Check Point NGX R65 Security Administration - Ralph Bonnell

Check Point NGX R65 Security Administration (eBook)

eBook Download: PDF
2011 | 1st edition
800 pages
Elsevier Science (publisher)
978-0-08-055867-7 (ISBN)
45,95 incl. VAT
Check Point NGX R65 is the next major release of Check Point's flagship firewall software product, which has over 750,000 registered users. Check Point's NGX is the underlying security software platform for all of the company's enterprise firewall, VPN and management solutions. It enables enterprises of all sizes to reduce the cost and complexity of security management and ensure that their security systems can be easily extended to adapt to new and emerging threats. This title is a continuation of Syngress' best-selling references on Check Point's market leading Firewall and VPN products.

* First book to market covering Check Point's new, flagship NGX R65 Firewall/VPN.
* Provides bonus coverage for Check Point's upcoming NGX R65 Certification exams.
* Companion Web site offers customized scripts for managing log files.

Front Cover 1
Check Point NGX R65 Security Administration 2
Copyright Page 4
Technical Editor 6
Assistant Technical Editor 7
Contributing Authors 8
Contents 12
Chapter 1: NGX R65 Operational Changes 26
Introduction 27
New SmartPortal Features 27
Eventia Correlation Unit and Eventia Analyzer Server 28
SmartView Tracker 29
IPv6 Reporting 29
DNS Implementation 29
Remote License Management 29
Eventia Reporter on Multiple Versions of SmartCenter Management 29
Eventia Reporter and Analyzer Integration 29
New FireWall-1/VPN-1 Features 30
SmartDefense Profiles 30
AMT Support 30
Aggressive Aging 31
Cooperative Enforcement 31
Monitor-Only Deployment Mode 31
Handling an Unauthorized Host 31
Internal URL Web Filtering 32
Internal Antivirus Scanning 32
Signature Updates 33
Continuous Download 33
Scanning Files 33
Layer 2 Firewalling 33
VoIP Features 33
SYN Cookies 34
Edge Support for CLM 34
Management Plug-In System 34
Connectra Management 35
Connectra Tab 35
Provider-1 Support 35
SmartView Monitor 35
Integrity Advanced Server 35
New VPN Features 36
Understanding the New VPN Options 36
Allowing Directional VPN Rules 36
Allowing Backup Links and On-Demand Links 36
Allowing Wire Mode VPN Connectivity 36
Allowing Route-Based VPNs 36
Allowing Permanent Tunnels 37
Same Local IP and Cluster IP Address for VTIs 37
Antispoofing for Unnumbered Interfaces on IPSO 37
Dynamic Routing and VTIs 37
Configurable Metrics for Dial-up Routes 37
Interoperability between SecurePlatform and IPSO 37
Route-Based VPN Improvements 37
Customer-Defined Scripts for VPN Peers 37
Route-Based VPN and IP Clustering Support 38
RIM Performance Improvements on IPSO 38
SSL Extender 38
SecureClient Mobile 38
ClusterXL 39
Interface Bonding 39
Multicast Routing Failover Support 39
Summary 40
Solutions Fast Track 40
Frequently Asked Questions 43
Chapter 2: SmartClients and SmartManagement 46
Introduction 47
SmartDashboard 47
The SmartDashboard Log-in Dialog Box 47
Key Components 49
The Object Tree Pane 51
The Rule Base Pane 52
The Security Tab 52
The NAT Tab 53
The SmartDefense and SmartDefense Services Tabs 53
The Connectra Tab 53
The Objects List Pane 53
The SmartMap Pane 54
Configuring SmartMap Display and Characteristics 54
SmartView Tracker 56
Log View Types 56
The Log Tab 57
The Active Tab 58
The Audit Tab 58
Filters and Queries 58
Configuring a Filter 58
Query 59
SmartView Monitor 60
The SmartView Monitor Interface 60
Gateway Status 62
The System Information Tab 62
The Network Activity Tab 62
The Licenses Tab 63
Traffic View 63
System Counters View 64
Tunnels View 64
Remote Users View 66
Cooperative Enforcement 66
Custom Views 66
Alerts 67
Suspicious Activity Rules 67
SmartUpdate 68
License Management 69
Package Management 71
CPInfo 73
SmartLSM 73
How It Works 74
GUI and Basic Functionality 74
