Checkpoint - Day 3[1]

Apr 08, 2018

vijayprabhu1983
Transcript
  • 8/7/2019 Checkpoint - Day 3[1]

    1/51

    CSC Private

    Day Three Session

    Objective

    Various authentication methods

    Content Security

    Network Address Translation

    Chapter 6 Authentication

    At the end of the chapter, you should be able to

    Understand static and one-time passwords

    Understand user, session and client authentication

    Understand the best authentication method for a given situation

    Integrate 3rd party authentication servers in Firewall-1

    Passwords

    Firewall-1 provides various authentication options:

    Firewall-1 Password

    OS Password

    S/Key

    SecurID

    RADIUS

    TACACS

    LDAP

    User Authentication

    Provides authentication for 5 different services: telnet, http, https, rlogin and FTP.

    Session Authentication

    Session authentication can be used for any service.

    Relies on the Session Authentication agent installed on the client machine

    Client Authentication

    Used to authenticate any service

    User must authenticate to the firewall before the service is authorized

    Service is provided for a specific number of times and/or a specific duration of time

    Authentication may happen in one of the following ways:

    Telnet to the firewall on port 259

    HTTP to the firewall on port 900

    HTTPS to the firewall on port 950

    Client Authentication

    Two choices in client authentication:

    Standard Sign-on: authenticate once and then perform whatever the authentication allows

    Specific Sign-on: requires a specific destination and service each time you connect.

    Standard Sign-on

    Client Authentication using HTTP

    Specific Sign-on using HTTP

    Which authentication is best?

    Steps in setting up user authentication

    Create necessary users and groups required for authentication

    Create appropriate rules in the rulebase

    Configure user authentication action properties

    Configure the Authentication frame in the rulebase properties

    Verify and install policy

    Setting up user authentication

    When adding the source, right-click the source field and click Add User Access. Then right-click User Authentication in the action field and select Edit properties.

    Importance of rule order in User Authentication

    If User Authentication rules are present, the firewall does not process the rule base strictly in order.

    Instead all rules are evaluated and the least restrictive matching rule applies. A broader Accept rule placed below a User Authentication rule therefore lets the same traffic through without authentication, so check for such rules whenever an authentication rule is added.
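    The rule evaluation described above, as an added example written for this page (it is not Check Point's code and does not reproduce the product's matcher): a small rule base evaluator in Python that applies ordinary first-match semantics until the first match is a User Authentication rule, in which case every matching rule is considered and the least restrictive one applies. The rules, the `engineers` user group and the networks are constructed; `find_auth_bypass` is an audit helper of my own that reports Accept rules below a User Authentication rule which cover the same destination and service.

```python
"""Rule base matching in the presence of User Authentication rules.

Added example for this page (not Check Point's code): it encodes the behaviour the
slide describes, first match normally, but when the first match is a User
Authentication rule every rule is evaluated and the least restrictive match wins.
Rules, networks and user groups below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"
# Lower value = less restrictive; used only when a User Auth rule matched first.
RESTRICTIVENESS = {"accept": 0, "user_auth": 1, "drop": 2}


@dataclass(frozen=True)
class Rule:
    number: int
    src: str        # CIDR, "any", or "user:<group>" (User Access source, any location)
    dst: str        # CIDR or "any"
    service: str    # e.g. "http", "telnet", or "any"
    action: str     # "accept", "drop" or "user_auth"


def _covers(outer: str, inner: str) -> bool:
    """True if network 'outer' contains network 'inner' ("any" contains everything)."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(outer).supernet_of(ip_network(inner))


def _matches(rule: Rule, src_ip: str, dst_ip: str, service: str) -> bool:
    # A user source is matched by identity at sign-on time, so any source IP fits here.
    src_ok = rule.src == ANY or rule.src.startswith("user:") \
        or ip_address(src_ip) in ip_network(rule.src)
    dst_ok = rule.dst == ANY or ip_address(dst_ip) in ip_network(rule.dst)
    return src_ok and dst_ok and rule.service in (ANY, service)


def decide(rulebase, src_ip, dst_ip, service):
    """Return the rule that governs a new connection, or None (implicit drop)."""
    matches = [r for r in rulebase if _matches(r, src_ip, dst_ip, service)]
    if not matches:
        return None
    first = matches[0]
    if first.action != "user_auth":
        return first                      # ordinary top-down, first-match semantics
    # First match is User Auth: all matching rules are considered and the least
    # restrictive one applies, even if it sits lower in the rule base.
    return min(matches, key=lambda r: (RESTRICTIVENESS[r.action], r.number))


def find_auth_bypass(rulebase):
    """Audit helper: (auth rule, later rule) pairs where an IP-based Accept rule below a
    User Auth rule covers the same destination and service, so some or all of that
    traffic is accepted without authentication."""
    found = []
    for auth in (r for r in rulebase if r.action == "user_auth"):
        for later in rulebase:
            if later.number <= auth.number or later.action != "accept":
                continue
            if later.src.startswith("user:"):
                continue                  # another auth-bound source, not a bypass
            if _covers(later.dst, auth.dst) and later.service in (ANY, auth.service):
                found.append((auth.number, later.number))
    return found


# Constructed rule base: engineers must authenticate for HTTP to the 10.1.1.0/24
# servers, but rule 2 accepts everything from 192.168.0.0/16 to the same servers.
RULEBASE = [
    Rule(1, "user:engineers", "10.1.1.0/24", "http", "user_auth"),
    Rule(2, "192.168.0.0/16", "10.1.1.0/24", ANY, "accept"),
    Rule(3, ANY, ANY, ANY, "drop"),
]

if __name__ == "__main__":
    print(decide(RULEBASE, "192.168.5.5", "10.1.1.10", "http"))  # rule 2: no prompt
    print(decide(RULEBASE, "172.16.0.9", "10.1.1.10", "http"))   # rule 1: User Auth
    print(find_auth_bypass(RULEBASE))                             # [(1, 2)]
```

    Running `decide` on this rule base shows the trap: a web connection from 192.168.5.5 matches the User Authentication rule first but is governed by rule 2, so the user is never prompted. Narrowing rule 2 so that it no longer covers the protected servers makes `find_auth_bypass` return an empty list and the same connection is then governed by rule 1.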

    Example of User authentication

    Setting Session authentication

    Similar to User Authentication except for the action properties settings

    Setting Client Authentication

    Similar to User Authentication except for the action properties settings

    Client Authentication (Contd.)

    You may select standard sign-on or specific sign-on. The sign-on method can be one of:

    Manual sign-on: authentication happens only via telnet on port 259 or HTTP on port 900

    Partially automatic: Firewall-1 lets you use User Authentication (the user authentication database) for the 5 services (telnet, http, ftp, rlogin and https)

    Fully automatic: non-standard services can be authenticated using Session Authentication

    Agent automatic sign-on: uses Session Authentication when the rule is matched; it performs a standard sign-on

    Client Authentication (Contd.)

    Chapter 7 - Content Security

    At the end of this chapter, you should be able to

    Know what CVP and UFP are used for

    Restrict content for various tcp services.

    Understand performance issues with Content Security.

    Word about content security

    Checkpoint found that they could not integrate all applications into the Firewall-1 software itself.

    Instead, 3rd party applications were integrated to work with Firewall-1 (as OPSEC applications).

    CVP (Content Vectoring Protocol) and UFP (URL Filtering Protocol) are discussed later in this chapter

    CVP

    It is used to scan content, typically for viruses, but it can also scan for malicious Java applets and ActiveX controls depending on the CVP server used.

    A content stream is intercepted by one of the security servers on the firewall and handed to the CVP server.

    Security servers include the HTTP, FTP, SMTP, Telnet and rlogin daemons. Other generic TCP services can be added as well.

    CVP

    Following are the actions a CVP server can take:

    Send the content as is without any modification

    Remove the offending content and send the corrected content

    Do not send the content at all

    Wildcards used in resources:

    * matches a string of any length. E.g. *@csc.com would match all email addresses at csc.com

    + matches any single character, so a pattern with a + in it matches values that differ only in that one position

    {a,b} matches any of the listed strings. E.g. pinky@{csc,abc}.com would match pinky@csc.com and pinky@abc.com
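    The three wildcards, as an added example for this page (not Check Point's matcher): a Python translator from resource patterns to regular expressions, plus a first-match lookup over a constructed sender table that maps addresses to the three CVP outcomes listed above. The `pinky+@csc.com` pattern and the `SENDER_RULES` table are assumptions made for illustration, and alternatives inside `{...}` are treated as literal strings.

```python
"""Wildcard matching for Firewall-1 resource definitions.

Added example for this page (not Check Point's code): '*' matches a string of any
length, '+' matches any single character and '{a,b}' matches any of the listed
strings, as on the slide. Patterns and addresses beyond the slide's own are constructed.
"""
import re


def resource_pattern_to_regex(pattern: str) -> str:
    """Translate a resource wildcard pattern into a regular expression body.
    Alternatives inside {...} are taken literally (an assumption of this example)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")                       # any string, including empty
        elif c == "+":
            out.append(".")                        # exactly one character
        elif c == "{":
            end = pattern.find("}", i)
            if end == -1:
                raise ValueError(f"unterminated '{{' in pattern {pattern!r}")
            alts = [a.strip() for a in pattern[i + 1:end].split(",")]
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = end
        else:
            out.append(re.escape(c))               # everything else is literal
        i += 1
    return "".join(out)


def matches(pattern: str, value: str) -> bool:
    """Whole-string match: the pattern must cover the entire value."""
    return re.fullmatch(resource_pattern_to_regex(pattern), value) is not None


def resolve_action(resource_rules, value, default="reject"):
    """First matching (pattern, action) pair wins; 'default' when nothing matches.
    Mirrors a resource table where each entry names a CVP outcome."""
    for pattern, action in resource_rules:
        if matches(pattern, value):
            return action
    return default


# Constructed resource table: which CVP outcome applies to a sender address.
SENDER_RULES = [
    ("postmaster@{csc,abc}.com", "pass_unmodified"),
    ("*@csc.com", "scan_and_correct"),
    ("*", "reject"),
]

if __name__ == "__main__":
    print(resolve_action(SENDER_RULES, "postmaster@abc.com"))   # pass_unmodified
    print(resolve_action(SENDER_RULES, "pinky@csc.com"))        # scan_and_correct
    print(resolve_action(SENDER_RULES, "pinky@evil.example"))   # reject
```

    Note that `*` is not stopped by `@` or `.`, so `*@csc.com` also matches `pinky@evil.example@csc.com`; when a pattern is used as an allow decision, the value fed to it must already be a canonical address.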

    UFP

    Used for filtering HTTP traffic destined for Internet-based URLs.

    Firewall-1 uses the HTTP security server to intercept any connection that goes to the Internet.

    Based on the defined URL list and the security policy, access is either granted or denied.

    URI Resource

    Click on Manage > Resources and select New URI resource

    URI Resource

    Once the URI resource is defined, it can be used in the rule base: add the service with the resource (Add With Resource) and set the action.

    UFP with HTTP Security Server

    Creating an OPSEC application

    Click on the icon and select New OPSEC application

    UFP with HTTP security server

    Finally, add the rule that uses the URI resource (Add With Resource on the service) and set its action.

    CVP with HTTP security server

    Following are the steps to configure CVP with the HTTP security server

    Define workstation object on which CVP server is running

    Define OPSEC application object of type CVP

    Define a URI resource that uses CVP server

    Use the rule with resource and install policy.

    CVP using HTTP security server

    Creating the OPSEC application object is similar to UFP; instead select CVP server as the option. Then create a URI resource that uses the CVP server.

    CVP using http security server

    Verify and install the policy

    What NAT does?

    NAT allows hosts to transparently talk to one another using addresses that are acceptable to each side.

    In other words, it allows hosts with private (or otherwise non-routable) addresses to talk to hosts on the public network.

    Best utilization of public addresses.

    How NAT Works

    Give your web server, intranet web server and email server an external address

    Hide the real addressing of your entire internal network (this is address hiding, not a substitute for the rule base)

    Allow the internal network access to the Internet using a single Internet address

    Change ISP without re-numbering your internal network.

    Disadvantages of using NAT

    NAT must be able to handle new applications. It is unable to handle some applications (those that carry addresses or ports inside the payload), and probably more in the near future.

    Requires some additional work to maintain

    Only a limited number of addresses can be hidden behind a single address, since each hidden connection consumes a source port on the hide address

    Requires extra memory and CPU cycles. Negligible with a limited number of connections, but noticeable with over 20,000 connections.

    Types of NAT

    Four types of NAT are available on Firewall-1

    Source Static: translates the source IP address to a specific static address (one-to-one)

    Source Hide: translates the source address to a hide address and rewrites the source port; also referred to as many-to-one translation

    Destination Static: translates the destination IP address to a specific static address

    Destination Port Static: translates only the destination port number to a specific port

    Order of Operation

    If the firewall finds no record of the packet in the connections table, it is a new connection and must be checked against the security policy.

    The firewall performs an anti-spoofing check on the 10.20.30.1 interface: the source of the packet (10.20.30.40) is compared against that interface's Valid Addresses setting.

    Firewall checks the properties and the rule base (on the packet's original, untranslated addresses).

    OS routes the packet.

    Packet goes through the address translation rules.

    Packet is routed, with or without translation, to the outbound interface.
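    The four translation types and the processing order above, as one added example for this page (not Check Point's code): a Python model that walks a packet through the connection table, anti-spoofing, rule base, routing and NAT in that order. The 10.20.30.0/24 network and the 10.20.30.40 source come from the slide; the public 203.0.113.0/24 addresses, the rules, the `others` valid-address setting on the external interface and the deliberately tiny hide-port range (to show the many-to-one limit from the disadvantages slide) are constructed.

```python
"""Packet handling in the order the slide gives: connection table, anti-spoofing on the
inbound interface, rule base, routing, then the four NAT types. Added example for this
page, not Check Point's code. 10.20.30.0/24 and 10.20.30.40 come from the slide; the
public 203.0.113.0/24 range, rules and tiny hide-port range are constructed."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport")
Interface = namedtuple("Interface", "name valid")        # valid: tuple of nets or "others"
SecurityRule = namedtuple("SecurityRule", "src dst dport action")   # dport None = any
NatRule = namedtuple("NatRule", "kind match translate_to match_port", defaults=(None,))
# kind: src_static | src_hide | dst_static | dst_port_static; 'match' is tested against
# the ORIGINAL source (or destination) address, translate_to is an address or a port.
FIELD = {"src_static": "src", "src_hide": "src", "dst_static": "dst", "dst_port_static": "dport"}


def _in(addr, net):
    return net == "any" or ip_address(addr) in ip_network(net)


class Firewall:
    def __init__(self, interfaces, rules, nat_rules, hide_ports=(10000, 10002)):
        self.interfaces = {i.name: i for i in interfaces}
        self.rules, self.nat_rules = rules, nat_rules
        self.connections = {}         # original 4-tuple -> translated packet
        self.next_hide_port = {}      # hide address -> next free port
        self.hide_ports = hide_ports  # deliberately tiny: shows the many-to-one limit
        self.dropped = []

    def process(self, pkt, inbound):
        """Return the packet to forward (translated when NAT applies) or None if dropped."""
        if pkt in self.connections:                  # 1. known connection: no policy check
            return self.connections[pkt]
        if self._spoofed(pkt.src, self.interfaces[inbound]):       # 2. anti-spoofing
            self.dropped.append(("spoof", inbound, pkt))
            return None
        rule = next((r for r in self.rules if self._rule_matches(r, pkt)), None)
        if rule is None or rule.action != "accept":  # 3. rule base, on ORIGINAL addresses
            self.dropped.append(("policy", inbound, pkt))
            return None
        # 4. the OS routes on the original destination; 5. NAT rules apply only now.
        self.connections[pkt] = self._translate(pkt)  # 6. forward, state recorded
        return self.connections[pkt]

    def _spoofed(self, src, iface):
        if iface.valid == "others":                   # valid = not owned by another interface
            return any(_in(src, n) for o in self.interfaces.values()
                       if o is not iface and o.valid != "others" for n in o.valid)
        return not any(_in(src, n) for n in iface.valid)

    @staticmethod
    def _rule_matches(r, pkt):
        return _in(pkt.src, r.src) and _in(pkt.dst, r.dst) and r.dport in (None, pkt.dport)

    def _hide_port(self, hide_addr):
        lo, hi = self.hide_ports
        port = self.next_hide_port.get(hide_addr, lo)
        if port > hi:
            raise RuntimeError(f"hide address {hide_addr}: no free ports left")
        self.next_hide_port[hide_addr] = port + 1
        return port

    def _translate(self, pkt):
        """First matching NAT rule per field wins; matching uses the original packet."""
        src, sport, dst, dport = pkt
        done = set()
        for r in self.nat_rules:
            field = FIELD[r.kind]
            if field in done:
                continue
            if field == "src" and _in(pkt.src, r.match):
                src = r.translate_to
                if r.kind == "src_hide":             # many-to-one: source port rewritten
                    sport = self._hide_port(r.translate_to)
            elif field == "dst" and _in(pkt.dst, r.match):
                dst = r.translate_to
            elif field == "dport" and _in(pkt.dst, r.match) and pkt.dport == r.match_port:
                dport = int(r.translate_to)
            else:
                continue
            done.add(field)
        return Packet(src, sport, dst, dport)


def build_firewall():
    return Firewall(
        interfaces=[Interface("internal", ("10.20.30.0/24",)), Interface("external", "others")],
        rules=[SecurityRule("10.20.30.0/24", "any", 80, "accept"),    # internal web browsing
               SecurityRule("any", "203.0.113.80/32", 80, "accept"),  # web server, public addr
               SecurityRule("any", "any", None, "drop")],
        nat_rules=[NatRule("src_static", "10.20.30.80/32", "203.0.113.80"),  # above the hide rule
                   NatRule("src_hide", "10.20.30.0/24", "203.0.113.1"),
                   NatRule("dst_static", "203.0.113.80/32", "10.20.30.80"),
                   NatRule("dst_port_static", "203.0.113.80/32", "8080", 80)])
```

    Two consequences of the order are visible in `build_firewall`: the rule for the public web server has to match the destination the packet carries when the rule base is consulted, which is the untranslated public address, and the static source rule for the web server sits above the hide rule because the first matching NAT rule per field wins. A packet with an internal source arriving on the external interface is dropped by the anti-spoofing check before the rule base is ever consulted.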

    Questions