What is a firewall?
- Controls traffic between trusted and untrusted networks, and provides network partitioning
- Restricts the entrance and exit of traffic based on acceptability
A wall is a bad analogy
- Your firewall may have more than two sides
- You may install enforcement points throughout your network: more like a honeycomb?
- Even when we allow traffic through, we watch it carefully
- We don't just punch holes in the firewall
Best of Breed security applications
VPN-1/Firewall-1 NGX
VPN-1/Firewall-1 NGX
Logical components of FW-1 NGX
- Management Server (SmartCenter Server): manages the security policy and object DBs, the log DB, and concurrent administrative access
- Management Clients (SmartConsole / SMART clients): user interfaces for building objects and security policy rules; views logs and FW status
- Multiple firewall modules (FWM) / Enforcement Points: enforce the security policy and report status and log data to the management server
Check Point components for various architectures (figure)
- Enforcement (Firewall) Module: platforms Nokia IPSO, Solaris, Linux, Windows 2000, Windows 2003, HP-UX, AIX, CP SecurePlatform; contains FWD*, Security servers, Inspection Module, SNMP, SVN** Foundation
- SmartCenter (Management) Server: platforms Windows, Solaris, Nokia IPSO, Linux, Windows 2000, Windows 2003, HP-UX, CP SecurePlatform; contains Databases, FWM, FWD*, SVN Foundation
- SmartConsole (GUI)
* FWD: Firewall Daemon
** SVN: Secure Virtual Networking
CP logical components can be physically different (figure)
- Stand-alone: Management Server and Firewall Enforcement Point on one host, with a GUI
- Distributed, single Management Server, redundant Firewall Enforcement Points (VRRP), with a GUI
- Distributed, redundant Management Servers, redundant Firewall Enforcement Points (VRRP), with a GUI
About the boot manager
- The partition menu probably defaults to 1: Bootmgr
- Nokia allows booting direct to IPSO (2), or IPSO using the boot manager (1)
- The boot manager has a command mode; we don't need it just at the moment, so don't press a key
Boot manager commands
- Boot an alternate kernel
- Reinstall IPSO
- Single user boot (and password recovery)
- Diagnostic info
- The boot manager includes a small subset of the IPSO OS on a separate partition or disk
- You can reinstall a corrupt IPSO from the boot manager
- You can reinstall a corrupt boot manager from IPSO
Set the IP address, default route and speeds
- Set the IP address: in the class use 10.x.x.1/16 on the LAN side interface; the LAN interface will be eth1
- Configure the default route according to the class topology; it's okay that it is not reachable yet, configure it anyway
- Configure the speed and duplex to 100M full duplex; CHECK with the instructor in case speed/duplex are different
- Confirm the configuration
Accessing features in Voyager
- Access all the features from the navigation tree; expand the tree to view all the features at a glance
- Navigation frame width is adjustable
- The current feature is highlighted
- Tree hierarchy is consistent with IPSO 3.9 Voyager
The main interfaces screen
- We will have three interfaces in this class; the third one is configured using clish
- Check that they appear here as you would expect
- Note the physical and link layer status lights: red, green, or blue; blue means a hot-swap interface is not present
Adding static routes
- Static routes will allow team1fw1 to get to team3-Net
- Interface routes allow team1fw1 to get through to team1-Net and to the Internet
Lab topology (figure)
- team1-Net 10.1.1.0/16: team1pc1 10.1.1.101, team1pc2 10.1.1.10, team1fw1 10.1.1.1
- team1fw1 172.21.101.1/16 to Lab router 172.21.101.2/16
- team3-Net 10.1.3.0/16: team3pc1 10.1.3.103, team3pc2 10.1.3.10, team3fw1 10.1.3.1
- team3fw1 172.23.103.1 to Lab router 172.23.103.2/16
- Lab router to Internet: 192.168.22.0/24 (192.168.22.101 and 192.168.22.103 shown)
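As an added example (not from the course slides): a small Python check of the routes planned for team1fw1, using the addresses drawn on the lab diagram. The external interface name is assumed, and the /16 masks are taken exactly as printed; the check reports next hops that are not on a directly connected network and static destinations that overlap an interface route.

```python
# Added example (not from the course slides): sanity-check the static and
# interface routes planned for team1fw1 before entering them in Voyager/clish.
# Addresses come from the lab diagram; the external interface name is assumed.
import ipaddress

# Interfaces on team1fw1: name -> address with mask (from the lab diagram)
TEAM1FW1_INTERFACES = {
    "eth1 (team1-Net)": "10.1.1.1/16",
    "external (name assumed)": "172.21.101.1/16",
}

# Static routes we intend to add: destination -> next hop
TEAM1FW1_STATIC_ROUTES = {
    "default": "172.21.101.2",      # lab router, towards the Internet
    "10.1.3.0/16": "172.21.101.2",  # team3-Net via the lab router
}

def connected_networks(interfaces):
    """Directly connected networks; these are what the interface routes cover."""
    return [ipaddress.ip_interface(a).network for a in interfaces.values()]

def check_routes(interfaces, static_routes):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    connected = connected_networks(interfaces)
    for dest, nexthop in static_routes.items():
        hop = ipaddress.ip_address(nexthop)
        # A next hop must be on-link: the firewall cannot ARP for a gateway
        # that is not on one of its connected networks.
        if not any(hop in net for net in connected):
            problems.append(f"{dest}: next hop {nexthop} is not on a connected network")
        if dest == "default":
            continue
        dest_net = ipaddress.ip_network(dest, strict=False)
        if str(dest_net) != dest:
            problems.append(f"{dest}: host bits set, the prefix actually means {dest_net}")
        # A static destination overlapping a connected network competes with
        # the interface route, so traffic may be sent the wrong way.
        for net in connected:
            if dest_net.overlaps(net):
                problems.append(f"{dest}: overlaps connected network {net}")
    return problems

if __name__ == "__main__":
    for line in check_routes(TEAM1FW1_INTERFACES, TEAM1FW1_STATIC_ROUTES) or ["no problems found"]:
        print(line)
```

With the /16 masks as printed, the check flags 10.1.3.0/16 as overlapping the connected team1-Net; with /24 masks on the team networks it reports nothing.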
Network Testing
Ping !..!!!..!!!!!!!!!...........!!!!!!!!!!!!!!!!!!!
Installing Check Point through Voyager
- Four-step procedure
- Download the FTP package
- In IPSO 4.2, HTTP upload is very useful
Installing Check Point through Voyager
Package configuration is from the UNIX command line
- Package configuration is from the UNIX command line, similar to the Solaris and Linux versions
- Be sure to log out and log back in so that the CP software is in your path before you run cpconfig
Distributed installation
Configuring secure internal communications
Final steps
Basic components of VPN-1/FireWall-1 NGX
Introduction to SmartDashboard and Objects
Create a gateway and take control of it
Install an Allow All policy
- On the desktop, or Start / Programs / Check Point Smart Clients
- The default policy is drop-all
- You may have noticed that you currently can't SSH or use Voyager
- Allow all isn't very secure
- Your instructor may show you more if you have extra time
- You need to attend CP Mgmt I or an equivalent class to learn Check Point-specific security information
Save, Verify, Compile, and Install the policy
- Policy / Install does all of this in one easy step
- Policies are always installed from a saved copy
SmartView Monitor
DEMO
Thanks for coming