Check Point Software Technologies Ltd.
Check Point Certified Security Administrator R75
Student Manual
No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Check Point Software Technologies Ltd. No patent liability is assumed with respect to the use of the information contained herein. While every precaution has been taken in the preparation of this publication, Check Point Software Technologies Ltd. assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Copyright
© 2003-2011 Check Point Software Technologies Ltd. All rights reserved.
Trademarks
Check Point, Check Point Abra, AlertAdvisor, Application Intelligence, Check Point Application Control Software Blades, Check Point Data Loss Prevention, Check Point DLP, Check Point DLP-1, Check Point Endpoint Security, Check Point Endpoint Security On Demand, the Check Point logo, Check Point Full Disk Encryption, Check Point Horizon Manager, Check Point Identity Awareness, Check Point IPS, Check Point IPSec VPN, Check Point Media Encryption, Check Point Mobile, Check Point Mobile Access, Check Point NAC, Check Point Network Voyager, Check Point OneCheck, Check Point R75, Check Point Security Gateway, Check Point Update Service, Check Point WebCheck, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, DefenseNet, Dynamic ID, Endpoint Connect VPN Client, Endpoint Security, Eventia, Eventia Analyzer, Eventia
Document #: DOC-Manual-Lab-CCSA-R75
Revision: R75
Contributors
Test Development: Ken Finley (Check Point)
Contents
(Table of contents; the page numbers could not be recovered. Recoverable entries:)
SmartConsole Components
Security Management Server
Securing Channels of Communication
Practice and Review
IP Appliance
IP Network Voyager
IPSO
SecurePlatform
Practice and Review
Using SmartUpdate
SmartUpdate and Managing Licenses
SmartUpdate Architecture
SmartUpdate Introduction
Upgrading Licenses
Viewing License Properties
Service Contracts
Licensing R75
Licensing SmartEvent
Practice and Review
PREFACE
Course Layout
This course is designed for Security Administrators and Check Point resellers, and for those who are working towards their CCSA certification. The following professionals benefit best from this course:
System administrators
Support analysts
Network engineers
Prerequisites
Before taking this course, we strongly suggest you have the following knowledge base:
General knowledge of TCP/IP
Certification Title
The current Check Point Certified Security Administrator (CCSA) certification is designed for partners and customers seeking to validate their knowledge of Check Point's Software Blade products.
Course Chapters
Chapter 1: Introduction to Check Point Technology
Chapter 2: Deployment Platforms
Chapter 3: Introduction to the Security Policy
Chapter 4: Monitoring Traffic and Connections
Chapter 5: Using SmartUpdate
Chapter 6: User Management and Authentication
Chapter 7: Identity Awareness
Chapter 8: Introduction to Check Point VPNs
Lab Terminology
Consider the following lab topology:
Corporate Office: guiclient (AT_GUI), smcorp (AT_MGMT, the Management Server at the corporate office), sgcorp (AT_GWY), AT_DMZ, adserver (ADserver)
Branch Office: PC at the branch office
CHAPTER 1
Introduction to Check Point Technology
Design a distributed environment using the network detailed in the course topology.
Figure 1 - (Check Point Security Gateway and the Internet)
Figure 2 - The OSI layers (Layer 7 Application, Layer 6 Presentation, Layer 5 Session, Layer 4 Transport, Layer 3 Network, Layer 2 Data Link, Layer 1 Physical)
Layers 5, 6 and 7: Represent end-user applications and systems; the application layer is not the actual end-user software application, but a set of services that allow the software application to communicate through the network. Distinctions among layers 5, 6, and 7 are not always clear, and some competing models combine these layers, as does this handbook.
The more layers a firewall is capable of covering, the more thorough and effective the firewall. Advanced applications and protocols can be accommodated more efficiently with additional layer coverage. In addition, more advanced firewalls, such as Check Point's Security Gateways, can provide services that are specifically oriented to the user, such as authentication techniques and logging events to specific users.
Packet filtering
Stateful Inspection
Application Intelligence
Packet Filtering
Fundamentally, messages are divided into packets that include the destination address and data. Packets are transmitted individually and often by different routes. Once the packets reach their destination, they are recompiled into the original message.
,.....,
>
Application
Application
....""
......,
Presentation
~tatlOn
T~-,
TU""","
Data I.k'Ik
OOtaUnk
Data I.k'Ik
Physical
Phy>1eoJ
ROUTER
PROS
CONS
. ~~
" l.-Sect.Otty
.. No ScteerIIt>g ACoov
High ~
.. Sc:lIot>iHIy
Ntt~
l..Iy_1No
'Jtaq;' Of
IoPJIIil:at0000COI'II'>CI. .,brnl'llolll
Figure 3 -
Packet Filtering
Packet filtering is a firewall in its most basic form. Primarily, the purpose is to control access to specific network segments as directed by a preconfigured set of rules, or rule base, which defines the traffic permitted access. Packet filters usually function at layers 3 (network) and 4 (transport) of the OSI model.
Stateful Inspection
Stateful Inspection, a technology developed and patented by Check Point, incorporates layer 4 awareness into the standard packet-filter firewall architecture. Stateful Inspection differs from static packet filtering in that it examines a packet not only in its header, but also the contents of the packet up through the application layer, to determine more about the packet than just information about its source and destination. The state of the connection is monitored and a state table is created to compile the information. As a result, filtering includes context that has been established by previous packets passed through the firewall.
For example, stateful-inspection firewalls provide a security measure against port scanning, by closing all ports until the specific port is requested.
Figure 4 - Stateful Inspection
There are many state tables that hold useful information in regards to monitoring performance through a Security Gateway. State tables are used to keep the state information needed to correctly inspect packets. The tables are key components of Check Point Stateful Inspection technology.
Check Point's INSPECT Engine is the mechanism used for extracting the state-related information from all application layers, and maintains this information in these dynamic state tables needed for evaluating subsequent connections. The INSPECT Engine enforces Security Policies on the Security Gateway on which they reside.
Application Intelligence
A growing number of attacks attempt to exploit vulnerabilities in network applications, rather than targeting firewalls directly. Application Intelligence is a set of advanced capabilities, integrated into the firewall and IPS, which detect and prevent application-level attacks.
Application Intelligence works primarily with application-layer defenses. In practice, however, many attacks aimed at network applications actually target the network and transport layers.
Figure 5 - Protocol Examples (Layer 4: TCP, UDP; Layer 3: IP)
The diagram presents a sample flow of a new inbound packet initiating a TCP/IP session through the Inspection Module, at the kernel level:
(Flow diagram: the packet arrives at the NIC, enters the TCP/IP stack, and is matched against the rules in turn (Another rule? Rejected by rule?) before being accepted or rejected.)
Deployment Considerations
As a brief introduction to Gateway deployments, consider the network topology. The network topology represents the internal network (both the local access network (LAN) and the demilitarized zone (DMZ)) protected by the Gateway. The Gateway must be aware of the layout of the network topology to:
Correctly enforce the Security Policy.
The DMZ
If you have servers that are externally accessible from the Internet, it is recommended to create a demilitarized zone (DMZ). The DMZ isolates all servers that are accessible from untrusted sources, such as the Internet, so that if one of those servers is compromised, the intruder only has limited access to other externally accessible servers. Servers in the DMZ are accessible from any network, and all externally accessible servers should be located in the DMZ. Servers in the DMZ should be as secure as possible. Do not allow the DMZ to initiate connections into the internal network, other than for specific applications such as UserAuthority.
Figure 7 - DMZ example (Alaska_GW, Alaska_DMZ_ftp, Alaska_DMZ_mail)
Bridge Mode
Bridge mode allows for the placement of a Security Gateway without changing the existing IP routing.
A Security Gateway in Bridge mode operates as a firewall, inspecting traffic and dropping or blocking unauthorized or unsafe traffic. A Gateway in Bridge mode is invisible to all layer 3 traffic. When authorized traffic arrives at the Gateway, it is passed from one interface to another through a procedure known as bridging. Bridging creates a layer 2 relationship between two or more interfaces, where any traffic that enters one interface always exits the other. This way, the firewall can inspect and forward traffic without interfering with the original IP routing.
Bridge mode is supported on the operating system Check Point SecurePlatform.
Figure 8 - Bridge Mode
SmartConsole Components
SmartConsole is comprised of several software modules, including:
SmartDashboard
SmartEvent
SmartProvisioning
SmartReporter
SmartUpdate
SmartView Monitor
SmartView Tracker
SmartDashboard
SmartDashboard is a single, comprehensive user interface for defining and managing multiple elements of a Security Policy: Firewall security, IPSec VPN, Network Address Translation, IPS, SSL VPN, QoS, Anti Spam and Mail, Data Loss Prevention, Anti Virus and URL Filtering, and desktop security. The Check Point SmartDashboard allows you to define Security Policies and rules in terms of network objects. All such object definitions are shared among all applications for efficient Policy creation and security management.
Figure 9 - SmartDashboard
Tabs are available to define, configure or manage Check Point networks:
1. Firewall - Provides parameters useful to define the Rule Base for your network; here, you specify how connections are allowed or disallowed, authenticated and encrypted.
2. NAT (Network Address Translation) -
3.
4. Application Control - Roles.
5. Anti Spam and Mail - Configure integrated anti virus scanning, secure messaging and appropriate Web filtering parameters.
6. Mobile Access -
In this window you can quickly see the status of machines and incidents, and access the windows for the most urgent or commonly used management actions.
9. IPSec VPN -
SmartEvent
SmartEvent provides centralized, real-time event correlation of log data from Check Point perimeter, internal, and Web security gateways, as well as third-party security devices, automatically prioritizing security events for action. By automating the aggregation and correlation of raw log data, SmartEvent minimizes the amount of data that needs to be reviewed and collates and prioritizes security threats.
Figure 10 - SmartEvent
With SmartEvent, security teams no longer need to comb through the massive amount of data generated by the devices in their environment. Instead, they can focus on deploying resources on the threats that pose the greatest risk to their business.
SmartEvent is capable of managing millions of logs per day per correlation unit in large enterprise networks. Through its distributed architecture, SmartEvent can be installed on a single server but has the flexibility to spread processing load across multiple correlation units and reduce network load.
The SmartEvent Architecture
SmartEvent has several components that work together to help track down security threats and make your network more secure:
Correlation Unit - analyzes each log entry as it enters a Log server, looking for patterns according to the installed Event Policy. The logs contain data from both Check Point products and certain third-party devices. When a threat pattern is identified, the Correlation Unit forwards what is known as an event to the SmartEvent server.
SmartEvent server - receives events from a Correlation Unit, and assigns a severity level to the event, invokes any defined automatic reactions, and adds the event to the Events Database, which resides on the server. The severity level and automatic reaction are based on the Events Policy.
SmartEvent client - displays the received events, and is the place to manage events (such as filtering and closing events) and fine-tune and install the Events Policy.
Figure 11 - SmartEvent Architecture (Log server(s), Correlation Unit, SmartEvent server, SmartEvent client)
The mode is determined by the Software Blades activated and the licenses installed on the management server. If both IPS and DLP are installed and licensed, a message will ask you in which mode, IPS or DLP, you want to open SmartEvent.
SmartEvent uses filtered event views, called queries, to allow you to precisely define the types of events you want to view. Located in the Queries Tree, these queries filter and organize event data for display in the Events, Charts and Maps tabs. Queries are defined by filter properties and chart properties. Filter properties allow you to define what type of events to display and how they should be organized. Chart properties allow you to define how the filtered event data should be displayed in chart form.
SmartProvisioning
SmartProvisioning provides centralized administration and provisioning of Check Point security devices via a single management console.
Figure 12 - SmartProvisioning (System Overview)
SmartUpdate
SmartUpdate is used to manage and maintain a license repository, as well as to facilitate upgrading Check Point software. SmartUpdate is a component that distributes software applications and updates for Check Point and OPSEC certified products, and manages product licenses. SmartUpdate provides a centralized means to guarantee that Internet security throughout an enterprise network is always up-to-date.
SmartView Monitor
Based on SMART technology, SmartView Monitor provides a single, central interface for monitoring network activity and performance of Check Point applications in real time.
SmartView Monitor allows Administrators to easily configure and monitor different aspects of network activities. Graphical views can easily be viewed from an integrated, intuitive GUI.
3. Tunnels - SmartView Monitor enables Administrators to monitor connectivity among Gateways. By showing real-time information about active tunnels (i.e., information about their state and activities, volume of traffic, which hosts are most active, etc.), Administrators can verify whether the tunnels are working properly and verify privacy, authentication and integrity.
4. Remote Users - The Remote User Monitor is an administrative feature allowing you to keep track of VPN remote users currently logged in (i.e., SecuRemote, SecureClient and SSL Network Extender, and in general any IPSec client connecting to the Gateway). It provides you with a comprehensive set of filters, which enables you to easily navigate through the obtained results.
5. Cooperative Enforcement - This is a feature that works in conjunction with the Integrity Server. This feature utilizes the Integrity Server compliance capability to verify connections arriving from the various hosts across the internal network. The Security Gateway generates logs for unauthorized hosts. The logs generated for both authorized and unauthorized hosts can be viewed.
SmartView Tracker
SmartView Tracker is used for managing and tracking logs and alerts. It provides real-time, historical and visual tracking, monitoring, and accounting information for all logged connections. Additionally, SmartView Tracker logs administrator actions, such as changes to object definitions or rules, which can dramatically reduce the time needed to troubleshoot configuration errors. Security Administrators can filter or perform searches on log records, to quickly locate and track events of interest. In the case of an attack or otherwise suspicious network activity, Security Administrators can use SmartView Tracker to temporarily or permanently terminate connections from specific IP addresses.
Figure 15 - SmartView Tracker
1. Network & Endpoint tab - displays entries for security-related events for different Check Point products, as well as Check Point's OPSEC partners.
2. Active tab - shows active connections in the SmartView Tracker, i.e., connections currently open through any Security Gateway components logging to the currently active log file.
3. Management tab - tracks changes made to objects in the Rule Base, as well as general SmartDashboard use.
... administrator accounts. SmartDashboard manages users, administrators and their groups as Objects using the standard object administration tools; i.e., the Objects Tree pane and the Users and Administrators window.
Figure 16 - Administrators
The user's definition includes access permissions to and from specific machines at specific times of the day. The user definition can be used in the Rule Base's Authentication Rules and in Remote Access VPN.
SmartDashboard further facilitates user management by allowing you to define user and administrator templates. Templates serve as prototypes of standard user account properties that are common to many users. Any user you create based on a template inherits all of the template's properties, including membership in groups.
Users Database
The users defined in SmartDashboard (as well as their authentication schemes and encryption keys) are saved to the proprietary Check Point Internal Users Database on the Security Management Server.
The Users Database is automatically downloaded to Check Point hosts with installed Management Software Blades as part of the Policy installation process. Alternatively, you can manually install the Users Database by selecting Policy > Install Database... from the menu. Security Gateways that do not include a Management Software Blade do not receive the Users Database.
Figure 17 -
3DES for encryption
ICA Clients
ICA operations are performed using the following clients:
Check Point configuration tool, or cpconfig on the command line. Using this tool, the ICA is created and a SIC Certificate is issued for the Security Management Server.
ICA management tool. This tool is used to manage VPN Certificates for users that are either managed on the internal database or on an LDAP server, and to perform ICA management operations. The ICA generates audit logs when ICA operations are performed. These logs can be viewed in the SmartView Tracker Management tab.
Figure 18 - SIC (the Security Management Server issues certificates to the Security Gateways across the Intranet)
Review
1. What is the strength of Check Point's Stateful Inspection technology?
3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?
CHAPTER 2
Deployment Platforms
Before delving into the intricacies of creating and managing Security Policies, it is beneficial to know about Check Point's different deployment platforms, and understand the basic workings of Check Point's UNIX-based and Linux operating systems (IPSO and SecurePlatform) that support many Check Point products. For those familiar with Linux and UNIX this section will be a review. But for those with little to no Linux/UNIX experience, this will be a welcome guide.
Learning Objectives:
Given network specifications, perform a backup and restore the current Gateway installation from the command line.
Identify critical files needed to purge or back up, import and export users and groups, and add or delete administrators from the command line.
Deploy Gateways using sysconfig and cpconfig from the Gateway command line.
The X series - for sites requiring site-to-site VPN. This series also delivers additional capabilities such as high performance, high availability, support for multiple ISPs and automatic recovery.
Smart-1 Edge -
Figure 19 -
SmartProvisioning
SmartProvisioning is an extension of Security Management providing administrators with an effective means of provisioning and managing thousands of SmartLSM Security Gateways. UTM-1 Edge Profiles and Profile policies are defined in SmartDashboard. SmartLSM Security Gateways are provisioned and managed via the SmartProvisioning console application. For more information, see the Check Point Security Expert (CCSE) course.
Provider-1
Multi Domain Management (Provider-1) is used by large enterprises and by Managed Service Providers to centrally manage multiple, fully customized, customer domains. UTM-1 Edge appliances are integrated transparently with this management solution. The management capabilities of a Multi Domain Management CMA (Customer Management Add-On) are equivalent to those of the Security Management Gateway, including the SmartProvisioning extension. Global VPN Communities are currently not supported for UTM-1 Edge appliances. For more information, see the Check Point Multi Domain Management course.
Power-1 Appliances
The family of Power-1 appliances enables organizations to maximize security in high-performance environments such as large campuses or data centers. Utilizing multi-core technologies, Power-1 delivers a high-performance security platform capable of blocking application layer threats. Even as new threats appear, Power-1 appliances maintain or increase performance while protecting the network against attacks.
Figure 20 -
IP Appliance
The IP Security Platforms combine market-leading security software and world-class IP routing, to provide high-performance network security solutions. This appliance family is built for rapid deployment. Key advantages of the IP security solutions are presented in this section.
... key integrated applications, turn-key and ready to be
Easily serviced -
Remote-network management -
IP Network Voyager
IP Network Voyager, a Web-based application, runs on a remote computer as a client application. Voyager communicates with routing software, to configure interface hardware, set routing protocols and routing policies, and monitor routing traffic and protocol performance.
Is the primary configuration interface to IPSO.
Is an SSL-enabled, Web-based configuration and monitoring tool.
Comes packaged with the hardened IPSO operating system software.
Displays configuration parameters, status and event logs.
Permits the ability to set routing protocols, applications, and QoS rules enabled or disabled.
Once the IP Appliance is set up and configured, it is managed via the Voyager GUI interface. You simply open an Internet browser and log in to Voyager, using the authentication screen to log in. Upon successful authentication, you will be presented with the Nokia Network Voyager home page.
The IP Voyager home page displays the name of the Appliance, model number of the device, software release and version, serial number, uptime, and memory. A title bar will always be made available across the top, a configuration tree on the left, and buttons for saving and other actions across the bottom.
Configuring Voyager
After the initial configuration of the IP Appliance using IPSO is done, you can complete the IPSO configuration using Voyager.
After configuring IPSO, you will be able to:
IPSO
IPSO started as a bare-bones operating system, beginning with a base kernel with no extraneous services. The Kernel is a FreeBSD derivative, meaning that IPSO is a UNIX-based operating system. The Kernel itself is optimized for switching packets. In fact, it can also be deployed as a router only.
IPSO is still an operating system, so it can run applications compiled for it, such as the Check Point suite of products.
Figure 22 - IPSO (boot messages)
The key strengths of the IPSO operating system are:
Figure 23 - IPSO (login banner and routing table display)
To use the CLI:
Log on to the platform using a command-line connection (SSH, console, or telnet) over a TCP/IP network as an admin, cadmin, or monitor user.
If you log in as a cadmin (cluster administrator) user, you can change and view configuration settings on all the cluster nodes.
If you log in as a monitor user, you can execute only the show form of commands. That is, you can view configuration settings, but you cannot change them.
CLISH is the new default shell for all users except admin.
CLISH is designed to look more like a typical network appliance and less like UNIX.
SecurePlatform
With limited IT personnel and budget, organizations must often choose between the simplicity of pre-installed security appliances or the flexibility of open servers.
Check Point SecurePlatform combines the simplicity and built-in security of an appliance with the flexibility of an open server by enabling you to turn an Intel- or AMD-based open server into a pre-hardened security appliance in less than 5 minutes.
Figure 24 - SecurePlatform
The logs are displayed in SmartView Tracker. These should be logswitched regularly. The time between logswitches will depend on how many rules are logging, the type of logging, and the amount of traffic passing through the Security Gateway. The logswitch can be configured to perform on a set schedule, using time objects. This is completed through the SmartCenter Server and log server's General Properties.
$FWDIR/log contains log files such as ahttpd.log, aftpd.log, and asmtpd.log. These files contain information about each Security Server. $FWDIR/log can get large quickly, depending upon the amount of network traffic passing through the Security Gateway.
The rulebases_5_0.fws file is located in $FWDIR/conf. This file contains rules and auditing information about modifications made to the Rule Base. Unlike objects.C, rulebases_5_0.fws does not appear on the Security Gateway in a distributed environment. All created Rule Bases may be extracted from rulebases_5_0.fws: Select a Rule Base, then install the Security Policy on the Security Gateways. rulebases_5_0.fws is not modified manually, but is manipulated through SmartDashboard.
fwauth.NDB
The fwauth.NDB database file contains all users and groups. It is located in both the $FWDIR/conf and $FWDIR/database directories. File modification is performed through SmartDashboard user administration.
(Figure: CoreXL on N cores. The SND and the VPN-1 kernel instances (Instance 0 to Instance n-2) are distributed across Core 0 to Core n-1, each core doing its own processing.)
Daemon
A daemon is a computer program (i.e., process) that runs in the background, and doesn't rely on direct user control. In CoreXL, the firewall daemon (fwd) and other daemons can be configured to run on a dedicated core.
It is not recommended to share a core between the SND and an instance unless the machine is limited to two cores, or if you know that most of the packets are processed in the accelerated path (i.e., Performance Pack, to be fully discussed in CCSE R71). In the latter case, it is likely the instances are not receiving significant work and sharing cores becomes appropriate.
Figure 26 - CoreXL
fw ctl affinity - This command is used to set and view affinities and firewall instances. To set affinities, type fw ctl affinity -s. To list existing affinities, type fw ctl affinity -l.
However, the settings are not persistent through a restart of the security gateway. To make the settings persistent, you must edit the fwaffinity.conf configuration file.
To list complete affinity information for all Check Point daemons, kernel instances and interfaces, including items without specific affinities, and with additional information, run: fw ctl affinity -l -a -v.
fw ctl multik stat - This command displays information for each kernel instance. The state and processing core number of each instance is displayed, along with the number of connections currently being handled, and the peak number of concurrent connections the instance has handled since its inception.
sim affinity - When Performance Pack is running, the sim affinity
command controls Performance Pack driver features and applies only to
SecurePlatform. Affinity is a general term for binding NIC interrupts to
processors. By default, SecurePlatform does not set affinity for the NIC
interrupts, which means that each NIC is handled by all processors. Optimal
network performance is obtained when each NIC is individually bound to a
single processor.
You should use sim affinity to set affinities only if Performance Pack is
running. These settings will be persistent. If Performance Pack's sim affinity is
set to Automatic mode (even if Performance Pack was subsequently disabled),
you will not be able to set interface affinities by using fw ctl affinity -s.
Review
1. What are some of the advantages in deploying UTM-1 Edge Appliances?
CHAPTER 3
Introduction to the
Security Policy
Learning Objectives:
Given the network topology, create and configure network, host and gateway
objects.
Verify SIC establishment between the Security Management Server and the
Gateway using SmartDashboard.
Create a basic Rule Base in SmartDashboard that includes permissions for
administrative users, external services, and LAN outbound use.
Configure NAT rules on Web and Gateway servers.
Evaluate existing policies and optimize the rules based on current corporate
requirements.
Figure 27 - Rule Base
Figure 28 - SmartDashboard
Object-Tree Pane
The Objects tree is the main view for managing and displaying objects. Objects
are distributed among logical categories (called tabs), such as Network Objects
and Services. Each tab orders its objects logically. For example, the Services tab
locates all services using ICMP in the folder called ICMP.
Objects-List Pane
The Objects tree works with the Objects list. The Objects list displays current
information for a selected object category. For example, when a Logical Server
network object is selected in the Objects tree, the Objects list displays a list of
Logical Servers, with certain details displayed.
Object Types
The objects lists are divided into the following categories:
Network
Services
Resources
VPN Communities
SmartMap Pane
A graphical display of objects in the system is displayed in the SmartMap view.
This view is a visual representation of the network topology. Existing objects
representing physical components such as gateways or hosts are displayed in
SmartMap, but logical objects such as dynamic objects cannot be displayed. This
is a useful documentation tool.
Managing Objects
The Objects Tree is the main view for adding, editing, and deleting objects,
although these operations can also be performed from the menus, toolbars and
other views, such as in Rule Bases or in SmartMap.
Figure 29 - Object Tree
[Figure: Rule Base right-click menu: Add Rule (Bottom Ctrl+Alt+B, Top Ctrl+Alt+T, Below Ctrl+Alt+E, Above Ctrl+Alt+A), Add Sub-Rule, Delete, Hide, Select All (Ctrl+A)]
Default Rule
The Default Rule is added when you add a rule to the Rule Base. You can
configure this rule with all objects, services, and users installed on your database.
No. - Defines the number order of each rule; the first rule in the Rule
Base is No. 1.
Name - Gives Administrators a space to name the rule, helping to annotate
the Rule Base; by default, it is blank.
Source - Displays the Object Manager screen, from which you can select
network objects or a group of users to add to the Rule Base; the default is
Any.
Destination - Displays the Object Manager screen, from which you can
select resource objects to add to the rule; the default is Any.
VPN - Displays the Add Objects VPN Communities screen, from which
you can select a VPN Community to add to the rule; the default is Any Traffic.
Service - Displays the Service Manager screen, from which you can select
services to add to the rule; the default is Any.
Action - Accepts, drops, or rejects the session, or provides authentication
and encryption; the default is drop.
Track - The options are: Account, Alert, Log, Mail, None, SnmpTrap, and UserDefined.
Install On - Specifies which firewalled objects will enforce the rule; the
default is Policy Targets, which means all internal firewalled objects.
(Throughout this handbook, all labs and examples assume this default, and the
Install On column is not shown.)
Time - Specifies the time period for the rule; the default is Any. (Throughout this handbook, all labs and examples assume this default and the Time
column is not shown.)
Comment - Allows Administrators to add notes about this rule; the default
is a blank comment field.
Basic Rules
There are two basic rules used by nearly all Security Gateway Administrators:
the Cleanup Rule and the Stealth Rule.
Figure 33 - Basic Rules
Both the Cleanup and Stealth Rules are important for creating basic security
measures, and tracking important information in SmartView Tracker.
Cleanup Rule - The Security Gateway follows the principle, "That which is
not expressly permitted is prohibited". Security Gateways drop all communication attempts that do not match a rule. The only way to monitor the dropped
packets is to create a Cleanup Rule that logs all dropped traffic. The Cleanup
Rule, also known as the None of the Above rule, drops all communication
not described by any other rules, and allows you to specify logging for everything being dropped by this rule.
Stealth Rule - To prevent any users from connecting directly to the Gateway, you should add a Stealth Rule to your Rule Base. Protecting the Gateway
in this manner makes the Gateway transparent to the network. The Gateway
becomes invisible to users on the network. Figure 4-10 below displays a sample Stealth Rule.
In most cases, the Stealth Rule should be placed above all other rules. Placing the
Stealth Rule at the top of the Rule Base protects your Gateway from port
scanning, spoofing, and other types of direct attacks. Connections that need to be
made directly to the Gateway, such as Client Authentication, encryption and
Content Vectoring Protocol (CVP) rules, always go above the Stealth Rule.
Implicit/Explicit Rules
The Security Gateway creates a Rule Base by translating the Security Policy into
a collection of individual rules. The Security Gateway creates implicit rules,
derived from Global Properties, and explicit rules, created by the Administrator in
the SmartDashboard.
Figure 34 - Implicit/Explicit Rules
An explicit rule is a rule that you create in the Rule Base. Explicit rules are
displayed together with implicit rules in the correct sequence, when you select to
view implied rules. To see how properties and rules interact, select Implied
Rules from the View menu. Implicit rules appear without numbering, and
explicit rules appear with numbering.
Implicit rules are defined by the Security Gateway to allow certain connections to
and from the Gateway, with a variety of different services. The Gateway enforces
two types of implicit rules that enable the following:
Control Connections
Outgoing packets
Control Connections
The Security Gateway creates a group of implicit rules that it places first, last, or
before last in the explicitly defined Rule Base. These first implicit rules are based
on the Accept control connections setting on the Global Properties window.
The Gateway anticipates other possible connections relating to Gateway
communication, and also creates implicit rules for those scenarios.
There are three types of Control Connections, defined by default rules:
Gateway specific traffic that facilitates functionality, such as logging,
management, and key exchange
Acceptance of IKE and RDP traffic for communication and encryption
purposes
Communication with various types of servers, such as RADIUS, CVP, UFP,
TACACS, LDAP, and Logical Servers, even if these servers are not
specifically defined resources in your Security Policy
Implied rules are generated in the Rule Base through Global Properties. Check
the properties enforced in the FireWall Implied Rules screen, then choose a
position in the Rule Base for the implied rule:
First -
Before Last -
Detecting IP Spoofing
Spoofing is a technique where an intruder attempts to gain unauthorized access
by altering a packet's IP address. This alteration makes it appear as though the
packet originated in the part of a network with higher access privileges.
The Security Gateway has a sophisticated anti-spoofing feature that detects such
packets, by requiring that the interface on which a packet enters a gateway
corresponds to its IP address.
Figure 35 - Anti-Spoofing
Anti-spoofing verifies that packets are coming from, and going to, the correct
interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from
the internal network are actually coming from the internal-network interface. It
also verifies that, once a packet is routed, it is going through the proper interface.
Configuring Anti-Spoofing
To properly configure anti-spoofing, networks that are reachable from an
interface need to be defined appropriately. For anti-spoofing to be most effective,
it should be configured on all gateway interfaces. If anti-spoofing is implemented
on a specific interface, spoof tracking for that interface should also be defined.
This will help with both intrusion detection and troubleshooting.
To activate anti-spoofing, configure the firewalled-interface properties. The
Topology tab of the Interface Properties window allows you to configure anti-spoofing properties of a gateway.
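The two checks described above (source against the ingress interface's topology, destination against the egress interface's topology after routing) can be modelled in a few lines. The following is an added example written for this page, not Check Point's code or the gateway's actual implementation; the interface names, the networks behind each interface, the routing table and the log-line format are all constructed, and spoof tracking is reduced to producing a log line for every drop.

```python
import ipaddress

# Constructed gateway topology (hypothetical interface names and networks):
# each internal interface lists the networks reachable behind it; the external
# interface is defined as "everything not behind an internal interface".
EXTERNAL_IF = "eth0"
INTERNAL = {
    "eth1": [ipaddress.ip_network("10.1.1.0/24")],       # LAN
    "eth2": [ipaddress.ip_network("172.22.102.0/24")],   # DMZ
}

# Constructed routing table (prefix, interface); the longest matching prefix
# decides the egress interface and the default route points outside.
ROUTES = [
    ("10.1.1.0/24", "eth1"),
    ("172.22.102.0/24", "eth2"),
    ("0.0.0.0/0", EXTERNAL_IF),
]


def internal_interface_for(ip):
    """Name of the internal interface whose topology contains ip, else None."""
    ip = ipaddress.ip_address(ip)
    for name, nets in INTERNAL.items():
        if any(ip in net for net in nets):
            return name
    return None


def topology_allows(interface, ip):
    """Does ip legitimately live behind interface according to the topology?"""
    behind = internal_interface_for(ip)
    if interface == EXTERNAL_IF:
        return behind is None          # external side: anything that is not internal
    return behind == interface


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix route lookup for the destination address."""
    dst = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    best = max((r for r in candidates if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def inspect(ingress, src, dst, routes=ROUTES, spoof_tracking=True):
    """Anti-spoofing verdict for one packet: (verdict, list of log lines).

    Inbound check: the source must belong to the topology of the interface the
    packet arrived on. Outbound check: after routing, the destination must
    belong to the topology of the interface the packet will leave through.
    With spoof tracking enabled each drop produces a (constructed) log line."""
    log = []
    if not topology_allows(ingress, src):
        if spoof_tracking:
            log.append(f"drop anti-spoofing if={ingress} src={src} dst={dst} reason=source-not-in-topology")
        return "drop", log
    egress = egress_interface(dst, routes)
    if not topology_allows(egress, dst):
        if spoof_tracking:
            log.append(f"drop anti-spoofing if={egress} src={src} dst={dst} reason=destination-not-in-topology")
        return "drop", log
    return "accept", log


if __name__ == "__main__":
    # A packet claiming an internal source but arriving on the external interface.
    print(inspect("eth0", "10.1.1.5", "172.22.102.20"))
    # A LAN host reaching the Internet through the proper interfaces.
    print(inspect("eth1", "10.1.1.5", "203.0.113.9"))
```

Passing a different routing table to inspect shows the second check at work: if a static route sends the DMZ network out of the LAN interface, the destination no longer matches that interface's topology and the packet is dropped even though its source was legitimate.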
Place the most restrictive rules at the top of the Policy, then proceed with the
generalized rules further down the Rule Base. If more permissive rules are
located at the top, the restrictive rule may not be used properly. This allows
misuse or unintended use of access, or an intrusion, due to improper rule
configuration.
Add a Stealth Rule and Cleanup Rule first to each new Policy Package. A
Stealth Rule blocks access to the Gateway. Using an Explicit Drop Rule is
recommended for logging purposes.
Limit the use of the Reject action in rules. If a rule is configured to reject, a
message is returned to the source address, informing that the connection is not
permitted.
Use section titles to group similar rules according to their function. For
example, rules controlling access to a DMZ should be placed together. Rules
allowing an internal network access to the Internet should be placed together,
and so on. This allows easier modification of the Rule Base, as it is easier to
locate the appropriate rules.
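The Stealth and Cleanup Rules, the First / Before Last / Last positions of implied rules, and the advice to keep restrictive rules above permissive ones can all be exercised with one small first-match evaluator. This is an added example written for this page, not Check Point's code or SmartDashboard's rule format: the object names and addresses are constructed, the "Accept control connections" implied rule is reduced to a single row with hypothetical service names, and the shadowing check (a rule that a more permissive earlier rule makes unreachable) is this example's own addition.

```python
import ipaddress

ANY = "Any"

# Constructed network objects (hypothetical names and addresses).
OBJECTS = {
    "Corporate-internal-net": ipaddress.ip_network("10.1.1.0/24"),
    "Corporate-DMZ-net": ipaddress.ip_network("172.22.102.0/24"),
    "Corporate-GW": ipaddress.ip_network("172.22.102.1/32"),     # the gateway itself
    "Security-Management": ipaddress.ip_network("10.1.1.10/32"),
}


def _object_matches(name, ip):
    return name == ANY or ipaddress.ip_address(ip) in OBJECTS[name]


def _object_covers(outer, inner):
    """True when every address of object inner is also in object outer."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return OBJECTS[inner].subnet_of(OBJECTS[outer])


class Rule:
    """One Rule Base row: Source, Destination, Service, Action, Track."""

    def __init__(self, name, src, dst, services, action, track="None", implied=False):
        self.name, self.src, self.dst = name, src, dst
        self.services = ANY if services == ANY else frozenset(services)
        self.action, self.track, self.implied = action, track, implied

    def matches(self, src_ip, dst_ip, service):
        return (_object_matches(self.src, src_ip) and _object_matches(self.dst, dst_ip)
                and (self.services == ANY or service in self.services))

    def covers(self, other):
        """Would this rule match every connection the other rule matches?"""
        svc_ok = self.services == ANY or (other.services != ANY and other.services <= self.services)
        return _object_covers(self.src, other.src) and _object_covers(self.dst, other.dst) and svc_ok


def assemble(first, explicit, before_last, last):
    """Merge implied rules into the explicit Rule Base at the three positions the
    Global Properties window offers: First, Before Last (above the last explicit
    rule, normally the Cleanup Rule) and Last."""
    return list(first) + explicit[:-1] + list(before_last) + explicit[-1:] + list(last)


def evaluate(rule_base, src_ip, dst_ip, service):
    """First match wins. Returns (action, matching rule name, logged?)."""
    for rule in rule_base:
        if rule.matches(src_ip, dst_ip, service):
            return rule.action, rule.name, rule.track == "Log"
    return "drop", "implicit drop", False   # nothing matched: dropped without a log entry


def shadowed_rules(rules):
    """(rule, earlier rule) pairs where the earlier rule makes the later one unreachable."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


# Implied rule generated by "Accept control connections" (position First);
# the service names are hypothetical.
IMPLIED_FIRST = [Rule("Accept control connections", "Security-Management", "Corporate-GW",
                      {"FW1", "CPD"}, "accept", implied=True)]

# Explicit rules in the order the administrator placed them: Stealth first, Cleanup last.
EXPLICIT = [
    Rule("Stealth", ANY, "Corporate-GW", ANY, "drop", track="Log"),
    Rule("DMZ web", ANY, "Corporate-DMZ-net", {"http", "https"}, "accept", track="Log"),
    Rule("LAN outbound", "Corporate-internal-net", ANY, {"http", "https", "dns"}, "accept"),
    Rule("Cleanup", ANY, ANY, ANY, "drop", track="Log"),
]

RULE_BASE = assemble(IMPLIED_FIRST, EXPLICIT, [], [])

if __name__ == "__main__":
    for pkt in [("10.1.1.10", "172.22.102.1", "FW1"),        # management to gateway
                ("10.1.1.50", "172.22.102.1", "ssh"),        # user straight to the gateway
                ("10.1.1.50", "203.0.113.5", "http"),        # LAN to the Internet
                ("198.51.100.7", "172.22.102.20", "smtp")]:  # nothing allows this
        print(pkt, "->", evaluate(RULE_BASE, *pkt))
    misordered = [Rule("Allow all web", ANY, ANY, {"http"}, "accept"),
                  Rule("Block LAN to DMZ web", "Corporate-internal-net", "Corporate-DMZ-net",
                       {"http"}, "drop")]
    print("shadowed:", shadowed_rules(misordered))
```

The management connection is accepted by the implied rule even though the Stealth Rule would drop it, which is why connections that must reach the gateway go above the Stealth Rule; the unmatched SMTP attempt reaches the Cleanup Rule and is logged rather than silently dropped.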
Policy Package Management entails the Policy Package, which includes only
Security, NAT, and Desktop and QoS Policy rules.
The Security Management Server provides a wide range of tools that address
various Policy management tasks, both at the definition stage and at the
maintenance stage:
This table compares the advantages of using Database Revision Control and
Policy Package Management:
IP Addressing
In an IP network, each computer is assigned a unique IP address. Because public
IP addresses are scarce and expensive, many enterprises choose to use private
addresses for their internal networks. The following blocks of IP addresses were
set aside for internal-network use in RFC 1918, "Address Allocation for Private
Networks":
Class A network numbers: 10.0.0.0-10.255.255.255
Class B network numbers: 172.16.0.0-172.31.255.255
Class C network numbers: 192.168.0.0-192.168.255.255
Best practices recommend using only these address ranges for intranets. RFC
1918 addresses cannot traverse public networks.
Hide NAT
In Hide NAT, the source is translated, the source port is modified and translation
occurs on the server side. As shown in the illustration below, notice the source
packet with address 10.1.1.101 going to destination x.x.x.x. As the packet hits the
interface on pre-in, 'i', it is processed by the firewall kernel and forwarded to
post-in, 'I', where it is then routed to the external interface. It arrives, pre-out, 'o',
and is then processed by the NAT rule base. The firewall modifies the source port
and adds the port information to a state table. The packet translates on post-out,
'O', as it leaves the Gateway. For protocols where the port number cannot be
changed, Hide NAT cannot be used.
Figure 36 - Hide NAT (original and translated packet: source IP, destination IP and source port)
Static NAT
A static translation is assigned to a server that needs to be accessed directly from
outside the Security Gateway. So, the packet is typically initiated from a host
outside the firewall. When the client initiates traffic to the static NAT address, the
destination of the packet is translated.
Static NAT
In the past, all destination NAT occurred at the "server side" of the kernel, i.e., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, a host route is required on the Security Gateway to route to the
destination server. As of VPN-1 NGX, the default method for Destination NAT is
"client side", where NAT occurs on the inbound interface closest to the client.
Assume the client is outside the Gateway, and the server is inside the Gateway
with automatic Static NAT configured. When the client starts a connection to
access the server's NAT IP address, the following happens to the original packet
in a client-side NAT:
Original Packet
1. The packet from outside the Gateway arrives at the inbound interface, 'i', destined for the Web server, and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the connections table and the
destination is translated on the post-in side of the interface, 'I', before it is
routed.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet is then forwarded through the kernel, 'O', and routed to the Web
server.
Reply Packet
1. The Web server replies and hits the inbound interface, 'i', of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table,
and arrives at the post-in side of the kernel, 'I'.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet goes through the outbound interface and is translated to the static
NAT IP address as it leaves the Security Gateway, 'O'. The source port does
not change.
When the external server must distinguish between clients based on their IP
addresses, Hide NAT cannot be used, because all clients share the same IP
address under Hide NAT.
To allow connections from the external network to the internal network, only
Static NAT can be used.
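The difference between the two modes, and the role of the state table that lets Hide NAT untranslate replies, is easiest to see by running packets through a small model. The following is an added example written for this page, not Check Point's NAT implementation: addresses, ports, network names and the port-allocation scheme are constructed, and the RFC 1918 check uses exactly the three blocks listed above (Python's own is_private is deliberately not used, because it also covers documentation ranges such as 203.0.113.0/24).

```python
import ipaddress

# The three RFC 1918 private blocks listed in the text.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True when ip falls in one of the RFC 1918 private address blocks."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class NatGateway:
    """Models the gateway's NAT decisions for packets given as 5-tuples
    (src, sport, dst, dport, proto). Constructed for this example."""

    PORT_PROTOCOLS = ("tcp", "udp")   # only these carry a source port Hide NAT can rewrite

    def __init__(self, external_ip, hide_networks, static_map, first_port=10000):
        self.external_ip = external_ip
        self.hide_networks = [ipaddress.ip_network(n) for n in hide_networks]
        self.static = dict(static_map)                       # public IP -> real server IP
        self.static_rev = {real: pub for pub, real in self.static.items()}
        self.next_port = first_port                          # constructed port allocation
        self.hide_state = {}   # (gateway IP, new sport, proto) -> (original src, original sport)
        self.hide_conns = {}   # original 5-tuple -> new sport, one port per connection

    def _hidden(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.hide_networks)

    def outbound(self, pkt):
        """Packet leaving through the external interface (post-out, 'O')."""
        src, sport, dst, dport, proto = pkt
        if src in self.static_rev:
            # Static NAT reply: the source becomes the public address, source port unchanged.
            return (self.static_rev[src], sport, dst, dport, proto)
        if not self._hidden(src):
            return pkt                                       # no translation rule matches
        if proto not in self.PORT_PROTOCOLS:
            return None                                      # Hide NAT impossible without a port
        if pkt not in self.hide_conns:
            new_port = self.next_port
            self.next_port += 1
            self.hide_conns[pkt] = new_port
            self.hide_state[(self.external_ip, new_port, proto)] = (src, sport)
        return (self.external_ip, self.hide_conns[pkt], dst, dport, proto)

    def inbound(self, pkt):
        """Packet arriving on the external interface, translated client side
        (post-in, 'I') before it is routed."""
        src, sport, dst, dport, proto = pkt
        if dst in self.static:
            return (src, sport, self.static[dst], dport, proto)   # Static NAT: destination only
        original = self.hide_state.get((dst, dport, proto))
        if original is None:
            return None                                      # no state entry: nothing to untranslate
        return (src, sport, original[0], original[1], proto)   # Hide NAT reply


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", ["10.1.1.0/24"], {"203.0.113.15": "172.22.102.15"})
    out = gw.outbound(("10.1.1.101", 40000, "198.51.100.20", 80, "tcp"))
    print("hide:", out)
    print("reply:", gw.inbound(("198.51.100.20", 80, out[0], out[1], "tcp")))
    print("static:", gw.inbound(("198.51.100.7", 51515, "203.0.113.15", 80, "tcp")))
```

Two hidden hosts using the same source port get different translated ports, which is the only thing that lets the gateway route their replies apart; a packet arriving for the gateway's address on a port with no state entry is returned as None, so the Security Policy rather than NAT decides its fate.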
Figure 37 - NAT Settings
In most cases, the Security Gateway automatically creates NAT rules, based on
information derived from object properties. The following three Global
Properties can be modified to adjust the behavior of Automatic NAT rules on a
global level:
Allow bi-directional NAT - If more than one Automatic NAT rule matches
a connection, both rules are matched. If Allow bidirectional NAT is selected,
the Gateway will check all NAT rules to see if there is a source match in one
rule, and a destination match in another rule. The Gateway will use the first
matches found, and apply both rules concurrently.
Translate Destination on client side - For packets from an external host
that are to be translated according to Static NAT rules, select this option to
translate destination IP addresses in the kernel nearest the client.
Automatic ARP configuration - Select this option to automatically update
ARP tables on Security Gateways. For NAT to function properly, a Gateway
must accept packets whose destination addresses differ from the addresses
configured on its interfaces. Automatic ARP configuration adds the ARP
entries needed to accomplish this task. This property applies to automatically
created NAT rules only.
Merge manual proxy ARP - Select this option to merge automatic and
manual ARP configurations. Manual proxy ARP configuration is required for
manual Static NAT rules. If a manual ARP configuration is defined in the
local.arp file and automatic ARP configuration is enabled, both definitions are
maintained. If there is a conflict between the definitions (the same NAT IP
address appears in both), the manual configuration is used. If this option is not
enabled and automatic ARP configuration is enabled, the Gateway ignores the
entries in the local.arp file.
Figure 38 - NAT Configured Object
Address-translation rules are divided into two elements: Original Packet and
Translated Packet. The elements of the Original Packet section inform a Security
Gateway which packets match the rule. The Translated Packet elements define
how the Security Gateway should modify the packet. Configuring the network
object as described above creates two rules in the Address Translation Policy.
The first rule prevents translation of packets traveling from the translated object
to itself. The second rule instructs the Security Gateway to translate packets
whose source IP address is part of the Corporate-Finance-net's network. This rule
translates packets from private addresses to the IP address of the exiting interface
of the Security Gateway.
Figure 39 - NAT Rules
Because Hide NAT also modifies source ports, there is no need to add another
rule for reply packets. Information recorded in a Security Gateway's state tables
will be used to modify the destination IP address and destination port of reply
packets.
Figure 40 -
For Automatic NAT rule creation, the Security Gateway makes all necessary
route and ARP table entries on the Security Gateway. In the example above, the
Security Gateway will process packets destined for 172.22.102.15, even though
that IP address is not bound to its interface. For routing to work properly, the
address selected to hide internal networks should be on the same subnet as the IP
address of the interface where packets will arrive.
Like Hide NAT behind a Security Gateway's IP address, configuration for Hide
NAT using another externally accessible IP address also creates two rules. The
first rule instructs the Security Gateway not to translate traffic whose source and
destination is the object for which Hide NAT is configured. The second rule
translates the source address of packets not destined for the object for which Hide
NAT is configured.
Static NAT
Configuring a Security Gateway to perform Static NAT for a host is similar to
configuring a Security Gateway to perform Hide NAT using another externally
accessible IP address.
Figure 41 -
The figure illustrates how to configure NAT properties, when Static NAT is used
to translate a host's IP address.
For routing to work properly, the Translate to IP Address must be on the same
subnet as the Security Gateway's IP address. When Automatic NAT rule creation
is used, it makes the necessary adjustments to the ARP configuration.
Configuring an object for automatic creation of Static NAT rules adds two rules
to the Address Translation Policy. For Static NAT, both rules are translating rules.
In the example above, the Security Gateway changes the source address from a
private address to the public address (172.22.102.112).
Manual NAT
The Security Gateway allows Security Administrators to create Manual NAT
rules. Manual NAT involves more configuration than automatic NAT rule
creation, but provides additional flexibility in Rule Base design.
Automatic NAT rule creation is appropriate for most installations. Properly
configured objects, well-planned networks, and Global Properties settings make
Manual NAT rule creation unnecessary for most enterprises. For Security
Administrators faced with legacy networks where design issues prevent the use
of automatic NAT rules, Manual NAT rules may provide solutions.
Some of the situations where Manual NAT rule creation may be warranted
include:
Instances where remote networks only allow specific IP addresses.
Situations where translation is desired for some services, and not for others.
Special Considerations
When Automatic NAT rule creation is used, it makes all necessary adjustments to
the Security Gateway's ARP and routing tables. Using Automatic NAT rule
creation also eliminates potential anti-spoofing issues. If Manual NAT rule
creation is used, special consideration must be paid to ARP and routing-table
entries, and anti-spoofing issues.
ARP
When Automatic NAT rule creation is used, the Security Gateway makes all
necessary adjustments to the Security Gateway's ARP table. If Manual NAT rule
creation is used, the Security Administrator must edit the Security Gateway's
ARP table, as follows:
Hide NAT, Security Gateway in Translated Packet Source field - No additional ARP table entries are required.
Add ARP table entries to the Security Gateway for all hiding
Multicasting
Multicasting transmits a single message to a select group of recipients. A typical
use of multicasting is to distribute real-time audio and video to a set of hosts that
have joined a distributed conference. IP multicasting applications send one copy
of each IP packet, and address it to a group of computers that want to receive it.
This technique addresses datagrams to a group of receivers at a multicast address,
rather than to a single receiver at a unicast address. Network routers forward the
datagrams to only those routers and hosts that need to receive them.
Figure 42 -
The Multicast Restrictions tab in the Interface Properties window drops multicast
packets according to configured conditions. Security Administrators can
configure a list of address ranges to drop or accept.
Figure 43 - Interface Properties
Review
1. Objects are created by the Security Administrator to represent actual hosts
and devices, as well as services and resources, to use when developing the
Security Policy. What should the Administrator consider before creating
objects?
2. What are some important considerations when formulating or updating a Rule
Base?
3. What are some reasons for employing NAT in a network when requiring private IP addresses in internal networks, to limit external network access, or to
ease network administration?
CHAPTER 4
Learning Objectives
Use Queries in SmartView Tracker to monitor IPS and common network
traffic and troubleshoot events using packet data.
SmartView Tracker
Figure 44 - SmartView Tracker
Log Types
The format of log entries requested by a rule is determined by the log type
specified in the rule. You can select the log entries and data fields to display.
SmartView Tracker also allows you to navigate the log file. You can display one
of several log types from the Network & Endpoint Queries tree, as shown.
Log types are defined as either predefined or custom. The predefined types
include log details specific to that type. For instance, UA WebAccess displays
UserAuthority Web access log data for SecureClient entries, and the Account
type displays changes made to fields over time.
Figure 45 - Log Types
SmartView Tracker toolbar buttons also enable Administrators to define custom
log queries that can be saved for recurring use. The custom query allows the
column widths to be modified, and also allows selection of various log
information to display.
Figure 46 -
Action Icons
Each tab displays log fields regarding both the product that generated the log, and
the type of operation performed. Action icons provide a visual representation of
the log's operation. The following table gives a description of some of the
different types of actions recorded by SmartView Tracker:
Reject -
Decrypt -
Key Install -
When you select Open, you can open other log files.
2. Save Log File As - When saving a log file, the current log entries will be
written to file. Only the records that match the selection criteria will be saved
to the file; both entries that are visible in the screen, and those that are not visible.
Switch Log File - In this window, you can select the default log file or specify a particular log file name. This operation actually performs a log file
switch.
5. Show or hide Fetch Progress - After clicking Get File List from the
Remote Files Management window, you can click Fetch Files and toggle the
display of the Files Fetch Progress window. The file transfer operation will
continue even if the Files Fetch Progress window is closed. It is interrupted
only if you click the Abort button.
6. Query Options - These buttons allow you to toggle the display of the query
tree pane, open an existing query, save a custom query, or save a custom
query under a new name.
Administrator Auditing
SmartView Tracker logs Security Administrator activities, including:
Administrator login and logout.
Object creation, deletion, and editing.
Rule Base changes.
Administrator auditing simplifies the process of tracking and troubleshooting
Security Policy changes, especially in environments with more than one
Administrator. Via the Management tab, it is possible to see the changes made by
a particular Administrator, or see who modified an object and what changes were
made.
Figure 48 - Auditing
Time Settings
The Time Settings window allows you to configure time settings associated with
system-wide logging-and-alert parameters.
Excessive log grace period - Specifies the minimum amount of time
between consecutive logs of similar packets; two packets are considered similar if they have the same source address, source port, destination address and
destination port, and the same protocol was used. After the first packet, similar packets encountered within the grace period will be acted upon according
to the Security Policy, but only the first packet generates a log entry or an
alert.
SmartView Tracker resolving - After a specified amount of time, displays
a log page, without resolving names and showing only IP addresses.
Virtual Link statistics logging interval - Specifies the frequency with
which Virtual Link statistics will be logged; this parameter is relevant only for
Virtual Links defined with Log SLA values enabled in the SLA Parameters
tab of the Virtual Link window. Virtual Links are defined by clicking Manage
> SmartView Monitor > Virtual Links from the main menu.
Status fetching interval - Specifies the frequency at which the Security
Management Server queries the Security Gateway, Check Point QoS, and
other software it manages for status information; any value from 30 to 900
seconds can be entered in this field.
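The excessive log grace period matters when reading a log: a burst of retries from one client appears as a single entry, and the count of what was suppressed is not in the log at all. The following added example (written for this page, not Check Point's logging code) applies the rule stated above to a handful of constructed events; the 5-tuple used for "similar" is taken from the text, while the grace period value, the event records and the output format are assumptions of the example.

```python
from collections import namedtuple

# A constructed log-candidate event: time in seconds plus the 5-tuple the
# gateway uses to decide whether two packets are "similar".
Event = namedtuple("Event", "t src sport dst dport proto")


def apply_grace_period(events, grace_seconds=60):
    """Return (events that produce a log entry, suppressed count per 5-tuple).

    Every event is still subject to the Security Policy; the grace period only
    decides which of them are written to the log. A similar packet is logged
    again once grace_seconds have elapsed since the last logged one."""
    last_logged = {}
    suppressed = {}
    logged = []
    for e in sorted(events, key=lambda ev: ev.t):
        key = (e.src, e.sport, e.dst, e.dport, e.proto)
        prev = last_logged.get(key)
        if prev is None or e.t - prev >= grace_seconds:
            last_logged[key] = e.t
            logged.append(e)
        else:
            suppressed[key] = suppressed.get(key, 0) + 1
    return logged, suppressed


# Constructed events: one client retrying the same blocked connection every
# ten seconds, one unrelated packet, and a retry after the grace period.
SAMPLE = [
    Event(0, "10.1.1.50", 51000, "203.0.113.9", 23, "tcp"),
    Event(10, "10.1.1.50", 51000, "203.0.113.9", 23, "tcp"),
    Event(20, "10.1.1.50", 51000, "203.0.113.9", 23, "tcp"),
    Event(15, "10.1.1.51", 51001, "203.0.113.9", 23, "tcp"),   # different source: not similar
    Event(70, "10.1.1.50", 51000, "203.0.113.9", 23, "tcp"),   # grace period elapsed
]

if __name__ == "__main__":
    logged, suppressed = apply_grace_period(SAMPLE)
    for e in logged:
        print(f"log t={e.t} {e.src}:{e.sport} -> {e.dst}:{e.dport}/{e.proto}")
    print("suppressed:", suppressed)
```

With a 60-second grace period the three retries collapse into the entries at t=0 and t=70, while the packet from the second host is logged on its own because its source address and port differ.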
Blocking Connections
You can terminate an active connection and block further connections from and
to specific IP addresses, using the SmartView Tracker Block Intruder function.
To block an active connection with Block Intruder, select the connection you
want to block, then select Tools > Block Intruder from the menu.
Figure 49 - Block Intruder
The Block Intruder window displays. In the Blocking Scope fields, select one of
the options:
Block all connections with the same source, destination and service - Block the connection or any other connection with the same service, source or
destination.
Block access from this source - The connection is terminated, and all further attempts to establish connections from this source IP address will be
denied.
Block access to this destination - The connection is terminated, and all further attempts to establish connections to this destination IP address will be
denied.
In the Blocking Timeout field, select one of the options: Indefinite - Block
all further access. For... minutes - Block all further access attempts for the
specified number of minutes.
In the Force this blocking field, select one of the options:
Only on ... - Block access attempts through the indicated Security Gateway.
On any Security Gateway - Block access attempts through Security Gateways defined as gateways or hosts on the log server. The connection will
remain blocked, until you choose Tools > Clear Blocking from the main
menu.
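The three Blocking Scope choices, the two timeout choices and the gateway selection combine into a small matching problem, shown here as an added example written for this page (not Check Point's Block Intruder implementation). Connection records, gateway names and times are constructed; the block list and the clear operation are this example's own model of what the text describes.

```python
from collections import namedtuple

# A constructed connection record, as a SmartView Tracker log line would identify it.
Conn = namedtuple("Conn", "src dst service gateway")

SCOPES = ("same", "source", "destination")   # the three Blocking Scope options


class Block:
    """One Block Intruder entry derived from a selected connection."""

    def __init__(self, conn, scope, minutes=None, gateway=None, now=0):
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        self.conn, self.scope = conn, scope
        self.gateway = gateway                      # None: enforce on any Security Gateway
        self.expires = None if minutes is None else now + 60 * minutes   # None: indefinite

    def active(self, now):
        return self.expires is None or now < self.expires

    def matches(self, conn):
        if self.gateway is not None and conn.gateway != self.gateway:
            return False
        if self.scope == "source":
            return conn.src == self.conn.src
        if self.scope == "destination":
            return conn.dst == self.conn.dst
        return (conn.src, conn.dst, conn.service) == (self.conn.src, self.conn.dst, self.conn.service)


class BlockList:
    """Active blocks held by the gateways until they expire or are cleared."""

    def __init__(self):
        self.blocks = []

    def block_intruder(self, conn, scope, minutes=None, gateway=None, now=0):
        self.blocks.append(Block(conn, scope, minutes, gateway, now))

    def is_blocked(self, conn, now):
        return any(b.active(now) and b.matches(conn) for b in self.blocks)

    def clear_blocking(self):
        self.blocks.clear()


if __name__ == "__main__":
    seen = Conn("198.51.100.7", "172.22.102.20", "smtp", "Corporate-GW")
    blocks = BlockList()
    # "Block access from this source", for 10 minutes, only on Corporate-GW.
    blocks.block_intruder(seen, "source", minutes=10, gateway="Corporate-GW", now=0)
    later = Conn("198.51.100.7", "10.1.1.5", "ssh", "Corporate-GW")
    print("30 s later:", blocks.is_blocked(later, now=30))
    print("after timeout:", blocks.is_blocked(later, now=601))
```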
SmartView Monitor
Figure 50 - SmartView Monitor
Predefined views include the most frequently used traffic, counter, tunnel,
gateway, and remote-user information. For example, Check Point system
counters collect information on the status and activities of Check Point Blades
(for example, Firewall). Using custom or predefined views, Administrators can
drill down on the status of a specific gateway and/or segment of traffic to identify
top bandwidth hosts that may be affecting network performance. If suspicious
activity is detected, Administrators can immediately apply a security rule to the
appropriate Security Gateway to block that activity. These security rules can be
created dynamically via the graphical interface, and can be set to expire within a
certain time period.
Real-time and historical reports of monitored events can be generated to provide
a comprehensive view of gateways, tunnels, remote users, network, security, and
Security Gateway performance over time.
Customized Views
SmartView Monitor enables graphical views depicting data for several types of
measurements, including bandwidth, round-trip time, packet rate, CPU use, etc.
The most efficient way to yield helpful information is to create a view based on
your specific needs. It is possible to create customized views for view types (for
example, status, traffic, system statistics, and tunnels). The customization
provides the ability to filter specific data and how the data is to be displayed.
Figure 51 - Customized Views
Traffic View
SmartView Monitor makes Administrators aware of traffic associated with
specific network activities, servers, clients, etc., as well as activities, hardware,
and software use of different Check Point products in real time. Among other
things, this knowledge enables Administrators to:
Block specific traffic when a threat is imposed.
Assume instant control of traffic flow on a Gateway.
Learn about how many tunnels are currently open, or about the rate of new
connections passing through the Security Gateway.
You can generate fully detailed or summarized graphs and charts for all
connections and for numerous rates and figures when calculating network use.
System Counters provides in-depth details on Gateway use and activity. As a
Security Administrator, you can generate system status information about:
Resource use for the variety of components associated with the Security
Gateway.
Tunnels View
VPN tunnels are secure links between Security Gateways, and ensure secure
connections between an organization's gateways and its remote-access clients.
Once tunnels are created and put to use, Administrators can keep track of their
normal functions, so possible malfunctions and connectivity problems can be
accessed and solved as soon as possible.
Figure 52 - Tunnels
To ensure this security level, SmartView Monitor can recognize malfunctions and
connectivity problems, by constantly monitoring and analyzing the status of an
organization's tunnels. With the use of tunnel queries, Administrators can
generate fully detailed reports that include information about all tunnels that
fulfill specific tunnel-query conditions. With this information, it is possible to
monitor tunnel status, the VPN Community with which a tunnel is associated, the
Gateways to which a tunnel is connected, etc.
Figure 53 -
Remote Users
The Remote Users view provides detailed real-time information about remote
users' connectivity, using data collected from sources such as current open
sessions, overlapping sessions, route traffic, and connection time.
Figure 54 - Cooperative Enforcement
Figure 55 -
Monitoring Alerts
Alerts provide real-time information about vulnerabilities to computing systems
and how they can be eliminated.
Check Point alerts users to potential threats to the security of their systems, and
provides information about how to avoid, minimize, or recover from the damage.
Alerts are sent by the Security Gateways to the Security Management Server. The
Security Management Server then forwards these alerts to the SmartView
Monitor SmartConsole, which is actively connected to the Security Management
Server. Alerts are sent to draw the Administrator's attention to problematic
Gateways, and are displayed in SmartView Monitor. These alerts are sent:
If certain rules or attributes, which are set to be tracked as alerts, are matched
by a passing connection.
If system events, also called System Alerts, are configured to trigger an alert
when various thresholds are surpassed.
The Administrator can define alerts to be sent for different Gateways. These
alerts are sent under certain conditions, such as if they have been defined for
certain Policies, or if they have been set for different properties. By default, an
alert is sent as a message to the Administrator's desktop when a new alert arrives
in SmartView Monitor. Alerts can also be sent for certain system events. If
certain conditions are set, you can receive System Alerts for critical situation
updates; for example, if free disk space is less than 10 percent, or if a Security
Policy has been changed. System Alerts are characterized as follows:
They are defined per product. For instance, you may define certain System
Alerts for Check Point QoS that would not apply to Connectra.
They may be global or per Gateway. You can set global alert parameters for
all Gateways in the system, or you can specify a particular alert for a
particular Gateway.
They are displayed and viewed via the same user-friendly window. The
information SmartView Monitor gathers also includes status information
about OPSEC gateways and network objects.
After reviewing the status of certain clients in SmartView Monitor, you may
decide to take decisive action for a particular client or cluster member, for
instance:
Disconnect client - If you have the correct permissions, you can choose to
disconnect one or more of the connected SmartConsole clients. Click the
Disconnect Client button on the Results pane toolbar.
Gateway Status
Check Point enables information about the status of all gateways in the system to
be collected by the Security Management Server and viewed in SmartView
Monitor. The information gathered includes status information about:
Check Point gateways
OPSEC gateways
Check Point Software Blades
A Gateways Status view displays a snapshot of all Check Point Software Blades,
such as VPN and ClusterXL, as well as third-party products (for example,
OPSEC-partner gateways). Gateways Status is very similar in operation to the
SNMP daemon that also provides a mechanism to ascertain information about
gateways in the system.
Figure 56 -
Note: There are general statuses which occur for both the
gateway or machine on which the Check Point Software
Blade is installed, and the Software Blade which
represents the components installed on the gateway.
Overall Status
An Overall status is the result of the blades' statuses. The most serious Software
Blade status determines the Overall status. For example, if all the Software
Blade statuses are OK except for the SmartReporter blade, which has a Problem
status, then the Overall status will be Problem.
OK -
Attention - at least one of the Software Blades indicates that there is a minor
problem but it can still continue to work. Attention can also indicate that,
although a Software Blade is not installed, it is selected in the General
Properties > Check Point Products associated with a specific gateway.
Waiting - from the time that the view starts to run until the time that the first
status message is received. This takes no more than thirty seconds.
Disconnected -
Attention - the blade indicates that there is a minor problem but it can still
continue to work.
Waiting - displayed from the time that the view starts to run until the time
that the first status message is received. This takes no more than thirty
seconds.
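As an added example (not Check Point code and not from this manual), the following Python implements the rule stated above: the most serious Software Blade status determines the Overall status, a blade that is selected under General Properties > Check Point Products but not installed reports Attention, and a blade from which no status message has arrived yet shows Waiting. The manual names the statuses but does not rank them, so the severity ordering used here is an assumption of this example; the blade lists are constructed, apart from the manual's own SmartReporter case.

```python
"""Overall gateway status derived from Software Blade statuses (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Least to most serious. ASSUMED ordering; the manual only names the statuses.
SEVERITY = ["OK", "Waiting", "Attention", "Problem", "Disconnected"]


@dataclass
class Blade:
    name: str
    selected: bool                  # ticked under General Properties > Check Point Products
    installed: bool
    reported: Optional[str] = None  # last status message; None until one arrives


def blade_status(blade: Blade) -> str:
    """Status of one Software Blade as the Gateways Status view would show it."""
    if blade.selected and not blade.installed:
        return "Attention"            # selected for the gateway object but not installed
    if blade.reported is None:
        return "Waiting"              # no status message received yet
    if blade.reported not in SEVERITY:
        raise ValueError(f"unknown status {blade.reported!r} for {blade.name}")
    return blade.reported


def overall_status(blades: List[Blade]) -> str:
    """The most serious blade status determines the Overall status."""
    if not blades:
        return "Waiting"
    return max((blade_status(b) for b in blades), key=SEVERITY.index)


def demo() -> dict:
    # The manual's own example: every blade OK except SmartReporter, which has a Problem.
    manual_example = [
        Blade("Firewall", True, True, "OK"),
        Blade("IPSec VPN", True, True, "OK"),
        Blade("SmartReporter", True, True, "Problem"),
    ]
    # Constructed: IPS is selected for the gateway object but was never installed.
    selected_not_installed = [
        Blade("Firewall", True, True, "OK"),
        Blade("IPS", True, False),
    ]
    # Constructed: the view has just started and no status message has arrived.
    just_started = [Blade("Firewall", True, True)]
    return {
        "manual example": overall_status(manual_example),
        "selected but not installed": overall_status(selected_not_installed),
        "just started": overall_status(just_started),
    }
```

Keeping the severity list explicit makes the aggregation rule easy to audit: any new status only has to be placed in that list, and the Overall status is always the maximum over it.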
R75 Training Manual
Review
1. Discuss the benefits of using SmartView Monitor instead of SmartView
Tracker in monitoring network activity.
2. Why is there a warning message when switching to Active mode in SmartView
Tracker?
CHAPTER 5
Using SmartUpdate
SmartUpdate extends your organization's ability to provide centralized policy
management across enterprise-wide deployments. SmartUpdate can deliver
automated software and license updates to hundreds of distributed Security
Gateways from a single management console.
Learning Objectives:
Monitor remote Gateways using SmartUpdate to evaluate the need for
upgrades, new installations, and license modifications.
Figure 57 -
Managing Licenses
Operating System.
SecurePlatform.
tory SC POIR\conf\.
2. Package Repository, which is stored on:
Figure 58 - SmartUpdate Architecture
Packages and licenses are loaded into these repositories from several sources:
Figure 59 - SmartUpdate
SmartUpdate Introduction
Figure 60 - SmartUpdate - Licenses
When you add a license to the system using SmartUpdate, it is stored in the
License & Contract Repository. Once there, it must be installed to the Gateway
and registered with the Security Management Server. Installing and registering a
license is accomplished through an operation known as attaching a license.
Central licenses require an administrator to designate a Gateway for attachment,
while Local licenses are automatically attached to their respective Check Point
Security Gateways.
Licensing Terminology
Common terms used with respect to licensing include the following:
Add - Licenses received from the User Center should first be added to the
SmartUpdate License & Contract Repository. Adding a local license to the
License & Contract Repository also attaches it to the gateway.
Attach - Licenses are attached to a Gateway via SmartUpdate. Attaching a
license to a Gateway involves installing the license on the remote Gateway,
and associating the license with the specific Gateway in the License &
Contract Repository.
Certificate Key - The Certificate Key is a string of 12 alphanumeric
characters. The number is unique to each package. For an evaluation license,
your Certificate Key can be found inside the mini pack. For a permanent
license, you should receive your Certificate Key from your reseller.
CPLIC - A command line for managing local licenses and local license
operations. For additional information, refer to the Command Line Interface
Reference Guide:
http://supportcontent.checkpoint.com/documentation_download?ID=8713
and whether the license is installed on the remote Gateway. The license state
definitions are as follows:
Get - Locally installed licenses can be placed in the License & Contract
Repository, to update the repository with all licenses across the installation.
The Get operation is a two-way process that places all locally installed
licenses in the License & Contract Repository and removes all locally deleted
licenses from the License & Contract Repository.
Features -
Upgrading Licenses
When a Central license is placed in the License & Contract Repository,
SmartUpdate allows you to attach it to Check Point packages. Attaching a license
installs it to the remote Gateway and registers it with the Security Management
Server.
New licenses need to be attached when:
To retrieve license data from a single remote Gateway, right-click the gateway
object in the License Management window, and select Get Licenses.
To retrieve license data from multiple Check Point Security Gateways, select
Get All Licenses from the Licenses & Contracts menu.
Attaching Licenses
After licenses have been added to the License & Contract Repository, select one
or more licenses to attach to a Security Gateway.
1. Select the license(s).
2. Select Licenses & Contracts > Attach.
3. From the Attach Licenses window, select the desired device.
If the attach operation fails, the local licenses are deleted from the Repository.
Detaching Licenses
Detaching a license involves deleting a single Central license from a remote
Check Point Security Gateway and marking it as unattached in the License &
Contract Repository. This license is then available to be used by any Check Point
Security Gateway. To detach a license, select Licenses & Contracts > Detach and
select the licenses to be detached from the displayed window.
To delete expired licenses from the License Expiration window, select the
detached license(s) and click Delete.
Service Contracts
Before upgrading a Gateway or Security Management Server, you need to have a
valid support contract that includes software upgrade and major releases
registered to your Check Point User Center account. The contract file is stored on
the Security Management Server and downloaded to Check Point Security Gateways
during the upgrade process. By verifying your status with the User Center, the
contract file enables you to easily remain compliant with current Check Point
licensing standards.
Managing Contracts
Once you have successfully upgraded the Security Management Server, you can
use SmartUpdate to display and manage your contracts. From the License
Management window, it is possible to see whether a particular license is
associated with one or more contracts. The License Repository window in
SmartUpdate displays contracts as well as licenses.
Updating Contracts
The Licenses & Contracts menu on the menu bar has enhanced functionality for
handling contracts.
Licensing R75
Licenses are required for the Security Management Server and Security
Gateways. No license is required for SmartConsole management clients. Check
Point Gateways enforce the license installed on the Gateway by counting the
number of users that have crossed the Gateway. If the maximum number of users
is reached, warning messages are sent to the console.
The Check Point software is activated using a certificate key, which is located on
the back of the software media pack. The certificate key is used to generate a
license key for products that you want to evaluate or purchase. To purchase
Check Point products, contact your reseller.
Note: You must install Software Blade licenses. NGX licenses
cannot be used with R75.
Obtaining a License Key
To obtain a license key from the Check Point User Center:
1. Add the required Check Point products/evaluations to your User Center
account by selecting Accounts & Products > Add Products.
2. Generate a license key for your products/evaluations by selecting Accounts
& Products > Products. Select your product(s) and click Activate License.
The selected product(s)/evaluations have been assigned license keys.
3. Complete the installation and configuration process by doing the following:
Read and accept the End Users License Agreement.
Import the product license key.
Licenses are imported using the Check Point Configuration Tool or SmartUpdate.
SmartUpdate allows you to centrally upgrade and manage Check Point software
and licenses. The certificate keys associate the product license with the Security
Management Server, which means that:
The new license remains valid even if the IP address of the Check Point
gateway changes.
Only one IP address is needed for all licenses.
A license can be detached from one Check Point Gateway and assigned to
another.
Upgrading Licenses
The upgrade procedure is free of charge to purchasers of the Software
Subscription service (Enterprise Base Support).
Licensing SmartEvent
SmartEvent licenses are installed on the SmartEvent server and not on the
Security Management Server. Correlation Units are licensed by the number of
units that are attached to the SmartEvent server.
SmartUpdate Options
Packages > Upgrade all Packages - This feature allows you to upgrade all
packages installed on a Gateway. For IPSO and SecurePlatform, this feature also
allows you to upgrade your operating system as a part of your upgrade. In R70,
SmartUpdate's "Upgrade all Packages" supports HFAs, i.e., it will suggest
upgrading the Gateway with the latest HFA if an HFA package is available in the
Package Repository. "Upgrade All" is the recommended method. In addition,
there is an advanced method to install (distribute) packages one-by-one.
Packages > Add - SmartUpdate provides three "helper" tools for adding
packages to the Package Repository:
From CD - Adds a package from the Check Point CD.
From File -
Packages > Get Gateway Data - This tool updates SmartUpdate with the
current Check Point or OPSEC third-party packages installed on a specific
Gateway or for your entire enterprise.
Tools > Check for Updates - This feature locates the latest HFA on the Check
Point Download Center, and adds it to the Package Repository.
For details on how to use these commands, see the Command Line Interface
(CLI) Administration Guide.
CHAPTER 6
User Management and Authentication
Learning Objectives:
Centrally manage users to ensure only authenticated users securely access the
corporate network either locally or remotely.
Manage user access to the corporate LAN by using external databases.
User Types
SmartDashboard allows you to manage a variety of user types:
External User Profiles - Profiles of externally defined users who are not
defined in the internal users database or on an LDAP server. External user
profiles are used to avoid the burden of maintaining multiple Users Databases, by
defining a single, generic profile for all external users. External users are
authenticated based on either their name or their domain.
Groups - User groups consist of users and of user sub-groups. Including users
in groups is required for performing a variety of operations, such as defining user
access rules or remote access communities.
LDAP Groups - An LDAP group specifies certain LDAP user characteristics.
All LDAP users defined on the LDAP server that match these characteristics are
included in the LDAP group. LDAP groups are required for performing a variety
of operations, such as defining LDAP user access rules or LDAP remote access
communities. For detailed information on LDAP groups, see chapter, "User
Management and Authentication".
Templates - User templates facilitate the user definition process and prevent
mistakes, by allowing you to create a new user based on the appropriate template
and change only a few relevant properties as needed.
Users - These are either local clients or remote clients, who access your
network and its resources.
Types of Authentication
There are three ways to access a network resource and authenticate using the
Security Gateway:
User Authentication - Grants access on a per-user basis. This method can
only be used for Telnet, FTP, HTTP, rlogin and HTTPS services. User
Authentication is secure, because the authentication is valid only for one
connection, but intrusive, because each connection requires another
authentication. For example, accessing a single Web page could display
several dozen User Authentication windows, as different components are
loaded.
Authentication Type | Services                         | Authentication is performed once per... | Authenticates when...
User                | Telnet, FTP, rlogin, HTTP, HTTPS | Connection                              | Each time a user uses one of the supported services
Session             | All services                     | Session                                 | Each time a user uses any service (requires a Session Authentication Agent on the client)
Client              | All services                     | IP address                              |
Authentication Schemes
Authentication schemes employ usernames and passwords to identify valid users.
Some schemes are maintained locally and store usernames and passwords on the
Security Gateway, while others are maintained externally and store User
Authentication information on an external authentication server. Certain
schemes, such as SecurID, are based on providing a one-time password. All of
the schemes can be used with users defined on an LDAP server. For additional
information on configuring the Security Gateway to integrate with an LDAP
server, refer to the "SmartDirectory and User Management" section in this
chapter.
Check Point Password - The Security Gateway can store a static password in
the local user database of each user configured on the Security Management
Server. No additional software is required. Alternatively, to permit alteration of
this credential, store the Check Point password in SmartDirectory.
Operating System Password - The Security Gateway can authenticate using
the username and password that is stored on the operating system of the machine
on which the Security Gateway is installed. You can also use passwords that are
stored in a Windows domain. No additional software is required.
RADIUS - RADIUS is an external authentication scheme that provides security
and scalability by separating the authentication function from the access server.
Using RADIUS, the Gateway forwards authentication requests by remote users
to the RADIUS server. The RADIUS server, which stores user account
information, authenticates the users.
The RADIUS protocol uses UDP to communicate with the Gateway. RADIUS
servers and RADIUS server-group objects are defined in SmartDashboard.
SecurID - SecurID requires users to both possess a token authenticator and to
supply a PIN or password. Token authenticators generate one-time passwords
that are synchronized to an RSA ACE/Server, and may come in the form of
hardware or software. Hardware tokens are key-ring or credit card-sized devices,
while software tokens reside on the computer or device from which the user
wants to authenticate. All tokens generate a random, one-time-use access code
that changes approximately every minute. When a user attempts to authenticate
to a protected resource, the one-time-use code must be validated by the ACE/
Server.
Using SecurID, the Security Gateway forwards authentication requests by remote
users to the ACE/Server. ACE manages the database of RSA users and their
assigned hard or soft tokens. The Security Gateway acts as ACE/Agent 5.0, and
directs all access requests to the RSA ACE/Server for authentication. For
additional information on agent configuration, refer to your ACE/Server
documentation.
There are no specific parameters required for the SecurID authentication scheme.
TACACS - TACACS is an external-authentication scheme that provides
verification services. TACACS provides access control for routers, network
access servers and other networked devices through one or more centralized
servers. Using TACACS, the Gateway forwards authentication requests by
remote users to a TACACS server. The TACACS server, which stores user-account
information, authenticates users. The system supports card-key devices
or token cards and Kerberos secret-key authentication. TACACS encrypts the
username, password, authentication services, and accounting information of all
authentication requests to ensure secure communication.
Undefined - The authentication scheme for a user can be undefined. If a user
with an undefined authentication scheme is matched to a rule with some form of
authentication, access is always denied.
Figure 63 -
Authentication Methods
Each method can be configured to connect and authenticate clients to the
Security Gateway before the connection is passed to the desired resource (a
process known as non-transparent authentication). Alternatively, each method can
be configured to connect clients directly to the target server (a process known as
transparent authentication).
This section describes how users authenticate using each authentication method,
along with guidelines for configuring each method.
User Authentication
User Authentication provides authentication for the Telnet, FTP, HTTP, and
rlogin services. By default, User Authentication is transparent. The user does not
connect directly to the Security Gateway, but initiates a connection to the target
server.
Figure 64 -
Figure 65 -
Timeout Considerations
To avoid forcing users with one-time passwords to generate a new password for
each connection, the HTTP Security Server extends the validity of the password
for the time period defined by the User Authentication session timeout option
in the Authentication Settings section of the Check Point Gateway window.
This ensures that users of one-time passwords do not have to reauthenticate for
each request during this time period.
To enhance security, you could require users to reauthenticate for certain types of
requests. For example, you can specify that every request to a specific HTTP
server requires a new password, or that requests that change a server's
configuration require a new password. To set reauthentication parameters,
redefine the Reauthentication options in the HTTP Server field of the Policy >
Global Properties > FireWall > Security Server window.
Right-click in the Source column, select Add User Access, then select the
group.
In the Location section in the User Access window, to restrict the location of
authenticating users, select Restrict To and the host, group of hosts, network,
or group of networks that users can access.
In the Service field of the Rule Base, select the services you wish to authenticate.
In the Action column, select User Auth. Table 6-2 below shows an HTTP
User Authentication rule:
Table 6-2: HTTP User Authentication rule
SOURCE | DESTINATION | SERVICE   | ACTION
Any    | Trame       | HTTP, FTP | User Auth
Session Authentication
Session Authentication can be used for any service; however, a Session
Authentication Agent is required to retrieve a user's identity. The Session
Authentication Agent is normally installed on the authenticating client, where the
person who initiates the connection to the destination host supplies the
authentication credentials. Session Authentication requires an authentication
procedure for each connection. However, the Session Authentication Agent can
also be installed on the destination machine or on some other machine in the
network, in which case the user at that machine would provide the username and
password.
Figure 66 - Session Authentication
The Figure shows the Session Authentication login window. After typing the
username, the user is prompted to provide a password.
The following is a typical Session Authentication workflow:
1. The user initiates a connection directly to the server.
2. The Gateway intercepts the connection.
3. The Session Authentication Agent challenges the user for authentication data,
and returns this information to the Gateway.
4. If authentication is successful, the Gateway allows the connection to pass
through the Gateway and continue to the target server.
Figure 67 - Session Authentication
Client Authentication
Client Authentication can be used to authenticate any service. It enables access
from a specific IP address for an unlimited number of connections. The client
user performs the authentication process, but it is the client machine that is
granted access. Client Authentication is less secure than User Authentication,
because it permits access for multiple users and connections from authorized IP
addresses or hosts. Authorization is performed on a per-machine basis for
services that do not have an initial login procedure. The advantages of Client
Authentication are that it can be used for an unlimited number of connections, for
any service, and is valid for any length of time.
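The following Python is an added example, not Check Point code or anything from this manual. It models what the Types of Authentication table earlier in this chapter and the Client Authentication paragraph above say each type actually authorizes: User Authentication is valid for one connection (and only for the listed services), Session Authentication for one Session Authentication Agent session, and Client Authentication for a source IP address, so a second user behind an already-authenticated address is never challenged. The users, addresses, session and connection identifiers are constructed for illustration, and every challenge is assumed to be answered with valid credentials.

```python
"""What each authentication type authorizes (added example, not Check Point code)."""
from typing import Dict, List

# Services User Authentication can handle, from the Types of Authentication table.
USER_AUTH_SERVICES = {"telnet", "ftp", "http", "https", "rlogin"}

PROMPT = "prompt"                  # the gateway challenges for credentials
PASS = "pass"                      # already authorized, no challenge
NOT_APPLICABLE = "not applicable"  # this type cannot authenticate the service


def authorization_key(auth_type: str, conn: Dict[str, str]) -> tuple:
    """The thing a successful authentication authorizes, per authentication type."""
    if auth_type == "user":
        return ("connection", conn["conn_id"])   # one connection
    if auth_type == "session":
        return ("session", conn["session_id"])   # one agent session
    if auth_type == "client":
        return ("ip", conn["src_ip"])            # the whole client machine
    raise ValueError(f"unknown authentication type: {auth_type}")


def simulate(auth_type: str, conns: List[Dict[str, str]]) -> List[str]:
    """Replay connections through a rule using one authentication type.

    Assumes every challenge is answered correctly, so the result shows only
    how often a challenge happens and what it covers afterwards.
    """
    authorized = set()
    decisions = []
    for conn in conns:
        if auth_type == "user" and conn["service"] not in USER_AUTH_SERVICES:
            decisions.append(NOT_APPLICABLE)
            continue
        key = authorization_key(auth_type, conn)
        if key in authorized:
            decisions.append(PASS)
        else:
            decisions.append(PROMPT)
            authorized.add(key)
    return decisions


def unchallenged_users(auth_type: str, conns: List[Dict[str, str]]) -> List[str]:
    """Users whose connections passed without that user ever being prompted."""
    prompted, passed = set(), set()
    for conn, decision in zip(conns, simulate(auth_type, conns)):
        if decision == PROMPT:
            prompted.add(conn["user"])
        elif decision == PASS:
            passed.add(conn["user"])
    return sorted(passed - prompted)


# Constructed traffic: alice loads a page that pulls three HTTP objects, then
# bob, sharing the same workstation address, opens an SSH connection.
SAMPLE = [
    {"user": "alice", "src_ip": "10.0.0.5", "session_id": "s1", "conn_id": "c1", "service": "http"},
    {"user": "alice", "src_ip": "10.0.0.5", "session_id": "s1", "conn_id": "c2", "service": "http"},
    {"user": "alice", "src_ip": "10.0.0.5", "session_id": "s1", "conn_id": "c3", "service": "http"},
    {"user": "bob",   "src_ip": "10.0.0.5", "session_id": "s2", "conn_id": "c4", "service": "ssh"},
]
```

Running simulate over SAMPLE with each type shows the trade-off the text describes: "user" prompts alice three times for one page and cannot handle SSH at all; "session" prompts once per agent session, including bob; "client" prompts alice once and then lets bob through on the strength of the shared address, which is why unchallenged_users("client", SAMPLE) reports bob.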
Client Authentication Sign-On Method | Authentication Method for Authenticated Services: Telnet, FTP, HTTP, rlogin | Authentication Method for Other Services
Partially automatic                  | User Authentication                                                         | Not available
Fully automatic                      | User Authentication                                                         | Session Authentication
Agent automatic                      | Session Authentication                                                      | Session Authentication
Single Sign On                       | UserAuthority                                                               | UserAuthority
Manual                               | Client Authentication                                                       |
Sign-On Methods
Manual Sign On - Available for any service that is specified in the Client
Authentication rule; the user must first connect to the Gateway and
authenticate in one of the following two ways:
Through a Telnet session to the Gateway on port 259.
Through an HTTP connection to the Gateway on port 900 and a Web browser;
the requested URL must include the Gateway name and port number, for
example, http://Gateway:900.
Wait Mode
Wait Mode is a Client Authentication feature for Manual Sign On, when the user
initiates a Client Authenticated connection with a Telnet session on port 259 on
the Gateway. Wait Mode eliminates the need to open a new Telnet session to sign
off and withdraw Client Authentication privileges. In Wait Mode, the initial
Telnet session connection remains open, as long as Client Authentication
privileges remain valid. Client Authentication privileges are withdrawn when the
Telnet session is closed.
The Security Gateway keeps the Telnet session open by pinging the
authenticating client. If for some reason the client machine stops running, the
Gateway closes the Telnet session, and Client Authentication privileges from the
connected IP address are withdrawn.
Fully Automatic Sign On - Fully Automatic Sign On is available for any service, only if the required service is specified in the Client Authentication rule. If users attempt to connect to a remote host using an authenticated service (Telnet, FTP, HTTP, and rlogin), they must authenticate with User Authentication. If users attempt to connect to a remote host using any other service, they must authenticate through a properly installed Session Authentication Agent. When using fully automatic Client Authentication, ensure that port 80 is accessible on the Gateway.
Agent Automatic Sign On - Agent Automatic Sign On is available only if the required service is specified in the Client Authentication rule, and the Session Authentication Agent is properly installed. If users attempt to connect to a remote host using any service, they must authenticate through a Session Authentication Agent.
Single Sign On - Single Sign On is available for any service, only if the required service is specified in the Client Authentication rule and UserAuthority is installed. Single Sign On is a Check Point address-management feature that provides transparent network access. The Gateway consults the user IP address records to determine which users are logged in to any given IP address. When a connection matches a Single Sign On enabled rule, the Gateway queries UserAuthority with the packet's source IP. UserAuthority returns the name of the user who is registered to the IP. If the user's name is authenticated, the packet is accepted. If not, it is dropped.
Client Authentication
To allow access according to the location specified in the rule, select Ignore User Database.
LDAP Features
Features of LDAP are as follows:
LDAP is based on a client/server model, in which an LDAP client makes a TCP connection to an LDAP server.
Default port numbers are 389 for standard connections, and 636 for Secure Sockets Layer (SSL) connections.
Distinguished Name
A Distinguished Name (DN) is a globally unique name for an entity, constructed by appending the sequence of DN components from the lowest level of a hierarchical structure to the root. The root becomes the relative DN. This structure becomes apparent when setting up SmartDashboard user management.
Figure 68 - Distinguished Name (cn=John Brown)
For example, if searching for the name John Brown, the search path would start with John Brown's Common Name (CN). You would then narrow the search to the organization he works for, then to the country. If John Brown works for ABC Company, one possible DN is shown below:
Figure 69 - Distinguished Name example
Figure 70 -
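The DN construction just described, as an added example (not code from the manual or from Check Point): RDN components are listed from the lowest level (cn) to the root (c) and joined into a DN, and attribute values are escaped as RFC 4514 requires so that a value taken from user input (a login form, a search field) cannot add or change RDNs. The organization and country values are constructed sample data, and the parser deliberately ignores multi-valued (+) RDNs.

```python
"""Building and parsing LDAP Distinguished Names (RFC 4514).

Added example, not code from the manual or from Check Point. It builds a DN
from RDN components ordered from the lowest level to the root, as the text
describes, and escapes attribute values so that user-supplied input cannot
add or alter RDNs. The sample names (ABC Company, c=US) are constructed.
"""
from typing import List, Tuple

# Characters RFC 4514 requires to be escaped anywhere inside a value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")              # NUL must be hex-escaped
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")               # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")               # leading '#' would mean a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """rdns is ordered leaf first (e.g. cn), root last (e.g. c)."""
    return ",".join(f"{attr}={escape_rdn_value(value)}" for attr, value in rdns)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN back into (attribute, value) pairs, honouring escapes.

    Multi-valued RDNs joined with '+' are not handled; the point here is
    the comma and backslash handling that decides where one RDN ends.
    """
    rdns: List[Tuple[str, str]] = []
    attr: List[str] = []
    value: List[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        target = value if in_value else attr
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpair):
                target.append(chr(int(hexpair, 16)))   # \XX hex escape
                i += 3
            else:
                target.append(dn[i + 1])               # escaped literal character
                i += 2
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch == ",":
            rdns.append(("".join(attr).strip(), "".join(value)))
            attr, value, in_value = [], [], False
        else:
            target.append(ch)
        i += 1
    if attr or value:
        rdns.append(("".join(attr).strip(), "".join(value)))
    return rdns


def john_brown_dn() -> str:
    """The manual's example: John Brown at ABC Company; the country is constructed."""
    return build_dn([("cn", "John Brown"), ("o", "ABC Company"), ("c", "US")])


if __name__ == "__main__":
    print(john_brown_dn())
    print(parse_dn("cn=" + escape_rdn_value("Brown,o=Evil") + ",c=US"))
```

A value such as "Brown,o=Evil" would, unescaped, turn into two RDNs and place the entry under a different organization; after escaping it parses back as a single cn value. Any code that assembles a search base or bind DN from user input should go through the same escaping.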
Servers tab - Select a profile to be applied to the new Account Unit. Four profiles are defined by default, each corresponding to a specific LDAP server:
Microsoft_AD -
Managing Users
Users defined in the Account Unit are managed in the Users tab of the Objects tree. This intuitive tree structure enables users to be managed as if all the users were actually sitting in the internal Security Gateway database. For instance, you can add, edit or delete users by right-clicking them in the Objects tree, and by selecting the option of your choice.
Figure 72 -
SmartDirectory Groups
SmartDirectory groups are created to classify users within certain group types. These SmartDirectory groups are then applied in Policy rules. Define a SmartDirectory group in the LDAP Group Properties window in the Users and Administrators tab of the Objects tree:
Review
1. User Auth can only be used for what services?
Telnet, FTP, HTTP, rlogin, HTTPS
CHAPTER 7
Identity Awareness
To provide granular access to resources on the network, you need to deploy a more comprehensive Security Policy that manages access based on more information than just the IP address of the connecting machine. Implement Identity Awareness to manage access based on the identity of the user in addition to their location in the network.
Learning Objectives:
Figure 74 -
Once selected, the system displays a wizard that allows you to define the Identity Awareness settings. The purpose of the wizard is to allow you to define your authentication method as one or both of the following:
Captive Portal
LDAP
LDAP Integration
LDAP integration with the Security Manager allows a gateway configured with Identity Awareness to query the Active Directory server for user information. Based on the Windows Management Instrumentation protocol, this process works in environments where Microsoft Active Directory Server 2003 or 2008 is deployed. The query is clientless and takes place in a way that is transparent to the user, requiring no client or server side software.
To identify the user or machine for Identity Awareness using the LDAP query, the user or resource must be pre-defined in the Active Directory server's database. Connections by users not configured in the database will be denied. To have the user authenticate through LDAP, you must configure the following information to allow the gateway to query the Active Directory server for user credentials:
Active Directory (LDAP server object configured on the Management Server)
Username (domain administrator)
Password (domain administrator password)
Once the LDAP information is configured, test connectivity from the Integration with Active Directory screen:
Figure 76 -
If you do not want the gateway to query the Active Directory server for user information, select the option I do not wish to configure an Active Directory at this time.
Once LDAP integration is configured, the authentication process is seamless to the user. The gateway takes the LDAP information from the host attempting to connect and sends it to the Active Directory server. The gateway uses the information retrieved from the LDAP query to determine the user's access based on the enforced Security Policy.
Captive Portal
The Captive Portal is a web-based tool that allows the gateway to request login information from the user. This simple solution is built into the Security Gateway and does not require additional configuration. Enable the Captive Portal in the Action column of an Identity Awareness rule.
When an unknown user attempts to connect to a protected resource through an HTTP rule with Identity Awareness configured, the gateway presents the Captive Portal and prompts the user for credentials. The login information provided is then authenticated against the existing user database configured on the Security Management Server. The portal also supports all Check Point authentication methods such as LDAP, RADIUS, etc.
By default, the portal is only accessible through internal interfaces. The system, however, automatically selects the primary interface of the Security Gateway as the Main URL. This means the automatically selected interface may not be on the internal network. If this is the case, change the Main URL selection to an IP on a protected network.
The Captive Portal offers administrators greater flexibility than the automatic LDAP query, in that it works with both existing users and guests. Unidentified users may be blocked, or guests can be allowed to enter required credentials or download the Identity Awareness agent.
Figure 78 - Captive Portal flow (Active Directory, Internal Resource)
2. Identity Awareness does not recognize the user and redirects the user's
4. The credentials are sent to the Security Gateway and verified against the AD Server.
Identity Agents
Identity Agents can be installed by the guest user by downloading them from the Captive Portal, or pre-installed on an internal user's machine. Once installed, the Identity Agent provides both user and machine identity when providing credentials to the gateway. In addition, Identity Agents allow administrators to identify the user even if they roam to different protected networks within the organization.
The Identity Agent uses single sign-on, so that when the user logs into the domain, that information is also used to meet Identity Awareness credential requests.
Figure 79 -
1. A user logs into his PC with his regular credentials and attempts to access the Internal Data Center.
2. The Security Gateway enabled with Identity Awareness does not recognize the user.
3. The Security Gateway redirects his browser to the Captive Portal.
4. The user downloads the Identity Agent from the Captive Portal and installs it on his PC.
5. The Identity Agent connects to the Security Gateway.
6. The user is authenticated and granted access to the originally requested resource.
[Figure: Access Role properties window (networks, users, machines)]
Access Roles grant security administrators greater flexibility when defining an organization's Security Policy. For example, let's say you need to prohibit all users except for the finance group from accessing servers in the finance network segment. Those users, however, need FTP access. You want to grant this access, but only if they are logging in from an internal location. To do this, you simply configure an Access Role with the internal network and the finance group's users. When placed in the Source column of an FTP accept rule, your task is complete.
In rules with Access Role objects. the matching criteria operates as follows:
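The finance scenario above, worked through as an added example (not Check Point code): an Access Role that combines an internal network with the finance user group sits in the Source column of an FTP accept rule, followed by a drop rule for the finance segment. The matching semantics used here are an assumption drawn from this chapter and the appendix answer (an Access Role is built from networks, user groups and/or machines): a connection matches the role only when it satisfies every criterion the role specifies, and a criterion left empty means Any. All addresses, names and groups are constructed.

```python
"""Model of Access Role matching in an identity-aware rule base.

Added example, not Check Point code. Semantics are an assumption: an
Access Role matches a connection only when every criterion it specifies
(networks, user groups, machines) holds; an empty criterion means Any.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Union


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    service: str
    user: Optional[str] = None                 # None: source not identified
    groups: FrozenSet[str] = frozenset()       # groups of the identified user
    machine: Optional[str] = None              # identified machine, if any


@dataclass
class AccessRole:
    name: str
    networks: Set[IPv4Network] = field(default_factory=set)
    user_groups: Set[str] = field(default_factory=set)
    machines: Set[str] = field(default_factory=set)

    def matches(self, conn: Connection) -> bool:
        """All specified criteria must hold; an empty criterion means Any."""
        if self.networks and not any(ip_address(conn.src_ip) in n for n in self.networks):
            return False
        if self.user_groups and not (conn.groups & self.user_groups):
            return False          # unidentified users have no groups, so they never match
        if self.machines and conn.machine not in self.machines:
            return False
        return True


@dataclass
class Rule:
    source: Union[AccessRole, str]        # an Access Role object or "Any"
    destination: Union[IPv4Network, str]  # a network or "Any"
    service: str                          # service name or "Any"
    action: str                           # "accept" or "drop"

    def matches(self, conn: Connection) -> bool:
        if isinstance(self.source, AccessRole) and not self.source.matches(conn):
            return False
        if isinstance(self.destination, IPv4Network) and ip_address(conn.dst_ip) not in self.destination:
            return False
        if self.service != "Any" and self.service != conn.service:
            return False
        return True


def evaluate(rules: List[Rule], conn: Connection) -> str:
    """First-match semantics; anything unmatched falls to an implicit drop."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "drop"


# Constructed sample policy for the finance scenario.
INTERNAL_NET = ip_network("10.0.0.0/8")          # constructed address range
FINANCE_SEGMENT = ip_network("10.50.0.0/24")     # constructed address range
FINANCE_INTERNAL = AccessRole("Finance_Internal",
                              networks={INTERNAL_NET},
                              user_groups={"finance"})
POLICY = [
    Rule(FINANCE_INTERNAL, FINANCE_SEGMENT, "ftp", "accept"),   # the FTP accept rule
    Rule("Any", FINANCE_SEGMENT, "Any", "drop"),                # everyone else is blocked
]

if __name__ == "__main__":
    alice = Connection("10.1.2.3", "10.50.0.10", "ftp", user="alice", groups=frozenset({"finance"}))
    print(evaluate(POLICY, alice))          # accept: finance user from the internal network
    print(evaluate(POLICY, Connection("10.1.2.3", "10.50.0.10", "ftp")))   # drop: not identified
```

The unidentified case is the one worth noticing: a connection with no user identity never satisfies a role that names a user group, so it falls to the drop rule. Whether such a source is redirected to the Captive Portal first is decided by the rule's Action column, as described earlier in the chapter.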
Review
1. What steps must you take to enforce Identity Awareness rules in your Security Policy?
CHAPTER 8
Introduction to Check Point VPNs
Introduction to VPNs
Virtual Private Networking technology leverages the Internet to build and enhance secure network connectivity. Based on standard Internet secure protocols, a VPN enables secure links between special types of network nodes: the Gateways. Site-to-site VPN ensures secure links between Gateways. Remote Access VPN ensures secure links between Gateways and remote access clients.
Learning Objectives:
Configure a pre-shared secret site-to-site VPN with partner sites.
Configure permanent tunnels for remote access to corporate resources.
Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels.
Figure 82 - VPN Deployments
A VPN uses the Internet as its network backbone, allowing the establishment of secure communication links among company offices, business partners, and so on. VPNs are replacing more expensive leased lines, Frame Relay circuits, and other forms of dedicated connections.
Site-to-Site VPNs
Site-to-site VPNs are built to handle secure communication between a company's internal departments and branch offices. A site-to-site VPN's design requirements include:
Strong data encryption, to protect confidential information.
Figure 83 - Site-to-Site VPN (Branch Office)
Remote-Access VPNs
Remote-access VPNs are built to handle secure communication between a
corporate network, and remote or mobile employees. A remote-access VPN's
design requirements include:
Strong authentication, to verify remote and mobile users.
Centralized management.
Scalability, to accommodate user groups.
[Figure: Remote-Access VPN - Main Office, DMZ/Public Server(s) (E-mail, World Wide Web, File Transfer), Security Gateway, Mobile Users]
VPN Implementation
A complete VPN implementation supports all VPN categories: Intranet and remote-access VPNs. This allows a company worldwide access to network resources, links mobile workers to corporate intranets, allows customers to place orders, and enables suppliers to check inventory levels, all in a highly secure and cost-effective manner.
[Figure: VPN Implementation - DMZ/Public Server(s), Customers]
VPN Setup
Configuring a VPN can be a complicated task for Security Administrators. Check Point's management tools provide a simplified VPN setup mode, reducing the VPN configuration process to essentials, and making setup straightforward and simple.
VPN Communities
Creating VPN tunnels between Gateways is made easier through the configuration of VPN Communities. To understand VPN Communities, a number of terms need to be defined:
VPN Community member - The Gateway that resides at one end of a VPN tunnel.
VPN Domain - The hosts behind the Gateway; the VPN Domain can be the whole network that lies behind the Gateway or just a section of that network. For example, a Gateway might protect the corporate LAN and the DMZ. Only the corporate LAN needs to be defined as the VPN Domain.
VPN site - Community member plus VPN Domain; a typical VPN site would be the branch office of a bank.
VPN Community - The collection of VPN tunnels/links and their attributes.
Domain-based VPN - Routing VPN traffic based on the VPN Domain behind each Gateway in the Community; in a star Community, this allows satellite Gateways to communicate with each other through center Gateways.
Route-based VPN - Traffic routed within the VPN Community based on the routing information, static or dynamic, configured on the operating systems of the Gateways.
The methods used for encryption and ensuring data integrity determine the type of tunnel created between the Gateways, which in turn is considered a characteristic of that particular VPN Community.
Security Management Server can manage multiple VPN Communities, which means Communities can be created and organized according to specific needs.
VPN Topologies
The most basic topology consists of two Gateways capable of creating a VPN tunnel between them. Security Management Server's support for more complex topologies enables VPN Communities to be created according to the particular needs of an organization. Security Management Server supports two main VPN topologies:
Meshed
Star
Figure 87 - Meshed VPN
Figure 88 - Star VPN (Meshed)
A satellite Gateway cannot create a VPN tunnel with a Gateway that is also defined as a satellite Gateway.
Central Gateways can create VPN tunnels with other central Gateways only if the Mesh center Gateways option has been selected in the Central Gateways window of Star Community Properties.
Choosing a Topology
Which topology to choose for a VPN Community depends on the overall Policy of the organization. For example, a meshed community is usually appropriate for an Intranet in which only Gateways that are part of the internally managed network are allowed to participate; Gateways belonging to company partners are not.
Combination VPNs
For more complex scenarios, consider a company with headquarters (HQ) in two countries, London and New York. Each headquarters has a number of branch offices. The branch offices only need to communicate with the HQ in their country, not with each other; only the HQs in New York and London need to communicate directly. To comply with this Policy, define two star Communities, London and New York. Configure the London and New York Gateways as "central" Gateways. Configure the Gateways of the New York and London branch offices as "satellites." This allows the branch offices to communicate with the HQ in their country. Now create a third VPN Community, a VPN mesh consisting of the London and New York Gateways.
[Figure: London STAR and New York STAR Communities]
Figure 90 - (3DES)
In addition, the Washington and London Gateways need to communicate with each other using the weaker DES. Consider the solution in the figure.
In this solution, Gateways in the Washington mesh are also defined as satellites in the London star. In the London star, the central Gateways are meshed. Gateways in Washington build VPN tunnels with the London Gateways using DES. Internally, the Washington Gateways build VPN tunnels using 3DES.
Figure 91 - London, New York, Paris (London-NY mesh)
The London and New York Gateways belong to the London-NY Mesh VPN Community. To create an additional VPN Community which includes London, New York, and Paris is not allowed. The London and New York Gateways cannot appear "together" in more than one VPN Community.
Two Gateways that can create a VPN link between them in one Community can appear in another VPN Community, provided that they are incapable of creating a link between them in the second Community.
Figure 92 -
In the figure, the London and New York Gateways appear in the London-NY mesh. These two Gateways also appear as satellite Gateways in the Paris Star VPN Community. In the Paris Star, satellite Gateways (London and NY) can only communicate with the central Paris Gateway. Since the London and New York satellite Gateways cannot open a VPN link between them, this is a valid configuration.
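The topology rules of this section (meshed members all link; satellites link only to centers; centers link to each other only with Mesh center Gateways selected; no Gateway pair may be link-capable in two Communities) as an added example, not Check Point code. It models the London-NY mesh with the Paris star, the disallowed London-New York-Paris mesh, and the combination designs from the preceding pages; the branch-office and Washington Gateway names are constructed.

```python
"""Link-capability model for VPN Communities (added example, not Check Point code).

Encodes the rules from this section: in a meshed Community every pair of
members can build a tunnel; in a star Community satellites link only to
center Gateways, and centers link to each other only when "Mesh center
Gateways" is selected. find_conflicts() then checks that no two Gateways
are link-capable in more than one Community.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Union

Pair = FrozenSet[str]


def _pairs(names: Iterable[str]) -> Set[Pair]:
    return {frozenset(p) for p in combinations(sorted(set(names)), 2)}


class MeshedCommunity:
    def __init__(self, name: str, members: Iterable[str]):
        self.name = name
        self.members = set(members)

    def link_capable_pairs(self) -> Set[Pair]:
        return _pairs(self.members)            # every member with every other member


class StarCommunity:
    def __init__(self, name: str, centers: Iterable[str], satellites: Iterable[str],
                 mesh_center_gateways: bool = False):
        self.name = name
        self.centers = set(centers)
        self.satellites = set(satellites)
        self.mesh_center_gateways = mesh_center_gateways

    def link_capable_pairs(self) -> Set[Pair]:
        pairs = {frozenset((c, s)) for c in self.centers for s in self.satellites}
        if self.mesh_center_gateways:
            pairs |= _pairs(self.centers)      # centers to each other, only when selected
        return pairs                           # satellite-to-satellite is never included


Community = Union[MeshedCommunity, StarCommunity]


def can_link(community: Community, a: str, b: str) -> bool:
    return frozenset((a, b)) in community.link_capable_pairs()


def find_conflicts(communities: Iterable[Community]) -> Dict[Pair, List[str]]:
    """Gateway pairs that are link-capable in more than one Community."""
    seen: Dict[Pair, List[str]] = {}
    for community in communities:
        for pair in community.link_capable_pairs():
            seen.setdefault(pair, []).append(community.name)
    return {pair: names for pair, names in seen.items() if len(names) > 1}


# Topologies from the manual's figures (Gateway names as in the text).
LONDON_NY_MESH = MeshedCommunity("London-NY Mesh", ["London", "New York"])
PARIS_STAR = StarCommunity("Paris Star", centers=["Paris"], satellites=["London", "New York"])
LNP_MESH = MeshedCommunity("London-NY-Paris Mesh", ["London", "New York", "Paris"])


def valid_design() -> bool:
    """London-NY mesh plus Paris star: London and NY cannot link inside the star."""
    return not find_conflicts([LONDON_NY_MESH, PARIS_STAR])


def invalid_design() -> Dict[Pair, List[str]]:
    """London-NY mesh plus a London-NY-Paris mesh: London and NY appear together twice."""
    return find_conflicts([LONDON_NY_MESH, LNP_MESH])


if __name__ == "__main__":
    print("London-NY mesh + Paris star valid:", valid_design())
    for pair, names in invalid_design().items():
        print("conflict:", sorted(pair), "in", names)
```

The same check covers the Washington/London design: the Washington Gateways are meshed among themselves and are satellites in the London star, and because satellites never link to each other, no pair appears as link-capable twice.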
Considered more secure, Certificates are the preferred means. In addition, since the Internal CA on the Security Management Server automatically provides a Certificate to each Power-1 Gateway it manages, it is more convenient to use this type of authentication.
Domain-Based VPN
This method routes VPN traffic based on the VPN Domain behind each Gateway in the Community. In a star Community, this allows satellite Gateways to communicate with each other through center Gateways. Configuration for domain-based VPN is performed directly through SmartDashboard.
Route-Based VPN
Traffic is routed within the VPN Community based on the routing information, static or dynamic, configured on the operating systems of the Gateways. Route-based VPN is discussed in detail in the Check Point Security Administration II course.
Figure 93 -
The configuration of the Gateways into a VPN Community means that if these Gateways are allowed to communicate via an access-control Policy, then that communication is encrypted. Access control is configured in the Rule Base. Using the VPN column of the Rule Base, it is possible to create access-control rules that apply only to members of a VPN community, for example:
Destination   VPN           Service   Action
Any           Community_A   HTTP      Accept
It is also possible for a rule in the Rule Base to be relevant for both VPN Communities and host machines not in the Community.
The rule in the Rule Base allows an HTTP connection between any internal IP and any IP:
No.   Source                 Destination   VPN   Service   Action
1.    Any Internal_Machine   Any           Any   HTTP      Accept
In the figure, an HTTP connection between Host 1 and the Internal Web Server behind Gateway 2 matches this rule. A connection between Host 1 and the Web Server on the Internet also matches this rule; however, the connection between Host 1 and the Internal Web Server is a connection between members of a VPN Community and passes encrypted; the connection between Host 1 and the Internet Web Server passes in the clear.
In both cases, the connection is simply matched to the rule; whether or not the connection is encrypted is dealt with on the VPN level. VPN is another level of security separate from the access-control level.
Figure 94 -
Encrypting All Traffic
Excluded Services
In the VPN Communities Properties > Excluded Services window, you can select services that are not to be encrypted, for example control connections. Services in the clear means "do not make a VPN tunnel for this connection". Note that Excluded Services is not supported when using route-based VPN.
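The two-level behaviour described above (the VPN column as a rule-matching criterion; encryption decided separately at the VPN level) together with Excluded Services, as an added example that is not Check Point code. It reproduces the figure's scenario: Host 1 behind Gateway 1 and the Internal Web Server behind Gateway 2 are members of Community_A, the Internet Web Server sits behind no Gateway, and the "control" service name standing in for a control connection is constructed.

```python
"""Rule Base matching with a VPN column, with encryption decided at the VPN level.

Added example, not Check Point code. Hosts, Gateways, the Community and the
"control" service name are constructed to mirror the manual's figure.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Which Gateway protects each host; None means the host is on the Internet.
GATEWAY_OF: Dict[str, Optional[str]] = {
    "Host 1": "Gateway 1",
    "Internal Web Server": "Gateway 2",
    "Internet Web Server": None,
}
COMMUNITIES: Dict[str, Set[str]] = {"Community_A": {"Gateway 1", "Gateway 2"}}
GROUPS: Dict[str, Set[str]] = {"Any Internal_Machine": {"Host 1"}}   # assumed membership
EXCLUDED_SERVICES: Set[str] = {"control"}   # constructed stand-in for a control connection


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class Rule:
    source: str        # "Any" or a group name
    destination: str   # "Any" or a group name
    vpn: str           # "Any" or a Community name
    service: str       # "Any" or a service name
    action: str        # "accept" or "drop"


def common_community(conn: Connection) -> Optional[str]:
    """Name of a Community containing both endpoints' Gateways, if any."""
    gw_src, gw_dst = GATEWAY_OF.get(conn.src), GATEWAY_OF.get(conn.dst)
    if gw_src is None or gw_dst is None or gw_src == gw_dst:
        return None
    for name, members in COMMUNITIES.items():
        if gw_src in members and gw_dst in members:
            return name
    return None


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """Access-control level: the VPN column is just another match criterion."""
    if rule.source != "Any" and conn.src not in GROUPS.get(rule.source, set()):
        return False
    if rule.destination != "Any" and conn.dst not in GROUPS.get(rule.destination, set()):
        return False
    if rule.vpn != "Any" and common_community(conn) != rule.vpn:
        return False
    if rule.service != "Any" and rule.service != conn.service:
        return False
    return True


def is_encrypted(conn: Connection) -> bool:
    """VPN level: tunnel only between Community members, and never for excluded services."""
    return common_community(conn) is not None and conn.service not in EXCLUDED_SERVICES


def decide(rules: List[Rule], conn: Connection) -> Tuple[str, bool]:
    """Returns (action, encrypted); first match wins, unmatched traffic is dropped."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action, (rule.action == "accept" and is_encrypted(conn))
    return "drop", False


# The two rules from the text.
RULE_INTERNAL_HTTP = Rule("Any Internal_Machine", "Any", "Any", "http", "accept")
RULE_COMMUNITY_HTTP = Rule("Any", "Any", "Community_A", "http", "accept")

if __name__ == "__main__":
    for dst in ("Internal Web Server", "Internet Web Server"):
        print(dst, decide([RULE_INTERNAL_HTTP], Connection("Host 1", dst, "http")))
```

With the VPN column set to Any both connections are accepted and only the one between Community members is encrypted; with the column set to Community_A the connection to the Internet server no longer matches at all and falls to the implicit drop. A control connection between the two members is accepted but, being an excluded service, gets no tunnel.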
Figure 95 -
Rule Base
In the Rule Base above, several rules are shown. The first rule allows cleartext Telnet traffic to pass each way between net_oslo and net_madrid. The second rule allows encrypted FTP traffic to pass each way between the two networks. Although the second rule is an encryption rule, the Administrator cannot configure the Action column for encryption. The only actions available in the Simplified Mode of the Rule Base are as follows:
accept
drop
reject
Types of tunnels and the number of tunnels can be managed with the following features:
Permanent Tunnels - This feature keeps VPN tunnels active, allowing real-time monitoring capabilities.
VPN Tunnel Sharing - This feature provides greater interoperability and scalability between Gateways. It also controls the number of VPN tunnels created between peer Gateways.
The status of all VPN tunnels can be viewed in SmartView Monitor. For more information on monitoring, see the SmartView Monitor user guide.
Permanent Tunnels
As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore, it is essential to make sure that the VPN tunnels are kept up and running. Permanent tunnels are constantly kept active and, as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay.
Each VPN tunnel in the Community may be set to be a permanent tunnel. Since permanent tunnels are constantly monitored, if the VPN tunnel fails, then a log, alert, or user-defined action can be issued. A VPN tunnel is monitored by periodically sending "tunnel test" packets. As long as responses to the packets are received, the VPN tunnel is considered "up." If no response is received within a given time period, the VPN tunnel is considered "down." Permanent tunnels can only be established between Check Point Gateways. The configuration of permanent tunnels takes place on the Community level and:
Can be specified for an entire Community. This option sets every VPN tunnel in the Community as permanent.
Can be specified for a specific Gateway. Use this option to configure specific Gateways to have permanent tunnels.
Can be specified for a single VPN tunnel. This feature allows configuring specific tunnels between specific Gateways as permanent.
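The tunnel-test monitoring just described, as an added example that is not Check Point code: a test packet is sent at a fixed interval, the tunnel stays "up" while replies arrive, it goes "down" when no reply has been seen within the timeout, and each state change fires a hook where a log, alert or user-defined action would go. The peer name, the reply pattern and the interval and timeout values are constructed assumptions, not Check Point defaults.

```python
"""Tunnel-test state machine for a permanent VPN tunnel.

Added example, not Check Point code. The peer name, timeline and the
interval/timeout values are constructed; they are not Check Point defaults.
"""
from typing import Callable, List, Optional

ChangeHook = Callable[[str, str, int], None]


class TunnelMonitor:
    def __init__(self, peer: str, timeout: int = 30, on_change: Optional[ChangeHook] = None):
        self.peer = peer
        self.timeout = timeout          # seconds without a reply before "down"
        self.on_change = on_change      # log, alert or user-defined action
        self.state = "up"
        self.last_reply = 0
        self.events: List[str] = []     # record of state changes, one line each

    def _transition(self, new_state: str, now: int) -> None:
        if new_state == self.state:
            return                       # no repeated alerts while the state is unchanged
        self.state = new_state
        self.events.append(f"t={now}: tunnel to {self.peer} {new_state}")
        if self.on_change:
            self.on_change(self.peer, new_state, now)

    def tunnel_test(self, now: int, reply: bool) -> str:
        """One tunnel-test packet sent at time `now`; `reply` says whether the peer answered."""
        if reply:
            self.last_reply = now
            self._transition("up", now)
        elif now - self.last_reply > self.timeout:
            self._transition("down", now)
        return self.state


def simulate(replies: List[bool], interval: int = 10, timeout: int = 30) -> List[str]:
    """Run tunnel tests every `interval` seconds over a constructed reply pattern."""
    monitor = TunnelMonitor("Gateway-B", timeout=timeout)
    for i, reply in enumerate(replies):
        monitor.tunnel_test(i * interval, reply)
    return monitor.events


# Constructed pattern: three healthy tests, an outage of five tests, then recovery.
SAMPLE_REPLIES = [True, True, True, False, False, False, False, False, True, True]

if __name__ == "__main__":
    for line in simulate(SAMPLE_REPLIES):
        print(line)
```

With a 30-second timeout and a 10-second interval the tunnel is declared down at t=60, the first test at which more than 30 seconds have passed since the last reply at t=20, and up again at t=80 when replies resume; the intermediate missed tests produce no event.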
Office Mode - Addresses routing issues between the client and the Gateway by encapsulating IP packets with the remote user's original IP address, thereby enabling users to appear as if they were "in the office" while connecting remotely. Office Mode also provides enhanced anti-spoofing by ensuring that the IP address encountered by the Gateway is authenticated and assigned to the user.
Visitor Mode - Enables employees to access resources while they are working at a remote location such as a hotel or a customer office, where Internet connectivity may be limited to Web browsing using the standard HTTP and HTTPS ports. The client tunnels all client-to-Gateway traffic through a regular TCP connection on port 443.
Hub Mode - Enables rigorous, centralized inspection of all client traffic, removing the need to deploy security functions to multiple offices, and giving employees secure client-to-client communications such as Voice over IP (VoIP) or Internet conferencing using applications like Microsoft NetMeeting.
Figure 96 -
After the IKE negotiation ends successfully, a secure connection (a VPN tunnel) is established between the client and the Gateway. All connections between the client and the Gateway's VPN domain (the LAN behind the Gateway) are encrypted inside this VPN tunnel, using the IPSec standard. Except for when the user is asked to authenticate in some manner, the VPN establishment process is transparent.
1. The remote user initiates a connection to Gateway 1.
2. The user is not authenticated via the VPN database, but an LDAP server belonging to VPN Site 2.
3. Gateway 1 verifies that the user exists by querying the LDAP server behind Gateway 2.
4. Once the user's existence is verified, the Gateway then authenticates the user; for example, by validating the user's certificate.
5. Once IKE is successfully completed, a tunnel is created; the remote client connects to Host 1.
Review
1. What is a VPN Community?
4. When planning a VPN topology, what questions should be asked? Who needs secure/private access? From the point of view of the VPN, what will be the structure of the organization? How will externally managed Gateways authenticate?
APPENDIX
Chapter Questions and Answers
2. What are the advantages of Check Point's Secure Management Architecture (SMART)? In what way does it benefit an enterprise network and its Administrators?
SMART is a unified approach to centralizing Policy management and configuration, including monitoring, logging, analysis, and reporting within a single control center.
3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?
Used by the Security Administrator, the Security Management Server manages the Security Policy. In order to perform that role, the Security Management Server must establish SIC with other components, so that communication is verified and management can be performed on any component on the network.
2. Why is there a warning message when switching to Active mode in SmartView Tracker?
There are performance implications for memory and network resources in Active mode, since data is being actively logged.
Server?
Operating-system compatibility
Disk-space availability
Package not already installed
Package dependencies met
tity?
Session Authentication Agent.
1. What steps must you take to enforce Identity Awareness rules in your Security Policy?
Enable Identity Awareness from either the gateway's General Properties page or the Identity Awareness page.
Define a method to capture user login information.
Create an Access Role with networks, user groups, and/or machines included.
Define a rule in the Rule Base that includes an Access Role and enable Captive Portal if necessary.
the point of view of the VPN, what will be the structure of the organization?
How will externally managed Gateways authenticate?
Attend training
Download study guides
Challenge practice exams
Interact with technical communities
www.checkpoint.com
ISBN-13: 978-1-935862-11-6
PIN: 704735
Check Point
SOFTWARE TECHNOLOGIES LTD.