Copyright © 2009 CRYPTOCard Inc. http:// www.cryptocard.com

Implementation Guide for protecting

CheckPoint Firewall-1 / VPN-1

with

BlackShield ID


BlackShield ID implementation guide for CheckPoint Firewall-1/VPN-1 i

Copyright

Copyright © 2009, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.

Trademarks

BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.

Additional Information, Assistance, or Comments

CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.

To contact CRYPTOCard directly:

International Voice: +1-613-599-2441

North America Toll Free: 1-800-307-7042

[email protected]

For information about obtaining a support contract, see our Support Web page at

http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.

Publication History

Date              Changes                  Version
January 26, 2009  Document created         1.0
July 9, 2009      Copyright year updated   1.1


Table of Contents

Overview
Applicability
Assumptions
    Operation
Preparation and Prerequisites
Configuration
    Defining the RADIUS server object
Defining the RADIUS Server
Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption
Creating an Authentication Group (VPN-1)
Adding CRYPTOCard Users in FireWall-1 / VPN-1
Configuring a Generic User Entry
Creating a FireWall-1 / VPN-1 Rule Set
Troubleshooting
    Failed Logons
Additional information


Overview

By default, CheckPoint VPN connections require that a user provide a correct user name and password to log on. This document describes the steps necessary to augment that logon with strong authentication: the user must also supply a one-time password generated by a CRYPTOCard token, which the gateway forwards to BlackShield ID over RADIUS for validation.

Applicability

This integration guide is applicable to:

Security Partner Information
  Security Partner:          CheckPoint
  Product Name and Version:  Firewall-1 / VPN-1
  Protection Category:       Remote Access

CRYPTOCard Server
  Authentication Server:     BlackShield ID
  Version:                   Small Business Edition 1.2+
                             Professional Edition 2.3+

Assumptions

BlackShield ID has been installed and configured, and a “Test” user account can be selected in the Assignment tab. No further BlackShield ID configuration is required for a user to authenticate with their token through this solution.

Operation

The CheckPoint Firewall-1 / VPN-1 gateway sends every RADIUS authentication request (the user name plus the one-time password from the token) to the RADIUS server on which the BlackShield ID agent is installed. The agent validates the one-time password against BlackShield ID, the RADIUS server returns Access-Accept or Access-Reject, and the gateway allows or refuses the VPN connection accordingly. Both sides authenticate the exchange with the RADIUS shared secret, so the secret configured on the gateway must match the secret configured for that gateway on the RADIUS server; if they differ, no logon can succeed.


Preparation and Prerequisites

1. A RADIUS server is installed, e.g. Microsoft Internet Authentication Service (IAS).

2. The appropriate BlackShield ID plug-in (the BlackShield IAS NPS Agent) is installed and configured on that RADIUS server.

Configuration

Defining the RADIUS server object

1. Log in to the CheckPoint management console. Refer to the CheckPoint documentation for instructions on performing this step.

2. From the CheckPoint SmartDashboard, select Manage > Network Objects.

3. Click New, select Node, and then click Host.

4. Under General Properties, enter the Host Node Properties:
   a) Name
   b) IP Address of the Microsoft IAS server
   c) Comment
   d) Color

5. Click OK, then Close.


Defining the RADIUS Server

Once the host node has been created, define a RADIUS server object that references it, so that the gateway knows where to send authentication requests and which shared secret to use.

1. From the Check Point SmartDashboard, select Manage | Servers.

2. Create a new RADIUS server object (New > RADIUS).

3. Define your RADIUS Server Properties:
   a) Name
   b) Comment
   c) Color
   d) Host (this should be the Host Node you defined in the previous section)
   e) Service (NEW-RADIUS should be selected)
   f) Shared Secret
   g) Version

NOTE: The Shared Secret entered above must match the Shared Secret that is defined for this gateway on the RADIUS server; a mismatch is the most common reason for every logon being rejected. NEW-RADIUS is the service on UDP port 1812, the port assigned to RADIUS authentication by RFC 2865, whereas the older RADIUS service object uses UDP 1645; the RADIUS server must be listening on the port the gateway sends to. When choosing your RADIUS protocol version, select RADIUS Version 2.0.

4. Click OK, and then Close.

5. Click the Policy menu, then click Install.

Applying RADIUS Authentication

1. From the Check Point SmartDashboard, click Manage | Network Objects.

2. Select the FireWall-1 / VPN-1 object (in this case it’s win2k-8) and click Edit.

3. Under General Properties, select Authentication, then verify that the boxes to the left of VPN-1 & FireWall-1 Password and RADIUS are checked.

Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption

The following steps allow SecuRemote end users to download the VPN-1 topology from the FireWall and to encrypt connections to the inside network. They also enable Hybrid Mode IKE, in which the gateway authenticates itself to the client with its certificate while the user authenticates to the gateway with a user name and one-time password over RADIUS; this is why a gateway certificate must exist before Hybrid Mode can be used.

1. From the FireWall-1 / VPN-1 network object, under General Properties choose VPN.

2. Select your VPN Community (RemoteAccess).

3. Click Traditional mode configuration.

4. Ensure that the box next to ‘Exportable for SecuRemote/SecureClient’ is checked.

   Note: If the FireWall-1 is already in the Remote Access community, this check box is checked and cannot be unchecked.

5. In the VPN section under General Properties, verify that a certificate exists in the Certificate List.

6. Verify that Hybrid Mode authentication has been enabled: select Policy, Global Properties, Remote Access, VPN – Basic.

7. Under Support authentication methods, verify that Hybrid Mode has been check-marked.


Creating an Authentication Group (VPN-1)

1. From the Manage menu, select Users and Administrators, then click New and select Group. This group will be used to reference all users being authenticated by BlackShield ID.

2. In the Group Properties box enter the:
   a) Name
   b) Comment
   c) Colour

3. Click OK.


Adding CRYPTOCard Users in FireWall-1 / VPN-1

CRYPTOCard token users can be configured to use RADIUS authentication in one of two ways on FireWall-1 / VPN-1: each CRYPTOCard token user can be added to the FireWall-1 / VPN-1 database individually, or a generic user entry can be configured. Use the method that best meets your network authentication requirements.

1. In the Check Point SmartDashboard, select Manage > Users and Administrators. Click New, then Template.

2. In the User Template Properties dialog box, under the General tab, define the Login Name (see the screen shot example on the next page).

3. Click the Personal tab to define the Expiration Date, Comment, and Color.

4. Click the Groups tab.

5. Select the SecuRemote group created previously and click the Add button.

6. Click the Authentication tab and define the Authentication Scheme as RADIUS.

7. Select the RADIUS Server you created in the previous section.

8. Click the Location tab and Time tab to define these settings as per your network security policy.

9. Select the Encryption tab and check the box to the left of ‘IKE’.

10. Click the Edit button to configure the IKE encryption settings.

11. Select the Encryption tab to validate the Encryption Algorithm.

12. Click the Install button to add the user to the FireWall-1 user database.

13. Close the Users and Administrators dialog box.


Configuring a Generic User Entry

1. From the Users and Administrators window, click New, External User Profile, then choose Match all users.

2. In the External User Profile Properties window, select the Groups tab, then add the appropriate Group.

3. On the Authentication tab choose RADIUS as the Authentication Scheme, then select the RADIUS Server.

4. Select the Encryption tab and place a checkmark in IKE.

With a Match all users profile, any login name that is not defined individually in the FireWall-1 / VPN-1 user database is sent to the RADIUS server, so who may connect is decided by which users have a token assigned in BlackShield ID rather than by the gateway’s own user list. Keep the rules that grant VPN access restricted to the group added in step 2, and review token assignments in BlackShield ID as carefully as you would the gateway’s user database.


Creating a FireWall-1 / VPN-1 Rule Set

Below is an example of two simple rules that require users to authenticate with CRYPTOCard tokens. Configure the rules as per your network requirements.

Troubleshooting

Failed Logons

Symptom: Authentication using the VPN client is rejected.

Possible Causes:
• Verify that the shared secret is correct on both the RADIUS server and the Checkpoint Firewall-1 / VPN-1.
• Ensure that the BlackShield IAS NPS Agent has been installed and configured properly.
• Verify that the token is in sync with BlackShield ID.
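The RADIUS exchange described under Operation, and the shared-secret failure listed first above, as an added example in Python that is not part of this guide, of Check Point's software or of BlackShield ID. It implements the RFC 2865 Access-Request / Access-Accept / Access-Reject exchange for a PAP-style one-time password: the gateway hides the password with MD5 and the shared secret, the server recovers it and replies, and the gateway verifies the Response Authenticator before it trusts the answer. The user name, the OTP value, the two secrets and the one-entry table standing in for the BlackShield ID token check are all constructed for the example.

```python
"""RADIUS PAP exchange between a VPN gateway and its RADIUS server (RFC 2865).

Added illustration; not code from the CRYPTOCard guide, Check Point or BlackShield ID.
The OTP check is a constructed stand-in (one valid OTP per user), not the token algorithm.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed stand-in for the BlackShield ID token check: user name -> OTP valid right now.
VALID_OTPS = {b"testuser": b"48217396"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. A wrong secret yields garbage, not an error."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value attributes; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(user: bytes, otp: bytes, secret: bytes, authenticator: bytes, ident: int = 1) -> bytes:
    attrs = encode_attrs([(ATTR_USER_NAME, user),
                          (ATTR_USER_PASSWORD, hide_password(otp, secret, authenticator))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, request_authenticator: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_authenticator + secret).digest()


def verify_response(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def radius_server(request: bytes, server_secret: bytes) -> bytes:
    """What the RADIUS server (IAS plus the BlackShield ID agent) does with one request."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"")
    otp = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), server_secret, req_auth)
    ok = code == ACCESS_REQUEST and hmac.compare_digest(otp, VALID_OTPS.get(user, b""))
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, server_secret)


def gateway_login(user: bytes, otp: bytes, gateway_secret: bytes, server_secret: bytes) -> str:
    """One VPN logon. Returns 'accept', 'reject', or 'discard' (Response Authenticator bad)."""
    req_auth = os.urandom(16)
    response = radius_server(build_access_request(user, otp, gateway_secret, req_auth), server_secret)
    if not verify_response(response, req_auth, gateway_secret):
        return "discard"  # mismatched shared secrets land here: the gateway never sees an Accept
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(gateway_login(b"testuser", b"48217396", b"s3cret", b"s3cret"))  # accept
    print(gateway_login(b"testuser", b"00000000", b"s3cret", b"s3cret"))  # reject
    print(gateway_login(b"testuser", b"48217396", b"s3cret", b"wrong"))   # discard
```

Run as a script and the three calls print accept, reject and discard. The last case is the mismatched-secret scenario from the list above: the server recovers a garbage password and answers Access-Reject, and because that reply is authenticated with the server's secret the gateway cannot even validate it, so the logon fails without an Accept ever being possible. The real agent behaves the same way, so when every logon fails, compare the two secrets before suspecting the token.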

Additional information

For additional information, please visit http://www.cryptocard.com