check point software technologies education services

CHECK POINT SOFTWARE TECHNOLOGIES

Education Services

S e c u r i t y E n g i n e e r i n g

L a b S e t u p G u i d e

E D U C A T I O N S E R V I C E S

Security Engineering - Lab Setup Guide

Check Point Software Technologies www.CheckPoint.com

[email protected] 6330 Commerce Dr., Suite 120, Irving, TX 75063

March 20, 2017

S E C U R I T Y E N G I N E E R I N G - L A B S E T U P P R O C E D U R E S

Configuring the Lab Environment

The Check Point Security Engineering class topology was designed as a “sandbox” environment. All student machines have the same set of IP addresses. The virtual machines do connect to the Internet, NATed through the host machine. Internet connectivity is required for each host machine used by students attending the course.

Follow the steps below to configure the virtual machines needed for the students to perform all Security Administration labs. ATCs may use whatever virtualization software they choose, but Check Point assumes most Virtual Machines will be created in either a VMware Workstation or an ESX environment. Our tests were all performed on VMware Workstation 12.

A Special Note about Licensing

The built-in 15 day evaluation licenses are no longer used in this classroom configuration. All Check Point servers at the Alpha site are required to have a license before the students begin this class. The Bravo license will be added during a specific lab by the students and should not be preloaded. To get 6-month BCK licenses provided to you for use in this and other Check Point classes, contact your ATC coordinator.

Configuring Virtual Machine Settings

All virtual machines should be configured with the following options:

Snapshots – Just Power off

VMware Tools – Installed

Remove the Floppy from the Hardware Settings

Time Synchronization – Synchronization between Guest and Host should be active.

LDAP Information

Configure the virtual machines on the Alpha Internal network to be in the alpha.cp domain. All users should log into the domain and not the local virtual machine.


Lab Topology

Configure each student machine with the following virtual environment:


Configuring the Virtual Machines

Configure each of the virtual machines listed below on all student machines. The specifications shown here in terms of Hard Drive and RAM are considered minimum requirements. For better performance, these numbers should be increased. All user, OS, and application passwords should be: Chkp!234

A-GUI

Use the information below to configure the Alpha GUI Client virtual machine:

Name: A-GUI OS: Windows Client Hard Drive: 40GB RAM: 2GB

The following Check Point modules will be installed during the labs:

SmartConsole R77.30

Use the following information to configure the interface for this virtual machine:

IP Address: 10.1.1.201 Subnet Mask: 255.255.255.0 Default Gateway: 10.1.1.1 Interface: eth0 Network: Management (LAN 1)

Special instructions for the Alpha GUI Client virtual machine:

1. Configure a folder on the desktop that can be shared with Read/Write privileges to anonymous users. This will be used to transfer files through FTP.

2. Install and configure an FTP client and server.


A-SMS

Use the information below to configure the Alpha Security Management Server virtual machine:

Name: A-SMS OS: Gaia R77.30 Hard Drive: 80GB RAM: 10GB

The following Check Point modules should be installed and configured:

Security Management Server

Use the following information to configure the interface this virtual machine:


Special instructions for the Alpha Security Management Server virtual machine:

1. The server should be fully licensed with licenses obtained from the BCK. This server should contain four Central licenses. Use SmartUpdate to assign licenses to the three pre-configured Security Gateways in this environment.

A-SMS-02

Use the information below to configure the Alpha Security Management Server virtual machine:

Name: A-SMS-02 OS: Gaia R80.10 Hard Drive: 80GB RAM: 10GB


Security Management Server

Use the following information to configure the interface this virtual machine:


Special instructions for the secondary Alpha Security Management Server virtual machine:

1. Complete only the initial configuration and reboot. The students should do the first time configuration of this server during the lab.


