Essential Check Point™ FireWall-1® NG: An Installation, Configuration, and Troubleshooting Guide

Book Description

"When it comes to security products and technologies, experience is far and away the best teacher. PhoneBoy has been installing, running, and supporting Check Point FireWall-1 for years, and his experience shows in this book. Save yourself the pain of learning from your own mistakes--let PhoneBoy show you the right way to manage your FireWall-1 NG infrastructure."
--Tina Bird, Computer Security Officer, Stanford University

"Dameon has taken his original definitive guide and updated it thoroughly for NG. No other book is informed by his depth of experience with Check Point. Accept no substitutes!"
--Matthew Gast, author of 802.11 Wireless Networks: The Definitive Guide

"PhoneBoy is the de facto expert on this product, and people have been clamoring for an NG book from him since he published the first one. No one can compete with him."
--Valerie M. Leveille, Professional Educator

"Dameon is the foremost authority on FireWall-1. He has the knowledge to give details of FireWall-1 functionality that no other reference on this topic can."
--Paul Keser, Senior Network Security Engineer, Raytheon ITSS/NASA Ames Research Center

"This book is the Swiss army knife solution for Check Point FireWall-1 NG."
--Thomas Warfield, TNT-OK.com

Now there's a definitive insider's guide to planning, installing, configuring, and maintaining the newest version of the world's #1 firewall: Check Point™ FireWall-1® Next Generation™. Leading Check Point support authority Dameon Welch-Abernathy (a.k.a. PhoneBoy) offers exclusive hands-on tips, techniques, checklists, and detailed sample configurations you can use right now to improve reliability, efficiency, and manageability in your Check Point environment.

The author's previous Check Point FireWall-1 guide became an instant bestseller, earning the praise of security professionals worldwide. This new book has been thoroughly revamped to reflect Check Point FireWall-1 NG's powerful new features, and it includes even more expert solutions from PhoneBoy's FireWall-1 FAQ, the Web's #1 independent Check Point support site. Whether you're a security/network architect, administrator, or manager, you'll find it indispensable.

Whether you're running FireWall-1 NG on UNIX or Windows platforms, this book brings together expert guidance for virtually every challenge you'll face: building your rulebase, logging and alerting, remote management, user authentication, inbound/outbound content restriction, managing NAT environments, building site-to-site VPNs with SecuRemote, even INSPECT programming. Welch-Abernathy also covers high availability in detail, identifying proven solutions for the challenges of implementing multiple firewalls in parallel.




Table of Contents

  1. Copyright
  2. Frequently Asked Questions
  3. Preface
  4. Introduction to Firewalls
    1. What Is a Firewall?
    2. What a Firewall Cannot Do
    3. An Overview of Firewall Security Technologies
    4. What Kind of Firewall Is FireWall-1?
    5. Do You Really Need FireWall-1?
    6. More Information
  5. Planning Your FireWall-1 Installation
    1. Network Topology
    2. Developing a Site-Wide Security Policy
    3. Fun with Check Point Licensing
    4. Summary
  6. Installing FireWall-1
    1. Selecting an Operating System
    2. Installing the Operating System
    3. Beginning the FireWall-1 Installation
    4. Upgrading from FireWall-1 4.1
    5. Summary
  7. Building Your Rulebase
    1. The Management GUIs
    2. The Rulebase Components
    3. The Rulebase
    4. Making Your First Rulebase
    5. Frequently Asked Questions
    6. Troubleshooting
    7. Summary
  8. Logging and Alerting
    1. SmartView Status
    2. SmartView Tracker
    3. Alerts
    4. Log Maintenance
    5. Summary
  9. Common Issues
    1. Common Configuration Questions
    2. Common Error Messages in the System Log
    3. Service-Related Questions
    4. Problems with Stateful Inspection of TCP Connections
    5. Problems with FTP
    6. Problems That Aren't the Firewall's Fault
    7. Summary
  10. Remote Management
    1. The Components
    2. Secure Internal Communication
    3. Special Remote Management Conditions
    4. What You Can Do with Remote Management
    5. Moving Management Modules
    6. Highly Available Management Modules
    7. Troubleshooting Remote Management Issues
    8. Large-Scale Management Issues
    9. Summary
  11. User Authentication
    1. Passwords
    2. How Users Authenticate
    3. Setting Up Authentication
    4. Setting Up User Authentication
    5. Setting Up Session Authentication
    6. Setting Up Client Authentication
    7. Integrating External Authentication Servers
    8. Clientless VPN
    9. Frequently Asked Questions
    10. Troubleshooting Authentication Problems
    11. Summary
    12. Sample Configurations
  12. Content Security
    1. The Security Servers
    2. The HTTP Security Server
    3. The FTP Security Server
    4. The SMTP Security Server
    5. The TCP Security Server
    6. General Questions about the Security Servers
    7. Debugging the Security Servers
    8. Summary
    9. Sample Configurations
  13. Network Address Translation
    1. Introduction to Address Translation
    2. RFC1918 and Link-Local Addresses
    3. How NAT Works in FireWall-1
    4. Implementing NAT: A Step-by-Step Example
    5. Limitations of NAT
    6. Troubleshooting NAT with a Packet Sniffer
    7. Summary
    8. Sample Configurations
  14. Site-to-Site VPN
    1. Introduction to a VPN
    2. A Word about Licensing
    3. FWZ, IPSec, and IKE
    4. How to Configure Encryption
    5. Frequently Asked Questions about VPNs in FireWall-1
    6. Troubleshooting VPN Problems
    7. Summary
    8. Sample Configurations
  15. SecuRemote and SecureClient
    1. Introduction to SecuRemote and SecureClient
    2. A Word about Licensing
    3. Configuring SecuRemote on FireWall-1
    4. Office Mode
    5. Microsoft L2TP Clients
    6. High-Availability and Multiple Entry Point Configurations
    7. Microsoft Networking and SecureClient
    8. SecureClient Packaging Tool
    9. Frequently Asked Questions
    10. Troubleshooting
    11. Summary
    12. Sample Configurations
  16. High Availability
    1. State Synchronization's Role in High Availability
    2. Implementing High Availability
    3. Frequently Asked Questions Regarding State Synchronization
    4. Error Messages That Occur with ClusterXL or State Synchronization
    5. Summary
  17. INSPECT
    1. What Is INSPECT?
    2. Basic INSPECT Syntax
    3. How Your Rulebase Is Converted to INSPECT
    4. Sample INSPECT Code
    5. Summary
  18. Securing Your Bastion Host
    1. Securing Solaris
    2. Securing Windows NT
    3. Securing Windows 2000
    4. Securing Linux
  19. Sample Acceptable Usage Policy
  20. firewall-1.conf File for Use with OpenLDAP v1
  21. firewall-1.schema File for Use with OpenLDAP v2
  22. Performance Tuning
    1. Number of Entries Permitted in Tables
    2. Memory Used for State Tables
    3. Tweaks for Specific Operating Systems
  23. Sample defaultfilter.pf File
  24. Other Resources
    1. Internet Resources
    2. Software
  25. Further Reading