Académique Documents
Professionnel Documents
Culture Documents
Management (CCSE)
Student User Guide
Ve r s i o n 4 . 0 R e v i s i o n B
Document # CPTS-DOC-C1012 Rev. B
© Copyright 1999 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright
and distribution under licensing restricting their use, copy, and distribution. No part of
this documentation may be reproduced in any form or by any means without prior
written authorization of Check Point Software Inc. While every precaution has been
taken in the preparation of this document, Check Point assumes no responsibility for
errors or omissions. This document and features described herein are subject to
change without notice.
Trademarks:
FireWall-1, SecuRemote, Stateful Inspection, INSPECT, Check Point and the Check
Point logo are trademarks or registered trademarks of Check Point Software
Technologies Ltd. Sun, SPARC, Solaris, and SunOS are trademarks of Sun
Microsystems, Inc. UNIX and OPEN LOOK are registered trademarks of UNIX
System Laboratories.
Unit I — Chapter 1:
The Firewall Challenge 7
Introduction ........................................................................................................... 7
The Firewall Challenge ......................................................................................... 8
The Enterprise Security Challenge .............................................................................................. 9
Evolution of Security Management .............................................................................................. 9
Building Enterprise Security ....................................................................................................... 10
OPSEC ...................................................................................................................................... 11
FireWall-1 Year 2000 Compliance ............................................................................................. 13
Backup ....................................................................................................................................... 13
Unit I - Chapter 2:
FireWall-1 Architecture Overview 15
Unit I — Chapter 3
Product Overview 23
Introduction ........................................................................................................ 23
Objectives .................................................................................................................................. 23
Key Terms .................................................................................................................................. 23
FireWall-1 Product Type ..................................................................................... 24
FireWall-1 Products ................................................................................................................... 24
Product Types ............................................................................................................................ 24
Modules ..................................................................................................................................... 24
Single Products .......................................................................................................................... 25
Enterprise Products ................................................................................................................... 25
Add-On Modules ........................................................................................................................ 26
Installation Considerations ......................................................................................................... 26
Segmented Networks ................................................................................................................. 27
Review ................................................................................................................ 29
Summary .................................................................................................................................... 29
Review Questions ...................................................................................................................... 29
Unit II — Chapter 1:
Advanced Security Policy 33
Introduction ......................................................................................................... 33
Objectives .................................................................................................................................. 33
Key Terms .................................................................................................................................. 34
Security Policy Overview ........................................................................................................... 34
Masking Rules .................................................................................................... 35
Overview .................................................................................................................................... 35
Hiding Rules ............................................................................................................................... 35
Viewing Hidden Rules ................................................................................................................ 37
Unhiding Hidden Rules .............................................................................................................. 38
Querying the Rule Base ..................................................................................... 39
Query Screens ........................................................................................................................... 39
Adding Query to a Rule Base .................................................................................................... 42
Disabling Rules ................................................................................................... 44
Overview .................................................................................................................................... 44
Disabling Rules .......................................................................................................................... 44
Enabling a Disabled Rule ........................................................................................................... 45
Lab 1: Policy Editor ............................................................................................. 46
Blocking Connections ......................................................................................... 54
Starting the Log Viewer .............................................................................................................. 54
Block Intruder ............................................................................................................................. 54
The Block Intruder Screen ......................................................................................................... 55
Block Request ............................................................................................................................ 56
Using Block Request .................................................................................................................. 56
Lab 2: Block Intruder ......................................................................................... 58
Uninstalling a Security Policy ............................................................................. 60
The Uninstall Security Policy Screen ......................................................................................... 60
Steps for Uninstalling a Security Policy ..................................................................................... 60
Security Policy File ............................................................................................. 62
Guidelines for Improving FireWall-1 Performance via a Security Policy ............ 65
Management Module ................................................................................................................. 65
Firewall Module .......................................................................................................................... 65
Unnecessary Services ............................................................................................................... 66
Review ................................................................................................................ 67
Summary .................................................................................................................................... 67
Review Questions ...................................................................................................................... 67
Unit II — Chapter 2:
User Defined Tracking 69
Introduction ......................................................................................................... 69
Objectives .................................................................................................................................. 69
Key Terms .................................................................................................................................. 69
User Defined Tracking ........................................................................................ 70
Configuring a Rule ..................................................................................................................... 71
The Log and Alert Tab ............................................................................................................... 72
Setting up User Defined Tracking .............................................................................................. 73
Adding User Defined Tracking to the Security Policy ................................................................ 74
alertf ........................................................................................................................................... 74
Lab 3: User Defined Tracking with alertf ............................................................ 76
Review ................................................................................................................ 77
Summary .................................................................................................................................... 77
Review Questions ...................................................................................................................... 77
Unit II — Chapter 3:
SYNDefender 79
Overview ............................................................................................................. 79
Objectives .................................................................................................................................. 79
Keywords ................................................................................................................................... 79
TCP/IP Three-Step Handshake .......................................................................... 80
Normal Handshake .................................................................................................................... 80
The SYN Flooding Attack ................................................................................... 81
Network Attack ........................................................................................................................... 81
The Backlog Queue ................................................................................................................... 81
Guidelines for Deploying SYNDefender with FireWall-1 .................................... 83
Deploying SYNDefender Gateway ............................................................................................. 83
Defending Against SYN Flooding Attacks .......................................................... 84
The SYNDefender Properties Screen ........................................................................................ 84
Unit II — Chapter 4:
Content Security 91
Introduction ......................................................................................................... 91
Objectives .................................................................................................................................. 91
Key Terms .................................................................................................................................. 91
Understanding Content Security ......................................................................... 92
Content Security ........................................................................................................................ 92
Content Vectoring Protocol (CVP) ...................................................................... 94
Anti-Virus Inspection .................................................................................................................. 94
Implementing Anti-Virus Inspection ....................................................................................................95
URL Filtering Protocol (UFP) .............................................................................. 96
How UFP Works ........................................................................................................................ 96
Implementing Content Security .......................................................................... 97
HTTP Security Server ................................................................................................................ 97
SMTP Security Server ............................................................................................................... 97
FTP Security Server ................................................................................................................... 97
Java and ActiveX Stripping ........................................................................................................ 97
CVP and UFP Servers ........................................................................................ 98
Creating a New Resource ................................................................................ 100
Add a Resource to a Rule ................................................................................ 102
SMTP, HTTP, FTP Content Security ................................................................ 104
URI Resource .......................................................................................................................... 104
Wild Card Specification Type ................................................................................................... 104
File Specification Type ............................................................................................................. 107
UFP Specification Type ........................................................................................................... 110
SMTP Security Server ............................................................................................................. 112
FTP Security Server ................................................................................................................. 117
RADIUS Server ................................................................................................ 120
Unit IV — Chapter 1:
Router Management 263
Unit IV — Chapter 2:
Account Management Client 285
Unit IV — Chapter 3:
Load Balancing 325
Unit IV — Chapter 4:
Remote Management 361
Unit V — Chapter 1:
Troubleshooting 393
Appendix A:
Account Management Client Installation on HP UX and IBM AIX 409
Appendix B:
Security Considerations 413
Appendix C:
Solaris Command-Line Interface 415
Appendix D:
Check Point Product License Features for Version 4.0 447
Glossary 457
Introduction to CCSE
Introduction to Advanced
FireWall-1 Management
(CCSE)
1
2 CCSE Course Layout
Introduction to CCSA
Course This course is designed for administrators and resellers who require in-depth
Requirements knowledge of FireWall-1 that goes beyond basic installation, setup and
methodologies.
Prerequisites Before taking this course, we suggest that you have the following knowledge base:
You must complete and pass Check Point’s FireWall-1 CCSA test before
taking the CCSE course.
CCSI Course The CCSI course is designed for security engineers and resellers who seek Check
Point Security Instructor certification.
Introduction to CCSE
Day 1 Unit I
Chapter 1: The Firewall Challenge
Unit II
Chapter 1: Advanced Security Policy
Chapter 3: SYNDefender
Chapter 3: SecuRemote
Unit IV
Chapter 1: Router Management
Unit V
Introduction to CCSA
Lab Setup The following is the setup of your lab:
• Firewalled servers (www.yourcity.com) not connected to Internet
• Unique IP address for each firewalled server
• Root password to all systems: _______________________________________
(Your instructor will give you this password. Be careful with root access!)
• OpenWindows mouse-button controls (Solaris only):
Left - selects objects
Middle - selects additional objects or deselects objects
Right - displays menus
IP Addresses Table 1 lists the IP addresses for the FireWall-1 lab: Intro
Introduction to CCSE
FireWall-1 Server IP Address Internet Server IP Address
fw.detroit.com 204.32.38.101 www.detroit.com 192.168.1.1
fw.chicago.com 204.32.38.102 www.chicago.com 192.168.2.1
Lab Terms • Yourcity — the city name for your workstation pair
• Partnercity — the name of your partner city
• Site number — a number between 1 and 8 assigned to your workstation pair
Site-Number Table Table 2 lists site numbers for each of the lab stations.
Chicago 2
London 3
New York 4
Paris 5
Tokyo 6
Moscow 7
Berlin 8
Introduction to CCSA
New Platforms Firewall modules can now be installed on Ipsilon and TimeStep PERMIT/Gate
platforms.
Encryption ISAKMP/Oakley is now supported for VPNs and SecuRemote, including ENTRUST
PKI, and is exportable worldwide.
Authentication A number of major improvements have been implemented in the FireWall-1 version
4.0 authentication feature:
Client Authentication can now be performed using a Web browser. The following new
Authentication features are available:
Security Servers All FireWall-1 security servers now support OPSEC version 1.0. The HTTP security
server supports FTP and HTTPS.
Support for New Network address translation now supports H-323, NetShow, VXtreme and many other
Services services that were not supported in earlier versions of FireWall-1. This further extends
FireWall-1’s impressive list of over 120 out-of-box supported services.
Introduction
The main challenge in any network is security. A security engineer’s dilemma is how
to protect the network not only from outside intrusion but from internal breaches, too.
Passwords alone are not enough. They can be broken, intercepted and given to
individuals within a corporate hierarchy. Other methods of securing a network must be
employed: encryption, router management, security policies and content-vectoring
protocols. FireWall-1 gives you these tools, and more, in order to build a safe, secure I-1
network.
7
8 The Firewall Challenge
FireWall-1 is an enterprise product that reaches beyond a singular device that protects
networks from outside attacks. FireWall-1 can be integrated within a network
structure to deny or allow passage from one section of a network to another.
Corporate Intranet
Manufacturing
Marketing
Router
Firewall
Accounting
Legal
Figure 2: Single Firewall Protects Network
Example
The Enterprise The next challenge is how to design the network with firewall technology and assure
Security Challenge that the network is protected from internal attacks or those just snooping around.
Corporate Intranet
Marketing
Manufacturing Internet
Router
I-1
Legal
Example
Evolution of Back in the old days, the emphasis on network security was quite restrictive, but
Security network security worked. With the evolution and popularity of the Internet, security
Management risks became greater. Security engineers have had to rethink security needs and adapt
them to their networks. Figure 4 illustrates a comparison that was the accepted
paradigm, with what is now considered to be current network considerations.
The structure of a secure network starts with forethought and planning before the
actual installation and implementation of the firewall. Given that, there are many
issues to consider for security needs. Selection of a firewall should be based on the
following:
• Open, flexible system design
• Scalable for enterprise growth
• Rapid extensibility to securely manage new applications and protocols
• Simple to customize
• Integrated via policy-based management:
Define an enterprise-wide security policy
Distribute it to multiple network access points
Centrally manage the policy
Building Enterprise Within an organization, the following steps for building the firewall might be part of
Security the planning process:
Defining
Policy Component
Definition
Education
Enforcement
Reinforcement
Implementing
Technology Component Access control
Standards-compliant authentication and encryption
Defining
Network address translation
Anti-virus, URL and Java/ActiveX screening
Connection control
Enterprise Management
Monitoring
Auditing and Monitoring
Monitoring security status
Configuring changes
Scanning for holes
OPSEC OPSEC allows the FireWall-1 product line to be enhanced with the addition of third
party commercial or customer developed applications. Additionally, OPSEC enables
FireWall-1’s product line to be integrated into existing enterprise management,
application and security environments. I-1
Service Description
LEA Server Provides FireWall-1 log records, in batch or real-time, to an
LEA Client.
OMI Server Provides rule and object information (associated with the
firewalls controlled by the Management Server local to the
OMI Server) to an OMI Client.
UFP Dictionary & Requests the categorization levels offered by the server.
Description Request These categories are then used by the Management
Client Server to build rules associated with the server’s
categorization criteria.
New security-related applications and systems are created by writing special purpose
clients and servers that interact with their corresponding OPSEC clients and servers
on FireWall-1.
FireWall-1 Year 2000 FireWall-1 version 4.x is year 2000 compliant. FireWall-1 uses a four-digit year
Compliance representation in all date fields. This will take effect when the computer system date
changes from the year 1999 to the year 2000. All leap-year date calculations will be
handled properly both before and after the year 2000.
Backup To back up FireWall-1 setup information, you should save the following files:
• Network Objects: $FWDIR/conf/objects.C
• Rule base: $FWDIR/conf/*.W
• Rule bases (on NT or all platforms with version 4.x): $FWDIR/conf/rulebases.fws
• User database: $FWDIR/conf/fwauth.NDB*
FireWall-1 Architecture
FireWall-1’s architecture is based upon two components: Stateful Inspection and the
FireWall-1 Inspection Module. Stateful Inspection, which is the technology upon
which FireWall-1’s enterprise security solution is based, assures the highest level of
network security.
FireWall-1 Architecture
• No packet is processed by any of the higher protocol layers unless FireWall-1
verifies that it complies with the enterprise security policy
• The Inspection Module stores and updates state and context information in
dynamic connections tables
Overview
15
16 How FireWall-1 Works
Inspect Engine in When packets pass through an internal NIC, as shown in Figure 7, the FireWall-1
the Kernel Module kernel module inspects the packets by accessing its rule base and checks the packets
against the control properties (Figure 7):
Packet Inspected in The FireWall-1 kernel module uses the INSPECT engine to control traffic passing
Kernel Module between networks. The FireWall-1 kernel module has access to the lowest level of
communication, and can inspect all layers of a packet and its data.
Inspect Allowing If packets pass FireWall-1 inspection, the Firewall Module passes the packets through
Packets the TCP/IP stack and to their destination. Packets pass through the NIC to the
INSPECT engine and on up the network stack. Some packets are destined for the
operating system’s local processes. In this case, the Firewall Module inspects the
packets and passes them through the TCP/IP stack to the processes (Figure 8):
If packets do not pass inspection, they are rejected or dropped, according to the
FireWall-1 rule base (Figure 8):
I-2
FireWall-1 Architecture
Overview
A detailed flow of the packets through the INSPECT engine is shown in Figure 9:
Sitting at the bottom of the TCP/IP protocol stack, the kernel component receives
packets just before or just after a network card receives them. It is responsible for
inspection, encryption and network address translation.
Kernel Attachment This basic component of the kernel handles the kernel attachment, to ensure that
FireWall-1 inspects all packets passing through the TCP/IP protocol stack. It also
ensures that these packets have a chance to enter the system. Due to the differences in
kernel structure, this part is written differently to every operating system. It is written
with streams to NT and Solaris.
Kernel Virtual The virtual machine executes the INSPECT machine-language code. This is the
Machine compiled form of the firewall flow policy, on packets received by the
Kernel.Attachment. The virtual machine decides on an action and possibly generates
log entries and alerts. It is a stack machine with additional memory in the form of
tables, segment registers, and packet data.
Kernel Address The Kernel.Address_Translation basic component translates the source and
Translation destination IP addresses and the TCP/UDP port numbers, or sequence numbers in
ICMP packets. Address translation rules can come from the following sources:
• Explicit definition in the security policy
• Content security
Two separate mechanisms perform address translation: the first packet of a connection
is checked against the address translation rules table, and is “address translated”
according to the first rule that it matches. The address translation might include the I-2
allocation of a port number. The Kernel.Address_Translation basic component also
records the exact translation in a table. This is then used to translate further packets
FireWall-1 Architecture
belonging to the same TCP/UDP connection or ICMP virtual connection.
The basic component is also responsible for special protocol support with network
address translation, such as FTP port commands. This is necessary because some
protocols send port numbers and/or IP addresses as part of the data payload.
Overview
Kernel Encryption This basic encryption component is used to encrypt and decrypt packets according to
an encryption mechanism and keys determined by the FireWall-1 daemon. It supports
FWZ (with both DES and FWZ-1, a proprietary Check Point algorithm), Manual
IPSec, SKIP and ISAKMP/Oakley (IKE).
Kernel Logging The Kernel.Logging basic component transfers log entries, alerts and kernel traps
from the kernel component to the daemon for further handling. The entries are written
either to a circular buffer or to a stream, which stores them in a buffer.
Kernel loctl Handler When the daemon needs to tell the kernel module to do something, it does so by
issuing ioctl commands. This basic component then receives the ioctl command and
acts accordingly.
The FireWall-1 daemon component does what all kernel components cannot do
because of their limitations. For example, a kernel component cannot open a file or
initiate an IP packet. The daemon, however, can read the log entries from the kernel,
write them to the log file, or send them to the Management Server.
The FireWall-1 daemon also replicates some of the command line utilities code. This
replication makes it possible to execute the same operation remotely without logging
into the firewalled computer. Code is both a part of the FireWall-1 daemon and the
command line utilities.
Daemon Logging The Daemon.Logging basic component reads entries from the FireWall-1
Kernel.Logging basic component. It then acts according to the entry, generates a log
entry, issues an alert or calls the Daemon.Kernel_Trap_Handler basic component.
In firewalled computers that are remotely managed, the logging mechanism attempts
to send the log entries and alerts to the Management Station. The logging mechanism
only logs locally if it fails. This connection is also authenticated, and if possible,
encrypted.
Daemon Kernel Trap The Daemon.Kernel_Trap_Handler accepts kernel traps and performs them on behalf
Handler of the kernel component. For example, there is a kernel trap to ask the daemon to I-2
negotiate encryption keys with another firewall.
Daemon IOCTL This basic component contacts the Kernel.IOCTL_Handler basic component directly FireWall-1 Architecture
when the daemon needs to tell something to the kernel component and there is no
utility with the same functionality.
Overview
Daemon Inet Similar to the Solaris inet daemon, this basic component of FireWall-1 listens for
connections coming to the ports that belong to the content security servers. When it
detects a connection, the daemon inet either runs the relevant content security server,
or (if it’s already running) transfers the connection to the content security server.
UDP Applications
UDP is a packet-based, connectionless protocol. Unlike connection based protocols
(such as TCP), there is no distinction between the originator of the request and the
response to it. UDP based applications (like WAIS, Archie, and Domain Name
Services) are therefore difficult to filter. Old packet-filtering techniques simply
eliminated UDP connections or opened a large portion of the UDP range to bi-
directional communication, exposing the internal network to attacks.
Solution
FireWall-1solves the problem by keeping a virtual connection on top of UDP
communications. This is achieved by keeping state information for each UDP
connection on the gateway. Every UDP request packet permitted to cross the firewall
is recorded.
Each incoming UDP packet is looked up in the list of pending connections. Packets
are delivered only if they are a response to a request, ensuring that all attacks are
blocked while UDP applications are in use.
Unit I — Chapter 3
Product Overview
Product Overview
Introduction
This chapter also describes various thought processes in planning the firewalled
network: where to install the various modules, if needed, and how a company benefits
from a segmented network.
23
24 FireWall-1 Product Type
FireWall-1 Products The FireWall-1 Enterprise Product contains the Management Module and the Firewall
Module. Both modules can be installed on separate machines. The enterprise product
can manage any number of Firewall Modules and Inspection Modules installed on
other machines, as well as routers and switches.
Modules Firewall modules operate independently of the firewall. Modules can operate on
additional Internet gateways, inter-departmental gateways and critical servers.
Management Module
A single Management Module can control and monitor multiple Firewall Modules.
The Graphical User Interface (GUI) Client is the front-end of the Management Server,
which manages the FireWall-1 database: the rule base, network objects, services,
users, and more.
Firewall Module
The Firewall Module includes the Inspection Module, the Security Servers and the
high availability features, where one firewalled gateway fails and another one takes
its place. The Firewall Module is also known as the firewalled gateway or firewalled
host.
Single Products The FireWall-1 line of single products includes the Inspection Module, Firewall-1 I-3
daemons and the FireWall-1 Security Server.
Product Overview
control up to 250 internal nodes (IP addresses) using the single gateway product,
depending upon which node license you purchase.
Inspection Module
The Inspection Module is identical to the Firewall Module, but it does not include the
Security Servers or high availability features. The Inspection Module can be installed
on a gateway, if these features are not required.
Enterprise Products Enterprise Management Console products provide several software options for
console locations including:
• A stand-alone Management Console offering that can manage multiple security
enforcement points
• Management Module license updates for managing by single router extension
• Management Module license updates for managing an unlimited number of
routers
• A stand-alone centralized Management Console that enables security
management for 3Com, Bay Networks, Cisco and Microsoft NT routers and Cisco
PIX firewalls
Add-On Modules Add-on modules provide optional encryption and/or increased quality of service
capabilities. Add-on modules are added and installed at security enforcement points,
and work in conjunction with and require one of the following:
• Enterprise Products
• Firewall Modules
• Inspection Modules
Installation The FireWall-1 Enterprise Product consists of the GUI Client, Management Module
Considerations and Firewall Module. The need to decide where the modules and GUI client reside
should be determined before installing FireWall-1. Security engineers need to plan the
installation of FireWall-1 carefully to assure maximum security.
Client/Server Configuration
With the Enterprise Product, security engineers may separate modules on different
machines. In Figure 11 the GUI Client resides on a separate machine, as does the
Management and Firewalled Modules. This provides the ability to control features of
a firewall from a remote site.
Router
GUI Management Firewall Internet
Module: Module:
Management Firewalled
Server Gateway
Product Overview
Figure 12: Two Internal Networks Protected by Two Firewalled Gateways
Segmented Security policy rules may be simplified if some logical form of segmentation is used
Networks at the client site. While network equipment manufacturing has been the easy
implementation and support of “flat” IP networks, modern network management
methodologies prescribe a level of hierarchical segmentation.
In hierarchical segmentation the network is divided into subnets along some form of
physical or logical boundaries. Subnets along physical boundaries might have a
different subnet per floor. Subnets along logical boundaries might have a different
subnet per business department. The more sophisticated networks will have
syntactical nomenclature systems, where the values of the different octets within the
address space can be encoded to the point that a great deal of information can be
determined just by the address. The most recent trend is in management links, IP
addressing, and host-naming nomenclature systems, where the name of a machine can
be determined by its network address and vice versa. This is becoming more common
as network address translation (NAT) and private addressing become more popular.
(Refer to RFC 1918.)
A simple example of the most recent trend in network nomenclature and general
management would be as follows:
Class A private address (10.a.b.c) sub-netted to Class-B (255.255.0.0) and Class-C
(255.255.255.0)
Where:
Octet (a) = Physical Site0 = the Collapsed backbone
1 = Headquarters
2 = Atlanta
etc….
Octet (b) = department0 = Site Backbone
1 = Executive
2 = Sales
3 = Data Entry
etc….
Octet (c) = Node type1-10 = servers
11-19 = Access Servers
20-30 = Printers
etc….
100 – 200 = User Workstations
201 – 254 = routers/switches
In this example, if the customer wanted to restrict the data entry staff in Atlanta from
having any outside access — or access anywhere internally in the case of internal
firewalling — it would be easier, and much more efficient from the firewall point of
view, to deny network 10.2.3.0 from reaching the outside with one single rule. The
alternative would be to restrict access on a list of hosts, some kind of user
authentication or other complicated mechanism.
Review I-3
Product Overview
Management Module
• Centralized graphical security management
• Single or unlimited security enforcement points
Inspection Module
• Access control
• Client and session authentication
• Network address translation
• Auditing
Firewall Module
• Inspection Module capabilities (above)
• User authentication
• Multiple firewall synchronization
• Content security
Review Questions 1. What are the products in the FireWall-1 product line?
Chapter 3: SYNDefender
Introduction
Rules are made to be broken. That idea might work well in grade school, but when
you want a secure network, the rules cannot be made to break. FireWall-1 gives you
the ability to maintain your rule base by giving you the following tools:
• Masking (hiding) rules
• Viewing hidden rules II-1
• Creating masks
• Unhiding rules
Advanced Security
• Using query to find specific rules
• Disabling rules
In addition to hiding and unhiding rules, FireWall-1 allows you to do the following:
• Block intruders by using three blocking options
Policy
• Install and uninstall a security policy
• Improving FireWall-1’s performance via a security policy
33
34
II-1
Advanced Security
Figure 13: Rule Number
2. Select Mask (hiding rules) from the View menu (Figure 14):
Policy
Figure 14: Selecting Mask
4. The rule is now hidden, but it is still part of the rule base and will be installed
when the security policy is installed.
Figure 16 shows a rule before being hidden. Figure 17 shows the same rule
after it is hidden.
When hiding rule 1 in Figure 17, rules 2 and 3 remain visible, but the rule
numbers do not change.
Example
Two organizations (within the same internal network) share the same security
policy, because they both share the same firewalled device. To hide the rules
for the second organization and display only the first organization’s rules,
security engineers use masking rules.
Figure 18 displays a rule base with all rules displayed for Org (organization) 1 III-3
and Org 2:
Figure 19 displays the rule base with the Org 2’s rules hidden and only Org
1’s rules displayed:
II-1
Advanced Security
Figure 19: Rules for Org 1 Only
Policy
Viewing Hidden If Show Hidden in the Mask menu is checked, then all hidden rules are displayed in
Rules the rule base together with the other rules. Figure 20 is the Show Hidden menu option
under Mask (hiding rules):
When they are revealed, hidden rules are colored differently from other
rules. Different coloring makes it easy to identify hidden rules when they
are revealed (Figure 21):
If Show Hidden is not checked, the hidden rules are not displayed. A thick, colored
horizontal line indicates the presence of hidden rules (Figure 22):
Thick Line
Whether they are displayed or not, hidden rules are installed when the
security policy is installed.
Unhiding Hidden To unhide all hidden rules, select Clear Mask from the Mask menu (Figure 23):
Rules
Query Screens To add a rule base query to FireWall-1, you will utilize the following screens:
• Rule Base Queries
• Rule Base Query
• Rule Base Query Clause
II-1
The Rule Base Queries Screen
The Rule Base Queries screen lists all defined queries, and allows you to add edit,
delete and apply queries (Figure 24):
Advanced Security
Policy
Figure 24: The Rule Base Queries Screen
And Mask — The selected query as a mask, ANDing it with any masks currently
applied.
