Sunday, June 7, 2009

Check Point Firewall Virtual Setup

Introduction

After using Cisco System’s PIX firewall for some time, I decided to give Check Point firewalls a go. Probably most of you might be aware of how efficient and user-friendly it is to configure Check Point ZoneAlarm firewall for endpoint security. This is exactly what you get even with their Enterprise-level products! Configuring Check Point VPN-1 NGX65 is such a breeze and its GUI never comes in the way. On the contrary, SmartDashboard, the GUI for manipulating Check Point firewalls, gives you access to advanced features with relative ease. For instance, the use of Database Revision Control allows you to revert to a previous firewall policy as easily as it is to install new ones!

In this blog, I will describe about my experience working with this firewall deployed as a VMware virtual machine and tested using a couple of Cisco routers on Dynamips, all using just two Windows XP laptops (say Laptop A & B). This is consistent with all my other postings here. This setup may provide you with the necessary hands-on experience, if you are interested in pursuing any Check Point certification (such as CCSA). This is however NOT a tutorial on how to install and configure Check Point. Instead, I aim to show how you can setup a Check Point firewall in a lab setting and see it in action filtering traffic between two networks.


Scenario

The objective of this lab is to enable Check Point VPN-1 firewall in a mostly virtual environment, but still observe the firewall in live action. Using VMware ESX 2.0, I created a virtual machine with 512 MB RAM, 15 GB disk, and mostly importantly two bridged network adapters for inside and outside access, respectively. I ensured that the bridged interface (by default vmnet0) is bridged to Laptop A’s physical NIC port.

To represent the inside network, a Cisco 3640 router is used. This router will provide Telnet as well as Http services to the outside network. To allow the interaction between the Dynamips hypervisor and the Check Point virtual machine (CPVM), I linked my NIC’s NIO device to Dynamips’s Ethernet switch S1, since CPVM is already bridged to the NIC. Also, as I will run SmartDashboard from Laptop A, I need to connect a loopback adapter to S1 as well. Some of you might have noticed that this actually places both CPVM’s inside and outside interfaces on the same broadcast domain! (Good, at least you are alert..) Here, comes the magic of VLANs! I will place the inside interface in the native VLAN 1, and assign the outside interface to VLAN 100. This completes the setup in Laptop A (consists of cpfirewall, WEB1 and S1 objects from Fig. 1).

Laptop B is physically connected to Laptop A using a crossover UTP cable (shown as a red line in Fig. 1). It is mainly used to represent the outside network to CPFW. In order to assign suitable addresses both laptop’s NICs, there are many ways to approach this. I decided to use another Cisco 3640 router as the DHCP server to run on Laptop B to dynamically assign addresses in VLAN 100 to both NICs. As before, to link router D1 to the physical NIC, I connected the appropriate NIO device to Ethernet switch S2, which is further linked to Fastethernet0/0 of the router. That is the full scenario! Phew.. It might appear a bit convoluted, but try to use the following figure to assist understanding and to visualise.


Fig.1: Network diagram for this setup (link pattern shows VLAN membership). cpfirewall runs on a VMware virtual machine.


Check Point Virtual Machine

It does not matter which virtualisation software you use to create this virtual machine. You can use anything at your disposal. I had VMware ESX 2.0 installed on my machine, so just used its VI Web Access management console to create the virtual machine, as shown in Fig. 2. For the Check Point installation, I chose the Standalone deployment, which means the firewall as well as the management application (i.e. SmartCenter Server) will be installed on the same VM.


Fig. 2: The VMware ESX management console after CPFW is created.

Before you install the firewall program, you need to have an OS installed first. You can use the standard server OSes or use Check Point’s own OS called SecurePlatform, which is a modified version of Redhat Enterprise Linux 3.0. I went with the latter option. To get access to Check Point’s software, you can download the ISO images from their website or get the evaluation CD from their office. The installation of both OS and firewall product is rather straightforward. Just follow their Getting Started Guide. It took me around an hour to complete this step. During the installation, you need to specify firewall’s host name, domain name, interface information and routing. The followings are what I used:

host name: cpfirewall
domain name: km.net
eth0 IP: 192.168.100.1/24
eth1 IP: 192.168.124.7/24

Once you have installed and bring up the firewall VM, you can now install the SmartConsole applications (GUIs for firewall configuration and tracking) on the host machine itself, NOT in the VM. Just follow the setup wizard through a series of questions to complete the installation. Before you can access the firewall configuration through SmartConsole, you need to add your host’s IP to the allowed client list on the firewall (use cpconfig and choose option 3). In Fig. 3, I have included an address range 192.168.100.1 – 30 as trusted GUI client hosts.