The SecureClient Packaging Tool 75
Using the SecureClient Packaging Tool 76
Creating an Installation Profile 76
Generating the Package 77
Management Plug-ins 79
Installing the Connectra Management Plug-in 79
Uninstalling the Connectra Management Plug-in 80
The Check Point Configuration Tool/cpconfig 81
cpconfig Configuration Options 81
Licenses 82
Administrator 82
GUI Clients 82
SNMP Extension 82
Secure Internal Communication (SIC) 83
Automatic Start of Check Point Modules 83
Summary 84
Solutions Fast Track 84
Frequently Asked Questions 87
Chapter 3: Management Portal 92
Introduction 93
SmartCenter Installation 93
Basic Configurations 93
Installation Paths 94
Common Installation Scenarios 94
Install 94
Uninstall 95
Integrity Advanced Server 95
Dedicated Server Installation 95
A Tour of the Dashboard 96
Logging In 96
The Rulebase Pane 98
Security Tab 98
Address Translation Tab 98
SmartDefense Tab 98
Web Intelligence Tab 99
VPN Manager Tab 99
QoS Tab 99
Desktop Security Tab 99
Web Access Tab 99
Consolidation Rules Tab 100
The Objects Tree Pane 100
Network Objects 101
Services 101
Resources 101
Servers and OPSEC Applications 102
Users and Administrators 102
VPN Communities 102
The Objects List Pane 102
The SmartMap Pane 103
Menus and Toolbars 103
Working with Policy Packages 103
Installing the Policy 103
Global Properties 104
FireWall Page 105
NAT-Network Address Translation Page 106
VPN Page 106
VPN-1 Edge/Embedded Page 106
Remote Access Page 106
SmartDirectory (LDAP) Page 106
Stateful Inspection Page 106
New in SmartDashboard NGX 107
Security Policy Rule Names and Unique IDs 107
Group Object Convention 109
Group Hierarchy 110
Clone Object 111
Session Description 111
Tooltips 111
Your First Security Policy 112
Creating Your Administrator Account 115
Hooking Up to the Gateway 115
Reviewing the Gateway Object 117
Defining Your Security Policy 120
Policy Design 121
Creating Rules 122
Network Address Translation 124
Installing the Policy 126
Other Useful Controls on the Dashboard 127
Working with Security Policy Rules 127
Section Titles 127
Hiding Rules 127
Rule Queries 128
Searching Rules 128
Working with Objects 128
Object References 128
Who Broke That Object? 128
Object Queries 128
Working with Policies 128
What Would Be Installed? 129
What's Really Installed? 129
No Security Please 129
For the Anoraks 129
Change Management 130
Managing Connectra and Interspect Gateways 131
Configuring Interspect or Connectra Integration 131
SmartDefense Updates 134
SmartUpdate Enhancements 134
Connectra Central Management 135
Connectra Tab 135
SmartDashboard and SmartDefense Update 135
Provider-1 Support 135
SmartView Monitor 135
SmartPortal 135
SmartPortal Functionality 136
Installing SmartPortal 136
Tour of SmartPortal 137
Summary 142
Solutions Fast Track 143
Frequently Asked Questions 145
Chapter 4: Advanced Authentication 148
Introduction 149
Authentication Overview 149
Using Authentication in Your Environment 149
Users and Administrators 150
Managing Users and Administrators 150
Permissions Profiles 151
Administrators 154
General Tab 154
Personal Tab 155
Groups 155
Admin Auth 156
Admin Certificates 156
Administrator Groups 156
User Templates 156
General 156
Personal 156
Groups 157
Authentication 157
Location 157
Time 157
Encryption 157
User Groups 157
Users 158
General 159
Personal 159
Groups 159
Authentication 160
Location 160
Time 160
Certificates 160
Encryption 160
External User Profiles 160
Match by Domain 161
Match All Users 162
LDAP Group 162
Understanding Authentication Schemes 162
Undefined 162
SecurID 162
Check Point Password 162
RADIUS 163
TACACS 164
SmartDirectory 166
Configuring SmartDirectory 167
Account Units 168
Accessing the LDAP Server 174
LDAP Groups 174
User Authentication 175
Configuring User Authentication in the Rulebase 176
Interacting with User Authentication 178
Telnet and rlogin 178
FTP 178
HTTP 179
