
VPN-1/FireWall-1 NG FP-2 Management II

VPN-1/FireWall-1 Management II NG
Course Description

Course Objectives
- Identify the VPN-1/FireWall-1 NG FP-2 product as an enterprise-management solution.
- Identify and address VPN-1/FireWall-1 NG FP-2 security issues.
- Identify important aspects of advanced VPN-1/FireWall-1 NG management.

Course Requirements
- Intended for administrators and resellers who require in-depth knowledge of VPN-1/FireWall-1 NG beyond basic installation, setup and methodologies.

Prerequisites
- VPN-1/FireWall-1 Management I NG
- Working knowledge of firewall technologies, TCP/IP and Internet communication, client/server configurations, routers, gateways and servers, and Windows and/or UNIX operating systems

Check Point Certified Security Expert (CCSE)
- This course provides a basis for undertaking the CCSE exam.

Course Map
- Module 1: Windows VPN-1/FireWall-1 NG Installation and Setup
- Module 2: Tracking and Alerts
- Module 3: Load Balancing
- Module 4: Enabling Voice Over IP Traffic
- Module 5: Content Security and Content Vectoring Protocol
- Module 6: SYNDefender
- Module 7: Encryption and Virtual Private Networks
- Module 8: Certificate Authorities
- Module 9: Configuring VPNs
- Module 10: VPN Client - SecuRemote/SecureClient
- Module 11: Software Distribution

Lab Setup
- Lab Topology
- IP Addresses
- Lab Terms
- Lab Stations

VPN-1/FireWall-1 NG FP-2 System Requirements

Management Clients (GUIs)
Platform    : Windows 9x, ME, NT 4.0, Windows 2000 Pro
Disk Space  : 40 Mbytes
Memory      : 128 Mbytes
Network I/F : all interfaces supported by the operating system

FireWall-1 NG FP2 Firewall Module on Windows
OS          : Windows NT and Windows 2000
Processor   : Intel Pentium II 300+ MHz or equivalent
Disk Space  : 40 Mbytes
Memory      : 128 Mbytes
Network I/F : all interfaces supported by the operating system

Management Server or FireWall-1 Module on Solaris
OS                  : Solaris 7 (SunOS 5.7), Solaris 8 (SunOS 5.8)
CPU Architecture    : Solaris 7 - 32-bit mode; Solaris 8 - 32-bit and 64-bit mode
Disk Space          : 40 Mbytes (software installation only)
Memory              : 128 Mbytes
CPU                 : 360 MHz
Required OS Patches : check the latest release notes

Management Server or FireWall-1 Module on Linux
OS               : Red Hat Linux 6.2 and 7.0
CPU Architecture : 32-bit and 64-bit
Disk Space       : 40 Mbytes
Memory           : 128 Mbytes
CPU              : Intel Pentium II 300+ MHz

Module 1: Windows NT VPN-1/FireWall-1 NG FP-2 Installation and Setup

Introduction

Objectives
- Demonstrate how to install VPN-1/FireWall-1 NG on NT Server.
- Outline the procedure for uninstalling VPN-1/FireWall-1 NG.

Key Terms
- Management client
- Management module
- VPN-1/FireWall-1 module

Upgrading to VPN-1/FireWall-1 NG FP2
- Supported Upgrade Paths
- Upgrading Solaris to enable VPN-1/FireWall-1 NG
- Module Upgrade Sequence
- Backward Compatibility
- Minimizing Downtime During Upgrades
- Using SecureUpdate to Upgrade Remote Modules
- After Upgrading

Supported Upgrade Paths
- NG FP1 to NG FP2 (recommended)
- Version 4.1 to NG FP1 to NG FP2 (recommended)
- Version 4.1 to NG initial release to NG FP2
- NG initial release to NG FP1 to NG FP2
- NG initial release to NG FP2

Upgrading Solaris to enable VPN-1/FireWall-1 NG
- Note the procedure outlined in the student notes (p 1.2).

Module Upgrade Sequence
1. Upgrade the management server.
2. Upgrade the GUI client.
3. Upgrade the enforcement module.
4. Set the Policy Editor version to FP2 on the General screen of each object (Check Point gateways and nodes).
(The Policy Editor default of FP1 must be changed to FP2 once all modules are upgraded.)

Backward Compatibility
- VPN-1/FireWall-1 NG FP2 is installed in its own directory without overwriting previous versions of VPN-1/FireWall-1.
- Choosing "maintain backward compatibility" during installation allows management of Version 4.0 and 4.1 modules from an NG FP2 Management Station (some version features are not backward compatible).
- An NG FP2 Management Module cannot manage a Version 3.x (or earlier) FireWall-1 module.

Minimizing Downtime During Upgrades
1. Prepare another computer (the new machine) with the same IP address as the machine running the old version (don't connect the new machine to the network yet).
2. Copy the entire disk from the old machine to the new machine.
3. Upgrade to the new version of FireWall-1 on the new machine.
4. Physically disconnect the old machine from the network and replace it with the new machine.

Using SecureUpdate to Upgrade Remote Modules
- The Secure Virtual Network architecture of VPN-1/FireWall-1 NG allows remote upgrading of enforcement modules.
- The SecureUpdate facility in NG allows upgrading of the following: SVN Foundation, VPN-1/FireWall-1, FloodGate-1, SecureClient Policy Server, Real-Time Monitor, OPSEC products.

After Upgrading
- VPN-1/FireWall-1 loses its state.
- Restart the GUI.
- Install the policy on all firewalls (even if the policy has not changed).

Pre-installation Configuration

Network Configuration
- Ensure the network is properly configured (especially routing).
- On Windows NT and Solaris, enable IP routing/forwarding.
- On Windows NT, disable the NetBEUI protocol (it is not an IP protocol, so it is not intercepted by FireWall-1).
- Environment variables are set automatically (via the installation wrapper) on Windows NT, Windows 2000 and Solaris.

VPN-1/FireWall-1 NG Client-Server Configuration
- A distributed installation is supported.

Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Windows NT Server
Lab 1

Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Sun Solaris
Lab 2

Installing VPN-1/FireWall-1 NG Management Client on Windows NT
Lab 3

Lab Setup: creating objects and rules

Uninstalling VPN-1/FireWall-1 NG Components
- Uninstalling on a Windows machine
- Uninstalling on a Solaris machine

Review
Summary
Review Questions

Review Question #1:
What options can you change/modify with administrative rights?
Licenses, administrators (name and password), GUI clients (client/server model), remote modules (client/server model), groups, default filter.

Review Question #2:
What is the difference between the VPN-1/FireWall-1 NG Management Module and the Management Client?
The Management Module manages the Security Policy of the firewall, including the objects, rules and settings. The Management Client is the GUI that connects to the Management Module and allows administrators to configure the Security Policy.

Review Question #3:
In which order do you uninstall VPN-1/FireWall-1 NG?
In the reverse order of the installation, with SVN Foundation being the last module to be removed.

Module 2: Tracking and Alerts

Introduction

Objectives
- Describe the purpose of tracking.
- Describe how to configure user-defined tracking.
- Define parameters for the tracking of possible hacking attempts against the firewall.

Key Terms
- User-defined tracking

Tracking
- The process of creating definitions in which the parameters of an alert or log are established.
- Occurs when an option is defined in the Track column of a rule in the Rule Base.
- Some tracking options will generate a log entry; others will generate a log entry and trigger an executable, for example:
  - an SNMP trap
  - an alert email
  - another function, as defined by the administrator

(Figure: an SMTP mail definition with an SMTP resource; Alert is selected as the exception track.)

Configuring a Rule
A user-defined alert requires the following steps:
1. Write the user-defined application script on the Management Module (it must be placed in the $FWDIR/bin directory).
2. Specify the application name to be run in the Run User Defined Script property field, under Log and Alert > Alert Commands in the Global Properties screen.
3. Add or modify the Rule Base rule for the user-defined alert by selecting the UserDefined option in the Track column.

The Log and Alert Tab

Track Options
- VPN successful key exchange
- VPN packet handling errors
- VPN configuration and key exchange errors
- IP Options drop
- Administrative notifications
- SLA violation
- Connection matched by SAM

Logging Modifiers
- Log every authenticated HTTP connection: if selected, specifies that a log entry should be generated for every authenticated HTTP connection.

Time Settings
- Excessive log grace period
- Log Viewer resolving timeout
- Virtual link statistics logging interval
- Status fetching interval

Alert Commands
- Executed by the alertd process running on the machine where the log files are written.
- The default machine is the Management Module, but logs can be directed to other machines.
- If logs are being sent to more than one machine, then each alertd process will execute the alert command.

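A worked example of the user-defined script from the steps above, added here and not part of the course or of Check Point's software: a Python handler that would be placed in $FWDIR/bin on the Management Module and named in the Run User Defined Script field. It assumes, as stated in the code and to be checked against your release notes, that alertd writes the triggering log record to the script's standard input in the ';'-separated key=value layout of FireWall-1 log exports. The sample record, field names and severity table are constructed for the example; delivery (mail, SNMP trap, pager) is left as a local choice because every alertd that receives the log will run the command.

```python
#!/usr/bin/env python3
"""User-defined alert handler for the Track column's UserDefined option.

Added example, not Check Point code. Assumed contract: alertd (on the machine
that writes the logs, the Management Module by default) runs this script with
the triggering log record on standard input as one 'key=value; key=value; ...'
line. Because each alertd that receives the log runs the alert command, the
handler must be cheap and safe to run more than once for the same record.
"""
import re
import sys

# key=value pairs separated by ';' (the layout of FireWall-1 log exports)
FIELD_RE = re.compile(r"\s*([^=;]+?)\s*=\s*([^;]*?)\s*(?:;|$)")

# Severity scale used by this handler: 3 = page an admin, 2 = mail, 1 = log only
SEVERITY_BY_ACTION = {"drop": 2, "reject": 2, "accept": 1}
ADMIN_SERVICES = {"telnet", "rlogin", "ssh", "ftp"}

# Constructed sample record (not a real capture); 10.1.1.1 is the enforcement module
SAMPLE_RECORD = ("date=12Mar2002; time=14:05:33; action=drop; orig=10.1.1.1; "
                 "i/f_name=hme0; src=192.168.50.7; dst=10.1.1.1; proto=tcp; "
                 "service=telnet; rule=3")


def parse_record(line):
    """Turn a 'k=v; k=v' record into a dict with lower-case keys."""
    return {k.strip().lower(): v.strip() for k, v in FIELD_RE.findall(line)}


def classify(rec):
    """Return (severity, reason) for one parsed record."""
    action = rec.get("action", "").lower()
    sev = SEVERITY_BY_ACTION.get(action, 1)
    reasons = ["action=" + (action or "unknown")]
    if action in ("drop", "reject") and rec.get("service", "").lower() in ADMIN_SERVICES:
        sev = 3
        reasons.append("blocked interactive/admin service")
    if rec.get("dst") and rec.get("dst") == rec.get("orig"):
        sev = 3                         # traffic aimed at the enforcement module itself
        reasons.append("destination is the firewall")
    return sev, "; ".join(reasons)


def format_message(rec, sev, reason):
    """One-line message usable as a syslog line, mail subject or SNMP trap string."""
    return ("FW1 ALERT sev=%d rule=%s src=%s dst=%s service=%s action=%s (%s)"
            % (sev, rec.get("rule", "?"), rec.get("src", "?"), rec.get("dst", "?"),
               rec.get("service", "?"), rec.get("action", "?"), reason))


def handle(line):
    """Parse, classify and format one record; returns (severity, message)."""
    rec = parse_record(line)
    sev, reason = classify(rec)
    return sev, format_message(rec, sev, reason)


def main():
    # alertd hands us the record on stdin; fall back to the sample when run by hand.
    line = sys.stdin.readline().strip() or SAMPLE_RECORD
    sev, msg = handle(line)
    # Delivery is a local choice: syslog, sendmail or an snmptrap call would go here.
    sys.stdout.write(msg + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The classification is deliberately narrow: drops of interactive services and anything addressed to the enforcement module itself are the cases the module's objective ("possible hacking attempts against the firewall") calls out, and the handler escalates only those.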
Global Properties: Alert Commands

Review
Summary
Review Questions

Review Question #1:
Why would you need to use User Defined Tracking? Be specific.
To extend the alert handling capabilities beyond what is typically provided. This allows you to generate more detailed, custom messages in alert situations, as well as associate a priority or actions with the alert handler.

Review Question #2:
Explain how User Defined Tracking works.
User Defined Tracking allows connection information to be viewed. The handler is usually custom-written and can be applied to any of the tracking properties of a Security Policy.

Module 3: Load Balancing

Introduction

Objectives
- Describe the purpose of load balancing.
- Define the different methods for load balancing.
- Demonstrate the setup of a Logical Server for round robin load balancing of HTTP traffic.

Key Terms
- ConnectControl
- Address Resolution Protocol (ARP)
- Load balancing
- Load Measuring Agent
- Server load algorithm
- Round trip algorithm
- Round robin algorithm

The Need for Server Load Balancing

How Load Balancing Works
- Allows several servers to share and distribute network load.
- A Logical Server is created on the firewall; the Logical Server has a unique IP address through which packets are routed.
- Traffic directed to this Logical Server is then load-shared among the physical servers.
- Uses ARP so that packets destined for the IP address of the Logical Server reach the firewall and are passed on to the appropriate physical server.

Load Balancing in VPN-1/FireWall-1 NG

Load Balancing Algorithms
- Server load: determines the load of each physical server.
- Round trip: determines the round trip time between the firewall and each physical server using PING.
- Round robin: chooses the next physical server in the list.
- Random: chooses a physical server at random.
- Domain: chooses the physical server based on domain name.

Logical Server Types
- HTTP
- Other

Logical Server Types: HTTP

HTTP Redirect
1. The firewall detects an HTTP request to a Logical Server and redirects the request to the load balancing module on the firewall.
2. The load balancing application notifies the client that the request is being redirected to the destination physical server.
3. The rest of the session is conducted between the client and the destination server without intervention of the load balancing application.

Logical Server Types: Other
- Other load balancing places entries in the FireWall-1 address translation table for a connection.
- Allows a server's IP address to be the Logical Server's address from firewall to client and a physical server's address from server to firewall.
- Uses NAT similar to a reverse Hide.
- Can also be used with an HTTP connection; each connection may then be redirected to a different server.

FTP example
1. The client starts a session with the FTP Logical Server.
2. FireWall-1 determines that the session is to be redirected to a particular FTP server.
3. NAT is used to relay the incoming packet to the selected physical FTP server.
4. NAT is used to relay the reply back to the originating client.

Load Balancing Algorithms
- Server Load
- Round Trip
- Round Robin
- Random
- Domain

The Server Load Algorithm
Round Trip Load Balancing
Round Robin Load Balancing
Random Load Balancing
Domain Load Balancing

Setting up Load Balancing Algorithms
1. Select Manage > Network Objects from the Policy Editor.
2. Click New and then Logical Server.
3. Select and define the appropriate balance method.
NB: if Persistent server mode is checked, a client is connected to a specific server or service and stays connected to it for the duration of that session.

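A worked model of the Logical Server behaviour described in this module, added here as an example and not Check Point's code. It implements the selection algorithms listed above (server load, round trip, round robin, random) and Persistent server mode, builds the redirect reply a type-HTTP Logical Server sends so the rest of the session bypasses the balancer, and shows the address-translation rewrite used by type Other. Load and round-trip figures are passed in by the caller where FireWall-1 would obtain them from the Load Measuring Agent or PING; the 302 status, the addresses and the request are assumptions of the example, and Domain balancing (which needs DNS proximity data) is not modelled.

```python
"""Model of a FireWall-1 Logical Server (added example, not Check Point code).

Implements the balance methods the module lists plus Persistent server mode,
the HTTP redirect used for Logical Server type HTTP, and the NAT rewrite used
for type Other. Addresses are documentation ranges; the load and round-trip
figures are supplied by the caller (FireWall-1 gets them from the Load
Measuring Agent and from PING respectively).
"""
import itertools
import random


class LogicalServer:
    def __init__(self, name, ip, servers, method="round robin",
                 persistent=False, seed=None):
        if not servers:
            raise ValueError("a Logical Server needs at least one physical server")
        self.name, self.ip, self.servers = name, ip, list(servers)
        self.method, self.persistent = method, persistent
        self._cycle = itertools.cycle(self.servers)   # round robin position
        self._rng = random.Random(seed)               # seedable for reproducible tests
        self._sticky = {}                             # client IP -> server (Persistent mode)

    def choose(self, client_ip, loads=None, rtts=None):
        """Pick the physical server for a new connection from client_ip."""
        if self.persistent and client_ip in self._sticky:
            return self._sticky[client_ip]
        if self.method == "round robin":
            server = next(self._cycle)
        elif self.method == "random":
            server = self._rng.choice(self.servers)
        elif self.method == "server load":        # lowest load reported by the agents
            server = min(self.servers, key=lambda s: loads[s])
        elif self.method == "round trip":         # shortest PING round trip
            server = min(self.servers, key=lambda s: rtts[s])
        else:
            raise ValueError("unknown balance method: %s" % self.method)
        if self.persistent:
            self._sticky[client_ip] = server
        return server


def http_redirect(logical, client_ip, request_line):
    """Type HTTP: answer the client's request with a redirect to the chosen
    physical server, so the rest of the session bypasses the balancer.
    Returns (response text, chosen server). The 302 status is an assumption."""
    _method, path, version = request_line.split()
    server = logical.choose(client_ip)
    response = ("%s 302 Moved Temporarily\r\nLocation: http://%s%s\r\n"
                "Connection: close\r\n\r\n" % (version, server, path))
    return response, server


def nat_forward(logical, client_ip, pkt):
    """Type Other: rewrite the destination of a packet addressed to the
    Logical Server (like a reverse Hide). Returns (rewritten packet,
    translation-table entry) or (packet, None) when no translation applies."""
    if pkt["dst"] != logical.ip:
        return pkt, None
    server = logical.choose(client_ip)
    entry = {"client": client_ip, "logical": logical.ip, "server": server}
    return dict(pkt, dst=server), entry


def nat_reply(entry, pkt):
    """Rewrite the server's reply so the client sees the Logical Server address."""
    if pkt["src"] == entry["server"] and pkt["dst"] == entry["client"]:
        return dict(pkt, src=entry["logical"])
    return pkt


if __name__ == "__main__":
    web = LogicalServer("web_ls", "192.0.2.10", ["10.0.0.11", "10.0.0.12", "10.0.0.13"])
    for client in ("198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"):
        print(client, "->", http_redirect(web, client, "GET /index.html HTTP/1.0")[1])
    ftp = LogicalServer("ftp_ls", "192.0.2.21", ["10.0.0.31", "10.0.0.32"])
    fwd, entry = nat_forward(ftp, "198.51.100.9",
                             {"src": "198.51.100.9", "dst": "192.0.2.21", "dport": 21})
    print("inbound rewritten to", fwd["dst"])
    print("reply rewritten to", nat_reply(entry, {"src": fwd["dst"], "dst": "198.51.100.9"})["src"])
```

The Persistent server mode table is keyed on the client address because that is the only identity the gateway has for a new connection; it is also why, as the NB above says, a client stays on one server for the rest of its session even if that server's load rises.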
Logical Server
- Represents a group of servers that provide the same services.
- Is a legal IP address that is mapped to the external interface of the firewall.
- Points to a group of servers on which the firewall is performing load balancing.

HTTP Logical Server (Round Robin)
Lab 5

Load Balancing on Other Logical Servers
Overview
- When the server is FTP or anything other than HTTP, Other must be chosen under Server Type in the Logical Server Properties screen.

Address Translation in Load Balancing

FTP Logical Server (Round Robin)
Lab 6

Review
Summary
Review Questions

Review Question #1:
What are the two load balancing components?
The load balancing daemon and the load balancing algorithms.

Review Question #2:
What are the steps for setting up HTTP redirect based load balancing?
To use HTTP redirect on the firewall, you must create two rules: the first rule specifies the Logical Server to which the HTTP session connects; the second rule specifies the physical server group that will communicate directly with the client throughout the remainder of the session.

Review Question #3:
How do you create a Logical Server?
Click Manage > Network Objects. Click New > Logical Server. Enter an object (server) name in the Name field and the IP address in the IP Address field. Click Get Address to resolve the name to an address.

Review Question #4:
What are the load balancing algorithms, and how are they used?
- Server Load: queries all physical servers in a group to determine which server is best able to handle a communication request. The Server Load Agent must be installed on each server.
- Round Trip: uses PING to determine the round trip time between the firewall and the physical servers, choosing the server with the shortest round trip time.
- Round Robin: the VPN-1/FireWall-1 NG daemon chooses the next server in the list.
- Random: the load balancing daemon chooses a server at random.
- Domain: VPN-1/FireWall-1 NG chooses the closest server based on domain name.

Review Question #5:
How does VPN-1/FireWall-1 NG perform load balancing for services other than HTTP?
Using network address translation (NAT).

Module 4: Enabling Voice Over IP Traffic

Introduction

Objectives
- Define the different methods of using Voice over IP.
- Describe how to set up VPN-1/FireWall-1 to enable Voice over IP in an H.323-based configuration.
- Describe how to set up VPN-1/FireWall-1 to enable Voice over IP in a SIP-based configuration.

Key Terms
- Voice over IP
- H.323-based configuration
- SIP-based configuration
- VoIP Gateway
- VoIP Gatekeeper

Voice Over IP Basics
- Voice phone calls are transmitted over the IP network.
- The analog signal is translated to digital; the digital signal is transmitted to the destination and then converted back to analog.
- The receiver of a VoIP call must be on the same WAN or LAN as the person initiating the call.

Traditional Voice and Data Transmission Process

VoIP allows voice to be transmitted over the existing IP infrastructure

Quality Control of VoIP Transmissions

Bandwidth
- Depends on the type of compression used to convert the analog signal.
- The largest compression rate is 10 to 1, which can be achieved by using the G.723 voice compression standard.
- Using this standard, each data packet requires a transmission rate of just 5.3 kbit/s for voice and 7.8 kbit/s for the IP information.
- The required transmission rate for VoIP traffic is therefore about 13.1 kbit/s at maximum compression.

Voice Quality
- Depends on a number of variables, chiefly the amount of bandwidth available on the corporate LAN or WAN.
- The bandwidth variable can be controlled with the Differentiated Services Quality of Service (DiffServ QoS) protocol, i.e. VoIP traffic can be given priority.

Security
- VoIP traffic is protected by the firewall and can easily be encrypted.
- Two environments are configurable: H.323-based and SIP-based.

Configuring FireWall-1 for H.323-based VoIP Traffic

H.323-based VoIP Example Topology

Two types of phone are included:
- IP phones are IP-addressed phones, or soft phones (a PC with VoIP software). The IP phones are connected to the Gatekeeper device, which manages each IP phone's access to the IP network.
- Conventional phones are connected to the VoIP Gateway. The Gateway translates the conventional analog data into digital IP communications.

Enabling FireWall-1 for H.323-based VoIP Traffic
First configure a VoIP domain object for the Gatekeeper or Gateway. The prerequisites are:
- an address range or network object for the network of IP-addressed phones
- a Node/Gateway object for the Gatekeeper machine
- an address range or network object for the standard phones without an IP address (if any)
- a Node/Gateway object for the Gateway machine (for use with standard analog phones, if any)
- VoIP domain objects and hosts for the partner site

Enabling VoIP Traffic in an H.323 Environment

Gatekeeper Object Configuration
- Must be defined if access to the data network by IP phones is being controlled by the Gatekeeper.

Configuring the Gatekeeper Routing Mode
- Each conversation over a VoIP transmission includes several connections that take place one right after another.
- The routing mode information determines how the different connections within the VoIP transmission are routed.

(Optional) Gateway Object Creation
- Creating the Gateway object is only necessary if the configuration includes the use of standard analog phones.

Configuring the Gateway Routing Mode
- As for the Gatekeeper: each conversation includes several connections, one right after the other, and the routing mode information determines how the different connections within the VoIP transmission are routed.

Configuring the Rule Base for H.323 Traffic
- Depends on the type of VoIP traffic passing through the firewall and the hardware involved.
- There are two ways to configure the Rule Base: Gatekeeper configuration and Gateway configuration.

Enabling VoIP Traffic in a SIP Environment
The most common configurations include:
- SIP Proxy: manages the IP phones' or soft phones' access to the network.
- SIP Redirect Server: performs DNS-like functions preceding a VoIP connection.
- SIP Registrar: provides a DNS-like service by mapping SIP URLs to IP addresses.

Defining the VoIP SIP Domain
- Must be defined if a proxy is used for IP phones to gain access to the data network.

Configure Global Properties
- The VoIP Global Properties have to be configured.
- If the "Allow to re-direct" option is not selected, only calls from endpoint to endpoint are allowed; all calls made through proxies or redirect servers are prohibited.

Configuring the Rule Base for SIP Traffic
Depends on the type of traffic through the enforcement module:
- with proxies
- without proxies
- from a network without a proxy to a network with a proxy
- with a proxy for internal communication

SIP Services
- Two services are pre-defined: sip and sip_any.
- Both are UDP services traversing the firewall on port 5060.
- sip: if Source or Destination is Any, then the object represented by Any is not allowed to redirect the connection unless it is a SIP proxy.
- sip_any: if Source or Destination is Any, then the object represented by Any is NOT a SIP proxy.

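A worked example, added here and not part of the course or of Check Point's software, of what an inspecting gateway has to read out of SIP signalling to enforce the sip/sip_any semantics and the "Allow to re-direct" property described above: it parses a SIP request and a 3xx response, extracts the Contact a redirect points at and the RTP port the SDP body announces (the follow-on connection of the "several connections, one after another" the module mentions), and applies the redirect decision. The messages are constructed for the example, addresses are documentation ranges, and deciding "is the responder a SIP proxy" by looking the datagram's source address up in a set of proxy objects is an assumption of this model, not a description of FireWall-1 internals.

```python
"""SIP signalling as an inspecting gateway sees it (added example, not
Check Point code). Parses SIP, pulls out redirect targets and SDP media ports,
and models the sip / sip_any rule semantics with the "Allow to re-direct"
global property as the module states them. Messages are constructed.
"""
import re

SIP_PORT = 5060     # both pre-defined services are UDP/5060

CONTACT_RE = re.compile(r"<?sips?:(?:[^@>;]+@)?([^:;>\s]+)(?::(\d+))?")
MEDIA_RE = re.compile(r"^m=(\w+)\s+(\d+)\s", re.M)

# Constructed sample messages (RFC 3261 style, not captures)
SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 10.1.1.20\r\ns=call\r\n"
       "c=IN IP4 10.1.1.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@partner.example SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds\r\n"
          "From: Alice <sip:alice@corp.example>;tag=1928301774\r\n"
          "To: Bob <sip:bob@partner.example>\r\n"
          "Call-ID: a84b4c76e66710@10.1.1.20\r\n"
          "CSeq: 314159 INVITE\r\n"
          "Contact: <sip:alice@10.1.1.20:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          "Content-Length: %d\r\n\r\n" % len(SDP)) + SDP
REDIRECT = ("SIP/2.0 302 Moved Temporarily\r\n"
            "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds\r\n"
            "From: Alice <sip:alice@corp.example>;tag=1928301774\r\n"
            "To: Bob <sip:bob@partner.example>;tag=a6c85cf\r\n"
            "Call-ID: a84b4c76e66710@10.1.1.20\r\n"
            "CSeq: 314159 INVITE\r\n"
            "Contact: <sip:bob@203.0.113.9:5062>\r\n"
            "Content-Length: 0\r\n\r\n")


def parse_sip(raw):
    """Split a SIP message into start line, header dict (lower-case names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def status_code(msg):
    """Status code of a response, or None for a request."""
    parts = msg["start"].split()
    return int(parts[1]) if parts and parts[0].startswith("SIP/") else None


def contact_target(msg):
    """(host, port) the Contact header points at; port defaults to 5060."""
    m = CONTACT_RE.search(msg["headers"].get("contact", ""))
    return (m.group(1), int(m.group(2) or SIP_PORT)) if m else None


def media_ports(msg):
    """(media, port) pairs announced in the SDP body: the pinholes the gateway
    has to open for the RTP streams that follow the signalling."""
    return [(kind, int(port)) for kind, port in MEDIA_RE.findall(msg["body"])]


def redirect_allowed(service, responder_is_proxy, allow_redirect_global):
    """3xx redirect on a rule whose Source or Destination is Any, per the module."""
    if not allow_redirect_global:
        return False                  # only endpoint-to-endpoint calls pass
    if service == "sip":
        return responder_is_proxy     # Any may redirect only if it is a SIP proxy
    if service == "sip_any":
        return False                  # Any is never treated as a SIP proxy
    raise ValueError("unknown SIP service: %s" % service)


def inspect(raw, src_ip, service, sip_proxies, allow_redirect_global=True):
    """Decision for one datagram: ('drop', why), ('redirect', (host, port))
    or ('pass', media ports to open). sip_proxies: addresses of SIP proxy /
    redirect server objects (assumed lookup by source address)."""
    msg = parse_sip(raw)
    code = status_code(msg)
    if code is not None and 300 <= code < 400:
        if not redirect_allowed(service, src_ip in sip_proxies, allow_redirect_global):
            return "drop", "redirect from %s not permitted on service %s" % (src_ip, service)
        return "redirect", contact_target(msg)
    return "pass", media_ports(msg)


if __name__ == "__main__":
    proxies = {"10.1.1.5"}
    print(inspect(INVITE, "10.1.1.20", "sip", proxies))
    print(inspect(REDIRECT, "10.1.1.5", "sip", proxies))
    print(inspect(REDIRECT, "203.0.113.7", "sip", proxies))
    print(inspect(REDIRECT, "10.1.1.5", "sip_any", proxies))
```

The same 302 is accepted or dropped purely on which object answered and which service the rule carries, which is the practical difference between sip and sip_any the review question at the end of this module asks about.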
Configuring the Rule Base for SIP Traffic: SIP Services

Simple SIP-based VoIP Configuration with Proxies

Simple SIP-based VoIP Configuration without Proxies

Review
Summary
Review Questions

Review Question #1:
What are the two protocols that can be used in VPN-1/FireWall-1 NG to enable VoIP traffic to pass through the firewall?
H.323-based and SIP-based.

Review Question #2:
What is the function of a VoIP gateway?
The gateway translates the conventional analog data to digital IP communications for transmission over the data network.

Review Question #3:
What is the function of a VoIP gatekeeper?
The gatekeeper device manages each IP phone's access to the IP network.

Review Question #4:
What is the difference between sip and sip_any?
In the Rule Base, if Source or Destination is Any and the Service is sip, then the object represented by Any is not allowed to redirect the connection unless it is a SIP proxy. If Source or Destination is Any and the Service is sip_any, then the object represented by Any is not a SIP proxy.

Module 5: Content Security and Content Vectoring Protocol

Introduction

Objectives
- Define the VPN-1/FireWall-1 NG Content Security process and components.
- Demonstrate how to configure Java blocking.
- Demonstrate how to block Web browser access to restricted sites in a URL list.
- Demonstrate how to enable a UFP Server to restrict access to FTP sites on the Internet.

Key Terms
- Content Vectoring Protocol (CVP)
- Anti-virus inspection
- URL Filtering Protocol (UFP)
- Uniform Resource Locator (URL)
- Uniform Resource Identifier (URI)

Role of the Security Server
- If a rule includes a resource in the Service column (or requires authentication), the Security Server for the specified service is invoked.
- The following Security Servers are included: Telnet, rlogin, FTP, HTTP, SMTP.

Security Server Overview
The Security Servers perform two tasks: authentication and content security.

Server   Authentication   Content Security
TELNET   Yes              No
RLOGIN   Yes              No
FTP      Yes              Yes
HTTP     Yes              Yes
SMTP     No               Yes

Telnet
- The Security Server provides authentication but cannot be used for content security purposes.

rlogin
- As Telnet.

FTP
- Content security functions are based on GET and PUT commands, file name restrictions and CVP checking.

HTTP
- Content security functions are based on methods such as GET, POST and PUT, specific hosts, URLs, paths and queries.

SMTP
- Content security functions are based on the From and To fields in the envelope and in the header, and on attachment types.
- Also provides a secure sendmail application that prevents direct online connection attacks.

Understanding Content Security

Content Security
- Extends the scope of data inspection to the highest level of a service's protocol.
- Provides content security for HTTP, FTP and SMTP using FW-1 Security Servers and Resource object specifications.
- A resource can be defined based on HTTP, FTP or SMTP and then used in the Rule Base in a similar manner to a service.
- When a resource is specified, the Security Server can divert a connection to a Content Vectoring Protocol (CVP) server or a URI Filtering Protocol (UFP) server.

A Connection Mediated by the HTTP Security Server

CVP Inspection During an FTP Connection
- CVP uses TCP port 18181.

Content Vectoring Protocol (CVP)
1. FW-1 determines that the CVP server must be invoked (the relevant rule specifies a resource that includes CVP checking).
2. The FTP Security Server connects to the CVP server and initiates the Content Vectoring Protocol.
3. The FTP Security Server sends the CVP server the file to be inspected.
4. The CVP server inspects the file and returns a validation result message, notifying the FTP Security Server of the result.
5. The CVP server optionally returns a modified version of the file to the FTP Security Server.
6. The FTP Security Server takes the action defined for the resource.

CVP Server Integration

Inspection
- Anti-virus inspection reduces the vulnerability of hosts and gateways by using an external anti-virus module (a CVP server).
- The anti-virus option can check all files transferred over the HTTP, SMTP and FTP protocols.

FTP to Anti-Virus Server Process
1. The FTP client establishes a connection via port 21 to the FTP server; the INSPECT module monitors port 21 for PUT and GET commands.
2. When the client initiates a data transfer over port 20, the INSPECT module folds the connection into the FTP Security Server.
3. The FTP data stream is relayed to the anti-virus server.
4. The CVP server scans the FTP files; the results are sent to the Firewall Module.
5. The clean FTP file is sent back to the FTP Security Server via CVP.
6. The FTP Security Server determines whether the GET or PUT command is allowed, then relays the FTP file to the FTP server.

URI Filtering Protocol (UFP)

How UFP Works
1. A client invokes a connection through the Firewall Module.
2. The FireWall-1 Security Server uses UFP to send the third-party UFP server the URL to be categorised.
3. The URL content server inspects the URL and returns a validation result message, notifying the Security Server of the result of the inspection.
4. The firewall takes the action defined for the resource, allowing or disallowing the viewing of the particular web page.

Simple UFP to Content Server Process

Implementing Content Security

Security Considerations
- A combination of two methods might be desired.
- The active method can be used for the majority of the population; it prevents unauthorized people from using another's machine to access information through the gateway.
- Other users in more restrictive physical environments may be configured to use a transparent authentication scheme.

URI Filtering
- Provides precise control over web access.
- FireWall-1 checks web connection attempts using URI Filtering Protocol (UFP) servers.
- UFP servers maintain lists of URLs and their appropriate categories, permitted or denied.

Mail (SMTP)
- The SMTP Security Server provides highly granular control over SMTP connections. The administrator can:
  - hide the From address of outgoing mail behind a standard generic address, hiding the internal network structure and real internal users
  - perform mail filtering based on SMTP addresses and IP addresses
  - strip MIME attachments from mail
  - strip the Received information from outgoing mail
  - drop mail messages larger than a given size

VPN-1/FireWall-1 SMTP Security Server
- The SMTP Security Server provides an additional layer of security over standard sendmail applications by splitting functionality between two separate modules.
- It ensures that no direct path connecting mail servers exists, preventing direct online connections to the real sendmail application protected by the firewall.
- The enqueuer writes incoming messages to a disk cache; the dequeuer empties the cache.

FTP Security Server
- Provides authentication services and content security based on FTP commands (PUT and GET), file name restrictions and anti-virus checking for files.

FTP Security Server and Web Browsers
- When using a browser without a proxy defined in the browser, all HTTP requests use the HTTP protocol and all FTP requests use the FTP protocol.
- When using a browser with a proxy defined for FTP, the proxy defined should be an HTTP proxy rather than an FTP proxy; this is a limitation of the web browser, not of FireWall-1.

VPN-1/FireWall-1 NG without Next Proxy Defined
- The browser and the proxy use the HTTP protocol. The proxy should convert the request from HTTP to FTP; the Security Server does not support this type of protocol conversion.

VPN-1/FireWall-1 NG with Next Proxy Defined
- Here a second proxy supporting protocol conversion is installed and defined in the GUI as the next HTTP proxy.

Java and ActiveX Stripping
Administrators can:
- strip Java applet tags from HTML pages
- block Java attacks by blocking suspicious back connections
- strip ActiveX tags from HTML pages
- implement Java and ActiveX stripping with a URI resource

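A worked example, added here and not Check Point's code, of the transform the HTTP Security Server applies when a URI resource has Java and ActiveX stripping enabled: a streaming HTML rewriter that removes applet and object elements together with their contents (the param tags inside them) and embed tags, while leaving the rest of the page byte-for-byte intact. The page it runs on is constructed for the example; which tags count as Java or ActiveX (applet, object, embed) is the example's own choice, and the back-connection blocking listed above is a separate network-level control not shown here.

```python
"""Java/ActiveX stripping for an HTTP content filter (added example, not
Check Point code). Removes <applet>...</applet>, <object>...</object> and
<embed> from an HTML page and records what was removed for the log.
The sample page is constructed for this example.
"""
from html.parser import HTMLParser

CONTAINER_TAGS = {"applet", "object"}   # dropped with their contents (<param> etc.)
VOID_TAGS = {"embed"}                   # dropped as a single tag


class MobileCodeStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; and friends verbatim
        self.out = []        # rebuilt page
        self.depth = 0       # > 0 while inside a stripped container
        self.removed = []    # tag names removed, in document order

    def handle_starttag(self, tag, attrs):
        if tag in CONTAINER_TAGS:
            self.depth += 1
            self.removed.append(tag)
        elif tag in VOID_TAGS:
            self.removed.append(tag)
        elif self.depth == 0:
            self.out.append(self.get_starttag_text())   # original tag text, untouched

    def handle_startendtag(self, tag, attrs):
        if tag in CONTAINER_TAGS or tag in VOID_TAGS:   # <object/> or <embed ... />
            self.removed.append(tag)
        elif self.depth == 0:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS:
            if self.depth:
                self.depth -= 1
        elif self.depth == 0:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self.depth == 0:
            self.out.append("&%s;" % name)

    def handle_charref(self, name):
        if self.depth == 0:
            self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        if self.depth == 0:
            self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        if self.depth == 0:
            self.out.append("<!%s>" % decl)


def strip_mobile_code(html):
    """Return (cleaned html, list of removed tag names)."""
    p = MobileCodeStripper()
    p.feed(html)
    p.close()
    return "".join(p.out), p.removed


# Constructed sample page: one Java applet, one ActiveX object, one embed
SAMPLE_PAGE = (
    '<html><body><p>Welcome</p>\n'
    '<applet code="Evil.class" width="1" height="1"><param name="x" value="1"></applet>\n'
    '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">'
    '<param name="movie" value="x.swf"></object>\n'
    '<embed src="x.swf">\n'
    '<p>Done &amp; dusted</p></body></html>'
)

if __name__ == "__main__":
    cleaned, removed = strip_mobile_code(SAMPLE_PAGE)
    print("removed:", removed)
    print(cleaned)
```

The depth counter is what makes the container case safe: everything between a stripped opening tag and its matching close is discarded, so a param tag or a nested object cannot leak through, and an unbalanced closing tag outside any container is ignored rather than corrupting the output.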
Java Blocking
Lab 7

URL Screening by File
Lab 8

URL Blocking Using a UFP Server (Optional)
Lab 9

Anti-Virus Checking for Incoming E-mail (Optional)
Lab 10

FTP Content Security
Lab 11

Security Server and the Rule Base

Proper Rule Placement
- Most commonly, Security Server rules should be placed at the top of the Rule Base.
- More restrictive and specific rules should be placed at the top, more generalised rules lower down.

Consequences of Misconfigured Rules
Three possible outcomes when configuring Security Servers:
- connections are allowed that shouldn't be
- connections are dropped that shouldn't be
- the Security Server allows packets that should pass and denies packets that should not
The last condition is obviously the one desired; the first two are typically due to rules that are placed in the incorrect order.

Implementing the TCP Resource
- Supports all TCP services.
- Allows URL screening via a UFP server as well as providing CVP capabilities.
- The UFP server can provide URL verification without using a Security Server; the full URL is not sent to the UFP server, only the IP address of the remote server.

CVP Load Sharing and Chaining

CVP Load Sharing
- Enables a resource to invoke any number of CVP servers.
- Identical servers can be configured to share the load among themselves.

CVP Chaining
- Useful when each CVP server serves a different function.
- The chaining process connects servers for the purpose of stringing functionality together.

Three CVP Servers with Load Sharing

Three CVP Servers in a Chain

Review
Summary
Review Questions

Review Question #1:
What is content security?
Content Security works by inspecting data at the highest protocol level, achieving highly tuned access control to network resources.

Review Question #2:
Content security protects internal networks from what types of hazards?
Computer viruses; Java applets and ActiveX code; undesirable Web content.

Review Question #3:
Can you use VPN-1/FireWall-1 NG's Content Security features without the use of a content vectoring server? Why or why not?
No, a CVP server must be defined in order for VPN-1/FireWall-1 NG's Content Vectoring Protocol to be used. CVP uses a specific port and is designed to reroute data streams to an external server when enabled.

Review Question #4:
What are the steps for setting up anti-virus inspection?
Define the CVP server object, create a resource, define a service rule and install the Security Policy.

Review Question #5:
What does URL filtering provide?
It enables the integration of third-party applications to categorize and control access to specific URL addresses through the OPSEC security management framework.

Module 6:
SYNDefender

Module 6:
Introduction
Objectives
Describe the components and process of a SYN flood attack
Outline how to defend against SYN flood attacks with SYNDefender

Key Terms
SYN flood attack
SYN/ACK
denial of service
backlog queue
SYNDefender

Module 6:
TCP/IP Three-Way Handshake
Normal Handshake

Module 6:
SYN Flood Attack
a network attack
the server's backlog queue will fill

Module 6:
Defending Against SYN Flood Attacks
SYNDefender affords two defences against SYN flood attacks:
SYNDefender Relays Gateway
SYNDefender Passive Gateway

Module 6:
SYNDefender Relays Gateway
using SYNDefender Relays Gateway:
FW-1 intercepts incoming SYN packets
FW-1 sends its own SYN packet to the internal server and sends the server's SYN/ACK reply to the originating external client
FW-1 sends its own final ACK to the server
FW-1 sets a timer to await further response from the external client
if the final ACK packet is received, FW-1 intercepts this and sends its own ACK packet to the internal server
if the client's final ACK packet is not received by FW-1 within the time limit, FW-1 resets the connection with the internal server

Module 6:
SYNDefender Relays Gateway Handshake

Module 6:
SYNDefender Passive Gateway
using SYNDefender Passive Gateway:
FW-1 passes incoming SYN packets
FW-1 passes the server's SYN/ACK reply to the originating external client
FW-1 sets a timer to track further response from the external client
if the final ACK packet is received, FW-1 passes it to the internal server
if the client's final ACK packet is not received by FW-1 within the time limit, FW-1 resets the connection with the internal server
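The relay and passive handshakes above, as an added example that is not part of the course material or of Check Point's software: a constructed Python model of what the gateway does with each handshake message, and with a client whose final ACK never arrives. The addresses, the timeout values and the simulated clock are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Conn:
    client: str
    server: str
    started: int                 # simulated time the client's SYN arrived
    server_state: str            # "half-open", "established" or "reset"
    events: list = field(default_factory=list)


class SynDefender:
    """Toy model of the two SYNDefender modes (constructed example).

    relay:   the gateway completes the handshake with the server itself and
             answers the client; the server never holds a half-open entry.
    passive: SYN and SYN/ACK pass through; the server holds a half-open
             entry until the client's ACK arrives or the gateway resets it.
    """

    def __init__(self, mode: str, timeout: int):
        if mode not in ("relay", "passive"):
            raise ValueError("mode must be 'relay' or 'passive'")
        self.mode = mode
        self.timeout = timeout       # seconds to wait for the client's final ACK
        self.pending = {}            # (client, server) -> Conn awaiting ACK
        self.established = []        # connections handed to the server
        self.reset = []              # half-open connections torn down

    def on_client_syn(self, client: str, server: str, now: int) -> Conn:
        if self.mode == "relay":
            # FW-1 handshakes with the server on the client's behalf, so the
            # server already sees a complete connection
            c = Conn(client, server, now, "established")
            c.events += ["fw->server SYN", "server->fw SYN/ACK",
                         "fw->client SYN/ACK", "fw->server ACK"]
        else:
            # FW-1 only watches: the server's backlog holds a half-open entry
            c = Conn(client, server, now, "half-open")
            c.events += ["client->server SYN (passed)",
                         "server->client SYN/ACK (passed)"]
        self.pending[(client, server)] = c      # in both modes a timer now runs
        return c

    def on_client_ack(self, client: str, server: str, now: int):
        """Client's final ACK. Returns the Conn, or None if no timer is
        pending for it (for example because the gateway already timed it out)."""
        c = self.pending.pop((client, server), None)
        if c is None:
            return None
        if self.mode == "relay":
            c.events.append("client->fw ACK intercepted; fw->server ACK")
        else:
            c.events.append("client->server ACK (passed)")
            c.server_state = "established"
        self.established.append(c)
        return c

    def tick(self, now: int) -> int:
        """Expire connections whose client ACK is overdue; returns how many
        the gateway reset on the internal server."""
        overdue = [k for k, c in self.pending.items()
                   if now - c.started > self.timeout]
        for k in overdue:
            c = self.pending.pop(k)
            c.events.append("timeout: fw->server RST")
            c.server_state = "reset"
            self.reset.append(c)
        return len(overdue)


def half_open_on_server(gw: SynDefender) -> int:
    """How many half-open entries the internal server is currently holding."""
    return sum(1 for c in gw.pending.values() if c.server_state == "half-open")


if __name__ == "__main__":
    # constructed scenario: one well-behaved client and one that never ACKs
    for mode in ("relay", "passive"):
        gw = SynDefender(mode, timeout=10)
        gw.on_client_syn("198.51.100.5", "192.0.2.10", now=0)
        gw.on_client_syn("203.0.113.7", "192.0.2.10", now=0)
        gw.on_client_ack("198.51.100.5", "192.0.2.10", now=1)
        print(mode, "half-open on server before timeout:", half_open_on_server(gw))
        gw.tick(now=11)
        print(mode, "reset by gateway:", [c.client for c in gw.reset])
```

The last part of the scenario is the case from Review Question #3 below: an ACK that takes 20 seconds is lost with a 10 second timer and accepted with a 30 second one.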

Module 6:
SYNDefender Passive Gateway Handshake

Module 6:
Enabling SYNDefender
access from the Advanced section in Properties for your Firewall object

Module 6:
Review
Summary Review Questions

Module 6:
Review Question #1:
What happens to the backlog queue during a SYN attack?
If the backlog queue (or backlog limit) is reached, the network server silently discards all incoming connection requests until the pending connections can be dealt with.

Module 6:
Review Question #2:
What type of packet is the server waiting for to signal the start of a TCP connection with a client?
Permission to talk (SYN)

Module 6:
Review Question #3:
What steps would you take if a client's ACK needed 20 seconds to reach the firewall?
Edit the timeout field in the SYNDefender Global Properties page to reflect the correct time to wait before terminating the connection.

Module 7:
Encryption and Virtual Private Networks

Module 7:
Introduction
Objectives
Explain encryption for Virtual Private Networks. Compare and contrast the common encryption methods. Describe the process for setting up a VPN.

Module 7:
Key Terms
encryption
Virtual Private Network (VPN)
key
plaintext
ciphertext
symmetric encryption
asymmetric encryption
tunneling mode encryption
in-place encryption
digital signature
hash function
message digest
Certificate Authority
encryption algorithm
encryption scheme

Module 7:
How Encryption Works
Overview
Privacy
Symmetric Encryption (shared key)
Symmetric Encryption Disadvantages
Asymmetric Encryption
Diffie-Hellman

Module 7:
How Encryption Works (continued)
Integrity
Authenticity
Two Phases of Encrypted Communication
Encryption Algorithms

Module 7:
How Encryption Works - Overview
For the transfer of sensitive information, Network Systems Administrators must ensure:
Privacy: no one, other than the intended parties, can understand the communication
Integrity: no one is tampering with the communication
Authenticity: no one is sending false communications

VPN-1/FW-1 enables these features through its VPN capability
supporting industry standard algorithms and protocols (such as DES, 3DES and IPSec/IKE)

Module 7:
How Encryption Works Privacy
privacy in communication is achieved using encryption
encryption transforms readable data (cleartext) into an unreadable form (ciphertext)
encryption works by encoding data with encryption software and a secret key
the secret key is known only to the sender and the recipient

Module 7:
Encryption Using a Secret Key

Module 7:
Symmetric Encryption
uses the same key for encoding and decoding
also called shared key encryption

Module 7:
Symmetric Encryption
1. the cleartext message is encrypted, using the shared key
2. the encrypted packet passes through the insecure network
3. on the receiving gateway, the same shared key is used to decrypt the ciphertext

Module 7:
Symmetric Encryption Disadvantages
key exchange problem
the secret key is used both for encryption and decryption
anyone who steals the key and captures encrypted data can decrypt the data
shared keys must be exchanged in a secure manner by some out-of-band method

large number of keys
a different key is required for each pair of correspondents
all possible pairs in 10,000 hosts would require ~50 million keys

Module 7:
Asymmetric Encryption
an alternative approach to encryption that does not depend upon a single shared key
also called public key encryption
usually employs a different pair of keys for each party
called asymmetric encryption because different keys are used for encryption and decryption
asymmetric encryption is used for:
secure key exchange mechanisms
authentication
data integrity checking

Module 7:
Diffie-Hellman Encryption
this asymmetric encryption scheme is often used as a key management facility to create a shared secret
the shared secret can then be used as a session key for symmetric encryption
the shared secret doesn't have to be exchanged
this overcomes the key exchange problem for symmetric encryption
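The Diffie-Hellman exchange above, carried through in Python as an added example (not Check Point's code): the two sides compute the same secret from values that do cross the wire, then derive a session key for a toy shared-key cipher. The group (p, g), the gateway names and the HMAC-based cipher are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for readability, far too small for
# real use): p = 2**31 - 1 is prime and g = 7 is a primitive root modulo p.
P = 2**31 - 1
G = 7


def dh_keypair(p: int = P, g: int = G):
    """Private exponent x (kept secret) and public value g**x mod p (sent)."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p - 2
    return x, pow(g, x, p)


def dh_shared_secret(my_private: int, peer_public: int, p: int = P) -> int:
    """g**(xy) mod p, computed by each side from its own private value only."""
    return pow(peer_public, my_private, p)


def session_key(shared_secret: int) -> bytes:
    """Derive a fixed-length symmetric key from the agreed secret."""
    raw = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(b"session-key" + raw).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    The same call encrypts and decrypts, which is what 'shared key' means."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out += bytes(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def exchange():
    """Run the exchange between two gateways (names assumed: fwoslo and
    fwmadrid); returns what went over the wire and the secret each side
    computed without ever transmitting it."""
    x_oslo, pub_oslo = dh_keypair()
    x_madrid, pub_madrid = dh_keypair()
    on_the_wire = {"p": P, "g": G, "A": pub_oslo, "B": pub_madrid}
    secret_oslo = dh_shared_secret(x_oslo, pub_madrid)
    secret_madrid = dh_shared_secret(x_madrid, pub_oslo)
    return on_the_wire, secret_oslo, secret_madrid


if __name__ == "__main__":
    wire, s_oslo, s_madrid = exchange()
    key = session_key(s_oslo)
    ct = keystream_xor(key, b"constructed payload for net-oslo")
    print("on the wire:", wire)
    print("secrets agree:", s_oslo == s_madrid, "ciphertext:", ct.hex())
    print("decrypted by the peer:", keystream_xor(session_key(s_madrid), ct))
```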

Module 7:
Diffie-Hellman Encryption

Module 7:
How Encryption Works Integrity
to ensure the integrity of a message a hash value is computed
a hash function is a one-way mathematical function that maps variable-length input into a smaller value of a fixed length
the result of the hash function (known as the message digest) is much smaller than the original message but is unique to that message
if any changes occur to the message, the message digest will be different, indicating that the message has been altered

Module 7:
One Way Hash Function (integrity check)

1. the original message is created
2. the original message is processed using a hash function
3. the hash function creates a new compact representation of the original message

Module 7:
Authenticity
to verify that a message actually came from a specific sender and not an imposter, a digital signature is attached to the message
this serves to guarantee the sender's identity
it also serves to validate message integrity
digital signatures are asymmetrically encrypted hash values, encrypted with the sender's RSA private key

Module 7:
Generating a Digital Signature

any information encrypted with the RSA private key can only be decrypted using the corresponding RSA public key
this provides authentication while the message digest provides an integrity check
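The digest-and-signature flow above as an added example, not Check Point's implementation: a toy RSA key signs a SHA-256 digest, and the verifier detects both a modified message and an imposter's signature. The key sizes (built from well-known Mersenne primes so that no key generation is needed) and the reduction of the digest modulo n are simplifications assumed for readability.

```python
import hashlib


def toy_rsa_key(p: int, q: int, e: int = 65537):
    """Build an RSA key pair from two primes. Returns (public, private) as
    (n, exponent) tuples. Toy sizes only; real keys are 1024 bits and more."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (n, e), (n, d)


# Constructed keys: 2**61-1, 2**31-1 and 2**89-1 are Mersenne primes.
SENDER_PUBLIC, SENDER_PRIVATE = toy_rsa_key(2**61 - 1, 2**31 - 1)
IMPOSTER_PUBLIC, IMPOSTER_PRIVATE = toy_rsa_key(2**89 - 1, 2**61 - 1)


def message_digest(message: bytes, n: int) -> int:
    """One-way hash of the message (SHA-256), reduced modulo n so that it
    fits the toy key. A real scheme pads the full digest instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """Digital signature: the digest 'encrypted' with the sender's private key."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key and compare it with a fresh
    digest: a match proves who signed (authenticity) and that nothing in the
    message changed in transit (integrity)."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def check_delivery(message: bytes, signature: int, public_key) -> str:
    if verify(message, signature, public_key):
        return "accepted"
    return "rejected: altered message or signature not from the claimed sender"


if __name__ == "__main__":
    msg = b"constructed message: transfer 100 to account 42"
    sig = sign(msg, SENDER_PRIVATE)
    print("genuine:", check_delivery(msg, sig, SENDER_PUBLIC))
    print("tampered:", check_delivery(msg.replace(b"100", b"900"), sig, SENDER_PUBLIC))
    print("imposter:", check_delivery(msg, sign(msg, IMPOSTER_PRIVATE), SENDER_PUBLIC))
```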

Module 7:
IKE Encryption Scheme
encryption schemes consist of:
a key management protocol for generating and exchanging keys
an encryption algorithm for encrypting messages
an authentication algorithm for ensuring integrity

Module 7:
IKE Encryption Scheme
IKE
Key Management Protocol: industry standard protocol for VPN key management
Encryption Algorithm: DES (3DES for key encryption), CAST, AES
Authentication Algorithm: HMAC-MD5, HMAC-SHA-1
Encryption is: encapsulated; the traffic encryption is IPSec

Module 7:
Encryption algorithms
DES (Data Encryption Standard)
symmetric key encryption method using a 56-bit key
allows interoperability with other compliant firewalls

Triple DES
addresses security concerns by using three different DES keys in succession
equivalent to a DES key length of 168 bits

Module 7:
Encryption algorithms
AES (Advanced Encryption Standard)
new federal encryption standard for sensitive (unclassified) information
will be widely used by bodies outside the US in some cases
the AES encryption algorithm is Rijndael (pronounced "rain doll")
a key length of between 128 and 256 bits is supported
more key bits equates to stronger encryption

Module 7:
Encryption algorithms
CAST cipher
similar to DES
the VPN-1/FW-1 implementation uses a 40 bit key length
the CAST algorithm supports variable key lengths (between 40 and 128 bits)
CAST is faster than DES and 3DES
CAST is less strong than DES for comparable key lengths

Module 7:
IKE (Internet Key Exchange) ISAKMP/Oakley
ISAKMP (the Internet Security Association and Key Management Protocol)
encryption standard of the IETF
provides a framework for transferring keys and authenticating data
independent of the encryption and authentication methods

Module 7:
IKE (Internet Key Exchange) ISAKMP/Oakley
Oakley
protocol used to establish strong cryptography-based keys used for encrypting data
Oakley defines how users select the prime number groups for the Diffie-Hellman key exchange
keys can be derived from the Diffie-Hellman keys or from an existing encryption key
Oakley allows IPSec to use secret key and certificate-based authentication

Module 7:
IKE ISAKMP/Oakley in VPN-1/FW-1
the ISAKMP/Oakley process is done in two phases
each phase uses the encryption and authentication agreed by the two computers during initial negotiation

Module 7:
IKE ISAKMP/Oakley in VPN-1/FW-1
Phase 1 : ISAKMP SA negotiation
peers negotiate a Security Association that will be used for encryption and authentication in phase 2
the SA includes the encryption method, authentication method, and keys

Phase 2 : IPSec SA negotiation
the SA agreed in phase 1 is used to negotiate an SA for encrypting the IPSec traffic
keys may be modified many times during the lifetime of a connection by re-performing Phase 2
phase 2 provides additional protection by refreshing the keys to ensure reliability of the SAs and prevent man-in-the-middle attacks

Module 7:
Tunneling-Mode Encryption
IKE uses tunneling-mode encryption that encapsulates the entire packet
new protocol headers are added to the wholly-encrypted packet
packet size is increased
this degrades network performance but increases security

Module 7:
Review
Summary Review Questions

Module 7:
Review Question #1:
What is a shared key used for?
A shared key (or symmetric encryption) is used primarily for faster encryption performance.

Module 7:
Review Question #2:
Explain how data is protected in a Virtual Private Network.
Encryption allows communication via a virtual private network, which is a private network that provides secured connections between points where encrypted data travels through the Internet.

Module 7:
Review Question #3:
What is the difference between tunneling mode and in-place encryption? Which is best for your network?

Tunneling mode encryption embeds its own network protocol within a packet's TCP/IP headers.

Module 7:
Review Question #4:
How are asymmetric and symmetric encryption different?
Asymmetric encryption uses separate keys for encrypting and decrypting.
Symmetric encryption uses the same key for encrypting and decrypting.

Module 8:
Certificate Authorities

Module 8:
Introduction
Objectives
Describe Certificate Authority deployment using an internal CA
Describe Certificate Authority deployment using an external CA

Key Terms
Certificate Authority (CA)
Certificate Revocation List (CRL)
Internal Certificate Authority

Module 8:
Using Certificates
Overview
Enabling and Trusting Certificates
Using Multiple Certificate Authorities
Certificate Authority Hierarchy
SecureClient CAs with Users

Module 8:
Using Certificates Overview
a Certificate Authority (CA) issues certificates to entities (users or hosts)
the certificates are used to identify the entity by providing verifiable information about them
a certificate might include a Distinguished Name (DN), public key and IP address
having exchanged and validated certificates, entities can encrypt communication between them using the public keys contained in the certificates
two types of entity can use certificates in VPN-1/FW-1:
encrypting gateways
SecuRemote clients

Module 8:
Enabling and Trusting Certificates
For VPN-1/FW-1 to use certificates:
1. determine which Certificate Authorities to use, contact them and load any specific software they require
2. define the Certificate Authority to VPN-1/FW-1
3. generate the certificates using the steps that apply to that specific type of CA

Module 8:
Enabling and Trusting Certificates
the VPN-1/FW-1 IKE implementation supports X.509 digital certificates provided by the following PKI implementations:
Check Point VPN-1 Certificate Manager
OPSEC PKI vendor
Entrust Technologies
Internal Certificate Authority on a Check Point Management Module

Module 8:
Using Multiple Certificate Authorities
small networks may only require a single Certificate Authority
enterprise networks that authenticate and encrypt communications with branches, vendors and customers that use different CAs may need to use multiple Certificate Authorities
enterprise VPNs must be able to:
acquire and recognise different certificates
trust more than one CA
acquire more than one certificate for an entity

Module 8:
Certificate Authority Hierarchy
where a CA's certificate is issued by another CA, only the highest level trusted CA needs to be defined, even if there are other CAs higher up in the hierarchy
certificates issued by a CA subordinate to a trusted CA are also trusted

Module 8:
CA Hierarchy
here, CA-US is trusted by Gateways A and B, so both gateways will also trust CA-NY and CA-TX
if Gateway A has a certificate issued by CA-TX and Gateway B has a certificate issued by CA-NY, then the two gateways will accept each other's certificates

Module 8:
SecureClient CAs with users
when a SecureClient user and a site authenticate using a certificate, the SecureClient trusts only the CA that signed the user's certificate
if the certificate is signed by a different CA the authentication will fail, regardless of any existing certificate hierarchy
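The CA hierarchy and the SecureClient rule above, as an added example (not Check Point code) that checks both policies against a constructed certificate store: the gateway policy walks issuers upward until it reaches a trusted CA, while the SecureClient check, as assumed here, accepts a site's certificate only when its issuer is the CA that signed the user's own certificate. CA-ROOT (a CA above CA-US) and the user Bob are names added for the example; signatures and CRLs are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str      # name of the CA that signed this certificate


# Constructed certificate store: the hierarchy from the slide (CA-US with
# subordinates CA-NY and CA-TX), an assumed CA-ROOT above CA-US, the two
# gateways and a SecureClient user 'Bob'.
CERTS = {
    "CA-ROOT":   Cert("CA-ROOT", "CA-ROOT"),   # self-signed root
    "CA-US":     Cert("CA-US", "CA-ROOT"),
    "CA-NY":     Cert("CA-NY", "CA-US"),
    "CA-TX":     Cert("CA-TX", "CA-US"),
    "Gateway A": Cert("Gateway A", "CA-TX"),
    "Gateway B": Cert("Gateway B", "CA-NY"),
    "Bob":       Cert("Bob", "CA-NY"),
}


def trust_path(cert, trusted_cas, certs=CERTS, max_depth=8):
    """Gateway policy: walk the issuer chain upward and return the CA names
    passed until a trusted CA is reached, or None when none is reached
    (unknown issuer, untrusted self-signed root, or a chain that is too long)."""
    path = []
    issuer = cert.issuer
    for _ in range(max_depth):
        path.append(issuer)
        if issuer in trusted_cas:
            return path
        ca = certs.get(issuer)
        if ca is None or ca.issuer == ca.subject:
            return None
        issuer = ca.issuer
    return None


def gateway_trusts(cert, trusted_cas, certs=CERTS) -> bool:
    """True when a trusted CA is the issuer, or sits anywhere above it:
    only the highest trusted CA has to be defined on the gateway."""
    return trust_path(cert, trusted_cas, certs) is not None


def secureclient_trusts(site_cert, user_cert) -> bool:
    """SecureClient policy as described on the slide (assumed reading): only
    the CA that signed the user's own certificate is trusted, whatever the
    hierarchy above it."""
    return site_cert.issuer == user_cert.issuer


if __name__ == "__main__":
    a, b = CERTS["Gateway A"], CERTS["Gateway B"]
    print("Gateway A accepts B's certificate via:", trust_path(b, {"CA-US"}))
    print("Gateway B accepts A's certificate via:", trust_path(a, {"CA-US"}))
    print("Bob (CA-NY) to Gateway B (CA-NY):", secureclient_trusts(b, CERTS["Bob"]))
    print("Bob (CA-NY) to Gateway A (CA-TX):", secureclient_trusts(a, CERTS["Bob"]))
```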

Module 8:
Certificate Authority Deployment
Local Certificate Authority
Certificate Authority Service via the Internet
Internal Certificate Authority

Module 8:
Local Certificate Authority
in this configuration, the Certificate Authority and the Certificate Revocation List (CRL) repository are local servers managed by the administrator at HQ
SecuRemote users do not have access to the LDAP servers and cannot download CRLs
the VPN-1/FW-1 Management Module manages keys and certificates for the VPN-1/FW-1 modules
the certification process involves interaction between the VPN-1/FW-1 Management Module and the Certificate Authority

Module 8:
Local CA scenario
the VPN-1/FW-1 modules create a VPN between them using authentication via certificates
SecuRemote user Bob generates a key pair on his own, contacting the CA to receive his certificate
he uses his key and certificate to establish a VPN between his PC and any of the offices
the SecuRemote software requires that the CRL be sent to it
IKE negotiation will fail if a valid CRL is not sent as part of the negotiation

Module 8:
Local CA scenario

Module 8:
CA Service via The Internet
in this configuration, the CA and CRL HTTP server are accessed over the Internet
the VPN-1/FW-1 Management Module manages keys and certificates for the VPN-1/FW-1 modules
the certification process involves interaction between the Management Module and the Certificate Authority
the two VPN-1/FW-1 modules establish a VPN between them using authentication via certificates
SecuRemote user Bob generates a key pair on his own, contacting the CA directly to receive a certificate
Bob can then use his key and certificate to establish a VPN between his PC and any of the offices

Module 8:
CA Service via The Internet

Module 8:
Internal Certificate Authority (ICA)
the ICA is a fully featured authentication server that is installed on a Check Point Management Module
the ICA allows administrators to configure a security solution without need for third-party software
the ICA can be used in the following situations:
establishing SIC between Check Point components, including OPSEC applications
providing certificates for users and administrators
authenticating SecuRemote and SecureClient traffic to VPN-1/FW-1 modules for VPN operation
using hybrid mode RAS VPN for authenticating VPN-1/FW-1 modules to SecuRemote and SecureClient users
establishing site-to-site VPNs between VPN-1 modules

Module 8:
Certificate Authority Public Keys
the actions taken by the CA include:
1. a sender sends their public key to the CA in a secure manner
2. the CA signs the public key with its own private key (creating a CA public key)
3. the CA creates a certificate with its private and public keys

the receiver then authenticates the sender's public key by matching the CA public key to the CA private key used on the certificate

Module 8:
Generating a Certificate

Module 8:
Certificate Authority Public Keys
a certificate is issued by a trusted CA and includes
a person's or host's unique id (e.g., an LDAP Distinguished Name)
the person's public key
the CA's unique identifier
an expiration date
a digital signature signed with the CA's private key

Module 8:
Encryption Demonstration

Module 8:
Lab 12:

Module 8:
Review
Summary Review Questions

Module 8:
Review Question #1:
What kinds of entities can identify themselves using certificates?
Encrypting gateways, when encrypting with other encrypting gateways, or with SecuRemote Clients and the site confirming each others identities

Module 8:
Review Question #2:
How many certificates can an entity have from each Certificate Authority?
Only one

Module 8:
Review Question #3:
When connecting with SecuRemote, why will IKE connections fail if a valid CRL is not sent as part of the negotiations when using an internal Certificate Authority?
The SecuRemote software mandates that the CRL be sent to confirm that the certificate has not been revoked.

Module 9:
Configuring VPNs

Module 9:
Introduction
Objectives
Demonstrate gateway-to-gateway encryption using IKE with shared secrets.
Demonstrate gateway-to-gateway encryption using IKE with certificates.
Discuss the configuration of VPNs using the Simplified VPN Setup.
Discuss the configuration of extranets using the Extranet Management Interface.

Key Terms
pre-shared secret
VPN site
VPN community
Mesh
Star

Module 9:
IKE
Gateway-to-Gateway Configuration
Specifying Encryption

Module 9:
Gateway-to-Gateway Network Configuration
e.g., three private networks connected via VPNs

encryption takes place over the public part of the network (the Internet)
fwoslo and fwmadrid are the encryption/decryption points

Module 9:
Specifying Encryption requires answers to three questions:
who will encrypt?
the encryption gateways and their domains

what are the encryption keys?
IPSec secures the connection
IKE negotiation must take place before encryption can begin
gateways use pre-shared secrets or certificates

what connection will be encrypted and how?
a rule is required in the rulebase specifying that communication between the gateways should be encrypted
each rule specifies IKE encryption parameters

Module 9:
The Virtual Private Network
a VPN is a private network that overlays onto the Internet
this supports a secure communication link between partners
VPNs are fast replacing more expensive leased lines, frame relay circuits and other forms of dedicated connections

Module 9:
Types of VPNs
Intranet VPNs Remote Access VPNs Extranet VPNs

Module 9:
Intranet VPNs
built to handle secure communication between internal departments and branch offices
intranet VPN design requirements include:
strong data encryption to protect confidential information
reliability for mission-critical systems (e.g., database management)
scalable to accommodate growth and change

Module 9:
Intranet VPN

Module 9:
Remote Access VPNs
built to handle secure communication between a corporate network and remote or mobile employees
remote access VPN design requirements include:
strong authentication to verify remote and mobile users
centralised management
scalable to accommodate user groups

Module 9:
Remote Access VPN

Module 9:
Extranet VPNs
built to handle secure communication between a company and its strategic partners, customers and suppliers
extranet VPN design requirements include:
Internet Protocol Security standard (IPSec)
traffic control to prevent network access point bottlenecks
fast delivery and response times for critical data

Module 9:
Extranet VPN

Module 9:
VPN Implementation
a complete VPN implementation supports all three types of VPN
the complete VPN must include three critical components:
Security: including access control, authentication and encryption
QoS: VPN traffic control should include bandwidth management and VPN acceleration to ensure QoS
Performance and management: should include policy based management

Module 9:
Complete VPN

Module 9:
VPN Setup
Understanding VPN Deployment VPN-1 Pro Configuration Configuring Logging for VPN Traffic

Module 9:
Understanding VPN Deployment
Check Point's VPN management model now enables administrators to directly define a VPN on a group of gateways
this uses a new entity called a VPN Site
this is different from sites defined in SecuRemote or SecureClient
VPN Sites can be grouped to create VPN Communities
this model simplifies the process of defining VPNs

Module 9:
Two Gateway Network Configuration
two private networks are connected to the Internet through firewalled gateways
using the simplified VPN model, net-oslo and net-madrid are defined as VPN Sites and incorporated into a VPN Community

Module 9:
VPN-1 Pro Configuration
VPN configuration modes are found in the VPN-1 Pro pages of the Global Properties:
Simplified mode to all new Security Policies: separates the VPN policy from the Firewall policy
Traditional mode to all new Security Policies: disables VPN Communities and allows the use of Regular Mode only
Traditional or Simplified mode per new Security Policy: allows the creation of the regular VPN Rule Base in addition to the Simplified VPN Rule Base

Module 9:
Configuring Logging for VPN Traffic
the Log and Alert page of the Global Properties window has track options for VPN traffic
options include:
VPN successful key exchange
VPN packet handling errors
VPN configuration and key exchange errors
these options are set to Log by default

Module 9:
Two Gateway IKE Encryption Configuration

Module 9:
Lab 13:

Module 9:
Exporting ICA Certificates
before attempting to configure an IKE VPN using certificates you must export the ICA certificate from your Management Module:
1. edit the Internal_CA object representing your CA server
2. configure the Local Management server tab
3. click the Save As button and save the certificate for export
4. send the certificate to your VPN partner to complete the VPN configuration

Module 9:
Defining Certificate Authorities
when an IKE VPN with certificates has been established, you can create a new server object to represent your partner's CA
the following types of Certificate Authority can be created:
Entrust PKI
VPN-1 Certificate Manager
OPSEC PKI
External Management Server

Module 9:
IKE Encryption Using Certificates

Module 9:
Lab 14:

Module 9:
Extranet Management Interface
Check Point's extranet management simplifies extranet definition and maintenance
gateways at two (or more) sites are extranet-enabled
they each have an Extranet Resolution Server
this allows each site to export network object definitions to partner gateways
rules supporting specific traffic between the sites can then be defined, with encrypt as the action in the rules

Module 9:
Extranet Management Interface
in My Site, Gateways B and C take part in the extranet - each has an Extranet Resolution Server
the network objects available for export are defined by each gateway's encryption domain
the Partner's Site has one extranet-enabled gateway with relevant objects available for export
encrypted communication could be established between a Mail Server in My Site and the Mail Server in the Partner's Site
this requires an appropriate rule in the policy of each site

Module 9:
Establishing an Extranet Community
set up an extranet community environment
define general properties of the extranet community
define the network objects that will be exported to your extranet partner(s)
define your extranet partner(s) and import their network objects
integrate network objects, imported from extranet partners, into your security policy rule base
your partner(s) will also complete these steps

Module 9:
Extranet-Enabled Gateway Configuration
the extranet page of the gateway's object must be configured before attempting to create an extranet community
this requires that you check the Extranet Enabled Gateway box for your gateway object
this also makes the object available for export to an extranet partner

Module 9:
Configuring an Extranet Community
Use the following steps:
1. complete the configuration of your extranet environment
2. verify that your partner has completed configuration for their extranet
3. define and identify your partner in the General page of the Extranet Partner Properties screen
4. select objects from your encryption domain that are exportable to your partner
5. install the Security Policy
6. your partner defines you as an extranet partner and imports your exportable network objects
7. your partner installs their Security Policy
8. import your partner objects
9. install the Security Policy

Extranet communities can only be set up in the Traditional mode of the Rule Base

Module 9:
Configuring Extranet Rules in the Security Policy
extranet community rules can be configured in a Traditional mode Rule Base
rules enable traffic and encryption between objects in the extranet communities
two types of extranet community rules:
Specific Rules
General Rules

Module 9:
Extranet community rules
specific
contain specific objects imported from the external extranet partner
specified using the @ symbol in the source or destination column

general
uses the *Any icon in the source or destination column of the rule
any traffic originating from imported or exported objects going to the specific item in the other column (source or destination) will be encrypted

Module 9:
Establishing an Extranet

Module 9:
Lab 15:

Module 9:
Review
Summary Review Questions

Module 9:
Review Question #1:
What is a pre-shared secret?
An attribute of a pair of entities. If a pre-shared secret is defined for a pair of gateways, IKE key negotiations between the gateways will use the pre-shared secret to authenticate each other before exchanging keys in Phase 1.

Module 9:
Review Question #2:
When VPN-1/FireWall-1 NG accepts a certificate from an external gateway, where is the external gateway defined?
The external gateway is defined to the Management Station, and the Management Station must trust the external gateway's certificate and match it.

Module 9:
Review Question #3:
When using the Simplified VPN Setup, what are the three main steps to using the Simplified VPN Setup mode?
Define the Intranet VPN Community by selecting participants and encryption schemes.
Create the new Security Policy.
Define your enterprise access control rules.

Module 9:
Review Question #4:
Encrypted connections between network objects on either side of an extranet will occur only when...?
Specific objects have been designated in the Security Policy Rule Base on each side.

Module 10:
VPN Client-SecuRemote

Module 10:
Introduction
Objectives
Demonstrate how to define SecuRemote users Demonstrate how to deploy SecuRemote in an IKE VPN Demonstrate how to configure and test SecuRemote using IKE

Key Term
SecuRemote Service

Module 10:
SecuRemote
Using SecuRemote Configuring SecuRemote Traditional Mode Rule Base Configuration Simplified Mode Rule Base Configuration

Module 10:
Using SecuRemote
typical uses for SecuRemote are:
specific users can be allowed encrypted access to sensitive data on the network
a server can be set up to provide encrypted information to customers only
remote users can communicate with firewalled networks without installing VPN-1/FW-1 at the remote site
basic network access (email, Internet and Intranet) can be provided to remote employees
private secure workgroups can be created on internal networks using VPN-1 SecuRemote and an encryption enabled application server

Module 10:
Using SecuRemote
what SecuRemote does:
encrypts data before it leaves a remote computer
transparently encrypts any TCP/IP communications
interfaces with any NDIS interface and TCP/IP stack
enables access for VPN-1/FW-1 SecuRemote users through the Policy Rule Base
enforces security features, including authentication, logging and alerts, on VPN-1/FW-1 SecuRemote connections
includes support for dynamic IP addressing
includes stronger authentication using Diffie-Hellman and RSA algorithms
supports user authentication by means of certificates, RADIUS, S/Key, password, etc.
supports IKE encryption using DES, 3DES, AES-128 or AES-256

Module 10:
Configuring SecuRemote
implement Check Point Remote Access VPN encryption on the network
obtain a SecuRemote license for your network
SecuRemote servers are licensed, SecuRemote clients are license-free
define the users that will be allowed access, and the authentication to be used
install SecuRemote Client on all users' computers
define SecuRemote connection rules in the Policy Rule Base

Module 10:
Example Network
SecuRemote is installed on Bob's and Anna's machines, and a User Authentication rule is defined in the Firewall policy
Bob and Anna can connect to net-oslo using their own names and passwords

Module 10:
Configuring a Remote Access VPN
Configuring a Remote Access VPN Community Remote Access Community Properties

Module 10:
Configuring a Remote Access VPN Community
Remote Access Community allows administrators to define the gateways and user groups for SecuRemote and SecureClient communications:
1. verify that each participant gateway has FP-1 installed
2. verify that each gateway's VPN Domain has been configured in the Topology page of the Workstation Properties
3. edit the default Remote Access VPN object in the VPN Manager
4. configure the Participating Gateways page to include all gateways that the remote client can connect to
5. configure the Participating User Groups page to include all user groups for the remote users
6. configure the rule to allow the SecuRemote or SecureClient traffic access to the encryption domain

Module 10:
Remote Access Community Properties
encryption properties for Remote Access VPN are defined in the General and Participant Gateways and Participant user groups pages of the Remote Access Community Properties screen

Module 10:
Global Properties Settings
Remote Access Settings
SecuRemote/SecureClient properties are also set in the Remote Access section of the Global Properties window, e.g.:
topology update settings
authentication timeout
caching of static passwords

Module 10:
Defining SecuRemote Users

Module 10:
Structure of a SecuRemote Connection
Topology Authentication Key Exchange

Module 10:
Topology
before a SecuRemote connection can take place, the SecuRemote client must get information about the sites to which it will connect:
a user can define a site and then download the site information (topology)
the system administrator can prepare a standard userc.c file for SecuRemote users, predefining the sites for them

Module 10:
Authentication
when a SecuRemote client first connects to a site (and also after a password has expired), the user must authenticate to the VPN-1/FW-1 module
the authentication method depends on the encryption method used for the connection
the available encryption methods are determined by the versions of SecuRemote and VPN-1/FW-1 being used

Module 10:
Key Exchange
once the user has authenticated, the SecuRemote client and the SecuRemote server exchange encryption keys
after exchanging encryption keys the connection starts, encrypted according to the encryption scheme being used:
FWZ for pre-NG FP2
IPSec for IKE

Module 10:
Routing Considerations
the default routing must ensure that reply packets (returning to the SecuRemote client) are routed through the same encrypting gateway through which the original packets were delivered

Module 10:
Configuring SecuRemote in an IKE VPN

Module 10:
VPN-1 SecuRemote Client
is made up of a kernel module and a daemon
the kernel module is an NDIS driver installed between the TCP/IP stack and the network adaptor
this module filters all TCP/IP traffic passing through the PC
the SecuRemote daemon is both
a Win32 service that runs when Windows starts, and
a Win32 application that starts when a user logs in and stops when the user logs out

Module 10:
Installing SecuRemote

Module 10:
Lab 18:

Module 10:
Using SecuRemote in an IKE VPN

Module 10:
Lab 19:

Module 10:
Review
Summary
Review Questions

Module 10:
Review Question #1:
What are the two VPN-1 encryption schemes that SecuRemote supports?

IKE using DES, 3DES or AES; and FWZ using DES or FWZ1

Module 10:
Review Question #2:
What is the name of the file on the SecuRemote user that contains site topology configuration information?

Userc.c.

Module 11:
Desktop Security - SecureClient

Module 11:
Introduction
Objectives
Discuss the benefits of Client Encryption inside the LAN.
Demonstrate how to set up the Policy Server.
Demonstrate how to configure Workstation Properties for a Policy Server.
Demonstrate how to configure a Policy Server and SecureClient Rule Base.

Module 11:
Introduction
Objectives (continued)
Demonstrate how to install SecureClient.
Demonstrate SecureClient and the Policy Server in a VPN using encryption.

Key Terms
Policy Server
SecureClient
Desktop Policy
Secure Configuration Verification
explicit login
implicit login
Software Distribution Server

Module 11:
VPN-1 SecureClient
an extension to SecuRemote that allows desktop users to download Desktop Policies from Policy Servers
once such a policy has been downloaded, the SecureClient software is enabled and manages desktop traffic according to the Policy rules
the configuration of SecureClient machines can be verified using Secure Configuration Verification (SCV) on the firewalled gateway
access is denied to SecureClient machines that are misconfigured

Module 11:
SecureClient overcomes the security risk of a hijacked SecuRemote connection

Module 11:
Securing Internal Networks with SecureClient

Module 11:
Securing a LAN with VPN-1 SecureClient

SecureClient can provide security for traffic originating inside and outside the LAN

Module 11:
Licensing
SecureClient needs two separate licenses
user license: contains a maximum user count and is installed on a VPN-1/FW-1 Management Server
Policy Server license: installed on each Policy Server's VPN-1/FW-1 Module

Module 11:
Global Properties Settings
Remote Access Settings
Client Encrypt
Client Authentication

Module 11:
Remote Access Settings
SecuRemote/SecureClient properties are also set in the Remote Access section of the Global Properties window, e.g.,
topology update settings
authentication timeout
caching of static passwords

Module 11:
Client Encrypt
by applying a rule whose action is Client Encrypt, the network is protected from someone in control of an unprotected SecuRemote machine
in the Client Encrypt rule's User Encryption Action Properties window, check Apply Rule Only if Desktop Configuration Options are Verified
this combination allows you to avoid the risk of an unprotected user connecting to the Internet from the protected network
in the Client Authentication rule's Client Authentication Action Properties window, check Verify Secure Configuration on Desktop

Module 11:
SecureClient Policy
the Desktop Security tab of the Policy Editor allows the creation of a rule base for SecureClients
rules may specify logging or alerts
logs may also be viewed on the client machine using the SecureClient log viewer
each rule must be assigned to one or many user groups
different rules may apply to different user groups
SecureClient only enforces rules that apply to the current user's group
the Policy Editor separately displays inbound and outbound Desktop Security rules

Module 11:
Installing Desktop Policies
when the Desktop Security Policy is installed on the gateway, the Policy Servers receive the policies they will install on SecureClients
this policy is installed on the client when the user logs on to the Policy Server

Module 11:
Desktop Policies
Desktop Policies are made up of:
Filename - Description
local.dt - the Desktop Security Policy installed on SecureClient
local.scv - defines which desktop components are used for Secure Configuration Verification
user groups file - contains a list of the groups to which the user belongs
local.lp - defines how SecureClient will log events and upload them to the Policy Server

Module 11:
Configuration Violation Notification
the firewall can verify that the SecureClient is properly configured before applying a Security Policy rule whose action is either Client Encrypt or Client Auth
a misconfigured client is denied access under the rule
the configuration components verified are those checked in the Desktop Security page of the Global Properties window

Module 11:
Secure Configuration Violation
the SecureClient machine is considered misconfigured if:
one or more SCV DLLs (SCV checks) that are enabled in the SCV Policy report failure
there is no SCV policy (local.scv file) on the client machine
the local.scv file is either corrupted or misconfigured
the user selected Disable Policy or deleted the site
the SCV policy has timed out and the user has not logged on to a Policy Server
one or more SCV checks specified by the SCV policy are missing or misconfigured on the client machine

Module 11:
Secure Configuration Violation
SecureClient obtains the local.scv file when the user logs on to a Policy Server
after Desktop Policies have been downloaded, SecureClient updates the Policy Server about its status every minute using UDP keep-alive packets
if the Policy Server is protected by a FW-1 gateway, the FW-1_scv_keep_alive service (UDP port 18233) must be added to allow the keep-alive packets through

Module 11:
SCV Enforcement
the following occurs when the VPN-1/FW-1 Inspection Engine matches a new connection on a Client Encrypt or Client Auth rule that requires Desktop Verification (SCV):
the VPN-1/FW-1 Module holds the packet
the VPN-1/FW-1 Module sends an ICMP destination unreachable packet to the SecureClient machine; this tells the SecureClient that the VPN-1/FW-1 Module requires the current Secure Configuration state of the client machine
SecureClient starts sending UDP keep-alive packets containing its SCV state every 20 secs for 5 minutes (configurable)
the firewall module accepts or drops the connection according to the client's SCV state
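The SCV enforcement flow above, together with the misconfiguration conditions listed under Secure Configuration Violation, as an added Python model (not Check Point code): the 20 s / 5 min timings, UDP port 18233 and the violation reasons come from the slides, while the record layout and the rule that a connection whose client never reports is dropped are assumptions made here.

```python
# Added example, not Check Point code: a model of the SCV enforcement flow.
# Timings, port and violation conditions come from the slides; the data
# structures and the "no report means drop" rule are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

KEEPALIVE_INTERVAL = 20        # seconds between SCV keep-alive reports
KEEPALIVE_WINDOW = 5 * 60      # the client keeps reporting this long (configurable)
SCV_KEEPALIVE_PORT = 18233     # UDP; the FW-1_scv_keep_alive service


@dataclass
class ScvClientState:
    """What a SecureClient reports about its own Secure Configuration."""
    has_scv_policy: bool = True            # local.scv present on the client
    scv_policy_valid: bool = True          # local.scv parsed and consistent
    policy_disabled_or_site_deleted: bool = False
    scv_policy_timed_out: bool = False     # timed out with no Policy Server logon
    # enabled SCV check name -> True (pass), False (fail) or None (check missing)
    checks: Dict[str, Optional[bool]] = field(default_factory=dict)


def scv_violations(state: ScvClientState) -> List[str]:
    """Reasons the desktop counts as misconfigured; an empty list means verified."""
    reasons = []
    if not state.has_scv_policy:
        reasons.append("no local.scv on client")
    elif not state.scv_policy_valid:
        reasons.append("local.scv corrupted or misconfigured")
    if state.policy_disabled_or_site_deleted:
        reasons.append("user disabled policy or deleted the site")
    if state.scv_policy_timed_out:
        reasons.append("SCV policy timed out without Policy Server logon")
    for name, result in state.checks.items():
        if result is None:
            reasons.append(f"SCV check {name} missing or misconfigured")
        elif result is False:
            reasons.append(f"SCV check {name} reports failure")
    return reasons


def enforce_connection(reports: List[Tuple[int, ScvClientState]]) -> Tuple[str, str]:
    """Gateway side of an SCV-enforced Client Encrypt / Client Auth match.

    The packet is held and an ICMP destination unreachable is sent to the
    client; `reports` are the UDP keep-alives it answers with, given as
    (seconds after the hold, reported state). The first report that arrives
    inside the keep-alive window decides. Returns (decision, reason)."""
    for elapsed, state in sorted(reports, key=lambda r: r[0]):
        if elapsed > KEEPALIVE_WINDOW:
            break
        reasons = scv_violations(state)
        if reasons:
            return ("drop", "; ".join(reasons))
        return ("accept", f"SCV verified after {elapsed}s")
    # Constructed assumption: a held connection that is never vouched for is dropped.
    return ("drop", "no SCV report within window")
```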

Module 11:
Defining SecureClient Users

Module 11:
Installing Policy Server

Module 11:
Lab 21:

Module 11:
Desktop Policies
Explicit Login
occurs when a SecureClient user logs on to a Policy Server to download a new or updated desktop policy
this is initiated by the user

Implicit Login
occurs when a SecureClient user does not have an installed policy and tries to communicate through a Policy Server
this is initiated by the Policy Server

Module 11:
Default Policy
the default policy is applied when a SecureClient machine (with an enforced desktop policy) boots up
at this point, before a user logs in, only the rules which apply to all users will apply
rules pertaining to specific user groups will be applied only after the user has logged on to the Policy Server
SecureClient needs to log on to a Policy Server at least once in order to download Desktop Security Policies and enforce a default policy
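An added Python model (not Check Point code) of the rule-selection behaviour described here and under SecureClient Policy: rules are assigned to user groups, only the all-users rules are enforced before a Policy Server logon, and group rules join in afterwards. The rule fields, first-match ordering, the implicit final drop and the sample rule base are assumptions made for the example.

```python
# Added example, not Check Point code: which Desktop Security rules SecureClient
# enforces before and after a Policy Server logon. Rule fields, first-match
# ordering, the final implicit drop and the sample rules are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple
import ipaddress

ALL_USERS = "All Users"


@dataclass(frozen=True)
class DesktopRule:
    direction: str            # "inbound" or "outbound"
    groups: FrozenSet[str]    # user groups the rule applies to
    source: str               # CIDR or "Any"
    destination: str          # CIDR or "Any"
    service: str              # e.g. "tcp/445" or "Any"
    action: str               # "accept" or "drop"
    log: bool = False


def _cidr_match(pattern: str, ip: str) -> bool:
    return pattern == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def active_rules(policy: List[DesktopRule], logged_in_groups: Optional[Set[str]]) -> List[DesktopRule]:
    """Rules in force right now. Before a Policy Server logon (groups is None)
    only the all-users rules apply; afterwards the user's group rules as well."""
    active = []
    for rule in policy:
        if ALL_USERS in rule.groups:
            active.append(rule)
        elif logged_in_groups is not None and rule.groups & logged_in_groups:
            active.append(rule)
    return active


def evaluate(policy: List[DesktopRule], logged_in_groups: Optional[Set[str]],
             direction: str, src: str, dst: str, service: str) -> Tuple[str, bool]:
    """First matching active rule in the given direction wins; returns
    (action, log). A packet matching nothing is dropped and logged (assumption)."""
    for rule in active_rules(policy, logged_in_groups):
        if rule.direction != direction:
            continue
        if (_cidr_match(rule.source, src) and _cidr_match(rule.destination, dst)
                and rule.service in ("Any", service)):
            return rule.action, rule.log
    return "drop", True


# Constructed sample Desktop Security rule base: admins may reach the desktop's
# file sharing from the corporate range; everything else inbound is dropped.
SAMPLE_POLICY = [
    DesktopRule("inbound", frozenset({"Admins"}), "10.0.0.0/8", "Any", "tcp/445", "accept", True),
    DesktopRule("inbound", frozenset({ALL_USERS}), "Any", "Any", "Any", "drop", True),
    DesktopRule("outbound", frozenset({ALL_USERS}), "Any", "Any", "Any", "accept"),
]
```

Before any logon the Admins rule is not active, so the same inbound connection that an Admins user is allowed after logging on is dropped under the default policy.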

Module 11:
IP Forwarding
when a user logs on to the local machine, SecureClient checks if IP forwarding is enabled
if IP forwarding is enabled, the system displays a warning and SecureClient-specific features are disabled
SecureClient then functions as a SecuRemote client until IP forwarding is turned off
SecureClient periodically verifies the status of IP forwarding

Module 11:
SecureClient Example

Module 11:
Configuring the Policy Server

Module 11:
Policy Server Troubleshooting
Other Firewalls
if there are other firewalls along the path connecting the SecureClient and the Policy Server, you should configure the other firewalls to allow connections to pass between them

Module 11:
Time-out
the first time a SecureClient connects to a site, the delay experienced by entering a username and password may cause the application (e.g., telnet) to time-out
in this case, the user should simply restart the application after the authentication has been completed

Module 11:
Data Not Encrypted
this table outlines contexts in which data is not encrypted by SecureClient
Connections in which... | However
a new site is being added or an existing site is being updated | the information is signed
a key is exchanged | the information is signed, and the session key is encrypted
DNS information is exchanged | there is an advanced option to encrypt DNS information exchange
FTP, RealAudio and VDOLive are exchanged (applies to some packets) | these packets contain information needed to open a back connection to the SecureClient
SecureClient is on the local network | a connection is only local if the source and destination IP addresses are both inside the same encryption domain of the same Policy Server

Module 11:
The SecureClient GUI
the SecureClient GUI is basically the same as the SecuRemote GUI but with two key differences:
an additional toolbar icon, Login to a Policy Server; this icon is grey until a successful login to a Policy Server
an additional menu option, a Policy Menu, which contains commands and information related to the host's Desktop Policy

Module 11:
Menu Bar
before attempting to download a Security Policy you must first define the site containing the Policy Server (define a site/create a new site)

the steps for logging on to a Policy Server are:
1. with a site selected in the Sites window, select Login to Policy Server from the Policy Menu
2. select a Policy Server from the list
3. the authentication window will appear
4. complete the user authentication procedure
5. the policy that you receive will remain in effect even if you reboot your computer

Module 11:
Obtaining Site Topology
before a SecureClient connection can be used, you must know the topology of the site to which it will connect
as with SecuRemote, there are two ways the client can obtain a site's topology:
a user can define a site and download the topology; a topology download cannot occur unless Exportable for SecuRemote is enabled on the SecureClient Server
an administrator can provide a userc.c file for SecureClient users; this file contains all of the network topology information for a site

Module 11:
Overlapping Encryption Domains
attempting to add a site whose encryption domain overlaps with an already defined site causes SecureClient to issue a warning
a red cross is placed on the icon for the conflicting site; this indicates that the site is presently disabled
a site can be re-enabled if any conflicting site has been disabled
once re-enabled, and following authentication, SecureClient will encrypt and decrypt communications with the site
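The overlap handling above, plus the "local connection" rule from the Data Not Encrypted table (a flow is local, and so sent in clear, only when both ends sit in the same encryption domain of the same Policy Server), as an added Python model that is not Check Point code. Each site is tied to one Policy Server, so "same site" stands in for "same Policy Server"; the class layout, site names and addresses are constructed.

```python
# Added example, not Check Point code: encryption-domain bookkeeping for a
# SecureClient's site list. Overlapping sites are stored disabled and can be
# re-enabled only once every conflicting site is disabled; a connection is
# local (not encrypted) only when both ends lie inside one site's domain.
# Site names and addresses below are constructed sample data.
import ipaddress
from typing import Dict, List


class Site:
    def __init__(self, name: str, domain_cidrs: List[str]):
        self.name = name
        self.domain = [ipaddress.ip_network(c) for c in domain_cidrs]
        self.enabled = True

    def overlaps(self, other: "Site") -> bool:
        return any(a.overlaps(b) for a in self.domain for b in other.domain)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.domain)


class SiteList:
    """The client's Sites window: named sites, each enabled or disabled."""

    def __init__(self) -> None:
        self.sites: Dict[str, Site] = {}

    def add_site(self, site: Site) -> List[str]:
        """Add a site and return the names of sites it conflicts with.
        With any conflict the new site is stored disabled (the red cross)."""
        conflicts = [s.name for s in self.sites.values() if s.overlaps(site)]
        site.enabled = not conflicts
        self.sites[site.name] = site
        return conflicts

    def disable(self, name: str) -> None:
        self.sites[name].enabled = False

    def try_enable(self, name: str) -> bool:
        """Re-enable a site only if every site conflicting with it is disabled."""
        site = self.sites[name]
        blocked = any(s.enabled and s is not site and s.overlaps(site)
                      for s in self.sites.values())
        if not blocked:
            site.enabled = True
        return not blocked

    def is_local(self, src: str, dst: str) -> bool:
        """Both ends inside the same site's encryption domain: sent in clear."""
        return any(s.contains(src) and s.contains(dst) for s in self.sites.values())

    def needs_encryption(self, src: str, dst: str) -> bool:
        """Destination inside an enabled site's domain and the flow is not local."""
        return (not self.is_local(src, dst)
                and any(s.enabled and s.contains(dst) for s in self.sites.values()))
```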

Module 11:
The SecureClient Icon
the icon appears in the task bar and displays a number of possible system states, including:
normal icon - no desktop policy being enforced
flashing blue lock - SecureClient is logging on to the Policy Server
blue lock - either the default or a user-specific Desktop Policy is being enforced
red lock - a packet is dropped or rejected because a Desktop Policy is being enforced

Module 11:
Passwords
there are two ways a user can preset a password for a site before connecting to the site:
setting a password
using Single SignOn

Module 11:
Setting a Password
select the site for which you want to set your password
select Set Password from the Passwords menu
the authentication window will appear; enter the required information
passwords for all sites can be erased by selecting Erase Passwords from the Passwords menu

Module 11:
Single SignOn
using Single SignOn, users can save their SecureClient username and password
this means the username and password don't have to be entered manually in future
this is only available for password authentication
it is suitable only for SecureClient hosts with only one defined site
Single SignOn has to be enabled and configured prior to use, via the Passwords menu

Module 11:
Disabling Single SignOn
select Disable SSO from the Passwords menu
confirm in the dialogue boxes that follow

Module 11:
SecureClient Considerations
if you modify your network configuration after installing SecureClient, you will have to re-install SecureClient
if you have more than one network adaptor then FW-1 can be bound to all of them
accommodate changes to network adaptors using Re-bind Adaptors from the SecureClient Tools menu; there is no need to re-install SecureClient

Module 11:
SecureClient Files
do not uninstall SecureClient manually; use Add/Remove Programs in Windows
to move SecureClient files:
backup the original files
uninstall SecureClient
re-install SecureClient and select an alternative location for the new install
restore the original files

Module 11:
Upgrading SecureClient
there is an upgrade option that will allow old settings to be retained

Module 11:
Installing SecureClient

Module 11:
Lab 23:

Module 11:
Connect Mode
the initialisation of an encrypted connection between SecuRemote/SecureClient and a VPN-1 gateway is based on the first packet sent from the client to an IP address in the site's encryption domain; this is called Transparent Mode
FP-2 introduces an alternative called Connect Mode
this new mode makes it easier for the user by defining connect and disconnect events
with Connect Mode the user is required to connect to a site before accessing internal network resources requiring encryption from outside the encryption domain, or the connection will be dropped

Module 11:
Connect Mode (2)
to establish the connection, the user connects with a connection profile to a specific VPN-1 gateway and logs on to a Policy Server
SecuRemote/SecureClient performs an IKE key exchange with the gateway and logs on to the Policy Server
thereafter, the user can access internal resources based on the firewall's Security Rule Base

Module 11:
Connection Profiles
Connect Mode uses connection profiles with definitions of sites, preferred gateway (for MEP configurations), preferred Policy Server, etc.
profiles can be configured by the user through the Configuration Connection Profile window
profiles can also be configured by an administrator, exported to a file and imported by the user

Module 11:
Connection Profiles (2)
a default profile is defined for each site
this default is generated when a new site is defined, and its parameters are selected by the user in the window displayed when a new site is created
the profile is configured with:
profile name
profile description
site (organisation)
VPN-1 gateway that SecuRemote/SecureClient will connect to
Policy Servers that SecureClient will log on to
IKE over TCP support for connections using this profile
forcing UDP encapsulation for connections using this profile
Office Mode support

Module 11:
Connection Profiles (3)
after configuring a profile, the user can create a shortcut for the profile on the desktop
to initialise an encrypted connection from SecuRemote/SecureClient to the site, the user can:
double-click on a profile shortcut
click on the SecuRemote/SecureClient system tray icon to select one of the available profiles

to disconnect, the user right-clicks on the system tray icon and selects Disconnect in the status window

Module 11:
Office Mode
this mode allows an organisation to assign internal IP addresses to SecureClient users
this IP address is encapsulated inside the VPN tunnel between the client and gateway
the IP used externally is assigned to the client by the ISP used for the connection
this mode enables administrators to control which IP addresses will be used by remote clients inside the local network

Module 11:
SecureClient Diagnostics Tool
SecureClient Diagnostics is a standalone application included with SecureClient
three viewing modes are available:
Diagnostic Viewer
Policy Viewer
Log Viewer

Module 11:
SecureClient Packaging Tool

Module 11:
SecureClient Packaging Tool

Module 11:
Installing VPN-1 SecureClient with an Executable File

Module 11:
SecureClient Software Distribution
Software Distribution Package
SDS Configuration Utility
Software Distribution Agent

Module 11:
Review
Summary
Review Questions

Module 11:
Review Question #1:
After the initial installation of SecureClient, how can a desktop user be sure that SecureClient has established a connection and downloaded a Desktop Policy from a Policy Server?
The gray Login shortcut icon on the SecureClient toolbar will light up upon the first successful login to a Policy Server

Module 11:
Review Question #2:
Does a Policy Server support user groups? If so, how many?
A Policy Server can support a single user group.

Module 11:
Review Question #3:
In what two ways can SecureClient users download Desktop Policies?
Initiated by the desktop user (explicit login): logging into a Policy Server to download a new or updated desktop policy

Module 11:
Review Question #3: (continued)
Initiated by the Policy Server (implicit login): a SecureClient user without an installed policy tries to communicate with the network, and the Policy Server will install a desktop policy on the desktop.
