
checkpoint firewall.

Published in: Business, Technology
  • You are most welcome guys!!

    On popular demand I have enabled the downloading of the source file.

    No need to give out your email IDs when you can simply download the file.

    Cheers!!
  • heya..
    After reading the slides, these are the most useful notes regarding Checkpoint I've ever read. I really wish to download the slides; can you send the slides to my email please? Thanks, cheers.
  • checkpoint

    1. VPN-1/FireWall-1 NG Management I
    2. VPN-1/FireWall-1 NG Management I: Course Description
       Objectives
       • Identify the basic components of VPN-1/FireWall-1 NG
       • Successfully configure VPN-1/FireWall-1 NG (NT and/or Solaris)
       • Identify the VPN-1/FireWall-1 NG elements that you will need to manage
       • Successfully create and manage management objects
       • Demonstrate how to use the Security Policy, Log Viewer, and System Status
       • Successfully apply NAT rules
       • Successfully demonstrate the ability to authenticate users
    3. VPN-1/FireWall-1 NG Management I: Course Layout
       • Course Requirements
       • Prerequisites
       • Check Point Certified Security Administrator (CCSA)
    4. Course Requirements
       The course is geared towards:
       • System administrators
       • Support analysts
       • Network engineers
    5. Prerequisites
       Each delegate should have:
       • General knowledge of TCP/IP
       • Working knowledge of Windows and/or Unix
       • Working knowledge of network technology
       • Working knowledge of the Internet
    6. Check Point Certified Security Administrator (CCSA)
       The exam is wide ranging and covers all aspects of Check Point FireWall-1 NG. Some of the topics can be found on pages 2-3; however, all documentation covered on the course CD should be reviewed, including the PDFs.
    7. VPN-1/FireWall-1 NG Management I: Course Map
       • Module 1: VPN-1/FireWall-1 NG Architecture
       • Module 2: Security Policy Rule Base and Properties Setup
       • Module 3: Advanced Security Policy
       • Module 4: Log Management
       • Module 5: Authentication Parameters: User, Client, and Session Authentication
    8. VPN-1/FireWall-1 NG Management I: Course Map (continued)
       • Module 6: Network Address Translation
    9. VPN-1/FireWall-1 NG Management I: Lab Setup
       • Lab Topology
       • IP Addresses
       • Lab Terms
       • Lab Stations
    10. VPN-1/FireWall-1 NG Management I: Lab Topology
    11. VPN-1/FireWall-1 NG Management I: VPN-1/FireWall-1 NG System Requirements, Management Client
        • Platform: Windows 9x, ME, NT 4.0, Windows 2000 Pro
        • Disk Space: 40 Mbytes
        • Memory: 128 Mbytes
        • Network I/F: all interfaces supported by the operating system
    12. VPN-1/FireWall-1 NG Management I: VPN-1/FireWall-1 NG System Requirements, FireWall-1 NG FP2 Modules on Windows Platform
        • OS: Windows NT and Windows 2000
        • Processor: Intel Pentium II 300+ MHz or equivalent
        • Disk Space: 40 Mbytes
        • Memory: 128 Mbytes
        • Network I/F: all interfaces supported by the operating system
    13. VPN-1/FireWall-1 NG Management I: VPN-1/FireWall-1 NG System Requirements, Management Server or FireWall-1 Module on Solaris
        • OS: Solaris 7 (SunOS 5.7), Solaris 8 (SunOS 5.8)
        • CPU Architecture: Solaris 7 in 32-bit mode; Solaris 8 in 32-bit and 64-bit mode
        • Disk Space: 40 Mbytes (software installation only)
        • Memory: 128 Mbytes
        • CPU: 360 MHz
        • Required OS Patches: check the latest release notes for the required patches
    14. VPN-1/FireWall-1 NG Management I: VPN-1/FireWall-1 NG System Requirements, Management Server or FireWall-1 Module on a Linux Platform
        • OS: Red Hat Linux 6.2 and 7.0
        • CPU Architecture: 32 bit and 64 bit
        • Disk Space: 40 Mbytes
        • Memory: 128 Mbytes
        • CPU: Intel Pentium II 300+ MHz
    15. Module 1: VPN-1/FireWall-1 NG Architecture
    16. Module 1: Introduction
        Objectives
        • Describe the purpose of a firewall
        • Describe and compare firewall architectures
        • Identify the different components of VPN-1/FireWall-1 NG
    17. Module 1: Key Terms
        • Firewall
        • Packet Filtering
        • Application Layer Gateway (Proxy)
        • Client/Server Model
        • Stateful Inspection
        • Management Client
        • Secure Internal Communication (SIC)
        • Virtual Private Network (VPN)
        • Secure Virtual Network (SVN)
    18. Module 1: Check Point Product Overview
        • Securing the Internet
        • An emerging requirement
        • Securing Networks, Systems, Applications and Users
    19. Module 1: Secure Virtual Network (SVN)
        • SVN is a true security architecture
        • Integrates multiple capabilities, including firewall security, VPNs, IP address management etc., all within a common management framework
        • Enables security to be defined and enforced in a single policy incorporating all aspects of network security
    20. Module 1: Emerging Requirements
        • To enjoy the benefits of an eBusiness model, a robust security infrastructure needs to be deployed
        • Integrating the security infrastructure with the application environment:
          - providing full security for eBusiness
          - allowing easily established and maintained trusted relationships
    21. Module 1: SVN Architecture
        • Designed to meet the challenges of eBusiness
        • Connects the four elements common to any enterprise network:
          - Networks
          - Systems
          - Applications
          - Users
    22. Module 1: SVN Diagram
    23. Module 1: VPN-1/FireWall-1
        Key component of the SVN architecture:
        • Access Control
        • User Authentication
        • Network Address Translation (NAT)
        • Virtual Private Networking
        • High Availability
        • Content Security
        • Auditing and Reporting
        • LDAP-based user management
    24. Module 1: VPN-1/FireWall-1 (continued)
        • Intrusion Detection
        • Malicious Activity Detection
        • Third-party Device Management
        • High Availability and Load Sharing
    25. Module 1: Internet Firewall Technologies
        A firewall is a system designed to:
        • prevent unauthorised access to or from a secured network
        • act as a locked security door between internal and external networks
        • allow through only data meeting certain criteria
        However, note that a firewall can only protect a network from traffic filtered through it.
    26. Module 1: Stateful Inspection
        • Technology invented by Check Point Software Technologies
        • Utilises the INSPECT Engine, which:
          - is programmable using the INSPECT language
          - provides for system extensibility
          - is dynamically loaded into the OS kernel
          - intercepts and inspects all inbound and outbound packets on all interfaces
          - verifies that packets comply with the security policy
    27. Module 1: Firewall Technologies
        • Packet Filters
        • Application-Layer Gateway
        • Stateful Inspection
        • VPN-1/FireWall-1 NG Enforcement Module
        • INSPECT Language
        • VPN-1/FireWall-1 NG Advantages
    28. Module 1: Packet Filtering Path in the OSI Model
    29. Module 1: Packet Filter FTP Example
    30. Module 1: Application-Layer Gateway Path
    31. Module 1: VPN-1/FireWall-1 NG Enforcement Module
    32. Module 1: How VPN-1/FireWall-1 NG FP-1 Works
        INSPECT: allowing packets
        • If a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination
        • Packets destined for the OS's local processes are inspected, then passed through the TCP/IP stack
        • If packets do not pass inspection, they are rejected or dropped, and logged
    33. Module 1: INSPECT Module Flow
    34. Module 1: VPN-1/FireWall-1 NG Architecture
        • The Policy Editor
        • Management Module
        • VPN-1/FireWall-1 NG Enforcement Module
        • SVN Foundation
    35. Module 1: Check Point Policy Editor
    36. Module 1: Management Module
        • The security policy is defined using the Policy Editor on the Management Client; it is then saved to the Management Module
        • The Management Module maintains the FW-1 NG databases, including:
          - network object definitions
          - user definitions
          - security policy
          - log files
    37. Module 1: VPN-1/FireWall-1 NG Enforcement Module
        • Deployed on the Internet gateway
        • An inspection script written in INSPECT is generated from the security policy
        • Inspection code is compiled from the script and downloaded to the Enforcement Module
    38. Module 1: SVN Foundation
        • Check Point SVN Foundation NG (CPShared) is the operating system integrated with every Check Point product
        • All Check Point products use the CPOS services via CPShared
        • The SVN Foundation includes:
          - Secure Internal Communications (SIC)
          - Check Point registry
          - CPShared daemon
          - Watch Dog for critical services
          - cpconfig
          - License utilities
          - SNMP daemon
    39. Module 1: Secure Internal Communication (SIC)
        • Communication Components
        • Security Benefits
        • SIC Certificates
        • Communication Between Management Modules and Components
        • Communication Between Management Modules and Management Clients
    40. Module 1: Communication Components
        SIC secures communication between Check Point SVN components such as:
        • management modules
        • management clients
        • VPN-1/FireWall-1 NG modules
        • customer log modules
        • SecureConnect modules
        • policy servers
        • OPSEC applications
    41. Module 1: Security Benefits of SIC
        • Confirms that a management client connecting to a management module is authorised
        • Verifies that a security policy loaded on a firewall module came from an authorised management module
        • Ensures that data privacy and integrity are maintained
    42. Module 1: SIC Certificates
        • SIC for Check Point VPN uses certificates for authentication and standards-based SSL for encryption
        • Enables each Check Point enabled machine to be uniquely identified
        • Certificates are generated by the Internal Certificate Authority (ICA) on the Management Module
        • A unique certificate is generated for each physical machine
    43. Module 1: Communication between Management Modules and Components
        • The ICA automatically creates a certificate for the Management Module during installation
        • Certificates for other modules are created via a simple initialisation from the Management Client
        • Upon initialisation, the ICA creates, signs and delivers a certificate to the communication component
    44. Module 1: Communication between Management Modules and Management Clients
        • The Management Client must be defined as authorised
        • When invoking the Policy Editor on the Management Client, the user is asked to:
          - identify themselves
          - specify the IP address of the Management Module
        • The Management Client then initiates an SSL-based connection
        • The Management Module verifies the Client's IP address
        • The Management Module sends back its certificate
    45. Module 1: Distributed VPN-1/FireWall-1 NG configuration showing the components with certificates
    46. Module 1: Distributed Client/Server Configuration
    47. Module 1: Review
        • Summary
        • Review Questions
    48. Module 1: Review Question #1: What is Stateful Inspection? (Class discussion)
    49. Module 1: Review Question #2: Why is Stateful Inspection more reliable than packet filtering and application layer gateways for protecting networks? (Class discussion)
    50. Module 1: Review Question #3: What process does VPN-1/FireWall-1 NG use to accept, drop, or reject packets? The NG Enforcement Module.
    51. Module 1: Review Question #4: What three components make up VPN-1/FireWall-1 NG? The Policy Editor, the Management Server and the Enforcement Point.
    52. Module 1a
        • Installation of VPN-1/FireWall-1 module
        • Installation of Management Module
        • Installation of Management Client
    53. Module 1a: Pre-installation Configuration
        Network configuration
        • Ensure the network is properly configured (especially routing)
        • On WinNT and Solaris, enable IP routing/forwarding
        • For WinNT, disable the NetBEUI protocol (not an IP protocol, so not intercepted by FireWall-1)
        • Environment variables are set automatically (via the installation wrapper) on WinNT, Win2000 and Solaris
    54. Module 1a: VPN-1/FireWall-1 NG Client-Server Configuration
        • A distributed installation is supported
    55. Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Windows NT Server
    56. Module 1a: Lab 1a
    57. Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Sun Solaris
    58. Module 1a: Lab 2a
    59. Module 1a: Installing VPN-1/FireWall-1 NG Management Client on Windows NT
    60. Module 1a: Lab 3a
    61. Module 2: Security Policy Rule Base and Properties Setup
    62. Module 2: Introduction
        Objectives
        • Explain the function and operation of a Security Policy
        • Demonstrate the creation of network objects and groups, using the Management Client
        • Demonstrate the setup of anti-spoofing on the firewall
        • Demonstrate the setup and operation of an active Security Policy
    63. Module 2: Key Terms
        • Security Policy
        • Rule Base
        • Rule Base Elements
        • spoofing
        • anti-spoofing
        • implicit rules
        • explicit rules
        • implicit-drop rule
    64. Module 2: Security Policy Defined
        What is a Security Policy?
        • A set of rules that defines network security
        Considerations
        • What kinds of services, including customised services and sessions, are allowed across the network
        • What user permissions and authentication schemes are needed
        • What objects are in the network, e.g. gateways, hosts, networks, routers and domains
    65. Module 2: Check Point Policy Editor
        • Enables administrators to define the security policy
    66. Module 2: Access Control for Administrators
        Concurrent sessions
        • Only one administrator with read/write permissions can be logged in at any one time
        Management Module fingerprint
        • At the first log-on to a management server, the Management Client receives the management server's fingerprint
        • This can be checked against a copy of the fingerprint for verification
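The fingerprint check on slide 66 is a trust-on-first-use decision: the first log-on records the server's fingerprint (ideally after comparing it with a copy obtained out of band, such as from the server's console), and every later log-on must present the same one. The following Python is an added illustration of that logic, not code from the course or from Check Point; the SHA-1 hex rendering, the server address 192.0.2.10 and the certificate bytes are constructed for the example (the product renders its fingerprint in its own format).

```python
import hashlib
import hmac


def fingerprint(cert_der: bytes) -> str:
    """Fingerprint of the management server's certificate: SHA-1 over the certificate
    bytes, rendered as colon-separated hex. (Assumption for this example only; the
    real product uses its own rendering. The comparison logic is the point.)"""
    digest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FingerprintStore:
    """Client-side record of the fingerprint received on the first log-on to each
    management server, plus the check performed on every later log-on."""

    def __init__(self):
        self.known = {}  # server address -> fingerprint string

    def verify(self, server, presented, reference=None):
        """Return (ok, message).
        First log-on: record the presented fingerprint, unless a reference copy obtained
        out of band is supplied and does not match it.
        Later log-ons: the presented fingerprint must equal the recorded one."""
        stored = self.known.get(server)
        if stored is None:
            if reference is not None and not hmac.compare_digest(presented, reference):
                return False, f"{server}: presented fingerprint differs from the out-of-band copy; not recorded"
            self.known[server] = presented
            return True, f"{server}: first log-on, fingerprint recorded"
        if hmac.compare_digest(stored, presented):
            return True, f"{server}: fingerprint matches the recorded copy"
        return False, f"{server}: fingerprint CHANGED; refuse to log on until verified out of band"


# Constructed stand-ins for certificate bytes (not real certificates).
GENUINE_CERT = b"-- constructed DER bytes of the genuine management server certificate --"
OTHER_CERT = b"-- constructed DER bytes of some other certificate --"


def demo():
    """First log-on with an out-of-band copy, a normal second log-on, then a changed certificate."""
    store = FingerprintStore()
    server = "192.0.2.10"  # constructed management server address
    genuine = fingerprint(GENUINE_CERT)
    return [
        store.verify(server, genuine, reference=genuine),
        store.verify(server, genuine),
        store.verify(server, fingerprint(OTHER_CERT)),
    ]


if __name__ == "__main__":
    for ok, msg in demo():
        print("OK  " if ok else "FAIL", msg)
```

The third log-on fails because the presented fingerprint no longer matches the recorded one; that is exactly the case (a different machine answering on the management server's address) that the manual comparison on the slide is meant to catch.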
    67. Module 2: Rule Base Defined
        Rule Base elements: the individual components that make up a rule
        • No.
        • Source
        • Destination
        • If/Via
        • Services
        • Action
        • Track
        • Install On
        • Time
        • Comment
    68. Module 2: Rule Base Defined (continued)
        Rule Base element options
        • Used to customise the element options in the Rule Base
    69. Module 2: Example Policy Editor
    70. Module 2: Lab 1: Launching the Policy Editor
    71. Module 2: VPN-1/FireWall-1 NG Licensing
        License types
        • Central: the license is linked to the IP address of the management server
        • Local: tied to the IP address of the machine to which the license will be applied
        Obtaining licenses
        • Locate the certificate key on the CD cover of the Check Point CD
        • Contact the Check Point User Center to obtain an evaluation or permanent license
    72. Module 2: SecureUpdate
        Made up of two components, Installation Manager and License Manager:
        • allows tracking of the currently installed versions of Check Point and OPSEC products
        • allows updating of installed Check Point and OPSEC software remotely from a centralised location
        • allows central management of licenses
    73. Module 2: SecureUpdate Architecture, Distributed Configuration
    74. Module 2: Defining Basic Objects
    75. Module 2: Detecting Spoofing
        • Spoofing is a technique used by intruders attempting to gain unauthorised access: a packet's source IP address is altered to appear to come from a part of the network with higher privileges
        • Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway, i.e. packets claiming to originate in the internal network actually DO come from that network
    76. Module 2: Detecting Spoofing
        Configuring anti-spoofing
        • The networks reachable from an interface need to be defined appropriately
        • Should be configured on all interfaces
        • Spoof tracking is recommended
        • Anti-spoofing rules are enforced before any rule in the Security Policy Rule Base
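Slides 75 and 76 describe anti-spoofing as a topology check: each interface is told which networks lie behind it, and a packet whose source does not belong on the interface it arrived on (or whose destination does not belong behind the interface it would leave by) is dropped before the Rule Base is consulted. The Python below is an added example of that check, written for this page and not taken from the product; the three-interface gateway, its networks and the sample packets are constructed. It treats an interface with no networks defined as the external one, where any address not claimed by another interface is valid.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    """A gateway interface and the networks defined as reachable behind it.
    An interface with no networks listed is the external interface: any address
    that is not defined behind another interface is valid there."""
    name: str
    networks: list = field(default_factory=list)


@dataclass
class Verdict:
    action: str  # "accept" or "drop"
    reason: str


def build_topology(config):
    """config maps interface name -> list of CIDR strings (empty list = external)."""
    return [Interface(name, [ipaddress.ip_network(c) for c in cidrs])
            for name, cidrs in config.items()]


def _valid_on(ip, iface, topology):
    """True if ip is a legitimate address on the 'iface' side of the gateway."""
    if iface.networks:
        return any(ip in net for net in iface.networks)
    return not any(ip in net for other in topology if other is not iface
                   for net in other.networks)


def check_packet(topology, in_iface, src_ip, out_iface, dst_ip, spoof_log=None):
    """Anti-spoofing check, applied before the Rule Base is consulted: the source must
    belong on the inbound interface and the destination behind the outbound interface.
    Drops are appended to spoof_log when one is given (spoof tracking)."""
    by_name = {i.name: i for i in topology}
    for name in (in_iface, out_iface):
        if name not in by_name:
            return Verdict("drop", f"unknown interface {name}")
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if not _valid_on(src, by_name[in_iface], topology):
        verdict = Verdict("drop", f"spoofed source {src} arrived on {in_iface}")
    elif not _valid_on(dst, by_name[out_iface], topology):
        verdict = Verdict("drop", f"destination {dst} is not reachable via {out_iface}")
    else:
        return Verdict("accept", f"{src} -> {dst} is consistent with the topology")
    if spoof_log is not None:
        spoof_log.append(verdict.reason)
    return verdict


# Constructed three-interface gateway: eth0 external, eth1 and eth2 internal networks.
TOPOLOGY_CONFIG = {"eth0": [], "eth1": ["10.1.0.0/16"], "eth2": ["192.168.5.0/24"]}

if __name__ == "__main__":
    topo = build_topology(TOPOLOGY_CONFIG)
    log = []
    samples = [  # (in_iface, src, out_iface, dst), all constructed
        ("eth0", "203.0.113.7", "eth1", "10.1.2.3"),     # genuine Internet client
        ("eth0", "10.1.2.3", "eth1", "10.1.2.4"),        # internal address claimed from outside
        ("eth1", "10.1.2.3", "eth0", "203.0.113.7"),     # genuine internal client
        ("eth1", "192.168.5.9", "eth0", "203.0.113.7"),  # eth2 address appearing on eth1
    ]
    for pkt in samples:
        print(pkt, check_packet(topo, *pkt, spoof_log=log).action)
    print("spoof log:", log)
```

Two of the four constructed packets are dropped: the one arriving on the external interface with an internal source, and the one arriving on eth1 with an address that belongs behind eth2. Neither reaches the Rule Base, which is why the slide insists that the topology be defined on every interface: an interface left undefined is one the check cannot reason about.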
    77. Module 2: Anti-Spoofing
    78. Module 2: Creating the Rule Base
        Basic Rule Base concepts
        • Each rule in a Rule Base defines the packets that match the rule, based on Source, Destination, Service and the Time the packet is inspected
        • The first rule that matches a packet is applied
    79. Module 2: The default rule added when you add a rule to the Rule Base
    80. Module 2: The Basic Rules
        The Cleanup Rule
        • Check Point follows the principle "that which is not expressly permitted is prohibited"
        • All communication attempts not matching a rule will be dropped
        • The Cleanup Rule drops all such communication but allows it to be logged
    81. Module 2: The Basic Rules
        The Stealth Rule
        • Prevents users from connecting directly to the firewall
    82. Module 2: Defining Basic Rules
    83. Module 2: Implicit and Explicit Rules
        Completing the Rule Base
        • FireWall-1 NG creates implicit rules derived from the policy properties and includes the explicit rules created by the user in the Policy Editor
        Understanding Rule Base order
        • Viewing implied rules shows both sets of rules merged in the correct sequence
    84. Module 2: Implied Rules
    85. Module 2: Verifying and Installing a Security Policy
    86. Module 2: Command Line Options for the Security Policy
        Basic options
        • cpstart/cpstop: starts and stops all Check Point applications running on the machine
        • cplic print: displays the details of the firewall licenses
        • fwstart/fwstop: starts and stops the FireWall NG module, firewall daemon (fwd), management module (fwm), SNMP daemon (snmpd) and authentication daemons
    87. Module 2: Review
        • Summary
        • Review Questions
    88. Module 2: Review Question #1: What are the steps for creating and enforcing a Security Policy? Name your policy, add rules with objects, install the policy.
    89. Module 2: Review Question #2: What is the difference between implicit and explicit rules? Implicit (or pseudo) rules are created by VPN-1/FireWall-1 NG and are derived from the security properties. Explicit rules are created by the user.
    90. Module 2: Review Question #3: In what order are policies and rules matched? Policies and rules are matched in order on the Rule Base, one rule at a time.
    91. Module 3: Advanced Security Policy
    92. Module 3: Introduction
        Objectives
        • Demonstrate how to perform the following:
          - Hide and unhide rules
          - View hidden rules
          - Define a rule mask
          - Apply rule masks
        • Show how to install and uninstall a Security Policy
    93. Module 3: Introduction
        Objectives (continued)
        • List the guidelines for improving VPN-1/FireWall-1 NG performance, using a Security Policy
        Key term
        • masking rules
    94. Module 3: Masking Rules
        Overview
        • Rules in a Rule Base can be hidden to allow easier reading of a complex Rule Base (masking rules)
        • All other rules will be visible; however, their numbers won't change
        • Hidden rules are still enforced on the gateway
    95. Module 3: Masking Rules
        Viewing hidden rules
        • If View Hidden in the Rules > Hide menu is checked, all rules set as hidden are displayed
        Unhiding hidden rules
        • Select Unhide All from the Rules > Hide menu
    96. Module 3: Disabling Rules
        Disabling rules
        • A disabled rule will only take effect after the Security Policy is reinstalled
        • The rule will still be displayed in the Policy Editor Rule Base
        Enabling a disabled rule
        • Select the disabled rule and right-click
        • Select Disable Rule to deselect it
        • Remember to reinstall the policy
    97. Module 3: Uninstalling a Security Policy
        Steps for uninstalling a Security Policy
        • Select Policy > Uninstall from the Security Policy Editor main screen
        • Click Select All to select all items on the screen (specific items may be deselected)
        • Click OK
    98. Module 3: Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy
        Management Module
        • Listing machine names and IP addresses in a hosts file will decrease installation time for the created network objects:
          - /etc/hosts (Solaris)
          - \winnt\system32\drivers\etc\hosts (Windows)
    99. Module 3: Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy
        Enforcement Module
        • Keep the Rule Base simple
        • Position the most frequently used rules at the top of the Rule Base
        • Don't log unnecessary connections
        • Use a network object in place of many workstation objects
        • Use IP address ranges in rules instead of a set of workstations
    100. Module 3: Review
         • Summary
         • Review Questions
    101. Module 3: Review Question #1: If a rule is masked or hidden, is it disabled and no longer part of the Rule Base? No, masked or hidden rules are still part of the Rule Base and are installed when a Security Policy is installed.
    102. Module 3: Review Question #2: When you select a rule and then select "Disable Rule(s)" from the menu, what must you also do before the rule is actually disabled? Install the Security Policy.
    103. Module 3: Review Question #3: How does masking help you maintain a Rule Base? (Discussion)
    104. Module 3: Review Question #4: Define some guidelines for improving VPN-1/FireWall-1 NG's performance via a Security Policy. (Discussion)
    105. Module 4: Log Management
    106. Module 4: Introduction
         Objectives
         • Identify the three display modes of the Log Viewer
         • Identify and define Status Manager icons
         • Assign network objects to display in Status Manager
         • Enable automatic updating of Status Manager
    107. Module 4: Introduction
         Objectives (continued)
         • Specify selection criteria and save log files
         • Describe the steps needed to block an intruder
         • List the three blocking scope options and their uses
         • Describe how Block Request is used
    108. Module 4: Key Terms
         • Log Viewer
         • Status Manager
    109. Module 4: Log Viewer
         • Provides visual tracking, monitoring and accounting information
         • Provides control over the log file display
         • Allows quick access to information
         • Any event which causes an alert is logged, including some system events such as the installation of a policy
    110. Module 4: Logging
    111. Module 4: Log Viewer
         Kernel side
         • FWD merges the log fragments produced by the FW-1 kernel components into one log record
         • Each log record is stamped with a Log Unification Unique ID (LUUID)
         Server side
         • FWD transfers the log record to the log database (fw.log) on the log server/management module
         • A single connection is represented by one entry in the Log Viewer
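Slide 111 describes log unification: several kernel components emit fragments about the same connection, each stamped with the connection's LUUID, and FWD merges them so the Log Viewer shows one entry per connection. The Python below is an added example of that merge, written for this page and not the product's own implementation; the fragment format (a dict per fragment with a luuid and a sequence number) and the sample fragments are constructed. It merges by LUUID regardless of arrival order, keeps the earliest timestamp, and records any field on which two fragments disagree instead of silently overwriting it.

```python
from collections import OrderedDict

# Constructed log fragments, as kernel components might hand them to FWD: every fragment
# carries the LUUID of its connection and a sequence number. They are deliberately out of order.
FRAGMENTS = [
    {"luuid": "4f2a-0001", "seq": 1, "time": "10:02:11", "src": "10.1.2.3",
     "dst": "203.0.113.10", "service": "http", "action": "accept", "rule": 3},
    {"luuid": "4f2a-0002", "seq": 1, "time": "10:02:12", "src": "10.1.2.9",
     "dst": "203.0.113.10", "service": "telnet", "action": "drop", "rule": 9},
    {"luuid": "4f2a-0001", "seq": 3, "time": "10:02:25", "bytes": 8412, "elapsed": "00:00:14"},
    {"luuid": "4f2a-0001", "seq": 2, "time": "10:02:11", "xlatesrc": "198.51.100.3"},
    {"luuid": "4f2a-0001", "seq": 4, "time": "10:02:25", "action": "accept"},  # agrees with seq 1
]


def unify(fragments):
    """Merge fragments that share a LUUID into one record per connection.
    Fragments are applied in sequence order, so arrival order does not matter.
    Returns (records, conflicts): records maps LUUID -> merged dict, in order of first
    appearance; conflicts lists (luuid, field, kept, ignored) where two fragments
    disagreed on a field. The earliest sequence number wins."""
    by_luuid = OrderedDict()
    for frag in fragments:
        by_luuid.setdefault(frag["luuid"], []).append(frag)
    records, conflicts = OrderedDict(), []
    for luuid, frags in by_luuid.items():
        record = {"luuid": luuid, "fragments": len(frags)}
        for frag in sorted(frags, key=lambda f: f["seq"]):
            for key, value in frag.items():
                if key in ("luuid", "seq"):
                    continue
                if key == "time":
                    record.setdefault("time", value)  # earliest timestamp is the entry's time
                    record["last_time"] = value
                elif key in record and record[key] != value:
                    conflicts.append((luuid, key, record[key], value))
                else:
                    record[key] = value
        records[luuid] = record
    return records, conflicts


def log_viewer_rows(records):
    """One row per connection, in the column order a Log Viewer might display."""
    cols = ("time", "src", "dst", "service", "action", "rule", "xlatesrc", "bytes")
    return [[rec.get(c, "") for c in cols] for rec in records.values()]


if __name__ == "__main__":
    recs, conf = unify(FRAGMENTS)
    for row in log_viewer_rows(recs):
        print(row)
    print("conflicts:", conf)
```

The five constructed fragments collapse into two rows, one per LUUID; the accept verdict, the NAT-translated source and the byte count from three different fragments all land on the same entry. The conflict list is the defender's detail: a fragment that contradicts an earlier one for the same connection is worth surfacing rather than merging over.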
    112. Module 4: Log Viewer
         Log Viewer logon
         • Select Window > Log Viewer from the Security Policy main menu
         Data (column) fields
         • The administrator can specify which of the available data fields (columns) to display
         Column menu
         • Right-clicking anywhere in a column of the Log Viewer invokes the column menu
    113. Module 4: Log Viewer Toolbar Buttons
    114. Module 4: Log Viewer
         Log types
         • There are seven types of log which can be displayed from the toolbar:
           - general predefined selection
           - firewall-1 predefined selection
           - account predefined selection
           - FloodGate-1 predefined selection
           - SecureClient predefined selection
           - UA WebAccess predefined selection
    115. Module 4: Log Viewer
         Log Viewer mode
         • There are three different predefined selection views:
           - log mode
           - active mode
           - audit mode
    116. Module 4: Log Viewer (continued)
         Log file management
         • The File menu allows the administrator to perform the following tasks:
           - Log Switch
           - Open
           - Save As
           - Purge
           - Print
           - Export
    117. Module 4: Configuring the Security Policy for Logging
         System-wide logging and alerting
         • The Global Properties window allows an administrator to define system-wide logging and alert parameters for options such as:
           - VPN successful key exchange
           - VPN packet handling errors
           - VPN configuration and key exchange errors, etc.
    118. Module 4: Blocking Connections
         Terminating a connection with Block Intruder
         • It is possible to block an active connection using the source IP address
         • The scope of the blocked connection can be:
           - block only this connection
           - block access from this source
           - block access to this destination
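The three scopes on slide 118 differ in how much of the active connection's 5-tuple is retained in the block entry: all of it, only the source, or only the destination. The Python below is an added example, written for this page and not the product's own blocking code, that derives a block entry from a connection and a scope and then checks which later connections it would stop; the connection tuples are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class BlockEntry:
    """A block request derived from an active connection and one of the three scopes.
    A field left as None is a wildcard."""
    scope: str  # "this_connection" | "from_source" | "to_destination"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, conn):
        pairs = ((self.src, conn.src), (self.dst, conn.dst),
                 (self.dport, conn.dport), (self.proto, conn.proto))
        return all(expected is None or expected == actual for expected, actual in pairs)


def block_intruder(conn, scope):
    """Build the block entry for the chosen scope (the three options on the slide)."""
    if scope == "this_connection":
        return BlockEntry(scope, conn.src, conn.dst, conn.dport, conn.proto)
    if scope == "from_source":
        return BlockEntry(scope, src=conn.src)
    if scope == "to_destination":
        return BlockEntry(scope, dst=conn.dst)
    raise ValueError(f"unknown scope {scope!r}")


def first_block(entries, conn):
    """Return the entry that blocks conn, or None if no entry matches it."""
    return next((e for e in entries if e.matches(conn)), None)


# Constructed active connection selected in the Log Viewer, plus later attempts.
INTRUDER = Connection("203.0.113.66", "10.1.2.3", 23)
LATER = [
    Connection("203.0.113.66", "10.1.2.3", 23),   # same connection again
    Connection("203.0.113.66", "10.1.2.7", 80),   # same source, other target
    Connection("198.51.100.9", "10.1.2.3", 22),   # other source, same target
]

if __name__ == "__main__":
    for scope in ("this_connection", "from_source", "to_destination"):
        entry = block_intruder(INTRUDER, scope)
        print(scope, [first_block([entry], c) is not None for c in LATER])
```

Against the three constructed follow-up connections, "block only this connection" stops just the first, "block access from this source" stops the first two, and "block access to this destination" stops the first and third; the widest scope also carries the most collateral risk, since it stops legitimate clients of that destination as well.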
    119. Module 4: Block Intruder
    120. Module 4: Status Manager
         • Status Manager Logon
         • Working with the Status Manager Interface
         • Modules View
         • Module Status
         • Product Details Windows
         • Critical Notifications
    121. Module 4: Checking VPN-1/FireWall-1 NG Status in the Status Manager
    122. Module 4: Review
         • Summary
         • Review Questions
    123. Module 4: Review Question #1: What are the three display modes of Log Viewer? Log, Audit, Active.
    124. Module 4: Review Question #2: What are the three blocking scope options and their uses? Block only this connection; block access from this source IP; block access to this destination.
    125. Module 4: Review Question #3: What option could you use to block an intruder whose connection ID is known? Block Request.
    126. Module 5: Authentication Parameters: User, Client, and Session Authentication
    127. Module 5: Introduction
         Objectives
         • Demonstrate how to implement authentication
         • Demonstrate the process of creating users and groups
         • Demonstrate the setup of authentication parameters
    128. Module 5: Introduction
         Objectives (continued)
         • Demonstrate how to implement user authentication, using various authentication schemes
         • List the types of services supported by VPN-1/FireWall-1 NG that require a user name and password
         • Demonstrate how to implement client authentication
         • Demonstrate how to implement session authentication
    129. Module 5: Key Terms
         • User Authentication
         • Client Authentication
         • Session Authentication
         • Session Authentication Agent
    130. Module 5: Understanding Authentication
         User Authentication
         • Grants access on a per-user basis
         • Can be used for Telnet, FTP, RLOGIN, HTTP
         • Requires separate authentication for each connection
    131. Module 5: Understanding Authentication
         Session Authentication
         • Requires authentication for each connection
         • Can be used with any service
         • Requires a Session Authentication Agent
    132. Module 5: Understanding Authentication
         Client Authentication
         • Grants access on a per-host basis
         • Allows connections for a specific IP address after successful authentication
         • Can be used for any number of connections
         • Can be used for any service
         • Most commonly used authentication method
    133. Module 5: Understanding Authentication
         Authentication schemes
         • S/Key
         • OS Password
         • VPN-1/FireWall-1 Password
         • SecurID
         • RADIUS
         • Axent Defender
         • TACACS
    134. Module 5: User Authentication Overview
         • User authentication is provided by the security servers on the gateway
         • When a rule specifies user authentication, the corresponding security server is invoked (TELNET, FTP, HTTP and RLOGIN)
         • If authentication is successful, the security server opens a separate connection to the target server
    135. Module 5: Defining User Templates
    136. Module 5: Defining Users from Templates
    137. Module 5: Set Up Authentication Parameters
    138. Module 5: HTTP User Authentication with a VPN-1 & FireWall-1 Password
    139. Module 5: Telnet User Authentication with a VPN-1 & FireWall-1 Password (Optional)
    140. Module 5: FTP User Authentication with a VPN-1 & FireWall-1 Password (Optional)
    141. Module 5: Client Authentication
         How Client Authentication works
         • Enables administrators to grant access privileges to a specific IP address
         • Authentication is by username and password, but access is granted to the host machine (IP)
         • Can be used for any number of connections, for any service, for any length of time
    142. Module 5: Client Authentication
    143. Module 5: Sign On Methods
         Source field
         • The Sources field in the User Properties window may specify that the user is not allowed access from the source address, while the rule allows access. This field specifies how to resolve that conflict.
         Destination field
         • The Destination field in the User Properties window may specify that the user is not allowed access to the destination address, while the rule allows access. This field specifies how to resolve that conflict.
    144. Module 5: Sign On Methods
         Required Sign On
         • Standard Sign On: the user is allowed to use all the services permitted by the rule for the authorisation period
         • Specific Sign On: only connections that match the original connection are allowed without additional authentication
    145. Module 5: Sign On Methods
         Sign On method
         • Manual: the user has to initiate Client Authentication by
           - telnet to port 259
           - HTTP to port 900
         • Partially Automatic Client Authentication
         • Fully Automatic Client Authentication
         • Agent Automatic Sign On
         • Single Sign On
    146. Module 5: Sign On Methods
         Successful Authentication Tracking
         • Logging option for Client Authentication attempts for the session
    147. Module 5: Client Authentication
    148. Module 5: Additional Features of Single Sign On
         Single Sign On for multiple users
         • A privileged user can sign on and off on behalf of other users
         User Authority SecureAgent
         • Extends UA capabilities to the LAN by having the SecureAgent on the desktop
    149. Module 5: Single Sign On Example Network
         A user on Localnet would normally TELNET to port 259 on London and authenticate, then request access to BigBen. With the Single Sign On system extension, another user can open the connection to BigBen in advance on behalf of a user on Localnet.
    150. Module 5: Additional Features of Client Authentication
         Redirection of HTTP requests according to the Host header
         • It is possible to configure FireWall-1 to complete the connection according to the destination specified in the HTTP Host header
         • Used when several HTTP hosts share the same virtual IP address
    151. Module 5: Additional Features of Client Authentication
         Authorizing all Standard Sign On rules
         • FireWall-1 will automatically open all standard rules after successful authentication through partially or fully automatic sign on
         • If a user successfully authenticates according to an automatic sign on rule, all Standard Sign On rules which specify that user and source are opened
    152. Module 5: Session Authentication Overview
         How Session Authentication works
         • Based on a pre-session authentication method
         • Can be integrated with any application
         • The Check Point Session Authentication Agent must be loaded on the client machine
         • Authentication is performed by the daemon module
    153. Module 5: Session Authentication
         1. The user initiates a connection directly to the server
         2. The FireWall-1 Inspection Module intercepts the connection and connects to the Session Authentication Agent
         3. The Session Agent prompts for authentication data and returns it to the Inspection Module
         4. If successful, the FireWall-1 module allows the connection to pass through the gateway
    154. Module 5: Session Authentication
    155. Module 5: Review
         • Summary
         • Review Questions
    156. Module 5: Review Question #1: What are the three types of VPN-1/FireWall-1 NG authentication? User Authentication, Client Authentication, Session Authentication.
    157. Module 5: Review Question #2: When you want a user to authenticate once and then be able to use any service until logging off, which authentication type would you use? Client Authentication.
    158. Module 5: Review Question #3: When defining user authentication, where do you add the authentication rule: above or below the stealth rule? Below the stealth rule.
    159. Module 5: Review Question #4: What is the advantage of using session authentication over client authentication and user authentication? The advantage session authentication has over user authentication is that session authentication can be used with any service. The advantage session authentication has over client authentication is that the user is prompted automatically with session authentication, whereas client authentication involves a manual process the user has to remember.
    160. Module 5: Review Question #5: Why would the client authentication rule need to be placed above the stealth rule? Client authentication requires a connection made to the firewall, which the stealth rule prevents, so either the client authentication rule must be above the stealth rule to allow the connection, or a rule must be placed above the client authentication rule that allows connections to port 259/900 on the firewall.
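Slides 78 to 81 (first-match evaluation, the Cleanup Rule and the Stealth Rule) and Review Question #5 above are two views of the same mechanism: because the first matching rule wins, a Client Authentication rule placed below the Stealth Rule can never fire, since the manual sign-on connection to port 259 on the gateway matches the Stealth Rule first. The Python below is one added example serving both passages; it is written for this page, not taken from the course lab or the product. The objects Gateway, LocalNet and WebServer, their addresses, and the service names clntauth_telnet (tcp/259) and clntauth_http (tcp/900) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed network objects and services (this example's names, not the course lab's).
OBJECTS = {
    "Gateway": "192.0.2.1/32",
    "LocalNet": "10.1.0.0/16",
    "WebServer": "203.0.113.10/32",
}
SERVICES = {  # name -> (protocol, port); only the names are matched below
    "http": ("tcp", 80),
    "telnet": ("tcp", 23),
    "clntauth_telnet": ("tcp", 259),  # manual Client Authentication sign-on (slide 145)
    "clntauth_http": ("tcp", 900),
}


@dataclass
class Rule:
    no: int
    source: str
    destination: str
    service: str
    action: str
    track: str = "None"
    comment: str = ""


def _addr_matches(field, ip):
    return field == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[field])


def _service_matches(field, service):
    return field == "Any" or field == service


def evaluate(rules, src, dst, service):
    """First-match evaluation of an explicit Rule Base. Returns the matching rule number,
    the action taken and whether the connection is logged. A connection that matches no
    rule is dropped by the implicit drop without a log entry; the Cleanup Rule exists to
    make exactly those drops visible."""
    for rule in rules:
        if (_addr_matches(rule.source, src) and _addr_matches(rule.destination, dst)
                and _service_matches(rule.service, service)):
            return {"rule": rule.no, "action": rule.action, "log": rule.track == "Log"}
    return {"rule": None, "action": "drop", "log": False}


def build_rule_base(client_auth_above_stealth, with_cleanup=True):
    """Stealth Rule, Client Authentication rule, one service rule and an optional Cleanup Rule,
    numbered in the order they will be evaluated."""
    stealth = Rule(0, "Any", "Gateway", "Any", "drop", "Log", "Stealth Rule")
    client_auth = Rule(0, "LocalNet", "Gateway", "clntauth_telnet", "Client Auth", "Log",
                       "manual sign-on to port 259")
    rules = [client_auth, stealth] if client_auth_above_stealth else [stealth, client_auth]
    rules.append(Rule(0, "LocalNet", "WebServer", "http", "accept"))
    if with_cleanup:
        rules.append(Rule(0, "Any", "Any", "Any", "drop", "Log", "Cleanup Rule"))
    for number, rule in enumerate(rules, 1):
        rule.no = number
    return rules


if __name__ == "__main__":
    signon = ("10.1.5.5", "192.0.2.1", "clntauth_telnet")  # constructed LocalNet host signing on
    for above in (False, True):
        rules = build_rule_base(client_auth_above_stealth=above)
        print("client auth above stealth:", above, "->", evaluate(rules, *signon))
    rules = build_rule_base(False)
    print("telnet to WebServer:", evaluate(rules, "10.1.5.5", "203.0.113.10", "telnet"))
    print("same, no cleanup rule:", evaluate(build_rule_base(False, with_cleanup=False),
                                             "10.1.5.5", "203.0.113.10", "telnet"))
```

With the Stealth Rule first, the sign-on to port 259 is dropped and logged by rule 1 and the Client Authentication rule is dead; swapping the two rules makes the same connection reach the "Client Auth" action, while any other service aimed at the gateway still hits the Stealth Rule. The last two lines show why the Cleanup Rule is worth keeping: without it the telnet attempt is still dropped, but nothing is logged.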
    161. Module 6: Network Address Translation
    162. Module 6: Introduction. Objectives:  list the reasons and methods for Network Address Translation  demonstrate how to set up Static NAT  demonstrate how to set up Dynamic (Hide) NAT  describe basic network configurations using NAT
    163. Module 6: Key Terms. Network Address Translation (NAT); Static Source NAT; Static Destination NAT; Dynamic (Hide) NAT; Automatic and Manual NAT rules; Address Resolution Protocol (ARP)
    164. Module 6: Network Address Translation. NAT conceals internal computers from outside networks. As a component of VPN-1/FireWall-1 it is used for three things:  to make use of private IP addresses on the internal network  to limit external network access for security reasons  to give ease and flexibility to network administration
    165. Module 6: NAT IP Addressing  RFC 1918 details the reserved address groups  Class A network numbers – –  Class B network numbers – –  Class C network numbers – –
    166. Module 6: Network Security  an additional benefit of NAT is increased network security  an internal host can connect both inside and outside the intranet  an unknown external host cannot connect to an internal host  external connections with a spoofed internal address are recognised and prevented from gaining access  internal public servers are made available by inbound mapping of well-known TCP ports to specific internal addresses
    167. Module 6: Network Administration  VPN-1/FireWall-1 supports two types of NAT: Static NAT and Dynamic (Hide) NAT. Static NAT  translates each private address to a corresponding public address  has two modes, static source and static destination
    168. Module 6: Static Source NAT  translates private internal source IP addresses to public external source IP addresses  used for connections initiated by internal clients with private IP addresses
    169. Module 6: Static Source NAT
    170. Module 6: Address Translation Using Static Source Mode
    171. Module 6: Static Destination NAT  translates public addresses to private addresses  used for connections initiated by external clients
    172. Module 6: Address Translation Using Static Destination Mode
    173. Module 6: Address Translation Using Static Destination Mode
    174. Module 6: Dynamic (Hide) NAT  used for connections initiated by hosts in an internal network whose IP addresses are private  private internal addresses are hidden behind a single public external address  dynamically assigned port numbers are used to distinguish between them
    175. Module 6: Dynamic NAT
    176. Module 6: Dynamic (Hide) NAT (Ctd.)  in hide mode the packets’ source port numbers are modified  the internal destination of a returning packet is determined by the port number  port numbers are dynamically assigned from two pools:  from 600 to 1023  from 10,000 to 60,000  hide mode cannot be used for protocols where the port number cannot be changed or where the original IP address is required
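The static source, static destination and hide-mode slides above describe three translation mechanics. The following is an added example, not Check Point code and not part of the course: a toy translation engine that applies each of them to constructed packets, so the difference between a one-to-one static mapping (ports untouched) and hide mode (one address, replies demultiplexed by the rewritten source port) can be seen on real values. Addresses and packets are made up; the port pools 600-1023 and 10,000-60,000 are the ones the slide names, and the "protocol with no port number" case models the slide's restriction that hide mode needs a changeable port.

```python
"""Constructed example (not Check Point code): static source, static
destination and hide-mode translation applied to made-up packets."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# The two hide-mode port pools named in the course notes.
HIDE_PORT_POOLS = (range(600, 1024), range(10_000, 60_001))


@dataclass(frozen=True)
class Packet:
    src: str
    sport: Optional[int]   # None for protocols that carry no port number
    dst: str
    dport: Optional[int]
    proto: str = "tcp"


def allocate_port(used: Set[int]) -> int:
    """Hand out the lowest free hidden port, taking the 600-1023 pool first
    and the 10,000-60,000 pool once the first is exhausted."""
    for pool in HIDE_PORT_POOLS:
        for port in pool:
            if port not in used:
                return port
    raise RuntimeError("hide port pools exhausted")


# Static NAT: one private address maps to one public (valid) address; ports are untouched.
def static_source(pkt: Packet, private_to_public: Dict[str, str]) -> Packet:
    """Outbound connection from an internal client: rewrite the source address only."""
    return replace(pkt, src=private_to_public.get(pkt.src, pkt.src))


def static_destination(pkt: Packet, private_to_public: Dict[str, str]) -> Packet:
    """Inbound connection to the valid address: rewrite the destination address only."""
    public_to_private = {pub: priv for priv, pub in private_to_public.items()}
    return replace(pkt, dst=public_to_private.get(pkt.dst, pkt.dst))


class HideNat:
    """Hide mode: every internal host is hidden behind one address, and the
    rewritten source port is the only thing that tells replies apart."""

    def __init__(self, hide_address: str):
        self.hide_address = hide_address
        # (proto, private src, original sport) -> hidden port
        self.forward: Dict[Tuple[str, str, int], int] = {}
        # (proto, hidden port) -> (private src, original sport)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # Course restriction: hide mode needs a port number it can change.
            raise ValueError(f"{pkt.proto} carries no port to rewrite; hide mode not possible")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.forward:   # new connection: take a port from the pools
            used = {port for (proto, port) in self.reverse if proto == pkt.proto}
            port = allocate_port(used)
            self.forward[key] = port
            self.reverse[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.hide_address, sport=self.forward[key])

    def inbound(self, pkt: Packet) -> Packet:
        """Reply from outside: the destination port alone selects the internal host."""
        try:
            src, sport = self.reverse[(pkt.proto, pkt.dport)]
        except KeyError:
            raise LookupError("no translation for this reply; the gateway would drop it") from None
        return replace(pkt, dst=src, dport=sport)


if __name__ == "__main__":
    mapping = {"10.0.0.10": "203.0.113.10"}            # constructed static mapping
    print(static_source(Packet("10.0.0.10", 5000, "198.51.100.7", 25), mapping))
    print(static_destination(Packet("198.51.100.7", 5000, "203.0.113.10", 25), mapping))
    hide = HideNat("203.0.113.1")                         # constructed hide address
    out = hide.outbound(Packet("10.0.0.5", 40000, "198.51.100.7", 80))
    print(out)                                            # source becomes 203.0.113.1:600
    print(hide.inbound(Packet("198.51.100.7", 80, "203.0.113.1", out.sport)))
```

Two hosts that both pick source port 40000 collide on nothing, because the hidden port, not the original one, is what the gateway stores; that is also why a reply to a port the table does not know is dropped rather than guessed at.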
    177. Module 6: Hide Mode Address Translation
    178. Module 6: Hiding Behind  if the administrator specifies as the hide address, all clients are hidden behind the firewall’s server-side interface
    179. Module 6: Hiding Behind
    180. Module 6: Automatic and Manual NAT Rules. NAT Rules  NAT rules consist of two elements:  the conditions that specify when the rule is to be applied  the action to be taken when the rule is applied  each section of the NAT Rule Base Editor is divided into Source, Destination and Service
    181. Module 6: Automatic and Manual NAT Rules. NAT Rules  the action is always the same:  translate the source under Original Packet to the source under Translated Packet  translate the destination under Original Packet to the destination under Translated Packet  translate the service under Original Packet to the service under Translated Packet
    182. Module 6: Network Address Translation Properties  several properties can be applied to automatically generated NAT rules  these are enabled by default in new installations but disabled by default when upgrading from previous versions  they are configured on the Network Address Translation page of the Global Properties window: IP Pools, IP Pool NAT Track, Address Translation and Routing
    183. Module 6: Network Address Translation Properties (Ctd.)  Allow bi-directional NAT  the firewall checks all of the rules to see whether the source matches one rule and the destination matches another  it takes the first matching source rule and the first matching destination rule and applies both concurrently
    184. Module 6: Network Address Translation Properties (Ctd.)  Translate destination on client side  prior versions of FireWall-1 performed NAT on the server side, which required special anti-spoofing and internal routing configuration  Automatic ARP configuration  the ARP tables on the gateway are configured automatically, so that ARP requests for a NATed machine, network or address range are answered by the gateway
    185. Module 6: IP Pools  a range of IP addresses routable to a gateway  encrypted connections opened to a host have their source IP address replaced by an address from the IP Pool  the pool addresses must be routable back to the gateway
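The NAT Rule Base slides above describe rules as Original (Source, Destination, Service) conditions with a fixed action, and the "Allow bi-directional NAT" property as applying the first matching source rule and the first matching destination rule together. The following is an added example, not Check Point code and not part of the course, that models exactly that selection logic over a constructed rule base: the pair of rules an object with static NAT generates, the single rule a hidden network generates, and the difference between first-match and bi-directional evaluation for an internal client connecting to a server's valid address. Object names, networks and addresses are made up; port allocation for the hide rule is left to the hide engine and not shown here.

```python
"""Constructed example (not Check Point code): selection and application of
NAT Rule Base rules, with and without the bi-directional NAT property.
None in a Translated column stands for 'Original' (column left unchanged)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: int   # the destination port stands in for the Service column


@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: Optional[str]    # Original Packet conditions: CIDR network, None = Any
    orig_dst: Optional[str]
    orig_svc: Optional[int]
    xlate_src: Optional[str]   # Translated Packet columns: None = Original
    xlate_dst: Optional[str]
    xlate_svc: Optional[int]

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return (in_net(pkt.src, self.orig_src) and in_net(pkt.dst, self.orig_dst)
                and (self.orig_svc is None or pkt.service == self.orig_svc))


def automatic_static_rules(obj: str, private: str, public: str) -> List[NatRule]:
    """The rule pair generated for a host object with static NAT: one that
    translates the source on outbound traffic, one that translates the
    destination on inbound traffic to the valid address."""
    return [
        NatRule(f"{obj} static source", f"{private}/32", None, None, public, None, None),
        NatRule(f"{obj} static destination", None, f"{public}/32", None, None, private, None),
    ]


def automatic_hide_rule(obj: str, network: str, hide_address: str) -> NatRule:
    """The single rule generated for a network object hidden behind one address."""
    return NatRule(f"{obj} hide", network, None, None, hide_address, None, None)


def _apply_source(rule: NatRule, pkt: Packet) -> Packet:
    return replace(pkt, src=rule.xlate_src) if rule.xlate_src else pkt


def _apply_destination(rule: NatRule, pkt: Packet) -> Packet:
    pkt = replace(pkt, dst=rule.xlate_dst) if rule.xlate_dst else pkt
    return replace(pkt, service=rule.xlate_svc) if rule.xlate_svc else pkt


def apply_nat(rules: List[NatRule], pkt: Packet, bidirectional: bool) -> Tuple[Packet, List[str]]:
    """Return the translated packet and the names of the rules that were used.

    Without bi-directional NAT only the first matching rule is applied. With
    it, the first matching rule that translates the source and the first
    matching rule that translates the destination are applied together."""
    matching = [r for r in rules if r.matches(pkt)]
    if not matching:
        return pkt, []
    if not bidirectional:
        rule = matching[0]
        return _apply_destination(rule, _apply_source(rule, pkt)), [rule.name]
    src_rule = next((r for r in matching if r.xlate_src), None)
    dst_rule = next((r for r in matching if r.xlate_dst or r.xlate_svc), None)
    applied: List[str] = []
    if src_rule:
        pkt = _apply_source(src_rule, pkt)
        applied.append(src_rule.name)
    if dst_rule:
        pkt = _apply_destination(dst_rule, pkt)
        applied.append(dst_rule.name)
    return pkt, applied


# Constructed NAT Rule Base: an internal network hidden behind the gateway's
# external address, plus a web server with static NAT.
RULEBASE = [automatic_hide_rule("internal", "10.1.0.0/16", "203.0.113.1"),
            *automatic_static_rules("web", "10.2.0.10", "203.0.113.10")]

if __name__ == "__main__":
    # Internal client talking to the server's valid (public) address: the
    # classic case where only one of the two applicable rules is used unless
    # bi-directional NAT is allowed.
    pkt = Packet("10.1.5.5", "203.0.113.10", 80)
    print(apply_nat(RULEBASE, pkt, bidirectional=False))
    print(apply_nat(RULEBASE, pkt, bidirectional=True))
```

With the property off, the hide rule matches first, the destination stays the valid address and the packet never reaches the server's private address; with it on, the hide rule and the server's static destination rule are applied concurrently, which is the behaviour the slide describes.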
    186. Module 6: Address Translation Example: Gateway with Two Interfaces. Routing  the router routes IP addresses in the network to the gateway  the gateway routes IP address to the internal interface (  the gateway routes IP addresses through to the internal interface (
    187. Module 6: Gateway with Two Interfaces
    188. Module 6: Address Translation Example: Gateway with Three Interfaces. Routing  ensure the router routes IP addresses in the network to the gateway  the gateway should be able to route IP addresses to the internal interface (
    189. Module 6: Gateway with Three Interfaces
    190. Module 6: Address Translation Example: Two Networks Statically Translated
    191. Module 6: Two Networks Statically Translated
    192. Module 6: Address Translation and Anti-Spoofing  anti-spoofing is performed correctly for automatically generated NAT rules (provided it is allowed in the Global Properties)  there will be a conflict between anti-spoofing and NAT if NAT takes place on the server side  to correct the problem, add the translated (i.e. the valid) address to the public addresses on the internal interface
    193. Module 6: Static NAT
    194. Module 6: Hide NAT
    195. Module 6: Review. Summary; Review Questions
    196. Module 6: Review Question #1: What is NAT? Replacing one IP address in a packet with a different IP address.
    197. Module 6: Review Question #2: What is the reason for using NAT, as related to IP addressing? To conceal the network’s internal IP addresses from the Internet; to translate private addresses to public addresses, and back.
    198. Module 6: Review Question #3: What is the NAT Rule Base? The automatically generated and manually entered NAT rules.