Configuring Check Point NGX VPN-1/FireWall-1

Book Description

Configuring Check Point NGX VPN-1/FireWall-1 is the perfect reference for anyone migrating from earlier versions of Check Point's flagship firewall/VPN product as well as those deploying VPN-1/FireWall-1 for the first time. This book covers all of NGX's dramatic changes and new, enhanced features. You'll learn how to secure the integrity of your network's data, communications, and applications from a multitude of blended threats. Protect your network against breaches of its perimeter and Internet access points. Also, learn to recognize and prevent internal threats. Written by an all-star team of Check Point-Certified experts, this is the only book you will need to securely and efficiently deploy, troubleshoot, and maintain Check Point NGX. This book is also the perfect complementary study tool for Check Point's certification exams.

Table of Contents

  1. Copyright
  2. Register for Free Membership to solutions@syngress.com
  3. Acknowledgments
  4. Contributing Authors
  5. Technical Editor
  6. Assistant Technical Editor
  7. Foreword
  8. 1. Introduction to Firewalls and VPN-1/FireWall-1
    1. Introduction
    2. History of Firewalls
      1. Why Firewalls Began
        1. Types of Firewalls
    3. Firewall Innovations
    4. Packet Filters
      1. How Packet Filters Work
        1. Advantages
        2. Disadvantages
    5. Application Layer Gateways
      1. How Application Gateways Work
        1. Advantages
        2. Disadvantages
    6. Stateful Inspection
      1. How Stateful Inspection Works
        1. Advantages
    7. Perimeter, Internal, and Web Security
      1. Perimeter
      2. Internal
      3. Web
    8. INSPECT Script
    9. FireWall-1 Decision Making
      1. Daemon Thought Process
    10. Summary
    11. Solutions Fast Track
      1. History of Firewalls
      2. Firewall Innovations
      3. Packet Filters
      4. Application Layer Gateways
      5. Stateful Inspection
      6. Perimeter, Internal, and Web Security
      7. INSPECT Script
      8. FireWall-1 Decision Making
    12. Frequently Asked Questions
  9. 2. What’s New in NGX
    1. Introduction
    2. SmartPortal
      1. Browser Compatibility
      2. Deploying SmartPortal
        1. Choosing Dedicated Server versus the SmartCenter Server
        2. Limiting Access to Specific IP Addresses
      3. Learning More about SmartPortal
    3. SmartDefense/Web Intelligence
      1. Understanding the Capabilities of SmartDefense and Web Intelligence
        1. Defenses against Attacks
        2. Implicit Defenses
        3. Abnormal-Behavior Analysis
      2. Configuring SmartDefense/Web Intelligence
      3. Considering the SmartDefense Subscription Service
      4. Understanding SmartDefense and Web Intelligence
      5. Learning More about SmartDefense/Web Intelligence
    4. Eventia Reporter
      1. Choosing Stand-Alone versus Distributed Installation
        1. Choosing Stand-Alone Installation
        2. Choosing Distributed Installation
      2. Configuring a Consolidation Policy
      3. Choosing Standard Reports versus Express Reports
      4. Learning More about Eventia Reporter
    5. VPN Functionality
      1. Understanding the New VPN Options
        1. Allowing Directional VPN Rules
        2. Allowing Backup Links and On-Demand Links
        3. Allowing Wire Mode VPN Connectivity
        4. Allowing Route-Based VPNs
        5. Allowing Always-on Tunnels
      2. Learning More about VPN Changes
    6. Dynamic Routing
      1. Considering the Security Implications in Choosing a Routing Protocol
      2. Choosing a Dynamic Routing Protocol
      3. Configuring Dynamic Routing
      4. Learning More about Dynamic Routing
    7. SecurePlatform
      1. Understanding the New SecurePlatform Split Product Line
      2. Understanding Other Improvements
        1. Configuring Speed/Duplex Settings
        2. Supporting SCP in the Patch Add Command
