Check Point Identity Awareness Integration

Description

The ExtraHop Reveal(x) integration with the Check Point Identity Awareness gateway provides immediate and automated remediation of cybersecurity threats.

When Reveal(x) detects a security threat with a risk score that is above the configured threshold, it sends a message through the AWS Simple Notification Service (SNS) in JSON format to a subscribed Lambda function. The Lambda function parses the message and sends an Identity Awareness command to all configured Check Point gateways. Finally, the offender's IP address is added to the firewall access control lists and quarantined.

Requirements

• ExtraHop Reveal(x) version 7.8 or later with administrator privileges.
• Amazon Web Services account with Lambda, IAM, VPC, SNS, and CloudFormation permissions.

Bundle Contents

• (1) Applications
  • Check Point Quarantine
• (1) Dashboards
  • Check Point Quarantine
• (1) Record Formats
  • Check Point Quarantine Event
• (1) Triggers
  • Check Point IA Quarantine Integration

Installation and Configuration

Configure AWS VPC Networking

The Lambda function for this integration must be deployed to a VPC that is configured with a public subnet and a private subnet. Instances in a public subnet can send outbound traffic directly to the internet through an internet gateway, whereas instances in a private subnet cannot. Instead, instances in the private subnet can access the internet through a NAT gateway deployed in the public subnet.

1. Log in to your Amazon Web Services account.
2. Create a NAT Gateway in your Amazon VPC. The Elastic IP address of the NAT gateway is required for configuring the Check Point Identity Awareness Web API.

Configure the Check Point Identity Awareness Web API

The Check Point Identity Awareness Web API must be configured to accept connections from the NAT Gateway defined in the AWS VPC. Configure the NAT gateway's Elastic IP address as an authorized client on each Check Point gateway you are integrating with.

1. Log in to your Check Point Security Management Server with the SmartConsole application.
2. Configure the Identity Awareness Web API with the following specifications:
   1. A new host object that is configured with the NAT gateway Elastic IP address.
   2. An authentication secret for the new host object that represents the NAT gateway. The authentication secret is required for deploying the AWS CloudFormation template.

Configure the Check Point Gateways

This integration works by assigning IP addresses for the detection participants to an access role. You must create the access role on your Check Point gateways and define firewall rules for this access role.

1. Create an access role with the following parameter:
   • Name: ExtraHop Detection Quarantine
2. Create an Access Control Rule with the following parameters:
   • Name: ExtraHop Quarantine Ingress
   • Source: Any
   • Destination: ExtraHop Detection Quarantine
   • Action: Drop
   • Track: Log
3. Create another Access Control Rule with the following parameters:
   • Name: ExtraHop Quarantine Egress
   • Source: ExtraHop Detection Quarantine
   • Destination: Any
   • Action: Drop
   • Track: Log

The following figure shows an example of a configured gateway ACL.

Deploy the AWS CloudFormation Template

1. Download the bundle file on this page and unzip the following three files:
   • cpia_lambda_function.zip
   • cpia_cloudformation_template.yaml
   • cpia_extrahop_bundle.json
2. Upload the Lambda function zip file cpia_lambda_function.zip to an S3 bucket in the same region in which you intend to deploy the CloudFormation template.
3. In AWS CloudFormation, create a stack with new resources.
4. When prompted to specify the template, upload the template file cpia_cloudformation_template.yaml and click Next.
5. Configure the stack with the following parameters:
   • cgGatewayList: Comma-separated list of GatewayIP:SecretKey for each Check Point gateway. The GatewayIP must be the publicly routable IP address for your Check Point gateway. The Secret Key must be the client secret obtained for that gateway from the previous section "Configure the Check Point Identity Awareness Web API." For example: 54.1.1.10:12345Db8gt,54.1.1.11:67890Db8gt
   • lambdaSubnet: The private subnet for the Lambda function to run in.
   • lambdaVPC: The VPC associated with the lambdaSubnet.
   • s3BucketName: S3 bucket containing the Lambda function zip file.
   • s3CodeKey: Key of the Lambda function zip file, e.g. "cpia_lambda_function.zip".
6. Click Next and then click Next again.
7. Select all of the required checkboxes in the Capabilities and Transforms section, and then click Create Stack.

Install the bundle

1. Locate the ExtraHop bundle file cpia_extrahop_bundle.json.
2. Upload and apply the bundle.

Configure the ExtraHop appliance

1. Log into the Admin UI on the Discover or Command appliance where you installed the bundle.
2. Configure an HTTP target for an open data stream with the following parameters:
   • Name: A name to identify the SNS API server; for example, aws_sns.
   • Host: sns.us-west-2.amazonaws.com or other SNS API endpoint; see AWS documentation for the full list of endpoints for your region.
   • Port: 443.
   • Type: HTTPS.
   • Additional HTTP header: Content-Type: application/x-www-form-urlencoded
   • Authentication: Amazon Web Services
   • Access key ID field: Your IAM user access key ID
   • Secret key: Your IAM user secret key
   • Service: sns.
   • Region: Your EC2 API endpoint region; for example, us-west-2

