Best Damn Firewall Book Period (eBook)
1168 pages
Elsevier Science (Publisher)
978-0-08-055687-1 (ISBN)
Compiled from the best of the Syngress firewall library and authored by product experts such as Dr. Tom Shinder on ISA Server, this volume is an indispensable addition to a serious networking professional's toolkit.
Coverage includes migrating to ISA Server 2006, integrating Windows Firewall and Vista security into your enterprise, successfully integrating Voice over IP applications around firewalls, and analyzing security log files.
Sections are organized by major vendor, and include hardware, software and VPN configurations for each product line.
New to this Edition:
* Microsoft firewall protection, from Windows Firewall to ISA Server 2006
* Cisco PIX Version 7, including VPN configuration and IDS
* Analyzing Firewall Logs and Reports
* VoIP and Firewall Bypassing
The Second Edition of the Best Damn Firewall Book Period is completely revised and updated to include all of the most recent releases from Microsoft, Cisco, Juniper Network, and Check Point.
Front Cover 1
The Best Damn Firewall Book Period, Second Edition 2
Copyright Page 4
Contributing Authors 6
Contents 14
Chapter 1: Installing Check Point NGX 42
Introduction 43
Preparing the Gateway 43
Installation 43
SecurePlatform 44
FireWall-1/VPN-1 Installation 51
SmartCenter Server Installation 55
SmartConsole Installation 59
Putting It All Together 60
SmartDashboard 60
Summary 66
Chapter 2: SmartDashboard and SmartPortal 68
Introduction 69
A Tour of the Dashboard 69
Logging In 69
The Rulebase Pane 70
Security Tab 70
Address Translation Tab 71
SmartDefense Tab 71
Web Intelligence Tab 71
VPN Manager Tab 71
QoS Tab 71
Desktop Security Tab 71
Web Access Tab 71
Consolidation Rules Tab 72
The Objects Tree Pane 72
Network Objects 73
Services 73
Resources 73
Servers and OPSEC Applications 73
Users and Administrators 73
VPN Communities 74
The Objects List Pane 74
The SmartMap Pane 74
Menus and Toolbars 74
Working with Policy Packages 74
Installing the Policy 75
Global Properties 75
FireWall Page 76
NAT-Network Address Translation Page 76
VPN Page 76
VPN-1 Edge/Embedded Page 77
Remote Access Page 77
SmartDirectory (LDAP) Page 77
Stateful Inspection Page 77
New in SmartDashboard NGX 77
Security Policy Rule Names and Unique IDs 77
Group Object Convention 79
Group Hierarchy 79
Clone Object 81
Session Description 81
Tooltips 81
Your First Security Policy 82
Creating Your Administrator Account 84
Hooking Up to the Gateway 84
Reviewing the Gateway Object 85
Defining Your Security Policy 86
Policy Design 87
Creating Rules 88
Network Address Translation 89
Installing the Policy 90
Other Useful Controls on the Dashboard 92
Working with Security Policy Rules 92
Section Titles 92
Hiding Rules 92
Rule Queries 92
Searching Rules 92
Working with Objects 92
Object References 92
Who Broke That Object? 92
Object Queries 93
Working with Policies 93
What Would Be Installed? 93
What's Really Installed? 93
No Security Please 93
For the Anoraks 93
Change Management 93
Managing Connectra and Interspect Gateways 94
Configuring Interspect or Connectra Integration 94
SmartDefense Updates 95
SmartPortal 96
SmartPortal Functionality 97
Installing SmartPortal 97
Tour of SmartPortal 97
Summary 101
Chapter 3: Smart View Tracker 102
Introduction 103
Tracker 103
Log View 104
Active 106
Audit 107
Predefined Queries 108
Use for Predefined Queries 109
Adding Custom Queries 109
Applying Filters 110
Custom Queries 111
Matching Rule Filter 111
Viewing the Matching Rule 112
Viewing Log Records from SmartDashboard 112
Active View 112
Live Connections 112
Custom Commands 113
Following a Source or Destination 113
Block Intruder 113
Audit View 118
Log Maintenance 119
Daily Maintenance 119
Log Switch 121
Summary 122
Chapter 4: SmartDefense and Web Intelligence 124
Introduction 125
Network Security 125
Threats 126
Structured Threats 127
Denial of Service 127
External Threats 128
Welchia Internet Control Message Protocol 129
Network Quota 129
Internal Threats 130
Reconnaissance (Port Scans and Sweeps) 131
The OSI Model 132
Layer 3: The Network Layer 133
Layer 4: The Transport Layer 133
Layer 7: The Application Layer 134
The Need for Granular Inspection 135
Application Intelligence 137
Configuring Hosts and Nodes for AI 137
SmartDefense Technology 138
Central Configuration and the SmartDefense Web Site 139
