checkpoint

VPN-1/FireWall-1 NGManagement I

VPN-1/FireWall-1 NGManagement I Course Description Objectives  Identify the basic components of VPN-1/FireWall-1 NG  Successfully configure VPN-1/FireWall-1 NG (NT and/or Solaris)  Identify the VPN-1/FireWall-1 NG elements that you will need to manage  Successfully create and manage management objects  Demonstrate how to use the: Security Policy, Log Viewer, and System Status  Successfully apply NAT rules  Successfully demonstrate the ability to authenticate users

VPN-1/FireWall-1 NGManagement I Course Layout Course Requirements Prerequisites Check Point Certified Security Administrator (CCSA)

Course Requirements The course is geared towards System administators Support analysts Network engineers

Pre-requisites Each delegate should have : General knowledge of tcp/ip Working knowledge of Windows and/or Unix Working knowledge of network technology Working knowledge of the Internet

Checkpoint Certified SecurityAdministator (CCSA) The exam is wide ranging and covers all aspects of Checkpoint Firewall 1 NG. Some of the topics can be found on pages 2-3, however all documentation covered on the course CD should be reviewed including PDFs

VPN-1/FireWall-1 NGManagement I Course Map Module 1: VPN-1/FireWall-1 NG Architecture Module 2: Security Policy Rule Base and Properties Setup Module 3: Advanced Security Policy Module 4: Log Management Module 5: Authentication Parameters: User, Client, and Session Authentication

VPN-1/FireWall-1 NGManagement I Course Map-continued Module 6: Network Address Translation

VPN-1/FireWall-1 NGManagement I Lab Setup Lab Topology IP Addresses Lab Terms Lab Stations

VPN-1/FireWall-1 NGManagement I Lab Topology

VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Management Client  Platform : Windows 9x, ME, NT 4.0, Windows 2000 Pro.  Disk Space : 40 Mbytes  Memory : 128 Mbytes  Network I/f : All interfaces supported : by Operating System

VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Firewall-1 NG FP2 Modules on Windows Platform  OS : Windows NT and Windows 2000  Processor : Intel Pentium II 300+ MHz or equivalent  Disk Space : 40 Mbytes  Memory : 128 Mbytes  Network I/F : All interfaces supported : by Operating System

VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Management Server or Firewall-1 Module on Solaris  OS : Solaris 7 (SunOS 5.7) Solaris 8 (SunOS 5.8)  CPU Architecture Solaris 7 - 32 Bit mode Solaris 8 – 32 Bit & 64 Bit mode  Disk Space : 40Mbytes (software installation only)  Memory : 128 Mbytes  CPU : 360 MHz  Required OS : Check latest release notes Patches for requd. patches

VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Management Server or Firewall-1 Module on a Linux Platform  OS : Red Hat Linux 6.2 and 7.0  CPU Architecture 32 bit and 64 bit  Disk Space : 40 Mbytes  Memory : 128 Mbytes  CPU : Intel Pentium II 300+ MHz

Module 1: VPN-1/FireWall-1 NG Architecture

Module 1: Introduction Objectives  Describe the purpose of a firewall  Describe and compare firewall architectures  Identify the different components of VPN-1/FireWall-1 NG

Module 1 Key Terms Firewall Packet Filtering Application Layer Gateway (Proxy) Client/Server Model Stateful Inspection Management Client Secure Internal Communication (SIC) Virtual Private Network (VPN) Secure Virtual Network (SVN)

Module 1: Check Point Product Overview  Securing the Internet  An emerging requirement  Securing Networks, Systems, Application and Users

Module 1 Secure Virtual Network (SVN) is a true security architecture Integrates multiple capabilities, including  firewall security, VPNs, IP address management etc, all within a common management framework enables security to be defined and enforced in a single policy incorporating all aspects of network security

Module 1 Emerging requirements To enjoy benefits of an eBusiness model a robust security infrastructure needs to be deployed Integrating the security infrastructure with application environment  providing full security for eBusiness  allowing easily established and maintained trusted relationships

Module 1 SVN Architecture designed to meet the challenges of eBusiness connects the four elements common to any enterprise network  Networks  Systems  Applications  Use

Module 1: SVN Diagram

Module 1: VPN-1/FireWall-1 Key component of SVN architecture  Access Control  User Authentication  Network Address Translation (NAT)  Virtual Private Networking  High Availability  Content Security  Auditing and Reporting  LDAP-based user management

