The install is fairly straightforward, just mount/insert the disc and run the setup. I’ll run through a sample of an R65 SmartCenter install as some of the screens need a little explanation.

Skip past the first two screens until you hit this page:

If you are installing the full firewall product, what you choose here will depend on your licensing. As we are just installing the SmartCenter it doesn’t matter for us. On the next page you can import a config if you have one, or choose a fresh install. After that you come to this page:

This is where you choose the products you want to install. Here I’ve chosen the SmartCenter itself, plus the SmartConsole management tools. If you wanted to install the firewall software, you would choose the top box. On the next page you can choose if this will be a primary, secondary, or log server. You can install two SmartCenter servers in an HA cluster using the primary/secondary options. At this point the installer will run and complete. There are a few more steps before we can use it though.

Firstly it will ask you to install any licenses that you might have. The products come with a 15 day evaluation license if you are just playing around. If you have any license files you can either upload the files directly, or type in the keys manually.

The next step is to create an admin user, which is followed by defining IP ranges which are allowed to access the management software on the server. The default is that any user can manage the server. Although I’ve selected to install the management tools locally on the server, you can also install them separately on another machine, in a similar way to a Microsoft MMC or the Cisco ASDM. Finally you’ll be given a signature key, which is used to verify the identity of the server once we start linking it up to remote firewalls.

At this point your SmartCenter server is up and running, its a fairly painless install. You can have a play with the management tools (they have a nice demo mode with predefined topologies), but until we link up our first firewall the server alone is pretty useless.

With any new product there is always a little confusion, but with Check Point this seems to have been taken to a whole other level and I’ve had a great deal of difficulty working out what it is that they sell, what it actually does and how it all fits together. Check Point appear to have gone through a great deal re-branding, and with a lot of older versions still supported everything now has more than one name depending on which version of the software you are talking about. I’ll try and simplify it here as I understand things. The main thing to remember with Check Point is that, to a much greater extent than with other products, you are looking at two very different and separate things with regards to the hardware and the software.

Hardware

The hardware you choose for your firewalls will determine how fast and big it can go, as you might expect. It also determines which software features you can use on that particular bit of tin (which I’ll talk about shortly). Check Point give you a large number of options for your hardware depending on your needs.

• IP appliances – the appliance formerly known as Nokia. These are the mid to high end firewalls and range from 1Gb to 30Gb of throughput (with the right model and expansion cards). For your money you get a piece of tin with various ports and space for extra modules. This is very much a pure networking appliance with support for all the basics such as VPN, plus support for advanced features like IPS, routing protocols, clustering, QoS and VoIP.
• Power-1 appliances – these are more datacenter oriented, and run from 9Gb up to 30Gb throughput and are again a piece of tin. They support a few more edge defence features than the IP appliances such as URL filtering, antivirus, antispam, antimalware. Apart from this though they look very similar performance-wise to the high-end IP appliances.
• UTM-1 appliances – I see these as the low end version of the Power-1, tin again. Performance is from 1.5Gb to 4.5Gb, but you can get all the features of the Power-1 plus a few extra ones like built in management and monitoring.
• “Open server” – also known as SPLAT (Secure PLATform). This is kind of like Bring Your own Box, you install the Check Point into a standard bit of server hardware. The license determines things like how many cores your server can have and what features you are allowed, but after that the performance is down to your hardware. SPLAT itself is a modified version of Linux into which various Check Point software modules can be installed.

There are a few other variations including a virtualised version, but these are the main ones. For my testing I’ll be using a SPLAT system running in VMware.

Software

Check Point has gone through a lot of different versions of their software. The good news is that every device runs a version of the same software, and is managed through the same tools. Configuring rules on a SPLAT is exactly the same as configuring rules on one of the appliances. The bad news is that due to the number of iterations and the different licensing for them, you can be left scratching your head.

The first bit of confusion is that way back in 1994 when Check Point made their first firewall they decided to name it Firewall-1, and quickly followed with a VPN product called VPN-1. If you fast forward to today you’ll still find references to Firewall-1, VPN-1, and a whole raft of other things called xxx-1. The 1 has nothing to do with the version of the software as you might imagine, its simply the name of the product. It makes more sense if you think of these as identifiers of feature sets.

The way you differentiate between older and newer software is via the version number of the software. Wikipedia has the full details, but the numbering is roughly:

Anything prior to NGX R65 is end of life, NGX R65 itself is nearing end of life, and R75 has just been released. Lots of people are currently in the process of upgrading from NGX R65, and if you have existing licenses Check Point are currently running an upgrade promotion.

