Checkpoint VPN-1 NG/FP3

Transcription

1 Checkpoint VPN-1 NG/FP3 Quick Start Guide Copyright CRYPTOCard Corporation All Rights Reserved

2 Table of Contents SECTION OVERVIEW... 1 PREPARATION AND PREREQUISITES...1 SECTION CONFIGURE THE CRYPTO-SERVER... 3 RADIUSPROTOCOL NAS.# KEYS...4 VERIFYING THE CRYPTO-SERVER RADIUS PROTOCOL SETTINGS...5 SECTION CONFIGURE CHECK POINT FW-1 AND VPN CONFIGURING A RADIUS PORT IN CHECK POINT FIREWALL-1 / VPN DEFINING THE RADIUS WORKSTATION IN CHECK POINT FIREWALL-1 / VPN DEFINING THE RADIUS SERVER IN FIREWALL-1/VPN ENABLING RADIUS AUTHENTICATION ON FIREWALL-1 / VPN CONFIGURING THE VPN-1 SETTINGS & IKE ENCRYPTION CREATING AN AUTHENTICATION GROUP (VPN-1) ADDING CRYPTOCARD USERS IN FIREWALL-1 / VPN CONFIGURING A GENERIC USER ENTRY CREATING A FIREWALL-1 / VPN-1 RULE SET SECTION CONNECT USING SECUREMOTE SECTION TROUBLESHOOTING TIPS For assistance mailto:support@cryptocard.com i

3 Change History Date Nov. 15, 2004 Changes Initial release For assistance ii

4 S ECTION 1 Overview Check Point FireWall-1 / VPN-1 with SecuRemote can be used to prevent unauthorized access to a network. CRYPTOCard authentication replaces username and static password with strong two-factor authentication to prevent the use of lost, stolen, shared or easily guessed password to traverse a firewall or establish a tunnel and gain access to protected resources. The following diagram illustrates the components involved in CRYPTOCard authentication. 1) End-User responds to the Firewall / VPN logon prompt by entering their logon name and CRYPTOCard generated One-time Password (OTP). 2) The Check Point FireWall-1/ VPN-1 passes the authentication request via RADIUS to CRYPTO-Server. (Alternatively Funk Steel Belted RADIUS, Cisco Secure ACS or Microsoft IAS can be configured to use CRYPTOCard authentication). CRYPTO-Server authenticates the End-user and passes a RADIUS accept message back to the Firewall/VPN. 3) Firewall-1/VPN-1 allows the connection to internal resources on receipt of the RADIUS accept message. The intent of this document is to present the necessary steps to configure Check Point FireWall-1 / VPN-1 NG FP3 and SecuRemote for use with CRYPTOCard tokens. Preparation and Prerequisites The following systems must be installed and operational prior to configuring the VPN concentrator to use CRYPTOCard authentication. For assistance mailto:support@cryptocard.com 1

5 CRYPTO-Server including CRYPTO-Protocol Server module. RADIUS Server: The VPN concentrator can be configured to use the RADIUS Server facility provided by the CRYPTO-Protocol Server module included with CRYPTO-Server 1, or use a third-party RADIUS server, such as Cisco Secure ACS 2, Funk Steel-Belted RADIUS 3, or IAS 4. CRYPTOCard user account and token: In order to authenticate to the VPN-1, a user account must exist on the CRYPTO-Server and a token must be assigned to that user. 5 VPN Client application: Check Point SecuRemote NG Client installed and configured. Ensure that the client system can connect to the concentrator before configuring the concentrator to use CRYPTOCard authentication. If the end-user wishes to use the SecurRemote Client software along with a CRYPTOCard software ( ST-1 ), smart card ( SC-1 ), or USB-dongle ( UB-1 ) token, they should also install the CRYPTOCard CRYPTOPlugin for CheckPoint VPN. 6 The following information is also required. IP Address of the RADIUS server: Port number used by the RADIUS server: Shared Secret: 1 See section 2 for details. 2 Refer to the Cisco Secure ACS QuickStart for details. 3 Refer to the Funk SBR QuickStart for details 4 Refer to the Microsoft IAS QuickStart for details. 5 Refer to the CRYPTO-Server Administrators Guide for details. 6 Refer to the SC-1/EUS and ST-1/EUS Software Token Deployment Guide for token installation instructions. For assistance mailto:support@cryptocard.com 2

6 S ECTION 2 Configure the CRYPTO-Server If you wish to use the CRYPTO-Server as your RADIUS server, you must verify that the Protocol Server is configured to accept RADIUS communications from the Check Point system. Connect to the CRYPTO-Server using the Console, and choose Server -> System Configuration & Status from the menu. In the Entity column choose RadiusProtocol. Next look at the Value corresponding to the key NAS.2. The data in this value field defines which RADIUS clients are allowed to connect to the CRYPTO-Server, and the shared secret they must use. For assistance mailto:support@cryptocard.com 3