Or Mask — The selected query as a mask, ORing it with any masks currently
applied. The difference between And Mask and Or Mask is as follows:
And Mask hides the (zero or more) rules that satisfy the query, in addition to any rules
that are already hidden.
Or Mask unhides the (zero or more) hidden rules that satisfy the query, in addition to
any rules that are already not hidden.
II-1
Advanced Security
Policy
Figure 26: The Rule Base Query Clause Screen
The only rules that are displayed, that is, the only rules that are not hidden, are those
whose Source includes localnet. Note that the Rule Base Queries screen is still open, II-1
allowing you to continue to define or use additional queries.
Example
Advanced Security
Refine a query so that the only rules displayed are those that satisfy the
following criteria. Source includes localnet and Service includes FTP:
Policy
2. Define a new query that specifies only the second criterion and apply both
queries, one after the other.
Figure 29 displays a rule base with the above two criteria applied:
Disabling Rules
Overview When security engineers disable a rule, the rule is no longer part of the rule base and is
not installed when the security policy is installed. However, the rule is still displayed
in the rule base, and you can re-enable it any time. This feature is useful for
experimenting with the rule base.
When a rule is disabled, a large red cross is drawn over its rule number (Figure 31): III-3
II-1
Advanced Security
Policy
Figure 32: Right-Click to Deselect Disable Rule
Objective: Use some of the new features in the policy editor. New features covered
will be disabling of individual rules, hiding of rules, queries and viewing implied
rules.
In this lab, use FTP instead of TELNET, if your web server is not running
the TELNET client.
Advanced Security
rule in the text box that appears.
11. Click OK.
Policy
Define a rule that allows any host outside of your network to get to your Web server
using an FTP service:
1. Pull down the Edit menu, and select Add Rule and After.
2. Right-click in the Source column of the new rule and select Add.
3. A dialog box listing the defined network objects appears. Select the network
object for your local network (net_yourcity) and click OK.
4. Right-click in the Source column again and select Negate.
5. Right-click in the Destination column of the new rule and select Add.
6. A dialog box listing the defined network objects appears. Select the Web server
and click OK.
7. Right-click in the Service column of the new rule and select Add.
8. A dialog box listing the defined services/protocols appears. Scroll the dialog box
screen down, select FTP and click OK.
9. Right-click in the Action column of the new rule and select Accept.
10. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears.
11. Click OK.
8. A dialog box listing the defined services/protocols appears. Scroll the dialog box III-3
screen down and select SMTP and click OK.
Advanced Security
rule in the text box that appears.
7. Click OK.
Policy
Define a clean-up rule (one that rejects all traffic) as the last rule in your rule base:
1. Pull down the Edit menu, and select Add Rule and Bottom.
2. Right-click in the Action column of the new rule and select Reject.
3. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears.
4. Click OK.
ftp www.yourpartnercity.com
ftp www.yourpartnercity.com
Advanced Security
4Connect to your partnercity
Verify that you can FTP from www.yourcity.com to www.yourpartnercity.com. On
www.yourcity.com, FTP to www.yourpartnercity.com with the following command:
ftp www.yourpartnercity.com
Policy
Does it work? (It should).
4Create HTTPrules query
Create a query called HTTPrules that will cause the rule-base editor to display only
rules that contain the HTTP service:
1. Pull down the View menu and select the Queries menu item. The Rule Base
Queries dialog appears.
2. Click the Add button from the Rule Base Queries dialog. The Rule Base Query
dialog box appears.
3. Enter the name HTTPrules for this query and click the Add button to add criteria.
This will cause the Rule Base Query Clause dialog to appear.
4. In the Clause Statement box, pull down the Column list and select services. This
will cause the left box (Not in list) to contain a list of the services available to
FireWall-1.
5. Select the HTTP service from the left box and click Add. This will transfer the
Advanced Security
4List visible rules
List the rules that are still visible in the rule base: Move the Rule Base Queries screen
so that you can see the rules in the rule base.
Policy
4Use HTTPRules query
Use the HTTPrules query as well to show rules that have HTTP in them:
1. Select the HTTPrules query in the Rule Base Queries screen.
2. Click the Or button in the Masks box of the Rule Base Queries screen.
Blocking Connections
Starting the Log To start the Log Viewer, follow these steps:
Viewer
Windows 95 or NT
1. Click Start> Programs> FireWall-1, or choose Log from the view menu in the
security policy window.
2. Select Log Viewer.
Solaris
1. Run $FWDIR/bin/fwlog.
Block Intruder FireWall-1 allows you to terminate and block any connection from or to a specific IP
address. There are two ways to terminate a connection: Block Intruder and Block
Request.
The Block Intruder The Block Intruder screen allows you to set the parameters to block out an intruder III-3
Screen (Figure 34):
Advanced Security
Figure 34: Block Intruder Widow
The fields you may set on the Block Intruder screen are as follows:
Policy
Connection ID and Connection Parameters — Those of the selected connection.
Blocking Scope — Select one of the options:
Block only this connection — The selected connection is terminated, and all
further attempts to establish a connection from the same source IP address to the
same destination IP address and port will be blocked.
Block access of this source — The selected connection is terminated, and all
further attempts to establish connections from the source IP address of the
selected connection will be denied.
Block access to this destination — The selected connection is terminated, and all
further attempts to establish connections to the destination IP address of the
selected connection will be denied.
Blocking Timeout — Select one of the options:
Indefinite — Block all further access until the firewall is stopped.
For... minutes — Block all further access attempts for the specified number of
minutes.
Block Request Block Request (Figure 35) is an option if the connection ID of the user is known. This
eliminates the need to search for the connection in the Log Viewer, and allows a
simple entry of the connection ID to access the Block Intruder screen.
Scenario: Someone from outside your internal network has initiated a TELNET
session into your Web server (www.yourcity.com). You wish to kill the TELNET
connection because you suspect it was sent with malicious intent.
1. Pull down the Edit menu, select Add Rule and then select After.
2. Right-click in the Source field of the new rule and select Add.
3. A dialog box listing the defined network objects will appear. Select the Web
server (www.yourcity.com) and click OK.
II-1
4. Right-click in the Destination field of the new rule and select Add.
5. A dialog box listing the defined network objects will appear. Select the network
object for your local network and then click OK.
Advanced Security
6. Right-click in the Destination field again and select Negate.
7. Right-click in the Service column of the new rule and select Add.
8. A dialog box listing the defined services/protocols will appear. Scroll the dialog
box screen down and select TELNET and click OK.
Policy
9. Right-click in the Action column of the new rule and select Accept.
10. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears. Click OK.
4Allow incoming TELNET sessions to your Web server
Verify that you have an installed rule that allows incoming TELNET sessions directed
to your www.yourcity.com machine. If not, then define a rule that allows any host
outside of your network to get to your Web server using the TELNET service:
1. Pull down the Edit menu, select Add Rule and then select After.
2. Right-click in the Source field of the new rule and select Add.
3. A dialog box listing the defined network objects will appear. Select the network
object for your local network and then click OK.
4. Right-click in the Source field again and select Negate.
5. Right-click in the Destination field of the new rule and select Add.
6. A dialog box listing the defined network objects will appear. Select the Web
server and click OK.
7. Right-click in the Service column of the new rule and select Add.
8. A dialog box listing the defined services/protocols will appear. Scroll the dialog
box screen down and select TELNET and click OK.
9. Right-click in the Action column of the new rule and select Accept.
10. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears. Click OK.
11. Save and install the policy.
When you install new security policies, do not delete the original policy.
Deleting the original policy could provide a way for external hackers to
threaten an internal network.
The Uninstall The Uninstall Security Policy screen (Figure 36) lists all internal, firewalled hosts and
Security Policy routers. By default, all internal, firewalled hosts and routers are already selected.
Screen
II-1
Advanced Security
Policy
Figure 36: The Uninstall Security Policy Screen
II-1
Advanced Security
Figure 38: The Default SPF
Policy
Security policy rules are kept in an individual SPF on the Management Station or
combined with rules of other FireWall-1 modules into a combined SPF.
Example
Name an SPF something that relates it to the Firewall Module. For example
the Detroit Firewall Module’s SPF (fw.detroit.com) could be named detroit.W
and would contain the options appearing in Figure 39:
In the Install On column of a rule base, specify the target as the Firewall
Module (Figure 40). The security engineer cannot accidentally load the SPF
onto the wrong Firewall Module.
You can combine SPFs by including combined rules of multiple Firewall III-3
Modules (Figure 41):
Advanced Security
In the Install On column of each rule, specify the targets as the Firewall
Module (Figure 42):
Policy
Figure 42: Multiple Targets in a Rule Base
Management Installation time for creating network objects can often be decreased by listing
Module machine names and IP addresses in the hosts files:
• /etc/hosts (Solaris)
• /winnt/system32/drivers/etc/hosts (Windows)
Firewall Module FireWall-1 performance depends on the hardware, the security policy, and the
characteristics of the network traffic. While the Firewall Module is inspecting packets,
the amount of time a packet spends in the kernel increases. The conclusion is that
Firewall-1 has a greater impact on latency — connection latency or transaction
latency — and less on bandwidth.
Rule base — Keep the rule base simple. Performance degrades when there is a very
large number of rules, or when the rules are complex.
Try to position the most frequently applied rules first in the rule base. For example, if
most connections are HTTP packets, the rule that accepts HTTP should be the first
rule in the rule base (Figure 43). Be sure to keep this rule as simple as possible.
Accounting and Live Connections — When using Accounting (Log Viewer), your
system performance may decrease (for NT, up to 10%; for Solaris, up to 13%). To
alleviate decreased performance, disable Accounting.
Figure 44 displays Account as part of the Track option for a specific rule:
III-3
Unnecessary When setting up security policy properties, do not include unnecessary services, such
Services as Real-Audio (Figure 45). You can add services to the rule base as needed.
II-1
Advanced Security
Policy
Figure 45: Real-Audio Service
Review
Summary It can become cumbersome when working with the rule base if you apply many
different rules that have many different functions. To make the rule base more
manageable, security engineers can apply rule masks, which allow engineers to see
only the rules they want to see. Masking involves hiding and unhiding rules. You may
even disable rules temporarily without deleting them from the rule base.
FireWall-1 also gives you the ability to query the rule base in order to find rules that
match specific criteria. This is a useful tool for rule bases that have many rules, or to
find rules that are very specific in their function.
You can create a security policy that specifies the types of rules that are to be
followed. A security policy can be shared among other firewalled systems. If the
security policy contains rules that do not apply to a certain system, those rules can be
hidden or disabled for that system. You may also uninstall a security policy, if
necessary. You may also find an improvement in FireWall-1’s performance if you
follow the guidelines for implementing a security policy.
When necessary you may specify that an intruder be blocked. You can block the
intruder in one of three ways:
• Block only this connection.
• Block access of this source.
• Block access to this destination.
If the intruder’s connection ID is known, then the Block Request option can be used.
This eliminates the need to search for the connection in the Log Viewer, and allows a
simple entry of the connection ID to access the Block Intruder window.
Review Questions 1. List the steps for hiding and unhiding rules.
4. Explain the process for sharing and maintaining a security policy between two III-3
different organizations within the same network.
6. What three methods of blocking an intruder can be used? How are they different
from each other?
II-1
7. What option could you use when the intruder’s connection ID is known?
Advanced Security
8. What data file is used to store the security policy? Where is the file located?
Policy
9. Define some guidelines for improving FireWall-1’s performance via a security
policy.
Introduction
FireWall-1 provides you with the ability to extend the alert handling capabilities
beyond what is typically provided with the firewall. Security engineers have the
option of writing their own custom alert handlers. This allows you to generate more
detailed, custom messages in alert situations, as well as associating priority/actions
with the alert handler. For example, you may want an audible alarm when spoofing is
detected on an external network interface, but only record some information to a file if
spoofing occurs on your internal network.
II-2
69
70 User Defined Tracking
User defined tracking is the process by which the option of an alert or log is
established. For example: Figure 46 shows the process of creating a mail (SMTP)
definition. The parameters are defined and alert is selected as the Exception Track.
Security engineers need to define how they will be notified by the alert.
The difference between FireWall-1 logs and user-defined alerts is that logging allows
you to view connection information, for example, viewing an IP address for an
incoming packet. Alerts are usually custom-written, and can be applied to any of the
user defined tracking properties of a security policy.
Add logs and alerts to user defined tracking to allow the following:
• Custom log filter programs to log screen entries generated by a specific rule
• Alerts when a complex condition is met
• A single rule to generate different types of alarms for different conditions
Example
Configuring a Rule Configuring a rule for user-defined alerts involves the following steps:
1. Write the user defined application script and install it on the firewall.
2. Specify the application name in the User Defined property field, located in the
Control Properties under the Log and Alert tab.
3. Add/modify a rule for User Defined Alert (a rule whose tracking field is
configured for UserDefined).
User-defined applications can be compiled or written using the following:
• C/C++
• Perl
• Bourne Shell
• C-Shell
II-2
The Log and Alert To set up user defined tracking, modify the Log and Alert tab of the Properties Setup
Tab screen (Figure 47):
Excessive Log Grace Period — Click on the arrow to set the minimum amount of
time (in seconds) between consecutive logs of similar packets.
Popup Alert Command — Type the operating-system command to execute on the
firewalled machine when an alert is issued. If you change this command, you may not
become aware of the condition that caused the alert. The default directory is $FWDIR/
bin/alert.
Mail Alert Command — Type the operating-system command to execute on the
firewalled machine when mail is the specified track of a rule. You can specify
commands other than mail.
SNMP Trap Alert Command — Type the operating-system command to be
executed on the firewalled machine when SNMP Trap is specified as the action in a
rule.
User Defined Alert Command — Type the operating-system command to be
executed when User-Defined is specified as the action in a rule.
The User Defined Alert Command is the option where security engineers
add the executable for the user-defined alert.
II-2
Adding User When the UserDefined property is set up, write it to the security policy (Figure 48):
Defined Tracking to
the Security Policy
alertf The user defined program alertf can be used to monitor the logging activity of a rule
and issue a specific alert when a condition is met.
Example
alertf 60 4 fwalert
Will run the normal alert script if there are four or more alerts in the last sixty
seconds.
The alertf program will generate a log entry (in the log directory) for each alert
in the N seconds in c:\winnt\system32\alertf.log. For Solaris administrators,
alertf generates a log entry in the directory where the firewall was started.
II-2
4Add User Defined tracking (if you already have a stealth rule skip this
step)
Add user defined tracking to the security policy:
1. Add a stealth rule: Pull down the Edit menu, and select Add Rule and Top.
2. In the Destination column of the new rule, right-click, select Add and Select your
firewall object. Click OK.
3. In the Action column, right-click and select Reject.
The stealth rule tracking is changed to reject for just this exercise. It
should normally be set to drop.
Review
Summary Firewall-1 provides security engineers the ability to write custom applications to be
invoked as alerts. Applications can summon a very simple alert, such as a notification
that shows up on the monitor or complex alerts that, perhaps, notify you through a
pager.
Review Questions 1. Why would you need to use user defined tracking? Be specific.
4. Under what circumstances would you use user defined tracking in your network? II-2
SYNDefender
Overview
SYNDefender
Protecting your network is not the same as using shields to protect the starship
Enterprise from an alien attack. There will be people who will want to bring down
your network by attacking it from the inside as well as the outside. If successful, they
will bring down all network communications, leaving you unable to communicate
both externally and internally.
79
80 TCP/IP Three-Step Handshake
With a normal TCP handshake, a client starts a connection to the server asking for
permission to talk. The server, in return, sends the client an acknowledgment. The
next step from the client is to return that acknowledgment to the server and thus begin
the communication.
Normal Handshake In a normal three-way handshake, both the client and server acknowledge and allow
communications (Figure 49):
I want Server
to talk
1.
SYN
Client
I’m
ready
Server
2.
SYN/ACK
Client
Let’s
go!
Server
3.
ACK
Client
A SYN flooding attack is a type of attack against a service that is designed to make
the service unavailable. The SYN flooding attack exploits the limitations of TCP/IP
protocols. II-3
Network Attack Figure 50 illustrates a SYN flooding attack that sends multiple SYN requests to a
server:
SYNDefender
Figure 50: SYN Flooding Attack
1 A SYN flood, from the client, puts the server on hold by sending multiple SYN
packets that have spoofed invalid IP addresses.
2 For each SYN packet, the server computer keeps waiting for a response to its
SYN/ACK packet until the connection attempts time out. The backlog queue’s
buffers fill up with the connection attempts and the server becomes unreachable
by legitimate clients.
3 ACK is not received from Client.
The Backlog Queue Each time a SYN packet arrives on a valid port, the packet must be allocated. If there
were no limit, a busy server could easily exhaust all of its memory just trying to
process TCP connections. However, there is an upper limit to the amount of
concurrent connection requests a given connection can have outstanding for a port.
This limit is the backlog queue, which is the length of the queue where incoming
connections are kept. The backlog queue refers to how the server deals with TCP.
This queue limit applies to both the number of incomplete connections (the three-way
handshake has not been completed), and the number of completed connections that
have not been pulled from the queue by the application through the accept call.
If this backlog limit is reached, the network server silently discards all incoming
connection requests until the pending connections can be dealt with. The backlog is
not large.
While there are no strict rules for when to use either of the SYNDefender solutions,
some basic guidelines will help you establish the appropriate policy for a given
situation. II-3
SYNDefender
server will not incur any delay in connection setup time.
2. The second advantage is that there is very little overhead on FireWall-1. However,
since connections are being established on the server, that is, moved from the
backlog queue, it is important to consider how many established connections the
protected server can support relative to the normal load handled by the server.
The SYNDefender To set up defenses against SYN attacks, modify the SYNDefender properties screen in
Properties Screen the FireWall-1 Security Policy GUI (Figure 51):
Timeout — Specifies how long FireWall-1 waits for the ACK from the client before
terminating the connection.
Maximum Sessions — Specifies the maximum number of protected sessions from
one connection. The maximum sessions allowed are the number of pending sessions
FireWall-1 allows from outside a network. If the value is changed, the new value will II-3
not take effect until the security policy is reinstalled.
For Solaris platforms, additional actions must be taken for the new value to take
effect. After the security policy is installed type, the following at the command
prompt:
$FWDIR/bin
SYNDefender
# fwstop
rem_drv fw
sync
add_drv fw
sync
fwstart
Display Warning Messages — Displays warnings to the system’s console in Solaris
and the Event Viewer in Windows NT.
SYNDefender Gateway
FireWall-1 tracks the state of the handshaking process (it does not perform any
handshaking on behalf of the server), and will reset "invalid" connection attempts as
necessary.
SYN Gateway Figure 52 illustrates how FireWall-1 handles the SYN gateway handshake:
Handshake
Clients Servers
SYN
SYN
SYN/ACK
SYN/ACK
Start time
ACK
ACK
End time
if no ACK:
RST (reset)
1 Client attempts to make a connection to the server. FireWall-1 intercepts the SYN
packet and passes it to the server.
2 The server returns a SYN/ACK to the firewall and FireWall-1 sends the SYN/
ACK to the client, starts it’s timer and compares it to the corresponding SYN
packet sent by the client.
3 If the client returns an ACK packet, the firewall allows it through to the server and
the TCP handshake is complete; stopping the timer. II-3
4 If the client does not return and ACK packet, then the firewall will send a RST to
the server after the timeout period.
Passive The Passive SYN Gateway tracks the state of the handshake. The primary difference
SYNDefender
SYNDefender between the two modes is that the Passive SYN Gateway will not “open” the
Gateway connection to the server without receiving the final ACK from the client. This means
connections may open unnecessarily, but they will be reset if SYNDefender does not
see the final ACK packet from the client.
Waits for the ACK from the source before allowing connection
Clients Servers
SYN SYN
SYN/ACK SYN/ACK
Start time
ACK ACK
End time
if no ACK:
RST (reset)
1 Client attempts to make a connection to the server. FireWall-1 intercepts the SYN
packet and passes it to the server.
2 The server returns a SYN/ACK to the firewall, allowing the SYN/ACK to pass to
the client.
3 The firewall sends an ACK to the server to complete the TCP handshake, starting
the timer.
4 If the firewall receives an ACK from the client, the connection is complete and the
timer stops.
5 If the firewall does not receive an ACK from the client, it will send a RST to the
server after the timeout period.
Review
Summary The SYN flooding attack is a type of attack on a server that is designed to bring a
server to its knees by flooding it with useless traffic. Such attacks can quickly fill up II-3
the backlog queue, preventing legitimate clients from reaching the server.
SYNDefender
SYDefender Gateway instructs the firewall to open a connection by sending its own
ACK to a server. The Passive SYN Gateway is similar to the SYNDefender Gateway.
The difference is SYNDefender Passive Gateway makes the firewall wait for a
response to the SYN/ACK before any connection is made to the server.
Review Questions 1. What happens to the backlog queue during a SYN attack?
3. What is the server looking for when a client makes a communication attempt?
4. What steps would you need to take if a client’s ACK needs 20 seconds to reach a
firewall?
Introduction
Content security is a generic process for verifying the content of FTP, HTTP or SMTP
data passed through the firewall. Content security is comprised of FireWall-1’s
Content Vectoring Protocol (CVP) and URI Filtering Protocol (UFP) which
integrate third-party content inspection programs, as well as being implemented at the II-4
firewall without the use of a third-party server.
FireWall-1’s content security may be implemented at the firewall without the use of a
Content Security
content vectoring server. The security server by itself matches certain schemes and
methods that allow HTML weeding and JAVA blocking actions.
Content security is an integral part of the FireWall-1 system. Without it there is limited
protection against malicious intrusions via e-mail, the Web and FTP accesses. Content
security specifies what users cannot download and ensures that what they download is
secure.
91
92 Introduction
Content Security Content security works by inspecting data at the highest protocol, achieving highly
Content Security
tuned access control to network resources. FireWall-1 provides content security for
HTTP, FTP and SMTP. For each connection established through the security server,
the administrator is able to control specific access according to fields that belong to a
specific service: URLs, file names, PUT/GET (FTP commands), type of requests and
others.
When a rule specifies a resource in the service field of the rule base, the FireWall-1
Content Security
Inspection Module diverts all packets in the connection to the corresponding security
server, which performs the required content security inspection. If the connection is
allowed, the security server opens a second connection to the final destination
(Figure 54):
smtp.detroit.com
SMTP
Anti-Virus Server
email.detroit.com
3 Original
2 SMTP Server
Incoming 1 4
SMTP e-mail Recipients on
from Internet Intranet
fw.detroit.com
3 After scanning e-mail for viruses, e-mail is passed from the firewall and onto the
SMTP server.
4 The SMTP server receives e-mail and stores it until Intranet users retrieve it.
Security enhancements enabled by the content security feature are anti-virus checking
for files transferred and URL filtering. When a resource specifies anti-virus checking
or URL screening, the security server diverts the connection to one of the following
servers:
Content Vectoring Protocol (CVP) — A CVP server providing anti-virus inspection
for files transferred.
URL Filtering Protocol (UFP) — A server maintaining a list of URL’s and their
categories.
CVP uses port 18181 and is designed to reroute data streams (packets) to an external
virus-scanning server. With CVP accessing this server, the security is further enhanced
Content Security
by allowing virus detection capabilities.
Anti-Virus FireWall-1’s content security allows anti-virus inspection, reducing the vulnerability
Inspection of hosts and gateways. With the use of an external anti-virus module or a CVP server,
the anti-virus option checks all files transferred for HTTP, FTP and SMTP protocols.
The configuration, including which files to check and how to handle infected files, is II-4
available for URI, SMTP and FTP resources. Figure 55 illustrates how FireWall-1
CVP allows for virus checking in an FTP connection:
Content Security
4
fw.london.com
3 Files
al FTP
Origin Anti-Virus
FTP ort 18181)
CVP (P
iles Server
Security FTP F
Clean (av.london.com)
Server
5
FTP Client FTP Server
6
(www.detroit.com) 2 (ftp.london.com)
1 1
Port 21: FTP Commands
INSPECT
Engine
Port 20: FTP Data Transfer
2 6
Figure 55: FTP to Anti-Virus Server Process
6 The FTP Security Server then relays the FTP file on to the FTP server
ftp.london.com.
Content Security
control access to specific URL addresses through the OPSEC security management
framework.
A UFP server is used to specify a list of URLs. A UFP server has a predefined list of
categories, which can be downloaded. You can select individual categories from the
list in the definition of the resource that uses this UFP server.
UFP uses port 18182 and is designed to reroute data streams (packets) to an external
web-scanning server (Figure 56):
II-4
Firewalled gateway
Content Security
Client
Third Party
Content
Security Server Server
FireWall-1
Inspection
Server Module
HTTP Security The HTTP security server provides Uniform Resource Locator (URL) filtering for
Server control over Web access, allowing administrators to define undesirable Web pages. A
URL is an address format used by Internet communications protocols such as HTTP
and typically identifies the type of service required to access an item, its location on an
Internet host and the file name or item name on that machine. Implement HTTP
security server with a URI resource.
SMTP Security The SMTP protocol provides control over SMTP connections. The SMTP resource
Server definition allows hiding of internal IP addresses from outgoing e-mail, strips specific
attachment types, drops messages above a given size, and rewrites e-mail addresses.
Implement SMTP security server with a SMTP resource.
FTP Security Server The FTP security server provides authentication services and content security based
on FTP commands (PUT/GET), file name restrictions and anti-virus checking for
files. (The PUT command uploads files from a host to an FTP server; the GET
command downloads files from an FTP server to a host.) Implement FTP security
server with a FTP resource.
Java and ActiveX Administrators can control incoming Java and ActiveX code according to specific
Stripping conditions, such as host, URL or authenticated user name.
Servers must be defined before you can use them in content security. To access
Servers, follow these steps:
Content Security
1. Select Servers from the Manage menu.
2. The Servers screen appears (Figure 57):
II-4
Content Security
Figure 57: Servers New Menu
3. Click New and select the type of server you want to create from the menu (Figure
58):
Content Security
be performed at the protocol specific level in a data packet. You can define FireWall-1
Resources for use with the following protocols: HTTP, FTP and SMTP.
Anti-virus checking, URL screening and e-mail address translations are major security
enhancements enabled by the content security. These options are enforced using UFP
and CVP server objects.
Content Security
Figure 59: Manage Menu
To add a resource to a rule after defining your URI, follow these steps:
Content Security
1. Create or select an established rule base.
2. Position the cursor under the Service heading and right-click to display the
shortcut menu (Figure 61):
II-4
Content Security
Figure 61: Rule Base Editor with Shortcut Menu
3. Select Add With Resource and the Service with Resource screen appears (Figure
62). Select the service and resource.
