VPN-1/FireWall-1 NG Management I

checkpoint

Oct 30, 2014

Download

Business

checkpoint firewall.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: VPN-1/FireWall-1 NG Management I

Page 2: Course Description

Objectives
- Identify the basic components of VPN-1/FireWall-1 NG
- Successfully configure VPN-1/FireWall-1 NG (NT and/or Solaris)
- Identify the VPN-1/FireWall-1 NG elements that you will need to manage
- Successfully create and manage management objects
- Demonstrate how to use the Security Policy, Log Viewer, and System Status
- Successfully apply NAT rules
- Successfully demonstrate the ability to authenticate users

Page 3: Course Layout

Course Requirements
Prerequisites
Check Point Certified Security Administrator (CCSA)

Page 4: Course Requirements

The course is geared towards:
- System administrators
- Support analysts
- Network engineers

Page 5: Prerequisites

Each delegate should have:
- General knowledge of TCP/IP
- Working knowledge of Windows and/or Unix
- Working knowledge of network technology
- Working knowledge of the Internet

Page 6: Check Point Certified Security Administrator (CCSA)

The exam is wide ranging and covers all aspects of Check Point FireWall-1 NG. Some of the topics can be found on pages 2-3; however, all documentation covered on the course CD should be reviewed, including the PDFs.

Page 7: Course Map

Module 1: VPN-1/FireWall-1 NG Architecture
Module 2: Security Policy Rule Base and Properties Setup
Module 3: Advanced Security Policy
Module 4: Log Management
Module 5: Authentication Parameters: User, Client, and Session Authentication

Page 8: Course Map (continued)

Module 6: Network Address Translation

Page 9: Lab Setup

Lab Topology
IP Addresses
Lab Terms
Lab Stations

Page 10: Lab Topology

Page 11: VPN-1/FireWall-1 NG System Requirements

Management Client
  Platform:    Windows 9x, ME, NT 4.0, Windows 2000 Pro.
  Disk Space:  40 Mbytes
  Memory:      128 Mbytes
  Network I/F: All interfaces supported by Operating System

Page 12: VPN-1/FireWall-1 NG System Requirements

FireWall-1 NG FP2 Modules on Windows Platform
  OS:          Windows NT and Windows 2000
  Processor:   Intel Pentium II 300+ MHz or equivalent
  Disk Space:  40 Mbytes
  Memory:      128 Mbytes
  Network I/F: All interfaces supported by Operating System

Page 13: VPN-1/FireWall-1 NG System Requirements

Management Server or FireWall-1 Module on Solaris
  OS:                  Solaris 7 (SunOS 5.7), Solaris 8 (SunOS 5.8)
  CPU Architecture:    Solaris 7 - 32 Bit mode; Solaris 8 - 32 Bit & 64 Bit mode
  Disk Space:          40 Mbytes (software installation only)
  Memory:              128 Mbytes
  CPU:                 360 MHz
  Required OS Patches: Check latest release notes for required patches

Page 14: VPN-1/FireWall-1 NG System Requirements

Management Server or FireWall-1 Module on a Linux Platform
  OS:               Red Hat Linux 6.2 and 7.0
  CPU Architecture: 32 bit and 64 bit
  Disk Space:       40 Mbytes
  Memory:           128 Mbytes
  CPU:              Intel Pentium II 300+ MHz

Page 15, Module 1: VPN-1/FireWall-1 NG Architecture

Page 16, Module 1: Introduction

Objectives
- Describe the purpose of a firewall
- Describe and compare firewall architectures
- Identify the different components of VPN-1/FireWall-1 NG

Page 17, Module 1: Key Terms

- Firewall
- Packet Filtering
- Application Layer Gateway (Proxy)
- Client/Server Model
- Stateful Inspection
- Management Client
- Secure Internal Communication (SIC)
- Virtual Private Network (VPN)
- Secure Virtual Network (SVN)

Page 18, Module 1: Check Point Product Overview

Securing the Internet
- An emerging requirement
- Securing Networks, Systems, Applications and Users

Page 19, Module 1: Secure Virtual Network (SVN)

SVN is a true security architecture:
- integrates multiple capabilities, including firewall security, VPNs, IP address management etc., all within a common management framework
- enables security to be defined and enforced in a single policy incorporating all aspects of network security

Page 20, Module 1: Emerging requirements

- To enjoy the benefits of an eBusiness model, a robust security infrastructure needs to be deployed
- Integrating the security infrastructure with the application environment provides full security for eBusiness, allowing easily established and maintained trusted relationships

Page 21, Module 1: SVN Architecture

SVN Architecture is designed to meet the challenges of eBusiness: it connects the four elements common to any enterprise network:
- Networks
- Systems
- Applications
- Users

Page 22, Module 1: SVN Diagram

Page 23, Module 1: VPN-1/FireWall-1

Key component of SVN architecture:
- Access Control
- User Authentication
- Network Address Translation (NAT)
- Virtual Private Networking
- High Availability
- Content Security
- Auditing and Reporting
- LDAP-based user management

Page 24, Module 1: VPN-1/FireWall-1 (continued)

- Intrusion Detection
- Malicious Activity Detection
- Third-party Device Management
- High Availability and Load Sharing

Page 25, Module 1: Internet Firewall Technologies

A firewall is a system designed to:
- prevent unauthorised access to or from a secured network
- act as a locked security door between internal and external networks
- data meeting certain criteria is allowed through

However, note that a firewall can only protect a network from traffic filtered through it.

Page 26, Module 1: Stateful Inspection Technology

- invented by Check Point Software Technologies
- utilises the INSPECT Engine:
  - programmable using the INSPECT language
  - provides for system extensibility
  - dynamically loaded into the OS kernel
  - intercepts and inspects all inbound and outbound packets on all interfaces
  - verifies that packets comply with the security policy
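
A small model of the comparison this slide (and review question #2 later in the module) draws, added here as an illustration; it is not Check Point code and does not model the INSPECT engine's kernel implementation. A stateless filter has to hold high destination ports open so that replies can reach internal clients, while a stateful inspector admits inbound packets only when they belong to a connection already in its table. The prefix `INTERNAL_PREFIX`, the addresses, ports and the packets in `run_scenario` are constructed.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed lab addressing: 10.1.1.0/24 is the protected side, everything else is outside.
INTERNAL_PREFIX = "10.1.1."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a TCP connection
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatelessFilter:
    """Packet filter with no memory: each packet is judged on its own header.

    To let replies to internal clients back in, it has to leave every high
    (>= 1024) destination port open from the outside, which also admits
    packets that nobody inside ever asked for.
    """

    def decide(self, p: Packet) -> str:
        if is_internal(p.src) and not is_internal(p.dst):
            return "accept"                 # outbound, any service
        if not is_internal(p.src) and p.dport >= 1024:
            return "accept"                 # assumed to be a reply
        return "drop"


class StatefulInspector:
    """Stateful inspection: connections opened from inside are remembered,
    and inbound packets are accepted only if they belong to one of them."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()
        self.log: List[str] = []

    def decide(self, p: Packet) -> str:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if is_internal(p.src) and p.syn and not p.ack:
            self.connections.add(forward)   # new outbound connection
            return "accept"
        if forward in self.connections or reverse in self.connections:
            return "accept"                 # packet of a known connection
        self.log.append(f"drop {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return "drop"


def run_scenario() -> dict:
    """Three constructed packets: an outbound web request, its reply, and an
    unsolicited inbound packet to a high port on the same client."""
    outbound = Packet("10.1.1.20", 40000, "192.0.2.10", 80, syn=True)
    reply = Packet("192.0.2.10", 80, "10.1.1.20", 40000, syn=True, ack=True)
    unsolicited = Packet("198.51.100.7", 5555, "10.1.1.20", 40001, syn=True)
    stateless, stateful = StatelessFilter(), StatefulInspector()
    return {
        "stateless": [stateless.decide(p) for p in (outbound, reply, unsolicited)],
        "stateful": [stateful.decide(p) for p in (outbound, reply, unsolicited)],
        "stateful_log": stateful.log,
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, verdicts)
```

The unsolicited packet is the point of the slide: the stateless filter accepts it because it cannot tell a reply from a new inbound connection, whereas the inspector drops and logs it because no internal host opened that connection.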

Page 27, Module 1: Firewall Technologies

- Packet Filters
- Application-Layer Gateway
- Stateful Inspection
- VPN-1/FireWall-1 NG Enforcement Module
- INSPECT Language
- VPN-1/FireWall-1 NG Advantages

Page 28, Module 1: Packet Filtering Path in the OSI Model

Page 29, Module 1: Packet Filter FTP Example

Page 30, Module 1: Application-Layer Gateway Path

Page 31, Module 1: VPN-1/FireWall-1 NG Enforcement Module

Page 32, Module 1: How VPN-1/FireWall-1 NG FP-1 Works

INSPECT Allowing Packets
- if a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination
- packets destined for the OS's local processes are inspected, then passed through the TCP/IP stack
- if packets do not pass inspection, they are rejected, or dropped and logged

Page 33, Module 1: INSPECT Module Flow

Page 34, Module 1: VPN-1/FireWall-1 NG Architecture

- The Policy Editor
- Management Module
- VPN-1/FireWall-1 NG Enforcement Module
- SVN Foundation

Page 35, Module 1: Check Point Policy Editor

Page 36, Module 1: Management Module

- the security policy is defined using the Policy Editor on the Management Client
- it is then saved to the Management Module
- the Management Module maintains the FW-1 NG databases, including:
  - network object definitions
  - user definitions
  - security policy
  - log files

Page 37, Module 1: VPN-1/FireWall-1 NG Enforcement Module

- deployed on the Internet gateway
- an Inspection script written in INSPECT is generated from the security policy
- inspection code is compiled from the script and downloaded to the enforcement module

Page 38, Module 1: SVN Foundation

Check Point SVN Foundation NG (CPShared) is the operating system integrated with every Check Point product. All Check Point products use the CPOS services via CPShared.

The SVN Foundation includes:
- Secure Internal Communication (SIC)
- Check Point registry
- CPShared daemon
- Watch Dog for critical services
- Cpconfig
- License utilities
- SNMP daemon

Page 39, Module 1: Secure Internal Communication (SIC)

- Communication Components
- Security Benefits
- SIC Certificates
- Communication Between Management Modules and Components
- Communication Between Management Modules and Management Clients

Page 40, Module 1: Communication Components

SIC secures communication between Check Point SVN components such as:
- management modules
- management clients
- VPN-1/FireWall-1 NG modules
- customer log modules
- SecureConnect modules
- policy servers
- OPSEC applications

Page 41, Module 1: Security Benefits of SIC

- confirms that a management client connecting to a management module is authorised
- verifies that a security policy loaded on a firewall module came from an authorised management module
- ensures that data privacy and integrity are maintained

Page 42, Module 1: SIC Certificates

- SIC for Check Point VPN uses certificates for authentication and standards-based SSL for encryption
- enables each Check Point enabled machine to be uniquely identified
- certificates are generated by the Internal Certificate Authority (ICA) on the Management Module
- a unique certificate is generated for each physical machine

Page 43, Module 1: Communication between Management Modules and Components

- the ICA automatically creates a certificate for the Management Module during installation
- certificates for other modules are created via a simple initialisation from the Management Client
- upon initialisation, the ICA creates, signs and delivers a certificate to the communication component

Page 44, Module 1: Communication between Management Modules and Management Clients

- the management client must be defined as authorised
- when invoking the Policy Editor on the Management Client, the user is asked to identify themselves and to specify the IP address of the Management Module
- the Management Client then initiates an SSL based connection
- the Management Module verifies the Client's IP address
- the Management Module sends back its certificate

Page 45, Module 1: Distributed VPN-1/FireWall-1 NG configuration showing the components with certificates

Page 46, Module 1: Distributed Client/Server Configuration

Page 47, Module 1: Review

Summary
Review Questions

Page 48, Module 1: Review Question #1

What is Stateful Inspection?

Class Discussion

Page 49, Module 1: Review Question #2

Why is Stateful Inspection more reliable than packet filtering and application layer gateways for protecting networks?

Class Discussion

Page 50, Module 1: Review Question #3

What process does VPN-1/FireWall-1 NG use to accept, drop, or reject packets?

The NG Enforcement Module

Page 51, Module 1: Review Question #4

What three components make up VPN-1/FireWall-1 NG?

- The Policy Editor
- The Management Server
- The Enforcement Point

Page 52, Module 1a: Installation

- Installation of VPN-1/FireWall-1 module
- Installation of Management Module
- Installation of Management Client

Page 53, Module 1a: Pre-installation Configuration

Network Configuration
- ensure the network is properly configured (especially routing)
- on WinNT & Solaris, enable IP routing/forwarding
- for WinNT, disable the NetBEUI protocol (not an IP protocol, so not intercepted by FireWall-1)
- environment variables are set automatically (via the installation wrapper) on WinNT, Win2000 & Solaris

Page 54, Module 1a: VPN-1/FireWall-1 NG Client-Server Configuration

- a distributed installation is supported

Page 55, Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Windows NT Server

Page 56, Module 1a: Lab 1a

Page 57, Module 1a: Installing VPN-1/FireWall-1 NG Enforcement Module and Management Module on Sun Solaris

Page 58, Module 1a: Lab 2a

Page 59, Module 1a: Installing VPN-1/FireWall-1 NG Management Client on Windows NT

Page 60, Module 1a: Lab 3a

Page 61, Module 2: Security Policy Rule Base and Properties Setup

Page 62, Module 2: Introduction

Objectives
- Explain the function and operation of a Security Policy
- Demonstrate the creation of network objects and groups, using the Management Client
- Demonstrate the setup of anti-spoofing on the firewall
- Demonstrate the setup and operation of an active Security Policy

Page 63, Module 2: Key Terms

- Security Policy
- Rule Base
- Rule Base Elements
- spoofing
- anti-spoofing
- implicit rules
- explicit rules
- implicit-drop rule

Page 64, Module 2: Security Policy Defined

What is a Security Policy?
- a set of rules that defines network security

Considerations
- what kind of services, including customised services and sessions, are allowed across the network
- what users' permissions and authentication schemes are needed
- what objects are in the network, e.g. gateways, hosts, networks, routers and domains

Page 65, Module 2: Check Point Policy Editor

- enables administrators to define the security policy

Page 66, Module 2: Access Control for Administrators

Concurrent Sessions
- only one administrator with read/write permissions can be logged in at any one time

Management Module Fingerprint
- at the first log-on to a management server, the management client will receive the management server's fingerprint
- this can be checked against a copy of the fingerprint for verification
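
The log-on sequence from page 44 together with the fingerprint check on this slide, modelled as an added example; it is not Check Point's SIC implementation. Assumptions: the Management Module holds the list of authorised client addresses, the client keeps a pinned copy of the server fingerprint after its first log-on, and the fingerprint is a SHA-256 digest of the certificate bytes (the page does not describe the real fingerprint format). `MGMT_CERT` and `AUTHORISED_CLIENTS` are constructed.

```python
import hashlib
from typing import Optional, Set

# Constructed stand-in for the ICA-issued certificate of the Management Module.
MGMT_CERT = b"constructed certificate bytes for mgmt-server-01"
# Constructed list of GUI client hosts defined as authorised on the Management Module.
AUTHORISED_CLIENTS: Set[str] = {"10.1.1.50", "10.1.1.51"}


def fingerprint(cert_bytes: bytes) -> str:
    """Assumed fingerprint format: SHA-256 of the certificate bytes as colon-separated hex."""
    digest = hashlib.sha256(cert_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class ManagementModule:
    def __init__(self, cert: bytes, authorised: Set[str]) -> None:
        self.cert = cert
        self.authorised = set(authorised)

    def accept_connection(self, client_ip: str) -> Optional[bytes]:
        """Page 44: verify the client's IP address, then send back the module's
        certificate. None means the connection is refused."""
        if client_ip not in self.authorised:
            return None
        return self.cert


class ManagementClient:
    def __init__(self, ip: str, pinned_fingerprint: Optional[str] = None) -> None:
        self.ip = ip
        # Copy of the server fingerprint kept from an earlier log-on (page 66), if any.
        self.pinned = pinned_fingerprint

    def log_on(self, server: ManagementModule) -> str:
        cert = server.accept_connection(self.ip)
        if cert is None:
            return "refused: client not authorised"
        fp = fingerprint(cert)
        if self.pinned is None:
            # First log-on: the administrator must compare fp with a copy
            # obtained out of band before trusting this server.
            self.pinned = fp
            return f"first log-on: verify fingerprint {fp}"
        if fp != self.pinned:
            return "refused: fingerprint mismatch"
        return "ok: fingerprint matches pinned copy"


if __name__ == "__main__":
    server = ManagementModule(MGMT_CERT, AUTHORISED_CLIENTS)
    client = ManagementClient("10.1.1.50")
    print(client.log_on(server))   # first log-on, fingerprint to verify
    print(client.log_on(server))   # subsequent log-on, fingerprint compared
```

The IP check on the server side and the fingerprint check on the client side guard different things: the first stops an unlisted host from opening a session at all, the second stops a listed client from trusting a server that presents a certificate other than the one it pinned, even when that server answers on the expected address.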

Page 67, Module 2: Rule Base Defined

Rule Base Elements
- the individual components that make up a rule:
  No. | Source | Destination | If/Via | Services | Action | Track | Install on | Time | Comment

Page 68, Module 2: Rule Base Defined (continued)

Rule Base Element Options
- to customise the element options in the rule base

Page 69, Module 2: Example Policy Editor

Page 70, Module 2: Lab 1: Launching the Policy Editor

Page 71, Module 2: VPN-1/FireWall-1 NG Licensing

License Types
- central: the license is linked to the IP number of the management server
- local: tied to the IP number to which the license will be applied

Obtaining Licenses
- locate the certificate key on the CD cover of the CP CD
- contact www.checkpoint.com, selecting User Center, to obtain an eval or permanent license

Check Point User Center

Page 72, Module 2: SecureUpdate

Made up of two components: Installation Manager and License Manager
- allows tracking of currently installed versions of CP and OPSEC products
- updating of installed CP and OPSEC software remotely from a centralised location
- centrally managing licenses

Page 73, Module 2: SecureUpdate Architecture, Distributed Configuration

Page 74, Module 2: Defining Basic Objects

Page 75, Module 2: Detecting Spoofing

Spoofing is a technique used by intruders attempting to gain unauthorised access:
- a packet's source IP address is altered to appear to come from a part of the network with higher privileges

Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway:
- i.e. packets claiming to originate in the internal network actually DO come from that network

Page 76, Module 2: Detecting Spoofing

Configuring Anti-Spoofing
- networks reachable from an interface need to be defined appropriately
- should be configured on all interfaces
- spoof tracking is recommended
- anti-spoofing rules are enforced before any rule in the Security Policy rule base
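
An added illustration of the anti-spoofing check described on pages 75-76 for the inbound direction, not the INSPECT code a Check Point gateway generates. The gateway topology in `TOPOLOGY` (with `eth0` as the external "others" interface, meaning any address not claimed by another interface) and all addresses are constructed; the `spoof_tracking` flag stands in for the spoof tracking option.

```python
import ipaddress
from typing import Dict, List, Union

IPv4Network = ipaddress.IPv4Network
OTHERS = "others"   # external interface: every address not claimed by another interface

# Constructed topology for the gateway: interface -> networks legitimately behind it.
TOPOLOGY: Dict[str, Union[str, List[IPv4Network]]] = {
    "eth0": OTHERS,                                      # Internet side
    "eth1": [ipaddress.ip_network("10.1.1.0/24")],       # internal LAN
    "eth2": [ipaddress.ip_network("192.168.10.0/24")],   # DMZ
}


def expected_interface(src_ip: str, topology: Dict = TOPOLOGY) -> str:
    """Interface on which a packet with this source address may legitimately arrive."""
    addr = ipaddress.ip_address(src_ip)
    external = None
    for iface, nets in topology.items():
        if nets == OTHERS:
            external = iface
            continue
        if any(addr in net for net in nets):
            return iface
    if external is None:
        raise ValueError("topology defines no external (others) interface")
    return external


def anti_spoof_check(src_ip: str, arriving_on: str, log: List[str],
                     topology: Dict = TOPOLOGY, spoof_tracking: bool = True) -> bool:
    """True if the packet passes anti-spoofing. A packet whose source address does
    not belong behind the arrival interface is dropped and, with spoof tracking
    on, logged. This check runs before the rule base is consulted."""
    expected = expected_interface(src_ip, topology)
    if expected == arriving_on:
        return True
    if spoof_tracking:
        log.append(f"spoofed packet: src {src_ip} on {arriving_on}, expected {expected}")
    return False


if __name__ == "__main__":
    events: List[str] = []
    # A packet claiming an internal source but arriving on the Internet interface.
    print(anti_spoof_check("10.1.1.5", "eth0", events))
    print(events)
```

The check is only as good as the topology: passing a topology that omits a subnet actually sited behind `eth1` makes `anti_spoof_check` flag that subnet's legitimate traffic as spoofed, which is the failure mode behind the slide's first bullet and the reason the spoof-tracking log is worth watching after a topology change.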

Page 77, Module 2: Anti-Spoofing

Page 78, Module 2: Creating the Rule Base

Basic Rule Base Concepts
- each rule in a rule base defines the packets that match the rule, based on Source, Destination, Service and the Time the packet is inspected
- the first rule that matches a packet is applied

Page 79, Module 2: The default rule

- added when you add a rule to the Rule Base

Page 80, Module 2: The Basic Rules

Cleanup Rule
- CP follows the principle "that which is not expressly permitted, is prohibited"
- all communication attempts not matching a rule will be dropped
- the cleanup rule drops all the communication but allows specific logging

Page 81, Module 2: The Basic Rules

The Stealth Rule
- prevents users from connecting directly to the firewall
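
The first-match evaluation, cleanup rule and stealth rule from pages 78-81, modelled as an added Python example; it is not the Policy Editor's format or the compiled inspection code, and it evaluates Source, Destination and Service only (no Time or If/Via). The objects `FIREWALL` and `INTERNAL`, the rules in `RULE_BASE` and the packets in the helper functions are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

ANY = "Any"
Net = ipaddress.IPv4Network
Obj = Union[str, Net]        # a network object or ANY
Svc = Union[str, int]        # a destination port or ANY

# Constructed objects for a lab like the one on page 10.
FIREWALL = ipaddress.ip_network("203.0.113.1/32")   # the gateway itself
INTERNAL = ipaddress.ip_network("10.1.1.0/24")


@dataclass
class Rule:
    no: int
    source: Obj
    destination: Obj
    service: Svc
    action: str          # accept | drop | reject
    track: str = "none"  # none | log
    comment: str = ""


def _matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    def in_obj(obj: Obj, ip: str) -> bool:
        return obj == ANY or ipaddress.ip_address(ip) in obj
    return (in_obj(rule.source, src) and in_obj(rule.destination, dst)
            and (rule.service == ANY or rule.service == dport))


RULE_BASE: List[Rule] = [
    Rule(1, ANY, FIREWALL, ANY, "drop", "log", "stealth rule: no direct connections to the firewall"),
    Rule(2, INTERNAL, ANY, 80, "accept", "log", "internal users may use HTTP"),
    Rule(3, INTERNAL, ANY, 443, "accept", "none", "internal users may use HTTPS"),
    Rule(4, ANY, ANY, ANY, "drop", "log", "cleanup rule: drop and log everything else"),
]


def decide(rule_base: List[Rule], src: str, dst: str, dport: int,
           log: List[str]) -> Tuple[Optional[int], str]:
    """First-match evaluation: the first rule matching the packet is applied.
    If nothing matches, the implicit-drop rule applies, but nothing is logged."""
    for rule in rule_base:
        if _matches(rule, src, dst, dport):
            if rule.track == "log":
                log.append(f"rule {rule.no} {rule.action}: {src} -> {dst}:{dport}")
            return rule.no, rule.action
    return None, "drop"


def stealth_rule_order_matters(log: List[str]) -> Tuple[str, str]:
    """Same rules, stealth rule moved below the HTTP accept rule: an internal
    host's HTTP connection to the firewall itself is then accepted."""
    reordered = [RULE_BASE[1], RULE_BASE[0]] + RULE_BASE[2:]
    correct = decide(RULE_BASE, "10.1.1.20", "203.0.113.1", 80, log)[1]
    wrong = decide(reordered, "10.1.1.20", "203.0.113.1", 80, log)[1]
    return correct, wrong


if __name__ == "__main__":
    events: List[str] = []
    print(decide(RULE_BASE, "10.1.1.20", "198.51.100.10", 80, events))
    print(decide(RULE_BASE, "198.51.100.10", "10.1.1.20", 22, events))
    print(stealth_rule_order_matters(events))
    print("\n".join(events))
```

`stealth_rule_order_matters` shows why the stealth rule sits at the top: moved below the HTTP accept rule, an internal host's connection to the gateway itself is accepted before the stealth rule is ever reached. Evaluating a rule base that lacks the cleanup rule returns the implicit drop with no log entry, which is why the slide pairs the cleanup rule with specific logging.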

Page 82, Module 2: Defining Basic Rules

Page 83, Module 2: Implicit and Explicit Rules

Completing the Rule Base
- FireWall-1 NG creates implicit rules derived from the policy properties and includes explicit rules created by the user in the Policy Editor

Understanding Rule Base Order
- viewing implied rules will show both sets of rules merged in the correct sequence

Page 84, Module 2: Implied Rules

Page 85, Module 2: Verifying and Installing a Security Policy

Page 86, Module 2: Command Line Options for the Security Policy

Basic Options
- cpstart/cpstop: starts and stops all CP applications running on the machine
- cplic print: displays the details of the Firewall licenses
- fwstart/fwstop: starts and stops the Firewall NG module, firewall daemon (fwd), management module (fwm), SNMP daemon (snmpd) and authentication daemons

Page 87: checkpoint

Module 2:

Review
Summary
Review Questions

Page 88: checkpoint

Module 2:

Review Question #1: What are the steps for creating and enforcing a Security Policy?

Name your policy, add rules with objects, install the policy

Page 89: checkpoint

Module 2:

Review Question #2: What is the difference between implicit and explicit rules?

Implicit (or pseudo) rules are created by VPN-1/FireWall-1 NG, and are derived from the security properties.

Explicit rules are created by the user.

Page 90: checkpoint

Module 2:

Review Question #3: In what order are policies and rules matched?

Policies and rules are matched in order on the Rule Base, one rule at a time.

Page 91: checkpoint

Module 3:

Advanced Security Policy

Page 92: checkpoint

Module 3:

Introduction
Objectives
Demonstrate how to perform the following:
Hide and unhide rules
View hidden rules
Define a rule mask
Apply rule masks
Show how to install and uninstall a Security Policy

Page 93: checkpoint

Module 3:

Introduction
Objectives (continued)
List the guidelines for improving VPN-1/FireWall-1 NG performance, using a Security Policy
Key Term
masking rules

Page 94: checkpoint

Module 3:

Masking Rules
Overview
rules in a rule base can be hidden to allow easier reading of a complex rulebase (masking rules)
all other rules remain visible; their numbers do not change
hidden rules are still enforced on the gateway

Page 95: checkpoint

Module 3

Masking Rules
Viewing Hidden Rules
if View Hidden in the Rules>Hide menu is checked, all rules set as hidden are displayed
Unhiding Hidden Rules
select Unhide All from the Rules>Hide menu

Page 96: checkpoint

Module 3:

Disabling Rules
Disabling Rules
a disabled rule will only take effect after the security policy is reinstalled
the rule will still be displayed in the policy editor rulebase
Enabling a Disabled Rule
select the disabled rule and right click
select Disable Rule to deselect it
remember to reinstall the policy

Page 97: checkpoint

Module 3:

Uninstalling a Security Policy
Steps for Uninstalling a Security Policy
select Policy>Uninstall from the Security Policy Editor main screen
click Select All to select all items on the screen (specific items may be deselected)
click OK

Page 98: checkpoint

Module 3:

Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy
Management Module
listing machine names and IP addresses in a hosts file will decrease installation time for created network objects
/etc/hosts (Solaris)
\winnt\system32\drivers\hosts (Windows)

Page 99: checkpoint

Module 3

Guidelines for Improving VPN-1/FireWall-1 NG Performance via a Security Policy
Enforcement Module
keep the rulebase simple
position the most frequently used rules at the top of the rulebase
don’t log unnecessary connections
use a network object in place of many workstation objects
use IP address ranges in rules instead of a set of workstations

Page 100: checkpoint

Module 3:

Review
Summary
Review Questions

Page 101: checkpoint

Module 3:

Review Question #1: If a rule is masked or hidden, is it disabled and no longer part of the Rule Base?

No, masked or hidden rules are still part of the Rule Base, and are installed when a Security Policy is installed.

Page 102: checkpoint

Module 3:

Review Question #2: When you select a rule, and then select “Disable Rule(s)” from the menu, what must you also do before the rule is actually disabled?

Install the Security Policy

Page 103: checkpoint

Module 3:

Review Question #3: How does masking help you maintain a Rule Base?

Discussion

Page 104: checkpoint

Module 3:

Review Question #4: Define some guidelines for improving VPN-1/FireWall-1 NG’s performance via a Security Policy.

Discussion

Page 105: checkpoint

Module 4:

Log Management

Page 106: checkpoint

Module 4:

Introduction
Objectives
Identify the three display modes of the Log Viewer
Identify and define Status Manager icons
Assign network objects to display in Status Manager
Enable automatic updating of Status Manager

Page 107: checkpoint

Module 4:

Introduction
Objectives (continued)
Specify selection criteria and save log files
Describe the steps needed to block an intruder
List the three blocking scope options and their uses
Describe how block request is used

Page 108: checkpoint

Module 4

Key Terms
log viewer
status manager

Page 109: checkpoint

Module 4:

Log Viewer
provides visual tracking, monitoring and accounting information
provides control over the log files display
allows quick access to information
any event which causes an alert is logged, including some system events such as an install of a policy

Page 110: checkpoint

Module 4:

Logging

Page 111: checkpoint

Module 4

Log Viewer
Kernel Side
FWD merges the log fragments produced by the FW-1 kernel components into one log record
each log record is stamped with a Log Unification Unique ID (LUUID)
Server Side
FWD transfers the log record to the log database (fw.log) on the log server/management module
a single connection is represented by one entry in the log viewer

Page 112: checkpoint

Module 4

Log Viewer
Log Viewer Logon
Select Window>Log Viewer from the security policy main menu
Data (Column) Fields
the administrator can specify which of the available data fields (columns) to display
Column Menu
right clicking anywhere in a column of the log viewer will invoke the column menu

Page 113: checkpoint

Module 4

Log Viewer
Log Viewer Toolbar Buttons

Page 114: checkpoint

Module 4

Log Viewer
Log Types
there are seven types of log which can be displayed from the toolbar
general predefined selection
firewall-1 predefined selection
account predefined selection
FloodGate-1 predefined selection
SecureClient predefined selection
UA WebAccess predefined selection

Page 115: checkpoint

Module 4

Log Viewer
Log Viewer Mode
there are three different predefined selection views
log mode
active mode
audit mode

Page 116: checkpoint

Module 4:

Log Viewer (continued)
Log File Management
the File menu allows the administrator to perform the following tasks:
Log Switch
Open
Save as
Purge
Print
Export

Page 117: checkpoint

Module 4:

Configuring the Security Policy for Logging
System-wide logging and alerting
the Global Properties window allows an administrator to define system-wide logging and alert parameters for options such as
VPN successful key exchange
VPN packet handling errors
VPN configuration and key exchange errors, etc.

Page 118: checkpoint

Module 4:

Blocking Connections
Terminating a Connection with Block Intruder
it is possible to block an active connection using the source IP address
the scope of the blocked connection can be
block only this connection
block access from this source
block access to this destination

Page 119: checkpoint

Module 4:

Block Intruder

Page 120: checkpoint

Module 4:

Status Manager
Status Manager Logon
Working with the Status Manager Interface
Modules View
Module Status
Product Details Windows
Critical Notifications

Page 121: checkpoint

Module 4:

Checking VPN-1/FireWall-1 NG Status in the Status Manager

Page 122: checkpoint

Module 4:

Review
Summary
Review Questions

Page 123: checkpoint

Module 4:

Review Question #1: What are the three display modes of Log Viewer?

Log

Audit

Active

Page 124: checkpoint

Module 4:

Review Question #2: What are the three blocking scope options and their uses?

Block only this connection

Block access from this source IP

Block access to this destination

Page 125: checkpoint

Module 4:

Review Question #3: What option could you use to block an intruder whose connection ID is known?

Block request

Page 126: checkpoint

Module 5:

Authentication Parameters: User, Client, and Session Authentication

Page 127: checkpoint

Module 5:

Introduction
Objectives
Demonstrate how to implement authentication.
Demonstrate the process of creating users and groups.
Demonstrate the setup of authentication parameters.

Page 128: checkpoint

Module 5:

Introduction
Objectives (continued)
Demonstrate how to implement user authentication, using various authentication schemes.
List the types of services supported by VPN-1/FireWall-1 NG that require a user name and password.
Demonstrate how to implement client authentication.
Demonstrate how to implement session authentication.

Page 129: checkpoint

Module 5

Key Terms
User Authentication
Client Authentication
Session Authentication
Session Authentication Agent

Page 130: checkpoint

Module 5:

Understanding Authentication
User Authentication
grants access on a per user basis
can be used for Telnet, FTP, RLOGIN, HTTP
requires separate authentication for each connection

Page 131: checkpoint

Module 5:

Understanding Authentication
Session Authentication
requires authentication for each connection
can be used with any service
requires a Session Authentication Agent

Page 132: checkpoint

Module 5

Understanding Authentication
Client Authentication
grants access on a per host basis
allows connections for a specific IP address after successful authentication
can be used for any number of connections
can be used for any service
most commonly used authentication method

Page 133: checkpoint

Module 5

Understanding Authentication
Authentication Schemes
S/Key
OS Password
VPN-1/FireWall-1 Password
SecurID
RADIUS
Axent Defender
TACACS

Page 134: checkpoint

Module 5:

User Authentication Overview
user authentication is provided by the security servers on the gateway
when a rule specifies user authentication, the corresponding security server is invoked (TELNET, FTP, HTTP and RLOGIN)
if authentication is successful, the security server opens a separate connection to the target server

Page 135: checkpoint

Module 5:

Defining User Templates

Page 136: checkpoint

Module 5:

Defining Users from Templates

Page 137: checkpoint

Module 5:

Set Up Authentication Parameters

Page 138: checkpoint

Module 5:

HTTP User Authentication with a VPN-1 & FireWall-1 Password

Page 139: checkpoint

Module 5:

Telnet User Authentication with a VPN-1 & FireWall-1 Password (Optional)

Page 140: checkpoint

Module 5:

FTP User Authentication with a VPN-1 & FireWall-1 Password (Optional)

Page 141: checkpoint

Module 5:

Client Authentication
How Client Authentication Works
enables administrators to grant access privileges to a specific IP address
authentication is by username and password, but access is granted to the host machine (IP)
can be used for any number of connections, for any service, for any length of time

Page 142: checkpoint

Module 5:

Client Authentication

Page 143: checkpoint

Module 5:

Sign On Methods
Source Field
the Source field in the User Properties window may specify that the user is not allowed access from the source address, while the rule allows access. This field specifies how to resolve that conflict
Destination Field
the Destination field in the User Properties window may specify that the user is not allowed access to the destination address. This field specifies how to resolve that conflict

Page 144: checkpoint

Module 5

Sign On Methods
Required Sign On
Standard Sign On – the user is allowed to use all the services permitted by the rule for the authorisation period
Specific Sign On
only connections that match the original connection are allowed without additional authentication

Page 145: checkpoint

Module 5

Sign On Methods
Sign On Method
Manual – the user has to initiate Client Authentication by
telnet to port 259
http to port 900
Partially Automatic Client Authentication
Fully Automatic Client Authentication
Agent Automatic Sign On
Single Sign On

Page 146: checkpoint

Module 5

Sign On Methods
Successful Authentication Tracking
logging option for Client Authentication attempts for the session

Page 147: checkpoint

Module 5:

Client Authentication

Page 148: checkpoint

Module 5:

Additional Features of Single Sign On
Single Sign On For Multiple Users
a privileged user can sign on and off on behalf of other users
User Authority SecureAgent
extends UA capabilities to the LAN by having the SecureAgent on the desktop

Page 149: checkpoint

Module 5:

Single Sign On Example Network

A user on Localnet would normally TELNET to port 259 on London and authenticate, then request access to BigBen. With the single sign on system extension another user can open the connection to BigBen in advance on behalf of a user on Localnet.

Page 150: checkpoint

Module 5:

Additional Features of Client Authentication
Redirection of HTTP Requests According to Host Header
it is possible to configure FireWall-1 to complete the connection according to the destination specified in the HTTP Host header
used when several HTTP hosts share the same virtual IP address

Page 151: checkpoint

Module 5

Additional Features of Client Authentication
Authorizing All Standard Sign On Rules
FireWall-1 will automatically open all standard rules after successful authentication through partially or fully automatic sign on
if a user successfully authenticates according to an automatic sign on rule, all standard sign on rules which specify that user and source are opened.

Page 152: checkpoint

Module 5:

Session Authentication Overview
How Session Authentication Works
based on a pre-session authentication method
can be integrated with any application
the CP Session Agent must be loaded on the client machine
authentication is performed by the daemon module

Page 153: checkpoint

Module 5:

Session Authentication
1. User initiates a connection directly to the server
2. The FireWall-1 Inspection Module intercepts the connection and connects to the Session Authentication Agent
3. The Session Agent prompts for authentication data and returns it to the Inspection Module
4. If successful, the FireWall-1 module allows the connection to pass through the gateway

Page 154: checkpoint

Module 5:

Session Authentication

Page 155: checkpoint

Module 5:

Review
Summary
Review Questions

Page 156: checkpoint

Module 5:

Review Question #1: What are the three types of VPN-1/FireWall-1 NG authentication?

User Authentication

Client Authentication

Session Authentication

Page 157: checkpoint

Module 5:

Review Question #2: When you want a user to authenticate once, and then be able to use any service until logging off, which authentication type would you use?

Client Authentication

Page 158: checkpoint

Module 5:

Review Question #3: When defining user authentication, where do you add the authentication rule: above or below the stealth rule?

Below the stealth rule

Page 159: checkpoint

Module 5:

Review Question #4: What is the advantage of using session authentication over client authentication and user authentication?

The advantage session authentication has over user authentication is that session authentication can be used with any service.

The advantage session authentication has over client authentication is that the user is prompted automatically with session authentication, whereas client authentication encompasses a manual process the user has to remember.

Page 160: checkpoint

Module 5:

Review Question #5: Why would the client authentication rule need to be placed above the stealth rule?

Client authentication requires a connection made to the firewall, that the stealth rule prevents, so either the client rule must be above the stealth rule to allow the connection, or a rule must be placed above the client authentication rule that allows connections to port 259/900 on the firewall.
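An added example, not part of the course material: a toy first-match evaluator over a constructed rule base that shows the ordering points from the Basic Rules, Rule Base Order and stealth-rule slides. It models the second fix from the answer above (a rule above the stealth rule permitting ports 259/900 on the gateway); the addresses, host names, rule fields and helper names are all constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple, Union

ANY = "Any"
Addr = Union[IPv4Address, IPv4Network, str]   # an address, a network or ANY
Svc = Union[Tuple[str, int], str]              # (protocol, port) or ANY

# Constructed addresses (documentation ranges), not from the course material.
FIREWALL = ip_address("192.0.2.1")      # the gateway itself
LOCALNET = ip_network("10.1.0.0/16")    # protected internal network
BIGBEN = ip_address("198.51.100.10")    # server the users want to reach


@dataclass(frozen=True)
class Rule:
    name: str
    src: Addr
    dst: Addr
    service: Svc
    action: str           # "accept", "drop" or "client_auth"
    track: str = "none"   # "log" makes the match visible in the Log Viewer


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(field: Addr, value: str) -> bool:
    if field == ANY:
        return True
    ip = ip_address(value)
    return ip in field if isinstance(field, IPv4Network) else ip == field


def _svc_matches(field: Svc, pkt: Packet) -> bool:
    return field == ANY or field == (pkt.proto, pkt.dport)


def evaluate(rule_base: List[Rule], pkt: Packet) -> Tuple[str, str, bool]:
    """Walk the rule base top down and return (rule name, action, logged)
    for the first rule that matches: rule position decides the outcome."""
    for rule in rule_base:
        if (_addr_matches(rule.src, pkt.src)
                and _addr_matches(rule.dst, pkt.dst)
                and _svc_matches(rule.service, pkt)):
            return rule.name, rule.action, rule.track == "log"
    # A complete policy never gets here: the cleanup rule matches everything.
    return "no rule", "drop", False


STEALTH = Rule("stealth", ANY, FIREWALL, ANY, "drop", track="log")
CLIENT_AUTH = Rule("client auth", LOCALNET, BIGBEN, ("tcp", 23), "client_auth", track="log")
CLEANUP = Rule("cleanup", ANY, ANY, ANY, "drop", track="log")
# Explicit rules permitting the manual sign-on ports on the gateway itself.
SIGN_ON_TELNET = Rule("sign-on telnet", LOCALNET, FIREWALL, ("tcp", 259), "accept", track="log")
SIGN_ON_HTTP = Rule("sign-on http", LOCALNET, FIREWALL, ("tcp", 900), "accept", track="log")

# Wrong order: nothing above the stealth rule permits the sign-on connection.
RULE_BASE_BROKEN = [STEALTH, CLIENT_AUTH, CLEANUP]
# Fixed order: the permitting rules sit above the stealth rule.
RULE_BASE_FIXED = [SIGN_ON_TELNET, SIGN_ON_HTTP, STEALTH, CLIENT_AUTH, CLEANUP]

# Constructed traffic: a Localnet user signs on to the gateway, then telnets
# to BigBen; an outside host tries the same server without signing on.
SIGN_ON = Packet("10.1.0.25", str(FIREWALL), "tcp", 259)
TO_BIGBEN = Packet("10.1.0.25", str(BIGBEN), "tcp", 23)
FROM_OUTSIDE = Packet("203.0.113.7", str(BIGBEN), "tcp", 23)


def run_scenarios() -> dict:
    return {
        "broken_sign_on": evaluate(RULE_BASE_BROKEN, SIGN_ON),
        "fixed_sign_on": evaluate(RULE_BASE_FIXED, SIGN_ON),
        "fixed_bigben": evaluate(RULE_BASE_FIXED, TO_BIGBEN),
        "fixed_outside": evaluate(RULE_BASE_FIXED, FROM_OUTSIDE),
    }


if __name__ == "__main__":
    for name, (rule, action, logged) in run_scenarios().items():
        print(f"{name:15s} -> {rule:15s} {action:12s} logged={logged}")
```

With the broken order the sign-on connection dies, logged, at the stealth rule; with the fixed order it is accepted, the telnet to BigBen reaches the client-auth rule, and the outside host's attempt falls through to the logged cleanup rule.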

Page 161: checkpoint

Module 6:

Network Address Translation

Page 162: checkpoint

Module 6:

Introduction
Objectives
List the reasons and methods for Network Address Translation
Demonstrate how to set up Static NAT
Demonstrate how to set up Dynamic (Hide) NAT
Describe basic network configurations using NAT

Page 163: checkpoint

Module 6

Key Terms
Network Address Translation (NAT)
Static Source NAT
Static Destination NAT
Dynamic (Hide) NAT
Automatic and Manual NAT rules
Address Resolution Protocol (ARP)

Page 164: checkpoint

Module 6

Network Address Translation
NAT conceals internal computers from outside networks
as a component of VPN-1/FireWall-1 it is used for three things:
to make use of private IP addresses on the internal network
to limit external network access for security reasons
to give ease and flexibility to network administration

Page 165: checkpoint

Module 6:

NAT
IP Addressing
RFC 1918 details the reserved address groups
Class A network numbers – 10.0.0.0 – 10.255.255.255
Class B network numbers – 172.16.0.0 – 172.31.255.255
Class C network numbers – 192.168.0.0 – 192.168.255.255

Page 166: checkpoint

Module 6

Network Security
an additional benefit of NAT is increased network security
an internal host can connect both inside and outside the intranet
an unknown external host outside the network cannot connect to an internal host
external connections with a spoofed internal address will be recognised and prevented from gaining access
internal public servers are made available with inbound mapping of well known TCP ports to specific internal addresses

Page 167: checkpoint

Module 6

Network Administration
VPN-1/FireWall-1 supports two types of NAT
Static NAT
Dynamic (Hide) NAT
Static NAT
translates each private address to a corresponding public address
two modes, static source and static destination

Page 168: checkpoint

Module 6

Static Source NAT
translates private internal source IP addresses to a public external source IP address
initiated by internal clients with a private IP address

Page 169: checkpoint

Module 6:

Static Source NAT

Page 170: checkpoint

Module 6:

Address Translation Using Static Source Mode

Page 171: checkpoint

Module 6

Static Destination NAT
translates public addresses to private addresses
initiated by external clients

Page 172: checkpoint

Module 6:Module 6:

Address Translation Using Static Address Translation Using Static Destination ModeDestination Mode

Page 173: checkpoint

Module 6:Module 6:

Address Translation Using Static Address Translation Using Static Destination ModeDestination Mode

Page 174: checkpoint

Module 6

Dynamic (Hide) NAT
used for connections initiated by hosts in an internal network whose IP addresses are private
private internal addresses are hidden behind a single public external address
dynamically assigned port numbers distinguish the hidden hosts' connections from one another

Page 175: checkpoint

Module 6:

Dynamic NAT

Page 176: checkpoint

Module 6

Dynamic (Hide) NAT Ctd.
in hide mode the packets' source port numbers are modified
on the return path, the internal destination of a packet is determined by its port number
port numbers are dynamically assigned from two pools of numbers:
from 600 to 1023
from 10,000 to 60,000
hide mode cannot be used for protocols where the port number cannot be changed, or where an external host must reach the internal host's own address (a hidden host cannot accept connections initiated from outside)
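The following Python model of Hide NAT is an added example, not code from the course or from Check Point. It assumes a hide address of 199.203.73.1 and assumes that connections whose original source port is below 1024 draw from the 600-1023 pool while all others draw from the 10,000-60,000 pool (the slides name the pools but not which connections use which). It shows the source port being rewritten, the return packet being mapped back to the internal host by its port number alone, and an unsolicited packet to a hidden host having nowhere to go.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Port pools named in the module. Which pool serves which connection is an
# assumption of this example: privileged original source ports (< 1024) draw
# from the low pool, everything else from the high pool.
LOW_POOL = range(600, 1024)
HIGH_POOL = range(10000, 60001)

Endpoint = Tuple[str, int]          # (ip, port)
Key = Tuple[str, int, str]          # (hide_ip, translated_port, proto)


@dataclass
class HideNAT:
    """Toy model of Hide (dynamic) NAT: many private sources behind one public IP."""
    hide_ip: str
    # (hide_ip, translated port, proto) -> original (ip, port)
    table: Dict[Key, Endpoint] = field(default_factory=dict)
    # reverse map so later packets of the same connection reuse their port
    by_orig: Dict[Tuple[str, int, str], int] = field(default_factory=dict)

    def _allocate(self, src_port: int, proto: str) -> int:
        pool = LOW_POOL if src_port < 1024 else HIGH_POOL
        for port in pool:
            if (self.hide_ip, port, proto) not in self.table:
                return port
        raise RuntimeError("hide NAT port pool exhausted")

    def outbound(self, src: Endpoint, dst: Endpoint, proto: str = "tcp") -> Tuple[Endpoint, Endpoint]:
        """Translate a client-initiated packet; returns (translated src, unchanged dst)."""
        orig = (src[0], src[1], proto)
        port = self.by_orig.get(orig)
        if port is None:
            port = self._allocate(src[1], proto)
            self.table[(self.hide_ip, port, proto)] = src
            self.by_orig[orig] = port
        return (self.hide_ip, port), dst

    def inbound(self, src: Endpoint, dst: Endpoint, proto: str = "tcp") -> Optional[Tuple[Endpoint, Endpoint]]:
        """Reverse-translate a packet arriving at the hide address.

        The destination port alone selects the internal host. A packet for a
        port no internal host has opened has nowhere to go, which is why a
        hidden host cannot accept connections from outside.
        """
        internal = self.table.get((self.hide_ip, dst[1], proto))
        if internal is None:
            return None
        return src, internal


if __name__ == "__main__":
    # Constructed sample traffic: two internal hosts using the same source port.
    nat = HideNAT("199.203.73.1")
    print(nat.outbound(("10.0.0.5", 1500), ("198.51.100.7", 80)))
    print(nat.outbound(("10.0.0.6", 1500), ("198.51.100.7", 80)))
    print(nat.inbound(("198.51.100.7", 80), ("199.203.73.1", 10001)))
    print(nat.inbound(("203.0.113.9", 4444), ("199.203.73.1", 25)))
```

Two hosts that both use source port 1500 end up on 10000 and 10001 behind the same hide address, which is the whole point of the port rewrite; the reply to port 10001 is delivered to 10.0.0.6, and a packet aimed at port 25 of the hide address is dropped because no table entry maps it to an internal host.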

Page 177: checkpoint

Module 6:

Hide Mode Address Translation

Page 178: checkpoint

Module 6

Hiding behind 0.0.0.0
if the administrator specifies 0.0.0.0 as the hide address, all clients are hidden behind the address of the gateway interface on the server side, i.e. the interface through which the packet leaves the gateway

Page 179: checkpoint

Module 6:

Hiding Behind 0.0.0.0

Page 180: checkpoint

Module 6:

Automatic and Manual NAT Rules
NAT Rules
NAT rules consist of two elements:
the conditions that specify when the rule is to be applied
the action to be taken when the rule is applied
each section in the NAT Rule Base Editor (Original Packet and Translated Packet) is divided into Source, Destination and Service

Page 181: checkpoint

Module 6

Automatic and Manual NAT Rules
NAT Rules
the action is always the same:
translate the source under Original Packet to the source under Translated Packet
translate the destination under Original Packet to the destination under Translated Packet
translate the service under Original Packet to the service under Translated Packet

Page 182: checkpoint

Module 6

Network Address Translation Properties
several properties can be applied to automatically generated NAT rules
they are enabled by default in new installations, but disabled by default when upgrading from previous versions
they are configured on the Network Address Translation page of the Global Properties window
IP Pools
IP Pool NAT Track
Address Translation and Routing

Page 183: checkpoint

Module 6

Network Address Translation Properties (Ctd)
Allow Bi-directional NAT
the firewall checks all of the automatic rules to see whether a source in one rule and a destination in another rule both match the packet
it takes the first matching source rule and the first matching destination rule and applies both to the packet concurrently
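The following Python model of the NAT Rule Base is an added example, not code from the course or from Check Point. It generates the automatic rules for a statically translated host (10.0.0.3 with valid address 199.203.73.3) and a hidden network (10.0.0.0/24 behind 199.203.73.1), assuming that static rules precede hide rules and ignoring port allocation; it shows first-match translation and, with bi-directional NAT, the first source rule and the first destination rule being applied together when an internal client talks to the public address of an internal server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "Any"            # matches every address or service
ORIGINAL = "Original"  # leave the field unchanged

Packet = Tuple[str, str, str]   # (source IP, destination IP, service)


def _addr_match(selector: str, ip: str) -> bool:
    if selector == ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(selector, strict=False)


@dataclass(frozen=True)
class NATRule:
    """One row of the NAT Rule Base: Original Packet and Translated Packet columns."""
    orig_src: str
    orig_dst: str
    orig_svc: str
    xlate_src: str
    xlate_dst: str
    xlate_svc: str
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        src, dst, svc = pkt
        return (_addr_match(self.orig_src, src)
                and _addr_match(self.orig_dst, dst)
                and self.orig_svc in (ANY, svc))


def automatic_rules(static: Dict[str, str], hide: Dict[str, str]) -> List[NATRule]:
    """Rules generated from object NAT properties (assumed order: static first, hide after)."""
    rules: List[NATRule] = []
    for private, valid in static.items():
        rules.append(NATRule(private, ANY, ANY, valid, ORIGINAL, ORIGINAL, f"static source {private}"))
        rules.append(NATRule(ANY, valid, ANY, ORIGINAL, private, ORIGINAL, f"static destination {valid}"))
    for network, hide_ip in hide.items():
        rules.append(NATRule(network, ANY, ANY, hide_ip, ORIGINAL, ORIGINAL, f"hide {network}"))
    return rules


def translate(rules: List[NATRule], pkt: Packet, bidirectional: bool = False) -> Tuple[Packet, List[NATRule]]:
    """First-match NAT. With bidirectional=True the first matching source rule and the
    first matching destination rule are applied together."""
    matched = [r for r in rules if r.matches(pkt)]
    if not matched:
        return pkt, []
    first = matched[0]
    src, dst, svc = pkt
    new = [first.xlate_src if first.xlate_src != ORIGINAL else src,
           first.xlate_dst if first.xlate_dst != ORIGINAL else dst,
           first.xlate_svc if first.xlate_svc != ORIGINAL else svc]
    applied = [first]
    if bidirectional:
        extra: Optional[NATRule] = None
        if first.xlate_dst == ORIGINAL:      # first rule only translated the source
            extra = next((r for r in matched[1:] if r.xlate_dst != ORIGINAL), None)
            if extra is not None:
                new[1] = extra.xlate_dst
        elif first.xlate_src == ORIGINAL:    # first rule only translated the destination
            extra = next((r for r in matched[1:] if r.xlate_src != ORIGINAL), None)
            if extra is not None:
                new[0] = extra.xlate_src
        if extra is not None:
            applied.append(extra)
    return (new[0], new[1], new[2]), applied


if __name__ == "__main__":
    rules = automatic_rules({"10.0.0.3": "199.203.73.3"}, {"10.0.0.0/24": "199.203.73.1"})
    # Constructed packet: internal client to the public address of the internal server.
    pkt = ("10.0.0.5", "199.203.73.3", "http")
    for bidir in (False, True):
        result, applied = translate(rules, pkt, bidirectional=bidir)
        print(bidir, result, [r.comment for r in applied])
```

Without bi-directional NAT only the static destination rule fires, so the packet leaves with the untranslated private source 10.0.0.5 and the server's reply to that address never passes back through the NAT; with it, the hide rule is applied as well and the server sees the hide address.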

Page 184: checkpoint

Module 6

Network Address Translation Properties (Ctd)
Translate destination on client side
destination translation is performed on the client side, the interface on which the packet arrives; prior versions of FireWall-1 performed NAT on the server side, which required special anti-spoofing and internal routing configuration
Automatic ARP configuration
ARP tables on the gateway are configured automatically, so that ARP requests for a NATed machine, network or address range are answered by the gateway

Page 185: checkpoint

Module 6

IP Pools
a range of IP addresses routable to a gateway
encrypted connections opened to a host have their source IP address substituted with an address from the IP Pool
the pool addresses must be routable back to the gateway

Page 186: checkpoint

Module 6:

Address Translation Example: Gateway with Two Interfaces

Routing
the router routes IP addresses in the network 199.203.73.0 to the gateway
the gateway routes IP address 199.203.73.3 to the internal interface (10.0.0.1)
the gateway routes IP addresses 199.203.73.64 through 199.203.73.80 to the internal interface (10.0.0.1)

Page 187: checkpoint

Module 6:

Gateway with Two Interfaces

Page 188: checkpoint

Module 6:

Address Translation Example: Gateway with Three Interfaces

Routing
ensure the router routes IP addresses in the network 192.45.125.0 to the gateway
the gateway should be able to route IP address 192.45.125.209 to the internal interface (195.9.200.1)

Page 189: checkpoint

Module 6:

Gateway with Three Interfaces

Page 190: checkpoint

Module 6:

Address Translation Example: Two Networks Statically Translated

Page 191: checkpoint

Module 6:

Two Networks Statically Translated

Page 192: checkpoint

Module 6:

Address Translation and Anti-Spoofing
anti-spoofing is performed correctly for automatically generated NAT rules (provided it is allowed in the Global Properties)
there will be a conflict between anti-spoofing and NAT if NAT takes place at the server side
to correct the problem, add the translated (i.e. the Valid) address to the addresses that the internal interface's anti-spoofing configuration accepts
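The following Python example is added here and is not code from the course or from Check Point. It takes the two-interface routing example above (valid addresses 199.203.73.3 and 199.203.73.64 through 199.203.73.80 behind the internal interface 10.0.0.1) and the anti-spoofing slide, and assumes an internal network of 10.0.0.0/24 and an external interface configured as "Others". It derives the host routes the gateway needs for the translated addresses and then runs a simple anti-spoofing check, showing that a reply carrying a Valid address as its source is dropped at the internal interface until that address is added to the interface's accepted addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Addresses from the module's two-interface example; the private network
# and the "Others" external interface are assumptions of this example.
INTERNAL_NET = "10.0.0.0/24"
STATIC_VALID = ["199.203.73.3", "199.203.73.64-199.203.73.80"]


@dataclass
class Interface:
    name: str
    address: str
    # anti-spoofing accepted addresses; None models "Others" (anything not
    # claimed by another interface)
    valid: Optional[Set[ipaddress.IPv4Network]] = None


def valid_networks(spec: str) -> List[ipaddress.IPv4Network]:
    """Expand 'a.b.c.d' or 'a.b.c.d-e.f.g.h' into CIDR blocks."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec)]


def build_topology() -> Dict[str, Interface]:
    return {
        "external": Interface("external", "199.203.73.1"),
        "internal": Interface("internal", "10.0.0.1", {ipaddress.ip_network(INTERNAL_NET)}),
    }


def gateway_routes(valid_specs: List[str], internal: Interface) -> List[Tuple[str, str]]:
    """Routes the gateway needs: each translated address reached via the internal interface."""
    return [(str(net), internal.name) for spec in valid_specs for net in valid_networks(spec)]


def add_translated_addresses(internal: Interface, valid_specs: List[str]) -> None:
    """The fix from the anti-spoofing slide: the Valid addresses become legitimate
    sources on the internal interface."""
    assert internal.valid is not None
    for spec in valid_specs:
        internal.valid.update(valid_networks(spec))


def antispoof_accept(topology: Dict[str, Interface], iface_name: str, src_ip: str) -> bool:
    """Inbound anti-spoofing check for a packet with source src_ip on iface_name."""
    ip = ipaddress.ip_address(src_ip)
    iface = topology[iface_name]
    if iface.valid is not None:
        return any(ip in net for net in iface.valid)
    # "Others": accept unless some other interface claims the source address
    return not any(other.valid is not None and any(ip in net for net in other.valid)
                   for other in topology.values() if other is not iface)


if __name__ == "__main__":
    topo = build_topology()
    for route in gateway_routes(STATIC_VALID, topo["internal"]):
        print("route", route)
    # Constructed case: with server-side NAT the server's reply already carries
    # the Valid address when it reaches the internal interface.
    print("before fix:", antispoof_accept(topo, "internal", "199.203.73.3"))
    add_translated_addresses(topo["internal"], STATIC_VALID)
    print("after fix: ", antispoof_accept(topo, "internal", "199.203.73.3"))
    print("spoofed private source from outside:", antispoof_accept(topo, "external", "10.0.0.3"))
```

The range 199.203.73.64-80 summarises to the two routes 199.203.73.64/28 and 199.203.73.80/32; note that once the Valid addresses are accepted on the internal interface, the external "Others" interface stops accepting them as sources, which is the behaviour you want, since nothing outside should legitimately claim them.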

Page 193: checkpoint

Module 6:

Static NAT

Page 194: checkpoint

Module 6:

Hide NAT

Page 195: checkpoint

Module 6:

Review
Summary
Review Questions

Page 196: checkpoint

Module 6:

Review Question #1: What is NAT?

Replacing one IP address in a packet with a different IP address.

Page 197: checkpoint

Module 6:

Review Question #2: What is the reason for using NAT, as related to IP addressing?

To conceal the network's internal IP addresses from the Internet.
To translate private addresses to public addresses, and back.

Page 198: checkpoint

Module 6:

Review Question #3: What is the NAT Rule Base?

Automatically generated and manually entered NAT rules.