-
8/7/2019 Checkpoint - Day 4[1]
1/39
CSC Private
Day Four Session
Objective
Understand the various components of Firewall-1 and how they interact
Troubleshoot common problems with Remote Management
Configure and Troubleshoot VPN
-
Chapter 9 Remote Management
At the end of the chapter, you should be able to
Understand how various firewall components interact
Effectively manage various firewall modules
Troubleshoot common remote management problems
-
Components
Firewall Module: the device that enforces the security policy. Also referred to as the enforcement module.
Management Module: stores, compiles and installs the security policy.
Smart Console: the client programs that allow you to view logs and manage the security policy.
-
Components (diagram slide, image not included)
-
Components
Smart Clients connect to the management server on tcp port 18190.
All communication between the client and the management server is encrypted.
The client IP address, username and password are supplied to the management server.
Once authenticated, the security policy, network objects and users are downloaded to the client machine.
-
Components
The Management Module stores the security policy and the configuration of your firewall modules.
It compiles and loads the security policy to the firewall modules.
It connects to the remote firewall module on tcp port 18191 to load the security policy.
Applications are monitored on tcp port 18192.
-
Components
The Firewall Module enforces your security policy.
It connects to the management module on tcp port 257 to send the logs.
Communication between the management server and the firewall module is encrypted via SIC.
-
SIC
Secure Internal Communication (SIC) provides secure communication between the management server and the firewall module.
It uses SSL to encrypt all data between the two systems.
The management station is the ICA (Internal Certificate Authority) and issues certificates to all managed nodes for authentication.
-
SIC (diagram slide, image not included)
-
SIC
SIC should be established between the management server and the firewall module.
SIC ensures trust between the management server and the firewall module and is used to fetch the security policy.
Policy fetching may fail if SIC is not established.
-
Remote Management with NAT
Steps to configure remote management with NAT:
Configure an object of type Checkpoint host with the NAT address of the management module.
Select the Master frame under Log and Alert.
Select Use local definitions for Masters.
On the firewall module, run the cpstop command.
Edit the $FWDIR/conf/masters file.
Under [Policy], [Log] and [Alert], add the new Checkpoint object.
On the firewall module, run the cpstart command.
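Added example for the file-editing step above; this is not code from the course deck or from Check Point. It assumes (my assumption) that the masters file is laid out as a section header on its own line followed by one management hostname per line, and that cpstop has already been run so the file is not in use. The sample file contents are constructed, and the object name mgmt-nat is a placeholder.

```shell
#!/bin/sh
# Added example (not from the course deck): add a new Check Point host object
# to the [Policy], [Log] and [Alert] sections of a masters file.
# Assumption (mine): section header on its own line, one hostname per line.

# add_master FILE NAME: append NAME at the end of each of the three sections
# unless that section already lists it, so the edit is safe to repeat.
add_master() {
    file="$1"
    name="$2"
    tmp="${file}.tmp.$$"
    awk -v name="$name" '
        /^\[/ {
            # Leaving a section that never listed the name: add it there.
            if (pending) { print name; pending = 0 }
            sect = $0
            pending = (sect == "[Policy]" || sect == "[Log]" || sect == "[Alert]")
            print
            next
        }
        # The section already contains the name: nothing to add.
        $0 == name { pending = 0 }
        { print }
        END { if (pending) print name }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_master FILE NAME: how many lines of FILE are exactly NAME (one per
# section is expected after add_master).
count_master() {
    grep -x -- "$2" "$1" | wc -l | tr -d ' '
}

# demo: build a constructed sample masters file, add the NAT object, show it.
demo() {
    f=$(mktemp)
    # Constructed sample, not taken from any real system.
    printf '%s\n' '[Policy]' 'mgmt-internal' '[Log]' 'mgmt-internal' '[Alert]' 'mgmt-internal' > "$f"
    add_master "$f" 'mgmt-nat'
    cat "$f"
    rm -f "$f"
}
```

Run add_master with the real path ($FWDIR/conf/masters) and the name of the new Checkpoint host object; running it twice leaves the file unchanged, which count_master lets you confirm.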
-
Using CLI to load policies
Run the fwm load command to install a policy on a firewall module.
E.g. fwm load abc.w fwmaidstone
abc.w is the policy name
fwmaidstone is the name of the firewall module
Run the fwm unload command to unload the last installed policy.
Run the fw fetch command on the firewall module to fetch the policy from the management server.
-
Common issues with Remote Management
Checking SIC Failures
Check connectivity between the management server and the firewall module:
telnet to the firewall module on tcp port 18191.
The firewall itself might be blocking port 18191.
SIC relies on a process called CPD, which runs on port 18211.
Port 18211 should be open and listening on the firewall module.
SIC uses certificates, so lastly check the system date and time. If there is a time difference between the management server and the firewall module, the generated certificate might not be valid.
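Added example that scripts the three checks on this slide so they can be run from the management server's shell against one firewall module; it is not code from the course deck or from Check Point. Assumptions (mine): nc(1) is available for the TCP probes, the module's clock is read separately (for instance date +%s over ssh) and passed in as an epoch value, and a 300-second skew limit is acceptable. The port numbers are the ones the slides give.

```shell
#!/bin/sh
# Added example (not from the course deck): SIC pre-checks run from the
# management server. Assumes nc(1) is installed (my assumption).

# tcp_open HOST PORT: succeeds if a TCP connection to HOST:PORT opens within 3s.
tcp_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# skew_seconds T1 T2: absolute difference between two epoch timestamps.
skew_seconds() {
    if [ "$1" -ge "$2" ]; then
        echo $(( $1 - $2 ))
    else
        echo $(( $2 - $1 ))
    fi
}

# skew_ok T1 T2 [LIMIT]: succeeds if the clocks differ by at most LIMIT seconds.
# The default of 300 is my choice; the slide only says a time difference can
# make the certificate invalid.
skew_ok() {
    limit="${3:-300}"
    [ "$(skew_seconds "$1" "$2")" -le "$limit" ]
}

# check_sic MODULE_HOST MODULE_EPOCH: run all three checks, print one verdict
# line per check, return non-zero if any of them failed.
check_sic() {
    module="$1"
    module_now="$2"
    rc=0
    if tcp_open "$module" 18191; then
        echo "ok   tcp/18191 reachable on $module (policy install port)"
    else
        echo "FAIL tcp/18191 not reachable on $module: check routing, and whether the firewall itself drops it"
        rc=1
    fi
    if tcp_open "$module" 18211; then
        echo "ok   tcp/18211 reachable on $module (CPD listening)"
    else
        echo "FAIL tcp/18211 not reachable on $module: is CPD running on the module?"
        rc=1
    fi
    skew=$(skew_seconds "$(date +%s)" "$module_now")
    if skew_ok "$(date +%s)" "$module_now"; then
        echo "ok   clock skew ${skew}s is within limit"
    else
        echo "FAIL clock skew ${skew}s: certificates may be rejected, fix the clocks before resetting SIC"
        rc=1
    fi
    return "$rc"
}

# Usage (fwmaidstone is the module name used on the fwm load slide):
#   check_sic fwmaidstone "$(ssh fwmaidstone date +%s)"
```

A failed 18191 probe with 18211 reachable usually points at the rulebase or an intermediate device rather than at CPD; a skew failure should be fixed before any SIC reset, since a reset issues a fresh certificate that will be rejected for the same reason.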
-
Resetting SIC
SIC needs to be reset if the name of the firewall module changes.
To reset SIC on the management server, run the cpstop command on the server and then fw sic_reset.
This resets SIC for all firewall modules managed by the management server; SIC then needs to be re-established with each firewall module.
-
Large Scale management issues
Security policy: although a single policy can be enforced on all firewall modules, there are several limitations to managing the security policy in general.
Network objects: the management GUI and the fwm process cannot handle a large number of objects (over 10,000). To mitigate this, give your hardware plenty of memory.
Number of rules: ideally the firewall supports any number of rules, but over 150 rules the effect shows.
Number of firewall modules: ideally a management server can manage any number, but the practical maximum is 12. Again, it depends on how much logging happens and the kind of hardware the management server has.
-
Hierarchical Management
Organization-wide rules: also called global rules; they cannot be modified by the local firewall admin.
Site-specific additions: anything not denied in the global rules can be set here.
Organization-wide default rules: these apply if neither of the above two matches.
-
End of Chapter 9
-
Chapter 10 - VPN
At the end of this chapter, you should be able to
Plan your VPN
Determine which key and algorithm firewall-1 uses
Set up VPN on firewall-1
Troubleshoot VPN problems
-
What is VPN
A Virtual Private Network allows you to securely connect two or more locations/networks over a public network.
Encryption, authentication and integrity are the key enablers of a VPN.
The networks can be limited to individual hosts, and the security policy can be set to limit access to certain protocols.
-
Key Concepts
Encryption keys: encryption keys are used to encrypt data.
The kind of key depends on the type of encryption algorithm used.
The number of bits in the key defines how strong the encryption algorithm is.
-
Key Concepts
Symmetric encryption: uses the same key for encryption and decryption. E.g. DES, AES.
Becomes difficult to manage and scale if there are a large number of VPN tunnels.
Asymmetric encryption: uses different keys for encrypting and decrypting data. E.g. RSA.
Over 1000 times slower than symmetric encryption.
-
Key Concepts
Hash functions: take variable-length input and convert it to fixed-length output.
Used to ensure the integrity of data in transit.
They do NOT provide encryption, but they provide validation of data.
If there is network noise and the data is corrupted, the hash computed by the remote peer is different and hence validation fails.
The hash is performed after encryption.
E.g. MD5, SHA-1
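Added example showing the integrity check the slide describes: the sender hashes what it transmits, the receiver recomputes the hash, and a single corrupted character makes the check fail. This is not code from the course deck or from Check Point; it assumes sha1sum(1) from coreutils is available (the slide names SHA-1), and the payload is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the course deck): hash-based integrity check over
# data in transit. Assumes sha1sum(1) is installed (my assumption).
# In IPsec the hash is computed after encryption, so DATA below would be the
# ciphertext; the mechanics are the same for any byte string.

# digest DATA: hex SHA-1 of DATA (printf '%s' so no trailing newline is hashed).
digest() {
    printf '%s' "$1" | sha1sum | awk '{ print $1 }'
}

# verify DATA EXPECTED: succeeds only if DATA still hashes to EXPECTED.
verify() {
    [ "$(digest "$1")" = "$2" ]
}

# corrupt DATA: simulate line noise by replacing the first character with X.
corrupt() {
    printf 'X%s' "${1#?}"
}

# demo: sender side computes the digest, receiver side validates the intact
# payload and then a corrupted copy.
demo() {
    payload='constructed sample payload'   # constructed, not a real packet
    sent_digest=$(digest "$payload")
    if verify "$payload" "$sent_digest"; then
        echo "intact payload: validation passes ($sent_digest)"
    fi
    damaged=$(corrupt "$payload")
    if verify "$damaged" "$sent_digest"; then
        echo "corrupted payload: validation passes (this should not happen)"
    else
        echo "corrupted payload: digest mismatch, validation fails"
    fi
}
```

The digest reveals nothing about whether the payload was encrypted; it only answers "is this exactly what was sent", which is why the slide stresses that hashing is not a substitute for encryption.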
-
Key Concepts
Diffie Hellman keys: these are used to authenticate the remote peer.
The initial communication between the peers needs to be authenticated in a secure manner. DH keys ensure this operation.
There are 4 different DH keys:
DH1 768 bits
DH2 1536 bits
DH5 not used
DH7 not used or supported at this time.
-
VPN Licenses
VPN-1 Pro: the traditional license, defined by the number of nodes it can protect.
VPN-1 Net: the new license, defined by the number of VPN tunnels it can create.
VPN-1 Net is far less expensive than VPN-1 Pro but has limited functionality.
-
How to configure encryption.
-
Planning your VPN deployment
Which hosts/remote networks the remote site will be able to access via the VPN (this is referred to as the encryption domain in Firewall-1).
Which hosts/networks will be accessible via the VPN at the remote site.
Whether certificates or pre-shared keys will be used.
What algorithms/functions will be used for IKE and IPSEC.
IKE and IPSEC timeouts.
-
Simplified mode VPN
Uses a VPN community, which is similar to a group.
Contains all firewalls and encryption domains that will participate in the VPN.
The community defines the VPN properties, algorithms, encryption schemes etc., which are common to all encryption domains and firewall modules.
Simplifies VPN configuration dramatically.
-
Traditional Mode VPN
Traditional mode VPN is similar to what we configure on other VPN devices.
There is no VPN community defined.
An encryption domain is defined, but it is the final rulebase which determines which hosts within the encryption domain are allowed access to the remote site.
Ease of configuration.
-
Traditional mode VPN configuration.
Modify Global Properties to include the Traditional mode configuration.
-
Traditional mode VPN configuration.
Define the network objects that make up the encryption domain for both Site-A and Site-B.
Define a Checkpoint object for the remote firewall or VPN device.
Modify the Gateway Properties of the Site-A firewall and the Site-B firewall to include the encryption domains (shown in the screenshot slides that follow).
-
Traditional mode VPN configuration. (screenshot slides 31-38, images not included)
-
Questions