        3. Supporting Netscape 7.1 in the WebUI
      3. Learning More about SecurePlatform
    8. VPN-1 Edge
      1. Understanding the Product Line
        1. Understanding the VPN-1 S Series
        2. Understanding the VPN-1 X Series
      2. Learning More about VPN-1 Edge
    9. Network and Host Object Cloning
    10. Summary
    11. Solutions Fast Track
      1. SmartPortal
      2. SmartDefense/Web Intelligence
      3. Eventia Reporter
      4. VPN Functionality
      5. Dynamic Routing
      6. SecurePlatform
      7. VPN-1 Edge
      8. Network and Host Object Cloning
    12. Frequently Asked Questions
  10. 3. Installing Check Point NGX
    1. Introduction
    2. Preparing the Gateway
    3. Installing SecurePlatform
      1. SecurePlatform
        1. FireWall-1/VPN-1 Installation
    4. SmartCenter Server Installation
      1. SmartConsole Installation
    5. Putting It All Together
      1. SmartDashboard
    6. Installing on Microsoft, Sun, Red Hat, and Nokia
      1. System Requirements
    7. Summary
    8. Solutions Fast Track
      1. Preparing the Gateway
      2. Installing SecurePlatform
      3. SmartCenter Server Installation
      4. Putting It All Together
    9. Frequently Asked Questions
  11. 4. Upgrading to NGX
    1. Introduction
    2. Backup
    3. Upgrade Order
      1. Licenses
      2. Pre_Upgrade_Verifier
      3. SmartCenter
        1. Windows
        2. SecurePlatform
        3. Solaris
      4. Firewall Gateway
    4. Minimal Downtime
    5. Rollback
    6. Summary
    7. Solutions Fast Track
      1. Backup
      2. Upgrade Order
      3. Minimal Downtime
      4. Rollback
    8. Frequently Asked Questions
  12. 5. SmartDashboard and SmartPortal
    1. Introduction
    2. A Tour of the Dashboard
      1. Logging In
      2. The Rulebase Pane
        1. Security Tab
        2. Address Translation Tab
        3. SmartDefense Tab
        4. Web Intelligence Tab
        5. VPN Manager Tab
        6. QoS Tab
        7. Desktop Security Tab
        8. Web Access Tab
        9. Consolidation Rules Tab
      3. The Objects Tree Pane
        1. Network Objects
        2. Services
        3. Resources
        4. Servers and OPSEC Applications
        5. Users and Administrators
        6. VPN Communities
      4. The Objects List Pane
      5. The SmartMap Pane
      6. Menus and Toolbars
      7. Working with Policy Packages
      8. Installing the Policy
      9. Global Properties
        1. FireWall Page
        2. NAT—Network Address Translation Page
        3. VPN Page
        4. VPN-1 Edge/Embedded Page
        5. Remote Access Page
        6. SmartDirectory (LDAP) Page
        7. Stateful Inspection Page
    3. New in SmartDashboard NGX
      1. Security Policy Rule Names and Unique IDs
      2. Group Object Convention
      3. Group Hierarchy
      4. Clone Object
      5. Session Description
      6. Tooltips
    4. Your First Security Policy
      1. Creating Your Administrator Account
      2. Hooking Up to the Gateway
      3. Reviewing the Gateway Object
      4. Defining Your Security Policy
      5. Policy Design
      6. Creating Rules
      7. Network Address Translation
      8. Installing the Policy
    5. Other Useful Controls on the Dashboard
      1. Working with Security Policy Rules
        1. Section Titles
        2. Hiding Rules
        3. Rule Queries
        4. Searching Rules
      2. Working with Objects
        1. Object References
        2. Who Broke That Object?
        3. Object Queries
      3. Working with Policies
        1. What Would Be Installed?
          1. What’s Really Installed?
        2. No Security, Please
        3. For the Anoraks
      4. Change Management
    6. Managing Connectra and Interspect Gateways
      1. Configuring Interspect or Connectra Integration
        1. SmartDefense Updates
    7. SmartPortal
      1. SmartPortal Functionality
      2. Installing SmartPortal