Module 1: VPN-1/FireWall-1-continued  Intrusion Detection  Malicious Activity Detection  Third-party Device Management  High Availability and Load Sharing

Module 1: Internet Firewall Technologies A firewall is a system designed to  prevent unauthorised access to or from a secured network  act as a locked security door between internal and external networks  data meeting certain criteria will be allowed through However, note that a firewall can only protect a network from traffic filtered through it

Module 1 Stateful Inspection Technology invented by CheckPoint Software Technologies utilises the INSPECT Engine  Programmable using the INSPECT language  Provides for system extensibility  Dynamically loaded into the OS kernel  Intercepts and inspects all inbound and outbound packets on all interfaces  Verifies that packets comply with the security policy

Module 1: Firewall Technologies Packet Filters Application-Layer Gateway Stateful Inspection VPN-1/FireWall-1 NG Enforcement Module INSPECT Language VPN-1/FireWall-1 NG Advantages

Module 1: Packet Filtering Path in the OSI Model

Module 1: Packet Filter FTP Example

Module 1: Application-Layer Gateway Path

Module 1: VPN-1/FireWall-1 NG Enforcement Module

Module 1: How VPN-1/FireWall-1 NG FP-1 Works INSPECT Allowing Packets  if a packet passes inspection,the Firewall Module passes packets through the TCP/IP stack to their destination  if packets are destined for the OS local processes, are inspected then passed through the TCP/IP stack  if packets do not pass inspection, they are rejected, or dropped and logged.

Module 1: INSPECT Module Flow

Module 1: VPN-1/FireWall-1 NG Architecture The Policy Editor Management Module VPN-1/FireWall-1 NG Enforcement Module SVN Foundation

Module 1: Check Point Policy Editor

Module 1 Management Module security policy is defined using the policy editor on the Management client it is then saved to the Management module Management Module maintains FW-1 NG databases including  network object definitions  user definitions  security policy  log files

Module 1 VPN-1/Firewall-1 NG Enforcement Module deployed on the Internet gateway an Inspection script written in INSPECT is generated from the security policy inspection code is compiled from the script and downloaded to the enforcement module

Module 1 SVN Foundation CheckPoint SVN Foundation NG (CPShared) is the Operating System integrated with every CheckPoint product All CheckPoint products use the CPOS services via CPShared The SVN Foundation includes :  Secure Internal Communications (SIC)  CheckPoint registry  CPShared daemon  Watch Dog for critical services  Cpconfig  License utilities  SNMP daemon

Module 1: Secure Internal Communication (SIC) Communication Components Security Benefits SIC Certificates Communication Between Management Modules and Components Communication Between Management Modules and Management Clients

Module 1 Communication Components SIC secures communication between CheckPoint SVN components such as  management modules  management clients  VPN-1/Firewall 1 NG modules  customer log modules  SecureConnect modules  policy servers  OPSEC applications

Module 1 Security Benefits of SIC confirms a management client connecting to a management modules is authorised verifies that a security policy loaded on a firewall module came from an authorised management module SIC ensures that data privacy and integrity is maintained

Module 1 SIC Certificates SIC for CheckPoint VPN uses certificates for authentication and standards-based SSL for encryption enables each CheckPoint enabled machine to be uniquely identified certificates are generated by the Internal Certificate of Authority (ICA) on the Management module a unique certificate is generated for each physical machine

Module 1 Communication between Management Modules and Components the ICA automatically creates a certificate for the Management module during installation certificates for other modules are created via a simple initialisation from the Management Client upon initialisation, the ICA creates, signs and delivers a certificate to the communication component

Module 1 Communication between Management Modules and Management Clients the management client must be defined as authorised when invoking the Policy Editor on the Management client, the user is asked :  to identify themselves  specify the IP address of the Management Module the Management Client then initiates an SSL based connection the Management Module verifies the Client’s IP address Management Module sends back it’s certificate

Module 1: Distributed VPN-1/FireWall-1 NG configuration showing the components with certificates

Module 1: Distributed Client/Server Configuration

Module 1: Review Summary Review Questions

Module 1: Review Question #1: What is Stateful Inspection? Class Discussion

Module 1: Review Question #2: Why is Stateful Inspection more reliable than packet filtering and application layer gateways for protecting networks? Class Discussion

