CheckPoint Security Administration Module_PartI_09Nov2009
Transcript of CheckPoint Security Administration Module_PartI_09Nov2009
![Page 1: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/1.jpg)
Check Point Security
Administration Training
Phan Thanh Long
Công ty Misoft
Email: [email protected]
![Page 2: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/2.jpg)
Check Point Security Administration
Course Map
Module 1: Check Point Firewall Architecture &
Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
![Page 3: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/3.jpg)
![Page 4: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/4.jpg)
Check Point Security
Administration
Module 1: Check Point Firewall
Architecture & Installation
![Page 5: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/5.jpg)
Module 1: Check Point Firewall
Architecture & Installation
Introduction
Objectives
Describe the purpose of a firewall.
Describe and compare firewall architectures
Identify the different components of
Check Point firewall
Check Point firewall deployment models
SIC (Secure Internal Communication)
SmartConsole components
Lab 1: Firewall Stand-alone Installation
Lab 2: Firewall Distributed Installation
![Page 6: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/6.jpg)
Describe the purpose of a firewall
Firewall Technologies
A firewall is a system designed to
prevent unauthorised access to or from a secured network
act as a locked security door between internal and external networks
let through only data that meets defined criteria
Note, however, that a firewall can only protect a network from traffic that actually passes through it; a path that bypasses the firewall (a second uplink, a dial-up modem, two hosts on the same segment) is not filtered at all
![Page 7: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/7.jpg)
What is a Firewall?
(diagram: a Firewall separating the Internet from the DMZ and the Trusted Networks; Trusted Users reach the inside across the Internet, with SSL and IPSec labelling the encrypted links)
![Page 8: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/8.jpg)
Describe and compare firewall
architectures
Firewall Technologies
Packet Filters
Application-Layer Gateway
Stateful Inspection
![Page 9: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/9.jpg)
Packet Filters
Packet Filtering Path in the OSI Model
![Page 10: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/10.jpg)
Packet Filters
The Advantages of Packet Filtering:
• Inexpensive
• Application transparency
• Faster than application layer gateways
The Disadvantages of Packet Filtering:
• Access to a limited part of a packet header
only
• Limited screening above the network layer
• Very limited ability to manipulate information
![Page 11: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/11.jpg)
Application-Layer Gateway (Proxy)
Application-Layer Gateway Path
![Page 12: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/12.jpg)
Application-Layer Gateway
The advantages of application layer gateways are:
• Good security
• Full application-layer awareness
The disadvantages of Application Layer Gateways (Proxy) are:
• Each service requires its own process, so the number of available
services and their scalability is poor
• Implementation at the application level is detrimental to performance
• Most proxies are not transparent
• Vulnerable to operating system and application level bugs
• Overlooks information contained in lower layers
![Page 13: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/13.jpg)
Stateful Inspection
Stateful Inspection Technology, invented by Check Point Software Technologies
![Page 14: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/14.jpg)
Stateful Inspection
• It is not sufficient to examine packets in isolation.
• State information, derived from past communications and from other
applications, is an essential factor in making the control decision
for new communication attempts.
• The engine can inspect and manipulate information in any part of the
packet, not only the header fields a packet filter sees
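The difference between the two approaches becomes concrete when you try to let HTTP replies back into the internal network. The following is an added example written for this page (not Check Point or INSPECT code): a stateless filter that only sees the packet in hand, beside a minimal stateful inspector with a connection table, both run over a constructed four-packet trace. The addresses 172.16.1.x come from the lab table; the Internet hosts, ports and the policy (inside may open HTTP outbound, nothing may be opened inbound) are assumptions for the example.

```python
"""Stateless packet filter vs. stateful inspection on a constructed trace.

Added example for this page, not Check Point code. Policy: hosts in the
internal network may open HTTP to the Internet; nothing may be initiated
from outside. Packets are constructed 5-tuples plus two TCP flags.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "172.16.1."      # lab internal /24 (PC 1 row of the lab table)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """A classic packet filter decides on the header of this packet only.

    To let HTTP replies come back it has to accept any inbound packet to a
    high port that carries ACK, and an attacker can set ACK on a probe.
    """
    if is_internal(pkt.src) and pkt.dport == 80:
        return "accept"                      # outbound HTTP
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.dport >= 1024 and pkt.ack):
        return "accept"                      # "looks like" a reply
    return "drop"


class StatefulInspector:
    """Keeps a connection table so inbound packets are accepted only when
    they belong to a connection an internal host opened."""

    def __init__(self) -> None:
        self.table = set()                   # (src, sport, dst, dport) of open connections

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "accept"                  # matches existing state, no rule lookup
        # Only a new connection (SYN without ACK) is checked against the policy.
        if pkt.syn and not pkt.ack and is_internal(pkt.src) and pkt.dport == 80:
            self.table.add(key)
            return "accept"
        return "drop"


# Constructed trace: a real HTTP handshake followed by two ACK probes.
TRACE = [
    Packet("172.16.1.5", 40000, "203.0.113.10", 80, syn=True),               # client SYN
    Packet("203.0.113.10", 80, "172.16.1.5", 40000, syn=True, ack=True),     # server SYN/ACK
    Packet("203.0.113.10", 80, "172.16.1.5", 40001, ack=True),               # ACK to a port never opened
    Packet("198.51.100.7", 443, "172.16.1.5", 3389, ack=True),               # ACK probe at RDP
]


def compare() -> dict:
    """Verdict per packet for both engines, in trace order."""
    stateful = StatefulInspector()
    return {
        "stateless": [stateless_filter(p) for p in TRACE],
        "stateful": [stateful.inspect(p) for p in TRACE],
    }


if __name__ == "__main__":
    for engine, verdicts in compare().items():
        print(engine, verdicts)
```

The stateless filter accepts all four packets, including the two probes; the stateful inspector accepts the handshake and drops the probes, because neither matches a connection in the table and neither is a legitimate new connection under the policy.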
![Page 15: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/15.jpg)
Check Point Firewall Architecture
SmartConsole (Client)
SmartCenter (Management Server)
Security Gateway (Enforcement)
![Page 16: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/16.jpg)
SmartConsole (SmartDashboard)
![Page 17: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/17.jpg)
SmartCenter (Management)
The security policy is defined using SmartDashboard
It is then saved on the SmartCenter
SmartCenter maintains the policy databases, including
network object definitions
user definitions
the security policy
log files
![Page 18: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/18.jpg)
Security Gateway (Firewall Enforcement)
Deployed on the gateway
An inspection script written in INSPECT is generated from the security policy
Inspection code is compiled from the script and downloaded to the Security Gateway
![Page 19: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/19.jpg)
How Security Gateway Works
How the INSPECT engine passes or blocks packets
if a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination
packets destined for local processes on the gateway OS are inspected first, then passed up the TCP/IP stack
packets that do not pass inspection are blocked
![Page 20: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/20.jpg)
How Security Gateway Works
INSPECT engine
The INSPECT Engine analyzes each packet and extracts all relevant information (communication and application level)
The INSPECT Engine resides in the operating system kernel, inserted between layer 2 and layer 3, that is, between the network interface card (NIC) driver and the IP stack
By inspecting communications at this level, the INSPECT Engine intercepts and analyzes all packets before they reach the operating system's IP stack
No packet is processed by any higher protocol layer unless the firewall has verified that it complies with the enterprise security policy
![Page 21: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/21.jpg)
How Security Gateway Works
![Page 22: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/22.jpg)
Security features
Firewall (standard): HTTP, FTP, Instant Messaging, E-mail, P2P, VoIP, SQL
VPN, site-to-site and remote access (standard)
IPS (subscription)
Anti-virus / Anti-spyware (subscription)
Anti-Spam (subscription)
URL Filtering (subscription)
Web Application Firewall (expansion)
SSL VPN / QoS (expansion)
Slide caption: "The best Firewall in the market"
![Page 23: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/23.jpg)
Stand-alone Deployment Model (SmartCenter and Security Gateway on the same machine)
![Page 24: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/24.jpg)
Distributed Deployment Model (SmartCenter and Security Gateway on separate machines)
![Page 25: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/25.jpg)
Secure Internal Communication (SIC)
SIC secures communication between
Check Point components such as SmartCenter
SmartConsole
Security Gateway
Customer log modules
OPSEC applications
...
![Page 26: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/26.jpg)
Security Benefits of SIC
Confirms that a SmartConsole connecting to a SmartCenter is authorised
Verifies that a security policy loaded on a Security Gateway came from an authorised SmartCenter
Ensures that the privacy and integrity of the data exchanged between components are maintained
![Page 27: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/27.jpg)
SIC Certificates
enable each Check Point-enabled machine to be uniquely identified
a unique certificate is generated for each physical machine
certificates are generated by the Internal Certificate Authority (ICA) on the Management module
![Page 28: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/28.jpg)
SIC Certificates
the ICA automatically creates a certificate for the Management module during installation
certificates for other modules are created via a simple initialisation from the Management Client
upon initialisation, the ICA creates, signs and delivers a certificate to the communication component
![Page 29: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/29.jpg)
Distributed VPN-1 NGX configuration
with certificates
![Page 30: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/30.jpg)
SmartConsole components
SmartDashboard
SmartView Tracker
SmartView Monitor
SmartUpdate
![Page 31: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/31.jpg)
Policy Editor
SmartDashboard
![Page 32: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/32.jpg)
SmartView Tracker
Log viewer/management
![Page 33: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/33.jpg)
SmartView Monitor
![Page 34: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/34.jpg)
SmartUpdate
![Page 35: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/35.jpg)
SmartUpdate…
![Page 36: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/36.jpg)
Module 1:
Review
Summary
Review Questions
![Page 37: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/37.jpg)
Review and discussion
Review Question
What is a Stateful Inspection firewall?
What process does the Check Point FireWall use to accept, drop, or reject packets?
What three components make up the Check Point Firewall?
What are the key SmartConsole components?
What are the deployment models?
![Page 38: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/38.jpg)
Lab 1: NGX Stand-alone Installation
Installing VPN-1 NGX (SmartCenter
and Security Gateway) on
SecurePlatform
Installing SmartConsole on Windows
![Page 39: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/39.jpg)
Lab 1: NGX Stand-alone Installation
![Page 40: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/40.jpg)
Lab Topology
![Page 41: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/41.jpg)
Security Administration
Lab IP Addresses
| PC | PC IP (Web Server) | FW Internal IP (Int 0) | FW DMZ IP (Int 1) | FW External IP (Int 2) | FW Default Gateway |
|---|---|---|---|---|---|
| 1 | 172.16.1.5/24 | 172.16.1.1/24 | 172.17.1.1/24 | 192.168.50.1/24 | 192.168.50.254/24 |
| 2 | 172.16.2.5/24 | 172.16.2.1/24 | 172.17.2.1/24 | 192.168.50.2/24 | 192.168.50.254/24 |
| 3 | 172.16.3.5/24 | 172.16.3.1/24 | 172.17.3.1/24 | 192.168.50.3/24 | 192.168.50.254/24 |
| 4 | 172.16.4.5/24 | 172.16.4.1/24 | 172.17.4.1/24 | 192.168.50.4/24 | 192.168.50.254/24 |
| 5 | 172.16.5.5/24 | 172.16.5.1/24 | 172.17.5.1/24 | 192.168.50.5/24 | 192.168.50.254/24 |
| 6 | 172.16.6.5/24 | 172.16.6.1/24 | 172.17.6.1/24 | 192.168.50.6/24 | 192.168.50.254/24 |
| 7 | 172.16.7.5/24 | 172.16.7.1/24 | 172.17.7.1/24 | 192.168.50.7/24 | 192.168.50.254/24 |
| 8 | 172.16.8.5/24 | 172.16.8.1/24 | 172.17.8.1/24 | 192.168.50.8/24 | 192.168.50.254/24 |
| 9 | 172.16.9.5/24 | 172.16.9.1/24 | 172.17.9.1/24 | 192.168.50.9/24 | 192.168.50.254/24 |
| 10 | 172.16.10.5/24 | 172.16.10.1/24 | 172.17.10.1/24 | 192.168.50.10/24 | 192.168.50.254/24 |
| 11 | 172.16.11.5/24 | 172.16.11.1/24 | 172.17.11.1/24 | 192.168.50.11/24 | 192.168.50.254/24 |
| 12 | 172.16.12.5/24 | 172.16.12.1/24 | 172.17.12.1/24 | 192.168.50.12/24 | 192.168.50.254/24 |
| 13 | 172.16.13.5/24 | 172.16.13.1/24 | 172.17.13.1/24 | 192.168.50.11/24 | 192.168.50.254/24 |
| 14 | 172.16.14.5/24 | 172.16.14.1/24 | 172.17.14.1/24 | 192.168.50.14/24 | 192.168.50.254/24 |
| 15 | 172.16.15.5/24 | 172.16.15.1/24 | 172.17.15.1/24 | 192.168.50.15/24 | 192.168.50.254/24 |
| 16 | 172.16.16.5/24 | 172.16.16.1/24 | 172.17.16.1/24 | 192.168.50.16/24 | 192.168.50.254/24 |
| 17 | 172.16.17.5/24 | 172.16.17.1/24 | 172.17.17.1/24 | 192.168.50.17/24 | 192.168.50.254/24 |
| 18 | 172.16.18.5/24 | 172.16.18.1/24 | 172.17.18.1/24 | 192.168.50.18/24 | 192.168.50.254/24 |
| 19 | 172.16.19.5/24 | 172.16.19.1/24 | 172.17.19.1/24 | 192.168.50.19/24 | 192.168.50.254/24 |
| 20 | 172.16.20.5/24 | 172.16.20.1/24 | 172.17.20.1/24 | 192.168.50.20/24 | 192.168.50.254/24 |
![Page 42: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/42.jpg)
SecurePlatform Installation
Linux-based operating system (kernel 2.4 and 2.6)
Can be installed on open servers, on Check Point appliances (UTM-1, Power-1), or on third-party appliances (Crossbeam)
Installed by booting from CD or from USB (USB CD drive or USB device)
Installation uses the command-line interface or the Web interface (note: Check Point appliances require the initial installation to be done through the Web interface)
![Page 43: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/43.jpg)
SecurePlatform Installation
Some notes
Set a proper hostname; this name will be used for the gateway object
Set the date and time accurately, with the Vietnam time zone GMT+7 (the SIC certificates issued by the ICA carry validity dates, so a wrong clock breaks trust establishment)
The management IP is the IP used for the gateway object. Use the address of the interface facing the SmartCenter, or the internal network (stand-alone deployment)
![Page 44: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/44.jpg)
SecurePlatform Configuration
Configuration via the command line (console, SSH)
Configuration via the Web interface:
webui enable [https port]
webui disable
![Page 45: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/45.jpg)
SecurePlatform Configuration
Commonly used commands and utilities
sysconfig: sets most of the basic OS configuration
cpconfig: configures the Check Point product (SIC, licences, administrators)
expert: enters Expert Mode to use Linux commands
fw ver, fwm ver: show the firewall and management versions
cpstop, cpstart, cprestart: stop, start and restart the Check Point services
fw stat: show the policy currently installed on the firewall
![Page 46: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/46.jpg)
SecurePlatform Configuration
Một số lệnh, tiện ích thường dùng
fw unloadlocal: unloads the policy from the firewall
After the Check Point installation completes, a default "deny all" policy is installed. Use this command when you need to open the initial management connections, for testing, or when the firewall has blocked you out
Note that after fw unloadlocal the gateway enforces no policy at all, so run it from the console or a trusted network and reinstall the policy as soon as the management connection works again
![Page 47: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/47.jpg)
SecurePlatform Routing
Routing
ip route add x.x.x.x/xx via x.x.x.x
ip route add x.x.x.x/xx dev ethx
ip route add default via x.x.x.x
ip route add default dev ethx
ip route show
route --save
![Page 48: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/48.jpg)
Lab 2: Distributed Deployment
Installation
Installing SmartCenter on Windows Server 2003
Installing Security Gateway on SecurePlatform
Installing SmartConsole on Windows
![Page 49: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/49.jpg)
Lab 2: Distributed Deployment
Installation
![Page 50: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/50.jpg)
Lab Topology
![Page 51: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/51.jpg)
Security Administration
Lab IP Addresses

| PC | PC IP (Web Server) | SmartCenter IP | FW Internal IP (Int 0) | FW Server IP (Int 1) | FW External IP (Int 2) | FW Default Gateway |
|---|---|---|---|---|---|---|
| 1 | 172.16.1.5/24 | 172.17.1.2/24 | 172.16.1.1/24 | 172.17.1.1/24 | 192.168.50.1/24 | 192.168.50.254/24 |
| 2 | 172.16.2.5/24 | 172.17.2.2/24 | 172.16.2.1/24 | 172.17.2.1/24 | 192.168.50.2/24 | 192.168.50.254/24 |
| 3 | 172.16.3.5/24 | 172.17.3.2/24 | 172.16.3.1/24 | 172.17.3.1/24 | 192.168.50.3/24 | 192.168.50.254/24 |
| 4 | 172.16.4.5/24 | 172.17.4.2/24 | 172.16.4.1/24 | 172.17.4.1/24 | 192.168.50.4/24 | 192.168.50.254/24 |
| 5 | 172.16.5.5/24 | 172.17.5.2/24 | 172.16.5.1/24 | 172.17.5.1/24 | 192.168.50.5/24 | 192.168.50.254/24 |
| 6 | 172.16.6.5/24 | 172.17.6.2/24 | 172.16.6.1/24 | 172.17.6.1/24 | 192.168.50.6/24 | 192.168.50.254/24 |
| 7 | 172.16.7.5/24 | 172.17.7.2/24 | 172.16.7.1/24 | 172.17.7.1/24 | 192.168.50.7/24 | 192.168.50.254/24 |
| 8 | 172.16.8.5/24 | 172.17.8.2/24 | 172.16.8.1/24 | 172.17.8.1/24 | 192.168.50.8/24 | 192.168.50.254/24 |
| 9 | 172.16.9.5/24 | 172.17.9.2/24 | 172.16.9.1/24 | 172.17.9.1/24 | 192.168.50.9/24 | 192.168.50.254/24 |
| 10 | 172.16.10.5/24 | 172.17.10.2/24 | 172.16.10.1/24 | 172.17.10.1/24 | 192.168.50.10/24 | 192.168.50.254/24 |
| 11 | 172.16.11.5/24 | 172.17.11.2/24 | 172.16.11.1/24 | 172.17.11.1/24 | 192.168.50.11/24 | 192.168.50.254/24 |
| 12 | 172.16.12.5/24 | 172.17.12.2/24 | 172.16.12.1/24 | 172.17.12.1/24 | 192.168.50.12/24 | 192.168.50.254/24 |
| 13 | 172.16.13.5/24 | 172.17.13.2/24 | 172.16.13.1/24 | 172.17.13.1/24 | 192.168.50.11/24 | 192.168.50.254/24 |
| 14 | 172.16.14.5/24 | 172.17.14.2/24 | 172.16.14.1/24 | 172.17.14.1/24 | 192.168.50.14/24 | 192.168.50.254/24 |
| 15 | 172.16.15.5/24 | 172.17.15.2/24 | 172.16.15.1/24 | 172.17.15.1/24 | 192.168.50.15/24 | 192.168.50.254/24 |
| 16 | 172.16.16.5/24 | 172.17.16.2/24 | 172.16.16.1/24 | 172.17.16.1/24 | 192.168.50.16/24 | 192.168.50.254/24 |
| 17 | 172.16.17.5/24 | 172.17.17.2/24 | 172.16.17.1/24 | 172.17.17.1/24 | 192.168.50.17/24 | 192.168.50.254/24 |
| 18 | 172.16.18.5/24 | 172.17.18.2/24 | 172.16.18.1/24 | 172.17.18.1/24 | 192.168.50.18/24 | 192.168.50.254/24 |
| 19 | 172.16.19.5/24 | 172.17.19.2/24 | 172.16.19.1/24 | 172.17.19.1/24 | 192.168.50.19/24 | 192.168.50.254/24 |
| 20 | 172.16.20.5/24 | 172.17.20.2/24 | 172.16.20.1/24 | 172.17.20.1/24 | 192.168.50.20/24 | 192.168.50.254/24 |
![Page 52: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/52.jpg)
Check Point Security
Administration
Module 2: Security Policy
![Page 53: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/53.jpg)
Security Administration
Course Map
Module 1: Check Point Firewall Architecture
& Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
![Page 54: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/54.jpg)
Module 2: Security Policy
Introduction
Objectives
Explain the function and operation of a Security
Policy
Create and modify policy, rules, objects…
Modify Global Properties
Configure anti-spoofing on the firewall
Use Policy Package Management
Use Database Revision Control
![Page 55: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/55.jpg)
Security Policy Defined
What is a Security Policy?
a set of rules that defines network security
Considerations
Which services, including customized
services and sessions, are allowed across
the network?
Which user permissions and authentication
schemes are needed?
Which objects are in the network? Examples
include gateways, hosts, networks, routers,
and domains.
![Page 56: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/56.jpg)
Rule Base
![Page 57: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/57.jpg)
Launching the SmartDashboard…
Check Point SmartDashboard enables administrators to define the security policy
only one administrator with read/write permissions can be logged in at any one time
Start \ Programs \ Check Point SmartConsole R65 \ SmartDashboard
![Page 58: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/58.jpg)
Defining Basic Objects…
![Page 59: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/59.jpg)
Defining Node Object
![Page 60: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/60.jpg)
Defining Network Object
![Page 61: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/61.jpg)
Defining Address range Object
![Page 62: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/62.jpg)
Defining Group Object
![Page 63: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/63.jpg)
Launching the SmartDashboard and
define basic objects
![Page 64: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/64.jpg)
Anti-Spoofing…
Scenario
![Page 65: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/65.jpg)
Anti-spoofing
Spoofing is a technique used by
intruders attempting to gain
unauthorised access
a packet’s source IP address is altered to
appear to come from a part of the network
with higher privileges
Anti-spoofing verifies that packets are
coming from, and going to, the correct
interfaces on the gateway
i.e. packets claiming to originate in the
internal network, actually DO come from
that network
![Page 66: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/66.jpg)
Configuring Anti-Spoofing
The networks reachable behind each interface (the interface topology) need to be defined accurately; a wrong topology either lets spoofed packets through or drops legitimate traffic
Should be configured on all interfaces, the external one included (there, "spoofed" means any source address that belongs to a protected network)
Spoof tracking (logging) is recommended
Anti-spoofing rules are enforced before any rule in the Security Policy rule base
![Page 67: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/67.jpg)
Configuring Anti-Spoofing
![Page 68: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/68.jpg)
Configuring Anti-Spoofing
![Page 69: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/69.jpg)
Rule Base Defined
Rule Base Elements
- No.
- Name
- Source
- Destination
- VPN
- Services
- Action
- Track
- Install on
- Time
- Comment
![Page 70: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/70.jpg)
Creating the Rule Base
The default rule: when you add a rule to the Rule Base it is created with Any as Source, Destination and Service and Drop as its Action, so a rule you forget to edit blocks traffic rather than allowing it
![Page 71: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/71.jpg)
The Basic Rules
Cleanup Rule
Check Point follows the principle "that which is not expressly permitted is prohibited"
all communication attempts not matching any rule are dropped
the cleanup rule (Any, Any, Any, Drop, Log) makes this explicit and, unlike the implicit drop, lets you log what was dropped
![Page 72: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/72.jpg)
The Basic Rules
The Stealth Rule
prevents users from connecting directly to the firewall itself (Source Any, Destination the gateway, Service Any, Action Drop)
place it near the top of the rule base, after any rule that must still reach the gateway (management access, or the lab's ping-to-gateway rule)
![Page 73: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/73.jpg)
Implicit, Explicit Rules and …
NGX creates implicit rules from the Global Properties settings
Explicit rules are created by the administrator in SmartDashboard
Control connections
VPN-1 NGX creates a group of implicit rules (for example for control connections between SmartCenter and the gateways) that it places first, last or before last, as selected in Global Properties
![Page 74: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/74.jpg)
Implicit rules, Global Properties
![Page 75: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/75.jpg)
Rule Base Order
VPN-1 NGX enforces the rule base in the following order:
IP spoofing (anti-spoofing)
NAT
Security Policy "First" rule
Administrator-defined rule base
Security Policy "Before Last" rule
Cleanup rule or Security Policy "Last" rule
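Enforcement order is easiest to understand by running packets through it. The block below is an added example written for this page (not Check Point or INSPECT code): anti-spoofing against the interface topology of lab gateway 1 (internal 172.16.1.0/24 on eth0, the 172.17.1.0/24 network on eth1, the Internet on eth2, SmartCenter at 172.17.1.2 as in the distributed lab table), followed by first-match evaluation of one implicit "first" rule for control connections, the basic policy this module builds (ping to gateway, stealth, ping out, HTTP out) and the cleanup rule. NAT is omitted. Interface names, the Internet addresses, the single implicit rule and its port 18191 (the CPD service used for SIC in Check Point's standard service list) are assumptions for the example; the real gateway derives the implicit rules from Global Properties.

```python
"""Order of enforcement on a Check Point gateway, modelled in Python.

Added example for this page, not Check Point code. Anti-spoofing runs
before the rule base; then implicit 'first' rules, the administrator's
rules and finally the cleanup rule, first match wins. NAT is omitted.
"""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network
ip = ipaddress.ip_address

# Interface topology of lab gateway 1: "networks behind this interface".
TOPOLOGY = {
    "eth0": [IPNet("172.16.1.0/24")],   # internal
    "eth1": [IPNet("172.17.1.0/24")],   # DMZ / server network
    "eth2": None,                        # external: everything not behind eth0/eth1
}
PROTECTED = [n for nets in TOPOLOGY.values() if nets is not None for n in nets]
GATEWAY_IPS = {ip("172.16.1.1"), ip("172.17.1.1"), ip("192.168.50.1")}
SMARTCENTER = ip("172.17.1.2")          # distributed lab: SmartCenter on Int 1


@dataclass(frozen=True)
class Packet:
    iface: str      # ingress interface (assumed names)
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass
class Rule:
    name: str
    src: object      # IPv4Network, set of addresses, or "any"
    dst: object
    service: object  # ("tcp", port), "icmp", or "any"
    action: str
    track: str = "none"


def _match_addr(spec, addr) -> bool:
    return spec == "any" or addr in spec          # works for networks and sets


def _match_service(spec, pkt: Packet) -> bool:
    if spec == "any":
        return True
    if spec == "icmp":
        return pkt.proto == "icmp"
    proto, port = spec
    return pkt.proto == proto and pkt.dport == port


def anti_spoofing(pkt: Packet) -> bool:
    """True if the source address is legitimate for the ingress interface."""
    src = ip(pkt.src)
    nets = TOPOLOGY[pkt.iface]
    if nets is None:                               # external: src must not be a protected address
        return not any(src in n for n in PROTECTED)
    return any(src in n for n in nets)             # internal: src must be behind this interface


IMPLICIT_FIRST = [
    Rule("implicit: control connections", {SMARTCENTER}, GATEWAY_IPS, ("tcp", 18191), "accept"),
]
EXPLICIT = [   # the basic policy built in this module
    Rule("ping to gateway", IPNet("172.16.1.0/24"), GATEWAY_IPS, "icmp", "accept", "log"),
    Rule("stealth", "any", GATEWAY_IPS, "any", "drop", "log"),
    Rule("ping out", IPNet("172.16.1.0/24"), "any", "icmp", "accept"),
    Rule("internet http", IPNet("172.16.1.0/24"), "any", ("tcp", 80), "accept", "log"),
]
CLEANUP = Rule("cleanup", "any", "any", "any", "drop", "log")


def enforce(pkt: Packet, log: list) -> str:
    """Verdict for one packet; log lines are appended for tracked decisions."""
    if not anti_spoofing(pkt):
        log.append(f"spoofed {pkt.src} on {pkt.iface}: drop")
        return "drop"
    src, dst = ip(pkt.src), ip(pkt.dst)
    for rule in IMPLICIT_FIRST + EXPLICIT + [CLEANUP]:
        if (_match_addr(rule.src, src) and _match_addr(rule.dst, dst)
                and _match_service(rule.service, pkt)):
            if rule.track == "log":
                log.append(f"rule '{rule.name}': {rule.action} {pkt.src}->{pkt.dst}")
            return rule.action                     # first match wins
    raise AssertionError("unreachable: the cleanup rule matches everything")


TRAFFIC = [   # constructed packets, in order
    Packet("eth2", "172.16.1.5", "172.16.1.1", "tcp", 22),       # outside, spoofed internal source
    Packet("eth1", "172.17.1.2", "172.17.1.1", "tcp", 18191),    # SmartCenter -> gateway (SIC)
    Packet("eth0", "172.16.1.5", "172.16.1.1", "icmp"),          # ping the gateway from inside
    Packet("eth2", "198.51.100.7", "192.168.50.1", "tcp", 22),   # SSH to the gateway from outside
    Packet("eth0", "172.16.1.5", "203.0.113.10", "tcp", 80),     # browse out
    Packet("eth2", "198.51.100.7", "172.16.1.5", "tcp", 25),     # unsolicited inbound SMTP
]


def run():
    log = []
    verdicts = [enforce(p, log) for p in TRAFFIC]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = run()
    print(verdicts)
    print("\n".join(log))
```

The spoofed packet never reaches the rule base; the SIC connection is accepted by the implicit rule before the stealth rule can drop it; the SSH attempt from outside is stopped by the stealth rule; the inbound SMTP falls through to the cleanup rule, which drops and logs it. Swap the order of "ping to gateway" and "stealth" and the internal ping is dropped, which is the placement point made above.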
![Page 76: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/76.jpg)
Create a new policy package
![Page 77: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/77.jpg)
Add new rule into policy
![Page 78: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/78.jpg)
Add object into rule
![Page 79: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/79.jpg)
Basic Policy
![Page 80: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/80.jpg)
Verify / Install and Uninstall a
Security Policy
Verify a Security Policy: select Policy \ Verify from the SmartDashboard, then click OK
Install/Uninstall a Security Policy: select Policy \ Install (or Uninstall) from the SmartDashboard, click Select All to select all items on the screen (specific items may be deselected), then click OK
![Page 81: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/81.jpg)
Install Policy
![Page 82: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/82.jpg)
Defining and install a basic policy
![Page 83: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/83.jpg)
Defining and install a basic policy
Stealth Rule
Allow Ping to firewall gateway
Allow Ping from Internal network to
outside
Allow Internet access (HTTP)
Cleanup Rule
![Page 84: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/84.jpg)
Defining and install a basic policy
Modify Routing Table for ping test
-sysconfig
-add route:
Dest 172.16.x.0/24 gateway 192.168.50.x
![Page 85: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/85.jpg)
Advanced Security Policy
Hide/Unhide rule
Enable/Disable rule
Add section title
Object Cloning
![Page 86: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/86.jpg)
Masking Rules
Rules in a rule base can be hidden (masked) to make a complex rule base easier to read
All other rules remain visible, and their numbers won't change
Hidden rules are still enforced on the gateway
Viewing Hidden Rules
If View Hidden in the Rules > Hide menu is checked, all rules set as hidden are displayed
Unhiding Hidden Rules
Select Unhide All from the Rules > Hide menu
![Page 87: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/87.jpg)
Hide/Unhide rule
![Page 88: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/88.jpg)
Disabling Rules
Disabling a rule only takes effect after the Security Policy is reinstalled
The rule is still displayed in the rule base
Enabling a Disabled Rule
Select the disabled rule and right-click
Select Disable Rule to deselect it
Remember to reinstall the policy
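The basic policy from the slides above (Stealth rule, ping rules, HTTP rule, Cleanup rule) together with the masking and disabling behaviour just described, as an added worked model that is not Check Point code or a SmartDashboard API: first-match evaluation, hidden rules still enforced and keeping their numbers, disabled rules only dropped at install time. The addresses, the rule order and the object names are this example's assumptions.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network

ANY = "Any"
INTERNAL_NET = ip_network("172.16.1.0/24")   # assumed lab network (slides use 172.16.x.0/24)
GATEWAY_IP = ip_address("192.168.50.1")      # assumed gateway address
OUTSIDE_HOST = "203.0.113.10"                # constructed Internet host


@dataclass(frozen=True)
class Rule:
    name: str
    src: object             # ANY, an IPv4Network or an IPv4Address
    dst: object
    service: str            # ANY, "icmp", "http", ...
    action: str             # "accept" or "drop"
    hidden: bool = False    # Rules > Hide (masked): still enforced
    disabled: bool = False  # Disable Rule: effective only after reinstall


def _matches(obj, addr):
    """Match a packet address against one rule column."""
    if obj == ANY:
        return True
    if isinstance(obj, IPv4Network):
        return addr in obj
    return addr == obj


class InstalledPolicy:
    """What the gateway enforces after Policy > Install: first-match
    evaluation over the rules that were actually sent to it."""

    def __init__(self, rules):
        self.rules = list(rules)

    def lookup(self, src, dst, service):
        src, dst = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if (_matches(rule.src, src) and _matches(rule.dst, dst)
                    and rule.service in (ANY, service)):
                return rule.action, rule.name
        return "drop", "implicit drop"   # only reached without a Cleanup rule


def install(rulebase):
    """Policy > Install: disabled rules are not sent to the gateway; hidden
    (masked) rules are, because masking only changes the SmartDashboard view."""
    return InstalledPolicy(r for r in rulebase if not r.disabled)


def display(rulebase, view_hidden=False):
    """SmartDashboard view: hidden rules are omitted unless View Hidden is
    checked, and the rules that remain keep their original numbers."""
    return [(n, r.name) for n, r in enumerate(rulebase, 1)
            if view_hidden or not r.hidden]


def set_flag(rulebase, name, **flags):
    """Rules > Hide or Disable Rule applied to one rule; returns the edited rule base."""
    return [replace(r, **flags) if r.name == name else r for r in rulebase]


# The basic policy from the slides. The rule allowing ping to the gateway sits
# above the Stealth rule: with first-match evaluation the Stealth rule would
# otherwise drop it. This ordering is the example's assumption.
BASIC_POLICY = [
    Rule("Allow ping to gateway", INTERNAL_NET, GATEWAY_IP, "icmp", "accept"),
    Rule("Stealth rule", ANY, GATEWAY_IP, ANY, "drop"),
    Rule("Allow ping internal to outside", INTERNAL_NET, ANY, "icmp", "accept"),
    Rule("Allow Internet access (HTTP)", INTERNAL_NET, ANY, "http", "accept"),
    Rule("Cleanup rule", ANY, ANY, ANY, "drop"),
]


def walkthrough():
    """Hide the Stealth rule, disable the HTTP rule, and compare what the
    gateway enforces before and after the policy is reinstalled."""
    installed = install(BASIC_POLICY)
    masked = set_flag(BASIC_POLICY, "Stealth rule", hidden=True)
    edited = set_flag(masked, "Allow Internet access (HTTP)", disabled=True)
    return {
        "view_after_hide": display(masked),          # rule 2 not shown, numbers kept
        "stealth_still_enforced": install(masked).lookup(OUTSIDE_HOST, "192.168.50.1", "http"),
        "http_before_reinstall": installed.lookup("172.16.1.10", OUTSIDE_HOST, "http"),
        "http_after_reinstall": install(edited).lookup("172.16.1.10", OUTSIDE_HOST, "http"),
    }
```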
![Page 89: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/89.jpg)
Enable/Disable rule
![Page 90: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/90.jpg)
Add section title
![Page 91: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/91.jpg)
Add section title (continued)
![Page 92: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/92.jpg)
Object Cloning
![Page 93: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/93.jpg)
Policy editing
Clone Object
Add Section Title
Hide rule
Disable Rule
![Page 94: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/94.jpg)
Command Line Options for the Security Policy
Basic Options
cpstart/cpstop: starts and stops all Check Point applications running on the machine
cprestart: issues a cpstop and a cpstart
cplic print: displays the details of the NGX licenses
fw ver, fwm ver: display the version
fw unloadlocal: uninstalls the current policy from the local Gateway
![Page 95: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/95.jpg)
Improving Performance
SmartCenter
Listing machine names and IP addresses in a hosts file will decrease installation time for created network objects:
/etc/hosts (Solaris)
\winnt\system32\drivers\hosts (Windows)
![Page 96: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/96.jpg)
Improving Performance (continued)
Security Gateway
Keep the rule base simple
Position the most frequently used rules at the top of the rule base
Don't log unnecessary connections
Limit the use of the Reject action in rules
Use a network object in place of many node objects
Use IP address ranges in rules instead of a set of nodes
![Page 97: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/97.jpg)
Database revision control and Policy package management
Database revision control
DRC lets the admin create fallback configurations when implementing new objects or rules
Policy package management
PPM lets the admin create multiple versions of a Security Policy, but the objects need to stay the same
![Page 98: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/98.jpg)
Using Database Revision Control
![Page 99: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/99.jpg)
Using Database Revision Control
and Policy Package management
![Page 100: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/100.jpg)
Review
1. If a rule is masked or hidden, is it disabled and no longer part of the Rule Base?
2. When you select a rule, and then select "Disable Rule(s)" from the menu, what must you also do before the rule is actually disabled?
3. How does masking help you maintain a Rule Base?
4. Define some guidelines for improving VPN-1/FireWall-1 NG's performance via a Security Policy
5. Which of the following options is used to back up the entire Policy database?
• Database revision control
• Policy package management
![Page 101: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/101.jpg)
Check Point Security
Administration
Module 3: Network Address Translation
![Page 102: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/102.jpg)
Security Administration
Course Map
Module 1: Check Point Firewall Architecture
& Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
![Page 103: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/103.jpg)
Introduction
Objectives
List the reasons and methods for Network
Address Translation
Demonstrate how to set up Static NAT
Demonstrate how to set up Dynamic (Hide)
NAT
Network Address Translation (NAT)
![Page 104: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/104.jpg)
Network Address Translation
What is NAT?
As a component of Check Point Firewall, it is used for three things:
to make use of private IP addresses on the internal network
to conceal internal networks from outside networks for security reasons
to give ease and flexibility to network administration
For example, an internal Web server with IP address 192.168.1.1 could be assigned a NAT address of 172.10.101.111
![Page 105: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/105.jpg)
Module 3:
NAT
IP Addressing
RFC 1918 details the reserved address groups
Class A network numbers
– 10.0.0.0 – 10.255.255.255
Class B network numbers
– 172.16.0.0 – 172.31.255.255
Class C network numbers
– 192.168.0.0 – 192.168.255.255
![Page 106: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/106.jpg)
Module 3
Network Administration
VPN-1/Firewall-1 supports two types of NAT
Static NAT
Dynamic (Hide) NAT
![Page 107: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/107.jpg)
Understanding Dynamic (Hide) NAT
![Page 108: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/108.jpg)
Module 3:
Dynamic NAT
![Page 109: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/109.jpg)
Module 3
Dynamic (Hide) NAT (continued)
In hide mode, packets' source port numbers are modified
The internal destination of a returning packet is determined by its port number
Port numbers are dynamically assigned from two pools of numbers:
from 600 to 1023
from 10,000 to 60,000
Hide mode cannot be used for protocols where the port number cannot be changed or where the destination IP address is required
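The hide-mode mechanics just listed (source port rewritten from the two pools, reply routed back by port alone, no way to reach a hidden client from outside), as an added model written for this transcript and not Check Point code. The hiding address, the client addresses and the rule that ports below 1024 draw from the low pool are this example's assumptions.

```python
from dataclasses import dataclass

HIDE_ADDR = "203.0.113.1"          # constructed public address the clients hide behind
LOW_POOL = range(600, 1024)        # first pool from the slide: 600-1023
HIGH_POOL = range(10000, 60001)    # second pool from the slide: 10,000-60,000


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp": hide mode needs a rewritable source port
    src: str
    sport: int
    dst: str
    dport: int


class HideNAT:
    """Translation state of one gateway for one hiding address."""

    def __init__(self, hide_addr=HIDE_ADDR):
        self.hide_addr = hide_addr
        self.by_orig = {}    # (proto, client src, client sport) -> assigned port
        self.by_port = {}    # (proto, assigned port) -> (client src, client sport)

    def _allocate(self, proto, orig_sport):
        # Pool choice follows the client's original port (an assumption of this
        # model): ports below 1024 draw from the low pool, the rest from the
        # high pool. Each (proto, port) pair is handed out to one client only.
        pool = LOW_POOL if orig_sport < 1024 else HIGH_POOL
        for port in pool:
            if (proto, port) not in self.by_port:
                return port
        raise RuntimeError(f"{proto} hide port pool exhausted")

    def outbound(self, pkt):
        """Client -> Internet: rewrite the source address and source port."""
        if pkt.proto not in ("tcp", "udp"):
            raise ValueError(f"{pkt.proto}: no port to rewrite, hide mode not applicable")
        key = (pkt.proto, pkt.src, pkt.sport)
        port = self.by_orig.get(key)
        if port is None:
            port = self._allocate(pkt.proto, pkt.sport)
            self.by_orig[key] = port
            self.by_port[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.hide_addr, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> gateway: the destination port alone selects the client.
        Returns None (packet dropped) when nothing is recorded, which is why an
        outside host cannot open a connection to a hidden client."""
        if pkt.dst != self.hide_addr:
            return None
        orig = self.by_port.get((pkt.proto, pkt.dport))
        if orig is None:
            return None
        src, sport = orig
        return Packet(pkt.proto, pkt.src, pkt.sport, src, sport)


def walkthrough():
    """Two clients with the same source port reach the same web server; the
    reply to the second one is routed back correctly by the port alone, and
    an unsolicited inbound packet to the hiding address has nowhere to go."""
    nat = HideNAT()
    a = nat.outbound(Packet("tcp", "172.16.1.10", 40000, "203.0.113.80", 80))
    b = nat.outbound(Packet("tcp", "172.16.1.11", 40000, "203.0.113.80", 80))
    reply_to_b = nat.inbound(Packet("tcp", "203.0.113.80", 80, HIDE_ADDR, b.sport))
    unsolicited = nat.inbound(Packet("tcp", "198.51.100.7", 5555, HIDE_ADDR, 8080))
    return a, b, reply_to_b, unsolicited
```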
![Page 110: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/110.jpg)
Module 3:
Hide Mode Address Translation
![Page 111: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/111.jpg)
Module 3:
Hiding Behind Gateway
all clients will be hidden behind the
firewall’s server side interface
![Page 112: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/112.jpg)
Understanding Static NAT
![Page 113: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/113.jpg)
Module 3
Static Source NAT
Translates private internal source IP addresses to a public external source IP address
Used for connections initiated by internal clients with private IP addresses
![Page 114: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/114.jpg)
Module 3:
Static Source NAT
![Page 115: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/115.jpg)
Module 3:
Address Translation Using Static Source
Mode
![Page 116: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/116.jpg)
Module 3
Static Destination NAT
Translates public addresses to private addresses
Used for connections initiated by external clients
![Page 117: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/117.jpg)
Module 3:
Address Translation Using Static
Destination Mode
![Page 118: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/118.jpg)
Module 3:
Address Translation Using Static
Destination Mode
![Page 119: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/119.jpg)
Module 3:
Automatic and Manual NAT Rules
NAT Rules
NAT rules consist of two elements
the conditions that specify when the rule is
to be applied
the action to be taken when the rule is
applied
each section in the NAT Rule Base Editor is
divided into Source, Destination and Service
![Page 120: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/120.jpg)
Module 3
Edit Object’s properties to enable Automatic NAT
![Page 121: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/121.jpg)
Module 3
Configure manual NAT
Automatic NAT rules are generated by Gateway
![Page 122: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/122.jpg)
Module 3:
Static NAT
Hide NAT
![Page 123: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/123.jpg)
Lab
• Hide NAT allows the LAB to connect to the Internet
• Static NAT makes the Webserver public so that users outside can access it
![Page 124: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/124.jpg)
Check Point Security
Administration
Module 4: Log/Monitoring
![Page 125: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/125.jpg)
Security Administration
Course Map
Module 1: VPN-1 NGX Architecture
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
![Page 126: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/126.jpg)
Module 3: Log/Monitoring
Introduction
Objectives
Use SmartView Tracker to display information
about traffic controlled by NGX
Use SmartView Tracker to block an intruder
connection
Use SmartView Monitor to display information
about firewalls and connections status in real
time, and to block Suspicious Activity
![Page 127: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/127.jpg)
SmartView Tracker
Provides visual tracking, monitoring
and accounting information
Provides control over the log files
display
Allows quick access to information
Any event which causes an alert is
logged, including some system
events such as an install of a policy
![Page 128: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/128.jpg)
© 2006 Check Point Software
SmartConsole: SmartView Tracker
![Page 129: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/129.jpg)
SmartView Tracker …
Log File Management
the File menu allows the administrator to
perform the following tasks:
Open
Save as
Export
Switch active file…
Purge active file
![Page 130: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/130.jpg)
View events using filters
Logs management
View administrator’s activities
Block intruders
![Page 131: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/131.jpg)
SmartUpdate
Made up of two components: Packages Manager and License Manager
Allows tracking of currently installed versions of Check Point and OPSEC products
Updating of installed Check Point and OPSEC software remotely from a centralised location
Centrally managing licenses
![Page 132: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/132.jpg)
SmartUpdate Architecture
Distributed Configuration
![Page 133: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/133.jpg)
NGX Licensing
License Types
Central: the license is linked to the IP address of the management server
Local: tied to the IP address of the machine to which the license will be applied
Obtaining Licenses
Locate the certificate key on the CD cover of the Check Point CD
Go to www.checkpoint.com and select User Center to obtain an evaluation or permanent license
Check Point User Center
![Page 134: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/134.jpg)
SmartConsole: SmartView Monitor
![Page 135: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/135.jpg)
Checking status in SmartView
Monitor
![Page 136: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/136.jpg)
Gateway - Network Activity
![Page 137: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/137.jpg)
Suspicious Activity
![Page 138: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/138.jpg)
Setting up Suspicious Activity rule
![Page 139: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/139.jpg)
Block Suspicious Activity
![Page 140: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/140.jpg)
Review
1. Which SmartConsole component shows which Policy is currently installed on a Firewall gateway?
2. An administrator suspects that a firewall's hard disk is full; which SmartConsole component helps the administrator check this?
3. Which SmartConsole is used first to help the administrator troubleshoot a connection error that has occurred?
4. The active log file has grown too large; which operation is used to save the contents of the active log file to another log file for archiving?
5. How do you activate a license for a firewall?
![Page 141: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/141.jpg)
Check Point Security
Administration NGX I
Authorized Check Point Distributor
Module 5: SmartDefense - Attack prevention, virus scanning, URL filtering
![Page 142: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/142.jpg)
Check Point Security Administration
Course Map
Module 1: Check Point Firewall Architecture
& Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
![Page 143: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/143.jpg)
Module 4: SmartDefense - Attack prevention, virus scanning, URL filtering
Introduction
Objectives
Create attack-prevention profiles and apply them to different firewalls
Configure protection against network-level and application-level attacks
Update to the latest attacks
Check whether any attack has occurred
Configure virus scanning and URL filtering
![Page 144: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/144.jpg)
Module 4: Attack prevention - IPS
• Access control is based on port numbers, source and destination addresses, etc. However, this is not enough: application attacks can still take place through the service access that is opened.
• SmartDefense is the intrusion detection and prevention capability (IPS) at the application level
• Attack detection signatures are updated continuously in real time
![Page 145: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/145.jpg)
Module 4: Creating profiles for the firewalls
![Page 146: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/146.jpg)
Module 4: Creating profiles for the firewalls
Each profile is a set of attack-prevention settings. The administrator can create several different profiles to apply to different firewalls. The default profile contains the most basic attack-prevention settings (enabled).
![Page 147: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/147.jpg)
Module 4: Configuring attack prevention for the profiles
View the information, description and impact of the attack
![Page 148: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/148.jpg)
Module 4:
Enabling the attack-prevention settings
![Page 149: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/149.jpg)
Module 4: Configuring attack prevention for the profiles
Select the profile, enable the attack protection and adjust the parameters as appropriate
![Page 150: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/150.jpg)
Module 4: Applying the profiles to the firewalls
![Page 151: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/151.jpg)
Module 4: SmartDefense Service: attack-prevention updates
![Page 152: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/152.jpg)
Module 4: SmartDefense Service
• Log in with the UserCenter account that was issued
• Download the latest attack-prevention update (while the service is still valid)
• Display the most recently added attacks, and view the advice and configuration guidance for preventing them
![Page 153: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/153.jpg)
Module 4: SmartDefense Service
![Page 154: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/154.jpg)
Module 4: How do you know an attack has occurred?
• Configure tracking of the attacks
• Use SmartView Tracker, SmartView Monitor and consult the guidance in SmartDefense Services
![Page 155: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/155.jpg)
Module 4: Virus scanning at the Gateway
Turn on Anti-virus
Component
![Page 156: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/156.jpg)
Module 4: Antivirus - Integrated Antivirus Policy & Updates
• Scan for viruses right at the access gateway, blocking them before they enter the system
• Scan the SMTP, POP3, FTP and HTTP protocols, scanning by flow or by IP
• Files of given types can be scanned, bypassed or blocked on access
![Page 157: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/157.jpg)
Turn on URL filtering component
Module 4: URL Filtering
![Page 158: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/158.jpg)
URL Filtering
![Page 159: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/159.jpg)
URL Filtering – Advanced option
• List of allowed URLs/IPs
• List of blocked URLs/IPs
• Exceptions to the access rules
• Block notification
![Page 160: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/160.jpg)
URL Filtering – Database
Updates are part of the SDAV Subscription
![Page 161: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/161.jpg)
URL Filtering
– Leading URL database (Websense)
– Over 15 million sites
– Fast updates and high accuracy
– Tight integration with SmartCenter
![Page 162: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/162.jpg)
Module 4:
SmartDefense
![Page 163: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/163.jpg)
Check Point Security
Administration
Module 7: Disaster Recovery
![Page 164: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/164.jpg)
Check Point Security Administration
Course Map
Module 1: Check Point Firewall Architecture
& Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
![Page 165: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/165.jpg)
Disaster Recovery
Introduction
Objectives
Backups are used to restore configurations
and keep downtime to a minimum
![Page 166: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/166.jpg)
Backup and Restore system
configurations
Backup
backup -f filename
backup -e on 17:00 -m 25 --file filename
backup -e: to view the schedule setting
/var/CPbackup/backups
Restore
restore
[L] Restore local backup package
[T] Restore backup package from TFTP server
[S] Restore backup package from SCP server
[R] Remove local backup package
[Q] Quit
![Page 167: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/167.jpg)
Backup and Restore Policy database
$FWDIR (/opt/CPsuite-R65/fw1)
conf: rules, objects, policy, user database
lib:
log:
objects.C and objects_5_0.C ($FWDIR/conf)
rulebase_5_0.fws ($FWDIR/conf)
fwauth.NDB ($FWDIR/conf and $FWDIR/database)
![Page 168: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/168.jpg)
Backup and Restore Policy database
Export
/opt/CPsuite-R65/fw1/bin/upgrade_tools/
Copy "windows\Actions" on CD2 to C:\
upgrade_export filename
Import
upgrade_import filename
![Page 169: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/169.jpg)
Backup and Restore System
Configuration, Policy database and
Log files
snapshot command
Image management via Web console
![Page 170: CheckPoint Security Administration Module_PartI_09Nov2009](https://reader031.fdocuments.net/reader031/viewer/2022020713/55725c21497959da6be8a182/html5/thumbnails/170.jpg)
Backup and Restore