ngx i r65 slides

7/31/2019 Ngx i r65 Slides

1/183

2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.puresecurity

Check Point Security Administration I

NGX (R65)


2/183


Slide Graphic Legend


3/183


Course Objectives

Part 1: Getting Started Chapter 1: Introduction to VPN-1

Given your understanding of Check Points three-tierarchitecture and basic firewall concepts, design and install adistributed deployment of VPN-1.

Test to verify the VPN-1 deployment, based on SICestablishment between the SmartCenter Server and theGateway using SmartDashboard.

Chapter 2: Introduction to SecurePlatform

Given the most current configuration, update the appropriatenetwork interface using the sysconfig utility to change themanagement interface.

Given specific instructions, perform a backup and restore of thecurrent Gateway installation from the command line.


4/183


Course Objectives

Part 2: Security Policy Chapter 3: Introduction to the Security Policy

Given the network topology, create and configure network, host,and gateway objects for your city site.

In SmartMap view, actualize your city sites network objects.

In SmartMap, given your partner citys network data, create and

configure your partner citys Web server object.

Create a basic Rule Base in SmartDashboard that includespermissions for administrative users, external services, and LANoutbound use. Test your Rule Base with your partner city, andevaluate logs in SmartView Tracker.

Given your Policys implicit rules, configure an implied rule for

logging purposes.


5/183


Course Objectives

Manually configure NAT rules on your Web-server and Gatewayobjects. Refer to the Global Properties of the Gateway object.

Configure the Policy using Database Revision Control.

Part 3: Access Control and Management

Chapter 4: Monitoring Traffic and Connections Given a deployment strategy, test and verify a new Policy using

SmartView Tracker.

Given evidence of a potential intrusion or attack usingSmartView Tracker, change the Policy to block the offendingconnection.

Use SmartView Monitor to block and monitor a users activities

by implementing the SAM rule.

Given accumulated raw-logged data, configure Eventia Reporterto monitor and audit network traffic.


6/183


Course Objectives

Chapter 5: Authentication Create and configure users in SmartDirectory for access to your

LAN.

Modify your Rule Base to provide permissions for users.

Configure partially automatic Client Authentication, and install,

test, and verify the Policy in SmartView Tracker.

Chapter 6: Check Point QoS Given a distributed network deployment, design a strategy for

implementing QoS.

Based on an implementation of QoS, configure the requiredbandwidth allocation for the network.


7/18372003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.puresecurity

Course Objectives

Part 4: SmartDefense Chapter 7: Basic SmartDefense and Content Inspection

Using content inspection, Application Intelligence, and/or WebIntelligence, configure for port scanning and HTTP wormcatcher.

Create a SmartDefense profile, and incorporate port-scanningand successive-events settings into the profile. Test theconfiguration with your partner citys Web server, and evaluate

logs using SmartView Tracker.

Block connections, given evidence of a potential intrusion or

attack. Evaluate logs.

Based on network analysis disclosing threats by specific sites,configure a Web-filtering and antivirus Policy to filter and/or scanthe threatening traffic.



PrefaceCheck Point Security Administration I

NGX (R65)



Course Layout

Prerequisites Check Point Certified Security Administrator (CCSA)



Recommended Setup for Labs

Recommended Lab Topology



Recommended Setup for Labs

IP Addresses Lab Terms



Check Point Security Architecture

PURE Security




Check Point Components


14/183




Broad Range of Security Solutions




Network Security Data Security

Security Management

Services


17/183172003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.

puresecurity

Training and Certification

CCMA Learn More



puresecurity

Part 1: Introduction to VPN-1

Chapter 1: VPN-1 Overview

Chapter 2: Introduction to SecurePlatform


19/183



puresecurity

Objectives

Given your understanding of Check Points three-tierarchitecture and basic firewall concepts, design andinstall a distributed deployment of VPN-1.

Test to verify the VPN-1 deployment, based on SICestablishment between the SmartCenter Server and theGateway using SmartDashboard.

1



puresecurity

VPN-1 Fundamentals

VPN-1 Components

1



puresecurity

Check Points Security Gateway

OSI Communication Stack

1


23/183



Packet Filtering

1


24/183



Stateful Inspection

1


25/183



Application Intelligence

1


26/183



Bridge Mode and STP

1


27/183



VPN-1 Gateway Inspection Architecture Inspection Module Flow

1


28/183


Security Policy Management

SmartConsole Components

1


29/183


Check Point SmartDashboard1


30/183


SmartView Tracker1

S Vi M i


31/183


SmartView Monitor1

S LSM


32/183


SmartLSM1

E ti R t


33/183


Eventia Reporter1

E ti A l


34/183


Eventia Analyzer1

VPN 1 S tC t S


35/183


VPN-1 SmartCenter Server

Basic Concepts and Terminology Using Management Plug-Ins

Securing Channels of Communication

1

VPN 1 S tC t S


36/183



Distributed VPN-1 Configuration Showing Componentswith Certificates

1

VPN 1 S tC t S


37/183



Administrative Login Using SIC

1

SmartUpdate and Managing Licenses


38/183


SmartUpdate and Managing Licenses

Understanding SmartUpdate

Overview of Managing Licenses

Contracts/Services

Service Contracts

Working with Contract Files

1


39/183

2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.

