Getting Started with Check Point – SmartCenter Server
Jan.17, 2011, under Networks, Security
The SmartCenter server is a key part of the Check Point infrastructure and without one you can’t do very much at all with your firewalls, so it should be one of the first things you set up. It can either be installed on the same hardware as one of your firewalls, or as a dedicated management machine. In this case I’m going to set it up on a dedicated Windows 2003 server.
The install is fairly straightforward, just mount/insert the disc and run the setup. I’ll run through a sample of an R65 SmartCenter install as some of the screens need a little explanation.
Skip past the first two screens until you hit this page:
If you are installing the full firewall product, what you choose here will depend on your licensing. As we are just installing the SmartCenter it doesn’t matter for us. On the next page you can import a config if you have one, or choose a fresh install. After that you come to this page:
This is where you choose the products you want to install. Here I’ve chosen the SmartCenter itself, plus the SmartConsole management tools. If you wanted to install the firewall software, you would choose the top box. On the next page you can choose if this will be a primary, secondary, or log server. You can install two SmartCenter servers in an HA cluster using the primary/secondary options. At this point the installer will run and complete. There are a few more steps before we can use it though.
Firstly it will ask you to install any licenses that you might have. The products come with a 15 day evaluation license if you are just playing around. If you have any license files you can either upload the files directly, or type in the keys manually.
The next step is to create an admin user, which is followed by defining IP ranges which are allowed to access the management software on the server. The default is that any user can manage the server. Although I’ve selected to install the management tools locally on the server, you can also install them separately on another machine, in a similar way to a Microsoft MMC or the Cisco ASDM. Finally you’ll be given a signature key, which is used to verify the identity of the server once we start linking it up to remote firewalls.
At this point your SmartCenter server is up and running, its a fairly painless install. You can have a play with the management tools (they have a nice demo mode with predefined topologies), but until we link up our first firewall the server alone is pretty useless.
Getting Started With Check Point – Product Overview
Jan.06, 2011, under Networks, Security
As we all know the only thing constant in IT is change and as a result of that I’ve been using Check Point firewalls a lot lately, a departure from my usual ASA and ISA firewalls. I’m going to do a series of posts documenting what I find, as I haven’t seen a good resource which wasn’t either out of date or simply didn’t cover the basics.
With any new product there is always a little confusion, but with Check Point this seems to have been taken to a whole other level and I’ve had a great deal of difficulty working out what it is that they sell, what it actually does and how it all fits together. Check Point appear to have gone through a great deal re-branding, and with a lot of older versions still supported everything now has more than one name depending on which version of the software you are talking about. I’ll try and simplify it here as I understand things. The main thing to remember with Check Point is that, to a much greater extent than with other products, you are looking at two very different and separate things with regards to the hardware and the software.
Hardware
The hardware you choose for your firewalls will determine how fast and big it can go, as you might expect. It also determines which software features you can use on that particular bit of tin (which I’ll talk about shortly). Check Point give you a large number of options for your hardware depending on your needs.
- IP appliances – the appliance formerly known as Nokia. These are the mid to high end firewalls and range from 1Gb to 30Gb of throughput (with the right model and expansion cards). For your money you get a piece of tin with various ports and space for extra modules. This is very much a pure networking appliance with support for all the basics such as VPN, plus support for advanced features like IPS, routing protocols, clustering, QoS and VoIP.
- Power-1 appliances – these are more datacenter oriented, and run from 9Gb up to 30Gb throughput and are again a piece of tin. They support a few more edge defence features than the IP appliances such as URL filtering, antivirus, antispam, antimalware. Apart from this though they look very similar performance-wise to the high-end IP appliances.
- UTM-1 appliances – I see these as the low end version of the Power-1, tin again. Performance is from 1.5Gb to 4.5Gb, but you can get all the features of the Power-1 plus a few extra ones like built in management and monitoring.
- “Open server” – also known as SPLAT (Secure PLATform). This is kind of like Bring Your own Box, you install the Check Point into a standard bit of server hardware. The license determines things like how many cores your server can have and what features you are allowed, but after that the performance is down to your hardware. SPLAT itself is a modified version of Linux into which various Check Point software modules can be installed.
