Software Blades R7x - Check Point Software


Software Blades R7xCC Evaluated ConfigurationInstallation GuideMarch 2012

2003-2012 Check Point Software Technologies Ltd.All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying,distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without priorwritten authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibilityfor errors or omissions. This publication and features described herein are subject to change without notice.RESTRICTED RIGHTS LEGEND:Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data andComputer Software clause at DFARS 252.227-7013 and FAR 52.227-19.TRADEMARKS: 2003–2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point EndpointSecurity, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra,Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic ShieldingArchitecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1,Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect,IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector,Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient,SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXLTurbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro,SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap,SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand,SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1Edge, UTM-1 Edge Industrial, UTM- 1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM,VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarmInternet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registeredtrademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All otherproduct names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document areprotected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by otherU.S. Patents, foreign patents, or pending applications.klFor third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 9.

ContentsPrefaceIntroduction. 7Who Should Use This Guide?. 8About This Guide. 8Related Documentation. 9The Common Criteria Evaluated ConfigurationChapter1Evaluated Configuration1214Physical Components of the Evaluated Configuration . 14Functionality Excluded from the Evaluation . 17Security Environment Considerations . 18Chapter2Secure Delivery Procedures20Overview. 20Hardware Delivery. 21Software Delivery . 25License Confirmation and Verification. 31Chapter3Deployment32Security Management Server . 32Security Gateway. 33SmartConsole (Management GUI) . R7x Fresh Installation40Overview. 41Installing the Security Management Server . 45Installing SmartConsole. 74Installing the Security Gateway . 805

ConfigurationChapter6108Installation Settings110Setting the Certificate Hash Algorithm to SHA-256 . 111Extending the Validity Period of a SIC Certificate. 111Enabling Support for IP Options. 112Scheduling Backups and Restoring from Backup. 112Configuring OCSP. 113Defining a Larger Kernel Log Buffer . 114Configuring SecurID. 116SecureClient Mobile Download. 117Configuring Support for Diffie-Hellman Groups 15-24 . 118User Defined Database Settings. 126Chapter7FIPS Compliance Configuration128Chapter8First Time Login130Security Management Server Fingerprint Verification. 131Evaluated Configuration Permissions Profiles. 133Creating an Authorized Administrator Account . 138Deleting the cpconfig Administrator. 140AppendicesAppendix A142Check Point User Center144User Center Registration and Access. 145Product Registration . 152SecureKnowledge Solutions . 160Appendix B6Appliance Installation164

PrefaceIn This ChapterIntroductionWho Should Use This Guide?About This GuideRelated Documentationpage 7page 8page 8page 9IntroductionThis document describes the delivery and operation procedures that mustbe implemented by Check Point Software Technologies Ltd. customersand/or resellers to ensure the secure delivery, installation, generation, andstart-up of Check Point Software Blades in accordance with the CommonCriteria evaluated configuration, as defined in the Check Point SoftwareBlades R7x Security Target.The guidelines provided in this document explain how to use the existingCheck Point Installation process to set up Check Point Software Blades ina manner that is consistent with the evaluated configuration. This guidancemust be read in conjunction with the referenced installation andconfiguration guides, and is written to take account of the specific detailsand setting that are required to be conformant with the evaluatedconfiguration.These guidelines and requirements are most often exceptions to theinstructions written in the referenced documentation. If a feature or serviceis listed below, you must configure the mentioned item as described here.If a feature or service is not listed below, configure it as written in thereferenced documentation.If you follow the requirements in this document when setting up and usingthe system, your configuration will match the evaluated configuration.7

Note - that legitimate reasons may exist to modify the system setup inways not described here if that is necessary for the system to fulfill itsintended purpose. However, the evaluation results may not apply to sucha configuration.Who Should Use This Guide?This guide is for IT staff who will be installing Check Point SoftwareBlades R7x software and appliances.About This GuideThis guide is organized as follows: Chapter 1, Evaluated Configuration, describes the evaluatedconfiguration in general. Chapter 2, Delivery Procedures, provides instructions on verifyingthe secure delivery of the software and hardware. Chapter 3, Deployment, provides information on the configuration ofthe different parts of the evaluated configuration. Chapter 4, Pre-installation, lists information that should be availableprior to the installation. Chapter 5, R7x Fresh Installation, explains how to install thesoftware on the Security Management Server,SmartConsole host, and Security Gateways. Chapter 6, Installation Settings, provides installation settings thatmay be applied in the evaluated configuration. Chapter 7, FIPS Compliance Configuration, explains how to enableFIPS compliance for the evaluated configuration. Chapter 8, First Time Login, describes the first administrator logininto SmartConsole after the installation. Appendix A, Check Point User Center, describes the use of theCheck Point award-winning support site. Appendix B, Appliance Installation, explains how to re-image andconfigure Check Point security appliances.8