1

VPN-1 Distributed Installation

Review Questions & Answers


40/183



1. What is the primary purpose for the VPN-1 three-tierarchitecture?

1



41/183



Separate components provide a more securemanagement environment.

1



42/183



2. What are the primary components of the Check PointSecurity Gateway? Explain Stateful Inspection as itrelates to the OSI Model?

1



43/183



Packet filtering

Stateful Inspection

SmartDefense and Application Intelligence

Stateful Inspection incorporates layer 4 awareness to

the standard packet-filtering technology. It examinesthe contents of the packet up through the applicationlayer of the OSI Model.

1



44/183



3. What are the advantages of Check Points SecureManagement Architecture (SMART)? In what way doesit benefit an enterprise network and its Administrators?

1



45/183



SMART is a unified approach to centralizing Policymanagement and configuration, including monitoring,logging, analysis, and reporting within a single controlcenter.

1

Review Questions & Answers1


46/183



4. What is the main purpose for the SmartCenter Server?Which function is it necessary to perform on theSmartCenter Server when incorporating SecurityGateways into the network?

1



47/183



Used by the Security Administrator, the SmartCenterServer manages the Security Policy. In order toperform that role, the SmartCenter Server mustestablish SIC with other components, so thatcommunication is verified and management can be

performed on any component on the network.

1


48/183

2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.

2

Introduction to SecurePlatform

Objectives2


49/183


Objectives

Given the most current configuration, update theappropriate network interface using the sysconfig utilityto change the management interface.

Given specific instructions, perform a backup of thecurrent Gateway installation from the command line.

2

Introduction2


50/183


Introduction

SecurePlatform allows easy configuration of yourcomputer and networking aspects, along with installedCheck Point products.

2

Hardware Requirements/Setup2


51/183


Hardware Requirements/Setup

Intel Pentium III 300+ MHz or equivalent processor

10 GB free disk space

256 MB (512 MB recommended)

One or more supported network-adapter cards

CD-ROM drive (bootable)

1024 x 768 video-adapter card

2

Hardware Requirements/Setup2


52/183


Hardware Requirements/Setup

Hardware Compatibility Testing Tool

2

Using the Command Line2


53/183


Using the Command Line

Linux File Structure

2

Using the Command Line2


54/183


Using the Command Line

Basic Linux Commands sysconfig

cpconfig

Backup and Restore

Viewing Scheduling Status in the WebUI

Restoring the Backup via the Command Line

Restoring Older Versions of SecurePlatform

Scheduling a Backup in the WebUI

Viewing the Backup Log in the WebUI

Generating CPInfo

2

Critical Check Point Directories2


55/183


Critical Check Point Directories

$FWDIR/conf

$FWDIR/bin

Log Files

objects.C and objects_5_0.C

rulebases_5_0.fws

fwauth.NDB

Exporting User Database Only

Backing Up Using upgrade_export

2

Managing Your System2


56/183


Managing Your System

Connecting to SecurePlatform Using Secure Shell

User Management

2

SecurePlatform Command Shell2


57/183


SecurePlatform Command Shell

Command Shell

Management Commands

Documentation Commands

System Commands

Snapshot-Image Management

System-Diagnostic Commands

Check Point Commands

Network-Diagnostic Commands

Network-Configuration Commands

User and Administrative Commands

2


58/183


2

Configuring VPN-1 Using the CLI



59/183


e e Quest o s & s e s

1. What are the two primary utilities that provideinteractive menu options for all configuration aspects?

2



60/183


Q

sysconfig

cpconfig

2



61/183


2. When is it useful to use backed-up information?

2



62/183


When the current configuration stops working, it maybe necessary to revert or restore to a previous systemstate.

When upgrading to a new version

2



63/183


3. What is fw monitor and fw unloadlocal?

2



64/183


fw monitor is a built-in utility used to capture networkpackets at multiple capture points within the packettransfer.

fw unloadlocal is a command used to detach theSecurity Policy from the local machine.

