Checkpoint SIC
Secure Internal Communications (SIC) 26-Jun-2001
NG-FCS Version
Abstract
Check Point Software has enhanced the Internal Communications method for the components within a Next Generation (NG) Check Point System. This method is based on Digital Certificates, and will be further described below. This is a new and improved method for all of the internal communications, so if you are familiar with "fw putkeys", you will not have to go back there…
Document Title: Secure Internal Communications
Creation Date: 08-Feb-2001
Modified Date: 26-Jun-2001
Document Revision: 2 (meaning this is the 3rd revision)
Product Class: FireWall-1 / VPN-1
Product and Version: NG
Author: Joe DiPietro
DISCLAIMER
The Origin of this information may be internal or external to Check Point Software Technologies. Check Point Software Technologies makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Check Point Software Technologies makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.
Given the Diagram below, we will establish a Trust Relationship with the Management Station and the FireWall-1 Module. The Management Server is located at 10.1.2.3, and the FireWall-1 Module will be defined as 10.1.2.1.
Table of Contents
SIC Overview
FireWall-1 Object Definition on Management Station
Initialize Trust Relationship
Interface Definition
Policy Install
Troubleshooting
  Netstat
  cpstop/cpstart
  cpd -d
Secure Internal Communications (SIC) is the new method by which Check Point components communicate with each other in Check Point Next Generation (NG). It is based on SSL with Digital Certificates. When you install the management station, you create a Certificate Authority (CA). This Certificate Authority issues certificates for all components that need to communicate with each other. For example, a distributed FireWall-1 Module needs a certificate from the management station before a policy can be downloaded to it (or even before it can be licensed remotely via the new license method). Here is a quick snapshot of a Primary Management Station installation, where the CA is created.
Once the Primary Management Station is up and active, it can initialize the remote FireWall-1 Module if the module has the same One Time Password (OTP). The following screen shows a snapshot of the FireWall-1 Module installation, where you must enter a One Time Password (OTP) for the Initialization Process with the Management Station. You can also run "cpconfig" after the installation and initialize the OTP at that point.
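As an added illustrative model (not Check Point's SIC protocol or code), the following Python sketches the trust-initialization idea described above: the OTP entered on the module must match the OTP entered for that module object on the management station before the management CA issues a certificate, and a used OTP cannot be replayed. The module names, OTP values, and the HMAC-based stand-ins for key pairs and certificate signatures are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Conceptual model of SIC trust initialization (added example, not Check Point's
# real protocol): the module's install-time OTP must match the OTP set for that
# module object on the management station before the management CA issues a cert.

def _proof(otp, name, pubkey):
    # The module proves knowledge of the OTP without ever sending the OTP itself
    return hmac.new(otp.encode(), name.encode() + pubkey, hashlib.sha256).digest()

class ManagementCA:
    def __init__(self):
        self._ca_key = secrets.token_bytes(32)  # stands in for the CA private key
        self.pending = {}  # module name -> OTP the operator entered for that object

    def initialize_trust(self, name, pubkey, proof):
        otp = self.pending.get(name)
        if otp is None or not hmac.compare_digest(_proof(otp, name, pubkey), proof):
            return None  # unknown module or wrong OTP: no certificate is issued
        del self.pending[name]  # OTP is one-time: reuse requires setting a new one
        body = name.encode() + b"|" + pubkey.hex().encode()
        return body + b"|" + hmac.new(self._ca_key, body, hashlib.sha256).hexdigest().encode()

    def verify(self, cert):
        # Policy install and licensing later check that the cert came from this CA
        body, _, sig = cert.rpartition(b"|")
        expected = hmac.new(self._ca_key, body, hashlib.sha256).hexdigest().encode()
        return hmac.compare_digest(expected, sig)

class FirewallModule:
    def __init__(self, name, otp):
        self.name, self._otp = name, otp  # OTP entered at install time or via cpconfig
        self.pubkey = secrets.token_bytes(32)  # stands in for the module's key pair

    def request_trust(self, ca):
        return ca.initialize_trust(self.name, self.pubkey, _proof(self._otp, self.name, self.pubkey))

def run_scenarios():
    """Return (matching OTP succeeds, wrong OTP is refused, consumed OTP cannot be replayed)."""
    ca = ManagementCA()
    ca.pending["fw-10.1.2.1"] = "otp-constructed-1"  # constructed OTP values
    cert = FirewallModule("fw-10.1.2.1", "otp-constructed-1").request_trust(ca)
    ok = cert is not None and ca.verify(cert)
    ca.pending["fw-10.1.2.4"] = "otp-constructed-2"  # second, hypothetical module
    refused = FirewallModule("fw-10.1.2.4", "wrong-otp").request_trust(ca) is None
    no_replay = FirewallModule("fw-10.1.2.1", "otp-constructed-1").request_trust(ca) is None
    return ok, refused, no_replay
```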