Technical Lab n°1 Guidelines: End-to-End Security and VPN

Upload: borka
Posted on 12-Jan-2016

TRANSCRIPT

Page 1: Technical Lab n°1 Guidelines

W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T

Technical Lab n°1 Guidelines

End-to-End Security and VPN

Page 2: Technical Lab n°1 Guidelines

©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential

Agenda

Introduction
Lab Presentation
Lab 1-1 : VPN Client to Gateway
Lab 1-2 : Hybrid Mode
Lab 1-3 : SecureClient
Lab 1-4 : SecureServer
Lab 1-5 : SR/SC behind NAT Hide

Page 3: Technical Lab n°1 Guidelines


Introduction : Objectives

Understand End-to-End Security and secure communications
Set up Hybrid Mode (strong authentication)
Set up / manage VPN-1 SecureServer
Understand and set up the new SP2 functionality: UDP encapsulation

Page 4: Technical Lab n°1 Guidelines


Lab Architecture – Lab 1

[Network diagram] VPN-1 (FW/VPN Module + Management) with two interfaces: 192.168.1.30 on the client-side hub and 192.168.2.30 on the server-side hub. CLIENT (SecureClient) at 192.168.1.25. On the server-side hub: SERVER (RADIUS) and SecureServer (Telnet Server + SecureServer), shown at 192.168.2.31 and 192.168.2.32.

Page 5: Technical Lab n°1 Guidelines


Components

VPN-1        : NT 4.0 SP6a, VPN-1 4.1 SP2
SERVER       : NT 4.0 SP6a, RADIUS Server
SecureServer : NT 4.0 SP6a, Telnet Server + SecureServer 4.1 SP2
Client       : NT 4.0 SP6a, VPN-1 SecureClient build 4165

Page 6: Technical Lab n°1 Guidelines


Lab 1-1 : VPN Client to Gateway

Page 7: Technical Lab n°1 Guidelines


Logical architecture

[Diagram] CLIENT --VPN--> VPN-1 (FW/VPN Module + Management) --HUB--> SERVER, SecureServer. The VPN tunnel terminates on the VPN-1 gateway.

Page 8: Technical Lab n°1 Guidelines


Lab 1-1 : VPN Client to Gateway

Configure VPN-1 to support client-to-site encryption
Create a remote user
Create a SecuRemote Site
Access SecureServer with telnet
Check logs

Page 9: Technical Lab n°1 Guidelines


Lab 1-1 : VPN Client to Gateway (ADVANCED)

Debug SecuRemote: fwenc.log file, SRinfo file
Debug IKE negotiation: use IKEView

Page 10: Technical Lab n°1 Guidelines


Lab 1-1 : VPN Client to Gateway (ADVANCED)

IKE.elg and IKEView. Use with FireWall-1/SecuRemote 4.1:

Generate an IKE.elg file on FW-1 4.1 or SR 4.1. To do so:
Create the environment variable FWIKE_DEBUG=1 (set FWIKE_DEBUG=1)
On FW-1: fwstop, then fwstart
On SR 4.1: kill SR, create a log directory (in the SRDIR directory) and reload SR
The IKE.elg file is created in the log directory. Load IKEView and open the IKE.elg file.
Remove the variable and restart again once the debugging session is over: the file records every negotiation and keeps growing while the variable is set.

Page 11: Technical Lab n°1 Guidelines


Lab 1-2 : Hybrid Mode

Page 12: Technical Lab n°1 Guidelines


Logical architecture

[Diagram] CLIENT --VPN--> VPN-1 (FW/VPN Module + Management) --RADIUS Auth--> SERVER; SecureServer on the server-side hub.

Page 13: Technical Lab n°1 Guidelines


Lab 1-2 : Hybrid Mode

Goal: establish a client-to-site IKE VPN using RADIUS to authenticate the remote user.

IMPORTANT: You must define a user with a pre-shared secret to download the topology.

Page 14: Technical Lab n°1 Guidelines


Lab 1-2 : Hybrid Mode

Define a user with a pre-shared secret to download the topology (not a member of any group)
Create the Internal CA on the Management Station
Create a Certificate for the VPN/Firewall Module
Allow "Hybrid" Mode SecuRemote Authentication on the Firewall Object (IKE tab)
Define a user with one of the classical authentication methods (e.g. RADIUS)
Update the SecuRemote Site with the first user
Test authentication
Check logs
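In this lab the second user's credential is checked over RADIUS by the SERVER machine, so it is worth seeing what actually crosses the wire between VPN-1 and the RADIUS server. The following is an added example, not part of the lab material and not Check Point's code: a minimal RFC 2865 Access-Request builder, the server-side password recovery and reply signing, and the NAS-side Response Authenticator check, in Python. The shared secret, user name, password and the fixed Request Authenticator are constructed values; the NAS-IP-Address reuses the VPN-1 address 192.168.2.30 from the lab diagram.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it. Trailing NUL
    padding is stripped, so a password that itself ends in NUL bytes does not round-trip."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """Access-Request as the NAS (here the VPN-1 gateway) would send it."""
    authenticator = authenticator if authenticator is not None else secrets.token_bytes(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects
    truncated packets and attributes that run past the declared length."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, i = [], 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[i], pkt[i + 1]
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, pkt[i + 2:i + attr_len]))
        i += attr_len
    return code, identifier, pkt[4:20], attrs


def server_answer(request: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, check it, and sign the reply with
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    code, identifier, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    password = reveal_password(fields[ATTR_USER_PASSWORD], secret, req_auth)
    ok = hmac.compare_digest(users.get(fields.get(ATTR_USER_NAME), b""), password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply_code, identifier, 20)  # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its identifier matches and the Response
    Authenticator was computed with our shared secret over our Request Authenticator."""
    _, identifier, resp_auth, _ = parse_packet(response)
    _, req_identifier, req_auth, _ = parse_packet(request)
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    return identifier == req_identifier and hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"constructed-lab-secret"      # constructed; never reuse in a real deployment
    req = build_access_request(7, b"alice", b"s3cret", secret, "192.168.2.30")
    reply = server_answer(req, secret, {b"alice": b"s3cret"})
    print("Access-Accept" if reply[0] == ACCESS_ACCEPT else "Access-Reject",
          "authentic" if verify_response(reply, req, secret) else "forged")
```

The User-Password attribute is hidden, not encrypted: it is XORed with MD5(secret || authenticator), so anyone on the 192.168.2.0 segment who knows the shared secret recovers every password, and a short secret can be brute-forced offline from a single captured request and reply. Hybrid Mode protects the credential on the client-to-gateway leg inside IKE; the gateway-to-RADIUS leg is protected only by this shared secret, so use a long random one and keep the RADIUS server on a segment you trust.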

Page 15: Technical Lab n°1 Guidelines


Lab 1-3 : SecureClient

Page 16: Technical Lab n°1 Guidelines


Logical architecture

[Diagram] CLIENT --VPN--> VPN-1 (FW/VPN Module + Management + Policy Server) --HUB--> SERVER, SecureServer.

Page 17: Technical Lab n°1 Guidelines


Lab 1-3 : SecureClient

Define a Policy Server
Define a policy (encrypt only)
Update the SecureClient Site
Reach TelnetServer
Try to ping 192.168.6.1
Configure SCV (Desktop Configuration Verification)
Then bind NetBEUI on the client
Try to reach TelnetServer
Then uncheck SCV

Page 18: Technical Lab n°1 Guidelines


Lab 1-3 : SecureClient (Advanced)

View unauthorized actions on SecureClient: view the SR.log file

Page 19: Technical Lab n°1 Guidelines


Lab 1-4 : SecureServer

Page 20: Technical Lab n°1 Guidelines


Logical architecture

[Diagram] CLIENT --VPN--> VPN-1 (FW/VPN Module + Management) --HUB--> SecureServer; SERVER on the same hub. The VPN now ends on SecureServer itself (end-to-end).

Page 21: Technical Lab n°1 Guidelines


Lab 1-4 : SecureServer

Goal is to establish an end-to-end VPN between client and Server.

Create a new encryption domain for VPN1
Change VPN properties for VPN1: Encryption domain
Enable VPN for SecureServer
Create a Certificate for SecureServer (Hybrid mode)
Register SecureServer as a RADIUS Client

Page 22: Technical Lab n°1 Guidelines


Lab 1-4 : SecureServer

Update topology
Access SecureServer with telnet
Check logs

Page 23: Technical Lab n°1 Guidelines


Lab 1-4 : SecureServer

Warning: a security rule whose « Install on » field is set to « Gateways » is not installed on SecureServer (gateways only). A rule meant to protect the SecureServer host must target it explicitly.

Features not available on SecureServer:
User Authentication
Content Security (CVP, UFP..)
NAT
IP forwarding is turned off (…)

Page 24: Technical Lab n°1 Guidelines


Lab 1-5 : SR/SC behind NAT Hide

Page 25: Technical Lab n°1 Guidelines


Logical architecture

[Diagram] Customer site: CLIENT (SR/SC) behind VPN-1 (FW/VPN Module + Management), which here acts as a router and hides the client (NAT Hide) behind its own address; the VPN runs from the hidden client across the hub to SecureServer, with SERVER on the same hub.

Page 26: Technical Lab n°1 Guidelines


NAT with SecuRemote (cont.)

Create a new network object for Net 192.168.1.0, NATed Hide behind 192.168.2.30
Uncheck VPN properties for VPN1
Bind the Policy Server to SecureServer
Modify the Rulebase
Create a new SR site (SecureServer)
Access SecureServer with telnet
Check logs
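Lab 1-5 puts the SecuRemote/SecureClient host behind a hide NAT, which is exactly the case the SP2 UDP encapsulation named in the objectives exists for. What follows is an added illustration, not part of the lab material and not Check Point code: a toy hide NAT and VPN peer in Python that show why replies to plain ESP cannot be mapped back to a hidden client, and why wrapping ESP in UDP fixes it even when two clients share the hide address. The hide address 192.168.2.30 and the client 192.168.1.25 come from the lab; the peer being SecureServer at 192.168.2.32, the UDP port 2746, the SPI values and the second client 192.168.1.26 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Addresses from the lab diagram; the peer is assumed to be SecureServer
# (the diagram lists 192.168.2.31 and 192.168.2.32 without saying which is which).
HIDE_ADDR = "192.168.2.30"
PEER = "192.168.2.32"
ENCAP_PORT = 2746  # UDP port used for the wrapper in this toy; the slides give no port
# Constructed clients: 192.168.1.25 is the lab CLIENT, .26 is an invented second host
# behind the same hide NAT. Tuples: (inside address, SPI it sends, SPI it expects back)
CLIENTS = [("192.168.1.25", 0x1111AAAA, 0x2222AAAA),
           ("192.168.1.26", 0x1111BBBB, 0x2222BBBB)]


@dataclass
class Packet:
    proto: str                   # "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None  # UDP header fields
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP header field (kept when ESP rides inside UDP)
    payload: bytes = b""


class HideNAT:
    """Hide (port-overloading) NAT: every inside host appears as hide_addr and
    return traffic is demultiplexed by destination port only."""

    def __init__(self, hide_addr: str, first_port: int = 10000):
        self.hide_addr = hide_addr
        self.next_port = first_port
        self.inside_by_port = {}  # external port -> (inside src, inside sport)
        self.port_by_inside = {}  # (inside src, inside sport) -> external port

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "udp":
            key = (pkt.src, pkt.sport)
            ext = self.port_by_inside.get(key)
            if ext is None:
                ext = self.next_port
                self.next_port += 1
                self.port_by_inside[key] = ext
                self.inside_by_port[ext] = key
            return Packet("udp", self.hide_addr, pkt.dst, ext, pkt.dport, pkt.spi, pkt.payload)
        if pkt.proto == "esp":
            # The source address is rewritten, but ESP has no port field, so nothing
            # is recorded that could match the reply back to this client.
            return Packet("esp", self.hide_addr, pkt.dst, spi=pkt.spi, payload=pkt.payload)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the un-translated packet, or None when the NAT has to drop it."""
        if pkt.dst != self.hide_addr:
            return None
        if pkt.proto == "udp" and pkt.dport in self.inside_by_port:
            src, sport = self.inside_by_port[pkt.dport]
            return Packet("udp", pkt.src, src, pkt.sport, sport, pkt.spi, pkt.payload)
        # An ESP reply carries the client's inbound SPI, which this NAT never saw: dropped.
        return None


def encapsulate(esp: Packet, sport: int, dport: int) -> Packet:
    """UDP encapsulation: carry the ESP packet as the payload of a UDP datagram."""
    return Packet("udp", esp.src, esp.dst, sport, dport, spi=esp.spi, payload=esp.payload)


def decapsulate(udp: Packet) -> Packet:
    return Packet("esp", udp.src, udp.dst, spi=udp.spi, payload=udp.payload)


def peer_reply(received: Packet, reply_spi: int) -> Packet:
    """The VPN peer answers whatever source it saw, swapping ports when UDP was
    used, and puts the client's inbound SPI in the reply."""
    if received.proto == "udp":
        return Packet("udp", received.dst, received.src, received.dport, received.sport,
                      spi=reply_spi, payload=b"reply")
    return Packet("esp", received.dst, received.src, spi=reply_spi, payload=b"reply")


def run_scenario(udp_encapsulation: bool) -> dict:
    """Each client sends one ESP packet through the hide NAT to PEER and waits for
    the reply. Returns {client: True if its reply came back to it}."""
    nat = HideNAT(HIDE_ADDR)
    delivered = {}
    for client, spi_out, spi_in in CLIENTS:
        esp = Packet("esp", client, PEER, spi=spi_out, payload=b"hello")
        wire = encapsulate(esp, ENCAP_PORT, ENCAP_PORT) if udp_encapsulation else esp
        back = nat.inbound(peer_reply(nat.outbound(wire), spi_in))
        if back is not None and udp_encapsulation:
            back = decapsulate(back)
        delivered[client] = back is not None and back.dst == client and back.spi == spi_in
    return delivered


if __name__ == "__main__":
    print("plain ESP through hide NAT:       ", run_scenario(False))
    print("UDP-encapsulated ESP through NAT: ", run_scenario(True))
```

A hide NAT keys its translation table on transport ports. ESP (IP protocol 50) has none, and the SPI in the reply is the one the client chose for its inbound SA, which the NAT never saw outbound, so without IPsec-aware passthrough the reply is dropped; passthrough heuristics in turn break down once two clients behind one address talk to the same peer. The UDP wrapper gives the NAT a port to rewrite and track, which is the same idea later standardised as UDP encapsulation of ESP for NAT traversal (RFC 3948). The check in the lab is the one on the slide: after the rulebase change, telnet to SecureServer from the hidden client and look in the log for the encrypted connection.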

Page 27: Technical Lab n°1 Guidelines


Agenda

Lab 1-1 : VPN Client to Gateway
Lab 1-2 : Hybrid Mode
Lab 1-3 : SecureClient
Lab 1-4 : SecureServer
Lab 1-5 : SR/SC behind NAT Hide

Page 28: Technical Lab n°1 Guidelines


Q & A ?

Thank you