Date post: 29-May-2018 | Upload: sudharsun-govindan
8/9/2019 Checkpoint M1 Intro
VPN-1/FireWall-1 NGX Management
Course Objectives
Identify the basic components of VPN-1/FireWall-1 NG
Identify the VPN-1/FireWall-1 NG elements that you will need to manage
Successfully create and manage management objects
Demonstrate how to use the Security Policy, Log Viewer, and System Status
Successfully apply NAT rules
Successfully demonstrate the ability to authenticate users
Course Map
Module 1: VPN-1/FireWall-1 NGX Architecture
Module 2: Security Policy Rule Base and Properties Setup
Module 3: Advanced Security Policy
Module 4: Log Management
Module 5: Authentication Parameters: User, Client, and Session Authentication
Module 6: Network Address Translation
Recommended Setup for Labs
Recommended Lab Topology
IP Addresses
Lab Terms
Lab Stations
Recommended Lab Topology (diagram)
Introduction
Objectives
Describe the purpose of a firewall
Describe and compare firewall architectures
Identify the different components of VPN-1/FireWall-1 NGX
Need for a Firewall
Protection against:
Unauthorised Access
Eavesdropping
Hacker Attack
DDoS / DoS
LAND
Teardrop
Virus
Trojan
Internet Firewall Technologies
A firewall is a system designed to:
prevent unauthorised access to or from a secured network
act as a locked security door between internal and external networks: only data meeting certain criteria is allowed through
However, note that a firewall can only protect a network from traffic that is filtered through it.
Firewall Technologies
Packet Filters
Application-Layer Gateway
Stateful Inspection
VPN-1/FireWall-1 NGX Enforcement Module
INSPECT Language
VPN-1/FireWall-1 NGX Advantages
Packet Filtering Path in the OSI Model (diagram)
Packet Filter FTP Example (diagram)
Packet Filters
Advantages
Compatibility: Packet filters do not modify the packet stream, so they work with any protocol.
Performance: Packet filters are very fast since they look only at the headers.
Scalability: Since packet filters are simple, it is easy to scale the solution.
Disadvantages
Low security: Packet filters do not look at the data portion of the packets, so attacks can flow right through them.
No advanced protocol support: Since these filters do not keep track of connections, there is no way to support dynamic protocols.
Application-Layer Gateway Path (diagram)
Application-Layer Gateway (ALG)
Advantages
Security: Since the proxy buffers the entire connection, it has the ability to do content filtering on the entire connection.
Application-level awareness: Since the proxy fully understands the protocol, it makes sure all the data follow the standards.
Disadvantages
Performance: Since the entire connection is buffered, and there are two connections for every connection, proxy firewalls are the slowest type of firewall.
Scalability: The Internet standards (RFCs) for TCP/IP state that communication occurs directly to and from the client and the server. This is referred to as the Client/Server model. Application-layer firewalls break the Client/Server model, and this breaks some applications.
Stateful Inspection Technology
Invented by Check Point Software Technologies
Utilises the INSPECT Engine
Programmable using the INSPECT language
Provides for system extensibility
Dynamically loaded into the OS kernel
Intercepts and inspects all inbound and outbound packets on all interfaces
Verifies that packets comply with the security policy
VPN-1/FireWall-1 NGX Enforcement Module (diagram)
How VPN-1/FireWall-1 NGX Works
INSPECT Allowing Packets
If a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination.
If packets are destined for the OS's local processes, they are inspected and then passed through the TCP/IP stack.
If packets do not pass inspection, they are rejected or dropped, and logged.
INSPECT Module Flow (diagram)
Introduction to Security
Firewall Technologies (comparison)
Packet Filters: SIP / DIP / SPort / DPort
Application Layer Gateways: Application Awareness; Caching; Authentication (Client -> FW / FW -> Client)
Stateful Inspection: Communication Information; Communication-Derived State; Application-Derived State; Information Manipulation; INSPECT Engine; Transparency
Differences!!! (diagram)
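The packet-filter, stateful-inspection and comparison slides above all turn on one point: a stateless filter judges every packet against the rule base alone, while a stateful engine remembers which connections passed the rule base and derives the verdict for later packets (replies included) from that memory. The Go program below is an added example written for this page; it is not Check Point code and not the INSPECT engine, and its rule base, addresses and packets are constructed. It puts a minimal stateless filter beside a minimal stateful engine and shows the consequence on the course's own web-browsing case: the filter can only admit the server's reply by adding a permanent "source port 80" rule, which also admits unsolicited traffic that merely uses that source port, whereas the stateful engine admits the reply from its connection table, drops the unsolicited segment, and logs it, matching the accept / drop-or-reject-and-log behaviour the INSPECT slide describes.

```go
package main

import "fmt"

// Verdict is what the simulated enforcement point does with a packet.
type Verdict string

const (
	Accept Verdict = "accept" // pass on to the destination
	Drop   Verdict = "drop"   // discard silently
	Reject Verdict = "reject" // discard and notify the sender
)

// Packet carries only the header fields the two engines look at.
type Packet struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Proto            string // "tcp" or "udp"
	SYN, ACK         bool   // TCP flags; only the stateful engine reads them
}

// Rule is one line of a rule base; "*" for an IP or protocol and 0 for a port mean "any".
type Rule struct {
	SrcIP, DstIP     string
	SrcPort, DstPort int
	Proto            string
	Action           Verdict
}

func (r Rule) matches(p Packet) bool {
	return (r.SrcIP == "*" || r.SrcIP == p.SrcIP) && (r.DstIP == "*" || r.DstIP == p.DstIP) &&
		(r.SrcPort == 0 || r.SrcPort == p.SrcPort) && (r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.Proto == "*" || r.Proto == p.Proto)
}

// PacketFilter is the stateless engine: every packet, in either direction, is judged
// against the rule base alone; no match means drop (the implicit cleanup rule).
func PacketFilter(rules []Rule, p Packet) Verdict {
	for _, r := range rules {
		if r.matches(p) {
			return r.Action
		}
	}
	return Drop
}

// key builds the connection-table key from a 5-tuple in the given direction.
func key(proto, a string, ap int, b string, bp int) string {
	return fmt.Sprintf("%s %s:%d>%s:%d", proto, a, ap, b, bp)
}

// Stateful is the stateful engine: the rule base is consulted only for packets that open a
// connection; the verdict for every later packet, replies included, comes from the table.
type Stateful struct {
	Rules []Rule
	table map[string]bool
	Log   []string // one line per packet that did not pass inspection
}

func NewStateful(rules []Rule) *Stateful { return &Stateful{Rules: rules, table: map[string]bool{}} }

func (s *Stateful) Inspect(p Packet) Verdict {
	fwd := key(p.Proto, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort)
	rev := key(p.Proto, p.DstIP, p.DstPort, p.SrcIP, p.SrcPort)
	if s.table[fwd] || s.table[rev] {
		return Accept // belongs to a connection that already passed the rule base
	}
	v := Drop
	if p.Proto != "tcp" || (p.SYN && !p.ACK) { // only a bare SYN may open a TCP connection
		v = PacketFilter(s.Rules, p)
	}
	if v == Accept {
		s.table[fwd] = true
	} else {
		s.Log = append(s.Log, string(v)+" "+fwd)
	}
	return v
}

// Constructed rule base (not from the course): one internal host may open HTTP outbound.
func OutboundWebOnly() []Rule {
	return []Rule{{SrcIP: "10.0.0.5", DstIP: "*", DstPort: 80, Proto: "tcp", Action: Accept}}
}

// OutboundWebWithHole adds the permanent rule a stateless filter needs so that web replies
// get back in: admit anything addressed to the host whose source port is 80.
func OutboundWebWithHole() []Rule {
	return append(OutboundWebOnly(), Rule{SrcIP: "*", DstIP: "10.0.0.5", SrcPort: 80, Proto: "tcp", Action: Accept})
}

// Constructed packets: the client's SYN, the server's SYN/ACK reply, and an unsolicited
// segment from an unrelated external host that merely uses source port 80.
var (
	ClientSYN   = Packet{"10.0.0.5", "203.0.113.10", 40000, 80, "tcp", true, false}
	ServerReply = Packet{"203.0.113.10", "10.0.0.5", 80, 40000, "tcp", true, true}
	Unsolicited = Packet{"198.51.100.7", "10.0.0.5", 80, 3389, "tcp", false, true}
)

func main() {
	s := NewStateful(OutboundWebOnly())
	for _, p := range []Packet{ClientSYN, ServerReply, Unsolicited} {
		fmt.Println("stateless+hole:", PacketFilter(OutboundWebWithHole(), p), " stateful:", s.Inspect(p))
	}
	fmt.Println(s.Log)
}
```

Running it prints accept for all three packets on the stateless filter with the reply hole, and accept, accept, drop on the stateful engine, whose log then holds the one dropped segment. The bare-SYN check is the smallest piece of "communication-derived state" from the comparison slide: a segment with ACK set and no table entry cannot belong to any connection the rule base approved, so it never reaches the rule base at all.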
VPN-1/FireWall-1 NGX Architecture
SmartConsole
SmartCenter Server
Security Gateway (Enforcement Module)
Check Point Three-Tier Architecture (diagram)
Module 1: Check Point SmartConsole (diagram)
SmartCenter Server
The security policy is defined using SmartDashboard on the Management Client.
It is then saved to the SmartCenter Server.
The SmartCenter Server maintains the FW-1 NG databases, including:
network object definitions
user definitions
security policy
log files
VPN-1/FireWall-1 NGX Enforcement Module
Deployed on the Internet gateway
An Inspection Script written in INSPECT is generated from the security policy
Inspection Code is compiled from the script and downloaded to the Enforcement Module
Distributed Deployments
SVN Foundation
Secure Internal Communications (SIC)
Secure Virtual Network (SVN) is a true security architecture.
It integrates multiple capabilities, including firewall security, VPNs, IP address management, etc., all within a common management framework.
It enables security to be defined and enforced in a single policy incorporating all aspects of network security.
The SVN Architecture is designed to meet the challenges of eBusiness.
It connects the four elements common to any enterprise network:
Networks
Systems
Applications
Users
SVN Diagram (diagram)
SVN Foundation
Check Point SVN Foundation NGX (CPShared) is the Operating System integrated with every Check Point product.
All Check Point products use the CPOS services via CPShared.
The SVN Foundation includes:
Secure Internal Communications (SIC)
Check Point registry
CPShared daemon
Watch Dog for critical services
cpconfig
License utilities
SNMP daemon
Module 1: Secure Internal Communication (SIC)
Communication Components
Security Benefits
SIC Certificates
Communication Between Management Modules and Components
Communication Between Management Modules and Management Clients
Communication Components
SIC secures communication between Check Point SVN components such as:
management modules
management clients
VPN-1/FireWall-1 NG modules
customer log modules
SecureConnect modules
policy servers
OPSEC applications
Security Benefits of SIC
Confirms that a management client connecting to a management module is authorised.
Verifies that a security policy loaded on a firewall module came from an authorised management module.
SIC ensures that data privacy and integrity are maintained.
SIC Certificates
SIC for Check Point VPN uses certificates for authentication and standards-based SSL for encryption.
It enables each Check Point enabled machine to be uniquely identified.
Certificates are generated by the Internal Certificate Authority (ICA) on the Management module.
A unique certificate is generated for each physical machine.
Communication between Management Modules and Components
The ICA automatically creates a certificate for the Management module during installation.
Certificates for other modules are created via a simple initialisation from the Management Client.
Upon initialisation, the ICA creates, signs and delivers a certificate to the communication component.
Communication between Management Modules and Management Clients
The management client must be defined as authorised.
When invoking the Policy Editor on the Management Client, the user is asked to identify themselves and to specify the IP address of the Management Module.
The Management Client then initiates an SSL-based connection.
The Management Module verifies the client's IP address.
The Management Module sends back its certificate.
Distributed Client/Server Configuration (diagram)
Distributed VPN-1/FireWall-1 Configuration Showing the Components with Certificates: SIC (Secured Internal Communication) (diagram)
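The SIC slides above describe a small trust model: one Internal Certificate Authority on the Management module issues a certificate per machine, a management client is only accepted if it connects from an address defined as authorised and presents a certificate from that ICA, and the Management module then proves itself with its own certificate. The Go program below is an added example written for this page, not Check Point code and not SIC's actual protocol: it stands in Ed25519 signatures over "name|IP|public key" for SIC's X.509 certificates, a signed nonce for the SSL handshake's proof of key possession, and uses constructed component names and addresses. It runs the exchange from both sides and exercises the three refusals the slides imply: an unauthorised source address, a certificate presented from an address other than the one it names, and a certificate from a different CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate is the simplified credential the ICA issues: a component's name and address
// bound to its public key under the ICA's signature (stand-in for SIC's X.509 certificates).
type Certificate struct {
	Name, IP string
	PubKey   ed25519.PublicKey
	Sig      []byte // ICA signature over tbs()
}

// tbs is the to-be-signed encoding of the certificate fields.
func (c Certificate) tbs() []byte { return []byte(c.Name + "|" + c.IP + "|" + string(c.PubKey)) }

// keypair generates a fresh Ed25519 key pair; failure means the system has no usable randomness.
func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// ICA models the Internal Certificate Authority on the Management module.
type ICA struct {
	Pub  ed25519.PublicKey // handed to every component as its trust anchor
	priv ed25519.PrivateKey
}

func NewICA() *ICA { pub, priv := keypair(); return &ICA{pub, priv} }

// Component is any SIC participant: its own key pair plus the certificate the ICA issued.
type Component struct {
	Cert Certificate
	priv ed25519.PrivateKey
}

// Issue is the initialisation step: the ICA creates, signs and delivers a certificate.
func (ca *ICA) Issue(name, ip string) *Component {
	pub, priv := keypair()
	cert := Certificate{Name: name, IP: ip, PubKey: pub}
	cert.Sig = ed25519.Sign(ca.priv, cert.tbs())
	return &Component{cert, priv}
}

// Sign lets a component prove it holds the private key its certificate names.
func (c *Component) Sign(msg []byte) []byte { return ed25519.Sign(c.priv, msg) }

// CheckCert is what each side does with a certificate it receives: confirm our ICA signed it
// and that the peer proved possession of the matching private key.
func CheckCert(ica ed25519.PublicKey, cert Certificate, nonce, proof []byte) error {
	if !ed25519.Verify(ica, cert.tbs(), cert.Sig) {
		return errors.New("certificate was not issued by our ICA")
	}
	if !ed25519.Verify(cert.PubKey, nonce, proof) {
		return errors.New("peer does not hold the certified private key")
	}
	return nil
}

// Management is the Management module's side: the client must connect from an authorised
// address, that address must be the one in its certificate, and the certificate must check
// out; only then does the module answer with its own certificate.
type Management struct {
	*Component
	ICA        ed25519.PublicKey
	Authorised map[string]bool // management clients defined as authorised, by IP
}

func (m *Management) AcceptClient(srcIP string, cert Certificate, nonce, proof []byte) (Certificate, error) {
	if !m.Authorised[srcIP] {
		return Certificate{}, fmt.Errorf("%s is not an authorised management client", srcIP)
	}
	if cert.IP != srcIP {
		return Certificate{}, fmt.Errorf("certificate for %s presented from %s", cert.IP, srcIP)
	}
	if err := CheckCert(m.ICA, cert, nonce, proof); err != nil {
		return Certificate{}, err
	}
	return m.Cert, nil
}

// Connect runs the exchange from the client's side: present our certificate with a proof of
// possession, then verify the certificate the Management module sends back.
func Connect(client *Component, srcIP string, m *Management, ica ed25519.PublicKey) error {
	nonce := []byte("constructed-session-nonce") // a real handshake uses fresh randomness
	mgmtCert, err := m.AcceptClient(srcIP, client.Cert, nonce, client.Sign(nonce))
	if err != nil {
		return err
	}
	return CheckCert(ica, mgmtCert, nonce, m.Sign(nonce))
}

// Demo wires up one ICA, one Management module and an authorised SmartDashboard client
// (constructed names and addresses), then tries the good connection and three SIC must refuse.
func Demo() (good, unauthorisedIP, wrongIP, foreignCA error) {
	ica := NewICA()
	mgmt := &Management{Component: ica.Issue("smartcenter", "10.0.0.1"), ICA: ica.Pub,
		Authorised: map[string]bool{"10.0.0.50": true, "10.0.0.51": true}}
	client := ica.Issue("smartdashboard", "10.0.0.50")
	good = Connect(client, "10.0.0.50", mgmt, ica.Pub)
	unauthorisedIP = Connect(client, "10.0.0.99", mgmt, ica.Pub) // address not defined as authorised
	wrongIP = Connect(client, "10.0.0.51", mgmt, ica.Pub)        // authorised address, but not the cert's
	foreignCA = Connect(NewICA().Issue("smartdashboard", "10.0.0.50"), "10.0.0.50", mgmt, ica.Pub)
	return
}

func main() { fmt.Println(Demo()) }
```

The address check and the certificate check are deliberately separate, as on the slides: the authorised-client list stops an unknown host before any cryptography runs, and the ICA signature check is what stops a host that knows an authorised address but holds no certificate from this management's ICA.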
VPN-1/FireWall-1
Key component of the SVN architecture
Access Control
User Authentication
Network Address Translation (NAT)
Virtual Private Networking
High Availability
Content Security
Auditing and Reporting
LDAP-based user management
Intrusion Detection
Malicious Activity Detection
Third-party Device Management
High Availability and Load Sharing
Review Question #1
What is Stateful Inspection?
Stateful inspection tracks, analyzes and acts on both state and context information, including:
Packet header
Connection state
TCP and IP fragmentation data
Packet reassembly, application type, context verification
Arrival interface
Departure interface
Layer 2 information
Date and time of packet arrival/departure
Review Question #2
Why is Stateful Inspection more secure than packet filtering and application-layer gateways for protecting networks?
Packets are intercepted at the network layer for best performance, as in packet filters. But the data derived from all communication layers is analyzed, not just layers 4-7 (as in application-layer gateways).
Review Question #3
Which component does VPN-1/FireWall-1 use to accept, drop or reject packets?
The Enforcement Module
Review Question #4
What are the three components that make up VPN-1/FireWall-1?
SmartConsole
SmartCenter Management Server
Security Gateway (Enforcement Module)
OS Support (diagram)
VPN-1/FireWall-1 NGX System Requirements
Management Client
Disk Space: 40 Mbytes
Memory: 128 Mbytes
Network I/F: All interfaces supported by the Operating System
FireWall-1 NGX on Windows Platform
Processor: Intel Pentium II 300+ MHz or equivalent
Disk Space: 40 Mbytes
Memory: 128 Mbytes
Network I/F: All interfaces supported by the Operating System
Management Server or FireWall-1 Module on Solaris
CPU Architecture: Solaris 7 - 32 Bit mode; Solaris 8 - 32 Bit & 64 Bit mode
Disk Space: 40 Mbytes (software installation only)
Memory: 128 Mbytes
CPU: 360 MHz
Required OS Patches: Check the latest release notes for required patches
Management Server or FireWall-1 Module on a Linux Platform
CPU Architecture: 32 bit and 64 bit
Disk Space: 40 Mbytes
Memory: 128 Mbytes
CPU: Intel Pentium II 300+ MHz
Distributed Deployment: When the gateway and the SmartCenter server are installed on separate machines.
Gateway: The VPN-1 engine that enforces the organization's security policy and acts as a security enforcement point.
Security Policy: The policy created by the system administrator that regulates the flow of incoming and outgoing communication.
Standalone Deployment: When the Check Point components responsible for the management of the security policy (the SmartCenter server and the gateway) are installed on the same machine.
SmartCenter Server: The server used by the system administrator to manage the security policy. The organization's databases and security policies are stored on the SmartCenter server and downloaded to the gateway.
SmartConsole: GUI applications that are used to manage various aspects of security policy enforcement. For example, SmartView Tracker is a SmartConsole application that manages logs.
SmartDashboard: A SmartConsole GUI application that is used by the system administrator to create and manage the security policy.
Key Terms
Firewall
Packet Filtering
Application Layer Gateway (Proxy)
Client/Server Model
Stateful Inspection
Secure Virtual Network (SVN)
Secure Internal Communication (SIC)
Virtual Private Network (VPN)
Implementation Scenario: Standalone Setup (diagram)
Implementation Scenario: Distributed Setup (diagram)