Cramsession™ for Check Point Certified Security Administrator
This Cramsession will help you to prepare for Check Point Exam CCSA, Check Point Certified Security Administrator. Exam topics include Features, Functions, Basic Components, Requirements, and Installation of FireWall-1, Network Object Management, Network Address Translation, IP Address Translation Mode Configuration, and Security Policy.
Notice: While every precaution has been taken in the preparation of this material, neither the author nor BrainBuzz.com assumes any liability in the event of loss or damage directly or indirectly caused by any inaccuracies or incompleteness of the material contained in this document. The information in this document is provided and distributed "as-is", without any expressed or implied warranty. Your use of the information in this document is solely at your own risk, and Brainbuzz.com cannot be held liable for any damages incurred through the use of this material. The use of product names in this work is for information purposes only, and does not constitute an endorsement by, or affiliation with BrainBuzz.com. Product names used in this work may be registered trademarks of their manufacturers. This document is protected under US and international copyright laws and is intended for individual, personal use only. For more details, visit our legal page.
© 2000 All Rights Reserved - BrainBuzz.com
Cramsession: Certified Checkpoint Security Administrator
TM
© 2001 All Rights Reserved – BrainBuzz.com
1
Contents:
Firewall Definition............................................................................................ 3
Different Firewall Technologies ....................................................................... 3
Packet Filtering.......................................................................................... 3
Application Layer Gateway .......................................................................... 3
Stateful Inspection..................................................................................... 4
Firewall-1 Products .......................................................................................... 5
Enterprise Product ........................................................................................ 5
Single Gateway Product................................................................................. 5
Enterprise Management Product ..................................................................... 6
Firewall-1 Firewall Module.............................................................................. 6
Firewall-1 Inspect Module .............................................................................. 6
Firewall-1 Architecture ..................................................................................... 6
Remote Management Putkey Configuration......................................................... 7
Administrator Access ....................................................................................... 8
Log in.......................................................................................................... 9
Security Policy ...............................................................................................10
The Security Policy Tab (Rule 0) .......................................................................12
Applying Gateway Rules to Interface Direction.................................................12
Rule Base .....................................................................................................14
Possible Rule Base actions include .................................................................14
System Status Tool ......................................................................................15
Content Security..........................................................................................15
Anti - Spoofing ............................................................................................15
Network Address Translation (NAT) ..................................................................16
Classful Addressing ......................................................................................16
NAT Modes .................................................................................................17
Applying NAT Modes ....................................................................................17
NAT Rule Base.............................................................................................17
NAT Rules...................................................................................................18
Address Resolution Protocol (ARP) .................................................................18
ARP Request for Local Network ...................................................................18
ARP Request for Remote Network ...............................................................18
Routing Issues..........................................................................................19
Static Source or Hide modes ......................................................................19
Static Destination .....................................................................................19
Authentication................................................................................................21
User Authentication......................................................................................21
Client Authentication....................................................................................21
Session Authentication .................................................................................22
Implicit Client Authentication ........................................................................22
Internal Authentication Schemes ................................................................22
External Authentication Schemes ................................................................23
Firewall–1 GUIs..............................................................................................23
Log Viewer GUI ...........................................................................................23
Log Viewer Logon ........................................................................................23
Modes ........................................................................................................23
Log File ......................................................................................................24
System Status GUI ......................................................................................24
System Status Updates .............................................................................24
Alerts .........................................................................................................24
Solving SYN Flood Problem ...........................................................................25
SYN Relay ................................................................................................25
SYN Gateway ...........................................................................................25
Passive SYN Gateway ................................................................................25
Firewall Definition
• A device that enforces a security policy for communication between internal and/or external networks
• It controls which machines or network users can connect to reach external elements through the firewall
Note: A firewall cannot protect against malicious authorised users or connections that do not go through the firewall. There is no 100% guarantee that it cannot be breached.
Different Firewall Technologies
Packet Filtering
• Works at the Network Layer
• Only examines the packet header
• Two choices with regard to outbound, passive FTP connections:
1. Leave the entire range of upper ports (port number > 1023) open to allow a session to take place over the dynamically allocated port, which exposes the internal network
2. Shut down the entire upper range of ports, thus securing the internal network but blocking other services
(This is the trade-off between application support and security.)
Pros: low cost; low overhead; application transparency; quicker than application gateways
Cons: low security; access limited to a small part of the packet header; screening limited above the network layer; information manipulation very limited; difficult to configure, manage and monitor; inadequate logging and alerting mechanisms; subject to IP spoofing
Application Layer Gateway
• Works at the Application Layer
• Uses complicated application logic to determine intruder attempts
Pros: good security; full Application-layer awareness
Cons: application-level implementation is detrimental to performance; cannot provide RPC and other services; most proxies are non-transparent; vulnerable to OS and application-level bugs; poor scalability (each service requires its own application layer gateway); overlooks information in other layers; expensive performance costs
Note: Every client-server communication requires two connections:
1. One from client to FireWall
2. One from FireWall to server
Stateful Inspection
• Communication information from the top 5 packet layers
• State derived from previous communications (outgoing port etc.)
• Application-derived state, such that a previously authenticated user would be allowed access for authorised services only
• Evaluation of flexible expressions based on communication information, application-derived state and communication-derived state
• Benefits: good security, full application awareness, high performance, scalability, extensibility and transparency
Firewall Capability            Packet Filters   Application Layer Gateways   Stateful Inspection
Communication Information      Partial          Partial                      Yes
Communication Derived State    No               Partial                      Yes
Application Derived State      No               Yes                          Yes
Information Manipulation       Partial          Yes                          Yes
Note:
• The Inspect Engine is located in the Kernel Module
• It can Accept, Reject or Drop packets
• It saves system processing time
Firewall-1 Products
Checkpoint uses the OPSEC (Open Platform for Secure Enterprise Connectivity) architecture, which provides a scalable framework for security implementation by separating the firewall product into different modules.
Enterprise Product
• Management Module – Centralised graphical security management for either one or unlimited security enforcement points
• Inspection Module – Access control; client and session authentication; network address translation; auditing
• Firewall Module – Includes the inspection module; user authentication; multiple firewall synchronisation; content security
• Encryption Module – Provides DES and FWZ1 encryption
• Router Security Management – Security management for router ACLs across one or more routers
• Open Security Manager – Centralised security management for 3Com, Cisco and Microsoft NT Server routers, and Cisco PIX firewalls
Single Gateway Product
• Management Module – Centralised graphical security management for either one or unlimited security enforcement points
• Inspection Module – Access control; client and session authentication; network address translation; auditing
• Firewall Module – Includes the inspection module; user authentication; multiple firewall synchronisation; content security
Enterprise Management Product
Connect Control Module – Automatic application server load balancing across
multiple servers (deployed with Firewall-1)
Firewall-1 Firewall Module
Inspection Module (access control; client and session authentication; network address translation; auditing) plus user authentication; multiple firewall synchronisation; content security
Firewall-1 Inspect Module
Access control; client and session authentication; network address translation;
auditing
The Encryption Module
• DES Encryption Module for use in North America
• FWZ1 Module for worldwide export
Firewall-1 Architecture
• A 3-tier architecture: there can be many different firewall modules running in different locations (security enforcement points) controlled by a central Management Console. Administrators can administer the security system either directly via the console, or by running GUI clients connected to the Management Console through the network from another desktop
• For the Single Gateway Product, there is only one Firewall Module controlled by one Management Console, and both must be installed on the same machine, which means that there is only one security enforcement point. However, you can still run the GUI client from another desktop. Firewall Internet Gateway/25 is a Firewall Internet Gateway (including one firewall module and management server) that protects 25 nodes or IP addresses. The number included with the product name pertains to the number of IP addresses a user needs to protect: e.g., 25/50/100/250/Unlimited.
• The GUI is available only for Win95/98/NT and Motif. The exam focuses on the GUI, not the command line. The three different GUIs are: Security Policy Editor for setting up the security settings, Log Viewer for viewing the logs, and System Status tool for viewing the current statistics of different firewall components. Network Object Manager is a function within the Policy Editor,
which is for creating objects so that we can place the objects in the rule base and set up corresponding security rules.
• FWD (the Firewall Daemon) is the process responsible for moving data between the components.
• When the server is started and the Firewall-1 services have not finished loading, the server's own IP forwarding function can provide hackers with security holes to get in. This is the specific vulnerable window we need to pay attention to. The best way is to let Firewall-1 control the server's IP forwarding function.
Firewall-1 as a service in Control Panel – Services
Remote Management Putkey Configuration
Putkeys must be exchanged for both the Management Server and the Firewall Gateway before remote management can take place. The steps for configuring the Management Station and Firewall are as follows:
Configure the key (password) used by master and remote devices to authenticate sessions.
• From the OS prompt change directory to $FWDIR\bin
• Add the authorisation key to be used by the master to authenticate to the remote device (e.g., password = abc123, sample IP address = 205.30.32.111)
fw putkey -p abc123 205.30.32.111
Edit the masters file on the computer with the firewall module.
• From the OS prompt change directory to $FWDIR\conf
• Add the IP of the management station to the masters file
echo 205.30.32.111 > masters
Stop and start the Firewall, causing it to re-read the local masters file. This in turn allows the Management Station to remotely install the security policy.
• From the OS prompt change directory to $FWDIR\bin
• Type fwstop, press Enter; type fwstart, press Enter
• When the FW-1 started message appears, exit the command window.
An authentication key is required for each firewall that the management console will remotely manage. This is achieved by using the fw putkey command with the following arguments:
fw putkey -p password firewall-module-ipaddress
To remove remote management, remove the masters file from the $FWDIR/conf directory and reboot the Firewall.
Administrator Access
• You can set up as many administrator accounts as you like.
• When logging on, you must supply the user name, password and the name or IP address of the management server
Log in
The administrator can have four different levels of access rights:
1. Monitor Only - Read Only access to the log viewer and system status tool
2. Read Only - includes Monitor Only rights, plus Read Only rights to the
Security Policy Editor
3. User Access - administrator can modify user information, but nothing else
4. Read/Write Access - administrator can do everything. Only one administrator
at a time can log in using this mode
Administrators access mode
Security Policy
• Definition: a set of rules that collectively determine what traffic is allowed and what is not
• Enforcement Directions: there are three different directions
1. Inbound (default)
2. Outbound
3. Eitherbound
• Inbound – If an inbound rule is applied, packets going into the FireWall are checked
• Outbound – If an outbound rule is applied, packets leaving the FireWall are checked
• Eitherbound – If an eitherbound rule is applied, packets going into and leaving the Firewall are checked. Checking traffic both ways is CPU intensive.
The effective security settings are a combination of settings found in the Security Policy Properties and the Rule Base. Packets are matched in the following order:
• Anti-Spoofing
• Any properties marked FIRST in the Security Policy Properties
• Rule Base order (except for the last rule)
• Any properties marked BEFORE LAST in the Security Policy Properties
• The Rule Base's last rule
• Any properties marked LAST in the Security Policy Properties
• Implicit Drop Rule (drop everything not mentioned above)
Sample Rule Base
• Define a Rule in the Rule Base - you must specify a minimum of Source, Destination, Service, Action, and where to install the policy (e.g., the enforcement point, generally the default Gateway).
• Implicit Drop Rule – Drops everything without logging.
• Explicit Clean-up Rule – As you will probably want to know what other traffic is attempting to come through the Firewall, you should create an explicit clean-up rule and add logging. This should be the last rule in the rule base and needs the following details: ANY - ANY - ANY – DROP – LONG
• Stealth Rule - The first rule in the rule base; it prevents direct access to the firewall itself.
Note: Rule Base order is very important. The Firewall will implement rules in a top-down order.
Verify the Rule Base to ensure the rule base settings are usable.
Install the Rule Base so that Firewall-1 will compile the rules, generate the corresponding script, and run it in the enforcement point.
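The matching order above is easiest to see in a small simulator. The following is an added example and not part of the Cramsession or of Firewall-1 itself: the rule names, the "control-connection" service label, the gateway address 192.0.2.1 and the internal network 10.0.0.0/8 are all constructed. It walks a packet through anti-spoofing, FIRST properties, the rule base minus its last rule, BEFORE LAST properties, the last rule, LAST properties and the implicit drop, and shows why a stealth rule and a logged clean-up rule change the outcome.

```python
# Added example, not from the Cramsession: a simulator of the Firewall-1
# matching order listed above. Rule names, the service labels and the
# sample traffic are constructed for illustration only.
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str       # CIDR network, or "any"
    dst: str       # CIDR network, or "any"
    service: str   # constructed service label such as "tcp/80", or "any"
    action: str    # "accept", "drop" or "reject"
    log: bool = False


def _ip_in(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def rule_matches(rule, pkt):
    return (_ip_in(rule.src, pkt["src"]) and _ip_in(rule.dst, pkt["dst"])
            and rule.service in ("any", pkt["service"]))


def evaluate(pkt, valid_sources, first, explicit, before_last, last):
    """Return (action, matched_by) for one packet, walking the stages in the
    order the guide gives: anti-spoofing, FIRST properties, the rule base
    except its last rule, BEFORE LAST properties, the last rule, LAST
    properties, and finally the implicit drop."""
    # Anti-spoofing: the source must belong to the arrival interface's valid addresses.
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(valid_sources):
        return "drop", "anti-spoofing"
    stages = [
        ("FIRST", first),
        ("rule base", explicit[:-1]),
        ("BEFORE LAST", before_last),
        ("last rule", explicit[-1:]),
        ("LAST", last),
    ]
    for stage, rules in stages:
        for r in rules:
            if rule_matches(r, pkt):
                return r.action, f"{stage}: {r.name}"
    return "drop", "implicit drop (not logged)"


GATEWAY = "192.0.2.1"          # constructed firewall address
INTERNAL = "10.0.0.0/8"        # constructed internal network

# Implied rule generated from a property marked FIRST (constructed name and service).
FIRST_PROPS = [Rule("control-connections", "10.0.0.2/32", GATEWAY + "/32",
                    "control-connection", "accept")]
# Explicit rule base: stealth rule first, logged clean-up rule last, as the guide recommends.
RULE_BASE = [
    Rule("stealth", "any", GATEWAY + "/32", "any", "drop", log=True),
    Rule("allow-web", INTERNAL, "any", "tcp/80", "accept", log=True),
    Rule("clean-up", "any", "any", "any", "drop", log=True),
]


def demo():
    """Evaluate constructed packets arriving on the internal interface."""
    def run(src, dst, service, explicit=RULE_BASE):
        pkt = {"src": src, "dst": dst, "service": service}
        return evaluate(pkt, INTERNAL, FIRST_PROPS, explicit, [], [])

    return {
        # A FIRST property is matched before the stealth rule can drop it.
        "mgmt_to_gateway": run("10.0.0.2", GATEWAY, "control-connection"),
        # Ordinary traffic aimed at the firewall itself hits the stealth rule.
        "web_to_gateway": run("10.1.1.5", GATEWAY, "tcp/80"),
        "web_out": run("10.1.1.5", "198.51.100.7", "tcp/80"),
        # Telnet is not allowed: the explicit clean-up rule drops it with logging.
        "telnet_out": run("10.1.1.5", "198.51.100.7", "tcp/23"),
        # Without a clean-up rule the same packet falls to the unlogged implicit drop.
        "telnet_no_cleanup": run("10.1.1.5", "198.51.100.7", "tcp/23", RULE_BASE[:2]),
        # An external source on the internal interface fails anti-spoofing first.
        "spoofed": run("198.51.100.9", "198.51.100.7", "tcp/80"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} -> {result}")
```

The "telnet_no_cleanup" case is the reason the guide asks for an explicit clean-up rule: the packet is dropped either way, but only the explicit rule produces a log record that the Log Viewer can show.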
The Security Policy Tab (Rule 0)
Applying Gateway Rules to Interface Direction
• Inbound (Default) – Enforces the security policy only on packets entering the Gateway. Packets will be allowed to leave ONLY if Accept Outgoing Packets is selected.
• Outbound - Enforces the security policy only on packets leaving the Gateway. A rule can still be enforced in the incoming direction by selecting Destination under Install On and specifying the Gateway in the Rule Base. At least one rule like this must be present or no packets will be allowed to enter the gateway.
• Eitherbound - Enforces the security policy on packets both entering and leaving the Gateway. Firewall-1 inspects packets twice, once on entry and again when leaving.
TCP Session Timeout – Specify the time in seconds after which a TCP session times out.
Accept UDP Replies – Check to accept reply data in a two-way UDP communication.
UDP Virtual Session Timeout – Specify the time in seconds a UDP reply channel remains open without packets being returned.
Enable Decryption on Accept – Check to decrypt incoming, accepted packets even when the rule does not include encryption.
Implied Rules: Implied rules are generated in the Rule Base for global properties. Check the properties enforced in the Security Policy and then choose a position in the Rule Base for the implied rule.
First – place first in the Rule Base
Before last – place before the last rule in the Rule Base
Last – place as the last rule in the Rule Base
Accept VPN/Firewall-1 Control Connection – Used by Firewall-1 for communication between Firewall daemons on different machines and for connecting to external servers such as RADIUS and TACACS.
Accept RIP – Check to accept RIP used by the routed daemon.
Accept Domain Name Over UDP (Queries) – Check to accept DNS queries used by named.
named resolves names by associating them with their IP address. If named does not know the IP address of a host name, it issues a query to the name server on the Internet. UDP replies must therefore be enabled to receive the replies.
Accept Domain Name Over TCP (Zone Transfer) – Check to allow upload of Domain Name resolving tables.
Accept ICMP – Check to accept Internet Control Messages. This protocol is used to ensure proper and efficient operation of IP.
Accept Outgoing Packets Originating From Gateway – Check to accept all outgoing packets from Firewall-1, not from the internal network. Gateway rules are usually enforced in the inbound direction. When packets passing through the Gateway leave, they will be allowed to pass only if one of the following conditions is true:
• Accept Outgoing Packets property is checked
• Rules are enforced in both directions (Eitherbound), and there is a rule to allow packets to leave the Gateway.
Log Implied Rules – Implied rules are generated in the Rule Base from the properties defined in this window. If this is checked, Firewall-1 generates log records for communications matching the implied rules.
Install Security Policy only if it can be successfully installed on ALL selected targets – The Security Policy will either be installed on all or none of the selected targets. Allows the Administrator to ensure the same Security Policy is being enforced at all enforcement points.
Rule Base
Possible Rule Base actions include
• Accept
• Reject - reject the packet and inform the sender
• Drop - reject without informing the sender
• User Auth - use User Authentication on this packet
• Session Auth - use Session Authentication on this packet
• Client Auth - use Client Authentication on this packet
• Encrypt - encrypt outgoing and decrypt incoming traffic; used with the extra VPN module, not covered in this exam
• Client Encrypt - encrypt outgoing and decrypt incoming traffic with the help of
a secure remote client
Rule Base Actions
System Status Tool
• Tells the number of packets dropped/rejected/inspected/logged
• Tells whether or not a security policy is installed on the firewall, the name of the policy installed, and the date the security policy was installed on the firewall
• The most important display shows the status of the Firewall-1 daemon: INSTALLED (daemon is running, and a security policy is installed), NOT INSTALLED (daemon is running, but no security policy is installed), or DISCONNECTED (no response from the daemon at all)
Content Security
• Uses CVP (Content Vectoring Protocol), a TCP-based protocol developed by Checkpoint that uses port 18181 to transparently re-route the data stream to an external content scanning server. A CVP server object needs to be created for content security to work
• Supports SMTP, HTTP and FTP; each has a corresponding resource object type that can be defined in the rule base
• SMTP security functions: hides the outgoing email's FROM field, redirects email sent to given TO or CC addresses, drops emails from particular senders or messages above a particular size, strips MIME attachments, strips the RECEIVED field, and transparently relays email to a third-party anti-virus server
• FTP security functions: controls the GET and PUT operations, and transparently relays the data stream to a third-party anti-virus server
• HTTP security functions: URL screening, blocks Java code, strips all the script/applet/ActiveX tags in the HTML code (known as HTML weeding), and anti-virus using a third-party server
• URI (Uniform Resource Identifier) is the resource object type for HTTP
Anti - Spoofing
• Configuration done in Firewall's Interface properties - Valid Addresses section
• Possible options:
o Any - the default choice, no anti-spoof config in place
o No Security Policy - nothing at all
o Others - all packets are allowed except those with source IP addresses from networks listed under Valid Addresses for this object's other interfaces
o Others+ - same as Others, but packets from addresses listed under the Others+ section are allowed
o This Net - only packets from the network attached to this interface are allowed
o Specific - only packets from a specifically defined object we define are allowed
Network Address Translation (NAT)
Conceals internal computers and users from outside networks and is a separate component of the Firewall-1 security policy. NAT changes (translates) or hides IP addresses.
Classful Addressing
Invalid/Reserved Addresses        Class                   Network Range
10.0.0.0 - 10.255.255.255         1 Class A Network       10.0.0.0
172.16.0.0 - 172.31.255.255       16 Class B Networks     172.16-31.0.0
192.168.0.0 - 192.168.255.255     256 Class C Networks    192.168.0-255.0
Firewall-1 translates packet addresses transparently. This is done in the kernel module before they reach their destination. NAT updates its internal table and translates the packet. When the packet leaves, Firewall-1 rewrites the invalid/reserved IP address to its original legal address. This takes place in the ADDRESS TRANSLATION MODULE.
The KERNEL MODULE does NOT translate addresses.
• It verifies packet addresses before passing them out from an internal network
• It verifies packet addresses before passing them to the address translation module
NAT Modes
STATIC SOURCE MODE – Translates invalid/reserved INTERNAL addresses to legal IP addresses when packets EXIT an internal network.
STATIC DESTINATION MODE – Translates legal INTERNAL addresses to invalid/reserved IP addresses when packets ENTER an internal network.
HIDE MODE – Hides one or more invalid/reserved IP addresses behind one legal IP address.
• Static Mode translates addresses using a one-to-one relationship.
• When generating address translation rules automatically, static source and destination mode rules are always generated in pairs.
Applying NAT Modes
To add address translation modes to Firewall–1, you edit or add network objects,
servers, gateways and routers. Define source or destination static mode by placing
the network object as source or destination in the Rule Base.
NAT Rule Base
When defining network objects during set-up of Firewall-1, NAT rules are generated automatically. You can add or edit rules manually alongside the automatically generated rules for complete control over Firewall-1 NAT. Firewall-1 validates address translation rules, helping avoid mistakes in the set-up process.
For complete control over Firewall-1 address translation you can do one or more of the following:
• Specify objects by name or IP address
• Restrict rules to specific destination and/or source IP addresses
• Translate source and destination IP addresses in the same packet
• Restrict rules to specific services (Ports)
• Translate ports
NAT Rules
Each of the address translation rules consists of the following three elements:
1. Conditions that specify when a rule is to be applied
2. Action to be taken when the rule is applied
3. The network object to enforce the action
When rule is applied    Action to be taken
Original Packet         Define source, destination and service
Translated Packet       Define source, destination and service
Install On              Define firewall objects to enforce this rule
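To make the three NAT modes and the Original/Translated Packet columns concrete, here is an added example that is not part of the Cramsession or of Firewall-1: a toy translation table that applies Static Source, Static Destination and Hide mode to constructed packets. The internal addresses (10.0.0.5, 10.0.1.0/24), the legal addresses (203.0.113.5, 203.0.113.1) and the way Hide mode allocates ports from a counter are assumptions made for the illustration; the static pair is registered together, as the guide says it is generated.

```python
# Added example, not from the Cramsession: a toy address translation table
# that applies the three NAT modes to constructed packets. Addresses, ports
# and the port-allocation scheme used for Hide mode are assumptions.
import ipaddress


class NatTable:
    def __init__(self, hide_behind=None):
        self.static = {}            # internal invalid/reserved address -> legal address
        self.hide_behind = hide_behind
        self.hide_nets = []         # networks hidden behind hide_behind
        self.hide_map = {}          # allocated port -> (internal address, original port)
        self._next_port = 10000     # constructed port pool for Hide mode

    def add_static(self, internal, legal):
        """One-to-one mapping; Static Source and Static Destination form a pair."""
        self.static[internal] = legal

    def add_hide(self, network):
        self.hide_nets.append(ipaddress.ip_network(network))

    def outbound(self, pkt):
        """Packet EXITING the internal network: Static Source first, then Hide."""
        pkt = dict(pkt)
        src = pkt["src"]
        if src in self.static:
            pkt["src"] = self.static[src]
        elif self.hide_behind and any(ipaddress.ip_address(src) in n for n in self.hide_nets):
            port = self._next_port
            self._next_port += 1
            self.hide_map[port] = (src, pkt["sport"])
            pkt["src"], pkt["sport"] = self.hide_behind, port
        return pkt

    def inbound(self, pkt):
        """Packet ENTERING the internal network: Static Destination, or the
        reverse of an existing Hide mapping. Unknown traffic is left untouched."""
        pkt = dict(pkt)
        legal_to_internal = {legal: internal for internal, legal in self.static.items()}
        if pkt["dst"] in legal_to_internal:
            pkt["dst"] = legal_to_internal[pkt["dst"]]
        elif pkt["dst"] == self.hide_behind and pkt["dport"] in self.hide_map:
            pkt["dst"], pkt["dport"] = self.hide_map[pkt["dport"]]
        return pkt


def demo():
    nat = NatTable(hide_behind="203.0.113.1")
    nat.add_static("10.0.0.5", "203.0.113.5")      # a server with its own legal address
    nat.add_hide("10.0.1.0/24")                    # client subnet hidden behind one address
    out_static = nat.outbound({"src": "10.0.0.5", "sport": 1234, "dst": "198.51.100.7", "dport": 80})
    back_static = nat.inbound({"src": "198.51.100.7", "sport": 80, "dst": "203.0.113.5", "dport": 1234})
    out_hide_a = nat.outbound({"src": "10.0.1.7", "sport": 40000, "dst": "198.51.100.7", "dport": 80})
    out_hide_b = nat.outbound({"src": "10.0.1.8", "sport": 40000, "dst": "198.51.100.7", "dport": 80})
    back_hide_b = nat.inbound({"src": "198.51.100.7", "sport": 80, "dst": "203.0.113.1",
                               "dport": out_hide_b["sport"]})
    unmapped = nat.inbound({"src": "198.51.100.7", "sport": 80, "dst": "203.0.113.1", "dport": 2222})
    return {
        "out_static": (out_static["src"], out_static["sport"]),
        "back_static": (back_static["dst"], back_static["dport"]),
        "out_hide_a": (out_hide_a["src"], out_hide_a["sport"]),
        "out_hide_b": (out_hide_b["src"], out_hide_b["sport"]),
        "back_hide_b": (back_hide_b["dst"], back_hide_b["dport"]),
        "unmapped": (unmapped["dst"], unmapped["dport"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result}")
```

Two hidden clients using the same source port 40000 get distinct ports on the legal address, which is what lets the reply for client B be mapped back; the "unmapped" case shows that an inbound packet with no matching table entry is not translated at all, so under Hide mode nothing outside can initiate a connection to a hidden host.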
Address Resolution Protocol (ARP)
ARP resolves IP Addresses to hardware MAC Addresses.
ARP Request for Local Network
• IP determines that the address it wants to send to is on the local network
• The source host checks its own list (ARP cache) for the MAC of the destination host
• If no match is found, ARP builds a request which includes its own IP and MAC and broadcasts for the IP and MAC address of the destination host
• Every host on the local network responds to the broadcast by checking if the IP address of the destination host matches its own
• The destination host recognises a match and sends an ARP reply directly to the sending host with its MAC address
• The ARP cache on both hosts is updated
• When the source host receives the reply, communication is established between them
ARP Request for Remote Network
• The source host determines that the IP address it wants is not on the local
network
• The local host checks its local route table for a path to the remote host or network
• If no path is found, the source host determines the IP address of the default gateway and checks its ARP cache for an IP to MAC address mapping for the gateway
• The source host sends the data packet to the router
• The router then handles the process beyond this point
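The local and remote cases above can be simulated end to end. The following is an added example, not from the Cramsession: four constructed hosts share one segment (192.168.1.0/24), a sending host has one static route plus a default gateway, and the functions return which next hop was chosen, which MAC was obtained, and whether a broadcast was needed or the ARP cache already held the answer. The hosts, addresses and MACs are all made up for the illustration.

```python
# Added example, not from the Cramsession: a simulation of the local and
# remote ARP cases described above. Hosts, addresses and MACs are constructed.
import ipaddress


class Host:
    def __init__(self, ip, mac, network, default_gateway, routes=None):
        self.ip, self.mac = ip, mac
        self.network = ipaddress.ip_network(network)
        self.default_gateway = default_gateway
        self.routes = [(ipaddress.ip_network(n), hop) for n, hop in (routes or [])]
        self.arp_cache = {}         # IP address -> MAC address


def arp_broadcast(sender, target_ip, segment):
    """Every host on the segment receives the request; only the owner of
    target_ip replies, and both caches are updated. Returns the MAC or None."""
    for host in segment:
        if host.ip == target_ip:
            host.arp_cache[sender.ip] = sender.mac      # responder learns the requester
            sender.arp_cache[host.ip] = host.mac        # requester learns from the reply
            return host.mac
    return None


def next_hop(host, dst_ip):
    """Local network -> the destination itself; otherwise a route-table entry,
    falling back to the default gateway."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in host.network:
        return "local", dst_ip
    for net, hop in host.routes:
        if dst in net:
            return "route", hop
    return "default-gateway", host.default_gateway


def resolve(host, dst_ip, segment):
    """Return (scope, next-hop IP, next-hop MAC, whether a broadcast was needed)."""
    scope, hop = next_hop(host, dst_ip)
    if hop in host.arp_cache:
        return scope, hop, host.arp_cache[hop], False
    return scope, hop, arp_broadcast(host, hop, segment), True


def demo():
    a = Host("192.168.1.10", "aa:aa:aa:aa:aa:aa", "192.168.1.0/24", "192.168.1.1",
             routes=[("10.0.0.0/8", "192.168.1.254")])
    b = Host("192.168.1.20", "bb:bb:bb:bb:bb:bb", "192.168.1.0/24", "192.168.1.1")
    gw = Host("192.168.1.1", "11:11:11:11:11:11", "192.168.1.0/24", "192.168.1.1")
    r2 = Host("192.168.1.254", "22:22:22:22:22:22", "192.168.1.0/24", "192.168.1.1")
    segment = [a, b, gw, r2]
    return {
        "local_first": resolve(a, "192.168.1.20", segment),    # broadcast needed
        "local_cached": resolve(a, "192.168.1.20", segment),   # answered from cache
        "b_learned_a": b.arp_cache.get(a.ip),                  # responder's cache updated too
        "remote_default": resolve(a, "198.51.100.7", segment), # no route: default gateway
        "remote_routed": resolve(a, "10.2.3.4", segment),      # route-table entry wins
        "no_such_host": resolve(a, "192.168.1.99", segment),   # nobody replies
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```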
Routing Issues
With Firewall–1 there are two routing issues:
1. Ensuring packets reach the gateway
2. Ensuring the gateway forwards packets to the correct interface and host
Static Source or Hide modes
When using Static Source or Hide modes, you must ensure the translated (legal) addresses are published so that replies will be routed back to the Firewall.
For NT systems the ARP command does not allow permanent entries. Checkpoint created the following feature:
\Winnt\fw\state\local.arp
Format of local.arp is:
IP Address <TAB> External MAC Address
Stop and start the Firewall-1 service after creating this file.
Static Destination
When using Static Destination mode translation, translation takes place in the
firewall AFTER internal routing, but BEFORE transmission. To ensure the packet is
correctly routed use static routing.
Defining NAT
NAT in the Rule Base
Authentication

Feature               User Authentication                Client Authentication                  Session Authentication
Transparent           Yes                                No (the user signs on to the           Yes
                                                         firewall: Telnet port 259 or
                                                         HTTP port 900)
Connection services   FTP, HTTP, HTTPS, Telnet, RLOGIN   All services                           All services
Client software       None (password entered through     None                                   Session Authentication Agent
                      the client application's prompt)                                          required on the client
User Authentication
• The client initiates a connection to the destination server
• FireWall-1 intercepts the same connection (through the security server for that service) and asks the user to authenticate
• The client responds with username and password
• FireWall-1 allows the connection through to the destination
Transparent user authentication is FireWall-1's default; the user must provide:
• Username and password for the gateway
• Username and password for the target host
Client Authentication
• The client initiates a Telnet (port 259) or HTTP (port 900) connection to the firewall itself; FireWall-1 requests the client's username and password and verifies them
• FireWall-1 then recognises the client's IP address and allows access to the destination server. The authorisation ends on time-out, on sign-off, or when the permitted number of sessions has been used. Because it is tied to the IP address, any other user on a shared host with that address inherits the authorisation while it lasts.
Session Authentication
• The client attempts to contact the server
• FireWall-1 holds the packet and contacts the Session Authentication Agent on the client
• The agent opens a window on the client's screen
• The user enters username and password
• The agent sends the username and password to FireWall-1
• FireWall-1 accepts them and allows the connection to the server
Implicit Client Authentication
Extends access privileges to a specific client without requiring the user to open an additional sign-on session on the gateway.
If the client has already authenticated under a User or Session Authentication rule, FireWall-1 knows which user is at that client and a separate Client Authentication sign-on is not necessary.
If implicit client authentication is enabled and the automatic sign-on rule is opened, all the standard sign-on rules are opened as well. Define the rules in the following order:
• User Authentication rules for HTTP
• Client Authentication rules
• User and Session Authentication rules for non-HTTP services
The first connection from a client is handled by the User and Session Authentication rules; once the user is known, later connections from that client match the Client Authentication rules.
User Authentication rules are always applied for HTTP so that the connection passes through the FireWall-1 HTTP security server. Client Authentication rules do NOT use the security servers, and if one matched first the browser would send the user's authentication password straight to the HTTP server.
Internal Authentication Schemes
• S/Key - a one-time password scheme (each response is one link of a hash chain and is never reused), the most secure form of internal authentication
• FireWall-1 Password - the user enters the password assigned in the FireWall-1 user definition (the user does NOT require an OS account on the firewall)
• OS Password - the user enters an operating system password and must have an OS account on the firewall
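How S/Key one-time passwords work, as an added example (not Check Point's implementation): the RFC 2289 otp-md5 variant of the scheme, with a minimal verifier that stores only the sequence number, the seed and the last accepted value, so a response captured on the wire cannot be replayed. The passphrase and seed used in the usage note are the RFC 2289 test vector; the SkeyVerifier class and its method names are assumptions made for this example, and MD5 stands in for the original MD4 because MD4 is frequently absent from hashlib.

```python
"""S/Key style one-time passwords, RFC 2289 "otp-md5" variant.

Added example, not Check Point code.  Shows why a sniffed S/Key response
is useless: each response is one link of a hash chain, the verifier keeps
only the link it expects next, and a replayed response fails.
"""
import hashlib


def fold(digest):
    """Fold a 16-byte MD4/MD5 digest to 64 bits by XORing its two halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp(passphrase, seed, count, algo="md5"):
    """One-time password number 'count' for this passphrase and seed.

    RFC 2289: hash(lowercase(seed) || passphrase), fold to 64 bits, then
    hash-and-fold 'count' more times.  MD4 (original S/Key) is often
    missing from hashlib, so MD5 is the default here.
    """
    def step(data):
        return fold(hashlib.new(algo, data).digest())

    value = step((seed.lower() + passphrase).encode("ascii"))
    for _ in range(count):
        value = step(value)
    return value


class SkeyVerifier:
    """Server side: keeps the sequence number, the seed and the last accepted
    OTP; the passphrase itself is never stored.  (Class and method names are
    assumptions for this example.)"""

    def __init__(self, passphrase, seed, n, algo="md5"):
        self.seed, self.algo, self.seq = seed, algo, n
        self.stored = otp(passphrase, seed, n, algo)   # computed once, at enrolment

    def challenge(self):
        """What the user is prompted with; the expected response is otp(seq - 1)."""
        return "otp-%s %d %s" % (self.algo, self.seq - 1, self.seed)

    def verify(self, response):
        """Accept iff one more hash step turns the response into the stored link."""
        if self.seq <= 0:
            return False                        # chain exhausted; re-initialise the user
        if fold(hashlib.new(self.algo, response).digest()) != self.stored:
            return False                        # wrong passphrase, or a replayed response
        self.stored, self.seq = response, self.seq - 1   # move one link down the chain
        return True
```

With the RFC 2289 vector (passphrase "This is a test.", seed "TeSt") the count-0 value is 9E87 6134 D904 99DD. A verifier initialised with n=99 challenges for otp 98; presenting otp(…, 98) succeeds once, presenting the same value again fails because the stored link has already moved to 98, and only otp(…, 97) is accepted next. The chain must be re-initialised with a new seed before the sequence number reaches zero.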
External Authentication Schemes
• SecurID - the user enters the Security Dynamics PASSCODE (PIN plus the token code)
• RADIUS - (Remote Authentication Dial In User Service) the user is prompted for a response that FireWall-1 checks against the RADIUS server
• AXENT Pathways Defender - the user is prompted for a response that is checked against the AXENT server
• TACACS - (Terminal Access Controller Access Control System) the user is prompted for a response that is checked against the TACACS server
Use a generic user account for external authentication schemes (the individual users are defined on the external server) to avoid the overhead of maintaining duplicate user accounts in FireWall-1.
Firewall–1 GUIs
Firewall–1 has three GUI programs
• Log Viewer
• System Status
• Policy Editor
Log Viewer GUI
The management server reads the log file and sends the data to the GUI client for
display. The GUI client only displays the data.
Log Viewer Logon
To logon you require:
• Username
• Password
• Management Server
Modes
• Security Log - shows all security-related events
• Accounting Entries - shows Elapsed, Bytes and Start Date in addition to the security log fields
• Active Connections - views the connections currently open through the firewall; shows Elapsed, Bytes, Start Date and Connection ID in addition to the security log fields
Log File
• New Log File - creating a new log file closes the current log, which is written to disk under a name containing the current date and time; the old entries remain available
• Purge Log File - deletes ALL entries in the log file regardless of the current selection criteria; this is irreversible, so when the entries may be needed as evidence rotate with New Log File instead
• Print Log File - only log entries that match the current selection criteria are printed
• Save Log File - only records that match the current selection criteria are saved to the file
System Status GUI
System Status Updates
Before FireWall-1 updates the status display it sends a status request message to every firewalled object. The following information is obtained:
• Date the security policy was installed on the object
• Firewalled object's status
• Firewalled object's name
• Rule Base name (the file containing the rule base)
• Date and time the firewalled object's status was last updated
Alerts
The FireWall module sends alerts to the Management Server, which forwards them to the GUI client. The alert window offers the following actions:
• Play Sound
• Show this Window
• Clear
• Dismiss
Changes to Firewalled Objects - Action on Transition:
Alert       Issue an alert (defined in the Properties set-up screen)
Mail        Issue a mail alert (defined in the Properties set-up screen)
SNMP Trap   Issue an SNMP trap (defined in the Properties set-up screen)
Solving SYN Flood Problem
• Definition: a simple type of denial of service attack that can halt a mission-critical service by exhausting the server's table of half-open connections
• The normal TCP three-way handshake:
1. SYN - the client sends a SYN segment to the server, asking to open a connection
2. SYN/ACK - the server acknowledges the client's SYN and sends its own SYN, recording a half-open connection
3. ACK - the client acknowledges the server's SYN and the connection is established
• In a SYN flood the attacker sends the target server a large volume of SYN segments with spoofed source IP addresses
• The server replies with SYN/ACKs to hosts that never answer; each half-open connection occupies a slot in the server's backlog until the server's own timer expires, and once the backlog is full legitimate connection attempts are refused
• FireWall-1 uses SYNDefender to protect against SYN flood attacks; it has three modes
SYN Relay
• The firewall completes the three-way handshake with the client itself and only then opens a connection to the original destination and forwards the data
• Safest from the server's point of view: the server never sees a half-open connection
• A connection reaches the server only after the firewall has validated the client
SYN Gateway
• The firewall forwards the SYN to the original destination and, when the server's SYN/ACK arrives, acknowledges it immediately on the client's behalf (so the server's backlog slot is released) while passing the SYN/ACK on to the client; it then waits for the client's ACK before allowing the connection to actually start
• If the client's ACK never arrives the server is left with an established but idle connection, which the firewall resets when its timer expires
Passive SYN Gateway
• The firewall forwards the SYN and the server's SYN/ACK but does not acknowledge the server itself; until the client's ACK arrives the connection remains half-open on the server
• The firewall keeps track of the handshake state
• If the timer expires before the client's ACK arrives, the firewall sends a reset (RST) segment that closes the connection on the server
• The timeout value is critical: it determines how long the firewall waits for an ACK before treating the connection as part of a SYN attack, and it must be shorter than the server's own half-open timeout or Passive SYN Gateway frees nothing the server would not have freed itself
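The three SYNDefender modes as a small simulation, an added example that is not Check Point's code: a firewall state machine sits between a client and a server, and the same single SYN is run through it once from a client that answers and once from a spoofed source that never does. The Seg tuple, the Server model, the 0.1 second delivery delay and the 2 second timeout are assumptions made for this example.

```python
"""SYNDefender modes (Relay, Gateway, Passive Gateway) as a state machine.

Added example, not Check Point code.  Segments are (src, dst, flags) tuples;
the Server model and all timing values are assumptions for the example.
"""
from collections import namedtuple

Seg = namedtuple("Seg", "src dst flags")          # flags: SYN, SYN/ACK, ACK, RST
CLIENT, SERVER = "client", "server"


class SynDefender:
    def __init__(self, mode, timeout):
        assert mode in ("relay", "gateway", "passive")
        self.mode, self.timeout = mode, timeout
        self.pending = {}                         # client -> deadline for its ACK

    def on_segment(self, seg, now):
        """Segments the firewall emits in reaction to one incoming segment."""
        out = []
        if seg.dst == SERVER and seg.flags == "SYN":
            self.pending[seg.src] = now + self.timeout
            if self.mode == "relay":
                out.append(Seg(SERVER, seg.src, "SYN/ACK"))   # answer for the server
            else:
                out.append(seg)                               # pass the SYN to the server
        elif seg.src == SERVER and seg.flags == "SYN/ACK" and seg.dst in self.pending:
            client = seg.dst
            if self.mode == "relay":              # client already validated: splice
                out.append(Seg(client, SERVER, "ACK"))
                del self.pending[client]
            else:
                if self.mode == "gateway":        # free the server's backlog slot now
                    out.append(Seg(client, SERVER, "ACK"))
                out.append(seg)                   # SYN/ACK on to the client
        elif seg.dst == SERVER and seg.flags == "ACK" and seg.src in self.pending:
            client = seg.src
            if self.mode == "relay":              # handshake with the client is done,
                self.pending[client] = None       # now open the real connection
                out.append(Seg(client, SERVER, "SYN"))
            else:
                del self.pending[client]          # handshake complete
                out.append(seg)                   # passive mode needs this ACK
        return out

    def tick(self, now):
        """Expire half-open handshakes; the gateway modes reset them on the server."""
        out = []
        for client, deadline in list(self.pending.items()):
            if deadline is not None and now >= deadline:
                del self.pending[client]
                if self.mode != "relay":
                    out.append(Seg(client, SERVER, "RST"))
        return out


class Server:
    """Target host: tracks half-open and established connections."""

    def __init__(self):
        self.half_open, self.established = set(), set()

    def receive(self, seg):
        if seg.flags == "SYN":
            self.half_open.add(seg.src)
            return [Seg(SERVER, seg.src, "SYN/ACK")]
        if seg.flags == "ACK" and seg.src in self.half_open:
            self.half_open.discard(seg.src)
            self.established.add(seg.src)
        if seg.flags == "RST":
            self.half_open.discard(seg.src)
            self.established.discard(seg.src)
        return []

    def state(self):
        return (len(self.half_open), len(self.established))


def simulate(mode, client_answers, timeout=2.0):
    """One SYN through the firewall; client_answers=False models a spoofed source.
    Returns the server's (half-open, established) counts before and after the
    SYNDefender timer fires."""
    fw, srv = SynDefender(mode, timeout), Server()
    queue = [(0.0, Seg(CLIENT, SERVER, "SYN"))]
    now = 0.0
    while queue:
        now, seg = queue.pop(0)
        for out in fw.on_segment(seg, now):
            if out.dst == SERVER:
                queue += [(now + 0.1, s) for s in srv.receive(out)]
            elif out.flags == "SYN/ACK" and client_answers:
                queue.append((now + 0.1, Seg(CLIENT, SERVER, "ACK")))
    before = srv.state()
    for out in fw.tick(now + timeout + 1.0):      # nothing more arrives; timer fires
        srv.receive(out)
    return {"before_timeout": before, "after_timeout": srv.state()}
```

simulate("relay", False) never touches the server at all; simulate("gateway", False) leaves the server with one established but idle connection until the RST; simulate("passive", False) leaves one half-open connection on the server until the RST, which is why the passive timeout must be shorter than the server's own. With a genuine client all three modes end with one established connection.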
Special thanks to Garnet D Newton-Wade for contributing this Cramsession.