Updating SmartDefense 140
Defense Against Attacks 140
Peer-to-Peer 140
Preventing Information Disclosure 141
Fingerprint Scrambling 142
Abnormal Behavior Analysis 142
Web Intelligence Technology 143
Malicious Code Protector 143
Active Streaming 143
Application Intelligence 144
Web Application Layer 145
SQL Injection 145
Custom Web Blocking 146
Preventing Information Disclosure 147
Header Spoofing 147
Directory Listing 148
Malicious Code 149
Definition 149
Different Types of Malicious Code 149
General HTTP Worm Catcher 150
Protocol Inspection 151
Conformity 152
DNS Enforcement 152
HTTP Inspection 152
Default Configuration 153
DShield Storm Center 154
Retrieving Blocklist 156
Submitting Logs 156
Summary 158
Chapter 5: Network Address Translation 160
Introduction 161
Global Properties 162
Network Address Translation 163
Configuring Dynamic Hide Mode NAT 165
Dynamic NAT Defined 165
Advanced Understanding of NAT 166
When to Use It 169
Routing and ARP 171
Adding ARP Entries 172
Secure Platform 172
Solaris 172
Windows 173
IPSO 173
Configuring Static Mode NAT 173
Static NAT Defined 174
When to Use It 174
Inbound Connections 176
Configuring Automatic NAT 178
When to Use It 179
NAT Rule Base 181
Access Control Settings 182
Configuring Port Translation 183
When to Use It 183
NAT Rule Base 184
Security Policy Implications 185
Summary 186
Chapter 6: Authentication 188
Introduction 189
Authentication Overview 189
Using Authentication in Your Environment 189
Users and Administrators 190
Managing Users and Administrators 190
Permission Profiles 191
Administrators 194
General Tab 194
Personal Tab 195
Groups 195
Admin Auth 195
Admin Certificates 195
Administrator Groups 196
User Templates 197
General 198
Personal 198
Groups 198
Authentication 198
Location 198
Time 199
Encryption 199
User Groups 199
Users 200
General 201
Personal 201
Groups 201
Authentication 201
Location 202
Time 202
Certificates 202
Encryption 202
External User Profiles 202
Match by Domain 202
Match All Users 203
LDAP Group 204
Understanding Authentication Schemes 204
Undefined 204
SecurID 204
Check Point Password 204
RADIUS 204
TACACS 206
User Authentication 207
Configuring User Authentication in the Rulebase 207
UserAuth | Edit Properties | General | Source 208
UserAuth | Edit Properties | General | Destination 209
UserAuth | Edit Properties | General | HTTP 209
Interacting with User Authentication 209
Telnet and RLOGIN 209
FTP 210
HTTP 210
Placing Authentication Rules 212
Advanced Topics 213
Eliminating the Default Authentication Banner 214
Changing the Banner 214
Use Host Header as Destination 215
Session Authentication 216
Configuring Session Authentication in the Rulebase 217
SessionAuth | Edit Properties | General | Source 218
SessionAuth | Edit Properties | General | Destination 218
SessionAuth | Edit Properties | General | Contact Agent At 218
SessionAuth | Edit Properties | General | Accept only SecuRemote/SecureClient Encrypted Connections 218
SessionAuth | Edit Properties | General | Single Sign-On 218
Configuring Session Authentication Encryption 218
The Session Authentication Agent 219
Configuration | Passwords | Ask for Password 221
Configuration | Allowed Firewall-1 | Allow authentication request from 221
Configuration | Allowed Firewall-1 | Options 222
Interacting with Session Authentication 223
Client Authentication 225
Configuring Client Authentication in the Rulebase 225
ClientAuth | Edit Properties | General | Source 226
ClientAuth | Edit Properties | General | Destination 226
ClientAuth | Edit Properties | General | Apply Rule Only if Desktop Configuration Options Are Verified 226
ClientAuth | Edit Properties | General | Required Sign-In 227
ClientAuth | Edit Properties | General | Sign-On Method 227
Manual Sign-On 227
Partially Automatic Sign-On 232
Fully Automatic Sign-On 233
Agent Automatic Sign-On 233
Single Sign-On 233
General | Successful Authentication Tracking 233
Limits | Authorization Timeout 234
Limits | Number of Sessions Allowed 234
Advanced Topics 234
Check Point Gateway | Authentication 235
Enabled Authentication Schemes 236
Authentication Settings 236
HTTP Security Server 236
Global Properties | Authentication 236
Failed Authentication Attempts 237
Authentication of Users with Certificates 237
Brute-Force Password Guessing Protection 238
Early Version Compatibility 238
Registry Settings 238
New Interface 238
