checkpoint - day 4[1]

Upload: vijayprabhu1983

Post on 08-Apr-2018


8/7/2019 Checkpoint - Day 4[1]

CSC Private

Slide 1/39: Day Four Session

Objective

Understand the various components of Firewall-1 and how they interact

    Troubleshoot common problems with Remote Management

    Configure and Troubleshoot VPN

Slide 2/39: Chapter 9 Remote Management

    At the end of the chapter, you should be able to

    Understand how various firewall components interact

    Effectively manage various firewall modules

    Troubleshoot common remote management problems

Slide 3/39: Components

Firewall Module: Device that enforces the security policy. Also referred to as the enforcement module.

Management Module: Stores, compiles and installs the security policy.

Smart Console: Client programs that allow you to view logs and manage the security policy.

Slide 4/39: Components (figure only; no text extracted)

Slide 5/39: Components

Smart Clients connect to the management server on TCP port 18190.

All communication between the client and the management server is encrypted.

The client IP address, username and password are supplied to the management server.

Once authenticated, the security policy, network objects and users are downloaded to the client machine.

Slide 6/39: Components

The Management Module stores the security policy and configuration of your firewall modules.

It compiles and loads the security policy to the firewall modules.

It connects to the remote firewall module on TCP port 18191 to load the security policy.

Applications are monitored on TCP port 18192.

Slide 7/39: Components

The Firewall Module enforces your security policy.

It connects to the management module on TCP port 257 to send the logs.

Communication between the management server and the firewall module is encrypted via SIC.

Slide 8/39: SIC

Secure Internal Communication (SIC) provides secure communication between the management server and the firewall module.

Uses SSL to encrypt all data between the two systems.

The management station is the ICA (Internal Certificate Authority) and issues certificates to all managed nodes for authentication.

Slide 9/39: SIC (figure only; no text extracted)

Slide 10/39: SIC

SIC should be established between the management server and the firewall module.

SIC ensures the trust between the management server and the firewall module and is used to fetch the security policy.

Policy fetching may fail if SIC is not established.

Slide 11/39: Remote Management with NAT

Steps to configure remote management with NAT:

1. Configure an object of type Check Point host providing the NAT address of the management module.
2. Select the Masters frame under Log and Alert.
3. Select "Use local definitions for Masters".
4. On the firewall module, run the cpstop command.
5. Edit the $FWDIR/conf/masters file.
6. Under [Policy], [Log] and [Alert], add the new Check Point object.
7. On the firewall module, run the cpstart command.
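Step 6 is the one that is easy to get half-done by hand (the object added under [Policy] but forgotten under [Alert]). The script below is an added example, not Check Point's own tooling: it parses the masters file layout shown on the slide (a section header in square brackets followed by one management object name per line) and inserts a new object under all three sections in one pass. The object names mgmt_internal and mgmt_nat are constructed placeholders.

```python
# Added example (not Check Point's own tooling): update the $FWDIR/conf/masters
# file from step 6 above so that a new management object appears under [Policy],
# [Log] and [Alert]. The section-header layout is taken from the slide; the
# object names below are constructed.
from typing import Dict, List

REQUIRED_SECTIONS = ("Policy", "Log", "Alert")

def parse_masters(text: str) -> Dict[str, List[str]]:
    """Parse '[Section]' headers, each followed by one management object name per line."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def add_master(text: str, name: str) -> str:
    """Return the file text with `name` listed under every required section.

    Idempotent: running it twice leaves the file unchanged, and existing
    entries keep their order. Sections missing from the file are created.
    """
    sections = parse_masters(text)
    for sec in REQUIRED_SECTIONS:
        names = sections.setdefault(sec, [])
        if name not in names:
            names.append(name)
    lines = []
    for sec, names in sections.items():
        lines.append(f"[{sec}]")
        lines.extend(names)
    return "\n".join(lines) + "\n"

# Constructed sample file: one internal management object already listed.
SAMPLE_MASTERS = """[Policy]
mgmt_internal
[Log]
mgmt_internal
[Alert]
mgmt_internal
"""

if __name__ == "__main__":
    print(add_master(SAMPLE_MASTERS, "mgmt_nat"))
```

The new entry is appended after the existing one; the slide does not say which entry the module should try first, so decide the order from which address the module can actually reach before writing the file back (between cpstop and cpstart, as steps 4 and 7 require).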

Slide 12/39: Using the CLI to load policies

Run the fwm load command to install a policy on a firewall module.

E.g. fwm load abc.w fwmaidstone

abc.w is the policy name; fwmaidstone is the name of the firewall module.

Run the fwm unload command to unload the last installed policy.

Run the fetch command (fw fetch) on the firewall module to fetch the policy from the management server.

Slide 13/39: Common issues with Remote Management

Checking SIC failures:

Check connectivity between the management server and the firewall module: telnet to the firewall module on TCP port 18191.

The firewall itself might be blocking port 18191.

SIC relies on a process called CPD, which runs on port 18211.

Port 18211 should be open and listening on the firewall module.

SIC uses certificates, so lastly check the system date and time. If there is a time difference between the management server and the firewall module, the generated certificate might not be valid.
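The three checks on this slide (port 18191 reachable, CPD listening on 18211, clocks in agreement) are worth scripting so they run the same way every time. The block below is an added example, not Check Point's own tooling; the port numbers come from the slide, while the 5-minute skew tolerance, the host addresses and the timestamps are constructed assumptions. To stay runnable offline, demo() starts a throwaway listener on 127.0.0.1 in place of CPD.

```python
# Added example (not Check Point's own tooling): the three SIC checks from the
# slide as code. Port numbers 18191 and 18211 come from the slide; the 5-minute
# skew tolerance, host names and timestamps are constructed assumptions.
import socket
from datetime import datetime, timedelta, timezone
from typing import Dict

SIC_PORTS = {18191: "policy install / SIC", 18211: "CPD"}
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance; the slide only says "time difference"

def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test, the scripted form of the telnet check on the slide.
    False covers both 'blocked by the firewall' and 'nothing listening'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def clock_skew_ok(mgmt_time: datetime, module_time: datetime,
                  max_skew: timedelta = MAX_SKEW) -> bool:
    """SIC certificates carry validity periods, so both clocks must agree within max_skew."""
    return abs(mgmt_time - module_time) <= max_skew

def sic_report(host: str, mgmt_time: datetime, module_time: datetime,
               ports: Dict[int, str] = SIC_PORTS) -> Dict[str, bool]:
    """One True/False finding per check; any False is a candidate cause of SIC failure."""
    findings = {f"tcp/{port} ({role}) reachable": port_reachable(host, port)
                for port, role in ports.items()}
    findings["clock skew within tolerance"] = clock_skew_ok(mgmt_time, module_time)
    return findings

def demo():
    """Run the checks offline against a throwaway local listener standing in for CPD."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port, so nothing real is touched
    listener.listen(1)
    port = listener.getsockname()[1]
    now = datetime(2019, 8, 7, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    try:
        healthy = sic_report("127.0.0.1", now, now + timedelta(seconds=30), {port: "CPD stand-in"})
        skewed = sic_report("127.0.0.1", now, now + timedelta(hours=2), {port: "CPD stand-in"})
    finally:
        listener.close()
    # With the listener gone the same port now refuses connections, i.e. "not listening".
    closed = sic_report("127.0.0.1", now, now, {port: "CPD stand-in"})
    return healthy, skewed, closed

if __name__ == "__main__":
    for label, findings in zip(("healthy", "skewed", "closed"), demo()):
        print(label, findings)
```

Against a real module you would call sic_report with the module's address and the default SIC_PORTS, passing the two clock readings taken from the management server and the module.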

Slide 14/39: Resetting SIC

SIC needs to be reset if the name of the firewall module changes.

To reset SIC on the management server, use the cpstop command on the server and then fw sic_reset.

This resets SIC for all firewall modules managed by the management server. SIC then needs to be re-established with each firewall module.

Slide 15/39: Large-scale management issues

Security policy: Although a single policy can be enforced on all firewall modules, there are several limitations to managing the security policy in general.

Network objects: The management GUI and the fwm process cannot handle a large number of objects (over 10,000). To mitigate this, give your hardware plenty of memory.

Number of rules: Ideally the firewall supports any number of rules, but over 150 rules the effect shows.

Number of firewall modules: Ideally a management server can manage any number, but the max number is 12. Again, it depends on how much logging happens and the kind of hardware the management server has.

Slide 16/39: Hierarchical Management

Organization-wide rules: These are also called global rules and cannot be modified by the local firewall admin.

Site-specific additions: Anything not denied in the global rules can be set.

Organization-wide default rules: These rules apply if neither of the above two matches.
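The ordering on this slide is what makes the hierarchy enforceable: global rules are evaluated first, then the site's additions, then the global defaults, and the first match wins. The block below is an added example in plain Python, not Check Point's rulebase format, with constructed addresses and rules; it shows a site rule that tries to permit telnet being overruled by the global rule above it, while a site rule for a service the global tier does not mention takes effect.

```python
# Added example (not Check Point's rulebase format): first-match evaluation across
# the three tiers on the slide. Global rules are consulted before any site addition,
# so a local admin's rule can never override them, and the global defaults catch
# whatever neither tier matched. All addresses and rules below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    service: str  # protocol name or "any"
    action: str   # "accept" or "drop"
    tier: str     # "global", "site" or "default"

def matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.service in (service, "any"))

def evaluate(global_rules: List[Rule], site_rules: List[Rule], default_rules: List[Rule],
             src: str, dst: str, service: str) -> Tuple[str, str]:
    """Return (action, tier) of the first matching rule; the implicit policy is drop."""
    for rule in [*global_rules, *site_rules, *default_rules]:
        if matches(rule, src, dst, service):
            return rule.action, rule.tier
    return "drop", "implicit"

# Constructed rule tiers: the organization forbids telnet into 10.0.0.0/8,
# the site admin opens access from the branch, and the default is deny-all.
GLOBAL_RULES = [Rule("0.0.0.0/0", "10.0.0.0/8", "telnet", "drop", "global")]
SITE_RULES = [Rule("10.1.0.0/16", "10.2.0.0/16", "telnet", "accept", "site"),  # cannot override the global drop
              Rule("10.1.0.0/16", "10.2.0.0/16", "http", "accept", "site")]
DEFAULT_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", "any", "drop", "default")]

def demo() -> Tuple[Tuple[str, str], ...]:
    """Three constructed connections: one hits the global tier, one the site tier, one the defaults."""
    branch, datacentre, internet = "10.1.0.5", "10.2.0.9", "192.0.2.1"
    return (evaluate(GLOBAL_RULES, SITE_RULES, DEFAULT_RULES, branch, datacentre, "telnet"),
            evaluate(GLOBAL_RULES, SITE_RULES, DEFAULT_RULES, branch, datacentre, "http"),
            evaluate(GLOBAL_RULES, SITE_RULES, DEFAULT_RULES, branch, internet, "ssh"))

if __name__ == "__main__":
    print(demo())
```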

Slide 17/39: End of Chapter 9

Slide 18/39: Chapter 10 - VPN

At the end of this chapter, you should be able to

Plan your VPN

Determine which key and algorithm Firewall-1 uses

Set up VPN on Firewall-1

    Troubleshoot VPN problems

Slide 19/39: What is VPN

A Virtual Private Network allows you to securely connect two or more locations/networks over a public network.

Encryption, authentication and integrity are the key enablers of VPN.

The networks can be limited to individual hosts, and the security policy can be set to limit access to certain protocols.

Slide 20/39: Key Concepts

Encryption keys: Encryption keys are used to encrypt data.

The kind of key depends on the type of encryption algorithm used.

The number of bits in the key defines how strong the encryption algorithm is.

Slide 21/39: Key Concepts

Symmetric encryption: Uses the same key for encryption and decryption. E.g. DES, AES.

Becomes difficult to manage and scale if there are a large number of VPN tunnels.

Asymmetric encryption: Uses different keys for encrypting and decrypting data. E.g. RSA.

Over 1000 times slower than symmetric encryption.

Slide 22/39: Key Concepts

Hash functions: Take variable-length input and convert it to fixed-length output.

Used to ensure the integrity of data in transit.

They do NOT provide encryption, but provide validation of data.

If there is network noise and the data is corrupted, the hash computed by the remote peer is different and hence validation fails.

The hash is performed after encryption.

E.g. MD5, SHA-1

Slide 23/39: Key Concepts

Diffie-Hellman keys: These are used to authenticate the remote peer.

The initial communication between the peers needs to be authenticated in a secure manner. DH keys ensure this operation.

There are 4 different DH keys:

DH1 768 bits

DH2 1536 bits

DH5 not used

DH7 not used or supported at this time.
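The two Key Concepts slides above (hash functions and DH keys) fit together in one exchange: both peers derive the same secret with DH without ever sending it, keys are derived from that secret, and the hash is applied after encryption so that a packet corrupted in transit fails validation before anything is decrypted. The block below is an added toy implementation written for this page, not Check Point code or the IKE protocol itself: the modulus is a constructed 64-bit prime, nowhere near the 768/1536-bit groups on the slide, a SHA-256 keystream stands in for DES/AES, and HMAC-SHA1 is the keyed form of the SHA-1 the slide lists. Note that the DH step alone only yields a shared secret; the pre-shared secret or certificate from the planning slide is what ties that secret to a particular peer.

```python
# Added example (not Check Point code): a toy version of the key-agreement and
# integrity steps from the two Key Concepts slides above. DH yields the same
# secret on both sides without sending it; the hash (here HMAC-SHA1) is applied
# after encryption, and a corrupted packet fails validation. The modulus is a
# constructed 64-bit prime, far below the 768/1536-bit groups on the slide,
# and a SHA-256 keystream stands in for DES/AES.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = 2**64 - 59   # toy prime (largest prime below 2**64); real IKE groups are 768 bits and up
G = 2
TAG_LEN = 20     # HMAC-SHA1 output length
NONCE_LEN = 8

def dh_keypair() -> Tuple[int, int]:
    """Private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> int:
    """Both peers compute the same g^(xy) mod p from their own private value and the peer's public one."""
    return pow(peer_pub, priv, P)

def derive_keys(shared: int) -> Tuple[bytes, bytes]:
    """Hash the shared secret and split it into an encryption key and a MAC key."""
    material = hashlib.sha256(shared.to_bytes(8, "big")).digest()
    return material[:16], material[16:]

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy stand-in for a block cipher)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt first, then MAC the ciphertext: the 'hash after encryption' order from the slide."""
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh per packet so the keystream is never reused
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha1).digest()
    return nonce + ct + tag

def unprotect(enc_key: bytes, mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Validate the MAC before decrypting; None means the packet was altered in transit."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))

def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Site-A and Site-B agree on keys, then one packet arrives intact and one with a flipped bit."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    assert dh_shared(a_priv, b_pub) == dh_shared(b_priv, a_pub)   # same secret on both sides
    enc_key, mac_key = derive_keys(dh_shared(a_priv, b_pub))
    packet = protect(enc_key, mac_key, b"site-A to site-B")
    # "Network noise": flip one bit of the ciphertext; the receiver's hash no longer matches.
    noisy = packet[:NONCE_LEN] + bytes([packet[NONCE_LEN] ^ 0x01]) + packet[NONCE_LEN + 1:]
    return unprotect(enc_key, mac_key, packet), unprotect(enc_key, mac_key, noisy)

if __name__ == "__main__":
    print(demo())   # (b'site-A to site-B', None)
```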

Slide 24/39: VPN Licenses

VPN-1 Pro: The traditional license, defined by the number of nodes it can protect.

VPN-1 Net: The new license, defined by the number of VPN tunnels it can create.

VPN-1 Net is far less expensive than VPN-1 Pro but has limited functionality.

Slide 25/39: How to configure encryption (figure only; no text extracted)

Slide 26/39: Planning your VPN deployment

Which hosts/remote networks the remote site will be able to access via VPN (this is referred to as the encryption domain in Firewall-1).

Which hosts/networks will be accessible via VPN at the remote site.

Whether certificates or pre-shared secrets will be used.

What algorithms/functions will be used for IKE and IPsec.

IKE and IPsec timeouts.

Slide 27/39: Simplified mode VPN

Simplified mode

Uses a VPN community, which is similar to a group.

Contains all firewalls and encryption domains that will participate in the VPN.

The community defines the VPN properties, algorithms, encryption schemes etc., which are common to all encryption domains and firewall modules.

Simplifies VPN dramatically.

Slide 28/39: Traditional Mode VPN

Traditional mode VPN is similar to what we configure on other VPN devices.

There is no VPN community defined.

The encryption domain is defined, but it is the final rulebase that determines which hosts within the encryption domain are allowed access to the remote site.

Ease of configuration.

Slide 29/39: Traditional mode VPN configuration

Modify Global Properties to include the Traditional mode configuration.

Slide 30/39: Traditional mode VPN configuration

Define network objects that define the encryption domain for both Site-A and Site-B.

Define a Check Point object for the remote firewall or VPN device.

Modify the Gateway Properties of the Site-A firewall and Site-B firewall to include the encryption domains (see below).

Slides 31/39 to 38/39: Traditional mode VPN configuration (figures only; no text extracted)

Slide 39/39: Questions