      3. Tour of SmartPortal
    8. Summary
    9. Solutions Fast Track
      1. A Tour of the Dashboard
      2. New in SmartDashboard NGX
      3. Your First Security Policy
      4. Other Useful Controls on the Dashboard
      5. Managing Connectra and Interspect Gateways
      6. SmartPortal
    10. Frequently Asked Questions
  13. 6. SmartView Tracker
    1. Introduction
    2. Tracker
    3. Log View
      1. Active
        1. Audit
    4. Predefined Queries
      1. Use for Predefined Queries
        1. Adding Custom Queries
          1. Applying Filters
    5. Custom Queries
      1. Matching Rule Filter
        1. Viewing the Matching Rule
          1. Viewing Log Records from SmartDashboard
    6. Active View
      1. Live Connections
        1. Custom Commands
          1. Following a Source or Destination
    7. Block Intruder
      1. Blocking Scope
        1. Block All Connection with the Same Source, Destination and Service
        2. Block Access from This Source
        3. Block Access to This Destination
      2. Blocking Timeout
        1. Indefinite
        2. For... Minutes
      3. Force This Blocking
        1. Only On...
        2. On any VPN-1 & FireWall-1 Module
    8. Audit View
    9. Log Maintenance
      1. Daily Maintenance
        1. Log Switch
    10. Summary
    11. Solutions Fast Track
      1. Tracker
      2. Log View
      3. Predefined Queries
      4. Custom Queries
      5. Active View
      6. Block Intruder
      7. Audit View
      8. Log Maintenance
    12. Frequently Asked Questions
  14. 7. SmartDefense and Web Intelligence
    1. Introduction
    2. Network Security
      1. Threats
        1. Structured Threats
          1. Denial of Service
        2. External Threats
          1. Welchia Internet Control Message Protocol
          2. Network Quota
        3. Internal Threats
          1. Reconnaissance (Port Scans and Sweeps)
      2. The OSI Model
        1. Layer 3: The Network Layer
        2. Layer 4: The Transport Layer
        3. Layer 7: The Application Layer
      3. The Need for Granular Inspection
    3. Application Intelligence
      1. Configuring Hosts and Nodes for AI
      2. SmartDefense Technology
        1. Central Configuration and the SmartDefense Web Site
        2. Updating SmartDefense
        3. Defense against Attacks
          1. Peer to Peer
      3. Preventing Information Disclosure
        1. Fingerprint Scrambling
        2. Abnormal Behavior Analysis
      4. Web Intelligence Technology
        1. Malicious Code Protector
        2. Active Streaming
        3. Application Intelligence
        4. Web Application Layer
        5. SQL Injection
          1. Custom Web Blocking
        6. Preventing Information Disclosure
        7. Header Spoofing
        8. Directory Listing
    4. Malicious Code
      1. Definition
      2. Different Types of Malicious Code
        1. General HTTP Worm Catcher
    5. Protocol Inspection
      1. Conformity
        1. DNS Enforcement
      2. HTTP Inspection
      3. Default Configuration
    6. DShield Storm Center
      1. Retrieving Blocklist
        1. Submitting Logs
    7. Summary
    8. Solutions Fast Track
      1. Network Security
      2. Application Intelligence
      3. Malicious Code
      4. Protocol Inspection
      5. DShield Storm Center
    9. Frequently Asked Questions
  15. 8. Network Address Translation
    1. Introduction
    2. Global Properties
      1. Network Address Translation
    3. Configuring Dynamic Hide Mode NAT
      1. Dynamic NAT Defined
      2. Advanced Understanding of NAT
      3. When to Use It
      4. Routing and ARP
        1. Adding ARP Entries
          1. Secure Platform
          2. Solaris
          3. Windows
          4. IPSO
    4. Configuring Static Mode NAT
      1. Static NAT Defined
        1. When to Use It
          1. Inbound Connections
    5. Configuring Automatic NAT
      1. When to Use It
        1. NAT Rule Base