2



65/183


4. What is the difference between the snapshot andbackup commands?

2



66/183


snapshot backs up the entire SecurePlatform operatingsystem and all of its products.

backup reproduces the system-configuration settingsonly.

2

Part 2: Security Policy


67/183


Chapter 3: Introduction to the Security Policy


68/183


3

Introduction to the Security Policy

Objectives3


69/183


Given the network topology, create and configure network, host,

and gateway objects for your city site. In SmartMap view, actualize your city sites network objects.

In SmartMap, given your partner citys network data, create and

configure your partner citys Web server object.

Create a basic Rule Base in SmartDashboard that includespermissions for administrative users, external services, and LANoutbound use. Test your Rule Base with your partner city, andevaluate logs in SmartView Tracker.

Given your Policys implicit rules, configure an implied rule for

logging purposes.

Manually configure NAT rules on your Web-server and Gatewayobjects. Refer to the Global Properties of the Gateway object.

Configure the Policy using Database Revision Control.

3

Security Policy Basics3


70/183


The Rule Base

3

Managing Objects in SmartDashboard3


71/183


g g j

SmartDashboard and Objects

Managing Objects

Changing the View in the Objects Tree

3


72/183


3

Creating Objects, Establishing Trust

and Configuring SmartMap

Creating the Rule Base3


73/183


Basic Rule Base Concepts

Default Rule

Basic Rules

Implicit/Explicit Rules

Control Connections

Completing the Rule Base3


74/183


Understanding Rule Base Order

Rule Base Management3


75/183


Review

Useful Tips

Policy Managementand Revision Control3


76/183


and Revision Control

Two utilities are used for providing backups and

incremental changes: Policy Package management

Database Revision Control

Policy-Management Overview3


77/183


Policy Packages Sample Organization with Different Types of Sites

Policy-Management Overview3


78/183


Installation Targets

Querying and Sorting Rules and Objects

Database Revision Control3


79/183


Implementing Database Revision Control


80/183


4

Configuring the Security Policy

Network Address Translation3


81/183


RFC 3022, Traditional IP Network Address Translator

(Traditional NAT)

IP Addressing



82/183


Dynamic (Hide) NAT



83/183


Static NAT



84/183


Hide Versus Static

Choosing the Hide Address in Hide NAT

Configuring NAT

Dynamic NAT Object Configuration

Manual NAT


85/183


5

Configuring Static NAT

Enabling VoIP Traffic3


86/183


Supported Protocols

Session Initiation Protocol



87/183


SIP Proxies in a VoIP Deployment



88/183


H.323-Based VoIP Topology



89/183


Allowed Routing Mode

Detecting IP Spoofing3


90/183


Configuring Anti-Spoofing

Multicasting3


91/183


Configuring Multicast Access Control



92/183


1. Objects are created by the Security Administrator to

represent actual hosts and devices, as well as servicesand resources, to use when developing the SecurityPolicy. What should the Administrator consider beforecreating objects?



93/183


What are the physical and logical components that

make up the organization?

Who are the users and Administrators, and how shouldthey be grouped, i.e., access permissions, location(remote or local), etc?



94/183


2. What are some important considerations when

formulating or updating a Rule Base?



95/183


Which objects are in the network, i.e., gateways,

routers, hosts, networks, or domains?

Which user permissions and authentication schemesare required?

Which services, including customized services and

sessions, are allowed across the network?



96/183


3. For which deployment scheme would Database

Revision Control be most appropriate?



97/183


It is ideal for a stand-alone deployment, or distributed

with a single Gateway.



98/183


4. What are some reasons for employing NAT in a

network?



99/183


When requiring private IP addresses in internal

networks

To limit external-network access

To ease network administration



100/183


5. What is the difference between sip and sip_any

services when implementing VoIP in the Rule Base?



101/183


When using the sip service, you would use a VoIP

domain in the source or destination of the rule. sip_anyor sip-tcp_any are used if not enforcing handover, andyou would not place a VoIP domain in the source ordestination of the rule. Instead, you would use Any or a

network object with the sip_any service

Part 3: Access Controland Management


102/183


Chapter 4: Monitoring Traffic and Connections

Chapter 5: Authentication

Chapter 6: Check Point QoS


103/183


4

Monitoring Traffic and Connections

Objectives4


104/183


Given a deployment strategy, test and verify a new

Policy using SmartView Tracker. Given evidence of a potential intrusion or attack using

SmartView Tracker, change the Policy to block theoffending connection.

Use SmartView Monitor to block and monitor a usersactivities by implementing the SAM rule.

Given accumulated raw-logged data, configure EventiaReporter to monitor and audit network traffic.

