Check Point R75 Management Essentials - Part 1

Transcription

1 Check Point R75 Management Essentials - Part 1 Training course materials Preparation for CCSA Certification Inspection Engine Suspicious Activity monitoring (SAM) Rules Anti-Spoofing Rules arp_table IKE_peers connections udp_services Expected packet or new entry added by rule match Accept Handle Packet by OS IP Stack Accept Update State Tables Action Reject Send Nack Drop UDP TCP Gus Bouser & Neil Mackie IPSec

2 Copyright Lezha Publications. All rights reserved. Lezha Publications acknowledge all registered trademarks. All references to trademarks are purely editorial. These training course materials have no affiliation with or endorsement from any company whose trademark may have been referenced. All rights reserved. This product and related documentation are protected by copyright and distribution under licensing restricting their use. No part of this work may be reproduced in any form or by any means graphic, electronic, or mechanical including but not limited to photocopying, recording, taping or storage in an information retrieval system, without the prior written permission of the copyright owner. The information in this book is distributed on an As Is basis, without warranty or liability. While every precaution has been taken in the preparation of this book, neither the printer, or copyright owner shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by information contained in this book or by the computer software or hardware products described herein. Printed and distributed under license from Lezha Publications by ITSec Solutions Ltd.

3 1 - Networks and Firewalls Objectives Know how packet filtering works Know how application proxies work Know how Stateful Inspection works Know how to apply basic filters in tcpdump Know how to create a pcap file for analysis by WireShark Approximate time for completing each section Section 1 Securing Networks 20 Minutes Section 2 Basic Network Packet Analysis 10 Minutes Total time 35 Minutes Prerequisites Basic understanding of TCP/IP Knowledge of MS-Windows Have VMWare Workstation or a Hypervisor Installed Have the Virtual Machines ready for use 1-CPMgmt1-NetworksAndFirewalls-R75 DN Lezha Publications 2012

4 Contents 1 Securing Networks All Firewalls are Not Equal Primary Organization Network Hosted Services Network Remote Office Networks Basic Protocols IP Protocol TCP Protocol UDP Protocol ICMP Protocol Protection Using Simple Packet Filters Packet Filter Protection Protection Using Application Proxies Application Proxy Protection Protection Using Hybrids Stateful Inpsection Stateful Inspection Protection Building State Tables Check Point Filtering Modules Check Point State Tables Basic Network Packet Analysis Sniffing Packets tcpdump Wireshark CPMgmt1-NetworksAndFirewalls-R75 2 Lezha Publications 2012

5 2 - Check Point Components Objectives Understand Check Point products Secure the Global network Understand the function of the SmartCenter Understand the function of the VPN-1 Power/UTM Module Understand the Interaction between GUI Clients, SmartCenter & Firewalls Understand the product options for NGX R75 and Blades Understand the Blade options using Containers Approximate time for completing each section Section 1 Check Point Components 20 Minutes Section 2 Product Combinations 10 Minutes Total time 30 Minutes Prerequisites Complete Module 1 The contents of this module should not be relied on when purchasing products. It is only meant as a simple overview. The product combinations and offers continually change and a qualified reseller with access to the latest information and datasheets should be consulted before any purchase decisions are made. Make sure you always get the latest product data sheets from 2-CPMgmt1-CheckPointComponents-R75 DN Lezha Publications 2012

6 Contents 1 Check Point Components Product Overview Securing the Global Organization Perimeter Remote Access Check Point VPN-1 UTM/Power Components Component Overview SmartCenter VPN-1 Power/UTM Modules/Blades GUI Clients Product Combinations Modules/blades Check Point Power Check Point UTM Check Point UTM-1 Edge Check Point Software Gateways Check Point Software SmartCenter & Gateway Bundles R70 onwards Products Blades Check Point Gateway Appliances Power Check Point Gateways IP Appliances Check Point Gateways UTM-1 Appliances Check Point Gateways UTM-1 Edge Check Point Software Security Gateways Bundles Check Point Gateways Security Management Bundles Check Point Gateways EndPoint Security Check Point Gateways Abra CPMgmt1-CheckPointComponents-R75 2 Lezha Publications 2012

7 3 - Installing the Firewall SecurePlatform Objectives Check the Virtual Machine template for the Firewall Install a SecurePlatform Firewall Configure the Firewall Interfaces Understand the difference between CPShell & Expert Shell/Mode Understand the use of fw unloadlocal Understand the InitialPolicy & Defaultfilter Security policies Understand the security risks of using cpstop & fwstop Understand debugging connectivity issues for a new firewall Approximate time for completing each section Section 1 Creating and configuring the Virtual Machine 20 Minutes Section 2 Installing the SecurePlatform Base Build 15 Minutes Section 3 Installing VPN-1 on SecurePlatform 30 Minutes Section 4 SecurePlatform with VPN-1 Installed - Basics 45 Minutes Total time 1Hr 50 Min Prerequisites VMWare Workstation or Server The virtual machine ClassRouter needs to be started, IP address The virtual machine Host1 needs to be started, IP address SecurePlatform ISO image available on the local disk 3-CPMgmt1-fwinstall-R75 DN Lezha Publications 2012