The new rule base appears (Figure 63). Notice that the Service column displays the
name as defined when the General tab information was entered in the URI definition.
The content security setup is in many ways the same procedure for all services.
Screens in the setup process vary depending on the service being installed.
Content Security
The following sections illustrate the URI/HTTP content security setup.
URI Resource A Uniform Resource Identifier (URI) resource is an extension of the rule base. The
URI goes beyond the source, destination and service fields and provides more details
about the content of the service. HTTP security servers must be installed with default
options for the URI to work.
After creating a CVP or UFP server object if required, you must define the resource
for HTTP to create a URI resource. II-4
Wild Card If you select Wild Cards specification type in the General tab, the following
Content Security
Specification Type information is necessary (Figure 64):
Name — Type in the name you want for the URI definition.
Comment — Type in the comment for the URI definition.
Color — Defines the color scheme of the object.
Connection Methods — Check the methods of connection. Your choices are:
Transparent, Proxy and Tunneling.
Exception Track — Select the method of reporting. Your choices are: None, Log and
Alert.
URI Match Specification Type — Check the specification type. Your choices are:
Wild Cards, File and UFP.
If you select Wild Cards specification type, the following information is necessary in
the Match tab (Figure 65):
Schemes — Check http and type in a wildcard (*) in the Other text box.
Methods — Type in a wildcard (*) in the Other text box.
Host, Path and Query — Type in wildcards (*) in these text boxes.
If you select Wild Cards specification type, the following action criteria can be II-4
defined in the action tab. Action is what the URI will do if all other criteria are met. In
the Action tab, the following information is necessary (Figure 66):
Content Security
II-4
Content Security
Figure 66: URI Action Tab for Wild Cards Specification
File Specification If you select File specification type in the General tab, the following information is
Type necessary (Figure 67):
Name — Type in the name you want for the URI definition.
Comment — Type in the comment for the URI definition.
Color — Defines the color scheme of the object.
Connection Methods — Check the methods of connection. Your choices are:
Transparent, Proxy and Tunneling.
Exception Track — Select the method of reporting. Your choices are: None, Log and
Alert.
URI Match Specification Type — Check the specification type. Your choices are:
Wild Cards, File and UFP.
If you select File specification type, the following information is necessary in the II-4
Match tab (Figure 68):
Content Security
II-4
Content Security
Figure 68: URI Match Tab for File Specification
Import — Click to import a URI specification file (a list of URIs to which access will
be denied or allowed, depending on the Action in the rule).
Export — Click to export a previously imported URI specification file. You will be
asked to specify a file name under which the file will be saved.
If you select File specification type, the following action criteria can be defined in the
action tab. Action is what the URI will do if all other criteria are met. In the Action
tab, the following information is necessary (Figure 69):
www.checkpoint.com/warning.html
UFP Specification If you select UFP specification type in the General tab, the following information is II-4
Type necessary (Figure 70):
Content Security
II-4
Content Security
Figure 70: URI General Tab for UFP Specification
Name — Type in the name you want for the URI definition.
Comment — Type in the comment for the URI definition.
Color — Defines the color scheme of the object.
Connection Methods — Check the methods of connection. Your choices are:
Transparent, Proxy and Tunneling.
Exception Track — Select the method of reporting. Your choices are: None, Log and
Alert.
URI Match Specification Type — Check the specification type. Your choices are:
Wild Cards, File and UFP.
If you select UFP specification type, the following information is necessary in the
Match tab (Figure 71):
UFP Server — Select the UFP server from the menu. The UFP server should have
already been defined in the Servers manager.
Categories — Check the categories you wish to include in the resource definition.
If you select UFP specification type, the following action criteria must be defined in
the Action tab. Action is what the URI will do if all other criteria are met. In the
Action tab, the following information is necessary (Figure 72):
www.checkpoint.com/warning.html
Replacement URI — Type in your alternate IP address to be sent back to any II-4
unauthorized source.
HTML Weeding — Check Strip Script Tags, Strip Applet Tags and Strip ActiveX
tags. This weeds out tags so they are not displayed. If a CVP server is present, the
Content Security
choice to select the server and the action that the server takes is available.
Response Scanning — Check Block JAVA Code.
CVP — Specify the inspection options for the third-party CVP server.
None — The file is not inspected.
Read Only — The file is inspected by the CVP server. If the CVP server rejects
the file, it is not retrieved.
Read/Write — The file is inspected by the CVP server. If the CVP server detects
that the file is invalid (for example, it may contain a virus), the CVP server
corrects the file before returning it to the firewall. II-4
SMTP Security The SMTP protocol provides control over SMTP connections. The SMTP resource
Content Security
Server definition allows hiding of internal IP addresses from outgoing e-mail, strips specific
attachment types, drops messages above a given size, and rewrites e-mail addresses.
Implement SMTP security server with a SMTP resource.
In the SMTP General tab, the following information is necessary (Figure 73):
In the SMTP Match tab, the following information is necessary (Figure 74):
The Action1 tab defines transformations to be performed on the given fields. The data II-4
in the field is modified in accordance with the defined transformation. The left part of
the transformation is a match field. The right part specifies the form of the new
transformed data. In the SMTP Action1 tab, the following information is necessary
Content Security
(Figure 75):
II-4
Content Security
Figure 75: SMTP Action1 Tab screen
In the SMTP Action2 tab, the following information is necessary (Figure 76):
Strip MIME of Type — MIME attachments of the specified type will be stripped
from the message. Allowed types are: text, multipart, message, image, audio, video
and application. If you strip MIME of type text, the text in the body of the message is
not stripped.
Don’t Accept Mail Larger Than — Mail messages larger than this size will not be
allowed to pass.
Server — Select the CVP server from the menu. The CVP server should have already
been defined in the Servers manager.
CVP — Select one of the following:
None — The file is not inspected.
Read Only — The file is inspected by the CVP server. If the CVP server rejects
the file, it is not retrieved.
Read/Write — The file is inspected by the CVP server. If the CVP server detects
that the file is invalid (perhaps because it contains a virus), the CVP server
corrects the file before returning it to the firewall.
Allowed Characters — Select one of the following:
8 bit — Allow 8 bit ASCII.
7 bit — Allow only 7 bit ASCII (but no control characters).
FTP Security Server The FTP security server provides authentication services and content security based II-4
on FTP commands (PUT/GET), file name restrictions and anti-virus checking for
files. (The PUT command uploads files from a host to an FTP server; the GET
command downloads files from an FTP server to a host.) Implement FTP security
Content Security
server with a FTP resource.
In the FTP General tab, the following information is necessary (Figure 77):
II-4
Content Security
Figure 77: FTP General Tab screen
In the FTP Match tab, the following information is necessary (Figure 78):
In the FTP Action tab, the following information is necessary (Figure 79):
Server — Select the CVP server from the menu. The CVP server should have already II-4
been defined in the Servers manager.
CVP — Select one of the options:
Content Security
None — The file is not inspected.
Read Only — The file is inspected by the CVP server. If the CVP server rejects
the file, it is not retrieved.
Read/Write — The file is inspected by the CVP server. If the CVP server detects
that the file is invalid (for example, because it may contain a virus), the CVP
server corrects the file before returning it to the firewall.
II-4
Content Security
RADIUS Server
Content Security
Version — Choose from the menu the version of the RADIUS server (either RADIUS
Version 1.0 or Version 2.0).
II-4
Content Security
Objective: You will modify the firewall, such that the SMTP security server will
redirect incoming mail to a CVP compliant anti-virus application server. Once the
incoming e-mail has been scanned/disinfected, the firewall will forward the e-mail to
the internal e-mail server.
Scenario: Due to the number of viruses that have come into the company network via
e-mail, you will set up an anti-virus check for incoming e-mail. A new server has been
purchased and it has anti-virus software that is CVP compliant. The name of the CVP
server will be ccheck.yourcity.com. Modify your security policy to implement this
change in business rules.
Content Security
3. Enter the IP address or name of your internal e-mail server in Mail Server field.
4. Enter the IP address or name of your internal e-mail server in Error Handling
Server field.
5. Next select the Match tab and specify a sender of “*” and a recipient of
*@yourcity.com.
6. Next select the Action2 tab and size limitation on incoming mail to 5 MB.
7. In the CVP box, pull down the Server list and select Virus_Checker.
8. Make sure that the Read/Write button is selected beneath the Server field.
II-4
9. Click OK.
Define a rule that allows any host outside of your network to get to your firewall using
Content Security
the SMTP service with the Yourcity_Internet_Email resource:
10. Click Edit, select Add Rule and then select After.
11. Right-click in the Source column of the new rule and select Add from the menu
that appears.
12. A dialog box listing the defined network objects will appear. Select the network
object for your local network and then click OK.
13. Right-click in the Source column again and select Negate.
14. Right-click in the Destination column of the new rule and select Add from the
menu that appears.
15. A dialog box listing the defined network objects will appear. Select the network
object for your firewall and click OK.
16. Right-click in the Service column of the new rule and select Add With Resource
from the menu that appears.
17. A dialog box listing the defined services that have associated resources will
appear. Select SMTP for the Service and select the Yourcity_Internet_Email
Resource in the Resource box. Click OK.
18. Right-click in the Action column of the new rule and select Accept from the menu
that appears.
19. Right-click in the Track column of the new rule and select Long from the menu
that appears.
20. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears. Then click OK.
7. Right-click in the Track column of the new rule and select Long from the menu II-4
that appears.
8. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears. Then click OK.
Content Security
4Log attempts on internal e-mail
Define a rule that logs any attempts on your internal e-mail server from any host
outside of your network using any protocol/service:
1. Click Edit, select Add Rule and then select After.
2. Right-click in the Source column of the new rule and select Add from the menu
that appears.
3. A dialog box listing the defined network objects will appear. Select the network
object for your local network and then click OK. II-4
4. Right-click in the Source column again and select Negate.
5. Right-click in the Destination column of the new rule and select Add from the
Content Security
menu that appears.
6. A dialog box listing the defined network objects will appear. Select the network
object for your e-mail server and click OK.
7. Right-click in the Action column of the new rule and select Drop from the menu
that appears.
8. Right-click in the Track column of the new rule and select Long from the menu
that appears.
9. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears. Then click OK.
Objective: You will modify the firewall to make use of a UFP server to block Web
browser access to adult sites on the Internet/World Wide Web.
Scenario: Management wants to block Web browser access to adult sites on the
Internet. Your company has purchased UFP type software and has loaded it onto
ccheck.yourcity.com. Use an HTTP resource check for attempted access to the
restricted sites. Also, if access is attempted, redirect the user’s browser to an internal
Web page that presents a warning.
If you are not able to perform this lab, then this becomes a discussion lab.
Content Security
1. Click Edit, select Add Rule and then select Top.
2. Right-click in the Source column of the new rule and select Add from the menu
that appears.
3. A dialog box listing the defined network objects will appear. Select the network
object for your local network (net-yourcity) and then click OK.
4. Right-click in the Destination column of the new rule and select Add from the
menu that appears.
5. A dialog box listing the defined network objects will appear. Select the network
object for your local network (net-yourcity) and click OK. II-4
6. Right-click in the Destination column again and select Negate.
7. Right-click in the Service column of the new rule and select Add With Resource
Content Security
from the menu that appears.
8. A dialog box listing the defined services that have associated resources will
appear. Select HTTP. Click OK.
9. In the Resource section, select HTTP for the Service and select the Adult_filter
Resource in the Resource box.
10. Right-click in the Action column of the new rule and select Reject from the menu
that appears.
11. Right-click in the Track column of the new rule and select Long from the menu
that appears.
12. In the Comment column, double-click and enter an appropriate description of the
rule in the text box that appears. Then click OK.
Objective: You will modify the firewall to make use of a UFP server to block Web
browser access to adult sites on the Internet/World Wide Web.
Scenario: Management wants to block Web browser access to adult sites on the
Internet. Your company has purchased UFP type software and has loaded it onto
ccheck.yourcity.com. Use an HTTP resource check for attempted access to the
restricted sites. Also, if access is attempted, redirect the user’s browser to an internal
Web page that presents a warning.
If you are not able to perform this lab, then this becomes a discussion lab.
Content Security
rule.
3. Test by connecting to www.boogeyman.com.
4. Click the Warez link. What is the result?
II-4
Content Security
Objective: You will modify the firewall to make use of a UFP server to restrict access
to FTP sites on the Internet/World Wide Web.
Scenario: Management wants to block Web browser access to adult sites on the
Internet. Your company has purchased UFP type software and has loaded it onto
ccheck.yourcity.com. Use an HTTP resource check for attempted access to the FTP
sites.
If you are not able to perform this lab, then this becomes a discussion lab.
Content Security
2. Try to put a file on www.boogeyman.com. Did it work?
II-4
Content Security
Objective: You will modify the firewall to make use of a UFP server to block Web
browser access to java applets on the Internet/World Wide Web.
Scenario: Management wants to block Web browser access to java applets on the
Internet. Your company has purchased UFP type software and has loaded it onto
ccheck.yourcity.com. Use an HTTP resource check to filter java applets.
If you are not able to perform this lab, then this becomes a discussion lab.
Content Security
Connect to www.boogeyman.com and select the Java link.
II-4
Content Security
Objective: You will modify the firewall to make use of a UFP server to block Web
browser access to restricted sites on the Internet/World Wide Web.
Scenario: Management wants to block Web browser access to restricted sites on the
Internet. Your company has purchased UFP type software and has loaded it onto
ccheck.yourcity.com. Use an HTTP resource check for attempted access to the
restricted sites. Also, if access is attempted, redirect the user’s browser to an internal
Web page that presents a warning.
If you are not able to perform this lab, then this becomes a discussion lab.
Content Security
4Test the security policy
1. Remove your HTTP authentication rule, and replace it with an anything outbound
rule.
2. Test by connecting to www.boogeyman.com.
3. Press the Warez link. What is the result?
II-4
Content Security
Review
Summary Content security is necessary in a firewalled system, because without it, internal
networks have limited protection against external attacks. Content security allows
system administrators to specify what can and cannot enter or exit internal networks.
Content security works by inspecting data at the highest protocol. And content
security allows administrators to control network access according to specified
services, such as anti-virus applications.
Content security works by inspecting data at the highest protocol, achieving highly
tuned access control to network resources. FireWall-1 provides content security for
HTTP, FTP and SMTP. Content security enables intelligent inspection of
communications content and protects users from various hazards, including the
following:
• Computer viruses
• Java Applets and ActiveX code
• Undesirable Web content
2. From which types of hazards does content security protect internal networks?
3. Can you use FireWall-1’s content vectoring protocol without the use of a content
vectoring server? Why or why not?
Content Security
II-4
Content Security
Chapter 3: SecuRemote
Introduction
Overview Encryption is a method of modifying packet data so that the data can only be
decrypted with an encryption key. You can use FW-1 to build VPN’s, which provides
secure communications between two defined participants by encrypting packets
across the Internet. FireWall-1’s encryption works through the use of four encryption
schemes: FWZ, Manual IPSec, ISAKMP/Oakley (IKE) and SKIP.
141
142
Overview Encryption is a method of modifying packet data so that the data can only be
decrypted with an encryption key. You use encryption with FireWall-1 through a
virtual private network (VPN). A VPN provides secured connections between points
where encrypted data may travel through the Internet.
Encryption
Encryption works by encrypting data with encryption software and a secret key, which
is known only to the recipient and those VPNs authorized to view the data. This
shared secret key is used to verify and decrypt the encrypted packet.
1 The original data (cleartext) is passed through an encryption algorithm that uses
the secret key to uniquely scramble the data.
2 The result is called ciphertext.
3 The VPN receives the cipher text and uses a secret key to decrypt the text.
Virtual Private Encryption in a VPN provides secured connections between points where encrypted
Networks (VPNs) data travels along unsecured portions of a network. A VPN typically uses the Internet
as the transport backbone to establish secure links with business partners, extend
communications to regional and isolated offices, and significantly decrease the cost of III-1
communications for an increasingly mobile workforce.
Firewall-to-Firewall FireWall-1 VPNs support the following encryption schemes. These encryption
VPN schemes are security engineers’ tools for creating and configuring VPNs:
• FWZ
• Manual IPSec
• ISAKMP/Oakley (IKE)
• SKIP
As shown in Figure 82, data traveling from the Detroit network to the Chicago
network is encrypted. (Data arriving from protected networks is authenticated and
then decrypted.)
Firewall Firewall
Module Module
#1 #2
Client-to-Firewall FireWall-1 SecuRemote, which is a separate Check Point product and is based on a
VPN (SecuRemote) technology called client encryption, allows remote network users secure access to
their internal networks. This is called client-to-firewall VPN encryption and is used
for remote access. Using SecuRemote is not the same as managing a network
remotely.
Encryption
well as strong encryption using FWZ-1 and DES
III-1
FireWall-1 FWZ
Encryption FWZ is Check Point’s proprietary encryption scheme, which utilizes both asymmetric
Schemes and symmetric keys during key management and encryption. FWZ manages
encryption keys automatically, including updating public keys.
Manual IPSec
Short for IP Security, IPSec (and Manual IPSec) is a set of protocols that supports
secure exchange of packets at the IP layer. For IPsec to work, the sending and
receiving devices must decide upon a unique public key and then manually generate
that key.
ISAKMP/Oakley (IKE)
Internet Security Association and Key Management Protocol (ISAKMP) —
otherwise known as IKE (Internet Key Exchange) — is the encryption standard of the
Internet Engineering Task Force (IETF), the main standards organization for the
Internet. The ISAKMP protocol provides a consistent framework for transferring key
and authentication data, independent of the encryption and authentication
mechanisms.
Oakley (IKE) is an Internet encryption protocol that enables two authenticated parties
to agree on secure and secret keying material. The basic mechanism is the Diffie-
Hellman key exchange algorithm, where one firewall’s public key and another
firewall’s private key creates a shared secret key. The Oakley protocol supports
compatibility with the ISAKMP protocol for encryption.
SKIP
Simple Key Management for Internet Protocols (SKIP) provides a hierarchy of keys
that change over time. These keys are used to encrypt connections as well as to
implement a key management protocol. SKIP also includes ESP and AH and adds its
own header to packets. ESP and AH are: The protocol formats for the IP
Authentication Header (AH) and IP Encapsulating Security Payload (ESP) will be
independent of the cryptographic algorithm. The preliminary goals will specifically
pursue host-to-host security followed by subnet-to-subnet and host-to-subnet
topologies.
Overview The encryption schemes discussed earlier include Manual IPSec, SKIP, FWZ and
ISAKMP/Oakley (IKE). FireWall-1 security engineers set up these encryption
schemes. Encryption algorithms are FireWall-1’s way of determining how to encrypt
data.
Encryption
FireWall-1 supports the following encryption algorithms:
• FWZ-1
• DES
• Triple DES
• DES-40 (bit), RC2-40, RC4-40
DES (International Short for Data Encryption Standard, DES (and Triple DES) is a symmetric key
Customers) encryption method that uses a 56-bit key and is illegal to export out of the United
States or Canada. DES allows interoperability with other ISAKMP and SKIP
compliant firewalls, and provides one standard for encryption.
Triple DES addresses security concerns resulting from its relatively short, 56-bit key
length. Triple DES encrypts under three different DES keys in succession, equivalent
to doubling the DES key length to 112 bits.
Four Encryption FireWall-1 offers four levels of encryption, including Triple DES (Table 4):
Levels
Table 4: Four Levels of Encryption in FireWall-1 Version 4.0
Level Encryption
Locations Allowed
Algorithms
1. None None Anywhere
Encryption
• Digital signatures
Symmetric Symmetric encryption, in which the same key is used to encrypt and decrypt data, is
Encryption (Shared also called shared key encryption. Symmetric encryption is used primarily for faster
Key) encryption performance. An example of symmetric encryption is shown in Figure 84:
Do not send private keys through unsecured networks, such as the Internet.
Use “sneaker-net”: Mail, fax or phone the private key to a certificate
authority.
Asymmetric Asymmetric encryption, which uses one key to encrypt a message and another to
Encryption (Public decrypt the message, is a FireWall-1 encryption technology used for the following:
Key)
• Secure key exchange mechanisms
• Authentication
• Data-integrity checking
Asymmetric encryption is called public-key encryption, because the encryption
scheme uses two keys: one private and one public. These keys are created using the
Diffie-Hellman key scheme, where one firewall’s public key and another firewall’s
private key creates a shared secret key. This shared secret key is used to verify and
decrypt the encrypted packet. It is mathematically impossible to derive the private key
from the public key.
1 The Detroit firewall sends its public key to the Chicago firewall. The Chicago II-4
key shares the same public key.
2 The private key is combined with the receiver’s public key, using the Diffie-
Hellman algorithm to generate the shared secret key.
3 Encryption is secure because no one, except Detroit and Chicago, can derive the
shared secret key.
Encryption
Due to performance issues, asymmetric cryptography, which is 1,000
times slower than symmetric cryptography, is typically used to encrypt
small amounts of data, such as keys, for symmetric cryptography.
III-1
Digital Signatures
Digital signatures use public key cryptography, which uses two different but
mathematically related keys: the first key is used to encrypt the data, and the second
key is used to verify the signature or decrypt the data. The process is similar to
assymetric cryptography.
Hash Functions
Hash functions are used to create and verify digital signatures. A hash function is an
algorithm that creates a digital representation or "fingerprint" in the form of a "hash
value" or "hash result" of a standard length. The hash value is usually much smaller
than the message but nevertheless substantially unique to it. If any changes to a
message occur, the hash result will be different, indicating the message has been
tampered with.
In the case of a secure hash function, also called a one-way hash function, it is
mathematically infeasible to derive the original message from the resulting hash
value.
Using Digital The use of digital signatures usually involves two processes, one performed by the
Signatures signer and the other by the receiver of the digital signature:
1. Digital signature creation uses a hash result derived from and unique to both the
signed message and a given private key. For the hash result to be secure, there
must be only a negligible possibility that the same digital signature could be
created by the combination of any other message or private key.
2. Digital signature verification is the process of checking a digital signature by
reference to an original message and a given public key, thereby determining
whether the digital signature was created for that same message using the private
key that corresponds to the referenced public key.
Creating the Digital A digital key is created using the one way hash function, as follows: II-4
Signature
1 The original message is created (Figure 86):
Encryption
Figure 86: One Way Hash Function
Applying Digital A digital signature is applied to a document or other information, using the following
Signatures/ process (Figure 87 on page 154):
Certificates
1 The signer delimits the borders of what is to be signed (the document) using their
private key.
2 The signer’s software using the hash function computes a unique hash result.
3 The signer’s software transforms the hash result into a digital signature, which is
unique to both the document and the private key used to generate it.
4 The digital signature is verified using the hash function of the software used to III-1
create the digital signature.
5 The verifier uses the public key to verify:
a. Whether the digital signature was created using the associated private key Encryption and VPNs
b. Whether the newly computed hash result matches the original hash result
6 If both hash results match, then the digital signature is verified as authentic.
A certificate authority (CA) is a trusted third party from whom a public key can be
obtained reliably, even via the Internet. The CA certifies a public key by generating a
certificate. The digital signature acts as proof of the sender’s identity. A digital
signature is created using a public encryption key scheme.
Encryption
Manual IPSec is the only encryption scheme that does not use a CA.
The CA and DH When you configure encryption for a network object, you must choose to generate a
Keys certificate authority (CA) or Diffie-Hellman (DH) key. In public-key encryption, keys
are created using the Diffie-Hellman key scheme, where one firewall’s public key and
another firewall’s private key creates a shared secret key. This shared secret key is
used to verify and decrypt the encrypted packet.
Creating the CA Key To create a CA key, security engineers must modify options in the following screens
and tabs. These screens and tabs are located within the Workstation Properties screen:
• Encryption tab
• CA Key tab
III-1
• Certificate Authority Key screen
What to Encrypt?
Packet Headers Before encrypting data, it is important to understand what part of a packet to encrypt.
Versus Data Figure 88 displays the IP header being encrypted. The IPSec encryption scheme adds
a new IPSec and IP header to a packet. IPSec encrypts the new headers while
authenticating the IP and TCP header and packet data.
New Header New IPSec Header IP Header TCP Header Packet Data
Figure 89 displays the data being encrypted, not the IP header. This means the IP and
TCP headers within the packet will not be encrypted. Therefore, the packet will be
able to reach its destination. Only the data is encrypted.
Tunneling-Mode FireWall-1 uses two encryption modes, depending upon the encryption scheme
Versus In-Place chosen: tunneling-mode and in-place encryption (Table 5 on page 158).
Encryption
Encryption
3. You then place the addressed envelope (packet) into an another envelope that
contains a different destination address and return address.
4. The envelope is then mailed.
A drawback to using tunneling-mode encryption is that packet size is increased since
you have encapsulated the original packet with the decryption protocol header;
however, the security of the packet is increased (Figure 90):
In-place encryption encrypts the payload portion of the packet and leaves the header
intact (Figure 91). This allows for greater performance than that provided by Manual
IPSec, ISAKMP/Oakley (IKE) or SKIP encryption.
III-1
A drawback to using in-place encryption is the header remains intact, indicating the
origin IP address and destination IP address; however, there is no performance
degradation since the packet size has not changed.
Encryption
Figure 92: The Encryption Tab
Encryption
Figure 94: Generated CA Key
Creating a CA Key
The following are the steps for creating a CA Key: III-1
1. Click Manage > Network Objects from the FireWall-1 Security Policy main
menu.
2. Highlight the firewalled device to which you want to add the certificate authority. Encryption and VPNs
Click Edit.
3. Click the Encryption tab.
4. Click Other under Encryption Domain and select the network to be encrypted.
5. Click the encryption method defined and click Edit. The CA Key tab displays
(Figure 93 on page 160).
Creating the DH Key To create a DH key, security engineers must modify options in the following screens
and tabs. These screens and tabs are located within the Workstation Properties screen:
• Encryption tab
• DH Key tab
• Diffie-Hellman Key screen
Encryption
Figure 96: DH Key Tab
Creating a DH Key
The following are the steps for creating a DH Key:
1. Click Manage > Network Objects from the FireWall-1 Security Policy main
menu.
2. Highlight the firewalled device to which you want to add the certificate authority.
Click Edit.
3. Click the Encryption tab.
4. Click Other under Encryption Domain and select the network to be encrypted.
5. Click the encryption method defined and click Edit. The DH Key tab displays
(Figure 96 on page 163).
