This Cramsession will help you to prepare for Check Point Exam CCSA, Check Point Certified Security Administrator. Exam topics include Features, Functions, Basic Components, Requirements, and Installation of FireWall-1, Network Object Management, Network Address Translation, IP Address Translation Mode Configuration, and Security Policy.
Check for the newest version of this Cramsession
http://cramsession.brainbuzz.com/checkversion.asp?V=2452076&FN=checkpoint/CCSA.pdf
Notice: While every precaution has been taken in the preparation of this material, neither the author nor BrainBuzz.com assumes any liability in the event of loss or damage directly or indirectly caused by any inaccuracies or incompleteness of the material contained in this document. The information in this document is provided and distributed "as-is", without any expressed or implied warranty. Your use of the information in this document is solely at your own risk, and Brainbuzz.com cannot be held liable for any damages incurred through the use of this material. The use of product names in this work is for information purposes only, and does not constitute an endorsement by, or affiliation with BrainBuzz.com. Product names used in this work may be registered trademarks of their manufacturers. This document is protected under US and international copyright laws and is intended for individual, personal use only. For more details, visit our legal page.
2000 All Rights Reserved - BrainBuzz.com
Contents:
Firewall Definition (3)
Different Firewall Technologies (3)
  Packet Filtering (3)
  Application Layer Gateway (3)
  Stateful Inspection (4)
Firewall-1 Products (5)
  Enterprise Product (5)
  Single Gateway Product (5)
  Enterprise Management Product (6)
  Firewall-1 Firewall Module (6)
  Firewall-1 Inspect Module (6)
Firewall-1 Architecture (6)
Remote Management Putkey Configuration (7)
Administrator Access (8)
  Log in (9)
Security Policy (10)
  The Security Policy Tab (Rule 0) (12)
  Applying Gateway Rules to Interface Direction (12)
  Rule Base (14)
  Possible Rule Base actions include (14)
  System Status Tool (15)
  Content Security (15)
  Anti-Spoofing (15)
Network Address Translation (NAT) (16)
  Classful Addressing (16)
  NAT Modes (17)
  Applying NAT Modes (17)
  NAT Rule Base (17)
  NAT Rules (18)
  Address Resolution Protocol (ARP) (18)
    ARP Request for Local Network (18)
    ARP Request for Remote Network (18)
    Routing Issues (19)
    Static Source or Hide modes (19)
    Static Destination (19)
Authentication (21)
  User Authentication (21)
  Client Authentication (21)
  Session Authentication (22)
  Implicit Client Authentication (22)
    Internal Authentication Schemes (22)
    External Authentication Schemes (23)
Firewall1 GUIs (23)
  Log Viewer GUI (23)
  Log Viewer Logon (23)
  Modes (23)
  Log File (24)
  System Status GUI (24)
    System Status Updates (24)
  Alerts (24)
  Solving SYN Flood Problem (25)
    SYN Relay (25)
    SYN Gateway (25)
    Passive SYN Gateway (25)
Firewall Definition
A device that enforces a security policy for communication between internal and/or external networks. It controls which machines or network users can connect to external elements through the firewall.
Note: A Firewall cannot protect against malicious authorised users or connections that do not go through the firewall. There is no 100% guarantee that it cannot be breached.
Application Layer Gateway
Pros: good security; full Application-layer awareness.
Cons: application-level implementation is detrimental to performance; cannot provide RPC and other services; most proxies are non-transparent; vulnerable to OS and application-level bugs; poor scalability (each service requires its own application layer gateway); overlooks information in other layers; expensive performance costs.
Note: Every client/server communication requires two connections:
1. One from the client to the FireWall
2. One from the FireWall to the server
Stateful Inspection
Stateful Inspection works with:
- Communication information from the top 5 packet layers
- State derived from previous communications (outgoing port etc.)
- Application-derived state, such that a previously authenticated user is allowed access to authorised services only
- Evaluation of flexible expressions based on communication information, application-derived state and communication-derived state
Benefits: good security, full application awareness, high performance, scalability, extensibility and transparency.

FireWall Capability         Communication   Communication   Application     Information
                            Information     Derived State   Derived State   Manipulation
Packet Filters              Partial         No              No              Partial
Application Layer Gateways  Partial         Partial         Yes             Yes
Stateful Inspection         Yes             Yes             Yes             Yes
Note: The Inspect Engine is located in the Kernel Module. It can Accept, Reject or Drop packets, which saves system processing time.
Firewall-1 Products
Check Point uses the OPSEC (Open Platform for Secure Enterprise Connectivity) architecture, which provides a scalable framework for security implementation by separating the firewall product into different modules.
Enterprise Product
Management Module: centralised graphical security management for either one or an unlimited number of security enforcement points.
Inspection Module: access control; client and session authentication; network address translation; auditing.
Firewall Module: includes the inspection module; user authentication; multiple firewall synchronisation; content security.
Encryption Module: provides DES and FWZ1 encryption.
Router Security Management: security management for router ACLs across one or more routers.
Open Security Manager: centralised security management for 3Com, Cisco and Microsoft NT Server routers, and Cisco PIX firewalls.
Firewall-1 Architecture
A 3-tier architecture: there can be many different firewall modules running in different locations (security enforcement points), controlled by a central Management Console. Administrators can administer the security system either directly via the console, or by running GUI clients connected to the Management Console through the network from another desktop.

For the Single Gateway Product there is only one Firewall Module controlled by one Management Console, and both must be installed on the same machine, which means that there is only one security enforcement point. However, you can still run the GUI client from another desktop.

Firewall Internet Gateway/25 is a Firewall Internet Gateway (including one firewall module and management server) that protects 25 nodes or IP addresses. The number included with the product name pertains to the number of IP addresses a user needs to protect: e.g., 25/50/100/250/Unlimited.

The GUI is available only for Win95/98/NT and Motif. The exam focuses on the GUI, not the command line. The three different GUIs are: the Security Policy Editor for setting up the security settings, the Log Viewer for viewing the logs, and the System Status tool for viewing the current statistics of different firewall components. The Network Object Manager is a function within the Policy Editor for creating objects, so that we can place the objects in the rule base and set up corresponding security rules.

FWD, the Firewall Daemon, is the process responsible for moving data between the components.

When the server is started and the Firewall-1 services have not finished loading, the server's IP forwarding function can provide hackers with security holes to get in. This is the specific vulnerable window we need to pay attention to. The best way is to let Firewall-1 control the server's IP forwarding function.
Remote Management Putkey Configuration
An authentication key is required for each firewall that the management console will remotely manage. This is achieved by using the fw putkey command with the following arguments:
fw putkey -p password firewall-module-ipaddress
On the computer with the firewall module, the following steps allow the Management Station to remotely install the security policy:
1. Run the putkey command with the management station's address, e.g.:
   fw putkey -p abc123 205.30.32.111
2. Edit the masters file: from the OS prompt change directory to $FWDIR\conf and add the IP of the management station to the masters file:
   echo 205.30.32.111 > masters
   (Note that > overwrites an existing masters file; use >> to append to a file that already lists other management stations.)
3. Stop and start the Firewall so that it re-reads the local masters file: from the OS prompt change directory to $FWDIR\bin, type fwstop and press Enter, then type fwstart and press Enter. When the "FW-1 started" message appears, exit the command window.
To remove remote management, remove the masters file from the $FWDIR/conf directory and reboot the Firewall.
Administrator Access
You can set up as many administrator accounts as you like. When logging on, you must supply the user name, password and the name or IP address of the management server.
Log in
An administrator can have one of four levels of access rights:
1. Monitor Only: read-only access to the Log Viewer and System Status tool
2. Read Only: includes Monitor Only rights, plus read-only rights to the Security Policy Editor
3. User Access: the administrator can modify user information, but nothing else
4. Read/Write Access: the administrator can do everything. Only one administrator at a time can log in using this mode
Security Policy
Definition: a set of rules that collectively determine what traffic is allowed and what is not.
Enforcement Directions: there are three different directions:
1. Inbound (the default)
2. Outbound
3. Eitherbound
Inbound: if an inbound rule is applied, packets going into the FireWall are checked.
Outbound: if an outbound rule is applied, packets leaving the FireWall are checked.
Eitherbound: if an eitherbound rule is applied, packets going into and leaving the Firewall are checked. Checking traffic both ways is CPU intensive.
2001 All Rights Reserved BrainBuzz.com
The effective security settings are a combination of the settings found in the Security Policy Properties and the Rule Base. Packets are matched in the following order:
1. Anti-Spoofing
2. Any properties marked FIRST in the Security Policy Properties
3. The Rule Base, in order (except for the last rule)
4. Any properties marked BEFORE LAST in the Security Policy Properties
5. The Rule Base's last rule
6. Any properties marked LAST in the Security Policy Properties
7. The Implicit Drop Rule (drops everything not matched above)
Sample Rule Base
Define a Rule in the Rule Base: you must specify at a minimum the Source, Destination, Service, Action, and where to install the policy (i.e., the enforcement point, generally the default Gateway).
Implicit Drop Rule: drops everything, without logging.
Explicit Clean-up Rule: as you will probably want to know what other traffic is attempting to come through the Firewall, you should create an explicit clean-up rule and add logging. This should be the last rule in the rule base and needs the following details: Source ANY, Destination ANY, Service ANY, Action DROP, Track LONG.
Stealth Rule: the first rule in the rule base; it prevents direct access to the firewall.
Note: Rule Base order is very important. The Firewall applies rules in top-down order. Verify the Rule Base to ensure the rule base settings are usable.
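To make the matching order concrete, here is an added Python simulation (not Check Point code and not from this Cramsession): the addresses, service names and rules are constructed, and anti-spoofing is reduced to a This Net check on one interface.

```python
# Simulation of the matching order the Cramsession lists for FireWall-1:
# anti-spoofing, implied rules placed FIRST, the explicit rule base except
# its last rule, implied rules placed BEFORE LAST, the last explicit rule,
# implied rules placed LAST, then the unlogged implicit drop. The objects,
# addresses and rules are constructed for illustration only.
from ipaddress import ip_address, ip_network

ANY = "Any"

def rule(name, src, dst, service, action, track="None"):
    """One rule: src/dst are ip_network objects or Any, service a name or Any."""
    return {"name": name, "src": src, "dst": dst,
            "service": service, "action": action, "track": track}

def _hit(column, value):
    """A column matches when it is Any, the same service name, or a network
    object that contains the packet address."""
    if column == ANY:
        return True
    if isinstance(column, str):
        return column == value
    return ip_address(value) in column

def _first_match(rules, pkt):
    for r in rules:
        if (_hit(r["src"], pkt["src"]) and _hit(r["dst"], pkt["dst"])
                and _hit(r["service"], pkt["service"])):
            return r
    return None

def match(policy, pkt):
    """Return (stage, rule name, action, track) of the first match in FW-1 order."""
    # 1. Anti-spoofing: on interfaces with a Valid Addresses setting (modelled
    #    here as This Net), the source must belong to the attached network.
    valid = policy["valid_addresses"].get(pkt["iface"])
    if valid is not None and ip_address(pkt["src"]) not in valid:
        return ("anti-spoofing", pkt["iface"], "Drop", "None")
    explicit = policy["rules"]
    stages = [
        ("implied FIRST", policy["implied"]["first"]),
        ("rule base", explicit[:-1]),          # every explicit rule but the last
        ("implied BEFORE LAST", policy["implied"]["before_last"]),
        ("last rule", explicit[-1:]),          # usually the clean-up rule
        ("implied LAST", policy["implied"]["last"]),
    ]
    for stage, rules in stages:
        r = _first_match(rules, pkt)
        if r is not None:
            return (stage, r["name"], r["action"], r["track"])
    return ("implicit drop", None, "Drop", "None")   # dropped without logging

# Constructed sample objects and policy (not Check Point defaults).
INTERNAL = ip_network("10.1.0.0/16")
FIREWALL = ip_network("203.0.113.1/32")
WEBSERVER = ip_network("203.0.113.10/32")

SAMPLE_POLICY = {
    "valid_addresses": {"eth-int": INTERNAL},
    "implied": {
        "first": [rule("Accept FW-1 control connections", ANY, FIREWALL,
                       "fw1_mgmt", "Accept")],
        "before_last": [rule("Accept ICMP", ANY, ANY, "icmp", "Accept")],
        "last": [],
    },
    "rules": [
        rule("Stealth", ANY, FIREWALL, ANY, "Drop", "Long"),
        rule("Web access", ANY, WEBSERVER, "http", "Accept", "Short"),
        rule("Clean-up", ANY, ANY, ANY, "Drop", "Long"),
    ],
}

def packet(iface, src, dst, service):
    return {"iface": iface, "src": src, "dst": dst, "service": service}

if __name__ == "__main__":
    for p in (packet("eth-ext", "198.51.100.7", "203.0.113.1", "icmp"),
              packet("eth-ext", "198.51.100.7", "203.0.113.10", "icmp"),
              packet("eth-int", "192.168.9.9", "203.0.113.10", "http")):
        print(p["src"], "->", p["dst"], p["service"], match(SAMPLE_POLICY, p))
```

Note how an ICMP packet to the firewall is dropped by the stealth rule, while ICMP to the web server is accepted by the BEFORE LAST implied rule, and how a control connection placed FIRST bypasses the stealth rule entirely.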
Install the Rule Base so that Firewall-1 compiles the rules, generates the corresponding script, and runs it at the enforcement point.
TCP Session Timeout: the time in seconds after which a TCP session times out.
Accept UDP Replies: check to accept reply data in a two-way UDP communication.
UDP Virtual Session Timeout: the time in seconds a UDP reply channel remains open without packets being returned.
Enable Decryption on Accept: check to decrypt incoming, accepted packets even when the rule does not include encryption.
Implied Rules: implied rules are generated in the Rule Base for global properties. Check the properties to be enforced in the Security Policy and then choose a position in the Rule Base for each implied rule:
- First: placed first in the Rule Base
- Before Last: placed before the last rule in the Rule Base
- Last: placed as the last rule in the Rule Base
Accept VPN/Firewall-1 Control Connections: used by Firewall-1 for communication between Firewall daemons on different machines and for connecting to external servers such as RADIUS and TACACS.
Accept RIP: check to accept RIP, used by the routed daemon.
Accept Domain Name Over UDP (Queries): check to accept DNS queries, used by named. named resolves names by associating them with their IP address; if it does not know the IP address of a host name, it issues a query to a name server on the Internet. UDP replies must therefore be enabled to receive the replies.
Accept Domain Name Over TCP (Zone Transfer): check to allow upload of Domain Name resolving tables.
Accept ICMP: check to accept Internet Control Messages. This protocol is used to ensure proper and efficient operation of IP.
Accept Outgoing Packets Originating From Gateway: check to accept all outgoing packets that originate from Firewall-1 itself rather than from the internal network. Gateway rules are usually enforced in the inbound direction, so packets leaving the Gateway are allowed to pass only if one of the following conditions is true:
- the Accept Outgoing Packets property is checked, or
- rules are enforced in both directions (Eitherbound) and there is a rule that allows the packets to leave the Gateway.
Log Implied Rules: implied rules are generated in the Rule Base from the properties defined in this window. If this is checked, Firewall-1 generates log records for communications matching the implied rules.
Install Security Policy only if it can be successfully installed on ALL selected targets: the Security Policy will be installed on either all or none of the selected targets. This lets the Administrator ensure the same Security Policy is being enforced at all enforcement points.
Rule Base
Possible Rule Base actions include
- Accept
- Reject: reject the packet and inform the sender
- Drop: reject without informing the sender
- User Auth: use User Authentication on this packet
- Session Auth: use Session Authentication on this packet
- Client Auth: use Client Authentication on this packet
- Encrypt: encrypt outgoing and decrypt incoming traffic; used with the extra VPN module, not covered in this exam
- Client Encrypt: encrypt outgoing and decrypt incoming traffic with the help of a secure remote client
Content Security
Uses CVP (Content Vectoring Protocol), a TCP-based protocol developed by Check Point that uses port 18181 to transparently re-route the data stream to an external content scanning server. A CVP server object needs to be created for content security to work.
Supports SMTP, HTTP and FTP; each has a corresponding resource object type that can be defined in the rule base.
- SMTP security functions: hides the outgoing email FROM field, redirects email sent to given TO or CC addresses, drops email from particular senders or messages above a particular size, strips MIME attachments, strips the RECEIVED field, and transparently relays email to a third-party anti-virus server.
- FTP security functions: controls the GET and PUT operations, and transparently relays the data stream to a third-party anti-virus server.
- HTTP security functions: URL screening, blocks Java code, strips all the script/applet/ActiveX tags in the HTML code (known as HTML weeding), and anti-virus using a third-party server. URI (Uniform Resource Identifier) is the resource object type for HTTP.
Anti - Spoofing
Configuration is done in the Firewall's Interface properties, Valid Addresses section. Possible options:
- Any: the default choice, no anti-spoofing configuration in place
- No Security Policy: nothing at all
- Others: all packets are allowed except those with source IP addresses from networks listed under Valid Addresses for this object's other interfaces
- Others+: same as Others, but packets from addresses listed under the Others+ section are allowed
- This Net: only packets from the network attached to this interface are allowed
- Specific: only packets from a specifically defined object are allowed
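An added Python check (not from the Cramsession or from Check Point) that applies these Valid Addresses options to arriving packets; the interfaces and addresses are constructed, and No Security Policy is not modelled.

```python
# Anti-spoofing check for the Valid Addresses options Any, Others, Others+,
# This Net and Specific. Interfaces and packets are constructed for
# illustration; this is not Check Point code.
from ipaddress import ip_address, ip_network

def interface(name, attached, mode, extra=()):
    """One firewall interface. attached is the network on the wire, mode the
    Valid Addresses option, extra the networks listed for Others+/Specific."""
    return {"name": name, "attached": ip_network(attached), "mode": mode,
            "extra": [ip_network(n) for n in extra]}

def _valid_nets(i):
    """Networks an interface explicitly declares as its valid sources."""
    if i["mode"] == "This Net":
        return [i["attached"]]
    if i["mode"] == "Specific":
        return list(i["extra"])
    return []   # Any/Others/Others+ do not enumerate their valid sources

def source_is_valid(interfaces, arrival, src):
    """True if a packet with source src may enter on interface arrival."""
    src = ip_address(src)
    this = next(i for i in interfaces if i["name"] == arrival)
    mode = this["mode"]
    if mode == "Any":                       # default: no anti-spoofing at all
        return True
    if mode == "This Net":                  # only the attached network
        return src in this["attached"]
    if mode == "Specific":                  # only the listed objects
        return any(src in n for n in this["extra"])
    if mode in ("Others", "Others+"):
        # Others+: the listed networks are allowed even though they belong to
        # another interface; otherwise fall through to the Others test.
        if mode == "Others+" and any(src in n for n in this["extra"]):
            return True
        # Others: anything except sources the other interfaces claim as valid.
        for other in interfaces:
            if other["name"] != arrival and any(src in n for n in _valid_nets(other)):
                return False
        return True
    raise ValueError(f"unknown Valid Addresses option: {mode}")

def spoofed_sources(interfaces, packets):
    """Return the (interface, source) pairs anti-spoofing would drop."""
    return [(ifc, s) for ifc, s in packets
            if not source_is_valid(interfaces, ifc, s)]

# Constructed example: a three-interface gateway. The external interface uses
# Others, so internal and DMZ addresses arriving from outside are spoofed.
SAMPLE_INTERFACES = [
    interface("eth-int", "10.1.0.0/16", "This Net"),
    interface("eth-dmz", "192.168.10.0/24", "Specific", ["192.168.10.0/24"]),
    interface("eth-ext", "203.0.113.0/24", "Others"),
]
```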
Classful Addressing
INVALID/RESERVED ADDRESSES       CLASS                  NETWORK RANGE
10.0.0.0 - 10.255.255.255        1 Class A Network      10.0.0.0
172.16.0.0 - 172.31.255.255      16 Class B Networks    172.16-31.0.0
192.168.0.0 - 192.168.255.255    256 Class C Networks   192.168.0-255.0
Firewall1 translates packet addresses transparently. This is done in the kernel module before the packets reach their destination: NAT updates its internal table and translates the packet. When the packet leaves, Firewall1 rewrites the invalid/reserved IP address to its original legal address. This takes place in the ADDRESS TRANSLATION MODULE. The KERNEL MODULE does NOT translate addresses; it verifies packet addresses before passing them out from an internal network, and verifies packet addresses before passing them to the address translation module.
NAT Modes
STATIC SOURCE MODE: translates invalid/reserved INTERNAL addresses to legal IP addresses when packets EXIT an internal network.
STATIC DESTINATION MODE: translates legal INTERNAL addresses to invalid/reserved IP addresses when packets ENTER an internal network.
HIDE MODE: hides one or more invalid/reserved IP addresses behind one legal IP address.
Static Mode translates addresses using a one-to-one relationship. When address translation rules are generated automatically, static source and static destination rules are always generated in pairs.
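Added example, not the guide's or Check Point's code: a Python simulation of the three modes with constructed addresses. That hide mode tells hidden hosts apart by the translated source port is an assumption of this example, not something the guide states.

```python
# Simulation of static source, static destination and hide mode NAT.
# Addresses and the port-based hide table are constructed assumptions.
from ipaddress import ip_address, ip_network

class AddressTranslation:
    def __init__(self, static, hide_address, hide_networks, first_port=10000):
        self.static = dict(static)                       # private -> legal
        self.reverse = {pub: priv for priv, pub in static.items()}
        self.hide_address = hide_address
        self.hide_networks = [ip_network(n) for n in hide_networks]
        self.hide_table = {}                             # legal port -> (private ip, port)
        self.next_port = first_port

    def auto_rules(self):
        """Static rules are generated automatically in source/destination pairs."""
        rules = []
        for priv, pub in self.static.items():
            rules.append(("static source", priv, pub))
            rules.append(("static destination", pub, priv))
        return rules

    def exiting(self, src, sport, dst, dport):
        """Packet EXITING the internal network: rewrite the source."""
        if src in self.static:                           # static source, 1:1
            return (self.static[src], sport, dst, dport)
        if any(ip_address(src) in n for n in self.hide_networks):
            for port, owner in self.hide_table.items():  # reuse an existing entry
                if owner == (src, sport):
                    return (self.hide_address, port, dst, dport)
            port, self.next_port = self.next_port, self.next_port + 1
            self.hide_table[port] = (src, sport)
            return (self.hide_address, port, dst, dport)
        return (src, sport, dst, dport)                  # legal address, untouched

    def entering(self, src, sport, dst, dport):
        """Packet ENTERING the internal network: rewrite the destination.
        Returns None when no mapping exists: hidden hosts cannot be reached
        from outside unless they opened the connection themselves."""
        if dst in self.reverse:                          # static destination, 1:1
            return (src, sport, self.reverse[dst], dport)
        if dst == self.hide_address and dport in self.hide_table:
            priv, pport = self.hide_table[dport]         # reply to a hidden host
            return (src, sport, priv, pport)
        return None

# Constructed example: one server with a static pair, every other internal
# host hidden behind the gateway's legal address.
def sample_nat():
    return AddressTranslation(static={"10.1.0.10": "203.0.113.10"},
                              hide_address="203.0.113.1",
                              hide_networks=["10.1.0.0/16"])
```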
NAT Rules
Each address translation rule consists of the following three elements:
1. Conditions that specify when the rule is to be applied
2. The action to be taken when the rule is applied
3. The network object that enforces the action

WHEN RULE IS APPLIED    Original Packet     Define source, destination and service
ACTION TO BE TAKEN      Translated Packet   Define source, destination and service
                        Install On          Define the firewall objects that enforce this rule
ARP Request for Remote Network
1. The local host checks its local route table for a path to the remote host or network.
2. If no path is found, the source host determines the IP address of the default gateway and checks its ARP cache for an IP-to-MAC address mapping for the gateway.
3. The source host sends the data packet to the router.
4. The router then handles the process beyond this point.
Routing Issues
With Firewall1 there are two routing issues:
1. Ensuring packets reach the gateway
2. Ensuring the gateway forwards packets to the correct interface and host
\Winnt\fw\state\local.arp
Stop and Start the Firewall-1 Service after creating this file.
Static Destination
When using Static Destination mode translation, translation takes place in the firewall AFTER internal routing, but BEFORE transmission. To ensure the packet is correctly routed use static routing.
Defining NAT
Authentication
Feature                  User Authentication                Client Authentication               Session Authentication
Transparent Connection   Yes                                No                                  Yes
Services                 FTP, HTTP, HTTPS, Telnet, RLOGIN   All Services                        All Services
Password through         Client's GUI                       Telnet Port 259 or HTTP Port 900    Software
User Authentication
1. The client initiates a connection to the destination server.
2. Firewall1 uses the same connection as the client and asks for authorisation.
3. The client responds with username and password.
4. Firewall1 allows the connection.
Transparent user authentication is Firewall1's default, and the user must provide:
- username and password on the gateway
- username and password on the target host
Client Authentication
1. The client initiates a TELNET (Port 259) or HTTP (Port 900) connection to the Firewall.
2. Firewall1 requests the client's username and password and verifies they are authentic.
3. Firewall1 recognises the client's IP address and allows access to the destination server.
A time-out, a logout, or reaching the configured number of sessions closes the connections.
Session Authentication
1. The client attempts contact with the server.
2. Firewall1 blocks the packet and contacts the session authentication agent.
3. The agent opens on the client's screen.
4. The user enters username and password.
5. The username and password are sent to Firewall1.
6. Firewall1 accepts and allows the connection to the server.
Implicit Client Authentication
The first time, user and session rules are applied; the second time, client authentication rules are applied. User authentication rules are always applied for HTTP, preventing the browser from sending the authentication password to the HTTP server, because client authentication rules DO NOT use Firewall1 security servers.
Use generic user accounts for external authentication schemes to avoid the overhead of maintaining duplicate user accounts.
Firewall1 GUIs
Firewall1 has three GUI programs:
- Log Viewer
- System Status
- Policy Editor
Modes
Security Log: shows all the security-related events.
Accounting Entries: shows Elapsed, Bytes and Start Date in addition to the security log events.
Active Connection Mode: views the current connections through the firewall. Shows Elapsed, Bytes, Start Date and Connection ID in addition to the security log events.
Log File
New Log File: creating a new log file closes the current log, which is written to disk with a name containing the current date and time.
Purge Log File: deletes ALL entries in the log file.
Print Log File: only log entries that match the current selection criteria will be printed.
Saving a Log File: only records that match the current selection criteria will be saved to file.
Alerts
The Firewall module sends alerts to the Management Server, which forwards them to the GUI client. The alert window offers the following actions: Play Sound, Show this Window, Clear, Dismiss.
Changes to Firewalled Objects - Action on Transition:
- Alert: issue an alert (defined in the properties set-up screen)
- Mail: issue a mail alert (defined in the properties set-up screen)
- SNMP Trap: issue an SNMP trap (defined in the properties set-up screen)
SYN Relay
Have the firewall validate every connection before passing it to the original destination. This is the safest option from the servers' point of view: a connection reaches the server only after the firewall has validated it.
SYN Gateway
Have the firewall open a connection to the original destination first, but wait for the ACK from the source before allowing the connection to actually start
- The firewall keeps track of the handshake state.
- If the timer expires, a reset packet is sent that closes the connection on the server.
- The timeout value is critical, as it determines how long the firewall waits for an ACK before assuming that the connection is a SYN attack.