8 Contents 1 Check the Status the Virtual Machine for fw-site1 & mgmt-site Check the VM settings for fw-site Virtual Machine fw-site Machine mgmt-site Installing the SecurePlatform Base Build Install SecurePlatform (SPLAT) Set Keyboard Layout Set an Administration IP Address Set the Port for Web GUI Access Format the Hard Disk & Reboot Installing Firewall Blades on SecurePlatform Configure the Base OS Parameters & Check Point Products Initial Login Run sysconfig Set the Hostname Set the Domain Set Network parameters for Interface eth Set Network Parameters for Interface eth Set the Date and Time Import Check Point Products Configuration Check Point Product Install Select Installation Type Select Check Point Products Security Gateway Select Check Point Products Basic Configuration Set the Activation Key for SIC Gateway Reboot SecurePlatform with VPN-1 Installed - Basics SecurePlatform Access Level & Shells Initial Debugging fw unloadlocal CPShell Command List Setting the idle Timeout Expert Mode Understanding cpstop Security Risks Testing cpstop Basic tcpdump Packets on an Interface Using cpstop fwflag default Using cpstop fwflag proc Using fwstop Basic Network Scan Using Superscan Superscan - InitialPolicy Superscan - Defaultfilter Superscan fw unloadlocal No Policy installed Firewall installation Summary CPMgmt1-fwinstall-R75 2 Lezha Publications 2012

9 4 - Installing the Check Point SmartCenter Objectives Check the status of the Virtual Machine mgmt-site1 Install the SmartCenter Know the difference between a Primary and Secondary SmartCenter Install the SmartConsole clients Understand the importance of a rebuild strategy for the SmartCenter Know why the SmartCenter needs to be protected Know where log files are stored Know the use and limitation of the initial administrator Know the purpose of the remote GUI clients list Set the FQDN for the Certificate Authority Know the purpose and use of the SmartCenter fingerprint Approximate time for completing each section Section 1 Management Server Virtual Machine 10 Minutes Section 2 Installing the Check Point SmartCenter 45 Minutes Section 3 Installing the SmartConsole Clients 10 Minutes Total time 65 Minutes Prerequisites VMWare Workstation or Server The virtual machine mgmt-site1 base machine should exist with no OS installed Check Point SPLAT & Windows ISO available on the local disk 4-CPMgmt1-MgmtInstall-R75 DN Lezha Publications 2012

10 Contents 1 Management Server Virtual Machine Virtual Machine Setup mgmt-site Set the CDROM Boot Device Installing the Check Point SmartCenter and SmartConsole Install SecurePlatform (SPLAT) for the SmartCenter Set Keyboard Layout Set an Administration IP Address Set the Port for Web GUI Access Format the Hard Disk & Reboot Configure the Base OS & Check Point SmartCenter Initial Login Run sysconfig Set the Hostname Set the Domain Network Parameters Set the Date and Time Import Check Point Products Configuration Check Point Product Install Select Installation Type Select Check Point Products Security Gateway SmartCenter License SmartCenter Administrator SmartCenter GUI Clients SmartCenter CA & Fingerprint SmartCenter Reboot & Check Network Connectivity Set the expert Password cpconfig and sysconfig on the SmartCenter SmartConsole Clients Installing the SmartConsole Clients on Host Location and Clients to Install Getting the SmartConsole from SPLAT CPMgmt1-MgmtInstall-R75 2 Lezha Publications 2012

11 5 - Connecting to the SmartCenter Objectives Understand the options in cpconfig on a SmartCenter Know the main configuration file for storing the SmartCenter objects Objects_5_0.C Know what is required to connect to the SmartCenter Know why some objects are automatically created Understand the use of Logs Servers & Masters Know how to select products installed on a Check Point Object Understand the elements of a rule, SRC/DST/VPN/Service/Action/Track/Install On/Time/Comment Approximate time for completing each section Section 1 Check Point Configuration 10 Minutes Section 2 Basic SmartDashboard Connecting to the SmartCenter 15 Minutes Section 3 Basic Rule Parameters 15 Minutes Total time 40 Minutes Prerequisites Complete Module 4 Virtual Machine mgmt-site1 must be running Virtual Machine Host1 must be running 5-CPMgmt1-MgmtConnect-R75 DN Lezha Publications 2012