Related DocumentationThe evaluated configuration is described in: Check Point Software Blades R7x Security TargetGuidance for post-installation administration is provided in: Check Point CC Evaluated Configuration Administration GuideSee the following Check Point documentation provided with the productCD-ROMs for more information on Check Point Software Blades R7x: SecurePlatform R71 Administration Guide SecurePlatform R70.1 Administration Guide Security Management Server R71 Administration Guide Firewall R70 Administration Guide VPN R70 Administration Guide ClusterXL R70.1 Administration GuideThis CC Evaluated Configuration Installation Guide as well as the CCEvaluated Configuration Administration Guide are available for downloadfrom SecureKnowledge solution ID: sk77840 – Common Criteria EAL4and FIPS 140-2 and Evaluation Resources for Check Point SoftwareBlades R7x. The SK solution also provides additional resources referred toin this guide.Instructions for configuring Diffie Hellman groups 15 through 18 and 24are available in SecureKnowledge solution ID: sk27054 - Definingadvanced Diffie-Hellman groups for IKE.9

Tip - See APPENDIX A - SecureKnowledge Solutions for instructions onhow to access SecureKnowledge solutions.10


The Common CriteriaEvaluated Configuration12


Chapter1Evaluated ConfigurationIn This ChapterPhysical Components of the Evaluated ConfigurationFunctionality Excluded from the EvaluationSecurity Environment Considerationspage 14page 17page 18Physical Components of the Evaluated ConfigurationThe evaluated configuration includes the following components:14 Security Gateway software installed on an appliance running theCheck Point SecurePlatform operating system. Security Management Server software installed on a hostrunning the Check Point SecurePlatform operating system. SmartConsole– management GUI software installed on a hostrunning a Microsoft Windows operating system. TheSmartConsole hardware and operating system are not consideredpart of the evaluated system – they are installed and configured bythe administrator as needed to support the Check Point application. SSL Network Extender and SecureClient Mobile – SSL VPNclients that can be downloaded from the Security Gateway to theuser's workstation.

An evaluated configuration includes one or more Security Managementservers, one or more Security Gateways, and one or more SmartConsoles.(Fault tolerant configurations require two or more of each component.)The evaluated configuration can be configured to interact with thefollowing external entities: NTP servers for time synchronizationAn authentication server for authenticating single-use passwords:o Using the RADIUS protocol; oro Using the RSA SecurID protocolCertificate Authority and OCSP respondersCRL Distribution Points for certificate revocation checking:o Using the HTTP protocol; oro Using the LDAP protocol15

16Peer VPN gateways and SecuRemote/SecureClient remote accessusers authenticating using IKE/IPsec with certificate-based orpreshared-secret authenticationCVP and UFP servers used to provide additional third-partycontent protection functionality.

Functionality Excluded from the EvaluationThe Check Point Software Blades R7x product can provide a broad rangeof services (product types), features and capabilities. Some of theserequire additional products or licenses to be installed on the Check PointSoftware Blades R7x appliance and/or on the Security ManagementServer.This section describes additional features and capabilities that areexcluded from the evaluated configuration: SNMP daemon: Check Point Software Blades appliances provideoptional SNMP daemons that can be used for remote management.These daemons are disabled in the evaluated configuration.WebUI: The evaluated configuration operating systems provide Webbased configuration interfaces as an alternative to the Check PointSoftware Blades appliance CLI. This interface is disabled in the TOEevaluated configuration.CLIs and SSH: Check Point Software Blades appliances andoperating systems include CLI interfaces that are used for initialinstallation and configuration of the appliance, the OS and thesoftware. A CLI is also provided on the Security Management Server.The CLI can be accessed from a directly connected console orremotely using the SSH protocol.In the evaluated configuration, these CLIs should not be used after thisinstallation stage. All management of the TOE should be performedvia the Security Management Server and Management GUIs. If theappliance must be reconfigured (e.g. a NIC is added to the appliance),it should be reinstalled to ensure that it remains in a secureconfiguration.17

