
Checkpoint - Day 2[1]

Apr 08, 2018


vijayprabhu1983
  • 8/7/2019 Checkpoint - Day 2[1]


    CSC Private

    Day Two Session

    Objectives

    After completion of this session you will be able to:

    Install Firewall-1 on Windows OS

    Build a rulebase

    Configure Logging and Alerting


    Chapter 3 - Installing Firewall-1

    Selecting the Operating System. Checkpoint can be installed on the following operating systems:

    Windows NT / 2000 Server

    Sun Solaris (SPARC)

    AIX

    Nokia IP Security Platform (IPSO)

    Linux and Secure Platform (SPLAT)


    Windows NT and Windows 2000/Server

    Advantages of using Windows

    Ease of use: The GUI is familiar to most administrators. Installation and maintenance are quite easy.

    Widely used: Windows 2000 is a popular choice for Firewall-1 installations, and plenty of documentation is available for both OSes.

    Third-party software integration: Third-party software provides many functions that Firewall-1 doesn't.


    Windows NT and 2000/Server (Contd.)

    Disadvantages

    Remote Administration: Windows is more difficult to administer remotely. Most admin tasks are performed through the GUI. VNC is an option, but it poses additional security issues.

    Command Line Access: Windows lacks a powerful CLI tool. This makes troubleshooting more difficult compared to other OSes.


    Sun Solaris (SPARC)

    Advantages

    Widely used: Most widely used, with plenty of documentation available for support.

    Primary Platform for Checkpoint: Development of the Checkpoint firewall is performed on Sun OS.

    CLI access: As mentioned earlier, the biggest advantage of Sun is the command line access it provides for troubleshooting and maintenance.


    Sun Solaris (SPARC) Contd.

    Disadvantages

    Training: Like other flavors of UNIX, this needs more skills. Not only are these skills difficult to find, they also cost more.

    Policy Editor Costs: Requires extra cost for purchasing Smart Clients.


    AIX

    Advantages

    Command Line Access: UNIX systems have strong CLI access.

    Hardware Support: They have high-end hardware support.

    Disadvantages

    Deployment and Resourcing: AIX is not as widely deployed as Solaris.

    Training: Requires more training to administer.

    Third-party software: Third parties don't quickly release AIX-compatible software versions.


    IPSO

    Advantages

    Ease of use

    CLI Access

    Hardened OS

    Thoroughly tested product

    Easier to upgrade

    Easy to Manage

    Support


    IPSO (Contd.)

    Disadvantages

    Cost: The Nokia platform has a higher acquisition cost than hardware and software combinations from other vendors.

    CLI: Limited feature set compared to other UNIX flavors.

    Third-party integration: Few third-party applications integrate with Checkpoint.


    Secure Platform (SPLAT)

    Advantages

    UNIX features: Shares the same features as other flavors of UNIX.

    Lower acquisition costs: Since the OS comes for free and can be installed on common PC hardware, the overall cost is lower.

    Ease of installation: Nokia has done the homework. All you need to do is insert the CD and go!

    Support: The OS and firewall are supported by a single vendor.


    Secure Platform (SPLAT) Contd.

    Disadvantages

    Customization: Any customization on SPLAT makes the OS completely unsupported by Checkpoint.

    Limited interface support: Not all interfaces are supported by SPLAT (e.g. Ethernet PPP etc.).

    Not easily upgradeable: If you want to upgrade from NG FP2 to NG FP3, you need to do a complete reinstall.


    Installing Firewall-1

    Run setup.exe file


    Questions


    Chapter 4 - Building the Rulebase

    At the end of the chapter, you should be able to:

    Manage firewall administrators

    Create objects on Firewall

    Add rules on firewall

    Identify various objects on firewall


    Management GUIs

    Smart Dashboard / Policy Editor: View and modify the Security Policy

    Smart Tracker / Log Viewer: View and track logs

    Smart Update / Secure Update: Update the Checkpoint firewall

    Smartview Monitor: Traffic monitoring and analysis

    User Monitor: View Secure Client connections


    Smart Dashboard/ Policy Editor


    Adding Administrators

    Click on Manage > Users


    Once you are added as an Administrator in the Policy Editor, you need to define the IP addresses of the admins who can access the Policy Editor.

    The list of IP addresses should be clearly defined. Adding networks isn't the best of ideas.

    You can configure the IP addresses using the cpconfig command.


    Default rule on Firewall.


    Adding Stealth Rule

    Any connections to the firewall should be dropped. Such a rule is called a Stealth rule.


    Creating Objects


    Rule base evaluation Chart


    Thumb Rule for managing firewall policy

    Client Encryption rules

    Firewall-Firewall encryption rules

    Incoming accept rules (typically from the Internet)

    Outgoing accept rules (to the Internet)

    Client Authentication rules

    Session Authentication rules

    User Authentication rules

    Cleanup rule
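
The stealth rule, the cleanup rule and the single-host GUI client guidance from these slides, checked over a small rulebase. This is an added example, not part of the original deck: it assumes top-down first-match evaluation and matches objects by name only, and the object names, addresses and the `lint`/`first_match` helpers are constructed for illustration.

```python
import ipaddress

ANY = "Any"
FIREWALL = "fw-ext"  # hypothetical gateway object name

# Constructed rulebase; object names are made up for this example.
RULEBASE = [
    {"src": "admin-pc", "dst": FIREWALL, "service": "ssh", "action": "accept"},
    {"src": ANY, "dst": FIREWALL, "service": ANY, "action": "drop"},  # stealth
    {"src": ANY, "dst": "web-srv", "service": "http", "action": "accept"},
    {"src": "internal-net", "dst": ANY, "service": ANY, "action": "accept"},
    {"src": ANY, "dst": ANY, "service": ANY, "action": "drop"},  # cleanup
]
GUI_CLIENTS = ["192.0.2.10", "192.0.2.0/24"]  # constructed cpconfig entries

def key(rule):
    return rule["src"], rule["dst"], rule["service"], rule["action"]

def first_match(rules, src, dst, service):
    """Top-down evaluation: the first rule that matches decides the action."""
    for number, rule in enumerate(rules, start=1):
        wanted = ((rule["src"], src), (rule["dst"], dst), (rule["service"], service))
        if all(field in (ANY, value) for field, value in wanted):
            return number, rule["action"]
    return None, "drop"  # assumption: unmatched traffic is dropped

def lint(rules, firewall, gui_clients):
    """Return findings for the stealth rule, cleanup rule and GUI client list."""
    findings = []
    stealth = next((i for i, r in enumerate(rules)
                    if key(r) == (ANY, firewall, ANY, "drop")), None)
    if stealth is None:
        findings.append("no stealth rule")
    else:
        for i, r in enumerate(rules[:stealth], start=1):
            if r["action"] == "accept" and r["src"] == ANY and r["dst"] in (ANY, firewall):
                findings.append(f"rule {i} accepts Any to the firewall above the stealth rule")
    if not rules or key(rules[-1]) != (ANY, ANY, ANY, "drop"):
        findings.append("last rule is not a cleanup rule")
    for entry in gui_clients:
        if ipaddress.ip_network(entry, strict=False).num_addresses > 1:
            findings.append(f"GUI client {entry} is a network, not a single host")
    return findings

if __name__ == "__main__":
    print(first_match(RULEBASE, "internet-host", FIREWALL, "http"))
    print(lint(RULEBASE, FIREWALL, GUI_CLIENTS))
```
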


    Creating a rule - Example

    Identify number of objects needed?


    Installing the firewall policy

    Once the rule base is added, you need to install the policy to confirm the changes and to make the rulebase operational.

    Select Policy > Install or click on to install the policy


    Chapter 5 - Logging and Alerting

    At the end of the chapter, you should be able to:

    Determine information displayed in Smartview Status/ Manager

    Determine what information is displayed in Smartview Tracker

    Identify where logging and alerting occur.


    Smartview Status

    Allows you to view the current state of Checkpoint firewall modules.

    The status of individual installed components can be determined.

    Components include:

    Firewall Module

    VPN Module

    Management Server


    Smartview Status


    Firewall-1 Status


    Management Module Status


    VPN Module Status


    Different States of the modules


    Smartview Tracker

    Also called the log viewer

    Presents historical logs and the active connections

    Provides audit history of Administrator actions


    Smartview Tracker/ Log Viewer


    Blocking a connection

    Temporarily block the connection

    Can only be performed in Active mode

    Done without modifying the existing rulebase.

    A block can only be removed in the following three ways:

    Unloading the firewall module

    Rebooting the system

    Manually removing the block


    Blocking a connection (Contd.)

    Blocking can be performed using following ways


    Audit Mode

    Allows you to view what actions an administrator performs on various applications.

    The following details are shown in the audit:

    Date

    Time

    Origin

    Application

    Operation

    Object Name

    Changes

    Administrator


    Questions