12 Contents 1 Check Point Configuration Check Point Configuration - cpconfig cpconfig on a SPLAT SmartCenter Adding Administrators Checking the GUI Client List Displaying the SmartCenter Fingerprint Moving the Fingerprint File to a Workstation Time, SmartCenter and Firewall Install NTP Server on Host Set Time Synchronization for SmartCenter and Firewall Basic SmartDashboard Connecting to the SmartCenter The SmartConsole Clients Initial Login to the SmartCenter The SmartCenter Fingerprint Check Point Software Blades The SmartDashboard Layout Turning Display Areas On/Off The Objects List SmartDashboard Security Policy Tabs Editing the SmartCenter Object Objects Tree Comment & Color Topology Log and Masters Basic Rule Parameters Introduction to Rules Adding a Rule Rule Elements Rule number and Name Setting Source/Destination Setting the VPN Column Setting the Service Setting the Type of Action Setting the Type of Logging Gateway Installation Install On Comment Field Starting the Other SmartConsole Clients CPMgmt1-MgmtConnect-R75 2 Lezha Publications 2012

13 6 - Creating Network Objects Objectives Understand the type of objects that can be used in a Security Policy Create the Firewall object and change some parameters Establish trust between the SmartCenter and Firewall Understand how to set Anti-spoofing Know how to set the maximum concurrent connections through the Firewall Know how to break and reset Secure Internal communications (SIC) between a SmartCenter and Firewall Create the basic objects required for the classroom environment Approximate time for completing each section Section 1 Object Types 15 Minutes Section 2 Creating the Firewall Object 15 Minutes Section 3 Breaking SmartCenter & Firewall SIC 15 Minutes Section 3 Creating General Network Objects 25 Minutes Total time 70 Minutes Prerequisites Complete Module 5 Virtual machines Host1, mgmt-site1 & fw-site1 must be running 6-CPMgmt1-CreateObj-R75 DN Lezha Publications 2012

14 Contents 1 Object Types Object Types Creating Objects Network Objects Check Point Nodes Network Groups Dynamic Security Zones Others VoIP Domains Services, Resources, OPSEC, Users & VPN Communities Services Resources Servers & OPSEC Applications Users and Administrators VPN Communities Creating the Firewall Object Check Point Gateway Object Create a New Check Point Gateway Set the Hostname and IP address Set the Color to Red Select Check Point Software Blades Set Secure Internal Communications Changes to the Firewall Tab Option List HTTPS Inspection SecurePlatform Setting Logs And Masters Capacity Optimization Breaking SmartCenter and Firewall Communications Breaking and Resetting SIC Reset SIC on the Firewall Test Trust for the Firewall Object in the SmartCenter Reset SIC in the Firewall Object Creating General Network Objects Creating the Network Type Objects Create the Internal Network Network Object Broadcast Address Create the DMZ Network Create the External Network Create the Remote Site2 Network Creating Node Type Objects Create the Internal Server adsrv Create the Internal Workstation host Create the DMZ SMTP Server Host Create the DMZ Web/FTP Server Host Create the Class Room Web Server Host Creating External FTP servers for ftp.hp.com Using nslookup Creating the FTP Servers Cloning Objects Creating a Group Object Create the Classroom Router Gateway Object Summary of Objects Created Dealing with Anti-spoofing Setting the Topology Get Interfaces Setting Topology Get Interfaces with Topology (Anti-spoofing) Making Topology Changes CPMgmt1-CreateObj-R75 2 Lezha Publications 2012

15 7 - Creating Rules and Installing the Security Policy Objectives Create a Policy Package Add Rules to a Security Policy Understand how rules interact with each other Know how to install security policies Understand how to check the policy currently installed on a firewall Understand the difference between Implicit and Explicit rules Understand the risk of using implied rules for allowing DNS Understand how to break and reset SIC trust between a SmartCenter and Firewall Understand that Security Policies can be pulled from the SmartCenter as well as being pushed to a firewall Be aware of the services Check Point products use Approximate time for completing each section Section 1 Dealing with Policy Packages 10 Minutes Section 2 Adding Rules 40 Minutes Section 3 Policy installs 20 Minutes Section 4 Explicit and Implicit Rules 30 Minutes Section 5 Saved Versus the Installed Policy 10 Minutes Total time 110 Minutes Prerequisites Complete Module 6 Virtual machines Host1, Mgmt-Site1 & fw-site1 must be running 7-CPMgmt1-CreateRules-R75 DN Lezha Publications 2012

