Check Point Education Series
Security Administration
Student Manual
R76 Edition
P/N: 705320
Check Point Software Technologies Ltd.
© 2013 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
International Headquarters: 5 Ha'Solelim Street
Tel Aviv 67897, Israel
Tel: +972-3-753 4555
Document #: DOC-Manual-CCSA-R76
Revision: R76.2013
Content: Mark Hoefle, Joey Witt
Graphics: Chunming Jia
Contributors, Beta Testing and Technical Review:
Chris Alblas - Arrow ECS - UK
Robin Bay - Arrow ECS - Cz Republic
Kishin Fatnani - K-Secure - India
Patrick Feistier - Arrow ECS - Austria
Tim Hall - Shadow Peak - USA
Thomas Norbeck - Glasspaper - Norway
Alejandro Diez Rodriguez - Afina - Spain
Imrich Tarhanic - INTAS - Slovakia
Erik Wagemans - JCA - Belgium
Test Development:
Ken Finley - Check Point
Check Point Technical Publications Team:
Rochelle Fisher, Daly Yam, Eli Har-Even, Paul Grigg, Richard Levine, Rivkah Albinder, Shira Rosenfield, Yaakov Simon
Contents
Check Point Security Administration i
Table of Contents
SmartEvent ............................................. 24
SmartView Monitor ...................................... 26
SmartReporter .......................................... 27
SmartUpdate ............................................ 28
SmartProvisioning ...................................... 29
SmartEndpoint .......................................... 31
Security Management Server ............................. 32
  Managing Users in SmartDashboard ..................... 32
  Users Database ....................................... 33
Securing Channels of Communication ..................... 34
  Secure Internal Communications ....................... 34
  Testing the SIC Status ............................... 35
  Resetting the Trust State ............................ 36
Practice and Review .................................... 38
  Practice Labs ........................................ 38
  Review ............................................... 38
Student Manual v
Course Layout
This course is designed for Security Administrators and Check Point resellers,
and for those who are working towards their CCSA (Check Point Certified
Security Administrator) certification. The following professionals benefit best
from this course:
System administrators
Support analysts
Network engineers
Prerequisites
Before taking this course, we strongly suggest you have the following knowledge
base:
General knowledge of TCP/IP
Working knowledge of Windows and/or UNIX
Working knowledge of network technology
Working knowledge of the Internet
Certification Title
Course Chapters
Most lab exercises will require you to manipulate machines in your network and
other labs will require interaction with the instructor's machines.
[Figure: lab topology, Site Alpha and Site Bravo. Legible labels: a gateway with external address 172.29.109.1/8; A-DMZ, external address 192.0.2.100/24, default gateway 192.0.2.1; A-WIN; B-GUI, IP address 10.1.9.201/24, default gateway 10.1.9.1; a default gateway 10.1.1.1.]
Topology Conventions
172.0.0.0 addresses represent all external interfaces.
10.0.0.0 addresses represent all internal interfaces.
192.0.0.0 addresses represent all server communication interfaces (sync and DMZ).
All addresses ending in the .200 range are Windows GUI Clients.
All addresses ending in the .100 range are Servers (Management or DMZ).
Computer
VM/Object Name     Description
A-WIN              Administrator client machine used to connect to Security Management server.
(name illegible)   Active Directory server for corporate office.
A-MGMT             Security Management Server at corporate office
A-GW               Security Gateway at corporate office
A-DMZ              Multi-purpose server in the DMZ of the corporate office
B-GW               Security Gateway at branch office
B-GUI              PC at branch office
Learning Objectives:
Describe Check Point's unified approach to network management, and the key
elements of this architecture.
Design a distributed environment using the network detailed in the course
topology.
Install the Security Gateway in a distributed environment using the network
detailed in the course topology.
Introduction to Check Point Technology
SmartConsole
The SmartCenter GUI, SmartConsole, is comprised of several clients used to
manage the Check Point security environment.
Once policies are created or modified, they are distributed to Security Gateways.
Centralized Policy management increases efficiency, when compared to solutions
that require either multiple management interfaces or per-device policy
installation. Security is strengthened, because the Security Policy is always up-
to-date on all networked Security Gateways.
Security Gateway
The Security Gateway is the firewalled machine on which the firewall software is
installed, and is based on Stateful Inspection. SmartConsole and Security
Management Server may be deployed on the same or separate machines, in a
client/server configuration.
The Security Gateway is deployed on an Internet gateway and other network-
access points. Security Policies are defined using SmartDashboard, and saved to
a Security Management Server. An Inspection Script is generated from Policies.
Inspection Code is compiled from the Inspection Script, and is installed on the
Security Gateway, which protects the network.
[Figure: the OSI reference model. Layer 7 - Application, Layer 6 - Presentation, Layer 5 - Session, Layer 4 - Transport, Layer 3 - Network, Layer 2 - Data Link, Layer 1 - Physical.]
The more layers a firewall is capable of covering, the more thorough and
effective the firewall. Advanced applications and protocols can be
accommodated more efficiently with additional layer coverage. In addition, more
advanced firewalls, such as Check Point's Security Gateways, can provide
services that are specifically oriented to the user, such as authentication
techniques and logging events to specific users.
Any firewall must deny or permit traffic based on explicitly defined rules. Check
Point utilizes the following technologies to grant or deny network traffic:
Packet filtering
Stateful Inspection
Application Intelligence
Packet Filtering
Fundamentally, messages are divided into packets that include the destination
address and data. Packets are transmitted individually and often by different
routes. Once the packets reach their destination, they are recompiled into the
original message.
[Figure: packet filtering. A router between two hosts examines traffic at the Network layer only; the Application, Presentation, Session and Transport layers of the end hosts are not inspected.]
PROS                        CONS
Application Independence    Low Security
High Performance            No Screening Above Network Layer (no 'state' or application-context information)
Scalability
Packet-filter firewalls are the least secure type of firewall, because they cannot
understand the context of a given communication, making them easier for
intruders to attack.
Stateful Inspection
[Figure: Stateful Inspection. The INSPECT Engine sits between the protocol stacks of the communicating hosts and maintains a State Table.]
PROS
Good Security
Full Application-layer Awareness
High Performance
Extensibility
Transparency
There are many state tables that hold useful information in regards to monitoring
performance through a Security Gateway. State tables are used to keep state
information needed to correctly inspect packets. The tables are key components
of Check Point Stateful Inspection technology.
Check Point's INSPECT Engine is the mechanism used for extracting the state-
related information from all application layers, and maintains this information in
these dynamic state tables needed for evaluating subsequent connections. The
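The difference between a packet filter and Stateful Inspection described above, worked through as an added toy model in Python (example code written for this section, not Check Point's INSPECT Engine): one rule lets internal hosts (the course topology's 10.0.0.0 range) open HTTP, and both mechanisms are fed the same constructed packets. The addresses, ports and the 4-tuple state table are assumptions made for the illustration.

```python
"""Packet filtering versus Stateful Inspection, as a constructed toy model.

Not Check Point code.  Rule 1 permits internal hosts to open HTTP outbound.
A stateless packet filter must also admit inbound packets from TCP port 80 so
that replies get through, which also admits an unsolicited packet from port 80.
The stateful inspection module records the outbound connection in a state table
and admits inbound packets only when they match an entry in that table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # course topology: 10.x.x.x = internal


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # set on the first packet of a TCP connection
    ack: bool = False


def rule_base_permits(pkt):
    """Rule 1: internal hosts may open HTTP (TCP/80) to anywhere."""
    return ip_address(pkt.src) in INTERNAL and pkt.dport == 80


def packet_filter(pkt):
    """Stateless filter: each packet is judged on its own header only.

    To let HTTP replies in, it has to accept anything from source port 80
    towards the internal network, whether or not a request was ever sent.
    """
    if rule_base_permits(pkt):
        return "accept"
    if pkt.sport == 80 and ip_address(pkt.dst) in INTERNAL:
        return "accept"   # reply rule: the gap a packet filter cannot close
    return "drop"


class InspectionModule:
    """Stateful inspection: a state table keyed by the connection 4-tuple."""

    def __init__(self):
        self.state_table = set()

    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state_table or reverse in self.state_table:
            return "accept"   # belongs to a connection already in the table
        # A new connection only creates state if it is a SYN the rule base permits.
        if pkt.syn and not pkt.ack and rule_base_permits(pkt):
            self.state_table.add(key)
            return "accept"
        return "drop"         # no context for this packet: not a known connection


def run_scenario():
    """Replay a constructed packet sequence; return each mechanism's verdicts."""
    client_syn = Packet("10.1.9.201", 40000, "198.51.100.7", 80, syn=True)
    server_synack = Packet("198.51.100.7", 80, "10.1.9.201", 40000, syn=True, ack=True)
    # Unsolicited packet from source port 80 to a host and port nobody opened.
    unsolicited = Packet("198.51.100.7", 80, "10.1.9.202", 445, ack=True)
    sequence = (client_syn, server_synack, unsolicited)

    stateless = [packet_filter(p) for p in sequence]
    module = InspectionModule()
    stateful = [module.inspect(p) for p in sequence]
    return {"packet_filter": stateless, "stateful_inspection": stateful}


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name}: {verdicts}")
```

The third packet is the point of the comparison: the filter accepts it because port 80 matches its reply rule, while the inspection module drops it because no entry in the state table explains it.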
Application Intelligence
[Figure: Application Intelligence, sample protocols by OSI layer. Layer 7 - Application and Layer 6 - Presentation: HTTP, FTP, RPC, SMTP; Layer 5 - Session; Layer 3 - Network: IP; Layer 1 - Physical.]
The diagram presents a sample flow of a new inbound packet initiating a TCP/IP
session through the Inspection Module, at the kernel level:
[Figure: a new connection arrives at the NIC and is passed to the Inspection Module, which decides whether to drop the packet.]
Deployment Considerations
As a brief introduction to Gateway deployments, consider the network topology.
The network topology represents the internal network (both the local access
network (LAN) and the demilitarized zone (DMZ)) protected by the Gateway.
The Gateway must be aware of the layout of the network topology to:
Correctly enforce the Security Policy.
Ensure the validity of IP addresses for inbound and outbound traffic.
Configure a special domain for Virtual Private Networks.
Figure 8 - Secure Network
Standalone Deployment
In a standalone deployment, the Security Management Server and Security
Gateway are installed on the same computer or appliance.
Item  Description
      Standalone computer
Distributed Deployment
In a distributed deployment, the Security Gateway and the Security Management
Server are installed on different computers or appliances.
Item  Description
      Security Management Server component
Standalone Full HA
In a standalone full high availability deployment, the Security Management
server and Security Gateway are each installed on one appliance, and two
appliances work in High Availability mode.
Item  Description
1     Primary appliance
      Backup appliance
      Security Gateway component
Bridge Mode
A bridge mode deployment adds a Security Gateway to an existing environment
without changing IP Routing.
Item Description
1 and 2 Switches
SmartDashboard
In SmartDashboard, you can manage all aspects of your network security. The
settings defined in the various tabs are applied to gateways and/or endpoints to
enforce the security that you choose to implement.
Figure 13 - SmartDashboard
The tabs that you see in the SmartDashboard may depend on the Software Blades
that you have deployed:
Firewall - In this window you can see the important current data for the
Firewall Software Blade and its Security Gateways.
Application Control & URL Filtering - In the Application and URL
Filtering Overview pane, you can quickly see the status of computers and
incidents. Use the windows for the most urgent or commonly-used
management actions.
Data Loss Prevention (DLP) - In this window you can quickly see the
status of DLP Security Gateways and Exchange Security Agents. You can
also see incidents and access the windows for the most urgent or commonly-
used management actions.
IPS (Intrusion Prevention System) - In this window you can quickly view
and handle urgent security issues that deal with IPS management.
Anti-Bot & Anti-Virus - In the Anti-Bot and Anti-Virus Overview pane,
you can quickly see the gateways in your organization that are enforcing Anti-
Bot and Anti-Virus and malware details. Use the windows for the most urgent
or commonly-used management actions.
Anti-Spam and Mail - In this window you can configure enforcing
gateways, enable database updates, and review and adjust your messaging
security settings.
Mobile Access - In this window you see the important current data for the
Mobile Access Software Blade. Mobile Access gives remote users secure
connectivity to read emails and to access web applications.
IPSec VPN - In this window you can easily see status and quickly access
data for your VPNs.
QoS (Quality of Service) - In this window you can view and manage the
QoS policy.
Desktop - In this window you can view and modify the Desktop policy Rule
Base.
From Smart Dashboard, you can also access some of Check Point's other
SmartConsole components. These are a group of software modules including:
SmartView Tracker
SmartLog
SmartEvent Intro
SmartEvent
SmartView Monitor
SmartReporter
SmartUpdate
SmartProvisioning
SmartEndpoint
SmartView Tracker
SmartView Tracker is used for managing and tracking logs and alerts. It provides
real-time historical and visual tracking, monitoring, and accounting information
for all logged connections. Additionally, SmartView Tracker logs administrator
actions, such as changes to object definitions or rules, which can dramatically
reduce the time needed to troubleshoot configuration errors. Security
Administrators can filter or perform searches on log records, to quickly locate
and track events of interest. In the case of an attack or otherwise suspicious
network activity, Security Administrators can use SmartView Tracker to
temporarily or permanently terminate connections from specific IP addresses.
[Figure: SmartView Tracker window, with callouts 1 to 3 described below.]
1. Network & Endpoint tab - Network and Endpoint mode is the default view
for SmartView Tracker. Network and Endpoint mode displays entries for
security-related events for different Check Point products as well as Check
Point's OPSEC partners.
2. Active tab - In the Active mode you can view connections that are currently
open through the Security Gateways that are logging to the active Log file.
3. Management tab - In the Management mode you can show audit entries in
the SmartView Tracker. The Management All Records Query is displayed.
SmartLog
SmartLog, part of the Logging and Status Software Blade and unified security
management console, enables enterprises to centrally track log records and
security activity across all Software Blades with split-second Google-like search
results that provide instant visibility over billions of log records. The intuitive
search box delivers real-time search results from any log field, displaying top-
down results and saving security administrators valuable time. Administrators can
search multiple log files, time periods, gateways and domains, or search by
action, user, time or geography for powerful granular security investigation. The
Logging and Status Software Blade transforms data into security intelligence
with real-time visibility over billions of log records from a single, integrated
security management console.
Figure 15 - SmartLog
SmartEvent
SmartEvent provides centralized, real-time event correlation of log data from
Check Point perimeter, internal, and Web security gateways, as well as third-party
security devices, automatically prioritizing security events for action. By
automating the aggregation and correlation of raw log data, SmartEvent
minimizes the amount of data that needs to be reviewed and collates and
prioritizes security threats.
Figure 16 - SmartEvent
With SmartEvent, security teams no longer need to comb through the massive
amount of data generated by the devices in their environment. Instead, they can
focus on deploying resources on the threats that pose the greatest risk to their
business.
SmartEvent is capable of managing millions of logs per day per correlation unit
in large enterprise networks. Through its distributed architecture, SmartEvent can
be installed on a single server but has the flexibility to spread processing load
across multiple correlation units and reduce network load.
Data Visualization - See real time information, trends, anomalies, and statistics
at a glance with events displayed graphically by timelines, charts, pies, or on a
world map.
SmartView Monitor
Managing network and security performance today can be a difficult juggling act.
Security teams have to deal with many networks and VPN gateways, large
numbers of users with different needs, and a fast-growing array of security
threats that can quickly congest networks. SmartView Monitor shows the
complete picture of network and security performance, enabling fast response to
changes in traffic patterns or security activities.
SmartView Monitor centrally monitors Check Point and OPSEC devices,
presenting a complete visual picture of changes to gateways, tunnels, remote
users and security activities. This enables administrators to immediately identify
changes in network traffic flow patterns that may signify malicious activity.
Benefits
[Figure: SmartView Monitor]
SmartReporter
The Check Point SmartReporter Software Blade increases the visibility of
security threats by centralizing network security reporting of network, security
and user activity into concise predefined or custom-built reports. Easy report
generation and automatic distribution save time and money and allow
organizations to maximize security investments.
Figure 18 - SmartReporter
SmartUpdate
Figure 19 - SmartUpdate
SmartProvisioning
Figure 20 - SmartProvisioning
SmartEndpoint
Endpoint Security is a Software Blade in a Check Point Security Management
server. SmartEndpoint is the management console for endpoint clients and their
features.
Figure 21 - SmartEndpoint
Security Management Server
Managing Users in SmartDashboard
Your network can be accessed and managed by multiple users and administrators.
A secure network is efficiently managed by centrally controlled user and
administrator accounts. SmartDashboard - Desktop Tab manages users,
administrators and their groups as objects using the standard object
administration tools; i.e., the Objects Tree pane and the Users and Administrators
window.
Figure 22 - Objects Tree and the Users and Administrators
The user's definition includes access permissions to and from specific machines
at specific times of the day. The user definition can be used in the Rule Base's
Authentication Rules and in Remote Access VPN.
Users Database
Securing Channels of Communication
Secure Internal Communications
Secure Internal Communication (SIC) lets Check Point platforms and products
authenticate with each other. The SIC procedure creates a trusted status between
gateways, management servers and other Check Point components. SIC is
required to install policies on gateways and to send logs between gateways and
management servers.
The ICA (Internal Certificate Authority) is created during the Security Management
server installation process. The ICA is responsible for issuing certificates for
authentication. For example.
Testing the SIC Status
The SIC status reflects the state of the Gateway after it has received the
certificate issued by the ICA. This status conveys whether or not the Security
Management server is able to communicate securely with the gateway. The most
typical status is Communicating. Any other status indicates that the SIC
communication is problematic. For example, if the SIC status is Unknown then
there is no connection between the Gateway and the Security Management
server. If the SIC status is Not Communicating, the Security Management server
is able to contact the gateway, but SIC communication cannot be established. In
this case an error message will appear, which may contain specific instructions
on how to remedy the situation.
Resetting the Trust State
Resetting the Trust State revokes the gateway's SIC certificate. This must be done
if the security of the gateway has been breached, or if for any other reason the
gateway functionality must be stopped. When the gateway is reset, the Certificate
Revocation List (CRL) is updated to include the name of the revoked certificate.
The CRL is signed by the ICA and issued to all the gateways in this system the
next time a SIC connection is made. If there is a discrepancy between the CRL of
two communicating components, the newest CRL is always used. The gateways
refer to the latest CRL and deny a connection from an impostor posing as a
gateway and using a SIC certificate that has already been revoked.
Important - The SIC reset must be performed on the gateway's object using
SmartDashboard, and from a command prompt on the gateway using the
cpconfig tool. Performing the SIC reset on the gateway will cause an outage
until SIC is reestablished and policy reinstalled. The fw stat command can
be used to verify a Gateway's Policy installed status.
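The trust reset and CRL behaviour described above, modelled as an added Python example (written for this section, not Check Point code): the ICA is stood in for by an HMAC key, components are identified by constructed SIC names, and a CRL issue counter stands in for the CRL date. It shows why a revoked certificate is still accepted by a gateway that has not yet received the newer CRL, and why a forged "newer" CRL cannot clear the revocation.

```python
"""Toy model of SIC trust and revocation (added example, not Check Point code).

The ICA is stood in for by an HMAC key (a real ICA signs X.509 certificates and
CRLs); a component is identified by its SIC name (Distinguished Name); the CRL
'issued' counter stands in for the CRL issue date.  All values are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

ICA_KEY = b"constructed-ica-signing-key"   # stand-in for the ICA's private key


@dataclass(frozen=True)
class CRL:
    issued: int          # a newer CRL carries a higher counter
    revoked: frozenset   # SIC names whose certificates were revoked
    signature: bytes     # ICA signature over (issued, revoked)


def _crl_body(issued, revoked):
    return json.dumps({"issued": issued, "revoked": sorted(revoked)}).encode()


def ica_issue_crl(issued, revoked):
    """Only the ICA can do this: sign a CRL listing the revoked SIC names."""
    sig = hmac.new(ICA_KEY, _crl_body(issued, revoked), hashlib.sha256).digest()
    return CRL(issued, frozenset(revoked), sig)


def crl_is_authentic(crl):
    """Every component verifies the ICA signature before trusting a CRL."""
    expected = hmac.new(ICA_KEY, _crl_body(crl.issued, crl.revoked),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, crl.signature)


class Component:
    """A Security Gateway or Security Management Server holding its latest CRL."""

    def __init__(self, sic_name, crl):
        self.sic_name = sic_name
        self.crl = crl

    def reconcile_crl(self, peer_crl):
        """When two components disagree, the newest authentic CRL is used."""
        if crl_is_authentic(peer_crl) and peer_crl.issued > self.crl.issued:
            self.crl = peer_crl

    def accept_connection(self, peer_sic_name, peer_crl):
        """Accept a SIC peer unless its certificate is on the current CRL."""
        self.reconcile_crl(peer_crl)
        return peer_sic_name not in self.crl.revoked


def scenario():
    """Replay a trust reset of B-GW and return each component's verdicts."""
    stale = ica_issue_crl(1, set())              # CRL before the reset
    current = ica_issue_crl(2, {"CN=B-GW"})      # CRL after B-GW's trust was reset
    mgmt = Component("CN=A-MGMT", current)
    a_gw = Component("CN=A-GW", stale)           # has not contacted mgmt since

    r = {}
    # 1. The revoked B-GW certificate is presented to A-GW before A-GW has
    #    learned of the reset: the stale CRL still accepts it.
    r["before_sync"] = a_gw.accept_connection("CN=B-GW", stale)
    # 2. A-GW's next SIC connection to the management server delivers CRL 2.
    r["mgmt_accepts_a_gw"] = mgmt.accept_connection("CN=A-GW", a_gw.crl)
    a_gw.reconcile_crl(mgmt.crl)
    r["a_gw_crl_issued"] = a_gw.crl.issued
    # 3. The revoked certificate is now denied.
    r["after_sync"] = a_gw.accept_connection("CN=B-GW", current)
    # 4. A 'newer' CRL without a valid ICA signature is ignored, so still denied.
    forged = CRL(99, frozenset(), b"\x00" * 32)
    r["forged_crl"] = a_gw.accept_connection("CN=B-GW", forged)
    r["a_gw_crl_after_forgery"] = a_gw.crl.issued
    return r


if __name__ == "__main__":
    for step, verdict in scenario().items():
        print(f"{step}: {verdict}")
```

Step 1 is the operational point behind the Important note above: the revocation only protects a gateway once that gateway has made a SIC connection and picked up the new CRL, which is why a reset is followed by re-establishing SIC and reinstalling policy.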
[Figure: Secure Internal Communication. The ICA on the Security Management Server delivers certificates to the Check Point modules, SmartConsole and the Security Gateways, across the intranet.]
1. The ICA creates a Certificate for the Security Management Server during the Security Management Server installation. The ICA is created automatically during the installation procedure.
2. Certificates for the Security Gateways, and any other communicating components, are created via a simple initialization from the SmartConsole. Upon initialization, the ICA creates, signs, and delivers a Certificate to the communication component. Every component can then verify the Certificate for authenticity.
Communication between a Security Management Server and its components depends on a Security Policy specified in a Policy file on each machine. Communication using Certificates will take place, provided that the communicating components are of the appropriate version, and agree on the authentication and encryption methods. The Security Management Server and its components are identified by their SIC name, also known as the Distinguished Name.
Practice Labs
Lab 1: Distributed Installation
Review
1. What is the strength of Check Point's Stateful Inspection technology?
3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?
Deployment Platforms
Before delving into the intricacies of creating and managing Security Policies, it
is beneficial to know about Check Point's different deployment platforms, and
understand the basic workings of Check Point's Linux operating systems such as
Gaia, that support many Check Point products - and what those products are.
Learning Objectives:
Given network specifications, perform a backup and restore the current
Gateway installation from the command line.
Identify critical files needed to purge or backup, import and export users and
groups and add or delete administrators from the command line.
Deploy Gateways from the Gateway command line.
Security Appliances
Check Point Security Appliances are integrated hardware devices that are pre-
installed with essential software blades to produce a comprehensive, turnkey
security gateway solution.
Data Center:
61000 Security System - The Check Point 61000 Security System is the industry's fastest security appliance, offering scalable performance for data centers and telecommunication companies. Its robust multi-bladed hardware architecture delivers up to 200 Gbps of firewall throughput today and up to 1 Tbps in the future. Furthermore, its ability to support 70 million concurrent connections and 600,000 sessions per second brings unparalleled performance to multi-transaction environments.
21000 Appliance - The 21000 Appliances deliver the industry's best security performance in their class and offer unmatched scalability, serviceability and port density. Benefiting from Check Point's advanced SecureXL, CoreXL and SecurityCore technologies, the 21000 Appliances are capable of delivering stunning performance while maintaining a compact 2 rack-unit physical footprint. With the support of the Software Blade Architecture, up to 110 Gbps firewall throughput and sub 5 microsecond latency, the 21000 Appliances are designed to secure the most demanding network environment.
IAS Bladed Hardware - Check Point Integrated Appliance Solutions (IAS) Bladed Hardware provides organizations with the ultimate choice in carrier-grade chassis. IAS Bladed Hardware delivers integrated software and hardware solutions that are customized to your exact security needs, all while maintaining the network performance you require.
Large Enterprise
12000 Appliance - The 12000 Appliances, featuring multi-core security technology and high port density, are ideally suited for perimeter security of large network environments as well as business-critical internal network segments. High business continuity and serviceability are delivered through features such as hot-swappable redundant power supplies/disk drives, a Lights-Out-Management card, and High-Availability features such as Check Point ClusterXL and Load-Sharing.
IP Appliance - Proven for years in complex networking and high performance environments, Check Point IP Appliances offer turnkey and modular security functionality. With integrated firewall, VPN, IPS, Application Control, Identity Awareness and more, IP Appliances deliver unmatched extensibility, broad deployment options and lower total cost of ownership.
IAS-D, M, and R Appliance - Powered by HP, the IAS-Series of appliances provide integrated software and hardware bundles and direct support that are customized to organizations' exact specifications, enabling the provisioning of security services based on exact corporate needs.
Medium-Sized Business
4000 Appliance - Check Point 4000 Appliances offer complete and integrated security solutions in a compact 1U form factor. Delivering firewall throughput up to 11 Gbps and IPS throughput up to 6 Gbps, these enterprise-grade appliances deliver superior performance for their class.
Virtualized
Virtual Systems - Check Point Virtual Systems taps the power of virtualization to consolidate and simplify security for private clouds while delivering a lower total cost of ownership. It enables customized security against evolving network threats with the extensible Software Blade Architecture. Virtual Systems is supported on Check Point Appliances, including the 61000 Security System as well as open servers.
Security Gateway Virtual Edition - The Check Point Security Gateway Virtual Edition (VE) protects dynamic virtualized environments and external networks, such as private and public clouds, from internal and external threats by securing virtual machines and applications with the full range of Check Point Software Blades.
Virtual Appliance for Amazon Web Services - Check Point Virtual Appliance for Amazon Web Services enables customers to extend their security to the cloud with the full range of protections using Check Point Software Blades. This easy to deploy virtual appliance, a security gateway for virtual environments in the Amazon Cloud, prevents network attacks and data breaches while enabling secure connectivity in dynamic cloud computing environments.
Dedicated Appliance
Secure Web Gateway Appliance - Embracing the current paradigm shift from simple URL filtering to comprehensive malware protection, the Check Point Secure Web Gateway provides an intuitive solution that enables secure use of Web 2.0 with real time multi-layered protection against web-borne malware, the largest application coverage in the industry, advanced granular control, intuitive centralized management, and essential end-user education functionality.
Leveraging the new Check Point Appliance Selection Tool, the Check Point
account team or Check Point partners can take criteria of the customer's network
- including the required throughput performance and desired security functions -
as inputs, and produce a SecurityPower requirement value. That value is then
compared against the SecurityPower capacities of the range of Check Point
appliances to determine and present candidates that can best meet the customer's
network security and performance requirements.
Figure 24 - SecurityPower
Threat Prevention
ThreatCloud - Feeds security gateway software blades with real-time security intelligence.
IPSO
IPSO 3.x and 4.x were based on FreeBSD 2.x. IPSO 6.x is based on FreeBSD
6.x. As a stripped down operating system, IPSO provided enough functionality to
run Check Point firewalls, along with the incorporation of some standard Unix
commands, such as top, ps, df. It also provided a hardened, secure operating
system (no compilers included). IPSO also provided great visibility into kernel
statistics, such as network counters, interrupts, and more.
IPSO contained many key differentiators from mainline FreeBSD, as well as
from SecurePlatform:
ipsctl: comparable to sysctl (BSD) and /proc (Linux)
ipsrd: comparable to GateD or Quagga
xpand and configuration database: Single system configuration repository
Voyager: Web based management GUI for the operating system
dish: command line shell supporting same features as Voyager
iclid: ipsrd command line interface daemon
VRRP and IP Clustering: High Availability solutions
ADP: Accelerated Data Path
Boot Manager: Similar to OpenBoot on Sun boxes
CST: Configuration Summary Tool
SecurePlatform
Any software package not needed by network security services was removed
from SecurePlatform. Required services, that might present security risks, were
modified as necessary. Where the existing software could not be made secure, it
was replaced. For example, the Web server used by the Web interface for system
administration, was developed internally at Check Point. The Web server is a
small server, designed to perform only the functions required to allow Web-based
system administration.
Gaia
Check Point Gaia is the next generation Secure Operating System for all Check
Point appliances and open servers. Gaia combines the best features from IPSO
and SecurePlatform (SPLAT) into a single unified OS providing greater
efficiency and robust performance. With the support of the full suite of Software
Blades, customers will benefit from improved connection capacity and the full
breadth and power of Check Point security technologies by adopting Gaia.
Check Point Gaia, announced on April 17th 2012, offers 3 key value propositions:
Combining the best features of IPSO & SecurePlatform
Increased operational efficiency with a wide range of features
A secure platform for the most demanding environments
As a 64-bit operating system, Gaia increases the connection capacity of select
appliances. Customers migrating from IPv4 to IPv6 networks are secured with
Gaia utilizing the Check Point Acceleration & Clustering technology. Gaia fits
into the most complex networks by supporting dynamic routing, bridge mode and
802.3ad link aggregation.
Benefits of Gaia
Gaia Architecture
software updates offered by Gaia, new releases and patches can be pre-scheduled
for automatic download and deployment at a time with minimum business
impact. Update times have been reduced to only a few seconds, and post-update
checks automatically roll back to the previous configuration if a problem is found.
Notification emails are sent about new and recommended updates and update
statuses.
Dual Stack is the concept of running IPv4 and IPv6 at the same time in parallel.
That is, IPv4 and IPv6 packets will flow over the same wire and are transmitted
and received on the same interface. It is still the best transition strategy for most
enterprise networks. Security policies can be implemented for IPv6 that match
the security policies implemented for IPv4. Internal services can be made
available on IPv6 in a gradual manner. Clients that are not able to run IPv6 will
still be able to access services via IPv4.
Tunneling is the concept of running one protocol over another, for example
carrying an IPv6 packet as the data portion of an IPv4 packet. A common use
case is a home or small remote office that wants access to IPv6, but the ISP does
not yet provide support for IPv6. With Gaia, IPv6 packets can be tunneled inside
of IPv4 packets in order to reach the part of the Internet that supports IPv6. An
enterprise use case of IPv6 over IPv4 tunnels is to bridge the parts of the
enterprise network that are IPv4 only. Gaia supports configured tunnels "IPv6 in
IPv4" (RFC 4213), which is the main approach to tunnel IPv6 in IPv4. Similarly,
"Generic Packet Tunneling in IPv6" is the main approach to tunnel IPv4 in IPv6.
These may be host to host, host to router, or router to router. These tunnels are
very similar to VPNs except they do not secure or authenticate the traffic. IPsec
VPN technology can also be used to create secure and/or authenticated tunnels.
Unencrypted tunnels are appropriate inside an enterprise, but using VPN
technology is preferred for creating tunnels between the main enterprise network
and remote sites.
RFC 2460: IPv6 Basic Specification
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks
RFC 1981: Path Maximum Transmission Unit Discovery for IPv6
RFC 4862: IPv6 Stateless Address Autoconfiguration
RFC 4007: IPv6 Scoped Address Architecture
RFC 4193: Unique Local IPv6 Unicast Addresses
RFC 4291: IPv6 Addressing Architecture
RFC 4443: ICMPv6
RFC 4861: Neighbor Discovery
RFC 3596: DNS Extensions to Support IP Version 6
RFC 4213: Basic Transition Mechanisms for IPv6 Hosts and Routers - the 6in4
tunnel is supported.
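The "IPv6 in IPv4" encapsulation described above, as an added example that is not part of the original manual or of Check Point's code: a small Python script that wraps an IPv6 packet in an IPv4 header with protocol 41 (RFC 4213, 6in4), strips it again, and applies a policy decision to the inner IPv6 source. The addresses and the permitted prefix are constructed for the example. It makes the caveat in the text concrete: the outer IPv4 header carries no authentication, so any useful check has to look at the inner header.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # RFC 4213 "IPv6 in IPv4": the outer IPv4 protocol field is 41


def ipv4_checksum(header: bytes) -> int:
    """Standard ones-complement checksum over an IPv4 header (0 when a header verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Minimal IPv6 header (version 6, zero traffic class / flow label) plus payload."""
    header = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                         ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return header + payload


def encapsulate_6in4(outer_src: str, outer_dst: str, ipv6_packet: bytes) -> bytes:
    """Wrap a complete IPv6 packet in an IPv4 header, protocol 41. No auth, no encryption."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0x1234, 0, 64,
                         IPPROTO_IPV6, 0,
                         ipaddress.IPv4Address(outer_src).packed,
                         ipaddress.IPv4Address(outer_dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + ipv6_packet


def decapsulate_6in4(packet: bytes) -> dict:
    """Strip the IPv4 header and return the inner IPv6 addresses, next header and payload."""
    ver_ihl, _, total_len, _, _, _, proto, _, osrc, odst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPV6:
        raise ValueError("not an IPv4 protocol-41 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    inner = packet[ihl:total_len]
    vtf, plen, nh, _, isrc, idst = struct.unpack("!IHBB16s16s", inner[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    return {
        "outer_src": str(ipaddress.IPv4Address(osrc)),
        "outer_dst": str(ipaddress.IPv4Address(odst)),
        "inner_src": str(ipaddress.IPv6Address(isrc)),
        "inner_dst": str(ipaddress.IPv6Address(idst)),
        "next_header": nh,
        "payload": inner[40:40 + plen],
    }


def tunnel_verdict(packet: bytes, permitted_inner_src: str) -> str:
    """Policy applied to the *inner* header: accept only if the inner IPv6 source lies in the
    prefix this tunnel peer is expected to originate; anything else is spoofed or misrouted."""
    info = decapsulate_6in4(packet)
    if ipaddress.IPv6Address(info["inner_src"]) in ipaddress.IPv6Network(permitted_inner_src):
        return "accept"
    return "drop"


if __name__ == "__main__":
    # Constructed sample: a remote site on 2001:db8:1::/48 sends to HQ on 2001:db8:2::/48,
    # tunnelled between the two sites' public IPv4 addresses (all addresses are documentation ranges).
    v6 = build_ipv6("2001:db8:1::10", "2001:db8:2::20", 58, b"\x80\x00\x00\x00")  # ICMPv6 echo
    pkt = encapsulate_6in4("192.0.2.1", "198.51.100.1", v6)
    print(decapsulate_6in4(pkt))
    print(tunnel_verdict(pkt, "2001:db8:1::/48"))
    # Same outer addresses, but an inner source the remote site should never originate.
    bad = encapsulate_6in4("192.0.2.1", "198.51.100.1",
                           build_ipv6("2001:db8:2::99", "2001:db8:2::20", 58, b""))
    print(tunnel_verdict(bad, "2001:db8:1::/48"))
```

Run it directly to see the decapsulated fields and the two verdicts. The point to take away is that `tunnel_verdict` ignores the outer addresses entirely: the peer, or anyone able to deliver protocol-41 packets to the tunnel endpoint, can place any IPv6 source inside, which is why the text prefers IPsec over a bare 6in4 tunnel between sites.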
Link Aggregation
Link Aggregation is a technology that joins multiple physical interfaces into one
virtual interface known as a bond interface. The bond interface gives fault
tolerance and increases throughput by sharing the load among many interfaces.
Widget                  Description
System Overview         Shows system information, including:
                        Installed product
                        Product version number
                        Kernel build
                        Product build
                        Edition (32-bit or 64-bit)
                        Platform installed on
                        Hardware serial number (if applicable)
Network Configuration   Shows interfaces, interface status, IP addresses
Memory Monitor          Graphical display of memory usage
CPU Monitor             Graphical display of CPU usage
Security Configuration  Lets you download the SmartConsole applications
                        (Security Management Server installations only)
You can use the CLI command: show uptime to show how long the system has
been running. The command show version all shows the full system version
information.
Practice Labs
Review
1. What are some of the advantages in deploying UTM-1 Edge Appliances?
Learning Objectives:
Given the network topology, create and configure network, host and gateway
objects.
Verify SIC establishment between the Security Management Server and the
Gateway using SmartDashboard.
Create a basic Rule Base in SmartDashboard that includes permissions for
administrative users, external services, and LAN outbound use.
Evaluate existing policies and optimize the rules based on current corporate
requirements.
Maintain the Security Management Server with scheduled backups and policy
versions to ensure seamless upgrades and minimal downtime.
Objects tab represents the physical machines and logical components, such as
dynamic objects and address ranges, that make up your organization.
When creating objects, the System Administrator must consider the needs of the
organization:
What are the physical and logical components that make up the organization?
Each component that accesses the Security Gateway most likely needs to be
defined.
Who are the users and Administrators, and how should they be divided into
different groups?
Figure 27 - SmartDashboard
Object-Tree Pane
The Objects tree is the main view for managing and displaying objects. Objects
are distributed among logical categories (called tabs), such as Network Objects
and Services. Each tab orders its objects logically. For example, the Services tab
locates all services using ICMP in the folder called ICMP.
Objects-List Pane
The Objects tree works with the Objects list. The Objects list displays current
information for a selected object category. For example, when a Logical Server
network object is selected in the Objects tree, the Objects list displays a list of
Logical Servers, with certain details displayed.
Object Types
The objects lists are divided into the following categories:
Network
Services
Resources
Servers and OPSEC Applications
Users and Administrators
VPN Communities
Objects are implemented across various Rule Bases, where they are used in the
rules of various Policies. For example, network objects are generally used in the
Source, Destination or Install On columns, while time objects can be applied in
any Rule Base within the Time column.
Managing Objects
The Objects Tree is the main view for adding, editing, and deleting objects,
although these operations can also be performed from the menus, toolbars and
other views, such as in Rule Bases. You create objects to represent actual hosts
and devices, intangible components (such as HTTP and TELNET services) and
resources (for example, URI and FTP). Make an object for each component in
your organization. Then you can use the objects in the rules of the Security
Policy. Objects are stored in the Objects database on the Security Management
server.
Figure: Network Objects context menu (Check Point, Nodes, Network, Groups,
Address Ranges, Dynamic Objects, Query Objects, Import, Sort Tree)
When you create your objects, consider the needs of your organization:
What are the physical components in your network?
What are the logical components - services, resources, and applications?
What components will access the firewall?
Who are the users, and how should they be grouped?
Who are the administrators, and what are their roles?
Will you use VPN, and if so, will it allow remote users?
Check Point management stations and Security Gateways appear under the
category Check Point, DAIP servers appear in the category Dynamic Objects,
etc. Organizing objects by category is preferred for small-to-medium-sized
deployments. SmartDashboard opens to classic view by default, unless set to
Group view.
Introduction to the Security Policy
Delete Rule - Deletes the currently selected rule from the Rule Base.
Hide - Hides, unhides, views, and manages hidden rules; hidden rules still
apply, they are just not visible in the SmartDashboard. This feature is normally
used to temporarily move groups of rules out of view, to minimize confusion
when an Administrator is working on a complex Rule Base.
Rule Expiration - Allows a rule to be set with an activation date and time,
and an expiration date and time, or a rule can be restricted to specific hours
and days.
Creating the Rule Base
Default Rule
The Default Rule is added when you add a rule to the Rule Base. You can
configure this rule with all objects, services, and users installed on your database.
Hits - Tracks the number of connections each rule matches on this gateway.
Source - Displays the Object Manager screen, from which you can select
network objects or a group of users, to add to the Rule Base; the default is
Any.
Destination - Displays the Object Manager screen, from which you can
select resource objects to add to the rule; the default is Any.
VPN - Displays the Add Objects VPN Communities screen, from which
you can select a VPN Community to add to the rule; the default is Any Traffic.
Service - Displays the Service Manager screen, from which you can select
services to add to the rule; the default is Any.
Track - Defines logging or alerting for this rule; the default is None.
The options are: Account, Alert, Log, Mail, None, SnmpTrap, and UserDefined.
Install On - Specifies which firewalled objects will enforce the rule; the
default is Policy Targets, which means all internal firewalled objects.
(Throughout this handbook, all labs and examples assume this default, and the
Install On column is not shown.)
Time - Specifies the time period for the rule; the default is Any. (Throughout
this handbook, all labs and examples assume this default and the Time column
is not shown.)
Comment - Allows Administrators to add notes about this rule; the default
is a blank comment field.
Basic Rules
There are two basic rules used by nearly all Security Gateway Administrators:
the Cleanup Rule and the Stealth Rule.
Both the Cleanup and Stealth Rules are important for creating basic security
measures, and tracking important information in SmartView Tracker.
Cleanup Rule - The Security Gateway follows the principle, "That which is
not expressly permitted is prohibited". Security Gateways drop all communication
attempts that do not match a rule. The only way to monitor the dropped
packets is to create a Cleanup Rule that logs all dropped traffic. The Cleanup
Rule, also known as the "None of the Above" rule, drops all communication
not described by any other rules, and allows you to specify logging for
everything being dropped by this rule.
Stealth Rule - To prevent any users from connecting directly to the Gateway,
you should add a Stealth Rule to your Rule Base. Protecting the Gateway
in this manner makes the Gateway transparent to the network. The Gateway
becomes invisible to users on the network. The figure above displays a sample
Stealth Rule.
In most cases, the Stealth Rule should be placed above all other rules. Placing the
Stealth Rule at the top of the Rule Base protects your Gateway from port
scanning, spoofing, and other types of direct attacks. Connections that need to be
made directly to the Gateway, such as Client Authentication, encryption and
Content Vectoring Protocol (CVP) rules, always go above the Stealth Rule.
Implicit/Explicit Rules
The Security Gateway creates a Rule Base by translating the Security Policy into
a collection of individual rules. The Security Gateway creates implicit rules,
derived from Global Properties and explicit rules, created by the Administrator in
the SmartDashboard.
Figure 32 - Implicit/Explicit Rules
An explicit rule is a rule that you create in the Rule Base. Explicit rules are
displayed together with implicit rules in the correct sequence, when you select to
view implied rules. To see how properties and rules interact, select Implied
Rules from the View menu. Implicit rules appear without numbering, and
explicit rules appear with numbering.
Implicit rules are defined by the Security Gateway to allow certain connections to
and from the Gateway, with a variety of different services. The Gateway enforces
two types of implicit rules that enable the following:
Control Connections
Outgoing packets
Control Connections
The Security Gateway creates a group of implicit rules that it places first, last, or
before last in the explicitly defined Rule Base. These first implicit rules are based
on the Accept control connections setting on the Global Properties window.
The Gateway anticipates other possible connections relating to Gateway
communication, and also creates implicit rules for those scenarios.
There are three types of Control Connections, defined by default rules:
Gateway specific traffic that facilitates functionality, such as logging,
management. and key exchange
Implied rules are generated in the Rule Base through Global Properties. Check
the properties enforced in the FireWall Implied Rules screen, then choose a
position in the Rule Base for the implied rule:
First - first in the Rule Base
Before Last - before the last rule in the Rule Base
Last - last rule in the Rule Base
Detecting IP Spoofing
Spoofing is a technique where an intruder attempts to gain unauthorized access
by altering a packet's IP address. This alteration makes it appear as though the
packet originated in the part of a network with higher access privileges. The
Security Gateway has a sophisticated anti-spoofing feature that detects such
packets, by requiring that the interface on which a packet enters a gateway
corresponds to its IP address.
Anti-spoofing verifies that packets are coming from, and going to, the correct
interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from
the internal network are actually coming from the internal-network interface. It
also verifies that, once a packet is routed, it is going through the proper interface.
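The check described above, as an added example in Python that is not taken from the manual or from Check Point software: a constructed three-interface topology (interface names and addresses are assumptions for the example), an ingress check that a packet's source address belongs behind the interface it arrived on, and an egress check that a routed packet leaves through the interface its destination sits behind.

```python
import ipaddress
from typing import Dict, List

# Constructed topology for this example (an assumption, not a real deployment):
# each internal interface lists the networks behind it; the external interface
# leads to everything that is not behind an internal interface.
TOPOLOGY: Dict[str, dict] = {
    "eth0": {"external": True, "networks": []},
    "eth1": {"external": False, "networks": ["10.1.0.0/16"]},
    "eth2": {"external": False, "networks": ["192.168.10.0/24"]},
}


def internal_networks(topology: Dict[str, dict]) -> List[ipaddress.IPv4Network]:
    """All networks that sit behind some internal interface of the gateway."""
    return [ipaddress.ip_network(n) for t in topology.values()
            if not t["external"] for n in t["networks"]]


def is_behind(iface: str, address: str, topology: Dict[str, dict]) -> bool:
    """True if `address` legitimately lives on the far side of `iface`."""
    addr = ipaddress.ip_address(address)
    if topology[iface]["external"]:
        # External side: any address except those claimed by an internal interface.
        return not any(addr in net for net in internal_networks(topology))
    return any(addr in ipaddress.ip_network(n) for n in topology[iface]["networks"])


def antispoof_ingress(iface: str, src: str, topology: Dict[str, dict] = TOPOLOGY) -> str:
    """Inbound check: the source address must belong behind the interface the packet arrived on."""
    return "accept" if is_behind(iface, src, topology) else "drop (spoofed source)"


def antispoof_egress(iface: str, dst: str, topology: Dict[str, dict] = TOPOLOGY) -> str:
    """Outbound check: after routing, the destination must sit behind the chosen interface."""
    return "accept" if is_behind(iface, dst, topology) else "drop (wrong egress interface)"


if __name__ == "__main__":
    # Constructed packets: (ingress interface, source, egress interface, destination)
    packets = [
        ("eth1", "10.1.5.5", "eth0", "203.0.113.9"),       # LAN host to Internet: legitimate
        ("eth0", "10.1.5.5", "eth1", "10.1.0.20"),         # LAN address arriving from outside: spoofed
        ("eth1", "192.168.10.7", "eth0", "203.0.113.9"),   # DMZ address arriving on the LAN interface: spoofed
        ("eth0", "203.0.113.9", "eth2", "192.168.10.7"),   # Internet to DMZ server: legitimate
    ]
    for in_if, src, out_if, dst in packets:
        print(f"{src:>14} on {in_if}: {antispoof_ingress(in_if, src):<22} "
              f"-> {dst:>14} via {out_if}: {antispoof_egress(out_if, dst)}")
```

The external interface has no network list of its own; it is defined negatively, as "everything not behind an internal interface", which is why a packet from 10.1.5.5 arriving on eth0 is rejected even though eth0 accepts almost anything else.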
Configuring Anti-Spoofing
Before creating a Rule Base for your system, answer the following questions:
1. Which objects are in the network? Examples include gateways, hosts, net-
works, routers, and domains.
2. Which user permissions and authentication schemes are needed?
3. Which services, including customized services and sessions, are allowed
across the network?
As you formulate the Rule Base for your Policy, these tips are useful to consider:
IP spoofing/IP options:
1. First: This rule cannot be modified or overwritten in the Rule Base, because
the first rule that matches is always applied to the packet and no rules can be
placed before it. Implied rules are processed before the explicitly defined
administrator rules.
2. Explicit: These are the administrator-defined rules, which may be located
between the first and the before-last rules.
3. Before Last: These are more specific implied rules that are enforced before
the last rule is applied.
4. Last: A rule that is enforced after the last rule in the Rule Base, which
normally rejects all packets, usually referred to as the Cleanup Rule.
5. Implicit Drop Rule: No logging occurs.
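The Cleanup and Stealth Rules described earlier, together with the enforcement order listed above, as an added example in Python (not code from the manual or from Check Point): a first-match evaluator that assembles implied rules at the First, Before Last and Last positions around the explicit rules, logs only where a rule's Track is set, and falls through to a silent implicit drop when nothing matches. The gateway address, host addresses and service names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"
GATEWAY = "10.1.0.1"   # constructed address of the Security Gateway itself (an assumption)


@dataclass
class Rule:
    name: str
    source: str = ANY        # CIDR network, single address, or ANY
    destination: str = ANY
    service: str = ANY       # service name, or ANY
    action: str = "drop"     # "accept" or "drop"
    track: str = "none"      # "log" or "none"
    implied: bool = False    # implied rules come from Global Properties, not the Rule Base editor


def _addr_match(selector: str, address: str) -> bool:
    if selector == ANY:
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)


def assemble(first: List[Rule], explicit: List[Rule],
             before_last: List[Rule], last: List[Rule]) -> List[Rule]:
    """Merge implied rules into the explicit Rule Base at their configured positions:
    First, Before Last (just above the final explicit rule, normally the Cleanup Rule), Last."""
    if not explicit:
        return first + before_last + last
    return first + explicit[:-1] + before_last + explicit[-1:] + last


def evaluate(rule_base: List[Rule], src: str, dst: str, service: str) -> Tuple[str, str, Optional[str]]:
    """First match wins. Returns (action, name of the matching rule, log line or None)."""
    for rule in rule_base:
        if (_addr_match(rule.source, src) and _addr_match(rule.destination, dst)
                and rule.service in (ANY, service)):
            log = None
            if rule.track == "log":
                log = f"{rule.action.upper()} {src} -> {dst} {service} (rule: {rule.name})"
            return rule.action, rule.name, log
    # No rule matched: the packet is dropped and nothing is logged, which is exactly
    # the blind spot a logging Cleanup Rule exists to remove.
    return "drop", "implicit drop", None


# Implied rules, as if derived from Global Properties (service names are placeholders).
FIRST = [Rule("Accept control connections", ANY, GATEWAY, "control", "accept", implied=True)]
BEFORE_LAST = [Rule("Accept outgoing packets from gateway", GATEWAY, ANY, ANY, "accept", implied=True)]
LAST: List[Rule] = []


def sample_rule_base(with_cleanup: bool = True, admin_above_stealth: bool = True) -> List[Rule]:
    admin = Rule("Admin SSH to gateway", "10.1.0.50", GATEWAY, "ssh", "accept", "log")
    stealth = Rule("Stealth", ANY, GATEWAY, ANY, "drop", "log")
    explicit = [admin, stealth] if admin_above_stealth else [stealth, admin]
    explicit.append(Rule("LAN web out", "10.1.0.0/16", ANY, "http", "accept", "log"))
    if with_cleanup:
        explicit.append(Rule("Cleanup", ANY, ANY, ANY, "drop", "log"))
    return assemble(FIRST, explicit, BEFORE_LAST, LAST)


if __name__ == "__main__":
    rb = sample_rule_base()
    for src, dst, svc in [("10.1.0.7", GATEWAY, "ssh"), ("10.1.0.50", GATEWAY, "ssh"),
                          ("10.1.0.7", "203.0.113.9", "http"), ("10.1.0.7", "203.0.113.9", "smtp")]:
        print(evaluate(rb, src, dst, svc))
    print(evaluate(sample_rule_base(with_cleanup=False), "10.1.0.7", "203.0.113.9", "smtp"))
    print(evaluate(sample_rule_base(admin_above_stealth=False), "10.1.0.50", GATEWAY, "ssh"))
```

Running it shows an ordinary LAN host's SSH attempt to the gateway dropped and logged by the Stealth Rule, the administrator's attempt accepted only because its rule sits above the Stealth Rule, unmatched SMTP logged by the Cleanup Rule, and the same SMTP packet vanishing without a log entry once the Cleanup Rule is removed. The implied First rule matches before the Stealth Rule, as the text says, so it is worth checking what the control-connections setting actually admits on a real gateway.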
Policies are created by the system administrator and managed via the Security
Management server. Different versions of these policies can be saved. Each
version includes backups of the various databases (objects, users, Certificate
Authority data, etc.). This information is zipped and saved.
The existing versions are recorded in a "Version table. This table can be viewed
and the versions which are displayed can be modified. It is possible to:
Create a Version
Export and Import a Version
View a Version
Revert to a Previous Version
Delete a Version
Versions can be created manually by the system administrator, or the system can
be set to automatically create a new version every time Security Policy
installation takes place. It is recommended to create a version before upgrading
the system. This enables the administrator to back out to a functioning
environment in case of problems during the upgrade operation.
Important - The Revision Control feature is not supported when the Security
Management database contains VSX objects. You must not select the Create
database version option in SmartDashboard when you install a policy.
Some circumstances require multiple versions of a Security Policy, but the object
database needs to stay the same. Often this will be when adding or consolidating
rules in an existing Rule Base, or creating a new set of rules on a Gateway. In
these circumstances, using Policy Package management is better than creating
multiple versions of the system database.
These two points are worth consideration when saving your Policies:
The new Policy Package includes Firewall, Address Translation, Application
& URL Filtering, Anti-Bot & Anti-Virus, QoS and Desktop Security policies.
It is an ideal management utility for a distributed installation with multiple
Security Gateways; specific Policies are created for specific Security
Gateways.
The Security Management Server provides a wide range of tools that address
various Policy management tasks, both at the definition stage and at the
maintenance stage:
Policy Packages Allow you to easily group different types of Policies, to
be installed together on the same installation target(s).
Predefined Installation Targets - Allow you to associate each Policy
Package with the appropriate set of Gateways; this feature frees you of the
need to repeat the Gateway selection process every time you install (or re-install)
the Package, with the option to easily modify the list at any given time. In
addition, it minimizes the risk of installing Policies on inappropriate targets.
Section Titles Allow you to visually break your Rule Base into subjects,
thereby instantly improving your orientation and ability to locate rules and
objects of interest.
Queries Provide versatile search capabilities for both objects and the rules
in which they are used.
Sorting Using the Objects tree and Objects list pane is a simple and quick
way to locate objects; this feature is greatly facilitated by consistent use of
naming and coloring conventions.
The database version consists of all Policies on a single Gateway, and objects
and users configured, including settings in SmartDefense and Global
Properties.
It is an ideal management utility for a stand-alone or distributed deployment
with a single Gateway.
It is configurable to automatically create new database versions on Policy
installation.
Policy Management and Revision Control
This table compares the advantages of using Database Revision Control and
Policy Package Management:
Management Utility         Considerations
Policy Package             Includes Firewall, Address Translation, Application & URL
                           Filtering, Anti-Bot & Anti-Virus, QoS and Desktop Security
                           policies; ideal for a distributed installation with multiple
                           Security Gateways, where specific Policies are created for
                           specific Security Gateways.
Database Revision Control  Consists of all Policies on a single Gateway, plus the
                           objects and users configured, including SmartDefense and
                           Global Properties settings; ideal for a stand-alone or
                           distributed deployment with a single Gateway; can create new
                           database versions automatically on Policy installation.
Multicasting
Multicasting transmits a single message to a select group of recipients. A typical
use of multicasting is to distribute real-time audio and video to a set of hosts that
have joined a distributed conference. IP multicasting applications send one copy
of each IP packet, and address it to a group of computers that want to receive it.
This technique addresses datagrams to a group of receivers at a multicast address,
rather than to a single receiver at a unicast address. Network routers forward the
datagrams to only those routers and hosts that need to receive them.
The Multicast Restrictions tab in the Interface Properties window drops multicast
packets according to configured conditions. Security Administrators can
configure a list of address ranges to drop or accept.
Practice Labs
Lab 4: Building a Security Policy
Review
1. Objects are created by the Security Administrator to represent actual hosts
and devices, as well as services and resources, to use when developing the
Security Policy. What should the Administrator consider before creating
objects?
Learning Objectives
Use Queries in SmartView Tracker to monitor IPS and common network
traffic and troubleshoot events using packet data.
Using packet data on a given corporate network, generate reports,
troubleshoot system and security issues, and ensure network functionality.
Using SmartView Monitor, configure alerts and traffic counters, view a
Gateway's status, monitor suspicious activity rules, analyze tunnel activity
and monitor remote user access based on corporate requirements.
SmartView Tracker
Check Point's SmartView Tracker provides visual tracking, monitoring, and
accounting information for all connections logged by Check Point components.
Online viewing features enable real-time monitoring of network activity.
SmartView Tracker provides control over every event, including those causing
alerts, as well as certain important system events, such as Security Policy
installation or uninstallation.
Log Types
The format of log entries requested by a rule is determined by the log type
specified in the rule. You can select the log entries and data fields to display.
SmartView Tracker also allows you to navigate the log file. You can display one
of several log types from the Network & Endpoint Queries tree, as shown.
Log types are defined as either predefined or custom. The predefined types
include log details specific to that type. For instance, UA WebAccess displays
UserAuthority Web access log data for SecureClient entries, and the Account
type displays changes made to fields over time.
Monitoring Traffic and Connections
Management tab - Displays only audit entries in SmartView Tracker; this
enables you to track changes made to objects in the Rule Base, and tracks
general SmartDashboard use.
Action Icons
Each tab displays log fields regarding both the product that generated the log, and
the type of operation performed. Action icons provide a visual representation of
the log's operation. The following table gives a description of some of the
different types of actions recorded by SmartView Tracker:
Action
Accept - The connection was allowed to proceed.
Drop - The connection was dropped without notifying the source.
Log-File Management
The SmartView Tracker toolbar allows you to perform the following tasks:
1. Open Log File - When you select Open, you can open other log files.
2. Save Log File As - When saving a log file, the current log entries will be
written to file. Only the records that match the selection criteria will be saved
to the file; both entries that are visible in the screen, and those that are not
visible.
3. Switch Log File - In this window, you can select the default log file or
specify a particular log file name. This operation actually performs a log file
switch.
4. Remote Files Management - In this window, you can transfer log files
from a remote machine to the machine to which the SmartView Tracker is
currently connected.
5. Show or Hide Fetch Progress - After clicking Get File List from the
Remote Files Management window, you can click Fetch Files and toggle the
display of the Files Fetch Progress window. The file transfer operation will
continue even if the Files Fetch Progress window is closed. It is interrupted
only if you click the Abort button.
6. Query Options - These buttons allow you to toggle the display of the query
tree pane, open an existing query, save a custom query, or save a custom
query under a new name.
Figure 39 - Auditing
Logging provides a historical record of logged connections. Logs are essential for
security management, so properly configuring Security Gateway to log
connections of interest is important.
The Global Properties Log and Alert window, accessed by clicking Policy>
Global Properties> Log and Alert, allows you to define global log-and-alert
parameters.
VPN successful key exchange - Specifies the action to be taken when VPN keys
are successfully exchanged.
VPN configuration and key exchange errors - Specifies the action to be taken
when logging configuration or key-exchange errors occur; for example, when
IP Options drop - Specifies the action to take when a packet with IP options is
encountered; the Security Gateway always drops these packets, but you can log
them or issue an alert.
SLA violation - Specifies the action to be taken when an SLA violation occurs,
as defined in the Virtual Links window.
Log every authenticated HTTP connection - Specifies that a log entry should
be generated for every authenticated HTTP connection.
Log VoIP connection - Generates additional log entries for every VoIP
connection; additional log entries for SIP contain information about the user (SIP
URL, for example, fred@bloggs.com). Additional log entries for H.323 contain
information about phone numbers.
Time Settings
The Time Settings window allows you to configure time settings associated with
system-wide logging-and-alert parameters.
Excessive log grace period - Specifies the minimum amount of time
between consecutive logs of similar packets: two packets are considered
similar if they have the same source address, source port, destination address and
destination port, and the same protocol was used. After the first packet, similar
packets encountered within the grace period will be acted upon according
to the Security Policy, but only the first packet generates a log entry or an
alert.
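The grace-period behaviour described above, as an added Python example (not from the manual or from the gateway's own logging code): a handful of constructed drop records, a parser for them, and a filter that keeps only the records that would produce a log entry for a given grace period. The 62-second value is simply the one used here, and the record format is invented for the example.

```python
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, int, str, int, str]   # (source, source port, destination, destination port, protocol)

# Constructed drop records for the example (not real gateway logs): one host
# hammering the gateway's SSH port, plus a single probe of a different port.
SAMPLE_LOG = """\
t=0  src=203.0.113.9 sport=40001 dst=10.1.0.1 dport=22 proto=tcp action=drop
t=5  src=203.0.113.9 sport=40001 dst=10.1.0.1 dport=22 proto=tcp action=drop
t=30 src=203.0.113.9 sport=40001 dst=10.1.0.1 dport=22 proto=tcp action=drop
t=31 src=203.0.113.9 sport=40002 dst=10.1.0.1 dport=23 proto=tcp action=drop
t=70 src=203.0.113.9 sport=40001 dst=10.1.0.1 dport=22 proto=tcp action=drop
"""


def parse_lines(text: str) -> List[dict]:
    """Parse 'key=value' records into dicts with numeric time and ports."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append({
            "time": float(fields["t"]),
            "src": fields["src"], "sport": int(fields["sport"]),
            "dst": fields["dst"], "dport": int(fields["dport"]),
            "proto": fields["proto"], "action": fields["action"],
        })
    return events


def apply_grace_period(events: Iterable[dict], grace_seconds: float) -> List[dict]:
    """Return the events that produce a log entry under an excessive log grace period.
    Packets are 'similar' when source address, source port, destination address,
    destination port and protocol all match. The first similar packet is logged and
    opens a window of `grace_seconds`; similar packets inside the window are still
    enforced by the policy but produce no log entry."""
    window_start: Dict[Flow, float] = {}
    logged: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key: Flow = (ev["src"], ev["sport"], ev["dst"], ev["dport"], ev["proto"])
        start = window_start.get(key)
        if start is None or ev["time"] - start >= grace_seconds:
            window_start[key] = ev["time"]
            logged.append(ev)
    return logged


if __name__ == "__main__":
    for ev in apply_grace_period(parse_lines(SAMPLE_LOG), grace_seconds=62):
        print(f"t={ev['time']:>4.0f} logged {ev['src']}:{ev['sport']} -> "
              f"{ev['dst']}:{ev['dport']} {ev['proto']}")
```

With a 62-second grace period the five drops collapse to three log entries: the first SSH probe, the telnet probe (a different destination port, so a different flow), and the SSH probe that arrives after the window has expired. Lengthening the grace period trades log volume against visibility: with a very long value a persistent scanner shows up once and then goes quiet in the log.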
Blocking Connections
You can terminate an active connection and block further connections from and
to specific lP addresses, using the SmartView Tracker Block Intruder function.
To block an active connection with Block Intruder, select the connection you
want to block, then select Tools> Block Intruder from the menu.
The Block Intruder window displays. In the Blocking Scope fields, select one of
the options:
Block all connections with the same source, destination and service - Blocks
the connection and any other connection with the same source, destination and
service.
Block access from this source - The connection is terminated, and all further
attempts to establish connections from this source IP address will be
denied.
Block access to this destination - The connection is terminated, and all further
attempts to establish connections to this destination IP address will be
denied.
In the Blocking Timeout field, select one of the options: Indefinite - Block
all further access. For... minutes - Block all further access attempts for the
specified number of minutes.
Only on... - Block access attempts through the indicated Security Gateway.
On any Security Gateway - Block access attempts through Security Gateways
defined as gateways or hosts on the log server. The connection will
remain blocked, until you choose Tools > Clear Blocking from the main
menu.
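An added example, not code from the manual or from SmartView Tracker, modelling the Block Intruder options above in Python: a blocking scope of connection, source or destination; an Indefinite or timed blocking timeout; the "Only on" versus "On any Security Gateway" choice; and Clear Blocking. Addresses and gateway names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Block:
    scope: str                      # "connection" (same source, destination and service), "source" or "destination"
    src: str
    dst: str
    service: str
    gateway: Optional[str]          # None = "On any Security Gateway"; otherwise "Only on" this gateway
    created: float                  # seconds
    timeout_minutes: Optional[int]  # None = Indefinite

    def active(self, now: float) -> bool:
        return self.timeout_minutes is None or now - self.created < self.timeout_minutes * 60

    def covers(self, src: str, dst: str, service: str, gateway: str) -> bool:
        if self.gateway is not None and self.gateway != gateway:
            return False
        if self.scope == "source":
            return src == self.src
        if self.scope == "destination":
            return dst == self.dst
        return (src, dst, service) == (self.src, self.dst, self.service)


class IntruderBlocker:
    """In-memory model of Block Intruder entries and the Clear Blocking action."""

    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def block_intruder(self, scope: str, src: str, dst: str, service: str, now: float,
                       gateway: Optional[str] = None, timeout_minutes: Optional[int] = None) -> Block:
        if scope not in ("connection", "source", "destination"):
            raise ValueError("unknown blocking scope")
        block = Block(scope, src, dst, service, gateway, now, timeout_minutes)
        self.blocks.append(block)
        return block

    def is_blocked(self, src: str, dst: str, service: str, gateway: str, now: float) -> bool:
        # Expired entries are discarded lazily, so a timed block stops applying on its own.
        self.blocks = [b for b in self.blocks if b.active(now)]
        return any(b.covers(src, dst, service, gateway) for b in self.blocks)

    def clear_blocking(self) -> None:
        self.blocks.clear()


if __name__ == "__main__":
    # Constructed scenario: a host on the Internet probing the gateway.
    blocker = IntruderBlocker()
    blocker.block_intruder("source", "203.0.113.9", "10.1.0.1", "ssh", now=0, timeout_minutes=10)
    print(blocker.is_blocked("203.0.113.9", "10.1.0.5", "http", "gw-hq", now=60))    # True: scope is the source
    print(blocker.is_blocked("203.0.113.9", "10.1.0.5", "http", "gw-hq", now=601))   # False: 10 minutes elapsed
    blocker.block_intruder("connection", "203.0.113.9", "10.1.0.1", "ssh", now=0, gateway="gw-hq")
    print(blocker.is_blocked("203.0.113.9", "10.1.0.1", "ssh", "gw-branch", now=0))  # False: "Only on" gw-hq
    blocker.clear_blocking()
    print(blocker.is_blocked("203.0.113.9", "10.1.0.1", "ssh", "gw-hq", now=0))      # False: cleared
```

The source and destination scopes ignore the service, so a "Block access from this source" entry stops every new connection from that address, not only the one that was selected in the log; the connection scope is the narrow one.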
Figure 41 - SmartView Monitor
Predefined views include the most frequently used traffic, counter, tunnel,
gateway, and remote-user information. For example, Check Point system
counters collect information on the status and activities of Check Point Blades
(for example, Firewall). Using custom or predefined views, Administrators can
drill down on the status of a specific gateway and/or segment of traffic to identify
top bandwidth hosts that may be affecting network performance. If suspicious
activity is detected, Administrators can immediately apply a security rule to the
appropriate Security Gateway to block that activity. These security rules can then
be created dynamically via the graphical interface, and can be set to expire within
a certain time period.
Customized Views
SmartView Monitor enables graphical views depicting data for several types of
measurements, including bandwidth, round-trip time, packet rate, CPU use, etc.
The most efficient way to yield helpful information is to create a view based on
your specific needs. It is possible to create customized views for each view type
(for example, status, traffic, system statistics, and tunnels). The customization
lets you filter specific data and choose how the data is to be displayed.
Gateway Status View
Traffic View
You can generate fully detailed or summarized graphs and charts for all
connections and for numerous rates and figures when calculating network use.
System Counters provides in-depth details on Gateway use and activity. As a
Security Administrator, you can generate system status information about:
Resource use for the variety of components associated with the Security
Gateway.
Gateway performance statistics for a variety of firewalled components.
Detect and monitor suspicious activity.
Tunnels View
VPN tunnels are secure links between Security Gateways, and ensure secure
connections between an organization's gateways and its remote-access clients.
Once tunnels are created and put to use, Administrators can keep track of their
normal functions, so possible malfunctions and connectivity problems can be
assessed and solved as soon as possible.
Figure 43 - Tunnels
To ensure this security level, SmartView Monitor can recognize malfunctions and
connectivity problems by constantly monitoring and analyzing the status of the
organization's tunnels. With the use of tunnel queries, Administrators can
generate fully detailed reports that include information about all tunnels that
Monitoring Suspicious Activity Rules
The fast-changing network environment demands the ability to immediately react
to a security problem, without having to change the entire network's Rule Base
(for example, to instantly block a specific user). All inbound and outbound
network activity should be inspected and identified as suspicious when necessary
(for instance, when network or system activity indicates that someone is
attempting to break in).
Monitoring Alerts
Alerts provide real-time information about vulnerabilities to computing systems
and how they can be eliminated.
Check Point alerts users to potential threats to the security of their systems, and
provides information about how to avoid, minimize, or recover from the damage.
Alerts are sent by the Security Gateways to the Security Management Server. The
Security Management Server then forwards these alerts to the SmartView
Monitor SmartConsole, which is actively connected to the Security Management
Server. Alerts are sent to draw the Administrator's attention to problematic
Gateways, and are displayed in SmartView Monitor. These alerts are sent:
If certain rules or attributes, which are set to be tracked as alerts, are matched
by a passing connection.
If system events, also called System Alerts, are configured to trigger an alert
when various thresholds are surpassed.
The Administrator can define alerts to be sent for different Gateways. These
alerts are sent under certain conditions, such as if they have been defined for
certain Policies, or if they have been set for different properties. By default, an
alert is sent as a message to the Administrator's desktop when a new alert arrives
in SmartView Monitor. Alerts can also be sent for certain system events. If
certain conditions are set, you can receive System Alerts for critical situation
updates; for example, if free disk space is less than 10 percent, or if the Security
Policy has been changed. System Alerts are characterized as follows:
They are defined per product. For instance, you may define certain System
Alerts for Check Point QoS that would not apply to Connectra.
They may be global or per Gateway. You can set global alert parameters for
all Gateways in the system, or you can specify a particular alert for a
particular Gateway.
They are displayed and viewed via the same user-friendly window. The
information SmartView Monitor gathers also includes status information
about OPSEC gateways and network objects.
After reviewing the status of certain clients in SmartView Monitor, you may
decide to take decisive action for a particular client or cluster member, for
instance:
Disconnect client - If you have the correct permissions, you can choose to
disconnect one or more of the connected SmartConsole clients. Click the
Disconnect Client button on the Results pane toolbar.
Start/Stop Cluster Member - All cluster members of a given gateway
cluster can be viewed via SmartView Monitor. You can start or stop a selected
cluster member. To do this, right-click the cluster member. From the pull-down
menu, select Start Member or Stop Member.
Gateway Status
Check Point enables information about the status of all gateways in the system to
be collected by the Security Management server and viewed in SmartView
Monitor. The information gathered includes status information about:
Check Point gateways
OPSEC gateways
Check Point Software Blades
A Gateways Status view displays a snapshot of all Check Point Software Blades,
such as VPN and ClusterXL, as well as third party products (for example,
OPSEC-partner gateways). Gateways Status is very similar in operation to the
SNMP daemon that also provides a mechanism to ascertain information about
gateways in the system.
An alternate source for status collection may be any AMON client, such as an
OPSEC partner, which uses the AMON protocol.
Note: There are general statuses which occur for both the gateway or
machine on which the Check Point Software Blade is installed, and the
Software Blade which represents the components installed on the gateway.
Overall Status
An Overall status is the result of the Software Blade statuses: the most serious
Software Blade status determines the Overall status. For example, if all the
Software Blade statuses are OK except for the SmartReporter blade, which has a
Problem status, then the Overall status will be Problem.
To display information about the gateway, click the specific gateway in the
Gateway Results view. Details about the gateway will be displayed in the
Gateway Details pane.
SmartView Tracker vs. SmartView Monitor
SmartView Monitor Benefits - Administrators can use SmartView Monitor to:
Centrally monitor Check Point and OPSEC devices.
Present a complete picture of changes to Gateways, tunnels, remote users, and
security activities. Immediately identify changes in network-traffic flow
patterns that may signify malicious activity.
Maintain high network availability.
Improve efficiency of bandwidth use.
Track SLA compliance.
Practice Lab
Review
Discuss the benefits of using SmartView Monitor instead of SmartView
Tracker in monitoring network activity.
CHAPTER 5 Network Address Translation
Learning Objectives:
Configure NAT rules on Web and Gateway servers
Introduction to NAT
The Security Gateway supports two types of NAT, where the source and/or the
destination are translated:
Hide NAT - Hide NAT is a many-to-one relationship, where multiple
computers on the internal network are represented by a single unique address.
This enhances security because connections can be initiated from the
protected side of the Security Gateway. This type of NAT is also referred to as
Dynamic NAT.
Static NAT - Static NAT is a one-to-one relationship, where each host is
translated to a unique address. This allows connections to be initiated
internally and externally. An example would be a Web server or a mail server
that needs to allow connections initiated externally.
NAT can be configured on Check Point hosts, nodes, networks, address ranges
and dynamic objects. NAT can be configured automatically or by creating
manual NAT rules. Manual NAT rules offer flexibility because they allow the
translation of both the source and destination of the packet, and the
translation of services.
IP Addressing
Best practices recommend using only these address ranges for intranets. RFC
1918 addresses cannot traverse public networks.
Hide NAT
In Hide NAT, the source is translated, the source port is modified and translation
occurs on the server side. As shown in the illustration below, notice the source
packet with address 10.1.1.101 going to destination x.x.x.x. As the packet hits the
interface on pre-in, 'i', it is processed by the firewall kernel and forwarded to
post-in, 'I', where it is then routed to the external interface. It arrives at pre-out,
'o', and is then processed by the NAT rule base. The firewall modifies the source
port and adds the port information to a state table. The packet translates on
post-out, 'O', as it leaves the Gateway. For protocols where the port number
cannot be changed, Hide NAT cannot be used.
Figure - Hide NAT
Choosing a fixed public IP address is a good option if you want to hide the
address of the Security Gateway. However, it means you have to use an extra
publicly routable IP address. Choosing to hide behind the address of the Gateway
is a good option for administrative purposes. For example, if the external IP
address of the Gateway changes, there is no need to change the NAT settings.
Static NAT
A static translation is assigned to a server that needs to be accessed directly from
outside the Security Gateway. So, the packet is typically initiated from a host
outside the firewall. When the client initiates traffic to the static NAT address, the
destination of the packet is translated.
Figure - Static NAT
In the past, all destination NAT occurred at the "server side" of the kernel, i.e., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, a host route is required on the Security Gateway to route to the
destination server. As of VPN-1 NGX, the default method for Destination NAT is
"client side", where NAT occurs on the inbound interface closest to the client.
Assume the client is outside the Gateway, and the server is inside the Gateway
with automatic Static NAT configured. When the client starts a connection to
access the server's NAT IP address, the following happens to the original packet
in a client-side NAT:
Original Packet
1. The packet from outside the Gateway arrives at the inbound interface, 'i',
destined for the Web server, and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the connections table and the
destination is translated on the post-in side of the interface, 'I', before it is
routed.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet is then forwarded through the kernel, 'O', and routed to the Web
server.
Reply Packet
1. The Web server replies and hits the inbound interface, 'i', of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table,
and arrives at the post-in side of the kernel, 'I'.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet goes through the outbound interface and is translated to the static
NAT IP address as it leaves the Security Gateway, 'O'. The source port does
not change.
When the external server must distinguish between clients based on their IP
addresses, Hide NAT cannot be used, because all clients share the same IP
address under Hide NAT.
To allow connections from the external network to the internal network, only
Static NAT can be used.
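The Hide NAT state-table behaviour and the client-side Static NAT flow described above, as an added Python simulation that is not part of the original manual or of Check Point's code; the gateway class, its sequential port allocation and all addresses are constructed for illustration.

```python
"""Simulation of Hide NAT and client-side Static NAT as described above.
Hide NAT rewrites source IP and source port and records the mapping in a state
table so replies can be de-translated; Static NAT rewrites the destination of
inbound packets and the source of the server's replies, leaving ports untouched.
Added example, not Check Point code; addresses are constructed (RFC 5737)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatGateway:
    def __init__(self, hide_net: str, hide_addr: str,
                 static_map: Dict[str, str], port_base: int = 10000):
        self.hide_net = ipaddress.ip_network(hide_net)
        self.hide_addr = hide_addr                   # gateway IP or a spare public IP
        self.static_pub_to_priv = dict(static_map)   # public -> private
        self.static_priv_to_pub = {v: k for k, v in static_map.items()}
        self.next_port = port_base                   # constructed allocation scheme
        # state table: (translated sport, dst, dport, proto) -> (original src, sport)
        self.state: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}

    def _allocate_port(self) -> int:
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving through the external interface (post-out, 'O')."""
        if pkt.src in self.static_priv_to_pub:
            # Static NAT reply path: source becomes the public address, port unchanged.
            return replace(pkt, src=self.static_priv_to_pub[pkt.src])
        if ipaddress.ip_address(pkt.src) in self.hide_net:
            if pkt.proto not in ("tcp", "udp"):
                # Hide NAT depends on rewriting the source port: no port, no Hide NAT.
                raise ValueError(f"Hide NAT cannot translate {pkt.proto}: no port to modify")
            new_port = self._allocate_port()
            self.state[(new_port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.hide_addr, sport=new_port)
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from outside; destination translated client-side
        (post-in, 'I'). Returns None when there is neither state nor a static
        rule for it, i.e. the packet is dropped."""
        if pkt.dst in self.static_pub_to_priv:
            return replace(pkt, dst=self.static_pub_to_priv[pkt.dst])
        if pkt.dst == self.hide_addr:
            key = (pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if key in self.state:
                orig_src, orig_port = self.state[key]
                return replace(pkt, dst=orig_src, dport=orig_port)
            # Externally initiated connection to the hide address: no state, dropped.
            return None
        return pkt


if __name__ == "__main__":
    gw = NatGateway("10.1.1.0/24", "198.51.100.1", {"198.51.100.10": "10.1.1.50"})
    out = gw.outbound(Packet("10.1.1.101", 40000, "203.0.113.7", 80))
    print("hide NAT out:", out)
    print("hide NAT reply:", gw.inbound(Packet("203.0.113.7", 80, out.src, out.sport)))
    print("static NAT in:", gw.inbound(Packet("203.0.113.9", 5555, "198.51.100.10", 443)))
    print("unsolicited to hide addr:", gw.inbound(Packet("203.0.113.9", 5555, "198.51.100.1", 22)))
```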
In most cases, the Security Gateway automatically creates NAT rules, based on
information derived from object properties. The following Global
Properties can be modified to adjust the behavior of Automatic NAT rules on a
global level:
Allow bi-directional NAT - If more than one Automatic NAT rule matches
a connection, both rules are matched. If Allow bi-directional NAT is selected,
the Gateway will check all NAT rules to see if there is a source match in one
rule, and a destination match in another rule. The Gateway will use the first
matches found, and apply both rules concurrently.
Translate Destination on client side - For packets from an external host
that are to be translated according to Static NAT rules, select this option to
translate destination IP addresses in the kernel nearest the client.
Address-translation rules are divided into two elements: Original Packet and
Translated Packet. The elements of the Original Packet section inform a Security
Gateway which packets match the rule. The Translated Packet elements define
how the Security Gateway should modify the packet. Configuring the network
object as described above creates two rules in the Address Translation Policy.
The first rule prevents translation of packets traveling from the translated object
to itself. The second rule instructs the Security Gateway to translate packets
whose source IP address is part of the Corporate-finance-net's network. This rule
translates packets from private addresses to the IP address of the exiting interface
of the Security Gateway.
Because Hide NAT also modifies source ports, there is no need to add another
rule for reply packets. Information recorded in a Security Gateway's state tables
will be used to modify the destination IP address and destination port of reply
packets.
Hiding internal addresses behind a Security Gateway's IP address is not the most
secure way to configure Hide NAT. Using another externally accessible IP
address for Hide NAT is considered best practice. The figure illustrates how to
configure the NAT properties for a network that will use another externally
accessible IP address when dynamically translated.
For Automatic NAT rule creation, the Security Gateway makes all necessary
route and ARP table entries on the Security Gateway. In the example above, the
Security Gateway will process packets destined for the HR Server, even though
that IP address is not bound to its interface. For routing to work properly, the
address selected to hide internal networks should be on the same subnet as the IP
address of the interface where packets will arrive.
Like Hide NAT behind a Security Gateway's IP address, configuration for Hide
NAT using another externally accessible IP address also creates two rules. The
first rule instructs the Security Gateway not to translate traffic whose source and
destination is the object for which Hide NAT is configured. The second rule
translates the source address of packets not destined for the object for which Hide
NAT is configured.
Static NAT
For routing to work properly, the Translate to IP Address must be on the same
subnet as the Security Gateway's IP address. When Automatic NAT rule creation
is used, it makes the necessary adjustments to the ARP configuration.
Configuring an object for automatic creation of Static NAT rules adds two rules
to the Address Translation Policy. For Static NAT, both rules are translating rules.
In the example above, the Security Gateway changes the source address from a
private address to the public address (172.22.102.112).
Manual NAT
The Security Gateway allows Security Administrators to create Manual NAT
rules. Manual NAT involves more configuration than automatic NAT rule
creation, but provides additional flexibility in Rule Base design.
Some of the situations where Manual NAT rule creation may be warranted
include:
Instances where remote networks only allow specific IP addresses.
Situations where translation is desired for some services, and not for others.
Environments where more granular control of address translation in VPN
tunnels is needed.
Enterprises where Address Translation Rule Base order must be manipulated.
When port address translation is required (port forwarding).
Environments where granular control of address translation between internal
networks is required.
When a range of IP addresses, rather than a network, will be translated.
Special Considerations
When Automatic NAT rule creation is used, it makes all necessary adjustments to
the Security Gateway's ARP and routing tables. Using Automatic NAT rule
creation also eliminates potential anti-spoofing issues. If Manual NAT rule
creation is used, special consideration must be paid to ARP and routing-table
entries, and anti-spoofing issues.
ARP
When Automatic NAT rule creation is used, the Security Gateway makes all
necessary adjustments to the Security Gateway's ARP table. If Manual NAT rule
creation is used, the Security Administrator must edit the Security Gateway's
ARP table (local.arp), as follows:
Hide NAT, Security Gateway in Translated Packet, Source field - No
additional ARP table entries are required.
Hide NAT, hiding behind an IP address not assigned to the Security
Gateway - Add an ARP table entry to the Security Gateway for the hiding
address.
Static NAT - Add ARP table entries to the Security Gateway for all translated
addresses.
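The ARP checklist above and the same-subnet requirement stated earlier for hiding and Translate-to addresses, as an added Python helper that is not part of the manual or of Check Point's code; the rule model, the sample rules, the addresses and the MAC are constructed, and the local.arp line layout assumed is one "IP MAC" pair per line.

```python
"""Which translated addresses need a proxy-ARP entry under Manual NAT, and
which of them sit outside the external interface's subnet (a routing problem).
Added example, not Check Point code; rules, addresses and MAC are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NatRule:
    kind: str          # "hide" or "static"
    translated: str    # hide address, or the public address of a static NAT host


def required_arp_entries(gateway_ip: str, prefix_len: int,
                         rules: List[NatRule]) -> Tuple[List[str], List[str]]:
    """Return (entries, off_subnet): entries are the translated addresses that
    need a proxy-ARP entry on the gateway; off_subnet lists those that are not
    on the interface network and so will not be routed correctly."""
    iface = ipaddress.ip_interface(f"{gateway_ip}/{prefix_len}")
    entries: List[str] = []
    off_subnet: List[str] = []
    for rule in rules:
        if rule.kind not in ("hide", "static"):
            raise ValueError(f"unknown NAT kind: {rule.kind}")
        addr = ipaddress.ip_address(rule.translated)
        if addr == iface.ip:
            continue  # hiding behind the gateway's own address: it already answers ARP
        if str(addr) in entries:
            continue  # one entry per address, however many rules use it
        entries.append(str(addr))
        if addr not in iface.network:
            off_subnet.append(str(addr))
    return entries, off_subnet


def render_local_arp(entries: List[str], external_mac: str) -> str:
    """One '<ip> <mac>' line per address, the layout assumed for
    $FWDIR/conf/local.arp (mac = interface that should answer for the address)."""
    return "\n".join(f"{ip} {external_mac}" for ip in entries)


if __name__ == "__main__":
    # Constructed rule set: hide behind the gateway, hide behind a spare IP,
    # two static NAT hosts (one of them on the wrong subnet).
    sample_rules = [
        NatRule("hide", "192.0.2.1"),
        NatRule("hide", "192.0.2.5"),
        NatRule("static", "192.0.2.10"),
        NatRule("static", "198.51.100.20"),
    ]
    needed, bad = required_arp_entries("192.0.2.1", 24, sample_rules)
    print(render_local_arp(needed, "00:00:5e:00:53:01"))
    for ip in bad:
        print(f"warning: {ip} is not on the external interface subnet")
```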
Practice Labs
Review
1. What are some reasons for employing NAT in a network when requiring private
IP addresses in internal networks, to limit external-network access, or to ease
network administration?
2. When would an Administrator favor using Manual NAT over automatic NAT?
Using SmartUpdate
SmartUpdate extends your organization's ability to provide centralized policy
management across enterprise-wide deployments. SmartUpdate can deliver
automated software and license updates to hundreds of distributed Security
Gateways from a single management console.
Learning Objectives:
Monitor remote Gateways using SmartUpdate to evaluate the need for
upgrades, new installations, and license modifications.
Use SmartUpdate to apply upgrade packages to single or multiple VPN-1
Gateways.
Upgrade and attach product licenses using SmartUpdate.
SmartUpdate and Managing Licenses
1. License & Contract Repository, which is stored on all platforms in the directory
$FWDIR\conf\.
2. Package Repository, which is stored on:
Windows machines in C:\SUroot.
UNIX machines in /var/suroot.
Packages and licenses are loaded into these repositories from several sources.
Of the many processes that run on Gateways distributed across the
corporate network, two in particular are used for SmartUpdate. Upgrade
operations require the cprid daemon, and license operations use the cpd daemon.
These processes listen and wait for the information to be summoned by the
Security Management Server.
These tabs are divided into a tree structure that displays the packages installed
and the licenses attached to each managed Security Gateway. The tree has three
levels:
The root level shows the name of the Security Management server to which
the GUI is connected.
The second level shows the names of the Check Point Security Gateways
configured in SmartDashboard.
The third level shows the Check Point packages or installed licenses on the
Check Point Security Gateway.
Figure 56 - SmartUpdate
The Package Repository shows all the packages available for installation. To
view this pane, select Packages > View Repository.
The License & Contract Repository shows all licenses (attached or
unattached). To view this pane, select Licenses & Contracts > View
Repository.
The Operation Status shows past and current SmartUpdate operations. To
view this pane, select Operations > View Status. It shows:
The Operations performed (i.e., Installing package <X> on Gateway <Y>, or
Attaching license <L> to Gateway <Y>).
The status of the operation being performed, throughout all the stages of its
development (i.e., operation started, or a warning).
A progress indicator.
The time that the operation takes to complete.
The Central license is the preferred method of licensing. A Central license ties
the package license to the IP address of the Security Management Server. That
means that there is one IP address for all licenses; that the license remains valid if
you change the IP address of the gateway; and that a license can be taken from
one Check Point Security Gateway and given to another with ease.
The Local license is an older method of licensing; however, it is still supported by
SmartUpdate. A Local license ties the package license to the IP address of the
specific Check Point Security Gateway, and cannot be transferred to a Gateway
with a different IP address.
When you add a license to the system using SmartUpdate, it is stored in the
License & Contract Repository. Once there, it must be installed to the Gateway
and registered with the Security Management Server. Installing and registering
a license is accomplished through an operation known as attaching a license.
Central licenses require an administrator to designate a Gateway for attachment,
while Local licenses are automatically attached to their respective Check Point
Security Gateways.
Licensing Terminology
Common terms used with respect to licensing include the following:
Add - Licenses received from the User Center should first be added to the
SmartUpdate License & Contract Repository. Adding a local license to the
License & Contract Repository also attaches it to the gateway.
Attach - Licenses are attached to a Gateway via SmartUpdate. Attaching a
license to a Gateway involves installing the license on the remote Gateway,
and associating the license with the specific Gateway in the License &
Contract Repository.
Central License - A Central License is a license attached to the Security
Management server IP address, rather than the gateway IP address. The
benefits of a Central License are:
Only one IP address is needed for all licenses.
A license can be taken from one gateway and given to another.
The new license remains valid when changing the gateway IP
address. There is no need to create and install a new license.
Certificate Key - The Certificate Key is a string of 12 alphanumeric
characters. The number is unique to each package. For an evaluation license,
your Certificate Key can be found inside the mini pack. For a permanent
license, you should receive your Certificate Key from your reseller.
CPLIC - A command line for managing local licenses and local license
operations. For additional information, refer to the R76 Command Line
Interface Reference Guide.
Detach - Detaching a license from a Gateway involves uninstalling the
license from the remote Gateway, and making the license in the License &
Contract Repository available to any Gateway.
State - Licenses can be in one of the following states: Requires Upgrade, No
License, Obsolete or Assigned. The license state depends on whether the
license is associated with the Gateway in the License & Contract Repository,
and whether the license is installed on the remote Gateway. The license state
definitions are as follows:
Attached - indicates that the license is associated with the Gateway
in the License & Contract Repository, and is installed on the remote
Gateway.
Unattached - indicates that the license is not associated with the
Gateway in the License & Contract Repository, and is not installed on
any Gateway.
Assigned - a license that is associated with the Gateway in the
License & Contract Repository, but has not yet been installed on the
Gateway as a replacement for an existing NG license.
Upgrade Status - A field in the License & Contract Repository
that contains an error message from the User Center if the upgrade process
fails.
Get - Locally installed licenses can be placed in the License & Contract
Repository, to update the repository with all licenses across the installation.
The Get operation is a two-way process that places all locally installed
licenses in the License & Contract Repository and removes all locally deleted
licenses from the License & Contract Repository.
License Expiration - Licenses expire on a particular date, or never. After a
license has expired, the functionality of the Check Point package may be
impaired.
Local License - A Local License is tied to the IP address of the specific
gateway and can only be used with a gateway or a Security Management
server with the same address.
Multi-License File - Licenses can be conveniently added to a Gateway or
Security Management Server via a file, rather than by typing long text strings.
Multi-license files contain more than one license, and can be downloaded
from the User Center. Multi-license files are supported by the cplic put and
cplic add command-line commands.
Features - A character string that identifies the features of a package.
Upgrading Licenses
To know exactly what type of license is on each remote Gateway, you can
retrieve that data directly from the Gateway.
To retrieve license data from a single remote Gateway, right-click the gateway
object in the License Management window, and select Get Licenses.
To retrieve license data from multiple Check Point Security Gateways, select
Get All Licenses from the Licenses menu.
To install a license, you must first add it to the License & Contract Repository.
You can add licenses to the License & Contract Repository in the following
ways:
Downloading from the User Center
1. Select Network Objects Licenses & Contracts > Add License > From User
Center.
2. Enter your credentials.
A license file can contain multiple licenses. Unattached Central licenses appear
in the License & Contract Repository, and Local licenses are automatically
attached to their Security Gateway. All licenses are assigned a default name in the
format SKU@ time date, which you can modify at a later time.
You may add licenses that you have received from the Licensing Center by e-
mail. The e-mail contains the license-installation instructions.
1. Locate the license - If you have received a license by e-mail, copy the
license to the clipboard. Copy the string that starts with cplic putlic... and ends
with the last SKU/feature. For example:
cplic putlic 1.1.1.1 06Dec2002 dw59Ufa2-eLLQ9NBgPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX CK-1234567890
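A parser for a license string in the layout just shown (host, expiration date or "never", signature, then the SKU/feature tokens), together with the central/local distinction and expiry check described earlier in this chapter; this is an added Python example, not Check Point code, and the sample line carries a constructed IP, a placeholder signature and a placeholder certificate key.

```python
"""Parse a 'cplic putlic' license line: cplic putlic <host> <expiration>
<signature> <SKU/feature ...>. Added example, not Check Point code; the sample
below is constructed with a placeholder signature and certificate key."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional, Tuple

# Constructed sample, same shape as the e-mailed string described above.
SAMPLE_PUTLIC = ("cplic putlic 192.0.2.10 06Dec2002 "
                 "PLACEHOLDER-SIGNATURE-xxxxxxxx "
                 "CPSUITE-EVAL-3DES-NGX CK-0000000000")


@dataclass(frozen=True)
class License:
    host: str                  # IP the license is bound to
    expires: Optional[date]    # None means the license never expires
    signature: str
    features: Tuple[str, ...]  # SKU/feature tokens, certificate key included


def parse_putlic(line: str) -> License:
    tokens = line.split()
    if tokens[:2] != ["cplic", "putlic"] or len(tokens) < 6:
        raise ValueError("expected: cplic putlic <host> <expiration> <signature> <SKU/features...>")
    host, expiry, signature, *features = tokens[2:]
    if expiry.lower() == "never":
        expires = None
    else:
        expires = datetime.strptime(expiry, "%d%b%Y").date()  # e.g. 06Dec2002
    return License(host, expires, signature, tuple(features))


def license_kind(lic: License, mgmt_server_ip: str) -> str:
    """Central licenses are bound to the Security Management Server IP;
    a license bound to any other address is a Local license."""
    return "central" if lic.host == mgmt_server_ip else "local"


def is_expired(lic: License, today: date) -> bool:
    return lic.expires is not None and today > lic.expires


if __name__ == "__main__":
    lic = parse_putlic(SAMPLE_PUTLIC)
    print(lic)
    print("kind:", license_kind(lic, "192.0.2.10"))
    print("expired:", is_expired(lic, date.today()))
```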
Attaching Licenses
After licenses have been added to the License & Contract Repository, select one
or more licenses to attach to a Security Gateway.
1. Select the license(s).
2. Select Network Objects Licenses & Contracts > Attach.
3. From the Attach Licenses window, select the desired device.
If the attach operation fails, the local licenses are deleted from the Repository.
Detaching Licenses
Licenses that are not attached to any Check Point Security Gateway and are no
longer needed can be deleted from the License & Contract Repository. To delete
a license:
1. Right-click anywhere in the License & Contract Repository and select View
Unattached Licenses.
2. Select the unattached license(s) to be deleted, and click Delete.
Installation Process
The following operations are performed during the installation process:
Check Point Remote Installation Daemon connects to the Check Point gateway.
Verification for sufficient disk space.
Verification of the package dependencies.
The package is transferred to the gateway if it is not already there.
The package is installed on the gateway.
Enforcement policies are compiled for the new version.
The gateway is rebooted if the Allow Reboot option was selected and the
package requires it.
The gateway version is updated in SmartDashboard.
The installed packages are updated in SmartUpdate.
To delete expired licenses from the License Expiration window, select the
detached license(s) and click Delete.
All selected licenses are exported. If the file already exists, the new licenses are
added to the file.
Service Contracts
Before upgrading a Gateway or Security Management Server, you need to have a
valid support contract that includes software upgrade and major releases
registered to your Check Point User Center account. The contract file is stored on
Security Management Server and downloaded to Check Point Security Gateways
during the upgrade process. By verifying your status with the User Center, the
contract file enables you to easily remain compliant with current Check Point
licensing standards.
Managing Contracts
Once you have successfully upgraded the Security Management Server, you can
use SmartUpdate to display and manage your contracts. From the License
Management window, it is possible to see whether a particular license is
associated with one or more contracts. The License Repository window in
SmartUpdate displays contracts as well as licenses.
Updating Contracts
The Licenses & Contracts menu on the menu bar has enhanced functionality for
handling contracts.
Licenses & Contracts > Update Contracts - Installs contract information
on the Security Management Server. Each time you obtain a new contract,
you can use this option to make sure the new contract is displayed in the
license repository.
Licenses & Contracts > Get all Licenses - Collects licenses of all
Gateways managed by the Security Management Server, and updates the
contract file on the Server if the file on the Gateway is newer.
Practice and Review
Review
1. What can be upgraded remotely using SmartUpdate?
Check Point authentication features enable you to verify the identity of users
logging in to the Security Gateway, and also allow you to control security by
allowing some users access and disallowing others. Users authenticate by
proving their identities, according to the scheme specified under a Gateway
authentication scheme, such as LDAP, RADIUS, SecurID and TACACS.
Learning Objectives:
Centrally manage users to ensure only authenticated users securely access the
corporate network either locally or remotely.
Manage user access to the corporate LAN by using external databases.
For the procedure describing how to create Security Gateway users using a
template, create a group, adding users to the group and installing user
information in the database, refer to the lab "Creating Users and Groups" in this
chapter.
User Types
SmartDashboard allows you to manage a variety of user types:
External User Profiles - Externally defined users who are not defined in the
internal users database or on an LDAP server. External user profiles are used to
avoid the burden of maintaining multiple Users Databases, by defining a single,
generic profile for all external users. External users are authenticated based on
either their name or their domain.
Templates - User templates facilitate the user definition process and prevent
mistakes, by allowing you to create a new user based on the appropriate template
and change only a few relevant properties as needed.
User Groups - User groups consist of users and of user sub-groups. Including
users in groups is required for performing a variety of operations, such as
defining user access rules or remote access communities.
Users - These are either local clients or remote clients, who access your
network and its resources.
User Management and Authentication
There are three ways to access a network resource and authenticate using the
Legacy Authentication in the Security Gateway:
User Authentication
Session Authentication
Client Authentication
on which the Security Gateway is installed. You can also use passwords that are
stored in a Windows domain. No additional software is required.
The RADIUS protocol uses UDP to communicate with the Gateway. RADIUS
servers and RADIUS server-group objects are defined in SmartDashboard.
There are no specific parameters required for the SecurID authentication scheme.
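The exchange between the Gateway and a RADIUS server over UDP, as an added example that is not part of this manual or of Check Point's software: a minimal RFC 2865 Access-Request and Access-Accept built and checked in Python. The shared secret, user name, password, NAS address and user store are constructed values. It shows why the shared secret matters on a UDP protocol: it hides the User-Password attribute, and it is the only thing that authenticates the server's reply to the Gateway.

```python
"""RADIUS Access-Request / Access-Accept exchange, following RFC 2865.

Added example, not Check Point code. Client side (the Gateway) and server
side are both shown so the role of the shared secret is visible.
"""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types defined in RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype: int, value: bytes) -> bytes:
    """Attribute = Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous block), seeding with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; this is what the RADIUS server computes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """Header = Code, Identifier, Length, then a 16-byte Request Authenticator."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {attribute type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def build_response(code, request_pkt, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request_pkt[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_pkt, secret) -> bool:
    """Client side: trust a reply only if its authenticator was computed with the
    shared secret over the authenticator of the request we actually sent."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if header[1] != request_pkt[1]:          # identifier must match our request
        return False
    expected = hashlib.md5(header + request_pkt[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def server_handle(request_pkt, secret, user_db):
    """Server side: recover the password and answer Accept or Reject."""
    code, _ident, request_auth, attrs = parse_packet(request_pkt)
    if code != ACCESS_REQUEST:
        return build_response(ACCESS_REJECT, request_pkt, secret)
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request_pkt, secret)


def run_exchange(username, password, secret=b"constructed-shared-secret"):
    """Whole exchange in memory; returns (response code, authenticator verified)."""
    user_db = {b"jbrown": b"S3cret!"}                # constructed sample user store
    request = build_access_request(7, username, password, "10.0.0.1", secret)
    response = server_handle(request, secret, user_db)
    return response[0], verify_response(response, request, secret)
```

run_exchange() performs the exchange in memory; a real Gateway would send the request bytes to the RADIUS server on UDP port 1812 and accept only a reply whose Response Authenticator verifies against the request it sent, which is why the secret shared with each server object should be long and unique.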
Authentication Types
Defined on user record - Takes the authentication method from Gateway
object Properties > Legacy Authentication.
Username and Password - Uses a username and password defined for the user
on the gateway.
SecurID - Users are challenged to enter the number displayed on the Security
Dynamics SecurID card.
Authentication Methods
This section describes how users authenticate using each authentication method,
along with guidelines for configuring each method.
Although it is true that the Gateway processes rules in order, an exception to this
is when User Authentication is employed. In this case, the most permissive rule
in the Rule Base is used by the Gateway. If a User Authentication rule matches a
packet, all rules are evaluated before authentication occurs, and the least
restrictive rule is applied.
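A model of the evaluation order just described, as an added example in Python that is not Check Point code. The Rule Base, the service names and the ranking of actions by permissiveness (Accept, then User Auth, then Drop) are assumptions made for the illustration. The point it demonstrates is the administrative consequence of the exception: an Accept rule placed below a User Authentication rule for overlapping traffic means that traffic is accepted without authentication, which the shadowed_auth_rules audit helper reports.

```python
"""Rule Base evaluation with the User Authentication exception.

Added example, not Check Point code: rules are normally matched first-match,
but when the first matching rule is a User Authentication rule, every
matching rule is considered and the least restrictive one is applied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    source: str        # CIDR or "Any"
    destination: str   # CIDR or "Any"
    service: str       # service name or "Any"
    action: str        # "Accept", "User Auth" or "Drop"


# Assumed ranking for the illustration: lower value = less restrictive.
PERMISSIVENESS = {"Accept": 0, "User Auth": 1, "Drop": 2}


def _in(ip: str, net: str) -> bool:
    return net == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _overlaps(a: str, b: str) -> bool:
    return a == "Any" or b == "Any" or ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def matching_rules(rulebase, src, dst, service):
    return [r for r in rulebase
            if _in(src, r.source) and _in(dst, r.destination) and r.service in ("Any", service)]


def decide(rulebase, src, dst, service):
    """Return (rule number, action) for a packet; (None, "Drop") if nothing matches."""
    matches = matching_rules(rulebase, src, dst, service)
    if not matches:
        return None, "Drop"                       # implicit cleanup
    first = matches[0]
    if first.action != "User Auth":
        return first.number, first.action         # ordinary first-match
    # User Authentication exception: all matching rules are evaluated and the
    # least restrictive one wins, even if it sits lower in the Rule Base.
    best = min(matches, key=lambda r: (PERMISSIVENESS[r.action], r.number))
    return best.number, best.action


def shadowed_auth_rules(rulebase):
    """Audit helper: User Auth rules that a later Accept rule overrides for some
    overlapping traffic, so that authentication is silently skipped."""
    findings = []
    for auth in (r for r in rulebase if r.action == "User Auth"):
        for later in rulebase:
            if (later.number > auth.number and later.action == "Accept"
                    and _overlaps(auth.source, later.source)
                    and _overlaps(auth.destination, later.destination)
                    and (auth.service == "Any" or later.service in ("Any", auth.service))):
                findings.append((auth.number, later.number))
    return findings


# Constructed sample Rule Base: rule 3 lets the internal LAN reach the web
# servers without authenticating, which overrides rule 1 for LAN users.
RULEBASE = [
    Rule(1, "Any", "10.1.1.0/24", "http", "User Auth"),
    Rule(2, "10.2.0.0/16", "10.1.1.0/24", "ftp", "Drop"),
    Rule(3, "10.2.0.0/16", "10.1.1.0/24", "Any", "Accept"),
    Rule(4, "Any", "Any", "Any", "Drop"),
]
```

With this Rule Base, HTTP from the 10.2.0.0/16 LAN to the web servers is accepted by rule 3 without authentication although rule 1 matched first, while the same traffic from any other source is authenticated by rule 1; FTP from the LAN is handled by ordinary first-match and dropped by rule 2.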
Session Authentication can be used for any service, but requires either a Session
Authentication agent to get the user identity, or UserAuthority. Like User
Authentication, it requires an authentication procedure for each connection.
UserAuthority can be used to get the user identity. It can do this in one of three
ways:
1. From a SecureAgent.
2. From SecureClient, if the user authenticated via SecureClient connected to
the Check Point Security Gateway.
3. From the Check Point Security Gateway, if the user authenticated via an
HTTP connection to port 900 or Telnet to port 259 on the gateway.
A Session Authentication agent can also be used to get the user identity. The
Session Authentication agent is normally installed on the authenticating client, in
which case the person who wants the connection to the destination host supplies
the authentication credentials. However, the Session Authentication agent can
also be installed on the destination machine, or on some other machine in the
network. In that case, the person at the machine on which the Agent is installed is
asked to supply the username and a password.
Sign-On Method       | Client Authentication Method for   | Client Authentication Method
                     | Authenticated Services:            | for Other Services
                     | Telnet, FTP, HTTP, rlogin          |
Manual               | Telnet to port 259 on Gateway      | Telnet to port 259 on Gateway
                     | HTTP to port 900 on Gateway        | HTTP to port 900 on Gateway
Partially automatic  | User Authentication                | Not available
Fully automatic      | User Authentication                | Session Authentication
Agent automatic      | Session Authentication             | Session Authentication
Single Sign On       | UserAuthority                      | UserAuthority
At the end of an authentication session, users can sign off. When users sign off,
they are disconnected from all services and the remote host.
Manual Sign On - Available for any service that is specified in the Client
Authentication rule; the user must first connect to the Gateway and
authenticate in one of the following two ways:
Through a Telnet session to the Gateway on port 259.
Through an HTTP connection to the Gateway on port 900 and a Web browser;
the requested URL must include the Gateway name and port number, for
example, http://Gateway:900.
Wait Mode
Wait Mode is a Client Authentication feature for Manual Sign On, when the user
initiates a Client Authenticated connection with a Telnet session on port 259 on
the Gateway. Wait Mode eliminates the need to open a new Telnet session to sign
off and withdraw Client Authentication privileges. In Wait Mode, the initial
Telnet session connection remains open, as long as Client Authentication
privileges remain valid. Client Authentication privileges are withdrawn when the
Telnet session is closed.
The Security Gateway keeps the Telnet session open by pinging the
authenticating client. If for some reason the client machine stops running, the
Gateway closes the Telnet session, and Client Authentication privileges from the
connected IP address are withdrawn.
Partially Automatic Sign On - Partially Automatic Sign On is available for
authenticated services (Telnet, FTP, HTTP, and rlogin), only if they are
specified in the Client Authentication rule. If users attempt to connect to a
remote host using one of the authenticated services, they must authenticate
with User Authentication. When using partially automatic Client
Authentication, ensure that port 80 is accessible on the Gateway.
gateway object is set to log all failed authentication attempts. For example,
setting a rule to None has no effect, and failed authentication attempts are still
logged in SmartView Tracker. However, setting the rule to Alert causes an
alert to be sent for each failed authentication attempt.
LDAP Features
Features of LDAP are as follows:
LDAP is based on a client/server model, in which an LDAP client makes a
TCP connection to an LDAP server.
Each entry has a unique Distinguished Name (DN).
Default port numbers are 389 for standard connections, and 636 for Secure
Sockets Layer (SSL) connections.
Each LDAP server is called an Account Unit.
For example, if searching for the name John Brown, the search path would start
with John Brown's Common Name (CN). You would then narrow the search to
the organization he works for, then to the country. If John Brown works for ABC
Company, one possible DN is shown below:
This can be read as "John Brown, in Marketing, of ABC Company, in the United
States". A different John Brown, who works at the XYZ Company, might have a
DN, as follows:
The two CNs "John Brown" belong to two different organizations with different
DNs. This can be outlined as an inverted tree, as in the figure.
[Figure: the LDAP directory shown as an inverted tree - LDAP Server, O=ABC, OU=Marketing, Users]
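The DN structure described above, as an added example in Python that is not part of the manual or of Check Point's software. The DN strings are constructed to match the description (the manual's own DN lines did not survive extraction) and the attribute abbreviations CN, OU, O and C are the standard LDAP ones. It parses DNs, shows that the two John Browns are distinct entries, builds the inverted tree of the figure, and checks whether an entry lies under a given branch, which is the test a UserDirectory group limited to a branch applies.

```python
"""Distinguished Names and the LDAP tree.

Added example, not Check Point code. DNs below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed DNs for the two John Browns described in the text.
DN_ABC = "CN=John Brown,OU=Marketing,O=ABC Company,C=US"
DN_XYZ = "CN=John Brown,OU=Sales,O=XYZ Company,C=US"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leaf first, honouring
    backslash escapes such as 'Brown\\, John'."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def _norm(rdns):
    """Attribute names and (here) values compare case-insensitively."""
    return [(a, v.casefold()) for a, v in rdns]


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn lies in the branch rooted at base_dn (the 'specified branch'
    a UserDirectory group can be limited to)."""
    d, b = _norm(parse_dn(dn)), _norm(parse_dn(base_dn))
    return len(d) > len(b) and d[-len(b):] == b


def find_by_cn(dns: List[str], cn: str) -> List[str]:
    """All entries whose leaf RDN is the given common name; the full DN, not
    the CN, is what makes an entry unique."""
    return [dn for dn in dns if _norm(parse_dn(dn))[0] == ("CN", cn.casefold())]


def build_tree(dns: List[str]) -> Dict:
    """Nest the DNs as an inverted tree: root (country) at the top, leaf
    entries at the bottom, as in the figure."""
    tree: Dict = {}
    for dn in dns:
        node = tree
        for attr, value in reversed(parse_dn(dn)):
            node = node.setdefault("%s=%s" % (attr, value), {})
    return tree
```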
The first step is to enable the option Use UserDirectory (LDAP) in Global
Properties. Then, it is necessary to define an Account Unit. If you are
implementing UserDirectory user management, you will need to know which
entities to define, and how to manage the users defined by the UserDirectory
Account Unit. UserDirectory user management requires a special license.
General tab - Defines the general settings of the LDAP Account Unit;
decide whether this Account Unit is to be used for CRL retrieval, user
management, or both.
Profile - Select a profile to be applied to the new Account Unit. Four
profiles are defined by default, each corresponding to a specific LDAP server:
LDAP User Management with UserDirectory
Managing Users
Users defined in the Account Unit are managed in the Users tab of the Objects
tree. This intuitive tree structure enables users to be managed as if all the users
were actually sitting on the internal Security Gateway database. For instance, you
can add, edit or delete users by right-clicking them in the Objects tree, and by
selecting the option of your choice.
UserDirectory Groups
UserDirectory groups are created to classify users within certain group types.
These UserDirectory groups are then applied in Policy rules. Define a
UserDirectory group in the LDAP Group Properties window in the Users and
Administrators tab of the Objects tree:
Figure 71 - LDAP Group Properties
Once UserDirectory groups are created, they can be applied in various Policy
rules, such as the Security Policy. In this window, you can select the Account
Unit on which the UserDirectory group is defined, and apply an advanced filter to
increase the granularity of a group definition. Only those users who match the
defined criteria will be included as members of the UserDirectory group. For
instance, you can include all users defined in the selected Account Unit as part of
the UserDirectory group, or only members of a specified branch, or only
members of a specified group on the branch.
Practice Lab
Review
Identity Awareness
Check Point Identity Awareness Software Blade provides granular visibility of
users, groups and machines, providing unmatched application and access control
through the creation of accurate, identity-based policies. Centralized
management and monitoring allows for policies to be managed from a single,
unified console.
Learning Objectives:
Use Identity Awareness to provide granular level access to network resources.
Acquire user information used by the Security Gateway to control access.
Define Access Roles for use in an Identity Awareness rule.
Implement Identity Awareness in the Firewall Rule Base.
Identity Awareness lets you easily configure network access and auditing based
on network location and:
The identity of a user
The identity of a machine
In SmartDashboard, you use Access Role objects to define users, machines, and
network locations as one object.
Identity Awareness also lets you see user activity in SmartView Tracker and
SmartEvent based on user and machine name and not just IP addresses.
AD Query
AD Query gets identity data seamlessly from Microsoft Active Directory (AD).
AD Query for Identity Awareness is recommended for:
Identity based auditing and logging
Leveraging identity in Internet application control
Basic identity enforcement in the internal network
The technology is based on querying the Active Directory Security Event Logs
and extracting the user and machine mapping to the network address from them.
It is based on Windows Management Instrumentation (WMI), a standard
Microsoft protocol. The Security Gateway communicates directly with the
Active Directory domain controllers and does not require a separate server.
[Figure: AD Query identity acquisition - the numbered steps 1 to 5 below]
1. The Security Gateway registers to receive security event logs from the Active
Directory domain controllers.
2. A user logs in to a desktop computer using his Active Directory credentials.
3. The Active Directory DC sends the security event log to the Security Gateway.
The Security Gateway extracts the user and IP information (user
name@domain, machine name and source IP address).
4. The user initiates a connection to the Internet.
5. The Security Gateway confirms that the user has been identified and lets him
access the Internet based on the policy.
When you set the AD Query option to get identities, you are configuring
clientless employee access for all Active Directory users. To enforce access
options, make rules in the Firewall Rule Base that contain access role objects. An
access role object defines users, machines and network locations as one object.
Active Directory users that log in and are authenticated will have seamless access
to resources based on Firewall Rule Base rules.
He received a laptop and wants to access the HR Web Server from anywhere in
the organization. The IT department gave the laptop a static IP address, but that
limits him to operating it only from his desk. The current Rule Base contains a
rule that lets John Adams access the HR Web Server from his laptop with a static
IP (10.0.0.19).
Figure 75 - Rule
He wants to move around the organization and continue to have access to the
HR Web Server. To make this scenario work, the IT administrator does these
steps:
1. Enables Identity Awareness on a gateway, selects AD Query as one of the
Identity Sources and installs the policy.
2. Checks SmartView Tracker to make sure the system identifies John Adams in
the logs.
3. Adds an access role object to the Firewall Rule Base that lets John Adams
access the HR Web Server from any machine and from any location.
4. Sees how the system tracks the actions of the access role in SmartView
Tracker.
The SmartView Tracker logs show how the system recognizes John Adams as the
user behind IP 10.0.0.19:
[Figure: SmartView Tracker Record Details - Identity Awareness Log In]
This log entry shows that the system maps the source IP to the user John Adams
from CORP.ACME.COM. This uses the identity acquired from AD Query.
Note: AD Query maps the users based on AD activity. This can take
some time and depends on user activity. If John Adams is not
identified (the IT administrator does not see the log), he should
lock and unlock the computer.
To let John Adams access the HR Web Server from any machine, it is necessary
for the administrator to change the current rule in the Rule Base. To do this, it is
necessary to create an access role for John Adams that includes the specific user
John Adams from any network and any machine.
[Figure: Access Role HR_Partner - user John Adams, any network, any machine]
Then the IT administrator replaces the source object of the current rule with the
HR Partner access role object and installs the policy for the changes to be
updated.
[Figure: rule with the HR_Partner access role as source, the HR Web Server as destination, action Accept]
The IT administrator can then remove the static IP from John Adams' laptop and
give it a dynamic IP. The Security Gateway lets the user John Adams access the
HR Web Server from his laptop with a dynamic IP, as the HR_Partner access role
tells it that the user John Adams from any machine and any network is permitted
access.
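The AD Query flow and the John Adams scenario, as an added example in Python that is not part of the manual or of Identity Awareness. The log lines are constructed key=value records modelled on the fields of Windows logon events (4624 is a successful logon, 4625 a failed one); which events and fields AD Query itself consumes is not stated on this page. They are turned into an IP-to-identity map, and an access role is then matched against that map so that the same rule follows John Adams to a new address, while the static-IP rule does not. The identity lifetime, the rule layout and all addresses are assumptions.

```python
"""AD Query style identity map and Access Role matching.

Added example, not Check Point code. Log records, lifetime and rules are
constructed for the illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed security-event records, as if sent by the domain controllers.
LOG_LINES = [
    "2013-05-14T08:01:10 EventID=4624 AccountName=jadams AccountDomain=CORP.ACME.COM "
    "WorkstationName=LAPTOP-JA SourceNetworkAddress=10.0.0.19",
    "2013-05-14T09:15:42 EventID=4624 AccountName=jsmith AccountDomain=CORP.ACME.COM "
    "WorkstationName=PC-FIN-07 SourceNetworkAddress=10.0.0.50",
    "2013-05-14T10:30:05 EventID=4624 AccountName=jadams AccountDomain=CORP.ACME.COM "
    "WorkstationName=LAPTOP-JA SourceNetworkAddress=10.5.7.3",
    "2013-05-14T10:31:00 EventID=4625 AccountName=eve AccountDomain=CORP.ACME.COM "
    "WorkstationName=PC-X SourceNetworkAddress=10.0.0.19",
]
IDENTITY_TTL = timedelta(hours=8)   # assumed lifetime of a learned identity


@dataclass
class Identity:
    user: str       # user@domain, as in the text
    machine: str
    seen: datetime


def build_identity_map(lines: List[str]) -> Dict[str, Identity]:
    """Map source IP -> identity from successful logon events only; a newer
    logon from the same address replaces the older mapping."""
    idmap: Dict[str, Identity] = {}
    for line in lines:
        stamp, _, rest = line.partition(" ")
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        if fields.get("EventID") != "4624":          # ignore failed logons etc.
            continue
        user = "%s@%s" % (fields["AccountName"], fields["AccountDomain"])
        idmap[fields["SourceNetworkAddress"]] = Identity(
            user, fields["WorkstationName"], datetime.fromisoformat(stamp))
    return idmap


@dataclass
class AccessRole:
    """Users, machines and network locations in one object; None means Any."""
    name: str
    users: Optional[FrozenSet[str]] = None
    machines: Optional[FrozenSet[str]] = None
    networks: Optional[List[str]] = None


def match_role(role, src_ip, idmap, now) -> Tuple[bool, str]:
    ident = idmap.get(src_ip)
    if ident is None:
        return False, "unidentified source"        # no AD activity seen for this IP
    if now - ident.seen > IDENTITY_TTL:
        return False, "identity expired"
    if role.users is not None and ident.user not in role.users:
        return False, "user %s not in role" % ident.user
    if role.machines is not None and ident.machine not in role.machines:
        return False, "machine %s not in role" % ident.machine
    if role.networks is not None and not any(
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(n) for n in role.networks):
        return False, "location not in role"
    return True, "matched %s as %s" % (role.name, ident.user)


@dataclass
class Rule:
    name: str
    source: object      # a host IP string or an AccessRole
    destination: str
    action: str


def decide(rules, src_ip, dst_ip, idmap, now) -> Tuple[str, str]:
    """First match over the rule base; an access role source is resolved
    through the identity map, a host source is compared as an address."""
    for rule in rules:
        if rule.destination != dst_ip:
            continue
        if isinstance(rule.source, AccessRole):
            if match_role(rule.source, src_ip, idmap, now)[0]:
                return rule.name, rule.action
        elif rule.source == src_ip:
            return rule.name, rule.action
    return "cleanup", "Drop"


HR_WEB = "10.0.0.100"                # constructed HR Web Server address
HR_PARTNER = AccessRole("HR_Partner", users=frozenset({"jadams@CORP.ACME.COM"}))
STATIC_RULE = Rule("static-ip", "10.0.0.19", HR_WEB, "Accept")
ROLE_RULE = Rule("hr-partner", HR_PARTNER, HR_WEB, "Accept")
```

Note that the failed logon from 10.0.0.19 does not overwrite the mapping learned for John Adams, and that an address with no logon activity stays unidentified, which is why the text recommends locking and unlocking the computer when a user does not show up in the logs.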
Browser-Based Authentication
Browser-Based Authentication acquires identities from unidentified users. You
can configure these acquisition methods:
Captive Portal
Transparent Kerberos Authentication
When users try to access a protected resource, they get a web page that they must
fill out to continue.
The Captive Portal option operates when a user tries to access a web resource and
all of these apply:
The Captive Portal is selected as a way to acquire identities and the
redirect option has been set for the applicable rule.
Unidentified users cannot access that resource because of rules with
access roles in the Firewall / Application Rule Base. But if users are
identified, they might be able to access the resource.
Transparent Kerberos Authentication was configured, but
authentication failed.
When these criteria are true, Captive Portal acquires the identities of users. From
the Captive Portal users can:
[Figure: Captive Portal flow - Internal Data Center, Directory]
The diagram shows how Captive Portal works - in the Firewall rule base:
1. A user wants to access the Internal Data Center.
2. Identity Awareness does not recognize him and redirects the browser to the
Captive Portal.
3. The user enters his regular office credentials. The credentials can be AD or
other Check Point supported authentication methods, such as LDAP, Check
Point internal credentials, or RADIUS.
4. The credentials are sent to the Security Gateway and verified in this example
against the AD server.
5. The user can now go to the originally requested URL.
If unidentified users try to connect to resources in the network that are restricted
to identified users, they are automatically sent to the Captive Portal. If
Transparent Kerberos Authentication is configured, the browser will attempt to
identify users that are logged into the domain using SSO before it shows the
Captive Portal.
[Figure: SmartView Tracker log entry for a Captive Portal login]
This log entry shows that the system maps the source to the user name
"Jennifer_McHanry". This uses the identity acquired from Captive Portal.
Amy, the IT administrator, configures the Captive Portal to let unregistered guests
log in to the portal to get network access. She makes a rule in the Firewall Rule
Base to let unauthenticated guests access the Internet only.
When guests browse to the Internet, the Captive Portal opens. Guests enter their
name, company, email address, and phone number in the portal. They then agree
to the terms and conditions written in a network access agreement. Afterwards
they are given access to the Internet for a specified period of time.
Identity Agents
There are two types of Identity Agents:
Added security - you can use the patented packet tagging technology
to prevent IP Spoofing. Endpoint Identity Agents also give you
strong (Kerberos based) user and machine authentication.
These are the types of Endpoint Identity Agents you can install:
Users can download and install Endpoint Identity Agents from the Captive Portal
or you can distribute MSI/DMG files to computers with distribution software or
any other method (such as telling them where to download the client from).
[Figure: Endpoint Identity Agent download from the Captive Portal - Intranet, Internal Data Center]
This is how a user downloads the Endpoint Identity Agent from the Captive
Portal:
1. A user logs in to his PC with his credentials and wants to access the Internal
Data Center.
2. The Security Gateway enabled with Identity Awareness does not recognize
him and sends him to the Captive Portal.
3. The Security Gateway sends a page that shows the Captive Portal to the user.
It contains a link that he can use to download the Endpoint Identity Agent.
4. The user downloads the Endpoint Identity Agent from the Captive portal and
installs it on his PC.
Terminal Servers Identity Agent is used to identify multiple users that connect
from one IP address, where a Terminal Server Identity agent is installed on the
application server that hosts Terminal/Citrix services. The Terminal Servers
Identity Agent identifies users that use a Terminal Server or Citrix environment.
The ACME organization wants to make sure that only the Finance Department
can access the Finance Web server. The current Rule Base uses static IP
addresses to define access for the Finance Department.
Amy, the IT administrator, wants to leverage the use of Endpoint Identity Agents
so:
Finance users will automatically be authenticated one time with SSO when
logging in (using Kerberos which is built-in into Microsoft Active Directory).
Users that roam the organization will have continuous access to the Finance
Web server.
Access to the Finance Web server will be more secure by preventing IP
spoofing attempts.
Amy wants Finance users to download the Endpoint Identity Agent from the
Captive Portal. She needs to configure:
Identity Agents as an identity source for Identity Awareness.
Agent deployment for the Finance department group from the Captive Portal.
She needs to deploy the Full Identity Agent so she can set the IP spoofing
protection. No configuration is necessary on the client for IP spoofing
protection.
A rule in the Rule Base with an access role for Finance users, from all
managed machines and from all locations with IP spoofing protection
enabled.
Figure 88 - Rule
7. Install Policy
The Finance Department user can browse to the Finance Web server, where
the Captive Portal opens because the user is not identified and cannot access the
server.
8. A link to download the Endpoint Identity Agent will be displayed.
9. The user clicks the link to download the Endpoint Identity Agent. The user
automatically connects to the gateway. A window opens asking the user to
trust the server.
Note: The trust window opens because the user connects to the
Security Gateway with Identity Awareness using the File
name based server discovery option. (Note that there are other
server discovery methods that do not require user trust
confirmation).
10. Click OK. The user automatically connects to the Finance Web server. The
user can successfully browse to the Internet for a specified period of time.
Amy, the IT administrator, wants to leverage the use of the Terminal Servers
solution so that:
Sales users will automatically be authenticated with Identity Awareness when
logging in to the Terminal Servers.
All connections to the Internet will be identified and logged.
Access to Facebook will be restricted to the Sales department's users.
Deployment
You can deploy Check Point Security Gateways enabled with Identity Awareness
in various scenarios that provide a maximum level of security for your network
environment and corporate data. This section describes recommended
deployment scenarios and options available with Identity Awareness.
Perimeter security gateway with Identity Awareness - This deployment
scenario is the most common scenario, where you deploy the Check Point
security gateway at the perimeter where it protects access to the DMZ and the
internal network. The perimeter security gateway can also control and inspect
outbound traffic, targeted to the Internet. In this case, you can create an
identity-based firewall security Rule Base together with Application Control
Data Center protection - If you have a Data Center or server farm,
segregated from the users' network, you can protect access to the servers with
the security gateway. To do this, deploy the security gateway inline in front of
the Data Center. All traffic that flows is then inspected by the gateway. You
can control access to resources and applications with an identity-based access
policy. You can deploy the security gateway in transparent mode (bridge
mode) to avoid significant changes in the existing network infrastructure.
Large scale enterprise deployment - In large scale enterprise networks,
there is a need to deploy multiple security gateways at different network
locations, such as the perimeter firewall and multiple Data Centers. Identity
Awareness capability is centrally managed through the Security Management
Server and SmartDashboard. You can distribute the identity-based policy to
all identity aware security gateways in the network. Identity information
about all users and machines obtained by each gateway is shared between all
gateways in the network to provide a complete Identity Awareness
infrastructure.
Network segregation - The security gateway helps you migrate or design
internal network segregation. Identity Awareness lets you control access
between different segments in the network by creating an identity-based
policy. You can deploy the security gateway close to the access network to
avoid malware threats and unauthorized access to general resources in the
global network.
Distributed enterprise with branch offices - The distributed enterprise
consists of remote branch offices connected to the headquarters through VPN
lines. You can deploy the security gateway at the remote branch offices to
avoid malware threats and unauthorized access to the headquarters' internal
network and Data Centers. When you enable Identity Awareness at the branch
office gateway you make sure that users are authenticated before they reach
internal resources. The identity information learned from the branch office
gateways is shared between internal gateways to avoid unnecessary
authentications.
Wireless campus - Wireless networks are not considered secure for
network access; however, they are intensively used to provide access to
wireless-enabled corporate devices and guests. You can deploy a security
gateway enabled with Identity Awareness inline in front of the wireless
switch, provide an identity aware access policy and inspect the traffic that
comes from WLAN users. Identity Awareness gives guests access by
authenticating guests with the web Captive Portal.
Practice Labs
Review
1. Identity Awareness lets you configure network access based on what?
Introduction to Check Point VPNs
Introduction to VPNs
Virtual Private Networking technology leverages the Internet to build and
enhance secure network connectivity. Based on standard Internet secure
protocols, a VPN enables secure links between special types of network nodes:
the Gateways. Site-to-site VPN ensures secure links between Gateways. Remote
Access VPN ensures secure links between Gateways and remote access clients.
Learning Objectives:
Configure a certificate-based site-to-site VPN.
Configure permanent tunnels for remote access to corporate resources.
Configure VPN tunnel sharing, given the difference between host-based,
subnet-based and gateway-based tunnels.
[Figure: VPN deployment overview - Extranet Partners (Clientless VPN, L2TP Client), Corporate Network, Remote Users (IPSec, SecuRemote), Branch Offices (VPN-1 Net Gateway, SmallOffice Appliance)]
VPN Deployments
A VPN uses the Internet as its network backbone, allowing the establishment of
secure communication links among company offices, business partners, and so
on. VPNs are replacing more expensive leased lines, Frame Relay circuits, and
other forms of dedicated connections.
Site-to-Site VPNs
Site-to-site VPNs are built to handle secure communication between a company's
internal departments and branch offices. A site-to-site VPN's design
requirements include:
Strong data encryption, to protect confidential information.
Reliability for mission-critical systems, such as database management.
Scalability, to accommodate growth and change.
[Figure: Site-to-site VPN - DMZ/Public Servers (E-mail, World Wide Web, File Transfer), Internet, Security Gateway to Security Gateway]
Remote-Access VPNs
Remote-access VPNs are built to handle secure communication between a
corporate network, and remote or mobile employees. A remote-access VPN's
design requirements include:
Strong authentication, to verify remote and mobile users.
Centralized management.
Scalability, to accommodate user groups.
[Figure: Remote-access VPN - DMZ/Public Servers (E-mail, World Wide Web, File Transfer), Main Office, Mobile Users, Internet, Security Gateway]
VPN Implementation
A complete VPN implementation supports both VPN categories: Site-to-site and
remote-access VPNs. This allows a company worldwide access to network
resources, links mobile workers to corporate intranets, allows customers to place
orders, and enables suppliers to check inventory levels - all in a highly secure
and cost-effective manner.
[Figure: Complete VPN implementation - Partners, Internet, Security Gateway, Mobile Users]
VPN Trust Entities - For example, the Check Point Internal Certificate
Authority. The ICA is part of the Check Point suite used for establishing trust for
SIC connections between Gateways, authenticating administrators and third party
servers. The ICA provides certificates for internal Gateways and remote access
clients which negotiate the VPN link.
VPN Setup
Configuring a VPN can be a complicated task for Security Administrators. Check
Point's management tools provide a simplified VPN setup mode, reducing the
VPN configuration process to essentials, and making setup straightforward and
simple.
(A VPN site is not to be confused with a site that is defined for Endpoint Security
Secure Access clients.)
Each VPN site performs encryption on behalf of a VPN Domain - the protected
domain or part of the domain requiring encrypted connections to the peer VPN
Site. System Administrators group VPN sites together, creating a VPN
Community. A VPN Community is a collection of VPN sites and the enabled
VPN tunnels (secure connections) among them, with predefined properties that
are automatically applied to each Community member.
VPN Communities
Creating VPN tunnels between Gateways is made easier through the
configuration of VPN Communities. To understand VPN Communities, a
number of terms need to be defined.
VPN Community member - The Gateway that resides at one end of a VPN
tunnel.
VPN Domain - The hosts behind the Gateway; the VPN Domain can be the
whole network that lies behind the Gateway or just a section of that network.
For example, a Gateway might protect the corporate LAN and the DMZ. Only
the corporate LAN needs to be defined as the VPN Domain.
VPN site - Community member plus VPN Domain; a typical VPN site would
be the branch office of a bank.
VPN Community - The collection of VPN tunnels (secure connections) and
their attributes.
Domain-based VPN - Routing VPN traffic based on the VPN Domain
behind each Gateway in the Community; in a star Community, this allows
satellite Gateways to communicate with each other through center Gateways.
Route-based VPN - Traffic routed within the VPN Community based on
the routing information, static or dynamic, configured on the operating
systems of the Gateways.
(Figure: VPN site and VPN tunnel)
The methods used for encryption and ensuring data integrity determine the type
of tunnel created between the Gateways, which in turn is considered a
characteristic of that particular VPN Community.
VPN Topologies
The most basic topology consists of two Gateways capable of creating a VPN
tunnel between them. Security Management Server's support of more complex
topologies enables VPN Communities to be created according to the particular
needs of an organization. Security Management Server supports two main VPN
topologies:
Meshed
Star
Figure 95 - Meshed VPN
(Figure: Star VPN with VPN-1 Central Gateways and VPN-1 Satellite Gateways)
A satellite Gateway cannot create a VPN tunnel with a Gateway that is also
defined as a satellite Gateway.
Central Gateways can create VPN tunnels with other central Gateways only if the
Mesh center Gateways option has been selected in the Central Gateways
window of Star Community Properties.
Choosing a Topology
Which topology to choose for a VPN Community depends on the overall Policy
of the organization. For example, a meshed community is usually appropriate for
an Intranet in which only Gateways that are part of the internally managed
network are allowed to participate; Gateways belonging to company partners are
not.
Combination VPNs
For more complex scenarios, consider a company with headquarters (HQ) in two
countries, London and New York. Each headquarters has a number of branch
offices. The branch offices only need to communicate with the HQ in their
country, not with each other; only the HQs in New York and London need to
communicate directly. To comply with this Policy, define two star Communities,
London and New York. Configure the London and New York Gateways as
"central" Gateways. Configure the Gateways of New York and London branch
offices as "satellites." This allows the branch offices to communicate with the
HQ in their country. Now create a third VPN Community, a VPN mesh consisting
of the London and New York Gateways.
(Figure: London STAR and New York STAR Communities joined by the London-New York MESH)
Topology and Encryption Issues
Issues involving topology and encryption can arise as a result of an organization's
Policy on security; for example, the country in which a branch of the organization
resides may have a national Policy regarding encryption strength. For example,
Policy says the Washington Gateways should communicate using 3DES for
encryption. Policy also states the London Gateways must communicate using the
DES encryption algorithm.
(Figure: Washington mesh inside the London star; the London Gateways use DES)
In this solution, Gateways in the Washington mesh are also defined as satellites in
the London star. In the London star, the central Gateways are meshed. Gateways
in Washington build VPN tunnels with the London Gateways using DES.
Internally, the Washington Gateways build VPN tunnels using 3DES.
(Figure 99: London, New York and Paris Gateways; LONDON-NY MESH)
The London and New York Gateways belong to the London-NY Mesh VPN
Community. To create an additional VPN Community which includes London,
New York, and Paris is not allowed. The London and New York Gateways cannot
appear "together" in more than one VPN Community.
Two Gateways that can create a VPN link between them in one Community can
appear in another VPN Community, provided that they are incapable of creating a
link between them in the second Community.
(Figure: London and New York Gateways in the LONDON-NY MESH and as satellites of the Paris STAR)
In the figure, the London and New York Gateways appear in the London-NY
mesh. These two Gateways also appear as satellite Gateways in the Paris Star
VPN Community. In the Paris Star, satellite Gateways (London and NY) can only
communicate with the central Paris Gateway. Since the London and New York
satellite Gateways cannot open a VPN link between them, this is a valid
configuration.
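As an added example (not from the manual), the following Python models the linking rules described above, including the "Mesh center Gateways" option, and checks a set of Communities for any Gateway pair that could build a tunnel in more than one Community; the Community names and branch Gateways are constructed.

```python
from itertools import combinations

def mesh_links(members):
    # In a meshed Community every pair of Gateways can build a VPN tunnel.
    return {frozenset(pair) for pair in combinations(sorted(members), 2)}

def star_links(centers, satellites, mesh_centers=False):
    # Satellites link only to central Gateways; two satellites never link.
    links = {frozenset((c, s)) for c in centers for s in satellites}
    if mesh_centers:
        # "Mesh center Gateways" option: central Gateways also link to each other.
        links |= mesh_links(centers)
    return links

def conflicting_pairs(communities):
    # Map every linkable pair to the Communities it is linkable in, and report
    # the pairs that could build a tunnel in more than one Community.
    where = {}
    for name, links in communities.items():
        for pair in links:
            where.setdefault(pair, []).append(name)
    return {tuple(sorted(pair)): names
            for pair, names in where.items() if len(names) > 1}

# Constructed scenario 1: the two-HQ design (London star, New York star,
# London-NY mesh). Branch Gateway names are made up.
HQ_DESIGN = {
    "London Star": star_links({"London"}, {"Bristol", "Leeds"}),
    "New York Star": star_links({"New York"}, {"Boston", "Newark"}),
    "London-NY Mesh": mesh_links({"London", "New York"}),
}

# Constructed scenario 2: London and NY reused as satellites of Paris (valid,
# because satellites cannot link to each other in the Paris Star).
PARIS_STAR = {
    "London-NY Mesh": mesh_links({"London", "New York"}),
    "Paris Star": star_links({"Paris"}, {"London", "New York"}),
}

# Constructed scenario 3: a second mesh that also contains London and NY
# (not allowed: the pair would be linkable in two Communities).
PARIS_MESH = {
    "London-NY Mesh": mesh_links({"London", "New York"}),
    "London-NY-Paris Mesh": mesh_links({"London", "New York", "Paris"}),
}

if __name__ == "__main__":
    for label, design in (("HQ", HQ_DESIGN), ("Paris star", PARIS_STAR),
                          ("Paris mesh", PARIS_MESH)):
        print(label, conflicting_pairs(design) or "valid")
```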
Before Gateways can exchange encryption keys and build VPN tunnels, they first
need to authenticate to each other. Gateways authenticate to each other by
presenting one of two types of "credentials":
Certificates - Each Gateway presents a Certificate which contains
identifying information of the Gateway itself, and the Gateway's public key,
both of which are signed by the trusted CA. For convenience, Check Point has
its own Internal CA that automatically issues Certificates for all internally
managed Gateways, requiring no configuration by the user. In addition,
Check Point supports other PKI solutions.
Pre-shared secret - A pre-shared secret is defined for a pair of Gateways. Each
Gateway proves that it knows the agreed-upon pre-shared secret. The pre-
shared secret can be a mixture of letters and numbers, a password of some
kind.
Considered more secure, Certificates are the preferred means. In addition, since
the Internal CA on the Security Management Server automatically
provides a Certificate to each Check Point Gateway it manages, it is more
convenient to use this type of authentication.
VPN routing provides a way of controlling how VPN traffic is directed. There are
two methods for VPN routing:
Domain-based VPN
Route-based VPN
Domain-Based VPN
This method routes VPN traffic based on the VPN Domain behind each Gateway
in the Community. In a star Community, this allows satellite Gateways to
communicate with each other through center Gateways. Configuration for
domain-based VPN is performed directly through SmartDashboard.
Route-Based VPN
Traffic is routed within the VPN Community based on the routing information, static
or dynamic, configured on the operating systems of the Gateways. VPN
Tunnel Interfaces (VTIs) are used to implement route-based VPNs.
(Figure: VPN Site with an Internal Web Server behind Gateway 2, and a Web Server on the Internet)
The configuration of the Gateways into a VPN Community means that if these
Gateways are allowed to communicate via an access-control Policy, then that
communication is encrypted. Access control is configured in the Rule Base.
Using the VPN column of the Rule Base, it is possible to create access-control
rules that apply only to members of a VPN Community, for example:
Source | Destination | VPN | Service | Action
It is also possible for a rule in the Rule Base to be relevant for both VPN
Communities and host machines not in the Community.
The rule in the Rule Base allows an HTTP connection between any internal IP
to any IP.
Source | Destination | VPN | Service | Action
In the figure, an HTTP connection between Host 1 and the Internal Web Server
behind Gateway 2 matches this rule. A connection between Host 1 and the Web
Server on the Internet also matches this rule; however, the connection between
Host 1 and the Internal Web Server is a connection between members of a VPN
Community and passes encrypted; the connection between Host 1 and the
Internet Web Server passes in the clear.
In both cases, the connection is simply matched to the rule; whether or not the
connection is encrypted is dealt with on the VPN level. VPN is another level of
security separate from the access-control level.
Access Control and VPN Communities
Excluded Services
In the VPN Communities Properties> Excluded Services window, you can
select services that are not to be encrypted, for example control connections.
Services in the clear means "do not make a VPN tunnel for this connection".
Note that Excluded Services is not supported when using route-based VPN.
(Rule Base screenshot: rules for Site to site VPN, Remote access and Internet server; services ftp-port, http, CIFS, https)
In the Rule Base above, several rules are shown. The first rule allows cleartext
Telnet traffic to pass each way between net-oslo and net-madrid. The second
rule allows encrypted FTP traffic to pass each way between the two networks.
Although the second rule is an encryption rule, the Administrator cannot
configure the Action column for encryption. The only actions available in the
Simplified Mode of the Rule Base are as follows:
accept
drop
reject
Legacy > User Auth
Legacy > Client Auth
Legacy > Session Auth
The presence of a VPN Community in the VPN column means "if all other fields
match and the traffic is encrypting or decrypting into/out of a tunnel that is part of
this community, match it. If the traffic is passing in the clear or encrypting/
decrypting into a different VPN community's tunnel, don't match it." The decision
about whether to encrypt or not is made by the VPN domain definitions (i.e. if the
source IP is in this firewall's VPN domain *AND* the destination IP address is in
a peer's VPN domain, encrypt it; otherwise let it go in the clear).
So a rule with "Any" in the VPN column will match both cleartext traffic and
encrypting/decrypting VPN traffic into any VPN Community.
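As an added example, not from the manual, this Python model applies the VPN-column semantics just described together with the domain-based encrypt decision, so the same connection can be seen matching a rule while being encrypted or passing in the clear; the Gateway names, VPN Domains, Community name and rules are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (not from the manual): each Gateway's VPN Domain and the
# one Community both Gateways belong to.
VPN_DOMAINS = {"Gateway1": ip_network("10.1.0.0/16"),
               "Gateway2": ip_network("10.2.0.0/16")}
COMMUNITY = "MyIntranet"
MEMBERS = {"Gateway1", "Gateway2"}

# Constructed Simplified Mode Rule Base; src/dst are "Any" or a CIDR string.
RULES = [
    {"name": "intranet-ftp", "src": "Any", "dst": "Any", "vpn": COMMUNITY,
     "service": "ftp", "action": "accept"},
    {"name": "web-out", "src": "10.1.0.0/16", "dst": "Any", "vpn": "Any",
     "service": "http", "action": "accept"},
    {"name": "cleanup", "src": "Any", "dst": "Any", "vpn": "Any",
     "service": "Any", "action": "drop"},
]

def tunnel_community(src, dst, local_gw="Gateway1"):
    # Domain-based decision taken at the VPN level, separately from the Rule
    # Base: encrypt only if src is in this firewall's VPN Domain AND dst is in
    # a peer member's VPN Domain; otherwise the connection goes in the clear.
    if ip_address(src) not in VPN_DOMAINS[local_gw]:
        return None
    for peer in MEMBERS - {local_gw}:
        if ip_address(dst) in VPN_DOMAINS[peer]:
            return COMMUNITY
    return None

def _field_matches(wanted, value):
    if wanted == "Any":
        return True
    if "/" in wanted:                      # network object
        return ip_address(value) in ip_network(wanted)
    return wanted == value                 # service name

def rule_matches(rule, src, dst, service, community):
    # A Community name in the VPN column matches only traffic encrypted into /
    # decrypted out of that Community's tunnels; "Any" matches cleartext traffic
    # and traffic of any Community alike.
    return (_field_matches(rule["src"], src) and _field_matches(rule["dst"], dst)
            and _field_matches(rule["service"], service)
            and rule["vpn"] in ("Any", community))

def evaluate(src, dst, service):
    # The first matching rule decides accept/drop; whether the connection is
    # encrypted is decided by tunnel_community(), not by the rule.
    community = tunnel_community(src, dst)
    for rule in RULES:
        if rule_matches(rule, src, dst, service, community):
            return {"rule": rule["name"], "action": rule["action"],
                    "encrypted": community is not None}
    return {"rule": None, "action": "drop", "encrypted": community is not None}

if __name__ == "__main__":
    print(evaluate("10.1.0.5", "10.2.0.10", "http"))    # web-out, encrypted
    print(evaluate("10.1.0.5", "203.0.113.80", "http"))  # web-out, in the clear
```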
Types of tunnels and the number of tunnels can be managed with the following
features:
Permanent Tunnels - This feature keeps VPN tunnels active, allowing real-
time monitoring capabilities.
VPN Tunnel Sharing - This feature provides greater interoperability and
scalability between Gateways. It also controls the number of VPN tunnels
created between peer Gateways.
The status of all VPN tunnels can be viewed in SmartView Monitor. For more
information on monitoring, see the SmartView Monitor user guide.
Permanent Tunnels
Each VPN tunnel in the Community may be set to be a permanent tunnel. Since
permanent tunnels are constantly monitored, if the VPN tunnel fails, then a log,
alert, or user defined-action can be issued. A VPN tunnel is monitored by
periodically sending "tunnel test" packets. As long as responses to the packets are
received, the VPN tunnel is considered "up." If no response is received within a
given time period, the VPN tunnel is considered "down." Permanent tunnels can
only be established between Check Point Gateways. The configuration of
permanent tunnels takes place on the Community level and:
Can be specified for an entire Community. This option sets every VPN tunnel
in the Community as permanent.
Can be specified for a specific Gateway. Use this option to configure specific
Gateways to have permanent tunnels.
Can be specified for a single VPN tunnel. This feature allows configuring
specific tunnels between specific Gateways as permanent.
Tunnel testing is a proprietary Check Point protocol that is used to test if VPN
tunnels are active. A packet has an arbitrary length, with only the first byte
containing meaningful data. This is the type field.
Tunnel testing requires two Gateways: one configured to Ping and one to
respond. The Pinging Gateway uses the VPN daemon to send encrypted tunnel-
testing packets to Gateways configured to listen for them. A responder Gateway
is configured to listen on port 18234 for the special tunnel-testing packets.
The Pinging Gateway sends type 1 or 3. The responder sends a packet of identical
length with type 2 or 4, respectively. During the connect phase, tunnel-testing is
used in two ways:
1. A connect message is sent to the Gateway. Receipt of a connect message is
the indication that the connection succeeded. The connect messages are
retransmitted for up to 10 seconds after the IKE negotiation is over, if no
response is received.
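An added example (not Check Point's code) that models the tunnel-test exchange described above: the request/response type pairing and identical-length reply on the responder side, and the up/down decision on the pinging side; the packet length, timeout and timeline are constructed, and the transport is simulated in-process rather than sent to port 18234.

```python
import os

TUNNEL_TEST_PORT = 18234          # responder listens here (from the manual)
RESPONSE_TYPE = {1: 2, 3: 4}      # request type byte -> expected reply type byte

def make_test_packet(req_type, length=64):
    # Only the first byte (the type field) carries meaning; the remaining
    # bytes are arbitrary padding, so the length itself is a constructed choice.
    if req_type not in RESPONSE_TYPE:
        raise ValueError("tunnel-test request type must be 1 or 3")
    return bytes([req_type]) + os.urandom(length - 1)

def respond(packet):
    # Responder Gateway: reply with a packet of identical length whose type is
    # 2 (for a type 1 request) or 4 (for type 3); anything else gets no reply.
    if not packet or packet[0] not in RESPONSE_TYPE:
        return None
    return bytes([RESPONSE_TYPE[packet[0]]]) + packet[1:]

def is_valid_response(request, response):
    return (response is not None and len(response) == len(request)
            and response[0] == RESPONSE_TYPE.get(request[0]))

class TunnelMonitor:
    # Pinging Gateway view of one permanent tunnel: "up" while valid replies
    # keep arriving, "down" once none has arrived within `timeout` seconds.
    def __init__(self, timeout=10.0):
        self.timeout = timeout
        self.state = "up"
        self.last_reply = 0.0
        self.events = []          # (time, new state) for a log/alert hook

    def probe(self, now, deliver):
        # `deliver` stands in for sending the request through the encrypted
        # tunnel to the responder; it returns the reply bytes or None.
        request = make_test_packet(1)
        if is_valid_response(request, deliver(request)):
            self.last_reply = now
            if self.state == "down":
                self.state = "up"
                self.events.append((now, "up"))
        elif self.state == "up" and now - self.last_reply >= self.timeout:
            self.state = "down"
            self.events.append((now, "down"))
        return self.state

def simulate():
    # Constructed timeline: probe every 5 s; the peer answers until t=30,
    # is silent until t=50, then answers again.
    def healthy(req):
        return respond(req)
    def silent(req):
        return None
    mon = TunnelMonitor(timeout=10)
    states = []
    for t in range(0, 60, 5):
        deliver = healthy if (t < 30 or t >= 50) else silent
        states.append((t, mon.probe(float(t), deliver)))
    return states, mon.events
```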
of hosts and a Community that was set to One VPN Tunnel per subnet pair,
would follow One VPN Tunnel per each pair of hosts.
Check Point's IPsec VPN Software Blade is an integrated software solution that
provides secure connectivity to corporate networks, remote and mobile users,
branch offices and business partners. The blade integrates access control,
authentication and encryption to guarantee the security of network connections
over the public Internet.
The IPsec VPN Software Blade provides flexibility to design a solution to meet
corporate needs with a number of remote access VPN client choices:
Check Point Endpoint Security - Check Point Endpoint Security is the first
and only single agent that combines all critical components for total security on
the endpoint while maintaining a transparent user experience. Market-leading
data security prevents corporate data loss, while collaborative endpoint and
network protections reduce complexity and cost. Unique features include Check
Point WebCheck, which secures endpoints against web-based threats, and Check
Point OneCheck, which offers a secure single login for endpoint security
functions.
SSL Network Extender - SSL connections are a great remote access solution
because they do not require IT departments to upgrade and manage client
software. All a user needs is a Web browser. However, remote users still need to
access network applications. SSL Network Extender (SNX) is a browser plug-in
that provides clientless remote access, while delivering full network connectivity
for any IP-based application.
SSL Network Extender adds SSL VPN functionality to the IPSec VPN
capabilities of Check Point Security Gateways, simplifying remote access
deployment while providing maximum flexibility for any type of remote access
scenario.
Office Mode - Addresses routing issues between the client and the Gateway by
encapsulating IP packets with the remote user's original IP address, thereby
enabling users to appear as if they were "in the office" while connecting
remotely. Office Mode also provides enhanced antispoofing by ensuring that the
IP address encountered by the Gateway is authenticated and assigned to the user.
Visitor Mode - Enables employees to access resources while they are working
at a remote location such as a hotel or a customer office, where Internet
connectivity may be limited to Web browsing using the standard HTTP and
HTTPS ports. The client tunnels all client-to-Gateway traffic through a regular
TCP connection on port 443.
(Figure: VPN site 1 and the Remote Client connecting over the Internet)
After the IKE negotiation ends successfully, a secure connection (a VPN tunnel)
is established between the client and the Gateway. All connections between the
client and the Gateway's VPN domain (the LAN behind the Gateway) are
encrypted inside this VPN tunnel, using the IPSec standard. Except for when the
user is asked to authenticate in some manner, the VPN establishment process is
transparent.
1. The remote user initiates a connection to Gateway 1.
2. The user is not authenticated via the VPN database, but an LDAP server
belonging to VPN Site 2.
3. Gateway 1 verifies that the user exists by querying the LDAP server behind
Gateway 2.
4. Once the user's existence is verified, the Gateway then authenticates the user;
for example, by validating the user's certificate.
5. Once IKE is successfully completed, a tunnel is created; the remote client
connects to Host 1.
Practice Labs
Review
1. What is a VPN Community?
APPENDIX: Chapter Questions and Answers
Chapter Questions and Answers
Review
1. What is the strength of Check Point's Stateful Inspection technology?
The contents of the packet are examined, not just the header information.
The state of the connection is monitored.
3. What is the main purpose for the Security Management Server? Which func-
tion is it necessary to perform on the Security Management Server when
incorporating Security Gateways into the network?
Used by the Security Administrator, the Security Management Server manages
the Security Policy. In order to perform that role, the Security Management
Server must establish SIC with other components, so that communication is
verified and management can be performed on any component on the network.
Chapter 2 - Deployment Platforms
Chapter Questions and Answers
Review
1. What is a VPN Community?
A collection of VPN enabled Gateways capable of communication via VPN
tunnels.
www.checkpoint.com/services/education/
P/N 705320