eTrust™ Audit 1.5
Using the Recorder for Check Point FireWall-1
This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (“CA”) at any time.
This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies.
This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed.
To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage.
The use of any product referenced in this documentation and this documentation is governed by the end user’s applicable license agreement.
The manufacturer of this documentation is Computer Associates International, Inc.
Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.
© 2002 Computer Associates International, Inc.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contents
Chapter 1: Introducing the Recorder for Check Point FireWall-1
Information Flow ... 1-1
Chapter 2: Installation Requirements
System Hardware Requirements ... 2-1
System Software Requirements ... 2-1
Chapter 3: Installing the Recorder for Check Point FireWall-1
Information to Consider ... 3-1
Before You Begin the Installation ... 3-2
Configuring the Check Point FireWall-1 Servers ... 3-2
Information You Need to Collect ... 3-2
Installing in a Windows Environment ... 3-3
Installing the Recorder for Check Point FireWall-1 ... 3-3
Installing Other Features Automatically ... 3-8
Installing in a Solaris Environment ... 3-9
Installing the Recorder for Check Point FireWall-1 ... 3-9
Upgrading the Data Tools ... 3-10
Appendix A: Configuration Values
Registry Keys and .ini File ... A-1
Appendix B: Technical Information
OPSEC Connection Types ... B-1
Configuring Check Point FireWall-1 Servers ... B-2
Chapter 1: Introducing the Recorder for Check Point FireWall-1
The eTrust™ Audit Recorder for Check Point FireWall-1 is an add-on component of the eTrust Audit Client. The Recorder for Check Point FireWall-1 receives events from Check Point FireWall-1 using the OPSEC (Open Platform for Security) protocol, and sends the events to the Audit Router using the SAPI protocol. OPSEC is Check Point’s application programming interface (API).
eTrust Audit can already receive Check Point FireWall-1 log events using SNMP traps. However, SNMP traps provide only a subset of the audit information generated by Check Point FireWall-1. More detailed information, with delivery guaranteed, can be received from Check Point FireWall-1 using the OPSEC LEA (Log Export) API. This enables a third party application to securely receive both real-time and historical auditing log data generated by Check Point VPN-1 and Check Point FireWall-1.
Information Flow
The Recorder for Check Point FireWall-1 can be installed on the same host where the Check Point FireWall-1 server runs, or on another host. To receive data from Check Point FireWall-1 servers, the Recorder for Check Point FireWall-1 connects to the Check Point LEA server using the OPSEC protocol. After message parsing, the Recorder for Check Point FireWall-1 sends the messages to the Audit Router using the SAPI protocol. The information flow from here onward is the same as in the eTrust Audit Client: the filtered events are sent to the Audit Router queue, which sends them to the Action Manager. According to the actions defined for each event, you can view the filtered information with the eTrust Audit Data Tools, or have other actions executed.
For more information about the information flow in the eTrust Audit Client, see the Administrator Guide.
The following diagram shows the basic information flow between the Recorder for Check Point FireWall-1 and the various components of eTrust Audit:
[Diagram: information flow. The Check Point FireWall-1 Server sends data to the Recorder for Check Point FireWall-1 over the OPSEC protocol; the Recorder sends messages over the SAPI protocol to the Audit Router and its Filter; filtered events go to the Action Queue Router and the Action Manager, whose actions include SNMP, E-mail, File, Program, Screen, Unicenter, Security Monitor, Action Monitor, Other Actions, and the Collector, which stores events in the Event Database read by the Data Tools (Reporter and Viewer).]
The eTrust Audit Viewer has specific SQL queries for Check Point FireWall-1 provided as ASCII files.
Tip: You can edit the SQL queries in the Filter by Events dialog in the eTrust Audit Viewer.
Chapter 2: Installation Requirements
The following sections list the hardware and software needed to install the Recorder for Check Point FireWall-1.
Note: The installation of the Recorder for Check Point FireWall-1 only adds the component to the already installed eTrust Audit product.
System Hardware Requirements
You need the following hardware to install the Recorder for Check Point FireWall-1:
For installation in a Windows environment:
■ Pentium III or higher
■ 64 MB RAM or higher
■ 12 MB free disk space
■ TCP/IP
For installation in a Solaris environment:
■ 64 MB RAM or higher
■ 12 MB free disk space
■ TCP/IP
System Software Requirements
To install the Recorder for Check Point FireWall-1, you need the following installed in your host:
■ Operating systems
– Microsoft Windows NT SP5 or SP6
– Microsoft Windows 2000 SP1, SP2, or SP3
– Microsoft Windows XP
– Solaris 2.51, 2.6, 2.7, 8 or 9
■ eTrust Audit v1.5 SP1
Chapter 3: Installing the Recorder for Check Point FireWall-1
The installation of the Recorder for Check Point FireWall-1 consists of the following:
■ The addition of the component to the already installed eTrust Audit product
■ Updates to the eTrust Audit components found on the host
You can install the Recorder for Check Point FireWall-1 in a Windows environment and in a Solaris environment.
Information to Consider
You should take into consideration the following:
■ The Recorder for Check Point FireWall-1 supports Check Point FireWall-1 version 4.1.2, and NG (v.5.0) with the authenticated connection types supported in 4.1.2.
■ Recorder for Check Point FireWall-1 values that have no direct match to database or Security Monitor fields are concatenated in the message text field and shown as details. The maximum size of the information field is 512 bytes.
■ The new policies for the eTrust Audit Policy Manager are appended to the eTrust Audit Policy Manager database during the installation process.
■ The specific filters (DB queries) for the Check Point FireWall-1 events cannot be created with the existing eTrust Audit Viewer. These queries are provided as external files containing SQL queries, which you can edit manually in the Filter by Event dialog in the eTrust Audit Viewer.
■ The specific reports for Check Point FireWall-1 events are added during the installation process.
Before You Begin the Installation
Before you begin the installation of the Recorder for Check Point FireWall-1, verify your site has the hardware and software requirements detailed in Chapter 2 “Installation Requirements”. Then, ensure you:
■ Configure the Check Point FireWall-1 servers
■ Collect specific information about the Check Point FireWall-1 servers you want to audit.
You need Acrobat Reader to open the PDF file after installation. Free download is available from www.acrobat.com.
Configuring the Check Point FireWall-1 Servers
You need to configure the Check Point FireWall-1 server or servers that you want to audit. For information about configuration, see Appendix B.
Information You Need to Collect
Before you install the Recorder for Check Point FireWall-1, we recommend you collect useful information about the Check Point FireWall-1 server or servers you want to audit. The following sections will help you organize yourself.
Server Details
Have the following information for each Check Point FireWall-1 server you want to audit:
■ Logical name
■ Host name or IP address
■ OPSEC port number
Tip: Look for the OPSEC port number in the fwopsec.conf file, which is located in the installation path under FW1\conf.
Connection Types
Choose the OPSEC connection type to use between the Recorder for Check Point FireWall-1 and each of the Check Point FireWall-1 servers. Define for each server you want to audit the connection type you will assign it during installation. For information about connection types, see Appendix B.
Log Types
Choose the log types for the Check Point FireWall-1 servers you want to audit: secure to audit system-related events, and account to audit user-related events. You can choose one type, both, or none. If you choose none, that server will not audit events.
Installing in a Windows Environment
eTrust Audit Setup detects the eTrust Audit components (Client, Policy Manager, and Data Tools) installed on the host where it is running, and presents options accordingly. During installation, you can perform one of these actions on that host:
■ Install the Recorder for Check Point FireWall-1 when the eTrust Audit Client is found on the host.
■ Install eTrust Audit filters and reports when the eTrust Audit Tools are found on the host.
■ Install eTrust Audit policies when the eTrust Audit Policy Manager is found on the host.
Note: You can install the Recorder for Check Point FireWall-1 only on a host where eTrust Audit Client 1.5 SP1 is installed. You need to have administrative privileges on this host.
Installing the Recorder for Check Point FireWall-1
This section describes the installation process that takes place when eTrust Audit Setup finds the eTrust Audit Client on a host.
The eTrust Audit Client can reside alone on a host, with either the eTrust Audit Policy Manager, or the eTrust Audit Data Tools, or with both the Policy Manager and the Data Tools. eTrust Audit Setup provides features to install on each host according to the components it has.
To show all the possible features eTrust Audit Setup provides, the installation process described in this section is for a host with the three eTrust Audit components (Client, Policy Manager and Data Tools). On a host without a Client, eTrust Audit Setup can automatically install a subset of these features. For a description of this subset, see the section Installing Other Features Automatically.
Follow these steps to install the Recorder for Check Point FireWall-1:
1. To start eTrust Audit Setup, run the file eau151_fw1.exe located in your product CD. After the Welcome window, the Features to Install window appears. The installation of the Recorder for Check Point FireWall-1 on the host is optional. The mandatory features cannot be unchecked.
2. To install the Recorder for Check Point FireWall-1, check Recorder service, then click Next. The Recorder Service Configuration window is displayed.
3. Click Add to specify the Check Point FireWall-1 server or servers you want to audit. The New Server window is displayed.
4. Enter the information about the server: logical name, host name or IP address, and OPSEC port. Choose a connection type from the drop-down list. Both log types are checked by default. If necessary, uncheck the log type you do not need. You can also disable auditing of the server. Click OK. You are brought back to the Recorder Service Configuration window.
Tip: You can modify the details of any server in your list with the Edit button in the Recorder Service Configuration window. You can also remove servers from your list with the Remove button.
5. Repeat the previous two steps for every server you want to audit. When you finish adding servers, click Next. The Recorder Service Administration window is displayed.
For information about the different ways of starting the service manually, see the Administrator Guide.
6. Click Next. The Start Installation window is displayed.
7. If you are satisfied with the settings, click Continue. eTrust Audit Setup starts copying the program files.
Note: The Recorder for Check Point FireWall-1 and the configuration update are installed in the path where eTrust Audit is currently installed. No system files or other kind of files are installed outside this path.
You are now prompted to start the service:
8. Choose whether to start the service. The Documentation Options window is displayed.
9. Choose whether to open the readme file and to copy the PDF file to the installation directory. Then click Finish to complete the installation process.
Installing Other Features Automatically
This is the subset of features eTrust Audit Setup can install automatically on a host without an eTrust Audit Client. This is all the information eTrust Audit Setup needs to start copying the program files.
The features appear as follows in the Features to Install window:
Components Found on the Host, and the Features Automatically Installed:
eTrust Audit Policy Manager: New Check Point FireWall-1 policies, and updates to core components files and configuration.
eTrust Audit Data Tools: New Check Point FireWall-1 filters and reports, and updates to core components files and configuration.
eTrust Audit Policy Manager and eTrust Audit Data Tools: New Check Point FireWall-1 policies, filters and reports, and updates to core components files and configuration.
Installing in a Solaris Environment
The installation process detects the eTrust Audit components installed on the host where it is running, and presents options accordingly. During installation, you can perform one of these actions on each host:
■ To install the Recorder for Check Point FireWall-1 when the eTrust Audit Client is found on the host (residing alone or with the eTrust Audit Data Tools)
■ To upgrade the eTrust Audit Data Tools when the eTrust Audit Client is not found on the host.
Note: You can install the Recorder for Check Point FireWall-1 only on a host where the eTrust Audit Client 1.5 is installed. You must have root authority to invoke the installation script.
Installing the Recorder for Check Point FireWall-1
This section describes the installation process for a host with an eTrust Audit Client.
1. From the installation directory, run the following script:
./install_eAuditFW1Rec
When only the eTrust Audit Client resides on the host, or both the eTrust Audit Client and the eTrust Audit Data Tools, you are prompted to upgrade:
Looking for previous installations of eTrust Audit … Found eTrust Audit Client.
Do you want to upgrade it? [y/n]
or:
Looking for previous installations of eTrust Audit … Found both eTrust Audit Client and eTrust Audit Data Tools.
Select the components you want to upgrade:
1 - Data Tools
2 - Client and Data Tools :
2. Choose the upgrade you need for the host. After several messages about calculations and configuration, you are prompted to enter information about the servers:
Enter the Check Point FireWall-1 servers information one by one, terminating with CTRL-D or your EOF.
Server logical name:
Host name or IP address:
Connection port:
Select OPSEC connection type:
1 - Clear connection
2 - Authenticated and encrypted connection using SSL
3 - Authenticated connection using SSL
4 - Authenticated connection (Check Point proprietary) :
Secure log [y/n]:
Account log [y/n]:
Server logical name:
3. Enter the information for the first server. You are immediately prompted to enter information for another server. If you need to configure additional servers, continue entering information. Otherwise, press Enter to exit the prompt and continue with the installation process. Several messages appear on screen reporting the status of the installation process. You are then prompted with the following message:
Would you like to start the eTrust Audit Recorder for Check Point Firewall-1 daemons right now? [y/n]: (y)
4. Choose whether to start the program. You are now prompted:
Do you want to view the eTrust Audit Recorder for Check Point FireWall-1 Readme.txt file? [y/n]: (y)
5. Choose whether to view the readme file. You are prompted as follows:
Do you want to copy the PDF guide to the installation directory? [y/n] (y)
6. Choose whether to copy the PDF file.
A message informs you that the installation is completed.
Tip: If you need to configure additional servers after the installation, you can either edit the eaudit.ini file, which is updated during the installation, or edit the Registry.
Upgrading the Data Tools
This section describes the upgrade procedure for a host without an eTrust Audit Client.
When the installation process finds only the eTrust Audit Data Tools on the host, you can upgrade them so that the Audit Collector receives Check Point FireWall-1 events.
1. From the installation directory, run the following script:
./install_eAuditFW1Rec
You are prompted to upgrade the eTrust Audit Data Tools as follows:
Found eTrust Audit Data Tools.
Do you want to upgrade them? [y/n]
2. Choose whether to upgrade. If you choose yes, you are prompted:
Do you want to view the eTrust Audit Recorder for Check Point FireWall-1 Readme.txt file? [y/n]: (y)
3. Choose whether to display the readme file. You are now prompted:
Do you want to copy the PDF guide to the installation directory? [y/n] (y)
4. Choose whether to copy the PDF file.
A message informs you that the upgrade is completed.
Appendix A: Configuration Values
After installation, the configuration values of the Recorder for Check Point FireWall-1 are kept in the Registry on a Windows environment, or in a configuration file on a Solaris environment. Check Point FW-1 is the name of the new Registry key or the new configuration file section.
Registry Keys and .ini File
In a Windows environment, the Registry keys are located under:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit
In a Solaris environment, the configuration file eaudit.ini is located in the directory:
/usr/eaudit/ini
The configuration information is the same in both environments, with the following terminology and syntax considerations:
■ A Registry key name in the Windows environment corresponds to a section title in the configuration file in the Solaris environment.
■ A backslash “\” in the Windows environment corresponds to a slash “/” in the Solaris environment.
The following list shows the specific configuration parameters of the Recorder for Check Point FireWall-1, each with its type, default value, and comments. ServerName stands for data entered during installation (shown in italic in the printed guide):
Client\Recorders\Check Point FW-1 (Key, default N/A): New key for the Recorder for Check Point FireWall-1.
Client\Recorders\Check Point FW-1\DatFilePath (String, default dat\recorders\fw.dat): The Recorder for Check Point FireWall-1 uses this file internally. This location must not be changed.
Client\Recorders\Check Point FW-1\MPFile (String, default cfg\fw.mp): Mapping file used for parsing received messages.
Client\Recorders\Check Point FW-1\SendInterval (DWORD, default 10): The time, in seconds, that the service sleeps after MaxSeqNoSleep records.
Client\Recorders\Check Point FW-1\MaxSeqNoSleep (DWORD, default 50): The maximum number of records sent before sleeping.
Client\Recorders\Check Point FW-1\LEA Servers (Key, default N/A): New subkey.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName (Key, default N/A): It must be a unique name.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Active (DWORD, default 1): 0=server inactive, 1=server active.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Host (String, default N/A): The server host name can be a logical name or an IP address.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Port (String, default N/A): The OPSEC port number of the server.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\AuthType (String, default Empty): Empty means clear connection. For a description of connection types, see Appendix B.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Logs\Secure (DWORD, default 0): 0=deactivate secure log events, 1=activate secure log events.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Account (DWORD, default 0): 0=deactivate account log events, 1=activate account log events.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Logs\logn (String, default N/A): The Recorder receives records from this list of log files.
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\LoadType (DWORD, default 0): 0=read according to offset, 1=read from the beginning ignoring offset.
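As an added example (not part of eTrust Audit or this guide), the following Python script reads the Check Point FW-1 entries of a Solaris eaudit.ini and reports servers whose settings would silently drop events (inactive server, no log type enabled, missing Host or Port), servers that would reread logs from the beginning because of LoadType, and servers that would use a clear OPSEC connection (empty AuthType, the least secure of the connection types described in Appendix B). It also computes the forwarding ceiling implied by SendInterval and MaxSeqNoSleep. It assumes the file layout follows the mapping stated above (each Registry key becomes a section title with slashes in place of backslashes, and the values under the key become that section's entries); the sample fragment, server names, hosts, and the AUTHTYPE_SET_BY_INSTALLER placeholder are constructed for the example.

```python
# Added example, not part of eTrust Audit: audit the Check Point FW-1 entries
# of a Solaris eaudit.ini. Assumes the layout this appendix describes: each
# Registry key becomes a section title with "/" for "\", and the values under
# that key become the section's entries.
import configparser
from dataclasses import dataclass
from typing import List

RECORDER_SECTION = "Client/Recorders/Check Point FW-1"
SERVERS_PREFIX = RECORDER_SECTION + "/LEA Servers/"

# Constructed sample with three LEA servers and example addresses.
# AUTHTYPE_SET_BY_INSTALLER is a placeholder: the appendix only states that an
# empty AuthType means a clear connection. Take the real port from fwopsec.conf.
SAMPLE_INI = """
[Client/Recorders/Check Point FW-1]
SendInterval = 10
MaxSeqNoSleep = 50

[Client/Recorders/Check Point FW-1/LEA Servers/fw-east]
Active = 1
Host = 192.0.2.10
Port = 18184
AuthType =
Account = 1
LoadType = 0

[Client/Recorders/Check Point FW-1/LEA Servers/fw-east/Logs]
Secure = 1

[Client/Recorders/Check Point FW-1/LEA Servers/fw-west]
Active = 1
Host = fw-west.example.net
Port = 18184
AuthType = AUTHTYPE_SET_BY_INSTALLER
LoadType = 1

[Client/Recorders/Check Point FW-1/LEA Servers/fw-north]
Active = 0
Host = 192.0.2.30
Port = 18184
"""


@dataclass
class LeaServer:
    name: str
    active: bool
    host: str
    port: str
    auth_type: str
    load_type: int
    secure_log: bool
    account_log: bool


def _parse(ini_text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(ini_text)
    return parser


def load_servers(ini_text: str) -> List[LeaServer]:
    """One LeaServer per [.../LEA Servers/<ServerName>] section, with the table's defaults."""
    parser = _parse(ini_text)
    servers: List[LeaServer] = []
    for section in parser.sections():
        name = section[len(SERVERS_PREFIX):]
        if not section.startswith(SERVERS_PREFIX) or "/" in name:
            continue  # not a server section, or a subkey such as <ServerName>/Logs
        entries = parser[section]
        logs = parser[section + "/Logs"] if parser.has_section(section + "/Logs") else {}
        servers.append(LeaServer(
            name=name,
            active=entries.get("Active", "1") == "1",
            host=entries.get("Host", ""),
            port=entries.get("Port", ""),
            auth_type=entries.get("AuthType", "").strip(),   # empty = clear connection
            load_type=int(entries.get("LoadType", "0")),
            secure_log=logs.get("Secure", "0") == "1",       # Logs\Secure in the table
            account_log=entries.get("Account", "0") == "1",  # Account, as the table lists it
        ))
    return servers


def audit_servers(servers: List[LeaServer]) -> List[str]:
    """Flag settings that silently lose events or weaken the OPSEC link."""
    findings: List[str] = []
    for s in servers:
        if not s.active:
            findings.append(f"{s.name}: Active=0, nothing is collected from this server")
            continue
        if not s.host or not s.port:
            findings.append(f"{s.name}: Host or Port is missing")
        if s.auth_type == "":
            findings.append(f"{s.name}: empty AuthType, clear OPSEC connection (no authentication or encryption)")
        if not (s.secure_log or s.account_log):
            findings.append(f"{s.name}: no log type enabled, this server will not audit events")
        if s.load_type == 1:
            findings.append(f"{s.name}: LoadType=1 ignores the stored offset and rereads logs from the beginning")
    return findings


def max_sustained_rate(ini_text: str) -> float:
    """Upper bound on forwarded records per second: MaxSeqNoSleep records per SendInterval seconds."""
    entries = _parse(ini_text)[RECORDER_SECTION]
    return int(entries.get("MaxSeqNoSleep", "50")) / int(entries.get("SendInterval", "10"))
```

Run it against a copy of /usr/eaudit/ini/eaudit.ini (replace SAMPLE_INI with the file contents) after installation or after editing the server list by hand; with the defaults of 50 records per 10-second sleep, the ceiling reported is 5 records per second, which is worth comparing with the peak log rate of the busiest firewall before relying on the Recorder for timely alerts.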
Appendix B: Technical Information
To help you configure your system, this appendix provides basic technical information about various Check Point FireWall-1 configuration settings, as follows:
■ OPSEC connection types
■ Configuring Check Point FireWall-1 servers
For detailed information about these topics, see the Check Point documentation.
OPSEC Connection Types
The following information will help you choose the most suitable OPSEC connection type between the Recorder for Check Point FireWall-1 and the Check Point FireWall-1 servers you want to audit.
The OPSEC application can make one of the following types of connections:
Authenticated and encrypted connection using SSL (Secure Socket Layer)
The data transferred is encrypted using a 3DES key. An authenticated and encrypted connection is the most secure. This type of connection is supported by Check Point VPN-1/FireWall-1 starting from version 4.1.
Authenticated connection using SSL
When data encryption is not required, this is the recommended method for authenticating the host running the OPSEC application before the Check Point FireWall-1 servers. This type of authentication is supported by Check Point VPN-1/FireWall-1 starting from version 4.1 SP2.
Authenticated connection (Check Point proprietary)
This type of authentication is done at the transport layer using Check Point’s proprietary authentication algorithm. Use this method for backward compatibility with Check Point VPN-1/FireWall-1 version 4.1 SP1 and earlier.
Clear connection
Data is transferred in the clear, with no authentication or encryption.
Configuring Check Point FireWall-1 Servers
Any machine in your system that works with Check Point FireWall-1 version 4.1.2 needs to be configured to establish an authenticated connection. This section explains how to establish an authenticated connection between an eTrust Audit Client host where the Recorder for Check Point FireWall-1 runs, and a Check Point FireWall-1 version 4.1.2 server.
The following scenario illustrates how an authenticated connection is established between two machines: comp1 and comp2. The machine comp1 runs the Check Point FireWall-1 server, and the machine comp2 runs the Recorder for Check Point FireWall-1.
Important! You need to run the executable opsec_putkey, which is part of the OPSEC SDK.
To configure comp1 and comp2:
1. On comp1, enter one of the following commands on the command line, depending on the connection type desired:
For an SSL based connection (authenticated or authenticated and encrypted), enter:
fw putkey -opsec -ssl comp2
For a backward compatible authenticated connection, enter:
fw putkey -opsec comp2
2. Enter the authentication key at the prompt. The authentication key must be at least six characters long.
3. On comp2 enter one of the following commands in the command line, depending on the connection type desired:
For an SSL based connection (authenticated or authenticated and encrypted), enter:
opsec_putkey -ssl -port fw comp1
For a backward compatible authenticated connection, enter:
opsec_putkey -port fw comp1
4. Enter the authentication key you entered in step 2.
Note: If the Recorder for Check Point FireWall-1 will be communicating with several Check Point FireWall-1 servers, follow the previous procedure for each pair of client and server machines, for example, comp2 and comp3, comp2 and comp4, and so on.