16 Contents 1 Dealing With Policy Packages Policy Packages Simplified or Traditional Policy Creating a New Policy Package Adding rules Adding rules Stealth Rule Internal Network Out bound Rule Cleanup Rule Broadcast Junk Rule SMTP Inbound Rule SMTP Outbound Rule Web Inbound Rule Firewall Secure Shell Access Rule Negating Objects in a Rule Reviewing the rules Rule Review - Firewall at Risk from the SMTP Server Internal Network at Risk from the SMTP Server Adding Rule Section Titles Rule Summary Policy Installs Installing the Policy Verifying the Security Policy Correcting the Policy after Verification Failures Setting the Policy Targets Installing the Policy Checking the Firewall Status Testing the Rules Firewall Existing Connections - Behavior Explicit and Implicit Rules Implicit Rules Viewing Implied Rules Turning Implied Rules Off Configuring DNS as an Implied Rule (Don t) Accept ICMP requests Rule Base Filtering Order Breaking SmartCenter to Firewall Connectivity with Implied rules Break SmartCenter to Firewall Connectivity SmartCenter Connectivity Recovery - cpstop/cpstart SmartCenter Connectivity Recovery SIC Reset SmartCenter Connectivity Recovery fw unloadlocal SmartCenter Connectivity Recovery fw fetch mgmt (Use this) SmartCenter and Firewall Services Check Point FW Services Check Point CP Services SmartCenter to Firewall Explicit Rule (For Safety) Saved Versus the Installed Policy Saved Policy Installed Policy CPMgmt1-CreateRules-R75 2 Lezha Publications 2012

17 8 - SmartView Tracker Objectives Create log events using a scanner Know the different tabs in the SmartView Tracker, Log, Active, Management Use filters to display different log details Understand the events in the Active view Understand the events in the Management view Know how to rotate log files Know how to export log files to third party products Fetch log files from remote firewall modules Create simple filtered searches Know how to create custom commands in SmartView Tracker Approximate time for completing each section Section 1 Generate Traffic Using a Network Scanner 10 Minutes Section 2 SmartView Tracker 40 Minutes Total time 50 Minutes Prerequisites Complete Module 7 Virtual Machines mgmt-site1, fw-site1, host1 & ClassRouter must be running 8-CPMgmt1-SmartViewTracker-R75 DN Lezha Publications 2012

18 Contents 1 Generate Traffic Using a Network Scanner Scan Set the IP Address Range to Scan Check the Type and Ports to Scan Run the Scan Check Log Events Generated SmartView Tracker Log Tabs, Log, Active, Audit Network & Endpoint Active Management Predefined Filters Rotating, Archiving and Exporting Logs Rotating Log Files Archiving Log Files Exporting Log Files Fetching Log Files from the Firewall Searching and Custom Filters Filter Options Doing Simple Searches Custom Filters View Query Properties Custom Commands Adding a Secure Shell Custom Command Log Parameters in the SmartDashboard Log Type Firewall Object SmartCenter Policy Global Properties Logging to an Alternative Directory CPMgmt1-SmartViewTracker-R75 2 Lezha Publications 2012

19 9 - SmartView Monitor Objectives Know the type of information monitored Know how to set alert types for specific events Know the licensing requirement for SmartView Monitor Use SmartTracker Active Log to block connections User SmartView Monitor to view blocked connections Use SmartView Monitor to block connections Approximate time for completing each section Section 1 SmartView Monitor General Status 10 Minutes Section 2 SmartView Monitor Traffic Statistics 20 Minutes Section 3 Suspicious Activity Monitoring (SAM) 20 Minutes Total time 50 Minutes Prerequisites Complete Module 8 Virtual Machines mgmt-site1, fw-site1, Host1 & ClassRouter must be running 9-CPMgmt1-SmartViewMonitor-R75 DN Lezha Publications 2012

20 Contents 1 SmartView Monitor Gateway Status Filtered views Gateway Properties Other Objects SmartCenter Object System Information Licences Certificate Authority Status and Connected Clients Disconnecting SmartConsole Clients Firewall Object System Information Threshold Settings Global, None, Custom System Alert Daemon SmartView Monitor Traffic Statistics Traffic Statistics Enable SmartMonitor on the Firewall Generate Some Traffic Traffic & System Counters Suspicious Activity Monitoring (SAM) Suspicious Activity Monitoring and Filter Location Using SmartView Tracker Active Log Create a Suspicious Connection View Connection in the SmartView Tracker Active Tab Select Tools Block Intruder Kill Connection for three Minutes Test Connection Rejects and Alerts Clear all SAM Connections fw sam f All D Test Connections Work Using SmartView Monitor - Tools Create a Suspicious Connection View Connection in SmartView Tracker Active Tab Select Tools and Block Intruder View all SAM rules using SmartView Monitor Delete the SAM Rule Create a New SAM Rule Using SmartView Monitor Test the New SAM Rule CPMgmt1-SmartViewMonitor-R75 2 Lezha Publications 2012

21 10 - SmartUpdate Objectives Know how to access the Check Point User Center Know how to manage licenses Understand the purpose of the Contracts file Know how to attach and detach licenses Know the functions that a free in SmartUpdate Approximate time for completing each section Section 1 Check Point User Center 10 Minutes Section 2 SmartUpdate Managing Licenses 15 Minutes Total time 25 Minutes Prerequisites Complete Module 9 Virtual machines mgmt-site1, fw-site1, Host1 and ClassRouter should be running 10-CPMgmt1-SmartUpdate-R75 DN Lezha Publications 2012

