CPMI traffic from Management Clients (e.g., SmartDashboard) to Management Server over TCP port 18190 is indeed secure.
Security Management is performed using Management GUI applications (e.g., SmartDashboard) that connect to the Security Management Server / Multi-Domain Security Management Server. The authorized administrator role and authorized audit administrator role correspond to administrators using the SmartConsole GUI applications, with either full or restricted privileges, respectively.
The CPMI Client component is built on top of the OPSEC layer and communication with the FWM process on the Security Management Server / Multi-Domain Security Management Server is protected by the SIC facility using the Secure Internal Communication (SIC) Module's 'SIC API' interface. The administrator must authenticate to Security Management Server / Multi-Domain Security Management Server using either certificate-based authentication, or via a password that is authenticated with the support of an authentication server in the IT environment, using the RADIUS or SecurID protocols.
SIC protects management communications from disclosure or modification. Therefore, only authenticated administrator roles may perform management operations. Security Gateways also receive management commands from Security Management Server / Multi-Domain Security Management Server over authenticated, SIC-protected channels. Administrators do not connect to Security Gateways for performing management operations.
SIC lets Check Point platforms and products authenticate each other. The SIC procedure creates a trusted status between Security Gateways, Management Servers and other Check Point components. SIC is required to install policies on Security Gateways and to send logs between Security Gateways and Management Servers / Log Server.
These measures secure SIC:
- Certificate usage follows the definitions in the ICA (Internal Certificate Authority). If SHA-256 is required, the relevant values should be defined there.
- Certificates are used for authentication.
- SIC supports TLS 1.2 for the creation of the secure channel since R80.10. In previous versions, TLS 1.0 is used.
- AES128/256 for encryption (CBC only).
- Hashing algorithm is SHA1. (Other hashing algorithms such as SHA256 will only be an option after support of TLS 1.2 in future releases.)
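An administrator who wants to confirm that a management server negotiates the parameters listed above can capture the session block that `openssl s_client -connect <mgmt-host>:18190` prints and check it against those expectations. The script below is an added example, not Check Point code: it assumes the port answers a standard TLS handshake, that the capture is in OpenSSL's usual `SSL-Session:` format, and the two sample captures are constructed for the example (one for an R80.10+ server, one for an earlier release).

```python
"""Audit the TLS parameters negotiated on a Check Point management port.

Added example (not Check Point code). Assumes the administrator has run
`openssl s_client -connect <mgmt-host>:18190` and saved the output; the
checks encode the SIC parameters described in the article: TLS 1.2 on
R80.10 and later (TLS 1.0 earlier), AES-128/256 in CBC mode, SHA-1 MAC.
"""
import re

# Constructed sample of the session block openssl s_client prints for an
# R80.10+ management server (hypothetical capture, not real output).
SAMPLE_R80_10 = """\
New, TLSv1.2, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
"""

# Constructed sample for a pre-R80.10 server (TLS 1.0 is still in use).
SAMPLE_PRE_R80_10 = """\
New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
"""

# OpenSSL names for AES-CBC suites with a SHA-1 MAC, with an optional
# (EC)DHE-RSA key-exchange prefix. AES-GCM or SHA-256 suites do not match.
SIC_CIPHER_RE = re.compile(r"^(?:(?:EC)?DHE-RSA-)?AES(?:128|256)-SHA$")

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def parse_session(output: str) -> dict:
    """Extract the Protocol and Cipher fields from the SSL-Session block."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*(Protocol|Cipher)\s*:\s*(\S+)", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def audit(output: str, r80_10_or_later: bool = True) -> list:
    """Return a list of findings; an empty list means the session matches
    the SIC parameters expected for the given release generation."""
    session = parse_session(output)
    proto = session.get("protocol")
    cipher = session.get("cipher")
    if proto is None or cipher is None:
        return ["no SSL-Session block found; the handshake may have failed"]

    findings = []
    expected_proto = "TLSv1.2" if r80_10_or_later else "TLSv1"
    if proto != expected_proto:
        findings.append(f"protocol {proto} negotiated, expected {expected_proto}")
    if proto in LEGACY_PROTOCOLS:
        # Expected on old releases, but still worth reporting: upgrading to
        # R80.10 or later moves the SIC channel to TLS 1.2.
        findings.append(f"legacy protocol {proto} in use; upgrade to R80.10+ for TLS 1.2")
    if not SIC_CIPHER_RE.match(cipher):
        findings.append(f"cipher {cipher} is not an AES-CBC/SHA-1 suite as SIC uses")
    return findings


if __name__ == "__main__":
    for label, sample, new in (("R80.10+", SAMPLE_R80_10, True),
                               ("pre-R80.10", SAMPLE_PRE_R80_10, False)):
        print(label, audit(sample, r80_10_or_later=new) or "OK")
```

Run it against a saved capture with `audit(open("capture.txt").read())`; pass `r80_10_or_later=False` for a server still on an earlier release so that TLS 1.0 is reported as expected rather than as a mismatch, while the legacy-protocol finding still points at the upgrade.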
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.