Administering Check Point VPN-1/FW-1 NG AI for Effectiveness

Although performance is important, if a firewall doesn't do what it's supposed to do, it is of no use. In fact, it is easy to trade increased performance for decreased effectiveness or security. In this section we talk about how to make sure your FW-1 NG is doing its job and securing your network.

Quality Control

One of the best ways to test a firewall's effectiveness is to assume the role of attacker. Although it is not only possible but also advisable to hire a third party to do penetration testing, the initial testing is your responsibility. The simplest way to test the firewall is with a port scanner. Some popular and free port scanners you may want to try include the following:

  • Nmap A favorite of security professionals and hackers alike. Nmap allows different types of scans, spoofing, decoys, and timing changes. It can be found at www.insecure.org.

  • Languard Network Scanner A very noisy but full-featured scanner. This tool will pull SNMP information as well as attempt to connect to open services and gather banners. It can be found at www.gfisoftware.com/languard/lanscan.htm.

  • Hping2 An advanced tool that runs on *nix that allows the crafting of custom TCP/IP packets. Hping2 can be used to test firewall rules and even transfer files. You can download Hping2 from www.hping.org.

If you would like to further assess your configuration, you can use a full-featured vulnerability assessment tool. Most even have modules that enable you to test known vulnerabilities. For recommendations and more descriptions, you can visit www.insecure.org/tools.html.

This sort of quality control has multiple benefits. It helps you see what ports are open or not filtered from the outside. In addition, it may help you see what patches you might be missing or vulnerabilities you are exposed to. It enables you to test your logging and monitoring. Finally, it enables you to see what an attack might look like and help you detect one from your monitoring.

Patches and Updates

As a security professional, make sure you sign up to a few security mailing lists (such as bugtraq) to stay abreast of new developments in security. Especially make sure you get the Check Point e-mail newsletter, which will notify you of support issues and relevant patches when they're available. You can sign up for Check Point's newsletter at www.checkpoint.com/newsletter.html.

To obtain updates to your FW-1 NG AI installation, you can use SmartUpdate, as shown in Figure 8.8. From the Products menu, select New Product > Add From Download Center. After you agree to the licensing agreement, this choice will connect your computer to the Check Point download site. It will get a list of software available for download up to the version you have installed on the management station. Select the products you want to add to your repository, and click Download.

Figure 8.8: SmartUpdate Utility

Designing & Planning: War Games

Don't underestimate the value of auditing your firewall configuration. Assign someone (another employee or an auditing firm) to periodically audit the configuration with scans from the outside or even simulated attacks. This will enable you to test your monitoring and incident response procedures. It will be much easier to hone your incident response skills under simulation than to respond ineffectively to a real attack, or worse yet, to not detect a real attack at all.

To use SmartUpdate to do remote installations and updates centrally, you must be licensed. Beyond that basic requirement, SmartUpdate tries to make it easy. The first step is to obtain a SmartUpdate package from the Internet or CD. The Product Repository is managed using cppkg commands. The command to add a new package is the following:

  cppkg add <package-full-path | CD directory>

Next, you must put the package into the Product Repository. After the package is in the Product Repository, you can literally drag and drop packages onto modules from the SmartUpdate GUI or select Upgrade All Products.

As an alternative, if you are not licensed to use SmartUpdate, you can download updates from www.checkpoint.com/techsupport/downloads_ng.html. You will want to pay particular attention to the hotfixes. Download the appropriate hotfix just as you would any other file. After extracting it to a directory, you can install the hotfix. Make sure that the SVNFoundation (cpshared_hf*.tgz) hotfix is installed first, and then you can follow with the particular hotfix for the products you are running.

Policy Administration

The core of an effective firewall is policy. To help you manage and administer your firewall, you will want to implement a number of best practices. One of the most important administrative tasks you will perform is modifying security policy. This could also be a task you spend a lot of time doing. To assist you, here are a number of tips to keep in mind:

  • Clean up old policies.

  • Use groups.

  • Use Revision Control.

  • Use comments.

Whenever you create a new policy and save it, it is written to a *.W file and to the rulebases_5_0.fws file. The asterisk in the *.W file represents the name of the policy. The rulebases_5_0.fws file is a collection of all *.W files. If you have a lot of policies, the rulebases_5_0.fws file can get quite large. Don't be afraid to clean up some of the old policies if you no longer need them. The best way to do this is through the SmartDashboard interface. Choose File from the menu, and select Delete Entire Policy Package. This will open a dialog box that will enable you to choose the policy you would like to delete. When you delete policies this way, the actual *.W file is deleted as well as the reference within the rulebases_5_0.fws file.

Second, try to arrange network objects into groups. This will help in administration and make the Rule Base easier to read. As you add new objects to groups, they are automatically included in any relevant rules.

Next, if you are making modifications to a production policy, before you begin ensure an updated version is saved in File > Database Revision Control. If something goes wrong or gets misconfigured, you can then restore the saved policy. Before Database Revision Control existed, it was suggested to save a new policy package. This resulted in enormous rulebases_5_0.fws files that would cause the GUI to take a long time to open, save, or push policies. This situation is discussed in the next section and is no longer an issue.

And finally, it cannot be emphasized enough: Use comments. Using comments in your FW-1 Rule Base will help you understand what certain rules are doing, whom they are for, and when they should expire. Comments are even more important when multiple administrators are managing the firewall policy. The comments can help explain the purpose of the rule. This will help you keep the Rule Base fit and trim. There is nothing worse than making a modification on the fly and forgetting about it. Making appropriate comments will help you audit your Rule Base and network objects from time to time.

Managing Multiple Policies

Although possibly confusing at times, it may be necessary to have multiple policies for multiple firewalls. If this is the case for you, here are a couple of pointers to help you effectively administer your policies:

  • Use meaningful policy names.

  • Use the Policy Installation Targets setting for each policy.

  • Delete old policies.

  • Properly configure the Install On field.

When naming a policy, use a name that is indicative of its function and enforcement points. This is helpful so that you don't accidentally overwrite the wrong policy. Note that the GUI will alert you if you are about to install a policy package of a different name on a firewall. You can also set which firewalls each policy will be enforced by using Policy > Policy Installation Targets or Select Targets from the Install Policy dialog box. By defining the modules this policy will be enforced by, you will no longer be prompted to install the policy on the other systems.

Deleting old policies will also improve performance because the GUI downloads all policies from the management server. This could slow the GUI's response. Deleting old policies will decrease the amount of data that must be sent to the GUI. As recommended before, delete policies by selecting Delete from the File menu in the Policy Editor.

Finally, when working with multiple policies, be sure that the Install On field is properly configured. By installing a policy on FW-1 modules that will not enforce any of the policy, you do two things:

  1. You will slow the install of the policy due to the process a policy goes through when it is installed.

  2. FW-1 modules that have a policy installed to them but that enforce no rules in that policy will enforce the default rule and reject all communications.

Editing Files

One of the most powerful features of FW-1 is the ability to customize or change virtually everything about the way FW-1 operates. However, to do so requires that you manually edit certain files. Before we discuss how to go about that, let's identify some of those files and their purposes.

After you create a Rule Base in a new policy, it is written to a *.W file upon saving or installing the policy. This file can be edited with a text editor, though that's not recommended, since it contains the information displayed graphically in the GUI regarding the Rule Base.

The objects_5_0.C file was formerly called objects.C in earlier versions of FW-1 (although objects.C still exists). The purpose of the objects_5_0.C file is to contain network objects, properties, and configuration information for the management server. It is a global file. The objects.C is pushed to the modules and is created from the master objects_5_0.C when a policy is installed. It is possible to edit the objects_5_0.C with the new DBEDIT utility, which is illustrated in Figure 8.9. The advantage of this utility is that it enables an administrator to search the file based on type and attribute. Moreover, the tool will keep an audit trail of modifications. This is the recommended way to edit objects_5_0.C. Remember to close all GUI clients and back up your objects_5_0.C before you use dbedit to make modifications. If you are an administrative user on the management station and are running dbedit on the local system, you can use the command dbedit -m to skip the authentication. All login data can be supplied as part of the dbedit command, and commands can be run from a file for easy scripting and automation if necessary. For a full listing of options, type dbedit -help.

Figure 8.9: Introduction to dbedit

Another file you should become familiar with is the *.pf. The *.pf is the packet filter or Inspection script that results from the *.W file and the objects_5_0.C file when you perform a policy install. It is not recommended that you attempt editing this file. You can view the Inspection script for a policy by selecting View from the Policy menu in the Policy editor.

During a policy install, the *.pf file is compiled into a *.fc file. The *.fc file is the Inspection code that is installed onto enforcement modules. It is not recommended that you edit this file, either. The process of compiling the *.W file into the *.pf and subsequent *.fc is begun by the command fw load. This command compiles and installs a policy to the firewall. The whole process of installing a policy is illustrated in Figure 8.10.

Figure 8.10: The Policy Installation Process

One *.pf file that is of particular importance is the defaultfilter.pf. This file is responsible for implementing security during the boot process. In FW-1 NG, IP forwarding is always disabled until a policy is loaded. This is the function of the default filter (default.pf). This policy protects the firewall until the initial policy can be loaded.

The boot process can be summarized as follows:

  1. Machine boots up.

  2. Default filter loads and IP Forwarding is disabled.

  3. Interfaces are configured.

  4. FW-1 services start.

  5. Initial policy is fetched from the local module if this is the first boot and there is no policy; otherwise the configured policy is installed.

Managing Firewall Logs

Monitoring logs is an important job for administrators. Logs not only help you ensure that the firewall is effective; they can help you detect an attack. You should probably review your logs on a daily basis at a minimum. Understanding the different types of logs available to you and their purposes will help you review them.

There are basically three Log modes in FW-1 NG AI. The three modes are these:

  • Log mode

  • Active mode

  • Audit mode

Log mode is the basic log file that contains all logging information. It is the default Log mode. To assist you in reading the log, there are 15 predefined log views. They are as follows:

  • General

  • FW-1

  • Account

  • FloodGate-1

  • VPN-1

  • Virtual Link Monitoring

  • SmartDefense

  • UA WebAccess

  • UA Server

  • FW-1 GX

  • Voice over IP

  • IPv6

  • Safe@

  • Login Failures

  • SecureClient

Obviously, each predefined view contains information specific to the view title.

The new Log Unification Engine in FW-1 NG is responsible for bringing information from all these modules into one log (fw.log). The other two logging modes are Audit and Active:

  • Audit mode files are named *.fwo. Audit mode provides an audit trail of administrator actions. This can be helpful for seeing what administrative actions have been performed.

  • Active mode files are named *.fwa. Active mode is used primarily for monitoring current connections and blocking connections. Blocking a connection doesn't modify the Rule Base, and the block remains in effect until manually removed or until the enforcement module is unloaded. Your choices in blocking, as illustrated in Figure 8.11, include the following:

    • Block only this connection.

    • Block access from this source.

    • Block access to this destination.

Figure 8.11: The Block Intruder Dialog Box

You can also specify how long the block should last and if the blocking should be enforced by the FW-1 that is currently processing the connection or on any other FW-1.

Log Rotations

Rotating your logs will prevent them from getting too big and eating up all your hard drive space or becoming too cumbersome to understand. You have two options in performing log rotations from within the Log Viewer application: Switch Active File and Purge Active File. If you select Switch Active File from the File menu, you will save a copy of the current log and start a fresh one. If you select Purge Active File, the current log file is deleted, and a new log is started. New to NG is the ability to schedule log rotation. Under your firewall object's workstation properties, displayed in Figure 8.12, you can create a logging policy and specify to perform a log switch when the log reaches a certain size or at a certain time. (The default time is midnight, though the option to schedule a log switch is off by default.) These options are explained in detail in Table 8.4.

Figure 8.12: Setting Firewall Logging Policy

Simply rotating your logs will not eliminate the problem of using up all available hard drive space. You need to have a separate process (a script, perhaps) to move the old log file to another drive, server, tape, or the like.

Table 8.4: Logging Options

Local Logging Options

  • Log switch when file size is: Specifies a size, in megabytes, that the log file shall not exceed. When this size is reached, the current log file is closed and a new one created.

  • Schedule log switch to: Schedules a time (defined by a predefined time object) when the current log is closed and a new one created.

  • Alert when free disk space is below: Sends an alert when free disk space falls below this threshold. This option also lets you specify the alert type.

  • Required Free Disk Space: Specifies a minimum amount of free space to keep on the log partition. When free space falls below this minimum, old log files are removed until space is available. The Advanced button defines a command to run before the old log files are deleted.

  • Do not delete log files from the last: Specifies the minimum number of days to keep logs. This overrides the deletion of logs.

  • Stop logging when free disk space is below: Specifies a threshold that, when reached, causes log recording to cease.

Additional Logging

  • Forward log files to Management Server: Specifies where to forward locally recorded logs. Logs are recorded locally when the defined log servers are unavailable. Logs are forwarded according to the log forward schedule. A log switch can also be performed before sending the logs to the log server.

  • Update account log every: Specifies the time interval at which accounting messages are logged. Accounting messages contain information about a connection, such as packets sent. When the accounting message is sent, those counters are reset. Each subsequent message is therefore a recording of the change since the last message.

  • Turn on QoS logging: Enables logging of QoS-related events. This option requires FloodGate-1.

  • Detect new Citrix ICA application names: When utilizing FloodGate-1, Citrix ICA application names can be detected as they change inside a single connection, and QoS rules applied appropriately. This option defines whether to detect the new names and log the information.

  • Accept Syslog messages: If this option is selected, syslog messages will be accepted. This is often necessary when the source of the log data is not an OPSEC-compliant device. Note that the firewall must be configured to accept syslog data on UDP port 514 for this option to function. Also, the CPSyslogD daemon must have been started prior to the start of FW-1.

In previous versions of FW-1, the automation of log rotation required some configuration outside FW-1. As an alternative, a security administrator can still schedule a cron or at job, depending on the operating system, to execute the fw logswitch command. You could also perform an export on the log files, or copy or move the log files to another partition or disk drive or even to another machine.

The following is an example of a logswitch script for Solaris:

  #!/bin/sh
  #
  # Set variables
  #
  FW_BIN_PATH=/etc/fw/bin
  BIN_PATH=/usr/bin
  LOG_PATH=/etc/fw/log
  # Backticks (not single quotes) so that TODAY holds the date, e.g. 12Mar04
  TODAY=`$BIN_PATH/date +%d%b%y`
  #
  # Switch the log files; the rotated logs are named $TODAY.log and $TODAY.alog
  #
  $FW_BIN_PATH/fw logswitch $TODAY
  #
  # Export the logs to semicolon-delimited text
  #
  $FW_BIN_PATH/fw logexport -d ";" -i $LOG_PATH/$TODAY.alog -o $LOG_PATH/$TODAY.alog.txt -r 1000
  $FW_BIN_PATH/fw logexport -d ";" -i $LOG_PATH/$TODAY.log -o $LOG_PATH/$TODAY.log.txt -r 1000
  #
  # Compress log files to conserve disk space, and delete pointer files.
  #
  $BIN_PATH/rm $LOG_PATH/$TODAY.*ptr
  compress $LOG_PATH/$TODAY.*log
  # EOF

This script could be placed in the crontab file and run at midnight every day or as often as required.

An example batch file for NT is as follows:

  rem fdate writes "@SET TODAY=<date>" into a temporary batch file, which is then called
  c:\bin\fdate /Ff /o"ddmn3yy" /P"@SET TODAY=" > c:\temp\_tmpfile.bat
  call c:\temp\_tmpfile
  del c:\temp\_tmpfile.bat
  cd c:\winnt\fw1.0\log
  rem Switch the logs, then export the rotated .alog and .log files to text
  c:\winnt\fw1.0\bin\fw logswitch %TODAY%
  c:\winnt\fw1.0\bin\fw logexport -r 1000 -d ; -i %TODAY%.alog -o %TODAY%.alog.txt
  c:\winnt\fw1.0\bin\fw logexport -r 1000 -d ; -i %TODAY%.log -o %TODAY%.log.txt
  :end

In this batch file, we are using a script called fdate to set the date for TODAY on the system. If you do not specify the format of the date for the logswitch command, the log files will be saved based on the date and time that the switch occurred. This can be tricky if you want to call the log file for an export, but if you are just performing a logswitch and are not manipulating the log files after the switch, the default format is sufficient. To use this script in NT 4, the scheduler would have to be enabled and an at job created to run the file every night at midnight or as often as necessary. To use this script in Windows 2000, the administrator would only have to create a task within the Task Scheduler application.
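The book's scripts switch and export the logs but leave moving old logs off the log partition to you. The following POSIX shell script is an added example (not from the book) that performs that step: it calls fw logswitch when the fw binary is present, then moves rotated .log/.alog files older than KEEP_DAYS to an archive location, removes their pointer files and compresses the archived copies. The paths, the archive location and the KEEP_DAYS value are assumptions; adjust them to your $FWDIR layout.

```shell
#!/bin/sh
# Added example, not from the book: rotate FW-1 logs, then move rotated logs
# older than KEEP_DAYS off the log partition (the step FW-1 does not do for you).
# All paths and the archive location are assumptions; adjust to $FWDIR.

FW_BIN_PATH=${FW_BIN_PATH:-/etc/fw/bin}        # assumed, as in the Solaris script
LOG_PATH=${LOG_PATH:-/etc/fw/log}              # assumed
ARCHIVE_PATH=${ARCHIVE_PATH:-/archive/fwlogs}  # assumed: a different disk/partition
KEEP_DAYS=${KEEP_DAYS:-7}                      # like "Do not delete log files from the last N days"

# Name the switched log after today's date, as the book's scripts do (e.g. 12Mar04)
log_name_for_today() {
    date +%d%b%y
}

# Run fw logswitch only if the fw binary is present; returns non-zero otherwise
switch_logs() {
    if [ -x "$FW_BIN_PATH/fw" ]; then
        "$FW_BIN_PATH/fw" logswitch "$1"
    else
        echo "fw not found in $FW_BIN_PATH; skipping logswitch" >&2
        return 1
    fi
}

# archive_old_logs SRC DST DAYS: move *.log/*.alog files in SRC last modified
# more than DAYS days ago to DST, delete their pointer files (*ptr), compress
# the archived copy, and print how many files were archived.
# The active fw.log is excluded explicitly so it is never moved.
archive_old_logs() {
    src=$1; dst=$2; days=$3
    mkdir -p "$dst" || return 1
    count=0
    for f in $(find "$src" -maxdepth 1 -type f \( -name '*.log' -o -name '*.alog' \) \
                 -mtime +"$days" ! -name 'fw.log' 2>/dev/null); do
        base=$(basename "$f")
        mv "$f" "$dst/$base" || continue
        rm -f "$src/$base"*ptr                   # pointer files only index the log in place
        gzip -f "$dst/$base" 2>/dev/null || true # keep uncompressed if gzip is unavailable
        count=$((count + 1))
    done
    echo "$count"
}

main() {
    today=$(log_name_for_today)
    switch_logs "$today" || true
    archived=$(archive_old_logs "$LOG_PATH" "$ARCHIVE_PATH" "$KEEP_DAYS")
    echo "archived ${archived:-0} rotated log file(s) to $ARCHIVE_PATH"
}

# Run with an explicit "run" argument, e.g. from cron at midnight: sh fwlogrotate.sh run
if [ "${1:-}" = run ]; then
    main
fi
```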

Log Maintenance

It is possible to see log corruption. If log corruption happens, the log can easily be rebuilt from the fragments of logs used to build fw.log. Executing the command fw repairlog [-u] <logfile name> will unify the log, replacing the corruption.

Source: Check Point NG AI, ISBN 735623015, 2004.