22 Contents 1 Check Point User Center Logging into the User Center Viewing Account Information Viewing Product information Products and Licenses Contracts File Creating Licenses Central or Local licenses SmartCenter IP Address Changing Licensed IP Address Full Version Upgrades Require New Licenses R75 Blade licenses Management Blades Network Security Blades SmartUpdate Managing Licenses Using SmartUpdate Licenses and Contracts Product and Package Information Generating cpinfo data Adding Licenses & Contracts Attaching and Detaching Licenses CPMgmt1-SmartUpdate-R75 2 Lezha Publications 2012

23 11 - Working with the Security Policy Objectives Know how to use Revision Control. Use the features of the SmartDashboard to Disable, hide and search for objects in the rulebase. Understand pre-defined services and the timeouts associated with them. Understand how to create new services (ports) and the risks associated with them. Understand how to abuse and tunnel services over standard ports. Adjust the security policy to increase the security checking of the policy. Understand that even a simple addition to the security policy rules can require careful risk analysis. Approximate time for completing each section Section 1 Policy Revision Control 20 Minutes Section 2 Rule display 15 Minutes Section 3 Dealing with Services 30 Minutes Section 4 Adding More Rules 30 Minutes Section 5 Simple Systems Analysis for Rule Evaluation 10 Minutes Total time 105 Minutes Prerequisites Complete Module 10 Virtual machines mgmt-site1, fw-site1 Host1 & ClassRouter must be running 11-CPMgmt1-WorkingWiththePolicy-R75 DN Lezha Publications 2012

24 Contents 1 Policy Revision Control Database Revision Control Creating Revisions Where are Revisions Stored Viewing Revisions Rolling Back Revisions Rule Display Rule Display and Policy Interaction Hiding Rules Disabling Rules Rule Filters Object Location Where Used Finding Objects in Rules Dealing with Services Predefined Services and the Inspection Engine TCP UDP ICMP RPC DCE RPC Other Basic Filtering & IPS Interaction Creating Services Creating a TCP Service and Naming Convention Advanced Properties - Session Timeout and Filtering Two Service Objects Using the Same Port Number Applying the New Service to a Rule Abusing a Standard Service Tunneling over DNS (TCP) IPS Filtering for DNS TCP Default is Off Turn on DNS TCP in the Policy Global Properties Edit the Telnet Server Port on & host1.site1.com Test the Security Policy Oops Adding More Rules Current Rules check DNS rule Create the DNS Server Objects Type Host Add the DNS Rule Add the Internal DNS Servers Modify the DNS Rule Outgoing Rule for HP FTP Servers Add the FTP Outgoing Rule Restricting the Outgoing Rule Modify the Outgoing Rule Modify the FTP Outgoing Rule Delete the Disabled Outgoing Rule Current Security Policy Rules Check Verify and Install the policy Simple Systems Analysis for Rule Evaluation How to Evaluate From A to B allow FTP when B is your Server How to Solve the Problem of Abusing Ports CPMgmt1-WorkingWiththePolicy-R75 2 Lezha Publications 2012

25 12 - Setting up User Account Authentication Objectives Know how to add new SmartCenter administrator accounts Know the authentication schemes that Check Point can use, OS Password, Internal Password, RADIUS, TACACS, SecurID Create User Accounts, Groups and Templates Know the authentication database and Daemons used for Authentication Know how to export the user database Know the three types of authentication used, User, Session & Client Approximate time for completing each section Section 1 Creating Administrator Accounts 30 Minutes Section 2 Creating Firewall Rule Authentication Accounts 20 Minutes Section 3 Authentication Processes 20 Minutes Total time 70 Minutes Prerequisites Complete Module 11 Virtual Machines mgmt-site1, fw-site1, Host1 & ClassRouter must be running 12-CPMgmt1-SettingUpAuth-R75 DN Lezha Publications 2012

26 Contents 1 Creating Administrator Accounts Administrator Accounts cpconfig SmartDashboard Administrators Administrator Profile Admin - Groups Administrator Authentication Schemes Using Certificates Testing Administrator Account Using a RADIUS Server Create a RADIUS Server Object Create another administrator Use - RADIUS Authentication Creating Firewall Rule Authentication Accounts Users for Firewall Rule Authentication Supported Authentication Schemes Firewall - Enabled Authentication Schemes Access Role and Legacy Users Access Creating User Groups Creating User Templates Creating User Accounts Authentication Processes User Administration Database & Daemons fwauth.ndb fwauthd.conf Exporting & Importing the User Database External User Profiles Match all Users Match by Domain Authentication and Security Rules User Authentication Session Authentication Client Authentication CPMgmt1-SettingUpAuth-R75 2 Lezha Publications 2012

