InfoSecter Support Notes for CheckPoint

Supported versions

InfoSecter has been tested against CheckPoint NGX R65.

The analysis support concentrates on firewall and IPSec features. In particular InfoSecter reports may include the following classes of actions.

Gather device configurations

InfoSecter's analysis operates over a snapshot of the Check Point operational policy with respect to a particular firewall device. The Check Point Smart Center may contain firewall policies that are applied to multiple physical enforcing devices.

InfoSecter includes a program to pull a snapshot of the current configuration for a particular firewall device from the SmartCenter policy database. This tool uses the OPSEC CPMI interface to read information from the database. This tool does not write to the database, so there is no threat of corrupting the policy database while pulling a configuration snapshot. The configuration snapshot is stored in an XML file, which can then be used by the InfoSecter Executer engine.

Initializing communication

Check Point enforces an authenticated encrypted channel called Secure Internal Communications (SIC) for all communication between its components, so the InfoSecter tools must be initialized before they are allowed access to the policy database. This initialization requires actions on the firewall device, in the SmartDashboard GUI, and from the InfoSecter client machine.

On the Smart Center Server

To initialize the SIC key, you must log onto your SmartCenter Server (most likely co-located with your firewall machine), and enter the command:

    fw putkey -opsec -ssl <InfoSecter address>

This command will prompt you for an authentication key. Pick a phrase and remember it for use on the InfoSecter machine.

On SmartDashboard

Log into SmartDashboard to create a representation of InfoSecter as an OPSEC client. This will create a certificate which InfoSecter will use as proof of identity for future communication.

  1. Create a host node for the InfoSecter client machine if it is not already represented in the SmartDashboard database.
  2. Go to the Manage menu and select the OPSEC Applications entry. This will pop up a dialog box. Click the New button to create a representation of your installation of the InfoSecter application. This will drop down a list of types of applications you can create. Select OPSEC Application.... This will pop up a new dialog box.
    1. In the new dialog box, enter a name for the application, e.g. InfoSecter or InfoSecter_on_hostX.
    2. For Host, select the host object representing your InfoSecter machine.
    3. Under Client Entities click the check box next to the CPMI protocol. This is the OPSEC protocol used by InfoSecter.
    4. Click on the Communication... button. This will open another dialog box that prompts you for an Activation Key. Pick a phrase (this does not need to be the same phrase you selected on the SmartCenter), enter it twice, and click the Initialize button.
    5. Back at the OPSEC Application Properties dialog box, there is now a CPMI Permissions tab. Select that tab. Change the login credentials from the "Administrator's Credentials" to a Permissions Profile. You may need to create a new profile. This profile must provide read and write access to the Security Policy database even though InfoSecter only reads the Security Policy database.

On the InfoSecter machine

Finally, on the InfoSecter machine you can run the infosecter-checkpoint-setup.exe to complete the SIC and certification initializations you started on the firewall and in SmartDashboard. This program is located under the bin/cp directory of the InfoSecter install directory.

infosecter-checkpoint-setup.exe will display a simple dialog box composed of two parts. The top part completes the SIC initialization you started at the firewall console. In the text field labeled Smart Center Server enter the address or resolvable name for the Smart Center Server. In the text field labeled Secret Phrase enter the authentication key you entered on the Smart Center Server.

With both of these values entered, press the Initialize button. Status information will be displayed in a box under the Initialize button.

If the first step was successful, look at the bottom part of the dialog box to complete the communication initialization between InfoSecter and SmartDashboard. In the field labeled Application Name enter the name you selected for the installed InfoSecter application in SmartDashboard. In the field labeled Secret Phrase enter the activation key you created when initializing communication in SmartDashboard for the InfoSecter application. Press the pull button to pull the application certificate keys created by SmartDashboard. Status information about this step will be displayed in a text box under the pull button.

Pulling a snapshot

Assuming the initialization sequence was successful, you can use the infosecter-checkpoint-retrieve.exe application (also located in the bin/cp subdirectory of the InfoSecter install directory) to get a snapshot of the current policy for your Check Point firewall.

This application will display a dialog box. In the field labeled Smart Center Server enter the address or resolvable name of the Smart Center machine. In the field labeled CheckPoint Firewall enter the name of the firewall for which you want the policy. In the field labeled Application Name enter the name you used in the definition of the InfoSecter application installation in SmartDashboard. In the text field labeled Save in File enter the name of the XML file where you want the snapshot stored. You may use the Browse button to aid in selecting a file. In the text field labeled Debug Level, you can enter a number from 0 to 9 to display increasing amounts of debug information. If the connection is not working, the debug messages may give you some hints about the problem.

Once the fields are entered, hit the Retrieve button to start the snapshot process. The window below the buttons will show status and debug messages about the snapshot process. If the snapshot is successful, the file you identified in the Save in File field will contain information about the current configuration of the identified firewall that can be used by InfoSecter for analysis. This file may be selected in the Visualizer or Querent for analysis.