ccsa - ngx training- vpn_partii_21nov09

Upload: luu-tuong

Post on 03-Jun-2018


TRANSCRIPT

  • 8/12/2019 Ccsa - Ngx Training- Vpn_partii_21nov09

    Slide 1/38

    Check Point Security Administration NGX I

    Authorized Check Point Distributor

    Module 6: Encryption and Virtual Private Networks

  • Slide 2/38

    Check Point Security Administration

    Course Map

    Module 1: Check Point Firewall Architecture & Installation
    Module 2: Security Policy
    Module 3: Network Address Translation
    Module 4: Log/Monitoring
    Module 5: SmartDefense
    Module 6: Encryption and VPNs
    Module 7: Disaster Recovery

  • Slide 3/38

    Module 6: Introduction to Site-to-Site VPN

    Objectives

    Demonstrate gateway-to-gateway encryption using IKE with shared secrets.
    Demonstrate gateway-to-gateway encryption using IKE with certificates.
    Discuss the configuration of Remote Access using IPSec and SSL VPN.

    Key Terms

    pre-shared secret
    VPN site
    VPN community
    Mesh
    Star

  • Slide 4/38

    Module 6: The Virtual Private Network

    A VPN is a private network that overlays onto the Internet.
    This supports a secure communication link between partners.
    VPNs are fast replacing more expensive leased lines, frame relay circuits and other forms of dedicated connections.

  • Slide 5/38

    Module 6: Encryption and Virtual Private Networks

    Site-to-Site VPN
    Remote Access (client-to-site)

  • Slide 6/38

    Module 6.a: Site-to-Site VPN

  • Slide 7/38

    Module 6: Two Gateway Network Configuration

    Two private networks are connected to the Internet through firewalled gateways.

  • Slide 8/38

    Module 6:

    Types of site-to-site VPNs

    Intranet VPNs

    Extranet VPNs

  • Slide 9/38

    Module 6: Intranet VPNs

    Built to handle secure communication between internal departments and branch offices.

    Intranet VPN design requirements include:

    strong data encryption to protect confidential information
    reliability for mission-critical systems (e.g., database management)
    scalable to accommodate growth and change

  • Slide 10/38

    Module 6:

    Intranet VPN

  • Slide 11/38

    Module 6: Extranet VPNs

    Built to handle secure communication between a company and its strategic partners, customers and suppliers.

    Extranet VPN design requirements include:

    Internet Protocol Security standard (IPSec)
    traffic control to prevent network access point bottlenecks
    fast delivery and response times for critical data

  • Slide 12/38

    Module 6:

    Extranet VPN

  • Slide 13/38

    Module 6: VPN Implementation

    A complete VPN implementation supports all types of VPN.

    The complete VPN must include three critical components:

    Security, including access control, authentication and encryption
    QoS: VPN traffic control should include bandwidth management and VPN acceleration to ensure QoS
    Performance and management should include policy-based management

  • Slide 14/38

    Module 6:

    Complete VPN

  • Slide 15/38

    Module 6: Understanding VPN Deployment

    Check Point's VPN management model now enables administrators to directly define a VPN on a group of gateways.
    This uses a new entity called a VPN Site; this is different from sites defined in SecuRemote or SecureClient.
    VPN Sites can be grouped to create VPN Communities.
    This model simplifies the process of defining VPNs.

  • Slide 16/38

    Simplified Intranet Setup

    Two Basic Types of VPN community

    Mesh
    Star

  • Slide 17/38

    Module 6:

    Star and Mesh VPN communities

  • Slide 18/38

    Integrating VPNs into a Rule Base

    VPN Rule in a Simplified Rule Base
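    The slides above name the two community types (Mesh and Star) and show a VPN rule in a simplified rule base without spelling out what the VPN column does. The following added example (not Check Point's code, and not taken from these slides) models both community types and evaluates a small rule base whose VPN column names a community: a rule with a community in that column only matches when the gateways protecting the two endpoints are allowed to build a tunnel in that community. All gateway, network and community names are constructed for illustration.

```python
"""Added example (not Check Point's code): model mesh and star VPN
communities and match traffic against a simplified rule base whose
VPN column names a community. Gateway, network and community names
are constructed for illustration."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass
class Community:
    name: str
    kind: str                                           # "mesh" or "star"
    members: Set[str] = field(default_factory=set)      # mesh: every member peers with every other
    center: Set[str] = field(default_factory=set)       # star: hub gateways
    satellites: Set[str] = field(default_factory=set)   # star: spoke gateways

    def tunnels(self) -> Set[FrozenSet[str]]:
        """Unordered gateway pairs that may build a tunnel in this community."""
        if self.kind == "mesh":
            return {frozenset(p) for p in combinations(sorted(self.members), 2)}
        if self.kind == "star":
            # Satellites reach only the center; satellite-to-satellite is not a tunnel.
            return {frozenset((c, s)) for c in self.center for s in self.satellites}
        raise ValueError(f"unknown community kind: {self.kind}")

    def allows(self, gw_a: str, gw_b: str) -> bool:
        return frozenset((gw_a, gw_b)) in self.tunnels()


@dataclass
class Rule:
    number: int
    source: Set[str]        # network names, or {"Any"}
    destination: Set[str]
    vpn: str                # "Any Traffic" or a community name
    service: Set[str]       # service names, or {"Any"}
    action: str             # "accept" or "drop"


def _matches(column: Set[str], wanted: str) -> bool:
    return "Any" in column or wanted in column


def first_match(rules: List[Rule], communities: Dict[str, Community],
                domain: Dict[str, str], src_net: str, dst_net: str,
                service: str) -> Optional[Rule]:
    """Return the first rule matching the packet. A rule naming a community in
    its VPN column matches only if the two encryption domains' gateways may tunnel."""
    gw_src, gw_dst = domain.get(src_net), domain.get(dst_net)
    for rule in rules:
        if not (_matches(rule.source, src_net) and _matches(rule.destination, dst_net)
                and _matches(rule.service, service)):
            continue
        if rule.vpn != "Any Traffic":
            community = communities[rule.vpn]
            if gw_src is None or gw_dst is None or not community.allows(gw_src, gw_dst):
                continue
        return rule
    return None


# Constructed sample topology: three branch gateways in a mesh, two partner
# gateways as satellites of a star whose center is the Oslo gateway.
COMMUNITIES = {
    "Branches_Mesh": Community("Branches_Mesh", "mesh",
                               members={"gw_oslo", "gw_london", "gw_paris"}),
    "Partners_Star": Community("Partners_Star", "star",
                               center={"gw_oslo"},
                               satellites={"gw_partnerA", "gw_partnerB"}),
}
# Encryption domain: which gateway protects which internal network (constructed).
DOMAIN = {"net_oslo": "gw_oslo", "net_london": "gw_london", "net_paris": "gw_paris",
          "net_partnerA": "gw_partnerA", "net_partnerB": "gw_partnerB"}

RULES = [
    Rule(1, {"Any"}, {"Any"}, "Branches_Mesh", {"Any"}, "accept"),
    Rule(2, {"net_partnerA", "net_partnerB"}, {"net_oslo"}, "Partners_Star", {"https"}, "accept"),
    Rule(3, {"Any"}, {"Any"}, "Any Traffic", {"Any"}, "drop"),   # clean-up rule
]


def decide(src_net: str, dst_net: str, service: str) -> str:
    rule = first_match(RULES, COMMUNITIES, DOMAIN, src_net, dst_net, service)
    return f"rule {rule.number}: {rule.action}" if rule else "no match"


if __name__ == "__main__":
    for pkt in [("net_london", "net_paris", "smtp"),
                ("net_partnerA", "net_oslo", "https"),
                ("net_partnerA", "net_partnerB", "https"),   # satellite to satellite
                ("net_partnerA", "net_oslo", "ssh")]:
        print(pkt, "->", decide(*pkt))
```

    The satellite-to-satellite packet falls through to the clean-up rule even though both partners are in the same star community, which is the point of the star topology: spokes only ever tunnel to the hub. Note that this model checks only the VPN column; the rule's other columns are evaluated exactly as they would be for clear traffic.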

  • Slide 19/38

    Module 6: Two Gateway IKE Encryption Configuration

  • Slide 20/38

    Module 6:

    Lab: Site-to-Site VPN using shared key

  • Slide 21/38

    Module 6:

    Lab: Site-to-Site VPN using certificates

  • Slide 22/38

    Module 6.b: Remote Access (client-to-site)

  • Slide 23/38

    Module 6: Remote Access VPNs

    Built to handle secure communication between a corporate network and remote or mobile employees.

    Remote access VPN design requirements include:

    strong authentication to verify remote and mobile users
    centralised management
    scalable to accommodate user groups

  • Slide 24/38

    Module 6:

    Remote Access VPN

  • Slide 25/38

    Module 6: Configuring Remote Access

    Define the users and user groups that will be allowed access, and the authentication to be used
    Configure Gateways to enable Remote Access
    Configure a Remote Access VPN Community
    Define VPN connection rules in the Policy Rule Base
    Install SecuRemote/SecureClient on all users' computers

  • Slide 26/38

    Configure Remote Access

    Define users/user groups

  • Slide 27/38

    Configure Remote Access

    Configure VPN Community, gateway

  • Slide 28/38

    Configure Remote Access

    Install VPN client (SecuRemote/SecureClient)

  • Slide 29/38

    Configure Remote Access

    SecuRemote/SecureClient

  • Slide 30/38

    Module 6: Example Network

    SecuRemote/SecureClient is installed on Bob's and Anna's machines, and a User Authentication rule is in the Firewall policy.
    Bob and Anna can connect to netoslo using their own names and passwords.

  • Slide 31/38

    Module 6: Rule Base Configuration

    Rule Base without Encryption
    Rule Base with Remote Access VPN Object

  • Slide 32/38

    Module 6: Office Mode

    This mode allows an organisation to assign internal IP addresses to SecureClient users.
    This IP address is encapsulated inside the VPN tunnel between the client and gateway.
    This mode enables administrators to control which IP addresses will be used by remote clients inside the local network.

  • Slide 33/38

    Office Mode Overview

    Before VPN-1 NGX, there were only three ways to configure Office Mode:

    Office Mode by IP pool
    Office Mode by DHCP
    IP per user (by editing ipassignment.conf)

  • Slide 34/38

    Office Mode: How Office Mode Works

  • Slide 35/38

    Module 6: Routing Considerations

    The default routing must ensure that reply packets (returning to the SecuRemote client) are routed through the same encrypting gateway through which the original packets were delivered.
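    The routing requirement above is easy to state and easy to break: once Office Mode hands a client an address from an internal pool, every internal router must send traffic for that pool back to the encrypting gateway, or the reply is lost or leaves by another path. The added example below (not Check Point's code, and not from these slides) performs that check offline: it parses a constructed internal routing table, does the longest-prefix match a router would do for each Office Mode pool address, and reports any address whose next hop is not the gateway's internal interface. The route format, the pool and all addresses are constructed assumptions.

```python
"""Added example (not Check Point's code): verify that an internal router's
table returns Office Mode reply traffic to the encrypting gateway.
Route format, pool and addresses are constructed for illustration."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, next hop)


def parse_routes(lines: List[str]) -> List[Route]:
    """Parse constructed 'DEST/PREFIX via NEXTHOP' lines; '#' starts a comment."""
    routes: List[Route] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dest, via, nexthop = line.split()
        if via != "via":
            raise ValueError(f"unexpected route line: {raw!r}")
        routes.append((ipaddress.ip_network(dest), nexthop))
    return routes


def lookup(routes: List[Route], address: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, as on a real router."""
    ip = ipaddress.ip_address(address)
    best: Optional[Route] = None
    for net, nexthop in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def check_office_mode_return_path(routes: List[Route], pool: str,
                                  gateway_internal_ip: str) -> List[str]:
    """Return one line per pool address whose reply path does not lead to the
    encrypting gateway; an empty list means the return path is symmetric."""
    problems = []
    for host in ipaddress.ip_network(pool).hosts():
        nexthop = lookup(routes, str(host))
        if nexthop != gateway_internal_ip:
            problems.append(f"{host}: next hop {nexthop}, expected {gateway_internal_ip}")
    return problems


# Constructed internal router table. The VPN gateway's internal interface is
# 10.0.0.1; a stale /25 static route sends half the Office Mode pool elsewhere.
BROKEN_TABLE = [
    "0.0.0.0/0 via 10.0.0.254          # default route to another gateway",
    "10.0.0.0/24 via 10.0.0.1",
    "192.168.50.0/24 via 10.0.0.1      # Office Mode pool -> VPN gateway",
    "192.168.50.128/25 via 10.0.0.254  # stale, more specific: misroutes replies",
]
FIXED_TABLE = [l for l in BROKEN_TABLE if not l.startswith("192.168.50.128/25")]

OFFICE_MODE_POOL = "192.168.50.0/24"
VPN_GATEWAY_INTERNAL = "10.0.0.1"


def audit(table_lines: List[str]) -> List[str]:
    return check_office_mode_return_path(parse_routes(table_lines),
                                         OFFICE_MODE_POOL, VPN_GATEWAY_INTERNAL)


if __name__ == "__main__":
    broken = audit(BROKEN_TABLE)
    print(f"broken table: {len(broken)} pool addresses misrouted")
    print("first problem:", broken[0] if broken else "none")
    print(f"fixed table: {len(audit(FIXED_TABLE))} pool addresses misrouted")
```

    Because the stale /25 is more specific than the /24 pointing at the gateway, the longest-prefix match silently diverts replies for the upper half of the pool, which is exactly the asymmetric-routing failure the slide warns about. Running the same check against the table of every router between the protected servers and the gateway catches this before clients report one-way connectivity.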

  • Slide 36/38

    Module 6: SSL VPN

    [Diagram labels: Business Partner; Mobile Worker; Teleworker; SSL VPN Gateway; Web-based Applications; User's SSL Session to Gateway; HTTP; Internet; Authentication Server; HTTPS]

    For IPSec VPN, SecuRemote/SecureClient is installed on P
    SSL VPN just needs a Web browser (IE or Firefox)

  • Slide 37/38

    Module 6:

    Defining SecuRemote Users
    Install SecuRemote/SecureClient Software
    Configuring Remote Access in an IKE VPN

  • Slide 38/38

    Module 6: SSL VPN

    Configure SSL VPN
    Access through web browser