27 13 - Using User Authentication Objectives Know the Services that can be used with User Authentication Know the daemons associated with User Authentication Complete User Authentication using telnet Complete User Authentication using FTP Complete User authentication using HTTP Understand the problem with User Auth & Accept rule clashes Use tcpdump to sniff Usernames/Passwords Approximate time for completing each section Section 1 User Authentication 35 Minutes Section 2 Using Authentication from internal Networks Rule clashes 30 Minutes Section 3 User Login Details - tcpdump 15 Minutes Total time 80 Minutes Prerequisites Complete Module 12 Virtual machines mgmt-site1, fw-site1, Host1, asdrv01 & ClassRouter must be running 13-CPMgmt1-AuthUser-R75 DN Lezha Publications 2012

28 Contents 1 User Authentication User Authentication Daemons & Process Authentication Daemons and Supported Services User Authentication Policy Global Properties Welcome Message Authentication Using Telnet Add a telnet Authentication rule Check Rule Properties Intersect with User Database Installing the Policy and Testing Authentication Authentication Using http Add an http Authentication rule Check Rule Properties Allowed http Servers Adding predefined servers Installing the policy and Testing Authentication Authentication Using FTP Add an Authentication rule Format of User/Password for Authenticating Using FTP Installing the Policy and Testing Authentication Basic Authentication Summary Multiple Rules or a Single Rule Removing the Check Point Prompt Using Authentication from Internal Networks Rule clashes Authentication Behavior Source IP Address Changing the Behavior GuiDBedit Using http for Authentication from Internal Networks Adding the Internal Out http Authentication Rule Reason for Authentication Not Being Enforced Correctly Implementing the Authentication Rules User Login Details tcpdump Stealing User Login Information Packet trace using tcpdump Packet trace using tcpdump and Wireshark CPMgmt1-AuthUser-R75 2 Lezha Publications 2012

29 14 - Using Session Authentication Objectives Understand how Session Authentication works Install and use the Session Agent Understand the limitation of Session authentication Approximate time for completing each section Section 1 Session Authentication 35 Minutes Total time 35 Minutes Prerequisites Complete Module 13 Virtual machines mgmt-site1, fw-site1 Host1 & ClassRouter must be running 14-CPMgmt1-AuthSession-R75 DN Lezha Publications 2012

30 Contents 1 Session Authentication Session Authentication Daemon & Process Authentication Daemon & Supported Services Installing the Session Agent Agent Install Agent Behavior Every Connection or Per Session Problems with Agent Access Port Authentication Using FTP Add an Authentication rule Installing the Policy and Testing Authentication Session Agent Using SSL Encryption Using Every request Authentication CPMgmt1-AuthSession-R75 2 Lezha Publications 2012

31 15 - Using Client Authentication Objectives Know the daemons that Client Authentication uses Know the port numbers used by Client Authentication daemons Know the different sign-on methods for Client Authentication Use client authentication with FTP Approximate time for completing each section Section 1 Client Authentication 60 Minutes Section 2 External User Database - LDAP 40 Minutes Total time 100 Minutes Prerequisites Complete Module 14 Virtual machines mgmt-site1, fw-site1, Host1, adsrv01, & ClassRouter must be running 15-CPMgmt1-AuthClient-R75 DN Lezha Publications 2012

32 Contents 1 Client Authentication Client Authentication Daemons & Process Authentication Daemons & Supported Services Client Authentication Policy Global Properties Welcome Message Client Authentication and the Perimeter Router/Firewall Client Authentication Details Client Authentication aclientd, Port Client Authentication ahclientd, Port Controlling the Number of Sessions and Time Period Client Authentication Sign On Methods Authentication Using FTP Manual Authentication Add an Authentication rule Installing the Policy and Testing FTP Access Authentication Using Secure Shell Add an Authentication rule Installing the Policy and Testing Secure Shell Access Authentication Using a Different Port Number Edit the fwauthd.conf File Test the Authentication Using a Different Port Number Add a Rule to Allow Port 2590 Access to the Firewall Port 259 and 900 Versus a Different Port Client Authentication Using https Edit the fwauthd.conf File on the firewall External User Database LDAP LDAP Server Using Active Directory Check the Details of the AD Server Listing the DN for all Users Create an AD Account for Check Point Firewall Service Access Create an LDAP Account Unit Turn on SmartDirectory for Security Gateways Create an LDAP User Group Fetching the LDAP Account Unit Tree of Data Add a Client Authentication Rule for the LDAP Group Test the LDAP Authentication Check Point LDAP Account, Domain Admin or Not Change Privilege Level Remove Domain Admin Enable LDAP SSL Encryption CPMgmt1-AuthClient-R75 2 Lezha Publications 2012

