8/12/2019 Ccsa - Ngx Training- Vpn_partii_21nov09
1/38
Check Point Security
Administration NGX I
Authorized Check Point Distributor
Module 6: Encryption and Virtual
Private Networks
Check Point Security
Administration
Course Map
Module 1: Check Point Firewall Architecture & Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
Module 6:
Introduction to Site-to-Site VPN
Objectives
Demonstrate gateway-to-gateway encryption using IKE with shared secrets.
Demonstrate gateway-to-gateway encryption using IKE with certificates.
Discuss the configuration of Remote Access using IPSec and SSL VPN.
Key Terms
pre-shared secret
VPN site
VPN community
Mesh
Star
Module 6:
The Virtual Private Network
a VPN is a private network overlaid onto the public Internet
it provides a secure (authenticated and encrypted) communication link between partner sites
VPNs are fast replacing more expensive leased lines, frame relay circuits and other forms of dedicated connections
Module 6: Encryption and Virtual Private Networks
Site-to-Site VPN
Remote Access (client-to-site)
Module 6.a: Site-to-Site VPN
Module 6:
Two Gateway Network Configuration
two private networks are connected to the Internet through firewalled gateways
Module 6:
Types of site-to-site VPNs
Intranet VPNs
Extranet VPNs
Module 6:
Intranet VPNs
built to handle secure communication between internal departments and branch offices
intranet VPN design requirements include:
strong data encryption to protect confidential information
reliability for mission-critical systems (e.g., database management)
scalability to accommodate growth and change
Module 6:
Intranet VPN
Module 6:
Extranet VPNs
built to handle secure communication between a company and its strategic partners, customers and suppliers
extranet VPN design requirements include:
the Internet Protocol Security standard (IPSec), so that the partners' equipment interoperates
traffic control to prevent bottlenecks at network access points
fast delivery and response times for critical data
Module 6:
Extranet VPN
Module 6:
VPN Implementation
a complete VPN implementation supports all types of VPN
the complete VPN must include three critical components:
Security, including access control, authentication and encryption
QoS: VPN traffic control should include bandwidth management and VPN acceleration to ensure QoS
Performance and management, which should include policy-based management
Module 6:
Complete VPN
Module 6:
Understanding VPN Deployment
Check Point's VPN management model now enables administrators to define a VPN directly on a group of gateways
this uses a new entity called a VPN Site
this is different from the sites defined in SecuRemote or SecureClient
VPN Sites can be grouped to create VPN Communities
this model simplifies the process of defining VPNs
Simplified Intranet Setup
Two Basic Types of VPN community
Mesh
Star
Module 6:
Star and Mesh VPN communities
Integrating VPNs into a Rule Base
VPN Rule in a Simplified Rule Base
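The Mesh and Star community types and the VPN column of a simplified rule base, as an added worked example (this is illustrative code written for these notes, not code from the course or from the Check Point product). The gateway names, encryption domains, community names and the three rules are constructed for the illustration; a Star community is modelled with the satellite-to-center tunnels only, plus an optional "mesh the centers" switch.

```python
"""Added example (not Check Point code): Mesh and Star VPN communities and a
simplified rule base whose VPN column names a community.  Gateway names,
encryption domains, community names and rules are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import combinations


@dataclass(frozen=True)
class Gateway:
    name: str
    encryption_domain: tuple  # networks behind the gateway, as CIDR strings


@dataclass
class Community:
    name: str
    kind: str                                       # "mesh" or "star"
    members: list = field(default_factory=list)     # mesh: all participants
    centers: list = field(default_factory=list)     # star: center gateway(s)
    satellites: list = field(default_factory=list)  # star: satellite gateways
    mesh_centers: bool = False                      # star option: centers also mesh

    def tunnel_pairs(self):
        """Unordered gateway pairs between which this community builds tunnels."""
        if self.kind == "mesh":
            return {frozenset(p) for p in combinations(self.members, 2)}
        if self.kind == "star":
            # Satellites talk to the center(s) only; satellite-to-satellite
            # traffic never gets a direct tunnel from a star community.
            pairs = {frozenset((c, s)) for c in self.centers for s in self.satellites}
            if self.mesh_centers:
                pairs |= {frozenset(p) for p in combinations(self.centers, 2)}
            return pairs
        raise ValueError(f"unknown community type {self.kind!r}")

    def covers(self, gw_a, gw_b):
        return frozenset((gw_a, gw_b)) in self.tunnel_pairs()


def gateway_for(ip, gateways):
    """Gateway whose encryption domain contains ip; None if ip is outside all of them."""
    addr = ip_address(ip)
    for gw in gateways:
        if any(addr in ip_network(net) for net in gw.encryption_domain):
            return gw
    return None


@dataclass
class Rule:
    source: str       # CIDR string or "Any"
    destination: str  # CIDR string or "Any"
    vpn: str          # "Any Traffic" or a community name
    service: str      # service name or "Any"
    action: str       # "Accept" or "Drop"


def match_rule(rule, pkt, gateways, communities):
    """True when pkt matches every column of rule, including the VPN column."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if rule.source != "Any" and src not in ip_network(rule.source):
        return False
    if rule.destination != "Any" and dst not in ip_network(rule.destination):
        return False
    if rule.service not in ("Any", pkt["service"]):
        return False
    if rule.vpn == "Any Traffic":
        return True
    # The VPN column names a community: the packet must cross one of that
    # community's tunnels, i.e. travel between two distinct member gateways.
    gw_src, gw_dst = gateway_for(pkt["src"], gateways), gateway_for(pkt["dst"], gateways)
    if gw_src is None or gw_dst is None or gw_src == gw_dst:
        return False
    return communities[rule.vpn].covers(gw_src, gw_dst)


def first_match(rules, pkt, gateways, communities):
    """First-match evaluation: (rule number, action); implicit Drop if no rule matches."""
    for number, rule in enumerate(rules, start=1):
        if match_rule(rule, pkt, gateways, communities):
            return number, rule.action
    return None, "Drop"


# Constructed sample topology: three internal sites in a mesh, one partner in a star.
HQ = Gateway("HQ", ("10.1.0.0/16",))
BRANCH1 = Gateway("Branch1", ("10.2.0.0/16",))
BRANCH2 = Gateway("Branch2", ("10.3.0.0/16",))
PARTNER = Gateway("Partner", ("192.168.50.0/24",))
GATEWAYS = [HQ, BRANCH1, BRANCH2, PARTNER]

INTRANET = Community("Intranet", "mesh", members=[HQ, BRANCH1, BRANCH2])
EXTRANET = Community("Extranet", "star", centers=[HQ], satellites=[PARTNER])
COMMUNITIES = {c.name: c for c in (INTRANET, EXTRANET)}

RULES = [
    Rule("Any", "Any", "Intranet", "Any", "Accept"),                       # 1: any intranet tunnel
    Rule("192.168.50.0/24", "10.1.0.0/16", "Extranet", "http", "Accept"),  # 2: partner web to HQ only
    Rule("Any", "Any", "Any Traffic", "Any", "Drop"),                      # 3: cleanup rule
]

if __name__ == "__main__":
    for pkt in ({"src": "10.2.1.5", "dst": "10.3.7.7", "service": "smtp"},
                {"src": "192.168.50.9", "dst": "10.1.0.80", "service": "http"},
                {"src": "192.168.50.9", "dst": "10.2.1.5", "service": "http"}):
        print(pkt, "->", first_match(RULES, pkt, GATEWAYS, COMMUNITIES))
```

The point to take from running it: a rule whose VPN column names a community matches only traffic that actually passes between two member gateways of that community, so the partner's HTTP to HQ is accepted through the Extranet star, the same HTTP to Branch1 falls through to the cleanup rule because the star has no Partner-to-Branch1 tunnel, and a Branch-to-Branch flow is accepted by the mesh rule without any per-pair rules.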
Module 6:
Two Gateway IKE Encryption Configuration
Module 6:
Lab: Site-to-Site VPN using shared key
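What the shared key actually does inside IKE, as an added worked example for this lab and the certificate lab that follows (illustrative code written for these notes, not code from the course or from the Check Point product). It follows the IKEv1 Phase 1 Main Mode derivations of RFC 2409 section 5.4 for pre-shared-key authentication: both gateways derive SKEYID from the secret and the two nonces, then prove knowledge of it with HASH_I and HASH_R over the public values of the exchange. The Diffie-Hellman public values, ISAKMP cookies, SA payload and identity payloads are constructed placeholder bytes (no real DH exchange is run) and the secrets are illustrative.

```python
"""Added example (not Check Point code): pre-shared-key authentication in an
IKEv1 Main Mode exchange, per RFC 2409 section 5.4.  All exchange values below
are constructed placeholders; no real Diffie-Hellman is performed.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC keyed with `key` using the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)  -- the only place the PSK enters."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid: bytes, ex: dict) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, ex["g_xi"] + ex["g_xr"] + ex["cky_i"] + ex["cky_r"]
               + ex["sai_b"] + ex["idii_b"])


def hash_r(skeyid: bytes, ex: dict) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, ex["g_xr"] + ex["g_xi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])


def constructed_exchange(seed: bytes = b"ccsa-example") -> dict:
    """Deterministic stand-ins for the values both gateways see during Main Mode."""
    def val(label: str, size: int) -> bytes:
        return hashlib.sha256(seed + label.encode()).digest()[:size]
    return {
        "cky_i": val("cky_i", 8), "cky_r": val("cky_r", 8),    # ISAKMP cookies
        "ni": val("ni", 32), "nr": val("nr", 32),              # nonces (messages 3/4)
        "g_xi": val("g_xi", 32), "g_xr": val("g_xr", 32),      # DH public values (placeholder)
        "sai_b": val("sa", 48),                                # initiator's SA payload body
        "idii_b": b"\x01\x11\x01\xf4" + bytes([203, 0, 113, 10]),   # ID_IPV4_ADDR, constructed
        "idir_b": b"\x01\x11\x01\xf4" + bytes([198, 51, 100, 20]),  # ID_IPV4_ADDR, constructed
    }


def phase1_authenticates(initiator_psk: bytes, responder_psk: bytes, ex: dict) -> bool:
    """Simulate messages 5 and 6 of Main Mode: each side sends its HASH and the
    peer recomputes it with its own copy of the secret.  Both checks must pass."""
    skeyid_i = skeyid_psk(initiator_psk, ex["ni"], ex["nr"])  # initiator's view
    skeyid_r = skeyid_psk(responder_psk, ex["ni"], ex["nr"])  # responder's view
    # Message 5 (initiator -> responder) carries HASH_I; the responder verifies it.
    if not hmac.compare_digest(hash_i(skeyid_i, ex), hash_i(skeyid_r, ex)):
        return False
    # Message 6 (responder -> initiator) carries HASH_R; the initiator verifies it.
    return hmac.compare_digest(hash_r(skeyid_r, ex), hash_r(skeyid_i, ex))


def offline_guess(captured_hash_r: bytes, ex: dict, candidates):
    """Whoever holds HASH_R plus the public exchange values can test guesses of
    the secret offline; nothing but the secret's entropy stands in the way."""
    for guess in candidates:
        if hmac.compare_digest(hash_r(skeyid_psk(guess, ex["ni"], ex["nr"]), ex),
                               captured_hash_r):
            return guess
    return None


if __name__ == "__main__":
    ex = constructed_exchange()
    print("matching secrets:", phase1_authenticates(b"S3cr3t-Site2Site!", b"S3cr3t-Site2Site!", ex))
    print("mismatched      :", phase1_authenticates(b"S3cr3t-Site2Site!", b"typo", ex))
```

Two practical consequences follow from the derivation. The nonces enter SKEYID, so a captured HASH from one negotiation cannot be replayed in another; and, because the hashes are keyed only by the secret and public values, anyone who obtains a HASH together with the exchange values (in Main Mode they are sent encrypted under the DH-derived key, so that takes a compromised endpoint or capture; Aggressive Mode sends HASH_R in the clear) can run a dictionary attack on the pre-shared secret. Use a long random secret, one per peer, or move to the certificate lab: with signature authentication SKEYID is derived from the nonces and the DH secret instead, and HASH_I/HASH_R are signed, so there is no shared secret to guess.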
Module 6:
Lab: Site-to-Site VPN using certificates
Module 6.b:
Remote Access (client-to-site)
Module 6:
Remote Access VPNs
built to handle secure communication between a corporate network and remote or mobile employees
remote access VPN design requirements include:
strong authentication to verify remote and mobile users
centralised management
scalability to accommodate user groups
Module 6:
Remote Access VPN
Module 6:
Configuring Remote Access
Define the users and user groups that will be allowed access, and the authentication method to be used
Configure Gateways to enable Remote Access
Configure a Remote Access VPN Community
Define VPN connection rules in the Policy Rule Base
Install SecuRemote/SecureClient on all user computers
Configure Remote Access
Define users/user groups
Configure Remote Access
Configure VPN Community, gateway
Configure Remote Access
Install VPN client (SecuRemote/SecureClient)
Configure Remote Access
SecuRemote/SecureClient
Module 6:
Example Network
SecuRemote/SecureClient is installed on Bob's and Anna's machines, and a User Authentication rule is defined in the Firewall policy
Bob and Anna can connect to netoslo using their own user names and passwords
Module 6:
Rule Base Configuration
Rule Base without Encryption
Rule Base with RemoteAccess VPN Object
Module 6:
Office Mode
this mode allows an organisation to assign internal IP addresses to SecureClient users
this IP address is encapsulated inside the VPN tunnel between the client and gateway
this mode enables administrators to control which IP addresses will be used by remote clients inside the local network
Office Mode Overview
Before VPN-1 NGX, there were only three ways to configure Office Mode:
Office Mode by IP pool
Office Mode by DHCP
IP per user (by editing ipassignment.conf)
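Office Mode address assignment, as an added worked example covering the two Office Mode slides above (illustrative code written for these notes, not code from the course or from the Check Point product). It models an address pool with fixed per-user entries in the spirit of ipassignment.conf taking precedence over the pool, lease reuse on reconnect, release on disconnect, and pool exhaustion, and it shows the inner/outer addressing of a tunnelled packet. The pool, user names and addresses are constructed; DHCP assignment is represented by the same pool interface, not by a real DHCP client.

```python
"""Added example (not Check Point code): a simplified model of Office Mode
address assignment and of how the assigned address sits inside the tunnel.
Pool, users and addresses are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


class PoolExhausted(Exception):
    """No free address is left in the Office Mode pool."""


class OfficeModeAllocator:
    def __init__(self, pool_cidr, per_user=None):
        self.pool = list(ip_network(pool_cidr).hosts())
        # Fixed "IP per user" entries take precedence over the pool and are
        # reserved, so a pool user never receives an address promised to someone else.
        self.per_user = {u: ip_address(a) for u, a in (per_user or {}).items()}
        self.leases = {}  # user -> assigned internal address

    def assign(self, user):
        if user in self.leases:            # reconnect while the lease lives: same address
            return self.leases[user]
        if user in self.per_user:
            addr = self.per_user[user]
        else:
            taken = set(self.leases.values()) | set(self.per_user.values())
            addr = next((a for a in self.pool if a not in taken), None)
            if addr is None:
                raise PoolExhausted(f"no Office Mode address left for {user}")
        self.leases[user] = addr
        return addr

    def release(self, user):
        """Client disconnected: the address goes back to the pool."""
        return self.leases.pop(user, None)

    def free_count(self):
        taken = set(self.leases.values()) | set(self.per_user.values())
        return sum(1 for a in self.pool if a not in taken)


def try_assign(alloc, user):
    """assign() that reports exhaustion as None instead of raising."""
    try:
        return alloc.assign(user)
    except PoolExhausted:
        return None


def encapsulate(client_public_ip, office_ip, gateway_ip, dst_ip, payload):
    """Shape of one client packet on the wire versus inside the tunnel.  The outer
    header carries the client's real (public) address towards the gateway; the
    inner header, which the internal network routes on, carries the Office Mode address."""
    return {
        "outer": {"src": str(ip_address(client_public_ip)), "dst": str(ip_address(gateway_ip)),
                  "proto": "ESP"},
        "inner": {"src": str(ip_address(office_ip)), "dst": str(ip_address(dst_ip)),
                  "payload": payload},
    }


if __name__ == "__main__":
    alloc = OfficeModeAllocator("10.9.0.0/29", per_user={"anna": "10.9.0.3"})
    for user in ("bob", "carol", "dave", "anna"):
        print(user, "->", alloc.assign(user))
    print(encapsulate("203.0.113.77", alloc.assign("bob"), "198.51.100.1", "10.1.0.80", "GET /"))
```

Because the internal network routes on the inner address, the pool must be an address range the internal routers know how to reach via the gateway (the routing slide below), and a per-user fixed address lets the rule base refer to one remote user by IP even though the user's public address changes from session to session.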
Office Mode: How Office Mode Works
Module 6:
Routing Considerations
the default routing must ensure that reply packets (returning to the SecuRemote client) are routed through the same encrypting gateway through which the original packets were delivered
a reply that reaches a different gateway has no tunnel to that client and cannot be delivered encrypted, so each Office Mode address range needs an internal route pointing at the gateway that hands it out
Module 6: SSL VPN
[Diagram: Business Partner, Mobile Worker and Teleworker users open an HTTPS session across the Internet to the SSL VPN Gateway; the gateway checks the user against an Authentication Server and relays HTTP to the internal Web-based Applications]
For IPSec VPN, SecuRemote/SecureClient must be installed on the client PC
SSL VPN just needs a Web browser (IE or Firefox)
Module 6:
Defining SecuRemote Users
Install SecuRemote/SecureClient Software
Configuring Remote Access in an IKE VPN
Module 6: SSL VPN
Configure SSL VPN
Access through a web browser