
VPN-1/Firewall-1 CCSA
Preparation for Check Point™ Certification

Based on NG FP2/FP3
Missing SmartDefense chapter for NG AI (FP4) CCSA Exam


CoreFacts acknowledges all registered trademarks. While every effort has been made to recognise and acknowledge trademarks, all references to trademarks are purely editorial and to the benefit of the company concerned. This book has no affiliation with, or endorsement from, any company whose trademark may have been used.

Notice of rights
All rights reserved. No part of this work covered by copyright may be reproduced in any form or by any means - graphic, electronic, or mechanical - including photocopying, recording, taping, or storage in an information retrieval system for resale, without the prior written permission of the copyright owner.

Notice of liability
The information in this book is distributed on an “As is” basis, without warranty. While every precaution has been taken in the preparation of this book, neither the author nor CoreFacts Ltd. shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in this book or by the computer software and hardware products described herein.

© CoreFacts 2003

The contents of this PDF file have been extracted from VPN-1/Firewall-1 CCSA/CCSE, ISBN 0-9543830-0-1, published by CoreFacts Publishing.

The complete book is printed in Great Britain at the University Press, Cambridge, and distributed by CoreFacts Publishing.

CoreFacts Training Technologies
Broadway House
149 - 151 St Neots Road
Hardwick
Cambridge
CB3 7QJ
UK

Tel. +44 (0)1954 212111
Fax. +44 (0)1954 212555
email [email protected]

Core Knowledge & Key Facts


Firewalls can be made to appear easy to configure. They are not: be careful, and always test the Security Policy that is installed. Knowing how to configure a feature in the software is only part of the puzzle; the other part is knowing the consequences of what you have just configured and evaluating the risks associated with it.

If you are using this document as a guide to help pass the CCSA exam, then you must also read the Check Point PDF documentation chapter on SmartDefense. The SmartDefense content was added when the exams changed to cover NG AI. Previously SmartDefense was a CCSE+ exam topic. A chapter on SmartDefense will be available from www.corefacts.co.uk.

To use this document successfully you should build a sample firewall configuration and work through all the exercises. Read each chapter first, then create the objects and follow the suggestions and examples. The exercises have not been written in a numbered format; they require you to think about and understand what you are doing. Anyone can paint by numbers.

All the screenshots, content and questions apply to NG FP2/FP3. Does that mean this document cannot be used when sitting the NG AI exam?

No. The topics covered are basically the same; just use the NG AI software. Some options have moved to a different dialog box, but they are fairly easy to find.

Contents

Chapter 1: VPN-1/Firewall-1 Architecture
Network Connections and Protocols ... 2
    The TCP/IP Stack ... 2
    Network Connections ... 2
    IP Protocol ... 3
    TCP Protocol ... 3
    UDP Protocol ... 4
    ICMP Protocol ... 5
What is a Firewall? ... 6
    Trust ... 6
    Trojans ... 6
Securing Networks - Packet Filters ... 7
    Typical ACL installed on a perimeter router ... 8
Securing Networks - Application Proxies ... 11
Securing Networks - Stateful Inspection ... 13
    Content Security Servers ... 14
    Stateful Inspection at Work ... 15
VPN-1/Firewall-1 ... 16
    Policy Editor ... 16
    Management Server ... 17
    Enforcement Module ... 18
    VPN-1/Firewall-1 NG Architecture ... 19
VPN-1/Firewall-1 Configurations ... 19
    Combined Management/Firewall ... 19
    Distributed Management/Firewall Module ... 19
    License Count ... 20
Secure Internal Communications (SIC) ... 21
    SIC Certificates ... 21
SecureUpdate - Central Licenses ... 22
    Installing Firewall Module Licenses ... 22
    SecureUpdate License Attachment ... 23
Secure Virtual Network Architecture ... 25
    Securing Networks, Systems, Applications and Users ... 25
    SVN Components ... 25
Basic Common Sense Security ... 29
    Services ... 29
    Servers ... 29
    People ... 30
    Peer Pressure ... 30
    Security Policy Procedures ... 30
    Documentation ... 30
    Log files ... 30
    Prepare for the unexpected ... 30

www.corefacts.com i


    Implement Trust procedures ... 30
    Site Security Handbook - RFC 2196 ... 30
VPN-1/Firewall-1 Architecture - Review Questions ... 31

Chapter 2: Security Policy & Rules Setup
First Contact with the Management Server ... 34
    GUI Login ... 34
    Start Policy Editor ... 35
    Administrator Authentication ... 35
    Fingerprint Check ... 36
    Policy Editor ... 37
Creating Network Objects ... 38
    Create the Firewall Object ... 40
    External Partner Firewall ... 44
    www.yoursite.com ... 45
    www.partner.com ... 46
    www.server.com ... 46
    Networks ... 47
    net-10.3.3.0 ... 47
    net-10.4.4.0 ... 48
    Object Tree Expanded ... 48
Adding Rules to the Security Policy ... 49
    Rule base Elements ... 49
    Removing the If Via Element ... 49
    New Security Policy ... 49
    Rulebase Elements without If Via ... 50
    Adding rules ... 50
    Stealth Rule ... 54
    Anything Out Bound Rule ... 54
    Clean up Rule ... 54
    Broadcast Junk ... 54
    Current Rulebase check ... 56
    Negating objects in Rules ... 57
Installing and Verifying the Security Policy ... 58
    Verify the Security Policy ... 58
    Installing the Security Policy ... 58
    Uninstalling the Security Policy ... 60
Testing the Security Policy ... 60
Basic Log Viewer information ... 61
Implicit and Explicit Rules in the Security Policy ... 62
    First, Before Last, Last ... 65
Rule Base Filtering Order ... 65
Rule Base Filtering Order, Exception - Authentication ... 66
Policy Properties, Controlling Implied Rules ... 67
    Turning Implied Rules off ... 67
    Locked out of Policy Installs - Recovery Procedure ... 68


    DNS as an Implied Rule ... 70
    Configuring DNS in a Live Environment ... 72
Management/Firewall-1 Module communications and services ... 73
Stopping and Starting the Firewall ... 75
    fwstop/fwstart ... 75
    cpstop/cpstart ... 76
Security Policy & Rules Setup - Review Questions ... 77

Chapter 3: System Manager and Log Viewer
System Manager ... 88
    OPSEC ... 88
    Status Information ... 88
    Policy Uninstalled State ... 89
    Disconnected State ... 90
Configuring Status Manager Alerts ... 91
    Overriding the Global Setting ... 92
Log Viewer ... 93
    Log Viewer Modes ... 93
    Searching ... 95
    Selections ... 96
    Selection Criteria - Toggle ... 98
    Resolve Addresses ... 98
Block Intruder (Suspicious Activity Monitoring) ... 100
    Block Intruder from within the Log Viewer ... 100
    Log Viewer Telnet entry ... 100
Log Viewer & Status Manager - Review Questions ... 104

Chapter 4: Anti-Spoofing & Services
Configuring Anti-Spoofing ... 108
    IP Spoofing ... 108
    TCP Sessions ... 109
    UDP Sessions ... 109
    Anti-Spoofing ... 110
    Topology of fw.f16.com ... 110
Predefined Services ... 114
    Tunnelled Protocol Example ... 115
    Adding Services ... 116
Policy Properties - Stateful Inspection ... 118
Creating New Services ... 119
    Create a Service ... 120
    TCP ... 120
    UDP ... 122
    Other ... 122
Anti-Spoofing & Services - Review Questions ... 125


Chapter 5: Working with the Security Policy
Revision Control ... 130
    Changes to your Policy ... 132
    Viewing the Installed Policy ... 134
Hiding Rules ... 134
    Hiding a Rule ... 135
    Viewing Hidden Rules ... 136
    Unhiding Rules ... 136
Rules Masks and Searches ... 136
Disabling Rules ... 138
Uninstalling the Security Policy ... 138
Basic Performance Guidelines ... 139
    Hosts file ... 139
    DNS lookup ... 139
    Log Viewer Resolve Addresses ... 139
    Module Performance ... 139
    Simple Rulebase ... 139
    Appliance specific features ... 140
    Logging ... 140
Multiple Firewall Administrators and Authentication Methods ... 141
    Management Configuration Tool ... 141
    Policy Editor - Manage -> Users & Administrators ... 142
    User accounts ... 142
    General details ... 142
    Account Profile ... 143
    Authentication Schemes ... 144
    Administrator Certificate ... 145
    Certificate Password ... 145
    Install User Database ... 146
    Test Admin Certificate login ... 147
Working With the Security Policy - Review Questions ... 149

Chapter 6: Setting up Authentication
Authentication Methods ... 152
    $FWDIR/conf/fwauthd.conf ... 152
Authentication Schemes ... 153
    SecurID ... 153
    AXENT ... 153
    RADIUS ... 153
    TACACS ... 153
    S/Key ... 154
    VPN-1/Firewall-1 Password ... 154
    OS Password ... 154
Set the Authentication Schemes ... 154
Creating Users ... 155


Creating User Groups ... 160
    External Groups ... 161
User generic* ... 162
    Generic* ... 162
Setting up Authentication - Review Questions ... 163

Chapter 7: User Authentication
User Authenticated Services ... 166
    User Authentication ... 166
    Stealth Authentication ... 167
    Rulebase Check ... 167
Authentication Using Telnet ... 167
    Add a User Authentication Rule ... 167
Intersect with User database for Source and Destination ... 172
Authentication Using http ... 172
    Add http to the Rule ... 172
    Change the User Properties ... 173
User Authentication Using ftp ... 174
User Authentication - Review Questions ... 176

Chapter 8: Session Authentication
Session Authentication ... 182
Install the Session Agent ... 183
Session Authentication Using ftp ... 186
    Session Authentication Rule ... 186
    Session Authentication Properties ... 186
    Install and Test Session Authentication ... 187
    Log Entry for Session auth ... 188
    Agent Settings - Once per session ... 188
Session Authentication - Review Questions ... 189

Chapter 9: Client Authentication
Client Authentication ... 192
Client Authentication Using ftp ... 193
    Add a client Auth Access rule ... 193
    Using telnet on port 259 ... 194
    Using http on port 900 ... 196
Controlling the number of sessions or time period ... 197
    Risks with Client Authentication ... 198
Sign On Required ... 198
Sign On Methods ... 198
    Manual Sign On ... 199
    Partially Automatic ... 199
    Fully Automatic ... 199
    Agent Automatic Sign On ... 200


    Single Sign On ... 200
Client Authentication - Review Questions ... 201
Authentication - General Review Questions ... 204

Chapter 10: Network Address Translation
Network Address Translation (NAT) ... 208
    Reason behind NAT ... 208
    RFC 1918 Addresses ... 208
    Problems with NAT ... 208
    Rulebase Check ... 209
Hide Mode NAT or Dynamic NAT - Automatic ... 209
    Configuring Hide Mode NAT ... 209
    NAT Log Entries ... 211
Hide Mode NAT or Dynamic NAT - Manual ... 211
Static NAT for Servers - Automatic ... 214
    Choose an External NAT Address ... 214
    The Problem with Static NAT ... 214
    Check the Policy Global Properties for NAT ... 217
    Edit the Web Server Object ... 218
    Check the NAT Rules ... 218
    Static NAT Log Entry - Automatic ... 219
Static NAT for Servers - Manual ... 219
    Create the local.arp File on the Firewall Module ... 220
    State Table arp_table ... 220
    Create an Object for the External Web Address ... 221
    Rulebase Rule Required ... 221
    Create the NAT Rules ... 221
    Static NAT Log entry - Manual ... 222
    Manual Static NAT - Advantages ... 223
Static NAT for Networks - Automatic ... 225
Network Address Translation - Review Questions ... 226

Chapter 11: NG Feature Pack 3
Product Name Changes ... 230
Upgrade from FP2 to FP3 ... 231
    Upgrade the Firewall Module ... 231
    Upgrade the Management Server ... 232
    Install the Security Policy ... 233
Converting a Traditional to Simplified Mode Security Policy ... 234
Policy Install Settings ... 236
    Policy Installs and the Connection Table ... 236
    Policy Rules, Section Headings ... 237
    DNS UDP Queries ... 238
    SynDefender ... 238
SmartView Status ... 239


SmartView Tracker .............................................................................................240Block Intruder ................................................................................................241Remote Log File Management .....................................................................241

Revision Control .................................................................................................242Content Security .................................................................................................243

Resource - CIFS ............................................................................................243URI Filtering - SOAP ...................................................................................245

VPN Configuration Changes ..............................................................................246

Chapter A: VPN-1/Firewall-1 InstallationInstalling in a Split Management/Firewall Module Configuration .....................253

Sample network Layout ................................................................................254Installing the Firewall Module ............................................................................255

Un-installing the Software .............................................................................261Installing the Management Server and Clients ...................................................262

Chapter B: Review Questions - Answers
Review Question Answer sheets .........................................................................273


VPN-1/Firewall-1 NG CCSA/CCSE

Introduction


The book has been written to provide configuration examples for each topic covered by the CCSA/CCSE certification. To be most effective the reader should have a Firewall configuration that they can use to test each topic and experiment with the configuration. If you do not have a complete test environment that you can use then the VPN-1/Firewall-1 Management Clients in demo mode will at least allow you to step through and create many of the objects and rules to become familiar with the Firewall configuration.

While working your way through the book, before you do any Firewall configuration always read the chapter thoroughly first, then go back and step through the chapter doing the configuration.

Throughout this book the topics and example configurations are designed to help you think about each aspect of the configuration. Do not just follow the steps; they are not explicitly numbered and therefore require a little more thought. Security is a state of mind: you need to be asking not only whether this can be done but also what the risks associated with doing it are.

The book is designed to lead the reader through the essential topics required for understanding how to configure Check Point VPN-1/Firewall-1. This book will not, and was not designed to, explain every option available in a dialog box. The on-line help built into the Management Clients does a good job of listing the options and what they do. The on-line help should be used as a supplementary source of information when working your way through this book.

The Check Point Management clients can be downloaded from www.checkpoint.com.

The example installation in Appendix A uses a split Management Server/Firewall Module configuration. This configuration is used throughout the book and was chosen because it is a more interesting environment to learn from when you have to consider the interaction of the Management Server and Firewall Module.

The network configuration used for most of the example configurations in the book is shown below.


www.server.com was configured with virtual IP addresses for the 172.23.3.0 and 172.24.4.0 networks to act as the router between the networks in the classroom and includes routes to the 10.x.x.x networks. The Management Station has a default route set to be the Internal interface of the Firewall.

The installation example in Appendix A uses Windows NT since this is currently the most common configuration that most users will have available and be familiar with. The Firewall Module can be installed on any supported platform and some readers may wish to use the SecurePlatform™ installation, but I would still recommend installing in a split Management/Firewall Module configuration.

The platform used for the Firewall will make little or no difference to the contents of the book since most of the configuration for VPN-1/Firewall-1 is done through the Management clients.

[Network diagram: www.server.com (172.23.3.254) on 172.23.3.0/24; fw.f16.com (Falcon), the Firewall, between the 10.3.3.0/24 and 10.4.4.0/24 networks (marked "Required for Site to Site VPNs") and 172.24.4.0/24; www.f16.com (Management Station) on 172.24.4.0/24. Interface addresses in the diagram use host numbers .1 and .254.]


1 VPN-1/Firewall-1 Architecture

Objectives

When you have completed this Module you should be able to:

• Know the limitations of a firewall.
• Understand what a firewall will not do.
• Describe the Advantages and Disadvantages of Packet Filtering.
• Describe the Advantages and Disadvantages of Application Proxies.
• Describe the Advantages and Disadvantages of Stateful Inspection.
• Know the three main components of VPN-1/Firewall-1.
• Understand how Stateful Inspection extracts session information.
• Understand what information a Stateful Inspection Engine can extract and use to secure network connections.
• Understand where Secure Internal Communications (SIC) is applied to validate and secure connections between Check Point and OPSEC components.


VPN-1/Firewall-1 Architecture

1.1 Network Connections and Protocols

The TCP/IP Stack

In the OSI model layer 5 is Session, layer 6 is Presentation and layer 7 is Application.

Network Connections

In the diagram below, if you need to get a packet from client A to server B you would just need to know the source and destination IP address. The routers and network infrastructure would take care of getting the packets delivered.

The IP header takes care of delivering the packet across the network using the routing on the gateways. The TCP/UDP/ICMP header takes care of the type of session being used, and the client/server application takes care of the data.

Either of the gateways could implement controls to extract information from any of the TCP/IP headers and possibly the application data to accept or deny the packet.

The gateway could check the destination IP address and destination port number; if the SMTP server is not running on the destination address it could drop the packet. This is simple packet filtering.

Firewalls extract information from each header and use the information to secure the connection. Some firewalls will extract more data than others.

[Figure: Protocol layers (TCP/IP) against OSI layers. Application (OSI 5-7): telnet, ftp, nfs, smtp, dns, ntp. Transport (4): tcp, udp, icmp. Internet (3): ip. Datalink (2): slip, ppp, X.25, HDLC, ISO 8802-2, 802.3, 802.5, various. Physical (1): Ethernet CSMA/CD, Token ring, serial.

Packet diagram, client A to server B through two gateways: IP Header (Protocol No. and Src/Dst IP Address) followed by one of TCP Header (Src/Dest Port: 25 SMTP, 80 http, ftp), UDP Header (Src/Dest Port: dns, nfs, ntp), ICMP Header (ICMP Type/Code: Echo Req./Reply) or an IPSEC encrypted packet, then Data.]

2 www.corefacts.com © CoreFacts 2002


IP Protocol

The IP header details are shown below (RFC 791). Any field in the header may be extracted and used to control a packet passing through a gateway. In simple terms, for firewalls the Source and Destination IP Address are the main controlling factors along with the 8-bit Protocol. Firewalls may do a lot more, but the controlling features that firewall administrators can usually configure are those three components of the IP header.

In VPN-1/Firewall-1 you could write your own INSPECT scripts to extract any part of the packet but that is not something many administrators do.

The full list of IP Protocols can be obtained from

http://www.iana.org/assignments/protocol-numbers

8-bit protocol   Protocol
1                ICMP   Internet Control Message
6                TCP    Transmission Control
17               UDP    User Datagram

TCP Protocol

The TCP header details are shown below (RFC 793). The source port is determined by the client TCP stack. The destination port is where the service on offer is listening and access to this can be controlled by the Firewall administrator.

[Figure: IP Header, 20 bytes, fields laid out across bit positions 0-15 and 16-31:
version | header length | 8-bit type of service | 16-bit total length (in Bytes)
16-bit identification | 3-bit flags | 13-bit fragmentation offset
8-bit time to live | 8-bit protocol | 16-bit header checksum
32-bit source IP address
32-bit destination IP address
options (if any) | padding
data (TCP/UDP/ICMP header + data or other protocol tunnelled over IP)]


TCP protocols go through an open, send data and close phase, and all packets are acknowledged. The TCP session knows how many packets are sent and received and resends lost or corrupt packets.

Data (commands) to the service cannot be sent until after the open phase.

TCP sessions tend to be trusted because the client cannot send data until the server receives an acknowledgement to the Syn/Ack. It is still possible to spoof/steal TCP connections. The only secure prevention against spoofing/stealing TCP sessions is encryption or packet authentication.

UDP Protocol

UDP protocols (RFC 768) are inherently insecure because there is no tracking of how many packets have been sent and received; it is the job of the application to ensure it understands the data it has received.

[Figure: TCP Header, 20 bytes, fields laid out across bit positions 0-15 and 16-31:
16-bit source port number | 16-bit destination port number
32-bit sequence number
32-bit acknowledgement number
Data Offset | reserved | 6 bits - flags | Window
16-bit TCP checksum | 16-bit urgent pointer
options (if any) | padding
data (telnet/ftp/smtp/nntp)

Session phases between client port 1057 and server port 23:
Open: client sends Syn with its Seq. No. asking to open the connection; server sends Syn/Ack with its Seq. No. acknowledging receipt of the Syn packet from the client; client sends Ack, after which the server knows the client exists and data can be sent.
Data: Data/Ack.
Close: Fin/Ack.]


Some firewalls will create a virtual UDP session that implements timeouts and some protocol knowledge in an attempt to secure UDP sessions. It is easy to spoof UDP packets and the integrity of packets received relies on the application. You can send data as the first packet to a UDP application and, unless there is some authentication built into the UDP application, the server will just accept the data. As an example, a DNS lookup uses UDP and just sends the name to be resolved to the server; the server blindly accepts the request and returns the result to the source IP address.

ICMP Protocol

Internet Control Message Protocol (RFC 792). This is not session orientated, and tools like nmap can use it to fingerprint the TCP stack of a server to determine which OS is being used. Although ICMP is generally considered a protocol to deny through a firewall this will not always be the case, and if you do not allow some types of ICMP then you may break the protocol being used.

If you have a problem with MTUs this is normally ICMP related: the MTU size cannot be negotiated, probably because ICMP is blocked through a gateway.

[Figure: UDP Header, 8 bytes, fields laid out across bit positions 0-15 and 16-31:
16-bit source port number | 16-bit destination port number
16-bit UDP length | 16-bit UDP checksum
data (NFS/DNS/NTP)
Client/server exchange: Data (commands) and Reply, with no open or close phase.

ICMP Header:
8-bit type | 8-bit code | 16-bit checksum
data (if any)]


1.2 What is a Firewall?

‘A Firewall implements the Security Policy that controls connections between trusted and untrusted networks passing through a gateway’

The Security Policy may implement a very strict control of services and server access or may be fairly liberal. Exactly how the firewall will control the connections is dependent on who writes the site Security Policy document and the type of organization involved.

Financial and government defence industries are much more security aware than the average manufacturing industry making, for example, birthday cards. Their risks and objectives are totally different, as is the budget allocated to the task of security.

Trust

Internal employees are just as likely to be malicious as external Internet users and pose a greater threat, since a firewall cannot protect you against malicious authorized users.

Trojans

A trojan is a program that is installed on a computer but has other functions than those advertised as part of the program. Basically it pretends to be something that it is not to gain trust.

Trojans are the biggest nightmare for security administrators because if they are installed on a user's computer the trojan is already on the internal network and your network is potentially compromised. A firewall will not help you against trojans. The control of trojans requires user education and control of the applications installed on a user's desktop.

Virus scanning engines will recognize trojans, or at least the ones that are known.

Most Security Policies implemented on a firewall allow internal users access to the external network (Internet) with at least http and ftp. An example of a good trojan might be a virtual flower pot with a flower of your choice that grows: attractive to users and must be run continuously on the desktop. While the application is running it is busy collecting information off the network and sending it out through port 80 to a remote site. If the trojan can initiate a connection through port 80 or 21 to its remote relay site then any server commands built into the trojan would be available to the remote controller.

Trojans are an inside to outside security problem; firewalls are generally successful at controlling external network to internal/DMZ network access. They have less success at controlling inside to outside security problems.


You might want to consider using proxy servers to control access. This makes the use of trojans more difficult, since the trojan then needs to tunnel the data over the protocol being proxied. Still a potential problem, but it reduces the risk.

The problem with using trojans is that you need to get them installed on the internal network; the worst kind of trojan is a trusted employee.

As a simple rule of thumb, minimise the points of access to and from your network; this provides you with more control.

1.3 Securing Networks - Packet Filters

The first line of defence in any organisation is the perimeter routers that are the gateways to other networks. A simple packet filtering router would not now be considered a firewall but it remains an important part of the perimeter security.

[Figure: OSI layers at the client PCs, the router and the servers. The router applies ACLs to the IP and TCP/UDP headers and does not check the data ("No CHECK" at the data). Client PCs and servers (smtp, ftp, http, nntp, dns) sit behind the router on the ISP link, all addresses visible to the Internet; one client PC runs an ftpd on port 7777.]

With simple packet filtering routers, users and administrators found it easy to circumvent the Access Control List on the perimeter router. The above configuration was common in the early days of public Internet growth. The perimeter router would control incoming access to the servers, only allowing specific services. A user or administrator would then install a server on another host on a high numbered port and use it to connect from home. This would often be telnet for administering Unix boxes. Unfortunately the workstation with the ftp/telnet server, if found, could become a WAREZ site for illegally copied software. Some sites complained to the ISP about the bandwidth, only to be informed that the bandwidth was being consumed by the ftp or http server the user had installed. Once you install a Firewall and change the location of the clients and servers this is not a problem. With configurations that have routers doing NAT, initiating connections to the internal PCs is not possible unless explicitly configured; the internal workstation must initiate the connection first.

Advantages
• Much cheaper than firewalls.
• Faster than Stateful Inspection and application proxies.
• Good for perimeter access control.

Disadvantages
• Difficult to manage Access Control Lists (ACLs).
• Limited to IP and TCP/UDP/ICMP header information checking, and that may be basic.
• Logging usually only to a syslog daemon.
• Very easy to abuse the open ports - with tunnelled protocols.

The filtering abilities of routers have increased over the past five years, but the methods of administering them still tend to be command line orientated and often only basic features are used.

Typical ACL installed on a perimeter router

Internet Service Providers may provide a managed router with ACLs configured. This can be a problem if you are not aware of what has been configured: the ISP will usually only talk to listed technical support personnel about configuration issues.

Do not remove, or ask the ISP to remove, all the ACLs on your perimeter router; open up the ports required, not everything.

A typical starting ACL on a Cisco Internet perimeter router might be similar to the following.

Current configuration:
! The IP addresses used in this example were selected at
! random and do not refer to a specific live site
! Last configuration change at 17:30:40 GMT Fri May 13 2002 by gusbouse
! NVRAM config last updated at 17:30:44 GMT Fri May 13 2002 by gusbouse
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hitetech04-gw
!
!
ip subnet-zero
no ip source-route
no ip finger
no ip bootp server
ip domain-name bytes.co.uk
ip name-server 153.42.128.1
ip name-server 153.42.192.1
ip name-server 197.2.3.1
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
interface Ethernet0
ip address 193.8.73.14 255.255.255.240
ip access-group 102 out
no ip directed-broadcast
no ip proxy-arp
traffic-shape rate 2048000 2048000 2048000 1000
!
interface Serial0
ip unnumbered Ethernet0
ip access-group 151 in
ip access-group 101 out
no ip directed-broadcast
no ip mroute-cache
bandwidth 2048
traffic-shape rate 2048000 2048000 2048000 1000
!
interface Serial1
no ip address
no ip directed-broadcast
shutdown
!
ip classless
ip default-network 153.42.0.0
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 153.42.0.0 255.255.0.0 Serial0
logging trap debugging
logging 197.139.21.16
access-list 1 permit 200.78.31.8
access-list 1 permit 153.42.128.0 0.0.127.255
access-list 1 permit 193.8.73.0 0.0.0.15
access-list 101 permit ip 193.8.73.0 0.0.0.15 any
access-list 102 deny ip 193.8.73.0 0.0.0.15 any
access-list 102 permit icmp any any
access-list 102 permit tcp any host 193.8.73.4 eq 1023
access-list 102 permit udp any host 193.8.73.4 eq 1023
access-list 102 permit tcp any host 193.8.73.4 eq 1494
access-list 102 permit udp any host 193.8.73.4 eq 1604
access-list 102 deny udp any any eq 2049
access-list 102 deny tcp any any eq 2049
access-list 102 deny tcp any any eq 6000
access-list 102 permit tcp any any gt 1023
access-list 102 permit udp any any gt 1023
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any host 193.8.73.7 eq smtp
access-list 102 permit tcp any host 193.8.73.4 eq www
access-list 102 permit tcp any host 193.8.73.5 eq www
access-list 102 permit tcp any host 193.8.73.3 eq www
access-list 102 permit tcp any host 193.8.73.4 eq 443
access-list 102 permit tcp any host 193.8.73.2 eq smtp
access-list 102 permit tcp any host 193.8.73.6 eq www
access-list 102 permit tcp any host 193.8.73.6 eq 443
access-list 151 deny udp any host 193.8.73.14 eq snmp log
access-list 151 deny ip 193.8.73.0 0.0.0.15 any log
access-list 151 deny tcp any host 193.8.73.14 eq 1999
access-list 151 deny tcp any host 193.8.73.14 eq 2001
access-list 151 deny tcp any host 193.8.73.14 eq 4001
access-list 151 deny tcp any host 193.8.73.14 eq 6001
access-list 151 deny ip host 0.0.0.0 host 193.8.73.14
access-list 151 deny ip 10.0.0.0 0.255.255.255 any
access-list 151 deny ip 172.16.0.0 0.15.255.255 any
access-list 151 deny ip 192.168.0.0 0.0.255.255 any
access-list 151 deny ip 127.0.0.0 0.255.255.255 any
access-list 151 deny ip 224.0.0.0 31.255.255.255 any
access-list 151 permit ip any any
tacacs-server host 191.79.31.8
tacacs-server host 191.79.63.56
tacacs-server attempts 2
tacacs-server timeout 6
banner login ^C
Authorised access only
This system is the property of XX-ISP UK
Disconnect IMMEDIATELY if you are not an authorised user !
Contact [email protected] +44 1323 111122 for help.
^C
!
line con 0
password 7
transport input none
line aux 0
line vty 0 4
access-class 1 in
password 7
!
ntp clock-period 17246996
ntp peer 153.42.128.33
ntp peer 153.42.128.66
ntp peer 153.42.192.66
end
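To show how a router walks a list like the one above, here is an added Python evaluator (not code from the book or from Cisco) that reproduces the first-match, wildcard-mask semantics over a few of the entries from access-list 102 and 151. The test addresses and port 7777 are taken from this chapter; only the eq and gt port operators that appear in the listing are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclEntry:
    """One line of a Cisco extended access list, e.g.
    'access-list 102 permit tcp any host 193.8.73.4 eq www'."""
    action: str                                  # "permit" or "deny"
    proto: str                                   # "ip" (any protocol), "tcp", "udp" or "icmp"
    src: str                                     # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[Tuple[str, int]] = None      # ("eq", 25) or ("gt", 1023); None = any port


def addr_matches(spec: str, addr: str) -> bool:
    """Cisco wildcard masks are inverted netmasks: a 0 bit must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == addr
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(base)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def port_matches(spec: Optional[Tuple[str, int]], port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:
        return False
    op, value = spec
    return port == value if op == "eq" else port > value   # only eq and gt appear on the page


def evaluate(acl: List[AclEntry], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Walk the list top to bottom; the first matching entry decides.
    A Cisco ACL ends with an implicit 'deny ip any any'."""
    for entry in acl:
        if entry.proto != "ip" and entry.proto != proto:
            continue
        if not (addr_matches(entry.src, src) and addr_matches(entry.dst, dst)):
            continue
        if entry.proto in ("tcp", "udp") and not port_matches(entry.dport, dport):
            continue
        return entry.action
    return "deny"


# Subset of access-list 102 from the listing (applied outbound on Ethernet0, i.e. towards
# the site LAN), kept in the original order because order decides the outcome.
ACL_102 = [
    AclEntry("deny",   "ip",   "193.8.73.0 0.0.0.15", "any"),            # own range from outside
    AclEntry("permit", "icmp", "any", "any"),
    AclEntry("deny",   "tcp",  "any", "any", ("eq", 2049)),              # NFS
    AclEntry("deny",   "tcp",  "any", "any", ("eq", 6000)),              # X11
    AclEntry("permit", "tcp",  "any", "any", ("gt", 1023)),              # every high port, any host
    AclEntry("permit", "udp",  "any", "any", ("eq", 53)),                # domain
    AclEntry("permit", "tcp",  "any", "host 193.8.73.7", ("eq", 25)),    # smtp
    AclEntry("permit", "tcp",  "any", "host 193.8.73.4", ("eq", 80)),    # www
]

# Anti-spoofing subset of access-list 151 (applied inbound on Serial0, the ISP link).
ACL_151 = [
    AclEntry("deny",   "ip", "193.8.73.0 0.0.0.15", "any"),
    AclEntry("deny",   "ip", "10.0.0.0 0.255.255.255", "any"),
    AclEntry("deny",   "ip", "172.16.0.0 0.15.255.255", "any"),
    AclEntry("deny",   "ip", "192.168.0.0 0.0.255.255", "any"),
    AclEntry("permit", "ip", "any", "any"),
]


if __name__ == "__main__":
    outside = "200.78.31.8"   # an address that appears in the listing
    print("smtp to .7:", evaluate(ACL_102, "tcp", outside, "193.8.73.7", 25))        # permit
    print("telnet to .9:", evaluate(ACL_102, "tcp", outside, "193.8.73.9", 23))      # deny (implicit)
    print("ftpd on 7777:", evaluate(ACL_102, "tcp", outside, "193.8.73.9", 7777))    # permit via gt 1023
    print("spoofed own range:", evaluate(ACL_102, "tcp", "193.8.73.5", "193.8.73.4", 80))  # deny
    print("RFC1918 source inbound:", evaluate(ACL_151, "udp", "10.1.2.3", "193.8.73.4", 53))  # deny
```

The "gt 1023" line is what lets the user-installed server on port 7777 from the figure through: a packet filter cannot tell a tunnelled protocol on a high port from a legitimate reply.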


1.4 Securing Networks - Application Proxies

Application proxies work at the application layer and rewrite every connection going through the Firewall. The connection will appear to come from the external address of the Firewall. Application Proxy Firewalls are considered by most security experts to be the most secure type of Firewall. The number of proxies differs from Firewall to Firewall but it is usually about 30, and not all of them do detailed protocol analysis.

Other types of firewall are sometimes used as the packet filtering inspection control mechanism to allow access to a dedicated application proxy server. A dedicated application proxy server is not necessarily an application Proxy Firewall.

Examples of application proxy Firewalls are Raptor™, and Gauntlet™.

The low level kernel packet filter hands the connection on to the appropriate proxy for the destination port number. The proxy fully understands the protocol in detail. The proxy sends a Syn/Ack back to the client, which thinks it has connected to the remote site. The proxy spawns off a process to handle the connection: 20 connections, 20 processes. The proxy sends a Syn to the real site and waits for the reply, and at the same time it checks that the client is allowed to connect to the requested site. If it is not allowed by the rules it terminates the connection; if it is allowed it waits for the reply. The remote site sees the connection as coming from the external Firewall address but the client sees the connection as if it came from the remote server. This is transparent proxying. Alternatively you could set the client to explicitly proxy off the Firewall, but then the user has to interact with the Firewall to use some services.

[Figure: OSI layers at the client, the application proxy Firewall and the server. The Low Level Packet Filter checks the IP and TCP/UDP headers, and the proxies (ftp-gw, lp-gw, sy-gw, tn-gw, x-gw, http-gw, plug-gw) check the data at the application layer; several http-gw processes handle connections to ports 80 and 8080.]

The number of proxies is limited since they are difficult to write and must be modified to keep up with the version of the protocol they are proxying.

They tend to be memory and processor intensive since they must spawn off a process for each client request. Just because you are using a proxy like the Apache http server, it does not mean it is a Firewall. Application proxy Firewalls are security aware for the protocol being proxied and are designed to prevent misuse and generate detailed logging and alerts.

Advantages
• Considered to be the most secure method of controlling network connections.
• Works at the application level and fully understands the protocol being used.
• Good logging of network and protocol information.

Disadvantages
• Can be the bottleneck with high bandwidth connections.
• Can be slow and is not for high speed data streams, like VOIP.
• Proxies may only be available for TCP services.
• The number of proxies supplied is limited.
• Each connection requires its own process, which can be CPU and memory intensive.
• May be exposed to low level OS and TCP/IP stack compromises.

Even if you do not use an application proxy type firewall it is almost certain that you will implement application proxies to control user access to specific services. Only small or low risk sites never use proxies of some form or another to control protocols passing through the security gateway.

The plug-gw proxy can be used to relay any TCP service, which makes its use no better than a packet filtering router. The low level kernel packet filters can also be used to control traffic through the gateway.

The TIS Toolkit is still available for personal use if you would like to investigate how application proxies work. Gauntlet™ became the commercial version of the TIS Toolkit and added a lot more features.


1.5 Securing Networks - Stateful Inspection

Check Point VPN-1/Firewall-1 Stateful Inspection has the ability to extract information from any part of the IP packet to control the network session.

The Inspection Engine uses a programming language called INSPECT to create scripts to handle different protocols. Protocols may not all receive the same degree of inspection. Every release and service pack has extended the protocol inspection abilities of the Inspection Engine.

Advantages
• Faster than application proxies.
• Can inspect the whole packet.
• Can understand protocol details.
• Easy to administer with GUI front end.
• Provides good logging.
• Adds virtual session information to UDP and ICMP.

Disadvantages
• Less secure than application proxies.
• Slower than packet filtering routers.
• Administrators can be fooled into thinking firewall administration is easy with a simple GUI.
• Too easy to add services that need time for further review.
• Provides little or no better protection than a packet filter for some protocols.

[Figure: OSI layers at the client, the Stateful Inspection Firewall and the server. The Inspection Engine checks the IP and TCP/UDP headers and the data, records session information in Dynamic State Tables, and can also reach into the Application layer.]


Stateful Inspection

Stateful Inspection is designed to not only check packets received but also extract information about connections related to the packets about to be received.

Communication information - Information derived from inspecting the Application, Presentation, Session, Transport and Network headers. For TCP/IP, Application, Presentation and Session are considered to be just part of the Application data; the OSI model splits the Application data into three components.

Communication derived state - Information derived from previous communications, for example extracting the port number of a data connection in an ftp file transfer. This is session information.

Application derived state - Information derived from an interaction with an application on the firewall that sets a state in the Inspection Engine to allow access. For example, a user connecting to in.aclientd and authenticating before attempting use of a protocol in a rule. (in.aclientd is explained in Client Authentication.)

Information manipulation - Evaluation of flexible expressions (INSPECT language) based on the communication information, communication derived state and the application derived state.

Content Security Servers

VPN-1/Firewall-1 does have application proxies; they are called Content Security Servers and work with the following protocols:

• SMTP
• FTP
• HTTP

Content Security Servers are explained in the module on Content Security.


Stateful Inspection at Work

An example of Stateful Inspection at work extracting communication derived state information would be an FTP session.

Client A establishes a connection to the ftp server on B, connection ID 57. The user then uses the ls command in ftp. The firewall extracts the port number embedded in the data part, which is the port number of the data listener on the client, port 1063. The firewall adds the port details to the state table and links connections 57 and 58. If the control connection is finished the data connection is disallowed.

Server B initiates a connection from the ftp-data port (20) to port 1063, where it has been informed the client is listening. The firewall is expecting the connection because it extracted the port details from the outgoing ls command.

If the user misses half the directory listing and repeats the process, connection ID 58 expires (is complete) and a new entry is created for the next data download after extracting the port details.

[Figure: FTP Client A, Firewall-1 and FTP Server B. Control connection from A port 1061 to B port 21: login/passwd, then "port = 1063" followed by ls. Data connection from B port 20 (ftp data port) to A port 1063 carrying the dir listing (data). A second ls with "port = 1065" produces a data connection from B port 20 to A port 1065.]

Connection State Table Information

ID   Src IP   Dst IP   Src Port   Dst Port
57   A        B        1061       21
58   B        A        20         1063
59   B        A        20         1065


This is Stateful Inspection at work: only opening up the ports required for the protocol to work, which requires knowledge of the protocol. The engine looks for and extracts specific values; if it finds them it will use them, and if it does not the protocol may break or may work, depending on the INSPECT scripts associated with the protocol.

This is the area that packet filtering routers do not touch: being aware of when to open ports. Packet filters just open up the ports all the time.

Just because VPN-1/Firewall-1 does it for one protocol does not mean it does it for all protocols. INSPECT scripts to extract session information do not exist for every protocol (port number).

Be careful with protocols that are not well used, they are likely to have very little checking other than simple port or IP protocol number matching.
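As an added model (not Check Point's implementation) of the communication derived state described in the FTP example above: the engine watches the control connection for the PORT command that precedes the ls, pre-authorises exactly one server-to-client data connection to the announced port, and withdraws it when the control connection closes. Client and server addresses are constructed; connection IDs follow the page's diagram.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FTP_CTRL, FTP_DATA = 21, 20
# Active-mode FTP: before LIST the client announces where the server should connect,
# as "PORT h1,h2,h3,h4,p1,p2" (port = p1 * 256 + p2).
PORT_RE = re.compile(r"\bPORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})",
                     re.IGNORECASE)


@dataclass
class Connection:
    conn_id: int
    src: str
    dst: str
    sport: int
    dport: int
    linked_to: Optional[int] = None      # data connection: ID of the control connection it belongs to


class StateTable:
    """Connection state table: established connections plus the data connections the engine
    expects because it saw them announced on a control connection."""

    def __init__(self, first_id: int = 57):          # 57 is the first ID in the diagram
        self._next_id = first_id
        self.established: Dict[int, Connection] = {}
        self.expected: Dict[Tuple[str, str, int, int], Connection] = {}

    def _new_id(self) -> int:
        self._next_id += 1
        return self._next_id - 1

    def open_control(self, client: str, server: str, client_port: int) -> int:
        """The client opens the control connection to port 21, allowed by the rule base."""
        conn = Connection(self._new_id(), client, server, client_port, FTP_CTRL)
        self.established[conn.conn_id] = conn
        return conn.conn_id

    def inspect_control_data(self, ctrl_id: int, payload: str) -> Optional[int]:
        """Communication derived state: pull the client's listening port out of the PORT
        command and pre-authorise one server -> client data connection to it."""
        ctrl = self.established.get(ctrl_id)
        match = PORT_RE.search(payload)
        if ctrl is None or match is None:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
        if f"{h1}.{h2}.{h3}.{h4}" != ctrl.src:
            return None          # do not open a hole towards a third-party address
        port = p1 * 256 + p2
        data = Connection(self._new_id(), ctrl.dst, ctrl.src, FTP_DATA, port, linked_to=ctrl_id)
        self.expected[(data.src, data.dst, data.sport, data.dport)] = data
        return data.conn_id

    def check_inbound(self, src: str, dst: str, sport: int, dport: int) -> str:
        """Decision for a new inbound connection attempt (server -> client)."""
        data = self.expected.pop((src, dst, sport, dport), None)
        if data is None:
            return "drop"                        # nothing announced it: no state, no entry
        self.established[data.conn_id] = data    # one-shot: the expectation is consumed
        return "accept"

    def close(self, conn_id: int) -> None:
        """Closing the control connection also withdraws any data connection it announced."""
        self.established.pop(conn_id, None)
        self.expected = {k: v for k, v in self.expected.items() if v.linked_to != conn_id}

    def rows(self) -> List[Tuple[int, str, str, int, int]]:
        """The table as drawn on the page: ID, source/destination address, source/destination port."""
        return [(c.conn_id, c.src, c.dst, c.sport, c.dport)
                for c in sorted(self.established.values(), key=lambda c: c.conn_id)]


if __name__ == "__main__":
    A, B = "10.3.3.1", "10.4.4.1"                # constructed client and server addresses
    table = StateTable()
    ctrl = table.open_control(A, B, 1061)
    table.inspect_control_data(ctrl, "PORT 10,3,3,1,4,39\r\nLIST\r\n")   # 4*256+39 = 1063
    print(table.check_inbound(B, A, 20, 1063))   # accept: announced on the control connection
    print(table.check_inbound(B, A, 20, 1064))   # drop: never announced
    for row in table.rows():
        print(row)
```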

1.6 VPN-1/Firewall-1

VPN-1/Firewall-1 NG is a scalable modular architecture that allows an organization to define a single centrally managed Security Policy. The core components of VPN-1/Firewall-1 are:

• Policy Editor
• Management Server
• Enforcement Module

Other modular components cover bandwidth management (Floodgate-1), IP address management (Meta IP) and software updates (SecureUpdate).

Policy Editor

The enterprise Security Policy is defined and managed through the Policy Editor. The policy is defined through a clear, simple rulebase that controls Source, Destination, Service, Action, Tracking, Install On and Time. Some settings are made through dialog box toggles which turn a specific feature on or off.

The installed settings and rules are called a rulebase.

A rulebase consists of rules you create using object and service definitions and settings set in the Global Policy Properties.


Management Server

The Management Server is the central point of Security Policy distribution and stores all configuration information to be distributed to the Firewall Module enforcement points. The Management Server maintains the Check Point databases, including network object definitions, user definitions, policies and log files for any number of enforcement points. The configuration information is accessible through the Policy Editor, which connects to the Management Server using a secure encrypted connection.

The Policy Editor can be installed on the same server as the Management Server or on a separate workstation and connect over the network. Authentication is required to connect to the Management Server.

There is no limit to the number of Firewall Enforcement Modules that a single Management Server can manage. However, there are practical limits on how well the Management Server will be able to cope with logging and rule base management from an administrator's point of view. A reasonable ratio of Management to Firewall modules is 1:12, but every site is different and this is not a fixed limit.


Enforcement Module

A VPN-1/Firewall-1 NG enforcement module is installed on a network gateway access point. This may be an Internet gateway at the perimeter of your organization or an internal gateway to protect specific internal networks. Multiple enforcement points may be controlled by a central enterprise Management Server with a single central policy.

The Security Policy is defined by the Policy Editor, saved to the Management Server as INSPECT and compiled at the Management Server into a format that can be installed on the enforcement point.

The enforcement module includes the Inspection Engine and security servers. The enforcement module examines all communications according to the rules in the Security Policy using the security servers to authenticate users and further inspect protocol specifics at an application level for SMTP, FTP and HTTP.

INSPECT Language

INSPECT is the language VPN-1/Firewall-1 uses to generate the scripts that enforce the Security Policy.

INSPECT is a macro based language that allows flexible expressions to be created to check the contents of an IP packet.

#define ip_p [9 : 1]
define tcp { ip_p = 6 };
define udp { ip_p = 17 };
define icmp { ip_p = 1 };
accept (tcp, telnet or ftp) or (udp, domain_udp)

The script is passed through the C pre-processor and the #define macros expanded into the script.

The script means:
Define a macro ip_p: take byte 9 of the IP header, looking at one byte.
Define an entity tcp, which has value 6 in the IP header at byte 9.
Define an entity udp, which has value 17 in the IP header at byte 9.
Define an entity icmp, which has value 1 in the IP header at byte 9.
Accept the packet if it is (tcp and telnet or ftp) or (udp and domain_udp).

Obviously the values for telnet, ftp and domain_udp would also need to have been defined.
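The following Python is an added illustration for this section, not code from the book or from Check Point: it models the byte-offset matching that the INSPECT fragment above performs, run over constructed sample packets. The definitions of telnet, ftp and domain_udp, and the fixed 20-byte IP header they rely on, are assumptions made here.

```python
"""Model of the INSPECT fragment above, written for this page as an
illustration; it is not Check Point code.  INSPECT's [offset : length]
reads bytes from the start of the IP header, so the same tests are
expressed here as functions over a raw packet."""
import struct


def field(pkt: bytes, offset: int, length: int) -> int:
    """INSPECT [offset : length]: `length` bytes at `offset`, big-endian."""
    return int.from_bytes(pkt[offset:offset + length], "big")


# #define ip_p [9 : 1]  -> the IPv4 protocol byte
def ip_p(pkt: bytes) -> int:
    return field(pkt, 9, 1)


# define tcp { ip_p = 6 };  define udp { ip_p = 17 };  define icmp { ip_p = 1 };
def tcp(pkt: bytes) -> bool:
    return ip_p(pkt) == 6


def udp(pkt: bytes) -> bool:
    return ip_p(pkt) == 17


def icmp(pkt: bytes) -> bool:
    return ip_p(pkt) == 1


# Assumed definitions for the services the text says must also exist.
# They read the destination port at byte 22, which assumes a 20-byte
# IPv4 header with no options.
def dport(pkt: bytes) -> int:
    return field(pkt, 22, 2)


def telnet(pkt: bytes) -> bool:
    return dport(pkt) == 23


def ftp(pkt: bytes) -> bool:
    return dport(pkt) == 21


def domain_udp(pkt: bytes) -> bool:
    return dport(pkt) == 53


def accept(pkt: bytes) -> bool:
    """accept (tcp, telnet or ftp) or (udp, domain_udp)
    In INSPECT the comma is a short-circuit AND and `or` is OR."""
    return (tcp(pkt) and (telnet(pkt) or ftp(pkt))) or \
           (udp(pkt) and domain_udp(pkt))


def build_packet(proto: int, dst_port: int) -> bytes:
    """Constructed sample packet: a 20-byte IPv4 header (no options)
    followed by the source/destination port words of a TCP or UDP header.
    Lengths and checksums are left at zero; nothing above reads them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 0, 0, 0, 64, proto, 0,
                         bytes([10, 3, 3, 1]),        # src: www.f16.com
                         bytes([172, 23, 3, 254]))    # dst: www.server.com
    return ip_hdr + struct.pack("!HH", 40000, dst_port)


if __name__ == "__main__":
    for name, pkt in [("tcp/23 telnet", build_packet(6, 23)),
                      ("tcp/80 http", build_packet(6, 80)),
                      ("udp/53 dns", build_packet(17, 53)),
                      ("icmp", build_packet(1, 0))]:
        print(f"{name:15} -> {'accepted' if accept(pkt) else 'not accepted'}")
```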

The INSPECT scripts are stored in the $FWDIR\lib directory on the Management Server. Every time the Policy is installed these files are used to compile the Security Policy. If these files are compromised then the resulting Security Policy is compromised. Make sure you protect the Management Station from internal and external users.


VPN-1/Firewall-1 NG Architecture

All components of VPN-1/Firewall-1 now use SVN Foundation as a base, which helps protect the Check Point modules from potential OS bugs. SVN Foundation is also known as CPShared and is the Check Point ‘Operating System’ that is installed with every product.

1.7 VPN-1/Firewall-1 Configurations

Combined Management/Firewall

This is still the most common installed configuration of VPN-1/Firewall-1 since it requires one server and suits small to medium sized organizations with a single firewall.

Distributed Management/ Firewall Module

This is used by larger organizations that often have multiple firewalls, or those that require High Availability, since Check Point HA requires that the Firewall-1 Module and Management Server software not be installed on the same server in an HA configuration. This is not necessarily true for other vendors' HA solutions. Rebuilding Firewall module configurations is simpler in a split configuration: a Firewall module just requires a re-install of the software and a reset of the SIC secret between Management Server and Firewall module, followed by a Policy install.

It is more likely you will upgrade the hardware of the Firewall module than the Management Server, since in the future you will be adding HA and more VPN links, which require higher specification hardware. You can of course use the firewall to filter the VPN traffic to a dedicated VPN gateway box so that the VPN box only ever receives VPN traffic from specific sites. The firewall then acts as a protector for the VPN box, which does not have to be Check Point based.

[Diagram: VPN-1/Firewall-1 Module, Management Server, and GUI Clients (optional install): Policy Editor, Log Viewer, Status Manager.]


License Count

The license count for VPN-1/Firewall-1 is based on the number of IP addresses that the Firewall module recognizes as internal IP addresses. If you have a limited license version (25/50/100/250 user license), then during the install one interface will be listed as the external interface. All IP addresses on all other interfaces will be counted as being internal and protected by VPN-1/Firewall-1.

The IP addresses collected by the firewall are written into a database file and can be viewed by the command fw lichosts.

Make sure you count all IP addresses, hosts, servers, routers, printers, and remote sites with links to internal networks.

The firewall does not stop working if you have extra hosts; it just informs you that you need to upgrade the license. If you are using a DHCP server you should restrict the address range it allocates addresses from. If you renumber your network you may need to run fwstop to stop the firewall, delete the database file, then fwstart to start the firewall; the address count then starts from scratch again.

[Diagram: VPN-1/Firewall-1 Module, Management Server, and GUI Clients (optional install): Policy Editor, Log Viewer, Status Manager.]


1.8 Secure Internal Communications (SIC)

In NG Check Point have introduced Secure Internal Communications (SIC), which replaces the fw putkey authentication method.

SIC is used to secure communications between Check Point SVN components such as:

• Management Servers
• VPN-1/Firewall-1 Modules
• Customer Log files
• SecureUpdate
• Policy Servers
• OPSEC applications using SDK for NG

With SIC in place, a simple SIC initialization procedure for each component from within the Policy Editor is all that is needed, which removes the need to perform fw putkey operations between each pair of communicating components to secure the link.

SIC Certificates

Secure Internal Communication for Check Point SVN components uses certificates for authentication and SSL for encryption. Certificates are created by the Internal Certificate Authority (ICA) on the Management Server, which is a standard part of VPN-1/Firewall-1 NG.

The ICA is created automatically during Management Server installation and only requires each component to have a single certificate created. An object may only have one certificate issued from a single CA; you cannot have two certificates for the same object. The Management Server and modules are identified by their SIC name, also known as the Distinguished Name (DN).

The names of objects and name resolution are important when using certificates; names must be resolvable to addresses that can be contacted, over the Internet if necessary, for remote modules.

You cannot rename objects that have had certificates issued for them; you need to delete the object and recreate it, creating a new certificate for it.


1.9 SecureUpdate - Central Licenses

In NG Check Point changed the way that Firewall module licenses were associated with an IP address. In previous versions the license was associated with the External IP address of the Firewall module. In a Combined Management/Firewall module configuration the License for the Management Module and the Firewall Module were associated with the same IP address. In a Split Management/Firewall module configuration there was a license for the Management Station tied to its IP address and a license for the Firewall module tied to its IP address.

For licenses in NG the only IP address that is required is the address of the Management Station. The Management Station will then have Firewall module licenses attached to it for each Firewall it can Manage. This is known as central licensing and all licenses are added to the Management Server by either using the Check Point Configuration Tool or SecureUpdate.

Using SecureUpdate licenses can then be detached from the Management Station and attached to a Firewall module that has been defined using the Policy Editor. The license will be attached to the primary address of the defined Firewall module object which should be the external IP address.

The advantages of Central Licenses are:

• All licenses can be managed via SecureUpdate.
• Only one IP address is required for all licenses.
• A license can be detached from one module and attached to another.
• The license remains valid when changing the IP address of the module. There is no need to re-create and re-install a new license when changing the IP address.

Installing Firewall Module Licenses

When you install a remote Firewall module and are using central licenses, you do not have to add a license during the Firewall module installation. You will only need to set the SIC secret to get SIC communications working between the Management Server and Firewall module. After defining the Firewall object in the Policy Editor you can use SecureUpdate to attach a license to the new Firewall module.

Central licenses are recommended for all Firewall Modules.

Management Server licenses are local licenses, and if you change the IP address of the Management Station you need to re-create the license and re-install it.


SecureUpdate License Attachment

Once the Firewall module object has been created in the Policy Editor, save the settings and start SecureUpdate which can be used to attach a license to the newly defined Firewall module.

In SecureUpdate the Management and Firewall module should be displayed; if they do not appear, make sure the Firewall object has been created and the Security Policy saved.

Highlight the Management Server object and select Get Check Point Node Licenses.

The licenses associated with the Management Server should be displayed. The local license is the Management Server license and the central license is the Firewall module license.

Make sure you Detach the central license and not the local license, otherwise you will have to add the license information back using SecureUpdate or the Check Point Configuration Tool.

When you install the Management Server, copy the license file details obtained from Check Point into a directory under $FWDIR\conf; that way you will not have to go hunting for the license details if they are deleted. They will always be available and backed up as part of the Firewall configuration. License information can be retrieved at any time from Check Point's license center, but you need to get there and have your login details available.

Attach the license to the Firewall Module.

The license details will be displayed for confirmation; if you make a mistake you can Detach the license and then Attach it somewhere else.

Licenses that have been attached will be listed beside the module in the License Management display.

To view all licenses use the License Depository display.


1.10 Secure Virtual Network Architecture

Securing Networks, Systems, Applications and Users

A complete network Security Policy requires the management of many different areas of network control, including internal and external networks, remote users, authentication, content control, bandwidth management, PKI and encryption.

The Check Point suite of products allows all aspects of a Security Policy to be managed through a single front end, the Policy Editor.

SVN Components

Secure Virtual Network (SVN) components that can be used to control your Security Policy are listed in the following tables.

Security Protection

Product - Description
FireWall-1 - Provides access control, content security, authentication, centralized management and other capabilities; the core inspection/filtering foundation for enterprise security deployment.
SmartDefense - Protects organizations from known and emerging attacks using Check Point's intelligent security technology (was CPMAD in 4.x).
SecurePlatform Media Pack - Solution for quickly deploying Check Point's market-leading security on open platforms. Installs a core Linux filesystem, building the installation directly from a bootable CD.
VPN-1/FireWall-1 SmallOffice - Security for branch offices and MSPs that includes web-based management and seamlessly integrates with Check Point's Enterprise Management Console, Provider-1 and SiteManager-1.
Safe@ Products - Security for small businesses, remote offices and MSPs that includes web-based management and supports centralized management with the Security Management Portal.
VPN-1/FireWall-1 VSX - A high-speed, multi-policy security solution designed for data center environments.
VPN-1/FireWall-1 SecureServer - Provides firewall protection for, and enables VPN connectivity to, individual servers running critical applications. Requires a Management Console to control the security policies.
FireWall-1 GX (Wireless) - Security for 2.5G and 3G GPRS enabled wireless networks.

Security Management

Product - Description
SmartCenter & SmartCenter Pro - Solutions for Check Point's security, VPN and Quality of Service products. SmartCenter Pro includes Visual Policy Editor, SecureUpdate, Account Management Module and full redundancy for policy management.
Provider-1 - Solution for service providers and large enterprises that enables the efficient management of multiple security policies from a single management console.
SiteManager-1 - A system that allows the Provider-1 architecture to enable service providers to deliver comprehensive, cost-effective managed security to small and medium-size businesses.
Security Management Portal - Centralized management solution for Safe@ products.
Visual Policy Editor - Visualisation tool that provides a detailed, graphical map of an organisation's security deployment.
SecureUpdate - Centralised management and distribution tool for software applications and product licenses which guarantees enterprise security is always up to date. Central license management is free; remote software updates require a license for SecureUpdate.
Account Management Module - Optional module which enables VPN-1/FireWall-1 gateways to integrate with one or more LDAP-compliant directory servers and obtain identification and security information for network users.
Reporting Module - Log consolidation and reporting tool enabling users to create custom reports for security audits, activity trending and accounting.
Real-time Monitor - A graphical, real-time VPN performance analysis solution that presents users with detailed views of network performance characteristics.
UserAuthority - Unified, secure communication layer for authenticating users to eBusiness applications.
Open Security Extension - Management tool that enables organisations to define, distribute and centrally manage the security policies for routers from within the Check Point Management Console.
Meta IP - IP address management solution that combines secure, enterprise-class DNS and DHCP services with centralized management. Integrates with Single Sign-On for client authentication.


Connection Control

Product - Description
VPN-1 Pro - Integrated VPN/Firewall solution that supports all deployment types including remote access, site-to-site and extranet VPNs.
VPN-1 Net - VPN solution for connecting multiple offices and partners, with a simplified management interface for creating the VPNs.
SecuRemote - Client application that enables remote and mobile users to securely access corporate resources. The license for this is free.
SecureClient - Client application that enables remote and mobile users to securely access company resources and protect systems with personal firewalls using the central Policy Server.

Performance Accelerators

Product - Description
Performance Pack - Accelerates encryption and security functions for VPN-1 and FireWall-1 deployments on Linux.
ClusterXL - Integrated High Availability and Load Sharing for Check Point Gateways.
FloodGate-1 - QoS solution that ensures reliable performance for VPN and other mission-critical applications on congested network links.
VPN-1 Accelerator Card - Improves VPN-1 Gateway performance by accelerating intensive cryptographic operations.
ConnectControl - Optional module for VPN-1/FireWall-1 that intelligently balances incoming connections among multiple application servers.


1.11 Basic Common Sense Security

There tends to be a ‘Harrods Bag’ syndrome associated with Firewalls. Just because you see someone in London with a Harrods bag does not mean that they have been shopping at Harrods. Firewalls from all vendors put forward marketing claims regarding security. However, do not assume that they all provide the same level of security for the same service, or even implement security in the way you are possibly thinking.

• Do not make assumptions!
• If in doubt ask, even if it is just for reassurance that you are correct!
• If you do not know, test it! Try and break/abuse it.

Services

Only allow the minimum number of services needed for business operations to function. Force users to justify a service they require for business purposes.

There is no such thing as a secure service: it is software built using an API, software has bugs, programmers make mistakes; the bugs just may not have been found yet. API - Application Programming Interface, a group of library routines designed to simplify application development.

If you can proxy a service, do so; it prevents users tunnelling data directly through a port number. They can of course still tunnel data over the proxied service.

If you do not have to have a service, for example DNS, coming into your network, then don’t. Let your ISP run your primary and secondary DNS servers; the security of those servers then becomes their problem. You can run internal caching DNS servers that only internal hosts have access to.

For smaller organisations, virus-screened email services may be worth investigating; incoming mail will then only originate from a single source.

Servers

Have an OS monitor and patch policy. All sites usually patch their exposed servers, but think about the internal servers as well.

Control physical and network access to servers. Apply locks to doors and enforce strong authentication to servers if necessary. Data is a company asset.

Locate servers on the network to provide maximum protection and control, use multiple firewalls if necessary. Firewalls do not have to be from the same vendor, lower cost solutions may be appropriate for internal networks. All firewalls have similar filter abilities, once you’ve learnt one you are looking for similar filtering functionality in the others.


People

Users are your biggest problem; they cannot be trusted to do what they are told. Technical users are often a problem: they think they know what they are doing and often find ways around security features. Learn from them.

Much as we believe everyone is honest, if you make a mistake and your job is on the line you will attempt to cover it up.

Peer Pressure

If you are responsible for network security then you know more than the managing director about the security risks. Just because a manager wants a service does not mean they have to get it.

Persuade managers to set a good example.

Security Policy Procedures

Enforce the policy procedures; there is no point in writing them if no-one knows what they are.

Incorporate criticism and feedback into the procedures; they are not cast in stone and have to work in the business environment, otherwise they will be ignored. Too much red tape results in procedures being bypassed.

Documentation

Every change to the firewall must be documented. Document it at the time and not 12 hours later, when you will make mistakes. Do it even if it is just a simple WordPad document listing the history of changes. It does not have to be fancy, with screen shots of the rules and Global Properties dialog boxes.

Read your Firewall Configuration and Control Change documentation before you do updates, especially when multiple administrators are involved.

Make sure any critical notes are at the front or highlighted.

Log files

Firewalls write log files; someone should be looking at them.

Prepare for the unexpected

Make sure you have complete, recoverable backups of all the servers; if a security breach does occur then you need a plan of action.

Implement Trust procedures

Implement procedures that remove the question of trust as much as possible. This is difficult in an IT environment since a single administrator has full administration rights to many servers.

No matter how much you know assume someone knows more and think defensively, never be bold with security.

Site Security Handbook - RFC 2196

Make sure you read this Request For Comments (RFC), an excellent starting point for writing the overall site security policy.


1.12 VPN-1/Firewall-1 Architecture - Review Questions

1. In the OSI protocol stack model, routers traditionally filter up to which layer?

A. Hardware
B. Transport
C. Network
D. Session
E. Application

2. VPN-1/Firewall-1 is based on a technology called Stateful Inspection; this means that the VPN-1/Firewall-1 NG Module will be able to do which of the following?

1. Look at every layer of the OSI protocol stack.
2. Use flexible expressions to determine packet contents before allowing connections.
3. Strip viruses from data streams.
4. Strip Java and ActiveX code from data streams.
5. Extract port information for reverse connections.

A. 1, 2
B. 1, 2, 3, 4
C. 2, 3, 4, 5
D. 2, 4, 5
E. 1, 2, 4, 5

3. VPN-1/Firewall-1 NG uses an Inspection Engine. Above which layer in the OSI protocol stack model does the Inspection Engine sit?

A. Data link
B. Network
C. Transport
D. Physical
E. Application

4. VPN-1/Firewall-1 implements its Security Policy based on which of the following general security principles?

A. Allow only that which is explicitly allowed, deny everything else.
B. Allow everything except that which is explicitly disallowed.
C. Allow all traffic that is from internal networks, deny all incoming traffic.
D. All traffic is denied unless permitted by the implied rules.
E. Allow all traffic from external to internal NAT servers.


5. Which of the following describes the behaviour of VPN-1/Firewall-1 NG?

1. Inspects packets at the Network layer.
2. Inspects packets at the Session Layer.
3. Extracts information like port details from the Application layer to control reverse connections.
4. Uses flexible expressions to extract information from all layers of the TCP/IP protocol stack to control connections.

A. 1, 2
B. 3, 4
C. 1, 4
D. 1, 2, 3, 4
E. 2, 3

6. CPShared is the Check Point Operating System that is silently installed with every Check Point product. What are the main components of CPShared?

1. cpstop/cpstart
2. Check Point Registry
3. CPShared Daemon
4. Watch Dog
5. SNMP Daemon

A. 1, 3, 4, 5
B. 2, 3, 4, 5
C. 1, 2, 3, 4, 5
D. 1, 3
E. 1, 2, 5


2 Security Policy & Rules Setup

This module is perhaps the most important: if you do not completely understand and are not comfortable with all of the objectives, you will at some point incorrectly configure an aspect of the Security Policy. This module covers the creation of network objects, the interaction of the rules and the limitations of the services as defined by default.

Objectives

When you have completed this module you should be able to:

• Use the Policy Editor.
• Validate the Management Server fingerprint during Policy Editor connections.
• Create and edit enforcement type objects.
• Create and edit general network objects.
• Add and delete rules.
• Verify and Install the Security Policy.
• Understand the use of implied rules.
• Know what makes up a rulebase.
• Know the rulebase filtering order.
• Understand the options in the Install On column in the rulebase.
• Know the exceptions to rule base filtering order.
• Know how to correctly configure DNS rules.
• Know how to stop and start the Firewall module.
• Know how to recover after locking out Security Policy installs.
• Formulate a plan and procedure for testing the Security Policy.


Security Policy & Rules Setup

2.1 First Contact with the Management Server

When you start the Policy Editor from the Windows start menu you must log on to a VPN-1/Firewall-1 Management Server, unless you are using the GUI in demo mode.

Demo mode is a new tick box selection in the Policy Editor logon dialog box in NG FP2; in previous versions it was called *local. To use *local you could enter anything for the Username, anything for the Password, and *local for the Management Server. Demo or *local mode uses a local copy, on the GUI client machine, of the configuration files. Demo mode is useful for technical support and familiarization with the Policy Editor when a Management Server is not available. In demo mode sample objects and rules have already been created and may provide guidance on how a feature should be configured.

Demo mode does not connect to a Management Server, therefore some functionality is disabled.

GUI Login

To login to a Management Server you must have:

• A valid administrator Username
• A valid Password or authentication token
• The IP address or hostname of the Management Server
• A client IP address that is allowed to connect to the Management Server, i.e. one in the GUI clients list. The GUI clients list is configured in the Check Point Configuration Tool on the Management Server. If you are using the GUI from the Management Server you can use 127.0.0.1 as the address to connect to.

Administrators can have different levels of permission; to fully administer the firewall you will need Read/Write access and be allowed to use all of the GUI clients.

Only one administrator at a time can be logged on with Read/Write access; however, as many administrators as required can log on with Read Only access.

Do not leave yourself logged on with Read/Write access in an environment with multiple administrators, as it may make it difficult for others to gain access if your screen lock prevents them from closing down your GUI.

Read/Write access is controlled by a simple lock file that is checked when you connect to the Management Server; if it exists you will only be allowed to connect in Read Only mode.


The lock file is $FWDIR\tmp\manage.lock and contains the hostname (GUI client) and username (administrator) who is currently logged on with Read/Write access. The lock file may be left after a GUI crash and no Read/Write access is available until the lock file is removed.

$FWDIR is the root directory where you installed the VPN-1/Firewall-1 configuration files. In Windows environments this is usually C:\WINNT\FW1\NG but it can be any directory.

Start Policy Editor

You can run as many instances of the GUI as you like; there is no license required. Without a Management Server to connect to (which you do have to license) it is only useful for technical support and basic learning.

Administrator Authentication

For the first Policy Editor logon use the administrator username and password created during installation, fwadmin/abc123, if you followed the installation in the Appendix for the test environment.

Enter either the hostname or the IP address of the Management Server.

The login details for administrators created during installation or through the Check Point Configuration tool are stored in $FWDIR\conf\fwmusers. This is a plain text file and portable between Management Stations. Its contents may look similar to the following.

fwadmin d0fae92ce4124cfc0a190b9c72a82a92b679b745 ffffffff

The ffffffff controls the GUI clients and type of access - read/write.


You need OS administrator access on the Management Station to modify this file.

Fingerprint Check

The first time a GUI client connects to the Management Server the Fingerprint check is displayed for approval. This is to prevent connecting to the wrong Management Server. To check this value you need the value from the Check Point Configuration tool on the Management Server.

This can be checked by looking at the Fingerprint details on the Management Server.

The GUI client stores the Fingerprint details on the local client; if you need to rebuild the Management Server and reconnect to the same IP address, the Fingerprint will be different and the following will be displayed.

In the above case the hostname of the Firewall was changed and the Management Server was re-installed.

If you want to compromise VPN-1/Firewall-1 your target should be the Management Server, as it is usually the weakest access point and has control over the gateways through the INSPECT scripts and the object definition files. Secure the Management Server.

Policy Editor

When you login to the Management Server for the first time several objects will automatically have been created during install. The objects created will be slightly different in a combined Management/Firewall Module than in a split environment. In a split configuration the LocalMachine is always created; the other object will either be the Management Server or the Firewall.

The Policy Editor in this case displays the Visual Policy Editor (VPE) as well as the standard areas. The VPE requires a separate license and may not be available on your live system. From NG FP2 you can have the VPE displayed in a separate independent window (undocked or docked). The VPE just clutters the view and is best turned off while learning the basics of managing the Security Policy.

Use the tool bar toggle to turn off the unwanted areas of the Policy editor.

The areas are:
• Rules
• Object tree
• Object list
• Visual Policy Editor

A common simple configuration is to use the Rules and Objects Tree, the other two areas just crowd the screen unless you have a large, greater than 1024x768, screen.

If you are doing VPN-1/Firewall-1 managed firewalls for large organisations or a large number of clients a high resolution 1600x1200 19” or 20” screen is a useful asset.

2.2 Creating Network Objects

The first stage in configuring your Security Policy is creating the network objects; there is not a lot you can do until you have them configured.

The topics and examples in this book use a configuration with two Firewalls in a split Management/Firewall configuration. To complete the CCSA topics and some of the CCSE topics using the examples, a network configuration with one firewall and three hosts is required. All the basic objects will be created now. Two firewalls are required for the site to site VPN topics.

You can create the objects as you read through the next section.

The diagram below shows the configuration used for the example configurations used in this book.


Create the following objects; you only need one pair configured, but all sites that are part of a full classroom/test environment are listed below.

Before you do the next part you need a hosts file with all the hosts you will be using; this will allow you to use the hostnames and resolve the IP addresses.

Check Points, Firewalls

For a full classroom/test environment the following sites and firewalls have been used.

fw.f14.com   172.21.1.1 (Site 1 - Tomcat)
fw.f15.com   172.22.2.1 (Site 2 - Eagle)
fw.f16.com   172.23.3.1 (Site 3 - Falcon)
fw.f18.com   172.24.4.1 (Site 4 - Hornet)
fw.f22.com   172.25.5.1 (Site 5 - Raptor)
fw.sr71.com  172.26.6.1 (Site 6 - Blackbird)

[Diagram: Site 3 and Site 4 test configuration. www.f16.com (10.3.3.1) on 10.3.3.0/24 and www.f18.com (10.4.4.1) on 10.4.4.0/24 each sit behind their own firewall, fw.f16.com (172.23.3.1) and fw.f18.com (172.24.4.1), whose internal interfaces are shown as (254). www.server.com sits between the two firewalls with addresses 172.23.3.254 on 172.23.3.0/24 and 172.24.4.254 on 172.24.4.0/24.]

www.server.com has virtual addresses so it can be on both networks and act as the router between the two networks. The full configuration is required for CCSE VPN topics; only one half is required to complete CCSA topics.


Nodes, Hosts

www.f14.com 10.1.1.1
www.f15.com 10.2.2.1
www.f16.com 10.3.3.1
www.f18.com 10.4.4.1
www.f22.com 10.5.5.1
www.sr71.com 10.6.6.1

Nodes, Hosts

Only create one of the following www.server.com objects, depending on which site you are at.

www.server.com 172.21.3.254 (if you are site 1 Tomcat)
www.server.com 172.22.2.254 (if you are site 2 Eagle)
www.server.com 172.23.3.254 (if you are site 3 Falcon)
www.server.com 172.24.4.254 (if you are site 4 Hornet)
www.server.com 172.25.5.254 (if you are site 5 Raptor)
www.server.com 172.26.6.254 (if you are site 6 Blackbird)

Networks

Site           Object Name     Net Address   Mask
1 - Tomcat     net-10.1.1.0    10.1.1.0      255.255.255.0
2 - Eagle      net-10.2.2.0    10.2.2.0      255.255.255.0
3 - Falcon     net-10.3.3.0    10.3.3.0      255.255.255.0
4 - Hornet     net-10.4.4.0    10.4.4.0      255.255.255.0
5 - Raptor     net-10.5.5.0    10.5.5.0      255.255.255.0
6 - Blackbird  net-10.6.6.0    10.6.6.0      255.255.255.0

Create the Firewall Object

Objects can be created from several locations in the User Interface:

• Menu bar, Manage -> Network Objects.
• Objects Tree, 2nd mouse button, New.., type of object.
• Objects List, shows specific type of object, use 2nd mouse button, New (must have blank area to click on).

In NG, objects can now also be created on the fly when you need them from dialog boxes within the user interface, instead of having to exit the dialog, create the object and re-enter the dialog box.

fw.f16.com

This is a Check Point type object since it is an enforcement point with VPN-1/Firewall-1 installed. Previous (4.x) versions only had the object type Workstation, with dialog settings to indicate VPN-1/Firewall-1 was installed.


In NG FP2 a wizard can step you through the creation, but this is more for novices and it is better to remove the Wizards option and use Classic mode. The Wizard is not very helpful if the object settings are not fully completed; you then have to manually edit the object anyway.

Turn off Wizard prompts for the future; this can be changed or set in Policy - Global Properties.

Enter the Name of the object (resolvable via DNS or the hosts file) and select the Get address button.


Get Address

The Get Address button retrieves the IP address given the hostname of the object, using the system settings of the Management Server, usually the hosts file and DNS.

Description

Add a suitable description in the Comment area.

Version

Make sure the version displayed is correct; this ensures the Management Server generates the correct version of the INSPECT code.

Product Selection

Select VPN-1 Pro, since this object is an encryption enabled enforcement point.

SIC setup

You must set up Secure Internal Communications (SIC) before trying to get the Interfaces from the Topology dialog. In a combined Management/Firewall Module, SIC is configured during install since both are on the same host.

The secret you configure here is the same one you entered during the install of the Firewall module.

If the secrets are the same then trust should be established. If trust fails then you will need to reset the secret on the firewall module and try again. If you select Reset you will need to reset the SIC secret on the Firewall module; only do this if that is the intention, a warning dialog will appear.

You can Test the SIC status at any time.

Topology

Change to the Topology dialog and get the Interface details.

The topology may take up to 90 seconds to respond.


The interfaces on the firewall module will be displayed.

This is where Anti-Spoofing will be configured. Anti-Spoofing is an important part of your Security Policy configuration but is explained in detail later.

The basic details for your firewall object have been set; select OK to complete the object creation.

Internal Certificate

The Internal CA will create a certificate for this object because VPN-1 Pro is selected and this is a VPN object.

The Firewall object is now complete and should be listed in the Objects Tree and Objects List.

External Partner Firewall

This object is not strictly needed for the CCSA topics but it is useful to have it ready for the CCSE topics. Your Management Server does not control this object and cannot install Security Policies or get topology information from it, but you know it is a VPN-1/Firewall-1 gateway, which is important for Site to Partner Site (Extranet) VPN configuration.

Create Partner Gateway

This is a Check Point type object.

Only set the basic details: Name (use Get address if the hostname is resolvable, or fill in the IP address), a Comment, and the Version and Product Installed. No other options need to be set on this object until VPN configuration with a partner.

www.yoursite.com

Create the web server object for your site, www.f16.com.

Do this even if you have a www-f16 object created by default. You would have this object if you installed in a split environment and the machine name is www-f16.

This is a Nodes, Host type object.


Enter the name and use the Get address if the name is resolvable, add a Comment and select a Color.

The object definition is complete, select OK.

Since an object with this IP address already exists, www-f16, a warning message will appear; confirm that you want to create the object.

You can safely have multiple objects with the same IP address, but as general practice you should avoid doing so, as too many duplicate objects can make the rulebase difficult to follow or debug.

www.partner.com

Create your partner web server object; again this is type Nodes, Host. Fill in the name and complete the object details.

www.server.com

Create the external test server. The name will be www.server.com but the address will be different for each site. The type is Nodes, Host.

www.server.com 172.21.3.254 (if you are site 1 Tomcat)
www.server.com 172.22.2.254 (if you are site 2 Eagle)
www.server.com 172.23.3.254 (if you are site 3 Falcon)
www.server.com 172.24.4.254 (if you are site 4 Hornet)
www.server.com 172.25.5.254 (if you are site 5 Raptor)
www.server.com 172.26.6.254 (if you are site 6 Blackbird)


Networks

Create two network objects, one for your site and one for your partner site. In the classroom/test environment the partners are:

• Site 1 & Site 2
• Site 3 & Site 4
• Site 5 & Site 6

net-10.3.3.0

You should consider a naming convention for all objects; some objects are easy, like web, ftp and email.

Set the network and subnet mask. The object name is net-10.3.3.0, a simple naming convention which allows easy identification of network objects in the rulebase.

Note the Broadcast address setting is Not included. This means that 10.3.3.255 will not be considered to be part of the network and will not match a rule if the source is net-10.3.3.0. This is a normal configuration in Security Policies for network objects.

You do not want a packet leaving your network with source address 10.3.3.255; when replies come back they could create a broadcast storm.


net-10.4.4.0

Create the partner network object.

Object Tree Expanded

You should now have the following objects created and are ready to start creating rules. The objects may be different if you are not site 3 or 4.


2.3 Adding Rules to the Security Policy

The Security Policy is created by adding rules, using the object definitions as either Sources or Destinations along with the type of service allowed between them. Note that Any in a rule is a default value that acts as a group containing all possible values, which is not always what you want even if it is convenient.

Rule base Elements

The rulebase elements are the headings for each column in a rule. In a default NG FP2 this includes the If Via column used for simplified VPNs.

Removing the If Via Element

The If Via column only applies when doing simplified VPNs. For the moment it is just a distraction; to remove it, change the setting in Global Properties - VPN Pro to Traditional VPNs. It is currently set to Traditional and Simplified (the default for an NG FP2 install). VPNs, Traditional and Simplified, are explained in the CCSE topics.

This setting will apply to new Security Policies, not the existing default Policy currently being used. The default Policy currently being used is called Standard.

New Security Policy

Create a new Security Policy called mgmt-1, which will be used for the CCSA topics. Managing Security Policies and revision control is explained later.

You will be prompted to Save any changes made to the current Security Policy and objects. The objects you create are common to all Security Policies.


Select Security and Address Translation and Desktop Security.

Rulebase Elements without If Via

The new Security Policy should not have the If Via Column, this would be the same as all pre NG versions of the Policy Editor rules.

Adding rules

To add a rule use Rules - Add from the menu.

Default settings

Every time you add a rule, it is added with default settings as shown below.

To set any value for the rulebase elements use the 2nd mouse button in the rule element area.


Rule Number

This indicates the position in the rulebase. Rule order is very important: rules are executed in 1 to n order, the first matching rule is executed and no other rules are tested. There is an exception to this if the Action is Authenticated and when using Simplified VPN rules.

Source and Destination

Add a source or destination to the rule; select from the list of existing objects, or create the object if it does not exist.

Service

To add services select from the pre-defined list of services; new services can be created if they are not defined as standard. Note you can select multiple services by using Mouse Button 1 + Ctrl.


Action

The Action determines what happens to a packet when it matches a rule. The encrypt actions are covered in the CCSE topics.

Accept - allow the packet if it matches the rule.
Drop - discard the packet, giving no reply to the client.
Reject - reject the packet and provide a response to the client.
User Auth - requires a User Authentication, service http/telnet/ftp/rlogin.
Client Auth - requires a Client Authentication, any service.
Session Auth - requires a Session Authentication, any service.
Encrypt - apply encryption between the source and destinations, site to site encryption.
Client Encrypt - apply a client to gateway encryption, requires the user to authenticate.

Track

This determines the type of tracking that is done for the rule. The growth of your log file will depend on the number of rules set to log and the volume of traffic through the firewall.

Install On

This determines which enforcement points the rule will apply to; a single rule could apply to multiple gateways or you could specify a specific target.

Gateways - applies the rule to any object with Check Point VPN-1/Firewall-1 installed, checked as a gateway and under control of the Management Server.
Dst - applies the rule to the firewalled object(s) in the Destination element and the firewall filters in an inbound direction.
Src - applies the rule to the firewalled object(s) in the Source element and the firewall filters in an outbound direction.
OSE Devices - Open Security Extension Devices can be Cisco, BayRS, 3Com routers. The rule will be converted to the ACL format of the device and installed on that device. Requires a separate license.
Embedded Devices - apply the rule to the objects in the objects database that are defined as Embedded objects. These objects can be type Nokia IP5x or Xylan; they have a Firewall-1 module installed on them.
Targets - installs the rule on the specific target firewalled object.

The majority of rule examples in this book will use ‘Policy Targets’ as the setting. This is a common setting if you only have one firewall module. You do not need to use Targets Specific for the CCSA examples in this book as you will only be controlling a single VPN-1/Firewall-1 module. It may be used in the CCSE topics for VPNs, where different rules are installed on different targets. Policy Targets means install the rule on all targets under the control of the Management Server.

Time

This element can control when the rule will apply; Time objects need to be created and selected from the list.

Comment

Comments in rules are important, they are your front line documentation; however, comments cannot be more than 255 characters. This is not a substitute for a firewall Security Policy configuration and change control document.


Create the following Rules.

Stealth Rule

This rule is usually in the rulebase to prevent access to the Firewall. Management connections for installing Policies are treated separately by the implied rules. This is known as the stealth rule because no response to any incoming packet is made. The target destination is the Firewall, which silently drops the packets and in this case logs the event.

It is not always the first rule but is usually somewhere near the start of the rules.

Change the rule added from the defaults to have a Destination of fw.yoursite.com and Track of log. If you did not previously add a rule, add a rule now and change the default settings.

Anything Out Bound Rule

This rule allows anything from the internal network to Any destination, including the IP addresses of the firewall (that is why the stealth rule is above it). In this form it is a fairly liberal rule in that Any service is allowed. Allowing all services is convenient for the time being; as the Policy evolves a limited set of services can be configured. On a live Firewall always start with the minimum number of services required.

Add the Anything out bound rule.

Clean up Rule

This rule is almost always in a Security Policy and is the last rule. You do not strictly need it, because if a packet has not matched a previous rule and reaches the end of the rulebase the packet is dropped. However, in that case the packet is silently dropped and not logged, and usually you need to know what is being dropped.

Add the clean up rule.

Broadcast Junk

Some packets, like broadcasts, will arrive at the firewall and be dropped and logged by the Clean up rule. To reduce the amount of logging, a rule can be configured to drop the traffic without logging by matching a rule higher up in the rulebase.

If you have a large amount of broadcast traffic that is visible to the firewall this rule should be near the top of the rule base. You want to have the packets match without dropping through all the rules. Depending on your network configuration there may be very little visible broadcast traffic.

Add a rule to the beginning of the rulebase, it will become rule 1, all other rules will be renumbered.

Add nbname and nbdatagram as the services, there may be others but this will do to start.

If there are a lot of different broadcast services then a cleaner method is to create a Service Group and put the services into the group.

For example you might want to create a group Broadcast_junk and use that.

Create a new Group.


Add nbname and nbdatagram to the group.

Now you could change the rule to use the Service Group name instead of adding services individually to the rule. The use of groups keeps the rulebase tidy, however you cannot just look at the rule to see the list of services.

The rule would change to the following.

In NG FP2 you can drag and drop rules to change their position.

Current Rulebase check

Make sure you do a file save; each object you create is saved at the time of creation, but this is not true for rules you have added.

Your rulebase should look similar to the following.


Negating objects in Rules

Since anti-spoofing has not yet been configured, rule 3 might be better written using the negate option, which can be applied to Source, Destination or Service elements.

You could change rule 3 to the following.

Notice the destination is net-10.3.3.0 negated and not Any; the negate means anywhere but net-10.3.3.0. This means that if a packet arrived from an external site with a source IP address in net-10.3.3.0 and a destination IP address in net-10.3.3.0 it would not match this rule and would drop to the next (rule 4), which would drop it.

The previous version of the rule would accept a packet with source 10.3.3.1, destination 10.3.3.252 as the packet contents would match the rule, even if the packet originated from the external network.

Once anti-spoofing is configured this would not be an issue and there would be no need to negate the destination.

Having a lot of negates in a rulebase makes it more difficult to follow the rulebase logic.

When you install your Security Policy there may be warnings about anti-spoofing configuration until you configure the settings for anti-spoofing. Anti-spoofing is only set on your firewalled objects.


2.4 Installing and Verifying the Security Policy

For changes to take place in your rulebase and affect your firewall you must install the policy. Any change to an object or setting within the Security Policy Editor will require a Policy install, except User database changes, which can be installed separately.

Verify the Security Policy

Policy - Verify does some integrity checks on the rules to make sure there are no conflicting rules or settings that will result in the Policy failing to compile. The verify does not catch everything and sometimes the verify may be OK but the Policy install fails.

You should get into the habit of doing Policy - Verify, then Policy - Install.

If you do not verify the Policy and just do an install, the Policy compilation may fail but it will not break your firewall.

Installing the Security Policy

To install your Security Policy select Policy - Install... and select the target Firewalls you want to install the Policy on. In this case there should only be one Firewall.

[Figure: Policy menu showing Verify Policy, Install Policy, Uninstall Policy and Revision Control.]


You will be warned about implied rules which are set in the Global Properties dialog box. Just select OK and continue the Policy install, implied rules are explained later.

If you have multiple firewalls you can select the firewalls that this Policy install will apply to.

Warning about no anti-spoofing configuration.


Policy install complete.

You should now have a policy installed on your firewall ready for testing. Your firewall will now be able to route packets through it providing a rule is matched.

Uninstalling the Security Policy

To uninstall the Security Policy, select Policy - Uninstall.... You do not have to uninstall policies before installing new ones; new policies override the INSPECT code of the currently installed policy. There may be times when you need to unload the policy, but that is usually because you have installed a policy that prevents any access to the Firewall, including policy installs.

Uninstalling the policy can be done from the command line on the Management Server or firewall. Use fw unloadlocal on the Firewall module, or fwm unload target from the Management Station, where target is the hostname of the Firewall, providing it can communicate with the Firewall module.

Do not uninstall your policy at this time! If you did then install it again.

2.5 Testing the Security Policy

Test your Security Policy by using ftp or a web browser. You should at least be able to connect to the server www.server.com in your environment. You could attempt access from an external server to the internal server to check drops as well.

Testing a Security Policy is vital to having confidence in the policy that is currently installed. Just because it is a Firewall does not mean it is secure, administrators make mistakes. Make sure the rules work the way you expect. It is a piece of software, software has features.

Track events you expect in the log file and in some cases snoop the traffic to ensure it is in the format you expect, encrypted maybe.

Never just trust the Firewall Security Policy, regardless of which product you are using. That is why companies pay to have their Firewall audited; you could create your own audit tools and procedures. There are plenty of scanners around, languard, nmap, iss.

Your Firewall is now controlling network connections. Once in place it will be the first location of blame for failed network connections, and you should start to think about how you will prove this not to be the case. When using Unix Firewalls this is fairly simple: use snoop or tcpdump on the internal and external interfaces to prove the packet is visible on both networks, then send the dump to the administrator complaining your firewall is blocking his/her connections. When using NT firewalls, depending on accessibility, you may need snooping tools either side of the Firewall.

In small organizations this is not an issue, but in larger networks it is definitely an issue.

2.6 Basic Log Viewer information

You can start the Log Viewer and see the logged events to check that packets are being accepted, logged, dropped or rejected as you expect. Your logged events may look similar to the following.

The log viewer has standard filter views; select the required view from the toolbar.

The General view does not show full Source/Destination IP address and service, the Firewall-1 view does that.


2.7 Implicit and Explicit Rules in the Security Policy

Most, if not all, firewalls implement a Policy that assumes ‘That which is not expressly permitted is prohibited’. This means that until there is a rule that allows traffic through the firewall nothing is allowed.

In order to simplify the installation for the majority of users there are certain rules that are added by some firewall vendors by default.

In VPN-1/Firewall-1 these rules are known as implied rules.

You have created four explicit rules, and if the question came up as to how many rules you have just installed, your answer would probably be four.

In fact, you installed forty five rules: four that you created and 41 that Check Point set as default rules. The 41 implied rules apply to a default install of NG FP2; there were fewer in previous versions.

Implied rules are installed to simplify Policy installs and reduce the number of technical support calls regarding the firewall not working. For full time network engineers the services in the implied rules can be evaluated and removed if necessary without much difficulty since they are using network services regularly. If you remove implied rules and need the service you will have to add an explicit rule.

For the novice who is thrown in at the deep end, if these services had to be added manually before the firewall would work they would probably use a different product.

The default implied rules can be turned off but only if you know what you are doing, and in the process of setting the right explicit rules you may block the ability to install Policies. (You are going to do this so you will know how to recover if it happens.)

In early versions of VPN-1/Firewall-1 the default rules had DNS tcp, DNS udp and RIP turned on by default which was not necessary, NG has these turned off by default. If you upgrade your Firewall the settings are inherited from the previous configuration.

If you have an environment where the Management and Firewall module is installed on the same box then you can turn the implied rules off without having to set explicit rules for the majority of installations.

To view the implied rules, select View - Implied Rules, this is a toggle, select once to show and again to show only explicit rules.

The implied rules in a default install are as follows.


This shows the implied rules integrated into your explicit rules.

Implied rules are set in the Policy - Global Properties dialog box.

To turn off most of the implied rules untick Accept VPN-1 & Firewall-1 control connections.


The rulebase with implied rules shown should now look like the following.

If you are in a split environment with the Management and Firewall module on separate boxes and install the above Policy then you will not be able to install new Security Policies. The install of the above policy would appear to hang half way through, since the new rulebase would cut the connections off, but the Policy would get installed.

Do not install this policy yet.

The implied rules that are left apply to the remaining tick boxes in the Firewall-1 Implied Rules dialog box.

Notice the position of the implied rules, some are before your first explicit rule, and one before your last rule.

First, Before Last, Last

Implied rules can be positioned First (before your first explicit rule), Before Last (before your last explicit rule) and Last (after your last explicit rule). You may think that since you have an explicit last rule that drops everything, no rules will apply after it, since it would drop everything at this point. Not true; implicit rules may apply, but it depends where the packet originated. If it is from the Firewall then the implied rule may apply and be matched.

2.8 Rule Base Filtering Order

Packets are filtered in a simple top down order; it is an if-then-else step ladder, the first matching rule will apply and no further rules will be tested.

However, you must consider, SAM (Suspicious Activity Monitoring), Anti-spoofing, implied and explicit rules and how they are merged to form a single rulebase.


SAM and Anti-Spoofing are explained later.
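The first-match ordering described here, together with the negated destination from Negating objects in Rules in 2.3 and the First / Before Last / Last implied-rule positions of 2.7, can be checked on sample packets with the small evaluator below. It is an added example, not code from this book or from Check Point, and it is a toy: the real Inspection Engine consults the state tables, anti-spoofing and SAM before the rulebase, all of which are left out. Object names and addresses are the site 3 ones from the text; the gateway's internal address 10.3.3.254 is an assumption read from the "(254)" label on the diagram, and the sample packets are constructed.

```python
"""Toy first-match rulebase evaluator for the site 3 rules built in 2.3.

Added example; not code from the book or from Check Point.  It models the
explicit rules (Broadcast junk, Stealth, Anything outbound, Clean up), the
negated destination from 'Negating objects in Rules', the 'Broadcast address:
Not included' setting on net-10.3.3.0 and the First / Before Last / Last
implied-rule positions of 2.7 and 2.8.  State tables, anti-spoofing and SAM,
which the real Inspection Engine consults first, are left out.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = object()  # the 'Any' element: matches every address or service


class Network:
    """Network object; the broadcast address is excluded unless asked for."""

    def __init__(self, name, cidr, include_broadcast=False):
        self.name, self.net = name, ip_network(cidr)
        self.include_broadcast = include_broadcast

    def contains(self, ip):
        addr = ip_address(ip)
        if addr not in self.net:
            return False
        return self.include_broadcast or addr != self.net.broadcast_address


class Host:
    """Node/Host object; a gateway carries one address per interface."""

    def __init__(self, name, *addresses):
        self.name = name
        self.addresses = {ip_address(a) for a in addresses}

    def contains(self, ip):
        return ip_address(ip) in self.addresses


@dataclass
class Rule:
    name: str
    src: object = ANY          # Network, Host or ANY
    dst: object = ANY
    services: object = ANY     # ANY or a set of service names
    action: str = "drop"
    track: str = "none"
    negate_src: bool = False   # 'anywhere but' the Source element
    negate_dst: bool = False


def _addr_matches(element, ip, negate):
    if element is ANY:
        return True
    hit = element.contains(ip)
    return (not hit) if negate else hit


# A packet reaching the end of the rulebase is dropped without a log entry,
# which is why the explicit Clean up rule with Track=log is normally added.
END_OF_RULEBASE = Rule("<end of rulebase>", action="drop", track="none")


def first_match(rules, src, dst, service):
    """Top-down evaluation: the first rule whose Source, Destination and
    Service all match is applied and no further rules are tested."""
    for rule in rules:
        if (_addr_matches(rule.src, src, rule.negate_src)
                and _addr_matches(rule.dst, dst, rule.negate_dst)
                and (rule.services is ANY or service in rule.services)):
            return rule
    return END_OF_RULEBASE


def merge_implied(explicit, first, before_last, last):
    """Place implied rules as Global Properties does: First before explicit
    rule 1, Before Last before the last explicit rule, Last after it."""
    return first + explicit[:-1] + before_last + explicit[-1:] + last


# Site 3 objects.  Addresses come from the book's diagram; the gateway's
# internal address 10.3.3.254 is an assumption read from its "(254)" label.
NET_10_3_3_0 = Network("net-10.3.3.0", "10.3.3.0/24")
FW_F16 = Host("fw.f16.com", "172.23.3.1", "10.3.3.254")


def site3_rulebase(negate_outbound_dst=False):
    """The four explicit rules of 2.3; with negate_outbound_dst the
    'Anything outbound' destination is net-10.3.3.0 negated instead of Any."""
    return [
        Rule("Broadcast junk", services={"nbname", "nbdatagram"}),
        Rule("Stealth", dst=FW_F16, track="log"),
        Rule("Anything outbound", src=NET_10_3_3_0,
             dst=NET_10_3_3_0 if negate_outbound_dst else ANY,
             negate_dst=negate_outbound_dst, action="accept", track="log"),
        Rule("Clean up", track="log"),
    ]


if __name__ == "__main__":
    # Constructed sample packets; the last is the spoofed one from the text.
    for src, dst in [("10.3.3.1", "172.23.3.254"), ("10.3.3.1", "172.23.3.1"),
                     ("10.3.3.255", "172.23.3.254"), ("10.3.3.1", "10.3.3.252")]:
        for negate in (False, True):
            r = first_match(site3_rulebase(negate), src, dst, "http")
            print(f"negate={negate} {src}->{dst} http: {r.name} ({r.action})")
```

Running it shows the four ordering effects from the text: a packet to the firewall's own address is caught by the Stealth rule before the liberal outbound rule can accept it; a source of 10.3.3.255 does not match net-10.3.3.0 and falls to Clean up; the externally originated packet with source 10.3.3.1 and destination 10.3.3.252 is accepted by the plain outbound rule but dropped by Clean up once the destination is negated; and merge_implied places implied rules exactly where the Global Properties positions put them.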

2.9 Rule Base Filtering Order, Exception - Authentication

Consider the following rules.

Both rule 3 & 4 have an action of User Auth, explained in Authentication topics, which requires a user account authentication before matching the rule.

There are 2 groups, Sales and Techs. Until the user types in an account name the Firewall will not know which rule to match against, therefore it must always match the first authentication rule even if it does not end up applying. Normally the first matched rule will be the only rule checked, but in this case the user may belong to Techs and not Sales, so the packet would not be Rejected/Dropped by rule 3 but passed through all rules that have an action of Auth. In fact, because of the way the Inspection Engine works with Authentication, rule 5 will also be checked and since the source, destination and service match the User Auth rules it applies and the user would go out without getting authenticated.

[Figure (from 2.8): Inspection Engine packet flow. Anti-Spoofing rules and SAM rules (see Block Intruder) are checked first; the state tables (connections, tcp_services, udp_services, tcp_timeouts, proxied_conn) are then consulted. An expected packet, or a new entry added by a rule match with action Accept, is accepted and handed to the OS IP stack and the state tables are updated. If there are no details of the connection in the state tables the rules are checked to find the first matching rule; the Action is Accept, Drop or Reject (send Nack), and no matching rule means the action is drop. Useful command: fw tab -t connections -s]

It may appear that the least restrictive rule is being applied but that is just the way the Inspection Engine handles groups of users and an Authentication Action. It would not matter if the Action is User Auth, Session Auth or Client Auth.

This will only be a potential problem if you are authenticating users from Internal to external networks. You would never normally have a rule that just let you in to your internal networks without authentication. Always check the rules work in the manner you expect, never make assumptions.

2.10 Policy Properties, Controlling Implied Rules

Turning Implied Rules off

If you are using a combined Management/Firewall module installation you can turn off the implied rules for simple Firewall configurations without any problems.

If you are in a split environment then you will break Management to Firewall module communications and will not be able to install a new Security Policy.

Your rulebase should look something like the following, this is with the implied rules displayed and the Accept VPN-1 & Firewall-1 control connections turned off.

Install this Security Policy

This assumes you installed the software in a split environment, which is more interesting for learning.

The Security Policy install may appear to hang and you will not get the usual close button. The rules will have been successfully installed. To check, you could run the command ‘fw stat’ on the Firewall module and it will display the current Policy name and install time.

On the Management Server you would normally be able to run ‘fw stat fw.f16.com’ but the connection would be blocked in this case. In versions before NG FP2 the fw command applied to Firewall modules and Management Servers, FP2 split the command into fw for commands on a Firewall Module and fwm for commands on a Management Server.

The service CPD is used to install Policies, it is now no longer allowed between the Management and Firewall module and is being dropped. You will not be able to install a new Security Policy even if you set the VPN-1 control connections in the Global Properties.

Locked out of Policy Installs - Recovery Procedure

Make sure that you have ticked the VPN-1 control connections. Otherwise you will end up installing a Policy once and block the next install.

This will turn on all the implied rules.

You now need to install the Policy, but you cannot currently do that, since the installed rules drop all connections to the Firewall; that is the stealth rule at work.

You must unload the Security Policy on the Firewall module itself, not on the Management Server.

Log on to the Firewall module, open a command prompt and run the following command.

fw unload fw.f16.com
Note: This command is obsolete.
Calling "C:\WINNT\FW1\NG\bin\fwm unload fw.f16.com" instead

Uninstalling Policy From: fw.f16.com

VPN-1/FireWall-1 policy successfully uninstalled from fw.f16.com...

VPN-1/FireWall-1 policy Uninstallation complete

Note that from NG FP2 the command you should use is

fw unloadlocal

This unloads the Security Policy from the Firewall module. That means there is no Policy installed: connections cannot pass through the firewall, but they can be made to the firewall on any of its interfaces. Yes, it does matter that the firewall box runs a minimum set of services and that they are patched; while the Policy is unloaded the host itself is the point of exposure, which is why people like appliances, where the OS is stripped and secured.

Since there is no Policy you should now be able to install a new Policy on the Firewall module; go ahead and install your Policy.

If you want to load the Policy from the command line instead of through the GUI, you can use the following on the Management Server.

fwm load c:\winnt\fw1\ng\conf\mgmt-1.W fw.f16.com
mgmt-1.W: Security Policy Script generated into mgmt-1.pf
mgmt-1:
Compiled OK.

Installing Databases On: localhost
Database installed successfully on www-f16...
Database installation complete
Database installation Succeeded for:
www-f16

Installing VPN-1/FireWall-1 policy On: fw.f16.com ...
VPN-1/FireWall-1 policy installed successfully on fw.f16.com...
VPN-1/FireWall-1 policy installation complete
VPN-1/FireWall-1 policy installation Succeeded for:
fw.f16.com
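Before installing a Policy that switches the control-connection implied rules off, it is worth confirming from the Management Server that the module's control ports actually answer; after the recovery above, the same check confirms the fix. The following is an added example, not from the CoreFacts text and not a Check Point tool. The port numbers are the ones listed in the services table in section 2.11, and fw.f16.com is the book's example module name.

```python
"""Preflight check of the control ports between Management Server and Firewall module.

Added example: this is not from the CoreFacts text and not a Check Point tool.
A plain TCP connect is enough to tell the three cases apart: a port that
completes the handshake is 'open', one that answers with a reset is 'closed'
(nothing listening), and one that never answers is 'filtered', which is what a
stealth rule silently dropping the packet looks like from the outside.
"""
import socket

# Service name -> TCP port, from the VPN-1/Firewall-1 services table.
CONTROL_PORTS = {
    "FW1": 256,       # pre-NG policy installs
    "FW1_log": 257,   # module to Management Server log forwarding
    "CPMI": 18190,    # GUI client to Management Server
    "CPD": 18191,     # NG Management Server / Firewall module, used for policy installs
}


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unresolved' for host:port."""
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return "unresolved"
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError, OSError):
            # No SYN/ACK or reset within the timeout, or no route: treat as dropped.
            return "filtered"


def preflight(host, ports=CONTROL_PORTS, timeout=3.0):
    """Probe every control port on `host` and return {service_name: state}."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}


def safe_to_install(results):
    """An NG policy push needs CPD; without it the install hangs and you are locked out."""
    return results.get("CPD") == "open"


if __name__ == "__main__":
    module = "fw.f16.com"  # the book's example Firewall module; change to your own
    states = preflight(module)
    for name, state in states.items():
        print(f"{name:8} {CONTROL_PORTS[name]:6} {state}")
    if safe_to_install(states):
        print("CPD reachable: a Policy install can be pushed to", module)
    else:
        print("CPD not reachable: do not install a Policy you cannot push a fix over")
```

Run it from the Management Server before and after an install that touches the control connection rules. A 'filtered' CPD after the install is exactly the lock-out described above, and you are back to unloading the Policy at the module console.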

A rule that you may want to consider adding if you are installing Security Policies on remote Firewall modules is the following.

This has to come before the stealth rule that drops all packets to the firewall. It would allow you to Secure Shell to the firewall to perform the Policy unload without having to be physically at the module console. Keep the source restricted to your administration hosts rather than Any, since this rule is deliberately punching a hole in the stealth rule. It does assume that you have Secure Shell installed on the Firewall module, which may not be the case in Windows environments.

For Nokia firewalls you would need to configure and turn on the sshd package.

Your site Security Policy procedures may dictate that you must be physically at the console and remove all external cables before doing the Policy unload. Or you may have to bring down a perimeter router to prevent incoming connections until the unload and the new Policy install have been done.

Note that the log file will have recorded both the unload and the load, so you cannot hide it.

DNS as an Implied Rule

Most sites, since the Firewall is at the perimeter to the Internet, require DNS UDP (domain queries) through the Firewall.

The simple and usually incorrect way of doing this is to use the implied rules. If your technical support suggests that you should just turn on the implied DNS rules, either they do not know what they are doing, or they believe you do not and that it would be a technical headache to have to explain.

For clarity, but do not install the Security Policy, untick 'Accept VPN-1 & Firewall-1 control connections' in the Global Properties. This is just to reduce the number of rules you are looking at. Remember to set it again before you install a Policy.

You should now be back to the following.

In the Global Properties, Firewall-1 Implied Rules there are two settings that relate to DNS.

For your internal hosts to do DNS queries to external DNS servers, you need Domain Name Queries (UDP port 53). For external DNS servers to copy your zone records you need Domain Name Zone Transfer (TCP port 53).

Just so you are clear: you do not need to tick either of these on a live perimeter firewall; use explicit rules. Internal firewalls may be a different situation.

Here’s why you do not want to turn these on.

Turn them on and look at the implied rules that have just been added.

When you look at the rules, alarm bells should start immediately: the source and destination are Any. A rule with Source = Any, Destination = Any and Action = Accept should always set off alarm bells.

You might of course be thinking that since this is an Inspection Engine and it is 'protocol aware', nothing that was not DNS traffic would get through, so the risk is small. Maybe, but the only thing the Inspection Engine may be checking is the port number 53; you would only ever know by testing the port with tunnelled data. If you can tunnel any protocol through the port, then only the port details are being checked. There will be timeouts, fragmentation and overlap checks, but that is irrelevant if you can tunnel other protocols through it.

In this case you can tunnel anything over port 53; this may change for DNS UDP queries in NG FP3.

This would appear to be bad: traffic can go either way through the Firewall, and by default no logging is done for implied rules. For a large number of sites you probably cannot come in from the Internet on port 53 to just any host, because the perimeter router will have Access Control Lists restricting access to specific ports and hosts, port 53 among them. You may have no ACLs on your perimeter router; you need to know either way, because they can also interfere with services you want to allow. Perimeter routers are often owned and configured by your ISP.
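The test the paragraphs above are asking for, as an added example that is not part of the CoreFacts text: it builds a genuine DNS query by hand, sends it and then a plainly non-DNS payload to UDP port 53 through the firewall, and reports what comes back. It also carries the minimal checks a protocol-aware engine would apply to a UDP/53 query, so you can see the difference between 'port 53' and 'DNS'. The resolver address 192.0.2.53 and the name queried are placeholders.

```python
"""Is UDP/53 being inspected as DNS, or only matched on port number?

Added example, not from the CoreFacts text. build_query() produces a genuine
DNS query on the wire without a DNS library; looks_like_dns_query() applies
the minimal checks a protocol-aware inspector would make on a UDP/53 query;
run_tunnel_test() sends a real query and a junk payload through the firewall
and reports what came back. The resolver address and the name queried are
placeholders.
"""
import socket
import struct

MAX_UDP_DNS = 512                     # classic UDP DNS size limit (no EDNS0)
HOSTNAME_BYTES = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def build_query(name, qtype=1, txid=0x1234):
    """Wire form of a standard recursive query for `name` (qtype 1 = A record)."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)      # QCLASS = IN


def looks_like_dns_query(payload):
    """Return None if `payload` is a plausible DNS query, else the reason it is not."""
    if len(payload) < 12:
        return "shorter than a DNS header"
    if len(payload) > MAX_UDP_DNS:
        return "larger than 512 bytes"
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        return "QR bit set: a response, not a query"
    if (flags >> 11) & 0xF not in (0, 1, 2):          # QUERY, IQUERY, STATUS
        return "unknown opcode"
    if qd == 0:
        return "no question section"
    if an or ns:
        return "answer/authority records in a query"
    pos = 12
    for _ in range(qd):                               # walk each QNAME
        while True:
            if pos >= len(payload):
                return "question runs past end of packet"
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                return "compression pointer in a query name"
            if length > 63 or pos + length > len(payload):
                return "bad label length"
            if any(c not in HOSTNAME_BYTES for c in payload[pos:pos + length]):
                return "non-hostname bytes in label"
            pos += length
        if pos + 4 > len(payload):
            return "truncated QTYPE/QCLASS"
        pos += 4
    return None


def run_tunnel_test(resolver, name="www.example.com", timeout=3.0):
    """Send a real query and then junk to resolver:53; return {payload: outcome}."""
    probes = {"dns": build_query(name), "junk": b"GET / HTTP/1.0\r\n\r\n" * 4}
    outcome = {}
    for label, payload in probes.items():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(payload, (resolver, 53))
            try:
                data, _ = s.recvfrom(MAX_UDP_DNS)
                outcome[label] = f"{len(data)} bytes back"
            except (socket.timeout, TimeoutError):
                outcome[label] = "no reply"
            except (ConnectionResetError, ConnectionRefusedError):
                outcome[label] = "ICMP error back (the packet reached the host)"
    return outcome


if __name__ == "__main__":
    for payload, outcome in run_tunnel_test("192.0.2.53").items():   # placeholder resolver
        print(payload, "->", outcome)
```

If the junk payload gets an answer or an ICMP error back, it reached the far side and only the port was checked. If it gets no reply while the real query is answered, something dropped it, but that could be the resolver ignoring garbage rather than the firewall: confirm by looking for the junk packet in the firewall log, or point the test at a UDP listener you control on the far side of the firewall.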

Remember, implied rules exist to simplify configuration, and they usually provide wider access than required. This applies to anything that is a simplified configuration.

Unset the DNS implied rules and make sure Accept VPN-1/Firewall-1 control connections are allowed i.e. ticked.


Configuring DNS in a Live Environment

There is no single correct solution, but a common configuration for larger organisations would be the following. Actually, size has nothing to do with it; the security risk assessment and what you have to lose are the main considerations.

Two internal DNS servers, set to forward all unknown queries to the ISP DNS servers; all internal hosts resolve off the internal DNS servers.

A rule in the Security Policy would then only allow DNS queries from those internal DNS servers to specific destinations, for example.

The ISP can act as Primary and Secondary for your DNS records. They will only have to handle a few records, since your DNS only needs to advertise the Internet-visible Name/Address space, and for most organisations this is small.

As a minimum you could set all internal hosts to query the ISP DNS servers directly and add an appropriate rule.

If you are running a Primary DNS server at your site it will usually be located in the DMZ. It should not be located on the internal network, since everyone who wants to resolve your name space requires access to it.


2.11 Management/Firewall-1 Module communications and services

VPN-1/Firewall-1 Services - FW1

Service              Port/Transport  Description
FW1                  256/TCP         VPN-1 & FireWall-1 Service, Management to Firewall module policy installs pre-NG
FW1_log              257/TCP         VPN-1 & FireWall-1 Logs
FW1_mgmt             258/TCP         GUI client to Management Server (pre-NG)
FW1_clntauth_telnet  259/TCP         VPN-1 & FireWall-1 Client Authentication (Telnet)
FW1_snmp             260/UDP         VPN-1 & FireWall-1 SNMP Agent
FW1_snauth           261/TCP         VPN-1 & FireWall-1 Session Authentication
FW1_topo             264/TCP         VPN-1 SecuRemote Topology Requests
FW1_key              265/TCP         VPN-1 Public Key Transfer Protocol
FW1_clntauth_http    900/TCP         VPN-1 & FireWall-1 Client Authentication (HTTP)
FW1_Encapsulation    94/IP           VPN-1 SecuRemote FWZ Encapsulation Protocol
FW1_cvp              18181/TCP       OPSEC Content Vectoring Protocol
FW1_ufp              18182/TCP       OPSEC URL Filtering Protocol
FW1_sam              18183/TCP       OPSEC Suspicious Activity Monitor API
FW1_lea              18184/TCP       OPSEC Log Export API
FW1_omi              18185/TCP       OPSEC Objects Management Interface
FW1_omi-sic          18186/TCP       OPSEC Objects Management Interface with Secure Internal Communication
FW1_ela              18187/TCP       OPSEC Event Logging API
FW1_amon             18193/TCP       OPSEC Application Monitoring
FW1_pslogon          18207/TCP       Policy Server Logon protocol
FW1_CPRID            18208/TCP       Remote Installation Protocol
FW1_ica_pull         18210/TCP       Internal CA Pull Certificate Service
FW1_ica_push         18211/TCP       Internal CA Push Certificate Service
FW1_load_agent       18212/UDP       ConnectControl Load Agent
FW1_pslogon_NG       18231/TCP       NG Policy Server Logon protocol
FW1_sds_logon        18232/TCP       SecuRemote Distribution Server Protocol
FW1_scv_keep_alive   18233/UDP       SecureClient Verification Keepalive Protocol
tunnel_test          18234/TCP       Check Point tunnel testing application
FW1_ica_services     18264/TCP       Internal CA Fetch CRL and User Registration Services
FW1_netso            19190/TCP       User Authority simple protocol
FW1_uaa              19191/TCP       OPSEC User Authority API

Check Point Services - CP

Service              Port/Transport  Description
CPMI                 18190/TCP       GUI to Management Server Interface
CPD                  18191/TCP       Management Server/Firewall Module communication
CPD_amon             18192/TCP       Internal Application Monitoring
CP_rtm               18202/TCP       Real Time Monitoring
CP_reporting         18205/TCP       Reporting Client Protocol
CP_redundant         18221/TCP       Redundant Management Protocol
CP_Exnet_PK          18262/TCP       Extranet public key advertisement
CP_Exnet_resolve     18263/TCP       Extranet remote objects resolution


2.12 Stopping and Starting the Firewall

There may be times when you have to stop and start the firewall module or all processes related to Check Point. This is usually when something stops working or a configuration change requires the firewall to be 'bounced'.

fwstop/fwstart

In previous versions of Check Point VPN-1/Firewall-1 (pre-NG), the following commands would be used.

fwstop

fwstart

This will stop the firewall, flush any cached information, read the configuration files and start the Firewall module. Sometimes the module did not log and worked after a restart, or changing VPN configurations from FWZ to IKE did not take effect until an fwstop/fwstart. Sometimes it required a complete system reboot.

During an fwstop, the firewall box is vulnerable as there is no Policy installed, no packets can go through it but they can go to it.

In NG, extra options have been added to the fwstop command to protect the firewall box while the daemons are down. These are

fwstop -default

This stops the firewall processes and loads the default filter, a minimal Security Policy that allows Management Server control connections, so Policies can still be installed, and blocks all other traffic.

fwstop -proc

This stops the firewall processes but leaves the currently installed Security Policy loaded in the kernel. Accept, Drop and Reject rules continue to be enforced, but anything that needs the daemons, such as logging, authentication, encryption and the Security Servers, stops working until you run fwstart.

If you run 'fw stat' after 'fwstop -default', the status shows the defaultfilter policy installed.

The default filter was available in previous versions but buried in the documentation. You can create your own default filter with rules you create, instructions are in the Check Point Reference manual.

The correct way to 'bounce' the firewall in NG is

fwstop -default
fwstart

cpstop/cpstart

NG introduced the SVN Foundation, also known as CPShared; this is the module that sits between the OS and the Check Point components. The components can be VPN-1, Firewall-1, Floodgate, MetaIP or any other Check Point product. This provides a layered model that better suits security implementation, as the SVN module can provide controlled interaction with the OS.

The commands cpstop and cpstart will stop or start all Check Point components running on the box.

In some cases you may have to turn the VPN driver on/off

vpn drv off

vpn drv on

This is usually when changing from one VPN configuration to another, for example, two networks using IKE shared secrets changing to IKE certificates. If you do not stop and start the driver then they would continue using shared secrets. Alternatively you can just run fwstop/fwstart.


2.13 Security Policy & Rules Setup - Review Questions

1. When you first connect to the Management Server using the Policy Editor a Fingerprint is displayed this is used to.

A. Verify that the Firewall Module is authorised to communicate with the Management Server.

B. Verify that the user is authorised to connect to the Management Server.

C. Verify that the Management Server is the correct Management Server and not an imposter.

D. Verify that the GUI is a valid client to the Management Server.
E. Verify that the GUI executable is a valid version and is not a trojan.

2. In Global Security Policy Properties, if you uncheck ‘Accept VPN-1/Firewall-1 Control Connections’ you will break Management Server to Firewall Module communications. This option must always be left checked.

A. True
B. False

3. Implied rules are by default logged to the implied rules log file.

A. True
B. False

4. In most Security Policies a ‘Clean Up’ rule is added which is the last rule in the rulebase, this is because.

A. It is the only method of accepting packets that have not matched a previous rule.

B. It is the only method of rejecting or dropping packets with a destination of the firewall.

C. It is the only method of logging implied rules.
D. It is the only method of logging packets that have not matched any previous rule.
E. None of the above are correct.


5. The Stealth rule is used to ensure what.

A. That all packets with a destination of the firewall are accepted silently.

B. That all packets are checked for a stealth scan before being passed through the rulebase.

C. That all packets with a destination of the firewall will be dropped.
D. That all packets are watermarked to track which route they take in a HA environment.
E. That all packets with the stealth bit set are invisible to monitoring to prevent the log file from growing too large.

6. When defining objects like www.yourcity.com the ‘Get Address’ button does what.

A. An inverse address lookup to get the fully qualified domain name.
B. Finds the MAC address and IP address information needed for configuring Anti-Spoofing.
C. Uses the system setting for retrieving an IP address given a hostname.
D. Finds the address of the object by using NIS.
E. None of the above.

7. A VPN-1/Firewall-1 NG Security policy is NOT responsible for which of the following.

1. Enforcing rules in a specific order
2. Tracking user Authentication
3. Authenticating and Encrypting user connections
4. Tracking events and generating alerts
5. Tracking Operating System bugs

A. 1
B. 2
C. 3
D. 4
E. 5

8. Implicit rules are generic rules that are required by most VPN-1/Firewall-1 implementations.

A. True
B. False


9. You have three Firewall modules under the control of a single Management Station. The same implicit rules would be applied to all three Firewall modules.

A. True
B. False

10. The VPN-1/Firewall-1 NG Firewall consists of which components.

A. Policy Editor, Log Viewer, Status Viewer
B. Management Server, Firewall Module
C. Management Server, Firewall Module, Policy Editor
D. Firewall Module, Visual Policy Editor, Management Server
E. Firewall Module, Management Server, GUI Clients

11. A 25 user VPN-1/Firewall-1 NG module dynamically tracks the number of users going through the firewall and ensures that only 25 users are passing through the firewall at any one time even if you have 75 internal hosts.

A. True
B. False

12. In VPN-1/Firewall-1 NG licenses are always tied to the IP address of the Firewall Module.

A. True
B. False

13. You have a 50 user license for VPN-1/Firewall-1, where is the ‘external.if’ file located.

A. $FWDIR\database
B. $FWDIR\conf
C. $FWDIR\tmp
D. $FWDIR\lib
E. Not used in NG

14. When you Verify a Security Policy you are testing the rules will work as intended.

A. True
B. False


15. When you unload a Security Policy in NG by selecting Policy unload from the GUI the firewall is safe because a default Security Policy is installed which prevents all access except VPN-1/Firewall-1 Control connections.

A. True
B. False

16. During the installation of the Management Server you must add an administrator to allow GUI logins, the file that the administrator details are stored in is called.

A. fwauth
B. fwmusers
C. fwadmindb
D. fwdbadmin
E. Not used in NG

17. An Administrator with permissions set to read only is allowed to do which of the following.

1. View the log files.
2. View the Status.
3. Rotate and update log files.
4. Add a new network to the objects.
5. Install patches using SecureUpdate.

A. 1, 4
B. 1, 2, 4
C. 1, 3, 4
D. 1, 2
E. All of them

18. Changes made to the Security Policy do not take effect until which of the following takes place?

A. The Security Policy is Saved.
B. The Security Policy is Installed.
C. The Security Policy is Verified.
D. The firewall module is stopped and started, forcing a fetch of the new Security Policy.
E. The Management Server is stopped and restarted.


19. In VPN-1/Firewall-1 NG the rules can be enforced in an inbound, outbound or eitherbound direction depending on the setting in the Global Security Policy Properties.

A. True
B. False

20. The OSE module is used to install Security Policies on what kind of object.

A. Firewalls
B. Routers
C. Switches
D. Appliances
E. Not used for Security Policies

21. Security Policies are limited to how many rules in a single rulebase.

A. 200
B. 300
C. 400
D. 500
E. no limit

22. You have a large complex Security Policy that enforces rules on 4 different Firewall modules all under the control of the same Management Server. It is taking a long time to install the Security Policies. Which of the following are you most likely to take to reduce the time to install Security Policies in the future.

A. Delete all rules that involve domain objects.
B. Remove rules that use group objects and replace them with ungrouped objects.
C. Split the Security Policy into 4 different Policies to have a smaller rule set which can be installed individually on each module.
D. Upgrade the memory and processor on the Management Station.
E. Upgrade the memory and processor on all the firewall modules.

23. In a split Management & Firewall Module configuration in NG it is not possible to install a Security Policy that will prevent you from installing new Security Policies.

A. True
B. False


24. A Security Policy enforces rules based on which of the following

1. Authentication
2. Encryption
3. Drop
4. Reject
5. Pass Through

A. 1, 2, 4
B. 2, 3
C. 2, 3, 4, 5
D. 1, 2, 3, 4
E. All of the above

25. What does fw load do.

A. Loads the state tables into memory ready for accepting packets.
B. Loads the user database so users can be authenticated through the Management Server.
C. Loads the Security Policy on the specified firewall.
D. Loads the log files into the log consolidation engine.
E. Loads the Security Policy into the Policy Editor.

26. What does fw fetch do.

A. Fetches the last installed Security Policy from the Management Server; if it cannot connect to the Management Server, loads the last installed Security Policy.
B. Fetches the last installed Security Policy from the Firewall module.
C. Fetches the user authentication database.
D. Fetches the Security Policy and displays the rules in ASCII format to allow viewing from the command line.
E. Updates the currently installed Security Policy with any changes that have been made and is a method of auto-updating the Security Policy to make sure the latest modifications are installed.

27. When you do a cpstop command which of the following occurs.

A. The firewall module stops.
B. The SVN process stops and the firewall installs a default filter.
C. The VPN-1/Firewall service stops and a default filter is installed.
D. All services related to Check Point running on the Server are stopped.
E. The Floodgate and VPN-1/Firewall services are stopped.


28. When you do an ‘fwstop -default’ command which of the following occurs.

A. The firewall continues logging events but does not pass packets through the gateway.

B. The firewall stops logging events but does pass firewall administration traffic through the gateway.

C. The firewall drops all packets until you run the fwstart command.
D. The firewall will allow a new Security Policy to be loaded using the GUI.
E. None of the above happens.

29. When you install the Security Policy all information about current connections going through the firewall is cleared and packets must be rematched against the rulebase.

A. True
B. False

30. If you install the Security Policy and a time out error message appears then this means that the Security Policy did not get installed.

A. True
B. False

31. What command would you run to check the currently installed Security Policy.

A. fw ver
B. fw ver -k
C. fw stat
D. fw view
E. fw tab -t policy

32. In a split configuration when you need to check the currently installed Security Policy from the command line, this can be done.

A. From only the Firewall module.
B. From only the Management module.
C. From either the Management or Firewall module.
D. Never done from the command line; always use the GUI Status Viewer.
E. The Firewall module broadcasts its state to the Management Station(s) every 5 minutes with status information, and all the information required is held in $FWDIR\database\fwstatus.


33. Rules in a Security Policy can be in any order and changing their order will not affect the Security Policy.

A. True
B. False

34. When you save a Security Policy the file extension used for saved Security Policies is.

A. W
B. fws
C. pf
D. ndb
E. isp

35. If you have two firewalls and a single Management Station, each on separate workstations, how many objects with Firewall-1 Module installed will you have in your Objects database. Two other machines are going to be used as GUI clients.

A. 1
B. 2
C. 3
D. 4
E. 5

36. The Security Policy can have a maximum of how many rules.

A. 50
B. 100
C. 200
D. 400
E. unlimited

37. When using the Visual Policy Editor, what does the option Actualize Network do.

A. Tests network connectivity.
B. Connects the network to the Internet object in the Visual Policy Editor.
C. Creates the implied network object and adds the network to the objects database.
D. Displays the subnet mask associated with the network object.
E. Causes the network to flash in the Visual Policy Editor to highlight it.


38. In a distributed Management/ Firewall Module for an NG configuration, the administrator has un-checked Accept VPN-1/Firewall-1 Control connections. Which port number must be allowed to the Firewall to allow Policy installs.

A. 80
B. 256
C. 259
D. 900
E. None of the above

39. The default action for a packet that does not match a rule is?

A. Drop the packet and send an ICMP destination unreachable back to the client.
B. Drop the packet and send an ICMP port unreachable back to the client.
C. Drop the packet and send nothing back to the client.
D. Put the packet in a hold-for-refresh state table and watch for the next packet.
E. Drop the packet and mark the source as suspicious in the internal state tables.

40. When you perform a ‘fw fetch’ what can you expect from this command?

A. The Security Policy to be fetched from the Firewall module and installed.
B. The Security Policy to be fetched from the Management Station.
C. The INSPECT code to be compiled.
D. The objects.C and fwauth.NDB files to be downloaded to the Firewall module.
E. None of the above.

41. You have a split Management Server and Firewall Module each installed on separate workstations, how many copies of SVN foundation will you need to install? You are going to install two copies of the GUI on separate workstations.

A. 0
B. 1
C. 2
D. 3
E. 4
F. None of the above


3 System Manager and Log Viewer

Objectives

When you have completed this module you should be able to

• Use the Log Viewer.
• Use the System Manager.
• Know how to rotate log files.
• Know how to export log files for further analysis.
• Know how to display different log file views.
• Know how to search log entries using the Log Viewer.
• Know how to use Active Mode to block Intruder connections.
• Know the different states displayed in the Status Manager.
• Know how to set alert types in the Status Manager.


3.1 System Manager

This used to be called the System Status in previous versions but changed its name in NG FP2; it has developed into a useful tool for monitoring the status and OS information of Check Point and/or OPSEC components.

OPSEC Open Platform for Secure Enterprise Connectivity - see www.opsec.com, a Check Point web site. Over 200 third party vendors now have products that integrate into VPN-1/Firewall-1.

The Status Manager can either be started from the Windows menu or from another GUI client like the Policy Editor.

When it first starts it shows the Check Point and/or OPSEC components under its control.

Status Information

This shows that there is a Management Station and a Firewall module. Each component can be expanded to view the details of the SVN Foundation, Firewall module and VPN-1 component.

The details area shows the currently connected GUI clients. In this example the Management Station is not configured to synchronise its configuration with another (a secondary backup), that is, Management high availability (HA). HA for Management Stations allows another Management Server to take over Policy installs while the primary is being upgraded or is broken. In this case two clients are connected, the Policy Editor and the Status Manager, both by the administrator fwadmin. Generic named administrators are not good practice, but in a training/learning environment it is simpler. All changes are audited, and tracking who did what and when is meaningful only if each administrator has their own account name.

This shows the SVN Foundation details of the Firewall module, including the amount of disk space available. This is not especially important on the Firewall module, since logging is rarely done to the Firewall module, but the same information on the Management Station is useful. Alerts can be set when disk space reaches a specific value.

Policy Uninstalled State

If you unload the Security Policy from the Firewall module, either from the Policy Editor or at the command prompt, the Firewall status will change and a ! will be displayed.

The ! means that there is no Policy installed on the Firewall module. This is not a good status and immediate action is required, though the administrator probably did the uninstall, so it is likely to be just informative. It can also mean that the status of the object is problematic: the Status Manager cannot determine the full cause and further investigation is required.


Note, more than one administrator may be running the Status Manager and all connected Status Managers will display the same information.

To unload the policy you can use the command

fwm unload fw.f16.com

from the Management Station or

fw unloadlocal

from the Firewall module.

Disconnected State

If you disconnect the cable from the internal interface of the Firewall then the Management Station will lose connectivity to the Firewall module and display the disconnected icon, with a ? beside each component because the status is unknown.

The firewall, although disconnected from the Management Station, will continue to work; you just cannot install new Security Policies. The Firewall module will start to log locally; use fw log on the Firewall module to see the logged events.

If you reconnect the cable the status will update; this may take a few minutes. To force an update, highlight the component and click the second mouse button, which pops up an update option.

Note SVN Foundation is installed as a base for all Check Point components.

Use the online help to check the meaning of the other Status Icons.


3.2 Configuring Status Manager Alerts

The Status Manager can be configured to generate alerts of different types for specific events like Policy installs, uninstalls or disk space size.

The System Alert tab allows configuration of the type of event and type of alert generated.

The default setting is ‘Same as Global’, this means that whatever is set for Global event types and alert method will apply to each of the modules.

The ‘Global’ settings are.

Different event types apply to different components.

The alert type can be

• None - do not generate an alert
• Log - Generate an event in the log file
• Alert - Send an alert to the Status Manager with the event details
• Mail - Send an email containing the event details; the email command and address need to be correctly configured in the Policy Editor Global Properties - Log and Alert tab.
• Snmptrap - Where to send the trap is configured in the Log and Alert tab in Global Properties in the Policy Editor.

• User defined[1,2,3] - User defined scripts 1, 2, or 3 are configured in the Log and Alert tab in Global properties in the Policy Editor. Previous versions of VPN-1/Firewall-1 only allowed a single user defined script to be run.

Overriding the Global Setting

Individual settings for each component can be set, for example if you want a Mail alert each time the Policy is installed or uninstalled.

Highlight the Firewall icon and change the setting to Custom, then set the type of alert in the VPN-1 & Firewall-1 tab.

You would of course have to configure the mail command correctly in the Policy Editor, Global Properties - Log and Alert.

Note that the 'Policy has been installed' event only applies when there is no Policy installed. You will get an alert if you install a new Security Policy that changes the existing installed policy; this is different from previous versions, where policy overwrites did not generate an alert.

The Policy install event details will always be written to the log file.


3.3 Log Viewer

The Log Viewer is the main front end for viewing the logged events. Each record in the log file is a complete record of the event. The Log Viewer has different modes and pre-defined filters to view separate log details; alternatively you can filter for specific details.

If you need reporting and log analysis tools you could use

• Check Point Reporting Module.
• OPSEC Log and Analysis tools - www.opsec.com
• Dump the log file to a text file and write your own tools.

Logon

The Log Viewer can either be started from the Windows menu or from another GUI client like the Policy Editor or System Manager.

Log Viewer Modes

The Log Viewer has three modes, Log, Active and Audit, that can be switched between using the combo box.

Log

This view shows events for all products depending on the filter being used. The default view when started is the Log mode.

This displays different filtered views of the log file depending on the current pre-defined selection.


The different filtered views are set from the Selection menu or toolbar buttons.

These are pre-defined filters applied to the log file; you can create customised filters for your own use. The pre-defined filters are:

• General
• Firewall-1
• Account Management
• VPN-1
• Floodgate-1
• Virtual Link Monitoring
• SecureClient
• UA WebAccess

Active
The Active mode shows the current connections in the state table; some of these entries are not necessarily still active. They may relate to an http connection that has completed but has not yet expired from the state table, and the display takes time to update.


Audit
The Audit mode shows the GUI client interaction with the Management Server.

The audit events were integrated into the Log Viewer in NG; in previous versions this information was written to a plain text file in the log directory. In previous versions the Log Viewer had Log, Account and Active as its three display modes. Account information is now a pre-defined filter.

Searching
The Log Viewer is a table-format database and therefore any of its columns can be searched. You can search the columns by Number, by Date and/or Time, or by a search pattern.


Selections
If you want to view only specific records you can apply selection criteria.

By Product
Select to view records of a particular Product.

By Origin
Select to view records by Origin, useful if managing multiple Firewall modules. The Origin is the Firewall module that generated the event.

By Event Type
Select the type of event.


By Action
Select the type of Action.

By Service
Select the type of Service(s) to display; the selection can be negated to show everything except a specific service.

This is useful if you have not filtered out all nbname and nbdatagram events: select to show all protocols except these.

By Source/Destination
Select the Source or Destination to display.

You can type in an IP address, not just pre-defined objects, or use wild cards; for example 10.3.* would find all events in the 10.3.x.x network.


Selection Criteria - Toggle
Once you have set selection criteria you can toggle the display between showing and not showing the selection from the toolbar.

Resolve Addresses
The Log Viewer is notoriously slow at displaying records. This has been the case from way back and is down to the way the records are written and the cost of DNS inverse (reverse) address lookups.

A DNS forward lookup, given www.corefacts.com, will always find an IP address, providing the site wants to be found.

DNS inverse address lookups are an optional configuration: given an IP address, find a name. This is what makes the display of records slow. For services like smtp and ftp some sites will not allow the client application to connect unless the server can do an inverse address lookup on the connecting IP address. Although optional, reverse DNS should at least be configured for names that are visible to the Internet.

Every time a record is created it is the source and destination IP addresses that are written into the log record. When the record is displayed and Resolve Addresses is turned on, the Management Server does an inverse address lookup to find the name to display. The name may be in its own cache or in the cache of the local DNS server the Management Server resolves from, in which case the response is fast. The problem starts when no inverse address records exist and a large number of lookups are required.

The Management Server only resolves a page of information at a time, and the resolver page time out is 20 seconds by default. This means that if you press the page down key 4 times it could take 80 seconds to get to the page of interest.


Setting Resolver time out period

The resolver time out period is set in the Policy Editor in Global Properties.

You can usually reduce the time out period to 5 seconds if you have a good DNS server to resolve from. If the IP address cannot be resolved to a name within that period, the IP address is displayed instead of the hostname.

A side effect of resolving the addresses at the time of viewing is what happens when you look at last month's logs and the IP address has changed hands. It might have belonged to www.innocent.com but now belongs to www.ultrasexysex.com.
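An added example, not Check Point code, of what Resolve Addresses does per record: an inverse lookup that is abandoned after the resolver time out and replaced by the raw IP address, with a cache so the same page does not pay twice. socket.gethostbyaddr is the real lookup; PTR_TABLE and the stalling resolver are constructed so the example runs offline and stands in for a DNS server that has no PTR record for most addresses.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout
from typing import Callable, Dict, List, Optional, Tuple


def reverse_lookup(ip: str) -> str:
    """The real thing: a PTR lookup through the system resolver (no timeout of its own)."""
    return socket.gethostbyaddr(ip)[0]


def resolve_or_ip(ip: str, timeout_s: float,
                  resolver: Callable[[str], str] = reverse_lookup,
                  cache: Optional[Dict[str, str]] = None) -> str:
    """Return a name within timeout_s, otherwise the IP itself (what the Log Viewer shows)."""
    if cache is not None and ip in cache:
        return cache[ip]
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(resolver, ip)
    try:
        name = future.result(timeout=timeout_s)
    except (LookupTimeout, OSError):   # no answer in time, or no PTR record (socket.herror)
        name = ip
    finally:
        pool.shutdown(wait=False)      # do not block the display on a stalled lookup
    if cache is not None:
        cache[ip] = name
    return name


def render_page(ips: List[str], timeout_s: float,
                resolver: Callable[[str], str] = reverse_lookup,
                cache: Optional[Dict[str, str]] = None) -> Tuple[List[str], float]:
    """Resolve one page of records, as the Management Server does, and time the page."""
    start = time.monotonic()
    names = [resolve_or_ip(ip, timeout_s, resolver, cache) for ip in ips]
    return names, time.monotonic() - start


# Constructed stand-in for a DNS server: answers for two classroom hosts, stalls otherwise.
PTR_TABLE = {"10.3.3.1": "srv.f16.com", "192.168.22.103": "dmz.f16.com"}


def stalling_resolver(ip: str) -> str:
    """Constructed resolver: an address with no PTR record hangs, then fails."""
    if ip in PTR_TABLE:
        return PTR_TABLE[ip]
    time.sleep(1.0)
    raise socket.herror(1, "Unknown host")


if __name__ == "__main__":
    page_cache: Dict[str, str] = {}
    page = ["10.3.3.1", "172.23.3.31", "192.168.22.103", "172.23.3.40"]
    names, secs = render_page(page, 0.1, stalling_resolver, page_cache)
    print(names, f"{secs:.2f}s")   # two names, two raw IPs, roughly two time outs
    print(render_page(page, 0.1, stalling_resolver, page_cache)[1])  # cached: near zero
```

Each unresolvable address on a page costs one full time out, which is why a page of unknown Internet addresses with the 20 second default feels frozen, and why dropping the time out to a few seconds against a responsive DNS server helps far more than a faster workstation would.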


3.4 Block Intruder (Suspicious Activity Monitoring)
This is an OPSEC protocol (SAM) that Check Point introduced in version 4.x; it allows third-party products to communicate with the firewall and have it Drop/Reject connections when the product recognises an attack.

The Block Intruder function in the Log Viewer's Active mode is a sample implementation of the protocol and demonstrates its potential.

This will alter your Security Policy and, in some circumstances, if integrated with a third-party product, could result in a really good denial of service against your own site. For example, if the source address appears to come from a business partner and an attack is recognised, you could end up dropping legitimate packets. Automatic changes to a Security Policy are always tricky; it depends on what you have to lose if you do not react immediately. It may be appropriate for ecommerce servers but not for partner VPNs.

Block Intruder from within the Log Viewer

Block Intruder is accessed from the Log Viewer in Active mode. Note you must have resolve addresses turned on for block intruder to work from within the Log Viewer. Block Intruder can also be done through the command line using the ‘fw sam’ command.

If resolve addresses is not turned on you will get the following error.

Make sure you have a telnet or ftp session going through the firewall to your external server, www.server.com.

Make sure you have the System Manager GUI running as alerts will be sent to it every time you try to connect to the blocked destination until the blocking is cleared.

Log Viewer Telnet entry
Once you have a telnet connection, look at the Active mode in the Log Viewer; all connections have a connection id.


In previous versions of the Log Viewer you could double-click the log entry to bring up the Block Intruder dialog box; now you have to select Block Intruder from the Tools menu.

Note that there is also a Clear Blocking option; this clears all blocked connections, not just a single blocked request. This can also be done from the command line with:

fw sam -f All -D

This deletes all blocked connections on All firewalls; a specific target firewall could have been specified instead.

If you have not highlighted the telnet entry you will be asked for the connection id to block.

If you did highlight the connection, the Block Intruder dialog box will be displayed.

You can:
• Block only this connection
• Block from this source
• Block to the destination.


The time out period allows you to set how long the block will last.

For this blocking request, set the time out to 1 minute.

Select the OK to proceed with the block request.

Now try to make a telnet connection to the server; try several times. The Log Viewer in normal Log mode should display the attempts.

The Status Manager would display the alerts.

If you have blocked a source that you need to clear then you can use the Clear Blocking option in the tools menu. This clears all blocked connections.


The diagram below illustrates the interaction between the GUI (Log Viewer), Management Server and the Firewall Module.

The Management Station must be able to connect to the Firewall module on port 18183 (FW1_sam), this is one of the implied rules in NG FP2, but not in 4.x. If the Management Server and Firewall module are on the same box this will not be a problem.

1. The Log Viewer connects to the Management Server on port 18190 (CPMI), in 4.x this is port 258 (FW1_mgmt).

2. Display the Active mode connections and highlight the connection to block. Make the Block Intruder request. The request goes to the Management Server.

3. Management Server connects to the firewall on port 18183 (FW1_sam) with the block request details, source/destination Address, source/destination port, and time out period.

4. Firewall Module accepts the request and adds a SAM rule, which is not displayed in any Security Policy viewing area.

5. The current connection is blocked and its packets rejected.

6. New connection attempts are blocked by the SAM rule, and alerts are sent to the System Manager.
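The Block Intruder scopes (this connection, from this source, to the destination), the time out and Clear Blocking, modelled as an added Python example. This is not Check Point code and does not talk to a firewall: it keeps a SAM-style rule table in memory, checks constructed connection records against it ahead of the rulebase, and records the alert that would go to the System Manager. The address 172.23.3.10 for www.server.com is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Conn:
    """One entry as shown in the Log Viewer's Active mode (constructed data)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class SamRule:
    scope: str               # "connection", "source" or "destination"
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    expires: float           # absolute time (seconds) at which the block lapses

    def matches(self, c: Conn) -> bool:
        if self.scope == "connection":    # Block only this connection
            return (c.src, c.sport, c.dst, c.dport) == (self.src, self.sport, self.dst, self.dport)
        if self.scope == "source":        # Block from this source
            return c.src == self.src
        if self.scope == "destination":   # Block to the destination
            return c.dst == self.dst
        raise ValueError(f"unknown scope {self.scope!r}")


class SamTable:
    """SAM rules are checked before the Security Policy and never appear in the rulebase view."""

    def __init__(self) -> None:
        self.rules: List[SamRule] = []
        self.alerts: List[str] = []   # what the firewall would send to the System Manager

    def block(self, c: Conn, scope: str, timeout_s: int, now: float) -> SamRule:
        rule = SamRule(scope, c.src, c.sport, c.dst, c.dport, now + timeout_s)
        self.rules.append(rule)
        return rule

    def clear_all(self) -> None:
        """Clear Blocking in the Tools menu, or fw sam -f All -D: every rule goes."""
        self.rules.clear()

    def check(self, c: Conn, now: float) -> str:
        """Return 'drop' if a live SAM rule matches, else 'policy' (fall through to the rulebase)."""
        self.rules = [r for r in self.rules if r.expires > now]   # lapsed blocks disappear
        for r in self.rules:
            if r.matches(c):
                self.alerts.append(f"blocked {c.proto} {c.src}:{c.sport} -> {c.dst}:{c.dport}")
                return "drop"
        return "policy"


def demo() -> Tuple[str, str, str, str]:
    """The telnet walk-through above; returns the verdicts for the four attempts."""
    t0 = 1000.0
    telnet = Conn("10.3.3.31", 1034, "172.23.3.10", 23)
    table = SamTable()
    table.block(telnet, "connection", timeout_s=60, now=t0)
    same = table.check(telnet, t0 + 5)                                        # the blocked session
    retry = table.check(Conn("10.3.3.31", 1035, "172.23.3.10", 23), t0 + 5)  # a fresh telnet
    table.block(telnet, "source", timeout_s=60, now=t0 + 5)
    wider = table.check(Conn("10.3.3.31", 1036, "172.23.3.10", 80), t0 + 10)  # any service now
    lapsed = table.check(telnet, t0 + 70)                                      # both blocks timed out
    return same, retry, wider, lapsed


if __name__ == "__main__":
    print(demo())   # ('drop', 'policy', 'drop', 'policy')
```

Note the difference between the first two verdicts: a connection-scoped block stops only the tuple you highlighted, so a user who simply reconnects gets a new source port and goes straight back to the rulebase. Blocking from the source is what stops the retry, at the cost of blocking everything else from that address until the time out.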

Diagram (not reproduced): the GUI (Log Viewer in Active mode) sends the Block Request to Mgmt over 18190 (CPMI); Mgmt passes it to the FW over 18183 (SAM); the FW's rules check covers the SAM rules, Anti-Spoof and the Policy rules; telnetd is the destination being blocked.


3.5 Log Viewer & Status Manager - Review Questions

1. In NG the Log Viewer has three modes; these are:

A. Log, State, Active
B. Log, Audit, Active
C. Log, Status, Active
D. Account, Audit, Active
E. Security, Audit, Suspicious Activity

2. When in the Active mode you can use block connections to stop Suspicious Activity; an alternative way of doing this is to use which command?

A. fw kill
B. fw tab -t connection
C. fw sam
D. fw stop
E. fw xfer

3. When in the Active log and you block a connection with the default setting, which one of the following applies?

A. All connections to the destination IP address will be dropped.
B. All connections from the Source IP address will be blocked.
C. The current connection is blocked but new connections are allowed.
D. The current connection is blocked but new connections are allowed after a 60 second time out period.
E. All connections are blocked but new connections are allowed after a 60 second time out period.

4. You see a telnet connection going to the company web server from an internal host, and for security reasons you have told all web administrators to use Secure Shell and not telnet. You use block request from the Log Viewer to block the connection for 5 minutes from this source; this will:

A. Block the current telnet connection and any other telnet connections from this source.
B. Block the current telnet connection and any other connections from this source.
C. Block the current telnet connection and allow Secure Shell access.
D. Block all telnet connections to the web server.
E. Block all connections to the web server.


5. If you see ! against the Firewall-1 icon in the Status Manager, the most likely meaning is:

A. A Security Policy with a different name has been installed.
B. The Management Server and Firewall module have lost network connectivity.
C. The firewall has no policy installed.
D. The firewall has a policy installed and this is displaying the normal state.
E. None of the above.

6. You have a split Management Server and Firewall Module, network connectivity between the Management Server and firewall has failed. Which of the following statement would be true.

A. The firewall can no longer send log files to the Management Server and log events will be lost until the Management Server is back online.

B. The firewall will stop all traffic going through the firewall until logging ability is established.

C. The Management Server will issue a network broadcast to all administrators to inform them that the firewall module connectivity is lost.

D. The Firewall will start writing log files to a local log and continues working.

E. The Firewall will stop logging for 300 seconds then if it cannot establish connectivity with the Management Server will start to log locally.

7. In the Log Viewer, the Purge option in the File menu does what?

A. Removes the currently displayed entries from the log file.
B. Compresses the log files and removes all control events.
C. Stops logging to the current log file and starts a new log file.
D. Deletes all entries in the current log file.
E. Deletes all log files older than the ‘Keep log files for’ setting in the Policy Editor.


8. What does the ‘fw logswitch’ command do.

A. This will date stamp the current Security Policy and refresh the state tables.

B. This will date stamp the user authentication logs and start a new one.

C. This will date stamp the log files and start new ones.
D. This will date stamp and compress the log files.
E. This will dump the log files to a text file for post processing by a third party.

9. What does the ‘fw logexport’ command do?

A. Dumps the log files to Check Point log manager.
B. Exports the log files to a text file.
C. Exports the log environment variables so the log server knows which directory to put log files into.
D. Sets which Management Server will be the log server for this firewall.
E. None of the above.

10. The Log Viewer is notoriously slow to display log details (feature, not bug); what action would you take to speed up the display of log data?

A. Increase the memory in the Management Station.
B. Increase the Graphics card memory to speed up redisplays.
C. Disable resolve addresses.
D. Enable resolve addresses.
E. Add a rule to the rulebase to allow it to accept FW_log connections from DNS servers.


4 Anti-Spoofing & Services

Objectives

When you have completed this module you should be able to:

• Know the importance of configuring Anti-Spoofing.
• Know how to configure Anti-Spoofing.
• Know that not all pre-defined services extract session information.
• Know how to define new services: TCP, UDP, and type Other.
• Know how to tunnel services through open ports.
• Know how Stateful Inspection handles ICMP and UDP protocols with timeouts.
• Know the time out periods for TCP, UDP, ICMP.
• Know how to override the default time out periods.


4.1 Configuring Anti-Spoofing
This is IP address spoofing, not service (or port) spoofing, and it is explained here because it introduces a useful reminder about the details of TCP, UDP and ICMP sessions.

Port spoofing is simple to do and can be difficult to detect; detecting it is the job of a firewall (Stateful Inspection or otherwise), application proxies and Intrusion Detection Systems (IDS).

IP Spoofing
You can never simply trust the source IP address in an IP packet. That is why authentication systems like SecurID exist, and why client-to-server VPN implementations with certificate-based authentication are growing in popularity.

In the diagram shown below, to get a packet delivered from host A to the server 10.3.3.1 you need to send it to the firewall, and if the right rulebase is installed the packet will get through. It does not matter which type of service is used, TCP, UDP or ICMP; in the example shown you will not see the replies, because they would never be routed back through the firewall.

For TCP the worst you can do is a Denial of Service (DoS), and not much of one. For UDP you can send commands and hope to compromise the service.

The packet matches the rule in the rulebase since it is a fairly liberal rule that allows Any service, and no anti-spoofing has been configured on the gateway. The replies would of course be sent to an internal host, since that is the source address.

Diagram (not reproduced): host A on network 172.23.3.0/24 sends a packet with SRC 10.3.3.31 and DST 10.3.3.1 to the FW; the packet matches the rule ‘Net-10.3.3.0 Any Any Accept’ because no anti-spoofing is configured, and the replies go towards the 10.3.3.0/24 network, not back to A.


TCP Sessions
The TCP transport protocol carries session information as part of the protocol, used for re-sending lost or corrupt packets. The protocol keeps track of how many packets are sent and received. There is a setup, data (command) and close phase for every connection.

Before data (commands) can be sent the client must go through the setup phase. TCP sessions can be spoofed and stolen (that is why we have VPNs). With the introduction of Network Address Translation (NAT) on gateways it became a lot easier to spoof IP addresses.

UDP Sessions
The UDP transport protocol has no concept of how many packets it should receive or what order they should arrive in. The integrity of the data is left to the application, which must understand it and request that it be resent if necessary. The client does not know whether it has reached the server until it receives replies; it waits for a time out period and simply retries if it gets no reply.

Data (commands) can be sent as the very first packet. It is easy to spoof IP addresses and protocols when using UDP, as the server never checks who it is getting a connection from before accepting the data. It is up to the service being used to validate the data, whether through authentication, encryption or both.

Diagram (not reproduced):
TCP, Client and Server: Syn, Syn/Ack, Ack (Setup); Data, Ack (Data, commands); Fin, Ack (Close).
UDP, Client and Server: Data, Reply, Data, Reply (Data, commands), with no setup or close phase.


Anti-Spoofing
Anti-spoofing is configured as part of the Firewall object settings in the Topology tab.

If you have a combined Management/Firewall Module your configuration defaults may differ from those of a split environment. The details are the same, but in NG FP2 when you Get Interfaces the Policy Editor tries to guess which is the external interface and sets some defaults. The external interface will be set to the one carrying the IP address used in the definition of the firewall object.

At this point you should have a Security Policy that looks similar to the following; the implied rules are not shown, but for convenience Accept VPN-1/Firewall-1 control connections is turned on. If it is not, you will lock yourself out when you install this policy.

Topology of fw.f16.com
Edit your Firewall object and look at the Topology dialog.

When you first created the object you used Get Topology to fill in the interface details. If you do a Get Topology again you will lose any IP address anti-spoofing settings that were configured.

Not a problem in this case since it has not been set. If you add network cards to your firewall you will need to do the get topology or manually add the interface and set spoofing for the new interface.

Do a Get Topology now.


This may take over a minute.

The results are displayed; accept them, they can be edited later if necessary.

External Interface
Highlight the External network interface and edit the settings.

You are not going to change anything since the settings are correct in this example, just view the options.


Only one interface can be set to External; this is the interface that leads to the Internet, or to your largest group of networks if this is an internal firewall.

DMZ Interface
Highlight and select the DMZ network interface if you have one; that is the interface with address 192.168.22.103 in this example.

This is set to Network defined by this interface and IP address mask, which is correct for a single flat network on this interface. It is just the network and subnet mask associated with 192.168.22.103: network 192.168.22.0/24.

Internal Interface
The internal interface setting for the classroom/test configuration could be the same as the DMZ interface, because there is only a single flat network.

On a live firewall it is likely that more than one network resides internally, and you would have to create a group containing all the internal networks and use Specific, selecting the group.

In this case use Specific but select your internal network.

For Anti-Spoofing to become part of the Security Policy you must install the policy.

Testing Anti-Spoofing
Just because you have configured and installed the policy does not mean it is working the way you expect; you may have selected the wrong interface. In this case it will be correct, but the rule is TEST, TEST and TEST again. It is just as important to test that existing rules still work as it is to test the changes.

You’ll need a network tool that allows you to create packets with any source address.
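An added example, not Check Point code, of the check the Topology settings produce, run against constructed packets so you can see which ones are dropped before you reach for a packet-crafting tool. The three modes are those of the interface dialog: External, Network defined by the interface, and Specific with a group of networks. 10.3.3.0/24 and 192.168.22.0/24 are the classroom networks used above; the interface names, the external address 172.23.3.1 and the second internal network 10.4.4.0/24 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Interface:
    name: str
    address: str                     # address with mask, e.g. "10.3.3.254/24"
    mode: str                        # "External", "ByInterface" or "Specific"
    specific: Tuple[str, ...] = ()   # group members, used when mode == "Specific"


class AntiSpoof:
    """Which source addresses are legitimate on which interface, as the Topology tab defines it."""

    def __init__(self, interfaces: List[Interface]) -> None:
        if sum(1 for i in interfaces if i.mode == "External") != 1:
            raise ValueError("exactly one interface must be set to External")
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.behind: Dict[str, List[IPv4Net]] = {}   # networks expected behind each interface
        for i in interfaces:
            if i.mode == "ByInterface":              # Network defined by the interface and mask
                self.behind[i.name] = [ipaddress.ip_interface(i.address).network]
            elif i.mode == "Specific":               # a group object listing the networks
                self.behind[i.name] = [IPv4Net(n) for n in i.specific]
        # External accepts any source except those claimed by an internal or DMZ interface.
        self.internal: List[IPv4Net] = [n for nets in self.behind.values() for n in nets]

    def check(self, ingress: str, src: str) -> str:
        """Verdict for a packet with source src arriving on interface ingress."""
        ip = ipaddress.ip_address(src)
        if self.ifaces[ingress].mode == "External":
            ok = not any(ip in n for n in self.internal)
        else:
            ok = any(ip in n for n in self.behind[ingress])
        return "accept" if ok else "drop: spoofed"


def classroom_firewall() -> AntiSpoof:
    """fw.f16.com as configured above; the 10.4.4.0/24 member of the internal group is assumed."""
    return AntiSpoof([
        Interface("eth0", "172.23.3.1/24", "External"),                        # assumed address
        Interface("eth1", "192.168.22.103/24", "ByInterface"),                 # DMZ
        Interface("eth2", "10.3.3.254/24", "Specific", ("10.3.3.0/24", "10.4.4.0/24")),
    ])


if __name__ == "__main__":
    fw = classroom_firewall()
    # Constructed packets: host A's spoofed packet from the diagram, then genuine traffic.
    for ingress, src in [("eth0", "10.3.3.31"), ("eth0", "172.23.3.31"),
                         ("eth2", "10.4.4.9"), ("eth1", "10.3.3.31")]:
        print(f"{ingress} src={src:15} {fw.check(ingress, src)}")
```

The test worth doing after every topology change is the last case in the demo, a packet on the wrong interface: if the internal interface had been left on Network defined by the interface instead of the Specific group, hosts on 10.4.4.0/24 would be dropped as spoofed, which is the "selected the wrong setting" failure the text warns about and the reason existing traffic must be re-tested as well as the new rule.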


4.2 Predefined Services
A general guideline before you start adding lots of services to your firewall and letting users have access to chat and web services.

If you increase the number of services, sources and destinations you increase the security risk.

There is a balance between business requirements and security practice; make users justify why they need the service. That is part of the Site Security Policy's documented procedures.

The firewall is there to reduce the risks to an acceptable level, but it cannot fully eliminate them:

• It is a piece of software.
• It is designed to allow connections through it.
• It needs to be configured, and that depends on the experience of the administrator.

Question
In VPN-1/Firewall-1, do all pre-defined services have INSPECT code that extracts session or protocol information from the packets, to secure the service and stop data being tunnelled over open ports through the firewall?

Answer
No! There is no list anywhere of which services do and do not have INSPECT code that extracts session information. Check Point are hardly going to supply one stating that if service X is used then only the IP protocol number or TCP/UDP port number is checked. State information is kept for every session, but that is not the same as extracting protocol data (session details, even at a basic level) to check that the correct protocol is going through the right port number.

Check Point VPN-1/Firewall-1 will extract session information for many protocols but not all. The number of protocols for which session information is extracted increases with each release.

The only way to know for sure is to try to tunnel a protocol over the port you want to use; if it works, there is no INSPECT session protocol extraction going on. A service may use INSPECT but only do something if the right byte values are found.

This is nearly always an internal-to-external risk and applies to all firewalls. You could of course tunnel one protocol on top of another and satisfy the INSPECT or application proxy requirements. For the moment that is beyond most users, but not hackers, who will have written their own tools to do this. Check out http://www.http-tunnel.com: they have a commercial product that will tunnel TCP and UDP over http connections. Port 80 is becoming the ultimate tunnel since most sites allow it out.

Caution
Pre-defined services may be just a port number definition, or contain INSPECT code, or be a port number definition with more detailed INSPECT applied when you use the protocol.

Tunnelled Protocol Example
If you want to see a tunnelled protocol, install a telnet server listening on port 53 on your www.server.com box and add the following rule.

This example would also work with your existing rule 3, but an explicit rule with just domain_tcp in it illustrates the point more clearly, since you might be thinking that a defined service from the pre-defined list would do some protocol checking while Any might not. (It makes no difference: if there is INSPECT code behind the service it will be used for the appropriate port number whichever way the rule is written.)

Try telnet www.server.com 53; you should get a login prompt unless your telnet server is not listening on port 53. If you get no login prompt, try telnet 127.0.0.1 53 on the box running the telnet server.

The entry in the log file would look like a domain-tcp connection, not telnet; after all, it is going through port 53 (DNS).

This is an internal-to-external problem, since you would never have a rule that allowed incoming connections to controlled servers without knowing the integrity of the service being connected to. Unless of course you have turned on the implied DNS TCP rule, but you would not have done that.

Integrity of the service means you know it is a valid server that only works with the protocol intended and is not a trojan. You have control over this, ‘well sort of’, so it should not be a problem.

If you can trust your internal users and all internal hosts are guaranteed not to have trojans installed you do not have a problem. Just because you can do it does not necessarily mean you have a problem, only that it can be done.
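As an added example (not Check Point's INSPECT code), a minimal protocol check of the kind the Question and Answer above describes: it looks at the first bytes of a TCP port 53 stream and accepts only what frames as a DNS query, so the telnet-on-53 session above is flagged while a real domain-tcp query is not. A port-number-only service definition would log both as domain-tcp. All sample bytes are constructed here.

```python
import struct
from typing import Optional


def _qname_end(msg: bytes, off: int) -> Optional[int]:
    """Validate an uncompressed QNAME starting at off; return the offset after it, or None."""
    total = 0
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length > 63 or total + length + 1 > 255:   # RFC 1035 label and name limits
            return None
        total += length + 1
        off += 1 + length
    return None                                        # ran off the end without a terminator


def looks_like_dns_query(stream: bytes) -> bool:
    """True if the start of a TCP/53 stream frames a plausible standard DNS query."""
    if len(stream) < 2 + 12:
        return False
    (msg_len,) = struct.unpack("!H", stream[:2])       # RFC 1035 4.2.2 two-byte length prefix
    msg = stream[2:2 + msg_len]
    if msg_len < 12 or len(msg) != msg_len:
        return False
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if qr != 0 or opcode != 0:                          # a client sends standard queries
        return False
    if qdcount != 1 or ancount != 0 or nscount != 0:    # one question, no answer records
        return False
    end = _qname_end(msg, 12)
    if end is None or end + 4 > msg_len:
        return False
    qtype, qclass = struct.unpack("!HH", msg[end:end + 4])
    return qclass == 1 and qtype != 0                   # class IN; other classes would need adding


def classify_port53(stream: bytes) -> str:
    """What a protocol-aware check, rather than a port-only one, would log for this stream."""
    return "domain-tcp" if looks_like_dns_query(stream) else "not DNS on port 53 (tunnel?)"


def build_dns_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query for name, with the TCP length prefix."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


# Constructed samples of what the first bytes on port 53 look like.
DNS_QUERY = build_dns_query("www.server.com")
TELNET_NEGOTIATION = bytes([0xFF, 0xFD, 0x18, 0xFF, 0xFD, 0x20,      # IAC DO TTYPE, TSPEED,
                            0xFF, 0xFD, 0x23, 0xFF, 0xFD, 0x27])     # XDISPLOC, NEW-ENVIRON
HTTP_GET = b"GET / HTTP/1.0\r\nHost: www.server.com\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("dns", DNS_QUERY), ("telnet", TELNET_NEGOTIATION), ("http", HTTP_GET)]:
        print(f"{label:7} {classify_port53(sample)}")
```

This is exactly the "only do something if the right byte values are found" behaviour the Answer describes, and it has the same limit: a tunnel that wraps its payload inside well-formed DNS messages passes this check, which is why the text says the only way to be sure is to try the tunnel yourself and why port 80, with http-tunnel style products, has become the tunnel of choice.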


Adding Services
Add a rule to your Security Policy to allow http and ftp to your web server.

The add services dialog box has all the pre-defined services, over 150 of them.

The rule should look like the following.

Adding services is easy; just select the required service from the list.

Rule 4 is a bit liberal in that Any service can be used; give users an inch and they will take a mile. Always start with a strict, reduced set of services and add services as needed.

It is easier to add than take away.

Change your Anything outbound rule to allow only http, ftp and telnet.

Although telnet is frowned upon now since passwords are clear text and Secure Shell (ssh) would be better, for this environment it will not matter.

The Secure Shell server and client may not be installed in the classroom/test environment.


Your rules should look like the following.

Before you install and test your Security Policy you should be aware that installing it as it stands will break DNS host name resolution, since at the moment DNS is allowed through the Anything Outbound rule.

Since DNS is a service in continual use it is best positioned high in the rulebase. Remember that you do not really want to just turn on the implied DNS UDP setting in the Policy Global Properties.

Add a rule after the first rule to allow the internal networks access to the DNS servers. If you know what the servers are, create objects for them and add the rule.

Object DNS NS0/NS1
Create the DNS server Nodes.


With the DNS rule added your rulebase should look something like.

Install and test the Security Policy

You should be able to connect to the internal web server using ftp and http from an external host.

When adding and changing rules you should be beginning to see that although it is easy to do, care must be taken in case you prevent a service that was previously allowed.

With the number of rules in use at the moment, maintaining the Security Policy is easy; 40+ rules require more care and a good degree of familiarity with the network environment. Multiple firewalls in a single policy need even more care. Good documentation helps: did you remember to comment the rules?

4.3 Policy Properties - Stateful Inspection
Stateful Inspection builds virtual session information for connections that would not otherwise have connection details. Both UDP and ICMP are connectionless: they do not keep track of how many packets are sent or received, or whether all packets for a request have been completed. Neither protocol has any means of knowing when a session has ended, so the firewall adds timeouts to decide when to end the session.

Default timeouts and protocol settings can be set in the Global Properties, these settings apply to all firewalls under the control of the Management Server.


The timeouts for TCP and UDP services can be set for individual services in the advanced dialog box for each defined service.

• TCP time out is 3600 seconds
• UDP time out is 40 seconds

4.4 Creating New Services
Creating new services (port number definitions) is required when you have a service that is not one of the pre-defined services, or when the pre-defined service does not work with your client/server implementation.

In some cases the INSPECT code may be looking for details that are not present in the protocol exchange, and the connection fails. This is either an implementation problem with the client/server or with the INSPECT code, depending on who interpreted the RFC.

Sometimes you may have to tweak the INSPECT scripts to get your client/server implementation to work; this is usually documented in the FAQs somewhere, as someone has usually been there before you.


Create a Service
New services of the following types can be configured.

If you only want to view specific types of service, use the filter options.

TCP
Create a new TCP service called vidi_printer. There used to be a service called vidi_printer which displayed teletype information in a web page. Tunnelling over http replaced it because firewalls prevented user access to the service.

The advanced dialog allows individual time out settings for each protocol, this will override the Global setting in the Policy Properties.


In previous versions you needed to edit the INSPECT scripts to override the default time outs.

After creating the service you can use it in the rulebase. Remember that you have only defined a port number, and although the Inspection Engine will track the TCP connection it knows nothing about the vidi_printer protocol. This could be used to tunnel anything.

Use it with care and try not to have a rule like this, which would allow internal users to tunnel any protocol to Any destination through port 5150. Restrict the rule and the protocol's use to a known destination if possible.


UDP
Create a new UDP service on port 3130 called mytunnel_test.

Other
Service type Other is used for user-defined services where you might specify the source port a connection comes from, or the IP protocol number for a service that is carried directly over IP but is not already defined.

IP protocol numbers can be found at

• www.iana.org/assignments/protocol-numbers

Protocol port numbers for TCP and UDP services can be found at

• www.iana.org/assignments/port-numbers


Defining a service of type Other may simply result in anything being able to be tunnelled through your firewall using the IP header protocol number. As an example, you could define a service of type Other using IP protocol number 6 (TCP).

In a Security Policy you could then have the following rule. This is not a good thing to do, since specific services have already been defined and this will not work with all TCP services.

A service that definitely will not work correctly with this rule is ftp, or anything with reverse data connections that the Inspection Engine handles because of the protocol type.

The outgoing connection will work but any reverse data connections will fail; allowing them would be Stateful Inspection at work.

If possible you should always use the defined services and only resort to defining your own when all else fails, and then the rule should be from a known source to a known destination.

The following is a service that some administrators created to control UDP replies in early versions of Firewall-1. This is no longer needed.


Early versions of Firewall-1 had a single tick box to Accept UDP replies for every UDP protocol, even if you only used DNS queries. The dnsreplies service just allowed the administrator to add a rule that accepted anything from source port 53 (supposedly only DNS replies). This usually ended up more open than required, since depending on the Source the rule could let anything in.

The Inspection Engine handles UDP replies as a virtual stateful session; controlling the replies and where they come from is based on time outs. It may also extract session information from the replies.
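An added Python example, not Check Point code, of the virtual UDP session the Inspection Engine keeps with the 40 second default quoted above (3600 seconds for TCP), set beside a dnsreplies-style rule so the difference in what gets in is visible. ICMP is handled the same way with its own time out and is left out here. The packets, the DNS server address 172.23.3.53 and the outbound rule are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

DEFAULT_TIMEOUT_S = {"tcp": 3600, "udp": 40}   # Global Properties defaults quoted above

Key = Tuple[str, str, int, str, int]            # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def outbound_rule(pkt: Packet) -> bool:
    """Constructed stand-in for the DNS rule above: internal net to any DNS server on udp/53."""
    return pkt.proto == "udp" and pkt.dport == 53 and pkt.src.startswith("10.3.3.")


class StateTable:
    """Virtual sessions: created by an accepted outbound packet, kept alive by traffic, expired by time."""

    def __init__(self, timeouts: Dict[str, int] = DEFAULT_TIMEOUT_S) -> None:
        self.timeouts = dict(timeouts)
        self.sessions: Dict[Key, float] = {}     # session key -> expiry time

    def _expire(self, now: float) -> None:
        self.sessions = {k: t for k, t in self.sessions.items() if t > now}

    def outbound(self, pkt: Packet, now: float) -> str:
        """Internal to external: existing session, or a rulebase match that creates one."""
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.sessions or outbound_rule(pkt):
            self.sessions[key] = now + self.timeouts[pkt.proto]
            return "accept"
        return "drop"

    def inbound(self, pkt: Packet, now: float) -> str:
        """External to internal: accepted only as the reply to a live session, never by port alone."""
        self._expire(now)
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the request
        if key in self.sessions:
            self.sessions[key] = now + self.timeouts[pkt.proto]      # the reply refreshes the timer
            return "accept"
        return "drop"


def dnsreplies_rule(pkt: Packet) -> str:
    """The old dnsreplies service: anything arriving from udp source port 53 gets in."""
    return "accept" if pkt.proto == "udp" and pkt.sport == 53 else "drop"


if __name__ == "__main__":
    st = StateTable()
    query = Packet("udp", "10.3.3.31", 4000, "172.23.3.53", 53)
    reply = Packet("udp", "172.23.3.53", 53, "10.3.3.31", 4000)
    rogue = Packet("udp", "198.51.100.9", 53, "10.3.3.31", 4000)   # unsolicited, sport 53
    print("query   t=0 ", st.outbound(query, 0.0))
    print("reply   t=10", st.inbound(reply, 10.0))
    print("rogue   t=12", st.inbound(rogue, 12.0), "(dnsreplies would say", dnsreplies_rule(rogue) + ")")
    print("reply   t=55", st.inbound(reply, 55.0), "(session expired at t=50)")
```

The rogue packet is the whole argument against the dnsreplies service: the stateful table asks "did an internal host ask this server this question, and recently?", while a source-port rule asks only "is the source port 53?", which anyone can set.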


4.5 Anti-Spoofing & Services - Review Questions

1. Anti-Spoofing prevents which of the following.

A. The firewall from accepting packets that arrive on the internal interface with a source address of an internal network.

B. The firewall from accepting packets that arrive on the external interface with a source address of an external network.

C. The firewall from accepting packets that arrive on the external interface with a source address of an internal network.

D. The firewall from accepting stealth scan packets coming from tools like nmap.

E. The firewall from accepting packets on the internal network with an external destination address.

2. Given the following network diagram, what would the settings be for anti-spoofing?

The options for setting Anti-spoofing on each interface are shown in the dialog box below. What would be the correct setting for the firewall in the diagram?

[Network diagram: an external cloud labelled "It's a BadBad World" on External Net 172.21.1.0; the firewall fw.detroit.com with interfaces on 172.21.1.0, net-192.168.22.0 (where FW-Mgmt sits) and net-10.1.1.0; a Router leading to 10.2.2.0 and 10.3.3.0. Interface address labels .254 and .1 appear on the diagram.]


A. 172.21.1.254 set to External, 192.168.22.254 set to Network defined by Interface, 10.1.1.254 set to Network defined by Interface.

B. 172.21.1.1 set to Specific, 192.168.22.254 set to specific, 10.1.1.254 set to Network defined by Interface.

C. 172.21.1.1 set to Network defined by Interface, 10.1.1.254 set to External, 192.168.22.254 set to specific.

D. Network 172.21.1.1 set to External, 192.168.22.254 set to Network defined by Interface, 10.1.1.254 set to Specific containing a group that has all internal networks.

E. None of the above are correct.

3. The default time out for an established TCP connection is:

A. 50 Milli-Seconds

B. 1 Second

C. 60 Seconds

D. 3600 Seconds

E. Infinite

4. When using a Stateful Inspection engine like VPN-1/Firewall-1 NG it is not possible to tunnel protocols through port numbers like port 53 because Stateful Inspection checks protocol details for all protocols.

A. True

B. False


5. For a TCP session, the default time out that the Inspection Engine will wait for an Ack packet in reply to a Syn/Ack at the start of the session is:

A. 50 Milli-Seconds

B. 1 Second

C. 60 Seconds

D. 3600 Seconds

E. Infinite

6. When defining a new TCP service in the Advanced Service Properties the option ‘Match for Any’ means.

A. Ignore Stateful Inspection session information for this service, even if it is available.

B. If this service is used in the rule then match for any service to the source or destination.

C. If the service is Any in the rule then use this service definition in the rule and not any other service associated with the same port number.

D. Match the service for any service using this port number regardless of the type of transport session being used.

E. Only match the first packet of a session to test against the rules, all other packets are assumed to be part of the established connection from then on.

7. The default time out period for UDP sessions is.

A. 10 Seconds

B. 40 Seconds

C. 3600 Seconds

D. 180 Seconds

E. 50 Milli-Seconds

8. The most secure method of allowing DNS queries from Internal hosts to external DNS servers is to turn on the Implied rule for Domain UDP.

A. True

B. False


9. You run the weekly firewall audit tools against the firewall from the external side, and you see in the log file that an IP-spoofed packet was accepted by the firewall. You know from last week's records that Anti-spoofing was working correctly and rejecting the packets. Which of the following is the most likely cause, given that the Firewall module and Management Server are on the same box?

A. Your colleague has done a Get Topology request on the firewall object which gets the interface details and deletes any existing Anti-spoof configuration and they did not reset it.

B. Someone has run the command fwstop -default and the Inspection Engine is currently not doing Anti-spoofing.

C. The spoof packet matched the first rule in the rulebase which comes before Anti-spoof checking so it was allowed.

D. The rulebase included encryption rules that were added during the week and Anti-spoofing does not work if encryption rules exist.

E. The setting for External (leads out to the Internet) has been set wrong and is the Internal interface not the external IP address.

10. You are having problems with a UDP service on port 3130; the client/server communication never seems to complete reliably and you suspect network and server latency to be the problem. Which of the following would you most likely do?

A. Tell the users that this protocol is broken going through the firewall and they cannot use it.

B. Tell the administrator of the server that they will need to upgrade the hardware of the server as the time outs for replies are excessive.

C. Edit the Global Properties and increase the UDP time out period.

D. Edit the virtual time out period for the service on port 3130 and increase it.

E. Position the rule higher in the rulebase and try using the service again.


5 Working with the Security Policy

Objectives

When you have completed this module you should be able to

• Know how revision control works.
• Use a sensible Security Policy naming convention.
• Know how to view the installed policy compared to the saved policy file.
• Know how to hide rules.
• Know how to use rule masks and searches.
• Know basic performance guidelines.
• Know how to uninstall the Security Policy and the consequences.
• Add Firewall administrators that can use strong authentication, like certificates and SecurID.

Working with the Security Policy

5.1 Revision Control

Keeping control of which version of the Security Policy is installed, and following a naming convention, simplifies Security Policy changes.

In VPN-1/Firewall-1 prior to NG FP2 there was no Revision Control method other than manually adding a date and time stamp every time you changed the Policy.

Administrators usually open the policy, do a Save As, and use a filename with the current date and time, i.e. fw16-Jun212002-1545:

Firewall: fw16
Date of policy change: Jun 21st 2002
Time of policy change: 3:45 PM

If you have Management Stations in multiple countries then time zones need to be considered. Work with a single central time, GMT only, or use a different naming convention.

Log files would also be switched when the new Policy was installed; that kept the rule numbers in the log file and the Security Policy synchronised.

If you have a policy with 6 rules, rule 4 may allow, and show in the log file, access attempts to your http and ftp servers; if you add a rule before rule 4, the log file entries for the same events will now show rule 5.

If you change your policy by adding new rules it is a good idea to rotate the log files at the same time. You can then open the Policy file that relates to the log file and, when looking at a log entry, match the event to the rule that allowed it.
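As an added illustration (not from the book or from Check Point), the following Python builds GMT-based policy file names of the form described above and resolves a logged rule number against the policy version that was installed when the entry was logged. The policy versions, install times and rule names are constructed for the example; the second version has a rule inserted above the old rule 4, which is exactly the case where a rule number in a log file only makes sense together with the policy that was in force.

```python
from datetime import datetime, timezone

def policy_file_name(firewall, changed_at):
    """Name a saved policy <firewall>-<MonDDYYYY>-<HHMM>, e.g. fw16-Jun212002-1545.
    changed_at is an ISO 8601 timestamp with a UTC offset; it is converted to GMT so
    that Management Stations in different time zones never produce clashing names."""
    utc = datetime.fromisoformat(changed_at).astimezone(timezone.utc)
    return f"{firewall}-{utc.strftime('%b%d%Y-%H%M')}"

# Constructed policy history (not the book's lab policy). Each entry is a saved
# policy file, when it was installed (GMT) and its rules in Policy Editor order.
POLICY_VERSIONS = [
    {"name": "fw16-Jun212002-1545", "installed": "2002-06-21T15:45:00+00:00",
     "rules": ["mgmt", "stealth", "dns-out", "web-ftp-servers", "smtp", "cleanup"]},
    # A partner VPN rule was inserted above the old rule 4: every rule below it moves down one.
    {"name": "fw16-Jun242002-0910", "installed": "2002-06-24T09:10:00+00:00",
     "rules": ["mgmt", "stealth", "dns-out", "vpn-partner", "web-ftp-servers", "smtp", "cleanup"]},
]

def policy_in_force(versions, at):
    """The most recently installed version at timestamp `at` (ISO 8601 with offset)."""
    when = datetime.fromisoformat(at)
    installed = [v for v in versions if datetime.fromisoformat(v["installed"]) <= when]
    if not installed:
        raise ValueError(f"no policy had been installed by {at}")
    return max(installed, key=lambda v: datetime.fromisoformat(v["installed"]))

def rule_for_log_entry(versions, logged_at, rule_number):
    """Translate the rule number in a log entry into (policy file, rule) as of that moment.
    Rotating the log file with each policy install is what makes this lookup trivial by hand."""
    policy = policy_in_force(versions, logged_at)
    if not 1 <= rule_number <= len(policy["rules"]):
        raise ValueError(f"rule {rule_number} does not exist in {policy['name']}")
    return policy["name"], policy["rules"][rule_number - 1]

if __name__ == "__main__":
    print(policy_file_name("fw16", "2002-06-21T11:45:00-04:00"))   # same name as 15:45 GMT
    for logged_at in ("2002-06-22T08:00:00+00:00", "2002-06-25T08:00:00+00:00"):
        print(logged_at, "rule 4 ->", rule_for_log_entry(POLICY_VERSIONS, logged_at, 4))
```

The same "rule 4" resolves to the web/ftp rule on 22 June and to the partner VPN rule on 25 June; without the install time (or a rotated log named after the policy) the two cannot be told apart.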

In NG FP2, revision control has been added. This allows a new Revision Version of the Policy to be created when you make changes to the Security Policy.

Revision Control is accessed from the File menu or the toolbar.


To create a Revision Controlled Policy select - Create.

You must save the current Security Policy settings before creating a Revision Controlled version.

Provide the Policy version with a name and comment, it does not have to be the same as the Policy name.


You are now working with Version 1 of this Policy.

Changes to your Policy Make a simple change to your Security Policy and create a new version. Your policy should look similar to the following at the moment.

Create a group object called ISP_dns_servers and change rule 3 to the following.

Creating a Group Create the Group


Modify the Rule

Before you install the Security Policy you need to create a new version. Perhaps in future versions this will be done automatically, but for now you have to do it manually.

If you get an error when creating the new version it will be because you have not made any changes; this should not happen here since you have just modified a rule. New versions can be created not only for rule changes but for changes to any service or other dialog box setting in the Policy Editor.

Revision database files are stored on the Management Station

Install the new Security Policy.

To revert back to the old policy you can use the Show Version, then install the Policy. Well, actually you cannot do that in FP2 but you can in FP3. FP2 only lets you take snapshots of the Security Policy Configuration.


Viewing the Installed Policy In NG FP2 you can view the policy that is currently installed on a firewall module.

The policy you are editing may not be the policy that is installed. This may not always be clear when you open the Policy Editor, as someone may have made changes to the policy and saved them but not installed them.

You could use the Status Manager to see when the policy was last installed and compare that with the date and time stamp the OS gave the Security Policy file when it was saved.

5.2 Hiding Rules

When working with a small rulebase the ability to hide rules may not appear useful; however, when you are dealing with a single policy managing multiple Firewalls the rules soon exceed the available viewing area.

The average rulebase, excluding the implied rules if turned on, is between 18 - 30 rules and for some sites 10 rules may be adequate. Some administrators may chuckle at that since they may have over 200 rules.

There is no limit to the number of objects you can create or the rules that a Security Policy may have.


Our rulebase only has 6 rules, so hiding rules may seem trivial, but knowing you can do it will at some time be useful.

The current rulebase should look similar to the following.

Hiding a Rule To hide a rule use one of the menu options, or Select the rule then use the popup menu.

It does not matter which rule you hide for this example.

Rule numbers are still consistent with the number of rules and if you install the Security Policy then hidden rules still get installed as part of the Policy.


Viewing Hidden Rules When working with a Security Policy you may have hidden several rules to allow yourself to focus on a specific group of rules. To view the hidden rule(s) use View Hidden; this acts as a toggle between viewing and not viewing them.

Unhiding Rules To unhide a single rule you can double click on the hidden rule.

To unhide all hidden rules use the menu option.

5.3 Rule Masks and Searches

With a large rulebase you may want to find the rules that contain particular network objects or services. This can be done using the Query Column...


For example you may want to find every rule that has the firewall as a destination.

This displays all rules that contain the Firewall object but also any rule that has Any since this is a group that contains all objects and could apply.

To only show rules with the specific object requested.

The result excludes group objects.


5.4 Disabling Rules

Disabling a rule takes it out of the Security Policy that is being installed but leaves it in the rulebase for future use. This is like commenting out a section of code before you compile the program: it is still there but not used in this version.

You can use the Shift key to select more than one rule at a time and disable them all.

Remember to tidy up disabled rules. If you have multiple administrators it is easy to end up with a Security Policy that has many disabled rules, each administrator being unsure whether they can delete the disabled rules.

The Disable Rule menu option is a toggle: select it once to disable and again to enable.

You do not want any of your current rules disabled, so enable the selected rules if you disabled them.

Disabling a rule does not take effect until the policy is installed.

5.5 Uninstalling the Security Policy

You do not normally have to uninstall the Security Policy; you just make changes and install the new Policy.

If you must uninstall the policy you can do this from the menu. Be careful: the Install and Uninstall options are right next to each other and the dialog boxes look very similar.


Install and Uninstall dialog boxes

You will soon realise if you make a mistake, everyone will start complaining the Internet is down. You might also realise that the normal Security Policy compilation messages did not appear.

5.6 Basic Performance Guidelines

Hosts file Object creation and Security Policy compilation are helped if the Management Station has a hosts file with the names of all the objects you create in the Policy Editor. At the least, make sure the names are resolvable, which could be through an internal DNS server.

DNS lookup The Management Server does a large number of DNS lookups, so make sure it resolves from an efficient DNS server. This also helps when viewing the log file with Resolve Addresses on.

Log Viewer Resolve Addresses

To increase the display performance of the Log Viewer switch off Resolve Addresses.

Module Performance The VPN-1/Firewall-1 performance depends on the hardware, OS, Security Policy, network bandwidth and network traffic characteristics.

Simple Rulebase The rulebase is essentially an if-then-else ladder: the more rules, the more steps to drop through. Note that the number of rules is not normally an issue, since the Firewall throughput even with a large number of rules often outstrips the network bandwidth available; this is especially true for the Internet. Not all firewalls lead to the Internet, and bandwidth may exceed the available throughput, in which case load sharing/balancing should be considered.


Rule Order In some cases, when using large rulebases, positioning the most commonly matched rules, like DNS and SMTP, higher in the rulebase will increase throughput.

Rule Number Keep the rules to a minimum.

Use of Groups Use groups not individual workstations. A network is a group that contains all workstations, may not be exactly what you want but it is efficient.

Group services together instead of adding them individually

Services Do not add services if they are not used, why have gopher, archie, finger if the rule is never matched on that service. This would just be another service to test against before dropping through to the next rule.

Appliance specific features Nokia Flows, and RapidStream Cut Through, will both increase the packet throughput. FASTPATH for TCP services is no longer available for NG at FP2, not recommended anyway unless desperate for throughput.

Logging Only log what you need to log, your email and web servers have their own log files and usually provide more information.

Log the interesting events, like drops and rejects, not day-to-day http traffic; this will be determined by your Site Security Policy, and in some cases every event may have to be logged. Use an internal caching proxy server, then all the links users access will be available from it. You will probably get better log analysis as well.

Active This requires the firewall module to track session times and packet counts for every session, CPU usage will increase.

Accounting This will require the firewall to keep track of the amount of packets passing through a particular session, for a busy firewall CPU usage will increase.
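The Query Column behaviour in 5.3 (a group object, or Any, also matches because it contains the object) and the if-then-else ladder described under Simple Rulebase and Rule Order can both be seen in a small model. The Python below is an added example, not Check Point code: it uses constructed objects, groups, a six-rule policy and a traffic sample, walks the rulebase top-down counting the rules tested, moves the DNS rule up, and checks that the sample traffic still gets the same decisions, since reordering only helps if it does not change what is accepted or dropped. Disabled rules are skipped, as they would be once the policy is installed.

```python
from copy import deepcopy

# Constructed objects and groups (not the book's lab objects); groups may nest.
GROUPS = {
    "internal_nets": {"net-10.1.1.0", "net-192.168.22.0"},
    "dmz_servers": {"www", "ftp-srv", "mail"},
    "ISP_dns_servers": {"dns1", "dns2"},
    "web_services": {"http", "https"},
}

def members(obj):
    """Expand a group, recursively, to the leaf objects it contains; a plain object is itself."""
    if obj not in GROUPS:
        return {obj}
    leaves = set()
    for member in GROUPS[obj]:
        leaves |= members(member)
    return leaves

def covers(cell, obj):
    """True if a rule cell (an object, a group, or Any) applies to the leaf object obj."""
    return cell == "Any" or obj in members(cell)

# Constructed six-rule policy in Policy Editor order (top rule first).
RULES = [
    {"name": "mgmt",    "src": "FW-Mgmt",       "dst": "fw",              "svc": "Any",          "action": "accept"},
    {"name": "stealth", "src": "Any",           "dst": "fw",              "svc": "Any",          "action": "drop"},
    {"name": "web",     "src": "Any",           "dst": "dmz_servers",     "svc": "web_services", "action": "accept"},
    {"name": "smtp",    "src": "Any",           "dst": "mail",            "svc": "smtp",         "action": "accept"},
    {"name": "dns-out", "src": "internal_nets", "dst": "ISP_dns_servers", "svc": "domain-udp",   "action": "accept"},
    {"name": "cleanup", "src": "Any",           "dst": "Any",             "svc": "Any",          "action": "drop"},
]

def first_match(rules, src, dst, svc):
    """Top-down first match. Returns (matching rule or None, number of rules tested)."""
    tested = 0
    for rule in rules:
        if rule.get("disabled"):
            continue                    # a disabled rule is not compiled into the installed policy
        tested += 1
        if covers(rule["src"], src) and covers(rule["dst"], dst) and covers(rule["svc"], svc):
            return rule, tested
    return None, tested                 # only possible if the cleanup rule is missing or disabled

def decisions(rules, traffic):
    """Action taken for each packet in the sample; used to compare two rule orders."""
    result = []
    for packet in traffic:
        rule, _ = first_match(rules, *packet)
        result.append(rule["action"] if rule else "no-match")
    return result

def comparisons(rules, traffic):
    """Rules tested over the whole sample: the cost of dropping through the ladder."""
    return sum(first_match(rules, *packet)[1] for packet in traffic)

def move_rule(rules, name, position):
    """Copy of the rulebase with rule `name` moved to the given 1-based position."""
    rule = next(r for r in rules if r["name"] == name)
    rest = [r for r in rules if r["name"] != name]
    return rest[:position - 1] + [rule] + rest[position - 1:]

def set_disabled(rules, name, disabled=True):
    """Copy of the rulebase with rule `name` marked disabled (or re-enabled)."""
    out = deepcopy(rules)
    for rule in out:
        if rule["name"] == name:
            rule["disabled"] = disabled
    return out

def query_column(rules, column, obj, exact=False):
    """Query Column: rules whose cell covers obj. Groups and Any qualify because they contain
    the object; exact=True keeps only cells that name the object itself."""
    if exact:
        return [r for r in rules if r[column] == obj]
    return [r for r in rules if covers(r[column], obj)]

# Constructed traffic sample as (src, dst, service); DNS dominates, as it commonly does.
TRAFFIC = ([("net-10.1.1.0", "dns1", "domain-udp")] * 5
           + [("ext-host", "www", "http")] * 2
           + [("ext-host", "mail", "smtp"), ("ext-host", "www", "telnet")])

REORDERED = move_rule(RULES, "dns-out", 3)   # DNS rule moved up, just below the stealth rule

if __name__ == "__main__":
    print("rules tested, original order:", comparisons(RULES, TRAFFIC))
    print("rules tested, DNS rule moved up:", comparisons(REORDERED, TRAFFIC))
    print("same decisions:", decisions(RULES, TRAFFIC) == decisions(REORDERED, TRAFFIC))
    print("rules with fw as destination:", [r["name"] for r in query_column(RULES, "dst", "fw")])
```

On this sample the move cuts the rules tested from 41 to 34 without changing a single decision. The equivalence check is the part worth keeping: a rule moved above one it overlaps with can silently change what is allowed, which is a far bigger problem than a few extra comparisons.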


5.7 Multiple Firewall Administrators and Authentication Methods

Every administrator should have their own account name; generic accounts, although convenient, do not allow audit tracking of individual administrator actions.

There are two places where Firewall administrator accounts can be created:

• Management Configuration Tool - Administrators
• Policy Editor - Manage -> Users & Administrators

Management Configuration Tool

On the Management Station console, start the Check Point Configuration Tool from the Windows Start menu. On Unix systems type cpconfig and use the simple ASCII menu to select adding an administrator. You can also directly edit the gui-clients file.

To modify administrator details from the command line you can use

fwm -a

Administrator accounts created using the configuration tool use simple reusable passwords with no strong authentication.

fwmusers The administrators created using the configuration tool are stored in a file $FWDIR\NG\conf\fwmusers.

You must have at least one administrator account in this file; it is created during the Management Server install.

On the Management Station


From NG FP2 onwards firewall administrators can be created from within the Policy Editor and additional administrators no longer need to be created with the Configuration Tool. Only one account needs to be in fwmusers and it is created during the Management Server install. In fact once you have created administrator accounts in the Policy Editor you could delete the account in the fwmusers file and always use the strong authentication.

Policy Editor - Manage -> Users & Administrators

Creating an Administrator account in the Manage -> Users & Administrators allows accounts to be created that use strong authentication or certificates.

The account information is stored in the fwauth.NDB database file which also stores the user account information for authenticating users through the firewall.

Create an administrator account

User accounts

General details Provide a user name for this account. It cannot be the same as a user name that is stored in the fwmusers file, because the fwmusers file takes precedence.


Account Profile Create a new account profile, this will set the GUI clients and permissions that this administrator will be able to have access to.

This is a Read/Write account and full access to all clients needs to be set. In larger enterprises with multiple administrators, restricted access can be set, limiting the user to specific GUI clients. For example, an administrator may not be qualified to use Floodgate-1 (QoS Policy) because they have not completed training or done the Check Point certification.


Select the type of authentication to be used. VPN-1/Firewall-1 Password and OS Password are no better than using the fwmusers file. SecurID, or another two-factor authentication scheme integrated with a RADIUS server, is the ideal choice. RADIUS requires a RADIUS server and SecurID requires an ACE server.

Authentication Schemes For this example you are going to use Admin Certificates, so leave the Admin Auth scheme set to Undefined.


Administrator Certificate Generate a new certificate for this administrator.

You cannot undo the certificate creation, but you can revoke the certificate. Revoking it would have to be done if the administrator was no longer responsible for firewall administration.

Certificate Password In order to protect the certificate a password is required. Enter a password. Do not forget it, you would have to revoke the certificate and issue a new one if you do.

The certificate will be created and stored in the InternalCA.

The certificate will be saved to your local disk, this would be the PC you will be using the GUI client from.


Before you create any certificates make sure the hostname of the Management Station is resolvable and has the correct DNS domain settings.

The new firewall administrator will be added, the icon has a crown to distinguish them from other user accounts.

Install User Database Install the user database on both the Firewall and Management Server, this example is a split Management/Firewall module configuration.


Test Admin Certificate login To test the new administrator account, exit the Policy Editor and login using the certificate you saved to your local disk.

Select the certificate you want to use.


Type in the password, if you forget it you will not be able to use the certificate.


5.8 Working With the Security Policy - Review Questions

1. Rule masks allow administrators to:

A. Create search criteria for automatically removing rules that are no longer required.

B. Create masks to display only the rules relevant to the task at hand.

C. Create masks to hide rules and then automatically remove them from the Security Policy during the next policy install.

D. Search the state table for specific connections.

E. Search the state table and block specific connections using source, destination or service.

2. When you hide a rule, then the next time you install the Security Policy that rule will not be enforced.

A. True

B. False

3. VPN-1/Firewall-1 NG introduced integrating firewall administrator details into the standard user authentication database. Which of the following authentication methods can now be used to authenticate VPN-1/Firewall-1 NG administrators.

1. OS Password
2. SecurID
3. VPN-1/Firewall-1 Password
4. RADIUS
5. Certificates

A. 1, 3

B. 2, 4

C. 1, 2, 4

D. 2, 3, 4

E. 1, 2, 3, 4, 5

4. If you have to work in a command line environment which of the following commands would you use to edit the firewall administrator details.

A. fwadmin

B. fwm -a

C. fw edit

D. fwm fetch admin

E. None of the above; the administrator details can only be changed using the Configuration Tool.


5. You are setting the permissions for an administrator and have selected the following in the permissions profile. This will allow the administrator to do what.

A. Create and edit network objects and add user authentication account information.

B. Create new users and edit existing users and block connection in the log file using block Intruder.

C. Create new users and edit existing users and install the user database.

D. Change the rule to add groups of users in the rulebase and create and edit users in the User authentication database.

E. Delete objects from the database and install user databases after modifying the user account details.

6. If you mark a rule as disabled, in order for it to take effect you must install the Security Policy.

A. True

B. False

7. Which component of Firewall-1 allows log files to be exported to third party products.

A. CVP

B. LEA

C. ELA

D. UFP

E. RTM


6 Setting up Authentication

Objectives

When you have completed this module you should be able to

• Know the database used to store authentication details.
• Know the authentication schemes supported by VPN-1/Firewall-1.
• Create Users and Groups.
• Know the authentication daemons and where they are configured.
• Understand the use of the account name ‘generic*’.

Setting up Authentication

6.1 Authentication Methods

Authentication is required because the source IP address in the IP header cannot be trusted. IP addresses can be spoofed, therefore additional information is required to prove that the connection is coming from a valid user.

In VPN-1/Firewall-1 there are three types of authentication:

• User
• Client
• Session

They all use authentication servers that reside on the firewall and are automatically started if required by a connection passing through the firewall.

If a rule is matched with Action Auth then the Inspection Engine hands the connection onto the authentication server.

$FWDIR/conf/fwauthd.conf The $FWDIR/conf/fwauthd.conf file contains the daemons and port numbers used. The port numbers can be changed from the defaults by editing the port number and doing an fwstop/fwstart. Alternatively you can add a new entry with the port number you want to use.

21 fwssd in.aftpd wait 0
80 fwssd in.ahttpd wait 0
513 fwssd in.arlogind wait 0
25 fwssd in.asmtpd wait 0
23 fwssd in.atelnetd wait 0
259 fwssd in.aclientd wait 259
10081 fwssd in.lhttpd wait 0
900 fwssd in.ahclientd wait 900
0 fwssd in.pingd respawn 0
0 fwssd in.asessiond respawn 0
0 fwssd in.aufpd respawn 0
0 vpn vpnd respawn 0
0 fwssd mdq respawn 0
0 xrm xrmd respawn 0 -pr
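An added example, not part of the book or of Check Point's tools: a small Python parser for the fwauthd.conf layout shown above, with that listing embedded as its input so it runs offline. Only the first four columns (port, program, daemon, wait or respawn) are explained on this page, so the parser keeps the remaining fields as a second port number and trailing arguments without interpreting them; the port-conflict check is the kind of thing to run before adding an entry with a new port number, as the text suggests you may.

```python
from collections import Counter

# fwauthd.conf as shown on this page, embedded as the sample input. On a real
# system read $FWDIR/conf/fwauthd.conf instead.
FWAUTHD_CONF = """\
21 fwssd in.aftpd wait 0
80 fwssd in.ahttpd wait 0
513 fwssd in.arlogind wait 0
25 fwssd in.asmtpd wait 0
23 fwssd in.atelnetd wait 0
259 fwssd in.aclientd wait 259
10081 fwssd in.lhttpd wait 0
900 fwssd in.ahclientd wait 900
0 fwssd in.pingd respawn 0
0 fwssd in.asessiond respawn 0
0 fwssd in.aufpd respawn 0
0 vpn vpnd respawn 0
0 fwssd mdq respawn 0
0 xrm xrmd respawn 0 -pr
"""

def parse_fwauthd(text):
    """One record per non-blank, non-comment line.
    Columns: port, program, daemon, start mode (wait|respawn), a second port field,
    then any trailing arguments. Only the first four are documented on the page; the
    rest is kept verbatim rather than interpreted (an assumption of this example)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or not fields[0].isdigit() or not fields[4].isdigit():
            raise ValueError(f"fwauthd.conf line {lineno}: unexpected layout: {raw!r}")
        entries.append({
            "port": int(fields[0]), "program": fields[1], "daemon": fields[2],
            "mode": fields[3], "port2": int(fields[4]), "args": fields[5:],
        })
    return entries

def daemons_on_port(entries, port):
    """Daemon(s) assigned to a port number, e.g. 259 for the Client Authentication daemon."""
    return [e["daemon"] for e in entries if e["port"] == port]

def listening_ports(entries):
    """Ports assigned to security servers; entries with port 0 are left out."""
    return sorted({e["port"] for e in entries if e["port"] != 0})

def port_conflicts(entries):
    """Non-zero ports assigned to more than one entry: check this before adding a new entry."""
    counts = Counter(e["port"] for e in entries if e["port"] != 0)
    return sorted(port for port, n in counts.items() if n > 1)

if __name__ == "__main__":
    entries = parse_fwauthd(FWAUTHD_CONF)
    print("ports in use:", listening_ports(entries))
    print("port 259 ->", daemons_on_port(entries, 259))
    # Adding a second entry on 259 (constructed) is exactly what the conflict check catches.
    print("conflicts after a bad edit:",
          port_conflicts(parse_fwauthd(FWAUTHD_CONF + "259 fwssd in.aclientd wait 259\n")))
```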


6.2 Authentication Schemes

An authentication scheme is the process by which a user is authenticated. In VPN-1/Firewall-1 this can be one of the following:

• SecurID*
• AXENT Pathworks Defender*
• RADIUS*
• TACACS*
• S/Key*
• VPN-1/Firewall-1 Password
• OS Password

Schemes marked * are considered to be strong authentication, i.e. they do not use simple reusable passwords that can be snooped.

SecurID SecurID is currently the most popular two-factor authentication scheme. It requires a token which generates a number every sixty seconds (the time frame can vary for different types of token) and a PIN that the user knows.

The token number and the PIN are put together to form the authentication. Stealing the token does little good since the thief does not have the PIN; stealing the PIN is no good without the token. Users need to take care of their tokens!

Stolen/lost tokens need to be disabled at the SecurID ACE server.

AXENT AXENT Pathworks Defender presents the user with a challenge when they enter their user name. The user generates the response using a special calculator by entering their PIN and the challenge. The number generated becomes the password for that authentication.

RADIUS Requires a RADIUS server to be configured and the Firewall must be able to communicate with it. The Policy Properties implied rules allow this, however, you may have turned the implied rules off.

Any authentication scheme that works with your RADIUS server can be used.

If you need a RADIUS server to test firewall integration with, try

www.freeradius.org

Safeword™ integrates into Firewall-1 through a RADIUS server.

TACACS Similar to RADIUS but uses TCP instead of UDP protocols.


S/Key A One Time Password (OTP) based authentication scheme. Generate the passwords in advance or use an S/Key client to generate the password when presented with the challenge. The user knows the secret to enter into the client.

Simple to use and better than reusable passwords, users usually need to have the client installed on their computer.
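To show what "one time" means for S/Key, here is an added, simplified hash-chain implementation in Python. It is not Check Point's code or the original S/Key: it uses SHA-256 and hex output where S/Key uses MD4 folded to 64 bits and a six-word encoding, the secret, seed and counts are constructed, and the chain is retired one step before the raw seed+secret would ever have to be sent. The server stores only the current top of the chain and the counter; each password is the preimage of the stored value, so a password that has been snooped cannot be replayed, and the list returned by precompute is the "generate the passwords in advance" option mentioned above.

```python
import hashlib
import hmac

def chain_step(value: bytes) -> bytes:
    """One link of the chain. Real S/Key uses MD4 folded to 64 bits; SHA-256 stands in here."""
    return hashlib.sha256(value).digest()

def hash_n(secret: str, seed: str, n: int) -> bytes:
    """The hash applied n times to seed||secret (the seed lets one secret serve several servers)."""
    value = (seed + secret).encode()
    for _ in range(n):
        value = chain_step(value)
    return value

def enrol(secret: str, seed: str, n: int) -> dict:
    """Server side: store hash^n and n. The secret itself is never stored."""
    return {"seed": seed, "n": n, "last": hash_n(secret, seed, n)}

def challenge(record: dict):
    """Server side: the challenge shown to the user is (sequence number, seed)."""
    return record["n"], record["seed"]

def client_response(secret: str, seq: int, seed: str) -> str:
    """Client side: the one-time password for challenge (seq, seed) is hash^(seq-1)."""
    return hash_n(secret, seed, seq - 1).hex()

def verify(record: dict, response: str) -> bool:
    """Server side: accept iff hash(response) equals the stored value, then step the chain down.
    A replayed password fails because the stored value has already moved past it."""
    if record["n"] <= 1:
        return False                # chain exhausted: re-enrol before seed||secret would be sent
    try:
        candidate = bytes.fromhex(response)
    except ValueError:
        return False
    if not hmac.compare_digest(chain_step(candidate), record["last"]):
        return False
    record["last"] = candidate
    record["n"] -= 1
    return True

def precompute(secret: str, seed: str, n: int) -> list:
    """Passwords generated in advance, in the order they will be used (seq n down to 2)."""
    return [client_response(secret, seq, seed) for seq in range(n, 1, -1)]

if __name__ == "__main__":
    record = enrol("correct-horse-battery", "fw16", 100)     # constructed secret and seed
    otp = client_response("correct-horse-battery", *challenge(record))
    print("first login:", verify(record, otp), " replay of the same password:", verify(record, otp))
```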

VPN-1/Firewall-1 Password This is a simple reusable password stored in the fwauth.NDB database and not recommended except for authenticating users from internal to external networks.

OS Password This is a simple reusable password and not recommended except for authenticating users from internal to external networks. It uses the OS password database on the firewall, NT passwords for NT firewalls and Unix passwords for Unix based firewalls.

Unix firewalls could be configured to use NIS/NIS+, and NT firewalls could be part of a Domain and use the PDC; neither method is recommended.

6.3 Set the Authentication Schemes

Since this is a test configuration and strong authentication may not be available for the authentication exercises, Firewall-1 Password is going to be used.

Set your Firewall to use VPN-1/Firewall-1 Password authentication.

If you do not set this when you try to use Firewall-1 Password the firewall informs the user that it is not supported on this gateway.


6.4 Creating Users

Users are created either from the User Object Tree or from Manage - Users & Administrators.

Default is a template with some of the settings already configured. You can create templates for your live environment to simplify user account creation. The Default template has no authentication scheme defined but you could create a new template called SecurID and set the scheme to SecurID. Every time you needed a new user that used SecurID you would then use the SecurID template.

You will just use the Default template and change the values as required.


You will be creating the following users.

Note: user names are case sensitive (bob and Bob would be two different users), and so are passwords.

General Enter the user name.

Personal This controls when the user account expires; if you blank the expiration date the account will not expire. This requires some input from the site's user account management policy. Add a comment; it can be useful to identify the department or the main manager contact for this user. That helps when you want to delete the user account, since the firewall administrator is usually the last person to be told that a user has left the company.

User     Authentication Scheme
bob      VPN-1 & Firewall-1 Password
jenny    VPN-1 & Firewall-1 Password
joe      VPN-1 & Firewall-1 Password
linda    VPN-1 & Firewall-1 Password
ann      VPN-1 & Firewall-1 Password


Groups Users must belong to at least one group, (except administrators), since no groups have been created yet, no change to this tab. The group Any exists by default. The groups for this example will be created after you have created all the users.

Authentication Set the authentication scheme that is going to be used. In this example all users will be using VPN-1 & Firewall-1 Password.

Select the scheme and set the password.


Encryption The encryption tab is for SecuRemote/SecureClient, Remote Access VPNs, no changes for this example.

Certificates This allows creation of a certificate for this user, this is covered later, no changes for this example.

Time This controls when the account can be used, no changes for this example.


Location This controls the sources and destinations that the account can be used from or to.

Repeat the creation process for the four other user accounts.

You should now have the following user accounts.

Note, if you want to disable a user account but not delete it you can set the Authentication to Undefined. In the Encryption tab of the user account, IKE shared secrets and certificate authentication would still work but these are used with SecuRemote/SecureClient and explained in the Client VPN modules.


6.5 Creating User Groups

You cannot specify a single user in a rule in the rulebase, only groups of users. Therefore every user must belong to at least one group. By default all users belong to the group Any, which could be used in a rule but is not normally what is intended. You can nest groups as well.

Create the following groups.

Support Group Create the Support group and add the users that belong to Support.

Group Users

Support bob, jenny

Sales joe, linda, ann


Sales Group Create the Sales group and add the users that belong to Sales.

If you use a colour scheme it helps to identify the users and the groups they belong to when displaying the users in the Objects tree.

You should now have the users and groups created.

External Groups External Groups are used where the user account information is stored in an LDAP server. The account information for external Groups is not stored in the fwauth.NDB database.

When using external groups the fwauth.NDB is always checked first therefore you cannot have an account name in the external LDAP database that is the same as an account name in the fwauth.NDB.

You will not be creating external groups, that is part of the CCSE+ topics.

You need a license for VPN-1/Firewall-1 to use the LDAP authentication database.


6.6 User generic*

Authentication for most sites through a firewall involves a small number of users, fewer than 25; however, large sites could have thousands of users. For a large number of users you have to decide where and how to implement authentication.

You may already have a large authentication database accessible through RADIUS and want to use that database with the firewall. One way would be to create an account in the firewall user database for every user and set the authentication to RADIUS and point it to the RADIUS server. This requires duplicating all the accounts. This would take a considerable amount of time to create let alone trying to administer it.

Generic* Generic* is a Check Point internal account username that can be used to map onto all usernames not matched in the fwauth.NDB.

You could create a user called generic* and set the Authentication type to be RADIUS.

When the user types in their username the firewall first checks fwauth.NDB and does not find the name; if generic* exists it assumes the name is known to the authentication scheme you have set generic* to point to, and hands the user off to it for authentication.

The generic* account name can use any of the authentication schemes. Up to and including NG FP2 you can only have one generic* username created.


6.7 Setting up Authentication - Review Questions

1. When creating users for authentication, they are stored in which file?

A. fwauth.NDB
B. rulesbases.fws
C. fwmusers
D. FWDIR/database/userc.c
E. Fwusers.NDB

2. The following error message is reported when a user tries to log in: ‘Firewall-1 Password not supported’.

To fix the problem and allow the user to authenticate, you would

A. Modify the user account details and reset their password.
B. Modify the Authentication tab in the firewall object and enable S/Key.
C. Modify the Authentication tab in the firewall object and enable Firewall-1 password.
D. Modify the Authentication tab in the firewall object and enable OS Password.
E. Change the authentication method for the user to OS Password.

3. After making changes to a user’s authentication account but no other changes to the Security Policy, what must you do for the user to be able to use the changes?

A. Run fwstop and fwstart on the firewall Module.
B. Install the User database.
C. Install the Security Policy.
D. Verify and then install the Security Policy.
E. Nothing, changes saved to the database are automatically seen by the firewall module.

4. In VPN-1/Firewall-1 NG, what is the name of the default template for creating user accounts for general authentication through the firewall?

A. Default
B. Standard User
C. Default User
D. Firewall-1 User
E. External User


5. The username generic* is a special username that can be used for what?

A. To allow a single account to be used by many users.
B. To set global parameters for client authenticated users.
C. To allow unmatched user names in fwauth.NDB to be mapped to a common authentication scheme.
D. To enable LDAP interaction with the firewall.
E. Generic* does not exist in NG because NG is more flexible than previous versions and it is not required.

6. Strong authentication for users like SecurID is no longer required by NG because all communication is done using SIC (Secure Internal Communications).

A. True
B. False


7 User Authentication

Objectives

When you have completed this module you should be able to

• Know the services supported by User Authentication.
• Know how to configure the rulebase for telnet User Authentication.
• Know how to configure the rulebase for http User Authentication.
• Know how to configure the rulebase for ftp User Authentication.
• Understand the use of ‘Intersect user database for Source and Destination’.
• Understand the problem with authentication and using the least restrictive rule.


7.1 User Authenticated Services

User Authentication User Authentication is limited to four services

• telnet
• http
• ftp
• rlogin

All of these protocols have an inbuilt authentication process: telnet, ftp and rlogin all require a username/password before they can be used. For http an optional username/password can be used to restrict content access.

You can use User Authentication with https, but you have to change the definition of the service and set the browser to proxy off the firewall; details are listed in the Firewall-1 FAQ.

Check Point have written authentication daemons for each of the User Authenticated protocols that run on the firewall module and interact with the data stream to provide a fairly seamless authentication process.

1. The user tries to connect to www.server.com using telnet.
2. The Inspection Engine matches the User Auth rule and hands the connection to the in.atelnetd daemon.
3. The in.atelnetd injects into the data stream a prompt for a username.
4. The username entered is checked in the fwauth.NDB. If the user exists then the prompt for the appropriate authentication is made. If the user does not exist a prompt for a Firewall-1 password is made. The user enters the authentication password or token which is checked against the database. At this point the firewall may need to connect to the ACE or RADIUS server.

[Figure: User Authentication flow, steps 1 to 5, between the PC, the authentication daemons on the firewall (in.aftpd, in.ahttpd, in.arlogind, in.atelnetd), fwauth.NDB, the RADIUS/SecurID ACE server and telnetd on www.server.com.]

5. If the authentication is correct the in.atelnetd passes the connection onto the target server. All communications to the server are relayed through the in.atelnetd. Connections appear to come from the IP address of the firewall.

The same steps are used for ftp, http, and rlogin.

Stealth Authentication If a username is supplied, a password prompt is always presented, even if the user does not exist. In this way a person making login attempts will not be able to determine if they have a valid username or password. In Check Point terms this is known as stealth authentication.
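The generic* fallback of section 6.6 and the stealth authentication just described, modelled together in Python as an added example (not the book's or Check Point's code). The fwauth.NDB stand-in, the user names and passwords, the salt and the RADIUS stub are all constructed; the real fwauth.NDB is a binary database and the real RADIUS exchange is a network round trip.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def _verifier(password: str) -> bytes:
    """Password verifier; the fixed constructed salt keeps the example deterministic."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000)


# Constructed stand-in for fwauth.NDB: user name -> scheme (+ verifier for
# the FireWall-1 Password scheme). generic* is the catch-all of section 6.6.
FWAUTH_NDB = {
    "bob":      {"scheme": "FireWall-1 Password", "verifier": _verifier("s3cret-bob")},
    "jenny":    {"scheme": "FireWall-1 Password", "verifier": _verifier("abc123")},
    "generic*": {"scheme": "RADIUS", "verifier": None},
}

# Constructed external user store standing in for the RADIUS server.
RADIUS_USERS = {"carol": "radius-pass"}


def radius_check(user: str, password: str) -> bool:
    """Stub for the RADIUS round trip; real code would send an Access-Request."""
    expected = RADIUS_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def resolve_scheme(username: str, db=FWAUTH_NDB) -> Tuple[Optional[str], Optional[dict]]:
    """Lookup order from section 6.6: fwauth.NDB is searched first; a name not
    found there maps onto generic* if that account exists, otherwise nothing."""
    if username != "generic*" and username in db:
        return db[username]["scheme"], db[username]
    if "generic*" in db:
        return db["generic*"]["scheme"], db["generic*"]
    return None, None


# Throwaway verifier so an unknown user costs the same comparison as a bad password.
_DUMMY_VERIFIER = _verifier(secrets.token_hex(16))


def password_prompt(username: str) -> str:
    """Stealth authentication: every supplied user name gets the same prompt."""
    return "password:"


def authenticate(username: str, password: str, db=FWAUTH_NDB) -> str:
    """Same failure string for an unknown user and for a wrong password, so a
    series of login attempts reveals nothing about which half was wrong."""
    scheme, entry = resolve_scheme(username, db)
    if scheme == "FireWall-1 Password":
        ok = hmac.compare_digest(entry["verifier"], _verifier(password))
    elif scheme == "RADIUS":
        ok = radius_check(username, password)
    else:
        hmac.compare_digest(_DUMMY_VERIFIER, _verifier(password))   # same work, always fails
        ok = False
    return f"User {username} authenticated by {scheme} authentication" if ok else "Authentication failed"


if __name__ == "__main__":
    for name, pw in (("jenny", "abc123"), ("carol", "radius-pass"), ("nobody", "guess")):
        print(name, password_prompt(name), authenticate(name, pw))
```

Note the order of checks in `resolve_scheme`: an internal account always wins over generic*, which is why the text says you cannot reuse an fwauth.NDB account name in the external database.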

Rulebase Check Before starting, you should have rules similar to the following installed and have created the users and groups in the previous module.

Rule 5 will cause a minor problem with authentication since the example below will be doing authentication from the internal network to the external www.server.com.

7.1 Authentication Using Telnet

This is the easiest protocol to use to illustrate the use of User Authentication. You will need to have a telnet server running on www.server.com, or a telnet server you can connect to somewhere on your network on the other side of the firewall.

Add a User Authentication Rule

Add a rule after rule 3, and change the setting to use authentication for telnet.


Set the Source Use the Add User Access menu and select the group and restrict to your network.

In this case leave the destination at Any, although in the real world this would normally be a specific target since authentication is most often used from external networks to internal targets.

Set the Service to telnet If you authenticate for more than one service with the same group of users then you can add the services; you do not have to create separate rules for each authenticated service, provided of course they work with the Authentication type you are using. Remember User Auth only works with telnet, ftp, http and rlogin.

Set the Action Set the Action to User Auth and check the Properties for any settings that may be required.

In this case leave the settings to the defaults. The Add Encryption can be used if the user has the VPN client installed on their desktop and you have configured the gateway to do client encryption. Client encryption is a CCSE topic.


Install the Security Policy When you test your Security Policy after installing, it is not going to work and authenticate you on the User Auth rule as you might expect. Can you remember why? It was explained in the module Security Policy & Rules Setup.

Test your authentication rule by trying to telnet to www.server.com. Users bob and jenny belong to the support group.

Telnet Not being Authenticated

You should have got directly connected to the server without having to authenticate.

Check Point FireWall-1 authenticated Telnet server running on fw-f16

Connected to 172.23.3.254

Account Name: student
Password:

Rules are matched in order 1 to n, except when a rule has an action of Authentication in which case the first authentication rule is matched because until you type in a user name the Inspection Engine does not know if this is the rule to use. In fact if you have a rule that matches the source, destination, services, and an action Accept elsewhere in the rulebase then that rule will be used and no authentication takes place.


If you look at your log file you will see that the telnet connection went through rule 6, which matches everything in your authentication rule.

Disable the rule that lets your network out with telnet, ftp, http.

Install the Security Policy and try accessing the telnet server again.
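The first-packet decision just described, modelled in Python as an added example (not the book's or Check Point's code). The `Rule` and `Decision` objects, the rule numbers and the sample rulebase are constructed to mirror the lab, where rule 4 is the User Auth rule and rule 6 is the broad outbound Accept rule that swallowed the telnet connection; object names such as `internal_net` are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

AUTH_ACTIONS = {"User Auth", "Client Auth", "Session Auth"}
ANY = "Any"


@dataclass
class Rule:
    """One rulebase row. Source/destination are object names; services is a
    set of service names (or {"Any"}). Rule numbers are constructed."""
    number: int
    source: str
    destination: str
    services: frozenset
    action: str            # "Accept", "Drop", "Reject" or one of AUTH_ACTIONS
    enabled: bool = True

    def matches(self, src: str, dst: str, service: str) -> bool:
        return (self.enabled
                and self.source in (ANY, src)
                and self.destination in (ANY, dst)
                and (ANY in self.services or service in self.services))


@dataclass
class Decision:
    rule: Optional[int]    # number of the rule that decided, None if nothing matched
    outcome: str           # "authenticate", "accept", "drop" or "reject"


def evaluate(rulebase: List[Rule], src: str, dst: str, service: str) -> Decision:
    """First-packet decision as the text describes it: an authentication rule
    is only performed when no other rule matches, or when every other matching
    rule is Drop/Reject. Otherwise the first matching non-authentication rule
    wins, even if it sits below the authentication rule, and no
    authentication takes place."""
    matching = [r for r in rulebase if r.matches(src, dst, service)]
    if not matching:
        return Decision(None, "drop")                 # nothing matched: implicit drop
    auth = [r for r in matching if r.action in AUTH_ACTIONS]
    others = [r for r in matching if r.action not in AUTH_ACTIONS]
    if auth and all(r.action in ("Drop", "Reject") for r in others):
        return Decision(auth[0].number, "authenticate")
    return Decision(others[0].number, others[0].action.lower())


def lab_rulebase(outbound_rule_enabled: bool = True) -> List[Rule]:
    """Constructed rulebase in the shape of the lab (object names assumed)."""
    return [
        Rule(2, ANY, "fw-f16", frozenset({ANY}), "Drop"),                   # stealth rule
        Rule(4, "internal_net", ANY, frozenset({"telnet"}), "User Auth"),   # Support@internal_net
        Rule(6, "internal_net", ANY, frozenset({"telnet", "ftp", "http"}),
             "Accept", enabled=outbound_rule_enabled),                      # lets the network out
        Rule(7, ANY, ANY, frozenset({ANY}), "Drop"),                        # cleanup rule
    ]


def lab_demo():
    """Outcomes for telnet from internal_net to www.server.com with rule 6
    enabled (the first attempt in the text) and with it disabled."""
    before = evaluate(lab_rulebase(), "internal_net", "www.server.com", "telnet")
    after = evaluate(lab_rulebase(False), "internal_net", "www.server.com", "telnet")
    return before, after


if __name__ == "__main__":
    for label, d in zip(("rule 6 enabled", "rule 6 disabled"), lab_demo()):
        print(f"{label}: rule {d.rule} -> {d.outcome}")
```

With rule 6 enabled the telnet connection is accepted by rule 6 and never reaches the authentication daemon, which is exactly what the log showed; once rule 6 is disabled the only other matching rule is the cleanup Drop, so rule 4 performs the authentication.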

[Flowchart of the first-packet decision, nodes as printed: First packet of the connection; Does an Authentication or Resource rule apply?; Do other non-Authentication rules apply?; Are they all Drop or Reject?; Apply the first non-Authentication rule; Perform Authentication rule; Connection allowed?; Pass connection to the Security Server; Continue connection through the Security Server; Accept the connection; Reject the connection; End.]


Telnet being Authenticated If you get the following error when typing in the username, it means you have not set VPN-1/Firewall-1 as an authentication scheme that can be used with this gateway.

Check Point FireWall-1 authenticated Telnet server running on fw-f16
User: jenny
This gateway does not support FireWall-1 Password.

User:

If you have set the Authentication Scheme in Global Properties then you will be prompted for the Gateway authentication details and then the login details at the telnet server. In this case user jenny was used and the telnet server user name is student.

Check Point FireWall-1 authenticated Telnet server running on fw-f16
User: jenny
password: ******
User jenny authenticated by FireWall-1 authentication

Connected to 172.23.3.254

Account Name: student
Password:

c:\home\student>

The log entry will indicate the user who authenticated and in the info field which authentication scheme they used.

The problem with letting the user out without authenticating would not occur for external authentication coming to internal servers since there would never be another rule that would accept the connection in the first place. Only the authentication rule would exist for the incoming connection.

Note that each time you attempt to telnet you are prompted for an authentication.


7.2 Intersect with User database for Source and Destination

In the Properties of the User Auth action there are settings which allow interaction with the user database. This applies to User, Client and Session Authentication.

Every user account has a location field.

The defaults for the properties in an authentication rule are ‘Intersect with user database’. This means that if a user is restricted to a specific target destination in their account then even if the rule states Any for the destination then they would only be allowed to go to the destination in the account.

If you select ‘Ignore User database’, then the settings in the user account are ignored and whatever is allowed in the rule is used.

You could reduce the number of authentication rules you have by using this feature by allowing all users to match the rule and set specific locations in user accounts.

7.3 Authentication Using http

Change your authentication rule and add http as a service. For this to work you will also need to change the User Auth Properties.

Add http to the Rule Modify the User Auth rule to authenticate http connections.


Change the User Properties Change the User Auth Properties to ‘Allow all servers’. You could specify a list of servers that the user could access, but this only works if you set the http client to proxy off the firewall.

Install the Security Policy and test http through the firewall.

Setting the server list is done in the Global Properties. This is also where you would set the message file that would be displayed when a user authenticates.

Note, for every different site connected to you will be prompted for an authentication. This is extremely annoying if you connect to sites with advertising banners.

Remember authentication is really designed for external to internal access; therefore it is likely you will only be connecting to a single server and require a single authentication.

If you need to authenticate users coming from internal networks out to the Internet there are better ways of doing it than controlling the access at the Firewall.


You could set the client to proxy off the firewall and this does reduce the number of authentications, however, the firewall will not do any caching of http requests.

7.4 User Authentication Using ftp

Change your authentication rule and add ftp as a service.

Install the Security Policy and try ftp to the server www.server.com

Account on www.server.com
User: anonymous
Password: anything

Account in firewall authentication database - fwauth.NDB
User: jenny
Password: abc123

The in.aftpd authentication server needs all the information required to authenticate with both the firewall and the remote ftp server, therefore the prompt for login and password will require the following.

login: user_at_remote_ftp_server@user_in_fwauth.NDB@target_host
Passwd: Passwd_for_remote_ftp_server@Passwd_for_fwauth.NDB

The in.aftpd strips off the details up to the @ and uses the right side for the firewall authentication and the remainder for the ftp server authentication.

Users find this awkward, although once done a couple of times it is in fact quite simple.

Using the account information above you would need

Login: jenny@anonymous@www.server.com
Passwd: abc123@anything

Note, you would not be able to use a web browser to do ftp authentication through Firewall-1, since the browser uses the @ symbol for its own purposes and the authentication string would cause a problem.


To ftp from a browser to an account bob password abc123 at site 193.128.73.254 you would use

ftp://bob:abc123@193.128.73.254

The browser parses the URL and will never present the correct formatted information to the firewall.


7.5 User Authentication - Review Questions

1. User Authentication will provide a seamless transparent authentication method for which protocols?

A. ftp, http, telnet
B. ftp, http, pop3
C. pop3, http, rlogin
D. http, telnet, nntp
E. all of the above options are correct for NG

2. The User Authentication Session timeouts for ftp, rlogin and telnet in the Policy properties – authentication tab apply to what?

A. How long any session is authenticated for.
B. How many minutes the user can hold a single session open.
C. How long before the next auto refresh of the Security Policy.
D. How long the IP address will stay authenticated after the user has finished his/her session.
E. How many minutes of inactivity is allowed before the session is timed out.

3. Stealth authentication means:

A. That users are transparently authenticated using the Security servers.

B. That users will never see their login and password details displayed on the screen.

C. That attempts to guess user names or passwords will result in no feedback for incorrect values.

D. That the stealth rule will match all authentication methods and select the most appropriate for ease of authenticating the user.

E. That all authentication is encrypted and username and passwords cannot be snooped.


4. Given the following rulebase and user account details, will the user be able to connect to the ftp server nero? User jim belongs to the ftp_users group.

A. Yes
B. No

5. User authentication and authentication of ftp sessions are a simple transparent process and users will have no problems using ftp with user authentication.

A. True
B. False

6. The ftp and http authentication daemons are used for authentication and Content Security.

A. True
B. False


7. All users in the internal network are allowed out to the Internet providing they authenticate. The firewall administrator has set up the following rules; which rule will let the user out for http connections?

A. They will be authenticated by rule 4 but go out through rule 7.
B. They will be authenticated and go out on rule 4.
C. They will not be authenticated and go out on rule 7.
D. The Security Policy will not compile and will complain of conflicting rules 4 and 7.
E. They will be dropped by rule 8.

8. Management want all users that download ftp to be controlled and audited by authentication, this is a change to current policy and everyone in the company in the past was allowed ftp access.

The firewall administrator has created a user group called ftp_users and added all users that are allowed to use ftp to this group. All outgoing connections use hide NAT. After adding the authentication rule to the rulebase the installed rules now look like the following


Once the Security Policy is installed, will this implement management's objective of controlling only authorised ftp users?

A. Yes
B. No


8 Session Authentication

Objectives

When you have completed this module you should be able to

• Install the Session Agent.
• Understand the difference between Every Request and Once per Session.
• Use Session Authentication for authenticating ftp.
• Understand the limitations of Session Authentication.
• Know the port number used by the Session Agent.
• Know the interaction between the firewall and the agent.


8.1 Session Authentication

Session Authentication requires a Session Agent to be installed on the user's PC, or one can be centrally configured on the network. Session authentication works with all services and authenticates on a per session basis.

1. The user tries to make a connection to the remote server, the firewall matches the Session Auth rule and puts the packet on hold.

2. The Inspection Engine informs the in.asessiond that it needs to negotiate the session authentication.

3. The in.asessiond makes a connection to port 261 on the user workstation IP address, the agent pops up a dialog box for the user to enter the user name and authentication token.

4. The in.asessiond checks with the database for the details of the user name and correct authentication token.

5. The in.asessiond informs the Inspection Engine the authentication is valid and lets the packet continue to the server.

[Figure: Session Authentication flow, steps 1 to 5, between the PC running the Session Agent (port 261), in.asessiond on the firewall, fwauth.NDB, the RADIUS/SecurID ACE server and telnetd on www.server.com.]


8.2 Install the Session Agent

The session agent is on the Check Point CD and can be installed through the AutoPlay and high level setup by selecting Mobile/Desktop Components, or by going into the windows directory on the CD and directly running the Session Agent setup program.

If you insert the CD the AutoPlay should start the installation program, alternatively exit this and go directly to the Session Agent directory.

Select the Desktop component you want to install.


Select the Session Agent directory and run the setup program.

The Agent will be installed and appear as an icon on your toolbar.

Use the default directory


You do not have to reboot after installing the agent.

On the toolbar you should now have an icon for the Session Agent; this allows configuration of the agent.

You now have an application running that listens on port 261 (FW1_snauth). This may be important if you are behind a filtering router, since the firewall may not be able to connect to port 261. This is not an issue in the classroom/test environment, but will be in the real world.

For the time being you will not make any changes to the agent but if you want to have a look at the options for configuration select the agent.


The defaults are set to force authentication for every request, have no listed IP addresses to limit where the authentication request originates, allow clear text passwords and do reverse DNS lookups on addresses connecting to it.

Resolve addresses can make the Session Agent responses slow; if this happens, turn it off.

8.3 Session Authentication Using ftp

Since the average user will not like User Authentication using ftp, it might be more appropriate to do it using Session Authentication.

Session Authentication Rule Modify the User Authentication rule to remove ftp as a service and add a rule to do Session Authentication.

It does not matter if it comes before or after the User Authentication rule.

Session Authentication Properties

Check the Session Authentication properties; these are going to stay at the defaults. You only need to change them if you have a central server that is used for all Session authentications.

Install and Test Session Authentication

Install the Security Policy and test ftp through the firewall.

You should get a prompt to add the IP address of the firewall to the list of known IP addresses.

This is done because there is nothing to stop someone from writing a client that tries to connect to port 261 and get a user to hand out their user name and password. If the IP address is already in the list this dialog box will not appear.

The user should enter their user name and password, once the user name is known the appropriate prompt for the type of password is made.

If a user types the wrong user name they will still be prompted for a password, but they will then not know which bit they got wrong. This is Stealth Authentication.

Log Entry for Session auth The log entry for user jenny doing a Session Auth should look like

Agent Settings - Once per session

If you change the Session Agent setting to authenticate once per session then the Session Authentication rule could be used with http. Since http makes a large number of connections to download a single page, leaving it at every request would require repeated authentications.

Try it with the existing ftp rule; you will be able to make multiple ftp sessions with a single authentication. You do not need to install the Security Policy, since this configuration is done at the Session Agent.

When will the session timeout and need another authentication?

Once authenticated the user will not need to authenticate again until the Session Agent is stopped and restarted. Once per session applies to the agent not the protocol being used.
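The firewall/agent exchange of section 8.1, the known-IP-address check from the install and test steps, and the every request versus once per session setting, modelled in Python as an added example (not the book's or Check Point's code). The firewall address, the user database stand-in, the credentials the user "types" and the way the agent caches an answer are all constructed assumptions; only port 261 and the behaviour described in the text come from the book.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Set, Tuple

FW1_SNAUTH_PORT = 261      # the agent's listening port (FW1_snauth), from the text


class Mode(Enum):
    EVERY_REQUEST = "every request"
    ONCE_PER_SESSION = "once per session"


@dataclass
class SessionAgent:
    """Model of the agent on the user's PC. `credentials` is what the user
    would type into the pop-up dialog (constructed). The trusted-firewall
    list and the cache are assumptions drawn from the text's description."""
    mode: Mode
    credentials: Tuple[str, str]
    known_firewalls: Set[str] = field(default_factory=set)
    trust_new_firewalls: bool = True     # the user's answer to the "add this IP?" prompt
    prompts_shown: int = 0
    _cached: Optional[Tuple[str, str]] = None

    def request(self, peer_ip: str) -> Optional[Tuple[str, str]]:
        """Handle an incoming connection on port 261 from peer_ip. Returns the
        credentials handed back, or None when the agent refuses."""
        if peer_ip not in self.known_firewalls:
            # Anyone able to reach port 261 could pose as the firewall and
            # collect credentials, hence the check before any dialog appears.
            if not self.trust_new_firewalls:
                return None
            self.known_firewalls.add(peer_ip)
        if self.mode is Mode.ONCE_PER_SESSION and self._cached is not None:
            return self._cached          # answered without bothering the user again
        self.prompts_shown += 1          # the dialog box pops up
        if self.mode is Mode.ONCE_PER_SESSION:
            self._cached = self.credentials
        return self.credentials

    def restart(self) -> None:
        """Stopping and restarting the agent is what ends a 'session'."""
        self._cached = None


@dataclass
class Firewall:
    """The in.asessiond side. `users` is a constructed fwauth.NDB stand-in."""
    ip: str
    users: dict

    def session_auth(self, agent: SessionAgent) -> bool:
        """Steps 2 to 5 of section 8.1 for one held connection: ask the agent,
        check the reply against the user database, release or drop the packet."""
        reply = agent.request(self.ip)
        if reply is None:
            return False
        user, token = reply
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected.encode(), token.encode())


def demo():
    """Constructed walk-through: three ftp sessions under each agent setting,
    returning (all sessions allowed?, number of dialogs the user saw)."""
    fw = Firewall("10.0.0.1", {"jenny": "abc123"})        # constructed firewall address
    results = {}
    for mode in Mode:
        agent = SessionAgent(mode, ("jenny", "abc123"))
        allowed = [fw.session_auth(agent) for _ in range(3)]
        results[mode.value] = (all(allowed), agent.prompts_shown)
    return results


if __name__ == "__main__":
    print(demo())
```

The once per session cache lives in the agent, not in the firewall or the rule, which is why the text says no policy install is needed and why the session ends only when the agent is restarted.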


8.4 Session Authentication - Review Questions

1. For Session Authentication to work it always requires the user’s host to have a special agent installed on their machine.

A. True
B. False

2. The Session Agent can be set to authenticate on a per session basis. What effect will this have on the client if the client is an http browser?

A. The user will be authenticated for every different site they go to.
B. The user will be authenticated once and be allowed to go to other sites without being asked for authentication.
C. The user will get a session agent dialog popup for every connection the browser makes, to download text and gifs.
D. The user will not be able to use the browser because the Session Agent will prevent it from working.
E. The user will have to restart the browser every time they want to go to a different site.


9 Client Authentication

Objectives

When you have completed this module you should be able to

• Configure rules to use client Authentication.
• Know the port numbers used to complete Manual Client Authentication.
• Know the risks associated with Client Authentication.
• Know the operation of the different Sign On Methods.


9.1 Client Authentication

Client authentication works with any protocol; however, it authenticates the IP address the user initiated the connection from, for a specific time period and/or a specific number of sessions. To use client authentication you only require a telnet client or a web browser, which are usually available.

Client authentication requires the user to go through an authentication process by connecting to the in.aclientd (port 259) or in.ahclientd (port 900) and identifying themselves before being allowed through the firewall.

Once authenticated the user can use the service(s) listed in the Client Authentication rule.

1. The user makes a connection to in.aclientd (port 259) or in.ahclientd (port 900) and goes through the authentication process entering the user name and authentication token.

2. The in.aclientd checks the username/password details.
3. The client authentication daemon sets a flag in the Inspection Engine that a valid authentication from the IP address has been made.
4. The user can now use any of the services in the Client Auth rule for the specified time or number of sessions.
5. When the user has finished they may have to unauthenticate by connecting back to the in.aclientd or in.ahclientd.

[Figure: Client Authentication flow, steps 1 to 4, between the PC, in.aclientd/in.ahclientd on the firewall, fwauth.NDB (step 3), the RADIUS/SecurID ACE server and telnetd on www.server.com.]


9.2 Client Authentication Using ftp

Modify your Session Authentication rule so that the action is Client Auth.

If you were to just install this rulebase as it is then client authentication will fail. For client authentication to work you must be able to connect to the firewall on port 259 or port 900.

In the rulebase shown above, rule 2 the stealth rule, would drop all connections going to the firewall.

You have two choices, one is the simple way out, which is to position the Client authentication rule before the stealth rule.

If you have a client authentication rule then you will be allowed to connect to port 259 or port 900, if there is no client authentication rule the firewall ignores connections to 259 and 900.

If you position the client authentication rule above the stealth rule then connections to port 259 and 900 are implicitly allowed. This is not part of the implied rules.

If you position the client authentication rule below the stealth rule as in the rules above then you must explicitly add a rule to allow the connection to the firewall for whichever method you are using. It may be that you only do this through port 900, web front end. You could of course move the in.aclientd and in.ahclientd to other port numbers.

If you remove the client authentication rule you should also remove the rules that allowed access to the firewall on client authentication related ports.

Add a client Auth Access rule Add a rule above the stealth rule that allows access to port 259 and port 900 on the firewall to complete client authentication. In this case the source will be Any but in the real world you may be able to limit this to a specific network or group of networks.


Even if you move the client Authentication rule above the stealth rule anyone can connect to port 259 or port 900 to attempt a client authentication.

Remember to comment the rule, this rule should only exist if the Client Authentication rule exists. If you disable the Client Auth rule you should disable this rule.

Install and test your Security Policy.

Using telnet on port 259 Use a telnet client to connect to port 259

You will be prompted for the authentication and Sign On method.

In this case select Standard Sign-on, this is the default method and will authenticate your IP address with the Inspection Engine. The Sign-off would be used to remove authentication for your IP address from the Inspection Engine if you had not already used your number of sessions or time period.

Check Point FireWall-1 Client Authentication Server running on fw-f16
User: jenny
password: ******
User jenny authenticated by FireWall-1 authentication

Choose:
(1) Standard Sign-on
(2) Sign-off
(3) Specific Sign-on
Enter your choice: 1

User authorized for standard services (1 rules)


The telnet connection is disconnected and you will now be able to use the services listed in the rule.

Question: can the telnet connection stay connected and not immediately be disconnected?

Yes, in the firewall gateway object under the Authentication tab, enable the wait mode.

Try using ftp, you should be able to do 5 ftp sessions and then be blocked until you do a client authentication again.

Log entries for telnet client Auth

If you check your log file you should see the connection to the firewall and the client authorize and then the ftp sessions.


Using http on port 900 Try using a web browser to complete the Client Authentication.


Try the ftp sessions again just to make sure you can only do 5 sessions.

Log entries for http Client Auth

The log file should show the connection to port 900 and the successful ftp sessions.

9.3 Controlling the number of sessions or time period

The number of sessions is controlled by the Properties in the Client Auth rule. The defaults are 5 sessions or 30 minutes.

With the default settings you can have 5 sessions within 30 minutes. If one session exceeds the 30 minutes it will not be stopped but you cannot start new sessions until you authenticate again.


Risks with Client Authentication

Client authentication only authenticates the IP address that the connection to port 259 or port 900 came from. If the user is on the Internet and goes through a NAT gateway, the user may not know and the firewall would only see the NAT gateway address and authenticate it. If you allow more than one session you are effectively authenticating every host behind the NAT gateway and not just the authorized user.

Only ever allow one session unless coming from internal trusted networks, in which case you may have unlimited sessions for a 2 hour time period configured and users would only have to authenticate every 2 hours.
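The per-address authorization of sections 9.3 and the NAT risk above, modelled in Python as an added example (not the book's or Check Point's code). The table, its method names and the addresses are constructed; the defaults of 5 sessions or 30 minutes, the rule that a running session is not cut off when the time expires, and the one-session recommendation come from the text.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Grant:
    user: str
    expires_at: float        # seconds; end of the authorization window
    sessions_left: int


@dataclass
class ClientAuthTable:
    """Model of the per-IP authorization a Client Auth rule creates in the
    Inspection Engine. Defaults follow section 9.3 (5 sessions or 30 minutes);
    the table and method names are constructed, not the product's own."""
    max_sessions: int = 5
    minutes: int = 30
    grants: Dict[str, Grant] = field(default_factory=dict)

    def sign_on(self, ip: str, user: str, now: float) -> None:
        """Standard Sign-on after a successful login on port 259/900: the flag
        is set for the *address*, whoever is really behind it."""
        self.grants[ip] = Grant(user, now + self.minutes * 60, self.max_sessions)

    def sign_off(self, ip: str) -> None:
        """Sign-off removes the authorization before it is used up."""
        self.grants.pop(ip, None)

    def new_session(self, ip: str, now: float) -> bool:
        """First packet of a new connection from ip. Only new sessions are
        gated: a session already running past the time limit is not stopped."""
        g = self.grants.get(ip)
        if g is None or now >= g.expires_at or g.sessions_left <= 0:
            return False
        g.sessions_left -= 1
        return True


def nat_risk_demo(table: Optional[ClientAuthTable] = None) -> Dict[str, bool]:
    """Two hosts behind one hide-NAT address. Only hostA's user signs on, but
    the firewall sees the NAT address for both, so with the default 5 sessions
    hostB rides the same authorization. With max_sessions=1 it does not."""
    table = table if table is not None else ClientAuthTable()
    nat_ip = "198.51.100.7"              # constructed address (RFC 5737 test range)
    table.sign_on(nat_ip, "bob", now=0)
    return {"hostA": table.new_session(nat_ip, 10), "hostB": table.new_session(nat_ip, 20)}


if __name__ == "__main__":
    print("defaults:", nat_risk_demo())
    print("one session:", nat_risk_demo(ClientAuthTable(max_sessions=1)))
```

The table is keyed by address only, which is the whole of the risk: nothing in it ties a session back to the person who typed the password. Limiting untrusted sources to one session shrinks the window to a single connection.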

9.4 Sign On Required

This can be either Standard or Specific. For Standard Sign On, any of the services listed in the client authentication rule can be used once an authentication has occurred. For Specific Sign On, you will have a list of services in the rule; however, when the user authenticates they must select the service they want to use for this authentication. Specific Sign On is not very user friendly, since users must know in advance which service they want to use, and most users have no clue about the service details, only that they need to run a specific application.

9.5 Sign On Methods

Client authentication has different Sign On methods. The default, which was used above, is Manual Sign On; this requires an explicit connection to port 259 or port 900 on the firewall.

In early versions of Check Point Firewall-1 there was something called implicit client authentication. This could be used to make an authentication appear like a user type authentication, simple and non intrusive but client authenticated the user for a number of sessions or time period. This was replaced by the sign-on methods.


Manual Sign On The Manual Sign On method requires the user to telnet or http to the firewall before attempting to use the service in the rule. This is not transparent from the user's point of view.

Partially Automatic Partially Automatic Sign On provides Transparent Client Authentication for authenticated services. A user working with one of these protocols can directly request access to the target host.

The user is then prompted and signed on through the User Authentication mechanism. This is only available for User Authenticated services, telnet, ftp, http, rlogin.

Fully Automatic Fully Automatic Sign On provides Transparent Client Authentication for all services. A user working with one of these protocols can directly request access to the target host. Users of User Authenticated services (http, telnet, rlogin, and ftp) will be signed on through the User Authentication mechanism, while users working with all other protocols are signed on using the Session Authentication Agent.

The Session Authentication Agent must be installed on the user's PC and the firewall must be able to connect to port 261 on the user's PC.

If you know the user has a Session Authentication Agent installed then Fully Automatic can be used. If it is not installed, the non User Authenticated protocols will fail. With Partially Automatic the user can still connect manually to the firewall with telnet or http to authenticate.


Agent Automatic Sign On Agent Automatic Sign On provides Transparent Client Authentication for all services. Users are signed on through the Session Authentication Agent.

The Agent must be installed on the user's PC and the firewall must be able to connect to port 261 on the user's PC.

Single Sign On Single Sign On is enabled through integration with Meta IP. This is Check Point’s address management product which provides transparent network access. Meta IP requires a separate license.


9.6 Client Authentication - Review Questions

1. Client Authentication Rules should be placed before the stealth rule if you only want to have one rule to control Client Authentication.

A. True
B. False

2. Client Authentication authenticates the user each time they try to use a client authenticated service.

A. True
B. False

3. Client Authentication with the properties set to Sign-on method Manual means that the user:

A. Must explicitly connect to the firewall to authenticate.
B. Will be transparently authenticated if the service is http.
C. Will be transparently authenticated if the service is telnet or rlogin.
D. Will be session authenticated if they have a session agent installed on their host.
E. Will be session authenticated or user authenticated depending on the type of service.

4. Client Authentication with the properties set to Sign-on method ‘Fully Automatic’ means that the user:

A. Will have to telnet to the firewall and authenticate, then be allowed access to the service.

B. If the service matches a rule and the service is an authenticated service the user will be authenticated after successful user authentication.

C. If the service matches a rule then the user is signed on after a session authentication and if the service is an authenticated service will be authenticated after a successful user authentication.

D. ‘Fully Automatic’ is a 4.1 feature and only exists in NG for compatibility.

E. Will be prompted to select a radius server from the available servers.


5. Client Authentication with the properties set to Sign-on method ‘Partially Automatic’ means that the user:

A. Will have to telnet to the firewall and authenticate, then be allowed access to the service.

B. If the service matches a rule and the service is an authenticated service the user will be authenticated after successful user authentication.

C. If the service matches a rule then the user is signed on after a session authentication.

D. ‘Partially Automatic’ is a 4.1 feature and only exists in NG for compatibility.

E. Will be prompted to select a radius server from the available servers.

6. Client Authentication with the properties set to Sign-on method SSO means that the user:

A. Will be looked up in the UAM to see if they have an IP address and username registered.

B. If the service matches a rule and the service is an authenticated service the user will be authenticated after successful user authentication.

C. If the service matches a rule then the user is signed on after a session authentication.

D. Partially Automatic is a 4.1 feature and only exists in NG for compatibility.

E. Will be prompted to select a radius server from the available servers.

7. When using Client Authentication, one of the two default port numbers used to connect to for authentication of the username and password is:

A. 264
B. 261
C. 900
D. 256
E. none of the above


8. You have a split Firewall/Management Server configuration. For security reasons you have decided to change the standard port numbers used for client authentication. Which file do you need to edit?

A. fwauthd.conf on the Firewall module.
B. fwauthd.conf on the Management module.
C. fwuserd.conf on the Firewall module.
D. fwuserd.conf on the Management module.
E. The default port numbers cannot be changed; they are well known ports listed at www.iana.org/assignments/port-numbers, previously known as RFC1700.

9. Client Authentication allows the number of sessions to be set; the default is 5 sessions and 30 minutes. If you authenticate using client authentication from an untrusted network and the number of sessions is set to one, is there a lower risk of compromise than if the sessions were left at 5?

A. Yes
B. No

10. Which rule in the rule base will block Client Authentication if you have unchecked ‘Accept VPN-1/Firewall Control connections’ in the Policy properties tab?

A. 5
B. 2
C. 3
D. 4
E. Client Authentication will always work providing a rule with action ‘Client Auth’ is in the rulebase.


9.7 Authentication - General Review Questions

1. SecuRemote allows client to firewall VPNs to be configured, since all communication is now encrypted this means that authentication is no longer required.

A. True
B. False

2. Client and Session Authentication are not limited by the type of service they can authenticate.

A. True
B. False

3. Management have decided that all users will authenticate before going out to the Internet. Users are only allowed one outgoing service and you use Dynamic NAT on the Firewall. All users can use http once they have authenticated; you do not want the users' browsers to be set to proxy off the firewall and you only want users to authenticate no more than twice a day. Which authentication scheme would you consider most appropriate to implement given the above?

A. Session Authentication
B. User Authentication
C. Dynamic Authentication
D. S/Key One Time Password
E. Client Authentication


4. You have a user who is on contract to a customer and will be working from the customer's site using a portable PC for the next 4 months. The user will need access to restricted information at your site, located on an internal server. Access is required on port numbers 1510, 1520 and 1521; all connections will be initiated by the client. The customer has their own firewall and a router with ACLs installed. All their clients except their servers are hidden using hide NAT, but they have agreed to add a rule to their firewall allowing the user outgoing access to ports 1510, 1520 and 1521 back to their home site.

Why would Session authentication not be appropriate in this case?

1. Because the user will have to authenticate multiple times.
2. Because there is no rule on the customer firewall to allow incoming session authentication requests to reach the agent.
3. Because the portable PC is hidden behind a NAT gateway and no incoming connections can be initiated to it.
4. Because the perimeter router has ACLs installed and ports less than 1024 are blocked.

A. 1
B. 1, 2, 3, 4
C. 2, 3
D. 2, 3, 4
E. 4

5. Given the following rulebase and user account details, will the user be able to connect to the http server Zeus? Assume the user belongs to one of the groups used in the rulebase.


A. Yes
B. No

6. Management want to enforce a policy that all users must be authenticated from internal to external networks for all services. The firewall administrator needs to control groups of users. However, users continually complain about password authentication for every service they need to use and say it is interfering with their work. To ease the user complaints but satisfy Management, which of the following would you choose to implement?

A. User Authentication.
B. Client Authentication with web front end authentication.
C. Session Authentication.
D. Client Authentication with telnet front end.
E. User and Session Authentication.

7. A rule in your rulebase with an Action of Authentication (User, Client or Session) will in all cases prove that only valid users are able to pass through the firewall.

A. True
B. False

8. A rule in your Security Policy with an Action of Authentication (User, Client or Session) will in all cases only allow authenticated users to pass through the firewall.

A. True
B. False


10 Network Address Translation

Objectives

When you have completed this module you should be able to

• Understand the reasons behind using NAT.
• Know the RFC1918 NAT Addresses.
• Understand the potential problems of using NAT.
• Configure Hide/Dynamic Mode NAT - using Automatic configuration.
• Know the purpose of hide address 0.0.0.0.
• Configure Hide/Dynamic Mode NAT - using Manual configuration.
• Configure Static NAT - using Automatic configuration.
• Configure Static NAT - using Manual Configuration.
• Understand the advantages of using Manual configuration.
• Know the difference between client side and server side NAT.
• Know when to configure ARPs for NAT.
• Know how and when to use the local.arp configuration file.
• Know how to check the state table for arp entries.
• Know when NAT firewall routes are required.


10.1 Network Address Translation (NAT)

Reason behind NAT Most companies only need a small number of addresses to be visible on the Internet; some sites have only one. Network Address Translation need not limit your presence on the Internet, but it can cause some problems.

An Internet Service Provider (ISP) will provide you with Internet address space. At one time the addresses allocated belonged to you and could be moved between ISPs. With the number of sites joining the Internet and the complexity of the routing tables increasing, the addresses are now allocated out of the ISP's own space, and if you change providers you usually need to renumber your perimeter.

NAT is not much, if any, of a security feature; it was introduced as a convenience to cope with the shortage of address space.

RFC 1918 Addresses RFC 1918 lists three blocks of IP addresses that will never be allocated to a customer of an ISP; they can safely be used for internal networks.

Combined with NAT, this solves the problem of the shortage of address space.

The RFC1918 addresses are

• Class A: 10.0.0.0 to 10.255.255.255
• Class B: 172.16.0.0 to 172.31.255.255
• Class C: 192.168.0.0 to 192.168.255.255

The use of these addresses for internal networks satisfies most situations, however, you will still need to co-ordinate within your organisation which addresses are allocated to which site or country.

Problems with NAT Network address translation can stop some services working and can break VPNs. Two sites that want to build a VPN cannot use the same address space at both ends; it must be unique. Some services embed a port or address in the data part of a packet for reverse connections, and unless the NAT gateway understands the protocol it will not be able to handle the service correctly.

Check Point VPN-1/Firewall-1 supports two forms of NAT,

• Hide mode (also known as Dynamic NAT)
• Static NAT


Rulebase Check Before you start the next section, remove any authentication rules and put back the rule that lets your internal network have ftp, http and telnet access.

If you leave authentication on you will not see NAT in action, because the user authentication security servers always rewrite the connection so that it appears to come from the firewall.

Your rules should look similar to the following.

Network address Translation rules can either be automatically created or manually created. Manually creating the rules provides more flexibility.

10.2 Hide Mode NAT or Dynamic NAT - Automatic

Hide mode NAT is used to hide many hosts behind a single address, usually the firewall address, but it can be any address in your valid Internet address space.

This is a many to one configuration, many hosts mapped to a single address and usually used for all clients in a network.

The firewall administrator must configure the address to map all hosts to.

Configuring Hide Mode NAT Given the following network configuration then the steps needed to configure NAT are listed below. Follow the steps and configure NAT.

[Diagram: the firewall (FW) sits between the external network 172.23.3.0/24 and the internal network 10.3.3.0/24; the interface and host labels .1 and .254 appear on the figure.]


Choose a HIDE address You can choose any address in your external perimeter network that is not currently being used. VPN-1/Firewall-1 treats the address 0.0.0.0 as a special case for NAT, and that is the address used in this example.

The 0.0.0.0 address is used for Hide NAT only; the NAT component takes it to mean "use the address of whichever firewall interface the packet leaves on".

Edit NAT in the Network object

Edit your internal network object

Select the NAT tab and select Add automatic Address Translation Rules.

The default method is Hide and the default hide address is 0.0.0.0. If you have multiple firewalls you can select the specific gateway that these NAT rules apply to; HA configurations may require this.

Select OK to create the NAT rules.

View the NAT rules Change your policy editor view to the NAT tab, two rules should have been added.

Notice that a rule (rule 1) has been added to ensure that connections from the internal network to the internal network are not translated. If you do not have this rule and are in a split Management/Firewall configuration you will break the Management/Firewall communications: you get to install the policy once, then it breaks, and no further policy installs work until you fix it.

When manually creating NAT rules this rule is often forgotten and you break communications until you unload the Security Policy and install a corrected version.

You cannot edit any of the elements in an automatically generated NAT rule. If you want to limit the service allowed then you would have to create manual rules.

Automatic NAT rules are edited in the network object they relate to.

Install your policy and test that NAT works by opening a telnet session to www.server.com.

On www.server.com use the netstat command to display the connection details and check that your internal IP address is not listed; the peer address should be the external IP address of your firewall.

On Windows use: netstat -n -p tcp
On Linux use: netstat -tn

The output will be similar to the following (the local address is the telnet server on www.server.com, the foreign address is the firewall's external interface):

TCP 172.23.3.254:23 172.23.3.1:10001 ESTABLISHED

Since you are hiding behind 0.0.0.0, a connection to a DMZ network would instead be hidden behind the firewall's DMZ interface address. Whichever firewall interface the packet exits on, that interface's address is the hiding address.

NAT Log Entries The log entry should show the XlateSRC to be your firewall.

10.3 Hide Mode NAT or Dynamic NAT - Manual

Remove the automatic NAT for your network object. Edit your internal network object and untick Automatic Address Translation; the rules in the NAT tab will be removed.

In this example you will hide behind your external firewall address.

Add the following NAT rules, you must be in the Policy Editor viewing the NAT tab.

You will require the following two rules, which are basically the same as the automatically generated ones. Note that in a manual rule you can change any of the rule elements, which can be useful and which you cannot do with an automatically generated rule.

Make sure you set the translated source to Hide Mode.


Install the Security Policy and test NAT using the telnet client again.

When doing a simple NAT of a whole network there is no advantage in using manual rules; automatic NAT is more appropriate. A rule in the main Security Policy must be matched before the NAT rule takes effect, so although the automatic rules do not let you specify a service, you do not normally need to when using hide NAT.

If you have to NAT the Source and Destination of a packet then you will need to use manual rules.

If you had an http server in your DMZ listening on port 8080 and you wanted internal users to always think they are connecting to port 80, you could do this through a manual rule that keeps the source and destination and translates the service from port 80 to port 8080. You could then run another server on port 80 for external users.

The manual NAT rule would look like.

This is internal network (net-10.3.3.0) to the DMZ network (192.168.22.0); do not change the IP source or destination. For the service, translate http to http8080. In NG there is no pre-defined http8080 service, so you need to create a TCP service on port 8080.


10.4 Static NAT for Servers - Automatic

Static NAT is a one to one mapping: a single IP address is mapped onto another single IP address. It is usually used for servers.

For example you could have an internal server with address 10.1.1.1 and map its address to 193.129.1.2. Every time a packet left the gateway it would appear to come from 193.129.1.2, and every time a packet arrived at the gateway for 193.129.1.2 it would be mapped to 10.1.1.1.

The firewall administrator must specify the addresses to be mapped.

Since there is only one server on the internal network, you cannot sensibly have the hide rules and the static rules in place at the same time. Strictly that is not true: if you automatically generate the rules, the static rules are added before the hide rules and the rules are evaluated in order, so the static rule would win for the server.

Remove any NAT rules that you have in your Security Policy. The last rules added were manually added so you will have to explicitly delete the rules.

Choose an External NAT Address

This is a one to one mapping, so you will need an address that is a valid external network address. In the classroom/test environment use one of the following.

Site  Firewall     External Address
1     172.21.1.1   172.21.1.111
2     172.22.2.1   172.22.2.112
3     172.23.3.1   172.23.3.113
4     172.24.4.1   172.24.4.114
5     172.25.5.1   172.25.5.115
6     172.26.6.1   172.26.6.116

For site 3 the external address to use would be 172.23.3.113.

The Problem with Static NAT Hide mode NAT is fairly simple to configure, since it will nearly always use the 0.0.0.0 hiding address. Static NAT is a little different and care needs to be taken with each step when you configure it, otherwise you may spend a considerable amount of time tracking down the problem.

The diagram below explains why Static NAT is a little more difficult to configure.


1. The smtp server 193.128.73.1 needs to deliver mail to the company smtp server, which has address 10.3.3.1. Problem: this is not an address you can route to over the Internet.

2. The company decides to use 172.23.3.100 as the address to advertise in its DNS MX records for mail delivery, and configures NAT on the firewall.

3. The smtp server 193.128.73.1 has some email for the company; it looks up the MX records, gets the address 172.23.3.100 and tries to make the connection. The packets are routed to the perimeter router.

4. Now you have some options. If you do nothing on the router, the router issues an ARP broadcast looking for the MAC address of 172.23.3.100. This address is not tied to any network card, it is only used for NAT, so nothing responds and the packet dies here. If you configure a static ARP entry on the router with the MAC address of the firewall's external interface, no ARP broadcast is needed and the packet is delivered directly to the firewall. Alternatively you could add a static route on the router and force the packet towards the firewall. The ARP entry is the better configuration. If you cannot use static ARP entries on the router because it does not belong to you (it is probably the ISP's), then you need the firewall to answer the ARP request for the NAT address, or another box on that network can do it if you have one. Unix can publish an ARP entry for another address; NT cannot, which is why Check Point created the local.arp file.

[Diagram, classroom/test network: the ISP smtp server 193.128.73.1 sends via the ISP router onto 172.23.3.0/24, where the firewall's external interface is 172.23.3.1 and the NAT address 172.23.3.100 is not bound to any network card; behind the firewall (internal interface .254) on 10.3.3.0/24 is the company smtp server 10.3.3.1. Labels: ARP; static routes or static ARPs on the router; static published ARPs or local.arp file on the firewall; host route on the firewall.]


5. Once the ARP problem has been solved the router can send the packet to the firewall. However, because of when NAT is done (pre NG always server side, that is as the packet leaves), the firewall receives a packet with destination address 172.23.3.100. Its TCP/IP stack knows which interface the network 172.23.3.0/24 lives on, and if you do nothing it tries to ARP for the MAC address of 172.23.3.100 on that interface, gets no answer, and the packet dies here.

6. If you add a host route on the firewall for 172.23.3.100 via the internal interface, you push the packet towards the internal interface and NAT is done as the packet leaves the firewall. If NAT were done as the packet came into the firewall, the stack would see the destination as 10.3.3.1 and the host route would not be required; this is client side NAT, which was added in NG.

7. Because of the order in which the Inspection engine does anti-spoofing and NAT, you also need to add any external NAT address to the valid addresses of the internal interface, unless you are using client side NAT; otherwise the firewall treats the packet as spoofed.

8. If you have configured the NAT rule mapping, the packet for 172.23.3.100 should leave the firewall with destination address 10.3.3.1.


Check the Policy Global Properties for NAT

VPN-1/Firewall-1 NG introduced client side NAT. This simplified the NAT configuration and removed the need to create host routes and anti-spoofing exceptions in the valid address group of the internal firewall interface.

Check that ‘Translate destination on the client side’ is ticked; this is client side NAT. It only applies to static NAT and is not relevant to hide mode, which was never a configuration problem in this respect.

In NG you do not have to configure the static ARP(s) for the address(es) you are about to use, provided ‘Automatic ARP configuration’ is ticked and you are using the NAT tab in the object to create the NAT rules automatically. Note that if this is ticked the local.arp file is never read.

IP Pools are used for SecuRemote/SecureClient and VPNs and are part of the CCSE+ topics.

Private address ranges is relevant to the Visual Policy Editor and any addresses listed here will be treated as internal networks so it can correctly draw diagrams.


Edit the Web Server Object Edit your internal web server object www.yoursite.com.

Select Automatic Address Translation rules, The method is Static and fill in the external address to map the web server to.

Save the object settings.

Check the NAT Rules Check the NAT rules have been created.

Note that two rules are created; static rules always come in pairs. One is for connections started from the internal server, mapping its source to the external address. The other is for connections initiated to the external address, mapping the destination to the internal server.

This is a server mapping: connections are initiated to the server from external clients, so they must be mapped specifically to a single destination address.

Install and test your Security Policy using a telnet client and the netstat command.

The result of the netstat command should be similar to

TCP 172.23.3.254:23 172.23.3.113:3997 ESTABLISHED


Static NAT Log Entry - Automatic

The log entry for the static NAT should look something like the following, note you should try this both ways, from your web server going out and an http connection coming in. The destination address you are trying to connect to for incoming connections is the external address.

Note that your incoming rule did not have to explicitly use an object with address 172.23.3.113 as the destination. This is because automatic address translation was used, and the object www.f16.com with address 10.3.3.1 also knows it has address 172.23.3.113 associated with it.

If you manually create the rules you will need to create an object for the external address of the web server.

10.5 Static NAT for Servers - Manual

Remove the automatic NAT configuration from the www.yoursite.com object.

You should now have no NAT rules.

This will still be using Translate destination on client side - client side NAT.

Note that for manual static NAT, Automatic ARP configuration does not work even if it is ticked, because the firewall has no way of knowing which addresses you want it to answer ARP requests for. On NT you will need to create a local.arp file and untick Automatic ARP configuration.

In NG the local.arp file is located on the firewall module in the $FWDIR\conf directory.

In previous versions of Firewall-1 the local.arp file was located on the firewall module in $FWDIR\state directory.


In Solaris create a start-up file in the rc3.d directory, something like S69fw1-routes, and add any static arps or routes needed to this file.

For Unix:

arp -s <IP Address> <MAC Address> pub

Create the local.arp File on the Firewall Module

Find out the MAC address of the external interface of the firewall module: use ipconfig /all and note the MAC address.

The local.arp file does not exist until you create it.

Add the external NAT address and the MAC address on one line. The line should not have a carriage return at the end. The separator between the IP address and the MAC address should be a tab, but a space also works.

For example

172.23.3.113 00-08-AD-73-D3-66

If this file is edited the firewall must be stopped and started (fwstop/fwstart).

State Table arp_table Stop and start the firewall module; you do not have to do anything with the Management Server, just the firewall. Connections are not allowed through the firewall while it is stopped, so doing this on a live firewall will cause problems for users.

C:\WINNT\FW1\NG\conf>fwstop
The Check Point FireWall-1 service is stopping.
The Check Point FireWall-1 service was stopped successfully.

C:\WINNT\FW1\NG\conf>fwstart
The Check Point FireWall-1 service is starting.......
The Check Point FireWall-1 service was started successfully.

Check the State Table - arp_table

You should now have entries for the state table arp_table

fw tab -t arp_table

on the firewall module should show the arp entries.

C:\WINNT\FW1\NG\conf>fw tab -t arp_table
localhost:
-------- arp_table --------
dynamic, id 8186, attributes: limit 25000, hashsize 512
<ac170371; 73ad8000, 000066d3, 00000000>

The first field of the entry is the published IP address in hex: ac170371 is 172.23.3.113.


If the entry does not appear then the local.arp file is named incorrectly, is in the wrong directory, or has a content error.

If you use Notepad, watch out for the file being saved as local.arp.txt.
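An added check for the local.arp step (example code written for this edition, not Check Point's): it validates the file against the rules given above, decodes the hex IP field of an arp_table row so you can confirm the published address made it into the state table, and produces the equivalent Unix arp -s ... pub commands. The file contents and the fw tab output inside it are constructed from the figures above; the MAC word layout of the arp_table row is not decoded because the text does not define it.

```python
"""Checks on local.arp and the arp_table (added example, not Check Point code).

Applies the rules the text gives for local.arp on an NT firewall module: one
"<IP><tab or space><MAC>" line per published address, no trailing carriage
return, and the file must really be called local.arp (not local.arp.txt).  Also
decodes the first field of an arp_table entry, which is the published IP address
as eight hex digits (ac170371 is 172.23.3.113).  Samples below are constructed.
"""
import os
import re
from ipaddress import IPv4Address

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")   # NT style 00-08-AD-73-D3-66
ENTRY_RE = re.compile(r"<([0-9a-f]{8});")                        # first word of an arp_table row


def parse_local_arp(data: bytes):
    """Return ([(ip, mac)], [warnings]); any warning is a reason fw tab may show no entry."""
    entries, warnings = [], []
    if data.endswith((b"\r\n", b"\n", b"\r")):
        warnings.append("trailing newline at end of file")
    for n, raw in enumerate(data.split(b"\n"), 1):
        line = raw.rstrip(b"\r").decode("ascii", "replace").strip()
        if not line:
            continue
        parts = re.split(r"[ \t]+", line)
        if len(parts) != 2:
            warnings.append(f"line {n}: expected '<IP> <MAC>', got {line!r}")
            continue
        ip_s, mac = parts
        try:
            ip = IPv4Address(ip_s)
        except ValueError:
            warnings.append(f"line {n}: bad IP address {ip_s!r}")
            continue
        if not MAC_RE.match(mac):
            warnings.append(f"line {n}: bad MAC address {mac!r}")
            continue
        entries.append((str(ip), mac.upper()))
    return entries, warnings


def check_filename(path: str):
    """Notepad's habit of saving local.arp as local.arp.txt leaves the file unread."""
    name = os.path.basename(path)
    return None if name == "local.arp" else f"file is named {name!r}, must be 'local.arp'"


def arp_table_key(ip: str) -> str:
    """IP address as it appears in the first field of an arp_table row."""
    return f"{int(IPv4Address(ip)):08x}"


def decode_arp_table_ip(hex_word: str) -> str:
    """Inverse of arp_table_key: 'ac170371' -> '172.23.3.113'."""
    return str(IPv4Address(int(hex_word, 16)))


def missing_from_arp_table(local_arp: bytes, fw_tab_output: str):
    """Addresses in local.arp that have no row in 'fw tab -t arp_table' output."""
    present = {decode_arp_table_ip(w) for w in ENTRY_RE.findall(fw_tab_output)}
    entries, _ = parse_local_arp(local_arp)
    return [ip for ip, _ in entries if ip not in present]


def unix_arp_commands(local_arp: bytes):
    """Equivalent published-ARP commands for a Unix module (Solaris arp wants colons)."""
    entries, _ = parse_local_arp(local_arp)
    return [f"arp -s {ip} {mac.replace('-', ':')} pub" for ip, mac in entries]


# Constructed samples, matching the figures in the text.
LOCAL_ARP = b"172.23.3.113\t00-08-AD-73-D3-66"
LOCAL_ARP_WITH_CRLF = b"172.23.3.113 00-08-AD-73-D3-66\r\n"
FW_TAB = """localhost:
-------- arp_table --------
dynamic, id 8186, attributes: limit 25000, hashsize 512
<ac170371; 73ad8000, 000066d3, 00000000>
"""

if __name__ == "__main__":
    print(parse_local_arp(LOCAL_ARP))                # ([('172.23.3.113', '00-08-AD-73-D3-66')], [])
    print(parse_local_arp(LOCAL_ARP_WITH_CRLF)[1])   # ['trailing newline at end of file']
    print(check_filename("conf/local.arp.txt"))      # file is named 'local.arp.txt', must be 'local.arp'
    print(arp_table_key("172.23.3.113"))             # ac170371
    print(missing_from_arp_table(LOCAL_ARP, FW_TAB)) # []
    print(unix_arp_commands(LOCAL_ARP))              # ['arp -s 172.23.3.113 00:08:AD:73:D3:66 pub']
```

Run it against the real file and the real fw tab output after fwstop/fwstart; an address in the missing list means the firewall will not answer ARP for it, and the warnings list tells you why before you start guessing.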

Create an Object for the External Web Address

Create an object with the external NAT address, this will be used in the rulebase to allow connections to your web server.

Rulebase Rule Required Change the rule for incoming http and ftp connections. The rule will currently be.

which works for automatically generated NAT rules but not for manual NAT rules.

Change the rule to use the Exwww.yoursite.com object.

Connections are made to the external address, and the rulebase must make a match before the NAT rules take effect.

Create the NAT Rules Three rules are required. They are basically the same as the automatically generated rules, but you will be able to edit the service if needed.

You will need a rule to ensure any connection from the internal network to the internal network does not get natted, rule 1.


Forgetting this rule will be a problem in a split Management/Firewall module environment with manual NAT rules. If you forget, you may have to use

‘fw unloadlocal’

to unload the Security Policy and correct it. You may be able to install the policy once but not twice.

Remember it is static NAT that is being used.

Install and test your Security Policy using telnet from www.yoursite.com, and an http client from www.server.com to the Exwww.yoursite.com address.

Static NAT Log entry - Manual Check the log entries.

If you were doing server side NAT, which is the only method available pre-NG, you would need to create a group for the valid addresses on the internal interface of the firewall, which would include any external NAT addresses, and set anti-spoofing in the topology tab of the firewall object.

Create a Group, Valid_Internal_addresses, it will contain all internal network address and all external NAT addresses.

Edit the Firewall object and set Anti-Spoofing in the topology tab. This is needed because of where the Inspection engine does anti-spoof checking relative to NAT.

Manual Static NAT - Advantages

The rulebase is clearer since it is obvious that connections are made to the external advertised Internet address, in this example Exwww.f16.com.

The main advantage is in situations where you are short of Internet address space. You could have rules that are mapped to different internal servers based on the service that is being used.

An example might be four different servers, SMTP, FTP, HTTP and NNTP, with only one Internet valid address available.

The Security Policy rule might look like.

Rule 4 allows incoming ftp, http and smtp connections from any location.
Rule 5 allows the mail server to deliver mail, internal to external sites.
Rule 6 allows the ISP news servers to deliver news articles.
Rule 7 allows the internal news servers to deliver news articles back to the ISP news servers.
Rule 8 allows internal users to use telnet, ftp and http.

The NAT rules might look like.

Rule 1 stops breaking connections from internal hosts to the firewall; these should only be administrator hosts or the Management Server.
Rule 2 maps incoming http connections onto www.f16.com.
Rule 3 maps incoming ftp connections onto ftp.f16.com.
Rule 4 maps incoming smtp connections onto smtp.f16.com.
Rule 5 maps incoming nntp connections onto nntp.f16.com.
Rule 6 hides the www, ftp, smtp and nntp servers behind Exwww.f16.com.
Rule 7 maps internal hosts onto the external firewall address.

It might seem strange that the internal servers are using Hide mode NAT when they would use Static if you used Automatic NAT but in this case it makes sense to do it as it simplifies the rulebase.

Normally for static NAT there are two rules, but there does not have to be: destination static NAT is all that is required for incoming connections, and outgoing connections from the server can use hide mode. This may not work for all services.
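To show how the NAT tab is evaluated, here is an added example (written for this edition, not Check Point code and not from the book) modelling the rulebase just described together with the hide behind 0.0.0.0 and the http to port 8080 cases from sections 10.2 and 10.3. It assumes the classroom addresses given in the text, the firewall's internal interface at 10.3.3.254 as read from the diagram, and invented addresses for the ftp, smtp and nntp servers, the DMZ interface and a DMZ web server; the new source port handed out for hide mode connections is this model's own simplification, not a claim about how the Inspection engine allocates ports.

```python
"""First-match model of a VPN-1/Firewall-1 NAT tab (added example, not Check Point code).

Semantics the text relies on: rules are tried top-down and the first match is
applied; an original->original rule exempts internal-to-internal traffic; Static
NAT maps one address to one address; Hide NAT rewrites the source to a single
address and (in this model) picks a new source port so replies can be mapped
back; hiding behind 0.0.0.0 means "the address of the interface the packet
leaves on"; a service can be translated too (port 80 -> 8080).
"""
from ipaddress import ip_address, ip_network

ANY = None
INTERNAL = ip_network("10.3.3.0/24")
DMZ = ip_network("192.168.22.0/24")
EXWWW = ip_address("172.23.3.113")            # Exwww.f16.com, the advertised address
EXWWW_NET = ip_network("172.23.3.113/32")
ZERO = ip_address("0.0.0.0")                  # "hide behind the egress interface"
SERVERS = {"www": ip_address("10.3.3.1"),     # www.f16.com, from the text
           "ftp": ip_address("10.3.3.2"),     # assumed
           "smtp": ip_address("10.3.3.3"),    # assumed
           "nntp": ip_address("10.3.3.4")}    # assumed
DMZ_HTTP = ip_network("192.168.22.10/32")     # assumed DMZ web server listening on 8080
# (network, interface address); None is the default, i.e. the external interface.
IFACES = [(INTERNAL, ip_address("10.3.3.254")), (DMZ, ip_address("192.168.22.254")),
          (None, ip_address("172.23.3.1"))]


class NatRule:
    """One line of the NAT tab: original (src, dst, svc) -> translated (src, dst, svc)."""
    def __init__(self, name, osrc, odst, osvc, xsrc=None, xdst=None, xsvc=None, hide=False):
        self.name, self.osrc, self.odst, self.osvc = name, osrc, odst, osvc
        self.xsrc, self.xdst, self.xsvc, self.hide = xsrc, xdst, xsvc, hide

    def matches(self, src, dst, svc):
        return ((self.osrc is ANY or src in self.osrc)
                and (self.odst is ANY or dst in self.odst)
                and (self.osvc is ANY or svc == self.osvc))


class NatGateway:
    def __init__(self, rules, ifaces):
        self.rules, self.ifaces = rules, ifaces
        self.hide_conns = {}      # (hide address, new port) -> (original src, original port)
        self.next_port = 10001    # first port handed out, as in the netstat output earlier

    def egress(self, dst):
        for net, addr in self.ifaces:
            if net is None or dst in net:
                return addr

    def translate(self, src, sport, dst, svc):
        """Apply the first matching rule; returns (rule name, src, sport, dst, svc)."""
        src, dst = ip_address(src), ip_address(dst)
        for r in self.rules:
            if not r.matches(src, dst, svc):
                continue
            xdst = dst if r.xdst is None else r.xdst
            xsvc = svc if r.xsvc is None else r.xsvc
            if r.hide:
                hide_addr = self.egress(xdst) if r.xsrc == ZERO else r.xsrc
                xsport, self.next_port = self.next_port, self.next_port + 1
                self.hide_conns[(str(hide_addr), xsport)] = (str(src), sport)
                return r.name, str(hide_addr), xsport, str(xdst), xsvc
            xsrc = src if r.xsrc is None else r.xsrc
            return r.name, str(xsrc), sport, str(xdst), xsvc
        return "no match", str(src), sport, str(dst), svc   # leaves untranslated

    def untranslate_reply(self, to_addr, to_port):
        """Reply to a hidden connection: recover the real client address and port."""
        return self.hide_conns.get((to_addr, to_port))


RULES = [  # the manual rulebase described in the text, plus the port 8080 case as rule 7
    NatRule("1 internal->internal: no NAT", INTERNAL, INTERNAL, ANY),
    NatRule("2 http -> www", ANY, EXWWW_NET, 80, xdst=SERVERS["www"]),
    NatRule("3 ftp -> ftp", ANY, EXWWW_NET, 21, xdst=SERVERS["ftp"]),
    NatRule("4 smtp -> smtp", ANY, EXWWW_NET, 25, xdst=SERVERS["smtp"]),
    NatRule("5 nntp -> nntp", ANY, EXWWW_NET, 119, xdst=SERVERS["nntp"]),
    NatRule("6 hide servers behind Exwww", set(SERVERS.values()), ANY, ANY, xsrc=EXWWW, hide=True),
    NatRule("7 http to DMZ becomes 8080", INTERNAL, DMZ_HTTP, 80, xsvc=8080),
    NatRule("8 hide internal behind 0.0.0.0", INTERNAL, ANY, ANY, xsrc=ZERO, hide=True),
]


def demo():
    gw = NatGateway(RULES, IFACES)
    out = {
        "mgmt": gw.translate("10.3.3.20", 4000, "10.3.3.254", 256),          # rule 1, untouched
        "in_http": gw.translate("193.128.73.1", 3997, "172.23.3.113", 80),   # rule 2
        "in_smtp": gw.translate("193.128.73.1", 3998, "172.23.3.113", 25),   # rule 4
        "www_out": gw.translate("10.3.3.1", 3000, "172.23.3.254", 23),       # rule 6, not 8
        "client_out": gw.translate("10.3.3.5", 3001, "172.23.3.254", 23),    # rule 8, ext iface
        "client_dmz": gw.translate("10.3.3.5", 3002, "192.168.22.10", 80),   # rule 7, port only
    }
    out["reply_to_client"] = gw.untranslate_reply("172.23.3.1", 10002)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Two points worth noticing in the output: the server's outgoing connection is hidden behind Exwww by rule 6 only because rule 6 sits above the general hide rule, and the internal user's connection to the DMZ web server stops at rule 7, so it keeps its real source address and only the service changes; a second rule is never applied to the same connection.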

The examples used NAT to internal servers, www, ftp, smtp but in a live environment they would be located in the DMZ area and not if possible in the internal network. At least authentication needs to be applied before access is given to the server if it on the internal network.Good security starts at the design of the network infrastructure with strict control of server access and location. It’s worth paying for an extra couple of servers.

Just because something is simple to do, a couple of clicks in a menu, does not mean you want to do it.


10.6 Static NAT for Networks - Automatic

Most sites do not have enough address space to do a static NAT for a whole network, which maps addresses one to one for the whole network. However, you may have an internal firewall and want to map a whole network onto another network address.

For example you could have an internal address space of 172.21.1.0/24 and an external address space of 193.128.73.0/24, the firewall could do a one to one mapping for the whole network.

A more likely usage might be in VPNs where you have to hide your internal address space so that your encryption domain does not include a network that the other end also uses.
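As an added illustration (not from the book), the following Python models the manual NAT rulebase of the f16.com example above as a first-match list, and the one-to-one network mapping of 10.6. All IP addresses, the Management Station host and the rule names are constructed for the illustration; the page only names hosts such as Exwww.f16.com.

```python
"""Added example: first-match NAT rulebase for the f16.com manual NAT rules (constructed addresses)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# Constructed sample topology (hypothetical addresses, not taken from the book).
INTERNAL_NET = ip_network("10.1.1.0/24")
FW_INTERNAL = ip_address("10.1.1.254")      # firewall inside interface
FW_EXTERNAL = ip_address("192.0.2.1")       # firewall outside interface
EXWWW = ip_address("192.0.2.10")            # Exwww.f16.com, the single advertised address
SERVERS = {                                 # destination port -> internal server
    80: ip_address("10.1.1.10"),            # www.f16.com
    21: ip_address("10.1.1.11"),            # ftp.f16.com
    25: ip_address("10.1.1.12"),            # smtp.f16.com
    119: ip_address("10.1.1.13"),           # nntp.f16.com
}
MGMT_STATION = ip_address("10.1.1.5")       # constructed Management Station address
FW1_MGMT_PORT = 18190                       # FW1_mgmt, Management Client/Server connections


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class NatRule:
    name: str
    match: Callable[[Packet], bool]
    new_src: Optional[IPv4Address] = None   # None means "Original"
    new_dst: Optional[IPv4Address] = None   # None means "Original"


def build_rulebase(no_nat_first: bool = True, swap_hide_rules: bool = False) -> List[NatRule]:
    """The seven manual NAT rules described in the text, in rulebase order.

    no_nat_first=False drops rule 1 (the situation of review question 4);
    swap_hide_rules=True puts rule 7 ahead of rule 6 (rule position matters, question 5).
    """
    rule1 = NatRule("1 internal -> firewall: no NAT",
                    lambda p: p.src in INTERNAL_NET and p.dst in (FW_INTERNAL, FW_EXTERNAL))
    static_dst = [
        NatRule(f"{n} static dst port {port} -> {server}",
                lambda p, port=port: p.dst == EXWWW and p.dport == port,   # bind port per rule
                new_dst=server)
        for n, (port, server) in enumerate(SERVERS.items(), start=2)
    ]
    rule6 = NatRule("6 hide servers behind Exwww.f16.com",
                    lambda p: p.src in SERVERS.values(), new_src=EXWWW)
    rule7 = NatRule("7 hide internal hosts behind firewall external",
                    lambda p: p.src in INTERNAL_NET, new_src=FW_EXTERNAL)
    hide = [rule7, rule6] if swap_hide_rules else [rule6, rule7]
    return ([rule1] if no_nat_first else []) + static_dst + hide


def translate(pkt: Packet, rules: List[NatRule]) -> Tuple[Packet, Optional[str]]:
    """Apply the first matching NAT rule; the NAT rulebase is first-match like the Security Policy."""
    for rule in rules:
        if rule.match(pkt):
            new_src = pkt.src if rule.new_src is None else rule.new_src
            new_dst = pkt.dst if rule.new_dst is None else rule.new_dst
            return replace(pkt, src=new_src, dst=new_dst), rule.name
    return pkt, None


def management_keeps_source(rules: List[NatRule]) -> bool:
    """Review question 4: does a Management Station -> firewall connection keep its real source?"""
    out, _ = translate(Packet(MGMT_STATION, FW_INTERNAL, FW1_MGMT_PORT), rules)
    return out.src == MGMT_STATION


# Section 10.6: static NAT of a whole network (the book's 172.21.1.0/24 <-> 193.128.73.0/24).
def static_network_map(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """One-to-one mapping: keep the host bits, swap the network bits. Reversible by swapping nets."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("one-to-one network NAT needs equal-sized networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    return to_net.network_address + (int(addr) - int(from_net.network_address))


if __name__ == "__main__":
    rules = build_rulebase()
    for pkt in (Packet(ip_address("198.51.100.7"), EXWWW, 80),              # Internet client -> www
                Packet(SERVERS[25], ip_address("198.51.100.9"), 25),        # smtp delivering mail out
                Packet(ip_address("10.1.1.50"), ip_address("198.51.100.9"), 80)):  # user browsing
        out, name = translate(pkt, rules)
        print(f"{pkt.src}->{pkt.dst}:{pkt.dport}  =>  {out.src}->{out.dst}  [{name}]")
    print("mgmt ok with rule 1:", management_keeps_source(rules))
    print("mgmt ok without rule 1:", management_keeps_source(build_rulebase(no_nat_first=False)))
    inside, outside = ip_network("172.21.1.0/24"), ip_network("193.128.73.0/24")
    print(static_network_map(ip_address("172.21.1.17"), inside, outside))
```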


10.7 Network Address Translation - Review Questions

1. Your organisation has over 2000 hosts that need to access the Internet; however, the ISP has only allocated you a block of 16 Internet addresses. To allow users access you will need to configure NAT on the firewall. Which would you consider the most appropriate NAT method for the 2000 hosts?

A. Source Static NAT
B. Destination Static NAT
C. Hide NAT
D. Source Port NAT
E. Destination Port NAT

2. Which NAT method allows a one to one mapping of IP addresses?

A. Hide NAT
B. Static NAT
C. Service NAT
D. Dual NAT
E. None of the above

3. When you use the address 0.0.0.0 as the address to hide behind when using hide mode, what effect will this have on the outgoing packet?

A. The source address will be 0.0.0.0.
B. The source address will be the external interface of the firewall.
C. The source address will be the internal interface of the firewall.
D. The source address will be the address of the interface on the firewall that the packet leaves from.
E. In Firewall-1 NG you cannot set the hide address to be 0.0.0.0.

4. You have a split Management and Firewall module configuration as shown in the diagram below. You are going to create manual rules to hide internal networks behind the Firewall external address. You have added the following NAT rules, but after installing the policy the Management Station can no longer connect to the Firewall to install policies. This is because:

A. You also need to configure a static route and arp for the NAT address.

B. You need to add an explicit rule to the rulebase to allow connections from the NAT’ed address for Management connections.

C. You need to add another NAT rule to ensure that connections from Internal networks to the firewall are not NAT’ed.

D. You need to fwstop and fwstart the firewall module before the NAT rule sees the Management module.

E. The problem has nothing to do with NAT and the most likely cause is a cable connection problem somewhere between the Management Station and the firewall module.

5. When you manually add a NAT rule the position in the rulebase does not matter since the firewall learns which addresses live on which interface and uses the best option given the history of traffic flow.

A. True
B. False

[Diagram for question 4: External Net (It's a BadBad World); fw.detroit.com with .254 interfaces; networks net-10.1.1.0 and net-192.168.22.0; FW-Mgmt]


6. When Static NAT is done on the client side the firewall can be configured to automatically respond to ARPs and does not require a static route to be added to the firewall.

A. True
B. False

7. When Static NAT is done on the Client side in NG this provides a simpler NAT configuration than previous versions of Check Point VPN-1/Firewall-1.

A. True
B. False

8. You have configured Static NAT to be done on the server side. You do a test from the internal http server and you see in the log file that NAT is occurring and the packet is going out through the firewall. You are not getting any reply packets. Which of the following is the most likely cause?

A. The packets are being dropped because you do not have a rule to allow http reply packets.

B. The perimeter router does not allow incoming http connections because of the ACLs currently configured.

C. The static arp file on the firewall has the wrong MAC address in it.

D. Anti spoofing configuration is dropping the reply packets.
E. The host you are trying to connect to is down and is not sending the replies.

11 NG Feature Pack 3

FP3 makes only minor changes to configuration settings, moving some to new dialog locations or adding a few new settings, that affect the content and explanations within this book. The core rule operation and illustrations applied throughout the book also apply to FP3. You should read the release notes for a detailed list of the fixes and enhancements that FP3 brings to Check Point VPN-1/Firewall-1.

Objectives

When you have completed this module you should be able to

• Complete an upgrade of a Windows Management & Firewall Module configuration from FP2 to FP3.

• Understand the new features of FP3 relevant to CCSA and CCSE topics within this book.


11.1 Product Name Changes

For Feature Pack 3 Check Point have gone through a marketing exercise, re-inventing the names for commonly known products.

To verify the version of a product use the following commands.

For clients use the Help - About menu to display the version information.

For servers use the appropriate command in the table below.

After looking for the Policy Editor in the menu, you’ll remember that it is the SmartDashboard that you need and SmartView Tracker for the LogViewer.

Old Product Name            New Product Name
Policy Editor               SmartDashboard
VPE (Visual Policy Editor)  SmartMap
LogViewer                   SmartView Tracker
Status Manager              SmartView Status
Real-Time Monitor           SmartView Monitor
Reporting                   SmartView Reporter
SecureUpdate                SmartUpdate
Management Server           SmartCenter Server
Management Clients          Smart Clients
Provider-1                  Provider-1/SiteManager-1

Product                Command
VPN-1/Firewall-1       $FWDIR/bin/fw ver
SVN Foundation         $FWDIR/bin/cpshared_ver
User Authority Server  $FWDIR/bin/netsod d -v
SmartView Monitor      $FWDIR/bin/rtm ver
Floodgate-1            $FWDIR/bin/fgate ver


11.2 Upgrade from FP2 to FP3

For any service pack upgrade always read the release notes thoroughly, including the known issues. If possible do the upgrade in a test environment first and check whether you can remove old packages without breaking the current install.

The Check Point release notes often contain information about a specific problem or setting available through the Objects_5_0.C file. To edit the Objects_5_0.C file use the dbedit utility. It is worth keeping an on-line copy of the release notes for previous service packs as well; the information in these is available through the knowledge base, but that takes time to navigate.

Upgrade the Firewall Module

Start the installation program and select to upgrade installed products.

SIC communications may need to be reset between the Management Server and Firewall Module if your policy cannot be installed.


Upgrade the Management Server

Select to Upgrade installed components.

Backward compatibility may be an issue if you are upgrading more than one Firewall module.

You can overwrite the Management Clients unless you have another FP2 Management Server. The Management Clients must be patched to the same version as the Management Server.


You do not have to change the FQDN.

Since the Management Server has been upgraded the Fingerprint has changed and Management clients will be prompted to accept the new Fingerprint when they connect.

Install the Security Policy

You must always re-install the Security Policy after doing a Feature Pack upgrade.


11.3 Converting a Traditional to Simplified Mode Security Policy

A new menu option has been added to step through the conversion of a Traditional to a Simplified Security Policy. This includes adding VPN enabled gateways to a VPN Community if required. You need to understand VPN Communities before doing this; there is no Encrypt Action in Simplified Security Policies.

Two firewalls are defined in the Security Policy in this conversion, one managed by the Management Server, the other Externally Managed (business partner).

In this example no rules had an Encrypt Action, but the conversion process still prompts you for at least one gateway to add to a VPN Community. Community encryption rules can be added through the If Via column after conversion.


You can select the Firewalls from the list and drag them into the selected VPN Community display area. This example is just using the default Community MyIntranet. This can be edited later if you make a mistake.

The Security Policy will be named, oldname_Simplified by default.

The alternative to doing this is to just Copy and Paste the rules.

You should test your Security Policy thoroughly after doing the conversion.


11.4 Policy Install Settings

The Policy Install dialog and error messages are much clearer in FP3.

Policy Installs and the Connection Table

A new option on the Firewall object has been added to configure how established connections will be handled when a new Security Policy is installed.

In this case two services using the same port number have been defined and both are set to Match for Any. Only one of them should be set, in the Advanced dialog of the service, to match when the service is Any in a rule.


Keep all connections: Keep all control and data connections open until the connections have ended. The newly installed Policy will be enforced only for new connections.
Keep data connections: Keep all data connections open until the connections have ended. Control connections that are not allowed under the new Policy will be terminated.
Rematch connections (default): All connections not allowed under the new Policy will be terminated, unless 'Keep connections open after policy has been installed' is enabled in the service's Properties window.

Individual service definitions can override Rematch connections.

Policy Rules, Section Headings

Rules can now be grouped into sections and a section collapsed from view; its rules still apply when the Security Policy is installed, as only disabled rules do not apply. This can be useful if you have replaced the implied rules with explicit rules: a section for the replaced implied rules can be created and always left in a collapsed view state.


DNS UDP Queries

The implied rule setting Accept Domain Name over UDP (Queries) is still an open rule: Source and Destination are set to Any. However, an option has been added in SmartDefense to turn on DNS UDP protocol checking for Queries.

The DNS UDP rule should still be an explicit rule in a live Internet facing environment.

SynDefender

SynDefender configuration has been removed from the Firewall object and is now part of SmartDefense.


The old methods of Syn Gateway and Passive Syn Gateway can still be set for backwards compatibility.

11.5 SmartView Status

SmartView Status now displays detailed information on VPN connections.


11.6 SmartView Tracker

The SmartView Tracker (LogViewer) has a much simpler interface that allows multiple log files to be viewed at the same time. The filter list on the toolbar has been replaced with an Objects Tree view, which is easier to use.

The details of events are presented in a table format when viewing specific records. It is now much easier to view the info field, which replaces having to change the width of the column.


Block Intruder

When viewing Active mode log records and using Block Intruder, the default setting has changed to Block only the connection. When applied it blocks all connections from the source and not just the single connection.

Remote Log File Management

There is a new menu option to retrieve remote log files when logging has been set to the local Firewall module.

You could just switch the log files daily and fetch them at the end of the week.

The log file will be saved in the $FWDIR\log directory on the Management Station.


The log switch and fetch could be done in previous versions through fw logswitch and fw fetchlogs specifying the target firewall.

11.7 Revision Control

Revision control now works and allows previous Security Policy versions to be recalled and installed. In previous versions you could only view the recalled Security Policy.

The revisions are just a tar file of the configuration and are stored in the version repository. Even if you do not have the Revision control feature the demo version will illustrate all the files that need to be backed up.

11.8 Content Security

Resource - CIFS

CIFS is a new Resource type for controlling Microsoft shares.

Example shares available for mounting.

Create a new Resource type CIFS using the server name or IP address and the Share name.


Add a rule that uses the CIFS resource.

Mount the share and try other shares just to check that you have defined everything correctly.


URI Filtering - SOAP

Simple Object Access Protocol (SOAP). Another way of tunnelling everything over http/port 80.

Extract from http://www.w3.org/TR/SOAP/:
‘SOAP is a lightweight protocol for exchange of information in a decentralized, distributed environment. It is an XML based protocol that consists of three parts: an envelope that defines a framework for describing what is in a message and how to process it, a set of encoding rules for expressing instances of application-defined data types, and a convention for representing remote procedure calls and responses. SOAP can potentially be used in combination with a variety of other protocols; however, the only bindings defined in this document describe how to use SOAP in combination with HTTP and HTTP Extension Framework.’

The client does not have to be a web browser, it just needs to speak the http protocol. SOAP allows the client and server to agree on the data types that will be communicated, making it ideal for trojans: nearly everyone allows http out the door and http proxy servers will just treat the data as plain http traffic.

The URI resource can filter the specific data schemes used by the client/server communication. Each scheme file needs to define the data types being used by the client/server.

11.9 VPN Configuration Changes

The Objects Tree listing for the VPN Community configuration is clearer and easier to understand. Site to Site VPNs can include Externally Managed Firewall modules as well as those managed by your Management Server. The term ‘Intranet’ used in the Policy Editor was confusing in that it was interpreted as meaning Site to Site VPNs within your own organisation, with Firewall Modules under the control of a single Management Server. This was true until FP2, which allowed inclusion of Externally Managed Firewall modules but required Certificate IKE authentication. Extranets can easily be configured using the Site To Site Community setup in FP3, which allows the use of Pre-shared secret IKE authentication.

The Extranet Manager is now clearly a separate additional component titled Extranet Manager and not just Extranet.


There are two additional configuration dialogs in Site to Site Community VPNs. Services in the Clear allows protocols to be excluded from encryption; in some cases it may not be necessary to encrypt traffic if this is already done as part of the Client/Server application.

For Externally Managed Firewall Modules a Pre-shared secret can now be used for IKE Authentication.


The VPN properties on the Firewall object have changed to include a Traditional mode configuration. In previous versions, Firewall modules had to be removed from all VPN Communities, configured with specific gateway IKE parameters and then added back to the Communities they belonged to. This is no longer necessary: Community settings apply to Community encryption and the individual settings to VPNs between non-Community members.

The IKE properties have changed to remove the Hybrid Mode setting which applies to Remote Access authentication when using SecuRemote/SecureClient.


The Hybrid Mode IKE authentication is now set in the Remote Access tab in the Global Properties. A new setting for Pre-Shared Secret has been added for SecuRemote/SecureClient user authentication. The IKE Pre-shared secret could be set in the User account details and used in previous versions but Hybrid Mode had to be turned on for it to work.


Appendix A
VPN-1/Firewall-1 Installation

Objectives

When you have completed this module you should

• Be able to install VPN-1/Firewall-1 on a Windows NT Server.
• Know the components that have been installed.
• Know the order in which to uninstall the components.


A.1 Installing in a Split Management/Firewall Module Configuration

This example installs in a split Management/Firewall Module configuration, since this is the most interesting environment in which to learn the product. Installing in a split environment highlights some areas of configuration that are needed at the Management Station, like Certificate generation, as well as the communications required between a Management Server and Firewall Module.

You will need the following before you start.

• Three workstations with Windows NT4 SP6a or W2K Server installed (works with Workstation and Professional as well but not officially supported, see Check Point release notes).

• The workstation that the Firewall will be installed on should be configured for routing and a ping test done between the Internal and External workstations.

• VPN-1/Firewall-1 NG FP2 CD.
• A license for the Management and Firewall Module.
• The Internal and External workstations should have telnet, http, and ftp servers and clients installed to allow rules to be tested through the Firewall from either direction.

In a live environment you should build the Firewall box in the following order.

• Install the OS and configure all IP addresses and enable routing. Routing does not have to be enabled on Unix installs.

• Patch the OS with the latest patches for the services you are using.
• Harden the OS with any recommended configuration changes.
• Take an image of the disk.
• Install the Check Point software.
• Install a Security Policy and test that everything works.
• If everything does not work, restore the image of the disk you took after hardening the OS, figure out which hardening step broke the install, take a new image and install and test again until everything works.

The above may or may not be the official Check Point recommended method for answering a question in the exam but it works for re-sellers that build and ship NT based firewalls.

SecurePlatform™ (Linux based) is a viable alternative to an NT based Firewall since only a minimal amount of Unix expertise is required to install and maintain the system. In a SecurePlatform configuration you could have the Firewall Module on Linux with low cost hardware and the Management Server on a Windows 2000 Server. SecurePlatform is easy to install and comes with a stripped down hardened Linux OS. If you currently have a Windows based Firewall you should consider looking in detail at SecurePlatform as an alternative for your next upgrade. SecurePlatform can also be installed with both the Management Server and Firewall Module on the same workstation.

Note, in a live environment with a split Management/Firewall Module configuration the Management Server must be upgraded first and installed with backward compatibility so that it will be able to continue to manage the existing Firewall Modules. In a combined Management/Firewall Module configuration both the Management and Firewall Module software are patched at the same time.

Sample network Layout

The following network layout is required to complete the CCSA topics and some of the CCSE topics. Two Firewalls are required for the Site to Site VPN CCSE topics.

[Diagram: sample network layout with Firewall, Management Server, External Server, Gateway & Internal Server, their network addresses, and an optional connection to the Internet]


A.2 Installing the Firewall Module

Insert the CD and the installation program should automatically start. Alternatively run the setup.exe in the Windows directory on the CD. Select SERVER/GATEWAY COMPONENTS.

Select the Server/Gateway components you are going to install, in this case the only component is VPN-1/Firewall-1. This will also install SVN Foundation which is required for every component except the Management Clients.

The Policy Server, which is required by SecureClient, will be installed later. You would not install it unless you had a license to use it.


The components selected for install will be displayed, if this is not correct then cancel the installation and restart.

Once SVN Foundation has been installed you can select which of the VPN-1/Firewall-1 components you are installing. In this case you are installing in a split Management/Firewall Module configuration and are only installing an Enforcement Module.


The installation directory by default will be C:\WINNT\FW1\NG; this maps to the environment variable $FWDIR. You can install in any directory path, the only consideration being disk space for logging, OS rebuilds and Firewall backups. The installation will make changes to the registry.

If you are using central licenses in a split configuration you do not add licenses at the Firewall Module. Licenses are added through the Management Server and attached to the Firewall Module using SecureUpdate.

If you have a ‘local’ Firewall Module license it must be entered here; in NG it is recommended you use central Firewall licenses. This is set when you create the license at Check Point's licensing center. It is likely that you have a local license for the Management Station and central licenses for the Firewall Module(s). Central licenses are available with NG but not previous versions. See the section on SecureUpdate.

Enter a random series of key hits; this will be used as random data for parts of the software that need random number generation.

NG replaced the fw putkey method of authentication with SIC certificates and authentication secrets for Management to Firewall module communication. The secret entered here will be required when creating the Firewall object in the Policy Editor. For this test/classroom environment use - abc123.


This Firewall will not participate in High Availability, that is part of the CCSE+ topics.

The installation will do some basic OS hardening and set the directory and file permission on the installed files.

To complete the installation reboot the workstation.


The installed software will be listed in the Add/Remove software list, in this case the base Feature pack 1 was installed and patched automatically by the installation program with Feature Pack 2.

The SVN Foundation is installed under Program Files while the Firewall software is installed in the directory specified during the installation.


Un-installing the Software

Un-install the software in the reverse order of installation. Before you un-install any Check Point software always exit all applications, reboot, log on and do not start any other applications. You do not have to explicitly stop the Check Point services. If you are un-installing the Session Agent or SecuRemote/SecureClient it is a good idea to exit these applications before un-installing them.

• Uninstall additional components like the Policy Server and Floodgate first.
• Then uninstall the VPN-1/Firewall-1 Feature Pack 2.
• Then uninstall the SVN Foundation Feature Pack 2.
• Then uninstall the VPN-1/Firewall-1 Feature Pack 1.
• Then uninstall the SVN Foundation Feature Pack 1.

Do not reboot until all components have been removed.


A.3 Installing the Management Server and Clients

Insert the CD and the installation program should automatically start. Alternatively run the setup.exe in the Windows directory on the CD. Select SERVER/GATEWAY COMPONENTS.

Select the VPN-1 & Firewall-1 and the Management Clients, you will be prompted for which component you want to install.


Confirm the install list is correct or cancel the install and start again.

After SVN Foundation has been installed you can select which component you want to install. Install the Enterprise Primary Management component.

Enterprise Secondary Management Stations are backup Management Servers for High Availability configurations and covered in the CCSE+ topics.


Select the install directory, C:\WINNT\FW1\NG by default.

Select backward compatibility if you have Firewall Modules to Manage that are not patched to the same level as the Management Server.

Select the Install Directory for the Management Clients.


Select the Clients to install. Any client not selected can be installed later by running the Management Client setup.exe installation program on the CD.

Since this is the Management Station you at least need to add a license for it otherwise you will not be able to login with any of the Management Clients.

If you do not add a license you would need to run the Check Point Configuration tool after the install/reboot to add a license.


Add the Management Server license.

If you have the Firewall Module central license you can also add it here, alternatively you can use SecureUpdate or the Check Point Configuration Tool.

At least one administrator must be added during the Management Server installation.


Add an Administrator - fwadmin, password - abc123. This is a generically named administrator which anyone can use. In a live environment every administrator should have their own account name so that audit trails can identify who did what and when. This information is available in the Log Viewer under Audit. The administrator needs full Read/Write access to all available Management Clients.

Any workstations that are going to have the Management Clients installed on them should be listed here. You do not need to add the IP address of the Management Station.


Select random keys until the buffer is full.

NG uses Certificates, which are automatically created if VPN-1 Pro is selected as installed on an object; this needs the Internal Certificate Authority to be initialized, so select Initialize and Start Certificate Authority.

The FQDN needs to be set. This should be a hostname that the Firewall Module and any SecuRemote/SecureClient user that uses a certificate issued by the Internal Certificate Authority can resolve.


Once the FQDN is set it should not be changed, otherwise checking the validity of certificates may become a problem.

The Fingerprint for the Management Server will be displayed; this is used by Management Clients to confirm that they are connecting to the correct Management Server.

Reboot the workstation and you should be able to login to the Management Server using the Policy Editor.


Appendix B
Review Questions - Answers


B.1 Review Question Answer sheets

Blank answer sheets are available for download at www.corefacts.com

CCSA Topics

Title / Question: Answer

1. VPN-1/Firewall-1 Architecture
 1  2  3  4  5  6
 B  E  A  A  D  C

2. Security Policy & Rules Setup
 1  2  3  4  5  6  7  8  9 10
 C  B  B  D  C  C  E  A  A  E
11 12 13 14 15 16 17 18 19 20
 B  B  B  B  B  B  D  B  B  B
21 22 23 24 25 26 27 28 29 30
 E  C  B  D  C  A  D  C  A  B
31 32 33 34 35 36 37 38 39 40
 C  C  B  A  B  E  C  E  C  B
41
 C

3. System Manager & Log Viewer
 1  2  3  4  5  6  7  8  9 10
 B  C  B  B  C  D  D  C  B  C

4. Anti-Spoofing & Services
 1  2  3  4  5  6  7  8  9 10
 C  D  D  B  C  C  B  B  A  D

5. Working with the Security Policy
 1  2  3  4  5  6  7
 B  B  E  B  C  A  B

6. Setting up Authentication
 1  2  3  4  5  6
 A  C  B  A  C  B

7. User Authentication
 1  2  3  4  5  6  7  8
 A  E  C  A  B  A  C  B

8. Session Authentication
 1  2
 A  B

9. Client Authentication
 1  2  3  4  5  6  7  8  9 10
 A  B  A  C  B  A  C  A  A  C

General Authentication Questions
 1  2  3  4  5  6  7  8
 B  A  E  D  B  B  B  A

10. Network Address Translation
 1  2  3  4  5  6  7  8
 C  B  D  C  B  A  A  C


CCSE Topics

Title / Question: Answer

11. User Defined Tracking & Alerts
 1  2  3  4  5  6  7
 A  B  C  A  C  B  B

12. Load Balancing - Connect Control
 1  2  3  4  5  6  7  8  9
 D  A  B  C  E  A  B  A  C

13. Content Security Servers
 1  2  3  4  5  6  7  8  9 10
 B  B  B  C  D  A  B  A  D  D
11
 B

14. SynDefender
 1  2  3  4  5  6  7  8
 B  C  A  B  B  A  D  A

15. Encryption & VPNs
 1  2  3  4  5  6  7  8  9 10
 C  B  A  C  B  D  A  B  C  B
11 12 13 14 15 16
 B  A  B  C  B  A

16. Certificate Authorities
 1  2  3  4  5  6
 A  A  A  B  B  A

17. Implementing IKE - Traditional Mode
 1  2  3  4  5  6
 A  B  B  B  A  B

18. Extranet Management Interface
 1  2  3  4  5  6  7  8  9 10
 C  B  B  E  C  B  D  B  B  A
11
 D

19. Implementing IKE - Intranets
 1  2  3  4  5
 A  B  B  A  B

20. SecuRemote
 1  2  3  4  5  6  7  8  9 10
 C  D  B  B  D  C  C  B  A  B
11 12 13
 C  C  A

21. SecureClient & the Policy Server
 1  2  3  4  5  6  7  8  9 10
 B  B  B  A  B  A  B  B  C  B
11 12 13
 B  B  D

22. Voice Over IP
 1  2  3
 C  A  E


Answer Sheet.

CCSA Topics

Title Question/Answer

1. VPN-1/Firewall-1 Architecture

1 2 3 4 5 6

2. Security Policy & Rules Setup

1 2 3 4 5 6 7 8 9 10

11 12 13 14 15 16 17 18 19 20

21 22 23 24 25 26 27 28 29 30

31 32 33 34 35 36 37 38 39 40

41

3. System Manager & Log Viewer

1 2 3 4 5 6 7 8 9 10

4. Anti-Spoofing & Services

1 2 3 4 5 6 7 8 9 10

5. Working with the Security Policy

1 2 3 4 5 6 7

6. Setting up Authentication

1 2 3 4 5 6

7. User Authentication 1 2 3 4 5 6 7 8

8. Session Authentication 1 2

9. Client Authentication 1 2 3 4 5 6 7 8 9 10

General Authentication Questions

1 2 3 4 5 6 7 8

10. Network Address Translation

1 2 3 4 5 6 7 8


CCSE Topics

Title Question/Answer

11. User Defined Tracking & Alerts

1 2 3 4 5 6 7

12. Load Balancing - Connect Control

1 2 3 4 5 6 7 8 9

13. Content Security Servers

1 2 3 4 5 6 7 8 9 10

11

14. SynDefender

1 2 3 4 5 6 7 8

15. Encryption & VPNs

1 2 3 4 5 6 7 8 9 10

11 12 13 14 15 16

16. Certificate Authorities

1 2 3 4 5 6

17. Implementing IKE - Traditional Mode

1 2 3 4 5 6

18. Extranet Management Interface

1 2 3 4 5 6 7 8 9 10

11

19. Implementing IKE - Intranets

1 2 3 4 5

20. SecuRemote

1 2 3 4 5 6 7 8 9 10

11 12 13

21. SecureClient & the Policy Server

1 2 3 4 5 6 7 8 9 10

11 12 13


22. Voice Over IP

1 2 3


Index

Numerics
8-bit protocol 3

A
Account Profile 143
ACL 8
Adding Services 116
Administrator
    Certificate 145
Agent Automatic 200
Anti-Spoofing 108, 110
Application Proxies 11
arp_table 220
Authentication
    Intersect with User database 172
    Methods 152
    Not being Authenticated 169
    Schemes 153
    Schemes, setting 154
    Setting Scheme 157
    Stealth 167
    User Properties 173
    Using ftp 174
    Using http 172
    Using Telnet 167
Authentication Schemes 144
Automatic ARP configuration 217
AXENT 153

B
Basic Common Sense Security 29
Basic Performance Guidelines 139
Block Intruder 100
Broadcast
    Not included 47
Broadcast Junk 54

C
Central licenses 22
Check Point HA 19
clean up rule 54
Clear Blocking 102
Client Auth
    sessions 197
    Sign On Methods 198
    Sign On Required 198
    time period 197
Client Authentication 192
ClusterXL 28
Combined Management/Firewall 19
Connection Table
    Persistence 236
Content Security
    CIFS 243
    SOAP 245
Controlling Implied Rules 67
Converting Traditional to Simplified Security Policy 234
CPD 74
CPD_amon 74
CPMI 74
CPShared 19
cpstart 76
cpstop 76

D
Disconnected State 90
Distributed Management/Firewall Module 19
DNS 70
Dynamic NAT 209

E
Embedded Devices 53
Enforcement Module 18

F
Fingerprint Check 36
Firewall Administrators 141
Fully Automatic 199
fw sam 100
fw stat 75
fw unloadlocal 69
FW1_amon 73
FW1_mgmt 73, 103
FW1_sam 73, 103
FW1_ufp 73
fwauthd.conf 152
fwmusers 141
fwstart 75
fwstop 75

G
Gauntlet 11

H
HIDE address, 0.0.0.0 210
Hide Mode NAT 209

I
iana 3
ICMP Protocol 5
If Via 49
in.aclientd 192
in.ahclientd 192
INSPECT 13
INSPECT Language 18
Install
    User Database 146
Internal Certificate 44
IP Pools 217
IP Protocol 3
IP Spoofing 108

L
License Attachment 23
License Count 20
License Depository 24
Locked out of Policy Installs 68
Log
    Active 94
    Audit 95
    By Origin 96
    Resolve Addresses 98
    Resolver time out period 99
    Searching 95
    Selections 96
Log Viewer 93
Log Viewer Modes 93

M
Management Server 17
Manual Sign On 199
Manual Static NAT - Advantages 223

N
nbdatagram 56
nbname 56
Negating objects 57
Network Address Translation 208
Network Connections 2
Network Objects 38

O
Objects
    Check Points 39
    Get address 41
    Networks 40
    Nodes 40
OPSEC 88
OSE Devices 53

P
Packet Filters 7
Partially Automatic 199
plug-gw 12
Policy
    Uninstalling 138
    Viewing, installed 134
Policy Editor 16
    *local 34
    Demo mode 34
    fwmusers 35
    license 35
    lock file 35
    Login 34
Policy Install
    fwm load 69
port 259 194
port 900 196
Predefined Services 114
Private address ranges 217
Problems with NAT 208
Product Name Changes 230
Provider-1 26

R
RADIUS 153
Raptor 11
Revision Control 130, 242
Revision database files 133
RFC 1918 Addresses 208
RFC 768 4
RFC 792 5
RFC 793 3
Rule
    Action 52
    Comment 53
    Default settings 50
    Disabling 138
    Hiding 135
    Install On 52
    Masks and Searches 136
    Number 51
    Service 51
    Source/Destination 51
    Time 53
    Track 52
    Viewing Hidden 136
Rule base Elements 49
Rules
    Filtering Order 65
    Filtering Order, Exception 66
    First, Before Last, Last 65
    Implicit 62
    View - Implied 63

S
S/Key 154
Secure Internal Communications 21
Secure Virtual Network 25
SecureUpdate 22
SecurID 153
Security
    Documentation 30
    Implement Trust procedures 30
    Log files 30
    Peer Pressure 30
    People 30
    Prepare for the unexpected 30
    Procedures 30
    Servers 29
    Services 29
Security Policy
    Installing 58
    Testing 60
    Uninstalling 60
    Verifying 58
Services
    create new 119
    type Other 122
Session Agent 183
Session Agent, port 261 182
Session Authentication 182
    Using ftp 186
Session Authentication Properties 186
SIC Certificates 21
SIC setup 42
simple packet filtering 7
Single Sign On 200
Site Security Handbook 30
SiteManager-1 26
SmartCenter Server 230
SmartDefense 238
SmartView Status 239
SmartView Tracker 240
Stateful Inspection 13
    Application derived state 14
    Communication derived state 14
    Communication information 14
    example of 15
    Information manipulation 14
Static NAT 214
Status Information 88
Stealth Authentication 167
SVN Components 25
SVN Foundation 19
Syn/Ack 4
SynDefender 238
System Manager 88

T
TACACS 153
TCP Protocol 3
TCP Sessions 109
TCP/IP Stack 2
Timeout
    UDP 119
Timeouts
    TCP 119
TIS Toolkit 12
Topology 43
Translate destination on the client side 217
Trojans 6
Tunnelled Protocol Example 115

U
UDP Protocol 4
UDP Sessions 109
User
    generic* 162
User Authenticated Services 166
User Groups
    creating 160
    External 161
Users
    Account expire 156
    creating 155
    Default 155
    Location, src/dst 159

V
Visual Policy Editor 38
VPN-1 & Firewall-1 control connections 64

W
What is a Firewall 6

