etrust Audit Using the Recorder for Check Point FireWall-1 1.5



This documentation and related computer software program (hereinafter referred to as the "Documentation") is for the end user's informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. ("CA") at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation "as is" without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end user's applicable license agreement.

The manufacturer of this documentation is Computer Associates International, Inc. Provided with Restricted Rights as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions. © 2002 Computer Associates International, Inc. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

Chapter 1: Introducing the Recorder for Check Point FireWall-1
  Information Flow
Chapter 2: Installation Requirements
  System Hardware Requirements
  System Software Requirements
Chapter 3: Installing the Recorder for Check Point FireWall-1
  Information to Consider
  Before You Begin the Installation
    Configuring the Check Point FireWall-1 Servers
    Information You Need to Collect
  Installing in a Windows Environment
    Installing the Recorder for Check Point FireWall-1
    Installing Other Features Automatically
  Installing in a Solaris Environment
    Installing the Recorder for Check Point FireWall-1
    Upgrading the Data Tools
Appendix A: Configuration Values
  Registry Keys and .ini File
Appendix B: Technical Information
  OPSEC Connection Types
  Configuring Check Point FireWall-1 Servers

Chapter 1: Introducing the Recorder for Check Point FireWall-1

The etrust Audit Recorder for Check Point FireWall-1 is an add-on component of the etrust Audit Client. The Recorder for Check Point FireWall-1 receives events from Check Point FireWall-1 using the OPSEC (Open Platform for Security) protocol, and sends the events to the Audit Router using the SAPI protocol. OPSEC is Check Point's application programming interface (API).

etrust Audit can already receive Check Point FireWall-1 log events using SNMP traps. However, SNMP traps provide only a subset of the audit information generated by Check Point FireWall-1. More detailed information, with guaranteed delivery, can be received from Check Point FireWall-1 using the OPSEC LEA (Log Export) API. This enables a third-party application to securely receive both real-time and historical audit log data generated by Check Point VPN-1 and Check Point FireWall-1.

Information Flow

The Recorder for Check Point FireWall-1 can be installed on the same host where the Check Point FireWall-1 server runs, or on another host. To receive data from Check Point FireWall-1 servers, the Recorder for Check Point FireWall-1 connects to the Check Point LEA server using the OPSEC protocol. After message parsing, the Recorder for Check Point FireWall-1 sends the messages to the Audit Router using the SAPI protocol.

The information flow from here onward is the same as in the etrust Audit Client. The filtered events are sent to the Audit Router queue, which sends them to the Action Manager. According to the actions defined for each event, you can view filtered information with the etrust Audit Data Tools, or have other actions executed. For more information about the information flow in the etrust Audit Client, see the Administrator Guide.

The following diagram shows the basic information flow between the Recorder for Check Point FireWall-1 and the various components of etrust Audit:

[Diagram: Check Point FireWall-1 Server -> (data, OPSEC protocol) -> Client: Recorder for Check Point FireWall-1 -> (messages, SAPI protocol) -> Router: Audit Router, Audit Router Filter -> (filtered events) -> Action Queue -> Action Manager (actions: SNMP, Program, File, Screen, Unicenter, E-mail, other actions) -> Action Collector, Action Monitor -> Data Tools: Event Database, Security Monitor, Viewer, Reporter.]

The etrust Audit Viewer has specific SQL queries for Check Point FireWall-1, provided as ASCII files.

Tip: You can edit the SQL queries in the Filter by Events dialog in the etrust Audit Viewer.

Chapter 2: Installation Requirements

The following sections list the hardware and software needed to install the Recorder for Check Point FireWall-1.

Note: The installation of the Recorder for Check Point FireWall-1 only adds the component to the already installed etrust Audit product.

System Hardware Requirements

You need the following hardware to install the Recorder for Check Point FireWall-1:

For installation in a Windows environment:
- Pentium III or higher
- 64 MB RAM or higher
- 12 MB free disk space
- TCP/IP

For installation in a Solaris environment:
- 64 MB RAM or higher
- 12 MB free disk space
- TCP/IP

System Software Requirements

To install the Recorder for Check Point FireWall-1, you need the following installed on your host:

Operating systems:
- Microsoft Windows NT SP5 or SP6
- Microsoft Windows 2000 SP1, SP2, or SP3
- Microsoft Windows XP
- Solaris 2.51, 2.6, 2.7, 8 or 9

etrust Audit v1.5 SP1

Chapter 3: Installing the Recorder for Check Point FireWall-1

The installation of the Recorder for Check Point FireWall-1 consists of the following:
- The addition of the component to the already installed etrust Audit product
- Updates to the etrust Audit components found on the host

You can install the Recorder for Check Point FireWall-1 in a Windows environment and in a Solaris environment.

Information to Consider

You should take the following into consideration:
- The Recorder for Check Point FireWall-1 supports Check Point FireWall-1 version 4.1.2, and NG (v.5.0) with the authenticated connection types supported in 4.1.2.
- Recorder for Check Point FireWall-1 values that have no direct match to a database or Security Monitor field are concatenated in the message text field and shown as details. The maximum size of the information field is 512 bytes.
- The new policies for the etrust Audit Policy Manager are appended to the etrust Audit Policy Manager database during the installation process.
- The specific filters (DB queries) for the Check Point FireWall-1 events cannot be created with the existing etrust Audit Viewer. These queries are provided as external files containing SQL queries, which you can edit manually in the Filter by Event dialog in the etrust Audit Viewer.
- The specific reports for Check Point FireWall-1 events are added during the installation process.

Before You Begin the Installation

Before you begin the installation of the Recorder for Check Point FireWall-1, verify that your site meets the hardware and software requirements detailed in Chapter 2, Installation Requirements. Then, ensure you:
- Configure the Check Point FireWall-1 servers
- Collect specific information about the Check Point FireWall-1 servers you want to audit

You need Acrobat Reader to open the PDF file after installation. A free download is available from www.acrobat.com.

Configuring the Check Point FireWall-1 Servers

You need to configure the Check Point FireWall-1 server or servers that you want to audit. For information about configuration, see Appendix B.

Information You Need to Collect

Before you install the Recorder for Check Point FireWall-1, we recommend you collect useful information about the Check Point FireWall-1 server or servers you want to audit. The following sections will help you organize this information.

Server Details

Have the following information for each Check Point FireWall-1 server you want to audit:
- Logical name
- Host name or IP address
- OPSEC port number

Tip: Look for the OPSEC port number in the fwopsec.conf file, which is located in the installation path under FW1\conf.

Connection Types

Choose the OPSEC connection type to use between the Recorder for Check Point FireWall-1 and each of the Check Point FireWall-1 servers. For each server you want to audit, define the connection type you will assign it during installation. For information about connection types, see Appendix B.

Log Types

Choose the log types for the Check Point FireWall-1 servers you want to audit: secure, to audit system-related events, and account, to audit user-related events. You can choose one type, both, or none. If you choose none, that server will not audit events.

Installing in a Windows Environment

etrust Audit Setup detects the etrust Audit components (Client, Policy Manager, and Data Tools) installed on the host where it is running, and presents options accordingly. During installation, you can perform one of these actions on that host:
- Install the Recorder for Check Point FireWall-1 when the etrust Audit Client is found on the host.
- Install etrust Audit filters and reports when the etrust Audit Data Tools are found on the host.
- Install etrust Audit policies when the etrust Audit Policy Manager is found on the host.

Note: You can install the Recorder for Check Point FireWall-1 only on a host where etrust Audit Client 1.5 SP1 is installed. You need administrative privileges on this host.

Installing the Recorder for Check Point FireWall-1

This section describes the installation process that takes place when etrust Audit Setup finds the etrust Audit Client on a host. The etrust Audit Client can reside alone on a host, with either the etrust Audit Policy Manager or the etrust Audit Data Tools, or with both the Policy Manager and the Data Tools. etrust Audit Setup offers the features to install on each host according to the components it has.

To show all the possible features etrust Audit Setup provides, the installation process described in this section is for a host with the three etrust Audit components (Client, Policy Manager and Data Tools). On a host without a Client, etrust Audit Setup can automatically install a subset of these features. For a description of this subset, see the section Installing Other Features Automatically.

Follow these steps to install the Recorder for Check Point FireWall-1:

1. To start etrust Audit Setup, run the file eau151_fw1.exe located on your product CD. After the Welcome window, the Features to Install window appears. The installation of the Recorder for Check Point FireWall-1 on the host is optional. The mandatory features cannot be unchecked.

2. To install the Recorder for Check Point FireWall-1, check Recorder service, then click Next. The Recorder Service Configuration window is displayed.

3. Click Add to specify the Check Point FireWall-1 server or servers you want to audit. The New Server window is displayed.

4. Enter the information about the server: logical name, host name or IP address, and OPSEC port. Choose a connection type from the drop-down list. Both log types are checked by default. If necessary, uncheck the log type you do not need. You can also disable auditing of the server. Click OK. You are brought back to the Recorder Service Configuration window.

   Tip: You can modify the details of any server in your list with the Edit button in the Recorder Service Configuration window. You can also remove servers from your list with the Remove button.

5. Repeat the previous two steps for every server you want to audit. When you finish adding servers, click Next. The Recorder Service Administration window is displayed. For information about the different ways of starting the service manually, see the Administrator Guide.

6. Click Next. The Start Installation window is displayed.

7. If you are satisfied with the settings, click Continue. etrust Audit Setup starts copying the program files.

   Note: The Recorder for Check Point FireWall-1 and the configuration update are installed in the path where etrust Audit is currently installed. No system files or other kinds of files are installed outside this path.

   You are now prompted to start the service.

8. Choose whether to start the service. The Documentation Options window is displayed.

9. Choose whether to open the readme file and to copy the PDF file to the installation directory. Then click Finish to complete the installation process.

Installing Other Features Automatically

This is the subset of features etrust Audit Setup can install automatically on a host without an etrust Audit Client. This is all the information etrust Audit Setup needs to start copying the program files. The features appear as follows in the Features to Install window (components found on the host, followed by the features automatically installed):

- etrust Audit Policy Manager: New Check Point FireWall-1 policies, and updates to core component files and configuration.
- etrust Audit Data Tools: New Check Point FireWall-1 filters and reports, and updates to core component files and configuration.
- etrust Audit Policy Manager and etrust Audit Data Tools: New Check Point FireWall-1 policies, filters and reports, and updates to core component files and configuration.

Installing in a Solaris Environment

The installation process detects the etrust Audit components installed on the host where it is running, and presents options accordingly. During installation, you can perform one of these actions on each host:
- Install the Recorder for Check Point FireWall-1 when the etrust Audit Client is found on the host (residing alone or with the etrust Audit Data Tools)
- Upgrade the etrust Audit Data Tools when the etrust Audit Client is not found on the host

Note: You can install the Recorder for Check Point FireWall-1 only on a host where the etrust Audit Client 1.5 is installed. You must have root authority to invoke the installation script.

Installing the Recorder for Check Point FireWall-1

This section describes the installation process for a host with an etrust Audit Client.

1. From the installation directory, run the following script:

   ./install_eauditfw1rec

   When only the etrust Audit Client resides on the host, or both the etrust Audit Client and the etrust Audit Data Tools, you are prompted to upgrade:

   Looking for previous installations of etrust Audit
   Found etrust Audit Client. Do you want to upgrade it? [y/n]

   or:

   Looking for previous installations of etrust Audit
   Found both etrust Audit Client and etrust Audit Data Tools.
   Select the components you want to upgrade:
   1 - Data Tools
   2 - Client and Data Tools
   :

2. Choose the upgrade you need for the host. After several messages about calculations and configuration, you are prompted to enter information about the servers:

   Enter the Check Point FireWall-1 servers information one by one, terminating with CTRL-D or your EOF.
   Server logical name:
   Host name or IP address:
   Connection port:
   Select OPSEC connection type:
   1 - Clear connection
   2 - Authenticated and encrypted connection using SSL
   3 - Authenticated connection using SSL
   4 - Authenticated connection (Check Point proprietary)
   :
   Secure log [y/n]:
   Account log [y/n]:
   Server logical name:

3. Enter the information for the first server. You are immediately prompted to enter information for another server. If you need to configure additional servers, continue entering information. Otherwise, press Enter to exit the prompt and continue with the installation process. Several messages appear on screen informing you about the status of the installation process. You are then prompted with the following message:

   Would you like to start the etrust Audit Recorder for Check Point Firewall-1 daemons right now? [y/n]: (y)

4. Choose whether to start the program. You are now prompted:

   Do you want to view the etrust Audit Recorder for Check Point FireWall-1 Readme.txt file? [y/n]: (y)

5. Choose whether to view the readme file. You are prompted as follows:

   Do you want to copy the PDF guide to the installation directory? [y/n] (y)

6. Choose whether to copy the PDF file. A message informs you that the installation is completed.

Tip: If you need to configure additional servers after the installation, you can either edit the eaudit.ini file, which is updated during the installation, or edit the Registry.

Upgrading the Data Tools

This section describes the upgrade procedure for a host without an etrust Audit Client. When the installation process finds only the etrust Audit Data Tools on the host, you can upgrade them so that the Audit Collector receives Check Point FireWall-1 events.

1. From the installation directory, run the following script:

   ./install_eauditfw1rec

   You are prompted to upgrade the etrust Audit Data Tools as follows:

   Found etrust Audit Data Tools. Do you want to upgrade them? [y/n]

2. Choose whether to upgrade. If you choose yes, you are prompted:

   Do you want to view the etrust Audit Recorder for Check Point FireWall-1 Readme.txt file? [y/n]: (y)

3. Choose whether to display the readme file. You are now prompted:

   Do you want to copy the PDF guide to the installation directory? [y/n] (y)

4. Choose whether to copy the PDF file. A message informs you that the upgrade is completed.

Appendix A: Configuration Values

After installation, the configuration values of the Recorder for Check Point FireWall-1 are kept in the Registry in a Windows environment, or in a configuration file in a Solaris environment. Check Point FW-1 is the name of the new Registry key or the new configuration file section.

Registry Keys and .ini File

In a Windows environment, the Registry keys are located under:

   HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit

In a Solaris environment, the configuration file eaudit.ini is located in the directory:

   /usr/eaudit/ini

The configuration information is the same in both environments, with the following terminology and syntax differences:

   Windows Environment        Solaris Environment
   Registry key name          Section title in the configuration file
   Backslash \                Slash /

The following table lists the configuration parameters specific to the Recorder for Check Point FireWall-1. ServerName (shown in italic in the original) stands for data entered during installation. Each entry gives the parameter, its type, its default value, and comments:

Client\Recorders\Check Point FW-1
   Type: Key. Default: N/A. New key for the Recorder for Check Point FireWall-1.

DatFilePath
   Type: String. Default: dat\recorders\fw.dat. The Recorder for Check Point FireWall-1 uses this file internally. This location must not be changed.

MPFile
   Type: String. Default: cfg\fw.mp. Mapping file used for parsing received messages.

SendInterval
   Type: DWORD. Default: 10. The time, in seconds, that the service sleeps after MaxSeqNoSleep records.

MaxSeqNoSleep
   Type: DWORD. Default: 50. The maximum number of records sent before sleeping.

LEA Servers
   Type: Key. Default: N/A. New subkey.

LEA Servers\ServerName
   Type: Key. Default: N/A. It must be a unique name.

LEA Servers\ServerName\Active
   Type: DWORD. Default: 1. 0 = server inactive; 1 = server active.

LEA Servers\ServerName\Host
   Type: String. Default: N/A. The server host name can be a logical name or an IP address.

LEA Servers\ServerName\Port
   Type: String. Default: N/A. The OPSEC port number of the server.

LEA Servers\ServerName\AuthType
   Type: String. Default: Empty. Empty means clear connection. For a description of connection types, see Appendix B.

LEA Servers\ServerName\Logs\Secure
   Type: DWORD. Default: 0. 0 = deactivate secure log events; 1 = activate secure log events.

LEA Servers\ServerName\Account
   Type: DWORD. Default: 0. 0 = deactivate account log events; 1 = activate account log events.

LEA Servers\ServerName\Logs\logn
   Type: String. Default: N/A. The Recorder receives records from this list of log files.

LEA Servers\ServerName\LoadType
   Type: DWORD. Default: 0. 0 = read according to offset; 1 = read from the beginning, ignoring offset.
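The parameters above lend themselves to a mechanical review after installation. The following Python script is an added example, not part of the product or of this guide: it parses a constructed eaudit.ini fragment laid out as this appendix describes (Registry key paths as section titles with slashes) and flags active servers that use a clear connection (empty AuthType), have no log type enabled, have an invalid port, or have LoadType set to 1, and it derives the record rate implied by MaxSeqNoSleep and SendInterval. The exact section layout, the sample host names, and the non-empty AuthType placeholder are assumptions.

```python
"""Lint the Recorder for Check Point FireWall-1 section of eaudit.ini.

Added example, not part of the product or the original guide. It assumes the
Solaris layout Appendix A describes: each Registry key path becomes an ini
section title with '/' in place of the backslash, and each value becomes
name=value. The guide does not give the string the recorder expects in a
non-empty AuthType, so the sample uses a labelled placeholder.
"""
import configparser

ROOT = "Client/Recorders/Check Point FW-1"
SERVERS = ROOT + "/LEA Servers"

# Constructed sample: fw-hq is configured sensibly, fw-lab is not.
SAMPLE_INI = """
[Client/Recorders/Check Point FW-1]
DatFilePath=dat/recorders/fw.dat
MPFile=cfg/fw.mp
SendInterval=10
MaxSeqNoSleep=50

[Client/Recorders/Check Point FW-1/LEA Servers/fw-hq]
Active=1
Host=fw-hq.example.test
Port=18184
AuthType=AUTHTYPE_PLACEHOLDER
LoadType=0

[Client/Recorders/Check Point FW-1/LEA Servers/fw-hq/Logs]
Secure=1
Account=1

[Client/Recorders/Check Point FW-1/LEA Servers/fw-lab]
Active=1
Host=10.0.0.5
Port=18184
AuthType=
LoadType=1

[Client/Recorders/Check Point FW-1/LEA Servers/fw-lab/Logs]
Secure=0
Account=0
"""


def load_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names case-sensitive, as in the Registry
    cp.read_string(text)
    return cp


def server_names(cp):
    """Sections exactly one level below LEA Servers are the server entries."""
    names = []
    for sec in cp.sections():
        if sec.startswith(SERVERS + "/"):
            rest = sec[len(SERVERS) + 1:]
            if "/" not in rest:
                names.append(rest)
    return names


def lint_recorder_config(text):
    """Return (server, finding) pairs for settings a reviewer should question."""
    cp = load_ini(text)
    findings = []
    for name in server_names(cp):
        srv = cp[SERVERS + "/" + name]
        if srv.get("Active", "1") != "1":
            findings.append((name, "inactive"))  # not audited; nothing else to check
            continue
        if srv.get("AuthType", "") == "":  # empty AuthType means a clear connection
            findings.append((name, "clear-connection"))
        port = srv.get("Port", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append((name, "bad-port"))
        logs_name = SERVERS + "/" + name + "/Logs"
        logs = cp[logs_name] if cp.has_section(logs_name) else {}
        # The guide lists Account directly under the server key; accept either place.
        account = srv.get("Account", logs.get("Account", "0"))
        if logs.get("Secure", "0") != "1" and account != "1":
            findings.append((name, "no-log-types"))  # this server will not audit events
        if srv.get("LoadType", "0") == "1":
            findings.append((name, "full-reload"))  # re-reads logs from the beginning
    return findings


def max_records_per_second(text):
    """Throughput ceiling: MaxSeqNoSleep records per SendInterval seconds."""
    root = load_ini(text)[ROOT]
    return int(root.get("MaxSeqNoSleep", "50")) / int(root.get("SendInterval", "10"))
```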

Appendix B: Technical Information

To help you configure your system, this appendix provides basic technical information about the following Check Point FireWall-1 configuration settings:
- OPSEC connection types
- Configuring Check Point FireWall-1 servers

For detailed information about these topics, see the Check Point documentation.

OPSEC Connection Types

The following information will help you choose the most suitable OPSEC connection type between the Recorder for Check Point FireWall-1 and the Check Point FireWall-1 servers you want to audit. The OPSEC application can make one of the following types of connection:

- Authenticated and encrypted connection using SSL (Secure Socket Layer): The data transferred is encrypted using a 3DES key. An authenticated and encrypted connection is the most secure. This type of connection is supported by Check Point VPN-1/FireWall-1 starting from version 4.1.
- Authenticated connection using SSL: When data encryption is not required, this is the recommended method for authenticating the host running the OPSEC application to the Check Point FireWall-1 servers. This type of authentication is supported by Check Point VPN-1/FireWall-1 starting from version 4.1 SP2.
- Authenticated connection (Check Point proprietary): This type of authentication is done at the transport layer using Check Point's proprietary authentication algorithm. Use this method for backward compatibility with Check Point VPN-1/FireWall-1 version 4.1 SP1 and earlier.
- Clear connection: Data is transferred without restrictions.

Configuring Check Point FireWall-1 Servers

Any machine in your system that works with Check Point FireWall-1 version 4.1.2 needs to be configured to establish an authenticated connection. This section explains how to establish an authenticated connection between an etrust Audit Client host where the Recorder for Check Point FireWall-1 runs, and a Check Point FireWall-1 version 4.1.2 server.

The following scenario illustrates how an authenticated connection is established between two machines: comp1 and comp2. The machine comp1 runs the Check Point FireWall-1 server, and the machine comp2 runs the Recorder for Check Point FireWall-1.

Important! You need to run the executable opsec_putkey, which is part of the OPSEC SDK.

To configure comp1 and comp2:

1. On comp1, enter one of the following commands on the command line, depending on the connection type desired:

   For an SSL-based connection (authenticated, or authenticated and encrypted), enter:

   fw putkey -opsec -ssl comp2

   For a backward-compatible authenticated connection, enter:

   fw putkey -opsec comp2

2. Enter the authentication key at the prompt. The authentication key must be at least six characters long.

3. On comp2, enter one of the following commands on the command line, depending on the connection type desired:

   For an SSL-based connection (authenticated, or authenticated and encrypted), enter:

   opsec_putkey ssl port fw comp1

   For a backward-compatible authenticated connection, enter:

   opsec_putkey port fw comp1

4. Enter the authentication key you entered in step 2.

Note: If the Recorder for Check Point FireWall-1 will be communicating with several Check Point FireWall-1 servers, follow the previous procedure for each pair of client and server machines, for example, comp2 and comp3, comp2 and comp4, and so on.