Module 2: SecureUpdate   Made up of two components – Installation   Manager and License Manager     allows tracking of cu...
Module 2:   SecureUpdate Architecture, Distributed   Configuration
Module 2: Defining Basic Objects
Module 2: Detecting Spoofing   Spoofing is a technique used by intruders   attempting to gain unauthorised access     a p...
Module 2 Detecting Spoofing   Configuring Anti-Spoofing     networks reachable from an interface need to      be defined ...
Module 2:  Anti-Spoofing
Module 2: Creating the Rule Base   Basic Rule Base Concepts     each rule in a rule base defines the packets      that ma...
Module 2 The default rule   added when you add a rule to the Rule   Base
Module 2: The Basic Rules   Cleanup Rule     CP follows the principle “that which is not      expressly permitted, is pro...
Module 2 The Basic Rules   The Stealth Rule     prevents users from connecting directly to the      firewall
Module 2: Defining Basic Rules
Module 2: Implicit and Explicit Rules   Completing the Rule Base     Firewall-1 NG creates implicit rules derived      fr...
Module 2:  Implied Rules
Module 2: Verifying and Installing a Security Policy
Module 2: Command Line Options for the Security Policy   Basic Options     cpstart/cpstop starts and stops all CP      ap...
Module 2: Review   Summary   Review Questions
Module 2: Review Question #1:   What are the steps for creating and   enforcing a Security Policy?   Name your policy, add...
Module 2: Review Question #2:   What is the difference between implicit   and explicit rules?   Implicit (or pseudo) rules...
Module 2: Review Question #3:   What order are policies and rules   matched?   Policies and rules are matched in order   o...
Module 3: Advanced Security Policy
Module 3: Introduction   Objectives     Demonstrate how to perform the following:        Hide and unhide rules        V...
Module 3: Introduction   Objectives (continued)     List the guidelines for improving      VPN-1/FireWall-1 NG performanc...
Module 3: Masking Rules   Overview     rules in a rule base can be hidden to allow      easier reading of a complex ruleb...
Module 3 Masking Rules   Viewing Hidden Rules     if View Hidden in the Rules>Hide menu is      checked, all rules set as...
Module 3: Disabling Rules   Disabling Rules     a disabled rule will only take effect after the      security policy is r...
Module 3: Uninstalling a Security Policy   Steps for Uninstalling a Security Policy     select Policy>Uninstall from the ...
Module 3: Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy   Management Module     listing ...
Module 3 Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy   Enforcement Module     keep the...
Module 3: Review   Summary   Review Questions
Module 3: Review Question #1:   If a rule is masked or hidden, is it   disabled and no longer part of the Rule   Base?   N...
Module 3: Review Question #2:   When you select a rule, and then select   “Disable Rule(s)” from the menu, what   must you...
Module 3: Review Question #3:   How does masking help you maintain a   Rule Base?   Discussion
Module 3: Review Question #4:   Define some guidelines for improving   VPN-1/FireWall-1 NG’s performance via a   Security ...
Module 4: Log Management
Module 4: Introduction   Objectives     Identify the three display modes of the Log      Viewer     Identify and define ...
Module 4: Introduction   Objectives (continued)     Specify selection criteria and save log files     Describe the steps...
Module 4 Key Terms   log viewer   status manager
Module 4: Log Viewer   provides visual tracking, monitoring and   accounting information   provides control over the log f...
Module 4:   Logging
Module 4 Log Viewer   Kernel Side     FWD merges log fragments producted the      FW-1 Kernel components into one log rec...
Module 4 Log Viewer   Log Viewer Logon     Select Window>Log Viewer from the security      policy main menu   Data (Colum...
Module 4 Log Viewer   Log Viewer Toolbar Buttons
Module 4 Log Viewer   Log Types     there are seven types of log which can be      displayed from the toolbar         ge...
Module 4 Log Viewer   Log Viewer Mode     there are three different predefined selection      views         log mode    ...
Module 4: Log Viewer (continued)   Log File Management     the File menu allows the administrator to      perform the fol...
Module 4: Configuring the Security Policy for Logging   System-wide logging and alerting     Global Properties window all...
Module 4: Blocking Connections   Terminating a Connection with Block   Intruder     it is possible to block an active con...
Module 4: Block Intruder
Module 4: Status Manager   Status Manager Logon   Working with the Status Manager   Interface   Modules View   Module Stat...
Module 4: Checking VPN-1/FireWall-1 NG Status in the Status Manager
Module 4: Review   Summary   Review Questions
Module 4: Review Question #1:   What are the three display modes of Log   Viewer?   Log   Audit   Active
Module 4: Review Question #2:   What are the three blocking scope   options and their uses?   Block only this connection  ...
Module 4: Review Question #3:   What option could you use to block an   intruder whose connection ID is known?   Block req...
Module 5: Authentication Parameters: User, Client, and Session Authentication
Module 5: Introduction   Objectives     Demonstrate how to implement authentication.     Demonstrate the process of crea...
Module 5: Introduction   Objectives (continued)     Demonstrate how to implement user authentication,      using various ...
Module 5 Key Terms   User Authentication   Client Authentication   Session Authentication   Session Authentication Agent
Module 5: Understanding Authentication   User Authentication       grants access on a per user basis       can be used f...
Module 5: Understanding Authentication   Session Authentication       requires authentication for each connection       ...
Module 5 Understanding Authentication   Client Authentication     grants access on a per host basis     allows connectio...
Module 5 Understanding Authentication   Authentication Schemes       skey       OS Password       VPN-1/Firewall-1 Pass...
Module 5: User Authentication Overview   user authentication provided by the   security servers on the gateway   when a ru...
Module 5: Defining User Templates
Module 5: Defining Users from Templates
Module 5: Set Up Authentication Parameters
Module 5: HTTP User Authentication with a VPN-1 & FireWall-1 Password
Module 5: Telnet User Authentication with a VPN-1 & FireWall-1 Password (Optional)
Module 5: FTP User Authentication with a VPN-1 & FireWall-1 Password (Optional)
Module 5: Client Authentication   How Client Authentication Works     enables administrators to grant access      privile...
Module 5:   Client Authentication
Module 5: Sign On Methods   Source Field     sources field in the User Properties window      may specify that the user i...
Module 5 Sign On Methods   Required Sign On     Standard Sign On – user is allowed to use all      the services permitted...
Module 5 Sign on Methods   Sign On Method     Manual – the user has to initiate Client      Authentication by         te...
Module 5 Sign on Methods   Successful Authentication Tracking     logging option for Client Authentication      attempts ...
Module 5: Client Authentication
Module 5: Additional Features of Single Sign On   Single Sign On For Multiple Users     privileged user can sign on and o...
Module 5:    Single Sign On Example Network  User on Localnet would normally TELNET to port 259 on London and  authenticat...
Module 5: Additional Features of Client Authentication   Redirection of HTTP Requests According   to Host Header     it i...
Module 5 Additional Features of Client Authentication   Authorizing All Standard Sign on Rules     Firewall-1 will automa...
Module 5: Session Authentication Overview   How Session Authentication Works     based on a pre-session authentication me...
Module 5:   Session Authentication                            1.   User initiates a                                 connec...
Module 5: Session Authentication
Module 5: Review   Summary   Review Questions
Module 5: Review Question #1:   What are the three types of   VPN-1/FireWall-1 NG authentication?   User Authentication   ...
Module 5: Review Question #2:   When you want a user to authenticate   once, and then be able to use any service   until l...
Module 5: Review Question #3:   When defining user authentication, where   do you add the authentication rule-above   or b...
Module 5: Review Question #4:   What is the advantage of using session   authentication, over client authentication   and ...
Module 5: Review Question #5:   Why would the client authentication rule   need to be placed above the stealth rule?   Cli...
Module 6: Network Address Translation
Module 6: Introduction   Objectives     List the reasons and methods for Network      Address Translation     Demonstrat...
Module 6 Key Terms   Network Address Translation (NAT)   Static Source NAT   Static Destination NAT   Dynamic (Hide) NAT  ...
Module 6 Network Address Translation   NAT conceals internal computers from   outside networks   as a component of VPN-1/F...
Module 6: NAT   IP Addressing     RFC 1918 details the reserved address groups        Class A network numbers           ...
Module 6   Network Security     additional benefit of NAT is increased network      security         internal host can c...
Module 6   Network Administration     VPN-1/Firewall-1 supports two types of NAT        Static NAT        Dynamic (Hide...
Module 6   Static Source NAT     translates private internal source IP addresses      to a public external source IP addr...
Module 6:   Static Source NAT
Module 6:   Address Translation Using Static Source   Mode
Module 6   Static Destination NAT     translates public addresses to private      addresses     initiated by external cl...
Module 6:   Address Translation Using Static   Destination Mode
Module 6:   Address Translation Using Static   Destination Mode
Module 6 Dynamic (Hide) NAT   used for connections initiated by hosts in   an internal network where the hosts’ IP   addre...
Module 6:   Dynamic NAT
Module 6 Dynamic (Hide) NAT Ctd.   hide mode packets’ source port numbers are   modified   destination of a packet is dete...
Module 6:   Hide Mode Address Translation
Module 6   Hiding behind 0.0.0.0     if the administrator specifies 0.0.0.0 as the      hide address, all clients will be...
Module 6:   Hiding Behind 0.0.0.0
Module 6: Automatic and Manual NAT Rules   NAT Rules     NAT rules consist of two elements         the conditions that s...
Module 6 Automatic and Manual NAT Rules   NAT Rules     the action is always the same         translate source under ori...
Module 6   Network Address Translation Properties     several properties can be applied to      automatically generated N...
Module 6   Network Address Translation Properties   (Ctd)     Allow Bi-directional NAT         the firewall will check a...
Module 6   Network Address Translation Properties   (Ctd)     Translate destination on client side         prior version...
Module 6   IP Pools     a range of IP addresses routable to a gateway     encrypted connections opened to a host will   ...
Module 6: Address Translation Example- Gateway with Two Interfaces   Routing     the router routes IP addresses in the ne...
Module 6:   Gateway with Two Interfaces
Module 6: Address Translation Example- Gateway with Three Interfaces   Routing     ensure router routes IP address in the...
Module 6:   Gateway with Three Interfaces
Module 6: Address Translation Example Two Networks Statically Translated
Module 6:   Two Networks Statically Translated
Module 6: Address Translation and Anti-Spoofing   anti spoofing is performed correctly for   automatically generated NAT r...
Module 6: Static NAT
Module 6: Hide NAT
Module 6: Review   Summary   Review Questions
Module 6: Review Question #1:   What is NAT?   Replacing one IP address in a packet with   a different IP address.
Module 6: Review Question #2:   What is the reason for using NAT, as   related to IP addressing?   To conceal the network’...
Module 6: Review Question #3:   What is the NAT Rule Base?   Automatically generated and manually   entered NAT rules
checkpoint

checkpoint firewall.

Published in: Business, Technology
  • You are most welcome guys!!
    On popular demand I have enabled the downloading of the source file.
    No need to give out your email id's when you can simply download the file.
    Cheers!!
  • heya..
    after reading from the slides, this is the most useful notes regarding checkpoint i've ever read. i really wish to download the slides, can you send the slides to my email please yatie_802@yahoo.com. thanks.cheers
Transcript of "checkpoint"

    1. 1. VPN-1/FireWall-1 NGManagement I
    2. 2. VPN-1/FireWall-1 NGManagement I Course Description Objectives  Identify the basic components of VPN-1/FireWall-1 NG  Successfully configure VPN-1/FireWall-1 NG (NT and/or Solaris)  Identify the VPN-1/FireWall-1 NG elements that you will need to manage  Successfully create and manage management objects  Demonstrate how to use the: Security Policy, Log Viewer, and System Status  Successfully apply NAT rules  Successfully demonstrate the ability to authenticate users
    3. 3. VPN-1/FireWall-1 NGManagement I Course Layout Course Requirements Prerequisites Check Point Certified Security Administrator (CCSA)
    4. 4. Course Requirements The course is geared towards System administators Support analysts Network engineers
    5. 5. Pre-requisites Each delegate should have : General knowledge of tcp/ip Working knowledge of Windows and/or Unix Working knowledge of network technology Working knowledge of the Internet
    6. 6. Checkpoint Certified SecurityAdministator (CCSA) The exam is wide ranging and covers all aspects of Checkpoint Firewall 1 NG. Some of the topics can be found on pages 2-3, however all documentation covered on the course CD should be reviewed including PDFs
    7. 7. VPN-1/FireWall-1 NGManagement I Course Map Module 1: VPN-1/FireWall-1 NG Architecture Module 2: Security Policy Rule Base and Properties Setup Module 3: Advanced Security Policy Module 4: Log Management Module 5: Authentication Parameters: User, Client, and Session Authentication
    8. 8. VPN-1/FireWall-1 NGManagement I Course Map-continued Module 6: Network Address Translation
    9. 9. VPN-1/FireWall-1 NGManagement I Lab Setup Lab Topology IP Addresses Lab Terms Lab Stations
    10. 10. VPN-1/FireWall-1 NGManagement I Lab Topology
    11. 11. VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Management Client  Platform : Windows 9x, ME, NT 4.0, Windows 2000 Pro.  Disk Space : 40 Mbytes  Memory : 128 Mbytes  Network I/f : All interfaces supported : by Operating System
    12. 12. VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Firewall-1 NG FP2 Modules on Windows Platform  OS : Windows NT and Windows 2000  Processor : Intel Pentium II 300+ MHz or equivalent  Disk Space : 40 Mbytes  Memory : 128 Mbytes  Network I/F : All interfaces supported : by Operating System
    13. 13. VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Management Server or Firewall-1 Module on Solaris  OS : Solaris 7 (SunOS 5.7) Solaris 8 (SunOS 5.8)  CPU Architecture Solaris 7 - 32 Bit mode Solaris 8 – 32 Bit & 64 Bit mode  Disk Space : 40Mbytes (software installation only)  Memory : 128 Mbytes  CPU : 360 MHz  Required OS : Check latest release notes Patches for requd. patches
    14. 14. VPN-1/FireWall-1 NGManagement I VPN-1/FireWall-1 NG System Requirements Management Server or Firewall-1 Module on a Linux Platform  OS : Red Hat Linux 6.2 and 7.0  CPU Architecture 32 bit and 64 bit  Disk Space : 40 Mbytes  Memory : 128 Mbytes  CPU : Intel Pentium II 300+ MHz
    15. 15. Module 1: VPN-1/FireWall-1 NG Architecture
    16. 16. Module 1: Introduction Objectives  Describe the purpose of a firewall  Describe and compare firewall architectures  Identify the different components of VPN-1/FireWall-1 NG
    17. 17. Module 1 Key Terms Firewall Packet Filtering Application Layer Gateway (Proxy) Client/Server Model Stateful Inspection Management Client Secure Internal Communication (SIC) Virtual Private Network (VPN) Secure Virtual Network (SVN)
    18. 18. Module 1: Check Point Product Overview  Securing the Internet  An emerging requirement  Securing Networks, Systems, Application and Users
    19. 19. Module 1 Secure Virtual Network (SVN) is a true security architecture Integrates multiple capabilities, including  firewall security, VPNs, IP address management etc, all within a common management framework enables security to be defined and enforced in a single policy incorporating all aspects of network security
    20. 20. Module 1 Emerging requirements To enjoy benefits of an eBusiness model a robust security infrastructure needs to be deployed Integrating the security infrastructure with application environment  providing full security for eBusiness  allowing easily established and maintained trusted relationships
    21. 21. Module 1 SVN Architecture designed to meet the challenges of eBusiness connects the four elements common to any enterprise network  Networks  Systems  Applications  Use
    22. 22. Module 1: SVN Diagram
    23. 23. Module 1: VPN-1/FireWall-1 Key component of SVN architecture  Access Control  User Authentication  Network Address Translation (NAT)  Virtual Private Networking  High Availability  Content Security  Auditing and Reporting  LDAP-based user management
    24. 24. Module 1: VPN-1/FireWall-1-continued  Intrusion Detection  Malicious Activity Detection  Third-party Device Management  High Availability and Load Sharing
    25. 25. Module 1: Internet Firewall Technologies A firewall is a system designed to  prevent unauthorised access to or from a secured network  act as a locked security door between internal and external networks  data meeting certain criteria will be allowed through However, note that a firewall can only protect a network from traffic filtered through it
    26. 26. Module 1 Stateful Inspection Technology invented by CheckPoint Software Technologies utilises the INSPECT Engine  Programmable using the INSPECT language  Provides for system extensibility  Dynamically loaded into the OS kernel  Intercepts and inspects all inbound and outbound packets on all interfaces  Verifies that packets comply with the security policy
    27. 27. Module 1: Firewall Technologies Packet Filters Application-Layer Gateway Stateful Inspection VPN-1/FireWall-1 NG Enforcement Module INSPECT Language VPN-1/FireWall-1 NG Advantages
    28. 28. Module 1: Packet Filtering Path in the OSI Model
    29. 29. Module 1: Packet Filter FTP Example
    30. 30. Module 1: Application-Layer Gateway Path
    31. 31. Module 1: VPN-1/FireWall-1 NG Enforcement Module
    32. 32. Module 1: How VPN-1/FireWall-1 NG FP-1 Works INSPECT Allowing Packets  if a packet passes inspection,the Firewall Module passes packets through the TCP/IP stack to their destination  if packets are destined for the OS local processes, are inspected then passed through the TCP/IP stack  if packets do not pass inspection, they are rejected, or dropped and logged.
    33. 33. Module 1: INSPECT Module Flow
    34. 34. Module 1: VPN-1/FireWall-1 NG Architecture The Policy Editor Management Module VPN-1/FireWall-1 NG Enforcement Module SVN Foundation
    35. 35. Module 1: Check Point Policy Editor
    36. 36. Module 1 Management Module security policy is defined using the policy editor on the Management client it is then saved to the Management module Management Module maintains FW-1 NG databases including  network object definitions  user definitions  security policy  log files
    37. 37. Module 1 VPN-1/Firewall-1 NG Enforcement Module deployed on the Internet gateway an Inspection script written in INSPECT is generated from the security policy inspection code is compiled from the script and downloaded to the enforcement module
    38. 38. Module 1 SVN Foundation CheckPoint SVN Foundation NG (CPShared) is the Operating System integrated with every CheckPoint product All CheckPoint products use the CPOS services via CPShared The SVN Foundation includes :  Secure Internal Communications (SIC)  CheckPoint registry  CPShared daemon  Watch Dog for critical services  Cpconfig  License utilities  SNMP daemon
    39. 39. Module 1: Secure Internal Communication (SIC) Communication Components Security Benefits SIC Certificates Communication Between Management Modules and Components Communication Between Management Modules and Management Clients
    40. 40. Module 1 Communication Components SIC secures communication between CheckPoint SVN components such as  management modules  management clients  VPN-1/Firewall 1 NG modules  customer log modules  SecureConnect modules  policy servers  OPSEC applications
    41. 41. Module 1 Security Benefits of SIC confirms a management client connecting to a management modules is authorised verifies that a security policy loaded on a firewall module came from an authorised management module SIC ensures that data privacy and integrity is maintained
    42. 42. Module 1 SIC Certificates SIC for CheckPoint VPN uses certificates for authentication and standards-based SSL for encryption enables each CheckPoint enabled machine to be uniquely identified certificates are generated by the Internal Certificate of Authority (ICA) on the Management module a unique certificate is generated for each physical machine
    43. 43. Module 1 Communication between Management Modules and Components the ICA automatically creates a certificate for the Management module during installation certificates for other modules are created via a simple initialisation from the Management Client upon initialisation, the ICA creates, signs and delivers a certificate to the communication component
    44. 44. Module 1 Communication between Management Modules and Management Clients the management client must be defined as authorised when invoking the Policy Editor on the Management client, the user is asked :  to identify themselves  specify the IP address of the Management Module the Management Client then initiates an SSL based connection the Management Module verifies the Client’s IP address Management Module sends back it’s certificate
    45. 45. Module 1: Distributed VPN-1/FireWall-1 NG configuration showing the components with certificates
    46. 46. Module 1: Distributed Client/Server Configuration
    47. 47. Module 1: Review Summary Review Questions
    48. 48. Module 1: Review Question #1: What is Stateful Inspection? Class Discussion
    49. 49. Module 1: Review Question #2: Why is Stateful Inspection more reliable than packet filtering and application layer gateways for protecting networks? Class Discussion
    50. 50. Module 1: Review Question #3: What process does VPN-1/FireWall-1 NG use to accept, drop, or reject packets? The NG Enforcement Module
    51. 51. Module 1: Review Question #4: What three components make up VPN-1/FireWall-1 NG? The Policy Editor The Management Server The Enforcement Point
    52. 52. Module 1a Installation of VPN-1/Firewall-1 module Installation of Management Module Installation of Management Client
    53. 53. Module 1a: Pre-installation Configuration Network Configuration  ensure network is properly configured (especially, routing)  on WinNT & Solaris enable IP routing/forwarding  for WinNT, disable the NetBUI protocol (not an IP protocol so not intercepted by Firewall-1)  environment variables are set automatically (via the installation wrapper) on WinNT, Win2000 & Solaris
    54. 54. Module 1a: VPN-1/FireWall-1 NG Client-Server Configuration  a distributed installation is supported
    55. 55. Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Windows NT Server
    56. 56. Module 1a: Lab 1a:
    57. 57. Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Sun Solaris
    58. 58. Module 1a: Lab 2a:
    59. 59. Module 1a: Installing VPN-1/FireWall-1 NG Management Client on Windows NT
    60. 60. Module 1a: Lab 3a:
61. Module 2: Security Policy Rule Base and Properties Setup
62. Module 2: Introduction
  Objectives
  - Explain the function and operation of a Security Policy.
  - Demonstrate the creation of network objects and groups, using the Management Client.
  - Demonstrate the setup of anti-spoofing on the firewall.
  - Demonstrate the setup and operation of an active Security Policy.
63. Module 2: Key Terms
  - Security Policy
  - Rule Base
  - Rule Base Elements
  - spoofing
  - anti-spoofing
  - implicit rules
  - explicit rules
  - implicit-drop rule
64. Module 2: Security Policy Defined
  What is a Security Policy?
  - a set of rules that defines network security
  Considerations
  - what kinds of services, including customised services and sessions, are allowed across the network
  - what user permissions and authentication schemes are needed
  - what objects are in the network, e.g. gateways, hosts, networks, routers and domains
65. Module 2: Check Point Policy Editor
  - enables administrators to define the security policy
66. Module 2: Access Control for Administrators
  Concurrent Sessions
  - only one administrator with read/write permissions can be logged in at any one time
  Management Module Fingerprint
  - at the first log-on to a management server, the management client receives the management server's fingerprint
  - this can be checked against a copy of the fingerprint for verification
67. Module 2: Rule Base Defined
  Rule Base Elements
  - the individual components that make up a rule:
    - No.
    - Source
    - Destination
    - If/Via
    - Services
    - Action
    - Track
    - Install on
    - Time
    - Comment
68. Module 2: Rule Base Defined (continued)
  Rule Base Element Options
  - to customise the element options in the rule base
69. Module 2: Example Policy Editor
70. Module 2: Lab 1: Launching the Policy Editor
71. Module 2: VPN-1/FireWall-1 NG Licensing
  License Types
  - central: the license is linked to the IP number of the management server
  - local: tied to the IP number to which the license will be applied
  Obtaining Licenses
  - locate the certificate key on the CD cover of the CP CD
  - contact www.checkpoint.com, selecting User Center, to obtain an eval or permanent license
  Check Point User Center
72. Module 2: SecureUpdate
  Made up of two components: Installation Manager and License Manager
  - allows tracking of currently installed versions of CP and OPSEC products
  - updating of installed CP and OPSEC software remotely from a centralised location
  - centrally managing licenses
73. Module 2: SecureUpdate Architecture, Distributed Configuration
74. Module 2: Defining Basic Objects
75. Module 2: Detecting Spoofing
  Spoofing is a technique used by intruders attempting to gain unauthorised access
  - a packet's source IP address is altered to appear to come from a part of the network with higher privileges
  Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway
  - i.e. packets claiming to originate in the internal network actually DO come from that network
76. Module 2: Detecting Spoofing
  Configuring Anti-Spoofing
  - the networks reachable from an interface need to be defined appropriately
  - should be configured on all interfaces
  - spoof tracking is recommended
  - anti-spoofing rules are enforced before any rule in the Security Policy rule base
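As an added illustration (my own sketch, not part of the course material or of Check Point's code), the following Python model shows the anti-spoofing check described on the two slides above: each internal interface is bound to the networks that legitimately sit behind it, a packet is accepted only if its source address is consistent with the interface it arrived on, and the check runs before the rule base is ever consulted. Interface names and addresses are constructed for the example; the `allow_valid_address` helper shows the remedy the Module 6 anti-spoofing slide describes for server-side NAT, adding a translated (Valid) address to the internal interface's list.

```python
from ipaddress import ip_address, ip_network

# Constructed topology for the example (hypothetical names and addresses):
# the networks that legitimately sit behind each internal interface.
TOPOLOGY = {
    "eth1": ["10.0.0.0/24"],        # internal LAN
    "eth2": ["192.168.50.0/24"],    # DMZ
}
EXTERNAL_IFACE = "eth0"             # leads to the Internet: "everything else"


def expected_interface(src):
    """Return the interface a packet with this source address should arrive on.
    Anything not behind an internal interface belongs to the external one."""
    addr = ip_address(src)
    for iface, nets in TOPOLOGY.items():
        if any(addr in ip_network(n) for n in nets):
            return iface
    return EXTERNAL_IFACE


def anti_spoof_check(iface, src):
    """True when the source address is consistent with the arrival interface."""
    return expected_interface(src) == iface


def inspect(iface, src, dst, rule_base):
    """Anti-spoofing is enforced before any rule in the Security Policy:
    a spoofed packet is dropped (and, with spoof tracking on, logged) without
    the rule base being evaluated.  `rule_base` is a callable standing in
    for the policy lookup."""
    if not anti_spoof_check(iface, src):
        return ("drop", "spoofed source %s on %s (expected %s)"
                % (src, iface, expected_interface(src)))
    return rule_base(src, dst)


def allow_valid_address(iface, valid_addr):
    """Remedy for the NAT/anti-spoofing conflict with server-side translation:
    the translated (Valid) address is added to the addresses considered
    legitimate on the internal interface."""
    TOPOLOGY.setdefault(iface, []).append(valid_addr + "/32")


def permissive_policy(src, dst):
    """Stand-in rule base that accepts everything, so the result reflects
    the anti-spoofing decision alone."""
    return ("accept", "rule base")


if __name__ == "__main__":
    print(inspect("eth0", "10.0.0.5", "203.0.113.9", permissive_policy))  # spoofed
    print(inspect("eth1", "10.0.0.5", "203.0.113.9", permissive_policy))  # accepted
```

The topology is the whole check: a packet with an internal source arriving on the external interface is dropped regardless of what the Security Policy would say, which is why the course insists it be configured on every interface.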
77. Module 2: Anti-Spoofing
78. Module 2: Creating the Rule Base
  Basic Rule Base Concepts
  - each rule in a rule base defines the packets that match the rule, based on Source, Destination, Service and the Time the packet is inspected
  - the first rule that matches a packet is applied
79. Module 2: The default rule added when you add a rule to the Rule Base
80. Module 2: The Basic Rules
  Cleanup Rule
  - CP follows the principle "that which is not expressly permitted, is prohibited"
  - all communication attempts not matching a rule will be dropped
  - the cleanup rule drops all the communication but allows specific logging
81. Module 2: The Basic Rules
  The Stealth Rule
  - prevents users from connecting directly to the firewall
82. Module 2: Defining Basic Rules
83. Module 2: Implicit and Explicit Rules
  Completing the Rule Base
  - FireWall-1 NG creates implicit rules derived from the policy properties and includes the explicit rules created by the user in the Policy Editor
  Understanding Rule Base Order
  - viewing implied rules shows both sets of rules merged in the correct sequence
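As an added example (illustrative code of my own, not from the course or from Check Point), this Python model of a rule base exercises the points on the preceding slides: implied rules derived from the Global Properties are merged ahead of the explicit rules, the first matching rule wins, the stealth rule protects the gateway, the cleanup rule drops and logs everything left over, and without a cleanup rule unmatched traffic still hits the implicit drop but is not logged. It also places the Client Authentication rule (telnet 259 / http 900 to the gateway) above the stealth rule, as the Module 5 review question explains. Object names and addresses are constructed; TCP 256 is the FW1 service used for Check Point control connections, but treating it as an implied accept here is an assumption made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed network objects for the example (hypothetical names and addresses).
OBJECTS = {
    "Any": None,
    "Gateway": ip_network("10.0.0.1/32"),      # the firewall itself
    "LocalNet": ip_network("10.0.0.0/24"),
    "WebServer": ip_network("192.168.50.10/32"),
}


def rule(no, src, dst, service, action, track="log", comment=""):
    """One rule base row: No., Source, Destination, Service, Action, Track, Comment."""
    return {"no": no, "src": src, "dst": dst, "service": service,
            "action": action, "track": track, "comment": comment}


# Implied rules come from Global Properties.  "First" implied rules precede every
# explicit rule; "last" ones follow the final explicit rule (the "before last"
# position Check Point also offers is left out here).  TCP 256 is the FW1
# service; listing it as an implied accept is an assumption for the example.
IMPLIED_FIRST = [rule("i1", "Any", "Gateway", {("tcp", 256)}, "accept", "none",
                      "implied: FireWall-1 control connections")]
IMPLIED_LAST = []

EXPLICIT = [
    rule(1, "LocalNet", "Gateway", {("tcp", 259), ("tcp", 900)}, "client auth",
         comment="Client Authentication: must sit above the stealth rule"),
    rule(2, "Any", "Gateway", "Any", "drop", comment="stealth rule"),
    rule(3, "LocalNet", "Any", {("tcp", 80)}, "accept"),
    rule(4, "Any", "WebServer", {("tcp", 80)}, "accept"),
    rule(5, "Any", "Any", "Any", "drop", comment="cleanup rule: drop and log the rest"),
]

# What happens when nothing matches: the packet is dropped but nothing is logged.
IMPLICIT_DROP = rule(None, "Any", "Any", "Any", "drop", "none", "implicit drop")


def _in_object(name, addr):
    net = OBJECTS[name]
    return net is None or ip_address(addr) in net


def _matches(r, packet):
    src, dst, proto, port = packet
    return (_in_object(r["src"], src) and _in_object(r["dst"], dst)
            and (r["service"] == "Any" or (proto, port) in r["service"]))


def merged_rule_base(explicit=EXPLICIT):
    """Implied and explicit rules in the order the gateway enforces them."""
    return IMPLIED_FIRST + list(explicit) + IMPLIED_LAST


def first_match(packet, explicit=EXPLICIT):
    """Return the first rule that matches; later rules are never consulted."""
    for r in merged_rule_base(explicit):
        if _matches(r, packet):
            return r
    return IMPLICIT_DROP


if __name__ == "__main__":
    for pkt in [("10.0.0.5", "10.0.0.1", "tcp", 259),      # client auth sign-on
                ("10.0.0.5", "10.0.0.1", "tcp", 22),       # stopped by the stealth rule
                ("203.0.113.9", "10.0.0.5", "tcp", 80)]:   # caught by the cleanup rule
        r = first_match(pkt)
        print(pkt, "->", r["no"], r["action"], r["track"])
```

Swapping rules 1 and 2 in `EXPLICIT` makes the sign-on packet hit the stealth rule instead, which is the ordering mistake the Module 5 review question warns about; dropping rule 5 shows why the cleanup rule exists even though the implicit drop already blocks the traffic.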
84. Module 2: Implied Rules
85. Module 2: Verifying and Installing a Security Policy
86. Module 2: Command Line Options for the Security Policy
  Basic Options
  - cpstart/cpstop: starts and stops all CP applications running on the machine
  - cplic print: displays the details of the FireWall-1 licenses
  - fwstart/fwstop: starts and stops the FireWall-1 NG module, firewall daemon (fwd), management module (fwm), SNMP daemon (snmpd) and authentication daemons
87. Module 2: Review
  - Summary
  - Review Questions
88. Module 2: Review Question #1: What are the steps for creating and enforcing a Security Policy?
  - Name your policy, add rules with objects, install the policy
89. Module 2: Review Question #2: What is the difference between implicit and explicit rules?
  - Implicit (or pseudo) rules are created by VPN-1/FireWall-1 NG, and are derived from the security properties. Explicit rules are created by the user.
90. Module 2: Review Question #3: In what order are policies and rules matched?
  - Policies and rules are matched in order on the Rule Base, one rule at a time.
91. Module 3: Advanced Security Policy
92. Module 3: Introduction
  Objectives
  - Demonstrate how to perform the following:
    - Hide and unhide rules
    - View hidden rules
    - Define a rule mask
    - Apply rule masks
  - Show how to install and uninstall a Security Policy
93. Module 3: Introduction
  Objectives (continued)
  - List the guidelines for improving VPN-1/FireWall-1 NG performance, using a Security Policy
  Key Term
  - masking rules
94. Module 3: Masking Rules
  Overview
  - rules in a rule base can be hidden to allow easier reading of a complex rule base (masking rules)
  - all other rules remain visible; however, their numbers won't change
  - hidden rules are still enforced on the gateway
95. Module 3: Masking Rules
  Viewing Hidden Rules
  - if View Hidden in the Rules>Hide menu is checked, all rules set as hidden are displayed
  Unhiding Hidden Rules
  - select Unhide All from the Rules>Hide menu
96. Module 3: Disabling Rules
  Disabling Rules
  - disabling a rule only takes effect after the Security Policy is reinstalled
  - the rule will still be displayed in the Policy Editor rule base
  Enabling a Disabled Rule
  - select the disabled rule and right-click
  - select Disable Rule to deselect it
  - remember to reinstall the policy
97. Module 3: Uninstalling a Security Policy
  Steps for Uninstalling a Security Policy
  - select Policy>Uninstall from the Security Policy Editor main screen
  - click Select All to select all items on the screen (specific items may be deselected)
  - click OK
98. Module 3: Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy
  Management Module
  - listing machine names and IP addresses in a hosts file will decrease installation time for created network objects
    - /etc/hosts (Solaris)
    - \winnt\system32\drivers\etc\hosts (Windows)
99. Module 3: Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy
  Enforcement Module
  - keep the rule base simple
  - position the most frequently used rules at the top of the rule base
  - don't log unnecessary connections
  - use a network object in place of many workstation objects
  - use IP address ranges in rules instead of a set of workstations
100. Module 3: Review
  - Summary
  - Review Questions
101. Module 3: Review Question #1: If a rule is masked or hidden, is it disabled and no longer part of the Rule Base?
  - No, masked or hidden rules are still part of the Rule Base, and are installed when a Security Policy is installed.
102. Module 3: Review Question #2: When you select a rule, and then select "Disable Rule(s)" from the menu, what must you also do before the rule is actually disabled?
  - Install the Security Policy
103. Module 3: Review Question #3: How does masking help you maintain a Rule Base?
  - Discussion
104. Module 3: Review Question #4: Define some guidelines for improving VPN-1/FireWall-1 NG's performance via a Security Policy.
  - Discussion
105. Module 4: Log Management
106. Module 4: Introduction
  Objectives
  - Identify the three display modes of the Log Viewer
  - Identify and define Status Manager icons
  - Assign network objects to display in Status Manager
  - Enable automatic updating of Status Manager
107. Module 4: Introduction
  Objectives (continued)
  - Specify selection criteria and save log files
  - Describe the steps needed to block an intruder
  - List the three blocking scope options and their uses
  - Describe how Block Request is used
108. Module 4: Key Terms
  - Log Viewer
  - Status Manager
109. Module 4: Log Viewer
  - provides visual tracking, monitoring and accounting information
  - provides control over the log file display
  - allows quick access to information
  - any event which causes an alert is logged, including some system events such as the installation of a policy
110. Module 4: Logging
111. Module 4: Log Viewer
  Kernel Side
  - FWD merges the log fragments produced by the FW-1 kernel components into one log record
  - each log record is stamped with a Log Unification Unique ID (LUUID)
  Server Side
  - FWD transfers the log record to the log database (fw.log) on the log server/management module
  - a single connection is represented by one entry in the Log Viewer
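As an added example (my own sketch, not FireWall-1 code; the fragments and their fields are constructed), this shows the log-unification idea on the slide: several kernel fragments carry the same LUUID, and fwd folds them into one record per connection before it reaches fw.log, which is why the Log Viewer shows a single line per connection.

```python
# Constructed log fragments for the example, each stamped with its LUUID.
# Real FW-1 fragments are binary records; this is a readable stand-in.
FRAGMENTS = [
    {"luuid": "a1", "time": 1, "src": "10.0.0.5", "dst": "203.0.113.9",
     "service": "http", "action": "accept", "rule": 3},
    {"luuid": "b2", "time": 2, "src": "10.0.0.6", "dst": "10.0.0.1",
     "service": "ssh", "action": "drop", "rule": 2},
    {"luuid": "a1", "time": 9, "bytes": 5120},                # accounting update
    {"luuid": "a1", "time": 15, "elapsed": 14, "end": True},  # connection closed
]


def unify(fragments):
    """Merge fragments with the same LUUID into one log record, keeping the
    earliest and latest timestamps; later fragments add or overwrite fields."""
    records = {}
    for frag in sorted(fragments, key=lambda f: f["time"]):
        rec = records.setdefault(frag["luuid"],
                                 {"luuid": frag["luuid"], "fragments": 0,
                                  "first_seen": frag["time"]})
        rec["fragments"] += 1
        rec["last_seen"] = frag["time"]
        for key, value in frag.items():
            if key not in ("luuid", "time"):
                rec[key] = value
    return list(records.values())


def by_luuid(records):
    """Index unified records by LUUID for lookup."""
    return {r["luuid"]: r for r in records}


if __name__ == "__main__":
    for rec in unify(FRAGMENTS):
        print(rec)
```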
112. Module 4: Log Viewer
  Log Viewer Logon
  - select Window>Log Viewer from the Security Policy main menu
  Data (Column) Fields
  - the administrator can specify which of the available data fields (columns) to display
  Column Menu
  - right-clicking anywhere in a column of the Log Viewer invokes the column menu
113. Module 4: Log Viewer: Log Viewer Toolbar Buttons
114. Module 4: Log Viewer
  Log Types
  - there are seven types of log which can be displayed from the toolbar:
    - general predefined selection
    - firewall-1 predefined selection
    - account predefined selection
    - FloodGate-1 predefined selection
    - SecureClient predefined selection
    - UA WebAccess predefined selection
115. Module 4: Log Viewer
  Log Viewer Mode
  - there are three different predefined selection views:
    - log mode
    - active mode
    - audit mode
116. Module 4: Log Viewer (continued)
  Log File Management
  - the File menu allows the administrator to perform the following tasks:
    - Log Switch
    - Open
    - Save As
    - Purge
    - Print
    - Export
117. Module 4: Configuring the Security Policy for Logging
  System-wide logging and alerting
  - the Global Properties window allows an administrator to define system-wide logging and alert parameters for options such as:
    - VPN successful key exchange
    - VPN packet handling errors
    - VPN configuration and key exchange errors, etc.
118. Module 4: Blocking Connections
  Terminating a Connection with Block Intruder
  - it is possible to block an active connection using the source IP address
  - the scope of the blocked connection can be:
    - block only this connection
    - block access from this source
    - block access to this destination
119. Module 4: Block Intruder
120. Module 4: Status Manager
  - Status Manager Logon
  - Working with the Status Manager Interface
  - Modules View
  - Module Status
  - Product Details Windows
  - Critical Notifications
121. Module 4: Checking VPN-1/FireWall-1 NG Status in the Status Manager
122. Module 4: Review
  - Summary
  - Review Questions
123. Module 4: Review Question #1: What are the three display modes of Log Viewer?
  - Log
  - Audit
  - Active
124. Module 4: Review Question #2: What are the three blocking scope options and their uses?
  - Block only this connection
  - Block access from this source IP
  - Block access to this destination
125. Module 4: Review Question #3: What option could you use to block an intruder whose connection ID is known?
  - Block Request
126. Module 5: Authentication Parameters: User, Client, and Session Authentication
127. Module 5: Introduction
  Objectives
  - Demonstrate how to implement authentication.
  - Demonstrate the process of creating users and groups.
  - Demonstrate the setup of authentication parameters.
128. Module 5: Introduction
  Objectives (continued)
  - Demonstrate how to implement user authentication, using various authentication schemes.
  - List the types of services supported by VPN-1/FireWall-1 NG that require a user name and password.
  - Demonstrate how to implement client authentication.
  - Demonstrate how to implement session authentication.
129. Module 5: Key Terms
  - User Authentication
  - Client Authentication
  - Session Authentication
  - Session Authentication Agent
130. Module 5: Understanding Authentication
  User Authentication
  - grants access on a per-user basis
  - can be used for Telnet, FTP, RLOGIN, HTTP
  - requires separate authentication for each connection
131. Module 5: Understanding Authentication
  Session Authentication
  - requires authentication for each connection
  - can be used with any service
  - requires a Session Authentication Agent
132. Module 5: Understanding Authentication
  Client Authentication
  - grants access on a per-host basis
  - allows connections for a specific IP address after successful authentication
  - can be used for any number of connections
  - can be used for any service
  - most commonly used authentication method
133. Module 5: Understanding Authentication
  Authentication Schemes
  - S/Key
  - OS Password
  - VPN-1/FireWall-1 Password
  - SecurID
  - RADIUS
  - Axent Defender
  - TACACS
134. Module 5: User Authentication
  Overview
  - user authentication is provided by the security servers on the gateway
  - when a rule specifies user authentication, the corresponding security server is invoked (TELNET, FTP, HTTP and RLOGIN)
  - if authentication is successful, the security server opens a separate connection to the target server
135. Module 5: Defining User Templates
136. Module 5: Defining Users from Templates
137. Module 5: Set Up Authentication Parameters
138. Module 5: HTTP User Authentication with a VPN-1 & FireWall-1 Password
139. Module 5: Telnet User Authentication with a VPN-1 & FireWall-1 Password (Optional)
140. Module 5: FTP User Authentication with a VPN-1 & FireWall-1 Password (Optional)
141. Module 5: Client Authentication
  How Client Authentication Works
  - enables administrators to grant access privileges to a specific IP address
  - authentication is by username and password, but access is granted to the host machine (IP)
  - can be used for any number of connections, for any service, for any length of time
142. Module 5: Client Authentication
143. Module 5: Sign On Methods
  Source Field
  - the Source field in the User Properties window may specify that the user is not allowed access from the source address, while the rule allows access. This field specifies how to resolve that conflict
  Destination Field
  - the Destination field in the User Properties window may specify that the user is not allowed access to the destination address. This field specifies how to resolve that conflict
144. Module 5: Sign On Methods
  Required Sign On
  - Standard Sign On: the user is allowed to use all the services permitted by the rule for the authorisation period
  - Specific Sign On: only connections that match the original connection are allowed without additional authentication
145. Module 5: Sign On Methods
  Sign On Method
  - Manual: the user has to initiate Client Authentication by
    - telnet to port 259
    - http to port 900
  - Partially Automatic Client Authentication
  - Fully Automatic Client Authentication
  - Agent Automatic Sign On
  - Single Sign On
146. Module 5: Sign On Methods
  Successful Authentication Tracking
  - logging option for Client Authentication attempts for the session
147. Module 5: Client Authentication
148. Module 5: Additional Features of Single Sign On
  Single Sign On for Multiple Users
  - a privileged user can sign on and off on behalf of other users
  User Authority SecureAgent
  - extends UA capabilities to the LAN by having the SecureAgent on the desktop
149. Module 5: Single Sign On Example Network
  - a user on Localnet would normally TELNET to port 259 on London and authenticate, then request access to BigBen
  - with the single sign on system extension, another user can open the connection to BigBen in advance on behalf of a user on Localnet
150. Module 5: Additional Features of Client Authentication
  Redirection of HTTP Requests According to Host Header
  - it is possible to configure FireWall-1 to complete the connection according to the destination specified in the HTTP Host header
  - used when several HTTP hosts share the same virtual IP address
151. Module 5: Additional Features of Client Authentication
  Authorizing All Standard Sign On Rules
  - FireWall-1 will automatically open all standard rules after successful authentication through partially or fully automatic sign on
  - if a user successfully authenticates according to an automatic sign on rule, all standard sign on rules which specify that user and source are opened
152. Module 5: Session Authentication Overview
  How Session Authentication Works
  - based on a pre-session authentication method
  - can be integrated with any application
  - the CP Session Authentication Agent must be loaded on the client machine
  - authentication is performed by the daemon module
153. Module 5: Session Authentication
  1. The user initiates a connection directly to the server
  2. The FireWall-1 Inspection Module intercepts the connection and connects to the Session Authentication Agent
  3. The Session Authentication Agent prompts for authentication data and returns it to the Inspection Module
  4. If successful, the FireWall-1 module allows the connection to pass through the gateway
154. Module 5: Session Authentication
155. Module 5: Review
  - Summary
  - Review Questions
156. Module 5: Review Question #1: What are the three types of VPN-1/FireWall-1 NG authentication?
  - User Authentication
  - Client Authentication
  - Session Authentication
157. Module 5: Review Question #2: When you want a user to authenticate once, and then be able to use any service until logging off, which authentication type would you use?
  - Client Authentication
158. Module 5: Review Question #3: When defining user authentication, where do you add the authentication rule: above or below the stealth rule?
  - Below the stealth rule
159. Module 5: Review Question #4: What is the advantage of using session authentication over client authentication and user authentication?
  - The advantage session authentication has over user authentication is that session authentication can be used with any service. The advantage session authentication has over client authentication is that the user is prompted automatically with session authentication, whereas client authentication involves a manual process the user has to remember.
160. Module 5: Review Question #5: Why would the client authentication rule need to be placed above the stealth rule?
  - Client authentication requires a connection to the firewall, which the stealth rule prevents, so either the client authentication rule must be above the stealth rule to allow the connection, or a rule must be placed above the client authentication rule that allows connections to port 259/900 on the firewall.
161. Module 6: Network Address Translation
162. Module 6: Introduction
  Objectives
  - List the reasons and methods for Network Address Translation
  - Demonstrate how to set up Static NAT
  - Demonstrate how to set up Dynamic (Hide) NAT
  - Describe basic network configurations using NAT
163. Module 6: Key Terms
  - Network Address Translation (NAT)
  - Static Source NAT
  - Static Destination NAT
  - Dynamic (Hide) NAT
  - Automatic and Manual NAT rules
  - Address Resolution Protocol (ARP)
164. Module 6: Network Address Translation
  - NAT conceals internal computers from outside networks
  - as a component of VPN-1/FireWall-1 it is used for three things:
    - to make use of private IP addresses on the internal network
    - to limit external network access for security reasons
    - to give ease and flexibility to network administration
165. Module 6: NAT
  IP Addressing
  - RFC 1918 details the reserved address groups:
    - Class A network numbers: 10.0.0.0 - 10.255.255.255
    - Class B network numbers: 172.16.0.0 - 172.31.255.255
    - Class C network numbers: 192.168.0.0 - 192.168.255.255
166. Module 6: Network Security
  - an additional benefit of NAT is increased network security
  - an internal host can connect both inside and outside the intranet
  - an unknown external host outside the network cannot connect to an internal host
  - external connections with a spoofed internal address will be recognised and prevented from gaining access
  - internal public servers are made available with inbound mapping of well-known TCP ports to specific internal addresses
167. Module 6: Network Administration
  - VPN-1/FireWall-1 supports two types of NAT:
    - Static NAT
    - Dynamic (Hide) NAT
  Static NAT
  - translates each private address to a corresponding public address
  - two modes: static source and static destination
168. Module 6: Static Source NAT
  - translates private internal source IP addresses to a public external source IP address
  - initiated by internal clients with a private IP address
169. Module 6: Static Source NAT
170. Module 6: Address Translation Using Static Source Mode
171. Module 6: Static Destination NAT
  - translates public addresses to private addresses
  - initiated by external clients
172. Module 6: Address Translation Using Static Destination Mode
173. Module 6: Address Translation Using Static Destination Mode
174. Module 6: Dynamic (Hide) NAT
  - used for connections initiated by hosts in an internal network where the hosts' IP addresses are private
  - private internal addresses are hidden behind a single public external address
  - uses dynamically assigned port numbers to distinguish between them
175. Module 6: Dynamic NAT
176. Module 6: Dynamic (Hide) NAT (continued)
  - in hide mode, packets' source port numbers are modified
  - the destination of a reply packet is determined by the port number
  - port numbers are dynamically assigned from two pools of numbers:
    - from 600 to 1023
    - from 10,000 to 60,000
  - hide mode cannot be used for protocols where the port number cannot be changed or where the destination IP address is required
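To make the two NAT types on the preceding slides concrete, here is an added Python model (illustrative code of my own, not Check Point's): static NAT maps each private address one-to-one to a Valid address, in source mode for outbound packets and destination mode for inbound ones, while Hide NAT rewrites the source port from the two pools named above (600-1023, then 10,000-60,000) so that replies to the single hide address can be demultiplexed back to the private hosts. The addresses are constructed for the example; the RFC 1918 ranges are those listed on the Module 6 NAT slide. The model also covers two edge cases the slides raise: a protocol without a rewritable port cannot use hide mode, and an inbound packet with no mapping is not forwarded to any internal host.

```python
import itertools
from ipaddress import ip_address, ip_network

# RFC 1918 reserved ranges, as listed on the NAT slide.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    return any(ip_address(addr) in net for net in RFC1918)


class NatGateway:
    """Toy model of a VPN-1/FireWall-1 NAT gateway (constructed for this example)."""

    def __init__(self, hide_addr, static=None):
        self.hide_addr = hide_addr                    # single Valid address for Hide NAT
        self.static_src = dict(static or {})          # private -> Valid (static source mode)
        self.static_dst = {v: k for k, v in self.static_src.items()}  # Valid -> private
        self.hide_table = {}                          # hide port -> (private src, original port)
        self.conn_ports = {}                          # (private src, original port) -> hide port
        # Hide-mode source ports come from the two pools named on the slide.
        self._pool = itertools.chain(range(600, 1024), range(10000, 60001))

    def translate_outbound(self, src, sport):
        """Source translation for a packet leaving the internal network.
        Returns the (address, port) the outside world sees."""
        if src in self.static_src:                    # static source NAT: address only
            return self.static_src[src], sport
        if not is_private(src):                       # nothing to hide
            return src, sport
        if sport is None:                             # hide mode needs a port to rewrite
            raise ValueError("hide NAT cannot be used for a protocol without ports")
        key = (src, sport)
        if key not in self.conn_ports:                # one hide port per connection
            try:
                hide_port = next(self._pool)
            except StopIteration:
                raise RuntimeError("hide NAT port pools exhausted") from None
            self.conn_ports[key] = hide_port
            self.hide_table[hide_port] = key
        return self.hide_addr, self.conn_ports[key]

    def translate_inbound(self, dst, dport):
        """Destination translation for a packet arriving from outside.
        None means no mapping exists: an unknown external host cannot reach an
        internal host through the gateway."""
        if dst in self.static_dst:                    # static destination NAT
            return self.static_dst[dst], dport
        if dst == self.hide_addr and dport in self.hide_table:
            return self.hide_table[dport]             # reply to a hidden client
        return None


if __name__ == "__main__":
    gw = NatGateway("203.0.113.1", static={"10.0.0.10": "203.0.113.10"})
    print(gw.translate_outbound("10.0.0.5", 40001))   # hidden behind 203.0.113.1
    print(gw.translate_inbound("203.0.113.1", 600))   # reply mapped back to 10.0.0.5
    print(gw.translate_inbound("203.0.113.10", 80))   # static destination to 10.0.0.10
```

Two hosts using the same original source port get distinct hide ports, which is the whole reason hide mode must rewrite the port; the static server keeps its port untouched because its Valid address alone identifies it.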
177. Module 6: Hide Mode Address Translation
178. Module 6: Hiding behind 0.0.0.0
  - if the administrator specifies 0.0.0.0 as the hide address, all clients will be hidden behind the firewall's server-side interface
179. Module 6: Hiding Behind 0.0.0.0
180. Module 6: Automatic and Manual NAT Rules
  NAT Rules
  - NAT rules consist of two elements:
    - the conditions that specify when the rule is to be applied
    - the action to be taken when the rule is applied
  - each section in the NAT Rule Base Editor is divided into Source, Destination and Service
181. Module 6: Automatic and Manual NAT Rules
  NAT Rules
  - the action is always the same:
    - translate source under original packet to source under translated packet
    - translate destination under original packet to destination under translated packet
    - translate service under original packet to service under translated packet
182. Module 6: Network Address Translation Properties
  - several properties can be applied to automatically generated NAT rules
  - these are enabled by default in new installations, but disabled by default when upgrading from previous versions
  - these properties can be configured in the Network Address Translation page of the Global Properties window
  - IP Pools
  - IP Pool NAT Track
  - Address Translation and Routing
183. Module 6: Network Address Translation Properties (continued)
  - Allow Bi-directional NAT
    - the firewall will check all of the rules to see if a source in one rule and a destination in another rule match
    - the firewall will take the first source rule and the first destination rule that are found to match, applying both rules concurrently
184. Module 6: Network Address Translation Properties (continued)
  - Translate destination on client side
    - prior versions of FireWall-1 performed NAT on the server side, requiring special anti-spoofing and internal routing
  - Automatic ARP configuration
    - ARP tables on the gateway are automatically configured, so that ARP requests for a NATed machine, network or address range are answered by the gateway
185. Module 6: IP Pools
  - a range of IP addresses routable to a gateway
  - encrypted connections opened to a host will have a substituted IP address from the IP Pool as the source IP address
  - must be routable back to the gateway
186. Module 6: Address Translation Example: Gateway with Two Interfaces
  Routing
  - the router routes IP addresses in the network 199.203.73.0 to the gateway
  - the gateway routes IP address 192.203.73.3 to the internal interface (10.0.0.1)
  - the gateway routes IP addresses 199.203.73.64 through 199.203.73.80 to the internal interface (10.0.0.1)
187. Module 6: Gateway with Two Interfaces
188. Module 6: Address Translation Example: Gateway with Three Interfaces
  Routing
  - ensure the router routes IP addresses in the network 192.45.125.0 to the gateway
  - the gateway should be able to route IP address 172.45.125.209 to the internal interface (195.9.200.1)
189. Module 6: Gateway with Three Interfaces
190. Module 6: Address Translation Example: Two Networks Statically Translated
191. Module 6: Two Networks Statically Translated
192. Module 6: Address Translation and Anti-Spoofing
  - anti-spoofing is performed correctly for automatically generated NAT rules (provided it is allowed in the Global Properties)
  - there will be a conflict between anti-spoofing and NAT if NAT takes place on the server side
  - to correct the problem, the translated (i.e. the Valid) address is added to the public addresses on the internal interface
193. Module 6: Static NAT
194. Module 6: Hide NAT
195. Module 6: Review
  - Summary
  - Review Questions
196. Module 6: Review Question #1: What is NAT?
  - Replacing one IP address in a packet with a different IP address.
197. Module 6: Review Question #2: What is the reason for using NAT, as related to IP addressing?
  - To conceal the network's internal IP addresses from the Internet
  - To translate private addresses to public addresses, and back
198. Module 6: Review Question #3: What is the NAT Rule Base?
  - Automatically generated and manually entered NAT rules