VPN-1/Firewall-1 CCSA
Preparation for Check Point Certification
Based on NG FP2/FP3
Missing SmartDefense chapter for NG AI (FP4) CCSA Exam
CoreFacts acknowledges all registered trademarks. While an effort has been made to recognise and acknowledge
trademarks, all references to trademarks are purely editorial and to the benefit of the company. This book has no
affiliation with or endorsement from any company whose trademark may have been used.
Notice of rights
All rights reserved. No part of this work covered by copyright may be reproduced in any form or by any means -
graphic, electronic, or mechanical - including photocopying, recording, taping, or storage in an information
retrieval system for resale, without the prior written permission of the copyright owner.
Notice of liability
The information in this book is distributed on an "as is" basis, without warranty. While every precaution has been
taken in the preparation of this book, neither the author nor CoreFacts Ltd. shall have any liability to any person or
entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions
contained in this book or by the computer software and hardware products described herein.
CoreFacts 2003
The contents of this PDF file have been extracted from VPN-1/Firewall-1 CCSA/CCSE, ISBN 0-9543830-0-1,
published by CoreFacts Publishing.
The complete book is printed in Great Britain at the University Press, Cambridge, distributed by CoreFacts
Publishing.
CoreFacts Training Technologies.
Broadway House
149 - 151 St Neots Road
Hardwick
Cambridge
CB3 7QJ
UK
Tel. +44 (0)1954 212111
Fax. +44 (0)1954 212555
email info@corefacts.co.uk
Core Knowledge & Key Facts
Firewalls can be made to appear easy to configure. They are not: be careful,
and always test the Security Policy that is installed.
Knowing how to configure a feature in the software is only part of the
puzzle; the other part is knowing the consequences of what you have just
configured and evaluating the risks associated with it.
If you are using this document as a guide to help pass the CCSA exam, then
you must also read the Check Point PDF documentation chapter on
SmartDefense. The SmartDefense content was added when the exams
changed to cover NG AI. Previously SmartDefense was a CCSE+ exam
topic. A chapter on SmartDefense will be available from
www.corefacts.co.uk.
To use this document successfully you should build a sample firewall
configuration and work through all the exercises. Read each chapter first,
then create the objects and follow the suggestions and examples. The exercises
have not been written in a numbered format; they require you to think about and
understand what you are doing. Anyone can paint by numbers.
All the screenshots, content and questions apply to NG FP2/FP3. Does that mean
that I can't use this if I'm sitting the NG AI exam?
No. The topics covered are basically the same; just use the NG AI software.
Some options have moved to a different dialog box location, but they are fairly easy to
find.
www.corefacts.com i
Contents
Chapter 1: VPN-1/Firewall-1 Architecture
Network Connections and Protocols ...................................................................2
The TCP/IP Stack .........................................................................................2
Network Connections ...................................................................................2
IP Protocol .....................................................................................................3
TCP Protocol .................................................................................................3
UDP Protocol ................................................................................................4
ICMP Protocol ..............................................................................................5
What is a Firewall? .............................................................................................6
Trust ..............................................................................................................6
Trojans ..........................................................................................................6
Securing Networks - Packet Filters ....................................................................7
Typical ACL installed on a perimeter router ................................................8
Securing Networks - Application Proxies ..........................................................11
Securing Networks - Stateful Inspection ............................................................13
Content Security Servers ..............................................................................14
Stateful Inspection at Work ...........................................................................15
VPN-1/Firewall-1 ...............................................................................................16
Policy Editor .................................................................................................16
Management Server ......................................................................................17
Enforcement Module ....................................................................................18
VPN-1/Firewall-1 NG Architecture ..............................................................19
VPN-1/Firewall-1 Configurations ......................................................................19
Combined Management/Firewall .................................................................19
Distributed Management/ Firewall Module ..................................................19
License Count ...............................................................................................20
Secure Internal Communications (SIC) ..............................................................21
SIC Certificates .............................................................................................21
SecureUpdate - Central Licenses ........................................................................22
Installing Firewall Module Licenses .............................................................22
SecureUpdate License Attachment ................................................................23
Secure Virtual Network Architecture .................................................................25
Securing Networks, Systems, Applications and Users .................................25
SVN Components .........................................................................................25
Basic Common Sense Security ...........................................................................29
Services .........................................................................................................29
Servers ..........................................................................................................29
People.............................................................................................................30
Peer Pressure .................................................................................................30
Security Policy Procedures ...........................................................................30
Documentation ..............................................................................................30
Log files ........................................................................................................30
Prepare for the unexpected ...........................................................................30
Implement Trust procedures .........................................................................30
Site Security Handbook - RFC 2196 ............................................................30
VPN-1/Firewall-1 Architecture - Review Questions ..........................................31
Chapter 2: Security Policy & Rules Setup
First Contact with the Management Server .........................................................34
GUI Login .....................................................................................................34
Start Policy Editor .........................................................................................35
Administrator Authentication .......................................................................35
Fingerprint Check .........................................................................................36
Policy Editor .................................................................................................37
Creating Network Objects ..................................................................................38
Create the Firewall Object ............................................................................40
External Partner Firewall ..............................................................................44
www.yoursite.com ........................................................................................45
www.partner.com ..........................................................................................46
www.server.com ...........................................................................................46
Networks .......................................................................................................47
net-10.3.3.0 ...................................................................................................47
net-10.4.4.0 ...................................................................................................48
Object Tree Expanded ..................................................................................48
Adding Rules to the Security Policy ...................................................................49
Rule base Elements .......................................................................................49
Removing the If Via Element .......................................................................49
New Security Policy .....................................................................................49
Rulebase Elements without If Via ................................................................50
Adding rules ..................................................................................................50
Stealth Rule ...................................................................................................54
Anything Out Bound Rule ............................................................................54
Clean up Rule ................................................................................................54
Broadcast Junk ..............................................................................................54
Current Rulebase check ................................................................................56
Negating objects in Rules ..............................................................................57
Installing and Verifying the Security Policy .......................................................58
Verify the Security Policy .............................................................................58
Installing the Security Policy ........................................................................58
Uninstalling the Security Policy ...................................................................60
Testing the Security Policy .................................................................................60
Basic Log Viewer information ...........................................................................61
Implicit and Explicit Rules in the Security Policy ..............................................62
First, Before Last, Last .................................................................................65
Rule Base Filtering Order ...................................................................................65
Rule Base Filtering Order, Exception - Authentication ......................................66
Policy Properties, Controlling Implied Rules .....................................................67
Turning Implied Rules off ............................................................................67
Locked out of Policy Installs - Recovery Procedure ....................................68
DNS as an Implied Rule ...............................................................................70
Configuring DNS in a Live Environment......................................................72
Management/Firewall-1 Module communications and services ........................73
Stopping and Starting the Firewall .....................................................................75
fwstop/fwstart ...............................................................................................75
cpstop/cpstart ................................................................................................76
Security Policy & Rules Setup - Review Questions ...........................................77
Chapter 3: System Manager and Log Viewer
System Manager .................................................................................................88
OPSEC ..........................................................................................................88
Status Information .........................................................................................88
Policy Uninstalled State ................................................................................89
Disconnected State ........................................................................................90
Configuring Status Manager Alerts ....................................................................91
Overriding the Global Setting .......................................................................92
Log Viewer .........................................................................................................93
Log Viewer Modes .......................................................................................93
Searching ......................................................................................................95
Selections .......................................................................................................96
Selection Criteria - Toggle.............................................................................98
Resolve Addresses ........................................................................................98
Block Intruder (Suspicious Activity Monitoring) ...............................................100
Block Intruder from within the Log Viewer .................................................100
Log Viewer Telnet entry ...............................................................................100
Log Viewer & Status Manager - Review Questions ...........................................104
Chapter 4: Anti-Spoofing & Services
Configuring Anti-Spoofing .................................................................................108
IP Spoofing ...................................................................................................108
TCP Sessions .................................................................................................109
UDP Sessions ................................................................................................109
Anti-Spoofing ................................................................................................110
Topology of fw.f16.com ...............................................................................110
Predefined Services .............................................................................................114
Tunnelled Protocol Example ........................................................................115
Adding Services.............................................................................................116
Policy Properties - Stateful Inspection ................................................................118
Creating New Services ........................................................................................119
Create a Service ............................................................................................120
TCP ...............................................................................................................120
UDP ..............................................................................................................122
Other .............................................................................................................122
Anti-Spoofing & Services - Review Questions ..................................................125
Chapter 5: Working with the Security Policy
Revision Control .................................................................................................130
Changes to your Policy .................................................................................132
Viewing the Installed Policy .........................................................................134
Hiding Rules .......................................................................................................134
Hiding a Rule ................................................................................................135
Viewing Hidden Rules...................................................................................136
Unhiding Rules .............................................................................................136
Rules Masks and Searches ..................................................................................136
Disabling Rules ...................................................................................................138
Uninstalling the Security Policy .........................................................................138
Basic Performance Guidelines ............................................................................139
Hosts file .......................................................................................................139
DNS lookup ..................................................................................................139
Log Viewer Resolve Addresses ....................................................................139
Module Performance .....................................................................................139
Simple Rulebase ...........................................................................................139
Appliance specific features ...........................................................................140
Logging .........................................................................................................140
Multiple Firewall Administrators and Authentication Methods .........................141
Management Configuration Tool ..................................................................141
Policy Editor - Manage -> Users & Administrators ......................................142
User accounts ................................................................................................142
General details ..............................................................................................142
Account Profile .............................................................................................143
Authentication Schemes ...............................................................................144
Administrator Certificate ..............................................................................145
Certificate Password .....................................................................................145
Install User Database ....................................................................................146
Test Admin Certificate login ........................................................................147
Working With the Security Policy - Review Questions .....................................149
Chapter 6: Setting up Authentication
Authentication Methods ......................................................................................152
$FWDIR/conf/fwauthd.conf .........................................................................152
Authentication Schemes .....................................................................................153
SecurID .........................................................................................................153
AXENT .........................................................................................................153
RADIUS ........................................................................................................153
TACACS .......................................................................................................153
S/Key ............................................................................................................154
VPN-1/Firewall-1 Password .........................................................................154
OS Password .................................................................................................154
Set the Authentication Schemes .........................................................................154
Creating Users .....................................................................................................155
Creating User Groups .........................................................................................160
External Groups ............................................................................................161
User generic* ......................................................................................................162
Generic* ........................................................................................................162
Setting up Authentication - Review Questions ...................................................163
Chapter 7: User Authentication
User Authenticated Services................................................................................166
User Authentication ......................................................................................166
Stealth Authentication ...................................................................................167
Rulebase Check .............................................................................................167
Authentication Using Telnet ...............................................................................167
Add a User Authentication Rule ...................................................................167
Intersect with User database for Source and Destination ...................................172
Authentication Using http ...................................................................................172
Add http to the Rule ......................................................................................172
Change the User Properties............................................................................173
User Authentication Using ftp ............................................................................174
User Authentication - Review Questions ............................................................176
Chapter 8: Session Authentication
Session Authentication .......................................................................................182
Install the Session Agent .....................................................................................183
Session Authentication Using ftp .......................................................................186
Session Authentication Rule .........................................................................186
Session Authentication Properties ................................................................186
Install and Test Session Authentication ........................................................187
Log Entry for Session auth ...........................................................................188
Agent Settings - Once per session ................................................................188
Session Authentication - Review Questions .......................................................189
Chapter 9: Client Authentication
Client Authentication ..........................................................................................192
Client Authentication Using ftp ..........................................................................193
Add a client Auth Access rule ......................................................................193
Using telnet on port 259 ................................................................................194
Using http on port 900 ..................................................................................196
Controlling the number of sessions or time period .............................................197
Risks with Client Authentication ..................................................................198
Sign On Required ................................................................................................198
Sign On Methods ................................................................................................198
Manual Sign On ............................................................................................199
Partially Automatic .......................................................................................199
Fully Automatic ............................................................................................199
Agent Automatic Sign On..............................................................................200
Single Sign On ..............................................................................................200
Client Authentication - Review Questions .........................................................201
Authentication - General Review Questions ......................................................204
Chapter 10: Network Address Translation
Network Address Translation (NAT) .................................................................208
Reason behind NAT ......................................................................................208
RFC 1918 Addresses ....................................................................................208
Problems with NAT ......................................................................................208
Rulebase Check .............................................................................................209
Hide Mode NAT or Dynamic NAT - Automatic ................................................209
Configuring Hide Mode NAT .......................................................................209
NAT Log Entries ..........................................................................................211
Hide Mode NAT or Dynamic NAT - Manual ....................................................211
Static NAT for Servers - Automatic ...................................................................214
Choose an External NAT Address ................................................................214
The Problem with Static NAT ......................................................................214
Check the Policy Global Properties for NAT................................................217
Edit the Web Server Object ..........................................................................218
Check the NAT Rules ...................................................................................218
Static NAT Log Entry - Automatic ...............................................................219
Static NAT for Servers - Manual ........................................................................219
Create the local.arp File on the Firewall Module .........................................220
State Table arp_table ....................................................................................220
Create an Object for the External Web Address ...........................................221
Rulebase Rule Required ................................................................................221
Create the NAT Rules ...................................................................................221
Static NAT Log entry - Manual ....................................................................222
Manual Static NAT - Advantages .................................................................223
Static NAT for Networks - Automatic ................................................................225
Network Address Translation - Review Questions .............................................226
Chapter 11: NG Feature Pack 3
Product Name Changes .......................................................................................230
Upgrade from FP2 to FP3 ...................................................................................231
Upgrade the Firewall Module .......................................................................231
Upgrade the Management Server .................................................................232
Install the Security Policy .............................................................................233
Converting a Traditional to Simplified Mode Security Policy ...........................234
Policy Install Settings .........................................................................................236
Policy Installs and the Connection Table .....................................................236
Policy Rules, Section Headings ....................................................................237
DNS UDP Queries .........................................................................................238
SynDefender .................................................................................................238
SmartView Status ...............................................................................................239
SmartView Tracker .............................................................................................240
Block Intruder ................................................................................................241
Remote Log File Management .....................................................................241
Revision Control .................................................................................................242
Content Security .................................................................................................243
Resource - CIFS ............................................................................................243
URI Filtering - SOAP ...................................................................................245
VPN Configuration Changes ..............................................................................246
Chapter A: VPN-1/Firewall-1 Installation
Installing in a Split Management/Firewall Module Configuration .....................253
Sample network Layout ................................................................................254
Installing the Firewall Module ............................................................................255
Un-installing the Software .............................................................................261
Installing the Management Server and Clients ...................................................262
Chapter B: Review Questions - Answers
Review Question Answer sheets .........................................................................273
VPN-1/Firewall-1 NG CCSA/CCSE
Introduction
This book has been written to provide configuration examples for each
topic covered by the CCSA/CCSE certification. To be most effective, the
reader should have a Firewall configuration that they can use to test each
topic and to experiment with the configuration. If you do not have a complete
test environment that you can use, the VPN-1/Firewall-1 Management
Clients in demo mode will at least allow you to step through and create
many of the objects and rules, and so become familiar with the Firewall
configuration.
While working your way through the book, always read a chapter
thoroughly first, then go back and step through it doing the configuration.
Throughout this book the topics and example configurations are designed
to help you think about each aspect of the configuration. Do not just follow
the steps; they are deliberately not numbered and therefore require a little
more thought. Security is a state of mind: you need to be asking not only
whether something can be done but also what risks come with doing it.
The book is designed to lead the reader through the essential topics
required for understanding how to configure Check Point VPN-1/Firewall-1.
It will not, and was not designed to, explain every option available in a
dialog box. The on-line help built into the Management Clients does a good
job of listing the options and what they do, and should be used as a
supplementary source of information while working through this book.
The Check Point Management clients can be downloaded from
www.checkpoint.com.
The example installation in Appendix A uses a split Management Server/
Firewall Module configuration. This configuration is used throughout the
book and was chosen because it is a more interesting environment to learn
from when you have to consider the interaction of the Management Server
and Firewall Module.
The network configuration used for most of the example configurations in
the book is shown below.
www.server.com was configured with virtual IP addresses on the
172.23.3.0 and 172.24.4.0 networks so that it acts as the router between the
classroom networks, and it has routes to the 10.x.x.x networks.
The Management Station has its default route set to the internal interface
of the Firewall.
The installation example in Appendix A uses Windows NT, since that is
currently the configuration most readers will have available and be
familiar with. The Firewall Module can be installed on any supported
platform and some readers may wish to use the SecurePlatform
installation, but I would still recommend installing in a split
Management/Firewall Module configuration.
The platform used for the Firewall will make little or no difference to the
contents of the book, since almost all VPN-1/Firewall-1 configuration is
done through the Management Clients.
[Network diagram: www.server.com (172.23.3.254) on 172.23.3.0/24; the
Firewall fw.f16.com (Falcon); the Management Station www.f16.com on
172.24.4.0/24; the internal networks 10.3.3.0/24 and 10.4.4.0/24, each
shown with a .1 and a .254 address; a note marks the addresses that are
required for Site to Site VPNs.]
VPN-1/Firewall-1 Architecture
Objectives
When you have completed this Module you should be able to
Know the limitations of a firewall.
Understand what a firewall will not do.
Describe the Advantages and Disadvantages of Packet Filtering.
Describe the Advantages and Disadvantages of Application Proxies.
Describe the Advantages and Disadvantages of Stateful Inspection.
Know the three main components of VPN-1/Firewall-1.
Understand how Stateful Inspection extracts session information.
Understand what information a Stateful Inspection Engine can extract and
use to secure network connections.
Understand where Secure Internal Communications (SIC) is applied to
validate and secure connections between Check Point and OPSEC
components.
VPN-1/Firewall-1 Architecture
2 www.corefacts.com CoreFacts 2002
1.1 Network Connections and Protocols
The TCP/IP Stack In the OSI model layer 5 is Session, layer 6 is Presentation and layer 7 is
Application. TCP/IP does not separate the three; they are all just
application data carried above the transport layer.
Network Connections In the diagram below, to get a packet from client A to server B you need
only know the source and destination IP addresses. The routers and
network infrastructure take care of getting the packets delivered.
The IP header gets the packet across the network using the routing on the
gateways. The TCP, UDP or ICMP header identifies the type of session
being used, and the client and server take care of the data.
Either gateway could implement controls that extract information from
any of the TCP/IP headers, and possibly from the application data, to
accept or deny the packet.
For example, the gateway could check the destination IP address and
destination port number and, if no smtp server is running on the
destination address, drop the packet. This is simple packet filtering.
Firewalls extract information from each header and use it to secure the
connection. Some firewalls extract more than others.
Protocol layers (TCP/IP) against the OSI layer numbers:

  5 - 7  application  telnet, ftp, nfs, smtp, dns, ntp
  4      transport    tcp, udp
  3      internet     ip, icmp
  2      data link    various: slip, ppp, X.25, HDLC, ISO 8802-2,
                      802.3 (Ethernet, CSMA/CD), 802.5 (Token ring), serial
  1      physical

Packet from A to B through the two gateways. What each header carries,
and therefore what a gateway can read from it:

  IP Header      Protocol No. and Src/Dst IP Address
  TCP Header     Src/Dest Port (25 SMTP, 80 http), carrying http, ftp, smtp data
  UDP Header     Src/Dest Port, carrying dns, nfs, ntp data
  ICMP Header    ICMP Type/Code (Echo Req./Reply)
  IPSEC encrypted packet   the headers inside it cannot be read by a
                           gateway that does not hold the key
IP Protocol The IP header (RFC 791) is shown below. Any field in the header may be
extracted and used to control a packet passing through a gateway.
In simple terms, for firewalls the Source and Destination IP Address are
the main controlling factors along with the 8-bit Protocol field. Firewalls
may do a lot more, but the controlling features that firewall administrators
can usually act on are those three components of the IP header.
In VPN-1/Firewall-1 you could write your own INSPECT scripts to extract
any part of the packet, but that is not something many administrators do.
The full list of IP protocol numbers can be obtained from
http://www.iana.org/assignments/protocol-numbers

  8-bit protocol   Protocol
  1                ICMP Internet Control Message
  6                TCP Transmission Control
  17               UDP User Datagram

TCP Protocol The TCP header (RFC 793) is shown below. The source port is chosen by
the client TCP stack, normally from the range above 1023. The destination
port is where the service on offer is listening, and access to it is what
the Firewall administrator controls.
IP Header (20 bytes without options), bit positions 0-15 | 16-31:

  4-bit version | 4-bit header length | 8-bit type of service | 16-bit total length (in Bytes)
  16-bit identification | 3-bit flags | 13-bit fragmentation offset
  8-bit time to live | 8-bit protocol | 16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  options (if any) | padding
  data (TCP/UDP/ICMP header + data, or other protocol tunnelled over IP)
TCP connections go through an open, data transfer and close phase, and
every segment is acknowledged. The sequence numbers let each end know
what has been sent and received, and lost or corrupt segments are resent.
Data (commands) cannot be sent to the service until the open phase has
completed.
TCP sessions tend to be trusted because the client cannot send data until
the server has received the client's acknowledgement of its Syn/Ack, and
an attacker who cannot see the server's sequence number has to guess it.
It is still possible to spoof or steal TCP connections. The only reliable
prevention against spoofing or stealing TCP sessions is encryption or
packet authentication.
UDP Protocol UDP (RFC 768) is inherently insecure because there is no tracking of how
many packets have been sent and received; it is the application's job to
make sure it understands the data it has received.
TCP Header (20 bytes without options), bit positions 0-15 | 16-31:

  16-bit source port number | 16-bit destination port number
  32-bit sequence number
  32-bit acknowledgement number
  4-bit data offset | reserved | 6 bits - flags | 16-bit window
  16-bit TCP checksum | 16-bit urgent pointer
  options (if any) | padding
  data (telnet/ftp/smtp/nntp)

TCP session between Client (port 1057) and Server (port 23):

  Open   Client -> Server  Syn      Client sends its Seq. No. asking to open the connection.
         Server -> Client  Syn/Ack  Server sends its Seq. No. acknowledging receipt of the client's Syn.
         Client -> Server  Ack      Server now knows the client exists; data can be sent.
  Data   Client -> Server  Data
         Server -> Client  Ack
  Close  Client -> Server  Fin
         Server -> Client  Ack
Some firewalls create a virtual UDP session that implements timeouts and
some protocol knowledge in an attempt to secure UDP exchanges. It is
easy to spoof UDP packets, and the integrity of the packets received relies
on the application. You can send data as the first packet to a UDP
application and, unless there is some authentication built into the
application, the server will just accept the data. As an example, a DNS
lookup uses UDP and just sends the name to be resolved to the server; the
server blindly accepts the request and returns the result to the source IP
address.
ICMP Protocol Internet Control Message Protocol (RFC 792). ICMP is not session
orientated. The way a host responds to unusual ICMP and TCP probes is
what tools like nmap use to fingerprint its TCP/IP stack and determine
which OS is being used.
Although ICMP is generally considered a protocol to deny through a
firewall, this will not always be the case, and if you do not allow some
types of ICMP you may break the protocol being used.
If you have a problem with MTUs it is normally ICMP related: Path MTU
discovery relies on ICMP Destination Unreachable, Fragmentation Needed
(type 3, code 4) messages getting back to the sender, and a gateway that
blocks all ICMP stops the MTU size being negotiated.
UDP Header (8 bytes), bit positions 0-15 | 16-31:

  16-bit source port number | 16-bit destination port number
  16-bit UDP length | 16-bit UDP checksum
  data (NFS/DNS/NTP)

UDP exchange between Client and Server: there is no open or close phase.
The client sends Data (commands) and the server sends a Reply; further
Data and Reply packets follow with nothing but the application to tie
them together.

ICMP Header, bit positions 0-15 | 16-31:

  8-bit type | 8-bit code | 16-bit checksum
  data (if any)
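The IP, TCP, UDP and ICMP header layouts above are exactly what a packet filter reads. As an added example, not from the book or from Check Point, the Python below pulls those fields out of raw packets using the RFC 791/793/768/792 layouts and applies the simple packet filtering decision from section 1.1: accept only if the destination host offers a service on that protocol and port. The sample packets, the service table and the host addresses are constructed for the example (the addresses are picked from the book's 10.3.3.0/24 and 172.23.3.0/24 ranges but correspond to no host in the book).

```python
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5 of the flags field


def parse_ipv4(packet: bytes) -> dict:
    """Extract the RFC 791 header fields a firewall keys on, then parse the transport
    header selected by the 8-bit protocol field at byte offset 9 (INSPECT's ip_p byte)."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "protocol": proto,
            "ttl": ttl, "frag_offset": (flags_frag & 0x1FFF) * 8,
            "more_fragments": bool(flags_frag & 0x2000)}
    # Only the first fragment carries the transport header; "ports" read out of a
    # later fragment would really be application data.
    if info["frag_offset"] == 0:
        info.update(_parse_transport(proto, packet[ihl:total_len]))
    return info


def _parse_transport(proto: int, payload: bytes) -> dict:
    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", payload[:16])
        return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]}
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport, length, _csum = struct.unpack("!HHHH", payload[:8])
        return {"sport": sport, "dport": dport, "udp_len": length}
    if proto == IPPROTO_ICMP and len(payload) >= 4:
        icmp_type, code, _csum = struct.unpack("!BBH", payload[:4])
        return {"icmp_type": icmp_type, "icmp_code": code}
    return {}   # other protocol or too short: nothing beyond the IP header to key on


def simple_packet_filter(info: dict, services: set) -> str:
    """The stateless check from section 1.1: accept only if the destination host
    offers a service on that protocol and port. ICMP and non-initial fragments
    carry no destination port, so they fall through to drop."""
    return "accept" if (info["dst"], info["protocol"], info.get("dport")) in services else "drop"


# ---- constructed sample packets (checksums left at zero; no real host sent these) ----
def build_ipv4(src, dst, proto, payload, frag_offset=0, more=False):
    flags_frag = (0x2000 if more else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def tcp_segment(sport, dport, flags, seq=0, ack=0):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)


SERVICES = {("172.23.3.25", IPPROTO_TCP, 25), ("172.23.3.53", IPPROTO_UDP, 53)}
SYN = build_ipv4("10.3.3.1", "172.23.3.25", IPPROTO_TCP, tcp_segment(1057, 25, 0x02, seq=1000))
SYNACK = build_ipv4("172.23.3.25", "10.3.3.1", IPPROTO_TCP, tcp_segment(25, 1057, 0x12, seq=5000, ack=1001))
DNS_QUERY = build_ipv4("10.3.3.1", "172.23.3.53", IPPROTO_UDP, struct.pack("!HHHH", 1061, 53, 8, 0))
WRONG_HOST = build_ipv4("10.3.3.1", "172.23.3.25", IPPROTO_UDP, struct.pack("!HHHH", 1061, 53, 8, 0))
ECHO_REQ = build_ipv4("10.3.3.1", "172.23.3.25", IPPROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
LATE_FRAG = build_ipv4("10.3.3.1", "172.23.3.25", IPPROTO_TCP, b"A" * 24, frag_offset=24)

if __name__ == "__main__":
    for name, p in [("SYN", SYN), ("SYN/ACK", SYNACK), ("DNS", DNS_QUERY), ("WRONG_HOST", WRONG_HOST),
                    ("ECHO", ECHO_REQ), ("LATE_FRAG", LATE_FRAG)]:
        info = parse_ipv4(p)
        print(f"{name:10s} {simple_packet_filter(info, SERVICES):6s} {info}")
```

Notice that the Syn/Ack coming back from the server is dropped: a stateless filter has no memory of the outgoing Syn, which is why perimeter ACLs end up with blanket permits for ports above 1023 (section 1.3) and why Stateful Inspection keeps a connection table instead (section 1.5). The fragment case is the other point worth keeping: a filter that is happy to read ports out of a non-initial fragment is reading whatever the sender put there.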
1.2 What is a Firewall?
A Firewall implements the Security Policy that controls connections
between trusted and untrusted networks passing through a gateway.
The Security Policy may implement very strict control of services and
server access or may be fairly liberal. Exactly how the firewall will control
the connections depends on who writes the site Security Policy document
and the type of organization involved.
Financial and government defence industries are much more security
aware than the average manufacturing industry making, for example,
birthday cards. Their risks and objectives are totally different, as is the
budget allocated to the task of security.
Trust Internal employees are just as likely to be malicious as external Internet
users, and they pose a greater threat since a firewall cannot protect you
against malicious authorized users.
Trojans A trojan is a program that is installed on a computer but has functions
other than those advertised as part of the program. Basically it pretends to
be something it is not in order to gain trust.
Trojans are the biggest nightmare for security administrators because once
one is installed on a user's computer it is already on the internal network
and your network is potentially compromised. A firewall will not help you
against trojans. Controlling trojans requires user education and control of
the applications installed on users' desktops.
Virus scanning engines will recognize trojans, or at least the ones that are
known.
Most Security Policies implemented on a firewall allow internal users
access to the external network (Internet) with at least http and ftp. An
example of a good trojan might be a virtual flower pot with a flower of
your choice that grows: attractive to users, and run continuously on the
desktop. While the application is running it is busy collecting information
off the network and sending it out through port 80 to a remote site. If the
trojan can initiate a connection through port 80 or 21 to its remote relay
site then any server commands built into the trojan become available to
the remote controller.
Trojans are an inside-to-outside security problem. Firewalls are generally
successful at controlling external network to internal/DMZ network
access; they have less success at controlling inside-to-outside problems.
You might want to consider using proxy servers to control access. This
makes the use of trojans more difficult, since the trojan then needs to
tunnel its data over the protocol being proxied. Still a potential problem,
but it reduces the risk.
The problem with using trojans is that you need to get them installed on the
internal network; the worst kind of trojan is a trusted employee.
As a simple rule of thumb, minimise the points of access to and from your
network; this gives you more control.
1.3 Securing Networks - Packet Filters
The first line of defence in any organisation is the perimeter routers that are
the gateways to other networks. A simple packet filtering router would not
now be considered a firewall, but it remains an important part of the
perimeter security.
[Diagram: a packet filtering router between the ISP and a single flat
network. The router's ACLs check the IP and TCP/UDP headers but not the
data (No CHECK on Data). Behind it, on the same network as the client
PCs, sit the smtp, ftp, http, nntp and dns servers, and one client PC runs its
own ftpd on Port 7777. All addresses are visible to the Internet.]
With simple packet filtering routers, users and administrators found it easy
to circumvent the Access Control List on the perimeter router. The
configuration above was common in the early days of public Internet
growth. The perimeter router would control incoming access to the servers,
only allowing specific services. A user or administrator would then install
a server on another host on a high numbered port and use it to connect
from home; this would often be telnet for administering Unix boxes.
Unfortunately the workstation with the ftp/telnet server, if found, could
become a WAREZ site for illegally copied software. Some sites
complained to the ISP about the bandwidth and were then informed that
the bandwidth was being consumed by the ftp or http server a user had
installed. Once you install a Firewall and change the location of the clients
and servers this is no longer a problem. With configurations that have
routers doing NAT, initiating connections to the internal PCs is not
possible unless explicitly configured; the internal workstation must initiate
the connection first.
Advantages
Much Cheaper than firewalls
Faster than Stateful Inspection and application proxies
Good for perimeter access control
Disadvantages
Difficult to manage Access Control Lists (ACLs).
Limited to IP and TCP/UDP/ICMP header information checking
and that may be basic.
Logging usually only to a syslog daemon.
Very easy to abuse the open ports - with tunnelled protocols.
The filtering abilities of routers have increased over the past five years but
methods of administering them still tend to be command line orientated,
often only basic features are used.
Typical ACL installed on a perimeter router Internet Service Providers may provide a managed router with ACLs
already configured. This can be a problem if you are not aware of what has
been configured, and the ISP will usually only talk to listed technical
support personnel about configuration issues.
Do not remove, or ask the ISP to remove, all the ACLs on your perimeter
router. Open up the ports required, not everything.
A typical starting ACL on a Cisco Internet perimeter router might be
similar to the following.
Current configuration:
! The IP addresses used in this example were selected at
! random and do not refer to a specific live site
! Last configuration change at 17:30:40 GMT Fri May 13 2002 by gusbouse
! NVRAM config last updated at 17:30:44 GMT Fri May 13 2002 by gusbouse
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hitetech04-gw
!
! Harden the router itself: no source routing, no finger, no bootp
ip subnet-zero
no ip source-route
no ip finger
no ip bootp server
ip domain-name bytes.co.uk
ip name-server 153.42.128.1
ip name-server 153.42.192.1
ip name-server 197.2.3.1
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
! Ethernet0 faces the site LAN: ACL 102 filters what is let out towards the servers
interface Ethernet0
 ip address 193.8.73.14 255.255.255.240
 ip access-group 102 out
 no ip directed-broadcast
 no ip proxy-arp
 traffic-shape rate 2048000 2048000 2048000 1000
!
! Serial0 faces the ISP: ACL 151 drops spoofed sources coming in,
! ACL 101 only lets the site's own addresses out
interface Serial0
 ip unnumbered Ethernet0
 ip access-group 151 in
 ip access-group 101 out
 no ip directed-broadcast
 no ip mroute-cache
 bandwidth 2048
 traffic-shape rate 2048000 2048000 2048000 1000
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
ip default-network 153.42.0.0
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 153.42.0.0 255.255.0.0 Serial0
logging trap debugging
logging 197.139.21.16
! ACL 1: hosts allowed to open a vty session to the router (see access-class below)
access-list 1 permit 200.78.31.8
access-list 1 permit 153.42.128.0 0.0.127.255
access-list 1 permit 193.8.73.0 0.0.0.15
! ACL 101: only the site's own /28 may send traffic out to the Internet
access-list 101 permit ip 193.8.73.0 0.0.0.15 any
! ACL 102: traffic towards the LAN. Entries are tried in order, first match
! wins, and anything that matches nothing is denied
access-list 102 deny ip 193.8.73.0 0.0.0.15 any
access-list 102 permit icmp any any
access-list 102 permit tcp any host 193.8.73.4 eq 1023
access-list 102 permit udp any host 193.8.73.4 eq 1023
access-list 102 permit tcp any host 193.8.73.4 eq 1494
access-list 102 permit udp any host 193.8.73.4 eq 1604
access-list 102 deny udp any any eq 2049
access-list 102 deny tcp any any eq 2049
access-list 102 deny tcp any any eq 6000
! The two "gt 1023" permits let replies to client connections back in, but
! they also expose any server a user starts on a high port, such as the
! ftpd on port 7777 in the diagram
access-list 102 permit tcp any any gt 1023
access-list 102 permit udp any any gt 1023
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any host 193.8.73.7 eq smtp
access-list 102 permit tcp any host 193.8.73.4 eq www
access-list 102 permit tcp any host 193.8.73.5 eq www
access-list 102 permit tcp any host 193.8.73.3 eq www
access-list 102 permit tcp any host 193.8.73.4 eq 443
access-list 102 permit tcp any host 193.8.73.2 eq smtp
access-list 102 permit tcp any host 193.8.73.6 eq www
access-list 102 permit tcp any host 193.8.73.6 eq 443
! ACL 151: anti-spoofing on the Internet side. Drop packets claiming to come
! from the site's own range, from RFC 1918 private space, loopback or
! multicast, and block SNMP and the management ports on the router itself
access-list 151 deny udp any host 193.8.73.14 eq snmp log
access-list 151 deny ip 193.8.73.0 0.0.0.15 any log
access-list 151 deny tcp any host 193.8.73.14 eq 1999
access-list 151 deny tcp any host 193.8.73.14 eq 2001
access-list 151 deny tcp any host 193.8.73.14 eq 4001
access-list 151 deny tcp any host 193.8.73.14 eq 6001
access-list 151 deny ip host 0.0.0.0 host 193.8.73.14
access-list 151 deny ip 10.0.0.0 0.255.255.255 any
access-list 151 deny ip 172.16.0.0 0.15.255.255 any
access-list 151 deny ip 192.168.0.0 0.0.255.255 any
access-list 151 deny ip 127.0.0.0 0.255.255.255 any
access-list 151 deny ip 224.0.0.0 31.255.255.255 any
access-list 151 permit ip any any
tacacs-server host 191.79.31.8
tacacs-server host 191.79.63.56
tacacs-server attempts 2
tacacs-server timeout 6
banner login ^C
Authorised access only
This system is the property of XX-ISP UK
Disconnect IMMEDIATELY if you are not an authorised user !
Contact support@xx-isp.net +44 1323 111122 for help.^C
!
line con 0
 ! encrypted password removed from this listing
 password 7
 transport input none
line aux 0
line vty 0 4
 access-class 1 in
 ! encrypted password removed from this listing
 password 7
!
ntp clock-period 17246996
ntp peer 153.42.128.33
ntp peer 153.42.128.66
ntp peer 153.42.192.66
end
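What the ACL above actually lets through is easiest to see by evaluating packets against it. The Python below is an added example, not from the book or from Cisco: a small evaluator for the subset of IOS access-list syntax used in the listing (standard and extended lists, any/host/wildcard addresses, eq/gt/lt ports, log) with Cisco's first-match and implicit-deny semantics. It is fed the ACL 102 and 151 lines from the listing and constructed sample packets; the Internet-side address 198.51.100.7 and the internal host 193.8.73.9 are assumptions for the example. It shows the point the section makes: the `permit tcp any any gt 1023` entry means a server someone starts on port 7777 is reachable from the Internet.

```python
import ipaddress

# Named ports IOS prints in place of numbers (only the ones the listing uses)
NAMED_PORTS = {"smtp": 25, "www": 80, "domain": 53, "snmp": 161, "ftp": 21, "telnet": 23}


def _addr_matcher(tok, i):
    """Parse one address spec at tok[i]: any | host A | A WILDCARD | A (standard ACL)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        return (lambda a, h=tok[i + 1]: a == h), i + 2
    base = int(ipaddress.IPv4Address(tok[i]))
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:               # a wildcard mask follows
        care = int(ipaddress.IPv4Address(tok[i + 1])) ^ 0xFFFFFFFF    # 0 bits in the wildcard are compared
        return (lambda a, b=base, c=care: int(ipaddress.IPv4Address(a)) & c == b & c), i + 2
    return (lambda a, b=base: int(ipaddress.IPv4Address(a)) == b), i + 1


def _port_matcher(tok, i):
    """Optional eq/gt/lt PORT after an address spec; absent means any port."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt"):
        op, port = tok[i], NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        ops = {"eq": lambda p: p == port, "gt": lambda p: p > port, "lt": lambda p: p < port}
        return ops[op], i + 2
    return (lambda p: True), i


def parse_acls(config):
    """Return {acl_number: [entries]} in the order IOS evaluates them."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list":
            continue
        num, action = int(tok[1]), tok[2]
        if num < 100:                                    # standard ACL: source address only
            proto = "ip"
            src, i = _addr_matcher(tok, 3)
            sport = dst = dport = lambda _: True
        else:                                            # extended ACL
            proto = tok[3]
            src, i = _addr_matcher(tok, 4)
            sport, i = _port_matcher(tok, i)
            dst, i = _addr_matcher(tok, i)
            dport, i = _port_matcher(tok, i)
        acls.setdefault(num, []).append((action, proto, src, sport, dst, dport, "log" in tok[i:]))
    return acls


def evaluate(acls, num, pkt):
    """First matching entry decides; an ACL that matches nothing denies (Cisco's implicit deny).
    pkt: {"proto": "tcp"|"udp"|"icmp", "src", "dst", "sport", "dport"}. Returns (action, logged)."""
    for action, proto, src, sport, dst, dport, log in acls.get(num, []):
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (src(pkt["src"]) and dst(pkt["dst"])):
            continue
        if proto in ("tcp", "udp") and not (sport(pkt["sport"]) and dport(pkt["dport"])):
            continue
        return action, log
    return "deny", False


# The LAN-bound (ACL 102) and anti-spoofing (ACL 151) entries from the listing above
ACL_CONFIG = """
access-list 102 deny ip 193.8.73.0 0.0.0.15 any
access-list 102 permit icmp any any
access-list 102 permit tcp any host 193.8.73.4 eq 1023
access-list 102 deny udp any any eq 2049
access-list 102 deny tcp any any eq 2049
access-list 102 deny tcp any any eq 6000
access-list 102 permit tcp any any gt 1023
access-list 102 permit udp any any gt 1023
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any host 193.8.73.7 eq smtp
access-list 102 permit tcp any host 193.8.73.4 eq www
access-list 151 deny udp any host 193.8.73.14 eq snmp log
access-list 151 deny ip 193.8.73.0 0.0.0.15 any log
access-list 151 deny ip 10.0.0.0 0.255.255.255 any
access-list 151 deny ip 224.0.0.0 31.255.255.255 any
access-list 151 permit ip any any
"""
ACLS = parse_acls(ACL_CONFIG)


def inbound(proto, src, dst, dport, sport=40000):
    """A packet arriving from the Internet: checked by 151 on Serial0 in, then 102 on Ethernet0 out."""
    pkt = {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}
    first = evaluate(ACLS, 151, pkt)
    return first if first[0] == "deny" else evaluate(ACLS, 102, pkt)


if __name__ == "__main__":
    for case in [("tcp", "198.51.100.7", "193.8.73.7", 25), ("tcp", "198.51.100.7", "193.8.73.9", 7777),
                 ("tcp", "198.51.100.7", "193.8.73.9", 23), ("tcp", "198.51.100.7", "193.8.73.9", 2049),
                 ("tcp", "10.1.2.3", "193.8.73.7", 25), ("udp", "198.51.100.7", "193.8.73.14", 161)]:
        print(case, "->", inbound(*case))
```

The evaluator only understands the syntax this listing uses; real IOS ACLs also have `range`, `established`, `neq` and named lists, so do not use it to audit a production router. It is enough to make the point: smtp to 193.8.73.7 and a user's ftpd on 193.8.73.9 port 7777 get the same `permit`, while telnet to the same host is caught by the implicit deny only because 23 happens to be below 1024.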
1.4 Securing Networks - Application Proxies
Application proxies work at the application layer and rewrite every
connection going through the Firewall, so the connection appears to come
from the external address of the Firewall. Application Proxy Firewalls are
considered by most security experts to be the most secure type of Firewall.
The number of proxies differs from Firewall to Firewall but is usually
about 30, and not all of them do detailed protocol analysis.
Other types of firewall are sometimes used as the packet filtering
inspection control mechanism in front of a dedicated application proxy
server. A dedicated application proxy server is not necessarily an
application Proxy Firewall.
Examples of application proxy Firewalls are Raptor and Gauntlet.
[Diagram: an application proxy firewall. The client's and server's full
protocol stacks sit on either side. In the middle, the firewall's Low Level
Packet Filter checks the IP and TCP/UDP headers and hands the connection
to a per-protocol proxy that checks the application data as well: ftp-gw,
tn-gw, x-gw, lp-gw, sy-gw, http-gw and the generic plug-gw (the TIS
Toolkit names). Three client connections to port 80 are shown, each
handled by its own http-gw process.]
The low level kernel packet filter hands the connection to the appropriate
proxy for the destination port number. The proxy fully understands the
protocol in detail. The proxy sends a Syn/Ack back to the client, which
thinks it has connected to the remote site. The proxy spawns a process to
handle the connection: 20 connections, 20 processes. The proxy sends a
Syn to the real site and waits for the reply, and at the same time checks
that the client is allowed to connect to the requested site. If the rules do
not allow it the proxy terminates the connection; if they do, it waits for
the reply. The remote site sees the connection as coming from the external
Firewall address but the client sees the connection as if it came from the
remote server. This is transparent proxying. Alternatively you could set
the client to explicitly proxy off the Firewall, but then the user has to
interact with the Firewall to use some services.
The number of proxies is limited since they are difficult to write and must
be modified to keep up with the version of the protocol they are proxying.
They tend to be memory and processor intensive since they must spawn a
process for each client request. Just because you are using a proxy like the
Apache http server does not mean it is a Firewall. Application proxy
Firewalls are security aware for the protocol being proxied and are
designed to prevent misuse and generate detailed logging and alerts.
Advantages
Considered to be the most secure method of controlling network
connections.
Works at the application level and fully understands the protocol
being used.
Good logging of network and protocol information.
Disadvantages
Can be the bottleneck with high bandwidth connections.
Can be slow and is not for high speed data streams, like VOIP.
Proxies may only be available for TCP services.
The number of proxies supplied is limited.
Each connection requires its own process, can be CPU and
memory intensive.
May be exposed to low level OS and TCP/IP stack compromises.
Even if you do not use an application proxy type firewall it is almost
certain that you will implement application proxies to control user access
to specific services. Only small or low risk sites never use proxies of some
form or another to control protocols passing through the security gateway.
The plug-gw proxy can be used to relay any TCP service, which makes its
use no better than a packet filtering router. The low level kernel packet
filters can also be used to control traffic through the gateway.
The TIS Toolkit is still available for personal use if you would like to
investigate how application proxies work. Gauntlet became the
commercial version of the TIS Toolkit and added a lot more features.
1.5 Securing Networks - Stateful Inspection
Check Point VPN-1/Firewall-1 Stateful Inspection has the ability to extract
information from any part of the IP packet to control the network session.
The Inspection Engine runs scripts written in a language called INSPECT
to handle the different protocols. Protocols do not all receive the same
degree of inspection; every release and service pack has extended the
protocol inspection abilities of the Inspection Engine.
Advantages
Faster than application proxies.
Can inspect the whole packet.
Can understand protocol details.
Easy to administer with GUI front end.
Provides good logging.
Adds virtual session information to UDP and ICMP.
Disadvantages
Less secure than application proxies.
Slower than packet filtering routers.
Administrators can be fooled into thinking firewall administration
is easy with a simple GUI.
Too easy to add services that need time for further review.
Provides little or no better protection than a packet filter for some
protocols.
[Diagram: Stateful Inspection. The client's and server's full protocol
stacks sit on either side. The Inspection Engine is inserted between the
Data Link and Network layers of the gateway and can check the IP and
TCP/UDP headers, the application Data, and the Session Information it
holds in Dynamic State Tables.]
Stateful Inspection Stateful Inspection is designed not only to check the packets received but
also to extract information about connections related to packets about to
be received.
Communication information - Information derived from inspecting the
Application, Presentation, Session, Transport and Network headers. For
TCP/IP, Application, Presentation and Session are all considered to be
part of the application data; it is the OSI model that splits it into three
components.
Communication derived state - Information derived from previous
communications, for example extracting the port number of a data
connection in an ftp file transfer. This is session information.
Application derived state - Information derived from an interaction with
an application on the firewall that sets a state in the Inspection Engine to
allow access. For example, a user connecting to in.aclientd and
authenticating before attempting to use a protocol in a rule. (in.aclientd
is explained in Client Authentication.)
Information manipulation - Evaluation of flexible expressions
(INSPECT language) based on the communication information,
communication derived state and application derived state.
Content Security Servers VPN-1/Firewall-1 does have application proxies; they are called Content
Security Servers and work with the following protocols
SMTP
FTP
HTTP
Content Security Servers are explained in the module on Content Security.
Stateful Inspection at Work An example of Stateful Inspection at work, extracting communication
derived state information, is an FTP session.
Client A establishes a connection to the ftp server on B, connection ID 57.
The user then issues the ls command in ftp. The client's ftp program first
sends a PORT command on the control connection naming the port its
data listener is on, port 1063. The firewall extracts that port number from
the data part of the packet, adds it to the state table and links connections
57 and 58. If the control connection is finished the data connection is
disallowed.
Server B then opens a connection from the ftp-data port (20) to port 1063,
where it has been told the client is listening. The firewall is expecting the
connection because it extracted the port details from the outgoing PORT
command.
If the user misses half the directory listing and repeats the process,
connection ID 58 expires (it is complete) and a new entry is created for the
next data download after extracting the new port details.
FTP session between Client A and Server B through Firewall-1:

  1  Control connection  A:1061 -> B:21    login/passwd, then "port = 1063" and ls
     Data connection     B:20 -> A:1063    dir listing (data)
  2  Control connection  A:1061 -> B:21    "port = 1065" and ls again
     Data connection     B:20 -> A:1065    dir listing (data)

Connection State Table Information (the firewall extracted Dest. port = 1063
from the control connection):

  IP Address    Port Address
  Src   Dst     Src    Dst     ID
  A     B       1061   21      57
  B     A       20     1063    58
  B     A       20     1065    59
This is Stateful Inspection at work: only opening the ports required for
the protocol to work, which requires knowledge of the protocol. The
Inspection Engine is looking for and extracting specific values; if it finds
them it uses them, and if it does not, the protocol may break or may still
work, depending on the INSPECT scripts associated with the protocol.
This is the area that packet filtering routers do not touch. They are not
aware of when to open ports; packet filters just leave the ports open all the
time.
Just because VPN-1/Firewall-1 does this for one protocol does not mean it
does it for all protocols. INSPECT scripts to extract session information do
not exist for every protocol (port number).
Be careful with protocols that are not widely used; they are likely to have
very little checking beyond simple port or IP protocol number matching.
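Putting the FTP example into code makes the difference from the packet filter concrete. The Python below is an added example, not Check Point's Inspection Engine and not INSPECT: a toy stateful inspector with a rulebase, a connection state table, communication derived state taken from the FTP PORT command on the control connection (so the ftp-data connection from port 20 is accepted only when it was announced and only while the control connection is still open), and the virtual UDP session with a timeout described in 1.1. The hosts A (10.3.3.1), B (172.23.3.250) and the DNS server (172.23.3.53), the rulebase and the packet sequence are constructed for the example. It also adds a check the book does not mention, ignoring a PORT command that names a host other than the one that sent it.

```python
import ipaddress
import re

PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class StatefulInspector:
    """Toy Inspection Engine: rulebase plus state table. Only a packet that opens a
    connection is matched against the rules; the state table decides the rest."""

    def __init__(self, rules, udp_timeout=40):
        # rule: (source network, destination host or "any", protocol, destination port)
        self.rules = [(ipaddress.ip_network(s), d, p, port) for s, d, p, port in rules]
        self.conns = {}      # 5-tuple -> {"id", "parent"}: TCP connections and UDP virtual sessions
        self.expected = {}   # data connection announced on a control channel -> control 5-tuple
        self.expiry = {}     # UDP 5-tuple -> time after which the reply slot is gone
        self.udp_timeout, self.next_id = udp_timeout, 57

    def _rule_allows(self, p):
        return any(ipaddress.ip_address(p["src"]) in net and d in ("any", p["dst"])
                   and proto == p["proto"] and port == p["dport"] for net, d, proto, port in self.rules)

    def _open(self, key, parent=None):
        self.conns[key] = {"id": self.next_id, "parent": parent}
        self.next_id += 1

    def _close(self, key):
        # A finished control connection takes its announced and open data connections with it
        del self.conns[key]
        self.expected = {k: v for k, v in self.expected.items() if v != key}
        for child in [k for k, v in self.conns.items() if v["parent"] == key]:
            del self.conns[child]

    def _learn_ftp_port(self, p, control_key):
        m = PORT_CMD.search(p.get("payload", b""))
        if not m:
            return
        a, b, c, d, hi, lo = (int(x) for x in m.groups())
        # Added check: the announced listener must be the client itself, not a third host
        if f"{a}.{b}.{c}.{d}" == p["src"]:
            self.expected[(p["dst"], p["src"], "tcp", 20, hi * 256 + lo)] = control_key

    def inspect(self, p, now=0):
        key = (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])
        rev = (p["dst"], p["src"], p["proto"], p["dport"], p["sport"])
        if p["proto"] == "udp":
            return self._inspect_udp(p, key, rev, now)
        flags = set(p.get("flags", ()))
        conn = key if key in self.conns else rev if rev in self.conns else None
        if conn is not None:                                 # state table decides, rules not consulted
            if flags & {"FIN", "RST"}:
                self._close(conn)
            elif conn == key and p["dport"] == 21:           # client-to-server data on ftp control
                self._learn_ftp_port(p, key)
            return "accept"
        if key in self.expected or (flags == {"SYN"} and self._rule_allows(p)):
            self._open(key, parent=self.expected.pop(key, None))
            return "accept"
        return "drop"

    def _inspect_udp(self, p, key, rev, now):
        for k in (key, rev):                                 # expire stale virtual sessions
            if k in self.expiry and now > self.expiry[k]:
                del self.conns[k], self.expiry[k]
        if rev in self.conns:                                # reply inside the virtual session
            return "accept"
        if key in self.conns or self._rule_allows(p):        # query: open or refresh the session
            if key not in self.conns:
                self._open(key)
            self.expiry[key] = now + self.udp_timeout
            return "accept"
        return "drop"


A, B, DNS = "10.3.3.1", "172.23.3.250", "172.23.3.53"        # hypothetical hosts in the book's ranges
RULES = [("10.3.3.0/24", "any", "tcp", 21), ("10.3.3.0/24", DNS, "udp", 53)]


def pkt(proto, src, sport, dst, dport, flags=(), payload=b""):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "payload": payload}


def ftp_scenario():
    fw = StatefulInspector(RULES)          # the session from the figure: 57, then data connections
    decisions = [
        fw.inspect(pkt("tcp", A, 1061, B, 21, flags=("SYN",))),            # rule 1 opens connection 57
        fw.inspect(pkt("tcp", B, 21, A, 1061, flags=("SYN", "ACK"))),      # matched by the state table
        fw.inspect(pkt("tcp", A, 1061, B, 21, payload=b"PORT 10,3,3,1,4,39\r\n")),  # 4*256+39 = 1063
        fw.inspect(pkt("tcp", B, 20, A, 1063, flags=("SYN",))),            # expected: connection 58
        fw.inspect(pkt("tcp", B, 20, A, 1064, flags=("SYN",))),            # never announced: dropped
        fw.inspect(pkt("tcp", A, 1061, B, 21, payload=b"PORT 10,3,3,1,4,41\r\n")),  # announces 1065
        fw.inspect(pkt("tcp", A, 1061, B, 21, flags=("FIN", "ACK"))),      # control connection finished
        fw.inspect(pkt("tcp", B, 20, A, 1065, flags=("SYN",))),            # data after close: dropped
    ]
    return decisions, fw


def dns_scenario():
    fw = StatefulInspector(RULES, udp_timeout=40)
    return [fw.inspect(pkt("udp", A, 1200, DNS, 53), now=0),      # rule 2 opens a virtual session
            fw.inspect(pkt("udp", DNS, 53, A, 1200), now=1),      # reply inside the timeout
            fw.inspect(pkt("udp", DNS, 53, A, 1200), now=100),    # late reply: session expired
            fw.inspect(pkt("udp", DNS, 53, A, 1201), now=2)]      # reply to a query never sent
```

The two things to take from running it: the rulebase is consulted exactly twice (the client's Syn to port 21 and the DNS query), and every other accept or drop comes from state the firewall learned from earlier packets. That is also the warning in the paragraph above in code form: a protocol the engine has no script for would get only the first of these two decisions.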
1.6 VPN-1/Firewall-1
VPN-1/Firewall-1 NG is a scalable modular architecture that allows an
organization to define a single centrally managed Security Policy. The core
components of VPN-1/Firewall-1 are
Policy Editor
Management Server
Enforcement Module
Other modular components cover bandwidth management (Floodgate-1),
IP address management (Meta IP) and software updates (SecureUpdate).
Policy Editor The enterprise Security Policy is defined and managed through the Policy
Editor. The policy is defined through a clear, simple rulebase in which each
rule specifies Source, Destination, Service, Action, Tracking, Install On
and Time. Some settings are made through dialog box toggles which turn a
specific feature on or off.
The installed settings and rules together are called the rulebase.
A rulebase consists of the rules you create using object and service
definitions, plus the settings made in the Global Policy Properties.
Management Server The Management Server is the central point of Security Policy distribution
and stores all the configuration information to be distributed to the
Firewall Module enforcement points. It maintains the Check Point
databases, including network object definitions, user definitions, policies
and log files, for any number of enforcement points. The configuration
information is accessible through the Policy Editor, which connects to the
Management Server over a secure encrypted connection.
The Policy Editor can be installed on the same server as the Management
Server or on a separate workstation that connects over the network.
Authentication is required to connect to the Management Server.
There is no limit to the number of Firewall Enforcement Modules that a
single Management Server can manage. However, there are practical
limits on how well the Management Server copes with the logging, and on
how well an administrator can manage the rulebase.
A reasonable ratio of Management Server to Firewall Modules is 1:12, but
every site is different and this is not a fixed limit.
Enforcement Module A VPN-1/Firewall-1 NG Enforcement Module is installed at a network
gateway access point. This may be an Internet gateway at the perimeter of
your organization or an internal gateway protecting specific internal
networks. Multiple enforcement points may be controlled by a central
enterprise Management Server with a single central policy.
The Security Policy is defined in the Policy Editor, saved on the
Management Server as INSPECT, and compiled at the Management Server
into a form that can be installed on the enforcement point.
The Enforcement Module includes the Inspection Engine and the security
servers. It examines all communications according to the rules in the
Security Policy, using the security servers to authenticate users and to
inspect protocol specifics at the application level for SMTP, FTP and
HTTP.
INSPECT Language INSPECT is the language VPN-1/Firewall-1 uses to generate the scripts
that enforce the Security Policy.
INSPECT is a macro based language that allows flexible expressions to be
created to check the contents of an IP packet.
#define ip_p [9 : 1]
define tcp { ip_p = 6 };
define udp { ip_p = 17 };
define icmp { ip_p = 1 };
accept (tcp, telnet or ftp) or (udp, domain_udp)
The script is passed through the C pre-processor and the #define macros
expanded into the script.
The script means
Define a macro ip_p, get byte 9 in the IP header, look at one byte.
Define an entity tcp, which has value 6 in the IP header at byte 9.
Define an entity udp, which has value 17 in the IP header at byte 9.
Define an entity icmp, which has value 1 in the IP header at byte 9.
Accept the packet if it is tcp, telnet or ftp or udp, domain_udp.
Obviously the values for telnet, ftp and domain_udp would also need to
have been defined.
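As an added example (not from the book or from Check Point), the following Python models how the script above evaluates a raw IPv4 packet; the port-based definitions of telnet, ftp and domain_udp, the grouping tcp AND (telnet OR ftp), and the sample packets are assumptions made for illustration.

```python
import struct

# Added example, not from the book or from Check Point: a small Python model of how
# the INSPECT script above evaluates a raw IPv4 packet. Offsets follow the IPv4, TCP
# and UDP header layouts. The service entities telnet, ftp and domain_udp are not
# defined in the book's fragment; the port-based definitions below are assumptions.

IP_P = (9, 1)  # "#define ip_p [9 : 1]": one byte at offset 9 of the IP header (protocol)


def field(pkt: bytes, offset: int, length: int) -> int:
    """Read `length` bytes at `offset` as a big-endian integer, like INSPECT's [offset : length]."""
    return int.from_bytes(pkt[offset:offset + length], "big")


def ihl_bytes(pkt: bytes) -> int:
    """IPv4 header length in bytes: the low nibble of byte 0 counts 32-bit words."""
    return (pkt[0] & 0x0F) * 4


# define tcp { ip_p = 6 };  define udp { ip_p = 17 };  define icmp { ip_p = 1 };
def tcp(pkt: bytes) -> bool:
    return field(pkt, *IP_P) == 6


def udp(pkt: bytes) -> bool:
    return field(pkt, *IP_P) == 17


def icmp(pkt: bytes) -> bool:
    return field(pkt, *IP_P) == 1


def dport(pkt: bytes) -> int:
    """Destination port: bytes 2-3 of the transport header for both TCP and UDP."""
    return field(pkt, ihl_bytes(pkt) + 2, 2)


# Assumed (hypothetical) service definitions that the book says "would also need
# to have been defined".
def telnet(pkt: bytes) -> bool:
    return dport(pkt) == 23


def ftp(pkt: bytes) -> bool:
    return dport(pkt) == 21


def domain_udp(pkt: bytes) -> bool:
    return dport(pkt) == 53


def accept(pkt: bytes) -> bool:
    """accept (tcp, telnet or ftp) or (udp, domain_udp);
    The comma is INSPECT's logical AND; the grouping tcp AND (telnet OR ftp) is the
    reading the book's walk-through intends. Note what the rule does NOT match:
    DNS over TCP (tcp/53) and ICMP fall through to whatever rule follows."""
    return (tcp(pkt) and (telnet(pkt) or ftp(pkt))) or (udp(pkt) and domain_udp(pkt))


def build_packet(proto: int, dst_port: int) -> bytes:
    """Constructed sample packet: a 20-byte IPv4 header followed by an 8-byte
    transport header (source port 40000, then the destination port)."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45,      # version 4, IHL 5 (20 bytes)
                            0,         # TOS
                            28,        # total length
                            0, 0,      # identification, flags/fragment offset
                            64,        # TTL
                            proto,     # byte 9: protocol
                            0,         # checksum (not validated in this model)
                            bytes([10, 1, 1, 1]),    # source 10.1.1.1 (constructed)
                            bytes([172, 21, 1, 1]))  # destination 172.21.1.1 (constructed)
    transport = struct.pack("!HHHH", 40000, dst_port, 0, 0)
    return ip_header + transport


if __name__ == "__main__":
    samples = [("tcp/23", build_packet(6, 23)), ("tcp/80", build_packet(6, 80)),
               ("udp/53", build_packet(17, 53)), ("tcp/53", build_packet(6, 53)),
               ("icmp", build_packet(1, 0))]
    for name, pkt in samples:
        print(f"{name:8s} -> {'accept' if accept(pkt) else 'no match'}")
```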
The INSPECT scripts are stored in the $FWDIR\lib directory on the
Management Server. Every time the Policy is installed these files are used
to compile the Security Policy. If these files are compromised then the
resulting Security Policy is compromised. Make sure you protect the
Management Station from internal and external users.
VPN-1/Firewall-1 NG Architecture
All components of VPN-1/Firewall-1 now use SVN Foundation as a base,
which helps protect the Check Point modules from potential OS bugs. SVN
Foundation is also known as CPShared and is the Check Point Operating
System that is installed with every product.
1.7 VPN-1/Firewall-1 Configurations
Combined Management/Firewall
This is still the most common installed configuration of VPN-1/Firewall-1,
since it requires one server and suits small to medium sized organizations
with a single firewall.
Distributed Management/Firewall Module
This is used by larger organizations that often have multiple firewalls, or
those that require High Availability, since Check Point HA requires that
the Firewall-1 Module and Management Server software are not installed
on the same server in an HA configuration (this is not necessarily true for
other vendors' HA solutions). Rebuilding Firewall module configurations is
simpler in a split configuration: a Firewall module just requires a re-install
of the software and a reset of the SIC secret between Management Server
and Firewall module, followed by a Policy install.
It is more likely that you will upgrade the hardware of the Firewall module than
the Management Server, since in the future you will be adding HA and
more VPN links, which require higher specification hardware. You can of
course use the firewall to filter the VPN traffic to a dedicated VPN gateway
box so that the VPN box only ever receives VPN traffic from specific sites.
The firewall then acts as a protector for the VPN box, which does not have
to be Check Point based.
[Diagram: VPN-1/Firewall-1 Module, Management Server and GUI Clients
(Policy Editor, Log Viewer, Status Manager; optional install).]
License Count
The license count for VPN-1/Firewall-1 is based on the number of IP
addresses that the Firewall module recognizes as internal IP addresses. If
you have a limited license version (a 25/50/100/250 user license), then during
the install one interface will be listed as the external interface. All IP
addresses on all other interfaces will be counted as being internal and
protected by VPN-1/Firewall-1.
The IP addresses collected by the firewall are written into a database file
and can be viewed with the command fw lichosts.
Make sure you count all IP addresses: hosts, servers, routers, printers, and
remote sites with links to internal networks.
The firewall does not stop working if you have extra hosts; it just informs
you that you need to upgrade the license. If you are using a DHCP server
you should restrict the address range it allocates addresses from. If you
renumber your network you may need to run fwstop to stop the firewall,
delete the database file, then run fwstart to start the firewall; the address count
will then start from scratch again.
[Diagram: VPN-1/Firewall-1 Module, Management Server and GUI Clients
(Policy Editor, Log Viewer, Status Manager; optional install).]
1.8 Secure Internal Communications (SIC)
In NG Check Point have introduced Secure Internal Communications
(SIC), which replaces the fw putkey authentication method.
SIC is used to secure communications between Check Point SVN
components such as:
Management Servers
VPN-1/Firewall-1 Modules
Customer Log files
SecureUpdate
Policy Servers
OPSEC applications using the SDK for NG
With SIC in place, a simple SIC initialization procedure for each
component from within the Policy Editor is all that is needed, which
removes the need to do fw putkey operations between each pair of
communicating components to secure the link.
SIC Certificates
Secure Internal Communication for Check Point SVN components uses
certificates for authentication and SSL for encryption. Certificates are
created by the Internal Certificate Authority (ICA) on the Management
Server, which is a standard part of VPN-1/Firewall-1 NG.
The ICA is created automatically during Management Server installation
and only requires each component to have a single certificate created. An
object may only have one certificate issued from a single CA; you cannot
have two certificates for the same object. The Management Server and
modules are identified by their SIC name, also known as the Distinguished
Name (DN).
The names of objects and name resolution are important when using
certificates; names must be resolvable to addresses that can be contacted
over the Internet, if necessary, for remote modules.
You cannot rename objects that have had certificates issued for them; you
need to delete the object and recreate it, creating a new certificate for it.
1.9 SecureUpdate - Central Licenses
In NG Check Point changed the way that Firewall module licenses were
associated with an IP address. In previous versions the license was
associated with the External IP address of the Firewall module. In a
Combined Management/Firewall module configuration the License for the
Management Module and the Firewall Module were associated with the
same IP address. In a Split Management/Firewall module configuration
there was a license for the Management Station tied to its IP address and a
license for the Firewall module tied to its IP address.
For licenses in NG the only IP address that is required is the address of the
Management Station. The Management Station will then have Firewall
module licenses attached to it for each Firewall it can Manage. This is
known as central licensing and all licenses are added to the Management
Server by either using the Check Point Configuration Tool or
SecureUpdate.
Using SecureUpdate licenses can then be detached from the Management
Station and attached to a Firewall module that has been defined using the
Policy Editor. The license will be attached to the primary address of the
defined Firewall module object which should be the external IP address.
The advantages of Central Licenses are:
All licenses can be managed via SecureUpdate.
Only one IP address is required for all licenses.
A license can be detached from one module and attached to another.
The license remains valid when changing the IP address of the
module. There is no need to re-create and re-install a new license
when changing the IP address.
Installing Firewall Module Licenses
When you install a remote Firewall module, if you are using central licenses
then you do not have to add a license during the Firewall module
installation. You will only need to set the SIC secret to get SIC
communications working between the Management Server and Firewall
module. After defining the Firewall object in the Policy Editor you can use
SecureUpdate to attach a license to the new Firewall module.
Central licenses are recommended for all Firewall Modules.
Management Server licenses are local licenses, and if you change the IP
address of the Management Station you need to re-create the license and
re-install it.
SecureUpdate License Attachment
Once the Firewall module object has been created in the Policy Editor, save
the settings and start SecureUpdate, which can be used to attach a license to
the newly defined Firewall module.
In SecureUpdate the Management and Firewall module should be
displayed, if they do not appear make sure the Firewall object has been
created and the Security Policy saved.
Highlight the Management Server object and select Get Check Point
Node Licenses.
The licenses associated with the Management Server should be displayed.
The local license is the Management Server License and the central the
Firewall module license.
Make sure you Detach the central license and not the local license
otherwise you will have to add the license information back using
SecureUpdate or the Check Point Configuration Tool.
When you install the Management Server, copy the license file details
obtained from Check Point into a directory under $FWDIR\conf. That
way you will not have to go hunting for the license details if they are
deleted: they will always be available and backed up as part of the
Firewall configuration. License information can be retrieved at any time
from Check Point's license center, but you need to get there and have your
login details available.
Attach the license to the Firewall Module.
The license details will be displayed for confirmation, if you make a
mistake you can Detach the License and then Attach it somewhere else.
Licenses that have been attached will be listed beside the module in the
License Management display.
To view all licenses use the License Depository display.
1.10 Secure Virtual Network Architecture
Securing Networks, Systems, Applications and Users
A complete network Security Policy requires the management of many
different areas of network control, including internal and external networks,
remote users, authentication, content control, bandwidth management, PKI
and encryption.
The Check Point suite of products allows all aspects of a Security Policy to
be managed through a single front end, the Policy Editor.
SVN Components
Secure Virtual Network (SVN) components that can be used to control
your Security Policy are listed in the following tables.
Security Protection (Product - Description)
FireWall-1 - Provides access control, content security, authentication, centralized management and other capabilities; the core Inspection/filtering foundation for enterprise security deployment.
SmartDefense - Protects organizations from known and emerging attacks using Check Point's intelligent security technology (was CPMAD in 4.x).
SecurePlatform Media Pack - Solution for quickly deploying Check Point's market-leading security on open platforms. Installs a core Linux filesystem, building the installation directly from a bootable CD.
VPN-1/FireWall-1 SmallOffice - Security for branch offices and MSPs that includes web-based management and seamlessly integrates with Check Point's Enterprise Management Console, Provider-1 and SiteManager-1.
Safe@ Products - Security for small businesses, remote offices and MSPs that includes web-based management and supports centralized management with the Security Management Portal.
VPN-1/FireWall-1 VSX - A high-speed, multi-policy security solution designed for data center environments.
VPN-1/FireWall-1 SecureServer - Provides firewall protection for, and enables VPN connectivity to, individual servers running critical applications. Requires a Management Console to control the security policies.
FireWall-1 GX (Wireless) - Security for 2.5G and 3G GPRS enabled wireless networks.

Security Management (Product - Description)
SmartCenter & SmartCenter Pro - Solutions for Check Point's security, VPN and Quality of Service products. SmartCenter Pro includes Visual Policy Editor, SecureUpdate, Account Management Module and full redundancy for policy management.
Provider-1 - Solution for service providers and large enterprises that enables the efficient management of multiple security policies from a single management console.
SiteManager-1 - A system that allows the Provider-1 architecture to enable service providers to deliver comprehensive, cost-effective managed security to small and medium-size businesses.
Security Management Portal - Centralized management solution for Safe@ products.
Visual Policy Editor - Visualisation tool that provides a detailed, graphical map of an organisation's security deployment.
SecureUpdate - Centralised management and distribution tool for software applications and product licenses which guarantees enterprise security is always up to date. Central license management is free; remote software updates require a license for SecureUpdate.
Account Management Module - Optional module which enables VPN-1/FireWall-1 gateways to integrate with one or more LDAP-compliant directory servers and obtain identification and security information for network users.
Reporting Module - Log consolidation and reporting tool enabling users to create custom reports for security audits, activity trending and accounting.
Real-time Monitor - A graphical, real-time VPN performance analysis solution that presents users with detailed views of network performance characteristics.
UserAuthority - Unified, secure communication layer for authenticating users to eBusiness applications.
Open Security Extension - Management tool that enables organisations to define, distribute and centrally manage the security policies for routers from within the Check Point Management Console.
Meta IP - IP address management solution that combines secure, enterprise-class DNS and DHCP services with centralized management. Integrates into Single Sign On for client authentication.

Connection Control (Product - Description)
VPN-1 Pro - Integrated VPN/Firewall solution that supports all deployment types including remote access, site-to-site and extranet VPNs.
VPN-1 Net - VPN solution for connecting multiple offices and partners, with a simplified management interface for creating the VPNs.
SecuRemote - Client application that enables remote and mobile users to securely access corporate resources. The license for this is free.
SecureClient - Client application that enables remote and mobile users to securely access company resources and protect systems with personal firewalls using the central Policy Server.

Performance Accelerators (Product - Description)
Performance Pack - Accelerates encryption and security functions for VPN-1 and FireWall-1 deployments on Linux.
ClusterXL - Integrated High Availability and Load Sharing for Check Point Gateways.
FloodGate-1 - QoS solution that ensures reliable performance for VPN and other mission-critical applications on congested network links.
VPN-1 Accelerator Card - Improves VPN-1 Gateway performance by accelerating intensive cryptographic operations.
ConnectControl - Optional module for VPN-1/FireWall-1 that intelligently balances incoming connections among multiple application servers.
1.11 Basic Common Sense Security
There tends to be a Harrods Bag syndrome associated with Firewalls. Just
because you see someone in London with a Harrods bag does not mean that
they have been shopping at Harrods. Every Firewall vendor puts
forward marketing claims regarding security. However, do not assume that
they all provide the same level of security for the same service, or even
implement security in the way you are possibly thinking.
Do not make assumptions!
If in doubt ask, even if it is just for reassurance that you are correct!
If you do not know, test it! Try and break/abuse it.
Services
Only allow the minimum number of services needed for business operations
to function. Force users to justify a service they require for business
purposes.
There is no such thing as a secure service: it is software built using an API,
software has bugs and programmers make mistakes; they just may not have
been found yet. (API - Application Programming Interface, a group of
library routines designed to simplify application development.)
If you can proxy a service, do so; it prevents users tunnelling data directly
through a port number. They can of course still tunnel data over the proxied
service.
If you do not have to have a service, for example DNS, coming into your
network, then don't. Let your ISP run your primary and secondary DNS
servers; security of the server becomes their problem. You can run internal
caching DNS servers that only internal hosts have access to.
For smaller organisations, virus-screened email services may be worth
investigating; incoming mail will then only originate from a single source.
Servers
Have an OS monitoring and patch policy. All sites usually patch their exposed
servers, but think about the internal servers as well.
Control physical and network access to servers. Apply locks to doors and
enforce strong authentication to servers if necessary. Data is a company
asset.
Locate servers on the network to provide maximum protection and control;
use multiple firewalls if necessary. Firewalls do not have to be from the
same vendor; lower cost solutions may be appropriate for internal
networks. All firewalls have similar filter abilities; once you've learnt one
you are looking for similar filtering functionality in the others.
People
Users are your biggest problem; they cannot be trusted to do what they are
told. Technical users are often a problem: they think they know what they
are doing and often find ways around security features. Learn from them.
Much as we believe everyone is honest, if you make a mistake and your job
is on the line you will attempt to cover it up.
Peer Pressure
If you are responsible for network security then you know more than the
managing director about the security risks. Just because a manager wants a
service does not mean they have to get it.
Persuade managers to set a good example.
Security Policy Procedures
Enforce the policy procedures; there is no point in writing them if no-one
knows what they are.
Incorporate criticism and feedback into the procedures. They are not cast in
stone and have to work in the business environment, otherwise they will be
ignored. Too much red tape results in procedures being bypassed.
Documentation
Every change to the firewall must be documented. Document it at the time
and not 12 hours later, or you will make mistakes. Do it even if it is just a
simple WordPad document listing the history of changes. It does not have to
be fancy with screen shots of the rules and Global Properties dialog boxes.
Read your Firewall Configuration and Change Control documentation
before you do updates, especially when multiple administrators are
involved.
Make sure any critical notes are at the front or highlighted.
Log files
Firewalls write log files; someone should be looking at them.
Prepare for the unexpected
Make sure you have complete, recoverable backups of all the servers;
if a security breach does occur then you need a plan of action.
Implement Trust procedures
Implement procedures that remove the question of trust as much as
possible. This is difficult in an IT environment, since a single administrator
has full administration rights to many servers.
No matter how much you know, assume someone knows more and think
defensively; never be bold with security.
Site Security Handbook - RFC 2196
Make sure you read this Request For Comments (RFC); it is an excellent
starting point for writing the overall site security policy.
RFC 2196 - Site Security Handbook
1.12 VPN-1/Firewall-1 Architecture - Review Questions
1. In the OSI protocol stack model, routers traditionally filter up to which
layer?
A. Hardware
B. Transport
C. Network
D. Session
E. Application
2. VPN-1/Firewall-1 is based on a technology called Stateful Inspection.
This means that the VPN-1/Firewall-1 NG Module will be able to do
which of the following?
1. Look at every layer of the OSI protocol stack.
2. Use flexible expressions to determine packet contents before
allowing connections.
3. Strip viruses from data streams.
4. Strip Java and ActiveX code from data streams.
5. Extract port information for reverse connections.
A. 1, 2
B. 1, 2, 3, 4
C. 2, 3, 4, 5
D. 2, 4, 5
E. 1, 2, 4, 5
3. VPN-1/Firewall-1 NG uses an Inspection Engine. Above which layer in
the OSI protocol stack model does the Inspection Engine sit?
A. Data link
B. Network
C. Transport
D. Physical
E. Application
4. VPN-1/Firewall-1 implements its Security Policy based on which of
the following general security principles?
A. Allow only that which is explicitly allowed, deny everything else.
B. Allow everything except that which is explicitly disallowed.
C. Allow all traffic that is from internal networks, deny all incoming
traffic.
D. All traffic is denied unless permitted by the implied rules.
E. Allow all traffic from external to internal NAT servers.
5. Which of the Following describes the behaviour of VPN-1/Firewall-1
NG?
1. Inspects packets at the Network layer.
2. Inspects packets at the Session Layer.
3. Extracts information like port details from the Application layer to
control reverse connections.
4. Uses flexible expressions to extract information from all layers of
the TCP/IP protocol stack to control connections.
A. 1, 2
B. 3, 4
C. 1, 4
D. 1, 2, 3, 4
E. 2, 3
6. CPShared is the Check Point Operating System that is silently installed
with every Check Point product. What are the main components of
CPShared?
1. cpstop/cpstart
2. Check Point Registry
3. CPShared Daemon
4. Watch Dog
5. SNMP Daemon
A. 1, 3, 4, 5
B. 2, 3, 4, 5
C. 1, 2, 3, 4, 5
D. 1, 3
E. 1, 2, 5
2 Security Policy & Rules Setup
This module is perhaps the most important. If you do not completely understand
and are comfortable with all of the objectives, you will at some point incorrectly
configure an aspect of the Security Policy. This module covers the creation of
network objects, the interaction of the rules and the limitations of the services
as defined by default.
Objectives
When you have completed this module you should be able to
Use the Policy Editor.
Validate the Management Server fingerprint during Policy Editor
connections.
Create and edit enforcement type objects.
Create and edit general network objects.
Add and delete rules.
Verify and Install the Security Policy.
Understand the use of implied rules.
Know what makes up a rulebase.
Know the rulebase filtering order.
Understand the options in the Install On column in the rulebase.
Know the exceptions to rule base filtering order.
Know how to correctly configure DNS rules.
Know how to stop and start the Firewall module.
Know how to recover after locking out Security Policy installs.
Formulate a plan and procedure for testing the Security Policy.
2.1 First Contact with the Management Server
When you start the Policy Editor from the Windows start menu you must
log on to a VPN-1/Firewall-1 Management Server unless you are using the
GUI in demo mode.
Demo mode is a new tick box selection in the Policy Editor logon dialog
box in NG FP2; in previous versions it was called *local. To use *local you
could enter anything for the Username, anything for the Password, and
*local for the Management Server. Demo or *local mode uses a local copy,
on the GUI client machine, of the configuration files. Demo mode is useful
for technical support and familiarization with the Policy Editor when a
Management Server is not available. In demo mode sample objects and
rules have already been created and may provide guidance on how a
feature should be configured.
Demo mode does not connect to a Management Server, therefore some
functionality is disabled.
GUI Login
To log in to a Management Server you must have:
A valid administrator Username.
A valid Password or authentication token.
The IP address or hostname of the Management Server.
A client IP address that is allowed to connect to the
Management Server; this is the GUI clients list. The GUI clients
list is configured in the Check Point Configuration Tool on the
Management Server. If you are using the GUI from the
Management Server you can use 127.0.0.1 as the address to connect
to.
Administrators can have different levels of permission; to fully administer
the firewall you will need Read/Write access and be allowed to use all of
the GUI clients.
Only one administrator at a time can be logged on with Read/Write
access; however, as many administrators as required can log on with Read
Only access.
Do not leave yourself logged on with Read/Write access in an environment
with multiple administrators, as it may make it difficult for others to gain
Read/Write access if your screen lock prevents them from closing down your GUI.
Read/Write access is controlled by a simple lock file that is checked when
you connect to the Management Server; if it exists you will only be allowed
to connect in Read Only mode.
The lock file is $FWDIR\tmp\manage.lock and contains the hostname
(GUI client) and username (administrator) who is currently logged on with
Read/Write access. The lock file may be left after a GUI crash and no
Read/Write access is available until the lock file is removed.
$FWDIR is the root directory where you installed the VPN-1/Firewall-1
configuration files. In Windows environments this is usually
C:\WINNT\FW1\NG but it can be any directory.
Start Policy Editor
You can run as many instances of the GUI as you like; there is no license
required. Without a Management Server to connect to, which you do have to
license, it is only useful for technical support and basic learning.
Administrator Authentication
For the first Policy Editor logon use the administrator username and
password created during installation (fwadmin/abc123 if you followed
the installation in the Appendix for the test environment).
Enter either the hostname or the IP address of the Management Server.
The login details for administrators created during installation or through
the Check Point Configuration tool are stored in $FWDIR\conf\fwmusers.
This is a plain text file and is portable between Management Stations. Its
contents may look similar to the following.
fwadmin d0fae92ce4124cfc0a190b9c72a82a92b679b745 ffffffff
The ffffffff controls the GUI clients and the type of access (read/write).
You need OS administrator access on the Management Station to modify
this file.
Fingerprint Check
The first time a GUI client connects to the Management Server the
Fingerprint check is displayed for approval. This is to prevent connecting
to the wrong Management Server. To check this value you need the value
from the Check Point Configuration tool on the Management Server.
This can be checked by looking at the Fingerprint details on the
Management Server.
The GUI client will store the Fingerprint details on the local client. If you
need to rebuild the Management Server and reconnect to the same IP
address, the Fingerprint will be different and the following will be displayed.
In the above case the hostname of the Firewall was changed and the
Management Server was re-installed.
If you want to compromise VPN-1/Firewall-1 your target should be the
Management Server, as it is usually the weakest access point and has
control over the gateways through the INSPECT scripts and the object
definition files. Secure the Management Server.
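The trust-on-first-use behaviour described above, written out as an added Python example (not Check Point's code): the store, the SHA-1 hex form of the fingerprint, the file name and the constructed certificate bytes are assumptions; the real GUI client keeps its own record and shows its own format.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional

# Added example, not Check Point's code: a trust-on-first-use record modelled on the
# GUI client's Fingerprint check. The SHA-1 hex fingerprint, the JSON store and the
# constructed certificate bytes used below are assumptions for illustration.


def fingerprint(cert_der: bytes) -> str:
    """Stand-in for the fingerprint value shown by the Check Point Configuration tool."""
    return hashlib.sha1(cert_der).hexdigest()


def normalise(fp: str) -> str:
    """Accept the value as an operator would type it: colons, spaces and case ignored."""
    return fp.replace(":", "").replace(" ", "").lower()


class FingerprintStore:
    """Fingerprints this client has already approved, keyed by Management Server address."""

    def __init__(self, path: Optional[str] = None):
        self.path = Path(path) if path else None   # None keeps the record in memory only
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def check(self, server: str, presented: str) -> str:
        stored = self.known.get(server)
        if stored is None:
            return "first-contact"   # nothing on record: compare out of band before approving
        return "match" if stored == normalise(presented) else "mismatch"

    def approve(self, server: str, presented: str) -> None:
        self.known[server] = normalise(presented)
        self._save()

    def forget(self, server: str) -> None:
        """After a planned Management Server rebuild, drop the old record so the
        next connection is treated as a first contact again."""
        self.known.pop(server, None)
        self._save()

    def _save(self) -> None:
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=2))


def connect(store: FingerprintStore, server: str, cert_der: bytes,
            cpconfig_value: Optional[str] = None) -> str:
    """Decide whether a Policy Editor session to `server` may proceed.

    cpconfig_value is the fingerprint read from the Check Point Configuration tool on
    the Management Server itself, the only trustworthy comparison on first contact.
    Returns 'approved' (first contact, verified), 'connected' or 'rejected'.
    """
    presented = fingerprint(cert_der)
    status = store.check(server, presented)
    if status == "match":
        return "connected"
    if status == "mismatch":
        # Rebuilt Management Server, or a different host answering at the same
        # address: do not proceed until the operator has checked which it is.
        return "rejected"
    if cpconfig_value is not None and normalise(cpconfig_value) == presented:
        store.approve(server, presented)
        return "approved"
    return "rejected"   # first contact with nothing to compare against


if __name__ == "__main__":
    store = FingerprintStore()
    old_cert = b"constructed DER, management server first install"
    new_cert = b"constructed DER, management server re-installed"
    print(connect(store, "192.0.2.10", old_cert, fingerprint(old_cert)))  # approved
    print(connect(store, "192.0.2.10", old_cert))                         # connected
    print(connect(store, "192.0.2.10", new_cert))                         # rejected
```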
Policy Editor
When you login to the Management Server for the first time several objects
will automatically have been created during install. The objects created
will be slightly different in a combined Management/Firewall Module than
in a split environment. In a split configuration the LocalMachine is always
created; the other object will either be the Management Server or the
Firewall.
The Policy Editor in this case displays the Visual Policy Editor (VPE) as
well as the standard areas. The VPE requires a separate license and may not
be available on your live system. From NG FP2 you can have the VPE
displayed in a separate independent window (undocked or docked). The
VPE just clutters the view and is best turned off while learning the basics
of managing the Security Policy.
Use the tool bar toggle to turn off the unwanted areas of the Policy Editor.
The areas are:
Rules
Object tree
Object list
Visual Policy Editor
A common simple configuration is to use the Rules and Objects Tree; the
other two areas just crowd the screen unless you have a large (greater than
1024x768) screen.
If you are managing VPN-1/Firewall-1 firewalls for large
organisations or a large number of clients, a high resolution 1600x1200 19
or 20 inch screen is a useful asset.
2.2 Creating Network Objects
The first stage in configuring your Security Policy is creating the network
objects; there is not a lot you can do until you have them configured.
The topics and examples in this book have used a configuration with two
Firewalls in a split Management/Firewall Configuration. To complete the
CCSA topics and some of the CCSE topics using the examples, a network
configuration with one firewall and three hosts is required. All the basic
objects will be created now. Two firewalls are required for the site to site
VPN topics.
You can create the objects as you read through the next section.
The diagram below shows the configuration used for the example
configurations in this book.
Create the following objects; you only need one pair configured. All sites
that are part of a full classroom/test environment are listed below.
Before you do the next part you need a hosts file with all the hosts you will
be using; this will allow you to use the hostnames and resolve the IP
addresses.
Check Points, Firewalls
For a full classroom/test environment the following sites and firewalls have
been used.
fw.f14.com   172.21.1.1 (Site 1 - Tomcat)
fw.f15.com   172.22.2.1 (Site 2 - Eagle)
fw.f16.com   172.23.3.1 (Site 3 - Falcon)
fw.f18.com   172.24.4.1 (Site 4 - Hornet)
fw.f22.com   172.25.5.1 (Site 5 - Raptor)
fw.sr71.com  172.26.6.1 (Site 6 - Blackbird)
[Network diagram, sites 3 (Falcon) and 4 (Hornet): www.f16.com 10.3.3.1 on
10.3.3.0/24 behind fw.f16.com 172.23.3.1; www.f18.com 10.4.4.1 on 10.4.4.0/24
behind fw.f18.com 172.24.4.1; each firewall's inside address is labelled (254);
www.server.com with addresses 172.23.3.254 and 172.24.4.254 sits between the
172.23.3.0/24 and 172.24.4.0/24 networks.]
www.server.com has virtual addresses so it can be on both networks and act as the router between
the two networks. The full configuration is required for CCSE VPN topics; only one half is required to
complete CCSA topics.
Nodes, Hosts
www.f14.com   10.1.1.1
www.f15.com   10.2.2.1
www.f16.com   10.3.3.1
www.f18.com   10.4.4.1
www.f22.com   10.5.5.1
www.sr71.com  10.6.6.1
Nodes, Hosts
Only create one of the following www.server.com objects, depending on which site
you are:
www.server.com 172.21.3.254 (if you are site 1 Tomcat)
www.server.com 172.22.2.254 (if you are site 2 Eagle)
www.server.com 172.23.3.254 (if you are site 3 Falcon)
www.server.com 172.24.4.254 (if you are site 4 Hornet)
www.server.com 172.25.5.254 (if you are site 5 Raptor)
www.server.com 172.26.6.254 (if you are site 6 Blackbird)
Networks
Site           Object Name     Net Address   Mask
1 - Tomcat     net-10.1.1.0    10.1.1.0      255.255.255.0
2 - Eagle      net-10.2.2.0    10.2.2.0      255.255.255.0
3 - Falcon     net-10.3.3.0    10.3.3.0      255.255.255.0
4 - Hornet     net-10.4.4.0    10.4.4.0      255.255.255.0
5 - Raptor     net-10.5.5.0    10.5.5.0      255.255.255.0
6 - Blackbird  net-10.6.6.0    10.6.6.0      255.255.255.0
Create the Firewall Object
Objects can be created from several locations in the User Interface:
Menu bar: Manage -> Network Objects.
Objects Tree: 2nd mouse button, New.., type of object.
Objects List: shows a specific type of object; use 2nd mouse button,
New (you must have a blank area to click on).
In NG, objects can now also be created on the fly when you need them
from dialog boxes within the user interface, instead of having to exit the
dialog, create the object and re-enter the dialog box.
fw.f16.com This is a Check Point type object since it is an enforcement point with
VPN-1/Firewall-1 installed. Previous (4.x) versions only had an object type of
Workstation, with dialog settings to indicate VPN-1/Firewall-1 was
installed.
In NG FP2 a wizard can step you through the creation but this is more for
novices and it is better to remove the Wizards option and use Classic mode.
The Wizard is not very helpful if the object settings are not fully
completed, you then have to manually edit the object anyway.
Turn off Wizard prompts for the future, this can be changed or set in the
Policy - Global Properties.
Enter the Name of the object, DNS or hosts file resolvable and Select the
Get address button.
Get Address The Get Address button retrieves the IP address given the hostname of the
object using the system settings of the Management Server, usually hosts
file, and DNS.
Description Add a suitable description in the Comment area.
Version Make sure the version displayed is correct; this ensures the Management
Server generates the correct version of the INSPECT code.
Product Selection Select VPN-1 Pro, since this object is an encryption enabled enforcement
point.
SIC setup You must setup the Secure Internal Communications (SIC) before trying to
get the Interfaces from the Topology dialog. In a combined Management/
Firewall Module SIC is configured during install since both are on the
same host.
The secret you configure here is the same one you entered during the install
of the Firewall module.
If the secrets are the same then trust should be established. If trust failed
then you will need to reset the secret on the firewall module and try again.
If you select Reset you will need to reset the SIC secret on the Firewall
module. Only do this if that is the intention; a warning dialog will appear.
You can Test the SIC status at any time.
Topology Change to the Topology dialog and get the Interface details.
The topology may take up to 90 seconds to respond.
The interfaces on the firewall module will be displayed.
This is where Anti-Spoofing will be configured. Anti-Spoofing is an
important part of your Security Policy configuration but is explained in
detail later.
The basic details for your firewall object have been set, Select OK to
complete the object creation.
Internal Certificate The Internal CA will create a certificate for this object because VPN-1 Pro
is selected and this is a VPN object.
The Firewall object is now complete and should be listed in the Objects
Tree and Objects List.
External Partner Firewall This object is not strictly needed for the CCSA topics but is useful to have
it ready for the CCSE topics. Your Management Server does not control
this object and cannot install Security Policies or get topology information
from it, but you know it is a VPN-1/Firewall-1 gateway, important for Site
to Partner Site (Extranet) VPN configuration.
Create Partner Gateway This is a Check Point type object.
Only set the basic details, Name, use Get address, if the hostname is
resolvable or fill in the IP address, add a Comment and select the Version
and Product Installed. No other options need to be set on this object until
VPN configuration with a partner.
www.yoursite.com Create the web server object for your site, www.f16.com.
Do this even if you have a www-f16 object created by default. You would
have this object if you installed in a split environment and the machine
name is www-f16.
This is a Nodes, Host type object.
Enter the name and use the Get address if the name is resolvable, add a
Comment and select a Color.
The object definition is complete, select OK.
Since an object with this IP address already exists, www-f16, a warning
message will appear, Confirm that you want to create the object.
You can safely have multiple objects with the same IP address but as
general practice you should avoid doing so, as too many duplicate objects
can make the rulebase difficult to follow or debug.
www.partner.com Create your partner web server object, again this is type Nodes, Host.
Fill in the name and complete the object details.
www.server.com Create the external test server, the name will be www.server.com but the
address will be different for each site. Type Nodes, Host
www.server.com 172.21.3.254 (if you are site 1 Tomcat)
www.server.com 172.22.2.254 (if you are site 2 Eagle)
www.server.com 172.23.3.254 (if you are site 3 Falcon)
www.server.com 172.24.4.254 (if you are site 4 Hornet)
www.server.com 172.25.5.254 (if you are site 5 Raptor)
www.server.com 172.26.6.254 (if you are site 6 Blackbird)
Networks Create two network objects, one for your site, and one for your partner site.
In the classroom/test environment partners are:
Site 1 & Site 2
Site 3 & site 4
Site 5 & Site 6
net-10.3.3.0 You should consider a naming convention for all objects, some objects are
easy like web, ftp and email.
Set the network and subnet mask, the object name is net-10.3.3.0, this is a
simple naming convention which allows easy identification of network
objects in the rulebase.
Note the Broadcast address setting is Not included. This means that
10.3.3.255 will not be considered to be part of the network and match a rule
if the source is net-10.3.3.0. This is a normal configuration in Security
Policies for network objects.
You do not want a packet leaving your network with source address
10.3.3.255, because when replies come back they could create a broadcast storm.
net-10.4.4.0 Create the partner network object.
Object Tree Expanded You should now have the following objects created and are ready to start
creating rules. The objects may be different if you are not site 3 or 4.
2.3 Adding Rules to the Security Policy
The Security Policy is created by adding rules and using the object
definitions as either Sources or Destinations along with the type of service
allowed between them. Note Any in a rule is a default value that acts as a
group that contains all possible values, not always what you want even if it
is convenient.
Rule base Elements The rulebase elements are the headings for each column in a rule. In a
default NG FP2 this includes the If Via column used for simplified VPNs.
Removing the If Via Element The If Via Column only applies when doing simplified VPNs. For the
moment it is just a distraction, to remove it change the setting in Global
Properties - VPN Pro, to Traditional VPNs. It is currently set to
Traditional and Simplified (default for NG FP2 install). VPNs, Traditional
and Simplified are explained in the CCSE topics.
This setting will apply to new Security Policies, not the existing default
Policy currently being used. The default Policy currently being used is
called Standard.
New Security Policy Create a new Security Policy called mgmt-1, which will be used for the
CCSA topics. Managing Security Policies and reversion control is
explained later.
You will be prompted to Save any changes made to the current Security
Policy and objects. The objects you create are common to all Security
Policies.
Select Security and Address Translation and Desktop Security.
Rulebase Elements without If Via
The new Security Policy should not have the If Via Column, this would be
the same as all pre NG versions of the Policy Editor rules.
Adding rules To add a rule use the Rules - Add, from the menu.
Default settings Every time you add a rule, it is added with default settings as shown below.
To set any value for the rulebase elements use the 2nd Mouse button in the
rule element area.
Rule Number This indicates the position in the rulebase. Rule order is very important:
rules are executed in 1 to n order, the first matching rule is executed and no
other rules are tested. There is an exception to this if the Action is
Authenticated and when using Simplified VPN rules.
Source and Destination Add a source or destination to the rule, select from the list of existing
objects or you can create the object if it does not exist.
Service To add services select from the pre-defined list of services, new services
can be created if they are not defined as standard. Note you can select
multiple services by using Mouse Button 1 + Ctrl.
Action The Action determines what happens to a packet when it matches a rule.
The encrypt actions are covered in the CCSE topics.
Accept - allow the packet if it matches the rule.
Drop - discard the packet giving no reply to the client.
Reject - reject the packet and provide a response to the client.
User Auth - requires a User Authentication, service http/telnet/ftp/rlogin.
Client Auth - requires a Client Authentication, any service.
Session Auth - requires a Session Authentication, any service.
Encrypt - apply encryption between the source and destinations, site to site
encryption.
Client Encrypt - apply a client to gateway encryption, requires the user to
authenticate.
Track This determines the type of tracking that is done for the rule. The size of
your log file growth will depend on the number of rules set to log and the
volume of traffic through the firewall.
Install On This determines which enforcement points the rule will apply to, a single
rule could apply to multiple gateways or you could specify a specific
target.
Gateways, applies the rule to any object with Check Point VPN-1/Firewall-1
installed and checked as a gateway and under control of the Management
Server.
Dst, applies the rule to the firewalled object(s) in the Destination element
and the firewall filters in an inbound direction.
Src, applies the rule to the firewalled object(s) in the Source element and
the firewall filters in an outbound direction.
OSE Devices - Open Security Extension Devices can be Cisco, BayRS,
3Com routers. The rule will be converted to ACL format of the device and
installed on that device. Requires a separate license.
Embedded Devices - Apply the rule to the objects in the objects database
that are defined as Embedded objects. These objects can be type Nokia
IP5x or Xylan, they have a Firewall-1 module installed on them.
Targets, installs the rule on the specific target firewalled object.
The majority of rule examples in this book will use Policy Targets as the
setting. This is a common setting if you only have one firewall module.
You do not need to use Targets Specific for the CCSA examples in this
book as you will only be controlling a single VPN-1/Firewall-1 module. It
may be used in the CCSE topics for VPNs, where different rules are
installed on different targets. Policy Targets means install the rule on all
targets under the control of the Management Server.
Time This element can control when the rule will apply, Time objects need to be
created and selected from the list.
Comment Comments in rules are important, it is your front line documentation,
however, comments cannot be more than 255 characters. This is not a
substitute for a firewall Security Policy configuration and change control
document.
Create the following Rules.
Stealth Rule This rule is usually in the rulebase to prevent access to the Firewall.
Management connections for installing Policies are treated separately by
the implied rules. This is known as the stealth rule because no response to
any incoming packet is made. The target destination is the Firewall which
silently drops the packets and in this case logs the event.
It is not always the first rule but is usually somewhere near the start of the
rules.
Change the rule added from the defaults to have a destination -
fw.yoursite.com and Track - log, if you did not previously add a rule, add a
rule now and change the default settings.
Anything Out Bound Rule This rule allows anything from the internal network to Any destination,
including the IP addresses of the firewall (that is why the stealth rule is
above it). In this form it is a fairly liberal rule in that Any service is
allowed. Allowing all services is convenient for the time being; as the
Policy evolves a limited set of services can be configured. On a live
Firewall always start with the minimum number of services required.
Add the Anything out bound rule.
Clean up Rule This rule is almost always in a Security Policy and is the last rule. You
do not strictly need it, because if a packet has not matched a previous
rule and reaches the end of the rulebase the packet is dropped. However,
in that case the packet is silently dropped and not logged, and usually you
need to know what is being dropped.
Add the clean up rule.
Broadcast Junk Some packets, like broadcasts will arrive at the firewall and be dropped and
logged by the Clean up rule. To reduce the amount of logging, a rule can be
configured to drop the traffic without logging by matching a rule higher up
in the rulebase.
If you have a large amount of broadcast traffic that is visible to the firewall
this rule should be near the top of the rule base. You want to have the
packets match without dropping through all the rules. Depending on your
network configuration there may be very little visible broadcast traffic.
Add a rule to the beginning of the rulebase, it will become rule 1, all other
rules will be renumbered.
Add nbname and nbdatagram as the services, there may be others but this
will do to start.
If there are a lot of different broadcast services then a cleaner method is to
create a Service Group and put the services into the group.
For example you might want to create a group Broadcast_junk and use
that.
Create a new Group.
Add nbname and nbdatagram to the group.
Now you could change the rule to use the Service Group name instead of
adding services individually to the rule. The use of groups keeps the
rulebase tidy, however you cannot just look at the rule to see the list of
services.
The rule would change to.
In NG FP2 you can drag and drop rules to change their position.
Current Rulebase check Make sure you do a file save, although for each object you create it is saved
at the time of creation this is not true for rules you have added.
Your rulebase should look similar to the following.
Negating objects in Rules Since anti-spoofing has not yet been configured, rule 3 might be better
written using the negate option which can be applied to Source,
Destination or Service elements.
You could change rule 3 to the following.
Notice the destination is net-10.3.3.0 negated and not Any, the negate
means anywhere but net-10.3.3.0. This means that if a packet arrived from
an external site with a source IP address in net-10.3.3.0 and a destination
IP address in net-10.3.3.0 it would not match this rule and drop to the next
(rule 4) which would drop it.
The previous version of the rule would accept a packet with source
10.3.3.1, destination 10.3.3.252 as the packet contents would match the
rule, even if the packet originated from the external network.
Once anti-spoofing is configured this would not be an issue and there
would be no need to negate the destination.
Having a lot of negates in a rulebase makes it more difficult to follow the
rulebase logic.
When you install your Security Policy there may be warnings about
anti-spoofing configuration until you configure the settings for anti-spoofing.
Anti-spoofing is only set on your firewalled objects.
2.4 Installing and Verifying the Security Policy
For changes to take place in your rulebase and affect your firewall you
must install the policy. Any change to an object or setting within the
Security Policy Editor will require a Policy install, except User database
changes which can be installed separately.
Verify the Security Policy Policy - Verify does some integrity checks on the rules to make sure there
are no conflicting rules or settings that will result in the Policy failing to
compile. The verify does not catch everything and sometimes the verify
may be OK but the Policy install fails.
You should get into the habit of doing Policy - Verify, then Policy - Install.
If you do not verify the Policy and just do an install, the Policy compilation
may fail but it will not break your firewall.
Installing the Security Policy To install your Security Policy select Policy - Install... and select the target
Firewalls you want to install the Policy on. In this case there should only be
one Firewall.
[Toolbar buttons: Verify Policy, Install Policy, Uninstall Policy, Revision Control]
You will be warned about implied rules which are set in the Global
Properties dialog box. Just select OK and continue the Policy install,
implied rules are explained later.
If you have multiple firewalls you can select the firewalls that this Policy
install will apply to.
Warning about no anti-spoofing configuration.
Policy install complete.
You should now have a policy installed on your firewall ready for testing.
Your firewall will now be able to route packets through it providing a rule
is matched.
Uninstalling the Security Policy
To uninstall the Security Policy, select Policy - Uninstall..., you do not
have to uninstall policies before installing new ones. New policies
override the INSPECT code of the current installed policy. There may be
times when you need to unload the policy but that is usually because you
have installed a policy that prevents any access to the Firewall, including
policy installs.
Uninstalling the policy can be done from the command line on the
Management Server or firewall. Using fw unloadlocal on the Firewall
module and fwm unload target where target is the hostname of the
Firewall from the Management Station, providing it can communicate with
the Firewall module.
Do not uninstall your policy at this time! If you did then install it again.
2.5 Testing the Security Policy
Test your Security Policy by using ftp or a web browser. You should at
least be able to connect to the server www.server.com, in your
environment. You could attempt access from an external server to the
internal server to check drops as well.
Testing a Security Policy is vital to having confidence in the policy that is
currently installed. Just because it is a Firewall does not mean it is
secure, administrators make mistakes. Make sure the rules work the way
you expect. It is a piece of software, software has features.
Track events you expect in the log file and in some cases, snoop the traffic
to ensure it is in the format you expect - encrypted maybe.
Never just trust the Firewall Security Policy, this is regardless of which
product you are using. That is why companies pay to have their Firewall
audited, you could create your own audit tools and procedures. There are
plenty of scanners around, languard, nmap, iss.
Your Firewall is now controlling network connections, once in place it will
be the first location of blame for failed network connections and you
should start to think about how you will prove this not to be the case. When
using Unix Firewalls this is fairly simple, use snoop or tcpdump on the
internal and external interfaces to prove the packet is visible on both
networks. Then send the dump to the administrator complaining your
firewall is blocking his/her connections. When using NT firewalls
depending on accessibility you may need snooping tools either side of the
Firewall.
In small organizations this is not an issue but in larger networks it is definitely
an issue.
2.6 Basic Log Viewer information
You can start the Log Viewer and see the logged events to check that
packets are being accepted, logged, dropped or rejected as you expect.
Your logged events may look similar to the following.
The log viewer has standard filter views, select the required view from the
toolbar.
The General view does not show full Source/Destination IP address and
service, the Firewall-1 view does that.
2.7 Implicit and Explicit Rules in the Security Policy
Most, if not all firewalls implement a Policy that assumes, That which is
not expressly permitted is prohibited. This means that until there is a
rule that allows traffic through the firewall nothing is allowed.
In order to simplify the installation for the majority of users there are
certain rules that are added by some firewall vendors by default.
In VPN-1/Firewall-1 these rules are known as implied rules.
You have created four explicit rules, and if the question came up as to how
many rules you have just installed, your answer would probably be four.
In fact, you installed forty five rules, four that you created and 41 that
Check Point set as default rules. The 41 implied rules apply to a default
install of NG FP2, there were fewer in previous versions.
Implied rules are installed to simplify Policy installs and reduce the
number of technical support calls regarding the firewall not working. For
full time network engineers the services in the implied rules can be
evaluated and removed if necessary without much difficulty since they are
using network services regularly. If you remove implied rules and need
the service you will have to add an explicit rule.
For the novice who is thrown in at the deep end, if these services had to be
added manually before the firewall would work they would probably use a
different product.
The default implied rules can be turned off but only if you know what you
are doing, and in the process of setting the right explicit rules you may
block the ability to install Policies. (You are going to do this so you will
know how to recover if it happens.)
In early versions of VPN-1/Firewall-1 the default rules had DNS tcp, DNS
udp and RIP turned on by default which was not necessary, NG has these
turned off by default. If you upgrade your Firewall the settings are
inherited from the previous configuration.
If you have an environment where the Management and Firewall module is
installed on the same box then you can turn the implied rules off without
having to set explicit rules for the majority of installations.
To view the implied rules, select View - Implied Rules, this is a toggle,
select once to show and again to show only explicit rules.
The implied rules in a default install are.
This shows the implied rules integrated into your explicit rules.
Implied rules are set in the Policy - Global Properties dialog box.
To turn off most of the implied rules untick Accept VPN-1 & Firewall-1
control connections.
The rulebase with implied rules shown should now look like the following.
If you are in a split environment with the Management and Firewall
module on separate boxes and install the above Policy then you will not be
able to install new Security Policies. The install of the above policy would
appear to hang half way through the install since you would cut connections
off because of the new rulebase, but the Policy would get installed.
Do not install this policy yet.
The implied rules that are left apply to the remaining tick boxes in the
Firewall-1 Implied Rules dialog box.
Notice the position of the implied rules, some are before your first
explicit rule, and one before your last rule.
First, Before Last, Last Implied rules can be positioned, First, before your first explicit rule,
Before Last, before your last explicit rule, and Last, after your last explicit
rule. You may think that since you have an explicit last rule that drops
everything that no rules will apply after it, since it would drop everything at
this point. Not true, implicit rules may apply but it depends where the
packet originated, if it is from the Firewall then the implied rule may apply
and be matched.
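As an added worked example (not from this book or from Check Point), the following Python models the first-match evaluation of rules 1-4 from this chapter: the spoofed-packet case from Negating objects in Rules, the Not included broadcast address on net-10.3.3.0, and the First, Before Last, Last merge of implied rules. IMPLIED_CONTROL is a constructed stand-in for the control connections implied rule, and www-f16 (10.3.3.1) is assumed to be the Management Server as in the chapter's split environment.

```python
# Added illustration, not Check Point code: objects and rule order come from
# this chapter; IMPLIED_CONTROL is a constructed stand-in for an implied rule.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple, Union

ANY = "Any"


@dataclass
class NetObject:
    """Network object; broadcast_included mirrors the object's
    'Broadcast address: Included / Not included' setting."""
    name: str
    net: IPv4Network
    broadcast_included: bool = False

    def contains(self, ip: IPv4Address) -> bool:
        if ip == self.net.broadcast_address and not self.broadcast_included:
            return False
        return ip in self.net


@dataclass
class HostObject:
    name: str
    ip: IPv4Address

    def contains(self, ip: IPv4Address) -> bool:
        return ip == self.ip


Obj = Union[NetObject, HostObject, str]  # the str form is only ever ANY


@dataclass
class Rule:
    name: str
    src: Obj
    dst: Obj
    service: Union[str, frozenset]  # ANY or a set of service names
    action: str                     # accept / drop / reject
    negate_src: bool = False
    negate_dst: bool = False
    log: bool = False


def _elem_match(obj: Obj, ip: IPv4Address, negate: bool) -> bool:
    hit = obj == ANY or obj.contains(ip)
    return (not hit) if negate else hit  # negate means "anywhere but"


def rule_matches(rule: Rule, src: IPv4Address, dst: IPv4Address, svc: str) -> bool:
    return (_elem_match(rule.src, src, rule.negate_src)
            and _elem_match(rule.dst, dst, rule.negate_dst)
            and (rule.service == ANY or svc in rule.service))


def first_match(rulebase: List[Rule], src: str, dst: str,
                svc: str) -> Tuple[Optional[int], str, str]:
    """Top down: the first matching rule decides and no further rule is
    tested. Falling off the end of the rulebase is a silent, unlogged drop."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for number, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, s, d, svc):
            return number, rule.name, rule.action
    return None, "end of rulebase", "drop"


def merge_implied(explicit: List[Rule], first=(), before_last=(),
                  last=()) -> List[Rule]:
    """Place implied rules First, Before Last and Last around the explicit
    rules, the order View - Implied Rules shows them in."""
    return (list(first) + explicit[:-1] + list(before_last)
            + explicit[-1:] + list(last))


NET_10_3_3_0 = NetObject("net-10.3.3.0", IPv4Network("10.3.3.0/24"))
FW_F16 = HostObject("fw.f16.com", IPv4Address("172.23.3.1"))


def chapter_rulebase(negate_outbound_dst: bool = False) -> List[Rule]:
    """Rules 1-4 as built in the chapter. With negate_outbound_dst the
    destination of rule 3 is net-10.3.3.0 negated instead of Any."""
    outbound_dst = NET_10_3_3_0 if negate_outbound_dst else ANY
    return [
        Rule("Broadcast junk", ANY, ANY, frozenset({"nbname", "nbdatagram"}), "drop"),
        Rule("Stealth", ANY, FW_F16, ANY, "drop", log=True),
        Rule("Anything outbound", NET_10_3_3_0, outbound_dst, ANY, "accept",
             negate_dst=negate_outbound_dst),
        Rule("Clean up", ANY, ANY, ANY, "drop", log=True),
    ]


# Constructed stand-in for the implied First rule that lets the Management
# Server reach the firewall on CPD, the service used for Policy installs.
IMPLIED_CONTROL = Rule("Implied: control connections", ANY, FW_F16,
                       frozenset({"CPD"}), "accept")


if __name__ == "__main__":
    # Spoofed packet (src and dst inside net-10.3.3.0) against both forms of rule 3.
    print(first_match(chapter_rulebase(False), "10.3.3.1", "10.3.3.252", "http"))
    print(first_match(chapter_rulebase(True), "10.3.3.1", "10.3.3.252", "http"))
    # A CPD Policy install from www-f16 once the implied rule is gone: stealth rule.
    print(first_match(chapter_rulebase(), "10.3.3.1", "172.23.3.1", "CPD"))
```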
2.8 Rule Base Filtering Order
Packets are filtered in a simple top down order, it is an if then else step
ladder, the first matching rule will apply and no further rules will be tested.
However, you must consider, SAM (Suspicious Activity Monitoring),
Anti-spoofing, implied and explicit rules and how they are merged to
form a single rulebase.
SAM and Anti-Spoofing are explained later.
2.9 Rule Base Filtering Order, Exception - Authentication
Consider the following rules.
Both rule 3 & 4 have an action of User Auth, explained in Authentication
topics, which requires a user account authentication before matching the
rule.
There are 2 groups, Sales and Techs. Until the user types in an account
name the Firewall will not know which rule to match against therefore it
must always match the first authentication rule even if it does not end up
applying. Normally the first matched rule will be the only rule checked but
in this case the user may belong to Techs and not Sales so the packet would
not be Rejected/Dropped by rule 3 but passed through all rules that have an
action Auth. In fact because of the way the Inspection Engine works with
Authentication, rule 5 will also be checked and since the source,
destination and service matches the User Auth rules it applies and the user
would go out without getting authenticated.
[Diagram from 2.8, Inspection Engine packet flow: Anti-Spoofing rules, then
SAM rules (see Block Intruder), then the state tables (tcp_timeouts,
proxied_conn, connections, udp_services, tcp_services). An expected packet
with an entry in the state tables is accepted; with no details of the
connection in the state tables the rules are checked to find the first
matching rule. An Accept action updates the state tables and the packet is
accepted and handled by the OS IP stack; Reject sends a Nack; Drop discards
the packet; no matching rule means the action is drop. Useful command:
fw tab -t connections -s]
It may appear that the least restrictive rule is being applied but that is just
the way the Inspection Engine handles groups of users and an
Authentication Action. It would not matter if the Action is User Auth,
Session Auth or Client Auth.
This will only be a potential problem if you are authenticating users from
Internal to external networks. You would never normally have a rule that
just let you in to your internal networks without authentication. Always
check the rules work in the manner you expect, never make assumptions.
2.10 Policy Properties, Controlling Implied Rules
Turning Implied Rules off If you are using a combined Management/Firewall module installation you
can turn off the implied rules for simple Firewall configurations without
any problems.
If you are in a split environment then you will break Management to
Firewall module communications and will not be able to install a new
Security Policy.
Your rulebase should look something like the following, this is with the
implied rules displayed and the Accept VPN-1 & Firewall-1 control
connections turned off.
Install this Security Policy
This assumes you installed the software in a split environment, which is
more interesting for learning.
The Security Policy may appear to hang and you will not get the usual
close button. The rules will have successfully been installed. To check you
could run the command fw stat on the Firewall module and it will
display the current Policy name and install time.
On the Management Server you would normally be able to run fw stat
fw.f16.com but the connection would be blocked in this case. In versions
before NG FP2 the fw command applied to Firewall modules and
Management Servers, FP2 split the command into fw for commands on a
Firewall Module and fwm for commands on a Management Server.
The service CPD is used to install Policies. It is now no longer allowed
between the Management and Firewall module and is being dropped. You
will not be able to install a new Security Policy even if you set the VPN-1
control connections in the Global Properties.
Locked out of Policy Installs - Recovery Procedure
Make sure that you have ticked the VPN-1 control connections. Otherwise
you will end up installing a Policy once and block the next install.
This will turn on all the implied rules.
You will need to install the Policy but you cannot currently do that since
the current installed rules drop all connections to the Firewall, that is the
stealth rule at work.
On the firewall module workstation, not the Management Server, you must
unload the Security Policy.
Logon to the firewall module box and bring up a command prompt and run
the following command.
fw unload fw.f16.com
Note: This command is obsolete.
Calling "C:\WINNT\FW1\NG\bin\fwm unload fw.f16.com" instead
Uninstalling Policy From: fw.f16.com
VPN-1/FireWall-1 policy successfully uninstalled from
fw.f16.com...
VPN-1/FireWall-1 policy Uninstallation complete
Note from NG FP2 the command you should use is
fw unloadlocal
This will unload the Security Policy from the Firewall module, this means
that there is no Policy installed and connections can be made to the firewall
on any of its interfaces. Connections cannot pass through the firewall but
they can go to it. [Yes, it does matter that the firewall box is running a
minimum set of services and they are patched, this may be a point of
vulnerability, that is why people like appliances the OS is stripped and
secured].
Since there is no Policy you should be able to install a new Policy on the
Firewall module - go ahead and install your Policy.
If you want to load the Policy from the command line instead of through
the GUI then you can use the following on the Management Station.
fwm load c:\winnt\fw1\ng\conf\mgmt-1.W fw.f16.com
mgmt-1.W: Security Policy Script generated into mgmt-1.pf
mgmt-1:
Compiled OK.
Installing Databases On: localhost
Database installed successfully on www-f16...
Database installation complete
Database installation Succeeded for:
www-f16
Installing VPN-1/FireWall-1 policy On: fw.f16.com ...
VPN-1/FireWall-1 policy installed successfully on
fw.f16.com...
VPN-1/FireWall-1 policy installation complete
VPN-1/FireWall-1 policy installation Succeeded for:
fw.f16.com
A rule that you may want to consider adding if you are installing Security
Policies on remote Firewall modules is the following.
It has to come before the stealth rule that drops all packets to the
firewall. It would allow you to Secure Shell to the firewall to perform
the Policy unload without having to be physically at the module console. It
does assume that you have Secure Shell installed on the Firewall module,
which may not be the case in Windows environments.
For Nokia firewalls you would need to configure and turn on the sshd
package.
Your site Security Policy procedures may dictate that you must physically
be at the console and remove all external cables before doing the Policy
unload. Or you may have to bring down a perimeter router to prevent
incoming connections until the unload and new Policy install has been
done.
Note the log file will have logged the unload and load so you cannot hide it.
DNS as an Implied Rule
Most sites, since the Firewall is at the perimeter to the Internet, require DNS
UDP (domain queries) through the Firewall.
The simple and usually incorrect way of doing this is to use the implied
rules. If your technical support suggest that you should just turn on the
implied DNS rules, either they do not know what they are doing or they
believe you do not, and it will be a technical headache if they have to explain.
For clarity, but do not install the Security Policy, untick VPN-1 &
Firewall-1 control connections in the Global properties. This is just to
reduce the number of rules you are looking at. Remember to set it again
before you install a Policy.
You should now be back to the following.
In the Global Properties, Firewall-1 Implied Rules there are two settings
that relate to DNS.
For your internal hosts to do DNS queries to external DNS servers, you
need Domain name queries (UDP port 53).
For external DNS servers to copy your zone records you need Domain
Name Zone transfer (TCP port 53).
Just so you are clear, you do not need to tick either of these in a live
firewall; use explicit rules. Internal firewalls may be a different situation.
Here's why you do not want to turn these on.
Turn them on and look at the implied rules that have just been added.
When you look at the rules, alarm bells should start immediately: the
source and destination are Any. A rule that has Source = Any, Destination
= Any and Action = Accept should set off alarm bells.
You might of course be thinking that since this is an Inspection Engine and
it is protocol aware, nothing would get through that was not DNS traffic, so
the risk is small. Well, maybe the only thing the Inspection Engine checks is
the port number 53; you would only ever know by testing the port with
tunnelled data. If you could tunnel any protocol through the port then only
the port details are checked. There will be timeouts, fragmentation and
overlap checks, but that is irrelevant if you can tunnel other protocols
through it.
In this case you can tunnel anything over port 53; this may change for DNS
UDP queries in NG FP3.
This would appear to be bad, since you can go either way through the
Firewall and no logging is done by default for implied rules. For a large
number of sites you probably cannot come from the Internet on port 53 to
just any host because the perimeter router will have Access Control Lists
controlling access to specific ports and hosts, port 53 being one of them. You may
have no ACLs on your perimeter router; you need to know, as they can
interfere with services you want to allow. Perimeter routers are often
owned and configured by your ISP.
Remember, implied rules are there to simplify user configuration; they usually
provide wider access than required. This applies to anything that is a
simplified configuration.
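As an added example (not the book's or Check Point's code) of the two points made above, the following Python models first-match rule evaluation over a constructed objects database: the administrator Secure Shell rule is only reached when it sits before the stealth rule, and the implied DNS rule (Source = Any, Destination = Any, Accept, not logged) accepts an inbound port 53 packet from the Internet to an internal host that the explicit internal-DNS-to-ISP-DNS rule plus a logged clean-up rule would drop. All object names and addresses, and the assumption that the implied rule sits ahead of the explicit rules, are constructed for the example.

```python
"""First-match rulebase evaluation: an added illustration, not Check Point code.

It models two points from the text: a rule that lets an administrator Secure
Shell to the firewall must sit before the stealth rule or it is never reached,
and an implied DNS rule with Source = Any, Destination = Any and Action = Accept
admits traffic that the explicit rule a site actually needs would drop.
All names and addresses below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

# Constructed objects database: object name -> networks it covers.
OBJECTS = {
    "fw.f16.com":   [ip_network("192.0.2.1/32"), ip_network("10.3.0.1/32")],
    "mgmt-1":       [ip_network("10.3.0.10/32")],
    "dns_internal": [ip_network("10.3.0.53/32"), ip_network("10.3.0.54/32")],
    "dns_isp":      [ip_network("198.51.100.53/32"), ip_network("198.51.100.54/32")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # object name or "Any"
    dst: str
    service: str    # "domain-udp", "ssh", ... or "Any"
    action: str     # "accept", "drop" or "reject"
    track: str      # "log" or "none"


@dataclass(frozen=True)
class Packet:
    src: str        # IP address
    dst: str
    service: str


def _covers(obj, addr):
    """True when the rulebase object covers the address."""
    return obj == ANY or any(ip_address(addr) in net for net in OBJECTS[obj])


def evaluate(rulebase, pkt):
    """Walk the rulebase top to bottom and return (rule name, action, logged)
    for the first rule that matches.  A packet that matches nothing is dropped
    silently and unlogged, which is why sites add an explicit clean-up rule."""
    for rule in rulebase:
        if (_covers(rule.src, pkt.src) and _covers(rule.dst, pkt.dst)
                and rule.service in (ANY, pkt.service)):
            return rule.name, rule.action, rule.track == "log"
    return "implicit drop", "drop", False


def find_overbroad(rulebase):
    """The 'alarm bells' check: accept rules with both Source and Destination Any."""
    return [r.name for r in rulebase
            if r.action == "accept" and r.src == ANY and r.dst == ANY]


# The rules discussed in the text (constructed object names).
SSH_TO_FW = Rule("admin ssh to firewall", "mgmt-1", "fw.f16.com", "ssh", "accept", "log")
STEALTH = Rule("stealth", ANY, "fw.f16.com", ANY, "drop", "log")
EXPLICIT_DNS = Rule("internal DNS to ISP DNS", "dns_internal", "dns_isp",
                    "domain-udp", "accept", "log")
CLEANUP = Rule("clean up", ANY, ANY, ANY, "drop", "log")
# Implied DNS rule as Global Properties adds it: Any/Any/accept, not logged.
IMPLIED_DNS = Rule("implied domain-udp", ANY, ANY, "domain-udp", "accept", "none")

GOOD_ORDER = [SSH_TO_FW, STEALTH, EXPLICIT_DNS, CLEANUP]
BAD_ORDER = [STEALTH, SSH_TO_FW, EXPLICIT_DNS, CLEANUP]   # ssh rule never reached
# Assumption for the model: the implied rule sits ahead of the explicit rules.
WITH_IMPLIED_DNS = [IMPLIED_DNS, STEALTH, CLEANUP]

# Constructed test traffic.
ADMIN_SSH = Packet("10.3.0.10", "10.3.0.1", "ssh")
RESOLVER_QUERY = Packet("10.3.0.53", "198.51.100.53", "domain-udp")
INBOUND_53 = Packet("203.0.113.7", "10.3.0.25", "domain-udp")   # Internet -> internal host

if __name__ == "__main__":
    for label, rulebase in [("good order", GOOD_ORDER), ("bad order", BAD_ORDER),
                            ("implied DNS", WITH_IMPLIED_DNS)]:
        for pkt in (ADMIN_SSH, RESOLVER_QUERY, INBOUND_53):
            print(label, pkt, "->", evaluate(rulebase, pkt))
        print(label, "over-broad accepts:", find_overbroad(rulebase))
```

Running it shows the administrator's SSH session matching the stealth rule (dropped, logged) when the rule order is wrong, and the Internet-to-internal port 53 packet accepted without a log entry once the implied rule is present, while the explicit rulebase drops it at the logged clean-up rule.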
Unset the DNS implied rules and make sure Accept VPN-1/Firewall-1
control connections is allowed, i.e. ticked.
Configuring DNS in a Live Environment
There is no single correct solution, but a common configuration for larger
organisations would be the following. Actually, size has nothing to do with it:
security risk assessment and what you have to lose are the main considerations.
Two internal DNS servers, set to forward all unknown queries to ISP DNS
servers, all internal hosts resolve off the internal DNS servers.
A rule in the Security Policy would only allow DNS queries to specific
destinations, for example.
The ISP can be Primary and Secondary for your DNS records. They will
only have to handle a few records since DNS records only need to advertise
Internet visible Name/Address space and for most organisations this is a
small number.
As a minimum you could set all internal hosts to query from the ISP DNS
servers and add an appropriate rule.
If you are running a Primary DNS server at your site this will usually be
located in the DMZ. It should not be located on the Internal network, since
everyone who wants to resolve your Name Space requires access to it.
2.11 Management/Firewall-1 Module communications and services
VPN-1/Firewall-1 Services - FW1
Service              Port/Transport   Description
FW1                  256/TCP          VPN-1 & FireWall-1 Service, Management to Firewall module policy installs pre-NG
FW1_log              257/TCP          VPN-1 & FireWall-1 Logs
FW1_mgmt             258/TCP          GUI client to Management Server (Pre NG)
FW1_clntauth_telnet  259/TCP          VPN-1 & FireWall-1 Client Authentication (Telnet)
FW1_snmp             260/UDP          VPN-1 & FireWall-1 SNMP Agent
FW1_snauth           261/TCP          VPN-1 & FireWall-1 Session Authentication
FW1_topo             264/TCP          VPN-1 SecuRemote Topology Requests
FW1_key              265/TCP          VPN-1 Public Key Transfer Protocol
FW1_clntauth_http    900/TCP          VPN-1 & FireWall-1 Client Authentication (HTTP)
FW1_Encapsulation    94/IP            VPN-1 SecuRemote FWZ Encapsulation Protocol
FW1_cvp              18181/TCP        OPSEC Content Vectoring Protocol
FW1_ufp              18182/TCP        OPSEC URL Filtering Protocol
FW1_sam              18183/TCP        OPSEC Suspicious Activity Monitor API
FW1_lea              18184/TCP        OPSEC Log Export API
FW1_omi              18185/TCP        OPSEC Objects Management Interface
FW1_omi-sic          18186/TCP        OPSEC Objects Management Interface with Secure Internal Communication
FW1_ela              18187/TCP        OPSEC Event Logging API
FW1_amon             18193/TCP        OPSEC Application Monitoring
FW1_pslogon          18207/TCP        Policy Server Logon protocol
FW1_CPRID            18208/TCP        Remote Installation Protocol
FW1_ica_pull         18210/TCP        Internal CA Pull Certificate Service
FW1_ica_push         18211/TCP        Internal CA Push Certificate Service
FW1_load_agent       18212/UDP        ConnectControl Load Agent
FW1_pslogon_NG       18231/TCP        NG Policy Server Logon protocol
FW1_sds_logon        18232/TCP        SecuRemote Distribution Server Protocol
FW1_scv_keep_alive   18233/UDP        SecureClient Verification Keepalive Protocol
tunnel_test          18234/TCP        Check Point tunnel testing application
FW1_ica_services     18264/TCP        Internal CA Fetch CRL and User Registration Services
FW1_netso            19190/TCP        User Authority simple protocol
FW1_uaa              19191/TCP        OPSEC User Authority API
Check Point Services - CP
Service              Port/Transport   Description
CPMI                 18190/TCP        GUI to Management Server Interface
CPD                  18191/TCP        Management Server/Firewall Module communication
CPD_amon             18192/TCP        Internal Application Monitoring
CP_rtm               18202/TCP        Real Time Monitoring
CP_reporting         18205/TCP        Reporting Client Protocol
CP_redundant         18221/TCP        Redundant Management Protocol
CP_Exnet_PK          18262/TCP        Extranet public key advertisement
CP_Exnet_resolve     18263/TCP        Extranet remote objects resolution
2.12 Stopping and Starting the Firewall
There may be times when you have to stop and start the firewall module or
all processes related to Check Point. This is usually when something stops
working or a configuration change requires the firewall to be bounced.
fwstop/fwstart
In previous versions of Check Point VPN-1/Firewall-1 (pre NG), the
following commands would be used.
fwstop
fwstart
This will stop the firewall, flush any cached information, read the
configuration files and start the Firewall module. Sometimes the module
did not log and worked after a restart, or changing VPN configurations
from FWZ to IKE did not take effect until an fwstop/fwstart. Sometimes
it required a complete system reboot.
During an fwstop the firewall box is vulnerable as there is no Policy
installed: no packets can go through it but they can go to it.
In NG extra options have been added to the fwstop command to protect
the firewall box.
These are:
fwstop -default
This stops the firewall module and loads a default Security Policy that
allows Management GUI control connections so Policies can be installed
but all other traffic is rejected.
fwstop -proc
This stops the firewall module and loads a default Security Policy that
allows Management control connections and drops all other traffic.
If you run fw stat after running fwstop -default, the status
shows a defaultfilter policy installed.
The default filter was available in previous versions but buried in the
documentation. You can create your own default filter with rules you
create, instructions are in the Check Point Reference manual.
The correct way to bounce the firewall in NG is
fwstop -default
fwstart
cpstop/cpstart
NG introduced the SVN foundation, also known as CPShared; this is the
module that sits between the OS and Check Point components. The
components can be VPN-1, Firewall-1, Floodgate, MetaIP or any other
Check Point product. This provides a layered model that better suits
security implementation as the SVN module can provide controlled
interaction with the OS.
The commands cpstop and cpstart will stop or start all Check Point
components running on the box.
In some cases you may have to turn the VPN driver on/off
vpn drv off
vpn drv on
This is usually when changing from one VPN configuration to another, for
example, two networks using IKE shared secrets changing to IKE
certificates. If you do not stop and start the driver then they would continue
using shared secrets. Alternatively you can just run fwstop/fwstart.
2.13 Security Policy & Rules Setup - Review Questions
1. When you first connect to the Management Server using the Policy
Editor, a Fingerprint is displayed; this is used to:
A. Verify that the Firewall Module is authorised to communicate with
the Management Server.
B. Verify that the user is authorised to connect to the Management
Server.
C. Verify that the Management Server is the correct Management
Server and not an imposter.
D. Verify that the GUI is a valid client to the Management Server.
E. Verify that the GUI executable is a valid version and is not a trojan.
2. In Global Security Policy Properties, if you uncheck Accept VPN-1/
Firewall-1 Control Connections you will break Management Server to
Firewall Module communications. This option must always be left
checked.
A. True
B. False
3. Implied rules are by default logged to the implied rules log file.
A. True
B. False
4. In most Security Policies a Clean Up rule is added which is the last
rule in the rulebase, this is because.
A. It is the only method of accepting packets that have not matched a
previous rule.
B. It is the only method of rejecting or dropping packets with a
destination of the firewall.
C. It is the only method of logging implied rules.
D. It is the only method of logging packets that have not matched any
previous rules.
E. None of the above are correct.
5. The Stealth rule is used to ensure what.
A. That all packets with a destination of the firewall are accepted
silently.
B. That all packets are checked for a stealth scan before being passed
through the rulebase.
C. That all packets with a destination of the firewall will be dropped.
D. That all packets are watermarked to track which route they take in a
HA environment.
E. That all packets with the stealth bit set are invisible to monitoring to
prevent the log file from growing too large.
6. When defining objects like www.yourcity.com the Get Address
button does what.
A. An inverse address lookup to get the fully qualified domain name
B. Finds the Mac address and IP address information needed for
configuring Anti-Spoofing.
C. Uses the system setting for retrieving an IP address given a
hostname.
D. Finds the address of the object by using NIS.
E. None of the above.
7. A VPN-1/Firewall-1 NG Security policy is NOT responsible for which
of the following.
1. Enforcing rules in a specific order
2. Tracking user Authentication
3. Authenticating and Encrypting user connections
4. Tracking events and generating alerts
5. Tracking Operating System bugs
A. 1
B. 2
C. 3
D. 4
E. 5
8. Implicit rules are generic rules that are required by most VPN-1/
Firewall-1 implementations.
A. True
B. False
9. You have three Firewall modules under the control of a single
Management Station. The same implicit rules would be applied to all
three Firewall modules.
A. True
B. False
10. The VPN-1/Firewall-1 NG Firewall consists of which components.
A. Policy Editor, log Viewer, Status Viewer
B. Management Server, Firewall Module
C. Management Server, Firewall Module, Policy Editor
D. Firewall Module, Visual Policy Editor, Management Server
E. Firewall Module, Management Server, GUI Clients
11. A 25 user VPN-1/Firewall-1 NG module dynamically tracks the
number of users going through the firewall and ensures that only 25
users are passing through the firewall at any one time even if you have
75 internal hosts.
A. True
B. False
12. In VPN-1/Firewall-1 NG licenses are always tied to the IP address of
the Firewall Module.
A. True
B. False
13. You have a 50 user license for VPN-1/Firewall-1, where is the
external.if file located.
A. $FWDIR\database
B. $FWDIR\conf
C. $FWDIR\tmp
D. $FWDIR\lib
E. Not used in NG
14. When you Verify a Security Policy you are testing the rules will work
as intended.
A. True
B. False
15. When you unload a Security Policy in NG by selecting Policy unload
from the GUI the firewall is safe because a default Security Policy is
installed which prevents all access except VPN-1/Firewall-1 Control
connections.
A. True
B. False
16. During the installation of the Management Server you must add an
administrator to allow GUI logins, the file that the administrator details
are stored in is called.
A. fwauth
B. fwmusers
C. fwadmindb
D. fwdbadmin
E. Not used in NG
17. An Administrator with permissions set to read only is allowed to do
which of the following.
1. View the log files.
2. View the Status.
3. Rotate and update log files.
4. Add a new network to the objects.
5. Install patches using Secure Update.
A. 1, 4
B. 1, 2, 4
C. 1, 3, 4
D. 1, 2
E. All of them
18. Changes made to the Security Policy do not have an effect until which
of the following takes place.
A. The Security Policy is Saved.
B. The Security Policy is Installed.
C. The Security Policy is Verified.
D. The firewall module is stopped and started forcing a fetch of the
new Security Policy.
E. The Management Server is stopped and restarted.
19. In VPN-1/Firewall-1 NG the rules can be enforced in an inbound,
outbound or eitherbound direction depending on the setting in the
Global Security Policy Properties.
A. True
B. False
20. The OSE module is used to install Security Policies on what kind of
object.
A. Firewalls
B. Routers
C. Switches
D. Appliances
E. Not used for Security Policies
21. Security Policies are limited to how many rules in a single rulebase.
A. 200
B. 300
C. 400
D. 500
E. no limit
22. You have a large complex Security Policy that enforces rules on 4
different Firewall modules all under the control of the same
Management Server. It is taking a long time to install the Security
Policies. Which of the following are you most likely to take to reduce
the time to install Security Policies in the future.
A. Delete all rules that involve domain objects.
B. Remove rules that use group objects and replace them with un-
grouped objects.
C. Split the Security Policy into 4 different Policies to have a smaller
rule set which can be installed individually on each module.
D. Upgrade the memory and processor on the Management Station.
E. Upgrade the memory and processor on all the firewall modules.
23. In a split Management & Firewall Module configuration in NG it is not
possible to install a Security Policy that will prevent you from installing
new Security Policies.
A. True
B. False
24. A Security Policy enforces rules based on which of the following
1. Authentication
2. Encryption
3. Drop
4. Reject
5. Pass Through
A. 1, 2, 4
B. 2, 3
C. 2, 3, 4, 5
D. 1, 2, 3, 4
E. All of the above
25. What does fw load do.
A. Loads the state tables into memory ready for accepting packets.
B. Loads the user database so users can be authenticated through the
Management Server.
C. Loads the Security Policy on the specified firewall.
D. Loads the log files into the log consolidation engine.
E. Loads the Security Policy into the Policy Editor.
26. What does fw fetch do.
A. Fetches the last installed Security Policy from the Management
Server, if it cannot connect to the Management Server loads the last
installed Security Policy.
B. Fetches the last installed Security policy from the Firewall module
C. Fetches the user authentication database.
D. Fetches the Security Policy and displays the rules in ASCII format
to allow viewing from the command line.
E. Updates the current installed Security Policy with any changes that
have been made and is a method of auto updating the Security
Policy to make sure the latest modifications are installed.
27. When you do a cpstop command which of the following occurs.
A. The firewall module stops.
B. The SVN process stops and the firewall installs a default filter.
C. The VPN-1/Firewall service stops and a default filter is installed.
D. All Services related to Check Point running on the Server are
stopped.
E. The Floodgate and VPN-1/Firewall Services are stopped.
28. When you do an fwstop -default command which of the following
occurs.
A. The firewall continues logging events but does not pass packets
through the gateway.
B. The firewall stops logging events but does pass firewall
administration traffic through the gateway.
C. The firewall drops all packets until you run the fwstart command.
D. The firewall will allow a new Security Policy to be loaded using the
GUI.
E. None of the above happens
29. When you install the Security Policy all information about current
connections going through the firewall is cleared and packets must be
rematched against the rulebase.
A. True
B. False
30. If you install the Security Policy and a time out error message appears
then this means that the Security Policy did not get installed.
A. True
B. False
31. What command would you run to check the currently installed Security
Policy.
A. fw ver
B. fw ver -k
C. fw stat
D. fw view
E. fw tab -t policy
32. In a split configuration when you need to check the currently installed
Security Policy from the command line, this can be done.
A. From only the firewall module.
B. From only the Management module.
C. From either the Management or Firewall Module.
D. Never done from the command line, always use the GUI Status
Viewer.
E. The firewall module broadcasts its state to the Management
Station(s) every 5 minutes with status information and all the
information required is held in $FWDIR\database\fwstatus.
33. Rules in a Security Policy can be in any order and changing their order
will not affect the Security Policy.
A. True
B. False
34. When you save a Security Policy the file extension used for saved
Security Policies is.
A. W
B. fws
C. pf
D. ndb
E. isp
35. If you have two firewalls and a single Management Station, each on
separate workstations, how many objects with Firewall-1 Module
installed will you have in your Objects database. Two other machines
are going to be used as GUI clients.
A. 1
B. 2
C. 3
D. 4
E. 5
36. The Security Policy can have a maximum of how many rules.
A. 50
B. 100
C. 200
D. 400
E. unlimited
37. When using the Visual Policy Editor, what does the option Actualize
Network do.
A. Tests network connectivity.
B. Connects the network to the Internet object in the Visual Policy
editor.
C. Creates the implied network object and adds the network to the
objects database.
D. Displays the subnet mask associated with the network object.
E. Causes the network to flash in the visual Policy Editor to highlight
it.
38. In a distributed Management/ Firewall Module for an NG
configuration, the administrator has un-checked Accept VPN-1/
Firewall-1 Control connections. Which port number must be allowed to
the Firewall to allow Policy installs.
A. 80
B. 256
C. 259
D. 900
E. None of the Above
39. The default action for a packet that does not match a rule is?
A. Drop the packet and send an ICMP destination un-reachable back
to the client
B. Drop the packet and send an ICMP port un-reachable back to the
client
C. Drop the packet and send nothing back to the client
D. Put the packet in a hold for refresh state table and watch for the next
packet
E. Drop the packet and mark the source as suspicious in the internal
state tables
40. When you perform a fw fetch what can you expect from this
command?
A. The Security Policy to be fetched from the firewall module and
installed
B. The Security Policy to be fetched from the Management Station
C. The inspect code to be compiled
D. The objects.C and fwauth.NDB files to be down loaded to the
Firewall module.
E. None of the above
41. You have a split Management Server and Firewall Module each
installed on separate workstations, how many copies of SVN
foundation will you need to install? You are going to install two copies
of the GUI on separate workstations.
A. 0
B. 1
C. 2
D. 3
E. 4
F. None of the above
3
System Manager and Log Viewer
Objectives
When you have completed this module you should be able to
Use the Log Viewer.
Use the System Manager.
Know how to rotate log files.
Know how to export log files for further analysis.
Know how to display different log file views.
Know how to search log entries using the Log Viewer.
Know how to use Active Mode to block Intruder connections.
Know the different states displayed in the Status Manager.
Know how to set alert types in the Status Manager.
System Manager and Log Viewer
88
3.1 System Manager
This used to be called the System Status in previous versions but changed
its name in NG FP2, it has developed into a useful tool for monitoring the
status and OS information of Check Point and/or OPSEC components.
OPSEC Open Platform for Secure Enterprise Connectivity - see www.opsec.com, a
Check Point web site. Over 200 third party vendors now have products that
integrate into VPN-1/Firewall-1.
The Status Manager can either be started from the Windows menu or from
another GUI client like the Policy Editor.
When it first starts it shows the Check Point and/or OPSEC components
under its control.
Status Information
This shows that there is a Management Station and Firewall module. Each
component can be expanded to view the details of the SVN foundation,
Firewall module and VPN-1 component.
The details area shows the currently connected GUI clients. In this example
the Management Station is not configured to synchronise its configuration
with another (secondary backup), that is Management high availability
(HA). HA for Management Stations allows another Management Server to
take over Policy installs while the primary is being upgraded or is broken.
In this case two clients are connected, the Policy Editor and the Status
Manager, by administrator fwadmin. Generically named administrators are not
good practice but in a training/learning environment are simpler. All changes
are audited, and tracking of who did what and when is meaningful only if
each administrator has their own account name.
This shows the SVN Foundation details of the Firewall module, including
the amount of disk space available. Not specifically important on the
Firewall module since logging is rarely done to the Firewall module but the
same information on the Management Station is useful. Alerts can be set
when disk space reaches a specific value.
Policy Uninstalled State
If you unload the Security Policy from the Firewall module, either from the
Policy Editor or at the command prompt, the Firewall status will change
and the ! will be displayed.
The ! means that there is no policy installed on the Firewall module, not a
good status, immediate action is required. The administrator probably did
the uninstall so this is likely to just be informative. It can also mean that the
status of the object is problematic, the Status Manager cannot determine
the full cause and further investigation is required.
Note, more than one administrator may be running the Status Manager and
all connected Status Managers will display the same information.
To unload the policy you can use the command
fwm unload fw.f16.com
from the Management Station or
fw unloadlocal
from the Firewall module.
Disconnected State
If you disconnect the cable from the internal interface of the Firewall then
the Management Station will lose connectivity to the Firewall module
and display the disconnected icon, with ? beside each component
because the status is unknown.
The firewall, although disconnected from the Management Station will
continue to work, you just cannot install new Security Policies. The
Firewall module will start to log locally. Use fw log on the Firewall
module to see the logged events.
If you connect the cable back the status will update; this may take a few
minutes. To force an update, highlight the component and click the second
mouse button, which pops up an update box.
Note SVN Foundation is installed as a base for all Check Point
components.
Use the online help to check the meaning of the other Status Icons.
3.2 Configuring Status Manager Alerts
The Status Manager can be configured to generate alerts of different types
to specific events like Policy installs, uninstalls or disk space size.
The System Alert tab allows configuration of the type of event and type of
alert generated.
The default setting is Same as Global, this means that whatever is set for
Global event types and alert method will apply to each of the modules.
The Global settings are.
Different event types apply to different components.
The alert type can be
None - do not generate an alert
Log - Generate an event in the log file
Alert - Send an alert to the Status Manager with the event details
Mail - Send an email containing the event details; the email command
and address need to be correctly configured in the Policy Editor
Global Properties - Log and Alert tab.
Snmptrap - Where to send the trap is configured in the Log and
Alert Tab in Global properties in the Policy Editor.
User defined[1,2,3] - User defined scripts 1, 2, or 3 are configured
in the Log and Alert tab in Global properties in the Policy Editor.
Previous versions of VPN-1/Firewall-1 only allowed a single user
defined script to be run.
Overriding the Global Setting
Individual settings for each component can be set, for example if you want
a Mail alert each time the Policy is installed or uninstalled.
Highlight the Firewall icon and change the setting to Custom, then set the
type of alert in the VPN-1 & Firewall-1 tab.
You would of course have to configure the mail command correctly in the
Policy Editor, Global Properties - Log and Alert.
Note the Policy has been installed event only applies when there is no
Policy installed. You will get an alert if you just install a new Security
Policy changing the existing installed policy; this is different from previous
versions where policy overwrites did not generate an alert.
The Policy install event details will always be written to the log file.
3.3 Log Viewer
The Log Viewer is the main front end for viewing the logged events. Each
record in the log file is a complete record of the event. The Log Viewer has
different modes and pre-defined filters to view separate log details;
alternatively you can filter for specific details.
If you need reporting and log analysis tools you could use
Check Point Reporting Module.
OPSEC Log and Analysis tools - www.opsec.com
Dump the log file to a text file and write your own tools.
Logon
The Log Viewer can either be started from the Windows menu or from
another GUI client like the Policy Editor or System Manager.
Log Viewer Modes
The Log Viewer has three modes, Log, Active and Audit, which can be switched
between using the combo box.
Log
This view shows events for all Products depending on the filter being used.
The default view when started is the Log mode.
This displays different filtered views of the log file depending on the
current pre-defined selection.
The different filtered views are set from the Selection menu or toolbar
buttons.
These are pre-defined filters applied to the log file; you can create
customised filters for your own use. The pre-defined filters are
General
Firewall-1
Account Management
VPN-1
Floodgate-1
Virtual Link Monitoring
SecureClient
UA WebAccess
Active
The Active Mode shows the current connections in the state table; some of
these events are not necessarily active. They may relate to an http
connection that has completed but not yet expired from the state table, and
the log file takes time to update its display.
Audit
The Audit mode shows the GUI client interaction with the Management
Server.
The audit events were integrated into the Log Viewer in NG; in previous
versions this information was written into a plain text file in the log
directory. In previous versions, the Log Viewer had Log, Account and
Active as its three display modes. Account information is now a
pre-defined filter.
Searching
The Log Viewer is a table format database and therefore any of its
columns can be searched. You can search the columns either by Number,
Date and/or Time, or a search pattern.
Selections
If you want to view only specific records you can apply a selection criteria.
By Product
Select to view records of a particular Product.
By Origin
Select to view records by Origin, useful if managing multiple Firewall
modules. The Origin is the Firewall module that generated the event.
By Event Type
Select the type of event.
By Action
Select the type of Action.
By Service
Select the type of Service(s) to display; this can be negated to show everything
except a specific service.
Useful if you have not filtered out all nbname and nbdatagram events:
select to show all protocols except these.
By Source/Destination
Select the Source or Destination to display.
You can type in the IP address, not just pre-defined objects, or use wild
cards; for example 10.3.* would find all events in the 10.3.x.x network.
Selection Criteria - Toggle
Once you have set a selection criteria you can toggle the display between
showing and not showing the selection from the toolbar.
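As an added example (not Check Point's code), the Python below applies the kinds of selection the Log Viewer offers to a handful of constructed log records: a service selection negated to show everything except nbname and nbdatagram, selection by Origin and Action, a wildcard Source such as 10.3.*, a free-text search across the columns, and the toolbar toggle that flips a selection between shown and hidden. The semicolon-separated record layout is an assumption for the example, not a real fw log or export format.

```python
"""Log Viewer-style selections over constructed log records.  This is an added
illustration, not Check Point code: it shows selection by service (with the
'everything except' negation), by origin, by action, by source/destination
with wildcards such as 10.3.*, free-text search, and the toolbar toggle."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Constructed records in a simplified semicolon-separated layout.  The column
# order is an assumption for this example, not a real fw log or export format.
SAMPLE_EXPORT = """\
1;14:03:21;fw.f16.com;drop;nbname;10.3.4.21;10.3.255.255
2;14:03:22;fw.f16.com;accept;domain-udp;10.3.0.53;198.51.100.53
3;14:03:25;fw.f16.com;drop;nbdatagram;10.3.4.22;10.3.255.255
4;14:03:40;fw2.f16.com;accept;http;10.3.9.4;203.0.113.80
5;14:04:02;fw.f16.com;drop;ssh;203.0.113.7;192.0.2.1
6;14:04:10;fw2.f16.com;drop;domain-udp;203.0.113.7;10.3.0.25
"""
COLUMNS = ("num", "time", "origin", "action", "service", "src", "dst")


def parse_export(text):
    """Turn the export text into one dict per record, keyed by column name."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(COLUMNS, line.split(";")))
        rec["num"] = int(rec["num"])
        records.append(rec)
    return records


@dataclass
class Selection:
    services: set = field(default_factory=set)   # empty = any service
    negate_services: bool = False                 # "everything except these"
    origin: Optional[str] = None
    action: Optional[str] = None
    src: Optional[str] = None                     # wildcard pattern, e.g. "10.3.*"
    dst: Optional[str] = None

    def matches(self, rec):
        if self.services:
            in_set = rec["service"] in self.services
            if in_set == self.negate_services:    # excluded either way round
                return False
        for column in ("origin", "action"):
            wanted = getattr(self, column)
            if wanted is not None and rec[column] != wanted:
                return False
        for column in ("src", "dst"):
            pattern = getattr(self, column)
            if pattern is not None and not fnmatchcase(rec[column], pattern):
                return False
        return True


def apply_selection(records, selection, show=True):
    """Record numbers that match the selection.  show=False is the toolbar
    toggle: it lists every record that does NOT match instead."""
    return [r["num"] for r in records if selection.matches(r) == show]


def search(records, pattern):
    """Case-insensitive substring search across every column of every record."""
    needle = pattern.lower()
    return [r["num"] for r in records
            if any(needle in str(value).lower() for value in r.values())]


RECORDS = parse_export(SAMPLE_EXPORT)

if __name__ == "__main__":
    no_netbios = Selection(services={"nbname", "nbdatagram"}, negate_services=True)
    print("all but NetBIOS:", apply_selection(RECORDS, no_netbios))
    print("from 10.3.*:", apply_selection(RECORDS, Selection(src="10.3.*")))
    print("toggled:", apply_selection(RECORDS, Selection(src="10.3.*"), show=False))
    print("drops on fw2:", apply_selection(RECORDS, Selection(origin="fw2.f16.com", action="drop")))
    print("mentions 203.0.113.7:", search(RECORDS, "203.0.113.7"))
```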
Resolve Addresses
The Log Viewer is notoriously slow at displaying records; this has been a
feature from way back and comes down to the way the records are written and
the cost of doing DNS inverse address lookups.
DNS forward lookups, given www.corefacts.com will always find an IP
address, providing the site wants to be found.
DNS inverse address lookups are an optional configuration, given an IP
address find a name. This causes the display of records to be slow. For
services like smtp and ftp some sites will not allow the client application to
connect unless the server can do an inverse address lookup on the
connecting IP address. Although optional, DNS reverse address
configuration should at least be configured for names that are visible to the
Internet.
Every time a record is created it is the source and destination IP address
that is written into the log record. When the record is displayed and
Resolve Addresses is turned on, the Management Server does an inverse
address lookup to find the name to display. The name may be in its cache
or the local DNS server cache which the Management Server will be
resolving from, in which case a fast response will occur. The problem starts
when no inverse address records exist and a large number of lookups are
required.
The Management Server only resolves a page of information at a time, and
the resolver page time out is 20 seconds by default. This means that if you
hit the page down key 4 times it could take 80 seconds to get to the page of
interest.
Setting Resolver time out period
The resolver time out period is set in the Policy Editor in Global Properties.
You can usually reduce the time out period to 5 seconds if you have a good
DNS server to resolve from. If within the time period it fails to resolve the
IP address to a name then the IP address is displayed and not the hostname.
A side effect of resolving the addresses at the time of viewing is what
happens if you look at last month's logs and the IP address has changed
hands. It might have belonged to www.innocent.com but now belongs to
www.ultrasexysex.com.
3.4 Block Intruder (Suspicious Activity Monitoring)
This is an OPSEC protocol that Check Point introduced in Version 4.x and
allows third party products to communicate with the firewall to allow it to
Drop/Reject connections if the product recognizes an attack.
The Block Intruder from within the Log Viewer when in Active mode is
a sample implementation of the protocol and demonstrates its potential.
This will alter your Security Policy and in some circumstances, if integrated
through a third party, could result in a really good denial of service on your
site. For example, if the source address appears to come from a business
partner and an attack was recognized you could end up dropping legitimate
packets. Automatic changes to a Security Policy are always tricky; it just
depends on what you have to lose if you do not react immediately. It may
be appropriate for ecommerce servers but not for partner VPNs.
Block Intruder from within the Log Viewer
Block Intruder is accessed from the Log Viewer in Active mode.
Note you must have resolve addresses turned on for block intruder to
work from within the Log Viewer. Block Intruder can also be done through
the command line using the fw sam command.
If resolve addresses is not turned on you will get the following error.
Make sure you have a telnet or ftp session going through the firewall to
your external server, www.server.com.
Make sure you have the System Manager GUI running as alerts will be sent
to it every time you try to connect to the blocked destination until the
blocking is cleared.
Log Viewer Telnet entry Once you have a telnet connection look at the Active mode in the Log
Viewer, all connections have a connection id.
In previous versions of the Log Viewer you could double click on the log
entry to bring up the block intruder dialog box, now you have to select
Block intruder from the tools menu.
Note, there is also a Clear Blocking; this clears all blocked connections, not
just a single blocked request. This can also be done from the command line
with:
fw sam -f All -D
This deletes all blocked connections on All firewalls; a specific target
firewall could have been specified instead.
If you have not highlighted the telnet entry then you will be requested for
the connection id to block.
If you did highlight the connection id the Block Intruder dialog box will be
displayed.
You can
Block only this connection
Block from this source
Block to the destination.
The time out period allows you to set how long the block will last.
For this blocking request, set the time out to 1 minute.
Select the OK to proceed with the block request.
Now try and make a telnet connection to the server, try several times. The
Log Viewer in normal Log mode should display the attempts.
The Status Manager would display the alerts.
If you have blocked a source that you need to clear then you can use the
Clear Blocking option in the tools menu. This clears all blocked
connections.
The diagram below illustrates the interaction between the GUI (Log
Viewer), Management Server and the Firewall Module.
The Management Station must be able to connect to the Firewall module
on port 18183 (FW1_sam), this is one of the implied rules in NG FP2, but
not in 4.x. If the Management Server and Firewall module are on the same
box this will not be a problem.
1. The Log Viewer connects to the Management Server on port 18190
(CPMI), in 4.x this is port 258 (FW1_mgmt).
2. Display the Active mode connections and highlight the connection to
block. Make the Block Intruder request. The request goes to the
Management Server.
3. Management Server connects to the firewall on port 18183 (FW1_sam)
with the block request details, source/destination Address, source/
destination port, and time out period.
4. Firewall Module accepts the request and adds a SAM rule, which is not
displayed in any Security Policy viewing area.
5. Current connection is blocked and packets rejected.
6. New connection attempts are blocked by the sam rule, alerts are sent to
the System Manager.
Diagram: the GUI (Log Viewer in Active Mode) connects to Mgmt on 18190 (CPMI)
and sends the Block Request; Mgmt connects to the FW on 18183 (Sam); the FW's
Rules Check shows the Sam Rules, Anti-Spoof and Policy Rules, in that order,
in front of telnetd.
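The block request flow above as an added model, not Check Point code (the fw sam protocol itself is not implemented): it shows the three Block Intruder scopes, the time out on the SAM rule, and why Clear Blocking removes every block. Addresses, ports and the ordering "SAM rules are checked before the rulebase" are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A connection as listed in Log Viewer Active mode: (src ip, src port, dst ip, dst port).
Conn = Tuple[str, int, str, int]


@dataclass
class SamRule:
    """One rule added by a block request; it never shows in the Security Policy."""
    scope: str              # "connection", "source" or "destination"
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]
    expires: float          # time (seconds) at which the block request times out

    def matches(self, conn: Conn) -> bool:
        s, sp, d, dp = conn
        if self.scope == "connection":       # Block only this connection
            return (s, sp, d, dp) == (self.src, self.sport, self.dst, self.dport)
        if self.scope == "source":           # Block from this source: every service, every destination
            return s == self.src
        if self.scope == "destination":      # Block to the destination: from every source
            return d == self.dst
        raise ValueError(f"unknown scope {self.scope!r}")


class FirewallModule:
    """Holds the SAM rules and the alerts that would go to the System Manager."""

    def __init__(self) -> None:
        self.sam_rules: List[SamRule] = []
        self.alerts: List[str] = []

    def block_intruder(self, conn: Conn, scope: str, timeout_s: int, now: float) -> SamRule:
        """Steps 3 and 4 above: the Management Server passes the request, the module adds a SAM rule."""
        s, sp, d, dp = conn
        if scope == "connection":
            rule = SamRule(scope, s, sp, d, dp, now + timeout_s)
        elif scope == "source":
            rule = SamRule(scope, s, None, None, None, now + timeout_s)
        elif scope == "destination":
            rule = SamRule(scope, None, None, d, None, now + timeout_s)
        else:
            raise ValueError(f"unknown scope {scope!r}")
        self.sam_rules.append(rule)
        return rule

    def clear_blocking(self) -> None:
        """Clear Blocking in the tools menu, or fw sam -f All -D: every SAM rule goes, not just one."""
        self.sam_rules.clear()

    def check(self, conn: Conn, now: float) -> str:
        """Returns "reject" when a live SAM rule matches, else "pass" (on to the rulebase).

        Assumption of this model: SAM rules are consulted before the Security Policy rules.
        """
        self.sam_rules = [r for r in self.sam_rules if r.expires > now]   # expired blocks time out
        for rule in self.sam_rules:
            if rule.matches(conn):
                self.alerts.append(f"blocked by SAM ({rule.scope}) at t={now}: {conn}")
                return "reject"
        return "pass"


def demo() -> dict:
    """Block from this source for 1 minute, as in the exercise above; addresses are constructed."""
    fw = FirewallModule()
    telnet = ("10.3.3.31", 40001, "172.23.3.10", 23)
    fw.block_intruder(telnet, "source", timeout_s=60, now=0)
    return {
        "telnet_retry": fw.check(("10.3.3.31", 40002, "172.23.3.10", 23), now=5),
        "ssh_same_source": fw.check(("10.3.3.31", 40003, "172.23.3.10", 22), now=10),
        "other_host": fw.check(("10.3.3.32", 40004, "172.23.3.10", 23), now=10),
        "after_timeout": fw.check(("10.3.3.31", 40005, "172.23.3.10", 23), now=61),
        "alerts_sent": len(fw.alerts),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that "source" scope rejects the SSH attempt from the same host too, which is the point of review question 4 below.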
3.5 Log Viewer & Status Manager - Review Questions
1. In NG the Log Viewer has three modes these are.
A. Log, State, Active
B. Log, Audit, Active
C. Log, Status, Active
D. Account, Audit, Active
E. Security, Audit, Suspicious Activity
2. When in the Active mode you can use block connections to stop
Suspicious Activity, an alternative way of doing this is to use which
command.
A. fw kill
B. fw tab -t connection
C. fw sam
D. fw stop
E. fw xfer
3. When in the Active log and you block a connection with the default
setting, which one of the following applies.
A. All connections to the destination IP address will be dropped.
B. All connections from the Source IP address will be blocked.
C. The current connection is blocked but new connections are allowed.
D. The current connection is blocked but new connections are allowed
after a 60 second time out period.
E. All connections are blocked but new connections are allowed after
a 60 second time out period.
4. You see a telnet connection going to the company web server from an
internal host and for security reasons you have told all web
administrators to use Secure Shell and not telnet. You use block request
from the Log Viewer to block the connection for 5 minutes from this
source, this will
A. Block the current telnet connection and any other telnet
connections from this source.
B. Block the current telnet connection and any other connections from
this source.
C. Block the current telnet connection and allow Secure shell access.
D. Block all telnet connections to the web server.
E. Block all connections to the web server.
5. If you see ! against the Firewall-1 icon in the Status Manager, the most
likely meaning is.
A. A Security Policy with a different name has been installed.
B. The Management Server and Firewall module have lost network
connectivity.
C. The firewall has no policy installed.
D. The firewall has a policy installed and this is displaying the normal
state.
E. None of the above.
6. You have a split Management Server and Firewall Module, network
connectivity between the Management Server and firewall has failed.
Which of the following statements would be true.
A. The firewall can no longer send log files to the Management Server
and log events will be lost until the Management Server is back
online.
B. The firewall will stop all traffic going through the firewall until
logging ability is established.
C. The Management Server will issue a network broadcast to all
administrators to inform them that the firewall module connectivity
is lost.
D. The Firewall will start writing log files to a local log and continues
working.
E. The Firewall will stop logging for 300 seconds then if it cannot
establish connectivity with the Management Server will start to log
locally.
7. In the Log Viewer the option in the file menu purge does what.
A. Removes the currently displayed entries from the log file.
B. Compresses the log files and removes all control events.
C. Stops logging to the current log file and starts a new log file.
D. Deletes all entries in the current log file.
E. Deletes all log files older than the Keep log files for setting in the
policy Editor.
8. What does the fw logswitch command do.
A. This will date stamp the current Security Policy and refresh the
state tables.
B. This will date stamp the user authentication logs and start a new
one.
C. This will date stamp the log files and start new ones.
D. This will date stamp and compress the log files.
E. This will dump the log files to a text file for post processing by a
third party.
9. What does the fw logexport command do.
A. Dumps the log files to Check Point log manager.
B. Exports the log files to a text file.
C. Exports the log environment variables so the log server knows
which directory to put log files into.
D. Sets which Management Server will be the log server for this
firewall.
E. None of the above.
10. The Log Viewer is notoriously slow to display log details (feature not
bug), what action would you take to speed up the display of log data.
A. Increase the memory in the Management Station.
B. Increase the Graphics card memory to speed up redisplays.
C. Disable resolve addresses.
D. Enable resolve addresses.
E. Add a rule to the rulebase to allow it to accept FW_log connections
from DNS servers.
4
Anti-Spoofing & Services
Objectives
When you have completed this module you should be able to
Know the importance of configuring Anti-Spoofing.
Know how to configure Anti-Spoofing.
Know that not all pre-defined services extract session information.
Know how to define new services, TCP, UDP, and type Other.
Know how to tunnel services through open ports.
Know how Stateful Inspection handles ICMP and UDP protocols with
timeouts.
Know the time out periods for TCP, UDP, ICMP.
Know how to override the default time out periods.
Anti-Spoofing & Services
108
4.1 Configuring Anti-Spoofing
This is IP address spoofing not service (or port) spoofing and explained
here because it introduces a useful reminder about details of TCP, UDP and
ICMP sessions.
Port spoofing is simple to do and can be difficult to detect, that is the job of
a Firewall (Stateful Inspection or otherwise), application proxies and
Intrusion Detection Systems (IDS).
IP Spoofing You can never just trust the Source IP address in an IP packet. That is why
authentication systems like SecurID exist and why client to server VPN
implementations with certificate based authentication are increasing in
popularity.
In the diagram shown below, to get a packet delivered from host A to the
server 10.3.3.1 you need to send it to the firewall, and if the right rulebase is
installed the packet will get through. It does not matter which type of
service is used, TCP, UDP or ICMP; in the example shown you will not see
the replies. The replies would never be routed back through the firewall.
For TCP the worst you can do is a Denial of Service (DoS), not much of
one either. For UDP you can send commands and hope to compromise the
service.
The packet matches the rule in the rulebase since it is a fairly liberal rule
and allows Any service and no anti-spoofing has been configured on the
gateway. The replies would of course be sent to an internal host since that
is the source address.
Diagram: host A, on the 172.23.3.0/24 side of the FW, sends a packet with
SRC/10.3.3.31 and DST/10.3.3.1 (Srv on 10.3.3.0/24). The packet matches rule 1,
Net-10.3.3.0 Any Any Accept (no anti-spoofing configured); the Replies go to
the 10.3.3.0/24 network, not back to host A.
TCP Sessions The TCP transport protocol has session information as part of the protocol
for re-sending lost or corrupt packets. The protocol keeps track of how
many packets are sent and received. There is a setup, data (command) and
close phase for every connection.
Before data (commands) can be sent the client must go through the setup
phase.
TCP sessions can be spoofed and stolen (that is why we have VPNs). With
the introduction of Network Address Translation (NAT) on gateways it
became a lot easier to spoof IP addresses.
UDP Sessions The UDP transport protocol has no concept of how many packets it should
receive or what order they should be received in. The integrity of the data is
left to the application to understand and request the data be resent if
necessary. The client does not know if it gets connected to the server until it
receives replies. The client waits for a time out period and just retries if it
gets no reply.
Data (commands) can just be sent as the first packet dispatched. It is easy
to spoof IP addresses and protocols when using UDP as the server never
checks who it is getting a connection from before accepting the data. It is
up to the service being used to validate the data, might be through
authentication or encryption or both.
Diagram, TCP session between Client and Server: Setup phase Syn, Syn/Ack, Ack;
Data (commands) phase Data, Ack; Close phase Fin, Ack.
Diagram, UDP session between Client and Server: Data (commands), Reply, Data,
Data, Reply, Data, with no setup or close phase.
Anti-Spoofing Anti-spoofing is configured as part of the Firewall object settings in the
Topology tab.
If you have a combined Management/Firewall Module your configuration
defaults may be different to those that have a split environment. The details
are the same but in NG FP2 when you get the Interfaces the Policy Editor
tries to guess which is the external interface and sets some defaults. The
external interface will be set to the IP address used for the definition of the
firewall object.
At the moment you should have a Security Policy that looks similar to the
following, the implied rules are not shown but for convenience the Accept
VPN-1/Firewall control connections is turned on. If not when you install
the policy you will lock yourself out with this policy.
Topology of fw.f16.com Edit your Firewall object and look at the Topology dialog.
When you first created the object you got the topology to fill in the
interface details. If you do a Get Topology again you will lose any IP
address spoofing settings that were configured.
Not a problem in this case since it has not been set. If you add network
cards to your firewall you will need to do the get topology or manually add
the interface and set spoofing for the new interface.
Do a Get Topology now.
This may take over a minute.
The results are displayed; accept the results, they can be edited if necessary.
External Interface Highlight the External network interface and edit the settings.
You are not going to change anything since the settings are correct in this
example, just view the options.
Only one interface can be set to external, this is the interface that leads to
the Internet or your largest group of networks if this is an internal firewall.
DMZ Interface Highlight and select the DMZ network if you have one, that is the
192.168.22.103 in this example.
This is set to Network defined by this interface and IP address mask, which
is correct for a single flat network on this interface. It is just the network
and subnet mask associated with 192.168.22.103, network 192.168.22.0/24.
Internal Interface The internal interface setting for the classroom/test configuration could be
the same as the DMZ interface because there is only a single flat network.
In a live firewall it is likely that more than one network resides internally
and you would have to create a group that contained all the networks and
use Specific, selecting the group.
In this case use Specific but select your internal network.
For Anti-Spoofing to become part of the Security Policy you must install
the policy.
Testing Anti-Spoofing Just because you have configured and installed the policy does not mean it
is working the way you expect; you may have selected the wrong interface.
Well, in this case it will be correct, but the rule is TEST, TEST and TEST
again. It is just as important to test that existing rules still work as it is to
test the changes.
You'll need a network tool that allows you to create packets with any
source address.
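To reason about what the anti-spoofing test should show before running it, here is an added model of the interface check (not Check Point code): External is taken to mean "the source must not belong to any internal network", Network defined by this interface derives the network from the interface address and mask, and Specific takes an explicit network or group. Interface names and the firewall's own addresses are constructed; the networks are the ones used in this chapter.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional


class Interface:
    """One entry in the Topology dialog. setting is "external", "interface" or "specific"."""

    def __init__(self, name: str, address: str, mask_bits: int,
                 setting: str, specific: Optional[Iterable[str]] = None) -> None:
        self.name = name
        self.address = ip_address(address)
        self.setting = setting
        if setting == "external":
            self.networks = []                       # nothing specific is "behind" the external side
        elif setting == "interface":                 # Network defined by this interface and IP address mask
            self.networks = [ip_network(f"{address}/{mask_bits}", strict=False)]
        elif setting == "specific":                  # Specific: a network or a group of networks
            self.networks = [ip_network(n) for n in (specific or [])]
        else:
            raise ValueError(f"unknown topology setting {setting!r}")


class AntiSpoof:
    def __init__(self, interfaces: List[Interface]) -> None:
        if sum(1 for i in interfaces if i.setting == "external") != 1:
            raise ValueError("exactly one interface must be set to External")
        self.by_name: Dict[str, Interface] = {i.name: i for i in interfaces}
        # Every network legitimately reachable behind a non-external interface.
        self.internal_nets = [n for i in interfaces if i.setting != "external" for n in i.networks]

    def check(self, iface_name: str, src: str) -> str:
        """Returns "accept" if src is legal on this interface, else "drop" (logged as IP spoofing)."""
        src_ip = ip_address(src)
        iface = self.by_name[iface_name]
        if iface.setting == "external":
            legal = not any(src_ip in n for n in self.internal_nets)
        else:
            legal = any(src_ip in n for n in iface.networks)
        return "accept" if legal else "drop"


def classroom_firewall() -> AntiSpoof:
    """Constructed topology in the spirit of the exercise: interface names and the
    firewall's addresses are assumptions, the networks come from the text."""
    return AntiSpoof([
        Interface("eth0", "172.23.3.254", 24, "external"),
        Interface("eth1", "192.168.22.103", 24, "interface"),              # DMZ, single flat network
        Interface("eth2", "10.3.3.254", 24, "specific",
                  specific=["10.3.3.0/24", "10.2.2.0/24"]),                # group of internal networks
    ])


def demo() -> Dict[str, str]:
    fw = classroom_firewall()
    return {
        "spoofed_internal_on_external": fw.check("eth0", "10.3.3.31"),   # the packet from host A
        "genuine_external": fw.check("eth0", "172.23.3.7"),
        "dmz_host_on_dmz": fw.check("eth1", "192.168.22.10"),
        "dmz_host_on_external": fw.check("eth0", "192.168.22.10"),
        "second_internal_net": fw.check("eth2", "10.2.2.5"),
        "external_src_on_internal": fw.check("eth2", "172.23.3.7"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```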
4.2 Predefined Services
A general guideline before you start adding lots of services to your firewall
and letting users have access to chat and web services.
If you increase the number of services, sources and destinations you will
increase the security risk.
There is a balance between business requirements and security practice;
make users justify why they need the service. That is part of the Site
Security Policy documented procedures.
The firewall is there to reduce the risks to an acceptable level but cannot
fully eliminate the risks.
It is a piece of software.
It is designed to allow connections through it.
It needs to be configured, and how well depends on the experience of the
administrator.
Question In VPN-1/Firewall-1 do all pre-defined services have INSPECT code that
extracts session or protocol information from the packets to secure the
service and stop tunnelled data over open ports through the firewall?
Answer No! There is no list anywhere of which services do and do not have
INSPECT that extracts session information. Check Point are hardly going
to supply one and state that if service X is used then only the IP protocol
Number or TCP/UDP port number is checked. State information is kept for
every session but that is not the same as extracting protocol data (session
details, even at a basic level) to check the correct protocol is going through
the right port number.
Check Point VPN-1/Firewall-1 will do session extraction of information
for many protocols but not all. The number of protocols that do have
session protocol extracted information increases with each release.
The only way to know for sure is to try and tunnel a protocol over the port
you want to use; if it works then there is no INSPECT session protocol
extraction going on. It may use INSPECT but only do something if the
right byte values are found.
This is nearly always an internal to external site risk and applies to all
firewalls. You could of course tunnel one protocol on top of another and
satisfy the INSPECT or application proxy requirements. However, that for
the moment is beyond most users, but not hackers. Hackers will have
written their own tools to do this. Check out http://www.http-tunnel.com;
they have a commercial product that will tunnel TCP and UDP over http
connections. Port 80 is becoming the ultimate tunnel since most sites allow
it out.
Caution Pre-defined services may just be a port number definition, or contain
INSPECT, or be a port number definition with more detailed INSPECT
applied when you use the protocol.
Tunnelled Protocol Example If you want to see a tunnelled protocol then install a telnet server on port 53
to your www.server.com box and add the following rule.
This example would work on your existing rule 3 but an explicit rule with
just domain_tcp in it illustrates it more clearly since you might be thinking
that a defined service from the pre-defined list would do some protocol
checking and Any might not. (It makes no difference, if there is INSPECT
at the back it will be used for the appropriate port number if it exists).
Try telnet www.server.com 53, you should get a login prompt unless
your telnet server is not listening on port 53. If you get no login try telnet
127.0.0.1 53 on the box running the telnet server.
The entry in the log file would look like a domain-tcp connection, not
telnet, after all it is going through port 53 (DNS).
This is an Internal to external problem since you would never have a rule
that allowed incoming connections to controlled servers without knowing
the integrity of the service being connected to. Unless of course you have
turned on the implied DNS TCP rule, but you would not have done that.
Integrity of the service means you know it is a valid server that only works
with the protocol intended and is not a trojan. You have control over this,
well sort of, so it should not be a problem.
If you can trust your internal users and all internal hosts are guaranteed not
to have trojans installed you do not have a problem. Just because you can
do it does not necessarily mean you have a problem, only that it can be
done.
Adding Services Add a rule to your Security Policy to allow http and ftp to your web server.
The add services dialog box has all the pre-defined services, over 150 of
them.
The rule should look like the following.
Adding services is easy, just select from the list the service required.
Rule 4 is a bit liberal in that Any service can be used; give users an inch
and they will take a foot. Always start with a strict, reduced set of services
and add services as needed.
It is easier to add than take away.
Change your Anything outbound rule to allow only http, ftp and telnet.
Although telnet is frowned upon now since passwords are clear text and
Secure Shell (ssh) would be better, for this environment it will not matter.
The Secure Shell server and client may not be installed in the classroom/
test environment.
Your rules should look like the following.
Before you install and test your Security Policy you should be aware that if
you install this you will break DNS host name resolution, since at the
moment this is allowed through the Anything Outbound rule.
Since DNS is a service that is continually used it is best positioned higher
in the rulebase. Remember you do not really want to just turn on the
implied DNS UDP setting in the Policy Global Properties.
Add a rule after the first rule to allow internal networks access to DNS
servers. If you know what the servers are create objects for them and add
the rule.
Object DNS NS0/NS1 Create the DNS server Nodes.
With the DNS rule added your rulebase should look something like the following.
Install and test the Security Policy
You should be able to connect to the internal web server using ftp and http
from an external host.
When adding and changing rules you should be beginning to see that
although it is easy to do, care must be taken in case you prevent a service
that was previously allowed.
With the number of rules in use at the moment maintaining the Security
Policy is easy, 40+ rules requires more care and a good degree of
familiarization with the network environment being used. Multiple
firewalls in a single policy needs even more care. Good documentation
helps, did you remember to comment the rules?
4.3 Policy Properties - Stateful Inspection
Stateful Inspection builds virtual session information about connections
that would not necessarily have connection details. Both UDP and ICMP
protocols are connectionless and do not keep track of how many packets
are sent or received or if all packets for this protocol request have been
completed. Both protocols have no means of knowing when a session has
ended, therefore timeouts are added by the firewall to decide when to end
the session.
Default timeouts and protocol settings can be set in the Global Properties,
these settings apply to all firewalls under the control of the Management
Server.
The timeouts for TCP and UDP services can be set for individual services
in the advanced dialog box for each defined service.
TCP time out is 3600 seconds
UDP time out is 40 seconds
4.4 Creating New Services
Creating new services (port number definition) is required when you have
a service that is not one of the pre-defined services or when you use the
pre-defined service and it does not work with your client/server
implementation.
In some cases the INSPECT code may be looking for details that are not in
the protocol communication and the connection fails. This is either an
implementation problem with the Client/Server or the INSPECT, depends
on who interpreted the RFC.
Sometimes you may have to tweak the INSPECT scripts to get your client/server
implementation to work; this is usually documented in the FAQs
somewhere, as someone has usually been there before you.
Create a Service New services of the following type can be configured.
If you only want to view specific types of service use the filter options.
TCP Create a new TCP service called vidi_printer. There used to be a service
called vidi_printer which displayed teletype information in a web page.
Tunnelling over http replaced it because firewalls prevented user access to
the service.
The advanced dialog allows individual time out settings for each protocol,
this will override the Global setting in the Policy Properties.
In previous versions you needed to edit the INSPECT scripts to override
the default time outs.
After creating the service you could then use it in the rulebase. Remember
you have just defined a port number definition and although the Inspection
Engine will track TCP data, it will know nothing about the vidi_printer
protocol. This could be used to tunnel anything.
Use it with care and try not to have a rule like this.
Which would allow internal users to tunnel any protocol to Any destination
through port 5150. Restrict the rule and protocol use to a known destination
if possible.
UDP Create a new UDP service on port 3130 called mytunnel_test.
Other Service type Other is used for User Defined services where you might
specify the source port a connection comes from or the IP protocol number
for a service that is tunnelled over IP but not already defined.
IP protocol numbers can be found at
www.iana.org/assignments/protocol-numbers
Protocol port numbers for TCP and UDP services can be found at
www.iana.org/assignments/port-numbers
Defining a service type Other may just result in anything being able to be
tunnelled through your firewall using the IP header protocol number.
As an example, you could define a service of type Other using IP protocol
number 6.
In a Security Policy you could then have the following rule, not a good
thing to do since specific services have already been defined and this will
not work with all TCP services.
A service that definitely will not work correctly for this rule is ftp, or
anything that has reverse data connections that the Inspection Engine
handles because of the protocol type.
The outgoing connection will work but any reverse data connections will
fail; allowing them would be Stateful Inspection at work.
If possible you should always use the defined services and only resort to
defining your own when all else fails and then the rule should be from a
known source to a known destination.
The following is a service that some administrators created to control UDP
replies in early versions of firewall-1. This is no longer needed.
Early versions of Firewall-1 had a single tick box to Accept UDP replies
for every UDP protocol even if you only used DNS queries. The dnsreplies
service just allowed the administrator to add a rule that accepted anything
from source port 53 (supposedly only DNS replies). This usually ended up
more open than required since, depending on the Source, the rule could let
anything in.
The Inspection Engine handles UDP replies as a virtual Stateful session,
controlling the replies and where they came from is based on time outs. It
may also extract session information from the replies.
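The virtual UDP session and its time outs, as an added illustration (not Check Point code) covering both the Global Properties default from section 4.3 and the per-service override from section 4.4, with the old dnsreplies rule shown alongside for comparison. Addresses, the 120 second override for port 3130 and the refresh-on-traffic behaviour are assumptions.

```python
from typing import Dict, Tuple

UDP_DEFAULT_TIMEOUT = 40        # Global Properties default (seconds) given in section 4.3
# Constructed per-service override, as set in the service's Advanced dialog:
SERVICE_TIMEOUTS = {3130: 120}  # mytunnel_test on UDP 3130; the value is an assumption

# Virtual session key: (client ip, client port, server ip, server port)
Key = Tuple[str, int, str, int]


def udp_timeout(server_port: int) -> int:
    """A service-level time out overrides the global one when present."""
    return SERVICE_TIMEOUTS.get(server_port, UDP_DEFAULT_TIMEOUT)


class UdpSessionTable:
    """The virtual session Stateful Inspection keeps for a connectionless protocol."""

    def __init__(self) -> None:
        self.table: Dict[Key, float] = {}      # key -> time at which the session expires

    def request(self, src: str, sport: int, dst: str, dport: int, now: float) -> None:
        """A request the rulebase allowed out: open (or refresh) the virtual session."""
        self.table[(src, sport, dst, dport)] = now + udp_timeout(dport)

    def reply(self, src: str, sport: int, dst: str, dport: int, now: float) -> str:
        """A packet coming back in: accepted only while a matching session is alive."""
        key = (dst, dport, src, sport)         # the reply is the mirror image of the request
        expires = self.table.get(key)
        if expires is None or expires <= now:
            self.table.pop(key, None)          # expired, or never requested: no session, drop
            return "drop"
        self.table[key] = now + udp_timeout(sport)   # assumption: traffic keeps the session alive
        return "accept"


def dnsreplies_rule(src: str, sport: int, dst: str, dport: int) -> str:
    """The old dnsreplies service rule: anything from source port 53 is accepted."""
    return "accept" if sport == 53 else "drop"


def demo() -> Dict[str, str]:
    """Constructed addresses: client 10.3.3.31, DNS server 172.23.3.53, tunnel server 172.23.3.60."""
    s = UdpSessionTable()
    s.request("10.3.3.31", 1025, "172.23.3.53", 53, now=0)
    out = {
        "dns_reply_in_time": s.reply("172.23.3.53", 53, "10.3.3.31", 1025, now=10),  # expiry moves to 50
        "dns_reply_late": s.reply("172.23.3.53", 53, "10.3.3.31", 1025, now=55),
        # An unsolicited packet from a different host that merely uses source port 53:
        "unsolicited_stateful": s.reply("172.23.3.99", 53, "10.3.3.31", 1025, now=20),
        "unsolicited_dnsreplies_rule": dnsreplies_rule("172.23.3.99", 53, "10.3.3.31", 1025),
    }
    # The slow service on port 3130: the per-service override keeps the session open longer.
    s.request("10.3.3.31", 2000, "172.23.3.60", 3130, now=0)
    out["slow_service_reply"] = s.reply("172.23.3.60", 3130, "10.3.3.31", 2000, now=100)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The late DNS reply and the slow port 3130 reply together show why review question 10 points at the service's own time out rather than the global one.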
4.5 Anti-Spoofing & Services - Review Questions
1. Anti-Spoofing prevents which of the following.
A. The firewall from accepting packets that arrive on the internal
interface with a source address of an internal network.
B. The firewall from accepting packets that arrive on the external
interface with a source address of an external network.
C. The firewall from accepting packets that arrive on the external
interface with a source address of an internal network.
D. The firewall from accepting stealth scan packets coming from tools
like nmap.
E. The firewall from accepting packets on the internal network with an
external destination address.
2. Given the following network diagram, what would the settings be for
anti-spoofing
The options for setting Anti-spoofing on each Interface are shown in the
dialog box below. What would be the correct setting for the firewall in the
diagram.
Diagram: fw.detroit.com has three interfaces, one on External Net - 172.21.1.0
(labelled "Its a Bad Bad World"), one on net-192.168.22.0 (where FW-Mgmt
sits) and one on net-10.1.1.0, which leads through a Router to networks
10.2.2.0 and 10.3.3.0. The interface host numbers shown are 254, 254 and 1.
A. 172.21.1.254 set to External, 192.168.22.254 set to Network
defined by Interface, 10.1.1.254 set to Network defined by
Interface.
B. 172.21.1.1 set to Specific, 192.168.22.254 set to specific,
10.1.1.254 set to Network defined by Interface.
C. 172.21.1.1 set to Network defined by Interface, 10.1.1.254 set to
External, 192.168.22.254 set to specific.
D. Network 172.21.1.1 set to External, 192.168.22.254 set to Network
defined by Interface, 10.1.1.254 set to Specific containing a group
that has all internal networks.
E. None of the above are correct.
3. The default time out for an established TCP connection is
A. 50 Milli-Seconds
B. 1 Second
C. 60 Seconds
D. 3600 Seconds
E. infinite
4. When using a Stateful Inspection engine like VPN-1/Firewall-1 NG it
is not possible to tunnel protocols through port numbers like port 53
because Stateful Inspection checks protocol details for all protocols.
A. True
B. False
5. For a TCP session the default time out that the Inspection engine will
wait for an Ack packet reply to a Syn/Ack at the start of a TCP session
will be.
A. 50 Milli-Seconds
B. 1 Second
C. 60 Seconds
D. 3600 Seconds
E. infinite
6. When defining a new TCP service in the Advanced Service Properties
the option Match for Any means.
A. Ignore Stateful Inspection session information for this service, even
if it is available.
B. If this service is used in the rule then match for any service to the
source or destination.
C. If the service is Any in the rule then use this service definition in
the rule and not any other service associated with the same port
number.
D. Match the service for any service using this port number regardless
of the type of transport session being used.
E. Only match the first packet of a session to test against the rules, all
other packets are assumed to be part of the established connection
from then on.
7. The default time out period for UDP sessions is.
A. 10 Seconds
B. 40 Seconds
C. 3600 Seconds
D. 180 Seconds
E. 50 Milli-Seconds
8. The most secure method of allowing DNS queries from Internal hosts
to external DNS servers is to turn on the Implied rule for Domain UDP.
A. True
B. False
9. You run the weekly firewall audit tools against the firewall, this is done
from the external side of the firewall, and you see in the log file that an
IP spoof generated packet was accepted by the firewall. You know from
last week's records that Anti-spoofing was working correctly and
rejecting the packets. Which of the following is the most likely cause
given that the Firewall module and Management Server are on the same
box.
A. Your colleague has done a Get Topology request on the firewall
object which gets the interface details and deletes any existing
Anti-spoof configuration and they did not reset it.
B. Someone has run the command fwstop -default and the Inspection
Engine is currently not doing Anti-spoofing.
C. The spoof packet matched the first rule in the rulebase which comes
before Anti-spoof checking so it was allowed.
D. The rulebase included encryption rules that were added during the
week and Anti-spoofing does not work if encryption rules exist.
E. The setting for External (leads out to the Internet) has been set
wrong and is the Internal interface not the external IP address.
10. You are having problems with a UDP service on port 3130, the client/
server communication never seems to complete reliably, you suspect
the network and server latency to be a problem. Which of the following
would you most likely do.
A. Tell the users that this protocol is broken going through the firewall
and they cannot use it.
B. Tell the administrator of the server that they will need to upgrade
the hardware of the server as the time outs for replies are excessive.
C. Edit the Global properties and increase the UDP time out period.
D. Edit the virtual time out period for the service on port 3130 and
increase it.
E. Position the rule higher in the rulebase and try using the service
again.
5 Working with the Security Policy
Objectives
When you have completed this module you should be able to
Know how revision control works.
Use a sensible Security Policy naming convention.
Know how to view the installed policy compared to the saved policy file.
Know how to hide rules.
Know how to use rule masks and searches.
Know basic performance guidelines.
Know how to uninstall the Security Policy and the consequences.
Add Firewall administrators that can use strong authentication, like
certificates and SecurID.
5.1 Revision Control
Keeping control of which version of the Security Policy is installed and
following a naming convention simplifies the Security Policy changes.
In VPN-1/Firewall-1 prior to NG FP2 there was no Revision Control
method other than manually adding the date and time stamp every time you
changed the Policy.
Administrators usually open the policy, do a Save As, and use a filename
with the current date and time, e.g. fw16-Jun212002-1545:

    Firewall                 fw16
    Date of policy change    Jun 21st 2002
    Time of policy change    3:45 PM
If you have Management Stations in multiple countries then time zones
need to be considered. Work with a single central time, GMT only, or use a
different naming convention.
Log files would also be switched when the new Policy was installed; that
keeps the rule numbers in the log file and the Security Policy synchronised.
If you have a policy with 6 rules, then rule 4 may allow, and show in the log
file, access attempts to your http and ftp servers. If you add a rule before
rule 4, then the log file for the same events will now be displaying rule 5.
If you change your policy by adding new rules it is a good idea to rotate the
log files at the same time. You can then open the Policy file that relates to
the log file and, when looking at a rule entry, match the events to the rule
that allowed them.
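The rule-number drift just described, as an added example that is not part of the original book and not Check Point code: a small Python script that names a saved policy in GMT using the convention above, maps rule numbers between two policy versions, and looks a logged rule number up in the version that was installed when the event was logged. The rulebase, install times and log entries are all constructed for illustration.

```python
from datetime import datetime, timezone

def policy_filename(firewall, when):
    """Filename from the naming convention above, <fw>-<MonDDYYYY>-<HHMM>,
    always expressed in GMT so Management Stations in different time zones
    agree on the name."""
    when = when.astimezone(timezone.utc)
    return f"{firewall}-{when.strftime('%b%d%Y')}-{when.strftime('%H%M')}"

def rule_number_map(old_rules, new_rules):
    """Map each 1-based rule number in the old version to its number in the
    new version (None if the rule was deleted).  Rules are matched by content,
    so two identical rules in one version would be ambiguous."""
    new_index = {rule: n for n, rule in enumerate(new_rules, 1)}
    return {n: new_index.get(rule) for n, rule in enumerate(old_rules, 1)}

def annotate_log(log_lines, versions):
    """For each (timestamp, rule_number) log entry, look the rule number up in
    the policy version that was installed at that time, not the current one.
    versions is a list of (installed_at, rules) in chronological order and the
    first version must predate every log entry."""
    out = []
    for ts, rule_no in log_lines:
        rules = [r for at, r in versions if at <= ts][-1]
        rule = rules[rule_no - 1] if 1 <= rule_no <= len(rules) else None
        out.append((ts, rule_no, rule))
    return out

# Constructed data, not from the book: a six rule policy (fields are
# name, source, destination, service, action) and the same policy with one
# rule inserted in front of the old rule 4.
RULES_V1 = [
    ("stealth",  "Any",      "fw16",     "Any",      "drop"),
    ("dns",      "internal", "isp_dns",  "domain",   "accept"),
    ("smtp",     "Any",      "mail_srv", "smtp",     "accept"),
    ("web_ftp",  "Any",      "web_srv",  "http ftp", "accept"),
    ("outbound", "internal", "Any",      "Any",      "accept"),
    ("cleanup",  "Any",      "Any",      "Any",      "drop"),
]
RULES_V2 = RULES_V1[:3] + [("mgmt_ssh", "admin_net", "fw16", "ssh", "accept")] + RULES_V1[3:]

T_V1 = datetime(2002, 6, 21, 15, 45, tzinfo=timezone.utc)
T_V2 = datetime(2002, 6, 28, 9, 0, tzinfo=timezone.utc)
VERSIONS = [(T_V1, RULES_V1), (T_V2, RULES_V2)]

# Constructed log entries: both record "rule 4", but the second one was
# written after the insert and therefore refers to a different rule.
LOG = [
    (datetime(2002, 6, 25, 10, 0, tzinfo=timezone.utc), 4),
    (datetime(2002, 6, 29, 10, 0, tzinfo=timezone.utc), 4),
]

if __name__ == "__main__":
    print(policy_filename("fw16", T_V1))
    print(rule_number_map(RULES_V1, RULES_V2))
    for ts, n, rule in annotate_log(LOG, VERSIONS):
        print(ts.date(), "rule", n, "was", rule[0])
```

Reading both log entries against the current policy would attribute the June 25th event to the new mgmt_ssh rule; keeping the policy file that matches each log file, as the text recommends, is what makes the lookup in annotate_log possible.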
In NG FP2, revision control has been added, this allows a new Revision
Version of the Policy to be created when you make changes to the Security
Policy.
Revision Control is accessed, from the file menu or the toolbar.
To create a Revision Controlled Policy select - Create.
You must save the current Security Policy settings before creating a
Revision Controlled version.
Provide the Policy version with a name and comment, it does not have to
be the same as the Policy name.
You are now working with Version 1 of this Policy.
Changes to your Policy
Make a simple change to your Security Policy and create a new version.
Your policy should look similar to the following at the moment.
Create a group object called ISP_dns_servers and change rule 3 to the
following.
Creating a Group
Create the Group.
Modify the Rule
Before you install the Security Policy you need to create a new version.
Maybe in future versions this will be done automatically, but for now you
have to do it manually.
If you get an error when creating the new version it will be because you
have not made any changes. That should not happen here, since you have just
modified a rule. New versions can be created not only for rule changes but
for changes to any service or other dialog box setting in the Policy Editor.
Revision database files are stored on the Management Station.
Install the new Security Policy.
In FP3 you can revert to an earlier version: use Show Version, then install
that Policy. You cannot do that in FP2, which only lets you take snapshots
of the Security Policy configuration.
Viewing the Installed Policy
In NG FP2 you can view the policy that is currently installed on a firewall
module.
The policy you are editing may not be the policy that is installed. This may
not be clear when you open the Policy Editor, as someone may have made
changes to the policy and saved them but not installed them.
You could use the Status Manager to see when the policy was last installed
and compare that with the date and time stamp the OS gave the Security
Policy file when it was saved.
5.2 Hiding Rules
When working with a small rulebase the ability to hide rules may not
appear useful, however, when you are dealing with a single policy
managing multiple Firewalls the rules soon exceed the available viewing
area.
The average rulebase, excluding the implied rules if turned on, is between
18 - 30 rules and for some sites 10 rules may be adequate. Some
administrators may chuckle at that since they may have over 200 rules.
There is no limit to the number of objects you can create or the rules that a
Security Policy may have.
Our rulebase only has 6 rules and hiding rules may seem trivial but
knowing you can do it, will at some time be useful.
The current rulebase should look similar to the following.
Hiding a Rule
To hide a rule use one of the menu options, or select the rule then use the
popup menu.
It does not matter which rule you hide for this example.
Rule numbers are still consistent with the number of rules and if you install
the Security Policy then hidden rules still get installed as part of the
Policy.
Viewing Hidden Rules
When working with a Security Policy you may have hidden several rules to
allow yourself to focus on a specific group of rules. To view the hidden
rule(s) use View Hidden; this acts like a toggle, view or do not view.

Unhiding Rules
To unhide a single rule you can double click on the hidden rule.
To unhide all hidden rules use the menu option.
5.3 Rules Masks and Searches
With a large rulebase you may want to find every rule that contains a
particular network object or service; this can be done using Query Column...
For example you may want to find every rule that has the firewall as a
destination.
This displays all rules that contain the Firewall object, but also any rule
that has Any, since Any is a group that contains all objects and could apply.
To show only rules that name the specific object requested, restrict the
query to the object itself; the result then excludes group objects.
5.4 Disabling Rules
This takes the rule out of the Security Policy that is being installed but
leaves it in the rulebase for future use. This is like commenting out a
section of code before you compile the program: it is still there but not
being used for this version.
You can use the Shift key to select more than one rule at a time and disable
them all.
Remember to tidy up disabled rules. If you have multiple administrators it
is easy to end up with a Security Policy that has many disabled rules, with
each administrator unsure whether the disabled rules can be deleted.
The disable rule menu option is a toggle: select once to disable and again to
enable.
You do not want any of your current rules disabled; enable the selected
rules if you disabled them.
The disabled rules do not take effect until the policy install takes place.
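The behaviour described in 5.2 to 5.4 (hidden rules are still installed, disabled rules are left out, and Query Column also matches rules whose column says Any), together with the first-match ladder the firewall evaluates, as an added example that is not part of the book and not Check Point code. It is a toy model in Python: the object names, the one group and the six rule policy are constructed, and group membership is a plain dictionary.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    src: str
    dst: str
    svc: str
    action: str
    hidden: bool = False     # only affects the Policy Editor display
    disabled: bool = False   # left out when the policy is installed

# Constructed object database: groups map to their members.  "Any" is
# handled specially below because it stands for every object and service.
GROUPS = {"dmz_servers": {"web_srv", "mail_srv"}}

def covers(cell, obj):
    """True if the object in a rule column applies to obj."""
    return cell == "Any" or cell == obj or obj in GROUPS.get(cell, ())

def query_column(rules, column, obj, explicit=False):
    """1-based numbers of rules whose column refers to obj.  By default a
    group (including Any) that contains obj also matches, which is why a
    query for the firewall object returns every rule with destination Any;
    explicit=True matches only the object itself and so excludes groups."""
    return [n for n, r in enumerate(rules, 1)
            if (getattr(r, column) == obj if explicit
                else covers(getattr(r, column), obj))]

def install(rules):
    """The rules that are actually installed: hidden rules are included,
    disabled rules are dropped, and the original numbers are kept so that
    log entries still refer to the same rule."""
    return [(n, r) for n, r in enumerate(rules, 1) if not r.disabled]

def first_match(installed, src, dst, svc):
    """The if-then-else ladder: the first rule whose columns cover the
    connection decides.  Returns (rule_number, action, rules_examined);
    with no match the connection is dropped (the implicit drop)."""
    for steps, (n, r) in enumerate(installed, 1):
        if covers(r.src, src) and covers(r.dst, dst) and covers(r.svc, svc):
            return n, r.action, steps
    return None, "drop", len(installed)

# Constructed six rule policy, similar in shape to the one in the exercises.
RULES = [
    Rule("Any",      "fw16",        "Any",        "drop"),                   # 1 stealth rule
    Rule("internal", "isp_dns",     "domain-udp", "accept"),                 # 2
    Rule("Any",      "dmz_servers", "http",       "accept"),                 # 3
    Rule("Any",      "web_srv",     "ftp",        "accept", hidden=True),    # 4 hidden, still enforced
    Rule("internal", "Any",         "Any",        "accept", disabled=True),  # 5 disabled, not installed
    Rule("Any",      "Any",         "Any",        "drop"),                   # 6 cleanup rule
]

if __name__ == "__main__":
    print(query_column(RULES, "dst", "fw16"))                           # [1, 5, 6]
    print(query_column(RULES, "dst", "fw16", explicit=True))            # [1]
    print([n for n, _ in install(RULES)])                               # [1, 2, 3, 4, 6]
    print(first_match(install(RULES), "internal", "web_srv", "ftp"))    # (4, 'accept', 4)
    print(first_match(install(RULES), "internal", "ext_host", "http"))  # (6, 'drop', 5)
```

The last call shows the consequence of disabling rule 5: an outbound http connection that rule 5 used to accept now falls through to the cleanup rule, and the log would show rule 6. Hidden rule 4 still accepts ftp to web_srv, which is the point of the review question on hidden rules.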
5.5 Uninstalling the Security Policy
You do not normally have to uninstall the Security Policy you just make
changes and install the new Policy.
If you must uninstall the policy you can do this from the menu. Be careful:
the Install and Uninstall options are right next to each other and the
dialog boxes look very similar.
Install and Uninstall dialog boxes
You will soon realise if you make a mistake, everyone will start
complaining the Internet is down. You might also realise that the normal
Security Policy compilation messages did not appear.
5.6 Basic Performance Guidelines
Hosts file
Object creation and Security Policy compilation are faster if the
Management Station has a hosts file with the names of all the objects you
create in the Policy Editor. At least make sure the names are resolvable,
for example through an internal DNS server.

DNS lookup
The Management Server does a large number of DNS lookups, so make sure it
resolves from an efficient DNS server. This also helps when viewing the log
file with Resolve Addresses on.

Log Viewer Resolve Addresses
To increase the display performance of the Log Viewer switch off Resolve
Addresses.

Module Performance
VPN-1/Firewall-1 performance depends on the hardware, OS, Security Policy,
network bandwidth and network traffic characteristics.

Simple Rulebase
The rulebase is essentially an if-then-else ladder: the more rules, the more
steps to drop through. Note that the number of rules is not normally an
issue, since the Firewall throughput even with a large number of rules often
outstrips the network bandwidth available; this is especially true for the
Internet. Not all firewalls lead to the Internet, and bandwidth may exceed
the available throughput; load sharing/balancing should be considered in
that case.

Rule Order
In some cases, when using large rulebases, positioning the most commonly
executed rules, like DNS and SMTP, higher in the rulebase will increase
throughput.

Rule Number
Keep the rules to a minimum.

Use of Groups
Use groups, not individual workstations. A network is a group that contains
all its workstations; that may not be exactly what you want, but it is
efficient. Group services together instead of adding them individually.

Services
Do not add services if they are not used. Why have gopher, archie and finger
in a rule that is never matched on those services? Each would just be another
service to test against before dropping through to the next rule.

Appliance specific features
Nokia Flows and RapidStream Cut Through will both increase packet
throughput. FASTPATH for TCP services is no longer available for NG at
FP2; it was not recommended anyway unless desperate for throughput.

Logging
Only log what you need to log; your email and web servers have their own
log files and usually provide more information.
Log the interesting events, like drops and rejects, not day to day http
traffic. This will be determined by your Site Security Policy, and in some
cases every event may have to be logged. Use an internal caching proxy
server; then all the links users access will be available from it, and you
will probably get better log analysis as well.

Active
This requires the firewall module to track session times and packet counts
for every session; CPU usage will increase.

Accounting
This requires the firewall to keep track of the number of packets passing
through a particular session; for a busy firewall CPU usage will increase.
5.7 Multiple Firewall Administrators and Authentication Methods
Every administrator should have their own account name, generic accounts
although convenient do not allow audit tracking of individual administrator
actions.
There are two places that Firewall administrator accounts can be created:
Management Configuration Tool - Administrators
Policy Editor - Manage -> Users & Administrators

Management Configuration Tool
On the Management Station console, from the Windows start menu, start the
Check Point Configuration Tool. On Unix systems type cpconfig and use the
simple ASCII menu to select adding an administrator. You can also directly
edit the gui-clients file, which lists the hosts allowed to connect with
the GUI clients.
To modify administrator details from the command line you can use
fwm -a
Administrator accounts created using the configuration tool use simple
reusable passwords with no strong authentication.

fwmusers
The administrators created using the configuration tool are stored in the
file $FWDIR/conf/fwmusers.
You must have at least one administrator account in this file; it is created
during the Management Server install.
From NG FP2 onwards firewall administrators can be created from within
the Policy Editor, and additional administrators no longer need to be created
with the Configuration Tool. Only one account needs to be in fwmusers,
and it is created during the Management Server install. In fact, once you
have created administrator accounts in the Policy Editor you could delete
the account in the fwmusers file and always use strong authentication.

Policy Editor - Manage -> Users & Administrators
Creating an administrator account in Manage -> Users & Administrators
allows accounts to be created that use strong authentication or
certificates.
The account information is stored in the fwauth.NDB database file, which
also stores the user account information for authenticating users through
the firewall.
Create an administrator account.

General details
Provide a user name for this account; it cannot be the same as a user name
that is stored in the fwmusers file, since the fwmusers file takes
precedence.
Account Profile
Create a new account profile; this sets the GUI clients and permissions
that this administrator will have access to.
This is a Read/Write account, and full access to all clients needs to be set.
In larger enterprises with multiple administrators, restricted access can be
set, limiting the user to specific GUI clients. For example an administrator
may not be qualified to use FloodGate-1 (QoS Policy) because they have not
completed training or done the Check Point certification.
Authentication Schemes
Select the type of authentication to be used. VPN-1/Firewall-1 Password
and OS Password are no better than using the fwmusers file. SecurID or
another two-factor authentication scheme integrated with a RADIUS server
is the ideal choice. RADIUS requires a RADIUS server and SecurID requires
an ACE server.
For this example you are going to use Admin Certificates, so leave the
Admin Auth scheme set to Undefined.
Administrator Certificate
Generate a new certificate for this administrator.
You cannot undo the certificate creation, but you can revoke it. Revoking
the certificate would have to be done if the administrator was no longer
responsible for the firewall administration.

Certificate Password
In order to protect the certificate a password is required. Enter a password
and do not forget it; if you do, you would have to revoke the certificate and
issue a new one.
The certificate will be created and stored in the Internal CA.
The certificate will be saved to your local disk; this should be the PC you
will be using the GUI client from.
Before you create any certificates make sure the hostname of the
Management Station is resolvable and has the correct DNS domain
settings.
The new firewall administrator will be added, the icon has a crown to
distinguish them from other user accounts.
Install User Database
Install the user database on both the Firewall and Management Server; this
example is a split Management/Firewall module configuration.
Test Admin Certificate login
To test the new administrator account, exit the Policy Editor and login
using the certificate you saved to your local disk.
Select the certificate you want to use.
Type in the password, if you forget it you will not be able to use the
certificate.
5.8 Working With the Security Policy - Review Questions
1. Rule masks allow administrators to.
A. Create search criteria for automatically removing rules that are no
longer required.
B. Create masks to display only relevant rules to the task on hand.
C. Create masks to hide rules and then automatically remove them
from the Security Policy during the next policy install.
D. Search the state table for specific connections.
E. Search the state table and block specific connections using source,
destination or service.
2. When you hide a rule, then the next time you install the Security Policy
that rule will not be enforced.
A. True
B. False
3. VPN-1/Firewall-1 NG introduced integrating firewall administrator
details into the standard user authentication database. Which of the
following authentication methods can now be used to authenticate
VPN-1/Firewall-1 NG administrators.
1. OS Password
2. SecurID
3. VPN-1/Firewall-1 Password
4. Radius
5. Certificates
A. 1, 3
B. 2, 4
C. 1, 2, 4
D. 2, 3, 4
E. 1, 2, 3, 4, 5
4. If you have to work in a command line environment which of the
following commands would you use to edit the firewall administrator
details.
A. fwadmin
B. fwm -a
C. fw edit
D. fwm fetch admin
E. None of the above the administrator details can only be changed
using the Configuration tool.
5. You are setting the permissions for an administrator and have selected
the following in the permissions profile. This will allow the
administrator to do what.
A. Create and edit network objects and add user authentication
account information.
B. Create new users and edit existing users and block connection in
the log file using block Intruder.
C. Create new users and edit existing users and install the user
database.
D. Change the rule to add groups of users in the rulebase and create
and edit users in the User authentication database.
E. Delete objects from the database and install user databases after
modifying the user account details.
6. If you mark a rule as being disabled, in order for it to take effect you
must install the Security Policy.
A. True
B. False
7. Which component of Firewall-1 allows log files to be exported to third
party products.
A. CVP
B. LEA
C. ELA
D. UFP
E. RTM
6 Setting up Authentication
Objectives
When you have completed this module you should be able to
Know the database used to store authentication details.
Know the authentication schemes supported by VPN-1/Firewall-1.
Create Users and Groups.
Know the authentication daemons and where they are configured.
Understand the use of the account name generic*.
6.1 Authentication Methods
Authentication is required because the source IP address in the IP header
cannot be trusted, IP addresses can be spoofed therefore additional
information is required to prove that the connection is coming from a valid
user.
In VPN-1/Firewall-1 there are three types of authentication
User
Client
Session
They all use authentication servers (security servers) that reside on the
firewall and are started automatically if required by a connection passing
through the firewall.
If a rule is matched with Action Auth then the Inspection Engine hands the
connection to the authentication server.

$FWDIR/conf/fwauthd.conf
The $FWDIR/conf/fwauthd.conf file lists the daemons and the port numbers
they use. A port number can be changed from the default by editing it and
doing an fwstop/fwstart. Alternatively you can add a new entry with the
port number you want to use.
21 fwssd in.aftpd wait 0
80 fwssd in.ahttpd wait 0
513 fwssd in.arlogind wait 0
25 fwssd in.asmtpd wait 0
23 fwssd in.atelnetd wait 0
259 fwssd in.aclientd wait 259
10081 fwssd in.lhttpd wait 0
900 fwssd in.ahclientd wait 900
0 fwssd in.pingd respawn 0
0 fwssd in.asessiond respawn 0
0 fwssd in.aufpd respawn 0
0 vpn vpnd respawn 0
0 fwssd mdq respawn 0
0 xrm xrmd respawn 0 -pr
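An added example, not from the book and not Check Point code: a Python parser for the fwauthd.conf layout shown above, with a check for two entries claiming the same port (the mistake that is easy to make when adding a new entry) and a helper that rewrites one daemon's port. The field meanings are read off the listing (listen port, binary, daemon, start mode, a second port column, optional arguments); treating the fifth column as a port that should follow the first when the two are equal is this example's assumption, not documented behaviour, and the sample text is a copy of the listing above.

```python
# Constructed copy of the listing above, used as sample input.
FWAUTHD_SAMPLE = """\
21 fwssd in.aftpd wait 0
80 fwssd in.ahttpd wait 0
513 fwssd in.arlogind wait 0
25 fwssd in.asmtpd wait 0
23 fwssd in.atelnetd wait 0
259 fwssd in.aclientd wait 259
10081 fwssd in.lhttpd wait 0
900 fwssd in.ahclientd wait 900
0 fwssd in.pingd respawn 0
0 fwssd in.asessiond respawn 0
0 fwssd in.aufpd respawn 0
0 vpn vpnd respawn 0
0 fwssd mdq respawn 0
0 xrm xrmd respawn 0 -pr
"""

def parse_fwauthd(text):
    """One dict per entry: port, binary, daemon, mode, port2, args.
    Blank lines and anything after '#' are ignored; malformed lines raise."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields: {raw!r}")
        port, binary, daemon, mode, port2, *args = fields
        if mode not in ("wait", "respawn"):
            raise ValueError(f"line {lineno}: unknown start mode {mode!r}")
        entries.append({"port": int(port), "binary": binary, "daemon": daemon,
                        "mode": mode, "port2": int(port2), "args": args})
    return entries

def listening_ports(entries):
    """daemon -> port for entries that bind a fixed port (0 means none)."""
    return {e["daemon"]: e["port"] for e in entries if e["port"] != 0}

def port_conflicts(entries):
    """Non-zero ports claimed by more than one daemon, e.g. after a new entry
    was added with a port that is already in use."""
    seen = {}
    for e in entries:
        if e["port"]:
            seen.setdefault(e["port"], []).append(e["daemon"])
    return {port: daemons for port, daemons in seen.items() if len(daemons) > 1}

def set_daemon_port(text, daemon, new_port):
    """Return the file with daemon's port changed and every other line kept
    verbatim.  Assumption of this example: if the fifth column repeated the
    old port (as for in.aclientd) it is changed to match."""
    out = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 5 and fields[2] == daemon:
            old = fields[0]
            fields[0] = str(new_port)
            if fields[4] == old and old != "0":
                fields[4] = str(new_port)
            out.append(" ".join(fields))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    entries = parse_fwauthd(FWAUTHD_SAMPLE)
    print(listening_ports(entries))
    print(port_conflicts(entries))                                  # {}
    print(set_daemon_port(FWAUTHD_SAMPLE, "in.aclientd", 2590))
    print(port_conflicts(parse_fwauthd(FWAUTHD_SAMPLE + "259 fwssd in.mydaemon wait 0\n")))
```

Run port_conflicts over the edited file before the fwstop/fwstart; a clash between two entries is only noticed at run time otherwise, when one of the daemons fails to bind.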
6.2 Authentication Schemes
An authentication scheme is the process of how a user is authenticated, in
VPN-1/Firewall-1 this can be one of the following.
SecurID*
AXENT Pathways Defender*
RADIUS*
TACACS*
S/Key*
VPN-1/Firewall-1 Password
OS Password
Schemes marked * are considered to be strong authentication, i.e. they do
not use simple reusable passwords that can be snooped.
SecurID
SecurID is currently the most popular two-factor authentication scheme. It
requires a token which generates a number every sixty seconds (the time
frame can vary for different types of token), and a PIN that the user knows.
Put the token number and the PIN together to form the passcode. Stealing
the token does little good without the PIN, and stealing the PIN is no good
without the token. Users need to take care of the tokens!
Stolen/lost tokens need to be disabled at the SecurID ACE server.

AXENT
AXENT Pathways Defender presents the user with a challenge when they
enter their user name. The user generates the response with a special
calculator by entering their PIN and the challenge. The number generated
becomes the password for that authentication.

RADIUS
Requires a RADIUS server to be configured, and the Firewall must be able
to communicate with it. The Policy Properties implied rules allow this;
however, you may have turned the implied rules off.
Any authentication scheme that works with your RADIUS server can be
used.
If you need a RADIUS server to test firewall integration with, try
www.freeradius.org
SafeWord integrates into Firewall-1 through a RADIUS server.

TACACS
Similar to RADIUS, but uses TCP where RADIUS uses UDP.
S/Key
A One Time Password (OTP) based authentication scheme. Generate the
passwords in advance, or use an S/Key client to generate the password when
presented with the challenge; the user knows the secret to enter into the
client. Because each password is used once, a snooped password cannot be
replayed.
Simple to use and better than reusable passwords, but users usually need to
have the client installed on their computer.
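The one-time password idea behind S/Key, as an added example that is not part of the book and not Check Point's implementation: a Python model of the hash chain (the construction of RFC 1760 and RFC 2289) showing why a password captured during one login is useless for the next. It uses SHA-256 rather than the MD4/MD5 64-bit folding and six-word encoding of the real schemes, so it is not interoperable with an S/Key client; the secret and seed values are constructed.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """One step of the chain.  Real S/Key folds MD4/MD5 output to 64 bits;
    SHA-256 is used here for simplicity (this example's choice)."""
    return hashlib.sha256(data).digest()

def otp(secret: str, seed: str, k: int) -> bytes:
    """The k-th password: the seeded secret hashed k times.  The client
    computes this from the challenge (k, seed) and the secret it knows."""
    value = h((seed + secret).encode())
    for _ in range(k):
        value = h(value)
    return value

class OTPServer:
    """Server side state: only hash^n of the secret is stored, never the
    secret, so a copy of the server database does not yield passwords."""
    def __init__(self, seed: str, n: int, p_n: bytes):
        self.seed, self.n, self.stored = seed, n, p_n

    def challenge(self):
        """Asks for password n-1: the client hashes one time fewer than the
        value the server holds."""
        return self.n - 1, self.seed

    def verify(self, candidate: bytes) -> bool:
        if self.n <= 1:                  # chain exhausted: user must re-enrol
            return False
        if hmac.compare_digest(h(candidate), self.stored):
            self.stored, self.n = candidate, self.n - 1   # move down the chain
            return True
        return False

def enrol(secret: str, seed: str, n: int = 100) -> OTPServer:
    """Enrolment: the server receives hash^n, computed on the client side."""
    return OTPServer(seed, n, otp(secret, seed, n))

if __name__ == "__main__":
    server = enrol("correct horse battery", "fw16")       # constructed values
    k, seed = server.challenge()
    password = otp("correct horse battery", seed, k)       # generated by the client
    print("login:", server.verify(password))               # True
    print("replay of snooped password:", server.verify(password))   # False
    k2, _ = server.challenge()
    print("next login:", server.verify(otp("correct horse battery", seed, k2)))  # True
```

The replay fails because the server now holds the password it just accepted and expects its preimage; computing that from a captured password would mean inverting the hash. The chain does run out, which is why S/Key users have to re-enrol periodically.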
VPN-1/Firewall-1 Password
This is a simple reusable password stored in the fwauth.NDB database. It
is not recommended except for authenticating users from internal to
external networks.

OS Password
This is a simple reusable password and not recommended except for
authenticating users from internal to external networks. It uses the OS
password database on the firewall: NT passwords for NT firewalls and Unix
passwords for Unix based firewalls.
Unix firewalls could be configured to use NIS/NIS+, and NT Firewalls
could be part of a Domain and use the PDC; neither method is recommended.
6.3 Set the Authentication Schemes
Since this is a test configuration and strong authentication may not be
available for the authentication exercises, Firewall-1 Password is going to
be used.
Set your Firewall to use VPN-1/Firewall-1 Password authentication.
If you do not set this, then when a user tries to use Firewall-1 Password
the firewall informs the user that it is not supported on this gateway.
6.4 Creating Users
Users are created either from the User Object Tree or from Manage ->
Users & Administrators.
Default is a template with some of the settings already configured. You can
create templates for your live environment to simplify user account
creation. The Default template has no authentication scheme defined but
you could create a new template called SecurID and set the scheme to
SecurID. Every time you needed a new user that used SecurID you would
then use the SecurID template.
You will just use the Default template and change the values as required.
You will be creating the following users.

    User     Authentication Scheme
    bob      VPN-1 & Firewall-1 Password
    jenny    VPN-1 & Firewall-1 Password
    joe      VPN-1 & Firewall-1 Password
    linda    VPN-1 & Firewall-1 Password
    ann      VPN-1 & Firewall-1 Password

Note, user names are case sensitive, bob and Bob would be two different
users; passwords are also case sensitive.

General
Enter the user name.

Personal
This controls when the user account expires; if you blank the expiration
date the account will never expire, so the setting should follow the site's
user account management policy. Add a comment; it might be useful to
identify the department or main manager contact for this user. It helps
when you want to delete the user account, since the firewall administrator
is usually the last person to be told that this user has left the company.
Groups
Users must belong to at least one group (except administrators). Since no
groups have been created yet, make no change to this tab. The group Any
exists by default. The groups for this example will be created after you
have created all the users.

Authentication
Set the authentication scheme that is going to be used. In this example all
users will be using VPN-1 & Firewall-1 Password.
Select the scheme and set the password.
Encryption
The encryption tab is for SecuRemote/SecureClient, Remote Access VPNs;
no changes for this example.

Certificates
This allows creation of a certificate for this user; this is covered later,
no changes for this example.

Time
This controls when the account can be used; no changes for this example.
Location
This controls the sources and destinations that the account can be used
from or to.
Repeat the creation process for the four other user accounts.
You should now have the following user accounts.
Note, if you want to disable a user account but not delete it you can set the
Authentication scheme to Undefined. The IKE shared secret and certificate
authentication in the Encryption tab of the user account would still work,
but these are used with SecuRemote/SecureClient and are explained in the
Client VPN modules.
6.5 Creating User Groups
You cannot specify a single user in a rule in the rulebase, only groups of
users. Therefore every user must belong to at least one group. By default
all users belong to the group Any, which could be used in a rule but is not
normally what is intended. You can nest groups as well.
Create the following groups.

    Group      Users
    Support    bob, jenny
    Sales      joe, linda, ann

Support Group
Create the Support group and add the users that belong to Support.

Sales Group
Create the Sales group and add the users that belong to Sales.
If you use a colour scheme it helps to identify the users and the groups they
belong to when displaying the users in the Objects tree.
You should now have the users and groups created.
External Groups
External Groups are used where the user account information is stored in
an LDAP server. The account information for external groups is not stored
in the fwauth.NDB database.
When using external groups the fwauth.NDB is always checked first;
therefore you cannot have an account name in the external LDAP database
that is the same as an account name in the fwauth.NDB.
You will not be creating external groups; that is part of the CCSE+ topics.
You need a license for VPN-1/Firewall-1 to use the LDAP authentication
database.
6.6 User generic*
Authentication for most sites through a firewall involves a small number of
users, less than 25, however large sites could have thousands of users. For a
large number of users you have to decide where and how to implement
authentication.
You may already have a large authentication database accessible through
RADIUS and want to use that database with the firewall. One way would
be to create an account in the firewall user database for every user and set
the authentication to RADIUS and point it to the RADIUS server. This
requires duplicating all the accounts. This would take a considerable
amount of time to create let alone trying to administer it.
Generic*
generic* is a Check Point internal account username that can be used to
map onto all usernames not matched in the fwauth.NDB.
You could create a user called generic* and set the Authentication type to
be RADIUS.
When the user types in their username the firewall first checks fwauth.NDB
and will not find the name, if generic* exists it will assume the name is
known to the authentication scheme you have set generic* to point to and
hands them off to it for authentication.
The generic* account name can use any of the authentication schemes. Up
to and including NG FP2 you can only have one generic* username
created.
6.7 Setting up Authentication - Review Questions
1. When creating users for authentication they are stored in which file.
A. fwauth.NDB
B. rulesbases.fws
C. fwmusers
D. FWDIR/database/userc.c
E. Fwusers.NDB
2. When a user tries to log in, the message "Firewall-1 Password not
supported" appears. To fix the problem and allow the user to authenticate,
you would
A. Modify the user account details and reset their password.
B. Modify the Authentication tab in the firewall object and enable S/
Key.
C. Modify the Authentication tab in the firewall object and enable
Firewall-1 password.
D. Modify the Authentication tab in the firewall object and enable OS
Password.
E. Change the authentication method for the user to OS Password.
3. After making changes to a users authentication account but no other
changes to the Security Policy what must you do for the user to be able
to use the changes.
A. Run fwstop and fwstart on the firewall Module.
B. Install the User database.
C. Install the Security Policy.
D. Verify and then install the Security Policy.
E. Nothing, changes saved to the database are automatically seen by
the firewall module.
4. In VPN-1/Firewall-1 NG what is the name of the default template for
creating user accounts for general authentication through the firewall.
A. Default
B. Standard User
C. Default User
D. Firewall-1 User
E. External User
5. The username generic* is a special username that can be used for
what.
A. To allow a single account to be used by many users.
B. To set global parameters for client authenticated users.
C. To allow unmatched user names in fwauth.NDB to be mapped to a
common authentication scheme.
D. To enable LDAP interaction with the firewall.
E. Generic* does not exist in NG because NG is more flexible than
previous version and it is not required.
6. Strong authentication for users like SecurID is no longer required by
NG because all communication is done using SIC (Secure Internal
Communications).
A. True
B. False
7 User Authentication
Objectives
When you have completed this module you should be able to
Know the services supported by User Authentication.
Know how to configure the rulebase for telnet User Authentication.
Know how to configure the rulebase for http User Authentication.
Know how to configure the rulebase for ftp User Authentication.
Understand the use of Intersect user database for Source and Destination.
Understand the problem with authentication and using the least restrictive
rule.
7.1 User Authenticated Services
User Authentication
User Authentication is limited to four services:
telnet
http
ftp
rlogin
All of these protocols have an inbuilt authentication process, telnet, ftp,
rlogin all require a username/password before they can be used. For http an
optional username/password can be used to restrict content access.
You can use User Authentication with https but you have to change the
definition of the service and set the browser to proxy off the firewall,
details are listed in the Firewall-1 FAQ.
Check Point have written authentication daemons for each of the User
Authenticated protocols that run on the firewall module and interact with
the data stream to provide a fairly seamless authentication process.
1. The user tries to connect to www.server.com using telnet.
2. The Inspection Engine matches the User Auth rule and hands the
connection to the in.atelnetd daemon.
3. The in.atelnetd injects into the data stream a prompt for a username.
4. The username entered is checked in the fwauth.NDB. If the user exists
then the prompt for the appropriate authentication is made. If the user
does not exist a prompt for a Firewall-1 password is made. The user
enters the authentication password or token which is checked against the
database. At this point the firewall may need to connect to the ACE or
RADIUS server.
[Figure: User Authentication. The PC connects through the firewall's
authentication daemons (in.aftpd, in.ahttpd, in.arlogind, in.atelnetd) to
telnetd on www.server.com; the daemons check fwauth.NDB and, where needed,
the RADIUS or SecurID ACE server. Steps 1 to 5 are numbered in the figure.]
5. If the authentication is correct the in.atelnetd passes the connection
onto the target server. All communications to the server are relayed
through the in.atelnetd. Connections appear to come from the IP
address of the firewall.
The same steps are used for ftp, http, and rlogin.
Stealth Authentication
If a username is supplied, a password prompt is always presented, even if
the user does not exist. In this way a person making login attempts will not
be able to determine if they have a valid username or password. In Check
Point terms this is known as stealth authentication.
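The following is an added example, not code from the book or from Check Point, that shows the property stealth authentication relies on: the prompt and the failure message are the same whether the user name is unknown or the password is wrong, and the unknown-user path does the same amount of work as the wrong-password path. The user database, salt and passwords are constructed for the demo; fwauth.NDB is only referred to by name.

```python
import hashlib
import hmac

# Constructed stand-in for the firewall user database (fwauth.NDB); not real data.
# Passwords are held as salted SHA-256 digests so the demo stores no clear text.
_SALT = b"demo-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode()).digest()


USER_DB = {
    "jenny": _digest("abc123"),
    "bob": _digest("letmein"),
}

# Digest compared when the user name is unknown, so the unknown-user path does
# the same work (and shows the same prompt) as the wrong-password path.
_DUMMY = _digest("no-such-user")

PASSWORD_PROMPT = "password: "
FAILURE_MESSAGE = "Authentication failed"


def stealth_login(username: str, password: str) -> tuple[str, str, bool]:
    """Return (prompt shown, final message, authenticated).

    The prompt and the failure message are identical whether the user name
    is unknown or the password is wrong, so someone probing the prompt
    learns nothing about which user names exist.
    """
    known = username in USER_DB
    stored = USER_DB[username] if known else _DUMMY
    # compare_digest runs in time independent of where the digests differ
    password_ok = hmac.compare_digest(stored, _digest(password))
    authenticated = known and password_ok
    message = (
        f"User {username} authenticated by FireWall-1 authentication"
        if authenticated else FAILURE_MESSAGE
    )
    return PASSWORD_PROMPT, message, authenticated


def responses_match(user_a: str, user_b: str, password: str) -> bool:
    """True when two failed attempts produce the same visible prompt and message."""
    a = stealth_login(user_a, password)
    b = stealth_login(user_b, password)
    return (not a[2]) and (not b[2]) and a[:2] == b[:2]


if __name__ == "__main__":
    print(stealth_login("jenny", "abc123"))
    print(stealth_login("nobody", "abc123"))
    print("indistinguishable:", responses_match("jenny", "nobody", "wrong"))
```

The `known` check is still needed after the digest comparison: without it, anyone typing the dummy password against an unknown name would be let in.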
Rulebase Check
Before starting, you should have rules similar to the following installed and
have created the users and groups in the previous module.
Rule 5 will cause a minor problem with authentication since the example
below will be doing authentication from the internal network to the
external www.server.com.
7.1 Authentication Using Telnet
This is the easiest protocol to use to illustrate the use of User
Authentication. You will need a telnet server running on
www.server.com, or a telnet server you can connect to somewhere on
your network on the other side of the firewall.
Add a User Authentication Rule
Add a rule after rule 3, and change the setting to use authentication for
telnet.
Set the Source
Use the Add User Access menu and select the group and restrict to your
network.
In this case leave the destination at Any, although in the real world this
would normally be a specific target since authentication is most often used
from external networks to internal targets.
Set the Service to telnet
If you authenticate for more than one service with the same group of users
then you can add the services; you do not have to create separate rules for
each authenticated service, providing of course they work with the
Authentication type you are using. Remember User Auth only works with
telnet, ftp, http and rlogin.
Set the Action
Set the Action to User Auth and check the Properties for any settings that
may be required.
In this case leave the settings to the defaults. The Add Encryption can be
used if the user has the VPN client installed on their desktop and you have
configured the gateway to do client encryption. Client encryption is a
CCSE topic.
Install the Security Policy
When you test your Security Policy after installing, it is not going to work
and authenticate you on the User Auth rule as you might expect. Can you
remember why? It was explained in the module Security Policy & Rules
Setup.
Test your authentication rule by trying to telnet to www.server.com. Users
bob and jenny belong to the support group.
Telnet Not being Authenticated
You should have been connected directly to the server without having to
authenticate.
Check Point FireWall-1 authenticated Telnet server running
on fw-f16
Connected to 172.23.3.254
Account Name: student
Password:
Rules are matched in order 1 to n, except when a rule has an action of
Authentication, in which case the first authentication rule is matched
because, until you type in a user name, the Inspection Engine does not know
if this is the rule to use. In fact, if you have a rule elsewhere in the
rulebase that matches the source, destination and services with an action of
Accept, then that rule will be used and no authentication takes place.
If you look at your log file you will see that the telnet connection went
through rule 6, which matches everything in your authentication rule.
Disable the rule that lets your network out with telnet, ftp, http.
Install the Security Policy and try accessing the telnet server again.
[Flowchart: how the first packet of a connection is matched when the
rulebase contains Authentication rules. Reconstructed from the figure as a
decision list.]
First packet of the connection.
Does an Authentication or Resource rule apply?
  No: apply the first non-Authentication rule. Connection allowed?
    Yes: accept the connection. End.
    No: reject the connection. End.
  Yes: do other non-Authentication rules apply?
    No: perform the Authentication rule, pass the connection to the Security
    Server and continue the connection through the Security Server. End.
    Yes: are they all Drop or Reject?
      Yes: perform the Authentication rule, as above.
      No: apply the first non-Authentication rule, then accept or reject the
      connection as above.
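The decision procedure described above, written out as an added example (it is not code from the book or from Check Point, and the Inspection Engine does not work on Python objects). The rulebase is a constructed model of the lab: rule 2 is the stealth rule, rule 4 the User Auth rule added after rule 3, rule 6 the rule that lets the internal network out with telnet, ftp and http, and rule 8 the cleanup rule; the other lab rules are left out and the object names (internal_net, fw-f16) are assumptions.

```python
from dataclasses import dataclass

# Actions that hand the connection to a Security Server rather than deciding it
AUTH_ACTIONS = {"User Auth", "Client Auth", "Session Auth"}


@dataclass
class Rule:
    number: int
    source: frozenset
    destination: frozenset
    service: frozenset
    action: str          # "Accept", "Drop", "Reject" or one of AUTH_ACTIONS
    enabled: bool = True


def _field_matches(allowed: frozenset, value: str) -> bool:
    return "Any" in allowed or value in allowed


def matching_rules(rulebase, src, dst, svc):
    """All enabled rules whose source, destination and service match, in order."""
    return [r for r in rulebase if r.enabled
            and _field_matches(r.source, src)
            and _field_matches(r.destination, dst)
            and _field_matches(r.service, svc)]


def first_packet_decision(rulebase, src, dst, svc):
    """Decide the first packet of a connection the way the flowchart does.

    Returns ("accept", rule), ("reject", rule or None) or ("authenticate", rule).
    """
    matched = matching_rules(rulebase, src, dst, svc)
    auth_rules = [r for r in matched if r.action in AUTH_ACTIONS]
    other_rules = [r for r in matched if r.action not in AUTH_ACTIONS]

    def apply_first_non_auth():
        if not other_rules:
            return ("reject", None)   # nothing matched: implicit drop
        first = other_rules[0]
        verdict = "accept" if first.action == "Accept" else "reject"
        return (verdict, first.number)

    if not auth_rules:
        return apply_first_non_auth()
    # An authentication rule applies: it is performed unless some other matching
    # rule would let the connection through on its own (all([]) is True, so an
    # authentication rule with no competitors is always performed).
    if all(r.action in ("Drop", "Reject") for r in other_rules):
        return ("authenticate", auth_rules[0].number)
    return apply_first_non_auth()


def lab_rulebase(rule6_enabled: bool):
    """Constructed model of the lab rulebase; rule numbers follow the text."""
    any_ = frozenset({"Any"})
    return [
        Rule(2, any_, frozenset({"fw-f16"}), any_, "Drop"),
        Rule(4, frozenset({"internal_net"}), any_, frozenset({"telnet"}), "User Auth"),
        Rule(6, frozenset({"internal_net"}), any_, frozenset({"telnet", "ftp", "http"}),
             "Accept", rule6_enabled),
        Rule(8, any_, any_, any_, "Drop"),
    ]


def lab_telnet_outcome(rule6_enabled: bool):
    """Outcome for telnet from internal_net to www.server.com in the lab rulebase."""
    return first_packet_decision(lab_rulebase(rule6_enabled),
                                 "internal_net", "www.server.com", "telnet")


if __name__ == "__main__":
    print("rule 6 enabled: ", lab_telnet_outcome(True))    # accepted by rule 6, no auth
    print("rule 6 disabled:", lab_telnet_outcome(False))   # authenticated by rule 4
```

With rule 6 enabled the telnet connection is accepted by rule 6 and never reaches in.atelnetd, which is what the log showed; disabling rule 6 leaves only the cleanup rule as a competitor, so rule 4 is performed.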
Telnet being Authenticated
If you get the following error when typing in the username it means you
have not set VPN-1/Firewall-1 as an authentication scheme that can be
used with this gateway.
Check Point FireWall-1 authenticated Telnet server running
on fw-f16
User: jenny
This gateway does not support FireWall-1 Password.
User:
If you have set the Authentication Scheme in Global Properties then you
will be prompted for the Gateway authentication details and then the login
details at the telnet server. In this case user jenny was used and the telnet
server user name is student.
Check Point FireWall-1 authenticated Telnet server running
on fw-f16
User: jenny
password: ******
User jenny authenticated by FireWall-1 authentication
Connected to 172.23.3.254
Account Name: student
Password:
c:\home\student>
The log entry will indicate the user who authenticated and in the info field
which authentication scheme they used.
The problem with letting the user out without authenticating would not
occur for external authentication coming to internal servers since there
would never be another rule that would accept the connection in the first
place. Only the authentication rule would exist for the incoming
connection.
Note that each time you attempt to telnet you are prompted for an
authentication.
7.2 Intersect with User database for Source and Destination
In the Properties of the User Auth action there are settings which allow
interaction with the user database. This applies to User, Client and Session
Authentication.
Every user account has a location field.
The defaults for the properties in an authentication rule are Intersect with
user database. This means that if a user is restricted to a specific target
destination in their account then, even if the rule states Any for the
destination, they would only be allowed to go to the destination in the
account.
If you select Ignore User database, then the settings in the user account
are ignored and whatever is allowed in the rule is used.
You could reduce the number of authentication rules by using this
feature: allow all users to match the rule and set specific locations in the
user accounts.
7.3 Authentication Using http
Change your authentication rule and add http as a service. For this to work
you will also need to change the User Auth Properties.
Add http to the Rule
Modify the User Auth rule to authenticate http connections.
Change the User Properties
Change the User Auth Properties to Allow all servers. You could specify
a list of servers that the user could access, but this only works if you set the
http client to proxy off the firewall.
Install the Security Policy and test http through the firewall.
Setting the server list is done in the Global Properties. This is also where
you would set the message file that is displayed when a user
authenticates.
Note that you will be prompted for an authentication for every different
site you connect to. This is extremely annoying if you connect to sites with
advertising banners.
Remember authentication is really designed for external to internal access;
therefore it is likely you will only be connecting to a single server and only
require a single authentication.
If you need to authenticate users coming from internal networks out to the
Internet there are better ways of doing it than controlling the access at the
Firewall.
You could set the client to proxy off the firewall, and this does reduce the
number of authentications; however, the firewall will not do any caching of
http requests.
7.4 User Authentication Using ftp
Change your authentication rule and add ftp as a service.
Install the Security Policy and try ftp to the server www.server.com.
Account on www.server.com
User: anonymous
Password: anything
Account in firewall authentication database - fwauth.NDB
User: jenny
Password: abc123
The in.aftpd authentication server needs all the information required to
authenticate with both the firewall and the remote ftp server; therefore the
prompts for login and password will require the following.
login:
user_at_remote_ftp_server@user_in_fwauth.NDB@target_host
Passwd:
Passwd_for_remote_ftp_server@Passwd_for_fwauth.NDB
The in.aftpd strips off the details up to the @ and uses the right side for
the firewall authentication and the remainder for the ftp server
authentication.
Users find this awkward, although once done a couple of times it is in fact
quite simple.
Using the account information above you would need:
Login: jenny@anonymous@www.server.com
Password: abc123@anything
Note that you would not be able to use a web browser to do ftp authentication
through Firewall-1, since the browser uses the @ symbol for its own
purposes and the authentication string would cause a problem.
To ftp from a browser to an account bob with password abc123 at site
193.128.73.254 you would use:
ftp://bob:abc123@193.128.73.254
The browser parses the URL and will never present the correctly formatted
information to the firewall.
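An added example, not code from the book or from Check Point, that splits the compound ftp login and password strings the way the text describes, and shows what a browser extracts from an ftp:// URL. It follows the template given above (remote ftp user, then fwauth.NDB user, then target host; remote password, then firewall password, separated at the first @). The book's worked example on this page lists the two user names in the opposite order to its template, so treat the field order here as an assumption and swap the two names if the documentation you work from says otherwise. Sample values are the ones from the text.

```python
from urllib.parse import urlsplit


def split_aftpd_login(login: str) -> dict:
    """Split remote_user@fw_user@target_host into its three components.

    Assumed layout (the template from the text). Exactly two '@' separators
    are expected; anything else is rejected rather than guessed at.
    """
    if login.count("@") != 2:
        raise ValueError("expected remote_user@fw_user@target_host")
    remote_user, fw_user, host = login.split("@")
    if not (remote_user and fw_user and host):
        raise ValueError("empty component in compound login")
    return {"remote_user": remote_user, "fw_user": fw_user, "target_host": host}


def split_aftpd_password(passwd: str) -> dict:
    """Split remote_password@firewall_password.

    Assumed: only the first '@' is a separator (the text says the part up to
    the @ is stripped off), so the firewall password may itself contain '@'.
    """
    remote_pw, sep, fw_pw = passwd.partition("@")
    if not sep or not remote_pw or not fw_pw:
        raise ValueError("expected remote_password@firewall_password")
    return {"remote_password": remote_pw, "fw_password": fw_pw}


def is_valid_login(login: str) -> bool:
    """Convenience check used for validation without exceptions."""
    try:
        split_aftpd_login(login)
        return True
    except ValueError:
        return False


def browser_ftp_credentials(url: str) -> dict:
    """What a browser extracts from an ftp:// URL: one user, one password, one host.

    There is no slot for the second (firewall) credential pair, which is why
    the text says browser ftp cannot be used with User Authentication.
    """
    parts = urlsplit(url)
    return {"user": parts.username, "password": parts.password, "host": parts.hostname}


if __name__ == "__main__":
    print(split_aftpd_login("anonymous@jenny@www.server.com"))
    print(split_aftpd_password("anything@abc123"))
    print(browser_ftp_credentials("ftp://bob:abc123@193.128.73.254"))
```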
7.5 User Authentication - Review Questions
1. User Authentication will provide a seamless transparent authentication
method for which protocols?
A. ftp, http, telnet
B. ftp, http, pop3
C. pop3, http, rlogin
D. http, telnet, nntp
E. all of the above options are correct for NG
2. The User Authentication Session timeouts for ftp, rlogin and telnet in
the Policy properties authentication tab apply to what?
A. How long any session is authenticated for.
B. How many minutes the user can hold a single session open.
C. How long before the next auto refresh of the Security Policy.
D. How long the IP address will stay authenticated after the user has
finished his/her session.
E. How many minutes of inactivity is allowed before the session is
timed out.
3. Stealth authentication means:
A. That users are transparently authenticated using the Security
servers.
B. That users will never see their login and password details displayed
on the screen.
C. That attempts to guess user names or passwords will result in no
feedback for incorrect values.
D. That the stealth rule will match all authentication methods and
select the most appropriate for ease of authenticating the user.
E. That all authentication is encrypted and username and passwords
cannot be snooped.
4. Given the following rulebase and user account details, will the user be
able to connect to the ftp server nero? User jim belongs to the ftp_users
group.
A. Yes
B. No
5. User authentication and authentication of ftp sessions are a simple
transparent process and users will have no problems using ftp with user
authentication.
A. True
B. False
6. The ftp and http authentication daemons are used for authentication and
Content Security.
A. True
B. False
7. All users in the internal network are allowed out to the Internet
providing they authenticate. The firewall administrator has set up the
following rules; which rule will let the user out for http connections?
A. They will be authenticated by rule 4 but go out through rule 7.
B. They will be authenticated and go out on rule 4.
C. They will not be authenticated and go out on rule 7.
D. The Security Policy will not compile and will complain of
conflicting rules 4 and 7.
E. They will be dropped by rule 8.
8. Management want all users that download by ftp to be controlled and
audited by authentication. This is a change to the current policy; in the
past everyone in the company was allowed ftp access.
The firewall administrator has created a user group called ftp_users and
added all users that are allowed to use ftp to this group. All outgoing
connections use hide NAT. After adding the authentication rule to the
rulebase the installed rules now look like the following:
Once the Security Policy is installed, will this implement management's
objective of controlling only authorised ftp users?
A. Yes
B. No
8
Session Authentication
Objectives
When you have completed this module you should be able to
Install the Session Agent.
Understand the difference between Every Request and Once per Session.
Use Session Authentication for authenticating ftp.
Understand the limitations of Session Authentication.
Know the port number used by the Session Agent.
Know the interaction between the firewall and the agent.
Session Authentication
182
8.1 Session Authentication
Session Authentication requires a Session Agent to be installed on the
user's PC, or one can be centrally configured on the network. Session
authentication will work with all services and authenticates on a per
session basis.
1. The user tries to make a connection to the remote server; the firewall
matches the Session Auth rule and puts the packet on hold.
2. The Inspection Engine informs the in.asessiond that it needs to
negotiate the session authentication.
3. The in.asessiond makes a connection to port 261 on the user
workstation IP address; the agent pops up a dialog box for the user to
enter the user name and authentication token.
4. The in.asessiond checks with the database for the details of the user
name and correct authentication token.
5. The in.asessiond informs the Inspection Engine the authentication is
valid and lets the packet continue to the server.
[Figure: Session Authentication. The PC runs the Session Agent (port 261);
in.asessiond on the firewall connects to it, checks fwauth.NDB and, where
needed, the RADIUS or SecurID ACE server, then releases the connection to
telnetd on www.server.com. Steps 1 to 5 are numbered in the figure.]
8.2 Install the Session Agent
The session agent is on the Check Point CD and can be installed through
the Auto Play and high level setup by selecting Mobile/Desktop
Components or by going into the windows directory on the CD and directly
running the Session Agent setup program.
If you insert the CD the AutoPlay should start the installation program,
alternatively exit this and go directly to the Session Agent directory.
Select the Desktop component you want to install.
Session Authentication
184
Select the Session Agent directory and run the setup program.
The Agent will be installed and appear as an icon on your toolbar.
Use the default directory
You do not have to reboot after installing the agent.
On the toolbar you should now have an icon for the Session Agent, which
allows configuration of the agent.
You now have an application running that listens on port 261 (FW1_snauth);
this may be important if you are behind a filtering router, since the firewall
may not be able to connect to port 261. This is not an issue if using the
classroom/test environment, but will be in the real world.
For the time being you will not make any changes to the agent but if you
want to have a look at the options for configuration select the agent.
The defaults force authentication for every request, list no IP addresses
to limit where the authentication request can originate, allow clear text
passwords, and do reverse DNS lookups on addresses connecting to the
agent.
Resolve addresses can make the Session Agent responses slow; if this
happens, turn it off.
8.3 Session Authentication Using ftp
Since the average user will not like User Authentication using ftp it might
be more appropriate to do it using Session Authentication.
Session Authentication Rule
Modify the User Authentication rule to remove ftp as a service and add a
rule to do Session Authentication.
It does not matter if it comes before or after the User Authentication rule.
Session Authentication Properties
Check the Session Authentication properties. These are going to stay as the
defaults; you only need to change them if you have a central server that is
used for all Session authentications.
Install and Test Session Authentication
Install the Security Policy and test ftp through the firewall.
You should get a prompt to add the IP address of the firewall to the list of
known IP addresses.
This is done because there is nothing to stop someone from writing a client
that tries to connect to port 261 and get a user to hand out their user name
and password. If the IP address is already in the list this dialog box will not
appear.
The user should enter their user name and password, once the user name is
known the appropriate prompt for the type of password is made.
If a user types the wrong user name they will still be prompted for a
password, but they will then not know which bit they got wrong. This is
Stealth Authentication.
Log Entry for Session auth
The log entry for user jenny doing a Session Auth should look like
Agent Settings - Once per session
If you change the Session Agent setting to authenticate once per session
then the Session Authentication rule could be used with http. Since http
makes a large number of connections to download a single page, leaving it
at every request would require repeated authentications.
Try it with the existing ftp rule; you will be able to make multiple ftp
sessions with a single authentication. You do not need to install the
Security Policy, since this configuration is done at the Session Agent.
When will the session timeout and need another authentication?
Once authenticated the user will not need to authenticate again until the
Session Agent is stopped and restarted. Once per session applies to the
agent not the protocol being used.
8.4 Session Authentication - Review Questions
1. For Session Authentication to work it always requires the user's host to
have a special agent installed on their machine.
A. True
B. False
2. The Session Agent can be set to authenticate on a per session basis.
What effect will this have on the client if the client is an http browser?
A. The user will be authenticated for every different site they go to.
B. The user will be authenticated once and be allowed to go to other
sites without being asked for authentication.
C. The user will get a session agent dialog popup for every connection
the browser makes, to download text and gifs.
D. The user will not be able to use the browser because the Session
Agent will prevent it from working.
E. The user will have to restart the browser every time they want to go
to a different site.
9
Client Authentication
Objectives
When you have completed this module you should be able to
Configure rules to use client Authentication.
Know the port numbers used to complete Manual Client Authentication.
Know the risks associated with Client Authentication.
Know the operation of the different Sign On Methods.
Client Authentication
192
9.1 Client Authentication
Client authentication works with any protocol; however, it authenticates the
IP address the user initiated the connection from, for a specific time period
and/or a specific number of sessions. To use client authentication you only
require a telnet client or a web browser, which are usually available.
Client authentication requires the user to go through an authentication
process by connecting to the in.aclientd (port 259) or in.ahclientd
(port 900) and identifying themselves before being allowed through the
firewall.
Once authenticated the user can use the service(s) listed in the Client
Authentication rule.
1. The user makes a connection to in.aclientd (port 259) or
in.ahclientd (port 900) and goes through the authentication process
entering the user name and authentication token.
2. The in.aclientd checks the username/password details.
3. The client authentication daemon sets a flag in the Inspection Engine
that a valid authentication from the IP address has been made.
4. The user can now use any of the services in the Client Auth rule for the
specified time or number of sessions.
5. When the user has finished they may have to unauthenticate by
connecting back to the in.aclientd or in.ahclientd.
[Figure: Client Authentication. The PC connects to in.aclientd or
in.ahclientd on the firewall (step 1); the daemon checks fwauth.NDB and,
where needed, the RADIUS or SecurID ACE server (step 2) and sets the flag in
the Inspection Engine (step 3); the PC then uses telnetd on www.server.com
directly (step 4).]
9.2 Client Authentication Using ftp
Modify your Session Authentication rule so that the action is Client Auth.
If you were to just install this rulebase as it is then client authentication
would fail. For client authentication to work you must be able to connect to
the firewall on port 259 or port 900.
In the rulebase shown above, rule 2, the stealth rule, would drop all
connections going to the firewall.
You have two choices. One is the simple way out, which is to position the
Client Authentication rule before the stealth rule.
If you have a client authentication rule then you will be allowed to connect
to port 259 or port 900; if there is no client authentication rule the firewall
ignores connections to 259 and 900.
If you position the client authentication rule above the stealth rule then
connections to port 259 and 900 are implicitly allowed. This is not part of
the implied rules.
If you position the client authentication rule below the stealth rule, as in the
rules above, then you must explicitly add a rule to allow the connection to
the firewall for whichever method you are using. It may be that you only do
this through port 900, the web front end. You could of course move the
in.aclientd and in.ahclientd to other port numbers.
If you remove the client authentication rule you should also remove the
rules that allowed access to the firewall on client authentication related
ports.
Add a client Auth Access rule
Add a rule above the stealth rule that allows access to port 259 and port 900
on the firewall to complete client authentication. In this case the source will
be Any, but in the real world you may be able to limit this to a specific
network or group of networks.
Even if you move the client Authentication rule above the stealth rule
anyone can connect to port 259 or port 900 to attempt a client
authentication.
Remember to comment the rule, this rule should only exist if the Client
Authentication rule exists. If you disable the Client Auth rule you should
disable this rule.
Install and test your Security Policy.
Using telnet on port 259
Use a telnet client to connect to port 259.
You will be prompted for the authentication and Sign On method.
In this case select Standard Sign-on; this is the default method and will
authenticate your IP address with the Inspection Engine. The Sign-off
would be used to remove authentication for your IP address from the
Inspection Engine if you had not already used your number of sessions or
time period.
Check Point FireWall-1 Client Authentication Server running on fw-f16
User: jenny
password: ******
User jenny authenticated by FireWall-1 authentication
Choose:
(1) Standard Sign-on
(2) Sign-off
(3) Specific Sign-on
Enter your choice: 1
User authorized for standard services (1 rules)
The telnet connection is disconnected and you will now be able to use the
services listed in the rule.
Question: can the telnet connection stay connected and not immediately be
disconnected?
Yes; in the firewall gateway object under the Authentication tab, enable the
wait mode.
Try using ftp, you should be able to do 5 ftp sessions and then be blocked
until you do a client authentication again.
Log entries for telnet client Auth
If you check your log file you should see the connection to the firewall and
the client authorize and then the ftp sessions.
Using http on port 900
Try using a web browser to complete the Client Authentication.
Try the ftp sessions again just to make sure you can only do 5 sessions.
Log entries for http Client Auth
The log file should show the connection to port 900 and the successful ftp
sessions.
9.3 Controlling the number of sessions or time period
The number of sessions is controlled by the Properties in the Client
Auth rule. The defaults are 5 sessions or 30 minutes.
With the default settings you can have 5 sessions within 30 minutes. If one
session exceeds the 30 minutes it will not be stopped but you cannot start
new sessions until you authenticate again.
Risks with Client Authentication
Client authentication only authenticates the IP address that the connection
to port 259 or port 900 came from. If the user is on the Internet and goes
through a NAT gateway, the user may not know this, and the firewall would
only see the NAT gateway address and authenticate it. If you allow more
than one session you are effectively authenticating every host behind the
NAT gateway and not just the authorized user.
Only ever allow one session unless the connection comes from internal
trusted networks, in which case you may configure unlimited sessions for a
2 hour time period, and users would only have to authenticate every 2 hours.
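The session and time limits of 9.3 and the NAT risk just described, as an added example that is not code from the book or from Check Point: a small model of the per-IP authorisation that the client authentication daemons record, keyed only by source address. The addresses (10.1.1.5, 203.0.113.7, 192.168.0.10 and .11) and the user name are constructed; the defaults of 5 sessions and 30 minutes are the ones the text gives.

```python
from dataclasses import dataclass


@dataclass
class Authorisation:
    user: str
    signed_on_at: float      # seconds, on an arbitrary clock
    max_sessions: int
    period_seconds: float
    sessions_used: int = 0


class ClientAuthTable:
    """Models the per-IP authorisation recorded after a client sign-on.

    Only the source IP address is recorded: the firewall has no way of telling
    which host behind a NAT gateway starts a later session.
    """

    def __init__(self, max_sessions: int = 5, period_minutes: float = 30):
        self.max_sessions = max_sessions
        self.period_seconds = period_minutes * 60
        self._table: dict[str, Authorisation] = {}

    def sign_on(self, source_ip: str, user: str, now: float) -> None:
        self._table[source_ip] = Authorisation(
            user, now, self.max_sessions, self.period_seconds)

    def sign_off(self, source_ip: str) -> None:
        self._table.pop(source_ip, None)

    def new_session(self, source_ip: str, now: float) -> bool:
        """Allow a new session only inside the period and the session count.

        Sessions already running are not cut off when the period ends; only
        new ones are refused, so the check is made at session start.
        """
        auth = self._table.get(source_ip)
        if auth is None:
            return False
        if now - auth.signed_on_at > auth.period_seconds:
            self.sign_off(source_ip)      # period over: a fresh sign-on is needed
            return False
        if auth.sessions_used >= auth.max_sessions:
            return False
        auth.sessions_used += 1
        return True


# Constructed addresses for the NAT scenario (documentation/private ranges)
NAT_GATEWAY = "203.0.113.7"
HOSTS_BEHIND_NAT = {"192.168.0.10": NAT_GATEWAY, "192.168.0.11": NAT_GATEWAY}


def nat_scenario(max_sessions: int) -> tuple[bool, bool]:
    """jenny signs on from 192.168.0.10 through a hide NAT gateway; afterwards
    192.168.0.10 and then 192.168.0.11 each start one session. Returns whether
    each of those sessions was allowed."""
    table = ClientAuthTable(max_sessions=max_sessions)
    table.sign_on(HOSTS_BEHIND_NAT["192.168.0.10"], "jenny", now=0)
    first = table.new_session(HOSTS_BEHIND_NAT["192.168.0.10"], now=10)
    other = table.new_session(HOSTS_BEHIND_NAT["192.168.0.11"], now=20)
    return first, other


def default_limits_scenario() -> tuple[int, bool, bool]:
    """Defaults (5 sessions / 30 minutes) from a single trusted host 10.1.1.5:
    how many of six sessions are allowed, whether a session at minute 29 is
    allowed after a fresh sign-on, and whether one at minute 31 is."""
    table = ClientAuthTable()
    table.sign_on("10.1.1.5", "jenny", now=0)
    allowed = sum(table.new_session("10.1.1.5", now=60 * i) for i in range(6))
    table.sign_on("10.1.1.5", "jenny", now=0)
    inside = table.new_session("10.1.1.5", now=29 * 60)
    expired = table.new_session("10.1.1.5", now=31 * 60)
    return allowed, inside, expired


if __name__ == "__main__":
    print("defaults:", default_limits_scenario())       # (5, True, False)
    print("behind NAT, 5 sessions:", nat_scenario(5))   # (True, True): second host rides along
    print("behind NAT, 1 session: ", nat_scenario(1))   # (True, False)
```

With the default five sessions, the second host behind the gateway is allowed through on jenny's sign-on; with the limit set to one session, as the text advises for untrusted networks, only the first session after sign-on succeeds.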
9.4 Sign On Required
This can be either Standard or Specific. For Standard Sign On, any of the
services listed in the client authentication rule can be used once an
authentication has occurred. For Specific Sign On, you will have a list of
services in the rule; however, when the user authenticates they must select
the service they want to use for this authentication. Specific Sign On is not
very user friendly, since users must know in advance which service they
want to use, and most users have no clue about the service details, only that
they need to run a specific application.
9.5 Sign On Methods
Client authentication has different Sign On methods. The default, which was
used above, is Manual Sign On; this requires an explicit connection to port
259 or port 900 on the firewall.
In early versions of Check Point Firewall-1 there was something called
implicit client authentication. This could be used to make an authentication
appear like a User Authentication, simple and non-intrusive, but it client
authenticated the user for a number of sessions or a time period. This was
replaced by the sign-on methods.
Manual Sign On
The Manual Sign On method requires a user to telnet or http to the
firewall before attempting to use the service in the rule. This is not
transparent from a user point of view.
Partially Automatic
Partially Automatic Sign On provides Transparent Client
Authentication for authenticated services. A user working with one of
these protocols can directly request access to the target host.
The user is then prompted and signed on through the User Authentication
mechanism. This is only available for User Authenticated services, telnet,
ftp, http, rlogin.
Fully Automatic
Fully Automatic Sign On provides Transparent Client Authentication
for all services. A user working with one of these protocols can directly
request access to the target host. Users of User Authenticated services
(http, telnet, rlogin, and ftp) will be signed on through the User
Authentication mechanism, while users working with all other protocols
are signed on using the Session Authentication Agent.
The Session Agent must be available on the user's PC and the firewall must
be able to connect to port 261 on the user's PC.
If you know the user has a Session Agent installed then Fully Automatic
can be used. However, if it is not installed, non User Authenticated
protocols will fail. If you use Partially Automatic the user would be able to
manually connect to the firewall using telnet or http to do the
authentication.
Agent Automatic Sign On
Agent Automatic Sign On provides Transparent Client Authentication
for all services. Users are signed on through the Session Authentication
Agent.
The Agent must be installed on the user's PC and the firewall must be able to
connect to port 261 on the user's PC.
Single Sign On
Single Sign On is enabled through integration with Meta IP. This is Check
Point's address management product, which provides transparent network
access. Meta IP requires a separate license.
9.6 Client Authentication - Review Questions
1. Client Authentication Rules should be placed before the stealth rule if
you only want to have one rule to control Client Authentication.
A. True
B. False
2. Client Authentication authenticates the user each time they try to
use a client authenticated service.
A. True
B. False
3. Client Authentication with the properties set to Sign-on method Manual
means that the user:
A. Must explicitly connect to the firewall to authenticate.
B. Will be transparently authenticated if the service is http.
C. Will be transparently authenticated if the service is telnet or rlogin.
D. Will be session authenticated if they have a session agent installed
on their host.
E. Will be session authenticated or user authenticated depending on
the type of service.
4. Client Authentication with the properties set to Sign-on method Fully
Automatic means that the user:
A. Will have to telnet to the firewall and authenticate, then be allowed
access to the service.
B. If the service matches a rule and the service is an authenticated
service the user will be authenticated after successful user
authentication.
C. If the service matches a rule then the user is signed on after a
session authentication and if the service is an authenticated service
will be authenticated after a successful user authentication.
D. Fully Automatic is a 4.1 feature and only exists in NG for
compatibility.
E. Will be prompted to select a radius server from the available
servers.
5. Client Authentication with the properties set to Sign-on method
Partially Automatic means that the user:
A. Will have to telnet to the firewall and authenticate, then be allowed
access to the service.
B. If the service matches a rule and the service is an authenticated
service the user will be authenticated after successful user
authentication.
C. If the service matches a rule then the user is signed on after a
session authentication.
D. Partially Automatic is a 4.1 feature and only exists in NG for
compatibility.
E. Will be prompted to select a radius server from the available
servers.
6. Client Authentication with the properties set to Sign-on method SSO
means that the user:
A. Will be looked up in the UAM to see if they have an IP address and
username registered.
B. If the service matches a rule and the service is an authenticated
service the user will be authenticated after successful user
authentication.
C. If the service matches a rule then the user is signed on after a
session authentication.
D. Partially Automatic is a 4.1 feature and only exists in NG for
compatibility.
E. Will be prompted to select a radius server from the available
servers.
7. When using Client Authentication, one of the two default port numbers
used to connect to for authentication of the username and password is:
A. 264
B. 261
C. 900
D. 256
E. none of the above
8. You have a split Firewall/Management Server configuration. For
security reasons you have decided to change the standard port numbers
used for client authentication. Which file do you need to edit?
A. fwauthd.conf on the Firewall module.
B. fwauthd.conf on the Management module.
C. fwuserd.conf on the Firewall module.
D. fwuserd.conf on the Management module
E. The default port numbers cannot be changed; they are well-known
ports listed at www.iana.org/assignments/port-numbers, previously
known as RFC1700.
9. Client Authentication allows the number of sessions to be set; the
default is 5 sessions and 30 minutes. If you authenticate using client
authentication from an untrusted network and the number of sessions is
set to one, is there a lower risk of compromise than if the sessions were
left at 5?
A. Yes
B. No
10. Which rule in the rule base will block Client Authentication if you have
unchecked Accept VPN-1/Firewall Control connections in the Policy
properties tab?
A. 5
B. 2
C. 3
D. 4
E. Client Authentication will always be allowed to work providing a
rule with action Client Auth is in the rulebase.
9.7 Authentication - General Review Questions
1. SecuRemote allows client-to-firewall VPNs to be configured. Since all
communication is now encrypted, this means that authentication is no
longer required.
A. True
B. False
2. Client and Session Authentication are not limited by the type of service
they can authenticate.
A. True
B. False
3. Management have decided that all users will authenticate before going
out to the Internet. Users are only allowed one outgoing service and you
use Dynamic NAT on the Firewall. All users can use http once they
have authenticated, you do not want the users' browsers to be set to proxy
off the firewall, and you only want users to authenticate no more than
twice a day. Which authentication scheme would you consider most
appropriate to implement given the above?
A. Session Authentication
B. User Authentication
C. Dynamic Authentication
D. S/Key One Time Password
E. Client Authentication
4. You have a user who is on contract to a customer and will be working
from their site using a portable PC for the next 4 months. The user will
need access to restricted information at your site, which is located on an
internal server. Access is required on port numbers 1510, 1520 and
1521; all connections will be incoming from the client. The customer
has their own firewall and router with ACLs installed. All their clients
except their servers are hidden using hide NAT, but they have agreed to
add a rule to their firewall to allow the user outgoing access to ports
1510, 1520 and 1521 back to their home site.
Why would Session Authentication not be appropriate in this case?
1. Because the user will have to authenticate multiple times.
2. Because there is no rule on the customer firewall to allow incoming
session authentication requests communicating to an agent.
3. Because the portable PC is hidden behind a NAT gateway and no
incoming connections can be initiated to it.
4. The perimeter router has ACLs installed and ports less than 1024
are blocked.
A. 1
B. 1, 2, 3, 4
C. 2, 3
D. 2, 3, 4
E. 4
5. Given the following rulebase and user account details, will the user be
able to connect to the http server Zeus? Assume the user belongs to one
of the groups used in the rulebase.
A. Yes
B. No
6. Management want to enforce a policy that all users must be
authenticated from internal to external networks for all services. The
firewall administrator needs to control groups of users. However, users
are continually complaining about password authentication for every
service they need to use and say it is interfering with their work. To
ease user complaints but satisfy Management, which of the following
would you choose to implement?
A. User Authentication.
B. Client Authentication with web front end authentication.
C. Session Authentication.
D. Client Authentication with telnet front end.
E. User and Session Authentication.
7. A rule in your rulebase with an Action of Authentication (User, Client
or Session) will in all cases prove that only valid users will be able to
pass through the firewall.
A. True
B. False
8. A rule in your Security Policy with an Action of Authentication (User,
Client or Session) will in all cases only allow authenticated users to
pass through the firewall.
A. True
B. False
10 Network Address Translation
Objectives
When you have completed this module you should be able to:
Understand the reasons behind using NAT.
Know the RFC1918 NAT Addresses.
Understand the potential problems of using NAT.
Configure Hide/Dynamic Mode NAT - using Automatic configuration.
Know the purpose of hide address 0.0.0.0.
Configure Hide/Dynamic Mode NAT - using Manual configuration.
Configure Static NAT - using Automatic configuration.
Configure Static NAT - using Manual Configuration.
Understand the advantages of using Manual configuration.
Know the difference between client side and server side NAT.
Know when to configure ARPs for NAT.
Know how and when to use the local.arp configuration file.
Know how to check the state table for arp entries.
Know when NAT firewall routes are required.
Network Address Translation
208
10.1 Network Address Translation (NAT)
Reason behind NAT
Most companies only require a small number of addresses that need to be
visible to the Internet; some sites only have one. Network Address
Translation may not be a limiting factor on having a presence on the
Internet, however it may cause some problems.
An Internet Service Provider (ISP) will provide you with Internet address
space. At one time the addresses allocated belonged to you and could be
moved between ISPs. With the number of sites joining the Internet and the
complexity of the routing tables increasing, the addresses allocated to you
now belong to the ISP, and if you change providers then you usually need to
change perimeter addresses.
NAT is not much, if any, of a security feature; it was introduced as a
convenience to work around the shortage of address space.
RFC 1918 Addresses
RFC 1918 lists a group of IP addresses that will never be allocated to a
customer of an ISP; they can safely be used for internal networks.
This specifically solved the problem of having a shortage of address space.
The RFC1918 addresses are:
Class A: 10.0.0.0 to 10.255.255.255
Class B: 172.16.0.0 to 172.31.255.255
Class C: 192.168.0.0 to 192.168.255.255
The use of these addresses for internal networks satisfies most situations,
however, you will still need to co-ordinate within your organisation which
addresses are allocated to which site or country.
Problems with NAT
Network address translation can cause some services not to work and
usually breaks VPNs. Two sites that want to VPN cannot have the same
address space at either end; it must be unique. Some services embed the
port or address in the data part of a packet for reverse connections, and
unless the NAT gateway understands the protocol it will not be able to
handle the service correctly.
Check Point VPN-1/Firewall-1 supports two forms of NAT:
Hide mode (also known as Dynamic NAT)
Static NAT
Rulebase Check
Before you start the next section remove any authentication rules and put
back the rule that lets your internal network have ftp, http and telnet access.
If you leave authentication on then you will not see NAT in action, as the
user authentication servers always rewrite the connection as if it came from
the firewall.
Your rules should look similar to the following.
Network address Translation rules can either be automatically created or
manually created. Manually creating the rules provides more flexibility.
10.2 Hide Mode NAT or Dynamic NAT - Automatic
Hide mode NAT is used to hide many hosts behind a single address, usually
the firewall address but it can be any address in your valid Internet address
space.
This is a many-to-one configuration: many hosts are mapped to a single
address, usually for all clients in a network.
The firewall administrator must configure the address to map all hosts to.
Configuring Hide Mode NAT
Given the following network configuration, the steps needed to configure
NAT are listed below. Follow the steps and configure NAT.
[Diagram: firewall FW between the external network 172.23.3.0/24 and the
internal network 10.3.3.0/24, with hosts .1 and .254 on each network]
Choose a HIDE address
You can choose any address in your external perimeter network that is not
currently being used. VPN-1/Firewall-1 treats the address 0.0.0.0 as a
special case for NAT; this is the address that is going to be used in this
example.
The 0.0.0.0 address is used for Hide NAT only and the NAT component
will take this to mean use the address on the firewall of whichever interface
the packet leaves.
Edit NAT in the Network object
Edit your internal network object.
Select the NAT tab and select Add automatic Address Translation Rules.
The default method is Hide and to use address 0.0.0.0. If you have multiple
firewalls then you can select the specific gateway that these NAT rules will
apply to, HA configurations may require this.
Select OK to create the NAT rules.
View the NAT rules
Change your policy editor view to the NAT tab; two rules should have been
added.
Notice that a rule (rule 1) has been added to ensure that connections from
the internal network to the internal network are not natted. If you do not
have this and are in a split Management/Firewall configuration then you
will break the Management/Firewall communications. You will get to
install the policy once and then it breaks, no policy installs until you fix it.
When manually creating NAT rules this rule is often forgotten and you
break communications until you unload the Security Policy and install a
corrected version.
You cannot edit any of the elements in an automatically generated NAT
rule. If you want to limit the service allowed then you would have to create
manual rules.
Automatic NAT rules are edited in the network object they relate to.
Install your policy and test NAT works by doing a telnet session to
www.server.com.
Use the netstat command to display the network connection details to see
that your internal IP address is not listed. In this case it should be the
external IP address of your firewall.
On Windows use: netstat -n -p tcp
On Linux use: netstat -tn
The output will be similar to the following
TCP 172.23.3.254:23 172.23.3.1:10001 ESTABLISHED
Since you are hiding behind 0.0.0.0, if you had a connection going to a
DMZ network then the address hidden behind would be the DMZ firewall
interface. Whichever firewall interface you exited that will be the hiding
address.
NAT Log Entries
The log entry should show the XlateSRC to be your firewall.
10.3 Hide Mode NAT or Dynamic NAT - Manual
Remove the automatic NAT for your network object. Edit your internal
network object and untick Automatic Address Translation, the rules in the
NAT tab will be removed.
In this example you will hide behind your external firewall address.
Add the following NAT rules, you must be in the Policy Editor viewing the
NAT tab.
You will require the following two rules; they are basically the same as
the automatically generated rules. Note that you can change any of the rule
elements, which can be useful and which you cannot do with automatically
generated rules.
Make sure you set the translated source to Hide Mode.
Install the Security Policy and test NAT using the telnet client again.
When doing a simple NAT of a whole network there is no advantage in using
Manual rules; automatic NAT is more appropriate. A rule in the main
Security Policy must be matched before the NAT rule will take effect, so
although the automatic rules do not allow you to specify a service, you do
not normally need to when using hide NAT.
If you have to NAT the Source and Destination of a packet then you will
need to use manual rules.
If you had an http server in your DMZ listening on port 8080 and you
wanted internal users to always think they are connecting to port 80, you
could do this through a manual rule mapping the source/destination and
service from port 80 to port 8080. You could then run another server on
port 80 for external users.
The manual NAT rule would look like the following.
This is internal network (net-10.3.3.0) to the DMZ network (192.168.22.0);
do not change the source or destination IP addresses. For the service,
change http to http8080. In NG there is no pre-defined http8080; you would
need to create a service on the appropriate port.
10.4 Static NAT for Servers - Automatic
Static NAT is a one-to-one mapping: a single IP address is mapped onto
another single IP address. It is usually used for servers.
For example you could have an internal server with address 10.1.1.1 and
map its address to 193.129.1.2. Every time a packet left the gateway it
would appear to be 193.129.1.2 and every time a packet arrived at the
gateway for 193.129.1.2 it would be mapped to 10.1.1.1.
The firewall administrator must specify the addresses to be mapped.
Since we only have one server on the internal network you cannot have the
hide rules and static rules in place at the same time. Well, that's not
strictly true, since if you automatically generate the rules the static
rules will be added before the hide rules and the rules are executed in
order.
Remove any NAT rules that you have in your Security Policy. The last
rules added were manually added so you will have to explicitly delete the
rules.
Choose an External NAT Address
This is a one-to-one mapping, so you will need an address that is a valid
external network address. In the classroom/test environment use one of the
following.
Site   Firewall      External Address
1      172.21.1.1    172.21.1.111
2      172.12.2.1    172.22.2.112
3      172.23.3.1    172.23.3.113
4      172.24.4.1    172.24.4.114
5      172.25.5.1    172.25.5.115
6      172.26.6.1    172.26.6.116
For site 3 the external address to use would be 172.23.3.113.
The Problem with Static NAT
Hide mode NAT is fairly simple to configure since it will nearly always be
configured using the 0.0.0.0 hiding address. Static NAT is a little different
and care needs to be taken with each step when you configure Static NAT,
otherwise you may spend a considerable amount of time tracking down the
problem.
The diagram below explains why Static NAT is a little more difficult to
configure.
1. The smtp server 193.128.73.1 needs to deliver mail to the Company
smtp server, which has address 10.3.3.1. The problem is that this is not
an address you can route to over the Internet.
2. The Company decides to use 172.23.3.100 as the address to advertise in
MX DNS records for mail delivery and configures NAT on the Firewall.
3. The smtp server 193.128.73.1 has some email for the Company; it looks
up the MX records, gets the address 172.23.3.100 and tries to make
the connection. The packets are routed to the perimeter router.
4. Now you have some options here. If you do nothing on the router then
the router will issue an ARP broadcast looking for the MAC address of
172.23.3.100. This address is not tied to any network card, it is only
used for NAT, therefore nothing will respond and the packet dies here. If
you configure a static ARP on the router using the MAC address of
the external interface of the firewall, the ARP broadcast is not
done and the packet is delivered directly to the firewall. Alternatively
you could use a static route and force the packet to be routed to the
firewall. The ARP is the better configuration. If you cannot use
static ARPs on the router because it does not belong to you (it is probably
the ISP's), then you need to get the Firewall to publish a response to the
ARP request, or you can use another box on the network, if you have one,
to do it. Unix can do this, NT cannot, which is why Check Point created
the local.arp file.
[Diagram: the ISP's smtp server 193.128.73.1 sends to the ISP router, which
needs static routes or static ARPs; the router passes the packet to the FW
external interface on 172.23.3.0/24, where the NAT address 172.23.3.100 is
answered by static published ARPs or the local.arp file; a host route on the
firewall carries the packet to the internal smtp server 10.3.3.1 on
10.3.3.0/24 (classroom/test network)]
5. Once the ARP response has been solved the router can send the packet
to the Firewall. However, because of when NAT is done (in pre-NG versions
always server side), the firewall receives a packet with a destination
address of 172.23.3.100, and of course the TCP stack knows which
interface the network 172.23.3.0/24 lives on, so if you do nothing it
tries to ARP for the MAC address and does not get anywhere. The
packet dies here.
6. If you add a host route on the Firewall you can push the packet towards
the internal interface of the Firewall and NAT is done as the packet is
leaving the Firewall. If NAT was done as the packet came into the
firewall the TCP stack would see the destination as 10.3.3.1 and the host
route would not be required, this is Client side NAT and was added in
NG.
7. Because of the order in which the Inspection engine does anti-spoofing
checks and NAT, you need to add any external NAT address used to the
valid addresses of the internal interface, unless you are using client side
NAT; otherwise the Firewall sees the packet as a spoofed packet.
8. If you have configured the NAT rule mapping then 172.23.3.100 should
leave the Firewall with a destination address 10.3.3.1.
Check the Policy Global Properties for NAT
VPN-1/Firewall-1 NG introduced client side NAT; this simplified the NAT
configuration and removed the need to create routes and exceptions for
anti-spoofing on the internal firewall interface valid address group.
Check that Translate destination on the client side is ticked - this is
client side NAT. This only applies to static NAT, it is not relevant to
dynamic NAT, hide mode was never a configuration problem in this
respect.
In NG you do not have to configure the static arp(s) for the address(es) you
are about to use if Automatic ARP configuration is ticked and you
are using the NAT tab in the object to automatically create the NAT rules.
Note, if this is ticked the local.arp file is never read.
IP Pools are used for SecuRemote/SecureClient and VPNs and are part of
the CCSE+ topics.
Private address ranges is relevant to the Visual Policy Editor; any
addresses listed here will be treated as internal networks so that it can
correctly draw diagrams.
Edit the Web Server Object
Edit your internal web server object www.yoursite.com.
Select Automatic Address Translation rules. The method is Static; fill in
the external address to map the web server to.
Save the object settings.
Check the NAT Rules
Check the NAT rules have been created.
Note that two rules are created; Static rules are always in pairs. One is for
connections started from the internal server, which are mapped to the external
address. The other is for connections initiated to the external address,
which are mapped to the internal server.
This is a server mapping, connections are initiated to the server from
external clients, they must be mapped specifically to a single destination
address.
Install and test your Security Policy using a telnet client and the netstat
command.
The result of the netstat command should be similar to
TCP 172.23.3.254:23 172.23.3.113:3997 ESTABLISHED
Static NAT Log Entry - Automatic
The log entry for the static NAT should look something like the following.
Note you should try this both ways: from your web server going out and an
http connection coming in. The destination address you are trying to
connect to for incoming connections is the external address.
Note, your incoming rule did not have to explicitly have an object with
address 172.23.3.113 as the destination. This is because automatic address
translation was used and the object www.f16.com with address 10.3.3.1
also knows it has address 172.23.3.113 associated with it.
If you manually create the rules you will need to create an object for the
external address of the web server.
10.5 Static NAT for Servers - Manual
Remove the automatic NAT configuration from the www.yoursite.com
object.
You should now have no NAT rules.
This will still be using Translate destination on client side - client side
NAT.
Note for Manual Static NAT the Automatic ARP configuration will not
work even if you have it ticked because the firewall will have no idea
which address you want to arp for. You will need to create a local.arp file
if using NT and untick Automatic Arp.
In NG the local.arp file is located on the firewall module in the
$FWDIR\conf directory.
In previous versions of Firewall-1 the local.arp file was located on the
firewall module in $FWDIR\state directory.
In Solaris create a start-up file in the rc3.d directory, something like
S69fw1-routes and add any static arps or routes needed to this file.
For Unix:
arp -s <IP Address> <Mac Address> pub
Create the local.arp File on the Firewall Module
Find out the MAC address of the external interface of the firewall module;
use ipconfig /all and note the MAC address.
The local.arp file does not exist until you create it.
Add the external hide address and the MAC address; the line should not have
a carriage return at the end. The character separating the IP address and
the MAC address should be a tab, but a space also works.
For example
172.23.3.113 00-08-AD-73-D3-66
If this file is edited the firewall must be stopped and started (fwstop/
fwstart).
State Table arp_table
Stop and start the firewall module; you do not have to do anything with the
Management Server, just the firewall. Connections will not be allowed
through the firewall during this, so a live firewall may cause problems for
users.
C:\WINNT\FW1\NG\conf>fwstop
The Check Point FireWall-1 service is stopping.
The Check Point FireWall-1 service was stopped successfully.
C:\WINNT\FW1\NG\conf>fwstart
The Check Point FireWall-1 service is starting.......
The Check Point FireWall-1 service was started successfully.
Check the State Table - arp_table
You should now have entries in the state table arp_table;
fw tab -t arp_table
on the firewall module should show the arp entries.
C:\WINNT\FW1\NG\conf>fw tab -t arp_table
localhost:
-------- arp_table --------
dynamic, id 8186, attributes: limit 25000, hashsize 512
<ac170371; 73ad8000, 000066d3, 00000000>
If the entry does not appear then the local.arp file is named incorrectly or
is in the wrong directory or has a content error.
If you use Notepad, watch out for the file being named local.arp.txt.
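The checks described above (one "IP tab MAC" entry per line, no trailing carriage return, correct file name, and the IP appearing in hex as the first field of the fw tab output) can be run against a local.arp file before the fwstop/fwstart. This is an added example, not Check Point's code; the sample file it parses is constructed (it reuses the book's 172.23.3.113 / 00-08-AD-73-D3-66 entry and adds deliberately faulty lines), and the colon-separated MAC form for the Unix arp command is an assumption about that platform's arp utility.

```python
"""Validate a local.arp file and derive the equivalent Unix published ARPs.

Added example, not Check Point code.  SAMPLE_LOCAL_ARP is constructed test
input: the first line is the book's entry, the rest are deliberate faults.
"""
import re
from ipaddress import IPv4Address, AddressValueError
from typing import List, Tuple

# Six hex pairs separated by '-' (as in the book's example) or ':'.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}$")

def parse_local_arp(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (valid (ip, mac) entries, list of problems found)."""
    entries, problems, seen = [], [], set()
    lines = text.split("\n")
    if len(lines) > 1 and lines[-1] == "":
        problems.append("file ends with a line break; the last entry should not have one")
        lines = lines[:-1]
    for no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r")
        if line != raw:
            problems.append(f"line {no}: carriage return at end of line")
        if not line.strip():
            problems.append(f"line {no}: empty line")
            continue
        if "\t" in line:
            fields = line.split("\t")
        else:
            problems.append(f"line {no}: separator is a space, a tab is preferred")
            fields = line.split(" ")
        fields = [f.strip() for f in fields if f.strip()]
        if len(fields) != 2:
            problems.append(f"line {no}: expected '<IP> <MAC>', got {len(fields)} fields")
            continue
        ip, mac = fields
        try:
            IPv4Address(ip)
        except AddressValueError:
            problems.append(f"line {no}: bad IP address {ip!r}")
            continue
        if not MAC_RE.match(mac):
            problems.append(f"line {no}: bad MAC address {mac!r}")
            continue
        if ip in seen:
            problems.append(f"line {no}: duplicate entry for {ip}")
            continue
        seen.add(ip)
        entries.append((ip, mac.upper()))
    return entries, problems

def check_filename(path: str) -> List[str]:
    """Notepad silently appends .txt; the firewall only reads 'local.arp'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return [] if name == "local.arp" else [f"file is named {name!r}, must be 'local.arp'"]

def unix_arp_commands(entries: List[Tuple[str, str]]) -> List[str]:
    """Published-ARP lines for a Unix start-up script such as the book's
    S69fw1-routes.  Assumes (not from the book) that arp wants colon-separated MACs."""
    return [f"arp -s {ip} {mac.replace('-', ':')} pub" for ip, mac in entries]

def arp_table_ip_field(ip: str) -> str:
    """Hex form of the IP as it appears in the first field of an
    'fw tab -t arp_table' entry: <ac170371; ...> is 172.23.3.113."""
    return f"{int(IPv4Address(ip)):08x}"

SAMPLE_LOCAL_ARP = (
    "172.23.3.113\t00-08-AD-73-D3-66\n"    # the book's entry, tab separated
    "172.23.3.114 00-08-AD-73-D3-66\n"     # space separator: accepted with a warning
    "172.23.3.300\t00-08-AD-73-D3-66\n"    # invalid IP address
    "172.23.3.115\t00-08-AD-73-D3\r\n"     # MAC too short, CR at end of line
    "172.23.3.113\t00-08-AD-73-D3-66"      # duplicate IP; no trailing line break
)

if __name__ == "__main__":
    ok, bad = parse_local_arp(SAMPLE_LOCAL_ARP)
    for p in bad:
        print("PROBLEM:", p)
    for ip, mac in ok:
        print(f"{ip}\t{mac}   -> fw tab field {arp_table_ip_field(ip)}")
    print("\n".join(unix_arp_commands(ok)))
    print(check_filename(r"C:\WINNT\FW1\NG\conf\local.arp.txt"))
```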
Create an Object for the External Web Address
Create an object with the external NAT address; this will be used in the
rulebase to allow connections to your web server.
Rulebase Rule Required
Change the rule for incoming http and ftp connections.
The rule will currently be as shown below, which works for automatically
generated NAT rules but not for manual NAT rules.
Change the rule to use the Exwww.yoursite.com object.
When connections are made it is to the external address, and the rulebase
must make a match before allowing NAT rules to take effect.
Create the NAT Rules
Three rules are required; they will basically be the same as the
automatically generated rules, but you will be able to edit the service if
needed.
You will need a rule to ensure any connection from the internal network to
the internal network does not get natted; this is rule 1.
This will be a problem in a split Management/Firewall module
environment with manual NAT rules. If you forget you may have to use
fw unloadlocal
to unload the Security Policy and correct it. You may be able to install the
policy once but not twice.
Remember it is static NAT that is being used.
Install and test your security Policy using telnet from www.yoursite.com
and an http client from www.server.com to the Exwww.yoursite.com
address.
Static NAT Log Entry - Manual
Check the log entries.
If you were doing Server side NAT, which is the only method available
pre-NG, you would need to create a group for the valid addresses on the
internal interface of the firewall which would include any external NAT
addresses, and set anti-spoofing in the topology tab of the firewall object.
Create a Group, Valid_Internal_addresses, it will contain all internal
network address and all external NAT addresses.
Edit the Firewall object and set the Anti-Spoofing in the topology tab.
This is needed because of where the Inspection engine does anti-spoof
checking and NAT.
Manual Static NAT - Advantages
The rulebase is clearer since it is obvious that connections are made to the
external advertised Internet address, in this example Exwww.f16.com.
The main advantage is in situations where you are short of Internet address
space. You could have rules that are mapped to different internal servers
based on the service that is being used.
An example might be four different servers, SMTP, FTP, HTTP and NNTP, but
only one Internet-valid address being available.
The Security Policy rules might look like the following.
Rule 4 allows incoming ftp, http and smtp connections from any location.
Rule 5 allows the mail server to deliver mail, internal to external sites.
Rule 6 allows the ISP news servers to deliver news articles.
Rule 7 allows the internal news servers to deliver news articles back to the
ISP news servers.
Rule 8 allows internal users to use telnet, ftp and http.
The NAT rules might look like the following.
Rule 1 stops breaking connections from internal hosts to the firewall, this
should only be administrator hosts or the Management Server.
Rule 2 maps incoming http connections onto www.f16.com.
Rule 3 maps incoming ftp connections onto ftp.f16.com.
Rule 4 maps incoming smtp connections onto smtp.f16.com.
Rule 5 maps incoming nntp connections onto nntp.f16.com.
Rule 6 hides the www, ftp, smtp, nntp behind Exwww.f16.com.
Rule 7 maps internal hosts onto the external firewall address.
It might seem strange that the internal servers are using Hide mode NAT
when they would use Static if you used Automatic NAT but in this case it
makes sense to do it as it simplifies the rulebase.
Normally for Static NAT there are two rules but there does not have to be,
Destination Static NAT is all that is required for incoming connections.
Outgoing connections from the server can use Hide. This may not work for
all services.
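The seven manual NAT rules just described, together with the rule 1 warning from the hide-mode section (a split Management/Firewall configuration breaks when internal-to-internal connections are translated), can be walked with first-match semantics to see why the order matters. This is an added example, not Check Point code: object names such as net-10.3.3.0, www.f16.com and Exwww.f16.com follow the book, while the addresses of the ftp/smtp/nntp servers, the Management Server, the internal client and the "policy-install" service label are constructed, and a Security Policy rule is assumed to have already accepted each connection.

```python
"""First-match walk of the manual NAT rule base described in the text.

Added example, not Check Point code.  Addresses marked constructed below are
sample values; the rules themselves follow the book's numbered list.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

ANY = "any"
Pattern = Union[str, Tuple[str, ...]]   # host, network, ANY, or a tuple of those

# Site-3 classroom addressing from the book; server/mgmt hosts are constructed.
NET_INTERNAL = "10.3.3.0/24"         # net-10.3.3.0
FW_INTERNAL = "10.3.3.254"           # firewall internal interface
FW_EXTERNAL = "172.23.3.1"           # firewall external interface (hide address)
EXWWW = "172.23.3.113"               # Exwww.f16.com, the single advertised address
WWW, FTP, SMTP, NNTP = "10.3.3.1", "10.3.3.2", "10.3.3.3", "10.3.3.4"
MGMT = "10.3.3.10"                   # Management Server in a split configuration
ISP_HOST = "193.128.73.1"            # remote host from the book's diagram
SERVERS = (WWW, FTP, SMTP, NNTP)

@dataclass(frozen=True)
class NatRule:
    name: str
    orig_src: Pattern
    orig_dst: Pattern
    orig_svc: str                      # service name, or ANY
    hide_src: Optional[str] = None     # Hide mode: source becomes this address
    static_dst: Optional[str] = None   # Static destination NAT: new destination

def _match(pattern: Pattern, addr: str) -> bool:
    """True if addr is covered by a host, network, ANY or tuple pattern."""
    if isinstance(pattern, tuple):
        return any(_match(p, addr) for p in pattern)
    if pattern == ANY:
        return True
    if "/" in pattern:
        return ip_address(addr) in ip_network(pattern)
    return addr == pattern

def translate(rules: List[NatRule], src: str, dst: str, svc: str):
    """Return (matched rule name, translated source, translated destination).

    Rules are scanned top to bottom and the first match wins, so the order
    of the rules decides the outcome, exactly as the text warns."""
    for r in rules:
        if (_match(r.orig_src, src) and _match(r.orig_dst, dst)
                and r.orig_svc in (ANY, svc)):
            return r.name, r.hide_src or src, r.static_dst or dst
    return None, src, dst    # no NAT rule matched: the packet passes untranslated

# The seven manual NAT rules from the text.  Rule 1 keeps internal-to-internal
# traffic, including connections to the firewall itself, untranslated; rules
# 2-5 are destination-only static NAT selected by service; 6 and 7 are Hide.
MANUAL_NAT_RULES = [
    NatRule("1 internal no-NAT", NET_INTERNAL, (NET_INTERNAL, FW_INTERNAL), ANY),
    NatRule("2 http -> www.f16.com",  ANY, EXWWW, "http", static_dst=WWW),
    NatRule("3 ftp -> ftp.f16.com",   ANY, EXWWW, "ftp",  static_dst=FTP),
    NatRule("4 smtp -> smtp.f16.com", ANY, EXWWW, "smtp", static_dst=SMTP),
    NatRule("5 nntp -> nntp.f16.com", ANY, EXWWW, "nntp", static_dst=NNTP),
    NatRule("6 servers hide behind Exwww", SERVERS, ANY, ANY, hide_src=EXWWW),
    NatRule("7 internal hide behind FW", NET_INTERNAL, ANY, ANY, hide_src=FW_EXTERNAL),
]

def mgmt_source_seen_by_firewall(rules: List[NatRule]) -> str:
    """Source address the firewall sees on a policy install from the
    Management Server ("policy-install" is a constructed service label).
    With rule 1 it is the real address; without it the connection is hidden
    behind the external interface and the install breaks."""
    return translate(rules, MGMT, FW_INTERNAL, "policy-install")[1]

if __name__ == "__main__":
    for src, dst, svc in [(MGMT, FW_INTERNAL, "policy-install"),
                          (ISP_HOST, EXWWW, "http"), (ISP_HOST, EXWWW, "smtp"),
                          (WWW, ISP_HOST, "http"), ("10.3.3.20", ISP_HOST, "telnet")]:
        rule, s, d = translate(MANUAL_NAT_RULES, src, dst, svc)
        print(f"{src:>13} -> {dst:<13} {svc:<14} rule {rule!s:<30} {s} -> {d}")
    # Drop rule 1 and the Management connection is NATed: the classic mistake.
    print("without rule 1, mgmt seen as:", mgmt_source_seen_by_firewall(MANUAL_NAT_RULES[1:]))
```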
The examples used NAT to internal servers, www, ftp and smtp, but in a live
environment they would be located in the DMZ area and not, if possible, in
the internal network. At the least, authentication needs to be applied before
access is given to the server if it is on the internal network.
Good security starts at the design of the network infrastructure, with strict
control of server access and location. It's worth paying for an extra
couple of servers.
Just because something is simple to do, a couple of clicks in a menu, does
not mean you want to do it.
10.6 Static NAT for Networks - Automatic
Most sites do not have enough address space to do a static NAT for a whole
network, this maps addresses one to one for a network. However, you may
have an internal firewall and want to map a whole network onto another
network address.
For example you could have an internal address space of 172.21.1.0/24 and
an external address space of 193.128.73.0/24, the firewall could do a one to
one mapping for the whole network.
A more likely usage might be in VPNs where you have to hide your
internal address space so that your encryption domain does not include a
network that the other end also uses.
10.7 Network Address Translation - Review Questions
1. Your organisation has over 2000 hosts that need to access the Internet;
however, the ISP has only allocated you a block of 16 Internet
addresses. To allow users access you will need to configure NAT on the
firewall. Which would you consider the most appropriate NAT method
for the 2000 hosts?
A. Source Static NAT
B. Destination Static NAT
C. Hide NAT
D. Source Port NAT
E. Destination Port NAT
2. Which NAT method allows a one-to-one mapping of IP addresses?
A. Hide NAT
B. Static NAT
C. Service NAT
D. Dual NAT
E. None of the above
3. When you use the address 0.0.0.0 as the address to hide behind when
using hide mode, what effect will this have on the outgoing packet?
A. The Source address will be 0.0.0.0.
B. The source address will be the external interface of the firewall.
C. The source address will be the internal interface of the firewall.
D. The source address will be the address of the interface on the
firewall that the packet leaves from.
E. In Firewall-1 NG you cannot set the hide address to be 0.0.0.0.
4. You have a split Management and Firewall module configuration as
shown in the diagram below. You are going to create manual rules to
hide internal networks behind the Firewall external address. You have
added the following NAT rules, but after installing the policy the
Management Station can no longer connect to the Firewall to install
policies. This is because:
A. You also need to configure a static route and arp for the NAT
address.
B. You need to add an explicit rule to the rulebase to allow
connections from the NATed address for Management
connections.
C. You need to add another NAT rule to ensure that connections from
Internal networks to the firewall are not NATed.
D. You need to fwstop and fwstart the firewall module before the NAT
rule sees the Management module.
E. The problem has nothing to do with NAT and the most likely cause
is a cable connection problem somewhere between the
Management Station and the firewall module.
5. When you manually add a NAT rule the position in the rulebase does
not matter since the firewall learns which addresses live on which
interface and uses the best option given the history of traffic flow.
A. True
B. False
[Diagram: fw.detroit.com with a .254 interface on each of External Net
("It's a Bad Bad World"), net-10.1.1.0 and net-192.168.22.0; FW-Mgmt is on
one of the internal networks]
6. When Static NAT is done on the client side the firewall can be
configured to automatically respond to ARPs and does not require a
static route to be added to the firewall.
A. True
B. False
7. When Static NAT is done on the Client side in NG this provides a
simpler NAT configuration than previous versions of Check Point VPN-
1/Firewall-1.
A. True
B. False
8. You have configured Static NAT to be done on the server side. You do a
test from the internal http server and you see in the log file that NAT is
occurring and the packet is going out through the firewall. You are not
getting any reply packets. Which of the following is the most likely
cause?
A. The packets are being dropped because you do not have a rule to
allow http reply packets.
B. The perimeter router does not allow incoming http connections
because of the ACLs currently configured.
C. The static arp file on the firewall has the wrong MAC address in it.
D. Anti spoofing configuration is dropping the reply packets.
E. The host you are trying to connect to is down and is not sending the
replies.
11 NG Feature Pack 3
There are only minor changes to configuration settings, such as settings
moving to new dialogs or a few new settings being added, that affect the
content and explanations within this book. The core rules, operation and
illustrations applied throughout the book also apply to FP3. You should
read the release notes for a detailed list of fixes and enhancements that
FP3 brings to Check Point VPN-1/Firewall-1.
Objectives
When you have completed this module you should be able to:
Complete an upgrade of a Windows Management & Firewall Module
configuration from FP2 to FP3.
Understand the new features of FP3 relevant to CCSA and CCSE topics
within this book.
NG Feature Pack 3
230
11.1 Product Name Changes
For Feature Pack 3 Check Point have gone through a marketing exercise,
re-inventing the names for commonly known products.
To verify the version of a product use the following commands.
For clients use the Help - About menu to display the version information.
For servers use the appropriate command in the table below.
After looking for the Policy Editor in the menu, you'll remember that it is
the SmartDashboard that you need, and SmartView Tracker for the
LogViewer.
Old Product Name             New Product Name
Policy Editor                SmartDashboard
VPE (Visual Policy Editor)   SmartMap
LogViewer                    SmartView Tracker
Status Manager               SmartView Status
Real-Time Monitor            SmartView Monitor
Reporting                    SmartView Reporter
SecureUpdate                 SmartUpdate
Management Server            SmartCenter Server
Management Clients           Smart Clients
Provider-1                   Provider-1/SiteManager-1

Product                      Command
VPN-1/Firewall-1             $FWDIR/bin/fw ver
SVN Foundation               $FWDIR/bin/cpshared_ver
User Authority Server        $FWDIR/bin/netsod d -v
SmartView Monitor            $FWDIR/bin/rtm ver
Floodgate-1                  $FWDIR/bin/fgate ver
11.2 Upgrade from FP2 to FP3
For any service pack upgrade always read the release notes thoroughly,
including the known issues. If possible do the upgrade in a test
environment first and check whether you can remove old packages without
breaking the current install.
The Check Point release notes often contain information about a specific
problem or setting available through the Objects_5_0.C file. To edit the
Objects_5_0.C file use the dbedit utility. It is worth keeping an on-line
copy of the release notes for previous service packs as well; the
information in these is available through the knowledge base, but that
takes time to navigate.
Upgrade the Firewall Module: Start the installation program and select to
upgrade installed products.
SIC communications may need to be reset between the Management
Server and Firewall Module if your policy cannot be installed.
Upgrade the Management Server: Select to Upgrade installed components.
Backward compatibility may be an issue if you are upgrading more than
one Firewall module.
You can overwrite the Management clients unless you have another FP2
Management Server. The Management Clients must be patched to the same
version of the Management Server.
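The version commands listed in 11.1 and the requirement above that the Management Clients and Modules match the Management Server's Feature Pack level can be checked in one pass before an upgrade. The following is an added example, not code from the book or from Check Point: it parses the output of fw ver and cpshared_ver collected from each host and reports any host that is not at the Management Server's Feature Pack level. The hostnames, build numbers and the exact wording of the version lines are constructed for the example; only the "NG Feature Pack N" phrase is relied on.

```python
import re

# Constructed sample output, in the style of the NG version commands listed
# in 11.1 ($FWDIR/bin/fw ver and $FWDIR/bin/cpshared_ver). Hostnames and
# build numbers are made up for this example.
SAMPLE_OUTPUT = {
    "mgmt-server": {
        "fw ver": "This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 3 Build 53225",
        "cpshared_ver": "This is Check Point SVN Foundation NG Feature Pack 3 Build 53225",
    },
    "fw-module-1": {
        "fw ver": "This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 3 Build 53225",
        "cpshared_ver": "This is Check Point SVN Foundation NG Feature Pack 3 Build 53225",
    },
    "fw-module-2": {
        "fw ver": "This is Check Point VPN-1(TM) & FireWall-1(R) NG Feature Pack 2 Build 53110",
        "cpshared_ver": "This is Check Point SVN Foundation NG Feature Pack 2 Build 53110",
    },
}

# Matches "NG Feature Pack <n>" with an optional "Build <n>" after it.
_FP_RE = re.compile(r"NG\s+Feature\s+Pack\s+(\d+)(?:\s+Build\s+(\d+))?", re.IGNORECASE)


def parse_version(line):
    """Return (feature_pack, build) from one version line, or None if the
    line is not in the expected form. build is None when it is absent."""
    m = _FP_RE.search(line)
    if not m:
        return None
    build = int(m.group(2)) if m.group(2) else None
    return (int(m.group(1)), build)


def find_mismatches(outputs, reference="mgmt-server"):
    """Compare every host's Feature Pack level with the reference host (the
    Management Server). Returns a list of (host, command, level) for each
    host/command that is not at the reference level; level is None when the
    output could not be parsed at all."""
    problems = []
    for host, cmds in outputs.items():
        for cmd, line in cmds.items():
            mine = parse_version(line)
            ref = parse_version(outputs[reference].get(cmd, ""))
            if mine is None or ref is None:
                problems.append((host, cmd, None))
            elif mine[0] != ref[0]:
                problems.append((host, cmd, mine[0]))
    return problems


if __name__ == "__main__":
    for host, cmd, level in find_mismatches(SAMPLE_OUTPUT):
        print("%s: %s reports Feature Pack %s, not at Management Server level"
              % (host, cmd, level))
```

Run the real commands on each host, paste the output into the dictionary, and anything the function reports is a module that either needs patching or needs the Management Server installed with backward compatibility.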
You do not have to change the FQDN.
Since the Management Server has been upgraded the Fingerprint has
changed and Management clients will be prompted to accept the new
Fingerprint when they connect.
Install the Security Policy: You must always re-install the Security Policy
after doing a Feature Pack upgrade.
11.3 Converting a Traditional to Simplified Mode Security Policy
A new menu option has been added to step through the conversion process
of a Traditional to Simplified Security Policy. This includes adding VPN
enabled gateways to a VPN Community if required. You need to
understand VPN Communities before doing this; there is no Encrypt
Action in Simplified Security Policies.
Two firewalls are defined in the Security Policy in this conversion, one
managed by the Management Server, the other Externally Managed
(business partner).
In this example no rules had the Encrypt Action, but the conversion
process still prompts you for at least one gateway to add to a VPN
Community. Community encryption rules can be added through the If
Via column after conversion.
You can select the Firewalls from the list and drag them into the selected
VPN Community display area. This example is just using the default
Community MyIntranet. This can be edited later if you make a mistake.
The Security Policy will be named oldname_Simplified by default.
The alternative to doing this is to just Copy and Paste the rules.
You should test your Security Policy thoroughly after doing the conversion.
11.4 Policy Install Settings
The Policy Install dialog and error messages are much clearer in FP3.
Policy Installs and the Connection Table: A new option on the Firewall
object has been added to configure how established connections will be
handled when a new Security Policy is installed.
The error shown here occurs when two services using the same port number
have been defined and both are set to Match for Any. In the Advanced
dialog of the service, set only one of them to match when the service in a
rule is Any.
Keep all connections: Keep all control and data connections open until the
connections have ended. The newly installed Policy will be enforced only
for new connections.
Keep data connections: Keep all data connections open until the
connections have ended. Control connections that are not allowed under
the new Policy will be terminated.
Rematch connections: (default) All connections not allowed under the
new Policy will be terminated, unless Keep connections open after
policy has been installed is enabled in the service's Properties window.
Individual service definitions can override the Rematch connections.
Policy Rules, Section Headings: Rules can now be split into sections and
the sections hidden from view, but they still apply when the Security
Policy is installed. Only disabled rules do not apply. This can be useful
if you have replaced the implied rules with explicit rules: a section for
the replaced implied rules can be created and always left in a collapsed
view state.
DNS UDP Queries: The implied rule setting Accept Domain Name over UDP
(Queries) is still an open rule; the Source and Destination are set to Any.
However, an option has been added in SmartDefense to turn on DNS UDP
protocol Queries checking.
The DNS UDP rule should still be an explicit rule in a live Internet facing
environment.
SynDefender: SynDefender configuration has been removed from the Firewall
object and is now part of SmartDefense.
The old methods of Syn Gateway and Passive Syn Gateway can still be
set for backwards compatibility.
11.5 SmartView Status
SmartView Status now displays detailed information on VPN
connections.
11.6 SmartView Tracker
The SmartView Tracker (LogViewer) has a much simpler interface that
allows multiple log files to be viewed at the same time. The filter list on the
toolbar has been replaced with an Objects Tree view, which is easier to use.
The details of events are presented in a table format when viewing specific
records. It is now much easier to view the info field, which replaces having
to widen the column.
Block Intruder: When viewing Active mode log records and using Block
Intruder, the default setting has changed to Block only the connection.
When applied, however, it blocks all connections from the source and not
just the single connection.
Remote Log File Management: There is a new menu option to retrieve
remote log files when logging has been set to the local Firewall module.
You could just switch the log files daily and fetch them at the end of the
week.
The log file will be saved in the $FWDIR\log directory on the Management
Station.
The log switch and fetch could be done in previous versions through
fw logswitch and fw fetchlogs specifying the target firewall.
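The daily switch and weekly fetch described above can be scripted from the Management Station with the two commands just named. The following is an added example, not code from the book or from Check Point: it builds the fw logswitch -h <target> <name> and fw fetchlogs -f <file> <module> command lines for a list of modules and runs them through an injectable runner, so the plan can be printed and reviewed before anything is executed. The gateway names are constructed, and the switched-log naming convention (the day's date, stored as yyyy-mm-dd.log on the module) is an assumption; confirm the exact filename form fw fetchlogs expects against the release notes for your Feature Pack.

```python
import datetime
import subprocess

# Assumed naming convention for switched logs: the day's date, so the module
# stores yyyy-mm-dd.log. Check the NG release notes for the exact form the
# -f argument of fw fetchlogs expects in your Feature Pack.
LOG_EXT = ".log"


def logswitch_cmd(target, iso_date, fw="fw"):
    """Command line to switch the active log on the remote module `target`,
    saving the old log under the day's name (fw logswitch -h target name)."""
    return [fw, "logswitch", "-h", target, iso_date]


def fetchlogs_cmd(target, iso_date, fw="fw"):
    """Command line to copy one switched log from `target` into $FWDIR\\log on
    the Management Station (fw fetchlogs -f name module)."""
    return [fw, "fetchlogs", "-f", iso_date + LOG_EXT, target]


def daily_switch(targets, iso_date, run=subprocess.run, fw="fw"):
    """Run at the end of each day: switch the log on every module.
    `run` is injected so the plan can be reviewed without touching a firewall."""
    cmds = [logswitch_cmd(t, iso_date, fw) for t in targets]
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


def weekly_fetch(targets, week_end_iso, run=subprocess.run, fw="fw", days=7):
    """Run at the end of each week: fetch the last `days` switched logs from
    every module, oldest first, so a failure part way leaves a contiguous set."""
    week_end = datetime.date.fromisoformat(week_end_iso)
    cmds = []
    for t in targets:
        for offset in range(days - 1, -1, -1):
            day = week_end - datetime.timedelta(days=offset)
            cmds.append(fetchlogs_cmd(t, day.isoformat(), fw))
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


def dry_run(cmd, check=True):
    """Stand-in runner that prints the command instead of executing it."""
    print(" ".join(cmd))


if __name__ == "__main__":
    gateways = ["fw-module-1", "fw-module-2"]   # constructed names
    daily_switch(gateways, "2003-03-14", run=dry_run)
    weekly_fetch(gateways, "2003-03-14", run=dry_run)
```

Schedule daily_switch from the Management Station's scheduler each evening and weekly_fetch at the week's end; with the default runner, subprocess.run(check=True) raises on the first non-zero exit, so a module that fails to answer stops the job rather than silently leaving a gap in the fetched logs.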
11.7 Revision Control
Revision control now works and allows previous Security Policy versions
to be recalled and installed. In previous versions you could only view the
recalled Security Policy.
The revisions are just a tar file of the configuration and stored in the
version repository. Even if you do not have the Revision control feature the
demo version will illustrate all the files that need to be backed up.
11.8 Content Security
Resource - CIFS: CIFS is a new Resource type for controlling Microsoft
shares.
Example shares available for mounting.
Create a new Resource of type CIFS using the server name or IP address
and the Share name.
Add a rule that uses the CIFS resource.
Mount the share and try other shares just to check that you have defined
everything correctly.
URI Filtering - SOAP: Simple Object Access Protocol (SOAP). Another way
of tunnelling everything over http/port 80.
Extract from http://www.w3.org/TR/SOAP/
SOAP is a lightweight protocol for exchange of information in a
decentralized, distributed environment. It is an XML based
protocol that consists of three parts: an envelope that defines a
framework for describing what is in a message and how to process
it, a set of encoding rules for expressing instances of application -
defined data types, and a convention for representing remote
procedure calls and responses. SOAP can potentially be used in
combination with a variety of other protocols; however, the only
bindings defined in this document describe how to use SOAP in
combination with HTTP and HTTP Extension Framework.
The client does not have to be a web browser; it just needs to be talking
the http protocol. SOAP allows the client and server to agree on the data
types that will be communicated, making it ideal for trojans: nearly
everyone allows http out the door, and http proxy servers will just treat
the data as plain http traffic.
The URI resource can filter the specific data schemes used by the client/
server communication. Each scheme file needs to define the data types
being used by the client/server.
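The following is an added example, not code from the book or from Check Point, that shows the idea behind scheme-based SOAP filtering in working form: only messages whose remote procedure calls are listed in a scheme get through, and everything else, including malformed envelopes and calls in an unlisted namespace, is rejected. The scheme dictionary, the service namespace urn:example:stock and both sample requests are constructed for the example and do not follow Check Point's scheme file format.

```python
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed scheme: for each service namespace, the method names the
# resource will pass. Anything else is rejected. This stands in for the
# scheme file the URI resource would reference; it is not Check Point's format.
ALLOWED_SCHEME = {
    "urn:example:stock": {"GetLastTradePrice", "GetQuote"},
}

# Constructed requests. The first calls a listed method; the second calls a
# method in a namespace the scheme does not list at all.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:GetLastTradePrice xmlns:m="urn:example:stock">
      <symbol>CHKP</symbol>
    </m:GetLastTradePrice>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

BAD_REQUEST = b"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <m:TransferFunds xmlns:m="urn:example:banking">
      <amount>1000</amount>
    </m:TransferFunds>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""


def soap_body_calls(xml_bytes):
    """Return [(namespace, method), ...] for each element directly under the
    SOAP Body, i.e. the remote procedure calls the message carries."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Envelope" % SOAP_ENV_NS:
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find("{%s}Body" % SOAP_ENV_NS)
    if body is None:
        raise ValueError("envelope has no Body")
    calls = []
    for child in body:
        # ElementTree gives tags in Clark notation, "{namespace}local".
        ns, _, local = child.tag.rpartition("}")
        calls.append((ns.lstrip("{"), local))
    return calls


def check_request(xml_bytes, scheme=ALLOWED_SCHEME):
    """Apply the scheme: allow only messages whose every call is listed.
    Returns (allowed, reason). Malformed or empty messages are rejected."""
    try:
        calls = soap_body_calls(xml_bytes)
    except (ET.ParseError, ValueError) as exc:
        return False, "reject: %s" % exc
    if not calls:
        return False, "reject: empty Body"
    for ns, method in calls:
        if method not in scheme.get(ns, ()):
            return False, "reject: %s in %s not in scheme" % (method, ns or "(no namespace)")
    return True, "accept"


if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, check_request(req))
```

The check is a default-deny allow list keyed on namespace and method, which is what makes a scheme useful against a tunnelled application: a client that can speak arbitrary SOAP still only reaches the calls you have written down. The standard library parser is enough for the illustration; a filter fed untrusted XML in production should use a hardened parser such as defusedxml, since expat-based parsers are exposed to entity expansion.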
11.9 VPN Configuration Changes
The Objects Tree listing for the VPN Community configuration is clearer
and easier to understand. Site to Site VPNs can include Externally
Managed Firewall modules as well as those Managed by your
Management Server. The term Intranet used in the Policy Editor was
confusing in that it was interpreted as meaning Site to Site VPNs within
your own organisation with Firewall Modules being under the control of a
single Management Server. This was true until FP2 which allowed
inclusion of Externally Managed Firewall modules but needed Certificate
IKE authentication. Extranets can easily be configured using the Site To
Site Community setup in FP3 and allows use of Pre-shared secret IKE
authentication.
The Extranet Manager is now clearly a separate additional component
titled Extranet Manager and not just Extranet.
There are two additional configuration dialogs in Site to Site Community
VPNs. Services in the Clear allows protocols to be excluded from
encryption; in some cases it may not be necessary to encrypt traffic if this
is already done as part of the Client/Server application process.
For Externally Managed Firewall Modules a Pre-shared secret can now be
used for IKE Authentication.
The VPN properties on the Firewall object have changed to include a
Traditional mode configuration. In previous versions, Firewall modules
had to be removed from all VPN Communities, configured with specific
gateway IKE parameters and added back to the Communities they belonged
to. This is no longer necessary: Community settings will apply for
Community encryption and individual settings for VPNs between non
Community members.
The IKE properties have changed to remove the Hybrid Mode setting,
which applies to Remote Access authentication when using SecuRemote/
SecureClient.
The Hybrid Mode IKE authentication is now set in the Remote Access tab
in the Global Properties. A new setting for Pre-Shared Secret has been
added for SecuRemote/SecureClient user authentication. The IKE Pre-
shared secret could be set in the User account details and used in previous
versions but Hybrid Mode had to be turned on for it to work.
Appendix A
VPN-1/Firewall-1 Installation
Objectives
When you have completed this module you should
Be able to Install VPN-1/Firewall-1 on a Windows NT Server.
Know the components that have been installed.
Know the order in which to uninstall the components.
A.1 Installing in a Split Management/Firewall Module Configuration
This example installs in a split Management/Firewall Module
configuration, since this is the most interesting environment in which to
learn the product. Installing in a split environment will highlight some
areas of configuration that are needed at the Management Station, such as
Certificate generation, as well as the communications required between a
Management Server and Firewall Module.
You will need the following before you start.
Three workstations with Windows installed, NT4 SP6a or W2K
Server (works with NT Workstation and W2K Professional as well, but not
officially supported; see the Check Point release notes).
The workstation that the Firewall will be installed on should be
configured for routing and a ping test done between the Internal and
External workstations.
VPN-1/Firewall-1 NG FP2 CD.
A license for the Management and Firewall Module.
The Internal and External workstations should have telnet, http, and
ftp servers and clients installed to allow rules to be tested through
the Firewall from either direction.
In a live environment you should build the Firewall box in the following
order.
Install the OS and configure all IP addresses and enable routing.
Routing does not have to be enabled on Unix installs.
Patch the OS with the latest patches for the services you are using.
Harden the OS with any recommended configuration changes.
Take an image of the disk.
Install the Check Point Software.
Install a Security Policy and test that everything works.
If everything does not work, restore the image of the disk you took
after hardening the OS, figure out what hardening broke the
install, take a new image dump, and install and test the installation
again until everything works.
The above may or may not be the official Check Point recommended
method for answering a question in the exam, but it works for re-sellers
that build and ship NT based firewalls.
SecurePlatform (Linux based) is a viable alternative to an NT based
Firewall, since only a minimal amount of Unix expertise is required to
install and maintain the system. In a SecurePlatform configuration you
could have the Firewall Module on Linux with low cost hardware and the
Management Server on a Windows 2000 Server. SecurePlatform is easy to
install and comes with a stripped down, hardened Linux OS. If you
currently have a Windows based Firewall you should consider looking in
detail at SecurePlatform as an alternative for your next upgrade.
SecurePlatform can also be installed with both the Management Server and
Firewall Module on the same workstation.
Note, in a live environment with a split Management/Firewall Module
configuration the Management Server must be upgraded first and installed
with backward compatibility so that it will be able to continue to manage
the existing Firewall Modules. In a combined Management/Firewall
Module configuration both the Management and Firewall Module software
are patched at the same time.
Sample network Layout: The following network layout is required to
complete the CCSA topics and some of the CCSE topics. Two Firewalls are
required for the Site to Site VPN CCSE topics.
[Figure: sample network layout showing the Firewall, the Management
Server, the External Server and the Gateway & Internal Server, with their
Network Addresses and an optional connection to the Internet]
A.2 Installing the Firewall Module
Insert the CD and the installation program should automatically start.
Alternatively run the setup.exe in the Windows directory on the CD.
Select SERVER/GATEWAY COMPONENTS.
Select the Server/Gateway components you are going to install; in this case
the only component is VPN-1/Firewall-1. This will also install SVN
Foundation, which is required for every component except the
Management Clients.
The Policy Server, which is required by SecureClient, will be installed
later. You would not install it unless you had a license to use it.
The components selected for install will be displayed, if this is not correct
then cancel the installation and restart.
Once SVN Foundation has been installed you can select which of the VPN-
1/Firewall-1 components you are installing. In this case you are installing
in a split Management/Firewall Module configuration and are only
installing an Enforcement Module.
The installation directory by default will be C:\WINNT\FW1\NG; this
will map to the environment variable $FWDIR. You can install in any
directory path; the only consideration may be disk space for logging, OS
rebuilds and Firewall backups. The installation will make changes to the
registry.
If you are using central licenses in a split configuration you do not add
licenses at the Firewall Module. Licenses are added through the
Management Server and attached to the Firewall Module using
SecureUpdate.
If you have a local Firewall Module license it must be entered here; in
NG it is recommended you use central Firewall licenses. This is set when
you create the license at Check Point's licensing center. It is likely that you
have a local license for the Management Station and a central license for
the Firewall Module(s). Central licenses are available with NG but not
previous versions. See the Section on SecureUpdate.
Enter a random series of key hits; this will be used as random data for parts
of the software that need random number generation.
NG replaced the fw putkey method of authentication with SIC certificates
and authentication secrets for Management to Firewall module
communication. The secret entered here will be required when creating the
Firewall object in the Policy Editor. For this test/classroom environment
use - abc123.
This Firewall will not participate in High Availability, that is part of the
CCSE+ topics.
The installation will do some basic OS hardening and set the directory and
file permission on the installed files.
To complete the installation reboot the workstation.
The installed software will be listed in the Add/Remove software list; in
this case the base Feature Pack 1 was installed and patched automatically
by the installation program with Feature Pack 2.
The SVN Foundation is installed under Program Files while the Firewall
software is installed in the directory specified during the installation.
[Screenshot: Add/Remove software list showing the SVN Foundation and
Firewall Module entries]
Un-installing the Software: Un-install the software in the reverse order of
installation. Before you un-install any Check Point software always exit
all applications, reboot, log on, and do not start any other applications.
You do not have to explicitly stop the Check Point services. If you are
un-installing the Session Agent or SecuRemote/SecureClient it is a good
idea to exit these applications before un-installing them.
Uninstall additional components like the Policy Server and
Floodgate first.
Then uninstall the VPN-1/Firewall-1 Feature Pack 2.
Then uninstall the SVN Foundation Feature Pack 2.
Then uninstall the VPN-1/Firewall-1 Feature Pack 1.
Then uninstall the SVN Foundation Feature Pack 1.
Do not reboot until all components have been removed.
A.3 Installing the Management Server and Clients
Insert the CD and the installation program should automatically start.
Alternatively run the setup.exe in the Windows directory on the CD.
Select SERVER/GATEWAY COMPONENTS.
Select VPN-1 & Firewall-1 and the Management Clients; you will be
prompted for which component you want to install.
Confirm the install list is correct or cancel the install and start again.
After SVN Foundation has been installed you can select which component
you want to install. Install the Enterprise Primary Management
component.
Enterprise Secondary Management Stations are backup Management
Servers for High Availability configurations and are covered in the CCSE+
topics.
Select the install directory, C:\WINNT\FW1\NG by default.
Select backward compatibility if you have Firewall Modules to Manage
that are not patched to the same level as the Management Server.
Select the Install Directory for the Management Clients.
Select the Clients to install. Any client not selected can be installed later by
running the Management Client setup.exe installation program on the CD.
Since this is the Management Station you at least need to add a license for
it, otherwise you will not be able to login with any of the Management
Clients.
If you do not add a license you would need to run the Check Point
Configuration tool after the install/reboot to add a license.
Add the Management Server license.
If you have the Firewall Module central license you can also add it here,
alternatively you can use SecureUpdate or the Check Point
Configuration Tool.
At least one administrator must be added during the Management
Server installation.
Add an Administrator - fwadmin, password - abc123. This is a generically
named administrator which anyone can use. In a live environment every
administrator should have their own account name so that audit trails can
identify who did what and when. This information is available in the Log
Viewer under Audit.
The administrator needs full Read/Write access to all available
Management Clients.
Any workstations that are going to have the Management Clients installed
on them should be listed here. You do not need to add the IP address of
the Management Station.
Select random keys until the buffer is full.
NG uses Certificates, which are automatically created if VPN-1 Pro is
selected as installed on an object. This needs the Internal Certificate
Authority to be initialized: select Initialize and Start Certificate
Authority.
The FQDN needs to be set. This should be a hostname that the Firewall
Module and any SecuRemote/SecureClient user that uses a certificate
issued by the Internal Certificate Authority can resolve.
Once the FQDN is set it should not be changed otherwise checking valid
certificates may become a problem.
The Fingerprint for the Management Server will be displayed, this is used
by Management Clients to confirm that they are connecting to the
correct Management Server.
Reboot the workstation and you should be able to login to the Management
Server using the Policy Editor.
Appendix B
Review Questions - Answers
B.1 Review Question Answer sheets
Blank answer sheets are available for download at www.corefacts.com
CCSA Topics
Title Question/Answer
1. VPN-1/Firewall-1
Architecture
1 2 3 4 5 6
B E A A D C
2. Security Policy & Rules
Setup
1 2 3 4 5 6 7 8 9 10
C B B D C C E A A E
11 12 13 14 15 16 17 18 19 20
B B B B B B D B B B
21 22 23 24 25 26 27 28 29 30
E C B D C A D C A B
31 32 33 34 35 36 37 38 39 40
C C B A B E C E C B
41
C
3. System Manager & Log
Viewer
1 2 3 4 5 6 7 8 9 10
B C B B C D D C B C
4. Anti-Spoofing &
Services
1 2 3 4 5 6 7 8 9 10
C D D B C C B B A D
5. Working with the
Security Policy
1 2 3 4 5 6 7
B B E B C A B
6. Setting up
Authentication
1 2 3 4 5 6
A C B A C B
7. User Authentication 1 2 3 4 5 6 7 8
A E C A B A C B
8. Session Authentication 1 2
A B
9. Client Authentication 1 2 3 4 5 6 7 8 9 10
A B A C B A C A A C
General Authentication
Questions
1 2 3 4 5 6 7 8
B A E D B B B A
10. Network Address
Translation
1 2 3 4 5 6 7 8
C B D C B A A C
CCSE Topics
Title Question/Answer
11. User Defined Tracking
& Alerts
1 2 3 4 5 6 7
A B C A C B B
12. Load Balancing -
Connect Control
1 2 3 4 5 6 7 8 9
D A B C E A B A C
13. Content Security
Servers
1 2 3 4 5 6 7 8 9 10
B B B C D A B A D D
11
B
14. SynDefender 1 2 3 4 5 6 7 8
B C A B B A D A
15. Encryption & VPNs 1 2 3 4 5 6 7 8 9 10
C B A C B D A B C B
11 12 13 14 15 16
B A B C B A
16. Certificate Authorities 1 2 3 4 5 6
A A A B B A
17. Implementing IKE -
Traditional Mode
1 2 3 4 5 6
A B B B A B
18. Extranet Management
Interface
1 2 3 4 5 6 7 8 9 10
C B B E C B D B B A
11
D
19. Implementing IKE -
Intranets
1 2 3 4 5
A B B A B
20. SecuRemote 1 2 3 4 5 6 7 8 9 10
C D B B D C C B A B
11 12 13
C C A
21. SecureClient & the
Policy Server
1 2 3 4 5 6 7 8 9 10
B B B A B A B B C B
11 12 13
B B D
22. Voice Over IP 1 2 3
C A E
Answer Sheet
CCSA Topics
Title Question/Answer
1. VPN-1/Firewall-1
Architecture
1 2 3 4 5 6
2. Security Policy & Rules
Setup
1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 26 27 28 29 30
31 32 33 34 35 36 37 38 39 40
41
3. System Manager & Log
Viewer
1 2 3 4 5 6 7 8 9 10
4. Anti-Spoofing &
Services
1 2 3 4 5 6 7 8 9 10
5. Working with the
Security Policy
1 2 3 4 5 6 7
6. Setting up
Authentication
1 2 3 4 5 6
7. User Authentication 1 2 3 4 5 6 7 8
8. Session Authentication 1 2
9. Client Authentication 1 2 3 4 5 6 7 8 9 10
General Authentication
Questions
1 2 3 4 5 6 7 8
10. Network Address
Translation
1 2 3 4 5 6 7 8
CCSE Topics
Title Question/Answer
11. User Defined Tracking
& Alerts
1 2 3 4 5 6 7
12. Load Balancing -
Connect Control
1 2 3 4 5 6 7 8 9
13. Content Security
Servers
1 2 3 4 5 6 7 8 9 10
11
14. SynDefender 1 2 3 4 5 6 7 8
15. Encryption & VPNs 1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16
16. Certificate Authorities 1 2 3 4 5 6
17. Implementing IKE -
Traditional Mode
1 2 3 4 5 6
18. Extranet Management
Interface
1 2 3 4 5 6 7 8 9 10
11
19. Implementing IKE -
Intranets
1 2 3 4 5
20. SecuRemote 1 2 3 4 5 6 7 8 9 10
11 12 13
21. SecureClient & the
Policy Server
1 2 3 4 5 6 7 8 9 10
11 12 13
22. Voice Over IP 1 2 3
Index
Numerics
8-bit protocol 3
A
Account Profile 143
ACL 8
Adding Services 116
Administrator
Certificate 145
Agent Automatic 200
Anti-Spoofing 108, 110
Application Proxies 11
arp_table 220
Authentication
Intersect with User database 172
Methods 152
Not being Authenticated 169
Schemes 153
Schemes, setting 154
Setting Scheme 157
Stealth 167
User Properties 173
Using ftp 174
Using http 172
Using Telnet 167
Authentication Schemes 144
Automatic ARP configuration 217
AXENT 153
B
Basic Common Sense Security 29
Basic Performance Guidelines 139
Block Intruder 100
Broadcast
Not included 47
Broadcast Junk 54
C
Central licenses 22
Check Point HA 19
clean up rule 54
Clear Blocking 102
Client Auth
sessions 197
Sign On Methods 198
Sign On Required 198
time period 197
Client Authentication 192
ClusterXL 28
Combined Management/Firewall 19
Connection Table
Persistence 236
Content Security
CIFS 243
SOAP 245
Controlling Implied Rules 67
Converting Traditional to Simplified Security Policy 234
CPD 74
CPD_amon 74
CPMI 74
CPShared 19
cpstart 76
cpstop 76
D
Disconnected State 90
Distributed Management/ Firewall Module 19
DNS 70
Dynamic NAT 209
E
Embedded Devices 53
Enforcement Module 18
F
Fingerprint Check 36
Firewall Administrators 141
Fully Automatic 199
fw sam 100
fw stat 75
fw unloadlocal 69
FW1_amon 73
FW1_mgmt 73, 103
FW1_sam 73, 103
FW1_ufp 73
fwauthd.conf 152
fwmusers 141
fwstart 75
fwstop 75
G
Gauntlet 11
H
HIDE address, 0.0.0.0 210
Hide Mode NAT 209
I
iana 3
ICMP Protocol 5
If Via 49
in.aclientd 192
in.ahclientd 192
INSPECT 13
INSPECT Language 18
Install
User Database 146
Internal Certificate 44
IP Pools 217
IP Protocol 3
IP Spoofing 108
L
License Attachment 23
License Count 20
License Depository 24
Locked out of Policy Installs 68
Log
Active 94
Audit 95
By Origin 96
Resolve Addresses 98
Resolver time out period 99
Searching 95
Selections 96
Log Viewer 93
Log Viewer Modes 93
M
Management Server 17
Manual Sign On 199
Manual Static NAT - Advantages 223
N
nbdatagram 56
nbname 56
Negating objects 57
Network Address Translation 208
Network Connections 2
Network Objects 38
O
Objects
Check Points 39
Get address 41
Networks 40
Nodes 40
OPSEC 88
OSE Devices 53
P
Packet Filters 7
Partially Automatic 199
plug-gw 12
Policy
Uninstalling 138
Viewing, installed 134
Policy Editor 16
*local 34
Demo mode 34
fwmusers 35
license 35
lock file 35
Login 34
Policy Install
fwm load 69
port 259 194
port 900 196
Predefined Services 114
Private address ranges 217
Problems with NAT 208
Product Name Changes 230
Provider-1 26
R
RADIUS 153
Raptor 11
Revision Control 130, 242
Revision database files 133
RFC 1918 Addresses 208
RFC 768 4
RFC 792 5
RFC 793 3
Rule
Action 52
Comment 53
Default settings 50
Disabling 138
Hiding 135
Install On 52
Masks and Searches 136
Number 51
Service 51
Source/Destination 51
Time 53
Track 52
Viewing Hidden 136
Rule base Elements 49
Rules
Filtering Order 65
Filtering Order, Exception 66
First, Before Last, Last 65
Implicit 62
View - Implied 63
S
S/Key 154
Stateful Inspection
Communication information 14
Secure Internal Communications 21
Secure Virtual Network 25
SecureUpdate 22
SecurID 153
Security
Documentation 30
Implement Trust procedures 30
Log files 30
Peer Pressure 30
People 30
Prepare for the unexpected 30
Procedures 30
Servers 29
Services 29
Security Policy
Installing 58
Testing 60
Uninstalling 60
Verifying 58
Services
create new 119
type Other 122
Session Agent 183
Session Agent, port 261 182
Session Authentication 182
Using ftp 186
Session Authentication Properties 186
SIC Certificates 21
SIC setup 42
simple packet filtering 7
Single Sign On 200
Site Security Handbook 30
SiteManager-1 26
SmartCenter Server 230
SmartDefense 238
SmartView Status 239
SmartView Tracker 240
Stateful Inspection
Application derived state 14
example of 15
Information manipulation 14
Stateful Inspection 13
Communication derived state 14
Static NAT 214
Status Information 88
Stealth Authentication 167
SVN Components 25
SVN Foundation 19
Syn/Ack 4
SynDefender 238
System Manager 88
T
TACACS 153
TCP Protocol 3
TCP Sessions 109
TCP/IP Stack 2
Timeout
UDP 119
Timeouts
TCP 119
TIS Toolkit 12
Topology 43
Translate destination on the client side 217
Trojans 6
Tunnelled Protocol Example 115
U
UDP Protocol 4
UDP Sessions 109
User
generic* 162
User Authenticated Services 166
User Groups
creating 160
External 161
Users
Account expire 156
creating 155
Default 155
Location, src/dst 159
V
Visual Policy Editor 38
VPN-1 & Firewall-1 control connections 64
W
What is a Firewall 6