There are a few other variations including a virtualised version, but these are the main ones. For my testing I’ll be using a SPLAT system running in VMware.
Software
Check Point has gone through a lot of different versions of their software. The good news is that every device runs a version of the same software, and is managed through the same tools. Configuring rules on a SPLAT is exactly the same as configuring rules on one of the appliances. The bad news is that due to the number of iterations and the different licensing for them, you can be left scratching your head.
The first bit of confusion is that way back in 1994 when Check Point made their first firewall they decided to name it Firewall-1, and quickly followed with a VPN product called VPN-1. If you fast forward to today you’ll still find references to Firewall-1, VPN-1, and a whole raft of other things called xxx-1. The 1 has nothing to do with the version of the software as you might imagine, its simply the name of the product. It makes more sense if you think of these as identifiers of feature sets.
The way you differentiate between older and newer software is via the version number of the software. Wikipedia has the full details, but the numbering is roughly:
| Version | Release Date |
| 1.0 | April 1994 |
| 2.0 | Sep 1995 |
| 3.0 | Oct 1996 |
| 4.0 | 1998 |
| 4.1 | 2000 |
| NG | Jun 2001 |
| NG AI R54 | Jun 2003 |
| NG AI R55 | Nov 2003 |
| NG AI R57 | April 2005 |
| NGX R60 | Aug 2005 |
| NGX R61 | Mar 2006 |
| NGX R62 | Nov 2006 |
| NGX R65 | Mar 2007 |
| R70 | Feb 2009 |
| R71 | April 2010 |
| R75 | December 2010 |
Anything prior to NGX R65 is end of life, NGX R65 itself is nearing end of life, and R75 has just been released. Lots of people are currently in the process of upgrading from NGX R65, and if you have existing licenses Check Point are currently running an upgrade promotion.
If you are looking at NGX products and earlier, you combine a feature set and a version number to label your software. Eg, a VPN-1 UTM NGX R65 has a defined set of features from the VPN-1 UTM label, and is the NGX R65 software version of those features.
With R71 and later Check Point have adopted a software blade architecture. You still have a software version, but the features which you run inside of that are a lot more mix and match and are deployed as virtual blades (providing your hardware supports it).
In Conclusion
With all the different product names and the mix of people on different versions currently, Check Point is very confusing to the newcomer. Over the next few posts I’m going to go through some basic installation and configuration, starting with an NGX R65 set up. Depending on how things go I may throw in some more advanced stuff like the failover clustering and and upgrade to R71.
Useful IOS tricks (part 3) – the ‘do’ command
Jan.03, 2011, under Networks
I have a very short but very useful command for you today. You’ll often find yourself working within the IOS config mode, and you might forget little things such as ‘what is the interface number I need’, or ‘what is the current IP assigned to this interface’. Following this you probably go through a series of commands like the ones below
Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#int fa 0/^Z <---Arrgh forgot which interface it was, Ctrl+Z out of config mode % Incomplete command. Router#sh ip int brief Interface IP-Address OK? Method Status Prot ocol FastEthernet0/0 10.10.10.1 YES NVRAM up up FastEthernet0/1 192.168.0.1 YES NVRAM up up Router#conf t <---OK found it, back into config mode Enter configuration commands, one per line. End with CNTL/Z. Router(config)#int fa 0/0 etc
This gets annoying pretty fast, but luckily you can execute exec commands from within config mode by preceding them with ‘do’! This is a lot nicer:
Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#int fa 0/ <---Arrgh forgot which interface it was, lets try 'do' % Incomplete command. Router(config)#do sh ip int brief Interface IP-Address OK? Method Status Prot ocol FastEthernet0/0 10.10.10.1 YES NVRAM up up FastEthernet0/1 192.168.0.1 YES NVRAM up up Router(config)#int fa 0/0
Much easier right? There are of course a few caveats, the main one being that you can’t use the ‘?’ symbol to remind you of the commands but its still a great little time saver.