Use Host Header as Destination 239
Opening All Client Authentication Rules 239
Configuration Files 240
Enabling Encrypted Authentication 240
Custom Pages 240
Installing the User Database 240
Summary 242
Chapter 7: Content Security and OPSEC 244
Introduction 245
OPSEC 245
Partnership 246
Anti-virus 246
Web Filtering 246
OPSEC Applications 246
Security Servers 247
URI 248
SMTP 251
FTP 255
TCP 257
CIFS 258
CVP 259
Resource Creation 259
UFP 260
Resource Creation 261
MDQ 262
How to Debug 262
Secure Internal Communication 262
Summary 263
Chapter 8: VPN 264
Introduction 265
Encryption Overview 265
Symmetric and Asymmetric Encryption 265
Certificate Authorities 266
Exchanging Keys 266
Tunnel Mode vs. Transport Mode 267
Encryption Algorithms 267
Hashing Algorithms 267
Public Key Infrastructure 268
Simplified vs. Traditional 268
Using the Simplified Configuration Method 269
VPN Communities 270
Meshed VPN Communities 270
Star VPN Communities 274
Multiple Entry Point (MEP) 277
Installing the Policy 279
Configuring a VPN with a Cisco PIX 281
Using the Traditional VPN Configuration Method 282
VPN Directional Matching 284
Route-Based VPN 285
Routing Protocols 285
Configuring VTIs 286
Configuring VTI Example 286
Tunnel Management and Debugging 287
Using SmartView Tracker 288
Using cpstat 289
Summary 292
Chapter 9: SecuRemote, SecureClient, and Integrity 294
Introduction 295
SecuRemote 295
What's New with SecuRemote in NGX? 295
Standard Client 296
Basic Remote Access 296
Defining the Connection Policy 297
SecuRemote Installation and Configuration on Microsoft Windows 315
Connecting to the VPN-1 Gateway 326
SecureClient 328
What's New in SC NGX? 328
Installing SecureClient on Microsoft Windows 329
Policy Server 329
Desktop Security Policies 329
Configuring Desktop Security Policies 330
Disabling the Security Policy 335
Secure Configuration Verification 336
Office Mode 336
Why Office Mode? 337
Client IP Pool 337
Configuring Office Mode with IP Pools 337
Configuring the VPN-1 Gateway for Office Mode 338
Configuring SecureClient for Office Mode 341
Secure Configuration Verification (SCV) 342
What's New with Secure Configuration Verification (SCV) in NGX? 343
Configuring the Policy Server to Enable Secure Configuration Verification (SCV) 344
Secure Configuration Verification (SCV) Checks Available 345
Check Point OPSEC Vendor SCV Checks 345
Other Third-Party Checks 345
Create Your Own Checks 345
Integrity 345
History of Integrity 346
Integrity Client Installation 347
Integrity Client Configuration 350
Integrity Clientless Security 350
Summary 351
Chapter 10: Adaptive Security Device Manager 352
Introduction 353
Features, Limitations, and Requirements 353
Supported PIX Firewall Hardware and Software Versions 354
PIX Device Requirements 354
Host Requirements for Running ASDM 354
Adaptive Security Device Manager Limitations 354
Unsupported Commands 355
Unsupported Characters 355
ASDM CLI Does Not Support Interactive Commands 355
Printing from ASDM 356
Installing, Configuring, and Launching ASDM 356
Preparing for Installation 356
Installing or Upgrading ASDM 356
Obtaining a DES Activation Key 357
Configuring the PIX Firewall for Network Connectivity 357
Installing a TFTP Server 358
Upgrading the PIX Firewall and Configuring the DES Activation Key 358
Installing or Upgrading ASDM on the PIX Device 358
Enabling and Disabling ASDM 359
Launching ASDM 359
Configuring the PIX Firewall Using ASDM 373
Using the Startup Wizard 374
Configuring System Properties 381
The AAA Menu 384
The Advanced Menu 386
The ARP Static Table Menu 390
The Auto Update Menu 391
The DHCP Services Menu 393
The DNS Client Menu 395
The Failover Menu 395
The History Metrics Category 399
The IP Audit Menu 400
The Logging Menu 402
The Priority Queue Category 408
The SSL Category 409
The SunRPC Server Category 410
The URL Filtering Category 411
Configuring VPNs Using ASDM 412
Configuring a Site-to-Site VPN Using ASDM 412
Configuring a Remote Access VPN Using ASDM 419
Summary 427
Chapter 11: Application Inspection 428
New Features in PIX 7.0 429
Supporting and Securing Protocols 430
TCP, UDP, ICMP, and the PIX Firewall 431
Application Layer Protocol Inspection 433
Defining a Traffic Class 433
Associating a Traffic Class with an Action 436
Customizing Application Inspection Parameters 438
Applying Inspection to an Interface 438
Domain Name Service 438
Remote Procedure Call 439
