Check Point NGX R65 Security Administration

Book Description

Check Point NGX R65 is the next major release of Check Point's flagship firewall software product, which has over 750,000 registered users. Check Point's NGX is the underlying security software platform for all of the company's enterprise firewall, VPN, and management solutions. It enables enterprises of all sizes to reduce the cost and complexity of security management and to ensure that their security systems can be easily extended to adapt to new and emerging threats. This title is a continuation of Syngress' best-selling references on Check Point's market-leading firewall and VPN products.

* First book to market covering Check Point's new, flagship NGX R65 Firewall/VPN.
* Provides bonus coverage for Check Point's upcoming NGX R65 Certification exams.
* Companion Web site offers customized scripts for managing log files.

Table of Contents

  1. Copyright
  2. Technical Editor
  3. Assistant Technical Editor
  4. Contributing Authors
  5. 1. NGX R65 Operational Changes
    1. Introduction
    2. New SmartPortal Features
      1. Eventia Correlation Unit and Eventia Analyzer Server
      2. SmartView Tracker
        1. IPv6 Reporting
        2. DNS Implementation
        3. Remote License Management
        4. Eventia Reporter on Multiple Versions of SmartCenter Management
        5. Eventia Reporter and Analyzer Integration
    3. New FireWall-1/VPN-1 Features
      1. SmartDefense Profiles
      2. AMT Support
      3. Aggressive Aging
      4. Cooperative Enforcement
        1. Monitor-Only Deployment Mode
        2. Handling an Unauthorized Host
      5. Internal URL Web Filtering
      6. Internal Antivirus Scanning
        1. Signature Updates
        2. Continuous Download
        3. Scanning Files
      7. Layer 2 Firewalling
      8. VoIP Features
      9. SYN Cookies
    4. Edge Support for CLM
      1. Management Plug-In System
      2. Connectra Management
        1. Connectra Tab
        2. Provider-1 Support
        3. SmartView Monitor
    5. Integrity Advanced Server
    6. New VPN Features
      1. Understanding the New VPN Options
        1. Allowing Directional VPN Rules
        2. Allowing Backup Links and On-Demand Links
        3. Allowing Wire Mode VPN Connectivity
        4. Allowing Route-Based VPNs
        5. Allowing Permanent Tunnels
        6. Same Local IP and Cluster IP Address for VTIs
        7. Antispoofing for Unnumbered Interfaces on IPSO
        8. Dynamic Routing and VTIs
        9. Configurable Metrics for Dial-up Routes
        10. Interoperability between SecurePlatform and IPSO
        11. Route-Based VPN Improvements
        12. Customer-Defined Scripts for VPN Peers
        13. Route-Based VPN and IP Clustering Support
        14. RIM Performance Improvements on IPSO
      2. SSL Extender
      3. SecureClient Mobile
    7. ClusterXL
      1. Interface Bonding
      2. Multicast Routing Failover Support
    8. Summary
    9. Solutions Fast Track
      1. New SmartPortal Features
      2. New FireWall-1/VPN-1 Features
      3. Edge Support for CLM
      4. Integrity Advanced Server
      5. New VPN Features
      6. ClusterXL
    10. Frequently Asked Questions
  6. 2. SmartClients and SmartManagement
    1. Introduction
    2. SmartDashboard
      1. The SmartDashboard Log-in Dialog Box
      2. Key Components
        1. The Object Tree Pane
        2. The Rule Base Pane
          1. The Security Tab
          2. The NAT Tab
          3. The SmartDefense and SmartDefense Services Tabs
          4. The Connectra Tab
        3. The Objects List Pane
        4. The SmartMap Pane
          1. Configuring SmartMap Display and Characteristics
    3. SmartView Tracker
      1. Log View Types
        1. The Log Tab
        2. The Active Tab
        3. The Audit Tab