WEP cracking with BackTrack 4 R1
Nov.03, 2010, under Networks, Security
Its a well known fact that WEP is fundamentally broken, and its also a well known fact that it can be cracked very easily. Unfortunately it doesn’t seem to be well known enough, as I frequently come across friends who only use WEP encryption on their wireless. The best way to convince them to change it is to demonstrate how easy it is to break, which is what this post is about. This post is for my benefit as much as anyone else’s. I realise its been done to death and there’s hundreds of tutorials already out there, but whenever I need to do this I can never remember the commands and the stuff online never seems to be quite correct or is slightly out of date regarding command switches etc.
I’ll be using a standard laptop running BackTrack 4 R1, with an Alfa USB wireless adaptor (AWUS036H). Using a well-tested adaptor such as this will solve a lot of headaches as it is literally plug and play.
I’ll split this into four steps: finding the target; performing the attack; cracking the key; and connecting to the network. For the purposes of this I’ve set up an access point running 64 bit WEP so the capturing goes a little faster. I’m going to skim over a lot of the theory since this is available elsewhere in much better detail than I’ll be able to go into.
Stratix 8000 IOS recovery (or how dd saved the day)
Oct.15, 2010, under Networks, Sysadmin
I’ve been playing with some Stratix 8000 switches lately – if you’ve never come across them they are built for heavy duty environments and are a result of a collaboration between Rockwell and Cisco. They run a Catalyst OS so if you’ve used a Cisco switch you’ll be in familiar territory. During my work with them I somehow ended up with a corrupt IOS following an upgrade and the switch would no longer boot, giving the console error message below
... mifs[7]: 684 files, 26 directories mifs[7]: Total bytes : 64094208 mifs[7]: Bytes used : 11614208 mifs[7]: Bytes available : 52480000 mifs[7]: mifs fsck took 60 seconds. ...done Initializing Flash. done. Loading "flash:/ies-lanbase-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin"...flash:/ies-lan base-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin: magic number mismatch: bad mzip file Error loading "flash:/ies-lanbase-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin" Interrupt within 5 seconds to abort boot process. Boot process failed... The system is unable to boot automatically. The BOOT environment variable needs to be set to a bootable image.
No problem I thought, I’ll just use Rommon and suck down a clean image from a TFTP server. How wrong I was! These switches don’t have Rommon, instead they have their own boot OS which bizarrely doesn’t seem to support any kind of networking whatsoever. It can format the filesystem and do basic file operations, but thats it as far as I can tell. You quickly find yourself stuck with no way to upload an image, and the scant documentation unhelpfully suggests that you reset your switch to factory defaults. If you follow this advice you now have a switch with no config and still a corrupt IOS. There doesn’t appear to be any documentation at all about the strange little OS you find yourself stuck in, so its time to experiment.
Plugging the flash card into my Windows machine showed that it wasn’t formatted in a way that Windows could read it, so you can’t copy an image that way. Formatting it as FAT resulted in a strange situation where both Windows and the switch could write to the flash card, but neither could see the others files. Unfortunately I didn’t have easy access to a Linux machine to see if it was readable on there, I needed another way to get the right data onto the card. I did have other working Stratixes, so I had the idea of cloning a working flash card. You can’t do this natively in Windows so I had to find a Windows version of the well known Linux tool, dd.
dd is a very low level tool that copies data at a block level. It doesn’t see files or folders or even disk formats, it just sees the raw bits. The plan was to make an image of a working flash card, and then dump that onto the failed one. In theory you should end up with a perfect clone, and this way Windows doesn’t need to be able to read the disk format. I used the tool as follows, first listing the available drives, second making an image of a good flash card and finally writing that image onto the corrupt one:
D:\Programs\dd>dd --list
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.
Win32 Available Volume Information
[snip]
\\.\Volume{43371b24-d6a0-11df-b040-005056c00008}\
link to \\?\Device\HarddiskVolume10
removeable media
Mounted on \\.\l:
[snip]
D:\Programs\dd>dd if=\\.\l: of=stratix.img
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.
125440+0 records in
125440+0 records out
D:\Programs\dd>dd if=stratix.img of=\\.\l:
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.
125440+0 records in
125440+0 records out
D:\Programs\dd>
Happily it worked flawlessly, the cloned flash card contained an exact copy of the working IOS and I was able to get my switch working again. I’d love to know the manufacturer’s recommended restore method, but as is often the case the documentation is lacking.