SQL*Net 440
Internet Locator Service and Lightweight Directory Access Protocol 441
HTTP Inspection 442
FTP Inspection 443
Active versus Passive Mode 443
ESMTP Inspection 446
ICMP Inspection 447
H.323 447
Simple Network Management Protocol (SNMP) 448
Voice and Video Protocols 449
SIP 449
CTIQBE 449
SCCP 450
Real-Time Streaming Protocol (RTSP), NetShow, and VDO Live 450
Summary 452
Chapter 12: Filtering, Intrusion Detection, and Attack Management 454
New Features in PIX 7.0 455
Enhanced TCP Security Engine 455
Improved Websense URL Filtering Performance 455
Introduction 455
Filtering Web and FTP Traffic 455
Filtering URLs 456
Websense and Sentian by N2H2 456
Fine-Tuning and Monitoring the Filtering Process 457
Configuring HTTP URL Filtering 460
Configuring HTTPS Filtering 461
Setting Up FTP Filtering 461
Active Code Filtering 462
Filtering Java Applets 463
Filtering ActiveX Objects 463
Virus Filtering
Spam, Adware, Malware, and Other-Ware Filtering
TCP Attack Detection and Response 465
PIX Intrusion Detection 466
Supported Signatures 466
Configuring Intrusion Detection/Auditing 469
Disabling Signatures 471
Configuring Shunning 471
Attack Containment and Management 472
Placing Limits on Fragmentation 472
SYN FloodGuard 473
The TCP Intercept Feature 473
Preventing IP Spoofing 473
Other Ways the PIX Can Prevent, Contain, or Manage Attacks 474
Configuring Connection Limits and Timeouts 474
Preventing MAC Address Spoofing 476
Summary 478
Chapter 13: Services 480
Introduction 481
DHCP Functionality 481
DHCP Servers 481
Cisco IP Phone-Related Options 483
DHCP Relay 484
DHCP Clients 484
PPPoE 485
EasyVPN 487
EasyVPN Server 487
Routing and the PIX Firewall 488
Unicast Routing 489
Static Routes 489
RIP 490
OSPF 491
Network Address Translation as a Routing Mechanism 492
Multicast Routing 492
Stub Multicast Routing 493
PIM Multicast Routing 493
BGP through PIX Firewall 494
Queuing and Policing 494
Summary 496
Chapter 14: Configuring Authentication, Authorization, and Accounting 498
Introduction 499
New and Changed Commands in 7.0 499
Introducing AAA Concepts 500
Authentication 502
Authorization 503
Accounting 504
AAA Security Protocols 504
RADIUS 504
Authentication Methods Used by RADIUS 505
RADIUS Functions Available on the Cisco PIX 505
How RADIUS Works 505
TACACS+ 507
Authentication Methods Used by TACACS+ 507
TACACS+ Functions Available to the Cisco PIX 507
How TACACS+ Works 508
Optional Security Protocols and Methods 509
AAA Servers 510
Configuring Console Authentication 510
Configuring Local Authentication 511
Configuring Local AAA Using the ASDM 513
Configuring Command Authorization 515
Configuring Local Command Authorization 516
Configuring TACACS+ and RADIUS Console Authentication 517
Configuring TACACS+ Command Authorization 521
Configuring Authentication for Traffic through the Firewall 524
Configuring Cut-through Proxy 524
Virtual HTTP 525
Virtual Telnet 527
Configuring Authorization for Traffic through the Firewall 528
Configuring Accounting for Traffic through the Firewall 529
Summary 531
Chapter 15: PIX Firewall Management 532
Introduction 533
Configuring Logging 533
Logging Levels 534
Dropped and Changed Syslog Messages from 6.x 535
Logging Facility 542
Local Logging 543
Buffered Logging 544
Console Logging 544
Terminal Logging 545
Remote Logging via Syslog 545
Disabling Specific Syslog Messages 550
Configuring Remote Access 551
Secure Shell 551
Enabling SSH Access 552
Troubleshooting SSH 557
Telnet 560
Restrictions 561
Configuring Simple Network Management Protocol 561
Configuring System Identification 562
Configuring Polling 562
Configuring Traps 565
Managing SNMP on the PIX 565
Configuring System Date and Time 567
Setting and Verifying the Clock and Time Zone 567
Configuring and Verifying the Network Time Protocol 570
NTP Authentication 571
Management Using the Cisco PIX Adaptive Security Device Manager (ASDM) 573
Summary 578
Chapter 16: Configuring Virtual Private Networking 580
Introduction 581
What's New in PIX 7.0 582
IPsec Concepts 582
IPsec 582
IPsec Core Layer 3 Protocols: ESP and AH 583
Authentication Header 583
Encapsulating Security Payload 584
IPsec Communication Modes: Tunnel and Transport 584
Internet Key Exchange 586
Security Associations 588
Certificate Authority Support 591
Configuring a Site-to-Site VPN 591
Planning 592
Allowing IPsec Traffic 593
Enabling IKE 593
Creating an ISAKMP Protection Suite 594