If you are looking at NGX products and earlier, you combine a feature set and a version number to label your software. Eg, a VPN-1 UTM NGX R65 has a defined set of features from the VPN-1 UTM label, and is the NGX R65 software version of those features.

With R71 and later Check Point have adopted a software blade architecture. You still have a software version, but the features which you run inside of that are a lot more mix and match and are deployed as virtual blades (providing your hardware supports it).

In Conclusion

With all the different product names and the mix of people on different versions currently, Check Point is very confusing to the newcomer. Over the next few posts I’m going to go through some basic installation and configuration, starting with an NGX R65 set up. Depending on how things go I may throw in some more advanced stuff like the failover clustering and and upgrade to R71.

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/^Z  <---Arrgh forgot which interface it was, Ctrl+Z out of config mode
% Incomplete command.

Router#sh ip int brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
FastEthernet0/0            10.10.10.1  YES NVRAM  up                    up

FastEthernet0/1            192.168.0.1   YES NVRAM  up                    up

Router#conf t  <---OK found it, back into config mode
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/0
etc

This gets annoying pretty fast, but luckily you can execute exec commands from within config mode by preceding them with ‘do’! This is a lot nicer:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa 0/  <---Arrgh forgot which interface it was, lets try 'do'
% Incomplete command.

Router(config)#do sh ip int brief
Interface                  IP-Address      OK? Method Status                Prot
ocol
FastEthernet0/0            10.10.10.1  YES NVRAM  up                    up

FastEthernet0/1            192.168.0.1   YES NVRAM  up                    up

Router(config)#int fa 0/0

Much easier right? There are of course a few caveats, the main one being that you can’t use the ‘?’ symbol to remind you of the commands but its still a great little time saver.

I’ll be using a standard laptop running BackTrack 4 R1, with an Alfa USB wireless adaptor (AWUS036H). Using a well-tested adaptor such as this will solve a lot of headaches as it is literally plug and play.

I’ll split this into four steps: finding the target; performing the attack; cracking the key; and connecting to the network. For the purposes of this I’ve set up an access point running 64 bit WEP so the capturing goes a little faster. I’m going to skim over a lot of the theory since this is available elsewhere in much better detail than I’ll be able to go into.

Finding a target

This bit is pretty easy. Boot your BackTrack live cd, type ‘startx’ to get into the GUI and then open a shell window. The tool we’ll use to scope out available APs is called Kismet. Before we run this we need to identify our wireless interface but running iwconfig. In my case the interface is called ‘wlan0′.

Then we start Kismet. It has a server and client component, which you can run separately. If you run just the client and the server isn’t running, it will prompt you to start it anyway. I’ll use the option of running the server separately:

kismet_server

Then in a new shell run the client:

kismet

The client will warn you that you are running as root, and then ask you to choose a capture interface since none is defined. This is the interface you found from iwconfig, type in its name exactly as it was written. If you get an error you might be using the wrong interface, so keep trying wireless adaptors until you find the one that works. Once Kismet is running we can see a list of the available wireless neworks plus a ton of information. There is a lot of stuff to explore, but the info we are concerned with is the bssid, the essid and the channel it is on. Below we can see my test network as seen by Kismet. Feel free to try the other menus and options to get a handle for the tool.

From this then we can see the info we need to make a note of:

• essid: test
• bssid: 00:14:6C:6E:B4:7C
• channel: 11

Performing the attack

To crack WEP we need to capture a special kind of packet, known as an Initialisation Vector. Once we have enough of these we can attempt to crack the key. If you just set off something to monitor you’ll find that these naturally occur, but to get the amount required for cracking we can do a few tricks to speed up the process. We are going to send packets to the AP which will cause it to send out IVs at a much faster rate than normal. I’ll also show you how to fake an association with the AP from the laptop – usually you can use already connected clients to perform the attack but if there aren’t any this is a handy trick.

If at any point during this part things don’t work or you get errors, I’ve found the best way is to just reset the wireless adapter by disconnecting/reconnecting it.

