Title: Auditing Checkpoint FW1
Slide 1: Auditing Checkpoint FW1 - The Combat Overview
Welcome!
Ed Capizzi, Janus IT Security Auditor
ed.capizzi@janus.com
Slide 2: OSI 7 Layer Reference Model
Slide 3: Router
Slide 4: Proxy
Slide 5: Dynamic State Tables
Slide 6:
- Malicious authorized users.
- Connections that don't go through it.
- 100% of all threats!
A firewall is only as effective as the policy it supports.
Slide 7:
GUI - User Interface
MM - Management / Logging
FW - Enforcement Point
Slide 8: GUI, MM, FW - Monolithic Stack
Slide 9: MM, GUI, FW - Remote GUI
Slide 10: FW, GUI, MM - Remote Management. Always Authenticated.
Slide 11: FW, MM, GUI - Remote Management AND Remote GUI. Beware ports 256, 257, 258, 259.
Slide 12: FW, MM, multiple GUIs - Remote Management AND Remote GUIs
Slide 13: WIFM
GUI - User Interface - Local Mode!
MM - Management / Logging - Logs, Users, Configs, Rulesets
FW - Enforcement Point - Daemons, etc.
Slide 14: (No Transcript)
Slide 15: Any Input? Let's go look!
Slide 16: Useful Commands
- fw ver - returns version and patch info
- fwm -p - prints a list of admin users
- fwstart - self-explanatory, be careful
- fwstop - self-explanatory, don't use this!
- fw log - displays the log (has many switches)
- fw logexport - exports a log; beware of size creep
- fw dbexport - exports the user database
- fw printlic - prints the license
- fw stat - shows the status of the firewall
- cpconfig (fwconfig) - config util to review fw setup
Slide 17: fw ver - returns version and patch info
fw ver
This is Check Point VPN-1(TM) FireWall-1(R) Version 4.1 Build 41862 VPN DES STRONG
Slide 18: fwm -p - Print a list of Admin users
FireWall-1 Remote Manager Administrators
Larry (Read/Write on all Management clients
       Log Consolidator - Read/Write
       Reporting Module - Read/Write)
Curly (Read/Write on all Management clients
       Log Consolidator - Read/Write
       Reporting Module - Read/Write)
Mo    (Read Only on all Management clients)
Total of 3 administrators
This is Check Point VPN-1(TM) FireWall-1(R) Version 4.1 (20Nov2002 14:10:22)
Slide 19:
- fwstart - self-explanatory, be careful
- fwstop - self-explanatory, don't use this!
Slide 20:
- fw log - displays the log; feature rich (has many switches)
- fw logexport - exports a log to ASCII format with your choice of delimiters; beware of size creep!
- fw dbexport - exports the user database; -d to set the delimiter
Slide 21: fw printlic - prints the license
Host              Expiration   Features
170.199.190.253   Never        CPVP-ESC-U-3DES-V41 CK-15CCD095822D
Slide 22: cpconfig (fwconfig) - config util to review fw setup
Slide 23: cpconfig (cont.)
Welcome to Check Point Configuration Program
This program will let you re-configure your Check Point Management configuration.
Configuration Options
----------------------
(1) Licenses
(2) Administrators
(3) GUI clients
(4) Remote Modules
(5) Groups
(6) Exit
Enter your choice (1-6)
Slide 24: ./fw stat (run on the FW)
HOST        POLICY    DATE
localhost   Snoopy1   18Nov2002 10:00:49  >qfe0 <qfe0 >qfe1 <qfe1 >qfe2 <qfe2 >qfe3 <qfe3
Slide 25: Important Checkpoint files, commands and directories
$FWDIR/conf/
- $FWDIR/conf/rulebases.fws - Contains all firewall rulebases
- $FWDIR/conf/objects.C - Contains all firewall objects
- $FWDIR/conf/cp.licenses - Licenses file
- $FWDIR/conf/fwmusers - Contains all FW admins
- $FWDIR/conf/gui-clients - List of all authorized GUI clients
- $FWDIR/conf/masters - List of all FW masters (Mgt / Logging)
$FWDIR/log/
- $FWDIR/log/cpmgmt.aud - Log of admin access via the GUI
- $FWDIR/log/manage.lock - Empty file used for GUI R/W management
Slide 26: $FWDIR/conf/rulebases.fws
cat rulebases.fws
rule-base ("A_Standard_Policy"
  rule (
    src (Any)
    dst (Any)
    services (Silent_Services)
    action (drop)
    track ()
    install (Gateways)
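The rulebases.fws excerpt above is a nested, parenthesised structure, so a short recursive parser is enough to turn it into rule records an auditor can query instead of reading the file by eye. The Python below is an added example, not code from the presentation or a Check Point tool. The sample text is constructed to mirror the slide's excerpt, with the ':' key prefixes the real file carries (the parser accepts keys with or without them); the two checks it applies, rules that accept Any to Any on Any service and rules whose track field is empty, are the auditor's own choice of what to flag first.

```python
import re

# Constructed sample modelled on the slide's rulebases.fws excerpt: one policy,
# three rules. Real files prefix keys with ':'; the parser accepts both forms.
SAMPLE_RULEBASES_FWS = """
(
 :rule-base ("A_Standard_Policy"
  :rule (
   :src (Any)
   :dst (Any)
   :services (Silent_Services)
   :action (drop)
   :track ()
   :install (Gateways)
  )
  :rule (
   :src (Any)
   :dst (Any)
   :services (Any)
   :action (accept)
   :track (Long)
   :install (Gateways)
  )
  :rule (
   :src (xnet-0)
   :dst (Any)
   :services (http)
   :action (accept)
   :track (Long)
   :install (Gateways)
  )
 )
)
"""

# Tokens: a double-quoted string, a single parenthesis, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[()]|[^\s()"]+')


def parse(tokens, pos=0):
    """Parse one element at tokens[pos]; return (element, next_pos).
    '(' opens a nested list; anything else is an atom with ':' and quotes stripped."""
    tok = tokens[pos]
    if tok == "(":
        items, pos = [], pos + 1
        while tokens[pos] != ")":
            item, pos = parse(tokens, pos)
            items.append(item)
        return items, pos + 1
    if tok == ")":
        raise ValueError("unbalanced ')' at token %d" % pos)
    return tok.lstrip(":").strip('"'), pos + 1


def pairs(items):
    """Yield (key, value) from a list that alternates atom / nested list.
    An atom not followed by a list (e.g. the policy name) is yielded with value None."""
    i = 0
    while i < len(items):
        if i + 1 < len(items) and isinstance(items[i + 1], list):
            yield items[i], items[i + 1]
            i += 2
        else:
            yield items[i], None
            i += 1


def extract_rules(tree):
    """Walk the parsed tree and return one dict per rule, in file order."""
    rules = []

    def walk(node, policy):
        if not isinstance(node, list):
            return
        for key, val in pairs(node):
            if key == "rule-base" and val:
                name = val[0] if not isinstance(val[0], list) else "?"
                walk(val, name)
            elif key == "rule" and val:
                fields = dict(pairs(val))
                rules.append({
                    "policy": policy,
                    "src": fields.get("src") or [],
                    "dst": fields.get("dst") or [],
                    "services": fields.get("services") or [],
                    "action": (fields.get("action") or [""])[0],
                    "track": fields.get("track") or [],
                })
            else:
                walk(val, policy)

    walk(tree, None)
    return rules


def audit_rulebases(text):
    """Parse rulebases.fws text and return the findings an auditor checks first:
    rule numbers that accept Any -> Any on Any service, and rules with no tracking."""
    tree, _ = parse(TOKEN_RE.findall(text))
    rules = extract_rules(tree)
    any_any_accept = [
        n for n, r in enumerate(rules, 1)
        if r["action"] == "accept"
        and all("Any" in r[f] for f in ("src", "dst", "services"))
    ]
    unlogged = [n for n, r in enumerate(rules, 1) if not r["track"]]
    return {"rules": len(rules), "any_any_accept": any_any_accept, "unlogged": unlogged}


if __name__ == "__main__":
    print(audit_rulebases(SAMPLE_RULEBASES_FWS))
```

Run against a copy of the real file, the same walk can be extended with any other per-rule test (services that include a broad group, rules installed on every gateway, and so on), since each rule arrives as a plain dict.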
Slide 27: $FWDIR/conf/objects.C
cat objects.fws
(
  anyobj (Any
    color (Blue)
  )
  superanyobj (Any)
  netobjgraph (
    (xnet-0
      color (black)
      type (network)
      location (internal)
      comments ("Created by the Graph View")
      broadcast (allow)
      ipaddr (2.2.2.0)
      netmask (255.255.255.0)
      read_only (true)
      is_network_implied (true)
      "oldname" (
        type (refobj)
        refname ("_xnet-0")
      )
Slide 28: $FWDIR/conf/cp.licenses
cat cp.license
Sign LICENSE 10.199.8.26 never CPFW-OSE-U-V41 CK-5099B26B 7xDQpDbe8LjfgDuDhaTvT6sem Index0 Version0
Sign LICENSE 10.199.8.26 never CPFW-ESC-U-V41 FW14.1MOTIF CK-F60A423378ED xzgjzt2PSZoBCBBZe6YkLue6aFh Index0 Version0
Sign LICENSE 10.199.8.26 never CPFW-ENC-U-3DES-MODULE-V41 CPFW-ENC-U-3DES-MGMT-V41 CK-FFA94CB bySNrc5YJQpWHwWc96cva8SLHVhm Index0 Version0
Slide 29: $FWDIR/conf/fwmusers
cat fwmusers
Larry   2f1003fec499757c65fc004c4af907    000fff0f
Curly   2708994e49bef3b30d7538d2866a56    000f0fff
Mo      2f2b8765040049948c569f134c9e7fd   000ff0ff
Schemp  6b09f8b704bfd1a0c986ca5efffc5cd82 0ffffff0f
Slide 30: $FWDIR/conf/gui-clients
cat gui-clients
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180
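Two of the files just shown, fwmusers and gui-clients, are the ones an auditor reconciles against what the product reports and against the organisation's own list of approved management stations. The Python below is an added example, not the presentation's code or a Check Point tool. Its samples are constructed from the two slides: the fwmusers listing (four names) and the names that the slide's fwm -p output reports (three), which the cross-check surfaces as a difference for follow-up, and the gui-clients listing, which is checked entry by entry against a hypothetical set of approved administration networks (APPROVED_ADMIN_NETS is an assumption, not from the slides). Entries that do not parse as an IP address are set aside for manual review.

```python
import ipaddress

# Constructed sample following the slide's $FWDIR/conf/fwmusers listing
# (name, password hash, permission mask), values as shown on the slide.
SAMPLE_FWMUSERS = """\
Larry 2f1003fec499757c65fc004c4af907 000fff0f
Curly 2708994e49bef3b30d7538d2866a56 000f0fff
Mo 2f2b8765040049948c569f134c9e7fd 000ff0ff
Schemp 6b09f8b704bfd1a0c986ca5efffc5cd82 0ffffff0f
"""

# Administrator names as printed by 'fwm -p' on the slide ("Total of 3 administrators").
FWM_P_ADMINS = ["Larry", "Curly", "Mo"]

# Constructed sample following the slide's gui-clients listing, one entry per line
# (10.199.87.836 is kept exactly as it appears on the slide).
SAMPLE_GUI_CLIENTS = """\
10.199.8.93
10.199.8.156
10.199.8.35
10.199.44.56
10.199.87.836
10.199.87.148
10.199.8.31
10.199.51.107
10.199.8.30
10.199.58.44
10.199.58.54
10.199.88.80
10.199.58.55
10.199.8.180
"""

# Hypothetical: the networks designated for firewall administration (an assumption).
APPROVED_ADMIN_NETS = [ipaddress.ip_network("10.199.8.0/24"),
                       ipaddress.ip_network("10.199.58.0/24")]


def parse_fwmusers(text):
    """Return {name: {"hash": ..., "perms": ...}} from fwmusers text."""
    admins = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            admins[parts[0]] = {"hash": parts[1], "perms": parts[2]}
    return admins


def compare_admin_listings(fwmusers_text, fwm_p_names):
    """Cross-check the on-disk admin file against what 'fwm -p' reports.
    Any name present in only one of the two listings needs an explanation."""
    on_disk = set(parse_fwmusers(fwmusers_text))
    reported = set(fwm_p_names)
    return {"only_in_fwmusers": sorted(on_disk - reported),
            "only_in_fwm_p": sorted(reported - on_disk)}


def audit_gui_clients(text, approved_nets):
    """Bucket each gui-clients entry: inside an approved admin network, outside it,
    or not parseable as an IP address (set aside for manual review)."""
    result = {"approved": [], "unapproved": [], "not_an_ip": []}
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            result["not_an_ip"].append(entry)
            continue
        bucket = "approved" if any(addr in net for net in approved_nets) else "unapproved"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    print(compare_admin_listings(SAMPLE_FWMUSERS, FWM_P_ADMINS))
    print(audit_gui_clients(SAMPLE_GUI_CLIENTS, APPROVED_ADMIN_NETS))
```

The permission mask column is carried through unchanged rather than decoded, because the slides show the raw values only; the point of the check is set membership, which is where most findings in these two files come from.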
Slide 31: $FWDIR/conf/masters
cat masters
10.1.1.1
10.1.2.1
Slides 32-33: $FWDIR/log/cpmgmt.aud
Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy6and7.W'
Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy3-test.W'
Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy2.W'
Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy1.W'
Fri Nov 15 09:17:50 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy3.W'
Fri Nov 15 09:18:07 2002 rule-editor Larry@PC-059 Installing rulebase '/opt/CPfw1-41/conf/Snoopy6and7.W' on host 'Snoopy6and7'
... rule-editor Curly@IT-STD-8900 Curly@IT-STD-8900 Logged in >>>>
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900 Failed to lock database Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059 Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059 Locking DB with '000fffff' permissions
Mon Nov 18 09:57:32 2002 log-viewer Larry@PC-059 Larry@PC-059 Logged in >>>>
Mon Nov 18 09:59:29 2002 rule-editor Larry@PC-059 Storing objects
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase(s)
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy4.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy5.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy6and7.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy3-test.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy2.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy3.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059 Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W' on host 'Snoopy1'
... 2002 rule-editor Larry@PC-059 Storing objects
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase(s)
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy4.W'
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy5.W'
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy6and7.W'
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy3-test.W'
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy2.W'
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy1.W'
Mon Nov 18 14:01:14 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy3.W'
Mon Nov 18 14:01:21 2002 rule-editor Larry@PC-059 Installing rulebase '/opt/CPfw1-41/conf/Snoopy5.W' on host 'Snoopy5'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018 Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018 Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:32:46 2002 log-viewer Mo@CMP-PC-0018 Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:34:09 2002 ------------------------------ Mo@CMP-PC-0018 Logged out <<<<
Tue Nov 19 13:12:34 2002 rule-editor Mo@CMP-PC-0018 Mo@CMP-PC-0018 Logged in >>>>
Tue Nov 19 13:12:36 2002 rule-editor Mo@CMP-PC-0018 Read-Only Mode requested. Database remains unlocked.
Tue Nov 19 13:12:42 2002 ------------------------------ Mo@CMP-PC-0018 Logged out <<<<
Wed Nov 20 10:22:31 2002 rule-editor Mo@CMP-PC-0018 Mo@CMP-PC-0018 Logged in >>>>
Wed Nov 20 10:22:33 2002 rule-editor Mo@CMP-PC-0018 Read-Only Mode requested. Database remains unlocked.
Wed Nov 20 10:23:23 2002 ------------------------------ Mo@CMP-PC-0018 Logged out <<<<
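Reading cpmgmt.aud by hand works for a few days of entries, but the questions an auditor actually asks of it (who logged into which tool, who installed which policy on which gateway, who was refused the database lock, who only ever opened it read-only) are easier to answer with a small parser. The Python below is an added example, not the presentation's code or a Check Point tool. The sample lines are constructed in the shape of the entries shown above (timestamp, tool name, user@host, message); the line layout and the set of message kinds it classifies are taken from those entries only, so other message texts fall into an "other" bucket rather than being guessed at.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the cpmgmt.aud entries shown on the slides.
SAMPLE_CPMGMT_AUD = """\
Fri Nov 15 09:18:07 2002 rule-editor Larry@PC-059 Installing rulebase '/opt/CPfw1-41/conf/Snoopy6and7.W' on host 'Snoopy6and7'
Fri Nov 15 12:55:00 2002 rule-editor Curly@IT-STD-8900 Failed to lock database Used by Larry@PC-059 using fwm.
Mon Nov 18 09:54:32 2002 rule-editor Larry@PC-059 Larry@PC-059 Logged in >>>>
Mon Nov 18 09:54:34 2002 rule-editor Larry@PC-059 Locking DB with '000fffff' permissions
Mon Nov 18 09:59:30 2002 rule-editor Larry@PC-059 Storing rulebase 'Snoopy1.W'
Mon Nov 18 09:59:39 2002 rule-editor Larry@PC-059 Installing rulebase '/opt/CPfw1-41/conf/Snoopy1.W' on host 'Snoopy1'
Mon Nov 18 15:31:50 2002 rule-editor Mo@CMP-PC-0018 Mo@CMP-PC-0018 Logged in >>>>
Mon Nov 18 15:31:52 2002 rule-editor Mo@CMP-PC-0018 Read-Only Mode requested. Database remains unlocked.
Mon Nov 18 15:34:09 2002 ------------------------------ Mo@CMP-PC-0018 Logged out <<<<
"""

# "<weekday> <month> <day> <hh:mm:ss> <year> <tool> <user@host> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<tool>\S+) (?P<actor>\S+) (?P<msg>.*)$"
)
INSTALL_RE = re.compile(r"Installing rulebase '(?P<rb>[^']+)' on host '(?P<host>[^']+)'")


def classify(msg):
    """Map a message to one of the event kinds seen in the slides' entries."""
    if "Logged in" in msg:
        return "login"
    if "Logged out" in msg:
        return "logout"
    if msg.startswith("Installing rulebase"):
        return "install"
    if msg.startswith("Storing"):
        return "store"
    if msg.startswith("Failed to lock"):
        return "lock_failed"
    if msg.startswith("Locking DB"):
        return "lock"
    if msg.startswith("Read-Only Mode"):
        return "readonly"
    return "other"


def parse_cpmgmt_aud(text):
    """Return one event dict per parseable line, with a datetime and an event kind."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a wrapped or truncated line: skipped, not guessed
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        ev = {"time": ts, "tool": m["tool"], "actor": m["actor"],
              "kind": classify(msg), "msg": msg}
        im = INSTALL_RE.search(msg)
        if im:
            ev["rulebase"], ev["host"] = im["rb"], im["host"]
        events.append(ev)
    return events


def summarize(events):
    """Per-user counts of the activity an auditor reviews, plus the hosts each user
    installed policy on."""
    per_user = {}
    for ev in events:
        u = per_user.setdefault(ev["actor"], {"logins": 0, "installs": [], "stores": 0,
                                              "lock_failed": 0, "readonly": 0})
        kind = ev["kind"]
        if kind == "login":
            u["logins"] += 1
        elif kind == "install":
            u["installs"].append(ev["host"])
        elif kind == "store":
            u["stores"] += 1
        elif kind == "lock_failed":
            u["lock_failed"] += 1
        elif kind == "readonly":
            u["readonly"] += 1
    return per_user


def policy_installs(events):
    """The highest-impact events: (timestamp, user@host, gateway, rulebase) for each
    policy install, in log order, ready to reconcile against change records."""
    return [(ev["time"].isoformat(sep=" "), ev["actor"], ev["host"], ev["rulebase"])
            for ev in events if ev["kind"] == "install"]


if __name__ == "__main__":
    evs = parse_cpmgmt_aud(SAMPLE_CPMGMT_AUD)
    for row in policy_installs(evs):
        print(*row)
    print(summarize(evs))
```

Lines that do not match the expected layout are skipped rather than repaired, which matters on a real file where long entries wrap; count the skipped lines separately if completeness of the review is in question.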
Intermission
Slide 34: Phone Boy and other useful Websites
a. Phoneboy - www.phoneboy.com
b. Cassandra - cassandra.cerias.purdue.edu
c. Bugtraq - online.securityfocus.com/archive
d. Sun - www.sun.com
e. MS - www.microsoft.com
f. Checkpoint - www.checkpoint.com
Slide 35: Useful Perl scripts
- fwrules4.2.pl - this is where the gifs are
- fwrules6.0.pl
And the output:
Slides 36-40: (No Transcript)
Slide 41: Advanced GUI
- Copy rulebases.fws from FW to GUI
- Copy objects.C from FW to GUI
- Rename rulebases.fws -> rules.fws
- Rename objects.C -> objects.fws
- Start GUI in local mode, ignore errors
Slide 42: Thank You