7/28/2019 CCSA Study Guide
CCSA Study Guide NGX 156-215.1
Licensing
* Central
The new license remains valid when changing the IP address of the Check Point Gateway.
There is no need to create and install a new license. Only one IP address is needed for all licenses.
A license can be taken from one Check Point Gateway and given to another.
Q: You must request a central license for one remote gateway. How would you request and apply
the license?
A: Request the central license using the SmartCenter Server's IP, then attach the license to the remote
gateway using SmartUpdate.
LDAP
* Sequence for configuring user management
1. Enable LDAP in Global Properties
2. Configure a host node for the LDAP server
3. Configure an object for the LDAP account unit
* In NGX, if a distinguished name (DN) is NOT found in LDAP, NGX takes the common-name
value from the certificate subject and searches the LDAP account unit for a matching user
ID.
* When you add LDAP users to a client authentication rule, you need an LDAP group in the
client authentication rule.
* A user attempts authentication using SecuRemote, and the user's password is rejected.
A valid cause would be that the LDAP and Security Gateway databases are not
synchronized.
* On the SmartCenter Server: $FWDIR/lib/ldap/schema_microsoft_ad.ldif
* Profiles: Microsoft_AD, Novell_DS, Netscape_DS, OPSEC_DS
Authentication
* Checks three places: the internal users database, the LDAP server, and the generic profile
* User authentication
1. Five services allowed: telnet / ftp / rlogin / http / https
2. Two connections are created after successful authentication: client to gateway, and
gateway to target server
3. Works on a per-user basis. Best used if the user connects from different machines
4. 3 authentication attempts by default
5. The security server first checks whether the connection can be allowed by a rule that does not
require authentication. If one exists, the user is connected through the less restrictive
rule, bypassing the user authentication rule. I had 2 questions on this
* Session authentication
1. Any service
2. Requires the session authentication agent, which performs automatic authentication
* Client authentication
1. Any service
2. Grants access on a per host/IP address basis
3. Needs to be above the stealth rule in the rule base, so the user can connect to the gateway first
4. Best used for workstations, single-user machines
5. It is possible to set a refreshable time-out for client authentication. This means that for
every new connection the time-out is reset (default = 30 minutes)
6. Required Sign-on options
a. Standard Sign On: the user on a client machine is allowed to use all services, and does
not have to log on for each service used.
b. Specific Sign On: the user must re-authenticate for each service accessed
7. Sign-On Methods
a. Manual: telnet to the Security Gateway on port 259, or HTTP on port 900
b. Partially Automatic: all client authentication rules for users are activated. User
authentication is used as the trigger. Session authentication is never used
c. Fully Automatic: attempts session authentication if the service does not support user
authentication. User authentication is used as the trigger wherever it can be. Session
authentication is used otherwise.
d. Agent Automatic: attempts session authentication and requires the agent to be installed. Session
authentication is always used. User authentication is never used.
i. The difference between Fully Automatic and Agent Automatic is that Agent Automatic always
uses session authentication. With Fully Automatic, user authentication is used where it is supported.
e. Single Sign On: NGX sends a query to the UserAuthority server with the packet's source IP address. It
returns the name of the user who is registered to that IP address. If it is the authenticated user's
name, the traffic is passed; otherwise it is dropped.
Multicast
* Typical use: real-time audio and video to a set of hosts
* Configured in the gateway's interface settings
* Control access of multicast traffic to specific groups, ensuring that multicast applications
are not inadvertently broadcast to outside groups.
* Multicast traffic to and from specific objects is controlled via policy rules
* show ip mroute - display the contents of the multicast routing table
* 224.0.0.1 (the all-hosts multicast group)
* show ip multicast boundary - obtain summarized info for all boundaries within all
interfaces
Attacks
Common attacks:
o Teardrop: DoS. The attack uses IP's packet fragmentation algorithm to send corrupted
packets to the victim machine. This confuses the victim machine and may hang it.
o LAND: DoS. A SYN packet in which the source address and port are the same as the
destination address and port
o SmallPMTU: TCP bandwidth attack. The client fools the server into sending large amounts of
data using small packets, creating a "bottleneck" on the server.
o Ping of Death: DoS. Simply sends ping packets that exceed the maximum IP packet size (larger than
64KB)
TCP Handshake
o The active open is performed by the client sending a SYN to the server.
o In response, the server replies with a SYN-ACK.
o Finally, the client sends an ACK back to the server.
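The attack descriptions and the handshake steps above, expressed as detection logic. This is an added example written for this study guide, not Check Point code: the packet records are constructed dicts and the field names (proto, flags, total_len, the (offset, length) fragment pairs) are assumed for illustration.

```python
"""Detection logic for the attack signatures listed above (LAND, Ping of Death,
Teardrop) plus a walk through the SYN / SYN-ACK / ACK handshake.

Added example written for this study guide; it is not Check Point code. Packet
records are constructed dicts and the field names are assumed for illustration.
"""
from typing import Iterable, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535  # largest legal IP datagram (header included), in bytes


def classify_packet(pkt: dict) -> Optional[str]:
    """Return the name of the single-packet signature a record matches, else None."""
    flags = set(pkt.get("flags", ()))
    # LAND: a SYN whose source address and port equal the destination address and port.
    if pkt.get("proto") == "tcp" and "SYN" in flags \
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        return "LAND"
    # Ping of Death: an echo request whose reassembled size exceeds what IP allows.
    if pkt.get("proto") == "icmp" and pkt.get("type") == 8 \
            and pkt.get("total_len", 0) > MAX_IP_DATAGRAM:
        return "PingOfDeath"
    return None


def check_fragments(frags: Iterable[Tuple[int, int]]) -> Optional[str]:
    """Teardrop abuses IP fragmentation by sending fragments that overlap.

    frags is a list of (offset, length) pairs in bytes for one datagram.
    Returns "Teardrop" when any fragment starts before the previous one ends.
    """
    end = 0
    for offset, length in sorted(frags):
        if offset < end:
            return "Teardrop"
        end = offset + length
    return None


def handshake_state(packets: List[dict], client: str, server: str) -> str:
    """Walk the three-way handshake described above and report the state reached.

    CLOSED -> SYN_SENT (client sends SYN, the active open)
           -> SYN_RECEIVED (server answers SYN-ACK)
           -> ESTABLISHED (client sends the final ACK)
    Packets that do not fit the next expected step are ignored.
    """
    state = "CLOSED"
    for p in packets:
        flags = set(p["flags"])
        c2s = p["src"] == client and p["dst"] == server
        s2c = p["src"] == server and p["dst"] == client
        if state == "CLOSED" and c2s and flags == {"SYN"}:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and s2c and flags == {"SYN", "ACK"}:
            state = "SYN_RECEIVED"
        elif state == "SYN_RECEIVED" and c2s and flags == {"ACK"}:
            state = "ESTABLISHED"
    return state


# Constructed sample records (not captured traffic).
LAND_PKT = {"proto": "tcp", "src": "203.0.113.1", "dst": "203.0.113.1",
            "sport": 139, "dport": 139, "flags": ("SYN",)}
NORMAL_SYN = {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.1",
              "sport": 40000, "dport": 80, "flags": ("SYN",)}
OVERSIZED_PING = {"proto": "icmp", "type": 8, "src": "198.51.100.7",
                  "dst": "203.0.113.1", "total_len": 65540}
HANDSHAKE = [
    {"src": "198.51.100.7", "dst": "203.0.113.1", "flags": ("SYN",)},
    {"src": "203.0.113.1", "dst": "198.51.100.7", "flags": ("SYN", "ACK")},
    {"src": "198.51.100.7", "dst": "203.0.113.1", "flags": ("ACK",)},
]

if __name__ == "__main__":
    print(classify_packet(LAND_PKT), classify_packet(NORMAL_SYN), classify_packet(OVERSIZED_PING))
    print(check_fragments([(0, 1480), (1400, 800)]), check_fragments([(0, 1480), (1480, 800)]))
    print(handshake_state(HANDSHAKE, "198.51.100.7", "203.0.113.1"))
```

The fragment check sorts by offset and flags any fragment that begins before the previous one ends, which is the overlap Teardrop relies on; a datagram whose fragments are merely adjacent passes.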
SmartDefense
* SmartDefense is subscription based
* Settings are global when creating two or more policy packages
* DShield.org integrates with SmartDefense by using a block list which is refreshed every 3
hours. The object that needs to be created is called CPDShield.
* You can send alerts and user-defined alerts back to DShield. I had 2 questions about this
* Place the Block List rule as high as possible in the Security Rule Base, but below all
authentication rules, and below any other rules you are absolutely certain have a reputable
Source.
* Host port scan, sweep scan
* Peer to peer
* Explicitly protect low ports and dynamic ports
Web Intelligence - This is a separate tab in SmartDashboard
* Host configuration
* HTTP worm catcher: a worm is self-replicating malware
* Cross-site scripting: between users and websites. Malicious scripts steal users' identities and
cookies
* HTTP protocol inspection: strict enforcement of the HTTP protocol (i.e. format size, ASCII-only
request/response headers)
* MAIL: strict enforcement of the SMTP protocol
1. To prevent the SMTP server from being a spam relay, the most efficient way would be to
configure the SMTP security server to perform filtering based on IP address and SMTP
protocol
* FTP - To create more granular control over FTP commands, like CWD and FIND, use the FTP
security server settings in SmartDefense
1. Radio button "Configurations apply to all connections": forward all FTP connections to the
FTP security server
* Microsoft Networks: CIFS file and print sharing
* DNS: cache poisoning can make the DNS server accept incorrect information. If the
server does not correctly validate DNS responses to ensure that they have come from an
authoritative source, the server will end up caching the incorrect entries.
* VoIP: validates SIP headers
* Sweep scan: many hosts
Security Servers
* CVP = TCP port 18181, UFP = TCP port 18182
* Control the maximum number of mail messages in a spool directory in the gateway object's SMTP
settings under Advanced
NAT
* Know how many NAT entries are created for automatic/manual and host/network object
NAT.
* If you use automatic NAT on a network object, two NAT rules are added to the
firewall
* Static NAT
* Hide NAT
* RFC 1918 - Address allocation for private IP networks; these IP networks cannot traverse
public IP networks
* Port numbers are assigned dynamically from two pools: 600-1023 and 10000-60000. If the original port
number is less than 1024, a port number is assigned from the first pool. Otherwise a port number
is assigned from the second pool.
* The high port number pool can be changed with dbedit
* Manual NAT rules (example: necessary to do PAT for 1 static IP address, SMTP to 192.168.1.1
and HTTP to 192.168.1.2)
* Bi-directional NAT: both automatic NAT rules are applied and both objects are
translated, so connections between the two objects are allowed in both directions.
1. Lets a connection match 2 NAT rules. Normally the NAT rule base only permits one match
and then exits the process. In the case of bidirectional NAT, if the source
match is an automatic NAT rule, the gateway continues to traverse the NAT rules to identify
whether there is a destination rule match. If the gateway finds a second match, it applies both NAT
rules to the connection so that the packet is routed properly between source and
destination.
* Translate destination on client side: the packet must be sent from an external host to an
internal host performing static NAT. Translates the destination IP address in the kernel
nearest the client, to prevent conflicts between anti-spoofing and NAT.
* When the option "Translate destination on client side" is not enabled for automatic and/or
manual NAT rules, problems can occur with anti-spoofing. Make sure to configure anti-
spoofing correctly. Furthermore, when using manual static NAT and this option is disabled,
you need host routing entries in the firewall's IP routing table for the private IP address.
* For manual static NAT, a manual ARP entry is necessary in the firewall OS
* When using automatic static/hide NAT, two NAT rules are always created
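The NAT behaviour in the notes above (two rules per automatic NAT object, first-match processing, the bidirectional exception after an automatic source match, and the two hide NAT port pools) as a runnable toy model. This is an added example written for this study guide, not Check Point code; the rule layout, the function names and the sample addresses are assumptions made for illustration.

```python
"""Toy model of the NAT behaviour described in the notes above: the two rules an
automatic NAT object generates, first-match processing of the NAT rule base, the
bidirectional-NAT exception that allows a second (destination) match after an
automatic source match, and the two hide-NAT source-port pools.

Added example written for this study guide; it is not Check Point code. Rule layout,
function names and the sample addresses are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LOW_POOL = range(600, 1024)      # used when the original source port is < 1024
HIGH_POOL = range(10000, 60001)  # used otherwise (the pool the notes say dbedit can change)


@dataclass
class NatRule:
    name: str
    orig_src: str               # CIDR matched against the original source, or "any"
    orig_dst: str               # CIDR matched against the original destination, or "any"
    xlate_src: Optional[str]    # translated source address, None = keep original
    xlate_dst: Optional[str]    # translated destination address, None = keep original
    hide: bool = False          # hide NAT also rewrites the source port
    automatic: bool = True      # generated from an object, as opposed to a manual rule


def automatic_static_rules(name: str, private_ip: str, public_ip: str) -> List[NatRule]:
    """Automatic static NAT on a host object yields two rules: one translating the
    source on the way out, one translating the destination on the way in."""
    return [
        NatRule(f"{name}-src", f"{private_ip}/32", "any", public_ip, None),
        NatRule(f"{name}-dst", "any", f"{public_ip}/32", None, private_ip),
    ]


def automatic_hide_rules(name: str, network: str, hide_ip: str) -> List[NatRule]:
    """Automatic hide NAT on a network object also yields two rules: traffic inside
    the network is left alone, everything else is hidden behind hide_ip."""
    return [
        NatRule(f"{name}-internal", network, network, None, None),
        NatRule(f"{name}-hide", network, "any", hide_ip, None, hide=True),
    ]


class HidePortAllocator:
    """Hands out translated source ports from the pool the notes describe."""

    def __init__(self) -> None:
        self.in_use = set()

    def allocate(self, orig_port: int) -> int:
        pool = LOW_POOL if orig_port < 1024 else HIGH_POOL
        for port in pool:
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        raise RuntimeError("hide NAT port pool exhausted")


def _matches(selector: str, address: str) -> bool:
    return selector == "any" or ip_address(address) in ip_network(selector)


def translate(rules: List[NatRule], pkt: dict, ports: HidePortAllocator,
              bidirectional: bool = True) -> Tuple[dict, List[str]]:
    """Apply the NAT rule base to a packet {src, dst, sport}.

    Returns the translated packet and the names of the rules that matched.
    Matching always uses the ORIGINAL addresses, not the partially translated ones.
    """
    out = dict(pkt)
    matched: List[str] = []
    done = set()
    for rule in rules:
        if not (_matches(rule.orig_src, pkt["src"]) and _matches(rule.orig_dst, pkt["dst"])):
            continue
        matched.append(rule.name)
        if rule.xlate_src and "src" not in done:
            out["src"] = rule.xlate_src
            if rule.hide:
                out["sport"] = ports.allocate(pkt["sport"])
            done.add("src")
        if rule.xlate_dst and "dst" not in done:
            out["dst"] = rule.xlate_dst
            done.add("dst")
        # Normally the first match ends processing. With bidirectional NAT, an
        # automatic source match lets the gateway keep looking for a destination match.
        if bidirectional and rule.automatic and done == {"src"}:
            continue
        break
    return out, matched


# Constructed sample objects: two static hosts and one hidden network.
RULES = (automatic_static_rules("A", "10.0.0.5", "203.0.113.5")
         + automatic_static_rules("B", "192.168.5.9", "203.0.113.9")
         + automatic_hide_rules("LAN", "10.0.1.0/24", "203.0.113.1"))

if __name__ == "__main__":
    ports = HidePortAllocator()
    print(translate(RULES, {"src": "10.0.0.5", "dst": "203.0.113.9", "sport": 40000}, ports))
    print(translate(RULES, {"src": "10.0.1.7", "dst": "198.51.100.20", "sport": 80}, ports))
    print(translate(RULES, {"src": "10.0.1.7", "dst": "10.0.1.8", "sport": 80}, ports))
```

Running it with bidirectional=False on the first packet shows the difference the notes describe: only host A's source rule is applied, and the packet leaves with B's public address still as its destination.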
Security Policy
Database Revision, Anti-spoofing, implied rules, Global Policy
* Rule 0 = implied rules. To show them click View, Implied Rules. These rules have no
numbering. Anti-Spoofing rule: drop
* Which traffic is automatically permitted by implied rules: IKE, RDP, FW-CONTROL/LOG/KEY-EXCHANGE,
RADIUS, CVP, TACACS, LDAP and logical servers
* RIP, ICMP and UDP are not permitted by default
* Rule 1 = first explicit rule (user-created); these rules are numbered
* Address spoofing is not logged with a rule number, just as a SmartDefense event. This is
because anti-spoofing is enforced before any rule in the security policy's rule base.
* Stealth rule: drop all traffic to the firewall and log. If you use client authentication,
encryption or CVP, those rules must be positioned before the Stealth rule
* Cleanup rule: drop all traffic and log. This needs to be the last rule in the rule base
* Hidden rules: you can hide rules, but they still apply to the security policy. The hide
feature is used for managing complex security policies. To unhide: click Rules, Hide, Unhide All.
* The default rule: this rule will default to any any drop, don't log
* Rule base enforcement order:
* 1. IP spoofing/IP options
* 2. NAT
* 3. Security policy FIRST rule
* 4. Administrator-defined rule base
* 5. Security policy BEFORE-LAST rule
* 6. Cleanup rule or security policy LAST rule
* Policy package: security rule base and NAT, QoS, Desktop Security
* Use the Copy Policy wizard to copy a policy to an existing policy
* Database revision control: creates a fallback configuration package containing all policies, objects,
users, SmartDefense and global settings. You must know when to use these two
packages!!!
* Network configuration and IP routing are not included in any of the above packages. You
will need to create a backup of the system configuration in order to save this information.
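The enforcement order and rule base conventions above (anti-spoofing before rule 1, first match wins, hidden rules still enforced, stealth and cleanup rules, the unlogged default drop, and client authentication rules needing to sit above the stealth rule) as a small first-match simulator. This is an added example written for this study guide, not Check Point code; the interface topology, rule fields, gateway addresses and sample packets are assumptions made for illustration.

```python
"""Toy first-match rule base enforcing the order listed above: anti-spoofing on the
inbound interface before any numbered rule, then the administrator's rules top down
(hidden rules included), the cleanup rule last, and the unlogged default drop when
nothing matched. Also checks that client-auth rules sit above the stealth rule.

Added example written for this study guide; it is not Check Point code. Topology,
rule fields, gateway addresses and sample packets are assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

EXTERNAL_IF = "eth0"
# Networks that legitimately live behind each internal interface (assumed topology).
TOPOLOGY = {"eth1": ["10.0.0.0/8"], "eth2": ["192.168.10.0/24"]}
GATEWAY_IPS = {"203.0.113.1", "10.0.0.1", "192.168.10.1"}


@dataclass
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR, "any", or "gateway" (the firewall itself)
    service: str          # service name or "any"
    action: str           # "accept", "drop" or "client-auth"
    log: bool = True
    hidden: bool = False  # hidden in SmartDashboard, but still enforced


@dataclass
class Verdict:
    action: str
    rule_no: Optional[int]  # None when no numbered rule decided it
    log: bool
    reason: str


def is_spoofed(iface: str, src: str) -> bool:
    """Anti-spoofing: a source must arrive on the interface its network sits behind."""
    addr = ip_address(src)
    if iface == EXTERNAL_IF:
        # An internal address arriving from outside is spoofed.
        return any(addr in ip_network(n) for nets in TOPOLOGY.values() for n in nets)
    return not any(addr in ip_network(n) for n in TOPOLOGY.get(iface, []))


def _match(selector: str, address: str) -> bool:
    if selector == "any":
        return True
    if selector == "gateway":
        return address in GATEWAY_IPS
    return ip_address(address) in ip_network(selector)


def enforce(rules: List[Rule], pkt: dict) -> Verdict:
    """Packet is {iface, src, dst, service}; the first matching rule wins."""
    # 1. IP spoofing is checked before rule 1 and logged as a SmartDefense event,
    #    which is why such drops carry no rule number.
    if is_spoofed(pkt["iface"], pkt["src"]):
        return Verdict("drop", None, True, "anti-spoofing")
    # 2. NAT would be applied here; this toy only models the security rule base.
    # 3-6. Explicit rules in order; the cleanup rule is simply the last of them.
    for number, rule in enumerate(rules, start=1):
        if (_match(rule.src, pkt["src"]) and _match(rule.dst, pkt["dst"])
                and rule.service in ("any", pkt["service"])):
            return Verdict(rule.action, number, rule.log,
                           "hidden rule" if rule.hidden else "explicit rule")
    # Nothing matched: the default rule is any/any/drop and does not log.
    return Verdict("drop", None, False, "default rule")


def client_auth_below_stealth(rules: List[Rule]) -> List[int]:
    """Numbers of client-auth rules placed after the stealth rule: the user's first
    connection to the gateway would be dropped by stealth before reaching them."""
    stealth_at = next((i for i, r in enumerate(rules, start=1)
                       if r.dst == "gateway" and r.action == "drop"), None)
    if stealth_at is None:
        return []
    return [i for i, r in enumerate(rules, start=1)
            if r.action == "client-auth" and i > stealth_at]


# Constructed sample rule base (not a real policy).
RULES = [
    Rule("10.0.0.0/8", "any", "any", "client-auth"),             # 1: above stealth
    Rule("any", "gateway", "any", "drop"),                       # 2: stealth rule
    Rule("any", "10.0.0.80/32", "http", "accept", hidden=True),  # 3: hidden, still enforced
    Rule("any", "any", "any", "drop"),                           # 4: cleanup rule
]

if __name__ == "__main__":
    for pkt in [
        {"iface": "eth0", "src": "10.0.0.5", "dst": "10.0.0.80", "service": "http"},
        {"iface": "eth0", "src": "198.51.100.7", "dst": "203.0.113.1", "service": "http"},
        {"iface": "eth0", "src": "198.51.100.7", "dst": "10.0.0.80", "service": "http"},
        {"iface": "eth0", "src": "198.51.100.7", "dst": "10.0.0.80", "service": "ssh"},
    ]:
        print(pkt["src"], "->", pkt["dst"], enforce(RULES, pkt))
    print("client-auth rules below stealth:",
          client_auth_below_stealth([RULES[1], RULES[0]] + RULES[2:]))
```

Swapping the first two rules and running client_auth_below_stealth shows the misordering the notes warn about; removing the cleanup rule shows the difference between a logged cleanup drop and the unlogged default drop.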
VPN and Encryption
* Symmetric: pre-shared key, fast; anyone who steals the key can steal the data
* Asymmetric: public/private key, slower; Diffie-Hellman
* Privacy: no one other than the intended parties can see it - encryption
* Integrity: no tampering - hash function, one way
* Authenticity: true communication - digital signature
* ICA (Internal Certificate Authority)
* Tunnel-mode encryption works by encapsulating an entire IP packet and then adding its
own encryption header to the packet (increase of total packet size). More secure
* SIC (Secure Internal Communication) uniquely identifies Check Point enabled machines.
It has the same function as authentication certificates
* Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which
of the following options will end the intruder's access after the next Phase 2 exchange
occurs?
Perfect Forward Secrecy - provides additional security by means of a Diffie-Hellman
shared secret value. With PFS, if one key is compromised, previous and subsequent keys
are secure because they are not derived from previous keys.
* Use Aggressive Mode - the standard six-packet IKE Phase 1 exchange is replaced by a three-
packet exchange
* You want to establish a VPN using certificates. Your VPN will exchange certificates with
an external partner. Which of the following activities should you do first?
Create a new server object to represent your partner's Certificate Authority (CA)
* What encryption scheme provides "in-place" encryption? DES
* Key Management Protocol: IKE
* Encryption Algorithms:
DES (56 bit), 3DES (3 x 56 bit = 168 bit),
CAST (40-128 bit, not as strong as DES),
AES (256 bit)
* Authentication Algorithms:
MD5
SHA1
* Encryption is encapsulated: IPSec
* VPN Tunnel Sharing settings include: one VPN tunnel per gateway pair, per each pair of
hosts, and per subnet pair
* IKE DoS attacks: Global Properties
SmartView Tracker
* Three modes: LOG mode, ACTIVE mode, AUDIT mode
* Verifies the installed security policy name
* How to block an intruder: go to Active mode, select a connection, click Tools, click Block
Intruder
* You can block based on source, destination, or source-destination-service
* The name of the log file depends on the MODE:
LOG = .log
ACTIVE = .vlog
AUDIT = .alog
* Export to .txt is possible from the File menu
* Switch log file: the current fw.log is closed and written to disk with a name that
contains the current date and time.
* Only one log file can be open at a time
* Exported logs cannot be viewed with SmartView Tracker
SmartView Monitor
* Create suspicious activity rules; you can do it for only an hour without creating a rule base rule
* Check if VPN Phase 2 negotiations are failing
Command line and kernel
* Kernel memory settings without manually modifying $FWDIR/lib settings: on the gateway
object's Capacity Optimization screen: Max IKE, Max Concurrent connections, Max tunnels
* Reset the password for the administrator which was created during initial install: cpconfig, delete the
administrator's account and recreate it with the same name.
* cpstart: launches all Check Point applications
* cpstop: stops all Check Point applications
* fw start
* fw stop
* fw ver: display Check Point version
* fw fetch [target]: fetches the last policy
* cpstop -fwflag -default: stop all Check Point processes and leave the default filter running
* cpstop -fwflag -proc: stop all Check Point processes and leave the security policy running
* fw ctl arp: display the firewall ARP entries for automatic NAT objects
* fw dbexport -f bla.ldif -l -s "o=bla,c=nl"
* fw unloadlocal: unload the local security policy. This is a very convenient feature if you
are not able to access SmartDashboard, for example because of a too strict security policy
* fwm unload [target]: unload the policy on the target enforcement module
* fwm lock_admin: used to unlock admin account(s), and view locked administrators
* cplic print: print the details of the installed Check Point licenses
* fw tab x u: display kernel table content
* fw tab -t sam_blocked_ips: display IPs blocked via the Block Intruder feature of SmartView
Tracker
* $FWDIR/conf: rule bases, objects, users database, and certificates
* $FWDIR/lib: base.def
Performance
* Remove old or unused security policies from the policy package
* Reduce logging
* Put the most used rules at the top
Eventia Reporter
* Only connections that are logged by the firewall policy are available for Eventia reporting
* Reports are saved in HTML format and in CSV format
* To change the Eventia database cache size to match the memory in the server, edit
$RTDIR/DATABASE/CONF/MY.INI (.INI = Windows and .CNF = UNIX)
* rmdstop: stop all Eventia Reporter services
* rmdstart: start all Eventia Reporter services
* Change Eventia database settings with the utility UpdateMySQLConfig (stop the Eventia Reporter
services first!)
R - RAM
T - Temp directories
L - Log files
A - Add new data file
M - Move file
* Eventia Reporter is licensed per gateway
* Predefined Reports, two kinds: Standard - generated from info in the log files through
the consolidation process to yield relevant analysis of activity. Express - generated from the
SmartView Monitor history file. Express cannot be filtered
Security (Standard and Express): all security related traffic. Origin/destination of
gateway. Blocked connections. Policy installs, analyze rule base order
Network Activity (Standard, Express): most popular activities in your network, can focus
on direction
VPN-1 (Standard, Express): encrypted traffic
System Info (Express): CPU, kernel, memory
VPN-1 My Reports (Standard, Express): customized
* What is the consolidation policy
OSE Device: Open Security Extension, a 3rd party enforcement product that represents the
router and influences and enforces the security policy.
ROBO Gateway: managed in SmartLSM, entry point to the LAN