SmartView Tracker4


105/183


SmartView Tracker Login

SmartView Tracker4


106/183


Log Types

SmartView Tracker Tabs

Action Icons

Log-File Management

Administrator Auditing Global Logging and Alerting

Time Settings

Blocking Connections4


107/183


Terminating and Blocking Active Connections

SmartView Monitor4


108/183


SmartView Monitor Login

SmartView Monitor4


109/183


Customizable Views

Monitoring Suspicious Activity Rules

Monitoring Alerts

SmartView Tracker vs. SmartView Monitor Review

Eventia Reporter4


110/183


Eventia Reporter GUI

Eventia Reporter4


111/183


Eventia Reporter Consolidation Process

Eventia Reporter4


112/183


Eventia Reporter Server Report Creation

Eventia Reporter4


113/183


Report Types

Standard Report

Eventia Reporter4


114/183


Architecture for Express Reports

Eventia Reporter4


115/183


Predefined Reports

Customizing Predefined Reports

Eventia Reporter Considerations

Eventia Reporter Licensing


116/183


6

Blocking Intruder Connections


117/183


7

Configuring Suspicious Activity Rulein SmartView Monitor



118/183


1. Discuss the benefits of using SmartView Monitor

instead of SmartView Tracker in monitoring networkactivity.



119/183


SmartView Monitor presents an overall view of changes

throughout the network. SmartView Tracker focuses onindividual connections. SmartView Monitor also helpsthe Administrator identify traffic-flow patterns that maysignify malicious activity, maintain network availability,

and improve efficient bandwidth use.



120/183


2. Why is there an error message when switching to

Active mode in SmartView Tracker?



121/183


There are performance implications for memory and

network resources in Active mode, since data is beingactively logged.



122/183


3. What does the Consolidation Policy in Eventia Reporter

do?



123/183


After examining the original or raw log files, the

Consolidation Policy compresses similar events, andwrites this list into a database. Eventia Reporter reportsare generated from this database.


124/183

Objectives5


125/183


Create and configure users in SmartDirectory for access

to your LAN. Modify your rule base to provide permissions to users.

Configure partially automatic client authentication,install, test and verify policy in SmartView Tracker.

Creating Users and Groupsin SmartDashboard5


126/183


Define users with VPN-1 user database,

or LDAP, RADIUS or ACE server.

Introduction to VPN-1 Authentication5


127/183


Introduction to Authentication Methods

Authentication Schemes

Authentication Methods5


128/183


User Authentication

Configuring User Authentication

Session Authentication Configuring Session Authentication

Client Authentication

Configuring Client Authentication

Resolving Access Conflicts

Configuring Authentication Tracking

LDAP User Managementwith SmartDirectory5


129/183


LDAP Features



130/183


LDAP Tree Structure



131/183


Multiple LDAP Servers

LDAP Servers on a Firewalled Network



132/183


Using an Existing LDAP Server

Configuring Entities to Work with VPN-1

Managing Users

SmartDirectory Groups

8


133/183


8

Configuring Client Authentication

9


134/183


9

Configuring LDAP Authenticationwith SmartDirectory



135/183


1. Which services are most commonly associated with

User Authentication?



136/183


Telnet

rlogin HTTP

HTTPS

FTP



137/183


2. Which authentication scheme requires an

authentication agent installed on the client?



138/183


Session Authentication



139/183


3. What is the main advantage with using Client

Authentication?



140/183


It can be used on any number of connections for any

service, and authentication can be validated for aspecified time.

6


141/183


6

Check Point QoS

Objectives6


142/183


Given a distributed network deployment, design a

strategy for implementing QoS. Based on an implementation of QoS, configure the

required bandwidth allocation for the network.

Check Point QoS Overview6


143/183


Stateful Inspection

Intelligent Queuing Engine Weighted Flow Random Early Drop

Retransmission Detection Early Drop

Check Point QoS Architecture6


144/183


Basic Architecture

QoS SmartCenter Server



145/183


QoS SmartConsole

QoS Tab in SmartDashboard



146/183


The Security Gateway

Deploying QoS6


147/183


QoS Distributed Deployment

Deploying QoS6


148/183


Check Point QoS Topology Restrictions

Deploying QoS6


149/183


Two Lines to a Router

Deploying QoS6


150/183


Correct Configuration

Check Point QoS Rule Base6


151/183


Bandwidth Allocation and Rules

Traditional and Express Modes QoS Action Properties

Bandwidth Allocation and Subrules

Implementing the Rule Base

QoS Rule Considerations

Differentiated Services6


152/183


DiffServ Marks for IPSec Packets

Interaction Between DiffServ Rules and Other Rules

Low Latency Queuing6


153/183


Low Latency Classes

Low Latency Class Priorities When to Use Low Latency Queuing

Authenticated QoS

Monitoring QoS Policy6


154/183


SmartView Tracker

SmartView Monitor Eventia Reporter

Optimizing Check Point QoS6


155/183


Upgrade to the newest Check Point QoS version

available. Install Check Point QoS only on the external interfaces

of the Security Gateway.

