Securing virtual private networks (VPNs) in enterprise Site-to-Site environments is an important task for keeping the trusted network and data protected. Also it's critical to avoid any loss of data sovereignty.
When it comes to VPN security many security experts first think of encryption algorithms, perfect forward secrecy (PFS), Diffie-Hellman groups... and a long pre-shared key (PSK). Ouch!
What about VPN certificates?
Every security expert knows how much better certificates are for gaining high security levels. Therefore certificates are always best practice in enterprise grade security environments.
However, most VPN Site-to-site setups are still based on simple, long lasting pre-shared keys. In many cases these keys were even forgotten by the administrators in charge of keeping the network secure because once configured for the VPN tunnel they are not needed anymore.
This is because it's much quicker and really easy to set up a VPN with a simple pre-shared key than having to deal with certificates and a certificate authority (CA).
But is it really that hard to implement a way better security architecture based on certificates? This article shows how simple it can be when you work with Check Point Firewall & VPN security gateways.
So let's get started!
When working with VPN tunnels between Check Point gateways there is absolutely no reason not to use VPN certificates.
Management : Check Point SmartCenter
Gateway : Check Point Firewall & VPN
Remote Office : Check Point 1100 Appliance
Check Point is well-known for its superior security management solution to which all Check Point gateways are connected. This central management approach makes it so easy to deploy security settings to all connected gateways with a single click on policy installation.
Check Point's security management is called SmartCenter Server (or Multi-Domain Security Management) and has an internal certificate authority built-in. This InternalCA enables the global use of certificates between all connected components and gateways right out-of-the-box.
Check Point automatically generates certificates when a new Check Point object is created, so you don't have to take of certificate handling. Check Point does it all for you.
Establishing a certificate based VPN in centrally managed Check Point environments is as easy as 1-2-3.
First, create a VPN community for certificate based VPNs (Mesh or Star topology)
Configure your preferred VPN encryption settings for Phase 1 (IKE) and Phase 2 (IPsec).
We'll be using a permanent VPN tunnel here, because the Remote Office is a dynamically assigned IP address (DAIP) gateway. Therefore, when it's IP address changes it will automatically re-establish the VPN tunnel. Cool feature, isn't it?
Leave the checkbox for pre-shared keys unchecked!
Activate IPsec VPN on your participant gateways if it isn't already.
Choose your VPN community..
..and select the VPN encryption domain of the specific gateway.
Please note that you can either configure the VPN topology in wizard mode when creating a new Check Point object or in classic mode when the gateway object is already existing. Depending on where you configure it your graphics might look a bit different to the screen shots used here.
Verify your VPN certificate and IPsec VPN community.
After you have configured the VPN topology for your VPN gateways you should add them to your VPN community.
Add your VPN gateways to your VPN community.
Finally, install the security policy.
The certificate based VPN tunnel is now up an working!
Other companies love Check Point, too! They have their own SmartCenter Server (or Multi-Domain Security Management) as central Check Point security management.
To configure a certificate based VPN tunnel with their VPN gateway you just need to exchange certificates!
Navigate to Manage > Servers and OPSEC Applications... > internal_ca > Edit... > Local Security Management Server > Save As... and export your CA certificate in order to send it to the firewall administrators of that other company. Tell them to send you theirs as well.
Import their CA certificate via Manage > Servers and OPSEC Applications... > New > CA > Trusted select External Check Point CA and open the tab External Check Point CA
Import their CA certificate and confirm with OK.
Now you have two Trusted CA certificates that you can use for your VPN setup.
Create a new Check Point Externally Managed VPN Gateway... and configure your certificate based VPN according centrally managed VPNs.
Select their CA certificate as Matching Criteria for your IPSec VPN setup.
In case the Externally Managed VPN Gateway is a dynamically assigned IP address (DAIP) gateway make sure CRL checking works and the VPN tunnel is configured to be permanent. Check that your gateway can reach the CRL distribution points (check if DNS resolving is required), CRL retrieval via HTTP and CRL Caching is checked and enter the correct DN for their VPN certificate! (i.e. the DN of their defaultCert as shown under IPSec VPN of their Check Point Gateway object)
Check Point's 700 appliances are locally managed. So can be 1100 / 1400 appliances.
Using the same technique as described for externally managed Check Point gateways won't work as 600/1100 appliance don't have a SmartCenter server running. Still, these SMB appliances have their own local CA!
Check Point's SecureKnowledge article sk94028 describes the correct procedure.
First, let's export our InternalCA to the 1100 / 1400 appliance at our remote office.
In SmartDashboard just navigate to Manage > Servers and OPSEC Applications... > internal_ca > Edit... > Local Security Management Server > Save As... and export the certificate.
Verify that the locally managed SMB appliance has Site-to-Site VPN enabled.
Import the internal_ca.crt file to your locally managed SMB appliance.
You may want to disable CRL checking if your Management as primary CRL Distribution Point can't be reached or isn't resolvable. In an ideal world this shouldn't be required.
sk94028 details the CRL verification mechanism of Check Point's SMB appliances.
Easy, isn't it? Now we want to export the SMB appliance's certificate to our Management or (if you prefer) issue a certificate request to be signed by our Managements Internal_CA.
Option A - Export the SMB appliance's certificate
Highlight the Internal CA of our SMB appliance (NOT the one we just imported), then click "Export" and save the file.
Go to VPN > Certificates > Installed Certificates and open the Details of the Default Certificate.
Copy the Subject of the Default Certificate.
Create a VPN Site for the certificate based VPN tunnel to our VPN Gateway.
Configure the VPN site to use Certificate authentication.
In the Advanced tab > Certificate Matching set the "Remote Site Certificate should be issued by" to our Management Trusted CA's Name.
We are now finalizing our way cool VPN setup in SmartDashboard on our Management.
Navigate to Manage > Servers and OPSEC Applications... > New > CA > Trusted select OPSEC PKI and open the tab OPSEC PKI to import our saved SMB Internal CA file.
Again, you may want to disable CRL checking if required.
You'll then find our imported SMB certificate 'CP1100' next to our internal_ca within the Trusted CAs list of our Management.
Option B - Issue a certificate request
Go to VPN > Certificates > Installed Certificates and click New Signing Request to generate a new certificate.
Enter a Certificate name and Subject DN.
Export the Signing Request to a file
Copy the contents of the exported file
Create the signed certificate.
If required change the filename extension of the created certificate to .crt
On the SMB appliance Upload the Signed Certificate and Complete.
End of Option B
Now simply create an Externally Managed Check Point Gateway for our SMB appliance and your are all set up and done.
When configuring the Matching Criteria for our SMB appliance, check the DN box and paste the Subject of our SMB appliances Default Certificate if you took Option A.
In case of Option B first copy the DN of the created Certificate from within ICA Management Tool
then paste it into the DN field of the VPN certificate as issued by our internal_ca.
Install the security policy.
And check out the working VPN tunnel.
Danny Jung is passionate about VPN security and leads you through the joy of creating certificate based VPNs with Check Point appliances. Danny Jung is the Chief Technology Officer (CTO) at ESC and has been working with Check Point Firewalls for more than a decade.