33 16- Identity Awareness Objectives Understand how Identity Awareness works Understand the use of AD Query Understand the use of Captive Portal Understand the use of Identity Agents Approximate time for completing each section Section 1 Current Rules Check 5 Minutes Section 2 Current Objects Check 10 Minutes Section 3 Identity Awareness 45 Minutes Total time 60 Minutes Prerequisites Complete Module 15 Virtual machines mgmt-site1, fw-site1, Host1, adsrv01 & ClassRouter must be running. 16-CPMgmt1-IdentityAwareness-R75 DN Lezha Publications 2012

34 Contents 1 Current Rules Check Current Rules Disable the Legacy Authentication Rules Current Objects Check Current Objects Network Objects Services Servers and OPSEC Applications Users and Administrators Identity Awareness Identity Awareness User Databases AD Query Captive Portal Identity Agent Enabling Identity Awareness Blade License Check the AD User Account Enabling Identity Awareness on the Gateway Object Using Identity Awareness with AD Query Check the AD Server Users Security Rules using Active Directory Query Standalone Workstation Domain Member Workstation Using Identity Awareness with Captive Portal Configuring the Captive Portal Security Rule using Captive Portal Extending the Rule for Captive Portal Add Telnet and FTP to the Access Role Rule Using Identity Awareness with Identity Agents Type of Agents Deployment of Agents Security Rule using Identity Agent CPMgmt1-IdentityAwareness-R75 2 Lezha Publications 2012

35 17 - Network Address Translation Objectives Know the networks defined in RFC1918 Understand that NAT may cause Client/Server connection problems Understand the NAT setting in Global Properties Know how to use Hide/Dynamic NAT Know how to use Static NAT Know which NAT method to apply for a given situation Understand the important of ARPs in relation to Static NAT Use NAT in a Security Policy Approximate time for completing each section Section 1 Rules Check 10 Minutes Section 2 Network Address Translation 30 Minutes Section 3 Using Network Address Translation - Basic 35 Minutes Section 4 Using Network Address Translation - Advanced 30 Minutes Total time 1 Hr 45 Min Prerequisites Complete Module 16 Virtual machines mgmt-site1, fw-site1, ClassRouter & Host1 must be running 17-CPMgmt1-NAT-R75 DN Lezha Publications 2012

36 Contents 1 Rules Check Current Rules Create a New Policy using Save As Clean up the Current Rules Rule Summary before starting Network Address Translation Network Address Translation Basic Network Address Translation RFC Problems with NAT NAT Properties Policy Global Properties - NAT Client Side NAT Server Side NAT Objects and the NAT Tab Hide/Dynamic NAT Hide NAT - Automatic Rules Hide NAT - Manual Rules Static NAT Static NAT Automatic Rules Static NAT Manual Rules Problems with Static NAT Manual Rules Why does the Firewall need Proxy ARPs Creating Proxy ARPs Using Network Address Translation - Basic Testing a connection without NAT Create a Connection to Check the Source Address using netstat a on Implementing Hide/Dynamic NAT Hide NAT - Automatic Rules Hide NAT - Automatic Rule Testing Hide NAT - Manual Rules Hide NAT - Manual Rules Testing Implementing Static NAT Static NAT Automatic Rules State Table ARP Entries fw tab t arp_table or fw ctl arp Static NAT Automatic Rule Testing Static NAT Automatic Rules, Policy Rule Matching Static NAT Manual Rules Using Network Address Translation - Advanced Implementing Static NAT and Port Mapping Static NAT Automatic Rule Problem Using Different Ports Static NAT Manual Rules with Port Mapping Hiding a Server on the External Network from the Internet Taking advantage of ARPs Static NAT without Proxy ARPs, Routed Networks CPMgmt1-NAT-R75 2 Lezha Publications 2012

37 18 Intrusion Prevention System (IPS) Objectives Know how to create IPS Profiles Understand the typical network features IPS protects against Understand where Application Intelligence fits into the Security Policy Know how to use the features of Web Intelligence to protect web servers and http traffic Change settings in IPS, apply them a Security Policy and test the features Approximate time for completing each section Section 1 IPS and Firewalls 10 Minutes Section 2 IPS Features 40 Minutes Total time 50 Minutes Prerequisites Complete Module 17 Virtual machines mgmt-site1, fw-site1, ClassRouter & Host1 must be running 18-CPMgmt1-IPS-R75 DN Lezha Publications 2012

38 Contents 1 IPS and Firewalls Basic Intrusion Prevention System (IPS) IPS Blade Requires a License Profile Management Profile Assignment Protections IPS Blade Features Network Security Streaming Engine Settings Anti-Spoofing Configuration Status Denial of Service IP and ICMP TCP Fingerprint Scrambling DShield Storm Center Port Scan NTP Application Intelligence Mail FTP Microsoft Networks Peer to Peer Instant Messengers DNS VOIP VPN Protocols Remote Control Applications The Others Web Intelligence Malicious Code Application Layer Information Disclosure HTTP Protocol Inspection CPMgmt1-IPS-R75 2 Lezha Publications 2012

