
Cramsession for Check Point Certified Security Administrator

This Cramsession will help you to prepare for Check Point Exam CCSA, Check Point Certified Security Administrator. Exam topics include Features, Functions, Basic Components, Requirements, and Installation of FireWall-1, Network Object Management, Network Address Translation, IP Address Translation Mode Configuration, and Security Policy.

Notice: While every precaution has been taken in the preparation of this material, neither the author nor BrainBuzz.com assumes any liability in the event of loss or damage directly or indirectly caused by any inaccuracies or incompleteness of the material contained in this document. The information in this document is provided and distributed "as-is", without any expressed or implied warranty. Your use of the information in this document is solely at your own risk, and Brainbuzz.com cannot be held liable for any damages incurred through the use of this material. The use of product names in this work is for information purposes only, and does not constitute an endorsement by, or affiliation with BrainBuzz.com. Product names used in this work may be registered trademarks of their manufacturers. This document is protected under US and international copyright laws and is intended for individual, personal use only. For more details, visit our legal page.
2000 All Rights Reserved - BrainBuzz.com

Cramsession: Certified Checkpoint Security Administrator
2001 All Rights Reserved BrainBuzz.com

Contents:
  Firewall Definition (p. 3)
  Different Firewall Technologies (p. 3)
    Packet Filtering (p. 3)
    Application Layer Gateway (p. 3)
    Stateful Inspection (p. 4)
  Firewall-1 Products (p. 5)
    Enterprise Product (p. 5)
    Single Gateway Product (p. 5)
    Enterprise Management Product (p. 6)
    Firewall-1 Firewall Module (p. 6)
    Firewall-1 Inspect Module (p. 6)
  Firewall-1 Architecture (p. 6)
  Remote Management Putkey Configuration (p. 7)
  Administrator Access (p. 8)
    Log in (p. 9)
  Security Policy (p. 10)
    The Security Policy Tab (Rule 0) (p. 12)
    Applying Gateway Rules to Interface Direction (p. 12)
  Rule Base (p. 14)
    Possible Rule Base actions include (p. 14)
    System Status Tool (p. 15)
    Content Security (p. 15)
    Anti-Spoofing (p. 15)
  Network Address Translation (NAT) (p. 16)
    Classful Addressing (p. 16)
    NAT Modes (p. 17)
    Applying NAT Modes (p. 17)
    NAT Rule Base (p. 17)
    NAT Rules (p. 18)
    Address Resolution Protocol (ARP) (p. 18)
      ARP Request for Local Network (p. 18)
      ARP Request for Remote Network (p. 18)
      Routing Issues (p. 19)
      Static Source or Hide modes (p. 19)
      Static Destination (p. 19)
  Authentication (p. 21)
    User Authentication (p. 21)
    Client Authentication (p. 21)
    Session Authentication (p. 22)
    Implicit Client Authentication (p. 22)
      Internal Authentication Schemes (p. 22)
      External Authentication Schemes (p. 23)
  Firewall-1 GUIs (p. 23)
    Log Viewer GUI (p. 23)
    Log Viewer Logon (p. 23)
    Modes (p. 23)
    Log File (p. 24)
    System Status GUI (p. 24)
      System Status Updates (p. 24)
    Alerts (p. 24)
    Solving SYN Flood Problem (p. 25)
      SYN Relay (p. 25)
      SYN Gateway (p. 25)
      Passive SYN Gateway (p. 25)


Firewall Definition
A device that enforces a security policy for communication between internal and/or external networks. It controls which machines or network users can connect through the firewall to reach external elements.

Note: A Firewall cannot protect against malicious authorised users or connections that do not go through the firewall. There is no 100% guarantee that it cannot be breached.

Different Firewall Technologies

Packet Filtering
- Works at the Network Layer
- Only examines the packet header
- Two choices with regard to outbound, passive FTP connections:
  1. Leave the entire range of upper ports (port number > 1023) open to allow a session to take place over the dynamically allocated port, which exposes the internal network
  2. Shut down the entire upper range of ports, thus securing the internal network but blocking other services (this is the trade-off between application support and security)
- Pros: low cost; low overhead; application transparency; quicker than application gateways
- Cons: low security; access limited to a small part of the packet header; screening limited above the network layer; information manipulation very limited; difficult to configure, manage and monitor; inadequate logging and alerting mechanisms; subject to IP spoofing

Application Layer Gateway
- Works at the Application Layer
- Uses complicated application logic to determine intruder attempts
- Pros: good security; full Application-layer awareness
- Cons: application level implementation is detrimental to performance; cannot provide RPC and other services; most proxies are non-transparent; vulnerable to OS and application level bugs; poor scalability (each service requires its own application layer gateway); overlooks information in other layers; expensive performance costs

Note: Every client/server communication requires two connections:
1. One from client to FireWall
2. One from FireWall to server

Stateful Inspection
- Communication information from the top 5 packet layers
- State derived from previous communications (outgoing port etc.)
- Application-derived state, such that a previously authenticated user would be allowed access for authorised services only
- Evaluation of flexible expressions based on communication information, application-derived state and communication-derived state
- Benefits: good security, full application awareness, high performance, scalability, extensibility and transparency

FireWall Capability        | Communication Information | Communication Derived State | Application Derived State | Information Manipulation
Packet Filters             | Partial                   | No                          | No                        | Partial
Application Layer Gateways | Partial                   | Partial                     | Yes                       | Yes
Stateful Inspection        | Yes                       | Yes                         | Yes                       | Yes

Note: The Inspect Engine is located in the Kernel Module. It can Accept, Reject or Drop packets. It saves system processing time.

Firewall-1 Products
Check Point uses the OPSEC (Open Platform for Secure Enterprise Connectivity) architecture, which provides a scalable framework for security implementation by separating the firewall product into different modules.

Enterprise Product
- Management Module: centralised graphical security management for either one or unlimited security enforcement points
- Inspection Module: access control; client and session authentication; network address translation; auditing
- Firewall Module: includes the inspection module; user authentication; multiple firewall synchronisation; content security
- Encryption Module: provides DES and FWZ1 encryption
- Router Security Management: security management for router ACLs across one or more routers
- Open Security Manager: centralised security management for 3Com, Cisco and Microsoft NT Server routers, and Cisco PIX firewalls

Single Gateway Product
- Management Module: centralised graphical security management for either one or unlimited security enforcement points
- Inspection Module: access control; client and session authentication; network address translation; auditing
- Firewall Module: includes the inspection module; user authentication; multiple firewall synchronisation; content security

Enterprise Management Product
- Connect Control Module: automatic application server load balancing across multiple servers (deployed with Firewall-1)

Firewall-1 Firewall Module
- Inspection Module: access control; client and session authentication; network address translation; auditing
- User authentication; multiple firewall synchronisation; content security

Firewall-1 Inspect Module
- Access control; client and session authentication; network address translation; auditing

The Encryption Module
- DES Encryption Module for use in North America
- FWZ1 Module for worldwide export

Firewall-1 Architecture
A 3-tier architecture: there can be many different firewall modules running in different locations (security enforcement points), controlled by a central Management Console. Administrators can administer the security system either directly via the console, or by running GUI clients connected to the Management Console through the network from another desktop.

For the Single Gateway Product, there is only one Firewall Module controlled by one Management Console, and both must be installed on the same machine, which means that there is only one security enforcement point. However, you can still run the GUI client from another desktop.

Firewall Internet Gateway/25 is a Firewall Internet Gateway (including one firewall module and management server) that protects 25 nodes or IP addresses. The number included with the product name pertains to the number of IP addresses a user needs to protect, e.g., 25/50/100/250/Unlimited.

The GUI is available only for Win95/98/NT and Motif. The exam focuses on the GUI, not the command line. The three different GUIs are: the Security Policy Editor for setting up the security settings, the Log Viewer for viewing the logs, and the System Status tool for viewing the current statistics of different firewall components. The Network Object Manager is a function within the Policy Editor for creating objects, so that we can place the objects in the rule base and set up the corresponding security rules.

FWD (Firewall Daemon) is the process responsible for moving data between the components. When the server is started and the Firewall-1 services have not finished loading, the server's IP forwarding function can provide hackers with security holes to get in. This is the specific vulnerable time we need to pay attention to. The best way is to let Firewall-1 control the server's IP forwarding function.

(Figure: Firewall-1 as a service in Control Panel > Services)

Remote Management Putkey Configuration
Putkeys must be exchanged for both the Management Server and the Firewall Gateway before remote management can take place. The steps for configuring the Management Station and Firewall are as follows:

1. Configure the key (password) used by the master and remote devices to authenticate sessions. From the OS prompt, change directory to $FWDIR\bin and add the authorisation key to be used by the master to authenticate to the remote device (e.g., password = abc123, sample IP address = 205.30.32.111):

   fw putkey -p abc123 205.30.32.111

2. Edit the masters file on the computer with the firewall module. From the OS prompt, change directory to $FWDIR\conf and add the IP of the management station to the masters file:

   echo 205.30.32.111 > masters

3. Stop and start the Firewall, causing it to re-read the local masters file. This in turn allows the Management Station to remotely install the security policy. From the OS prompt, change directory to $FWDIR\bin, type fwstop and press Enter, then type fwstart and press Enter. When the "FW-1 started" message appears, exit the command window.

An authentication key is required for each firewall that the management console will remotely manage. This is achieved by using the fw putkey command with the following arguments:

   fw putkey -p <password> <firewall-module-ip-address>

To remove remote management, remove the masters file from the $FWDIR/conf directory and reboot the Firewall.

Administrator Access
You can set up as many administrator accounts as you like. When logging on, you must supply the user name, password and the name or IP address of the management server.

Log in
The administrator can have four different levels of access rights:
1. Monitor Only: read-only access to the Log Viewer and System Status tool
2. Read Only: includes Monitor Only rights, plus read-only rights to the Security Policy Editor
3. User Access: the administrator can modify user information, but nothing else
4. Read/Write Access: the administrator can do everything. Only one administrator at a time can log in using this mode


(Figure: Administrator's access mode)

Security Policy
Definition: a set of rules that collectively determine what traffic is allowed and what is not.

Enforcement directions: there are three different directions:
1. Inbound (default)
2. Outbound
3. Eitherbound

- Inbound: if an inbound rule is applied, packets going into the FireWall are checked
- Outbound: if an outbound rule is applied, packets leaving the FireWall are checked
- Eitherbound: if an eitherbound rule is applied, packets going into and leaving the Firewall are checked. Checking traffic both ways is CPU intensive.

The effective security settings are a combination of the settings found in the Security Policy Properties and the Rule Base. Packets are matched in the following order:
1. Anti-Spoofing
2. Any properties marked FIRST in the Security Policy Properties
3. Rule Base order (except for the last rule)
4. Any properties marked BEFORE LAST in the Security Policy Properties
5. The Rule Base's last rule
6. Any properties marked LAST in the Security Policy Properties
7. Implicit Drop Rule (drops everything not mentioned above)

Sample Rule Base
- Define a Rule in the Rule Base: you must specify a minimum of Source, Destination, Service, Action, and where to install the policy (e.g., the enforcement point, generally the default Gateway).
- Implicit Drop Rule: drops everything without logging.
- Explicit Clean-up Rule: as you will probably want to know what other traffic is attempting to come through the Firewall, you should create an explicit clean-up rule and add logging. This should be the last rule in the rule base and needs the following details: Source ANY, Destination ANY, Service ANY, Action DROP, Track LONG.
- Stealth Rule: the first rule in the rule base, which prevents direct access to the firewall.

Note: Rule Base order is very important. The Firewall will implement rules in a top-down order. Verify the Rule Base to ensure the rule base settings are usable.
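The matching order above, as an added example (not code from the original or from Check Point): a small Python simulation of the stages from anti-spoofing through the implicit drop, run against a constructed policy with a stealth rule, an implied Accept Control Connection rule marked First, an implied Accept ICMP rule marked Before Last and an optional clean-up rule. The gateway object fw-gw, the network object names, the rules and the packets are all constructed.

```python
"""Matching order of a FireWall-1 security policy (added example, not Check
Point code). Source and destination are network object names, as in the GUI;
the object names, rules and packets are constructed for illustration."""
from dataclasses import dataclass, field

ANY = "ANY"


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    spoofed: bool = False   # outcome of the anti-spoofing check, assumed already computed


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str             # accept | drop | reject
    track: str = "none"     # long | short | none

    def matches(self, p):
        return (self.src in (ANY, p.src) and self.dst in (ANY, p.dst)
                and self.service in (ANY, p.service))


@dataclass
class Policy:
    rule_base: list                                   # explicit rules, top down
    first: list = field(default_factory=list)         # properties marked FIRST
    before_last: list = field(default_factory=list)   # properties marked BEFORE LAST
    last: list = field(default_factory=list)          # properties marked LAST


def evaluate(policy, pkt, log):
    """Return (action, rule name) for pkt, appending a record to log when the
    matching rule tracks it. The stages run in the order the page lists."""
    if pkt.spoofed:                                   # 1. anti-spoofing, before any rule
        log.append(f"long: anti-spoofing drop {pkt.src}->{pkt.dst}")
        return "drop", "anti-spoofing"
    explicit = policy.rule_base
    stages = [
        policy.first,           # 2. implied rules marked FIRST
        explicit[:-1],          # 3. rule base, except its last rule
        policy.before_last,     # 4. implied rules marked BEFORE LAST
        explicit[-1:],          # 5. the rule base's last rule
        policy.last,            # 6. implied rules marked LAST
    ]
    for rules in stages:
        for rule in rules:
            if rule.matches(pkt):
                if rule.track != "none":
                    log.append(f"{rule.track}: {rule.name} {rule.action} "
                               f"{pkt.src}->{pkt.dst} {pkt.service}")
                return rule.action, rule.name
    return "drop", "implicit drop"                    # 7. dropped, nothing logged


def build_policy(cleanup=True):
    """Constructed policy for a gateway object named fw-gw. With cleanup=False the
    implicit drop is what catches unmatched traffic, and it leaves no log record."""
    rules = [
        Rule("stealth", ANY, "fw-gw", ANY, "drop", "long"),           # first explicit rule
        Rule("web-out", "internal-net", ANY, "http", "accept", "short"),
    ]
    if cleanup:
        rules.append(Rule("clean-up", ANY, ANY, ANY, "drop", "long"))  # last explicit rule
    return Policy(
        rule_base=rules,
        # Accept VPN/FireWall-1 Control Connection, placed First: it matches before
        # the stealth rule, so management traffic to the gateway still gets through.
        first=[Rule("control-conn", ANY, "fw-gw", "FW1", "accept")],
        # Accept ICMP placed Before Last: after the stealth rule, before the clean-up rule.
        before_last=[Rule("icmp-implied", ANY, ANY, "icmp", "accept")],
    )
```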


Install the Rule Base so that Firewall-1 will compile them, generate the corresponding script, and make it run in the enforcement point.

The Security Policy Tab (Rule 0)

Applying Gateway Rules to Interface Direction
- Inbound (default): enforces the security policy only on packets entering the Gateway. Packets will be allowed to leave ONLY if Accept Outgoing Packets is selected.
- Outbound: enforces the security policy only on packets leaving the Gateway. A rule can still be enforced in the incoming direction by selecting Destination under Install On and specifying the Gateway in the Rule Base. At least one rule like this must be present or no packets will be allowed to enter the gateway.
- Eitherbound: enforces the security policy on packets entering and leaving the Gateway. Firewall-1 inspects packets twice, once on entry and again when leaving.

Security Policy Properties:
- TCP Session Timeout: specify the time in seconds after which a TCP session times out.
- Accept UDP Replies: check to accept reply data in a two-way UDP communication.
- UDP Virtual Session Timeout: specify the time in seconds a UDP reply channel remains open without packets being returned.
- Enable Decryption on Accept: check to decrypt incoming, accepted packets even when the rule does not include encryption.
- Implied Rules: implied rules are generated in the Rule Base for global properties. Check the properties enforced in the Security Policy and then choose a position in the Rule Base for the implied rule:
  - First: place first in the Rule Base
  - Before Last: place before the last rule in the Rule Base
  - Last: place as the last rule in the Rule Base
- Accept VPN/Firewall-1 Control Connection: used by Firewall-1 for communication between Firewall daemons on different machines and for connecting to external servers such as RADIUS and TACACS.
- Accept RIP: check to accept RIP, used by the routed daemon.
- Accept Domain Name Over UDP (Queries): check to accept DNS queries used by named. named resolves names by associating them with their IP address; if it does not know the IP address of a host name, it issues a query to the name server on the Internet. UDP replies must therefore be enabled to receive the replies.
- Accept Domain Name Over TCP (Zone Transfer): check to allow upload of Domain Name resolving tables.
- Accept ICMP: check to accept Internet Control Messages. This protocol is used to ensure proper and efficient operation of IP.
- Accept Outgoing Packets Originating From Gateway: check to accept all outgoing packets from Firewall-1 itself, not from the internal network. Gateway rules are usually enforced in the inbound direction. When packets passing through the Gateway leave, they will be allowed to pass only if one of the following conditions is true:
  - the Accept Outgoing Packets property is checked
  - rules are enforced in both directions (Eitherbound), and there is a rule to allow packets to leave the Gateway
- Log Implied Rules: implied rules are generated in the Rule Base from the properties defined in this window. If this is checked, Firewall-1 generates log records for communications matching the implied rules.
- Install Security Policy only if it can be successfully installed on ALL selected targets: the Security Policy will either be installed on all or none of the selected targets. This allows the Administrator to ensure the same Security Policy is being enforced at all enforcement points.


Rule Base

Possible Rule Base actions include:
- Accept
- Reject: reject the packet and inform the sender
- Drop: reject without informing the sender
- User Auth: use User Authentication on this packet
- Session Auth: use Session Authentication on this packet
- Client Auth: use Client Authentication on this packet
- Encrypt: encrypt outgoing and decrypt incoming traffic; used with the extra VPN module, not covered in this exam
- Client Encrypt: encrypt outgoing and decrypt incoming traffic with the help of a secure remote client

(Figure: Rule Base Actions)


System Status Tool
- Tells the number of packets dropped/rejected/inspected/logged
- Tells whether or not a security policy is installed on the firewall, the name of the policy installed, and the date the security policy was installed on the firewall
- The most important display shows the status of the Firewall-1 Daemon: INSTALLED (the daemon is running, and a security policy is installed), NOT INSTALLED (the daemon is running, but no security policy is installed), or DISCONNECTED (no response from the daemon at all)

Content Security
- Uses CVP (Content Vectoring Protocol), a TCP-based protocol developed by Check Point that uses port 18181 to transparently re-route the data stream to an external content scanning server. A CVP server object needs to be created for content security to work.
- Supports SMTP, HTTP and FTP; each has a corresponding resource object type that can be defined in the rule base.
- SMTP security functions: hides the outgoing email's FROM field, redirects email sent to given TO or CC addresses, drops emails from particular senders or messages above a particular size, strips MIME attachments, strips the RECEIVED field, and transparently relays email to a third-party anti-virus server.
- FTP security functions: controls the GET and PUT operations, and transparently relays the data stream to a third-party anti-virus server.
- HTTP security functions: URL screening, blocks Java code, strips all the script/applet/ActiveX tags in the HTML code (known as HTML weeding), and anti-virus using a third-party server.
- URI (Uniform Resource Identifier) is the resource object type for HTTP.

Anti-Spoofing
Configuration is done in the Firewall's Interface properties, Valid Addresses section. Possible options:
- Any: the default choice, no anti-spoof configuration in place
- No Security Policy: nothing at all
- Others: all packets are allowed except those with source IP addresses from the networks listed under Valid Addresses for this object's other interfaces
- Others+: same as Others, but packets from addresses listed under the Others+ section are also allowed
- This Net: only packets from the network attached to this interface are allowed
- Specific: only packets from a specifically defined object are allowed
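The Valid Addresses options above, as an added example (not the original's or Check Point's code): a Python check that applies Any, Others, Others+, This Net and Specific to a constructed four-interface gateway, with No Security Policy left out. The interface names, the networks, and the assumption that only This Net and Specific "claim" an address range for the purposes of Others are mine.

```python
"""Anti-spoofing per interface, following the Valid Addresses options on this
page (added example, not Check Point code; the gateway layout is constructed)."""
from ipaddress import ip_address, ip_network

# Constructed gateway: one entry per interface.
#   net     - network attached to the interface
#   valid   - Valid Addresses setting: any | others | others+ | this net | specific
#   objects - networks of the object chosen for "specific"
#   extra   - networks listed in the Others+ section
GATEWAY = {
    "hme0": {"net": "203.0.113.0/24", "valid": "others"},                 # Internet side
    "hme1": {"net": "10.1.0.0/16", "valid": "this net"},                  # internal LAN
    "hme2": {"net": "192.168.5.0/24", "valid": "specific",
             "objects": ["192.168.5.0/24", "192.168.6.0/24"]},            # DMZ plus a routed subnet
    "hme3": {"net": "172.16.0.0/24", "valid": "others+",
             "extra": ["10.1.99.0/24"]},                                  # partner link
}


def claimed_networks(gateway, iface):
    """Networks an interface claims as its own Valid Addresses.
    Assumption: only 'this net' and 'specific' claim a range; 'others' and
    'others+' are defined relative to what the remaining interfaces claim."""
    cfg = gateway[iface]
    if cfg["valid"] == "this net":
        return [ip_network(cfg["net"])]
    if cfg["valid"] == "specific":
        return [ip_network(n) for n in cfg["objects"]]
    return []


def source_allowed(gateway, iface, src):
    """True if a packet with source address src may enter on iface."""
    cfg, addr = gateway[iface], ip_address(src)
    setting = cfg["valid"]
    if setting == "any":                       # default: no anti-spoofing on this interface
        return True
    if setting in ("this net", "specific"):    # only the claimed range is allowed
        return any(addr in net for net in claimed_networks(gateway, iface))
    if setting in ("others", "others+"):
        if setting == "others+" and any(addr in ip_network(n) for n in cfg["extra"]):
            return True                        # explicitly listed, so allowed despite belonging elsewhere
        return not any(addr in net
                       for other in gateway if other != iface
                       for net in claimed_networks(gateway, other))
    raise ValueError(f"unknown Valid Addresses setting: {setting}")


def check_packets(gateway, packets):
    """Return the (iface, src) pairs that anti-spoofing would drop."""
    return [(iface, src) for iface, src in packets
            if not source_allowed(gateway, iface, src)]
```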

Network Address Translation (NAT)


Conceals internal computers and users from outside networks, and is a separate component of the Firewall-1 security policy. NAT changes (translates) or hides IP addresses.

Classful Addressing

Invalid/reserved addresses     | Class                | Network range
10.0.0.0 to 10.255.255.255     | 1 Class A network    | 10.0.0.0
172.16.0.0 to 172.31.255.255   | 16 Class B networks  | 172.16-31.0.0
192.168.0.0 to 192.168.255.255 | 256 Class C networks | 192.168.0-255.0

Firewall-1 translates packet addresses transparently. This is done in the kernel module before they reach their destination. NAT updates its internal table and translates the packet. When the packet leaves, Firewall-1 rewrites the invalid/reserved IP address to its original legal address. This takes place in the ADDRESS TRANSLATION MODULE. The KERNEL MODULE does NOT translate addresses:
- it verifies packet addresses before passing them out from an internal network
- it verifies packet addresses before passing them to the address translation module


NAT Modes
- STATIC SOURCE MODE: translates invalid/reserved INTERNAL addresses to legal IP addresses when packets EXIT an internal network.
- STATIC DESTINATION MODE: translates legal INTERNAL addresses to invalid/reserved IP addresses when packets ENTER an internal network.
- HIDE MODE: hides one or more invalid/reserved IP addresses behind one legal IP address.

Static Mode translates addresses using a one-to-one relationship. When generating address translation rules automatically, static source and destination mode rules are always generated in pairs.

Applying NAT Modes
To add address translation modes to Firewall-1, you edit or add network objects, servers, gateways and routers. Define source or destination static mode by placing the network object as source or destination in the Rule Base.

NAT Rule Base
When defining network objects during set-up of Firewall-1, NAT rules are generated automatically. You can add or edit rules manually alongside the automatically generated rules, which gives complete control over Firewall-1 NAT. Firewall-1 validates address translation rules, helping avoid mistakes in the set-up process. For complete control over Firewall-1 address translation you can do one or more of the following:
- Specify objects by name or IP address
- Restrict rules to specific destination and/or source IP addresses
- Translate source and destination IP addresses in the same packet
- Restrict rules to specific services (ports)
- Translate ports


NAT Rules
Each of the address translation rules consists of the following three elements:
1. Conditions that specify when a rule is to be applied
2. Action to be taken when the rule is applied
3. The network object to enforce the action

Rule column       | Meaning                  | What you define
Original Packet   | When the rule is applied | Source, destination and service
Translated Packet | Action to be taken       | Source, destination and service
Install On        | Enforcement point        | Firewall objects to enforce this rule

Address Resolution Protocol (ARP)
ARP resolves IP addresses to hardware (MAC) addresses.

ARP Request for Local Network
1. IP determines that the address it wants to send to is on the local network.
2. The source host checks its own list (ARP cache) for the MAC of the destination host.
3. If no match is found, ARP builds a request which includes its own IP and MAC, and broadcasts for the IP and MAC address of the destination host.
4. Every host on the local network responds to the broadcast by checking if the IP address of the destination host matches its own.
5. The destination host recognises a match and sends an ARP reply directly to the sending host with its MAC address. The ARP cache on both hosts is updated.
6. When the source host receives the reply, communication is established between them.

ARP Request for Remote Network
1. The source host determines that the IP address it wants is not on the local network.
2. The local host checks its local route table for a path to the remote host or network.
3. If no path is found, the source host determines the IP address of the default gateway and checks its ARP cache for an IP-to-MAC address mapping for the gateway.
4. The source host sends the data packet to the router.
5. The router then handles the process beyond this point.

Routing Issues
With Firewall-1 there are two routing issues:
1. Ensuring packets reach the gateway
2. Ensuring the gateway forwards packets to the correct interface and host

Static Source or Hide modes
When using Static Source or Hide modes, you must ensure the translated (legal) addresses are published so that replies will be routed back to the Firewall. On NT systems the ARP command does not allow permanent entries, so Check Point created the following feature, the file:

\Winnt\fw\state\local.arp

The format of local.arp is:

IP Address <TAB> External MAC Address

Stop and start the Firewall-1 service after creating this file.
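The NAT modes, the NAT rule base columns (Original Packet, Translated Packet, Install On) and the local.arp publishing requirement above, as one added Python example (not the original's or Check Point's code): a static source/destination pair generated together, a hide rule that translates the source port and keeps a table so replies find the hidden host, and the local.arp lines for the legal addresses the firewall must answer ARP for. The objects, addresses, gateway name, MAC address and port range are constructed.

```python
"""NAT rule base, NAT modes and local.arp publishing as described on this page
(added example, not Check Point code). Objects, rules and the MAC are constructed."""
import itertools
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "ANY"


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    sport: int = 0
    dport: int = 0


@dataclass
class NatRule:
    orig_src: str                 # Original Packet: when the rule is applied
    orig_dst: str
    orig_service: str
    xl_src: Optional[str]         # Translated Packet: None keeps the original field
    xl_dst: Optional[str]
    mode: str                     # "static" (one-to-one) or "hide" (many behind one)
    install_on: str = "fw-gw"     # constructed gateway object name


def _matches(pattern, value):
    """A rule column holds ANY, an object address, or a network in CIDR form."""
    if pattern == ANY or pattern == value:
        return True
    try:
        return ip_address(value) in ip_network(pattern, strict=False)
    except ValueError:            # service names and object names are not addresses
        return False


def static_pair(private, public, service=ANY):
    """Static source and static destination rules are always generated in pairs."""
    return [
        NatRule(private, ANY, service, public, None, "static"),   # packets EXIT: private -> legal
        NatRule(ANY, public, service, None, private, "static"),   # packets ENTER: legal -> private
    ]


def hide_rule(private_net, hide_addr, service=ANY):
    """Hide mode: many invalid/reserved addresses behind one legal address."""
    return NatRule(private_net, ANY, service, hide_addr, None, "hide")


class Translator:
    def __init__(self, rules, first_port=10000):
        self.rules = rules
        self.table = {}                       # (hide addr, port) -> (hidden src, original sport)
        self.ports = itertools.count(first_port)   # constructed port range for hide mode

    def translate(self, pkt):
        """Apply the first matching rule top down; returns (packet, rule or None)."""
        for rule in self.rules:
            if (_matches(rule.orig_src, pkt.src) and _matches(rule.orig_dst, pkt.dst)
                    and _matches(rule.orig_service, pkt.service)):
                new = Packet(rule.xl_src or pkt.src, rule.xl_dst or pkt.dst,
                             pkt.service, pkt.sport, pkt.dport)
                if rule.mode == "hide":       # hide mode must also translate the source port
                    new.sport = next(self.ports)
                    self.table[(new.src, new.sport)] = (pkt.src, pkt.sport)
                return new, rule
        return pkt, None                      # no rule: packet passes untranslated

    def untranslate_reply(self, pkt):
        """Reply addressed to the hide address: restore the hidden host, or None if unknown."""
        entry = self.table.get((pkt.dst, pkt.dport))
        if entry is None:
            return pkt, None
        hidden_src, orig_sport = entry
        return Packet(pkt.src, hidden_src, pkt.service, pkt.sport, orig_sport), hidden_src


def local_arp_lines(rules, fw_mac):
    """local.arp entries (IP <TAB> MAC) for every legal address the firewall must
    answer ARP for: static source and hide translated addresses, plus the public
    address of any static destination rule."""
    addrs = []
    for r in rules:
        for a in (r.xl_src, r.orig_dst if r.xl_dst else None):
            if a and a != ANY and "/" not in a and a not in addrs:
                addrs.append(a)
    return [f"{a}\t{fw_mac}" for a in addrs]


def build_rules():
    """Constructed rule base: a static pair for one mail server, then hide for the LAN.
    The static pair must come first; otherwise the hide rule would catch the server too."""
    return static_pair("10.1.1.10", "203.0.113.10") + [hide_rule("10.1.0.0/16", "203.0.113.1")]
```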

Static Destination
When using Static Destination mode translation, translation takes place in the firewall AFTER internal routing, but BEFORE transmission. To ensure the packet is correctly routed use static routing.


(Figures: Defining NAT; NAT in the Rule Base)


Authentication

Feature                | User Authentication              | Client Authentication                | Session Authentication
Transparent connection | Yes                              | No                                   | Yes
Services               | FTP, HTTP, HTTPS, Telnet, RLOGIN | All services                         | All services
Password through       | Client's GUI                     | Telnet (port 259) or HTTP (port 900) | Authentication Agent
Software               | None                             | None                                 | Authentication Agent software required by the client

User Authentication
1. Client initiates a connection to the destination server.
2. FireWall-1 uses the same connection as the client and asks for authorisation.
3. Client responds with username and password.
4. FireWall-1 allows the connection.

Transparent user authentication is FireWall-1's default, and the user must provide: username and password on the gateway, and username and password on the target host.

Client Authentication
1. Client initiates a TELNET (port 259) or HTTP (port 900) connection to the firewall.
2. FireWall-1 requests the client's username and password and verifies they are authentic.
3. FireWall-1 recognises the client's IP address and allows access to the destination server.
Time-out, logout, or the number of sessions closes connections.


Session Authentication
1. Client attempts contact with the server.
2. FireWall-1 blocks the packet and contacts the Session Authentication Agent.
3. The agent opens on the client's screen.
4. The user enters username and password.
5. Username and password are sent to FireWall-1.
6. FireWall-1 accepts and allows the connection to the server.

Implicit Client Authentication

Extends access privileges to specific clients without requiring the user to initiate additional sessions on the gateway. If the client authenticates under a user or session authentication rule, FireWall-1 knows which user is on the client and additional client authentication sessions are not necessary. If implicit client authentication is enabled and an automatic sign-on rule is opened, all the standard sign-on rules are opened.

Define the rules in the following order:
1. User authentication rules for HTTP
2. Client authentication rules
3. User and session authentication rules for non-HTTP services

The first time, user and session rules are applied; the second time, client authentication rules are applied. User authentication rules are always applied for HTTP, preventing the browser from sending the authentication password to the HTTP server, because client authentication rules DO NOT use FireWall-1 security servers.

Internal Authentication Schemes

- S/Key: the most secure form of internal authentication
- FireWall-1 Password: the user enters an assigned FireWall-1 password (the user does NOT require an OS account on the firewall)
- OS Password: the user enters an OS password and must have an OS account on the firewall

External Authentication Schemes

- SecurID: user enters a Security Dynamics PASSCODE
- RADIUS (Remote Authentication Dial In User Service): user prompted for a response to the RADIUS server
- AXENT Pathways Defender: user prompted for a response to the AXENT server
- TACACS (Terminal Access Controller Access Control System): user prompted for a response to the TACACS server

Use generic user accounts for external authentication schemes to avoid the overhead of maintaining duplicate user accounts.

FireWall-1 GUIs
FireWall-1 has three GUI programs:
- Log Viewer
- System Status
- Policy Editor

Log Viewer GUI


The management server reads the log file and sends the data to the GUI client for display. The GUI client only displays the data.

Log Viewer Logon

To log on you require:
- Username
- Password
- Management Server

Modes
- Security Log: shows all the security-related events.
- Accounting Entries: shows Elapsed, Bytes and Start Date in addition to security log events.
- Active Connection Mode: views current connections through the firewall. Shows Elapsed, Bytes, Start Date and Connection ID in addition to security log events.

Log File
- New Log File: creating a new log file closes the current log, which is written to disk with a name containing the current date and time.
- Purge Log File: deletes ALL entries in the log file.
- Print Log File: only log entries that match the current selection criteria will be printed.
- Saving a Log File: only records that match the current selection criteria will be saved to file.

System Status GUI

System Status Updates

Before FireWall-1 updates the status display it broadcasts a status request message to all firewall objects. The following information is obtained:
- Date the security policy was installed on the object
- Firewalled object's status
- Firewalled object's name
- Rule Base name (file containing the rule base)
- Date and time the firewalled object's status was last updated

Alerts
The Firewall module sends alerts to the Management Server, which sends them to the GUI client. The alert is actioned as follows:
- Play Sound
- Show this Window
- Clear
- Dismiss

Changes to Firewalled Objects - Action on Transition:
- Alert: issue an alert (defined in the properties set-up screen)
- Mail: issue a mail alert (defined in the properties set-up screen)
- SNMP Trap: issue an SNMP trap (defined in the properties set-up screen)

Solving SYN Flood Problem

Definition: a simple type of denial of service attack which can halt a mission critical service.

The normal handshake process of TCP:
1. SYN - the client makes a request to the server, asking for a chance to talk
2. SYN/ACK - the server replies by saying OK
3. ACK - the client confirms with the server and establishes a connection

An attacker uses a SYN flood to send the target server a large volume of SYN packets with spoofed source IP addresses; the server is kept busy replying to unreachable hosts. FireWall-1 uses SYNDefender to protect against SYN flood attacks.

SYN Relay
- The firewall validates every connection before passing it to the original destination.
- Safest from the server's point of view.
- A connection reaches the server only after the firewall has validated it.

SYN Gateway
Have the firewall open a connection to the original destination first, but wait for the ACK from the source before allowing the connection to actually start

Passive SYN Gateway

- The firewall opens a connection to the original destination first, but without the ACK from the source the direct connection will not be allowed.
- The firewall keeps track of the handshake state.
- If the timer expires, a reset packet is used to close the connection on the server.
- The timeout value is critical, as it determines how long the firewall should wait for an ACK before assuming that the connection is a SYN attack.
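The handshake bookkeeping just described for the Passive SYN Gateway, as an added example (this is a model written for this page, not Check Point's SYNDefender code): each SYN that passes towards the server is recorded as half-open with a timer, the client's ACK inside the timeout marks it established, and on expiry the firewall sends a reset towards the server and drops the entry. The connection keys, timestamps, timeout value and spoofed sources are all constructed.

```python
"""Added example, not Check Point's code: the handshake bookkeeping the
Passive SYN Gateway passage describes. The firewall records each half-open
connection when a SYN passes towards the server, marks it established when
the client's ACK arrives inside the timeout, and on expiry sends a reset
towards the server so the half-open entry is cleared. Connection keys,
timestamps and the timeout are constructed values."""
from dataclasses import dataclass, field


@dataclass
class PassiveSynGateway:
    timeout: float                                    # seconds to wait for the client's ACK
    half_open: dict = field(default_factory=dict)     # key -> time the SYN was seen
    established: set = field(default_factory=set)     # keys whose handshake completed
    resets_sent: list = field(default_factory=list)   # (key, time) RSTs sent to the server

    def on_syn(self, key, now):
        """SYN forwarded to the server; start this connection's handshake timer."""
        if key in self.half_open or key in self.established:
            return False                              # retransmit; already tracked
        self.half_open[key] = now
        return True

    def on_ack(self, key, now):
        """Client's ACK completes the handshake only while the timer is still running."""
        started = self.half_open.get(key)
        if started is None:
            return False                              # never saw the SYN
        if now - started > self.timeout:
            self.expire(now)                          # late ACK: treated like a timeout
            return False
        del self.half_open[key]
        self.established.add(key)
        return True

    def expire(self, now):
        """Reset every half-open connection whose timer has run out; return those keys."""
        expired = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for key in expired:
            del self.half_open[key]
            self.resets_sent.append((key, now))       # RST closes it on the server
        return expired

    def half_open_count(self):
        """How many connections are awaiting an ACK; a rising count is the flood signal."""
        return len(self.half_open)


if __name__ == "__main__":
    fw = PassiveSynGateway(timeout=5.0)
    # constructed traffic: one real client, three spoofed sources that never ACK
    real = ("10.0.0.5", 40000, "203.0.113.20", 80)
    fw.on_syn(real, 0.0)
    fw.on_ack(real, 1.0)
    for i in range(3):
        fw.on_syn((f"198.51.100.{i}", 1000 + i, "203.0.113.20", 80), 2.0)
    print("half-open at t=2:", fw.half_open_count())
    print("expired at t=7.5:", fw.expire(7.5))
    print("resets sent:", len(fw.resets_sent))
```

The model makes the timeout trade-off in the passage concrete: a short value frees the server's half-open slots quickly but resets slow legitimate clients, while a long value lets spoofed entries accumulate for longer before the reset is sent.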

Special thanks to Garnet D Newton-Wade for contributing this Cramsession.

2001 All Rights Reserved BrainBuzz.com
