Document # CPTS-DOC-C1011
Revision B
Copyright 1999 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distribution under licensing restricting their use, copy, and distribution. No part of this documentation may be reproduced in any form or by any means without prior written authorization of Check Point Software Inc. While every precaution has been taken in the preparation of this document, Check Point assumes no responsibility for errors or omissions. This document and features described herein are subject to change without notice.

Trademarks: FireWall-1, SecuRemote, Stateful Inspection, INSPECT, Check Point and the Check Point logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. Sun, SPARC, Solaris, and SunOS are trademarks of Sun Microsystems, Inc. UNIX and OPEN LOOK are registered trademarks of UNIX System Laboratories. All other products or services mentioned herein are trademarks or registered trademarks of their respective owners.

Check Point Software Technologies Ltd.
International Headquarters: 3A Jabotinsky Street Ramat Gan 52520 Israel Tel: 972-3-613 1833 Fax: 972-3-575 9256 E-mail: info@checkpoint.com
U.S. Headquarters: Three Lagoon Drive, Suite 400 Redwood City, CA 94065 Tel: 650-628-2000 Fax: 650-654-4233 HTTP://www.checkpoint.com
Dallas Courseware Development: 2505 N. Highway 360, Suite 700 Grand Prairie, TX. 75050 Tel: 817-606-6600 Fax: 817-652-9374
Contents (partial)

Introduction ........................................... 9
  Objectives ........................................... 9
  Key Terms ............................................ 9
Review ................................................ 25
  Summary ............................................. 25
  Review Questions .................................... 26
Introduction .......................................... 27
  Objectives .......................................... 27
Firewall-1 System Requirements on Windows NT .......... 28
Getting Started with FireWall-1 ....................... 29
  Network Configuration ............................... 29
Review ................................................ 68
  Summary ............................................. 68
  Review Questions .................................... 68
Introduction .......................................... 69
  Objectives .......................................... 69
  Key Terms ........................................... 69
Data (Column) Fields .................................. 75
Column Menu ........................................... 76
Log Viewer Modes ...................................... 77
Log Viewer Toolbar Buttons ............................ 77
Navigating and Searching .............................. 78
Displaying Selected Entries ........................... 81
Selection Options ..................................... 84
Viewing/Editing Current Selection Criteria ............ 85
Creating and Selecting Selection Criteria ............. 85
Log File Management ................................... 86
Review ................................................ 96
  Summary ............................................. 96
  Review Questions .................................... 97
Introduction .......................................... 99
  Objectives .......................................... 99
  Key Terms ........................................... 99
Group Properties Object .............................. 128
Logical Server Object ................................ 129
Address Range Properties Object ...................... 130
  General Tab ........................................ 130
  NAT Tab ............................................ 131
Lab 1: Defining Network Objects ...................... 132
Services Manager ..................................... 134
  Allowed Services ................................... 135
  TCP ................................................ 135
  UDP ................................................ 136
  RPC ................................................ 137
  ICMP ............................................... 138
  Other .............................................. 139
  Group .............................................. 139
  Port Range ......................................... 140
Time Objects Manager ................................. 169
Keys Manager ......................................... 172
Review ............................................... 173
  Summary ............................................ 173
  Review Questions ................................... 173
Unit III Chapter 1: Security Policy Rule Base and Properties Setup ... 175
Understanding Interface Direction .................... 193
Properties Setup Tabs ................................ 197
  Security Policy Properties ......................... 197
  Services Properties ................................ 200
  Log and Alert Properties ........................... 201
  Security Servers Properties ........................ 203
  Authentication Properties .......................... 206
  SYNDefender Properties ............................. 207
  Lightweight Directory Access Protocol (LDAP) Properties ... 209
  Encryption Scheme Properties ....................... 211
  Miscellaneous (Load Balancing) Properties .......... 214
  Access Lists Properties ............................ 215
Lab 3: Defining Basic Rules .......................... 228
Lab 4: Implied Pseudo-Rules .......................... 230
Lab 5: Defining a Time-Based Rule .................... 231
Review ............................................... 232
  Summary ............................................ 232
  Review Questions ................................... 232
Lab 6: Set up Authentication Parameters .............. 248
Lab 7: Defining Users and Groups ..................... 249
Lab 8: User Authentication with a FireWall-1 Password  251
Lab 9: User Authentication with S/Key ................ 252
Lab 10: User Authentication for FTP .................. 254
Lab 11: User Authentication for HTTP ................. 255
Lab 12: Client Authentication ........................ 256
Lab 13: Session Authentication ....................... 257
Review ............................................... 258
  Summary ............................................ 258
  Review Questions ................................... 258
Lab 14: NAT Static Mode Manual ....................... 276
Lab 15: NAT Static Mode Automatic .................... 279
Lab 16: NAT Hide Mode Manual ......................... 281
Lab 17: NAT Hide Mode Automatic ...................... 283
Review ............................................... 285
  Summary ............................................ 285
  Review Questions ................................... 285
Final Scenario ....................................... 287
Special Notes for HP-UX 10 ........................... 294
Special Notes for IBM AIX ............................ 295
Special Note for Management Servers .................. 296
  Administrators: Solaris Specific ................... 296
Glossary ............................................. 307
Unit I Overview
Introduction to CCSA Chapter 1: FireWall-1 Architecture
This course provides hands-on training as you install FireWall-1 on a Solaris and/or Windows NT system. You will configure a security policy using FireWall-1's graphical user interface (GUI), and learn about managing a firewalled network. You are encouraged to follow along in the manual as the class progresses and take notes for future reference.
Course Objectives

- Identify the basic components of FireWall-1
- Successfully install FireWall-1
- Successfully configure FireWall-1 (Solaris and/or NT)
- Identify the FireWall-1 elements that you will need to manage
- Successfully configure FireWall-1
- Successfully complete the final scenario at the end of the course

Prerequisites

Before taking this course, we strongly suggest that you have the following knowledge base:

- General knowledge of TCP/IP
- Working knowledge of Windows or UNIX
- Working knowledge of network technology
- Working knowledge of the Internet
The Check Point Certified Security Administrator (CCSA) course provides a complete overview of FireWall-1, including hands-on training for stand-alone systems. This exam is for end users and resellers who need a technical understanding of FireWall-1 and who need to install and set up simple configurations.

The Check Point Certified Systems Engineer (CCSE) course is an advanced course for engineers managing multiple FireWall-1 systems and/or needing formal training in advanced FireWall-1 features. This exam covers techniques in remote management, encryption, and virtual private networking. It also covers the built-in SNMP features of FireWall-1, router management, user-defined tracking, load balancing, and firewall synchronization.

The CCSI exam is for candidates preparing to teach FireWall-1 who are employees of an Authorized Training Center. Instructors are required to pass the CCSA and CCSE exams before they are eligible to take this exam. The CCSI exam is an advanced test, covering all topics previously reviewed by the FireWall-1 CCSA and CCSE exams.
Course Map

Day 1
  Unit I Overview
    Introduction
    Chapter 1: FireWall-1 Architecture
  Unit II Getting Started
    Chapter 1: FireWall-1 Installation and Setup
    Chapter 2: Navigating in FireWall-1
    Chapter 3: Management Tools
  Unit III Managing Your Network
    Chapter 1: Security Policy Rule Base and Properties Setup
    Chapter 2: Administering Security Policy with Rule Base

Day 2
  Unit IV Customizing FireWall-1
    Chapter 1: Authentication
    Chapter 2: Network Address Translation
  Final Scenario
Lab Setup

The following is the setup of your lab:

- The lab is directly connected to the Internet.
- The Internet servers (www.yourcity.com) cannot communicate directly with the Internet. (The servers have illegal/reserved IP addresses.)
- Each firewalled and Internet server has a unique IP address.
- Root password to all systems is _______________________________________. (Your instructor will give you this password. Be careful with root access!)

OpenWindows mouse-button controls (Solaris only):

- Left: Selects objects.
- Middle: Selects additional objects or deselects objects.
- Right: Displays menus.
Lab Topology

(Lab topology diagram not reproduced.)
IP Addresses

Workstation IP addresses (the site and city columns of this table did not survive; only the IP Address column is shown):

- 204.32.38.101
- 204.32.38.102
- 204.32.38.103
- 204.32.38.104
- 204.32.38.105
- 204.32.38.106
- 204.32.38.107
- 204.32.38.108

Internet Server: www.detroit.com, IP Address 192.168.1.1

Lab Terms

- Yourcity: The city name for your workstation pair.
- Partnercity: The name of your partner city.
- Site number: A number between 1 and 8 assigned to your workstation pair.

Site-Number Table

Site Number: 1, 2, 3, 4, 5, 6, 7, 8 (the remaining columns of this table did not survive).
Encryption

ISAKMP/Oakley (IKE) is now supported for VPNs and SecuRemote, including ENTRUST PKI, and is exportable worldwide.

Enterprise Management

LDAP-based user databases are now fully integrated into FireWall-1, and an LDAP client is included with FireWall-1.

Authentication

A number of major improvements have been implemented in the FireWall-1 version 4.0 authentication feature:

- Support for TACACS/TACACS+
- Support for RADIUS Version 2
- Support for MD5 in S/Key
- Secondary (backup) AXENT servers are supported

Client Authentication

Authentication can now be performed using a Web browser. The following new features are available:

- Implicit client authentication
- Automatic client authentication sign-off

Security Servers

All FireWall-1 security servers now support OPSEC version 1.0. The HTTP security server supports FTP and HTTPS.

Network Address Translation

Network address translation now supports H-323, NetShow, VXtreme and many other services that were not supported in earlier versions of FireWall-1. This further extends FireWall-1's impressive list of over 120 out-of-box supported services.
Objectives

- Describe the purpose of a firewall
- Describe and compare firewall architectures
- Identify the different components of FireWall-1

Key Terms

- security policy
- Transmission Control Protocol/Internet Protocol (TCP/IP)
- data packet
- IP addresses
- packet filtering
- application layer gateway (proxy)
- Stateful Inspection
- Inspection Module
- Firewall Module
- network address translation (NAT)
- INSPECT
- Management Module
- Management Server
- Connect Control Module
- encryption
- access control lists
Defining a Firewall

What is a Firewall?

A firewall is a system designed to prevent unauthorized access to or from an internal network. Firewalls act as locked doors between internal and external networks. Data meeting certain requirements can get through the locked door, whereas unauthorized data never gains access.

A firewall is one of the most effective ways of securing a network. Firewalls track and control data, deciding whether to pass, drop, reject, encrypt or log the data. Firewalls ensure data meets the rules of its security policy, which is a set of rules that defines an internal network's security.

A firewall is only as effective as its setup within the security policy. A firewall cannot protect the network against malicious authorized users. Seventy-eight percent of network attacks occur within a company's organization. And a firewall cannot protect connections that don't pass through the firewall.
TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is one of the most common communication protocols used to connect to the Internet and external networks. Whereas the IP protocol deals only with data packets, which are parts of data streams, TCP enables two networks to establish connections and exchange data streams. TCP guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent (Figure 2).
Packets
A data packet (or packet) is a piece of a message transmitted over a network. A key feature of a packet is that it contains the destination address in addition to the data. Packets are like letters and must have addresses. Just as normal letters must have addresses on the front to make delivery likely, TCP/IP communication depends on addresses being included in each packet. These addresses are commonly termed IP addresses.

As these packets of information move through the network, devices use the packets' IP addresses to decide whether to keep the packets in the local network or forward them to a different network. This is a complex task, because there are many networks that either comprise the Internet or are attached to it through gateways. Figure 3 is an example of the layers that comprise a packet, and the many levels of communication TCP/IP reads.
Packet Filtering
Packet filtering examines a packet up to the network layer. The upper four layers are unexamined and allowed into an internal network (Figure 4). The packet filter looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. The limitation of this type of filtering is its inability to provide security for the most basic protocols.

Figure 4: Packet Filtering Path (the diagram shows the seven OSI layers, Application through Physical, on each end host, with a Router between them that reaches only the Network layer and below)
The Pros of Packet Filtering

The pros of packet filtering include the following:

- Inexpensive
- Application transparency
- Quicker than application layer gateways

The Cons of Packet Filtering

The cons of packet filtering include the following:

- Low security
- Access to a limited part of a packet header only
- No screening above the network layer, meaning that packet filters are incapable of providing communication-derived or application-derived state information
- Very limited ability to manipulate information
- Difficult to configure, monitor and manage
- Provides inadequate logging and alerting mechanisms
- Subject to IP spoofing
Example

Packet filters, historically implemented on routers, filter user-defined content, such as IP addresses. They examine a packet at the network layer and are application independent, which allows them to deliver good performance and scalability. They are the least secure type of firewall, because they are not application aware. They cannot understand the context of a given communication, which makes unauthorized entry to the network easier.

Packet filters have two choices with regard to outbound FTP connections. They can either leave the entire upper range (greater than 1023) of ports open, which allows the file transfer session to take place over the dynamically allocated port but exposes the internal network, or they can shut down the entire upper range of ports to secure the internal network, which blocks other services. This is a trade-off between application support and security.
Application Layer Gateways (Proxy)

An application layer gateway, or proxy, implements firewalls at the application level. As external networks have evolved into dynamic environments that constantly offer new protocols, services and applications, proxies are no longer able to handle the diverse types of communication on external networks. They cannot fulfill the new business needs, high bandwidth and security requirements of today's networks (Figure 5).

Figure 5: Application-Layer Gateway Path (the diagram shows separate Telnet, FTP and HTTP proxies in the path)
The Pros of Application Layer Gateways (Proxy)

The pros of application layer gateways include the following:

- Good security
- Full application-layer awareness

The Cons of Application Layer Gateways (Proxy)

The cons of application layer gateways include the following:

- Partial communication-derived and full application-derived state information
- Each service requires its own application layer gateway, so the number of available services and their scalability is poor
- Implementation at the application level is detrimental to performance
- Proxies cannot provide for UDP, RPC and other services from common protocol families
- Most proxies are not transparent
- Vulnerable to operating system and application level bugs
- Overlooks information contained in lower layers
- Expensive performance cost
Example

Application layer gateways improve on security by examining all application layers, bringing context information into the decision process. However, they do this by breaking the client/server model. Every client/server communication requires two connections: one from the client to the firewall and one from the firewall to the server. In addition, each proxy requires a different application process, or daemon, making scalability and support for new applications a problem.

In using an FTP proxy, the application layer gateway duplicates the number of sessions, acting as a proxied broker between the client and the server. Although this approach overcomes the limitation of IP filtering by bringing application-layer awareness to the decision process, it does so with an unacceptable performance penalty. In addition, each service needs its own proxy, so the number of available services and their scalability is limited. Finally, this approach exposes the operating system to external threats.
Stateful Inspection
A firewall must track and control the flow of communication passing through it. To reach control decisions for TCP/IP based services (accept, reject, authenticate, encrypt and/or log communication attempts), a firewall must obtain, store, retrieve and manipulate information derived from all communication layers and from other applications.

State information, derived from past communications and other applications, is an essential factor in making the control decision for new communication attempts. Depending upon the communication attempt, both the communication state (derived from past communications) and the application state (derived from other applications) may be critical in the control decision. To ensure the highest level of security, a firewall must be capable of accessing, analyzing and utilizing communication information, communication-derived state, application-derived state and information manipulation.

Stateful Inspection is a firewall technology introduced in Check Point FireWall-1 and designed to meet the following security requirements:

- Communication Information: Information from all seven layers in the packet.
- Communication-derived state: State derived from previous communications. For example, the outgoing PORT command of an FTP session could be saved so that an incoming FTP data connection can be verified against it.
- Application-derived state: State information derived from other applications. For example, a previously authenticated user would be allowed access through the firewall for authorized services only.
- Information manipulation: Evaluation of flexible expressions based on communication information, communication-derived state and application-derived state.
Figure 6: Stateful Inspection Path (the diagram shows the seven OSI layers, Application through Physical, on each end host and on the firewall, with the INSPECT engine placed below the Network layer on the firewall)
The Pros of Stateful Inspection

The pros of Stateful Inspection (Figure 6) include the following:

- Good security
- Full application-layer awareness
- High performance
- Scalability
- Extensible
- Transparency
Example Stateful Inspection tracks the FTP session, examining FTP application-layer data. When the client requests that the server generate the back-connection (an FTP PORT command), FireWall-1 extracts the port number from the request. Both client and server IP addresses and both port numbers are recorded in an FTP-data pending request list. When the FTP data connection is attempted, FireWall-1 examines the list and verifies that the attempt is in response to a valid request. The list of connections is maintained dynamically, so that only the required FTP ports are opened. As soon as the session is closed, the ports are locked, ensuring maximum security.
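The FTP back-connection handling just described, together with the trade-off from the earlier Packet Filtering example, as an added Python simulation. This is illustration code written for this edition, not Check Point code and not the INSPECT language: the addresses, the FTP control-channel lines and the connection attempts are constructed sample input, and PendingFtpData and StaticPacketFilter are hypothetical names. The stateful tracker admits only the one inbound data connection that answers a recorded PORT command and locks the port again afterwards, while the static filter has no memory and must admit every inbound connection to a port above 1023.

```python
import re
from dataclasses import dataclass

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 (address and port as decimal octets).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Conn:
    """A TCP connection attempt as a packet filter or firewall sees it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_port_command(line):
    """Return (ip, port) announced by a PORT command, or None for any other line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class StaticPacketFilter:
    """Packet filter: decides on the header alone and keeps no memory of earlier
    traffic. To let active-mode FTP work it has to leave every port above 1023
    open to inbound connections, which is the trade-off the text describes."""

    def allows_inbound(self, conn):
        return conn.dst_port > 1023


class PendingFtpData:
    """Stateful tracker (hypothetical name, not a FireWall-1 API): records each
    PORT command seen on a control connection and admits only the single inbound
    data connection that answers it, closing the port again once it is used."""

    def __init__(self):
        self.pending = set()  # entries: (server_ip, client_ip, client_data_port)

    def observe_control(self, control_conn, line):
        """Feed one client-to-server line from the FTP control channel (port 21)."""
        parsed = parse_port_command(line)
        if parsed is None:
            return
        announced_ip, port = parsed
        # Added defensive check: only honour a PORT command that names the
        # client's own address and an unprivileged port; anything else is not a
        # valid back-connection request for this session.
        if announced_ip != control_conn.src_ip or port <= 1023:
            return
        self.pending.add((control_conn.dst_ip, control_conn.src_ip, port))

    def allows_inbound(self, conn):
        """Server (source port 20) to client: allowed once, and only if pending."""
        key = (conn.src_ip, conn.dst_ip, conn.dst_port)
        if conn.src_port == 20 and key in self.pending:
            self.pending.remove(key)  # consumed: the port is locked again
            return True
        return False


def run_scenario():
    """Constructed scenario: one PORT command, then the matching data connection,
    a repeat of it, and an unrelated inbound connection to another high port."""
    client, server, other = "192.168.1.10", "204.32.38.101", "204.32.38.105"
    control = Conn(client, 40001, server, 21)
    tracker = PendingFtpData()
    tracker.observe_control(control, "USER anonymous")
    tracker.observe_control(control, "PORT 192,168,1,10,195,81")  # 195*256+81 = 50001
    attempts = [
        Conn(server, 20, client, 50001),  # the announced data connection
        Conn(server, 20, client, 50001),  # same again: entry already consumed
        Conn(other, 20, client, 50002),   # never announced on any control channel
    ]
    static = StaticPacketFilter()
    return {
        "stateful": [tracker.allows_inbound(c) for c in attempts],
        "static": [static.allows_inbound(c) for c in attempts],
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the block prints {'stateful': [True, False, False], 'static': [True, True, True]}: the stateful tracker admits only the connection that answers the recorded PORT command, and the static filter admits all three because every destination port is above 1023. The check that the announced address equals the client's own address goes slightly beyond what the course text describes; it is the kind of validation a practitioner would add before trusting a PORT command.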
Packet filters and application-layer gateways each fall short of Stateful Inspection in some area (Table 3):

Table 3: Comparison of Firewall Technologies

Requirement                   Packet Filters   Application-layer Gateways   Stateful Inspection
Communication information     Partial          Partial                      Yes
Communication-derived state   No               Partial                      Yes
Application-derived state     No               Yes                          Yes
Information manipulation      Partial          Yes                          Yes
What is FireWall-1?
FireWall-1 is based upon Stateful Inspection architecture, assuring the highest level of network security. FireWall-1's Inspection Module analyzes all packet communication layers, and extracts the relevant communication and application state information. The Inspection Module understands and can learn any protocol and application.

The FireWall-1 Inspection Module resides in the operating system kernel, below the network layer, at the lowest software level. By inspecting communications at this level, the Inspection Module can intercept and analyze all packets before they reach the operating system. No packet is processed by any of the higher protocol layers unless FireWall-1 verifies that it complies with the enterprise security policy. The Inspection Module stores and updates state and context information in dynamic connection tables. These tables are continually updated, providing cumulative data against which FireWall-1 checks subsequent communications.

The kernel is the core of the UNIX and NT Server operating systems, managing memory, files and peripheral devices; maintaining time and date; launching applications; and allocating system resources.
Figure 7: FireWall-1 Architecture (the diagram shows, in User Mode, the Firewall Daemon and TCP/IP Management; in Kernel Mode, the IP Stack, the Inspection Module and the Network Driver, with the Inspection Module between the Network Driver and the IP Stack)
Because it processes packets in the operating system's kernel, FireWall-1 saves system processing time and resources. Applications and processes above the kernel layer (Figure 7) suffer few (if any) performance problems. And by placing its kernel module between the Network Interface Cards (NICs) and the TCP/IP stack, FireWall-1 solves the problem of protecting the TCP/IP stack itself.
When packets pass through an internal NIC (Figure 8), the FireWall-1 kernel module inspects the packets by accessing its rule base.
The FireWall-1 kernel module uses the INSPECT engine to control traffic passing between networks. FireWall-1 inspects packets by accessing all levels of communication. The FireWall-1 kernel module has access to the lowest level of communication, and can inspect all layers of a packet and its data. If packets pass FireWall-1 inspection, the Firewall Module passes the packets through the TCP/IP stack and to their destination. Packets pass through the NIC to the INSPECT engine and on up the network stack.

Some packets are destined for the operating system's local processes. In this case, the Firewall Module inspects the packets and passes them through the TCP/IP stack to the processes (Figure 9).
If a packet does not pass inspection, it is either dropped (discarded silently) or rejected (discarded with a notification to the sender), as the matching rule in the FireWall-1 rule base specifies (Figure 10):
Figure 10: INSPECT Engine Drops or Rejects Packet
A detailed flow of the packets through the INSPECT engine is shown in Figure 11:
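The following Python program is an added illustration of the connection-table mechanism described above; it is example code written for this edition, not Check Point's INSPECT engine or any FireWall-1 source, and it does not use INSPECT syntax. The rule base, the addresses 10.0.0.7 and 203.0.113.5, the ports and the 60-second table timeout are all constructed for the example. It shows why a stateful filter needs no inbound rule to accept the reply half of an outbound connection, and why an unsolicited inbound packet is refused even though it carries the same addresses.

```python
"""Toy stateful packet filter: rule base plus dynamic connection table.

Added example modelled on the behaviour described in the text; it is not
Check Point code and does not use INSPECT syntax. The rules, addresses,
ports and the 60-second timeout below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


@dataclass(frozen=True)
class Rule:
    src: str                # address prefix such as "10.0.0." or "any"
    dst: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or p.src.startswith(self.src))
                and (self.dst == "any" or p.dst.startswith(self.dst))
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# (proto, src, sport, dst, dport) identifies a connection in the table
ConnKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """The rule base is consulted only for packets that open a connection;
    the connection table decides for every later packet of that connection,
    in either direction, until the entry times out."""

    def __init__(self, rules: List[Rule], timeout: float) -> None:
        self.rules = rules
        self.timeout = timeout
        self.table: Dict[ConnKey, float] = {}   # connection -> expiry time

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> ConnKey:
        # the same connection as seen from the other side (reply direction)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        self.table = {k: t for k, t in self.table.items() if t > now}

    def inspect(self, p: Packet, now: float) -> Tuple[str, str]:
        """Return (action, reason) for one packet observed at time `now`."""
        self._expire(now)
        for key in (self._key(p), self._reverse(p)):
            if key in self.table:
                self.table[key] = now + self.timeout   # refresh the entry
                return "accept", "matches connection table"
        # Without table state, only a bare SYN can legitimately open a TCP
        # connection; any other TCP packet is dropped before the rule base
        # is even consulted. A stateless filter cannot make this distinction.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "drop", "no connection state for non-SYN TCP packet"
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(p):
                if rule.action == "accept":
                    self.table[self._key(p)] = now + self.timeout
                return rule.action, f"rule {number}"
        return "drop", "implicit drop (no rule matched)"


# Constructed rule base: internal hosts may open HTTP connections outward;
# the explicit cleanup rule drops everything else.
RULES = [
    Rule("10.0.0.", "any", "tcp", 80, "accept"),
    Rule("any", "any", "any", None, "drop"),
]


def demo() -> List[Tuple[str, str]]:
    """Walk a constructed packet sequence through the filter."""
    fw = StatefulFilter(RULES, timeout=60.0)
    client, server = "10.0.0.7", "203.0.113.5"
    return [
        # 1. internal client opens a connection: rule 1 accepts, state is recorded
        fw.inspect(Packet(client, server, "tcp", 40000, 80, syn=True), now=0.0),
        # 2. server's SYN/ACK: no rule permits inbound traffic, but the table does
        fw.inspect(Packet(server, client, "tcp", 80, 40000, syn=True, ack=True), now=1.0),
        # 3. unsolicited inbound ACK from the same server to another port: no state
        fw.inspect(Packet(server, client, "tcp", 80, 40001, ack=True), now=2.0),
        # 4. inbound SYN to an internal SSH port: no state, falls through to rule 2
        fw.inspect(Packet(server, client, "tcp", 5555, 22, syn=True), now=3.0),
        # 5. a late packet of connection 1 after its table entry has expired
        fw.inspect(Packet(server, client, "tcp", 80, 40000, ack=True), now=100.0),
    ]


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:6s} {reason}")
```

Packet 2 is the case that separates stateful inspection from a plain packet filter: the rule base contains nothing that permits traffic from 203.0.113.5 into the internal network, yet the reply is accepted because the table remembers that 10.0.0.7 opened the connection. Packet 3 shows the converse: a packet that a stateless filter matching on "source port 80" would let through is dropped for lack of state.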
FireWall-1 Products
The following product options are available during installation. Each option is listed with its components.

FireWall-1 Enterprise Product
- Management Module: centralized graphical security management for either one or an unlimited number of security enforcement points
- Inspection Module: access control; client and session authentication; network address translation; auditing
- Firewall Module: includes the Inspection Module; user authentication; multiple firewall synchronization; content security
- Encryption Module: provides DES encryption (for SKIP and IPSec) and FWZ1 encryption
- Router Security Management: security management for router access control lists across one or more routers
- Open Security Manager: centralized security management for 3Com, Cisco and Microsoft NT Server routers, and Cisco PIX firewalls

FireWall-1 Single Gateway Product
- Management Module: centralized graphical security management for either one or an unlimited number of security enforcement points
- Inspection Module: access control; client and session authentication; network address translation; auditing
- Firewall Module: includes the Inspection Module; user authentication; multiple firewall synchronization; content security

FireWall-1 Enterprise Management Product
- Connect Control Module: automatic application-server load balancing across multiple servers (deployed with FireWall-1)

FireWall-1 FireWall Module
- Inspection Module: access control; client and session authentication; network address translation; auditing
- User authentication; multiple firewall synchronization; content security

FireWall-1 Inspection Module
- Access control; client and session authentication; network address translation; auditing
FireWall-1 Components
FireWall-1 is made up of the Firewall Module and the Management Module and is administered through a graphical user interface (GUI). The modules can reside on the same computer or on separate computers.
Firewall Module
The Firewall Module provides access control; client, user and session authentication; and network address translation (NAT), which rewrites source and destination network addresses. NAT can be used to hide the internal network structure and/or to prevent address conflicts between networks. The Firewall Module also provides auditing, multiple firewall synchronization and content security. It contains the Inspection Module, the FireWall-1 Daemon and the Security Servers.

Inspection Module
The Inspection Module contains the INSPECT engine, the compiled INSPECT code, and the state and context information kept in dynamic tables. INSPECT code is a compiled script generated from the security policy and its rule base; the engine evaluates each packet against it to decide how the packet is handled. The actions that make up access control, client, user and session authentication, NAT, auditing, load balancing and anti-spoofing are triggered by the conditional comparisons that statements in the INSPECT code make on the packet data and the stored context information.

Daemon
The FireWall-1 Daemon is responsible mainly for communication between modules, clients and hosts (SNMPD, FWD, ALERTD).

Security Server
A Security Server is a specialized server that handles authentication for a specific service or protocol (SMTP, TELNET, FTP and HTTP); for services such as SMTP it also provides the content security described later in this course.
Management Module
The Management Module is accessed through the GUI and is located on the Management Server. It is used to control and monitor Firewall Modules residing on local or remote computers. The GUI and the Management Server can reside on separate computers in a client/server configuration.

Management Server
The Management Server is part of the Management Module and holds the FireWall-1 database: the rule base, network objects, servers, users and more. The GUI client interacts with the administrator, but all the data (the database and configuration files) is maintained on the Management Server.

Connect Control Module
The Connect Control Module provides automatic application-server load balancing across multiple servers.

Encryption Module
The Encryption Module enables both firewall-to-firewall and client-to-firewall encryption, so that data is protected in transit to and from a firewalled computer.

Router Security Management
Router Security Management provides management of access control lists, so that rule bases can be enforced on 3Com, Bay Networks and Cisco routers.
Graphical User Interface
The GUI is the front end to the Management Server. The Windows NT Server version of FireWall-1 uses a Windows GUI; the Solaris version uses FireWall-1's command-line interface and the X/Motif GUI. The three GUI programs are:
- Security Policy Editor: creates rules and network objects; controls installation of the security policy
- Log Viewer: views the connections passing through the firewall that are selected for logging; helps identify threats when the network is under attack
- System Status: shows the status of firewalled objects and the alerts from all Firewall Modules
Review
Summary
A firewall is a system designed to prevent unauthorized access to or from an internal network. Firewalls act as locked doors between internal and external networks: data meeting certain requirements can get through the door, whereas unauthorized data never gains access. A firewall is one of the most effective ways of securing a network.

Transmission Control Protocol/Internet Protocol (TCP/IP) is the most common protocol suite used to connect to the Internet and to external networks. Whereas IP deals only with individual packets, TCP enables two hosts to establish a connection and exchange data streams; TCP guarantees delivery of the data and that segments are delivered in the order in which they were sent.

Packet filtering and application-layer gateways were traditionally used to protect the network. FireWall-1's Stateful Inspection architecture and its INSPECT engine combine the best features of these two methods with additional features to give more reliable protection of a network. Stateful Inspection enforces the security policy on the firewalled computer on which it resides and supports a large number of protocols and applications.

The components of FireWall-1 include the following:
- Firewall Module: Inspection Module, Daemon, Security Server
- Management Module: Management Server
- Other FireWall-1 components: Connect Control Module, Encryption Module, Router Security Management
- Graphical User Interface: Security Policy Editor, Log Viewer, System Status
Review Questions
2. Why is Stateful Inspection more reliable than packet filtering and application layer gateways for protecting internal networks?
Chapter II: FireWall-1 Installation and Setup
Topics: FireWall-1 for Solaris; Installing FireWall-1 on Solaris; Configuring FireWall-1 for Solaris; Installing the X/Motif GUI Client
Objectives
- List the minimum system requirements to run FireWall-1
- Demonstrate how to install FireWall-1 on Windows NT Server
- Demonstrate how to install FireWall-1 on Solaris
- Outline the procedure for uninstalling FireWall-1
Figure: FireWall-1 deployment. The Firewall Module (containing the Inspection Module) runs on the firewalled gateway; the Management Module, consisting of the Management Server and the GUI, runs on the management workstation(s).
The functionality of the Management Module can be divided between two workstations: the GUI runs on one, and the Management Server, including the FireWall-1 database, runs on the other. The administrator working in the GUI maintains the FireWall-1 security policy and database, which reside on the server. The Firewall Module is installed on the firewalled gateway, which enforces the security policy and protects the network.
Installation Procedure
To install the firewall on both NT Server and Solaris systems, follow these steps:
1. Install FireWall-1 on the Management Station (the computer housing the Management Server).
2. Install and start the Firewall Module on each of the firewalled hosts.
3. Start the FireWall-1 GUI on the Management Station or on a remote GUI client machine.
Components to Install
For this example, the Firewall and Management Modules are installed on one machine. The GUI is installed later. However, you can install the GUI at the same time by selecting both the FireWall and the FireWall User Interface.
7. Select FireWall-1 and click Next.
8. The Software License Agreement screen appears (Figure 14).
9. Click Yes to accept the agreement.
10. The FireWall-1 Welcome screen appears (Figure 15).
11. Click Next.
12. The Choose Destination Location screen appears, showing the installation directory (Figure 16 on page 34).
13. Accept the default location and click Next, or change it with the Browse button.
14. In the Selecting Product Type screen, select FireWall-1 Enterprise Product (Figure 17).

The FireWall-1 Enterprise Product is the complete package: it includes the gateway and management products and the Firewall and Inspection Modules, with incremental licenses. To install a different product, select one of the products or modules listed below the FireWall-1 Enterprise Product option.
15. Click Next. The Selecting Product Type screen remains, now showing only the Firewall Module and Management Server options (Figure 18).
16. Select both the Firewall Module and the Management Server to install them on the firewall server. The two do not have to be installed on the same server; either can be installed on another machine, giving the client/server model. When installing a machine that will be a firewall module only, select only the Firewall Module option. For this class you will install both on one machine.
17. Click Next. FireWall-1 now installs on the Windows NT Server system. All FireWall-1 products require a license for operation; without a license you cannot use FireWall-1.
18. After the installation of FireWall-1, the Licenses screen appears (Figure 19).
19. Click Add; the Add Licenses screen appears (Figure 20).
20. Type the appropriate information in each field, using the Tab key to move between fields. Figure 21 shows a sample installation license string.
21. Click OK when you have finished entering the license information. The Current Licenses field now lists the newly entered license.
22. Click Next. You are now ready to configure FireWall-1 on the Windows NT Server system.
Administrators
The next step is to specify the administrators allowed to use the GUI client with the Management Server just installed. At least one administrator must be defined to use the Management Server, and each administrator is assigned one of the following permission levels:
- Read/Write: all permissions. Only one FireWall-1 administrator at a time can be logged on with Read/Write permission.
- User Edit: the administrator can modify user information; everything else is read-only.
- Read Only: read-only access to the Security Policy Editor. Administrators with higher permission levels can also log in at this level.
- Monitor Only: the lowest level; allows access only to the Log Viewer and System Status tools.

Give each administrator the lowest level that covers the work they do; Read/Write is needed only by those who change the security policy.
To set up administrators, follow these steps:
1. The Administrators screen appears (Figure 22).
2. Click Add; the Add Administrator screen appears (Figure 23).
3. Type the administrator's name (fwadmin for this class) and password (abc123 for this class) and select the permission level from the menu. The first administrator must be given Read/Write permission. The classroom password is deliberately simple; on a production Management Server choose a strong one, since this account can change the security policy of every firewall the server manages.
After adding an administrator, the new administrator will appear on the Administrator screen.
4. Click OK.
5. Repeat the process for other administrators.
6. When all administrators have been added, click Next.
GUI Clients
The next step is to set up the GUI clients: the list of remote GUI clients (by hostname or IP address) that are allowed to connect to this Management Station. The Management Station itself is always allowed as a GUI client, so for class you do not need to add its name to the list.
1. The GUI Clients screen appears (Figure 24).
2. In the Remote hostname text box, type the name or IP address and click Add to add it to the list of GUI clients.
3. To remove a name, highlight it and click Remove.
4. Repeat to add additional GUI clients.
5. When all GUI clients have been added, click Next.
This list is used for remote management configuration: a GUI connection from a host that is not on the list is refused even when it presents valid administrator credentials, so keep it to the workstations administrators actually use.
Remote Modules
If the Management Module is the only module installed on this computer, you must specify the remote Firewall Modules for which this Management Module is the Master. For this class you will not specify a remote module.
1. The Remote Modules screen appears (Figure 25).
2. In the hostname text box, type the name or IP address and click Add to add it to the list of remote firewall modules.
3. Repeat for other remote modules.
4. When all remote modules have been added, click Next.
Remote modules are used for remote management configuration.
IP Forwarding
The next step in configuring FireWall-1 is to specify whether FireWall-1 should control IP forwarding on the gateway. This setting determines how the firewalled machine behaves at vulnerable times, such as while the system is booting but before the firewall service has started.
1. Two choices are listed on the IP Forwarding screen (Figure 26):
- Control IP Forwarding: FireWall-1 enables IP forwarding only while it is running with a security policy loaded. While no policy is loaded (for example, during boot), no packets are forwarded through the gateway; once a policy is installed, packets are handled according to its rules. Select this option unless there is a specific reason not to: it makes the gateway fail closed.
- Do not control IP Forwarding: IP forwarding is left under the operating system's control, so whenever FireWall-1 is not running the gateway forwards all packets with no security policy applied (it fails open).
2. Select Control IP Forwarding and click Next.
SMTP Security Server
The SMTP security server does not provide authentication, because there is no user at the keyboard who can be challenged for authentication data. Instead it provides content security, enabling a security administrator to perform the following functions:
- Provide mail address translation
- Drop mail from a given address
- Strip MIME attachments of specified types from mail
- Strip the Received information from outgoing mail
- Drop mail messages above a given size
- Protect against viruses
To set up the SMTP security server, follow these steps: 1. In the SMTP Security Server screen, type the appropriate information for the SMTP security server (Figure 27):
Figure 27: SMTP Security Server Screen
2. Click Next.
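As an added example (not Check Point's SMTP security server code), the following Python program applies the content-security functions listed above to a constructed outgoing message: it drops over-size mail and mail from blocked senders, strips attachments of configured MIME types, removes the Received: headers that reveal internal relay hosts, and translates an internal address to its external form. The policy values, hostnames, addresses and the sample message are all constructed for the example; virus scanning is not modelled.

```python
"""Content-security policy for an SMTP relay, modelled on the functions
listed for the SMTP security server. Added example, not Check Point code;
the policy values, hostnames, addresses and sample message are constructed.
"""
from dataclasses import dataclass, field
from email import message_from_string
from email import policy as email_policy
from email.message import EmailMessage
from email.utils import formataddr, getaddresses, parseaddr
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SmtpPolicy:
    max_size: int                                          # bytes; larger mail is dropped
    strip_types: Set[str] = field(default_factory=set)     # MIME types to remove
    drop_senders: Set[str] = field(default_factory=set)    # sender addresses to reject
    rewrite: Dict[str, str] = field(default_factory=dict)  # address translation
    strip_received: bool = True                            # hide internal relay hops


def _translate(msg: EmailMessage, mapping: Dict[str, str], log: List[str]) -> None:
    """Rewrite addresses in the visible address headers."""
    for hdr in ("From", "To", "Cc", "Reply-To"):
        values = msg.get_all(hdr)
        if not values:
            continue
        rewritten = []
        for name, addr in getaddresses(values):
            new = mapping.get(addr.lower(), addr)
            if new != addr:
                log.append(f"translated {addr} -> {new} in {hdr}")
            rewritten.append(formataddr((name, new)))
        msg.replace_header(hdr, ", ".join(rewritten))


def _strip_parts(msg: EmailMessage, types: Set[str], log: List[str]) -> None:
    """Recursively remove MIME parts whose content type is on the strip list."""
    if not msg.is_multipart():
        return
    kept = []
    for part in msg.get_payload():
        ctype = part.get_content_type()
        if ctype in types:
            log.append(f"stripped {ctype} attachment {part.get_filename()!r}")
            continue
        _strip_parts(part, types, log)
        kept.append(part)
    msg.set_payload(kept)


def filter_message(raw: str, pol: SmtpPolicy) -> Tuple[Optional[str], List[str]]:
    """Apply the policy; return (message to relay, or None if dropped, action log)."""
    log: List[str] = []
    if len(raw.encode("utf-8")) > pol.max_size:
        log.append(f"dropped: size exceeds {pol.max_size} bytes")
        return None, log
    msg = message_from_string(raw, policy=email_policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in pol.drop_senders:
        log.append(f"dropped: sender {sender} is blocked")
        return None, log
    if pol.strip_received:
        hops = len(msg.get_all("Received") or [])
        del msg["Received"]          # deletes every Received: header
        if hops:
            log.append(f"stripped {hops} Received header(s)")
    _strip_parts(msg, pol.strip_types, log)
    _translate(msg, pol.rewrite, log)
    return msg.as_string(), log


# Constructed outgoing message: two internal relay hops and an .exe attachment.
SAMPLE = """\
Received: from mx.corp.internal ([10.0.0.25]) by gw.corp.internal; Mon, 1 Mar 1999 10:00:00 +0000
Received: from ws7.corp.internal ([10.0.0.7]) by mx.corp.internal; Mon, 1 Mar 1999 09:59:58 +0000
From: Alice <alice@corp.internal>
To: bob@example.net
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Bob, the figures are attached.
--XYZ
Content-Type: application/x-msdownload; name="report.exe"
Content-Disposition: attachment; filename="report.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

POLICY = SmtpPolicy(
    max_size=1_000_000,
    strip_types={"application/x-msdownload", "application/octet-stream"},
    drop_senders={"spammer@example.org"},
    rewrite={"alice@corp.internal": "alice@example.com"},
)

if __name__ == "__main__":
    out, actions = filter_message(SAMPLE, POLICY)
    print("\n".join(actions))
    print(out)
```

The size check runs on the raw bytes before any parsing, so an oversized message costs nothing to reject; the Received: headers are removed as a group because each one names an internal host and address that the outside world has no need to learn.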
Key Hit Session
The next step is to gather random data for key generation.
1. In the Random Characters box of the Key Hit Session screen, type a string of random keystrokes until the bar is full (Figure 28). As you type, the bar fills until it is completely full.
Figure 28: Key Hit Session Screen
2. Try not to type the same character twice in a row, and vary the delay between characters. A light bulb indicates an accepted character; a bomb indicates an ignored one.
3. After the bar is full, click Next.
CA Keys
The next step is to configure the certificate authority (CA) key. The host uses this RSA key to sign the keys it uses for encryption, and peers use the signature to authenticate those keys before trusting them.
1. The CA Keys screen appears (Figure 29).
2. Select one of the options:
- Generate a new key (do this for class)
- Don't generate a new key
You have reached the end of the installation procedure (Figure 30).
1. Check "Yes, I want to restart my computer now." FireWall-1 does not take effect until the computer has been restarted.
2. Windows NT Server shuts down all applications and restarts the operating system.
Installing the GUI Client on Windows NT Server
6. Click Next.
7. In the Choose Destination Location screen, select where to install the GUI client files (Figure 32).
8. To accept the default location, click Next. To change the directory, click Browse and choose an alternate directory.
9. The Select Components screen appears (Figure 33).
10. Select the components to install, as described in Table 5 on page 49. For this class, select all components.
11. Click Next. The installation process starts.
Table 5: GUI Client Components
- Security Policy Editor: provides configuration of rules and the definition and management of objects
- System Status: provides a quick, at-a-glance view of status information about internal firewalled objects and lets you see alerts
- Log Viewer: an interface for viewing, sorting and obtaining details of logged activities
12. After all components are installed, the following message appears (Figure 34):
13. Click OK. The installation of the FireWall-1 GUI client is complete.
System Requirements
- Supported platforms: Sun SPARC-based systems; Intel x86 and Pentium; HP PA-RISC 700/800; RS/6000, PowerPC
- Operating systems: Solaris 2.5 and higher; HP-UX 10.x; AIX 4.2.1 and 4.3.0
- Disk space: 21 MB
- Memory: 48 MB minimum, 64 MB recommended
- Network interface: all interfaces supported by the operating system
- Media: CD-ROM
- Supported platforms: Sun SPARC-based systems; Intel x86 and Pentium; HP PA-RISC 700/800; RS/6000, PowerPC
- Operating systems: Solaris 2.5 and higher; HP-UX 10.x; AIX 4.2.1 and 4.3.0
- Window system: X11R5/OPEN LOOK (OpenWindows 3) or X/Motif
- Disk space: 21 MB (50 MB for AIX)
- Memory: 16 MB minimum, 32 MB recommended (no special requirements for the Firewall Module)
- Network interface: all interfaces supported by the operating system
- Media: CD-ROM
Installing FireWall-1 on Solaris
directory name is the name of the directory in which the packages reside, typically /cdrom/fw1_4_0_des/solaris2/. The following screen output appears with the list of packages to install:

    The following packages are available:
      1  AMC       Check Point Account Management Client (sparc) 1.0
      2  CKPagent  Check Point FireWall-1 Load Agent (sparc) 4.0
      3  CKPfw     Check Point FireWall-1 (sparc) 4.0
      4  CKPfwgui  Check Point FireWall-1 GUI (sparc) 4.0
      5  CKPfwmap  FireWall-1 HP OpenView Extension (sparc) 4.0,REV=98.01.26
    Select package(s) you wish to process or all to process all packages. default: all

Type 3 to select Check Point FireWall-1 and press Enter.
4. The following screen output appears:

    Processing package instance <CKPfw> from </tmp/rm_me>
    Check Point FireWall-1
    (sparc) 4.0
    Copyright 1994-98 Check Point Software Technologies Ltd. All rights reserved.
    This product and related documentation are protected by copyright and distributed under
    licensing restricting their use, copying, distribution, and decompilation. No part of this
    product or related documentation may be reproduced in any form or by any means without prior
    written authorization of Check Point. While every precaution has been taken in the preparation
    of this software package, Check Point assumes no responsibility for errors or omissions. This
    software package and its features are subject to change without notice.
    The selected base directory </opt/CKPfw> must exist before installation is attempted.
    Do you want this directory created now [y,n,?]

5. Type y and press Enter.
6. The following screen output appears:

    Using </opt/CKPfw> as the package base directory.
    ## Processing package information.
    ## Processing system information.
    ## Verifying disk space requirements.
    ## Checking for conflicts with packages already installed.
    ## Checking for setuid/setgid programs.
    This package contains scripts which will be executed with super-user
    permission during the process of installing this package.
    Do you want to continue with the installation of <CKPfw> [y,n,?]

7. Type y and press Enter. (The package scripts run as root, so install only from media you trust.)
8. Check Point FireWall-1 is installed as <CKPfw>; the following screen output appears:

    ## Installing part 1 of 1.
    /opt/CKPfw/conf/ahclientd/ahclientd1.html
    /opt/CKPfw/conf/ahclientd/ahclientd2.html
    /opt/CKPfw/conf/ahclientd/ahclientd3.html
    /opt/CKPfw/conf/ahclientd/ahclientd4.html
    /opt/CKPfw/conf/ahclientd/ahclientd5.html
    /opt/CKPfw/conf/ahclientd/ahclientd6.html
    /opt/CKPfw/conf/ahclientd/ahclientd7.html
    /opt/CKPfw/conf/auth.C
    /opt/CKPfw/conf/default.W
    ## Executing postinstall script.

9. Then the following screen output appears:

    DON'T FORGET TO:
    1. Add the line:
         setenv FWDIR /opt/CKPfw            to .cshrc
       or
         FWDIR=/opt/CKPfw; export FWDIR     to .profile
    2. Add $FWDIR/bin to path (PATH=$PATH:$FWDIR/bin; export PATH)
    3. Add $FWDIR/man to MANPATH environment (MANPATH=$MANPATH:$FWDIR/man; export MANPATH)
    Important: Please run fwconfig to install the license and to configure FireWall-1.
    Installation of <CKPfw> was successful.
    press <Return> to continue

   (The shell variable names PATH and MANPATH are case-sensitive; set them exactly as shown.)
10. Press Enter.
11. Type fwconfig. The following screen output appears:

    Checking available options. Please wait.....................
    Which of the following FireWall-1 options do you wish to install/configure?
    ---------------------------------------------------------------------------
    (1) FireWall-1 Enterprise Product
    (2) FireWall-1 Single Gateway Product
    (3) FireWall-1 Enterprise Management Console Product
    (4) FireWall-1 FireWall Module
    (5) FireWall-1 Inspection Module

12. Type 1 to select FireWall-1 Enterprise Product and press Enter.
13. The following screen output appears:

    Installing/Configuring FireWall-1 Enterprise Product.
    Which Component would you like to install?
    ------------------------------------------
    (1) FireWall & Management Modules
    (2) FireWall Module only
    (3) Management Module only
    Enter your selection (1-3/a):

14. Type 1 to install both the FireWall and Management Modules.
15. The following screen output appears:

    **************** FireWall-1 kernel module installation ****************
    installing FireWall-1 kernel module... Done.
    **************** Interface Configuration ****************
    Scanning for unknown interfaces...
    Do you wish to start FireWall-1 automatically from /etc/rc3.d (y/n)?

16. Type y and press Enter.
Configuring Administrators
To configure the administrators for FireWall-1, follow these steps:
1. The following screen output appears:

    No FireWall-1 Administrators are currently defined for this Management Station.
    Do you want to add users (y/n)?

2. Type y and press Enter.
3. The following prompt appears:

    User:

4. Enter the name of the administrator to add.
5. The following prompt appears:

    Permissions ([M]onitor-only,[R]ead-only,[U]sers-edit,read/[W]rite):

6. Type W and press Enter.
7. The following prompts appear:

    Password:
    Verify Password:
    User Administrators added successfully

8. Enter the password the administrator will use, then re-enter it to verify it.
9. The following prompt appears:

    Add another one (y/n)?

10. Type n and press Enter.
Configuring GUI Clients
To configure the GUI clients, follow these steps:
1. The following screen output appears:

    GUI clients are trusted hosts from which FireWall-1 Administrators are allowed
    to log on to this Management Station using Windows/X-Motif GUI.
    Do you want to add GUI clients (y/n)?

2. Type n and press Enter.

Configuring Remote Modules
To configure remote modules, follow these steps:
1. The following screen output appears:

    Remote Modules are Firewall or Inspection Modules that are going to be
    controlled by this Management Station.
    Do you want to add Remote Modules (y/n)?

2. Type n and press Enter.

Configuring the SMTP Server
To configure the SMTP Server, follow these steps:
1. The following screen output appears:

    Following are the current values of the SMTP Server configuration:
    timeout: 900
    scan_period: 2
    resend_period: 600
    abandon_time: 432000
    maxrecipients: 50
    rundir:
    postmaster: postmaster
    default_server:
    error_server:
    Would you like to modify the above configuration (y/n)?

2. Type n and press Enter.
Configuring the SNMP Extension
To configure the SNMP Extension, follow these steps:
1. The following screen output appears:

    The SNMP daemon enables FireWall-1 to export its status to external
    network management tools.
    Would you like to activate FireWall-1 SNMP? (y/n)?

2. Type n and press Enter.
Configuring Groups
To configure groups for FireWall-1, follow these steps:
1. The following screen output appears:

    FireWall-1 access and execution permissions.
    Usually, FireWall-1 is given group permission for access and execution.
    You may now name such a group or instruct the installation procedure
    to give no group permissions to FireWall-1. In the latter case, only
    the Super-User will be able to access and execute FireWall-1.
    Please specify group name [<RET> for no group permissions]:

2. Press Enter for no group permissions.
3. The following screen output appears:

    No group permissions will be granted. Is this ok (y/n)?

4. Type y and press Enter.
Configuring IP Forwarding
To configure IP forwarding, follow these steps:
1. The following prompt appears:

    Do you wish to disable IP-Forwarding on boot time (y/n)?

2. Type y and press Enter. Disabling forwarding at boot closes the window in which the gateway would otherwise route packets before FireWall-1 has started.
Configuring the Default Filter
To configure the default filter, follow these steps:
1. The following screen output appears:

    Do you wish to modify your /etc/rcS.d boot scripts to allow a default filter
    to be automatically installed during boot (y/n)?

2. Type y and press Enter.
3. The following screen output appears:

    Which default filter do you wish to use?
    (1) Allow only traffic necessary for boot
    (2) Drop all traffic
    Enter your selection (1-2):

4. Type 1 and press Enter.
5. The default filter is now generated.

Configuring the Certificate Authority Key
To configure the certificate authority key, follow these steps:
1. The following screen output appears:

    You are now asked to perform a short random keystroke session.
    The random data collected in this session will be used for
    generating Certificate Authority RSA keys.
    Please enter random text containing at least six different characters.
    You will see the * symbol after keystrokes that are too fast or too
    similar to preceding keystrokes. These keystrokes will be ignored.
    Please keep typing until you hear the beep and the bar is full.
    ***********************
    Thank you.

2. Enter random text containing at least six different characters until you hear a beep and the bar displayed on the screen is full.
3. A random key is now generated.
4. The following screen output appears:

    Configuring Entrust PKI...
    FireWall-1 can use certificate management software from Entrust (R) Technologies, Inc.
    Do you want to configure FireWall-1 to work with an Entrust PKI? (y/n)

5. Type n and press Enter.
6. The following screen output appears:

    Configuring CA Keys...
    Do you want to create an FWZ Certificate Authority key? (y/n)

7. Type y and press Enter.
8. The following screen output appears:

    Do you want to create a SKIP Certificate Authority key? (y/n)

9. Type y and press Enter.
10. The following screen output appears:

    The installation procedure is now creating an FW Certificate Authority Key
    for this host. This can take several minutes. Please wait...
    Key created successfully
    The installation procedure is now creating a SKIP Certificate Authority key
    for this host. This can take several minutes. Please wait...
    Key created successfully.
    In order to complete the installation of FireWall-1 you must reboot the machine.
    After the machine reboots, you can start FireWall-1 by running fwstart
    Do you want to reboot? (y/n)

11. Type y and press Enter.
12. After the reboot, start FireWall-1 by running fwstart.
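Both the NT Key Hit Session screen and the Solaris keystroke session above accept a keystroke only when it is not too fast, not the same as the previous character and not typed at the same rhythm as the last one, and then use the accepted keystrokes as random input for CA key generation. The following Python program is an added illustration of that collection logic written for this edition, not Check Point's implementation; the thresholds (50 ms minimum delay, 20 ms minimum change in rhythm, 24 accepted keystrokes to fill the bar) and the two constructed typing sequences are assumptions. The requirement of at least six distinct characters is taken from the Solaris prompt.

```python
"""Keystroke entropy collection modelled on the Key Hit Session: a keystroke
is accepted only if it is not too fast, differs from the previous character
and does not repeat the previous inter-key delay; accepted keystrokes are
hashed into a seed. Added example, not Check Point's implementation; the
thresholds, the 24-keystroke bar and the typing sequences are assumptions.
"""
import hashlib
import struct
from typing import List, Optional, Tuple


class KeyHitSession:
    MIN_DISTINCT = 6   # the installer asks for at least six different characters

    def __init__(self, needed: int = 24, min_delay: float = 0.05,
                 min_jitter: float = 0.02) -> None:
        self.needed = needed            # accepted keystrokes that fill the bar
        self.min_delay = min_delay      # seconds; faster keystrokes are ignored
        self.min_jitter = min_jitter    # delay must differ this much from the last one
        self.accepted: List[Tuple[str, float]] = []
        self.last_char: Optional[str] = None
        self.last_time: Optional[float] = None
        self.last_delay: Optional[float] = None

    def feed(self, ch: str, t: float) -> bool:
        """Return True if the keystroke is accepted (light bulb), False if ignored (bomb)."""
        ok = True
        if self.last_time is not None:
            delay = t - self.last_time
            if delay < self.min_delay:
                ok = False                      # too fast: autorepeat or pasted text
            elif ch == self.last_char:
                ok = False                      # same character twice in a row
            elif self.last_delay is not None and abs(delay - self.last_delay) < self.min_jitter:
                ok = False                      # same rhythm as the previous keystroke
            self.last_delay = delay
        self.last_char, self.last_time = ch, t
        if ok:
            self.accepted.append((ch, t))
        return ok

    def distinct(self) -> int:
        return len({c for c, _ in self.accepted})

    def is_full(self) -> bool:
        return len(self.accepted) >= self.needed and self.distinct() >= self.MIN_DISTINCT

    def progress(self) -> float:
        """Fraction of the bar that is filled."""
        return min(1.0, len(self.accepted) / self.needed)

    def seed(self) -> bytes:
        """Hash the accepted characters and their timings into a 32-byte seed."""
        if not self.is_full():
            raise ValueError("bar not full: keep typing")
        h = hashlib.sha256()
        for ch, t in self.accepted:
            h.update(ch.encode("utf-8"))
            h.update(struct.pack(">d", t))
        return h.digest()


def run_session(text: str, delays: List[float]) -> Tuple[KeyHitSession, int, int]:
    """Feed `text` with the given inter-key delays; return (session, accepted, ignored)."""
    s = KeyHitSession()
    t, accepted = 0.0, 0
    for ch, d in zip(text, delays):
        t += d
        accepted += s.feed(ch, t)
    return s, accepted, len(text) - accepted


# Constructed inputs: mechanical alternation at a fixed rate, versus a pangram
# typed with varying delays (a deterministic pattern stands in for a human).
MECHANICAL = ("ab" * 12, [0.2] * 24)
HUMAN_TEXT = "thequickbrownfoxjumpsoverthelazydog"
HUMAN_DELAYS = [0.1 + ((i * 37) % 23) / 100 for i in range(1, len(HUMAN_TEXT) + 1)]

if __name__ == "__main__":
    s, acc, ign = run_session(*MECHANICAL)
    print(f"mechanical: accepted={acc} ignored={ign} full={s.is_full()}")
    s, acc, ign = run_session(HUMAN_TEXT, HUMAN_DELAYS)
    print(f"varied:     accepted={acc} ignored={ign} full={s.is_full()} "
          f"seed={s.seed().hex()[:16]}...")
```

The mechanical sequence is accepted only twice: after the first two keystrokes the constant 200 ms rhythm fails the jitter test every time, which is exactly what the bomb icon and the * marker signal to the user. A real installer would mix the resulting seed with other entropy sources where they exist rather than rely on keystrokes alone; the point shown here is the filter that discards input a human did not plausibly type.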
X/Motif GUI Client Requirements
- Platforms: SunOS; Solaris (except x86); HP-UX; IBM AIX
- Disk space: 15 MB
- Memory: 16 MB
- Network interface: all interfaces supported by the operating system
- Media: CD-ROM
- Software: Motif libraries; FireWall-1 Management Module
The FireWall-1 GUI client does not have to reside on the Management Server computer.
Installing the X/Motif GUI Client
To install the FireWall-1 GUI client on Solaris, use the command-line utility pkgadd, which transfers the installation files to the Solaris machine. Follow these steps:
1. Become superuser:

    hostname% su
    password: your root password

2. Start the installation process:

    hostname# pkgadd -d directory name

3. directory name is the name of the directory in which the packages reside, typically /cdrom/fw1_4_0_des/solaris2/.
4. The following screen output appears with the list of packages to install:

    The following packages are available:
      1  AMC       Check Point Account Management Client (sparc) 1.0
      2  CKPagent  Check Point FireWall-1 Load Agent (sparc) 4.0
      3  CKPfw     Check Point FireWall-1 (sparc) 4.0
      4  CKPfwgui  Check Point FireWall-1 GUI (sparc) 4.0
      5  CKPfwmap  FireWall-1 HP OpenView Extension (sparc) 4.0,REV=98.01.26
    Select package(s) you wish to process or all to process all packages. default: all

5. Type 4 to select FireWall-1 GUI and press Enter.
6. The following screen output appears:

    Processing package instance <CKPfwgui> from </cdrom/fw1_4_0_des/solaris2>
    Check Point FireWall-1 GUI
    (sparc) 4.0
    Copyright 1994-98 Check Point Software Technologies Ltd. All rights reserved.
    (license notice, as shown for the CKPfw package)
    The selected base directory </opt/CKPfwgui> must exist before installation is attempted.
    Do you want this directory created now? (y/n)

7. Type y and press Enter.
8. The following screen output appears:

    Using </opt/CKPfwgui> as the package base directory.
    ## Processing package information.
    ## Processing system information.
    ## Verifying disk space requirements.
    ## Checking for conflicts with packages already installed.
    ## Checking for setuid/setgid programs.
    This package contains scripts which will be executed with super-user
    permission during the process of installing this package.
    Do you want to continue with the installation of <CKPfwgui>? (y/n)

9. Type y and press Enter.
10. The following screen output appears:

    Installing Check Point FireWall-1 GUI as <CKPfwgui>
    (file list)
    Installation of <CKPfwgui> was successful.
Uninstalling FireWall-1
To uninstall a FireWall-1 component on a Windows NT Server system, follow these steps:
1. From the Start menu, select Settings, Control Panel and Add/Remove Programs.
2. Select the FireWall-1 component to uninstall (Figure 35).
To uninstall a FireWall-1 component on a Solaris system, follow these steps:
1. Type:

    cd /opt
    pkgrm component

   (or change directory to the location of the package to be removed). component is one of the following package names:
   - AMC: Check Point Account Management Client
   - CKPagent: Check Point FireWall-1 Load Agent
   - CKPfw: Check Point FireWall-1
   - CKPfwgui: Check Point FireWall-1 GUI
   - CKPfwmap: FireWall-1 HP OpenView Extension

2. The following screen output appears:

    The following package is currently installed:
    CKPfwgui  Check Point FireWall-1 GUI (sparc) 4.0
    Do you want to remove this package? (y/n)

3. Type y and press Enter.
4. The following screen output appears:

    Removing installed package instance <CKPfwgui>
    This package contains scripts which will be executed with super-user
    permission during the process of removing this package.
    Do you want to continue with the removal of this package? (y/n)

5. Type y and press Enter.
6. The following screen output appears:

    Verifying package dependencies.
    Processing package information.
    Removing pathnames in class <base>
    Removal of <CKPfwgui> was successful.

7. The X/Motif GUI client has been removed. Repeat steps 1-6 for any other component.
Review
Summary

The FireWall-1 installation process can be accomplished easily on both the Windows NT Server and Solaris platforms. It is best that the system administrator have all the necessary information before starting this process to ensure that the installation goes smoothly. There are many elements to configure during installation, including the following:
Administrators
GUI Clients
Remote modules
IP forwarding
Security servers
SMTP security server
Certificate authority key
It is important to know what the minimum system requirements are for FireWall-1 to run on the platform of your choice. This ensures you have the available drive capacity and memory in order to run FireWall-1 properly.
Review Questions
1. What are the minimum system requirements for your FireWall-1 system?
2. Which elements will you need information about before installing FireWall-1?
3. What is the difference between installing FireWall-1 components and the GUI installation?
Objectives
Demonstrate how to log on to FireWall-1's GUIs
List the three FireWall-1 GUI programs
Describe what happens when multiple FireWall-1 administrators are logged on
Identify the most frequently used shortcut buttons
Identify the three display modes of Log Viewer
Specify selection criteria and save log files
Identify and define System Status icons
Assign network objects to display in System Status
Enable automatic updating of System Status
Key Terms
Security Policy Editor
Log Viewer
System Status
Security Log
Accounting Entries
Active Connections
FireWall-1 GUIs
FireWall-1 has three GUI programs for configuring your security policy and accessing information. Administrators are assigned varying access privileges to the GUI programs during installation. An administrator with Read/Write privileges can open all three GUI programs from within any one of them. This chapter will help you navigate through each of the following GUI programs:
Security Policy Editor: Provides the management tools to add rules and define properties to create your security policy.
Log Viewer: Allows you to view entries in the Log File.
System Status: Presents a high-level view of operation and flow statistics for all firewalled objects.
Logon Information
To access FireWall-1's management features, you must first log on. If multiple administrators log on at the same time, only one administrator will have Read/Write privileges. You will need to have the following information available to log on:
User Name: A defined administrator of the firewall
Password: The defined password of that administrator
Firewall server: The management station
To log on to the Security Policy Editor in Windows NT, follow these steps:
1. Open the Start menu and select Programs and FireWall-1.
2. Select Security Policy and the Login screen appears (Figure 36):
3. Type in the user name, password and FireWall server.
4. Click OK and the Security Policy Editor GUI appears (Figure 37):
If the Log Viewer GUI or System Status GUI is open, you can open the Security Policy Editor GUI from the Window menu.
To log on to the Security Policy Editor in Solaris, follow these steps:
1. At the prompt, type: cd $FWDIR/bin
2. At the prompt, type: ./fwpolicy
3. The Login screen appears (Figure 36 on page 71).
4. Type in the User Name, Password and the name of the Firewall server.
5. Click OK.

The toolbar buttons are shortcuts for menu commands. The actions of the buttons duplicate actions that are available in the menus. Position the pointer over a button for a description of that button's function. The most commonly used commands are available as shortcut buttons (Figure 38 and Table 6):
Table 6: Security Policy Editor Toolbar Buttons Defined (Button, Menu Command, Description)
File>Save: Save the current Security Policy.
File>Print: Print the current Security Policy.
File>Print Preview: Print Preview of the current Security Policy.
File>Refresh: Refresh the Security Policy from the management server.
Edit>Cut: Delete the selected rule (or rules) and copy to the clipboard.
Edit>Copy: Copy the selected rule (or rules) to the clipboard.
Edit>Paste: Paste the contents of the clipboard.
Manage>Network Objects: Add, remove or edit Network Objects.
Manage>Services: Add, remove or edit Services.
Manage>Resources: Add, remove or edit Resources.
Table 6: Security Policy Editor Toolbar Buttons Defined (Continued)
Manage>Servers: Add, remove or edit Servers.
Manage>Users: Add, remove or edit Users.
Manage>Users on LDAP Account Unit: Add, remove or edit Users on an LDAP Account Unit.
Policy>Properties: Display the Properties Setup screen.
Edit>Add Rule>Bottom: Add a rule at the bottom.
Edit>Add Rule>Top: Add a rule at the top.
Edit>Add Rule>Before: Add a rule before the selected rule.
Edit>Add Rule>After: Add a rule after the selected rule.
Edit>Delete Rule: Delete the selected rule.
Policy>Access Lists: Display the Router Access Lists Operations screen.
Policy>Verify: Verify the Security Policy.
Policy>View: View the Inspection Script.
Policy>Install: Install the Security Policy on the targets.
Policy>Uninstall: Remove the Security Policy from the targets.
Help>Help Topics: Display context sensitive help.
To log on to the Log Viewer, follow these steps:
1. Open the Start menu and select Programs and FireWall-1.
2. Select Log Viewer and the Login screen appears (Figure 39):
3. Type in the user name, password and the management server to connect to. Log events are sent by one or more Firewall Modules to a log server; one of these Firewall Modules may be running on the log server itself.
4. Click OK.
If the Security Policy Editor GUI or System Status GUI is open, you can open Log Viewer GUI from the Window menu.
You can specify which of the available data fields (columns) to display in the Log Viewer. In addition, you can change the width of columns, and define selection criteria based on the columns. Only entries matching the selection criteria will be displayed. To customize your view of the Log File, choose from the following fields:
Bytes: The number of bytes transferred.
Conn. ID: The connection ID, a fixed number which uniquely identifies each connection (Active Connections only).
Date: The date the event occurred.
Destination: The destination of the communication.
DstKeyID: The KeyID of the destination of an encrypted communication.
Elapsed: The duration of the connection, calculated to the time of the last byte transferred.
Info: Additional information (for example, messages generated during Inspection Code installation) not included in other fields.
Inter.: The hardware interface at which the logged event occurred.
No: The number of the log entry (a sequential number assigned by FireWall-1).
Origin: The name of the host enforcing the rule that caused the logged event.
Port: The source port.
Proto.: The communication protocol used.
Rule: The number of the rule in the rule base that was applied to this packet.
Service: The service (destination port) requested by this communication.
Source: The source of the communication.
SrcKeyID: The KeyID of the source of an encrypted communication.
Start date: The date on which the connection began.
Time: The time of day the event occurred.
Type: The type of action that caused the event to be logged.
User: The user name.
Xlate: Address translation data: the translated source and destination addresses and ports.
Column Menu
Right-click anywhere in a column of the Log Viewer GUI, and the Column menu appears (Figure 41):
The Column menu contains the following options:
Hide: Hides the column. To display a hidden column, choose Hide/Unhide from the View menu and check the column to display (unhide).
Selection: Displays only entries of interest in the Log Viewer and hides other entries. The Selection Criteria screen for that column is displayed. Only the log entries that match the selection criteria will be displayed in the Log Viewer.
Find: Finds a specific record in the Log File based on a value in this column. Enter the desired criteria and click OK to move to the matching record.
Width: Changes the width of the column. Specify the column width in pixels or reset the column's width to its default value.
You can display one of three different log modes from the toolbar (Figure 42):
To view varied log information, choose from the following log modes:
Security Log: Shows all security-related events.
Accounting Entries: Shows accounting entries in addition to the security log. The additional accounting columns are Elapsed, Bytes and Start date.
Active Connections: Shows connections currently open through any of the firewalled hosts and gateways that are logging to the currently open log file. In addition to the security log columns, the active connections columns are Elapsed, Bytes, Start date and Conn. ID.
Some of the Log Viewer toolbar buttons are shortcuts for menu commands. Other buttons have no corresponding menu commands (Figure 43 and Table 7).

Table 7 (Definition column):
Open a new log file
Open an existing log file
Save the current log file
Print the current log file
Print preview the current log file
Open the current selection criteria screen
Apply the current selection criteria
Go to the top of the log file
Go to the bottom of the log file
Stop retrieving data from the log file
Reload data from the log file
Toggle the online updating of the Log Viewer from the log file
Block a connection
Choose the view of the Log Viewer: Log, Account and Active
There are several ways to navigate in the Log Viewer. You can scroll through the entries using the scrollbars on the side and bottom of the Log Viewer. You can also use the arrow, Page Up and Page Down keys. From the Edit menu you can navigate to specific areas by selecting from the following options:
Find: Find a record in the Log File based on a value in a specific column.
Go To Top: Go to the beginning of the Log File.
Go To Bottom: Go to the end of the Log File.
To Find Record by Column
To find a specific record in the Log File based on a value in a specific column, follow these steps:
1. On the Edit menu, select Find and the list of Column Fields appears (Figure 44):
2. Select the column with the information you are searching for. For example, if you select the Date column, the Find Date screen appears (Figure 45):
3. Enter the value to search for and click OK to move to the matching record.
4. Repeat these steps for any column and the Find screen for that column appears (Figure 46):
To Find Record in All Columns
The All Columns option allows you to search for a text string in any data column in the Log File. To search for a text string in all the columns, follow these steps:
1. On the Edit menu (Figure 44 on page 79), select Find and All Columns and the Find in all fields screen appears (Figure 47):
2. In the Pattern field, type the text string for the search. You can specify a regular expression in this field.
3. Select one of the Direction options to specify the search direction: Forward (from the current entry), Backward (from the current entry) or From Top.
4. Click OK to go to the matching log entry, which will be highlighted.
To Change Location
To go to the top or bottom of the log file, follow these steps:
1. On the Edit menu (Figure 44 on page 79), select Go To Top or Go To Bottom.
2. Your view moves to the location you specified.

To display only entries of interest in the Log Viewer and to hide other entries, you can specify selection criteria. Specify as many selection criteria as you want. A log entry is displayed only if it matches all the selection criteria. You can also specify selection criteria using the Select menu. To specify selection criteria, follow these steps:
1. On the Select menu, select By Columns. The Column Selection menu appears (Figure 48):
2. Select the name of the column for which to define selection criteria. For example, if you select Services, the Services Selection Criteria screen appears (Figure 49):
3. Select a service from the list of services.
4. Click Add to add it to the list of selected objects. You may also add a service by double-clicking on the service's name.
5. Click Apply.
6. The prompt shown in Figure 50 appears:
If you select Yes, the selection criteria you have just defined are applied to the log view, and any selection criteria you define later are applied automatically as well. If you select No, the prompt shown in Figure 50 appears again each time you click Apply.
7. Repeat these steps for any other column and the selection criteria screen for that column appears (Figure 51):
Each time you add an additional Selection Criteria, the view in the log viewer will change to match the selected information. If you wish to apply or change your selection criteria, review the information in the Selection Options on page 84.
Selection Options
When using selection criteria you can specify certain viewing options by following these steps:
1. On the Select menu, select Options and the Options screen appears (Figure 52):
The following fields can be selected:
Apply Selection Criteria: Applies any selection criteria already defined.
Hide Repeating Lines: Does not show lines that are repeated and differ only by date and time.
Show Null Matches: Displays null matches, that is, entries that have no value in a column used by the current selection criteria and so are neither included nor excluded by it.
Resolve Address: If checked, shows host and domain names. If not checked, displays IP addresses in numeric form.
2. Check Apply Selection Criteria.
3. Click OK to apply the selection criteria.
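The Log Viewer behaviour described above (an entry is shown only if it matches all selection criteria, the Hide Repeating Lines, Show Null Matches and Resolve Address options, and the column sets of the three display modes) is modelled in the following Python, added here as a worked example for this page; it is not Check Point code. The column names follow the text. The sample log entries, the host name table that stands in for DNS, and the criteria (the "Service in {telnet}, Inter. in {le0}" pair, with the interface simplified to its name) are constructed for the example.

```python
# Added example for this page (not Check Point code): a model of the Log Viewer's
# selection criteria, Select > Options settings and the three display modes.
# Column names follow the text; the log entries, the host table standing in for DNS
# and the criteria are constructed sample data.
from typing import Dict, Iterable, List, Optional, Set

Entry = Dict[str, object]   # one log record: column name -> value (None = no value)

# Columns shown in each display mode, per the text above.
SECURITY_FIELDS = ["No", "Date", "Time", "Inter.", "Origin", "Type", "Service",
                   "Source", "Destination", "Proto.", "Rule", "Port", "User", "Info"]
ACCOUNTING_FIELDS = SECURITY_FIELDS + ["Elapsed", "Bytes", "Start date"]
ACTIVE_FIELDS = ACCOUNTING_FIELDS + ["Conn. ID"]
MODE_FIELDS = {"Security Log": SECURITY_FIELDS,
               "Accounting Entries": ACCOUNTING_FIELDS,
               "Active Connections": ACTIVE_FIELDS}

def _entry(no, date, time, inter, typ, service, src, dst, proto, rule, port,
           info=None, **extra) -> Entry:
    e: Entry = {"No": no, "Date": date, "Time": time, "Inter.": inter, "Origin": "fw-a",
                "Type": typ, "Service": service, "Source": src, "Destination": dst,
                "Proto.": proto, "Rule": rule, "Port": port, "User": None, "Info": info}
    e.update(extra)
    return e

# Constructed sample log (not a real FireWall-1 log file).
SAMPLE_LOG: List[Entry] = [
    _entry(1, "12Jan1999", "09:00:01", "le0", "accept", "telnet", "10.1.1.5", "10.2.2.7", "tcp", 3, 1034),
    _entry(2, "12Jan1999", "09:00:05", "le0", "accept", "telnet", "10.1.1.5", "10.2.2.7", "tcp", 3, 1034),  # repeats No 1
    _entry(3, "12Jan1999", "09:01:10", "le1", "accept", "http", "10.2.2.9", "198.51.100.10", "tcp", 5, 2050,
           Elapsed="00:00:12", Bytes=8192, **{"Start date": "12Jan1999"}),
    _entry(4, "12Jan1999", "09:02:30", "le0", "drop", "telnet", "198.51.100.77", "10.2.2.7", "tcp", 0, 4411,
           info="address spoofing"),
    _entry(5, "12Jan1999", "09:03:00", None, "ctl", None, None, None, None, None, None,
           info="Installing policy Standard"),   # control entry: no interface, no service
]

def matches(entry: Entry, criteria: Dict[str, Set[object]], show_null_matches: bool = False) -> bool:
    """Log Viewer rule: an entry is displayed only if it matches ALL selection criteria.
    Each criterion reads 'column in {values}', as in the Current Selection Criteria screen."""
    for column, allowed in criteria.items():
        value = entry.get(column)
        if value is None or value == "":
            # Null match: no value in this column, so neither included nor excluded.
            # Displayed only when Show Null Matches is checked.
            if not show_null_matches:
                return False
            continue
        if value not in allowed:
            return False
    return True

def hide_repeating(entries: Iterable[Entry]) -> List[Entry]:
    """Hide Repeating Lines: drop entries that differ from an earlier one only by Date and
    Time. The sequential entry number is ignored too (assumption: otherwise no two lines
    could ever be equal)."""
    seen = set()
    kept: List[Entry] = []
    for e in entries:
        key = tuple(sorted((k, repr(v)) for k, v in e.items() if k not in ("No", "Date", "Time")))
        if key in seen:
            continue
        seen.add(key)
        kept.append(e)
    return kept

def view(entries: Iterable[Entry], mode: str, criteria: Dict[str, Set[object]], *,
         apply_criteria: bool = True, hide_repeats: bool = False,
         show_null_matches: bool = False,
         resolver: Optional[Dict[str, str]] = None) -> List[Entry]:
    """Rows the Log Viewer would display for the given mode and options. `resolver` stands
    in for DNS (Resolve Address): IP -> host name; unresolved addresses stay numeric."""
    columns = MODE_FIELDS[mode]
    rows = [e for e in entries if not apply_criteria or matches(e, criteria, show_null_matches)]
    if hide_repeats:
        rows = hide_repeating(rows)
    out: List[Entry] = []
    for e in rows:
        row = {c: e.get(c) for c in columns}
        if resolver:
            for c in ("Source", "Destination"):
                if row.get(c) in resolver:
                    row[c] = resolver[row[c]]
        out.append(row)
    return out

# Selection criteria as in the Current Selection Criteria screen: Service in {telnet}, Inter. in {le0}
CRITERIA = {"Service": {"telnet"}, "Inter.": {"le0"}}
# Constructed name table standing in for DNS.
HOSTS = {"10.1.1.5": "alice.corp.example", "10.2.2.7": "mail.corp.example"}

if __name__ == "__main__":
    for row in view(SAMPLE_LOG, "Security Log", CRITERIA, hide_repeats=True, resolver=HOSTS):
        print(row["No"], row["Inter."], row["Type"], row["Service"], row["Source"], "->", row["Destination"])
```

Note that the control entry (No 5) is hidden under the telnet/le0 criteria unless Show Null Matches is on, which is why installation messages disappear from a filtered view; and that Hide Repeating Lines collapses entries 1 and 2 because everything but their date, time and sequence number is identical.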
To view and/or edit the current selection criteria, follow these steps:
1. On the Select menu, select Find and Current to view the list of matching records based on your selection criteria (Figure 53):
Figure 53: Current Selection Criteria screen, with "in {telnet}" and "in {le0.all}" in the Show records matching field.
2. Any current selection criteria appear in the Show records matching field.
3. You may then perform any of the following functions:
Edit: Edit the current selection criteria.
Delete: Delete a particular selection criterion.
Clear: Clear all selection criteria.
4. Click OK to save your changes. Only Log entries matching the criteria in the Current Selection Criteria screen are displayed in the Log Viewer.

To save your selection criteria in a file to use later, follow these steps:
1. On the Select menu, click New Selection.
2. The new Selection screen appears (Figure 54 on page 86).
3. Enter a name for the new selection criteria.
4. Modify the selection criteria as required.
5. On the Select menu, choose Save Selection.
To reuse the selection criteria file, follow these steps:
1. On the Select menu, choose Open Selection.
2. Specify the file name to use. The entries in the Log Viewer are displayed based on the selection criteria you have saved.
The File menu allows you to perform the following tasks: Open, New, Purge, Save, Print and Export.

Important: The following statements affect these menu choices:
When you create a new Log File, the current Log File is closed and written to disk with a name that contains the current date and time. Only one log file can be open in the Log Viewer at a time.
When you select Purge, you delete all the entries in the log file, regardless of which entries are selected. Purge makes no copy; if the entries may be needed later (for example, for an investigation), use New first so that the current file is written to disk.
When printing or saving, only the log entries that match the selection criteria will be printed or saved. You can print all entries displayed in the Log Viewer or all the entries in the file that match the Selection Criteria. To print to a file or to a printer in ASCII (text) format, select the appropriate options in the Print window.
When saving a log file, the current log entries are written to file. Only the records that match the selection criteria are saved (both the entries that are visible in the window and those that are not visible).
To log on to the System Status GUI, follow these steps:
1. On the Start menu, select Programs and then FireWall-1.
2. Select System Status and the Login screen appears (Figure 55):
3. Type the user name, password and the management server to connect to.
4. Click OK.
5. The System Status GUI appears (Figure 56 on page 89).
If the Security Policy Editor GUI or Log Viewer GUI is open, you can open System Status GUI from the Window menu.
Some of the toolbar buttons in the System Status screen are shortcuts for menu commands on the View menu (Table 8):
Table 8 (Definition column):
Opens the Update Status screen.
Before FireWall-1 updates the status display, it broadcasts a status request message to all firewalled objects. For each firewalled object whose status is displayed, the following information is shown:
Date the security policy was installed on the firewalled object
The firewalled object's status
The object's name
Rule base name: the name of the file containing the rule base
Date and time this object's status was last updated in the System Status View screen, manually or automatically
An object status icon appears for each object to indicate its status (Table 9):
Table 9 (Icon, Status):
Unprotected: the security policy is not loaded.
No response: the firewalled object does not respond to requests from FireWall-1 for status updates.
Unresolved: FireWall-1 is unable to resolve this object's IP address.
Alerts
Alerts are sent by Firewall Modules to the management server, which sends them in turn to all the GUI client System Status applications connected to the management server at that moment. The Alert screen contains the following information:
Play Sound: Play a sound when an alert is received.
Show This Window: Display the Alerts screen when an alert is received.
Clear: Clear the selected alert(s).
Dismiss: Close the Alerts screen.
To set up the Alert screen, follow these steps:
1. On the View menu, select Alert (Figure 57):
2. The Alerts screen appears.
3. Check the action you desire on new alerts.
4. Select Dismiss or Clear to return to the System Status screen.
To display a firewalled object's status, choose from the settings in the Show Status screen. To set up the Show Status screen, follow these steps:
1. On the View menu, select Gateways (Figure 59):
2. The Show Status screen appears.
3. Select which firewalled objects to display:
Select specific firewalled objects
Select All to display all firewalled objects
Select Clear to display no firewalled objects
To immediately update the status of a firewalled object, double-click on the object. You can enable or disable automatic updating of the status for specific firewalled objects with the Update Status screen. The Update Status screen contains the following information:
Automatic updating: Click Enabled or Disabled. If Enabled, you can set the number of minutes between automatic updates.
Firewalled objects: Check the firewalled objects you wish to be updated.
To set up the Update Status screen, follow these steps:
1. Select Auto Update from the View menu (Figure 61):
2. The Update Status screen appears.
3. Check Enabled or Disabled for automatic updating.
4. If you check Enabled, set the number of minutes between updates.
5. Check the firewalled objects to update.
6. Click OK to return to the System Status screen.
You can specify the actions to be taken when the status of a firewalled object changes in the Options screen. The Options screen contains the following information:
Action on Transition:
Alert: Issue an alert as defined in the Properties Setup screen.
Mail: Send a mail alert as defined in the Properties Setup screen.
SNMP Trap: Issue an SNMP trap as defined in the Properties Setup screen.
User Defined: Issue a User Defined Alert as defined in the Properties Setup screen.
To set up the Options screen, follow these steps:
1. Select Options from the View menu (Figure 63):
2. The Options screen appears.
3. Check the actions to be taken when the status of a firewalled object changes.
4. Click OK to return to the System Status screen.
Review
Summary

The FireWall-1 logon procedure is simple on both the Windows NT and Solaris platforms. Knowledge and use of the shortcut buttons can add to the efficiency of navigating in each of the following FireWall-1 GUIs:
Security Policy Editor: Provides management tools for adding rules and defining properties to create a security policy.
Log Viewer: Displays the log file consisting of all logged and critical activities on the network.
System Status: Displays the status of all firewalled objects.
In the Security Policy Editor GUI, you create a rule base and define properties to create your security policy. The Log Viewer GUI allows you to view entries in the log file. Each entry in the log file is a record of an event that, according to the rule base or the properties, is to be logged. The Log Viewer gives you control over which information in the log file is displayed by selecting which log entries and data fields to display. When displaying events through the Log Viewer, you can view in any one of three modes:
Security Log
Accounting Entries
Active Connections
The System Status GUI presents a high-level view of operation and flow statistics for all firewalled objects. You can set System Status to report the status of the network objects you specify automatically. For each firewalled object whose status is displayed, the following information is shown:
Date the security policy was installed on the firewalled object
The firewalled object's status
The object's name
Rule base name: for firewalled objects, the name of the file containing the rule base
Date and time this object's status was last updated in the System Status View screen, manually or automatically
Review Questions
2. How many administrators can access FireWall-1 with Read/Write privileges at the same time?
5. What are the three display modes of the Log Viewer and how is each different?
6. How do you display the list of selection criteria that you have specified in the Log Viewer?
7. What are the three status choices that can be reported on firewalled objects?
Unit II Chapter 3: Management Tools
Introduction
After installing FireWall-1, a configuration process is necessary. This ensures that gateways, intranets and other objects connected to the network are recognized by FireWall-1. These objects, consisting of network objects, services, resources, servers, users and time objects, become part of the security policy that protects your network. In this chapter, you will learn about creating objects for use in your security policy. To configure these objects, you will learn to use the following management tools:
Network Objects Manager
Services Manager
Resources Manager
Servers Manager
Users Manager
Time Objects Manager
Although you do not have to define all the objects related to your network, it is important that you have an understanding of each. You will define only the objects that are a part of your network. As each rule or object is defined, it becomes an integral part of the security policy. Objects needed for basic configuration are defined in this chapter. More complex objects are defined in later chapters or in the CCSE course.
Objectives
Identify, define and access the management tools
Explain the difference between internal and external management stations
List the common services already defined by FireWall-1
Key Terms
Manual IPSec
SKIP
ISAKMP/Oakley (IKE)
Virtual Local Area Network (VLAN)
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Remote Procedure Call (RPC)
Internet Control Message Protocol (ICMP)
URL Filtering Protocol (UFP)
Content Vectoring Protocol (CVP)
RADIUS
TACACS
AXENT Defender
LDAP Account Units
Uniform Resource Locator (URL)
Uniform Resource Identifier (URI)
Management Tools
Various management tools are provided in FireWall-1 to define the objects that are in contact with the network. Before an object can be included in the rule base, its properties must first be defined. Management tools can be accessed through the Manage menu of the Security Policy Editor.
To access the management tools, follow these steps: 1. Select Manage from the Security Policy Editor toolbar (Figure 65):
2. Select from the following management tools:
Network Objects
Services
Resources
Servers
Users
Users on account unit
Time
Keys
3. The corresponding management screen appears. Create a new object to be used in the rule base.
Color Scheme
It is helpful to determine a color scheme before defining the objects to include in your rule base. By assigning the same color to related objects, managing your firewall is made easier. A simple color scheme enables you to quickly identify and select objects, rather than scroll through long lists with little or no distinction between objects. To develop a color scheme for your objects, consider the following categories:
Green: Internal elements
Blue: External elements
Red: Firewalls
The Network Objects Manager is a tool used to define the following network objects: networks and subnetworks, hosts, gateways and servers (firewalled or not), routers, Internet domains and logical servers. Before an object is included in the rule base, its properties must first be defined. To access the Network Objects Manager, follow these steps: 1. Select Network Objects from the Manage menu (Figure 65 on page 101). 2. The Network Objects Manager appears (Figure 66):
3. Click New and select the type of object to create. There are nine object types:
Workstation
Network
Domain
Router
Switch
Integrated Firewall
Group
Logical Server
Address Range
The screen options and tabs vary depending on whether FireWall-1 is installed on the object, because certain options are not applicable unless the object is a gateway or has FireWall-1 installed.
General Tab
The General tab for Workstation Properties allows definition of basic information about the workstation. Defining the General tab allows access to the other tabs within the Workstation Properties screen (Figure 67):
The General tab contains the following information:
Name: The hostname of the workstation.
IP Address: The IP address that identifies this workstation.
Get Address: Retrieves the IP address by looking up the name, which reduces the possibility of entering the address incorrectly.
Comment: Any information that describes this workstation.
Location: Whether the object is managed by this management station. An object that is internal to one management station appears as external to any other management station (Figure 68 on page 105):
Internal: Managed by this management station.
External: Not managed by this management station.
Figure 68: Internal and External Management Stations. Management Station #1 manages FW A, FW B and FW C; Management Station #2 manages FW D, FW E and FW F.

Each circled management station with its associated firewalls is internal to itself and can make rules for those firewalls. Neither management station can make rules for the other management station's firewalls. For example, Management Station 1 can make rules for A, B and C but cannot make rules for D, E and F, since these are external to it.
Type: Defines the type of workstation:
Host: A device with a single IP address.
Gateway: A device with multiple IP addresses (interfaces).
Color: The color assigned to the object in your color scheme.
Exportable: Makes this object's definition available (exported) to SecuRemote clients, so that remote users can reach it through an encrypted session.
FireWall-1 Installed: Indicates that a FireWall-1 module is installed on the workstation.
Version: The FireWall-1 version installed on the workstation.
General Tab Setup
To set up the General tab, follow these steps:
1. Define the workstation by completing the information in the fields.
2. Select another tab to continue the Workstation Properties setup, or click OK to return to the Network Objects Manager.
Interfaces Tab
The Interfaces tab allows definition and display of interface names, IP addresses and network masks for the workstation (Figure 69):
The Interfaces tab contains the following information:
Add: Opens the Interface Properties screen to add an interface.
Edit: Opens the Interface Properties screen to edit the selected interface.
Remove: Deletes an interface; highlight the interface and click Remove.
Get: Retrieves the necessary information (names, addresses and masks) for all interfaces from the workstation. Check the result: an interface whose address or mask is wrong makes the anti-spoofing check on that interface wrong too.
Interfaces Tab Setup
To set up the Interfaces tab, follow these steps:
1. Define the interfaces by selecting one of the commands.
2. Select another tab to continue the Workstation Properties setup, or click OK to return to the Network Objects Manager.
Interface Properties
When you add or edit an interface, the Interface Properties screen appears (Figure 70):
The Interface Properties screen contains the following information:
Name: The name of the interface on the host (for example, le0).
Net Address: The IP address of this interface.
Net Mask: The network mask of this interface. If the network is a standard class A, B or C network, the Net Mask does not need to be specified.
Valid Addresses: The source addresses that packets arriving on this interface may legitimately carry:
Any: Default selection. No anti-spoofing check is performed on this interface.
This net: Only packets whose source IP addresses are part of the network connected to this interface are allowed. Used on an internal NIC, mostly for DMZs, and only if there is a single network behind the interface.
No security policy!: No security policy is installed on this interface. Used when the security policy is enforced on another interface of this object.
Others: Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's other interfaces. Used on the external NIC: once the internal networks have been identified, Others is anything other than those networks.
Others +: Like Others, with a specified group of addresses also allowed; used for non-standard packet flows such as NAT. Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's other interfaces, unless the address is in the specified group. Use on the external NIC when you have identified the internal networks and Others + is anything other than those networks, plus the group.
Specific: Packets are allowed only from this group, typically a group of network objects.
Spoof tracking: Spoofed packets are always dropped. The additional action taken is selected from the following options:
None: No additional action is taken.
Log: The spoofing attempt is logged.
Alert: The action specified in the Anti Spoof Alert command field in the Log and Alert tab of the Properties Setup screen is taken.
When anti-spoofing is specified, an implicit anti-spoof rule is generated. This rule comes first in the rule base, even before the properties specified in the Security Policy tab of the Properties Setup screen. Leaving Valid Addresses at Any on an external interface means a packet claiming an internal source address is never dropped by this rule, so set it on every interface whose networks are known. Anti-spoofing and its relation to the Interfaces tab is described further in Unit III Chapter 2: Administering Security Policy with Rule Base on page 221.
Interface Properties Setup
To set up the Interface Properties screen, follow these steps:
1. Define the interface by completing the information in the fields.
2. Click OK to return to the Interfaces tab.
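The Valid Addresses and Spoof tracking settings just described, modelled in Python as a check run on each packet before the rule base. This is a worked example added for this page and is not Check Point's INSPECT code. The gateway (internal le0, DMZ le1, external hme0), the address ranges, the statically translated public range 203.0.113.64/26 and the packets are constructed; the reading of Others as "everything except the networks listed as valid behind the gateway's other interfaces" follows the text above.

```python
# Added example for this page (not Check Point's INSPECT code): the Valid Addresses and
# Spoof tracking settings of the Interface Properties screen, evaluated per packet as the
# implicit anti-spoof rule that precedes the rule base. Topology and packets are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network

@dataclass
class Interface:
    name: str
    net: Net                        # Net Address + Net Mask of the interface
    valid: str = "Any"              # Any | This net | No security policy! | Others | Others + | Specific
    group: List[Net] = field(default_factory=list)   # group used by Specific and Others +
    spoof_tracking: str = "None"    # None | Log | Alert

def listed_networks(iface: Interface) -> List[Net]:
    """Networks explicitly claimed as valid behind an interface. 'Others' on one interface
    excludes exactly these networks of the gateway's other interfaces."""
    if iface.valid == "This net":
        return [iface.net]
    if iface.valid in ("Specific", "Others +"):
        return list(iface.group)
    return []

def source_is_valid(src: str, iface: Interface, gateway: Dict[str, Interface]) -> bool:
    ip = ipaddress.ip_address(src)
    if iface.valid in ("Any", "No security policy!"):
        return True                          # no anti-spoofing on this interface
    if iface.valid == "This net":
        return ip in iface.net
    if iface.valid == "Specific":
        return any(ip in n for n in iface.group)
    if iface.valid == "Others +" and any(ip in n for n in iface.group):
        return True                          # the extra group (e.g. translated addresses) is always accepted
    # Others / Others +: anything except what is valid behind another interface of this gateway
    for other in gateway.values():
        if other.name != iface.name and any(ip in n for n in listed_networks(other)):
            return False
    return True

def anti_spoof(src: str, iface_name: str, gateway: Dict[str, Interface]) -> Tuple[str, str]:
    """Implicit anti-spoof rule: returns (verdict, track). verdict is 'pass' (continue to the
    rule base) or 'drop'; track is the Spoof tracking action for a dropped packet."""
    iface = gateway[iface_name]
    if source_is_valid(src, iface, gateway):
        return "pass", "none"
    return "drop", iface.spoof_tracking.lower()

# Constructed gateway. 203.0.113.64/26 is a public range statically translated to internal
# servers, so it is listed behind le0 and allowed back in on hme0 through Others +.
NAT_RANGE = Net("203.0.113.64/26")
GATEWAY = {
    "le0":  Interface("le0",  Net("10.1.0.0/16"),    "Specific", [Net("10.1.0.0/16"), NAT_RANGE], "Log"),
    "le1":  Interface("le1",  Net("192.0.2.0/24"),   "This net", [], "Alert"),
    "hme0": Interface("hme0", Net("203.0.113.0/24"), "Others +", [NAT_RANGE], "Alert"),
}

if __name__ == "__main__":
    for src, ifc in [("10.1.5.5", "le0"), ("10.1.5.5", "hme0"), ("198.51.100.9", "hme0"),
                     ("203.0.113.70", "hme0"), ("192.0.2.3", "le0")]:
        print(f"{src:>15} on {ifc:<4} -> {anti_spoof(src, ifc, GATEWAY)}")
```

The second packet is the classic case: a source address from the internal range arriving on the external interface is dropped and alerted before any rule is consulted. Changing hme0 from Others + to plain Others makes the translated range 203.0.113.64/26 a spoofed source on hme0, because it is listed as valid behind le0; that is the difference the two settings encode.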
Authentication Tab
Encryption Tab
The Encryption tab of the Workstation Properties specifies encryption parameters for network objects (Figure 71 on page 109). For a gateway to perform encryption, the encryption domain must first be defined. The gateway can then conduct encrypted sessions on network objects in the encryption domain. This only applies to workstations or gateways with FireWall-1 installed on them.
The Encryption tab contains the following information:

Encryption Domain: The set of network objects on whose behalf this gateway encrypts; Disabled is the default setting. If all gateway interfaces have been defined in the Interfaces tab of the gateway's Workstation Properties screen, then Valid Addresses can be selected as the encryption domain.
Encryption Methods Defined: The encryption method used for the selected domain.

Encryption Methods

An encryption method consists of the following elements:
  An encryption algorithm for encrypting messages
  An authentication algorithm for ensuring integrity, that is, that messages have not been tampered with
  A key management protocol for generating and exchanging keys
Encryption Schemes

FireWall-1 supports the following encryption schemes: FWZ, Manual IPSec, SKIP and ISAKMP/Oakley (IKE).

FWZ

FWZ is a FireWall-1 proprietary encryption and key management scheme. FWZ manages keys automatically, including updating public keys. FWZ encryption does the following:
  Encrypts all data behind the IP and TCP headers, using in-place encryption
  Uses a reliable-data protocol to manage VPN session keys, encryption methods and data integrity
  Obtains certified Diffie-Hellman public keys from a trusted certificate authority
  Supports the FWZ-1, DES and Triple DES algorithms; FWZ-1 uses a 40-bit key, which is what made it exportable outside the United States
  Uses the FWZ scheme to authenticate passwords
Manual IPSec

IPSec is an encryption and authentication scheme. A security association (SA) is associated with each packet, consisting of:
  Functionality: Indicates whether the packet is encrypted, authenticated or both
  Algorithms: Specifies the encryption algorithm and authentication algorithm used for the packet
  Keys: The keys used in the above algorithms
  Additional data
Manual IPSec has two shortcomings:
  The keys are fixed for the duration of the connection
  There is no mechanism for exchanging keys; they must be configured by hand on both ends
SKIP

SKIP overcomes the shortcomings of Manual IPSec by providing a hierarchy of keys that change over time. The hierarchy is used to encrypt the connection as well as to implement a key exchange protocol.

ISAKMP/Oakley (IKE)

ISAKMP/Oakley, also known as Internet Key Exchange (IKE), is a standard for negotiating Security Associations (SAs) between two hosts that will be using IPSec, and is the key management scheme chosen for IP Version 6. In IP Version 4, ISAKMP/Oakley is optional. ISAKMP/Oakley offers improved authentication (HMAC) and Perfect Forward Secrecy (PFS): session keys are derived from ephemeral Diffie-Hellman values, so compromise of a long-term key does not expose the keys of earlier sessions.

Encryption Tab Setup

To set up the Encryption tab, follow these steps:
1. Define the encryption parameters by completing the information in the fields.
2. Choose another tab to continue the Workstation Properties setup or click OK to return to the Network Objects Manager.
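The two properties credited to ISAKMP/Oakley above, HMAC-based packet authentication and Perfect Forward Secrecy, are easiest to see next to the fixed key of a Manual IPSec SA. The Python below is an added example written for this page; it is not Check Point code and not IKE itself. The 127-bit prime is a toy group chosen so the block stays short (real IKE groups are 768 bits and up), the nonce handling is simplified, and the message names are assumptions.

```python
"""Ephemeral Diffie-Hellman key agreement with HMAC integrity, contrasted
with a manually keyed SA.  Added example, not Check Point code or IKE."""
import hashlib
import hmac
import secrets
from typing import Tuple

P = (1 << 127) - 1   # toy prime (assumption for brevity); IKE uses 768-bit+ MODP groups
G = 5


def dh_keypair() -> Tuple[int, int]:
    """Ephemeral private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function; IKE derives its SKEYID with an HMAC like this."""
    return hmac.new(key, data, hashlib.sha256).digest()


def negotiate_sa() -> Tuple[bytes, bytes]:
    """One IKE-style exchange.  Each side contributes an ephemeral DH value and a
    nonce; both derive the same session key although it is never transmitted."""
    x_i, g_xi = dh_keypair()                       # initiator
    x_r, g_xr = dh_keypair()                       # responder
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    # message 1  initiator -> responder : g_xi, n_i
    # message 2  responder -> initiator : g_xr, n_r
    k_i = prf(n_i + n_r, pow(g_xr, x_i, P).to_bytes(16, "big"))
    k_r = prf(n_i + n_r, pow(g_xi, x_r, P).to_bytes(16, "big"))
    # x_i and x_r go out of scope here: with no long-lived secret able to
    # recompute k, a later compromise cannot expose this session (PFS).
    return k_i, k_r


MANUAL_KEY = hashlib.sha256(b"typed once into both gateways").digest()


def manual_sa() -> Tuple[bytes, bytes]:
    """Manual IPSec: the same static key for every connection and no exchange."""
    return MANUAL_KEY, MANUAL_KEY


def protect(key: bytes, seq: int, payload: bytes) -> Tuple[int, bytes, bytes]:
    """Authenticate a packet AH-style: HMAC over sequence number and payload."""
    hdr = seq.to_bytes(4, "big")
    return seq, payload, hmac.new(key, hdr + payload, hashlib.sha256).digest()


def verify(key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    """Constant-time check of the HMAC tag."""
    hdr = seq.to_bytes(4, "big")
    expected = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    k1, _ = negotiate_sa()
    k2, _ = negotiate_sa()
    pkt = protect(k1, 1, b"session one data")
    print("session keys differ:", k1 != k2)
    print("packet verifies with its own key:", verify(k1, *pkt))
    print("packet verifies with a later session key:", verify(k2, *pkt))
    print("manual SA reuses its key:", manual_sa() == manual_sa())
```

Running it twice produces two unrelated session keys and a packet from the first session that the second session's key cannot verify, which is the PFS property; the manual SA returns the same key every time, which is the first shortcoming listed above. In the real protocol the exchange is additionally authenticated with a pre-shared secret or certificates, otherwise an attacker in the path could run the exchange with each side.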
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.
SNMP Tab
General Tab
The General tab for the Network Properties allows definition of basic information about the network (Figure 72):
The General tab contains the following information:

Name: The user-defined name of the network definition.
IP Address: The network address, that is, the IP address with the host portion set to zero (for example, 192.168.1.0 for a class C network).
Net Mask: If this is a standard class A, B or C network, this field does not apply. If non-standard (subnetted), enter the net mask in this field.
Comment: Any information that describes this network.
Color: Defines the color scheme of the object.
Location: Whether the network is internal or external to the firewalls this management station controls. An object that is internal to one management station should appear as external to other management stations.
  Internal: Protected by the firewall.
  External: Outside the firewall.
Broadcast: Allowed/Disallowed: Specifies whether the network's broadcast address is considered part of the network.
General Tab Setup

To set up the General tab, follow these steps:
1. Define the network by completing the information in the fields.
2. Select another tab to continue the Network Properties setup or click OK to return to the Network Objects Manager.
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.
The first time a rule containing a domain object is applied to a specific IP address, there is a slight delay while the Inspection Module reverse-resolves the IP address. The resolved name is then stored in a local cache, so the delay occurs only once per IP address per rule. To minimize these delays, rules containing domain objects should be positioned as far down as possible in the rule base. Note also that the match depends on reverse DNS: the PTR record for an address is controlled by whoever administers that address space, so a domain object is a weak basis for granting access.
General Tab
The General tab for Domain Properties allows definition of basic information about the domain (Figure 74):
Name: Enter an Internet or intranet domain name. In Figure 74 the domain name is .checkpoint.com; the name starts with a period ( . ).
Comment: Any information that describes this domain.
Color: Defines the color scheme of the object.

General Tab Setup

To set up the General tab, follow these steps:
1. Define the domain by completing the information in the fields.
2. Click OK to complete the Domain Properties setup and return to the Network Objects Manager.
General Tab
The General tab for Router Properties allows definition of basic information about the router. Defining the General tab allows access to the other tabs (Figure 75):
The General tab contains the following information:

Name: The name of the router.
IP Address: The IP address that identifies this router.
  Get Address: Retrieves the IP address, reducing the possibility of entering it incorrectly.
Type: Select the router type from the drop-down menu.
Comment: Any information that describes this router.
Color: Defines the color scheme of the object.
Location: Internal objects on this management station appear as external to other management stations.
  Internal: Managed by the management station.
  External: Not managed by the management station.
FireWall-1 Installed: Indicates a FireWall-1 module is installed on the router.
General Tab Setup

To set up the General tab, follow these steps:
1. Define the router by completing the information in the fields.
2. Select another tab to continue the Router Properties setup or click OK to return to the Network Objects Manager.
Interfaces Tab
The Interfaces tab allows definition and display of interface names, IP addresses and network masks for the router (Figure 76):
The Interfaces tab contains the following information:

Add: Opens the Interface Properties screen to add an interface.
Edit: Opens the Interface Properties screen to edit the selected interface.
Remove: Delete an interface by highlighting it and clicking Remove.
Get: Retrieves the necessary information for all interfaces.

Interfaces Tab Setup

To set up the Interfaces tab, follow these steps:
1. Define the interfaces by selecting one of the commands.
2. Select another tab to continue the Router Properties setup or click OK to return to the Network Objects Manager.
Interfaces Properties When you add or edit an interface, the Interface Properties screen appears (Figure 77):
This Interface Properties screen contains the same fields as the workstation Interface Properties screen:

Name: The interface associated with the host name.
Net Address: The IP address of the host.
Net Mask: If the network is a standard class A, B or C network, the Net Mask does not need to be specified.
Valid Addresses: Which source addresses are legitimate on this interface:
  Any: Default selection. Does not allow spoof tracking.
  This net: Packets are allowed whose source IP addresses are part of the network connected to this interface. Used on the internal NIC, mostly for DMZs, and only if there is a single network behind the interface.
  No security policy!: No security policy is installed on this interface. Used when the security policy is enforced on another interface of this object.
  Others: Packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's other interfaces. Used on the external NIC when you have identified the internal networks; Others is anything other than the identified networks.
  Others +: Others, plus a group of network objects that you specify. Used to allow traffic with a non-standard packet flow, such as packets carrying NAT addresses. Use on the external NIC when you have identified the internal networks; Others + is anything other than the identified networks, together with the extra objects.
  Specific: Packets are allowed only from this group. This is typically a group of network objects.
Spoof tracking: Spoofed packets are always dropped. The additional action taken is selected from the following options (anti-spoofing and its relation to the Interfaces tab is defined in Unit III Chapter 2: Administering Security Policy with Rule Base on page 221):
  None: No additional action is taken.
  Log: The spoofing attempt is logged.
  Alert: The action specified in the Anti Spoof Alert command field in the Log and Alert tab of the Properties Setup screen is taken.

When anti-spoofing is specified, an implicit anti-spoof rule is generated, which comes first in the rule base, even before the properties specified in the Security Policy tab of the Properties Setup screen.

Interface Properties Setup

To set up the Interface Properties screen, follow these steps:
1. Define the interface by completing the information in the fields.
2. Click OK to return to the Interfaces tab.
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.
SNMP Tab
Setup Tab
In the case of access lists and filters, the Setup tab allows for the entry of parameters such as router manager IDs and passwords. The information in the Setup tab varies depending on the router type selected: CISCO, Bay Networks, 3Com or Steelhead (Figure 78).

Figure 78: Router Properties - Setup Tab

Setup Tab Setup

To complete the Setup tab, follow these steps:
1. Define the parameters by completing the information in the fields.
2. Choose another tab to continue the Router Properties setup or click OK to return to the Network Objects Manager.
The General tab contains the following information:

Name: The name of the switch.
IP Address: The IP address that identifies this switch.
  Get Address: Retrieves the IP address, reducing the possibility of entering it incorrectly.
Comment: Any information that describes this switch.
Type: Select the type of switch.
Color: Defines the color scheme of the object.
Location: Internal objects on this management station appear as external to other management stations.
  Internal: Managed by the management station.
  External: Not managed by the management station.
FireWall-1 Installed: Indicates a FireWall-1 module is installed on the switch.
General Tab Setup

To set up the General tab, follow these steps:
1. Define the switch by completing the information in the fields.
2. Choose another tab to continue the Switch Properties setup or click OK to return to the Network Objects Manager.
Interfaces Tab
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.
SNMP Tab
To configure the SNMP tab, see SNMP Tab on page 124.
VLANs Tab

The VLANs tab allows you to configure and display the properties of the Virtual Local Area Networks (VLANs) associated with a switch (Figure 80):

The VLANs tab contains the following information:

Add: Click Add and the Interface Properties screen appears.
Edit: Click Edit to edit an existing interface; the Interface Properties screen appears.
Remove: Highlight an interface and click Remove.
SNMP Get: Click to retrieve the necessary information for all interfaces.

VLANs Tab Setup

To set up the VLANs tab, follow these steps:
1. Define the VLAN by selecting one of the commands.
2. Choose another tab to continue the Switch Properties setup or click OK to return to the Network Objects Manager.
Setup Tab
The Setup tab for Switch Properties contains the External Interface and License Type (Figure 81; in the figure the external interface is le0):

The Setup tab contains the following information:

External Interface: Name of the external interface.
License Type: Pull-down list of license types (number of users allowed per license).

Setup Tab Setup

To complete the Setup tab, follow these steps:
1. Define the switch properties by completing the information in the fields.
2. Choose another tab to continue the Switch Properties setup or click OK to return to the Network Objects Manager.
The General tab contains the following information:

Name: The name of the integrated firewall.
IP Address: The address that uniquely identifies this object.
  Get Address: Retrieves the IP address, reducing the possibility of entering it incorrectly.
Comment: Any information that describes this integrated firewall.
Type: Choose between TimeStep PermitGate and CISCO PIX Firewall.
Color: Defines the color scheme of the object.
Location: Internal objects on this management station appear as external to other management stations.
  Internal: Managed by the management station.
  External: Not managed by the management station.
FireWall-1 Installed: Indicates a FireWall-1 module is installed on the integrated firewall.
General Tab Setup To set up the General tab, follow these steps: 1. Define the integrated firewall by completing the information in the fields. 2. Choose another tab to continue the Integrated FireWall Properties setup or click OK to return to the Network Objects Manager.
Interfaces Tab
SNMP Tab
The SNMP tab enables you to retrieve or set SNMP information for the integrated firewall (Figure 83):
The SNMP tab contains the following information:

sysName: The object's name.
sysLocation: The object's location.
sysContact: The name of a contact person.
Get: Retrieves the necessary information about this network object.
Set: Sets the object's properties to those shown in this window.
Read Community: The community string with read permission for this object.
Write Community: The community string with write permission for this object.

SNMPv1 and v2c community strings travel in the clear and the write community lets the object's settings be changed, so do not leave them at vendor defaults such as public and private, and restrict which hosts may query the device.
SNMP Tab Setup To set up the SNMP tab, follow these steps: 1. Define the integrated firewall by completing the information in the fields. 2. Select another tab to continue the Integrated Firewall Properties setup or click OK to return to the Network Objects Manager.
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.
The Setup tabs of the Integrated Firewall Properties screens contain fields that are specific to the type of Firewall you selected on the General tab (Figure 84):
The Setup-A tab contains the following information:

Inside Addresses: The networks for which the PIX Integrated FireWall performs address translation.
Xlate Timeout: The time after which a PIX address translation slot times out and the global address is returned to the available pool.
Conn Timeout: The period after which a PIX connection slot times out.
Enable Password: The password required to modify PIX settings.
PIX Password: The password required to enable communication between the Management Server and the PIX Integrated FireWall.
Version: The drop-down list that displays the PIX version.
Authentication:
  Server: Drop-down list of previously defined authentication servers.
  Enable Outbound Authentication: Requests authentication for outbound connections.
  Enable Inbound Authentication: Requests authentication for inbound connections.
  Shared Secret: The secret shared between the PIX and the authentication server, used to protect their communication (it is a symmetric secret, not a public key, so it must be configured identically on both sides and kept confidential).
  Type: Specifies the authentication scheme: RADIUS or TACACS.
For Cisco PIX integrated firewalls, a second tab appears (Figure 85):
The Setup-B tab contains the following information:

RIP Inside: Defines RIP settings on the PIX inside interface.
  Default: Broadcasts a default route to the inside network.
  Passive: Enables passive RIP (listen only).
RIP Outside: Defines RIP settings for the PIX outside interface.
  Default: Broadcasts a default route to the outside network.
  Passive: Enables passive RIP (listen only).
Failover: Enables the PIX failover feature, in which a secondary PIX firewall takes over connections if the primary PIX fails.
Private Link Key Duration: Sets the interval in minutes at which PIX Private Link keys are changed.
Private Link Connections: Lists the remote PIX units with which you want to establish PIX Private Link communications. Connections between the local PIX and the remote PIX will be encrypted.
  New: Adds a remote PIX.
  Edit: Opens the encryption properties of the remote Integrated FireWall.
  Remove: Removes the selected remote PIX.
When you select TimeStep on the General tab, the following setup screen appears (Figure 86):

Figure 86: Integrated FireWall Properties - Setup Tab

The TimeStep Setup screen contains the following information:

External Interface: Name of the external interface.
License Type: Pull-down list of license types (number of users allowed per license).

Setup Tab Setup

To complete the Setup tab, follow these steps:
1. Complete the information in the fields.
2. Select another tab to continue the Integrated Firewall Properties setup or click OK to return to the Network Objects Manager.
The Group Properties screen contains the following information:

Name: The name of the group.
Comment: Any information that describes this group.
Color: Defines the color scheme of the object.
Not in Group: The objects available to be included in the group.
Add: Adds the selected object to the group.
Remove: Removes the selected object from the group.

Group Properties Setup

To set up the Group Properties, follow these steps:
1. Define the group by completing the information in the fields.
2. Click OK to save the Group Properties setup and return to the Network Objects Manager.
General Tab
An Address Range object defines a contiguous range of IP addresses; it is used, for example, as the pool in hide-mode address translation (Figure 88):
The General tab contains the following information:

Name: The name of the range.
First IP Address: The first IP address in the range.
Last IP Address: The last IP address in the range.
Comment: Any information that describes this address range.
Color: Defines the color scheme of the object.
General Tab Setup To set up the General tab, follow these steps: 1. Define the address range by completing the information in the fields. 2. Select another tab to continue the Address Range Properties setup or click OK to return to the Network Objects Manager.
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation on page 259.
Define gateways

Define the following firewalled gateways. Color all brick-red:
  fw.detroit.com   204.32.38.101
  fw.chicago.com   204.32.38.102
  fw.london.com    204.32.38.103
  fw.newyork.com   204.32.38.104
  fw.paris.com     204.32.38.105
  fw.tokyo.com     204.32.38.106
  fw.moscow.com    204.32.38.107
  fw.berlin.com    204.32.38.108
Define networks

Define the following local networks. Color yours green, the others blue:
  net-detroit   192.168.1.0
  net-chicago   192.168.2.0
  net-london    192.168.3.0
  net-newyork   192.168.4.0
  net-paris     192.168.5.0
  net-tokyo     192.168.6.0
  net-moscow    192.168.7.0
  net-berlin    192.168.8.0
Services Manager
FireWall-1 controls access to hosts and networks not only by the source and destination addresses, but also by the service requested or used in each packet.

Service Object Setup

Before you can use a service in a rule base, you must define its properties. To set up services, follow these steps:
1. Select Services from the Manage menu (Figure 89).
3. Click New and select the type of service to define from the menu.
Allowed Services

You can set up the following types of services:
  TCP
  UDP
  RPC
  ICMP
  Other
  Group
  Port Range
TCP
Transmission Control Protocol (TCP) allows hosts to send and receive streams of data. TCP guarantees that data sent from one side is received at the other side in order, without loss or corruption. The majority of Internet services are built on top of TCP.
The TCP Service Properties screen contains the following information (Figure 91):

Name: The name as it appears in the services file, which enables FireWall-1 to retrieve the port number automatically. If Network Information Service (NIS) is used on the system, FireWall-1 consults the NIS services map. (NIS is a UNIX service that distributes configuration information automatically across the network.) The services files on Windows NT and Solaris are:
  NT: c:\winnt\system32\drivers\etc\services
  Solaris: /etc/services
Comment: Any information that describes this service.
Color: Defines the color scheme of the object.
Port (Get): The number of the port used to provide this service. If the port number is omitted, FireWall-1 attempts to resolve it (based on the service name) when the rule base is installed. If resolution fails, an error message is issued and installation fails.
Source port range: Only packets with source ports in this range are considered to belong to this service.
Protocol Type: Specifies which type of resource can be associated with this service.
Fast Mode: If Fast Mode is enabled for a service, packets belonging to this service on established connections are accepted without further inspection. This trades inspection for throughput: in most cases you will want to select Fast Mode, but leave it off for services where every packet of the connection should be inspected.
UDP
User Datagram Protocol (UDP) is primarily used for protocols where timeliness matters more than receiving every packet. For example, audio streaming protocols usually use UDP because they can tolerate losing a few packets but cannot tolerate the delay of retransmitting lost packets.
The UDP Service Properties screen contains the following information (Figure 92):

Name: The name assigned here should be identical to the service name as it appears in the services file. If Network Information Service (NIS) is used, FireWall-1 automatically retrieves the information from NIS.
Comment: Any information that describes this service.
Color: Defines the color scheme of the object.
Port (Get): The port number used to provide this service. If the port number is omitted, FireWall-1 attempts to resolve it (based on the service name) when the rule base is installed. If resolution fails, an error message is issued and installation fails.
Source port range: Only packets with source ports in this range are considered to belong to this service.
RPC
Remote Procedure Call (RPC) allows a program on one computer to execute a program on a server computer. The client program sends a message to the server with appropriate arguments and the server returns a message containing the results of the program executed.
The RPC Service Properties screen contains the following information (Figure 93):

Name: The name as it appears in the RPC file allows FireWall-1 to retrieve the program number automatically. (The RPC file is /etc/rpc on Solaris; it is not available on NT.) If Network Information Service (NIS) is used on the system, FireWall-1 consults the NIS rpc map.
Comment: Information that describes this service.
Color: Defines the color scheme of the object.
Program Number: The program number is the RPC equivalent of a service port number. For standard services, you can retrieve the program number from the RPC database. If the program number is omitted, FireWall-1 attempts to resolve it when the rule base is installed. If resolution fails, an error message is issued and installation fails.
ICMP
Internet Control Message Protocol (ICMP) is an extension to the IP. ICMP supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection. All ICMP services are predefined in FireWall-1.
The ICMP Service Properties screen contains the following information (Figure 94):

Name: The service's name. The name assigned here should be identical to the service name as it appears in the services file. FireWall-1 retrieves some properties automatically.
Comment: Any information that describes this service.
Color: Defines the color scheme of the object.
Match: The INSPECT language expression that determines whether a packet belongs to this service.
Pre-Match: INSPECT language code to be executed before the rule base.
Prologue (optional): A fixed code string added to the rules at the head of the rule base.
Other
An Other (user-defined) service uses an INSPECT expression to identify packets that none of the built-in service types can describe. Use Other for protocols that do not run over TCP, UDP or RPC, or that are not among the accepted standard services.

The User Defined Service Properties screen contains the following information (Figure 95):

Name: The service's name. The name assigned here should be identical to the service name as it appears in the services file.
Comment: Any information that describes this service.
Color: Defines the color scheme of the object.
Match: The INSPECT language expression that determines whether a packet belongs to this service, for example dport = telnet. The file tcpip.def lists some predefined components that can be used in expressions.
Pre-Match: INSPECT language code to be executed before the rule base.
Prologue (optional): A fixed code string added to the rules at the head of the rule base, before the Properties macros.
Group
Group Properties allows the administrator to define a named group of services. This eliminates the need to list each service individually in the rule base. When forming groups, follow these guidelines:
  Members of a group do not have to be of the same service type
  Groups can be members of other groups
The Group Properties screen contains the following information (Figure 96):

Name: The group name.
Comment: Any information that describes this group.
Color: Defines the color scheme of the object.
Not in Group: Services not included in the named group.
In Group: Services added to the named group.
Port Range
Most well-known services have an associated port; for example, TELNET is port 23, FTP is port 21 and SMTP is port 25. Some protocols or services operate over a range of ports, especially for the reverse connection back to the client that initiated the connection. A Port Range object defines a TCP or UDP service with a starting and ending port number. Only packets whose destination port falls within the range are considered to belong to the service and are accepted, dropped or rejected according to the rule that uses it.
The Port Range Properties screen contains the following information (Figure 97):

Name: The name of the service.
First Port: A single port number, or the starting port number of a range of ports.
Last Port: The ending port number of the range of ports.
Comment: Any information that describes this service.
Color: Defines the color scheme of the object.
Protocol: Select TCP or UDP.
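To show how the TCP, UDP, Group and Port Range objects above combine when a packet is matched, here is a Python model added for this page. It is not Check Point code: the services-file excerpt, the sample objects and the packet structure are constructed for the example. It also reproduces the install-time behaviour the TCP and UDP sections describe, where a service whose port cannot be resolved from the services file aborts installation.

```python
"""Service objects and a packet matcher.  Added example, not Check Point
code; the services-file excerpt and sample objects are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

SERVICES_FILE = """\
# constructed excerpt in /etc/services format
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp
smtp     25/tcp
domain   53/udp
http     80/tcp
ntp     123/udp
"""


def load_services(text: str) -> Dict[Tuple[str, str], int]:
    """(name, proto) -> port, as FireWall-1 reads it to fill the Port field."""
    table: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(name, proto)] = int(port)
    return table


@dataclass
class Packet:
    proto: str
    sport: int
    dport: int


@dataclass
class Service:
    name: str
    proto: str                                   # "tcp" or "udp"
    port: Optional[int] = None                   # None: resolve by name at install time
    src_ports: Optional[Tuple[int, int]] = None  # Source port range, if restricted

    def install(self, table: Dict[Tuple[str, str], int]) -> None:
        if self.port is None:
            if (self.name, self.proto) not in table:
                raise ValueError(f"cannot resolve port for service {self.name}/{self.proto}")
            self.port = table[(self.name, self.proto)]

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto or pkt.dport != self.port:
            return False
        if self.src_ports and not (self.src_ports[0] <= pkt.sport <= self.src_ports[1]):
            return False
        return True


@dataclass
class PortRange:
    name: str
    proto: str
    first: int
    last: int

    def install(self, table: Dict[Tuple[str, str], int]) -> None:
        pass                                     # nothing to resolve

    def matches(self, pkt: Packet) -> bool:
        return pkt.proto == self.proto and self.first <= pkt.dport <= self.last


@dataclass
class Group:
    name: str
    members: List[Union[Service, PortRange, "Group"]] = field(default_factory=list)

    def install(self, table: Dict[Tuple[str, str], int]) -> None:
        for m in self.members:
            m.install(table)

    def matches(self, pkt: Packet) -> bool:
        return any(m.matches(pkt) for m in self.members)


def install_policy(objects, table) -> List[str]:
    """Resolve every object; return the errors that would abort installation."""
    errors = []
    for obj in objects:
        try:
            obj.install(table)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


# Constructed objects: a group of groups, a port range and a source-port-restricted service.
TABLE = load_services(SERVICES_FILE)
ADMIN = Group("admin", [Service("ssh", "tcp"), Service("telnet", "tcp")])
MAIL_WEB = Group("mail_web", [Service("smtp", "tcp"), Service("http", "tcp"),
                              PortRange("web_alt", "tcp", 8000, 8100)])
NTP_PEER = Service("ntp", "udp", src_ports=(123, 123))   # only NTP peer traffic, not clients
ALLOWED = Group("allowed", [ADMIN, MAIL_WEB, NTP_PEER])
INSTALL_ERRORS = install_policy([ALLOWED], TABLE)


def allowed(pkt: Packet) -> bool:
    """Would this packet match the 'allowed' service group?"""
    return ALLOWED.matches(pkt)


if __name__ == "__main__":
    print("install errors:", INSTALL_ERRORS)
    for p in [Packet("tcp", 40000, 80), Packet("tcp", 40000, 8080), Packet("tcp", 40000, 22),
              Packet("udp", 123, 123), Packet("udp", 40000, 123), Packet("udp", 40000, 53)]:
        print(p, "->", allowed(p))
    print(install_policy([Service("gopher", "tcp")], TABLE))
```

The source-port restriction is the interesting case: with src_ports set to (123, 123) the NTP object matches server-to-server traffic but not a client query from an ephemeral port, which is exactly the distinction the Source port range field exists to express.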
Resources Manager
A FireWall-1 resource is used in conjunction with content security. A resource specification defines further protocol-specific matching, as well as actions to be performed at the protocol level on the data in a connection. You can define FireWall-1 resources for the following protocols: HTTP, FTP and SMTP. Anti-virus checking, URL screening and e-mail address translation are the major security enhancements enabled by content security. These options are enforced using UFP (URL Filtering Protocol) and CVP (Content Vectoring Protocol) server objects. The Resources Manager is covered in detail in the CCSE manual.

Resource Object Setup

To set up a new resource, follow these steps:
1. Select Resources from the Manage menu (Figure 98).
3. Click New and select the type of resource to create from the menu.
4. Select each tab and complete the fields.
5. Click OK to save your settings.

The resource can now be used in a rule. When a connection matches the rule's source and destination, it must also satisfy the resource's Match specification, and the resource's Action is then applied to it.
URI Resource
A Uniform Resource Identifier (URI) resource is an extension of the rule base. The URI resource goes beyond the source, destination and service fields and provides more detail about the content of the service. The HTTP Security Server must be installed (with its default options) for URI resources to be enforced. After creating a CVP or UFP server object, if one is required, you define the resource for HTTP to create a URI resource.

URI Match Specification Type

In the General tab of the URI Definition screen, you select one of the following URI Match Specification types:
  Wild Cards: The URIs are described on the Match tab of the Resource screen. Under this method, many URIs are described by a single wild card. For example, the wild card www.elvis* describes a large number of URIs. The URIs will be allowed or disallowed, depending on the Action in the rule that uses the resource.
  File: The URIs are listed by name in the file specified in the Match tab of the Resource screen. Under this method, each URI is individually listed in the given file. The URIs will be allowed or disallowed, depending on the Action in the rule that uses the resource.
  UFP: A list of URIs in selected categories is provided by the URL Filtering Protocol (UFP) server specified in the Match tab of the Resource screen.
Wild Cards is the first specification type listed in the General tab (Figure 100):

The General tab contains the following information:

Name: Type in the name you want for the URI definition.
Comment: Type in a comment for the URI definition.
Color: Defines the color scheme of the object.
Connection Methods: Check the methods of connection. Your choices are Transparent, Proxy and Tunneling.
Exception Track: Select the method of reporting. Your choices are None, Log and Alert.
URI Match Specification Type: Check the specification type. Your choices are Wild Cards, File and UFP.
If you select Wild Cards specification type, the following Match tab appears (Figure 101):
Figure 101: URI Match Tab for Wild Cards Specification
The Wild Cards Match tab contains the following information:

Schemes: Check http, and type a wild card (*) in the Other text box.
Methods: Type a wild card (*) in the Other text box.
Host, Path and Query: Type wild cards (*) in these text boxes, or a more specific pattern such as www.elvis* for Host.
If you select the Wild Cards specification type, the following criteria must be defined in the Action tab. The Action is what is done with the connection if all other criteria are met (Figure 102; in the figure the Replacement URI is www.badweb.com/warning.html):

The Wild Cards Action tab contains the following information:

Replacement URI: The alternate URI returned to the client in place of a blocked page.
HTML Weeding: Check Strip Script Tags, Strip Applet Tags and Strip ActiveX Tags. The selected tags are removed from the page before it is returned to the client, so the corresponding code never reaches the browser.
Response Scanning: Check Block JAVA Code.
CVP: Specify the inspection options for the third-party CVP server (available only if a CVP server object has been defined):
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server finds the file invalid (for example, it contains a virus), the CVP server corrects the file before returning it to the firewall.
File is the second specification type listed in the General tab (Figure 103):
Figure 103: URI General Tab for File Specification
The General tab contains the following information:
Name: Type in the name you want for the URI definition.
Comment: Type in the comment for the URI definition.
Color: Defines the color scheme of the object.
Connection Methods: Check the methods of connection. Your choices are: Transparent, Proxy and Tunneling.
Exception Track: Select the method of reporting. Your choices are: None, Log and Alert.
URI Match Specification Type: Check the specification type. Your choices are: Wild Cards, File and UFP.
If you select File specification type, the following Match tab appears (Figure 104):
The File Match tab contains the following information:
Import: Click to import a URI specification file (a list of URIs to which access will be denied or allowed, depending on the Action in the rule).
Export: Click to export a previously imported URI specification file. You will be asked to specify a file name under which the file will be saved.
A URI Specification file is an ASCII file of records.
If you select File specification type, the following action criteria must be defined in the Action tab. Action is what the URI will do if all other criteria are met (Figure 105):
Figure 105: [screenshot of the File Action tab; Replacement URI shown: www.badweb.com/warning.html]
The File Action tab contains the following information:
Replacement URI: Type in your alternate IP address to be sent back to any unauthorized source.
HTML Weeding: Check Strip Script Tags, Strip Applet Tags and Strip ActiveX Tags. This weeds out tags so they are not displayed. If a CVP server is present, the choice to select the server and the action that the server takes is available.
Response Scanning: Check Block JAVA Code.
CVP: Specify the inspection options for the third-party CVP server.
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (perhaps because it contains a virus), the CVP server corrects the file before returning it to the firewall.
UFP is the third specification type listed in the General tab (Figure 106):
The General tab contains the following information:
Name: Type in the name you want for the URI definition.
Comment: Type in the comment for the URI definition.
Color: Defines the color scheme of the object.
Connection Methods: Check the methods of connection. Your choices are: Transparent, Proxy and Tunneling.
Exception Track: Select the method of reporting. Your choices are: None, Log and Alert.
URI Match Specification Type: Check the specification type. Your choices are: Wild Cards, File and UFP.
If you select UFP specification type, the following Match screen appears (Figure 107):
Figure 107: URI Match Tab for UFP Specification
The UFP Match tab contains the following information:
UFP Server: Select the UFP server from the menu. The UFP server should have already been defined in the Servers manager.
Categories: Check the categories you wish to include in the resource definition. This list displays the categories defined by the UFP Server properties.
If you select UFP specification type, the following action criteria must be defined in the Action tab. Action is what the URI will do if all other criteria are met (Figure 108):
Figure 108: [screenshot of the UFP Action tab; Replacement URI shown: www.badweb.com/warning.html]
The UFP Action tab contains the following information:
Replacement URI: Type in your alternate IP address to be sent back to any unauthorized source.
HTML Weeding: Check Strip Script Tags, Strip Applet Tags and Strip ActiveX Tags. This weeds out tags so they are not displayed. If a CVP server is present, the choice to select the server and the action that the server takes is available.
Response Scanning: Check Block JAVA Code.
CVP: Specify the inspection options for the third-party CVP server.
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (for example, it may contain a virus), the CVP server corrects the file before returning it to the firewall.
The SMTP protocol provides exact control over SMTP connections. The SMTP resource definition allows hiding of internal IP addresses from outgoing e-mail, strips specific attachment types, drops messages above a given size, and rewrites e-mail addresses. Implement the SMTP security server with an SMTP resource. If you select SMTP from the Resource Manager, the following information must be defined in the General tab (Figure 109):
The General tab contains the following information:
Name: The resource's name.
Comment: Descriptive text.
Color: Defines the color scheme of the object.
Mail Server: Mail is forwarded to this server.
Error Handling Server: If Notify Sender on Error is checked, then: if Error Handling Server is empty, the error notification is sent to the server specified under default_server in $FWDIR/conf/smtp.conf; if default_server in $FWDIR/conf/smtp.conf is not specified, the error notification is sent to the originator of the mail. If Notify Sender on Error is not checked, no error notification is generated. If multiple servers are defined, they are tried until successful.
Exception Track: This option determines if an action taken as a result of a resource definition is logged. Select one of the following:
  None: No logging or alerting.
  Log: Log the event.
  Alert: Issue an alert.
Notify Sender on Error: Notify the sender if the message was not delivered.
If you select the SMTP Match tab, the following screen appears (Figure 110):
The SMTP Match tab contains the following information:
Sender: The From field in the envelope.
Recipient: The To field in the envelope.
You may use wild card characters in specifying these fields.
The Action1 tab defines transformations to be performed on the given fields. The data in the field is modified in accordance with the defined transformation. The left part of the transformation is a match field. The right part specifies the form of the new transformed data (Figure 111):
The SMTP Action1 tab contains the following information:
Sender: The From field in the header.
Recipient: The To field in the header. It is recommended that the transformed data not include embedded spaces.
Field: The name of a field in the SMTP header (case-sensitive).
Contents: The contents of the specified field. Stripping fields such as From and To is discouraged, since it makes it impossible to deliver the mail message.
If you select the SMTP Action2 tab, the following screen appears (Figure 112):
The SMTP Action2 tab contains the following information:
Strip MIME of Type: MIME attachments of the specified type will be stripped from the message. Allowed types are: text, multipart, message, image, audio, video and application. If you strip MIME of type text, the text in the body of the message is not stripped.
Don't Accept Mail Larger Than: Mail messages larger than this size will not be allowed to pass.
Server: Select the CVP server from the menu. The CVP server should have already been defined in the Servers manager.
CVP: Select one of the following:
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (perhaps because it contains a virus), the CVP server corrects the file before returning it to the firewall.
Allowed Characters: Select one of the following:
  8 bit: Allow 8 bit ASCII.
  7 bit: Allow only 7 bit ASCII (but no control characters).
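The Match, Action1 and Action2 tabs together describe a small pipeline: match the envelope, rewrite header fields (left part matches, right part is the new form), strip attachment types, enforce a size limit and a character set. The following Python is an added example written for this manual, not Check Point code; the resource dictionary, the function names and the sample message are this example's own constructions, and the rewrite is expressed as a regular expression rather than the syntax of the Action1 tab.

```python
import fnmatch
import re
from email.message import EmailMessage

# Constructed SMTP resource mirroring the Match, Action1 and Action2 tabs.
# Key names are this example's own, not FireWall-1 identifiers.
SMTP_RESOURCE = {
    "match": {"sender": "*corp.example", "recipient": "*"},   # envelope, wild cards allowed
    "rewrite": {  # Action1: header field -> (match part, new form); hides internal hosts
        "From": (r"^(.*)@host\d+\.corp\.example$", r"\1@corp.example"),
    },
    "strip_mime": {"application"},   # Action2: Strip MIME of Type
    "max_size": 4096,                # Action2: Don't Accept Mail Larger Than (bytes)
    "allowed_bits": 7,               # Action2: Allowed Characters
}


def envelope_matches(resource, mail_from, rcpt_to):
    m = resource["match"]
    return (fnmatch.fnmatchcase(mail_from, m["sender"])
            and fnmatch.fnmatchcase(rcpt_to, m["recipient"]))


def rewrite_headers(msg, rewrite):
    """Action1 transformation: the left part matches, the right part replaces."""
    for field, (pattern, new_form) in rewrite.items():
        if field in msg:
            msg.replace_header(field, re.sub(pattern, new_form, str(msg[field])))
    return msg


def strip_mime_types(msg, types):
    """Action2: drop parts whose MIME main type is listed. The first text part is
    the message body and is always kept, as the page notes for type text."""
    if not msg.is_multipart():
        return msg
    kept, body_seen = [], False
    for part in msg.iter_parts():
        maintype = part.get_content_maintype()
        if maintype == "text" and not body_seen:
            body_seen = True
            kept.append(part)
        elif maintype not in types:
            kept.append(part)
    msg.set_payload(kept)
    return msg


def seven_bit_ok(raw):
    """Allowed Characters = 7 bit: ASCII only, no control characters other than
    TAB, LF and CR (which the message format itself needs)."""
    return all(b < 128 and (b >= 32 or b in (9, 10, 13)) for b in raw)


def process_message(resource, mail_from, rcpt_to, msg):
    """Run the resource over one message. Returns (verdict, msg) with verdict in
    'no-match', 'too-large', 'bad-chars' or 'accepted'."""
    if not envelope_matches(resource, mail_from, rcpt_to):
        return "no-match", msg
    if len(msg.as_bytes()) > resource["max_size"]:
        return "too-large", msg
    rewrite_headers(msg, resource["rewrite"])
    strip_mime_types(msg, resource["strip_mime"])
    if resource["allowed_bits"] == 7 and not seven_bit_ok(msg.as_bytes()):
        return "bad-chars", msg
    return "accepted", msg


def build_sample(body="See the attached report."):
    """Constructed outgoing mail from an internal host with an executable attached."""
    msg = EmailMessage()
    msg["From"] = "alice@host17.corp.example"
    msg["To"] = "bob@partner.example"
    msg["Subject"] = "Quarterly report"
    msg.set_content(body)
    msg.add_attachment(b"MZ\x90\x00 constructed binary", maintype="application",
                       subtype="octet-stream", filename="report.exe")
    return msg
```

The size check runs before any transformation, so a message that is too large is refused as received; the 7-bit check runs last, on the message as it would be forwarded.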
The FTP security server provides authentication services and content security based on FTP commands (PUT/GET), file name restrictions and anti-virus checking for files. Implement the FTP security server with an FTP resource (Figure 113):
The FTP General tab contains the following information:
Name: The resource's name.
Comment: Descriptive text.
Color: Defines the color scheme of the object.
Exception Track: This option determines if an action (specified in the Action tab) taken as a result of a resource definition is logged. Select one of the following:
  None: No logging or alerting.
  Log: Log the event.
  Alert: Issue an alert.
If you select the FTP Match tab, the following screen appears (Figure 114):
The FTP Match tab contains the following information:
Path: Full path name of the file.
Methods: Select one of the following:
  GET: Getting a file from the server to the client.
  PUT: Sending a file from the client to the server.
If you select the FTP Action tab, the following information appears (Figure 115):
The FTP Action tab contains the following information:
Server: Select the CVP server from the menu. The CVP server should have already been defined in the Servers manager.
CVP: Select one of the options:
  None: The file is not inspected.
  Read Only: The file is inspected by the CVP server. If the CVP server rejects the file, it is not retrieved.
  Read/Write: The file is inspected by the CVP server. If the CVP server detects that the file is invalid (for example, because it may contain a virus), the CVP server corrects the file before returning it to the firewall.
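The FTP Match tab (path and GET/PUT method) and the three CVP options on the Action tab, which the URI and SMTP resources share, can be put together in a few lines. The following Python is an added example written for this manual, not Check Point code; the resource dictionary, the `toy_scanner` that stands in for a real CVP server, the marker it looks for and the function names are this example's own constructions. The mapping of RETR to GET and STOR to PUT follows the FTP command set in RFC 959.

```python
import fnmatch

# Constructed FTP resource mirroring the Match and Action tabs.
FTP_RESOURCE = {
    "path": "/pub/incoming/*",   # Match: full path name, wild cards allowed
    "methods": {"PUT"},          # Match: GET and/or PUT
    "cvp": "read_write",         # Action: none | read_only | read_write
}

# Transfer commands from RFC 959 mapped onto the resource's GET/PUT methods.
COMMAND_TO_METHOD = {"RETR": "GET", "STOR": "PUT"}

# Constructed marker standing in for whatever a real CVP scanner detects.
MARKER = b"<<constructed-bad-content>>"


def ftp_matches(resource, command, path):
    """Does this transfer fall under the resource's Match tab?"""
    method = COMMAND_TO_METHOD.get(command.upper())
    return method in resource["methods"] and fnmatch.fnmatchcase(path, resource["path"])


def toy_scanner(data):
    """Stand-in CVP server: returns (verdict, corrected_data)."""
    if MARKER in data:
        return "rejected", data.replace(MARKER, b"")
    return "clean", data


def cvp_inspect(mode, data, scanner=toy_scanner):
    """Apply the CVP option from the Action tab. Returns (delivered, data)."""
    if mode == "none":
        return True, data                 # the file is not inspected
    verdict, corrected = scanner(data)
    if verdict == "clean":
        return True, data
    if mode == "read_only":
        return False, None                # rejected -> not retrieved
    if mode == "read_write":
        return True, corrected            # scanner corrects the file first
    raise ValueError(f"unknown CVP mode {mode!r}")


def handle_transfer(resource, command, path, data):
    """Decision for one transfer under a rule that uses this resource:
    ('no-match', None), ('blocked', None) or ('delivered', bytes)."""
    if not ftp_matches(resource, command, path):
        return "no-match", None
    delivered, out = cvp_inspect(resource["cvp"], data)
    return ("delivered", out) if delivered else ("blocked", None)
```

The three CVP modes differ only in what happens on a rejection: None never asks, Read Only refuses the file, Read/Write forwards whatever the scanner hands back, so Read/Write places full trust in the scanner's correction.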
Server Manager
A Server object represents a server running on a specific host. The available server objects are:
URL Filtering Protocol (UFP): A UFP server can be used in defining a URI Resource.
Content Vectoring Protocol (CVP): A CVP server examines the contents of a file or data stream.
RADIUS: A RADIUS server is used to provide authentication services.
TACACS: A TACACS server is used to provide authentication services.
AXENT Defender: An AXENT Defender server is used to provide authentication services.
LDAP Account Units: The FireWall-1 Account Management system is an independent module that enables the Security Manager to integrate an LDAP-compliant user database with FireWall-1 user authentication.
The Server Manager is covered in detail in the CCSE manual.
Server Objects Setup
Servers must be created before you can add them to the rule base. To set up servers, follow these steps:
1. Select Servers from the Manage menu (Figure 116):
3. Click New and select the type of server you want to create from the menu, as follows: UFP, CVP, RADIUS, RADIUS Group, TACACS, DEFENDER or LDAP Account Unit.
Users Manager
When you define users and user groups, you can use these as the Source in rules which specify Authentication as the Action. The user's properties are then applied. In this way, you can specify, for example, that users in one group can connect only during the day, while users in another group can connect only at night. In addition, you can define templates upon which future user definitions will be based. To create a new user or a new user group, select Users from the Manage menu and click New. The following screens appear.
General Tab
The General tab is identical for user properties and template properties (Figure 118):
The General tab contains the following information:
Name: The user (or template) name.
Comment: Descriptive text.
Color: Defines the color scheme of the object.
Expiration: Date after which the user will be denied.
Groups Tab
The Groups tab is identical when setting up users and templates (Figure 119):
Figure 119: User Properties Groups Tab
The Groups tab contains the following information:
Add: Adds a user to a group.
Delete: Deletes a user from a group.
Authentication Tab
Location Tab
The Location tab is identical when setting up users and templates (Figure 120):
The Location tab contains the following information:
Source: The user will be allowed access only from the listed network objects.
  Add: Adds a network object to the list of accessible sources.
  Delete: Deletes a network object from the list of accessible sources.
Destination: The user will be allowed access only to the listed network objects.
  Add: Adds a network object to the list of accessible destinations.
  Delete: Deletes a network object from the list of accessible destinations.
Time Tab
The Time tab is identical when setting up users and templates (Figure 121):
Figure 121: User Properties Time Tab
The Time tab contains the following information:
Days in Week: The days on which the user will be allowed access.
Time of day: Hours, from and to, between which the user will be allowed access.
Encryption Tab
Once you have created a template, any user you create based on the template will inherit all of the template's properties, including membership in groups. If you modify a template's properties, the change will affect all users created from the template in the future. Users already created from the template will not be affected. To set up a user template, follow these steps:
1. Select Users from the Manage menu (Figure 122):
3. Click New and the New User Object menu appears, listing the types of objects you can create: Group, External group and Template. The Default template is listed in the bottom part of the menu until User Templates are defined and listed. Creating External Groups is described in the CCSE manual.
4. Create a new template before creating a new user by selecting Template from the New User Object menu.
5. The User Properties screens appear. Complete the properties setup in each of the tabs.
6. Click OK and the name of the new template appears in the bottom of the New User Object menu.
To create a new user, follow these steps:
1. Choose the template on which the new user's properties will be based from the New User Object menu.
2. The User Properties screens appear. Complete the properties setup in each of the tabs. You can modify the template's properties for each user, but they will be changed for the new user only. The template remains unchanged.
3. Click OK and the new user appears in the User Manager list.
To create a new group, follow these steps:
1. Select Group from the New User Object menu.
2. The Group Properties screen appears (Figure 124).
3. Complete the properties setup. Select names of Users shown in the Not in Group list and click Add. They are now shown in the In Group list.
4. Click OK and the new group appears in the User Manager list.
3. Click New to set up a new user. A menu appears, listing the types of objects you can create. Choose from Time or Group.
The General tab contains the following information:
Name: The object's name.
Comment: Descriptive text.
Time of Day: Enter up to three From-To pairs in 24-hour notation. To specify all day, set From: 00:00 and To: 23:59.
5. Select the Days tab (Figure 128):
The Days tab contains the following information:
None: The times of day specified in the General tab of the Time Object Properties screen apply on all days.
Day in Month: The times of day specified in the General tab of the Time Object Properties screen apply only on the days of the month checked under Days in Month.
Day in Week: The times of day specified in the General tab of the Time Object Properties screen apply only on the days of the week checked under Days in Week.
Month: The times of day specified in the General tab of the Time Object Properties screen apply only during the month specified. This field is enabled only if Days Specification is Days in Month.
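The General and Days tabs of a Time object combine into one predicate: the moment must fall inside one of up to three From-To pairs and on a day allowed by the Days Specification. The following Python is an added example written for this manual, not Check Point code; the dictionary layout and the function names are this example's own constructions, and the sample objects and dates are constructed.

```python
from datetime import datetime, time

# Constructed Time object mirroring the General and Days tabs.
WORKING_HOURS = {
    "time_of_day": [("08:00", "12:00"), ("13:00", "18:30")],  # up to three From-To pairs
    "days_spec": "day_in_week",          # one of: none, day_in_month, day_in_week
    "days_in_week": {"Mon", "Tue", "Wed", "Thu", "Fri"},
    "days_in_month": set(),
    "month": None,                       # used only with day_in_month
}

# A second constructed object: all day on two December dates only.
YEAR_END = {
    "time_of_day": [("00:00", "23:59")],  # the page's way of saying "all day"
    "days_spec": "day_in_month",
    "days_in_week": set(),
    "days_in_month": {24, 31},
    "month": 12,
}

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday(): Monday is 0


def _parse(hhmm):
    hours, minutes = hhmm.split(":")
    return time(int(hours), int(minutes))


def in_time_of_day(obj, when):
    """General tab: inside any From-To pair, compared at minute resolution."""
    pairs = obj["time_of_day"]
    if len(pairs) > 3:
        raise ValueError("a Time object holds at most three From-To pairs")
    t = when.time().replace(second=0, microsecond=0)
    return any(_parse(start) <= t <= _parse(end) for start, end in pairs)


def on_allowed_day(obj, when):
    """Days tab: None, Day in Week, or Day in Month (optionally limited to one month)."""
    spec = obj["days_spec"]
    if spec == "none":
        return True
    if spec == "day_in_week":
        return DAY_NAMES[when.weekday()] in obj["days_in_week"]
    if spec == "day_in_month":
        if obj["month"] is not None and when.month != obj["month"]:
            return False
        return when.day in obj["days_in_month"]
    raise ValueError(f"unknown Days Specification {spec!r}")


def time_object_active(obj, when):
    """True if a rule (or user) restricted by this object applies at `when`."""
    return in_time_of_day(obj, when) and on_allowed_day(obj, when)
```

Because the comparison drops seconds, a pair ending at 23:59 covers the whole last minute of the day, which is what the 00:00 to 23:59 convention on the General tab intends.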
Keys Manager
The Keys Manager is defined in the CCSE course.
Review
Summary
Before an object is included in a rule base, its properties must first be defined. Only those objects that are used in the rule base need to be defined. It is helpful to determine a color scheme before defining your objects. By assigning the same color to related objects, managing your firewall is made easier. A simple color scheme enables you to quickly identify and select objects, rather than scroll through long lists with little or no distinction between objects.
Understanding internal and external management stations is essential for defining objects. Grouping your objects gives you a better overview of the security policy and will lead to a more readable rule base. As your network changes, you can add, delete or modify objects as needed.
FireWall-1 comes with several of the most common services predefined. These services include TCP, HTTP and HTTPS, SMTP, UDP and RPC. Most well known services have an associated port, such as port 23 for telnet. Some types of protocols or services may operate with a range of ports, especially for the reverse connection back to the client that initiated the connection.
A server object represents a server running on a specific host. The available server objects include UFP, CVP, RADIUS, TACACS, AXENT Defender, and LDAP Account Units. You must create the server object before adding it to a rule in the rule base.
Review Questions
4. List the associated port numbers for TELNET, FTP, and SMTP.
Unit III Chapter 1: Security Policy Rule Base and Properties Setup
Introduction
The FireWall-1 security policy is an essential part of FireWall-1 administration. Defining and implementing a security policy maximizes FireWall-1's effectiveness. Without a well-defined security policy, FireWall-1 is limited in its ability to be an effective security solution. The following are key concepts about security policies:
- A security policy defines the way you and your organization view internal network security.
- A well-defined rule base is the key to the effectiveness of a security policy.
- A security policy is divided into two parts: the policies and the rule base.
In this chapter, you will learn how to create rules and modify a security policy's properties. You must modify security policy properties because a security policy is made up of its rule base and fields specified in the Properties Setup screens.
Objectives
- Explain why it is important to correctly set up a security policy
- Explain the order FireWall-1 matches policies and rules
- Be able to name and define the rule base elements
- Show how to create a rule base
- Show how to add rules to the rule base
- Identify the process of how security policy rules are applied to a packet
- Define the ways rules can be applied to interface direction
- Successfully define and configure properties for a security policy
Key Terms
security policy
rule base
rule base elements
rule base editor
pseudo rule
implicit rule
explicit rule
implicit-drop rule
accounting log entry
security server
authentication schemes
SYNDefender
SYN packets
Lightweight Directory Access Protocol (LDAP)
load balancing
Considerations
Before creating a security policy for your system, you must answer the following questions:
- What kind of services, including customized services and sessions, are allowed in your system?
- What are your users' permissions and authentication schemes?
- What objects are in your system? Examples include gateways, hosts, networks, routers and domains.
To create a new security policy, follow these steps: 1. Select New from the File menu (Figure 129):
Each rule is made up of rule base elements, which are the individual components that make up a rule. The rule base elements are shown in Table 10:
Table 10: Rule Base Elements
Element       Definition
No.           Rule number, defines the order in which FireWall-1 enforces each rule.
Source        The source of the packet.
Destination   Where the packet is going. Source and destination can be any network objects.
Service       TCP, HTTP, HTTPS, SMTP, UDP, RPC and ICMP protocols.
Action        What to do with a packet.
Track         Log or alert rule.
Install On    Which firewalled objects will enforce the rule.
Time          When a rule is effective. Define times as needed.
Comment       User-defined description of the rule.
To customize rules in the rule base, right-click on each element and select from the available menu options (Table 11):
Table 11: Source Element menu options
Description
- Select network objects to add to the rule's Source.
- Select user group(s) to add to the rule's Source.
- Edit the selected object.
- Delete the selected object.
- Negate the selected object, when system administrators need to include all objects or users and exclude a specific object or user. Negating the selected object (or user) is sometimes a more efficient way to manage a security policy.
- Cut the selected object and copy it onto the clipboard.
- Copy the selected object onto the clipboard.
- Paste the object from the clipboard in the rule's Source.
Table 12: Destination Element menu options
Description
- Select network objects to add to the rule's Destination.
- Edit the selected object.
- Delete the selected object.
- Negate the selected object, when system administrators need to include all objects or users and exclude a specific object or user. Negating the selected object (or user) is sometimes a more efficient way to manage a security policy.
- Cut the selected object and copy it onto the clipboard.
- Copy the selected object onto the clipboard.
- Paste the object from the clipboard in the rule's Destination.
Table 13: Service Element menu options
Description
- Select network objects to add to the rule's Services.
- Add a resource.
- Edit the selected object.
- Delete the selected object.
- Negate the selected object, when system administrators need to include all objects or users and exclude a specific object or user. Negating the selected object (or user) is sometimes a more efficient way to manage a security policy.
- Cut the selected object and copy it onto the clipboard.
- Copy the selected object onto the clipboard.
- Paste the object from the clipboard in the rule's Service.
Table 14: Action Element (Continued)
Menu Option              Definition
Session Authentication   Invoke session authentication for this connection.
Encrypt                  Encrypt outgoing packets; accept incoming encrypted packets and decrypt them.
Client Encrypt           Accept only SecuRemote communications, which allows remote.
Table 16: Install On Element (Continued)
Menu Option            Definition
Router                 Enforce on specified routers.
Integrated FireWalls   Enforce on specified integrated firewalls.
Target                 Enforce on the specified target object(s) only, in the inbound and outbound (eitherbound) directions.
Install On: Enforced on all the interfaces of a firewalled host or gateway. Enforced differently for incoming and outgoing packets, depending on the rule's Install On field.
Time element menu options
Description
- Displays the Time Objects screen, from which you can select time objects to add to the rule's Time.
- Edit the selected object.
- Delete the selected object.
Comment element menu options
Description
- Add a descriptive comment that you wish to appear in the comment area of the rule and click OK.
Add Rule: To add a new rule, choose the position where the rule is to be placed: Bottom, Top, After, Before.
The following options can be accessed after you have created a rule.
Delete Rule: To delete the currently selected rule from the rule base.
Cut: To remove (cut) the selected data and put it on the clipboard.
Copy: To copy selected data onto the clipboard.
Paste: To paste the selected data from the clipboard. Choose the position where the rule is to be pasted from the following: Bottom, Top, After, Before.
Disable Rule: To disable a rule when testing a security policy without affecting the actual firewalled network. Disabling a rule allows local testing only. Also, to allow access to a previously restricted source or destination.
Add a Rule
To add a rule, follow these steps:
1. Select Add Rule from the Edit menu.
2. Select Top from the Add Rule menu, since this is the first rule.
3. A new rule (the default rule) is added to the security policy (Figure 134):
The default rule is defined with the following information:
No.: Defines the number order of each rule. The first rule in the rule base is No. 1.
Source: Displays the object manager screen, from which you can select network objects or a group of users to add to the rule base. The default is Any.
Destination: Displays the object manager screen, from which you can select network objects to add to the rule. The default is Any.
Service: Displays the service manager screen, from which you can select services to add to the rule. The default is Any.
Action: Accepts, drops or rejects data, or provides authentication and encryption. The default is drop.
Track: Defines logging or alerting for this rule. The default is no tracking.
Install On: Specifies which firewalled objects will enforce the rule. The default is Gateways, which means all internal firewalled objects.
Time: Defines when this rule takes effect. The default is Any.
Comments: Allows system administrators to add notes about this rule. The default is no comments.
The cleanup rule should be the first rule you create in the rule base. A cleanup rule allows you to specify logging for remaining packets, and drops all communication not described by other rules. To create a cleanup rule, follow these steps:
1. Select Add Rule from the Edit menu.
2. Select Bottom from the Add Rule menu.
3. The default rule has now been added to the security policy (Figure 134):
4. Right-click in the Tracking column and select Long Log.
5. Right-click in the Comment column, type Cleanup Rule in the dialog box and click OK.
6. The default rule now becomes the cleanup rule (Figure 136):
For the cleanup rule to be effective, be sure to add all other rules above the cleanup rule. The last rule in the rule base must be the cleanup rule.
To prevent any users from connecting to the firewall, you must add a Stealth Rule to your rule base. Protecting the firewall in this manner makes it transparent, that is, it becomes an invisible network object that, from the point of view of network users, does not even exist. To create a stealth rule, follow these steps:
1. Right-click in the Number column of the cleanup rule and select Add Rule from the Edit menu.
2. Select Top from the Add Rule menu.
3. Right-click in the Destination column and select the firewall.
4. Right-click in the Action column and select Drop.
5. Right-click in the Tracking column and select Long Log.
6. Right-click in the Comment column, type Stealth Rule in the dialog box and click OK.
7. The stealth rule now appears in the rule base (Figure 137):
For the stealth rule to fully protect your firewall, be sure to add all other rules below it. In this way, the stealth rule should always be the first rule and the cleanup rule should always be the last rule.
Add additional rules to your security policy below the stealth rule and above the cleanup rule. To add additional rules, follow these steps:
1. Right-click in the Number column of an existing rule and select Add Rule from the Edit menu.
2. Select the position for the rule to be located from the Add Rule menu, choosing from After or Before.
3. Right-click in the Source column of the new rule and the Source menu appears (Figure 138):
4. Select Add from the Source menu and the Add Object screen appears (Figure 139):
5. Choose the appropriate network object and click OK. The object is added to the rule base.
6. Repeat these steps for other rule base elements: Service, Action, Track, Install On, Time and Comment.
When you have defined the desired rules, you must install the rule base. The Install On element specifies the network object on which the security policy is installed. In contrast, the Install On element in the rule base editor specifies the network object that is to enforce a specific rule. To install the rules, follow these steps:
1. Select Install from the Policy menu (Figure 140):
3. Select the firewall to install on, then click OK to install the security policy.
Before you can define security policy properties, you must consider the rule base order. FireWall-1 examines the rule base rule by rule. FireWall-1 inspects packets by comparing them to the security policy, one rule at a time. For this reason, it is important to define each rule in a security policy in the appropriate order. The order in which FireWall-1 applies the rules in a security policy to packets is shown in Figure 143:
Properties labeled First are matched prior to the numbered rules. The property labeled Last is matched last. The property labeled Before Last is matched prior to the last numbered rule.
Rule #5, the cleanup rule, drops all remaining connections that do not match the previous rules.
Figure 143: Rule Base Order
The match order is as follows:
1. Any anti-spoofing rules are applied.
2. Checked properties in the Security Policy tab of the Properties Setup screen labeled First are matched prior to the numbered rules.
3. Rules are matched according to their order in the rule base, except for the last rule in the rule base. FireWall-1 reads rules 1, 2 and 3, in that order.
4. Checked properties labeled Before Last are matched after all but the last rule in the rule base.
5. The last rule in the rule base is matched.
6. The checked property labeled Last is matched last.
7. The implicit drop rule is matched.
The implicit rules are not shown when viewing the rule base unless you select Implied Pseudo Rules from the View menu (Figure 144):
Figure 144: [rule base editor showing the implied pseudo rules; diagram labels: Match Order 1-7, Rule Base]
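The seven-step match order, together with the stealth and cleanup rules recommended earlier in this chapter, determines which rule a packet actually hits, and the consequence is not always obvious: a property placed Before Last is consulted before the cleanup rule, and a property placed Last is only reached if the cleanup rule does not match. The following Python is an added example written for this manual, not Check Point code; the network objects, interface names, rule base, implied rules and service names (such as `fw1-control`) are this example's own constructions, and anti-spoofing is reduced to "a source behind the inner interface must belong to the internal network".

```python
import ipaddress

# Constructed network objects (name -> networks); none of these come from the page.
OBJECTS = {
    "fw-gw": ["192.0.2.1/32"],
    "web-srv": ["192.0.2.10/32"],
    "internal-net": ["10.0.0.0/8"],
}
INTERNAL_NETS = ["10.0.0.0/8"]   # valid sources behind the "inner" interface

# Constructed rule base: stealth rule first, cleanup rule last, as the chapter recommends.
RULE_BASE = [
    {"no": 1, "src": "Any", "dst": "fw-gw", "svc": "Any", "action": "drop", "comment": "Stealth Rule"},
    {"no": 2, "src": "Any", "dst": "web-srv", "svc": "http", "action": "accept"},
    {"no": 3, "src": "internal-net", "dst": "Any", "svc": "smtp", "action": "accept"},
    {"no": 4, "src": "Any", "dst": "Any", "svc": "Any", "action": "drop", "comment": "Cleanup Rule"},
]

# Constructed implied (pseudo) rules, keyed by where the Properties Setup places them.
IMPLIED = {
    "first": [{"dst": "fw-gw", "svc": "fw1-control", "action": "accept"}],
    "before_last": [{"svc": "icmp", "action": "accept"}],
    "last": [{"svc": "rip", "action": "accept"}],
}


def _in_object(name, ip):
    if name == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])


def rule_matches(rule, pkt):
    """Source, Destination and Service of a rule against one packet."""
    return (_in_object(rule.get("src", "Any"), pkt["src"])
            and _in_object(rule.get("dst", "Any"), pkt["dst"])
            and rule.get("svc", "Any") in ("Any", pkt["svc"]))


def antispoof_ok(pkt):
    """Step 1: the source must belong to the network behind the arrival interface."""
    addr = ipaddress.ip_address(pkt["src"])
    internal = any(addr in ipaddress.ip_network(net) for net in INTERNAL_NETS)
    return internal if pkt["iface"] == "inner" else not internal


def evaluate(pkt, rules=RULE_BASE, implied=IMPLIED):
    """Walk the seven-step match order. Returns the deciding stage, action and rule number."""
    if not antispoof_ok(pkt):                                   # step 1
        return {"stage": "anti-spoofing", "action": "drop", "rule": None}
    for r in implied["first"]:                                  # step 2
        if rule_matches(r, pkt):
            return {"stage": "first", "action": r["action"], "rule": None}
    for r in rules[:-1]:                                        # step 3: all but the last rule
        if rule_matches(r, pkt):
            return {"stage": "rule", "action": r["action"], "rule": r["no"]}
    for r in implied["before_last"]:                            # step 4
        if rule_matches(r, pkt):
            return {"stage": "before_last", "action": r["action"], "rule": None}
    if rules and rule_matches(rules[-1], pkt):                  # step 5: the last rule
        return {"stage": "last_rule", "action": rules[-1]["action"], "rule": rules[-1]["no"]}
    for r in implied["last"]:                                   # step 6
        if rule_matches(r, pkt):
            return {"stage": "last", "action": r["action"], "rule": None}
    return {"stage": "implicit_drop", "action": "drop", "rule": None}   # step 7


def packet(src, dst, svc, iface):
    """Constructed packet summary: source IP, destination IP, service, arrival interface."""
    return {"src": src, "dst": dst, "svc": svc, "iface": iface}
```

Running `evaluate` over a few constructed packets shows the two points worth checking in any rule base review: ICMP to the web server is accepted at the Before Last stage without ever reaching the cleanup rule, and the Last property (RIP here) is unreachable while a cleanup rule exists, since step 5 drops the packet first.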
FireWall-1 can inspect packets going into or coming from an internal network moving in a one-way (inbound or outbound) or two-way (eitherbound) direction. This is important for administrators, because FireWall-1 must provide the greatest level of security when inspecting packets. It is important to note that packet filtering must be considered from the firewall's point of view, and not the Internet or Intranet point of view. Figure 145 and Figure 146 illustrate the concept of one-way packet filtering. In Figure 145, the inbound packet (from the firewall point of view) is inspected at the outer NIC if packet filtering is set to inbound.
Figure 145: Inspecting Inbound packets from the Internet [diagram labels: Inbound Packet, Outer NIC, Inner NIC]
In Figure 146, the packet coming from the Intranet is inbound from the perspective of the firewall. Therefore, the packet gets inspected on the inner NIC.
Figure 146 (labels): Intranet, Internet, Outer NIC, Inner NIC, Inbound Packet
In an outbound scenario, the opposite is true. In Figure 147, a packet coming in from the Internet does not get inspected until it reaches the firewall's inner NIC, because in an outbound scenario the packet is not inspected until it is leaving the firewall.
Figure 147 (labels): FireWall-1 Rule Base and Inspect Engine, Intranet, Internet, INSPECTED HERE, Outer NIC, Outbound Packet, Inner NIC
In Figure 148, a packet originating from the Intranet enters the firewall from the inner NIC. This is an inbound packet from the firewall's perspective. It therefore does not get inspected until it reaches the outer NIC, where it is outbound from the firewall.
Figure 148 (labels): Intranet, Outer NIC, Outbound Packet, Inner NIC
Figure 149 illustrates how eitherbound inspects packets at both the inner and outer NICs. This provides the greatest level of security, with minimal performance degradation, since the inspect engine is operating in the kernel and not in user memory.
Figure 149: Inspecting Eitherbound packets from the Internet and Intranet
One important aspect of this security is missing: What about a user directly on the firewall? If a user is operating on the firewall, by definition all of that user's packets are outbound, since from the firewall's perspective everything is going out. If Inbound is specified in the properties, then users on the firewall are not bound by the rule base. If Outbound is specified in the properties, the user is now bound by the rule base; however, traffic going through the firewall is not inspected until it has reached the outgoing NIC.
Example

Scenario: Firewall is in secure room; operator is trusted
  Properties: Inbound
  Advantage: Inspects packets before entering firewall

Scenario: Firewall is in secure room; operator is not trusted
  Properties: Inbound
  Advantage: Inspects packets before entering firewall, but does not inspect packets originating from the firewall
  Disadvantage: Firewall operator is free to surf the Web with no restrictions

Scenario: Firewall is in secure room; operator is not trusted
  Properties: Outbound
  Advantage: Inspects traffic only when leaving the gateway; covers firewall operator
  Disadvantage: May leave inbound interface vulnerable

Scenario: Firewall is not in secure room; operator is not trusted
  Properties: Eitherbound
  Advantage: Inspects packets coming in and out of firewall; greatest amount of security
  Disadvantage: Some degradation in performance
A security policy is defined not only by the rule base, but also by parameters specified in the Security Policy tab of the Properties Setup screen. These parameters enable the user to control all aspects of a packet's inspection, without having to add repetitive detail in the rule base.
Security Policy Tab Setup
To access the Security Policy tab, follow these steps:
1. Choose Properties from the Policy menu (Figure 150):
2. Select the Security Policy tab on the Properties Setup screen (Figure 151):
Figure 151: Security Policy Tab
The Security Policy tab contains the following information:
Apply Gateway Rules to Interface Direction: Click the arrow and select one of the following choices:
  Inbound (Default): Enforce the security policy only on packets entering the gateway. Packets will be allowed to leave the gateway only if you select Accept Outgoing Packets.
  Outbound: Enforce the security policy only on packets leaving the gateway. (You can still enforce a rule in the incoming direction by choosing Destination under Install On and specifying the gateway in the rule base.) You must have at least one rule like this that allows packets to enter the gateway; otherwise no packets will be allowed to enter the gateway.
  Eitherbound: Enforce the security policy on packets entering and leaving the gateway. FireWall-1 inspects packets twice: once when packets come into the internal network and again when packets leave. Interface direction is relative to the firewall, not the network, regardless of the packet's source or destination.
TCP Session Timeout: Specify the time period (in seconds) after which a TCP session times out.
Accept FireWall-1 Control Connections: Check to have FireWall-1 use these connections for downloading Inspection Code.
Accept UDP Replies: Check to accept reply data in a two-way UDP communication.
Reply Timeout: Specify the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.
Accept Outgoing Packets: Check to accept all outgoing packets (originating from FireWall-1 itself, not from the internal network). On gateways, rules are usually enforced in the inbound direction only. When a packet passing through the gateway leaves the gateway, it will be allowed to pass only if one of the following conditions is true: a.) the Accept Outgoing Packets property is checked, or b.) rules are enforced in both directions (eitherbound) and there is a rule which allows the packet to leave the gateway. Click the arrow button to select the rule base order (First, Last or Before Last).
Enable Decryption on Accept: Check to decrypt incoming accepted packets even if the rule does not include encryption.
Accept RIP: Check to accept Routing Information Protocol (RIP) used by the routed daemon. Click the arrow button to select the rule base order (First, Last or Before Last).
Accept Domain Name Queries (UDP): Check to accept Domain Name Queries used by named. named resolves names by associating them with their IP addresses. If named does not know the IP address associated with a particular host name, it issues a query to the name server on the Internet. Accept UDP Replies must be enabled to receive the reply. Domain Name Queries are issued as needed. Click the arrow to select the rule base order (First, Last or Before Last).
Accept Domain Name Download (TCP): Check to allow uploading of domain name-resolving tables. Click the arrow to select the rule base order (First, Last or Before Last).
Accept ICMP: Check to accept Internet Control Messages. The IP layer on each system uses ICMP (Internet Control Message Protocol) to send control messages (for example, destination unreachable, source quench, route change) to other systems. This protocol is commonly used to assure proper and efficient operation of IP. Click the arrow to select the rule base order (First, Last or Before Last). In Figure 151 on page 198, the Accept ICMP property is set to Before Last to enable the user to define more detailed ICMP-related rules that will be enforced before this property. If this property were First, there would be no opportunity for the user to address ICMP in the rule base. If it were Last, it would be enforced after the last rule (which typically rejects all packets) and would thus have no effect. Enabling this option does not enable ICMP Redirect. If you want to enable ICMP Redirect, you must do so in the rule base.
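The match order (anti-spoofing, First, numbered rules, Before Last, last rule, Last, implicit drop) and the Accept ICMP placement discussion above are modelled in this added Python example; it is not Check Point code, and the field names, the `*` wildcard, the object names and the five-rule sample rule base are constructed for illustration.

```python
"""Model of the FireWall-1 match order described above (added example, not Check Point code).

Constructed for illustration: the field names, the '*' wildcard, the object
names and the five-rule sample rule base. Anti-spoofing rules are passed in as
ordinary Rule objects so that they occupy step 1 of the sequence.
"""
from dataclasses import dataclass

ORDERS = ("First", "Before Last", "Last")


@dataclass
class Rule:
    """A numbered rule, or an implied pseudo rule derived from a property."""
    name: str
    src: str = "*"
    dst: str = "*"
    service: str = "*"
    action: str = "accept"

    def matches(self, pkt):
        return all(
            want in ("*", pkt[key])
            for key, want in (("src", self.src), ("dst", self.dst), ("service", self.service))
        )


@dataclass
class Property:
    """A checked Security Policy tab property and its rule base order selector."""
    name: str
    service: str
    order: str  # one of ORDERS


def match_sequence(anti_spoof, properties, rules):
    """Expand rules and checked properties into the order FireWall-1 walks them."""
    def implied(order):
        return [Rule(f"{p.name} [{order}]", service=p.service)
                for p in properties if p.order == order]

    seq = list(anti_spoof)              # 1. anti-spoofing rules (from interface properties)
    seq += implied("First")             # 2. properties marked First
    seq += rules[:-1]                   # 3. numbered rules, all but the last
    seq += implied("Before Last")       # 4. properties marked Before Last
    seq += rules[-1:]                   # 5. the last numbered rule (the cleanup rule)
    seq += implied("Last")              # 6. properties marked Last
    seq.append(Rule("implicit drop", action="drop"))  # 7. implicit drop
    return seq


def decide(sequence, pkt):
    """First match wins: returns (action, name of the rule that matched)."""
    for rule in sequence:
        if rule.matches(pkt):
            return rule.action, rule.name
    raise AssertionError("the implicit drop matches everything")


# Constructed sample rule base: a stealth rule for the gateway and cleanup rule #5.
RULES = [
    Rule("1 allow localnet web", src="localnet", service="http"),
    Rule("2 stealth", dst="gateway", action="drop"),
    Rule("3 allow dns", service="domain-udp"),
    Rule("4 allow mail to relay", dst="mailrelay", service="smtp"),
    Rule("5 cleanup", action="drop"),
]


def icmp_decision(order, dst):
    """Fate of an ICMP packet from outside to `dst` with Accept ICMP placed at `order`."""
    props = [Property("Accept ICMP", "icmp", order)]
    pkt = {"src": "outside", "dst": dst, "service": "icmp"}
    return decide(match_sequence([], props, RULES), pkt)


if __name__ == "__main__":
    # First: no numbered rule ever sees ICMP. Before Last: rule 2 still protects the
    # gateway while other ICMP is accepted. Last: cleanup rule #5 drops ICMP first.
    for order in ORDERS:
        print(f"{order:12} gateway -> {icmp_decision(order, 'gateway')}, "
              f"webserver -> {icmp_decision(order, 'webserver')}")
```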
Services Properties
The services properties allow you to define what services can be enabled by the firewall.
Services Tab Setup
To set up the Services tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Services tab on the Properties Setup screen.
3. The Services tab appears (Figure 152):
The Services tab contains the following options:
Enable FTP Port Data Connections: Check to accept all FTP data coming from established FTP connections.
Enable FTP PASV Connections: Check to allow FTP PASV (passive) connections.
Enable RSH/REXEC Reverse stderr Connections: Check to allow RSH and REXEC to open reverse connections for the stderr file.
Enable RPC Control: Check to enable the inspection module to handle the dynamic port numbers assigned by portmapper to RPC services.
For each packet entering or leaving an internal network, FireWall-1 generates an accounting log entry, which includes the packet's connection duration, the number of bytes and the number of packets transferred.
Log and Alert Tab Setup
To set up the Log and Alert tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Log and Alert tab from the Properties Setup screen.
3. The Log and Alert tab appears (Figure 153):
The Log and Alert tab contains the following information:
Excessive Log Grace Period: Click the arrow to set the minimum amount of time (in seconds) between consecutive logs of similar packets.
Popup Alert Command: Type in the OS command (normally $FWDIR/bin/alert) to execute on the firewalled machine when an alert is issued. If you change this command, you may not become aware of the condition that caused the alert.
Mail Alert Command: Type in the OS command to execute on the firewalled machine when Mail is the specified track of a rule. You can specify commands other than mail.
The Mail Alert Command field (Figure 153) contains a command for an NT operating system. This field will vary depending on your operating system.
SNMP Trap Alert Command: Type in the OS command to be executed on the firewalled machine when SNMP Trap is specified as the action in a rule.
User Defined Alert Command: Type in the OS command to be executed when User-Defined is specified as the action in a rule.
Anti Spoof Alert Command: Type in the OS command(s) to be executed (default is $FWDIR/bin/alert) on the firewalled machine when Alert is specified for Anti-Spoofing detection in the Interface Properties window.
User Authentication Alert Command: Type in the OS command to execute on the firewalled machine when an alert is specified for any of the following:
  Authentication Failure Track in the Authentication tab of the Properties Setup screen
  Successful Authentication Tracking in the General tab of the Client Authentication Action Properties screen
IP Options Drop Track: Select the action to take when a packet with IP Options is encountered: None, Log or Alert. FireWall-1 always drops these packets, but you can log them or issue an alert.
Log Established TCP Packets: Check to log TCP packets for previously established TCP connections or packets whose connections have timed out.
The FireWall-1 security server, which is a server that has FireWall-1 installed, resides above the INSPECT engine in the FireWall-1 kernel module (Figure 154). The security server provides two features: authentication and content security.
Security Servers Tab Setup
To set up the Security Servers tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Security Servers tab from the Properties Setup screen.
3. The Security Servers tab appears (Figure 155):
4. To configure a predefined HTTP server, click New; the HTTP Server Definition screen appears (Figure 156):
5. Complete the information on the HTTP Server Definition screen and click OK to return to the Security Servers tab.
The Security Servers tab contains the following information:
Telnet Welcome Message File: Type in the name of the file to display when an authenticated user begins a TELNET session.
FTP Welcome Message File: Type in the name of the file to display when an authenticated user begins an FTP session.
Rlogin Welcome Message File: Type in the name of the file to display when an authenticated user begins an RLOGIN session.
Client Authentication Welcome File: Type in the name of the file to display when an authenticated user begins a Client Authenticated session.
SMTP Welcome Message File: Type in the name of the file whose contents are to be displayed when a user begins an SMTP session.
HTTP Next Proxy: Type in the host name and the port number of the HTTP proxy behind the FireWall-1 HTTP Security Server (if one exists).
HTTP Servers: Click New, Edit or Remove to manage HTTP servers. In the HTTP Server Definition screen (Figure 156), the following information must be defined when configuring a predefined HTTP server:
  Logical Name: The server's logical name.
  Host: The host on which the server runs.
  Port: The port number on the host.
  Server for Null Requests: Can be checked for only one server.
Reauthentication Options:
  Standard Authentication: The timeout period is measured from the last successful access. The user will not be required to enter a password again during the authorization period (as specified in the Session Timeout field in the Control Properties/Authentication screen). Each successful access resets the timer to zero.
  Reauthentication for POST Requests: Every request sent by the client which may change the server's configuration or data requires the user to enter a new password.
  Reauthentication for Every Request: Every request for a connection requires the user to enter a new password. This option is useful when access to some pages must be severely restricted. It is recommended that pages such as these be handled by a separate server.
Authentication Properties
FireWall-1 Version 4.0 provides authentication schemes that validate all connection attempts within an internal network. FireWall-1 authenticates connections based on users, clients or sessions, depending on how system administrators set up FireWall-1 authentication.
Authentication Tab Setup
To set up the Authentication tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Authentication tab from the Properties Setup screen.
3. The Authentication tab appears (Figure 157):
The Authentication tab contains the following information:
User Authentication/Session Timeout: Click the arrow to set the amount of time (in minutes) before the session will time out if there is no activity. This applies to FTP, TELNET, RLOGIN, and the HTTP Authenticating Server.
Client Authentication: Check to have FireWall-1 automatically sign off the connection if there is no activity during the authorization period of a client-authentication session.
Authentication Failure Track: Select the action to take if authentication fails (applies to all authentication rules): None, Log or Alert.
SYNDefender Properties
SYNDefender is a proprietary FireWall-1 application that protects against denial-of-service attacks from external networks. SYNDefender does this by intercepting all SYN packets, which are connection-request packets from an external-network client to an internal-network server. SYNDefender then mediates any connection attempts before they reach the internal network. By sending several SYNs at once, an attacking client can effectively tie up internal-network servers, making it impossible for legitimate users to access the internal network (Figure 158):
SYNDefender Tab Setup
To set up the SYNDefender tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the SYNDefender tab from the Properties Setup screen.
The SYNDefender tab contains the following information:
Method: Choose one of the following:
  None: SYNDefender is not deployed. (If you choose this option, your network will not be protected from SYN attacks.)
  SYN Gateway: Deploy the SYN Gateway method.
  Passive SYN Gateway: Deploy the Passive SYN Gateway method.
Timeout: Click the arrow to set the amount of time (in seconds) SYNDefender waits for an acknowledgment before concluding that the connection is a SYN attack.
Maximum Sessions: Click the arrow to set the maximum number of protected sessions. This number specifies the number of entries in an internal connection table maintained by SYNDefender. If the table is full, SYNDefender will not examine new connections.
Display Warning Messages: Check to have SYNDefender print console messages regarding its status.
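The Timeout and Maximum Sessions settings above are given concrete shape in this added Python example of a half-open connection table; it is not Check Point code, the page does not describe SYNDefender's internal algorithm, and the table layout, event names and all sample traffic are constructed for illustration.

```python
"""Toy half-open connection table driven by the two SYNDefender settings above,
Timeout and Maximum Sessions (added example, not Check Point code).

The page does not describe SYNDefender's internal algorithm; the table layout,
event names and all sample traffic below are constructed for illustration.
"""


class SynTable:
    """Tracks SYNs that have not yet been acknowledged."""

    def __init__(self, timeout, max_sessions):
        self.timeout = timeout              # seconds to wait for the acknowledgment
        self.max_sessions = max_sessions    # entries in the protected-session table
        self.pending = {}                   # (client, server, port) -> time SYN was seen
        self.suspected = []                 # entries that timed out: counted as a SYN attack
        self.unexamined = 0                 # SYNs seen while the table was full (not protected)
        self.established = 0

    def expire(self, now):
        """Drop entries older than the timeout and record them as suspected attack SYNs."""
        stale = [k for k, seen in self.pending.items() if now - seen >= self.timeout]
        for key in stale:
            del self.pending[key]
            self.suspected.append(key)
        return len(stale)

    def on_syn(self, key, now):
        self.expire(now)
        if key in self.pending:
            return "retransmit"
        if len(self.pending) >= self.max_sessions:
            self.unexamined += 1            # table full: the new connection is not examined
            return "unexamined"
        self.pending[key] = now
        return "tracked"

    def on_ack(self, key, now):
        self.expire(now)
        if self.pending.pop(key, None) is None:
            return "unknown"
        self.established += 1
        return "established"


def replay(events, timeout, max_sessions):
    """Feed (time, kind, key) events through a SynTable and summarise what happened."""
    table = SynTable(timeout, max_sessions)
    handlers = {"SYN": table.on_syn, "ACK": table.on_ack}
    for now, kind, key in sorted(events, key=lambda e: e[0]):
        handlers[kind](key, now)
    table.expire(max(e[0] for e in events))
    return {
        "established": table.established,
        "suspected": len(table.suspected),
        "unexamined": table.unexamined,
        "pending": len(table.pending),
    }


# Constructed sample: one client completes its handshake; three SYNs never do,
# one arrives while the three-entry table is full, and a late SYN finds room
# again once the stale entries have timed out.
SERVER = ("198.51.100.10", 80)
SAMPLE_EVENTS = [
    (0.0, "SYN", ("203.0.113.5", *SERVER)),
    (0.0, "SYN", ("203.0.113.6", *SERVER)),
    (0.0, "SYN", ("203.0.113.7", *SERVER)),
    (1.0, "ACK", ("203.0.113.5", *SERVER)),
    (2.0, "SYN", ("203.0.113.8", *SERVER)),
    (3.0, "SYN", ("203.0.113.9", *SERVER)),     # table full (6, 7, 8 pending): unexamined
    (12.0, "SYN", ("203.0.113.5", *SERVER)),    # 6, 7, 8 have timed out: tracked again
]


def sample_summary():
    return replay(SAMPLE_EVENTS, timeout=10, max_sessions=3)


if __name__ == "__main__":
    print(sample_summary())
```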
Lightweight Directory Access Protocol (LDAP), which is a set of protocols for accessing information directories, supports FireWall-1 TCP/IP connections, necessary for any type of Internet access. LDAP support allows LDAP-based user databases to be fully integrated into FireWall-1. Other features of FireWall-1 LDAP support include the following:
- Internet client access and management of users over TCP/IP connections
- Netscape support
- Included in Windows NT version 5.x
- Support for multiple, distributed and redundant user databases
- GUI to manage LDAP servers and support FireWall-1 authentication
- FireWall-1 access to the LDAP server for user-properties management
- SSL encryption support
LDAP Tab Setup
To set up the LDAP tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the LDAP tab from the Properties Setup screen.
3. The LDAP tab appears (Figure 160):
The LDAP tab contains the following information:
Use LDAP Account Management: Check to allow User Authentication to use LDAP Account Units, in addition to the FireWall-1 internal user database. When this field is checked, the other fields in the window are enabled. If this field is not checked, User Authentication will use only the FireWall-1 internal user database.
AccountManagement-1 Properties:
  Time-Out on LDAP Requests: Type in the amount of time (in seconds) before an LDAP request will be considered to have timed out.
  Time-Out on Cached Users: Type in the amount of time (in seconds) before a cached user will be considered no longer valid and will be fetched again from the LDAP server.
  Cache Size (Users): Type in the number of users that will be cached.
  Days before Password Expires: Check and type in the number of days before the Password (specified in the General tab of the Account Unit Properties window) expires. This field is disabled until checked.
  Number of Entries Account Unit Can Return: Type in the number of users that can be returned in response to a single query to the Account Unit.
  Display User's DN at Login: Check to display an LDAP user's DN at login, before the user is prompted for a password.
FireWall-1 provides multiple encryption schemes. Key management and an internal certificate authority are fully integrated with other FireWall-1 features. FireWall-1 supports the following encryption schemes: FWZ, IPSec, SKIP and ISAKMP/Oakley.
FWZ
FWZ is a FireWall-1 proprietary encryption scheme. FWZ manages key encryption automatically, including updating public keys. FWZ encryption does the following:
- Encrypts all data behind the IP and TCP headers, using in-place encryption
- Uses a reliable-data protocol to manage VPN session keys, encryption methods and data integrity
- Obtains certified Diffie-Hellman public keys from a trusted certificate authority
- Supports FWZ-1, DES and Triple DES algorithms, using a 40-bit encryption key that is exportable outside the United States
- Uses the FWZ scheme to verify public keys
Manual IPSec
IPSec is an encryption scheme with optional Message Authentication (MAC). A security association is associated with each packet, consisting of:
- Functionality: Indicates whether the packet is encrypted, authenticated or both.
- Algorithms: Specifies the encryption algorithm and authentication algorithm used in the packet.
- Keys used in the above algorithms
- Additional data
IPSec has two shortcomings:
- The keys are fixed over the duration of the connection
- There is no mechanism for exchanging keys
SKIP
SKIP overcomes the shortcomings of IPSec by providing a hierarchy of keys that change over time. This is used to encrypt the connection as well as to implement a key protocol.
ISAKMP/Oakley
ISAKMP/Oakley is a standard for negotiating Security Associations (SA) between two hosts that will be using IPSec, and is the key management scheme that was chosen for IP Version 6. In IP Version 4, ISAKMP/Oakley is optional. ISAKMP/Oakley offers improved authentication (HMAC) and Perfect Forward Secrecy (PFS).
Encryption Tab Setup
To set up the Encryption tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Encryption tab from the Properties Setup screen.
3. The Encryption tab appears (Figure 161):
The Encryption tab contains the following information:
Respond to unauthenticated cleartext topology requests: Check to respond to topology requests from SecuRemote Clients even if the request is not encrypted. This feature enables backwards compatibility with earlier versions of the SecuRemote Clients.
Enable Exportable SKIP: Check to generate keys for exportable SKIP, in addition to non-exportable SKIP keys, and conduct SKIP encryption with other hosts that are enabled only for exportable SKIP.
Change SKIP key every (seconds): Type in the number of seconds after which the SKIP session key is changed.
Change SKIP key every (bytes): Type in the number of bytes transferred after which the SKIP session key is changed.
ISAKMP Key Renegotiation:
  Renegotiate IPSec SAs every: Type in the number of seconds after which the IPSec session key is changed.
  Renegotiate ISAKMP SAs every: Type in the number of minutes after which the ISAKMP session key is changed.
Manual IPSec SPI Allocation Range: Type in the range reserved for allocation of Manual IPSec SPIs; ISAKMP will allocate SPIs from outside this range.
The Miscellaneous screen of the Properties Setup window defines properties relating to load balancing, which is a FireWall-1 algorithm that prevents internal-network (system) servers from handling a disproportionate amount of network traffic. Incoming packets routed through a FireWall-1 computer are directed to the system servers with the lightest loads.
Miscellaneous Tab Setup
To set up the Miscellaneous tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Miscellaneous tab from the Properties Setup screen.
3. The Miscellaneous tab appears (Figure 162):
The Load Balancing tab contains the following information:
Load Balancing:
  Load Agents Port: Type the port on which the Load Measurement Agent communicates.
  Load Measurement Interval: Click the arrow to set the interval at which the Load Measurement Agent measures the load.
Log Viewer Resolver Properties:
  Page Timeout: Click the arrow to set the time (in seconds) before a page timeout occurs.
When a rule is installed on a router, FireWall-1 generates access lists and loads them to the router. Access lists can be viewed and verified before installing a security policy. Verification checks that the rules are consistent and that no rule is redundant. If a rule base fails the verification, an appropriate message will appear.
Access Lists Tab Setup
To set up the Access Lists tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Access Lists tab from the Properties Setup screen.
3. The Access Lists tab appears (Figure 163):
The Access Lists tab contains the following information:
Accept Established TCP Connections: Check to accept packets of established TCP connections. Click the arrow to select the rule base order (First, Last or Before Last).
Accept RIP: Check to enable the Routing Information Protocol used by the routed daemon. Click the arrow to select the rule base order (First, Last or Before Last).
Accept Domain Name Queries (UDP): Check to accept domain-name queries used by named. As with Accept Domain Name Queries in the Security Policy tab, if named does not know the IP address associated with a particular host name, it issues a query to the name server on the Internet. Click the arrow to select the rule base order (First, Last or Before Last).
Accept Domain Name Download (TCP): Check to allow uploading of domain name-resolving tables. Tables of Internet host names and their associated IP addresses and other data can be uploaded from designated servers on the Internet. Click the arrow to select the rule base order (First, Last or Before Last).
Accept ICMP: Check to accept Internet Control Messages. The IP layer on each system uses ICMP (Internet Control Message Protocol) to send control messages (for example, destination unreachable, source quench, route change) to other systems. This protocol is commonly used to assure proper and efficient operation of IP. Click the arrow to select the rule base order (First, Last or Before Last). In Figure 163 on page 215, the Accept ICMP property is set to Before Last to enable the user to define more detailed ICMP-related rules that will be enforced before this property. If this property were First, there would be no opportunity for the user to address ICMP in the rule base. If it were Last, it would be enforced after the last rule (which typically rejects all packets) and would thus have no effect. Enabling this option does not enable ICMP Redirect. If you wish to enable ICMP Redirect, you must do so in the rule base.
3. Create a rule base:
  Source: where the communication is coming from
  Destination: where the communication is going to
  Services: what kind of communication it is
  Action: what to do with the communication
  Track: log or alert
  Install on: who will enforce the rule
  Time: during what time this action can take place
  Comment: description of the rule
Review
Summary
FireWall-1 allows administrators to define and enforce security policies to provide the most effective security for their internal networks. In this chapter, you learned why creating the best security policy for your system is so important. A security policy is a set of rules that defines your internal network's security. In FireWall-1, the security policy is defined using a rule base, which translates your security policy into a collection of individual rules. FireWall-1 creates pseudo rules, also called implicit rules, derived from the properties and from the explicit rules created in the rule base. When defining security policy properties, you must consider the rule base order. FireWall-1 examines the rule base rule by rule: it inspects packets by comparing them to the existing security policy, one rule at a time. For this reason, it is important to define each rule in a security policy in the appropriate order. A security policy is defined not only by the rule base, but also by parameters specified in the Security Policy tab of the Properties Setup screen. These parameters enable the user to control all aspects of a packet's inspection, while at the same time freeing the user of the need to specify repetitive detail in the rule base.
Review Questions
3. In what order are policies and rules matched?
Objectives
- Demonstrate how to use the FireWall-1 rule base editor to create a security policy
- Verify and install a security policy
Key Terms
There are times when verifying a security policy is useful to system administrators. By verifying a security policy, you can do the following:
- Create a security policy but not install it on a firewalled computer
- Ensure all rules in a security policy are accurate
- Test a security policy before installing it on a firewalled computer
To verify a security policy, follow these steps:
1. Select Verify from the Policy menu (Figure 164):
2. If the security policy fails verification, refer to the error message to determine which rule (or rules) is in conflict. Analyze the conflicting rule (or rules) and modify the security policy as needed.
3. If the security policy passes verification, apply it by selecting Install from the Policy menu (Figure 165):
5. Click OK.
6. The security policy will now be installed on all selected firewalled objects.
Detecting Spoofing
When considering firewall issues, system administrators must consider spoofing, which is a method of making packets appear as if they come from authorized IP addresses. A packet originating on the Internet and going to an internal network may be disguised as a local packet, or the packet could carry a legal IP address that belongs to the internal network. If undetected, this packet might have unrestricted access to the internal network. To solve this problem, FireWall-1 uses an anti-spoofing feature, which ensures that the IP addresses of packets entering a system are valid. FireWall-1 examines the IP addresses of incoming packets to validate that these addresses are valid for the network from which they come.
When creating firewalled objects, FireWall-1 defaults to no anti-spoofing. When considering security policy issues, system administrators must decide whether or not to apply anti-spoofing to objects. This is important, because anti-spoofing rules defined in an object's properties are enforced before any rule in the security policy's rule base.
Adding Anti-Spoofing
To add anti-spoofing, modify the firewalled object's properties. The Interfaces tab of the Workstation Properties screen allows you to add an anti-spoofing IP address to a workstation (Figure 167):
To add anti-spoofing to an object, modify the object's properties:
1. Select the object from the Network Objects Manager.
2. Click Edit and select the Interfaces tab (Figure 167).
3. Click Edit on the Interfaces tab. The Interface Properties screen appears (Figure 168):
4. Define the Interface properties by completing the fields.
5. Click OK when finished.
Interface Properties
Name: The interface associated with the host name.
Net Address: The IP address of the host.
Net Mask: If the network is a standard class A, B, or C network, the Net Mask does not need to be specified.
Valid Addresses:
  Any: Default selection. Does not allow spoof tracking.
  This net: Packets whose source IP addresses are part of the network connected to this interface are allowed. This option is typically used for internal interfaces of the last network.
  No security policy!: This option is used when the security policy is enforced on another interface of this object, while leaving this interface open.
  Others: All packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's interfaces.
  Others +: All packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's interfaces. However, packets from the addresses listed under Others + are allowed.
  Specific: Only packets from this object are allowed.
Spoof tracking: Spoofed packets are always dropped. The additional action is chosen by selecting one of the following options:
  None: No additional action is taken.
  Log: The spoofing attempt is logged.
  Alert: The action specified in the Anti Spoof Alert Command field in the Log and Alert tab of the Properties Setup screen is taken.
When anti-spoofing is specified, an implicit anti-spoof rule is generated, which comes first in the rule base (even before properties specified in the Security Policy tab of the Properties Setup screen).
In general, routers examine only destination addresses, but Cisco version 10 and 11 and Bay Networks examine source addresses when anti-spoofing is defined. Routers supported by FireWall-1 have varying anti-spoofing capabilities (Table 19):
Table 19: Anti-Spoofing Capabilities
No anti-spoofing capabilities.
Capable of detecting spoofing in both directions only on the interface connected to the outside.
Can detect spoofing in both directions.
Can detect spoofing on incoming packets only.
No anti-spoofing capabilities.
Valid Addresses
On interface qe1, only packets whose source IP address belongs to the internal network should be allowed to enter. A packet with another source IP address coming in on qe1 is spoofed. The same is true for qe0. On le0, only packets with source IP addresses other than those belonging to the DMZ or the localnet should be allowed to enter.
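The following is an added example, not Check Point code, that models the Valid Addresses decision described above for the three-interface gateway: qe1 and qe0 use This net, le0 uses Others with the DMZ and local network listed, and each interface has a spoof tracking setting. The interface names come from the text; LOCALNET, DMZ, the sample packets and all function names are constructed for the illustration.

```python
"""Anti-spoofing check modelled on the FireWall-1 Valid Addresses options.

Added, illustrative example (not Check Point code). The interface names
qe0, qe1 and le0 come from the text; LOCALNET, DMZ, the packet samples and
every function name here are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample address space (assumption, not from the course).
LOCALNET = ipaddress.ip_network("192.168.1.0/24")
DMZ = ipaddress.ip_network("172.16.1.0/24")


@dataclass
class Interface:
    name: str
    # Valid Addresses mode: "any", "this_net", "others", "others_plus", "specific"
    mode: str
    # Networks listed under Valid Addresses for this interface.
    nets: List[ipaddress.IPv4Network] = field(default_factory=list)
    # Additional networks allowed under "Others +".
    extra: List[ipaddress.IPv4Network] = field(default_factory=list)
    # Spoof tracking: "none", "log" or "alert".
    tracking: str = "none"


def source_is_valid(iface: Interface, src: ipaddress.IPv4Address) -> bool:
    """Decide whether a packet with source `src` may enter through `iface`."""
    listed = any(src in net for net in iface.nets)
    if iface.mode == "any":
        return True                      # no spoof tracking possible
    if iface.mode in ("this_net", "specific"):
        return listed                    # only the connected/specified network
    if iface.mode == "others":
        return not listed                # anything except the listed networks
    if iface.mode == "others_plus":
        return not listed or any(src in net for net in iface.extra)
    raise ValueError(f"unknown Valid Addresses mode {iface.mode!r}")


def inspect(iface: Interface, src_ip: str, log: List[str]) -> str:
    """Apply the implicit anti-spoof rule; spoofed packets are always dropped."""
    src = ipaddress.ip_address(src_ip)
    if source_is_valid(iface, src):
        return "accept"
    if iface.tracking in ("log", "alert"):
        log.append(f"{iface.name}: spoofed packet from {src} dropped ({iface.tracking})")
    return "drop"


def gateway_interfaces() -> Dict[str, Interface]:
    """The three-interface gateway of the Valid Addresses discussion."""
    return {
        "qe1": Interface("qe1", "this_net", [LOCALNET], tracking="log"),
        "qe0": Interface("qe0", "this_net", [DMZ], tracking="log"),
        # External side: everything except our own internal and DMZ ranges.
        "le0": Interface("le0", "others", [DMZ, LOCALNET], tracking="alert"),
    }


def run_samples():
    """Run constructed sample packets through the gateway; return verdicts and log."""
    ifaces = gateway_interfaces()
    samples = [
        ("qe1", "192.168.1.10"),   # internal host on the internal interface
        ("qe1", "203.0.113.7"),    # outside address arriving on the inside: spoofed
        ("le0", "192.168.1.10"),   # our own internal address arriving from outside: spoofed
        ("le0", "203.0.113.7"),    # ordinary Internet source
        ("qe0", "172.16.1.20"),    # DMZ host on the DMZ interface
    ]
    log: List[str] = []
    verdicts = [(name, src, inspect(ifaces[name], src, log)) for name, src in samples]
    return verdicts, log


if __name__ == "__main__":
    verdicts, log = run_samples()
    for name, src, verdict in verdicts:
        print(f"{name:4} {src:15} {verdict}")
    print("\n".join(log))
```

The "Any" mode accepts everything and therefore cannot track spoofing, which is why the text says it does not allow spoof tracking; the other modes reduce to a membership test against the networks listed for the interface.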
Anti-spoofing should be defined on the gateway's three interfaces (Figure 169 and Table 20):
2. Select fw.yourcity.com and click Edit.
3. Click the Interfaces tab.
4. Click SNMP Get. This will retrieve the interface properties for your firewall.
3. In Valid Addresses, select This Net.
4. For Spoof Tracking, select Log.
5. Click OK.
Remember: The Stealth rule cannot be used as rule #1 if you use Manual Client Authentication and/or use a tunneling encryption scheme.
Review
Summary
Defining and installing a security policy is vital to protect your network. There are times when verifying a security policy is useful to system administrators. By verifying a security policy, you can do the following:
Create a security policy but not install it on a firewalled computer
Ensure all rules in a security policy are accurate
Test a security policy before installing it on a firewalled computer
When considering firewall issues, system administrators must consider spoofing, which is a method of making packets appear as if they came from authorized IP addresses. To solve this problem, FireWall-1 uses an anti-spoofing feature, which ensures the IP addresses of packets entering a system are valid. FireWall-1 examines the IP addresses of incoming packets to validate that these addresses are valid for the network from which they come.
Review Questions
3. What is the default action when FireWall-1 adds the first rule base in a security policy?
Key Terms
user authentication
client authentication
session authentication
transparent user authentication
implicit client authentication
transparent session authentication
session authentication agent
Authentication
Objectives
List types of services supported by FireWall-1 requiring user names and passwords
Understanding Authentication
FireWall-1 uses three types of authentication: user, client and session:
User authentication authenticates users for specific services (FTP, HTTP, HTTPS, TELNET and RLOGIN). User authentication enables an administrator to grant specific users special access privileges.
Client authentication authenticates users of any service (standard or customized). Client authentication requires users to TELNET to port 259 or connect to the firewall with a Web browser on HTTP port 900 to be authenticated for a service. FireWall-1 supports implicit client authentication and automatic client-authentication sign-off.
Session authentication works like client authentication but requires the session authentication agent to be installed. Session authentication does not require users to authenticate (using TELNET or a Web browser) to the firewall. However, the user must be authenticated each session.
User Authentication
FireWall-1's transparent user authentication provides access privileges on a per-user basis for FTP, HTTP, HTTPS, TELNET, and RLOGIN, regardless of the user's IP address. Depending on authentication scheme properties, a password can be used once or given an expiration parameter by the administrator. The system administrator grants special access privileges to certain users, regardless of IP address. If another user discovers the authentication parameters, he then has access to any client the original user had. User authentication is restricted to the following services:
FTP
HTTP
HTTPS
TELNET
RLOGIN
How User Authentication Works
To understand how user authentication works, follow these steps (Figure 177):
1. Client initiates an FTP, HTTP, HTTPS, TELNET or RLOGIN connection to the destination server.
2. Using the same connection as the client, FireWall-1 asks for authorization from the client.
3. Client responds with ID and password.
4. FireWall-1 allows the connection.
Transparent user authentication is FireWall-1's default, allowing the user to initiate a connection directly to the server. For transparent authentication, the user must provide the following information:
user name on the gateway
authentication data (password) on the gateway
user name on the target host
authentication data (password) on the target host
For non-transparent user authentication, a user wishing to use a user authenticated service must first start a session for that service on the gateway. After authenticating on the gateway, FireWall-1 opens a connection to the true destination.
Client Authentication
Client authentication enables an administrator to grant access privileges to a specific IP address: typically a single-user machine, such as a PC. In contrast to user authentication, client authentication is not restricted to specific services, but provides a mechanism for authenticating any application: standard or custom. FireWall-1 client authentication is not transparent, and does not require additional software or modifications on either the client or server. The administrator can determine how each individual is authenticated, which servers and applications are accessible, at what times and days, and how many sessions are permitted.
How Client Authentication Works
To understand how client authentication works, follow these steps (Figure 178):
1. Client initiates a TELNET or HTTP connection to the firewall. Client authentication requires users to TELNET to port 259 or connect to the firewall with a Web browser on HTTP port 900 to be authenticated for a service.
2. The firewall asks for the ID and password and verifies the user is authentic. FireWall-1 recognizes the client's IP address and allows access to the destination server. Connection to the destination server is closed by time-out, logout or number of sessions.
Implicit client authentication also extends access privileges to a specific client without requiring the user to initiate an additional session on the gateway. If the user authenticates under a user authentication or session authentication rule, then FireWall-1 knows which user is on the client, and an additional client authentication session (the TELNET to port 259 or HTTP to port 900) is not necessary.
When implicit client authentication is enabled, and a user successfully performs user or session authentication, FireWall-1 opens all the standard sign-on client authentication rules in the rule base. In other words, the user is considered to have at the same time successfully performed client authentication on the client at which they successfully performed user or session authentication. This option differs from the partially and fully automatic options, in which only the first matching client authentication rule is opened. If implicit client authentication is enabled, and an automatic sign-on rule is opened, all the standard sign-on rules are opened (in addition to the automatic rule). If you enable implicit client authentication, then you should define your rules in the following order:
1. User authentication rules for HTTP
2. Client authentication rules
3. User and session authentication rules for non-HTTP services
The first time through, the user and session authentication rules are applied. The second time through, client authentication rules are applied. However, user authentication rules are always applied for HTTP, preventing the browser from sending the authentication password to the HTTP server. This happens because the client authentication rules do not use the FireWall-1 security servers.
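As an added example (not Check Point code), the following models the client authentication grant described above: a grant is tied to a client IP address, it ends by time-out, by sign-off or when the permitted number of sessions is used up, and implicit client authentication lets a successful user or session authentication open the same grant without a separate port 259/900 session. The class, its method names, the timeout and session values and the sample IP addresses are all constructed.

```python
"""Client authentication grant table, modelled on the FireWall-1 description.

Added example, not Check Point code. Tracks the three ways a client
authentication grant ends (time-out, sign-off, session count) and implicit
client authentication. All names, limits and sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Grant:
    user: str
    expires_at: float        # absolute time (seconds) when the grant times out
    sessions_left: int       # connections still permitted under this grant


class ClientAuthTable:
    def __init__(self, timeout: float, max_sessions: int):
        self.timeout = timeout
        self.max_sessions = max_sessions
        self._grants: Dict[str, Grant] = {}

    def sign_on(self, client_ip: str, user: str, now: float) -> None:
        """Standard sign-on: the user authenticated on port 259/900 from client_ip."""
        self._grants[client_ip] = Grant(user, now + self.timeout, self.max_sessions)

    def implicit_sign_on(self, client_ip: str, user: str, now: float,
                         implicit_enabled: bool) -> None:
        """Called after a successful user or session authentication from client_ip."""
        if implicit_enabled:
            self.sign_on(client_ip, user, now)

    def sign_off(self, client_ip: str) -> None:
        """Explicit logout, or used internally when a grant is exhausted."""
        self._grants.pop(client_ip, None)

    def open_connection(self, client_ip: str, now: float) -> bool:
        """True if a new connection from client_ip is allowed; consumes one session."""
        grant = self._grants.get(client_ip)
        if grant is None:
            return False                  # never signed on, or already signed off
        if now >= grant.expires_at:       # time-out
            self.sign_off(client_ip)
            return False
        if grant.sessions_left <= 0:      # permitted number of sessions used up
            self.sign_off(client_ip)
            return False
        grant.sessions_left -= 1
        return True


def run_scenario() -> List[bool]:
    """Constructed sequence of events; returns the connection verdicts in order."""
    table = ClientAuthTable(timeout=600.0, max_sessions=2)
    verdicts = []
    verdicts.append(table.open_connection("10.96.1.50", now=0.0))      # not signed on
    table.sign_on("10.96.1.50", "bob", now=0.0)
    verdicts.append(table.open_connection("10.96.1.50", now=10.0))     # session 1
    verdicts.append(table.open_connection("10.96.1.50", now=20.0))     # session 2
    verdicts.append(table.open_connection("10.96.1.50", now=30.0))     # limit reached
    table.sign_on("10.96.1.50", "bob", now=100.0)
    verdicts.append(table.open_connection("10.96.1.50", now=800.0))    # timed out
    table.implicit_sign_on("10.96.1.51", "lisa", now=0.0, implicit_enabled=True)
    verdicts.append(table.open_connection("10.96.1.51", now=1.0))      # implicit grant
    table.implicit_sign_on("10.96.1.52", "larry", now=0.0, implicit_enabled=False)
    verdicts.append(table.open_connection("10.96.1.52", now=1.0))      # no implicit grant
    return verdicts
```

Because the grant is keyed by IP address rather than by user, anyone on that machine inherits it until it ends; this is the trade-off the text describes when it contrasts client authentication with per-session authentication.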
Session Authentication
System administrators can grant access privileges to a user without regard to the associated IP address. Session authentication provides a transparent per-session authentication that can be integrated with any application. Session authentication is the smoothest and least resource intensive connection. The authentication is performed by the daemon module and then the packets are accepted by the kernel module.
How Session Authentication Works
To understand how session authentication works, follow these steps (Figure 179):
1. Client attempts to contact server.
2. FireWall-1 blocks the packet and contacts the session authentication agent.
3. Session authentication agent pops up on the client's screen. Client enters ID and password. Client's ID and password are sent to the firewall.
4. FireWall-1 accepts the ID and password and allows connection to the server.
Transparent session authentication can be used to authenticate any service on a per-session basis. After the user initiates a connection directly to the server, the FireWall-1 gateway (located between the user and the destination) intercepts the connection. It recognizes that user-level authentication is required, and initiates a connection with a session authentication agent. The session authentication agent is a utility provided with FireWall-1 and must be installed on any workstation using session authentication. The agent performs the required authentication, which allows the connection to continue to the requested server if permitted.
Type      Services                    Access granted per
User      FTP, HTTP, TELNET, RLOGIN   Session
Client    All services                IP address (multiple sessions), in a separate non-transparent authentication session; access any service defined as client authenticated
Session   All services                Session
Implementing Authentication
Authentication Schemes
Determine the authentication scheme to assign to a user from the following:
Internal Authentication Schemes:
S/Key: The user enters the value of the requested S/Key iteration. A user whose authentication scheme is S/Key can be authenticated only on one gateway. S/Key is more secure than other forms of authentication schemes; however, it is more complicated to set up, requiring user training.
FireWall-1 Password: The user enters an assigned FireWall-1 password. The advantage of a FireWall-1 password over the OS password is that the user does not require an OS account on the gateway to use a FireWall-1 password.
OS Password: The user enters an OS password and must have an OS account on the firewall in order to authenticate. FireWall-1 refers to the local OS user database on the firewalled machine. The OS Password is typically the user's network logon password.
External Authentication Schemes:
LDAP: The user is prompted for a response from the LDAP server.
SecurID: The user enters the Security Dynamics PASSCODE.
RADIUS: The user is prompted for a response from the RADIUS server.
AXENT Pathways Defender: The user is prompted for a response from the AXENT server.
TACACS: The user is prompted for a response from the TACACS server.
S/Key, LDAP, SecurID, RADIUS, AXENT and TACACS are enabled as FireWall-1's default. OS Password and FireWall-1 Password must be selected to enable these authentication schemes.
When any external authentication scheme is used, a generic* user should be created to prevent the administrative overhead of maintaining duplicate user accounts on both the firewall and the external server.
Authentication Setup
User, client and session authentication are set up in a similar manner. When authenticating a user in FireWall-1, follow these steps:
1. Define the user in the User Manager. Select Users from the Manage menu (Figure 180):
3. Click New to set up a new user, or select an existing user. Click Edit to configure the authentication scheme.
4. Select the authentication tab of the User Properties screen (Figure 182):
5. Specify the authentication scheme and other user properties. Authentication properties setup screens vary depending on the authentication scheme selected (Figure 183):
Complete the following fields for the S/Key authentication scheme:
Seed: A random name or number.
Secret Key: Chosen by the user (should be at least 10 characters long).
Length: Number of iterations.
Installed On: The gateway that will perform the authentication.
Method: The hashing method.
Print Chain: Print the password chain. The Print Chain option is available only immediately after generating a new chain.
Erase this password file as soon as possible, so that your passwords will not be compromised.
6. Click OK and close the User Manager.
7. Enable the authentication scheme for the firewalled object. Select Network Objects from the Manage menu, and the Network Objects Manager appears (Figure 184):
8. Select the firewalled object and click Edit. Select the Authentication tab and enable the authentication scheme defined in the User Manager by checking the appropriate box (Figure 185):
9. Click OK and close the Network Object Manager.
10. To add an authentication rule to the rule base, right-click the Action column of a new rule and select User, Client or Session Authentication (Figure 186):
11. Configure the authentication rule by right-clicking the Action column of the rule again and selecting Edit Properties (Figure 187):
12. Configure the User, Client or Session Authentication Action Properties (Figure 188):
Figure 188: Authentication Action Properties screens
13. Click OK and install the security policy by selecting Install from the Policy menu.
Create users
Create the following users: Bob, Larry, Junior, Keeter, Lisa, Brianna, Skippy, JoAnn:
1. Click Manage > Users > New > Default.
2. Enter the user's name.
3. Select the appropriate color.
4. Leave the Expiration Date field empty.
5. Select the Authentication tab and verify that FireWall-1 password is selected as the authentication method.
6. Enter a password for the user (abc123).
7. Click OK.
3. Type 99 guest in the first box.
4. Type in the secret password (abc1234567).
5. Click Compute one-time password.
6. Note the password that is generated. You will need this later.
7. Now TELNET to www.boogeyman.com.
8. For User, type guest.
9. For the S/Key string, enter the one-time password you noted earlier. Press Enter. You should now be connected.
10. Check your log file to verify the connection.
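To show what the calculator in this lab and the gateway behind it are doing, here is an added example (not Check Point's S/Key implementation) of a one-time password chain in the style of S/Key, using the MD5 variant of RFC 2289: the gateway stores only the most recently accepted password, a response is accepted when hashing it once reproduces that stored value, and the chain then advances so the same password cannot be replayed. The seed "guest", the challenge "99 guest" and the secret abc1234567 are the lab's values; the hex encoding (FireWall-1 prints the six-word form), the Length of 100 and the class and function names are constructed.

```python
"""One-time password chain in the style of S/Key (RFC 2289, MD5 variant).

Added example, not Check Point's S/Key implementation. The seed "guest",
the iteration count 99 and the secret abc1234567 are the lab's values; the
hex output, the Length of 100 and all names here are constructed.
"""
import hashlib
import struct


def fold_md5(data: bytes) -> bytes:
    """MD5, then fold 128 bits to 64 by XOR-ing word 0 with 2 and word 1 with 3."""
    w0, w1, w2, w3 = struct.unpack("<4I", hashlib.md5(data).digest())
    return struct.pack("<2I", w0 ^ w2, w1 ^ w3)


def one_time_password(secret: str, seed: str, count: int) -> str:
    """Password number `count`: the initial fold of seed+secret, then `count` more folds."""
    value = fold_md5((seed.lower() + secret).encode())   # seed is case-insensitive
    for _ in range(count):
        value = fold_md5(value)
    return value.hex()


class SkeyGateway:
    """Gateway side: keeps only the last accepted password, never the secret."""

    def __init__(self, seed: str, length: int, enrolment_password: str):
        self.seed = seed
        self.sequence = length
        self.stored = enrolment_password      # password number `length`, given at enrolment

    def challenge(self) -> str:
        """The prompt the user types into the calculator, e.g. '99 guest'."""
        return f"{self.sequence - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Hashing the response once must reproduce the stored value; then advance."""
        try:
            candidate = fold_md5(bytes.fromhex(response_hex)).hex()
        except ValueError:
            return False                      # not a well-formed password
        if candidate != self.stored:
            return False
        self.stored = response_hex            # the chain moves one step down
        self.sequence -= 1
        return True


def run_lab():
    """Replay the lab: enrol with Length 100, answer '99 guest', then try a replay."""
    secret, seed = "abc1234567", "guest"
    gw = SkeyGateway(seed, 100, one_time_password(secret, seed, 100))
    results = {"challenge": gw.challenge()}
    otp99 = one_time_password(secret, seed, 99)
    results["first_login"] = gw.verify(otp99)
    results["replay"] = gw.verify(otp99)              # same password again is refused
    results["next_challenge"] = gw.challenge()
    results["second_login"] = gw.verify(one_time_password(secret, seed, 98))
    results["wrong_secret"] = gw.verify(one_time_password("wrong", seed, 97))
    return results
```

The chain is why the lab tells you to erase the printed password file: every password from the current sequence number downwards is valid once, and the gateway has no way to distinguish the legitimate user from someone reading the list.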
Does it work? (It should not.)
2. From your Web server, use client authentication to authenticate the service by connecting to port 259 (using TELNET) of your firewall. Use the following command:
# telnet fw.yourcity.com 259
Make sure the session agent is running. If not, ask your instructor for help.
Review
Summary
FireWall-1 technology gives networks the ability to distribute security throughout the enterprise. Security implementations can and should be established to protect the inside of the organization from the outside, and between groups of users and resources, while ensuring authenticated communications within the organization. FireWall-1 uses three types of authentication: user, client and session:
User authentication authenticates users for specific services.
Client authentication authenticates users of any service (standard or customized). Client authentication requires users to TELNET to port 259 or connect to the firewall with a Web browser on HTTP port 900 to be authenticated for a service. FireWall-1 supports implicit client authentication and automatic client-authentication sign-off.
Session authentication works like client authentication but requires the session authentication agent to be installed. Session authentication does not require users to authenticate (using TELNET or a Web browser) to the firewall.
Review Questions
2. What is the advantage of using transparent session authentication versus other types of authentication?
3. When defining user authentication, where do you add the authentication rule?
Network Address Translation
Objectives
Describe why network address translation is necessary
Outline the process that FireWall-1 uses to translate IP addresses
Identify and define the three address translation modes
Show how to set up all address translation modes
Key Terms
Network Address Translation (NAT)
Internet Protocol (IP) address
classful addressing
network address translation modes
IP address translation
static source mode
static destination mode
hide mode
address translation rule base
Availability of IP Addresses
Today's computing industry suffers from a limited supply of IP addresses. When you purchase service from an Internet Service Provider (ISP), you purchase a block of IP addresses that become addresses for the individual computers in your internal network. Because IP addresses are limited in supply, you must know how to translate internal IP addresses to legal external addresses. A reserved and finite set of IP addresses is used for address translation. In order to provide the flexibility required to support different size networks, IP address space is divided into three different address classes: Class A, B and C. This is often referred to as classful addressing, because address space is split into three predefined classes, groupings or categories. Available class network numbers and IP address ranges for address translation are as follows:
1 Class A network number: 10.0.0.0
16 Class B network numbers: 172.16-31.0.0
256 Class C network numbers: 192.168.0-255.0
FireWall-1 translates addresses transparently. When a packet enters the FireWall-1 kernel module, it is translated before reaching its destination. NAT updates its internal table and translates the packet, rewriting the IP address from a legal to an illegal/reserved IP address. When a packet leaves, NAT translates the packet, rewriting the illegal/reserved IP address to its original legal address (Figure 189):
1. A packet with a legal IP address (204.32.38.1) enters a network and passes through the FireWall-1 kernel module.
2. NAT translates the legal IP address to an illegal/reserved address (192.168.1.1).
3. A packet with an illegal/reserved IP address leaves the system.
4. NAT translates the address to a legal address (204.32.38.1) so that it will be accepted by outside networks, then passes the packet through the FireWall-1 kernel module, which passes the packet out of the network and to its destination.
NAT Modes
FireWall-1 supports three network address translation modes. Network address translation is another name for IP address translation (changing an IP address). NAT allows system administrators to change internal, illegal/reserved IP addresses into legal addresses, thus providing greater protection from external networks and hackers. This eliminates the need to manually change illegal/reserved internal IP addresses. NAT also allows hidden IP addresses, which means system administrators can deal with the issue of fewer available IP addresses. Address translation takes place in the address translation module. The FireWall-1 kernel module does not translate addresses. The kernel module verifies addresses before passing them out of an internal network, and verifies addresses before passing them to the address translation module and into an internal network. Following are the FireWall-1 address translation modes:
Static source mode: Translates illegal/reserved internal IP addresses to legal IP addresses when packets exit an internal network.
Static destination mode: Translates legal internal IP addresses to illegal/reserved IP addresses when packets enter an internal network.
Hide mode: Hides one or more illegal/reserved IP addresses behind one legal address.
Source and destination are referred to as static modes because the address translation is not dynamic: static mode translates IP addresses using a one-to-one relationship.
Static source mode translates the clients' internal, illegal/reserved IP addresses to legal IP addresses (Figure 190):
Static source mode is used when the connection is initiated by internal clients with invalid IP addresses. Static source mode ensures that the originating hosts have unique, specific valid IP addresses, and is generally used together with static destination mode. When you generate address translation rules automatically, static source mode and static destination mode rules are always generated in pairs.
Static destination mode translates the servers' legal external IP addresses to illegal/reserved IP addresses (Figure 191):
Static destination mode is used when servers inside the internal network have illegal/reserved IP addresses, and ensures that packets entering the internal network arrive at their proper destinations. When you generate address translation rules automatically, static source mode and static destination mode rules are always generated in pairs.
Static Mode Example
In Figure 190 and Figure 191 on page 263, the Bay Networks router's valid IP address is statically translated when the local network translates it to a valid external address once it leaves the internal network. When defining static mode for a firewalled object, you do not specify static source or destination mode. Static source and destination modes are defined in the NAT rule base automatically.
In Figure 192, the Bay Networks router's valid IP address is statically translated to the local network's IP address. When packets leave the Bay Networks router through the local network, the packets' IP addresses are translated to illegal/reserved IP addresses; when the packets enter the network, the local network translates the packets back to their legal, internal IP addresses. The translation is done at the local network and at the firewall.
Hide Mode
Todays computing industry suffers from a limited supply of IP addresses. To alleviate this problem, hide mode allows you to hide an entire network of illegal/reserved IP addresses behind one legal IP address (Figure 193). With hide mode, you only need one legal IP address to communicate with external networks or the Internet.
Hide Mode Example
In Figure 193, everything in Local_Net will be sent out of the local network as a legal IP address.
In Figure 194, the firewall hides all internal illegal/reserved IP addresses for packets leaving the local network. When packets enter the network, the firewall translates the packets' IP addresses and forwards the packets to the appropriate internal device.
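The difference between the static modes and hide mode is easiest to see in a small simulation, so here is an added example (not Check Point code) that pushes packets through both. Static translation is a fixed one-to-one table that works in either direction; hide mode puts several internal hosts behind one legal address and must remember which translated source port belongs to which internal host so that replies can be delivered. The FTP server 10.96.1.101, the Cisco router 10.96.1.112 and the hiding address 204.32.38.113 come from the setup sections that follow; the FTP server's legal address 204.32.38.101, the second hidden host 10.96.1.113, the external peer 203.0.113.9, the port pool and all names are constructed.

```python
"""Static and hide mode address translation, as an added simulation.

Added example, not Check Point code. 10.96.1.101, 10.96.1.112 and
204.32.38.113 are from the text; 204.32.38.101, 10.96.1.113, 203.0.113.9,
the port pool and every name here are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Static mode is one-to-one, so a single table serves both directions.
STATIC_SOURCE: Dict[str, str] = {"10.96.1.101": "204.32.38.101"}   # internal -> legal
STATIC_DEST: Dict[str, str] = {v: k for k, v in STATIC_SOURCE.items()}


def static_outbound(pkt: Packet) -> Packet:
    """Static source mode: an internal source leaves with its fixed legal address."""
    return replace(pkt, src=STATIC_SOURCE.get(pkt.src, pkt.src))


def static_inbound(pkt: Packet) -> Packet:
    """Static destination mode: a legal destination is mapped back to the internal host."""
    return replace(pkt, dst=STATIC_DEST.get(pkt.dst, pkt.dst))


class HideNat:
    """Hide mode: many internal hosts behind one legal address, told apart by port."""

    def __init__(self, hiding_ip: str, hidden_hosts: Tuple[str, ...]):
        self.hiding_ip = hiding_ip
        self.hidden = set(hidden_hosts)
        self.next_port = 10000                           # constructed port pool start
        self.by_port: Dict[int, Tuple[str, int]] = {}    # translated port -> (src, sport)
        self.by_host: Dict[Tuple[str, int], int] = {}    # (src, sport) -> translated port

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src not in self.hidden:
            return pkt
        key = (pkt.src, pkt.sport)
        port = self.by_host.get(key)
        if port is None:                                 # first packet of this connection
            port = self.next_port
            self.next_port += 1
            self.by_port[port] = key
            self.by_host[key] = port
        return replace(pkt, src=self.hiding_ip, sport=port)

    def inbound(self, pkt: Packet) -> Packet:
        """Replies are deliverable only while the table holds the port; else untouched."""
        if pkt.dst != self.hiding_ip or pkt.dport not in self.by_port:
            return pkt
        src, sport = self.by_port[pkt.dport]
        return replace(pkt, dst=src, dport=sport)


def run_scenario() -> Dict[str, Packet]:
    """Push constructed packets through both modes and return the results."""
    hide = HideNat("204.32.38.113", ("10.96.1.112", "10.96.1.113"))

    def leaving(p: Packet) -> Packet:      # packet exiting the internal network
        return hide.outbound(static_outbound(p))

    def entering(p: Packet) -> Packet:     # packet arriving from outside
        return hide.inbound(static_inbound(p))

    return {
        "ftp_out": leaving(Packet("10.96.1.101", 2000, "203.0.113.9", 80)),
        "ftp_reply": entering(Packet("203.0.113.9", 80, "204.32.38.101", 2000)),
        "cisco_out": leaving(Packet("10.96.1.112", 3000, "203.0.113.9", 80)),
        "second_out": leaving(Packet("10.96.1.113", 3000, "203.0.113.9", 80)),
        "second_reply": entering(Packet("203.0.113.9", 80, "204.32.38.113", 10001)),
        "unsolicited": entering(Packet("203.0.113.9", 80, "204.32.38.113", 5555)),
    }
```

Note that the two hidden hosts use the same source port 3000 and are still kept apart, and that an inbound packet to the hiding address on a port nobody opened is left untranslated: hide mode can only carry replies to connections started from inside, which is exactly why the text pairs static destination mode, not hide mode, with internal servers.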
To add static mode NAT to an internal networks FTP server, follow these steps: 1. Select Network Objects from the Manage menu (Figure 195):
3. Highlight FTP_Server and click Edit.
4. The network object General tab of the Workstation Properties screen appears (Figure 197). Note the IP address of the FTP server is 10.96.1.101. This is the illegal/reserved internal address that will be translated to a legal external (Internet) address.
5. Select the NAT tab. Note there is no address translation currently selected (Figure 198):
6. Check Add Automatic Address Translation Rules to add static translation (Figure 199). This enables the other fields on the screen, as follows:
Translation Method: Select Static from the menu. Choices are Static and Hide.
Valid IP Address: Type in the valid IP address you want for the FTP server when packets that originate at it or are destined to it leave the internal network.
Install On: Select where to install NAT from the menu. Choices are the internal firewalled objects.
7. Click OK to save your changes.
To add hide mode NAT to two internal network routers, first add NAT to a Cisco Router: 1. Select Network Objects from the Manage menu (Figure 200):
3. Highlight Cisco_Router and click Edit.
4. The General tab of the Router Properties screen appears (Figure 202). Note the IP address of the Cisco router is 10.96.1.112. This is the legal IP address that will be hidden from external networks and the Internet.
6. Check Add Automatic Address Translation Rules to add hide translation (Figure 203). This enables the other fields on the screen, as follows:
Translation Method: Select Hide from the menu to add hide mode translation.
Hiding IP Address: Type in the valid IP address you want for the Cisco router when packets travel through it to leave the internal network. If you type 0.0.0.0, the firewall will determine the IP address to use (the firewall's own IP address at the outgoing interface).
Install On: Select where to install NAT from the menu. Choices are the internal firewalled objects.
7. Click OK to save your changes.
To add hide mode NAT to a Bay Networks router, follow these steps: 1. After selecting the Bay Networks router from the network objects Manager screen, modify the IP address if necessary in the General tab of Router Properties (Figure 204):
2. Use the same IP address for the Cisco router and the Bay Networks router. This ensures the Cisco and Bay Networks routers' IP addresses will be hidden behind the legal IP address 204.32.38.113 (Figure 205):
When you define network objects during the setup of FireWall-1, NAT rules are generated automatically. You can manually specify address translation rules by editing or adding NAT rules to the automatically generated rules, giving complete control over FireWall-1 address translation. FireWall-1 validates address translation rules, helping to avoid mistakes in the setup process. To provide complete control over FireWall-1 address translation, you can do one or more of the following:
Specify objects by name rather than by IP address
Restrict rules to specified destination IP addresses, as well as to specified source IP addresses
Translate both source and destination IP addresses in the same packet
Restrict rules to specified services (ports)
Translate ports
NAT Rules
Each of the address translation rules consists of three elements, as follows:
Conditions that specify when a rule is to be applied
The action to be taken when a rule is applied
The network object to enforce the action
Original Packet (conditions): define source, destination and service.
Translated Packet (action to be taken): define source, destination and service.
Install On: define the firewall objects to enforce this rule.

Original Packet (When a Rule is Applied)
Source: The object for the client of the connection.
Destination: The object for the server of the connection.
Service: The service, service group or port range.
Translated Packet (When a Rule is Applied)
Source: The object; the type of object depends upon the type of address translation.
Destination: One object only; the type of object depends on the type of address translation.
Service: One object only; either TCP, UDP service or port range.
Install On: Specifies which firewalled objects will enforce the rule. Choose one of the following:
Gateways: Enforce on all network objects defined as gateways which are firewalled and internal. If you specify Gateways, the rule is enforced on all the hosts that are defined as gateways (in the Workstation Properties window).
Targets: Enforce on the specified target object(s) only. If you choose Targets, then the Select Target window opens, from which you can choose a firewalled gateway or host (but not a router) on which to install the address translation rule.
Comment: You can add comments to a rule by double-clicking on the Comments field to open the Comment window and typing any comments.
NAT Issues
Routing Issues
In an internal network, routers can be managed separately from firewall software. To set up address translation correctly, you must ensure that routing tables are correctly defined. With FireWall-1, there are two routing issues involved, as follows:
Ensuring that the packet reaches the gateway
Ensuring that the gateway forwards the packet to the correct interface and host
Reconfigure routing tables on the internal network's gateway (and on any intervening routers) to set up address translation correctly.
Static Source and Hide Mode
When using Static Source or Hide modes, you must ensure that the translated (legal) addresses are published, so that replies will be routed back to the firewall. For Solaris systems, use the arp command to publish an IP address. For example:
arp -s 204.32.38.10n 00:C0:4F:D0:35:F2 pub
For NT systems, the arp command does not allow permanent entries. Because of this, Check Point created the following feature:
\winnt\fw\state\local.arp
The format of local.arp is:
IP address <TAB> External MAC-address
Make sure that you don't add anything else to this file that is not needed. After creating local.arp, stop and start the FireWall-1 service.
The local.arp file is not automatically created by FireWall-1, and must be created by the user. This is true whether NAT is automatic or manual.
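Because local.arp is hand-written and FireWall-1 expects nothing in it beyond one "IP<TAB>MAC" line per address, a small generator and checker is worth having. The following is an added example (not Check Point code) that produces the Solaris arp commands and the NT local.arp content from one mapping, checks an existing local.arp for stray content, and reports legal NAT addresses that have no entry (their replies would never come back to the firewall). The MAC 00:C0:4F:D0:35:F2 is the one the text uses in its arp example; the legal addresses 204.32.38.101 and 204.32.38.113, the sample files and the function names are constructed.

```python
"""Publishing translated addresses for replies: Solaris arp commands and the NT
local.arp file generated from one mapping, plus a strict check of local.arp.

Added example, not Check Point code. The MAC 00:C0:4F:D0:35:F2 is the text's
arp example; the legal addresses, sample files and function names are
constructed.
"""
import re
from typing import Dict, List

IP_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def solaris_arp_commands(published: Dict[str, str]) -> List[str]:
    """One 'arp -s <ip> <mac> pub' command per legal address."""
    return [f"arp -s {ip} {mac} pub" for ip, mac in sorted(published.items())]


def nt_local_arp(published: Dict[str, str]) -> str:
    """local.arp content: exactly 'IP<TAB>MAC' per line and nothing else."""
    return "".join(f"{ip}\t{mac}\n" for ip, mac in sorted(published.items()))


def validate_local_arp(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is well formed."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            problems.append(f"line {lineno}: unexpected blank line")
            continue
        parts = line.split("\t")
        if len(parts) != 2:               # spaces, comments or extra fields are not allowed
            problems.append(f"line {lineno}: expected 'IP<TAB>MAC', got {line!r}")
            continue
        ip, mac = parts
        m = IP_RE.match(ip)
        if not m or any(int(octet) > 255 for octet in m.groups()):
            problems.append(f"line {lineno}: bad IP address {ip!r}")
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: bad MAC address {mac!r}")
    return problems


def unpublished(legal_addresses: List[str], local_arp_text: str) -> List[str]:
    """Legal NAT addresses with no local.arp entry (replies would not reach the firewall)."""
    present = {line.split("\t")[0] for line in local_arp_text.splitlines() if "\t" in line}
    return [ip for ip in legal_addresses if ip not in present]


# Constructed mapping: legal address -> MAC of the firewall's external interface.
PUBLISHED = {
    "204.32.38.101": "00:C0:4F:D0:35:F2",
    "204.32.38.113": "00:C0:4F:D0:35:F2",
}

# Constructed bad file: space instead of TAB, a comment line, and a short MAC.
BAD_FILE = (
    "204.32.38.101 00:C0:4F:D0:35:F2\n"
    "# added by admin\n"
    "204.32.38.113\t00:C0:4F:D0:35\n"
)

if __name__ == "__main__":
    print("\n".join(solaris_arp_commands(PUBLISHED)))
    print(nt_local_arp(PUBLISHED), end="")
    print(validate_local_arp(BAD_FILE))
```

Both artifacts publish the firewall's own external MAC for every translated address, which is what makes the upstream router hand replies for those addresses to the firewall; the check for unpublished addresses catches the common case where a NAT rule is added later and the arp step is forgotten.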
Static Destination
First you must get the packet to the firewall by publishing the IP address to the desired interface of the firewall. When using Static Destination mode, address translation takes place in the firewall after internal routing but before transmission. To ensure that the packet is correctly routed, use static routing (the route command) to define the same next hop for both addresses. On Solaris systems, most use the following command:
route add 204.32.38.10n 192.168.n.1 1
The route add command in Solaris is temporary. In order to make a permanent route addition, an entry must be placed in the appropriate rc directory in /etc. On NT systems, use the following command:
route add 204.32.38.10n 192.168.n.1 -p
   Action: accept
   Track: Long
3. Add/insert a new rule just after the rule you just defined:
   Source: www.yourcity.com
   Destination: Any
   Service: http and smtp
   Action: accept
   Track: Long
4. Remove your HTTP authentication rules.
Verify and install the rule base

Add static route and arp
Add static route and publish arp for legal address:

For Solaris:

1. Add a static route for the translated host:

   # route add 204.32.38.11n 192.168.n.1 1

2. Publish an arp entry for the legal address (the first command is run to get the MAC address of the external interface):

   # arp fw.yourcity.com
   # arp -s 204.32.38.11n external-MAC-address pub
   where (-p) makes the route permanent between boots. Without this option, only temporary changes are made; (mask) is the subnet mask to apply to the route.

2. Publish an arp entry for the legal address (from the command prompt):

   > ipconfig /all
   > edit $FWDIR\state\local.arp
     204.32.38.11n external MAC-address
     SAVE and EXIT
   > cd $FWDIR\bin
   > fwstop
   > fwstart
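As an added example (not from the Check Point courseware), the following checker enforces what the Routing Issues section and the NT steps above require of local.arp: every line is IP, TAB, MAC and nothing else, and every legal (translated) address is published with the MAC of the firewall's external interface. The sample file and addresses are constructed, using student number n = 1 in the lab notation.

```python
"""Validate a FireWall-1 NT local.arp file (one 'IP<TAB>MAC' entry per line).

Added example, not part of the Check Point courseware. The sample file and the
legal addresses below are constructed (student number n = 1 in the lab notation).
"""
import ipaddress
import re

# Colon-separated MAC, as in the arp -s example (00:C0:4F:D0:35:F2)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")

# Constructed sample: two good entries, one line with a space instead of a
# TAB, and a comment line, which the text says must not be in the file.
SAMPLE_LOCAL_ARP = (
    "204.32.38.111\t00:C0:4F:D0:35:F2\n"
    "204.32.38.121\t00:c0:4f:d0:35:f2\n"
    "204.32.38.131 00:C0:4F:D0:35:F2\n"
    "# published for lab 16\n"
)


def parse_local_arp(text):
    """Return (entries, problems).

    entries maps IP -> MAC (upper-cased) for well-formed lines; problems lists
    (line_number, message) for every line FireWall-1 would not understand.
    """
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip():
            problems.append((lineno, "blank line; local.arp holds entries only"))
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            problems.append((lineno, "expected IP<TAB>MAC, got %r" % line))
            continue
        ip_text, mac = parts
        try:
            ip = str(ipaddress.IPv4Address(ip_text.strip()))
        except ValueError:
            problems.append((lineno, "bad IP address %r" % ip_text))
            continue
        mac = mac.strip()
        if not MAC_RE.match(mac):
            problems.append((lineno, "bad MAC address %r" % mac))
            continue
        if ip in entries:
            problems.append((lineno, "duplicate entry for %s" % ip))
            continue
        entries[ip] = mac.upper()
    return entries, problems


def check_published(entries, legal_addresses, external_mac):
    """Each translated (legal) address must be published with the MAC of the
    firewall's external interface, or replies will not come back through it.
    Returns (missing, wrong_mac) lists of legal addresses."""
    external_mac = external_mac.upper()
    missing = [a for a in legal_addresses if a not in entries]
    wrong_mac = [a for a in legal_addresses
                 if a in entries and entries[a] != external_mac]
    return missing, wrong_mac


if __name__ == "__main__":
    found, issues = parse_local_arp(SAMPLE_LOCAL_ARP)
    for lineno, msg in issues:
        print("local.arp line %d: %s" % (lineno, msg))
    missing, wrong = check_published(
        found, ["204.32.38.111", "204.32.38.121", "204.32.38.131"],
        "00:C0:4F:D0:35:F2")
    print("not published:", missing, "wrong MAC:", wrong)
```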
Test Static Destination translation by using the presentation machine (instructor's machine). Connect to your Web Server's Legal Address from the instructor's machine.
1. Click Manage > Network Objects; select the network object for your internal Web server (www.yourcity.com).
2. Select the NAT tab.
3. Uncheck the Add Automatic Address Translation Rules checkbox.
4. Click OK. Close the Manage Network Objects screen.

Reminder: While the Routing and Arp issues were previously taken care of in Lab 14: NAT Static Mode - Manual, they are still required to be completed for Automatic translation.
Lab 16: NAT Hide Mode Manual

Create an address range object

Create an address range object in the Network Object Manager called yourcity-range:

1. Create the object yourcity-range:
   First IP address: 192.168.n.1
   Last IP address: 192.168.n.254
2. Click OK.
Verify and install new rule base

Publish arp for legal Hide address

Solaris:

# arp fw.yourcity.com
# arp -s 204.32.38.12n external MAC address pub
Use the following arp commands to publish an arp entry for the legal Hide address:

NT:

> ipconfig /all
> edit $FWDIR\state\local.arp
  204.32.38.12n external MAC-address
> cd $FWDIR\bin
> fwstop
> fwstart
Review
Summary

The need for IP address translation (replacing one IP address in a packet by another IP address) arises in two cases:

1. The network administrator wishes to conceal the network's internal IP addresses from the Internet. The administrator may reason that there is nothing to be gained, from a security point of view, by making a network's internal addresses public knowledge.
2. An internal network's IP addresses are invalid Internet addresses (that is, as far as the Internet is concerned, these addresses belong to another network). This situation may have arisen for historical reasons: an internal network was originally not connected to the Internet, and its IP addresses were chosen without regard to Internet conventions. If such a network is then connected to the Internet, its long-established internal IP addresses cannot be used externally. Changing these addresses may be impractical or unfeasible.
Review Questions
Introduction
You have learned the basics of FireWall-1 and should now be able to install, configure and administer a FireWall-1 system. The following is an exercise to reinforce the most important features of FireWall-1. There may be more than one way to achieve the final results of this exercise. Your instructor will review your results to determine their accuracy.
Final Scenario
Solutions
Examples of possible solutions to the Final Lab Scenario are shown in Figure 207 and Figure 208. Your results may vary slightly.
If you need to add a license at the command prompt, follow these steps:

1. In the \fw\bin directory type: fw putlic [host] [key] [features]
2. Press Enter.
3. Type: fwstop
4. Press Enter.
5. Type: fwstart
6. Press Enter and exit the command prompt.
Issue fw printlic to display the current licenses:

Type   Expiration   Features
Eval   1Dec95       pfm control routers
Eval   1Nov95       control routers
Eval   1Oct95       pfm control routers

This listing displays the following:

   Which features are available (for example, pfm control routers)
   To which hostid/IP address these features are licensed
   When the license will expire
Re-enter your current license string with the -o option. Do this if you have several expired evaluation licenses, or have licenses for IP addresses or hostids that are not valid for specific devices:

fw putlic -o [host] [key] [features]

If you have multiple permanent licenses, use the -o option for the first license key. Do not use the -o option on subsequent licenses.
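An added example (not Check Point code) that parses the fw printlic listing shown above, picks out expired licenses, and applies the -o rule from this section when planning the putlic commands. The sample output is constructed in the layout shown; the host and key values are placeholders.

```python
"""Parse 'fw printlic' output and plan license re-entry with 'fw putlic'.

Added example, not part of the Check Point courseware. SAMPLE_PRINTLIC is
constructed in the three-column layout the text shows; the host and key
values used in the planning step are placeholders.
"""
from datetime import date, datetime

SAMPLE_PRINTLIC = """\
Type  Expiration  Features
Eval  1Dec95      pfm control routers
Eval  1Nov95      control routers
Eval  1Oct95      pfm control routers
"""


def parse_printlic(output):
    """Return one dict per license line; the expiration column holds dates
    like 1Dec95, which strptime reads with %d%b%y."""
    rows = []
    for line in output.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] == "Type":   # skip blank and header lines
            continue
        lic_type, expires, features = parts
        rows.append({
            "type": lic_type,
            "expires": datetime.strptime(expires, "%d%b%y").date(),
            "features": features.split(),
        })
    return rows


def expired_licenses(rows, today):
    """Licenses whose expiration date lies before 'today'."""
    return [r for r in rows if r["expires"] < today]


def putlic_commands(licenses):
    """Build the fw putlic command lines for re-entering licenses.

    licenses is a list of (host, key, features). As the text says, -o goes on
    the first license only, so stale entries are overwritten once and the
    remaining licenses are added alongside it.
    """
    commands = []
    for index, (host, key, features) in enumerate(licenses):
        overwrite = ["-o"] if index == 0 else []
        commands.append(["fw", "putlic"] + overwrite + [host, key, features])
    return commands


if __name__ == "__main__":
    rows = parse_printlic(SAMPLE_PRINTLIC)
    for r in expired_licenses(rows, date(1995, 12, 1)):
        print("expired:", r["type"], r["expires"], " ".join(r["features"]))
    # Placeholder host and key values; real ones come from your license sheet.
    plan = putlic_commands([
        ("HOSTID-PLACEHOLDER", "KEY-PLACEHOLDER-1", "pfm control routers"),
        ("HOSTID-PLACEHOLDER", "KEY-PLACEHOLDER-2", "control"),
    ])
    for cmd in plan:
        print(" ".join(cmd))
```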
If you have unresolved licensing issues, contact Check Point via e-mail (license@checkpoint.com), or visit Check Point's licensing center at http://license.checkpoint.com.
Solaris Systems
Symptom: Security Policy Editor (GUI) will not connect to the Management Server.

Solution: The host name for the machine should be the same as the host name of one of the local interfaces (any one, preferably the external interface). The host name can be set on Solaris by one of the following methods:

   Manually editing the /etc/nodename file
   Executing the hostname command
1. During the installation process, FireWall-1 rebuilds the OS kernel. You must copy the new kernel to its proper location and then restart the firewalled computer. FireWall-1 displays instructions for doing this.
2. The first time you start the firewalled computer, you will receive a message that FireWall-1 failed. This is normal and occurs because there is no security policy at this point. After you have defined a security policy, subsequent restarts will proceed normally.
To define administrators, run the program fwm on the FireWall-1 Management Server, as follows:

1. To add an administrator, type the following command at the system prompt: fwm -a
2. Type the user's name and password. Confirm the password by typing it a second time.
3. To delete an administrator, type the following command at the system prompt: fwm -r
4. Type the user's name.
Extracting Files
SunOS

hostname# tar xvf device-name/sunos/fw1/fw.sunos4.tar
device-name is usually /dev/rfd0c for diskette drives and /cdrom for CD-ROM drives.
Installing FireWall
HP-UX 10

FireWall-1 on HP-UX 10 requires the option transitional links to be enabled. In HP-UX 10, FireWall-1 is installed using the swinstall application.

1. hostname% cd /tmp
2. hostname% su
3. password: your root password
4. hostname# tar xvf device-name/HPUS/FW1/FW.HPUX.TAR

   device-name is usually /cdrom for a CD-ROM drive.

Register FireWall-1:

hostname# swreg depot -x select_local=true -x target_directory=/tmp

target_directory points to the directory into which you copied the FireWall-1 software with the tar command.

The following steps install FireWall-1:

1. hostname# swinstall &
   The SD Install Software Selection window is displayed, and then the Specify Source window.
2. Click Source Depot Path: In the Depot Path window, select the directory into which you copied the FireWall-1 software with the tar command.
3. Click OK to close the Depot Path window.
4. Click OK to close the Specify Source window.
5. In the SD Install Software Selection window, select FireWall-1. If you double-click on FireWall-1 you will be able to select individual FireWall-1 components to install.
6. From the Actions menu, select Install (analysis). When the analysis phase completes, click OK.
7. When the installation phase completes, click Done. From the File menu, select Exit.
8. At the command prompt enter the following:
   hostname# setenv FWDIR /FireWall-1
   hostname# set path=($FWDIR/bin $path)
IBM AIX
In IBM AIX, FireWall-1 is installed using the swinstall application. There is no need to copy the software, since the installation reads the CD-ROM directly.

hostname% smit &

1. Click Software Installation and Maintenance. Click Install and Update Software. Click Install/Update Selectable Software (Custom Install).
2. Click Install Software Products at Latest Level. Click New Software Products at Latest Level.
3. In the New Software Products at Latest Level window, enter the input device or the name of the directory where the FireWall-1 installation files are located. If you are installing from a CD-ROM, click List and select the CD device in the dialog box. FireWall-1 for AIX is always installed in the /usr/lpp/FireWall-1 directory, so you cannot choose an arbitrary $FWDIR.
4. You will be asked to review the installation parameters and confirm them. In SOFTWARE to install, click List.
5. Select FireWall-1.
6. Click OK to start the installation process.
7. Exit smit.
8. At the command prompt, type the following:
   hostname# setenv FWDIR /usr/lpp/FireWall-1
   hostname# set path=($FWDIR/bin $path)
9. Proceed to Configuring FireWall-1.
Table 25: Common Services and Port Numbers

Description
   Cisco FNATIVE
   Cisco TNATIVE
   Cisco SYSMAINT
   Domain Name Server
   File Transfer Protocol
   Gopher
   World Wide Web HTTP
   HTTP protocol over TLS/SSL
   ISAKMP

Table 25: Common Services and Port Numbers (Continued)

Service Name   Description
LOGIN          Remote login via Telnet
NETBIOS-NS     NETBIOS Name Service
NETBIOS-DGM    NETBIOS Datagram Service
NETBIOS-SSN    NETBIOS Session Service
pop2           Post Office Protocol, version 2
pop3           Post Office Protocol, version 3
pop3s          pop3 protocol over TLS/SSL
PRINTER        Spooler
RADIUS         RADIUS
ROUTER         Local routing process
RTELNET        Remote Telnet
SHELL          Command for automatic authentication
SFTP           Simple File Transfer Protocol
SMTP           Simple Mail Transfer Protocol
SNMP           SNMP
SNMPTRAP       SNMPTRAP
SQLSRV         SQL Service
SYSLOG         syslog
TACACS-DS      TACACS database service
TELNET         Telnet
TELNETS        Telnet protocol over TLS/SSL
3COM-TSMUX     3COM-TSMUX
WHO            Who is logged in on the local network
WHOAMI         Whoami
WWW            World Wide Web HTTP
WWW-HTTP       World Wide Web HTTP
XFER

Table 25: Common Services and Port Numbers (Continued)

Port Number   Description
19            Character Generator
530           Courier
13            Daytime
9             Discard (sink null)
7             Ping
79            Finger
1             Internet Control Message Protocol
2             Internet Group Management Protocol
15            Network Statistics
138           NetBIOS Datagram Service
139           NetBIOS Session Service
17            Quote of the Day
775           sms_db
777           sms_update
1433          Tabular Data Stream DB-library SQLserver
69            Trivial File Transfer Protocol
135           UDP RPC Locator
42            WINS replication
Review the basic rule base, as shown in Figure 209, making notes in the comment column.
Glossary
A
access control lists
   Allow rule bases for 3Com, Bay and Cisco routers.
accounting log entry
   FireWall-1 log file that includes a packet's connection duration, and the number of bytes and packets transferred.
address-translation modes
   Another name for IP-address translation (changing an IP address).
address-translation rule base
   Component of the FireWall-1 security policy. The address-translation rule base is created when you create the security policy.
anti-spoofing
   Process that ensures the IP addresses of packets entering an internal network are valid.
anti-virus inspection
   Component of FireWall-1 that uses an integrated anti-virus module to check all files transferred for all protocols, reducing the vulnerability of hosts and gateways.
application layer gateways
   A type of firewall architecture which examines packets at the application level.
authentication scheme
   Validates all connection attempts within an internal network.
AXENT Defender
   Server used to provide authentication services.
C

classful addressing
   IP address space that is split into three predefined classes, groupings, or categories.
client
   A computer system or process that requests a service of another computer system or server (using a specific protocol) and then accepts the server's responses.
client authentication
   Authenticates users of any service. Client authentication allows an administrator to grant access privileges to a specific IP address.
Connect Control Module
   Provides automatic application-server load balancing across multiple servers.
content-vectoring protocol (CVP)
   Open protocol for integrating external and third-party content inspection programs, plus integrated content inspection capabilities for anti-virus protection, URL screening and Java security.
D

daemon
   Provides communication between modules, clients and hosts.
data packet
   A piece of electronic data transmitted as part of a data stream. Also called packet.
data stream
   A block of electronic data transmitted as a unit. A data stream is made up of packets.
domain
   Groups of computers and devices.
E

eitherbound
   The direction in which FireWall-1 inspects packets entering and leaving the firewall.
elements
   Individual components that make up a rule; includes rule number order, source, destination, services, action, tracking, install on, time and comments.
encryption
   Process that ensures data is secured when coming from or going to a firewalled computer.
Encryption Module
   The FireWall-1 module that provides DES encryption (for SKIP and IPSec) and FWZ1 encryption.
explicit rule
   Rule created in the security policy editor and added to your rule base.
F

Firewall Module
   Implements the security policy, logs events and communicates with the Management Module using the daemon; includes the Inspection Module, daemon and security server. Provides inspection-module capabilities, user authentication, multiple-firewall synchronization and content security.
FWZ
   A proprietary key management scheme that uses FWZ-1 (a worldwide exportable encryption algorithm) and DES (North America only).
H I
hide mode
   The FireWall-1 network-address translation mode that hides internal IP addresses behind one legal address.
implicit rule
   Rule created when defining properties in a security policy's properties setup. Also called pseudo-rule.
implicit drop rule
   Implicit rule automatically added at the end of each rule base that drops all communication attempts not described by previous rules.
Inbound
   The direction in which FireWall-1 inspects packets entering the firewall.
INSPECT
   Check Point's high-level scripting language for expressing a security policy.
Inspection Module
   Provides access control, client and session authentication, network-address translation, and auditing.
inspection script
   The ASCII file generated from the security policy.
Internet Control Message Protocol (ICMP)
   An extension to IP that carries error, control and informational messages.
Internet Protocol (IP) address
   Numbers defining the location of computers in a network.
IP address translation
   Changing an IP address.
ISAKMP/Oakley (IKE)
   Encryption scheme standard for negotiating between two hosts using IPSec.
K L
kernel
   The essential part of UNIX or other operating systems responsible for resource allocation, low-level hardware interfaces and security.
LDAP Account Units
   Integrates an LDAP-compliant user database with FireWall-1 user authentication.
Lightweight Directory Access Protocol (LDAP)
   A protocol that allows Internet clients to access and manage databases of users over a TCP/IP connection. LDAP is supported by Netscape and included in Windows NT version 5.x.
load balancing
   FireWall-1 algorithm that prevents internal-network servers from handling a disproportionate amount of network traffic.
Log Viewer
   Displays the login-and-alert fields specified in the Log and Alert screen of a security policy's properties.
logical server
   A group of machines that provide the same services and are treated as a group, among whose members a workload is distributed.
M

Management Module
   Provides centralized, GUI-based security management control and monitoring of firewall modules residing on local or distributed computers.
Management Server
   Manages the FireWall-1 database: the rule base, network objects, servers, users and more.
Manual IPSec
   An encryption and authentication scheme that uses fixed security keys that are exchanged manually.
N

Network Address Translation (NAT)
   Conceals internal computers and users from outside networks.
network address translation modes
   Another name for IP address translation.
network objects
   Any elements that come in contact with the network; includes items such as hosts, routers, networks, gateways, switches, domains and logical servers.
network objects manager
   A tool to define network objects in FireWall-1.
O P
outbound
   The direction in which FireWall-1 inspects packets leaving the firewall.
packet
   A piece of electronic data transmitted as part of a data stream. Also called data packet.
packet filtering
   A type of firewall architecture which examines up to the network layer of a packet.
pseudo rule
   Created when defining properties in a security policy's properties setup. Also called implicit rule.
R

RADIUS
   A RADIUS server is used to provide authentication services.
Remote Procedure Call (RPC)
   Protocol that allows a program on one computer to execute a program on a server computer.
Router Security Management
   Provides security management for router-access control lists across one or more routers.
rule base
   Translates a security policy to a collection of individual rules, which are created with the FireWall-1 rule-base editor.
rule base elements
   Individual components that make up a rule.
rule-base editor
   A tool for creating a security policy.
S

security policy
   A set of rules that defines an internal network's security.
Security Server
   Resides above the INSPECT engine in the FireWall-1 kernel module and provides authentication and content security.
session authentication
   Provides a transparent per-session authentication that can be integrated with any application.
session authentication agent
   Utility provided with FireWall-1 that must be installed on any workstation using session authentication.
Simple Key Management for Internet Protocol (SKIP)
   A key management protocol that defines the way encryption and authentication keys can be shared securely between two parties.
spoofing
   A means to make packets appear as if they come from authorized IP addresses.
Stateful Inspection
   A type of firewall architecture introduced by Check Point which examines packets before the network layer.
static destination mode
   Translates legal internal IP addresses to illegal IP addresses when packets leave an internal network.
static source mode
   Translates illegal internal IP addresses to legal IP addresses when packets enter an internal network.
SYNDefender
   A proprietary FireWall-1 application that protects against denial-of-service attacks from external networks.
SYN packets
   Communication packets from an external network client to an internal network server.
T

TACACS
   A server used to provide authentication services.
Transmission Control Protocol/Internet Protocol (TCP/IP)
   One of the most common communication protocols used to connect to the Internet and external networks.
U

Uniform Resource Identifier (URI)
   A scheme for identifying resources that may be available on the Internet by name, without regard to where they are located. A URI is not specific, because it can contain wildcards. Ex: http://*.com/jerry/*
Uniform Resource Locator (URL)
   An address for a resource on the Internet.
URL Filtering Protocol (UFP)
   A Check Point developed application programming interface that enables the integration of third-party applications to categorize and control access to specific URL addresses.
user authentication
   Provides access privileges on a per-user basis for FTP, TELNET, HTTP, and RLOGIN, regardless of users' IP addresses.
User Datagram Protocol (UDP)
   Service primarily used for protocols where performance is more important than getting all the packets.