Fig. 3: Add a trusted client host for remote access.

When you start SmartDashboard, you will be prompted to provide login details that you have already configured during the firewall installation, as follows.


Fig. 4: SmartDashboard login window.

Dynagen .net files

To enable the inside network of the CPFW, I have used the following Dynagen setup on Laptop A.

autostart = false
ghostios = true
sparsesmem = true
mmap = true
model = 3640

[localhost:7200]
[[3640]]
image = \Program Files\Dynamips\images\C3640-JK.image
ram = 96
idlepc = 0x603bc51c
[[ROUTER WEB1]]
f0/0 = S1 1

[[ETHSW S1]]
1 = access 1
2 = dot1q 100 NIO_gen_eth:\Device\NPF_{DCF3D8E4-D5BB-4E84-A712-97D6393034B8} #NIC
3 = access 1 NIO_gen_eth:\Device\NPF_{192F6952-5AEA-4B4A-8AC0-B07086BA6FAC} #lo0

Router WEB1 will be used as the Telnet and Web server for the inside network, and linked to S1. S1 is also connected to Laptop A’s NIC port and a loopback adapter, loopback0. S1’s port 1 and 3 are on VLAN 1, whereas port 2 is a trunk port with native VLAN 100. This port is used to link to Laptop B.

As for Laptop B, a simple environment to provide DHCP service to the physical NIC of both laptops is needed. I have used a similar setup as above.

autostart = false
ghostios = true
sparsesmem = true
mmap = true
model = 3640

[localhost:7200]
[[3640]]
image = \Program Files\Dynamips\images\C3640-JK.image
ram = 96
idlepc = 0x603bc51c
[[ROUTER D1]]
f0/0 = S1 1
[[ETHSW S2]]
1 = access 100
2 = dot1q 100 NIO_gen_eth:\Device\NPF_{A91A2A20-659A-4291-8C10-E727878AEFF7} #NIC

The most important thing to note here is S2’s port 1 is in VLAN 100 and port 2 is a trunk port with native VLAN 100.


Router WEB1 Configuration in Laptop A

1. Configure IP address and bring up fa 0/0.

interface FastEthernet0/0
ip address 192.168.100.2 255.255.255.0

2. Configure a default route to CPFW, which acts the gateway for the inside network.

ip route 0.0.0.0 0.0.0.0 192.168.100.1

3. Enable DHCP service for the laptop’s loopback0 interface. I also ensured that only 1 address is available for lease. This interface will serve as the inside interface for Laptop A’s GUI access to CPFW.

ip dhcp excluded-address 192.168.100.1 192.168.100.10
ip dhcp excluded-address 192.168.100.12 192.168.100.254
!
ip dhcp pool forloopback
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1

4. Verify that the HTTP service is enabled, and then enable Telnet access.

ip http server
!
line vty 0 4
password mypass
login


Router D1 Configuration in Laptop B

1. Configure IP address and bring up fa 0/0.

interface FastEthernet0/0
ip address 192.168.124.5 255.255.255.0

2. Configure a default route to CPFW’s outside interface.

ip route 0.0.0.0 0.0.0.0 192.168.124.7

3. Enable DHCP service for both laptop’s physical NICs on VLAN 100. I ensured just two addresses are available for lease.

ip dhcp excluded-address 192.168.124.1 192.168.124.99
ip dhcp excluded-address 192.168.124.102 192.168.124.255
!
ip dhcp pool extlan
network 192.168.124.0 255.255.255.0
default-router 192.168.124.7


Check Point Firewall Configuration

To write about VPN-1 configuration is at least a book in it itself! Here, I can only discuss about the basics of object definition and their subsequent usage in the security policy creation and deployment for firewall filtering. Figure 5 depicts the SmartDashboard interface that can be used to enable remote configuration and tracking of Check Point firewalls. The screen layout shows a rather standard Windows application layout. Below the toolbars, you can see the Network Objects tree on the left and the security rules on the right. Since we are interested in the firewall features of VPN-1, these are the relevant content panes for our discussion.


Fig. 5: A screen-shot of SmartDashboard for Check Point firewall configuration.