      2. Filters and Queries
        1. Configuring a Filter
        2. Query
    4. SmartView Monitor
      1. The SmartView Monitor Interface
        1. Gateway Status
          1. The System Information Tab
          2. The Network Activity Tab
          3. The Licenses Tab
        2. Traffic View
        3. System Counters View
        4. Tunnels View
        5. Remote Users View
        6. Cooperative Enforcement
      2. Custom Views
      3. Alerts
      4. Suspicious Activity Rules
    5. SmartUpdate
      1. License Management
      2. Package Management
      3. CPInfo
    6. SmartLSM
      1. How It Works
      2. GUI and Basic Functionality
    7. The SecureClient Packaging Tool
      1. Using the SecureClient Packaging Tool
      2. Creating an Installation Profile
        1. Generating the Package
    8. Management Plug-ins
      1. Installing the Connectra Management Plug-in
      2. Uninstalling the Connectra Management Plug-in
    9. The Check Point Configuration Tool/cpconfig
      1. cpconfig Configuration Options
        1. Licenses
        2. Administrator
        3. GUI Clients
        4. SNMP Extension
        5. Secure Internal Communication (SIC)
        6. Automatic Start of Check Point Modules
    10. Summary
    11. Solutions Fast Track
      1. SmartDashboard
      2. SmartView Tracker
      3. SmartView Monitor
      4. SmartUpdate
      5. SmartLSM
      6. The SecureClient Packaging Tool
      7. Management Plug-ins
      8. The Check Point Configuration Tool/cpconfig
    12. Frequently Asked Questions
  7. 3. Management Portal
    1. Introduction
    2. SmartCenter Installation
      1. Basic Configurations
      2. Installation Paths
        1. Common Installation Scenarios
        2. Install
        3. Uninstall
        4. Integrity Advanced Server
    3. Dedicated Server Installation
    4. A Tour of the Dashboard
      1. Logging In
      2. The Rulebase Pane
        1. Security Tab
        2. Address Translation Tab
        3. SmartDefense Tab
        4. Web Intelligence Tab
        5. VPN Manager Tab
        6. QoS Tab
        7. Desktop Security Tab
        8. Web Access Tab
        9. Consolidation Rules Tab
      3. The Objects Tree Pane
        1. Network Objects
        2. Services
        3. Resources
        4. Servers and OPSEC Applications
        5. Users and Administrators
        6. VPN Communities
      4. The Objects List Pane
      5. The SmartMap Pane
      6. Menus and Toolbars
      7. Working with Policy Packages
      8. Installing the Policy
      9. Global Properties
        1. FireWall Page
        2. NAT—Network Address Translation Page
        3. VPN Page
        4. VPN-1 Edge/Embedded Page
        5. Remote Access Page
        6. SmartDirectory (LDAP) Page
        7. Stateful Inspection Page
    5. New in SmartDashboard NGX
      1. Security Policy Rule Names and Unique IDs
      2. Group Object Convention
      3. Group Hierarchy
      4. Clone Object
      5. Session Description
      6. Tooltips
    6. Your First Security Policy
      1. Creating Your Administrator Account
      2. Hooking Up to the Gateway
      3. Reviewing the Gateway Object
      4. Defining Your Security Policy
      5. Policy Design
      6. Creating Rules
      7. Network Address Translation
      8. Installing the Policy
    7. Other Useful Controls on the Dashboard
      1. Working with Security Policy Rules
        1. Section Titles
          1. Hiding Rules
          2. Rule Queries
          3. Searching Rules
        2. Working with Objects
          1. Object References
          2. Who Broke That Object?
          3. Object Queries
        3. Working with Policies
          1. What Would Be Installed?
          2. What’s Really Installed?
          3. No Security Please
          4. For the Anoraks
        4. Change Management