Useful IOS tricks (part 2) – access list editing
Oct.05, 2010, under Networks
This time we are talking about those pesky things that all the server guys blame when their apps don’t work – access lists! Until you know the tricks I’m about to show you, you’ve probably had a feeling of dread when you’ve been asked to add a rule at the end of the 200 entry ACL (but before the deny ip any any of course). We’ll use this simple access list to demonstrate
Router#sh access-lists 100 Extended IP access list 100 10 permit tcp any host 192.168.0.10 eq www 20 permit tcp any host 192.168.0.10 eq 443 30 deny ip any any
First lets examine this output. Note that we are looking at an extended access list, although our trick will work with standard ACLs too. Also note that there are numbers before each rule. We are going to learn how to harness the power of these numbers. Lets say we want to add another rule, permitting mail to the 192.168.0.10 host. If you try and just add in the rule using the way they teach you in your CCNA, you end up with the following:
Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#access-list 100 permit tcp any host 192.168.0.10 eq 25 Router(config)#do sh access-l 100 Extended IP access list 100 10 permit tcp any host 192.168.0.10 eq www 20 permit tcp any host 192.168.0.10 eq 443 30 deny ip any any 40 permit tcp any host 192.168.0.10 eq smtp Router(config)#
So not too good really, that rule will never get hit as its been put after the deny. Luckily theres another way, using the “ip access-list” configuration command. Take note here of the rule numbers – first we’ll remove the rule that was put at the end of the ACL, and then we’ll re-add it before the deny:
Router(config)#ip access-list extended 100 Router(config-ext-nacl)#no 40 Router(config-ext-nacl)#25 permit tcp any host 192.168.0.10 eq smtp Router(config-ext-nacl)#do show access-list 100 Extended IP access list 100 10 permit tcp any host 192.168.0.10 eq www 20 permit tcp any host 192.168.0.10 eq 443 25 permit tcp any host 192.168.0.10 eq smtp 30 deny ip any any Router(config-ext-nacl)#
After entering the first command note that we go into config-ext-nacl mode which is where we add and remove rules. Its quite easy – you add a rule by starting with the sequence number of where you want it go and then entering the rest of the rule as normal. You remove a rule with “no” followed by the sequence number.
You might have realised that we can only add so many rules like this before we run out of numbers, but thats fine too as IOS includes a command to let you resequence the list. For example
Router#sh access-lists 100 Extended IP access list 100 1 permit tcp any host 192.168.0.10 eq www 2 permit tcp any host 192.168.0.10 eq 443 3 permit tcp any host 192.168.0.10 eq smtp 4 deny ip any any Router#conf t Enter configuration commands, one per line. End with CNTL/Z. Router(config)#ip access-list resequence 100 10 10 Router(config)#do sh access-l 100 Extended IP access list 100 10 permit tcp any host 192.168.0.10 eq www 20 permit tcp any host 192.168.0.10 eq 443 30 permit tcp any host 192.168.0.10 eq smtp 40 deny ip any any Router(config)#
So the key command there is “ip access-list resequence 100 10 10″. Don’t get worried by the raft of numbers, its really simple. The first number (100) is the access list we want to resequence; the second number (10) is what number we want the first rule to start at; the third number (10) is what we want the increment to be for each following rule. Lets try another example, we want the list to start at 50 and have increments of 5:
Router(config)#ip access-list resequence 100 50 5 Router(config)#do sh access-l 100 Extended IP access list 100 50 permit tcp any host 192.168.0.10 eq www 55 permit tcp any host 192.168.0.10 eq 443 60 permit tcp any host 192.168.0.10 eq smtp 65 deny ip any any Router(config)#
These few commands have come in incredibly useful for me and have saved me a great deal of ACL related headaches, I recommend you learn them!
Useful IOS tricks (part 1)
Sep.16, 2010, under Networks
This is going to be a series of short posts on little features in IOS which make your life easier. These won’t change your life or anything, but knowing them will make you much more proficient when sitting at a console. The first feature I’m going to discuss I hope everyone is aware of, the command lookup. This is incredibly useful when you can’t quite remember what command you need and it can be used in two slightly different ways.
