Copyright © 2009 CRYPTOCard Inc. http://www.cryptocard.com
Implementation Guide for protecting CheckPoint Firewall-1 / VPN-1 with BlackShield ID
BlackShield ID implementation guide for CheckPoint Firewall-1/VPN-1 i
Copyright
Copyright © 2009, CRYPTOCard All Rights Reserved. No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any
language in any form or by any means without the written permission of CRYPTOCard.
Trademarks
BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks
or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the
property of their owners.
Additional Information, Assistance, or Comments
CRYPTOCard’s technical support specialists can provide assistance when planning and
implementing CRYPTOCard in your network. In addition to aiding in the selection of the
appropriate authentication products, CRYPTOCard can suggest deployment procedures that
provide a smooth, simple transition from existing access control systems and a satisfying
experience for network users. We can also help you leverage your existing network
equipment and systems to maximize your return on investment.
CRYPTOCard works closely with channel partners to offer worldwide Technical Support
services. If you purchased this product through a CRYPTOCard channel partner, please
contact your partner directly for support needs.
To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
For information about obtaining a support contract, see our Support Web page at
http://www.cryptocard.com.
Related Documentation
Refer to the Support & Downloads section of the CRYPTOCard website for additional
documentation and interoperability guides: http://www.cryptocard.com.
Publication History
Version 1.0, January 26, 2009: Document created
Version 1.1, July 9, 2009: Copyright year updated
Table of Contents
Overview
Applicability
Assumptions
Operation
Preparation and Prerequisites
Configuration
Defining the RADIUS server object
Defining the RADIUS Server
Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption
Creating an Authentication Group (VPN-1)
Adding CRYPTOCard Users in FireWall-1 / VPN-1
Configuring a Generic User Entry
Creating a FireWall-1 / VPN-1 Rule Set
Troubleshooting
Failed Logons
Additional information
Overview
By default, CheckPoint VPN connections require that a user provide a correct user name and
password to log on. This document describes the steps necessary to augment this logon
mechanism with strong authentication by adding a requirement to provide a one-time password
generated by a CRYPTOCard token.
Applicability
This integration guide is applicable to:
Security Partner Information
  Security Partner: CheckPoint
  Product Name and Version: Firewall-1 / VPN-1
  Protection Category: Remote Access
CRYPTOCard Server
  Authentication Server: BlackShield ID
  Version: Small Business Edition 1.2+, Professional Edition 2.3+
Assumptions
BlackShield ID has been installed and configured and a “Test” user account can be selected
in the Assignment Tab. There is no further configuration required to allow a user to use
their token with this solution.
Operation
The CheckPoint Firewall-1 or VPN-1 server sends all RADIUS authentication requests to the
BlackShield ID server. The BlackShield ID server then returns a message that either allows
or rejects the connection.
Preparation and Prerequisites
1. RADIUS Server installed, e.g. Microsoft Internet Authentication Service (IAS).
2. Appropriate BlackShield ID plug-in installed on RADIUS server.
Configuration
Defining the RADIUS server object
1. Login to the CheckPoint management console. Refer to the CheckPoint documentation
for instructions on performing this step.
2. From the CheckPoint SmartDashboard, select Manage > Network Objects.
3. Click New, select Node, and then click Host.
4. Under General Properties, enter the Host Node Properties:
   a) Name
   b) IP Address of the Microsoft IAS Server
   c) Comment
   d) Color
5. Click OK, then Close.
Defining the RADIUS Server
Once the host node object has been created, define a RADIUS server object that references
it, so that Check Point knows which host to send authentication requests to.
1. From the Check Point SmartDashboard, select Manage | Servers.
2. Define your RADIUS Server Properties:
   a) Name
   b) Comment
   c) Color
   d) Host (this should be the Host Node you defined in the previous section)
   e) Service (NEW-RADIUS should be selected)
   f) Shared Secret
   g) Version
   NOTE: The Shared Secret entered above must match the Shared Secret that is defined on
   the RADIUS server. When choosing your RADIUS protocol version, select RADIUS Version 2.0.
3. Click OK, and then Close.
4. Click the Policy menu, then click Install.
Applying RADIUS Authentication
1. From the Check Point SmartDashboard, click Manage | Network Objects.
2. Select the FireWall-1 / VPN-1 object (in this case it’s win2k-8) and click Edit.
3. Under General Properties, select Authentication, then verify that the boxes to the left
   of VPN-1 & FireWall-1 Password and RADIUS are checked.
Configuring the VPN-1 Settings and IKE (Internet Key Exchange) Encryption
The following steps allow the SecuRemote end-users to download the VPN-1 topology from
the FireWall, and to encrypt connections to the Inside network.
1. From the FireWall-1 / VPN-1 network object, under General Properties choose VPN.
2. Select your VPN Community (RemoteAccess).
3. Click Traditional mode configuration.
1. Place a check in the box next to ‘Exportable for SecuRemote/SecureClient’.
   Note: If the FireWall-1 is already in the Remote Access community, this check box is
   checked and cannot be unchecked.
2. In the VPN section under General Properties, verify that a Certificate exists in the
   Certificate List.
3. Verify that Hybrid Mode Authentication has been enabled: select Policy, Global Policy,
   Remote Access, VPN – Basic.
4. Under Support authentication methods, verify that Hybrid Mode is checked.
Creating an Authentication Group (VPN-1)
1. From the Manage Menu, select Users and Administrators, then click New and select Group.
   This group will be used to reference all users being authenticated by BlackShield ID.
2. In the Group Properties box enter the:
   a) Name
   b) Comment
   c) Colour
3. Click OK
Adding CRYPTOCard Users in FireWall-1 / VPN-1
CRYPTOCard token users can be configured to use RADIUS authentication in one of two ways
on FireWall-1 / VPN-1. Each CRYPTOCard token user can be added to the FireWall-1 / VPN-1
database individually, or a generic user entry can be configured. Use the method that best
meets your network authentication requirements.
1. In the Check Point SmartDashboard, select Manage > Users and Administrators. Click New,
   then Template.
2. In the User Template Properties dialog box, under the General Tab, define the Login Name
   (see the screen shot example on the next page).
3. Click the Personal Tab to define the Expiration Date, Comment, and Color.
4. Click on the Groups Tab.
5. Select the SecuRemote group created previously and click the Add button.
6. Click on the Authentication Tab and define the Authentication Scheme as RADIUS.
7. Select the RADIUS Server you created in the previous section.
8. Click the Location Tab and Time Tab to define these settings as per your network
   security policy.
9. Select the Encryption Tab and check the box to the left of ‘IKE’.
10. Click the Edit button to configure the IKE Encryption settings.
11. Select the Encryption Tab to validate the Encryption Algorithm.
12. Click the Install button to add the user to the FireWall-1 user database.
13. Close the Users and Administrators dialog box.
Configuring a Generic User Entry
1. From the Users and Administrators window, click New, External User Profile, then choose
   Match all users.
2. In the External User Profile Properties window, select the Groups tab, then add the
   appropriate Group.
3. On the Authentication tab choose RADIUS as the Authentication Scheme, then select the
   RADIUS Server.
4. Select the Encryption tab and place a checkmark in IKE.
Creating a FireWall-1 / VPN-1 Rule Set
Below is an example of two simple rule sets that will require users to authenticate with
CRYPTOCard tokens. Configure the rule sets as per your network requirements.
Troubleshooting
Failed Logons
Symptom: Authentication using the VPN client is rejected.
Possible Causes:
• Verify that the shared secret is correct on both the RADIUS server and the Checkpoint
  Firewall-1 / VPN-1.
• Ensure that the BlackShield IAS NPS Agent has been installed and configured properly.
• Verify that the token is in sync with BlackShield ID.
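To make the Operation and Failed Logons sections concrete, the following is an added Python walkthrough (not part of the CRYPTOCard guide) of the RADIUS exchange between Check Point and BlackShield ID: it builds an Access-Request whose User-Password is hidden under the shared secret (RFC 2865), lets the server answer Accept or Reject, and has the NAS verify the Response Authenticator with its own copy of the secret. The user name, OTP, secrets and the fixed Request Authenticator are constructed sample values; the walkthrough shows why a mismatched shared secret yields a rejected logon even when the token code is valid.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
# Constructed values for the walkthrough; a real NAS uses 16 fresh random bytes per request.
REQUEST_AUTH = bytes(range(16))
VALID_OTP = "482913"  # the one-time password the server currently expects (constructed)

def _xor_blocks(data, secret, request_auth, decrypt):
    # RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = block if decrypt else mixed  # chaining uses the ciphertext block
    return out

def build_access_request(ident, username, password, secret):
    raw = password.encode()
    padded = raw.ljust(-(-len(raw) // 16) * 16, b"\x00")  # pad to 16-byte multiple
    pairs = ((USER_NAME, username.encode()),
             (USER_PASSWORD, _xor_blocks(padded, secret, REQUEST_AUTH, False)))
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + REQUEST_AUTH + attrs

def server_handle(request, secret):
    # BlackShield ID side: recover the password with its own secret, answer Accept/Reject.
    attrs, pos, password = request[20:], 0, b""
    while pos < len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if t == USER_PASSWORD:
            password = _xor_blocks(attrs[pos + 2:pos + length], secret, request[4:20], True)
            password = password.rstrip(b"\x00")
        pos += length
    code = ACCESS_ACCEPT if password == VALID_OTP.encode() else ACCESS_REJECT
    header = struct.pack("!BBH", code, request[1], 20)  # no reply attributes
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def nas_verify(request, response, secret):
    # Check Point side: recompute the Response Authenticator with its configured secret.
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected

def logon(nas_secret, server_secret, otp="482913"):
    # Returns (response code, whether the NAS accepts the reply as authentic).
    request = build_access_request(7, "testuser", otp, nas_secret)
    response = server_handle(request, server_secret)
    return response[0], nas_verify(request, response, nas_secret)
```

With matching secrets `logon` returns an Access-Accept that verifies; with mismatched secrets the server sees a garbled password and replies Reject, and the NAS cannot even verify that reply, which is exactly the "shared secret" cause listed above.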
Additional information
For additional information, please visit http://www.cryptocard.com