Security Environment ConsiderationsThe following issues should be taken into account when preparing thesecurity environment of the Check Point Software Blades evaluatedconfiguration: Physical Access Control: Physical access must be controlled. TheSecurity Management Server, SmartConsole workstations, and firewallappliances must be located in secure locations, protected from physicalaccess by unauthorized persons. Permitted Applications: You may not install any general-purposeapplications, public data or other capabilities that are outside theevaluated configuration on any firewall or Security ManagementServer host. In particular, you must not install services (e.g. an FTPserver) that can be accessed remotely by non-administrative users. Trustworthy Administrators: Only trustworthy Administratorsshould receive authorization to manage the evaluated configuration. Traffic Mediation: A configured firewall shall mediate traffic for atleast two networks. You must ensure that all information pathsbetween mediated networks pass through a firewall in the evaluatedconfiguration. Administrative Workstation: Check Point Software Blades shall bemanaged from an administrative workstation, running SmartConsole.Use of CLI or Web interfaces is restricted to product installation. Oncethe product is operational, the only administrator interfaces used byauthorized administrators are SmartConsole and other supportedOPSEC applications. Preventing Access by Untrusted Users: The following componentsmust be installed on subnets connected to a firewall interface that isprotected by the Security Policy such that they cannot be accessed byuntrusted users: Security Management Server host SmartConsole hosts OPSEC applications An external authentication server that is used to supportSecurID single-use authentication, if any.18

RADIUS and NTP servers: The communication with a RADIUS orNTP server if any is protected using a MD5 shared secret. Secretsshould be chosen out of a sufficiently large range (at least 16 randomlyselected octets) in order to provide protection against exhaustivesearch attacks. It is also recommended to periodically change theseshared secrets, in order to improve resistance to replay attacks.Single-Use Password Authentication: The evaluated configurationsupports authentication of administrators, Telnet and FTP users, and ofremote access VPN users by sending the user-entered username andpassword using the RADIUS or SecurID protocols to an externalauthentication server. In the evaluated configuration, this should onlybe used in conjunction with single-use password mechanisms, e.g. theRSA SecurID hardware or software tokens. Multiple-use passwordsare inherently insecure if used over an unencrypted or physicallyinsecure network.Dedicated Cluster Synchronization Networks: Synchronizationinformation exchanged between cluster members (over defined Syncinterfaces) contains sensitive information. This information is notcryptographically protected by the Security Gateway. The evaluatedconfiguration therefore requires that all cluster members should be colocated. To secure the synchronization interfaces, cluster membersshould be directly connected by a cross cable, or in a cluster with threeor more members, use a dedicated hub or switch. No users should begiven remote or local access to cluster synchronization networks.19

Chapter2Secure Delivery ProceduresIn This ChapterOverviewHardware DeliverySoftware DeliveryLicense Confirmation and Verificationpage 20page 21page 25page 31OverviewThis section provides information on verifying the secure delivery of theCheck Point Check Point Software Blades product. Product deliveryconsists of hardware and software components.The Check Point Software Blades product is not sold by Check Pointdirectly to customers. Instead, Check Point makes use of established ValueAdded Resellers (VARs), Original Equipment Manufacturers (OEM’s)and other distributors, to sell its software and hardware. A customerpurchases the certified system by placing an order for the software with adistributor. Customers purchase third-party evaluated hardware directlyfrom the hardware manufacturer.Note - Check Point provides a resource for locating distributors at

