PA Sna 02/1
VPN-1 Security Gateway from Check Point
Appendix A, Check Point Guidance
PA Sna 02/1, VPN-1 Security Gateway from Check Point
Content
1 Introduction (p. 3)
2 Topology (p. 4)
3 Preparatory work (p. 4)
  3.1 Public Key Signature (p. 4)
4 Setup of Check Point Firewall-1 NG / VPN-1 (p. 5)
  4.1 Installation of Check Point Firewall-1 NG / VPN-1 (p. 5)
  4.2 Global Properties (p. 5)
  4.3 Networks in front and behind the gateway (p. 6)
  4.4 Create a Certificate Authority (CA) (p. 9)
  4.5 Create and modify the firewall itself (p. 10)
  4.6 VPN-Network (p. 17)
  4.7 Create and modify Linux as a VPN partner (p. 18)
  4.8 Gateway-to-Gateway and Network-to-Network rule set (p. 21)
  4.9 Encryption Properties (p. 22)
  4.10 Install a rule set (p. 23)
5 Linux FreeS/WAN (p. 24)
  5.1 Modify FreeS/WAN on pluto.zhwin.ch (p. 24)
6 Logging at Check Point, Logfile-View (p. 25)
7 URLs (p. 25)
© 2002, Zürcher Hochschule Winterthur, page 2 of 25
1 Introduction
The following guide describes how to create a VPN tunnel between a Check Point
Firewall-1 and a Linux FreeS/WAN Security Gateway.
If you have not done so already, you will need to install a copy of FreeS/WAN on your
Linux host. FreeS/WAN will allow Linux to support IKE and IPsec, and can be easily
configured to interoperate with Check Point VPN-1 NG. For further information on
installing and compiling FreeS/WAN please refer to the URLs listed in chapter 7.
This guide will only give the required information about configuring Check Point VPN-1
NG to allow interoperability between FreeS/WAN and VPN-1 and not details about
setting up FreeS/WAN.
The following products were used during our tests:
- Gateway 1: Check Point Firewall-1 NG FP-2 installed on a Windows 2000
Advanced Server SP 2.
- Gateway 2: Linux SuSE 7.1 gateway running kernel 2.4.17, extended with an
iptables firewall and the FreeS/WAN VPN software.
The following issues should be known before starting with the configuration of Check
Point VPN-1 and FreeS/WAN:
- FreeS/WAN does not support Aggressive Mode. Aggressive mode is slightly
faster, but reveals more information to an eavesdropper. Specifically, it lets an
eavesdropper know what identities are in use.
- FreeS/WAN does not support an IKE SA renegotiation time above 480
minutes.
- FreeS/WAN does not implement Diffie-Hellman group 1 (768-bit) because it is
considered to be insecure.
- The interoperability works only when Perfect Forward Secrecy (PFS) is
enabled. With PFS enabled, a Diffie-Hellman key exchange is executed for
each IPsec SA in order to make the short term session keys independent of
each other.
Good luck and have fun!
2 Topology
The following diagram corresponds to the configuration that we’ve used during the
creation of this document:
Picture A 2.1: Topology test net
3 Preparatory work
Before you install the Check Point Software make sure that the communication to all
the machines in and out of your network is functioning well (that all routing has been
setup), otherwise you may have problems with your Check Point Firewall-1.
3.1 Public Key Signature
Under Check Point NG it’s not possible to generate certificates for external servers with
the Check Point Management station itself. You have to create an additional CA
(Certificate Authority). In our case this means, that we have to import the root-
certificate from the ZHW-CA.
Requirements from the CA:
- X.509 certificate of CA in PEM format (e.g.: ca-cert.pem)
- X.509 certificate of FreeS/WAN host (e.g.: plutoCert.der)
4 Setup of Check Point Firewall-1 NG / VPN-1
This section does not discuss all of the configuration information for VPN-1, only the
parts needed to get the VPN tunnel working with certificates. For detailed
information about other configuration options please consult the user guide from Check
Point.
4.1 Installation of Check Point Firewall-1 NG / VPN-1
This step is straightforward, so no screenshots should be required. Otherwise please consult the
Check Point guide.
4.2 Global Properties
The first step to a successful setup is to change the VPN configuration method to
traditional. Otherwise you get the VPN Wizard from Check Point, which was not tested
in this document.
Picture A 4.1: Global Properties
Modify Global Properties (According to picture A 4.1)
  Policies\Global Properties\VPN-1 Pro
    Traditional Mode: Enabled
  Expand the VPN-1 Pro tree to check the following settings:
  Policies\Global Properties\VPN-1 Pro\Early Versions Compatibility (not shown)
    Renegotiate IKE: 60 minutes
    Renegotiate IPsec: 3600 seconds
4.3 Networks in front and behind the gateway
To create a policy, you have to create acting objects which map to your real network
components (Management Server, Networks, Nodes etc.).
First of all you have to create the networks both in front and behind the gateway:
Picture A 4.2: Create a network
Create object: Intranet/Extranet (According to picture A 4.2)
Manage\Network Objects\New\Network
4.3.1 Intranet
After creating a new network you have to specify it:
Picture A 4.3: Intranet
Modify object: Intranet (According to picture A 4.3)
  General
    Name: Intranet-160.85.22.0
    Network Address: 160.85.22.0
    Net Mask: 255.255.255.0
    Broadcast address: Included
  NAT: -
4.3.2 Extranet
(The same as chapter 4.3.1)
Picture A 4.4: Extranet
Modify object: Extranet (According to picture A 4.4)
  General
    Name: Extranet-160.85.20.0
    Network Address: 160.85.20.0
    Net Mask: 255.255.255.0
    Broadcast address: Included
  NAT: -
4.4 Create a Certificate Authority (CA)
It’s not possible to generate certificates for external servers with the Check Point
Management station itself, so you have to create an additional Certificate Authority (we
used the ZHW-CA, which is based on OPSEC PKI (1)):
Picture A 4.5 and A 4.6: ZHW-CA
Create object: ZHW-CA
Manage\Servers\New\Certificate Authority
Modify object: ZHW-CA (According to picture A 4.5 and A 4.6)
  General
    Name: ZHW-CA
    Certificate Authority: OPSEC PKI
  OPSEC PKI
    LDAP-Server: Disabled
    HTTP-Server: Enabled
    GET: Get the ZHW-CA root certificate
  Advanced (not shown): Default values
1 OPSEC = Open Platform for Secure Enterprise Connectivity
4.5 Create and modify the firewall itself
If you have not already created the Firewall itself, do so now. It is represented as a
gateway between the encryption domain and the insecure extranet.
Check whether VPN-1 Pro is enabled, otherwise the VPN will not work (VPN-1 must be
licensed)!
Picture A 4.7: Create the firewall
Create object: zhwpoint
Manage\Network Objects\New\Check Point\Gateway
Modify object: zhwpoint – General Properties (According to picture A 4.7)
  General Properties
    Name: zhwpoint (Computer Name)
    IP-Address: 160.85.20.120 (GET address)
    Firewall-1: Enabled
    VPN-1 Pro: Enabled
To get the firewall to work properly you have to define its interfaces to its neighbouring
networks. Just push the Get Topology button to get the default values and then check
and correct the details of each interface (see picture A 4.9).
Picture A 4.8: Topology firewall
Modify object: zhwpoint-Topology (According to picture A 4.8)
  Topology
    Get Topology: (get standard value)
    VPN Domain: Manually Defined Intranet
    Exportable for SecuRemote: Enabled (for the use with SecuRemote)
Picture A 4.9: Topology firewall
Modify object: zhwpoint-Interface Properties (According to picture A 4.9)
  General (not shown)
    Interface EL90Xbc0: IP 160.85.22.2, Net Mask 255.255.255.0
    Interface EL90Xbc1: IP 160.85.20.120, Net Mask 255.255.255.0
  Topology
    Anti Spoofing, Internal: Specific Intranet
    Perform Anti-Spoofing based ...: Disabled (see chapter 7)
  QoS (not shown)
    Outbound Activity Rate: Enable (5898240 Bps) only for the EL90Xbc1 interface
    (otherwise it does not work properly)
FreeS/WAN supports IKE, so you have to enable the IKE encryption scheme by
clicking on it. To set the IKE properties click Edit (see picture A 4.11).
To make a VPN connection you have to get a certificate from your CA (created below,
as shown in picture A 4.12).
Picture A 4.10: VPN
Modify object: zhwpoint-VPN (According to picture A 4.10)
  VPN
    Encryption schemes: Enable IKE
FreeS/WAN does not support DES encryption because it is considered insecure, so
you have to choose the safer 3DES. Both data integrity hashing algorithms MD5 and
SHA1 are supported by FreeS/WAN.
We want to authenticate Check Point to Pluto with certificates, so we have to enable
the Public Key Signature box. To set the matching certificate from the right CA we have
to edit the Public Key Signature and select the CA which we‘ve defined above (ZHW-
CA).
Picture A 4.11: IKE-Properties
Modify object: zhwpoint-VPN-IKE (According to picture A 4.11)
  IKE Properties
    3DES: Enabled
    MD5: Enabled
    SHA1: Enabled
    Public Key Signature: Enabled, Specify: ZHW-CA
The UDP encapsulation will be used for the SecuRemote access (see in the main
document chapter 4.6 SecuRemote).
Diffie-Hellman group 2 is a reasonably safe choice.
As mentioned in chapter 1, FreeS/WAN does not support an IKE SA renegotiation time above 480
minutes, so you have to change the Rekeying Parameters as shown in picture A 4.11b.
Picture A 4.11b: Advanced IKE properties
Modify object: zhwpoint-VPN-IKE Advanced (According to picture A 4.11b)
  Advanced IKE Properties
    Use UDP encapsulation: Enabled, VPN1_IPSEC_encapsulation
    Support Diffie-Hellman groups: Enable group 2
    Rekeying Parameters: Renegotiate IKE 60 Minutes; Renegotiate IPsec 3600 Seconds
    Misc: -
To get a certificate for the VPN you first have to generate a certificate request for your
machine. With your request you can get the correct certificate from your CA.
Afterwards you have to import the certificate into the Check Point gateway. In picture A
4.12 you can see the certificate issued by the ZHW-CA.
Picture A 4.12: Certificate Properties
Modify object: zhwpoint-VPN-Certificate (According to picture A 4.12)
  Certificate Properties
    Certificate Nickname: CertIP
    Certificate Authority: ZHW-CA
    Generate the Certificate Request: CN=zhwpoint.zhwin.ch, OU=PA, O=ZHW, C=CH
      It is important, when you generate the certificate, that you specify the
      IP address as the SubjectAltName!
    Get the Certificate: Read the certificate that you got from your CA
4.6 VPN-Network
As mentioned in chapter 2 (Topology) our VPN tunnel is situated between two
gateways (Pluto and Check Point). Behind the Linux gateway (Pluto) is our encryption
domain, so we have to create another network to represent it (see picture A 4.13).
Picture A 4.13: VPN-Network
Create object: VPN-Net
Manage\Network Objects\New\Network
Modify object: VPN-Net (According to picture A 4.13)
  General
    Name: VPNN-160.85.106.252
    Network Address: 160.85.106.252
    Net Mask: 255.255.255.252
    Broadcast address: Included
  NAT: -
4.7 Create and modify Linux as a VPN partner
Here you have to create and modify an object to represent the Linux host in our
security policy. A new feature in Check Point NG is the object called Interoperable
Device which best matches our requirements for a Linux gateway.
Picture A 4.14: pluto.zhwin.ch – General Properties
Create object: pluto.zhwin.ch
Manage\Network Objects\New\Interoperable Device
Modify object: pluto.zhwin.ch – General Properties (According to picture A 4.14)
  General Properties
    Name: pluto.zhwin.ch
    IP-Address: 160.85.139.240 (GET address)
For a flawless function of the VPN you have to fill in the exact topology of your Linux
gateway.
The VPN domain is the encryption domain that we’ve created in chapter 4.6 (see
picture A 4.15).
Picture A 4.15: pluto.zhwin.ch - Topology
Modify object: pluto.zhwin.ch – Topology (According to picture A 4.15)
  Topology
    Add: eth0, IP Address: 160.85.139.240, Network Mask: 255.255.255.0
    Add: eth1, IP Address: 160.85.106.254, Network Mask: 255.255.255.252
    VPN Domain: Manually Defined VPN-Net
Use the VPN page to select IKE and modify its properties as shown below in picture A
4.16.
We didn’t use any matching criteria in our tests, but feel free to do so.
Picture A 4.16: pluto.zhwin.ch – IKE Properties
Modify object: pluto.zhwin.ch – IKE Properties (According to picture A 4.16)
  IKE Properties
    3DES: enabled
    MD5: enabled
    SHA1: enabled
    Public Key Signature: enabled, Matching Criteria: Certificate Issued by ZHW-CA
4.8 Gateway-to-Gateway and Network-to-Network rule set
Create an encrypt rule to define the VPN which looks similar to the following (rule 6 and
7 in picture A 4.17):
Picture A 4.17: Rule set
Rules 1 and 2 are used to allow ICMP, IKE and ESP connections to the gateways. Be
sure that these rules are above the stealth rule (1), otherwise IKE will fail.
To create an encrypt rule, you have to choose the encrypt symbol from the Action
field. Afterwards you have to edit the encrypt properties (see chapter 4.9).
Note: The rules shown in picture A 4.17 are required for the VPN tunnel. In addition to these
rules, you have to implement the needed rules for the firewall itself.
1 A stealth rule is used to prevent a direct connection to the firewall.
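To show why rules 1 and 2 must sit above the stealth rule, here is a small first-match simulation of the rule base from picture A 4.17. This is an added example, not Check Point code; the rule objects are constructed, and only the gateway and network addresses come from this guide.

```python
"""First-match simulation of the rule base from chapter 4.8: the gateway rules for
ICMP, IKE and ESP must sit above the stealth rule, or IKE never reaches the firewall.
Added example; rule objects are constructed, only the addresses come from the guide."""
import ipaddress

ZHWPOINT = "160.85.20.120"      # Check Point gateway, external address (chapter 4.5)
PLUTO = "160.85.139.240"        # Linux FreeS/WAN gateway (chapter 4.7)
ANY = "any"

def matches(obj, value):
    """A rule object is 'any', a set of host addresses or a network in CIDR notation."""
    if obj == ANY:
        return True
    if isinstance(obj, set):
        return value in obj
    return ipaddress.ip_address(value) in ipaddress.ip_network(obj)

def first_match(rules, src, dst, service):
    """Check Point evaluates top-down, first match wins; no match hits the implicit drop."""
    for name, rule_src, rule_dst, services, action in rules:
        if (matches(rule_src, src) and matches(rule_dst, dst)
                and (services == ANY or service in services)):
            return name, action
    return "implicit cleanup", "drop"

def vpn_rules(stealth_first):
    """Rules 1/2 (gateway traffic), the stealth rule and encrypt rules 6/7, in the chosen order."""
    gateway = [("1 gateway traffic", {PLUTO}, {ZHWPOINT}, {"icmp", "IKE", "ESP"}, "accept"),
               ("2 gateway traffic", {ZHWPOINT}, {PLUTO}, {"icmp", "IKE", "ESP"}, "accept")]
    stealth = [("stealth", ANY, {ZHWPOINT}, ANY, "drop")]   # nobody talks to the firewall itself
    encrypt = [("6 encrypt", "160.85.22.0/24", "160.85.106.252/30", ANY, "encrypt"),
               ("7 encrypt", "160.85.106.252/30", "160.85.22.0/24", ANY, "encrypt")]
    return (stealth + gateway if stealth_first else gateway + stealth) + encrypt
```

With the stealth rule on top, `first_match(vpn_rules(True), PLUTO, ZHWPOINT, "IKE")` returns the stealth drop, which is exactly the failure the text warns about.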
4.9 Encryption Properties
So far we have only defined that a connection between Pluto and Check Point should be
encrypted, but we haven’t declared an encryption algorithm. So you have to change the
properties in the encryption rules (see picture A 4.18).
Picture A 4.18: Encryption Properties
Modify object: Encryption Properties (According to picture A 4.18)
  Encryption Properties: right mouse click on the Encrypt symbol in the rule base, Edit
    IKE, Edit:
      Encryption Algorithm: 3DES
      Data Integrity: MD5
      Compression method: None
      Allowed Peer Gateway: pluto.zhwin.ch
      Use PFS (1): Group 2
Note: Perfect Forward Secrecy (PFS): PFS is a policy which requires encryption keys to be changed during each rekeying
and thus ensures that no two sets of keys have any relation to each other. The
advantage of perfect forward secrecy is that if one set of keys is compromised, only
data encrypted with those keys is at risk. The IKE protocol achieves perfect forward
secrecy by using frequent Diffie-Hellman key exchanges.
1 Perfect Forward Secrecy
4.10 Install a rule set
Policy\Install
That’s easy, no screenshots should be required – good luck!
After this last step your machine is ready to build a VPN connection.
5 Linux FreeS/WAN
5.1 Modify FreeS/WAN on pluto.zhwin.ch
/etc/ipsec.conf:

config setup
    #
    # THIS SETTING MUST BE CORRECT or almost nothing will work
    # %defaultroute is ok for most simple cases.
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
    dumpdir=/root

conn %default
    keyingtries=3
    ikelifetime=3h
    keylife=1h
    disablearrivalcheck=no
    # --- RSA authentication using certificates
    authby=rsasig
    # --- left: this server
    left=%defaultroute
    leftid=[email protected]
    leftcert=plutoCert.der
    leftupdown=/usr/local/lib/ipsec/updown
    # --- right: roadwarrior
    right=%any
    rightrsasigkey=%cert
    # --- preferred encryption algorithms (no whitespace inside the value)
    esp=aes128,3des
    # --- load connections automatically at startup
    auto=add

conn checkpoint
    # --- right: the Check Point gateway and the intranet behind it (chapters 4.3, 4.5)
    right=160.85.20.120
    rightsubnet=160.85.22.0/24
    # --- left: VPN-Net behind pluto; must match the VPN domain defined in chapter 4.6
    leftsubnet=160.85.106.252/30
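The constraints from chapter 1 (IKE lifetime at most 480 minutes, PFS required, no single DES) and the certificate-based authentication from chapters 3.1 and 4.5 can be checked against the FreeS/WAN side before the tunnel is brought up. The following parser and check are an added example, not FreeS/WAN or Check Point code, and the sample configuration is constructed from the one above.

```python
"""Parser for a FreeS/WAN-style ipsec.conf and a check of the Check Point connection
against the constraints this guide lists. Added example, not FreeS/WAN or Check Point code."""
import re

# Constructed sample modelled on the pluto.zhwin.ch configuration from chapter 5.
SAMPLE_CONF = """
conn %default
    ikelifetime=3h
    keylife=1h
    authby=rsasig            # RSA signatures, i.e. certificate authentication
    right=%any
    esp=aes128,3des
conn checkpoint
    right=160.85.20.120
    rightsubnet=160.85.22.0/24
    leftsubnet=160.85.106.252/30
"""

def parse_ipsec_conf(text):
    """Return {"conn name": {key: value}}; conn sections inherit from conn %default."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # section header, e.g. "conn checkpoint"
            kind, name = line.split(None, 1)
            current = sections.setdefault(f"{kind} {name}", {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    for name in sections:
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**default, **sections[name]}
    return sections

def to_seconds(value):
    """FreeS/WAN time values: 3h, 60m, 3600s or a bare number of seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def check_checkpoint_conn(conn):
    """List the guide's constraints that the connection violates (empty list = OK)."""
    problems = []
    if to_seconds(conn.get("ikelifetime", "1h")) > 480 * 60:     # chapter 1
        problems.append("ikelifetime above 480 minutes is not supported by FreeS/WAN")
    if conn.get("pfs", "yes") != "yes":                           # chapters 1 and 4.9
        problems.append("PFS must stay enabled; the tunnel only works with PFS")
    if conn.get("authby") != "rsasig":                            # chapters 3.1 and 4.5
        problems.append("authby must be rsasig to authenticate with certificates")
    if "des" in [a.strip().split("-")[0] for a in conn.get("esp", "").split(",")]:
        problems.append("single DES is not supported by FreeS/WAN; use 3des")  # chapter 4.5
    return problems
```

Run `check_checkpoint_conn(parse_ipsec_conf(open("/etc/ipsec.conf").read())["conn checkpoint"])` on the real file; an empty list means the FreeS/WAN side agrees with the Check Point settings above.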
6 Logging at Check Point, Logfile-View
Below is an excerpt from our logs after successful establishment of a VPN connection
to Pluto.
Picture A 6.1: Check Point Logfile
Log no. 0 shows the establishment of an IKE Security Association.
Log no. 1/2 shows the IKE authentication.
Log no. 3 shows the encrypted data transfer.
7 URLs
- Linux netfilter firewall: http://www.netfilter.org
- Linux IPsec stack: http://www.freeswan.org
- Certificate support for Linux IPsec: http://www.strongsec.com/freeswan/
- AES encryption for Linux IPsec: http://www.irrigacion.gov.ar/juanjo/ipsec/