Review II-4
Summary For a more secure network over an insecure Internet, encryption is a vital part of
communication. Encryption is FireWall-1’s technology for modifying packet data so
that the data can only be decrypted with an encryption key, which decrypts encrypted
data. Encryption allows communication via a virtual private network (VPN), which is
Encryption
a private network that provides secured connections between points where encrypted
data travels through the Internet. Encryption works by passing data via a shared secret
key. This key decrypts data so that the receiver can view the data. It is important that
data be encrypted but not the packet header; otherwise, the packet cannot reach its
destination.
FireWall-1 uses two encryption modes, depending upon the encryption scheme
chosen: tunneling-mode and in-place encryption. Tunneling-mode encryption works
by encapsulating a network protocol within packets carried by a second network.
Tunneling-mode encryption does this by embedding its own network protocol within a
packet’s TCP/IP headers. In-place encryption encrypts just the data portion of the
packet, leaving the original IPSEC and IP headers intact. This allows for greater
performance than that provided by the other encryption algorithms since it does not
cause packet fragmentation.
VPNs provide a way to secure data traveling from internal to external networks safely.
You can remotely manage a firewall through a VPN, as well as communicate using
Check Point’s SecuRemote application in conjunction with a VPN. You also set up a
VPN between two networks, using SKIP encryption.
Review Questions 1. Why is encrypting the data better than encrypting the packet header?
III-1
2. What is a shared key used for?
4. What is the difference between tunneling mode and in-place encryption? Which is
best?
Encryption Schemes
Unit II — Chapter 4:
Encryption Schemes
Introduction
Overview FireWall-1’s encryption works through the use of four encryption schemes: FWZ,
Manual IPSec, ISAKMP/Oakley (IKE) and SKIP. FireWall-1’s SecuRemote product
is another way for security engineers to ensure that remote communications traveling
through unsecured lines are encrypted.
167
168 FireWall-1 Encryption Schemes
Overview In this section you will learn how FireWall-1 incorporates the concepts described
previously to define the four encryption schemes it supports. You will learn specifics
about how these schemes relate to VPNs. And you will configure and test each of
these schemes to understand how FireWall-1 VPNs work.
Scheme What it is
FWZ Proprietary Check Point software encryption
FWZ II-4
Encryption Schemes
encryption automatically, including updating public keys. FWZ encryption does the
following:
• Encrypts all data behind the IP and TCP headers, using in-place encryption
(Figure 116 on page 187)
• Uses reliable-data protocol to manage VPN session keys, encryption methods and
data integrity
• Gets certified Diffie-Hellman (DH) public keys from a trusted certificate authority
(CA)
• Supports FWZ-1, DES and Triple DES algorithms, using a 40-bit encryption key
that is exportable outside the US
In the VPN+DES+STRONG version of 4.0, the only scheme that can use
3DES is ISAKMP. 3DES is not a current option for the encryption
algorithm when using FWZ, SKIP or Manual IPSec.
• Authenticate passwords:
Each time a connection is made to the firewall, S/Key authentication requires a
different password. S/Key authentication is a FireWall-1 authentication method
that uses the FWZ-1 encryption algorithm to authenticate passwords. S/Key
authentication is based on a table of 100 random passwords. Once one table of
passwords is complete, S/Key generates a new table. In this way, encryption is
secure.
Reliable Datagram Reliable datagram protocol (RDP) is used by FireWall-1 to agree on encryption
Protocol parameters. RDP is used for out-of-band sessions and the following:
• Negotiate session keys
• Agree on encryption algorithms (DES or FWZ-1) for a session
• Decide whether MD5 data integrity will be used for sessions
• Ensure all dropped UDP packets are retransmitted
Encryption Tab
When defining encryption for a firewall, you use the Encryption tab of the
Workstation Properties screen (Figure 98):
Encryption Schemes
local and remote CA and DH keys.
The following are the options for the FWZ Properties screen: II-4
Session Key Encryption Method — Specifies the encryption algorithm for session
keys.
Encryption Schemes
Data Encryption Method — Specifies the encryption algorithm for communications
packets. The available choices depend on the encryption algorithms installed. You
can also choose Clear (meaning no encryption) or Any (meaning the data encryption
method is chosen by the other party).
Data Integrity Method — Specifies the cryptographic checksum method to be used
for ensuring data integrity.
Allowed Peer Gateway — Specifies the gateways with which a gateway encrypting
under this rule is prepared to conduct an encrypted session. This field can be set to the
following values:
Any — Each gateway is prepared to conduct encrypted sessions with all other
gateways.
Gateway name or group of gateways and/or hosts — Each gateway is prepared
to conduct encrypted sessions only with the named gateway or with a gateway
belonging to the given group.
In both cases, a gateway is prepared to conduct encrypted sessions with another
gateway only if the packet’s source IP address (for decryption) or destination IP
address (for encryption) is in the other gateway’s encryption domain.
3. Specify encryption domain: Click the Encryption tab (Figure 103). Select an
encryption domain as either Valid Addresses (all internal objects’ IP addresses).
Or select Other and specify the network or group object that represents the hosts
in the encryption domain.
II-4
Encryption Schemes
Figure 103: Encryption Tab
4. Specify encryption method and generate a CA public key for FWZ. Click Local
to select the local firewall and Generate to begin creating the CA key (Figure
104):
5. FireWall-1 displays the following message before generating the local CA key:
Click Yes to continue.
6. Once FireWall-1 has created the local CA key, it displays a completion message:
Click OK to continue.
7. The generated local CA key appears (Figure 105):
8. Generate the DH public key for FWZ: Select the DH Key tab and click Generate II-4
to generate the DH key (Figure 106). When asked if you want to generate a new
key, click Yes.
Encryption Schemes
Figure 106: Generated DH Key
9. Install the policy for key exchange. After the public keys have been created, the
security policy needs to be reinstalled so the remote firewall (on the other side of
the VPN) can retrieve the keys. Click OK twice and Close.
10. Click Policy > Install from the Security Policy GUI. When prompted for the
firewall on which to install the policy, select your firewall and click OK.
11. When FireWall-1 has installed the security policy, you will see a completion
message (Figure 107). Click Close to continue.
12. Get public keys (CA and DH) from a remote gateway: Click Manage > Network
Objects and select your local firewall.
13. Click Edit and the Encryption tab. Select FWZ and click Edit.
14. In the FWZ Properties screen, click Remote and select the remote gateway from II-4
whom you want to retrieve the remote CA key (Figure 108). Click Get to retrieve
the remote CA key.
Encryption Schemes
Figure 108: Getting the Remote CA Key
15. Click Close. Select the DH Key tab and click Get to retrieve the remote DH key
(Figure 109):
16. Close the DH Key tab, and click OK and Close. Add an encryption rule to the
security policy (Figure 110): Select the local and remote networks as destination
and source. Select Encrypt as the action.
17. Define FWZ encryption for a VPN rule: Right-click the Action column and select
Edit properties (Figure 111):
Encryption Schemes
Figure 112: Encryption Properties Screen
19. Select FWZ as the encryption scheme and click Edit. Edit invokes the FWZ
Properties screen (Figure 113):
20. Once finished modifying the FWZ Properties screen, click OK twice to exit to the
rule base.
21. Verify and install the rule base: From the Security Policy GUI, click Policy >
Verify and wait for the “OK” message, then click Close to continue.
22. Install the rule base by clicking Policy > Install. When prompted to select a
firewall on which to install the policy, select your local firewall (Figure 114):
23. Click OK to continue. When FireWall-1 has installed the rule base, the II-4
completion screen appears (Figure 115):
Encryption Schemes
Figure 115: Installed Security Policy
24. Click Close and save the security policy: Click File > Save from the Security
Policy GUI menu.
Objective: You and your partner will configure your firewalls to be a part of a VPN.
Scenario: You are a part of an organization that has corporate sites in multiple
locations. You wish to link your LANs into a WAN, and use FWZ encryption to
safeguard your transmissions across the Web.
4. In the menu next to Other, select your partner’s network object (that is, II-4
partnercity-net). The encryption domain for your partner’s firewall is now set to
partnercity-net.
Encryption Schemes
4Retrieve the FWZ CA and DH keys
Before proceeding, be sure your partner (fw.partnercity.com) has completed the steps
in the “Specify FWZ encryption” section of this lab. You cannot retrieve the CA and
DH keys from another firewall until they have been generated and the rule base
reinstalled.
Disable your stealth rule!
1. In the Encryption Method Defined field of your partner’s firewall, click the FWZ
check box.
2. Click Edit. The FWZ Properties screen appears.
3. Click Remote, then select your partner’s firewall form the menu at the right (that
is, fw.partnercity.com).
4. Click Get. This retrieves the FWZ CA public key from your partner’s firewall.
5. Click the DH Key tab.
6. Click Get. This retrieves the FWZ Diffie-Hellman public key from your partner’s
firewall.
7. Click OK.
You can view the encrypted/decrypted packets being logged in the Log
Viewer.
2. With the cursor positioned over the Encryption icon in the Action column of the
new rule, click the right mouse button. In the menu that appears, select Edit
properties. The rule’s Encryption Properties screen appears:
Encryption Method: FWZ
Protocol Diagnostics: Log
3. Click OK.
4. Verify and install the rule base.
4Test the VPN
1. Test by viewing your partner’s Web page from your Internet server (that is,
www.yourcity.com).
2. Look at the log entries. Encrypted packets will have blue lines and decrypted
packets will have purple lines. If you do not see this, check the information
generated in the Info column of the rule base.
If the encryption does not work, you may need to remove your firewall
objects for your city and your partner’s city, then rebuild these objects.
Short for IP Security, IPSec is a set of protocols that supports secure exchange of
Encryption Schemes
packets at the IP layer. For IPsec to work, the sending and receiving devices must
decide upon a unique public key and then manually generate that key.
IPSec can be used manually (Manual IPSec) or with encryption schemes such as
ISAKMP and SKIP. The IPSec scheme of encryption adds a new IPSec and IP header
to a packet. IPSec then encrypts the new headers, while authenticating the IP and TCP
header and packet data (Figure 116):
Authenticated
Encrypted
IPSec uses Security Association (SA), which is the encryption standard of the
Internet, to define the security parameters for a specific IP host:
• Usage of encryption and/or data integrity
• Encryption and/or data integrity methods
• Encryption and/or data integrity keys
• The SA is identified using a Security Parameters Index (SPI), which is a 32-bit
number that refers to a specific SA; the SA is generated manually and assigned a
SPI (Figure 117):
SPI 0x32fd567f
Encryption (ESP): DES
Authentication (AH): SHA-1
DES Key (64 bits): 0x2983a7b31abb5f3e
SHA-1 Key (160 bits): 0x354354afbd354ad4354ceaca35c639aec98fbbb8
• Two IPSec headers each contain an SPI reference to identify the relevant SA:
• Authentication Header (AH), containing the message digest
• Encapsulating Security Payload (ESP), containing a per packet initialization
vector (IV), used as an auxiliary key to enhance security
Encryption Tab
When defining encryption for a firewall, you use the Encryption tab of the
Workstation Properties screen (Figure 118):
Encryption Schemes
Figure 119: Manual IPSEC SPI Screen
Keys:
By Seed — Value for Seed; if ESP is checked under IPSec Options, an encryption
key is generated and displayed in Encryption Key. If AH is checked under IPSec
Options, an authentication key is generated and displayed in Authentication Key.
Manually — The typed value of the key.
Encryption Key — ESP checked under IPSec Options; the encryption key will be
read-only unless Manually selected. The encryption key is 16 hex bytes long.
Authentication Key — AH checked under IPSec Options; the authentication key will
be read-only unless Manually selected. The authentication key is 40 hex bytes long.
Encryption Schemes
Figure 120: Manual IPSec Properties Screen
The following are the options in the Manual IPSec Properties screen:
SPI — A number that uniquely identifies a group of security parameter definitions.
Select an SPI from the drop-down list.
Allowed Peer Gateway — Specifies the gateways with which a gateway encrypting
under this rule is prepared to conduct an encrypted session. This field can be set to the
following values:
Any — FireWall-1 will attempt to find a suitable gateway based on encryption
domains.
Gateway Name — FireWall-1 will conduct encrypted sessions only with the
named gateway.
In both cases, a gateway is prepared to conduct encrypted sessions with another
gateway only if the packet’s source IP address (for decryption) or destination IP
address (for encryption) is in the other gateway’s encryption domain.
3. Specify encryption domain: Click the Encryption tab (Figure 122). Select an II-4
encryption domain as either Valid Addresses (all internal objects’ IP addresses),
or select Other and specify the network or group object that represents the hosts in
Encryption Schemes
the encryption domain.
4. Specify encryption method (Figure 123): Select Manual IPSec and click OK and
Close.
5. Create the IPSec SPI key: Click OK and Close to return to the Security Policy
main menu. Click Manage > Keys to enter the Encryption Keys screen (Figure
124):
6. Click New > SPI (from the New pull-down menu). The Manual IPSec screen II-4
appears (Figure 125):
Encryption Schemes
Figure 125: Manual IPSec Screen
7. Complete the Options for your SPI key. Then click OK and Close to return to the
Security Policy GUI main menu.
8. Add two rules to the security policy: One rule with Manual IPSec and the other
rule for a VPN. For the first rule, select the local and remote networks as
destination and source. Select IPSEC as the service and accept as the action.
9. For the second rule, select the local and remote networks as destination and
source. Select Encrypt as the action. Figure 126 shows the completed rule base:
10. Modify the VPN encryption rule: Right-click the Action column and select Edit
properties from the pull-down menu (Figure 127):
11. Select Manual IPSec from the Encryption Properties screen (Figure 128): II-4
Encryption Schemes
Figure 128: Encryption Properties Screen
12. Click Edit to continue. The Manual IPSec Properties screen appears (Figure 129):
13. Specify the SPI key for this VPN Pair. In Figure 129 the SPI key is the previously
defined IPSec key 0x111222. Associate one SPI per peer, then specify exactly
who that peer is in the Allowed Peer Gateway field.
14. Click OK to apply and continue.
15. Verify and install the rule base: From the Security Policy GUI, click Policy >
Verify and wait for the “OK” message, then click Close to continue.
16. Install the rule base by clicking Policy > Install. When prompted to select a
firewall on which to install the policy, select your local firewall (Figure 130):
17. Click OK to continue. When FireWall-1 has installed the rule base, the
completion screen appears.
18. Click Close and save the security policy: Click File > Save from the Security
Policy GUI menu.
Encryption Schemes
Specify Manual IPSec as the Encryption Method on each gateway:
1. From the Network Object Manager, highlight your firewall object
(fw.yourcity.com) and click Edit.
2. In the Workstation Properties window, select the Encryption tab. (The encryption
domain should be net-yourcity.)
3. In the Encryption Method Defined field, select the Manual IPSEC check box.
4. Click OK. The Workstation Properties window disappears.
5. Highlight your partner’s firewall object (fw.partnerycity.com) and click Edit.
6. In the Workstation Properties window, select the Encryption tab. (The encryption
domain should be net-yourpartnercity).
7. In the Encryption Method Defined field, select Manual IPSEC.
8. Click OK.
4Test VPN
Test by viewing your partner’s web page from your Internet server
(www.yourcity.com). Look at the log entries. Encrypted packets will have blue lines
and decrypted packets will have purple lines. If you do not see these lines, check the
information generated in the Info column.
II-4
Encryption Schemes
Encryption Tab
When defining encryption for a firewall, you use the Encryption tab of the
Workstation Properties screen (Figure 131):
Encryption Schemes
the firewalled object itself.
The ISAKMP options define how the ISAKMP/Oakley key exchange is encrypted:
Encryption Method — Check at least one of the methods.
Hash Method — Check at least one of the methods.
Authentication Method — Check at least one of the methods:
Pre-Shared Secret — This workstation can authenticate itself by a pre-shared
secret. If you check Pre-Shared Secrets, click Edit Secrets to display the Shared
Secrets window in which you can define or modify the pre-shared secret.
Public Key Signatures — This workstation can authenticate itself by a public
key signature. If you check Public Key Signatures, click Configure to display the
Public Key Configuration window. You can generate a public key for the
workstation and define the matching criteria.
Supports Aggressive Mode — If checked, the standard six packet ISAKMP Phase 1
exchange is replaced by a three packet exchange.
The ISAKMP properties in this window define how packets are encrypted:
Transform — Check one of the following:
Encryption + Data Integrity (ESP) — The Security Association will include
both encryption and data integrity (authentication).
Data Integrity Only (AH) — The Security Association will include only data
integrity (authentication).
Encryption Algorithm — Specifies the encryption algorithm for the traffic. The
available choices depend on the encryption algorithms installed. You can also choose
Clear (meaning no encryption) or Any (meaning the data encryption method is chosen
by the other party).
Data Integrity — Specifies the cryptographic checksum method to be used for
ensuring data integrity.
Allowed Peer Gateway — Specifies the gateways with which a gateway encrypting
under this rule is prepared to conduct an encrypted session. This field can be set to the
following values:
Any — Each gateway is prepared to conduct encrypted sessions with all other
gateways.
Gateway name or group of gateways and/or hosts — Each gateway is prepared II-4
to conduct encrypted sessions only with the named gateway or with a gateway
belonging to the given group.
Encryption Schemes
In both cases, a gateway is prepared to conduct encrypted sessions with another
gateway only if the packet's source IP address (for decryption) or destination IP
address (for encryption) is in the other gateway's encryption domain.
Use Perfect Forward Security — Perfect Forward Security ensures that an
eavesdropper who uncovers a long-term encryption key will be unable to use it to
decrypt traffic sent in the past.
3. Specify encryption domain: Click the Encryption tab (Figure 135). Select an
encryption domain as either Valid Addresses (all internal objects’ IP addresses),
or select Other and specify the network or group object that represents the hosts in
the encryption domain.
II-4
Encryption Schemes
Figure 136: ISAKMP Properties (within a Firewall Object)
10. Define ISAKMP/Oakley encryption: Right-click the Action column (in the VPN
rule) and select Edit properties from the pull-down menu (Figure 138):
11. Select ISAKMP/OAKLEY from the Encryption Properties screen (Figure 139) II-4
and click Edit:
Encryption Schemes
Figure 139: Encryption Properties Screen
12. Click Edit to continue and the ISAKMP Properties screen appears (Figure 140):
14. Verify and install the rule base: From the Security Policy GUI, click Policy >
Verify and wait for the “OK” message, then click Close to continue.
15. Install the rule base by clicking Policy > Install. When prompted to select a
firewall on which to install the policy, select your local firewall (Figure 141):
Click OK to continue. When FireWall-1 has installed the rule base, the completion
screen appears (Figure 142):
16. Click Close and save the security policy: Click File > Save from the Security II-4
Policy GUI menu.
Encryption Schemes
Scenario: Your company has several remote offices that access the Internet.
Company management wants to use the Internet to link the corporate network
with the remote office network. Management is concerned about protecting
traffic flowing between the corporate and remote network and therefore wants
the traffic to be encrypted. Since both networks are protected from the Internet
by FireWall-1 machines, you will create a VPN and implement an ISAKMP/
Oakley encryption scheme. You will use a shared secret to implement
ISAKMP/Oakley between the two firewalls.
Remove or disable your previous encryption rule before proceeding with this
lab.
Encryption Schemes
1. From the Network Object Manager, highlight your firewall object
(fw.yourcity.com) and click Edit.
2. In the Workstation Properties window, select the Encryption tab. (The encryption
domain should be net-yourcity.)
3. Specify the encryption domain by selecting Other in the Encryption Domain box
and using the pull-down list to select yourpartnercity_net.
4. Specify ISAKMP/Oakley in the Encryption Methods Defined box and click Edit.
The ISAKMP Properties General dialog appears.
5. Specify the Encryption Methods and Hash Methods.
6. Select Pre-Shared Secret in the Authentication Method box.
7. Click the Edit Secrets button: The Shared Secret screen appears. Select your
firewall from the peer list and click Edit.
8. The Enter secret box appears. Type abc123 in the box and click Set.
9. Click OK until you have exited all the dialog boxes and are back to the rule-base
editor.
8. Right click the mouse or button in the Destination field of the new rule again and
select Add from the menu that appears.
9. A screen listing defined network objects will appear again. Select the
yourpartnercity_net object for your local network and click OK.
10. Right click the mouse or button in the Action column of the new rule and select
Encrypt from the menu that appears.
11. Right click the mouse or button in the Track column of the new rule and select
Long from the menu that appears.
12. In the Comment column, double click the mouse or button and enter an
appropriate description of the rule in the text box that appears.
13. Click OK.
14. Right click the mouse or button in the Action column and select Edit properties
from the menu that appears.
15. The Encryption Properties dialog appears. Select Log from the Protocol
Diagnostics box.
16. Select ISAKMP/Oakley from the Encryption schemes defined box, then click
Edit.
17. The ISAKMP Properties screen appears. Select Encryption + Data Integrity (ESP)
in the Transform box.
18. Specify methods for the Encryption Algorithm and Data Integrity.
19. Click OK until you are back at the rule-base editor.
Encryption Schemes
2. Attempt to access your partner city’s Web server.
3. Use the Log Viewer to view the log entries related to encryption, decryption and
key exchange.
Authenticated
Encrypted
Encryption Schemes
When defining encryption for a firewall, you use the Encryption tab of the
Workstation Properties screen (Figure 144):
Encryption Schemes
Figure 146: SKIP Properties (Rule Base) Screen
The following are the options for the SKIP Properties screen:
Crypt Algorithm — The data encryption algorithm.
MAC Algorithm — The data authentication algorithm.
Allowed Peer Gateway — Specifies the gateways with whom a gateway encrypting
under this rule is prepared to conduct an encrypted session. This field can be set to the
following values:
Any — FireWall-1 will attempt to find a suitable gateway based on Encryption
Domains.
Gateway Name — FireWall-1 will conduct encrypted sessions only with the
named gateway.
In both cases, a gateway is prepared to conduct encrypted sessions with another
gateway only if the packet's source IP address (for decryption) or destination IP
address (for encryption) is in the other gateway's encryption domain.
If both gateways are firewalled (FireWall-1 is installed on them both), then there
must be two rules — each one specifying encryption in one direction — and only
one rule must be installed on each of the gateways.
NSID — Name Space ID, the domain from which key IDs in the header are taken.
Select one of the following:
None — The keys are explicitly included in the header.
SKIP MD5 — The KeyIDs are an MD5 hash of the Diffie-Hellman public keys
IPSec Options — At least one option must be checked:
ESP — Encrypt.
AH — Authenticate.
3. Specify encryption domain: Click the Encryption tab (Figure 148). Select an II-4
encryption domain as either Valid Addresses (all internal objects’ IP addresses),
or select Other and specify the network or group object that represents the hosts in
Encryption Schemes
the encryption domain.
5. Generate a CA public key for SKIP: Click Local to select the local firewall and
Generate to begin creating the CA key (Figure 149).
6. Once FireWall-1 has finished generating the CA key, click OK to continue. The
generated CA key appears (Figure 150):
7. Generate the DH public key for SKIP: Select the DH Key tab and click Generate II-4
to generate the DH key (Figure 151). When asked if you want to generate a new
key, click Yes.
Encryption Schemes
Figure 151: SKIP DH Key Tab
8. Install the policy for key exchange: After the public keys have been created, the
security policy needs to be reinstalled so the remote firewall (on the other side of
the VPN) can retrieve the keys: Click OK twice and Close.
9. Click Policy > Install from the Security Policy GUI. When prompted for the
firewall on which to install the policy, select your firewall and click OK.
10. When FireWall-1 has installed the security policy, you will see a completion
message (Figure 152). Click Close to continue.
,QVWDOO6HFXULW\3ROLF\
6.,3BHQFU\SWLRQBSROLF\JHQHUDWHGLQWR6.,3BHQFU\SWLRQBSROLF\SI
&RPSLOHG2.
,QVWDOOLQJ6HFXULW\3ROLF\6.,3BHQFU\SWLRQBSROLF\SIRQDOODOO#IZ
,QVWDOOLQJ6HFXULW\3ROLF\RQIZ,PLDPLFRPVXFFHHGHG
'RQH
&ORVH
11. Get public keys (CA and DH) from a remote gateway: Click Manage > Network
Objects and select your local firewall.
12. Click Edit and the Encryption tab. Select SKIP and click Edit.
13. In the SKIP Properties screen, click Remote and select the remote gateway from II-4
whom you want to retrieve the remote CA key (Figure 153). Click Get to retrieve
the remote CA key.
Encryption Schemes
Figure 153: Getting the Remote CA Key
14. Select the DH Key tab and click Get to retrieve the remote DH key (Figure 154):
15. Add two rules to the rule base: The first rule will define SKIP as a service with
accept as the action. The second rule will define VPN encryption with Encrypt as
the action. For both rules, select the local and remote networks as destination and
source. The final rule base appears in Figure 155:
16. Define SKIP encryption for a VPN rule: Right-click the Action column and select
Edit properties (Figure 156):
Encryption Schemes
Figure 157: Encryption Properties Screen
18. Select SKIP as the encryption scheme and click Edit. Edit invokes the SKIP
Properties screen (Figure 158):
19. Once finished modifying the SKIP Properties screen, click OK twice to exit to the
rule base.
20. Verify and install the rule base: From the Security Policy GUI, click Policy >
Verify and wait for the “OK” message, then click Close to continue.
21. Install the rule base by clicking Policy > Install. When prompted to select a
firewall on which to install the policy, select your local firewall (Figure 159):
22. Click OK to continue. When FireWall-1 has installed the rule base, the II-4
completion screen appears (Figure 160):
Encryption Schemes
Figure 160: Installed Security Policy
23. Click Close and save the security policy: Click File > Save from the Security
Policy GUI menu.
3. In the Encryption Method Defined option, click the SKIP check box.
4. Click Edit. The SKIP Properties screen appears.
5. Click the Generate button. This will generate the SKIP CA key for your firewall.
6. Click the DH Key tab and the Generate button. This will generate the SKIP
Diffie-Hellman key for your firewall.
7. Click OK.
8. Reinstall the rule base. This is needed to update the SKIP CA and DH keys on the
firewall, so your partner can retrieve them.
4Retrieve SKIP keys
Specify SKIP and retrieve the SKIP CA and DH public keys from your partner’s
firewall.
Before proceeding, make sure your partner (fw.partnercity.com) has
completed all steps in the “Generate SKIP CA and DH keys” section in
this lab. You cannot retrieve the CA and DH keys from another firewall
until they have been generated and the rule base has been reinstalled.
1. In the Encryption Method Defined option of your partner’s firewall Workstation
Properties screen, click the SKIP check box. (The encryption domain should still
be set to partnercity-net.)