The customer is then responsible for completing the installation andconfiguration of the evaluated configuration, as described in this guidancedocument.Hardware DeliveryHardware PlatformsThe evaluated configuration includes three types of hardware platforms:gateway appliance platforms, Security Management Server platforms, andSmartConsole (Management GUI) platforms. Corresponding R7x softwaremust be installed on each platform.The customer purchases one or more of the appliance hardware platformsidentified in the Check Point Software Blades R7x Security Target, andinstalls the Check Point Software Blades software. On platforms runningthe Check Point SecurePlatform operating system, the softwareinstallation also installs the operating system.A separate hardware platform from the list of Check Point SecurePlatformappliances identified in the Security Target should be used for the SecurityManagement Server. The customer installs the operating system andsoftware.One or more SmartConsole hosts should be installed. SmartConsole isinstalled on a standard PC workstation running a Microsoft Windowsoperating system. The workstation is not considered part of the Target ofEvaluation, and is not specified in the Security Target.The product supports the following Microsoft Windows operating systems(or later versions thereof): Windows XP Home & Professional (SP3) Windows Vista (Ultimate, Enterprise, Business, Home Premium,or Home Basic) (SP1)21

Windows Server 2003 (Standard, Enterprise, or DatacenterEdition) (SP1-2) Windows Server 2008The SmartConsole machine hardware must meet the following minimumrequirements: CPU – Intel Pentium IV or 2 GHz equivalent processor Memory – 512 Mb, Disk Space – 500 Mb CD-ROM drive, Video Adapter with minimum resolution: 1024 x768Hardware Acquisition and DeliveryThe Check Point software depends on the correct operation of theunderlying hardware and firmware in order to meet the securityrequirements of the evaluated configuration. The hardware platformsidentified in the Security Target have been vetted for compatibility withthese requirements. It is important that the customer ensure that validhardware has been received.The Check Point SecurePlatform operating system runs on commodityhardware. This is hardware that is used by many organizations, for manypurposes. Because of the diversity of the supported hardware platforms, anadversary will not be able to install a Trojan Horse in hardware that istargeted for Check Point software in general, or for a specific customer'sorganizational border protection devices in particular.Check Point security appliances are manufactured by a trusted CheckPoint supplier, and shipped from regional distribution centers directly tothe customer-specified location.The following are recommendations that can be used to further mitigatethe risks of hardware substitution: 22Buy hardware from people you trust. In particular, it is goodpractice to purchase hardware directly from the hardware vendor,

according to the procedures provided on the hardware vendor’sWeb site. Prefer new hardware to used or refurbished equipment. Attempt to make hardware purchases seem random. If possible, donot identify upfront the purpose for which these platforms aregoing to be used. Use platform types that have been purchased byyour organization for other purposes as well. Use reputable commercial carriers to deliver hardware to yourorganization. Request tracking information and use shipper Websites to determine that the hardware did not take any suspiciousroutes or was mislaid enroute. Where possible, pick it up yourself. Apply physical access controls throughout the hardware platform'slifetime, including any periods of time when the hardware is instorage, before product installation.If the hardware is to be installed in extreme environmental conditions(heat, cold, humidity, power spikes, vibration, etc.), verify that theseconditions are compatible with the hardware vendor's specifications.Hardware Verification ProcedureUse the following steps to verify that valid hardware has been received:1. Examine the outside packaging and markings of the delivery containercontaining the hardware to ensure that it arrived via the contractedcommercial carrier from the hardware vendor.2. Examine the shipping and tracking information available with thepackage to look for any unexpected information related to the timingand route for the shipment. If there is any doubt about the veracity ofthe shipment, contact the vendor and confirm that the product wasindeed ordered by your organization and sent by the vendor.3. Visually examine the hardware platform to determine that it is labeledin accordance with the hardware vendor's standard markings, and thatit matches the platform model that was ordered.23

Note - Follow the hardware vendor's guidance to disconnect or disableany wake on LAN (WoL), Lights Out Management (LOM) or any otherNIC-related remote management functionality.In particular, on Check Point security appliances, if the appliance hasbeen delivered with a LOM card installed, do not enable the card in theBIOS menu.24