Module 1: Review Question #3: What process does VPN-1/FireWall-1 NG use to accept, drop, or reject packets? The NG Enforcement Module

Module 1: Review Question #4: What three components make up VPN-1/FireWall-1 NG? The Policy Editor The Management Server The Enforcement Point

Module 1a Installation of VPN-1/Firewall-1 module Installation of Management Module Installation of Management Client

Module 1a: Pre-installation Configuration Network Configuration  ensure network is properly configured (especially, routing)  on WinNT & Solaris enable IP routing/forwarding  for WinNT, disable the NetBUI protocol (not an IP protocol so not intercepted by Firewall-1)  environment variables are set automatically (via the installation wrapper) on WinNT, Win2000 & Solaris

Module 1a: VPN-1/FireWall-1 NG Client-Server Configuration  a distributed installation is supported

Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Windows NT Server

Module 1a: Lab 1a:

Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Sun Solaris

Module 1a: Lab 2a:

Module 1a: Installing VPN-1/FireWall-1 NG Management Client on Windows NT

Module 1a: Lab 3a:

Module 2: Security Policy Rule Base and Properties Setup

Module 2: Introduction Objectives  Explain the function and operation of a Security Policy.  Demonstrate the creation of network objects and groups, using the Management Client.  Demonstrate the setup of anti-spoofing on the firewall.  Demonstrate the setup and operation of an active Security Policy.

Module 2 Key Terms Security Policy Rule Base Rule Base Elements spoofing anti-spoofing implicit rules explicit rules implicit-drop rule

Module 2: Security Policy Defined What is a Security Policy?  a set of rules that defines network security Considerations  what kind of services, including customised services and sessions are allowed across the network  what users’ permissions and authentication schemes are needed  what objects are in the network e.g. gateways, hosts, networks, routers and domains

Module 2: Check Point Policy Editor enables administrators to define security policy

Module 2: Access Control for Administrators Concurrent Sessions  only one administrator with read/write permissions can be logged in at any one time Management Module Fingerprint  at the first log-on to a management server, the management client will receive the management server’s fingerprint  this can be checked against a copy of the fingerprint for verification

Module 2: Rule Base Defined Rule Base Elements  the individual components that make up a rule  No.  Source  Destination  If/Via  Services  Action  Track  Install on  Time  Comment

Module 2 Rule Base Defined Ctd. Rule Base Element Options  to customise the element options in the rule base

Module 2: Example Policy Editor

Module 2: Lab 1: Launching the Policy Editor

Module 2: VPN-1/FireWall-1 NG Licensing License Types  central – the license is linked to the IP number of the management server  local – tied to the IP number to which the license will be applied Obtaining Licenses  locate certificate key on the CD cover of the CP CD  contact www.checkpoint.com - selecting User Center to obtain eval or permanent license Check Point User Center

Module 2: SecureUpdate Made up of two components – Installation Manager and License Manager  allows tracking of currently installed versions of CP and OPSEC products  updating of installed CP and OPSEC software remotely from a centralised location  centrally managing licenses

Module 2: SecureUpdate Architecture, Distributed Configuration

Module 2: Defining Basic Objects

Module 2: Detecting Spoofing Spoofing is a technique used by intruders attempting to gain unauthorised access  a packet’s source IP address is altered to appear to come from a part of the network with higher privileges Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway  i.e. packets claiming to originate in the internal network, actually DO come from that network

Module 2 Detecting Spoofing Configuring Anti-Spoofing  networks reachable from an interface need to be defined appropriately  should be configured on all interfaces  spoof tracking is recommended  anti-spoofing rules are enforced before any rule in the Security Policy rule base

Module 2: Anti-Spoofing

Module 2: Creating the Rule Base Basic Rule Base Concepts  each rule in a rule base defines the packets that match the rule based on Source, Destination, Service and the Time the packet is inspected  the first rule that matches a packet is applied

Module 2 The default rule added when you add a rule to the Rule Base

Module 2: The Basic Rules Cleanup Rule  CP follows the principle “that which is not expressly permitted, is prohibited”  all communication attempts not matching a rule will be dropped  the cleanup rule drops all the communication but allows specific logging

Module 2 The Basic Rules The Stealth Rule  prevents users from connecting directly to the firewall