    8. Managing Connectra and Interspect Gateways
      1. Configuring Interspect or Connectra Integration
        1. SmartDefense Updates
          1. SmartUpdate Enhancements
        2. Connectra Central Management
          1. Connectra Tab
          2. SmartDashboard and SmartDefense Update
          3. Provider-1 Support
          4. SmartView Monitor
    9. SmartPortal
      1. SmartPortal Functionality
      2. Installing SmartPortal
      3. Tour of SmartPortal
    10. Summary
    11. Solutions Fast Track
      1. A Tour of the Dashboard
      2. New in SmartDashboard NGX
      3. Your First Security Policy
      4. Other Useful Controls on the Dashboard
      5. Managing Connectra and Interspect Gateways
      6. SmartPortal
    12. Frequently Asked Questions
  8. 4. Advanced Authentication
    1. Introduction
    2. Authentication Overview
      1. Using Authentication in Your Environment
    3. Users and Administrators
      1. Managing Users and Administrators
        1. Permissions Profiles
        2. Administrators
          1. General Tab
          2. Personal Tab
          3. Groups
          4. Admin Auth
          5. Admin Certificates
        3. Administrator Groups
        4. User Templates
          1. General
          2. Personal
          3. Groups
          4. Authentication
          5. Location
          6. Time
          7. Encryption
        5. User Groups
        6. Users
          1. General
          2. Personal
          3. Groups
          4. Authentication
          5. Location
          6. Time
          7. Certificates
          8. Encryption
        7. External User Profiles
          1. Match by Domain
          2. Match All Users
        8. LDAP Group
      2. Understanding Authentication Schemes
        1. Undefined
        2. SecurID
        3. Check Point Password
        4. RADIUS
        5. TACACS
    4. SmartDirectory
      1. Configuring SmartDirectory
      2. Account Units
        1. Accessing the LDAP Server
        2. LDAP Groups
    5. User Authentication
      1. Configuring User Authentication in the Rulebase
      2. Interacting with User Authentication
        1. Telnet and rlogin
        2. FTP
        3. HTTP
        4. Placing Authentication Rules
      3. Advanced Topics
        1. Changing the Banner
        2. Use Host Header As Destination
    6. Session Authentication
    7. Client Authentication
      1. Configuring Client Authentication in the Rulebase
        1. ClientAuth | Edit Properties | General | Source
        2. ClientAuth | Edit Properties | General | Destination
        3. ClientAuth | Edit Properties | General | Apply Rule Only if Desktop Configuration Options are Verified
        4. ClientAuth | Edit Properties | General | Required Sign-On
        5. ClientAuth | Edit Properties | General | Sign On Method
          1. Manual Sign-On
          2. Partially Automatic Sign-On
          3. Fully Automatic Sign-On
          4. Agent Automatic Sign-On
          5. Single Sign-On
        6. General | Successful Authentication Tracking
        7. Limits | Authorization Timeout
        8. Limits | Number of Sessions Allowed
      2. Advanced Topics
        1. Check Point Gateway | Authentication
          1. Enabled Authentication Schemes
          2. Authentication Settings
          3. HTTP Security Server
        2. Global Properties | Authentication
          1. Failed Authentication Attempts
          2. Authentication of Users with Certificates
          3. Brute Force Password-Guessing Protection
          4. Early Versions Compatibility
        3. Registry Settings
          1. New Interface
          2. Use Host Header As Destination
          3. Opening All Client Authentication Rules
        4. Configuration Files
          1. Enabling Encrypted Authentication
          2. Custom Pages
    8. Summary