Put more frequent rules at the top of your Rule Base.

Turn per-connection limits into per-rule limits. Turn per-connection guarantees into per-rule

guarantees.

10


156/183


10

Configuring Check Point QoS Policy



157/183


Weighted Flow Random Early Drop (WFRED) is a

mechanism used by Check Point QoS for managingpacket buffers, by selectively dropping packets duringperiods of network congestion.

Retransmission Detection Early Drop (RDED) is also

used by Check Point QoS to reduce the number ofretransmissions and retransmision storms duringperiods of network congestion.



158/183


2. In order to log a QoS Policy rule, what two conditions

must be met?



159/183


The Turn on QoS logging box must be checked in the

Gateway General Properties > Logs and Masters >Additional Logging Configuration window.

The connections matching rule must be marked with

either Log or Account in the rules Track column.



160/183


3. Connections in a QoS Rule Base can be configured by

applying which three elements?



161/183


Weight

Guarantee Limit

Part 4: SmartDefense

C C


162/183


Chapter 7: Basic SmartDefense and Content Inspection

7


163/183


7

Basic SmartDefense and Content Inspection

Objectives

U i i i A li i I lli

7


164/183


Using content inspection, Application Intelligence,

and/or Web Intelligence, configure for port scanning andHTTP worm catcher.

Create a SmartDefense profile, and incorporate port-scanning and successive-events settings into the profile.

Test the configuration with your partner citys Webserver, and evaluate logs using SmartView Tracker.

Block connections, given evidence of a potentialintrusion or attack. Evaluate logs.

Based on network analysis disclosing threats by specificsites, configure a Web-filtering and antivirus Policy tofilter and/or scan the threatening traffic.

Introducing SmartDefense

S tD f T b d N i ti P

7


165/183


SmartDefense Tab and Navigation Pane

Introducing SmartDefense

N t k d A li ti I t lli

7


166/183


Networks and Application Intelligence

Web Intelligence Online Updates

Monitor Only Mode

Network Security

D i l f S i

7


167/183


Denial-of-Service

IP and ICMP TCP

Fingerprint Scrambling

Successive Events

Network Security

DShi ld St C t

7


168/183


DShield Storm Center

Network Security

P t S i

7


169/183


Port Scanning

Application Intelligence

Mail

7


170/183


Mail

FTP Microsoft Networks

Peer-to-Peer

Instant Messaging

DNS

VoIP

SNMP

Web Intelligence

Web Intelligence Protections

7


171/183


Web Intelligence Protections

Web Intelligence License Enforcement

SmartDefense Services

Download Updates Tab

7


172/183


Download Updates Tab

Advisories Tab Security Best Practices Tab

Content Inspection

Introduction to Integrated Antivirus and Web Filtering

7


173/183


Introduction to Integrated Antivirus and Web Filtering

Technologies Database Updates

Antivirus-Scan Settings

Web Filtering

11


174/183


Configuring SmartDefense

12


175/183


Configuring Web-Filteringand Antivirus Settings


1 Explain the role Application Intelligence plays in

7


176/183


1. Explain the role Application Intelligence plays in

network security.


Application Intelligence works primarily with application

7


177/183


Application Intelligence works primarily with application-

layer defenses to address the threats aimed at networkapplications.


2 What is Monitor Only mode and why is it useful?

7


178/183


2. What is Monitor Only mode, and why is it useful?


It is a feature that detects and tracks unauthorized

7


179/183


It is a feature that detects and tracks unauthorized

traffic without blocking it. It is helpful when deployingprotection for the first time by establishing a baseline oftraffic on your network, and by evaluating theeffectiveness of the protection without interruptingconnectivity.


3 What kind of tests does SmartDefense perform to verify

7


180/183


3. What kind of tests does SmartDefense perform to verify

the legitimacy of TCP packets?


Protocol-type verification

7


181/183


Protocol type verification

Protocol-header analysis Protocol-flag analysis and verification


4 How is Web Intelligence licensing enforced?

7


182/183


4. How is Web Intelligence licensing enforced?


By counting the number of Web servers that are

7


183/183

By counting the number of Web servers that are

protected by each Security Gateway

ngx i r65 slides

Documents