©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.puresecurity
Check Point Security Administration II NGX R65
Slide Graphic Legend
Course Objectives
Part 1: Updating and Upgrading
Chapter 1: SmartUpdate
– Identify the common operational features of SmartUpdate.
– Use SmartUpdate to create an upgrade package.
– Upgrade and attach product licenses using SmartUpdate.
Chapter 2: Upgrading VPN-1
– Determine which VPN-1 upgrade strategy is appropriate, given a variety of scenarios.
– Determine VPN-1 license requirements, based on upgrade strategy.
Course Objectives
Part 2: Virtual Private Networks
Chapter 3: Encryption and VPNs
– Explain encryption for VPNs.
– Compare and contrast common encryption methods.
– Describe the process for setting up encrypted VPN tunnels.
Chapter 4: Introduction to VPNs
– Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.
– Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.
– Adjust NGX R65 VPN configuration settings to correct a problem, given symptoms of a configuration problem.
Course Objectives
Chapter 5: Site-to-Site VPNs
– Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.
– Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.
– Adjust VPN configuration settings to correct a problem, given symptoms of a configuration problem.
Chapter 6: Remote Access VPNs
– Configure VPN-1 to support remote-access VPNs, given a variety of business requirements.
Course Objectives
Part 3: High Availability and ClusterXL
Chapter 7: High Availability and ClusterXL
– Identify the features and limitations of Management High Availability.
– Identify the benefits and limitations of different modes in a ClusterXL configuration.
– Configure a ClusterXL VPN, given a specific business scenario.
– Implement and test State Synchronization, given a business scenario.
Preface
Check Point Security Administration II NGX (R65)
Course Layout
Prerequisites
Check Point Certified Security Expert (CCSE)
Recommended Setup for Labs
Recommended Lab Topology
IP Addresses
Lab Terms
Check Point Security Architecture
PURE Security
Check Point Components
Unified Security Architecture
Broad Range of Security Solutions
Network Security Data Security Security Management Services
Training and Certification
CCMA
Learn More
Part 1: Updating and Upgrading
Chapter 1: SmartUpdate
Chapter 2: Upgrading VPN-1
Chapter 1: SmartUpdate
Objectives
– Identify the common operational features of SmartUpdate.
– Use SmartUpdate to create an upgrade package.
– Upgrade and attach product licenses using SmartUpdate.
Introduction to SmartUpdate
Optional component of VPN-1 that automatically distributes software applications and updates for Check Point and OPSEC certified products
Manages product licenses
SmartUpdate Architecture
Upgrading Packages
Prerequisites for Remote Upgrades
Retrieving Data From VPN-1 Gateways
Adding New Packages to the Package Repository
Verifying the Viability of a Distribution
Transferring Files to Remote Devices
Upgrading Edge Firmware with SmartUpdate
Rebooting the VPN-1 Gateway
Recovering From a Failed Upgrade
Deleting Packages From the Package Repository
Managing Licenses
Central license: package license tied to IP address of SmartCenter Server
Local license: package license tied to IP address of VPN-1 Gateway, and cannot be transferred to Gateway with different IP address
License Upgrade
Retrieving License Data From VPN-1 Gateways
CPInfo
SmartUpdate Command Line
Lab 1: Updating an Installation with SmartUpdate
Review Questions & Answers
1. What can be upgraded remotely using SmartUpdate?
– VPN-1 Gateways
– Hotfixes, HFAs, and patches
– Third-party OPSEC applications
– UTM Edge devices
– Nokia operating systems
– Check Point SecurePlatform
2. What two repositories does SmartUpdate install on the SmartCenter Server?
– License & Contract Repository in $FWDIR\conf
– Package Repository in C:\SUroot (Windows), /var/suroot (UNIX)
3. What does the Pre-Install Verifier check?
– Operating-system compatibility
– Disk-space availability
– Package not already installed
– Package dependencies met
4. What are the benefits of using a central license?
– Only one IP address is needed for all licenses.
– A license can be moved from one Gateway to another.
– A license remains valid when changing Gateway IP addresses.
Chapter 2: Upgrading VPN-1
Objectives
– Determine which VPN-1 upgrade strategy is appropriate, given a variety of scenarios.
– Determine VPN-1 license requirements, based on upgrade strategy.
Preinstallation Configuration
– Remove any services not running that might be considered a security risk.
– Ensure your network and Gateway are properly configured, with special emphasis on routing.
– Log in to each of the hosts, and Ping the other hosts.
– Enable IP routing/forwarding.
– Confirm that DNS is working properly.
– Note names/IP addresses of the Gateway’s interfaces.
– Confirm Gateway’s name corresponds to IP address of Gateway’s external interface.
– Isolate the computers on which you will be installing VPN-1 components from the network.
– Verify you have correct version of software for all VPN-1 components.
Distributed Installation
VPN-1 Client/Server Configuration
Upgrading To VPN-1 NGX R65
Upgrade Guidelines
Upgrade Order
Upgrade Export/Import
Upgrading via SmartUpdate
VPN-1 Backward Compatibility
Supported Versions
Licensing VPN-1
Obtaining Licenses
Supported Upgrade Paths
Contract Verification
Performing License Upgrade
Two Upgrade Methods
Trial Licenses
Pre-Upgrade Considerations
Pre-Upgrade Verification Tool
Web Intelligence License Enforcement
Upgrading on SecurePlatform
Upgrading SmartCenter Server
Using the Pre-Upgrade Verification Tool
Gateway Upgrade
Gateway Upgrade with SmartUpdate
Review Questions & Answers
1. What is the correct order for a VPN-1 upgrade?
SmartCenter Server first, then Security Gateway
2. What should be done before installing a VPN-1 Security Gateway?
– Remove any services not running that may be a security risk.
– Make sure your network and Gateway are properly configured.
– Test network communication.
– Enable IP routing/forwarding.
– Confirm DNS is working properly.
– Note the names and IP addresses of the Gateway’s interfaces.
– Confirm the Gateway is shown in the hosts files correctly.
– Isolate the computers.
– Verify the correct version of software for your OS.
3. What methods are there for upgrading licenses?
– Centrally, from the SmartCenter Server via SmartUpdate
– Locally at the Check Point machine
4. Which products can be upgraded to NGX R65?
– VPN-1 Pro Gateways
– SecurePlatform
– SmartView Monitor
– Eventia Reporter
– UserAuthority Server
– Policy Server
– Check Point QoS
– Nokia OS
– UTM-1
Part 2: Virtual Private Networks
Chapter 3: Encryption and VPNs
Chapter 4: Introduction to VPNs
Chapter 5: Site-to-Site VPNs
Chapter 6: Remote Access VPNs
Chapter 3: Encryption and VPNs
Objectives
– Explain encryption for VPNs.
– Compare and contrast common encryption methods.
– Describe the process for setting up encrypted VPN tunnels.
Securing Communication
Privacy
Shared-Secret Key
Symmetric Encryption
Symmetric Disadvantages
Asymmetric Encryption
Diffie-Hellman Encryption
Integrity
– Hash Function
Authentication
– Digital Signature
Two Phases of Encryption
Encryption Algorithms
IKE
ISAKMP
Oakley
ISAKMP/Oakley
Phase 1
Phase 2
IKE Example
Tunneling-Mode Encryption
– Encrypted Packet
Certificate Authorities
Certificates
Multiple Certificate Authorities
Certificate Authority Hierarchy
Local Certificate Authority
CA Service via the Internet
Internal Certificate Authority
CA Public Keys
– CA Action
Creating Certificates
Review Questions & Answers
1. What three tenets of network communication do Security Administrators need to ensure?
Confidentiality — No one, other than the intended parties, can understand the communication.
Integrity — The sensitive data passed between the communicating parties is unchanged.
Authentication — The communicating parties must be sure they are connecting with the intended party.
2. Which encryption system uses a different key for encryption and decryption?
Asymmetric cryptographic systems
3. What two modes does VPN-1 supply for IKE Phase 1 between Gateways?
– Main mode (default)
– Aggressive mode
4. Which encryption method encapsulates an entire packet, adding its own encryption protocol header to the packet?
Tunnel-mode encryption
Chapter 4: Introduction to VPNs
Objectives
– Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.
– Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.
– Adjust NGX R65 VPN configuration settings to correct a problem, given symptoms of a configuration problem.
The Check Point VPN
– Check Point VPN Topology
Simplified VPN Tunnel
How a VPN Works
– Gateway-to-Gateway Network configuration
Specifying Encryption
VPN Deployments
Site-to-Site VPNs
Remote-Access VPNs
VPN Implementation
Three Critical VPN Components
– Complete VPN
VPN Setup
– Two-Network Configuration
How a VPN Works
– VPN Tunnel
VPN Communities
VPN Topologies
– Basic Meshed Community
– Star VPN Community
Choosing a Topology
– Star and Mesh Combined
– Different Encryptions in Mesh Communities
– Special Condition
– Three VPN Communities
Authentication Between Community Members
Dynamically Assigned IP Gateways
Routing Traffic Within a VPN Community
Access Control and VPN Communities
– Access Control in VPN Communities
Special Considerations for Planning a VPN Topology
Integrating VPNs into a Rule Base
Review Questions & Answers
1. What is a VPN Community?
A collection of VPN-enabled Gateways capable of communication via VPN tunnels
2. What is a meshed VPN Community?
A VPN Community in which a VPN site can create a VPN tunnel with any other VPN site within the Community
3. Which is the preferred means of authentication between VPN Community members, and why?
Certificates, because they are more secure than pre-shared secrets
4. If both domain-based VPN and route-based VPN are configured, which will take precedence?
Domain-based VPN
5. When planning a VPN topology, what questions should be asked?
– Who needs secure/private access?
– From the point of view of the VPN, what will be the structure of the organization?
– How will externally managed Gateways authenticate?
Chapter 5: Site-to-Site VPNs
Objectives
– Select the appropriate VPN deployment to meet requirements, given a variety of scenarios.
– Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements.
– Adjust VPN configuration settings to correct a problem, given symptoms of a configuration problem.
Site-to-Site VPN
Domain-Based VPN
Simple VPN Routing
Route-Based VPN
VPN Routing Process for VTIs
Routing to a Virtual Interface
Route-Based VPN
Routing Multicast Packets Through VPN Tunnels
Multicasting
VPN Tunnel Management
Permanent Tunnels
Permanent Tunnel in MEP Environment
VPN Tunnel Sharing
Wire Mode
Wire Mode in a MEP Configuration
– Wire Mode in MEP
Wire Mode with Route-Based VPN
– Wire Mode in a Satellite Community
Wire Mode Between Two VPN Communities
Directional VPN Enforcement
Directional Enforcement Between Communities
Directional Enforcement Within a Community
Directional Enforcement Between Communities
– Directional VPN between Mesh and Star Communities
Multiple Entry Point VPNsMultiple Entry Point VPNs
VPN High Availability with MEP
55
132©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.puresecurity
Traditional Mode VPNsTraditional Mode VPNs
Organizations with large VPN deployments with complex networks may continue to work within Traditional Mode.
VPN Domains and Encryption Rules
55
2. Two-Gateway IKE Encryption (Shared Secret)
3. Two-Gateway IKE Encryption (Certificates)
Review Questions & Answers
1. What type of VPN does the use of VPN tunnel interfaces support?
Route-based VPNs

2. What are the three types of VPN tunnel sharing supported by VPN-1?
One VPN tunnel per each pair of hosts
One VPN tunnel per subnet pair
One VPN tunnel per Gateway pair

3. What is the advantage of a Wire Mode VPN?
Improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement, and relying on the security of the trusted VPN connection itself

4. What are the primary benefits of Multiple Entry Point VPNs?
High Availability
Load Sharing
Chapter 6: Remote Access VPNs
Objectives
Configure VPN-1 to support remote-access VPNs, given a variety of business requirements.

Remote Access VPN
VPN-1 SecuRemote enables you to create a VPN tunnel between a remote user and your organization’s internal network.
Extending SecuRemote with SecureClient
Connect Mode
Establishing Remote Access — Workflow

Remote Access VPN
Workflow for Establishing Remote Access VPN

Office Mode
How Office Mode Works

Office Mode
– Office Mode Process

Office Mode Planning
IP Pool vs. DHCP
Routing-Table Modifications
Multiple External Interfaces
Before Configuring Office Mode

Desktop Security Policy
Policy Expiration and Renewal
Policy Server HA
Wireless Hotspot/Hotel Registration
Logging
SecureClient Mobile

VPN Routing — Remote Access
VPN routing provides a way of controlling how VPN traffic is directed.
VPN routing can be implemented with Gateways and remote-access clients.
Configuration for VPN routing is performed either through SmartDashboard or by editing routing-configuration files.

VPN Routing — Remote Access
– Simple VPN Routing

VPN Routing — Remote Access
Hub Mode

SSL Network Extender
SSL Network Extender connects to an SSL-enabled Web server that is part of the Security Gateway. It is configured via SmartDashboard.
How SSL Network Extender Works
Prerequisites

Clientless VPN
Clientless VPN provides secure SSL-based communication between clients and servers that support HTTPS.
Two phases:
– Establishing a secure channel
– Communication phase

Clientless VPN
– Communication Phase

Clientless VPN
Special Considerations for Clientless VPN
Configuring Clientless VPN
Creating Appropriate Rules in the Rule Base
4. Configuring Remote Access in an IKE VPN
5. Using SecuRemote in an IKE VPN
6. Remote Access and Office Mode
7. SSL Network Extender
Review Questions & Answers
1. When a SecuRemote/SecureClient needs to know the elements of the organization’s internal network to build a connection, how is that information sent?
Over a connection secured and authenticated using IKE over SSL

2. What is the most recommended and manageable method for client-Gateway authentication?
Digital Certificates

3. What problem does Office Mode solve?
Nonroutable IP addresses; Office Mode enables a VPN-1 Gateway to assign a remote client an IP address.

4. What is the advantage of SSL Network Extender?
Simple to implement, easy-to-use remote-access solution
Part 3: High Availability
Chapter 7: High Availability and ClusterXL
Objectives
Identify the features and limitations of Management High Availability.
Identify the benefits and limitations of different modes in a ClusterXL configuration.
Configure a ClusterXL VPN, given a specific business scenario.
Implement and test State Synchronization, given a business scenario.

Management High Availability
– Management High Availability Deployment

Management High Availability
Management High Availability Environment
Synchronization Status

Management High Availability
– Typical Management High Availability Example

ClusterXL
– VPN-1 Gateway Cluster

ClusterXL
Load Sharing

ClusterXL Modes
Legacy High Availability Mode
New High Availability Mode
Load Sharing Multicast Mode
Load Sharing Unicast (Pivot) Mode

ClusterXL Modes
– Load Sharing Unicast Mode

ClusterXL Modes
– Cluster Member Forwarding Packet

ClusterXL Modes
Cluster Control Protocol

Synchronizing Clusters
The Synchronization Network
How State Synchronization Works
Synchronized-Cluster Restrictions

Sticky Connections
The Sticky Decision Function

cpha Commands
cphastart
cphastop
cphaprob
cphaprob Syntax
cphaprob Example
fw hastat

Debugging ClusterXL Issues
fw ctl pstat
Sync Output

ClusterXL Configuration Issues
Modes of ClusterXL Supporting SecureXL
Crossover-Cable Support
8. Deploying New Mode HA
9. Load Sharing Unicast (Pivot) Mode
10. Configuring Load Sharing Multicast Mode (Optional)
Review Questions & Answers
1. For Management HA to function properly, what data must be synchronized and backed up?

2. In ClusterXL, what benefit does State Synchronization provide?
Ensures no data is lost in case of a cluster member failure; all connection information and VPN state information is synchronized between the members.

3. What does Load Sharing in Multicast Mode do?
Enables you to distribute network traffic between cluster members

4. In what two modes does State Synchronization work?
Full sync, which transfers all VPN-1 kernel-table information from one cluster member to another
Delta sync, which transfers changes in the kernel tables between cluster members
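The full-sync/delta-sync distinction above, as an added toy model (not Check Point's ClusterXL code, and the message format, the `ClusterMember` class and the connection tuples are assumptions made here): a member that joins the cluster receives every entry of the peer's connection table in one full sync, after which only the changes since the previous sync are shipped as deltas, so a failover finds the same table on the surviving member.

```python
"""Toy model of cluster state synchronization (added illustration, not
Check Point code). A connection table is keyed by a constructed 5-tuple;
full sync ships the whole table, delta sync ships only journaled changes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ConnKey = Tuple[str, int, str, int, str]          # (src, sport, dst, dport, proto)
Change = Tuple[str, ConnKey, Optional[dict]]       # ("set", key, state) or ("del", key, None)


@dataclass
class SyncMessage:
    kind: str                 # "full" or "delta"
    entries: List[Change]


@dataclass
class ClusterMember:
    name: str
    connections: Dict[ConnKey, dict] = field(default_factory=dict)
    journal: List[Change] = field(default_factory=list)   # changes since the last sync

    def open_connection(self, key: ConnKey, state: dict) -> None:
        self.connections[key] = dict(state)
        self.journal.append(("set", key, dict(state)))

    def update_connection(self, key: ConnKey, **changes) -> None:
        self.connections[key].update(changes)
        self.journal.append(("set", key, dict(self.connections[key])))

    def close_connection(self, key: ConnKey) -> None:
        del self.connections[key]
        self.journal.append(("del", key, None))

    def full_sync_message(self) -> SyncMessage:
        # Full sync: every table entry. It also resets the delta baseline,
        # so the next delta only carries changes made after this point.
        self.journal.clear()
        return SyncMessage("full", [("set", k, dict(v)) for k, v in self.connections.items()])

    def delta_sync_message(self) -> SyncMessage:
        # Delta sync: only the journaled changes, then start a fresh journal.
        msg = SyncMessage("delta", list(self.journal))
        self.journal.clear()
        return msg

    def apply_sync(self, msg: SyncMessage) -> None:
        # Applying a sync writes the table directly and is never journaled,
        # so a member does not echo the peer's changes back to it.
        if msg.kind == "full":
            self.connections.clear()
        for op, key, state in msg.entries:
            if op == "set":
                self.connections[key] = dict(state)
            else:
                self.connections.pop(key, None)     # tolerate a delete for an unknown key


def demo() -> dict:
    """Member B joins a running member A, then keeps up via one delta."""
    active = ClusterMember("member_A")
    # Constructed sample: 50 client connections already open on the active member.
    for i in range(50):
        active.open_connection(("10.0.0.%d" % (i + 1), 40000 + i, "192.0.2.10", 443, "tcp"),
                               {"state": "ESTABLISHED", "nat": None})

    standby = ClusterMember("member_B")
    full = active.full_sync_message()
    standby.apply_sync(full)

    # Traffic continues on A: one new connection, one closed, one state change.
    new_key = ("10.0.1.7", 51000, "192.0.2.20", 22, "tcp")
    active.open_connection(new_key, {"state": "SYN_SENT", "nat": None})
    active.close_connection(("10.0.0.3", 40002, "192.0.2.10", 443, "tcp"))
    active.update_connection(new_key, state="ESTABLISHED")
    delta = active.delta_sync_message()
    standby.apply_sync(delta)

    return {
        "in_sync": active.connections == standby.connections,
        "full_entries": len(full.entries),          # whole table
        "delta_entries": len(delta.entries),        # only the three changes
        "standby_connections": len(standby.connections),
        "new_conn_survives_failover": standby.connections.get(new_key, {}).get("state") == "ESTABLISHED",
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: the full sync carries 50 entries while the delta carries 3, yet after both the standby's table equals the active's, including the connection that was opened after the full sync. A real synchronization network carries this traffic continuously, which is why the course lists the sync network's isolation and its restrictions as separate topics.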
5. What is a “sticky” connection?
When all of a connection’s packets are handled, in either direction, by a single cluster member
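The sticky-connection definition above, illustrated by an added example that is not Check Point's Sticky Decision Function (the hashing scheme, member names and sample flows are assumptions constructed here): a member-selection hash that takes the packet header as seen will send a connection's reply direction to a different member than its forward direction, whereas ordering the two endpoints before hashing makes the decision direction-independent, so every packet of the connection lands on one member.

```python
"""Added illustration of why a sticky decision must be direction-independent
(not Check Point's algorithm). Member selection hashes a canonical form of
the connection so that A->B and B->A select the same cluster member."""
import zlib
from typing import Callable, List, Tuple

Packet = Tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)


def _digest(parts) -> int:
    # CRC32 rather than hash(): deterministic across processes and runs.
    return zlib.crc32("|".join(str(p) for p in parts).encode())


def naive_member(pkt: Packet, members: List[str]) -> str:
    # Hashes the header as seen (src before dst). The reply packet has the
    # endpoints swapped, so it may be assigned to a different member.
    return members[_digest(pkt) % len(members)]


def sticky_member(pkt: Packet, members: List[str]) -> str:
    # Canonical form: sort the two endpoints so both directions yield the
    # same key; the whole connection then maps to a single member.
    src, sport, dst, dport, proto = pkt
    a, b = sorted([(src, sport), (dst, dport)])
    return members[_digest((a, b, proto)) % len(members)]


def reply(pkt: Packet) -> Packet:
    src, sport, dst, dport, proto = pkt
    return (dst, dport, src, sport, proto)


def sample_flows(n: int) -> List[Packet]:
    # Constructed sample: n client connections to one HTTPS server.
    return [("10.0.%d.%d" % (i // 250, i % 250 + 1), 40000 + i, "192.0.2.10", 443, "tcp")
            for i in range(n)]


def split_connections(decide: Callable, flows: List[Packet], members: List[str]) -> int:
    """Count connections whose two directions would land on different members."""
    return sum(1 for f in flows if decide(f, members) != decide(reply(f), members))


def member_spread(decide: Callable, flows: List[Packet], members: List[str]) -> int:
    """Number of distinct members actually used; load sharing should be > 1."""
    return len({decide(f, members) for f in flows})


if __name__ == "__main__":
    members, flows = ["member_A", "member_B"], sample_flows(200)
    for name, fn in (("naive", naive_member), ("sticky", sticky_member)):
        print(name, "split connections:", split_connections(fn, flows, members),
              "members used:", member_spread(fn, flows, members))
```

Whether a connection needs to be sticky depends on the feature handling it: plain stateful inspection tolerates direction splitting as long as the tables are synchronized, while anything that keeps per-connection state the peer cannot reconstruct from a delta (such as an in-progress security server session) needs both directions on one member, which is the trade-off behind enabling the sticky decision.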