Placing Authentication Rules 183
Advanced Topics 183
Changing the Banner 183
Use Host Header As Destination 183
Session Authentication 184
Client Authentication 185
Configuring Client Authentication in the Rulebase 186
ClientAuth | Edit Properties | General | Source 188
ClientAuth | Edit Properties | General | Destination 188
ClientAuth | Edit Properties | General | Apply Rule Only if Desktop Configuration Options are Verified 189
ClientAuth | Edit Properties | General | Required Sign-On 189
ClientAuth | Edit Properties | General | Sign On Method 189
Manual Sign-On 189
Partially Automatic Sign-On 195
Fully Automatic Sign-On 195
Agent Automatic Sign-On 195
Single Sign-On 195
General | Successful Authentication Tracking 195
Limits | Authorization Timeout 196
Limits | Number of Sessions Allowed 196
Advanced Topics 197
Check Point Gateway | Authentication 197
Enabled Authentication Schemes 198
Authentication Settings 198
HTTP Security Server 198
Global Properties | Authentication 198
Failed Authentication Attempts 199
Authentication of Users with Certificates 199
Brute Force Password-Guessing Protection 200
Early Versions Compatibility 200
Registry Settings 200
New Interface 200
Use Host Header As Destination 201
Opening All Client Authentication Rules 202
Configuration Files 202
Enabling Encrypted Authentication 202
Custom Pages 203
Summary 204
Solutions Fast Track 204
Frequently Asked Questions 206
Chapter 5: Advanced VPN Concepts and Tunnel Monitoring 208
Introduction 209
Encryption Overview 209
IKE Overview 210
Main Mode and Aggressive Mode 211
Renegotiating IKE and IPSec Lifetimes 211
Perfect Forward Secrecy 212
IP Compression 213
IKE DoS Attacks 213
IKE Phase I 214
IPSEC Phase II 216
Configuring Advanced IKE Properties 217
IKE Policies 218
Priority 218
Encryption 219
Hash Function 219
Authentication Mode 219
Digital Certificates (Using RSA Algorithms) 219
Preshared Keys 219
Diffie-Hellman Group 219
Lifetime 219
IKE SA Negotiation 220
VPN Communities 220
Remote Access Community 221
Mesh Topology 222
Star Topology 222
VPN Routing 223
Configuring VPN Routing for Gateways via SmartDashboard 224
Route Injection 225
Permanent Tunnels 226
Wire Mode 227
PKI Solutions 229
PKI Deployments and VPN 230
Policy-Based VPN 230
vpn_route.conf 230
Route-Based VPN 231
Virtual Tunnel Interfaces 232
Numbered VTI 235
Unnumbered VTI 235
Dynamic VPN Routing 235
VPN Directional Match 236
Nokia Configuration 238
Secure Platform Configuration 242
Routing 243
Summary 245
Solutions Fast Track 245
Frequently Asked Questions 248
Chapter 6: Advanced VPN Client Installations 250
Introduction 251
SecuRemote 252
IP Pool NAT 257
SecureClient 259
Desktop Policies 260
Office Mode 261
Visitor Mode 262
Connection Profiles 264
Windows L2TP Integration 266
SSL Network Extender 267
Backup Gateways 271
Multiple Entry Point VPNs 271
Userc.C 273
Summary 274
Solutions Fast Track 274
Frequently Asked Questions 276
Chapter 7: SmartDefense 278
Introduction 279
Configuring SmartDefense 279
Updating SmartDefense with the Latest Defenses 280
Network Security 280
Denial of Service 281
Aggressive Aging 282
Teardrop Attacks 283
The Ping of Death 283
LAND Attacks 283
Non-TCP Flooding 284
IP and ICMP 284
Packet Sanity 284
Max PING Size 284
IP Fragments 285
Network Quota 285
TCP 286
SYN Attack Configuration 286
Small PMTU 287
Sequence Verifier 287
Fingerprint Scrambling 288
ISN Spoofing 288
TTL 288
IP ID 289
Successive Events 289
DShield Storm Center 290
Retrieve and Block Malicious IPs 291
Report to DShield 291
Port Scans 293
Host Port Scan 293
Sweep Scan 293
Dynamic Ports 294
Application Intelligence 294
Mail 294
SMTP Content 295
Mail and Recipient Content 296
POP3/IMAP Security 297
FTP 297
FTP Bounce 297
FTP Security Server 298
Allowed FTP Commands 298
Preventing Port Overflow Checks 299
Microsoft Networking 299
File and Print Sharing 299
Peer-to-Peer Applications 300
