Ngx II r65 Slides

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.puresecurity

Check Point Security Administration IINGX R65

2©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.puresecurity

Slide Graphic LegendSlide Graphic Legend


Course ObjectivesCourse Objectives

Part 1: Updating and Upgrading Chapter 1: SmartUpdate

– Identify the common operational features of SmartUpdate.– Use SmartUpdate to create an upgrade package.– Upgrade and attach product licenses using SmartUpdate.

Chapter 2: Upgrading VPN-1– Determine which VPN-1 upgrade strategy is appropriate, given

a variety of scenarios.– Determine VPN-1 license requirements, based on upgrade

strategy.



Part 2: Virtual Private Networks Chapter 3: Encryption and VPNs

– Explain encryption for VPNs.– Compare and contrast common encryption methods.– Describe the process for setting up a encrypted VPN tunnels.

Chapter 4: Introduction to VPNs– Select the appropriate VPN deployment to meet requirements,

given a variety of scenarios.– Configure VPN-1 to support site-to-site VPNs, given a variety of

business requirements.– Adjust NGX R65 VPN configuration settings to correct a

problem, given symptoms of a configuration problem.



Chapter 5: Site-to-Site VPNs– Select the appropriate VPN deployment to meet requirements,

given a variety of scenarios.– Configure VPN-1 to support site-to-site VPNs, given a variety of

business requirements.– Adjust VPN configuration settings to correct a problem, given

symptoms of a configuration problem.

Chapter 6: Remote Access VPNs– Configure VPN-1 to support remote-access VPNs, given a

variety of business requirements.



Part 3: High Availability and ClusterXL Chapter 7: High Availability and ClusterXL

– Identify the features and limitations of Management High Availability.

– Identify the benefits and limitations of different modes in a ClusterXL configuration.

– Configure a ClusterXL VPN, given a specific business scenario.– Implement and test State Synchronization, given a business

scenario.

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.puresecurity

PrefaceCheck Point Security Administration II

NGX (R65)


Course LayoutCourse Layout

Prerequisites Check Point Certified Security Expert (CCSE)


Recommended Setup for LabsRecommended Setup for Labs

Recommended Lab Topology


Recommended Setup for LabsRecommended Setup for Labs

IP Addresses Lab Terms


Check Point Security ArchitectureCheck Point Security Architecture

PURE Security



Check Point Components



Unified Security Architecture



Broad Range of Security Solutions



Network Security Data Security Security Management Services


Training and CertificationTraining and Certification

CCMA Learn More


Part 1: Updating and UpgradingPart 1: Updating and Upgrading

Chapter 1: SmartUpdate

Chapter 2: Upgrading VPN-1

©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.




1

SmartUpdateSmartUpdate


ObjectivesObjectives

Identify the common operational features of SmartUpdate.

Use SmartUpdate to create an upgrade package. Upgrade and attach product licenses using

SmartUpdate.

11


Introduction to SmartUpdateIntroduction to SmartUpdate

Optional component of VPN-1 that automatically distributes software applications and updates for Check Point and OPSEC certified products

Manages product licenses

11


Introduction to SmartUpdateIntroduction to SmartUpdate

SmartUpdate Architecture

11


Upgrading PackagesUpgrading Packages

Prerequisites for Remote Upgrades Retrieving Data From VPN-1 Gateways Adding New Packages to the Package Repository Verifying the Viability of a Distribution Transferring Files to Remote Devices Upgrading Edge Firmware with SmartUpdate Rebooting the VPN-1 Gateway Recovering From a Failed Upgrade Deleting Packages From the Package Repository

11


Managing LicensesManaging Licenses

Central license: package license tied to IP address of SmartCenter Server

Local license: package license tied to IP address of VPN-1 Gateway, and cannot be transferred to Gateway with different IP address

License Upgrade Retrieving License Data From VPN-1 Gateways CPInfo SmartUpdate Command Line

11


1Updating an Installation with Updating an Installation with

SmartUpdateSmartUpdate


Review Questions & AnswersReview Questions & Answers

1. What can be upgraded remotely using SmartUpdate?

11



VPN-1 Gateways Hotfixes, HFAs, and patches Third-party OPSEC applications UTM Edge devices Nokia operating systems Check Point SecurePlatform

11



2. What two repositories does SmartUpdate install on the SmartCenter Server?

11



License & Contract Repository in $FWDIR\conf Package Repository in C:\SUroos (Windows),

/var/suroot (UNIX)

11



3. What does the Pre-Install Verifier check?

11



Operating-system compatibility Disk-space availability Package not already installed Package dependencies met

11



4. What are the benefits of using a central license?

11



Only one IP address is needed for all licenses. A license can be moved from one Gateway to another. A license remains valid when changing Gateway IP

addresses.