    9. Solutions Fast Track
      1. Authentication Overview
      2. Users and Administrators
      3. SmartDirectory
      4. User Authentication
      5. Session Authentication
      6. Client Authentication
    10. Frequently Asked Questions
  9. 5. Advanced VPN Concepts and Tunnel Monitoring
    1. Introduction
    2. Encryption Overview
      1. IKE Overview
        1. Main Mode and Aggressive Mode
      2. Renegotiating IKE and IPSec Lifetimes
      3. Perfect Forward Secrecy
      4. IP Compression
      5. IKE DoS Attacks
      6. IKE Phase I
      7. IPSEC Phase II
        1. Configuring Advanced IKE Properties
        2. IKE Policies
          1. Priority
          2. Encryption
          3. Hash Function
          4. Authentication Mode
          5. Digital Certificates (Using RSA Algorithms)
          6. Preshared Keys
          7. Diffie-Hellman Group
          8. Lifetime
          9. IKE SA Negotiation
    3. VPN Communities
      1. Remote Access Community
      2. Mesh Topology
      3. Star Topology
        1. VPN Routing
          1. Configuring VPN Routing for Gateways via SmartDashboard
        2. Route Injection
        3. Permanent Tunnels
        4. Wire Mode
        5. PKI Solutions
        6. PKI Deployments and VPN
    4. Policy-Based VPN
      1. vpn_route.conf
    5. Route-Based VPN
      1. Virtual Tunnel Interfaces
        1. Numbered VTI
        2. Unnumbered VTI
      2. Dynamic VPN Routing
      3. VPN Directional Match
      4. Nokia Configuration
      5. Secure Platform Configuration
        1. Routing
    6. Summary
    7. Solutions Fast Track
      1. Encryption Overview
      2. Configuring SecuRemote/SecureClient VPNs
      3. VPN Tunnel Interfaces (VTI)
    8. Frequently Asked Questions
  10. 6. Advanced VPN Client Installations
    1. Introduction
    2. SecuRemote
      1. IP Pool NAT
    3. SecureClient
      1. Desktop Policies
      2. Office Mode
      3. Visitor Mode
      4. Connection Profiles
      5. Windows L2TP Integration
    4. SSL Network Extender
      1. Backup Gateways
        1. Multiple Entry Point VPNs
        2. Userc.C
    5. Summary
    6. Solutions Fast Track
      1. SecuRemote
      2. SecureClient
      3. SSL Network Extender
    7. Frequently Asked Questions
  11. 7. SmartDefense
    1. Introduction
    2. Configuring SmartDefense
      1. Updating SmartDefense with the Latest Defenses
    3. Network Security
      1. Denial of Service
        1. Aggressive Aging
        2. Teardrop Attacks
        3. The Ping of Death
        4. LAND Attacks
        5. Non-TCP Flooding
      2. IP and ICMP
        1. Packet Sanity
        2. Max PING Size
        3. IP Fragments
        4. Network Quota
      3. TCP
        1. SYN Attack Configuration
        2. Small PMTU
        3. Sequence Verifier
      4. Fingerprint Scrambling
        1. ISN Spoofing
        2. TTL
        3. IP ID
      5. Successive Events
      6. DShield Storm Center
        1. Retrieve and Block Malicious IPs
        2. Report to DShield
      7. Port Scans
        1. Host Port Scan
        2. Sweep Scan
      8. Dynamic Ports
    4. Application Intelligence
      1. Mail
        1. SMTP Content
        2. Mail and Recipient Content
        3. POP3/IMAP Security
      2. FTP
        1. FTP Bounce
        2. FTP Security Server
        3. Allowed FTP Commands
        4. Preventing Port Overflow Checks
      3. Microsoft Networking
        1. File and Print Sharing
      4. Peer-to-Peer Applications
        1. Kazaa
        2. Gnutella et al.
        3. Yahoo!
        4. ICQ
      5. Instant Messaging
        1. MSN over SIP
      6. DNS
        1. Protocol Enforcement
        2. Domain Black Lists
        3. Cache Poisoning
          1. Scrambling
          2. Dropping Inbound Requests
          3. Detecting Mismatched Replies
      7. Voice over IP (VoIP)