2. Click Edit. The SKIP Properties screen appears.
3. Click the Remote button. Select your partner’s firewall from the menu at the right
(that is, fw.partnercity.com).
4. Click the Get button. This will retrieve the SKIP CA public key from your
partner’s firewall.
5. Click the DH Key tab and the Get button. This will retrieve the SKIP Diffie-
Hellman public key from your partner’s firewall.
6. Click OK.
Encryption Schemes
1. Add a rule to the top of the rule base:
Destination: net-yourcity and partnercity-net
Source: net-yourcity and partnercity-net
Service: Any
Action: Encryption
Track: Long (You can see the encrypted/decrypted packets being logged in the
Log Viewer.)
2. With the cursor positioned over the Encryption icon in the Action column of the
new rule, click the right mouse button.
3. Select Edit Properties. The rule’s Encryption Properties screen appears.
4. Click SKIP as the Encryption Method.
5. Click Log as the Protocol Diagnostics.
6. Click OK.
4Add SKIP rule
1. Add a SKIP rule to the top of the rule base and install:
Destination: fwyourcity.com and fw.partnercity
Source: fw.yourcity.com and fw.partnercity.com
Service: SKIP
Action: accept
Track: Long
2. Install the new security policy.
4Test VPN
Test the VPN by viewing your partner’s Web page from your Internet server (that is,
www.yourcity.com). Look at the log entries. Encrypted packets will have blue lines
and decrypted packets will have purple lines. If you do not see this, check the
information generated in the Info column.
Review
Summary FireWall-1’s encryption works through the use of four encryption schemes: FWZ,
Manual IPSec, ISAKMP/Oakley (IKE) and SKIP.
Short for IP Security, IPSec is a set of protocols that supports secure exchange of
packets at the IP layer. For IPsec to work, the sending and receiving devices must
share a public key.
IPSec can be used manually (Manual IPSec) or with encryption schemes such as
ISAKMP and SKIP. The IPSec scheme of encryption adds a new IPSec and IP header
to a packet. IPSec then encrypts the new headers, while authenticating the IP and TCP
header and packet data.
Kijn — A longer-term key (changed every hour) that is used to encrypt Kp. Derived II-4
by computing MD5 over Kij and the number of hours since Jan 1, 1995.
Kp — Packet encrypting key that is used to derive encryption and/or authentication
Encryption Schemes
keys (equivalent to FWZ session key). By default, key is changed every two minutes/
10MBytes of data. Inserted into the SKIP header using Kijn.
FireWall-1’s SecuRemote product is another way for security engineers to ensure that
remote communications traveling through unsecured lines are encrypted.
Review Questions 1. What are the four types of encryption scheme? Which one is applicable to your
network?
Introduction
Overview Encryption is a method of modifying packet data so that the data can only be
decrypted with an encryption key. You use encryption with FireWall-1 through a
virtual private network, which provides secured connections between points where
encrypted data travels through the Internet.
FireWall-1’s SecuRemote product is another way for security engineers to ensure that
remote communications traveling through unsecured lines are encrypted.
SecuRemote
• SecuRemote Client
• SecuRemote service
• encapsulation
235
236 SecuRemote
SecuRemote
SecuRemote and FireWall-1 SecuRemote allows remote network users secure access to their internal
VPNs networks. This is called client-to-firewall VPN encryption and is used for remote
access.
SecuRemote User Figure 161 illustrates how SecuRemote allows a remote user to access their network: II-4
Encryption
Firewalled Gateway SecuRemote
Client Installed
3. The firewall passes the connection to the destination PC within the network.
SecuRemote
Client-to-Firewall SecuRemote runs on a remote client computer. The SecuRemote software on the
VPN (How client is called SecuRemote Client, and it communicates with the firewalled computer
SecuRemote Works) (Figure 162):
SecuRemote The SecuRemote service is the SecuRemote application that runs when Windows 95
Service or NT on the client computer starts. The SecuRemote service does the following:
• Loads the SecuRemote kernel module with information about all known firewalls
and their encryption domains; the SecuRemote kernel module is the core of the
SecuRemote service, and performs encryption functions
• Provides a GUI for adding, updating and removing sites (firewalled computers)
• Maintains a site list
Encryption
The FireWall-1 GUI Use the following FireWall-1 Security Policy GUI screens to configure SecuRemote:
Screens
• Workstation Properties (Encryption and Authentication tabs)
• User Properties (Authentication and Encryption tabs)
III-3
SecuRemote
Encryption options for the firewall are as follows:
Encryption Methods Defined — Encryption schemes defined for a firewall.
Encryption Domain — A network object (usually a network or domain) for which
this firewall performs encryption.
Security engineers use the Workstation Properties (Authentication Tab) screen (Figure
164) to configure a firewall with authentication for SecuRemote:
II-4
Encryption
Figure 165: Encrypted Topology Selected
III-3
SecuRemote
The Encryption tab defines the client encryption properties for SecuRemote users:
Client Encryption Methods — FWZ or ISAKMP/Oakley.
Successful Authentication Track — Logging options for Encryption attempts.
Configuring The following lists the steps for configuring the firewall for SecuRemote:
SecuRemote
1. Define user authentication and encryption.
2. Configure the firewall.
3. Install the security policy.
Encryption
3. Click the Authentication tab and choose an authentication scheme (Figure 166 on
page 241).
4. Click the Encryption tab to display the user’s encryption scheme (Figure 167 on
page 242).
5. Click the appropriate encryption scheme to enable it for the user. Click OK and
Close to continue.
SecuRemote
Security Policy GUI) whose action is Client Encrypt (Figure 168).
Services — Any
Action — Client encrypt for SecuRemote
Track — Short
Install On — Firewalled gateways
Time — Any time
Comment — VPN for all remote users
6. Save and install the security policy.
A Note about Default routing must ensure that reply packets returning to the SecuRemote client are
Routing routed through the same encrypting gateway through which the original packets were
routed.
If this is not the case, force reply packets back through the gateway via network
address translation on the gateway, hiding all outside addresses not in the internal
network behind the gateway.
Encryption
Figure 169: Specifying Encapsulation
III-3
SecuRemote
Software and The following lists the software and hardware requirements for installing
Hardware SecuRemote:
Requirements
• Windows 95 or NT (Intel x86)
• 6 MB disk space
• 24 MB memory (Windows 95); 32 MB memory (Windows NT)
• Microsoft MSTCP TCP/IP support
• CD-ROM or Internet capability
SecuRemote Before installing SecuRemote, you must know the topology of the site to which
Topology SecuRemote Client will connect by doing one of the following:
Requirements
1. Defining a site and downloading the topology. Download the site’s topology
when it changes at the initial setup and when the firewalled computer’s encryption
keys change.
2. Installing a standard userc.C file for SecuRemote users. This allows SecuRemote
Client to run transparently to end users. End users do not need to download the
topology of the sites to which they will connect.
Installing userc.C
To install userc.C, copy a standard userc.C file to the SecuRemote installation disk. If
you install SecuRemote from CD-ROM, copy userc.C to the
C:\WINNT\FW\DATABASE directory. userc.C ensures that all end users have the
same site configuration for SecuRemote Client. This file contains the following:
(
:options (
:default_key_scheme (isakmp)
:expire (15)
)
:gws ()
:managers ()
)
Since SecuRemote Client is not installed during FireWall-1 installation, you must
install SecuRemote Client on a remote device (such as a laptop computer). You must
install the Windows 95 version on Windows 95 only, and the Windows NT version on
Windows NT only.
1. Insert the disk or CD-ROM and click Start > Run. Browse the CD-ROM or disk
Encryption
for the file setup.exe. Click OK to begin the installation. The setup wizard
appears (Figure 170).
2. The first installation screen appears (Figure 171). Click Next to continue.
III-3
SecuRemote
3. At the Software License Agreement screen, click Yes to continue (Figure 172).
4. Select the destination directory for SecuRemote (Figure 173). Click Next to
continue.
II-4
After rebooting, the client PC displays the SecuRemote icon in the lower
right-hand corner of your task bar.
Encryption
III-3
SecuRemote
In this section you will learn how to configure a SecuRemote site so that a remote user
can connect to the internal firewalled network.
The SecuRemote To configure SecuRemote Client, security engineers use the FireWall-1 SecuRemote
Client GUI and Client GUI (Figure 174) and Sites screen (Figure 176):
Screens
Pull Down Menus This section describes the SecuRemote pull-down menus and icons. They are as
follows:
File:
Close — Close the SecuRemote daemon. The daemon remains active, but its screen is
closed. To open it again, click on its icon.
Kill— Deactivate the SecuRemote daemon. The kernel remains in the stack but it
does nothing.
View:
Toolbar — Toggle the display of the SecuRemote Client toolbar.
Status Bar — Toggle the display of the SecuRemote Client status bar. II-4
Large Icons — Display sites as large icons.
Small Icons — Display sites as small icons.
List — Display sites as a list.
Details — Display sites as a list showing details.
Encryption
Sites:
Make New — Create a site.
Delete — Delete a site.
Properties — Display a site’s properties.
Passwords:
Set Password — Enter a new password to be used for the next authentication.
Erase Password — Erase all passwords from the SecuRemote daemon’s memory.
Tools:
Options — Display the Options screen.
Entrust:
Create User — Create a user profile.
Recover User — Recover a user profile.
Select INI File — Specify the location of an ENTRUST.INI file. III-3
SecuRemote
Icon Function
Sites/Make New
Sites/Delete
Sites/Properties
Passwords/Set
Password
Passwords/Erase
Passwords
The Sites Screen The Sites screen defines the IP address of the firewall with which SecuRemote must II-4
communicate (Figure 176):
Encryption
Figure 176: The Sites Screen
SecuRemote
Last Update is useful to know when updating SecuRemote.
Configuring Configuring SecuRemote Client involves adding client sites and specifying the
SecuRemote Client firewall with which SecuRemote connects, as follows:
1. Click Sites > New from the FireWall-1 SecuRemote Client GUI’s main menu
(Figure 174 on page 250).
2. Type the name or IP address of the firewall with which SecuRemote must
communicate (Figure 176). Click OK when finished.
3. The final SecuRemote screen displays the firewalled computer as a site, with its
IP address displayed.
Authenticating with When you start a session that requires authentication by SecuRemote, the screen seen
SecuRemote in Figure 177 appears.
Users must be defined on the firewalled system before you can use SecuRemote. See
“Other Considerations for SecuRemote” on page 255.
Support for Public SecuRemote supports public-key infrastructures using X.509 digital certificates and
Key Infrastructures Entrust certificate authority. SecuRemote can request and validate Entrust certificates
on a user’s behalf to initial an Internet key exchange (IKE) key negotiating with a
FireWall-1 gateway.
Encryption
SecuRemote supports the public-key cryptography standard (PKCS) #11 interface for
accessing information contained in hardware or software tokens. PKCS #11-
compatible tokens provide secure storage of private keys used for data encryption and
digital signatures.
Other Firewalls If there are other firewalls along the path connecting the SecuRemote client and
SecuRemote server, configure the other firewalls to allow SecuRemote Client and
SecuRemote Server to connect.
For FWZ encryption, allow RDP (UDP on port 259). For ISAKMP/Oakley, you
should allow IPSec and ISAKMP/Oakley UDP on port 500.
Control Properties Some services provided by a server inside an encryption domain are configured, by
default, for SecuRemote users. These services are in the Properties Setup screen in
the FireWall-1 Security Policy GUI, as follows:
III-3
• FTP
• RealAudio
• VDOLive
• RPC
SecuRemote
Configuring a Objective: Set up a firewall to accept secure connections from SecuRemote clients.
Network with The traffic exchanged between the firewall and the SecuRemote client will be
SecuRemote encrypted using FireWall-1’s proprietary FWZ encryption features.
Scenario: Your company has several sales persons that access the Internet while they
are on the road. Company management wants to allow these sales persons to use the
Internet to link with the corporate network. Management is concerned about
protecting traffic flowing between the corporate network and these individual
machines on the Internet, and therefore wants the traffic to be encrypted. In order to
implement this, the clients will have SecuRemote client software installed. The
firewall and client will be configured to implement an FWZ encryption scheme.
4Yourcity firewall
On the firewall for yourcity, do the following:
1. From the Network Object Manager, highlight your firewall object
(fw.yourcity.com) and click Edit.
2. In the Workstation Properties window, select the Encryption tab. (The encryption
domain should be net-yourcity.)
Generate a Diffie-Hellman key by clicking the DH Key tab and clicking Generate. II-4
5. Click the OK button until you have exited all screens and are back to the rule-base
editor.
Encryption
screen appears:
Enter user name guest.
Select the appropriate color.
Leave the Expiration Date field empty.
Select the Authentication tab and verify that FireWall-1 password is selected as
the authentication method.
Enter password abc123 for the user.
2. Select the Encryption Tab:
In the Successful Authentication Track box, click Log.
In the Client Encryption Methods box, click the check box by FWZ. Then click
the Edit button. The FWZ Properties FWZ Encryption dialog will appear.
Verify that the session-key encryption method and data-encryption method are
both set to FWZ1.
In the Data Integrity Method box, click MD5. III-3
3. Click OK.
SecuRemote
2. Right click your mouse or pointer button in the Source field of the new rule and
select Add User Access from the menu that appears.
3. A dialog box listing the defined user and user group objects will appear. Select
the All Users user group object and click OK.
4. Right click the mouse or button in the Destination field of the new rule and select
Add from the menu that appears.
5. A dialog box listing the defined network objects appears. Select the net-yourcity
object for your local network and click OK.
6. Right click the mouse or button in the Action column of the new rule and select
Client Encrypt from the menu that appears.
7. Right click the mouse or button in the Track column of the new rule and select
Encryption
III-3
SecuRemote
Review
Summary In this chapter you learned about SecuRemote, a type of virtual private network
(VPN), which is a secured (private) network overlaid on an unsecured (public) IP
network infrastructure such as the Internet. SecuRemote provides secured
connections between points where encrypted communications travel along the
Internet. A VPN typically uses the Internet as the transport backbone to establish
secure links with business partners, extend communications to regional and isolated
offices, and significantly decrease the cost of communications for an increasingly
mobile workforce.
Review Questions 1. How do security engineers configure VPNs for use with SecuRemote?
Router Management
Unit IV — Chapter 1:
Router Management
Introduction
Routers are an integral part of an enterprise network, often sitting at the edge of
network boundaries. As you have already learned, routers can be used to filter
unwanted network traffic and are considered to be first-generation firewalls,
performing rudimentary packet filtering.
For the most part, router interfaces have not changed, still relying heavily on
character-based interfaces. Defining router specifications and filters can be difficult,
time consuming and error-prone. Because router commands are typically based on
sets of key words in combination with IP addresses, a high level of skill in router
configuration is required in order to set up a router filter list. And each router typically
has to be managed separately, providing no overall view of a network’s filtering.
263
264
Router Management
reducing the load on network firewalls and adding efficiency to router-security
management. Figure 178 displays two external networks using routers to
communicate through the Internet:
Supported Features
• Cisco PIX Import Security Policy
• PIX, Cisco, 3Com Logging
IV-1
Router Management
Router Interfaces Before configuring interfaces, security engineers must create a router object in the
Screens FireWall-1 Security Policy GUI. After defining the general router properties, security
engineers can create the appropriate interfaces.
Router Management
Figure 179: The General Tab of the Router Properties Screen
IV-1
A router is internal to its own management station and external to other
management stations. You cannot install a security policy on an object
from a management station where that object is defined as external. Only
Router Management
internal routers appear in the Log Viewer; security engineers can only
modify or control internal routers.
Type — The appropriate third-party vendor from the drop-down list.
This Net — Only packets whose source IP addresses are part of the network III-1
connected to this interface are allowed.
Specific — Only packets from this object allowed.
Router Management
Spoof Tracking Box — Options for spoof tracking; each option is available only if
routers support anti-spoofing:
None — No additional action taken.
Log — Spoofing attempt is logged; available only if router supports logging.
Alert — Action specified in the Anti Spoof Alert Command field in the Log and
Alert tab of the Properties Setup screen is taken; available only if router supports
logging.
Configuring SNMP Enable SNMP on a router so that FireWall-1 can get and set SNMP information from
a router. SNMP read and write passwords need to be chosen and added to the router
manually. Figure 181 shows the SNMP tab of the Router Properties screen.
IV-1
Router Management
Defining the Enable To define the enable password on a Cisco router follow these steps:
Password (Cisco)
1. Select Setup on the Router Properties screen (Figure 182).
III-1
Router Management
Figure 182: Router Properties for a Cisco Router
Defining Access A router access control list is a list of rules to be enforced on the routers. The access Router Management
Control List list contains the rules in the order in which they are to be enforced. All properties set
Properties up for an access control list affect routers in the same way that the security-policy
properties affect FireWall-1. The router term “access control list” is equivalent to the
FireWall-1 term “security policy.”
Figure 183 shows the Access Lists tab of the Properties Setup screen in the FireWall-1
Security Policy GUI.
A rule that is first is applied before all other rules. A rule that is before last
allows security engineers to define more detailed router-related rules that
will be enforced before the last rule is enforced. The cleanup rule is always
last in a rule base.
Accept Established TCP Connections — First, Last or Before Last to accept packets
of established TCP connections. Routers do not contain connection tables. FireWall-1
allows all packets that claim to be part of an established TCP connection through
(unless they are spoofed). This does not pose a security risk, however, because the
firewall’s operating system would discard packets not part of an established
connection.
Accept RIP — First, Last or Before Last for routing-information protocol (RIP) used III-1
by the routed daemon. RIP maintains information about reachable systems and routes
to those systems. Normally, you will use RIP.
Accept Domain Name Queries (UDP) — First, Last or Before Last for domain-name
Router Management
queries used by named.
Accept Domain Name Download (TCP) — First, Last or Before Last to upload the
domain name-resolving tables.
Accept ICMP — First or Before Last to accept Internet control messages.
Adding Set the Install On column to install on a router in the rule base in your security policy
Router-Enforced (Figure 184).
Rules to a Security
Policy
In Figure 184 the router rule allows any communications destined for the local
network. The router accepts all communications and logs it in long format (if it
supports logging).
IV-1
Router Management
2. The Install screen lists all internal firewalled hosts and routers. By default, all
internal firewalled hosts and routers are already selected (Figure 185).
You can clear specific items. The security policy will not be installed on
cleared items.
Objective: You need to define a router that you will add to your FireWall-1 Network
Router Management
objects.
IV-1
Router Management
Overview Setting up access lists allows FireWall-1 to provide router-logging support. The
FireWall-1 Log Viewer displays system log messages for supported routers and
security devices.
Router-Logging To add router logging to FireWall-1, security engineers modify the following screens:
Screens
• Router Properties
• UDP Service Properties
• Router Access List Operations
Router Management
Figure 188: UDP Service Properties
Router Management
To import routers, security engineers click Import Access List and specify the routers
by selecting them from the Router pull-down menu.
5. Define and install a security policy on your router, in which at least one rule is III-1
enforced by the router. Define the Track field as Long (Figure 191). The router
sends logs to the gateway; view the log with the FireWall-1 Log Viewer.
Router Management
Figure 191: Long Tracking in a Security Policy
Graphical Rule Base — Check to display the access list in the rule base.
6. Click OK to finish.
Lab 16: Importing Router Access Lists into the Rule Base (Solaris Only) III-1
Objective: Use the router access-list importation feature to turn a router’s access list
Router Management
into a rule base. This lab only works for Solaris.
Scenario: In order to bring an existing Cisco router under the control of a security
policy, you will import the router's access list and turn it into rules in a rule base.
If you cannot perform this lab in class, then this becomes a discussion lab.
Review III-1
Summary Routers are an integral part of an enterprise network, often sitting at the edge of
Router Management
network boundaries. FireWall-1 allows security engineers to manage a variety of
routers, manage the security policies of routers within security policies, and manage
multiple routers. FireWall-1 allows security engineers to maintain security on routers,
thus reducing the load on network firewalls and adding efficiency to router-security
management. FireWall-1 supports the following routers and features:
In addition, FireWall-1 provides the means to add extra security by using routers in a
firewalled network.
IV-1
3. How do you implement router security using FireWall-1?
Router Management
Navigating In FireWall-1
Unit IV — Chapter 2: IV-2
Account Management
Account Management
Client
Introduction
Client
Account management for a large network can be a daunting task. Maintaining
synchronized user databases is a time consuming chore. Organizations that have
multiple user databases in one firewalled network can appreciate a process where all
databases are maintained from one location. FireWall-1 allows such a process through
the use of the Account Management Client.
Security engineers have the ability to define and maintain databases through the
Account Management Client using the Lightweight Directory Access Protocol
(LDAP). The Account Management Client is an independent module used to integrate
an LDAP server with FireWall-1 user authentication. This chapter includes the
following topics:
• Definition of LDAP and X.500 Standard
• Installation and set up of Account Management Client
• Application of Account Management Client to the FireWall-1 security policy
285
286
Navigating In FireWall-1
Lightweight Directory Access Protocol (LDAP) is used to communicate with a server
that holds information about users and items within an organization. LDAP is the
lightweight version of the X.500 ISO standard. Each LDAP server is called an IV-2
“Account Unit.” Three features of LDAP are as follows:
Account Management
• LDAP is based on a client/server model in which an LDAP client makes a TCP
connection to an LDAP server
• Each entry has a unique distinguished name
• Default port numbers are 389 for a standard connection and 636 for a Secure
Sockets Layer (SSL) connection.
Client
X.500 History The purpose of electronic directories is not much different from that of printed
directories. Printed directories provide names, locations and other information about
people and organizations. In a LAN or WAN, this directory information may be used
for e-mail addressing, user authentication (such as logging on and passwords), or
network security (such as user-access rights). A directory may also contain
information on the physical devices on a network (such as PCs, servers, printers,
routers and communication servers) and the services available on a specific device
(such as operating systems, applications, shared-file systems and print queues). This
information may be accessible to applications and end users.
Early network directories were most often developed specifically for particular
applications. In these proprietary directories, system developers had little or no
incentive to work with any other system. But systems users, in an effort to rationalize
their ever-increasing workload, sought ways to share access to and maintenance of
directory databases with more than one application. This dilemma engendered the
concept of the directory as a collection of open systems that cooperate to hold a
logical database of information. In this view, users of the directory, including people
and computer programs, would be able to read or modify the information or parts of it,
as long as they had the authorization to do so. This idea grew into the definition of
X.500.
Multiple LDAP There are several advantages in using more than one LDAP server, including the
Servers following:
• Compartmentalization by allowing a large number of users to be distributed
across several servers
• High availability by duplicating information on several servers
• Remote sites can have their own LDAP servers that contain the database, thus
speed up access time
Distinguished Name A globally unique name for an entry, called a distinguished name (DN), is made by
associating the sequence of DNs from the lowest level of a hierarchal structure to the
root; the root becomes the relative DN. This structure becomes apparent when setting
up the Account Management Client (AMC), which manages multiple user databases
in one firewalled network.
Example
If searching for the name John Brown, the search path would start with John
Brown’s commonName. You would then narrow the search from that point, to
the organization he works for, to the country. In Figure 193, if John Brown
(commonName) works for the ABC Company, the DN syntax is:
II-2
Navigating In FireWall-1
root
IV-2
Account Management
US UK
country
(c)
ABC 123
Co. organization Co.
Client
(o)
John
John John
Brown commonName Brown
(cn)
The syntax “John Brown of ABC Company in the United States” composes
John Brown’s DN. A different John Brown who works at the 123 Company
could have a DN of the following:
The two common names “John Brown” belong to two different organizations
with different DNs.
Windows The AMC application, included with FireWall-1, can be installed directly from the
Installation Screens CD-ROM or copied to the directory of choice and installed.
Navigating In FireWall-1
starts from the correct drive or directory:
IV-2
Account Management
Client
Figure 195: Run Installation Program Screen
Solaris
To install AMC on a Solaris platform:
1. Become superuser.
2. Change to the directory in which the installation files are located (either on CD-
ROM or on the hard disk).
3. Type the following to install the AMC:
hostname# # pkgadd -d .
4. Select number 1 to install the AMC. Choices are as follows:
1) AMC Check Point Account Management Client (sparc) 1.0
2) CKPagent Check Point FireWall-1 Load Agent (sparc) 4.0
3) CKPfw Check Point FireWall-1 (sparc) 4.0
4) CKPfwgui Check Point FireWall-1 GUI (sparc) 4.0
5) CKPfwmap FireWall-1 HP OpenView Extension (sparc) 4.0,REV=98.01.26
Select package(s) you wish to process (or ’all’ to process all packages). (default:
all)
Navigating In FireWall-1
The LDAP server must be running in the background before starting the
AMC. The server and management client must bind with each other before
being able to talk to one another. IV-2
Account Management
1. Ensure Use LDAP Account Management is checked in the LDAP tab of the
Security Policy GUI’s Properties Setup Screen (Figure 196):
Client
Figure 196: The LDAP Tab
3. Create a server object for an LDAP server using the LDAP Account Unit
Properties tabs (Figure 197):
4. Use the same logon DN that you created when you created the Netscape LDAP
server (cn=loginname, no spaces).
Navigating In FireWall-1
To add LDAP authentication to the security policy, security engineers use the
following screens:
IV-2
• Security Policy Properties Setup
• LDAP Account Unit Properties
Account Management
The Security Policy Modify the LDAP tab of the Security Policy Properties Setup screen to add LDAP
Properties Setup authentication (Figure 198):
screen
Client
Figure 198: LDAP Properties Setup
Use LDAP Account Management — Check this option if User Authentication will
use LDAP Account Units, in addition to the FireWall-1 internal User Database.
If this option is checked, the other options in the screen are enabled. If this option
is not checked, User Authentication will use only the FireWall internal user
database.
Time-out on LDAP Requests: — An LDAP request will be considered to have timed
out after this period (specified in seconds).
Time-out on Cached Users — A cached user will be considered to no longer be valid
after this period (specified in seconds), and will be fetched again from the LDAP
Server.
Cache Size (Users) — This option specifies the number of users that will be cached.
Days before passwords Expire — Is the password specified in the General tab of the
Account Unit Properties screen expire after this period (specified in days).
This option is enabled when the checkbox is checked.
Number of entriesAU can return: — This option specifies the number of users that
can be returned in response to a single query to the account unit.
Display user’s DN at login: — Displays the user’s Distinguished Name at login. For
security purposes, it is recommended that this option not be enabled.
LDAP Account Unit Modify the LDAP Account Unit Properties screen to add LDAP authentication to a
Properties network object (Figure 199):
LDAP Rights — Privileges on the LDAP Server. Make sure that Read and Write are II-2
both checked.
Navigating In FireWall-1
Color — The color of the server’s icon.