Kazaa 300
Gnutella et al. 300
Yahoo! 300
ICQ 301
Instant Messaging 301
MSN over SIP 301
DNS 301
Protocol Enforcement 302
Domain Black Lists 302
Cache Poisoning 302
Scrambling 303
Dropping Inbound Requests 303
Detecting Mismatched Replies 303
Voice over IP (VoIP) 304
Important Capabilities 304
H.323 Voice Protocol 304
SIP Voice Protocol 305
MGCP Voice Protocol 305
SCCP Voice Protocol 306
VoIP Enhancements 306
SNMP 307
VPN Protocols 307
Small IKE Phase II Proposals 308
VPN Attack Prevention 308
Content Protection 308
MS-RPC 309
Important Capabilities 310
MS-SQL 310
Routing Protocols 310
SUN-RPC 311
DHCP 312
SOCKS 312
Web Intelligence 312
Connectivity Implications of Specific Protections 314
Malicious Code 314
Application Layer 314
Information Disclosure 314
HTTP Protocol Inspection 315
Monitor-Only Mode 315
Protection for Specific Servers 315
Variable Security Levels 315
Web Intelligence License Enforcement 315
Summary 317
Solutions Fast Track 317
Frequently Asked Questions 319
Protocol Summary 320
Chapter 8: High Availability and Clustering 334
Introduction 335
ClusterXL Overview 335
The Cluster Control Protocol 338
Legacy High Availability Mode 338
New Mode High Availability Mode 338
Load-Sharing Multicast 340
Load-Sharing Unicast 340
Configuring ClusterXL 340
Monitoring the Cluster 346
Third-Party Solutions 348
Resilience 348
Nokia IPSO Clustering 349
Crossbeam 351
ISP Redundancy 351
Solutions Fast Track 357
Frequently Asked Questions 358
Chapter 9: SecurePlatform 360
Introduction 361
Installation 361
Installation Using the NGX R65 CD 361
Bootable Floppy and Network Installation 362
Configuration 363
Web User Interface 363
Command Line Configuration 379
Sysconfig 380
Setting the Host Name 381
Setting the Domain Name 381
Setting the DNS Servers 381
Configuring the Network Connections 382
Setting Time and Date 383
Setting up the Check Point Product Suite 386
Installing a Firewall Module 387
Installing a SmartCenter Server 389
Platform Shell 393
Expert Mode 395
Useful Commands 396
Backup and Restore 396
Backup 396
Restore 397
Other Ways to Back up and Restore Your System 398
Upgrade_export and Upgrade_import 398
Patch Command 399
Secure Shell 400
SecurePlatform Pro 401
Hot Fix Accumulators 402
HFA Installation 403
Summary 406
Solutions Fast Track 406
Frequently Asked Questions 408
Chapter 10: Advanced Troubleshooting 410
Introduction 411
NGX Debugging 411
SIC Troubleshooting 413
Packet Analysis 415
snoop 415
tcpdump 415
fw monitor 415
CPethereal and Wireshark 419
Log Troubleshooting 420
VPN Analysis 420
Encryption failure, decrypted methods did not match rule 421
Received notification from peer: no proposal chosen 421
Cannot identify peer for encrypted connection 422
Encryption failure: packet is dropped as there is no valid SA 422
Encryption failure: Clear text packet should be encrypted or clear text packet received within an encrypted packet 423
Encryption Failure: Packet was decrypted, but policy says connection should not be decrypted 423
VPN Client Analysis 423
ClusterXL Troubleshooting 424
Summary 426
Solutions Fast Track 426
Frequently Asked Questions 428
Index 430

Publication date (per publisher) 31.8.2011
Language English
Subject area Mathematics / Computer Science, Computer Science, Operating Systems / Servers
Computer Science, Networks, Security / Firewall
ISBN-10 0-08-055867-4 / 0080558674
ISBN-13 978-0-08-055867-7 / 9780080558677
PDF (Adobe DRM)
Size: 16,0 MB

Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited suitability for small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the Adobe Digital Editions software (free). We advise against using the OverDrive Media Console; in our experience, problems with Adobe DRM occur frequently with it.
eReader: This eBook can be read on (almost) all eBook readers. It is not, however, compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
