This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-17 09:27 AM
Jump to solution

R80.30 - ClusterXL CCP Encryption!

Under R80.30 it is possible to encrypt CCP traffic.  This is very useful to protect the cluster from manipulated CCP packets.  Therefore new commands have been implemented on the CLI for this purpose. The following description shows you how to enable CCP encryption. All settings you make on the CLI are permanently stored in the following file “/etc/fw.boot/ha_boot.conf”.  This means that all settings are preserved after the reboot. You have to set the settings on both gateways and they will take effect on the fly. The CCP encryption is disabled by default and must be enabled via CLI on both gateways.

 

The CCP Encryption:

  • Supports SHA-256 hash.
  • Key replacement is done on every policy installation
  • Encryption & decryption is done by CPU using AES-GCM to achieve minimal effect on performance.

 

Example commands:

 

# cphaprob ccp_encrypt         

clish> show cluster members ccpenc

 

 

With the following command the encryption can be permanently enabled on the fly:

# cphaconf ccp_encrypt on


In this way the encryption can be disabled on the fly

# cphaconf ccp_encrypt off

 

With this command you can test if the CCP encryption works. Here you should not see any cluster status information on the sync interface (blue). All packages should be visible under unknown when CCP encryption is enabled.

# tcpdump -nepi eth1 -x port -s 0 8116 2>/dev/null | ccp_analyzer -g –c

 

Unfortunately it is no longer possible to analyze the CCP packets via "ccp_analyzer " when encryption is enabled.

 

The CLISH commands:

  • Toggle encryption mode: “set cluster member ccpenc <on/off>”
  • Show encryption mode: “show cluster members ccpenc”


The commands under expert mode:

  • Toggle encryption mode: "cphaconf ccp_encrypt <on/off>"
  • Show encryption mode: "cphaprob ccp_encrypt"
  • Display encryption key: "cphaprob ccp_encrypt_key

 

 

More interesting articles: cp.ankenbrand24.de

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
(1)
1 Solution

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-24 07:08 AM
Jump to solution

Intel‘s AES New Instructions AES-NI is a encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in many processor familys.

Comprised of seven new instructions, AES-NI gives your environment faster, more affordable data protection and greater security.

You found more informations about AES NI here:

https://community.checkpoint.com/docs/DOC-3278-r80x-performance-tuning-tip-aes-ni

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

17 Replies
Sabine_Freimann
Participant
‎2019-02-17 11:11 AM
Jump to solution

Is this already available with R80.20?

HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-17 12:46 PM
Jump to solution

Hi Sabine,

Only R80.30+

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Timothy_Hall
Legend Legend
Legend
‎2019-09-26 09:46 AM
In response to HeikoAnkenbrand
Jump to solution

To further clarify, CCP encryption is enabled by default on R80.30 Gaia kernel version 3.10 only.  CCP encryption is disabled by default on R80.30 Gaia kernel version 2.6.18.  See sk162358: R80.30 cluster, with CCP Encryption enabled, managed by an R80.10 Security Management come...  Just noticed this difference in my lab and could not figure out what was going on until I found that SK.

Also tagging @PhoneBoy with this follow-up question: If CCP encryption is enabled it impacts both CCP traffic emanating out all clustered interfaces presenting a Cluster IP, and the CCP traffic on the sync interface, correct?  Is there any way to disable CCP encryption just for the state sync traffic (FWHAP_SYNC) yet leave it enabled for all the clustered interfaces presenting a Cluster IP?  My guess is no, but if one has a crossover cable connecting the sync ports in a 2-member cluster, it would be nice to save the overhead involved encrypting/decrypting that heavy sync traffic if the sync network is known to be secure.  Securing CCP on the cluster interfaces is still very important of course since they are accessible to the surrounding networks.

Yes I suppose someone could vampire into the sync cable and mess with the cluster if the sync network CCP traffic is not encrypted, but if the attacker already has physical access to your cluster and the sync cable you've got much bigger problems afoot...