Priority — This account unit’s priority in relation to other account units.
IV-2
Branches — The branches of the LDAP directory which will be available when
connecting to this LDAP Server.
Account Management
Adding LDAP Add LDAP authentication as follows:
Authentication
1. Launch the FireWall-1 Security Policy GUI.
2. Select Policy, Properties from the main screen.
Client
3. Click the LDAP tab and modify the appropriate options.
4. Click OK and exit the Security Policy Properties Setup screen.
hostname# /opt/AMC/accountMgm
Navigating In FireWall-1
The first time you access the AMC, there is no account unit set up. The AMC must
bind to the LDAP server. You will be prompted to set up the parameters for the
General, Encryption and Authentication tabs (Figure 201 on page 300, Figure 202 on IV-2
page 301, and Figure 203 on page 302).
Account Management
The Account Unit
Properties Screen Access this screen from the FireWall-1 Security Policy GUI.
The Account Unit Properties screen defines how to access an account unit on an
Client
LDAP server. By entering the DN, the AMC will connect to the server with the
specific DN for the branches that were set up in the LDAP database.
To configure account management, use the following tabs on the Account Unit
Properties screen:
• General
• Authentication
• Encryption
The General Tab The General tab sets up the host and account unit for the AMC (Figure 201):
Delete — To delete a branch from the list, select the branch and click Delete. II-2
Navigating In FireWall-1
The Authentication The Authentication tab sets up authentication properties for the LDAP server (Figure
Tab 202): IV-2
Account Management
Client
Figure 202: Account Unit Properties — Authentication Tab
The Authentication tab specifies the authentication schemes that will be supported by
the Firewall Module for users defined on this LDAP account unit.
The default scheme is the authentication scheme used when the LDAP server does not
provide a user’s authentication scheme. When an authentication scheme for the user is
defined on the account unit, but is not one of those checked in this window, then the
user will always fail authentication. However, if the LDAP server is read-only, then it
does not contain any FireWall-1-specific information (for example, authentication
schemes). The default scheme specifies which authentication scheme to use in this
case.
The Encryption Tab The Encryption tab sets up encryption properties for the LDAP server (Figure 203):
External User Group An external group is a user group whose members are defined in an external LDAP II-2
Screen directory server. You will add an external user group to your rule base.
Navigating In FireWall-1
IV-2
Account Management
Client
Figure 204: External User Group (LDAP) Screen
Name —The group’s name. This is the name that you will use in a rule base.
Color — The color of the group’s icon.
Account Unit — The account unit (LDAP server) on which the users in the external
group are defined. Select an account unit from the drop-down list. The account units
listed are those that were defined as LDAP account units in the LDAP Account Unit
Properties window. There are three possible ways of defining an external group based
on the users defined on the account unit:
All Account Unit’s Users — The external group includes all the users defined on
the account unit.
Only Branch — The external group includes all the users defined in the specified
branch on the account unit.
Only Group in Branch — The external group includes all the users defined in
the specified group on the account unit.
5. Click the Encryption tab and modify (Figure 203 on page 302).
6. Click OK when finished.
7. Click Manage > Users > New > External Group to create an external user group
(Figure 204 on page 303).
Before entering a new user, group or organizational unit, make sure that ‘schema
checking’ is disabled in the LDAP server. When schema checking is turned off, restart
both the LDAP server and the AMC before trying to enter information. If not, you get
the error seen in Figure 205.
2. Type the password. The password comes from the LDAP account unit that was II-2
installed and set up before installing the AMC.
Navigating In FireWall-1
3. Click OK.
IV-2
Account Management
Client
Creating an Object
When the AMC first binds to the account unit (the LDAP server), the account unit
name appears with a red X next to its icon (Figure 207). The X indicates that the
account unit has not been created within the AMC.
Navigating In FireWall-1
The toolbar buttons are shortcuts for menu commands. The actions of the buttons
duplicate actions that are available in the menus. To see a description for each button,
pass the mouse pointer slowly over the button. IV-2
Account Management
Figure 208: Account Management Client Toolbar Buttons
Client
File > New User Add a new user to the organization.
An organizational unit is created to hold lists of users, groups and templates. After
connecting to the LDAP server, the Account Management screen allows
organizational units, users, groups, and templates to exist as part of the LDAP
database. Likewise; if users and organizational units are created in the LDAP server
itself, they will also appear in the AMC database.
The left pane displays organizations and units within an organization. The right pane
displays all the users, groups and templates defined below the highlighted unit in the
tree shown in the left pane.
Creating an After creating the initial account unit, the next step is to add an organizational unit.
Organizational Unit Typically, an organizational unit is a major department name, but an organization is
represented by a company name, such as “Check Point.”
2. Select Add an Organizational Unit to open the New Organizational Unit screen II-2
(Figure 210):
Navigating In FireWall-1
IV-2
Account Management
Figure 210: Adding a New Organizational Unit
Client
3. Type the name (ou=organizational unit) of the new unit.
If you make a mistake while typing the organizational-unit name, use an
editor in Solaris or Windows NT to delete the incorrect organizational unit
in the LDAP server. Once you have done so, restart the above process. You
will not be able to correct a mistyped name after you press Add.
4. Click Add.
Deleting an The AMC does not allow deletion of an organizational unit from the GUI (true for
Organizational Unit Netscape’s LDAP server). The organizational unit is part of the directory setup and
must be edited/deleted with the command line in both NT and Solaris (Figure 211):
Navigating In FireWall-1
Before creating a user, group, or organizational unit, be certain that Schema Checking
is disabled in the LDAP server (see page 304).
IV-2
The New User Use the New User screen (Figure 212) to set up AMC for each network user. The
Account Management
Screen following tabs are part of the New User screen:
• Identification
• General
• Authentication
Client
• Location
• Time
• Encryption
• Groups
Identification Tab
This initial screen (Figure 212) is the starting point to identify and set up properties for
each user. Users can be defined individually or you can add users to a group.
General Tab
The General tab (Figure 213) allows you to add information about selected or new
users.
User expires on (dd-mmm-yyyy): — Enter the month, date and year the user’s
access will expire.
From Template — If the user acquires properties from a defined template, select
From Template to implement the expiration date of this user.
Comment: — Enter comments regarding the user.
From Template — If the user acquires its properties from a defined template,
select From Template to pull comments from the previously-defined template.
Email: — Enter the user’s e-mail address.
Navigating In FireWall-1
additional data is required. After selecting a scheme, the content of the screen changes
and displays the required options.
IV-2
Account Management
Client
Figure 214: New User — Authentication Tab
Location Tab
The location tab (Figure 215) controls a user’s allowed source and destination. You
can control which users are prohibited from certain segments of the network. For
example, a user may be allowed in the human resources area, but not in the accounting
area.
Navigating In FireWall-1
user is allowed to connect.
IV-2
Account Management
Client
Figure 216: New User — Time Tab
If certain days are selected with a certain time period, the time period
applies to all selected days.
From Template — Check this option to use the template given in the Link to
Template option in the Identification tab of the New User screen.
Encryption Tab
The Encryption tab (Figure 217) specifies the encryption and data integrity methods
for Client Encryption (SecuRemote) for the user:
FWZ Settings
Session Key Encryption Method — The encryption algorithm for session keys.
Available choices depend on the encryption algorithms installed.
Clear — Means no encryption.
Any — Means the session key encryption method is chosen by another party.
FWZ1 — Signifies the encryption algorithm for session-key encryption and data
encryption.
Data Encryption Method — is the encryption algorithm for communication packets.
Available choices depend on the encryption algorithms installed.
Clear — Means no encryption.
Any — Means the session key encryption method is chosen by another party.
DES and Triple DES — Signifies the encryption algorithm for session-key
encryption and data encryption.
Data Integrity Method — Sets the cryptographic checksum method used for
ensuring data integrity.
Password expires after — Sets the time (minutes) after which the password will II-2
expire, if you use a single-use password.
Navigating In FireWall-1
Successful Authentication Track — Sets the tracking method.
Account Management
Client
Figure 218: New User — Groups Tab
Add Template’s Groups — The groups defined in the template given in the Link to
Template option in the Identification tab.
Users can inherit data from a template by specifying the name of the
template on the Identification tab and checking From Template in each tab.
Managing Templates
A definition of a user can be based on a template from which the user inherits outlined
properties. In AMC, a template is “live,” which means that changes made to a
template are applied to all users who continue to inherit at least some of their
properties from the template.
The tabs and options of the New Template screen correspond to those of the New User
screen. Security engineers set up the Identification tab based on the needs of a global
template.
The New Template In the New Template Screen (Figure 219), security engineers modify the Identification
Screen tab to add user templates:
Navigating In FireWall-1
Templates are defined and listed in the Link to Template option (Figure 220). Click
the drop-down list to view and select template to apply to the user.
IV-2
Account Management
Client
Figure 220: New User to Template
Managing Groups
Groups are used as a single holding place for users with like properties. To define a
new group, use the New Group screen (Figure 221):
Navigating In FireWall-1
Objective: Student will set up the firewall to use LDAP to access a directory server
(X.500) for a user database.
IV-2
Scenario: Your company has begun using LDAP to manage its resources. You will
modify the firewall to use LDAP for external user groups in authentication.
Account Management
4Enable LDAP Account Management
Check to verify that LDAP Account Management is enabled:
1. Click Policy > Properties and click the LDAP tab.
2. Verify that Use LDAP Account Management is checked.
Client
3. Check the option for Display User’s DN at Login (for classroom purposes).
4. Click OK.
Navigating In FireWall-1
2. Telnet to port 259 of firewall from the internal client.
3. Enter LDAP login name and password. IV-2
Account Management
The firewall should authenticate successfully.
Client
Review
Summary The Account Management Client (AMC) is a means of authenticating and managing
users through a Lightweight Directory Access Protocol (LDAP) server. Individual and
multiple LDAP servers can be used. The benefit of multiple servers includes:
• Compartmentalization by allowing a large number of users to be distributed
across several servers
• High availability by duplicating information on several servers
• Remote sites can have their own LDAP servers that contain the database, thus
speeding up access time
A globally unique name for an entry, called a distinguished name (DN), is made by
associating the sequence of DNs from the lowest level of a hierarchal structure up to
the root that becomes the relative distinguished name. Organizational units are part of
the root and are built upon with additions of company names and departments. Users
and groups of users are added to departments.
Templates are used to apply features to users without having to recreate those features
for each user.
2. What is an object?
Unit IV — Chapter 3:
Load Balancing
Load Balancing
Introduction
Consider the following scenario: A network uses one server that cannot handle the
amount of traffic flowing through it. The security engineer obtains additional servers
to handle the load, but this creates another problem. Most of the network traffic is still
flowing through only one of the servers.
IV-3
To alleviate this problem, FireWall-1 load balancing redirects traffic and distributes it
among several servers. This reduces the load on any one server. Load balancing helps
security engineers manage network traffic from one firewalled computer.
Load Balancing
FireWall-1 load balancing tools include the following:
• HTTP redirect
• Load measuring
• HTTP logical server
• Load balancing algorithms
• Rule base order
325
326
Load balancing allows several servers to share and distribute the network load. The
FireWall-1 security engineer does this by creating a network objects of physical
servers, which is a group of physical servers that distributes network traffic among its
Load Balancing
group. Each server has a unique IP address, which is the address of the device through
which packets are routed for load balancing. Using address resolution protocol
(ARP), which is a TCP/IP protocol used to convert an IP address into a physical
address, FireWall-1 load balancing ensures packets destined to the IP address of a
logical server pass through the Firewall Module and to the appropriate physical server.
Figure 222 illustrates how load balancing works in FireWall-1: When a packet comes
through the Firewall Module, FireWall-1 decides to which physical server to send the
packet. Using a specified load balancing method, FireWall-1 routes the packet to the
specific physical server — whether in Group A, B or C — depending upon which
logical server is contacted. IV-3
Load Balancing
Packets flow
through the
firewall to the
logical servers.
Group A Group C
Group B
Load Balancing There are several load balancing components in FireWall-1. Each component has a
Components different function for managing traffic in a firewalled network. The Connect Control
Module is the FireWall-1 module containing the load balancing algorithms.
FireWall-1 load balancing algorithms determine which physical server will fulfill a
communication request. Connect Control provides a redirection mechanism, ensuring
that all traffic (from the same connection) is directed to the same server.
Persistent server mode allows a session to retain its load balancing method
until the session has ended (See “Logical Server Properties Screen” on
page 345). One example of this is loading multiple Web pages from one
site. Because each page is from the same site, FireWall-1 does not require a
new session to re-establish the original load balancing algorithm.
Load-Balancing Algorithms
When a communication request to a logical server’s IP address reaches the Firewall
Module, the FireWall-1 load balancing algorithm determines which physical server
will fulfill the request. FireWall-1 includes five load balancing algorithms. Each
algorithm prevents any server from handling a disproportionate volume of traffic.
Round Trip — Determines round trips between the firewall and each physical
server.
Round Robin — Chooses the next physical server in the server group.
Random — Chooses the physical server closest to the client, based on domain III-4
name; this is only useful for HTTP load balancing, because “others” load
balancing requires connections to pass through the firewall.
Domain — Chooses the physical server closest to the client, based on domain
name; this is only useful for HTTP load balancing, because “others” load
balancing requires connections to pass through the firewall.
Load Balancing
Connect Control is used for HTTP load balancing; all other load
balancing uses dynamic address translation.
IV-3
Load Balancing
HTTP Redirect HTTP load balancing uses a redirection mechanism ensuring that all communication
requests are directed to the appropriate server. This is vital for many Web applications,
such as HTTP applications. HTTP redirect is FireWall-1’s mechanism for directing
HTTP requests destined for a single HTTP logical server to multiple HTTP physical
servers.
When a client initiates communication with a logical server, HTTP redirects the
connection to the proper physical server, through the load balancing daemon. The
daemon notifies the client that subsequent connections should be directed to the IP
address of the selected server, rather than the IP address of the logical server.
The remainder of the session is conducted without the load balancing daemon’s
intervention. All operations are transparent to security engineers and end users (Figure
223).
n Step 1:
Client Ø Firewall Ø Daemon
Firewall with
Load
Balancing
Daemon
n Step 2:
Daemon Ø Server
Server 3
Server 1
1 FireWall-1 detects an HTTP request to a logical server and redirects the request to
the load balancing daemon, which resides on the firewalled computer.
2 The daemon notifies the client that the request is being redirected to the
destination physical (HTTP) server.
3 The rest of the session is conducted between the client and the destination server, III-4
without the intervention of the load balancing daemon.
If you are using HTTP redirect on the firewall, you must create two rules:
the first rule specifies the logical server for the HTTP session to connect.
The second rule specifies the physical server group that will communicate
Load Balancing
directly with the client throughout the remainder of the session.
Other Load Other load balancing places entries in the FireWall-1 address translation tables for a
Balancing connection. Other load balancing allows a server’s IP address to be a logical server’s
address from a firewall to a client, and a physical server’s IP address from a server to
the firewall.
IV-3
Load Balancing
The Connect Control Module is built into FireWall-1 and contains the load balancing
algorithms. FireWall-1 load balancing algorithms determine which physical server
will fulfill a communication request. When a service request reaches a firewalled
computer, the FireWall-1 load balancing daemon uses an algorithm to determine
which load balancing method to use.
The FireWall-1 load balancing algorithm prevents any server from handling a
disproportionate volume of traffic. In the case of the server load algorithm, each
incoming connection request is directed to the server with the lightest load.
Server load and round trip are HTTP load balancing algorithms. The main difference
between the two is that server load uses FireWall-1 load measuring — and therefore
requires the FireWall-1 load measuring agent installed on the physical servers — and
round trip does not.
n Step 1: Client
sends HTTP request n Step 2: Load Balancing Daemon uses
Firewall with
Load
Server-Load Algorithm to query traffic
Balancing on the physical servers
Daemon
Client
Server 1
with Load Measuring
n Step 3: Redirect Server 2
with Load Measuring
client request to server
Server 3
with Load Measuring
Load Balancing
3 The client communicates directly with the physical server, assuming the server is
using persistent-server mode.
Security engineers use the round trip algorithm when there is no load
measuring agent installed. When an internal network is not using an
architecture supported by FireWall-1, such as LINUX, HP MPE or IBM
IV-3
AS/400, load measuring cannot be installed. Figure 225 illustrates how the
round trip algorithm distributes communication requests.
Load Balancing
PINGs each server 3 times and
Firewall with
Load averages the shortest round-trip time
Balancing
Daemon
Server 3
Server 2 Server 1
n Step 3: Redirect
client request to server with
shortest round-trip time
Round Robin
With round robin load balancing, the FireWall-1 daemon chooses the next server in
the list. (Round robin is a sequential algorithm.) The round robin algorithm assumes
that all physical servers are equally capable of servicing connection requests,
regardless of location or server loading. Requests are directed to servers in sequential
order. If a server fails or is unreachable, the daemon ceases directing connections to
that server until it is available.
n Step 1: Client
sends request n Step 2: Load Balancing Daemon
Firewall with chooses next server in sequence
Load
Balancing
Daemon
Client 1H[W
Server 3
Server 2 Server 1
n Step 3: Redirect
client request to selected server
Random
The load balancing daemon chooses a server at random. When all other network
variables are deemed equal, the daemon directs connection requests to servers on a
random basis.
n Step 1: Client
sends request n Step 2: Load Balancing Daemon
Firewall with chooses a server at random
Load Balancing
Load
Balancing
Daemon
Client 5ROOWKHGLFH
Server 3
Server 2 Server 1
n Step 3: Redirect
client request to selected server
IV-3
Figure 227: Random Load Balancing
Domain
In this load balancing algorithm, FireWall-1 chooses the closest server based on
domain names. This algorithm is useful outside a network, such as when a domain
Load Balancing
name identifies the location of a remote device.
n Step 2: Load
n Step 1: Client Balancing Daemon
sends request notifies client of
Firewall with
Load redirection based on
Balancing domain name
Daemon
*REDFN
Client DQRWKHU
n Step 3: Redirect ZD\
client request to a closer domain
Load Measuring Load measuring is the FireWall-1 load balancing component that is installed on any
type of server using the server load algorithm for load balancing. Using load
measuring, the firewall is able to direct communication requests to a server with the
lightest traffic.
Load Measurement Interval — The interval at which load measurement measures III-4
the network load. FireWall-1 provides the default interval.
Log Viewer Resolver Properties — The Firewall load balancing daemon that
monitors load balancing. Security engineers do not view this directly.
Load Balancing
Configuring Load Load measuring is installed on the firewall during the FireWall-1 installation. To
Measuring configure load measuring, follow these steps:
1. Click Policy > Properties from the Security Policy GUI main screen.
2. Click the Miscellaneous tab and select options (Figure 229).
IV-3
Load Balancing
Use the FireWall-1 Security Policy GUI to choose which load balancing algorithm to
use. Figure 230 shows the round robin algorithm for an FTP server selected in the
Logical Server Properties screen.
The Logical Server The set up load balancing algorithms, modify the Logical Server Properties screen
Properties Screen (Figure 230):
Balance Method — Server Load, Round Trip, Round Robin, Random or Domain. III-4
Load Balancing
2. Select the appropriate logical server and click Edit.
3. Click the appropriate balance method.
IV-3
Load Balancing
Load balancing allows several servers in one network to share and distribute the load
among themselves, all while being protected by one firewalled computer. FireWall-1
does this through a logical server, which represents a group of servers that provide the
same services. The logical server is a legal IP address that is mapped to the external
interface of your firewall. The logical server points to a group of servers on which
your firewall is performing load balancing.
The Workstation Before creating a logical server, define the physical servers that will be part of the
Properties Screen logical server group. Add a network object to create an HTTP server (Figure 231).
Get Address — Retrieves the IP address; reduces the possibility of entering the III-4
address incorrectly.
Comment — Any information that describes this server.
Location — Internal objects on the server appear as external to other management
servers:
Load Balancing
Internal — Protected by the firewall.
External — Outside the firewall.
Type — Defines the type of server:
Host — A server with a single IP address.
Gateway — A server with multiple IP addresses.
FireWall-1 Installed — Indicates a FireWall-1 module is installed on the server.
Exportable — Allows remote users access to the server.
IV-3
Version — The FireWall-1 version installed on the server.
Load Balancing
Security Policy main screen.
2. On the General tab, select the appropriate options (Figure 231 on page 340).
3. Repeat for additional HTTP servers, for example: HTTP_Server_2,
HTTP_Server_3, and so on.
The Group To create an HTTP server group, include all physical servers providing the same
Properties Screen services in the Group Properties screen (Figure 232):
Creating a Server To create a new server group, follow these steps: III-4
Group
1. Click Manage > Network Objects from the Security Policy GUI main screen.
2. Select New and Group from the Network Objects pull-down menu.
3. The Group Properties screen appears (Figure 233):
Load Balancing
IV-3
Load Balancing
Figure 233: The Group Properties Screen
5. Enter a description of the server group in the Comment field. This text is
displayed on the bottom of the Network Object screen when this group is selected
(Figure 234):
The Logical Server The logical server is the server controlling the group of physical servers and displays III-4
Properties Screen in the Logical Server Properties screen (Figure 235):
Load Balancing
IV-3
Load Balancing
Refer to Figure 230 on page 338 for a description of each of the Logical
Server Properties option.
2. Click New > Logical Server. The Logical Server Properties screen appears
(Figure 235 on page 345).
3. Type an object (server) name in the Name option.
4. Enter the server’s IP Address in the IP Address field. (The logical server’s IP
address is the address of the device routed to the Firewall Module or the device
through which packets are routed for load balancing.)
5. Click Get Address to resolve the server’s name and IP address. If FireWall-1
cannot resolve the name and address, an error message appears (Figure 236):
6. Add descriptive text to the Comment field, if necessary. This text displays at the
bottom of the network-object screen (Figure 234 on page 344) when you highlight
the logical server.
7. Select the color of the server’s icon from the pull-down Color menu.
8. Select the server type, in this case, HTTP.
9. Click or deselect Persistent Server Mode.
10. Choose a server group from the pull-down Servers menu (Figure 237): III-4
Load Balancing
IV-3
Load Balancing
12. The completed Logical Server Properties screen is shown in Figure 238:
Load Balancing
Action: accept
IV-3
Load Balancing
Overview In the Logical Server Properties screen, choose Other when the server is an FTP
(Figure 239):
When you need to create other server types, you must understand how FireWall-1
handles load balancing. FTP (or other) load balancing is different from HTTP load
balancing. When Other is chosen under Server’s Type, load balancing is performed
using network address translation (Figure 240):
Load Balancing
1 The client sends a packet to the firewall; the packet is sent to the FTP logical
server, using IP address 204.32.38.101.
2 The load balancing daemon ensures the packet is load balanced via address
translation. The kernel translates the packet to the physical server’s IP address
(192.168.1.1), so that it can be properly load balanced.
3 When the packet exits the network, the load balancing kernel translates the packet
from 192.168.1.1 to 85.10.1.4 using backward address translation. The kernel
does this so the client will be able to match the reply IP address to its original IP
address.
IV-3
Address Resolution As mentioned earlier, in load balancing for other services, the IP address for a logical
Protocol (ARP) server is routed to the Firewall Module or the device through which packets are routed
for load balancing. Using ARP, the load balancing daemon ensures packets destined to
the IP address of a logical server pass through the Firewall Module and to the
Load Balancing
appropriate physical server.
To enable ARP:
1. Solaris engineers — On the gateway, link the IP address of your network’s router
to the physical address of the gateway’s external interface, as shown below:
arp -s 199.203.73.3 <MAC Address> pub
Load Balancing for As described earlier, before creating another logical server, define a server group and
Other Services the physical servers that comprise it. Figure 241 and Figure 242 display the properties
for an FTP server group and FTP logical server:
Load Balancing
• Balance Method = Round Trip
• Color = the predefined color for logical servers
IV-3
Load Balancing
Load Balancing
IV-3
Load Balancing
HTTP Logical When adding load balancing to a security policy, security engineers must consider rule
Servers in a Rule base order. In FireWall-1, packets are matched against the first three components of a
Base rule: Source, Destination and Service. Because rules are examined sequentially per
each packet, only packets not described by previous rules are examined by the
FireWall-1 implicit rule, which drops all packets not covered by previous rule bases.
2. There must be a different rule that allows the connection between the client and
the HTTP logical server (group). That rule can specify another action, for
example, client authentication (Figure 244):
Other Logical There are no special considerations for using FTP or other logical servers in a rule.
Servers in a Rule One rule, with the logical server as destination, is sufficient (Figure 245):
Problem You wish to hide the true IP address of the physical server to which your HTTP
redirect rule directs HTTP traffic. HTTP load balancing always rewrites the HTTP
logical server’s name when you tie several logical server names to one IP address. The
Load Balancing
HTTP protocol has a feature that uses a server’s name in the HTTP request. HTTP
load balancing rewrites the logical server name to the actual physical server it
represents.
Solution The way to solve this problem is to choose Server’s Type: Other for HTTP logical
servers sharing the same IP address (Figure 246):
IV-3
Load Balancing
Figure 246: HTTP Logical Server Configured as Other Server Type
Review
Summary Load balancing allows several servers in one network to share and distribute traffic
among themselves, thus using network resources efficiently.
In a rule base, packets are matched against the first three components of the rule base:
Source, Destination and Service. Since rules are examined sequentially per each
packet, only packets not described by previous rules are examined by the FireWall-1
clean-up rule, which drops all packets not covered by previous rules.
4. What are the load balancing algorithms and how are they used?
6. Why is rule base order an important consideration when setting up load III-4
balancing?
Load Balancing
IV-3
Load Balancing
Remote Management
Unit IV — Chapter 4:
Remote Management
Introduction
Some organizations are spread over a wide area, comprising the use of LANs and
WANs to aid in day-to-day operations. Many internal networks can be firewalled to
protect parts of the networks from internal intrusions, as well as protecting the
networks from outside attacks. With so many parts of an organization protected by
firewalls, it is important to give the security engineer the ability to control each
firewall from a central point.
361
362 Remote Management Architecture
• Sun & HP
• Windows NT Multiple Firewall Modules
• IBM RS/6000
• Bay Networks, Cisco and • Enforces security policy
• Reports status and log data
3Com Routers to its management server
• Xylan and Ipsilon Switches
• SunOS4
• Solaris2 • Manages object DBs, rule
• Solaris x86 bases, log files.
• HP-UX • Concurrent administrative
• Windows NT Management Module access with varying rights
• AIX
• Windows 95/NT
• X/Motif (Sun, HP & AIX) • Builds objects, rules.
• Views logs and FW status.
The Firewall Module can reside on internal and external gateways or hosts.
