Managing Your SecurePlatform System
This section provides information on how to manage your SecurePlatform system, using the SecurePlatform Command Shell.
The Command Shell provides a set of commands required for configuration, administration and diagnostics of various system aspects. To manage Firewall and Address Translation policies and QoS policies, use SmartConsole.
Connecting to SecurePlatform by Using Secure Shell
SecurePlatform provides an SSH service, which allows secured, authenticated and encrypted access to the SecurePlatform system.
SSH (or Secure SHell) is a protocol for creating a secure connection between two systems. In the SSH protocol, the client machine initiates a connection with a server machine. The following safeguards are provided by SSH:
- After an initial connection, the client can verify that it is connecting to the same server during subsequent sessions.
- The client can transmit its authentication information to the server, such as a username and password, in an encrypted format.
- All data sent and received during the connection is transferred using strong encryption, making it extremely difficult to decrypt and read.
The SSH service runs by default. In addition, access to the SSH service is limited to the same IPs that have been allowed access to the Web UI. Granular control over which machines may access the SecurePlatform system using SSH can be set in the security policy.
SSH login is allowed using the Standard Mode account user name and password only. SCP service: files can be copied to and from SecurePlatform using SCP client software. Access to SCP is controlled by editing /etc/scpusers.
Important - When you add a user to the scpusers file, you give him expert privileges!
User Management
SecurePlatform Shell includes two permission levels (Modes): Standard and Expert.
Standard Mode
This is the default mode, when logging in to a SecurePlatform system. In Standard Mode, the SecurePlatform Shell provides a set of commands, required for easy configuration and routine administration of a SecurePlatform system. Most system commands are not supported in this Mode. Standard mode commands are listed in SecurePlatform Shell.
Standard Mode displays the following prompt: [hostname]#, where hostname is the host name of the machine.
Expert Mode
The Expert Mode provides full system root permissions and a full system shell. Switching from Standard Mode to Expert Mode requires a password. The first time you switch to Expert mode you will be asked to select a password. Until then, the password is the same as the one that you set for Standard Mode.
That is, you need to enter the first replacement password that you set when you first logged in as the admin user. Any subsequent administrator password change does not update the Expert password that you must enter at the first-time Expert password change.
To exit Expert Mode, run the command exit.
Expert Mode displays the following prompt: [Expert@hostname]#, where hostname is the host name of the machine.
Important - Expert Mode should be used with caution. The flexibility of an open shell, with a root permission, exposes the system to the possibility of administrative errors.
Note - An Expert user must first log in as a Standard user, and only then enter the expert command to access Expert Mode. Until you change passwords, the Expert password is the same password that you set for Standard Mode, i.e. you need to enter the first replacement password that you used when logging in as the admin user. Any subsequent admin password change does not update the Expert password that you must enter at the first-time Expert password change.
SecurePlatform Administrators
SecurePlatform supports multiple administrator access to the regular shell. This can be used to audit configuration changes performed by administrators. Every such change is logged to the system's syslog mechanism, with the username of the administrator as a tag.
To configure another administrator from the cpshell, enter the following command:
adduser [-x EXTERNAL_AUTH] <user name>
You will be asked to enter and confirm a password for the administrator. The password must conform to the following complexity requirements:
- at least 6 characters in length
- a mixture of alphabetic and numeric characters
- at least four different characters
- does not use simple dictionary words, or common strings such as "qwerty"
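The following shell function is an added example, not part of SecurePlatform or its cpshell, that checks a candidate administrator password against the four rules listed above. The "dictionary" it consults is a short constructed word list standing in for a real one; a production check would use a full dictionary.

```shell
#!/bin/sh
# Added example (not SecurePlatform code): validate an administrator password
# against the four complexity rules from the guide.

# Constructed stand-in for a dictionary of simple words and common strings.
COMMON_STRINGS="password qwerty admin letmein checkpoint 123456 abc123"

# check_admin_password PASSWORD
# Returns 0 if every rule is satisfied, 1 otherwise; the first failing rule
# is reported on stderr.
check_admin_password() {
    pw=$1

    # Rule 1: at least 6 characters in length.
    if [ "${#pw}" -lt 6 ]; then
        echo "rejected: fewer than 6 characters" >&2
        return 1
    fi

    # Rule 2: a mixture of alphabetic and numeric characters.
    case $pw in
        *[A-Za-z]*) ;;
        *) echo "rejected: no alphabetic character" >&2; return 1 ;;
    esac
    case $pw in
        *[0-9]*) ;;
        *) echo "rejected: no numeric character" >&2; return 1 ;;
    esac

    # Rule 3: at least four different characters
    # (one character per line, de-duplicated, then counted).
    distinct=$(printf '%s\n' "$pw" | fold -w1 | sort -u | wc -l)
    if [ "$distinct" -lt 4 ]; then
        echo "rejected: fewer than 4 distinct characters" >&2
        return 1
    fi

    # Rule 4: no simple dictionary word or common string, matched
    # case-insensitively anywhere inside the password.
    lower=$(printf '%s\n' "$pw" | tr 'A-Z' 'a-z')
    for w in $COMMON_STRINGS; do
        case $lower in
            *"$w"*) echo "rejected: contains common string '$w'" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Call it as `check_admin_password 'candidate'` and branch on the exit status; it prints nothing on success, so it can be wired into a provisioning script without extra parsing.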
To delete an administrator from the cpshell, enter the following command:
deluser <name>
You can also define additional administrators through the Web GUI.
How to Authenticate Administrators via RADIUS
Note - Authentication of SecurePlatform Administrators via RADIUS is available only if the Advanced Networking Software Blade is enabled on the gateway.
All Administrators must be authenticated by one of the supported authentication methods. As well as being authenticated through the internal database, Administrators may also be authenticated via RADIUS. SecurePlatform administrators can be authenticated using the RADIUS server in two ways:
- By configuring the local user authentication via the RADIUS server. In this case it is necessary to define all users that will be authenticated by the RADIUS server on every SecurePlatform machine, and it is NOT required to define any RADIUS groups.
- By defining the list of RADIUS groups. All users that belong to the RADIUS groups defined on SecurePlatform will be able to authenticate and perform login.
The option utilizing RADIUS groups allows more flexibility, by eliminating the need to define all RADIUS users on each SecurePlatform machine.
There is a special RADIUS group called any. When this group is present in the group list, ALL users defined on the RADIUS server will be able to log into the SecurePlatform machine.
To authenticate an Administrator via RADIUS, you must:
- Enter expert mode.
- Type the command
- Verify that a RADIUS server is configured. If a RADIUS server is not configured, add one by using the following command:
radius servers add <server[:port]> <secret> <timeout> <label>
- Verify that at least one of the following is correct:
- The user that you want to authenticate via the RADIUS server is configured on SecurePlatform with RADIUS as the authentication method. You can define local users that authenticate via RADIUS by using the following command:
radius users add <username>
- At least one RADIUS group is configured, and the user defined on the RADIUS server belongs to that group. You can define RADIUS groups by using the following command line:
radius groups add <groupname>
- Define the Administrator as a RADIUS user, by using the following command:
radius users add <username>
You can use the following commands to monitor and modify your RADIUS configuration.
To control RADIUS servers:
- radius servers show
- radius servers add <server[:port]> <secret> <timeout>
- radius servers del <server[:port]>
To control RADIUS user groups:
- radius groups show
- radius groups add <groupname>
- radius groups del <groupname>
To control local RADIUS users:
- radius users show
- radius users add <username>
- radius users del <username>
FIPS 140-2 Compliant Systems
The Federal Information Processing Standard (FIPS) 140-2 imposes certain restrictions on the operation of SecurePlatform. Administrators whose systems must be FIPS 140-2 compliant have to configure their systems accordingly.
To configure SecurePlatform to be FIPS 140-2 compliant:
- Run the following command from cpshell:
This command does the following:
- Adds an integrity check that verifies the integrity of all executables, scripts and configuration files, before connecting the system to the network.
- Enforces the policy of locking accounts of administrators who have exceeded the threshold of unsuccessful login attempts (see Lockout of Administrator Accounts).
- Removes the Web GUI daemon, thus disabling the Web GUI.
- Removes the Check Point Remote Installation daemon, thus disabling SmartUpdate.
- Configures the Check Point Security Gateway's default filter to "drop all incoming".
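To make the first item above concrete, here is an added example of a baseline-then-verify integrity check built on sha256sum. It is not the integrity mechanism that SecurePlatform's FIPS mode installs and is not Check Point code; it only shows the shape of such a check. DIR and MANIFEST are paths you choose (keep MANIFEST outside DIR so it does not hash itself), and the sample tree used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not SecurePlatform code): record SHA-256 digests of every
# file under a directory, then later detect modified, missing or added files.
# Paths containing whitespace are not handled by this simple version.

# Make a path absolute so it survives the "cd" used below.
_abs_path() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "$PWD/$1" ;;
    esac
}

# integrity_baseline DIR MANIFEST
# Writes one "digest  ./relative/path" line per regular file under DIR
# into MANIFEST, sorted by path.
integrity_baseline() {
    dir=$1
    manifest=$(_abs_path "$2")
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
}

# integrity_verify DIR MANIFEST
# Re-hashes DIR and compares it with MANIFEST. Returns 0 only if every
# recorded file is present and unchanged and nothing has been added;
# otherwise prints the discrepancies to stderr and returns 1.
integrity_verify() {
    dir=$1
    manifest=$(_abs_path "$2")
    status=0

    # Modified or missing files: sha256sum -c names each one.
    ( cd "$dir" && sha256sum -c --quiet "$manifest" ) >&2 || status=1

    # Added files: compare the recorded path list with the current tree.
    then_list=$(mktemp)
    now_list=$(mktemp)
    awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$then_list"
    ( cd "$dir" && find . -type f ) | LC_ALL=C sort > "$now_list"
    added=$(comm -13 "$then_list" "$now_list")
    rm -f "$then_list" "$now_list"
    if [ -n "$added" ]; then
        printf 'file(s) added since baseline:\n%s\n' "$added" >&2
        status=1
    fi
    return "$status"
}
```

The useful property of a check like this is that the manifest must be stored somewhere the protected tree cannot modify; if it lives inside DIR, an attacker who can alter executables can also re-baseline them.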
Lockout of Administrator Accounts
The account of an administrator who fails to log on three times in one minute is locked for 60 minutes. This feature is configurable using the lockout command.
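As an added detection example (not part of SecurePlatform), the script below applies the same "three failures in one minute" threshold to syslog-style sshd lines, so an administrator reviewing logs can see which accounts would have tripped the lockout. The log format (standard sshd "Failed password for USER from IP" lines) and the sample lines are constructed assumptions; the guide does not specify the exact syslog wording SecurePlatform emits.

```shell
#!/bin/sh
# Added example (not SecurePlatform code): flag accounts with three or more
# failed logins inside any 60-second window, reading sshd-style syslog lines.

# Constructed sample log. Timestamps are HH:MM:SS in field 3 of each line.
SAMPLE_LOG='Mar  3 09:15:01 gw sshd[2101]: Failed password for admin from 10.1.1.7 port 51000 ssh2
Mar  3 09:15:20 gw sshd[2105]: Failed password for admin from 10.1.1.7 port 51001 ssh2
Mar  3 09:15:44 gw sshd[2109]: Failed password for admin from 10.1.1.7 port 51002 ssh2
Mar  3 09:15:50 gw sshd[2110]: Accepted password for admin from 10.1.1.7 port 51003 ssh2
Mar  3 09:20:00 gw sshd[2130]: Failed password for auditor from 10.1.2.9 port 40000 ssh2
Mar  3 09:25:00 gw sshd[2140]: Failed password for auditor from 10.1.2.9 port 40001 ssh2
Mar  3 09:30:00 gw sshd[2150]: Failed password for auditor from 10.1.2.9 port 40002 ssh2'

# lockout_candidates < LOG
# Prints each user (once) whose failures crossed the threshold; returns 0 if
# at least one user was printed, 1 otherwise. Only same-day timestamps are
# compared; a window spanning midnight is not handled here.
lockout_candidates() {
    awk -v window=60 -v threshold=3 '
        BEGIN { found = 0 }
        /Failed password for/ {
            # HH:MM:SS -> seconds since midnight.
            split($3, t, ":")
            s = t[1] * 3600 + t[2] * 60 + t[3]
            # The user name follows the word "for"; sshd writes
            # "for invalid user NAME" when the account does not exist.
            for (i = 1; i <= NF; i++) if ($i == "for") { u = $(i + 1); break }
            if (u == "invalid") u = $(i + 3)
            # Keep every failure time per user and compare the newest with
            # the one (threshold - 1) failures back: a sliding window.
            n[u]++
            ts[u, n[u]] = s
            if (n[u] >= threshold && s - ts[u, n[u] - threshold + 1] <= window && !(u in flagged)) {
                flagged[u] = 1
                print u
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}
```

Run it as `lockout_candidates < /path/to/messages`; in the constructed sample only admin is reported, because auditor's three failures are five minutes apart and never fall inside one 60-second window.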
Using TFTP
The Trivial File Transfer Protocol (TFTP) provides an easy way for transferring files to and from SecurePlatform. SecurePlatform mechanisms that can utilize TFTP include:
- Backup / Restore Utilities
- Patch Utility – used for software updates
- Diag Utility – used for obtaining various diagnostics information
Note - Freeware and Shareware TFTP servers are readily available on the Internet.
Follow the vendor instructions on how to set up the TFTP server, and make sure that you configure the server to allow both reception and transmission of files.
Important - TFTP is not an encrypted or authenticated protocol. Make sure that you only run the TFTP server on your internal network.
Backup and Restore
SecurePlatform provides both command line and Web GUI capabilities for conducting backups of your system settings and product configuration.
The backup utility can store backups either locally on the SecurePlatform machine hard drive or to an FTP server, TFTP server or SCP server. You can perform backups on request, or according to a predefined schedule.
Backup files are kept in tar gzipped format (.tgz). Backup files saved locally are kept in /var/CPbackup/backups.
The restore command line utility is used for restoring SecurePlatform settings, and/or Product configuration from backup files.
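Because a restore is only as good as the archive it reads, the following added example (not part of SecurePlatform's backup or restore utilities) checks that a .tgz backup is a readable gzip stream containing a non-empty tar archive, and picks the newest archive in a directory that passes that check. It assumes only gzip and tar; the default directory is the local backup location named above, and the archives used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not SecurePlatform code): sanity-check .tgz backup archives
# before relying on them for a restore.

# verify_backup_archive FILE
# Returns 0 if FILE is a readable .tgz whose gzip stream is intact and whose
# tar listing is non-empty; otherwise reports the reason on stderr, returns 1.
verify_backup_archive() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    case $f in
        *.tgz|*.tar.gz) ;;
        *) echo "$f: not a .tgz backup" >&2; return 1 ;;
    esac
    # gzip -t walks the whole stream and fails on truncation or corruption.
    gzip -t "$f" 2>/dev/null || { echo "$f: corrupt gzip stream" >&2; return 1; }
    # A valid stream can still wrap an empty or non-tar payload.
    n=$(tar -tzf "$f" 2>/dev/null | wc -l)
    [ "$n" -gt 0 ] || { echo "$f: empty or unreadable tar archive" >&2; return 1; }
    return 0
}

# latest_backup [DIR]
# Prints the newest archive in DIR (default: the local backup directory)
# that passes verify_backup_archive; returns 1 if none does.
latest_backup() {
    dir=${1:-/var/CPbackup/backups}
    newest=
    for f in "$dir"/*.tgz; do
        [ -e "$f" ] || continue
        verify_backup_archive "$f" 2>/dev/null || continue
        # -nt compares modification times; keep the most recent good one.
        if [ -z "$newest" ] || [ "$f" -nt "$newest" ]; then
            newest=$f
        fi
    done
    [ -n "$newest" ] && printf '%s\n' "$newest"
}
```

A corrupt archive that happens to be the newest is skipped rather than reported as the candidate, so a scheduled job can call `latest_backup` and copy the result off-box without first inspecting each file by hand.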
Note - Only administrators with Expert permission can directly access directories of a SecurePlatform system. You will need the Expert password to execute the restore command.
For more information about the backup and restore utilities, see backup and restore.