First close Kismet so it doesn’t interfere, and run the following command in a shell window to start the IV capture:

airodump-ng --channel 11 --bssid 00:14:6C:6E:B4:7C --write /testcap --ivs wlan0

–channel 11 means capture on channel 11
–bssid 00:14:6C:6E:B4:7C means capture traffic from the given bssid
--write /testcap is where we want the output saving
–ivs means only capture packets containing IVs
wlan0 is the interface to capture on

You’ll get a screen with some stats, but assuming there are no clients connected it won’t show much traffic yet. Now we are going to set off an association attack against the AP in another shell window. This will cause our laptop to associate with the AP so we can use it to generate IVs:

aireplay-ng -1 0 -e test -a 00:14:6C:6E:B4:7C -h 00:C0:CA:11:22:33 wlan0

--1 0 use attack 1 (fake auth) with 0 delay, or only associate once
-e test is the target essid of the fake auth
-a 00:14:6C:BE:B4:7C is the target bssid
-h 00:C0:CA:11:22:33 is the mac address of the wireless card (got via ifconfig, need to run ifup wlan0 if it doesn’t show up)
wlan0 is once again the source interface

So now we are capturing traffic and have a client to use for the attack. The next command is:

aireplay-ng -3 -b 00:14:6C:6E:B4:7C -h 00:C0:CA:11:22:33 wlan0

--3 use attack 3 (ARP replay)
-b 00:14:6C:BE:B4:7C is the target bssid
-h 00:C0:CA:11:22:33 is the mac address of the wireless card
wlan0 is once again the source interface

Eventually you should see some ARP replies (it may take a while to start). Now if you look in the airodump window, we are watching for the column labelled #Data. This is the number of packets we’ve captured, which all happen to be IVs due to our airodump filters. The amount you need to perform a crack may vary. I find the best approach is to try to crack every 50,000, which leads us onto the next part.

Cracking the key

Really easy this bit, just run the following command:

aircrack-ng -s /testcap-01.ivs

If it takes more that a couple of seconds, wait until you have more IVs. Now we have all the info we need to connect to the network

Connecting to the network

Nothing surprising here, just using the info we already have to get on the network.

ifdown wlan0
iwconfig wlan0 mode managed
iwconfig wlan0 channel 11
iwconfig wlan0 essid test
iwconfig wlan0 key 1b9dda483d
ifup wlan0

At this point you should get an IP via DHCP, if not try running “dhcpd wlan0“. If you do this a few times you can get pretty fast at it, and 5-10 minutes will be all you’ll need to perform the full attack.

...
mifs[7]: 684 files, 26 directories
mifs[7]: Total bytes     :   64094208
mifs[7]: Bytes used      :   11614208
mifs[7]: Bytes available :   52480000
mifs[7]: mifs fsck took 60 seconds.
...done Initializing Flash.
done.
Loading "flash:/ies-lanbase-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin"...flash:/ies-lan
base-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin: magic number mismatch: bad mzip file

Error loading "flash:/ies-lanbase-mz.122-50.SE2/ies-lanbase-mz.122-50.SE2.bin"

Interrupt within 5 seconds to abort boot process.
Boot process failed...

The system is unable to boot automatically.  The BOOT
environment variable needs to be set to a bootable
image.

No problem I thought, I’ll just use Rommon and suck down a clean image from a TFTP server. How wrong I was! These switches don’t have Rommon, instead they have their own boot OS which bizarrely doesn’t seem to support any kind of networking whatsoever. It can format the filesystem and do basic file operations, but thats it as far as I can tell. You quickly find yourself stuck with no way to upload an image, and the scant documentation unhelpfully suggests that you reset your switch to factory defaults. If you follow this advice you now have a switch with no config and still a corrupt IOS. There doesn’t appear to be any documentation at all about the strange little OS you find yourself stuck in, so its time to experiment.

Plugging the flash card into my Windows machine showed that it wasn’t formatted in a way that Windows could read it, so you can’t copy an image that way. Formatting it as FAT resulted in a strange situation where both Windows and the switch could write to the flash card, but neither could see the others files. Unfortunately I didn’t have easy access to a Linux machine to see if it was readable on there, I needed another way to get the right data onto the card. I did have other working Stratixes, so I had the idea of cloning a working flash card. You can’t do this natively in Windows so I had to find a Windows version of the well known Linux tool, dd.

dd is a very low level tool that copies data at a block level. It doesn’t see files or folders or even disk formats, it just sees the raw bits. The plan was to make an image of a working flash card, and then dump that onto the failed one. In theory you should end up with a perfect clone, and this way Windows doesn’t need to be able to read the disk format. I used the tool as follows, first listing the available drives, second making an image of a good flash card and finally writing that image onto the corrupt one:

D:\Programs\dd>dd --list
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.

Win32 Available Volume Information

[snip]

\\.\Volume{43371b24-d6a0-11df-b040-005056c00008}\
 link to \\?\Device\HarddiskVolume10
 removeable media
 Mounted on \\.\l:

[snip]

D:\Programs\dd>dd if=\\.\l: of=stratix.img
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.