The first way is when you have no clue at all what you need to type, and just want a refresher of what options are available. Typing the ‘?’ character will show you all possible commands with a brief description, eg
Router#? Exec commands: <1-99> Session number to resume access-enable Create a temporary Access-List entry access-profile Apply user-profile to interface access-template Create a temporary Access-List entry archive manage archive files audio-prompt load ivr prompt auto Exec level Automation beep Blocks Extensible Exchange Protocol commands bfe For manual emergency modes setting calendar Manage the hardware calendar call Voice call ccm-manager Call Manager Application exec commands cd Change current directory cellular cellular commands clear Reset functions clock Manage the system clock cns CNS agents configure Enter configuration mode connect Open a terminal connection copy Copy from one file to another credential load the credential info from file system crypto Encryption related commands. --More--
Press space to see more. You can also use this on a nested basis, eg
Router#show access-lists ? <1-2799> ACL number WORD ACL name compiled Compiled access-list statistics rate-limit Show rate-limit access lists | Output modifiers <cr> Router#show access-lists
The second, slightly different way to use this is when halfway through a command, it will try and match based on what you have already typed
Router#show ip in? inspect interface Router#show ip i? icmp igmp inspect interface ips irdp Router#show ip in? inspect interface Router#show ip in
However note that in this case you don’t get the command descriptions.
You can use this from any mode, so it works in config, user exec, privileged exec. A lot of the commands you’ll come to learn by heart, but this is very useful for the ones you use less often.
Do you always need a firewall?
Aug.25, 2010, under Networks
I recently read this post on Ivan Pepelnjak’s blog, where he discusses a pretty intense debate about whether or not firewalls are actually any good. The area where people are claiming they aren’t is in front of servers. One of the main benefits of a firewall is stateful packet inspection – the firewall monitors what connections are taking place and dynamically opens ports to let permitted return traffic through. However one opinion is that since all packets to a server are unsolicited, stateful tracking is useless and you should instead stick with basic routers and access lists (which don’t fall down as easily in the event of a DoS/DDoS). I suppose this opinion is talking of servers in the classical sense, where they only ever take inbound connections and don’t initiate outbound ones. Its very interesting reading, especially the comments.
For my part I don’t deal with set ups big enough to hit some of the limits they are discussing but it’s certainly thought provoking. Most people’s standard response is that you should have a firewall in front of everything, but after following the discussion I’m now not so sure
Cisco NAT failing for non-connected subnets
Aug.17, 2010, under Networks
This little problem had me scratching my head for a while, and as usual the solution is pretty simple. The scenario is that you have some kind of link from an ISP with static addresses. At some point you have outgrown your original assignment and have requested a new block, which the ISP has set up at their end. You want NAT an address on the new external subnet to an internal address as shown below. Now on a PIX or ASA you just set up the NAT rules and everything works, but in IOS things are a little more subtle. First the diagram and relevant initial configs. Note that the customer router only has an external IP on the first subnet – in our case this was due to a lack of spare addresses:
Debug ip packet with no output
Jul.08, 2010, under Networks
If you are working on a Cisco, it can be very useful to see details of the traffic going through it. Occasionally you can use a mirrored (SPAN) port to do this, but if you have exotic interfaces or are using Dynamips this can be more difficult. The “debug ip packet” command will dump packet information straight into your terminal. Occasionally though you will have traffic going through the device but no output shows up in the debug, whats that all about?
Well actually there are a couple of gotchas to bear in mind when doing this. The first is easy and you’ll probably be hitting yourself – if you are in a vty session (eg you are connected via telnet or ssh) you don’t see the console messages by default. Use the terminal monitor command to view the debug messages:
Router#terminal monitor
The second issue is a bit less obvious (unless you’ve read the command description carefully). Only packets which are process-switched are included in the debug – this makes sense if you think about it because unless they are process switched the CPU never sees them. To see the traffic in your debug you need to somehow disable CEF which can be done globally or on a per interface basis:
Router(config)#no ip cef Router(config)#int fa 0/0 Router(config-if)#no ip route-cache
If you do it on a per interface basis you need to do it on both the ingress and egress port of the traffic you want to capture, otherwise you will only see it in one direction.
As a final warning, think very carefully before disabling CEF on a production router! You could very easily overload the processor and crash the router.