8/7/2019 Checkpoint - Day 3[1]
1/51
CSC Private
Day Three Session
Objective
Various authentication methods
Content Security
Network Address Translation
Chapter 6 Authentication
At the end of the chapter, you should be able to:
Understand static and one-time passwords
Understand user, session and client authentication
Choose the best authentication method for a given situation
Integrate 3rd-party authentication servers with Firewall-1
Passwords
Firewall-1 provides various authentication options:
Firewall-1 Password
OS Password
S/Key (one-time passwords)
SecurID
RADIUS
TACACS
LDAP
User Authentication
Provides authentication for 5 services:
telnet
HTTP
HTTPS
rlogin
FTP
Session Authentication
Session authentication can be used for any service.
It relies on the Session Authentication agent installed on the client machine.
Client Authentication
Used to authenticate any service.
The user must authenticate to the firewall before the service is authorized.
The service is then provided for a specific number of sessions and/or a specific duration of time.
Authentication may happen in one of the following ways:
Telnet to the firewall on port 259
HTTP to the firewall on port 900
HTTPS to the firewall on port 950
Client Authentication
Two choices in client authentication:
Standard Sign-on: authenticate once, then use whatever the rule allows.
Specific Sign-on: the user must name a specific destination and service each time they sign on.
Standard Sign-on
Client Authentication using HTTP
Specific Sign-on using HTTP
Which authentication is best?
Steps in setting up user authentication
Create the users and groups required for authentication
Create the appropriate rules in the rulebase
Configure the User Authentication action properties
Configure the Authentication frame of the rulebase properties
Verify and install the policy
Setting up user authentication
When adding the source, right-click the Source field and click Add User Access.
Right-click User Authentication in the Action field and select Edit Properties.
Importance of rule order in User Authentication
If user authentication rules are present, the firewall does not stop at the first matching rule in the rulebase.
Instead, all matching rules are evaluated and the least restrictive rule applies, so a broad Accept rule lower in the rulebase can let a connection through without ever asking the user to authenticate.
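The evaluation behaviour described above, as an added example (not Check Point code): a small model of a rulebase in which a matching User Authentication rule is overridden by a later, less restrictive Accept rule, plus an audit function that flags such shadowing before the policy is installed. The rulebase, addresses and service names are constructed for illustration.

```python
"""Model of how the slides say Firewall-1 evaluates a rulebase containing
User Authentication rules. Added example, not Check Point code; the
rulebase, addresses and services below are constructed.

Ordinary rules match top-down, first match wins. When the first matching
rule is a User Authentication rule, the gateway keeps reading: if a later
rule also matches and is less restrictive (Accept), that rule applies and
the user is never asked to authenticate."""
import ipaddress as ipa


def _in(net, ip):
    """True if ip falls inside net; 'Any' matches everything."""
    return net == "Any" or ipa.ip_address(ip) in ipa.ip_network(net)


def evaluate(rules, src, dst, service):
    """Return (rule number, action) for a connection, or (None, 'drop') for the implicit drop.

    A rule is (number, src, dst, service, action) with action in
    {'accept', 'user_auth', 'drop'}; 'Any' matches anything in a column."""
    matching = [r for r in rules
                if _in(r[1], src) and _in(r[2], dst) and r[3] in ("Any", service)]
    if not matching:
        return None, "drop"
    first = matching[0]
    if first[4] != "user_auth":
        return first[0], first[4]              # ordinary first-match behaviour
    for r in matching[1:]:                     # auth rule matched: look for a less restrictive match
        if r[4] == "accept":
            return r[0], "accept"
    return first[0], "user_auth"


def _overlap(a, b):
    """True if two address columns can match the same packet."""
    if "Any" in (a, b):
        return True
    return ipa.ip_network(a).overlaps(ipa.ip_network(b))


def audit(rules):
    """Return (auth rule, accept rule) pairs where a later Accept can shadow the auth rule."""
    findings = []
    for i, auth_rule in enumerate(rules):
        if auth_rule[4] != "user_auth":
            continue
        for later in rules[i + 1:]:
            if (later[4] == "accept"
                    and _overlap(auth_rule[1], later[1])
                    and _overlap(auth_rule[2], later[2])
                    and (auth_rule[3] == later[3] or "Any" in (auth_rule[3], later[3]))):
                findings.append((auth_rule[0], later[0]))
    return findings


# Constructed rulebase: rule 2 is a broad Accept sitting below the auth rule.
RULEBASE = [
    (1, "10.0.0.0/8", "192.0.2.10", "http", "user_auth"),
    (2, "10.0.0.0/8", "Any", "http", "accept"),
    (3, "Any", "Any", "Any", "drop"),
]

# Same intent, but the broad Accept no longer covers the protected server.
FIXED_RULEBASE = [
    (1, "10.0.0.0/8", "192.0.2.10", "http", "user_auth"),
    (2, "10.0.0.0/8", "198.51.100.0/24", "http", "accept"),
    (3, "Any", "Any", "Any", "drop"),
]

if __name__ == "__main__":
    print(evaluate(RULEBASE, "10.1.1.1", "192.0.2.10", "http"))        # (2, 'accept'): auth bypassed
    print(evaluate(FIXED_RULEBASE, "10.1.1.1", "192.0.2.10", "http"))  # (1, 'user_auth')
    print(audit(RULEBASE), audit(FIXED_RULEBASE))                        # [(1, 2)] []
```

Run `audit()` over a rulebase before installing it: any User Authentication rule that shares source, destination and service space with a later Accept rule is a rule that will silently never authenticate anyone for that traffic.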
Example of User authentication
Setting up Session Authentication
Similar to User Authentication, except for the action properties settings.
Setting up Client Authentication
Similar to User Authentication, except for the action properties settings.
Client Authentication (Contd.)
You may select standard sign-on or specific sign-on.
Sign-on methods:
Manual sign-on: authentication happens only via Telnet on port 259 or HTTP on port 900.
Partially automatic: Firewall-1 uses user authentication (the user authentication database) for the 5 services (telnet, http, ftp, rlogin and https).
Fully automatic: non-standard services can be authenticated using session authentication.
Agent automatic sign-on: uses session authentication when the rule is matched; it performs standard sign-on.
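The client authentication behaviour described on the Client Authentication slides above (sign on to the gateway first, then a per-client allowance of sessions and/or time, in standard or specific sign-on mode), as an added example rather than Check Point's own implementation. The gateway's real authorization store is internal; this model only reproduces the decisions the slides describe. Addresses, services and the stand-in rule are constructed.

```python
"""Client Authentication sign-on records, as the slides describe them.

Added example, not Check Point code. One record is kept per client IP
after the user has authenticated to the gateway; each record allows a
number of sessions and/or a duration, either for any destination and
service the rule allows (standard sign-on) or only for the
destination/service pairs named at sign-on (specific sign-on)."""
from dataclasses import dataclass, field


@dataclass
class Authorization:
    src_ip: str
    mode: str                  # "standard" or "specific"
    expires_at: float          # absolute time in seconds
    sessions_left: int
    allowed: set = field(default_factory=set)   # (dst, service) pairs, specific mode only


class ClientAuthTable:
    def __init__(self, rule_allows):
        # rule_allows(dst, service) -> bool stands in for the client-auth
        # rule's Destination and Service columns.
        self.rule_allows = rule_allows
        self.auths = {}        # src_ip -> Authorization

    def sign_on(self, src_ip, now, mode, sessions, duration, requests=()):
        """Record a sign-on once the user has authenticated to the gateway."""
        if mode == "specific":
            # Specific sign-on: every destination/service must be named now
            # and must itself be permitted by the rule.
            allowed = {(d, s) for d, s in requests if self.rule_allows(d, s)}
            if not allowed:
                return False
        elif mode == "standard":
            allowed = set()
        else:
            raise ValueError("unknown sign-on mode %r" % mode)
        self.auths[src_ip] = Authorization(src_ip, mode, now + duration, sessions, allowed)
        return True

    def authorize(self, src_ip, dst_ip, service, now):
        """Decide a new connection from src_ip; an ACCEPT consumes one session."""
        auth = self.auths.get(src_ip)
        if auth is None:
            return "NEEDS_SIGN_ON"
        if now >= auth.expires_at or auth.sessions_left <= 0:
            del self.auths[src_ip]          # duration or session count exhausted
            return "EXPIRED"
        if auth.mode == "specific":
            permitted = (dst_ip, service) in auth.allowed
        else:
            permitted = self.rule_allows(dst_ip, service)
        if not permitted:
            return "NOT_AUTHORIZED"
        auth.sessions_left -= 1
        return "ACCEPT"


def demo_rule(dst, service):
    """Constructed client-auth rule: telnet and ftp to one internal host."""
    return dst == "10.1.1.5" and service in ("telnet", "ftp")


def run_demo():
    """Walk both sign-on modes through the table; returns the decisions in order."""
    table = ClientAuthTable(demo_rule)
    out = []
    # Standard sign-on from 192.168.1.10: 2 sessions, 600 s, any service the rule allows.
    table.sign_on("192.168.1.10", now=0, mode="standard", sessions=2, duration=600)
    out.append(table.authorize("192.168.1.10", "10.1.1.5", "telnet", now=10))   # ACCEPT
    out.append(table.authorize("192.168.1.10", "10.1.1.5", "ftp", now=20))      # ACCEPT
    out.append(table.authorize("192.168.1.10", "10.1.1.5", "telnet", now=30))   # EXPIRED (sessions used up)
    # Specific sign-on from 192.168.1.11: bound to telnet -> 10.1.1.5 only.
    table.sign_on("192.168.1.11", now=0, mode="specific", sessions=5, duration=600,
                  requests=[("10.1.1.5", "telnet")])
    out.append(table.authorize("192.168.1.11", "10.1.1.5", "telnet", now=10))   # ACCEPT
    out.append(table.authorize("192.168.1.11", "10.1.1.5", "ftp", now=20))      # NOT_AUTHORIZED
    out.append(table.authorize("192.168.1.11", "10.1.1.5", "telnet", now=700))  # EXPIRED (time)
    out.append(table.authorize("192.168.1.12", "10.1.1.5", "telnet", now=10))   # NEEDS_SIGN_ON
    return out
```

Two things the model makes visible: the authorization is keyed on the client IP, not on the user, so anyone sharing or spoofing that address inherits it until the session count or timer runs out; and the manual sign-on channels on ports 259 (Telnet) and 900 (HTTP) carry the password in clear, which is why the HTTPS option on port 950 is preferable where the client supports it.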
Chapter 7 - Content Security
At the end of this chapter, you should be able to:
Know what CVP and UFP are used for
Restrict content for various TCP services
Understand the performance issues with Content Security
A word about content security
Check Point found that it could not integrate every content-inspection application into the Firewall-1 software itself.
Instead, Firewall-1 integrates 3rd-party applications that work alongside the firewall.
CVP (Content Vectoring Protocol) and UFP (URL Filtering Protocol) are discussed later in this chapter.
CVP
CVP is used to scan content, typically for viruses, but depending on the CVP server it can also scan for malicious Java applets and ActiveX controls.
The content stream is intercepted by one of the security servers on the firewall and passed to the CVP server.
Security servers include the HTTP, FTP, HTTPS and Telnet daemons; other generic TCP services can be added as well.
CVP
The CVP server returns one of the following actions:
Send the content as is, without any modification
Remove the offending content and send the corrected content
Do not send the content at all
Wildcards used in resources:
* matches a string of any length, e.g. *@csc.com matches every email address at csc.com.
+ matches any single character (one + per character), e.g. pink+@csc.com matches pinky@csc.com but not pink@csc.com.
{ , } matches any one of the listed strings, e.g. pinky@{csc,abc}.com matches pinky@csc.com and pinky@abc.com.
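The resource wildcard syntax above (`*`, `+` and `{a,b}`), implemented as an added example rather than Check Point's own matcher. It translates a pattern into an anchored regular expression so that literal characters such as `.` are not treated as metacharacters and so that the whole value must match; the addresses and patterns used are constructed.

```python
"""Firewall-1 resource wildcard matching: '*' any string, '+' exactly one
character, '{a,b}' one of the listed strings. Added example, not Check
Point's matcher; patterns and addresses below are constructed."""
import re


def wildcard_to_regex(pattern):
    """Translate a resource wildcard pattern into an anchored regular expression."""
    parts, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            parts.append(".*")
        elif c == "+":
            parts.append(".")
        elif c == "{":
            close = pattern.find("}", i)
            if close == -1:
                raise ValueError("unterminated '{' in pattern %r" % pattern)
            alts = [re.escape(a.strip()) for a in pattern[i + 1:close].split(",")]
            parts.append("(?:" + "|".join(alts) + ")")
            i = close
        else:
            parts.append(re.escape(c))      # '.', '@' etc. stay literal
        i += 1
    return "^" + "".join(parts) + "$"       # anchored: the whole value must match


def matches(pattern, value):
    """True if value matches the wildcard pattern (case-sensitive)."""
    return re.fullmatch(wildcard_to_regex(pattern), value) is not None


def check(pattern, values):
    """Return the subset of values the pattern accepts, in input order."""
    return [v for v in values if matches(pattern, v)]


if __name__ == "__main__":
    print(check("*@csc.com", ["pinky@csc.com", "a.b@csc.com",
                               "pinky@csc.com.evil.net", "pinky@cscXcom"]))
    print(check("pink+@csc.com", ["pinky@csc.com", "pink@csc.com", "pinkyy@csc.com"]))
    print(check("pinky@{csc, abc}.com", ["pinky@csc.com", "pinky@abc.com", "pinky@xyz.com"]))
```

The two checks that matter when writing resources are visible in the first call: without anchoring, `*@csc.com` would also accept `pinky@csc.com.evil.net`, and without escaping the `.` would accept `pinky@cscXcom`.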
UFP
Used for filtering HTTP traffic destined for internet-based URLs.
Firewall-1 uses the HTTP security server to intercept connections going to the internet.
Based on the UFP server's URL list and the security policy, access is either granted or denied.
URI Resource
Click Manage, Resources, and select New URI resource.
URI Resource
Once the URI resource is defined, it can be used in the Action field of a rule in the rulebase.
UFP with HTTP Security Server
Creating an OPSEC application: click the icon and select New OPSEC application.
UFP with HTTP security server
Finally, add a rule with the resource in the Action field.
CVP with HTTP security server
Following are the steps to configure CVP with the HTTP security server:
Define a workstation object for the host on which the CVP server is running
Define an OPSEC application object of type CVP
Define a URI resource that uses the CVP server
Add a rule that uses the resource and install the policy
CVP using HTTP security server
Creating the OPSEC application object is similar to UFP, but select CVP server as the option.
Create a URI resource of type CVP.
CVP using HTTP security server
Verify and install the policy.
What does NAT do?
NAT allows hosts to talk to one another transparently, using addresses that each side can reach.
In other words, it allows hosts with private (unregistered) addresses to talk to hosts on the public network.
It makes the best use of scarce public addresses.
How NAT Works
Give your email server, intranet web server and public web server an external address.
Hide the addressing of your entire internal network (NAT complements the security policy; it does not replace it).
Allow the internal network access to the internet using a single internet address.
Change ISP without renumbering your internal network.
Disadvantages of using NAT
NAT must be able to handle new applications. It cannot handle some applications (typically those that carry addresses inside the payload), and probably more in the near future.
It requires some additional work to maintain.
Only a limited number of addresses can be hidden behind a single address, since the hide address has a finite number of ports.
It requires extra memory and CPU cycles: negligible with a limited number of connections, but noticeable with over 20,000 connections.
Types of NAT
Four types of NAT are available on Firewall-1:
Source Static: translates the source IP address to a specific static address.
Source Hide: translates the source address to a hide address; also referred to as many-to-one translation.
Destination Static: translates the destination IP address to a specific static address.
Destination Port Static: translates only the destination port number to a specific port.
Order of operation
The firewall checks whether this is a new connection: if there is no record of the packet in the connections table, the connection must be checked against the security policy.
The firewall performs an anti-spoofing check on the 10.20.30.1 interface: the source address of the packet (10.20.30.40) is compared against the interface's valid address setting.
The firewall checks the properties and the rulebase.
The OS routes the packet.
The packet goes through the address translation rules.
The packet is forwarded, with or without translation, to the outbound interface.
Questions