7 RadiusProtocol NAS.# keys By default, the CRYPTO-Server is configured to listen for RADIUS requests over UDP port 1812, from any host on the same subnet, using a shared secret of testing123. You can manually define as many RADIUS clients as desired by adding NAS.# entries to the CRYPTO-Server configuration. The syntax of the data for a NAS entry is as follows: <First IP>, <Last IP>, <Hostname>, <Shared Secret>, <Perform Reverse Lookup?>, <Authentication Protocols> Where: <First IP>: The first IP address of the RADIUS client(s) configured in this NAS.# key. <Last IP>: The last IP address of the RADIUS client(s) configured in this NAS.# key. If only one IP address is defined by a NAS.# key, the <First IP> and <Last IP> will be the same. <Hostname>: Only applies in cases where the NAS.# key is for one host. Required for performing reverse lookup. <Shared Secret>: A string used to encrypt the password being sent between the CRYPTO-Server and the RADIUS client (i.e. the Check Point VPN/Firewall). You will need to enter the exact same string into the Check Point configuration in Section 3. The <Shared Secret> string can be any combination of numbers and uppercase and lowercase letters. <Perform Reverse Lookup?>: An added security feature of the CRYPTO-Server is its ability to verify the authenticity of a RADIUS client by cross-checking its IP address with the Domain Name Server. If this value is set to true, when the CRYPTO-Server receives a RADIUS request from the RADIUS client defined by this NAS.# entry, it sends a request to the DNS using the hostname set in the NAS.# entry. The DNS should respond with the same IP address as configured in the NAS.# entry, otherwise the CRYPTO-Server assumes that the RADIUS packet is coming from some other host posing as the RADIUS client, and ignores the request completely (also known as a man in the middle attack). <Authentication Protocols>: Many different authentication protocols can be used during RADIUS authentication. Common examples are PAP, CHAP,MS-CHAP and EAP. This setting determines which authentication protocols the CRYPTO-Server will allow from a given RADIUS client. Currently PAP and CHAP are the only available authentication protocols for RADIUS clients. NOTE: After changing or adding a NAS.# entry, click the Apply button. For assistance mailto:support@cryptocard.com 4

8 Verifying the CRYPTO-Server RADIUS Protocol Settings The RADIUSProtocol.dbg log 7 on the CRYPTO-Server will include information about its RADIUS configuration. Each time the Protocol Server starts, the following information is logged: Adding IP range to to ACL with reverse lookup set to false Adding IP range to to ACL with reverse lookup set to false RADIUS protocol has established link with EJB server at jnp:// :1099 RADIUS Receiver Started: listening on port 1812 UDP. RADIUS Receiver Started: listening on port 1813 UDP. This example indicates that the CRYPTO-Server is listening for RADIUS requests on UDP port 1812 (for authentication) and 1813 (for accounting), and RADIUS clients within the IP range of to As well, no reverse lookup is being performed. 7 See Section 7 Troubleshooting Tips for the location of the RADIUSProtocol.dbg file For assistance mailto:support@cryptocard.com 5

9 Section 3 Configure Check Point FW-1 and VPN-1 The following steps are required to complete the configuration of the FW-1 and VPN-1. Define a RADIUS Workstation Define a RADIUS Server Configure the RADIUS server port Enable RADIUS Authentication. Configuring the VPN-1 settings & IKE Encryption Create an authentication group. Add CRYPTOCard users in FireWall-1/VPN-1 Configure the Rule Set. Configuring a RADIUS port in Check Point FireWall-1 / VPN-1 Check Point FireWall-1 / VPN-1 and the RADIUS Server need to be configured to use the same port so they can exchange RADIUS packets. By default Firewall-1 uses port The RADIUS standards group has since changed this value to port 1812 as the official RADIUS port. Newer O/S releases have implemented the 1812 port number for RADIUS. CRYPTO-Server 6.1, Funk Steel Belted RADIUS, and Cisco Secure ACS may be configured to use any port. Please check your RADIUS configuration to determine the RADIUS port you are using for your RADIUS Server, and configure the RADIUS port in FireWall-1 to match the value on the RADIUS Server. For assistance mailto:support@cryptocard.com 6

10 Defining the RADIUS Workstation in Check Point FireWall-1 / VPN-1 On the machine with Check Point FireWall-1 / VPN-1, define the IP address of the RADIUS Server. This should be on the system that CRYPTO-Server 6.1 was installed on, in this case the IP is From the Check Point SmartDashboard, select Network Objects from the Manage Menu. Click New, select Node, and then click Host. Under General Properties, enter the Host Node Properties: Name, IP Address of RADIUS Server, Comment, and Color. Click OK then Close. Defining the RADIUS Server in FireWall-1/VPN-1 From the system running Check Point FireWall-1 / VPN-1, you need to define the machine which has your RADIUS Server installed on it. From the Check Point SmartDashboard, open the Manage Menu and choose Servers. In the Servers window, click New, and then select RADIUS. Define your RADIUS Server Properties: Name, Comment, Color, Host (this should be the Host Node you defined in the previous section), Service (NEW-RADIUS may be selected if the RADIUS server is using port 1812), Shared Secret, and Version. Click OK, and then Close. For assistance mailto:support@cryptocard.com 7