Module 2: Defining Basic Rules

Module 2: Implicit and Explicit Rules Completing the Rule Base  Firewall-1 NG creates implicit rules derived from the policy properties and includes explicit rules created by the user in the Policy Editor Understanding Rule Base Order  viewing implied rules will show both sets of rules merged in the correct sequence

Module 2: Implied Rules

Module 2: Verifying and Installing a Security Policy

Module 2: Command Line Options for the Security Policy Basic Options  cpstart/cpstop starts and stops all CP applications running on the machine  cplic print displays the details of the Firewall licenses  fwstart/fwstop starts and stops the Firewall NG module, firewall daemon (fwd), management module (fwm), SNMP daemon (snmpd) and authentication deamons

Module 2: Review Question #1: What are the steps for creating and enforcing a Security Policy? Name your policy, add rules with objects, install the policy

Module 2: Review Question #2: What is the difference between implicit and explicit rules? Implicit (or pseudo) rules are created by VPN-1/FireWall-1 NG, and are derived from the security properties. Explicit rules are created by the user.

Module 2: Review Question #3: What order are policies and rules matched? Policies and rules are matched in order on the Rule Base, one rule at a time.

Module 3: Advanced Security Policy

Module 3: Introduction Objectives  Demonstrate how to perform the following:  Hide and unhide rules  View hidden rules  Define a rule mask  Apply rule masks  Show how to install and uninstall a Security Policy

Module 3: Introduction Objectives (continued)  List the guidelines for improving VPN-1/FireWall-1 NG performance, using a Security Policy Key Term  masking rules

Module 3: Masking Rules Overview  rules in a rule base can be hidden to allow easier reading of a complex rulebase (masking rules)  all other rules will be visible however their numbers wont change  hidden rules are still enforced on the gateway

Module 3 Masking Rules Viewing Hidden Rules  if View Hidden in the Rules>Hide menu is checked, all rules set as hidden are displayed Unhiding Hidden Rules  select Unhide All from the Rules>hide menu

Module 3: Disabling Rules Disabling Rules  a disabled rule will only take effect after the security policy is reinstalled  the rule will still be displayed in the policy editor rulebase Enabling a Disabled Rule  select the disabled rule and right click  select Disable Rule to deselect  remember to reinstall the policy

Module 3: Uninstalling a Security Policy Steps for Uninstalling a Security Policy  select Policy>Uninstall from the Security Policy Editor main screen  click Select All to select all items on the screen (specific items may be deselected)  click OK

Module 3: Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy Management Module  listing machine names and IP addresses in a hosts file will decrease installation time for created network objects  /etc/hosts (Solaris)  winntsystem32drivershosts (Windows)

Module 3 Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy Enforcement Module  keep the rulebase simple  position the most frequently used rules at the top of the rulebase  don’t log unnecessary connections  use a network object in place of many workstation objects  use IP address ranges in rules instead of a set of workstations

Module 3: Review Question #1: If a rule is masked or hidden, is it disabled and no longer part of the Rule Base? No, masked or hidden rules are still part of the Rule Base, and are installed when a Security Policy is installed.

Module 3: Review Question #2: When you select a rule, and then select “Disable Rule(s)” from the menu, what must you also do before the rule is actually disabled? Install the Security Policy

Module 3: Review Question #3: How does masking help you maintain a Rule Base? Discussion

Module 3: Review Question #4: Define some guidelines for improving VPN-1/FireWall-1 NG’s performance via a Security Policy. Discussion

Module 4: Log Management

Module 4: Introduction Objectives  Identify the three display modes of the Log Viewer  Identify and define Status Manager icons  Assign network objects to display in Status Manager  Enable automatic updating of Status Manager

Module 4: Introduction Objectives (continued)  Specify selection criteria and save log files  Describe the steps needed to block an intruder  List the three blocking scope options and their uses  Describe how block request is used

Module 4 Key Terms log viewer status manager

Module 4: Log Viewer provides visual tracking, monitoring and accounting information provides control over the log files display allows quick access to information any event which causes an alert is logged, including some system events such as an install of a policy

Module 4: Logging

Module 4 Log Viewer Kernel Side  FWD merges log fragments producted the FW-1 Kernel components into one log record  each log record is stamped with a Log Unificiation Unique ID (LUUID) Server Side  FWD transfers the log record to the log database (fw.log) on the log server/management module  a single connection is represented by one entry in the log viewer

