nokia checkpoint


Upload: tuancoi

Post on 06-Sep-2015


TRANSCRIPT

  • What is a firewall?
    • Controls traffic between trusted and untrusted networks, and provides network partitioning
    • Restricts the entrance and exit of traffic based on acceptability
    • A wall is a bad analogy
    • Your firewall may have more than two sides
    • You may install enforcement points throughout your network
    • More like a honeycomb?
    • Even when we allow traffic through, we watch it carefully
    • We don't just 'punch holes' in the firewall

  • Best of Breed security applications
    • VPN-1/Firewall-1 NGX

  • VPN-1/Firewall-1 NGX

  • Logical components of FW-1 NGX
    • Management Clients (SmartConsole)/SMART clients: User interfaces for building objects and security policy rules. Views logs and FW status.
    • Management Server (SmartCenter Server): Manages security policy and object DBs, log DB, concurrent administrative access.
    • Multiple firewall modules (FWM), Enforcement Points: Enforces security policy, reports status and log data to management server.

  • Check Point components for various architectures
    • Diagram labels, in slide order:
    • Enforcement (Firewall) Module; Nokia IPSO, Solaris, Linux, Windows 2000, Windows 2003, HP-UX, AIX, CP secure platform
    • SmartConsole (GUI); Databases; FWM; FWD*; SmartCenter (Management) Server; Windows, Solaris
    • Nokia IPSO, Solaris, Linux, Windows 2000, Windows 2003, HP-UX, CP secure platform
    • FWD; Security servers; Inspection Module; SNMP; SVN** Foundation; SVN Foundation
    • * FWD: Firewall Daemon
    • ** SVN: Secure Virtual Networking

  • CP logical components can be physically different
    • Distributed, Single Management, Redundant FEPs (VRRP)
    • StandAlone
    • Distributed, Redundant Management, Redundant FEPs (VRRP)
    • Diagram components: GUI, Management Server, Firewall Enforcement Point

  • About the boot manager
    • The partition menu probably defaults to 1: Bootmgr
    • Nokia allows booting direct to IPSO (2), or IPSO using boot manager (1)
    • The boot manager has a command mode
    • We don't need it just at the moment so don't press a key
    • Boot manager commands
      • Boot an alternate kernel
      • Reinstalling IPSO
      • Single user boot (& password recovery)
      • Diagnostic Info
    • The boot manager includes a small subset IPSO OS on a separate partition or disk
    • You can reinstall a corrupt IPSO from boot manager
    • You can reinstall a corrupt boot manager from IPSO

  • Set the IP address, default route and speeds
    • Set the IP address
      • In the class use 10.x.x.1/16 on the LAN side interface
      • The LAN interface will be eth1
    • Configure the default route according to the class topology
      • It's okay that it is not reachable yet - configure it anyway
    • Configure the speed and duplex to 100M full duplex
      • CHECK with the instructor in case speed/duplex are different
    • Confirm the configuration

  • Accessing features in Voyager
    • Access all the features from the navigation tree
    • Expand Tree to view all the features at a glance
    • Navigation frame width is adjustable
    • The Current feature is highlighted
    • Tree hierarchy is consistent with IPSO 3.9 Voyager

  • The main interfaces screen
    • We will have three interfaces in this class. The third one is configured using clish
    • Check that they appear here as you would expect
    • Note the physical and link layer status lights: Red, Green, or Blue
    • Blue means hot swap interface not present

  • Adding static routes
    • Static Routes will allow team1fw1 to get to team3-net
    • Interface routes allow team1fw1 to get through to team1-Net and to the Internet
    • Topology diagram labels, in slide order: team1pc1 10.1.1.101; team1pc2 10.1.1.10; Internet; team1fw1; Lab router; team3pc2 10.1.3.10; team3pc1 10.1.3.103; team3-Net 10.1.3.0/16; team1-Net 10.1.1.0/16; 10.1.1.1; 172.21.101.1/16; 172.23.103.1; 10.1.3.1; 172.21.101.2/16; team3fw1; 192.168.22.0/24; 172.23.103.2/16; 192.168.22.103; 192.168.22.101

  • Network Testing

    Ping !..!!!..!!!!!!!!!...........!!!!!!!!!!!!!!!!!!!

  • Installing CheckPoint through Voyager
    • Four step procedure
    • Download the FTP package
    • In IPSO 4.2, HTTP Upload is very useful

  • Installing CheckPoint through Voyager

  • Package configuration is from the UNIX command line
    • Package configuration is from the UNIX command line similar to the Solaris and Linux versions
    • Be sure to log out and log back in so that the CP software is in your path before you run cpconfig

  • Distributed installation

  • Configuring secure internal communications
    • Final Steps

  • Basic components of VPN-1/FireWall-1 NGX

  • Introduction to SmartDashboard and Objects

  • Create a gateway and take control of it

  • Install an Allow All policy
    • The default policy is drop-all
    • You may have noticed that you currently can't SSH or use Voyager
    • Allow all isn't very secure
    • Your instructor may show you more if you have extra time
    • You need to attend CP Mgmt I or an equivalent class to learn Check Point-specific security information
    • On the desktop, or Start/Program/ Check Point Smart Clients

  • Save, Verify, Compile, and Install the policy
    • The Policy / Install does all of this in one easy step
    • Policies are always installed from a saved copy

  • SmartView Monitor

  • DEMO

  • Thanks for coming