39 19 - Content Security Servers Objectives Understand how Content Security server work at the application level and not the kernel level Create Resources that can be used with the Content Security Servers Make use of the HTTP Content Security Server Make use of the FTP Content Security Server Understand how CVP Servers integrate with the Content Security Servers Understand how UFP Servers integrate with the Content Security Servers Approximate time for completing each section Section 1 Content Security Servers 10 Minutes Section 2 HTTP Content Security 30 Minutes Section 3 FTP content Security 35 Minutes Section 4 CVP and UFP Servers 30 Minutes Total time 1 Hr 45 Min Prerequisites Complete Module 18 Virtual machines mgmt-site1, fw-site1, Host1 & ClassRouter must be running 19-CPMgmt1-ContentSecurityServers-R75 DN Lezha Publications 2012

40 Contents 1 Security Policy Rules Check Create New Policy with Basic Rules Content Security Servers Content Security Servers Servers and Processes, HTTP, FTP, SMTP Resouces (filters) Example Rules HTTP Content Security Server HTTP Resources Creating an HTTP Resource Query Word Filter Creating an HTTP Resource Strip Java Creating an HTTP Resource Block an IP Address Using URI Resources in Rules Testing the Resources URI Match Example file FTP Content Security Server FTP Resources Creating an FTP Resource Filter Options Apply the Resources to a Rule Testing the Resource SMTP Content Security Server SMTP Resources Creating an SMTP Resource Apply the Resource to a Rule CVP and UFP Servers CVP Creating a CVP Server UFP Creating a UFP Server Using OPSEC Groups Creating a Group Load Balancing or Chaining CPMgmt1-ContentSecurityServers-R75 2 Lezha Publications 2012

41 20 - Managing Multiple Firewalls Objectives Create a second SecurePlatform firewall Establish trust and take control of the firewall Install a Basic Security Policy Understand the use of Single or Multiple Security Policies when managing multiple firewalls Create log data and filter traffic based on the Firewall Origin Approximate time for completing each section Section 1 Managing Multiple Firewalls 15 Minutes Section 2 Creating fw.site2.com 80 Minutes Total time 1Hr 35 Min Prerequisites Complete Module 19 Virtual machines mgmt-site1, fw-site1, Host1 & ClassRouter must be running Virtual machine fw-site2 20-CPMgmt1-ManagingMultipleFirewalls-R75 DN Lezha Publications 2012

42 Contents 1 Managing Multiple Firewalls Creating the Virtual Machine Virutal Machine Type Linux, Red Hat Installing SecurePlatform Installing SPLAT Managing Multiple Firewalls SmartCenter License Firewall Module License Creating fw.site2.com Creating fw.site2.com Turn on Logging for Implied Rules Creating the Firewall Object fw.site2.com Establishing Trust SIC Communication Topology Writing Rules Installing the Policy Testing the Policy & Generating Log Traffic Log Origin Managing Multiple Firewalls Single Policy or Multiple Polices Creating Multiple Policies CPMgmt1-ManagingMultipleFirewalls-R75 2 Lezha Publications 2012

43 21 - Backups and Recovery Procedures Objectives Understand how to use upgrade_export to backup a SmartCenter Understand how to use upgrade_import to clone a SmartCenter Understand how to migrate a SmartCenter from a Windows platform to Check Points SecurePlatform Know how to create backups of the Firewall Know how to restore from backups Know how to create snapshot images Know how to restore from a snapshot image Approximate time for completing each section Section 1 Backing up the SmartCenter 60 Minutes Section 2 Backing up the Firewall on SPLAT 45 Minutes Section 3 SPLAT Maintenance Mode 15 Minutes Total time 2 Hrs Prerequisites Complete Module 20 Virtual machines mgmt-site1, fw-site1, Host1 & ClassRouter must be running 21-CPMgmt1-BackupsAndRecovery-R75 DN Lezha Publications 2012

44 Contents 1 Backing up the SmartCenter SmartCenter Configuration - upgrade_export & upgrade_import Using upgrade_export upgrade_export and Policy Revisions Rebuilding a SmartCenter upgrade_import Building a Virtual Machine for the SecurePlatform SmartCenter Creating a base Install Copying the upgrade_export file cpexport.tgz to the SecurePlatform Completing the Install Run sysconfig Testing the Install Reset the Environment back to using the Original SmartCenter Backing up the Firewall on SecurePlatform Creating Backups backup Create a backup of the Firewall backup is just an alias Setting Automated Backups using the WebGUI Local backup Directory Recovering a Backup file using restore Using Restore to recover a Firewall Snapshot Images snapshot Creating a snapshot The snapshot Directory Restoring snapshot Images revert Restore a snapshot Using revert SPLAT Maintenance Mode Maintenance Mode Single User Mode Boot into Maintenance Mode Single User CPMgmt1-BackupsAndRecovery-R75 2 Lezha Publications 2012