Figure 248 displays a management module controlling internal and external firewalls: IV-2
Remote Management
Management
Module with GUI
Firewall
Module
EXTERNAL REMOTE
INTERNAL REMOTE
Firewall
Firewall Firewall Firewall Module
Module Module Module
In Figure 249 the Firewall Modules are considered remote, even though they are
inside the network.
Setup The following are key points to consider when setting up remote management within a
Considerations firewalled network:
1. The Remote Management Module provides security between your network and
your firewall module by using encryption.
Remote Management
1 There are two firewalls between the Firewall Module and Management Module
(on the Management Station), and between the Management Module and the GUI
client. This is so that external hackers cannot access the Management Module.
2 The GUI client has multiple-user access, but is only allowed read access to the
Management Module.
3 With one Management Module, the FireWall-1 database is updated on the
Management Module only.
Remote Management
access rights and database info
The IP address is for the client who can access the Management Console.
A Note about the The FireWall-1 user database contains information about each user defined in
User Database FireWall-1, including authentication schemes and encryption keys. The user
database resides on the Management Station and on the firewalled devices.
A FireWall-1 user database does not contain information about users defined
externally to FireWall-1 (for example, users in external groups). But the database does
contain information about the external group (for example, on which account unit the
external group is defined). For this reason, changes to external groups take effect only
after a security policy is installed or a user database is downloaded.
To configure the remote GUI, you will set up a Management Station and a remote
Remote Management
Firewall Module. This ensures that the Firewall Module and Management Station are
connecting.
GUIs and Screens When configuring a Management Station, use the following FireWall-1 GUIs, tabs
and screens:
• The Configuration GUI and the following tabs:
Administrators
GUI Clients
Remote Modules
• The Security Policy GUI and the following tabs:
General
Interfaces
• The System Status GUI
Remote Management
Figure 253 displays the opening tab of the Windows NT FireWall-1 Configuration
screen:
Remote Management
Figure 254: The Administrators Tab
IV-4
Remote Management
Remote GUI 1. Start the FireWall-1 Configuration GUI. The FireWall-1 Configuration screen IV-2
Configuration Steps appears (Figure 253 on page 368).
2. Click the Administrators tab. The Administrators tab information opens (Figure
Remote Management
254 on page 369).
3. Click Add and the Add Administrator screen appears (Figure 255 on page 369).
4. Enter the administrator name, password and select the access level (Figure 257).
Click OK to continue.
Select the
Administrators tab
and press Add …
Solaris Engineers
IV-4
To add an administrator account in Solaris, run the following command:
# fwm -a
Remote Management
Select additional options as follows:
User — fwadmin
Permissions ([M]onitor-only,[R]ead-only,[U]sers-edit,read/[W]rite) — w
Password — abc123
5. Click the GUI Clients tab (Figure 256 on page 370).
6. Type the name or IP address of the remote host and click Add. Add as many
remote GUI clients as necessary and click OK to finish (Figure 258):
Select OK
Figure 258: Add the GUI Client
Solaris Engineers
To add the GUI client hostname to the gui-clients file, use the following commands:
Remote Management
Check the Read Only box
if the administrator has this
access level.
Figure 259: Logging on to the GUI Client
IV-4
Remote Management
Objective: You will attempt to manage a firewall that has been installed on a remote
(your partner’s) machine.
Scenario: Your company has multiple firewalls but only one firewall administrator.
Instead of physically moving to each firewall to administer the rule base you will
control each of the firewall’s remotely.
Remote Management
Remote Configuring the Management Station and Firewall has its limitations:
Management
• Single bundled products (licensed limited versions) do not support the separation
Limitations
of the Firewall Module and the Management Station.
• GUI Client access is supported for remotely accessing the Management Station on
all bundled products, including single bundled products.
Management Station Configuring the Management Station and firewall is a seven-step process:
and Firewall
1. On the Firewall Module, define the Management Station authentication key.
Configuration
2. Create the masters file on the firewall. Add the IP address of the Management
Station allowed to remotely manage the firewall.
3. Stop (fwstop) and start (fwstart) the firewall.
4. Create the firewall’s authentication key on the Management Station.
5. Define the Firewall Module workstation object in the Network Objects Manager.
6. Define a rule base on Management Station.
7. Install the rule base on Firewall Module gateway.
IV-4
Remote Management
Remote Management
Figure 261: The General Tab of the Workstation Properties screen
Remote Management
FireWall-1 Installed — The Firewall Module with FireWall-1 installed
Exportable — Information about this module can be made available to SecuRemote
clients
Location — Internal for this Firewall Module
Type — Gateway for this Firewall Module
Version — The Firewall Module version
Remote The following lists the steps for configuring the Management Station and Firewall:
Management
1. Click the Remote Modules tab (Figure 260 on page 376).
Configuration
2. Type the host name for the remote Firewall Modules.
3. Click Add to add each name.
4. Click OK to exit the Configuration screen.
5. Configure the key (password) that the master and remote devices will use to
authentication sessions:
a. From the OS prompt, change to the $FWDIR\bin directory. (Solaris
engineers, switch to the cd $FWDIR/bin directory.)
b. Add the authorization key that will allow the master device to authenticate to
the remote device (where abc123 is a sample external password, and
204.32.38.101 is a sample IP address):
fw putkey abc123 204.32.38.101
6. Edit the masters file on the firewalled computer, as follows:
a. From the OS prompt, change to the $FWDIR\conf directory.
b. Add the IP address of the Management Station that remotely manages the
firewalled computer; add the address to the masters file as follows (where
204.32.38.101 is an example IP address):
echo 204.32.38.101 > masters
c. Solaris engineers, create or edit the masters file, as follows:
cat | $FWDIR/conf/masters
204.32.38.101
^D
7. Stop and start the firewall: This causes the Firewall Module to reread the local
masters file and allow the Management Station to remotely install security
policies:
a. From the OS prompt, change to the $FWDIR\bin directory.
b. Type fwstop and press Enter; type fwstart and press Enter.
Solaris: ./fwstop and ./fwstart
c. When you see the message FW-1 started, exit the OS.
8. Create an authentication key: On the Management Console, an authentication key
needs to be created for each Firewall Module that this Management Console will
remotely manage. This is done using the fw putkey command with the following
arguments:
fw putkey -p password firewall-module-ipaddress
Remote Management
defined as an Internal object in order to be remotely managed.
10. Start the FireWall-1 Security Policy GUI. On the Login screen, click the Read
Only box for administrators or security engineers with read-only access (Figure
263):
IV-4
Remote Management
11. Create and install the security policy. After compiling the security policy, fwd on
the Management Station initiates a connection to fwd on the firewall and sends the
encrypted putkey password (Figure 264):
Objective: Configure the local management module and a remote FireWall Module in
Remote Management
order to have the local management module manage both the local and remote firewall
modules.
Scenario: Your company has remote networks in other cities. The networks at the
remote sites are protected by FireWall-1. You will administer the remote FireWall
Module at the selected cities as well as the local firewall. With your partner city
decide which one will be the master and which one will be the remote.
3. Add the address of the management module to the masters file in the
$FWDIR\conf directory by using the following commands:
NT
> cd $FWDIR\conf
> echo 204.32.38.n > masters
Solaris
# cd $FWDIR/conf
# cat | masters
# 204.32.38.n
# ^D
NT
> cd $FWDIR\bin
> fwstop
> fwstart
Solaris
# cd $FWDIR/bin
# ./fwstop
# ./fwstart
Remote Management
4Verify and Install the Policy
1. TELNET to an address behind the remote module that is not allowed by another
rule.
2. Use the Log Viewer to view the log entries. Are there any entries from the remote
module? (If you don’t see any check with the instructor.)
3. Start the System Status GUI. What do you see on the status screen? (You should
see both systems (Master and Remote) behind the firewall.)
IV-4
Remote Management
1. Start the System Status GUI. Type the name of your firewall server, your user
name and password, when prompted at the System Status login screen. Solaris
engineers, type the following command:
# $FWDIR/bin/fwstatus &
2. The Status screen appears (Figure 266). The GUI displays all remote devices,
allowing you to confirm that FireWall-1 recognizes all remote clients and
firewalls.
Remote Management
1. Remove the masters file from the $FWDIR/conf directory of the Firewall Module.
2. Bounce the firewall.
3. Start the Security Policy GUI; change the location of the Firewall Module to
external in the FireWall-1 Security Policy GUI.
IV-4
Remote Management
Using FireWall-1, security engineers can manage security policies among several
FireWall-1 applications in geographically different areas. Figure 267 displays the
concept of remote-security management:
Steps for Managing When configuring a security policy to manage a remote network, security engineers
a Remote Security create a security policy on the Management Module, as follows:
Policy
1 Create a security policy on the Management Module. In Figure 267 the security
policy is installed on the US FireWall-1 computer.
2 Install FireWall-1 remotely. In Figure 267 FireWall-1 is installed on a Firewall
Module in Israel.
3 Set up a security policy for a remote location. In Figure 267 the security policy is
set up for the Israel router.
2. Select Targets.
3. Choose the remote location object (Figure 269 and Figure 270): IV-2
Remote Management
Figure 269: Adding a Remote Firewalled Location
4. The remote security policy reflects the remote firewall (Figure 271):
Remote Management
Review
Summary The remote management capabilities of FireWall-1 are integral to the management of
firewalled systems from one centrally located management module. The components
that make up the remote management architecture are the Management Module, the
remote Firewall Module, and the Management Station.
Review Questions 1. What are the components of the remote management architecture?
2. Why must you configure both the remote management and Firewall management?
3. Why should you “bounce” the system after removing remote management?
Remote Management
IV-4
Remote Management
Chapter 1: Troubleshooting
Chapter 1: Trouble-
Unit V — Chapter 1: V-1
Tro u b l e s h o o t i n g
shooting
Troubleshooting
Introduction
This chapter covers some common FireWall-1 problems and offers solutions. This
material is not a comprehensive list of all potential problems. It is only meant to
initiate discussion.
393
394 Troubleshooting Error Messages
SMTP Mail-Server This error is an error-handling message that lists an error for the server, not the actual
Error firewalled device. In the event of the error Error Handling Server, the server is
notified.
FireWall-1 Cannot If FireWall-1 cannot resolve a name and address in a security policy, check the domain
Resolve a Name and name for the object to ensure the IP address is correct.
Address
Every time you use a domain name, a domain-name service (DNS)
translates the name into the corresponding IP address. For example, the
domain name www.example.com might translate to 198.105.232.4.
Installing SecuRemote 4.0 Beta-1 installs a defunct (beta) version of the Entrust API DLL
SecuRemote (kmpapi32.dll). Later versions of SecuRemote install a later version of the DLL, but
do not overwrite the older one, since both DLLs use the same version number.
Solution
If security engineers have installed SecuRemote 4.0 Beta-1 and are now installing a
later version, they must delete the kmpapi32.dll file from their SecuRemote device’s
c:\Windows\System directory (System32 on a Windows NT Server device).
Troubleshooting HTTP load balancing always rewrites the HTTP logical server’s name (URL). When
Load Balancing and security engineers tie several logical-server names to one IP address, FireWall-1 does
HTTP Logical the following:
Servers
1. The HTTP protocol has a feature that uses a server’s name in the HTTP URL
request.
2. HTTP load balancing, which redirects the HTTP request to a different IP address,
rewrites the logical-server name to the actual physical server it represents.
Solution V-1
To solve this problem, security engineers must choose other load balancing with
HTTP logical servers sharing the same IP address:
Chapter 1: Trouble-
Select Server Type Other in the Logical Server Properties screen (Figure 272). V-1
shooting
Troubleshooting
Figure 272: Logical Server Properties Screen
FireWall-1 Displays When systems administrators try to view the contents that were entered in the Account
an Account Management Client (AMC) and in the actual LDAP server, they may receive an
Management Client authentication error regarding the administration server. This error means the
Authentication Error Netscape Directory Server has not been set up completely.
Solution
1. Enter the directory manager’s password in the SuiteSpot settings.
2. Confirm the administrator’s name and password. This establishes
communications between the LDAP and administration server.
Deleting an Security engineers cannot delete organizational units in Account Management Client,
Organizational Unit once they are created.
Solution
Use an editor to do the following:
1. Delete the wrong name.
2. Open Account Management Client and re-enter the name.
Account FireWall-1 rejects the user’s password. This might happen if the user is defined
Management differently in the FireWall-1 user database, or in an Account Unit with a higher
priority.
Solution
Check the Display user’s DN at login field in the LDAP tab of the Properties Setup
screen and try again. The user’s DN appears and you can determine from where
FireWall-1 is getting the user’s password.
User not Found 1. Make sure that Use LDAP Account Management in the LDAP tab of the
Properties Setup screen is checked.
2. Using the Account Management Client, verify that the user is indeed defined in
the Account Unit.
Changes Made in Changes take effect only after one of the following happens:
the Account
• The cache times out
Management Client
Do not Affect • The Security Policy is installed
FireWall-1 • The User Database is downloaded
User Authentication If user authentication fails when you or a user attempts to connect, check the
following:
If this process is not running, start it. Check the process soon after user authentication
fails.
Authentication The two most common types of computers which run FireWall-1 are Management
Modules and Firewall Modules. Several possible scenarios exist for problems with
authentication. Each of the scenarios below present possible solutions.
Scenario A V-1
The key is not matched. In this case, when the fwstart command is issued on the
Management Module, the Firewall Module would report that the log connection could
not be authenticated.
Chapter 1: Trouble-
The Management Module message is: V-1
To solve this problem, use the fw putkey command to synchronize the keys:
shooting
Troubleshooting
4Type fw putkey <target> [-p password]
Scenario B
The Firewall Module does not recognize the Management Module. In this case,
attempting to install the security policy on the Firewall Module, would create the
following error:
Scenario C
Sometimes it is necessary to control a non-VPN Module from a VPN Management.
Since by default the Management would attempt to encrypt the communication with
the Firewall Module, which cannot decrypt it, this could cause a problem.
2. Copy the line that begins with the word CLIENT and place the copy above the
CLIENT line.
3. In the new line, replace the word CLIENT with the IP address of the Firewall
Module main interface.
4. In the new line, replace the word fwa1 with the word skey.
The new line should now look like the example below:
MASTERS : stat,getkey,gettopo/none opsec/fwn1 */fwa1
123.122.133.3: load,db_download,fetch,log/skey opsec/fwn1 */none
CLIENT: load,db_download,fetch,log/fwa1 opsec/fwn1 */none
* : stat,getkey,gettopo/none
unload,ioctl,load,db_download/deny opsec/fwn1 */fwa1
Internet Resources There are several Internet resources available to FireWall-1 security engineers. Figure
Chapter 1: Trouble-
273 displays the Check Point Resource Library Web page. V-1
shooting
Troubleshooting
Figure 273: Check Point Library Web Page
Other Check Point Web and Internet sites of interest include the following:
• www.checkpoint.com/products/technology/prodtec.html — Check Point
product technology
• www.checkpoint.com/corporate/contact_list.html — how to contact Check
Point in Israel and the US, including relevant e-mail addresses
• http://www.checkpoint.com/services/mailing.html — Check Point’s mailing
list
Encryption
The following Web sites are useful resources for help with ISAKMP/Oakley (IKE)
and IPSec encryption:
• www.ietf.cnri.reston.va.us/internet-drafts/draft-ietf-ipsec-oakley-02.txt
• www.ietf.cnri.reston.va.us/internet-drafts/draft-ietf-ipsec-isakmp-09.txt
• www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html
Overview This section will introduce you to two tools to help you debug FireWall-1: the -d
Chapter 1: Trouble-
switch and fwinfo. V-1
The -d switch A strong debugging tool is the -d option when added to the fwd, fwm and snmpd
shooting
To execute:
Troubleshooting
1. Kill the daemons, using the following commands:
fw kill fwd, fw kill fwm, fw kill snmpd
2. Rerun the daemons using the -d option, using the following commands for
Solaris:
fwd -d, fwm -d, snmpd -d
Use the following for Windows NT Server:
fw d -d fw m -m
Example
4. The connection that was from c0a86e05 (192.168.110.5) port 449 (1097) to
c7cb471e (199.203.71.30) port 15 (21) ip protocol 6 (TCP) was translated to
(the destination) c7cb47db (199.203.71.219) port 15 (21), using type other
(server type as defined in the logical server).
Environment Variables
Some processes, like security servers, do not print to the console, and therefore cannot
be seen by the fwd -d or fwm -d options. In these cases you will need an environment
variable.
Environment variables are set before the daemon begins running. To set environment
variables, do the following:
1. Kill the daemon.
2. Set env variable.
3. Restart daemon.
When variables are set, they write to a file and that information can be analyzed:
FWACLIENTD_DEBUG: Prints debug information into the aclientd.log file.
$FWDIR/log dir: Performs a sleep of 20 (default) on Solaris, and on NT Server
activates the debugger.
FWAFTPD_DEBUG: Prints debug information to $FWDIR/log/aftpd.log
FWAHTTPD_DEBUG: Prints debug information into the ahttpd.log file in the
$FWDIR/log dir. Performs a sleep of 20 (default) on Solaris, and on NT Server
activates the debugger.
HTTP_DEBUG: Prints debug information to the $FWDIR/log/ahttpd.log
HTTP_SLEEP: Performs a sleep of 20 seconds (by default, can be changed).
Chapter 1: Trouble-
the $FWDIR/log dir. Performs a sleep of 20 (default) on Solaris, and on NT V-1
Server activates the debugger.
FUNCCHAIN_DEBUG: This switch shows the debugging information of the
processes that are initiated by the procchain such as secureID authentication and
shooting
http resolving.
Troubleshooting
FUNCCHAIN_SLEEP: Sets the funcchain to a certain sleep period that a
debugger can be initiated.
FW_RESOLVE_DEBUG 1: Outputs debug information to consol regarding the
FireWall-1 resolving mechanism.
FWMDQ_DEBUG: Records all major actions (errors, AV handling, File
handling) to consol
MDQ_DEBUG: When set allows interactive debugging on NT Server (waits for
the debugger)
SMTP_DEBUG: Valid values are 1-3. When set outputs verbose information on
the smtp information to the file asmtpd.log.
If the latest smtp patch is installed, SMTP_DEBUG and MDQ_DEBUG can be
used in another way:
• Insert these switches into the $FWDIR/conf/smtp.conf file
• Kill the process using the -USR1 switch
• The debugging information will start immediately without the need to restart
the daemons
NT Server Issues
In addition to the debugging tools that are built into FireWall-1, some other methods
can be used to debug problems that are FireWall-1 related. On Solaris, use the core
dump and crash dump, and on NT Server, their equivalents: Dr. Watson and
memory.dmp.
Example
This example is a typical Dr. Watson which shows a FireWall-1 that crashed:
Using fwinfo as a This section will show you how to use fwinfo as a debugging tool.
Debugging Tool
Reproducing Configuration
Check the following:
1. What is the exact version of FireWall-1? Use fw ver to determine the version.
2. On what OS is FireWall -1 installed? If it is NT Server, then tar is not used. If it is
Solaris, this can be verified by looking for a Solaris command (date, hostname,
uname -a, w -u,…) being issued at the beginning of the fwinfo file.
3. Are the Firewall Module and the Control Module on the same machine? Check
this by looking at $FWDIR/conf/product.conf
To reproduce the policy we need to put a few files on our FireWall-1. Copy the policy
file, the object network file and the users file.
Copying files in Solaris platform is done after opening the fw.tar by regular cp.
1. In NT Server, open an empty new file and copy/paste from the fwinfo. The policy
file and object file will be in the fwinfo under "FireWall-1 Configuration, database
and state". The user files are under "Users Files".
The Policy file is in $FWDIRwdir\conf. It will usually be in the file rulebases.fws.
This file holds all the policies together.
2. This file is copied to $FWDIR\conf on your machine.
If you want to know the last policy that was installed and compiled, go to
$FWDIR\state\local.fc file. You will find the date, time and name of the last policy.
Example
V-1
2. On Solaris platform: $FWDIR/bin fwm -g ../conf/rule.W
3. Object network file is in $FWDIR\conf in the file object.C. Copy this file to
the firewalled device to the same place. The user’s file is copied only if it is
Chapter 1: Trouble-
being used in the policy. V-1
4. In Solaris, the file to be copied is fwauth.NDB (from the directory /conf) after
doing tar xvf to fw.tar to your machine. The backup files on the firewalled
shooting
device need to be deleted. These are: fwauth.NDBBKP from $FWDIR/conf
Troubleshooting
and fwuth.NDB from $FWDIR/database
5. Back up those three files on your machine before copying the files from the
fwinfo.
6. In NT Server, create the file by using copy/paste to a "file" (the user’s data
will be in the fwinfo under the title - "user files").
7. Issue the command: fw dbimport -r -f "file", which will put the user’s data in
the file fwauth.NDB. (Delete all other user data files).
HP-UX Installation To install the Account Management Client (AMC) for HP-UX, use the swinstall
application, as follows:
1. Become superuser.
2. Change to the directory in which the installation files are located (either the CD-
ROM or on the hard disk).
3. Enter the following command to register FireWall-1:
hostname# swreg -1 depot -x select_local=true -x\
target_directory=/directory_name
409
410
IBM AIX Installation To install the Account Management Client (AMC) for IBM AIX.
1. Become superuser.
2. Change to the directory in which the installation files are located (either the CD-
ROM or on the hard disk).
3. Enter the following command to register the directory for the installation process:
hostname# smit &
4. Click on Software Installation and Maintenance.
5. Click on Install/Update Software.
6. Click on Install/Update Selectable Software (Custom Install).
7. Click on Install Software Products at Latest Level.
8. Click on New Software Products at Latest Level.
9. In the New Software Products at Latest Level screen, enter the input device or the
name of the directory where the FireWall-1 installation files are located.
Appendix F: Security
Appendix B: Security
Considerations
Considerations
Solaris Notes The Security Association expiration time that the gateway sends in its IPSec proposals
(ISAKMP phase 2) can be configured using an environmental variable. Security
engineers do so with the following Solaris commands:
fw stop
setenv FWISAKMP_SAEXPIRE n
fwstart
Additional 1. Security engineers must modify the cms.ini file on all machines running the
Information Firewall Module.
2. Security engineers must enable the connection between the FireWall-1 daemon
and the PKI, as part of the security policy. This can be done easily by defining
two TCP services for the CA and for the LDAP server and enabling them in the
rule base. (The TCP ports of these services are defined in the cms.ini file.)
3. The daemon which communicates with the PKI uses some run-time libraries
which are available in the $FWDIR/lib directory after FireWall-1 installation.
4. The environmental variable LD_LIBRARY_PATH has to be defined and
$FWDIR/lib must be specified as one of the directories in the list on each Firewall
Module to enable the FireWall-1 daemon to function.
413
414
Solaris/NT Syntax The command line syntax presented in this section is in Solaris syntax. Differences
Differences between Solaris and NT command line syntax are illustrated in the table below:
Solaris NT
/ in file names \ in file names
fwm fw m (space after fw)
Setup Setup commands are used to reconfigure existing setups, install or uninstall
FireWall-1 software and to load/or kill various FireWall daemons.
fwconfig
fwconfig reconfigures an existing FireWall-1 installation.
Syntax
fwconfig
Windows NT
In Windows NT, the reconfiguration application is a GUI application that displays all
the configuration screens from the FireWall-1 installation as tabs in the same screen.
415
416
To reconfigure an option, select the appropriate tab and modify the fields as required.
Click OK to apply the changes.
Solaris
fwconfig displays the following screen. Choose the configuration options you
wish to reconfigure.
Thank You...
fwinstall fwinstall installs the FireWall-1 software from the files extracted from the distribution
media. The configure option of fwinstall can be used to modify an existing
configuration, and the upgrade option can be used to upgrade to a newer version of
FireWall-1.
fwstop fwstop kills the FireWall-1 daemon (fwd), the Management Server (fwm), the
FireWall-1 SNMP daemon (snmpd), and the authentication daemons, and then
unloads the FireWall Module. It tells the Kernel Module to detach itself from the TCP/
IP protocol stack and removes it from the kernel in architectures where possible.
This component is security enforcing.
fw The fw program manages the system. Its specific action is determined by the first
command line argument. Commands may have a subject (target). Three options
(parameters) specify the targets. If more than one is used, the command executes on
the combination of targets.
Control The control commands compile and install a Security Policy and Inspection Script as
well as create Log Files, install FireWall-1 authentication passwords and licenses and
download user database objects.
fw load fw load compiles INSPECT code. It then installs the security policy on the target
computers, using either ioctl’s (if it needs to install the security policy on the local
computer), or calling a remote fwd (if it needs to install the security policy on remote
computers). The same functionality is also available in the daemon and the
Management. This component is security enforcing.
Syntax
fw load [-all | -conf confile] [filter-file | rule-base] targets
fw load compiles and installs an Inspection Script (*.pf) file into the targets’ FireWall
Modules. It converts a Rule Base (*.W) file created by the GUI into an Inspection
Script (*.pf) file and performs the above operations. If no target is specified, the
Inspection Code is installed on the local host.
Targets
-conf confile — the command is executed on targets specified in confile; each line
in confile has the syntax of a target in a target.
-all — the command is executed on all targets specified in the default system
configuration file ($FWDIR/conf/sys.conf).
targets — the command is executed on the specific named target; the dot (.) and
the at-sign (@) are part of the format; spaces around them are not allowed.
For each option, it is sufficient to type the first character.
Formats
interface.direction@host
host
interface.direction
Example
le0.in@host1
all@host2
host3
all.out
all.all
Parameters
interface — name of an interface on the target host; if all is specified, all configured
interfaces on the target host are loaded. Examples: le0; lo0; all.
direction — in, out, or all; the reference point for the direction is the target host.
host — target host specified using the host’s name (the name returned by the
hostname command) or its IP address
all — different meanings according to its place; may specify both directions, all
interfaces or both directions on all interfaces.
If host is not specified, localhost is assumed. If only host is specified, all is assumed
(meaning both directions on all interfaces).
Several targets may be specified in various formats. Command line separators are
subject to the rules of the shell. Spaces and tabs are the most common separators.
The format of configuration files is identical to the format of targets. In configuration
files, the following separators may be used:
Space,
Tab
Comma
New Line
Before loading any interface of a target host, FireWall-1 first completely unloads it.
Hence, some interfaces on a target host might be left unloaded (if the new Rule Base
or compiled FireWall Module does not contain a rule for them).
The scope of a set of rules in a Rule Base and the targets of a Rule Base
installation are not the same. The system will install the entire Rule Base
on the designated targets. However, only the rules whose scope includes
the target system are actually enforced on a target.
