What is a Firewall?
A firewall is a network security system, either hardware or software based, that controls incoming and
outgoing network traffic based on a set of rules.
Types of firewall:
Stateful firewalls: In order to recognize a packet's connection state, a firewall needs to record all
connections passing through it to ensure it has enough information to assess whether a packet is the
start of a new connection, a part of an existing connection, or not part of any connection. This is what's
called "stateful packet inspection." Stateful inspection was first introduced in 1994 by Check Point
Software in its FireWall-1 software firewall, and by the late 1990s, it was a common firewall product
feature.
This additional information can be used to grant or reject access based on the packet's history in the
state table, and to speed up packet processing; that way, packets that are part of an existing connection
based on the firewall's state table can be allowed through without further analysis. If a packet does not
match an existing connection, it's evaluated according to the rule set for new connections.
Application-layer firewalls: As attacks against Web servers became more common, so too did the need
for a firewall that could protect servers and the applications running on them, not merely the network
resources behind them. Application-layer firewall technology first emerged in 1999, enabling firewalls to
inspect and filter packets on any OSI layer up to the application layer.
The key benefit of application-layer filtering is the ability to block specific content, such as
known malware or certain websites, and recognize when certain applications and protocols -- such
as HTTP, FTP and DNS -- are being misused.
Firewall technology is now incorporated into a variety of devices; many routers that pass data between
networks contain firewall components and most home computer operating systems include software-
based firewalls. Many hardware-based firewalls also provide additional functionality like basic routing to
the internal network they protect.
Proxy firewalls: Firewall proxy servers also operate at the firewall's application layer, acting as an
intermediary for requests from one network to another for a specific network application. A proxy
firewall prevents direct connections between either side of the firewall; both sides are forced to
conduct the session through the proxy, which can block or allow traffic based on its rule set. A proxy
service must be run for each type of Internet application the firewall will support, such as an HTTP proxy
for Web services.
SSL VPN (Secure Sockets Layer VPN)
SSL VPN:- These products allow users to establish secure remote-access sessions from virtually any
Internet-connected web browser. Delivering the ability for people to access e-mail, critical information
systems, files, and other network resources from virtually anywhere is not a trivial task.
Goals of SSL
1. Confidentiality of communications (primary use)
2. Integrity of Data (primary use—not noticed by users)
3. Authentication of Server (relies on user to be technically well informed)
4. Authentication of Client (rarely used, but has applications for SSL VPN)
IPSEC
CONFIGURE IPSEC
ClusterXL is a software-based Load Sharing and High Availability solution that distributes network
traffic between clusters of redundant Security Gateways and provides transparent failover between
machines in a cluster.
Stateful Failover
When Stateful Failover is enabled, the active unit continually passes per-connection state information to the standby
unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user
applications are not required to reconnect to keep the same communication session.
Q: - What is Data encryption?
Data encryption ensures data confidentiality and is very important for confidential or critical data. It
protects data from being read in transit; combined with integrity protection (a MAC or authenticated
encryption), it also prevents data from being altered or forged undetected.
Ans- At a very high level, encoding, encryption and hashing might appear to be similar, and people often
confuse them. But each technique is distinct and has a different use case. The purpose of
encoding is to transform data so that it can be properly (and safely) consumed by a
different type of system, e.g. binary data being sent over email, or viewing special
characters on a web page. The goal is not to keep information secret, but rather to ensure that
it's able to be properly consumed. It does not require a key, as the only thing required to decode it
is the algorithm that was used to encode it. Examples: ASCII, Unicode, URL encoding, Base64.
The purpose of encryption is to transform data in order to keep it secret from others. It uses
a key, which is kept secret, in conjunction with the plaintext and the algorithm, in order to
perform the encryption operation. Examples: AES, Blowfish, RSA. The purpose of hashing
is to take arbitrary input and produce a fixed-length string that has the following attributes:
Examples: MD5, SHA-1, SHA-2 etc. (MD5 and SHA-1 are no longer collision resistant and should not be
used where collisions matter; prefer SHA-2 or SHA-3.) Hashing is often used in computer forensics to
verify the integrity of digital evidence.
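The three operations described above, as an added Python example (not part of the original notes). Encoding is Base64 from the standard library, hashing is SHA-256 from hashlib, and the "encryption" is an illustrative keystream cipher built from SHA-256 in counter mode so that the example runs without third-party libraries; that construction, the key and nonce values, and the sample message are assumptions for the example, and the cipher is not a substitute for AES or another vetted algorithm. The last function shows the forensics use: comparing an evidence file against the digest recorded when it was acquired.

```python
import base64
import hashlib
import hmac

# --- Encoding: reversible by anyone who knows the algorithm; no key involved.
def encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def decode(text: str) -> bytes:
    return base64.b64decode(text)

# --- Encryption: needs a secret key. This is an illustrative keystream cipher
# (SHA-256 in counter mode) written for this example only; it is NOT a vetted
# cipher and must not be used in place of AES or another standard algorithm.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

decrypt = encrypt  # XOR with the same keystream undoes the operation

# --- Hashing: one-way, fixed length, no key; a tiny change flips about half the bits.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def bits_changed(a: bytes, b: bytes) -> int:
    """Hamming distance between the SHA-256 digests of two inputs (avalanche effect)."""
    da, db = hashlib.sha256(a).digest(), hashlib.sha256(b).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(da, db))

# --- Forensics use: verify an evidence file against the digest recorded at acquisition.
def evidence_intact(data: bytes, recorded_digest: str) -> bool:
    # compare_digest avoids leaking where the comparison stopped matching
    return hmac.compare_digest(sha256_hex(data), recorded_digest.lower())
```

Note that decoding needs no secret, decrypting with the wrong key yields garbage rather than an error, and the digest length is the same for an empty input and a multi-gigabyte image.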
A proxy server is a server (a computer system or an application) that acts as an intermediary for
requests from clients seeking resources from other servers. A client connects to the proxy server,
requesting some service, such as a file, connection, web page, or other resource available from a
different server and the proxy server evaluates the request as a way to simplify and control its
complexity. A firewall is basically meant for network traffic control/filtering, mainly at layer 3. It
allows/denies packets and connections based on certain pre-defined rules. IDS - an Intrusion
Detection System is an application which tries to detect intrusion attempts based on the attack
signature database it has. IPS - an Intrusion Prevention System detects the intrusion (like an IDS) and
goes one step further to prevent it as well: it simply drops the packets it considers suspicious (based
on rules).
Examples:
1. Proxy - Squid
2. Firewall - iptables, Cisco PIX, ZoneAlarm
3. IDS - Snort
4. IPS - IBM Proventia
Stateful inspection:
Also known as dynamic packet filtering, stateful inspection is a firewall technology that monitors the
state of active connections and uses this information to determine which network packets to allow
through the firewall.
Stateful inspection has largely replaced an older technology, static packet filtering. In static packet
filtering, only the headers of packets are checked -- which means that an attacker can sometimes get
information through the firewall simply by marking a packet as a "reply" in the header (for example, by
setting the TCP ACK flag) even though no matching connection exists. Stateful inspection, on the
other hand, analyzes packets down to the application layer. By recording session information such as IP
addresses and port numbers, a dynamic packet filter can implement a much tighter security posture
than a static packet filter can.
Anti-Spoof:
Anti-Spoof protection uses the routing table to verify if an incoming packet's source IP address was
spoofed. In most cases, subnets do not overlap across multiple interfaces (each physical interface has a
unique subnet) but when a subnet is configured on more than one interface, configuring Anti-Spoofing
protection can be confusing.
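The per-interface check described above, as an added Python example (not part of the original notes and not Check Point's implementation). The interface names and the networks configured behind each interface are constructed for the example; the external interface is modelled as "everything not claimed by another interface", and the same internal subnet is deliberately placed behind two interfaces to show the overlapping-subnet case the notes mention: the check must accept that subnet on either of its interfaces while still dropping it when it arrives from outside.

```python
import ipaddress

# Constructed interface topology (assumption): the networks expected *behind* each interface.
# None marks the external interface: any address not owned by another interface is expected there.
TOPOLOGY = {
    "eth0_external": None,
    "eth1_internal": ["10.0.0.0/8"],
    "eth2_dmz": ["192.0.2.0/24"],
    "eth3_internal_backup": ["10.0.0.0/8"],   # same subnet reachable over a second interface
}

def _networks(iface):
    return [ipaddress.ip_network(n) for n in (TOPOLOGY[iface] or [])]

def expected_interfaces(src):
    """All interfaces on which a packet with source src may legitimately arrive.

    A subnet configured on more than one interface yields more than one owner; an address
    owned by no internal interface falls back to the external interface(s)."""
    addr = ipaddress.ip_address(src)
    owners = [i for i in TOPOLOGY if any(addr in n for n in _networks(i))]
    if not owners:
        owners = [i for i, nets in TOPOLOGY.items() if nets is None]
    return owners

def antispoof_check(iface, src):
    """Return 'pass', or a 'drop: ...' reason, for a packet with source src arriving on iface."""
    if iface not in TOPOLOGY:
        return f"drop: unknown interface {iface}"
    allowed = expected_interfaces(src)
    if iface in allowed:
        return "pass"
    return f"drop: {src} is expected on {allowed}, arrived on {iface}"
```

The common misconfiguration is listing the shared subnet behind only one of the two interfaces, which makes the gateway drop legitimate traffic on the other; the fix is to put the subnet (or a group containing it) in the topology of every interface it can really arrive on, never to disable the check.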
Stealth rule: the stealth rule should prevent all direct connections to the Security Gateway
Source: Any
Destination: Security gateway
Service: Any
Action: Drop
This rule will drop all connections to the Security gateway, so it will become "invisible" to the outside
world.
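The stateful inspection behaviour described earlier (new connections evaluated against the rule base, packets of an existing connection passed on the state-table hit alone, a bare "reply" with no state entry dropped) together with the rule ordering described here, as an added Python simulation that is not part of the original notes. The gateway address, networks, rule base and packets are constructed for the example; the rule base is evaluated top-down, first match wins, and contains an administrator rule placed above the stealth rule, the stealth rule, an outbound HTTP rule, and a cleanup rule at the bottom that drops and logs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for the example (assumption, not from the notes).
GATEWAY = ipaddress.ip_network("203.0.113.1/32")
ADMIN_NET = ipaddress.ip_network("10.0.0.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: start of a new connection
    ack: bool = False   # TCP ACK flag: claims to be part of an existing one

# Rule base, evaluated top-down, first match wins: (src_net, dst_net, dport or None, action, log)
RULES = [
    (ADMIN_NET, GATEWAY, 22, "accept", False),   # admin access to the gateway, placed above stealth
    (ANY, GATEWAY, None, "drop", True),          # stealth rule: nothing else reaches the gateway
    (INTERNAL_NET, ANY, 80, "accept", False),    # outbound HTTP from the internal network
    (ANY, ANY, None, "drop", True),              # cleanup rule: drop and log everything else
]

class StatefulFilter:
    def __init__(self):
        self.state = set()   # 5-tuples (minus protocol) of accepted connections
        self.log = []

    def _match_rules(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for src_net, dst_net, dport, action, log in RULES:
            if src in src_net and dst in dst_net and (dport is None or dport == pkt.dport):
                if log:
                    self.log.append(f"{action} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
                return action
        return "drop"  # implicit default; the cleanup rule above makes it explicit and logged

    def process(self, pkt):
        forward = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        # Part of an existing connection (either direction): pass on the state-table hit alone.
        if forward in self.state or reverse in self.state:
            return "accept (state table)"
        # Not part of any connection: only a SYN may open one, and it must pass the rule base.
        if pkt.syn and not pkt.ack:
            action = self._match_rules(pkt)
            if action == "accept":
                self.state.add(forward)
            return action
        # A packet claiming to be a reply (ACK set) with no state entry is dropped. A static
        # packet filter that trusted the ACK flag in the header would have let it through.
        return "drop (no state)"
```

The server's SYN-ACK back to the client is accepted without consulting the rule base because the client's SYN created the entry; the forged "reply" from a different source is dropped for lack of one.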
Implied rules allow connections for different services that the Security Gateway uses. For example,
the Accept Control Connections option allows packets that control these services:
ClusterXL provides an infrastructure that ensures that data is not lost due to a failure, by ensuring
that each cluster member is aware of connections passing through the other members. Passing
information about connections and other Security Gateway states between the cluster members is
known as State Synchronization.
Security Gateway Clusters can also be built using OPSEC certified High Availability and Load Sharing
products. OPSEC certified clustering products use the same State Synchronization infrastructure as
ClusterXL.
UPGRADE Process (Check Point)
Use the export utility of the version for which you are creating the backup file. The backup file contains
the current system configuration (for example, objects, rules, and users).
Most firewalls support both policy based and route based VPNs. Which one to use in most cases doesn't
really matter, but there are a couple of things to consider.
Route based VPN is more flexible, more powerful and recommended over policy based. However a
policy based VPN is usually simpler to create.
A route based VPN creates a virtual IPSec interface, and whatever traffic hits that interface is encrypted
and decrypted according to the phase 1 and phase 2 IPSec settings.
In policy based VPN the tunnel is specified within the policy itself with an action of "IPSec". Also for
policy based VPN only one policy is required. A route based VPN is created with two policies, one for
inbound and another for outbound with a normal "Accept" action.
A static route is also required for a route based VPN, so anything destined to the remote network must
go through the virtual IPSec interface which was created when specifying this within the Phase 1
settings.
A route based VPN is also required when using redundant VPN connections. A route based VPN only
works in route mode, whereas a policy based VPN works in both route and transparent mode.
Conclusion
If your requirement is to create redundant VPN connections and your firewall is in route/NAT mode
(99% of the time it is) then use a route based VPN. If you don't require redundant VPN connections then
you can use a policy based VPN. There are other reasons to use one or the other as well but they are
rarely required.
OSI Model Cheat Sheet
1. Physical Layer (Layer 1)
o Establishes connections among host machines. Can reach any machine on the local
network, but cannot reach machines on other networks.
2. Data Link Layer (Layer 2)
o Breaks data into frames, transmits frames, and processes acknowledgment frames
sent back by the receiver (error-checking function)
o Provides the Media Access Control (MAC) address
o A bridge is a layer 2 device
3. Network Layer (Layer 3)
o Responsible for routing and relaying data (packets) from one device to another
through the network
o Routing decisions are made on the layer 3 address (i.e. the IP address)
o A router is a layer 3 device
4. Transport Layer (Layer 4)
o Responsible for handling the processes that use the network for communication.
These functions include flow control, error detection and correction, and congestion
control.
o Gets data from one computer's port to another's
o Example: TCP
Packet flow through the gateway:
Packet -->
Routing lookup for the destination IP -->
Rule base lookup for a matching rule that allows the packet -->
NAT (what is the sequence in which the different types of translation are checked?) -->
VPN -->
Anti-virus check -->
URL filtering -->
IPS module inspection -->
ARP --> egress interface.
Q: - If you are a victim of a Denial of Service (DoS) attack, what do you do?
The function of a denial of service attack is to flood its target machine with so much traffic that it
cannot respond to any other requests or provide its services.
To mitigate SYN-flood DoS attacks the firewall can be configured as a relay (a SYN proxy); in this
approach the firewall responds on behalf of the internal host. During the attack, the firewall answers the
SYN sent by the attacker with a SYN-ACK; since the attacker's ACK never arrives, the firewall drops the
half-open connection and the internal host never sees it.
Keeping protocols and antivirus software up to date also helps to avoid becoming a victim of DoS.
Regular scanning of the machine is also necessary in order to detect any anomalous behavior.
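The relay behaviour described above, as an added Python simulation that is not part of the original notes and not Check Point's implementation. The firewall answers every SYN itself, keeps a bounded table of half-open entries, expires entries whose ACK never arrives, and only opens a connection to the protected host once a client completes the handshake. Time is a number supplied by the caller, SYN cookies and sequence numbers are omitted, and the flood sizes, timeout, addresses and ports are constructed for the example.

```python
from collections import OrderedDict

class SynProxy:
    """Firewall answering TCP SYNs on behalf of the protected host (the 'relay' in the notes)."""

    def __init__(self, timeout=3.0, max_half_open=1000):
        self.timeout = timeout
        self.max_half_open = max_half_open
        self.half_open = OrderedDict()   # (client, port) -> time the SYN-ACK was sent, oldest first
        self.server_connections = []     # connections actually opened to the protected host
        self.dropped = 0

    def on_syn(self, client, port, now):
        self.expire(now)
        if (client, port) in self.half_open:
            return "retransmit"           # duplicate SYN, entry already exists
        if len(self.half_open) >= self.max_half_open:
            self.dropped += 1
            return "drop"                 # table full: shed load instead of forwarding to the server
        self.half_open[(client, port)] = now
        return "syn-ack"                  # firewall answers; the server is not involved yet

    def on_ack(self, client, port, now):
        self.expire(now)
        if (client, port) not in self.half_open:
            return "drop"                 # ACK without a matching half-open entry
        del self.half_open[(client, port)]
        self.server_connections.append((client, port))
        return "connect-to-server"        # handshake completed, now open the real connection

    def expire(self, now):
        """Remove half-open entries whose ACK never arrived within the timeout."""
        while self.half_open:
            key, started = next(iter(self.half_open.items()))
            if now - started < self.timeout:
                break                     # entries are in time order, the rest are younger
            del self.half_open[key]

def simulate_flood(n_spoofed=5000, timeout=3.0):
    """n_spoofed SYNs from spoofed sources that never ACK, then one legitimate client."""
    proxy = SynProxy(timeout=timeout, max_half_open=1000)
    t = 0.0
    for i in range(n_spoofed):
        proxy.on_syn(f"198.51.100.{i % 250}", 10000 + i, t)   # constructed spoofed sources
        t += 0.0001
    legit = ("192.0.2.55", 55555)                             # constructed legitimate client
    first = proxy.on_syn(*legit, t)          # arrives while the table is full
    t += timeout + 1                         # flood entries age out
    second = proxy.on_syn(*legit, t)         # the client's SYN retransmit gets through
    ack = proxy.on_ack(*legit, t + 0.05)
    return proxy, first, second, ack
```

The protected host sees exactly one connection, the legitimate one; the 5000 spoofed SYNs cost the firewall a bounded table and some drops, which is the trade the relay makes. Without the proxy the same flood would sit in the server's own backlog.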
Q: - If we have to generate a hash function, what characteristics are needed in a secure
hash function?
A secure hash function should have the following characteristics:
If you had to both encrypt and compress data during transmission, which would
you do first, and why?
If they don’t know the answer immediately it’s ok. The key is how they react. Do they panic, or
do they enjoy the challenge and think through it? I was asked this question during an interview at
Cisco. I told the interviewer that I didn’t know the answer but that I needed just a few seconds to
figure it out. I thought out loud and within 10 seconds gave him my answer: "Compress then
encrypt. If you encrypt first you'll have nothing but random data to work with, which will
destroy any potential benefit from compression."
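The size argument made above, measured, as an added Python example that is not part of the original post. The sample plaintext (a repeated HTTP request) is constructed for the example, and the "encryption" is a stand-in stream cipher that XORs the data with a key-seeded pseudo-random stream, chosen only so that the output is incompressible like real ciphertext; it is not a real cipher and the key is an arbitrary example value.

```python
import random
import zlib

# Constructed sample plaintext (assumption): repetitive text, the kind that compresses well.
SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nCookie: session=abc123\r\n\r\n" * 32

def xor_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for a stream cipher: XOR with a key-seeded pseudo-random stream. Illustration only."""
    stream = random.Random(key).randbytes(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    return xor_encrypt(key, zlib.compress(data, 9))

def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    return zlib.compress(xor_encrypt(key, data), 9)

def size_ratio(out: bytes, original: bytes) -> float:
    """Bytes on the wire as a fraction of the original size (smaller is better)."""
    return len(out) / len(original)

def compare(key: bytes, data: bytes) -> dict:
    """Wire-size ratio for both orderings of the same plaintext and key."""
    return {
        "compress_then_encrypt": size_ratio(compress_then_encrypt(key, data), data),
        "encrypt_then_compress": size_ratio(encrypt_then_compress(key, data), data),
    }
```

One caveat a practitioner would add: compressing attacker-influenced data in the same stream as a secret (the cookie in the sample) leaks the secret through the compressed length, which is the CRIME/BREACH class of attack; compress-then-encrypt is the right order, but what goes into the same compression context still has to be chosen with care.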
Standard stuff here: single key vs. two keys, etc, etc.
In public-key cryptography you have a public and a private key, and you often
perform both encryption and signing functions. Which key is used for which
function?
You encrypt with the other person's public key, and you sign with your own private key. If they
confuse the two, don't put them in charge of your PKI project.
What’s the difference between Diffie-Hellman and RSA?
Core Technologies: - Check Point uses a common set of core technologies, such as INSPECT
for security inspection, across multiple layers of security.
Central Management: - All Check Point products can be managed and monitored from a single
administrative console.
Open Architecture: - Check Point has built its security architecture to be open and
interoperable in a heterogeneous environment. For example, Check Point products can
interoperate with other network and security equipment from third-party vendors to enable
cooperative enforcement of Security Policies.
Universal-update Ability: - Check Point has consolidated multiple security-alert and update
functions to ease update procedures and help Administrators ensure that security is always
up-to-date.
Q.2 How do Check Point components communicate and sync with each other?
Ans.
Secure Internal Communications (SIC) is the Check Point feature that ensures components,
such as Security Gateways, SmartCenter Server, SmartConsole, etc. can communicate with
each other freely and securely using a simple communication-initialization process.
Q.3 What are the major differences between SPLAT and Gaia?
Ans.
Gaia is the latest Check Point operating system, combining SecurePlatform (SPLAT) and IPSO. Here are
some benefits of Gaia compared with SPLAT/IPSO:
Q.5 How SIC work? What are the different ports of SIC?
Ans.
Secure Internal Communication (SIC) lets Check Point platforms and products authenticate
with each other. The SIC procedure creates a trusted status between gateways, management
servers and other Check Point components. SIC is required to install policies on gateways and
to send logs between gateways and management servers.
The ICA is created during the Security Management server installation process. The ICA is
responsible for issuing certificates for authentication. For example, ICA issues certificates such
as SIC certificates for authentication purposes to administrators and VPN certificates to users
and gateways.
Communication Initialization establishes a trust between the Security Management server and
the Check Point gateways. This trust lets Check Point components communicate securely. Trust
can only be established when the gateways and the server have SIC certificates.
Q.4 What are the different Check Point ports, and what is the purpose of each?
Ans.
Port   Proto  Service          Purpose
18183  TCP    FW1_sam          Check Point OPSEC Suspicious Activity Monitoring protocol (SAM API)
18184  TCP    FW1_lea          Check Point OPSEC Log Export API
18185  TCP    FW1_omi          Check Point OPSEC Objects Management Interface
18186  TCP    FW1_omi-sic      Check Point OPSEC Objects Management Interface with Secure Internal Communication
18187  TCP    FW1_ela          Check Point OPSEC Event Logging API
18190  TCP    CPMI             Check Point Management Interface
18191  TCP    CPD              Check Point Daemon protocol NG
18192  TCP    CPD_amon         Check Point Internal Application Monitoring NG
18193  TCP    FW1_amon         Check Point OPSEC Application Monitoring NG
18201  TCP    FGD_SVC_PORT
18202  TCP    CP_rtm           Check Point Real Time Monitoring
18203  TCP    FGD_RTMP_PORT
18204  TCP                     CE communication
18205  TCP    CP_reporting     Check Point Reporting Client protocol
18207  TCP    FW1_pslogon      Check Point Policy Server Logon protocol
18208  TCP    FW1_CPRID        Check Point Remote Installation protocol (SmartUpdate)
18209  TCP    FWM              CA for establishing SIC communication
18210  TCP    FW1_ica_pull     Check Point Internal CA Pull Certificate Service
18211  TCP    FW1_ica_push     Check Point Internal CA Push Certificate Service
18212  UDP                     Connect Control - Load Agent port
18213  TCP    cpinp            inp (admin server)
18214  TCP    cpsmc            SMC
Order of operations in the case of source NAT (SNAT):
1. Anti-spoofing
2. Session lookup
3. Policy lookup
4. Routing
5. NAT
Order of operations in the case of destination NAT (DNAT):
1. Anti-spoofing
2. Session lookup
3. Policy lookup
4. NAT
5. Routing
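The two orderings above, and the packet-flow list earlier in these notes, as an added Python simulation that is not part of the original notes and not Check Point's code. The interfaces, routing table, NAT tables, policy and packets are constructed for the example. Policy is matched on the original (pre-NAT) addresses, which is what "policy lookup before NAT" implies; destination NAT is applied before the routing lookup and source NAT after it. The last function shows why the DNAT order matters: routing an inbound packet on its untranslated public destination would pick the wrong egress interface.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed example topology (assumption, not from the notes).
ROUTES = [  # (destination prefix, egress interface); longest prefix match
    ("10.0.0.0/8", "eth1_internal"),
    ("192.0.2.0/24", "eth2_dmz"),
    ("0.0.0.0/0", "eth0_external"),
]
TOPOLOGY = {"eth0_external": None, "eth1_internal": "10.0.0.0/8", "eth2_dmz": "192.0.2.0/24"}
PUBLIC_IP = "203.0.113.10"                  # the gateway's public address
STATIC_NAT = {PUBLIC_IP: "192.0.2.80"}      # inbound destination NAT: public address -> DMZ web server
HIDE_NAT = {"10.0.0.0/8": PUBLIC_IP}        # outbound source NAT: internal hosts hidden behind PUBLIC_IP
POLICY = [  # (src prefix, dst prefix, dport or None, action), matched on ORIGINAL (pre-NAT) addresses
    ("0.0.0.0/0", PUBLIC_IP + "/32", 80, "accept"),
    ("10.0.0.0/8", "0.0.0.0/0", 443, "accept"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "drop"),
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def route(dst):
    """Longest-prefix-match lookup; returns the egress interface."""
    matches = [r for r in ROUTES if _in(dst, r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]

def antispoof(ingress, src):
    owners = [i for i, net in TOPOLOGY.items() if net and _in(src, net)]
    return ingress in owners or (not owners and TOPOLOGY[ingress] is None)

def policy(pkt):
    for s, d, port, action in POLICY:
        if _in(pkt.src, s) and _in(pkt.dst, d) and port in (None, pkt.dport):
            return action
    return "drop"

def process(pkt, ingress, sessions=None):
    """Run a packet through the stages in the order the notes give.

    Returns (verdict, egress interface, packet as it leaves, list of stages visited)."""
    sessions = set() if sessions is None else sessions
    trace = ["antispoof"]
    if not antispoof(ingress, pkt.src):
        return "drop", None, pkt, trace
    trace.append("session lookup")
    if (pkt.src, pkt.dst, pkt.dport) not in sessions:       # new connection: consult the rule base
        trace.append("policy lookup")
        if policy(pkt) != "accept":
            return "drop", None, pkt, trace
        sessions.add((pkt.src, pkt.dst, pkt.dport))
    if pkt.dst in STATIC_NAT:
        # DNAT: translate first, then route on the real destination
        pkt = replace(pkt, dst=STATIC_NAT[pkt.dst])
        trace.append("NAT (dst)")
        egress = route(pkt.dst)
        trace.append("routing")
    else:
        # SNAT: route on the (unchanged) destination, then hide the source on the way out
        egress = route(pkt.dst)
        trace.append("routing")
        for net, hide in HIDE_NAT.items():
            if _in(pkt.src, net) and egress == "eth0_external":
                pkt = replace(pkt, src=hide)
                trace.append("NAT (src)")
    return "accept", egress, pkt, trace

def route_before_dnat(pkt):
    """What a gateway that routed BEFORE destination NAT would choose for the same inbound packet."""
    return route(pkt.dst)
```

For the inbound packet to the public address the translated destination routes to the DMZ interface, while routing on the untranslated address would send it back out the external interface. The outbound packet's route does not depend on its source, so hiding the source after routing loses nothing.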
Question 1 Which of the applications in Check Point technology can be used to configure
security
objects?
Answer:SmartDashboard
Question 2 Which of the applications in Check Point technology can be used to view who did
what to the security policy (administrator audit)?
Answer:SmartView Tracker
Question 5 What are the functions of the CPD, FWM, and FWD processes?
Answer:
CPD
CPD is high in the hierarchical chain and helps to execute many services, such as
Secure Internal Communication (SIC), licensing and status reporting.
FWM
The FWM process is responsible for the execution of the database activities of the SmartCenter server. It is,
therefore, responsible for policy installation, Management High Availability (HA) synchronization, saving the
policy, database read/write actions, log display, etc.
FWD
The FWD process is responsible for logging. It is executed in relation to logging, Security
Since the advent of the firewall (though not necessarily true with early access lists), the default behavior
of a firewall is to drop all traffic that is not explicitly allowed. For this reason, an explicitly defined cleanup
rule is effectively redundant to the default behavior of the firewall as far as the verdict goes; its value is
that it logs what the implicit drop would discard silently.
Backup files are stored in /var/CPbackup/backups.
Snapshot via the CLI: run the command: snapshot
Snapshots are stored in /var/CPsnapshot/snapshots.
1. Log on to the device via https://<IP-Address> (the default port is 443 unless it has been changed to
avoid a clash with SSL VPN)
14) How can you configure a Log server, and where in Check Point is it configured?
23) What is fw monitor?
fw monitor is part of every FW-1 installation and the syntax is the same for all possible
installations. Contrary to snoop or tcpdump, fw monitor does not put an interface into
promiscuous mode because it works as a kernel module.
CoreXL vs SecureXL
1) What was the first version of Check Point you worked on? Answer: From R65
2) What is the difference between CP NG and CP NGX? Answer:
3) In how many modes can Check Point be installed?
4) What is the architecture of Check Point? Answer:
5) What is SIC? Answer: Secure Internal Communication
6) What is NAT, and how many types of NAT are supported by Check Point? Explain. Answer: NAT is
short for Network Address Translation
7) What are unicast and multicast?
8) What rules define the Stealth and Clean up rules? Answer: The Stealth rule is at the top of the policy and
explicitly blocks access to the firewall. The Clean up rule is placed at the bottom of the policy and explicitly drops
and logs all the traffic that has not matched the other rules
9) Can we configure rules above the stealth rule? Answer: Yes, for example to allow access for administrators
10) What is the purpose of the clean up rule? Answer: The Clean up rule is placed at the bottom of the policy and
explicitly drops and logs all the traffic that has not matched the other rules
11) How can you configure the SmartView client on a new PC?