Check Point Security Administration Student Manual, R77 Edition
Check Point Education Series
Check Point Software Technologies Inc.
Security Administration Student Manual, R77 Edition
P/N 705982

© 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.
International Headquarters: 5 Ha'Solelim Street, Tel Aviv, Israel. Tel: 972-3-753-4555

U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070. Tel: 650-628-2000. Fax: 650-654-2253

Technical Support, Education & Professional Services: 6330 Commerce Drive, Suite 120, Irving, TX 75063. Fax: 972-506-2913

E-mail any comments or questions about our courseware to courseware@us.checkpoint.com. For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.

Document #: DOC-Manual-CCSA-R76
Revision: R772018
Content: Mark Hoefle, Joey Witt
Graphics: Charming Jia

Contributors - Beta Testing and Technical Review:
Chris Albtas - Arrow ECS - UK
Robin Bay - Arrow ECS - Czech Republic
Kishin Fatnani - K-Secure - India
Patrick Felsner - Arrow ECS - Austria
Tim Hall - Shadow Peak - USA
Thomas Norbeck - Glasspaper - Norway
Alejandro Diez Rodriguez - Afina - Spain
Ich Tathanie - INTAS - Slovakia
Erik Wagemans - JCA - Belgium

Test Development: Ken Finley - Check Point

Check Point Technical Publications Team: Rochelle Fisher, Daly Yam, Eli Har-Even, Paul Grigg, Richard Levine, Rivkah Albinder, Shira Rosenfield, Yaakov Simon

Contents

Preface: Security Administration
  Security Administration Overview
  Course Layout
  Prerequisites
  Certification Title
  Course Chapters
  Sample Setup for Labs

Chapter 1: Introduction to Check Point Technology
  Check Point Technology Overview
  Learning Objectives
  The Check Point Security Management Architecture (SMART)
    SmartConsole
    Security Management Server
    Security Gateway
  The Check Point Firewall
  Mechanisms for Controlling Network Traffic
    Packet Filtering
    Stateful Inspection
    Application Intelligence
  Security Gateway Stateful Inspection Architecture
    INSPECT Engine Packet Flow
  Deployment Considerations
  Check Point SmartConsole Clients
    SmartDashboard
    SmartLog
    SmartEvent
    SmartView Monitor
    SmartEndpoint
    SmartView Tracker
    SmartUpdate
    SmartReporter
    SmartProvisioning
  Security Management Server
    Managing Users in SmartDashboard
    Users Database
  Securing Channels of Communication
    Secure Internal Communications
    Testing the SIC Status
    Resetting the Trust State
  Practice and Review
    Practice Labs
    Review

Chapter 2: Deployment Platforms
  Deployment Platforms
  Learning Objectives
  Check Point Deployment Platforms
    Security Appliances
    Dedicated Appliances
    Carrier & Ultra High-End Data Center Security Systems
    Data Center Security Systems
    Enterprise Network Security Systems
    Small/Branch Office
    Virtual Systems Management
    More Check Point Appliances
  Check Point Software Blade Architecture
    Software Blade Bundles
  Check Point Gaia
    History - Power of Two
    Gaia
    Benefits of Gaia
    Gaia Architecture
    Gaia System Information
  Practice and Review
    Practice Labs
    Review

Chapter 3: Introduction to the Security Policy
  Introduction to the Security Policy
  Learning Objectives
  Security Policy Basics
    The Rule Base
  Managing Objects in SmartDashboard
    SmartDashboard and Objects
    Object-Tree Pane
    Objects-List Pane
    Object Types
    Rule Base Pane
    Managing Objects
    Classic View of the Objects Tree
    Group View of the Objects Tree
  Creating the Rule Base
    Basic Rule Base Concepts
    Default Rule
    Basic Rules
    Implicit/Explicit Rules
    Control Connections
    Detecting IP Spoofing
    Configuring Anti-Spoofing
  Rule Base Management
    Understanding Rule Base Order
    Completing the Rule Base
  Policy Management and Revision Control
    Policy Package Management
    Database Revision Control
    Multicasting
  Practice and Review
    Practice Labs
    Review

Chapter 4: Monitoring Traffic and Connections
  Monitoring Traffic and Connections
  Learning Objectives
  SmartView Tracker
    Log Types
    SmartView Tracker Tabs
    Action Icons
    Working with SmartView Tracker
    Log-File Management
    Administrator Auditing
    Global Logging and Alerting
    Time Settings
    Blocking Connections
  SmartView Monitor
    Customized Views
    Gateway Status View
    Traffic View
    Tunnels View
    Remote Users View
    Cooperative Enforcement View
    Monitoring Suspicious Activity Rules
    Monitoring Alerts
  Gateway Status
    Overall Status
    Software Blade Status
    Displaying Gateway Information
  SmartView Tracker vs. SmartView Monitor
  Practice and Review
    Practice Lab
    Review

Chapter 5: Network Address Translation
  Network Address Translation
  Learning Objectives
  Introduction to NAT
    IP Addressing
    Hide NAT
    Choosing the Hide Address in Hide NAT
    Static NAT
    Original Packet
    Reply Packet
    NAT - Global Properties
  Object Configuration - Hide NAT
    Hide NAT Using Another Interface IP Address
    Static NAT
  Manual NAT
    Configuring Manual NAT
    Special Considerations
    ARP
  Practice and Review
    Practice Labs
    Review

Chapter 6: Using SmartUpdate
  Using SmartUpdate
  Learning Objectives
  SmartUpdate and Managing Licenses
    SmartUpdate Architecture
    SmartUpdate Introduction
  Overview of Managing Licenses
    Licensing Terminology
    Upgrading Licenses
    Retrieving License Data from Security Gateways
    Adding New Licenses to the License & Contract Repository
    Importing License Files
    Adding License Details Manually
    Attaching Licenses
    Detaching Licenses
    Deleting Licenses From License & Contract Repository
    Installation Process
    Viewing License Properties
    Checking for Expired Licenses
    To Export a License to a File
  Service Contracts
    Managing Contracts
    Updating Contracts
  Practice and Review
    Review

Chapter 7: User Management and Authentication
  User Management and Authentication
  Learning Objectives
  Creating Users and Groups
    User Types
  Security Gateway Authentication
    Types of Legacy Authentication
    Authentication Schemes
    Remote User Authentication
    Authentication Methods
  User Authentication (Legacy)
    User Authentication Rule Base Considerations
  Session Authentication (Legacy)
    Configuring Session Authentication
  Client Authentication (Legacy)
    Client Authentication and Sign-On Overview
    Sign-On Methods
    Wait Mode
    Configuring Authentication Tracking
  LDAP User Management with UserDirectory
    LDAP Features
    Distinguished Name
    Multiple LDAP Servers
    Using an Existing LDAP Server
    Configuring Entities to Work with the Gateway
    Defining an Account Unit
    Managing Users
    UserDirectory Groups
  Practice and Review
    Practice Lab
    Review

Chapter 8: Identity Awareness
  Identity Awareness
  Learning Objectives
Install Database... from the menu. Security Gateways that do not include a Management Software Blade do not receive the Users Database.

Securing Channels of Communication

The Security Management Server must be able to communicate with all components and partner OPSEC applications that it manages, even though they may be installed on different machines. The interaction must take place to ensure that the components receive all necessary information from the Security Management Server (such as the Security Policy). While information must be allowed to pass freely, it also has to pass securely. This means that:

* The communication must be encrypted so that an impostor cannot send, receive or intercept communication meant for someone else.
* The communication must be authenticated; there can be no doubt as to the identity of the communicating peers.
* The transmitted communication should have data integrity; that is, the communication must not be altered or distorted in any form.
* The SIC setup process allowing the intercommunication to take place must be user-friendly.

If these criteria are met, secure channels of communication between intercommunicating components of the system can be set up and enforced, to protect the free and secure flow of information.

Secure Internal Communications

Secure Internal Communication (SIC) lets Check Point platforms and products authenticate with each other. The SIC procedure creates a trusted status between gateways, management servers and other Check Point components. SIC is required to install policies on gateways and to send logs between gateways and management servers.

These security measures ensure the security of SIC:

* Certificates for authentication
* Standards-based SSL for the creation of the secure channel
* 3DES for encryption

The Internal Certificate Authority (ICA)

The ICA is created during the Security Management Server installation process. The ICA is responsible for issuing certificates for authentication. For example, the ICA issues SIC certificates for authentication purposes to administrators, and VPN certificates to users and gateways.

Initializing the Trust Establishment Process

Communication Initialization establishes a trust between the Security Management Server and the Check Point gateways. This trust lets Check Point components communicate securely. Trust can only be established when the gateways and the server have SIC certificates.

Note: For SIC to succeed, the clocks of the gateways and servers must be synchronized.

The Internal Certificate Authority (ICA) is created when the Security Management Server is installed. The ICA issues and delivers a certificate to the Security Management Server.

Administrative Login Using SIC

The login process, in which Administrators connect to the Security Management Server, is common to all Check Point SmartConsole components (SmartDashboard, SmartUpdate, etc.). This process consists of a bidirectional operation, in which the Administrator and the Security Management Server authenticate each other and create a secure channel of communication between them using SIC. Once both the Administrator and the Security Management Server have been successfully authenticated, Security Management launches the selected SmartConsole.

Testing the SIC Status

The SIC status reflects the state of the Gateway after it has received the certificate issued by the ICA. This status conveys whether or not the Security Management Server is able to communicate securely with the gateway. The most typical status is Communicating. Any other status indicates that the SIC communication is problematic. For example, if the SIC status is Unknown, there is no connection between the Gateway and the Security Management Server. If the SIC status is Not Communicating, the Security Management Server is able to contact the gateway, but SIC communication cannot be established. In this case an error message will appear, which may contain specific instructions on how to remedy the situation.

Resetting the Trust State

Resetting the Trust State revokes the gateway's SIC certificate. This must be done if the security of the gateway has been breached, or if for any other reason the gateway functionality must be stopped. When the gateway is reset, the Certificate Revocation List (CRL) is updated to include the name of the revoked certificate. The CRL is signed by the ICA and issued to all the gateways in this system the next time a SIC connection is made. If there is a discrepancy between the CRLs of two communicating components, the newest CRL is always used. The gateways refer to the latest CRL and deny a connection from an impostor posing as a gateway and using a SIC certificate that has already been revoked.

Important - The SIC reset must be performed on the gateway's object using SmartDashboard, and from a command prompt on the gateway using the cpconfig tool. Performing the SIC reset on the gateway will cause an outage until SIC is reestablished and the policy is reinstalled. The fw stat command can be used to verify a Gateway's policy installation status.

SIC Between Security Management Servers and Components

The following is an example of the SIC process:

Figure 23 - SIC Among Security Management Servers and Components

The graphic illustrates the SIC process in a distributed environment:

1. The ICA creates a Certificate for the Security Management Server during the Security Management Server installation. The ICA is created automatically during the installation procedure.
2. Certificates for the Security Gateways, and any other communicating components, are created via a simple initialization from the SmartConsole. Upon initialization, the ICA creates, signs, and delivers a Certificate to the communicating component. Every component can then verify the Certificate for authenticity. Communication between a Security Management Server and its components depends on a Security Policy specified in a Policy file on each machine. Communication using Certificates will take place provided that the communicating components are of the appropriate version, and agree on the authentication and encryption methods. The Security Management Server and its components are identified by their SIC name, also known as the Distinguished Name.

Practice and Review

Practice Labs
Lab 1: Distributed Installation
Lab 2: Branch Office Security Gateway Installation

Review
1. What is the strength of Check Point's Stateful Inspection technology?
2. What are the advantages of Check Point's Secure Management Architecture (SMART)? In what way does it benefit an enterprise network and its administrators?
3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?

Chapter 2: Deployment Platforms

Deployment Platforms

Before delving into the intricacies of creating and managing Security Policies, it is beneficial to know about Check Point's different deployment platforms, and to understand the basic workings of Check Point's Linux operating systems, such as Gaia, that support many Check Point products, and what those products are.
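Returning to the SIC material in Chapter 1: the Python model below is an added example, not Check Point code, that exercises the rules the manual states (the ICA signs every certificate and CRL, peers use the newest ICA-signed CRL, a revoked or forged certificate is denied, clocks must be synchronized, and the outcome is reported as Unknown, Not Communicating or Communicating). The HMAC "signature", the 300-second skew tolerance, and every name and timestamp are constructed stand-ins for the real X.509 machinery.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace

# Constructed stand-in for the ICA's private signing key. The real ICA issues
# X.509 certificates; this model signs with HMAC-SHA256 to stay stdlib-only.
ICA_KEY = b"constructed-ica-signing-key"
SKEW_TOLERANCE = 300  # assumed: seconds of clock difference tolerated


@dataclass(frozen=True)
class Certificate:
    sic_name: str    # the component's SIC name, i.e. its Distinguished Name
    serial: int
    not_before: int  # validity window, epoch seconds
    not_after: int
    signature: str = ""


@dataclass(frozen=True)
class CRL:
    issued_at: int
    revoked: tuple   # serials of revoked certificates
    signature: str = ""


def _body(obj) -> dict:
    """Signed fields of a certificate or CRL: everything but the signature."""
    return {k: v for k, v in asdict(obj).items() if k != "signature"}


def _sign(obj) -> str:
    """Deterministic 'ICA signature' over a canonical JSON encoding."""
    data = json.dumps(_body(obj), sort_keys=True).encode()
    return hmac.new(ICA_KEY, data, hashlib.sha256).hexdigest()


def _verify(obj) -> bool:
    return hmac.compare_digest(_sign(obj), obj.signature)


def issue_certificate(sic_name, serial, now, lifetime=5 * 365 * 86400):
    """SIC initialization: the ICA creates, signs and delivers a certificate."""
    cert = Certificate(sic_name, serial, now, now + lifetime)
    return replace(cert, signature=_sign(cert))


def issue_crl(issued_at, revoked=()):
    crl = CRL(issued_at, tuple(sorted(set(revoked))))
    return replace(crl, signature=_sign(crl))


def reset_trust(current, cert, now):
    """'Reset Trust State': revoke the gateway's certificate by issuing a
    newer ICA-signed CRL that lists its serial."""
    return issue_crl(now, current.revoked + (cert.serial,))


def newest_crl(*crls):
    """Peers holding different CRLs use the newest one; a CRL whose ICA
    signature does not verify (e.g. forged by an impostor) is ignored."""
    valid = [c for c in crls if _verify(c)]
    if not valid:
        raise ValueError("no ICA-signed CRL available")
    return max(valid, key=lambda c: c.issued_at)


def sic_status(cert, server_clock, gateway_clock, server_crl, gateway_crl,
               reachable=True):
    """Return (status, detail) in the manual's vocabulary: 'Unknown' (no
    connection), 'Not Communicating' (reachable, trust fails), 'Communicating'."""
    if not reachable:
        return "Unknown", "no connection to the gateway"
    if not _verify(cert):
        return "Not Communicating", "certificate was not issued by this ICA"
    crl = newest_crl(server_crl, gateway_crl)
    if cert.serial in crl.revoked:
        return "Not Communicating", f"certificate {cert.serial} revoked (CRL {crl.issued_at})"
    if abs(server_clock - gateway_clock) > SKEW_TOLERANCE:
        return "Not Communicating", "clocks not synchronized; fix time and retry"
    if not cert.not_before <= server_clock <= cert.not_after:
        return "Not Communicating", "certificate outside its validity period"
    return "Communicating", "secure channel established"


def demo():
    """The manual's scenarios on constructed data: healthy, clock skew,
    unreachable, forged certificate, trust reset, re-initialized trust."""
    t0 = 1_400_000_000
    gw = issue_certificate("CN=branch_gw,O=mgmt..constructed", 7, t0)
    crl_v1 = issue_crl(t0)
    out = {"fresh": sic_status(gw, t0 + 60, t0 + 60, crl_v1, crl_v1),
           "skew": sic_status(gw, t0 + 60, t0 + 3600, crl_v1, crl_v1),
           "down": sic_status(gw, t0 + 60, t0 + 60, crl_v1, crl_v1, False),
           "forged": sic_status(Certificate("CN=evil", 9, t0, t0 + 10**9, "00"),
                                t0 + 60, t0 + 60, crl_v1, crl_v1)}
    # Reset Trust on the management side. An impostor replaying the old
    # certificate still carries stale CRL v1, but the newest CRL always wins.
    crl_v2 = reset_trust(crl_v1, gw, t0 + 120)
    out["revoked"] = sic_status(gw, t0 + 200, t0 + 200, crl_v2, crl_v1)
    gw2 = issue_certificate(gw.sic_name, 8, t0 + 130)
    out["reissued"] = sic_status(gw2, t0 + 200, t0 + 200, crl_v2, crl_v2)
    return out
```

Calling demo() returns one (status, detail) pair per scenario; only the re-initialized certificate and the untouched healthy case end in Communicating.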
Learning Objectives:

* Given network specifications, perform a backup and restore the current Gateway installation from the command line.
* Identify critical files needed to purge or backup, import and export users and groups, and add or delete administrators from the command line.
* Deploy Gateways from the Gateway command line.

Check Point Deployment Platforms

Security Appliances

Dedicated Appliances

Check Point security appliances deliver powerful turnkey systems for deploying and managing Check Point's award-winning Software Blades to address virtually any security need for businesses of all sizes. All Check Point appliances are built around the unified Software Blade Architecture, enabling organizations to protect against rapidly evolving threats and perform all aspects of security management via a single, unified console. Strong and proven, the Check Point security appliances provide reliable services for thousands of businesses worldwide.

Private Cloud Emulation Appliances
* Threat Emulation prevents infections from undiscovered exploits, zero-day and targeted attacks. This innovative solution quickly inspects incoming files, launches suspicious files in a virtual sandbox, discovers malicious behavior and then prevents discovered malware from entering the network. The Private Cloud Emulation Appliance is an on-premise solution to emulate threats.

Threat Prevention Appliances
* A dedicated appliance focused on preventing threats attempting to enter your network. The Threat Prevention Appliances combine multiple threat-prevention Software Blades, including Anti-Bot and URL Filtering.

Secure Web Gateway
* Check Point's Secure Web Gateway Appliance enables secure use of Web 2.0 with the largest application coverage, unified control of all aspects of web, end-user education, integrated anti-malware and 360-degree visibility of all web activities.

DDoS Protector
* The Check Point DDoS Protector Appliances protect business-critical networks and block Denial of Service attacks with multi-layered protection and up to 12 Gbps of performance.

Carrier & Ultra High-End Data Center Security Systems

41000 and 61000 Security Systems
* Check Point Security Systems deliver high-performance, highly scalable Security Gateways that are carrier-grade, designed for data centers, telecommunication and cloud service providers.

21000 Appliances
* The 21000 Appliances deliver total protection with unmatched performance and flexibility. Equipped with the Security Acceleration Module, it delivers up to 110 Gbps of firewall throughput with sub-5 microsecond latency, making it an ideal solution for performance- and time-sensitive applications.

Data Center Security Systems

13500 Appliances
* Experience breakthrough Next Generation Firewall performance and unmatched scalability and serviceability in a compact 2 rack-unit chassis, to secure even the most demanding enterprise and data center environments.

12000 Appliances
* These datacenter-grade security appliances, with multi-core and acceleration technologies, redundant components and superior multi-Software Blade performance, are designed for high performance and reliability in even the most demanding enterprise network environments.

Enterprise Network Security Systems

4000 Appliances
* Today's enterprise security gateway needs to be more than just a firewall; it must use multiple technologies to secure and protect networks against evolving threats. The Check Point 4000 Appliances, with flexible network interface options and multi-core technology, offer the best performance for their class.

Small/Branch Office

2200 Appliances
* The Check Point 2200 Appliance offers enterprise-class security with leading price/performance in a compact desktop form factor. Combined with the Software Blade Architecture, it is an ideal solution for securing small offices and branch offices.

1100 Appliances
* The Check Point 1100 Appliances leverage the extensible Software Blades to deliver big security to the small branch office. These all-in-one appliances offer robust multi-layered protection with flexible network interfaces in a compact desktop form factor.

600 Appliance
* Check Point 600 Appliances deliver proven enterprise-grade security in a simple, affordable, all-in-one security solution to protect your employees, your applications and your data from cyber-theft, for small offices like yours.

Virtual Systems Management

Check Point Virtual Systems
* Check Point Virtual Systems consolidate and simplify security for private clouds. It enables Software Blades for customized protections against evolving network threats.

Smart-1 / Smart-1 SmartEvent Appliances
* Smart-1: Check Point Smart-1 Appliances deliver market-leading security management on a dedicated hardware platform specifically designed for mid-size and large enterprise networks.
* Smart-1 SmartEvent: Check Point Smart-1 Appliances deliver market-leading event management on a dedicated hardware platform specifically designed for mid-size and large enterprise networks.

More Check Point Appliances

X-Series Appliances
* Check Point X-Series Appliances provide organizations with the ultimate choice in carrier-grade chassis: integrated software and hardware bundles customized to their exact specifications.

IAS Appliances
* Check Point Integrated Appliance Solutions (IAS) Bladed Hardware provides organizations with the ultimate choice in carrier-grade chassis. IAS Bladed Hardware delivers integrated software and hardware solutions that are customized to your exact security needs, all while maintaining the network performance you require.

Small Business Appliances
* Check Point Safe@Office and UTM-1 Edge N appliances deliver proven, cost-effective and best-in-class security to small businesses quickly and easily, integrating firewall, IPS, anti-malware, URL Filtering and more.

SecurityPower - Choosing a Security Appliance

Check Point's SecurityPower is a new benchmark metric that allows customers to select security appliances by their capacity to handle real-world network traffic, multiple advanced security functions and a typical security policy. SecurityPower helps customers to accurately size and determine the appropriate appliances that can best meet their network security needs today, as well as support anticipated future traffic increases and additional security functions. Leveraging the new Check Point Appliance Selection Tool, the Check Point account team or Check Point partners can take criteria of the customer's network, including the required throughput performance and desired security functions, as inputs, and produce a SecurityPower requirement value. That value is then compared against the SecurityPower capacities of the range of Check Point appliances to determine and present candidates that can best meet the customer's network security and performance requirements.

Figure 24 - SecurityPower

Check Point Software Blade Architecture

Security environments become more complex as companies of all sizes defend themselves against new and varied threats. With these new threats come new security solutions, new vendors, costly new hardware, and increasing complexity. As IT comes under increasing pressure to do more with existing hardware and human resources, this approach becomes increasingly unacceptable. Check Point's Software Blade architecture offers a better way, enabling organizations to efficiently tailor targeted managed solutions that meet targeted business security needs. All solutions are centrally managed through a single console that reduces complexity and operational overhead. And as new threats emerge, Check Point's Software Blade architecture quickly and flexibly expands services as needed without the addition of new hardware or management complexity. Our pre-defined Software Blade Bundles take the guesswork out of choosing the right security with targeted, comprehensive security protections.

The Check Point Software Blade architecture is the first and only security architecture that delivers total, flexible and manageable security to companies of any size. With this unprecedented capability, Check Point Software Blades deliver lower cost of ownership and cost-efficient protection that meet any network security or endpoint security need, today and in the future.

A software blade is a logical security building block that is independent, modular and centrally managed. Software Blades can be quickly enabled and configured into a solution based on specific business needs. And as needs evolve, additional blades can be quickly activated to extend security to an existing configuration within the same hardware foundation.
Key Benefits of the Check Point Software Blade Architecture ‘+ Flexibility ~ Provides the right level of protection at the right level of investment © Manageability ~ Enables fast deployment of security services. Increases productivity through centralized blade management. * Total Security — Provides the right level of security, at all enforcement points, ‘and at all layers ofthe network + Lower TCO - Protects investment through consolidation and use of existing hardware infrastructure © Guaranteed performance ~ Enables provisioning of resources that guarantee service levels Software Blades can be deployed on Check Point security appliances, IP appliances, open servers, within virtualized environments, and on endpoints. New blades can be added simply by enabling their functionality in software; no aDeployment Platforms additional hardware, firmyvare or drivers are necessary. This enables organizations to deploy secutity dynamically, as needed, with lower total cost of deployment. Software Blade Bundles Next Generation Firewall ‘The Check Point Next Generation Firewall extends the power of the firewall beyond stopping unauthorized access by adding IPS and Application Control protections. Next Generation Firewalls come in many sizes and offer throughput of up to 110Gbps Next Generation Threat Prevention Unified next generation solution that prevents advanced threats and malware attacks and enables an organization to easily and confidently control access to millions of web sites. 
Protections include stopping application-specific attacks, botnets, targeted attacks, APTs, and zero-day threats, Next Generation Secure Web Gateway Embracing the current paradigm shift from simple URL filtering to comprehensive malware protection, the Check Point Secure Web Gateway provides an intuitive solution that enables secure use of Web 2.0 with real time multi-layered protection against web-borne malware, largest application coverage in the industry, advanced granular control, intuitive centralized ‘management, and essential end-user education functionality. Next Generation Data Protection Next Generation Data Protection solutions encompass all facets of protecting content from getting into the wrong hands. Data Loss Prevention (DLP) is an integral part of a data protection solution, however to fully protect data, multiple layers must be put into place. Check Point combines these layers into a complete solution protecting against confidential data inadvertently leaving the organization ® Check Point Security AdministrationStudent Manual ‘hack Paint Software Blade Architecture Security Gateway Software Blades * Firewall — The Check Point Firewall Software Blade builds on the award winning technology first offered in Check Point’s FireWall-1 solution to provide the industry's strongest level of gateway security and idemity awareness, Check Point's firewalls are trusted by 100% of the Fortune 100 and deployed by over 170,000 customers, and have demonstrated industry leadership and continued innovation since the introduction of FireWall-1 in 1994. * IPSec VPN — The Check Point IPSec VPN Software Blade provides secure connectivity to corporate networks for remote and mobile users, branch offices and business partners. 
The Software Blade integrates access control, authentication and encryption to guarantee the security of network connections over the public Internet, © Mobile Access Software Blade — Check Point Mobile ‘Access Software Blade is the safe and easy solution to ‘connect to corporate applications over the internet with your Smartphone, tablet or PC, The solution provides 7 enterprise-grade remote access via both Layer-3 VPN and SSL VPN, allowing you simple, safe and secure connectivity to your email, calendar, contacts and corporate applications. © Identity Awareness — Check Point Identity Awareness Software Blade provides granular visibility of users, groups ‘nd machines, providing unmatched application and access ‘control through the creation of accurate, identity-based policies. Centralized management and monitoring allows for policies to be managed from a single, unified console, ‘* Application Control — The Check Point Application Control Software Blade provides the industry's strongest application security and identity control to organizations of, all sizes. It enables IT teams to easily create granular policies—based on users or groups—to identify, block or limit usage of over 240,000 Web 2.0 applications and widgets.The Application Control Software Blade is a key component of the Secure Web Gateway Appliance. + IPS — The Check Point Intrusion Prevention System (IPS) Software Blade combines industry-leading IPS protection with breakthrough performance at a lower cost than traditional, stand-alone IPS solutions. 
The IPS Software Blade delivers complete and proactive intrusionDeployment Platiorme prevention—all with the deployment and management advantages of a unified and extensible next-generation firewall solution, DLP — The Check Point DLP Software Blade combines technology and processes to revolutionize Data Loss Prevention (DLP), helping businesses to pre-emptively protect sensitive information from unintentional loss, educating users on proper data handling policies and empowering them to remediate incidents in real-time, Web Security — The Check Point Web Security Software Blade provides a set of advanced capabilites that detect and prevent attacks launched against the Web infrastructure. ‘The Web Security Software Blade delivers comprehensive protection when using the Web for business and communication. URL Filtering — ‘The Check Point URL Filtering Software Blade provides optimized web security through full integration in the gateway to prevent bypass through ‘external proxies. Integration of policy enforcement with ‘Application Control means full Web and Web 2.0 protection, and UserCheck technology empowers and educates users on web usage policy in realtime. The URL Filtering Software Blade is a key component of the Secure Web Gateway Appliance. Anti-Bot — The Check Point Anti-Bot Software Blade detects bot infected machines, prevents bot damages by blocking bot C&C communications, and is continually updated from ThreaiCloud™, the first collaborative network to fight eybererime. ‘Threat Emulation — Check Point ThreatCloud Emulation Service prevents infections from undiscovered exploits, zero-day and targeted attacks. This innovative solution. quickly inspects files and runs them in a virtual sandbox to discover malicious behavior. Discovered malware is prevented from entering the network. 
* Antivirus & Anti-Malware — The enhanced Check Point Antivirus Software Blade uses real-time virus signatures and anomaly-based protections from ThreatCloud™, the first collaborative network to fight cybercrime, to detect and block malware at the gateway before users are affected. The Antivirus Software Blade is a key component of the Secure Web Gateway Appliance and Threat Prevention Appliance.

* Anti-Spam & Email Security — The Check Point Anti-Spam & Email Security Software Blade provides comprehensive protection for messaging infrastructure. A multidimensional approach protects email infrastructure, provides highly accurate anti-spam coverage and defends organizations from a wide variety of virus and malware threats delivered within email.

* Advanced Networking — The Check Point Advanced Networking and Clustering Software Blade simplifies network security deployment and management within complex and highly utilized networks, while maximizing network performance and security in multi-Gbps environments. This combination is ideal for high-end enterprise and datacenter environments where performance and availability are critical.

* Voice over IP (VoIP) — The Check Point VoIP Blade enables you to deploy VoIP applications such as telephony or video conferencing without introducing new security threats or needing to redesign your network. Because worms and VoIP-specific Denial of Service attacks can take IP phone services down, the Check Point family delivers an evolving solution that understands and protects against existing and new threats that may disrupt business continuity. Check Point solutions also reduce the complexity of VoIP deployment by eliminating such common pain points as incompatibility between VoIP and Network Address Translation.
* Security Gateway Virtual Edition — The Check Point Security Gateway Virtual Edition (VE) protects dynamic virtualized environments and external networks, such as private and public clouds, from internal and external threats by securing virtual machines and applications with the full range of Check Point Software Blades.

Security Management Software Blades

* Network Policy Management — The Check Point Network Policy Management Software Blade provides comprehensive, centralized network security policy management for Check Point gateways and Software Blades, via SmartDashboard, a single, unified console that provides control over even the most complex security deployments.

* Endpoint Policy Management — The Check Point Endpoint Policy Management Software Blade simplifies endpoint security management by unifying all endpoint security capabilities for PC and Mac in a single console. Monitor, manage, educate and enforce policy, from an at-a-glance dashboard down to user and machine details, all with a few clicks.

* Logging and Status — The Check Point Logging and Status Software Blade transforms data into security intelligence with SmartLog, an advanced log analyzer that delivers split-second search results providing real-time visibility into billions of log records over multiple time periods and domains.

* SmartWorkflow — The Check Point SmartWorkflow Software Blade provides a seamless and automated process for policy change management that helps administrators reduce errors and enhance compliance. Enforce a formal process for editing, reviewing, approving and auditing policy changes from a single console, for one-stop, total policy lifecycle management.
* Monitoring — The Check Point Monitoring Software Blade presents a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events. The Software Blade centrally monitors Check Point devices and alerts to changes to gateways, endpoints, tunnels, remote users and security activities.

* Management Portal — The Check Point Management Portal Software Blade allows browser-based security management access to outside groups such as support staff or auditors, while maintaining centralized control of policy enforcement. View security policies, the status of all Check Point products and administrator activity, as well as edit, create and modify internal users.

* User Directory — The Check Point User Directory Software Blade leverages LDAP servers to obtain identification and security information about network users, eliminating the risks associated with manually maintaining and synchronizing redundant data stores, and enabling centralized user management throughout the enterprise.

* SmartProvisioning — The Check Point SmartProvisioning Software Blade provides centralized administration and security provisioning of Check Point devices. Using profiles, administrators can automate device configuration and easily roll out changes to settings to multiple, geographically distributed devices, via a single security management console.

* SmartReporter — The Check Point SmartReporter Software Blade centralizes network security reporting of network, security and user activity into concise, predefined reports, to easily manage big data security and make faster, more informed security decisions.
* Multi-Domain Security Management — Security Management and Multi-Domain Security Management (Provider-1) segment your security management into multiple virtual domains.

Endpoint Software Blades

* Full Disk Encryption — The Check Point Full Disk Encryption Software Blade provides automatic security for all information on endpoint hard drives, including user data, operating system files and temporary and erased files. For maximum data protection, multi-factor pre-boot authentication ensures user identity, while encryption prevents data loss from theft.

* Media Encryption — The Check Point Media Encryption Software Blade provides centrally-enforceable encryption of removable storage media such as USB flash drives, backup hard drives, CDs and DVDs, for maximum data protection. Educating users on when to share and not share corporate data via UserCheck prevents future data sharing mistakes. Port control enables management of all endpoint ports, plus centralized logging of port activity for auditing and compliance.

* Remote Access — The Check Point Endpoint Remote Access VPN Software Blade provides users with secure, seamless access to corporate networks and resources when traveling or working remotely. Privacy and integrity of sensitive information is ensured through multi-factor authentication, endpoint system compliance scanning and encryption of all transmitted data.

Check Point Gaia

History - Power of Two

Check Point Gaia is the unified cutting-edge secure operating system for all Check Point Appliances, open servers and virtualized gateways. Gaia was derived from IPSO and SecurePlatform.

IPSO

Ipsilon Networks, the developers of IPSO, was a computer networking company specializing in IP switching.
The company was a key player in the introduction of label switching, and published early proposals on the subject. Label switching, or tag switching (Cisco Systems), was a technology that eventually became standardized as MPLS (Multiprotocol Label Switching). Nokia purchased Ipsilon Networks in 1997, and incorporated the IPSO operating system into their network appliances. Check Point bought Nokia's Security business unit in April 2008.

IPSO 3.x and 4.x were based on FreeBSD 2.x. IPSO 6.x is based on FreeBSD 6.x. As a stripped-down operating system, IPSO provided enough functionality to run Check Point firewalls, along with the incorporation of some standard Unix commands, such as top, ps, df. It also provided a hardened, secure operating system (no compilers included). IPSO also provided great visibility into kernel statistics, such as network counters, interrupts, and more.

IPSO contained many key differentiators from mainline FreeBSD, as well as from SecurePlatform:

* ipsctl: comparable to sysctl (BSD) and /proc (Linux)
* ipsrd: comparable to GateD or Quagga
* xpand and configuration database: single system configuration repository
* Voyager: Web-based management GUI for the operating system
* clish: command line shell supporting the same features as Voyager
* iclid: ipsrd command line interface daemon
* VRRP and IP Clustering: High Availability solutions
* ADP: Accelerated Data Path
* Boot Manager: similar to OpenBoot on Sun boxes
* CST: Configuration Summary Tool

SecurePlatform

Check Point's secure operating system, SecurePlatform, is based on a kernel from Red Hat Software, which allows SecurePlatform to benefit from the compatibility and stability testing performed by Red Hat Software. SecurePlatform has been hardened to eliminate any components that are not necessary for a network security device. Components that could present security exposure were removed or modified. The hardening of SecurePlatform components was audited by both Check Point staff and an independent security consulting organization.

Any software package not needed by network security services was removed from SecurePlatform. Required services that might present security risks were modified as necessary. Where the existing software could not be made secure, it was replaced. For example, the Web server used by the Web interface for system administration was developed internally at Check Point. The Web server is a small server, designed to perform only the functions required to allow Web-based system administration.

Routine management and maintenance of SecurePlatform is performed through a restricted shell, called Standard Mode. Most utilities needed to manage SecurePlatform and other installed Check Point products are accessed in Standard Mode. Many Standard Mode commands are "wrapped" in custom scripts to disable unnecessary options and make the utility easier to use. Standard Mode enhances the security of SecurePlatform by restricting access to utilities that, if used improperly, could damage system stability. Because of the usability enhancements in Standard Mode, extensive Linux knowledge is not required to perform routine management of SecurePlatform.

Because SecurePlatform does not include unnecessary software, superior performance is achieved. Resources are not consumed by software such as graphical user interfaces, office applications, and network file systems. All system resources are dedicated to the operating system and the installed Check Point products. SecurePlatform fully supports Check Point SecureXL, which can boost throughput rates for SecurePlatform installations to speeds up to three times faster than the throughput realized on similar hardware, with other operating systems, without SecureXL.
Benefits of Gaia

Check Point Gaia is the next-generation Secure Operating System for all Check Point appliances and open servers. Gaia combines the best features from IPSO and SecurePlatform (SPLAT) into a single unified OS providing greater efficiency and robust performance. With the support of the full suite of Software Blades, customers will benefit from improved connection capacity and the full breadth and power of Check Point security technologies by adopting Gaia.

Check Point Gaia, announced on April 17th 2012, offers 3 key value propositions:

* Combining the best features of IPSO and SecurePlatform
* Increased operational efficiency with a wide range of features
* A secure platform for the most demanding environments

As a 64-bit operating system, Gaia increases the connection capacity of select appliances. Customers migrating from IPv4 to IPv6 networks are secured with Gaia utilizing the Check Point Acceleration & Clustering technology. Gaia fits into the most complex networks by supporting dynamic routing, bridge mode and 802.3ad link aggregation.

Gaia simplifies and strengthens management with segregation of duties by enabling role-based administrative access. Furthermore, Gaia greatly increases operational efficiency by offering Intelligent Software Updates. Security management is made simple with the intuitive and feature-rich Web-based user interface and instant search for all commands and properties. Gaia is fully compatible with IPSO and SPLAT command line interface (CLI) commands, making it an easy transition from existing Check Point operating platforms.
Gaia Architecture

Table 2-1: Benefits of Gaia for SecurePlatform and IPSO Users

Benefits for IPSO users:
* Ease of use: configuration wizards, one-step install, one-click registration
* Full Software Blade support
* Higher connection capacity: 64-bit OS
* IPv6: supports dual stack and tunneling
* SecureXL and CoreXL acceleration
* Clustering options: ClusterXL and CoreXL acceleration
* Enhanced device management: image snapshot, device replication, automated software update

Benefits for SecurePlatform users:
* WebUI and CLI
* Role-based administration
* Multiple configuration sets
* Manageable dynamic routing
* Higher connection capacity: 64-bit OS
* IPv6: supports dual stack and tunneling
* SecureXL and CoreXL acceleration
* Clustering options: ClusterXL and CoreXL acceleration
* Enhanced device management: image snapshot, device replication, automated software update

Full Compatibility with IPSO and SPLAT CLI Commands

Transitioning to Gaia is a breeze for security administrators. The same powerful command line interface (CLI) commands from IPSO and SPLAT are seamlessly integrated into Gaia. Additional new commands and capabilities are also added to the Gaia CLI, making the powerful CLI interface even more intuitive to use.

Web-Based User Interface with Search Navigation

The intuitive WebUI delivers a refreshing user experience for security administrators. This interface integrates all management functions into a Web-based dashboard that is accessible via the most popular Web browsers: Internet Explorer, Chrome, Firefox and Safari. The built-in search navigation delivers instant results on commands and properties. For CLI-inclined users, a Shell Emulator pop-up window is only a single click away.

Role-Based Administrative Access

Segregation of duties is part of a good security policy and it improves operating efficiency and auditing of administrative events.
The role-based administrative access gives Gaia customers the ability and granularity to customize their security management policies to their particular business needs. Specific levels of access can be granted based on each individual's role and responsibility, building a stronger security environment.

Support for Industry Standard Authentication

The AAA component of Gaia manages user access to the appliance. Generally, AAA includes Authentication (identifying a user), Authorization (determining what a user is permitted to do), and Accounting (tracking some aspects of a user's activity). Gaia implements Pluggable Authentication Modules (PAM), an industry-standard framework for authenticating and authorizing users. Using PAM, authentication, account management, and session management algorithms are contained in shared modules that you configure on your appliance.

Support for Industry Standard Monitoring

Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level security. With USM, described in RFC 3414, access to the SNMP service is controlled on the basis of user identities. Each user has a name, an authentication pass phrase to identify the user, and an optional privacy pass phrase for protection against disclosure of SNMP message payloads. Managed devices use trap messages to report events to the Network Management Station (NMS). SNMP traps may be sent to the NMS in the event of a hardware or product change.

Intelligent Software Updates

Software updating is an important process to maintain robust security performance and high network integrity. It is also a process that can sometimes cause disruptions to network services or to your business. With the intelligent software updates offered by Gaia, new releases and patches can be pre-scheduled.

Practice and Review

Practice Labs

Lab 3: CLI Tools

Review

1. What are some of the advantages in deploying UTM-1 Edge Appliances?
2. How do you manage the Gaia Appliance?
3. How would you get Gaia system information?

Chapter 3: Introduction to the Security Policy

Learning Objectives:

The Security Policy is essential in administering security for your organization's network. This chapter examines how to create rules based on network objects, and modify a Security Policy's properties. In addition, this chapter will teach you how to apply Database Revision Control and Policy Package management, to decrease the burden of management when working with rules and objects.

* Given the network topology, create and configure network, host and gateway objects.
* Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.
* Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.
* Evaluate existing policies and optimize the rules based on current corporate requirements.
* Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.

Security Policy Basics

The Rule Base

The Security Policy is a set of rules that defines your network security using a Rule Base: rules comprised of network objects, such as gateways, hosts, networks, routers, and domains. Once a Rule Base is defined, the Policy is distributed to all Security Gateways across a network. Each rule in a Rule Base specifies the source, destination, service, and action to be taken for each session. A rule also specifies how a communication is tracked. Events can be logged, and then trigger an alert message.
The figure is an example of a Rule Base:

Figure 26 – Rule Base

Managing Objects in SmartDashboard

Objects are created by the System Administrator to represent actual hosts and devices, as well as intangible components, such as services (for example, HTTP and TELNET) and resources (for example, URI and FTP). Each component of an organization has a corresponding object that represents it. Once these objects are created, they can be used in the rules of the Security Policy. Objects are the building blocks of Security Policy rules and are stored in the Objects database on the Security Management Server.

Objects in SmartDashboard are divided into several categories, which can be viewed in the different tabs of the Objects Tree. For instance, the Network Objects tab represents the physical machines and logical components, such as dynamic objects and address ranges, that make up your organization.

When creating objects, the System Administrator must consider the needs of the organization:

* What are the physical and logical components that make up the organization? Each component that accesses the Security Gateway most likely needs to be defined.
* Who are the users and Administrators, and how should they be divided into different groups?

Figure 27 — SmartDashboard

SmartDashboard and Objects

SmartDashboard is comprised of three principal areas, known as panes. From these panes, objects are created, manipulated, and accessed. The following section describes the functions and characteristics of each pane.

Object-Tree Pane

The Objects tree is the main view for managing and displaying objects. Objects are distributed among logical categories (called tabs), such as Network Objects and Services. Each tab orders its objects logically. For example, the Services tab locates all services using ICMP in the folder called ICMP.
Objects-List Pane

The Objects tree works with the Objects list. The Objects list displays current information for a selected object category. For example, when a Logical Server network object is selected in the Objects tree, the Objects list displays a list of Logical Servers, with certain details displayed.

Object Types

The objects lists are divided into the following categories:

* Network
* Services
* Resources
* Servers and OPSEC Applications
* Users and Administrators
* VPN Communities

Rule Base Pane

Objects are implemented across various Rule Bases, where they are used in the rules of various Policies. For example, network objects are generally used in the Source, Destination or Install On columns, while time objects can be applied in any Rule Base within the Time column.

Managing Objects

The Objects Tree is the main view for adding, editing, and deleting objects, although these operations can also be performed from the menus, toolbars and other views, such as in Rule Bases. You create objects to represent actual hosts and devices, intangible components (such as HTTP and TELNET services) and resources (for example, URI and FTP). Make an object for each component in your organization. Then you can use the objects in the rules of the Security Policy. Objects are stored in the Objects database on the Security Management server.

Figure 28 — Object Tree

When you create your objects, consider the needs of your organization:

* What are the physical components in your network?
* What are the logical components: services, resources, and applications?
* What components will access the firewall?
* Who are the users, and how should they be grouped?
* Who are the administrators, and what are their roles?
* Will you use VPN, and if so, will it allow remote users?
Creating an Object with the Objects Tree

To add a new object, right-click the object type you would like to add. For example, in the Network Objects tab, right-click Networks and select Network from the displayed menu, or click the Action button on the Object List menu bar.

Editing an Object with the Objects Tree

To edit an existing object, right-click the desired object in the Objects tree and select Edit from the displayed menu, or double-click the object you would like to modify.

Deleting an Object with the Objects Tree

To delete an existing object, right-click the object in the Objects tree and click Delete from the displayed menu.

Classic View of the Objects Tree

In Classic view, network objects are displayed beneath their object type. For example, a corporate mail server would appear under the Node category. Check Point management stations and Security Gateways appear under the category Check Point, DAIP servers appear in the category Dynamic Objects, etc. Organizing objects by category is preferred for small-to-medium-sized deployments. SmartDashboard opens to Classic view by default, unless set to Group view.

Group View of the Objects Tree

In Group view, network objects are organized by the group objects to which they belong. For instance, group GW-group could include all of the gateway objects in an organization. You can switch to Group view by right-clicking Network Objects and selecting Arrange by groups. As changing views can at first be disorienting, a warning appears.

Creating the Rule Base

Each rule in a Rule Base defines the packets that match the rule, based on source, destination, service, and the time the packet is inspected. The first rule that matches a packet is applied, and the specified Action is taken. The communication may be logged and/or an alert may be issued, depending on what has been entered in the Track field.
Figure 29 — Adding a Rule

Basic Rule Base Concepts

SmartDashboard allows you to create a Rule Base, which builds your Security Policy from a collection of individual rules. Choose from the following options:

Add Rule — The position where the rule is to be placed: Bottom, Top, After, Before.

Delete Rule — Deletes the currently selected rule from the Rule Base.

Disable Rule — Disables a rule when testing a Security Policy; disabling a rule can also allow access to a previously restricted source or destination.

Hide — Hides, unhides, views, and manages hidden rules; hidden rules still apply, they are just not visible in SmartDashboard. This feature is normally used to temporarily move groups of rules out of view, to minimize confusion when an Administrator is working on a complex Rule Base.

Rule Expiration — Allows a rule to be set with an activation date and time, and an expiration date and time, or a rule can be restricted to specific hours and days.

Default Rule

The Default Rule is added when you add a rule to the Rule Base. You can configure this rule with all objects, services, and users installed on your database.

Figure 30 — Default Rule

The Default Rule is defined with the following information:

No. — Defines the number order of each rule; the first rule in the Rule Base is No. 1.

Hits — Tracks the number of connections each rule matches on this gateway.

Name — Gives Administrators a space to name the rule, helping to annotate the Rule Base; by default, it is blank.

Source — Displays the Object Manager screen, from which you can select network objects or a group of users, to add to the Rule Base; the default is Any.

Destination — Displays the Object Manager screen, from which you can select resource objects to add to the rule; the default is Any.
VPN — Displays the Add Objects VPN Communities screen, from which you can select a VPN Community to add to the rule; the default is Any Traffic.

Service — Displays the Service Manager screen, from which you can select services to add to the rule; the default is Any.

Action — Accepts, drops, or rejects the session, or provides authentication and encryption; the default is Drop.

Track — Defines logging or alerting for this rule; the default is None. The options are: Account, Alert, Log, Mail, None, SnmpTrap, and UserDefined.

Install On — Specifies which firewalled objects will enforce the rule; the default is Policy Targets, which means all internal firewalled objects. (Throughout this handbook, all labs and examples assume this default, and the Install On column is not shown.)

Time — Specifies the time period for the rule; the default is Any. (Throughout this handbook, all labs and examples assume this default and the Time column is not shown.)

Comment — Allows Administrators to add notes about this rule; the default is a blank comment field.

Basic Rules

There are two basic rules used by nearly all Security Gateway Administrators: the Cleanup Rule and the Stealth Rule.

Figure 31 — Basic Rules

Both the Cleanup and Stealth Rules are important for creating basic security measures, and tracking important information in SmartView Tracker.

Cleanup Rule — The Security Gateway follows the principle, "That which is not expressly permitted is prohibited". Security Gateways drop all communication attempts that do not match a rule. The only way to monitor the dropped packets is to create a Cleanup Rule that logs all dropped traffic. The Cleanup Rule, also known as the "None of the Above" rule, drops all communication not described by any other rules, and allows you to specify logging for everything being dropped by this rule.
Stealth Rule — To prevent any users from connecting directly to the Gateway, you should add a Stealth Rule to your Rule Base. Protecting the Gateway in this manner makes the Gateway transparent to the network. The Gateway becomes invisible to users on the network. The figure above displays a sample Stealth Rule. In most cases, the Stealth Rule should be placed above all other rules. Placing the Stealth Rule at the top of the Rule Base protects your Gateway from port scanning, spoofing, and other types of direct attacks. Connections that need to be made directly to the Gateway, such as Client Authentication, encryption and Content Vectoring Protocol (CVP) rules, always go above the Stealth Rule.

Rules Control Connections

The Security Gateway creates a Rule Base by translating the Security Policy into a collection of individual rules. The Security Gateway creates implicit rules, derived from Global Properties, and explicit rules, created by the Administrator in SmartDashboard.

Figure 32 — Implicit/Explicit Rules

An explicit rule is a rule that you create in the Rule Base. Explicit rules are displayed together with implicit rules in the correct sequence, when you select to view implied rules. To see how properties and rules interact, select Implied Rules from the View menu. Implicit rules appear without numbering, and explicit rules appear with numbering.

Implicit rules are defined by the Security Gateway to allow certain connections to and from the Gateway, with a variety of different services. The Gateway enforces two types of implicit rules that enable the following:

* Control Connections
* Outgoing packets

The Security Gateway creates a group of implicit rules that it places first, last, or before last in the explicitly defined Rule Base. These first implicit rules are based on the Accept control connections setting on the Global Properties window.
The Gateway anticipates other possible connections relating to Gateway communication, and also creates implicit rules for those scenarios. There are three types of Control Connections, defined by default rules:

* Gateway-specific traffic that facilitates functionality, such as logging, management, and key exchange
* Acceptance of IKE and RDP traffic for communication and encryption purposes
* Communication with various types of servers, such as RADIUS, CVP, UFP, TACACS, LDAP, and Logical Servers, even if these servers are not specifically defined resources in your Security Policy

Implied rules are generated in the Rule Base through Global Properties. Check the properties enforced in the FireWall Implied Rules screen, then choose a position in the Rule Base for the implied rule:

* First — first in the Rule Base
* Before Last — before the last rule in the Rule Base
* Last — last rule in the Rule Base

Detecting IP Spoofing

Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP address. This alteration makes it appear as though the packet originated in the part of a network with higher access privileges. The Security Gateway has a sophisticated anti-spoofing feature that detects such packets, by requiring that the interface on which a packet enters a gateway corresponds to its IP address.

Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from the internal network are actually coming from the internal-network interface. It also verifies that, once a packet is routed, it is going through the proper interface.
Configuring Anti-Spoofing ‘To properly configure anti-spoofing, networks that are reachable from an interface need tobe defined appropriately, For anti-spoofing to be most effective, itshould be configured on all gateway interfaces. If antispoofing is implemented na specific interface, spoof tracking fr that interface should also be defined. This wil help with both intrusion detection and troubleshooting ‘To activate anti-spoofing, configure the firewalled-interface properties. The ‘Topology tab of the Interface Properties window allows you to configure anti- spoofing properties of a gateway. ‘Student Marwal Beee Introduction to the Security Pol Rule Base Management [Asa network infiastructure grows, so will the Rule Base created to manage the network's traffic, Ifnot managed propetly, Rule Base order can affect Secutity Gateway performance and negatively impact traffic on the protected networks. Here are some gencral guidelines to help you manage your Rule Base effectively, Before creating a Rule Base for your system, answer the following questions: 4. Which objects are in the network? Examples include gateways, hosts, net- ‘works, routers, and domains, 2, Which user permissions and authentication schemes are needed? 3, Which services, including customized services and sessions, are allowed ‘across the network? ‘As you formulate the Rule Base for your Policy, these tips are useful to consider: ‘The Policy is enforced from top to bottom. © Place the most restrictive rules at the top of the Policy, then proceed with the generalized rules further down the Rule Base. If more permissive rules are located at the top, the restrictive rule may not be used properly. This allows misuse or unintended use of access, or an intrusion, due to improper rule configuration. © Keep it simple. Grouping objects or combining rules makes for visual clarity and simplifies debugging. If more than 50 rules are used, the Security Policy becomes hard to manage. 
Security Administrators may have difficulty determining how rules interact.
• Add a Stealth Rule and a Cleanup Rule first to each new Policy Package. A Stealth Rule blocks direct access to the Gateway itself. A Cleanup Rule is an explicit drop of everything not matched above it; using an explicit drop rule rather than relying on the implicit drop is recommended because the explicit rule can be logged.
• Limit the use of the Reject action in rules. If a rule is configured to reject, a message is returned to the source address, informing it that the connection is not permitted (which also tells a scanner that a filtering device is present, where a drop reveals nothing).
• Use section titles to group similar rules according to their function. For example, rules controlling access to a DMZ should be placed together, rules allowing an internal network access to the Internet should be placed together, and so on. This makes the Rule Base easier to modify, because it is easier to locate the appropriate rules.
• Comment each rule. Documentation eases troubleshooting and explains why rules exist. This assists when reviewing the Security Policy for errors and modifications, and is particularly important when the Policy is managed by multiple Administrators. The Comment option is also available when saving database versions; see the Database Revision Control section in this chapter.
• For efficiency, place the most frequently used rules above less frequently used rules. This must be done carefully, to ensure that a general accept rule is not placed before a specific drop rule.

Understanding Rule Base Order

Before you can define Security Policy properties, you must consider Rule Base order. The Security Gateway inspects packets by comparing them to the Security Policy one rule at a time, and the first rule that matches is applied. For this reason, it is important to define each rule in the Security Policy in the appropriate order. Firewall implied rules are placed first, last, or before last in the Rule Base, and can be logged. Anti-spoofing and IP options checks are performed before any rule is evaluated. Rules are then processed in the following order:

1. First: Implied rules in this position cannot be modified or overridden in the Rule Base, because the first rule that matches is always applied to the packet and no rule can be placed before them. Implied rules are processed before administrator-defined (explicit) rules.
2. Explicit: These are the administrator-defined rules, located between the First and the Before Last rules.
3. Before Last: These are more specific implied rules that are enforced before the last explicit rule is applied.
4. Last: Implied rules enforced after the last explicit rule in the Rule Base. That last explicit rule normally drops all packets and is usually referred to as the Cleanup Rule.
5. Implicit Drop Rule: Any packet that matches no rule at all is dropped. No logging occurs.

Completing the Rule Base

When you have defined the desired rules, you must install the Security Policy. The installation process specifies the network objects on which the Security Policy is installed. Only managed objects are available for Policy installation. In contrast, the Install On element in the Rule Base specifies the network object that is to enforce a specific rule.

There are times when verifying a Security Policy is useful to System Administrators. By verifying a Security Policy before installing it, you check that the rules are consistent and that there are no redundant rules (rules that can never be reached because an earlier rule already covers them).

Policy Management and Revision Control

Policies are created by the system administrator and managed via the Security Management Server. Different versions of these policies can be saved. Each version includes backups of the various databases (objects, users, Certificate Authority data, etc.). This information is zipped and saved. The existing versions are recorded in a Version table. This table can be viewed and the versions which are displayed can be modified.
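The processing order in Understanding Rule Base Order and the verification step in Completing the Rule Base, as an added example that is not Check Point code: a Python model of a Rule Base that places implied rules in the First, Before Last and Last positions around the explicit rules, applies the first matching rule, falls through to an unlogged implicit drop, and reports rules that can never be reached. The object names, services and rules are constructed for the example.

```python
ANY = "Any"


def _norm(field):
    """A rule field is Any or a frozenset of object names."""
    if field == ANY:
        return ANY
    return frozenset([field]) if isinstance(field, str) else frozenset(field)


def _covers(field, value):
    """Does a rule field match one concrete value from a packet?"""
    return field == ANY or value in field


def _superset(a, b):
    """Does rule field a match everything rule field b could match?"""
    return a == ANY or (b != ANY and b <= a)


class Rule:
    def __init__(self, name, src, dst, service, action, track="Log"):
        self.name, self.action, self.track = name, action, track
        self.src, self.dst, self.service = _norm(src), _norm(dst), _norm(service)

    def matches(self, src, dst, service):
        return (_covers(self.src, src) and _covers(self.dst, dst)
                and _covers(self.service, service))

    def shadows(self, other):
        """True when every connection `other` could match is already matched by self."""
        return (_superset(self.src, other.src) and _superset(self.dst, other.dst)
                and _superset(self.service, other.service))


class RuleBase:
    """Order of enforcement: First implied rules, explicit rules, Before Last
    implied rules (in front of the last explicit rule, normally the Cleanup
    Rule), Last implied rules, then the implicit drop, which is never logged."""

    def __init__(self, first=(), explicit=(), before_last=(), last=()):
        explicit = list(explicit)
        self.rules = (list(first) + explicit[:-1] + list(before_last)
                      + explicit[-1:] + list(last))

    def decide(self, src, dst, service):
        for rule in self.rules:
            if rule.matches(src, dst, service):
                return rule.action, rule.name, rule.track
        return "drop", "implicit drop", "None"

    def verify(self):
        """Rules that can never be reached because an earlier rule covers them."""
        problems = []
        for i, rule in enumerate(self.rules):
            for earlier in self.rules[:i]:
                if earlier.shadows(rule):
                    problems.append(f"'{rule.name}' is shadowed by '{earlier.name}'")
                    break
        return problems


def demo_rulebase():
    """Constructed Rule Base with one deliberate ordering mistake."""
    gw = "fw-gw"
    first = [Rule("implied: control connections", ANY, gw, {"FW1_log", "CPD", "IKE"}, "accept")]
    explicit = [
        Rule("stealth", ANY, gw, ANY, "drop"),
        Rule("internal to internet", "net_internal", ANY, {"http", "https", "dns"}, "accept"),
        Rule("dmz web", ANY, "dmz_web", {"http", "https"}, "accept"),
        Rule("any web", ANY, ANY, {"http"}, "accept"),                  # general accept placed too high
        Rule("block lab from web", "net_lab", ANY, {"http"}, "drop"),   # specific drop, never reached
        Rule("cleanup", ANY, ANY, ANY, "drop"),
    ]
    before_last = [Rule("implied: accept ICMP", ANY, ANY, {"icmp"}, "accept")]
    return RuleBase(first, explicit, before_last)


if __name__ == "__main__":
    rb = demo_rulebase()
    print([r.name for r in rb.rules])
    print(rb.decide("net_lab", "203.0.113.9", "http"))   # accepted by 'any web', not dropped
    print(rb.verify())
```

Two things the model makes visible. The Before Last implied rule lands in front of the Cleanup Rule, which is why it can still match; an implied rule in the Last position would sit behind the Cleanup Rule and only matter when no Cleanup Rule exists. And the "general accept above a specific drop" mistake from the tips list does not cause an error at install time; it simply makes the drop rule unreachable, which is exactly what the verification step is meant to report.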
It is possible to:

• Create a version
• Export and import a version
• View a version
• Revert to a previous version
• Delete a version

Versions can be created manually by the system administrator, or the system can be set to automatically create a new version every time Security Policy installation takes place. It is recommended to create a version before upgrading the system. This enables the administrator to back out to a functioning environment in case of problems during the upgrade operation.

Important - The Revision Control feature is not supported when the Security Management database contains VSX objects. In that case you must not select the Create database version option in SmartDashboard when you install a policy.

Policy Package Management

Some circumstances require multiple versions of a Security Policy while the object database needs to stay the same. Often this is the case when adding or consolidating rules in an existing Rule Base, or when creating a new set of rules for a Gateway. In these circumstances, using Policy Package management is better than creating multiple versions of the system database.

These two points are worth considering when saving your Policies:

• A new Policy Package includes Firewall, Address Translation, Application & URL Filtering, Anti-Bot & Anti-Virus, QoS and Desktop Security policies.
• It is an ideal management utility for a distributed installation with multiple Security Gateways; specific Policies are created for specific Security Gateways.

The Security Management Server provides a wide range of tools that address various Policy management tasks, both at the definition stage and at the maintenance stage:

• Policy Packages — Allow you to easily group different types of Policies, to be installed together on the same installation target(s).
• Predefined Installation Targets — Allow you to associate each Policy Package with the appropriate set of Gateways. This frees you of the need to repeat the Gateway selection process every time you install (or reinstall) the Package, while you can still easily modify the list at any time. In addition, it minimizes the risk of installing Policies on inappropriate targets.
• Section Titles — Allow you to visually break your Rule Base into subjects, thereby improving your orientation and your ability to locate rules and objects of interest.
• Queries — Provide versatile search capabilities for both objects and the rules in which they are used.
• Sorting — Using the Objects tree and Objects list pane is a simple and quick way to locate objects; this is greatly facilitated by consistent use of naming and coloring conventions.

Database Revision Control

Database Revision Control gives the Administrator the freedom to create fallback configurations when implementing new objects and rules, or when adjusting rules and objects as networks change. This helps the Administrator test new Rule Base and object configurations, and can be used to revert to an earlier configuration for troubleshooting. Consider these points when saving your Policies:

• A database version consists of all Policies on a single Gateway, and all objects and users configured, including settings in SmartDefense and Global Properties.
• It is an ideal management utility for a stand-alone deployment, or a distributed deployment with a single Gateway.
• It is configurable to automatically create new database versions on Policy installation.

This table compares Database Revision Control with Policy Package Management:

Database Revision Control
  • A database version consists of all Policies, objects and users configured, including settings in SmartDefense and Global Properties
  • Ideal management utility for a stand-alone deployment, or a distributed deployment with a single Gateway
  • Configurable to automatically create new database versions on Policy installation

Policy Package Management
  • A Policy Package includes only the Policies themselves (Security and NAT, QoS, Desktop Security and the other Policy types), not the object and user database
  • Ideal management utility for a distributed installation with multiple Security Gateways; specific Policies are created for specific Security Gateways

Multicasting

Multicasting transmits a single message to a select group of recipients. A typical use of multicasting is to distribute real-time audio and video to a set of hosts that have joined a distributed conference. IP multicasting applications send one copy of each IP packet and address it to a group of computers that want to receive it. This technique addresses datagrams to a group of receivers at a multicast address, rather than to a single receiver at a unicast address. Network routers forward the datagrams only to those routers and hosts that need to receive them.

Figure 34 — Multicast Address Range Properties

The Multicast Restrictions tab in the Interface Properties window drops multicast packets according to configured conditions. Security Administrators can configure a list of address ranges to drop or accept.
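The interface-level multicast restriction described above, together with the Rule Base step from the procedure that follows, as an added example that is not Check Point code: a Python model of a Multicast Address Range object (which the procedure requires to lie within 224.0.0.0-239.255.255.255), the two drop conditions of the Multicast Restrictions tab, and the two-stage decision a multicast packet goes through. The mode names, range names and addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# The address space a Multicast Address Range object must lie in (step 3 of the
# procedure that follows): 224.0.0.0-239.255.255.255, i.e. 224.0.0.0/4.
MULTICAST_SPACE = ip_network("224.0.0.0/4")


class MulticastAddressRange:
    """Models the Multicast Address Range object: a single address or a range."""

    def __init__(self, name, first, last=None):
        self.name = name
        self.first = ip_address(first)
        self.last = ip_address(last) if last else self.first
        if self.first > self.last:
            raise ValueError(f"{name}: first address is after last address")
        if self.first not in MULTICAST_SPACE or self.last not in MULTICAST_SPACE:
            raise ValueError(f"{name}: {self.first}-{self.last} is outside "
                             f"{MULTICAST_SPACE[0]}-{MULTICAST_SPACE[-1]}")

    def contains(self, addr):
        return self.first <= addr <= self.last


class MulticastRestriction:
    """The Multicast Restrictions tab of one interface. mode is either
    'drop_listed' (drop packets whose group is in the list) or
    'accept_only_listed' (drop every multicast packet not in the list).
    The mode names are this example's, not the GUI's wording."""

    def __init__(self, mode, ranges):
        if mode not in ("drop_listed", "accept_only_listed"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.ranges = mode, list(ranges)

    def passes(self, dst):
        """True if the packet survives the interface restriction."""
        listed = any(r.contains(dst) for r in self.ranges)
        return (not listed) if self.mode == "drop_listed" else listed


def multicast_verdict(restriction, allowed_groups, dst):
    """Two-stage decision from the procedure: the interface restriction first,
    then the Rule Base rule whose destination lists the allowed groups."""
    dst = ip_address(dst)
    if dst not in MULTICAST_SPACE:
        return "not multicast"
    if restriction is not None and not restriction.passes(dst):
        return "drop: interface multicast restriction"
    if not any(g.contains(dst) for g in allowed_groups):
        return "drop: no rule allows this group"
    return "accept"


def demo():
    """Constructed configuration: the interface drops administratively scoped
    groups, and the Rule Base allows only OSPF and one conferencing range."""
    admin_scoped = MulticastAddressRange("admin-scoped", "239.0.0.0", "239.255.255.255")
    restriction = MulticastRestriction("drop_listed", [admin_scoped])
    allowed = [MulticastAddressRange("ospf-all-routers", "224.0.0.5"),
               MulticastAddressRange("conference", "232.10.0.0", "232.10.0.255")]
    return restriction, allowed


if __name__ == "__main__":
    restriction, allowed = demo()
    for group in ("239.1.1.1", "224.0.0.5", "232.10.0.77", "224.0.0.9"):
        print(group, multicast_verdict(restriction, allowed, group))
```

The point of the second stage is step 4 of the procedure: passing the interface restriction only means the packet reaches the Rule Base, and a group that no rule lists as a destination is still dropped there.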
Figure 35 — Interface Properties

To configure multicast access control:

1. In the Topology window of the Gateway's General Properties, edit the appropriate interface.
2. In the Interface Properties window's Multicast Restrictions tab, select Drop Multicast packets by the following conditions.
3. After selecting your drop option and clicking Add, you are prompted to select a Multicast Address Range in the Add Object window. Click Add, and in the Multicast Address Range Properties window, define either an IP address range or a single IP address within the range 224.0.0.0-239.255.255.255.
4. In the Rule Base, add a rule to allow the required multicast groups. In the destination of the rule, specify the multicast groups defined in step 3.
5. Save and install the Policy.

Practice and Review

Practice Labs
Lab 4: Building a Security Policy
Lab 5: Configuring the DMZ

Review
1. Objects are created by the Security Administrator to represent actual hosts and devices, as well as services and resources, to use when developing the Security Policy. What should the Administrator consider before creating objects?
2. What are some important considerations when formulating or updating a Rule Base?

CHAPTER 4
Monitoring Traffic and Connections

Learning Objectives

To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns.

• Use Queries in SmartView Tracker to monitor IPS and common network traffic, and troubleshoot events using packet data.
• Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.
• Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor Suspicious Activity rules, analyze tunnel activity, and monitor remote user access based on corporate requirements.

SmartView Tracker

Check Point's SmartView Tracker provides visual tracking, monitoring, and accounting information for all connections logged by Check Point components. Online viewing features enable real-time monitoring of network activity. SmartView Tracker provides control over every event, including those causing alerts, as well as certain important system events, such as Security Policy installation or uninstallation.

To log in to SmartView Tracker, select SmartConsole > SmartView Tracker from the SmartDashboard main menu, or click Start > Programs > Check Point SmartConsole R77 > SmartView Tracker.

Figure 36 — SmartView Tracker

Log Types

The format of the log entries requested by a rule is determined by the log type specified in the rule. You can select the log entries and data fields to display. SmartView Tracker also allows you to navigate the log file. You can display one of several log types from the Network & Endpoint Queries tree, as shown.

Log types are defined as either predefined or custom. The predefined types include log details specific to that type. For instance, UA WebAccess displays UserAuthority Web access log data for SecureClient entries, and the Account type displays changes made to fields over time.

Figure 37 — Log Types

SmartView Tracker toolbar buttons also enable Administrators to define custom log queries that can be saved for recurring use. A custom query allows the column widths to be modified, and also allows selection of which log information to display.

SmartView Tracker Tabs

SmartView Tracker has three predefined, optional views. These views can be modified and saved. Select views with the tabs located above the main log-viewing area, as shown below:

• Network & Endpoint tab — Displays the default view for SmartView Tracker, and shows all security-related events.
• Active tab — Shows currently open, active connections in SmartView Tracker. The Active Connections screen displays as shown in Figure 5-3, and also includes the Elapsed time (duration) of the connection, the Bytes (amount of data passed on the connection), and any additional information about the connection.
• Management tab — Displays only audit entries in SmartView Tracker; this enables you to track changes made to objects in the Rule Base, and tracks general SmartDashboard use.

Figure 38 — SmartView Tracker Tabs

Action Icons

Each tab displays log fields regarding both the product that generated the log and the type of operation performed. Action icons provide a visual representation of the log's operation. Some of the actions recorded by SmartView Tracker are:

• Reject — The connection was blocked, and the source was notified.
• Drop — The connection was dropped without notifying the source.
• Encrypt — The connection was encrypted.

Working with SmartView Tracker

Log-File Management

The SmartView Tracker toolbar allows you to perform the following tasks:

1. Open Log File — When you select Open, you can open other log files.
2. Save Log File As — When saving a log file, the current log entries are written to a file. Only the records that match the selection criteria are saved to the file, both entries that are visible on the screen and those that are not visible.
3. Switch Log File — In this window, you can select the default log file or specify a particular log file name. This operation actually performs a log file switch.
4. Remote Files Management — In this window, you can transfer log files from a remote machine to the machine to which SmartView Tracker is currently connected.
5. Show or hide Fetch Progress — After clicking Get File List from the Remote Files Management window, you can click Fetch Files and toggle the display of the Files Fetch Progress window. The file transfer operation continues even if the Files Fetch Progress window is closed; it is interrupted only if you click the Abort button.
6. Query Options — These buttons allow you to toggle the display of the query tree pane, open an existing query, save a custom query, or save a custom query under a new name.

Administrator Auditing

SmartView Tracker logs Security Administrator activities, including:

• Administrator login and logout
• Object creation, deletion, and editing
• Rule Base changes

Administrator auditing simplifies the process of tracking and troubleshooting Security Policy changes, especially in environments with more than one Administrator. Via the Management tab, it is possible to see the changes made by a particular Administrator, or to see who modified an object and what changes were made.

Figure 39 — Auditing

Logging provides a historical record of logged connections.
Logs are essential for security management, so properly configuring the Security Gateway to log the connections of interest is important.

Log and Alert

The Global Properties - Log and Alert window, accessed by clicking Policy > Global Properties > Log and Alert, allows you to define global log-and-alert parameters:

VPN successful key exchange — Specifies the action to be taken when VPN keys are successfully exchanged.

VPN packet handling errors — Specifies the action to be taken when encryption or decryption errors occur.

VPN configuration and key exchange errors — Specifies the action to be taken when logging configuration or key-exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same VPN Domain.

IP Options drop — Specifies the action to take when a packet with IP options is encountered; the Security Gateway always drops these packets, but you can log them or issue an alert.

Administrative notifications — Specifies the action to be taken when an administrative event occurs, for example, when a certificate is about to expire.

SLA violation — Specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.

Connection matched by SAM — Specifies the action to be taken when a connection is blocked by Suspicious Activities Monitoring (SAM); for information about SAM, see http://www.opsec.com.

Dynamic object resolution failure — Specifies the action to be taken when a dynamic object cannot be resolved.

Log every authenticated HTTP connection — Specifies that a log entry should be generated for every authenticated HTTP connection.

Log VoIP connection — Generates additional log entries for every VoIP connection; additional log entries for SIP contain information about the user (a SIP URL, for example [email protected]). Additional log entries for H.323 contain information about phone numbers.

Time Settings

The Time Settings window allows you to configure time settings associated with system-wide logging-and-alert parameters:

Excessive log grace period — Specifies the minimum amount of time between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address and destination port, and the same protocol. After the first packet, similar packets encountered within the grace period are still acted upon according to the Security Policy, but only the first packet generates a log entry or an alert.

SmartView Tracker resolving — After the specified amount of time, displays a log page without resolving names, showing only IP addresses.

Virtual Link statistics logging interval — Specifies the frequency with which Virtual Link statistics are logged; this parameter is relevant only for Virtual Links defined with Log SLA values enabled in the SLA Parameters tab of the Virtual Link window. Virtual Links are defined by clicking Manage > SmartView Monitor > Virtual Links from the main menu.

Status fetching interval — Specifies the frequency at which the Security Management Server queries the Security Gateway, Check Point QoS, and other software it manages for status information; any value from 30 to 900 seconds can be entered in this field.

Blocking Connections

You can terminate an active connection and block further connections from and to specific IP addresses using the SmartView Tracker Block Intruder function. To block an active connection with Block Intruder, select the connection you want to block, then select Tools > Block Intruder from the menu.

Figure 40 — Block Intruder

The Block Intruder window displays.
In the Blocking Scope fields, select one of the options:

• Block all connections with the same source, destination and service — The connection is terminated, and so is any other connection with the same source, destination and service.
• Block access from this source — The connection is terminated, and all further attempts to establish connections from this source IP address are denied.
• Block access to this destination — The connection is terminated, and all further attempts to establish connections to this destination IP address are denied.

In the Blocking Timeout field, select one of the options:

• Indefinite — Block all further access.
• For ... minutes — Block all further access attempts for the specified number of minutes.

In the Force this blocking field, select one of the options:

• Only on ... — Block access attempts only through the indicated Security Gateway.
• On any Security Gateway — Block access attempts through all Security Gateways defined as gateways or hosts on the log server.

The block is enforced on the gateway as a Suspicious Activity Monitoring (SAM) rule, which is why it takes effect without installing a Policy. The connection remains blocked until you choose Tools > Clear Blocking from the main menu.

SmartView Monitor

SmartView Monitor is a high-performance network and security analysis system that helps you administer your network by establishing work habits based on learned system-resource patterns. SmartView Monitor provides a single, central interface for monitoring network activity and the performance of Check Point applications. It allows Administrators to easily configure and monitor different aspects of network activity. Graphical views can be viewed from an integrated, intuitive GUI.

Figure 41 — SmartView Monitor

Predefined views include the most frequently used traffic, counter, tunnel, gateway, and remote-user information.
For example, Check Point system counters collect information on the status and activities of Check Point Software Blades (for example, Firewall). Using custom or predefined views, Administrators can drill down on the status of a specific gateway and/or segment of traffic to identify top bandwidth hosts that may be affecting network performance. If suspicious activity is detected, Administrators can immediately apply a security rule to the appropriate Security Gateway to block that activity. These security rules can be created dynamically via the graphical interface, and can be set to expire within a certain time period.

Real-time and historical reports of monitored events can be generated to provide a comprehensive view of gateways, tunnels, remote users, network, security, and Security Gateway performance over time. To log in to SmartView Monitor, select Window > SmartView Monitor from the SmartDashboard main menu, or click Start > Programs > Check Point SmartConsole R77 > SmartView Monitor.

Customized Views

SmartView Monitor provides graphical views depicting data for several types of measurements, including bandwidth, round-trip time, packet rate, CPU use, etc. The most efficient way to yield helpful information is to create a view based on your specific needs. It is possible to create customized views for each view type (for example, status, traffic, system statistics, and tunnels). The customization provides the ability to filter specific data and to decide how the data is displayed.

Gateway Status View

SmartView Monitor provides information about the status of all Gateways in a network. The data in the results pane (upper right) provides information about all Gateways in the organization, as well as pertinent information about each Gateway (such as its IP addresses, the last time it was updated, and its status). This information is directly linked to the view selected in the tree pane (left). Each row in the table represents a Gateway.

Traffic View

SmartView Monitor makes Administrators aware of traffic associated with specific network activities, servers, clients, etc., as well as the activities, hardware, and software use of different Check Point products in real time. Among other things, this knowledge enables Administrators to:

• Block specific traffic when a threat is detected.
• Assume instant control of traffic flow on a Gateway.
• Learn how many tunnels are currently open, or the rate of new connections passing through the Security Gateway.

You can generate fully detailed or summarized graphs and charts for all connections, and for numerous rates and figures when calculating network use.

System Counters provide in-depth details on Gateway use and activity. As a Security Administrator, you can generate system status information about:

• Resource use for the variety of components associated with the Security Gateway.
• Gateway performance statistics for a variety of firewalled components.
• Suspicious activity, so that it can be detected and monitored.

Tunnels View

VPN tunnels are secure links between Security Gateways, and ensure secure connections between an organization's gateways and its remote-access clients. Once tunnels are created and put to use, Administrators can keep track of their normal functions, so that possible malfunctions and connectivity problems can be identified and solved as soon as possible.

Figure 42 — Tunnels

To ensure this level of security, SmartView Monitor can recognize malfunctions and connectivity problems by constantly monitoring and analyzing the status of an organization's tunnels. With the use of tunnel queries, Administrators can generate fully detailed reports that include information about all tunnels that fulfil specific tunnel-query conditions. With this information, it is possible to monitor tunnel status, the VPN Community with which a tunnel is associated, the Gateways to which a tunnel is connected, etc.

Remote Users View

The Remote Users view allows you to keep track of the VPN remote users currently logged in (i.e., SecuRemote, SecureClient and SSL Network Extender, and in general any IPSec client connecting to the Security Gateway). It provides you with filtering capabilities, making it easier to navigate through the entries.

Figure 43 — Remote Users

The Remote Users view provides detailed real-time information about remote users' connectivity, using data collected from sources such as current open sessions, overlapping sessions, routed traffic, and connection time.

Cooperative Enforcement

Cooperative Enforcement is a feature that works in conjunction with the Endpoint Server. The Cooperative Enforcement view utilizes the Endpoint Server compliance capability to verify connections arriving from various hosts across the internal network. Easily deployed and managed, the Endpoint Server mitigates the risk of hackers, worms, spyware, and other security threats.

Figure 44 — Cooperative Enforcement

Using Cooperative Enforcement, any host initiating a connection through a Gateway is tested for compliance. The Gateway generates logs for unauthorized hosts. The logs generated for both authorized and unauthorized hosts can be viewed in SmartView Monitor. This increases the integrity of the network, because it prevents hosts with malicious software components from accessing the network.

This feature acts as a middleman between hosts managed by an Endpoint Server and the Endpoint Server itself. It relies on the Endpoint Server compliance feature, which defines whether a host is secure and can block connections that do not meet the defined prerequisites of software components.
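The Excessive log grace period under Time Settings and the Block Intruder scopes, timeouts and gateway selection under Blocking Connections, both earlier in this chapter, as an added example that is not Check Point code: a Python model that suppresses repeat log entries for similar packets and enforces Block Intruder decisions against a stream of connection records. The connection records, addresses, gateway names and scope names are constructed for the example.

```python
from collections import namedtuple

# one connection as SmartView Tracker would show it; t is in seconds
Conn = namedtuple("Conn", "t src sport dst dport proto")


class LogGrace:
    """Excessive log grace period: two packets are similar when source address,
    source port, destination address, destination port and protocol all match.
    Only the first of a run of similar packets inside `grace` seconds is logged;
    the others are still enforced by the Policy, just not logged."""

    def __init__(self, grace_seconds):
        self.grace = grace_seconds
        self.last_logged = {}

    def should_log(self, c):
        key = (c.src, c.sport, c.dst, c.dport, c.proto)
        prev = self.last_logged.get(key)
        if prev is not None and c.t - prev < self.grace:
            return False          # similar packet inside the grace period
        self.last_logged[key] = c.t
        return True


class BlockIntruder:
    """Tools > Block Intruder. Each block records its scope, an optional expiry
    ('Indefinite' when None) and the gateway it is forced on (None = any)."""

    SCOPES = ("same_connection", "source", "destination")   # example's own names

    def __init__(self):
        self.blocks = []

    def block(self, conn, scope, minutes=None, gateway=None):
        if scope not in self.SCOPES:
            raise ValueError(scope)
        expires = None if minutes is None else conn.t + minutes * 60
        self.blocks.append((scope, conn, expires, gateway))

    def clear_blocking(self):
        """Tools > Clear Blocking."""
        self.blocks.clear()

    def is_blocked(self, conn, gateway):
        for scope, ref, expires, gw in self.blocks:
            if expires is not None and conn.t >= expires:
                continue                      # 'For ... minutes' has elapsed
            if gw is not None and gw != gateway:
                continue                      # forced 'Only on' another gateway
            if scope == "same_connection":    # same source, destination and service
                same = ((conn.src, conn.dst, conn.dport, conn.proto)
                        == (ref.src, ref.dst, ref.dport, ref.proto))
            elif scope == "source":
                same = conn.src == ref.src
            else:
                same = conn.dst == ref.dst
            if same:
                return True
        return False


if __name__ == "__main__":
    # constructed: one host retrying SSH to the same server every 15 seconds
    probe = Conn(0, "198.51.100.7", 40000, "10.1.1.20", 22, "tcp")
    grace = LogGrace(60)
    print([grace.should_log(probe._replace(t=t)) for t in range(0, 120, 15)])
    blocker = BlockIntruder()
    blocker.block(probe, "source", minutes=10, gateway="gw-a")
    print(blocker.is_blocked(Conn(200, "198.51.100.7", 40001, "10.1.1.30", 80, "tcp"), "gw-a"))
```

Two behaviours worth noticing when reading logs. A quiet gap in the log for a noisy source does not mean the traffic stopped: within the grace period the gateway is still enforcing the rule for each packet and only the first entry is recorded. And a block forced Only on one gateway does nothing on the others, so a source that can reach a second gateway is only stopped there by choosing On any Security Gateway.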
Monitoring Suspicious Activity Rules

The fast-changing network environment demands the ability to react immediately to a security problem, without having to change the entire network's Rule Base (for example, to instantly block a specific user). All inbound and outbound network activity should be inspected and identified as suspicious when necessary (for instance, when network or system activity indicates that someone is attempting to break in).

Figure 45 — External Suspicious Activity Rules

SmartView Monitor enables the integration of a suspicious-activity monitoring program that is used to modify access privileges upon detection of any suspicious network activity. This detection is based on the creation of Suspicious Activity rules. Suspicious Activity rules are security rules that enable the Administrator to instantly block suspicious connections that are not restricted by the currently enforced Security Policy. These rules can be applied immediately, without the need to install a Policy.

Monitoring Alerts

Alerts provide real-time information about vulnerabilities to computing systems and how they can be eliminated. Check Point alerts users to potential threats to the security of their systems, and provides information about how to avoid, minimize, or recover from the damage.

Alerts are sent by the Security Gateways to the Security Management Server. The Security Management Server then forwards these alerts to the SmartView Monitor SmartConsole, which is actively connected to the Security Management Server. Alerts are sent to draw the Administrator's attention to problematic Gateways, and are displayed in SmartView Monitor.
These alerts are sent: © Ifcertain rules or attributes, which are set to be tracked as alerts, are matched by a passing connection. © Ifsystem events, also called System Alerts, are configured to trigger an alert when various thresholds are surpassed. ‘The Administrator can define alerts to be sent for different Gateways. These alerts are sent under certain conditions, such is if they have been defined for certain Policies, or if they have been set for different properties. By default, an alert is sent as a message to the Administrator’s desktop when a new alert arrives in SmartView Monitor. Alerts can also be sent for certain system events. If certain conditions are set, you can receive System Alerts for critical situation updates; for example, if free disk space is less than 10 percent, or if a Security Policy has been changed. System Alerts are characterized as follows: * ‘They are defined per product. For instance, you may define certain System Alerts for Check Point QoS that would not apply to Connectra + ‘They may be global or per Gateway. You can set global alert parameters for all Gateways in the system, or you can specify a particular alert for a particular Gateway. © They are displayed and viewed via the same user-friendly window. The information SmantView Monitor gathers also includes status information about OPSEC gateways and network objects ‘After reviewing the status of certain clients in SmartView Monitor, you may decide to take decisive action for a particular client or cluster member, for instance: * Disconnect client — If you have the correct permissions, you can choose to disconnect one or more of the connected SmartConsole clients, Click the Disconnect Client button on the Results pane toolbar. © Start/Stop Cluster Member — All cluster members of a given gateway cluster can be viewed via SmartView Monitor. You can start or stop a selected 100 Check Point Security Administration { LMonitoring Suspicious Activity Rules cluster member. 
To do this, right-click the cluster member, From the pull~ down menu, select Start Member or Stop Member ‘To configure an alert in Smart View Monitor from SmartDashboard, select Poliey > Global Properties > Log and Alert > Alerts. To view the active alerts from ‘Smart View Monitor, select the Alerts icon from the toolbar, Student Manual TOIMonitoring Traffic and Connections Gateway Status Check Point enables information about the status of all gateways in the system to be collected by the Security Management server and viewed in Smart View Monitor. The information gathered includes status information about: + Check Point gateways * OPSEC gateways Check Point Software Blades ‘A Gateways Status view displays a snapshot of all Check Point Software Blades, such as VPN and ClusterXL, as well as third party products (for example, OPSEC-partner gateways), Gateways Status is very similar in operation to the ‘SNMP daemon that also provides a mechanism to ascertain information about gateways in the system, Figure 46 — Gateway Status Example 102 Check Point Security Administrationem Gateway States ‘The Security Management server acts as an AMON (Application Monitoring) client. It collects information about specific Check Point Software Blades installed, using the AMON protocol. Each Check Point gateway, or any other OPSEC gateway which runs an AMON server, acts as the AMON server itself. Each gateway makes a status update request, via APIs, from various other components such as. © The “kernel” © Security Servers Analtemate source for status collection may be any AMON client, such as an OPSEC partner, which uses the AMON protocol. ‘The information is fetched at a subscribed interval which is defined by the system administrator. 
The AMON protocol is SIC-based, so information can be retrieved once SIC has been initialized.

Note: There are general statuses which occur for both the gateway or machine on which the Check Point Software Blade is installed, and the Software Blade which represents the components installed on the gateway.

Overall Status

An Overall status is the result of the blades' statuses. The most serious Software Blade status determines the Overall status. For example, if all the Software Blade statuses are OK except for the SmartReporter blade, which has a Problem status, then the Overall status will be Problem.
• OK — indicates that the gateway is working properly.
• Attention — at least one of the Software Blades indicates that there is a minor problem, but it can still continue to work. Attention can also indicate that, although a Software Blade is not installed, it is selected in the General Properties > Check Point Products associated with a specific gateway.
• Problem — indicates that one of the Software Blades reported a specific malfunction. To see details of this malfunction, open the gateway's status window by double-clicking it in the Gateways view. Problem can also indicate a situation in which the Firewall, VPN and ClusterXL Software Blades are selected in the General Properties > Software Blades but are not installed.
• Waiting — from the time that the view starts to run until the time that the first status message is received. This takes no more than thirty seconds.
• Disconnected — the Security Gateway cannot be reached.
• Untrusted — Secure Internal Communication failed. The gateway is connected, but the Security Management server is not the master of the gateway.

Software Blade Status

Software Blades include components such as VPN, SmartReporter, Endpoint Security, and QoS.
• OK — indicates that the blade (for example, SmartReporter, VPN, Firewall, etc.) is working properly.
• Attention — the blade indicates that there is a minor problem, but it can still continue to work.
• Problem — indicates that the blade reported a specific malfunction. To see details of this malfunction, open the gateway's status window associated with the blade by double-clicking it in the Gateways Status view.
• Waiting — displayed from the time that the view starts to run until the time that the first status message is received. This takes no more than thirty seconds.
• Disconnected — the gateway cannot be reached.
• Untrusted — Secure Internal Communication failed. The gateway is connected, but the Security Management server is not the master of the gateway.

Displaying Gateway Information

Gateways Status information is displayed per Check Point or OPSEC gateway. To display information about the gateway, click the specific gateway in the Gateway Results view. Details about the gateway will be displayed in the Gateway Details pane. This information includes general information such as the name, IP address, version, operating system, and the status of the specified gateway, as well as a grid of gateway-specific information.

SmartView Tracker vs. SmartView Monitor

Here are some key points when considering which product addresses your needs better:

SmartView Tracker Benefits — Administrators can use SmartView Tracker to:
• Ensure network components are operating properly.
• Troubleshoot system and security issues.
• Gather information for legal or audit purposes.
• Generate reports to analyze network-traffic patterns.
• Temporarily or permanently terminate connections from specific IP addresses, in case of an attack or other suspicious network activity.

SmartView Monitor Benefits — Administrators can use SmartView Monitor to:
• Centrally monitor Check Point and OPSEC devices.
• Present a complete picture of changes to Gateways, tunnels, remote users, and security activities.
• Immediately identify changes in network-traffic flow patterns that may signify malicious activity.
• Maintain high network availability.
• Improve efficiency of bandwidth use.
• Track SLA compliance.

Practice and Review

Practice Lab
Lab 6: Monitoring with SmartView Tracker

Review
1. Discuss the benefits of using SmartView Monitor instead of SmartView Tracker in monitoring network activity.
2. Why is there a warning message when switching to Active mode in SmartView Tracker?

Network Address Translation

In computer networking, network address translation (NAT) is the process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

Learning Objectives:
• Configure NAT rules on Web and Gateway servers.

Introduction to NAT

Network Address Translation (NAT) allows Security Administrators to overcome IP addressing limitations, allowing private IP-address allocation and unregistered internal-addressing schemes. Enterprises employ NAT for a variety of reasons, including:
• Private IP addresses used in internal networks.
• Limiting external network access.
• Ease and flexibility of network administration.

Network Address Translation (NAT) can be used to translate either IP address in a connection. When translating the IP of the machine initiating the connection (typically the "client" of the connection) this is referred to as Source NAT. When translating the IP address of the machine receiving the connection this is referred to as Destination NAT. The Security Gateway supports two types of NAT where the source and/or the destination are translated:
• Hide NAT — Hide NAT is a many-to-one relationship, where multiple computers on the internal network are represented by a single unique address. This enhances security because connections can only be initiated from the protected side of the Security Gateway. This type of NAT is also referred to as Dynamic NAT.
• Static NAT — Static NAT is a one-to-one relationship, where each host is translated to a unique address. This allows connections to be initiated internally and externally. An example would be a Web server or a mail server that needs to allow connections initiated externally.

NAT can be configured on Check Point hosts, nodes, networks, address ranges and dynamic objects. NAT can be configured automatically or by creating manual NAT rules. Manual NAT rules offer flexibility because they allow the translation of both the source and destination of the packet, and allow the translation of services.

IP Addressing

In an IP network, each computer is assigned a unique IP address. Because public IP addresses are scarce and expensive, many enterprises choose to use private addresses for their internal networks. The following blocks of IP addresses were set aside for internal-network use in RFC 1918, "Address Allocation for Private Networks":
• Class A network numbers: 10.0.0.0-10.255.255.255
• Class B network numbers: 172.16.0.0-172.31.255.255
• Class C network numbers: 192.168.0.0-192.168.255.255

Best practices recommend using only these address ranges for intranets. RFC 1918 addresses cannot traverse public networks.

Hide NAT

In Hide NAT, the source is translated, the source port is modified, and translation occurs on the server side.
As shown in the illustration below, notice the source packet with address 10.1.1.101 going to destination x.x.x.x. As the packet hits the interface on pre-in, 'i', it is processed by the firewall kernel and forwarded to post-in, 'I', where it is then routed to the external interface. It arrives at pre-out, 'o', and is then processed by the NAT Rule Base. The firewall modifies the source port and adds the port information to a state table. The packet is translated on post-out, 'O', as it leaves the Gateway. For protocols where the port number cannot be changed, Hide NAT cannot be used.

Figure 47 — Hide NAT

Choosing the Hide Address in Hide NAT

The Hide Address is the address behind which the network, address range, or node is hidden. It is possible to hide behind either the interface of the Gateway or a specified IP address. Choosing a fixed public IP address is a good option if you want to hide the address of the Security Gateway. However, it means you have to use an extra publicly routable IP address. Choosing to hide behind the address of the Gateway is a good option for administrative purposes. For example, if the external IP address of the Gateway changes, there is no need to change the NAT settings.

Static NAT

A static translation is assigned to a server that needs to be accessed directly from outside the Security Gateway, so the packet is typically initiated from a host outside the firewall. When the client initiates traffic to the static NAT address, the destination of the packet is translated.

Figure 48 — Static NAT

In the past, all destination NAT occurred at the "server side" of the kernel, i.e., on the outbound side of the kernel closest to the server.
When NAT occurs in this configuration, a host route is required on the Security Gateway to route to the destination server. As of VPN-1 NGX, the default method for Destination NAT is "client side", where NAT occurs on the inbound interface closest to the client.

Assume the client is outside the Gateway, and the server is inside the Gateway with automatic Static NAT configured. When the client starts a connection to access the server's NAT IP address, the following happens to the original packet in a client-side NAT:

Original Packet
1. The packet from outside the Gateway arrives at the inbound interface, 'i', destined for the Web server, and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the connections table and the destination is translated on the post-in side of the interface, 'I', before it is routed.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the outbound interface, 'o'.
4. The packet is then forwarded through the kernel, 'O', and routed to the Web server.

Reply Packet
1. The Web server replies and hits the inbound interface, 'i', of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table, and arrives at the post-in side of the kernel, 'I'.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the outbound interface, 'o'.
4. The packet goes through the outbound interface and is translated to the static NAT IP address as it leaves the Security Gateway, 'O'. The source port does not change.

When the external server must distinguish between clients based on their IP addresses, Hide NAT cannot be used, because all clients share the same IP address under Hide NAT. To allow connections from the external network to the internal network, only Static NAT can be used.

NAT — Global Properties

Several Global Properties influence how NAT is handled by a Security Gateway.
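The two translations described in this section, modelled in Python as an added example (this is not Check Point code and not the manual's own material): Hide NAT rewrites the source address and source port and records the mapping in a state table so that replies can be reversed and unsolicited inbound packets have nothing to match; Static NAT is a one-to-one rewrite in both directions with the source port left unchanged. The class names, the constructed hide address 203.0.113.1, the public address 203.0.113.112, the sample hosts and ports, and the sequential port allocator are all assumptions made for the example.

```python
"""Model of Hide NAT (with state table) and Static NAT as described in the manual.
Added example, not Check Point code; all addresses and ports are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Dict, Optional, Tuple

# The RFC 1918 blocks listed in the IP Addressing section.
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))


def is_private(addr: str) -> bool:
    """True when addr is in one of the RFC 1918 private blocks."""
    return any(ip_address(addr) in block for block in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", or a protocol without ports such as "gre"
    src: str
    sport: int    # 0 for protocols without ports
    dst: str
    dport: int


class HideNat:
    """Many-to-one: every hidden host leaves as hide_addr with a rewritten source port.
    state maps (proto, new source port) -> (original src, original sport); it is the
    table consulted when the reply arrives, so no separate reply rule is needed."""

    def __init__(self, hidden: str, hide_addr: str, first_port: int = 10000):
        self.hidden = ip_network(hidden)
        self.hide_addr = hide_addr
        self._ports = count(first_port)   # constructed allocator, not the gateway's
        self.state: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the protected side: translate source address and port."""
        if ip_address(pkt.src) not in self.hidden:
            return pkt                                  # rule does not match
        if pkt.proto not in ("tcp", "udp"):
            # the manual: where the port cannot be changed, Hide NAT cannot be used
            raise ValueError(f"Hide NAT cannot rewrite a port for {pkt.proto}")
        new_port = next(self._ports)
        self.state[(pkt.proto, new_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.hide_addr, sport=new_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reply arriving at the hide address: restore destination from the state table.
        Returns None when no state exists, which is why connections cannot be
        initiated from the outside through Hide NAT."""
        entry = self.state.get((pkt.proto, pkt.dport))
        if pkt.dst != self.hide_addr or entry is None:
            return None
        orig_src, orig_sport = entry
        return replace(pkt, dst=orig_src, dport=orig_sport)


class StaticNat:
    """One-to-one: public <-> internal, no port change, either side may initiate."""

    def __init__(self, internal: str, public: str):
        self.internal, self.public = internal, public

    def inbound(self, pkt: Packet) -> Packet:
        """Client-side destination NAT: rewrite the destination before routing."""
        return replace(pkt, dst=self.internal) if pkt.dst == self.public else pkt

    def outbound(self, pkt: Packet) -> Packet:
        """Reply (or server-initiated) packet: source becomes the public address."""
        return replace(pkt, src=self.public) if pkt.src == self.internal else pkt


if __name__ == "__main__":
    hide = HideNat("10.1.1.0/24", "203.0.113.1")
    out = hide.outbound(Packet("tcp", "10.1.1.101", 40000, "198.51.100.7", 80))
    back = hide.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.1", out.sport))
    print(out, back, sep="\n")
```

The `inbound` method returning `None` for a packet with no state entry is the model's version of the security property the manual attributes to Hide NAT: nothing outside can open a connection to a hidden host. The `ValueError` for a port-less protocol is the failure mode the Hide NAT section calls out.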
The figure shows the default Global Properties for NAT.

Figure 49 — NAT Settings

In most cases, the Security Gateway automatically creates NAT rules, based on information derived from object properties. The following three Global Properties can be modified to adjust the behavior of Automatic NAT rules on a global level:
• Allow bi-directional NAT — If more than one Automatic NAT rule matches a connection, both rules are matched. If Allow bi-directional NAT is selected, the Gateway will check all NAT rules to see if there is a source match in one rule, and a destination match in another rule. The Gateway will use the first matches found, and apply both rules concurrently.
• Translate destination on client side — For packets from an external host that are to be translated according to Static NAT rules, select this option to translate destination IP addresses in the kernel nearest the client.
• Automatic ARP configuration — Select this option to automatically update ARP tables on Security Gateways. For NAT to function properly, a Gateway must accept packets whose destination addresses differ from the addresses configured on its interfaces. Automatic ARP configuration adds the ARP entries needed to accomplish this task. This property applies to automatically created NAT rules only.
• Merge manual proxy ARP — Select this option to merge automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. If a manual ARP configuration is defined in the local.arp file and automatic ARP configuration is enabled, both definitions are maintained. If there is a conflict between the definitions (the same NAT IP address appears in both), the manual configuration is used. If this option is not enabled and automatic ARP configuration is enabled, the Gateway ignores the entries in the local.arp file.
Object Configuration — Hide NAT

Hide NAT can be configured to hide networks using a Security Gateway IP address or another, externally accessible IP address. The figure illustrates how to configure the NAT properties for a network using a Security Gateway's IP address when dynamically translated. To configure Hide NAT with automatic NAT rule creation, select the appropriate options and click OK, which automatically creates the necessary NAT rules for the object.

Figure 50 — NAT Configured Object

Address-translation rules are divided into two elements: Original Packet and Translated Packet. The elements of the Original Packet section inform a Security Gateway which packets match the rule. The Translated Packet elements define how the Security Gateway should modify the packet. Configuring the network object as described above creates two rules in the Address Translation Policy. The first rule prevents translation of packets traveling from the translated object to itself. The second rule instructs the Security Gateway to translate packets whose source IP address is part of the Corporate-finance-net's network. This rule translates packets from private addresses to the IP address of the exiting interface of the Security Gateway.

Figure 51 — NAT Rules

Because Hide NAT also modifies source ports, there is no need to add another rule for reply packets. Information recorded in a Security Gateway's state tables will be used to modify the destination IP address and destination port of reply packets.

Hide NAT Using Another Interface IP Address

Hiding internal addresses behind a Security Gateway's IP address is not the most secure way to configure Hide NAT. Using another externally accessible IP address for Hide NAT is considered best practice.
The figure illustrates how to configure the NAT properties for a network that will use another externally accessible IP address when dynamically translated.

For Automatic NAT rule creation, the Security Gateway makes all necessary route and ARP table entries on the Security Gateway. In the example above, the Security Gateway will process packets destined for the HR_Server, even though that IP address is not bound to its interface. For routing to work properly, the address selected to hide internal networks should be on the same subnet as the IP address of the interface where packets will arrive.

Like Hide NAT behind a Security Gateway's IP address, configuration for Hide NAT using another externally accessible IP address also creates two rules. The first rule instructs the Security Gateway not to translate traffic whose source and destination is the object for which Hide NAT is configured. The second rule translates the source address of packets not destined for the object for which Hide NAT is configured.

Static NAT

Configuring a Security Gateway to perform Static NAT for a host is similar to configuring a Security Gateway to perform Hide NAT using another externally accessible IP address.

Figure 53 — Static NAT Configured Object

The figure illustrates how to configure NAT properties when Static NAT is used to translate a host's IP address. For routing to work properly, the Translate to IP Address must be on the same subnet as the Security Gateway's IP address. When Automatic NAT rule creation is used, it makes the necessary adjustments to the ARP configuration. Configuring an object for automatic creation of Static NAT rules adds two rules to the Address Translation Policy. For Static NAT, both rules are translating rules. In the example above, the Security Gateway changes the source address from a private address to the public address (172.22.102.112).
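The automatic rule creation described in the Object Configuration sections, together with the Allow bi-directional NAT and Automatic ARP configuration properties, as an added example in Python (not Check Point code, and not the product's exact matching algorithm, which the manual does not spell out): each Hide NAT object yields a no-translation rule for the object to itself plus a hide rule, each Static NAT object yields one translating rule per direction, the Rule Base is then applied first-match, and the addresses the gateway must answer ARP for are derived from the translated-to addresses that are not bound to an interface. The object names Corporate-finance-net and HR_Server and the address 172.22.102.112 come from the manual; the networks 10.1.1.0/24 and 10.1.2.50, the gateway address 172.22.102.1, the rule ordering and the way a partial match is completed under bi-directional NAT are assumptions.

```python
"""Automatic NAT rule generation, first-match translation with and without
Allow bi-directional NAT, and the resulting proxy ARP addresses.
Added example, not Check Point code; addresses and ordering are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

ANY = "Any"


@dataclass(frozen=True)
class NatRule:
    orig_src: str               # network/host the packet source must be in, or ANY
    orig_dst: str               # network/host the packet destination must be in, or ANY
    xlate_src: Optional[str]    # None == "Original": source left unchanged
    xlate_dst: Optional[str]    # None == "Original": destination left unchanged
    comment: str


def automatic_rules(obj: str, addresses: str, method: str, translate_to: str) -> List[NatRule]:
    """Two rules per object, as the manual describes for Hide NAT and Static NAT."""
    if method == "hide":
        return [NatRule(addresses, addresses, None, None, f"{obj} to itself: no translation"),
                NatRule(addresses, ANY, translate_to, None, f"{obj} hidden behind {translate_to}")]
    if method == "static":
        return [NatRule(addresses, ANY, translate_to, None, f"{obj} outbound: source -> {translate_to}"),
                NatRule(ANY, translate_to, None, addresses, f"{obj} inbound: destination -> {addresses}")]
    raise ValueError(f"unknown NAT method {method!r}")


def _covers(field: str, addr: str) -> bool:
    return field == ANY or ip_address(addr) in ip_network(field, strict=False)


def translate(rules: List[NatRule], src: str, dst: str, bidirectional: bool = False) -> Tuple[str, str]:
    """Apply the Rule Base to one connection and return (new src, new dst).
    Without bi-directional NAT only the first matching rule is applied. With it, a
    first rule that translates only one side is combined with the first later rule
    that translates the other side (assumed reading of the manual's description).
    An explicit no-translation rule (object to itself) is honoured in both modes."""
    matching = [r for r in rules if _covers(r.orig_src, src) and _covers(r.orig_dst, dst)]
    if not matching:
        return src, dst
    first, rest = matching[0], matching[1:]
    new_src, new_dst = first.xlate_src, first.xlate_dst
    if bidirectional and (new_src or new_dst):
        if new_src is None:
            new_src = next((r.xlate_src for r in rest if r.xlate_src), None)
        if new_dst is None:
            new_dst = next((r.xlate_dst for r in rest if r.xlate_dst), None)
    return new_src or src, new_dst or dst


def proxy_arp_addresses(rules: List[NatRule], interface_ips: Set[str]) -> Set[str]:
    """Translated-to addresses not bound to a gateway interface: the gateway must
    answer ARP for these (automatic ARP configuration, or manual local.arp entries)."""
    return {r.xlate_src for r in rules if r.xlate_src and r.xlate_src not in interface_ips}


# Constructed example objects; the gateway address and internal ranges are assumptions.
GATEWAY_EXTERNAL_IP = "172.22.102.1"
RULE_BASE = (automatic_rules("Corporate-finance-net", "10.1.1.0/24", "hide", GATEWAY_EXTERNAL_IP)
             + automatic_rules("HR_Server", "10.1.2.50", "static", "172.22.102.112"))

if __name__ == "__main__":
    for rule in RULE_BASE:
        print(rule.comment)
    print(translate(RULE_BASE, "10.1.1.101", "172.22.102.112"))
    print(translate(RULE_BASE, "10.1.1.101", "172.22.102.112", bidirectional=True))
    print(proxy_arp_addresses(RULE_BASE, {GATEWAY_EXTERNAL_IP}))
```

The finance-host-to-HR_Server case is the one the bi-directional property exists for: the hide rule matches first and translates only the source, so without the property the destination stays at the public address; with it, the static inbound rule supplies the destination translation as well. Hiding behind the gateway's own address produces no proxy ARP requirement, which matches the ARP guidance for Manual NAT later in the chapter.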
Manual NAT

The Security Gateway allows Security Administrators to create Manual NAT rules. This requires more configuration than automatic NAT rule creation, but provides additional flexibility in Rule Base design.

Automatic NAT rule creation is appropriate for most installations. Properly configured objects, well-planned networks, and Global Properties settings make Manual NAT rule creation unnecessary for most enterprises. For Security Administrators faced with legacy networks where design issues prevent the use of automatic NAT rules, Manual NAT rules may provide solutions. Some of the situations where Manual NAT rule creation may be warranted include:
• Instances where remote networks only allow specific IP addresses.
• Situations where translation is desired for some services, and not for others.
• Environments where more granular control of address translation in VPN tunnels is needed.
• Enterprises where Address Translation Rule Base order must be manipulated.
• When port address translation is required (port forwarding).
• Environments where granular control of address translation between internal networks is required.
• When a range of IP addresses, rather than a network, will be translated.

Configuring Manual NAT

Manual NAT requires configuration of objects and rules. The amount of configuration varies between Hide NAT and Static NAT.

Global Properties for Manual NAT Rules

On the NAT window of Global Properties, only one global property can be set for manually created NAT rules. The Translate destination on client side property performs the same function for Manual NAT rules as it does for automatic NAT rules.
• Translate destination on client side — For packets from an external host undergoing Static NAT, translate destination IP addresses in the kernel nearest the client.
• Enable IP Pool NAT — If IP pools are used on a Gateway, SecuRemote/SecureClient connections are modified, so a target host sends reply packets to the appropriate Gateway.

Manual NAT Special Considerations

ARP

When Automatic NAT rule creation is used, it makes all necessary adjustments to the Security Gateway's ARP and routing tables. Using Automatic NAT rule creation also eliminates potential anti-spoofing issues. If Manual NAT rule creation is used, special consideration must be paid to ARP and routing-table entries, and anti-spoofing issues.

When Automatic NAT rule creation is used, the Security Gateway makes all necessary adjustments to the Security Gateway's ARP table. If Manual NAT rule creation is used, the Security Administrator must edit the Security Gateway's ARP table (local.arp), as follows:
• Hide NAT, Security Gateway in Translated Packet, Source field — No additional ARP table entries are required.
• Hide NAT, hiding behind an IP address not assigned to the Security Gateway — Add an ARP table entry to the Security Gateway for the hiding address.
• Static NAT — Add ARP table entries to the Security Gateway for all hiding addresses.

For information on creating persistent ARP table entries, consult your OS documentation, and sk30197.

Practice and Review

Practice Lab
Lab 7: Configuring NAT

Review
1. What are some reasons for employing NAT in a network when requiring private IP addresses in internal networks, to limit external-network access, or to ease network administration?
2. When would an Administrator favor using Manual NAT over automatic NAT?
Using SmartUpdate

SmartUpdate extends your organization's ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed Security Gateways from a single management console.

Learning Objectives:
• Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.
• Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.
• Upgrade and attach product licenses using SmartUpdate.

SmartUpdate and Managing Licenses

SmartUpdate automatically distributes applications and updates for Check Point and OPSEC Certified products, and manages product licenses. SmartUpdate extends your organization's ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed Security Gateways from a single management console. SmartUpdate ensures security deployments are always up-to-date by enforcing the most current security software. This provides greater control and efficiency while dramatically decreasing maintenance costs of managing global security installations.

Figure 54 — Managing Licenses

SmartUpdate enables remote upgrade, installation and license management to be performed securely and easily. It is possible to remotely upgrade:
• Check Point Security Gateways.
• Hotfixes, Hotfix Accumulators (HFAs) and patches.
• Third-party OPSEC applications.
• UTM-1 Edge Gateways.
• Operating System.

SmartUpdate Architecture

SmartUpdate installs two repositories on the Security Management Server:
1. License & Contract Repository, which is stored on all platforms in the directory $FWDIR\conf\.
2. Package Repository, which is stored on Windows machines in C:\SUroot, and on UNIX machines in /var/suroot.

Figure 55 — SmartUpdate Architecture

Packages and licenses are loaded into these repositories from several sources:
• Download Center Web site (packages)
• Check Point DVD (packages)
• User Center (licenses)
• Running cplic from the command line

Of the many processes that run on Security Gateways distributed across the corporate network, two in particular are used for SmartUpdate. Upgrade operations require the cprid daemon, and license operations use the cpd daemon. These processes listen and wait for the information to be summoned by the Security Management Server.

From a remote location, an Administrator logged into the Security Management Server initiates operations using the SmartUpdate tool. The Security Management Server makes contact with the Security Gateways via the processes that are running on these components to execute the operations initiated by the System Administrator (e.g. attach a license or upload an upgrade). Information is taken from the repositories on the Security Management Server. For instance, if a new installation is being initiated, the information is retrieved from the Package Repository; if a new license is being attached to a remote Gateway, information is retrieved from the License & Contract Repository. This entire process is SIC based, and is completely secure.
SmartUpdate Introduction

SmartUpdate has two tabs:
• The Packages tab — shows the packages and Operating Systems installed on the Check Point Security Gateways managed by the Security Management server. Operations that relate to packages can only be performed in the Packages tab.
• The Licenses & Contracts tab — shows the licenses on the managed Check Point Security Gateways. Operations that relate to licenses can only be performed here.

These tabs are divided into a tree structure that displays the packages installed and the licenses attached to each managed Security Gateway. The tree has three levels:
• The root level shows the name of the Security Management server to which the GUI is connected.
• The second level shows the names of the Check Point Security Gateways configured in SmartDashboard.
• The third level shows the Check Point packages or installed licenses on the Check Point Security Gateway.

Figure 56 — SmartUpdate

Additionally, the following panes can be displayed:
• The Package Repository shows all the packages available for installation. To view this pane, select Packages > View Repository.
• The License & Contract Repository shows all licenses (attached or unattached). To view this pane, select Licenses & Contracts > View Repository.
• The Operation Status shows past and current SmartUpdate operations. To view this pane, select Operations > View Status. This pane displays:
  • The operations performed (i.e. Installing package <package> on Gateway <gateway>, or Attaching license <license> to Gateway <gateway>).
  • The status of the operation being performed, throughout all the stages of its development (i.e., operation started, or a warning).
  • A progress indicator.
  • The time that the operation takes to complete.

Overview of Managing Licenses

With SmartUpdate, you can manage all licenses for Check Point packages throughout the organization from the Security Management Server. SmartUpdate provides a global view of all available and installed licenses, allowing you to perform such operations as adding new licenses, attaching licenses and upgrading licenses to Check Point Security Gateways, and deleting expired licenses. Check Point licenses come in two forms, Central and Local.

Figure 57 — SmartUpdate - Licenses

The Central license is the preferred method of licensing. A Central license ties the package license to the IP address of the Security Management Server. That means that there is one IP address for all licenses; that the license remains valid if you change the IP address of the gateway; and that a license can be taken from one Check Point Security Gateway and given to another with ease.

The Local license is an older method of licensing; however, it is still supported by SmartUpdate. A Local license ties the package license to the IP address of the specific Check Point Security Gateway, and cannot be transferred to a Gateway with a different IP address.

When you add a license to the system using SmartUpdate, it is stored in the License & Contract Repository. Once there, it must be installed to the Gateway and registered with the Security Management Server. Installing and registering a license is accomplished through an operation known as attaching a license.
Central licenses require an administrator to designate a Gateway for attachment, while Local licenses are automatically attached to their respective Check Point Security Gateways.

Licensing Terminology

Common terms used with respect to licensing include the following:
• Add — Licenses received from the User Center should first be added to the SmartUpdate License & Contract Repository. Adding a local license to the License & Contract Repository also attaches it to the gateway.
• Attach — Licenses are attached to a Gateway via SmartUpdate. Attaching a license to a Gateway involves installing the license on the remote Gateway, and associating the license with the specific Gateway in the License & Contract Repository.
• Central License — A Central License is a license attached to the Security Management server IP address, rather than the gateway IP address. The benefits of a Central License are:
  • Only one IP address is needed for all licenses.
  • A license can be taken from one gateway and given to another.
  • The new license remains valid when changing the gateway IP address. There is no need to create and install a new license.
• Certificate Key — The Certificate Key is a string of 12 alphanumeric characters. The number is unique to each package. For an evaluation license, your Certificate Key can be found inside the mini pack. For a permanent license, you should receive your Certificate Key from your reseller.
• CPLIC — A command line for managing local licenses and local license operations. For additional information, refer to the R76 Command Line Interface Reference Guide.
• Detach — Detaching a license from a Gateway involves uninstalling the license from the remote Gateway, and making the license in the License & Contract Repository available to any Gateway.
• State — Licenses can be in one of the following states: Requires Upgrade, No License, Obsolete or Assigned.
The license state depends on whether the license is associated with the Gateway in the License & Contract Repository, and whether the license is installed on the remote Gateway. The license state definitions are as follows:
  • Attached — indicates that the license is associated with the Gateway in the License & Contract Repository, and is installed on the remote Gateway.
  • Unattached — indicates that the license is not associated with the Gateway in the License & Contract Repository, and is not installed on any Gateway.
  • Assigned — is a license that is associated with the Gateway in the License & Contract Repository, but has not yet been installed on the Gateway as a replacement for an existing NG license.
• Upgrade Status — A field in the License & Contract Repository that contains an error message from the User Center if the upgrade process fails.
• Get — Locally installed licenses can be placed in the License & Contract Repository, to update the repository with all licenses across the installation. The Get operation is a two-way process that places all locally installed licenses in the License & Contract Repository and removes all locally deleted licenses from the License & Contract Repository.
• License Expiration — Licenses expire on a particular date, or never. After a license has expired, the functionality of the Check Point package may be impaired.
• Local License — A Local License is tied to the IP address of the specific gateway and can only be used with a gateway or a Security Management server with the same address.
• Multi-License File — Licenses can be conveniently added to a Gateway or Security Management Server via a file rather than by typing long text strings. Multi-license files contain more than one license, and can be downloaded from the User Center. Multi-license files are supported by the cplic put and cplic add command-line commands.
• Features — A character string that identifies the features of a package.
130 Check Point Security Administration‘Overview of Managing Licenses ‘When a Central license is placed in the License & Contract Repository, ‘SmartUpdate allows you to attach it to Check Point packages. Ataching a license installs it to the remote Gateway and registers it with the Security Management Server. New licenses need to be attached when: An existing license expires. © Anexisting license is upgraded to a newer license. * A local license is replaced with a central license * The IP address of the Security Management Server changes. Attaching a license is a three-step process: 41. Get real-time license data from the remote Gateway. 2. Add the appropriate license to the License & Contract Repository. 3. Attach the license to the device. Retrieving License Data from Security Gateways ‘To know exactly what type of license is on each remote Gateway, you can telrieve that data direetly from the Gateway. + Torctrieve license data from a single remote Gateway, right-click the gateway object in the License Management window, and select Get Licenses. + To retrieve license data from multiple Check Point Security Gateways, select Get All Licenses from the Licenses menu, Adding New Licenses to the License & Contract Repository ‘To installa license, you must first add it othe License & Contract Repository You can add licenses to the License & Contract Repository in the following ways: Downloading from the User Center Solect Network Objects Licenses & Contracts > Add License > From User Center, 2. Bnter your credentials Student Manwal 31eee Using SmartUpaate Importing License Files 3. Perform one of the following: + Generate a new license — If there are no identical licenses, the license is added to the License & Contract Repository. * Change the IP address of an existing license (Move IP) © Change the license from Local to Central, > Upgrade the license. 4. Select Licenses & Contract > Add License > From File. 
2. Browse to the location of the license file, select it, and click Open. A license file can contain multiple licenses. Unattached Central licenses appear in the License & Contract Repository, and Local licenses are automatically attached to their Security Gateway. All licenses are assigned a default name in the format SKU@time date, which you can modify at a later time.

Adding License Details Manually

You may add licenses that you have received from the Licensing Center by e-mail. The e-mail contains the license-installation instructions.

1. Locate the license — if you have received a license by e-mail, copy the license to the clipboard. Copy the string that starts with cplic putlic... and ends with the last SKU/feature. For example:

   cplic putlic 1.1.1.1 06Dec2002 éw59uea2-eLLQSNEgPuyHzvQ-WKreSod%x CPSUITE-EVAL-3DES-NGX CK-1234567890

2. Select the Licenses & Contracts tab in SmartUpdate.
3. Select Licenses & Contracts > Add License > Manually. The Add License window appears.
4. Enter the license details. If you copied the license to the clipboard, click Paste License. The fields will be populated with the license details. Alternatively, enter the license details from a printout.
5. Click Calculate, and make sure the result matches the validation code received from the User Center.
6. You may assign a name to the license, if desired. If you leave the Name field empty, the license is assigned a name in the format SKU@time date.
7. Click OK to complete the operation.

Attaching Licenses

After licenses have been added to the License & Contract Repository, select one or more licenses to attach to a Security Gateway.

1. Select the license(s).
2. Select Network Objects Licenses & Contracts > Attach.
3. From the Attach Licenses window, select the desired device. If the attach operation fails, the local licenses are deleted from the Repository.
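The license string pasted into the Add License window has a fixed layout (host IP, expiry date or never, signature, then the SKU/feature strings), and the expiry field is what the License Expiration search later works from. The following is an added illustration, not Check Point code: it parses lines in that layout and classifies them as expired, expiring within a window, or fine, mirroring the "expiring within the next x days" search. The field order is assumed from the manual's example, the signature is carried through but not validated, and the sample lines and the SIG-PLACEHOLDER value are constructed.

```python
"""Parse 'cplic putlic' license lines and report expired or expiring ones.

Added illustration, not Check Point code. Layout assumed from the manual's
example: cplic putlic <host IP> <expiry date or never> <signature>
<SKU/features ...>. The signature is kept but not checked (the manual's
'Calculate' step uses the vendor's own algorithm). Sample lines are
constructed; the first reuses the manual's values with a placeholder signature.
"""
from dataclasses import dataclass
from datetime import date, datetime
import ipaddress
import shlex
from typing import Optional


@dataclass
class License:
    host: str                 # IP address the license is tied to
    expires: Optional[date]   # None means the license never expires
    signature: str
    features: list            # SKU/feature strings, e.g. CPSUITE-EVAL-3DES-NGX


def parse_putlic(line: str) -> License:
    """Split one 'cplic putlic ...' line into its fields; malformed lines
    raise ValueError rather than being guessed at."""
    tokens = shlex.split(line)
    if len(tokens) < 5 or tokens[:2] != ["cplic", "putlic"]:
        raise ValueError(f"not a cplic putlic line: {line!r}")
    host, expiry, signature, *features = tokens[2:]
    ipaddress.ip_address(host)            # ValueError if not a valid IP
    if expiry.lower() == "never":
        expires = None
    else:
        # Dates in the manual look like 06Dec2002: day, month abbreviation, year
        expires = datetime.strptime(expiry, "%d%b%Y").date()
    if not features:
        raise ValueError("license line carries no SKU/feature string")
    return License(host, expires, signature, features)


def days_until_expiry(lic: License, today: date) -> Optional[int]:
    """Negative when already expired; None for a never-expiring license."""
    if lic.expires is None:
        return None
    return (lic.expires - today).days


def expiry_report(lines, today: date, within_days: int = 30) -> dict:
    """Classify licenses the way the License Expiration window does:
    'expired' (date has passed), 'expiring' (within the next N days), 'ok'."""
    report = {"expired": [], "expiring": [], "ok": []}
    for line in lines:
        lic = parse_putlic(line)
        left = days_until_expiry(lic, today)
        if left is None or left > within_days:
            report["ok"].append(lic.host)
        elif left < 0:
            report["expired"].append(lic.host)
        else:
            report["expiring"].append((lic.host, left))
    return report


# Constructed sample input; SIG-PLACEHOLDER stands in for a real signature.
SAMPLE_LINES = [
    "cplic putlic 1.1.1.1 06Dec2002 SIG-PLACEHOLDER CPSUITE-EVAL-3DES-NGX CK-1234567890",
    "cplic putlic 10.0.0.2 never SIG-PLACEHOLDER CPSB-EXAMPLE CK-0000000002",
    "cplic putlic 10.0.0.3 15Jan2015 SIG-PLACEHOLDER CPSB-EXAMPLE CK-0000000003",
]

# Fixed reference day so the run is reproducible; use date.today() in practice.
REFERENCE_DAY = date(2014, 12, 31)


def sample_report() -> dict:
    return expiry_report(SAMPLE_LINES, REFERENCE_DAY)


if __name__ == "__main__":
    print(sample_report())
```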
Detaching Licenses

Detaching a license involves deleting a single Central license from a remote Check Point Security Gateway and marking it as unattached in the License & Contract Repository. This license is then available to be used by any Check Point Security Gateway. To detach a license, select Licenses & Contracts > Detach and select the licenses to be detached from the displayed window.

Deleting Licenses From License & Contract Repository

Licenses that are not attached to any Check Point Security Gateway and are no longer needed can be deleted from the License & Contract Repository. To delete a license:

1. Right-click anywhere in the License & Contract Repository and select View Unattached Licenses.
2. Select the unattached license(s) to be deleted, and click Delete.

Installation Process

The following operations are performed during the installation process:

• Check Point Remote Installation Daemon connects to the Check Point gateway.
• Verification for sufficient disk space.
• Verification of the package dependencies.
• The package is transferred to the gateway if it is not already there.
• The package is installed on the gateway.
• Enforcement policies are compiled for the new version.
• The gateway is rebooted if the Allow Reboot option was selected and the package requires it.
• The gateway version is updated in SmartDashboard.
• The installed packages are updated in SmartUpdate.

Viewing License Properties

The overall view of the License & Contract Repository displays general information on each license such as the name of the license and the IP address of the machine to which it is attached. You can view other properties as well, such as expiration date, SKU, license type, certificate key and signature key. To view license properties, double-click on the license in the Licenses & Contracts tab.

Checking for Expired Licenses

After a license has expired, the functionality of the Check Point package will be impaired; therefore, it is advisable to be aware of the pending expiration dates of all licenses. To check for expired licenses, select Licenses & Contracts > Show Expired Licenses. To check for licenses nearing their dates of expiration:

1. In the License Expiration window, set the Search for licenses expiring within the next x days property.
2. Click Apply to run the search.

To delete expired licenses from the License Expiration window, select the detached license(s) and click Delete.

To Export a License to a File

1. In the Licenses Repository select one or more licenses, right-click, and from the menu select Export to File.
2. In the Choose File to Export License(s) To window, name the file (or select an existing file), and browse to the desired location. Click Save. All selected licenses are exported. If the file already exists, the new licenses are added to the file.

Service Contracts

Managing Contracts

Before upgrading a Gateway or Security Management Server, you need to have a valid support contract that includes software upgrade and major releases registered to your Check Point User Center account. The contract file is stored on the Security Management Server and downloaded to Check Point Security Gateways during the upgrade process. By verifying your status with the User Center, the contract file enables you to easily remain compliant with current Check Point licensing standards.

Figure 58 — Service Contracts

As in all upgrade procedures, first upgrade your Security Management Server or Multi-Domain Management before upgrading the Gateways. Once the management has been successfully upgraded and contains a contract file, the contract file is transferred to a Gateway when the Gateway is upgraded (the contract file is retrieved from the management).
Once you have successfully upgraded the Security Management Server, you can use SmartUpdate to display and manage your contracts. From the License Management window, it is possible to see whether a particular license is associated with one or more contracts. The License Repository window in SmartUpdate displays contracts as well as licenses.

Updating Contracts

The Licenses & Contracts menu on the menu bar has enhanced functionality for handling contracts.

• Licenses & Contracts > Update Contracts — Installs contract information on the Security Management Server. Each time you obtain a new contract, you can use this option to make sure the new contract is displayed in the license repository.
• Licenses & Contracts > Get all Licenses — Collects licenses of all Gateways managed by the Security Management Server, and updates the contract file on the Server if the file on the Gateway is newer.

Figure 59 — Updating Contracts

Practice and Review

Review

1. What can be upgraded remotely using SmartUpdate?
2. What two repositories does SmartUpdate install on the Security Management Server?
3. What does the Pre-Install Verifier check?

CHAPTER 7

User Management and Authentication

User Management and Authentication

If you do not have a user-management infrastructure in place, you can make a choice between managing the internal-user database or choosing to implement an LDAP server. If you have a large user count, Check Point recommends opting for an external user-management database, such as LDAP.
Check Point authentication features enable you to verify the identity of users logging in to the Security Gateway, but also allow you to control security by allowing some users access and disallowing others. Users authenticate by proving their identities, according to the scheme specified under a Gateway authentication scheme, such as LDAP, RADIUS, SecurID and TACACS.

Objectives:

• Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely.
• Manage users' access to the corporate LAN by using external databases.

Creating Users and Groups

Authentication rules are defined by user groups rather than individual users. Therefore, you must first define users and then add them to groups to define authentication rules. You can define users using the Security Gateway proprietary user database or using an LDAP, RADIUS or ACE server. For the procedure describing how to create Security Gateway users using a template, create a group, add users to the group and install user information in the database, refer to the lab "Creating Users and Groups" in this chapter.

User Types

SmartDashboard allows you to manage a variety of user types:

External User Profiles — Externally defined users who are not defined in the internal users database or on an LDAP server. External user profiles are used to avoid the burden of maintaining multiple Users Databases, by defining a single, generic profile for all external users. External users are authenticated based on either their name or their domain.

LDAP Groups — An LDAP group specifies certain LDAP user characteristics. All LDAP users defined on the LDAP server that match these characteristics are included in the LDAP group.
LDAP groups are required for performing a variety of operations, such as defining LDAP user access rules or LDAP remote access communities. For detailed information on LDAP groups, see chapter, "User Management and Authentication".

Templates — User templates facilitate the user definition process and prevent mistakes, by allowing you to create a new user based on the appropriate template and change only a few relevant properties as needed.

User Groups — User groups consist of users and of user sub-groups. Including users in groups is required for performing a variety of operations, such as defining user access rules or remote access communities.

Users — These are either local clients or remote clients, who access your network and its resources.

Security Gateway Authentication

The Security Gateway authenticates individual users using credentials, and manages them using different authentication schemes. All authentication schemes require a username and password.

Types of Legacy Authentication

There are three ways to access a network resource and authenticate using the Legacy Authentication in the Security Gateway:

• User Authentication — Grants access on a per-user basis. This method can only be used for Telnet, FTP, HTTP, rlogin and HTTPS services. User Authentication is secure, because the authentication is valid only for one connection, but intrusive, because each connection requires another authentication. For example, accessing a single Web page could display several dozen User Authentication windows, as different components are loaded.
• Session Authentication — Provides an authentication mechanism for any service, and requires users to supply their credentials for each authentication session; a Session Authentication Agent must be installed on every authenticating client.
Therefore, this method is not suitable for authenticating HTTP services, as they open multiple connections per session. Session Authentication can be used to authenticate any service on a per-session basis. After the user initiates a connection directly to the server, the Security Gateway — located between the user and the destination — intercepts the connection. The Gateway recognizes that user-level authentication is required, and initiates a connection with a Session Authentication Agent. Similar to Client Authentication, Session Authentication is best used on single-user machines, where only one user can authenticate from a given IP at any one time.
• Client Authentication — Permits multiple users and connections from the authorized IP address or host; authorization is performed per machine. For example, if finger is authorized for a client machine, all users on the client are authorized to use finger and are not asked to supply a password during the authorization process. Client Authentication is slightly less secure than User Authentication, because it allows any user access from the IP address or host, but is also less intrusive than Session Authentication. Client Authentication is best used when the client is a single-user machine, such as a desktop computer. The main advantage of this method is that it can be used on any number of connections for any service, and authentication can be validated for a specified time period.

This table presents a comparison of the three Security Gateway authentication methods:

                       User Authentication        Session Authentication        Client Authentication
Services               Telnet, FTP, HTTP,         All services                  All services
                       rlogin, HTTPS
Authenticated per      Connection                 Session                       IP address
How often              Each time a user uses      Each time a user uses         Only once, and user uses
                       one of the supported       any service (requires a       any service until
                       services                   Session Authentication        signing out
                                                  Agent on the client)

Authentication is required for remote-access communication such as SSL VPN, IPSec VPN and Endpoint clients.
However, these authentication methods are not often employed in such environments. For more information about user access and VPNs, see chapters, "Encryption and VPNs" and "Introduction to VPNs" in this manual.

Authentication Schemes

Authentication schemes employ usernames and passwords to identify valid users. Some schemes are maintained locally and store usernames and passwords on the Security Gateway, while others are maintained externally and store User Authentication information on an external authentication server. Certain schemes, such as SecurID, are based on providing a one-time password. All of the schemes can be used with users defined on an LDAP server. For additional information on configuring the Security Gateway to integrate with an LDAP server, refer to the "UserDirectory and User Management" section in this chapter.

Check Point Password — The Security Gateway can store a static password in the local user database of each user configured on the Security Management Server. No additional software is required. Alternatively, to permit alteration of this credential, store the Check Point password in UserDirectory.

Operating System Password — The Security Gateway can authenticate using the username and password that is stored on the operating system of the machine on which the Security Gateway is installed. You can also use passwords that are stored in a Windows domain. No additional software is required.

RADIUS — RADIUS is an external authentication scheme that provides security and scalability by separating the authentication function from the access server. Using RADIUS, the Gateway forwards authentication requests by remote users to the RADIUS server. The RADIUS server, which stores user account information, authenticates the users. The RADIUS protocol uses UDP to communicate with the Gateway. RADIUS servers and RADIUS server-group objects are defined in SmartDashboard.
SecurID — SecurID requires users to both possess a token authenticator and to supply a PIN or password. Token authenticators generate one-time passwords that are synchronized to an RSA ACE/Server, and may come in the form of hardware or software. Hardware tokens are key-ring or credit card-sized devices, while software tokens reside on the computer or device from which the user wants to authenticate. All tokens generate a random, one-time-use access code that changes approximately every minute. When a user attempts to authenticate to a protected resource, the one-time-use code must be validated by the ACE/Server. Using SecurID, the Security Gateway forwards authentication requests by remote users to the ACE/Server. ACE manages the database of RSA users and their assigned hard or soft tokens. The Security Gateway acts as ACE/Agent 5.0, and directs all access requests to the RSA ACE/Server for authentication. For additional information on agent configuration, refer to your ACE/Server documentation. There are no specific parameters required for the SecurID authentication scheme.

TACACS — TACACS is an external-authentication scheme that provides verification services. TACACS provides access control for routers, network access servers and other networked devices through one or more centralized servers. Using TACACS, the Gateway forwards authentication requests by remote users to a TACACS server. The TACACS server, which stores user-account information, authenticates users. The system supports card-key devices or token cards and Kerberos secret-key authentication. TACACS encrypts the username, password, authentication services, and accounting information of all authentication requests to ensure secure communication.

Undefined — The authentication scheme for a user can be undefined.
If a user with an undefined authentication scheme is matched to a rule with some form of authentication, access is always denied.

Remote User Authentication

Configure the authentication method that all users will use to authenticate to the Mobile Access portal or to IPsec VPN Clients. You can configure one authentication method for Mobile Access on the Authentication for Mobile Access page and a different method for IPsec VPN Clients on the Authentication for IPsec VPN page. You can configure different authentication methods for the different blades, even if they are on the same gateway. For Mobile Access, you can also configure if the settings for Two Factor Authentication with DynamicID are Global or specific to the gateway. If you do not configure authentication settings on this page, the gateway takes authentication settings from Gateway object Properties > Legacy Authentication.

Figure 60 — Remote User Authentication

Authentication Types

Defined on user record — Takes the authentication method from Gateway object Properties > Legacy Authentication.

Username and Password — Uses a username and password defined for the user on the gateway.

RADIUS — Users are challenged for a response, as defined by the RADIUS server.

SecurID — Users are challenged to enter the number displayed on the Security Dynamics SecurID card.

Personal certificate — Digital Certificates are issued by the Internal Certificate Authority or by a third party OPSEC certified Certificate Authority.

For Mobile Access: Two Factor Authentication with DynamicID

• Global Settings — The gateway takes the global settings from the Authentication to Gateway page of the Mobile Access tab.
• Custom Settings for this Gateway — This gateway has its own two-factor authentication settings. Click Configure to change the settings for this gateway.
Figure 61 — Authentication for Mobile Access

Authentication Methods

Each method can be configured to connect and authenticate clients to the Security Gateway before the connection is passed to the desired resource (a process known as non-transparent authentication). Alternatively, each method can be configured to connect clients directly to the target server (a process known as transparent authentication). This section describes how users authenticate using each authentication method, along with guidelines for configuring each method.

User Authentication (Legacy)

User Authentication provides authentication for the Telnet, FTP, HTTP, and rlogin services. By default, User Authentication is transparent. The user does not connect directly to the Security Gateway, but initiates a connection to the target server.

Figure 62 — Rule Base with User Authentication Defined

User Authentication Rule Base Considerations

Although it is true that the Gateway processes rules in order, an exception to this is when User Authentication is employed. In this case, the most permissive rule in the Rule Base is used by the Gateway. If a User Authentication rule matches a packet, all rules are evaluated before authentication occurs, and the least restrictive rule is applied.
Session Authentication (Legacy)

In the Session Authentication Action Properties, you can define the session authentication behavior for a connection that is matched on a Session Authentication rule. You can also define how to treat the user when the allowed location of the user is different than the location allowed to the user in the Rule.

Figure 63 — Session Authentication

Session Authentication can be used for any service, but requires either a Session Authentication agent to get the user identity, or UserAuthority. Like User Authentication, it requires an authentication procedure for each connection. UserAuthority can be used to get the user identity. It can do this in one of three ways:

1. From a SecureAgent.
2. From SecureClient, if the user authenticated via SecureClient connected to the Check Point Security Gateway.
3. From the Check Point Security Gateway, if the user authenticated via an HTTP connection to port 900 or Telnet to port 259 on the gateway.

A Session Authentication agent can also be used to get the user identity. The Session Authentication agent is normally installed on the authenticating client, in which case the person who wants the connection to the destination host supplies the authentication credentials. However, the Session Authentication agent can also be installed on the destination machine, or on some other machine in the network. In that case, the person at the machine on which the Agent is installed is asked to supply the username and a password.

Source and Destination both have the following possible settings:

• Intersect with User Database means that if a user who successfully authenticates is at a source or trying to reach a destination which is allowed to the user according to the rule, but the User Properties for that user do not allow this location, the user will be denied.
• Ignore User Database — Users who would otherwise be denied as a result of the allowed source or destination defined in the User Properties are allowed anyway.
• Contact Agent At tells the Check Point Security Gateway which host to attempt to contact. An Agent can be a SecureAgent installed on the client machine, a SecureClient installed on the client machine, or a Session Authentication Agent installed on the client machine or another host. The possibilities are:
  • Src to specify that the Agent on the rule's Source object will authenticate the session.
  • Other to specify that the Session Authentication Agent on the specified object will authenticate the session. This allows authentication credentials to be provided by someone other than the person requesting access.
• Accept only SecuRemote/SecureClient encrypted connections applies the rule only if the connection is encrypted (that is, only if the source is a SecureClient machine).
• Single Sign On means that when a user opens a connection that matches this rule, the Check Point Security Gateway queries UserAuthority for the user identity. If UserAuthority replies with the username (and the user belongs to groups, if defined), the connection is allowed. Otherwise, it is dropped.
Figure 64 — Session Authentication Action Properties

Configuring Session Authentication

To configure Session Authentication:

1. If using the Session Authentication Agent, install and configure it for all machine desktops with Session Authentication enabled.
2. Configure the required users and groups for authentication, and install the user database.
3. In the Authentication window from the Gateway object's General Properties, enable the required authentication schemes. The Gateway must support all user-defined authentication schemes. For example, if some users must provide a Check Point password and others RADIUS authentication, select both schemes.
4. Define a Session Authentication access rule by following the same instructions as those under "Configuring User Authentication", except select Session Auth in the Action column of the Rule Base.
5. If required, adjust the Failed Authentication Attempts settings for Session Authentication in the Authentication window of the Global Properties.

Figure 65 — Session Authentication

Client Authentication (Legacy)

Client Authentication can be used to authenticate any service. It enables access from a specific IP address for an unlimited number of connections. The client user performs the authentication process, but it is the client machine that is granted access. Client Authentication is less secure than User Authentication, because it permits access for multiple users and connections from authorized IP addresses or hosts. Authorization is performed on a per-machine basis for services that do not have an initial login procedure.
The advantages of Client Authentication are that it can be used for an unlimited number of connections, for any service, and is valid for any length of time.

Client Authentication and Sign-On Overview

Client Authentication works with all sign-on methods. The table below shows how different sign-on methods provide a choice when selecting an authentication method for authenticated services and others. For sign-on methods other than Manual Client Authentication, the Security Gateway is transparent to users who authenticate directly to the destination host.

Sign-on method         Authenticated services            Other services
Manual                 Telnet to port 259 on Gateway     Telnet to port 259 on Gateway
                       HTTP to port 900 on Gateway       HTTP to port 900 on Gateway
Partially automatic    User Authentication               Not available
Fully automatic        User Authentication               Session Authentication
Agent automatic        Session Authentication            Session Authentication
Single Sign On         UserAuthority                     UserAuthority

The following are the two Client Authentication sign-on options:

• Standard Sign-on — Enables users to access all services permitted by the rule, without authenticating for each service.
• Specific Sign-on — Enables users to access only the services that they specify when they authenticate, even if the rule allows more than one service; if users want to use another service, they must reauthenticate for that specific service.

At the end of an authentication session, users can sign off. When users sign off, they are disconnected from all services and the remote host.

• Manual Sign On — Available for any service that is specified in the Client Authentication rule; the user must first connect to the Gateway and authenticate in one of the following two ways:
  • Through a Telnet session to the Gateway on port 259.
  • Through an HTTP connection to the Gateway on port 900 and a Web browser; the requested URL must include the Gateway name and port number, for example, http://Gateway:900

Wait Mode

Wait Mode is a Client Authentication feature for Manual Sign On, when the user initiates a Client Authenticated connection with a Telnet session on port 259 on the Gateway. Wait Mode eliminates the need to open a new Telnet session to sign off and withdraw Client Authentication privileges. In Wait Mode, the initial Telnet session connection remains open, as long as Client Authentication privileges remain valid. Client Authentication privileges are withdrawn when the Telnet session is closed. The Security Gateway keeps the Telnet session open by pinging the authenticating client. If for some reason the client machine stops running, the Gateway closes the Telnet session, and Client Authentication privileges from the connected IP address are withdrawn.

• Partially Automatic Sign On — Partially Automatic Sign On is available for authenticated services (Telnet, FTP, HTTP, and rlogin), only if they are specified in the Client Authentication rule. If users attempt to connect to a remote host using one of the authenticated services, they must authenticate with User Authentication. When using partially automatic Client Authentication, ensure that port 80 is accessible on the Gateway.
• Fully Automatic Sign On — Fully Automatic Sign On is available for any service, only if the required service is specified in the Client Authentication rule. If users attempt to connect to a remote host using an authenticated service (Telnet, FTP, HTTP, and rlogin), they must authenticate with User Authentication. If users attempt to connect to a remote host using any other service, they must authenticate through a properly installed Session Authentication Agent. When using fully automatic Client Authentication, ensure that port 80 is accessible on the Gateway.
• Agent Automatic Sign On — Agent Automatic Sign On is available only if the required service is specified in the Client Authentication rule, and the Session Authentication Agent is properly installed. If users attempt to connect to a remote host using any service, they must authenticate through a Session Authentication Agent.
• Single Sign On — Single Sign On is available for any service, only if the required service is specified in the Client Authentication rule and UserAuthority is installed. Single Sign On is a Check Point address-management feature that provides transparent network access. The Gateway consults the user IP address records to determine which users are logged into any given IP address. When a connection matches a Single Sign On enabled rule, the Gateway queries UserAuthority with the packet's source IP. UserAuthority returns the name of the user who is registered to the IP. If the user's name is authenticated, the packet is accepted.
If not, it is dropped.

Configuring Authentication Tracking

Successful and unsuccessful authentication attempts can be monitored in SmartView Tracker or using other tracking options, for example, e-mail and alerts. Authentication tracking can be configured for the following types of authentication attempts:

• Failed authentication attempts — Can be tracked for all forms of authentication; to track failed authentication attempts, in the Authentication window of a gateway object, set the Authentication Failure Track property to define the tracking option when authentication failures occur.
• Successful authentication attempts — Can only be tracked for Client Authentication; in the Client Authentication Action Properties window, set the Successful Authentication Tracking property to define the tracking option for all successful Client Authentication attempts. These options include None, Log, and Alert. The default setting is Log.
• All Authentication attempts — Can be tracked for all forms of authentication; select an option in the Track column of any rule that uses some form of authentication. Some tracking options may not take effect if the gateway object is set to log all failed authentication attempts. For example, setting a rule to None has no effect, and failed authentication attempts are still logged in SmartView Tracker. However, setting the rule to Alert causes an alert to be sent for each failed authentication attempt.

LDAP User Management with UserDirectory

LDAP Features

Lightweight Directory Access Protocol (LDAP) is an open industry standard that is used by multiple vendors. It is used to maintain information about users and items within an organization. LDAP is widely accepted as the directory-access method of the Internet. One of the reasons that it is the obvious choice for so many vendors is because of its cross-platform compliancy.
LDAP is automatically installed on different operating systems (e.g., the Microsoft Active Directory) and servers (such as Novell, Netscape, etc.). When integrated with Security Management, LDAP is referred to as UserDirectory (LDAP).

Features of LDAP are as follows:
• LDAP is based on a client/server model, in which an LDAP client makes a TCP connection to an LDAP server.
• Each entry has a unique Distinguished Name (DN).
• Default port numbers are 389 for standard connections, and 636 for Secure Sockets Layer (SSL) connections.
• Each LDAP server is called an Account Unit.

Distinguished Name

A Distinguished Name (DN) is a globally unique name for an entity, constructed by appending the sequence of DNs from the lowest level of a hierarchical structure to the root. The root becomes the relative DN. This structure becomes apparent when setting up SmartDashboard user management.

Figure 66 — Distinguished Name

For example, if searching for the name John Brown, the search path would start with John Brown's Common Name (CN). You would then narrow the search to the organization he works for, then to the country. If John Brown works for ABC Company, one possible DN is shown below:

cn=John Brown,ou=Marketing,o=ABC Company,c=US

This can be read as, "John Brown, in Marketing, of ABC Company, in the United States". A different John Brown, who works at the XYZ Company, might have a DN as follows:

cn=John Brown,o=XYZ Company,c=US

The two CNs "John Brown" belong to two different organizations with different DNs. This can be outlined as an inverted tree, as in the figure.
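As an added illustration of the DN structure described above (not code from the manual or from Check Point), the following Python parses DNs into their RDN sequence and arranges several of them as the inverted tree of the figure. The sample DNs, including one whose CN contains an escaped comma, are constructed.

```python
"""Parse Distinguished Names as the text describes (CN first, country last)
and lay them out as the inverted tree of the figure. Added example with
constructed sample DNs; not code from the manual or from Check Point."""
from typing import Dict, List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), e.g. ("cn", "John Brown")

# Constructed sample DNs: the two John Browns from the text plus one value
# containing an escaped comma, which a naive split(",") would mangle.
SAMPLE_DNS = [
    "cn=John Brown,ou=Marketing,o=ABC Company,c=US",
    "cn=John Brown,o=XYZ Company,c=US",
    r"cn=Smith\, Jane,ou=Marketing,o=ABC Company,c=US",
]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, leaf (cn) first and root (c) last.

    A backslash escapes the next character, so "\\," stays inside the value
    (RFC 4514 quoting). Attribute types are lower-cased because LDAP treats
    them case-insensitively; values are kept as written.
    """
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError(f"dangling escape at end of DN: {dn!r}")
    parts.append("".join(buf))

    rdns: List[RDN] = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in DN: {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def build_tree(dns: List[str]) -> Dict[str, Dict]:
    """Arrange DNs as an inverted tree: country at the top, CNs at the leaves.

    Nodes are keyed by "attr=value", so two entries with the same CN under
    different organizations (the two John Browns) end up as distinct leaves.
    """
    tree: Dict[str, Dict] = {}
    for dn in dns:
        node = tree
        for attr, value in reversed(parse_dn(dn)):  # walk root -> leaf
            node = node.setdefault(f"{attr}={value}", {})
    return tree


def render_tree(tree: Dict[str, Dict], indent: int = 0) -> List[str]:
    """Flatten the tree into indented lines, one per node, for display."""
    lines: List[str] = []
    for key, child in tree.items():
        lines.append("  " * indent + key)
        lines.extend(render_tree(child, indent + 1))
    return lines


def same_entry(dn_a: str, dn_b: str) -> bool:
    """Two DNs name the same entry only if every RDN matches; the CN alone
    is not enough, which is exactly the John Brown case in the text."""
    return parse_dn(dn_a) == parse_dn(dn_b)


if __name__ == "__main__":
    print("\n".join(render_tree(build_tree(SAMPLE_DNS))))
    print(same_entry(SAMPLE_DNS[0], SAMPLE_DNS[1]))  # False
```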
Multiple LDAP Servers

There are several advantages to using more than one LDAP server, including the following:
• Compartmentalization, by allowing a large number of users to be distributed across several servers.
• High Availability, by replicating the same information on several servers.
• Faster access time, by placing LDAP servers containing the database at remote sites.

Figure 67 — Multiple LDAP Servers

If the Security Gateway includes the appropriate license, account management is allowed for an unlimited number of LDAP servers. Therefore, as many LDAP servers as needed may be managed through SmartDashboard, as shown below:

Using an Existing LDAP Server

If there is an existing LDAP user database, integration with the Security Gateway is relatively simple. The LDAP server maintains all user information, including login name and password. Addition and deletion of users is performed on the LDAP server through the LDAP user interface or SmartDashboard.

Configuring Entities to Work with the Gateway

The predominant reasons for integrating the Security Gateway and UserDirectory (LDAP) are:
• To query user information.
• To enable Certificate Revocation List (CRL) retrieval.
• To enable user management.
• To authenticate users.

The first step is to enable the option Use UserDirectory (LDAP) in Global Properties. Then, it is necessary to define an Account Unit. If you are implementing UserDirectory user management, you will need to know which entities to define, and how to manage the users defined by the UserDirectory Account Unit.
UserDirectory user management requires a special license.

Figure 68 — Configuring Entities to Work with the Gateway

The graphic shows the global settings for UserDirectory (LDAP).

Defining an Account Unit

Create a new UserDirectory Account Unit via the Servers tab of the Objects tree, as shown.

Figure 69 — LDAP Account Unit Properties

The LDAP Account Unit Properties window consists of several tabs:
• General tab — Defines the general settings of the LDAP Account Unit; decide whether this Account Unit is to be used for CRL retrieval, user management, or both.
• Profile — Select a profile to be applied to the new Account Unit. Four profiles are defined by default, each corresponding to a specific LDAP server:
  • OPSEC_DS — The default profile for a standard OPSEC certified UserDirectory server.
  • Netscape_DS — The profile for a Netscape Directory Server.
  • Novell_DS — The profile for a Novell Directory Server.
  • Microsoft_AD — The profile for Microsoft Active Directory.
• Servers tab — Displays the LDAP servers to be used by the Account Unit; the order in which they are displayed is the default query order.
• Objects Management tab — Allows you to select the LDAP server on which objects are managed; the branches for the selected LDAP server can be retrieved by selecting Fetch branches, or they can be added manually.
Some versions of LDAP do not support automatic branch retrieval using Fetch branches. These branches will be searched when this LDAP server is queried. The Administrator can add or modify the branches.
• Authentication tab — Allows you to define an authentication scheme for the LDAP account.

Note: For enhanced security, this Account Unit object can be locked with a password that must be entered when this Account Unit is accessed from SmartDashboard for managing users.

Managing Users

Users defined in the Account Unit are managed in the Users tab of the Objects tree. This intuitive tree structure enables users to be managed as if all the users were actually sitting on the internal Security Gateway database. For instance, you can add, edit or delete users by right-clicking them in the Objects tree, and by selecting the option of your choice.

Figure 70 — Managing Users

UserDirectory Groups

UserDirectory groups are created to classify users within certain group types. These UserDirectory groups are then applied in Policy rules. Define a UserDirectory group in the LDAP Group Properties window in the Users and Administrators tab of the Objects tree:

Figure 71 — LDAP Group Properties

Once UserDirectory groups are created, they can be applied in various Policy rules, such as the Security Policy. In this window, you can select the Account Unit on which the UserDirectory group is defined, and apply an advanced filter to increase the granularity of a group definition. Only those users who match the defined criteria will be included as members of the UserDirectory group.
For instance, you can include all users defined in the selected Account Unit as part of the UserDirectory group, or only members of a specified branch, or only members of a specified group on the branch.

Practice and Review

Practice Lab

Lab 8: Configuring User Directory

Review

1. User Auth can be only used for what services?
2. When using Session Authentication, what is needed to retrieve a user's identity?
3. What are the advantages of using multiple LDAP servers?
4. Why integrate the Security Gateway and UserDirectory?

CHAPTER 8 – Identity Awareness

Identity Awareness

Check Point Identity Awareness Software Blade provides granular visibility of users, groups and machines, providing unmatched application and access control through the creation of accurate, identity-based policies. Centralized management and monitoring allows for policies to be managed from a single, unified console.

Learning Objectives:
• Use Identity Awareness to provide granular level access to network resources.
• Acquire user information used by the Security Gateway to control access.
• Define Access Roles for use in an Identity Awareness rule.
• Implement Identity Awareness in the Firewall Rule Base.

Introduction to Identity Awareness

Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the user and machine identities behind those IP addresses. Identity Awareness removes this notion of anonymity since it maps users and machine identities. This lets you enforce access and audit data based on identity. Identity Awareness is an easy to deploy and scalable solution.
It is applicable for both Active Directory and non-Active Directory based networks as well as for employees and guest users. It is currently available on the Firewall blade and Application Control blade and will operate with other blades in the future.

Identity Awareness lets you easily configure network access and auditing based on network location and:
• The identity of a user
• The identity of a machine

When Identity Awareness identifies a source or destination, it shows the IP address of the user or machine with a name. For example, this lets you create firewall rules with any of these properties. You can define a firewall rule for specific users when they send traffic from specific machines, or a firewall rule for a specific user regardless of which machine they send traffic from. In SmartDashboard, you use Access Role objects to define users, machines, and network locations as one object.

Figure 72 — Access Role

Identity Awareness also lets you see user activity in SmartView Tracker and SmartEvent based on user and machine name and not just IP addresses.

Figure 73 — Record Details

Identity Awareness gets identities from these acquisition sources:
• AD Query
• Browser-Based Authentication
• Endpoint Identity Agent
• Terminal Servers Identity Agent
• Remote Access

AD Query

AD Query gets identity data seamlessly from Microsoft Active Directory (AD). AD Query for Identity Awareness is recommended for:
• Identity based auditing and logging
• Leveraging identity in Internet application control
• Basic identity enforcement in the internal network

AD Query is an easy to deploy, clientless identity acquisition method. It is based on Active Directory integration and it is completely transparent to the user.

The AD Query option operates when:
• An identified asset (user or machine) tries to access an Intranet resource that creates an authentication request.
For example, when a user logs in, unlocks a screen, shares a network drive, reads emails through Exchange, or accesses an Intranet portal.
• AD Query is selected as a way to acquire identities.

The technology is based on querying the Active Directory Security Event Logs and extracting the user and machine mapping to the network address from them. It is based on Windows Management Instrumentation (WMI), a standard Microsoft protocol. The Security Gateway communicates directly with the Active Directory domain controllers and does not require a separate server. No installation is necessary on the clients or on the Active Directory server. Identity Awareness supports connections to Microsoft Active Directory on Windows Server 2003 and 2008.

Firewall Rule Base Example

Figure 74 — Firewall Example

1. The Security Gateway registers to receive security event logs from the Active Directory domain controllers.
2. A user logs in to a desktop computer using his Active Directory credentials.
3. The Active Directory DC sends the security event log to the Security Gateway. The Security Gateway extracts the user and IP information (user name@domain, machine name and source IP address).
4. The user initiates a connection to the Internet.
5. The Security Gateway confirms that the user has been identified and lets him access the Internet based on the policy.

When you set the AD Query option to get identities, you are configuring clientless employee access for all Active Directory users. To enforce access options, make rules in the Firewall Rule Base that contain access role objects. An access role object defines users, machines and network locations as one object. Active Directory users that log in and are authenticated will have seamless access to resources based on Firewall Rule Base rules.
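As an added example (not the manual's or Check Point's code), the following Python models step 3 of the flow above: it builds the IP-to-user/machine table that the gateway derives from domain controller security events and ages entries out when no further activity is seen. The line format, the LOGON/UNLOCK/LOGOFF event kinds, the eight-hour lifetime and the records themselves are constructed assumptions, not real domain controller output.

```python
"""Build the IP -> identity mapping that AD Query derives from domain
controller security event logs. Added example; the log line format, event
kinds and lifetime are assumptions and the records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed mapping lifetime: AD Query learns identities from user activity, so
# a stale mapping must age out rather than live forever.
MAPPING_TTL = timedelta(hours=8)


@dataclass
class Identity:
    user: Optional[str]      # "user@domain", None when only the machine is known
    machine: Optional[str]   # workstation name, if any event carried one
    learned_at: datetime


@dataclass
class LogonEvent:
    when: datetime
    kind: str          # LOGON, UNLOCK or LOGOFF in the constructed format
    account: str       # account name; computer accounts end with "$"
    domain: str
    workstation: str
    source_ip: str


def _parse_time(iso: str) -> datetime:
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed line: '<ISO time> <KIND> key=value ...'."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"too few fields: {line!r}")
    kv = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
    try:
        return LogonEvent(_parse_time(fields[0]), fields[1].upper(),
                          kv["account"], kv["domain"], kv["workstation"],
                          kv["src"])
    except KeyError as exc:
        raise ValueError(f"missing field {exc} in {line!r}") from None


class IdentityMap:
    """IP -> Identity table maintained from the event stream."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, Identity] = {}

    def apply(self, ev: LogonEvent) -> None:
        if ev.kind == "LOGOFF":
            self._by_ip.pop(ev.source_ip, None)
            return
        if ev.kind not in ("LOGON", "UNLOCK"):
            return  # other event kinds carry no identity for the gateway
        current = self._by_ip.get(ev.source_ip)
        if ev.account.endswith("$"):
            # Computer account logon: learn the machine, keep any known user.
            user = current.user if current else None
            machine = ev.account.rstrip("$")
        else:
            user = f"{ev.account}@{ev.domain}"
            machine = ev.workstation or (current.machine if current else None)
        # A later logon from the same IP wins: the address now belongs to
        # whoever just authenticated from it.
        self._by_ip[ev.source_ip] = Identity(user, machine, ev.when)

    def lookup(self, ip: str, now: datetime) -> Optional[Identity]:
        ident = self._by_ip.get(ip)
        if ident is None:
            return None
        if now - ident.learned_at > MAPPING_TTL:
            del self._by_ip[ip]  # aged out; new activity must re-identify it
            return None
        return ident


def build_map(lines: List[str]) -> IdentityMap:
    table = IdentityMap()
    for ln in lines:
        if ln.strip():
            table.apply(parse_event(ln))
    return table


def identify(lines: List[str], ip: str,
             at_iso: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Replay the events and answer 'who was behind ip at this time?'."""
    ident = build_map(lines).lookup(ip, _parse_time(at_iso))
    return None if ident is None else (ident.user, ident.machine)


# Constructed records in the assumed format (not real DC output).
SAMPLE_EVENTS = [
    "2014-03-03T08:00:00Z LOGON account=HR-LAPTOP01$ domain=CORP.ACME.COM workstation=HR-LAPTOP01 src=10.0.0.19",
    "2014-03-03T08:01:00Z LOGON account=jadams domain=CORP.ACME.COM workstation=HR-LAPTOP01 src=10.0.0.19",
    "2014-03-03T09:30:00Z UNLOCK account=jadams domain=CORP.ACME.COM workstation=HR-LAPTOP01 src=10.0.0.19",
    "2014-03-03T10:00:00Z LOGON account=kiosk7 domain=CORP.ACME.COM workstation=KIOSK7 src=10.0.0.42",
    "2014-03-03T10:05:00Z LOGOFF account=kiosk7 domain=CORP.ACME.COM workstation=KIOSK7 src=10.0.0.42",
]

if __name__ == "__main__":
    print(identify(SAMPLE_EVENTS, "10.0.0.19", "2014-03-03T12:00:00Z"))
    print(identify(SAMPLE_EVENTS, "10.0.0.42", "2014-03-03T12:00:00Z"))
```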
Scenario: Laptop Access

John Adams is an HR partner in the ACME organization. ACME IT wants to limit access to HR servers to designated IP addresses to minimize malware infection and unauthorized access risks. Thus, the gateway policy permits access only from John's desktop, which is assigned a static IP address 10.0.0.19. He received a laptop and wants to access the HR Web Server from anywhere in the organization. The IT department gave the laptop a static IP address, but that limits him to operating it only from his desk. The current Rule Base contains a rule that lets John Adams access the HR Web Server from his laptop with a static IP (10.0.0.19).

Figure 75 — Rule

He wants to move around the organization and continue to have access to the HR Web Server. To make this scenario work, the IT administrator does these steps:
1. Enables Identity Awareness on a gateway, selects AD Query as one of the Identity Sources and installs the policy.
2. Checks SmartView Tracker to make sure the system identifies John Adams in the logs.
3. Adds an access role object to the Firewall Rule Base that lets John Adams access the HR Web Server from any machine and from any location.
4. Sees how the system tracks the actions of the access role in SmartView Tracker.

The SmartView Tracker logs show how the system recognizes John Adams as the user behind IP 10.0.0.19:

Figure 76 — John Adams

This log entry shows that the system maps the source IP to the user John Adams from CORP.ACME.COM. This uses the identity acquired from AD Query.

Note: AD Query maps the users based on AD activity. This can take some time and depends on user activity. If John Adams is not identified (the IT administrator does not see the log), he should lock and unlock the computer.
Using Access Roles

To let John Adams access the HR Web Server from any machine, it is necessary for the administrator to change the current rule in the Rule Base. To do this, it is necessary to create an access role for John Adams that includes the specific user John Adams from any network and any machine.

Figure 77 — Access Role Change

Then the IT administrator replaces the source object of the current rule with the HR_Partner access role object and installs the policy for the changes to be updated.

Figure 78 — Rule Change

The IT administrator can then remove the static IP from John Adams' laptop and give it a dynamic IP. The Security Gateway lets the user John Adams access the HR Web server from his laptop with a dynamic IP, as the HR_Partner access role tells it that the user John Adams from any machine and any network is permitted.

Browser-Based Authentication

Browser-Based Authentication acquires identities from unidentified users. You can configure these acquisition methods:
• Captive Portal
• Transparent Kerberos Authentication

Captive Portal is a simple method that authenticates users through a web interface before granting them access to Intranet resources. Captive Portal for Identity Awareness is recommended for:
• Identity based enforcement for non-AD users (non-Windows and guest users)
• Deployment of Endpoint Identity Agents

When users try to access a protected resource, they get a web page that they must fill out to continue.

Figure 79 — Captive Portal

With Transparent Kerberos Authentication, the browser attempts to authenticate users transparently by getting identity information before the Captive Portal username/password page opens. When you configure this option, the Captive Portal requests authentication data from the browser.
Upon successful authentication, the user is redirected to its original destination. If authentication fails, the user must enter credentials in the Captive Portal.

The Captive Portal option operates when a user tries to access a web resource and all of these apply:
• The Captive Portal is selected as a way to acquire identities and the redirect option has been set for the applicable rule.
• Unidentified users cannot access that resource because of rules with access roles in the Firewall / Application Rule Base. But if users are identified, they might be able to access the resource.
• Transparent Kerberos Authentication was configured, but authentication failed.

When these criteria are true, Captive Portal acquires the identities of users. From the Captive Portal users can:
• Enter an existing user name and password if they have them.
• For guest users, enter required credentials. Configure what is required in the Portal Settings.
• Click a link to download an Identity Awareness agent. Configure this in the Portal Settings.

Figure 80 — Captive Portal

The diagram shows how Captive Portal works in the Firewall rule base:
1. A user wants to access the Internal Data Center.
2. Identity Awareness does not recognize him and redirects the browser to the Captive Portal.
3. The user enters his regular office credentials. The credentials can be AD or other Check Point supported authentication methods, such as LDAP, Check Point internal credentials, or RADIUS.
4. The credentials are sent to the Security Gateway and verified, in this example, against the AD server.
5. The user can now go to the originally requested URL.

If Transparent Kerberos Authentication is configured, the browser attempts to authenticate users transparently by getting identity information before the Captive Portal username/password page is shown to the user. Transparent Kerberos for Identity Awareness is recommended for use in:
• AD environments, when users are already logged in to the domain and the browser obtains identity information from the credentials used in the original log in (SSO).

Transparent Kerberos authentication works this way:
1. A user wants to access the Internal Data Center.
2. Identity Awareness does not recognize the user and redirects the browser to the Transparent Authentication page.
3. The Transparent Authentication page asks the browser to authenticate itself.
4. The browser gets a Kerberos ticket from the Active Directory and presents it to the Transparent Authentication page.
5. The Transparent Authentication page sends the ticket to the Security Gateway, which authenticates the user and redirects it to the originally requested URL.
6. If Kerberos authentication fails for some reason, Identity Awareness redirects the browser to the Captive Portal.

Browser-Based Authentication lets you acquire identities from unidentified users such as:
• Managed users connecting to the network from unknown devices such as Linux computers or iPhones.
• Unmanaged, guest users such as partners or contractors.

If unidentified users try to connect to resources in the network that are restricted to identified users, they are automatically sent to the Captive Portal. If Transparent Kerberos Authentication is configured, the browser will attempt to identify users that are logged into the domain using SSO before it shows the Captive Portal.

Scenario: Recognized User from Unmanaged Device

The CEO of ACME, Jennifer McHanry, recently bought her own personal iPad. She wants to access the internal Finance Web server from her iPad.
Because the iPad is not a member of the Active Directory domain, she cannot identify seamlessly with AD Query. However, she wants to be able to enter her AD credentials in the Captive Portal and then get the same access as on her office computer. Her access to resources is based on rules in the Firewall Rule Base.

To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a gateway and select Browser-Based Authentication as one of the Identity Sources.
2. In the Portal Settings window in the User Access section, make sure that Name and password login is selected.
3. Create a new rule in the Firewall Rule Base to let Jennifer McHanry access network destinations. Select accept as the Action.
4. Right-click the Action column and select Edit Properties. The Action Properties window opens.
5. Select the Redirect http connections to an authentication (captive) portal checkbox. Note: redirection will not occur if the source IP is already mapped to a user.
6. Click OK.
7. From the Source of the rule, right-click to create an Access Role.
   a. Enter a Name for the Access Role.
   b. In the Users tab, select Specific users and choose Jennifer McHanry.
   c. In the Machines tab make sure that Any machine is selected.
   d. Click OK. The Access Role is added to the rule.

Figure 81 — Access Rule

Jennifer McHanry does these steps:
1. Browses to the Finance server from her iPad. The Captive Portal opens because she is not identified and therefore cannot access the Finance Server.
2. She enters her usual system credentials in the Captive Portal. A Welcome to the network window opens.
3. She can successfully browse to the Finance server.
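To show how Access Role matching and the Redirect http connections to an authentication (captive) portal property interact in the John Adams (AD Query) and Jennifer McHanry (Captive Portal) scenarios above, here is an added Python model; it is not Check Point's implementation, and its rules, role names and identity map are constructed.

```python
"""Evaluate Firewall Rule Base rules whose Source is an Access Role against an
IP -> identity map, including the redirect-to-captive-portal action property.
Added example with constructed data; a simplified model, not Check Point's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple, Union

ANY = "any"
ALL_IDENTIFIED = "all identified"
GUESTS = "unauthenticated guests"   # guests who registered in the portal


@dataclass
class Identity:
    user: Optional[str]     # None when only the machine is known
    machine: Optional[str]
    kind: str               # "user" (credentials) or "guest" (portal form)


@dataclass
class AccessRole:
    name: str
    users: Union[str, Set[str]] = ANY      # ANY, ALL_IDENTIFIED, GUESTS or names
    machines: Union[str, Set[str]] = ANY   # ANY, ALL_IDENTIFIED or names
    networks: Union[str, List[str]] = ANY  # ANY or CIDR strings

    def matches(self, ident: Identity, src_ip: str) -> bool:
        if self.users == ANY:
            ok_user = True
        elif self.users == ALL_IDENTIFIED:
            ok_user = ident.kind == "user" and ident.user is not None
        elif self.users == GUESTS:
            ok_user = ident.kind == "guest"
        else:
            ok_user = ident.kind == "user" and ident.user in self.users
        if self.machines == ANY:
            ok_machine = True
        elif self.machines == ALL_IDENTIFIED:
            ok_machine = ident.machine is not None
        else:
            ok_machine = ident.machine in self.machines
        if self.networks == ANY:
            ok_net = True
        else:
            addr = ip_address(src_ip)
            ok_net = any(addr in ip_network(n) for n in self.networks)
        return ok_user and ok_machine and ok_net


@dataclass
class Rule:
    name: str
    source: Union[AccessRole, str]    # an Access Role or a CIDR string
    destination: str                  # object name; ANY matches everything
    action: str                       # "accept" or "drop"
    redirect_to_portal: bool = False  # the Action Properties checkbox


def evaluate(rules: List[Rule], identities: Dict[str, Identity],
             src_ip: str, destination: str) -> Tuple[str, str]:
    """Walk the Rule Base top-down and return (decision, rule name).

    decision is "accept", "drop" or "redirect". A redirect happens only when
    an accept rule with the checkbox set is reached by a source IP that is not
    mapped to any identity; a mapped IP that does not fit the role simply
    falls through, as the note in the text states.
    """
    ident = identities.get(src_ip)
    for rule in rules:
        if rule.destination not in (ANY, destination):
            continue
        if isinstance(rule.source, AccessRole):
            if ident is None:
                if rule.action == "accept" and rule.redirect_to_portal:
                    return "redirect", rule.name
                continue  # an unidentified source cannot match an Access Role
            if not rule.source.matches(ident, src_ip):
                continue
        elif ip_address(src_ip) not in ip_network(rule.source):
            continue
        return rule.action, rule.name
    return "drop", "implicit"


# Constructed Rule Base and identity map for the ACME scenarios.
HR_PARTNER = AccessRole("HR_Partner", users={"John Adams"})
CEO_IPAD = AccessRole("CEO_iPad", users={"Jennifer McHanry"})
GUEST_ROLE = AccessRole("Guests", users=GUESTS)
RULES = [
    Rule("HR access", HR_PARTNER, "HR Web Server", "accept"),
    Rule("Finance CEO", CEO_IPAD, "Finance Server", "accept", redirect_to_portal=True),
    Rule("Guest Internet", GUEST_ROLE, "Internet", "accept", redirect_to_portal=True),
    Rule("Cleanup", "0.0.0.0/0", ANY, "drop"),
]
IDENTITIES = {
    "10.0.0.19": Identity("John Adams", "HR-LAPTOP01", "user"),  # learned by AD Query
    "10.0.9.5": Identity("guest-0042", None, "guest"),           # registered in the portal
}

if __name__ == "__main__":
    print(evaluate(RULES, IDENTITIES, "10.0.0.19", "HR Web Server"))   # accept
    print(evaluate(RULES, IDENTITIES, "10.0.1.77", "Finance Server"))  # redirect
```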
Figure 82 — SmartView Tracker Log

This log entry shows that the system maps the source IP to the user name "Jennifer McHanry". This uses the identity acquired from Captive Portal.

Scenario: Guest Users from Unmanaged Devices

Guests frequently come to the ACME company. While they visit, the CEO wants to let them access the Internet on their own laptops. Amy, the IT administrator, configures the Captive Portal to let unregistered guests log in to the portal to get network access. She makes a rule in the Firewall Rule Base to let unauthenticated guests access the Internet only.

When guests browse to the Internet, the Captive Portal opens. Guests enter their name, company, email address, and phone number in the portal. They then agree to the terms and conditions written in a network access agreement. Afterwards they are given access to the Internet for a specified period of time.

To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a gateway and select Browser-Based Authentication as one of the Identity Sources.
2. In the Portal Settings window in the User Access section, make sure that Unregistered guest login is selected.
3. Click Unregistered guest login - Settings.
4. In the Unregistered Guest Login Settings window, configure:
   - The data guests must enter.
   - For how long users can access the network resources.
   - If a user agreement is required and its text.
5. Create two new rules in the Firewall Rule Base:
   If it is not already there, create a rule that identified users can access the Internet from the organization.
   a. From the Source of the rule, right-click to create an Access Role.
   b. Enter a Name for the Access Role.
   c. In the Users tab, select All identified users.
   d. Click OK.
   e. The Access Role is added to the rule.

Figure 83 — Access Role

   Create a rule to let Unauthorized Guests access only the Internet.
   a. From the Source of the rule, right-click to create an Access Role.
   b. Enter a Name for the Access Role.
   c. In the Users tab, select Specific users and choose Unauthenticated Guests.
   d. Click OK. The Access Role is added to the rule.
   e. Select accept as the Action.
   f. Right-click the Action column and select Edit Properties. The Action Properties window opens.
   g. Select Redirect http connections to an authentication (captive) portal. Note: redirection will not occur if the source IP is already mapped to a user.
   h. Click OK.

Figure 84 — Internet Rule

From the perspective of a guest at ACME, he or she does these steps:
1. Browses to an Internet site from her laptop. The Captive Portal opens because she is not identified and therefore cannot access the Internet.
2. She enters her identifying data in the Captive Portal and reads through and accepts a network access agreement. A Welcome to the network window opens.
3. She can successfully browse to the Internet for a specified period of time.

The SmartView Tracker log shows how the system recognizes a guest:

Figure 85 — Guest Record

Identity Agents

There are two types of Identity Agents:
• Endpoint Identity Agents - dedicated client agents installed on users' computers that acquire and report identities to the Security Gateway.
• Terminal Servers Identity Agent - an agent installed on an application server that hosts Citrix/Terminal services. It identifies individual users whose source is the same IP address.
Figure 86 — Identity Agent

Endpoint Identity Agent for Identity Awareness is recommended for:
• Leveraging identity for Data Center protection
• Protecting highly sensitive servers
• When accuracy in detecting identity is crucial

Using Endpoint Identity Agents gives you:
• User and machine identity
• Minimal user intervention - all necessary configuration is done by administrators and does not require user input
• Seamless connectivity - transparent authentication using Kerberos Single Sign-On (SSO) when users are logged in to the domain. If you do not want to use SSO, users enter their credentials manually. You can let them save these credentials.
• Connectivity through roaming - users stay automatically identified when they move between networks, as the client detects the movement and reconnects.
• Added security - you can use the patented packet tagging technology to prevent IP Spoofing. Endpoint Identity Agents also give you strong (Kerberos based) user and machine authentication.

These are the types of Endpoint Identity Agents you can install:
• Full — requires administrator permissions for installation. If installed by a user without administrator permissions, it will automatically revert to installing the Light agent. The Full agent performs packet tagging and machine authentication.
• Light — does not require administrator permissions for installation. Cannot be configured with packet tagging or machine authentication. The Light agent supports Microsoft Windows and Mac OS X. For supported version information, see the R75.40 Release Notes (http://supportcontent.checkpoint.com/solutions?id=sk67581).
• Custom — a customized installation package.
Users can download and install Endpoint Identity Agents from the Captive Portal, or you can distribute MSI/DMG files to computers with distribution software or any other method (such as telling them where to download the client from).

Figure 87 — Captive Portal Download

This is how a user downloads the Endpoint Identity Agent from the Captive Portal:
1. A user logs in to his PC with his credentials and wants to access the Internal Data Center.
2. The Security Gateway enabled with Identity Awareness does not recognize him and sends him to the Captive Portal.
3. The Security Gateway sends a page that shows the Captive Portal to the user. It contains a link that he can use to download the Endpoint Identity Agent.
4. The user downloads the Endpoint Identity Agent from the Captive Portal and installs it on his PC.
5. The Endpoint Identity Agent client connects to the Security Gateway. If SSO with Kerberos is configured, the user is automatically connected.
6. The user is authenticated and the Security Gateway sends the connection to its destination according to the Firewall Rule Base.

Terminal Servers Identity Agent is used to identify multiple users that connect from one IP address, where a Terminal Servers Identity Agent is installed on the application server that hosts Terminal/Citrix services. The Terminal Servers Identity Agent identifies users that use a Terminal Server or Citrix environment.

Scenario: Endpoint Identity Agent Deployment and User Group Access

The ACME organization wants to make sure that only the Finance Department can access the Finance Web server. The current Rule Base uses static IP addresses to define access for the Finance Department.
Amy, the IT administrator, wants to leverage the use of Endpoint Identity Agents so that:
• Finance users will automatically be authenticated one time with SSO when logging in (using Kerberos, which is built into Microsoft Active Directory).
• Users that roam the organization will have continuous access to the Finance Web server.
• Access to the Finance Web server will be more secure by preventing IP spoofing attempts.

Amy wants Finance users to download the Endpoint Identity Agent from the Captive Portal. She needs to configure:
• Identity Agents as an identity source for Identity Awareness.
• Agent deployment for the Finance department group from the Captive Portal. She needs to deploy the Full Identity Agent so she can set the IP spoofing protection. No configuration is necessary on the client for IP spoofing protection.
• A rule in the Rule Base with an access role for Finance users, from all managed machines and from all locations with IP spoofing protection enabled.

To make this scenario work, the IT administrator must:
1. Enable Identity Awareness on a gateway and select Identity Agents and Browser-Based Authentication as Identity Sources.
2. Click the Browser-Based Authentication Settings button.
3. In the Portal Settings window in the Users Access section, select Name and password login.
4. In the Identity Agent Deployment from the Portal, select Require users to download and select the Identity Agent - Full option. Note: This configures Endpoint Identity Agent for all users. Alternatively, you can set Identity Agent download for a specific group.
5. Configure Kerberos SSO.
6. Create a rule in the Firewall Rule Base that lets only Finance Department users access the Finance Web server and install policy:
   a. From the Source of the rule, right-click to create an Access Role.
   b. Enter a Name for the Access Role.
   c. In the Networks tab, select Specific users and add the Active Directory Finance user group.
   d. In the Users tab, select All identified users.
   e. In the Machines tab, select All identified machines and select Enforce IP spoofing protection (requires Full Identity Agent).
   f. Click OK.
   g. The Access Role is added to the rule.

Figure 88 — Rule

7. Install Policy. The Finance Department user can now browse to the Finance Web server, where the Captive Portal opens because the user is not identified and cannot access the server.
8. A link to download the Endpoint Identity Agent will be displayed.

Figure 89 — Endpoint Identity Agent Link

9. The user clicks the link to download the Endpoint Identity Agent. The user automatically connects to the gateway. A window opens asking the user to trust the server. Note: The trust window opens because the user connects to the Security Gateway with Identity Awareness using the File name based server discovery option. (Note that there are other server discovery methods that do not require user trust confirmation.)
10. Click OK. The user automatically connects to the Finance Web server. The user can successfully browse to the Internet for a specified period of time.

Other options that can be configured for Endpoint Identity Agents:
• A method that determines how Endpoint Identity Agents connect to a Security Gateway enabled with Identity Awareness and trust it.
• Access roles to leverage machine awareness.
• End user interface protection so users cannot access the client settings.
• Let users defer client installation for a set time and ask for user agreement confirmation.

Deployment Scenario: Identifying Users Accessing the Internet through Terminal Servers

The ACME organization defined a new policy that only allows users to access the Internet through Terminal Servers. The ACME organization wants to make sure that only the Sales department will be able to access Facebook.
The current Rule Base uses static IP addresses to define access for Facebook, but now all connections are initiated from the Terminal Servers' IP addresses.

Amy, the IT administrator, wants to leverage the use of the Terminal Servers solution so that:
• Sales users will automatically be authenticated with Identity Awareness when logging in to the Terminal Servers.
• All connections to the Internet will be identified and logged.
• Access to Facebook will be restricted to the Sales department's users.

To enable the Terminal Servers solution, Amy must:
• Configure Terminal Servers Identity Agents as an identity source for Identity Awareness.
• Install a Terminal Servers Identity Agent on each of the Terminal Servers.
• Configure a shared secret between the Terminal Servers Identity Agents and the Identity Server.

After configuration and installation of the policy, users that log in to Terminal Servers and browse to the Internet will be identified, and only Sales department users will be able to access Facebook.

You can deploy Check Point Security Gateways enabled with Identity Awareness in various scenarios that provide a maximum level of security for your network environment and corporate data. This section describes recommended deployment scenarios and options available with Identity Awareness.

• Perimeter security gateway with Identity Awareness — This deployment scenario is the most common scenario, where you deploy the Check Point security gateway at the perimeter where it protects access to the DMZ and the internal network.
The perimeter security gateway can also control and inspect outbound traffic, targeted to the Internet. In this case, you can create an identity-based firewall security Rule Base together with Application Control.
• Data Center protection — If you have a Data Center or server farm, segregated from the users' network, you can protect access to the servers with the security gateway. To do this, deploy the security gateway inline in front of the Data Center. All traffic that flows is then inspected by the gateway. You can control access to resources and applications with an identity-based access policy. You can deploy the security gateway in transparent mode (bridge mode) to avoid significant changes in the existing network infrastructure.
• Large scale enterprise deployment — In large scale enterprise networks, there is a need to deploy multiple security gateways at different network locations, such as the perimeter firewall and multiple Data Centers. Identity Awareness capability is centrally managed through the Security Management Server and SmartDashboard. You can distribute the identity-based policy to all identity aware security gateways in the network. Identity information about all users and machines obtained by each gateway is shared between all gateways in the network to provide a complete Identity Awareness infrastructure.
• Network segregation — The security gateway helps you migrate or design internal network segregation. Identity Awareness lets you control access between different segments in the network by creating an identity-based policy. You can deploy the security gateway close to the access network to avoid malware threats and unauthorized access to general resources in the global network.
• Distributed enterprise with branch offices — The distributed enterprise consists of remote branch offices connected to the headquarters through VPN lines.
You can deploy the security gateway at the remote branch offices to avoid malware threats and unauthorized access to the headquarters' internal network and Data Centers. When you enable Identity Awareness at the branch office gateway, you make sure that users are authenticated before they reach internal resources. The identity information learned from the branch office gateways is shared between internal gateways to avoid unnecessary authentications.
• Wireless campus — Wireless networks are not considered secure for network access; however, they are intensively used to provide access to wireless-enabled corporate devices and guests. You can deploy a security gateway enabled with Identity Awareness inline in front of the wireless switch, provide an identity aware access policy, and inspect the traffic that comes from WLAN users. Identity Awareness gives guests access by authenticating guests with the web Captive Portal.

Practice and Review

Practice Labs
Lab 9: Identity Awareness

Review
1. Identity Awareness lets you configure network access based on what?
2. Browser-based Authentication lets you acquire identities from...?
3. What are the two types of Identity Agents?

Introduction to Check Point VPNs

Introduction to VPNs
Virtual Private Networking technology leverages the Internet to build and enhance secure network connectivity. Based on standard Internet secure protocols, a VPN enables secure links between special types of network nodes: the Gateways. Site-to-site VPN ensures secure links between Gateways; Remote Access VPN ensures secure links between Gateways and remote access clients.

Learning Objectives:
• Configure a certificate-based site-to-site VPN.
• Configure permanent tunnels for remote access to corporate resources.
• Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels.

The Check Point VPN
A Virtual Private Network (VPN) is a secure-connectivity platform that both connects networks and protects the data passing between them. For example, an organization may have geographically spaced networks connected via the Internet; the company has connectivity but no privacy. The Gateway provides privacy by encrypting those connections that need to be secure. Another company may connect all parts of its geographically spaced network through the use of dedicated leased lines; this company has achieved connectivity and privacy, but at great expense. The Gateway offers a cheaper connectivity solution by connecting the different parts of the network via the public Internet.

Figure 90 — Check Point VPN Deployment

A VPN employs encrypted tunnels to exchange securely protected data. The Security Gateway creates encrypted tunnels by using the Internet Key Exchange (IKE) and IP Security (IPSec) protocols - ESP (Encapsulating Security Payload). IKE creates the VPN tunnel, and this tunnel is used to transfer IPSec encoded data. Think of IKE as the process that builds a tunnel, and IPSec packets as trucks that carry the encrypted data along the tunnel.

VPN Deployments

Site-to-Site VPNs
A VPN uses the Internet as its network backbone, allowing the establishment of secure communication links among company offices, business partners, and so on. VPNs are replacing more expensive leased lines, Frame Relay circuits, and other forms of dedicated connections. Site-to-site VPNs are built to handle secure communication between a company's internal departments and branch offices.
A site-to-site VPN's design requirements include:
• Strong data encryption, to protect confidential information.
• Reliability for mission-critical systems, such as database management.
• Scalability, to accommodate growth and change.

Figure 91 — Site-to-Site VPN

Remote-Access VPNs
Remote-access VPNs are built to handle secure communication between a corporate network, and remote or mobile employees. A remote-access VPN's design requirements include:
• Strong authentication, to verify remote and mobile users.
• Centralized management.
• Scalability, to accommodate user groups.

Figure 92 — Remote-Access VPN

VPN Implementation
A complete VPN implementation supports both VPN categories: site-to-site and remote-access VPNs. This allows a company worldwide access to network resources, links mobile workers to corporate intranets, allows customers to place orders, and enables suppliers to check inventory levels — all in a highly secure and cost-effective manner.

Figure 93 — Check Point VPN Example

The complete VPN must include three critical VPN components:
• VPN Endpoints — Gateways, clusters of gateways, or remote client software (for mobile users) which negotiate the VPN link.
• VPN Trust Entities — For example, the Check Point Internal Certificate Authority. The ICA is part of the Check Point suite used for establishing trust for SIC connections between Gateways, authenticating administrators and third party servers. The ICA provides certificates for internal Gateways and remote access clients which negotiate the VPN link.
• VPN Management Tools — Security Management Server and Dashboard.
SmartDashboard is the SmartConsole component used to access the Security Management Server. The VPN Manager is part of SmartDashboard.

VPN Setup
SmartDashboard enables organizations to define and deploy site-to-site and remote access VPNs. Configuring a VPN can be a complicated task for Security Administrators. Check Point's management tools provide a simplified VPN setup mode, reducing the VPN configuration process to essentials, and making setup straightforward and simple.

Understanding VPN Deployment

VPN Communities
The Check Point VPN management model enables Administrators to directly define a VPN on a group of Gateways. Each Gateway in a group, and all (or part) of its protected domain, constitute a new entity: a VPN site. (A VPN site is not to be confused with a site that is defined for Endpoint Security Secure Access clients.) Each VPN site performs encryption on behalf of a VPN Domain - the protected domain or part of the domain requiring encrypted connections to the peer VPN Site. System Administrators group VPN sites together, creating a VPN Community. A VPN Community is a collection of VPN sites and the enabled VPN tunnels (secure connections) among them, with predefined properties that are automatically applied to each Community member. The structure of the VPN Community is automatically translated into encrypted connections among its members, so the Administrator is relieved of the task of
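To make the tunnel-sharing learning objective concrete (host-based, subnet-based and gateway-based tunnels) against the VPN Domain concept defined above, here is an added Python model; it is not code from this manual or from Check Point. It assumes two gateways with constructed VPN domains and a constructed set of flows between hosts in those domains, and counts how many distinct tunnels the same traffic would need under each sharing mode. The gateway names, subnets and flows are all made up for the example.

```python
# Constructed model of VPN tunnel sharing modes; not Check Point code.
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed VPN domains: the subnets each gateway encrypts on behalf of (constructed values).
VPN_DOMAINS: Dict[str, List[str]] = {
    "gw-hq": ["10.1.0.0/24", "10.1.1.0/24"],
    "gw-branch": ["10.2.0.0/24"],
}

# Constructed traffic sample: (source host, destination host).
SAMPLE_FLOWS: List[Tuple[str, str]] = [
    ("10.1.0.5", "10.2.0.7"),   # HQ host -> branch host
    ("10.1.0.6", "10.2.0.7"),   # second HQ host in the same subnet
    ("10.1.1.9", "10.2.0.8"),   # host in the other HQ subnet
    ("10.2.0.7", "10.1.0.5"),   # reply direction of the first flow
    ("10.1.0.5", "10.1.1.9"),   # both ends inside gw-hq's domain: no tunnel needed
]


def gateway_and_subnet(ip: str) -> Tuple[str, ipaddress.IPv4Network]:
    """Find the gateway whose VPN domain contains ip, and the matching subnet."""
    addr = ipaddress.ip_address(ip)
    for gw, subnets in VPN_DOMAINS.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if addr in net:
                return gw, net
    raise ValueError(f"{ip} is not in any VPN domain")


def tunnel_key(src_ip: str, dst_ip: str, mode: str) -> Optional[Tuple[str, str]]:
    """Identify the tunnel a flow would use under a sharing mode.

    mode: "host"    - one tunnel per pair of hosts
          "subnet"  - one tunnel per subnet pair
          "gateway" - one tunnel per gateway pair
    Returns None when both ends are in the same VPN domain (no encryption needed).
    """
    gw_s, net_s = gateway_and_subnet(src_ip)
    gw_d, net_d = gateway_and_subnet(dst_ip)
    if gw_s == gw_d:
        return None
    if mode == "host":
        ends = (src_ip, dst_ip)
    elif mode == "subnet":
        ends = (str(net_s), str(net_d))
    elif mode == "gateway":
        ends = (gw_s, gw_d)
    else:
        raise ValueError(f"unknown sharing mode {mode!r}")
    # One tunnel serves both directions, so order the endpoints canonically.
    a, b = sorted(ends)
    return (a, b)


def count_tunnels(flows: Iterable[Tuple[str, str]], mode: str) -> int:
    """Number of distinct tunnels the flows require under the given mode."""
    keys = {k for k in (tunnel_key(s, d, mode) for s, d in flows) if k is not None}
    return len(keys)


def compare_modes(flows: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    flows = list(flows)
    return {mode: count_tunnels(flows, mode) for mode in ("host", "subnet", "gateway")}


if __name__ == "__main__":
    for mode, n in compare_modes(SAMPLE_FLOWS).items():
        print(f"{mode:8s}: {n} tunnel(s) for {len(SAMPLE_FLOWS)} flows")
```

For the constructed flows the model yields three host tunnels, two subnet tunnels and one gateway tunnel. Each tunnel is a separate IKE negotiation and separate IPSec state on both gateways, so the finer the sharing mode, the more negotiations and the more keys a gateway maintains; the coarser the mode, the more traffic is multiplexed over a single tunnel. Both peers have to agree on the granularity, which is why the setting is worth checking first when a tunnel to a third-party device negotiates but passes only some of the expected subnets.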