topic Re: Access to HTTPS decrypted data in General Topics

Access to HTTPS decrypted data

HristoGrigorov — Fri, 24 Apr 2020 05:22:05 GMT

Hello,

You all know that there is a way to gain access to HTTPS decrypted data via fw ctl set ... interface.

Now, we need to have second firewall admin with expert access, this cannot be avoided for many reasons.

However, because of the EU GDPR requirements he/she must not be able to gain any access to employees personal data because he is not authorized for that.

Certain categories (Health, Financial) are already bypassed and I am thinking to restrict that admin access to modify HTTPS Inspection policy but I am not sure that is good enough first because false categorization may happen and second it kind of limits that admin in his tasks to modify policy should another urgent reason arises.

So, is there any way to restrict access to fw ctl set ... for an admin with expert access or otherwise how do you recommend to handle such situation?

Re: Access to HTTPS decrypted data

PhoneBoy — Fri, 24 Apr 2020 06:44:39 GMT

If you give someone expert access, it's the same as giving them root shell access.
Which means: there's not really a way to restrict access to that.

The way I've seen other customers handle this is to log all the commands a user does in expert mode and audit what they do to ensure they don't access any commands of concern.
You can see how to do that here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk99134

Longer term, the goal is to eliminate any reason to go to expert mode to begin with.
That means adding more commands to clish and ensuring RBA can be used to control access to said commands.

Re: Access to HTTPS decrypted data

HristoGrigorov — Fri, 24 Apr 2020 07:26:12 GMT

Thanx, I though about that too but it is more like reactive measure and not proactive one as it should.

You happen to know how much long will be that "long term" ? 😉

Re: Access to HTTPS decrypted data

Danny — Fri, 24 Apr 2020 07:50:51 GMT

I'd probably try to configure a restricted Admin role with extended commands and see if that fits my needs.

Alternatively you could avoid access to the CLI by allowing this user to run a script within SmartConsole only that is preconfigured for fw ctl set..

And then there are SmartConsole extensions you could use to reach your goal providing access to specific fw ctl output via run-script. I'd be more than happy to assist you with that.

Re: Access to HTTPS decrypted data

HristoGrigorov — Fri, 24 Apr 2020 08:30:20 GMT

Plenty of good ideas Danny!

I have to think about it. Access is needed mostly for troubleshooting purposes and may be in case of DoS attack.

So, CPView, ccc and of course "super seven", fwmonitor, etc....

Setting kernel parameters isn't really daily task and I am fine with only one person having access to it.

I like the Smart Extensions idea but they are currently a bit buggy and annoying. Hope CP improves them soon...

Re: Access to HTTPS decrypted data

PhoneBoy — Fri, 24 Apr 2020 15:21:32 GMT

No specific timelines that I'm aware of.
May want to discuss an RFE with your local office.