Management (CCSA)
Student User Guide
Version 4.0 Revision B
Document # CPTS-DOC-C1011
Rev. B
International Headquarters:
3A Jabotinsky Street
Ramat Gan 52520 Israel
Tel: 972-3-613 1833
Fax: 972-3-575 9256
U.S. Headquarters:
Three Lagoon Drive, Suite 400
Redwood City, CA 94065
Tel: 650-628-2000
Fax: 650-654-4233
E-mail: info@checkpoint.com
HTTP://www.checkpoint.com
Unit I Chapter 1: FireWall-1 Architecture
Introduction ........................................ 9
Objectives .......................................... 9
Key Terms ........................................... 9
Review ............................................. 25
Summary ............................................ 25
Review Questions ................................... 26
Unit II Chapter 1: FireWall-1 Installation and Setup .... 27
Introduction ....................................... 27
Objectives ......................................... 27
Review ............................................. 68
Summary ............................................ 68
Review Questions ................................... 68
Unit II Chapter 2: Navigating in FireWall-1 ............. 69
Introduction ....................................... 69
Objectives ......................................... 69
Key Terms .......................................... 69
Review ............................................. 96
Summary ............................................ 96
Review Questions ................................... 97
Unit II Chapter 3: Management Tools ..................... 99
Introduction ....................................... 99
Objectives ......................................... 99
Key Terms .......................................... 99
Unit IV Chapter 1: Authentication ...................... 235
Unit IV Chapter 2: Network Address Translation ......... 259
Final Scenario ...................................... 287
Appendix A: Licensing Issues ........................ 291
Appendix B: Installation Troubleshooting ............ 293
Appendix C: Port Numbers and Common Services ........ 301
Appendix D: Basic Rule Base ......................... 305
Glossary ............................................ 307
Unit I Overview
Introduction to CCSA
Chapter 1: FireWall-1 Architecture
Introduction to FireWall-1 Management (CCSA)
CCSA Course Description
Welcome to the Check Point Certified Security Administrator (CCSA) course. This
course is intended to provide you with an understanding of basic concepts and skills
necessary to install and configure FireWall-1.
The Check Point Certified Security Administrator (CCSA) course provides you with
the following key elements:
Managing FireWall-1
This course provides hands-on training as you install FireWall-1 on a Solaris and/or
Windows NT system. You will configure a security policy using FireWall-1's
graphical user interface (GUI), and learn about managing a firewalled network. You
are encouraged to follow along in the manual as the class progresses and take notes for
future reference.
Course Objectives
This course is designed for end users and resellers who need to install and set up the
initial FireWall-1 configuration, and for those who seek CCSA certification.
The following professionals benefit most from this course:
Systems administrators
Support analysts
Network engineers
Prerequisites
Before taking this course, we strongly suggest that you have the following knowledge
base:
Check Point Certified Security Administrator
Check Point Certified Security Engineer
The Check Point Certified Systems Engineer (CCSE) course is an advanced course for
engineers managing multiple FireWall-1 systems and/or needing formal training in
advanced FireWall-1 features. This exam covers techniques in remote management,
encryption, and virtual private networking. It also covers the built-in SNMP features
of FireWall-1, router management, user-defined tracking, load balancing, and firewall
synchronization.
Check Point Certified Security Instructor
This exam is for candidates preparing to teach FireWall-1 and who are employees of
an Authorized Training Center. Instructors are required to pass the CCSA and CCSE
exams before they are eligible to take this exam. The CCSI exam is an advanced test,
covering all topics previously reviewed by FireWall-1 CCSA and CCSE exams.
Course Map
Day 1
Unit I Overview
Introduction
Chapter 1: FireWall-1 Architecture
Unit II Getting Started
Chapter 1: FireWall-1 Installation and Setup
Chapter 2: Navigating in FireWall-1
Chapter 3: Management Tools
Unit III Managing Your Network
Chapter 1: Security Policy Rule Base and Properties Setup
Chapter 2: Administering Security Policy with Rule Base
Day 2
Unit IV Customizing FireWall-1
Chapter 1: Authentication
Chapter 2: Network Address Translation
Final Scenario
Lab Setup
The following is the setup of your lab:
Lab Topology
[Lab topology figure: the lab firewall servers connect through a hub on network 204.32.38.0]
Lab Terms

FireWall-1 Server   IP Address       Internet Server    IP Address
fw.detroit.com      204.32.38.101    www.detroit.com    192.168.1.1
fw.chicago.com      204.32.38.102    www.chicago.com    192.168.2.1
fw.london.com       204.32.38.103    www.london.com     192.168.3.1
fw.newyork.com      204.32.38.104    www.newyork.com    192.168.4.1
fw.paris.com        204.32.38.105    www.paris.com      192.168.5.1
fw.tokyo.com        204.32.38.106    www.tokyo.com      192.168.6.1
fw.moscow.com       204.32.38.107    www.moscow.com     192.168.7.1
fw.berlin.com       204.32.38.108    www.berlin.com     192.168.8.1
Site-Number Table
Site Number
Detroit
Chicago
London
New York
Paris
Tokyo
Moscow
Berlin
IP Addresses
Encryption
New Platforms
Enterprise Management
LDAP-based user databases are now fully integrated into FireWall-1, and an LDAP
client is included with FireWall-1.
Authentication
Client
Authentication
Authentication can now be performed using a Web browser. The following new
features are available:
Security Servers
All FireWall-1 security servers now support OPSEC version 1.0. The HTTP security
server supports FTP and HTTPS.
Network address translation now supports H.323, NetShow, VXtreme and many other
services that were not supported in earlier versions of FireWall-1. This further extends
FireWall-1's impressive list of over 120 out-of-the-box supported services.
Unit I Chapter 1:
FireWall-1 Architecture
Introduction
In reality, the concept of a firewall is simple: Network traffic comes in through the
firewall. The firewall examines and controls the traffic, then sends the traffic to its
destination. It does sound simple, yet firewalls are an important part of network
security. Without a firewall, the possibility of security breaches from external and
internal sources is greatly increased. To protect your network from attacks, installing
and maintaining a firewall is an important part of network operations.
Objectives
Definition of a firewall
TCP/IP basics
FireWall-1 components
Key Terms
security policy
data packet
IP addresses
packet filtering
Stateful Inspection
Inspection Module
Firewall Module
INSPECT
Management Module
Management Server
encryption
Defining a Firewall
What is a Firewall?
TCP/IP
Packets
A data packet (or packet) is a piece of a message transmitted over a network. A key
feature of a packet is that it contains the destination address in addition to the data.
Packets are like letters and must have addresses. Just as normal letters must have
addresses on the front to make delivery likely, TCP/IP communication depends on
addresses being included in each packet. These addresses are commonly termed
IP addresses.
As these packets move through the network, devices use each packet's IP addresses
to decide whether to keep the packet in the local network or forward it to a different
network. This is a complex task, because many networks either comprise the Internet
or are attached to it through gateways.
Figure 3 is an example of the layers that comprise a packet, and the many levels of
communication TCP/IP reads:
Packet filtering
Packet filtering examines a packet only up to the network layer. The upper four layers
are left unexamined and allowed into the internal network (Figure 4). The packet filter
looks at each packet entering or leaving the network and accepts or rejects it based on
user-defined rules. Packet filtering is fairly effective and transparent to users, but it is
difficult to configure. The limitation of this type of filtering is its inability to provide
security for the most basic protocols.
[Figure 4: packet filtering. A router between two hosts examines only the Physical, DataLink and Network layers; the upper four layers (Transport, Session, Presentation, Application) pass unexamined.]
Advantages:
Inexpensive
Application transparency
Disadvantages:
Low security
No screening above the network layer, meaning that packet filters are incapable of
providing communication-derived or application-derived state information
Subject to IP spoofing
Example
Packet filters, historically implemented on routers, filter on user-defined content,
such as IP addresses. They examine a packet at the network layer and are
application independent, which allows them to deliver good performance and
scalability. They are the least secure type of firewall, because they are not
application aware: they cannot understand the context of a given
communication, which makes unauthorized entry to the network easier.
Packet filters have two choices with regard to outbound FTP connections.
They can either leave the entire upper range (greater than 1023) of ports
open, which allows the file transfer session to take place over the dynamically
allocated port but exposes the internal network, or they can shut down the
entire upper range of ports to secure the internal network, which blocks other
services. This is a trade-off between application support and security.
Application Layer Gateway (Proxy)
[Figure: application layer gateway. The proxy runs a full seven-layer stack between the two hosts and terminates each FTP or HTTP connection on both sides.]
Advantages:
Good security
Disadvantages:
Each service requires its own application layer gateway, so the number of
available services and their scalability is poor
Proxies cannot provide for UDP, RPC and other services from common protocol
families
Example
Application layer gateways improve on security by examining all application
layers, bringing context information into the decision process. However, they
do this by breaking the client/server model. Every client/server
communication requires two connections: one from the client to the firewall
and one from the firewall to the server. In addition, each proxy requires a
different application process, or daemon, making scalability and support for
new applications a problem.
In using an FTP proxy, the application layer gateway duplicates the number of
sessions, acting as a proxied broker between the client and the server.
Although this approach overcomes the limitation of IP filtering by bringing
application-layer awareness to the decision process, it does so with an
unacceptable performance penalty. In addition, each service needs its own
proxy, so the number of available services and their scalability is limited.
Finally, this approach exposes the operating system to external threats.
Stateful Inspection
A firewall must track and control the flow of communication passing through it. To
reach control decisions for TCP/IP based services (accept, reject, authenticate, encrypt
and/or log communication attempts), a firewall must obtain, store, retrieve and
manipulate information derived from all communication layers and from other
applications.
State information, derived from past communications and other applications, is an
essential factor in making the control decision for new communication attempts.
Depending upon the communication attempt, both the communication state (derived
from past communications) and the application state (derived from other applications)
may be critical in the control decision.
To ensure the highest level of security, a firewall must be capable of accessing,
analyzing and utilizing communication information, communication-derived state,
application-derived state and information manipulation.
Stateful Inspection is a firewall technology introduced in Check Point FireWall-1 and
designed to meet the following security requirements:
Communication information: Information from all seven layers in the packet.
Communication-derived state: State derived from previous communications. For
example, the outgoing PORT command of an FTP session can be saved so that an
incoming FTP data connection can be verified against it.
[Figure: Stateful Inspection. The INSPECT Engine sits at the Network layer between the two hosts' seven-layer stacks and keeps communication state in dynamic state tables.]
Advantages:
Good security
High performance
Scalability
Extensible
Transparency
Example
Stateful Inspection tracks the FTP session, examining FTP application-layer
data. When the client requests that the server generate the back-connection
(an FTP PORT command), FireWall-1 extracts the port number from the
request. Both client and server IP addresses and both port numbers are
recorded in an FTP-data pending request list. When the FTP data connection
is attempted, FireWall-1 examines the list and verifies that the attempt is in
response to a valid request. The list of connections is maintained dynamically,
so that only the required FTP ports are opened. As soon as the session is
closed, the ports are locked, ensuring maximum security.
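The FTP back-connection tracking described above, as an added example that is not Check Point's code: a small Python model of the FTP-data pending request list, placed beside a stateless packet filter so the trade-off from the packet-filter example earlier in this chapter shows up side by side. Every address, port and command here is constructed, and the close of the control session is signalled by a simplified `fin` flag rather than real TCP teardown.

```python
import re
from dataclasses import dataclass

FTP_CONTROL_PORT, FTP_DATA_PORT = 21, 20
# PORT argument is h1,h2,h3,h4,p1,p2: four address bytes, then port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: just the fields a control decision needs."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""
    fin: bool = False  # True when the packet closes the control session (simplified)


def parse_port_command(line):
    """Return (ip, port) announced by an FTP PORT command, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class PacketFilter:
    """Stateless filter: its only lever is whether inbound upper-range ports are open."""

    def __init__(self, allow_high_ports):
        self.allow_high_ports = allow_high_ports

    def inbound_allowed(self, pkt):
        # No context: every inbound packet to a port above 1023 gets the same answer
        return self.allow_high_ports and pkt.dst_port > 1023


class StatefulInspector:
    """Tracks FTP control sessions and the back-connections they announce."""

    def __init__(self):
        # (server_ip, client_ip, client_port) -> owning control session; this plays
        # the role of the FTP-data pending request list described in the text
        self.pending = {}

    def outbound(self, pkt):
        """Inspect a client -> server packet and record any PORT request it carries."""
        if pkt.dst_port != FTP_CONTROL_PORT:
            return True
        session = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        if pkt.fin:
            # Control session closed: lock every data port opened on its behalf
            self.pending = {k: s for k, s in self.pending.items() if s != session}
            return True
        announced = parse_port_command(pkt.payload)
        # Honour the request only if the announced address is the client's own, so a
        # PORT command naming some other host cannot open a hole towards that host
        if announced and announced[0] == pkt.src_ip:
            self.pending[(pkt.dst_ip, announced[0], announced[1])] = session
        return True

    def inbound(self, pkt):
        """Accept a server -> client packet only if it answers a recorded PORT request."""
        entry = (pkt.src_ip, pkt.dst_ip, pkt.dst_port)
        if pkt.src_port == FTP_DATA_PORT and entry in self.pending:
            del self.pending[entry]  # one data connection per PORT command
            return True
        return False  # nothing else inbound was requested, so nothing else is opened


def run_scenario():
    """Replay a constructed FTP session through both models; returns each decision."""
    client, server, stranger = "192.168.1.50", "204.32.38.200", "203.0.113.9"

    def ctl(payload="", fin=False):  # a packet on the client's control connection
        return Packet(client, 1040, server, FTP_CONTROL_PORT, payload, fin)

    legit_data = Packet(server, FTP_DATA_PORT, client, 1100)  # answers PORT ...,4,76
    stray = Packet(stranger, FTP_DATA_PORT, client, 6000)     # unsolicited, upper range

    fw = StatefulInspector()
    fw.outbound(ctl("PORT 192,168,1,50,4,76"))  # 4*256 + 76 = 1100
    results = {
        "stateful_legit": fw.inbound(legit_data),   # matches the pending request
        "stateful_stray": fw.inbound(stray),        # no request on file
        "stateful_replay": fw.inbound(legit_data),  # entry already consumed
    }
    # A second PORT command, then the session closes before its data connection arrives
    fw.outbound(ctl("PORT 192,168,1,50,4,77"))
    fw.outbound(ctl(fin=True))
    results["stateful_after_close"] = fw.inbound(Packet(server, FTP_DATA_PORT, client, 1101))

    # The packet filter's trade-off: open the upper range (FTP works, but so does the
    # stray connection) or close it (stray blocked, and so is the FTP data connection)
    open_filter, closed_filter = PacketFilter(True), PacketFilter(False)
    results["filter_open_legit"] = open_filter.inbound_allowed(legit_data)
    results["filter_open_stray"] = open_filter.inbound_allowed(stray)
    results["filter_closed_legit"] = closed_filter.inbound_allowed(legit_data)
    results["filter_closed_stray"] = closed_filter.inbound_allowed(stray)
    return results
```

Calling `run_scenario()` returns a dictionary of accept/drop decisions; the stateful model opens exactly one port for exactly one connection and locks it again when the control session closes.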
Packet filters and application-layer gateways each fall short of Stateful Inspection in
some area (Table 3):
Table 3:
Capability                    Packet Filters   Application-layer Gateways   Stateful Inspection
Communication information     Partial          Partial                      Yes
Communication-derived state   No               Partial                      Yes
Application-derived state     No               Yes                          Yes
Information manipulation      Partial          Yes                          Yes
What is FireWall-1?
FireWall-1 is based upon the Stateful Inspection architecture, assuring the highest level of
network security. FireWall-1's Inspection Module analyzes all packet communication
layers, and extracts the relevant communication and application state information. The
Inspection Module understands and can learn any protocol and application.
The FireWall-1 Inspection Module resides in the operating system kernel, below the
network layer, at the lowest software level. By inspecting communications at this
level, the Inspection Module can intercept and analyze all packets before they reach
the operating system. No packet is processed by any of the higher protocol layers
unless FireWall-1 verifies that it complies with the enterprise security policy. The
Inspection Module stores and updates state and context information in dynamic
connection tables. These tables are continually updated, providing cumulative data
against which FireWall-1 checks subsequent communications.
[Figure: FireWall-1 on a host. The Firewall Daemon and management run in user mode; the Inspection Module sits in kernel mode between the network drivers and the IP stack (TCP/IP), exchanging IOCTLs and messages with the daemon.]
Advantages of Stateful Inspection Architecture
The kernel is the core of the UNIX and NT Server operating systems, managing
memory, files and peripheral devices; maintaining time and date; launching
applications; and allocating system resources.
Inspect Engine in
the Kernel Module
When packets pass through an internal NIC (Figure 8), the FireWall-1 kernel module
inspects the packets by accessing its rule base.
The FireWall-1 kernel module uses the INSPECT engine to control traffic passing
between networks. FireWall-1 inspects packets by accessing all levels of
communication. The FireWall-1 kernel module has access to the lowest level of
communication, and can inspect all layers of a packet and its data.
If packets pass FireWall-1 inspection, the Firewall Module passes the packets through
the TCP/IP stack and to their destination. Packets pass through the NIC to the
INSPECT engine and on up the network stack. Some packets are destined for the
operating system's local processes. In this case, the Firewall Module inspects the
packets and passes them through the TCP/IP stack to the processes (Figure 9):
If packets do not pass inspection, they are rejected or dropped, according to the
FireWall-1 rule base (Figure 10):
A detailed flow of the packets through the INSPECT engine is shown in Figure 11:
FireWall-1 Products
The following product options are available during installation. Each option is listed
with its components:
FireWall-1 Enterprise Product
Encryption Module: Provides DES encryption (for SKIP and IPSec) and FWZ1
encryption.
FireWall-1 Components
FireWall-1 is comprised of the Firewall and Management Modules and accessed
through a GUI interface. The modules can reside on the same or separate computers.
The Firewall Module provides access control, client, user and session authentication,
and network address translation (NAT), which replaces source and destination
network addresses. NAT can be used to hide internal network structure and/or prevent
network address conflicts between networks. The Firewall Module also provides
auditing, multiple firewall synchronization and content security.
The Firewall Module contains the Inspection Module, the FireWall-1 Daemon and the
Security Server.
The INSPECT script is used to compare the information in a data packet to the rules in
the rule base. Actions that make up access control, client, user and session
authentication, NAT, auditing capabilities, load balancing and anti-spoofing are
triggered based on conditional comparisons made on the packet data by statements in
the INSPECT code and context information.
Daemon
The FireWall-1 Daemon is responsible mainly for communication between modules,
clients and hosts (SNMPD, FWD, ALERTD).
Security Server
The Security Server is a specialized server that is responsible for handling
authentication of packets for a specific service or protocol (SMTP, TELNET, FTP and
HTTP).
Inspection Module
The Inspection Module contains the INSPECT Engine, compiled INSPECT code, and
various state and context information stored in dynamic tables. INSPECT code is a
compiled script that is generated from the information in the security policy and its
rule base.
The Management Module
The Management Module is accessed through the GUI and located on the
Management Server. The Management Module is used to control and monitor
Firewall Modules residing on either local or remote computers. The GUI and the
Management Server can reside on separate computers in a client/server environment.
Management Server
The Management Server is part of the Management Module and manages the
FireWall-1 database: the rule base, network objects, servers, users, and more. The
client interacts with the user via the GUI, but all the data (the database and
configuration file) is maintained on the Management Server.
Other FireWall-1 Components
Graphical User Interface (GUI)
The GUI is the front end to the Management Server. The Windows NT Server version
of FireWall-1 uses a Windows GUI; the Solaris version uses FireWall-1's proprietary
command-line interface and the X/Motif GUI. The following three GUIs can be
accessed in FireWall-1:
Security Policy Editor GUI
Views connections that pass through the firewall that are selected for logging
Review
Summary
Packet filtering and application layer gateways were traditionally used as a means to
protect the network. FireWall-1's Stateful Inspection architecture and its INSPECT
engine utilize the best features of these two methods plus added features to ensure the
most reliable protection of a network. Stateful Inspection enforces the security policy
on the firewalled computer on which it resides and provides support for a large
number of protocols and applications.
Review Questions
2. Why is Stateful Inspection more reliable than packet filtering and application
layer gateways for protecting internal networks?
Unit II Chapter 1:
FireWall-1 Installation and Setup
Introduction
The first step in utilizing FireWall-1 is its installation. The hands-on procedure
simulates a first-time installation, whether you use the installation GUI for Windows
NT Server or use command line input for Solaris.
By default, FireWall-1 follows the security principle of "All communications are
denied unless expressly permitted." Until the security policy is configured, FireWall-1
will prevent access to the network and drop all traffic.
Installation in this chapter includes the following topics:
FireWall-1 for Windows NT Server
Objectives
Before installing FireWall-1, make sure that your network is properly configured, with
special emphasis on routing. Ensure that each of the internal networks and the
gateway (the firewall) can see each other. (Make sure the routing tables are correctly
defined.) Do this by logging on to each of the hosts and pinging other hosts in the
internal networks and on to the Internet. FireWall-1 is comprised of two primary
modules:
Management Module: Resides on the Management Server. The Management
Module manages the FireWall-1 database (the rule base, network objects, services
and users) and is accessed through the GUI. The Management Server is used for
adding, updating and removing administrators.
Firewall Module: Includes the Inspection Module, daemon and security server. The
Firewall Module implements the security policy, logs events and communicates with
the Management Module using the daemons.
The two components of the Management Module (the GUI and the Management
Server) can be installed on the same machine or on two different machines. When
installed on two different machines, FireWall-1 implements the client/server model, in
which a GUI client running on Windows or X/Motif workstation controls a
Management Server running on a Windows NT Server or Solaris workstation (Figure
):
[Figure: FireWall-1 components. The Firewall Module contains the Inspection Module; the Management Module consists of the Management Server and the GUI, which is installed either on the Management Server or on a separate computer.]
Installation Procedure
To install the firewall on both NT Server and Solaris systems, follow these steps:
1. Install FireWall-1 on the Management Station computer (the computer housing
the Management Server).
2. Install and start the Firewall Module on each of the firewalled hosts.
3. Start the FireWall-1 GUI on the Management Station or on a remote GUI client
machine.
Components to install on each computer:
Management Server: Management Module, GUI Client
Firewall: Firewall Module
13. Accept the default location and click Next or change it by selecting the Browse
command.
14. In the Selecting Product Type screen, select Firewall-1 Enterprise Product
(Figure 17):
15. Click Next. The Selecting Product Type screen remains on the screen but with the
Firewall Modules and Management Server options only (Figure 18):
16. Select both the Firewall Module and Management Server components to install on
the firewall server.
The Firewall Module and Management Server do not have to be installed on
the same server. One or the other can be installed on another machine,
invoking the client/server model. When installing to a firewall module, only
select the Firewall Module option. You will install both items on one
machine for this class.
17. Click Next. The FireWall-1 product will now install on the Windows NT Server
system.
All FireWall-1 products require a license for operation. Without a license,
you cannot use FireWall-1.
18. After the installation of FireWall-1, the Licenses screen appears (Figure 19):
19. Click Add and the Add Licenses screen appears (Figure 20):
20. Type the appropriate information for each field. Use the tab key to move from
field to field. Figure 21 shows a sample installation license string:
21. Click OK when finished entering license information. Notice that the Current
Licenses field now lists the newly entered license information.
22. Click Next.
You are now ready to configure FireWall-1 on the Windows NT Server system.
IP Forwarding
CA keys
You may modify the configuration at any time by running the FireWall-1
configuration application.
Administrators
The next step is to specify the administrators allowed to use the GUI client with the
Management Server just installed. At least one administrator must be defined to use
the Management Server.
Each administrator added must be assigned a level of permission. Choose from the
following permission levels:
Read/Write: All permissions. Only one FireWall-1 administrator at a time can be
logged on with Read/Write permission.
User Edit: At this level, the administrator can modify user information. The rest of
the information is read only.
Read Only: This permission level allows read-only access to the Security Policy
Editor. Administrators with higher permission levels can sometimes log in at this
permission level.
Monitor Only: This is the lowest permission level. It only allows access to the Log
Viewer and the System Status tools.
2. Click Add and the Add Administrator screen appears (Figure 23):
3. Type the administrator's name (fwadmin) and password (abc123) and select the
level of permission from the menu. (The first administrator must be given Read/
Write permission.)
After adding an administrator, the new administrator will appear on the
Administrator screen.
4. Click OK.
5. Repeat the above process for other administrators.
6. When all administrators have been added, click Next.
GUI Clients
The next step is to set up the GUI clients. The GUI clients information is a list of
remote GUI clients allowed to access this station. The Management Station is always
allowed as a GUI client. You do not need to add the name of the Management Station
to this list for class.
1. The GUI Clients screen appears (Figure 24):
2. In the Remote hostname text box, type the name or IP address. Click Add to add
it to the list of GUI clients.
3. To remove a name, highlight it and click Remove.
4. Repeat to add additional GUI clients.
5. When all GUI clients have been added, click Next.
This is used for remote management configuration.
Remote Modules
If a Management Module is the only module installed on this computer, you must
specify the remote Firewall Modules for which this Management Module is defined as
Master. For this class you will not specify a remote module.
1. The Remote Modules screen appears (Figure 25):
2. In the hostname text box, type the name or IP address. Click Add to add to the list
of remote firewall modules.
3. Repeat the above process for other remote modules.
4. When all remote modules have been added, click Next.
Remote modules are used for remote management configuration.
IP Forwarding
The next step in configuring FireWall-1 is to specify whether you want FireWall-1 to
control IP forwarding on the gateway. IP forwarding also determines how the
firewalled machine will react during specific vulnerable times, such as when the
system boots up before the firewall service starts.
1. Two choices are listed on the IP Forwarding screen (Figure 26):
Control IP Forwarding: This selection stops packets from passing through the
firewall. Because no security policy is defined, packets are dropped after the
time-out. When a security policy is defined, packets are handled according to its
settings. It is advisable to select this option unless there is some specific reason
not to use this feature.
Do not control IP Forwarding: With this selection no security policy is applied
and all packets are allowed to pass through the firewall.
2.
SMTP Security Server
The SMTP security server does not provide authentication, because there is not a user
at the keyboard who can be challenged for authentication data. The SMTP security
server provides content security, enabling a security administrator to perform the
following functions:
2. Click Next.
Random Pool
2. Type random characters. Try not to type the same character twice, and vary the delay between keystrokes. A light bulb indicates an accepted character, a bomb an ignored one. These keystrokes and their timing seed FireWall-1's random pool, from which its keys are generated, so genuinely unpredictable input matters here.
3. After the bar is full, click Next.
CA Keys
The next step is to configure the certificate authority (CA) key. The host uses this RSA key to generate digital signatures that authenticate its communications; in turn, those signatures are what authenticate the keys used for encryption.
1. The CA Keys screen appears (Figure 29):
Completing the Installation
You have reached the end of the installation procedure (Figure 30):
6. Click Next.
7. In the Choose Destination Location screen, select where to install the required
GUI Client files (Figure 32):
8. To accept the default location, click Next. To change the directory where the files
will be installed, click Browse and choose an alternate directory.
9. The Select Components screen appears (Figure 33):
10. Select the appropriate components to install, as described in Table 5 on page 49.
For this class select all components.
11. Click Next. The installation process starts.
Table 5 lists the GUI client components and their definitions: Security Policy, System Status and Log Viewer.
12. After all components are installed, the following message appears (Figure 34):
13. Click OK. The installation of the FireWall-1 GUI client is complete.
Client/Server Hardware and Operating System Requirements
Supported Platforms: Sun SPARC-based systems; Intel x86 and Pentium; HP PA-RISC 700/800; RS/6000, PowerPC
Operating Systems: Solaris 2.5 and higher; HP-UX 10.x; AIX 4.2.1 and 4.3.0
Disk Space: 21MB
Memory: 48MB minimum, 64MB recommended
Network Interface: all interfaces supported by the operating system
Media: CD-ROM
Non-Client/Server Hardware and Operating System Requirements
Supported Platforms: Sun SPARC-based systems; Intel x86 and Pentium; HP PA-RISC 700/800; RS/6000, PowerPC
Operating Systems: Solaris 2.5 and higher; HP-UX 10.x; AIX 4.2.1 and 4.3.0
Window System: X11R5/OPEN LOOK (OpenWindows 3) or X/Motif
Disk Space: 21MB (50MB for AIX)
Memory: 16MB minimum, 32MB recommended; no special requirements for the Firewall Module
Network Interface: all interfaces supported by the operating system
Media: CD-ROM
directory_name is the name of the directory where the packages reside, typically /cdrom/fw1_4_0_des/solaris2/.
The following screen output appears with a list of packages to install:
The following packages are available:
1 AMC       Check Point Account Management Client   (sparc) 1.0
2 CKPagent  Check Point FireWall-1 Load Agent       (sparc) 4.0
3 CKPfw     Check Point FireWall-1                  (sparc) 4.0
4 CKPfwgui  Check Point FireWall-1 GUI              (sparc) 4.0
5 CKPfwmap  FireWall-1 HP OpenView Extension        (sparc) 4.0,REV=98.01.26
Select package(s) you wish to process or all to process all package(s) (default: all).
When you first install FireWall-1, the following configuration screens are a continuation of the initial installation: Licenses, Administrators, GUI Clients, Remote Modules, SMTP Server, SNMP Extension, Groups, IP Forwarding, Default Filter, Random Pool and CA Keys. You may modify any of these configurations at any time after the initial installation by running the FireWall-1 configuration application, fwconfig, at the command prompt.
Configuring Licenses
Configuring Administrators
Configuring GUI Clients
Configuring Remote Modules
Configuring SMTP Server
Configuring SNMP Extension
Configuring Groups
Configuring IP Forwarding
Configuring Default Filter
Auto-Configuring the Certificate Authority Key
Hardware and Operating System Requirements
Platforms: SunOS; Solaris (except for x86); HP-UX; IBM AIX
Disk Space: 15 MB
Memory: 16 MB
Network Interface: all interfaces supported by the operating system
Media: CD-ROM
Software: Motif libraries; FireWall-1 Management Module
The FireWall-1 GUI client does not have to reside on the Management Server computer.
Installing X/Motif GUI Client
To install the FireWall-1 GUI client on Solaris, use the command-line utility pkgadd, which transfers the FireWall-1 installation files to the Solaris machine. Follow these steps:
1. Become superuser:
hostname% su
Password: your root password
2. Start the installation process (the prompt is now # because you are root):
hostname# pkgadd -d directory_name
3. directory_name is the name of the directory where the packages reside, typically /cdrom/fw1_4_0_des/solaris2/.
4. The following screen output appears with a list of packages to install:
The following packages are available:
1 AMC       Check Point Account Management Client   (sparc) 1.0
2 CKPagent  Check Point FireWall-1 Load Agent       (sparc) 4.0
3 CKPfw     Check Point FireWall-1                  (sparc) 4.0
4 CKPfwgui  Check Point FireWall-1 GUI              (sparc) 4.0
5 CKPfwmap  FireWall-1 HP OpenView Extension        (sparc) 4.0,REV=98.01.26
Select package(s) you wish to process or all to process all package(s) (default: all).
5. Type 4 to select Check Point FireWall-1 GUI and press Enter.
FireWall-1 Windows NT Server Uninstall
FireWall-1 Solaris Uninstall
Remove the FireWall-1 packages with the Solaris package removal tool, pkgrm: CKPagent, CKPfw, CKPfwgui and CKPfwmap.
Review
Summary
The FireWall-1 installation process can be accomplished easily on both the Windows
NT Server and Solaris platforms. It is best that the system administrator have all the
necessary information before starting this process to ensure that the installation goes
smoothly.
There are many elements to configure during installation. These elements include the
following:
Administrators
GUI Clients
Remote modules
IP forwarding
Security servers
It is important to know what the minimum system requirements are for FireWall-1 to
run on the platform of your choice. This ensures you have the available drive capacity
and memory in order to run FireWall-1 properly.
Review Questions
1. What are the minimum system requirements for your FireWall-1 system?
2. Which elements will you need information about before installing FireWall-1?
3. What is the difference between installing FireWall-1 components and the GUI
installation?
Unit II Chapter 2:
Navigating in FireWall-1
Introduction
There's nothing worse than not knowing how to fully use a new piece of software. There are always shortcuts available, if you know where to find them. This chapter shows you how to navigate the FireWall-1 GUI programs using the shortcut buttons and menu options.
Objectives
Key Terms
Log Viewer
System Status
Security Log
Accounting Entries
Active Connections
FireWall-1 GUIs
FireWall-1 has three GUI programs for easy configuration of your security policy and
access to information. Administrators are assigned varying access privileges to the
GUI programs during installation. An administrator with Read/Write privileges can
access all three GUI programs from within any one of the GUIs. This chapter will help
you navigate through each of the following GUI programs:
Security Policy Editor The Security Policy Editor GUI provides you with
management tools to add rules and define properties to create your security policy.
Log Viewer The Log Viewer GUI allows you to view entries in the Log File.
System Status The System Status GUI presents a high-level view of operation and
flow statistics for all firewalled objects.
Logon Information
To access FireWall-1's management features, you must first log on. If multiple administrators log on at the same time, only one of them holds Read/Write privileges; the others get Read Only access for that session. You will need the following information to log on:
User Name Defined administrator of the firewall
Password Defined password of the administrator
Firewall server Management station (the Management Server to connect to)
Windows NT Security Policy Editor Logon
To log onto the Security Policy Editor in Windows NT, follow these steps:
1. Open the Start menu and select Programs and FireWall-1.
2. Select Security Policy and the Login screen appears (Figure 36). In the figure the classroom values are entered: User Name fwadmin, Password abc123, Firewall server localhost. These are training credentials only; on a production management station use an administrator name and password of your own choosing.
If the Log Viewer GUI or System Status GUI is open, you can open the Security Policy Editor GUI from the Window menu.
X/Motif Security Policy Editor Logon
Security Policy Editor Toolbar Buttons
The toolbar buttons are shortcuts for menu commands; each button duplicates an action that is also available in the menus. Position the pointer over a button for a description of that button's function. The most commonly used commands are available as shortcut buttons (Figure 38 and Table 6):
Table 6 lists the toolbar shortcut buttons and the menu commands they duplicate: File>Save, File>Print, File>Print Preview, File>Refresh, Edit>Cut, Edit>Copy, Edit>Paste, Manage>Network Objects, Manage>Services, Manage>Resources, Manage>Servers, Manage>Users, Manage>Users on LDAP Account Unit, Policy>Properties, Edit>Add Rule>Bottom, Edit>Add Rule>Top, Edit>Add Rule>Before, Edit>Add Rule>After, Edit>Delete Rule, Policy>Access Lists, Policy>Verify, Policy>View, Policy>Install, Policy>Uninstall and Help>Help Topics.
Log Viewer Logon
The Log Viewer login screen takes the same classroom values as the Security Policy Editor: User Name fwadmin, Password abc123, Firewall server localhost.
If the Security Policy Editor GUI or System Status GUI is open, you can open Log
Viewer GUI from the Window menu.
Data (Column) Fields
You can specify which of the available data fields (columns) to display in the Log Viewer. In addition, you can change the width of columns and define selection criteria based on the columns; only entries matching the selection criteria are displayed. To customize your log view, choose from the following fields:
Bytes The number of bytes transferred.
Conn. ID The connection ID, a fixed number that uniquely identifies each connection (Active Connections mode only).
Date The date the event occurred.
Destination The destination of the communication.
DstKeyID The key ID of the destination of an encrypted communication.
Elapsed The duration of the connection, calculated to the time of the last byte transferred.
Info Additional information (for example, messages generated during Inspection Code installation) not included in other fields.
Inter. The interface at which the logged event occurred.
No Number of the log entry (a sequential number assigned by FireWall-1).
Origin Name of the host enforcing the rule that caused the logged event.
Port The source port.
Proto. The communication protocol used.
Rule The number of the rule in the rule base that was applied to this packet.
Service The service (destination port) requested by this communication.
Column Menu
Right-click anywhere in a column of the Log Viewer GUI, and the Column menu
appears (Figure 41):
You can display one of three different log modes from the toolbar (Figure 42):
To view varied log information, choose from the following log modes:
Security Log This log shows all security-related events.
Accounting Entries This log shows accounting entries in addition to the security
log. The additional accounting entries include Elapsed, Bytes and Start date.
Active Connections This log shows connections currently open through any of the
firewalled hosts and gateways that are logging to the currently open log file. In
addition to the security log, the additional active connections entries include Elapsed,
Bytes, Start date and Conn. ID.
Some of the log viewer toolbar buttons are shortcuts for menu commands. Other
buttons have no corresponding menu commands (Figure 43 and Table 7).
Table 7 lists the Log Viewer toolbar buttons. The buttons with a menu equivalent are File>New, File>Open, File>Save, File>Print, File>Print Preview, Edit>Go to Top, Edit>Go to Bottom, View>Online, Select>Block Intruder (block a connection) and the View mode selector; the buttons marked n/a in the table have no corresponding menu command.
Navigating and Searching
There are several ways to navigate in the Log Viewer. You can scroll through the
entries using the scrollbars on the side and bottom of the Log Viewer. You can also use
the arrow, Page Up and Page Down keys. From the edit menu you can navigate to
specific areas by selecting from the following options:
Find To find a record in the Log File based on a value in a specific column.
Go To Top Select to go to the beginning of the Log File.
Go To Bottom Select to go to the end of the Log File.
To find a record, follow these steps:
1. On the Edit menu (Figure 44 on page 79), select Find.
2. Select the column with the information you are searching for. For example, if you select the Date column, the Find Date screen appears (Figure 45); the Find screen for any other column works the same way (Figure 46).
3. In the Pattern field, type the text string for the search. You can specify a regular expression in this field.
4. Select one of the Direction options to specify the desired search direction: Forward (from the current entry), Backward (from the current entry) or From Top.
5. Click OK to go to the matching log entry, which will be highlighted.
To Change Location
To go to the top or bottom of the log file, follow these steps:
1. On the Edit menu (Figure 44 on page 79), select Go To Top or Go To Bottom.
2. Your view is moved to the location you specify.
Displaying Selected Entries
To display only entries of interest in the Log Viewer and to hide other entries, you can
specify selection criteria. Specify as many selection criteria as you want to appear. A
log entry is displayed only if it matches all the selection criteria. You can also specify
selection criteria using the Select menu.
To specify selection criteria, follow these steps:
1. On the Select menu, select By Columns. The Column Selection menu appears
(Figure 48):
2. Select the name of the column for which to define selection criteria. For example, if you select Services, the Services Selection Criteria screen appears (Figure 49):
5. Click Apply.
6. The prompt shown in Figure 50 appears. If you select Yes, the selection criteria you have just defined are applied to the log view, and any further selection criteria are applied automatically without prompting. If you select No, the prompt in Figure 50 appears again each time you click Apply.
7. Repeat these steps for any other column and the selection criteria screen for that
column appears (Figure 51):
Each time you add an additional Selection Criteria, the view in the log
viewer will change to match the selected information. If you wish to apply
or change your selection criteria, review the information in the Selection
Options on page 84.
Selection Options
When using selection criteria you can specify certain viewing options by following
these steps:
1. On the Select menu, select Options and the Options screen appears (Figure 52):
Viewing/Editing Current Selection Criteria
To view and/or edit the current selection criteria, follow these steps:
1. On the Select menu, select Find and Current to view the list of matching records based on your selection criteria (Figure 53). The figure shows two criteria of the form in {value}, for example a Service criterion in {telnet} and an Interface criterion in {le0.all}.
2. Any current selection criteria appears in the Show records matching field.
3. You may then perform any of the following functions:
Edit To edit the current selection criteria.
Delete To delete a particular selection criteria.
Clear To clear all selection criteria.
4. Click OK to save your changes.
Only Log entries matching the criteria in the Current Selection Criteria screen are
displayed in the Log Viewer.
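The selection and search semantics described above (a record is shown only if it matches every criterion, criteria are written as "Column in {values}", Find takes a regular expression and a direction, and the Accounting and Active Connections modes add columns) are easy to get wrong when you write your own log tooling. The following is an added example, not code from this guide or from Check Point; the log records and the column subset are constructed assumptions, and it models the behaviour the chapter describes rather than reading real FireWall-1 log files.

```python
"""Added example, not Check Point code: a small model of the Log Viewer's
selection criteria, Find and log modes. Column names follow the chapter;
the log records are constructed sample data."""
import re

# Columns present in every mode (a subset of those the chapter lists).
BASE_COLUMNS = ("No", "Date", "Inter.", "Origin", "Source", "Destination",
                "Service", "Proto.", "Rule")
# Columns that the Accounting and Active Connections modes add to the view.
MODE_COLUMNS = {
    "Security Log": (),
    "Accounting Entries": ("Elapsed", "Bytes", "Start"),
    "Active Connections": ("Elapsed", "Bytes", "Start", "Conn. ID"),
}

# Constructed sample log records (not real FireWall-1 output).
LOG = [
    {"No": 1, "Date": "12Mar99", "Inter.": "le0", "Origin": "fwgw", "Source": "10.1.1.5",
     "Destination": "192.168.1.10", "Service": "telnet", "Proto.": "tcp", "Rule": 3,
     "Elapsed": "0:00:12", "Bytes": 1200, "Start": "09:01:05", "Conn. ID": 7001},
    {"No": 2, "Date": "12Mar99", "Inter.": "le0", "Origin": "fwgw", "Source": "10.1.1.7",
     "Destination": "192.168.1.20", "Service": "http", "Proto.": "tcp", "Rule": 5,
     "Elapsed": "0:00:02", "Bytes": 8400, "Start": "09:01:09", "Conn. ID": 7002},
    {"No": 3, "Date": "12Mar99", "Inter.": "hme0", "Origin": "fwgw", "Source": "172.16.0.9",
     "Destination": "10.1.1.5", "Service": "telnet", "Proto.": "tcp", "Rule": 3,
     "Elapsed": "0:03:40", "Bytes": 51000, "Start": "09:02:11", "Conn. ID": 7003},
    {"No": 4, "Date": "12Mar99", "Inter.": "le0", "Origin": "fwgw", "Source": "10.1.1.5",
     "Destination": "192.168.1.30", "Service": "ftp", "Proto.": "tcp", "Rule": 6,
     "Elapsed": "0:01:15", "Bytes": 22000, "Start": "09:03:00", "Conn. ID": 7004},
    {"No": 5, "Date": "12Mar99", "Inter.": "le0", "Origin": "fwgw", "Source": "10.1.1.9",
     "Destination": "192.168.1.10", "Service": "telnet", "Proto.": "tcp", "Rule": 3,
     "Elapsed": "0:00:30", "Bytes": 3100, "Start": "09:04:21", "Conn. ID": 7005},
]


def columns_for_mode(mode):
    """Columns shown in the given log mode."""
    return BASE_COLUMNS + MODE_COLUMNS[mode]


def parse_criterion(text):
    """Parse 'Column in {v1, v2}', the form the Current Selection Criteria screen shows."""
    m = re.fullmatch(r"(.+?)\s+in\s+\{([^}]*)\}", text.strip())
    if not m:
        raise ValueError("bad criterion: %r" % text)
    column = m.group(1).strip()
    values = {v.strip() for v in m.group(2).split(",") if v.strip()}
    return column, values


def matches(record, criteria):
    """A record is displayed only if it satisfies every criterion (AND across columns)."""
    return all(str(record.get(col, "")) in values for col, values in criteria)


def select(records, criteria):
    """Return the records the Log Viewer would display (and save) for these criteria."""
    return [r for r in records if matches(r, criteria)]


def find(records, column, pattern, direction="Forward", current=0):
    """Edit>Find: regex search in one column; returns the index of the match or None."""
    rx = re.compile(pattern)
    if direction == "Forward":
        order = range(current + 1, len(records))
    elif direction == "Backward":
        order = range(current - 1, -1, -1)
    elif direction == "From Top":
        order = range(len(records))
    else:
        raise ValueError("direction must be Forward, Backward or From Top")
    for i in order:
        if rx.search(str(records[i].get(column, ""))):
            return i
    return None


if __name__ == "__main__":
    crit = [parse_criterion("Service in {telnet}"), parse_criterion("Inter. in {le0}")]
    for r in select(LOG, crit):
        print({c: r[c] for c in columns_for_mode("Active Connections")})
```

Note that `select` applies the same AND rule the chapter states for saving and printing: a record outside the current criteria is neither shown nor written out, so check the criteria list before exporting a log for an investigation.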
Creating and Selecting Selection Criteria
To save your selection criteria in a file to use later, follow these steps:
1. On the Select menu, click New Selection.
2. The new Selection screen appears (Figure 54 on page 86).
Log File Management
The File menu provides Open, New, Purge, Save and Export for managing log files.
in the file that match the Selection Criteria. To print to a file or to a printer in ASCII
(text) format, select the appropriate options in the Print window.
When saving a log file, the current log entries will be written to file. Only the records
that match the selection criteria will be saved to the file (both the entries that are
visible in the window and those that are not visible).
System Status Logon
The System Status login screen is completed with the same classroom values as the other GUIs: User Name fwadmin, Password abc123, Firewall server localhost.
If the Security Policy Editor GUI or Log Viewer GUI is open, you can open System
Status GUI from the Window menu.
System Status Toolbar Buttons
Some of the toolbar buttons in the System Status screen are shortcuts for menu commands on the View menu (Table 8): View>Auto Update and View>Alert; the button marked n/a in the table has no menu equivalent.
System Status Update
Before FireWall-1 updates the status display, it broadcasts a status request message to all firewalled objects. For each firewalled object whose status is displayed, the following information is shown:
Object's name
Rule base name: the name of the file containing the rule base
Date and time this object's status was last updated in the System Status View screen, manually or automatically
An object status icon appears for each object to indicate its status (Table 9).
Alerts
Alerts are sent by Firewall Modules to the management server, which sends them in
turn to all the GUI client system status applications connected to the management
server at that moment. The Alert screen contains the following information:
Play Sound To play a sound when an alert is received.
Show This Window To display the Alerts screen when an alert is received.
Clear To clear alerts, select the alert(s).
Dismiss To close the Alerts screen.
To set up the Alert screen, follow these steps:
1. On the View menu, select Alert (Figure 57):
Display Firewalled Objects
To display a firewalled object's status, choose from the settings in the Show Status screen. To set up the Show Status screen, follow these steps:
1. On the View menu, select Gateways (Figure 59):
Updating and Changing the Status Display
Changes to Firewalled Objects
You can specify the actions to be taken when the status of a firewalled object changes in the Options screen. The Options screen contains the following settings:
Action on Transition:
Alert Issue an alert as defined in the Properties Setup screen.
Mail Send a mail alert as defined in the Properties Setup screen.
SNMP Trap Issue an SNMP trap as defined in the Properties Setup screen.
User Defined Issue a User Defined Alert as defined in the Properties Setup screen.
To set up the Options screen, follow these steps:
1. Select Options from the View menu (Figure 63):
3. Check the actions to be taken when the status of a firewalled object changes.
4. Click OK to return to System Status screen.
Review
Summary
The FireWall-1 logon procedure is simple on both the Windows NT and Solaris
platforms. Knowledge and use of the shortcut buttons can add to the efficiency of
navigating in each of the following FireWall-1 GUIs:
Security Policy Editor Provides management tools for adding rules and defining
properties to create a security policy.
Log Viewer Displays the log file consisting of all logged and critical activities on
the network.
System Status Displays status of all firewalled objects.
In the Security Policy Editor GUI, you create a rule base and define properties to
create your security policy.
The Log Viewer GUI allows you to view entries in the log file. Each entry in the log
file is a record of an event that, according to the rule base or the properties, is to be
logged. The Log Viewer gives you control over which information in the log file is
displayed by selecting which log entries and data fields to display. When displaying
events through the Log Viewer, you can view in either one of three modes:
Security Log
Accounting
Active Connections
The System Status GUI presents a high-level view of operation and flow statistics for
all firewalled objects. You can set your System Status to provide the status of your
network automatically on the network objects you specify. For each firewalled object whose status is displayed, the following information is shown:
Object's name
Rule base name: for firewalled objects, the name of the file containing the rule base
Date and time this object's status was last updated in the System Status View screen, manually or automatically
Review Questions
2. How many administrators can access FireWall-1 with Read/Write privileges at the
same time?
5. What are the three display modes of the Log Viewer and how is each different?
6. How do you display the list of selection criteria that you have specified in the Log
Viewer?
7. What are the three status choices that can be reported on firewalled objects?
Unit II Chapter 3:
Management Tools
Introduction
In this chapter, you will learn about creating objects for use in your security policy. To configure these objects, you will learn to use the following management tools:
Services Manager
Resources Manager
Servers Manager
Users Manager
Although you do not have to define all the objects related to your network, it is important that you understand each of them. You will define only the objects that are part of your network. As each rule or object is defined, it becomes an integral part of the security policy.
Objects needed for basic configuration are defined in this chapter. More complex objects are defined in later chapters or in the CCSE course.
Objectives
Key Terms
network objects
FWZ
Manual IPSec
SKIP
ISAKMP/Oakley (IKE)
RADIUS
TACACS
AXENT Defender
Management Tools
Various management tools are provided in FireWall-1 to define the objects that are in
contact with the network. Before an object can be included in the rule base, its
properties must first be defined. Management tools can be accessed through the
Manage menu of the Security Policy Editor.
Accessing Management Tools
The Manage menu of the Security Policy Editor (Figure 65) offers the following tools: Network Objects, Services, Resources, Servers, Users, Users on Account Unit, Time and Keys.
Color Scheme
It is helpful to determine a color scheme before defining the objects to include in your
rule base. By assigning the same color to related objects, managing your firewall is
made easier. A simple color scheme enables you to quickly identify and select objects,
rather than scroll through long lists with little or no distinction between objects.
To develop a color scheme for your objects, consider the following categories: Green
Internal elements, Blue External elements and Red Firewalls.
Defining Network Objects
The Network Objects Manager is a tool used to define the following network objects:
networks and subnetworks, hosts, gateways and servers (firewalled or not), routers,
Internet domains and logical servers. Before an object is included in the rule base, its
properties must first be defined.
To access the Network Objects Manager, follow these steps:
1. Select Network Objects from the Manage menu (Figure 65 on page 101).
2. The Network Objects Manager appears (Figure 66):
3. Click New and select the object to manage. There are nine options that allow you
to manage your network objects. To configure each network object, select from
the following:
Workstation
Network
Domain
Router
Switch
Integrated Firewall
Group
Logical Server
Address Range
The screen options and tabs vary depending on whether FireWall-1 is
installed on each object. This is because certain options are not applicable
unless the object is a gateway or has FireWall-1 installed.
General Tab
The General tab for Workstation Properties allows definition of basic information
about the workstation. Defining the General tab allows access to the other tabs within
the Workstation Properties screen (Figure 67):
Figure 68 shows an example deployment with two management stations, Management Station #1 and Management Station #2, and the firewall modules FW A through FW F that they manage.
Interfaces Tab
The Interfaces tab allows definition and display of interface names, IP addresses and
network masks for the workstation (Figure 69):
Interfaces Properties
When you add or edit an interface, the Interface Properties screen appears (Figure 70):
Others + Used to allow traffic for non-standard packet flows, such as with NAT. Packets are accepted unless their source IP address belongs to the networks listed under Valid Addresses for one of this object's other interfaces; in addition, the addresses in the specified group are accepted even if they would otherwise be excluded. Use this on the external interface once you have identified the internal networks, so that Others + means any address other than those networks.
Specific Packets are accepted only if their source address belongs to this group, typically a group of network objects.
Spoof tracking Spoofed packets are always dropped. Specify which additional action is taken by selecting one of the following options:
None No additional action is taken.
Log The spoofing attempt is logged.
Alert The action specified in the Anti Spoof Alert command field in the Log and Alert tab of the Properties Setup screen is taken.
Anti-spoofing and its relation to the Interfaces tab are described in Unit III Chapter 2: Administering Security Policy with Rule Base on page 221.
When anti-spoofing is specified, an implicit anti-spoof rule is generated. This rule comes first in the rule base, even before the properties specified in the Security Policy tab of the Properties Setup screen, so a spoofed packet is dropped before any explicit rule is consulted.
Interface Properties Setup
To set up the Interface Properties screen, follow these steps:
1. Define the interface by completing the information in the fields.
2. Click OK to return to the Interfaces tab.
Authentication Tab
Encryption Tab
The Encryption tab of the Workstation Properties specifies encryption parameters for
network objects (Figure 71 on page 109). For a gateway to perform encryption, the
encryption domain must first be defined. The gateway can then conduct encrypted
sessions on network objects in the encryption domain. This only applies to
workstations or gateways with FireWall-1 installed on them.
Encryption Domain A domain that will use encryption; disabled is the default
setting.
If all gateway interfaces have been defined in the Interfaces tab of the gateway's Workstation Properties screen, then Valid Addresses can be selected as the Encryption Domain.
Encryption Methods Defined Encryption method used on a selected domain.
Encryption Methods
An encryption method consists of the following elements:
An authentication algorithm for ensuring integrity, that is, that messages have not
been tampered with
Encryption Schemes
FireWall-1 supports the following encryption schemes: FWZ, IPSec, SKIP and ISAKMP/Oakley (IKE).
FWZ FWZ is a FireWall-1 proprietary encryption scheme. FWZ manages keys automatically, including updating public keys. FWZ encryption does the following:
Encrypts all data behind the IP and TCP headers, using in-place encryption (the packet keeps its original size and its headers stay in the clear)
Uses the reliable-data protocol (RDP) to manage VPN session keys, encryption methods and data integrity
Supports the FWZ-1, DES and Triple DES algorithms. FWZ-1 uses a 40-bit key, which is what made it exportable outside the United States under the export rules of the time; a 40-bit key offers no real resistance to brute-force search, so treat FWZ-1 as an export-compliance setting rather than a security one and prefer Triple DES where it is available.
NAT Tab
SNMP Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation
on page 259.
General Tab
The General tab for the Network Properties allows definition of basic information
about the network (Figure 72):
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation
on page 259.
Using Domain Objects in a Rule
The first time a rule containing a domain object is applied to a specific IP address, there is a slight delay while the Inspection Module reverse-resolves the IP address. The result is then stored in a local cache, so the delay occurs only once per IP address per rule. To minimize these delays, position rules containing domain objects as far down the rule base as possible. Bear in mind that the reverse (PTR) record for an address is controlled by whoever administers that address space, so a domain object identifies where the sender claims to be, not a verified identity; do not rely on it for access decisions that matter.
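To make the lookup-and-cache behaviour and the suffix semantics of a domain object concrete, here is an added example (not code from this guide or from Check Point). The PTR table stands in for reverse DNS and is constructed data; the rule numbers are assumptions. It shows that each (IP address, rule) pair costs exactly one reverse lookup, that the leading period in the domain name prevents a look-alike such as notcheckpoint.com from matching, and that an address with no PTR record never matches.

```python
"""Added example, not Check Point code: models how a rule containing a domain
object is evaluated. The source address is reverse-resolved, the result cached
per (IP address, rule) so the lookup happens once, and the domain name (written
with a leading period, e.g. .checkpoint.com) is matched as a suffix of the
resolved host name. PTR_TABLE is constructed sample data standing in for DNS."""

# Constructed reverse-DNS data (not real records).
PTR_TABLE = {
    "192.0.2.10": "www.checkpoint.com",
    "192.0.2.11": "mail.checkpoint.com",
    "198.51.100.5": "host.example.net",
    "203.0.113.9": "notcheckpoint.com",      # look-alike name, must not match
}


class DomainMatcher:
    def __init__(self, resolver):
        self.resolver = resolver     # callable: ip -> hostname, or None if no PTR record
        self.cache = {}              # (ip, rule_no) -> hostname or None
        self.lookups = 0             # how many reverse lookups were actually performed

    def _resolve(self, ip, rule_no):
        key = (ip, rule_no)
        if key not in self.cache:    # first hit for this IP under this rule: pay the lookup
            self.lookups += 1
            self.cache[key] = self.resolver(ip)
        return self.cache[key]

    def matches(self, ip, rule_no, domain):
        """True if ip reverse-resolves to a host inside `domain` (e.g. '.checkpoint.com')."""
        if not domain.startswith("."):
            raise ValueError("domain object names start with a period")
        name = self._resolve(ip, rule_no)
        # Suffix match including the period: 'notcheckpoint.com' does not end with
        # '.checkpoint.com', and an address without a PTR record never matches.
        return name is not None and name.lower().endswith(domain.lower())


if __name__ == "__main__":
    m = DomainMatcher(PTR_TABLE.get)
    for ip in ("192.0.2.10", "192.0.2.10", "203.0.113.9", "203.0.113.77"):
        print(ip, m.matches(ip, 4, ".checkpoint.com"), "lookups so far:", m.lookups)
```

Because the cache key includes the rule number, the same source address hit by two different domain-object rules is resolved twice, which is the per-IP-per-rule cost the text describes and the reason such rules belong near the bottom of the rule base.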
General Tab
The General tab for Domain Properties allows definition of basic information about
the domain (Figure 74):
Name Enter an Internet or intranet domain name. In Figure 74, the domain name is
.checkpoint.com and starts with a period ( . ).
Comment Any information that describes this domain.
Color Defines the color scheme of the object.
General Tab Setup
To set up the General tab, follow these steps:
1. Define the Domain by completing the information in the fields.
2. Click OK to complete the Domain Properties setup and return to the Network
Objects Manager.
General Tab
The General tab for Router Properties allows definition of basic information about the
router. Defining the General tab allows access to the other tabs (Figure 75):
Interfaces Tab
The Interfaces tab allows definition and display of interface names, IP addresses and
network masks for the router (Figure 76):
Interfaces Properties
When you add or edit an interface, the Interface Properties screen appears (Figure 77):
Others+ Used to allow traffic for non-standard packet flow, such as with NAT.
Packets are allowed except those whose source IP addresses belong to the
networks listed under Valid Addresses for this object's interface. Use this on the
external NIC when you have identified the internal network: Others+ is then anything
other than the identified network.
Specific Packets are allowed only from this group. This is typically a group of
network objects.
Spoof tracking Spoofed packets are always dropped. The additional action taken is
selected from one of the following options:
None No additional action is taken.
Log The spoofing attempt is logged.
Alert The action specified in the Anti Spoof Alert command field in the Log
and Alert tab of the Properties Setup screen is taken.
Anti-spoofing and its relation to the Interfaces tab is described in Unit III
Chapter 2: Administering Security Policy with Rule Base on page 221.
When anti-spoofing is specified, an implicit anti-spoof rule is generated,
which comes first in the rule base, even before the properties specified in the
Security Policy tab of the Properties Setup screen.
Interface Properties Setup
To set up the Interface Properties screen, follow these steps:
1. Define the interface by completing the information in the fields.
2. Click OK to return to the Interfaces tab.
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation
on page 259.
SNMP Tab
Setup Tab
In the case of access lists and filters, the Setup tab allows for the entry of parameters
like router manager IDs and passwords. The Setup tab contains various information
depending on the router selected (Figure 78):
Figure 78: Router Properties - Setup Tab (router types: CISCO, Bay Networks, 3Com, Steelhead)
The General tab allows you to define general information about the switch object that
is installed. Completing the information in the General tab allows access to the other
tabs (Figure 79):
Interfaces Tab
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation
on page 259.
SNMP Tab
VLANs Tab
The VLANs tab allows you to configure and display the properties of the Virtual
Local Area Network (VLAN) associated with a switch (Figure 80):
Setup Tab
The Setup tab for switch properties contains the External Interface and License Type
(Figure 81):
The General tab for the Integrated FireWall Properties allows definition of basic
information about the firewall (Figure 82):
Interfaces Tab
SNMP Tab
The SNMP tab enables you to retrieve or set SNMP information for the integrated
firewall (Figure 83):
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation
on page 259.
The Setup tabs of the Integrated Firewall Properties screens contain fields that are
specific to the type of Firewall you selected on the General tab (Figure 84):
Authentication:
Server Drop-down list of authentication servers previously defined.
Enable Outbound Authentication Sets the option to request authentication for
outbound connections.
Enable Inbound Authentication Sets the option to request authentication for
inbound connections.
Shared Secret Specifies the public key to encrypt communication between PIX
and the authentication server.
Type Specifies an authentication scheme: RADIUS or TACACS.
For Cisco PIX integrated firewalls, a second tab appears (Figure 85):
Failover Defines the PIX failover feature in which a secondary PIX firewall takes
over connections if the primary PIX fails.
Private Link Key Duration Sets the interval in minutes in which PIX Private Link
keys are changed.
Private Link Connections Lists the remote PIX units with which you want to
establish PIX Private Link communications. Connections between the local PIX
blackbox and the remote PIX blackbox will be encrypted.
New: Adds a remote PIX.
Edit: Opens the encryption properties of the remote Integrated FireWall.
Remove: Removes a selected remote PIX.
When you select TimeStep on the General tab, the following setup screen appears
(Figure 86):
General Tab
NAT Tab
To configure the NAT tab, see Unit IV Chapter 2: Network Address Translation
on page 259.
Define gateways
Define the following firewalled gateways. Color all brick-red:
fw.detroit.com 204.32.38.101
fw.chicago.com 204.32.38.102
fw.london.com 204.32.38.103
fw.newyork.com 204.32.38.104
fw.paris.com 204.32.38.105
fw.tokyo.com 204.32.38.106
fw.moscow.com 204.32.38.107
fw.berlin.com 204.32.38.108
Define networks
Define the following local networks. Color yours green, others blue:
net-detroit 192.168.1.0
net-chicago 192.168.2.0
net-london 192.168.3.0
net-newyork 192.168.4.0
net-paris 192.168.5.0
net-tokyo 192.168.6.0
net-moscow 192.168.7.0
net-berlin 192.168.8.0
Services Manager
FireWall-1 controls access to hosts and networks, not only based on the source and
destination addresses, but also according to the service requested or used in each
packet of data.
Service Object Setup
Before you can use a service in a rule base, you must define its properties. To set up
Services, follow these steps:
1. Select Services from the Manage menu (Figure 89):
3. Click New and select the service to define from the menu.
Allowed Services
TCP
UDP
RPC
ICMP
Other
Group
Port Range
Transmission Control Protocol (TCP) allows hosts to send and receive streams of
data. TCP guarantees that data sent from one side will be received at the other side
without loss or corruption. The majority of Internet services are built on top of
TCP.
TCP
The TCP Service Properties screen contains the following information (Figure 91):
Name The name in the services file enables FireWall-1 to retrieve the port number
automatically. If Network Information Service (NIS) is used on the system, FireWall-1
will consult the NIS services file. (NIS is a service under UNIX that sends
configuration information automatically across the network.) The following are the
Windows NT and Solaris services files:
NT: c:\winnt\system32\drivers\etc\services
Solaris: /etc/services
UDP
User Datagram Protocol (UDP) is primarily used for protocols where performance is
more important than getting all of the packets. For example, audio stream protocols
usually use UDP because they can stand to lose a few packets. They cannot, however,
tolerate retransmissions of lost packets, which take time.
The UDP Service Properties screen contains the following information (Figure 92):
Name The name assigned here should be identical to the server service name as it
appears in the services file. If Network Information Service (NIS) is used, FireWall-1
will automatically retrieve the information from the NIS.
Comment Any information that describes this service.
RPC
The RPC Service Properties screen contains the following information (Figure 93):
Name The name in the RPC file allows FireWall-1 to retrieve the port number
automatically. (The RPC file is /etc/rpc in Solaris; it is not available in NT.) If Network
Information Service (NIS) is used on the system, FireWall-1 will consult the NIS
services file.
Comment Information that describes this service.
Color Defines the color scheme of the object.
Program Number The program number is simply the RPC equivalent for a service
port number. For standard services, you can retrieve the program number from the
RPC database. If the program number is omitted, FireWall-1 will attempt to resolve
the program number when the rule base is installed. If resolution fails, an error
message is issued and installation will fail.
ICMP
Internet Control Message Protocol (ICMP) is an extension to the Internet Protocol (IP). ICMP supports
packets containing error, control, and informational messages. The PING command,
for example, uses ICMP to test an Internet connection. All ICMP services are
predefined in FireWall-1.
The ICMP Service Properties screen contains the following information (Figure 94):
Name The service's name. The name assigned here should be identical to the
server service name as it appears in the services file. FireWall-1 will retrieve some
properties automatically.
Comment Any information that describes this service.
Color Defines the color scheme of the object.
Match Enter the code string residing in the INSPECT language that determines
whether the packet belongs to this service.
Pre-Match INSPECT language command to be executed prior to the rule base.
Prologue (optional) Add a fixed code string to the rules at the head of the rule
base.
Other
The User Defined Service Properties screen contains the following information
(Figure 95):
Name The service's name. The name assigned here should be identical to the
server service name as it appears in the services file.
Comment Any information that describes this service.
Color Defines the color scheme of the object.
Match Enter the code string (residing in the INSPECT language) which
determines whether the packet belongs to this service.
For example, dport = telnet. The file tcpip.def lists some predefined
components that can be used in expressions.
Pre-Match INSPECT language command to be executed prior to the rule base.
Prologue (optional) Add a fixed code string to the rules at the head of the rule
base, before the Properties macros.
Group
Group Properties allows the administrator to define a service and add it to a named
group. This eliminates the need to list each service individually in the rule base.
When forming groups, follow these guidelines:
The Group Properties screen contains the following information (Figure 96):
Name The group name.
Comment Any information that describes this group.
Color Defines the color scheme of the object.
Not in Group Services not included in the named group.
In Group Services added to the named group.
Port Range
Most well known services have an associated port. For example: TELNET is port 23,
FTP is port 21 and SMTP is port 25. Some protocols or services may operate with a
range of ports, especially for the reverse connection back to the client that initiated the
connection.
Port Range allows setup of either UDP, TCP or FTP protocols with a starting and
ending port range. If specified, only those port numbers will be accepted, dropped or
rejected when inspecting packets considered to belong to the service.
The Port range properties screen contains the following information (Figure 97):
First Port A single port number or the starting port number within a range of ports.
Last Port The ending port number within the range of ports.
Comment Any information that describes this service.
Color Defines the color scheme of the object.
Protocol Select TCP or UDP.
Resources Manager
A FireWall-1 resource is used in conjunction with content security. FireWall-1
resource specification defines further protocol-specific matching as well as actions to
be performed at the protocol specific level in a data packet. You can define FireWall-1
Resources for use with the following protocols: HTTP, FTP and SMTP.
Anti-virus checking, URL screening and e-mail address translations are major security
enhancements enabled by the content security. These options are enforced using UFP
and CVP server objects.
The Resources Manager is covered in detail in the CCSE manual.
Resource Object Setup
To set up a new Resource, follow these steps:
1. Select Resources from the Manage menu (Figure 98):
URI Resource
A Uniform Resource Identifier (URI) resource is an extension of the rule base. The
URI goes beyond the source, destination and service fields and provides more details
about the content of the service. HTTP security servers must be installed with default
options for the URI to work.
After creating a CVP or UFP server object if required, you must define the resource
for HTTP to create a URI resource.
URI Match Specification Type
In the General tab of the URI Definition screen, you select from one of the following
URI Match Specification types:
Wild Cards The URIs are described on the Match tab of the Resource screen.
Under this method, many URIs are described by a single wild card. For example, the
wild card www.elvis* describes a large number of URIs. The URIs will be allowed or
disallowed, depending on the Action in the rule that uses the resource.
File The URIs are listed by name in the file specified in the Match tab of the
Resource screen. Under this method, each URI is individually listed in the given file.
The URIs will be allowed or disallowed, depending on the Action in the rule that uses
the resource.
UFP A list of URIs in selected categories is provided by the server specified in the
Match tab of the Resource screen.
Wild Cards is the first specification type listed in the General tab (Figure 100):
If you select Wild Cards specification type, the following Match tab appears
(Figure 101):
If you select Wild Cards specification type, the following criteria must be defined in
the action tab. Action is what the URI will do if all other criteria are met (Figure 102):
File is the second specification type listed in the General tab (Figure 103):
If you select File specification type, the following Match tab appears (Figure 104):
If you select File specification type, the following action criteria must be defined in
the action tab. Action is what the URI will do if all other criteria are met (Figure 105):
UFP is the third specification type listed in the General tab (Figure 106):
If you select UFP specification type, the following Match screen appears (Figure 107):
If you select UFP specification type, the following action criteria must be defined in
the Action tab. Action is what the URI will do if all other criteria are met (Figure 108):
SMTP Security Server
The SMTP security server provides exact control over SMTP connections. The SMTP
resource definition allows hiding of internal IP addresses from outgoing e-mail,
stripping of specific attachment types, dropping of messages above a given size, and
rewriting of e-mail addresses. Implement the SMTP security server with an SMTP resource.
If you select SMTP from the Resource Manager, the following information must be
defined in the general tab (Figure 109):
The Action1 tab defines transformations to be performed on the given fields. The data
in the field is modified in accordance with the defined transformation. The left part of
the transformation is a match field. The right part specifies the form of the new
transformed data (Figure 111):
If you select the SMTP Action2 tab, the following screen appears (Figure 112):
The FTP security server provides authentication services and content security based
on FTP commands (PUT/GET), file name restrictions and anti-virus checking for
files. Implement the FTP security server with an FTP resource (Figure 113):
If you select the FTP Match tab, the following screen appears (Figure 114):
Server Manager
A Server object represents a server running on a specific host. The available server
objects are:
URL Filtering Protocol (UFP) A UFP server can be used in defining a URI
Resource.
Content Vectoring Protocol (CVP) A CVP server examines the contents of a file or
data stream.
RADIUS A RADIUS server is used to provide authentication services.
TACACS A TACACS server is used to provide authentication services.
AXENT Defender An AXENT Defender server is used to provide authentication
services.
LDAP Account Units The FireWall-1 Account Management system is an
independent module that enables the Security Manager to integrate an LDAP-compliant
user database with FireWall-1 user authentication.
The Server Manager is covered in detail in the CCSE manual.
3. Click New and select the type of server you want to create from the menu, as
follows:
UFP
CVP
RADIUS
RADIUS Group
TACACS
DEFENDER
LDAP Account Unit
Users Manager
When you define users and user groups, you can use these as the Source in rules which
specify Authentication as the Action. The user's properties are then applied. In this
way, you can specify, for example, that users in one group can connect only during the
day, while users in another group can connect only at night. In addition, you can
define templates upon which future user definitions will be based. To create a new
user or a new user group, select Users from the Manage menu and click New. The
following screens appear.
General Tab
The General tab is identical for user properties and template properties (Figure 118):
Groups Tab
The Groups tab is identical when setting up users and templates (Figure 119):
Authentication Tab
Location Tab
The Location tab is identical when setting up users and templates (Figure 120):
Time Tab
The Time tab is identical when setting up users and templates (Figure 121):
Encryption Tab
Once you have created a template, any user you create based on the template will
inherit all of the template's properties, including membership in groups. If you modify
a template's properties, the change will affect all users created from the template in the
future. Users already created from the template will not be affected.
To setup a user template, follow these steps:
1. Select Users from the Manage menu (Figure 122):
3. Click New and the New User Object menu appears, listing the types of objects
you can create: Group, External group and Template. The Default template is
listed in the bottom part of the menu until User Templates are defined and listed.
Creating External Groups is defined in the CCSE manual.
4. Create a new template before creating a new user by selecting Template from the
New User Object menu.
5. The User Properties screens appear. Complete the properties setup in each of the
tabs.
6. Click OK and the name of the new template appears in the bottom of the New
User Object menu.
3. Complete the properties setup. Select names of Users shown in the Not in Group
list and click Add. They are now shown in the In Group list.
4. Click OK and the new group appears in the User Manager list.
3. Click New to set up a new user. A menu appears, listing the types of objects you
can create. Choose from Time or Group.
Day in Month The times of day specified in the General tab of the Time Object
Properties screen apply only on the days of the month checked under Days in Month.
Day in Week The times of day specified in the General tab of the Time Object
Properties screen apply only on the days of the week checked under Days in Week.
Month The times of day specified in the General tab of the Time Object Properties
screen apply only during the month specified. This field is enabled only if Days
Specification is set to Days in Month.
Keys Manager
The Keys Manager is defined in the CCSE course.
Review
Summary
Before an object is included in a rule base, its properties must first be defined. Only
those objects that are used in the rule base need to be defined.
It is helpful to determine a color scheme before defining your objects. By assigning
the same color to related objects, managing your firewall is made easier. A simple
color scheme enables you to quickly identify and select objects, rather than scroll
through long lists with little or no distinction between objects.
Understanding internal and external management stations is essential for defining
objects. Grouping your objects gives you a better overview of the security policy and
will lead to a more readable rule base. As your network changes, you can add, delete
or modify objects as needed.
A server object represents a server running on a specific host. The available server
objects include UFP, CVP, RADIUS, TACACS, AXENT Defender, and LDAP
Account Units. You must create the server object before adding it to a rule in the rule
base.
FireWall-1 comes with several of the most common services predefined. These
services include TCP, HTTP and HTTPS, SMTP, UDP and RPC. Most well known
services have an associated port, such as port 23 for telnet. Some types of protocols or
services may operate with a range of ports, especially for the reverse connection back
to the client that initiated the connection.
Review Questions
4. List the associated port numbers for TELNET, FTP, and SMTP.
Security Policy Rule Base and Properties Setup
In this chapter, you will learn how to create rules and modify a security policy's
properties. You must modify security policy properties because a security policy is
made up of its rule base and the fields specified in the Properties Setup screens.
Objectives
A security policy defines the way you and your organization view internal network security.
A security policy is divided into two parts: the policies and the rule base.
Identify the process of how security policy rules are applied to a packet.
Key Terms
security policy
rule base
pseudo rule
implicit rule
explicit rule
implicit-drop rule
security server
authentication schemes
SYNDefender
SYN packets
load balancing
Unit III Chapter 1: Security Policy Rule Base and Properties Setup
A security policy is a set of rules that defines your internal network's security. In
FireWall-1, the security policy is defined using a rule base, which translates your
security policy to a collection of individual rules. These rules are created with the
FireWall-1 rule base editor (security policy GUI), which is a tool for creating a
security policy.
Each rule can be comprised of any combination of network objects, users, services
and actions. Once a rule is defined, FireWall-1 provides the ability to define which
network enforcement points should be distributed across your internal network.
Considerations
Before creating a security policy for your system, you must answer the following
questions:
What kind of services, including customized services and sessions, are allowed in
your system?
What are your users' permissions and authentication schemes?
What objects are in your system? Examples include gateways, hosts, networks, routers
and domains.
Creating the Security Policy
Each rule is made up of rule base elements, which are the individual components that
make up a rule. The rule base elements are shown in Table 10:
Table 10: Rule base elements (Element / Definition): No., Source, Destination,
Services, Action, Track, Install On, Time, Comment
To customize rules in the rule base, right-click on each element and select from the
available menu options (Table 11):
Table 11: Rule base element menu options
Source and Destination: Add, Edit, Delete, Negate, Cut, Copy, Paste
Services: Add, Add a resource, Edit, Delete, Negate, Cut, Copy, Paste
Action: Edit properties, Add Encryption, Remove Encryption, Edit Encryption; the
available actions are Accept, Drop, Reject, User Authentication, Client
Authentication, Encrypt and Client Encrypt
Track: None, Short Log, Long Log, Accounting, Alert (issue an alert), SNMP Trap,
User Defined
Install On: Source, Destination, Integrated FireWalls, Target
Time: Add, Edit, Delete
Comment: Double-click
Add Rule To add a new rule, choose the position where the rule is to be placed:
Bottom, Top, After, Before.
The following options can be accessed after you have created a rule.
Delete Rule To delete the currently selected rule from the rule base.
Cut To remove (cut) the selected data and put it on the clipboard.
Copy To copy selected data onto the clipboard.
Paste To paste the selected data from the clipboard. Choose the position of where
the rule is to be pasted from the following: Bottom, Top, After, Before.
Disable Rule To disable a rule when testing a security policy without affecting the
actual firewalled network. Disabling a rule allows local testing only. It can also be used
to allow access to a previously restricted source or destination.
Add a Rule
The Default Rule
Creating the Cleanup Rule
The cleanup rule should be the first rule you create in the rule base. A cleanup rule
allows you to specify logging for remaining packets, and drops all communication not
described by other rules.
To create a cleanup rule, follow these steps:
1. Select Add Rule from the Edit menu.
2. Select Bottom from the Add Rule menu.
3. The default rule has now been added to the security policy (Figure 134):
For the cleanup rule to be effective, be sure to add all other rules above the
cleanup rule. The last rule in the rule base must be the cleanup rule.
Creating the Stealth Rule
To prevent any users from connecting to the firewall, you must add a Stealth Rule to
your rule base. Protecting the firewall in this manner makes it transparent, that is, it
becomes an invisible network object that, from the point of view of network users,
does not even exist.
To create a stealth rule, follow these steps:
1. Right-click in the Number column of the cleanup rule and select Add Rule from
the Edit menu.
2. Select Top from the Add Rule menu.
3. Right-click in the Destination column and select the firewall.
4. Right-click in the Action column and select Drop.
5. Right-click in the Tracking column and select Long Log.
6. Right-click in the Comment column, type Stealth Rule in the dialog box and click
OK.
7. The stealth rule now appears in the rule base (Figure 137):
For the stealth rule to fully protect your firewall, be sure to add all other
rules below it. In this way, the stealth rule should always be the first rule and
the cleanup rule should always be the last rule.
Adding Additional Rules
Add additional rules to your security policy below the stealth rule and above the
cleanup rule. To add additional rules, follow these steps:
1. Right-click in the Number column of an existing rule and select Add Rule from
the Edit menu.
2. Select the position for the rule to be located from the Add Rule menu, choosing
from After or Before.
3. Right-click in the Source column of the new rule and the Source menu appears
(Figure 138):
4. Select Add from the Source menu and the Add Object screen appears (Figure
139):
5. Choose the appropriate network object and click OK. The object is added to the
rule base.
6. Repeat these steps for other rule base elements: Service, Action, Track, Install On,
Time and Comment.
Completing the Rule Base
When you have defined the desired rules, you must install the rule base. The Install
On element specifies the network object on which the security policy is installed. In
contrast, the Install On element in the rule base editor specifies the network object that
is to enforce a specific rule.
To install the rules, follow these steps:
1. Select Install from the Policy menu (Figure 140):
3. Select the firewall to install on, then click OK to install the security policy.
Understanding Rule Base Order
Before you can define security policy properties, you must consider the rule base
order. FireWall-1 examines the rule base rule by rule. FireWall-1 inspects packets
by comparing them to the security policy, one rule at a time. For this reason, it is
important to define each rule in a security policy in the appropriate order.
The order in which FireWall-1 applies the rules in a security policy to packets is
shown in Figure 143:
Properties labeled First are matched prior to the numbered rules. The property
labeled Last is matched last. The property labeled Before Last is matched prior to the
last numbered rule.
Checked properties in the Security Policy tab of the Properties Setup screen
labeled First are matched prior to the numbered rules.
Rules are matched according to their order in the rule base, except for the last rule
in the rule base. FireWall-1 reads rules 1, 2 and 3, in that order.
Checked properties labeled Before Last are matched after all but the last rule in
the rule base.
Match Order figure: steps 1 to 7 begin with IP Spoofing / IP Options and the Security
Policy First Rule, followed by the rule base:
Rule 1: Source Any, Destination mailsvr, Service tcp smtp, Action accept, Track Short, Install On fw
Rule 2: Source localnet, Destination Any, Service Any, Action accept, Track Short, Install On fw
Rule 3: Source Any, Destination Any, Service Any, Action drop, Track Long, Install On fw
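As an added example (not part of this guide and not FireWall-1 code), the following Python model walks a packet through the match order described above together with the anti-spoofing check from the Interface Properties section: the Valid Addresses of the arrival interface are checked first, then the First properties, the numbered rules with Before Last ahead of the final rule, and Last. The object addresses, the interfaces le0 and le1, the Accept ICMP property and the placement of the stealth rule are constructed assumptions; shadowed() shows why the cleanup rule must stay last.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"

# Network objects with constructed sample addresses (object names follow the
# guide's rule base figure; the gateway address is from the lab exercise).
OBJECTS = {
    "localnet": ["192.168.1.0/24"],
    "mailsvr": ["192.168.1.25/32"],
    "fw": ["204.32.38.101/32"],
}
# Valid Addresses per interface (constructed): "others" allows any source except
# the listed networks (external NIC); "specific" allows only the listed group.
VALID_ADDRESSES = {
    "le0": ("others", ["localnet", "mailsvr"]),
    "le1": ("specific", ["localnet", "mailsvr"]),
}
SPOOF_TRACK = "Alert"  # Spoof tracking option: None, Log or Alert

@dataclass
class Rule:
    source: str
    destination: str
    service: str
    action: str  # accept, drop or reject
    track: str   # None, Short or Long
    comment: str = ""

@dataclass
class Packet:
    src: str
    dst: str
    service: str
    iface: str   # interface the packet arrived on

def in_object(name, ip):
    """True if ip belongs to the named network object (Any matches everything)."""
    if name == ANY:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[name])

def is_spoofed(pkt):
    """Check the source against the Valid Addresses of the arrival interface."""
    mode, objs = VALID_ADDRESSES[pkt.iface]
    listed = any(in_object(o, pkt.src) for o in objs)
    return listed if mode == "others" else not listed

def rule_matches(rule, pkt):
    return (in_object(rule.source, pkt.src) and in_object(rule.destination, pkt.dst)
            and rule.service in (ANY, pkt.service))

def evaluate(pkt, first, rules, before_last, last):
    """Return (action, matched_by, log_lines) in FireWall-1 match order:
    anti-spoofing, First properties, rules 1..n-1, Before Last, rule n, Last."""
    log = []
    if is_spoofed(pkt):  # spoofed packets are always dropped
        if SPOOF_TRACK != "None":
            log.append(f"{SPOOF_TRACK}: spoofed source {pkt.src} on {pkt.iface}")
        return "drop", "anti-spoofing", log
    stages = [("First", first), ("rule", rules[:-1]), ("Before Last", before_last),
              ("last rule", rules[-1:]), ("Last", last)]
    for stage, candidates in stages:
        for rule in candidates:
            if rule_matches(rule, pkt):
                if rule.track != "None":
                    log.append(f"{rule.track} log: {rule.comment}: {rule.action} "
                               f"{pkt.src}->{pkt.dst} {pkt.service}")
                return rule.action, f"{stage}:{rule.comment}", log
    return "drop", "implicit drop", log  # nothing matched

def shadowed(rules):
    """Comments of rules that can never match because an earlier rule has Any (or
    the same object) in every column, e.g. when the cleanup rule is not last."""
    hidden = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            cols = [(e.source, r.source), (e.destination, r.destination),
                    (e.service, r.service)]
            if all(a == ANY or a == b for a, b in cols):
                hidden.append(r.comment)
                break
    return hidden

# The three rules from the rule base figure, with the stealth rule from the
# procedure above placed first and the cleanup rule last.
RULES = [
    Rule(ANY, "fw", ANY, "drop", "Long", "Stealth Rule"),
    Rule(ANY, "mailsvr", "smtp", "accept", "Short", "Inbound SMTP"),
    Rule("localnet", ANY, ANY, "accept", "Short", "Outbound localnet"),
    Rule(ANY, ANY, ANY, "drop", "Long", "Cleanup Rule"),
]
# Implied rules from checked properties, constructed for this example.
FIRST, LAST = [], []
BEFORE_LAST = [Rule(ANY, ANY, "icmp", "accept", "None", "Accept ICMP (property)")]

def decide(src, dst, service, iface):
    return evaluate(Packet(src, dst, service, iface), FIRST, RULES, BEFORE_LAST, LAST)
```

An inbound ICMP echo to mailsvr is accepted by the Before Last property rather than dropped by the cleanup rule, while an internal source address arriving on le0 never reaches the rule base at all.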
Inbound, Outbound and Eitherbound
FireWall-1 can inspect packets going into or coming from an internal network moving
in a one-way (inbound or outbound) or two-way (eitherbound) direction. This is
important for administrators, because FireWall-1 must provide the greatest level of
security when inspecting packets.
It is important to note that packet filtering must be considered from the firewalls point
of view, and not the Internet or Intranet point of view. Figure 145 and Figure 146
illustrate the concept of one-way packet filtering. In Figure 145, the inbound packet
(from the firewall point of view) is inspected at the outer NIC if packet filtering is set
to inbound.
Figure 145: Inspecting Inbound packets from the Internet (the inbound packet arriving from the Internet is inspected at the outer NIC)
In Figure 146, the packet coming from the Intranet is inbound from the perspective of
the firewall. Therefore, the packet gets inspected on the inner NIC.
Figure 146: Inspecting Inbound packets from the Intranet (the inbound packet arriving from the Intranet is inspected at the inner NIC)
In an outbound scenario, the opposite is true. In Figure 147, a packet coming in from the Internet does not get inspected until it reaches the firewall's inner NIC, because in an outbound scenario the packet is inspected only as it leaves the firewall.
Figure 147: Inspecting Outbound packets from the Internet (the packet arriving from the Internet meets the FireWall-1 rule base and INSPECT engine at the inner NIC, as it leaves the firewall towards the Intranet)
In Figure 148, a packet originating from the Intranet enters the firewall from the inner NIC. This is an inbound packet from the firewall's perspective. With outbound inspection, it therefore does not get inspected until it reaches the outer NIC, where it is outbound from the firewall.
Figure 148: Inspecting Outbound packets from the Intranet (the packet arriving from the Intranet is inspected at the outer NIC)
Figure 149 illustrates how eitherbound inspects packets at both the inner and outer NICs. This provides the greatest level of security with minimal performance degradation, since the INSPECT engine runs in the kernel rather than in user space.
Figure 149: Inspecting Eitherbound packets from the Internet and Intranet (both the inbound packet from the Internet and the outbound packet from the Intranet meet the FireWall-1 rule base and INSPECT engine at the inner NIC and at the outer NIC)
One important aspect of this security is missing: what about a user directly on the firewall? If a user is operating on the firewall, all of that user's packets are, by definition, outbound, since from the firewall's perspective everything is going out. If inbound is specified in the properties, users on the firewall are not bound by the rule base. If outbound is specified, the user is bound by the rule base; however, traffic passing through the firewall is not inspected until it has reached the outgoing NIC.
Example Scenario                                              | Properties  | Advantage                                                                                        | Disadvantage
Firewall is in secure room; operator is trusted               | Inbound     | Inspects packets before entering firewall                                                        |
Firewall is in secure room; operator is not trusted           | Inbound     | Inspects packets before entering firewall, but does not inspect packets originating from the firewall | Firewall operator is free to surf the Web with no restrictions
Firewall is in secure room; operator is not trusted           | Outbound    | Operator on the firewall is bound by the rule base (see above)                                   | May leave inbound interface vulnerable
Firewall is or is not in secure room; operator not trusted    | Eitherbound | Inspects packets coming in and out of firewall; greatest amount of security                      | Some degradation in performance
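The table above can be checked with a small model. The following is an added example written for this guide, not Check Point code; the NIC names, the four sample packets and the model's reading that a packet addressed to the firewall itself has no outgoing NIC are assumptions:

```python
"""Added example: which packets the rule base sees under each interface-direction
setting.  Illustrative model written for this guide, not Check Point code; the
interface names and the sample packets are assumptions."""
from dataclasses import dataclass
from typing import Optional

INNER, OUTER = "inner NIC", "outer NIC"
DIRECTIONS = ("inbound", "outbound", "eitherbound")


@dataclass(frozen=True)
class Packet:
    ingress: Optional[str]   # NIC the packet arrives on; None if it originates on the firewall
    egress: Optional[str]    # NIC the packet leaves by; None if the firewall itself is the destination
    label: str


def inspection_points(pkt: Packet, direction: str) -> set:
    """NICs at which the INSPECT engine sees this packet.

    Direction is taken from the firewall's point of view, as the text insists:
    'inbound' means entering the firewall through a NIC, 'outbound' means
    leaving it through a NIC, regardless of the Internet/Intranet side.
    """
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    points = set()
    if direction in ("inbound", "eitherbound") and pkt.ingress is not None:
        points.add(pkt.ingress)
    if direction in ("outbound", "eitherbound") and pkt.egress is not None:
        points.add(pkt.egress)
    return points


def is_inspected(pkt: Packet, direction: str) -> bool:
    return bool(inspection_points(pkt, direction))


# Constructed sample traffic covering the four cases discussed in the text.
TRAFFIC = [
    Packet(OUTER, INNER, "Internet -> Intranet (routed through)"),
    Packet(INNER, OUTER, "Intranet -> Internet (routed through)"),
    Packet(None, OUTER, "firewall operator -> Internet (originates on firewall)"),
    Packet(OUTER, None, "Internet -> firewall itself (terminates on firewall)"),
]


def coverage_report(direction: str, traffic=TRAFFIC) -> dict:
    """Map each packet label to the sorted list of NICs where it is inspected."""
    return {p.label: sorted(inspection_points(p, direction)) for p in traffic}


def uninspected(direction: str, traffic=TRAFFIC) -> list:
    """Labels of packets that bypass the rule base entirely under `direction`."""
    return [p.label for p in traffic if not is_inspected(p, direction)]


if __name__ == "__main__":
    for d in DIRECTIONS:
        print(f"{d:12s} never inspected:", uninspected(d) or "nothing")
```

Under inbound the operator's own traffic is never inspected (the "free to surf the Web" row); under outbound a packet aimed at the firewall itself never reaches an outgoing NIC (the "inbound interface vulnerable" row); eitherbound inspects everything at the cost of a second pass through the engine.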
Security Policy Properties
A security policy is defined not only by the rule base, but also by parameters specified in the Security Policy tab of the Properties Setup screen. These parameters enable the user to control all aspects of a packet's inspection without adding repetitive detail to the rule base.
Security Policy Tab Setup
To access the Security Policy tab, follow these steps:
1. Choose Properties from the Policy menu (Figure 150):
2. Select the Security Policy tab on the Properties Setup screen (Figure 151):
Figure 151: Security Policy Tab
Interface direction is defined relative to the firewall, not to the network, regardless of the packet's source or destination.
TCP Session Timeout Specify the time period (in seconds) after which a TCP
session times out.
Accept FireWall-1 Control Connections Check to have FireWall-1 use these
connections for downloading Inspection Code.
In Figure 151 on page 198, the Accept ICMP property is set to Before Last to enable
the user to define more detailed ICMP related rules that will be enforced before this
property. If this property were First, then there would be no opportunity for the user to
relate to ICMP in the rule base. If it were Last, then it would be enforced after the last
rule (which typically rejects all packets) and would thus have no effect. Enabling this
option does not enable ICMP Redirect. If you want to enable ICMP redirect, you must
do so in the rule base.
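The ordering described here and under Understanding Rule Base Order can be modeled in a few lines. The following is an added example written for this guide, not Check Point code: it uses the three rules of Figure 143 and shows how moving Accept ICMP between First, Before Last and Last changes the result for an incoming ICMP packet. The placement of each property, the object names and the sample packets are assumptions:

```python
"""Added example for this guide: a miniature model of FireWall-1 match order.

Illustrative code, not Check Point's implementation.  The three explicit
rules are the ones shown in Figure 143; the placement of each property and
the sample packets are assumptions made for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # name of the network object the source belongs to
    dst: str
    service: str   # e.g. "tcp smtp", "icmp", "udp domain"


@dataclass
class Rule:
    src: str
    dst: str
    service: str
    action: str                # "accept" or "drop"
    track: str = "Short"
    install_on: str = "fw"
    name: str = ""

    def matches(self, p: Packet) -> bool:
        # "Any" matches everything; otherwise the object names must be equal.
        return all(want in ("Any", have)
                   for want, have in ((self.src, p.src),
                                      (self.dst, p.dst),
                                      (self.service, p.service)))


# Explicit rules in rule base editor order (Figure 143).
RULE_BASE = [
    Rule("Any", "mailsvr", "tcp smtp", "accept", name="rule 1 (mail in)"),
    Rule("localnet", "Any", "Any", "accept", name="rule 2 (localnet out)"),
    Rule("Any", "Any", "Any", "drop", track="Long", name="rule 3 (cleanup)"),
]

# Security Policy tab properties: implicit accept rules the editor does not
# show.  Each is placed First, Before Last or Last.  Placements are assumptions.
PROPERTIES = {
    "Accept FireWall-1 Control Connections":
        ("First", Rule("Any", "fw", "fw1 control", "accept", name="property: control connections")),
    "Accept ICMP":
        ("Before Last", Rule("Any", "Any", "icmp", "accept", name="property: accept ICMP")),
    "Accept Domain Name Queries (UDP)":
        ("Last", Rule("Any", "Any", "udp domain", "accept", name="property: accept DNS")),
}


def effective_order(rule_base, properties):
    """Rules in the order FireWall-1 actually evaluates them.

    Anti-spoofing and IP Options checks (position 1 in Figure 143) happen
    before all of this and are not modeled here.
    """
    placed = {"First": [], "Before Last": [], "Last": []}
    for position, rule in properties.values():
        placed[position].append(rule)
    *head, final = rule_base          # Before Last goes in front of the last explicit rule
    return placed["First"] + head + placed["Before Last"] + [final] + placed["Last"]


def decide(packet, rule_base=RULE_BASE, properties=PROPERTIES):
    """First match wins; returns (action, name of the matching rule)."""
    for rule in effective_order(rule_base, properties):
        if rule.matches(packet):
            return rule.action, rule.name
    return "drop", "implicit drop"    # no rule matched: FireWall-1 drops the packet


def reposition(properties, prop_name, position):
    """Copy of `properties` with one property moved to another position."""
    updated = dict(properties)
    updated[prop_name] = (position, properties[prop_name][1])
    return updated


if __name__ == "__main__":
    icmp_in = Packet("internet", "localnet", "icmp")
    for where in ("Before Last", "Last", "First"):
        props = reposition(PROPERTIES, "Accept ICMP", where)
        print(f"Accept ICMP = {where:11s} ->", decide(icmp_in, properties=props))
    print("DNS query with property Last:", decide(Packet("internet", "localnet", "udp domain")))
```

With Accept ICMP at Before Last an explicit ICMP rule placed above the cleanup rule still wins, as the text describes; at Last the cleanup rule drops the packet before the property is ever consulted; at First the property accepts the packet before any explicit ICMP rule can be reached.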
Click the arrow to select the rule base order (First, Last or Before Last).
Services Properties
The services properties allow you to define what services can be enabled by the
firewall.
Services Tab Setup
To set up the Services tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Services tab on the Properties Setup screen.
3. The Services tab appears (Figure 152):
Excessive Log Grace Period Click the arrow to set the minimum amount of time
(in seconds) between consecutive logs of similar packets.
The Mail Alert Command field (Figure 153) contains a command for an NT
operating system. This field will vary depending on your operating system.
SNMP Trap Alert Command Type in the OS command to be executed on the
firewalled machine when SNMP Trap is specified as the action in a rule.
User Defined Alert Command Type in the OS command to be executed when
User-Defined is specified as the action in a rule.
Anti Spoof Alert Command Type in the OS command(s) to be executed (default
is $FWDIR/bin/alert) on the firewalled machine when Alert is specified for AntiSpoofing detection in the Interface Properties window.
User Authentication Alert Command Type in the OS command to execute on the
firewalled machine when an alert is specified for any of the following:
IP Options Drop Track Select the action to take when a packet with IP Options is
encountered. None, Log or Alert. FireWall-1 always drops these packets, but you can
log them or issue an alert.
Log Established TCP Packets Check to log TCP packets for previously
established TCP connections or packets whose connections have timed out.
Security Servers Properties
The FireWall-1 Security Servers are processes that run on the firewalled machine, above the INSPECT engine in the FireWall-1 kernel module (Figure 154). They provide two features: authentication and content security.
4. To configure a predefined HTTP Server, click New and the HTTP Server
Definition screen appears (Figure 156):
5. Complete the information on the HTTP Server Definition screen and click OK to
return to the Security Servers tab.
The Security Servers tab contains the following information:
Telnet Welcome Message File Type in the name of the file to display when an
authenticated user begins a TELNET session.
FTP Welcome Message File Type in the name of the file to display when an
authenticated user begins an FTP session.
Rlogin Welcome Message File Type in the name of the file to display when an
authenticated user begins an RLOGIN session.
Client Authentication Welcome File Type in the name of the file to display when
an authenticated user begins a Client Authenticated session.
SMTP Welcome Message File Type in the name of the file whose contents are to
be displayed when a user begins an SMTP session.
HTTP Next Proxy Type in the Host name and the Port number of the HTTP proxy
behind the FireWall-1 HTTP Security Server (if one exists).
HTTP Servers Click New, Edit or Remove HTTP servers.
In the HTTP Server Definition screen (Figure 156), the following information must be
defined when configuring a predefined HTTP server:
Logical Name The server's logical name.
Host The host on which the server runs.
Port The port number on the host.
Server for Null Requests Can be checked for only one server.
Reauthentication Options:
Standard Authentication The timeout period is measured from the last
successful access. The user will not be required to enter a password again during
the authorization period (as specified in the Session Timeout field in the Control
Properties/Authentication screen). Each successful access resets the timer to zero.
Reauthentication for POST Requests Every request sent by the client which may change the server's configuration or data requires the user to enter a new password.
Reauthentication for Every Request Every request for a connection requires
the user to enter a new password. This option is useful when access to some pages
must be severely restricted. It is recommended that pages such as these be handled
by a separate server.
Authentication Properties
FireWall-1 Version 4.0 provides authentication schemes that validate all connection
attempts within an internal network. FireWall-1 authenticates connections based on
users, clients or sessions, depending on how system administrators set up FireWall-1
authentication.
Authentication Tab Setup
To set up the Authentication tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Authentication tab from the Properties Setup screen.
3. The Authentication tab appears (Figure 157):
User Authentication/Session Timeout Click the arrow to set the amount of time
(in minutes) before the session will time out if there is no activity. This applies to FTP,
TELNET, RLOGIN, and the HTTP Authenticating Server.
Client Authentication Check to have FireWall-1 automatically sign off the connection if there is no activity during the authorization period of a client-authentication session.
Authentication Failure Track Select the action to take if authentication fails
(applies to all authentication rules): None, Log and Alert.
SYNDefender Properties
SYNDefender is a proprietary FireWall-1 feature that protects against denial-of-service attacks from external networks. It intercepts SYN packets, the first packet of the TCP three-way handshake, sent from an external-network client to an internal-network server, and mediates each connection attempt before it reaches the internal network.
In a SYN flood the attacking client sends large numbers of SYNs, usually with forged source addresses, and never completes the handshake. Each SYN leaves a half-open connection in the server's backlog; once the backlog is full, the server can no longer accept connections from legitimate users (Figure 158):
Maximum Sessions Click the arrow to set the maximum number of protected
sessions. This number specifies the number of entries in an internal connection table
maintained by SYNDefender. If the table is full, SYNDefender will not examine new
connections.
Display Warning Messages Check to have SYNDefender print console messages
regarding its status.
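The following is an added, simplified model written for this guide (not SYNDefender's implementation) of the problem and of the mitigation described above: a server with a fixed backlog of half-open connections, a flood of SYNs from forged sources, and a gateway that completes the handshake with the client before involving the server. The backlog size, the session-table limit standing in for Maximum Sessions, and the spoofed addresses are assumptions:

```python
"""Added example: why a SYN flood exhausts a server, and how a SYN-intercepting
gateway with a bounded session table protects it.  Simplified model written for
this guide, not Check Point's SYNDefender; sizes and addresses are assumptions."""
from collections import OrderedDict


class Server:
    """TCP listener with a fixed backlog of half-open (SYN seen, no ACK yet) connections."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open = OrderedDict()   # client -> None, insertion ordered
        self.established = 0
        self.refused = 0

    def syn(self, client: str) -> bool:
        if len(self.half_open) >= self.backlog:
            self.refused += 1            # backlog full: the SYN is dropped
            return False
        self.half_open[client] = None
        return True

    def ack(self, client: str) -> bool:
        if client in self.half_open:
            del self.half_open[client]
            self.established += 1
            return True
        return False


class SynGateway:
    """Firewall in front of the server.  It keeps each SYN in its own table and
    lets the server see the connection only once the client's ACK has arrived.
    `max_sessions` plays the role of the Maximum Sessions property: when the
    table is full, new connections are passed through unexamined."""

    def __init__(self, server: Server, max_sessions: int):
        self.server = server
        self.max_sessions = max_sessions
        self.pending = OrderedDict()
        self.passed_through = 0

    def syn(self, client: str) -> bool:
        if len(self.pending) >= self.max_sessions:
            self.passed_through += 1     # table full: this SYN is not protected
            return self.server.syn(client)
        self.pending[client] = None      # gateway answers SYN-ACK itself (not modeled)
        return True

    def ack(self, client: str) -> bool:
        if client not in self.pending:
            return False
        del self.pending[client]
        # Only now does the server see the handshake, SYN and ACK back to back.
        return self.server.syn(client) and self.server.ack(client)

    def expire_all(self) -> int:
        """Timeout: clients that never answered are purged from the table."""
        count = len(self.pending)
        self.pending.clear()
        return count


def flood(target, n_attackers: int) -> None:
    """Attacker sends SYNs from forged sources and never completes the handshake."""
    for i in range(n_attackers):
        target.syn(f"spoofed-{i}")


def run_unprotected(backlog=128, attackers=1000):
    """Returns (legitimate client connected?, connections established)."""
    srv = Server(backlog)
    flood(srv, attackers)
    ok = srv.syn("legit-client") and srv.ack("legit-client")
    return ok, srv.established


def run_protected(backlog=128, attackers=1000, max_sessions=10_000):
    """Returns (connected?, established, server half-open, SYNs passed through)."""
    srv = Server(backlog)
    gw = SynGateway(srv, max_sessions)
    flood(gw, attackers)
    ok = gw.syn("legit-client") and gw.ack("legit-client")
    return ok, srv.established, len(srv.half_open), gw.passed_through


if __name__ == "__main__":
    print("unprotected:              ", run_unprotected())
    print("protected:                ", run_protected())
    print("protected, table too small:", run_protected(max_sessions=100))
```

The third run shows the caveat in the Maximum Sessions description: a table sized below the flood rate stops examining new connections, and the overflow reaches the server's backlog exactly as if SYNDefender were absent.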
Lightweight Directory Access Protocol (LDAP) Properties
Netscape support
Encryption Scheme Properties
Encrypts all data behind the IP and TCP headers, using in-place encryption
Uses a reliable-data protocol to manage VPN session keys, encryption methods and data integrity
Supports the FWZ-1, DES and Triple DES algorithms, including a 40-bit-key option that is exportable outside the United States (note that 40-bit keys and single DES are brute-forceable with current hardware and are no longer considered adequate)
Additional data
Enable Exportable SKIP Check to generate keys for exportable SKIP, in addition
to non-exportable SKIP keys, and conduct SKIP encryption with other hosts that are
enabled only for exportable SKIP:
Change SKIP key every Type in the number of seconds after which the SKIP
session key is changed.
Change SKIP key every Type in the number of bytes transferred after which
the SKIP session key is changed.
Miscellaneous (Load Balancing) Properties
The Miscellaneous screen of the Properties Setup window defines properties relating
to load balancing, which is a FireWall-1 algorithm that prevents internal-network
(system) servers from handling a disproportionate amount of network traffic.
Incoming packets routed through a FireWall-1 computer are directed to the system
servers with the lightest loads.
Miscellaneous Tab Setup
To set up the Miscellaneous tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Miscellaneous tab from the Properties Setup screen.
3. The Miscellaneous tab appears (Figure 162):
Load Balancing:
Load Agents Port Type the port on which the Load Measurement Agent communicates.
Load Measurement Interval Click the arrow to set the intervals at which the
Load Measuring Agent measures the load.
Log Viewer Resolver Properties:
Page Timeout Click the arrow to set the time (in seconds) before a page
timeout occurs.
Access Lists Properties
When a rule is installed on a router, FireWall-1 generates access lists and loads them
to the router. Access lists can be viewed and verified before installing a security
policy. Verification checks that the rules are consistent and that no rule is redundant. If
a rule base fails the verification, an appropriate message will appear.
Access Lists Tab Setup
To set up the Access Lists tab, follow these steps:
1. Select Properties from the Policy menu.
2. Select the Access Lists tab from the Properties Setup screen.
3. The Access Lists tab appears (Figure 163):
Click the arrow to select the rule base order (First, Last or Before Last).
Accept RIP Check to enable the routing information protocol used by the routed
daemon.
Click the arrow to select the rule base order (First, Last or Before Last).
Accept Domain Name Queries (UDP) Check to accept domain-name queries
used by named. As in the Enable Domain Name Queries in the Security Policy screen,
if named does not know the IP address associated with a particular host name, it issues
a query to the name server on the Internet.
Click the arrow to select the rule base order (First, Last or Before Last).
Network object types shown in the figure: Gateway, Hosts, Network, Routers, Domains.
Review
Summary
FireWall-1 allows administrators to define and enforce security policies that provide the most effective security for their internal networks. In this chapter, you learned why creating the best security policy for your system is so important.
A security policy is a set of rules that defines your internal network's security. In FireWall-1, the security policy is defined using a rule base, which translates your security policy into a collection of individual rules. FireWall-1 also creates pseudo rules, called implicit rules, derived from the properties, alongside the explicit rules created in the rule base.
When defining security policy properties, you must consider the rule base order. FireWall-1 examines the rule base rule by rule, comparing each packet to the security policy one rule at a time. For this reason, it is important to define each rule in a security policy in the appropriate order. A security policy is defined not only by the rule base, but also by parameters specified in the Security Policy tab of the Properties Setup screen. These parameters enable the user to control all aspects of a packet's inspection while freeing the user of the need to specify repetitive detail in the rule base.
Review Questions
3. In what order are properties and rules matched?
Unit III Chapter 2: Administering Security Policy with Rule Base
Objectives
Demonstrate how to use the FireWall-1 rule base editor to create a security policy
Key Terms
anti-spoofing
There are times when verifying a security policy is useful to system administrators. By
verifying a security policy, you can do the following:
2. If the security policy fails verification, refer to the error message to determine
which rule (or rules) is in conflict. Analyze the conflicting rule (or rules) and
modify the security policy as needed.
3. If the security policy passes verification, apply it by selecting Install from the
Policy menu (Figure 165):
5. Click OK.
6. The security policy will now be installed on all selected firewalled objects.
Detecting Spoofing
When considering firewall issues, system administrators must consider spoofing, a technique that makes packets appear to come from authorized IP addresses. A packet originating on the Internet and destined for an internal network may carry a source address that belongs to the internal network itself. If undetected, such a packet might be given the unrestricted access a local packet would enjoy.
To counter this, FireWall-1 provides an anti-spoofing feature. It checks the source IP address of each incoming packet against the set of addresses that are legitimate for the interface on which the packet arrived; a packet whose source address does not belong there is treated as spoofed.
Anti-Spoofing and Security Policies
Adding Anti-Spoofing
To add anti-spoofing, modify the firewalled object's properties. The Interfaces tab of the Workstation Properties screen allows you to add an anti-spoofing IP address to a workstation (Figure 167):
Others All packets are allowed except those whose source IP addresses belong to the networks listed under Valid Addresses for this object's other interfaces.
Others + As for Others, except that packets from the addresses listed under Others + are also allowed.
Specific Only packets whose source IP address belongs to the specified object are allowed.
Spoof tracking Spoofed packets are always dropped. Specific action is taken by
selecting one of the following options:
None No additional action is taken.
Log The spoofing attempt is logged.
Alert The action specified in the Anti Spoof Alert command field in the Log
and Alert tab of the Properties Setup screen is taken.
When anti-spoofing is specified, an implicit anti-spoof rule is generated,
which comes first in the rule base (even before properties specified in the
Security Policy tab of the properties setup screen).
Anti-Spoofing and Routers
In general, routers examine only destination addresses, but Cisco version 10 and 11
and Bay Networks examine source addresses when anti-spoofing is defined. Routers
supported by FireWall-1 have varying anti-spoofing capabilities (Table 19):
Table 19: Anti-Spoofing Capabilities
Router               | Anti-Spoofing Capabilities
Cisco version 9      | No anti-spoofing capabilities.
Cisco version 10 +   | Examines source addresses when anti-spoofing is defined.
3-Com                |
Bay Network          | Examines source addresses when anti-spoofing is defined.
Microsoft Steelhead  | No anti-spoofing capabilities.
Anti-Spoofing Network
Anti-spoofing should be defined on all three of the gateway's interfaces (Figure 169 and Table 20):
Table 20: Valid Addresses per interface
Interface | Valid Addresses
le0       | Others
qe0       |
qe1       | Specific: Intranets
On interface qe1, only packets whose source IP address belongs to the internal
network should be allowed to enter. A packet with another source IP address
coming in on qe1 is spoofed.
On le0, only packets with source IP addresses other than those belonging to the
DMZ or the localnet should be allowed to enter.
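An added example, written for this guide and not taken from FireWall-1, of the per-interface check just described. It models the le0/qe0/qe1 gateway of Figure 169 with the Others, Others + and Specific modes; the address ranges for localnet and the DMZ, the assignment of the DMZ to qe0, and the sample packets are assumptions:

```python
"""Added example: per-interface anti-spoofing check modeled on the le0/qe0/qe1
gateway of Figure 169.  Illustrative code written for this guide, not Check
Point's implementation; address ranges, the DMZ-on-qe0 assignment and the
sample packets are assumptions."""
import ipaddress

LOCALNET = ipaddress.ip_network("192.168.1.0/24")   # assumption
DMZ = ipaddress.ip_network("192.168.2.0/24")        # assumption
ALL_INTERNAL = [LOCALNET, DMZ]


def _contains(nets, addr) -> bool:
    return any(addr in n for n in nets)


class Interface:
    """Valid Addresses setting for one interface.

    mode 'specific': only sources inside `specific` are valid.
    mode 'others':   any source is valid except those belonging to the networks
                     behind the gateway's other interfaces (`internal`).
    mode 'others+':  like 'others', but sources in `plus` are valid as well.
    """

    def __init__(self, name, mode, specific=(), plus=(), internal=ALL_INTERNAL):
        self.name, self.mode = name, mode
        self.specific, self.plus, self.internal = list(specific), list(plus), list(internal)

    def is_spoofed(self, src) -> bool:
        src = ipaddress.ip_address(src)
        if self.mode == "specific":
            return not _contains(self.specific, src)
        if self.mode == "others":
            return _contains(self.internal, src)
        if self.mode == "others+":
            return _contains(self.internal, src) and not _contains(self.plus, src)
        raise ValueError(f"unknown mode {self.mode!r}")


GATEWAY = {
    "le0": Interface("le0", "others"),                          # Internet side
    "qe0": Interface("qe0", "specific", specific=[DMZ]),        # assumption: DMZ on qe0
    "qe1": Interface("qe1", "specific", specific=[LOCALNET]),   # Intranet side
}


def check(packets, gateway=GATEWAY, track="Log"):
    """Apply the implicit anti-spoof rule to (interface, source) pairs.

    Spoofed packets are always dropped; `track` (None/Log/Alert) only decides
    what else happens.  Returns (interface, source, action, track) per packet.
    """
    results = []
    for iface, src in packets:
        spoofed = gateway[iface].is_spoofed(src)
        results.append((iface, src, "drop" if spoofed else "pass", track if spoofed else "None"))
    return results


SAMPLE = [                       # constructed sample traffic
    ("le0", "204.32.38.1"),      # Internet host on the outer interface: fine
    ("le0", "192.168.1.7"),      # claims to be localnet but arrives from the Internet: spoofed
    ("qe1", "192.168.1.7"),      # localnet host on the inner interface: fine
    ("qe1", "204.32.38.1"),      # Internet address arriving on the inner interface: spoofed
    ("qe0", "192.168.1.7"),      # localnet address arriving on the DMZ interface: spoofed
]

if __name__ == "__main__":
    for row in check(SAMPLE):
        print(row)
```

Note the asymmetry the text describes: on le0 the test is "not one of ours", so any Internet address passes, while on qe1 the test is "one of ours", so even a perfectly legal Internet address is spoofed if it shows up on the inner interface.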
Remember: The Stealth rule cannot be used as rule #1 if you use Manual Client Authentication and/or a tunneling encryption scheme.
Review
Summary
Defining and installing a security policy is vital to protect your network. There are
times when verifying a security policy is useful to system administrators. By verifying
a security policy, you can do the following:
Review Questions
3. What is the default action when FireWall-1 adds the first rule base in a security
policy?
Unit IV Chapter 1: Authentication
Introduction
Objectives
Key Terms
user authentication
client authentication
session authentication
Authentication is like a box of chocolates: you never know what you get unless you examine them. Better yet, authentication is like passing through airport security: you must prove who you are before you are allowed through the gate. Administrators need a secure mechanism for authenticating users at the gateway before allowing traffic in or out through it. Authentication is simply proving your identity.
Understanding Authentication
FireWall-1 uses three types of authentication: user, client and session:
User authentication authenticates users for specific services (FTP, HTTP,
HTTPS, TELNET and RLOGIN). User authentication enables an administrator to
grant specific users special access privileges.
Client authentication authenticates users of any service (standard or customized).
Client authentication requires users to TELNET to port 259 or connect to the
firewall with a Web browser on HTTP port 900 to be authenticated for a service.
FireWall-1 supports implicit client authentication and automatic client-authentication sign-off.
Session authentication works like client authentication but requires the session
authentication agent to be installed. Session authentication does not require users
to authenticate (using TELNET or a Web browser) to the firewall. However, the
user must be authenticated each session.
User Authentication
Services: FTP, HTTP, HTTPS, TELNET, RLOGIN.
Using the same connection as the client, FireWall-1 asks the client to authenticate.
Client Authentication
When implicit client authentication is enabled, and a user successfully performs user
or session authentication, then FireWall-1 opens all the standard sign-on client
authentication rules in the rule base. In other words, the user is considered to have at
the same time successfully performed client authentication on the client at which they
successfully performed user or session authentication. This option differs from the
partially and fully automatic options, in which only the first matching client
authentication rule is opened.
If implicit client authentication is enabled, and an automatic sign-on rule is opened, all
the standard sign-on rules are opened (in addition to the automatic rule). If you enable
implicit client authentication, then you should define your rules in the following order:
1. User authentication rules for HTTP
2. Client authentication rules
3. User and session authentication rules for non-HTTP services
Session Authentication
System administrators can grant access privileges to a user without regard to the associated IP address. Session authentication provides transparent per-session authentication that can be integrated with any application; it is the smoothest and least resource-intensive of the three. The authentication is performed by the daemon module, after which the packets are accepted by the kernel module.
The first time through the rule base, the user and session authentication rules are applied. The second time through, the client authentication rules are applied. User authentication rules are, however, always applied for HTTP, which prevents the browser from sending the authentication password on to the HTTP server; the client authentication rules cannot do this because they do not use the FireWall-1 Security Servers.
Session authentication proceeds as follows. FireWall-1 blocks the packet and contacts the session authentication agent. The agent pops up on the client's screen, and the client enters an ID and password. The ID and password are sent to the firewall; FireWall-1 accepts them and allows the connection to the server.
Comparison of the three authentication types:

                                     | User                                                          | Client                                                                                                                          | Session
Services                             | FTP, HTTP, TELNET, RLOGIN                                     | All services                                                                                                                    | All services
Authentication performed once per... | Session. Authenticate each time one of the supported services is used. | IP address (multiple sessions), in a separate non-transparent authentication session. Access any service defined as client authenticated. | Session. Authenticate each time any service defined as session authenticated is used.
Implementing Authentication
Authentication Schemes
Authentication Setup
User, client and session authentication are set up in a similar manner. When
authenticating a user in FireWall-1, follow these steps:
1. Define the user in the User Manager. Select Users from the Manage menu
(Figure 180):
3. Click New to set up a new user, or select an existing user. Click Edit to configure
the authentication scheme.
4. Select the authentication tab of the User Properties screen (Figure 182):
7. Enable the authentication scheme for the firewalled object. Select Network
Objects from the Manage menu, and the Network Objects Manager appears
(Figure 184):
8. Select the firewalled object and click Edit. Select the Authentication tab and
enable the authentication scheme defined in the User Manager by checking the
appropriate box (Figure 185):
11. Configure the authentication rule by right-clicking the Action column of the rule
again and selecting Edit Properties (Figure 187):
12. Configure the User, Client or Session Authentication Action Properties (Figure
188):
13. Click OK and install the security policy by selecting Install from the Policy menu.
Lab table: assignment of users (including Bob and JoAnn) to the departments Receiving, Accounting, Audit and Sales.
Create the following users: Bob, Larry, Junior, Keeter, Lisa, Brianna, Skippy, JoAnn:
1. Click Manage > Users > New > Default.
2. Enter the user's name.
3. Select the appropriate color.
4. Leave the Expiration Date field empty.
5. Select the Authentication tab and verify that FireWall-1 Password is selected as the authentication method.
6. Enter a password for the user (abc123).
7. Click OK.
Add a user authentication rule for TELNET and install the security policy:
6. Note the password that is generated. You will need this later.
7. Now TELNET to www.boogeyman.com.
8. For User type guest.
9. For the S/Key string enter the one-time password you noted earlier. Press Enter.
You should now be connected.
10. Check your log file to verify the connection.
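To see why the one-time password in steps 6 and 9 cannot be reused, here is an added example written for this guide of the S/Key scheme (the RFC 2289 MD5 variant: the seed and passphrase are hashed, the 16-byte digest is folded to 8 bytes, and the result is hashed again N times). It is not FireWall-1's implementation, and the passphrase, seed and sequence count are assumptions:

```python
"""Added example: the one-time-password chain behind the S/Key exercise.
Illustrative code written for this guide (RFC 2289, MD5 variant), not
FireWall-1's implementation; passphrase, seed and sequence are assumptions."""
import hashlib


def _fold(digest16: bytes) -> bytes:
    """RFC 2289: reduce a 16-byte MD5 digest to 8 bytes by XORing its halves."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def _step(value: bytes) -> bytes:
    """One link of the chain: fold(MD5(previous))."""
    return _fold(hashlib.md5(value).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: the hash applied n+1 times to seed+passphrase.
    The seed is case-insensitive and is lower-cased before use, as RFC 2289 requires."""
    value = _step((seed.lower() + passphrase).encode())
    for _ in range(n):
        value = _step(value)
    return value


class SKeyVerifier:
    """Server side.  It stores only the *next* value in the chain, never the
    passphrase.  To log in at sequence k the client presents otp(k); the server
    checks that one more step yields the stored otp(k+1), then moves its stored
    value down the chain so the same password is never accepted twice."""

    def __init__(self, passphrase: str, seed: str, sequence: int):
        self.seed = seed
        self.sequence = sequence
        self.stored = otp(passphrase, seed, sequence)   # computed once, at enrolment

    def challenge(self) -> str:
        """What the server shows the user (compare step 6 of the exercise)."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.sequence <= 0 or _step(response) != self.stored:
            return False
        self.stored, self.sequence = response, self.sequence - 1
        return True


def login_flow(passphrase="correct horse", seed="fw99", sequence=100) -> dict:
    """Two logins, a replay of the first password, and a wrong passphrase."""
    server = SKeyVerifier(passphrase, seed, sequence)
    first = otp(passphrase, seed, sequence - 1)          # client answers the challenge
    results = {"challenge": server.challenge(),
               "first login": server.verify(first),
               "replay": server.verify(first)}          # same password again: refused
    results["second login"] = server.verify(otp(passphrase, seed, sequence - 2))
    results["wrong passphrase"] = server.verify(otp("guess", seed, sequence - 3))
    results["remaining"] = server.sequence
    return results


if __name__ == "__main__":
    for k, v in login_flow().items():
        print(f"{k:17s} {v}")
```

The 8-byte result is what the exercise calls the S/Key string; real clients render it as hexadecimal or as six dictionary words, but the property that matters is in `verify`: a captured password is useless once it has been used, because the server has already moved one link down the chain.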
Review
Summary
FireWall-1 technology gives networks the ability to distribute security throughout the enterprise. Security should be established to protect the inside of the organization from the outside and between groups of users and resources, while ensuring authenticated communications within the organization.
FireWall-1 uses three types of authentication: user, client and session: User
authentication authenticates users for specific services. Client authentication
authenticates users of any service (standard or customized). Client authentication
requires users to TELNET to port 259 or connect to the firewall with a Web browser
on HTTP port 900 to be authenticated for a service. FireWall-1 supports implicit client
authentication and automatic client-authentication sign-off. Session authentication
works like client authentication but requires session authentication agent to be
installed. Session authentication does not require users to authenticate (using
TELNET or a Web browser) to the firewall.
Review Questions
3. When defining user authentication, where do you add the authentication rule?
Unit IV Chapter 2: Network Address Translation
Introduction
Secret codes are used to hide messages. Foreign languages, while not designed to hide
information, can be considered languages that do hide information because you do not
understand what the sounds and symbols mean. Network address translation is
something in between these two concepts.
Network address translation allows system administrators to conceal internal network
IP addresses from external networks. This can be achieved by using three types of
FireWall-1 address translation modes.
Key Terms
classful addressing
IP address translation
hide mode
Objectives
Availability of IP Addresses
Figure: address translation pairs, internal 192.168.1.1 to legal 204.32.38.111 and internal 192.168.1.2 to legal 204.32.38.112.
Todays computing industry suffers from a limited supply of IP addresses. When you
purchase an Internet Service Provider (ISP), you purchase a block of IP addresses that
become addresses for the individual computers in your internal network. Because IP
addresses are limited in supply, you must know how to translate internal IP addresses
to legal external addresses.
A reserved and finite set of IP addresses is used for address translation. In order to
provide the flexibility required to support different size networks, IP address space is
divided into three different address classes: Class A, B and C. This is often referred to
as classful addressing, because address space is split into three predefined classes,
groupings or categories.
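The following is an added example, not part of the Check Point course material. It classifies an IPv4 address by its classful range (decided by the first octet) and reports whether it lies in one of the RFC 1918 private ranges, which is what this chapter calls an illegal/reserved address that must be translated before it can appear on the Internet. The RFC 1918 ranges and the sample addresses are assumptions of the example; the course text does not list them.

```python
# Added example; it is not part of the Check Point course material.
# Classify an IPv4 address by classful range and flag RFC 1918 (reserved)
# addresses, which need NAT before leaving the internal network.
import ipaddress

# Classful boundaries by first octet (classes D and E included for completeness).
CLASS_RANGES = (
    (0, 127, "A"),
    (128, 191, "B"),
    (192, 223, "C"),
    (224, 239, "D"),
    (240, 255, "E"),
)

# RFC 1918 private ranges (an assumption of this example, not the course's list):
# one class A network, sixteen class B networks, 256 class C networks.
RESERVED_NETWORKS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def address_class(addr: str) -> str:
    """Return the classful class letter (A to E) of an IPv4 address."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for low, high, label in CLASS_RANGES:
        if low <= first_octet <= high:
            return label
    # IPv4Address guarantees 0 <= first_octet <= 255, so this is never reached.
    raise ValueError(f"not an IPv4 address: {addr}")


def is_reserved(addr: str) -> bool:
    """True if the address is in an RFC 1918 range and so cannot be used on the Internet."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RESERVED_NETWORKS)


def describe(addr: str) -> dict:
    """Summarise what the chapter needs to know about an address before NAT is applied."""
    reserved = is_reserved(addr)
    return {
        "address": addr,
        "class": address_class(addr),
        "reserved": reserved,
        "needs_translation": reserved,
    }


if __name__ == "__main__":
    # Constructed samples: the chapter's own addresses plus one per RFC 1918 range
    # and one just outside the 172.16.0.0/12 range.
    for sample in ("192.168.1.1", "204.32.38.111", "10.5.5.5", "172.31.0.9", "172.32.0.1"):
        print(describe(sample))
```

Note that 172.32.0.1 is class B like 172.16.0.1 but is not reserved: the class boundary and the reserved range boundary are different things, which is the point of checking both.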
Available class network numbers and IP address ranges for address translation are as
follows:
How FireWall-1 Reads IP Addresses
[Figure: (1) legal IP address 204.32.38.1, Internet; (2) illegal/reserved IP address 192.168.1.1; (3) illegal/reserved IP address 192.168.1.1, intranet; (4) legal IP address 204.32.38.1]
Translating IP Addresses
To translate IP addresses, FireWall-1 follows these steps:
NAT Modes
FireWall-1 supports three network address translation (NAT) modes. NAT is another
name for IP address translation, that is, changing the IP address in a packet. NAT
allows system administrators to change internal, illegal/reserved IP addresses into
legal addresses, which provides greater protection from external networks and hackers
and eliminates the need to manually change illegal/reserved internal IP addresses. NAT
also allows IP addresses to be hidden, which means system administrators can deal
with the problem of fewer available IP addresses.
Address translation takes place in the address translation module. The
FireWall-1 kernel module does not translate addresses. The kernel module
verifies addresses before passing them out of an internal network, and
verifies addresses before passing them to the address translation module and
into an internal network.
Following are the FireWall-1 address translation modes:
Static source mode Translates illegal/reserved internal IP addresses to legal IP
addresses when packets exit an internal network.
Static destination mode Translates legal internal IP addresses to illegal/reserved IP
addresses when packets enter an internal network.
Hide mode Hides one or more illegal/reserved IP addresses behind one legal
address.
Source and destination modes are referred to as static modes, because the address
translation is not dynamic. Static mode translates IP addresses using a one-to-one relationship.
Static source mode translates the client's internal, illegal/reserved IP addresses to legal
IP addresses (Figure 190):
[Figure 190: Static source mode: illegal/reserved IP address 192.168.1.1 on the internal network is translated to legal IP address 204.32.38.1 on the external side]
Static source mode is used when the connection is initiated by internal clients with
invalid IP addresses. Static source mode ensures that the originating hosts have
unique, specific valid IP addresses, and is generally used together with static
destination mode.
When you generate address translation rules automatically, static source
mode and static destination mode rules are always generated in pairs.
Static Destination Mode
Static destination mode translates the server's legal external IP addresses to illegal/
reserved IP addresses (Figure 191):
[Figure 191: Static destination mode: legal IP address 204.32.38.1 on the external side is translated to illegal/reserved IP address 192.168.1.1 on the internal network]
Static destination mode is used when servers inside the internal network have illegal/
reserved IP addresses, and ensures that packets entering the internal network arrive at
their proper destinations.
When you generate address translation rules automatically, static source
mode and static destination mode rules are always generated in pairs.
Static Mode Example
In Figure 190 and Figure 191 on page 263, the Bay Networks router's valid IP address
is statically translated when the local network translates it to a valid external address
once it leaves the internal network.
When defining static mode for a firewalled object, you do not specify static
source or destination mode. Static source and destination modes are defined
in the NAT rule base automatically.
In Figure 192, the Bay Networks router's valid IP address is statically translated to the
local network's IP address. When packets leave the Bay Networks router through the
local network, the packets' IP addresses are translated to illegal/reserved IP addresses;
when the packets enter the network, the local network translates the packets back to
their legal, internal IP addresses. The translation is done at the local network and at the
firewall.
Hide Mode
[Figure: Hide mode: multiple illegal/reserved IP addresses on the internal 198.132.176.0 network are hidden behind the single legal IP address 204.32.38.1 on the external side]
In Figure 194, the firewall hides all internal illegal/reserved IP addresses for packets
leaving the local network. When packets enter the network, the firewall translates the
packets' IP addresses and forwards the packets to the appropriate internal device.
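The following added example (not Check Point's code) models the three translation modes described above: static source mode rewrites the source of an outbound packet one-to-one, static destination mode is the paired reverse rewrite on the way back in, and hide mode puts many internal hosts behind one legal address and tells return packets apart by the source port it assigned. The addresses, ports, the hide network 192.168.2.0/24 and the external host 198.51.100.7 are constructed sample values.

```python
# Added example; it is not Check Point's code. A minimal model of the three
# FireWall-1 address translation modes: static source, static destination
# (always generated as a pair) and hide mode. All addresses are constructed.
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Translator:
    def __init__(self, static_pairs, hide_networks, hide_behind, first_port=10000):
        # static_pairs: internal illegal/reserved address -> legal address.
        # The reverse map is the static destination rule that is generated
        # together with the static source rule.
        self.static_src = dict(static_pairs)
        self.static_dst = {legal: internal for internal, legal in static_pairs.items()}
        self.hide_networks = [ipaddress.ip_network(n) for n in hide_networks]
        self.hide_behind = hide_behind          # the one legal address to hide behind
        self.next_port = first_port
        self.hide_table = {}  # assigned port -> (internal address, original port)

    def _is_hidden(self, addr):
        ip = ipaddress.IPv4Address(addr)
        return any(ip in net for net in self.hide_networks)

    def outbound(self, pkt):
        """Translate a packet leaving the internal network."""
        if pkt.src in self.static_src:                 # static source mode
            return replace(pkt, src=self.static_src[pkt.src])
        if self._is_hidden(pkt.src):                   # hide mode
            port = self.next_port
            self.next_port += 1
            self.hide_table[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.hide_behind, sport=port)
        return pkt                                     # already a legal address

    def inbound(self, pkt):
        """Translate a packet entering the internal network; None if undeliverable."""
        if pkt.dst in self.static_dst:                 # static destination mode
            return replace(pkt, dst=self.static_dst[pkt.dst])
        entry = self.hide_table.get(pkt.dport) if pkt.dst == self.hide_behind else None
        if entry is not None:                          # reply to a hidden host
            internal, sport = entry
            return replace(pkt, dst=internal, dport=sport)
        # No static rule and no hide-table entry: a hidden host cannot be
        # reached by a connection it did not initiate.
        return None


def demo():
    """Run one packet through each mode and return the results."""
    nat = Translator({"192.168.1.1": "204.32.38.1"}, ["192.168.2.0/24"], "204.32.38.113")
    remote = "198.51.100.7"  # constructed external host

    # static source out, static destination back
    out = nat.outbound(Packet("192.168.1.1", 40000, remote, 80))
    back = nat.inbound(Packet(remote, 80, out.src, out.sport))

    # two hidden hosts using the same source port, told apart by assigned ports
    h1 = nat.outbound(Packet("192.168.2.10", 5000, remote, 80))
    h2 = nat.outbound(Packet("192.168.2.11", 5000, remote, 80))
    r1 = nat.inbound(Packet(remote, 80, h1.src, h1.sport))

    # unsolicited connection to the hiding address: nothing to translate it to
    unsolicited = nat.inbound(Packet(remote, 4444, "204.32.38.113", 22))
    return out, back, h1, h2, r1, unsolicited


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last case is the security consequence of hide mode that the text alludes to: with no hide-table entry, an inbound packet to the hiding address has no internal destination, so hidden hosts are reachable only on connections they started.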
Applying Static Mode
To add static mode NAT to an internal network's FTP server, follow these steps:
1. Select Network Objects from the Manage menu (Figure 195):
5. Select the NAT tab. Note there is no address translation currently selected (Figure
198):
To add hide mode NAT to two internal network routers, first add NAT to a Cisco
Router:
1. Select Network Objects from the Manage menu (Figure 200):
To add hide mode NAT to a Bay Networks router, follow these steps:
1. After selecting the Bay Networks router from the network objects Manager
screen, modify the IP address if necessary in the General tab of Router Properties
(Figure 204):
2. Use the same IP address for the Cisco router and the Bay Networks router. This
ensures the Cisco and Bay Networks routers' IP addresses will be hidden behind
the legal IP address 204.32.38.113 (Figure 205):
NAT Rules
When you define network objects during the setup of FireWall-1, NAT rules are
generated automatically. You can manually specify address translation rules by editing
or adding NAT rules to the automatically generated rules, which provides complete
control over FireWall-1 address translation. FireWall-1 validates address translation
rules, helping to avoid mistakes in the setup process.
To provide complete control over FireWall-1 address translation, you can do one or
more of the following:
Translate ports
[NAT rule base columns: Translated packet, Install On]
If you choose Targets, then the Select Target window opens, from which you
can choose a firewalled gateway or host (but not a router) on which to install
the address translation rule.
NAT Issues
Routing Issues
Ensure that the gateway forwards the packet to the correct interface and host.
Reconfigure routing tables on the internal network's gateway (and on any
intervening routers) to set up address translation correctly.
Static Destination
First you must get the packet to the firewall by publishing the IP address to the desired
interface of the firewall. When using static destination mode, address translation
takes place in the firewall after internal routing but before transmission. To ensure that
the packet is correctly routed, use static routing (the route command) to define the
same next hop for both addresses.
On Solaris systems, use the following command:
route add 204.32.38.10n 192.168.n.1 1
The route add command in Solaris is temporary. To make a permanent route
addition, an entry must be placed in the appropriate rc directory in /etc.
On NT systems, use the following command:
route add 204.32.38.10n 192.168.n.1 -p
Action: accept
Track: Long
3. Add/insert a new rule just after the rule you just defined:
Source: www.yourcity.com
Destination: Any
Service: http and smtp
Action: accept
Track: Long
4. Remove your HTTP authentication rules.
2. Publish an ARP entry for the legal address (this is done to get the MAC address of
the external interface):
# arp fw.yourcity.com
# arp -s 204.32.38.11n external-MAC-address pub
For NT:
1. Add a static route for the translated host:
c:\> route -p add 204.32.38.11n 192.168.n.1
where -p makes the route permanent between boots. Without this option,
temporary changes can be made; (mask) is the subnet mask to apply to the route
2. Publish an ARP entry for the legal address (from the command prompt):
> ipconfig /all
> edit $FWDIR\state\local.arp
> 204.32.38.11n external-MAC-address
> SAVE and EXIT
> cd $FWDIR\bin
> fwstop
> fwstart
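The route and ARP steps above exist because, in static destination mode, the firewall routes the packet before translating it. The following added example (not from the course) checks the two prerequisites on the firewall host: that the legal, published address and the internal address it translates to leave by the same interface, and that every legal address has a published ARP entry in a local.arp-style file. The routing table entries, interface names (hme0, hme1), the MAC address and the local.arp contents are constructed sample data; routes are simplified to (network, gateway, interface) triples, where a gateway route without an interface is resolved through the gateway's own route, as the route add command relies on.

```python
# Added example; not from the Check Point course. Checks the routing and
# proxy-ARP prerequisites for static destination mode on the firewall host.
# Routing entries and local.arp contents below are constructed sample data.
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (network, gateway, interface) entries.

    Returns (gateway, interface) for dst, or None if there is no route.
    Either element may be None: a connected network has no gateway, and a
    route added with only a gateway address has no explicit interface.
    """
    ip = ipaddress.IPv4Address(dst)
    best = None
    for net_str, gateway, iface in routes:
        net = ipaddress.ip_network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])


def egress_interface(routes, dst):
    """Interface a packet to dst leaves by; gateway routes resolve via the gateway's route."""
    entry = lookup(routes, dst)
    if entry is None:
        return None
    gateway, iface = entry
    if iface is None and gateway is not None:
        via = lookup(routes, gateway)
        iface = via[1] if via else None
    return iface


def check_static_destination(routes, legal, internal):
    """Report whether both addresses of a static pair leave by the same interface."""
    egress_legal = egress_interface(routes, legal)
    egress_internal = egress_interface(routes, internal)
    return {
        "legal": legal,
        "internal": internal,
        "egress_legal": egress_legal,
        "egress_internal": egress_internal,
        "ok": egress_legal is not None and egress_legal == egress_internal,
    }


def published_addresses(local_arp_text):
    """Parse local.arp-style lines '<ip> <mac>' into the set of published IPs."""
    published = set()
    for line in local_arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            published.add(fields[0])
    return published


def missing_arp(local_arp_text, legal_addresses):
    """Legal addresses that still lack a published ARP entry."""
    return sorted(set(legal_addresses) - published_addresses(local_arp_text))


# Constructed routing table. The /32 host route mirrors the course's
# `route add 204.32.38.10n 192.168.n.1` step: the legal address is sent to the
# internal host, so it resolves to the internal interface hme1.
ROUTES_OK = [
    ("0.0.0.0/0", "204.32.38.254", None),
    ("204.32.38.0/24", None, "hme0"),
    ("192.168.1.0/24", None, "hme1"),
    ("204.32.38.101/32", "192.168.1.1", None),
]
# Same table without the host route: the legal address now follows the
# connected external network and leaves by hme0 instead.
ROUTES_MISSING_HOST_ROUTE = ROUTES_OK[:3]

# Constructed local.arp contents (format: ip mac), with a constructed MAC.
LOCAL_ARP = "# legal address   external MAC\n204.32.38.101 00:00:5e:00:53:01\n"

if __name__ == "__main__":
    print(check_static_destination(ROUTES_OK, "204.32.38.101", "192.168.1.1"))
    print(check_static_destination(ROUTES_MISSING_HOST_ROUTE, "204.32.38.101", "192.168.1.1"))
    print(missing_arp(LOCAL_ARP, ["204.32.38.101", "204.32.38.102"]))
```

Without the host route, the legal address matches the external network and would be sent back out the external interface before translation, which is the failure the text's "same next hop for both addresses" rule prevents.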
1. Click Manage > Network Objects; select the network object for your internal Web
server (www.yourcity.com).
2. Select the NAT tab.
3. Uncheck the Add Automatic Address Translation Rules checkbox.
4. Click OK. Close the Manage Network Objects screen.
Reminder: While the routing and ARP issues were previously taken care of
in Lab 14: NAT Static Mode - Manual, they are still required to be
completed for automatic translation.
NT
> ipconfig /all
> edit $FWDIR\state\local.arp
> 204.32.38.12n external MAC-address
> cd $FWDIR\bin
> fwstop
> fwstart
Review
Summary
The need for IP address translation (replacing one IP address in a packet with another
IP address) arises in two cases:
1. The network administrator wishes to conceal the network's internal IP addresses
from the Internet. The administrator may reason that there is nothing to be gained,
from a security point of view, by making a network's internal addresses public
knowledge.
2. An internal network's IP addresses are invalid Internet addresses (that is, as far as
the Internet is concerned, these addresses belong to another network).
This situation may have arisen for historical reasons: an internal network was
originally not connected to the Internet, and its IP addresses were chosen without
regard to Internet conventions. If such a network is then connected to the Internet, its
long-established internal IP addresses cannot be used externally. Changing these
addresses may be impractical or unfeasible.
Review Questions
Final Scenario
Introduction
You have learned the basics of FireWall-1 and should now be able to install, configure
and administer a FireWall-1 system. The following is an exercise to reinforce the most
important features of FireWall-1. There may be more than one way to achieve the final
results of this exercise. Your instructor will review your results to determine their
accuracy.
Solutions
Examples of possible solutions to the Final Lab Scenario are shown in Figure 207 and
Figure 208. Your results may vary slightly.
Appendix A:
Licensing Issues
Resolving Licensing Issues
Licensing
Enforcement for
Single Gateway
Products
Adding License at
the Command
Prompt
Management module
Firewall module
If you need to add a license at the command prompt, follow these steps:
1. In the \fw\bin directory, type: fw putlic [host] [key] [features]
2. Press Enter.
3. Type: fwstop
4. Press Enter.
5. Type: fwstart
6. Press Enter and exit the command prompt.
Removing Old
Licenses
Re-enter your current license string with a -o option. Do this if you have several
expired evaluation licenses, or have licenses for IP addresses or hostids that are not
valid for specific devices.
fw putlic -o [host] [key] [features]
If you have multiple permanent licenses, use the -o option for the first
license key. Do not use the -o option on subsequent licenses.
How to Contact
Check Point
If you have unresolved licensing issues, contact Check Point via e-mail
(license@checkpoint.com), or visit Check Point's licensing center at
http://license.checkpoint.com.
Appendix B: Installation Troubleshooting
Installing and Operating in NT and Solaris
NT Systems
Solaris Systems
Symptom
Security Policy Editor (GUI) will not connect to the Management Server.
Solution
The host name of the machine should be the same as the host name of one of the local
interfaces (any one, preferably the external interface). The host name can be set on
Solaris by one of the following methods:
1. During the installation process, FireWall-1 rebuilds the OS kernel. You must copy
the new kernel to its proper location and then restart the firewalled computer.
FireWall-1 displays instructions for doing this.
2. The first time you start the firewalled computer, you will receive a message that
FireWall-1 failed. This is normal and occurs because there is no security policy at
this point. After you have defined a security policy, subsequent restarts will
proceed normally.
Administrators:
Solaris Specific
To define administrators, run the program fwm on the FireWall-1 Management Server,
as follows:
1. To add an administrator, type the following command at the system prompt:
fwm -a
2. Type the user's name and password. Confirm the password by typing it a second
time.
3. To delete an administrator, type the following command at the system prompt:
fwm -r
4. Type the user's name.
Extracting Files
SunOS
hostname%
Installing FireWall
HP-UX 10
1. hostname% cd /tmp
2. hostname% su
3. password: your root password
4. hostname# tar xvf /HPUS/FW1/FW.HPUX.TAR device-name
device-name is usually /cdrom for a CD-ROM drive.
Register FireWall-1
hostname# swreg depot -x select_local=true -x target_directory=/tmp
target_directory points to the directory into which you copied the FireWall-1
software with the tar command.
The following steps install FireWall-1:
1. hostname# swinstall &
The SD Install Software Selection window is displayed, and then the Specify
Source window.
2. Click Source Depot Path: In the Depot Path window, select the directory into
which you copied the FireWall-1 software with the tar command.
3. Click OK to close the Depot Path window.
4. Click Ok to close the Specify Source window.
5. In the SD Install Software Selection window, select FireWall-1. If you double-click
on FireWall-1 you will be able to select individual FireWall-1 components to
install.
6. From the Actions menu, select Install (analysis). When the analysis phase
completes, click OK.
7. When the installation phase completes, click Done. From the File menu, select
Exit.
8. At the command prompt, enter the following:
hostname# setenv FWDIR /FireWall-1
hostname# set path=($FWDIR/bin $path)
IBM AIX
Appendix C:
Port Numbers and
Common Services
Port Numbers
Port numbers identify the service to which a communication is addressed. Table 25
specifies each service and the port the service uses as its contact port.
For detailed information about port assignments and services, refer to the
UNIX NETSYS.COM port-numbers web page at www.netsys.com/ports.html.
Port numbers are divided into three ranges: well-known, registered, and dynamic and/
or private ports:
Table 25: Port Numbers

Service      Port Number  Description
CISCO-FNA    130          Cisco FNATIVE
CISCO-TNA    131          Cisco TNATIVE
CISCO-SYS    132          Cisco SYSMAINT
DOMAIN       53
FTP          21
GOPHER       70           Gopher
HTTP         80
HTTPS        443
ISAKMP       500          ISAKMP
LOGIN        513
NETBIOS-NS   137
NETBIOS-DGM  138
NETBIOS-SSN  139
pop2         109
pop3         110
pop3s        995
PRINTER      515          Spooler
RADIUS       1812         RADIUS
ROUTER       520
RTELNET      107          Remote Telnet
SHELL        514
SFTP         115
SMTP         25
SNMP         161          SNMP
SNMPTRAP     162          SNMPTRAP
SQLSRV       156          SQL Service
SYSLOG       514          syslog
TACACS-DS    65
TELNET       23           Telnet
TELNETS      992
3COM-TSMUX   106          3COM-TSMUX
WHO          513
WHOAMI       565          Whoami
WWW          80
WWW-HTTP     80
XFER         82           XFER utility

Ports Common to Windows NT

Service      Port Number  Description
CHARGEN      19           Character Generator
COURIER      530          Courier
DAYTIME      13           Daytime
DISCARD
ECHO                      Ping
FINGER       79           Finger
ICMP
IGMP
NETSTAT      15           Network Statistics
NETBIOS_DGM  138
NETBIOS_SSN  139
QUOTD        17
SMS_DB       775          sms_db
SMS_UPDATE   777          sms_update
TDS          1433
TFTP         69
UDP          135
WINS         42           WINS replication
Appendix D:
Basic Rule Base
Rule bases are customized for specific networks. However, the following rules are
basic to most FireWall-1 rule-base security policies:
Stealth
Inbound e-mail
Load balancing
VPN
Client encrypt
Anti-virus
Anything outbound
Cleanup rule
Review the basic rule base, as shown in Figure 209, making notes in the comment
column.
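The following added example (not the course's Figure 209, whose contents are not reproduced) evaluates a rule base in first-match order and falls back to the implicit drop rule defined in the glossary when nothing matches. It shows why the stealth rule must sit above "anything outbound" and why the cleanup rule is last. The object names (fw.yourcity.com, internal-net, mail-server) and the contents of each rule are assumptions for illustration; the course only names the rules.

```python
# Added example; not the course's basic rule base. A first-match evaluator
# with the implicit drop, used to show why rule order matters.
from dataclasses import dataclass

ANY = "Any"
FIREWALL = "fw.yourcity.com"   # assumed firewall object name
INTERNAL = "internal-net"      # assumed internal network object
MAIL_SERVER = "mail-server"    # assumed mail server object


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    service: str
    action: str  # "accept" or "drop"


def _matches(field, value):
    return field == ANY or field == value


def evaluate(rule_base, source, destination, service):
    """Return (rule name, action) of the first matching rule, else the implicit drop."""
    for rule in rule_base:
        if (_matches(rule.source, source)
                and _matches(rule.destination, destination)
                and _matches(rule.service, service)):
            return rule.name, rule.action
    return "implicit drop", "drop"


BASIC_RULES = [
    Rule("Stealth", ANY, FIREWALL, ANY, "drop"),          # nothing connects to the firewall itself
    Rule("Inbound e-mail", ANY, MAIL_SERVER, "smtp", "accept"),
    Rule("Anything outbound", INTERNAL, ANY, ANY, "accept"),
    Rule("Cleanup", ANY, ANY, ANY, "drop"),                # explicit counterpart of the implicit drop
]

# The same rules with the stealth rule moved below "anything outbound":
# internal hosts can now reach the firewall, which the stealth rule is meant to prevent.
MISORDERED_RULES = [BASIC_RULES[1], BASIC_RULES[2], BASIC_RULES[0], BASIC_RULES[3]]


if __name__ == "__main__":
    cases = (
        (INTERNAL, FIREWALL, "telnet"),
        ("external-host", MAIL_SERVER, "smtp"),
        (INTERNAL, "external-host", "http"),
        ("external-host", MAIL_SERVER, "http"),
    )
    for src, dst, svc in cases:
        print(src, dst, svc, "->", evaluate(BASIC_RULES, src, dst, svc),
              "| misordered:", evaluate(MISORDERED_RULES, src, dst, svc))
```

Dropping the cleanup rule changes nothing about what is blocked, only which rule the log attributes the drop to, which is why the glossary lists the implicit drop as a rule in its own right.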
Glossary
A
access control lists Allow rule bases for 3Com, Bay and Cisco routers.
accounting log entry FireWall-1 log file that includes a packets connection
duration, and the number of bytes and packets transferred.
address-translation modes Another name for IP-address translation (changing an
IP address).
address-translation rule base Component of the FireWall-1 security policy. The
address-translation rule base is created when you create the security policy.
anti-spoofing Process that ensures the IP addresses of packets entering an internal
network are valid.
anti-virus inspection Component of FireWall-1 that uses an integrated anti-virus
module to check all files transferred for all protocols, reducing the vulnerability of
hosts and gateways.
application layer gateways A type of firewall architecture which examines packets
at the application level.
authentication scheme Validates all connection attempts within an internal
network.
AXENT Defender Server used to provide authentication services.
classful addressing IP address space that is split into three predefined classes,
groupings, or categories.
client A computer system or process that requests a service of another computer
system or server (using a specific protocol) and then accepts the server's responses.
client authentication Authenticates users of any service. Client authentication
allows an administrator to grant access privileges to a specific IP address.
Connect Control Module Provides automatic application-server load balancing
across multiple servers.
content-vectoring protocol (CVP) Open protocol for integrating external and third-party content inspection programs, plus integrated content inspection capabilities for
anti-virus protection, URL screening and Java security.
Firewall Module Implements the security policy, logs events and communicates
with the Management Module using the daemon; includes the Inspection Module,
daemon and security server. Provides inspection-module capabilities, user
authentication, multiple-firewall synchronization and content security.
FWZ A proprietary-key management scheme that uses FWZ-1 (a worldwide
exportable encryption algorithm) and DES (North America only).
hide mode The FireWall-1 network-address translation mode that hides internal IP
addresses behind one legal address.
implicit rule Rule created when defining properties in a security policy's properties
setup. Also called pseudo-rule.
implicit drop rule Implicit rule automatically added at the end of each rule base
that drops all communication attempts not described by previous rules.
Inbound The direction in which FireWall-1 inspects packets entering the firewall.
INSPECT Check Point's high-level scripting language for expressing a security
policy.
Inspection Module Provides access control, client and session authentication,
network-address translation, and auditing.
inspection script The ASCII file generated from the security policy.
Internet Control Message Protocol (ICMP) An extension to IP that supports
error, control and informational messages.
Internet Protocol (IP) address Numbers defining the location of computers in a
network.
IP address translation Changing an IP address.
ISAKMP/Oakley (IKE) Encryption scheme standard for negotiating between two
hosts using IPSec.
kernel The essential part of UNIX or other operating systems responsible for
resource allocation, low-level hardware interfaces and security.
Network Address Translation (NAT) Conceals internal computers and users from
outside networks.
network address translation modes Another name for IP address translation.
network objects Any elements that come in contact with the network; includes
items such as hosts, routers, networks, gateways, switches, domains and logical
servers.
network objects manager A tool to define network objects in FireWall-1.
outbound The direction in which FireWall-1 inspects packets leaving the firewall.
packet A piece of electronic data transmitted as part of a data stream. Also called
data packet.
packet filtering A type of firewall architecture which examines up to the network
layer of a packet.
pseudo rule Created when defining properties in a security policy's properties
setup. Also called implicit rule.
Uniform Resource Identifier (URI) A scheme for identifying resources that may
be available on the Internet by name, without regard to where they are located. A URI
is not specific, because it can contain wildcards. Ex: http://*.com/jerry/*
Uniform Resource Locator (URL) An address for a resource on the Internet.
URL Filtering Protocol (UFP) A Check Point developed application
programming interface that enables the integration of third-party applications to
categorize and control access to specific URL addresses.
user authentication Provides access privileges on a per-user basis for FTP,
TELNET, HTTP, and RLOGIN, regardless of users' IP addresses.
User Datagram Protocol (UDP) Service primarily used for protocols where
performance is more important than getting all the packets.