Wednesday, June 29, 2016

Gaia Embedded - includes a port scanner

Did you know Gaia Embedded includes a port scanner?



[Expert@FW1100]# /usr/bin/pscan
BusyBox v1.8.1 (2016-03-02 11:16:04 IST) multi-call binary

Usage: pscan [-p MIN_PORT] [-P MAX_PORT] [-t TIMEOUT] [-T MIN_RTT] HOST

Scan a host, print all open ports

Options:
        -p      Scan from this port (default 1)
        -P      Scan up to this port (default 1024)
        -t      Timeout (default 5000 ms)
        -T      Minimum rtt (default 5 ms, increase for congested hosts)

[Expert@FW1100]#

That's all for now. Night!

Friday, June 24, 2016

Check Point - Star VPN - HUB and Spoke VPN - To Center and Through Center of Miami

Hello everyone! Its time for another blog post from John <at> Spikefish Solutions. The last blog post contained a bit of silliness. Let me be Frank, that isn't going to stop. This write up will be a bit more technical. I ran across the need for a Hub and Spoke mode VPN with Check Point. I hit a few problems and had to get some advice from the local Check Point Diamond rep.

This guy was super knowledgeable and is a joy to work with. To protect his identity, we'll call him XML Smith.

That aside, let's make something clear. This write up is intended to be a very detailed write up on how to set up a Hub and Spoke VPN with a Check Point Firewall, which is located in Miami, FL, as the center gateway. This basically shows how Check Point Firewalls can act as a IPSec Proxy. What do I mean by IPSec Proxy?

==

What this write up is about:
The Firewalls on the outsides (Firewall A and Firewall C) don't know the remote networks don't exist on the Center Check Point Firewall. If you look closely you'll see Firewall A and Firewall C's encryption domains are not in Firewall B's encryption domain and yet we have Firewall A making a VPN to Firewall B and Firewall B making a VPN to Firewall C. What is really happening is there are 2 VPNs, but the Firewall A and Firewall C only know of a single VPN.

Something else interesting to point out is the Satellite gateways are Interoperability Devices (interop). In this demo they will be pfsense firewalls. I used this because I didn't have access to cisco devices and didn't feel like going GNS3 route. I also didn't want to use Check Point gateways to prove there was no black magic involved here.

Ok wait a sec..before moving on. The Check Point Diamond rep's name... I'm not a fan of XML. XML is a markup language that is hard for both humans and machines to parse. Let's call him JSON Smith instead. .. phew.. ok. That sounds much better. JSON Smith in Check Point Diamond is a great guy to have in your corner. Diamond is completely worth it, espically when you call them up and say come out here and upgrade P1 for me. :D

RIGHT! So let's talk lab overview. Engage network diagram (insert scifi sound here)!

Click to enlarge ( I hope ).


Network Overview

All clients: OpenBSD 5.9 (.100 address) - Default route is pointing to .1 btw
Interop Firewall A: Pfsense 2.3.1 - Release
Check Point Firewall B: Check Point R77.30 - Single Firewall + Management
Interop Firewall C: Pfsense 2.3.1 - Release
I should also point out all Firewalls have static routes for all networks listed.

I Created 5 Vlans for this (VL100 - VL 104). I used vlans off a single virtual switch for this lab. Also no devices are trunking.

The Orange cloud represents what would be the internet. The reason I'm pointing this out is it shows how you can even have a firewall on the internal network for this design.

Debugs:
All debugs have been started before passing traffic so that you can see everything.
This is all from the Check Point Firewall B in the Center of Miami.

  • TCPDUMP on eth0, eth1, eth2.
  • Firewall Monitor output
  • ike.elg - vpn debug ikeon
  • Export of all Tracker events during the passing of traffic.
Traffic for the vpn includes ping and SSH between VL100 and VL102 and a SSH attempt between VL100 and VL104.

Note: to view the ike.elg you need to download infoview from Check Point. If you don't have access call your local Check Point SE. I'm sure they'll be more then happy to get you a copy... or call Phoneboy, but make sure its like 3am in whatever timezone he is in. He loves that!


Backups:
But wait, that isn't all! I also took backups of everything! This means you can setup this in a lab and quickly restore the backups if you want! Be warned the Checkpoint Firewall in Miami Beach (ok virtual Miami Beach) backup is 128Meg. Backup links and debug files will be located at end of post so scroll all the way down if that's what you're looking for.

Also, if you are restoring the checkpoint backup you will most likely need to install an eval as the license will have expired. You'll need a central all in one eval pointing to IP 192.168.20.10. Again call your local Checkpoint SE and they will be happy to help with this if you don't have access to usercenter to generate your own eval keys.

One last quick note, the key to this config is the contents of encryption domain A and C cannot be located in encryption domain B. This is really the main configuration item to the setup and a little odd from a normal domain based VPN setup on Check point Firewall.

So let's start with the policy shall we? Here we can see ping and ssh is allowed bidirectionally from VL100 to VL102. We can also see ping is allow bidirectionally between VL100 and VL104 (this is the hub and spoke part). Nothing else is allowed. Clients are all running stock OpenBSD 5.9 and I didn't feel like setting up any other services beside SSH.