11 Click the Policy menu then choose Install. The Shared Secret entered above must match the Shared Secret that is defined on the actual RADIUS server. See Configure the CRYPTO-Server for details. When choosing your RADIUS protocol version, you can select either RADIUS Version 1.0 or RADIUS Version 2.0. Both will work with CRYPTO-Server 6.1. Enabling RADIUS Authentication on FireWall-1 / VPN-1 From the Check Point SmartDashboard, go to the Manage Menu and choose Network Objects. Select the FireWall-1 / VPN-1 object (in this case it s win2k-8) and click Edit. Under General Properties, select Authentication then verify the boxes to the left of VPN-1 & FireWall-1 Password and RADIUS are checked. For assistance mailto:support@cryptocard.com 8

12 For assistance 9

13 Configuring the VPN-1 settings & IKE Encryption The following steps allow the SecuRemote endusers to download the VPN-1 topology from the FireWall, and to encrypt connections to the Inside network. From the FireWall-1 / VPN-1 network object, under General Properties choose VPN then select your VPN Community (RemoteAccess), click Traditional mode configuration. Make sure to place a check in the box next to Exportable for SecuRemote/SecureClient. Note: If the FireWall-1 is in the Remote Access community already then this check box is checked and cannot be unchecked. In the VPN section under General Properties verify that a Certificate exists in the Certificate List. Verify that Hybrid Mode Authentication has been enabled. Select Policy, Global Policy, Remote Access, VPN Basic. Under Support authentication methods verify that Hybrid Mode has been checkmarked. For assistance mailto:support@cryptocard.com 10

14 Creating an Authentication Group (VPN-1) From the Manage Menu, select Users and Administrators then click New and select Group. This group will be used to reference all users being authenticated by CRYPTO-Server 6.1. In the Group Properties box enter the: Name, Comment, and Colour for the group. Click OK. Adding CRYPTOCard Users in FireWall-1 / VPN-1 CRYPTOCard token users can be configured to use RADIUS authentication in two methods on FireWall-1 / VPN-1. Each CRYPTOCard token user can be added to the FireWall-1 / VPN-1 database individually, or a generic user entry can be configured. Use the method that best meets your network authentication requirements. In the Check Point SmartDashboard, select Users and Administrators from the Manage Menu. Click New, then Template. In the User Template Properties dialog box, under the General Tab, define the Login Name. Click the Personal Tab to define the Expiration Date, Comment, and Color. For assistance mailto:support@cryptocard.com 11

15 Click on the Groups Tab. Select the SecuRemote group created previously and click the Add button. Click on the Authentication Tab and define the Authentication Scheme as RADIUS, and select the RADIUS Server you just created in the previous section. Click the Location Tab and Time Tab to define these settings as per your network security policy. Select the Encryption Tab and check the box to the left of IKE. Click the Edit button to configure the IKE Encryption settings. Select the Encryption Tab to validate the Encryption Algorithm. Click the Install button to add the user to the FireWall-1 user database. Close the Users and Administrators dialog box. For assistance 12

16 Configuring a Generic User Entry From the Users and Administrators window, click New, External User Profile then choose Match all users. In the External User Profile Properties window, select the VPN tab then add the appropriate Group. On the Authentication tab choose RADIUS as the Authentication Scheme then select the RADIUS Server. Select the Encryption tab and place a checkmark in IKE. For assistance mailto:support@cryptocard.com 13

17 Creating a FireWall-1 / VPN-1 Rule Set Below is an example of two simple rule sets that will require users to authenticate with CRYPTOCard tokens. Configure the rule sets as per your network requirements. The first rule states that anyone in the group External is must be Authenticated to be able to use HTTP, FTP, or Telnet. Authentication may be via RADIUS or FireWall-1 s internal database. The second rule has the SecuRemote group that contains users configured to use RADIUS as their authentication method when using the FTP, HTTP, or Telnet services. Once you have established your rules, connect to the service using a CRYPTOCard username and response generated from your token. For assistance mailto:support@cryptocard.com 14

18 Section 4 Connect using SecuRemote After installing SecuRemote /Secure Client and configuring it to connect to the VPN-1 / FW- 1 gateway, the end-user will be able to connect to the gateway using their CRYPTOCard token. Using the connection configured above, launch the SecuRemote connection. Enter the CRYPTOCard username. Generate a One-Time-Password from the CRYPTOCard token. Enter that One-Time-Password in the password field, and click OK. Once the VPN-1 / FW-1 gateway has verified the username and password with the CRYPTO-Server, the secure tunnel will be established. For assistance mailto:support@cryptocard.com 15

19 Section 5 Troubleshooting Tips If you are experiencing continuous authentication failures, check the CRYPTO-Server RADIUS authentication log ( RADIUSProtocol.dbg ), found in \ Program Files \ CRYPTOCard \ CRYPTO-Server\bin directory. If you encounter a problem that cannot be solved using the tips above, contact support@cryptocard.com or call us at (800) or , Monday through Friday 8:30 am to 5:00 pm EST. For assistance mailto:support@cryptocard.com 16