ver - returns version and patch info
# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1 Build 41862 [VPN + DES + STRONG]
18
fwm -p - Print a list of Admin users
FireWall-1 Remote Manager Administrators:
================================
Larry (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
Curly (Read/Write on all Management clients; Log Consolidator - Read/Write; Reporting Module - Read/Write; )
Mo (Read Only on all Management clients; )
Total of 3 administrators
This is Check Point VPN-1(TM) & FireWall-1(R) Version 4.1
(20Nov2002 14:10:22)
20
fw log - Displays the log; "feature rich" (has many switches)
fw logexport - Exports a log to ASCII format with your choice of delimiters. Beware of size creep!
fw dbexport - Exports the user database; -d sets the delimiter
21
fw printlic - prints the license
Host Expiration Features
170.199.190.253 Never CPVP-ESC-U-3DES-V41 CK-15CCD095822D
23
cpconfig (con't)
Welcome to Check Point Configuration Program
=================================================
This program will let you re-configure
your Check Point Management configuration.
Configuration Options:
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) Groups
(6) Exit
Enter your choice (1-6) :
24
# ./fw stat
HOST       POLICY    DATE
localhost  Snoopy1   18Nov2002 10:00:49 : [>qfe0] [<qfe0] [>qfe1] [<qfe1] [>qfe2] [<qfe2] [>qfe3] [<qfe3]
(Run on the FW)
25
Important Checkpoint files, commands & directories
…/$FWDIR/CONF/rulebases.fws - Contains all firewall rulebases
…/$FWDIR/CONF/objects.C - Contains all firewall objects
…/$FWDIR/CONF/cp.licenses - Licenses file
…/$FWDIR/CONF/fwmusers - Contains all FW admins
…/$FWDIR/CONF/gui-clients - List of all authorized GUI clients
…/$FWDIR/CONF/masters - List of all FW masters (Mgt & Logging)
…/$FWDIR/LOG/cpmgmt.aud - Log of admin access via the GUI
…/$FWDIR/LOG/manage.lock - Empty file used for GUI RW management
26
…/$FWDIR/CONF/rulebases.fws
# cat rulebases.fws
:rule-base ("##A_Standard_Policy"
    :rule (
        :src (
            : Any
        )
        :dst (
            : Any
        )
        :services (
            : Silent_Services
        )
        :action (
            : drop
        )
        :track ()
        :install (
            : Gateways
27
…/$FWDIR/CONF/objects.C
$ cat objects.fws
(
    :anyobj (Any
        :color (Blue)
    )
    :superanyobj (
        : Any
    )
    :netobjgraph (
        : (xnet-0
            :color (black)
            :type (network)
            :location (internal)
            :comments ("Created by the Graph View")
            :broadcast (allow)
            :ipaddr (2.2.2.0)
            :netmask (255.255.255.0)
            :read_only (true)
            :is_network_implied (true)
            :"#oldname" (
                :type (refobj)
                :refname ("#_xnet-0")
            )
28
…/$FWDIR/CONF/cp.licenses
# cat cp.license
Sign {
LICENSE 10.199.8.26 never CPFW-OSE-U-V41 CK-5099B26B
}= 7xDQpDbe8LjfgDuDhaTvT6sem Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ESC-U-V41 FW1:4.1:MOTIF CK-F60A423378ED
}= xzgjzt2PSZoBCBBZe6YkLue6aFh Index=0 Version=0
Sign {
LICENSE 10.199.8.26 never CPFW-ENC-U-3DES-MODULE-V41 CPFW-ENC-U-3DES-MGMT-V41 CK-FFA94CB
}= bySNrc5YJQpWHwWc96cva8SLHVhm Index=0 Version=0
29
…/$FWDIR/CONF/fwmusers
# cat fwmusers
Larry 2f1003fec499757c65fc004c4af907 000fff0f
Curly 2708994e49bef3b30d7538d2866a56 000f0fff
Mo 2f2b8765040049948c569f134c9e7fd 000ff0ff
Schemp 6b09f8b704bfd1a0c986ca5efffc5cd82 0ffffff0f
30
…/$FWDIR/CONF/gui-clients
# cat gui-clients
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180
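An auditor's check over a gui-clients file of the one-address-per-line format shown above, added here as an example (not part of the original slides): it flags malformed entries like the 10.199.87.836 line in the listing, duplicate entries, and addresses outside the subnet the auditor expects management stations to live in (the allowed subnet is an assumption supplied by the auditor, not something the firewall records).

```python
import ipaddress

# Constructed sample in the one-address-per-line format of $FWDIR/conf/gui-clients.
# The third line is deliberately malformed, mirroring the slide's listing.
SAMPLE_GUI_CLIENTS = """\
10.199.8.93
10.199.8.156
10.199.87.836
10.199.8.93
192.168.5.7
"""


def audit_gui_clients(text, allowed_nets=("10.199.8.0/24",)):
    """Return (valid_entries, findings) for a gui-clients file.

    allowed_nets is the auditor's expectation of where GUI clients should
    come from (assumption); each finding is (line_no, entry, reason).
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    valid, findings, seen = [], [], set()
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # An entry that is not an IP address cannot authorize anything sensibly;
            # it usually means a typo or a hand edit that should be questioned.
            findings.append((line_no, entry, "malformed address"))
            continue
        if entry in seen:
            findings.append((line_no, entry, "duplicate entry"))
            continue
        seen.add(entry)
        valid.append(entry)
        if not any(addr in net for net in nets):
            findings.append((line_no, entry, "outside expected management subnet"))
    return valid, findings


if __name__ == "__main__":
    ok, issues = audit_gui_clients(SAMPLE_GUI_CLIENTS)
    print("authorized GUI clients:", ok)
    for line_no, entry, reason in issues:
        print(f"line {line_no}: {entry}: {reason}")
```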
32
/$FWDIR/LOG/cpmgmt.aud
New.W' on host 'Snoopy5'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:32:46 2002 log-viewer Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Tue Nov 19 13:12:34 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Tue Nov 19 13:12:36 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Tue Nov 19 13:12:42 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Wed Nov 20 10:22:31 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Wed Nov 20 10:22:33 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Wed Nov 20 10:23:23 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
33
/$FWDIR/LOG/cpmgmt.aud (con't)
nd7.W' on host 'Snoopy6and7'
rule-editor Curly@IT-STD-8900: Curly@IT-STD-8900 Logged in >>>>
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:57:32 2002 log-viewer Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059: Storing objects
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase(s)
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy4.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy5.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy6and7.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3-test.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy2.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy3.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.
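The cpmgmt.aud records above follow one shape: timestamp, GUI tool (or a run of dashes on logout), the admin as user@host, then the message. As an added example (not code from the slides), the parser below turns such a file into what an auditor wants from it: who logged in, who took the database read-write and with what permission mask, which policies were pushed, and lock contention between admins. The sample log is constructed in that format; the admin and host names in it are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the format of $FWDIR/log/cpmgmt.aud shown on the slides.
SAMPLE_CPMGMT_AUD = """\
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059: Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059: Locking DB with '000fffff' permissions
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059: Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059: Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W' on host 'Snoopy1'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018: Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018: Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:34:09 2002 ------------------------------: Mo@CMP-PC-0018 Logged out <<<<
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900: Failed to lock database: Used by Larry@PC-059 using fwm.
this line is not an audit record
"""

# <timestamp> <tool> [<user@host>]: <message>; logout lines have dashes for the tool
# and no user@host field, so the actor is recovered from the message instead.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<tool>\S+?)(?: (?P<who>[^:\s]+))?: (?P<msg>.*)$"
)


def parse_cpmgmt_aud(text):
    """Return (records, unparsed); each record is (ts, tool, actor, message)."""
    records, unparsed = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # anything that is not a record deserves a look
            continue
        actor = m["who"] or m["msg"].split()[0]
        records.append((m["ts"], m["tool"], actor, m["msg"]))
    return records, unparsed


def summarize(text):
    """Logins per admin, read-write locks, policy installs and lock failures."""
    records, unparsed = parse_cpmgmt_aud(text)
    out = {"logins": Counter(), "rw_locks": [], "installs": [],
           "lock_failures": [], "unparsed": unparsed}
    for ts, _tool, actor, msg in records:
        if "Logged in" in msg:
            out["logins"][actor] += 1
        elif msg.startswith("Locking DB with"):          # read-write session on the DB
            perms = re.search(r"'([0-9a-f]+)'", msg)
            out["rw_locks"].append((ts, actor, perms.group(1) if perms else None))
        elif msg.startswith("Installing rulebase"):      # policy pushed to a gateway
            out["installs"].append((ts, actor, re.search(r"'([^']+)'", msg).group(1)))
        elif msg.startswith("Failed to lock database"):  # two admins contending for RW
            out["lock_failures"].append((ts, actor, msg))
    return out
```

Run summarize() over a real cpmgmt.aud and compare the rw_locks and installs entries against the change tickets for the period; anything unexplained is a finding.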
Intermission
34
Phone Boy and other useful Websites
a. Phoneboy - www.phoneboy.com
b. Cassandra - cassandra.cerias.purdue.edu
c. Bugtraq - online.securityfocus.com/archive
d. Sun - www.sun.com
e. MS - www.microsoft.com
f. Checkpoint - www.checkpoint.com
35
Useful Perl scripts
fwrules4.2.pl - this is where the gifs are
fwrules6.0.pl
And the output…
41
Advanced GUI
1. Copy rulebases.fws from FW to GUI
2. Copy objects.C from FW to GUI
3. Rename rulebases.fws -> rules.fws
4. Rename objects.C -> objects.fws
5. Start GUI in local mode, ignore errors