          1. Access Control Settings
    6. Configuring Port Translation
      1. When to Use It
        1. NAT Rule Base
          1. Security Policy Implications
    7. Summary
    8. Solutions Fast Track
      1. Global Properties
      2. Configuring Dynamic Hide Mode NAT
      3. Configuring Static Mode NAT
      4. Configuring Automatic NAT
      5. Configuring Port Translation
    9. Frequently Asked Questions
  16. 9. Authentication
    1. Introduction
    2. Authentication Overview
      1. Using Authentication in Your Environment
    3. Users and Administrators
      1. Managing Users and Administrators
        1. Permission Profiles
        2. Administrators
          1. General Tab
          2. Personal Tab
          3. Groups
          4. Admin Auth
          5. Admin Certificates
        3. Administrator Groups
        4. User Templates
          1. General
          2. Personal
          3. Groups
          4. Authentication
          5. Location
          6. Time
          7. Encryption
        5. User Groups
        6. Users
          1. General
          2. Personal
          3. Groups
          4. Authentication
          5. Location
          6. Time
          7. Certificates
          8. Encryption
        7. External User Profiles
          1. Match by Domain
          2. Match All Users
        8. LDAP Group
      2. Understanding Authentication Schemes
        1. Undefined
        2. SecurID
        3. Check Point Password
        4. RADIUS
        5. TACACS
    4. User Authentication
      1. Configuring User Authentication in the Rulebase
        1. UserAuth | Edit Properties | General | Source
        2. UserAuth | Edit Properties | General | Destination
        3. UserAuth | Edit Properties | General | HTTP
      2. Interacting with User Authentication
        1. Telnet and RLOGIN
        2. FTP
        3. HTTP
        4. Placing Authentication Rules
      3. Advanced Topics
        1. Eliminating the Default Authentication Banner
        2. Changing the Banner
        3. Use Host Header as Destination
    5. Session Authentication
      1. Configuring Session Authentication in the Rulebase
        1. SessionAuth | Edit Properties | General | Source
        2. SessionAuth | Edit Properties | General | Destination
        3. SessionAuth | Edit Properties | General | Contact Agent At
        4. SessionAuth | Edit Properties | General | Accept Only SecuRemote/SecureClient Encrypted Connections
        5. SessionAuth | Edit Properties | General | Single Sign-On
      2. Configuring Session Authentication Encryption
      3. The Session Authentication Agent
        1. Configuration | Passwords | Ask for Password
        2. Configuration | Allowed FireWall-1 | Allow Authentication Request From
        3. Configuration | Allowed FireWall-1 | Options
      4. Interacting with Session Authentication
    6. Client Authentication
      1. Configuring Client Authentication in the Rulebase
        1. ClientAuth | Edit Properties | General | Source
        2. ClientAuth | Edit Properties | General | Destination
        3. ClientAuth | Edit Properties | General | Apply Rule Only If Desktop Configuration Options Are Verified
        4. ClientAuth | Edit Properties | General | Required Sign-On
        5. ClientAuth | Edit Properties | General | Sign-On Method
          1. Manual Sign-On
          2. Partially Automatic Sign-On
          3. Fully Automatic Sign-On
          4. Agent Automatic Sign-On
          5. Single Sign-On
        6. General | Successful Authentication Tracking
        7. Limits | Authorization Timeout
        8. Limits | Number of Sessions Allowed
      2. Advanced Topics
        1. Check Point Gateway | Authentication
          1. Enabled Authentication Schemes
          2. Authentication Settings
          3. HTTP Security Server
        2. Global Properties | Authentication
          1. Failed Authentication Attempts
          2. Authentication of Users with Certificates