Defining an ISAKMP Preshared Key 595
Configuring Certificate Authority Support 595
Preparing the PIX to Use Certificates 597
Generating a Key Pair 598
Configure a CA as a Trustpoint 599
Authenticating and Enrolling with the CA 600
Configuring Crypto Access-Lists 601
Defining a Transform Set 602
Bypassing Network Address Translation 603
Configuring a Crypto Map 603
Troubleshooting 605
Remote Access: Configuring Support for the Cisco Software VPN Client 606
Enabling IKE and Creating an ISAKMP Protection Suite 608
Defining a Transform Set 608
Crypto Maps 608
Tunnel Groups and Group Policies 609
Address Pool Configuration 609
Split Tunneling 610
NAT Issues 611
Authentication against RADIUS, TACACS+, SecurID, or Active Directory 611
Automatic Client Update 612
Configuring Client Firewall Requirements 612
Sample Configurations of PIX and VPN Clients 612
Summary 618
Chapter 17: ISA Server 2006 Client Types and Automating Client Provisioning 620
Introduction 621
Understanding ISA Server 2006 Client Types 621
Understanding the ISA Server 2006 SecureNAT Client 623
SecureNAT Client Limitations 625
SecureNAT Client Advantages 628
Name Resolution for SecureNAT Clients 630
Name Resolution and "Looping Back" Through the ISA Server 2006 Firewall 630
Understanding the ISA Server 2006 Firewall Client 634
Allows Strong User/Group-Based Authentication for All Winsock Applications Using TCP and UDP Protocols 635
Allows User and Application Information to be Recorded in the ISA Server 2006 Firewall's Log Files 635
Provides Enhanced Support for Network Applications, Including Complex Protocols That Require Secondary Connections 636
Provides "Proxy" DNS Support for Firewall Client Machines 636
The Network Routing Infrastructure Is Transparent to the Firewall Client 637
How the Firewall Client Works 639
Installing the Firewall Client Share 640
Installing the Firewall Client 641
Firewall Client Configuration 642
Centralized Configuration Options at the ISA Server 2006 Firewall Computer 642
Enabling Support for Legacy Firewall Client/Winsock Proxy Clients 645
Client Side Firewall Client Settings 646
Firewall Client Configuration Files 648
.ini Files 649
Advanced Firewall Client Settings 650
Firewall Client Configuration at the ISA Server 2006 Firewall 652
ISA Server 2006 Web Proxy Client 654
Improved Performance for the Firewall Client and SecureNAT Client Configuration for Web Access 654
Ability to Use the Autoconfiguration Script to Bypass Sites Using Direct Access 655
Allows You to Provide Web Access (HTTP/HTTPS/FTP Download) without Enabling Users Access to Other Protocols 655
Allows You to Enforce User/Group-based Access Controls Over Web Access 656
Allows You to Limit the Number of Outbound Web Proxy Client Connections 662
Supports Web Proxy Chaining, Which Can Further Speed Up Internet Access 664
ISA Server 2006 Multiple Client Type Configuration 664
Deciding on an ISA Server 2006 Client Type 665
Automating ISA Server 2006 Client Provisioning 667
Configuring DHCP Servers to Support Web Proxy and Firewall Client Autodiscovery 668
Install the DHCP Server 669
Create the DHCP Scope 669
Create the DHCP 252 Scope Option and Add It to the Scope 672
Configure the Client as a DHCP Client 675
Configure the Client Browser to Use DHCP for Autodiscovery 676
Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information 676
Making the Connection 677
Configuring DNS Servers to Support Web Proxy and Firewall Client Autodiscovery 679
Creating the wpad Entry in DNS 679
Configure the Client to Use the Fully-Qualified wpad Alias 682
Configure the Client Browser to Use Autodiscovery 685
Configure the ISA Server 2006 Firewall to Publish Autodiscovery Information 686
Making the Connection Using DNS for Autodiscovery 686
Automating Installation of the Firewall Client 687
Configuring Firewall Client and Web Proxy Client Configuration in the ISA Management Console 688
Group Policy Software Installation 692
Silent Installation Script 695
Systems Management Server (SMS) 695
Summary 696
Chapter 18: Installing and Configuring the ISA Firewall Software 698
Pre-installation Tasks and Considerations 699
System Requirements 699
Configuring the Routing Table 701
DNS Server Placement 702
Configuring the ISA Firewall's Network Interfaces 704
Installation via a Terminal Services Administration Mode Session 709
Performing a Clean Installation on a Multihomed Machine 709
