User-action accountability is one of the building blocks of non-repudiation in security.
In Checkpoint, nevertheless, the default (and widely used) user authentication for SSH and WebGUI sessions is local. Actually Checkpoint thought about that long ago and has been offering RADIUS authentication for users accessing SecurePlatform via SSH or WebGUI for quite a long time. I’ll put aside the discussion of why they made it a separately priced feature.
But if you have a SecurePlatform Pro license for NGX R65 or earlier, or the Advanced Networking Blade for R70 or later, then you can use it once Pro features are enabled on the SPLAT.
To help you configure this I recorded this video, so be secure and enjoy.
PS As always, feedback is welcome here as well as by email to email@example.com.
Direct link to Vimeo
SNMP version 3 has been with us for many years, but so very few Checkpoint folks use it that I decided to do this screencast/video showing how to enable and use SNMP v3 on a Checkpoint firewall. NOTE – the language of narration is Hebrew.
BTW I am thinking of posting more videos like that. All of them will be available under http://vimeo.com/yurisk
BTW2 If you have a free user account on Vimeo.com you can download the videos as files as well.
Today I’ll give you two tips to secure SSH access to the Checkpoint firewall beyond the firewall rules themselves. SSH access is the most powerful way to own the firewall, so it should be secured to a paranoid level, and even then it is never enough.
Tip 1 Change the listening port.
You may say obscurity is not security, but I do not agree – any measure that makes attacking your system harder without much burden on you is valid. After all, there is no such thing as total security, only an endless arms race. Checkpoint, being just Linux in disguise, uses the OpenSSH server, so changing the port is done by editing the listening port line in /etc/ssh/sshd_config:
NOTE: before changing the listening port, don’t forget to allow incoming connections on the new port in the firewall rules.
You change the above line to (say I want to change the port to 5022):
Then save and restart the SSH daemon:
[Expert@fireball]# service sshd restart
Now you connect to the firewall with: #ssh -p 5022 user@IP
Tip 2 Limit SSH access per user and per IP address
OpenSSH provides the possibility to restrict access for a specific user to specific IP addresses. I will look at a few potential scenarios here.
Case 1 Limit all SSH users to access from a specific network, here 220.127.116.11/24:
At the bottom of the same file, /etc/ssh/sshd_config, I add:
Save, restart the SSH daemon and this takes effect: only users coming from network 18.104.22.168/24 will be able to log in by SSH; any other source IP will always get “Wrong username or password”.
Case 2 Limit some users to access from specific IPs but allow others from any address.
Checkpoint comes with the default user admin that people often do not change, and I have concluded over the years that changing people’s bad behavior is much harder than changing firewalls. So I do this:
When both I and the client are managing the firewall, I create a username for myself, here yurisk, and restrict the username admin to the internal nets (for emergency cases) and the client’s specific IP. Here my user is yurisk, the client’s user is admin, the LAN is 10.88.88.0/24 and the client’s WAN IP is 22.214.171.124
AllowUsers firstname.lastname@example.org email@example.com.* yurisk
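As an added example that is not part of the original post, here is a small shell helper that applies both tips (the listening port and the per-user AllowUsers restriction) to an sshd_config file given as a parameter, so you can try it on a copy before touching the live /etc/ssh/sshd_config. It assumes OpenSSH’s Port and AllowUsers directives and takes the admin, yurisk and 10.88.88.0/24 values from the text; the file path, port and user list are parameters.

```shell
#!/bin/sh
# Added example, not from the original post. Applies Tip 1 (listening port)
# and Tip 2 (AllowUsers) to an OpenSSH sshd_config given as a parameter, so
# you can run it on a copy of /etc/ssh/sshd_config before touching the live one.
# Assumptions: OpenSSH "Port" and "AllowUsers" directives; the user names and
# the 10.88.88.0/24 LAN are the ones from the post.

# harden_sshd_config <file> <port> <AllowUsers value>
harden_sshd_config() {
    cfg="$1"; port="$2"; allow="$3"

    # keep a backup so a locked-out admin can roll back from the console
    cp "$cfg" "$cfg.bak" || return 1

    # drop existing Port / AllowUsers lines, commented or not, so that only
    # the values appended below are in effect (no stale directive survives)
    sed -e '/^[[:space:]]*#\{0,1\}[[:space:]]*Port[[:space:]]/d' \
        -e '/^[[:space:]]*#\{0,1\}[[:space:]]*AllowUsers[[:space:]]/d' \
        "$cfg" > "$cfg.tmp" || return 1

    printf 'Port %s\nAllowUsers %s\n' "$port" "$allow" >> "$cfg.tmp" || return 1
    mv "$cfg.tmp" "$cfg"
}

# effective_directive <file> <keyword>: prints the value of the first
# uncommented occurrence (after the helper above there is exactly one)
effective_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# Usage on the firewall (expert mode), once the rulebase already allows the
# new port to the gateway; sshd -t rejects a broken config before the restart:
#   harden_sshd_config /etc/ssh/sshd_config 5022 'admin@10.88.88.* yurisk'
#   effective_directive /etc/ssh/sshd_config Port
#   sshd -t && service sshd restart
```

Keep the console session open until you have verified a fresh login on the new port works; the .bak copy is what you restore if it does not.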
I love cheat sheets. Once I learn some product or technology to the level of understanding how it works, I find a cheat sheet with all the options to run it and keep it handy. In the case of Checkpoint firewalls such cheat sheets are pretty much absent, so from time to time I will post cheat sheets of my own here.
NB And to those claiming you need to know (read: memorize) everything, send them to the Albert Einstein quote: when asked what the speed of light is, he answered “I don’t memorize things that can be found in any reference”.
Today I’ll do VPN debug, basic stuff, no frills. But we all started somewhere.
Checkpoint VPN debug cheat sheet
Checkpoint VPN debug cheat sheet , page 1
Checkpoint VPN debug cheat sheet , page 2
Hi everyone, in this video I tell and show how to enable SCP file transfer on a Checkpoint firewall. I am beta testing it at present, therefore a bit shy to present it to a wide audience, but be sure to check back later when this idea of my site goes public. Thanks and see you soon.
Recently Checkpoint introduced a new feature on their website – AppWiki, which lists, with short but informative descriptions, lots of software they deem interesting enough.
Even more goodies – it is public. Since I learned about this cute resource I don’t wade through zillions of pages in Google for, say, a Twitter client 😉 – I go straight to Checkpoint’s AppWiki and pick the one I like. To showcase it I attach a screenshot of the website.
Thanks guys and gals and Happy New Year everyone.
Well, saying ‘present’ I was being a bit sarcastic – just another release in the NGX family, R75, is now available for download: R75 release.
So go ahead, install it, use it, enjoy its new features and bugs, and report back to the mothership.
Note At present a trial download of R75 is not available, but you can download R71.10, which isn’t that different. The usual way to go: Trial software from Checkpoint.