checkpoint

checkpoint firewall.
  • You are most welcome, guys!!
    On popular demand I have enabled downloading of the source file.
    No need to give out your email IDs when you can simply download the file.
    Cheers!!
  • Heya.. after reading the slides, these are the most useful notes regarding Checkpoint I've ever read. I really wish to download the slides; can you send the slides to my email please? yatie_802@yahoo.com. Thanks, cheers.
Presentation Transcript

  • VPN-1/FireWall-1 NG Management I
  • VPN-1/FireWall-1 NG Management I Course Description Objectives  Identify the basic components of VPN-1/FireWall-1 NG  Successfully configure VPN-1/FireWall-1 NG (NT and/or Solaris)  Identify the VPN-1/FireWall-1 NG elements that you will need to manage  Successfully create and manage management objects  Demonstrate how to use the Security Policy, Log Viewer and System Status  Successfully apply NAT rules  Successfully demonstrate the ability to authenticate users
  • VPN-1/FireWall-1 NG Management I Course Layout: Course Requirements, Prerequisites, Check Point Certified Security Administrator (CCSA)
  • Course Requirements The course is geared towards system administrators, support analysts and network engineers
  • Prerequisites Each delegate should have: general knowledge of TCP/IP; working knowledge of Windows and/or Unix; working knowledge of network technology; working knowledge of the Internet
  • Check Point Certified Security Administrator (CCSA) The exam is wide ranging and covers all aspects of Check Point FireWall-1 NG. Some of the topics can be found on pages 2-3; however, all documentation on the course CD should be reviewed, including the PDFs
  • VPN-1/FireWall-1 NG Management I Course Map Module 1: VPN-1/FireWall-1 NG Architecture Module 2: Security Policy Rule Base and Properties Setup Module 3: Advanced Security Policy Module 4: Log Management Module 5: Authentication Parameters: User, Client, and Session Authentication
  • VPN-1/FireWall-1 NG Management I Course Map (continued) Module 6: Network Address Translation
  • VPN-1/FireWall-1 NG Management I Lab Setup: Lab Topology, IP Addresses, Lab Terms, Lab Stations
  • VPN-1/FireWall-1 NG Management I Lab Topology
  • VPN-1/FireWall-1 NG Management I System Requirements: Management Client  Platform: Windows 9x, ME, NT 4.0, Windows 2000 Pro  Disk Space: 40 Mbytes  Memory: 128 Mbytes  Network I/F: all interfaces supported by the operating system
  • VPN-1/FireWall-1 NG Management I System Requirements: FireWall-1 NG FP2 Modules on Windows  OS: Windows NT and Windows 2000  Processor: Intel Pentium II 300+ MHz or equivalent  Disk Space: 40 Mbytes  Memory: 128 Mbytes  Network I/F: all interfaces supported by the operating system
  • VPN-1/FireWall-1 NG Management I System Requirements: Management Server or FireWall-1 Module on Solaris  OS: Solaris 7 (SunOS 5.7), Solaris 8 (SunOS 5.8)  CPU Architecture: Solaris 7: 32-bit mode; Solaris 8: 32-bit and 64-bit mode  Disk Space: 40 Mbytes (software installation only)  Memory: 128 Mbytes  CPU: 360 MHz  Required OS patches: check the latest release notes
  • VPN-1/FireWall-1 NG Management I System Requirements: Management Server or FireWall-1 Module on Linux  OS: Red Hat Linux 6.2 and 7.0  CPU Architecture: 32-bit and 64-bit  Disk Space: 40 Mbytes  Memory: 128 Mbytes  CPU: Intel Pentium II 300+ MHz
  • Module 1: VPN-1/FireWall-1 NG Architecture
  • Module 1: Introduction Objectives  Describe the purpose of a firewall  Describe and compare firewall architectures  Identify the different components of VPN-1/FireWall-1 NG
  • Module 1 Key Terms Firewall Packet Filtering Application Layer Gateway (Proxy) Client/Server Model Stateful Inspection Management Client Secure Internal Communication (SIC) Virtual Private Network (VPN) Secure Virtual Network (SVN)
  • Module 1: Check Point Product Overview  Securing the Internet  An emerging requirement  Securing Networks, Systems, Application and Users
  • Module 1 Secure Virtual Network (SVN) is a true security architecture: it integrates multiple capabilities, including firewall security, VPNs, IP address management etc., within a common management framework, and enables security to be defined and enforced in a single policy incorporating all aspects of network security
  • Module 1 Emerging requirements To enjoy benefits of an eBusiness model a robust security infrastructure needs to be deployed Integrating the security infrastructure with application environment  providing full security for eBusiness  allowing easily established and maintained trusted relationships
  • Module 1 SVN Architecture designed to meet the challenges of eBusiness; connects the four elements common to any enterprise network  Networks  Systems  Applications  Users
  • Module 1: SVN Diagram
  • Module 1: VPN-1/FireWall-1 Key component of SVN architecture  Access Control  User Authentication  Network Address Translation (NAT)  Virtual Private Networking  High Availability  Content Security  Auditing and Reporting  LDAP-based user management
  • Module 1: VPN-1/FireWall-1-continued  Intrusion Detection  Malicious Activity Detection  Third-party Device Management  High Availability and Load Sharing
  • Module 1: Internet Firewall Technologies A firewall is a system designed to  prevent unauthorised access to or from a secured network  act as a locked security door between internal and external networks  data meeting certain criteria will be allowed through However, note that a firewall can only protect a network from traffic filtered through it
  • Module 1 Stateful Inspection Technology invented by Check Point Software Technologies; utilises the INSPECT Engine  Programmable using the INSPECT language  Provides for system extensibility  Dynamically loaded into the OS kernel  Intercepts and inspects all inbound and outbound packets on all interfaces  Verifies that packets comply with the security policy
  • Module 1: Firewall Technologies Packet Filters Application-Layer Gateway Stateful Inspection VPN-1/FireWall-1 NG Enforcement Module INSPECT Language VPN-1/FireWall-1 NG Advantages
  • Module 1: Packet Filtering Path in the OSI Model
  • Module 1: Packet Filter FTP Example
  • Module 1: Application-Layer Gateway Path
  • Module 1: VPN-1/FireWall-1 NG Enforcement Module
  • Module 1: How VPN-1/FireWall-1 NG FP-1 Works INSPECT Allowing Packets  if a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination  packets destined for local OS processes are inspected first, then passed up the TCP/IP stack  if packets do not pass inspection, they are rejected, or dropped, and logged
  • Module 1: INSPECT Module Flow
  • Module 1: VPN-1/FireWall-1 NG Architecture The Policy Editor Management Module VPN-1/FireWall-1 NG Enforcement Module SVN Foundation
  • Module 1: Check Point Policy Editor
  • Module 1 Management Module security policy is defined using the policy editor on the Management client it is then saved to the Management module Management Module maintains FW-1 NG databases including  network object definitions  user definitions  security policy  log files
  • Module 1 VPN-1/Firewall-1 NG Enforcement Module deployed on the Internet gateway an Inspection script written in INSPECT is generated from the security policy inspection code is compiled from the script and downloaded to the enforcement module
  • Module 1 SVN Foundation Check Point SVN Foundation NG (CPShared) is the operating-system layer (CPOS) integrated with every Check Point product; all Check Point products use the CPOS services via CPShared. The SVN Foundation includes:  Secure Internal Communication (SIC)  Check Point registry  CPShared daemon  Watch Dog for critical services  cpconfig  License utilities  SNMP daemon
  • Module 1: Secure Internal Communication (SIC) Communication Components Security Benefits SIC Certificates Communication Between Management Modules and Components Communication Between Management Modules and Management Clients
  • Module 1 Communication Components SIC secures communication between CheckPoint SVN components such as  management modules  management clients  VPN-1/Firewall 1 NG modules  customer log modules  SecureConnect modules  policy servers  OPSEC applications
  • Module 1 Security Benefits of SIC confirms that a management client connecting to a management module is authorised; verifies that a security policy loaded on a firewall module came from an authorised management module; ensures that data privacy and integrity are maintained
  • Module 1 SIC Certificates SIC uses certificates for authentication and standards-based SSL for encryption; this enables each Check Point enabled machine to be uniquely identified; certificates are generated by the Internal Certificate Authority (ICA) on the Management module; a unique certificate is generated for each physical machine
  • Module 1 Communication between Management Modules and Components the ICA automatically creates a certificate for the Management module during installation; certificates for other modules are created via a simple initialisation from the Management Client; upon initialisation, the ICA creates, signs and delivers a certificate to the communication component
  • Module 1 Communication between Management Modules and Management Clients the management client must be defined as authorised; when invoking the Policy Editor on the Management client, the user is asked:  to identify themselves  to specify the IP address of the Management Module; the Management Client then initiates an SSL-based connection; the Management Module verifies the Client’s IP address and sends back its certificate
  • Module 1: Distributed VPN-1/FireWall-1 NG configuration showing the components with certificates
  • Module 1: Distributed Client/Server Configuration
  • Module 1: Review Summary Review Questions
  • Module 1: Review Question #1: What is Stateful Inspection? Class Discussion
  • Module 1: Review Question #2: Why is Stateful Inspection more reliable than packet filtering and application layer gateways for protecting networks? Class Discussion
  • Module 1: Review Question #3: What process does VPN-1/FireWall-1 NG use to accept, drop, or reject packets? The NG Enforcement Module
  • Module 1: Review Question #4: What three components make up VPN-1/FireWall-1 NG? The Policy Editor The Management Server The Enforcement Point
  • Module 1a Installation of VPN-1/Firewall-1 module Installation of Management Module Installation of Management Client
  • Module 1a: Pre-installation Configuration Network Configuration  ensure the network is properly configured (especially routing)  on WinNT and Solaris enable IP routing/forwarding  for WinNT, disable the NetBEUI protocol (not an IP protocol, so not intercepted by FireWall-1)  environment variables are set automatically (via the installation wrapper) on WinNT, Win2000 and Solaris
  • Module 1a: VPN-1/FireWall-1 NG Client-Server Configuration  a distributed installation is supported
  • Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Windows NT Server
  • Module 1a: Lab 1a:
  • Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Sun Solaris
  • Module 1a: Lab 2a:
  • Module 1a: Installing VPN-1/FireWall-1 NG Management Client on Windows NT
  • Module 1a: Lab 3a:
  • Module 2: Security Policy Rule Base and Properties Setup
  • Module 2: Introduction Objectives  Explain the function and operation of a Security Policy.  Demonstrate the creation of network objects and groups, using the Management Client.  Demonstrate the setup of anti-spoofing on the firewall.  Demonstrate the setup and operation of an active Security Policy.
  • Module 2 Key Terms Security Policy Rule Base Rule Base Elements spoofing anti-spoofing implicit rules explicit rules implicit-drop rule
  • Module 2: Security Policy Defined What is a Security Policy?  a set of rules that defines network security Considerations  what kind of services, including customised services and sessions are allowed across the network  what users’ permissions and authentication schemes are needed  what objects are in the network e.g. gateways, hosts, networks, routers and domains
  • Module 2: Check Point Policy Editor enables administrators to define security policy
  • Module 2: Access Control for Administrators Concurrent Sessions  only one administrator with read/write permissions can be logged in at any one time Management Module Fingerprint  at the first log-on to a management server, the management client receives the management server’s certificate fingerprint  this should be checked against a copy of the fingerprint obtained out of band from the management server itself (cpconfig displays it) before the client trusts the connection
  • Module 2: Rule Base Defined Rule Base Elements  the individual components that make up a rule  No.  Source  Destination  If/Via  Services  Action  Track  Install on  Time  Comment
  • Module 2 Rule Base Defined Ctd. Rule Base Element Options  to customise the element options in the rule base
  • Module 2: Example Policy Editor
  • Module 2: Lab 1: Launching the Policy Editor
  • Module 2: VPN-1/FireWall-1 NG Licensing License Types  central – the license is linked to the IP number of the management server  local – tied to the IP number to which the license will be applied Obtaining Licenses  locate certificate key on the CD cover of the CP CD  contact www.checkpoint.com - selecting User Center to obtain eval or permanent license Check Point User Center
  • Module 2: SecureUpdate Made up of two components – Installation Manager and License Manager  allows tracking of currently installed versions of CP and OPSEC products  updating of installed CP and OPSEC software remotely from a centralised location  centrally managing licenses
  • Module 2: SecureUpdate Architecture, Distributed Configuration
  • Module 2: Defining Basic Objects
  • Module 2: Detecting Spoofing Spoofing is a technique used by intruders attempting to gain unauthorised access  a packet’s source IP address is altered to appear to come from a part of the network with higher privileges Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway  i.e. packets claiming to originate in the internal network, actually DO come from that network
  • Module 2 Detecting Spoofing Configuring Anti-Spoofing  networks reachable from an interface need to be defined appropriately  should be configured on all interfaces  spoof tracking is recommended  anti-spoofing rules are enforced before any rule in the Security Policy rule base
  • Module 2: Anti-Spoofing
  • Module 2: Creating the Rule Base Basic Rule Base Concepts  each rule in a rule base defines the packets that match the rule based on Source, Destination, Service and the Time the packet is inspected  the first rule that matches a packet is applied
  • Module 2 The default rule added when you add a rule to the Rule Base
  • Module 2: The Basic Rules Cleanup Rule  CP follows the principle “that which is not expressly permitted, is prohibited”  all communication attempts not matching a rule will be dropped  the cleanup rule drops all the communication but allows specific logging
  • Module 2 The Basic Rules The Stealth Rule  prevents users from connecting directly to the firewall
  • Module 2: Defining Basic Rules
  • Module 2: Implicit and Explicit Rules Completing the Rule Base  Firewall-1 NG creates implicit rules derived from the policy properties and includes explicit rules created by the user in the Policy Editor Understanding Rule Base Order  viewing implied rules will show both sets of rules merged in the correct sequence
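The evaluation order covered on the anti-spoofing and rule base slides above, as an added example. This is a toy model in Python, not Check Point code and not the INSPECT engine: the interface topology, the rules, the implied-rule contents and the packets are all constructed for the example, and only the position names First / Before Last / Last are Check Point's own. It shows anti-spoofing being decided per interface before any rule, implied rules merged around the explicit rule base, the stealth rule shielding the gateway, first-match semantics, and the cleanup rule catching what nothing else matched.

```python
# Added example (not Check Point code): a toy model of the order in which a
# VPN-1/FireWall-1 NG gateway evaluates a packet. Anti-spoofing is checked per
# interface before any rule; implied rules from Global Properties are merged
# with the explicit rule base at their First / Before Last / Last positions;
# the first matching rule decides; the cleanup rule drops everything else.
# Interface names, networks, rules and packets are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"
GATEWAY = ip_address("203.0.113.1")              # the gateway's own address
MGMT_STATION = [ip_network("10.1.0.99/32")]      # management server/client
EXTERNAL_IF = "eth0"
INTERNAL_TOPOLOGY = {                            # networks behind each internal interface
    "eth1": [ip_network("10.1.0.0/16")],         # LocalNet
    "eth2": [ip_network("192.168.50.0/24")],     # DMZ
}

@dataclass
class Packet:
    iface: str        # interface the packet arrived on
    src: str
    dst: str
    service: str

@dataclass
class Rule:
    name: str
    src: object       # ANY, "Gateway", or a list of ip_network
    dst: object
    services: object  # ANY or a set of service names
    action: str       # "accept" or "drop"

def _addr_match(spec, addr):
    if spec == ANY:
        return True
    if spec == "Gateway":
        return addr == GATEWAY
    return any(addr in net for net in spec)

def anti_spoof_ok(pkt):
    """A packet must arrive on the interface its source address belongs behind."""
    src = ip_address(pkt.src)
    internal = [n for nets in INTERNAL_TOPOLOGY.values() for n in nets]
    if pkt.iface == EXTERNAL_IF:
        return not any(src in n for n in internal)   # outside must not claim an inside address
    return any(src in n for n in INTERNAL_TOPOLOGY.get(pkt.iface, []))

# Implied rules: the position names are Check Point's, the contents are constructed.
IMPLIED = {
    "First": [Rule("Accept control connections", MGMT_STATION, "Gateway", {"FW1", "CPMI"}, "accept")],
    "Before Last": [Rule("Accept ICMP", ANY, ANY, {"icmp"}, "accept")],
    "Last": [],
}

# Explicit rule base from the Policy Editor: stealth rule first, cleanup rule last.
EXPLICIT = [
    Rule("Stealth", ANY, "Gateway", ANY, "drop"),
    Rule("LocalNet to Internet", INTERNAL_TOPOLOGY["eth1"], ANY, {"http", "https"}, "accept"),
    Rule("Public web server", ANY, [ip_network("192.168.50.10/32")], {"http"}, "accept"),
    Rule("Cleanup", ANY, ANY, ANY, "drop"),
]

def merged_rule_base():
    """Implied and explicit rules in the sequence the enforcement module applies."""
    return (IMPLIED["First"] + EXPLICIT[:-1] + IMPLIED["Before Last"]
            + EXPLICIT[-1:] + IMPLIED["Last"])

def inspect(pkt):
    """Return (action, reason): anti-spoofing first, then first match on the rule base."""
    if not anti_spoof_ok(pkt):
        return "drop", "anti-spoofing on " + pkt.iface
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in merged_rule_base():
        if (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
                and (rule.services == ANY or pkt.service in rule.services)):
            return rule.action, rule.name      # first match wins; later rules are never consulted
    return "drop", "no rule matched"

if __name__ == "__main__":
    for p in (Packet("eth1", "10.1.0.5", "198.51.100.20", "http"),
              Packet("eth0", "10.1.0.5", "192.168.50.10", "http"),   # spoofed inside address
              Packet("eth1", "10.1.0.5", "203.0.113.1", "ssh")):      # hits the stealth rule
        print(p, "->", inspect(p))
```

Two things to notice when running it: the management station reaches the gateway on CPMI even though the stealth rule comes first in the explicit rule base, because the control-connection rule is implied at the First position; and a spoofed packet never reaches any rule at all, so a permissive rule cannot accidentally accept it.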
  • Module 2: Implied Rules
  • Module 2: Verifying and Installing a Security Policy
  • Module 2: Command Line Options for the Security Policy Basic Options  cpstart/cpstop starts and stops all Check Point applications running on the machine  cplic print displays the details of the installed licenses  fwstart/fwstop starts and stops the FireWall-1 NG module, the firewall daemon (fwd), the management server (fwm), the SNMP daemon (snmpd) and the authentication daemons
  • Module 2: Review Summary Review Questions
  • Module 2: Review Question #1: What are the steps for creating and enforcing a Security Policy? Name your policy, add rules with objects, install the policy
  • Module 2: Review Question #2: What is the difference between implicit and explicit rules? Implicit (or pseudo) rules are created by VPN-1/FireWall-1 NG, and are derived from the security properties. Explicit rules are created by the user.
  • Module 2: Review Question #3: What order are policies and rules matched? Policies and rules are matched in order on the Rule Base, one rule at a time.
  • Module 3: Advanced Security Policy
  • Module 3: Introduction Objectives  Demonstrate how to perform the following:  Hide and unhide rules  View hidden rules  Define a rule mask  Apply rule masks  Show how to install and uninstall a Security Policy
  • Module 3: Introduction Objectives (continued)  List the guidelines for improving VPN-1/FireWall-1 NG performance, using a Security Policy Key Term  masking rules
  • Module 3: Masking Rules Overview  rules in a rule base can be hidden to make a complex rule base easier to read (masking rules)  all other rules remain visible and their numbers won’t change  hidden rules are still enforced on the gateway
  • Module 3 Masking Rules Viewing Hidden Rules  if View Hidden in the Rules>Hide menu is checked, all rules set as hidden are displayed Unhiding Hidden Rules  select Unhide All from the Rules>Hide menu
  • Module 3: Disabling Rules Disabling Rules  disabling a rule only takes effect after the security policy is reinstalled  the disabled rule is still displayed in the Policy Editor rule base Enabling a Disabled Rule  select the disabled rule and right click  select Disable Rule to deselect it  remember to reinstall the policy
  • Module 3: Uninstalling a Security Policy Steps for Uninstalling a Security Policy  select Policy>Uninstall from the Security Policy Editor main screen  click Select All to select all items on the screen (specific items may be deselected)  click OK
  • Module 3: Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy Management Module  listing machine names and IP addresses in a hosts file will decrease installation time for created network objects  /etc/hosts (Solaris)  \winnt\system32\drivers\etc\hosts (Windows)
  • Module 3 Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy Enforcement Module  keep the rulebase simple  position the most frequently used rules at the top of the rulebase  don’t log unnecessary connections  use a network object in place of many workstation objects  use IP address ranges in rules instead of a set of workstations
  • Module 3: Review Summary Review Questions
  • Module 3: Review Question #1: If a rule is masked or hidden, is it disabled and no longer part of the Rule Base? No, masked or hidden rules are still part of the Rule Base, and are installed when a Security Policy is installed.
  • Module 3: Review Question #2: When you select a rule, and then select “Disable Rule(s)” from the menu, what must you also do before the rule is actually disabled? Install the Security Policy
  • Module 3: Review Question #3: How does masking help you maintain a Rule Base? Discussion
  • Module 3: Review Question #4: Define some guidelines for improving VPN-1/FireWall-1 NG’s performance via a Security Policy. Discussion
  • Module 4: Log Management
  • Module 4: Introduction Objectives  Identify the three display modes of the Log Viewer  Identify and define Status Manager icons  Assign network objects to display in Status Manager  Enable automatic updating of Status Manager
  • Module 4: Introduction Objectives (continued)  Specify selection criteria and save log files  Describe the steps needed to block an intruder  List the three blocking scope options and their uses  Describe how block request is used
  • Module 4 Key Terms log viewer status manager
  • Module 4: Log Viewer provides visual tracking, monitoring and accounting information provides control over the log files display allows quick access to information any event which causes an alert is logged, including some system events such as an install of a policy
  • Module 4: Logging
  • Module 4 Log Viewer Kernel Side  FWD merges the log fragments produced by the FW-1 kernel components into one log record  each log record is stamped with a Log Unification Unique ID (LUUID) Server Side  FWD transfers the log record to the log database (fw.log) on the log server/management module  a single connection is represented by one entry in the Log Viewer
  • Module 4 Log Viewer Log Viewer Logon  Select Window>Log Viewer from the security policy main menu Data (Column) Fields  the administrator can specify which of the available data fields (columns) to display Column Menu  right clicking anywhere in the column of the log viewer will invoke the column menu
  • Module 4 Log Viewer Log Viewer Toolbar Buttons
  • Module 4 Log Viewer Log Types  there are seven predefined log selections which can be displayed from the toolbar, including  general predefined selection  firewall-1 predefined selection  account predefined selection  FloodGate-1 predefined selection  SecureClient predefined selection  UA WebAccess predefined selection
  • Module 4 Log Viewer Log Viewer Mode  there are three different predefined selection views  log mode  active mode  audit mode
  • Module 4: Log Viewer (continued) Log File Management  the File menu allows the administrator to perform the following tasks :  Log Switch  Open  Save as  Purge  Print  Export
  • Module 4: Configuring the Security Policy for Logging System-wide logging and alerting  Global Properties window allows an administrator to define system-wide logging and alert parameters for options such as  VPN successful key exchange  VPN packet handling errors  VPN configuration and key exchange errors etc.
  • Module 4: Blocking Connections Terminating a Connection with Block Intruder  it is possible to block an active connection using the source IP address  the scope of the blocked connection can be  block only this connection  block access from this source  block access to this destination
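The two mechanisms described on the Log Viewer kernel-side slide and the Block Intruder slide above, as one added example. It is Python written for this page, not Check Point code, and the key=value log fragments are constructed; they are not the real fw.log layout, only a stand-in that shares the one property the slide describes, a LUUID common to all fragments of one connection. The first half unifies fragments into a single record per connection; the second turns a chosen record plus one of the three blocking scopes into a block entry and tests later connections against it.

```python
# Added example (not Check Point code, and not the real fw.log layout): how log
# fragments are unified into one record per connection, and how the three Block
# Intruder scopes turn one chosen record into a match against later connections.
# The fragments below are constructed key=value lines; the LUUID is the field
# the kernel-side fragments of one connection share.
SCOPES = {
    "only this connection": ("src", "dst", "service"),
    "from this source": ("src",),
    "to this destination": ("dst",),
}

FRAGMENTS = [   # constructed; several fragments per connection, as the kernel emits them
    "luuid=0x5a1 conn=1001 src=198.51.100.7 dst=192.168.50.10 service=http action=accept",
    "luuid=0x5a2 conn=1002 src=198.51.100.7 dst=192.168.50.11 service=ftp action=accept",
    "luuid=0x5a1 bytes=4096",
    "luuid=0x5a3 conn=1003 src=203.0.113.77 dst=192.168.50.10 service=http action=accept",
    "luuid=0x5a1 elapsed=00:00:12",
]

def unify(fragments):
    """Merge fragments sharing a LUUID into one record (one line in the Log Viewer)."""
    records = {}
    for line in fragments:
        fields = dict(kv.split("=", 1) for kv in line.split())
        luuid = fields.pop("luuid")
        records.setdefault(luuid, {}).update(fields)   # later fragments add fields
    return records

def block_request(records, conn_id, scope):
    """Block entry an administrator gets from Block Intruder on a known connection ID."""
    keys = SCOPES[scope]                                 # unknown scope raises KeyError
    rec = next((r for r in records.values() if r.get("conn") == str(conn_id)), None)
    if rec is None:
        raise LookupError(f"no active connection with id {conn_id}")
    return {k: rec[k] for k in keys}

def is_blocked(blocks, conn):
    """True if a new connection {src, dst, service} matches any active block entry."""
    return any(all(conn.get(k) == v for k, v in b.items()) for b in blocks)

if __name__ == "__main__":
    recs = unify(FRAGMENTS)
    blocks = [block_request(recs, 1001, "from this source")]
    print(is_blocked(blocks, {"src": "198.51.100.7", "dst": "192.168.50.11", "service": "ftp"}))
```

The scope choice is the security-relevant decision: "from this source" also stops the attacker's other connections (1002 here), "to this destination" stops every client of the targeted server, and "only this connection" stops nothing but the exact tuple, so an intruder who changes source port or service is not affected.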
  • Module 4: Block Intruder
  • Module 4: Status Manager Status Manager Logon Working with the Status Manager Interface Modules View Module Status Product Details Windows Critical Notifications
  • Module 4: Checking VPN-1/FireWall-1 NG Status in the Status Manager
  • Module 4: Review Summary Review Questions
  • Module 4: Review Question #1: What are the three display modes of Log Viewer? Log Audit Active
  • Module 4: Review Question #2: What are the three blocking scope options and their uses? Block only this connection Block access from this source IP Block access to this destination
  • Module 4: Review Question #3: What option could you use to block an intruder whose connection ID is known? Block request
  • Module 5: Authentication Parameters: User, Client, and Session Authentication
  • Module 5: Introduction Objectives  Demonstrate how to implement authentication.  Demonstrate the process of creating users and groups.  Demonstrate the setup of authentication parameters.
  • Module 5: Introduction Objectives (continued)  Demonstrate how to implement user authentication, using various authentication schemes.  List types of services supported by VPN-1/FireWall-1 NG requiring user name and password.  Demonstrate how to implement client authentication.  Demonstrate how to implement session authentication.
  • Module 5 Key Terms User Authentication Client Authentication Session Authentication Session Authentication Agent
  • Module 5: Understanding Authentication User Authentication  grants access on a per user basis  can be used for Telnet, FTP, RLOGIN, HTTP  requires separate authentication for each connection
  • Module 5: Understanding Authentication Session Authentication  requires authentication for each connection  can be used with any service  requires a Session Authentication Agent
  • Module 5 Understanding Authentication Client Authentication  grants access on a per host basis  allows connections for a specific IP address after successful authentication  can be used for any number of connections  can be used for any service  most commonly used authentication method
  • Module 5 Understanding Authentication Authentication Schemes  S/Key  OS Password  VPN-1/FireWall-1 Password  SecurID  RADIUS  Axent Defender  TACACS
  • Module 5: User Authentication Overview user authentication is provided by the security servers on the gateway; when a rule specifies user authentication the corresponding security server is invoked (TELNET, FTP, HTTP or RLOGIN); if authentication is successful the security server opens a separate connection to the target server
  • Module 5: Defining User Templates
  • Module 5: Defining Users from Templates
  • Module 5: Set Up Authentication Parameters
  • Module 5: HTTP User Authentication with a VPN-1 & FireWall-1 Password
  • Module 5: Telnet User Authentication with a VPN-1 & FireWall-1 Password (Optional)
  • Module 5: FTP User Authentication with a VPN-1 & FireWall-1 Password (Optional)
  • Module 5: Client Authentication How Client Authentication Works  enables administrators to grant access privileges to a specific IP address  authentication is by username and password, but access is granted to the host machine (IP)  can be used for any number of connections, for any service, for any length of time
  • Module 5: Client Authentication
  • Module 5: Sign On Methods Source Field  the source field in the User Properties window may specify that the user is not allowed access from the source address, while the rule allows access; this field specifies how to resolve the conflict Destination Field  the destination field in the User Properties window may specify that the user is not allowed access to the destination address, while the rule allows access; this field specifies how to resolve that conflict
  • Module 5 Sign On Methods Required Sign On  Standard Sign On – user is allowed to use all the services permitted by the rule for the authorisation period Specific Sign On  only connections that match the original connection are allowed without additional authentication
  • Module 5 Sign on Methods Sign On Method  Manual – the user has to initiate Client Authentication by  telnet to port 259  http to port 900  Partially Automatic Client Authentication  Fully Automatic Client Authentication  Agent Automatic Sign On  Single sign on
  • Module 5 Sign on Methods Successful Authentication Tracking  logging option for Client Authentication attempts for the session
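The behaviour described on the Client Authentication and Sign On Methods slides above, as an added example. It is a Python toy model written for this page, not Check Point code: the user database, the password hashing, the client authentication rule (LocalNet to Any for telnet, ftp and http), the 30-minute authorization period and the timings are all constructed, and "now" is passed in as a number of seconds so the example is deterministic. It shows the point practitioners most often get wrong about Client Authentication: access is granted to the host's IP address, not to the user, and Standard versus Specific Sign On decides how much that host gets.

```python
# Added example (not Check Point code): a toy model of Client Authentication.
# After one successful sign-on, access is granted to the *host* (its IP address),
# not to the user. Standard Sign On opens every service the rule permits from that
# host for the authorization period; Specific Sign On opens only the destination
# and service named at sign-on. Users, passwords, the rule and the timings are
# constructed for the example; "now" is passed in as seconds for determinism.
import hashlib
import hmac
from ipaddress import ip_address, ip_network

SIGNON_PORTS = {"telnet": 259, "http": 900}     # where a user signs on manually
RULE_SOURCE = ip_network("10.1.0.0/16")         # client auth rule: LocalNet -> Any
RULE_SERVICES = {"telnet", "ftp", "http"}
AUTH_PERIOD = 30 * 60                           # authorization period, seconds

_SALT = b"example-salt"                         # constructed; a real store salts per user

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice": _pw_hash("correct horse")}    # VPN-1/FireWall-1 Password scheme stand-in

class ClientAuth:
    def __init__(self, sign_on="standard"):
        if sign_on not in ("standard", "specific"):
            raise ValueError("sign_on must be 'standard' or 'specific'")
        self.sign_on = sign_on
        self.grants = {}            # host ip -> (expires_at, user, allowed pairs or None)

    def authenticate(self, src, user, password, now, dst=None, service=None):
        """Manual sign-on from host `src` (telnet 259 / http 900). Returns (ok, reason)."""
        host = ip_address(src)
        if host not in RULE_SOURCE:
            return False, "source not covered by the client authentication rule"
        stored = USERS.get(user)
        if stored is None or not hmac.compare_digest(stored, _pw_hash(password)):
            return False, "authentication failed"   # same answer for unknown user and bad password
        if self.sign_on == "specific":
            if dst is None or service not in RULE_SERVICES:
                return False, "specific sign-on needs a permitted destination and service"
            allowed = {(ip_address(dst), service)}
        else:
            allowed = None                          # every service the rule permits
        self.grants[host] = (now + AUTH_PERIOD, user, allowed)
        return True, f"access granted to host {src} for {AUTH_PERIOD // 60} minutes"

    def is_authorized(self, src, dst, service, now):
        """Is a connection from src to dst/service allowed without re-authenticating?"""
        host = ip_address(src)
        grant = self.grants.get(host)
        if grant is None:
            return False
        expires_at, _user, allowed = grant
        if now >= expires_at:
            del self.grants[host]                   # authorization period over
            return False
        if service not in RULE_SERVICES:
            return False                            # the rule never permitted this service
        return allowed is None or (ip_address(dst), service) in allowed

if __name__ == "__main__":
    ca = ClientAuth("standard")
    print(ca.authenticate("10.1.0.5", "alice", "correct horse", now=0))
    print(ca.is_authorized("10.1.0.5", "198.51.100.20", "ftp", now=60))   # True: same host
    print(ca.is_authorized("10.1.0.6", "198.51.100.20", "ftp", now=60))   # False: per host
```

The per-host grant is also the caveat: on a shared or NATed host, anyone behind the same address inherits Alice's sign-on until the authorization period ends, which is why Specific Sign On or a short period is the safer setting for multi-user machines.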
  • Module 5: Client Authentication
  • Module 5: Additional Features of Single Sign On Single Sign On For Multiple Users  privileged user can sign on and off on behalf of other users User Authority SecureAgent  extends UA capabilities to the LAN by having the SecureAgent on the desktop
  • Module 5: Single Sign On Example Network A user on Localnet would normally TELNET to port 259 on London, authenticate, and then request access to BigBen. With the single sign on system extension, another user can open the connection to BigBen in advance on behalf of a user on Localnet
  • Module 5: Additional Features of Client Authentication Redirection of HTTP Requests According to Host Header  it is possible to configure Firewall-1 to complete the connection according to the destination specified in the HTTP host header  used when several http hosts share the same virtual IP address
  • Module 5 Additional Features of Client Authentication Authorizing All Standard Sign on Rules  Firewall-1 will automatically open all standard rules after successful authentication through partial or fully automatic sign on  if user successfully authenticates according to an automatic sign on rule all standard sign on rules which specify that user and source are opened.
  • Module 5: Session Authentication Overview How Session Authentication Works  based on a pre-session authentication method  can be integrated with any application  CP Session Agent must be loaded on the client machine  authentication performed by the daemon module
  • Module 5: Session Authentication 1. User initiates a connection directly to the server 2. Firewall-1 Inspection module intercepts the connection and connects to Session Authentication agent 3. Session agent prompts for authentication data and returns this to the inspection module 4. if successful, Firewall-1 module allows the connection to pass through the gateway
  • Module 5: Session Authentication
  • Module 5: Review Summary Review Questions
  • Module 5: Review Question #1: What are the three types of VPN-1/FireWall-1 NG authentication? User Authentication Client Authentication Session Authentication
  • Module 5: Review Question #2: When you want a user to authenticate once, and then be able to use any service until logging off, which authentication type would you use? Client Authentication
  • Module 5: Review Question #3: When defining user authentication, where do you add the authentication rule-above or below the stealth rule? Below the stealth rule
  • Module 5: Review Question #4: What is the advantage of using session authentication, over client authentication and user authentication? The advantage session authentication has over user authentication is that session authentication can be used with any service. The advantage session authentication has over client authentication is that the user is prompted automatically with session authentication, where client authentication encompasses a manual process the user has to remember.
  • Module 5: Review Question #5: Why would the client authentication rule need to be placed above the stealth rule? Client authentication requires a connection made to the firewall, that the stealth rule prevents, so either the client rule must be above the stealth rule to allow the connection, or a rule must be placed above the client authentication rule that allows connections to port 259/900 on the firewall.
  • Module 6: Network Address Translation
  • Module 6: Introduction Objectives
    • List the reasons and methods for Network Address Translation
    • Demonstrate how to set up Static NAT
    • Demonstrate how to set up Dynamic (Hide) NAT
    • Describe basic network configurations using NAT
  • Module 6: Key Terms
    • Network Address Translation (NAT)
    • Static Source NAT
    • Static Destination NAT
    • Dynamic (Hide) NAT
    • Automatic and Manual NAT rules
    • Address Resolution Protocol (ARP)
  • Module 6: Network Address Translation NAT conceals internal computers from outside networks. As a component of VPN-1/FireWall-1 it is used for three things:
    • to make use of private IP addresses on the internal network
    • to limit external network access for security reasons
    • to give ease and flexibility to network administration
  • Module 6: NAT IP Addressing
    • RFC 1918 details the reserved address groups
    • Class A network numbers – 10.0.0.0 – 10.255.255.255
    • Class B network numbers – 172.16.0.0 – 172.31.255.255
    • Class C network numbers – 192.168.0.0 – 192.168.255.255
  • Module 6: Network Security
    • an additional benefit of NAT is increased network security
    • an internal host can connect both inside and outside the intranet
    • an external, unknown host outside the network cannot connect to an internal host
    • external connections with a spoofed internal address will be recognised and prevented from gaining access
    • internal public servers are made available by inbound mapping of well-known TCP ports to specific internal addresses
  • Module 6: Network Administration VPN-1/FireWall-1 supports two types of NAT:
    • Static NAT
    • Dynamic (Hide) NAT
    Static NAT:
    • translates each private address to a corresponding public address
    • has two modes, static source and static destination
  • Module 6: Static Source NAT
    • translates private internal source IP addresses to a public external source IP address
    • initiated by internal clients with a private IP address
  • Module 6: Static Source NAT
  • Module 6: Address Translation Using Static Source Mode
  • Module 6: Static Destination NAT
    • translates public addresses to private addresses
    • initiated by external clients
  • Module 6: Address Translation Using Static Destination Mode
  • Module 6: Address Translation Using Static Destination Mode
  • Module 6: Dynamic (Hide) NAT
    • used for connections initiated by hosts in an internal network where the hosts’ IP addresses are private
    • private internal addresses are hidden behind a single public external address
    • uses dynamically assigned port numbers to distinguish between them
  • Module 6: Dynamic NAT
  • Module 6: Dynamic (Hide) NAT (Ctd.)
    • in hide mode, packets’ source port numbers are modified
    • the destination of a packet is determined by the port number
    • port numbers are dynamically assigned from two pools of numbers:
      • from 600 to 1023
      • from 10,000 to 60,000
    • hide mode cannot be used for protocols where the port number cannot be changed or where the destination IP address is required
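    To make the static source/destination and hide mode behaviour on the preceding slides concrete, here is an added toy translator (example code written for these notes, not Check Point software). The port pools are the ones the slides give; the rule layout, field names and the sample addresses are assumed.

```python
# Added example (not Check Point code): toy model of the NAT behaviour the
# slides describe. Rule layout, field names and sample addresses are assumed.
from ipaddress import ip_address, ip_network

# Port pools the slides give for Hide NAT; ports are handed out in this order.
HIDE_PORT_POOLS = [(600, 1023), (10000, 60000)]


class NatTable:
    """Toy gateway holding one set of static pairs and one Hide NAT rule."""

    def __init__(self, static_pairs, hide_net, hide_addr, pools=HIDE_PORT_POOLS):
        # static_pairs: {private_ip: public_ip}; used for source and destination NAT
        self.static = {ip_address(p): ip_address(v) for p, v in static_pairs.items()}
        self.static_rev = {v: p for p, v in self.static.items()}
        self.hide_net = ip_network(hide_net)     # hosts hidden behind hide_addr
        self.hide_addr = ip_address(hide_addr)
        self.by_port = {}                        # hide port -> (orig src, orig sport)
        self.by_flow = {}                        # (orig src, orig sport) -> hide port
        self._ports = (p for lo, hi in pools for p in range(lo, hi + 1))

    def outbound(self, src, sport, dst, dport):
        """Translate a packet leaving the internal network; None = cannot translate."""
        src = ip_address(src)
        if src in self.static:                   # Static Source NAT: one-to-one
            return (str(self.static[src]), sport, dst, dport)
        if src in self.hide_net:                 # Hide NAT: rewrite address and port
            flow = (src, sport)
            if flow not in self.by_flow:
                port = next(self._ports, None)
                if port is None:                 # both pools exhausted
                    return None
                self.by_flow[flow] = port
                self.by_port[port] = flow
            return (str(self.hide_addr), self.by_flow[flow], dst, dport)
        return (str(src), sport, dst, dport)     # no NAT rule matched: unchanged

    def inbound(self, src, sport, dst, dport):
        """Translate a packet arriving from outside; None = dropped (no mapping)."""
        dst = ip_address(dst)
        if dst in self.static_rev:               # Static Destination NAT
            return (src, sport, str(self.static_rev[dst]), dport)
        if dst == self.hide_addr and dport in self.by_port:
            osrc, osport = self.by_port[dport]   # reply to a hidden host's flow
            return (src, sport, str(osrc), osport)
        return None                              # hidden hosts are unreachable from outside
```

    Static pairs are checked before the hide rule here, so a host with its own valid address keeps it; everything else in the hidden network shares one address and is told apart only by the allocated port.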
  • Module 6: Hide Mode Address Translation
  • Module 6: Hiding behind 0.0.0.0
    • if the administrator specifies 0.0.0.0 as the hide address, all clients will be hidden behind the firewall’s server side interface
  • Module 6: Hiding Behind 0.0.0.0
  • Module 6: Automatic and Manual NAT Rules NAT Rules
    • NAT rules consist of two elements:
      • the conditions that specify when the rule is to be applied
      • the action to be taken when the rule is applied
    • each section in the NAT Rule Base Editor is divided into Source, Destination and Service
  • Module 6: Automatic and Manual NAT Rules NAT Rules
    • the action is always the same:
      • translate the source under the original packet to the source under the translated packet
      • translate the destination under the original packet to the destination under the translated packet
      • translate the service under the original packet to the service under the translated packet
  • Module 6: Network Address Translation Properties
    • several properties can be applied to automatically generated NAT rules
    • these are enabled by default in new installations, but disabled by default when upgrading from previous versions
    • these properties can be configured in the Network Address Translation page of the Global Properties window
    • IP Pools
    • IP Pool NAT Track
    • Address Translation and Routing
  • Module 6: Network Address Translation Properties (Ctd.)
    • Allow Bi-directional NAT
      • the firewall will check all of the rules to see if a source in one rule and a destination in another rule match
      • the firewall will take the first source rule and the first destination rule that are found to match, applying both rules concurrently
  • Module 6: Network Address Translation Properties (Ctd.)
    • Translate destination on client side
      • prior versions of FireWall-1 performed NAT on the server side, requiring special anti-spoofing and internal routing
    • Automatic ARP configuration
      • ARP tables on the gateway are automatically configured, so that ARP requests for a NATed machine, network or address range are answered by the gateway
  • Module 6: IP Pools
    • a range of IP addresses routable to a gateway
    • encrypted connections opened to a host will have a substituted IP address from the IP Pool as the source IP address
    • the addresses must be routable back to the gateway
  • Module 6: Address Translation Example: Gateway with Two Interfaces Routing
    • the router routes IP addresses in the network 199.203.73.0 to the gateway
    • the gateway routes IP address 192.203.73.3 to the internal interface (10.0.0.1)
    • the gateway routes IP addresses 199.203.73.64 through 199.203.73.80 to the internal interface (10.0.0.1)
  • Module 6: Gateway with Two Interfaces
  • Module 6: Address Translation Example: Gateway with Three Interfaces Routing
    • ensure the router routes IP addresses in the network 192.45.125.0 to the gateway
    • the gateway should be able to route IP address 172.45.125.209 to the internal interface (195.9.200.1)
  • Module 6: Gateway with Three Interfaces
  • Module 6: Address Translation Example Two Networks Statically Translated
  • Module 6: Two Networks Statically Translated
  • Module 6: Address Translation and Anti-Spoofing
    • anti-spoofing is performed correctly for automatically generated NAT rules (provided it is allowed in the Global Properties)
    • there will be a conflict between anti-spoofing and NAT if NAT takes place at the server side
    • to correct the problem, the translated (i.e. the Valid) address is added to the public addresses on the internal interface
  • Module 6: Static NAT
  • Module 6: Hide NAT
  • Module 6: Review Summary Review Questions
  • Module 6: Review Question #1: What is NAT? Replacing one IP address in a packet with a different IP address.
  • Module 6: Review Question #2: What is the reason for using NAT, as related to IP addressing? To conceal the network’s internal IP addresses from the Internet; to translate private addresses to public addresses, and back
  • Module 6: Review Question #3: What is the NAT Rule Base? Automatically generated and manually entered NAT rules