11





2Upgrading VPN-1Upgrading VPN-1



Determine which VPN-1 upgrade strategy is appropriate, given a variety of scenarios.

Determine VPN-1 license requirements, based on upgrade strategy.

22


Preinstallation ConfigurationPreinstallation Configuration

– Remove any services not running that might be considered a security risk.

– Ensure your network and Gateway are properly configured, with special emphasis on routing.

– Log in to each of the hosts, and Ping the other hosts.– Enable IP routing/forwarding.– Confirm that DNS is working properly. – Note names/IP addresses of the Gateway’s interfaces.– Confirm Gateway’s name corresponds to IP address of

Gateway’s external interface.– Isolate the computers on which you will be installing VPN-1

components from the network.– Verify you have correct version of software for all VPN-1

components.

22


Distributed InstallationDistributed Installation

VPN-1 Client/Server Configuration

22


Upgrading To VPN-1 NGX R65Upgrading To VPN-1 NGX R65

Upgrade Guidelines Upgrade Order Upgrade Export/Import Upgrading via SmartUpdate

22


VPN-1 Backward CompatibilityVPN-1 Backward Compatibility

Supported Versions

22


Licensing VPN-1Licensing VPN-1

Obtaining Licenses Supported Upgrade Paths Contract Verification

22


Performing License UpgradePerforming License Upgrade

Two Upgrade Methods Trial Licenses

22


Pre-Upgrade ConsiderationsPre-Upgrade Considerations

Pre-Upgrade Verification Tool Web Intelligence License Enforcement Upgrading on SecurePlatform

22


Upgrading SmartCenter ServerUpgrading SmartCenter Server

Using the Pre-Upgrade Verification Tool

22


Gateway UpgradeGateway Upgrade

Gateway Upgrade with SmartUpdate

22



1. What is the correct order for a VPN-1 upgrade?

22



SmartCenter Server first, then Security Gateway

22



2. What should be done before installing a VPN-1 Security Gateway?

22



– Remove any services not running that may be a security risk.– Make sure your network and Gateway are properly configured.– Test network communication.– Enable IP routing/forwarding– Confirm DNS is working properly.– Note the names and IP addresses of the Gateway’s interfaces.– Confirm the Gateway is shown in the hosts files correctly.– Isolate the computers.– Verify the correct version of software for you OS

22



3. What methods are there for upgrading licenses?

22



Centrally, from the SmartCenter Server via SmartUpdate

Locally at the Check Point machine

22



4. Which products can be upgraded to NGX R65?

22



– VPN-1 Pro Gateways– SecurePlatform– SmartView Monitor– Eventia Reporter– UserAuthority Server– Policy Server– Check Point QoS– Nokia OS– UTM-1

22


Part 2: Virtual Private NetworksPart 2: Virtual Private Networks

Chapter 3: Encryption and VPNs

Chapter 4: Introduction to VPNs

Chapter 5: Site-to-Site VPNs

Chapter 6: Remote Access VPNs





3

Encryption and VPNsEncryption and VPNs



Explain encryption for VPNs. Compare and contrast common encryption methods. Describe the process for setting up a encrypted VPN

tunnels.

33


Securing CommunicationSecuring Communication

Privacy

33



Shared-Secret Key

33



Symmetric Encryption

33



Symmetric Disadvantages Asymmetric Encryption

33



Diffie-Hellman Encryption

33



Integrity– Hash Function

33



Authentication– Digital Signature

33



Two Phases of Encryption Encryption Algorithms

33


IKEIKE

ISAKMP Oakley ISAKMP/Oakley Phase 1 Phase 2 IKE Example

33


IKEIKE

Tunneling-Mode Encryption– Encrypted Packet

33


Certificate AuthoritiesCertificate Authorities

Certificates Multiple Certificate

Authorities Certificate Authority

Hierarchy

33



Local Certificate Authority

33



CA Service via the Internet

33



Internal Certificate Authority CA Public Keys

– CA Action

33



Creating Certificates

33



1. What three tenets of network communication do Security Administrators need to ensure?

33



Confidentiality — No one, other than the intended parties, can understand the communication.

Integrity — The sensitive data passed between the communicating parties is unchanged.

Authentication — The communicating parties must be sure they are connecting with the intended party.

33



2. Which encryption system uses a different key for encryption and decryption?

33



Asymmetric cryptographic systems

33



3. What two modes does VPN-1 supply for IKE Phase 1 between Gateways?

33



Main mode (default) Aggressive mode

33



4. Which encryption method encapsulates an entire packet, adding its own encryption protocol header to the packet?

33



Tunnel-mode encryption

33





4Introduction to VPNsIntroduction to VPNs



Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.

Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.

Adjust NGX R65 VPN configuration settings to correct a problem, given symptoms of a configuration problem.

44


The Check Point VPNThe Check Point VPN

– Check Point VPN Topology

44



Simplified VPN Tunnel

44



How a VPN Works– Gateway-to-Gateway Network configuration

44



Specifying Encryption

44


VPN DeploymentsVPN Deployments

Site-to-Site VPNs

44


VPN DeploymentsVPN Deployments

Remote-Access VPNs

44


VPN ImplementationVPN Implementation

Three Critical VPN Components– Complete VPN

44



VPN Setup– Two-Network Configuration

44



How a VPN Works

44



– VPN Tunnel

44



VPN Communities

44



VPN Topologies– Basic Meshed Community

44



– Star VPN Community

44



Choosing a Topology– Star and Mesh Combined

44



– Different Encryptions in Mesh Communities

44



– Special Condition

44



– Three VPN Communities

44



Authentication Between Community Members Dynamically Assigned IP Gateways Routing Traffic Within a VPN Community Access Control and VPN Communities

44



– Access Control in VPN Communities

44



Special Considerations for Planning a VPN Topology

44



Integrating VPNs into a Rule Base

44



1. What is a VPN Community?

44



A collection of VPN enabled Gateways capable of communication via VPN tunnels

44



2. What is a meshed VPN Community?

44



A VPN Community in which a VPN site can create a VPN tunnel with any other VPN site within the Community

44



3. Which is the preferred means of authentication between VPN Community members, and why?

44



Certificates, because they are more secure than pre-shared secrets

44



4. If both domain-based VPN and route-based VPN are configured, which will take precedence?

44



Domain-based VPN

44



5. When planning a VPN topology, what questions should be asked?

44



Who needs secure/private access? From the point of view of the VPN, what will be the

structure of the organization? How will externally managed Gateways authenticate?

44





5

Site-to-Site VPNsSite-to-Site VPNs



Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.

Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.

Adjust VPN configuration settings to correct a problem, given symptoms of a configuration problem.

55


Site-to-Site VPNSite-to-Site VPN

Domain-Based VPN

55



Simple VPN Routing

55



Route-Based VPN VPN Routing Process for VTIs

55



Routing to a Virtual Interface

55



Route-Based VPN

55



Routing Multicast Packets Through VPN Tunnels

55



Multicasting

55


VPN Tunnel ManagementVPN Tunnel Management

Permanent Tunnels

55



Permanent Tunnel in MEP Environment

55



VPN Tunnel Sharing

55


Wire ModeWire Mode

Wire Mode in a MEP Configuration

55


Wire ModeWire Mode

– Wire Mode in MEP

55


Wire ModeWire Mode

Wire Mode with Route-Based VPN– Wire Mode in a Satellite Community

55


Wire ModeWire Mode

Wire Mode Between Two VPN Communities

55


Directional VPN EnforcementDirectional VPN Enforcement

Directional Enforcement Between Communities

55



Directional Enforcement Within a Community

55



Directional Enforcement Between Communities– Directional VPN between Mesh and Star Communities

55


Multiple Entry Point VPNsMultiple Entry Point VPNs

VPN High Availability with MEP

55


Traditional Mode VPNsTraditional Mode VPNs

Organizations with large VPN deployments with complex networks may continue to work within Traditional Mode.

VPN Domains and Encryption Rules

55


2Two-Gateway IKE EncryptionTwo-Gateway IKE Encryption

(Shared Secret)(Shared Secret)


3Two-Gateway IKE Encryption

(Certificates)



1. What type of VPN does the use of VPN tunnel interfaces support?

55



Route-based VPNs

55



2. What are the three types of VPN tunnel sharing supported by VPN-1?

55



One VPN tunnel per each pair of hosts One VPN tunnel per subnet pair One VPN tunnel per Gateway pair

55



3. What is the advantage of a Wire Mode VPN?

55



Improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement, and relying on the security of the trusted VPN connection itself

55



4. What are the primary benefits of Multiple Entry Point VPNs?

55



High Availability Load Sharing

55





6

Remote Access VPNsRemote Access VPNs



Configure VPN-1 to support remote-access VPNs, given a variety of business requirements.

66


Remote Access VPNRemote Access VPN

VPN-1 SecuRemote enables you to create a VPN tunnel between a remote user and your organization’s internal network.

