WORLDWIDE LEADER IN SECURING THE INTERNET
Technical Lab n°1 Guidelines
End-to-End Security and VPN
Post on 26-Dec-2015
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Agenda
- Introduction
- Lab Presentation
- Lab 1-1 : VPN Client to Gateway
- Lab 1-2 : Hybrid Mode
- Lab 1-3 : SecureClient
- Lab 1-4 : SecureServer
- Lab 1-5 : SR/SC behind NAT Hide
Introduction : Objectives
- Understand End-to-End Security and secure communications
- Setup Hybrid Mode (strong authentication)
- Setup / Manage VPN-1 SecureServer
- Understand and setup the new SP2 functionality : UDP encapsulation
Lab Architecture – Lab 1
[Diagram: VPN-1 (FW/VPN Module + Management) sits between two hubs, with interfaces 192.168.2.30 and 192.168.1.30. Client side: CLIENT running SecureClient, 192.168.1.25. Server side: SERVER (RADIUS) and SecureServer (Telnet Server + SecureServer), at 192.168.2.31 and 192.168.2.32.]
Components
Machine       OS            Software
VPN-1         NT 4.0 SP6a   VPN-1 4.1 SP2
SERVER        NT 4.0 SP6a   Radius Server
SecureServer  NT 4.0 SP6a   Telnet Server + SecureServer 4.1 SP2
Client        NT 4.0 SP6a   VPN-1 SecureClient build 4165
Lab 1-1 : VPN Client to Gateway
Logical architecture
[Diagram: client-to-gateway VPN tunnel between CLIENT and the VPN-1 FW/VPN Module (+ Management); SERVER and SecureServer sit on the hub behind the gateway.]
Lab 1-1 : VPN Client to Gateway
- Configure VPN-1 to support client-to-site encryption
- Create a remote user
- Create SecuRemote Site
- Access SecureServer with telnet
- Check logs
Lab 1-1 : VPN Client to Gateway (ADVANCED)
- Debug SecuRemote
  - fwenc.log file
  - SRinfo file
- Debug IKE negotiation
  - Use IKEview
Lab 1-1 : VPN Client to Gateway (ADVANCED)
Ike.elg and Ikeview
Use with FireWall-1/SecuRemote 4.1:
- Generate a file IKE.elg on FW-1 4.1 or SR4.1. To do it, you need to :
  - Create the environment variable FWIKE_DEBUG=1 (set FWIKE_DEBUG=1)
  - On FW-1 : fwstop, fwstart
  - On SR4.1 : kill SR, create a log directory (in SRDIR directory) and reload SR.
- The file IKE.elg will be created in the log directory.
- Load IKEView and open the IKE.elg file.
Lab 1-2 : Hybrid Mode
Logical architecture
[Diagram: same layout as Lab 1-1; the VPN from CLIENT terminates on the VPN-1 FW/VPN Module (+ Management), which authenticates the user against the RADIUS SERVER (Auth).]
Lab 1-2 : Hybrid Mode
Goal : establish a client-to-site IKE VPN using Radius to authenticate the remote user.
IMPORTANT: You must define a user with pre-shared secret to download the topology.
Lab 1-2 : Hybrid Mode
- Define a user with pre-shared secret to download the topology
  - Not member of any group
- Create the Internal CA on the Management Station
- Create a Certificate for the VPN/Firewall Module
- Allow "Hybrid" Mode SecuRemote Authentication on the Firewall Object (IKE Tab)
- Define a User with one of the classical authentication methods (ex: RADIUS)
- Update the SecuRemote Site with the first user
- Test authentication
- Check logs
Lab 1-3 : SecureClient
Logical architecture
[Diagram: as in Lab 1-1, with the VPN-1 host now also running the Policy Server (FW/VPN Module + Management + Policy Server).]
Lab 1-3 : SecureClient
- Define a Policy Server
- Define a policy (encrypt only)
- Update SecureClient Site
- Reach TelnetServer
- Try to ping 192.168.6.1
- Configure SCV (Desktop Configuration Verification)
- Then bind NetBeui on the client
- Try to reach TelnetServer
- Then uncheck SCV
Lab 1-3 : SecureClient (Advanced)
- View unauthorized actions on SecureClient
- View SR.log file
Lab 1-4 : SecureServer
Logical architecture
[Diagram: the VPN now runs end-to-end from CLIENT through the VPN-1 FW/VPN Module (+ Management) to SecureServer itself.]
Lab 1-4 : SecureServer
Goal is to establish end-to-end VPN between client and Server.
- Create new encryption domain for VPN1
- Change VPN properties for VPN1
  - Encryption domain
- Enable VPN for SecureServer
- Create Certificate for Secureserver (Hybrid mode)
- Register SecureServer as a Radius Client
Lab 1-4 : SecureServer
- Update topology
- Access Secureserver with telnet
- Check Logs
Lab 1-4 : SecureServer
Warning: A security rule whose « Install on » field is set to « Gateways » is not applied to SecureServer (just gateways).
Features not available on SecureServer:
- User Authentication
- Content Security (CVP, UFP..)
- NAT
- IP forwarding is turned off (…)
Lab 1-5 : SR/SC behind NAT Hide
Logical architecture
[Diagram: the customer site (CLIENT running SR/SC, behind a hub) sits behind the VPN-1 host, which now acts as a router (=Routeur); SR/SC is NATed Hide behind that address, and the VPN runs end-to-end to SecureServer on the far side.]
NAT with SecuRemote Cont.
- Create a new network object for Net 192.168.1.0, NATed Hide behind 192.168.2.30
- Uncheck VPN properties for VPN1
- Bind Policy Server to SecureServer
- Modify Rulebase
- Create new SR site (Secureserver)
- Access SecureServer with telnet
- Check Logs