          3. Brute-Force Password Guessing Protection
          4. Early Version Compatibility
        3. Registry Settings
          1. New Interface
          2. Use Host Header as Destination
          3. Opening All Client Authentication Rules
        4. Configuration Files
          1. Enabling Encrypted Authentication
          2. Custom Pages
      3. Installing the User Database
    7. Summary
    8. Solutions Fast Track
      1. Authentication Overview
      2. Users and Administrators
      3. User Authentication
      4. Session Authentication
      5. Client Authentication
    9. Frequently Asked Questions
  17. 10. Content Security and OPSEC
    1. Introduction
    2. OPSEC
      1. Partnership
        1. Antivirus
          1. Web Filtering
          2. OPSEC Applications
    3. Security Servers
      1. URI
      2. SMTP
      3. FTP
      4. TCP
      5. CIFS
    4. CVP
      1. Resource Creation
    5. UFP
      1. Resource Creation
    6. MDQ
      1. How to Debug
    7. Secure Internal Communication
    8. Summary
    9. Solutions Fast Track
      1. OPSEC
      2. Security Servers
      3. CVP
      4. UFP
      5. MDQ
      6. Secure Internal Communication
    10. Frequently Asked Questions
  18. 11. VPN
    1. Introduction
    2. Encryption Overview
      1. Symmetric and Asymmetric Encryption
      2. Certificate Authorities
        1. Exchanging Keys
      3. Tunnel Mode versus Transport Mode
      4. Encryption Algorithms
      5. Hashing Algorithms
        1. Public Key Infrastructure
    3. Simplified versus Traditional VPN Configuration
      1. Using the Simplified Configuration Method
        1. VPN Communities
          1. Meshed VPN Communities
          2. Star VPN Communities
          3. Multiple Entry Point (MEP)
          4. Installing the Policy
        2. Configuring a VPN with a Cisco PIX
      2. Using the Traditional VPN Configuration Method
      3. VPN Directional Matching
    4. Route-Based VPNs
      1. Routing Protocols
      2. Configuring VTIs
        1. Configuring VTI Example
    5. Tunnel Management and Debugging
      1. Using SmartView Tracker
      2. Using cpstat
    6. Summary
    7. Solutions Fast Track
      1. Encryption Overview
      2. Simplified versus Traditional VPN Configuration
      3. Route-Based VPNs
      4. Tunnel Management and Debugging
    8. Frequently Asked Questions
  19. 12. SecuRemote, SecureClient, and Integrity
    1. Introduction
    2. SecuRemote
      1. What’s New with SecuRemote in NGX?
      2. Standard Client
        1. Basic Remote Access
      3. Defining the Connection Policy
      4. SecuRemote Installation and Configuration on Microsoft Windows
      5. Connecting to the VPN-1 Gateway
    3. SecureClient
      1. What’s New in SC NGX?
      2. Installing SecureClient on Microsoft Windows
      3. Policy Server
        1. Desktop Security Policies
        2. Configuring Desktop Security Policies
        3. Disabling the Security Policy
        4. Secure Configuration Verification
    4. Office Mode
      1. Why Office Mode?
        1. Client IP Pool
        2. Configuring Office Mode with IP Pools
          1. Configuring the VPN-1 Gateway for Office Mode
          2. Configuring SecureClient for Office Mode
    5. Secure Configuration Verification (SCV)
      1. What’s New with Secure Configuration Verification (SCV) in NGX?
      2. Configuring the Policy Server to Enable Secure Configuration Verification (SCV)
      3. Secure Configuration Verification (SCV) Checks Available
        1. Check Point OPSEC Vendor SCV Checks
        2. Other Third-Party Checks
        3. Create Your Own Checks
    6. Integrity
      1. History of Integrity
        1. Integrity Client Installation
        2. Integrity Client Configuration
      2. Integrity Clientless Security
    7. Summary
    8. Solutions Fast Track
      1. SecuRemote
      2. SecureClient
      3. Office Mode