Software DeliverySoftware Package DistributionEach release of the product is identified by a unique reference that consistsof a release number and (after the initial base release) a Hot Fix Accumulator (HFA) designator.Check Point releases and hot fixes are distributed to customers on CDROMs, or as downloadable packages off the Check Point Web site. TheHFA installation is applied as an upgrade to the General Availability (GA)release, or to previous HFAs, replacing one or more packages with newerbuilds of those packages.Note - Releases distributed electronically as .iso files contain CD-ROMimages. A CD-ROM created from such an image is considered to be anequivalent distribution and should be verified as described below for thenormal CD-ROM package distribution. HFA and hot fix packages aretypically distributed as compressed file archives that are installed as anupgrade to an already-installed appliance.The unique reference for the evaluated software is ‘R7x’. As identified inthe Check Point Software Blades R7x Security Target, the referencedsoftware is comprised of the following Check Point software:SoftwareCheck Point Security GatewayCheck Point Security Management and SmartConsoleGAHFAR70.1 R7x hotfixR71.1 R7x hotfixNote – The R70.1 release is made available either as a GA release, orapplied as a HFA updating the R70 base release. Both installations(R70.1 and R70 with HFA R70.1) are equivalent.25

The Check Point Software Blades GA CD-ROMs, as well as allaccompanying product documentation, are labeled externally with theproduct name and release number (for the base release).HFA DownloadsAs part of Check Point's Common Criteria-evaluated flaw remediationprocedures, Check Point publishes updated Hot Fix Accumulators (HFAs)and provides them to customers with a Software Subscription license.The customer should check for updated Check Point Software BladesHFAs on ex.html. Ifyou are installing the evaluated HFA, download it from the download linkprovided in SecureKnowledge solution sk66143. This will ensure that youare using the precise HFA package used for the evaluation.WARNING - HFA downloads other than the identified evaluatedversions are outside the evaluated configuration:The Common Criteria evaluation was performed on the identified HFAs.Other HFAs might include changes to the product that violate evaluatedsecurity requirements.However, it should be noted that the Check Point process forimplementing and distributing HFAs was included in the evaluation.Given the above mentioned caveat, Check Point does recommend thatcustomers download and install the latest HFA available. This may onlybe performed during installation; therefore, when a new HFA is published,you must reinstall to apply the HFA.Download the HFA package for the SecurePlatform operating system (youwill be asked to log in to your Check Point User Center account and agreeto the Software Subscription Download Agreement. See Appendix A User Center Registration and Access for instructions on accessing theCheck Point User Center).26

Check Point Security Appliance Software DistributionThe Check Point security appliances are delivered with the appropriateCheck Point Software Blades software pre-installed on the appliance.However, in order to insure that the installed software version is identicalto the evaluated version, it is recommended to download an appliancespecific image of the R7x software from the Check Point Web site.Software Delivery VerificationWhen accepting receipt of the software package, the customer shouldverify that the software case does not show any signs of tampering.The customer should calculate hashes of CD-ROMs, software images andHFA downloads to verify that they are identical to the correspondingmaster copy signatures presented below. The ISO file size can be used as asanity check. Hashes for HFA downloads will be posted on the CheckPoint Web site when the new HFA is available. You may also call CheckPoint to verify the HFA signature.Tip - SecureKnowledge Solution sk77840 includes a utility (cd2iso) thatcan be used to calculate MD5, SHA-1, and SHA-256 hashes for codeintegrity verification for both downloaded files and for CD-ROMs.27

Evaluated Software Hash ValuesThe hashes for the evaluated software images are as follows:R70 Gateway Software and R70.1 HFAApplies to: Open Servers, Check Point 2012 Appliances.File NameMD5SHA-1SHA-256Check PointR70 heck PointR70 HFA 0.1 Gateway Appliance Image for UTM-1Applies to: Check Point UTM-1 security appliances.File NameMD5SHA-1SHA-256Check PointR70 1 70.1 Gateway Appliance Image for Power-1 xx70 and 11000 SeriesApplies to: Check Point Power-1 xx70 and 11000 Series Appliances.File NameMD5SHA-1SHA-256Check PointR70 1 1Check pointR70 1 4C28

R7x Gateway hotfixApplies to: All Gateway appliances.File NameMD5SHA-1SHA-256Check PointR70 2BA0R71.10 Security Management SoftwareApplies to: Open Servers.File NameMD5SHA-1SHA-256Check PointR71 10 71.10 Security Management Software Image for Smart-1Applies to: Check Point Smart-1 security appliances.File NameMD5SHA-1SHA-256Check PointR71 10 CCCF545593F4F6

Chapter 8, First Time Login, describes the first administrator login into SmartConsole after the installation. Appendix A, Check Point User Center, describes the use of the Check Point award-winning support site. Appendix B, Appliance Installation, explains how to re-image and configure Check Point security appliances.