Extending SecuRemote with SecureClient Connect Mode Establishing Remote Access — Workflow

66


Remote Access VPNRemote Access VPN

Workflow for Establishing Remote Access VPN

66


Office ModeOffice Mode

How Office Mode Works

66


Office ModeOffice Mode

– Office Mode Process

66


Office Mode PlanningOffice Mode Planning

IP Pool vs. DHCP Routing-Table Modifications Multiple External Interfaces Before Configuring Office Mode

66


Desktop Security PolicyDesktop Security Policy

Policy Expiration and Renewal Policy Server HA Wireless Hotspot/Hotel Registration Logging SecureClient Mobile

66


VPN Routing — Remote AccessVPN Routing — Remote Access

VPN routing provides a way of controlling how VPN traffic is directed.

VPN routing can be implemented with Gateways and remote-access clients.

Configuration for VPN routing is performed either through SmartDashboard, or by editing routing-configuration files.

66



– Simple VPN Routing

66



Hub Mode

66


SSL Network ExtenderSSL Network Extender

SSL Network Extender is connected to an SSL enabled Web server that is part of the Security Gateway.

SSL Network Extender It is via SmartDashboard. How SSL Network Extender Works Prerequisites

66


Clientless VPNClientless VPN

Clientless VPN provides secure SSL-based communication between clients and servers that support HTTPS.

Two phases:– Establishing a secure channel– Communication phase

66



– Communication Phase

66



Special Considerations for Clientless VPN Configuring Clientless VPN Creating Appropriate Rules in the Rule Base

66


4Configuring Remote Access in an IKE

VPN


5Using SecuRemote in an IKE VPN


6Remote Access and Office Mode


7SSL Network Extender



1. When a SecuRemote/SecureClient needs to know the elements of the organization’s internal network to build a connection, how is that information sent?

66



Over a connection secured and authenticated using IKE over SSL

66



2. What is the most recommended and manageable method for client-Gateway authentication?

66



Digital Certificates

66



3. What problem does Office Mode solve?

66



Nonroutable IP addresses; Office Mode enables a VPN-1 Gateway to assign a remote client an IP address.

66



4. What is the advantage of SSL Network Extender

66



Simple to implement, easy-to-use remote-access solution

66


Part 3: High AvailabilityPart 3: High Availability

Chapter 7: High Availability and ClusterXL





7

High Availability and ClusterXLHigh Availability and ClusterXL



Identify the features and limitations of Management High Availability.

Identify the benefits and limitations of different modes in a ClusterXL configuration.

Configure a ClusterXL VPN, given a specific business scenario.

Implement and test State Synchronization, given a business scenario.

77


Management High AvailabilityManagement High Availability

– Management High Availability Deployment

77



Management High Availability Environment Synchronization Status

77



– Typical Management High Availability Example

77


ClusterXLClusterXL

– VPN-1 Gateway Cluster

88


ClusterXLClusterXL

Load Sharing

88


ClusterXL ModesClusterXL Modes

Legacy High Availability Mode New High Availability Mode Load Sharing Multicast Mode Load Sharing Unicast (Pivot) Mode

88



– Load Sharing Unicast Mode

88



– Cluster Member Forwarding Packet

88



Cluster Control Protocol

88


Synchronizing ClustersSynchronizing Clusters

The Synchronization Network How State Synchronization Works Synchronized-Cluster Restrictions

88


Sticky ConnectionsSticky Connections

The Sticky Decision Function

88


cpha Commandscpha Commands

cphastart cphastop cphaprob cphaprob Syntax cphaprob Example fw hastat

88


Debugging ClusterXL IssuesDebugging ClusterXL Issues

fw ctl pstat Sync Output

88


ClusterXL Configuration IssuesClusterXL Configuration Issues

Modes of ClusterXL Supporting SecureXL Crossover-Cable Support

88


8Deploying New Mode HA


9Load Sharing Unicast (Pivot) Mode


10Configuring Load Sharing Multicast

Mode (Optional)



1. For Management HA to function properly, what data must be synchronized and backed up?

88



2. In ClusterXL, what benefit does State Synchronization provide?

88



Ensures no data is lost in case of a cluster member failure; all connection information and VPN state information is synchronized between the members.

88



3. What does Load Sharing in Multicast Mode do?

88



Enables you to distribute network traffic between cluster members

88



4. In what two modes does State Synchronization work?

88



Full sync, which transfers all VPN-1 kernel-table information from one cluster member to another

Delta sync, which transfers changes in the kernel tables between cluster members

88



5. What is a “sticky” connection?

88



When all of a connection’s packets are handled, in either direction, by a single cluster member

77

Ngx II r65 Slides

Documents

Transcript of Ngx II r65 Slides