        1. Important Capabilities
        2. H.323 Voice Protocol
        3. SIP Voice Protocol
        4. MGCP Voice Protocol
        5. SCCP Voice Protocol
        6. VoIP Enhancements
      8. SNMP
      9. VPN Protocols
        1. Small IKE Phase II Proposals
        2. VPN Attack Prevention
      10. Content Protection
      11. MS-RPC
        1. Important Capabilities
      12. MS-SQL
      13. Routing Protocols
      14. SUN-RPC
      15. DHCP
      16. SOCKS
    5. Web Intelligence
      1. Connectivity Implications of Specific Protections
      2. Malicious Code
      3. Application Layer
      4. Information Disclosure
      5. HTTP Protocol Inspection
        1. Monitor-Only Mode
        2. Protection for Specific Servers
        3. Variable Security Levels
      6. Web Intelligence License Enforcement
    6. Summary
    7. Solutions Fast Track
      1. Configuring SmartDefense
      2. Application Intelligence
      3. Web Intelligence
    8. Frequently Asked Questions
    9. Protocol Summary
  12. 8. High Availability and Clustering
    1. Introduction
    2. ClusterXL Overview
      1. The Cluster Control Protocol
      2. Legacy High Availability Mode
      3. New Mode High Availability Mode
      4. Load-Sharing Multicast
      5. Load-Sharing Unicast
    3. Configuring ClusterXL
      1. Monitoring the Cluster
    4. Third-Party Solutions
      1. Resilience
      2. Nokia IPSO Clustering
      3. Crossbeam
    5. ISP Redundancy
    6. Solutions Fast Track
      1. ClusterXL Overview
      2. Configuring ClusterXL
      3. Third-Party Solutions
      4. ISP Redundancy
    7. Frequently Asked Questions
  13. 9. SecurePlatform
    1. Introduction
    2. Installation
      1. Installation Using the NGX R65 CD
        1. Bootable Floppy and Network Installation
    3. Configuration
      1. Web User Interface
      2. Command Line Configuration
      3. Sysconfig
      4. Setting the Host Name
      5. Setting the Domain Name
        1. Setting the DNS Servers
      6. Configuring the Network Connections
      7. Setting Time and Date
      8. Setting up the Check Point Product Suite
      9. Installing a Firewall Module
      10. Installing a SmartCenter Server
    4. Platform Shell
      1. Expert Mode
      2. Useful Commands
        1. Backup and Restore
          1. Backup
          2. Restore
      3. Other Ways to Back up and Restore Your System
        1. Upgrade_export and Upgrade_import
      4. Patch Command
    5. Secure Shell
    6. SecurePlatform Pro
    7. Hot Fix Accumulators
      1. HFA Installation
    8. Summary
    9. Solutions Fast Track
      1. Installation
      2. Configuration
      3. SecurePlatform Shell
      4. Secure Shell
      5. SecurePlatform Pro
      6. Hot Fix Accumulators
    10. Frequently Asked Questions
  14. 10. Advanced Troubleshooting
    1. Introduction
    2. NGX Debugging
      1. SIC Troubleshooting
    3. Packet Analysis
      1. snoop
      2. tcpdump
      3. fw monitor
      4. CPethereal and Wireshark
    4. Log Troubleshooting
    5. VPN Analysis
      1. Encryption failure, decrypted methods did not match rule
      2. Received notification from peer: no proposal chosen
      3. Cannot identify peer for encrypted connection
      4. Encryption failure: packet is dropped as there is no valid SA
      5. Encryption failure: Clear text packet should be encrypted or clear text packet received within an encrypted packet
      6. Encryption Failure: Packet was decrypted, but policy says connection should not be decrypted
    6. VPN Client Analysis
    7. ClusterXL Troubleshooting
    8. Summary
    9. Solutions Fast Track
      1. NGX Debugging
      2. Packet Analysis
      3. Log Troubleshooting
      4. VPN Analysis
      5. VPN Client Analysis
      6. ClusterXL Troubleshooting
    10. Frequently Asked Questions