topic Re: SFTP traffic Inspection via VPN Tunnel in Firewall and Security Management

SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Tue, 05 Jan 2021 15:34:00 GMT

Hello CheckMates,

I have below doubt to be implemented, can anyone shed some ideas on how to achieve.

1) I have CheckPoint ClusterHA deployed and VPN Tunnel is running towards Peer 3rd Party FW.

2) Enabled FW, VPN, IPS, APP/URL, AV, AB blades in CheckPoint.

3) Behind CheckPoint Cluster - we have SFTP Server in VPN Domain

4) Behind Peer 3rd FW - we have Client machine who will access our SFTP server via VPN Tunnel and upload files.

How can I inspect this SFTP traffic in CheckPoint?

Like, if I'm uploading any malware file onto our SFTP Server via VPN Tunnel from 3rdParty Client domain, will CheckPoint FW able to inspect this? (Either IPS or AV)

As per FW chain modules, at external interface of CheckPoint-decrypt happens and then moved to modules like IPS/AV into FW kernel. Then the packet reaches Internal SFTP server.

I cannot use HTTPS inspection Policy as it is not HTTP/S protocol.

Which way I can inspect this traffic which is passing via Tunnel and reaches CheckPoint and then to SFTP Server.

Note: Under Threat Profile - under AV setting we see "Protocol-HTTP, FTP, SMTP" - will enabling FTP can work?

Also IPS can only check few of SFTP/FTP Protocols based on signatures only

Regards, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

Marcel_Gramalla — Tue, 05 Jan 2021 15:42:32 GMT

Hi,

we havent't implented this feature yet but it is possible: SSH Deep Packet Inspection (checkpoint.com)

This feature requires R80.40 as per documentation.

Regards

Marcel

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Tue, 05 Jan 2021 15:53:37 GMT

R80.40 has SSH Deep Packet inspection feature, which allows decrypting SFTP and SSH for inbound connections. Some details are here: https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/Topics-TPG/Using-SSH-Inspection.htm?Highlight=SSH%20DPI

However, in your case VPN is complicating the issue.

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Tue, 05 Jan 2021 15:56:38 GMT

Hello Marcel,

Yes , SSH DPI can be used from R80.40 onwards in which AV & Sandblast can check inspection on SCP/FTP traffic which is new..

"SCP and SFTP file transfers can be scanned using SSH Deep Packet Inspection"

But any idea how will it show or make the SFTP Traffic inspection? or anyone have tried this SSH DPI in R80.40 having results?

Regards, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Tue, 05 Jan 2021 16:00:02 GMT

@Prabulingam_N1 Please read the guide, you should have all you need there.
Also, we do have customers using this feature.

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Tue, 05 Jan 2021 16:23:03 GMT

Hi Val,

Yes since my SFTP traffic from Peer side passes thru Tunnel and reaches CheckPoint - hope once CheckPoint decrypts then it can perform this inspection.

Let me try this once to see if really inspects or not.

Regards, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Tue, 05 Jan 2021 16:27:01 GMT

Most probably not. IPSec VPN tunnel here is an issue

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Tue, 05 Jan 2021 16:37:43 GMT

Hi Val,

Since on FW chain modules (fw ctl chain) Inbound - Packet gets decrypted by FW, then moves into kernel modules for other blades to check, then goes into inbound towards Internal SFTP server. with this it should work.

Regards, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Tue, 05 Jan 2021 16:39:43 GMT

Not that simple, but you can try anyway.

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Mon, 18 Jan 2021 16:02:23 GMT

Dear Val,

I had setup SSH DPI as per Document.

Copied SFTP Server's Public/Private Key into FW and enabled thru command.

But how do I confirm if SFTP traffic gets Inspected or NOT.

No sign of related Logs on this traffic.

Regards, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Wed, 20 Jan 2021 09:46:01 GMT

Did you setup security rules for inspection as well?

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Mon, 25 Jan 2021 09:06:48 GMT

Dear Val,

I had followed as per SSH DPI mentioned in R80.40 TP Admin guide.

Copied SFTP Server's Public/Private Key into FW and enabled thru command.

Enabled AntiVirus & IPS Blade

Also enabled the option in AV Profile settings: "Process All file Types"

Im able to upload Eicar test file into my Internal SFTP Server successfully, and FW did NOT do any inspection.

No rules as such in Policies to Inspect like we have for HTTPS Policy, only enabling SSH DPI via command.

You had mentioned some customer had used this feature, can you help me in getting those info.

Regards, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Mon, 25 Jan 2021 09:15:55 GMT

You need inspection rules. Follow Threat Prevention guide I have referenced before. If you have any issue, please reach out to your local Check Point office or open a support request with TAC

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Mon, 25 Jan 2021 09:17:27 GMT

Concerning the references, you can look here, for example: https://community.checkpoint.com/t5/General-Topics/SSH-decryption-in-Check-Point-R80-20/m-p/48251#M9419

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Mon, 25 Jan 2021 09:21:39 GMT

Also, what is your output for this?

cpssh_config istatus

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Mon, 25 Jan 2021 10:06:50 GMT

Hello Val,

Below the Output:

[Expert@FWSTDR8040:0]# cpssh_config istatus
SSH Inspection is enabled

[Expert@FWSTDR8040:0]# cpssh_config -q
This is available ID for set/get:
0: Global
1: KeyExchange
2: Cipher
3: Mac
4: Hostkey
[Global] Inspection_Enabled = 1
[Global] Port_fowarding_Enabled = 1
[Global] Inspection_Forced = 1
[Global] Connection_Timeout_Sec = 2000000000
[KeyExchange] diffie-hellman-group-exchange-sha1 = 1
[KeyExchange] diffie-hellman-group-exchange-sha256 = 1
[Cipher] aes128-cbc = 1
[Cipher] aes256-cbc = 1
[Cipher] aes128-gcm@openssh.com = 1
[Cipher] aes256-gcm@openssh.com = 1
[Mac] MD5 = 1
[Mac] SHA1 = 1
[Mac] SHA256 = 1
[Mac] SHA384 = 1
[Mac] SHA512 = 1
[Hostkey] ssh-rsa = 1
[Hostkey] rsa-sha2-256 = 1
[Hostkey] rsa-sha2-512 = 1
[Expert@FWSTDR8040:0]#

Regads, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Mon, 25 Jan 2021 12:31:03 GMT

Okay, its seems to be enabled. I have told you from the start, I see VPN being an issue here, but the best cause of action is to run this with TAC

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Tue, 26 Jan 2021 15:34:52 GMT

Hello Val,

No worries.

I just did and got the result...Cool result in SSH DPI logs..

Traffic passing via VPN Tunnel.

Once FW decrypted, it gets into AV blade and got Prevented for Malware

(Used eicar.com file and uploaded into SFTP server via WinSCP in Client machine)

Regards, Prabu

Re: SFTP traffic Inspection via VPN Tunnel

_Val_ — Tue, 26 Jan 2021 16:49:10 GMT

Great, so what was the issue? Please share with us

Re: SFTP traffic Inspection via VPN Tunnel

Prabulingam_N1 — Wed, 27 Jan 2021 04:02:33 GMT

Hello Val,

Performed Transparent method and could not get.

Hence made as "non-transparent inspected SSH server" using only Public key of Server onto FW - got it.

And enabled the "Process file which contain known Malware" under AV Profile setting & worked.

No additional rule in FW rulebase (VPN Rule between both Encryption domains is enough)

Regards, Prabu