
Checkpoint M1 Intro

Date post: 29-May-2018
Upload: sudharsun-govindan
  • 8/9/2019 Checkpoint M1 Intro

    1/64

    VPN-1/FireWall-1 NGX

    Management

    2/64

    Course Objectives

    Identify the basic components of VPN-1/FireWall-1 NG

    Identify the VPN-1/FireWall-1 NG elements that you will need to manage

    Successfully create and manage management objects

    Demonstrate how to use the Security Policy, Log Viewer, and System Status

    Successfully apply NAT rules

    Successfully demonstrate the ability to authenticate users


    4/64

    Course Map

    Module 1: VPN-1/FireWall-1 NGX Architecture

    Module 2: Security Policy Rule Base and Properties Setup

    Module 3: Advanced Security Policy

    Module 4: Log Management

    Module 5: Authentication Parameters: User, Client, and Session Authentication

    Module 6: Network Address Translation

    5/64

    Recommended Setup for Labs

    Recommended Lab Topology

    IP Addresses

    Lab Terms

    Lab Stations

    6/64

    Recommended Lab Topology

    7/64

    Introduction

    Objectives

    Describe the purpose of a firewall

    Describe and compare firewall architectures

    Identify the different components of VPN-1/FireWall-1 NGX

    8/64

    Need for Firewall

    Protection Against

    Unauthorised Access

    Eavesdropping

    Hacker Attack

    DDoS / DoS

    LAND

    TearDrop

    Virus

    Trojan

    9/64

    Internet Firewall Technologies

    A firewall is a system designed to

    prevent unauthorised access to or from a secured network

    act as a locked security door between internal and external networks; only data meeting certain criteria will be allowed through

    However, note that a firewall can only protect a network from traffic filtered through it

    10/64

    Firewall Technologies

    Packet Filters

    Application-Layer Gateway

    Stateful Inspection

    VPN-1/FireWall-1 NGX Enforcement Module

    INSPECT Language

    VPN-1/FireWall-1 NGX Advantages


    12/64

    Packet Filtering Path in the OSI Model

    13/64

    Packet Filter FTP Example

    14/64

    Packet filters...

    Advantage

    Compatibility: Packet filters do not modify the packet stream, so they work with any protocol.

    Performance: Packet filters are very fast since they look only at the headers.

    Scalability: Since packet filters are simple, it is easy to scale the solution.

    Disadvantage

    Low security: Packet filters do not look at the data portion of the packets, so attacks can flow right through them.

    No advanced protocol support: Since these filters do not keep track of connections, there is no way to support dynamic protocols.

    15/64

    Application-Layer Gateway Path

    16/64

    ALG...

    Advantage

    Security: Since the proxy buffers the entire connection, it has the ability to do content filtering on the entire connection.

    Application level awareness: Since the proxy fully understands the protocol, it makes sure all the data follow the standards.

    Disadvantage

    Performance: Since the entire connection is buffered, and there are two connections for every connection, proxy firewalls are the slowest type of firewalls.

    Scalability: The Internet standards (RFCs) for TCP/IP state that communication occurs directly to and from the client and the server. This is referred to as the Client/Server model. Application layer firewalls break the Client/Server model, and this breaks some applications.

    17/64

    Stateful Inspection Technology

    invented by Check Point Software Technologies

    utilises the INSPECT Engine

    Programmable using the INSPECT language

    Provides for system extensibility

    Dynamically loaded into the OS kernel

    Intercepts and inspects all inbound and outbound packets on all interfaces

    Verifies that packets comply with the security policy

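An added illustration, not from the course slides, of the difference between the packet filter of slide 14 and the connection tracking described above: a stateless filter has to trust the source port to let FTP replies and server-opened data channels back in, while a stateful filter admits only packets that answer a connection it has seen, or a data channel the client announced on a tracked control connection. The protected network, the packet layout and the traffic are constructed for this example.

```python
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # hypothetical protected network
def inside(ip):
    return ip_address(ip) in INTERNAL
def ftp_port_cmd(payload):
    """Client data port announced by an FTP 'PORT h1,h2,h3,h4,p1,p2' command, else None."""
    if not payload.startswith("PORT "):
        return None
    p1, p2 = payload[5:].split(",")[4:6]
    return int(p1) * 256 + int(p2)

def stateless_filter(pkt, _state=None):
    # Packet filter: SIP/DIP/SPort/DPort only. To admit FTP replies and server-initiated
    # data channels it must trust the source port, so any inbound packet claiming sport 20/21 passes.
    if inside(pkt["src"]) and not inside(pkt["dst"]):
        return "accept"
    if inside(pkt["dst"]) and pkt["sport"] in (20, 21):
        return "accept"
    return "drop"
def stateful_filter(pkt, state):
    # Connection tracking: inbound passes only as a reply to a connection opened from inside,
    # or as a data channel the client announced on a tracked FTP control connection.
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if inside(pkt["src"]) and not inside(pkt["dst"]):
        state["conns"].add(key)
        port = ftp_port_cmd(pkt.get("payload", "")) if pkt["dport"] == 21 else None
        if port:                           # application-derived state
            state["expect"].add((pkt["dst"], 20, pkt["src"], port))
        return "accept"
    if reverse in state["conns"]:
        return "accept"
    if key in state["expect"]:             # expected data channel: promote to a connection
        state["expect"].discard(key)
        state["conns"].add(key)
        return "accept"
    return "drop"
# Constructed sample traffic, not a real capture
PACKETS = [
    dict(src="10.0.0.5", sport=40000, dst="203.0.113.10", dport=21, payload="PORT 10,0,0,5,4,1"),
    dict(src="203.0.113.10", sport=21, dst="10.0.0.5", dport=40000),  # control-channel reply
    dict(src="203.0.113.10", sport=20, dst="10.0.0.5", dport=1025),   # announced data channel
    dict(src="198.51.100.7", sport=20, dst="10.0.0.9", dport=445),    # unsolicited, forged sport
]

def run(filter_fn):
    state = {"conns": set(), "expect": set()}
    return [filter_fn(p, state) for p in PACKETS]
```

`run(stateless_filter)` accepts all four packets, including the unsolicited one with a forged source port; `run(stateful_filter)` accepts the first three and drops the fourth.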
    18/64

    VPN-1/FireWall-1 NGX Enforcement Module

    19/64

    How VPN-1/FireWall-1 NGX Works

    INSPECT Allowing Packets

    if a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination

    if packets are destined for the OS local processes, they are inspected and then passed through the TCP/IP stack

    if packets do not pass inspection, they are rejected, or dropped and logged.

    20/64

    INSPECT Module Flow

    21/64

    Introduction to security

    22/64

    Firewall Technologies

    Packet Filters: SIP / DIP / SPort / DPort

    Application Layer Gateways: Application Awareness, Caching, Authentication (Client -> FW / FW -> Client)

    Stateful Inspection: Communication Information, Communication Derived State, Application Derived State, Information Manipulation, INSPECT Engine Transparency

    23/64

    Differences!!!

    24/64

    RS007

    VPN-1/FireWall-1 NGX Architecture

    SmartConsole

    SmartCenter Server

    Security Gateway (Enforcement Module)

    25/64

    Check Point Three-Tier Architecture

    26/64

    Module 1:

    Check Point SmartConsole

    27/64

    Module 1

    SmartCenter Server

    the security policy is defined using SmartDashboard on the Management client

    it is then saved to the SmartCenter server

    the SmartCenter server maintains the FW-1 NG databases, including:

    network object definitions

    user definitions

    security policy

    log files

    28/64

    Module 1

    VPN-1/FireWall-1 NGX Enforcement Module

    deployed on the Internet gateway

    an Inspection script written in INSPECT is generated from the security policy

    inspection code is compiled from the script and downloaded to the enforcement module

    29/64

    Distributed Deployments

    SVN Foundation

    Secure Internal Communications (SIC)

    30/64

    Secure Virtual Network (SVN) is a true security architecture

    Integrates multiple capabilities, including

    firewall security, VPNs, IP address management etc., all within a common management framework

    enables security to be defined and enforced in a single policy incorporating all aspects of network security

    31/64

    SVN Architecture designed to meet the challenges of eBusiness

    connects the four elements common to any enterprise network

    Networks

    Systems

    Applications

    Users

    32/64

    SVN Diagram

    33/64

    Module 1

    SVN Foundation

    Check Point SVN Foundation NGX (CPShared) is the Operating System integrated with every Check Point product

    All Check Point products use the CPOS services via CPShared

    The SVN Foundation includes:

    Secure Internal Communications (SIC)

    Check Point registry

    CPShared daemon

    Watch Dog for critical services

    Cpconfig

    License utilities

    SNMP daemon

    34/64

    Module 1:

    Secure Internal Communication (SIC)

    Communication Components

    Security Benefits

    SIC Certificates

    Communication Between Management Modules and Components

    Communication Between Management Modules and Management Clients

    35/64

    Module 1

    Communication Components

    SIC secures communication between Check Point SVN components such as

    management modules

    management clients

    VPN-1/FireWall-1 NG modules

    customer log modules

    SecureConnect modules

    policy servers

    OPSEC applications

    36/64

    Module 1

    Security Benefits of SIC

    confirms that a management client connecting to a management module is authorised

    verifies that a security policy loaded on a firewall module came from an authorised management module

    SIC ensures that data privacy and integrity are maintained

    37/64

    Module 1

    SIC Certificates

    SIC for Check Point VPN uses certificates for authentication and standards-based SSL for encryption

    enables each Check Point enabled machine to be uniquely identified

    certificates are generated by the Internal Certificate Authority (ICA) on the Management module

    a unique certificate is generated for each physical machine

    38/64

    Module 1

    Communication between Management Modules and Components

    the ICA automatically creates a certificate for the Management module during installation

    certificates for other modules are created via a simple initialisation from the Management Client

    upon initialisation, the ICA creates, signs and delivers a certificate to the communication component

    39/64

    Module 1

    Communication between Management Modules and Management Clients

    the management client must be defined as authorised

    when invoking the Policy Editor on the Management client, the user is asked to identify themselves and to specify the IP address of the Management Module

    the Management Client then initiates an SSL based connection

    the Management Module verifies the Client's IP address

    the Management Module sends back its certificate

    40/64

    Distributed Client/Server Configuration

    41/64

    Distributed VPN-1/FireWall-1 Configuration Showing the Components with Certificates

    SIC (Secured Internal Communication)

    42/64

    VPN-1/FireWall-1

    Key component of SVN architecture

    Access Control

    User Authentication

    Network Address Translation (NAT)

    Virtual Private Networking

    High Availability

    Content Security

    Auditing and Reporting

    LDAP-based user management

    43/64

    VPN-1/FireWall-1 (continued)

    Intrusion Detection

    Malicious Activity Detection

    Third-party Device Management

    High Availability and Load Sharing

    44-46/64

    Review Question #1

    What is Stateful Inspection?

    Stateful inspection tracks, analyzes and acts on both state and context information, including:

    Packet header

    Connection state

    TCP and IP fragmentation data

    Packet reassembly, application type, context verification

    Arrival interface

    Departure interface

    Layer 2 information

    Date and time of packet arrival/departure

    47-48/64

    Review Question #2

    Why is Stateful Inspection more secure than packet filtering and application-layer gateways for protecting networks?

    Packets are intercepted at the network layer for best performance, as in packet filters. But the data derived from all communication layers is analyzed, not just layers 4-7 (as in application-layer gateways).

    49-50/64

    Review Question #3

    Which component does VPN-1/FireWall-1 use to accept, drop or reject packets?

    The Enforcement Module

    51-52/64

    Review Question #4

    What are the three components that make up VPN-1/FireWall-1?

    SmartConsole

    SmartCenter Management Server

    Security Gateway (Enforcement Module)

    55/64

    OS Support...

    56/64

    VPN-1/FireWall-1 NGX Management I

    VPN-1/FireWall-1 NGX System Requirements

    Management Client

    Disk Space : 40 Mbytes

    Memory : 128 Mbytes

    Network I/F : All interfaces supported by Operating System

    57/64

    VPN-1/FireWall-1 NGX System Requirements

    FireWall-1 NGX on Windows Platform

    Processor : Intel Pentium II 300+ MHz or equivalent

    Disk Space : 40 Mbytes

    Memory : 128 Mbytes

    Network I/F : All interfaces supported by Operating System

    58/64

    VPN-1/FireWall-1 NGX System Requirements

    Management Server or FireWall-1 Module on Solaris

    CPU Architecture : Solaris 7 - 32 Bit mode; Solaris 8 - 32 Bit & 64 Bit mode

    Disk Space : 40 Mbytes (software installation only)

    Memory : 128 Mbytes

    CPU : 360 MHz

    Required OS Patches : Check latest release notes for required patches

    59/64

    VPN-1/FireWall-1 NGX System Requirements

    Management Server or FireWall-1 Module on a Linux Platform

    CPU Architecture : 32 bit and 64 bit

    Disk Space : 40 Mbytes

    Memory : 128 Mbytes

    CPU : Intel Pentium II 300+ MHz

    60/64

    Distributed Deployment: When the gateway and the SmartCenter server are installed on separate machines.

    Gateway: The VPN-1 engine that enforces the organization's security policy and acts as a security enforcement point.

    Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.

    Standalone Deployment: When the Check Point components responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine.

    61/64

    SmartCenter Server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the SmartCenter server and downloaded to the gateway.

    SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.

    SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.

    62/64

    Key Terms

    Firewall

    Packet Filtering

    Application Layer Gateway (Proxy)

    Client/Server Model

    Stateful Inspection

    Secure Virtual Network (SVN)

    Secure Internal Communication (SIC)

    Virtual Private Network (VPN)

    63/64

    Implementation Scenario

    Standalone Setup

    64/64

    Distributed Setup