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Armin__Alic
Participant
‎2019-02-17 08:01 PM
Jump to solution

nice

Dmitry_Krupnik
Employee Alumnus
Employee Alumnus
‎2019-02-18 06:45 AM
Jump to solution

Hi Heiko,

Thank you, that share this information with CheckMates. Did you mean "R80.30 - ClusterXL CCP Encryption!", right? Smiley Happy

Regards,

Dmitry.

HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-18 02:41 PM
Jump to solution

Hi Dmitry,

Thanks, I made a mistake. That must be named ClusterXL:-)

Regards

Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Pasqual_Woodcoc
Explorer
‎2019-08-10 12:55 AM
In response to HeikoAnkenbrand
Jump to solution

Very nice feature. I have all cluster encrypted:-)

Aviel_Ruijiling
Explorer
‎2019-02-20 02:36 AM
Jump to solution

Is it possible to use certificates to protect ccp sessions.

HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-20 07:42 AM
Jump to solution

I don't know that.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Dmitry_Krupnik
Employee Alumnus
Employee Alumnus
‎2019-02-20 12:20 PM
Jump to solution

Hi Heiko,

I would to provide more information about the CCP encryption, could you update your article according to it.


The CCP Encryption:

  • Supports SHA-256 encryption.
  • Key replacement is done on every policy installation
  • Encryption & decryption is done by CPU using AES-GCM to achieve minimal effect on performance.


You don't need to set key manually, it will be generated automatically and we recommend to use only this mode, at least because every policy installation will be generated new key (this option doesn't work if a key was set manually). The key can be set manually only as option for troubleshooting.


The CLISH commands:

  • Toggle encryption mode: “set cluster member ccpenc <on/off>”
  • Show encryption mode: “show cluster members ccpenc”


The commands under expert mode:

  • Toggle encryption mode: "cphaconf ccp_encrypt <on/off>"
  • Show encryption mode: "cphaprob ccp_encrypt"
  • Display encryption key: "cphaprob ccp_encrypt_key"

Regards,

Dmitry.

Dmitry_Krupnik
Employee Alumnus
Employee Alumnus
‎2019-02-20 12:28 PM
Jump to solution

Hi Aviel,

No, it isn't possible. In my opinion, we don't have a reason to use certificates here.

Regards,

Dmitry.

Tim_Tielens
Contributor
‎2019-02-22 04:06 AM
Jump to solution

What kind of performance impact are we talking about when enabling CCP encryption ?

It says: "minimal effect on performance"

But are there numbers available ?

PhoneBoy
Admin
Admin
‎2019-02-22 10:37 AM
Jump to solution

The encryption/decryption is most likely using AES-NI instructions built into recent Intel processors.

On systems that don't have AES-NI instructions, I imagine the performance impact will be a bit more noticeable.

As for exact numbers, I don't think we can comment until after GA.

HeikoAnkenbrand
Champion Champion
Champion
‎2019-02-24 07:08 AM
Jump to solution

Intel‘s AES New Instructions AES-NI is a encryption instruction set that improves on the Advanced Encryption Standard (AES) algorithm and accelerates the encryption of data in many processor familys.

Comprised of seven new instructions, AES-NI gives your environment faster, more affordable data protection and greater security.

You found more informations about AES NI here:

https://community.checkpoint.com/docs/DOC-3278-r80x-performance-tuning-tip-aes-ni

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Slavisa_Stojkov
Participant
‎2019-04-12 05:49 AM
In response to HeikoAnkenbrand
Jump to solution

Can I change the encrytion algorithm. 

Paul_Erez
Participant
‎2019-09-05 12:00 PM
Jump to solution

We use now the encryption. It works fine. 

Thanks

0 Kudos
cir007
Contributor
Contributor
‎2019-09-06 05:15 AM
Jump to solution

Unfortunately, it is no longer possible to analyze the CCP packets via "ccp_analyzer " when encryption is enabled.

 

Is there any other way to analyze CCP packets, or do I need to simply disable encryption when debugging clusterxl?

 

BR Jernej

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events