A-GW-01

Use the information below to configure the first Security Gateway virtual machine:

Name: A-GW-01 OS: Gaia R80.10 Hard Drive: 60GB RAM: 1GB


Security Gateway

Use the following information to configure the interfaces for the Security Gateway virtual machine:

IP Address: 10.1.1.2 Subnet Mask: 255.255.255.0 Interface: eth0 Network: Management (LAN 1)

IP Address: 203.0.113.2 Subnet Mask: 255.255.255.0 Default Gateway: 203.0.113.254 Interface: eth3 Network: External (vmnet8 - NAT)

IP Address: 192.168.11.2 Subnet Mask: 255.255.255.0 Interface: eth1 Network: Alpha Internal (LAN 11)

IP Address: 192.168.12.2 Subnet Mask: 255.255.255.0 Interface: eth4 Network: DMZ (LAN 12)

IP Address: 192.168.10.2 Subnet Mask: 255.255.255.0 Interface: eth2 Network: Synchronization (LAN 10)

IP Address: 192.168.13.2 Subnet Mask: 255.255.255.0 Interface: eth5 Network: WiFi (LAN 13)


A-GW-02

Use the information below to configure the second Security Gateway virtual machine:

Name: A-GW-01 OS: Gaia R80.10 Hard Drive: 60GB RAM: 1GB


Security Gateway

Use the following information to configure the interfaces for the Security Gateway virtual machine:

IP Address: 10.1.1.3 Subnet Mask: 255.255.255.0 Interface: eth0 Network: Management (LAN 1)

IP Address: 203.0.113.3 Subnet Mask: 255.255.255.0 Default Gateway: 203.0.113.254 Interface: eth3 Network: External (vmnet8 - NAT)

IP Address: 192.168.11.3 Subnet Mask: 255.255.255.0 Interface: eth1 Network: Alpha Internal (LAN 11)

IP Address: 192.168.12.3 Subnet Mask: 255.255.255.0 Interface: eth4 Network: DMZ (LAN 12)

IP Address: 192.168.10.3 Subnet Mask: 255.255.255.0 Interface: eth2 Network: Synchronization (LAN 10)

IP Address: 192.168.13.3 Subnet Mask: 255.255.255.0 Interface: eth5 Network: WiFi (LAN 13)


A-Host

Use the information below to configure a protected host virtual machine:

Name: A-Host OS: Windows Client Hard Drive: 40GB RAM: 2GB


IP Address: 192.168.11.201 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.11.1 Interface: eth0 Network: Alpha Internal (LAN 11)

Special instructions for the Alpha host virtual machine:



3. Install and configure an updated web browser.

4. A-Host must be part of the alpha.cp domain.

5. Create a PDF file that is free from viruses on the desktop. Call the file: Safe.pdf

6. Install and configure a mail client. (optional)

Note: The Mail server is not currently used in the CCSE class but will be used in other courses and may be used at a later date.


A-LDAP

Use the information below to configure the Alpha LDAP server virtual machine:

Name: A-LDAP OS: Windows Sever Hard Drive: 40GB RAM: 2GB


IP Address: 192.168.11.101 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.11.1 Interface: eth0 Network: Alpha Internal (LAN 11)

Special instructions for the Alpha Active Directory virtual machine:

1. Configure the following rules in the Manage Your Server applet:

Active Directory Server (LDAP)

3. The domain for this site is: alpha.cp

4. The following are the required users. Each should be configured with Chkp!234 as their password.

User1

User2

User3

User4

Guest

5. The following are the required groups.

Odd (include all odd numbered users)

Even (include all even numbered users)

Note: The Guest user is not part of any user group.

6. Configure A-LDAP to be the DNS server for the Alpha site.

7. Install and configure the NTP server for the Alpha site.


A-DMZ

Use the information below to configure the FTP, SMTP, and Web Server virtual machine:

Name: A-DMZ OS: Windows Server Hard Drive: 40GB RAM: 2GB

Use the following information to configure the interface for the FTP and Web Server virtual machine:

IP Address: 192.168.12.101 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.12.1 Interface: eth0 Network: DMZ (LAN 12)

Special instructions for the Alpha DMZ virtual machine:

1. Configure a Web Server to run at startup.

2. Install and configure an FTP server.

3. Install and configure a Web server.

4. Install and configure a Mail server. (optional)

Note: The Mail server is not currently used in the CCSE class but will be used in other courses and may be used at a later date.