Module 4 Log Viewer Log Viewer Logon  Select Window>Log Viewer from the security policy main menu Data (Column) Fields  the administrator can specify which of the available data fields (columns) to display Column Menu  right clicking anywhere in the column of the log viewer will invoke the column menu

Module 4 Log Viewer Log Viewer Toolbar Buttons

Module 4 Log Viewer Log Types  there are seven types of log which can be displayed from the toolbar  general predefined selection  firewall-1 predefined selection  account predefined selection  FloodGate-1 predefined selection  SecureClient predefined selection  UA Webaccess predefined selection

Module 4 Log Viewer Log Viewer Mode  there are three different predefined selection views  log mode  active mode  audit mode

Module 4: Log Viewer (continued) Log File Management  the File menu allows the administrator to perform the following tasks :  Log Switch  Open  Save as  Purge  Print  Export

Module 4: Configuring the Security Policy for Logging System-wide logging and alerting  Global Properties window allows an administrator to define system-wide logging and alert parameters for options such as  VPN successful key exchange  VPN packet handling errors  VPN configuration and key exchange errors etc.

Module 4: Blocking Connections Terminating a Connection with Block Intruder  it is possible to block an active connection using the source IP address  the scope of the blocked connection can be  block only this connection  block access from this source  block access to this destination

Module 4: Block Intruder

Module 4: Status Manager Status Manager Logon Working with the Status Manager Interface Modules View Module Status Product Details Windows Critical Notifications

Module 4: Checking VPN-1/FireWall-1 NG Status in the Status Manager

Module 4: Review Question #1: What are the three display modes of Log Viewer? Log Audit Active

Module 4: Review Question #2: What are the three blocking scope options and their uses? Block only this connection Block access from this source IP Block access to this destination

Module 4: Review Question #3: What option could you use to block an intruder whose connection ID is known? Block request

Module 5: Authentication Parameters: User, Client, and Session Authentication

Module 5: Introduction Objectives  Demonstrate how to implement authentication.  Demonstrate the process of creating users and groups.  Demonstrate the setup of authentication parameters.

Module 5: Introduction Objectives (continued)  Demonstrate how to implement user authentication, using various authentication schemes.  List types of services supported by VPN-1/FireWall-1 NG requiring user name and password.  Demonstrate how to implement client authentication.  Demonstrate how to implement session authentication.

Module 5 Key Terms User Authentication Client Authentication Session Authentication Session Authentication Agent

Module 5: Understanding Authentication User Authentication  grants access on a per user basis  can be used for Telnet, FTP, RLOGIN, HTTP  requires separate authentication for each connection

Module 5: Understanding Authentication Session Authentication  requires authentication for each connection  can be used with any service  requires a Session Authentication Agent

Module 5 Understanding Authentication Client Authentication  grants access on a per host basis  allows connections for a specific IP address after successful authentication  can be used for any number of connections  can be used for any service  most commonly used authentication method

Module 5 Understanding Authentication Authentication Schemes  skey  OS Password  VPN-1/Firewall-1 Password  SecurID  Radius  Axent Defender  TACACS

Module 5: User Authentication Overview user authentication provided by the security servers on the gateway when a rule specifies user authentication the corresponding security server is invoked (TELNET, FTP, HTTP and RLOGIN if authentication is successful the security server opens a separate connection to target server

Module 5: Defining User Templates

Module 5: Defining Users from Templates

Module 5: Set Up Authentication Parameters

Module 5: HTTP User Authentication with a VPN-1 & FireWall-1 Password

Module 5: Telnet User Authentication with a VPN-1 & FireWall-1 Password (Optional)

Module 5: FTP User Authentication with a VPN-1 & FireWall-1 Password (Optional)

Module 5: Client Authentication How Client Authentication Works  enables administrators to grant access privileges to a specific IP address  authentication is by username and password, but access is granted to the host machine (IP)  can be used for any number of connections, for any service, for any length of time

Module 5: Client Authentication

Module 5: Sign On Methods Source Field  sources field in the User Properties window may specify that the user is not allowed access from the source address – but the rule allows access. This field specifies how to resolve the problem Destination Field  destination field in the User Properties window may specify that that the user is now allowed access to the destination address. This field specifies how to resolve that problem

Module 5 Sign On Methods Required Sign On  Standard Sign On – user is allowed to use all the services permitted by the rule for the authorisation period Specific Sign On  only connections that match the original connection are allowed without additional authentication