Next lets walk through the settings of Check Point Firewall B, which is our Hub and Star of our VPN. This is what you would see after double clicking Check Point Firewall B (Which is a Check Point Firewall if I didn't make that clear. I hear Check Point in Miami is a good deal also).



Here is the Topology view



Next is the IPSec VPN tab



Link Selection under that.



This is what is under the Setup button.



VPN Advanced



Firewall B encryption domain



====

Firewall A!




Firewall A Topology



Firewall A encryption domain




====

Firewall C - General



Firewall C topology



Firewall C encryption domain.




====

And here is the IPSec VPN tab configuration!



Center gateway and Satellite - Yes, the Check Point Firewall in Miami. Yes I know that's getting annoying, at least there aren't ads (cough cough yet)!



Encryption ( encryption + hashing).



And then under the Advanced tab - VPN Routing! This is where magic happens assuming you setup the encryption domains correctly. Everything else is default on the VPN Community.




Ok so that's about it for the Check Point VPN Hub and Spoke configuration examples. Everything else is default. If you want to see the other windows let me know and I'll add them, but I get the feeling there are a lot of screen shots in here already.

Lets look at logs. Notice the bounces? Those are the VPN Routing Icons that tell you magic is happening!




Debugs:
eth0.cap
eth1.cap
eth2.cap
ike.elg
Firewall_Monitor.txt
Tracker-export.txt

Backups:
backup-FirewallA.localdomain-20160624013059.xml
backup-FirewallC.localdomain-20160624013128.xml
backup_FirewallB_23_Jun_2016_18_26.tgz

Note: I haven't tried restoring any of these so please let me know if there are problems.

all logins are as follows.

User: admin
Password: vpn123

No one who worked at checkpoint can use any other login for a lib install.

Sunday, June 19, 2016

Check Point 750 - see inside!

Hi everyone! This will be a quick write up covering physical aspects of a Check Point 750. And let's face it, you want to know what's on under the case right? Who wouldn't?!?!

I won't bother with packing material, but this is the box, just like all the other pics show.

Here is the front:





And here is the back:



6 x 10/100/1000 ports on a switch + WAN and DMZ ports.
802.11 b/g/n/ac MIMO 3x3, 1 radio band: 2.4Ghz/5Ghz
2 Console ports - 1 rj45 serial port and one usb port for console.


Here are all the cables it comes with:

Note: the black rectangle is a USB -> Mini USB Console Cable.
Basically, you can use this to console into the device if you for some reason
don't already own 3 to 5 USB -> 9pin serial converts.
You may need to download drivers from checkpoint to get it working.
I'll stick with my usb console cable because it has leds and blinky lights are fun!




Here is a picture with the Antenna properly installed. 

Why did it come with an extra one?


That might not be right, I'll have to do some research on that.




Now comes the hard part. How do we open this?
As it turns out, it's a highly complicated process involving up to two screws:




Ok screws are off. The top of the case should slide forward and lift off. Now we can see the sexy hardware on the inside!








...



...


.... Oh no! It's too sexy!







Ok, remove that last bit and this is what we have.
Here is a close up of the left side of the motherboard:



And here is the right:



Not much to see really. I want to take that heat sink off but the chicken is great with this one.

Oh, I should have listed what is on the inside.

ARMv7 Processor rev 4 (v7l) (Two cores)
1GB of ram
Not sure how big the storage is yet. I'll update with info.
Busybox 1.8.1
Linux Optix-700 3.10.20-al-5.0-pr2 (haven't check if this changed with R77.20 hfa 20).

I'll follow this up with some software info shortly.

Wednesday, June 15, 2016

An open letter to Check Point: App control and scada + offline updates

Dear Checkpoint

    Over the past 90 days I have been working on testing out checkpoint's scada protections in the 1200R firewall. After seeing what is possible with just modbus at CPX Chicago, I can hardly wait to see what else can be done!

There is just one problem. App control requires internet access.*

Checkpoint's solution for application control assumes the firewall (and / or the management server?) will have internet access. This presents a major problem for scada systems of which many do not have internet access. Ok maybe some of them do, but lets ignore those for now.

So list the issues that remain stalemated.


  1. 1200R doesn't seem to support offline updates without internet access. This is what i've been told but can't verify since I can't see to get the offline update package (yet). From what I understand it has something to do with verifying the contract over the internet.
  2. You have to sign a new EULA to get access to an offline update package. Once you have something happens (magic!) and then you gain access the package. The rumblings i'm hearing is its a completely manual process to install them to the firewall. I'm guessing its a tar file.
  3. Assuming issues 1 and 2 are resolved and worked into a process for updating, how will I know when a new package is out? The app wiki has no release dates on it. I also haven't found any place to get email alert about to signatures. Could be missing something here.
  4. bonus points, why isn't there a smartupdate package I can download?

I had no idea what an uphill battle this would become. I've been working with many people on this issue. I also don't want to diminish all the help I've received, but this is a major problem that remains unresolved.

So i guess after calling this an open letter I should wrap this up.

Check Point, come on, there has to be a way to resolve this. Lets find it and move on and start generating some really interesting reports!