
Introduction to Firewall-1 Management (CCSA) Student User Guide, Version 4.0, Revision B

Document # CPTS-DOC-C1011

Rev. B

Copyright 1999 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distribution under licensing restricting their use, copy, and distribution. No part of this documentation may be reproduced in any form or by any means without prior written authorization of Check Point Software Inc. While every precaution has been taken in the preparation of this document, Check Point assumes no responsibility for errors or omissions. This document and features described herein are subject to change without notice.

Trademarks: FireWall-1, SecuRemote, Stateful Inspection, INSPECT, Check Point and the Check Point logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. Sun, SPARC, Solaris, and SunOS are trademarks of Sun Microsystems, Inc. UNIX and OPEN LOOK are registered trademarks of UNIX System Laboratories. All other products or services mentioned herein are trademarks or registered trademarks of their respective owners.

Check Point Software Technology Ltd.

International Headquarters: 3A Jabotinsky Street Ramat Gan 52520 Israel Tel: 972-3-613 1833 Fax: 972-3-575 9256 E-mail: info@checkpoint.com

U.S. Headquarters: Three Lagoon Drive, Suite 400 Redwood City, CA 94065 Tel: 650-628-2000 Fax: 650-654-4233 HTTP://www.checkpoint.com

Dallas Courseware Development: 2505 N. Highway 360, Suite 700 Grand Prairie, TX. 75050 Tel: 817-606-6600 Fax: 817-652-9374

Please direct any comments concerning Check Point courseware to courseware@us.checkpoint.com.


Introduction To Firewall-1 Management (CCSA)

CCSA Course Description .......................................... 1
    Course Objectives ............................................ 1
CCSA Course Layout ............................................... 2
    Course Requirements .......................................... 2
    Prerequisites ................................................ 2
Check Point Certification Exams .................................. 3
    Check Point Certified Security Administrator ................. 3
    Check Point Certified Security Engineer ...................... 3
    Check Point Certified Security Instructor .................... 3
Course Map ....................................................... 4
    Day 1 ........................................................ 4
    Day 2 ........................................................ 4
Lab Setup ........................................................ 5
    Lab Topology ................................................. 6
    IP Addresses ................................................. 7
    Lab Terms .................................................... 7
    Site-Number Table ............................................ 7
What's New in FireWall-1 Version 4.0 ............................. 8
    New Platforms ................................................ 8
    Encryption ................................................... 8
    Enterprise Management ........................................ 8
    Authentication ............................................... 8
    Client Authentication ........................................ 8
    Security Servers ............................................. 8
    Support for New Services ..................................... 8

Unit I Chapter 1: FireWall-1 Architecture

Introduction ..................................................... 9
    Objectives ................................................... 9
    Key Terms .................................................... 9
Defining a Firewall .............................................. 11
    What is a Firewall? .......................................... 11
    TCP/IP ....................................................... 11
    Packets ...................................................... 12


Methods of Securing Networks ..................................... 13
    Packet Filtering ............................................. 13
    Application Layer Gateway (Proxy) ............................ 15
    Stateful Inspection .......................................... 16
What is FireWall-1? .............................................. 19
    Advantages of Stateful Inspection Architecture ............... 19
    Inspect Engine in the Kernel Module .......................... 20
FireWall-1 Products .............................................. 22
FireWall-1 Components ............................................ 23
    The Firewall Module .......................................... 23
    The Management Module ........................................ 24
    Other FireWall-1 Components .................................. 24
    Graphical User Interface (GUI) ............................... 24
Review ........................................................... 25
    Summary ...................................................... 25
    Review Questions ............................................. 26

Unit II Chapter 1: FireWall-1 Installation and Setup ............. 27

Introduction ..................................................... 27
    Objectives ................................................... 27
Firewall-1 System Requirements on Windows NT ..................... 28
Getting Started with FireWall-1 .................................. 29
    Network Configuration ........................................ 29
Installation Procedure ........................................... 31
    Components to Install ........................................ 31
Installing FireWall-1 on Windows NT .............................. 32
Installation Configuration on Windows NT ......................... 38
    Administrators ............................................... 38
    GUI Clients .................................................. 40
    Remote Modules ............................................... 41
    IP Forwarding ................................................ 42
    SMTP Security Server ......................................... 43
    Key Hit Session .............................................. 44
    CA Keys ...................................................... 45
    Completing the Installation .................................. 46
Installing GUI Client on Windows NT .............................. 47


FireWall-1 System Requirements on Solaris ........................ 50
    Client/Server Hardware and Operating System Requirements ..... 50
    Non-Client/Server Hardware and Operating System Requirements . 50
Installing FireWall-1 on Solaris ................................. 52
Installation Configuration on Solaris ............................ 56
    Configuring Licenses ......................................... 56
    Configuring Administrators ................................... 57
    Configuring GUI Clients ...................................... 58
    Configuring Remote Modules ................................... 58
    Configuring SMTP Server ...................................... 58
    Configuring SNMP Extension ................................... 59
    Configuring Groups ........................................... 59
    Configuring IP Forwarding .................................... 59
    Configuring Default Filter ................................... 60
    Auto-Configuring the Certificate Authority Key ............... 60
Installing X/Motif GUI Client .................................... 62
    Hardware and Operating System Requirements ................... 62
    Installing X/Motif GUI Client ................................ 63
Uninstalling FireWall-1 Components ............................... 66
    FireWall-1 Windows NT Uninstall .............................. 66
    FireWall-1 Solaris Uninstall ................................. 67
Review ........................................................... 68
    Summary ...................................................... 68
    Review Questions ............................................. 68

Unit II Chapter 2: Navigating in FireWall-1 ...................... 69

Introduction ..................................................... 69
    Objectives ................................................... 69
    Key Terms .................................................... 69
FireWall-1 GUIs .................................................. 70
    Logon Information ............................................ 70
Security Policy Editor GUI ....................................... 71
    Windows NT Security Policy Editor Logon ...................... 71
    X/Motif Security Policy Editor Logon ......................... 72
    Security Policy Editor Toolbar Buttons ....................... 72
Log Viewer GUI ................................................... 74
    Log Viewer Logon ............................................. 74


    Data (Column) Fields ......................................... 75
    Column Menu .................................................. 76
    Log Viewer Modes ............................................. 77
    Log Viewer Toolbar Buttons ................................... 77
    Navigating and Searching ..................................... 78
    Displaying Selected Entries .................................. 81
    Selection Options ............................................ 84
    Viewing/Editing Current Selection Criteria ................... 85
    Creating and Selecting Selection Criteria .................... 85
    Log File Management .......................................... 86
System Status GUI ................................................ 88
    System Status Logon .......................................... 88
    System Status Toolbar Buttons ................................ 89
    System Status Update ......................................... 90
    Alerts ....................................................... 91
    Display Firewalled Objects ................................... 92
    Updating and Changing the Status Display ..................... 93
    Changes to Firewalled Objects ................................ 94
Review ........................................................... 96
    Summary ...................................................... 96
    Review Questions ............................................. 97

Unit II Chapter 3: Management Tools .............................. 99

Introduction ..................................................... 99
    Objectives ................................................... 99
    Key Terms .................................................... 99
Management Tools ................................................. 101
    Accessing Management Tools ................................... 101
    Color Scheme ................................................. 101
Network Objects Manager .......................................... 102
    Defining Network Objects ..................................... 102
Workstation Properties Object .................................... 104
    General Tab .................................................. 104
    Interfaces Tab ............................................... 106
    Authentication Tab ........................................... 108
    Encryption Tab ............................................... 108
    NAT Tab ...................................................... 110
    SNMP Tab ..................................................... 110


Network Properties Object ........................................ 111
    General Tab .................................................. 111
    NAT Tab ...................................................... 112
Domain Properties Object ......................................... 113
    Using Domain Objects in a Rule ............................... 113
    General Tab .................................................. 114
Router Properties Object ......................................... 115
    General Tab .................................................. 115
    Interfaces Tab ............................................... 116
    NAT Tab ...................................................... 118
    SNMP Tab ..................................................... 118
    Setup Tab .................................................... 119
Switch Properties Object ......................................... 120
    General Tab .................................................. 120
    Interfaces Tab ............................................... 121
    NAT Tab ...................................................... 121
    SNMP Tab ..................................................... 121
    VLANs Tab .................................................... 121
    Setup Tab .................................................... 122
Integrated Firewall Properties Object ............................ 123
    General Tab .................................................. 123
    Interfaces Tab ............................................... 124
    SNMP Tab ..................................................... 124
    NAT Tab ...................................................... 125
    Setup-A Tab for Cisco PIX .................................... 125
    Setup-B Tab for Cisco PIX .................................... 126
    Setup Tab for TimeStep ....................................... 127
Group Properties Object .......................................... 128
Logical Server Object ............................................ 129
Address Range Properties Object .................................. 130
    General Tab .................................................. 130
    NAT Tab ...................................................... 131
Lab 1: Defining Network Objects .................................. 132
Services Manager ................................................. 134
    Allowed Services ............................................. 135
    TCP .......................................................... 135
    UDP .......................................................... 136
    RPC .......................................................... 137
    ICMP ......................................................... 138
    Other ........................................................ 139
    Group ........................................................ 139
    Port Range ................................................... 140


Resources Manager ................................................ 142
    URI Resource ................................................. 143
    Wild Card URI Match Specification Type ....................... 144
    File URI Match Specification Type ............................ 147
    UFP URI Match Specification Type ............................. 150
    SMTP Security Server ......................................... 153
    FTP Security Server .......................................... 157
Server Manager ................................................... 160
Users Manager .................................................... 162
    General Tab .................................................. 162
    Groups Tab ................................................... 163
    Authentication Tab ........................................... 163
    Location Tab ................................................. 164
    Time Tab ..................................................... 165
    Encryption Tab ............................................... 165
    User Template Setup .......................................... 166
    New User Setup ............................................... 167
    New Group Setup .............................................. 168
Time Objects Manager ............................................. 169
Keys Manager ..................................................... 172
Review ........................................................... 173
    Summary ...................................................... 173
    Review Questions ............................................. 173

Unit III Chapter 1: Security Policy Rule Base and Properties Setup  175

Introduction ..................................................... 175
    Objectives ................................................... 175
    Key Terms .................................................... 176
Security Policy Defined .......................................... 177
    What is a security policy? ................................... 177
    Considerations ............................................... 177
    Creating the Security Policy ................................. 177
Rule Base Defined ................................................ 179
    Rule Base Elements ........................................... 179
    Rule Base Element Options .................................... 180


Creating the Rule Base .................................................................................... 184


Add a Rule ............................................................................................................................... 185 The Default Rule ...................................................................................................................... 185 Creating the Cleanup Rule ....................................................................................................... 186 Creating the Stealth Rule ......................................................................................................... 187 Adding Additional Rules ........................................................................................................... 188 Completing the Rule Base ....................................................................................................... 189

Implicit (Pseudo) and Explicit Rules ................................................................. 190


Understanding Rule Base Order .............................................................................................. 191

Understanding Interface Direction .................................................................... 193 Properties Setup Tabs ...................................................................................... 197
Security Policy Properties ........................................................................................................ 197 Services Properties .................................................................................................................. 200 Log and Alert Properties .......................................................................................................... 201 Security Servers Properties ..................................................................................................... 203 Authentication Properties ......................................................................................................... 206 SYNDefender Properties ......................................................................................................... 207 Lightweight Directory Access Protocol (LDAP) Properties ...................................................... 209 Encryption Scheme Properties ................................................................................................ 211 Miscellaneous (Load Balancing) Properties ............................................................................. 214 Access Lists Properties ............................................................................................................ 215

Security Policy Checklist .................................... 217
Review ....................................................... 218


Summary ................................................... 218
Review Questions .......................................... 218

Unit III Chapter 2: Administering Security Policy with Rule Base ...... 219

Introduction ....................................................................................................... 219


Objectives ................................................ 219
Key Terms ................................................. 219

Administering a Security Policy ........................................................................ 220


Verify and Install a Security Policy ........................................................................................... 220

Detecting Spoofing ........................................................................................... 222


Anti-Spoofing and Security Policies ....................... 222
Adding Anti-Spoofing ...................................... 222
Anti-Spoofing and Routers ................................. 224

Lab 2: Anti-Spoofing Configuration ................................................................... 226


Lab 3: Defining Basic Rules .................................. 228
Lab 4: Implied Pseudo-Rules .................................. 230
Lab 5: Defining a Time-Based Rule ............................ 231
Review ....................................................... 232
Summary ................................................... 232
Review Questions .......................................... 232

Unit IV Chapter 1: Authentication ......................................... 235

Introduction ....................................................................................................... 235


Objectives ................................................ 235
Key Terms ................................................. 235

Understanding Authentication .......................................................................... 236


User Authentication ....................................... 236
Client Authentication ..................................... 238
Session Authentication .................................... 239

Implementing Authentication ............................................................................ 242


Authentication Schemes .................................... 242
Authentication Setup ...................................... 243

Lab 6: Set up Authentication Parameters ...................... 248
Lab 7: Defining Users and Groups ............................. 249
Lab 8: User Authentication with a FireWall-1 Password ........ 251
Lab 9: User Authentication with S/Key ........................ 252
Lab 10: User Authentication for FTP .......................... 254
Lab 11: User Authentication for HTTP ......................... 255
Lab 12: Client Authentication ................................ 256
Lab 13: Session Authentication ............................... 257
Review ....................................................... 258
Summary ................................................... 258
Review Questions .......................................... 258


Unit IV Chapter 2: Network Address Translation ............................ 259

Introduction ....................................................................................................... 259


Objectives ................................................ 259
Key Terms ................................................. 259

Understanding Network Address Translation ................................................... 260


Availability of IP Addresses .............................. 260
How FireWall-1 Reads IP Addresses ......................... 261

NAT Modes ....................................................................................................... 262


Static Source Mode ........................................ 263
Static Destination Mode ................................... 263
Hide Mode ................................................. 265

Applying NAT Modes ........................................................................................ 266


Applying Static Mode ...................................... 266
Adding Hide Mode to a Cisco Router ........................ 268
Adding Hide Mode to a Bay Networks Router ................. 271

NAT Rule Base ................................................................................................. 272


NAT Rules ................................................................................................................................ 272

NAT Issues ....................................................................................................... 274


Routing Issues ......................................................................................................................... 274

Lab 14: NAT Static Mode Manual ............................... 276
Lab 15: NAT Static Mode Automatic ............................ 279
Lab 16: NAT Hide Mode Manual ................................. 281
Lab 17: NAT Hide Mode Automatic .............................. 283
Review ....................................................... 285
Summary ................................................... 285
Review Questions .......................................... 285

Final Scenario ............................................................ 287

Introduction ................................................. 287
Lab 18: Final Scenario ....................................... 288


Appendix A: Licensing Issues .............................................. 291

Resolving Licensing Issues .............................................................................. 291


Licensing Enforcement for Single Gateway Products ......... 291
Adding License at the Command Prompt ...................... 291
Removing Old Licenses ..................................... 292
How to Contact Check Point ................................ 292

Appendix B: Installation Troubleshooting .................................. 293

Installing and Operating in NT and Solaris ....................................................... 293


NT Systems ................................................ 293
Solaris Systems ........................................... 293

Special Notes for HP-UX 10 ................................... 294
Special Notes for IBM AIX .................................... 295
Special Note for Management Servers .......................... 296
Administrators: Solaris Specific ............................................................................................... 296

Extracting Files ................................................................................................. 297


SunOS ..................................................................................................................................... 297

Installing FireWall ............................................................................................. 298


HP-UX 10 .................................................. 298
IBM AIX ................................................... 299

Appendix C: Port Numbers and Common Services .............................. 301

Port Numbers ................................................................................................... 301


Ports Common to Windows NT ................................................................................................ 303


Appendix D: Basic Rule Base ............................................... 305

Glossary .................................................................. 307


Unit I Overview
Introduction to CCSA
Chapter 1: FireWall-1 Architecture


Introduction To Firewall-1 Management (CCSA)


CCSA Course Description
Welcome to the Check Point Certified Security Administrator (CCSA) course. This course is intended to provide you with an understanding of basic concepts and skills necessary to install and configure FireWall-1. The Check Point Certified Security Administrator (CCSA) course provides you with the following key elements:
- An overview and understanding of firewall technology
- FireWall-1 installation and setup
- Managing FireWall-1

This course provides hands-on training as you install FireWall-1 on a Solaris and/or Windows NT system. You will configure a security policy using FireWall-1's graphical user interface (GUI), and learn about managing a firewalled network. You are encouraged to follow along in the manual as the class progresses and take notes for future reference.

Course Objectives

- Identify the basic components of FireWall-1
- Successfully install FireWall-1
- Successfully configure FireWall-1 (Solaris and/or NT)
- Identify the FireWall-1 elements that you will need to manage
- Successfully configure FireWall-1
- Successfully complete the final scenario at the end of the course

CCSA Course Layout


Course Requirements

This course is designed for end users and resellers who need to install and set up the initial FireWall-1 configuration, and for those who seek CCSA certification. The following professionals benefit best from this course:
- Systems administrators
- Support analysts
- Network engineers


Prerequisites

Before taking this course, we strongly suggest that you have the following knowledge base:
- General knowledge of TCP/IP
- Working knowledge of Windows or UNIX
- Working knowledge of network technology
- Working knowledge of the Internet


Check Point Certification Exams


CCSA, CCSE, and CCSI courses no longer provide certification to students who participate in these courses. Students will be required to take and pass a certification exam to obtain certification.


Check Point Certified Security Administrator

The Check Point Certified Security Administrator (CCSA) course provides a complete overview of FireWall-1, including hands-on training for stand-alone systems. This exam is for end users and resellers who need a technical understanding of FireWall-1 and who need to install and set up simple configurations.

Check Point Certified Security Engineer

The Check Point Certified Systems Engineer (CCSE) course is an advanced course for engineers managing multiple FireWall-1 systems and/or needing formal training in advanced FireWall-1 features. This exam covers techniques in remote management, encryption, and virtual private networking. It also exploits the built-in SNMP features of FireWall-1, router management, user-defined tracking, load balancing, and firewall synchronization.

Check Point Certified Security Instructor

This exam is for candidates preparing to teach FireWall-1 and who are employees of an Authorized Training Center. Instructors are required to pass the CCSA and CCSE exams before they are eligible to take this exam. The CCSI exam is an advanced test, covering all topics previously reviewed by FireWall-1 CCSA and CCSE exams.


Course Map
Day 1
Unit I Overview
  Introduction
  Chapter 1: FireWall-1 Architecture
Unit II Getting Started
  Chapter 1: FireWall-1 Installation and Setup
  Chapter 2: Navigating in FireWall-1
  Chapter 3: Management Tools
Unit III Managing Your Network
  Chapter 1: Security Policy Rule Base and Properties Setup
  Chapter 2: Administering Security Policy with Rule Base


Day 2
Unit IV Customizing FireWall-1
  Chapter 1: Authentication
  Chapter 2: Network Address Translation

Final Scenario


Lab Setup
The following is the setup of your lab:
- The lab is directly connected to the Internet.
- The Internet servers (www.yourcity.com) cannot communicate directly with the Internet. (The servers have illegal/reserved IP addresses.)
- Each firewalled and Internet server has a unique IP address.
- Root password to all systems is _______________________________________. (Your instructor will give you this password. Be careful with root access!)
- OpenWindows mouse-button controls (Solaris only):
  Left: Selects objects.
  Middle: Selects additional objects or deselects objects.
  Right: Displays menus.


Lab Topology

Figure 1 is a sample eight-station lab topology.


[Figure 1 (image not reproduced); the labels it carried are listed here]
Detroit: Firewall Server fw.detroit.com (204.32.38.101, 192.168.1.101); Internet Server www.detroit.com (192.168.1.1)
Chicago: Firewall Server fw.chicago.com (204.32.38.102, 192.168.2.102); Internet Server www.chicago.com (192.168.2.1)
London: Firewall Server fw.london.com (204.32.38.103, 192.168.3.103); Internet Server www.london.com (192.168.3.1)
New York: Firewall Server fw.newyork.com (204.32.38.104, 192.168.4.104); Internet Server www.newyork.com (192.168.4.1)
Paris: Firewall Server fw.paris.com (204.32.38.105, 192.168.5.105); Internet Server www.paris.com (192.168.5.1)
Tokyo: Firewall Server fw.tokyo.com (204.32.38.106, 192.168.6.106); Internet Server www.tokyo.com (192.168.6.1)
Moscow: Firewall Server fw.moscow.com (204.32.38.107, 192.168.7.107); Internet Server www.moscow.com (192.168.7.1)
Berlin: Firewall Server fw.berlin.com (204.32.38.108, 192.168.8.108); Internet Server www.berlin.com (192.168.8.1)
Hub: 204.32.38.0


Figure 1: Lab topology


IP Addresses

Table 1 lists the IP addresses for the FireWall-1 lab:


Table 1: IP Addresses for FireWall-1 Lab

FireWall-1 Server | IP Address    | Internet Server | IP Address
------------------|---------------|-----------------|------------
fw.detroit.com    | 204.32.38.101 | www.detroit.com | 192.168.1.1
fw.chicago.com    | 204.32.38.102 | www.chicago.com | 192.168.2.1
fw.london.com     | 204.32.38.103 | www.london.com  | 192.168.3.1
fw.newyork.com    | 204.32.38.104 | www.newyork.com | 192.168.4.1
fw.paris.com      | 204.32.38.105 | www.paris.com   | 192.168.5.1
fw.tokyo.com      | 204.32.38.106 | www.tokyo.com   | 192.168.6.1
fw.moscow.com     | 204.32.38.107 | www.moscow.com  | 192.168.7.1
fw.berlin.com     | 204.32.38.108 | www.berlin.com  | 192.168.8.1

Lab Terms

Yourcity: The city name for your workstation pair.
Partnercity: The name of your partner city.
Site number: A number between 1 and 8 assigned to your workstation pair.

Site-Number Table

Table 2 lists site numbers for each of the lab stations:

Table 2: Lab Site Numbers

Site Name | Site Number
----------|------------
Detroit   | 1
Chicago   | 2
London    | 3
New York  | 4
Paris     | 5
Tokyo     | 6
Moscow    | 7
Berlin    | 8

What's New in FireWall-1 Version 4.0


New Platforms

Firewall modules can now be installed on Ipsilon and TimeStep PERMIT/Gate platforms.


Encryption

ISAKMP/Oakley (IKE) is now supported for VPNs and SecuRemote, including ENTRUST PKI, and is exportable worldwide.

Enterprise Management

LDAP-based user databases are now fully integrated into FireWall-1, and an LDAP client is included with FireWall-1.

Authentication

A number of major improvements have been implemented in the FireWall-1 version 4.0 authentication feature:
- Support for TACACS/TACACS+
- Support for RADIUS Version 2
- Support for MD5 in S/Key
- Secondary (backup) AXENT servers are supported

Client Authentication

Authentication can now be performed using a Web browser. The following new features are available:
- Implicit client authentication
- Automatic client authentication sign-off

Security Servers

All FireWall-1 security servers now support OPSEC version 1.0. The HTTP security server supports FTP and HTTPS.

Support for New Services

Network address translation now supports H-323, NetShow, VXtreme and many other services that were not supported in earlier versions of FireWall-1. This further extends FireWall-1's impressive list of over 120 out-of-box supported services.


Unit I Chapter 1: FireWall-1 Architecture


Introduction
In reality, the concept of a firewall is simple: Network traffic comes in through the firewall. The firewall examines and controls the traffic, then sends the traffic to its destination. It does sound simple, yet firewalls are an important part of network security. Without a firewall, the possibility of security breaches from external and internal sources is greatly increased. To protect your network from attacks, installing and maintaining a firewall is an important part of network operations. An important part of understanding what a firewall is and does is to understand the firewall's architecture, including the following elements:
- Definition of a firewall
- TCP/IP basics
- Types of packet filtering
- FireWall-1 components
- Introduction to Stateful Inspection


Objectives

- Describe the purpose of a firewall
- Describe and compare firewall architectures
- Identify the different components of FireWall-1

Key Terms

security policy
Transmission Control Protocol/Internet Protocol (TCP/IP)
data packet
IP addresses
packet filtering
application layer gateway (proxy)
Stateful Inspection
Inspection Module
Firewall Module
network address translation (NAT)
INSPECT
Management Module
Management Server
Connect Control Module
encryption
access control lists


Defining a Firewall
What is a Firewall?

A firewall is a system designed to prevent unauthorized access to or from an internal network. Firewalls act as locked doors between internal and external networks. Data meeting certain requirements can get through the locked door, whereas unauthorized data never gains access. A firewall is one of the most effective ways of securing a network. Firewalls track and control data, deciding whether to pass, drop, reject, encrypt or log the data. Firewalls ensure data meets the rules of its security policy, which is a set of rules that defines an internal network's security. A firewall is only as effective as its setup within the security policy. A firewall cannot protect the network against malicious authorized users. Seventy-eight percent of network attacks occur within a company's organization. And a firewall cannot protect connections that don't access the firewall.

TCP/IP

Transmission Control Protocol/Internet Protocol (TCP/IP) is one of the most common communication protocols used to connect to the Internet and external networks. Whereas the IP protocol deals only with data packets, which are parts of data streams, TCP enables two networks to establish connections and exchange data streams. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent (Figure 2).

Figure 2: TCP/IP Stack


Packets

A data packet (or packet) is a piece of a message transmitted over a network. A key feature of a packet is that it contains the destination address in addition to the data. Packets are like letters and must have addresses. Just as normal letters must have addresses on the front to make delivery likely, TCP/IP communication depends on addresses being included in each packet. These addresses are commonly termed IP addresses. As these packets of information move through the network, devices use the packets' IP addresses to decide whether to keep the packets in the local network or forward them to a different network. This is a complex task, because there are many networks that either comprise the Internet or are attached to it through gateways. Figure 3 is an example of the layers that comprise a packet, and the many levels of communication TCP/IP reads:

Figure 3: Packet Layers


Methods of Securing Networks


Before FireWall-1's Stateful Inspection technology, system administrators used the following traditional firewall architectures to protect internal networks:
- Packet filtering
- Application layer gateways (proxies)

These methods are not as reliable as using FireWall-1.

Packet Filtering

Packet filtering examines a packet up to the network layer. The upper four layers are unexamined and allowed into an internal network (Figure 4). The packet filter looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. The limitation of this type of filtering is its inability to provide security for the most basic protocols.
[Figure 4 (image not reproduced): two seven-layer stacks (Application, Presentation, Session, Transport, Network, DataLink, Physical) on either side of a router that handles only the lower layers]

Figure 4: Packet Filtering Path

The Pros of Packet Filtering

The pros of packet filtering include the following:
- Inexpensive
- Application transparency
- Quicker than application layer gateways

The Cons of Packet Filtering

The cons of packet filtering include the following:
- Low security
- Access to a limited part of a packet header only
- No screening above the network layer, meaning that packet filters are incapable of providing communication-derived or application-derived state information
- Very limited ability to manipulate information


- Difficult to configure, monitor and manage
- Provides inadequate logging and alerting mechanisms
- Subject to IP spoofing
Example

Packet filters, historically implemented on routers, filter user-defined content, such as IP addresses. They examine a packet at the network layer and are application independent, which allows them to deliver good performance and scalability. They are the least secure type of firewall, because they are not application aware. They cannot understand the context of a given communication, which makes unauthorized entry to the network easier. Packet filters have two choices with regard to outbound FTP connections. They can either leave the entire upper range (greater than 1023) of ports open, which allows the file transfer session to take place over the dynamically allocated port but exposes the internal network, or they can shut down the entire upper range of ports to secure the internal network, which blocks other services. This is a trade-off between application support and security.


Application Layer Gateway (Proxy)

An application layer gateway, or proxy, implements firewalls at the application level. As external networks have evolved into dynamic environments that constantly offer new protocols, services and applications, proxies are no longer able to handle the diverse types of communication on external networks. They cannot fulfill the new business needs, high bandwidth and security requirements of today's networks (Figure 5):
[Figure 5 (image not reproduced): Telnet, FTP and HTTP proxies at the application layer, with three seven-layer stacks (Application, Presentation, Session, Transport, Network, DataLink, Physical)]

Figure 5: Application-Layer Gateway Path

The Pros of Application Layer Gateways (Proxy)

The pros of application layer gateways include the following:
- Good security
- Full application-layer awareness

The Cons of Application Layer Gateways (Proxy)

The cons of application layer gateways include the following:
- Partial communication-derived and full application-derived state information
- Each service requires its own application layer gateway, so the number of available services and their scalability is poor
- Implementation at the application level is detrimental to performance
- Proxies cannot provide for UDP, RPC and other services from common protocol families
- Most proxies are not transparent
- Vulnerable to operating system and application level bugs
- Overlooks information contained in lower layers
- Expensive performance cost


Example

Application layer gateways improve on security by examining all application layers, bringing context information into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections: one from the client to the firewall and one from the firewall to the server. In addition, each proxy requires a different application process, or daemon, making scalability and support for new applications a problem. In using an FTP proxy, the application layer gateway duplicates the number of sessions, acting as a proxied broker between the client and the server. Although this approach overcomes the limitation of IP filtering by bringing application-layer awareness to the decision process, it does so with an unacceptable performance penalty. In addition, each service needs its own proxy, so the number of available services and their scalability is limited. Finally, this approach exposes the operating system to external threats.

Stateful Inspection

A firewall must track and control the flow of communication passing through it. To reach control decisions for TCP/IP based services (accept, reject, authenticate, encrypt and/or log communication attempts), a firewall must obtain, store, retrieve and manipulate information derived from all communication layers and from other applications. State information, derived from past communications and other applications, is an essential factor in making the control decision for new communication attempts. Depending upon the communication attempt, both the communication state (derived from past communications) and the application state (derived from other applications) may be critical in the control decision. To ensure the highest level of security, a firewall must be capable of accessing, analyzing and utilizing communication information, communication-derived state, application-derived state and information manipulation. Stateful Inspection is a firewall technology introduced in Check Point FireWall-1 and designed to meet the following security requirements:
- Communication Information: Information from all seven layers in the packet.
- Communication-derived state: State derived from previous communications. For example, the outgoing PORT command of an FTP session can be saved so that an incoming FTP data connection can be verified against it.


- Application-derived state: State information derived from other applications. For example, a previously authenticated user would be allowed access through the firewall for authorized services only.
- Information manipulation: Evaluation of flexible expressions based on communication information, communication-derived state and application-derived state.
[Figure 6 (image not reproduced): the INSPECT Engine with its Dynamic State Tables placed between the seven-layer stacks (Application, Presentation, Session, Transport, Network, DataLink, Physical)]

Figure 6: Stateful Inspection Path

The Pros of Stateful Inspection

The pros of Stateful Inspection (Figure 6) include the following:
- Good security
- Full application-layer awareness
- High performance
- Scalability
- Extensible
- Transparency


Example

Stateful Inspection tracks the FTP session, examining FTP application-layer data. When the client requests that the server generate the back-connection (an FTP PORT command), FireWall-1 extracts the port number from the request. Both client and server IP addresses and both port numbers are recorded in an FTP-data pending request list. When the FTP data connection is attempted, FireWall-1 examines the list and verifies that the attempt is in response to a valid request. The list of connections is maintained dynamically, so that only the required FTP ports are opened. As soon as the session is closed, the ports are locked, ensuring maximum security.
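The following added example (not Check Point code, and not FireWall-1's INSPECT implementation) models the FTP-data pending request list described above and runs the same traffic through the two stateless choices from the packet-filtering example earlier (upper ports open, or upper ports closed). All hosts, ports and the packet sequence are constructed; the rule that a PORT command is honoured only when it names the client's own address is an assumption of this model.

```python
import re
from dataclasses import dataclass

# FTP "PORT h1,h2,h3,h4,p1,p2": the client announces where the server should
# connect for the data channel (address h1.h2.h3.h4, port p1*256 + p2).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Packet:
    """Constructed packet record: only the fields the decision needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False      # first packet of a TCP connection
    fin: bool = False      # connection teardown
    payload: str = ""      # FTP control-channel data, if any


def parse_port_command(payload):
    """Return (ip, port) announced by a PORT command, or None if absent/invalid."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class StatelessFilter:
    """Router-style packet filter: judges each inbound packet on its header alone."""

    def __init__(self, internal_prefix, open_upper_ports):
        self.internal_prefix = internal_prefix
        self.open_upper_ports = open_upper_ports   # the trade-off from the text

    def decide(self, pkt):
        if not pkt.dst_ip.startswith(self.internal_prefix):
            return "accept"                        # outbound traffic is allowed
        if pkt.dst_port > 1023 and self.open_upper_ports:
            return "accept"                        # whole upper range is exposed
        return "drop"


class StatefulInspector:
    """Tracks FTP control sessions and the FTP-data pending request list."""

    def __init__(self, internal_prefix):
        self.internal_prefix = internal_prefix
        self.control = set()   # (client_ip, client_port, server_ip)
        self.pending = set()   # (server_ip, client_ip, client_data_port)
        self.data = set()      # same key, once the data connection is accepted

    def decide(self, pkt):
        if pkt.src_ip.startswith(self.internal_prefix):          # outbound
            if pkt.syn and pkt.dst_port == 21:
                self.control.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))
            elif (pkt.src_ip, pkt.src_port, pkt.dst_ip) in self.control:
                announced = parse_port_command(pkt.payload)
                # Assumption: honour only PORT commands naming the client itself.
                if announced and announced[0] == pkt.src_ip:
                    self.pending.add((pkt.dst_ip, announced[0], announced[1]))
            return "accept"
        key = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)             # inbound
        if pkt.syn and pkt.src_port == 20 and key in self.pending:
            self.pending.discard(key)   # one request opens exactly one connection
            self.data.add(key)
            return "accept"
        if key in self.data:
            if pkt.fin:
                self.data.discard(key)  # session closed: the port is locked again
            return "accept"
        return "drop"


def run_scenario(engine):
    """Constructed traffic: one active-mode FTP transfer, then two inbound SYNs
    that no PORT command asked for (a replay after close, and a probe)."""
    client, server = "192.168.1.50", "198.51.100.7"
    flows = [
        Packet(client, 1024, server, 21, syn=True),                 # control channel
        Packet(client, 1024, server, 21, payload="PORT 192,168,1,50,4,1\r\n"),
        Packet(server, 20, client, 1025, syn=True),                 # requested data
        Packet(server, 20, client, 1025, fin=True),                 # transfer ends
        Packet(server, 20, client, 1025, syn=True),                 # replay: no request
        Packet("203.0.113.9", 20, client, 1030, syn=True),          # probe: no request
    ]
    return [engine.decide(p) for p in flows]


if __name__ == "__main__":
    print("stateful inspection:", run_scenario(StatefulInspector("192.168.1.")))
    print("stateless, upper ports open:", run_scenario(StatelessFilter("192.168.1.", True)))
    print("stateless, upper ports closed:", run_scenario(StatelessFilter("192.168.1.", False)))
```

The stateless filter either admits all four inbound SYNs (ports open) or blocks the legitimate transfer along with the rest (ports closed); the stateful model admits only the connection that the recorded PORT command asked for, and drops the replay once the session has closed.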

Packet filters and application-layer gateways each fall short of Stateful Inspection in some area (Table 3):

Table 3: Comparison of Firewall Architectures

Firewall Capability            Packet Filters   Application-layer Gateways   Stateful Inspection
Communication information      Partial          Partial                      Yes
Communication-derived state    No               Partial                      Yes
Application-derived state      No               Yes                          Yes
Information manipulation       Partial          Yes                          Yes


What is FireWall-1?
FireWall-1 is based upon the Stateful Inspection architecture, assuring the highest level of network security. FireWall-1's Inspection Module analyzes all packet communication layers and extracts the relevant communication and application state information. The Inspection Module understands, and can learn, any protocol and application.

The FireWall-1 Inspection Module resides in the operating system kernel, below the network layer, at the lowest software level. By inspecting communications at this level, the Inspection Module can intercept and analyze all packets before they reach the operating system. No packet is processed by any of the higher protocol layers unless FireWall-1 verifies that it complies with the enterprise security policy.

The Inspection Module stores and updates state and context information in dynamic connection tables. These tables are continually updated, providing cumulative data against which FireWall-1 checks subsequent communications.

The kernel is the core of the UNIX and NT Server operating systems, managing memory, files and peripheral devices; maintaining time and date; launching applications; and allocating system resources.

Figure 7: FireWall-1 Architecture (the figure shows the Firewall Daemon and TCP/IP management in user mode, and the IP stack, the Inspection Module and the network drivers in kernel mode, with IOCTLs and messages passing between user and kernel mode)

Advantages of Stateful Inspection Architecture

Because it processes packets in the operating system's kernel, FireWall-1 saves system processing time and resources. Applications and processes above the kernel layer (Figure 7) suffer little (if any) performance degradation. And by placing its kernel module between the Network Interface Cards (NICs) and the TCP/IP stack, FireWall-1 solves the problem of protecting the TCP/IP stack itself.


Inspect Engine in the Kernel Module

When packets pass through an internal NIC (Figure 8), the FireWall-1 kernel module inspects the packets by accessing its rule base.

Figure 8: Packet Inspected in Kernel Module

The FireWall-1 kernel module uses the INSPECT engine to control traffic passing between networks. FireWall-1 inspects packets by accessing all levels of communication: the kernel module has access to the lowest level of communication and can inspect all layers of a packet and its data. If packets pass FireWall-1 inspection, the Firewall Module passes them through the TCP/IP stack to their destination. Packets pass through the NIC to the INSPECT engine and on up the network stack.

Some packets are destined for the operating system's local processes. In this case, the Firewall Module inspects the packets and passes them through the TCP/IP stack to the processes (Figure 9):

Figure 9: INSPECT Engine Allows Packet


If packets do not pass inspection, they are rejected or dropped, according to the FireWall-1 rule base (Figure 10):

Figure 10: INSPECT Engine Drops or Rejects Packet

A detailed flow of the packets through the INSPECT engine is shown in Figure 11:

Figure 11: INSPECT Engine Flow


FireWall-1 Products
The following product options are available during installation. Each option is listed with its components:

FireWall-1 Enterprise Product
- Management Module: Centralized graphical security management for either one or unlimited security enforcement points
- Inspection Module: Access control; client and session authentication; network address translation; auditing
- Firewall Module: Includes the Inspection Module; user authentication; multiple firewall synchronization; content security
- Encryption Module: Provides DES encryption (for SKIP and IPSec) and FWZ1 encryption
- Router Security Management: Security management for router access control lists across one or more routers
- Open Security Manager: Centralized security management for 3Com, Cisco and Microsoft NT Server routers, and Cisco PIX firewalls

FireWall-1 Single Gateway Product
- Management Module: Centralized graphical security management for either one or unlimited security enforcement points
- Inspection Module: Access control; client and session authentication; network address translation; auditing
- Firewall Module: Includes the Inspection Module; user authentication; multiple firewall synchronization; content security

FireWall-1 Enterprise Management Product
- Connect Control Module: Automatic application-server load balancing across multiple servers (deployed with FireWall-1)

FireWall-1 FireWall Module
- Inspection Module: Access control; client and session authentication; network address translation; auditing
- User authentication; multiple firewall synchronization; content security

FireWall-1 Inspection Module
- Access control; client and session authentication; network address translation; auditing


FireWall-1 Components
FireWall-1 consists of the Firewall and Management Modules and is accessed through a graphical user interface (GUI). The modules can reside on the same or separate computers.

The Firewall Module

The Firewall Module provides access control; client, user and session authentication; and network address translation (NAT), which replaces source and destination network addresses. NAT can be used to hide internal network structure and/or prevent network address conflicts between networks. The Firewall Module also provides auditing, multiple firewall synchronization and content security. The Firewall Module contains the Inspection Module, the FireWall-1 Daemon and the Security Server.

Inspection Module

The Inspection Module contains the INSPECT Engine, compiled INSPECT code, and various state and context information stored in dynamic tables. INSPECT code is a compiled script that is generated from the information in the security policy and its rule base. The INSPECT script is used to compare the information in a data packet to the rules in the rule base. Actions that make up access control, client, user and session authentication, NAT, auditing capabilities, load balancing and anti-spoofing are triggered based on conditional comparisons made on the packet data by statements in the INSPECT code and context information.

Daemon

The FireWall-1 Daemon is responsible mainly for communication between modules, clients and hosts (SNMPD, FWD, ALERTD).

Security Server

The Security Server is a specialized server that is responsible for handling authentication of packets for a specific service or protocol (SMTP, TELNET, FTP and HTTP).


The Management Module

The Management Module is accessed through the GUI and located on the Management Server. The Management Module is used to control and monitor Firewall Modules residing on either local or remote computers. The GUI and the Management Server can reside on separate computers in a client/server environment.

Management Server

The Management Server is part of the Management Module and manages the FireWall-1 database: the rule base, network objects, servers, users, and more. The client interacts with the user via the GUI, but all the data (the database and configuration file) is maintained on the Management Server.

Other FireWall-1 Components

Connect Control Module

The Connect Control Module provides automatic, application-server load balancing across multiple servers.

Encryption Module

The Encryption Module enables both firewall-to-firewall and client-to-firewall encryption, which ensures data is secured when coming from or going to a firewalled computer.

Router Security Management

Provides for management of access control lists, which allow rule bases for 3Com, Bay Networks and Cisco routers.

Graphical User Interface (GUI)

The GUI is the front end to the Management Server. The Windows NT Server version of FireWall-1 uses a Windows GUI; the Solaris version uses FireWall-1's proprietary command-line interface and the X/Motif GUI. Following are the three GUIs that can be accessed in FireWall-1:

- Security Policy Editor GUI: Creates rules and network objects; controls installation of the security policy
- Log Viewer GUI: Views connections that pass through the firewall and are selected for logging; identifies threats when the network is under attack
- System Status GUI: Status of firewalled objects; alerts from all Firewall Modules


Review
Summary

A firewall is a system designed to prevent unauthorized access to or from an internal network. Firewalls act as locked doors between internal and external networks. Data meeting certain requirements can get through the locked door, whereas unauthorized data never gains access. A firewall is one of the most effective ways of securing a network.

Transmission Control Protocol/Internet Protocol (TCP/IP) is one of the most common communication protocols used to connect to the Internet and external networks. Whereas the IP protocol deals only with data packets, which are parts of data streams, TCP enables two networks to establish connections and exchange data streams. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

Packet filtering and application layer gateways were traditionally used as a means to protect the network. FireWall-1's Stateful Inspection architecture and its INSPECT engine utilize the best features of these two methods plus added features to ensure the most reliable protection of a network. Stateful Inspection enforces the security policy on the firewalled computer on which it resides and provides support for a large number of protocols and applications.

The components of FireWall-1 include the following:

- The Firewall Module: Inspection Module, Daemon, Security Server
- The Management Module: Management Server
- Other FireWall-1 Components: Connect Control Module, Encryption Module, Router Security Management
- Graphical User Interface: Security Policy Editor, Log Viewer, System Status


Review Questions

1. What is Stateful Inspection and why is it crucial to FireWall-1?

2. Why is Stateful Inspection more reliable than packet filtering and application layer gateways for protecting internal networks?

3. What process does FireWall-1 use to accept, drop or reject packets?

4. What components are available with FireWall-1?


Unit II Getting Started


Chapter 1: FireWall-1 Installation and Setup
Chapter 2: Navigating in FireWall-1
Chapter 3: Management Tools


Unit II Chapter 1: FireWall-1 Installation and Setup


Introduction
The first step in utilizing FireWall-1 is its installation. The hands-on procedure simulates a first-time installation, whether you use the installation GUI for Windows NT Server or command line input for Solaris. By default, FireWall-1 follows the security principle of "All communications are denied unless expressly permitted." Until the security policy is configured, FireWall-1 will prevent access to the network and drop all traffic.

Installation in this chapter includes the following topics:

FireWall-1 for Windows NT Server
- Installing FireWall-1 on Windows NT Server
- Configuring FireWall-1 for Windows NT Server
- Installing the Windows GUI Client

FireWall-1 for Solaris
- Installing FireWall-1 on Solaris
- Configuring FireWall-1 for Solaris
- Installing the X/MOTIF GUI Client

Objectives

- List the minimum system requirements to run FireWall-1
- Demonstrate how to install FireWall-1 on Windows NT Server
- Demonstrate how to install FireWall-1 on Solaris
- Outline the procedure for uninstalling FireWall-1
Firewall-1 System Requirements on Windows NT Server


Supported Platforms: HP-PA-RISC 700 and 800; Sun SPARC-based systems; Intel x86 and Pentium; RS 6000, PowerPC
Operating Systems: HP-UX 10.x; AIX 4.2.1 and 4.3.0; Solaris 2.5 and higher; Windows NT Server 4.x, Service Pack 3.01 (Intel-based only)
Disk Space: 20 MB
Memory: 32 MB minimum, 64 MB recommended
Network Interface: All interfaces supported by the operating systems
Open Security Manager (optional module): 3Com router access control lists; Bay Networks router access control lists; Cisco Systems router access control lists; Microsoft RRAS (Steelhead)
Media: CD-ROM


Getting Started with FireWall-1


Network Configuration

Before installing FireWall-1, make sure that your network is properly configured, with special emphasis on routing. Ensure that each of the internal networks and the gateway (the firewall) can see each other; that is, make sure the routing tables are correctly defined. Do this by logging on to each of the hosts and pinging other hosts in the internal networks and on to the Internet.

FireWall-1 is comprised of two primary modules:

- Management Module: Resides on the Management Server. The Management Module manages the FireWall-1 database (the rule base, network objects, services, users) and is accessed through the GUI. The Management Server is used for adding, updating and removing administrators.
- Firewall Module: Includes the Inspection Module, daemon and security server. The Firewall Module implements the security policy, logs events and communicates with the Management Module using the daemons.

The two components of the Management Module (the GUI and the Management Server) can be installed on the same machine or on two different machines. When installed on two different machines, FireWall-1 implements the client/server model, in which a GUI client running on a Windows or X/Motif workstation controls a Management Server running on a Windows NT Server or Solaris workstation (Figure 12):


Figure 12: FireWall-1 Client-Server Configuration (the figure shows the Firewall Module with its Inspection Module, the Management Module with its Management Server, and the GUI, which can be installed either on the Management Server or on a separate computer)

The functionality of the Management Module is divided between two workstations: the GUI runs on one, and the Management Server, including the FireWall-1 database, runs on the server. The user working on the GUI maintains the FireWall-1 security policy and database, which reside on the server. The Firewall Module is installed on the firewalled gateway, which enforces the security policy and protects the network.


Installation Procedure
To install the firewall on both NT Server and Solaris systems, follow these steps:

1. Install FireWall-1 on the Management Station computer (the computer housing the Management Server).
2. Install and start the Firewall Module on each of the firewalled hosts.
3. Start the FireWall-1 GUI on the Management Station or on a remote GUI client machine.

Components to Install

The FireWall-1 components included in a typical installation are shown in Table 4:

Table 4: Components to Install on Various Computers

On this Computer      Install this Component
Management Server     Management Module
GUI Client            Windows or X/Motif GUI Client
Firewall              Firewall Module

Installing FireWall-1 on Windows NT Server


To install FireWall-1 onto a Windows NT Server system, follow these steps. These installation steps assist you in installing and configuring FireWall-1 in the classroom lab environment; when installing on your corporate firewall, the steps and results may vary.

1. Insert the FireWall-1 CD into the CD-ROM drive.
2. From the Start menu, select Settings, Control Panel, Add/Remove Programs and Install.
3. Click Next.
4. In the Run Installation Program screen, click Browse and select the CD-ROM drive.
5. Select the Windows folder, FW1 folder, disk 1 and setup.exe.
6. The Select Components screen appears (Figure 13):

For this example, the Firewall and Management Modules are installed on one machine. The GUI is installed later. However, you can install the GUI at the same time by selecting both the FireWall and the FireWall User Interface.

Figure 13: Select Components Screen


7. Select FireWall-1 and click Next.
8. The Software License Agreement screen appears (Figure 14):

Figure 14: Software License Agreement Screen

9. Click Yes to accept the agreement.
10. The FireWall-1 Welcome screen appears (Figure 15):


Figure 15: FireWall-1 Welcome Screen

11. Click Next.
12. The command line for installation appears on the Choose Destination Location screen (Figure 16 on page 34):


Figure 16: Selecting Destination Directory

13. Accept the default location and click Next, or change it by clicking Browse.
14. In the Selecting Product Type screen, select FireWall-1 Enterprise Product (Figure 17):

Figure 17: Selecting Product Type

The FireWall-1 Enterprise Product is a total package that includes gateway and management products and Firewall and Inspection Modules with incremental licenses. If a different product needs to be installed, select one of the products or modules listed below the FireWall-1 Enterprise Product option.


15. Click Next. The Selecting Product Type screen remains, now showing only the Firewall Module and Management Server options (Figure 18):

Figure 18: Selecting Product Type (Components)

16. Select both the Firewall Module and Management Server components to install on the firewall server. The Firewall Module and Management Server do not have to be installed on the same server; one or the other can be installed on another machine, invoking the client/server model. When installing a firewall module only, select only the Firewall Module option. You will install both items on one machine for this class.
17. Click Next. The FireWall-1 product will now install on the Windows NT Server system.

All FireWall-1 products require a license for operation. Without a license, you cannot use FireWall-1.

18. After the installation of FireWall-1, the Licenses screen appears (Figure 19):

Figure 19: License Configuration Tab

19. Click Add and the Add Licenses screen appears (Figure 20):

Figure 20: Add License Screen

20. Type the appropriate information for each field. Use the tab key to move from field to field. Figure 21 shows a sample installation license string:

Figure 21: Installation License String

Be careful to type the information accurately. The Features field is case sensitive.


21. Click OK when finished entering license information. Notice that the Current Licenses field now lists the newly entered license information.
22. Click Next. You are now ready to configure FireWall-1 on the Windows NT Server system.

Installation Configuration on Windows NT Server


After FireWall-1 is installed on the system, the configuration information needs to be defined. The following setup topics require information from the installer/administrator:

- Administrators (name and password)
- GUI Clients (client/server model)
- Remote Modules (client/server model)
- IP Forwarding
- SMTP Security Server
- Key Hit Session
- CA Keys

You may modify the configuration at any time by running the FireWall-1 configuration application.

Administrators

The next step is to specify the administrators allowed to use the GUI client with the Management Server just installed. At least one administrator must be defined to use the Management Server. Each administrator added must be assigned a level of permission. Choose from the following permission levels:

- Read/Write: All permissions. Only one FireWall-1 administrator at a time can be logged on with Read/Write permission.
- User Edit: At this level, the administrator can modify user information. The rest of the information is read only.
- Read Only: This permission level allows read-only access to the Security Policy Editor. Administrators with higher permission levels can sometimes log in at this permission level.
- Monitor Only: This is the lowest permission level. It only allows access to the Log Viewer and the System Status tools.


To set up administrators, follow these steps:

1. The Administrators screen appears (Figure 22):

Figure 22: Administrator Setup Screen

2. Click Add and the Add Administrator screen appears (Figure 23):

Figure 23: Add Administrator Screen

3. Type the administrator's name (fwadmin) and password (abc123) and select the level of permission from the menu. (The first administrator must be given Read/Write permission.)


After adding an administrator, the new administrator will appear on the Administrator screen.


4. Click OK.
5. Repeat the above process for other administrators.
6. When all administrators have been added, click Next.

GUI Clients

The next step is to set up the GUI clients. The GUI Clients information is a list of remote GUI clients allowed to access this station. The Management Station is always allowed as a GUI client; you do not need to add the name of the Management Station to this list for class.

1. The GUI Clients screen appears (Figure 24):

Figure 24: GUI Clients Screen

2. In the Remote hostname text box, type the name or IP address. Click Add to add it to the list of GUI clients.
3. To remove a name, highlight it and click Remove.
4. Repeat to add additional GUI clients.
5. When all GUI clients have been added, click Next.

This list is used for remote management configuration.


Remote Modules

If a Management Module is the only module installed on this computer, you must specify the remote Firewall Modules for which this Management Module is defined as Master. For this class you will not specify a remote module.

1. The Remote Modules screen appears (Figure 25):

Figure 25: Remote Modules Screen

2. In the hostname text box, type the name or IP address. Click Add to add it to the list of remote firewall modules.
3. Repeat the above process for other remote modules.
4. When all remote modules have been added, click Next.

Remote modules are used for remote management configuration.


IP Forwarding

The next step in configuring FireWall-1 is to specify whether you want FireWall-1 to control IP forwarding on the gateway. IP forwarding also determines how the firewalled machine will react during specific vulnerable times, such as when the system boots up before the firewall service starts.

1. Two choices are listed on the IP Forwarding screen (Figure 26):

Figure 26: IP Forwarding Screen

- Control IP Forwarding: This selection stops packets from passing through the firewall. Because no security policy is defined, packets are dropped after the timeout. When a security policy is defined, packets are handled according to its settings. It is advisable to select this option unless there is some specific reason not to use this feature.
- Do not control IP Forwarding: This selection has no security policy and allows all packets to pass through the firewall security policy.

2. Select IP Forwarding and click Next.


SMTP Security Server

The SMTP security server does not provide authentication, because there is not a user at the keyboard who can be challenged for authentication data. The SMTP security server provides content security, enabling a security administrator to perform the following functions:

- Provide mail address translation
- Drop mail from a given address
- Strip MIME attachments of specified types from mail
- Strip the Received information from outgoing mail
- Drop mail messages above a given size
- Protect against viruses
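The Python below is an added example, written for this text and not Check Point's implementation, that applies the listed content-security functions to a constructed outgoing message: it drops oversized mail, drops mail from a blocked address, strips attachments of a configured MIME type, removes the Received headers that expose internal relay hops, and translates the sender address. The blocked address, attachment type, size limit and address mapping are assumed policy values; virus protection is not modelled.

```python
"""Toy content-security pass modelled on the SMTP security server functions above.

Added illustration, not Check Point code. The policy values and the sample
message are constructed for this example; virus protection is not modelled.
"""
from dataclasses import dataclass, field
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class ContentPolicy:
    """Constructed settings standing in for the administrator's configuration."""
    blocked_senders: FrozenSet[str] = frozenset({"spammer@example.net"})
    strip_attachment_types: FrozenSet[str] = frozenset({"application/x-msdownload"})
    max_size_bytes: int = 64 * 1024
    strip_received: bool = True
    # mail address translation: internal address -> address shown outside
    address_map: Dict[str, str] = field(
        default_factory=lambda: {"alice@inside.example.com": "alice@example.com"}
    )


def strip_attachments(part: EmailMessage, types: FrozenSet[str]) -> List[str]:
    """Recursively drop body parts whose content type is in `types`; return what was removed."""
    removed: List[str] = []
    if not part.is_multipart():
        return removed
    kept = []
    for sub in part.get_payload():
        if sub.get_content_type() in types:
            removed.append(sub.get_filename() or sub.get_content_type())
            continue
        removed.extend(strip_attachments(sub, types))
        kept.append(sub)
    part.set_payload(kept)
    return removed


def filter_outgoing(raw: str, pol: ContentPolicy) -> Tuple[str, Optional[EmailMessage]]:
    """Return ("accept", rewritten message) or ("drop: <reason>", None)."""
    if len(raw.encode("utf-8")) > pol.max_size_bytes:
        return "drop: size limit exceeded", None
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in pol.blocked_senders:
        return "drop: blocked sender", None
    strip_attachments(msg, pol.strip_attachment_types)
    if pol.strip_received:
        del msg["Received"]  # removes every Received: header, hiding internal relay hops
    if sender in pol.address_map:
        msg.replace_header("From", pol.address_map[sender])
    return "accept", msg


# Constructed outgoing message: two internal relay hops and an executable attachment.
SAMPLE_MAIL = """\
Received: from pc17.inside.example.com (10.1.1.17) by mail.inside.example.com; Mon, 1 Mar 1999 09:59:58 +0000
Received: from mail.inside.example.com (10.1.1.5) by fw.example.com; Mon, 1 Mar 1999 10:00:00 +0000
From: alice@inside.example.com
To: bob@partner.example.org
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain; charset="us-ascii"

Report attached.
--part-boundary
Content-Type: application/x-msdownload; name="update.exe"
Content-Disposition: attachment; filename="update.exe"

(constructed stand-in for binary content)
--part-boundary--
"""


def demo() -> dict:
    """Run the filter over the sample and two variants; returns the outcomes by name."""
    pol = ContentPolicy()
    verdict, msg = filter_outgoing(SAMPLE_MAIL, pol)
    return {
        "sample": verdict,
        "from_after": str(msg["From"]) if msg else None,
        "received_left": len(msg.get_all("Received", [])) if msg else None,
        "parts_left": len(msg.get_payload()) if msg else None,
        "blocked": filter_outgoing(
            SAMPLE_MAIL.replace("alice@inside.example.com", "spammer@example.net"), pol)[0],
        "oversized": filter_outgoing(SAMPLE_MAIL + "x" * pol.max_size_bytes, pol)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14s} {value}")
```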

To set up the SMTP security server, follow these steps:

1. In the SMTP Security Server screen, type the appropriate information for the SMTP security server (Figure 27):

Figure 27: SMTP Security Server Screen

2. Click Next.


Key Hit Session

The next step is to set up a random key.

1. In the Random Characters box of the Key Hit Session screen, type a string of random keys until the bar is full (Figure 28):

As you type in random characters, the bar fills up until completely full, as shown at left.
Figure 28: Key Hit Session Screen

2. Try not to type the same character twice, and try to vary the delay between the characters. A light bulb indicates accepted characters while a bomb indicates ignored characters. 3. After the bar is full, click Next.


CA Keys

The next step is to configure the certificate authority (CA) key. The host uses this RSA key to generate a digital signature for authenticating its communications. This digital signature is used to authenticate keys for encryption.

1. The CA Keys screen appears (Figure 29):

Figure 29: CA Keys

2. Select one of the options:
- Generate a new key (do this for class)
- Don't generate a new key

3. Click Finish to end the configuration process.


Completing the Installation

You have reached the end of the installation procedure (Figure 30):

Figure 30: FireWall-1 Setup Completion Screen

1. Check Yes, I want to restart my computer now. In order for FireWall-1 to take effect, you must restart your computer.
2. Windows NT Server shuts down all applications and restarts the operating system.


Installing GUI Client on Windows NT Server


Although you can fully control FireWall-1 from the command prompt, the GUI Client installation is recommended to make the configuration process easier. To install the GUI Client, follow these steps:

1. From the Start menu, select Settings, Control Panel, Add/Remove Programs and Install.
2. Click Next.
3. In the Run Installation Program screen, click Browse, and select the CD-ROM drive.
4. Select the Windows folder, the GUI-CLNT folder, the disk1 folder and setup.exe.
5. The Welcome screen for the GUI client installation appears (Figure 31):

Figure 31: GUI Client Installation Welcome Screen

6. Click Next.


7. In the Choose Destination Location screen, select where to install the required GUI Client files (Figure 32):

Figure 32: Choose Destination Location Screen

8. To accept the default location, click Next. To change the directory where the files will be installed, click Browse and choose an alternate directory.
9. The Select Components screen appears (Figure 33):

Figure 33: Select Components Screen

10. Select the appropriate components to install, as described in Table 5 on page 49. For this class, select all components.
11. Click Next. The installation process starts.


Table 5: Definition of Available Components

Component          Definition
Security Policy    Provides configuration of rules, definition and management of objects
System Status      Provides a quick and easy way to obtain, at a glance, status information about internal firewalled objects and allows you to see alerts
Log Viewer         Is an interface for viewing, sorting, and obtaining details of various logged activities

12. After all components are installed, the following message appears (Figure 34):

Figure 34: Installation Complete Message

13. Click OK. The installation of the FireWall-1 GUI client is complete.

FireWall-1 System Requirements on Solaris


The following are the minimum system requirements for installing FireWall-1 on a Solaris platform.

Client/Server Hardware and Operating System Requirements

Supported Platforms: Sun SPARC-based systems; Intel x86 and Pentium; HP PA-RISC 700/800; RS 6000, Power PC
Operating Systems: Solaris 2.5 and higher; HP-UX 10.x; AIX versions 4.2.1 and 4.3.0
Disk Space: 21 MB
Memory: 48 MB minimum, 64 MB recommended
Network Interface: All interfaces supported by the operating systems
Media: CD-ROM

Non-Client/Server Hardware and Operating System Requirements

Supported Platforms: Sun SPARC-based systems; Intel x86 and Pentium; HP PA-RISC 700/800; RS 6000, Power PC
Operating Systems: Solaris 2.5 and higher; HP-UX 10.x; AIX versions 4.2.1 and 4.3.0
Window System: X11R5/OPEN LOOK (Open Windows 3) or X/Motif


Disk Space: 21 MB (50 MB for AIX)
Memory: 16 MB minimum, 32 MB recommended; no special requirements for the Firewall Module
Network Interface: All interfaces supported by the OS
Media: CD-ROM

Installing FireWall-1 on Solaris


To install FireWall-1 on Solaris, use the command line utility pkgadd, which transfers the FireWall-1 installation files to the Solaris machine. Follow these steps:

1. Become superuser:

    hostname% su
    password: your root password

2. Start the installation process:

    hostname% pkgadd -d directory name

directory name is the name of the directory where the packages reside, typically /cdrom/fw1_4_0_des/solaris2/. The following screen output appears with a list of packages to install:

    The following packages are available:
      1  AMC       Check Point Account Management Client
                   (sparc) 1.0
      2  CKPagent  Check Point FireWall-1 Load Agent
                   (sparc) 4.0
      3  CKPfw     Check Point FireWall-1
                   (sparc) 4.0
      4  CKPfwgui  Check Point FireWall-1 GUI
                   (sparc) 4.0
      5  CKPfwmap  FireWall-1 HP OpenView Extension
                   (sparc) 4.0,REV=98.01.26

    Select package(s) you wish to process or all to process all package(s) default: all.

3. Type 3 to select FireWall-1 and Enter.


4. The following screen output appears:
   Processing package instance <CKPfw> from </tmp/rm_me>
   Check Point FireWall-1 (sparc) 4.0
   Copyright 1994-98 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this software package, Check Point assumes no responsibility for errors or omissions. This software package and its features are subject to change without notice.
   The selected base directory </opt/CKPfw> must exist before installation is attempted.
   Do you want this directory created now [y,n,?]

5. Type Y and press Enter.

6. The following screen output appears:
   Using </opt/CKPfw> as the package base directory.
   ## Processing package information.
   ## Processing system information.
   ## Verifying disk space requirements.
   ## Checking for conflicts with packages already installed.
   ## Checking for setuid/setgid programs.
   This package contains scripts which will be executed with super-user permission during the process of installing this package.
   Do you want to continue with the installation of <CKPfw> [y,n,?]

7. Type Y and press Enter.


8. To install Check Point FireWall-1 as <CKPfw>, the following screen output appears:
   ## Installing part 1 of 1.
   /opt/CKPfw/conf/ahclientd/ahclientd1.html
   /opt/CKPfw/conf/ahclientd/ahclientd2.html
   /opt/CKPfw/conf/ahclientd/ahclientd3.html
   /opt/CKPfw/conf/ahclientd/ahclientd4.html
   /opt/CKPfw/conf/ahclientd/ahclientd5.html
   /opt/CKPfw/conf/ahclientd/ahclientd6.html
   /opt/CKPfw/conf/ahclientd/ahclientd7.html
   /opt/CKPfw/conf/auth.C
   /opt/CKPfw/conf/default.W
   ## Executing postinstall script.

9. Then the following screen output appears:
   DONT FORGET TO:
   1. Add the line:
      setenv FWDIR /opt/CKPfw to .cshrc
      or
      FWDIR=/opt/CKPfw; export FWDIR to .profile
   2. Add $FWDIR/bin to path (PATH=$PATH:$FWDIR/bin; export PATH)
   3. Add $FWDIR/man to MANPATH environment (MANPATH=$MANPATH:$FWDIR/man; export MANPATH)
   Important: Please run fwconfig to install the license and to configure FireWall-1.
   Installation of <CKPfw> was successful.
   press <Return> to continue

   Shell variable names are case sensitive: the Bourne shell reads PATH and MANPATH, so add the lines exactly as shown or the fw commands and manual pages will not be found.

10. Press Enter.

11. Type fwconfig. The following screen output appears:
   Checking available options. Please wait.....................
   Which of the following FireWall-1 options do you wish to install/configure?
   ---------------------------------------------------------------------------
   (1) FireWall-1 Enterprise Product
   (2) FireWall-1 Single Gateway Product
   (3) FireWall-1 Enterprise Management Console Product
   (4) FireWall-1 FireWall Module
   (5) FireWall-1 Inspection Module

12. Type 1 to select FireWall-1 Enterprise Product and press Enter.


13. The following screen output appears:
   Installing/Configuring FireWall-1 Enterprise Product.
   Which Component would you like to install?
   ------------------------------------------
   (1) FireWall & Management Modules
   (2) FireWall Module only
   (3) Management Module only
   Enter your selection (1-3/a):

14. Type 1 to install both FireWall & Management Modules.

15. The following screen output appears:
   **************** FireWall-1 kernel module installation ****************
   installing FireWall-1 kernel module... Done.
   **************** Interface Configuration ****************
   Scanning for unknown interfaces...
   Do you wish to start FireWall-1 automatically from /etc/rc3.d (y/n)?

16. Type Y and press Enter.
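The environment settings that the postinstall message asks for (step 9) are easy to mistype or to append a second time. The following script is an added example and is not part of the Check Point courseware or of the product: it appends the three settings to a Bourne-shell profile only if they are not already there, and checks that the package tree the course relies on is in place. It assumes the /opt/CKPfw base directory shown above; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not from the Check Point courseware: set up the FireWall-1
# environment that the CKPfw postinstall message asks for, idempotently, and
# verify the installation tree. Assumes a Bourne-compatible profile and the
# default base directory /opt/CKPfw (override with FW1_BASE).

FW1_BASE="${FW1_BASE:-/opt/CKPfw}"

# Print the three lines the postinstall message asks you to add to .profile.
# $1 is the FireWall-1 base directory. The PATH/MANPATH lines are emitted
# with a literal $FWDIR so that they follow FWDIR if it is ever changed.
fw1_profile_block() {
    printf '%s\n' \
        "FWDIR=$1; export FWDIR" \
        'PATH=$PATH:$FWDIR/bin; export PATH' \
        'MANPATH=$MANPATH:$FWDIR/man; export MANPATH'
}

# Append the block to the profile in $1 only if FWDIR is not already set there.
# Returns 0 if it appended, 1 if the profile already had an FWDIR line.
fw1_profile_append() {
    profile="$1"; base="$2"
    if grep -q '^FWDIR=' "$profile" 2>/dev/null; then
        return 1
    fi
    { printf '\n# FireWall-1 environment (added by fw1_profile_append)\n'
      fw1_profile_block "$base"; } >> "$profile"
    return 0
}

# Verify that the directories the postinstall message refers to ($FWDIR/bin,
# $FWDIR/man) and the configuration directory exist under the base directory.
# Prints each missing path and returns non-zero if anything is missing.
fw1_tree_check() {
    base="$1"; rc=0
    for d in bin conf man; do
        if [ ! -d "$base/$d" ]; then
            echo "missing: $base/$d"
            rc=1
        fi
    done
    return $rc
}

# Usage on the freshly installed host: sh fw1_env.sh --run
if [ "${1:-}" = "--run" ]; then
    if fw1_profile_append "$HOME/.profile" "$FW1_BASE"; then
        echo "profile updated; log in again or run: . $HOME/.profile"
    else
        echo "profile already sets FWDIR; nothing appended"
    fi
    fw1_tree_check "$FW1_BASE" && echo "FireWall-1 tree looks complete at $FW1_BASE"
fi
```

Run it once after pkgadd and once more after any reinstall: the second run reports that the profile already sets FWDIR instead of adding a duplicate block, and the tree check tells you immediately if the package was installed somewhere other than the base directory you expected.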

Installation Configuration on Solaris


After selecting the modules to install, you need to configure FireWall-1. Most of the configuration options require additional information from the installer/administrator. The configuration options are as follows:

   Licenses
   Administrators (name and password)
   GUI Clients (client/server model)
   Remote Modules (client/server model)
   SMTP Security Server
   SNMP Extension
   Groups
   IP Forwarding
   Default filter
   Random Pool
   CA Keys

When you first install FireWall-1, the following configuration screens are a continuation of the initial installation. However, you may modify the configuration at any time after the initial installation by running the FireWall-1 configuration application fwconfig at the command prompt.

Configuring Licenses

To configure licenses, follow these steps:

1. The following screen output appears:
   Do you want to add licenses (y/n)?

2. Type Y and press Enter.

3. Enter the host, string and features exactly as they appear in the license you received. The screen output will resemble the following (the values shown are a sample):
   Host: local host
   String: 363a301a-bf253a41-ablelb65
   Features: ca encryption vpn remote rcc motif connect controlx embedded oseu des ram1 pfmx srunlimit
   Module /etc/fw/modules/fwmod.5.5.1.o was installed
   Do you want to add licenses (y/n)?

4. Type N and press Enter.


Configuring Administrators

To configure the administrators for FireWall-1, follow these steps:

1. The following screen output appears:
   No FireWall-1 Administrators are currently defined for this Management Station.
   Do you want to add users (y/n)?

2. Type Y and press Enter.

3. The following screen output appears:
   User: enter user name

4. Enter the name of the administrator to add.

5. The following screen output appears:
   Permissions ([M]onitor-only,[R]ead-only,[U]sers-edit,read/[W]rite):

6. Type W and press Enter. Read/Write is required to edit and install the Security Policy; an administrator who only needs to watch the logs or the System Status can be given Monitor-only or Read-only instead.

7. The following screen output appears:
   Password: enter password
   Verify Password: repeat password
   User Administrators added successfully

8. Enter the password the administrator will use, then reenter it to verify the password.

9. The following screen output appears:
   Add another one (y/n)?

10. Type N and press Enter.


Configuring GUI Clients

To configure the GUI clients, follow these steps:

1. The following screen output appears:
   GUI clients are trusted hosts from which FireWall-1 Administrators are allowed to log on to this Management Station using Windows/X-Motif GUI.
   Do you want to add GUI clients (y/n)?

2. Type N and press Enter. In the classroom the GUI runs on the Management Station itself, so no remote clients are needed. When administrators later need to connect from other workstations, run fwconfig again and add only those specific hosts: every host listed here is trusted to present an administrator name and password to the Management Station.

Configuring Remote Modules

To configure remote modules, follow these steps:

1. The following screen output appears:
   Remote Modules are Firewall or Inspection Modules that are going to be controlled by this Management Station.
   Do you want to add Remote Modules (y/n)?

2. Type N and press Enter.

Configuring SMTP Server

To configure the SMTP Security Server, follow these steps:

1. The following screen output appears:
   Following are the current values of the SMTP Server configuration:
   timeout: 900
   scan_period: 2
   resend_period: 600
   abandon_time: 432000
   maxrecipients: 50
   rundir:
   postmaster: postmaster
   default_server:
   error_server:
   Would you like to modify the above configuration (y/n)?

2. Type N and press Enter.


Configuring SNMP Extension

To configure the SNMP Extension, follow these steps:

1. The following screen output appears:
   The SNMP daemon enables FireWall-1 to export its status to external network management tools.
   Would you like to activate FireWall-1 SNMP? (y/n)?

2. Type N and press Enter.

Configuring Groups

To configure groups for FireWall-1, follow these steps:

1. The following screen output appears:
   FireWall-1 access and execution permissions.
   Usually, FireWall-1 is given group permission for access and execution. You may now name such a group or instruct the installation procedure to give no group permissions to FireWall-1. In the latter case, only the Super-User will be able to access and execute FireWall-1.
   Please specify group name [<RET> for no group permissions]:

2. Press Enter for no group permissions.

3. The following screen output appears:
   No group permissions will be granted.
   Is this ok (y/n)?

4. Type Y and press Enter.

Configuring IP Forwarding

To configure IP forwarding, follow these steps:

1. The following prompt appears:
   Do you wish to disable IP-Forwarding on boot time (y/n)?

2. Type Y and press Enter. With forwarding disabled at boot, the operating system does not route packets between interfaces on its own; FireWall-1 turns forwarding on only once it is running, so no unfiltered traffic passes through the machine while it is starting.


Configuring Default Filter

To configure the default filter, follow these steps:

1. The following screen output appears:
   Do you wish to modify your /etc/rcS.d boot scripts to allow a default filter to be automatically installed during boot (y/n)?

2. Type Y and press Enter.

3. The following screen output appears:
   Which default filter do you wish to use?
   (1) Allow only traffic necessary for boot
   (2) Drop all traffic
   Enter your selection (1-2):

4. Type 1 and press Enter. The default filter protects the gateway between the moment its interfaces come up and the moment the Security Policy is loaded: option 1 permits only the traffic the host needs to finish booting, while option 2 blocks everything until the policy is installed.

5. The default filter will now be generated.

Auto-Configuring the Certificate Authority Key

To configure the certificate authority key, follow these steps:

1. The following screen output appears:
   You are now asked to perform a short random keystroke session. The random data collected in this session will be used for generating Certificate Authority RSA keys.
   Please enter random text containing at least six different characters. You will see the * symbol after keystrokes that are too fast or too similar to preceding keystrokes. These keystrokes will be ignored.
   Please keep typing until you hear the beep and the bar is full.
   ***********************
   Thank you.

2. Enter random text containing at least six different characters until you hear a beep and the bar displayed on the screen is full. Type irregularly rather than holding down a key: the installer discards keystrokes that are too fast or too similar to the previous ones, and the CA keys generated from this pool are only as unpredictable as the input it collects.

3. A random key will now be generated.


4. The following screen output appears:
   Configuring Entrust PKI...
   FireWall-1 can use certificate management software from Entrust (R) Technologies, Inc.
   Do you want to configure FireWall-1 to work with an Entrust PKI? (y/n)

5. Type N and press Enter.

6. The following screen output appears:
   Configuring CA Keys...
   Do you want to create an FWZ Certificate Authority key? (y/n)

7. Type Y and press Enter.

8. The following screen output appears:
   Do you want to create a SKIP Certificate Authority key? (y/n)

9. Type Y and press Enter.

10. The following screen output appears:
   The installation procedure is now creating an FW Certificate Authority Key for this host. This can take several minutes. Please wait...
   Key created successfully
   The installation procedure is now creating a SKIP Certificate Authority key for this host. This can take several minutes. Please wait...
   Key created successfully.
   In order to complete the installation of FireWall-1 you must reboot the machine.
   After the machine reboots, you can start FireWall-1 by running fwstart
   Do you want to reboot? (y/n)

11. Type Y and press Enter.

12. After the machine reboots, start FireWall-1 by running fwstart.

Installing X/Motif GUI Client


The X/Motif GUI client is a graphical interface that resembles the Windows environment. This allows easier configuration of FireWall-1. However, you can use the command line at any time for the configuration process. You can install the X/Motif GUI with the FireWall-1 installation or as a separate installation. You select what to install at the first screen prompt of the pkgadd utility.

Hardware and Operating System Requirements

Platforms            SunOS; Solaris (except for x86); HP-UX; IBM AIX
Disk Space           15 MB
Memory               16 MB
Network Interface    All interfaces supported by the operating system
Media                CD-ROM
Software             Motif libraries; FireWall-1 Management Module

The FireWall-1 GUI client does not have to reside on the Management Server computer.


Installing X/Motif GUI Client

To install the X/Motif GUI client on Solaris, use the command line utility pkgadd, which transfers the installation files to the Solaris machine. Follow these steps:

1. Become superuser:
   hostname% su
   password: your root password

2. Start the installation process:
   hostname# pkgadd -d directory name

3. For directory name, give the directory where the packages reside, typically /cdrom/fw1_4_0_des/solaris2/.

4. The following screen output appears with a list of packages to install:
   The following packages are available:
   1 AMC       Check Point Account Management Client (sparc) 1.0
   2 CKPagent  Check Point FireWall-1 Load Agent (sparc) 4.0
   3 CKPfw     Check Point FireWall-1 (sparc) 4.0
   4 CKPfwgui  Check Point FireWall-1 GUI (sparc) 4.0
   5 CKPfwmap  FireWall-1 HP OpenView Extension (sparc) 4.0,REV=98.01.26
   Select package(s) you wish to process or all to process all package(s) (default: all).

5. Type 4 to select FireWall-1 GUI and press Enter.

6. The following screen output appears:
   Processing package instance <CKPfwgui> from </cdrom/fw1_4_0_des/solaris2>
   Check Point FireWall-1 GUI (sparc) 4.0
   Copyright 1994-98 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this software package, Check Point assumes no responsibility for errors or omissions. This software package and its features are subject to change without notice.
   The selected base directory </opt/CKPfwgui> must exist before installation is attempted.
   Do you want this directory created now? (y/n)

7. Type Y and press Enter.

8. The following screen output appears:
   Using </opt/CKPfwgui> as the package base directory.
   ## Processing package information.
   ## Processing system information.
   ## Verifying disk space requirements.
   ## Checking for conflicts with packages already installed.
   ## Checking for setuid/setgid programs.
   This package contains scripts which will be executed with super-user permission during the process of installing this package.
   Do you want to continue with the installation of <CKPfwgui>? (y/n)

9. Type Y and press Enter.


10. The following screen output appears: Installing Check Point FireWall-1 GUI as <CKPfwgui> (file list) Installation of <CKPfwgui> was successful.

Uninstalling FireWall-1 Components


You can uninstall one or all components of FireWall-1 on both the Windows NT Server and Solaris platforms. During your initial installation of FireWall-1 components, you may have installed both the FireWall Module and the Management Module on the same workstation. To move the Management Module to another workstation, you must uninstall it (together with the GUI client, if it was installed on the same machine) and install it on the new workstation.

FireWall-1 Windows NT Server Uninstall

To uninstall a FireWall-1 component on a Windows NT Server system, follow these steps: 1. From the Start menu, select Settings, Control Panel and Add/Remove Programs. 2. Select the FireWall-1 component to uninstall (Figure 35).

Figure 35: Windows NT Server Uninstall

3. Click the Add/Remove button to start the uninstall process.


FireWall-1 Solaris Uninstall

To uninstall a FireWall-1 component on a Solaris system, follow these steps:

1. Type:
   cd /opt
   pkgrm component

   component is the name of the package to remove. pkgrm finds the package by its name in the Solaris package database, so the current directory does not matter; pkginfo lists the names of the packages that are installed. Choose the name of the component you wish to remove from the following:

   AMC        Check Point Account Management Client
   CKPagent   Check Point FireWall-1 Load Agent
   CKPfw      Check Point FireWall-1
   CKPfwgui   Check Point FireWall-1 GUI
   CKPfwmap   FireWall-1 HP OpenView Extension

   If you are removing CKPfw from a running firewall, stop FireWall-1 with fwstop first so that its daemons are not running while their files are removed.

2. The following screen output appears:
   The following package is currently installed:
   CKPfwgui   Check Point FireWall-1 GUI (sparc) 4.0
   Do you want to remove this package? (y/n)

3. Type Y and press Enter.

4. The following screen output appears:
   Removing installed package instance <CKPfwgui>
   This package contains scripts which will be executed with super-user permission during the process of removing this package.
   Do you want to continue with the removal of this package? (y/n)

5. Type Y and press Enter.

6. The following screen output appears:
   Verifying package dependencies.
   Processing package information.
   Removing pathnames in class <base>
   Removal of <CKPfwgui> was successful.

7. The X/Motif GUI client has been successfully removed. Repeat steps 1-6 for any other component.

Review
Summary

The FireWall-1 installation process can be accomplished easily on both the Windows NT Server and Solaris platforms. It is best that the system administrator have all the necessary information before starting this process to ensure that the installation goes smoothly. There are many elements to configure during installation. These elements include the following:

   Administrators
   GUI Clients
   Remote modules
   IP forwarding
   Security servers
   SMTP security server
   Certificate Authority key

It is important to know what the minimum system requirements are for FireWall-1 to run on the platform of your choice. This ensures you have the available drive capacity and memory in order to run FireWall-1 properly.

Review Questions

1. What are the minimum system requirements for your FireWall-1 system?

2. Which elements will you need information about before installing FireWall-1?

3. What is the difference between installing FireWall-1 components and the GUI installation?


Unit II Chapter 2: Navigating in FireWall-1


Introduction
There's nothing worse than not knowing how to fully utilize a new piece of software. There are always shortcuts available, if you know how to use them. Learning how to navigate in the FireWall-1 GUI programs using shortcut buttons and menu options will help you find these important shortcuts.

Objectives

   Demonstrate how to log on to FireWall-1's GUI
   List the three FireWall-1 GUI programs
   Describe what happens when multiple FireWall-1 administrators are logged on
   Identify the most frequently used shortcut buttons
   Identify the three display modes of Log Viewer
   Specify selection criteria and save log files
   Identify and define System Status icons
   Assign network objects to display in System Status
   Enable automatic updating of System Status

Key Terms

   Security Policy Editor
   Log Viewer
   System Status
   Security Log
   Accounting Entries
   Active Connections

FireWall-1 GUIs
FireWall-1 has three GUI programs for easy configuration of your security policy and access to information. Administrators are assigned varying access privileges to the GUI programs during installation. An administrator with Read/Write privileges can access all three GUI programs from within any one of the GUIs. This chapter will help you navigate through each of the following GUI programs:

Security Policy Editor   The Security Policy Editor GUI provides you with management tools to add rules and define properties to create your security policy.
Log Viewer               The Log Viewer GUI allows you to view entries in the Log File.
System Status            The System Status GUI presents a high-level view of operation and flow statistics for all firewalled objects.

Logon Information

To access FireWall-1's management features, you must first log on. If multiple administrators log on at the same time, only one administrator will have Read/Write privileges; the others are limited to read-only access for that session. You will need to have the following information available to log on:

User Name         Defined administrator of the firewall
Password          Defined password of the administrator
Firewall server   Management station


Security Policy Editor GUI


A FireWall-1 security policy is defined in terms of firewalls, services, users, resources and the rules that govern the interactions between them. In the Security Policy Editor GUI, you create a rule base and define properties to create your security policy. After logging on to the Security Policy Editor GUI, you can access the Log Viewer and the System Status GUIs through the Window menu.


Windows NT Security Policy Editor Logon

To log onto the Security Policy Editor in Windows NT, follow these steps: 1. Open the Start menu and select Programs and FireWall-1. 2. Select Security Policy and the Login screen appears (Figure 36):

Figure 36: Login Screen (sample entries: User Name fwadmin, Password abc123, FireWall server localhost)

3. Type in the user name, password and FireWall server. 4. Click OK and the Security Policy Editor GUI appears (Figure 37):

Figure 37: Security Policy Editor GUI

If the Log Viewer GUI or System Status GUI is open, you can open the Security Policy Editor GUI from the Window menu.


X/Motif Security Policy Editor Logon

To log on to the Security Policy Editor in Solaris, follow these steps:

1. At the prompt type: cd $FWDIR/bin
2. At the prompt type: ./fwpolicy
3. The Login screen appears (Figure 36 on page 71).
4. Type in the User Name, Password and the name of the Firewall server.
5. Click OK.

Security Policy Editor Toolbar Buttons

The toolbar buttons are shortcuts for menu commands. The actions of the buttons duplicate actions that are available in the menus. Position the pointer over a button for a description of that button's function. The most commonly used commands are available with the use of shortcut buttons (Figure 38 and Table 6):

Figure 38: Security Policy Editor Toolbar Buttons

Table 6: Security Policy Editor Toolbar Buttons Defined
(The toolbar icons shown in the Button column of the printed table are not reproduced here.)

Menu Command                         Description
File>Save                            Save the current Security Policy.
File>Print                           Print the current Security Policy.
File>Print Preview                   Print Preview of the current Security Policy.
File>Refresh                         Refresh the Security Policy from the management server.
Edit>Cut                             Delete the selected rule (or rules) and copy to the clipboard.
Edit>Copy                            Copy the selected rule (or rules) to the clipboard.
Edit>Paste                           Paste the contents of the clipboard.
Manage>Network Objects               Add, remove or edit Network Objects.
Manage>Services                      Add, remove or edit Services.
Manage>Resources                     Add, remove or edit Resources.
Manage>Servers                       Add, remove or edit Servers.
Manage>Users                         Add, remove or edit Users.
Manage>Users on LDAP Account Unit    Add, remove or edit Users on LDAP Account Unit.
Policy>Properties                    Display the Properties Setup screen.
Edit>Add Rule>Bottom                 Add rule at the bottom.
Edit>Add Rule>Top                    Add rule at the top.
Edit>Add Rule>Before                 Add rule before the selected rule.
Edit>Add Rule>After                  Add rule after the selected rule.
Edit>Delete Rule                     Delete selected rule.
Policy>Access Lists                  Display the Router Access Lists Operations screen.
Policy>Verify                        Verify the Security Policy.
Policy>View                          View the Inspection Script.
Policy>Install                       Install the Security Policy on the targets.
Policy>Uninstall                     Remove the Security Policy from the targets.
Help>Help Topics                     Display context sensitive help.

Log Viewer GUI


The Log Viewer GUI allows you to view entries in the log file. Each entry in the log file is a record of an event that, according to the rule base or the properties, is to be logged. In addition, every event which caused an alert, as well as certain important system events (such as a Security Policy being installed or uninstalled on a host), are also logged. The format of log entries requested by a rule is determined by the log type specified in the rule. The management server reads the log file and sends the data to the GUI client for display. The GUI client merely displays the data. The Log Viewer gives you control over which information in the log file is displayed. You can select which log entries and data fields to display. The Log Viewer also allows you to navigate through the log file.

Log Viewer Logon

To log onto the Log Viewer, follow these steps: 1. Open the Start menu and select Programs and FireWall-1. 2. Select Log Viewer and the Login screen appears (Figure 39):

Figure 39: Log Viewer Login Screen (sample entries: User Name fwadmin, Password abc123, management server localhost)

3. Type in the user name, password and the management server to connect to. Log events are sent by one or more FireWall Modules to a log server; one of these FireWall Modules may be running on the log server itself.

4. Click OK.


5. The Log Viewer GUI appears (Figure 40).


Figure 40: Log Viewer GUI

If the Security Policy Editor GUI or System Status GUI is open, you can open Log Viewer GUI from the Window menu.

Data (Column) Fields

You can specify which of the available data fields (columns) to display in the Log Viewer. In addition, you can change the width of columns, and define selection criteria based on the columns. Only entries matching the selection criteria will be displayed. To customize your Log File, choose from the following fields:

Bytes         The number of bytes transferred.
Conn. ID      The connection ID, a fixed number which uniquely identifies each connection (Active Connections only).
Date          The date the event occurred.
Destination   The destination of the communication.
DstKeyID      The KeyID of the destination of an encrypted communication.
Elapsed       The duration of the connection, calculated to the time of the last byte transferred.
Info          Additional information (for example, messages generated during Inspection Code installation) not included in other fields.
Inter.        Hardware interface at which the logged event occurred.
No            Number of the log entry (a sequential number assigned by FireWall-1).
Origin        Name of the host enforcing the rule that caused the logged event.
Port          The source port.
Proto.        The communication protocol used.
Rule          The number of the rule in the rule base that was applied to this packet.
Service       The service (destination port) requested by this communication.
Source        The source of the communication.
SrcKeyID      The KeyID of the source of an encrypted communication.
Start date    The date on which the connection began.
Time          The time of day the event occurred.
Type          Type of action that caused the event to be logged.
User          The user name.
Xlate         Address translation data: source and destination addresses and ports.

Column Menu

Right-click anywhere in a column of the Log Viewer GUI, and the Column menu appears (Figure 41):

Figure 41: Log Viewer Column Menu

The Column menu contains the following options:

Hide        Select to hide a column. To display a column which is hidden, choose Hide/Unhide from the View menu and check the column to display (unhide).
Selection   Select to display only entries of interest in the Log Viewer and to hide other entries. The appropriate Selection Criteria screen for that column will be displayed. Only the log entries that match the selection criteria will be displayed in the Log Viewer.
Find        Select to find a specific record in the Log File based on a value in a specific column. Enter the desired criteria and click OK to move to the specified location.
Width       Select to change the width of a column. Specify the column width in pixels or reset the column's width to its default value.


Log Viewer Modes

You can display one of three different log modes from the toolbar (Figure 42):


Figure 42: Log Viewer Log Modes

To view varied log information, choose from the following log modes:

Security Log         This log shows all security-related events.
Accounting Entries   This log shows accounting entries in addition to the security log. The additional accounting entries include Elapsed, Bytes and Start date.
Active Connections   This log shows connections currently open through any of the firewalled hosts and gateways that are logging to the currently open log file. In addition to the security log, the additional active connections entries include Elapsed, Bytes, Start date and Conn. ID.

Log Viewer Toolbar Buttons

Some of the log viewer toolbar buttons are shortcuts for menu commands. Other buttons have no corresponding menu commands (Figure 43 and Table 7).

Figure 43: Log Viewer Toolbar Buttons

Table 7: Log Viewer Toolbar Buttons Defined
(The toolbar icons shown in the Button column of the printed table are not reproduced here; n/a marks buttons with no menu equivalent.)

Menu                     Definition
File, New                Open a new log file
File, Open               Open an existing log file
File, Save               Save the current log file
File, Print              Print the current log file
File, Print Preview      Print preview the current log file
n/a                      Open the current selection criteria screen
n/a                      Apply the current selection criteria
Edit, Go to Top          Go to the top of the log file
Edit, Go to Bottom       Go to the bottom of the log file
n/a                      Stop retrieving data from the log file
n/a                      Reload data from the log file
View, Online             Toggle the online updating of the log viewer from the log file
Select, Block Intruder   Block a connection
View mode                Choose the view of the Log Viewer: Log, Account and Active

Navigating and Searching

There are several ways to navigate in the Log Viewer. You can scroll through the entries using the scrollbars on the side and bottom of the Log Viewer. You can also use the arrow, Page Up and Page Down keys. From the Edit menu you can navigate to specific areas by selecting from the following options:

Find           To find a record in the Log File based on a value in a specific column.
Go To Top      Select to go to the beginning of the Log File.
Go To Bottom   Select to go to the end of the Log File.

To Find Record by Column

To find a specific record in the Log File based on a value in a specific column, follow these steps:

1. On the Edit menu, select Find and the list of Column Fields appears (Figure 44):

Figure 44: Find Column Fields

2. Select the column with the information you are searching to find. For example, if you select the Date column, the Find Date screen appears (Figure 45):

Figure 45: Find Date Screen

3. Type in the desired criteria and click OK.


4. Repeat these steps for any column and the Find screen for that column appears (Figure 46):

Figure 46: Various Find Screens

To Find Record in All Columns The All Columns option allows you to search for a text string in any specified data column in the Log File. To search for a text string in all the columns, follow these steps: 1. On the Edit menu (Figure 44 on page 79), select Find and All Columns and the Find in all fields screen appears (Figure 47):

Figure 47: Find in all fields Screen

2. In the Pattern field, type the text string for the search. You can specify a regular expression in this field. 3. Select one of the Direction options to specify the desired search direction: Forward (from the current entry), Backward (from the current entry) or From Top. 4. Click OK to go to the specified log entry, which will be highlighted.


To Change Location
To go to the top or bottom of the log file, follow these steps:
1. On the Edit menu (Figure 44 on page 79), select Go To Top or Go To Bottom.
2. Your view is moved to the location you specified.

Displaying Selected Entries

To display only entries of interest in the Log Viewer and hide all others, you specify selection criteria. You can specify as many selection criteria as you want; a log entry is displayed only if it matches all of them. Selection criteria are specified from the Select menu. To specify selection criteria, follow these steps:
1. On the Select menu, select By Columns. The Column Selection menu appears (Figure 48):

Figure 48: Select By Column Menu

2. Select the name of the column for which to define selection criteria. For example, if you select Services, the Services Selection Criteria screen appears (Figure 49):

Figure 49: Service Selection Criteria

3. Select a service from the list of services.
4. Click Add to add it to the list of selected objects. You may also add a service by double-clicking the service name.
5. Click Apply.
6. The prompt shown in Figure 50 appears:

Figure 50: Applying Selection Criteria

If you select Yes, the selection criteria you have just defined are applied to the log view, and any selection criteria you define afterwards are applied automatically without further prompting. If you select No, the prompt in Figure 50 appears again each time you click Apply.


7. Repeat these steps for any other column and the selection criteria screen for that column appears (Figure 51):


Figure 51: Various Selection Criteria Screens

Each time you add an additional Selection Criteria, the view in the log viewer will change to match the selected information. If you wish to apply or change your selection criteria, review the information in the Selection Options on page 84.


Selection Options

When using selection criteria you can specify certain viewing options by following these steps:
1. On the Select menu, select Options and the Options screen appears (Figure 52):

Figure 52: Options Screen

The following fields can be selected:
Apply Selection Criteria: Applies any selection criteria already defined.
Hide Repeating Lines: Hides consecutive entries that are identical except for their date and time, so that a burst of identical events occupies a single line.
Show Null Matches: Displays entries that are neither included nor excluded by the current selection criteria, typically entries that have no value in a column the criteria refer to.
Resolve Address: If checked, shows host and domain names; if not checked, shows IP addresses in numeric form. Resolving makes the Log Viewer issue a reverse DNS query for every logged address, and the name shown is whatever the owner of that address's reverse zone chooses to publish, so leave it unchecked when you need the real address of a suspicious connection.
2. Check Apply Selection Criteria.
3. Click OK to apply the selection criteria.


Viewing/Editing Current Selection Criteria

To view and/or edit the current selection criteria, follow these steps:
1. On the Select menu, select Find and Current to view the list of matching records based on your selection criteria (Figure 53):

Figure 53: Current Selection Criteria Screen (the criteria shown in the figure are in {telnet} and in {le0.all})

2. Any current selection criteria appear in the Show records matching field.
3. You may then perform any of the following functions:
Edit: To edit the current selection criteria.
Delete: To delete a particular selection criterion.
Clear: To clear all selection criteria.
4. Click OK to save your changes. Only log entries matching the criteria in the Current Selection Criteria screen are displayed in the Log Viewer.

Creating and Selecting Selection Criteria

To save your selection criteria in a file to use later, follow these steps:
1. On the Select menu, click New Selection.
2. The New Selection screen appears (Figure 54 on page 86).

Figure 54: New Selection Screen

3. Enter a name for the new selection criteria.
4. Modify the selection criteria as required.
5. On the Select menu, choose Save Selection.
To reuse the selection criteria file, follow these steps:
1. On the Select menu, choose Open Selection.
2. Specify the file name to use. The entries in the Log Viewer will be displayed according to the selection criteria in that file.
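The following Python is an added example, not code from the courseware or from FireWall-1 itself. It models the Log Viewer behaviour described in this section: the Find operation (Edit menu) as a regular-expression search over all columns or selected columns with a direction, and selection criteria (Select menu) where the values chosen within one column are alternatives but every column criterion must hold, plus the Hide Repeating Lines option. The log entries are constructed sample data in the Log Viewer's column order; the column names and the pipe-separated format are assumptions for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence, Set

# Constructed sample entries in Log Viewer column order; not real FireWall-1 output.
SAMPLE_LOG = """\
No.|Date|Time|Inter.|Origin|Type|Action|Service|Source|Destination|Proto.|Rule
1|12Mar1999|10:01:02|le0|fw-a|log|accept|telnet|10.1.1.5|192.168.1.10|tcp|3
2|12Mar1999|10:01:09|le0|fw-a|log|accept|telnet|10.1.1.5|192.168.1.10|tcp|3
3|12Mar1999|10:02:15|le1|fw-a|log|drop|http|172.16.0.7|10.1.1.5|tcp|9
4|12Mar1999|10:02:16|le1|fw-a|alert|drop|http|172.16.0.7|10.1.1.5|tcp|9
5|12Mar1999|10:03:40|le0|fw-a|log|reject|telnet|10.1.1.9|192.168.1.10|tcp|3
"""

Record = Dict[str, str]
Criteria = Dict[str, Set[str]]   # column name -> set of selected values


def parse_log(text: str) -> List[Record]:
    """Split the '|'-separated sample into one dict per log entry."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    return [dict(zip(header, line.split("|"))) for line in lines[1:]]


def matches(rec: Record, criteria: Criteria) -> bool:
    """Select > By Columns semantics: every column criterion must hold (AND across
    columns); within one column any of the selected values is accepted (OR)."""
    return all(rec.get(col) in values for col, values in criteria.items())


def select(records: Sequence[Record], criteria: Criteria,
           hide_repeating: bool = False) -> List[Record]:
    """Return the entries the Log Viewer would display. With hide_repeating, an
    entry identical to the previously displayed one except for No., Date and Time
    is suppressed (Select > Options > Hide Repeating Lines)."""
    shown: List[Record] = []
    prev_key = None
    for rec in records:
        if not matches(rec, criteria):
            continue
        key = tuple((k, v) for k, v in rec.items() if k not in ("No.", "Date", "Time"))
        if hide_repeating and key == prev_key:
            continue
        prev_key = key
        shown.append(rec)
    return shown


def find(records: Sequence[Record], pattern: str, start: int = 0,
         direction: str = "forward",
         columns: Optional[Iterable[str]] = None) -> Optional[int]:
    """Edit > Find: regular-expression search over the given columns (all columns
    when None). direction is 'forward' or 'backward' from index start, or 'top'
    to search the whole list from the beginning. Returns the matching index."""
    rx = re.compile(pattern)
    if direction == "top":
        order = range(len(records))
    elif direction == "forward":
        order = range(start + 1, len(records))
    elif direction == "backward":
        order = range(start - 1, -1, -1)
    else:
        raise ValueError(f"unknown direction {direction!r}")
    cols = None if columns is None else list(columns)
    for i in order:
        fields = records[i].values() if cols is None else (records[i][c] for c in cols)
        if any(rx.search(v) for v in fields):
            return i
    return None


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in select(recs, {"Service": {"telnet"}, "Inter.": {"le0"}}, hide_repeating=True):
        print(r["No."], r["Action"], r["Source"])
```

Selecting Service telnet together with interface le0 shows entries 1, 2 and 5; with Hide Repeating Lines on, entry 2 disappears because it differs from entry 1 only in time. Note that when this same criteria set is saved with Save Selection, Print and Save in the File menu also operate on exactly this filtered set, not on the whole file.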

Log File Management

The File menu allows you to perform the following tasks: Open, New, Purge, Save, Print and Export.

Important: The following statements affect these menu choices:
When you create a new Log File, the current Log File is closed and written to disk with a name that contains the current date and time. Only one log file can be open in the Log Viewer at a time.
When you select Purge, you delete all the entries in the log file, regardless of which entries are selected or displayed. Entries hidden by selection criteria are purged too, so when the log may later be needed as evidence, use New (which closes and keeps the current file) rather than Purge.
When printing or saving, only the log entries that match the selection criteria are printed or saved. You can print all entries displayed in the Log Viewer or all the entries in the file that match the selection criteria. To print to a file or to a printer in ASCII (text) format, select the appropriate options in the Print window.
When saving a log file, the current log entries are written to file. Only the records that match the selection criteria are saved (both the entries that are visible in the window and those that are not visible).


System Status GUI


The System Status GUI presents a high-level view of operation and flow statistics for all firewalled objects. Communication between firewalled objects and the management station is by a proprietary FireWall-1 protocol. The Management Server retrieves the system status information and sends the data to the GUI client for display.

System Status Logon

To log on to the System Status GUI, follow these steps:
1. On the Start menu, select Programs and then FireWall-1.
2. Select System Status and the Login screen appears (Figure 55):

Figure 55: System Status Login Screen (the figure shows the example entries fwadmin, abc123 and localhost in the user name, password and management server fields)

3. Type the user name, password and management server to connect.
4. Click OK.
5. The System Status GUI appears (Figure 56 on page 89).


Figure 56: System Status Screen

If the Security Policy Editor GUI or Log Viewer GUI is open, you can open System Status GUI from the Window menu.

System Status Toolbar Buttons

Some of the toolbar buttons in the System Status screen are shortcuts for menu commands on the View menu (Table 8):

Table 8: System Status Toolbar Buttons Defined
Button   Menu                Definition
(icon)   View, Auto Update   Opens the Update Status screen.
(icon)   n/a                 Updates the status of all objects.
(icon)   View, Alert         Opens the Alert screen.


System Status Update

Before FireWall-1 updates the status display, it broadcasts a status request message to all firewalled objects. For each firewalled object whose status is displayed, the following information is shown:
Date the security policy was installed on the firewalled object
Firewalled object's status
Object's name
Rule base name (the name of the file containing the rule base)
Date and time this object's status was last updated in the System Status View screen, manually or automatically

An object status icon appears for each object to indicate its status (Table 9):

Table 9: System Status Icons
Icon     Object Status Variables
(icon)   Protected; the security policy is installed and the system is being protected.
(icon)   Unprotected; the security policy is not loaded.
(icon)   No response; the firewalled object does not respond to requests from FireWall-1 for status updates.
(icon)   FireWall-1 is unable to resolve this object's IP address.

Only the Protected status tells you a policy is enforced. No response means the status is unknown (the module may be down, unreachable, or behind a rule that blocks the status protocol) and should be investigated like Unprotected.

The following information is also displayed, depending on the object's status:

Icon     Object Status Display
(icon)   Date and time this object's status became effective. If the object is protected, this is the date and time the Security Policy was installed. Otherwise, this is the date and time when FireWall-1 last determined the object's status. For example, if FireWall-1 is unable to resolve the object's IP address, this is the date and time FireWall-1 last tried to do so and failed.
(icon)   Number of packets inspected on this firewalled object.
(icon)   Number of packets dropped or rejected on this firewalled object.
(icon)   Number of packets logged on this firewalled object.


Alerts

Alerts are sent by Firewall Modules to the management server, which sends them in turn to all the GUI client System Status applications connected to the management server at that moment. An alert is therefore only seen by clients that are connected when it arrives; for unattended coverage, also configure a mail, SNMP trap or user-defined alert in the Properties Setup screen. The Alert screen contains the following information:
Play Sound: To play a sound when an alert is received.
Show This Window: To display the Alerts screen when an alert is received.
Clear: To clear alerts, select the alert(s).
Dismiss: To close the Alerts screen.
To set up the Alert screen, follow these steps:
1. On the View menu, select Alert (Figure 57):

Figure 57: System Status View Menu

2. The FW1 Alerts! screen appears (Figure 58):

Figure 58: FW1 Alerts! Screen

3. Check the action you desire on new alerts.
4. Select Dismiss or Clear to return to the System Status screen.

Display Firewalled Objects

To display a firewalled objects status, choose from settings in the Show Status screen. To set up the Show Status screen, follow these steps: 1. On the View menu, select Gateways (Figure 59):

Figure 59: System Status View Menu

2. The Show Status screen appears (Figure 60):

Figure 60: Show Status Screen

3. Select which firewalled objects to display:
Select specific firewalled objects
Select All to display all firewalled objects
Select Clear to display no firewalled objects

4. Click OK to return to System Status screen.


Updating and Changing the Status Display

To immediately update the status of a firewalled object, double-click the object. You can enable or disable automatic updating of the status for specific firewalled objects with the Update Status screen. The Update Status screen contains the following information:
Automatic updating: Click Enabled or Disabled. If Enabled, you can set the number of minutes between automatic updates.
Firewalled objects: Check the firewalled objects you wish to be updated.
To set up the Update Status screen, follow these steps:
1. Select Auto Update from the View menu (Figure 61):

Figure 61: System Status View Menu

2. The Update Status screen appears (Figure 62):

Figure 62: Update Status Screen

3. Check Enabled or Disabled for automatic updating.
4. If you check Enabled, set the number of minutes between updates.
5. Check the firewalled objects to update.
6. Click OK to return to the System Status screen.

Changes to Firewalled Objects

You can specify the actions to be taken when the status of a firewalled object changes in the Options screen. The Options screen contains the following information:
Action on Transition:
Alert: Issue an alert as defined in the Properties Setup screen.
Mail: Send a mail alert as defined in the Properties Setup screen.
SNMP Trap: Issue an SNMP trap as defined in the Properties Setup screen.
User Defined: Issue a User Defined Alert as defined in the Properties Setup screen.
To set up the Options screen, follow these steps:
1. Select Options from the View menu (Figure 63):

Figure 63: System Status View Menu


2. The Options screen appears (Figure 64):


Figure 64: Options Screen

3. Check the actions to be taken when the status of a firewalled object changes. 4. Click OK to return to System Status screen.


Review
Summary
The FireWall-1 logon procedure is simple on both the Windows NT and Solaris platforms. Knowledge and use of the shortcut buttons can add to the efficiency of navigating in each of the following FireWall-1 GUIs:
Security Policy Editor: Provides management tools for adding rules and defining properties to create a security policy.
Log Viewer: Displays the log file consisting of all logged and critical activities on the network.
System Status: Displays the status of all firewalled objects.
In the Security Policy Editor GUI, you create a rule base and define properties to create your security policy. The Log Viewer GUI allows you to view entries in the log file. Each entry in the log file is a record of an event that, according to the rule base or the properties, is to be logged. The Log Viewer gives you control over which information in the log file is displayed by selecting which log entries and data fields to display. When displaying events through the Log Viewer, you can view in any one of three modes: Security Log, Accounting and Active Connections.

The System Status GUI presents a high-level view of operation and flow statistics for all firewalled objects. You can set System Status to report the status of the network objects you specify automatically. For each firewalled object whose status is displayed, the following information is shown:
Date the security policy was installed on the firewalled object
Firewalled object's status
Object's name
Rule base name (for firewalled objects, the name of the file containing the rule base)
Date and time this object's status was last updated in the System Status View screen, manually or automatically


Review Questions

1. What information do you need to log onto FireWall-1?


2. How many administrators can access FireWall-1 with Read/Write privileges at the same time?

3. What are the three GUI programs used in FireWall-1?

4. How do you navigate from one GUI to another?

5. What are the three display modes of the Log Viewer and how is each different?

6. How do you display the list of selection criteria that you have specified in the Log Viewer?

7. What are the three status choices that can be reported on firewalled objects?

8. How is the System Status updated?


Unit II Chapter 3: Management Tools
Introduction
After installing FireWall-1, a configuration process is necessary. This ensures that gateways, intranets and other objects connected to the network are recognized by FireWall-1. These objects, consisting of network objects, services, resources, servers, users and time, become part of the security policy that protects your network. In this chapter, you will learn about creating objects for use in your security policy. To configure these objects, you will learn to use the following management tools:
Network Objects Manager
Services Manager
Resources Manager
Servers Manager
Users Manager
Time Objects Manager

Although you do not have to define all the objects related to your network, it is important that you have an understanding of each. You will define only the objects that are a part of your network. As each rule or object is defined, it becomes an integral part of the security policy. Objects needed for basic configuration are defined in this chapter. More complex objects are defined in later chapters or in the CCSE course.

Objectives

Identify, define and access the management tools
Explain the difference between internal and external management stations
List the common services already defined by FireWall-1

Key Terms

network objects
Network Objects Manager
FWZ
Manual IPSec
SKIP
ISAKMP/Oakley (IKE)
Virtual Local Area Network (VLAN)
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Remote Procedure Call (RPC)
Internet Control Message Protocol (ICMP)
URL Filtering Protocol (UFP)
Content Vectoring Protocol (CVP)
RADIUS
TACACS
AXENT Defender
LDAP Account Units
Uniform Resource Locator (URL)
Uniform Resource Identifier (URI)


Management Tools
Various management tools are provided in FireWall-1 to define the objects that are in contact with the network. Before an object can be included in the rule base, its properties must first be defined. Management tools can be accessed through the Manage menu of the Security Policy Editor.

Accessing Management Tools

To access the management tools, follow these steps:
1. Select Manage from the Security Policy Editor menu bar (Figure 65):

Figure 65: Manage Menu

2. Select from the following management tools: Network Objects, Services, Resources, Servers, Users, Users on account unit, Time and Keys.
3. The corresponding management screen appears. Create a new object to be used in the rule base.

Color Scheme

It is helpful to determine a color scheme before defining the objects to include in your rule base. By assigning the same color to related objects, managing your firewall is made easier. A simple color scheme enables you to quickly identify and select objects, rather than scroll through long lists with little or no distinction between objects. To develop a color scheme for your objects, consider the following categories:
Green: Internal elements
Blue: External elements
Red: Firewalls


Network Objects Manager


Network objects are any elements that come in contact with the network. Before an object is included in the rule base, its properties must first be defined. Defining the entire network to FireWall-1 is not necessary. Only those objects that are used in the rule base need to be defined.

Defining Network Objects

The Network Objects Manager is a tool used to define the following network objects: networks and subnetworks, hosts, gateways and servers (firewalled or not), routers, Internet domains and logical servers. Before an object is included in the rule base, its properties must first be defined. To access the Network Objects Manager, follow these steps:
1. Select Network Objects from the Manage menu (Figure 65 on page 101).
2. The Network Objects Manager appears (Figure 66):

Figure 66: Network Objects Manager with New Menu Options


3. Click New and select the object to manage. There are nine options that allow you to manage your network objects. To configure each network object, select from the following:
Workstation
Network
Domain
Router
Switch
Integrated Firewall
Group
Logical Server
Address Range
The screen options and tabs vary depending on whether FireWall-1 is installed on each object. This is because certain options are not applicable unless the object is a gateway or has FireWall-1 installed.


Workstation Properties Object


The Workstation Properties screen allows you to configure any workstation (or server) that will be in contact with FireWall-1.

General Tab

The General tab for Workstation Properties allows definition of basic information about the workstation. Defining the General tab allows access to the other tabs within the Workstation Properties screen (Figure 67):

Figure 67: Workstation Properties - General Tab

The General tab contains the following information:
Name: The hostname of the workstation.
IP Address: The IP address that identifies this workstation.
Get Address: Retrieves the IP address by resolving the name, which reduces the possibility of entering the address incorrectly. Check the result, since it is only as reliable as the DNS the management station uses.
Comment: Any information that describes this workstation.
Location: Whether this object is managed by this management station. An object that is Internal to one management station should be defined as External on any other management station (Figure 68 on page 105):
Internal: Managed by this management station.
External: Not managed by this management station.


Figure 68: Internal and External Management Stations (the figure shows Management Station #1 with firewalls FW A, FW B and FW C, and Management Station #2 with firewalls FW D, FW E and FW F)

Each circled management station with its associated firewalls is internal to itself and can make rules. Neither management station can make rules for the other management station. For example, Management Station 1 can make rules for A, B and C but cannot make rules for D, E and F since these are external to the management station.

Type: Defines the type of workstation:
Host: A device with a single IP address.
Gateway: A device with multiple IP addresses (one per interface).
Color: Defines the color scheme of the object.
Exportable: Exports this object to SecuRemote clients so that remote users can reach the internal network through it; leave it unchecked for objects remote users have no need to see.
FireWall-1 Installed: Indicates a FireWall-1 module is installed on the workstation.
Version: FireWall-1 version installed on the workstation.
General Tab Setup
To set up the General tab, follow these steps:
1. Define the workstation by completing the information in the fields.
2. Select another tab to continue the Workstation Properties setup or click OK to return to the Network Objects Manager.


Interfaces Tab

The Interfaces tab allows definition and display of interface names, IP addresses and network masks for the workstation (Figure 69):

Figure 69: Workstation Properties - Interfaces Tab

The Interfaces tab contains the following information:
Add: Opens the Interface Properties screen to add an interface.
Edit: Opens the Interface Properties screen to edit an interface.
Remove: Deletes an interface; highlight the interface and click Remove.
Get: Retrieves the necessary information for all interfaces.
Interfaces Tab Setup
To set up the Interfaces tab, follow these steps:
1. Define the interfaces by selecting one of the commands.
2. Select another tab to continue the Workstation Properties setup or click OK to return to the Network Objects Manager.


Interfaces Properties
When you add or edit an interface, the Interface Properties screen appears (Figure 70):

Figure 70: Add Interfaces Properties Screen

The Interface Properties screen contains the following information:
Name: The name of the interface on the host (for example le0).
Net Address: The IP address of the host on this interface.
Net Mask: If the network is a standard class A, B or C network, the net mask does not need to be specified.
Valid Addresses: Which source addresses may legitimately arrive on this interface:
Any: Default selection. No source address is treated as spoofed on this interface, so spoof tracking cannot be applied.
This net: Only packets whose source IP addresses are part of the network connected to this interface are allowed. Used on an internal NIC, mostly for DMZs, and only if there is exactly one network behind the interface.
No security policy!: No security policy is installed on this interface. Used when the security policy is enforced on another interface of this object.
Others: Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's other interfaces. Used on the external NIC once you have identified the internal networks: Others is anything other than the identified networks.


Others +: Like Others, except that packets from the additional group of objects you specify are also allowed. Used on the external NIC for non-standard packet flows, such as with NAT, where a source address that would otherwise count as spoofed must be accepted.
Specific: Packets are allowed only if their source belongs to the group you specify. This is typically a group of network objects.
Spoof tracking: Spoofed packets are always dropped. The action taken in addition is selected from the following options:
None: No additional action is taken.
Log: The spoofing attempt is logged.
Alert: The action specified in the Anti Spoof Alert command field in the Log and Alert tab of the Properties Setup screen is taken.
When anti-spoofing is specified, an implicit anti-spoof rule is generated. This rule comes first in the rule base, even before the properties specified in the Security Policy tab of the Properties Setup screen. Anti-spoofing and its relation to the Interfaces tab is described in Unit III Chapter 2: Administering Security Policy with Rule Base on page 221.
Interface Properties Setup
To set up the Interface Properties screen, follow these steps:
1. Define the interface by completing the information in the fields.
2. Click OK to return to the Interfaces tab.
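The following Python is an added example and not code from the courseware or from FireWall-1. It models the Valid Addresses settings above as the implicit anti-spoof rule that runs before the rule base: This net, Specific, Others and Others + are evaluated per interface against the packet's source address, spoofed packets are always dropped, and the configured spoof-tracking action is returned alongside the verdict. It also applies the classful default when Net Mask is left blank, as the page says is allowed for standard class A, B and C networks. The three-interface gateway (external le0 using Others + with one extra address, internal le1 and DMZ le2 using This net) is a constructed topology, and the interface and option names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


def classful_network(addr: str, mask: Optional[str] = None) -> IPNet:
    """Network containing addr. With no net mask, apply the classful default
    (A/B/C), which is what leaving Net Mask blank means on the page."""
    ip = ipaddress.IPv4Address(addr)
    if mask is None:
        first_octet = int(ip) >> 24
        if first_octet < 128:
            mask = "255.0.0.0"
        elif first_octet < 192:
            mask = "255.255.0.0"
        elif first_octet < 224:
            mask = "255.255.255.0"
        else:
            raise ValueError(f"{addr}: no classful default for class D/E")
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass
class Interface:
    name: str
    net_address: str
    net_mask: Optional[str] = None
    valid: str = "any"            # any | this_net | no_policy | others | others_plus | specific
    group: List[IPNet] = field(default_factory=list)   # the group for specific / others_plus
    spoof_tracking: str = "none"  # none | log | alert

    def this_net(self) -> IPNet:
        return classful_network(self.net_address, self.net_mask)


def declared_valid_nets(iface: Interface) -> List[IPNet]:
    """Networks an interface declares as legitimate sources; these are what
    Others excludes on the remaining interfaces."""
    if iface.valid == "this_net":
        return [iface.this_net()]
    if iface.valid == "specific":
        return list(iface.group)
    return []


def source_is_valid(iface: Interface, all_ifaces: List[Interface], src: str) -> bool:
    ip = ipaddress.IPv4Address(src)
    if iface.valid in ("any", "no_policy"):
        return True                         # nothing is considered spoofed here
    if iface.valid == "this_net":
        return ip in iface.this_net()
    if iface.valid == "specific":
        return any(ip in n for n in iface.group)
    # others / others_plus: reject sources that belong to another interface's range
    if iface.valid == "others_plus" and any(ip in n for n in iface.group):
        return True                         # the + group is allowed regardless
    claimed_elsewhere = any(ip in n for o in all_ifaces if o is not iface
                            for n in declared_valid_nets(o))
    return not claimed_elsewhere


def inspect(iface: Interface, all_ifaces: List[Interface], src: str) -> Tuple[str, str]:
    """The implicit anti-spoof rule that precedes the rule base. Returns
    (verdict, tracking): spoofed packets are always dropped with the configured
    spoof-tracking action; valid packets continue to the rule base."""
    if source_is_valid(iface, all_ifaces, src):
        return ("pass", "none")
    return ("drop", iface.spoof_tracking)


# Constructed gateway with three interfaces (hypothetical topology, not from the page).
LE0 = Interface("le0", "203.0.113.2", None, "others_plus",
                [ipaddress.IPv4Network("192.168.1.200/32")], "log")          # external
LE1 = Interface("le1", "192.168.1.1", "255.255.255.0", "this_net", [], "alert")  # internal
LE2 = Interface("le2", "10.10.10.1", "255.255.255.0", "this_net", [], "log")     # DMZ
GATEWAY = [LE0, LE1, LE2]

if __name__ == "__main__":
    for iface, src in ((LE0, "192.168.1.5"), (LE0, "198.51.100.7"), (LE1, "10.10.10.3")):
        print(iface.name, src, inspect(iface, GATEWAY, src))
```

A packet claiming the internal source 192.168.1.5 on the external interface is dropped and logged; the same source on le1 passes; the single address in the + group passes on le0 even though it lies inside le1's range, which is the NAT case the page mentions. Notice that Others depends entirely on the other interfaces being declared accurately: an internal interface left at Any contributes nothing to the exclusion list, and its addresses are then accepted from outside.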

Authentication Tab

The Authentication tab is defined in Unit IV Chapter 1: Authentication on page 235.

Encryption Tab

The Encryption tab of the Workstation Properties specifies encryption parameters for network objects (Figure 71 on page 109). For a gateway to perform encryption, the encryption domain must first be defined. The gateway can then conduct encrypted sessions on network objects in the encryption domain. This only applies to workstations or gateways with FireWall-1 installed on them.


Figure 71: Workstation Properties - Encryption Tab

The Encryption tab contains the following information:
Encryption Domain: The network objects on whose behalf this gateway encrypts; Disabled is the default setting. If all gateway interfaces have been defined in the Interfaces tab of the gateway's Workstation Properties screen, then Valid Addresses can be selected as the encryption domain.
Encryption Methods Defined: The encryption method used for the selected domain.
Encryption Methods: An encryption method consists of the following elements:
An encryption algorithm for encrypting messages
An authentication algorithm for ensuring integrity, that is, that messages have not been tampered with
A key management protocol for generating and exchanging keys


Encryption Schemes
FireWall-1 supports the following encryption schemes: FWZ, IPSec, SKIP and ISAKMP/Oakley (IKE).
FWZ
FWZ is a FireWall-1 proprietary symmetric encryption scheme. FWZ manages key encryption automatically, including updating public keys. FWZ encryption does the following:
Encrypts all data behind the IP and TCP headers, using in-place encryption (the headers themselves stay in the clear)
Uses a reliable-data protocol to manage VPN session keys, encryption methods and data integrity


Obtains certified Diffie-Hellman public keys from a trusted certificate authority
Supports the FWZ-1, DES and Triple DES algorithms, using a 40-bit encryption key that is exportable outside the United States
Uses the FWZ scheme to authenticate passwords

Manual IPSec
IPSec is an encryption and authentication scheme. A security association is associated with each packet, consisting of:
Functionality: Indicates whether the packet is encrypted, authenticated or both
Algorithms: Specifies the encryption algorithm and authentication algorithm used in the packet
Keys: The keys used in the above algorithms
Additional data

Manual IPSec has two shortcomings: the keys are fixed for the duration of the connection, and there is no mechanism for exchanging keys, so they must be configured by hand on both gateways and a key that leaks exposes every packet ever protected with it.

SKIP
SKIP overcomes the shortcomings of manual IPSec by providing a hierarchy of keys that change over time. This is used to encrypt the connection as well as to implement a key protocol.
ISAKMP/Oakley (IKE)
ISAKMP/Oakley, also known as Internet Key Exchange (IKE), is a standard for negotiating Security Associations (SA) between two hosts that will be using IPSec, and is the key management scheme that was chosen for IP Version 6. In IP Version 4, ISAKMP/Oakley is optional. ISAKMP/Oakley offers improved authentication (HMAC) and Perfect Forward Secrecy (PFS): each session key comes from a fresh Diffie-Hellman exchange whose ephemeral values are discarded afterwards, so compromise of a long-term key does not expose earlier sessions.
Encryption Tab Setup
To set up the Encryption tab, follow these steps:
1. Define the encryption settings by completing the information in the fields.
2. Choose another tab to continue the Workstation Properties setup or click OK to return to the Network Objects Manager.

NAT Tab

To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.

SNMP Tab

To configure the SNMP tab, see SNMP Tab on page 124.


Network Properties Object


The Network Properties screen allows you to configure any network that will be in contact with FireWall-1.

General Tab

The General tab for the Network Properties allows definition of basic information about the network (Figure 72):


Figure 72: Network Properties - General Tab

The General tab contains the following information:
Name: The user-defined name of the network object.
IP Address: The network address, that is, the IP address with the host portion set to zero (for example 192.168.1.0 for a class C network).
Net Mask: If this is a standard Class A, B or C network, this field does not apply. If non-standard (a subnetted or supernetted network), enter the net mask in this field.
Comment: Any information that describes this network.
Color: Defines the color scheme of the object.
Location: A network that is Internal to this management station should be defined as External on other management stations.
Internal: Protected by the firewall.
External: Outside the firewall.
Broadcast: Allowed/Disallowed. Specifies whether the network's broadcast address is considered part of the network.


General Tab Setup
To set up the General tab, follow these steps:
1. Define the network by completing the information in the fields.
2. Select another tab to continue the Network Properties setup or click OK to return to the Network Objects Manager.

NAT Tab

To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.


Domain Properties Object


When a domain object is used in a rule's Source or Destination, the FireWall-1 Inspection Module must determine whether the packet's IP address belongs to the domain by reverse resolving the address. FireWall-1 then confirms the reverse resolution by resolving the resulting domain name and checking that the address is returned (Figure 73):

Figure 73: Defining Domains (the figure shows workstations in several domains whose addresses are resolved against the domain definition)

Using Domain Objects in a Rule

The first time a rule containing a domain object is applied to a specific IP address, there is a slight delay while the Inspection Module reverse resolves the IP address. The result is then stored in a local cache, so the delay occurs only once per IP address per rule. To minimize these delays, rules containing domain objects should be positioned as far down as possible in the rule base, so that most traffic is matched by earlier rules without any DNS lookup. The forward confirmation is what makes the check meaningful: the owner of an address block controls its reverse (PTR) records and can put any domain name there, but cannot make that domain's own forward zone answer with the address unless they also control that zone.
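The following Python is an added example, not code from the courseware or from FireWall-1, showing the membership test just described: reverse-resolve the address, check that the name falls under the domain object (whose name starts with a period, as on the Domain Properties General tab), confirm by forward-resolving the name back to the same address, and cache the result per address. Real DNS is replaced by two constructed lookup tables, including an address whose PTR record claims the domain but whose forward record does not agree.

```python
from typing import Dict, List

# Constructed DNS data standing in for real reverse (PTR) and forward (A) lookups.
REVERSE: Dict[str, str] = {
    "192.0.2.10": "www.checkpoint.com",    # PTR and A record agree
    "192.0.2.11": "mail.checkpoint.com",   # PTR claims the domain; A record points elsewhere
    "192.0.2.50": "notcheckpoint.com",     # similar suffix, but a different domain
    "198.51.100.5": "host.example.net",
}
FORWARD: Dict[str, List[str]] = {
    "www.checkpoint.com": ["192.0.2.10"],
    "mail.checkpoint.com": ["192.0.2.99"],
    "notcheckpoint.com": ["192.0.2.50"],
    "host.example.net": ["198.51.100.5"],
}


class DomainObject:
    """Membership test for a domain object used in a rule's Source or Destination:
    reverse-resolve the address, check the name lies under the domain, then confirm
    by forward-resolving that name back to the same address. Results are cached per
    address, as the Inspection Module does, so DNS is consulted once per address."""

    def __init__(self, name: str, reverse: Dict[str, str], forward: Dict[str, List[str]]):
        if not name.startswith("."):
            raise ValueError("domain object names start with a period, e.g. .checkpoint.com")
        self.domain = name.lower()
        self.reverse = reverse
        self.forward = forward
        self.cache: Dict[str, bool] = {}
        self.lookups = 0          # how many addresses needed a DNS round trip

    def in_domain(self, hostname: str) -> bool:
        # The leading period in the object name makes this a label-boundary match,
        # so "notcheckpoint.com" does not satisfy ".checkpoint.com".
        return hostname.lower().endswith(self.domain)

    def matches(self, ip: str) -> bool:
        if ip in self.cache:
            return self.cache[ip]
        self.lookups += 1
        hostname = self.reverse.get(ip)
        result = False
        if hostname is not None and self.in_domain(hostname):
            # Forward confirmation: the domain's own zone must return this address.
            result = ip in self.forward.get(hostname, [])
        self.cache[ip] = result
        return result


if __name__ == "__main__":
    obj = DomainObject(".checkpoint.com", REVERSE, FORWARD)
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.50", "203.0.113.9"):
        print(ip, obj.matches(ip))
```

Only 192.0.2.10 is accepted: 192.0.2.11 fails the forward confirmation, 192.0.2.50 fails the label-boundary check, and an address with no PTR record is never a member. The lookup counter shows why the page advises placing such rules low in the rule base: every new address costs a DNS exchange on the first packet.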


General Tab

The General tab for Domain Properties allows definition of basic information about the domain (Figure 74):

Figure 74: Domain Properties - General Tab

The General tab contains the following information:
Name: Enter an Internet or intranet domain name. In Figure 74, the domain name is .checkpoint.com and starts with a period ( . ).
Comment: Any information that describes this domain.
Color: Defines the color scheme of the object.
General Tab Setup
To set up the General tab, follow these steps:
1. Define the domain by completing the information in the fields.
2. Click OK to complete the Domain Properties setup and return to the Network Objects Manager.


Router Properties Object


Configuring router properties allows administrators to implement a security policy using access lists on routers such as 3Com, CISCO and Bay Networks. The FireWall-1 Management Module can use a FireWall Module loaded on the router. To specify a router, check the Type field in the General tab of the Router Properties screen.

General Tab

The General tab for Router Properties allows definition of basic information about the router. Defining the General tab allows access to the other tabs (Figure 75):


Figure 75: Router Properties - General Tab

The General tab contains the following information:

Name - The name of the router.
IP Address - The IP address that identifies this router.
Get Address - Retrieves the IP address. Reduces the possibility of entering the address incorrectly.
Type - Select the router from the drop-down menu.
Comment - Any information that describes this router.
Color - Defines the color scheme of the object.
Location - Internal objects on the management station appear as external to other management stations.
  Internal - Managed by the management station.
  External - Not managed by the management station.
FireWall-1 Installed - Indicates a FireWall-1 module installed on the router.


General Tab Setup

To set up the General tab, follow these steps:

1. Define the router by completing the information in the fields.
2. Select another tab to continue the Router Properties setup or click OK to return to the Network Objects Manager.

Interfaces Tab

The Interfaces tab allows definition and display of interface names, IP addresses and network masks for the router (Figure 76):

Figure 76: Router Properties - Interfaces Tab

The Interfaces tab contains the following information:

Add - Allows access to the Interface Properties screen to add an interface.
Edit - Allows access to the Interface Properties screen to edit an interface.
Remove - Delete an interface by highlighting an interface and clicking Remove.
Get - Retrieves necessary information for all interfaces.

Interfaces Tab Setup

To set up the Interfaces tab, follow these steps:

1. Define the interfaces by selecting one of the commands.
2. Select another tab to continue the Router Properties setup or click OK to return to the Network Objects Manager.


Interfaces Properties

When you add or edit an interface, the Interface Properties screen appears (Figure 77):


Figure 77: Add Interfaces Properties Screen

This Interfaces Properties screen contains the following information:

Name - The interface associated with the host name.
Net Address - The IP address of the host.
Net Mask - If the network is a standard class A, B, or C network, the Net Mask does not need to be specified.
Valid Addresses:
  Any - Default selection. Does not allow spoof tracking.
  This net - Packets are allowed whose source IP addresses are part of the network connected to this interface. Used on the internal NIC, mostly for DMZs, and only if there is one network.
  No security policy! - No security policy is installed on this interface. Used when the security policy is enforced on another interface of this object.
  Others - Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's interfaces. Used on the external NIC when you have identified the network and Others is anything other than the identified network.


  Others + - Used to allow traffic for non-standard packet flow such as with NAT. Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's interfaces. Used on the external NIC when you have identified the network and Others+ is anything other than the identified network.
  Specific - Packets are allowed only from this group. This is typically a group of network objects.
Spoof tracking - Spoofed packets are always dropped. Specific action is taken by selecting one of the following options:
  None - No additional action is taken.
  Log - The spoofing attempt is logged.
  Alert - The action specified in the Anti Spoof Alert command field in the Log and Alert tab of the Properties Setup screen is taken.

Anti-spoofing and its relation to the Interfaces tab is defined in Unit III Chapter 2: Administering Security Policy with Rule Base on page 221. When anti-spoofing is specified, an implicit anti-spoof rule is generated, which comes first in the rule base, even before properties specified in the Security Policy tab of the Properties Setup screen.

Interface Properties Setup

To set up the Interface Properties screen, follow these steps:

1. Define the interface by completing the information in the fields.
2. Click OK to return to the Interfaces tab.
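The Valid Addresses and Spoof tracking settings above, worked through as an added example (not the product's own code): a constructed three-interface gateway decides per interface whether a source address is legitimate and what tracking a spoofed packet gets. The interface names, networks and the rule that only "This net" and "Specific" interfaces contribute networks to the "Others" check are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Network = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    network: Network                 # network directly connected to this interface
    valid: str                       # "any" | "this_net" | "others" | "others_plus" | "specific"
    extra: List[Network] = field(default_factory=list)  # Others+ additions or the Specific group
    spoof_tracking: str = "none"     # "none" | "log" | "alert"


def claimed_networks(iface: Interface) -> List[Network]:
    """Networks an interface explicitly claims as its valid addresses (assumption: only
    'This net' and 'Specific' make a positive claim; 'Any' and 'Others' do not)."""
    if iface.valid == "this_net":
        return [iface.network]
    if iface.valid == "specific":
        return list(iface.extra)
    return []


def is_valid_source(src: str, iface: Interface, all_ifaces: List[Interface]) -> bool:
    ip = ipaddress.ip_address(src)
    if iface.valid == "any":
        return True                                   # no spoof tracking at all
    if iface.valid == "this_net":
        return ip in iface.network
    if iface.valid == "specific":
        return any(ip in n for n in iface.extra)
    # Others / Others+: accept unless the address belongs behind another interface
    if iface.valid == "others_plus" and any(ip in n for n in iface.extra):
        return True                                   # addresses NAT legitimately brings here
    for other in all_ifaces:
        if other is not iface and any(ip in n for n in claimed_networks(other)):
            return False
    return True


def inspect(src: str, iface: Interface, all_ifaces: List[Interface]) -> Tuple[str, Optional[str]]:
    """Returns (verdict, tracking). Spoofed packets are always dropped; the tracking
    value follows the interface's Spoof tracking setting (None, Log or Alert)."""
    if is_valid_source(src, iface, all_ifaces):
        return ("accept", None)
    return ("drop", None if iface.spoof_tracking == "none" else iface.spoof_tracking)


# Constructed three-interface gateway (assumption): le0 external, le1 internal, le2 DMZ
LE0 = Interface("le0", Network("203.0.113.0/24"), "others", spoof_tracking="alert")
LE1 = Interface("le1", Network("10.1.0.0/16"), "this_net", spoof_tracking="log")
LE2 = Interface("le2", Network("192.168.5.0/24"), "specific", [Network("192.168.5.0/24")], "log")
GATEWAY = [LE0, LE1, LE2]
```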

NAT Tab

To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.

SNMP Tab

To configure the SNMP tab, see SNMP Tab on page 124.


Setup Tab

In the case of access lists and filters, the Setup tab allows for the entry of parameters like router manager IDs and passwords. The Setup tab contains various information depending on the router selected (Figure 78):

Figure 78 shows the Setup tab for CISCO, Bay Networks, 3Com and Steelhead routers; the information in the Setup screen varies depending on the router selected.

Figure 78: Router Properties - Setup Tab

Setup Tab Setup

To complete the Setup tab, follow these steps:

1. Define the parameters by completing the information in the fields.
2. Choose another tab to continue the Router Properties setup or click OK to return to the Network Objects Manager.


Switch Properties Object


Switch Properties allow setup for Xylan packet switch equipment so that the FireWall-1 Control Module can implement the Security Policy on a FireWall-1 module loaded into the switch. The option for FireWall-1 must be checked on the General tab. Xylan and other brands of switches (such as Nokia's Ipsilon IP Switch Gateway) that do not have the FireWall-1 module loaded can be set up as regular multi-interface objects.

General Tab

The General tab allows you to define general information about the switch object that is installed. Completing the information in the General tab allows access to the other tabs (Figure 79):

Figure 79: Switch Properties - General Tab

The General tab contains the following information:

Name - The name of the switch.
IP Address - The IP address that identifies this switch.
Get address - Retrieves the IP address. Reduces the possibility of entering the address incorrectly.
Comment - Any information that describes this switch.
Type - Select the type of switch.
Color - Defines the color scheme of the object.
Location - Internal objects on the management station appear as external to other management stations:
  Internal - Managed by the management station.
  External - Not managed by the management station.
FireWall-1 Installed - Indicates a FireWall-1 module installed on the switch.


General Tab Setup

To set up the General tab, follow these steps:

1. Define the switch by completing the information in the fields.
2. Choose another tab to continue the Switch Properties setup or click OK to return to the Network Objects Manager.

Interfaces Tab

To configure the Interfaces tab, see Interfaces Tab on page 106.

NAT Tab

To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.

SNMP Tab

To configure the SNMP tab, see SNMP Tab on page 124.

VLANs Tab

The VLANs tab allows you to configure and display the properties of the Virtual Local Area Network (VLAN) associated with a switch (Figure 80):

Figure 80: Switch Properties - VLANs Tab

The VLANs tab contains the following information:

Add - Click Add and the Interface Properties screen appears.
Edit - Click Edit to edit existing interfaces and the Interface Properties screen appears.
Remove - Highlight an interface and click Remove.
SNMP Get - Click to retrieve necessary information for all interfaces.

VLANs Tab Setup

To set up the VLANs tab, follow these steps:

1. Define the VLAN by selecting one of the commands.
2. Choose another tab to continue the Switch Properties setup or click OK to return to the Network Objects Manager.

Setup Tab

The Setup tab for switch properties contains the External Interface and License Type (Figure 81):


Figure 81: Switch Properties - Setup Tab

The Setup tab contains the following information:

External Interface - Name of the external interface.
License Type - Pull-down list of license type (number of users allowed per license).

Setup Tab Setup

To complete the Setup tab, follow these steps:

1. Define the switch properties by completing the information in the fields.
2. Choose another tab to continue the Switch Properties setup or click OK to return to the Network Objects Manager.


Integrated Firewall Properties Object


With the Integrated Firewall Properties, OPSEC-compliant components such as Cisco PIX and TimeStep can be integrated with FireWall-1, providing for the integration of alternative security configurations.

General Tab

The General tab for the Integrated FireWall Properties allows definition of basic information about the firewall (Figure 82):


Figure 82: Integrated Firewall Properties - General Tab

The General tab contains the following information:

Name - The name of the integrated firewall.
IP Address - The address that uniquely defines this interface.
Get Address - Retrieves the IP address. Reduces the possibility of entering the address incorrectly.
Comment - Any information that describes this integrated firewall.
Type - Choose between TimeStep PermitGate and CISCO PIX Firewall.
Color - Defines the color scheme of the object.
Location - Internal objects on the management station appear as external to other management stations:
  Internal - Managed by the management station.
  External - Not managed by the management station.
FireWall-1 Installed - Indicates a FireWall-1 module installed on the integrated firewall.


General Tab Setup

To set up the General tab, follow these steps:

1. Define the integrated firewall by completing the information in the fields.
2. Choose another tab to continue the Integrated FireWall Properties setup or click OK to return to the Network Objects Manager.

Interfaces Tab

To configure the Interfaces tab, see Interfaces Tab on page 106.

SNMP Tab

The SNMP tab enables you to retrieve or set SNMP information for the integrated firewall (Figure 83):

Figure 83: Integrated Firewall Properties - SNMP Tab

The SNMP tab contains the following information:

sysName - The object's name.
sysLocation - The object's location.
sysContact - The name of a contact person.
Get - Retrieves necessary information about this network object.
Set - Sets the object's properties to those shown in this window.
Read Community - The community with read permission for this object.
Write Community - The community with write permission for this object.


SNMP Tab Setup

To set up the SNMP tab, follow these steps:

1. Define the integrated firewall by completing the information in the fields.
2. Select another tab to continue the Integrated Firewall Properties setup or click OK to return to the Network Objects Manager.

NAT Tab

To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.

Setup-A Tab for Cisco PIX

The Setup tabs of the Integrated Firewall Properties screens contain fields that are specific to the type of Firewall you selected on the General tab (Figure 84):

Figure 84: Integrated Firewall Properties - Setup-A Tab

The Setup-A tab contains the following information:

Inside Addresses - The networks for which the PIX Integrated FireWall performs address translation.
Xlate Timeout - The time after which a PIX address translation slot times out and a global address is returned to the available pool.
Conn Timeout - The period after which a PIX connection slot times out.
Enable Password - The password required to modify PIX settings.
PIX Password - The password required to enable communication between the Management Server and the PIX Integrated FireWall.
Version - The drop-down list that displays the PIX version.


Authentication:
  Server - Drop-down list of authentication servers previously defined.
  Enable Outbound Authentication - Sets the option to request authentication for outbound connections.
  Enable Inbound Authentication - Sets the option to request authentication for inbound connections.
  Shared Secret - Specifies the public key to encrypt communication between PIX and the authentication server.
  Type - Specifies an authentication scheme: RADIUS or TACACS.

Setup-B Tab for Cisco PIX

For Cisco PIX integrated firewalls, a second tab appears (Figure 85):

Figure 85: Integrated FireWall Properties - Setup-B Tab

The Setup-B tab contains the following information:

RIP Inside - Defines RIP settings on the PIX inside interface.
  Default: Sets the broadcast for a default route to the inside network.
  Passive: Enables passive RIP.
RIP Outside - Defines RIP settings for the PIX outside interface.
  Default: Sets the broadcast for a default route to the outside network.
  Passive: Enables passive RIP.


Failover - Defines the PIX failover feature in which a secondary PIX firewall takes over connections if the primary PIX fails.
Private Link Key Duration - Sets the interval in minutes in which PIX Private Link keys are changed.
Private Link Connections - Lists the remote PIX units with which you want to establish PIX Private Link communications. Connections between the local PIX blackbox and the remote PIX blackbox will be encrypted.
  New: Adds a remote PIX.
  Edit: Opens the encryption properties of the remote Integrated FireWall.
  Remove: Removes a selected remote PIX.

Setup Tab for TimeStep

When you select TimeStep on the General tab, the following setup screen appears (Figure 86):

Figure 86: Integrated FireWall Properties - Setup Tab

The TimeStep Setup screen contains the following information:

External Interface - Name of the external interface.
License Type - Pull-down list of license type (number of users allowed per license).

Setup Tab Setup

To complete the Setup tab, follow these steps:

1. Complete the information in the fields.
2. Select another tab to continue the Integrated Firewall Properties setup or click OK to return to the Network Objects Manager.


Group Properties Object


Group properties allow the grouping of network objects into a named entity. This is done to ease administration of the rule base, allowing the named group to be inserted into one or more rules easily (Figure 87):

Figure 87: Group Properties Screen

The Group Properties screen contains the following information:

Name - A defined group.
Comment - Any information that describes this group.
Color - Defines the color scheme of the object.
Not in Group - Selects the objects to include in the group.
Add - Adds the selected object to the group.
Remove - Removes a selected object from the group.

Group Properties Setup

To set up the Group Properties, follow these steps:

1. Define the group by completing the information in the fields.
2. Click OK to save the Group Properties setup and return to the Network Objects Manager.


Logical Server Object


The Logical Server network object screen is defined in the CCSE course.


Address Range Properties Object


An address range is a group of contiguous IP addresses in a named entity. FireWall-1 administrators use address ranges to ease administration: a named range can be inserted into one or more rules, or used to limit or eliminate rules. An address range is different from a network object. A network object refers to a whole network, such as 138.210.111.0. An address range object can represent as few as two addresses, since the starting and ending addresses are entered on the General tab.

General Tab

Address Range Properties is a range of IP addresses used in hide mode IP translation (Figure 88):

Figure 88: Address Range Properties - General Tab

The General tab contains the following information:

Name - The name of the range.
First IP Address - First IP Address in the range.
Last IP Address - Last IP Address in the range.
Comment - Any information that describes this address range.
Color - Defines the color scheme of the object.


General Tab Setup

To set up the General tab, follow these steps:

1. Define the address range by completing the information in the fields.
2. Select another tab to continue the Address Range Properties setup or click OK to return to the Network Objects Manager.

NAT Tab

To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.


Lab 1: Defining Network Objects


Objective: In this lab, you will define network objects, using the Workstation Properties screen. You will need to replace machine names with respect to your table/site number, and lab setup information as found in the Introduction to CCSA.

Define gateways

Define the following firewalled gateways. Color all brick-red:

fw.detroit.com   204.32.38.101
fw.chicago.com   204.32.38.102
fw.london.com    204.32.38.103
fw.newyork.com   204.32.38.104
fw.paris.com     204.32.38.105
fw.tokyo.com     204.32.38.106
fw.moscow.com    204.32.38.107
fw.berlin.com    204.32.38.108

Define Web hosts

Define the following Web servers. Color yours green, others blue:

www.detroit.com   192.168.1.1
www.chicago.com   192.168.2.1
www.london.com    192.168.3.1
www.newyork.com   192.168.4.1
www.paris.com     192.168.5.1
www.tokyo.com     192.168.6.1
www.moscow.com    192.168.7.1
www.berlin.com    192.168.8.1

Define mail hosts

Define the following e-mail servers. Color yours green, others blue:

email.detroit.com   192.168.1.1
email.chicago.com   192.168.2.1
email.london.com    192.168.3.1
email.newyork.com   192.168.4.1
email.paris.com     192.168.5.1
email.tokyo.com     192.168.6.1
email.moscow.com    192.168.7.1
email.berlin.com    192.168.8.1


Define networks

Define the following local networks. Color yours green, others blue:

net-detroit   192.168.1.0
net-chicago   192.168.2.0
net-london    192.168.3.0
net-newyork   192.168.4.0
net-paris     192.168.5.0
net-tokyo     192.168.6.0
net-moscow    192.168.7.0
net-berlin    192.168.8.0


Services Manager
FireWall-1 controls access to hosts and networks not only based on the source and destination addresses, but also according to the service requested or used in each packet of data.

Service Object Setup

Before you can use a service in a rule base, you must define its properties. To set up Services, follow these steps:

1. Select Services from the Manage menu (Figure 89):

Figure 89: Manage Menu

2. The Services screen appears (Figure 90):

Figure 90: Services Screen with New Menu

3. Click New and select the service to define from the menu.


Allowed Services

You can set up the following types of services:

TCP
UDP
RPC
ICMP
Other
Group
Port Range

TCP

Transmission Control Protocol (TCP) allows hosts to send and receive streams of data. TCP guarantees that data sent from one side will be received at the other side without loss or corruption. The majority of Internet services are built on top of TCP.


Figure 91: TCP Service Properties Screen

The TCP Service Properties screen contains the following information (Figure 91):

Name - The name in the services file enables FireWall-1 to retrieve the port number automatically. If Network Information Service (NIS) is used on the system, FireWall-1 will consult the NIS services file. (NIS is a service under UNIX that sends configuration information automatically across the network.) The following are the Windows NT and Solaris services files:
  NT: c:\winnt\system32\drivers\etc\services
  Solaris: /etc/services


Comment - Any information that describes this service.
Color - Defines the color scheme of the object.
Port (Get) - The number of the port used to provide this service. If the Port Number is omitted, FireWall-1 will attempt to resolve the Port Number (based on the service's name) when the rule base is installed. If resolution fails, an error message is issued and installation will fail.
Source port range - Only packets with source ports in the range will be considered to belong to this service.
Protocol Type - Specifies which type of resource can be associated with this service.
Fast Mode - If Fast Mode is enabled for a service, packets belonging to this service and established connections will be accepted without further inspection. In most cases you will want to select Fast Mode.

UDP

User Datagram Protocol (UDP) is primarily used for protocols where performance is more important than getting all of the packets. For example, audio stream protocols usually use UDP because they can stand to lose a few packets. They cannot, however, stand the retransmissions of lost packets that take time.

Figure 92: UDP Service Properties

The UDP Service Properties screen contains the following information (Figure 92):

Name - The name assigned here should be identical to the server service name as it appears in the services file. If Network Information Service (NIS) is used, FireWall-1 will automatically retrieve the information from the NIS.
Comment - Any information that describes this service.


Color - Defines the color scheme of the object.
Port (Get) - The port number used to provide this service. If the Port Number is omitted, FireWall-1 will attempt to resolve the Port Number (based on the service's name) when the rule base is installed. If resolution fails, an error message is issued and installation will fail.
Source port range - Only packets with source ports in the range will be considered to belong to this service.
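The install-time port resolution and the source port range check described for TCP and UDP services, as an added example that is not Check Point's own code. The services file excerpt is constructed in the /etc/services format, and the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in /etc/services format (an assumption for this example,
# not a copy of any real system's file). Aliases follow the port/protocol column.
SERVICES_FILE = """\
# service-name  port/protocol  aliases
ftp        21/tcp
telnet     23/tcp
smtp       25/tcp   mail
domain     53/tcp
domain     53/udp
http       80/tcp   www
ntp       123/udp
"""

PortTable = Dict[Tuple[str, str], int]


def parse_services(text: str) -> PortTable:
    """Builds a (name, protocol) -> port map; aliases resolve like the primary name."""
    table: PortTable = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port_str, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port_str)
    return table


class InstallError(Exception):
    """Raised when rule base installation cannot resolve a service's port."""


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                                     # "tcp" or "udp"
    port: Optional[int] = None                     # None: resolve by name at install time
    source_port_range: Optional[Tuple[int, int]] = None


def resolve_services(services: List[Service], table: PortTable) -> List[Service]:
    """Install-time step: a service without a port must resolve from the services file,
    otherwise the whole installation fails, as the text describes."""
    resolved = []
    for svc in services:
        port = svc.port if svc.port is not None else table.get((svc.name, svc.proto))
        if port is None:
            raise InstallError(f"cannot resolve port for service {svc.name}/{svc.proto}")
        resolved.append(Service(svc.name, svc.proto, port, svc.source_port_range))
    return resolved


def packet_matches(svc: Service, proto: str, sport: int, dport: int) -> bool:
    """Inspection-time check: protocol and destination port must match, and when a
    source port range is set only packets whose source port falls inside it belong."""
    if proto != svc.proto or dport != svc.port:
        return False
    if svc.source_port_range is not None:
        low, high = svc.source_port_range
        return low <= sport <= high
    return True
```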

RPC

Remote Procedure Call (RPC) allows a program on one computer to execute a program on a server computer. The client program sends a message to the server with appropriate arguments and the server returns a message containing the results of the program executed.

Figure 93: RPC Service Properties Screen

The RPC Service Properties screen contains the following information (Figure 93):

Name - The name in the RPC file allows FireWall-1 to retrieve the program number automatically. (The RPC file is /etc/rpc in Solaris; not available in NT.) If Network Information Service (NIS) is used on the system, FireWall-1 will consult the NIS services file.
Comment - Information that describes this service.
Color - Defines the color scheme of the object.
Program Number - The program number is simply the RPC equivalent of a service port number. For standard services, you can retrieve the program number from the RPC database. If the program number is omitted, FireWall-1 will attempt to resolve the program number when the rule base is installed. If resolution fails, an error message is issued and installation will fail.


ICMP

Internet Control Message Protocol (ICMP) is an extension to IP. ICMP supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection. All ICMP services are predefined in FireWall-1.

Figure 94: ICMP Service Properties

The ICMP Service Properties screen contains the following information (Figure 94):

Name - The service's name. The name assigned here should be identical to the server service name as it appears in the services file. FireWall-1 will retrieve some properties automatically.
Comment - Any information that describes this service.
Color - Defines the color scheme of the object.
Match - Enter the code string residing in the INSPECT language that determines whether the packet belongs to this service.
Pre-Match - INSPECT language command to be executed prior to the rule base.
Prologue (optional) - Add a fixed code string to the rules at the head of the rule base.


Other

Other or user-defined uses INSPECT to check for a specific unidentifiable item in a packet. Use Other for protocols that do not use TCP, UDP, RPC or accepted standard services.

Figure 95: User Defined Service Properties

The User Defined Service Properties screen contains the following information (Figure 95):

Name - The service's name. The name assigned here should be identical to the server service name as it appears in the services file.
Comment - Any information that describes this service.
Color - Defines the color scheme of the object.
Match - Enter the code string (residing in the INSPECT language) which determines whether the packet belongs to this service. For example, dport = telnet. The file tcpip.def lists some predefined components that can be used in expressions.
Pre-Match - INSPECT language command to be executed prior to the rule base.
Prologue (optional) - Add a fixed code string to the rules at the head of the rule base, before the Properties macros.

Group

Group Properties allows the administrator to define a service and add it to a named group. This eliminates the need to list each service individually in the rule base. When forming groups, follow these guidelines:

Groups do not have to be of the same type of service.
Groups can be part of other groups.


Figure 96: Group Properties with Services Added to a Group Name

The Group Properties screen contains the following information (Figure 96):

Name - The group name.
Comment - Any information that describes this group.
Color - Defines the color scheme of the object.
Not in Group - Services not included in the named group.
In Group - Services added to the named group.

Port Range

Most well known services have an associated port. For example: TELNET is port 23, FTP is port 21 and SMTP is port 25. Some protocols or services may operate with a range of ports, especially for the reverse connection back to the client that initiated the connection. Port Range allows setup of either UDP, TCP or FTP protocols with a starting and ending port range. If specified, only those port numbers will be accepted, dropped or rejected when inspecting packets considered to belong to the service.


Figure 97: Port Range Properties

The Port Range Properties screen contains the following information (Figure 97):

Name - Name of the port range.
First Port - A single port number or the starting port number within a range of ports.
Last Port - The ending port number within the range of ports.
Comment - Any information that describes this service.
Color - Defines the color scheme of the object.
Protocol - Select TCP or UDP.


Resources Manager
A FireWall-1 resource is used in conjunction with content security. A FireWall-1 resource specification defines further protocol-specific matching as well as actions to be performed at the protocol-specific level in a data packet. You can define FireWall-1 Resources for use with the following protocols: HTTP, FTP and SMTP. Anti-virus checking, URL screening and e-mail address translation are major security enhancements enabled by content security. These options are enforced using UFP and CVP server objects. The Resources Manager is covered in detail in the CCSE manual.

Resource Object Setup

To set up a new Resource, follow these steps:

1. Select Resources from the Manage menu (Figure 98):

Figure 98: Manage Menu


2. The Resources screen appears (Figure 99):

Figure 99: Resources Screen


3. Click New and select a resource to create from the menu.
4. Select each tab and complete the fields.
5. Click OK to save your settings.

The resource can now be used in a rule. If the source and destination meet in a rule, the service must comply with what is outlined in the URI as a match and action.

URI Resource

A Uniform Resource Identifier (URI) resource is an extension of the rule base. The URI goes beyond the source, destination and service fields and provides more details about the content of the service. HTTP security servers must be installed with default options for the URI to work. After creating a CVP or UFP server object if required, you must define the resource for HTTP to create a URI resource.

URI Match Specification Type

In the General tab of the URI Definition screen, you select from one of the following URI Match Specification types:

Wild Cards - The URIs are described on the Match tab of the Resource screen. Under this method, many URIs are described by a single wild card. For example, the wild card www.elvis* describes a large number of URIs. The URIs will be allowed or disallowed, depending on the Action in the rule that uses the resource.


File - The URIs are listed by name in the file specified in the Match tab of the Resource screen. Under this method, each URI is individually listed in the given file. The URIs will be allowed or disallowed, depending on the Action in the rule that uses the resource.
UFP - A list of URIs in selected categories is provided by the server specified in the Match tab of the Resource screen.

Wild Card URI Match Specification Type

Wild Cards is the first specification type listed in the General tab (Figure 100):

Figure 100: URI General Tab for Wild Cards Specification

The General tab contains the following information:

Name - Type in the name you want for the URI definition.
Comment - Type in the comment for the URI definition.
Color - Defines the color scheme of the object.
Connection Methods - Check the methods of connection. Your choices are: Transparent, Proxy and Tunneling.
Exception Track - Select the method of reporting. Your choices are: None, Log and Alert.
URI Match Specification Type - Check the specification type. Your choices are: Wild Cards, File and UFP.


If you select Wild Cards specification type, the following Match tab appears (Figure 101):

Figure 101: URI Match Tab for Wild Cards Specification

The Wild Cards Match tab contains the following information:

Schemes - Check http and type in a wild card (*) in the Other text box.
Methods - Type in a wild card (*) in the Other text box.
Host, Path and Query - Type in wild cards (*) in these text boxes.


If you select the Wild Cards specification type, the following criteria must be defined in the Action tab. The Action is what is done with the URI when all other criteria are met (Figure 102):

Replacement URI shown in Figure 102: www.badweb.com/warning.html

Figure 102: URI Action Tab for Wild Cards Specification

The Wild Cards Action tab contains the following information:
Replacement URI: Type in your alternate IP address to be sent back to any unauthorized source.
HTML Weeding: Check Strip Script Tags, Strip Applet Tags and Strip ActiveX Tags. This weeds out the tags so they are not displayed. If a CVP server is present, you can also select the server and the action that the server takes.
Response Scanning: Check Block JAVA Code.
CVP: Specify the inspection options for the third-party CVP server:
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (perhaps because it contains a virus), the CVP server corrects the file before returning it to the firewall.

File URI Match Specification Type

File is the second specification type listed in the General tab (Figure 103):

Figure 103: URI General Tab for File Specification

The General tab contains the following information:
Name: Type in the name you want for the URI definition.
Comment: Type in a comment for the URI definition.
Color: Defines the color scheme of the object.
Connection Methods: Check the methods of connection. Your choices are: Transparent, Proxy and Tunneling.
Exception Track: Select the method of reporting. Your choices are: None, Log and Alert.
URI Match Specification Type: Check the specification type. Your choices are: Wild Cards, File and UFP.

If you select File specification type, the following Match tab appears (Figure 104):

Figure 104: URI Match Tab for File Specification

The File Match tab contains the following information:
Import: Click to import a URI specification file (a list of URIs to which access will be denied or allowed, depending on the Action in the rule).
Export: Click to export a previously imported URI specification file. You will be asked to specify a file name under which the file will be saved.
A URI specification file is an ASCII file of records.

If you select the File specification type, the following action criteria must be defined in the Action tab. The Action is what is done with the URI when all other criteria are met (Figure 105):

Replacement URI shown in Figure 105: www.badweb.com/warning.html

Figure 105: URI Action Tab for File Specification

The File Action tab contains the following information:
Replacement URI: Type in your alternate IP address to be sent back to any unauthorized source.
HTML Weeding: Check Strip Script Tags, Strip Applet Tags and Strip ActiveX Tags. This weeds out the tags so they are not displayed. If a CVP server is present, you can also select the server and the action that the server takes.
Response Scanning: Check Block JAVA Code.
CVP: Specify the inspection options for the third-party CVP server:
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (perhaps because it contains a virus), the CVP server corrects the file before returning it to the firewall.
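The Wild Cards and File match types and the Action tab described above can be modelled in a few lines. The following Python is an added example, not FireWall-1 code: a URI resource is matched either by * wild cards on scheme, method, host, path and query or against an imported URI specification file, and the Action tab's Replacement URI and HTML Weeding options are applied to the outcome. The one-pattern-per-record file layout, the sample file and the regex-based weeding are assumptions of the example.

```python
"""Model of a FireWall-1 style URI resource: the Match tab (Wild Cards or File
specification) and the Action tab (Replacement URI, HTML Weeding).  Added example."""
import fnmatch
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of an imported URI specification file.  One URI pattern per
# record is an assumption made for this example, not the FireWall-1 file layout.
URI_SPEC_FILE = """\
www.badweb.com/*
ftp.warez.example/pub/*
"""


@dataclass(frozen=True)
class URIResource:
    name: str
    match_type: str                  # "wildcards" or "file"
    schemes: str = "*"               # Wild Cards Match tab: each field is a '*' pattern
    methods: str = "*"
    host: str = "*"
    path: str = "*"
    query: str = "*"
    uri_file: str = ""               # File Match tab: contents of the imported file
    replacement_uri: str = ""        # Action tab: returned to a denied source
    strip_script_tags: bool = False  # Action tab: HTML Weeding check boxes
    strip_applet_tags: bool = False
    strip_activex_tags: bool = False

    def matches(self, method: str, uri: str) -> bool:
        """Does this resource describe the requested URI?"""
        parts = urlsplit(uri)
        if self.match_type == "file":
            target = parts.netloc.lower() + parts.path
            records = [r.strip() for r in self.uri_file.splitlines() if r.strip()]
            return any(fnmatch.fnmatchcase(target, rec) for rec in records)
        fields = [(self.schemes, parts.scheme.lower()), (self.methods, method.upper()),
                  (self.host, parts.netloc.lower()), (self.path, parts.path or "/"),
                  (self.query, parts.query)]
        return all(fnmatch.fnmatchcase(value, pattern) for pattern, value in fields)


@dataclass(frozen=True)
class Rule:
    resource: URIResource
    action: str   # "accept", "drop" or "reject", as in the rule base


def apply_rule(rule: Rule, method: str, uri: str):
    """Decision of the HTTP Security Server for one request under one rule.
    None means the resource does not match, so this rule does not apply and the
    next rule in the rule base is consulted."""
    if not rule.resource.matches(method, uri):
        return None
    if rule.action == "accept":
        return {"allowed": True}
    # Drop/Reject: the client gets the Replacement URI instead of the content
    return {"allowed": False, "redirect": rule.resource.replacement_uri}


# HTML Weeding: the tag kinds each check box removes.  ActiveX controls are
# embedded with <object>; a regex is used here only to keep the example short.
_WEED = {
    "strip_script_tags": re.compile(r"<script\b.*?</script\s*>", re.I | re.S),
    "strip_applet_tags": re.compile(r"<applet\b.*?</applet\s*>", re.I | re.S),
    "strip_activex_tags": re.compile(r"<object\b.*?</object\s*>", re.I | re.S),
}


def weed_html(resource: URIResource, html: str) -> str:
    """Remove the tags checked on the resource's Action tab from a response body."""
    for option, pattern in _WEED.items():
        if getattr(resource, option):
            html = pattern.sub("", html)
    return html
```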

UFP URI Match Specification Type

UFP is the third specification type listed in the General tab (Figure 106):

Figure 106: URI General Tab for UFP Specification

The General tab contains the following information:
Name: Type in the name you want for the URI definition.
Comment: Type in a comment for the URI definition.
Color: Defines the color scheme of the object.
Connection Methods: Check the methods of connection. Your choices are: Transparent, Proxy and Tunneling.
Exception Track: Select the method of reporting. Your choices are: None, Log and Alert.
URI Match Specification Type: Check the specification type. Your choices are: Wild Cards, File and UFP.

If you select UFP specification type, the following Match screen appears (Figure 107):

Figure 107: URI Match Tab for UFP Specification

The UFP Match tab contains the following information:
UFP Server: Select the UFP server from the menu. The UFP server should already have been defined in the Servers manager.
Categories: Check the categories you wish to include in the resource definition. This list displays the categories defined by the UFP Server properties.

If you select the UFP specification type, the following action criteria must be defined in the Action tab. The Action is what is done with the URI when all other criteria are met (Figure 108):

Replacement URI shown in Figure 108: www.badweb.com/warning.html

Figure 108: URI Action Tab for UFP Specification

The UFP Action tab contains the following information:
Replacement URI: Type in your alternate IP address to be sent back to any unauthorized source.
HTML Weeding: Check Strip Script Tags, Strip Applet Tags and Strip ActiveX Tags. This weeds out the tags so they are not displayed. If a CVP server is present, you can also select the server and the action that the server takes.
Response Scanning: Check Block JAVA Code.
CVP: Specify the inspection options for the third-party CVP server:
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (for example, it may contain a virus), the CVP server corrects the file before returning it to the firewall.

SMTP Security Server

The SMTP security server provides exact control over SMTP connections. The SMTP resource definition allows hiding of internal IP addresses from outgoing e-mail, strips specific attachment types, drops messages above a given size, and rewrites e-mail addresses. Implement the SMTP security server with an SMTP resource. If you select SMTP from the Resource Manager, the following information must be defined in the General tab (Figure 109):

Figure 109: SMTP General Tab screen

The General tab contains the following information:
Name: The resource's name.
Comment: Descriptive text.
Color: Defines the color scheme of the object.
Mail Server: Mail is forwarded to this server.
Error Handling Server: If Notify Sender on Error is checked, then: if Error Handling Server is empty, the error notification is sent to the server specified under default_server in $FWDIR/conf/smtp.conf; if default_server in $FWDIR/conf/smtp.conf is not specified, the error notification is sent to the originator of the mail. If Notify Sender on Error is not checked, no error notification is generated. If multiple servers are defined, they are tried until successful.
Exception Track: This option determines if an action taken as a result of a resource definition is logged. Select one of the following:
  None: No logging or alerting.
  Log: Log the event.
  Alert: Issue an alert.
Notify Sender on Error: Notify the sender if the message was not delivered.

If you select the SMTP Match tab, the following screen appears (Figure 110):

Figure 110: SMTP Match Tab screen

The SMTP Match tab contains the following information:
Sender: The From field in the envelope.
Recipient: The To field in the envelope.
You may use wild card characters in specifying these fields.

The Action1 tab defines transformations to be performed on the given fields. The data in the field is modified in accordance with the defined transformation. The left part of the transformation is a match field. The right part specifies the form of the new transformed data (Figure 111):

Figure 111: SMTP Action1 Tab screen

The SMTP Action1 tab contains the following information:
Sender: The From field in the header.
Recipient: The To field in the header. It is recommended that the transformed data not include embedded spaces.
Field: The name of a field in the SMTP header (case-sensitive).
Contents: The contents of the specified field. Stripping fields such as From and To is discouraged, since it makes it impossible to deliver the mail message.

If you select the SMTP Action2 tab, the following screen appears (Figure 112):

Figure 112: SMTP Action2 Tab screen

The SMTP Action2 tab contains the following information:
Strip MIME of Type: MIME attachments of the specified type will be stripped from the message. Allowed types are: text, multipart, message, image, audio, video and application. If you strip MIME of type text, the text in the body of the message is not stripped.
Don't Accept Mail Larger Than: Mail messages larger than this size will not be allowed to pass.
Server: Select the CVP server from the menu. The CVP server should already have been defined in the Servers manager.
CVP: Select one of the following:
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (perhaps because it contains a virus), the CVP server corrects the file before returning it to the firewall.
Allowed Characters: Select one of the following:
  8 bit: Allow 8-bit ASCII.
  7 bit: Allow only 7-bit ASCII (but no control characters).
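The Match, Action1 and Action2 settings described above, as an added Python example (not FireWall-1 code) that runs a constructed message through an SMTP resource: envelope matching with wild cards, a From-header transformation that hides the internal host name, stripping of application attachments while the body text is kept, the size limit and the 7-bit check. The wild-card form of the Action1 match pattern, the sample message and the sample resource are assumptions of the example.

```python
"""Model of a FireWall-1 style SMTP resource: Match tab (envelope Sender/Recipient
with wild cards), Action1 (header field transformations) and Action2 (Strip MIME of
Type, Don't Accept Mail Larger Than, Allowed Characters).  Added example."""
import fnmatch
from dataclasses import dataclass, field
from email import message_from_string, policy


@dataclass
class SMTPResource:
    sender: str = "*"            # Match tab: envelope From
    recipient: str = "*"         # Match tab: envelope To
    # Action1: (header field, match pattern, new contents); empty contents strips it.
    # Using '*' wild cards in the match pattern is an assumption of this example.
    rewrites: list = field(default_factory=list)
    strip_mime_types: frozenset = frozenset()  # Action2: text, image, application, ...
    max_size: int = 0            # Action2: Don't Accept Mail Larger Than (bytes; 0 = none)
    allowed_characters: int = 8  # Action2: 7 or 8 bit

    def matches(self, env_from: str, env_to: str) -> bool:
        return (fnmatch.fnmatchcase(env_from.lower(), self.sender.lower())
                and fnmatch.fnmatchcase(env_to.lower(), self.recipient.lower()))


def _has_disallowed_chars(raw: str) -> bool:
    """7 bit: only 7-bit ASCII, and no control characters other than CR, LF, TAB."""
    return any(ord(c) > 127 or (ord(c) < 32 and c not in "\r\n\t") for c in raw)


def process_message(resource: SMTPResource, env_from: str, env_to: str, raw: str) -> dict:
    """Run one message through the resource.  'verdict' is 'no_match' (the rule
    using this resource does not apply), 'accepted' or 'rejected: <reason>'.
    Accepted mail also reports the From header, the remaining MIME parts and the
    text that would be forwarded to the Mail Server."""
    if not resource.matches(env_from, env_to):
        return {"verdict": "no_match"}
    if resource.max_size and len(raw.encode("utf-8")) > resource.max_size:
        return {"verdict": "rejected: larger than %d bytes" % resource.max_size}
    if resource.allowed_characters == 7 and _has_disallowed_chars(raw):
        return {"verdict": "rejected: not 7-bit ASCII"}

    msg = message_from_string(raw, policy=policy.default)

    # Action1: the left part is the match, the right part the field's new contents.
    for name, pattern, new_contents in resource.rewrites:
        if not new_contents and name in ("From", "To"):
            raise ValueError("stripping %s would make the mail undeliverable" % name)
        value = msg.get(name)
        if value is not None and fnmatch.fnmatchcase(str(value), pattern):
            del msg[name]
            if new_contents:
                msg[name] = new_contents

    # Action2: strip attachments of the selected top-level MIME types.  A text part
    # that is the message body (not an attachment) is kept even if 'text' is selected.
    if msg.is_multipart() and resource.strip_mime_types:
        kept = []
        for part in msg.iter_parts():
            maintype = part.get_content_maintype()
            is_body_text = (maintype == "text"
                            and part.get_content_disposition() != "attachment")
            if maintype not in resource.strip_mime_types or is_body_text:
                kept.append(part)
        msg.set_payload(kept)

    parts = ([p.get_content_type() for p in msg.iter_parts()]
             if msg.is_multipart() else [msg.get_content_type()])
    return {"verdict": "accepted", "from": str(msg["From"]), "parts": parts,
            "text": msg.as_string()}


# Constructed sample message: internal sender, a text body and an executable attachment.
SAMPLE_MAIL = (
    "From: alice@hq.inside.example\n"
    "To: bob@partner.example\n"
    "Subject: quarterly report\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "Report attached.\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="report.exe"\n'
    'Content-Disposition: attachment; filename="report.exe"\n'
    "\n"
    "MZ...\n"
    "--b1--\n"
)

# Sample resource: hide the internal host name in From, drop application
# attachments, cap the size at 64 KB and allow 7-bit mail only.
OUTBOUND = SMTPResource(
    sender="*@*.inside.example",
    rewrites=[("From", "*@hq.inside.example", "alice@example.com")],
    strip_mime_types=frozenset({"application"}),
    max_size=64 * 1024,
    allowed_characters=7,
)
```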

FTP Security Server

The FTP security server provides authentication services and content security based on FTP commands (PUT/GET), file name restrictions and anti-virus checking for files. Implement the FTP security server with an FTP resource (Figure 113):

Figure 113: FTP General Tab screen

The FTP General tab contains the following information:
Name: The resource's name.
Comment: Descriptive text.
Color: Defines the color scheme of the object.
Exception Track: This option determines if an action (specified in the Action tab) taken as a result of a resource definition is logged. Select one of the following:
  None: No logging or alerting.
  Log: Log the event.
  Alert: Issue an alert.

If you select the FTP Match tab, the following screen appears (Figure 114):

Figure 114: FTP Match Tab screen

The FTP Match tab contains the following information:
Path: Full path name of the file.
Methods: Select one of the following:
  GET: Getting a file from the server to the client.
  PUT: Sending a file from the client to the server.

If you select the FTP Action tab, the following information appears (Figure 115):

Figure 115: FTP Action Tab screen

The FTP Action tab contains the following information:
Server: Select the CVP server from the menu. The CVP server should already have been defined in the Servers manager.
CVP: Select one of the options:
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (for example, because it may contain a virus), the CVP server corrects the file before returning it to the firewall.

Server Manager
A Server object represents a server running on a specific host. The available server objects are:
URL Filtering Protocol (UFP): A UFP server can be used in defining a URI Resource.
Content Vectoring Protocol (CVP): A CVP server examines the contents of a file or data stream.
RADIUS: A RADIUS server is used to provide authentication services.
TACACS: A TACACS server is used to provide authentication services.
AXENT Defender: An AXENT Defender server is used to provide authentication services.
LDAP Account Units: The FireWall-1 Account Management system is an independent module that enables the Security Manager to integrate an LDAP-compliant user database with FireWall-1 user authentication.
The Server Manager is covered in detail in the CCSE manual.

Server Objects Setup

Servers must be created before you can add them to the rule base. To set up servers, follow these steps:
1. Select Servers from the Manage menu (Figure 116):

Figure 116: Manage Menu

2. The Servers screen appears (Figure 117):

Figure 117: Resources Screen with New Menu

3. Click New and select the type of server you want to create from the menu: UFP, CVP, RADIUS, RADIUS Group, TACACS, DEFENDER or LDAP Account Unit.

Users Manager
When you define users and user groups, you can use them as the Source in rules that specify Authentication as the Action. The user's properties are then applied. In this way you can specify, for example, that users in one group can connect only during the day, while users in another group can connect only at night. In addition, you can define templates on which future user definitions will be based. To create a new user or a new user group, select Users from the Manage menu and click New. The following screens appear.

General Tab

The General tab is identical for user properties and template properties (Figure 118):

Figure 118: User Properties General Tab

The General tab contains the following information:
Name: The user (or template) name.
Comment: Descriptive text.
Color: Defines the color scheme of the object.
Expiration: Date after which the user will be denied access.

Groups Tab

The Groups tab is identical when setting up users and templates (Figure 119):

Figure 119: User Properties Groups Tab

The Groups tab contains the following information:
Add: Adds a user to a group.
Delete: Deletes a user from a group.

Authentication Tab

The Authentication tab is defined in Unit IV Chapter 1: Authentication on page 235.

Location Tab

The Location tab is identical when setting up users and templates (Figure 120):

Figure 120: User Properties Location Tab

The Location tab contains the following information:
Source: The user will be allowed access only from the listed network objects.
  Add: Adds a network object to the list of accessible sources.
  Delete: Deletes a network object from the list of accessible sources.
Destination: The user will be allowed access only to the listed network objects.
  Add: Adds a network object to the list of accessible destinations.
  Delete: Deletes a network object from the list of accessible destinations.

Time Tab

The Time tab is identical when setting up users and templates (Figure 121):

Figure 121: User Properties Time Tab

The Time tab contains the following information:
Days in Week: The days on which the user will be allowed access.
Time of day: Hours, from and to, between which the user will be allowed access.

Encryption Tab

To configure the Encryption tab, see Encryption Tab on page 108.

User Template Setup

Once you have created a template, any user you create based on the template inherits all of the template's properties, including membership in groups. If you modify a template's properties, the change affects all users created from the template in the future; users already created from the template are not affected. To set up a user template, follow these steps:
1. Select Users from the Manage menu (Figure 122):

Figure 122: Manage Menu

2. The Users setup screen appears (Figure 123):

Figure 123: Users Setup Screen

3. Click New and the New User Object menu appears, listing the types of objects you can create: Group, External group and Template. The Default template is listed in the bottom part of the menu until User Templates are defined and listed. Creating External Groups is described in the CCSE manual.
4. Create a new template before creating a new user by selecting Template from the New User Object menu.
5. The User Properties screens appear. Complete the properties setup in each of the tabs.
6. Click OK and the name of the new template appears at the bottom of the New User Object menu.

New User Setup

To create a new user, follow these steps:
1. From the New User Object menu, choose the template on which the new user's properties will be based.
2. The User Properties screens appear. Complete the properties setup in each of the tabs. You can modify the template's properties for each user, but they will be changed for the new user only. The template remains unchanged.
3. Click OK and the new user appears in the User Manager list.

New Group Setup

To create a new group, follow these steps:
1. Select Group from the New User Object menu.
2. The Group Properties screen appears (Figure 124).

Figure 124: Group Properties Screen

3. Complete the properties setup. Select the names of Users shown in the Not in Group list and click Add. They are now shown in the In Group list.
4. Click OK and the new group appears in the User Manager list.

Time Objects Manager


Time objects are used to specify time periods during which rules are in effect.

Time Object Setup

To set up a Time object, follow these steps:
1. Select Time from the Manage menu (Figure 125):

Figure 125: Manage Menu

2. The Time Objects Manager appears (Figure 126):

Figure 126: Users Setup Screen

3. Click New to set up a new Time object. A menu appears, listing the types of objects you can create. Choose Time or Group.

4. The General tab appears (Figure 127):

Figure 127: Time General Tab

The General tab contains the following information:
Name: The object's name.
Comment: Descriptive text.
Time of Day: Enter up to three From-To pairs in 24-hour notation. To specify all day, set From: 00:00 and To: 23:59.

5. Select the Days tab (Figure 128):

Figure 128: Time Days Tab

The Days tab contains the following information:
None: The times of day specified in the General tab of the Time Object Properties screen apply on all days.
Day in Month: The times of day specified in the General tab of the Time Object Properties screen apply only on the days of the month checked under Days in Month.
Day in Week: The times of day specified in the General tab of the Time Object Properties screen apply only on the days of the week checked under Days in Week.
Month: The times of day specified in the General tab of the Time Object Properties screen apply only during the month specified. This field is enabled only if Days Specification is Day in Month.

Keys Manager
The Keys Manager is defined in the CCSE course.

Review
Summary

Before an object is included in a rule base, its properties must first be defined. Only those objects that are used in the rule base need to be defined. It is helpful to determine a color scheme before defining your objects. By assigning the same color to related objects, managing your firewall is made easier. A simple color scheme enables you to quickly identify and select objects, rather than scroll through long lists with little or no distinction between objects. Understanding internal and external management stations is essential for defining objects. Grouping your objects gives you a better overview of the security policy and will lead to a more readable rule base. As your network changes, you can add, delete or modify objects as needed.

FireWall-1 comes with several of the most common services predefined. These services include TCP, HTTP and HTTPS, SMTP, UDP and RPC. Most well-known services have an associated port, such as port 23 for telnet. Some types of protocols or services may operate with a range of ports, especially for the reverse connection back to the client that initiated the connection.

A server object represents a server running on a specific host. The available server objects include UFP, CVP, RADIUS, TACACS, AXENT Defender, and LDAP Account Units. You must create the server object before adding it to a rule in the rule base.

Review Questions

1. How do you access the Management Tools?

2. What is the difference between internal and external management stations?

3. What objects must be defined for your network?

4. List the associated port numbers for TELNET, FTP, and SMTP.

Unit III Managing your Network


Chapter 1: Security Policy Rule Base and Properties Setup
Chapter 2: Administering Security Policy with Rule Base

Unit III Chapter 1: Security Policy Rule Base and Properties Setup
Introduction
The FireWall-1 security policy is an essential part of FireWall-1 administration. Defining and implementing a security policy maximizes FireWall-1's effectiveness. Without a well-defined security policy, FireWall-1 is limited in its ability to be an effective security solution. The following are key concepts about security policies:
A security policy defines the way you and your organization view internal network security.
A well-defined rule base is the key to the effectiveness of a security policy.
A security policy is divided into two parts: the properties and the rule base.

In this chapter, you will learn how to create rules and modify a security policy's properties. You must modify security policy properties because a security policy is made up of its rule base and the fields specified in the Properties Setup screens.

Objectives

Explain why it is important to correctly set up a security policy
Explain the order in which FireWall-1 matches policies and rules
Be able to name and define the rule base elements
Show how to create a rule base
Show how to add rules to the rule base
Identify the process by which security policy rules are applied to a packet
Define the ways rules can be applied to interface direction
Successfully define and configure properties for a security policy

Key Terms

security policy
rule base
rule base elements
rule base editor
pseudo rule
implicit rule
explicit rule
implicit-drop rule
accounting log entry
security server
authentication schemes
SYNDefender
SYN packets
Lightweight Directory Access Protocol (LDAP)
load balancing


Security Policy Defined


What is a security policy? A security policy is a set of rules that defines your internal network's security. In FireWall-1, the security policy is defined using a rule base, which translates your security policy into a collection of individual rules. These rules are created with the FireWall-1 rule base editor (the security policy GUI), a tool for creating a security policy. Each rule can be comprised of any combination of network objects, users, services and actions. Once a rule is defined, FireWall-1 provides the ability to define which network enforcement points across your internal network should enforce it.

Considerations

Before creating a security policy for your system, you must answer the following questions:
What kind of services, including customized services and sessions, are allowed in your system?
What are your users' permissions and authentication schemes?
What objects are in your system? Examples include gateways, hosts, networks, routers and domains.

Creating the Security Policy

To create a new security policy, follow these steps:
1. Select New from the File menu (Figure 129):

Figure 129: File Menu

2. Type in a name for your security policy (Figure 130):

Figure 130: New Security Policy

3. The security policy screen has no data added (Figure 131):

Figure 131: Security Policy with no Rules


Rule Base Defined


The FireWall-1 rule base translates a security policy into a collection of individual rules. These rules are created with the rule base editor, also referred to as the Security Policy Editor GUI. Figure 132 shows an example of a rule base as it appears in FireWall-1:

Figure 132: Example Rule Base

Rule Base Elements

Each rule is made up of rule base elements, which are the individual components that make up a rule. The rule base elements are shown in Table 10:

Table 10: Rule Base Elements

No.: Rule number; defines the order in which FireWall-1 enforces each rule.
Source: The source of the packet.
Destination: Where the packet is going. Source and destination can be any network objects.
Services: TCP, HTTP, HTTPS, SMTP, UDP, RPC and ICMP protocols.
Action: What to do with a packet.
Track: Log or alert rule.
Install On: Which firewalled objects will enforce the rule.
Time: When a rule is effective. Define times as needed.
Comment: User-defined description of the rule.

Rule Base Element Options

To customize rules in the rule base, right-click on each element and select from the available menu options (Table 11):

Table 11: Source Element Menu Options

Add: Select network objects to add to the rule's Source.
Add Users Access: Select user group(s) to add to the rule's Source.
Edit: Edit the selected object.
Delete: Delete the selected object.
Negate: Negate the selected object, when system administrators need to include all objects or users and exclude a specific object or user. Negating the selected object (or user) is sometimes a more efficient way to manage a security policy.
Cut: Cut the selected object and copy it onto the clipboard.
Copy: Copy the selected object onto the clipboard.
Paste: Paste the object from the clipboard into the rule's Source.

Table 12: Destination Element Menu Options

Add: Select network objects to add to the rule's Destination.
Edit: Edit the selected object.
Delete: Delete the selected object.
Negate: Negate the selected object, when system administrators need to include all objects or users and exclude a specific object or user. Negating the selected object (or user) is sometimes a more efficient way to manage a security policy.
Cut: Cut the selected object and copy it onto the clipboard.
Copy: Copy the selected object onto the clipboard.
Paste: Paste the object from the clipboard into the rule's Destination.

Table 13: Service Element Menu Options

Add: Select network objects to add to the rule's Services.
Add with Resource: Add a resource.
Edit: Edit the selected object.
Delete: Delete the selected object.
Negate: Negate the selected object, when system administrators need to include all objects or users and exclude a specific object or user. Negating the selected object (or user) is sometimes a more efficient way to manage a security policy.
Cut: Cut the selected object and copy it onto the clipboard.
Copy: Copy the selected object onto the clipboard.
Paste: Paste the object from the clipboard into the rule's Service.

Table 14: Action Element Menu Options

Edit properties: Edit the properties of the rule's Action.
Add Encryption: Add Encryption to the Action for this rule.
Remove Encryption: Remove Encryption from the Action for the rule.
Edit Encryption: Edit this rule's Encryption parameters.
Accept: Accept the connection.
Drop: Drop the connection and do not notify the sender.
Reject: Reject the connection and notify the sender.
User Authentication: Invoke user authentication for this connection.
Client Authentication: Invoke client authentication for this connection.
Session Authentication: Invoke session authentication for this connection.
Encrypt: Encrypt outgoing packets; accept incoming encrypted packets and decrypt them.
Client Encrypt: Accept only SecuRemote communications, which allows remote.

Table 15: Tracking Element Menu Options

None: No logging or alerting for this communication.
Short Log: Log in short format.
Long Log: Log in long format.
Accounting: Log in Accounting format.
Alert: Issue an alert.
Mail: Send a mail alert.
SNMP Trap: Issue an SNMP trap.
User Defined: Issue a User Defined Alert.

Table 16: Install On Element Menu Options

Gateway: Enforce on all network objects defined as gateways, in the direction specified.
Destination: Enforce in the inbound direction on the firewalled network objects.
Source: Enforce in the outbound direction on the firewalled network objects.
Router: Enforce on specified routers.
Integrated FireWalls: Enforce on specified integrated firewalls.
Target: Enforce on the specified target object(s) only, in the inbound and outbound (eitherbound) directions.

Install On: Enforced on all the interfaces of a firewalled host or gateway. Enforced differently for incoming and outgoing packets, depending on the rule's Install On field.

Table 17: Time Element Menu Options

Add: Displays the Time Objects screen, from which you can select time objects to add to the rule's Time.
Edit: Edit the selected object.
Delete: Delete the selected object.

Table 18: Comment Element Command

Double-click: Add a descriptive comment that you wish to appear in the comment area of the rule and click OK.

Creating the Rule Base


In FireWall-1, the security policy is defined using the FireWall-1 rule base editor, which is a tool for creating a security policy. The rule base editor allows you to create a rule base, which translates your security policy to a collection of individual rules. Choose from the following options (Figure 133):

Figure 133: Adding a Rule

Add Rule
    To add a new rule, choose the position where the rule is to be placed: Bottom, Top, After, Before.

The following options can be accessed after you have created a rule.

Delete Rule
    Deletes the currently selected rule from the rule base.

Cut
    Removes (cuts) the selected data and puts it on the clipboard.

Copy
    Copies the selected data onto the clipboard.

Paste
    Pastes the selected data from the clipboard. Choose the position where the rule is to be pasted: Bottom, Top, After, Before.

Disable Rule
    Disables a rule when testing a security policy without affecting the actual firewalled network. Disabling a rule allows local testing only. It can also be used to allow access to a previously restricted source or destination.


Add a Rule

To add a rule, follow these steps:

1. Select Add Rule from the Edit menu.
2. Select Top from the Add Rule menu, since this is the first rule.
3. A new rule, the default rule, is added to the security policy (Figure 134):

Figure 134: Default Rule

The Default Rule

The default rule is defined with the following information:

No.
    Defines the number order of each rule. The first rule in the rule base is No. 1.

Source
    Displays the object manager screen, from which you can select network objects or a group of users to add to the rule base. The default is Any.

Destination
    Displays the object manager screen, from which you can select network objects to add to the rule. The default is Any.

Service
    Displays the service manager screen, from which you can select services to add to the rule. The default is Any.

Action
    Accepts, drops or rejects data, or provides authentication and encryption. The default is drop.

Track
    Defines logging or alerting for this rule. The default is no tracking.

Install On
    Specifies which firewalled objects will enforce the rule. The default is Gateways, which means all internal firewalled objects.

Time
    Defines when this rule takes effect. The default is Any.

Comments
    Allows system administrators to add notes about this rule. The default is no comments.


Creating the Cleanup Rule

The cleanup rule should be the first rule you create in the rule base. A cleanup rule allows you to specify logging for remaining packets, and drops all communication not described by other rules. To create a cleanup rule, follow these steps:

1. Select Add Rule from the Edit menu.
2. Select Bottom from the Add Rule menu.
3. The default rule has now been added to the security policy (Figure 134):

Figure 135: Default Rule

4. Right-click in the Tracking column and select Long Log.
5. Right-click in the Comment column, type Cleanup Rule in the dialog box and click OK.
6. The default rule now becomes the cleanup rule (Figure 136):

Figure 136: Cleanup Rule

For the cleanup rule to be effective, be sure to add all other rules above the cleanup rule. The last rule in the rule base must be the cleanup rule.


Creating the Stealth Rule

To prevent any users from connecting to the firewall, you must add a Stealth Rule to your rule base. Protecting the firewall in this manner makes it transparent; that is, it becomes an invisible network object that, from the point of view of network users, does not even exist. To create a stealth rule, follow these steps:

1. Right-click in the Number column of the cleanup rule and select Add Rule from the Edit menu.
2. Select Top from the Add Rule menu.
3. Right-click in the Destination column and select the firewall.
4. Right-click in the Action column and select Drop.
5. Right-click in the Tracking column and select Long Log.
6. Right-click in the Comment column, type Stealth Rule in the dialog box and click OK.
7. The stealth rule now appears in the rule base (Figure 137):

Figure 137: Stealth Rule

For the stealth rule to fully protect your firewall, be sure to add all other rules below it. In this way, the stealth rule should always be the first rule and the cleanup rule should always be the last rule.


Adding Additional Rules

Add additional rules to your security policy below the stealth rule and above the cleanup rule. To add additional rules, follow these steps:

1. Right-click in the Number column of an existing rule and select Add Rule from the Edit menu.
2. Select the position for the rule from the Add Rule menu, choosing After or Before.
3. Right-click in the Source column of the new rule and the Source menu appears (Figure 138):

Figure 138: Rule-Base Element Menu

4. Select Add from the Source menu and the Add Object screen appears (Figure 139):


Figure 139: Add Object Screen


5. Choose the appropriate network object and click OK. The object is added to the rule base.
6. Repeat these steps for the other rule base elements: Service, Action, Track, Install On, Time and Comment.

Completing the Rule Base

When you have defined the desired rules, you must install the rule base. The Install On selection made when installing the policy specifies the network object on which the security policy is installed. In contrast, the Install On element in the rule base editor specifies the network object that is to enforce a specific rule. To install the rules, follow these steps:

1. Select Install from the Policy menu (Figure 140):

Figure 140: Install on the Policy Menu

2. The Install Security Policy Module screen appears (Figure 141):


Figure 141: Install Security Policy Module Screen

3. Select the firewall to install on, then click OK to install the security policy.


Implicit (Pseudo) and Explicit Rules


FireWall-1 creates a rule base by translating your security policy to a collection of individual rules. In addition to the explicit rules created in the rule base, FireWall-1 creates pseudo rules, also called implicit rules, derived from the security properties. One of FireWall-1's implicit rules is the implicit-drop rule. The implicit-drop rule follows the principle that what is not expressly permitted is prohibited: FireWall-1 implicitly adds a rule at the end of each rule base that drops all communication attempts not described by the previous rules. If you rely on the implicit-drop rule to drop packets, they will not be logged, because only packets which are described by an explicit rule can be logged. In order to log these packets, you must explicitly define a "None of the above" rule, commonly defined as the cleanup rule.

An explicit rule is a rule that you create in the rule base. The explicit rules are displayed together with the implicit rules in the correct sequence. To see how the properties and rules interact, select Implied Pseudo-Rules from the View menu. The implicit rules appear without numbering and the explicit rules appear with numbering (Figure 142):


Figure 142: Explicit and Implicit Rules


Understanding Rule Base Order

Before you can define security policy properties, you must consider the rule base order. FireWall-1 inspects packets by comparing them to the security policy one rule at a time, in rule base order. For this reason, it is important to define each rule in a security policy in the appropriate order. The order in which FireWall-1 applies the rules in a security policy to packets is shown in Figure 143:

Properties labeled First are matched prior to the numbered rules. The property labeled Last is matched last. The property labeled Before Last is matched prior to the last numbered rule.


The # 5 rule, the cleanup rule, drops all remaining connections that do not match the previous rules.
Figure 143: Rule Base Order


1. Any anti-spoofing rules are applied.
2. Checked properties in the Security Policy tab of the Properties Setup screen labeled First are matched prior to the numbered rules.
3. Rules are matched according to their order in the rule base, except for the last rule in the rule base. FireWall-1 reads rules 1, 2 and 3, in that order.
4. Checked properties labeled Before Last are matched after all but the last rule in the rule base.
5. The last rule in the rule base is matched.
6. The checked property labeled Last is matched last.
7. The implicit drop rule is matched.

The implicit rules are not shown when viewing the rule base unless you select Implied Pseudo Rules from the View menu (Figure 144):

[Figure 144 diagram: Match Order 1 to 7, shown as IP Spoofing / IP Options; Security Policy First Rule; Rule Base; Security Policy Before Last Rule; Last Rule In Rule Base; Security Policy Last Rule; Implicit Drop.]
Figure 144: Rule Base Order Defined
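To make the match order above concrete, here is a small Python model, added for this edition rather than taken from FireWall-1 or the course, that walks a packet through the Figure 144 sequence: anti-spoofing, properties placed First, the numbered rules, properties placed Before Last, the last rule, the property placed Last, and finally the implicit drop. It also carries the stealth and cleanup rules built in the procedures earlier in this chapter, so the difference between a cleanup-rule drop (logged) and an implicit drop (not logged) can be seen directly. The network object names, the sample rule base and the anti-spoofing table are constructed for the example.

```python
"""Rule base match-order model (added example, not Check Point code).

Follows the Figure 144 sequence: anti-spoofing, properties marked First, the
numbered rules except the last, properties marked Before Last, the last rule,
the property marked Last, then the implicit drop. Object names ("Internet",
"Intranet", "FW", "WebServer") and the rule base are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "Any"

# Anti-spoofing table: the source network object expected on each interface.
# Assumed to be configured in Interface Properties with Alert tracking.
ANTI_SPOOF = {"outer": "Internet", "inner": "Intranet"}


@dataclass
class Packet:
    src: str       # source network object, e.g. "Internet"
    dst: str       # destination network object, e.g. "WebServer"
    service: str   # e.g. "http", "icmp"
    iface: str     # interface the packet arrived on: "outer" or "inner"


@dataclass
class Rule:
    source: str
    destination: str
    service: str
    action: str              # "accept" or "drop"
    track: Optional[str]     # "Long Log", "Short Log", ... or None for no tracking
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # "Any" in a column matches every value.
        return all(want in (ANY, have) for want, have in (
            (self.source, pkt.src),
            (self.destination, pkt.dst),
            (self.service, pkt.service)))


@dataclass
class Property:
    """A checked Security Policy property (e.g. Accept ICMP) and its position."""
    name: str
    service: str
    position: str            # "First", "Before Last" or "Last"


@dataclass
class Decision:
    action: str
    matched_by: str
    logged: bool


def match_order(props: List[Property], rules: List[Rule]) -> List[Tuple[str, Union[Property, Rule]]]:
    """Items in the order FireWall-1 consults them (steps 2 to 6 of Figure 144)."""
    def props_at(pos: str):
        return [(f"property {p.name} ({pos})", p) for p in props if p.position == pos]

    seq = props_at("First")
    seq += [(f"rule {i}", r) for i, r in enumerate(rules[:-1], start=1)]
    seq += props_at("Before Last")
    if rules:
        seq.append((f"rule {len(rules)}", rules[-1]))
    seq += props_at("Last")
    return seq


def inspect_packet(pkt: Packet, props: List[Property], rules: List[Rule]) -> Decision:
    # Step 1: anti-spoofing on the arrival interface.
    if ANTI_SPOOF.get(pkt.iface) != pkt.src:
        return Decision("drop", "anti-spoofing", logged=True)
    # Steps 2 to 6: first match wins.
    for label, item in match_order(props, rules):
        if isinstance(item, Property):
            if item.service == pkt.service:
                # A property is not an explicit rule, so nothing is logged.
                return Decision("accept", label, logged=False)
        elif item.matches(pkt):
            return Decision(item.action, label, logged=item.track is not None)
    # Step 7: the implicit drop; nothing is logged here either.
    return Decision("drop", "implicit drop", logged=False)


# Constructed sample rule base: stealth rule first, cleanup rule last.
RULES = [
    Rule(ANY, "FW", ANY, "drop", "Long Log", "Stealth Rule"),
    Rule(ANY, "WebServer", "http", "accept", "Long Log", "public web"),
    Rule("Intranet", ANY, "ftp", "accept", "Short Log", "internal ftp out"),
    Rule(ANY, ANY, ANY, "drop", "Long Log", "Cleanup Rule"),
]
PROPS = [Property("Accept ICMP", "icmp", "Before Last")]

if __name__ == "__main__":
    for pkt in (Packet("Internet", "FW", "telnet", "outer"),
                Packet("Internet", "WebServer", "icmp", "outer"),
                Packet("Internet", "WebServer", "smtp", "outer")):
        print(pkt, "->", inspect_packet(pkt, PROPS, RULES))
        print("   without cleanup rule ->", inspect_packet(pkt, PROPS, RULES[:-1]))
```

Moving Accept ICMP from Before Last to Last makes the cleanup rule catch the ICMP packet first, which is the point made later in this chapter about the placement of the Accept ICMP property; removing the cleanup rule leaves the same SMTP packet to the implicit drop, where it is not logged.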


Understanding Interface Direction


Which is it? Inbound, Outbound or Eitherbound. The answer is important to the success of your firewall. When defining security policy properties, you must consider one of three ways FireWall-1 inspects packets:

Inbound
Outbound
Eitherbound

FireWall-1 can inspect packets going into or coming from an internal network moving in a one-way (inbound or outbound) or two-way (eitherbound) direction. This is important for administrators, because FireWall-1 must provide the greatest level of security when inspecting packets. It is important to note that packet filtering must be considered from the firewall's point of view, and not the Internet or Intranet point of view. Figure 145 and Figure 146 illustrate the concept of one-way packet filtering. In Figure 145, the inbound packet (from the firewall's point of view) is inspected at the outer NIC if packet filtering is set to inbound.

[Figure 145 diagram: FireWall-1 Rule Base and Inspect Engine between the Internet and the Intranet. An Inbound Packet from the Internet is marked INSPECTED HERE at the Outer NIC, before it reaches the Inner NIC.]

Figure 145: Inspecting Inbound packets from the Internet


In Figure 146, the packet coming from the Intranet is inbound from the perspective of the firewall. Therefore, the packet gets inspected on the inner NIC.

[Figure 146 diagram: FireWall-1 Rule Base and Inspect Engine between the Intranet and the Internet. An Inbound Packet from the Intranet is marked INSPECTED HERE at the Inner NIC.]

Figure 146: Inspecting Inbound packets from the Intranet

In an outbound scenario, the opposite would be true. In Figure 147, a packet coming in from the Internet would not get inspected until it hits the firewall's inner NIC, because in an outbound scenario the packet does not get inspected until it is leaving the firewall.
[Figure 147 diagram: FireWall-1 Rule Base and Inspect Engine between the Internet and the Intranet. An Outbound Packet from the Internet passes the Outer NIC uninspected and is marked INSPECTED HERE at the Inner NIC.]

Figure 147: Inspecting Outbound packets from the Internet


In Figure 148, a packet originating from the Intranet enters the firewall from the inner NIC. This is an inbound packet from the firewall's perspective. It therefore doesn't get inspected until it hits the outer NIC, which is outbound from the firewall.

[Figure 148 diagram: FireWall-1 Rule Base and Inspect Engine between the Intranet and the Internet. An Outbound Packet from the Intranet passes the Inner NIC uninspected and is marked INSPECTED HERE at the Outer NIC.]

Figure 148: Inspecting Outbound packets from the Intranet

Figure 149 illustrates how eitherbound inspects packets at both the inner and outer NICs. This provides the greatest level of security, with minimal performance degradation, since the inspect engine is operating in the kernel and not in user memory.
[Figure 149 diagram, two panels: an Inbound Packet from the Internet and an Outbound Packet from the Intranet, each marked INSPECTED HERE at both the Outer NIC and the Inner NIC of the FireWall-1 Rule Base and Inspect Engine.]

Figure 149: Inspecting Eitherbound packets from the Internet and Intranet


One important aspect of this security is missing: what about a user directly on the firewall? If a user is operating on the firewall, by definition, all packets are outbound, since from the firewall's perspective everything is going out. If inbound is specified in the properties, then users on the firewall are not bound by the rule base. If outbound is specified in the properties, the user is now bound by the rule base; however, traffic going through the firewall is not inspected until it has reached the outgoing NIC.
Example

Scenario: Firewall is in secure room; operator is trusted
    Properties: Inbound
    Advantage: Inspects packets before entering firewall
    Disadvantage: (none listed)

Scenario: Firewall is in secure room; operator is not trusted
    Properties: Inbound
    Advantage: Inspects packets before entering firewall, but does not inspect packets originating from the firewall
    Disadvantage: Firewall operator is free to surf the Web with no restrictions

Scenario: Firewall is in secure room; operator is not trusted
    Properties: Outbound
    Advantage: Inspects traffic only when leaving the gateway; covers firewall operator
    Disadvantage: May leave inbound interface vulnerable

Scenario: Firewall is not in secure room; operator not trusted
    Properties: Eitherbound
    Advantage: Inspects packets coming in and out of firewall; greatest amount of security
    Disadvantage: Some degradation in performance


Properties Setup Tabs


There are many options and settings to configure when setting up properties for a security policy. The following section describes each of the tabs on the Properties Setup screen.

Security Policy Properties

A security policy is defined not only by the rule base, but also by parameters specified in the Security Policy tab of the Properties Setup screen. These parameters enable the user to control all aspects of a packet's inspection, without having to add repetitive detail in the rule base.

Security Policy Tab Setup

To access the Security Policy tab, follow these steps:

1. Choose Properties from the Policy menu (Figure 150):

Figure 150: Properties on the Policy Menu


2. Select the Security Policy tab on the Properties Setup screen (Figure 151):

Figure 151: Security Policy Tab

The Security Policy tab contains the following information:

Apply Gateway Rules to Interface Direction
    Click the arrow and select one of the following choices:
    Inbound (Default): To enforce the security policy only on packets entering the gateway. Packets will be allowed to leave the gateway only if you select Accept Outgoing Packets.
    Outbound: To enforce the security policy only on packets leaving the gateway. (You can still enforce a rule in the incoming direction by choosing Destination under Install On, and specifying the gateway in the rule base.) You must have at least one rule like this that allows packets to enter the gateway; otherwise no packets will be allowed to enter the gateway.
    Eitherbound: To enforce the security policy on packets entering and leaving the gateway. FireWall-1 inspects packets twice: once when packets come into the internal network and again when packets leave. Interface direction is relative to the firewall, not to the network, regardless of the packet's source or destination.

TCP Session Timeout
    Specify the time period (in seconds) after which a TCP session times out.

Accept FireWall-1 Control Connections
    Check to have FireWall-1 use these connections for downloading Inspection Code.


Accept UDP Replies
    Check to accept reply data in a two-way UDP communication.

Reply Timeout
    Specify the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.

Accept Outgoing Packets
    Check to accept all outgoing packets (from FireWall-1, not from the internal network). On gateways, rules are usually enforced in the inbound direction only. When a packet passing through the gateway leaves the gateway, it will be allowed to pass only if one of the following conditions is true:
    a.) the Accept Outgoing Packets property is checked, or
    b.) rules are enforced in both directions (eitherbound), and there is a rule which allows the packet to leave the gateway.
    Click the arrow button to select the rule base order (First, Last or Before Last).

Enable Decryption on Accept
    Check to decrypt incoming accepted packets even if the rule does not include encryption.

Accept RIP
    Check to accept Routing Information Protocol (RIP) used by the routed daemon. Click the arrow button to select the rule base order (First, Last or Before Last).

Accept Domain Name Queries (UDP)
    Check to accept Domain Name Queries used by named. This resolves names by associating them with their IP address. If named does not know the IP address associated with a particular host name, it issues a query to the name server on the Internet. Enable UDP Replies must be enabled to receive the reply. Domain Name Queries are issued as needed. Click the arrow to select the rule base order (First, Last or Before Last).

Accept Domain Name Download (TCP)
    Check to allow uploading of domain name-resolving tables. Click the arrow to select the rule base order (First, Last or Before Last).

Accept ICMP
    Check to accept Internet Control Messages. The IP on each system uses ICMP (Internet Control Message Protocol) to send control messages (for example, destination unreachable, source quench, route change) to other systems. This protocol is commonly used to assure proper and efficient operation of IP. Click the arrow to select the rule base order (First, Last or Before Last). In Figure 151 on page 198, the Accept ICMP property is set to Before Last to enable the user to define more detailed ICMP related rules that will be enforced before this property. If this property were First, then there would be no opportunity for the user to relate to ICMP in the rule base. If it were Last, then it would be enforced after the last rule (which typically rejects all packets) and would thus have no effect. Enabling this option does not enable ICMP Redirect. If you want to enable ICMP redirect, you must do so in the rule base.
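The interface-direction behaviour described in the preceding section and the Apply Gateway Rules to Interface Direction and Accept Outgoing Packets settings above are modelled here as an added Python example; it is not Check Point code. For each setting it reports at which NIC the rule base is applied to a transit packet, what happens to a packet sent by a user on the firewall itself, and why an inbound-only policy with Accept Outgoing Packets unchecked lets nothing leave the gateway. Rules installed with Install On set to Destination, which the Outbound description above relies on for packets entering the gateway, are not modelled; hosts, NIC names and the rule base are constructed.

```python
"""Interface direction model (added example, not Check Point code).

Shows where a packet is inspected under Inbound, Outbound and Eitherbound,
including packets that originate on the firewall, and the Accept Outgoing
Packets condition for an inbound-only policy. Rules with Install On set to
Destination are not modelled. Hosts, NIC names and rules are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    in_nic: Optional[str]    # NIC the packet enters through; None if it originates on the firewall
    out_nic: Optional[str]   # NIC it leaves through; None if the firewall itself is the destination


@dataclass
class Rule:
    source: str
    destination: str
    service: str
    action: str              # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return all(want in (ANY, have) for want, have in (
            (self.source, pkt.src), (self.destination, pkt.dst), (self.service, pkt.service)))


def rule_base_verdict(pkt: Packet, rules: List[Rule]) -> str:
    """First matching rule decides; anything unmatched is implicitly dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


@dataclass
class Outcome:
    inspected_at: List[str]  # where the rule base was applied, in order
    passed: bool


def forward(pkt: Packet, rules: List[Rule], direction: str, accept_outgoing: bool) -> Outcome:
    """Apply the rule base at the NICs the chosen direction covers."""
    assert direction in ("inbound", "outbound", "eitherbound")
    inspected: List[str] = []

    # Entering the gateway: covered by Inbound and Eitherbound.
    if pkt.in_nic is not None and direction in ("inbound", "eitherbound"):
        inspected.append(f"{pkt.in_nic} NIC (inbound)")
        if rule_base_verdict(pkt, rules) == "drop":
            return Outcome(inspected, False)

    # Leaving the gateway: covered by Outbound and Eitherbound. Under an
    # inbound-only policy a packet may leave only if Accept Outgoing Packets is checked.
    if pkt.out_nic is not None:
        if direction in ("outbound", "eitherbound"):
            inspected.append(f"{pkt.out_nic} NIC (outbound)")
            if rule_base_verdict(pkt, rules) == "drop":
                return Outcome(inspected, False)
        elif not accept_outgoing:
            return Outcome(inspected, False)

    return Outcome(inspected, True)


# Constructed sample rule base: stealth rule, one accept rule, cleanup rule.
RULES = [
    Rule(ANY, "FW", ANY, "drop"),
    Rule(ANY, "WebServer", "http", "accept"),
    Rule(ANY, ANY, ANY, "drop"),
]
FROM_INTERNET = Packet("Internet", "WebServer", "http", in_nic="outer", out_nic="inner")
FROM_OPERATOR = Packet("FW", "Internet", "http", in_nic=None, out_nic="outer")

if __name__ == "__main__":
    for direction in ("inbound", "outbound", "eitherbound"):
        print(direction, "transit: ", forward(FROM_INTERNET, RULES, direction, True))
        print(direction, "operator:", forward(FROM_OPERATOR, RULES, direction, True))
```

Under Inbound the operator's packet is never inspected, which is the "free to surf the Web" disadvantage in the example table; under Outbound or Eitherbound it reaches the cleanup rule at the outer NIC and is dropped.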


Services Properties

The services properties allow you to define what services can be enabled by the firewall.

Services Tab Setup

To set up the Services tab, follow these steps:

1. Select Properties from the Policy menu.
2. Select the Services tab on the Properties Setup screen.
3. The Services tab appears (Figure 152):

Figure 152: Services Tab

The Services tab contains the following options:

Enable FTP Port Data Connections
    Check to accept all FTP data coming from established FTP connections.

Enable FTP PASV Connections
    Check to allow FTP PASV (passive) connections.

Enable RSH/REXEC Reverse stderr Connections
    Check to allow RSH and REXEC to open reverse connections for the stderr file.

Enable RPC Control
    Check to enable the inspection module to handle the dynamic port numbers assigned by portmapper to RPC services.


Log and Alert Properties

For each packet entering or leaving an internal network, FireWall-1 generates an accounting log entry, which includes the packet's connection duration, the number of bytes and the number of packets transferred.

Log and Alert Tab Setup

To set up the Log and Alert tab, follow these steps:

1. Select Properties from the Policy menu.
2. Select the Log and Alert tab from the Properties Setup screen.
3. The Log and Alert tab appears (Figure 153):

Figure 153: Log And Alert Tab

The Log and Alert tab contains the following information:

Excessive Log Grace Period
    Click the arrow to set the minimum amount of time (in seconds) between consecutive logs of similar packets.

Popup Alert Command
    Type in the OS command (normally $FWDIR/bin/alert) to execute on the firewalled machine when an alert is issued. If you change this command, you may not become aware of the condition that caused the alert.

Mail Alert Command
    Type in the OS command to execute on the firewalled machine when mail is the specified track of a rule. You can specify commands other than mail.


The Mail Alert Command field (Figure 153) contains a command for an NT operating system. This field will vary depending on your operating system.

SNMP Trap Alert Command
    Type in the OS command to be executed on the firewalled machine when SNMP Trap is specified as the action in a rule.

User Defined Alert Command
    Type in the OS command to be executed when User-Defined is specified as the action in a rule.

Anti Spoof Alert Command
    Type in the OS command(s) to be executed (default is $FWDIR/bin/alert) on the firewalled machine when Alert is specified for Anti-Spoofing detection in the Interface Properties window.

User Authentication Alert Command
    Type in the OS command to execute on the firewalled machine when an alert is specified for any of the following:
    Authentication Failure Track in the Authentication tab of the Properties Setup screen
    Successful Authentication Tracking in the General tab of the Client Authentication Action Properties screen

IP Options Drop Track
    Select the action to take when a packet with IP Options is encountered: None, Log or Alert. FireWall-1 always drops these packets, but you can log them or issue an alert.

Log Established TCP Packets
    Check to log TCP packets for previously established TCP connections or packets whose connections have timed out.


Security Servers Properties

The FireWall-1 security server, which is a server that has FireWall-1 installed, resides above the INSPECT engine in the FireWall-1 kernel module (Figure 154). The security server provides two features: authentication and content security.

Figure 154: Security Server

Security Servers Tab Setup

To set up the Security Servers tab, follow these steps:

1. Select Properties from the Policy menu.
2. Select the Security Servers tab from the Properties Setup screen.
3. The Security Servers tab appears (Figure 155):


Figure 155: Security Servers Tab


4. To configure a predefined HTTP Server, click New and the HTTP Server Definition screen appears (Figure 156):

Figure 156: Add HTTP Server Definition Screen

5. Complete the information on the HTTP Server Definition screen and click OK to return to the Security Servers tab.

The Security Servers tab contains the following information:

Telnet Welcome Message File
    Type in the name of the file to display when an authenticated user begins a TELNET session.

FTP Welcome Message File
    Type in the name of the file to display when an authenticated user begins an FTP session.

Rlogin Welcome Message File
    Type in the name of the file to display when an authenticated user begins an RLOGIN session.

Client Authentication Welcome File
    Type in the name of the file to display when an authenticated user begins a Client Authenticated session.

SMTP Welcome Message File
    Type in the name of the file whose contents are to be displayed when a user begins an SMTP session.

HTTP Next Proxy
    Type in the Host name and the Port number of the HTTP proxy behind the FireWall-1 HTTP Security Server (if one exists).

HTTP Servers
    Click New, Edit or Remove to manage HTTP servers. In the HTTP Server Definition screen (Figure 156), the following information must be defined when configuring a predefined HTTP server:
    Logical Name: The server's logical name.
    Host: The host on which the server runs.
    Port: The port number on the host.
    Server for Null Requests: Can be checked for only one server.


Reauthentication Options:
    Standard Authentication: The timeout period is measured from the last successful access. The user will not be required to enter a password again during the authorization period (as specified in the Session Timeout field in the Control Properties/Authentication screen). Each successful access resets the timer to zero.
    Reauthentication for POST Requests: Every request sent by the client which may change the server's configuration or data requires the user to enter a new password.
    Reauthentication for Every Request: Every request for a connection requires the user to enter a new password. This option is useful when access to some pages must be severely restricted. It is recommended that pages such as these be handled by a separate server.


Authentication Properties

FireWall-1 Version 4.0 provides authentication schemes that validate all connection attempts within an internal network. FireWall-1 authenticates connections based on users, clients or sessions, depending on how system administrators set up FireWall-1 authentication.

Authentication Tab Setup

To set up the Authentication tab, follow these steps:

1. Select Properties from the Policy menu.
2. Select the Authentication tab from the Properties Setup screen.
3. The Authentication tab appears (Figure 157):

Figure 157: Authentication Tab

The Authentication tab contains the following information:

User Authentication/Session Timeout
    Click the arrow to set the amount of time (in minutes) before the session will time out if there is no activity. This applies to FTP, TELNET, RLOGIN, and the HTTP Authenticating Server.

Client Authentication
    Check to have FireWall-1 automatically sign off the connection if there is no activity during the authorization period of a client authentication session.

Authentication Failure Track
    Select the action to take if authentication fails (applies to all authentication rules): None, Log or Alert.


SYNDefender Properties

SYNDefender is a proprietary FireWall-1 application that protects against denial-of-service attacks from external networks. SYNDefender does this by intercepting all SYN packets, which are communication packets from an external-network client to an internal-network server. SYNDefender then mediates any connection attempts before they reach the internal network. By sending several SYNs at once, the attacking client can effectively tie up internal-network servers, making it impossible for legitimate users to access the internal network (Figure 158):

Figure 158: SYN Attack on a Server

SYNDefender Tab Setup

To set up the SYNDefender tab, follow these steps:

1. Select Properties from the Policy menu.
2. Select the SYNDefender tab from the Properties Setup screen.

3. The SYNDefender tab appears (Figure 159):

Figure 159: SYNDefender Tab

The SYNDefender tab contains the following information:

Method
    Choose one of the following:
    None: SYNDefender is not deployed. (If you choose this option, your network will not be protected from SYN attacks.)
    SYN Gateway: Deploy the SYN Gateway method.
    Passive SYN Gateway: Deploy the Passive SYN Gateway method.

Timeout
    Click the arrow to set the amount of time (in seconds) SYNDefender waits for an acknowledgment before concluding that the connection is a SYN attack.

Maximum Sessions
    Click the arrow to set the maximum number of protected sessions. This number specifies the number of entries in an internal connection table maintained by SYNDefender. If the table is full, SYNDefender will not examine new connections.

Display Warning Messages
    Check to have SYNDefender print console messages regarding its status.
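The two numeric settings above, Timeout and Maximum Sessions, bound a half-open connection table. The following Python model is an added illustration of that bookkeeping, not Check Point code and not the SYN Gateway or Passive SYN Gateway mechanisms themselves: entries wait Timeout seconds for the client's acknowledgment and are then concluded to be a SYN attack, and once Maximum Sessions entries are pending, further connections are not examined. The addresses and timings are constructed.

```python
"""Half-open connection table model for the SYNDefender Timeout and
Maximum Sessions settings (added example, not Check Point code).

Only the bookkeeping is modelled: how long an entry waits for an ACK and
what happens when the table is full. Addresses and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Conn = Tuple[str, int, str, int]   # (client IP, client port, server IP, server port)


@dataclass
class SynTable:
    timeout: float                 # seconds to wait for the client's ACK
    max_sessions: int              # entries in the protected-session table
    pending: Dict[Conn, float] = field(default_factory=dict)  # conn -> time of SYN
    unexamined: int = 0            # SYNs that arrived while the table was full

    def on_syn(self, conn: Conn, now: float) -> bool:
        """Record a new half-open connection; False if the table is full."""
        self.expire(now)
        if conn in self.pending:           # retransmitted SYN: restart the timer
            self.pending[conn] = now
            return True
        if len(self.pending) >= self.max_sessions:
            self.unexamined += 1           # full table: connection is not examined
            return False
        self.pending[conn] = now
        return True

    def on_ack(self, conn: Conn, now: float) -> bool:
        """Client finished the handshake in time; drop it from the suspect list."""
        self.expire(now)
        return self.pending.pop(conn, None) is not None

    def expire(self, now: float) -> List[Conn]:
        """Entries with no ACK within timeout are concluded to be a SYN attack."""
        attacked = [c for c, t0 in self.pending.items() if now - t0 >= self.timeout]
        for c in attacked:
            del self.pending[c]
        return attacked


def run_sample() -> dict:
    """Constructed scenario: a 3-entry table, three attack SYNs, one legitimate client."""
    table = SynTable(timeout=10.0, max_sessions=3)
    server = ("10.0.0.5", 80)
    attack = [("192.0.2.10", port, *server) for port in (40001, 40002, 40003)]
    legit = ("10.0.0.20", 51000, *server)

    tracked = [table.on_syn(c, 0.0) for c in attack]   # all three fit; table is now full
    legit_first = table.on_syn(legit, 2.0)              # full table: not examined
    timed_out = table.expire(11.0)                      # no ACK within 10 s: SYN attack
    legit_retry = table.on_syn(legit, 12.0)             # slots are free again
    legit_ack = table.on_ack(legit, 13.0)               # handshake completed
    return {
        "tracked": tracked,
        "legit_first": legit_first,
        "timed_out": timed_out,
        "legit_retry": legit_retry,
        "legit_ack": legit_ack,
        "unexamined": table.unexamined,
        "pending": len(table.pending),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The scenario shows the sizing trade-off behind the two settings: with a small table, a handful of unanswered SYNs fill it until Timeout expires them, and the legitimate client's connection goes through unexamined in the meantime.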


Lightweight Directory Access Protocol (LDAP) Properties

Lightweight Directory Access Protocol (LDAP), which is a set of protocols for accessing information directories, supports FireWall-1 TCP/IP connections, necessary for any type of Internet access. LDAP support allows LDAP-based user databases to be fully integrated into FireWall-1. Other features of FireWall-1 LDAP support include the following:

Internet client access and management of users over TCP/IP connections
Netscape support
Included in Windows NT version 5.x
Support for multiple, distributed and redundant user databases
GUI to manage LDAP servers and support FireWall-1 authentication
FireWall-1 access to LDAP server for user-properties management
SSL encryption support

LDAP Tab Setup

To set up the LDAP tab, follow these steps:

1. Select Properties from the Policy menu.
2. Select the LDAP tab from the Properties Setup screen.
3. The LDAP tab appears (Figure 160):


Figure 160: LDAP Tab


The LDAP tab contains the following information:

Use LDAP Account Management
    Check to allow User Authentication to use LDAP Account Units, in addition to the FireWall-1 internal user database. When this field is checked, the other fields in the window are enabled. If this field is not checked, User Authentication will use only the FireWall-1 internal user database.

AccountManagement-1 Properties:

Time-Out on LDAP Requests
    Type in the amount of time (in seconds) before an LDAP request will be considered to have timed out.

Time-Out on Cached Users
    Type in the amount of time (in seconds) before a cached user will be considered no longer valid and will be fetched again from the LDAP Server.

Cache Size (Users)
    Type in the number of users that will be cached.

Days before Password Expires
    Check and type in the number of days before the Password (specified in the General tab of the Account Unit Properties window) expires. This field is disabled until checked.

Number of Entries Account Unit Can Return
    Type in the number of users that can be returned in response to a single query to the Account Unit.

Display User's DN at login
    Check to display the user's DN when an LDAP user logs in, before the password prompt.


Encryption Scheme Properties

FireWall-1 provides multiple encryption schemes. Key management and an internal certificate authority are fully integrated with other FireWall-1 features. FireWall-1 supports the following encryption schemes: FWZ, IPSec, SKIP and ISAKMP/Oakley.

FWZ
FWZ is a FireWall-1 proprietary encryption scheme. FWZ manages key encryption automatically, including updating public keys. FWZ encryption does the following:
- Encrypts all data behind the IP and TCP headers, using in-place encryption
- Uses reliable-data protocol to manage VPN session keys, encryption methods and data integrity
- Obtains certified Diffie-Hellman public keys from a trusted certificate authority
- Supports FWZ-1, DES and Triple DES algorithms, using a 40-bit encryption key that is exportable outside the United States
- Uses FWZ scheme to verify Public Keys

Manual IPSec
IPSec is an encryption scheme with optional Message Authentication (MAC). A security association is associated with each packet, consisting of:
- Functionality: indicates whether the packet is encrypted, authenticated or both.
- Algorithms: specifies the encryption algorithm and authentication algorithm used in the packet.
- Keys used in the above algorithms
- Additional data

IPSec has two shortcomings:
- The keys are fixed over the duration of the connection
- There is no mechanism for exchanging keys

SKIP
SKIP overcomes the shortcomings of IPSec by providing a hierarchy of keys that change over time. This is used to encrypt the connection as well as to implement a key protocol.

ISAKMP/Oakley
ISAKMP/Oakley is a standard for negotiating Security Associations (SA) between two hosts that will be using IPSec, and is the key management scheme that was chosen for IP Version 6. In IP Version 4, ISAKMP/Oakley is optional. ISAKMP/Oakley offers improved authentication (HMAC) and Perfect Forward Secrecy (PFS).


Encryption Tab Setup
To set up the Encryption tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Encryption tab from the Properties Setup screen.
3. The Encryption tab appears (Figure 161):

Figure 161: Encryption Tab

The Encryption tab contains the following information:
Respond to unauthenticated cleartext topology requests
    Check to respond to topology requests from SecuRemote Clients even if the request is not encrypted. This feature enables backwards-compatibility with earlier versions of the SecuRemote Clients.
Enable Exportable SKIP
    Check to generate keys for exportable SKIP, in addition to non-exportable SKIP keys, and conduct SKIP encryption with other hosts that are enabled only for exportable SKIP.
Change SKIP key every (seconds)
    Type in the number of seconds after which the SKIP session key is changed.
Change SKIP key every (bytes)
    Type in the number of bytes transferred after which the SKIP session key is changed.


ISAKMP Key Renegotiation:
Renegotiate IPSec SAs every
    Type in the number of seconds after which the IPSec session key is changed.
Renegotiate ISAKMP SAs every
    Type in the number of minutes after which the ISAKMP session key is changed.
Manual IPSec SPI Allocation Range
    Type in the range reserved for allocations of Manual IPSec SPIs; ISAKMP will allocate SPIs from outside this range.


Miscellaneous (Load Balancing) Properties

The Miscellaneous screen of the Properties Setup window defines properties relating to load balancing, which is a FireWall-1 algorithm that prevents internal-network (system) servers from handling a disproportionate amount of network traffic. Incoming packets routed through a FireWall-1 computer are directed to the system servers with the lightest loads.

Miscellaneous Tab Setup
To set up the Miscellaneous tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Miscellaneous tab from the Properties Setup screen.
3. The Miscellaneous tab appears (Figure 162):

Figure 162: Miscellaneous (Load Balancing) Tab

The Load Balancing tab contains the following information:
Load Balancing:
Load Agents Port
    Type the port on which the Load Measurement Agent communicates.
Load Measurement Interval
    Click the arrow to set the interval at which the Load Measurement Agent measures the load.
Log Viewer Resolver Properties:
Page Timeout
    Click the arrow to set the time (in seconds) before a page timeout occurs.


Access Lists Properties

When a rule is installed on a router, FireWall-1 generates access lists and loads them to the router. Access lists can be viewed and verified before installing a security policy. Verification checks that the rules are consistent and that no rule is redundant. If a rule base fails the verification, an appropriate message will appear.

Access Lists Tab Setup
To set up the Access Lists tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Access Lists tab from the Properties Setup screen.
3. The Access Lists tab appears (Figure 163):

Figure 163: Access Lists Tab

The Access Lists tab contains the following information:
Accept Established TCP Connections
    Check to accept packets of established TCP connections. Click the arrow to select the rule base order (First, Last or Before Last).
Accept RIP
    Check to enable the routing information protocol used by the routed daemon. Click the arrow to select the rule base order (First, Last or Before Last).
Accept Domain Name Queries (UDP)
    Check to accept domain-name queries used by named. As in the Enable Domain Name Queries in the Security Policy screen, if named does not know the IP address associated with a particular host name, it issues a query to the name server on the Internet. Click the arrow to select the rule base order (First, Last or Before Last).


Accept Domain Name Download (TCP)
    Check to allow uploading of domain name-resolving tables. Tables of Internet host names and their associated IP addresses and other data can be uploaded from designated servers on the Internet. Click the arrow to select the rule base order (First, Last or Before Last).
Accept ICMP
    Check to accept Internet Control Messages. The IP on each system uses ICMP (Internet Control Message Protocol) to send control messages (for example, destination unreachable, source quench, route change) to other systems. This protocol is commonly used to assure proper and efficient operation of IP. Click the arrow to select the rule base order (First, Last or Before Last).

In Figure 163 on page 215, the Accept ICMP property is set to Before Last to enable the user to define more detailed ICMP-related rules that will be enforced before this property. If this property were First, then there would be no opportunity for the user to relate to ICMP in the rule base. If it were Last, then it would be enforced after the last rule (which typically rejects all packets) and would thus have no effect. Enabling this option does not enable ICMP Redirect. If you wish to enable ICMP Redirect, you must do so in the rule base.
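A simplified model of this ordering, added here as an example (it is not Check Point code): a constructed rule base with a Web server rule, an explicit rule rejecting pings that arrive from the Internet and a cleanup rule, with the Accept ICMP property placed First, Before Last or Last. The network names internet, localnet and www are assumptions.

```python
"""Simplified model of how FireWall-1 interleaves an implied property
rule (Accept ICMP) with the explicit rule base when the property is
placed First, Before Last or Last.  Added example, not Check Point
code; the rules, network names and packets are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # "any" or a network object name
    dst: str
    service: str   # "any" or a service name such as "icmp"
    action: str    # "accept", "reject" or "drop"


def matches(rule: Rule, pkt: dict) -> bool:
    """A field matches when it is 'any' or equals the packet's value."""
    return all(want in ("any", pkt[field])
               for field, want in (("src", rule.src),
                                   ("dst", rule.dst),
                                   ("service", rule.service)))


def build_rule_base(explicit: list, implied: list) -> list:
    """Order the rule base the way the Properties Setup positions do.

    implied is a list of (Rule, position) pairs, position being 'first',
    'before_last' or 'last'.  The last explicit rule is the cleanup rule,
    so 'before_last' lands just in front of it.  (The implicit anti-spoof
    rule, not modelled here, would precede even the 'first' group.)
    """
    by_pos = {"first": [], "before_last": [], "last": []}
    for rule, pos in implied:
        by_pos[pos].append(rule)
    body, cleanup = explicit[:-1], explicit[-1:]
    return by_pos["first"] + body + by_pos["before_last"] + cleanup + by_pos["last"]


def evaluate(rule_base: list, pkt: dict) -> tuple:
    """Walk the rule base top to bottom; the first matching rule decides."""
    for rule in rule_base:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit-drop"   # nothing accepted the packet


# Constructed explicit rule base: Web server rule, an explicit rule
# rejecting pings from the Internet, and the cleanup rule last.
EXPLICIT = [
    Rule("web", "any", "www", "http", "accept"),
    Rule("block-internet-ping", "internet", "localnet", "icmp", "reject"),
    Rule("cleanup", "any", "any", "any", "drop"),
]
ACCEPT_ICMP = Rule("accept-icmp", "any", "any", "icmp", "accept")

PACKETS = {
    "inbound_ping": {"src": "internet", "dst": "localnet", "service": "icmp"},
    "outbound_ping": {"src": "localnet", "dst": "internet", "service": "icmp"},
}


def icmp_outcomes(position: str) -> dict:
    """Verdict for both pings with the Accept ICMP property at `position`."""
    rb = build_rule_base(EXPLICIT, [(ACCEPT_ICMP, position)])
    return {name: evaluate(rb, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    # First: the property hides the explicit reject rule.
    # Before Last: explicit ICMP rules are honoured, other ICMP accepted.
    # Last: the property sits behind the cleanup rule and never matches.
    for pos in ("first", "before_last", "last"):
        print(pos, icmp_outcomes(pos))
```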


Security Policy Checklist


Before creating your security policy, use the following checklist as a tool for developing your own security policy.
1. Decide on a security policy:
   - Accepted services/sessions: Internet, e-mail, and so on
   - User permissions: users allowed access to services
   - User authentication schemes: users to provide authentication before being allowed through FireWall-1

2. Determine your objects:
   - Gateway
   - Hosts
   - Network
   - Routers
   - Domains

3. Create a rule base:
   - Source: where the communication is coming from
   - Destination: where the communication is going to
   - Services: what kind of communication it is
   - Action: what to do with the communication
   - Track: log or alert
   - Install on: who will enforce the rule
   - Time: during what time this action can take place
   - Comment: description of the rule

Review
Summary
FireWall-1 allows administrators to define and enforce security policies to provide the most effective security for their internal networks. In this chapter, you learned why creating the best security policy for your system is so important. A security policy is a set of rules that defines your internal network's security. In FireWall-1, the security policy is defined using a rule base, which translates your security policy into a collection of individual rules. FireWall-1 creates pseudo rules, also called implicit rules, derived from the properties and the explicit rules created in the rule base. When defining security policy properties, you must consider the rule base order. FireWall-1 examines the rule base rule by rule: it inspects packets by comparing them to the existing security policy, one rule at a time. For this reason, it is important to define each rule in a security policy in the appropriate order. A security policy is defined not only by the rule base, but also by parameters specified in the Security Policy tab of the Properties Setup screen. These parameters enable the user to control all aspects of a packet's inspection, while at the same time freeing the user of the need to specify repetitive detail in the rule base.

Review Questions

1. What are the steps for creating a security policy?

2. What is the difference between implicit and explicit rules?

3. In what order are properties and rules matched?

4. What are the choices of packet filtering?

Unit III Chapter 2: Administering Security Policy with Rule Base


Introduction
A pad and a pen are great tools to use when you wish to create a security policy. You write the information down, you change it around, you put it in the order you like, all without entering one bit of data. But that will not help you secure your network unless you build and install the security policy on your firewalled system. When installing and maintaining a security policy, you must also consider other security concepts:
- anti-spoofing in general
- anti-spoofing and routers

Objectives

- Demonstrate how to use the FireWall-1 rule base editor to create a security policy
- Verify and install a security policy

Key Terms

spoofing and anti-spoofing

Administering a Security Policy


To administer a security policy, you must know how to verify a security policy, analyze any conflicting rules and modify the security policy as needed.

Verify and Install a Security Policy

There are times when verifying a security policy is useful to system administrators. By verifying a security policy, you can do the following:
- Create a security policy but not install it on a firewalled computer
- Ensure all rules in a security policy are accurate
- Test a security policy before installing it on a firewalled computer

To verify a security policy, follow these steps: 1. Select Verify from the Policy menu (Figure 164):

Figure 164: Verify from the Policy Menu

2. If the security policy fails verification, refer to the error message to determine which rule (or rules) is in conflict. Analyze the conflicting rule (or rules) and modify the security policy as needed.
3. If the security policy passes verification, apply it by selecting Install from the Policy menu (Figure 165):

Figure 165: Install from the Policy Menu


4. The Install Security Policy Module screen appears (Figure 166):


Figure 166: Install Security Policy Screen

5. Click OK.
6. The security policy will now be installed on all selected firewalled objects.

Detecting Spoofing
When considering firewall issues, system administrators must consider spoofing, which is a method of making packets appear as if they come from authorized IP addresses. A packet originating on the Internet and going to an internal network may be disguised as a local packet. Or the packet could have a legal IP address that belongs to the internal network. If undetected, this packet might have unrestricted access to the internal network. To solve this problem, FireWall-1 uses an anti-spoofing feature, which ensures the IP addresses of packets entering a system are valid. FireWall-1 examines the IP addresses of incoming packets to validate that these addresses are valid for the network from which they come.

Anti-Spoofing and Security Policies

When creating firewalled objects, FireWall-1 defaults to no anti-spoofing. When considering security policy issues, systems administrators must decide whether or not to apply anti-spoofing to objects. This is important, because anti-spoofing rules defined in an object's properties are enforced before any rule in the security policy's rule base.

Adding Anti-Spoofing

To add anti-spoofing, modify the firewalled object's properties. The Interfaces tab of the Workstation Properties screen allows you to add an anti-spoofing IP address to a workstation (Figure 167):

Figure 167: Workstation Properties - Interfaces Tab


To add anti-spoofing to an object, modify the object's properties:
1. Select the object from the Network Objects Manager.
2. Click Edit and select the Interfaces tab (Figure 167).
3. Click Edit on the Interfaces tab. The Interface Properties screen appears (Figure 168):


Figure 168: Interface Properties Screen

4. Define the Interface properties by completing the fields.
5. Click OK when finished.

Interface Properties
Name
    The interface associated with the host name.
Net Address
    The IP address of the host.
Net Mask
    If the network is a standard class A, B, or C network, the Net Mask does not need to be specified.
Valid Addresses:
Any
    Default selection. Does not allow spoof tracking.
This net
    Packets whose source IP addresses are part of the network connected to this interface are allowed. This option is typically used for internal interfaces of the last network.
No security policy!
    This option is used when the security policy is enforced on another interface of this object, while leaving this interface open.


Others
    All packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's other interfaces.
Others +
    All packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's other interfaces. However, packets from the addresses listed under Others + are allowed.
Specific
    Only packets from this object are allowed.
Spoof tracking
    Spoofed packets are always dropped. Specific action is taken by selecting one of the following options:
None
    No additional action is taken.
Log
    The spoofing attempt is logged.
Alert
    The action specified in the Anti Spoof Alert command field in the Log and Alert tab of the Properties Setup screen is taken.

When anti-spoofing is specified, an implicit anti-spoof rule is generated, which comes first in the rule base (even before properties specified in the Security Policy tab of the Properties Setup screen).

Anti-Spoofing and Routers

In general, routers examine only destination addresses, but Cisco version 10 and 11 and Bay Networks examine source addresses when anti-spoofing is defined. Routers supported by FireWall-1 have varying anti-spoofing capabilities (Table 19):

Table 19: Routers Supported by FireWall-1

Routers               Anti-Spoofing Capabilities
Cisco version 9       No anti-spoofing capabilities.
Cisco version 10 +    Capable of detecting spoofing in both directions only on the interface connected to the outside.
3-Com                 Can detect spoofing in both directions.
Bay Network           Can detect spoofing on incoming packets only.
Microsoft Steelhead   No anti-spoofing capabilities.


Anti-Spoofing Network
Anti-spoofing should be defined on the gateway's three interfaces (Figure 169 and Table 20):

Figure 169: Anti-spoofing Example

Table 20: Anti-Spoofing Interfaces

Interface    Valid Addresses
le0          Other
qe0          This net (192.168.1.0)
qe1          Specific Intranets

On interface qe1, only packets whose source IP address belongs to the internal network should be allowed to enter. A packet with another source IP address coming in on qe1 is spoofed. The same is true for qe0. On le0, only packets with source IP addresses other than those belonging to the DMZ or the localnet should be allowed to enter.
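The Valid Addresses options and the three-interface gateway of Figure 169 and Table 20, as an added example that is not Check Point code: the implicit anti-spoof check for each interface, run over constructed packets. Only 192.168.1.0 is given on the page; the Intranets ranges, the sample source addresses and the function names are assumptions.

```python
"""Model of FireWall-1 interface anti-spoofing for the gateway in
Figure 169 / Table 20.  Each interface carries a Valid Addresses
setting; a packet is spoofed when its source address is not valid for
the interface it arrives on, and spoofed packets are always dropped.
Added example, not Check Point code.  Only 192.168.1.0 is given on the
page; the Intranets ranges and the sample packets are constructed."""
from ipaddress import ip_address, ip_network

LOCALNET = ip_network("192.168.1.0/24")
INTRANETS = [ip_network("10.10.0.0/16"), ip_network("192.168.2.0/24")]  # constructed

# Table 20: option selected under Valid Addresses for each interface.
# "nets" are the networks the option names (This net / Specific);
# "plus" are the extra networks listed under Others +.
INTERFACES = {
    "le0": {"valid": "others", "nets": [], "plus": []},
    "qe0": {"valid": "this_net", "nets": [LOCALNET], "plus": []},
    "qe1": {"valid": "specific", "nets": INTRANETS, "plus": []},
}


def protected_networks(interfaces: dict, iface: str) -> list:
    """Networks listed under Valid Addresses on this object's other interfaces."""
    return [net for name, cfg in interfaces.items() if name != iface
            for net in cfg["nets"]]


def source_is_valid(interfaces: dict, iface: str, src_ip: str) -> bool:
    cfg = interfaces[iface]
    src = ip_address(src_ip)
    option = cfg["valid"]
    if option == "any":                       # default: no spoof checking
        return True
    if option in ("this_net", "specific"):    # only sources from the named networks
        return any(src in net for net in cfg["nets"])
    if option in ("others", "others_plus"):
        # Everything is allowed except sources belonging to the networks
        # behind the other interfaces, unless they are listed under Others +.
        behind_other_iface = any(src in net
                                 for net in protected_networks(interfaces, iface))
        listed_in_plus = any(src in net for net in cfg["plus"])
        return not behind_other_iface or listed_in_plus
    raise ValueError(f"unknown Valid Addresses option: {option!r}")


def anti_spoof(iface: str, src_ip: str, interfaces: dict = INTERFACES,
               tracking: str = "log") -> tuple:
    """The implicit anti-spoof rule, evaluated before any rule base rule.

    Returns (verdict, track): 'pass' hands the packet on to the rule base;
    'drop' means a spoofed packet, tracked as None, 'log' or 'alert'."""
    if source_is_valid(interfaces, iface, src_ip):
        return "pass", None
    return "drop", None if tracking == "none" else tracking


# Constructed sample packets: (arriving interface, source address).
SAMPLE_PACKETS = [
    ("qe0", "192.168.1.10"),   # localnet host on its own interface
    ("qe0", "203.0.113.7"),    # Internet address arriving on the internal interface
    ("qe1", "10.10.4.2"),      # Intranets host on qe1
    ("qe1", "192.168.1.10"),   # localnet address arriving on the wrong interface
    ("le0", "203.0.113.7"),    # genuine external source
    ("le0", "192.168.1.10"),   # external packet claiming a localnet address
]


def check_all(packets=SAMPLE_PACKETS, interfaces: dict = INTERFACES) -> list:
    """Run every sample packet through the anti-spoof check."""
    return [(iface, src, *anti_spoof(iface, src, interfaces))
            for iface, src in packets]


if __name__ == "__main__":
    for row in check_all():
        print(*row)
```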

Lab 2: Anti-Spoofing Configuration


Objective: You will set up anti-spoofing parameters on the workstation object that corresponds to your firewall.

Define the interface properties for your firewall object


1. Open the Network Objects screen (Figure 170):

Figure 170: Network Objects screen.

2. Select fw.yourcity.com and click Edit.
3. Click the Interfaces tab.
4. Click SNMP Get. This will retrieve the interface properties for your firewall.


Define valid addresses for an internal interface


1. Under the Name column, select Internal Interface.
2. Click Edit. The Interface Properties screen appears (Figure 171):


Figure 171: Interface Properties Screen

3. In Valid Addresses, select This Net.
4. For Spoof Tracking, select Log.
5. Click OK.

Define valid addresses for an external interface


1. Under the Name column, select External Interface.
2. Click Edit. The Interface Properties screen appears.
3. In Valid Addresses, select Others.
4. For Spoof Tracking, select Log.
5. Click OK.

Verify and install the security policy

Lab 3: Defining Basic Rules


Objective: Modify your current security policy as follows:
- Allow SMTP traffic from the Internet to get to your e-mail server and vice versa; this policy will also allow internal users to access the World Wide Web.
- Allow HTTP and FTP traffic from the Internet to get to your Web server.
- Allow your internal users to use any service to leave the network.
- Protect your network from intruders not specifically defined in the rule base.

Define a Web server rule


Define a rule to allow any external host to get to your Web server through HTTP and FTP (Figure 172). Your Web server is www.yourcity.com.

Figure 172: External Host to Web Server Rule

Define an e-mail server rule


Define a rule to allow any external host to get to your e-mail server through SMTP (Figure 173). Your e-mail server is emailyourcity.com.

Figure 173: E-Mail Server Rule


Define an anything outbound rule


Define a rule to allow anyone on your internal network to get out. This will be called the anything outbound rule (Figure 174).


Figure 174: Anything Outbound Rule

Define cleanup and stealth rules


Figure 175 displays the cleanup and stealth rules that should be part of every rule base.

Figure 175: Cleanup and Stealth Rules

Save and verify the rule base


Save your rule base as your city name, such as Detroit. Verify and install the rule base. Because the Stealth rule creates problems in the classroom setting, delete this rule after you have completed this lab.

Remember: The Stealth rule cannot be used as rule #1 if you use Manual Client Authentication and/or a tunneling encryption scheme.

Lab 4: Implied Pseudo-Rules


Objective: You will view how firewall properties affect/create implied pseudo-rules and how implied pseudo-rules correlate to a manually created rule base.

View implied pseudo-rules


1. In the Security Policy Editor, click View > Implied Pseudo-Rules.
2. The implied pseudo-rules will be displayed in the rule base, interlaced with any rules that were defined manually. The implied rules are a different color than the manually defined rules.
3. Make a note of the first few implied rules.

Set some of the firewall properties


1. Click Policy > Properties.
2. The Properties Setup screen will appear. On the Security Policy tab, uncheck Accept FireWall-1 Control Connections.
3. On the Services tab, uncheck Enable FTP PORT Data Connections.

View the implied rules again


View the implied rules again and note the differences.

Return the firewall properties to their previous settings


Lab 5: Defining a Time-Based Rule


Objective: In this lab, you will define a time object and add the object to a rule base, as follows:


Define a time object called office_hours


1. Click on Manage > Time.
2. Click New and select Time. The Time Object Properties screen will appear.
3. In the Name field, type office_hours.
4. In the first Time of day From field, type 08:00.
5. In the first Time of day To field, type 12:00.
6. In the second Time of day From field, type 13:00.
7. In the second Time of day To field, type 18:00.
8. Click OK. The office_hours time object is created.

Add office_hours to a rule


1. Right-click the Time element and click Add. The Add Object screen appears.
2. Select office_hours in the Add Object screen.
3. Click OK. The office_hours object has now been added to the rule (Figure 176):

Figure 176: Office_Hours Added to a Rule

Verify and install the new rule

Review
Summary
Defining and installing a security policy is vital to protect your network. There are times when verifying a security policy is useful to system administrators. By verifying a security policy, you can do the following:
- Create a security policy but not install it on a firewalled computer
- Ensure all rules in a security policy are accurate
- Test a security policy before installing it on a firewalled computer

When considering firewall issues, system administrators must consider spoofing, which is a method of making packets appear as if they came from authorized IP addresses. To solve this problem, FireWall-1 uses an anti-spoofing feature, which ensures the IP addresses of packets entering a system are valid. FireWall-1 examines the IP addresses of incoming packets to validate that these addresses are valid for the network from which they come.

Review Questions

1. Where can a rule base be added to a security policy?

2. Why would systems administrators disable a rule in a security policy?

3. What is the default action when FireWall-1 adds the first rule base in a security policy?

4. Why is it important that FireWall-1 adds this default action?

5. How do you verify and install a security policy?


6. What are the anti-spoofing choices for a firewalled object?


Unit IV Customizing FireWall-1


Chapter 1: Authentication
Chapter 2: Network Address Translation


Unit IV Chapter 1: Authentication


Introduction
Authentication is like a box of chocolates: you never know what you get unless you examine them. Better yet: authentication is like passing through airport security; you must prove who you are before you are allowed through the gate. Administrators need a secure mechanism for authenticating users at the gateway before allowing entry into and exit from the gateway. Authentication is simply proving your identity.

Objectives

- List types of services supported by FireWall-1 requiring user names and passwords
- Demonstrate how to implement authentication using the various authentication schemes

Key Terms

user authentication
client authentication
session authentication
transparent user authentication
implicit client authentication
transparent session authentication
session authentication agent

Understanding Authentication
FireWall-1 uses three types of authentication: user, client and session.
- User authentication authenticates users for specific services (FTP, HTTP, HTTPS, TELNET and RLOGIN). User authentication enables an administrator to grant specific users special access privileges.
- Client authentication authenticates users of any service (standard or customized). Client authentication requires users to TELNET to port 259 or connect to the firewall with a Web browser on HTTP port 900 to be authenticated for a service. FireWall-1 supports implicit client authentication and automatic client authentication sign-off.
- Session authentication works like client authentication but requires the session authentication agent to be installed. Session authentication does not require users to authenticate (using TELNET or a Web browser) to the firewall. However, the user must be authenticated each session.

User Authentication

FireWall-1's transparent user authentication provides access privileges on a per-user basis for FTP, HTTP, HTTPS, TELNET, and RLOGIN, regardless of the user's IP address. Depending on authentication scheme properties, a password can be used once or given an expiration parameter by the administrator. The system administrator grants special access privileges to certain users, regardless of IP address. If another user discovers the authentication parameters, he then has access to any client the original user had. User authentication is restricted to the following services:
- FTP
- HTTP
- HTTPS
- TELNET
- RLOGIN


How User Authentication Works
To understand how user authentication works, follow these steps (Figure 177):
1. Client initiates an FTP, HTTP, HTTPS, TELNET or RLOGIN connection to the destination server.
2. Using the same connection as the client, FireWall-1 asks for authorization from the client.
3. Client responds with ID and password.
4. FireWall-1 allows the connection.

Figure 177: User Authentication

Transparent user authentication is FireWall-1's default, allowing the user to initiate a connection directly to the server. For transparent authentication, the user must provide the following information:
- user name on the gateway
- authentication data (password) on the gateway
- user name on the target host
- authentication data (password) on the target host


For non-transparent user authentication, a user wishing to use a user authenticated service must first start a session for that service on the gateway. After authenticating on the gateway, FireWall-1 opens a connection to the true destination.

Client Authentication

Client authentication enables an administrator to grant access privileges to a specific IP address: typically a single user machine, such as a PC. In contrast to user authentication, client authentication is not restricted to specific services, but provides a mechanism for authenticating any application: standard or custom. FireWall-1 client authentication is not transparent, and does not require additional software or modifications on either the client or server. The administrator can determine how each individual is authenticated, which servers and applications are accessible, at what times and days, and how many sessions are permitted.

How Client Authentication Works
To understand how client authentication works, follow these steps (Figure 178):
1. Client initiates a TELNET or HTTP connection to the firewall. Client authentication requires users to TELNET to port 259 or connect to the firewall with a Web browser on HTTP port 900 to be authenticated for a service.
2. The firewall asks for the ID and password and verifies the user is authentic.
3. FireWall-1 recognizes the client's IP address and allows access to the destination server.
4. Connection to the destination server is closed by time-out, logout or number of sessions.

Figure 178: Client Authentication

Implicit client authentication also extends access privileges to a specific client without requiring the user to initiate an additional session on the gateway. If the user authenticates under a user authentication or session authentication rule, then FireWall-1 knows which user is on the client, and an additional client authentication session (the TELNET to port 259 or HTTP to port 900) is not necessary.


When implicit client authentication is enabled, and a user successfully performs user or session authentication, then FireWall-1 opens all the standard sign-on client authentication rules in the rule base. In other words, the user is considered to have at the same time successfully performed client authentication on the client at which they successfully performed user or session authentication. This option differs from the partially and fully automatic options, in which only the first matching client authentication rule is opened. If implicit client authentication is enabled, and an automatic sign-on rule is opened, all the standard sign-on rules are opened (in addition to the automatic rule). If you enable implicit client authentication, then you should define your rules in the following order:
1. User authentication rules for HTTP
2. Client authentication rules
3. User and session authentication rules for non-HTTP services
The first time through, the user and session authentication rules are applied. The second time through, client authentication rules are applied. However, user authentication rules are always applied for HTTP, preventing the browser from sending the authentication password to the HTTP server. This happens because the client authentication rules do not use the FireWall-1 security servers.

Session Authentication

System administrators can grant access privileges to a user without regard to the associated IP address. Session authentication provides a transparent per-session authentication that can be integrated with any application. Session authentication is the smoothest and least resource intensive connection. The authentication is performed by the daemon module and then the packets are accepted by the kernel module.


How Session Authentication Works
To understand how session authentication works, follow these steps (Figure 179):
1. Client attempts to contact server.
2. FireWall-1 blocks the packet and contacts the session authentication agent.
3. Session authentication agent pops up on the client's screen. Client enters ID and password.
4. Client's ID and password are sent to the firewall. FireWall-1 accepts the ID and password and allows connection to the server.

Figure 179: Session Authentication

Transparent session authentication can be used to authenticate any service on a per-session basis. After the user initiates a connection directly to the server, the FireWall-1 gateway (located between the user and the destination) intercepts the connection. It recognizes that user-level authentication is required, and initiates a connection with a session authentication agent. The session authentication agent is a utility provided with FireWall-1 and must be installed on any workstation using session authentication. The agent performs the required authentication, which allows the connection to continue to the requested server if permitted.


Table 21: Comparison of Authentication Types

Services
  User: FTP, HTTP, TELNET, RLOGIN
  Client: All services
  Session: All services

Authentication performed once per...
  User: Session
  Client: IP address (multiple sessions), in a separate, non-transparent authentication session
  Session: Session

When you want a user to...
  User: Authenticate each time one of the supported services is used
  Client: Authenticate once and then access any service defined as client authenticated
  Session: Authenticate each time any service defined as session authenticated is used


Implementing Authentication
Authentication Schemes

Determine the authentication scheme to assign to a user from the following.

Internal authentication schemes:

S/Key: The user enters the value of the requested S/Key iteration. A user whose authentication scheme is S/Key can be authenticated on only one gateway. S/Key is more secure than the static-password schemes, because each password is used only once; however, it is more complicated to set up and requires user training.

FireWall-1 Password: The user enters an assigned FireWall-1 password. The advantage of a FireWall-1 password over the OS password is that the user does not need an OS account on the gateway.

OS Password: The user enters an OS password and must have an OS account on the firewall in order to authenticate. FireWall-1 refers to the local OS user database on the firewalled machine. The OS password is typically the user's network logon password.

External authentication schemes:

LDAP: The user is prompted for the response required by the LDAP server.

SecurID: The user enters the Security Dynamics PASSCODE.

RADIUS: The user is prompted for the response required by the RADIUS server.

AXENT Pathways Defender: The user is prompted for the response required by the AXENT server.

TACACS: The user is prompted for the response required by the TACACS server.

S/Key, LDAP, SecurID, RADIUS, AXENT and TACACS are enabled by default in FireWall-1. OS Password and FireWall-1 Password must be selected explicitly to enable those schemes.

When any external authentication scheme is used, a generic user (the special user named generic*) should be created, to avoid the administrative overhead of maintaining duplicate user accounts on both the firewall and the external server.


Authentication Setup

User, client and session authentication are set up in a similar manner. When authenticating a user in FireWall-1, follow these steps:

1. Define the user in the User Manager. Select Users from the Manage menu (Figure 180):

Figure 180: Manage Menu

2. The Users setup screen appears (Figure 181):


Figure 181: Users Setup Screen

3. Click New to set up a new user, or select an existing user. Click Edit to configure the authentication scheme.


4. Select the authentication tab of the User Properties screen (Figure 182):

Figure 182: User Properties - Authentication Tab

5. Specify the authentication scheme and other user properties. Authentication properties setup screens vary depending on the authentication scheme selected (Figure 183):

Figure 183: S/Key, FireWall-1 Password and OS Password Authentication Screens


Complete the following fields for the S/Key authentication scheme:

Seed: A random name or number.
Secret Key: Chosen by the user (should be at least 10 characters long).
Length: Number of iterations (the length of the password chain).
Installed On: The gateway that will perform the authentication.
Method: The hashing method.
Print Chain: Print the password chain. The Print Chain option is available only immediately after generating a new chain.

Erase the printed password file as soon as possible; anyone who holds the chain can log in as that user until the chain is exhausted.

6. Click OK and close the User Manager.
7. Enable the authentication scheme for the firewalled object. Select Network Objects from the Manage menu, and the Network Objects Manager appears (Figure 184):

Figure 184: Network Objects Manager


8. Select the firewalled object and click Edit. Select the Authentication tab and enable the authentication scheme defined in the User Manager by checking the appropriate box (Figure 185):

Figure 185: Default Authentication Schemes

9. Click OK and close the Network Objects Manager.
10. To add an authentication rule to the rule base, right-click the Action column of a new rule and select User, Client or Session Authentication (Figure 186):

Figure 186: Adding Authentication to Rule Base


11. Configure the authentication rule by right-clicking the Action column of the rule again and selecting Edit Properties (Figure 187):

Figure 187: Authentication Edit Properties


12. Configure the User, Client or Session Authentication Action Properties (Figure 188):
Figure 188: Authentication Action Properties screens

13. Click OK and install the security policy by selecting Install from the Policy menu.


Lab 6: Set up Authentication Parameters


Objective: You will make changes to the firewall to allow use of the authentication features.

Scenario: Your company wants to make use of the authentication features of the firewall in order to control access to some of its resources. FireWall-1 Password will be used initially.

Verify authentication is enabled


Verify that the network object for the firewall machine has the appropriate authentication scheme enabled:

1. Click Manage > Network Objects.
2. Select the object for your firewall: fw.yourcity.com.
3. Click Edit.
4. Select the Authentication tab and verify that the FireWall-1 Password scheme is checked.
5. Click OK.

Verify Default template setup


Verify that the default user template is set up properly:

1. Click Manage > Users.
2. Select Template and click Edit.
3. Go to the Authentication tab and set the Authentication Scheme to FireWall-1 Password. You will not enter any password for the template, only for the users who are created from the template.
4. Click OK.


Lab 7: Defining Users and Groups


Objective: You will create firewall users and groups. The users will be associated with groups that correspond to their job functions. Authentication will be based on the employee's department. Users need to have their usernames created and to be associated with the groups for their respective departments (Table 22):

Table 22: Groups and Users

Department    Users
Receiving     Junior and Keeter
Accounting    Lisa, Skippy and Brianna
Audit         JoAnn
Sales         Bob

Create users
Create the following users: Bob, Larry, Junior, Keeter, Lisa, Brianna, Skippy, JoAnn:

1. Click Manage > Users > New > Default.
2. Enter the user's name.
3. Select the appropriate color.
4. Leave the Expiration Date field empty.
5. Select the Authentication tab and verify that FireWall-1 Password is selected as the authentication method.
6. Enter a password for the user (abc123).
7. Click OK.

Create a Receiving group


Create a Receiving group and make Junior and Keeter members:

1. Click Manage > Users > New > Group.
2. Name the group Receiving.
3. Enter an appropriate Comment.
4. Select the color associated with a group object.
5. Add the members by selecting their names from the left box (Not in Group) and clicking Add.
6. Close the group.


Create an Accounting group


Create an Accounting group and make Lisa, Skippy and Brianna members:

1. Click Manage > Users > New > Group.
2. Name the group Accounting.
3. Enter an appropriate Comment.
4. Select the color associated with a group object.
5. Add the members by selecting their names from the left box (Not in Group) and clicking Add.
6. Close the group.

Create an Audit group


Create an Audit group and make JoAnn a member:

1. Click Manage > Users > New > Group.
2. Name the group Audit.
3. Enter an appropriate Comment.
4. Select the color associated with a group object.
5. Add the member by selecting her name from the left box (Not in Group) and clicking Add.
6. Close the group.

Create a Sales group


Create a Sales group and make Bob a member:

1. Click Manage > Users > New > Group.
2. Name the group Sales.
3. Enter an appropriate Comment.
4. Select the color associated with a group object.
5. Add the member by selecting his name from the left box (Not in Group) and clicking Add.
6. Close the group.

Verify and install the policy


Lab 8: User Authentication with a FireWall-1 Password


Objective: You will create a guest user that authenticates with a FireWall-1 password. User names are case sensitive: for example, user guest and user Guest are treated as two different users by authentication.

Create user guest in User Manager


1. Click Manage > Users > New > Default.
2. Define a user called guest in the User Manager.
3. Select FireWall-1 Password from the Authentication menu.
4. In the FireWall-1 Password Authentication fields, type the password abc123.
5. Click OK.

Add user authentication


Add a user authentication rule for TELNET and install the security policy:

1. Click Manage > Network Objects.
2. Select your firewall (fw.yourcity.com) and click Edit.
3. Select the Authentication tab.
4. Enable FireWall-1 Password in your gateway's Workstation Properties screen.
5. Delete the "anything outbound" rule that allows yourcity-net to go anywhere through any service.
6. Add a new rule to the top of the rule base.
7. In the Source column, right-click, select Add User Access and select All Users > restricted to @net-yourcity.
8. In the Service column, right-click and select telnet.
9. In the Action column, right-click and select User Authentication.
10. In the Track column, select Long.

Verify and install the policy

Test the policy


Try connecting to the Web server through TELNET to www.boogeyman.com. Does it work?


Lab 9: User Authentication with S/Key


Objective: You will change guest authentication to the S/Key scheme. You will then download the user database and test the authentication.

Change authentication to S/Key


Change the guest authentication scheme to S/Key:

1. Click Manage > Users.
2. Edit your user called guest in the User Manager.
3. Select S/Key from the Authentication menu.
4. Set the S/Key Seed to guest.
5. In the Secret Key field, type the string abc1234567. The S/Key Secret Key must be at least 10 characters long.
6. Select fw.yourcity.com from the Installed On menu.
7. Click Generate to generate the S/Key passwords.
8. Click OK to apply the new settings for user guest.

Download the user database


1. In the User Manager screen, click Install.
2. Click OK.
3. After the install is complete, click Close.

Test the user database


1. Connect to the Web server www.boogeyman.com through TELNET. Does it work?
2. Use the S/Key client program on www.yourcity.com to generate the S/Key one-time password. Make sure the S/Key client is loaded.
3. Type 99 guest (the sequence number and seed from the challenge) in the first box.
4. Type in the secret password (abc1234567).
5. Click Compute one-time password.


6. Note the password that is generated. You will need it shortly.
7. Now TELNET to www.boogeyman.com.
8. For User, type guest.
9. For the S/Key string, enter the one-time password you noted and press Enter. You should now be connected.
10. Check your log file to verify the connection.
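The chain that the Seed, Secret Key, Length and Method fields define, and that the "99 guest" challenge in this lab draws on, worked through in code. This is an added example and not Check Point's implementation: it follows the S/Key (RFC 2289) MD5 variant, and the chain length of 100, the choice of MD5 as the Method and the gateway-side bookkeeping are assumptions about what FireWall-1 4.0 does, not facts from this guide.

```python
"""Added example (not Check Point code): an S/Key one-time password chain.

The gateway keeps the seed, the current sequence number and the last accepted
password; the secret key never leaves the user. Hash variant: RFC 2289 MD5
(assumed; the page does not say which Method FireWall-1 4.0 uses by default).
"""
import hashlib


def fold_hash(data: bytes) -> bytes:
    """One chain step: MD5, then fold the 128-bit digest to 64 bits by XORing the halves."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(secret: str, seed: str, n: int) -> bytes:
    """One-time password number n: seed (lowercased) + secret, hashed n+1 times.
    Password n+1 is therefore fold_hash(password n), which is what the verifier relies on."""
    value = fold_hash((seed.lower() + secret).encode())
    for _ in range(n):
        value = fold_hash(value)
    return value


def otp_hex(secret: str, seed: str, n: int) -> str:
    """Hexadecimal form, four groups of four digits, as an S/Key calculator prints it."""
    h = otp(secret, seed, n).hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def print_chain(secret: str, seed: str, length: int) -> list:
    """The 'Print Chain' list: every password the user may be challenged for, highest first.
    Destroy it after use; whoever holds it can log in `length` times."""
    return [(n, otp_hex(secret, seed, n)) for n in range(length - 1, -1, -1)]


class SkeyVerifier:
    """Gateway-side state for one S/Key user (assumed bookkeeping, see lead-in)."""

    def __init__(self, secret: str, seed: str, length: int):
        self.seed = seed
        self.sequence = length                   # next challenge asks for sequence - 1
        self.last_accepted = otp(secret, seed, length)

    def challenge(self) -> tuple:
        """The 'N seed' prompt shown to the user, e.g. (99, 'guest')."""
        return (self.sequence - 1, self.seed)

    def verify(self, candidate: bytes) -> bool:
        """Accept candidate only if hashing it once yields the stored value, then move the
        chain down one step. Presenting the same password again fails, so an S/Key string
        sniffed from the TELNET session cannot be replayed."""
        if self.sequence <= 0:
            return False                         # chain exhausted: generate a new one
        if fold_hash(candidate) != self.last_accepted:
            return False
        self.last_accepted = candidate
        self.sequence -= 1
        return True


if __name__ == "__main__":
    # Lab values: seed "guest", secret key "abc1234567". Chain length 100 is assumed;
    # the lab only shows the first challenge, 99.
    gateway = SkeyVerifier("abc1234567", "guest", 100)
    n, seed = gateway.challenge()
    print("challenge:", n, seed)
    password = otp("abc1234567", "guest", n)     # what the S/Key calculator computes
    print("login:", gateway.verify(password), "replay:", gateway.verify(password))
```

The verifier stores only the last accepted value, so a password captured on the wire maps (through fold_hash) to something the gateway already knows and reveals nothing about the next one; that is why a one-time password is safe to type over an unencrypted TELNET login, whereas the printed chain or the secret key is not.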


Lab 10: User Authentication for FTP


Objective: You will reset the guest users authentication scheme to FireWall-1 Password. You will add an FTP rule to the rule base and install the security policy.

Reset guest's authentication scheme


1. Click Manage > Users.
2. Edit your user called guest in the User Manager.
3. Change the authentication back to FireWall-1 Password (abc123).
4. Click Manage > Network Objects.
5. Edit your firewall object's properties.
6. In the Authentication Scheme menu, select FireWall-1 Password.
7. Click OK.
8. Install the rule base.

Add user authentication rule for FTP


1. Add a new rule to the top of the rule base.
2. In the Source column, select All Users@net-yourcity.
3. In the Services column, select ftp.
4. In the Action column, select User Authentication.
5. In the Track column, select Long.

Install the Security Policy


Verify and install the security policy.

Test the Security Policy


Connect to the Web server www.boogeyman.com through FTP, giving the FTP login and the FireWall-1 login together in the form the FTP Security Server expects (FTP user student, FireWall-1 user guest, target server 204.32.38.204; FTP password fw1, FireWall-1 password abc123):

Username: student@guest@204.32.38.204
Password: fw1@abc123

Does it work? (It should.)


Lab 11: User Authentication for HTTP


Objective: You will add a user authentication rule for HTTP and install the security policy.

Add a new rule to the top of the rule base


1. In the Source column, select All Users@net-yourcity.
2. In the Destination column, select Any.
3. In the Services column, select http.
4. In the Action column, select User Authentication.
5. Edit the properties of the User Authentication action and select All Servers.
6. Verify and install the security policy.
7. From www.yourcity.com, connect to www.boogeyman.com.


Lab 12: Client Authentication


Objective: In this lab, you will add client authentication to the security policy.

Remove user authentication


1. Remove the User Authentication rule for FTP.
2. Make sure you have a rule that allows any source to have FTP access to your Web server (that is, www.yourcity.com).

Add client authentication


1. Add a new rule to the top of the rule base.
2. In the Source column, select All Users@net-yourcity.
3. In the Destination column, select www.partnercity.com.
4. In the Services column, select ftp.
5. In the Action column, select Client Authentication.

Verify and install the security policy


Verify and install the security policy.

Test the security policy


1. From your Web server, try connecting to FTP port 21 on your partner's Web server in the lab. Use the following command:

# ftp www.partnercity.com

Does it work? (It should not.)

2. From your Web server, use client authentication to sign on for the service by connecting to port 259 of your firewall with TELNET, and authenticate as guest. Use the following command:

# telnet fw.yourcity.com 259

Then repeat the ftp command. Now does it work? (It should.)


Lab 13: Session Authentication


Objective: You will add session authentication to a security policy.

Make sure that the Session Authentication Agent is installed.

Add Session Authentication to a rule


1. Click on a Client Authentication rule.
2. In the Source column, select All Users@net-yourcity.
3. In the Destination column, select www.partnercity.com.
4. In the Services column, select ftp.
5. In the Action column, change Client Authentication to Session Authentication.
6. Verify that the contact agent is set to Src.

Verify and install the security policy

Make sure the session agent is running on the client. If not, ask your instructor for help.

Test the security policy

1. From www.yourcity.com, try connecting to www.partnercity.com through FTP. The Session Authentication Agent screen should appear.
2. After authenticating, connect to the FTP server on www.partnercity.com.


Review
Summary

FireWall-1 technology gives networks the ability to distribute security throughout the enterprise. Security implementations can and should be established to protect the inside of the organization from the outside and between groups of users and resources, while ensuring authenticated communications within the organization.

FireWall-1 uses three types of authentication: user, client and session.

User authentication authenticates users for specific services (FTP, HTTP, TELNET and RLOGIN).

Client authentication authenticates users of any service (standard or customized). Client authentication requires users to TELNET to port 259 of the firewall, or connect to the firewall with a Web browser on HTTP port 900, to be authenticated for a service. FireWall-1 supports implicit client authentication and automatic client authentication sign-off.

Session authentication works like client authentication but requires the Session Authentication Agent to be installed on the client. Session authentication does not require users to authenticate (using TELNET or a Web browser) to the firewall.

Review Questions

1. What are the three types of FireWall-1 authentication?

2. What is the advantage of using transparent session authentication verses other types of authentication?

3. When defining user authentication, where do you add the authentication rule?


Unit IV Chapter 2: Network Address Translation


Introduction
Secret codes are used to hide messages. Foreign languages, while not designed to hide information, can be considered languages that do hide information because you do not understand what the sounds and symbols mean. Network address translation is something in between these two concepts. Network address translation allows system administrators to conceal internal network IP addresses from external networks. This is achieved with the three FireWall-1 address translation modes.

Objectives

Describe why network address translation is necessary
Outline the process that FireWall-1 uses to translate IP addresses
Identify and define the three address translation modes
Show how to set up all address translation modes

Key Terms

Network Address Translation (NAT)
Internet Protocol (IP) address
classful addressing
network address translation modes
IP address translation
static source mode
static destination mode
hide mode
address translation rule base

Understanding Network Address Translation


Network Address Translation (NAT), which conceals internal computers and users from outside networks, is a separate component of the FireWall-1 security policy. NAT reduces exposure to attackers, because FireWall-1 changes (translates) or hides the Internet Protocol (IP) addresses that identify the computers in an internal network. This chapter distinguishes legal IP addresses (routable public addresses assigned by a provider) from illegal/reserved IP addresses (the private ranges reserved for internal use, which are never routed on the Internet) (Table 23):

Table 23: Legal and Illegal/Reserved IP Addresses

Legal IP Addresses    Internal Illegal/Reserved IP Addresses
204.32.38.111         192.168.1.1
204.32.38.112         192.168.1.2

Availability of IP Addresses

Today's computing industry suffers from a limited supply of IP addresses. When you buy Internet connectivity from an Internet Service Provider (ISP), you receive a block of legal IP addresses for the computers that must be reachable from the Internet. Because IP addresses are limited in supply, you must know how to translate internal IP addresses to legal external addresses.

A reserved and finite set of IP addresses is used for internal networks and address translation. In order to provide the flexibility required to support networks of different sizes, IP address space is divided into three address classes: Class A, B and C. This is often referred to as classful addressing, because address space is split into three predefined classes, groupings or categories. The reserved network numbers available for internal addressing are as follows:

1 Class A network number: 10.0.0.0 (10.0.0.0 to 10.255.255.255)
16 Class B network numbers: 172.16.0.0 to 172.31.0.0 (172.16.0.0 to 172.31.255.255)
256 Class C network numbers: 192.168.0.0 to 192.168.255.0 (192.168.0.0 to 192.168.255.255)


How FireWall-1 Reads IP Addresses

FireWall-1 translates addresses transparently. When a packet enters the FireWall-1 kernel module, it is translated before reaching its destination. NAT updates its internal table and translates the packet, rewriting the destination IP address from a legal to an illegal/reserved IP address. When a packet leaves, NAT translates the packet, rewriting the illegal/reserved source IP address to its original legal address (Figure 189):

Figure 189: Network Address Translation (Internet side: legal IP address 204.32.38.1; Intranet side: illegal/reserved IP address 192.168.1.1)

Translating IP Addresses

To translate IP addresses, FireWall-1 follows these steps:

1. A packet addressed to a legal IP address (204.32.38.1) enters the network and passes through the FireWall-1 kernel module.
2. NAT translates the legal IP address to an illegal/reserved address (192.168.1.1).
3. A packet with an illegal/reserved source IP address leaves the system.
4. NAT translates the address to a legal address (204.32.38.1) so that it will be accepted by outside networks, then passes the packet through the FireWall-1 kernel module, which passes the packet out of the network and on to its destination.


NAT Modes
FireWall-1 supports three network address translation modes. Address translation (another name for IP address translation) means changing an IP address in a packet. NAT allows system administrators to present internal, illegal/reserved IP addresses to the outside as legal addresses, providing greater protection from external networks and attackers and eliminating the need to renumber the internal network. NAT also allows IP addresses to be hidden, which lets system administrators cope with the shortage of available IP addresses.

Address translation takes place in the address translation module. The FireWall-1 kernel module does not translate addresses: it verifies addresses before passing them out of an internal network, and verifies addresses before passing them to the address translation module and into an internal network.

The FireWall-1 address translation modes are:

Static source mode: Translates illegal/reserved internal IP addresses to legal IP addresses when packets exit an internal network.
Static destination mode: Translates the legal destination IP address to the server's illegal/reserved internal IP address when packets enter an internal network.
Hide mode: Hides one or more illegal/reserved IP addresses behind one legal address.

Source and destination modes are referred to as static modes because the translation is not dynamic: static mode translates IP addresses using a fixed one-to-one relationship.


Static Source Mode

Static source mode translates the client's internal, illegal/reserved IP address to a legal IP address (Figure 190):

Figure 190: Static Source Mode (internal illegal/reserved address 192.168.1.1 leaves the network as legal address 204.32.38.1)

Static source mode is used when the connection is initiated by internal clients with invalid IP addresses. Static source mode ensures that the originating hosts have unique, specific valid IP addresses, and is generally used together with static destination mode. When you generate address translation rules automatically, static source mode and static destination mode rules are always generated in pairs.

Static Destination Mode

Static destination mode translates the server's legal external IP address to its illegal/reserved internal IP address (Figure 191):

Figure 191: Static Destination Mode (external legal address 204.32.38.1 is translated to internal illegal/reserved address 192.168.1.1)


Static destination mode is used when servers inside the internal network have illegal/reserved IP addresses, and ensures that packets entering the internal network arrive at their proper destinations. When you generate address translation rules automatically, static source mode and static destination mode rules are always generated in pairs.

Static Mode Example

In Figure 190 and Figure 191, the Bay Networks router's address is statically translated: its internal address is replaced by a valid external address once its packets leave the internal network. When defining static mode for a firewalled object, you do not specify static source or destination mode; the static source and destination rules are added to the NAT rule base automatically.

Figure 192: Static Mode Example

In Figure 192, the Bay Networks router's address is statically translated to the valid address shown for it. When packets leave the network through the Bay Networks router, their IP addresses are translated to legal external addresses; when reply packets enter the network, the firewall translates them back to the internal illegal/reserved IP addresses. The translation is done at the firewall on which the rule is installed.


Hide Mode

Today's computing industry suffers from a limited supply of IP addresses. To alleviate this problem, hide mode allows you to hide an entire network of illegal/reserved IP addresses behind one legal IP address (Figure 193). With hide mode, you need only one legal IP address to communicate with external networks or the Internet.

Figure 193: Hide Mode (multiple illegal/reserved internal addresses in 198.132.176.0 are hidden behind the single legal address 204.32.38.1)

Hide Mode Example

In Figure 193, everything in Local_Net is sent out of the local network with a legal IP address as its source.

Figure 194: Hide Mode Example

In Figure 194, the firewall hides all internal illegal/reserved IP addresses of packets leaving the local network. When reply packets enter the network, the firewall translates their destination addresses back and forwards them to the appropriate internal device. Because many hosts share the one legal address, only replies to connections opened from the inside can be delivered this way; a hidden host cannot be reached by a connection opened from the outside.


Applying NAT Modes


To add address translation modes to FireWall-1, you edit or add network objects (servers, gateways, routers and domains). First determine whether to set address translation as static mode or hide mode. Define source or destination static mode by placing the network object as Source or Destination in the rule base.

Applying Static Mode

To add static mode NAT to an internal network's FTP server, follow these steps:

1. Select Network Objects from the Manage menu (Figure 195):

Figure 195: Manage Menu

2. The Network Objects screen appears (Figure 196):

Figure 196: Network Objects Screen


3. Highlight FTP_Server and click Edit.
4. The General tab of the Workstation Properties screen for the object appears (Figure 197). Note that the IP address of the FTP server is 10.96.1.101. This is the illegal/reserved internal address that will be translated to a legal external (Internet) address.

Figure 197: Workstation Properties - General Tab

5. Select the NAT tab. Note there is no address translation currently selected (Figure 198):


Figure 198: Workstation Properties - NAT Tab


6. Check Add Automatic Address Translation Rules to add static translation (Figure 199).

Figure 199: Adding Source Static Mode Translation

This enables the other fields on the screen, as follows:

Translation Method: Select Static from the menu. Choices are Static and Hide.
Valid IP Address: Type the valid IP address you want the FTP server to have when packets that originate at it, or are destined to it, leave the internal network.
Install On: Select from the menu where to install NAT. Choices are the internal firewalled objects.

7. Click OK to save your changes.

Adding Hide Mode to a Cisco Router

To add hide mode NAT to two internal network routers, first add NAT to a Cisco router:

1. Select Network Objects from the Manage menu (Figure 200):

Figure 200: Manage Menu


2. The Network Objects screen appears (Figure 201):

Figure 201: Network Objects Screen

3. Highlight Cisco_Router and click Edit.
4. The General tab of the Router Properties screen appears (Figure 202). Note that the IP address of the Cisco router is 10.96.1.112. This is the illegal/reserved internal address that will be hidden from external networks and the Internet behind a legal address.


Figure 202: Router Properties - General Tab


5. Select the NAT tab (Figure 203):

Figure 203: Router Properties - NAT Screen

6. Check Add Automatic Address Translation Rules to add hide translation (Figure 203). This enables the other fields on the screen, as follows:

Translation Method: Select Hide from the menu to add hide mode translation.
Hiding IP Address: Type the valid IP address behind which packets from the Cisco router are to be hidden when they leave the internal network. If you type 0.0.0.0, the firewall uses its own IP address on the outgoing interface.
Install On: Select from the menu where to install NAT. Choices are the internal firewalled objects.

7. Click OK to save your changes.


Adding Hide Mode to a Bay Networks Router

To add hide mode NAT to a Bay Networks router, follow these steps: 1. After selecting the Bay Networks router from the network objects Manager screen, modify the IP address if necessary in the General tab of Router Properties (Figure 204):

Figure 204: Bay Networks Router General Properties Screen

2. Use the same hiding IP address for the Cisco router and the Bay Networks router. This ensures that both routers' addresses are hidden behind the one legal IP address, 204.32.38.113 (Figure 205):


Figure 205: Hide Mode NAT for Bay Networks Router

3. Click OK to save your changes.


NAT Rule Base


NAT works by using the FireWall-1 address translation rule base, which is part of the FireWall-1 security policy. The address translation rule base is created when you create the security policy (Figure 206):

Figure 206: NAT Rule Base

When you define network objects during the setup of FireWall-1, NAT rules are generated automatically. You can also specify address translation rules manually, by editing or adding NAT rules alongside the automatically generated ones, for complete control over FireWall-1 address translation. FireWall-1 validates address translation rules, helping to avoid mistakes in the setup process. Manual rules let you:

Specify objects by name rather than by IP address
Restrict rules to specified destination IP addresses, as well as to specified source IP addresses
Translate both source and destination IP addresses in the same packet
Restrict rules to specified services (ports)
Translate ports

NAT Rules

Each address translation rule consists of three elements:
- Conditions that specify when the rule is applied (the Original Packet columns)
- The action to be taken when the rule is applied (the Translated Packet columns)
- The network object that enforces the action (the Install On column)


Table 24: NAT Rule Base Elements

   Column              Role                        What you define
   Original Packet     When the rule is applied    Source, destination and service of the packet as it arrives
   Translated Packet   Action to be taken          Source, destination and service after translation
   Install On          Enforcing object            Firewall objects that enforce this rule

Original Packet (when a rule is applied):
- Source: the object for the client of the connection.
- Destination: the object for the server of the connection.
- Service: the service, service group or port range.

Translated Packet (action taken when the rule is applied):
- Source: one object; the type of object depends on the type of address translation.
- Destination: one object only; the type of object depends on the type of address translation.
- Service: one object only; a TCP or UDP service, or a port range.

Install On: specifies which firewalled objects enforce the rule. Choose one of the following:
- Gateways: enforce on all network objects defined as gateways that are firewalled and internal, that is, on every host with Gateway selected in its Workstation Properties window.
- Targets: enforce on the specified target object(s) only. Choosing Targets opens the Select Target window, from which you choose a firewalled gateway or host (but not a router) on which to install the address translation rule.

Comment: you can add comments to a rule by double-clicking the Comment field to open the Comment window and typing your text.
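To make the first-match semantics of Table 24 concrete, the following is an added example in Python (not Check Point code and not a description of the product's internals). It evaluates a packet against a list of NAT rules built from the Lab 14 static rules and the Lab 16 hide rule: the Original Packet cells are the conditions, the Translated Packet cells are the action, and Install On filters by enforcement point. The addresses assume student number n=1, and the hide-mode source-port counter is a simplification of the product's own port pool. The last function shows the ordering pitfall a practitioner checks for: a hide rule for a range placed above a static rule for a host in that range swallows the host's connections.

```python
"""Toy first-match evaluator for a FireWall-1 style address translation rule
base.  Added example, not Check Point code: lab addresses assume student
number n=1, and the hide-mode source-port counter is an assumption rather
than the product's own port pool."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ANY = None  # wildcard in an Original Packet cell


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str  # Service column name, e.g. "http"
    sport: int    # client's source port


@dataclass
class NATRule:
    """One row of the address translation rule base (Table 24)."""
    orig_src: Optional[str]       # condition: address, CIDR, or ANY
    orig_dst: Optional[str]
    orig_svc: Optional[str]
    xlate_src: Optional[str]      # action: new source, None = unchanged
    xlate_dst: Optional[str]      # action: new destination, None = unchanged
    hide: bool = False            # Hide mode also rewrites the source port
    install_on: str = "Gateways"  # "Gateways" or one target name
    comment: str = ""


def _matches(cond: Optional[str], value: str) -> bool:
    """An Original Packet cell is ANY, an exact address, or a CIDR network."""
    if cond is ANY:
        return True
    if "/" in cond:
        return ip_address(value) in ip_network(cond, strict=False)
    return cond == value


class HidePorts:
    """Hands out translated source ports for Hide mode (simplified counter)."""
    def __init__(self, start: int = 10000) -> None:
        self.next = start

    def allocate(self) -> int:
        port, self.next = self.next, self.next + 1
        return port


def translate(packet: Packet, rules, gateway: str = "fw",
              ports: Optional[HidePorts] = None) -> Tuple[Packet, Optional[int]]:
    """Apply the first rule whose conditions match and that is installed on
    this gateway; return the translated packet and the index of that rule."""
    ports = ports or HidePorts()
    for idx, rule in enumerate(rules):
        if rule.install_on not in ("Gateways", gateway):
            continue
        if not (_matches(rule.orig_src, packet.src)
                and _matches(rule.orig_dst, packet.dst)
                and (rule.orig_svc is ANY or rule.orig_svc == packet.service)):
            continue
        out = packet
        if rule.xlate_src:
            out = replace(out, src=rule.xlate_src)
        if rule.xlate_dst:
            out = replace(out, dst=rule.xlate_dst)
        if rule.hide:
            out = replace(out, sport=ports.allocate())
        return out, idx
    return packet, None  # no rule matched: the packet leaves untranslated


# Assumed lab addresses for n=1.
WWW_INTERNAL = "192.168.1.1"     # www.yourcity.com, real (reserved) address
WWW_VALID = "204.32.38.111"      # www-valid, legal address
INTERNAL_NET = "192.168.1.0/24"  # yourcity-range
HIDE_ADDR = "204.32.38.121"      # yourcity-hide

LAB_RULES = [
    NATRule(WWW_INTERNAL, ANY, ANY, WWW_VALID, None,
            comment="Lab 14 rule 1: static source for the Web server"),
    NATRule(ANY, WWW_VALID, ANY, None, WWW_INTERNAL,
            comment="Lab 14 rule 2: static destination to the Web server"),
    NATRule(INTERNAL_NET, ANY, ANY, HIDE_ADDR, None, hide=True,
            comment="Lab 16: hide the whole internal range"),
]


def web_server_outbound():
    return translate(Packet(WWW_INTERNAL, "10.9.8.7", "http", 3000), LAB_RULES)

def internet_to_web_server():
    return translate(Packet("10.9.8.7", WWW_VALID, "http", 40000), LAB_RULES)

def client_outbound():
    return translate(Packet("192.168.1.50", "10.9.8.7", "http", 1025), LAB_RULES)

def hide_rule_first():
    # Ordering pitfall: with the hide rule above the static rules, the Web
    # server is hidden too and its static mapping is never reached.
    return translate(Packet(WWW_INTERNAL, "10.9.8.7", "http", 3000),
                     [LAB_RULES[2], LAB_RULES[0], LAB_RULES[1]])


if __name__ == "__main__":
    for fn in (web_server_outbound, internet_to_web_server,
               client_outbound, hide_rule_first):
        print(fn.__name__, *fn())
```

Run it directly to see each case; the static rules leave the client's source port alone, while the hide rule rewrites it because many internal hosts share the one legal address.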

NAT Issues
Routing Issues

In an internal network, routers can be managed separately from the firewall software. To set up address translation correctly, you must ensure that routing tables are correctly defined. With FireWall-1 there are two routing issues:
- Ensuring that the packet reaches the gateway
- Ensuring that the gateway forwards the packet to the correct interface and host
Reconfigure the routing tables on the internal network's gateway (and on any intervening routers) as needed.

Static Source and Hide Mode

When using Static Source or Hide mode, you must ensure that the translated (legal) addresses are published, so that the upstream router's ARP requests for them are answered by the firewall and replies are routed back to it.

On Solaris systems, use the arp command to publish an IP address, for example:

   arp -s 204.32.38.10n 00:C0:4F:D0:35:F2 pub

On NT systems, the arp command does not allow permanent entries. Check Point therefore reads published addresses from the following file:

   \winnt\fw\state\local.arp

The format of local.arp is one entry per line:

   IP address <TAB> external MAC address

Do not put anything else in this file. After creating or editing local.arp, stop and start the FireWall-1 service (fwstop, then fwstart).

The local.arp file is not automatically created by FireWall-1, and must be created by the user. This is true whether NAT is automatic or manual.


Static Destination

First you must get the packet to the firewall, by publishing the legal IP address on the firewall's external interface as described above. In Static Destination mode, address translation takes place in the firewall after internal routing but before transmission, so the firewall's routing table must already know how to reach the internal host under the legal address. Use static routing (the route command) to define the same next hop for both the legal and the real address.

On Solaris systems, use the following command:

   route add 204.32.38.10n 192.168.n.1 1

The route add command in Solaris is not persistent across reboots. To make the route permanent, add the command to the appropriate rc script under /etc.

On NT systems, use the following command (-p makes the route persistent):

   route -p add 204.32.38.10n 192.168.n.1
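The two OS-level steps above (publishing the legal address and adding the host route) are where NAT setups usually fail silently, so here is an added example in Python, not Check Point code, that checks them. It validates a local.arp file against the one-entry-per-line IP, tab, MAC format the text gives, rejecting anything else as the text advises, and it generates the route and ARP commands for Solaris or NT for a given legal/internal address pair. It also refuses a legal address that is not on the firewall's external subnet, because proxy ARP only helps for addresses the ISP router will ARP for. The external interface address, MAC and sample file contents are constructed values.

```python
"""Checks for the OS-level plumbing that static and hide NAT need: a validator
for $FWDIR/state/local.arp (NT) and a generator for the route/arp commands.
Added example, not Check Point code.  The local.arp line format is the one
the text gives (IP, a tab, the external MAC); the external interface,
addresses and MAC below are constructed sample values."""
import re
from ipaddress import ip_address, ip_interface

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_local_arp(text: str):
    """Return ({ip: mac}, [errors]).  A line is accepted only as exactly
    'IP<TAB>MAC'; anything else is an error, because FireWall-1 reads the
    file verbatim and a stray line breaks ARP publishing without warning."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue  # tolerate blank lines only
        parts = raw.split("\t")
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected IP<TAB>MAC, got {raw!r}")
            continue
        ip, mac = parts[0].strip(), parts[1].strip()
        try:
            ip_address(ip)
        except ValueError:
            errors.append(f"line {lineno}: bad IP address {ip!r}")
            continue
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: bad MAC address {mac!r}")
            continue
        if ip in entries:
            errors.append(f"line {lineno}: duplicate entry for {ip}")
            continue
        entries[ip] = mac.upper()
    return entries, errors


def nat_plumbing(legal_ip: str, internal_ip: str, external_if: str,
                 external_mac: str, os_name: str) -> dict:
    """Commands that make a statically translated host reachable:
      * publish the legal address from the firewall's external MAC so the
        ISP router's ARP request for it is answered (proxy ARP);
      * add a host route so the firewall, which translates the destination
        after routing, forwards the legal address to the internal host.
    Proxy ARP can only answer for addresses on the external subnet, so a
    legal address outside it is rejected here instead of failing silently."""
    ext = ip_interface(external_if)
    if ip_address(legal_ip) not in ext.network:
        raise ValueError(f"{legal_ip} is not in {ext.network}; "
                         "the upstream router will never ARP for it")
    if os_name == "solaris":
        return {"route": f"route add {legal_ip} {internal_ip} 1",
                "arp": f"arp -s {legal_ip} {external_mac} pub",
                "note": "route add is not persistent; add it to an rc script"}
    if os_name == "nt":
        return {"route": f"route -p add {legal_ip} MASK 255.255.255.255 {internal_ip}",
                "arp": f"{legal_ip}\t{external_mac}",  # a line for local.arp
                "note": "append the arp line to $FWDIR\\state\\local.arp, "
                        "then run fwstop and fwstart"}
    raise ValueError(f"unsupported OS {os_name!r}")


# Constructed sample file: one good line, one with spaces instead of a tab,
# and one with a malformed MAC address.
SAMPLE_LOCAL_ARP = (
    "204.32.38.111\t00:C0:4F:D0:35:F2\n"
    "204.32.38.112 00:C0:4F:D0:35:F2\n"
    "204.32.38.113\t00-C0-4F-D0-35-F2-99\n"
)

if __name__ == "__main__":
    good, bad = parse_local_arp(SAMPLE_LOCAL_ARP)
    print(good, *bad, sep="\n")
    for line in nat_plumbing("204.32.38.111", "192.168.1.1", "204.32.38.101/24",
                             "00:C0:4F:D0:35:F2", "solaris").values():
        print(line)
```

The subnet check is the one most often skipped: if the ISP routes the legal block to the firewall rather than putting it on the external link, proxy ARP is unnecessary, but if the block is on-link and the address is mistyped outside it, nothing will ever answer for it.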

Lab 14: NAT Static Mode Manual

Verify www.yourcity.com exists


Make sure you have already created the object www.yourcity.com with a real (illegal/ reserved) IP address of 192.168.n.1.

Create a workstation object


Create a workstation object called www-valid with an IP address of 204.32.38.11n.

Update the firewall object's valid addresses


1. Create a group object called valid-addresses.
2. Place net-yourcity and www-valid into the group.
3. Open your firewall's Workstation Properties screen.
4. Click the Interfaces tab.
5. Edit the firewall's internal interface by selecting the interface name and clicking Edit. The Interface Properties screen appears.
6. Select Specific: in the Valid Addresses field.
7. Specify the group object valid-addresses in the Specific: menu.
8. Click OK.

Create static address translation rules


1. Switch the Security Policy GUI into Address Translation mode.
2. Add two new rules to the rule base:
   Rule 1: specify www.yourcity.com as Source/Original Packet; specify www-valid as Source/Translated Packet.
   Rule 2: specify www-valid as Destination/Original Packet; specify www.yourcity.com as Destination/Translated Packet.

Create security policy rules


1. Switch the Security Policy GUI back to Security Policy mode.
2. Add a new rule to the rule base, just after the stealth rule:
   Source: Any
   Destination: www-valid
   Service: http and smtp
   Action: accept
   Track: Long
   Note that the destination is the legal address www-valid, not the server's real address: the security rule base is matched against the packet as it arrives, before the address translation rule base rewrites it.
3. Insert a new rule just after the rule you just defined:
   Source: www.yourcity.com
   Destination: Any
   Service: http and smtp
   Action: accept
   Track: Long
4. Remove your HTTP authentication rules.

Verify and install the rule base

Add static route and arp

Add a static route for the translated host and publish an ARP entry for the legal address.

For Solaris:
1. Add a static route for the translated host:
   # route add 204.32.38.11n 192.168.n.1 1
2. Display the MAC address of the firewall's external interface, then publish an ARP entry for the legal address using that MAC:
   # arp fw.yourcity.com
   # arp -s 204.32.38.11n <external MAC address> pub

For NT:
1. Add a static route for the translated host:
   c:\> route -p add 204.32.38.11n 192.168.n.1
   where -p makes the route persistent across reboots (without it the change is temporary), and the optional MASK argument is the subnet mask to apply to the route (the default, 255.255.255.255, gives a host route).
2. Publish an ARP entry for the legal address (from the command prompt):
   > ipconfig /all                      (note the MAC address of the external interface)
   > edit $FWDIR\state\local.arp
     204.32.38.11n<TAB><external MAC address>
     save and exit
   > cd $FWDIR\bin
   > fwstop
   > fwstart

Test the rule base


Test by connecting from www.yourcity.com to www.boogeyman.com without authenticating.


Lab 15: NAT Static Mode Automatic


Objective: You will set up static address mapping so that all traffic originating from a specific internal host appears to come from a specific external address, and all traffic destined for that external address is sent to the internal host.

Scenario: You are already using address hiding to conserve your external Internet addresses. However, your Web server now needs its own external Internet address so that it can receive requests from the Internet. You decide to use static mapping for the Web server. For this exercise, you will only use the HTTP service.

Remove the manual NAT rule before starting this lab!

Edit your Web server


Edit the network object for the Web server on your internal network:
1. Click Manage > Network Objects; select the www.yourcity.com object.
2. Select the NAT tab.
3. Check the Add Automatic Address Translation Rules checkbox.
4. Set Translation Method to Static.
5. Enter the Static IP Address (add 10 to the external interface address of your firewall). Click OK. Close the Manage Network Objects screen.
6. Select the Address Translation tab of the main Security Policy Editor screen and view the address translation rules.

Test Static Source translation


Test Static Source translation by connecting to your partnercity.


Test Static Destination translation

Test Static Destination translation from the presentation machine (the instructor's machine): connect to your Web server's legal address from there.

Remove automatic address translation

Remove the automatic address translation from the network object for your internal Web server:
1. Click Manage > Network Objects; select the network object for your internal Web server (www.yourcity.com).
2. Select the NAT tab.
3. Uncheck the Add Automatic Address Translation Rules checkbox.
4. Click OK. Close the Manage Network Objects screen.

Reminder: the routing and ARP entries set up in Lab 14: NAT Static Mode Manual are still required for automatic translation. Automatic rules only replace the entries in the address translation rule base, not the OS-level route and ARP configuration.

Lab 16: NAT Hide Mode Manual

Create an address range object
Create an address range object in the Network Object Manager called yourcity-range:
1. Create the object yourcity-range:
   First IP address: 192.168.n.1
   Last IP address: 192.168.n.254
2. Click OK.

Create a workstation object


Create a workstation object called yourcity-hide for your hide address: Translated (legal) IP address: 204.32.38.12n

Create a Hide address translation rule


1. Switch the Security Policy GUI into Address Translation mode.
2. Add a new rule to the bottom of the rule base.
3. In the new rule, add yourcity-range as Source/Original Packet.
4. Specify yourcity-hide as Source/Translated Packet (hint: Add > Hide).
5. Remove the Static Source translation rule.

Add a rule to allow the internal network out


1. Switch the Security Policy GUI back to Security Policy mode.
2. Delete www.yourcity.com from Source in your Static Source rule.
3. Add net-yourcity as Source.

Verify and install the new rule base

Publish ARP for the legal Hide address

Use the following commands to publish an ARP entry for the legal Hide address:

Solaris:
   # arp fw.yourcity.com
   # arp -s 204.32.38.12n <external MAC address> pub

NT:
   > ipconfig /all
   > edit $FWDIR\state\local.arp
     204.32.38.12n<TAB><external MAC address>
   > cd $FWDIR\bin
   > fwstop
   > fwstart

Test by connecting to www.yourcity.com


Lab 17: NAT Hide Mode Automatic


Objective: You will set up the hide mode of network address translation so that all traffic originating internally appears externally to have originated at the firewall. This lab uses automatic address translation rules rather than manually configured ones.

Scenario: Your company was unable to obtain more than a handful of legal Internet IP addresses from your Internet service provider. So that all of your internal users can access the Internet as needed, you elect to use address hiding, so that only one external address is used for normal access.

Edit the network object


Edit the network object for the addresses on your internal network:
1. Click Manage > Network Objects, and select the net-yourcity object.
2. Select the NAT tab.
3. Check the Add Automatic Address Translation Rules checkbox.
4. Set Translation Method to Hide.
5. Enter the Hiding IP Address (the external interface address of your firewall).
6. Click OK.
7. Close the Manage Network Objects screen.

Test the network object


Test the network object by connecting to your partnercity.


View address translation rules


Select the Address Translation tab of the main Security Policy Editor screen and view the address translation rules. Then remove the automatic address translation from the network object for your internal network:
1. Click Manage > Network Objects, and select the network object for your internal network (net-yourcity).
2. Select the NAT tab.
3. Uncheck the Add Automatic Address Translation Rules checkbox.
4. Click OK.
5. Close the Manage Network Objects screen.

Save and install the policy


Review
Summary

The need for IP address translation, replacing one IP address in a packet by another, arises in two cases:
1. The network administrator wishes to conceal the network's internal IP addresses from the Internet. The administrator may reason that there is nothing to be gained, from a security point of view, by making a network's internal addresses public knowledge.
2. An internal network's IP addresses are invalid Internet addresses (that is, as far as the Internet is concerned, these addresses belong to another network). This situation may have arisen for historical reasons: an internal network was originally not connected to the Internet, and its IP addresses were chosen without regard to Internet conventions. If such a network is then connected to the Internet, its long-established internal IP addresses cannot be used externally, and changing them may be impractical or unfeasible.

Review Questions

1. What is address translation?

2. What is the reason for using address translation (relating to IP addresses)?

3. What are the three address translation modes?

4. What is the address translation rule base?

Final Scenario

Introduction
You have learned the basics of FireWall-1 and should now be able to install, configure and administer a FireWall-1 system. The following is an exercise to reinforce the most important features of FireWall-1. There may be more than one way to achieve the final results of this exercise. Your instructor will review your results to determine their accuracy.

Lab 18: Final Scenario


Objective: You will install and configure the firewall software. The configuration involves the basic features of Check Point FireWall-1 (NAT, authentication, rule base design and object definition). Before you begin the Final Scenario, uninstall FireWall-1.

Scenario: Company A has decided to add a connection from its internal private network to the Internet. Its Internet Service Provider (ISP) has registered a domain name for it, yourcity.com, and supplied the company with a handful of Internet addresses. The company wishes to secure this connection using FireWall-1 as its firewall. Its policy is that SMTP e-mail is the only protocol allowed to pass in both directions through the firewall. The basic Internet protocols (FTP, HTTP, HTTPS, Gopher) are allowed through the firewall only if the initial connection originates from within the company.

Add cleanup rule


Add the cleanup rule to the bottom of the rule base.

Hide internal machines


The company has been using an IANA private network address for its internal subnetwork. The company wants to set up NAT so that its internal machines are hidden behind the external interface of the firewall. (Note that hide mode only serves connections initiated from inside; for inbound SMTP to reach the internal mail server, a static mapping to a legal address is required as well.)

Authenticate specific users


The company only allows the Marketing Department to use TELNET through the firewall. TELNET is allowed only if the initial connection originates within the company, and only for the following users in the Marketing Department, who must authenticate: jsmith, grivera and mpopadopolis.

Authorize machines that can connect to the firewall


The firewall administrator's machine will be the only machine authorized to connect to the firewall. A stealth rule in the rule base should ensure that no other machine can connect to the firewall. Because rules are matched in order, the administrator's rule must be placed above the stealth rule.

Solutions
Examples of possible solutions to the Final Lab Scenario are shown in Figure 207 and Figure 208. Your results may vary slightly.


Figure 207: Suggested Solution Rule Base

Figure 208: Suggested Network Address Translation Rules
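Since Figures 207 and 208 are not reproduced here, the following added example (not the course's own solution, and not Check Point code) expresses one rule base that satisfies the Lab 18 requirements and evaluates test connections against it with first-match semantics. All addresses and object names are assumptions for student n=1; "fw1_gui" stands in for whatever service the management client uses and is not a Check Point service name. As in Lab 14, the inbound SMTP rule names the mail server's legal (statically translated) address, because the security rule base sees the packet before the address translation rule base rewrites it. The STEALTH_FIRST variant shows what happens when the stealth rule is placed above the administrator's rule.

```python
"""First-match evaluation of a rule base meeting the Lab 18 requirements.
Added example, not the course's Figure 207/208 solution.  Addresses and
object names are assumptions (student n=1); "fw1_gui" is a placeholder for
the management client's service, not a Check Point service name."""
from ipaddress import ip_address, ip_network

ANY = None
INTERNAL = "192.168.1.0/24"    # the company's IANA private subnet (assumed)
FIREWALL = "204.32.38.101"     # firewall external address (assumed)
ADMIN = "192.168.1.10"         # administrator's workstation (assumed)
MAIL_VALID = "204.32.38.111"   # legal address statically mapped to the SMTP server
MARKETING = frozenset({"jsmith", "grivera", "mpopadopolis"})
BASIC = frozenset({"ftp", "http", "https", "gopher"})


def _match(cond, value):
    """A rule cell is ANY, an exact address, or a CIDR network."""
    if cond is ANY:
        return True
    if "/" in cond:
        return ip_address(value) in ip_network(cond)
    return cond == value


# (source, destination, services, action, comment); order is significant.
RULES = [
    (ADMIN,    FIREWALL,   frozenset({"fw1_gui"}), "accept",    "admin GUI access, must precede stealth"),
    (ANY,      FIREWALL,   ANY,                    "drop",      "stealth rule"),
    (ANY,      MAIL_VALID, frozenset({"smtp"}),    "accept",    "inbound SMTP to the mail server"),
    (INTERNAL, ANY,        frozenset({"smtp"}),    "accept",    "outbound SMTP"),
    (INTERNAL, ANY,        BASIC,                  "accept",    "basic protocols, initiated inside only"),
    (INTERNAL, ANY,        frozenset({"telnet"}),  "user auth", "telnet out, Marketing users only"),
    (ANY,      ANY,        ANY,                    "drop",      "cleanup rule"),
]


def decide(src, dst, service, user=None, rules=RULES):
    """Return (action, comment) of the first matching rule.  'user auth'
    resolves to accept only when the authenticated user is in Marketing."""
    for rule_src, rule_dst, services, action, comment in rules:
        if (_match(rule_src, src) and _match(rule_dst, dst)
                and (services is ANY or service in services)):
            if action == "user auth":
                action = "accept" if user in MARKETING else "drop"
            return action, comment
    return "drop", "implicit drop"  # unreachable while a cleanup rule exists


# The same rules with the stealth rule moved above the administrator's rule.
STEALTH_FIRST = [RULES[1], RULES[0]] + RULES[2:]

if __name__ == "__main__":
    print(decide(ADMIN, FIREWALL, "fw1_gui"))
    print(decide(ADMIN, FIREWALL, "fw1_gui", rules=STEALTH_FIRST))
    print(decide("10.1.1.1", MAIL_VALID, "smtp"), decide("10.1.1.1", MAIL_VALID, "http"))
    print(decide("192.168.1.50", "10.1.1.1", "telnet", user="jsmith"))
```

Running the script shows the administrator locked out under STEALTH_FIRST, which is the most common mistake when the stealth rule is added first and the administrator's rule appended later.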


Appendix A: Licensing Issues


Resolving Licensing Issues
Licensing Enforcement for Single Gateway Products

FireWall-1 enforces user/node limits as follows:
1. FireWall-1 listens to all IP-based traffic on the internal network's interfaces; devices beyond the external interface are not counted.
2. FireWall-1 notes the IP addresses of the internal devices it sees.
3. When the number of distinct internal IP addresses reaches the license limit, FireWall-1 continues to function.
4. FireWall-1 sends e-mail messages to root and writes to syslog (Solaris) or the Event Viewer (Windows NT).

Single-gateway FireWall-1 can be licensed for 25, 50, 100 or 250 internal hosts (nodes). In a single gateway product the following modules must exist on the same physical machine:
- Management module
- Firewall module

Adding License at the Command Prompt

If you need to add a license at the command prompt, follow these steps:
1. In the \fw\bin directory, type the following and press Enter:
   fw putlic [host] [key] [features]
2. Type fwstop and press Enter.
3. Type fwstart, press Enter, and exit the command prompt.


Removing Old Licenses

Issue fw printlic to display the current licenses, for example:

   Type   Expiration   Features
   Eval   1Dec95       pfm control routers
   Eval   1Nov95       control routers
   Eval   1Oct95       pfm control routers

This output shows:
- Which features are available (for example, pfm control routers)
- To which hostid/IP address these features are licensed
- When the license will expire

If you have several expired evaluation licenses, or licenses bound to IP addresses or hostids that are not valid for the device, re-enter your current license string with the -o option, which replaces the existing licenses instead of adding to them:

   fw putlic -o [host] [key] [features]

If you have multiple permanent licenses, use -o only for the first license key. Do not use -o on subsequent keys, since it would discard the licenses you have just entered.

How to Contact Check Point

If you have unresolved licensing issues, contact Check Point via e-mail (license@checkpoint.com). Or visit Check Points licensing center at http:// license.checkpoint.com.

Appendix B: Installation Troubleshooting


Installing and Operating in NT and Solaris
NT Systems

Symptom during installation: slow install process.

Symptoms after installation:
- The fwstop command does not work.
- The FireWall-1 configuration manager is slow to open (two to three minutes).
- Difficulty logging in to the Management Module from the GUI.

Solution: the hosts file or DNS server must resolve the host name of the firewall's local network interface to its IP address.

Solaris Systems

Symptom: the Security Policy Editor (GUI) will not connect to the Management Server.

Solution: the machine's host name should be the same as the host name of one of its local interfaces (any one, preferably the external interface). The host name can be set on Solaris by either of the following methods:
- Manually editing the /etc/nodename file
- Executing the hostname command


Special Notes for HP-UX 10

1. During the installation process, FireWall-1 rebuilds the OS kernel. You must copy the new kernel to its proper location and then restart the firewalled computer. FireWall-1 displays instructions for doing this.
2. The first time you start the firewalled computer, you will receive a message that FireWall-1 failed. This is normal and occurs because there is no security policy at this point. After you have defined a security policy, subsequent restarts will proceed normally.


Special Notes for IBM AIX


AIX does not enable IP forwarding by default. To turn your computer into a gateway, issue the following command:

   no -o ipforwarding=1

If you enable IP forwarding while FireWall-1 is not running, you expose your network to external networks, because packets are forwarded without inspection. For this reason, add the above command to rc.net at a point after FireWall-1 is loaded. Because of this AIX behaviour, IP forwarding cannot be controlled from within FireWall-1, and you are not asked to configure it during the installation process.

Further notes for AIX:
- FireWall-1 version 4.0 for AIX does not support the default security-policy feature. You are not asked to configure this feature during the installation process.
- For the X/Motif GUI to function properly, the LANG environment variable must be defined.
- SecurID authentication is not available.
- If you get an error message warning about the wrong architecture, verify that you have installed the netinet patch and restarted the system.
- When installing a FireWall-1 component, verify that no other FireWall-1 components are running.

Special Note for Management Servers


If you have installed the FireWall-1 management server, you must first define administrators (people who are allowed to manage the FireWall-1 management server using a GUI client). You must also define GUI clients (computers from which administrators will be allowed to manage the FireWall-1 management server).

Administrators: Solaris Specific

To define administrators, run the program fwm on the FireWall-1 Management Server, as follows:
1. To add an administrator, type the following command at the system prompt:
   fwm -a
2. Type the user's name and password. Confirm the password by typing it a second time.
3. To delete an administrator, type the following command at the system prompt:
   fwm -r
4. Type the user's name.


Extracting Files
SunOS

   hostname# tar xvf device-name/sunos/fw1/fw.sunos4.tar

device-name is usually /dev/rfd0c for diskette drives and /cdrom for CD-ROM drives.

Installing FireWall
HP-UX 10

FireWall-1 on HP-UX 10 requires the option "transitional links" to be enabled. In HP-UX 10, FireWall-1 is installed using the swinstall application.

1. hostname% cd /tmp
2. hostname% su
3. password: your root password
4. hostname# tar xvf device-name/HPUX/FW1/FW.HPUX.TAR
   device-name is usually /cdrom for a CD-ROM drive.

Register FireWall-1:
   hostname# swreg -l depot -x select_local=true -x target_directory=/tmp
target_directory points to the directory into which you copied the FireWall-1 software with the tar command.

The following steps install FireWall-1:
1. hostname# swinstall &
   The SD Install Software Selection window is displayed, and then the Specify Source window.
2. Click Source Depot Path. In the Depot Path window, select the directory into which you copied the FireWall-1 software with the tar command.
3. Click OK to close the Depot Path window.
4. Click OK to close the Specify Source window.
5. In the SD Install Software Selection window, select FireWall-1. If you double-click FireWall-1 you can select individual FireWall-1 components to install.
6. From the Actions menu, select Install (analysis). When the analysis phase completes, click OK.
7. When the installation phase completes, click Done. From the File menu, select Exit.
8. At the command prompt enter the following:
   hostname# setenv FWDIR /FireWall-1
   hostname# set path=($FWDIR/bin $path)

IBM AIX

In IBM AIX, FireWall-1 is installed using the smit application. There is no need to copy the software, since the installation reads the CD-ROM directly.

   hostname% smit &

1. Click Software Installation and Maintenance, then Install and Update Software, then Install/Update Selectable Software (Custom Install).
2. Click Install Software Products at Latest Level, then New Software Products at Latest Level.
3. In the New Software Products at Latest Level window, enter the input device or the name of the directory where the FireWall-1 installation files are located. If you are installing from a CD-ROM, click List and select the CD device in the dialog box. FireWall-1 for AIX is always installed in the /usr/lpp/FireWall-1 directory, so you cannot choose an arbitrary $FWDIR.
4. You will be asked to review the installation parameters and confirm them. In SOFTWARE to install, click List.
5. Select FireWall-1.
6. Click OK to start the installation process.
7. Exit smit.
8. At the command prompt, type the following:
   hostname# setenv FWDIR /usr/lpp/FireWall-1
   hostname# set path=($FWDIR/bin $path)
9. Proceed to Configuring FireWall-1.

Appendix C: Port Numbers and Common Services


Port Numbers
Port Numbers

A port number identifies a service endpoint within a host: a server listens on the contact port of each service it offers, and a client that does not yet have a connection addresses that port. Table 25 lists each service and the port it uses as its contact port. For detailed information about port assignments and services, refer to the NETSYS.COM port-numbers web page at www.netsys.com/ports.html. Port numbers are divided into three ranges:
- Well-known ports: 0 to 1023
- Registered ports: 1024 to 49151
- Dynamic and/or private ports: 49152 to 65535

Table 25: Common Services and Port Numbers

   Service Name   Port   Description
   CISCO-FNA      130    Cisco FNATIVE
   CISCO-TNA      131    Cisco TNATIVE
   CISCO-SYS      132    Cisco SYSMAINT
   DOMAIN         53     Domain Name Server
   FTP            21     File Transfer Protocol (control connection)
   GOPHER         70     Gopher
   HTTP           80     World Wide Web HTTP
   HTTPS          443    HTTP protocol over TLS/SSL
   ISAKMP         500    ISAKMP (UDP)
   LOGIN          513    Remote login (rlogin), TCP
   NETBIOS-NS     137    NETBIOS Name Service
   NETBIOS-DGM    138    NETBIOS Datagram Service
   NETBIOS-SSN    139    NETBIOS Session Service
   pop2           109    Post Office Protocol, version 2
   pop3           110    Post Office Protocol, version 3
   pop3s          995    pop3 protocol over TLS/SSL
   PRINTER        515    Spooler
   RADIUS         1812   RADIUS (UDP)
   ROUTER         520    Local routing process (RIP), UDP
   RTELNET        107    Remote Telnet
   SHELL          514    Remote command (rsh) with automatic authentication, TCP
   SFTP           115    Simple File Transfer Protocol
   SMTP           25     Simple Mail Transfer Protocol
   SNMP           161    SNMP (UDP)
   SNMPTRAP       162    SNMPTRAP (UDP)
   SQLSRV         156    SQL Service
   SYSLOG         514    syslog, UDP
   TACACS-DS      65     TACACS database service
   TELNET         23     Telnet
   TELNETS        992    Telnet protocol over TLS/SSL
   3COM-TSMUX     106    3COM-TSMUX
   WHO            513    Who is logged in on the local network (rwho), UDP
   WHOAMI         565    Whoami
   WWW            80     World Wide Web HTTP
   WWW-HTTP       80     World Wide Web HTTP
   XFER           82     XFER utility

Note that ports 513 and 514 each carry a TCP service and an unrelated UDP service (login/who and shell/syslog). A FireWall-1 service object is defined for one protocol, so a rule that admits syslog (UDP 514) does not admit rsh (TCP 514).

Ports Common to Windows NT

The following is a listing of port numbers common to Windows NT:

Table 26: Ports Common to Windows NT

   NT Service Name   Port   Description
   CHARGEN           19     Character Generator
   COURIER           530    Courier
   DAYTIME           13     Daytime
   DISCARD           9      Discard (sink null)
   ECHO              7      Echo service (TCP/UDP); ICMP echo, "ping", is not a port
   FINGER            79     Finger
   ICMP              1      Internet Control Message Protocol (IP protocol number, not a port)
   IGMP              2      Internet Group Management Protocol (IP protocol number, not a port)
   NETSTAT           15     Network Statistics
   NETBIOS_DGM       138    NetBIOS Datagram Service
   NETBIOS_SSN       139    NetBIOS Session Service
   QUOTD             17     Quote of the Day
   SMS_DB            775    sms_db
   SMS_UPDATE        777    sms_update
   TDS               1433   Tabular Data Stream (DB-library, SQL Server)
   TFTP              69     Trivial File Transfer Protocol (UDP)
   UDP               135    RPC Locator (endpoint mapper)
   WINS              42     WINS replication

Appendix D: Basic Rule Base


Rule bases are customized for specific networks. However, the following rules are basic to most FireWall-1 rule-base security policies:
- Stealth
- Inbound e-mail
- Inbound Web traffic
- Load balancing
- VPN
- Client encrypt
- Reject restricted sites
- Anti-virus
- Anything outbound
- Cleanup rule

Review the basic rule base, as shown in Figure 209, making notes in the comment column.


Figure 209: Basic Rule Base

Glossary

A

access control lists: Allow rule bases for 3Com, Bay and Cisco routers.
accounting log entry: FireWall-1 log entry that records a connection's duration and the number of bytes and packets transferred.
address-translation modes: The forms of IP address translation (changing an IP address): Static Source, Static Destination and Hide.
address-translation rule base: Component of the FireWall-1 security policy. The address-translation rule base is created when you create the security policy.
anti-spoofing: Process that ensures the IP addresses of packets entering an interface are valid for that interface.
anti-virus inspection: Component of FireWall-1 that uses an integrated anti-virus module to check all files transferred over all protocols, reducing the vulnerability of hosts and gateways.
application layer gateways: A type of firewall architecture that examines packets at the application level.
authentication scheme: Validates connection attempts within an internal network.
AXENT Defender: Server used to provide authentication services.

C

classful addressing: IP address space split into predefined classes, groupings or categories.
client: A computer system or process that requests a service of another computer system or server (using a specific protocol) and then accepts the server's responses.
client authentication: Authenticates users of any service. Client authentication allows an administrator to grant access privileges to a specific IP address.
Connect Control Module: Provides automatic application-server load balancing across multiple servers.

content-vectoring protocol (CVP): Open protocol for integrating external and third-party content inspection programs, plus integrated content inspection capabilities for anti-virus protection, URL screening and Java security.

D

daemon: Provides communication between modules, clients and h osts.
data packet: A piece of electronic data transmitted as part of a data stream. Also called packet.
data stream: A block of electronic data transmitted as a unit. A data stream is made up of packets.
domain: A group of computers and devices.

E

eitherbound: The direction setting under which FireWall-1 inspects packets both entering and leaving the firewall.
elements: Individual components that make up a rule; includes rule number (order), source, destination, services, action, tracking, install on, time and comments.
encryption: Process that ensures data is secured when coming from or going to a firewalled computer.
Encryption Module: The FireWall-1 module that provides DES encryption (for SKIP and IPSec) and FWZ1 encryption.
explicit rule: Rule created in the Security Policy Editor and added to your rule base.

F

Firewall Module: Implements the security policy, logs events and communicates with the Management Module using the daemon; includes the Inspection Module, daemon and security server. Provides inspection-module capabilities, user authentication, multiple-firewall synchronization and content security.
FWZ: A proprietary key-management scheme that uses FWZ-1 (a worldwide exportable encryption algorithm) and DES (North America only).

H

hide mode: The FireWall-1 network-address translation mode that hides internal IP addresses behind one legal address.

I

implicit rule: Rule created when defining properties in a security policy's properties setup. Also called pseudo-rule.

Document # CPTS-DOC-C1011

Rev. B

Glossary


implicit drop rule Implicit rule automatically added at the end of each rule base that drops all communication attempts not described by previous rules.

inbound The direction in which FireWall-1 inspects packets entering the firewall.

INSPECT Check Point's high-level scripting language for expressing a security policy.

Inspection Module Provides access control, client and session authentication, network-address translation, and auditing.

inspection script The ASCII file generated from the security policy.

Internet Control Message Protocol (ICMP) An extension to IP that carries error, control and informational messages.

Internet Protocol (IP) address Numbers defining the location of computers in a network.

IP address translation Changing an IP address.

ISAKMP/Oakley (IKE) Standard scheme for negotiating encryption between two hosts using IPSec.

K L

kernel The essential part of UNIX or other operating systems, responsible for resource allocation, low-level hardware interfaces and security.

LDAP Account Units Integrates an LDAP-compliant user database with FireWall-1 user authentication.

Lightweight Directory Access Protocol (LDAP) A protocol that allows Internet clients to access and manage databases of users over a TCP/IP connection. LDAP is supported by Netscape and included in Windows NT version 5.x.

load balancing FireWall-1 algorithm that prevents internal-network servers from handling a disproportionate amount of network traffic.

Log Viewer Displays the log-and-alert fields specified in the Log and Alert screen of a security policy's properties.

logical server A group of machines that provide the same services and are treated as a group, among whose members a workload is distributed.


M

Management Module Provides centralized, GUI-based security management control and monitoring of firewall modules residing on local or distributed computers.

Management Server Manages the FireWall-1 database: the rule base, network objects, servers, users and more.

Manual IPSec An encryption and authentication scheme that uses fixed security keys that are exchanged manually.

N

Network Address Translation (NAT) Conceals internal computers and users from outside networks.

network address translation modes Another name for IP address translation.

network objects Any elements that come in contact with the network; includes items such as hosts, routers, networks, gateways, switches, domains and logical servers.

network objects manager A tool to define network objects in FireWall-1.

O P

outbound The direction in which FireWall-1 inspects packets leaving the firewall.

packet A piece of electronic data transmitted as part of a data stream. Also called data packet.

packet filtering A type of firewall architecture which examines up to the network layer of a packet.

pseudo rule Created when defining properties in a security policy's properties setup. Also called implicit rule.

R

RADIUS A RADIUS server is used to provide authentication services.

Remote Procedure Call (RPC) Protocol that allows a program on one computer to execute a program on a server computer.

Router Security Management Provides security management for router-access control lists across one or more routers.

rule base Translates a security policy to a collection of individual rules, which are created with the FireWall-1 rule-base editor.


rule base elements Individual components that make up a rule.

rule-base editor A tool for creating a security policy.

S

security policy A set of rules that defines an internal network's security.

Security Server Resides above the INSPECT engine in the FireWall-1 kernel module and provides authentication and content security.

session authentication Provides a transparent per-session authentication that can be integrated with any application.

session authentication agent Utility provided with FireWall-1 that must be installed on any workstation using session authentication.

Simple Key Management for Internet Protocol (SKIP) A key management protocol that defines the way encryption and authentication keys can be shared securely between two parties.

spoofing A means to make packets appear as if they come from authorized IP addresses.

Stateful Inspection A type of firewall architecture introduced by Check Point which examines packets before the network layer.

static destination mode Translates legal internal IP addresses to illegal IP addresses when packets leave an internal network.

static source mode Translates illegal internal IP addresses to legal IP addresses when packets enter an internal network.

SYNDefender A proprietary FireWall-1 application that protects against denial-of-service attacks from external networks.

SYN packets Communication packets from an external network client to an internal network server.

T

TACACS A server used to provide authentication services.

Transmission Control Protocol/Internet Protocol (TCP/IP) One of the most common communication protocols used to connect to the Internet and external networks.


U

Uniform Resource Identifier (URI) A scheme for identifying resources that may be available on the Internet by name, without regard to where they are located. A URI is not specific, because it can contain wildcards. Ex: http://*.com/jerry/*

Uniform Resource Locator (URL) An address for a resource on the Internet.

URL Filtering Protocol (UFP) A Check Point-developed application programming interface that enables the integration of third-party applications to categorize and control access to specific URL addresses.

user authentication Provides access privileges on a per-user basis for FTP, TELNET, HTTP and RLOGIN, regardless of users' IP addresses.

User Datagram Protocol (UDP) Service primarily used for protocols where performance is more important than receiving every packet.