Default Post-installation ISA Firewall Configuration 715
The Post-installation System Policy 717
Performing a Single NIC Installation (Unihomed ISA Firewall) 727
Quick Start Configuration for ISA Firewalls 729
Configuring the ISA Firewall's Network Interfaces 731
IP Address and DNS Server Assignment 731
Configuring the Internal Network Interface 731
Configuring the External Network Interface 732
Network Interface Order 732
Installing and Configuring a DNS Server on the ISA Server Firewall 733
Installing the DNS Service 733
Installing the DNS Server Service on Windows Server 2003 734
Configuring the DNS Service on the ISA Firewall 734
Configuring the DNS Service in Windows Server 2003 734
Configuring the DNS Service on the Internal Network DNS Server 737
Installing and Configuring a DHCP Server on the ISA Server Firewall 739
Installing the DHCP Service 739
Installing the DHCP Server Service on a Windows Server 2003 Computer 739
Configuring the DHCP Service 740
Installing and Configuring the ISA Server 2006 Software 741
Configuring the ISA Firewall 744
DHCP Request to Server Rule 746
DHCP Reply from Server Rule 748
Internal DNS Server to DNS Forwarder Rule 749
Internal Network to DNS Server 751
The All Open Rule 751
Configuring the Internal Network Computers 752
Configuring Internal Clients as DHCP Clients 753
Hardening the Base ISA Firewall Configuration and Operating System 755
ISA Firewall Service Dependencies 756
Service Requirements for Common Tasks Performed on the ISA Firewall 758
Client Roles for the ISA Firewall 761
ISA Firewall Administrative Roles and Permissions 763
Lockdown Mode 765
Lockdown Mode Functionality 765
Connection Limits 766
DHCP Spoof Attack Prevention 768
Summary 772
Chapter 19: Creating and Using ISA 2006 Firewall Access Policy 774
ISA Firewall Access Rule Elements 777
Protocols 777
User Sets 778
Content Types 778
Schedules 780
Network Objects 780
Configuring Access Rules for Outbound Access through the ISA Firewall 780
The Rule Action Page 781
The Protocols Page 781
The Access Rule Sources Page 784
The Access Rule Destinations Page 784
The User Sets Page 785
Access Rule Properties 786
The General Tab 786
The Action Tab 786
The Protocols Tab 787
The From Tab 789
The To Tab 790
The Users Tab 791
The Schedule Tab 792
The Content Types Tab 793
The Access Rule Context Menu Options 794
Configuring RPC Policy 795
Configuring FTP Policy 796
Configuring HTTP Policy 797
Ordering and Organizing Access Rules 797
How to Block Logging for Selected Protocols 798
Disabling Automatic Web Proxy Connections for SecureNAT Clients 799
Using Scripts to Populate Domain Name Sets 800
Using the Import Scripts 803
Extending the SSL Tunnel Port Range for Web Access to Alternate SSL Ports 808
Avoiding Looping Back through the ISA Firewall for Internal Resources 811
Anonymous Requests Appear in Log File Even When Authentication is Enforced For Web (HTTP Connections) 811
Blocking MSN Messenger using an Access Rule 812
Allowing Outbound Access to MSN Messenger via Web Proxy 815
Changes to ISA Firewall Policy Only Affect New Connections 816
Allowing Intradomain Communications through the ISA Firewall 817
Summary 826
Chapter 20: Creating Remote Access and Site-to-Site VPNs with ISA Firewalls 828
Overview of ISA Firewall VPN Networking 829
Firewall Policy Applied to VPN Client Connections 830
Firewall Policy Applied to VPN Site-to-Site Connections 832
VPN Quarantine 832
User Mapping of VPN Clients 834
SecureNAT Client Support for VPN Connections 835
Site-to-Site VPN Using Tunnel Mode IPSec 836
Publishing PPTP VPN Servers 836
Pre-shared Key Support for IPSec VPN Connections 836
Advanced Name Server Assignment for VPN Clients 837
Monitoring of VPN Client Connections 838
An Improved Site-to-Site Wizard (New ISA 2006 feature) 838
The Create Answer File Wizard (New ISA 2006 feature) 839
The Branch Office Connectivity Wizard (New ISA 2006 feature) 839
The Site-to-Site Summary (New ISA 2006 feature) 840
Creating a Remote Access PPTP VPN Server 840
Enable the VPN Server 840
Create an Access Rule Allowing VPN Clients Access to Allowed Resources 852
Enable Dial-in Access 854
Test the PPTP VPN Connection 857
Creating a Remote Access L2TP/IPSec Server 859
Issue Certificates to the ISA Firewall and VPN Clients 859
Test the L2TP/IPSec VPN Connection 863
Monitor VPN Clients 864