A-Guest

Use the information below to configure the guest tablet virtual machine:

Name: A-Guest OS: Windows 10 in Mobile Mode/Android Tablet Hard Drive: 20GB RAM: 1GB

Use the following information to configure the interface for the Guest tablet virtual machine:

IP Address: 192.168.13.201 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.13.1 Interface: eth0 Network: WiFi (LAN 13)


Bravo Host

Use the information below to configure the B-Host virtual machine:

Name: B-Host OS: Windows Client Hard Drive: 20GB RAM: 1GB


IP Address: 192.168.21.201 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.21.1 Interface: eth0 Network: Bravo Internal (LAN 21)

Special instructions for the B-Host virtual machine:



3. Install and configure an updated web browser.


B-GW

Use the information below to configure the Bravo Security Gateway virtual machine:

Name: B-GW OS: Gaia R77.30 Hard Drive: 60GB RAM: 1GB

The following Check Point modules will be installed during the labs:

Security Gateway

Use the following information to configure the interfaces for the Bravo Security Gateway virtual machine:

Interface: eth0 (Disabled) Network: Bravo Management (LAN 2)

Interface: eth2 (Disabled) Network: Bravo Sync (LAN 20)

Interface: eth1 Network: Bravo Internal (LAN 21)

Interface: eth3 Network: External (vmnet8 - NAT)

Note: The eth0 and eth2 interfaces for B-GW are not used at the beginning of this class but should be configured so that the eth1 connects to the internal network and the eth3 interfaces connects to the external network. The other two interfaces should not be connected or powered on until they are needed.

Special instructions for the B-GW virtual machine:

1. Configure this server with two snapshots. The first should be the classroom start point, with R77.30 fully installed and configured with license and policy from A-SMS. The second snapshot should be with a fully configured R80.10 gateway fully installed and configured with license.

NOTE: The upgrade does not currently work and won’t until after GA. For now, pre-stage the machine with a second snapshot that would essentially be at the point it would be at, had the upgrade worked.

B-GW-02

Use the information below to configure the Bravo Security Gateway virtual machine:

Name: B-GW OS: Other/Other Hard Drive: 60GB RAM: 1GB

Use the following information to configure the interfaces for the second Bravo Security Gateway virtual machine:

Interface: eth0 (Disabled) Network: Bravo Management (LAN 2)

Interface: eth2 Network: Bravo Sync (LAN 20)

Interface: eth1 Network: Bravo Internal (LAN 21)

Interface: eth3 Network: External (vmnet8 - NAT)


Router

The router may be either a specific virtual machine or you may use the virtualization software’s router function. In our testing, we use VMware’s Network Editor to configure a NAT address on the 203.0.113.0/24 network that NATs “guest” VM traffic out through the “host” machine’s physical address.

All external interfaces of gateways in the topology should all point to 203.0.113.254 (router) as their default gateway. Network routes for all internal networks should be placed on both the Alpha and Bravo gateways. This will allow traffic between the two sites but also traffic to exit the environment and reach the Internet.


Configuring the Security Policies

Alpha Security Policy

The Alpha Gateways and Management Server should be configured and licensed before the students arrive for class. You must also configure a basic Security Policy (Alpha_Standard) that includes the cluster object.