      4. Secure Configuration Verification
      5. Integrity
    9. Frequently Asked Questions
  20. 13. SmartUpdate
    1. Introduction
      1. SmartUpdate Licensing
      2. SmartUpdate Views/Screens
      3. NGX Differences
    2. License Management
      1. License Repository
      2. Attaching Licenses
      3. Detaching Licenses
      4. Deleting Licenses
    3. Package Management
      1. Package Repository
      2. Installing/Distributing Packages
    4. Administration
      1. Command Line
      2. CPInfo
    5. Upgrade Examples
      1. Nokia Upgrade
      2. SecurePlatform Upgrade
    6. Summary
    7. Solutions Fast Track
      1. License Management
      2. Package Management
      3. Administration
      4. Upgrade Examples
    8. Frequently Asked Questions
  21. 14. SecurePlatform
    1. Introduction
    2. Installation
      1. Bootable CD
      2. Bootable Floppy and Network Installation
    3. Web User Interface
      1. OS Configuration
    4. Command-Line Configuration
      1. Sysconfig
        1. Set the Hostname
        2. Set the Domain Name
        3. Set the DNS Servers
        4. Set the Time and Date
        5. Configuring Interfaces
        6. Configuring Routing
        7. Completing the Installation
    5. CPShell
    6. Expert Mode
      1. Patch Add
      2. Backup, Scheduled Backup, and Restore
      3. Snapshot, Revert, and Snapshot Image Management
    7. Dynamic Routing
      1. Accessing the Router
    8. Summary
    9. Solutions Fast Track
      1. Installation
      2. Web User Interface
      3. Command-Line Configuration
      4. CPShell
      5. Expert Mode
      6. Dynamic Routing
    10. Frequently Asked Questions
  22. 15. Monitoring Tools
    1. Introduction
    2. Installation
      1. Gateway
        1. Licensing
    3. Reports
      1. Gathering Reporting Data
        1. Segregating Report Data
          1. Report Results
    4. Definitions
      1. Standard versus Express
        1. Custom Reports
    5. Creating Reports
      1. Generating a Report
        1. Creating a Graph
    6. Scheduling Reports
      1. Report Filters
    7. Report Management
      1. Consolidation Policy
        1. Log Consolidation Process
      2. Database Maintenance
        1. Activity Queue and Log
    8. Navigating through SmartView Monitor
      1. SmartView Monitor Layout
        1. Alerts and Suspicious Activity Rules
          1. Predefined Views
    9. Gateway Status
      1. System Information
        1. Network Activity
          1. Licenses
    10. Traffic
      1. Applying Filters
        1. Creating a Custom View
          1. Exporting Views
    11. System Counters
      1. The Need for Custom Counters
        1. Studying History
          1. Attack Profiles
    12. Tunnels and Remote Users
      1. VPN Gateway versus Community
        1. Viewing Users
          1. Down Tunnels
    13. Summary
    14. Solutions Fast Track
      1. Installation
      2. Reports
      3. Definitions
      4. Creating Reports
      5. Report Management
      6. Navigating through SmartView Monitor
      7. Gateway Status
      8. Traffic
      9. System Counters
      10. Tunnels and Remote Users
    15. Frequently Asked Questions
  23. 16. Enabling Voice-over-IP Traffic
    1. Introduction
    2. Why Secure VoIP?
    3. VoIP Security Features
      1. Protocol Management
        1. H.323
        2. SIP
        3. MGCP
        4. SCCP
        5. RTP
      2. Converged Networks
      3. Voice Quality
      4. VoIP NAT
        1. SIP Support
        2. H.323 Support
    4. How VoIP Calls Are Made
      1. SIP Calls
    5. VoIP NGX-VPN-1 Configuration
    6. VoIP QoS Options
    7. VoIP SmartDefense Options
    8. Summary
    9. Solutions Fast Track
      1. Why Secure VoIP?
      2. VoIP Security Features
      3. How VoIP Calls Are Made
      4. VoIP NGX-VPN-1 Configuration
      5. VoIP QoS Options
      6. VoIP SmartDefense Options
    10. Frequently Asked Questions