Module 5 Sign on Methods Sign On Method  Manual – the user has to initiate Client Authentication by  telnet to port 259  http to port 900  Partially Automatic Client Authentication  Fully Automatic Client Authentication  Agent Automatic Sign On  Single sign on

Module 5 Sign on Methods Successful Authentication Tracking  logging option for Client Authentication attempts for the session

Module 5: Client Authentication

Module 5: Additional Features of Single Sign On Single Sign On For Multiple Users  privileged user can sign on and off on behalf of other users User Authority SecureAgent  extends UA capabilities to the LAN by having the SecureAgent on the desktop

Module 5: Single Sign On Example Network User on Localnet would normally TELNET to port 259 on London and authenticate then request access to BigBen. With the single sign on system extension anther user can open the connection to BigBen in advance on behalf of a user on Localnet

Module 5: Additional Features of Client Authentication Redirection of HTTP Requests According to Host Header  it is possible to configure Firewall-1 to complete the connection according to the destination specified in the HTTP host header  used when several http hosts share the same virtual IP address

Module 5 Additional Features of Client Authentication Authorizing All Standard Sign on Rules  Firewall-1 will automatically open all standard rules after successful authentication through partial or fully automatic sign on  if user successfully authenticates according to an automatic sign on rule all standard sign on rules which specify that user and source are opened.

Module 5: Session Authentication Overview How Session Authentication Works  based on a pre-session authentication method  can be integrated with any application  CP Session Agent must be loaded on the client machine  authentication performed by the daemon module

Module 5: Session Authentication 1. User initiates a connection directly to the server 2. Firewall-1 Inspection module intercepts the connection and connects to Session Authentication agent 3. Session agent prompts for authentication data and returns this to the inspection module 4. if successful, Firewall-1 module allows the connection to pass through the gateway

Module 5: Session Authentication

Module 5: Review Question #1: What are the three types of VPN-1/FireWall-1 NG authentication? User Authentication Client Authentication Session Authentication

Module 5: Review Question #2: When you want a user to authenticate once, and then be able to use any service until logging off, which authentication type would you use? Client Authentication

Module 5: Review Question #3: When defining user authentication, where do you add the authentication rule-above or below the stealth rule? Below the stealth rule

Module 5: Review Question #4: What is the advantage of using session authentication, over client authentication and user authentication? The advantage session authentication has over user authentication is that session authentication can be used with any service. The advantage session authentication has over client authentication is that the user is prompted automatically with session authentication, where client authentication encompasses a manual process the user has to remember.

Module 5: Review Question #5: Why would the client authentication rule need to be placed above the stealth rule? Client authentication requires a connection made to the firewall, that the stealth rule prevents, so either the client rule must be above the stealth rule to allow the connection, or a rule must be placed above the client authentication rule that allows connections to port 259/900 on the firewall.

Module 6: Network Address Translation

Module 6: Introduction Objectives  List the reasons and methods for Network Address Translation  Demonstrate how to set up Static NAT  Demonstrate how to set up Dynamic (Hide) NAT  Describe basic network configurations using NAT

Module 6 Key Terms Network Address Translation (NAT) Static Source NAT Static Destination NAT Dynamic (Hide) NAT Automatic and Manual NAT rules Address Resolution Protocol (ARP)

Module 6 Network Address Translation NAT conceals internal computers from outside networks as a component of VPN-1/Firewall-1 it is used for three things :  to make use of private IP addresses on the internal network  to limit external network access for security reasons  to give ease and flexibility to network administration

Module 6: NAT IP Addressing  RFC 1918 details the reserved address groups  Class A network numbers – 10.0.0.0 – 10.255.255.255  Class B network numbers – 172.16.0.0 – 172.31.255.255  Class C network numbers – 192.168.0.0 – 192.168.255.255

Module 6 Network Security  additional benefit of NAT is increased network security  internal host can connect both inside and outside intranet  external unknown host outside the network cannot connect to internal host  external connections with a spoofed internal address will be recognised and prevented from gaining access  internal public servers are made available with inbound mapping of well know TCP ports to specific internal addresses

Module 6 Network Administration  VPN-1/Firewall-1 supports two types of NAT  Static NAT  Dynamic (Hide) NAT Static NAT  translates each private address to a corresponding public address  two modes, static source and static destination

