CCSA Study Guide

Upload: abhishek-bhosale

Post on 03-Apr-2018


7/28/2019 CCSA Study Guide (1/8)

CCSA Study Guide NGX 156-215.1

Licensing

* Central
  The new license remains valid when changing the IP address of the Check Point Gateway. There is no need to create and install a new license. Only one IP address is needed for all licenses. A license can be taken from one Check Point Gateway and given to another.

  Q: You must request a central license for one remote gateway. How would you request and apply the license?
  A: Request the central license using the SmartCenter Server's IP, then attach the license to the remote gateway using SmartUpdate.

LDAP

* Sequence for configuring user management:
  1. Enable LDAP in Global Properties
  2. Configure a host node for the LDAP server
  3. Configure an object for the LDAP account unit
* In NGX, if a distinguished name (DN) is NOT found in LDAP, NGX takes the common-name value from the certificate subject and searches the LDAP account unit for a matching user ID.
* When you add LDAP users to a client authentication rule, you need an LDAP group in the client authentication rule.
* A user attempts authentication using SecuRemote, and the user's password is rejected. A valid cause would be that the LDAP and Security Gateway databases are not synchronized.
* On the SmartCenter Server: $FWDIR/lib/ldap/schema_microsoft_ad.ldif
* Profiles: Microsoft_AD, Novell_DS, Netscape_DS, OPSEC_DS

Authentication

* Checks 3 places: internal users database, LDAP server, generic profile
* User authentication
  1. Five services allowed: telnet / ftp / rlogin / http / https
  2. Two connections are created after successful authentication: client to gateway, and gateway to target server
  3. Per-user basis. Best used if the user is connecting from different machines
  4. 3 authentication attempts by default
  5. The security server first checks if the connection can be allowed by a rule that does not require authentication. If one exists, the user will be connected through the less-restrictive rule, bypassing the user authentication rule. I had 2 questions on this
* Session authentication
  1. Any service
  2. Requires the Session Authentication Agent, which performs automatic authentication


* Client authentication
  1. Any service
  2. Grants access on a per host/IP address basis
  3. Needs to be above the Stealth rule in the Rule Base, so the client can connect to the gateway first
  4. Best used for workstations, single-user machines
  5. It is possible to set a refreshable time-out for client authentication. This means that for every new connection the time-out is reset (default = 30 minutes)
  6. Required Sign-On options
     a. Standard Sign On: a user on a client machine is allowed to use all services, and does not have to log on for each service used.
     b. Specific Sign On: the user must re-authenticate for each service accessed
  7. Sign-On Methods
     a. Manual: Telnet to the Security Gateway on port 259, or HTTP on port 900
     b. Partially Automatic: all client authentication rules for users are activated. User authentication is used as the trigger. Session authentication is never used
     c. Fully Automatic: attempts session authentication if the service does not support user authentication. User authentication is used as the trigger wherever it can be; session authentication is used otherwise.
     d. Agent Automatic: attempts session authentication and requires the agent to be installed. Session authentication is always used. User authentication is never used.
        i. The difference between Fully Automatic and Agent Automatic is that Agent Automatic always uses session authentication. With Fully Automatic, user authentication is used where it is supported.
     e. Single Sign On: NGX sends a query to the UserAuthority with the packet's source IP address. It returns the name of the user who is registered to that IP address. If it is the name of the authenticated user, the traffic is passed; otherwise it is dropped.

Multicast

* Typical use: real-time audio and video to a set of hosts
* Configured in the gateway's interface settings
* Controls access of multicast traffic to specific groups, ensuring that multicast applications are not inadvertently broadcast to outside groups.
* Multicast traffic to and from specific objects is controlled via policy rules
* show ip mroute: display the contents of the multicast routing table
* 224.0.0.1
* show ip multicast boundary: obtain summarized info for all boundaries within all interfaces

Attacks

Common attacks:
  o Teardrop: DoS. The attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.
  o LAND: DoS. A SYN packet in which the source address and port are the same as the destination.
  o SmallPMTU: TCP, bandwidth. The client fools the server into sending large amounts of data using small packets. This creates a "bottleneck" on the server.
  o PingOfDeath: DoS. Simply sending ping packets that exceed the IP packet size, larger than 64KB.
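As an added illustration (not part of the study guide), the three signatures above expressed as checks over constructed packet summaries: a LAND SYN, an oversized ICMP datagram, and overlapping fragments of one datagram. The Packet fields, sample addresses and signature labels are all constructed for this example.

```python
# Added example (not from the study guide): match constructed packet summaries
# against the DoS signatures listed above.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str            # "tcp", "udp" or "icmp"
    syn: bool = False     # TCP SYN flag set
    total_len: int = 0    # reassembled datagram length in bytes
    frag_id: int = 0      # IP identification field
    frag_off: int = 0     # fragment offset in bytes
    frag_len: int = 0     # payload bytes in this fragment (0 = unfragmented)

def is_land(p):
    # LAND: a SYN whose source address and port equal its destination
    return p.proto == "tcp" and p.syn and (p.src, p.sport) == (p.dst, p.dport)

def is_ping_of_death(p):
    # Ping of Death: an ICMP datagram that reassembles beyond the IP maximum (65535)
    return p.proto == "icmp" and p.total_len > 65535

def is_teardrop(frags):
    # Teardrop: fragments of one datagram whose byte ranges overlap
    end = 0
    for f in sorted(frags, key=lambda f: f.frag_off):
        if f.frag_off < end:  # starts inside the previous fragment
            return True
        end = f.frag_off + f.frag_len
    return False

def classify(packets):
    # Return (signature, source) pairs: per-packet matches first, then fragment sets
    hits, frag_sets = [], defaultdict(list)
    for p in packets:
        if is_land(p):
            hits.append(("LAND", p.src))
        if is_ping_of_death(p):
            hits.append(("PingOfDeath", p.src))
        if p.frag_len:
            frag_sets[(p.src, p.dst, p.frag_id)].append(p)
    hits += [("Teardrop", k[0]) for k, fr in frag_sets.items() if is_teardrop(fr)]
    return hits

# Constructed sample: a benign SYN, a LAND SYN, an oversized echo request,
# and two overlapping fragments of one UDP datagram.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, "tcp", syn=True),
    Packet("192.0.2.10", 139, "192.0.2.10", 139, "tcp", syn=True),
    Packet("10.0.0.6", 0, "192.0.2.10", 0, "icmp", total_len=65600),
    Packet("10.0.0.7", 0, "192.0.2.10", 0, "udp", frag_id=7, frag_off=0, frag_len=1400),
    Packet("10.0.0.7", 0, "192.0.2.10", 0, "udp", frag_id=7, frag_off=1000, frag_len=400),
]
```

Running classify(SAMPLE) flags the second, third and fragment packets and leaves the benign SYN alone.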

TCP Handshake
  o The active open is performed by sending a SYN to the server.
  o In response, the server replies with a SYN-ACK.
  o Finally, the client sends an ACK back to the server.

SmartDefense

* SmartDefense is subscription based
* Settings are global when creating two or more policy packages
* DShield.org integrates with SmartDefense by using a block list which is refreshed every 3 hours. The object that needs to be created is called CPDShield.
* You can send alerts and user-defined alerts back to DShield. I had 2 questions about this
* Place the Block List rule as high as possible in the Security Rule Base, but below all authentication rules and any other rules you are absolutely certain have a reputable source.
* Host port scan, sweep scan
* Peer to peer
* Explicitly protect low ports, dynamic ports

Web Intelligence - This is a separate tab in SmartDashboard

* Host configuration
* HTTP worm catcher: a worm is self-replicating malware
* Cross-site scripting: between the user and websites. Malicious scripts. Steals users' identities. Cookies
* HTTP protocol inspection: strict enforcement of the HTTP protocol (i.e. format size, ASCII-only request/response headers)
* MAIL: strict enforcement of the SMTP protocol
  1. To prevent the SMTP server from being a spam relay, the most efficient way would be to configure the SMTP security server to perform filtering, based on IP address and SMTP protocols
* FTP - To create more granular control over FTP commands, like CWD and FIND, use the FTP security server settings in SmartDefense
  1. Radio button "Configurations apply to all connections": forward all FTP connections to the FTP security server
* Microsoft Networks: CIFS file and print sharing
* DNS: cache poisoning can make the DNS server accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries.
* VoIP: validates SIP headers
* Sweep scan: many hosts

Security Servers

* CVP = TCP port 18181, UFP = TCP port 18182
* Control the maximum number of mail messages in a spool directory: the gateway object's SMTP settings, under Advanced

NAT

* Know how many NAT entries are created for automatic/manual and host/network object NAT.
* If you use automatic NAT on a network object, there will be two NAT rules added to the firewall
* Static NAT
* Hide NAT
* RFC 1918 - Address allocation for private IP networks; these IP networks cannot traverse public IP networks
* Port numbers are assigned dynamically: 600-1023 and 10000-60000. If the original port number is less than 1024, a port number is assigned from the first pool. Otherwise a port number is assigned from the second pool.
* The high port number pool can be changed with DbEdit
* Manual NAT rules (example: necessary to do PAT for 1 static IP address, SMTP to 192.168.1.1 and HTTP to 192.168.1.2)
* Bi-directional NAT: both automatic NAT rules are applied, and both objects will be translated, so connections between the two objects will be allowed in both directions.
  1. Lets a connection match 2 NAT rules. Normally the NAT Rule Base only permits one match and then exits the process. In the case of bidirectional NAT, if the source match is an Automatic NAT rule, the gateway continues to traverse the NAT rules to identify if there is a destination rule match. If the gateway finds a second match, it applies both NAT rules to the connection so that the packet is routed properly between source and destination.
* Translate destination on client side: the packet must be sent from an external host to an internal host performing static NAT. Translates the destination IP address in the kernel nearest the client, to prevent conflicts between anti-spoofing and NAT.
* When the option "Translate Destination on Client Side" is not enabled for automatic and/or manual NAT rules, problems can occur with anti-spoofing. Make sure to configure anti-spoofing correctly. Furthermore, when using manual static NAT with this option disabled, you need host routing entries in the firewall's IP routing table to the private IP address.
* For manual static NAT, a manual ARP entry is necessary in the firewall OS
* When using automatic static/hide NAT, two NAT rules are always created
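To make the bidirectional NAT walk and the two Hide NAT port pools concrete, here is an added example (not code from the study guide or from Check Point) that models a first-match NAT Rule Base. The rule names, objects and addresses are constructed, and the walk-continuation condition is this example's reading of the paragraph above.

```python
# Added example (not from the study guide): a first-match NAT Rule Base walker that
# models the bidirectional NAT behaviour and the two Hide NAT port pools above.
import ipaddress

LOW_POOL = range(600, 1024)      # original port < 1024
HIGH_POOL = range(10000, 60001)  # everything else (pool changeable with DbEdit)

class NatRule:
    def __init__(self, name, orig_src, orig_dst, xlate_src=None, xlate_dst=None, automatic=False, hide=False):
        self.name, self.automatic, self.hide = name, automatic, hide
        self.orig_src, self.orig_dst = ipaddress.ip_network(orig_src), ipaddress.ip_network(orig_dst)
        self.xlate_src, self.xlate_dst = xlate_src, xlate_dst

    def matches(self, src, dst):  # NAT rules match on the ORIGINAL packet
        return src in self.orig_src and dst in self.orig_dst

def allocate_port(orig_port, state):
    # Next dynamic source port from the pool chosen by the original port
    pool = LOW_POOL if orig_port < 1024 else HIGH_POOL
    port = state.get(pool, pool.start)
    if port not in pool:
        raise RuntimeError("Hide NAT port pool exhausted")
    state[pool] = port + 1
    return port

def translate(rules, src, dst, sport, state, bidirectional=True):
    """Return (new_src, new_dst, new_sport, names of the rules applied)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    new_src, new_dst, new_sport, applied = src, dst, sport, []
    for rule in rules:
        if not rule.matches(src, dst):
            continue
        if not applied:                      # first match always applies
            applied.append(rule.name)
            if rule.xlate_src:
                new_src = ipaddress.ip_address(rule.xlate_src)
                if rule.hide:
                    new_sport = allocate_port(sport, state)
            if rule.xlate_dst:
                new_dst = ipaddress.ip_address(rule.xlate_dst)
            # Only with bidirectional NAT does an automatic source rule let the walk go on
            if not (bidirectional and rule.automatic and rule.xlate_src):
                break
        elif rule.xlate_dst:                 # second match: a destination rule
            applied.append(rule.name)
            new_dst = ipaddress.ip_address(rule.xlate_dst)
            break
    return str(new_src), str(new_dst), new_sport, applied

# Constructed Rule Base: the outbound rule of an automatic Hide NAT network
# object, and the two rules an automatic Static NAT host object generates.
RULES = [
    NatRule("hide-lan-src", "10.1.0.0/24", "0.0.0.0/0", xlate_src="203.0.113.1", automatic=True, hide=True),
    NatRule("static-srv-src", "10.2.0.5/32", "0.0.0.0/0", xlate_src="203.0.113.5", automatic=True),
    NatRule("static-srv-dst", "0.0.0.0/0", "203.0.113.5/32", xlate_dst="10.2.0.5", automatic=True),
]
```

With bidirectional=True an internal client reaching the server's public address gets both rules applied; with it off the walk stops at the Hide rule and the packet keeps the public destination.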

Security Policy

Database revision, anti-spoofing, implied rules, global policy

* Rule 0 = implied rules. To show them, click View, Implied Rules. These rules have no numbering. Anti-spoofing rule: drop
* Which traffic is automatically permitted by implied rules: IKE, RDP, FW-CONTROL/LOG/KEY-EXCHANGE, RADIUS, CVP, TACACS, LDAP and logical servers
* RIP, ICMP and UDP are not permitted by default
* Rule 1 = first explicit rule (user-created); these rules are numbered
* Address spoofing is not logged with a rule number, just as a SmartDefense event. This is because it is enforced before any rule in the security policy's Rule Base.

* Stealth rule: drop all traffic to the firewall and log. If you use client authentication, encryption or CVP, those rules must be positioned before the Stealth rule
* Cleanup rule: drop all traffic and log. This needs to be the last rule in the Rule Base
* Hidden rules: you can hide rules, but they still apply to the security policy. The hide feature is used for managing complex security policies. To unhide: click Rules, Hide, Unhide All.
* The default rule: this rule will default to any any drop, don't log
* Rule Base enforcement order:
  1. IP spoofing/IP options
  2. NAT
  3. Security policy FIRST rule
  4. Administrator-defined Rule Base
  5. Security policy BEFORE-LAST rule
  6. Cleanup rule or security policy LAST rule
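An added example (not from the study guide) of the first-match logic behind the Stealth and Cleanup rule advice above: a constructed Rule Base is evaluated with a client authentication rule placed above and below the Stealth rule, and a small lint function reports the ordering mistakes. The gateway address, rule names and service labels are constructed.

```python
# Added example (not from the study guide): a first-match walker over a
# constructed Rule Base, showing why rules that must reach the gateway
# (client authentication here) have to sit above the Stealth rule.
import ipaddress

GATEWAY = ipaddress.ip_address("203.0.113.1")   # constructed gateway address

class Rule:
    def __init__(self, name, src, dst, services, action):
        self.name, self.action, self.services = name, action, set(services)
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, src, dst, service):
        return (src in self.src and dst in self.dst
                and ("any" in self.services or service in self.services))

def evaluate(rules, src, dst, service):
    """First match wins, as in the Rule Base; returns (rule name, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.name, rule.action
    return "implicit-drop", "drop"       # no Cleanup rule: dropped without a log

def lint(rules):
    """Ordering mistakes the guide warns about, as a list of messages."""
    problems = []
    if rules[-1].name != "cleanup":
        problems.append("Cleanup rule must be the last rule")
    if any(r.name == "stealth" for r in rules):
        after_stealth = rules[[r.name for r in rules].index("stealth") + 1:]
        for r in after_stealth:
            # an accept rule aimed only at the gateway can never match below Stealth
            if r.dst.num_addresses == 1 and GATEWAY in r.dst and r.action == "accept":
                problems.append(f"rule '{r.name}' is below the Stealth rule and can never match")
    return problems

# Constructed rules. Client authentication signs on via Telnet to gateway port 259.
CLIENT_AUTH = Rule("client-auth", "10.1.0.0/24", "203.0.113.1/32", ["telnet-259"], "accept")
STEALTH = Rule("stealth", "0.0.0.0/0", "203.0.113.1/32", ["any"], "drop")
WEB = Rule("web", "0.0.0.0/0", "10.2.0.5/32", ["http"], "accept")
CLEANUP = Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", ["any"], "drop")

GOOD = [CLIENT_AUTH, STEALTH, WEB, CLEANUP]
BAD = [STEALTH, CLIENT_AUTH, WEB, CLEANUP]   # auth rule shadowed by Stealth
```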

* Policy package: security Rule Base and NAT, QoS, Desktop Security
* Use the Copy Policy wizard to copy a policy to an existing policy
* Database revision control: creates a fallback configuration package. All policies, objects, users, SmartDefense and global settings. You must know when to use these two packages!!!
* Network configuration and IP routing are not included in any of the above packages. You will need to create a backup of the system configuration in order to save this information.

VPN and Encryption

* Symmetric: pre-shared key, fast; anyone who steals the key can steal the data
* Asymmetric: public/private key, slower; Diffie-Hellman
* Privacy: no one else can see it other than the intended parties - encryption
* Integrity: no tampering - hash function, one way
* Authenticity: true communication - digital signature
* ICA (Internal Certificate Authority)
* Tunnel-mode encryption works by encapsulating an entire IP packet and then adding its own encryption header to the packet (increase of total packet size). More secure
* SIC (Secure Internal Communication) uniquely identifies Check Point enabled machines. It has the same function as authentication certificates
* Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access after the next Phase 2 exchange occurs?
  Perfect Forward Secrecy - provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys.
* Use Aggressive Mode - the standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange

* You want to establish a VPN using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?
  Create a new server object to represent your partner's Certificate Authority (CA)

* What encryption scheme provides "in-place" encryption? DES
* Key Management Protocol: IKE
* Encryption algorithms:
  DES (56 bit), 3DES (3 x 56 bit = 168 bit),
  CAST (40-128 bit, not as strong as DES),
  AES (256 bit)
* Authentication algorithms:
  MD5
  SHA1
* Encryption is encapsulated: IPSec
* VPN Tunnel Sharing settings include: one VPN tunnel per gateway pair, per each pair of hosts, and per subnet pair
* IKE DoS attacks: Global Properties

SmartView Tracker

* Three modes: LOG mode, ACTIVE mode, AUDIT mode
* Verifies the installed security policy name
* How to block an intruder: go to Active mode, select a connection, click Tools, click Block Intruder
* You can block based on source, destination, or source-destination-service
* The name of the log file depends on the MODE:
  LOG = .log
  ACTIVE = .vlog
  AUDIT = .alog
* Export to .txt is possible from the File menu
* Switch log file: the current fw.log is closed and written to disk with a name that contains the current date and time.
* Only one log file can be open at a time
* Exported logs cannot be viewed with SmartView Tracker

SmartView Monitor

* Create suspicious activity rules; you can do this for only an hour, without creating a Rule Base rule
* Check if VPN Phase 2 negotiations are failing

Command line and kernel

* Kernel memory settings without manually modifying $FWDIR/lib settings: on the gateway object's Capacity Optimization screen: Max IKE, Max Concurrent Connections, Max Tunnels
* Reset the password of the administrator created during the initial install: cpconfig, delete the administrator's account and recreate it with the same name.
* cpstart: launches all Check Point applications
* cpstop: stops all Check Point applications
* fw start
* fw stop
* fw ver: display the Check Point version
* fw fetch [target]: fetches the last policy
* cpstop -fwflag -default: stop all Check Point processes and leave the default filter running
* cpstop -fwflag -proc: stop all Check Point processes and leave the security policy running
* fw ctl arp: display the firewall ARP entries for automatic NAT objects
* fw dbexport -f bla.ldif -l -s "o=bla,c=nl"
* fw unloadlocal: unload the local security policy. This is a very convenient feature if you are not able to access SmartDashboard, for example because of a too strict security policy
* fwm unload [target]: unload the policy on the target enforcement module
* fwm lock_admin: used to unlock admin account(s) and view locked administrators
* cplic print: print the details of the installed Check Point licenses
* fw tab x u: display kernel table content
* fw tab -t sam_blocked_ips: display the IPs blocked via the Block Intruder feature of SmartView Tracker
* $FWDIR/conf: rule bases, objects, users database, and certificates
* $FWDIR/lib: base.def

Performance

* Remove old or unused security policies from the policy package
* Reduce logging
* Put the most used rules at the top

Eventia Reporter

* Only connections that are logged by the firewall policy are available for Eventia reporting
* Reports are saved in HTML format and in CSV format
* To change the Eventia database cache size to match the memory in the server, edit $RTDIR/DATABASE/CONF/MY.INI (.INI = Windows and .CNF = UNIX)
* rmdstop: stop all Eventia Reporter services
* rmdstart: start all Eventia Reporter services
* Change Eventia database settings with the utility UpdateMySQLConfig (stop the Eventia Reporter services first!)

  R = RAM
  T = Temp directories
  L = Log files
  A = Add new data file
  M = Move file

* Eventia Reporter is licensed per gateway
* Predefined reports, two kinds:
  1. Standard: generated from info in the log files through the consolidation process, to yield relevant analysis of activity.
  2. Express: generated from the SmartView Monitor history file. Express cannot be filtered.
  Security (Standard and Express): all security-related traffic. Origin/destination of gateway. Blocked connections. Policy installs; analyze Rule Base order
  Network Activity (Standard, Express): the most popular activities in your network; can focus on direction
  VPN-1 (Standard, Express): encrypted traffic
  System Info (Express): CPU, kernel, memory
  VPN-1 My Reports (Standard, Express): customized
* What is the consolidation policy?
* OSE Device: Open Security Extension, a 3rd party enforcement product that represents the router and influences and enforces the security policy.
* ROBO Gateway: managed in SmartLSM; entry point to the LAN