In our scenario, we want to allow all outgoing traffic from inside network to outside, and selectively allow outside traffic inside. A rule has at least five elements, namely source, destination, service, action and track. SmartDashboard makes it very easy to create network objects, which can then be referred in the rules. In Fig. 5, you can see that there is a Check Point object for the firewall, two Nodes objects (one for Laptop B and one for router WEB1) and two Networks objects (one each for the inside and outside network addresses). To allow all outbound traffic, rule 2 is created. As you can see, the Internal object is referred in rule 2 as the source. If the internal network number is changed for whatever reason, you just need to update the Internal network object on the Network Object tree. Any reference to it in the security policy will be automatically updated! To selectively allow inbound traffic, rules 3 and 4 are created. Rule 3 allows Laptop B to access WEB1 for telnet service only, and this will be logged. Rule 4 allows all traffic from Partner_Net to WEB1 for telnet and TFTP only, which is also logged.


Configuration Verification

The setup is now complete! If you have followed all the above steps carefully, it should work. Let’s try a couple of verification steps to ensure all works as expected.

1. Verify that both NICs have received addresses from D1. On D1, execute:

WAN#sh ip dhcp bindings
Bindings from all pools not associated with VRF:
IP address Client-ID Lease expiration Type
192.168.124.100 0108.0046.bfc0.3d Mar 02 2002 12:05 AM Automatic
192.168.124.101 0100.a0d1.31f0.f5 Mar 02 2002 12:05 AM Automatic

2. From inside the CPFW virtual machine, ping both inside and outside endpoints to ensure connectivity. You can’t ping the firewall from any of the endpoints because it drops any ICMP packets sent to itself (Rule 1).

3. On Laptop B, open the browser and access WEB1 with its IP address. If firewall rules are set as above, you should see the following.


Fig. 6: Basic Web server of WEB1 as seen from Laptop B.

To verify that web access is logged as per the rule definition, open SmartView Tracker, which is a log tracking application of the SmartConsole suite. In Fig. 7, the last three lines of logs in green represent the allowed access to www.km.net web traffic from 192.168.124.100.


Fig. 7: Logs from the firewall accessed using SmartView Tracker.

4. Now, try to access a service that is not allowed from the outside network. I tried to traceroute from Laptop B to WEB1, and this is what happened:

C:\tmp>tracert 192.168.100.2

Tracing route to 192.168.100.2 over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 ^C

The firewall has dropped the traffic as expected. Check the logs and verify that Cleanup Rule has kicked in!

That’s it! I hope this assists you in your journey. I would love to hear your experience as well..

13 comments:

  1. Hi Kennedy Selvadurai

    I would like to thank you for such an informative blog. It was really a good learning experience. I would like to know more about you and the work you do. To give brief heads up, I am Saurabh Airi, working in HCL technologies as a Security Analyst.
    Please tell me something more about the Check Point Firewall ( CPFW ) configuration in a general scenario. You can also contact me at : saurabhairi.17@gmail.com. Again many thanks for such a lesson.

    ReplyDelete
  2. Very well done. Keep sharing such excellent articles. Networking Setup Melbourne

    ReplyDelete
  3. Appreicate your thoughts, Im not always in agreement, but you do cause a peron to think keep blogging!carpet cleaning adelaide

    ReplyDelete
  4. Appreicate your thoughts, Im not always in agreement, but you do cause a peron to think keep blogging!carpet cleaning adelaide

    ReplyDelete
  5. Awesome blog post nice quality .bast VPN A good VPN provider will offer servers in a large range of different countries.

    ReplyDelete
  6. Really great news!!! this information is well worth looking everyone. Good tips. I will be sharing this with all of my friends! Thank you for sharing valuable information. Events Security - My security services 1300 788 828 is security monitoring company that provides cheap venue security, business security, Office security, event security, building construction site security, crowd control services and helps to hire friendly personal security officer, security technician, private bodyguard in Sydney, Brisbane, Canberra and The Gold Coast Australia.

    ReplyDelete

  7. keep sharing your information regularly for my future reference. This content creates a new hope and inspiration with in me

    PHP Training in Chennai

    ReplyDelete
  8. No one can reject from the feature of this video posted at this web site, pleasant job, keep it all the time.

    IP phone system Singapore

    ReplyDelete
  9. It's surprising for me to have a site, which is productive in maneuvering of my knowledge. tremendously refreshing manager

    Web development singapore

    ReplyDelete
  10. My fairly long web turn upward has by the day's end been remunerated with charming understanding to discuss with my family and companions.
    Seo services with affordable price

    ReplyDelete

  11. Very informative and well written post! Quite interesting and nice topic selected for the post.
    Also checkout Security services Melbourne

    ReplyDelete