Module 6 Static Source NAT  translates private internal source IP addresses to a public external source IP address  initiated by internal clients with private IP address

Module 6: Static Source NAT

Module 6: Address Translation Using Static Source Mode

Module 6 Static Destination NAT  translates public addresses to private addresses  initiated by external clients

Module 6: Address Translation Using Static Destination Mode

Module 6 Dynamic (Hide) NAT used for connections initiated by hosts in an internal network where the hosts’ IP addresses are private private internal addresses are hidden behind a single public external address uses dynamically assigned port numbers to distinguish between them

Module 6: Dynamic NAT

Module 6 Dynamic (Hide) NAT Ctd. hide mode packets’ source port numbers are modified destination of a packet is determined by the port number port numbers are dynamically assigned from two pools of numbers :  from 600 to 1023  from 10,000 to 60,000 hide mode cannot be used for protocols where the port number cannot be changed or where the destination IP address is required

Module 6: Hide Mode Address Translation

Module 6 Hiding behind 0.0.0.0  if the administrator specifies 0.0.0.0 as the hide address, all clients will be hidden behind the firewall’s server side interface

Module 6: Hiding Behind 0.0.0.0

Module 6: Automatic and Manual NAT Rules NAT Rules  NAT rules consist of two elements  the conditions that specify when the rule is to be applied  the action to be taken when the rule is applied  each section in the NAT Rule Base Editor is divided into Source, Destination and Service

Module 6 Automatic and Manual NAT Rules NAT Rules  the action is always the same  translate source under original packet to source under translated packet  translate destination under original packet to destination under translated packet  translate service under original packet to service under translated packet

Module 6 Network Address Translation Properties  several properties can be applied to automatically generated NAT rules  these are enabled by default in new installations however disabled by default when upgrading from previous versions  these properties can be configured in the network address translation page of the Global Properties window IP Pools IP Pool NAT Track Address Translation and Routing

Module 6 Network Address Translation Properties (Ctd)  Allow Bi-directional NAT  the firewall will check all of the rules to see if a source in one rule and destination in another rule match  firewall will take the first source rule and the first destination rule that are found to match, applying both rules concurrently

Module 6 Network Address Translation Properties (Ctd)  Translate destination on client side  prior versions of Firewall performed NAT on the server side, requiring special anti spoofing and internal routing  Automatic ARP configuration  ARP tables on the gateway are automatically configured, enabling ARP requests for a NATed machines, network or address range are answered by the gateway

Module 6 IP Pools  a range of IP addresses routable to a gateway  encrypted connections opened to a host will have a substituted IP address from the IP Pool for the source IP address  must be routable back to the gateway

Module 6: Address Translation Example- Gateway with Two Interfaces Routing  the router routes IP addresses in the network 199.203.73.0 to the gateway  the gateway routes IP address 192.203.73.3 to the internal interface (10.0.0.1)  the gateway routes IP addresses 199.203.73.64 through 199.203.73.80 to the internal interface (10.0.0.1)

Module 6: Gateway with Two Interfaces

Module 6: Address Translation Example- Gateway with Three Interfaces Routing  ensure router routes IP address in the network 192.45.125.0 to the gateway  the gateway should be able to route IP address 172.45.125.209 to the internal interface (195.9.200.1)

Module 6: Gateway with Three Interfaces

Module 6: Address Translation Example Two Networks Statically Translated

Module 6: Two Networks Statically Translated

Module 6: Address Translation and Anti-Spoofing anti spoofing is performed correctly for automatically generated NAT rules (provided it is allowed in the Global Properties) there will be a conflict between anti- spoofing and NAT if NAT takes place at the server side to correct the problem, add the translated (i.e the Valid address) is added to the public addresses on the Internal Interface

Module 6: Static NAT

Module 6: Hide NAT

Module 6: Review Question #1: What is NAT? Replacing one IP address in a packet with a different IP address.

Module 6: Review Question #2: What is the reason for using NAT, as related to IP addressing? To conceal the network’s internal IP addresses from the Internet To translate private addresses to public addresses, and back

Module 6: Review Question #3: What is the NAT Rule Base? Automatically generated and manually entered NAT rules

checkpoint

by Forced_Ambitions

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 3

Statistics

checkpoint Presentation Transcript

http://www.filescon.com	2
http://www.filestube.com	1