The following rules should be configured:

1. Do Not Log – Drops but does not log bootp and NBT traffic.

2. Management – Allows A-GUI access to all Check Point modules with HTTPS and ssh_version_2.

3. Stealth – Drops all traffic to A-GW-Cluster.

4. DNS – Allows all dns traffic emanating from Alpha’s internal networks.

5. DMZ – Allows all http and smtp traffic to A-DMZ.

6. Outgoing – Allows https, http, and ftp traffic from the A-INT-NET and A-MGMT-NET networks.

7. LDAP – Allows all internal Alpha LDAP and NTP traffic to the A-LDAP server.

8. Cleanup – Drops and logs all traffic not previously applied to the rules above.

A-GW-Cluster should be in the Install On field for every rule. All rules should be logged except the Do Not Log rule. Save the Standard policy with the name Alpha_Standard. Here is a screen shot of the required initial Security Policy for Alpha:


The following objects are required to be pre-configured in the Security Policy:

A-GUI

A-SMS

A-GW-Cluster

A-LDAP

A-DMZ

A-INT-NET

A-MGMT-NET

A-DMZ-NET

A-WIFI-NET

Alpha-Net (group of all Alpha internal networks)


The cluster virtual IPs for the gateway should be the .1 addresses, whereas the individual gateway interfaces are configured as .2 or .3. For example, the management interface for Alpha should have a VIP of 10.1.1.1 and the individual member interfaces should be configured as 10.1.1.2 on A-GW-01 and 10.1.1.3 on A-GW-02. When defining the Alpha Cluster object, use the 203.0.113.1 IP address for the main IP. When defining the cluster members, they should be defined with their 10.1.1.0 addresses. Here’s a screen shot of the Topology page of the A-GW-Cluster object:

Note: Even though the Management Server is R77.30 and the Security Gateways are R80.10, you will still be able to establish SIC and define interfaces. You will not be able to push policy until after you complete the Management Server upgrade lab.

Add network routes on the gateways (Gaia Portal) to the internal network of Bravo.


Bravo Security Policy

The Bravo Gateway should be configured and licensed before the students arrive for class. You must also configure a basic Security Policy (Bravo_Standard).

The following rules should be configured:

1. Noise – Drops but does not log bootp and NBT traffic.

2. Management – Allows A-GUI access to B-GW with HTTPS and ssh_version_2.

3. Stealth – Drops all traffic to B-GW.

4. DNS – Allows all dns traffic emanating from Bravo’s internal network.

5. Outgoing – Allows https, http, and ftp traffic from the B-INT-NET network.

6. Cleanup – Drops and logs all traffic not previously applied to the rules above.

B-GW should be defined as the Install On target for the Bavo_Standard Security Policy. All rules should be logged except the Noise rule. Save the Standard policy with the name Bravo_Standard. Here is a screen shot of the required initial Security Policy for Bravo:


Network Address Translation Policy

The Bravo Gateway should be configured and licensed before the students arrive for class. You must also configure a basic Security Policy (Bravo_Standard).

The following objects should be configured for NAT:

Object NAT IP Address

A-SMS Static 203.0.113.151

A-LDAP Static 203.0.113.161

A-DMZ Static 203.0.113.171

A-MGMT-NET Hide Gateway IP Address (203.0.113.1)

A-INT-NET Hide Gateway IP Address (203.0.113.1)

B-INT-NET Hide Gateway IP Address (203.0.113.100)

This is a screen shot of the NAT policy for your configuration:


Prior to attempting the first lab, your environment should be completely built as outlined in this document. In R77.30, be sure that the Alpha_Standard Security Policy is the one being viewed prior to running the export command in the CLI:


Acquiring the Upgrade Tools

The upgrade tools for the version of the R80.10 software that the students are upgrading to in the labs are required for this environment. To be sure you have the correct version of the tools, follow the steps below:

1. From the R80.10 iso, browse the folders using a compression tool such as 7Zip File Manager.

2. Navigate to the following location:

linux\upgrade_tools\linux

3. Copy the following file to the desktop:

p1_upgrade_tools.tgz

4. Place the file on A-GUI for use in the class.

check point software technologies education services

Documents