VPN-1/FireWall-1 NGX
Management
Course Objectives
• Identify the basic components of VPN-1/FireWall-1 NG
• Identify the VPN-1/FireWall-1 NG elements that you will need to manage
• Successfully create and manage management objects
• Demonstrate how to use the Security Policy, Log Viewer and System Status
• Successfully apply NAT rules
• Successfully demonstrate the ability to authenticate users
• Course Requirements (the course is geared towards):
• Systems administrators
• Support analysts
• Network engineers
• Prerequisites:
• General knowledge of TCP/IP
• Working knowledge of Windows and/or UNIX
• Working knowledge of network technology
• Working knowledge of the Internet
• Check Point Certified Security Administrator (CCSA)
• Demonstrated the knowledge required to configure and implement a standard installation of NGX
Recommended Setup for Labs
Recommended Lab Topology
IP Addresses
Lab Terms
Lab Stations
Introduction
Objectives
Describe the purpose of a firewall
Describe and compare firewall architectures
Identify the different components of
VPN-1/FireWall-1 NGX
Need for Firewall
Protection Against
Unauthorised Access
Eavesdropping
Hacker Attack
DDoS / DoS
LAND
Teardrop
Virus
Trojan
Internet Firewall Technologies
A firewall is a system designed to:
prevent unauthorised access to or from a secured network
act as a locked security door between internal and external
networks: only data meeting certain criteria is allowed through
However, note that a firewall can only protect a network from
traffic that actually passes through it
Firewall Technologies
Packet Filters
Application-Layer Gateway
Stateful Inspection
VPN-1/FireWall-1 NGX Enforcement Module
INSPECT Language
VPN-1/FireWall-1 NGX Advantages
Packet Filtering Path in the OSI Model
Packet Filter FTP Example
Packet Filters
Advantage
Compatibility: Packet filters do not modify the packet stream so they
work with any protocol.
Performance: Packet filters are very fast since they look only at the
headers.
Scalability: Since packet filters are simple, it is easy to scale the
solution.
Disadvantage
Low security: Packet filters do not look at the data portion of the
packets, so attacks can flow right through them.
No advanced protocol support: Since these filters do not keep track
of connections, there is no way to support dynamic protocols.
Application-Layer Gateway Path
Application-Layer Gateways
Advantage
Security: Since the proxy buffers the entire connection, it can
perform content filtering on the whole connection.
Application-level awareness: Since the proxy fully understands the
protocol, it makes sure all data follows the standards.
Disadvantage
Performance: Since the entire connection is buffered, and there are
two connections for every client connection, proxy firewalls are the
slowest type of firewall.
Scalability: The Internet standards (RFCs) for TCP/IP state that
communication occurs directly between the client and the
server. This is referred to as the Client/Server model. Application-
layer firewalls break the Client/Server model, and this breaks
some applications.
Stateful Inspection Technology
invented by CheckPoint Software Technologies
utilises the INSPECT Engine
Programmable using the INSPECT language
Provides for system extensibility
Dynamically loaded into the OS kernel
Intercepts and inspects all inbound and outbound
packets on all interfaces
Verifies that packets comply with the security policy
VPN-1/FireWall-1 NGX Enforcement Module
How VPN-1/FireWall-1 NGX Works
INSPECT Allowing Packets
if a packet passes inspection, the Firewall Module
passes it through the TCP/IP stack to its
destination
packets destined for local OS processes
are inspected first, then passed through the TCP/IP
stack
if a packet does not pass inspection, it is rejected
or dropped, and logged.
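The FTP case that the packet-filter and stateful-inspection slides contrast, as an added example that is not from the course and not Check Point's INSPECT code: a static filter must leave every high client port open to server port 20 for active-mode data connections, while a toy stateful engine tracks the control connection, parses the PORT command (application-derived state) and opens a one-shot pinhole only for the announced port. Addresses, ports and the packet sequence are constructed for the demonstration.

```python
from collections import namedtuple

CLIENT, SERVER = "10.0.0.5", "203.0.113.10"  # constructed lab addresses, not from the course
Packet = namedtuple("Packet", "src sport dst dport syn payload", defaults=(False, b""))

def packet_filter(pkt):
    # Static filter: header fields only, no memory of earlier packets (the "Packet Filters" slides)
    if pkt.dst == SERVER and pkt.dport == 21:                       # FTP control channel out
        return "accept"
    if pkt.src == SERVER and pkt.sport == 20 and pkt.dport > 1023:  # active-mode data back in
        return "accept"  # forced to leave every client high port open to server port 20
    return "drop"

def parse_port(payload):
    # FTP 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) -> (ip, port)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in payload[5:].strip().split(b","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class StatefulInspector:
    # Toy INSPECT-style engine: connection table (communication-derived state) plus FTP pinholes
    def __init__(self):
        self.conns = set()     # established connections, keyed by the initiating 4-tuple
        self.pinholes = set()  # (client_ip, client_port) announced via PORT, each usable once
    def inspect(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conns or reverse in self.conns:          # part of a known connection
            if pkt.dport == 21 and pkt.payload.startswith(b"PORT "):
                self.pinholes.add(parse_port(pkt.payload))      # application-derived state
            return "accept"
        if pkt.syn and pkt.dst == SERVER and pkt.dport == 21:   # policy rule: new FTP session
            self.conns.add(key)
            return "accept"
        if pkt.syn and (pkt.src, pkt.sport) == (SERVER, 20) and (pkt.dst, pkt.dport) in self.pinholes:
            self.pinholes.discard((pkt.dst, pkt.dport))         # consume the one-shot pinhole
            self.conns.add(key)
            return "accept"
        return "drop"                                           # a real gateway would also log

def run_scenario():
    # Constructed active-mode FTP exchange followed by one unsolicited probe from server port 20
    packets = [
        Packet(CLIENT, 40001, SERVER, 21, syn=True),                          # open control channel
        Packet(CLIENT, 40001, SERVER, 21, payload=b"PORT 10,0,0,5,4,1\r\n"),  # announce client port 1025
        Packet(SERVER, 20, CLIENT, 1025, syn=True),                           # the announced data connection
        Packet(SERVER, 20, CLIENT, 1026, syn=True),                           # unsolicited probe, never announced
    ]
    engine = StatefulInspector()
    return [packet_filter(p) for p in packets], [engine.inspect(p) for p in packets]
```

The packet filter accepts all four packets, including the unannounced probe; the stateful engine drops it because no control-channel state ever predicted it.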
INSPECT Module Flow
Introduction to security
Firewall Technologies
Packet Filters
SIP / DIP / SPort / DPort (source and destination IP address and port)
Application Layer Gateways
Application Awareness
Caching
Authentication
Client -> FW / FW -> Client
Stateful Inspection
Communication Information
Communication Derived State
Application Derived State
Information Manipulation
INSPECT Engine
Transparency
Differences!!!
VPN-1/FireWall-1 NGX Architecture
SmartConsole
SmartCenter Server
Security Gateway (Enforcement Module)
RS007
Check Point Three-Tier Architecture
Module 1
Check Point SmartConsole
SmartCenter Server
the security policy is defined using SmartDashboard on the
Management client
it is then saved to the SmartCenter server
the SmartCenter server maintains the FW-1 NG databases, including:
network object definitions
user definitions
security policy
log files
VPN-1/Firewall-1 NGX Enforcement Module
deployed on the Internet gateway
an Inspection script written in INSPECT is generated from the
security policy
inspection code is compiled from the script and downloaded
to the enforcement module
Distributed Deployments
SVN Foundation
Secure Internal Communications (SIC)
Secure Virtual Network (SVN) is a true security architecture
Integrates multiple capabilities, including
firewall security, VPNs, IP address management etc,
all within a common management framework
enables security to be defined and enforced in a single policy
incorporating all aspects of network security
SVN Architecture designed to meet the challenges of eBusiness
connects the four elements common to any enterprise
network
Networks
Systems
Applications
Users
SVN Diagram
SVN Foundation
CheckPoint SVN Foundation NGX (CPShared) is the Operating
System integrated with every CheckPoint product
All CheckPoint products use the CPOS services via CPShared
The SVN Foundation includes :
Secure Internal Communications (SIC)
CheckPoint registry
CPShared daemon
Watch Dog for critical services
Cpconfig
License utilities
SNMP daemon
Secure Internal Communication (SIC)
Communication Components
Security Benefits
SIC Certificates
Communication Between Management Modules and
Components
Communication Between Management Modules and
Management Clients
Communication Components
SIC secures communication between CheckPoint SVN
components such as
management modules
management clients
VPN-1/FireWall-1 NG modules
customer log modules
SecureConnect modules
policy servers
OPSEC applications
Security Benefits of SIC
confirms that a management client connecting to a management
module is authorised
verifies that a security policy loaded on a firewall module
came from an authorised management module
ensures that data privacy and integrity are maintained
SIC Certificates
SIC for CheckPoint VPN uses certificates for authentication
and standards-based SSL for encryption
enables each CheckPoint enabled machine to be uniquely
identified
certificates are generated by the Internal Certificate
Authority (ICA) on the Management module
a unique certificate is generated for each physical machine
Communication between Management Modules and Components
the ICA automatically creates a certificate for the
Management module during installation
certificates for other modules are created via a simple
initialisation from the Management Client
upon initialisation, the ICA creates, signs and delivers a
certificate to the communication component
Communication between Management Modules and
Management Clients
the management client must be defined as authorised
when invoking the Policy Editor on the Management client,
the user is asked to:
identify themselves
specify the IP address of the Management Module
the Management Client then initiates an SSL-based
connection
the Management Module verifies the Client's IP address
the Management Module sends back its certificate
Distributed Client/Server Configuration
Distributed VPN-1/FireWall-1 Configuration Showing the
Components with Certificates
SIC (Secured Internal Communication)
VPN-1/FireWall-1
Key component of SVN architecture
Access Control
User Authentication
Network Address Translation (NAT)
Virtual Private Networking
High Availability
Content Security
Auditing and Reporting
LDAP-based user management
VPN-1/FireWall-1 (continued)
Intrusion Detection
Malicious Activity Detection
Third-party Device Management
High Availability and Load Sharing
Review Question #1
What is Stateful Inspection?
Stateful inspection tracks, analyzes and acts on both state
and context information, including:
Packet header
Connection state
TCP and IP fragmentation data
Packet reassembly, application type, context
verification
Arrival interface
Departure interface
Layer 2 information
Date and time of packet arrival/departure
Review Question #2
Why is Stateful Inspection more secure
than packet filtering and application-layer gateways for
protecting networks?
Packets are intercepted at the network layer
for best performance, as in packet filters. But the data derived
from all communication layers is analyzed, not just layers 4-7
(as in application-layer gateways)
Review Question #3
Which component does VPN-1/FireWall-1 use to accept, drop
or reject packets?
The Enforcement Module
Review Question #4
What are the three components that make up VPN-1/FireWall-1?
SmartConsole
SmartCenter Management Server
Security Gateway (Enforcement Module)
OS Support...
VPN-1/FireWall-1 NGX
Management I
VPN-1/FireWall-1 NGX System Requirements
Management Client
Disk Space : 40 Mbytes
Memory : 128 Mbytes
Network I/F : All interfaces supported by the Operating System
FireWall-1 NGX on Windows Platform
Processor : Intel Pentium II 300+ MHz or equivalent
Disk Space : 40 Mbytes
Memory : 128 Mbytes
Network I/F : All interfaces supported by the Operating System
Management Server or FireWall-1 Module on Solaris
CPU Architecture : Solaris 7 - 32 bit mode; Solaris 8 - 32 bit and 64 bit mode
Disk Space : 40 Mbytes (software installation only)
Memory : 128 Mbytes
CPU : 360 MHz
Required OS Patches : check the latest release notes for required patches
Management Server or FireWall-1 Module on a Linux Platform
CPU Architecture : 32 bit and 64 bit
Disk Space : 40 Mbytes
Memory : 128 Mbytes
CPU : Intel Pentium II 300+ MHz
Distributed Deployment: When the gateway and the SmartCenter server are
installed on separate machines.
Gateway: The VPN-1 engine that enforces the organization’s security
policy and acts as a security enforcement point.
Security Policy: The policy created by the system administrator that
regulates the flow of incoming and outgoing communication.
Standalone Deployment: When the Check Point components
responsible for the management of the security policy (the
SmartCenter server and the gateway) are installed on the
same machine.
SmartCenter Server: The server used by the system administrator to
manage the security policy. The organization’s databases and security
policies are stored on the SmartCenter server and downloaded to the
gateway.
SmartConsole: GUI applications that are used to manage various
aspects of security policy enforcement. For example,
SmartView Tracker is a SmartConsole application that
manages logs.
SmartDashboard: A SmartConsole GUI application that is used by
the system administrator to create and manage the security
policy.
Key Terms
Firewall
Packet Filtering
Application Layer Gateway (Proxy)
Client/Server Model
Stateful Inspection
Secure Virtual Network (SVN)
Secure Internal Communication (SIC)
Virtual Private Network (VPN)
Implementation Scenario
Standalone Setup (diagram): External Interface -> Check Point Firewall Module + SmartCenter Server -> Internal Interface -> LAN; the GUI Client / SmartConsole (front end) sits on the LAN.
Distributed Setup (diagram): External Interface -> Check Point FireWall-1 / VPN-1 -> Internal Interface -> LAN; the SmartCenter Server, aka Management Server (middle tier), and the GUI Client / SmartConsole (front end) sit on the LAN.