ISS技術情報

To our customers
December 18, 2001

3-1-16 Kita-Shinjuku, Shinjuku-ku, Tokyo
Security Sales Department, 2nd Business Division



The following release has been issued by Internet Security Systems K.K. and is forwarded here for your information.

December 18, 2001 (Heisei 13)
Internet Security Systems K.K.


[English version] Refer to the separate release letter.

Configuring RealSecure 6.0 to Reconfigure CheckPoint
FW-1 v4.0/4.1 sp3 with OPSEC Authentication


The scope of this document is to describe the modifications necessary to allow FW-1 to accept and enforce SAM requests from RealSecure using “authentication” mode. Non-authenticated mode is not recommended, as any OPSEC-aware client application can send commands to the Firewall Management Console.

Firewall Configuration-
  • Edit file fwopsec.conf (located at $FWDIR\conf\) on the Management module and add any of the following lines that are not present:

    sam_server ip <ip address for fw manager>
    sam_server auth_port 18183
    ssl_proxy auth_port 18187
    ssl_proxy auth_type auth_ssl_opsec
    ssl_proxy fwd_machine <ip address for fw daemon>

    sam_allow_remote_requests yes

    All other default entries found in the fwopsec.conf file should be commented out.

  • Stop and restart the Firewall so that changes to fwopsec.conf will take effect. <fwstop then fwstart>

  • On the Firewall Management Console command line, type the following command (in directory $FWDIR\bin) to set up authentication with the desired RealSecure Network Sensor:
    fw putkey -opsec <ip address for network sensor>

    Or type the following for encrypted as well as authenticated connections:

    fw putkey -opsec -ssl <ip address for network sensor>

    (You will be prompted to enter and confirm a secret key phrase for generating the authentication key.)
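As an added example (not part of the ISS release or of any Check Point tool), the following Python check reads a copy of $FWDIR\conf\fwopsec.conf the way the steps above describe it: it confirms that the six required entries are active and reports any other uncommented entry, which the document says should be commented out. The sample file contents and addresses are constructed; the active "sam_server port" line is assumed here to stand for a default, non-authenticated entry that was left in place.

```python
# Entries this document requires in fwopsec.conf (key tokens -> expected value;
# None means "site-specific value, any non-empty token accepted").
REQUIRED = {
    ("sam_server", "ip"): None,
    ("sam_server", "auth_port"): "18183",
    ("ssl_proxy", "auth_port"): "18187",
    ("ssl_proxy", "auth_type"): "auth_ssl_opsec",
    ("ssl_proxy", "fwd_machine"): None,
    ("sam_allow_remote_requests",): "yes",
}

# Constructed sample file for the check; not a real fwopsec.conf.
SAMPLE_CONF = """\
# constructed sample fwopsec.conf
sam_server ip 192.0.2.10
sam_server auth_port 18183
sam_server port 18183          # assumed default entry left active (should be commented out)
ssl_proxy auth_port 18187
ssl_proxy auth_type auth_ssl_opsec
ssl_proxy fwd_machine 192.0.2.11
sam_allow_remote_requests yes
"""


def parse_fwopsec(text):
    """Return the active (uncommented) entries as tuples of whitespace-separated tokens."""
    active = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            active.append(tuple(line.split()))
    return active


def check_fwopsec(text):
    """Return (missing, extra): required entries absent or wrong, and active
    entries outside the required set (the document wants those commented out)."""
    active = parse_fwopsec(text)
    present = {tok[:-1]: tok[-1] for tok in active}  # key tokens -> last token
    missing = []
    for key, want in REQUIRED.items():
        got = present.get(key)
        if got is None or (want is not None and got != want):
            missing.append(" ".join(key) + (f" {want}" if want else " <value>"))
    extra = [" ".join(tok) for tok in active if tok[:-1] not in REQUIRED]
    return missing, extra


if __name__ == "__main__":
    missing, extra = check_fwopsec(SAMPLE_CONF)
    print("missing:", missing)
    print("should be commented out:", extra)
```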

RealSecure Network Sensor Configuration-

  • On the RealSecure Network Sensor command line, type the following command (in C:\Program Files\ISS\issSensors\network_sensor_1\) to complete the authentication process with the Firewall Management Console:

    opsec_putkey -port fw <ip address for management console>

    (You will be prompted again for the secret key.)

  • If the authentication process is successful you will get the message:

    “OPSEC: Received new security control key from <ip>”
    “Authentication with <ip> initialized”

    You will see the following message if you add -ssl (for encryption as well as authentication) to the command line:

    opsec_putkey -ssl -port fw <ip address for management console>

    “FW: Received new security control key from <ip>”
    “Authentication with <ip> initialized”

  • Set up the OPSEC response (under detector responses in the RealSecure Console GUI) with the Firewall Management Console’s IP address. Set any other desired options for the OPSEC response properties.
  • Stop and restart the detector.
  • Configure the desired security events with OPSEC enabled as a response under the Policy Editor and apply it to the detector.

On a side note, if the Firewall and the Management Server are on the same machine, then you must set up a rule allowing the outside sensor to connect to the firewall using the FW1 service (port 256, for key exchange) as well as the FW_sam and FW_ela services.

If the Firewall and the Management Server are on separate machines, then it is not necessary to open additional ports on the Firewall, but on each Firewall machine you must enter:

fw putkey -opsec [-ssl] <ip_address/hostname of Management Server>    (-ssl is optional)


End of notice.


The Internet Security Systems logo and the Internet Security Systems products are trademarks or registered trademarks of Internet Security Systems, Inc. Other company logos and product names are trademarks or registered trademarks of their respective companies.