
Cybersecurity Memo

Thursday, December 15, 2011

Checkpoint R75 new feature violated PCI rules

My company recently upgraded our firewall UTM from R71 to R75. It was a neat, no-worries upgrade until today, when our external security company sent us a report: the PCI compliance scan of our public Internet IPs had failed. The report shows a self-signed Check Point certificate on our Internet-facing firewall. That part is correct: every Check Point firewall has a certificate on it, and by default it is self-signed. But our policy doesn't allow any HTTP/HTTPS access to our firewalls; there is a stealth rule in place to deny all such access.

I checked SmartView Tracker: there were no logs at all showing HTTPS traffic to the firewall being either denied or accepted.

I contacted Check Point TAC. After hours of reviewing the issue, TAC finally admitted that there is a new feature, introduced in R75 and later, called Multi-Portal. KB 66030 explains how it works:

    Even though there is no rule that accepts it and the GW/MGMT are not listening on this port, there is HTTP (port 80) access to the GW from the external network.
    In SmartView Tracker, you can see that this gets accepted by rule 0 (Implied Rules).
    After un-checking all the implied rules and pushing policy, it still gets accepted by the implied rules.

The gateway responds to HTTP traffic because of a new feature introduced in R75 called Multi-Portal. Because many daemons need to listen on ports 80 and 443, Multi-Portal was introduced in R75 to share those two ports between them.

In general it listens for any request on ports 80 and 443, completes the TCP three-way handshake, and only then forwards the request to the appropriate daemon according to the data context. If the request on port 80 or 443 is not legitimate, the traffic is dropped. That is exactly what the PCI scanner saw: the connection is accepted and the gateway's default certificate is presented during the TLS handshake before any decision about whether the request is legitimate is made, and the stealth rule never gets a say because the implied rules accept the traffic first.
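The following is an added example, not code from the original post or from Check Point. It reproduces what the external PCI scanner did so you can confirm the exposure before the fix and its absence afterwards: connect to the gateway's public address on 443, see whether a TLS handshake completes at all (Multi-Portal answering), and whether the presented chain verifies against the scanning host's trust store. It assumes an openssl binary on the scanning host; the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or from Check Point): probe a
# gateway the way a PCI scanner does. Requires `openssl` on the scanning host.

# Parse the "Verify return code: N (reason)" line that `openssl s_client` prints.
# Prints "trusted" for code 0, "untrusted:<code> (<reason>)" for anything else,
# and "no-handshake" (exit 1) when the line is absent, i.e. no TLS server answered.
classify_verify() {
    line=$(printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *//p' | sed -n '1p')
    if [ -z "$line" ]; then
        echo no-handshake
        return 1
    fi
    code=${line%% *}
    if [ "$code" = 0 ]; then
        echo trusted
    else
        echo "untrusted:$line"
    fi
}

# Extract subject and issuer of the leaf certificate from the same s_client
# output, so the report shows which certificate the gateway actually presented.
leaf_subject_issuer() {
    printf '%s\n' "$1" |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
        openssl x509 -noout -subject -issuer 2>/dev/null
}

# Probe host:port. Exit 0 when a TLS handshake completed (the exposure described
# in the post is present, whoever signed the certificate), 2 when it did not.
probe_gateway() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
    verdict=$(classify_verify "$out") || {
        printf '%s:%s no TLS handshake (closed, filtered, or not TLS)\n' "$host" "$port"
        return 2
    }
    printf '%s:%s TLS handshake completed, chain %s\n' "$host" "$port" "$verdict"
    leaf_subject_issuer "$out"
    return 0
}

# Usage: sh probe.sh fw1.example.org [443]   (host name is a placeholder)
case "${1:-}" in
    "") ;;                                   # no argument: only define the functions
    *)  probe_gateway "$1" "${2:-443}" ;;
esac
```

After the kernel parameter is changed (or the implied-rule redirect removed) the probe should report "no TLS handshake"; before that it reports a completed handshake with an untrusted chain, which is the PCI finding. Pass `-CAfile` to `openssl s_client` if you want to verify against the same trust store your scanner uses rather than the host's default one.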

Solution 1
Change the "multi_portal_allow_redirect" kernel parameter to 0.


# fw ctl set int multi_portal_allow_redirect 0

Please note: disabling Multi-Portal in the kernel will break software blades other than FW, IPS, and VPN.

Note that this change will not survive a reboot.
Also, this command works on R75.20 but not on R75.
To change this parameter permanently, refer to sk26202 for instructions.

Setting kernel global parameters permanently differs between OSs; the steps below are the fwkern.conf method from sk26202.
Warning: edit the Security Gateways ONLY, not the Security Management Server.
Note: verify the current value first with fw ctl get int <parameter> (sk26202 uses fwseqvalid_exact_syn_on_rst as its example); for this parameter:

 fw ctl get int multi_portal_allow_redirect

Edit the $FWDIR/boot/modules/fwkern.conf file with vi or another text editor and add one line per parameter in the form parameter=value (the parameter name, an equals sign and the value, with no spaces around the equals sign):


"Value" in that syntax must be a valid decimal or hexadecimal number, as in the C programming language:
Decimal = a plain number, such as 10 or 1024.
Hexadecimal = prefixed with 0x, such as 0x10 (which is 16) or 0xffff.

Note: create the fwkern.conf file if it does not already exist in the $FWDIR/boot/modules/ directory.

Important Note: The Security Gateway must be rebooted after any change in the fwkern.conf file.

Solution 2:
Another solution, from Phoneboy on CPUG:

Edit $FWDIR/lib/implied_rules.def on the Security Management Server. Find this line: #define ENABLE_PORTAL_HTTP_REDIRECT and comment it out. After the change it should look like:

Reinstall the Security Policy.

As I said (and can now confirm), this should be addressed in a future release.

# mpclient list
That will show a list of client processes associated with the Multi-Portal, for example sslvpn.

Fortunately we only use the FW, IPS and VPN blades, not others, although we are thinking of getting Identity Awareness next year. When I tried the fw ctl set command, it didn't work on R75; it does work on R75.20.

It looks like we have to get a third-party trusted certificate for our R75 firewalls if we do not want to tune the kernel. That means an extra $600 for each Internet-facing firewall.

Another KB, sk58362, mentions this feature in its Other Improvements section:

"You can now use multiple portals over port 443 and port 80. For example, the SecurePlatform Web User interface and the Mobile Access portal can both be on port 443. In the SmartDashboard Gateway properties window, set the Portal URL for the different portals on the portal configuration pages."
