1 Day Training on Firewall

In compliance with ISO-9001 Cost Effective Quality Manpower Training Services 1 Day Training on Firewall


Agenda

1) HA
2) NAT
3) QoS
4) SSL VPN for Mobile Clients
5) IPSec VPN
6) Licensing
7) Traffic monitoring
8) Dual ISP fail over
9) Advanced Troubleshooting
10) New features in Gaia.


High Availability

• Networks carry information that is the lifeblood of your business, often making network outages or degraded performance unacceptable. To help ensure business continuity and balanced performance, several high availability solutions are available for IP appliances. Virtual Router Redundancy Protocol (VRRP) and patented IP clustering technology provide robust and scalable high availability for IP appliances. These technologies allow several independent IP appliances to join together for a common security goal as one virtual machine.


• When using VRRP, at least one active appliance and a hot-standby are deployed as a cluster. The backup appliance is ready to assume any active appliance functions in case of any failures. In addition to processing network traffic in parallel, IP clustered appliances share information about the context of that traffic to enable the cluster to survive the failure or degradation of any of its individual appliances. By dividing and conquering, clustering can allow several appliances to work in concert to take on a task that would tax any single member. And all the appliances can be centrally managed from one location. VRRP, IP Clustering and external load balancers are supported across all IP appliances.


Key benefits

• High Availability – Limits any disruption to network uptime should a security appliance face unforeseen performance issues. Transparently redistributes workloads to surviving cluster appliances without impacting communication throughout the cluster.

• Scalability – Enables security administrators to improve performance and adapt to increasing traffic by adding cluster members that divide the workload among more appliances for efficient processing.


• Resiliency and fault tolerance – Avoids simultaneous failures through clustering, and makes active IP appliance maintenance possible through workload redistribution. Administrators can perform transparent "rolling upgrades," in which nodes are gracefully removed from the cluster, upgraded, and reinserted, all without any disruption to end-user operations.


Features

• High Availability across all IP Appliances

Check Point IP appliances offer a range of high availability technologies to ensure critical services remain live under the most demanding conditions. Customers can choose from Virtual Router Redundancy Protocol (VRRP), patented high-performance IP Clustering technology, or external load balancers for their high availability requirements. Using these advanced technologies avoids network downtime and the related loss of productivity, customer frustration, or negative impact on business reputation.


• Virtual Router Redundancy Protocol (VRRP) – VRRP allows two or more IP appliances to represent a single virtual IP appliance, with only one functioning as a firewall at any given time. If the IP appliance routing data on behalf of the virtual IP appliance fails, another physical IP appliance automatically takes over its role. Network traffic continues with minimal or no disruption.


• IP Clustering – IP Clustering technology allows up to four devices to act as a single network entity, sharing one internal and one external IP address. IP packet processing is distributed among all cluster member gateways to achieve equal member processing loads. By its nature, IP Clustering adds scalability: when the cluster is reaching its capacity limits, additional cluster members can be added to increase performance. IP Clustering also provides sub-second fail-over, while VRRP fail-over to the standby appliance usually takes a few seconds.

• IP Platforms also support external load balancers.


NAT (Network Address Translation)

• NAT (Network Address Translation) is a feature of the Firewall Software Blade and replaces IPv4 and IPv6 addresses to add more security. You can enable NAT for all SmartDashboard objects to help manage network traffic. NAT protects the identity of a network and does not show internal IP addresses to the Internet. You can also use NAT to supply more IPv4 addresses for the network.


• The Firewall can change both the source and destination IP addresses in a packet. For example, when an internal computer sends a packet to an external computer, the Firewall translates the source IP address to a new one. When the packet comes back from the external computer, the Firewall translates the new IP address back to the original IP address, so the packet from the external computer goes to the correct internal computer.


How Security Gateways Translate Traffic

• A Security Gateway can use these procedures to translate IP addresses in your network:

• Static NAT - Each internal IP address is translated to a different public IP address. The Firewall can allow external traffic to access internal resources.

• Hide NAT - The Firewall uses port numbers to translate all specified internal IP addresses to a single public IP address and hides the internal IP structure. Connections can only start from internal computers; external computers CANNOT access internal servers. The Firewall can translate up to 50,000 connections at the same time from external computers and servers.


• Hide NAT with Port Translation - Use one IP address and let external users access multiple application servers in a hidden network. The Firewall uses the requested service (or destination port) to send the traffic to the correct server. A typical configuration can use these ports: FTP server (port 21), SMTP server (port 25) and an HTTP server (port 80). It is necessary to create manual NAT rules to use Port Translation.
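As an added illustration that is not part of the original training material or of any Check Point code, the following Python model applies the three translation procedures above (Static NAT, Hide NAT, Hide NAT with Port Translation) to constructed packets. It shows the point the slides make about exposure: a host behind Hide NAT can only be reached from outside as a reply to a connection it opened itself, or through an explicit manual port-translation rule. All addresses (RFC 5737 documentation ranges), port numbers and the class and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample addressing (RFC 5737 documentation ranges), not a real deployment.
HIDE_IP = "203.0.113.1"                                  # single public address for Hide NAT
STATIC_MAP = {"10.0.0.10": "203.0.113.10"}               # Static NAT: internal -> public, one-to-one
PORT_FORWARD = {21: "10.0.0.21", 25: "10.0.0.25", 80: "10.0.0.80"}  # Hide NAT with Port Translation

Endpoint = Tuple[str, int]           # (ip address, port)
Packet = Tuple[Endpoint, Endpoint]   # (source, destination)


@dataclass
class NatGateway:
    hide_ip: str = HIDE_IP
    static_map: Dict[str, str] = field(default_factory=lambda: dict(STATIC_MAP))
    port_forward: Dict[int, str] = field(default_factory=lambda: dict(PORT_FORWARD))
    next_hide_port: int = 10000
    # Hide NAT connection state: translated (hide_ip, port) -> original internal endpoint
    hide_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Packet:
        """Translate the source of a packet leaving the internal network."""
        ip, port = src
        if ip in self.static_map:                          # Static NAT: swap the address, keep the port
            return (self.static_map[ip], port), dst
        for public, original in self.hide_table.items():   # reuse state for an existing flow
            if original == src:
                return public, dst
        public = (self.hide_ip, self.next_hide_port)       # Hide NAT: shared address, unique port
        self.next_hide_port += 1
        self.hide_table[public] = src
        return public, dst

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Packet]:
        """Translate the destination of a packet arriving from the Internet.
        Returns None when neither a rule nor existing state maps it to an internal
        host, which is how hidden hosts stay unreachable from outside."""
        ip, port = dst
        public_to_internal = {v: k for k, v in self.static_map.items()}
        if ip in public_to_internal:                       # Static NAT host is reachable on any port
            return src, (public_to_internal[ip], port)
        if dst in self.hide_table:                         # reply to a connection a hidden host opened
            return src, self.hide_table[dst]
        if ip == self.hide_ip and port in self.port_forward:   # manual port-translation rule
            return src, (self.port_forward[port], port)
        return None
```

The model keys Hide NAT state on the translated port only, which is enough to show the asymmetry; a real gateway also tracks protocol and peer so that replies from a different peer cannot ride on another flow's state.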


QoS

• Check Point's QoS is a policy-based QoS management solution from Check Point Software Technologies Ltd. that satisfies your needs for a bandwidth management solution. QoS is a unique, software-only application that manages traffic end-to-end across networks by distributing enforcement throughout network hardware and software.


• QoS enables you to prioritize business-critical traffic, such as ERP, database and Web services traffic, over less time-critical traffic. QoS allows you to guarantee bandwidth and control latency for streaming applications, such as Voice over IP (VoIP) and video conferencing. With highly granular controls, QoS also enables guaranteed or priority access to specific employees, even if they are remotely accessing network resources through a VPN tunnel.


• QoS is deployed with the Security Gateway. These integrated solutions provide QoS for both VPN and unencrypted traffic to maximize the benefit of a secure, reliable, low-cost VPN network.

• QoS leverages the industry's most advanced traffic inspection and bandwidth control technologies. Check Point-patented Stateful Inspection technology captures and dynamically updates detailed state information on all network traffic. This state information is used to classify traffic by service or application. After a packet has been classified, QoS is applied to the packet by means of an innovative, hierarchical Weighted Fair Queuing (WFQ) algorithm to precisely control bandwidth allocation.


QoS provides the following features and benefits:

• Flexible QoS policies with weights, limits and guarantees: QoS enables you to develop basic policies specific to your requirements. These basic policies can be modified at any time to incorporate any of the Advanced QoS features described in this section.

• Integration with the Security Gateway: optimize network performance for VPN and unencrypted traffic. The integration of an organization's security and bandwidth management policies enables easier policy definition and system configuration.

• Performance analysis through SmartView Tracker: monitor the performance of your system by means of log entries recorded in SmartView Tracker.


• Integrated DiffServ support: add one or more Diffserv Classes of Service to the QoS Policy Rule Base.

• Integrated Low Latency Queuing: define special classes of service for "delay sensitive" applications like voice and video to the QoS Policy Rule Base.

• Integrated Authenticated QoS: provide QoS for end-users in dynamic IP environments, such as remote access and DHCP environments.

• Integrated Citrix MetaFrame support: deliver a QoS solution for the Citrix ICA protocol.

• No need to deploy separate VPN, Firewall and QoS devices: QoS and Firewall share a similar architecture and many core technology components, therefore users can utilize the same user-defined network objects in both solutions.

• Proactive management of network costs: QoS's monitoring systems enable you to be proactive in managing your network and thus controlling network costs.

• Support for end-to-end QoS for IP networks: QoS offers complete support for end-to-end QoS for IP networks by distributing enforcement throughout network hardware and software.
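As an added example that is not from the original slides or from Check Point's implementation, the Python below works through what "weights, limits and guarantees" mean for the Weighted Fair Queuing allocation described earlier in this section. It uses a single-level progressive-filling fair share expressed in bandwidth figures rather than per-packet scheduling, which is a simplification of hierarchical WFQ; the class names, weights and kbit/s figures in the sample policy, and the allocate/demo function names, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example: class names, weights and bandwidth figures are assumptions, not a real policy.


@dataclass
class QosClass:
    name: str
    weight: int                    # relative share of bandwidth left after guarantees
    demand: float                  # kbit/s the class would use if unconstrained
    guarantee: float = 0.0         # kbit/s reserved for the class before weighting
    limit: Optional[float] = None  # hard cap in kbit/s; None means uncapped


def _cap(c: QosClass) -> float:
    """Most a class can ever receive: its demand, or its limit if that is lower."""
    return c.demand if c.limit is None else min(c.demand, c.limit)


def allocate(classes: List[QosClass], link_kbps: float) -> Dict[str, float]:
    """Single-level weighted fair share with guarantees and limits (progressive filling).
    1. Each class first receives its guarantee (never more than it can use).
    2. Leftover bandwidth is split among unsatisfied classes in proportion to weight;
       a class that reaches its demand or limit drops out and its unused share is
       redistributed to the others in the next round."""
    alloc = {c.name: min(c.guarantee, _cap(c)) for c in classes}
    remaining = link_kbps - sum(alloc.values())
    if remaining < 0:
        raise ValueError("guarantees exceed link capacity")
    active = [c for c in classes if _cap(c) - alloc[c.name] > 1e-9]
    while remaining > 1e-9 and active:
        total_weight = sum(c.weight for c in active)
        round_budget = remaining
        for c in active:
            share = round_budget * c.weight / total_weight
            give = min(share, _cap(c) - alloc[c.name])   # never exceed demand or limit
            alloc[c.name] += give
            remaining -= give
        active = [c for c in active if _cap(c) - alloc[c.name] > 1e-9]
    return {name: round(kbps, 3) for name, kbps in alloc.items()}


SAMPLE_POLICY = [
    QosClass("voip", weight=10, demand=300, guarantee=200, limit=300),  # delay-sensitive, reserved floor
    QosClass("web",  weight=30, demand=800),                             # business-critical, highest weight
    QosClass("bulk", weight=10, demand=800, limit=100),                  # background transfers, hard cap
]


def demo(link_kbps: float = 1000) -> Dict[str, float]:
    """Allocation of the sample policy on a constructed link of link_kbps kbit/s."""
    return allocate(SAMPLE_POLICY, link_kbps)
```

On the 1000 kbit/s sample link the guarantee keeps voip at its floor, the cap stops bulk at 100 regardless of its weight, and the bandwidth bulk could not use is redistributed to web in the second round; on a 500 kbit/s link the same policy degrades proportionally while voip still keeps at least its 200 kbit/s guarantee.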


SSL VPN for Mobile Clients

• Check Point Mobile Access Software Blade is the safe and easy solution to connect to corporate applications over the internet with your Smartphone, tablet or PC. The solution provides enterprise-grade remote access via both Layer-3 VPN and SSL VPN, allowing you simple, safe and secure connectivity to your email, calendar, contacts and corporate applications.

• Simply connect from mobile devices
– Secure connectivity for smartphones, tablets, PCs and laptops
– Provides client-based and web-based VPN connectivity
– Easy access for mobile workers using managed or unmanaged devices


• Keeps your data secure
– Communicate securely with proven encryption technology
– Verify authorized users with two-factor authentication and User-Device pairing

• Unified management for simple deployment and administration
– Fully integrated with Check Point Security Policy Manager
– Activate user-certificates with one click
– Deploy and configure the Mobile Access Software Blade on your existing Security Gateway


IPSec VPN

• Secure VPN connectivity for remote and mobile users, branch offices

• Simple, centralized management of remote access and site-to-site VPNs

• Enhanced IPSec VPN security against Denial of Service (DoS) attacks

• Security policy may be applied in varying degrees based on encryption level

• Flexibility to build the VPN solution that meets your specific needs


• Multiple remote access VPN connectivity modes to support road warriors

• Comprehensive set of remote access VPN client choices

• Multiple VPN creation methods, including route-based and domain-based VPNs

• Integrated into Check Point Software Blade Architecture

• Simple activation of IPSec VPN on any Check Point security gateway

• Centralized logging and reporting via a single console


Licensing

• If you have not yet migrated to Software Blade licenses, use the migration options from Check Point’s website. Migration to Software Blades is free of charge to purchasers of the Software Subscription service (Enterprise Base Support).

• Licenses are required for management servers and Security Gateways.

• Check Point software is activated using a certificate key. The certificate key is used to generate a license key for products that you want to evaluate or purchase. To purchase Check Point products, contact your reseller.


To get a license key from the Check Point User Center:

• Add the required Check Point products/evaluations to your User Center account: select Accounts & Products > Add Products.

• Generate a license key for your products/evaluations: select Accounts & Products > Products.

• Select your products and click Activate License. The selected product evaluations are assigned license keys.

• Complete installation and configuration:
– Read and accept the End Users License Agreement.
– Import the product license key, using the Check Point Configuration Tool or SmartUpdate to import the license. SmartUpdate lets you centrally upgrade and manage Check Point software and licenses.

The certificate keys associate the product license with the Security Management server:

• The new license remains valid even if the IP address of the Security Gateway changes.

• Only one IP address is needed for all licenses.

• A license can be detached from one Security Gateway and assigned to another.


Licensing Multi-Domain Security Management

• Multi-Domain Security Management licenses are associated with the IP address of the licensed entity.

• To add a Management domain, you must add a Domain license to Multi-Domain Security Management.

• To add a Management Software Blade to a Multi-Domain Server, you must add the required blade licenses to Multi-Domain Security Management.

• Multi-Domain Security Management licenses can be imported using the Check Point command-line licensing tool or the SmartDomain Manager.


Traffic monitoring

• The Check Point Monitoring Software Blade presents a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events. The Software Blade centrally monitors Check Point devices and alerts to changes to gateways, endpoints, tunnels, remote users and security activities.


• Comprehensive network security monitoring for faster response to threats
– Real-time information on Check Point products
– Monitor connectivity between gateways and remote user traffic
– Cooperative Enforcement® verifies connections from internal and remote hosts

• Simplified network security management for maximum efficiencies
– Single management console with predefined and customizable interfaces
– Detailed or summary graphs and charts for analysis of traffic patterns
– Automatically modify access privileges upon detection of suspicious activity


• Integrated into Check Point Software Blade Architecture
– Activate network security monitoring on any Check Point Security Management server
– Supported on Check Point Appliances and open servers


• Gateway Monitoring – The Monitoring Software Blade provides real-time information on Check Point gateways in the organization. Custom and predefined queries enable administrators to view in-depth information, such as system data, network activity, policy and license status about specific gateways.

• Network Traffic Monitoring – The Monitoring Software Blade also delivers a comprehensive view of network usage. It can generate detailed or summary graphs and charts for analysis of network traffic patterns, audit and estimate costs of network use, identify departments and users that generate the most traffic, and detect and monitor suspicious activity.


• Suspicious Activity Monitoring and Alerts – The Monitoring Software Blade integrates the Check Point suspicious activity monitoring protocol for modifying access privileges upon detection of any suspicious network activity, such as attempts to gain unauthorized access. Alerts can also be automatically sent to administrators for certain predefined system events such as when free disk space is below an acceptable threshold or if a security policy has been changed. These alerts point to potential system security threats and provide information to assist in avoiding, minimizing or recovering from damage.


• VPN Tunnel Monitoring – The Monitoring Software Blade enables system administrators to monitor connectivity between gateways. Permanent tunnels can be set up between Check Point gateways where uninterrupted connectivity is critical to the organization’s business. By constantly monitoring the status of VPN tunnels, including inbound and outbound tunnel traffic, the Monitoring Software Blade enables administrators to track normal tunnel function so that malfunctions and connectivity problems can be quickly assessed and resolved.


• Remote User Monitoring – The monitoring of remote users offers valuable information for identifying and troubleshooting remote connectivity issues. The Monitoring Software Blade provides comprehensive information on various aspects of remote user traffic, such as current open sessions, overlapping sessions, route traffic and connection time.

• Cooperative Enforcement Monitoring – The Cooperative Enforcement monitoring feature utilizes the endpoint security server compliance capability to verify connections arriving from internal and remote hosts across the network. The logs generated for authorized and unauthorized hosts can be monitored via the Monitoring Software Blade.


• Flexible, Graphical Reporting – Using custom or predefined queries, administrators can drill down on a specific segment of traffic or specific gateways to isolate factors that may be affecting network performance. Multiple views can be displayed within the same window and viewed side-by-side to enable easy diagnoses of traffic or security problems.

• Tight Integration with Check Point Products – The Monitoring Software Blade is part of Check Point Security Management solutions, a suite of powerful applications for centrally configuring, managing and monitoring Check Point perimeter, internal, Web and endpoint security gateways. This integration results in reduced complexity and lowers total cost of ownership.


• Integrated into Check Point Software Blade Architecture – The Monitoring Software Blade is integrated into the Software Blade Architecture. It can be easily and rapidly activated on existing Check Point Appliances or open server platforms, saving time and reducing costs by leveraging existing security infrastructure.

– Full integration into the modular Software Blade Architecture allows for rapid and easy activation on any Check Point Security Management server.


ISP Redundancy

• Make Internet connectivity more reliable with ISP Redundancy. This connects a Security Gateway or cluster member to the Internet through redundant Internet Service Provider (ISP) links.

Figure legend: (1) Security Gateway; (2) Link A to the ISP; (3) Link B to the ISP.


• ISP Redundancy monitors the links and directs the connection. You can configure this choice to be for Load Sharing or Primary/Backup.
– Load Sharing: Uses the two links with a distributed load of connections going out from the Security Gateway. Connections coming in are alternated. You can configure best relative loads for the links (set a faster link to handle more load). New connections are randomly assigned to a link. If one link fails, the other takes the load.
– Primary/Backup: Uses one link for connections going out from the Security Gateway and coming in. It switches to the backup if the primary link fails. When the primary link is restored, new connections are assigned to it. Existing connections continue on the backup link until they are complete.
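As an added example, not taken from the training material or from Check Point's ISP Redundancy implementation, the Python below models the two modes just described for outgoing connections: weighted random assignment with failover for Load Sharing, and a primary link with fallback for Primary/Backup, where connections that moved to the backup stay there after the primary returns while new connections go back to the primary. Link names, weights, connection identifiers and the class and function names are constructed for the example.

```python
import random
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed model: link names, weights and connection ids are assumptions, not a real gateway.


@dataclass
class IspLink:
    name: str
    weight: int = 1      # relative load for Load Sharing (a faster link gets a higher weight)
    up: bool = True


@dataclass
class IspRedundancy:
    """Models the two ISP Redundancy modes, 'load_sharing' and 'primary_backup'.
    In primary_backup mode links[0] is the primary and links[1] the backup."""
    links: List[IspLink]
    mode: str
    rng: random.Random = field(default_factory=lambda: random.Random(0))  # seeded for repeatability
    conn_table: Dict[str, str] = field(default_factory=dict)              # connection id -> link name

    def _up_links(self) -> List[IspLink]:
        return [link for link in self.links if link.up]

    def route(self, conn_id: str) -> Optional[str]:
        """Return the link carrying conn_id, assigning one if the connection is new.
        An existing connection keeps its link (a connection on the backup stays there
        after the primary is restored). None means every link is down."""
        if conn_id in self.conn_table:
            return self.conn_table[conn_id]
        up = self._up_links()
        if not up:
            return None
        if self.mode == "load_sharing":
            chosen = self.rng.choices(up, weights=[link.weight for link in up], k=1)[0]
        elif self.mode == "primary_backup":
            chosen = up[0]   # the primary if it is up, otherwise the backup
        else:
            raise ValueError(f"unknown mode {self.mode!r}")
        self.conn_table[conn_id] = chosen.name
        return chosen.name

    def set_link_state(self, name: str, up: bool) -> None:
        """Link monitor callback: when a link fails, its connections move to a surviving link."""
        for link in self.links:
            if link.name == name:
                link.up = up
        if not up:
            for conn_id, link_name in list(self.conn_table.items()):
                if link_name == name:
                    del self.conn_table[conn_id]
                    self.route(conn_id)   # re-assign using whatever is still up


def load_sharing_distribution(n: int = 1000) -> Counter:
    """How n new connections spread over two links weighted 3:1 (constructed sample)."""
    isp = IspRedundancy([IspLink("A", weight=3), IspLink("B", weight=1)], "load_sharing")
    return Counter(isp.route(f"conn{i}") for i in range(n))


def primary_backup_walkthrough() -> Dict[str, str]:
    """Failure and restoration of the primary link in primary_backup mode."""
    isp = IspRedundancy([IspLink("A"), IspLink("B")], "primary_backup")
    isp.route("c1")                     # c1 goes out on primary A
    isp.set_link_state("A", up=False)   # primary fails: c1 is moved to B
    isp.route("c2")                     # opened while A is down: B
    isp.set_link_state("A", up=True)    # primary restored
    isp.route("c3")                     # new connection returns to A; c1 and c2 stay on B
    return dict(isp.conn_table)
```

The walkthrough returns c1 and c2 on B and c3 on A, which is exactly the "existing connections continue on the backup link" behaviour in the slide; the load-sharing count with a fixed seed lands near a 3:1 split, which is what a weighted random assignment should produce over many connections.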


Check Point GAiA

• Check Point GAiA™ is the unified cutting-edge secure operating system for all Check Point Appliances, open servers and virtualized gateways. GAiA combines the best features from IPSO and SecurePlatform into a single unified OS providing greater efficiency and robust performance. With the support of the full suite of Software Blades, customers will benefit from improved connection capacity and the full breadth and power of Check Point security technologies by adopting GAiA.


• Combining the Best Features of IPSO & SecurePlatform
– Secure platform for all Check Point Gateways and Management, open servers and virtualized gateways
– Support the full range of Software Blades on all Check Point Appliances, including IP Series
– Full compatibility with IPSO and SPLAT command line interface


• Increase Operational Efficiency with Wide Range of Features
– Feature-rich and intuitive Web-UI to configure and manage the entire gateway
– Role-based administration allowing segregation of duties among users with different privileges
– New Software Update Tool puts system updates on autopilot
– Replication of security gateway settings or image to others in minutes
– Fast and efficient installation, backup and recovery


• A Secure Platform for the Most Demanding Environments

• Full integration of IPv6 network security utilizing Check Point advanced technologies (CoreXL, SecureXL, ClusterXL and VRRP)

• High connection capacity with 64-bit operating system providing up to 70 million concurrent connections

• Advanced routing options including ClusterXL and VRRP clustering, 5 dynamic routing protocols and 6 multicasting protocols


• Web-Based User Interface with Search Navigation – This interface integrates all management functions into a Web-based dashboard that is accessible via the most popular Web browsers: Internet Explorer, Chrome, Firefox and Safari. The built-in search navigation delivers instant results on commands and properties. For CLI-inclined users, a Shell-Emulator pop-up window is only a single click away.