Implementation Guide for protecting CheckPoint Firewall-1 / VPN-1 with BlackShield ID

Copyright 2009 CRYPTOCard Inc.
http://www.cryptocard.com
Copyright

Copyright 2009, CRYPTOCard. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.

Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
support@cryptocard.com

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

Publication History

Date              Changes                 Version
January 26, 2009  Document created        1.0
July 9, 2009      Copyright year updated  1.1

BlackShield ID implementation guide for CheckPoint Firewall-1/VPN-1 i
Table of Contents

Overview ... 1
  Applicability ... 1
  Assumptions ... 1
  Operation ... 1
Preparation and Prerequisites ... 2
Configuration ... 2
  Defining the RADIUS server object ... 2
  Defining the RADIUS Server ... 3
  Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption ... 5
  Creating an Authentication Group (VPN-1) ... 8
  Adding CRYPTOCard Users in FireWall-1 / VPN-1 ... 9
  Configuring a Generic User Entry ... 12
  Creating a FireWall-1 / VPN-1 Rule Set ... 14
Troubleshooting ... 14
  Failed Logons ... 14
  Additional information ... 14
Overview

By default, CheckPoint VPN connections require that a user provide a correct user name and password to log on successfully. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token.

Applicability

This integration guide is applicable to:

Security Partner Information
  Security Partner:          CheckPoint
  Product Name and Version:  Firewall-1 / VPN-1
  Protection Category:       Remote Access

CRYPTOCard Server
  Authentication Server:     BlackShield ID
  Version:                   Small Business Edition 1.2+, Professional Edition 2.3+

Assumptions

BlackShield ID has been installed and configured, and a test user account can be selected in the Assignment tab. No further configuration is required to allow a user to use their token with this solution.

Operation

The CheckPoint Firewall-1 or VPN-1 server sends all RADIUS authentication requests to the BlackShield ID server. The BlackShield ID server then returns a message that either allows or rejects the connection.
Preparation and Prerequisites

1. RADIUS server installed, e.g. Microsoft Internet Authentication Service (IAS).
2. Appropriate BlackShield ID plug-in installed on the RADIUS server.

Configuration

Defining the RADIUS server object

1. Log in to the CheckPoint management console. Refer to the CheckPoint documentation for instructions on performing this step.
2. From the CheckPoint SmartDashboard, select Manage > Network Objects.
3. Click New, select Node, and then click Host.
4. Under General Properties, enter the Host Node Properties:
   a) Name
   b) IP Address of the Microsoft IAS Server
   c) Comment
   d) Color
5. Click OK, then Close.
Defining the RADIUS Server

Once the network object for the RADIUS host has been created, a RADIUS server that references that object must be defined so that the firewall knows where to send authentication requests.

1. From the Check Point SmartDashboard, select Manage > Servers.
2. From the Check Point SmartDashboard, select Manage > Servers.
3. Define your RADIUS Server Properties:
   a) Name
   b) Comment
   c) Color
   d) Host (this should be the Host Node you defined in the previous section)
   e) Service (NEW-RADIUS should be selected)
   f) Shared Secret
   g) Version

   NOTE: The Shared Secret entered above must match the Shared Secret that is defined on the RADIUS server. When choosing your RADIUS protocol version, select RADIUS Version 2.0.

4. Click OK, and then Close.
5. Click the Policy menu, then click Install.

Applying RADIUS Authentication

1. From the Check Point SmartDashboard, click Manage > Network Objects.
2. Select the FireWall-1 / VPN-1 object (in this case it's win2k-8) and click Edit.
3. Under General Properties, select Authentication, then verify that the boxes to the left of VPN-1 & FireWall-1 Password and RADIUS are checked.

Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption

The following steps allow SecuRemote end-users to download the VPN-1 topology from the FireWall and to encrypt connections to the Inside network.

1. From the FireWall-1 / VPN-1 network object, under General Properties choose VPN.
2. Select your VPN Community (RemoteAccess).
3. Click Traditional mode configuration.
1. Place a check in the box next to Exportable for SecuRemote/SecureClient.

   Note: If the FireWall-1 is already in the Remote Access community, this check box is checked and cannot be unchecked.

2. In the VPN section under General Properties, verify that a Certificate exists in the Certificate List.
3. Verify that Hybrid Mode Authentication has been enabled: select Policy > Global Policy > Remote Access > VPN Basic.
4. Under Support authentication methods, verify that Hybrid Mode has been check-marked.
Creating an Authentication Group (VPN-1)

1. From the Manage menu, select Users and Administrators, then click New and select Group. This group will be used to reference all users being authenticated by BlackShield ID.
2. In the Group Properties box, enter the:
   a) Name
   b) Comment
   c) Colour
3. Click OK.
Adding CRYPTOCard Users in FireWall-1 / VPN-1

CRYPTOCard token users can be configured to use RADIUS authentication on FireWall-1 / VPN-1 in one of two ways. Each CRYPTOCard token user can be added to the FireWall-1 / VPN-1 database individually, or a generic user entry can be configured. Use the method that best meets your network authentication requirements.

1. In the Check Point SmartDashboard, select Manage > Users and Administrators. Click New, then Template.
2. In the User Template Properties dialog box, under the General tab, define the Login Name. (See the screen-shot example on the next page.)
3. Click the Personal tab to define the Expiration Date, Comment, and Color.
4. Click on the Groups tab.
5. Select the SecuRemote group created previously and click the Add button.
6. Click on the Authentication tab and define the Authentication Scheme as RADIUS.
7. Select the RADIUS Server you created in the previous section.
8. Click the Location tab and Time tab to define these settings as per your network security policy.
9. Select the Encryption tab and check the box to the left of IKE.
10. Click the Edit button to configure the IKE Encryption settings.
11. Select the Encryption tab to validate the Encryption Algorithm.
12. Click the Install button to add the user to the FireWall-1 user database.
13. Close the Users and Administrators dialog box.
Configuring a Generic User Entry

1. From the Users and Administrators window, click New > External User Profile, then choose Match all users.
2. In the External User Profile Properties window, select the Groups tab, then add the appropriate Group.
3. On the Authentication tab, choose RADIUS as the Authentication Scheme, then select the RADIUS Server.
4. Select the Encryption tab and place a checkmark in IKE.
Creating a FireWall-1 / VPN-1 Rule Set

Below is an example of two simple rule sets that require users to authenticate with CRYPTOCard tokens. Configure the rule sets as per your network requirements.

Troubleshooting

Failed Logons

Symptom: Authentication using the VPN client is rejected.

Possible causes:
- Verify that the shared secret is identical on both the RADIUS server and the CheckPoint Firewall-1 / VPN-1.
- Ensure that the BlackShield IAS NPS Agent has been installed and configured properly.
- Verify that the token is in sync with BlackShield ID.

Additional information

For additional information, please visit http://www.cryptocard.com
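The Operation section and the first troubleshooting item both come down to the RADIUS exchange between the firewall (the RADIUS client) and the authentication server, and to the shared secret that binds the two. The following Python script is an added illustration, not code from CRYPTOCard or Check Point: it builds an Access-Request as RFC 2865 defines it, plays the role of a simplified authentication server that checks the one-time password against a constructed table (a stand-in for BlackShield ID's real token validation), and then has the firewall side verify the Response Authenticator. With matching secrets a valid OTP yields Access-Accept and a wrong OTP yields Access-Reject; with mismatched secrets the server cannot recover the password and, more importantly, the firewall cannot verify the reply and must discard it, which the VPN client experiences as a rejected logon. The user name, OTP values and secrets are constructed sample data.

```python
import hashlib
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-in for the authentication server's token state:
# user name -> the one-time password currently expected for that token.
VALID_OTPS = {"alice": b"123456"}


def _attr(attr_type, value):
    """Encode one attribute as Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_password(password, secret, request_auth):
    """Obfuscate User-Password as in RFC 2865 section 5.2: pad to a multiple of
    16 bytes, then XOR each block with MD5(secret + previous block), where the
    'previous block' for the first block is the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def decrypt_password(ciphertext, secret, request_auth):
    """Reverse encrypt_password; the keystream chains on the ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth):
    """Firewall side: Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data):
    """Walk the TLV attribute list into a {type: value} dictionary."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_response(code, request, secret, attrs=b""):
    """Server side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """Firewall side: recompute the Response Authenticator with the local secret;
    a reply that does not verify must be silently discarded (RFC 2865 section 3)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and expected == response[4:20]


def authentication_server(request, secret, valid_otps):
    """Simplified authentication server (hypothetical stand-in for BlackShield ID):
    decrypt the password and compare it with the expected OTP for that user."""
    attrs = parse_attrs(request[20:])
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    otp = decrypt_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    accepted = valid_otps.get(user) == otp
    return build_response(ACCESS_ACCEPT if accepted else ACCESS_REJECT, request, secret)


def run_exchange(firewall_secret, server_secret, username, otp):
    """Drive one request/response round trip and report what the firewall concludes:
    'accept', 'reject', or 'discarded' when the reply fails Response Authenticator
    verification (the shared-secret mismatch case from the troubleshooting list)."""
    request = build_access_request(7, username.encode(), otp.encode(),
                                   firewall_secret, os.urandom(16))
    response = authentication_server(request, server_secret, VALID_OTPS)
    if not verify_response(response, request, firewall_secret):
        return "discarded"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}[response[0]]


if __name__ == "__main__":
    print("matching secrets, valid OTP :", run_exchange(b"s3cret", b"s3cret", "alice", "123456"))
    print("matching secrets, wrong OTP :", run_exchange(b"s3cret", b"s3cret", "alice", "000000"))
    print("mismatched shared secret    :", run_exchange(b"s3cret", b"other", "alice", "123456"))
```

The third case is the one worth remembering when reading the troubleshooting list: a secret mismatch does not produce a clean Access-Reject that the firewall can act on, because the firewall cannot authenticate any reply the server sends, so it behaves as if the RADIUS server never answered. Checking the shared secret on both sides therefore belongs first in the diagnosis, before looking at the agent installation or token synchronisation.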