Checkpoint SIC

Secure Internal Communications (SIC) 26-Jun-2001NG-FCS VersionAbstractCheck Point Software has enhanced the Internal Communications method for the components within a Next Generation (NG) Check Point System. This method is based on Digital Certificates, and will be further described below. This is a new and improved method for all of the internal communications, so if you are familiar with "fw putkeys", you will not have to go back there…Document Title: Secure Internal CommunicationsCreation Date: 08-Feb-2001Modified Date: 26-Jun-2001Document Revision: 2 (meaning this is the 3rd revision)Product Class: FireWall-1 / VPN-1Product and Version: NGAuthor: Joe DiPietroDISCLAIMERThe Origin of this information may be internal or external to Check Point Software Technologies. Check Point Software Technologies makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Check Point Software Technologies makes no explicit or implied claims to the validity of this information.Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.Given the Diagram below, we will establish a Trust Relationship with the Management Station and the FireWall-1 Module. The Management Server is located at 10.1.2.3, and the FireWall-1 Module will be defined as 10.1.2.1.Table of ContentsDescription Page SIC Overview (3)FireWall-1 Object Definition on Management Station (4)Initialize Trust Relationship (5)Interface Definition (6)Policy Install (8)Troubleshooting (9)Netstat (9)cpstop/cpstart (10)cpd –d (10)Secure Internal Communications (SIC) is the new method for how Check Point components will communicate with each other in Check Point Next Generation (NG). It is based on SSL with Digital Certificates. When you install the management station, you will create a Certificate Authority (CA). This Certificate Authority will issue certificates for all components that need to communicate to each other. For example, a distributed FireWall-1 Module will need a certificate from the management station prior to downloading a policy to this module (or even licensing this module remotely via the new license method). Here is a quick snapshot of a Primary Management Station installation, where the CA will be created.Once the Primary Management Station is up and active, then it can initialize the remote FireWall-1 Module if it has the same One Time Password (OTP). The following screen shows a snapshot of the FireWall-1 Module installation, where youmust enter a One Time Password(OTP) for the InitializationProcess with the ManagementStation. You can also run"cpconfig" after the installationand initialize the OTP at thatpoint.FireWall-1 Module InstallationDefining the Network Object on the Management StationWhen defining the Network Object for SIC communications on the Management Station, the password entered must match the OTP defined on the module, in order for the Certificate to be distributed to the FireWall-1 Module and communications to be established. The screen below shows the object definition for a FireWall-1 Module. This has changed significantly from prior versions.In this example, the Module is a "Gateway " with Check Point version "NG " Installed.Also, note that you must now select what components are installed on this machine. In our case, we have VPN-1 & FireWall-1 installed .Please notice that until the DN: portion is filled in, we are not communicating with thismodule. We must now select Communication in order to initialize the SIC process.Remember, the Management Station must be able tocommunicate to the Remote Module before you can "remotely" apply the Check Point license from the Management Station.By selecting "communication " above, thescreen on the left appears. This is where we need to enter the OTP that was defined on the FireWall-1 Module during installation as shown below.Next select, InitializeNotice that we now have a "Trust" relationshipestablished between the Management Station and the FireWall-1 Module. SIC is now up and running.Unlike putkeys, it is possible to check that SIC is Working. Using the Test SIC status you will see that GW1 is communicating.NB: Name resolution must be functioning correctly.The Management Station is nowcommunicating with the FireWall-1 Module, and the Certificate has been issued and received. Notice the DN: field at the bottom of this object. It is now filled in with the appropriate information.Next, continue defining the other components of the Gateway Object so that the Management Station will be able to push a policy to the FireWall-1 Module.You must define the FireWall-1 “interfaces ” at a minimum. Select the “Topology ” tab, and then Select “Get Interfaces ”.The screen to the left will show up with filled in Interface Information.Next, Edit the interface information.Next Select the “Topology” tab of the Interface Properties. This is where we will define what connects to this particular Interface. In our example, this interface will connect to the Internet. Also note, that Anti-Spoofing information can be based off of the Topology Information defined here.Define the Internal Interface information as shown.Now the final interface definition is shown on the RightThis is where we can also define the VPN Domain information. So far, we have the following Network Diagram as created by the Visual Policy Editor.The Management Station (mgmt-p- 10.1.2.3), the FireWall-1 Gateway (GW1- 10.1.2.1), and the three networks defined by the topology information(10.1.2.1/255.255.255.0), (192.168.10.0/255.255.255.0), and (199.203.71.0/255.255.255.0) which connects to the Internet Cloud.If we select “Show” under the “VPN Domain” in the screen above, this will show us what the“Encryption” domain will be calculated to be. It is shown in the screen below with the highlighted objects in Red.For our Purposes, we will make it just the 192.168.10.0 network. So the final VPN Topology information will be as follows:Please note that we have made this topology “exportable” for SecuRemote. This will allow us to download this topology information to the SecuRemote machine.Now we can push the policy:Select “OK ” from the scre en on the right, and the screen below will appear:Notice that the Policy was successfully installed.TroubleshootingIf you get the following error message, a number of things could be wrong:1. Connectivity issues from the ManagementStation to the FireWall-1 Module2. CPshared is not installed on the FireWall-1Module3. The FireWall-1 Module is not listening on theproper ports for the SIC communicationsThis is the next screen that appears on the Management Station. This means the digitalcertificate has been initialized on the CA, but has not been delivered to the FireWall-1 Module.Let's troubleshoot at the FireWall-1 ModuleFirst check the Network Port that SIC is trying to listen on with the"netstat" command. It should be listening on port 18211 as shown to the right.If you see the screen above, reset your OTP by using the CPCONFIG utility as shown to the right by selecting:Start → Programs → Check Point Management Clients → Check Point Configuration NG on the FireWall-1 ModuleRemember to use the same password on theManagement Station, as you define within this screen.After you initialize the OTP again, then try and Initialize the object at the management station.If you don't see the host listening on this port, then perform the following steps as shown belowThere is a common infrastructure component called "CPShared" with Check Point NG. This component is located under C:\Program Files\CheckPoint\CPShared\5.0. There is a subdirectory call "bin", which has all of the commands for this shared component. To stop and start the shared component infrastructure, use the commands "CPSTOP " and "CPSTART " respectively. An excellent troubleshooting program for this communications is the "CPD " application. To troubleshooting the SIC communications between the Management Station and the FireWall-1 Module, perform the following steps on the FireWall-1 Module. First stop all of the FireWall-1 Processes on the module with the "cpstop" command.Now, put the Module into Debug Mode by running the CPD application with the "-d" flag.Now try and "initialize" the FireWall-1 object on the Management Station by selecting the "Initialize" button as shown to the right.If the OTP's are in sync, then you should see the "Trust Established" on the management station, as shown to the right.On the FireWall-1 Module, you will see the following:If the FireWall-1 Module already has a certificate, as shown below:Re-initialize the OTP, so that the Management Station can issue the correct certificate to this FireWall-1 Module.In this particular case, SIC has already been initialized on this module, but unable to communicate with the Management Station. You have to reset the OTP in order to get another certificate from the Management Station as shown below.Select "Reset " as shown on the rightThe following screen will appear to remind you that the OTP's must be the same on the Management Station object, and the FireWall-1 Module.Select "Yes", and then enter the OTP on the FireWall-1 Module.Next restart the "CPShare" processes by issuing "cpstop " and then "cpstart " commands.Next, try to "initialize" the Object at the Management Station, and you should see the following screen to the right.。