125440+0 records in
125440+0 records out

D:\Programs\dd>dd if=stratix.img of=\\.\l:
rawwrite dd for windows version 0.6beta3.
Written by John Newbigin <jn@it.swin.edu.au>
This program is covered by terms of the GPL Version 2.

125440+0 records in
125440+0 records out

D:\Programs\dd>

Happily it worked flawlessly, the cloned flash card contained an exact copy of the working IOS and I was able to get my switch working again. I’d love to know the manufacturer’s recommended restore method, but as is often the case the documentation is lacking.

Router#sh access-lists 100
Extended IP access list 100
 10 permit tcp any host 192.168.0.10 eq www
 20 permit tcp any host 192.168.0.10 eq 443
 30 deny ip any any

First lets examine this output. Note that we are looking at an extended access list, although our trick will work with standard ACLs too. Also note that there are numbers before each rule. We are going to learn how to harness the power of these numbers. Lets say we want to add another rule, permitting mail to the 192.168.0.10 host. If you try and just add in the rule using the way they teach you in your CCNA, you end up with the following:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 100 permit tcp any host 192.168.0.10 eq 25
Router(config)#do sh access-l 100
Extended IP access list 100
 10 permit tcp any host 192.168.0.10 eq www
 20 permit tcp any host 192.168.0.10 eq 443
 30 deny ip any any
 40 permit tcp any host 192.168.0.10 eq smtp
Router(config)#

So not too good really, that rule will never get hit as its been put after the deny. Luckily theres another way, using the “ip access-list” configuration command. Take note here of the rule numbers – first we’ll remove the rule that was put at the end of the ACL, and then we’ll re-add it before the deny:

Router(config)#ip access-list extended 100
Router(config-ext-nacl)#no 40
Router(config-ext-nacl)#25 permit tcp any host 192.168.0.10 eq smtp
Router(config-ext-nacl)#do show access-list 100
Extended IP access list 100
 10 permit tcp any host 192.168.0.10 eq www
 20 permit tcp any host 192.168.0.10 eq 443
 25 permit tcp any host 192.168.0.10 eq smtp
 30 deny ip any any
Router(config-ext-nacl)#

After entering the first command note that we go into config-ext-nacl mode which is where we add and remove rules. Its quite easy – you add a rule by starting with the sequence number of where you want it go and then entering the rest of the rule as normal. You remove a rule with “no” followed by the sequence number.

You might have realised that we can only add so many rules like this before we run out of numbers, but thats fine too as IOS includes a command to let you resequence the list. For example

Router#sh access-lists 100
Extended IP access list 100
 1 permit tcp any host 192.168.0.10 eq www
 2 permit tcp any host 192.168.0.10 eq 443
 3 permit tcp any host 192.168.0.10 eq smtp
 4 deny ip any any
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list resequence 100 10 10
Router(config)#do sh access-l 100
Extended IP access list 100
 10 permit tcp any host 192.168.0.10 eq www
 20 permit tcp any host 192.168.0.10 eq 443
 30 permit tcp any host 192.168.0.10 eq smtp
 40 deny ip any any
Router(config)#

So the key command there is “ip access-list resequence 100 10 10″. Don’t get worried by the raft of numbers, its really simple. The first number (100) is the access list we want to resequence; the second number (10) is what number we want the first rule to start at; the third number (10) is what we want the increment to be for each following rule. Lets try another example, we want the list to start at 50 and have increments of 5:

Router(config)#ip access-list resequence 100 50 5
Router(config)#do sh access-l 100
Extended IP access list 100
 50 permit tcp any host 192.168.0.10 eq www
 55 permit tcp any host 192.168.0.10 eq 443
 60 permit tcp any host 192.168.0.10 eq smtp
 65 deny ip any any
Router(config)#

These few commands have come in incredibly useful for me and have saved me a great deal of ACL related headaches, I recommend you learn them!