Using a Pre-shared Key for VPN Client Remote Access Connections 866
Creating a PPTP Site-to-Site VPN 868
Create the Remote Site Network at the Main Office 870
The Network Rule at the Main Office 878
The Access Rules at the Main Office 879
Create the VPN Gateway Dial-in Account at the Main Office 880
Create the Remote Site Network at the Branch Office 881
The Network Rule at the Branch Office 883
The Access Rules at the Branch Office 884
Create the VPN Gateway Dial-in Account at the Branch Office 884
Activate the Site-to-Site Links 885
Creating an L2TP/IPSec Site-to-Site VPN 886
Enable the System Policy Rule on the Main Office Firewall to Access the Enterprise CA 887
Request and Install a Certificate for the Main Office Firewall 889
Configure the Main Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link 892
Enable the System Policy Rule on the Branch Office Firewall to Access the Enterprise CA 896
Request and Install a Certificate for the Branch Office Firewall 897
Configure the Branch Office ISA Firewall to use L2TP/IPSec for the Site-to-Site Link 898
Activate the L2TP/IPSec Site-to-Site VPN Connection 899
Configuring Pre-shared Keys for Site-to-Site L2TP/IPSec VPN Links 900
IPSec Tunnel Mode Site-to-Site VPNs with Downlevel VPN Gateways 900
Using RADIUS for VPN Authentication and Remote Access Policy 901
Configure the Internet Authentication Services (RADIUS) Server 902
Create a VPN Clients Remote Access Policy 903
Remote Access Permissions and Domain Functional Level 906
Changing the User Account Dial-in Permissions 907
Changing the Domain Functional Level 908
Controlling Remote Access Permission via Remote Access Policy 910
Enable the VPN Server on the ISA Firewall and Configure RADIUS Support 911
Create an Access Rule Allowing VPN Clients Access to Approved Resources 914
Make the Connection from a PPTP VPN Client 916
Using EAP User Certificate Authentication for Remote Access VPNs 918
Configuring the ISA Firewall Software to Support EAP Authentication 919
Enabling User Mapping for EAP Authenticated Users 920
Issuing a User Certificate to the Remote Access VPN Client Machine 921
Supporting Outbound VPN Connections through the ISA Firewall 925
Installing and Configuring the DHCP Server and DHCP Relay Agent on the ISA Firewall 927
Summary 930
Chapter 21: ISA 2006 Stateful Inspection and Application Layer Filtering 932
Introduction 933
Application Filters 933
The SMTP Filter 934
The DNS Filter 935
The POP Intrusion Detection Filter 936
The SOCKS V4 Filter 936
The FTP Access Filter 938
The H.323 Filter 938
The MMS Filter 938
The PNM Filter 939
The PPTP Filter 939
The RPC Filter 939
The RTSP Filter 939
Web Filters 940
The HTTP Security Filter (HTTP Filter) 940
Overview of HTTP Security Filter Settings 941
The General Tab 941
The Methods Tab 943
The Extensions Tab 945
The Headers Tab 946
The Signatures Tab 950
HTTP Security Filter Logging 953
Exporting and Importing HTTP Security Filter Settings 954
Exporting an HTTP Policy from a Web Publishing Rule 954
Importing an HTTP Policy into a Web Publishing Rule 955
Investigating HTTP Headers for Potentially Dangerous Applications 956
Example HTTP Security Filter Policies 960
Commonly Blocked Headers and Application Signatures 964
The ISA Server Link Translator 965
Determining Custom Dictionary Entries 968
Configuring Custom Link Translation Dictionary Entries 968
The Web Proxy Filter 970
The OWA Forms-Based Authentication Filter 971
The RADIUS Authentication Filter 972
IP Filtering and Intrusion Detection/Intrusion Prevention 972
Common Attacks Detection and Prevention 973
DNS Attacks Detection and Prevention 974
IP Options and IP Fragment Filtering 975
Source Routing Attack 976
Summary 978
Chapter 22: Deploying NetScreen Firewalls 980
Introduction 981
Managing the NetScreen Firewall 981
NetScreen Management Options 982
Serial Console 982
Telnet 982
Secure Shell 983
WebUI 983
The NetScreen-Security Manager 984
Administrative Users 984
The Local File System and the Configuration File 985
Using the Command Line Interface 989
Using the Web User Interface 992
Securing the Management Interface 992
Updating ScreenOS 1007
System Recovery 1008
Configuring NetScreen 1011
Types of Zones 1011
Security Zones 1011
Tunnel Zones 1012
Function Zones 1012
Virtual Routers 1012
Types of Interfaces 1012
Security Zone Interfaces 1012
Physical Interfaces 1012
Subinterfaces 1013
Aggregate Interfaces 1013