To protect a target, you must load a Rule Base that contains rules whose scope
matches the target. If none of the rules are enforced on the target, then all traffic
through the target is blocked.
Example
fw load my_rules.W
fw load gateway.pf gateway1
fw load -all complex_rules.pf
fw unload fw unload uninstalls the currently loaded Inspection Code from selected targets.
Syntax
fw unload [-all | -conf confile] targets
Example
fw unload gateway1
fw unload -a
fw fetch fw fetch fetches the last Inspection Code installed on the local host. You must specify
the Master where the Inspection Code is found. Use “localhost” if there is no Master
or if the Master is down. You may specify a list of Masters, which are then searched in
the order listed. It is security relevant.
Syntax
fw fetch targets
Example
fw fetch gateway1
fw logswitch fw logswitch creates a new Log File. The current Log File is closed and renamed
$FWDIR/log/fw.log current date, and a new Log File with the default name
($FWDIR/log/fw.log) is created. Old Log Files are located in the same directory. You
must have the appropriate file privileges to run fw logswitch . In addition, a
Management Station can use fw logswitch to switch a Log File on a remote machine
and transfer the Log File to the Management Station. The module is security
enforcing. The same functionality is available in the FireWall Management Module.
Syntax
fw logswitch [-h target] [+|-][“” | old_log]
Parameters
target — the resolvable name or IP address of the remote machine (running either a
FireWall Module or a FireWall Management Module) on which the Log File is
located. The Management Station (on which the fw logswitch command is executed)
must be defined as one of target’s Management Stations. In addition, you must
perform fw putkey to establish a control channel between the Management Station and
target.
+ — the Log File is transferred from target to the Management Station. The
transferred Log File is compressed and encrypted. The name of the copied Log File on
the Management Station is prefixed by target. This parameter is ignored if target is not
specified. There should be no spaces between this parameter and the next one.
“” — delete the current Log File (on target if specified; otherwise on the Management
Station).
The following tables list the files created in the $FWDIR/log directory on both target
and the Management Station when the + or - parameters are specified. Note that if “-”
is specified, the Log File on target is deleted rather than renamed.
If target is specified:
Table 9:
Table 10:
Table 11:
Table 12:
Table 13:
If either the Management Station or target is an NT machine, the files are created
using the NT naming convention.
Example
The following command creates a new Log File and moves (renames) the old
Log File to old.log:
fw logswitch old.log
Syntax
fw putkey <target> [-p password]
Parameters
target — the resolvable name of the machine on which you are installing the key
(password); this is not necessarily the “closest” interface to you. If you use the wrong
interface, then you will get error messages such as the following:
“./fwd: Authentication with hostname for command sync failed”
You will be prompted for this if you do not enter it on the command line.
fw putlic putlic installs a FireWall-1 license on a host. You can also configure licenses with the
fwconfig command.
This component is security irrelevant since the FireWall won’t stop protecting a
network because of an invalid license.
Syntax
fw putlic [-overwrite]
[-check-only] [-check-one] [-f licensefile]
[-n netmask] [-kernelonly]
hostname|ip-addr|hostid|eval
k1-k2-k3 features
Parameters
-overwrite — overwrite any existing licenses with the new license.
-check-only — verify the license.
-check-one -
-f licensefile — is the name of the file with the license text.
-kernelonly — copy the user level license to the kernel; takes no parameters.
hostname — is the host’s name (the name returned by the hostname command).
ip-addr — is the host’s IP address.
hostid — on Solaris systems, this is the EPROM number uniquely identifying the
host; on HP-UX systems, this is a hex number preceded by “0x”; on NT systems,
this is the IP address.
eval — is the evaluation license.
k1-k2-k3 — is the license.
features — are the license features.
Example
Typing:
fw dbload fw dbload downloads the user database and network objects information (for example,
encryption keys) to selected targets. If no target is specified, then the database is
downloaded to localhost.
Syntax
fw dbload [targets]
Monitor
Monitor commands display the status of target hosts, print lists of hosts protected,
display or export the content of Log Files, display the version number, and print
license details.
fw stat fw stat displays the status of target hosts in various formats. This is security irrelevant.
Syntax
The default format displays the following information for each host: host name, Rule
Base (or FireWall Module) file name, date and time loaded, and the interface and
direction loaded. If no target is specified, the status of localhost is shown.
Parameters
-short — use short format; for each direction and interface displays: host name,
direction, interface, Rule Base file name and loading date. This is the default format.
-long — use long format; in addition to short format, displays number of packets in
each of the following categories: total, rejected, dropped, accepted, and logged.
fw stat
fw stat -s -a
fw stat -l gateway1
Syntax
fw lichosts
fw log
This component is partially security enforcing and partially security relevant. Similar
functionality is also available in fwm.
Syntax
fw log [-f[t]] [-c action] [-l] [-start time] [-end time]
[-b stime etime]][-h hostname] [log-file] [-n]
Parameters
-f — after current display is completed, do not exit but continue to monitor the Log
File and display it while it is being written.
-ft — same as -f but does not display the current Log, only new events.
-c action — displays only events whose action is action, that is, accept, drop, reject,
authorize, deauthorize, encrypt and decrypt; control actions are always displayed.
-start time — displays only events that were logged after time; time may be a date, a
time, or both. If date is omitted, then today’s date is assumed.
-end time — displays only events that were logged before time; time may be a date, a
time, or both.
-b stime etime — displays only events that were logged between stime and etime,
each of which may be a date, a time, or both; if date is omitted, then today’s date is
assumed.
-h hostname — displays only log entries sent by the firewalled machine hostname.
-n — does not perform DNS resolution of the IP addresses in the Log File (this option
significantly speeds up the processing)
Example
fw log
fw log | more
fw log -c reject
fw log -s Jan1
fw log -f -s 16:00
Syntax
fw logexport [-d delimiter] [-i inputfile] [-o
outputfile]
[-r record_chunk_size] [-n]
Parameters
-d delimiter — output fields will be separated by this character; the default is comma
(,).
-n — does not perform DNS resolution of the IP addresses in the Log File. (This
option significantly speeds the processing.)
fw ver fw ver displays the FireWall-1 version number. This is the version of the FireWall-1
daemon, the compiler and the Inspection Script generator (fw gen). The version of the
GUI is displayed in the opening screen, and can be viewed at any time from the Help
menu. This component is security irrelevant.
Syntax
fw ver
This component is security irrelevant since the FireWall won’t stop protecting a
network because of an invalid license.
Syntax
fw printlic [-k]
Parameter
-k - Print the license in the Kernel ModuleExample
fw sam fw sam enables blocking connections to and from specific IP addresses without
changing the Rule Base.
Syntax
fw sam [-f FireWall-1 module] [-t timeout]
<-s src sport dst dport proto | -i ipaddr | -u ipaddr>
Explanation
The -f FireWall-1 module parameter specifies the FireWall Modules on which to
enforce the action.
Table 14:
-t timeout specifies the time period (in seconds) for which the action will be enforced.
The default is forever.
When the parameter -s src sport dst dport proto | -i ipaddr | -u ipaddr is used, the
connection with the given parameters is closed.
The following parameters are available for use with this parameter:
src — source IP address (dot format) or resolvable name
sport — source port (integer)
dst — destination IP address (dot format) or resolvable name
dport — destination port (integer)
proto — protocol (integer)
-i ipaddr — connections to and from this address (in dot format or resolvable
name) inhibited
-u ipaddr — inhibited connections to and from this address (in dot format or
resolvable name) uninhibited.
Utilities
The Utilities commands perform various actions such as download security policy to a
specific router type, generate alerts, import or export the user database.
fwciscoload fwciscoload downloads a Security Policy to a Cisco router. This component is security
irrelevant unless routers controlled have an E3 certification.
Syntax
If only a password and an enable password are required, then the syntax is:
fwciscoload machine-name conf-file LoginPassword
EnablePassword
Parameters
machine-name — router name
conf-file — security policy file (must be in $FWDIR/conf)
LoginPassword — login password for the Cisco router
EnablePassword — enable password for the Cisco router
If the Cisco router uses the TACACS protocol. If a user name is required in addition to
the password and enable-password, then the syntax is:
fwciscoload machine-name conf-file UserName LoginPassword
EnableName EnablePassword
TACACS Parameters
machine-name — router name
conf-file — security policy file (must be in $FWDIR/conf)
UserName — user name
LoginPassword — login password for the Cisco router
EnableName — enable name
EnablePassword — enable password for the Cisco router
Each of the last four parameters can be XXX to indicate that it is unneeded, or
PROMPT to indicate that the user should be prompted for the parameter. Use
PROMPT when you do not want a password to appear on the command line or if the
password is not fixed (for example, with SecurID).
Alternatively, you can download the Security Policy using a TELNET-like interactive
session. You should use this option when the enable-login is not covered by the above
options. In this case, type:
fwciscoload machine-name conf-file -t
The interactive session will begin. Enter enable mode manually. Type Ctrl-C to exit
fwciscoload.
Type Ctrl-] to return to fwciscoload, which then downloads the Security Policy and
exits.
XXX and PROMPT are case-insensitive and cannot be used as either name
or password. If the TACACS authentication connection between the Cisco
router and the TACACS server passes through a firewalled machine, you
must enable the connection in the Rule Base.
Example
The command:
fwciscoload cis cis.cl XXX 1234 abcd PROMPT
downloads the policy file cis.cl (in $FWDIR/conf) to the router cis.
There is no UserName.
EnableName is abcd.
fw ctl fw ctlcommands send control information to the FireWall-1 Kernel Module. The
fw ctl debugging commands are presented in the debugging section of this
appendix.
Syntax
fw ctl [ip_forwarding option] | pstat | install |
uninstall
Parameters
ip_forwarding never — indicates that FireWall-1 does not control (and thus
never changes) the status of IP Forwarding.
ip_forwarding always — indicates that FireWall-1 controls the status of IP
Forwarding as described below.
fstat pstat prints statistical information gathered by the kernel module since the driver was
installed.
Syntax
fw ctl pstat
Example
Memory: 524288 bytes, 512224 avail, Requests: 637830 alloc, 637635 free,
0 reject
Cookies: 1972405 total, 411870 alloc, 411870 free, 30001 dup, 4344704 get,
120861 put, 2038056 len
Table 15:
Output Explanation
Memory: 524288 bytes, 512224 A pool of 524288 bytes were allocated by the FireWall-1 mod-
avail, Requests: 637830 alloc, ule kernel for its needs (mainly for internal dynamic and static
637635 free, 0 reject kernel tables). 512224 bytes are available in that pool. There
are 637830 allocation operations and 637635 free operations
while none had to be rejected due to memory exhaustion.
Inspct: 1853775 packets, This information relates to the virtual machine’s activity.
215915927 operations, 5098022 (Those are virtual machine operations, and lookups and records
lookups, 241118 record, 94958150 in tables and the number of packets inspected.)
extract
Cookies: 1972405 total, 411870 FireWall-1 uses an abstract data type, call cookie, to represent
alloc, 411870 free, 30001 dup, packets. This statistic relates to the code that handle those
4344704 get, 120861 put, 2038056 cookies and is used only for heuristic tuning of our code.
len
Fragments: 142389 fragments, 0 FireWall-1 performs ’virtual re-assembly’ which means that it
expired, 24012 packets gathers all the fragments of a packet before processing that
packet. This statistics information tells you that the kernel
module has processed 142389 fragments and assembled them
to 24012 packets while nonfragments were expired (fragments
expire when their packet fails to be reassembled in a 20 second
time frame or when, due to memory exhaustion, they cannot be
kept in memory anymore).
Translation: 245/1023021 forw, The information that relates to address translation. 245 of the
222/829627 bckw, 467 tcpudp, 0 1023021 packets, going on the 'forward' direction (forward –
icmp, 36-31 alloc. outgoing, backward - incoming), while 222 of the 829627
packets, going on the 'backward' direction, where translated.
467 of the translations were of TCP/UDP packets while no
ICMP packet had to be translated. 36 TCP/UDP port numbers
were dynamically allocated while 31 were deallocated.
FP Forwarding When FireWall-1 controls the status of IP Forwarding, then FireWall-1 changes the
status as follows:
• When FireWall-1 is stopped (fwstop), IP Forwarding is disabled
• When FireWall-1 is started (fwstart), IP Forwarding is enabled
This ensures that there is never a time (after FireWall-1 has been started for the first
time) that the host is forwarding without the FireWall-1 FireWall Module being loaded
with a Security Policy.
Syntax
fw ctl ip_forwarding always
You may wish to do this in /etc/rc.single, just before the sync command, as follows:
loadkeys -e
# Disable ip forwarding
echo "ip_forwarding/W 0" | adb -w /vmunix /dev/kmem
#
sync
exit 0
) < /dev/null > /dev/null 2>&1
HP–UX 9
To disable IP Forwarding, type (as root):
echo "ipforwarding/W 0" | adb -w /hp-ux /dev/kmem
HP–UX 10
On HP-UX 10, the same commands (as for the HP-UX 9) can be put early in the rc2.d
directory, provided that /usr is mounted locally. In this case, you could put these
statements in /sbin/init.d/noipforward: The files in the rc2.d directory are executed
one after the other, in alphabetical sequence of their names.
#!/sbin/sh
PATH=/sbin:/usr/sbin:/usr/bin
export PATH
case "$1" in
start_msg)
echo "Turn IP-Forwarding OFF"
;;
stop_msg)
echo "(Not Turning IP-Forwarding on)"
;;
’start’)
if [ -x /usr/bin/adb ]; then
echo "ipforwarding/W 0" | adb -w /stand/vmunix
/dev/kmem
fi
;;
esac
exit 0
If /usr is not mounted locally, then put the above statements in a file that is executed
after /usr is mounted.
Windows NT Server
1. When you install FireWall-1, check Control IP Forwarding in the IP Forwarding
screen. If you have already installed FireWall-1, reconfigure FireWall-1 using the
FireWall-1 Configuration application. When you do so, the different configuration
options will be displayed as different tabs in the Configuration screen.
2. Enable the IP Enable Routing option in the Advanced TCP/IP Configuration
screen.
3. This screen is accessible from the TCP/IP Configuration screen in the Networks
applet in the Control Panel.
4. Reboot the computer.
fw gen fw gen generates an Inspection Script (*.pf) file out of a Rule Base (*.W) file. The
command takes a Rule Base file as an argument and the Inspection Script is printed to
the standard output. Rule Base (*.W) files are created by the Graphical User Interface,
but you may edit them and use this command to generate Inspection Scripts (though
this is not recommended).
Syntax
fw gen <RuleBase_filename>
Example
fw gen $FWDIR/conf/default.W
fw gen $FWDIR/conf/corporate.W | more
fw gen $FWDIR/conf/corporate.W > /tmp/corporate.pf
fw kill fw kill sends a signal to FireWall-1 daemons fwd, fwm, snmpd, and any content
security servers running. This component is security irrelevant.
Syntax
fw kill [-t sig_no] proc-name
Parameter
Example
fw kill snmpd
sends signal 15 to the FireWall-1 snmp daemon.
fw kill -t 1 snmpd
fwc fwc is the FireWall-1 language compiler. It compiles an Inspection Script (*.pf) file
but does not install it. Use this command to see if your Inspection Scripts can be
compiled without actually installing them on FireWall Modules.
fwc takes an Inspection Script (*.pf) file as an argument and produces several files:
Inspection Code (*.fc) file, FireWall Module tables (*.ft) file, log format (*.lg) file
and *.set,*.db and *.objects files. These files are produced in the directory $FWDIR/
tmp.
fwm fwm is the FireWall-1 Management Server in the Client-Server implementation of the
Management Module. It is used to communicate with the GUI and to add, update and
remove administrators.
fwm must be running on the Management Server if you want to use the GUI client on
one of the client machines.
Syntax
fwm [-a name [-w{w|u|r|m}] [-s password] [-q]| -r name | -
p | -g]
Parameters
-a name — add or update an administrator.
-w — set access level as follows:
w — Read/Write
u — User Edit
r — Read Only
m — Monitor Only
-s password — set the administrator’s password.
-q — when adding an administrator, don’t prompt for the administrator’s
password (useful for batch updates).
-r name — delete an administrator.
-p — print a list of administrators.
-g — convert the old *.W files to one unified rulebases.fws that is used by fwm.
You are prompted to type the user’s name and password. You are asked to confirm the
password by typing it a second time.
fwell fwell manages Access Lists for Wellfleet routers. This component is security
irrelevant unless routers controlled have an E3 certification.
Syntax
fwell load rulebase-file [-s] [-u] [interface-
name@]router-name
[targets]
fwell unload [-s] [-u] [interface-name@]router-name
targets
fwell stat targets
Parameters
load — loads the Access List to the router.
unload — unloads the Access List.
-s — generate summary output.
stat — show statistics.
-u — specifies list of interfaces.
For example, the command: fwell stat well produces output similar to that
shown in Table 16.
Table 16:
Circuit IF FILTERDATE
E21 - -
S22 - -
When loading a Rule Base to a router, the router’s interfaces are first
unloaded. If the -u parameter is specified, then the virtual router’s
interfaces are unloaded. If the -u parameter is not specified, then the “real”
router’s interfaces are unloaded.
Individual Interface Rather than loading (or unloading) the Security Policy (Access Lists) to (or from) all
Loading for Bay the interfaces of a Bay Router, it is possible to specify individual interfaces.
Routers (Wellfleet)
Example
Suppose a Wellfleet router well has three interfaces: E21, S21 and S22; the
user might wish to define (manually, in objects.C) two “virtual” routers, well1
and well2, as follows:
(well1:ipaddr well:if-1E21)
(well2:ipaddr well:if-0S21:if-2S22)
In practice, specifying E21 in the command line had no effect. All the interfaces were
loaded but well1 has only one interface.
The command:
fwell load -u p.W well2
fw tab fw tab displays the content of Inspection Tables on the target hosts in various formats.
This component is security irrelevant.
Syntax
fw tab [-all | -conf confile] [-short] [-max num] [-u]
[-table name] targets
Default format displays for each host: host name and a list of all tables with their
elements
Parameters
-all — display all tables.
-short — use short format: host name, table name, table ID, and its number of
elements.
-max num — for each table, display only its first num number of elements (default is
16).
fw tab
fw tab -t hostlist1 gateway1
snmp_trap snmp_trap sends an SNMP trap to the specified host. The message may appear in the
command line, or as one line in the program input (stdin).
• host – the name of the host that should receive the trap
• message – the message sent to host.
Usage: snmp_trap [-v var] [-g generic_trap]
[-s specific_trap] host [message]
-v var: an optional object id to bind with the message
-g generic_trap: One of the values:
0 coldStart
1 warmStart
2 linkDown
3 linkUp
4 authenticationFailure
5 egpNeighborLoss
6 enterpriseSpecific (default value)
-s specific_trap: a unique number specifying
the trap type; valid only if generic trap
value is enterpriseSpecific (default value is 0)
snmp_trap is the default command in SNMP Trap Alert Command in the Logging and
Alerting tab of the Properties Setup screen (Windows GUI) and in the Control
Properties/Logging and Altering screen (OpenLook GUI). You can use the -v flag to
send the value of one of the FireWall-1 MIB variables.
In stage A, only the snmp_trap part of the alert component is security enforcing (for
SNMP traps). In stage B, the entire basic component will be security enforcing.
status_alert status_alert generates an alert. status_alert is used in the Command field of the Status
View Actions screen and in the Action on Transition field in the Options screen.
User Database: These components access and modify the user’s database and include the utilities fw
Importing and dbexport and fw dbimport. Similar functionality is available in the management
Exporting daemon. In stage A, this basic component is security irrelevant. In stage B, it will be
security relevant.
Importing
To import users into the FireWall-1 User Database from an external source, you must
create an ASCII (text) file with the required information and import the file into
FireWall-1 using the fw dbimport utility.
Syntax
fw dbimport [-m] [-s] [-v] [-r] [-k errors] [-f file] [-d
delim]
Parameters
-m — indicates that if an existing user is encountered in the import file, the user’s
default values will be replaced by the values in the template (the default template or
the one given in the attribute list for that user in the import file), and the original
values will be ignored; if -m is not specified, then an existing user’s original values
will be not be modified.
-s — suppress the warning messages issued when an existing user’s values are
changed by values in the import file.
-v — is verbose mode.
-k nerrors — continue processing until nerror errors are encountered. The line count
in the error messages starts from one including the attributes line and counting empty
or commented out lines.
-f file — specifies the name of the import file. The default import file is $FWDIR/
conf/user_def_file.
To ensure that there is no dependency on the previous database values, use the -r flag
together with the -m flag.
4. For attributes that contain a list of values (for example, days), enclose the values
in curly braces, {}.
Values in a list must be separated by commas. If there is only one value in a list,
the braces may be omitted.
A + or - character appended to a value list means add to delete the values in the
list from the current default user values.
Otherwise, the default action is to replace the existing values.
5. Legal values for the days attribute are: MON, TUE, WED, THU, FRI, SAT, SUN.
6. Legal values for the authentication method are:
Undefined, S/Key, SecurID, Solaris Password, FireWall-1 Password, RADIUS,
Defender.
7. Time format is hh:mm.
8. Date format is dd-mmm-yy, where mmm is one of Jan, Feb, Mar, Apr, May, Jun,
Jul, Aug, Sep, Oct, Nov, Dec.
9. If the S/Key authentication method is used, all the other attributes regarding this
method must be provided.
10. If the FireWall-1 password authentication method is used, a valid FireWall-1
password should be given as well.
11. The password should be encrypted with the C language encrypt function.
12. Values regarding authentication methods other than the one specified are ignored.
13. The userc field specifies the details of the user’s SecuRemote connections, and
has three parameters, as follows:
Parameter Values
integrity MD5,[blank] =
method no data integ-
rity
“Any” means the best method available for the connection. This depends on the
encryption methods available to both sides of the connection.
Example
If userc is {FWZ1,FWZ1,MD5}:
Key encryption method is FWZ1.
Data encryption method is FWZ1.
Data integrity method is MD5.
If userc is {DES,CLEAR,}
Key encryption method is FWZ1.
No data encryption.
No data integrity.
If userc is {Any,Any,}:
Use “best” key encryption method.
Use “best” data encryption method.
No data integrity. A line beginning with the ! character is considered a
comment.
After preparing the import file, execute fw dbimport to import the users into the
FireWall-1 User Database.
Exporting
You can export your User Database to an ASCII file using fw dbexport.
The generated file has the same syntax as the import file for fw.
Syntax
fw dbexport [-f file] [-u username] [-d delim]
Parameters
-f file — specifies the name of the output file. The default output file is $FWDIR/
conf/user_def_file.
Evaluation Products
CPFW-EVAL-1-40BIT FireWall-1 Evaluation pfmx connect skip isakmp controlx oseu motif
Package with 40 Bit ram1 srunlimit embedded skip isakmp
Encryption srunlimit
CPFW-EVAL-1 FireWall-1 Evaluation pfm activemod control oseu embedded
Package Non-VPN motif
447
448 Single Gateway Products
Enterprise Products
Inspection Module
FireWall Modules
Add On Modules
CPFW-ENC-25-40bit- 40BIT Encryption Module for skip isakmp enc25 skip isakmp ca
V40 25 Nodes
CPFW-ENC-50- 3DES Encryption Module for vpnstrong enc50 vpnstrong ca
3DES-V40 50 Nodes
CPFW-ENC-50-40bit- 40BIT Encryption Module for skip isakmp enc50 skip isakmp ca
V40 50 Nodes
CPFW-ENC-100- 40BIT Encryption Module for skip isakmp enc100 skip isakmp ca
40bit-V40 100 Nodes
CPFW-ENC-U-40bit- 40BIT Encryption Module for skip isakmp encul skip isakmp ca
V40 Unlimited Nodes
Management Consoles
“auth” Authentication
“fwz” FWZ
Name Combination:
“control” “lcontrol” + “remote”
Name Combination:
“pfm” “pfi” + “content” + “auth”
A access list — a list of policies to be enforced on routers. Access lists contain policies
in the order in which they are to be enforced.
alertf — used to monitor the logging activity of a rule and issue a specific alert when
a condition is met.
asymmetric encryption — uses one key to encrypt a message and another to decrypt
the message.
B bouncing the firewall — the process of stopping and restarting the firewalled
computer. This causes the Firewall Module to reread the local masters file and allow
the Management Console to remotely install security policies.
C certificate authority (CA) — a trusted third party from whom a public key can be
obtained reliably, even via the Internet. The CA certifies a public key by generating a
certificate (digital signature). The digital signature acts as proof of the sender’s
identity. A digital signature is created using a public encryption-key scheme.
457
458
distinguished name (DN) — unique name for a FireWall-1 object that is made by
associating the sequence of DNs from the lowest level of a hierarchal structure up to
the root.
encryption — the process that ensures data is secured when coming from or going to a
firewalled computer.
encryption module — the FireWall-1 module that provides DES encryption (for
SKIP and IPSec) and FWZ1 encryption.
F Firewall Module — the FireWall-1 component that implements security policies, log
events and communicates with management modules. The Firewall Module provides
inspection-module capabilities, user authentication, multiple-firewall synchronization
and content security.
G GET — an FTP command that instructs a server to transfer a specified file to a client.
inspection module — the FireWall-1 component that provides access control, client
and session authentication, network-address translation, and auditing.
load balancing — the FireWall-1 algorithm that allows several servers in one network
to share and distribute the load among themselves, all while being protected by one
firewalled computer.
Log Viewer — a FireWall-1 GUI, the Log Viewer displays the login-and-alert fields
specified in the Log and Alert screen of a security policy’s properties.
logical server — a group of machines that provide the same services and are treated as
a group, among whose members a workload is distributed.
M Management Console — a FireWall-1 GUI client that provides for the management
of either a single security enforcement point or multiple distributed security
enforcement points.
management server — manages the FireWall-1 database, the rule base, network
objects, servers, users, and more.
Manual IPSec — an encryption and authentication scheme that uses fixed security
keys that are exchanged manually.
masking rules — a process by which security engineers can make viewing a rule base
easier by hiding rules they do not want to see.
public-key encryption — an encryption scheme that uses two keys: one private and
one public. These keys are created using the Diffie-Hellman key scheme.
router access list — a list of policies to be enforced on the routers. The access list
contains the policies in the order in which they are to be enforced.
security-policy file (SPF) — the FireWall-1 file (default.w) containing all security-
policy parameters; the SPF resides in the c:\winnt\fw\conf directory.
SYN flooding attack — a type of attack on a network that is designed to bring the
network to its knees by flooding it with useless traffic.
X X.500 — used with FireWall-1’s LDAP component, X.500 is an ISO and Internet
standard that defines how global directories should be structured.