The first way is when you have no clue at all what you need to type, and just want a refresher of what options are available. Typing the ‘?’ character will show you all possible commands with a brief description, eg

Router#?
Exec commands:
 <1-99>           Session number to resume
 access-enable    Create a temporary Access-List entry
 access-profile   Apply user-profile to interface
 access-template  Create a temporary Access-List entry
 archive          manage archive files
 audio-prompt     load ivr prompt
 auto             Exec level Automation
 beep             Blocks Extensible Exchange Protocol commands
 bfe              For manual emergency modes setting
 calendar         Manage the hardware calendar
 call             Voice call
 ccm-manager      Call Manager Application exec commands
 cd               Change current directory
 cellular         cellular commands
 clear            Reset functions
 clock            Manage the system clock
 cns              CNS agents
 configure        Enter configuration mode
 connect          Open a terminal connection
 copy             Copy from one file to another
 credential       load the credential info from file system
 crypto           Encryption related commands.
 --More--

Press space to see more. You can also use this on a nested basis, eg

Router#show access-lists ?
 <1-2799>    ACL number
 WORD        ACL name
 compiled    Compiled access-list statistics
 rate-limit  Show rate-limit access lists
 |           Output modifiers
 <cr>

Router#show access-lists

The second, slightly different way to use this is when halfway through a command, it will try and match based on what you have already typed

Router#show ip in?
inspect  interface

Router#show ip i?
icmp  igmp  inspect  interface
ips   irdp

Router#show ip in?
inspect  interface

Router#show ip in

However note that in this case you don’t get the command descriptions.

You can use this from any mode, so it works in config, user exec, privileged exec. A lot of the commands you’ll come to learn by heart, but this is very useful for the ones you use less often.

For my part I don’t deal with set ups big enough to hit some of the limits they are discussing but it’s certainly thought provoking. Most people’s standard response is that you should have a firewall in front of everything, but after following the discussion I’m now not so sure

NAT target

interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 !
ip route 0.0.0.0 0.0.0.0 10.0.0.2

Customer router

interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 !
interface FastEthernet0/1
 ip address 172.0.0.2 255.255.255.0
 ip nat outside
 !
ip route 0.0.0.0 0.0.0.0 172.0.0.3
!
ip nat inside source static 10.0.0.1 172.0.1.2

ISP router

interface FastEthernet0/1
 ip address 172.0.1.3 255.255.255.0 secondary
 ip address 172.0.0.3 255.255.255.0

Looks like it should work right? Not quite. If we try and ping 172.0.1.2 from the ISP router, there is no response. We can see the NAT translation in place on the router, and with a debug arp command we can see the arp requests hitting the customer router, but it doesn’t respond.

Customer#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 172.0.1.2          10.0.0.1           ---                ---
Customer#debug arp
ARP packet debugging is on
Customer#
*Mar  1 00:40:20.147: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:22.147: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:24.147: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:26.111: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
*Mar  1 00:40:28.135: IP ARP: rcvd req src 172.0.1.3 cc06.11b8.0001, dst 172.0.1.2 FastEthernet0/1
Customer#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
--- 172.0.1.2          10.0.0.1           ---                ---
Customer#

We can also look in the arp table on the ISP router and confirm that it has no entry for 172.0.1.2. If we change the NAT statement so that the external natted address is on the 172.0.0.0/24 subnet, everything works so we aren’t hitting proxy-arp issues.

Customer(config)#no ip nat inside source static 10.0.0.1 172.0.1.2
Customer(config)#ip nat inside source static 10.0.0.1 172.0.0.5

ISP#ping 172.0.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.0.0.5, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/77/92 ms
ISP#

To cut a long story short, what we need to do is add the external natted address as a secondary IP on the customer router (or give it a different secondary IP on that subnet).

Customer(config)#int fa 0/1
Customer(config-if)#ip add 172.0.1.2 255.255.255.0 sec
Customer(config-if)#ip add 172.0.1.2 255.255.255.0 secondary

ISP#ping 172.0.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.0.1.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/49/72 ms
ISP#

Incredibly obvious when you think about it, but it took me a while to work out due to the fact that on Cisco’s firewall line it works without secondary addresses. Hopefully this will save someone else the headaches I went through.

Well actually there are a couple of gotchas to bear in mind when doing this. The first is easy and you’ll probably be hitting yourself – if you are in a vty session (eg you are connected via telnet or ssh) you don’t see the console messages by default. Use the terminal monitor command to view the debug messages:

Router#terminal monitor

The second issue is a bit less obvious (unless you’ve read the command description carefully). Only packets which are process-switched are included in the debug – this makes sense if you think about it because unless they are process switched the CPU never sees them. To see the traffic in your debug you need to somehow disable CEF which can be done globally or on a per interface basis:

Router(config)#no ip cef
Router(config)#int fa 0/0
Router(config-if)#no ip route-cache

If you do it on a per interface basis you need to do it on both the ingress and egress port of the traffic you want to capture, otherwise you will only see it in one direction.

As a final warning, think very carefully before disabling CEF on a production router! You could very easily overload the processor and crash the router.