Check Point Security
Administration Training
Phan Thanh Long
Công ty Misoft
Email: [email protected]
Check Point Security Administration
Course Map
Module 1: Check Point Firewall Architecture & Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
Check Point Security Administration
Module 1: Check Point Firewall Architecture & Installation
Introduction
Objectives
Describe the purpose of a firewall
Describe and compare firewall architectures
Identify the different components of a Check Point firewall
Check Point firewall deployment models
SIC (Secure Internal Communication)
SmartConsole components
Lab 1: Firewall Stand-alone Installation
Lab 2: Firewall Distributed Installation
Describe the purpose of a firewall
Firewall Technologies
A firewall is a system designed to
prevent unauthorised access to or from a secured network
act as a locked security door between internal and external networks
data meeting certain criteria will be allowed through
However, note that a firewall can only protect a network from traffic filtered through it
[Figure: What is a Firewall? Labels: Internet, SSL, DMZ, IPSec, Trusted Networks, Trusted Users, Firewall]
Describe and compare firewall architectures
Firewall Technologies
Packet Filters
Application-Layer Gateway
Stateful Inspection
Packet Filters
Packet Filtering Path in the OSI Model
Packet Filters
The advantages of packet filtering:
• Inexpensive
• Application transparency
• Faster than application-layer gateways
The disadvantages of packet filtering:
• Access to a limited part of the packet header only
• Limited screening above the network layer
• Very limited ability to manipulate information
Application-Layer Gateway (Proxy)
Application-Layer Gateway Path
Application-Layer Gateway
The advantages of application-layer gateways are:
• Good security
• Full application-layer awareness
The disadvantages of application-layer gateways (proxies) are:
• Each service requires its own process, so the number of available services and their scalability is poor
• Implementation at the application level is detrimental to performance
• Most proxies are not transparent
• Vulnerable to operating system and application-level bugs
• Overlooks information contained in lower layers
Stateful Inspection
Stateful Inspection technology was invented by Check Point Software Technologies
Stateful Inspection
• It is not sufficient to examine packets in isolation.
• State information, derived from past communications and other applications, is an essential factor in making the control decision for new communication attempts.
• The ability to perform information manipulation on data in any part of the packet
Check Point Firewall Architecture
SmartConsole (Client)
SmartCenter (Management Server)
Security Gateway (Enforcement)
[Figure: SmartConsole (SmartDashboard), SmartCenter and Security Gateway]
SmartCenter (Management)
Security policy is defined using the SmartDashboard
It is then saved to the SmartCenter
SmartCenter maintains policy databases including
network object definitions
user definitions
security policy
log files
Security Gateway (Firewall Enforcement)
Deployed on the gateway
An Inspection script written in INSPECT is generated from the security policy
Inspection code is compiled from the script and downloaded to the Security Gateway
How Security Gateway Works
INSPECT engine allowing packets
if a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination
if packets are destined for local OS processes, they are inspected and then passed through the TCP/IP stack
if packets do not pass inspection, they are blocked.
How Security Gateway Works
INSPECT engine
The INSPECT Engine analyzes the packet and extracts all relevant information (communication and application level)
The INSPECT Engine resides in the operating system's kernel, loaded between layers 2 and 3, directly above the network interface card (NIC) driver
By inspecting communications at the kernel level, the INSPECT Engine intercepts and analyzes all packets before they reach the operating system
No packet is processed by any of the higher protocol layers unless the FireWall verifies that it complies with the enterprise security policy
How Security Gateway Works
Security features and licensing
IPS: subscription
Anti-Spam: subscription
Web Application Firewall: expansion
SSL VPN / QoS: expansion
URL Filtering: subscription
VPN (site-to-site, remote access): standard
Anti-virus / Anti-spyware: subscription
Firewall ("the best firewall in the market"): standard; protocols shown: HTTP, FTP, Instant Messaging, E-mail, P2P, VoIP, SQL
Stand-alone Deployments Models
Distributed Deployments Models
Secure Internal Communication (SIC)
SIC secures communication between Check Point components such as
SmartCenter
SmartConsole
Security Gateway
Customer log modules
OPSEC applications
...
Security Benefits of SIC
Confirms that a SmartConsole connecting to a SmartCenter is authorised
Verifies that a security policy loaded on a Security Gateway came from an authorised SmartCenter
SIC ensures that data privacy and integrity are maintained
SIC Certificates
enable each Check Point enabled machine to be uniquely identified
a unique certificate is generated for each physical machine
certificates are generated by the Internal Certificate Authority (ICA) on the Management module
SIC Certificates
the ICA automatically creates a certificate for the Management module during installation
certificates for other modules are created via a simple initialisation from the Management Client
upon initialisation, the ICA creates, signs and delivers a certificate to the communication component
Distributed VPN-1 NGX configuration with certificates
SmartConsole components
SmartDashboard
SmartView Tracker
SmartView Monitor
SmartUpdate
Policy Editor
SmartDashboard
SmartView Tracker
Log viewer/management
SmartView Monitor
SmartUpdate
SmartUpdate…
Module 1:
Review
Summary
Review Questions
Review and discussion
Review Questions
What is a Stateful Inspection firewall?
What process does Check Point FireWall use to accept, drop, or reject packets?
What three components make up the Check Point Firewall?
What are the key SmartConsole components?
What are the deployment models?
Lab 1: NGX Stand-alone Installation
Installing VPN-1 NGX (SmartCenter and Security Gateway) on SecurePlatform
Installing SmartConsole on Windows
Lab 1: NGX Stand-alone Installation
Lab Topology
Security Administration
Lab IP Addresses
PC | IP PC (Web Server) | IP FW Internal (Int 0) | IP FW DMZ (Int 1) | IP FW External (Int 2) | FW Default Gateway
1 172.16.1.5/24 172.16.1.1/24 172.17.1.1/24 192.168.50.1/24 192.168.50.254/24
2 172.16.2.5/24 172.16.2.1/24 172.17.2.1/24 192.168.50.2/24 192.168.50.254/24
3 172.16.3.5/24 172.16.3.1/24 172.17.3.1/24 192.168.50.3/24 192.168.50.254/24
4 172.16.4.5/24 172.16.4.1/24 172.17.4.1/24 192.168.50.4/24 192.168.50.254/24
5 172.16.5.5/24 172.16.5.1/24 172.17.5.1/24 192.168.50.5/24 192.168.50.254/24
6 172.16.6.5/24 172.16.6.1/24 172.17.6.1/24 192.168.50.6/24 192.168.50.254/24
7 172.16.7.5/24 172.16.7.1/24 172.17.7.1/24 192.168.50.7/24 192.168.50.254/24
8 172.16.8.5/24 172.16.8.1/24 172.17.8.1/24 192.168.50.8/24 192.168.50.254/24
9 172.16.9.5/24 172.16.9.1/24 172.17.9.1/24 192.168.50.9/24 192.168.50.254/24
10 172.16.10.5/24 172.16.10.1/24 172.17.10.1/24 192.168.50.10/24 192.168.50.254/24
11 172.16.11.5/24 172.16.11.1/24 172.17.11.1/24 192.168.50.11/24 192.168.50.254/24
12 172.16.12.5/24 172.16.12.1/24 172.17.12.1/24 192.168.50.12/24 192.168.50.254/24
13 172.16.13.5/24 172.16.13.1/24 172.17.13.1/24 192.168.50.11/24 192.168.50.254/24
14 172.16.14.5/24 172.16.14.1/24 172.17.14.1/24 192.168.50.14/24 192.168.50.254/24
15 172.16.15.5/24 172.16.15.1/24 172.17.15.1/24 192.168.50.15/24 192.168.50.254/24
16 172.16.16.5/24 172.16.16.1/24 172.17.16.1/24 192.168.50.16/24 192.168.50.254/24
17 172.16.17.5/24 172.16.17.1/24 172.17.17.1/24 192.168.50.17/24 192.168.50.254/24
18 172.16.18.5/24 172.16.18.1/24 172.17.18.1/24 192.168.50.18/24 192.168.50.254/24
19 172.16.19.5/24 172.16.19.1/24 172.17.19.1/24 192.168.50.19/24 192.168.50.254/24
20 172.16.20.5/24 172.16.20.1/24 172.17.20.1/24 192.168.50.20/24 192.168.50.254/24
SecurePlatform Installation
Linux-based operating system (kernel 2.4 & 2.6)
Can be installed on open servers, Check Point appliances (UTM-1, Power-1), or third-party appliances (Crossbeam)
Installed by booting from a CD, or over USB (USB CD drive or USB device)
Use the command-line interface or the Web interface during installation (note that Check Point appliances require the initial installation to be done through the Web interface)
SecurePlatform Installation
Some notes
Set a proper hostname; this name will be used for the gateway object
Set the time and date accurately, with the time zone set to Vietnam GMT+7
The management IP will be the IP used for the object. Use the address of the interface facing the SmartCenter, or the internal network (stand-alone deployment)
SecurePlatform Configuration
Configuration via the command line (console, SSH)
Configuration via the Web interface:
webui enable [https port]
webui disable
SecurePlatform Configuration
Commonly used commands and utilities
sysconfig: sets most of the basic OS configuration
cpconfig: configures the Check Point products
expert: enters Expert Mode to use Linux commands
fw ver, fwm ver: display the version
cpstop, cpstart, cprestart
fw stat: shows the policy currently installed on the firewall
SecurePlatform Configuration
Commonly used commands and utilities
fw unloadlocal: unloads the policy from the firewall
After the Check Point installation completes, a default 'deny all' policy is installed. Use this command when you need to open the initial management connections, for testing, or when the firewall has blocked you out.
SecurePlatform Routing
Routing
ip route add x.x.x.x/xx via x.x.x.x
ip route add x.x.x.x/xx dev ethx
ip route add default via x.x.x.x
ip route add default dev ethx
ip route show
route --save
Lab 2: Distributed Deployments Installation
Installing SmartCenter on Windows Server 2003
Installing Security Gateway on SecurePlatform
Installing SmartConsole on Windows
Lab 2: Distributed Deployments Installation
Lab Topology
Lab IP Addresses
PC | IP PC (Web Server) | IP SmartCenter | IP FW Internal (Int 0) | IP FW Server (Int 1) | IP FW External (Int 2) | FW Default Gateway
1 172.16.1.5/24 172.17.1.2/24 172.16.1.1/24 172.17.1.1/24 192.168.50.1/24 192.168.50.254/24
2 172.16.2.5/24 172.17.2.2/24 172.16.2.1/24 172.17.2.1/24 192.168.50.2/24 192.168.50.254/24
3 172.16.3.5/24 172.17.3.2/24 172.16.3.1/24 172.17.3.1/24 192.168.50.3/24 192.168.50.254/24
4 172.16.4.5/24 172.17.4.2/24 172.16.4.1/24 172.17.4.1/24 192.168.50.4/24 192.168.50.254/24
5 172.16.5.5/24 172.17.5.2/24 172.16.5.1/24 172.17.5.1/24 192.168.50.5/24 192.168.50.254/24
6 172.16.6.5/24 172.17.6.2/24 172.16.6.1/24 172.17.6.1/24 192.168.50.6/24 192.168.50.254/24
7 172.16.7.5/24 172.17.7.2/24 172.16.7.1/24 172.17.7.1/24 192.168.50.7/24 192.168.50.254/24
8 172.16.8.5/24 172.17.8.2/24 172.16.8.1/24 172.17.8.1/24 192.168.50.8/24 192.168.50.254/24
9 172.16.9.5/24 172.17.9.2/24 172.16.9.1/24 172.17.9.1/24 192.168.50.9/24 192.168.50.254/24
10 172.16.10.5/24 172.17.10.2/24 172.16.10.1/24 172.17.10.1/24 192.168.50.10/24 192.168.50.254/24
11 172.16.11.5/24 172.17.11.2/24 172.16.11.1/24 172.17.11.1/24 192.168.50.11/24 192.168.50.254/24
12 172.16.12.5/24 172.17.12.2/24 172.16.12.1/24 172.17.12.1/24 192.168.50.12/24 192.168.50.254/24
13 172.16.13.5/24 172.17.13.2/24 172.16.13.1/24 172.17.13.1/24 192.168.50.11/24 192.168.50.254/24
14 172.16.14.5/24 172.17.14.2/24 172.16.14.1/24 172.17.14.1/24 192.168.50.14/24 192.168.50.254/24
15 172.16.15.5/24 172.17.15.2/24 172.16.15.1/24 172.17.15.1/24 192.168.50.15/24 192.168.50.254/24
16 172.16.16.5/24 172.17.16.2/24 172.16.16.1/24 172.17.16.1/24 192.168.50.16/24 192.168.50.254/24
17 172.16.17.5/24 172.17.17.2/24 172.16.17.1/24 172.17.17.1/24 192.168.50.17/24 192.168.50.254/24
18 172.16.18.5/24 172.17.18.2/24 172.16.18.1/24 172.17.18.1/24 192.168.50.18/24 192.168.50.254/24
19 172.16.19.5/24 172.17.19.2/24 172.16.19.1/24 172.17.19.1/24 192.168.50.19/24 192.168.50.254/24
20 172.16.20.5/24 172.17.20.2/24 172.16.20.1/24 172.17.20.1/24 192.168.50.20/24 192.168.50.254/24
Check Point Security Administration
Module 2: Security Policy
Module 2: Security Policy
Introduction
Objectives
Explain the function and operation of a Security Policy
Create and modify policy, rules, objects…
Modify Global Properties
Configure anti-spoofing on the firewall
Use Policy Package Management
Use Database Revision Control
Security Policy Defined
What is a Security Policy?
a set of rules that defines network security
Considerations
Which services, including customized services and sessions, are allowed across the network?
Which user permissions and authentication schemes are needed?
Which objects are in the network? Examples include gateways, hosts, networks, routers, and domains.
© 2006 Check Point Software
Rule Base
Launching the SmartDashboard…
Check Point SmartDashboard enables administrators to define the security policy
only one administrator with read/write permissions can be logged in at any one time
Start \ Programs \ Check Point SmartConsole R65 \ SmartDashboard
Defining Basic Objects…
Defining Node Object
Defining Network Object
Defining Address range Object
Defining Group Object
Launching the SmartDashboard and defining basic objects
Anti-Spoofing…
Scenario
Anti-spoofing
Spoofing is a technique used by intruders attempting to gain unauthorised access
a packet's source IP address is altered to appear to come from a part of the network with higher privileges
Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway
i.e. packets claiming to originate in the internal network actually DO come from that network
Configuring Anti-Spoofing
Networks reachable from an interface need to be defined appropriately
Should be configured on all interfaces
Spoof tracking is recommended
Anti-spoofing rules are enforced before any rule in the Security Policy rule base
Configuring Anti-Spoofing
Rule Base Defined
Rule Base Elements
- No.
- Name
- Source
- Destination
- VPN
- Services
- Action
- Track
- Install on
- Time
- Comment
Creating the Rule Base
The default rule
added when you add a rule to the Rule Base
The Basic Rules
Cleanup Rule
CP follows the principle "that which is not expressly permitted, is prohibited"
all communication attempts not matching a rule will be dropped
the cleanup rule drops all remaining communication but allows specific logging
The Basic Rules
The Stealth Rule
prevents users from connecting directly to the firewall
Implicit, Explicit Rules and …
NGX creates implicit rules from Global Properties
Explicit rules are created by the Administrator in the SmartDashboard
Control Connections
VPN-1 NGX creates a group of implicit rules that it places first, last or before last…
Implicit rules, Global Properties
Rule Base Order
VPN-1 NGX enforces the rule base in the following order:
IP spoofing
NAT
Security Policy "First" rule
Administrator defined rule base
Security Policy "before last" rule
Cleanup rule or Security Policy "last" rule
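To make the enforcement order concrete, here is an added Python model (not Check Point code and not from the course) of a gateway applying anti-spoofing on the receiving interface first and then the rule base top-down, first match wins, with a stealth rule above the cleanup rule. The topology and rules are constructed from the Lab 1 addressing for PC 1; NAT and the implicit "first"/"before last" rules are left out of the model.

```python
import ipaddress

# Constructed topology for Lab 1 (PC 1): the networks that lie behind each
# gateway interface. None marks the external interface, whose "network" is
# everything not defined behind another interface.
TOPOLOGY = {
    "eth0": [ipaddress.ip_network("172.16.1.0/24")],  # Int 0: internal
    "eth1": [ipaddress.ip_network("172.17.1.0/24")],  # Int 1: DMZ
    "eth2": None,                                     # Int 2: external
}
# The gateway's own interface addresses (what the stealth rule protects).
GATEWAY_IPS = {"172.16.1.1", "172.17.1.1", "192.168.50.1"}

# Constructed rule base: (name, source, destination, service, action, track).
# Order matters: first match wins, so "Ping to gateway" sits above "Stealth",
# and "Cleanup" is last so every unmatched attempt is dropped and logged.
RULES = [
    ("Ping to gateway", "172.16.1.0/24", "Gateway", "icmp", "accept", "log"),
    ("Stealth",         "Any",           "Gateway", "Any",  "drop",   "log"),
    ("Ping out",        "172.16.1.0/24", "Any",     "icmp", "accept", "none"),
    ("Internet HTTP",   "172.16.1.0/24", "Any",     "http", "accept", "log"),
    ("Cleanup",         "Any",           "Any",     "Any",  "drop",   "log"),
]


def spoof_check(iface, src):
    """Anti-spoofing: accept a packet on `iface` only if its source address
    belongs to a network defined behind that interface."""
    src_ip = ipaddress.ip_address(src)
    nets = TOPOLOGY[iface]
    if nets is None:
        # External interface: the source must not claim an internal or DMZ address.
        internal = [n for v in TOPOLOGY.values() if v for n in v]
        return not any(src_ip in n for n in internal)
    return any(src_ip in n for n in nets)


def match_addr(addr, spec):
    """Match a packet address against a rule column: Any, Gateway or a network."""
    if spec == "Any":
        return True
    if spec == "Gateway":
        return addr in GATEWAY_IPS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def evaluate(iface, src, dst, service):
    """Return (action, matched_by, track) for a packet arriving on `iface`.
    Anti-spoofing is checked before any rule in the rule base."""
    if not spoof_check(iface, src):
        return ("drop", "anti-spoofing", "log")
    for name, s, d, svc, action, track in RULES:
        if match_addr(src, s) and match_addr(dst, d) and svc in ("Any", service):
            return (action, name, track)
    return ("drop", "implicit drop", "none")  # only reached without a cleanup rule


if __name__ == "__main__":
    samples = [
        ("eth0", "172.16.1.5", "172.16.1.1", "icmp"),    # ping to the gateway
        ("eth0", "172.16.1.5", "172.16.1.1", "ssh"),     # caught by the stealth rule
        ("eth0", "172.16.1.5", "203.0.113.10", "http"),  # Internet access
        ("eth2", "172.16.1.5", "172.16.1.1", "icmp"),    # internal source on the external interface
        ("eth2", "203.0.113.10", "172.16.1.5", "http"),  # unsolicited inbound, cleanup rule
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
```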
Create a new policy package
Add new rule into policy
Add object into rule
Basic Policy
Verify / Install and Uninstall a Security Policy
Verify a Security Policy
Select Policy \ Verify from the SmartDashboard
Click OK
Install/Uninstall a Security Policy
Select Policy \ Install (or Uninstall) from the SmartDashboard
Click Select All to select all items on the screen (specific items may be deselected)
Click OK
Install Policy
Defining and installing a basic policy
Stealth Rule
Allow Ping to firewall gateway
Allow Ping from Internal network to outside
Allow Internet access (HTTP)
Cleanup Rule
Defining and installing a basic policy
Modify Routing Table for ping test
- sysconfig
- add route:
Dest 172.16.x.0/24 gateway 192.168.50.x
Advanced Security Policy
Hide/Unhide rule
Enable/Disable rule
Add section title
Object Cloning
Masking Rules
Rules in a rule base can be hidden to allow easier reading of a complex rulebase (masking rules)
All other rules remain visible; however, their numbers won't change
Hidden rules are still enforced on the gateway
Viewing Hidden Rules
if View Hidden in the Rules > Hide menu is checked, all rules set as hidden are displayed
Unhiding Hidden Rules
select Unhide All from the Rules > Hide menu
Hide/Unhide rule
Disabling Rules
a disabled rule will only take effect after the security policy is reinstalled
the rule will still be displayed in the rulebase
Enabling a Disabled Rule
select the disabled rule and right click
select Disable Rule to deselect
remember to reinstall the policy
Enable/Disable rule
Add section title
Add section title (continue…)
Object Cloning
Policy editing
Clone Object
Add Section Title
Hide rule
Disable Rule
Command Line Options for the Security Policy
Basic Options
cpstart/cpstop: starts and stops all CP applications running on the machine
cprestart: issues a cpstop and a cpstart
cplic print: displays the details of the NGX licenses
fw ver, fwm ver: display the version
fw unloadlocal: uninstalls the current policy of the local Gateway
Improving Performance
SmartCenter
listing machine names and IP addresses in a hosts file will decrease installation time for created network objects
/etc/hosts (Solaris)
\winnt\system32\drivers\hosts (Windows)
Improving Performance…
Security Gateway
Keep the rulebase simple
Position the most frequently used rules at the top of the rulebase
Don't log unnecessary connections
Limit the use of the Reject action in rules
Use a network object in place of many node objects
Use IP address ranges in rules instead of a set of nodes
Database revision control and Policy package management
Database revision control
DRC lets the admin create fallback configurations when implementing new objects or rules
Policy package management
PPM lets the admin create multiple versions of a Security Policy, but the objects need to stay the same
Using Database Revision Control
Using Database Revision Control and Policy Package management
Review
1. If a rule is masked or hidden, is it disabled and no longer part of the Rule Base?
2. When you select a rule, and then select "Disable Rule(s)" from the menu, what must you also do before the rule is actually disabled?
3. How does masking help you maintain a Rule Base?
4. Define some guidelines for improving VPN-1/FireWall-1 NG's performance via a Security Policy
5. Which of the following options is used to back up the entire Policy database?
• Database revision control
• Policy package management
Check Point Security Administration
Module 3: Network Address Translation
Introduction
Objectives
List the reasons and methods for Network Address Translation
Demonstrate how to set up Static NAT
Demonstrate how to set up Dynamic (Hide) NAT
Network Address Translation (NAT)
Network Address Translation
What is NAT?
as a component of Check Point Firewall it is used for three things:
to make use of private IP addresses on the internal network
to conceal internal networks from outside networks for security reasons
to give ease and flexibility to network administration
For example, an internal Web server with IP address 192.168.1.1 could be assigned a NAT address of 172.10.101.111
Module 3:
NAT
IP Addressing
RFC 1918 details the reserved address groups
Class A network numbers
– 10.0.0.0 – 10.255.255.255
Class B network numbers
– 172.16.0.0 – 172.31.255.255
Class C network numbers
– 192.168.0.0 – 192.168.255.255
Module 3
Network Administration
VPN-1/Firewall-1 supports two types of NAT
Static NAT
Dynamic (Hide) NAT
Understanding Dynamic (Hide) NAT
Module 3:
Dynamic NAT
Module 3
Dynamic (Hide) NAT Ctd.
in hide mode, packets' source port numbers are modified
the destination of a returning packet is determined by the port number
port numbers are dynamically assigned from two pools of numbers:
from 600 to 1023
from 10,000 to 60,000
hide mode cannot be used for protocols where the port number cannot be changed or where the destination IP address is required
Module 3:
Hide Mode Address Translation
Module 3:
Hiding Behind Gateway
all clients will be hidden behind the firewall's server side interface
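An added Python model (not Check Point code and not part of the course material) of how hide mode keeps many clients behind one address: a translated source port drawn from the two pools named above identifies each connection, and replies are mapped back to the hidden client by that port. The hide address is the PC 1 external interface from the Lab 1 table; client and server addresses are constructed.

```python
from collections import deque

# Constructed: the gateway's external address (Lab 1, PC 1) that every internal
# client is hidden behind.
HIDE_ADDR = "192.168.50.1"
# The two port pools hide mode allocates translated source ports from.
PORT_POOLS = ((600, 1023), (10000, 60000))


class HideNAT:
    """Minimal model of hide-mode (dynamic) NAT: many clients share one
    address, and the translated source port identifies the connection."""

    def __init__(self, hide_addr=HIDE_ADDR):
        self.hide_addr = hide_addr
        self.free_ports = deque(p for lo, hi in PORT_POOLS for p in range(lo, hi + 1))
        self.by_port = {}   # hide port -> (client, client_port, dst, dport)
        self.by_conn = {}   # (client, client_port, dst, dport) -> hide port

    def pool_size(self):
        """Total ports available for hiding: 424 + 50,001 with the pools above."""
        return len(self.free_ports) + len(self.by_port)

    def outbound(self, src, sport, dst, dport):
        """Translate a packet from an internal client. Returns the packet as
        seen on the outside: (hide_addr, hide_port, dst, dport)."""
        conn = (src, sport, dst, dport)
        hport = self.by_conn.get(conn)
        if hport is None:
            if not self.free_ports:
                raise RuntimeError("hide port pools exhausted")
            hport = self.free_ports.popleft()
            self.by_port[hport] = conn
            self.by_conn[conn] = hport
        return (self.hide_addr, hport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        """Map a packet arriving from outside back to the hidden client.
        Returns (src, sport, client, client_port), or None when no connection
        owns the port: an unsolicited packet cannot reach a hidden host, which
        is why hide mode does not suit services that must be reachable by address."""
        if dst != self.hide_addr:
            return None
        conn = self.by_port.get(dport)
        if conn is None or (src, sport) != (conn[2], conn[3]):
            return None
        return (src, sport, conn[0], conn[1])

    def close(self, src, sport, dst, dport):
        """Release the hide port when the connection ends; returns the port."""
        hport = self.by_conn.pop((src, sport, dst, dport), None)
        if hport is not None:
            del self.by_port[hport]
            self.free_ports.append(hport)
        return hport


if __name__ == "__main__":
    nat = HideNAT()
    # Two clients using the same local port reach the same server: only the
    # hide port tells their connections apart on the outside.
    print(nat.outbound("172.16.1.5", 40000, "203.0.113.10", 80))
    print(nat.outbound("172.16.1.6", 40000, "203.0.113.10", 80))
    print(nat.inbound("203.0.113.10", 80, HIDE_ADDR, 600))   # reply to client 1
    print(nat.inbound("203.0.113.10", 80, HIDE_ADDR, 700))   # None: no such session
```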
Understanding Static NAT
Module 3
Static Source NAT
translates private internal source IP addresses to a public external source IP address
initiated by internal clients with private IP addresses
Module 3: Static Source NAT
Module 3: Address Translation Using Static Source Mode
Module 3
Static Destination NAT
translates public addresses to private addresses
initiated by external clients
Module 3: Address Translation Using Static Destination Mode
[Figure: Address Translation Using Static Destination Mode, public address 204.32.38.112]
Module 3:
Automatic and Manual NAT Rules
NAT Rules
NAT rules consist of two elements
the conditions that specify when the rule is to be applied
the action to be taken when the rule is applied
each section in the NAT Rule Base Editor is divided into Source, Destination and Service
Module 3
Edit Object’s properties to enable Automatic NAT
Module 3
Configure manual NAT
Automatic NAT rules are generated by Gateway
Module 3:
Static NAT
Hide NAT
Lab
• Hide NAT allows the LAB network to connect to the Internet
• Static NAT makes the Web server public so that outside users can access it
Check Point Security Administration
Module 4: Log/Monitoring
Module 3: Log/Monitoring
Introduction
Objectives
Use SmartView Tracker to display information about traffic controlled by NGX
Use SmartView Tracker to block an intruder connection
Use SmartView Monitor to display information about firewalls and connection status in real time, and to block Suspicious Activity
SmartView Tracker
Provides visual tracking, monitoring and accounting information
Provides control over the log file display
Allows quick access to information
Any event which causes an alert is logged, including some system events such as the installation of a policy
SmartConsole: SmartView Tracker
SmartView Tracker …
Log File Management
the File menu allows the administrator to perform the following tasks:
Open
Save as
Export
Switch active file…
Purge active file
View events using filters
Logs management
View administrator’s activities
Block intruders
SmartUpdate
Made up of two components: Packages Manager and License Manager
allows tracking of currently installed versions of CP and OPSEC products
updating of installed CP and OPSEC software remotely from a centralised location
centrally managing licenses
SmartUpdate Architecture
Distributed Configuration
NGX Licensing
License Types
central: the license is linked to the IP address of the management server
local: tied to the IP address to which the license will be applied
Obtaining Licenses
locate the certificate key on the cover of the CP CD
go to www.checkpoint.com and select User Center to obtain an evaluation or permanent license
Check Point User Center
SmartConsole: SmartView Monitor
Checking status in SmartView Monitor
Gateway - Network Activity
Suspicious Activity
Setting up Suspicious Activity rule
Block Suspicious Activity
Review
1. Which SmartConsole component shows which policy is installed on a firewall gateway?
2. An administrator suspects that a firewall's hard disk is full; which SmartConsole component helps the administrator check this?
3. Which SmartConsole component is used first to help the administrator troubleshoot a connection failure that has occurred?
4. The active log file has become too large; what operation is needed to save the contents of the active log file to another log file for retention?
5. How do you activate a license for a firewall?
Check Point Security Administration NGX I
Authorized Check Point Distributor
Module 5: SmartDefense - Attack protection, virus scanning, URL filtering
Module 4: SmartDefense - Attack protection, virus scanning, URL filtering
Introduction
Objectives
Create attack-protection profiles and apply them to different firewalls
Configure protection against network-level and application-level attacks
Update with the latest attack protections
Check whether any attacks have occurred
Configure virus scanning and URL filtering
Module 4: Attack protection - IPS
• Access control is based on port numbers and source and destination addresses, etc. However, this is not enough: application-level attacks can still take place through the services that are opened.
• SmartDefense provides intrusion detection and prevention (IPS) at the application level
• Attack-detection signatures are updated continuously in real time
Module 4: Creating profiles for firewalls
Module 4: Creating profiles for firewalls
Each profile is a set of attack-protection settings. The administrator can create several different profiles to apply to different firewalls.
The default profile contains the most basic protections (enabled).
Module 4: Configuring protections in a profile
View the information, description and impact of the attack
Module 4: Activating a protection
Module 4: Configuring protections in a profile
Select the profile, activate the protection and tune its parameters as appropriate
Module 4: Applying profiles to firewalls
Module 4: SmartDefense Services: protection updates
Module 4: SmartDefense Services
• Log in with the UserCenter account that was provided
• Download the latest protection updates (while the service subscription is valid)
• Shows the newest attacks added in the latest update, with advisories and configuration guidance for the protections
Module 4: SmartDefense Services
Module 4: How do you know an attack has occurred?
• Configure tracking for the protections
• Use SmartView Tracker, SmartView Monitor and the guidance in SmartDefense Services
Module 4: Virus scanning at the gateway
Turn on Anti-virus Component
Module 4: Antivirus - Integrated Antivirus Policy & Updates
• Scan for viruses right at the access gateway, stopping them before they enter the system
• Scans the SMTP, POP3, FTP and HTTP protocols, by stream or by IP
• File types can be scanned, bypassed or blocked on access
Turn on URL filtering component
Module 4: URL Filtering
URL Filtering
URL Filtering – Advanced options
• Allowed URL/IP list
• Blocked URL/IP list
• Exceptions
• Block notification
URL Filtering – Database
Updates are part of the SDAV Subscription
URL Filtering
– Leading URL database (Websense)
– More than 15 million sites
– Fast updates and high accuracy
– Tightly integrated with SmartCenter
Module 4: SmartDefense
Check Point Security Administration
Module 7: Disaster Recovery
Disaster Recovery
Introduction
Objectives
Backups are used to restore configurations and keep downtime to a minimum
Backup and Restore system configurations
Backup
backup -f filename
backup -e on 17:00 -m 25 --file filename
backup -e : to view the schedule setting
Backups are stored in /var/CPbackup/backups
Restore
restore
[L] Restore local backup package
[T] Restore backup package from TFTP server
[S] Restore backup package from SCP server
[R] Remove local backup package
[Q] Quit
Backup and Restore Policy database
$FWDIR (/opt/CPsuite-R65/fw1)
conf: rules, objects, policy, user database
lib:
log:
objects.C and objects_5_0.C
($FWDIR/conf)
rulebase_5_0.fws ($FWDIR/conf)
fwauth.NDB ($FWDIR/conf and
$FWDIR/database)
Backup and Restore Policy database
Export
/opt/CPsuite-R65/fw1/bin/upgrade_tools/
Copy "windows\Actions" on CD2 to C:\
upgrade_export filename
Import
upgrade_import filename
Backup and Restore System Configuration, Policy database and Log files
snapshot command
Image management via Web console
Backup and Restore