Redundant Interfaces 1013
VLAN1 Interface 1014
Virtual Security Interfaces 1014
Function Zone Interfaces 1014
Management Interfaces 1014
HA Interfaces 1014
Tunnel Interfaces 1014
Loopback Interfaces 1015
Configuring Security Zones 1015
Configuring Your NetScreen for the Network 1020
Binding an Interface to a Zone 1020
Setting up IP Addressing 1021
Configuring the DHCP Client 1021
Using PPPoE 1022
Interface Speed Modes 1024
Port Mode Configuration 1024
Configuring Basic Network Routing 1025
Configuring System Services 1028
Setting The Time 1028
DHCP Server 1030
DNS 1034
SNMP 1035
Syslog 1038
WebTrends 1039
Resources 1040
Summary 1041
Chapter 23: Policy Configuration 1042
Introduction 1043
NetScreen Policies 1043
Theory Of Access Control 1045
Types of NetScreen Policies 1046
Intrazone Policies 1047
Interzone Policies 1048
Global Policies 1048
Default Policy 1048
Policy Checking 1048
Getting Ready to Make a Policy 1050
Policy Components 1051
Zones 1051
Address Book Entries 1051
Creating Address Book Entries 1051
Modifying and Deleting Address Book Entries 1054
Address Groups 1054
Services 1056
Creating Custom Services 1056
Modifying and Deleting Services 1058
Service Groups 1058
Creating Policies 1060
Creating a Policy 1060
Creating a Policy via the WebUI 1060
Reordering Policies in the WebUI 1063
Other Policy Options in the WebUI 1064
Creating a Policy via the CLI 1065
Other Policy Options Available in the CLI 1068
Summary 1070
Chapter 24: User Authentication 1072
Introduction 1073
Types of Users 1073
Uses of Each Type 1073
Auth Users 1073
IKE Users 1074
L2TP Users 1075
XAuth Users 1075
Admin Users 1075
User Databases 1075
Local Database 1075
Types of Users 1076
Features 1076
External Auth Servers 1076
Object Properties 1076
Auth Server Types 1077
RADIUS 1077
Types of Users 1077
Features 1078
How to Configure 1078
SecurID 1079
Types of Users 1079
Features 1079
How to Configure 1079
LDAP 1080
Types of Users 1081
Features 1081
How to Configure 1081
Default Auth Servers 1082
How to Change 1082
When to Use 1083
Authentication Types 1083
Auth Users and User Groups 1083
IKE Users and User Groups 1084
XAuth Users and User Groups 1085
L2TP Users and User Groups 1087
Admin Users and User Groups 1088
Multi-type Users 1090
User Groups and Group expressions 1090
Chapter 25: Routing 1092
Introduction 1093
Virtual Routers 1093
Using Virtual Routers 1093
Creating Virtual Routers 1094
Route Selection 1095
Set Route Preference 1096
Set Route Metric 1097
Route Redistribution 1099
Configuring a Route Access List 1100
Configuring A Route Map 1101
Routing Information Protocol 1102
RIP Concepts 1102
Basic RIP Configuration 1102
Configuring RIP 1103
Open Shortest Path First (OSPF) 1106
OSPF Concepts 1106
Basic OSPF Configuration 1107
Border Gateway Protocol 1111
Basic BGP Configuration 1111
Summary 1115
Chapter 26: Address Translation 1116
Introduction 1117
Purpose of Address Translation 1117
Advantages of Address Translation 1117
Disadvantages of Address Translation 1119
NetScreen NAT Overview 1119
NetScreen Packet Flow 1120
Source NAT 1122
Interface-based Source Translation 1122
MIP 1123
MIP Limitations 1123
MIP Scenarios 1124
Scenario 1 1125
Scenario 2 1125
Scenario 3 1127
Policy-based Source NAT 1128
DIP 1129
Sticky DIP 1131
DIP Shift 1132
Destination NAT 1134
VIP 1134
Policy-based Destination NAT 1135
Destination NAT Scenarios 1135
One-to-One Mapping 1136
Many-to-one Mapping 1136
Many-to-Many Mapping 1138
Destination PAT Scenario 1140
Source and Destination NAT Combined 1141
Summary 1142
Index 1144
Publication date (per publisher) | 18.4.2011 |
---|---|
Language | English |
Subject area | Computer Science ► Networks ► Security / Firewall |
ISBN-10 | 0-08-055687-6 / 0080556876 |
ISBN-13 | 978-0-08-055687-1 / 9780080556871 |
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorised to your personal Adobe ID at download time, and can then be read only on devices that are also registered to your Adobe ID.
File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost any device, but is only of limited use on small displays (smartphone, eReader).
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers. It is not, however, compatible with the Amazon Kindle.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a
Buying eBooks from abroad
For tax law reasons we can only sell eBooks within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.