Configure the trigger

1. In the Web UI on the Command or Discover appliance where you installed the bundle, click the System Settings icon, and then click Triggers.
2. In the list of triggers, click Check Point IA Quarantine Integration.
3. Click the Editor tab.
4. In the trigger editor, configure the following parameters:
   • Change the default string value for the "SNS_ODS_TARGET" variable to the name of the Open Data Stream target.
   • Change the default string value for the "SNS_TOPIC_ARN" variable to the ARN for the SNS topic.
   • Change the default string value for the "IA_ROLE" variable to the name of the Identity Awareness role assigned to the Check Point gateway access control list.
   • Change the default integer value for the "IA_TIMEOUT" variable to the duration in seconds that you want to quarantine the IP address. The default value for "IA_TIMEOUT" is 86400, meaning that IP addresses will be quarantined for 86400 seconds (1 day).
   • Optionally, change the default integer value for the "RISK_THRESHOLD" variable to the desired value. Detections with risk scores at or above this value will cause the trigger to attempt quarantining.
5. Select the Enable trigger checkbox under the trigger options.
6. Click Save and Close.

Advanced Usage

SNS Message Format

The message sent from the Check Point Quarantine Integration trigger to SNS is a string that represents a JSON object that includes the following properties. This information can be useful for debugging or for applying the Lambda function through other tools.

• action: String. Must be either "add" or "delete".
  • "add": Creates a new Identity Awareness association for the specified IP address with the add-identity API.
  • "delete": Deletes the Identity Awareness association for the specified IP address with the delete-identity API.
• ip: String. The IP address to associate with Identity Awareness.
• role: String. The role to assign to the IP address.
• session-timeout: Number. The duration in seconds for this Identity Awareness association.
• detection-id: Number. The ID of the detection that triggered this Identity Awareness association.

Example:

{
    "action":  "add",
    "ip":  "192.168.35.100",
    "role":  "ExtraHop Detection Quarantine",
    "session-timeout":  86400,
    "detection-id":  102034
}

SNS Message Attributes

The Check Point Quarantine Integration trigger sets the following message attributes that can be applied to SNS message filtering.

• riskscore: Number. The risk score of the detection.

Troubleshooting the AWS Lambda Function

The Lambda function comes with a CloudWatch Logs log group. To view these logs, open the Logs page of the CloudWatch console, select the log group for the CPIA Lambda Function, and select the first stream in the list.

Example of Successful Output

A typical successful invocation of the Lambda function looks similar to the following output:

START RequestId: 0c72c7bc-9cad-4601-8b26-9bfc1e8c231c Version: $LATEST  
From SNS:
{ 
    "action": "add", 
    "ip": "192.168.35.100", 
    "role": "ExtraHop Detection Quarantine", 
    "session-timeout": 86400,
    "detection-id":  102034
}
URL: https://172.31.63.1/_IA_API/v1.0/add-identity  
Payload: {'shared-secret': 'a1b2C3d4e5', 'ip-address': '192.168.35.100', 'machine': 'allowed host', 'roles': ['ExtraHop Detection Quarantine'], 'session-timeout': 86400, 'fetch-machine-groups': 0, 'calculate-roles': 0, 'identity-source': 'ExtraHop Detection 102034'}  
/var/task/urllib3/connectionpool.py:1004: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings  
InsecureRequestWarning,  
END RequestId: 0c72c7bc-9cad-4601-8b26-9bfc1e8c231c  
REPORT RequestId: 0c72c7bc-9cad-4601-8b26-9bfc1e8c231c Duration: 267.89 ms Billed Duration: 300 ms Memory Size: 128 MB Max Memory Used: 76 MB Init Duration: 607.10 ms

Example of a Timeout Error

Timeout error occurred: HTTPSConnectionPool(host='172.31.63.1', port=443): Max retries exceeded with url: /_IA_API/v1.0/add-identity (Caused by ConnectTimeoutError(<urllib3.connection.VerifiedHTTPSConnection object at 0x7f497329aa20>, 'Connection to 172.31.63.1 timed out. (connect timeout=5)'))

Cause: Lambda was unable to communicate with the Check Point gateway.

Troubleshooting Steps: * Verify the AWS VPC routing from the Lambda subnet to the Check Point gateway. * Verify that the AWS security group ACLs allow HTTPS traffic from the Lambda function to the Check Point gateway. * Verify that the Check Point gateway's firewall ACLs allow HTTPS traffic from the Lambda function to the gateway.

Example of a 404 Client Error

HTTP error occurred: 404 Client Error: Not Found for url: https://172.31.63.1/_IA_API/v1.0/add-identity

Cause: Identity Awareness API received a request from a client not in the Identity Awareness Web API authorized clients list, or the API secret is incorrect for this gateway.

Troubleshooting Steps: * Verify that the Lambda IP address is listed in the Authorized Clients section of the Identity Web API Settings in SmartConsole. * Verify that the client secret is correct for this client.