Cramsession: Certified Checkpoint Security Administrator
TM
© 2001 All Rights Reserved – BrainBuzz.com
1
Contents:
Firewall Definition
Different Firewall Technologies
  Packet Filtering
  Application Layer Gateway
  Stateful Inspection
Firewall-1 Products
  Enterprise Product
  Single Gateway Product
  Enterprise Management Product
  Firewall-1 Firewall Module
  Firewall-1 Inspect Module
Firewall-1 Architecture
Remote Management Putkey Configuration
Administrator Access
  Log in
Security Policy
  The Security Policy Tab (Rule 0)
    Applying Gateway Rules to Interface Direction
Rule Base
  Possible Rule Base actions include
  System Status Tool
  Content Security
  Anti-Spoofing
Network Address Translation (NAT)
  Classful Addressing
  NAT Modes
  Applying NAT Modes
  NAT Rule Base
  NAT Rules
  Address Resolution Protocol (ARP)
    ARP Request for Local Network
    ARP Request for Remote Network
    Routing Issues
    Static Source or Hide modes
    Static Destination
Authentication
  User Authentication
  Client Authentication
  Session Authentication
  Implicit Client Authentication
    Internal Authentication Schemes
    External Authentication Schemes
Firewall-1 GUIs
  Log Viewer GUI
  Log Viewer Logon
  Modes
  Log File
  System Status GUI
    System Status Updates
  Alerts
  Solving SYN Flood Problem
    SYN Relay
    SYN Gateway
    Passive SYN Gateway
Firewall Definition
• A device that enforces a security policy on communication between internal and/or external networks
• It controls which machines or network users can connect through the firewall to reach elements on the other side
Note: A firewall cannot protect against malicious authorised users, nor against connections that do not pass through it, and no firewall offers a 100% guarantee that it cannot be breached.
Different Firewall Technologies
Packet Filtering
• Works at the Network Layer
• Only examines the packet header
• A stateless filter has two choices with regard to outbound passive-FTP connections, whose data channel uses a dynamically allocated port:
1. Leave the entire upper port range (port number > 1023) open so that the data session can take place over the dynamically allocated port; this exposes the internal network to any packet aimed at a high port
2. Close the entire upper port range, which secures the internal network but breaks passive FTP and other services that use dynamic ports
(This is the trade-off between application support and security.)
Pros: low cost; low overhead; application transparency; quicker than application gateways
Cons: low security; decisions based on a small part of the packet header; no screening above the network layer; very limited ability to manipulate information; difficult to configure, manage and monitor; inadequate logging and alerting mechanisms; subject to IP spoofing
Application Layer Gateway
• Works at the Application Layer (the gateway acts as a proxy for each service)
• Uses application-specific logic to decide which requests are legitimate and to detect intrusion attempts
Pros: good security; full Application-layer awareness
Cons: application-level implementation is detrimental to performance; cannot proxy RPC and some other services; most proxies are non-transparent; vulnerable to OS and application-level bugs; poor scalability (each service requires its own application layer gateway); overlooks information in other layers; expensive performance costs
Note: Every client-server communication through an application gateway requires two connections:
1. One from the client to the FireWall
2. One from the FireWall to the server
Stateful Inspection
• Communication information: data from the top 5 packet layers, not just the header
• Communication-derived state: state retained from previous packets of the same or related communications (e.g., the outgoing port negotiated for an FTP data connection)
• Application-derived state: state learned from other applications, e.g., a previously authenticated user is allowed access for authorised services only
• Evaluation of flexible expressions based on communication information, communication-derived state and application-derived state
• Benefits: good security, full application awareness, high performance, scalability, extensibility and transparency
FireWall Capability            Packet Filters   Application Layer Gateways   Stateful Inspection
Communication Information      Partial          Partial                      Yes
Communication Derived State    No               Partial                      Yes
Application Derived State      No               Yes                          Yes
Information Manipulation       Partial          Yes                          Yes
Note:
• The Inspect Engine is located in the Kernel Module, between the network interface driver and the IP stack, so packets are inspected before the operating system routes them
• It can Accept, Reject or Drop packets
• Inspecting in the kernel saves system processing time compared with proxying each connection through a user-space process
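As an added example (not from the Cramsession guide and not Check Point's code), the following Python models the difference the table above draws between a packet filter and stateful inspection: a stateless filter that must open the whole upper port range for passive-FTP data replies, beside a connection table that only admits replies to sessions it saw leaving, with per-protocol expiry in the role of the TCP Session Timeout and UDP Virtual Session Timeout properties described later in the guide. Addresses, ports and timeouts are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving the internal network, "in" = arriving
    syn: bool = False
    ack: bool = False


def stateless_filter(p: Packet) -> bool:
    """Packet filter: decides from this packet's header alone.  To let the
    passive-FTP data reply reach the client it must allow inbound packets to
    any port above 1023, and that same hole admits unsolicited packets."""
    if p.direction == "out":
        return True
    return p.dport > 1023


class StatefulEngine:
    """Stateful inspection: a connection table keyed by the 5-tuple.  An
    inbound packet is accepted only as the reply to an outbound session
    that is still live.  The expiry values play the role of the TCP Session
    Timeout and UDP Virtual Session Timeout properties."""

    def __init__(self, tcp_timeout=3600, udp_timeout=40):
        self.table = {}  # 5-tuple -> expiry time (seconds)
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}

    def inspect(self, p: Packet, now: float) -> bool:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Expire stale entries first so an old reply cannot match them.
        self.table = {k: t for k, t in self.table.items() if t > now}
        if p.direction == "out":
            if p.proto == "tcp" and not p.syn and key not in self.table:
                return False  # mid-stream TCP packet with no known session
            self.table[key] = now + self.timeouts[p.proto]
            return True
        if reverse in self.table:  # reply to a session we saw going out
            self.table[reverse] = now + self.timeouts[p.proto]
            return True
        return False  # unsolicited inbound packet: drop


def demo():
    eng = StatefulEngine()
    client, server = "10.1.1.5", "198.51.100.7"  # constructed addresses
    # Passive FTP: the client opens the data connection to the server's
    # dynamically allocated high port; the SYN/ACK comes back to the
    # client's high port.
    data_syn = Packet("tcp", client, 40001, server, 52222, "out", syn=True)
    data_rep = Packet("tcp", server, 52222, client, 40001, "in", syn=True, ack=True)
    # An unsolicited probe from outside to another high port on the client.
    probe = Packet("tcp", "203.0.113.9", 31337, client, 40002, "in", syn=True)
    # A UDP query, its reply, and the same reply after the virtual session expired.
    dns_q = Packet("udp", client, 5353, server, 53, "out")
    dns_r = Packet("udp", server, 53, client, 5353, "in")
    return {
        "filter_ftp_reply": stateless_filter(data_rep),
        "filter_probe": stateless_filter(probe),
        "state_ftp_syn": eng.inspect(data_syn, now=0),
        "state_ftp_reply": eng.inspect(data_rep, now=1),
        "state_probe": eng.inspect(probe, now=2),
        "state_dns_query": eng.inspect(dns_q, now=10),
        "state_dns_reply": eng.inspect(dns_r, now=20),
        "state_dns_late_reply": eng.inspect(dns_r, now=100),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accept' if ok else 'drop'}")
```

The stateless filter accepts both the FTP reply and the probe, because it cannot tell them apart; the stateful engine accepts the FTP reply and the in-time DNS reply only, and drops the probe and the reply that arrives after the 40-second virtual session has expired.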
Firewall-1 Products
Checkpoint's OPSEC (Open Platform for Secure Enterprise Connectivity) architecture provides a scalable framework for security implementation by separating the firewall product into different modules.
Enterprise Product
• Management Module – Centralised graphical security management for either one or unlimited security enforcement points
• Inspection Module – Access Control; client and session authentication; network address translation; auditing
• Firewall Module – Includes inspection module; user authentication; multiple firewall synchronisation; content security
• Encryption Module – Provides DES and FWZ1 Encryption
• Router Security Management – Security management for router ACL’s across one or more routers
• Open Security Manager – Centralised security management for 3Com, Cisco and Microsoft NT Server routers, and Cisco Pix firewalls
Single Gateway Product
• Management Module – Centralised graphical security management for either one or unlimited security enforcement points
• Inspection Module – Access Control; client and session authentication; network address translation; auditing
• Firewall Module – Includes inspection module; user authentication; multiple firewall synchronisation; content security
Enterprise Management Product
Connect Control Module – Automatic application server load balancing across multiple servers (deployed with Firewall-1)
Firewall-1 Firewall Module
Inspection Module – Access Control; client and session authentication; network address translation; auditing. In addition: user authentication; multiple firewall synchronisation; content security
Firewall-1 Inspect Module
Access control; client and session authentication; network address translation; auditing
The Encryption Module
• DES Encryption Module for use in North America
• FWZ1 Module for worldwide export
Firewall-1 Architecture
• A 3-tier architecture: there can be many different firewall modules running in different locations (security enforcement points) controlled by a central Management Console. Administrators can administer the security system either directly via the console, or by running GUI clients connected to the Management Console through the network from another desktop
• For the Single Gateway Product, there is only one Firewall Module controlled by one Management Console, and both must be installed on the same machine, which means that there is only one security enforcement point. However, you can still run the GUI client from another desktop. Firewall Internet Gateway/25 is a Firewall Internet Gateway (including one firewall module and management server) that protects 25 nodes or IP addresses. The number included with the product name is the number of IP addresses the product is licensed to protect: e.g., 25/50/100/250/Unlimited.
• The GUI is available only for Win95/98/NT and Motif. The exam focuses on the GUI, not the command line. The three different GUIs are: the Security Policy Editor for setting up the security settings, the Log Viewer for viewing the logs, and the System Status tool for viewing the current statistics of the different firewall components. The Network Object Manager is a function within the Policy Editor for creating objects so that they can be placed in the rule base and the corresponding security rules set up.
• FWD Firewall Daemon is the process responsible for moving data between the components.
• While the server is booting and the Firewall-1 services have not finished loading, the operating system's own IP forwarding can route packets between interfaces unfiltered; this window is the specific vulnerable time to pay attention to. The recommended setting is to let Firewall-1 control the server's IP forwarding, so that forwarding stays disabled until the inspection module and the security policy are loaded.
Firewall-1 as a service in Control Panel – Services
Remote Management Putkey Configuration
Putkeys must be exchanged between the Management Server and the Firewall Gateway before remote management can take place. The steps for configuring the Management Station and the Firewall are as follows:
Configure the key (password) used by the master (management station) and the remote device (firewall module) to authenticate their sessions.
• From the OS prompt change directory to $FWDIR\bin
• Add the authorisation key to be used by the master to authenticate to the remote device (e.g., password = abc123, management station IP address = 205.30.32.111)
fw putkey -p abc123 205.30.32.111
Edit the masters file on the computer with the firewall module.
• From the OS prompt change directory to $FWDIR\conf
• Add the IP of the management station to the masters file (note that > overwrites any existing masters file; use >> to append a second master)
echo 205.30.32.111 > masters
Stop and start the Firewall so that it re-reads the local masters file. This in turn allows the Management Station to remotely install the security policy.
• From the OS prompt change directory to $FWDIR\bin
• Type fwstop, press Enter; type fwstart, press Enter
• When the FW-1 started message appears, exit the command window.
On the management console an authentication key is also required for each firewall that it will remotely manage. This is achieved with the same fw putkey command, using the same password and the firewall module's address:
fw putkey -p password firewall-module-ipaddress
To remove remote management, remove the masters file from the $FWDIR\conf directory and reboot the Firewall.
Administrator Access
• You can set up as many administrator accounts as you like.
• When logging on, you must supply the user name, password and the name or IP address of the management server
Log in
The administrator can have four different levels of access rights:
1. Monitor Only - Read Only access to the log viewer and system status tool
2. Read Only - includes Monitor Only rights, plus Read Only rights to the Security Policy Editor
3. User Access - administrator can modify user information, but nothing else
4. Read/Write Access - administrator can do everything. Only one administrator at a time can log in using this mode
Administrators access mode
Security Policy
• Definition: a set of rules that collectively determine what traffic is allowed and what is not
• Enforcement Directions: there are three different directions
1. Inbound (the default)
2. Outbound
3. Eitherbound
• Inbound – if an inbound rule is applied, packets entering the FireWall through an interface are checked
• Outbound – if an outbound rule is applied, packets leaving the FireWall through an interface are checked
• Eitherbound – if an eitherbound rule is applied, packets are checked both on entering and on leaving the Firewall. Checking traffic both ways costs CPU time.
The effective security settings are a combination of settings found in the Security Policy Properties and the Rule Base. Packets are matched in the following order:
• Anti Spoofing
• Any properties marked FIRST in the Security Policy Properties
• Rule base order (except for the last rule)
• Any properties marked BEFORE LAST in the Security Policy Properties
• The Rule Base's last rule
• Any properties marked LAST in the Security Policy Properties
• Implicit Drop Rule (drop everything not mentioned above)
Sample Rule Base
• Define a Rule in the Rule Base - you must specify a minimum of Source, Destination, Service, Action, and where to install the policy (e.g., the enforcement point, generally the default Gateway).
• Implicit Drop Rule – Drops everything not matched by an earlier rule, without logging.
• Explicit Clean-up Rule – As you will probably want to know what other traffic is attempting to come through the Firewall, you should create an explicit clean-up rule with logging. This should be the last rule in the rule base and needs the following details: Source ANY - Destination ANY - Service ANY - Action DROP - Track LONG
• Stealth Rule - The first rule in the rule base; it prevents direct access to the firewall itself (Source ANY - Destination the Gateway - Service ANY - Action DROP).
Note: Rule Base Order is very important. The Firewall evaluates rules top down and applies the first rule that matches.
Verify the Rule Base to ensure the rule base settings are consistent before installing.
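As an added example (not part of the guide and not Check Point's code), the Python below evaluates a rule base in exactly the order the guide gives: anti-spoofing, properties marked FIRST, the explicit rules except the last, properties marked BEFORE LAST, the last explicit rule, properties marked LAST, then the implicit drop. It also shows two consequences of that order: a stealth rule placed first would cut the firewall's own control connections if the control-connection property were not FIRST, and without an explicit clean-up rule the implicit drop discards traffic with no log record. Network objects, rules and packets are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

NETS = {  # constructed network objects
    "Internal": ip_network("10.1.0.0/16"),
    "Gateway": ip_network("192.0.2.1/32"),
    "Any": ip_network("0.0.0.0/0"),
}
# Interface -> networks whose addresses may legitimately arrive on it.
VALID_ADDRESSES = {"inside": ["Internal"], "outside": ["Any"]}


def matches(rule, pkt):
    return (ip_address(pkt["src"]) in NETS[rule["src"]]
            and ip_address(pkt["dst"]) in NETS[rule["dst"]]
            and rule["svc"] in ("any", pkt["svc"]))


def anti_spoof_ok(pkt):
    """An internal address arriving on the outside interface is spoofed."""
    src = ip_address(pkt["src"])
    if pkt["iface"] == "outside" and src in NETS["Internal"]:
        return False
    return any(src in NETS[n] for n in VALID_ADDRESSES[pkt["iface"]])


def evaluate(explicit, implied, pkt, log):
    """Return the action for pkt; append a log line when the rule logs."""
    if not anti_spoof_ok(pkt):
        log.append(f"spoof drop {pkt['src']} on {pkt['iface']}")
        return "drop"
    stages = (implied.get("first", []) + explicit[:-1]
              + implied.get("before_last", []) + explicit[-1:]
              + implied.get("last", []))
    for rule in stages:
        if matches(rule, pkt):
            if rule.get("track") == "long":
                log.append(f"rule '{rule['name']}' {rule['action']} {pkt}")
            return rule["action"]
    return "drop"  # implicit drop: nothing is logged


def build_rule_base(with_cleanup=True):
    rules = [
        # Stealth rule first: nobody talks to the firewall itself.
        {"name": "stealth", "src": "Any", "dst": "Gateway", "svc": "any",
         "action": "drop", "track": "long"},
        {"name": "web out", "src": "Internal", "dst": "Any", "svc": "http",
         "action": "accept"},
    ]
    if with_cleanup:  # explicit clean-up rule: ANY ANY ANY DROP LONG
        rules.append({"name": "clean-up", "src": "Any", "dst": "Any",
                      "svc": "any", "action": "drop", "track": "long"})
    return rules


# "Accept VPN/Firewall-1 Control Connection" marked FIRST, so it is
# evaluated before the stealth rule can drop it.
IMPLIED = {"first": [{"name": "control conn", "src": "Internal",
                      "dst": "Gateway", "svc": "fw1", "action": "accept"}]}


def demo(with_cleanup=True):
    log = []
    rules = build_rule_base(with_cleanup)
    pkts = {
        "ssh_to_gw": {"src": "10.1.2.3", "dst": "192.0.2.1", "svc": "ssh", "iface": "inside"},
        "fw1_ctrl": {"src": "10.1.2.3", "dst": "192.0.2.1", "svc": "fw1", "iface": "inside"},
        "web": {"src": "10.1.2.3", "dst": "203.0.113.5", "svc": "http", "iface": "inside"},
        "telnet_in": {"src": "203.0.113.5", "dst": "10.1.2.3", "svc": "telnet", "iface": "outside"},
        "spoofed": {"src": "10.1.9.9", "dst": "10.1.2.3", "svc": "http", "iface": "outside"},
    }
    actions = {k: evaluate(rules, IMPLIED, p, log) for k, p in pkts.items()}
    return actions, log
```

With the clean-up rule present the inbound telnet attempt is dropped and logged; run `demo(with_cleanup=False)` and the same packet is still dropped, but by the implicit rule, so it never appears in the log.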
Install the Rule Base so that Firewall-1 will compile them, generate the corresponding script, and make it run in the enforcement point.
The Security Policy Tab (Rule 0)
Applying Gateway Rules to Interface Direction
• Inbound (Default) – Enforces the security policy only on packets entering the Gateway. Packets will be allowed to leave ONLY if Accept Outgoing Packets is selected.
• Outbound - Enforces the security policy only on packets leaving the Gateway. A rule can still be enforced in the incoming direction by selecting Destination under Install On and specifying the Gateway in the Rule Base. At least one rule like this must be present or no packets will be allowed to enter the gateway.
• Eitherbound - Enforces the security policy on packets both entering and leaving the Gateway. Firewall-1 inspects each packet twice, once on entry and again when leaving.
TCP Session Timeout – Specify time in seconds after which TCP session times out.
Accept UDP Replies – Check to accept reply data in a two-way UDP communication.
UDP Virtual Session Timeout – Specify time in seconds a UDP reply channel remains open without packets being returned.
Enable Decryption on Accept – Check to decrypt incoming, accepted packets even when the rule does not include encryption.
Implied Rules: Implied rules are generated in the Rule Base for global properties. Check the properties enforced in the Security Policy and then choose a position in the Rule base for the implied rule.
First – place first in the Rule Base
Before last – place before the last rule in the Rule Base
Last – place as the last rule in the Rule Base
Accept VPN/Firewall-1 Control Connection – Used by Firewall-1 for communication between Firewall daemons on different machines and for connecting to external servers such as RADIUS and TACACS.
Accept RIP – Check to accept RIP used by routed daemon.
Accept Domain Name Over UDP (Queries) – Check to accept DNS queries issued by named.
named resolves names by associating them with their IP addresses. If named does not know the IP address of a host name, it issues a query to a name server on the Internet. Accept UDP Replies must therefore be enabled to receive the replies.
Accept Domain Name Over TCP (Zone Transfer) – Check to allow zone transfers (the upload of domain name resolving tables) over TCP.
Accept ICMP – Check to accept Internet Control Message Protocol traffic. This protocol is used to ensure proper and efficient operation of IP.
Accept Outgoing Packets Originating From Gateway – Check to accept all outgoing packets that originate from the Firewall-1 gateway itself (not from the internal network). Gateway rules are usually enforced in the inbound direction, so packets leaving the Gateway are allowed to pass only if one of the following conditions is true:
• The Accept Outgoing Packets property is checked
• Rules are enforced in both directions (Eitherbound), and there is a rule that allows the packets to leave the Gateway.
Log Implied Rules – Implied rules are generated in the Rule Base from the properties defined in this window. If this is checked Firewall-1 generates log records for communications matching the implied rules.
Install Security Policy only if it can be successfully installed on ALL selected targets – The Security Policy will either be installed on all or none of the selected targets. Allows Administrator to ensure the same Security Policy is being enforced at all enforcement points.
Rule Base
Possible Rule Base actions include
• Accept
• Reject - discard the packet and inform the sender (a TCP reset or ICMP unreachable message)
• Drop - discard the packet silently, without informing the sender
• User Auth - use User Authentication on this packet
• Session Auth - use Session Authentication on this packet
• Client Auth - use Client Authentication on this packet
• Encrypt - encrypt outgoing and decrypt incoming traffic used with the extra VPN module not covered in this exam
• Client Encrypt - encrypt outgoing and decrypt incoming traffic with the help of a secure remote client
Rule Base Actions
System Status Tool
• Tells the number of packets dropped/rejected/inspected/logged
• Tells whether or not a security policy is installed on the firewall, the name of the policy installed, and the date the security policy was installed on the firewall
• The most important display shows the status of the Firewall-1 Daemon, whether it is INSTALLED (daemon is running, and security policy is installed), NOT INSTALLED (daemon is running, but no security policy is installed), and DISCONNECTED (no response from the daemon at all)
Content Security
• Uses CVP (Content Vectoring Protocol), a TCP based protocol developed by Checkpoint that uses port 18181 to transparently re-route the data stream to an external content scanning server. A CVP server object needs to be created for content security to work
• Supports SMTP, HTTP and FTP; each has a corresponding resource object type that can be defined in the rulebase
• SMTP security functions: hides outgoing emails FROM field, redirects email sent to given TO or CC addresses, drops emails from particular senders or messages above a particular size, strips MIME attachments, strips the RECEIVED field, and transparently relays email to a third party anti-virus server
• FTP security functions: controls the GET and PUT operations, and transparently relays data stream to third party anti-virus server
• HTTP security functions: URL screening, blocks Java code, strips all the script/applet/ActiveX tags in the HTML code (known as HTML weeding), and anti-virus using third party server
• URI (Uniform Resource Identifier) is the resource object type for HTTP
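As an added example (not from the guide and not Check Point's CVP or SMTP security server code), the following Python applies the SMTP resource checks listed above to a constructed message with the standard-library email package: drop by sender or size, hide the internal From address, strip the Received headers, and strip MIME attachments. The domain names, size limit and blocked sender are assumed for the demo; only top-level MIME parts are examined.

```python
from email import message_from_string, policy
from email.utils import parseaddr

BLOCKED_SENDERS = {"spammer@example.net"}          # assumed
MAX_SIZE = 64 * 1024                                # assumed limit in bytes
FROM_REWRITE = ("corp.internal", "example.com")     # hide the internal domain

# Constructed message: two internal Received headers, an internal From
# address, and an executable attachment behind a short text part.
SAMPLE = """\
Received: from mail.corp.internal (10.1.1.25) by gw.corp.internal
Received: from ws17.corp.internal (10.1.4.17) by mail.corp.internal
From: Alice <alice@corp.internal>
To: bob@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream; name="tool.exe"
Content-Disposition: attachment; filename="tool.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def filter_smtp(raw: str):
    """Return ("drop", reason, None) or ("accept", None, info)."""
    if len(raw.encode()) > MAX_SIZE:
        return "drop", "size", None
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.lower() in BLOCKED_SENDERS:
        return "drop", "sender", None
    received = msg.get_all("Received") or []
    del msg["Received"]                    # removes every Received header
    if "@" in addr:
        local, domain = addr.split("@", 1)
        if domain == FROM_REWRITE[0]:      # hide the internal address
            msg.replace_header("From", f"{local}@{FROM_REWRITE[1]}")
    stripped = []
    if msg.is_multipart():                 # top-level parts only, for brevity
        parts = msg.get_payload()
        stripped = [p.get_filename() for p in parts
                    if p.get_content_disposition() == "attachment"]
        msg.set_payload([p for p in parts
                         if p.get_content_disposition() != "attachment"])
    info = {"received_removed": len(received),
            "from": str(msg["From"]),
            "stripped": stripped,
            "text": msg.as_string()}
    return "accept", None, info


def demo():
    accepted = filter_smtp(SAMPLE)
    blocked = filter_smtp(SAMPLE.replace("alice@corp.internal", "spammer@example.net"))
    oversized = filter_smtp(SAMPLE + "x" * MAX_SIZE)
    return accepted, blocked, oversized
```

The relayed copy of the sample keeps the text part and the rewritten From address but carries no Received trail and no attachment, which is the point of routing outbound mail through the resource: internal host names and addresses never leave the network.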
Anti-Spoofing
• Configured per interface in the Firewall object's Interface properties - Valid Addresses section
• Possible options:
o Any - the default; no anti-spoofing check is made on this interface
o No Security Policy - the security policy is not enforced on this interface at all
o Others - all packets are allowed except those whose source IP address belongs to a network listed under Valid Addresses for this object's other interfaces
o Others+ - same as Others, but packets from the addresses listed under the Others+ section are also allowed
o This Net - only packets whose source is in the network directly attached to this interface are allowed
o Specific - only packets whose source is in the specifically defined network object are allowed
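As an added example (not part of the guide and not Check Point's code), the Python below computes what each Valid Addresses option above accepts on a constructed three-interface gateway and checks sample packets against it. Interface names, networks and the Others+ exception are assumed; the point to see is that Others on the external interface rejects internal source addresses, while Any, the default, checks nothing.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the network attached to each interface, plus any
# further networks routed behind it (used by the Specific option).
TOPOLOGY = {
    "hme0": {"net": ip_network("192.0.2.0/24"), "specific": []},        # external
    "hme1": {"net": ip_network("10.1.0.0/16"), "specific": []},         # internal
    "hme2": {"net": ip_network("10.2.0.0/24"),                          # DMZ
             "specific": [ip_network("10.2.0.0/24"), ip_network("10.3.0.0/24")]},
}


def valid_sources(iface, option, others_plus=()):
    """Return (allowed, denied) network lists for one interface.
    An empty allowed list means the interface is not checked."""
    others = [TOPOLOGY[i]["net"] for i in TOPOLOGY if i != iface]
    # Networks declared Specific behind another interface belong there too.
    others += [n for i in TOPOLOGY if i != iface for n in TOPOLOGY[i]["specific"]]
    if option == "Any":
        return [], []
    if option == "Others":
        return [ip_network("0.0.0.0/0")], others
    if option == "Others+":
        return [ip_network("0.0.0.0/0")], [n for n in others if n not in others_plus]
    if option == "This Net":
        return [TOPOLOGY[iface]["net"]], []
    if option == "Specific":
        return list(TOPOLOGY[iface]["specific"]), []
    raise ValueError(option)


def accepts(iface, option, src, others_plus=()):
    """True if a packet with source src arriving on iface passes anti-spoofing."""
    allowed, denied = valid_sources(iface, option, others_plus)
    a = ip_address(src)
    if not allowed:
        return True
    if any(a in n for n in denied):
        return False
    return any(a in n for n in allowed)


def demo():
    return {
        # External interface set to Others: internal sources are spoofed.
        "ext_others_internal_src": accepts("hme0", "Others", "10.1.5.5"),
        "ext_others_internet_src": accepts("hme0", "Others", "203.0.113.9"),
        "ext_others_routed_dmz": accepts("hme0", "Others", "10.3.0.4"),
        # Internal interface set to This Net: only the attached net is valid.
        "int_thisnet_ok": accepts("hme1", "This Net", "10.1.7.7"),
        "int_thisnet_dmz_src": accepts("hme1", "This Net", "10.2.0.9"),
        # DMZ with Specific: the second routed net behind it is also allowed.
        "dmz_specific_routed": accepts("hme2", "Specific", "10.3.0.4"),
        # Any on the external interface checks nothing (the default).
        "ext_any_internal_src": accepts("hme0", "Any", "10.1.5.5"),
        # Others+ lets a listed exception through on the external interface.
        "ext_othersplus_exception": accepts("hme0", "Others+", "10.3.0.4",
                                            others_plus=(ip_network("10.3.0.0/24"),)),
    }
```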
Network Address Translation (NAT)
Conceals internal computers and users from outside networks and is a separate component of the Firewall – 1 security policy. NAT changes (translates) or hides IP addresses.
Classful Addressing
INVALID/RESERVED (PRIVATE) ADDRESSES
Network Range                    Class                  Networks
10.0.0.0 - 10.255.255.255        1 Class A network      10.0.0.0
172.16.0.0 - 172.31.255.255      16 Class B networks    172.16-31.0.0
192.168.0.0 - 192.168.255.255    256 Class C networks   192.168.0-255.0
These are the RFC 1918 private ranges; they are not routed on the Internet, which is why they must be translated.
Firewall–1 translates packet addresses transparently, in the kernel, before packets reach their destination. On an outbound packet the address translation module records the mapping in its internal table and rewrites the invalid/reserved source address to the legal address; on the reply it rewrites the legal address back to the original invalid/reserved address. This takes place in the ADDRESS TRANSLATION MODULE.
The inspection (KERNEL) MODULE does NOT translate addresses:
• It verifies packets against the security policy before passing them out of the internal network
• It verifies packets before passing them to the address translation module
NAT Modes
STATIC SOURCE MODE – Translates invalid/reserved INTERNAL source addresses to legal IP addresses when packets EXIT the Internal Network.
STATIC DESTINATION MODE – Translates legal (public) destination addresses to the invalid/reserved INTERNAL addresses when packets ENTER the Internal Network.
HIDE MODE – Hides one or more invalid/reserved IP addresses behind one legal IP address (many-to-one; connections are told apart by the translated source port).
• Static Mode translates addresses using a one-to-one relationship.
• When generating address translation rules automatically, static source and destination mode rules are always generated in pairs, so that the same host is reachable from outside at the address it uses when it originates connections.
Applying NAT Modes
To add address translation modes to Firewall–1, you edit or add network objects, servers, gateways and routers. Define source or destination static mode by placing the network object as source or destination in the Rule Base.
NAT Rule Base
When defining network objects during set-up of Firewall–1, NAT rules are generated automatically. You can add or edit rules manually to the automatically generated rules and provide complete control over Firewall–1 NAT. Firewall–1 validates address translation rules, helping avoid mistakes in the set-up process.
For complete control over Firewall–1 address translation you can do one or more of the following:
• Specify objects by name or IP address
• Restrict rules to specific destination and/or source IP addresses
• Translate source and destination IP addresses in the same packet
• Restrict rules to specific services (Ports)
• Translate ports
NAT Rules
Each address translation rule consists of three elements:
1. Conditions that specify when the rule is applied (the Original Packet)
2. The action to be taken when the rule is applied (the Translated Packet)
3. The network object on which to enforce the action (Install On)

WHEN RULE IS APPLIED / ACTION TO BE TAKEN
Original Packet      Define the source, destination and service to match
Translated Packet    Define the source, destination and service the packet is rewritten to
Install On           Define the firewall objects that enforce this rule
Address Resolution Protocol (ARP)
ARP resolves IP Addresses to hardware MAC Addresses.
ARP Request for Local Network
• IP determines that the address it wants to send to is on the local network
• The source host checks its own list (ARP cache) for the MAC address of the destination host
• If no match is found, ARP builds a request that includes the source host's own IP and MAC addresses and broadcasts it, asking for the MAC address of the destination IP
• Every host on the local network receives the broadcast and checks whether the requested IP address matches its own
• The destination host recognises a match and sends an ARP reply directly to the sending host with its MAC address
• The ARP cache on both hosts is updated
• When the source host receives the reply, communication between them can proceed
ARP Request for Remote Network
• The source host determines that the IP address it wants is not on the local network
• The source host checks its local route table for a path to the remote host or network
• If no specific path is found, the source host uses the IP address of its default gateway and checks its ARP cache for an IP-to-MAC mapping for the gateway (sending an ARP request for the gateway if necessary)
• The source host sends the data packet to the router's MAC address
• The router then handles the process beyond this point
Routing Issues
With Firewall–1 there are two routing issues:
1. Ensuring packets reach the gateway
2. Ensuring the gateway forwards packets to the correct interface and host
Static Source or Hide modes
When using Static Source or Hide modes, you must ensure the translated (legal) addresses are published on the external network, so that the upstream router resolves them to the Firewall's external interface and replies are routed back to the Firewall.
On NT systems static entries added with the ARP command are not permanent (they do not survive a reboot), so Checkpoint created the following feature:
\Winnt\fw\state\local.arp (i.e., $FWDIR\state\local.arp)
The format of local.arp is one entry per line:
IP Address <TAB> External MAC Address
Stop and start the Firewall-1 service after creating or editing this file.
Static Destination
When using Static Destination mode translation, translation takes place in the firewall AFTER internal routing, but BEFORE transmission. To ensure the packet is correctly routed use static routing.
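As an added example (not part of the guide and not Check Point's code), the Python below models a NAT rule base in the Original Packet / Translated Packet form above, with a one-to-one static source rule and a many-to-one hide rule, reverses the translations on the replies, and emits the local.arp lines that publish the translated addresses on the external interface as the Static Source or Hide modes section requires. Addresses, the external MAC and the hide port range are assumed. The static rule is listed before the hide rule because, as in the Rule Base, the first matching rule is applied.

```python
from ipaddress import ip_address, ip_network

# Constructed NAT rule base; first match wins, so the one-to-one rule for
# the single host precedes the hide rule for the whole internal network.
NAT_RULES = [
    {"orig_src": ip_network("10.1.1.10/32"), "mode": "static", "xlate_src": "198.51.100.10"},
    {"orig_src": ip_network("10.1.0.0/16"), "mode": "hide", "xlate_src": "198.51.100.1"},
]
GATEWAY_EXTERNAL_IP = "198.51.100.1"   # the hide address is the gateway's own interface
EXTERNAL_MAC = "00:11:22:33:44:55"     # assumed MAC of the gateway's external NIC


class NatTable:
    def __init__(self, hide_port_start=10000):
        self.next_port = hide_port_start
        self.hide = {}     # (orig_ip, orig_port) -> (hide_ip, new_port)
        self.unhide = {}   # (hide_ip, new_port) -> (orig_ip, orig_port)

    def translate_out(self, src, sport):
        """Apply the first matching rule to an outbound packet's source."""
        for r in NAT_RULES:
            if ip_address(src) in r["orig_src"]:
                if r["mode"] == "static":
                    return r["xlate_src"], sport           # one-to-one, port kept
                key = (src, sport)
                if key not in self.hide:                   # allocate a new port
                    self.next_port += 1
                    self.hide[key] = (r["xlate_src"], self.next_port)
                    self.unhide[self.hide[key]] = key
                return self.hide[key]
        return src, sport                                  # no rule: untranslated

    def translate_in(self, dst, dport):
        """Reverse translation for a reply to a translated address."""
        if (dst, dport) in self.unhide:
            return self.unhide[(dst, dport)]
        for r in NAT_RULES:
            if r["mode"] == "static" and dst == r["xlate_src"]:
                return str(r["orig_src"].network_address), dport
        return None                                        # nothing to deliver to


def local_arp_lines(mac=EXTERNAL_MAC, gateway_ip=GATEWAY_EXTERNAL_IP):
    """local.arp entries (IP <TAB> MAC) for every translated address that is
    not already an address of the gateway itself."""
    return [f"{r['xlate_src']}\t{mac}" for r in NAT_RULES if r["xlate_src"] != gateway_ip]


def demo():
    nat = NatTable()
    a = nat.translate_out("10.1.1.10", 40000)   # static host
    b = nat.translate_out("10.1.1.20", 40000)   # hidden host
    c = nat.translate_out("10.1.1.21", 40000)   # second hidden host, same port
    return {
        "static_out": a,
        "hide_out_b": b,
        "hide_out_c": c,
        "reply_to_static": nat.translate_in("198.51.100.10", 40000),
        "reply_to_b": nat.translate_in(b[0], b[1]),
        "reply_to_c": nat.translate_in(c[0], c[1]),
        "unsolicited_to_hide": nat.translate_in("198.51.100.1", 22),
        "arp": local_arp_lines(),
    }
```

Two hidden hosts using the same source port leave with different translated ports, which is how their replies are told apart; an inbound packet to the hide address that matches no table entry has nowhere to go, which is why hide mode conceals the hosts behind it.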
Defining NAT
NAT in the Rule Base
Authentication
Feature               User Authentication                         Client Authentication                                  Session Authentication
Transparent           Yes                                         No (sign-on via Telnet port 259 or HTTP port 900)      Yes
Connection Services   FTP, HTTP, HTTPS, Telnet, RLOGIN            All services                                           All services
Software              Password entered in the client application  None                                                   Session Authentication Agent required on the client
User Authentication
• Client initiates a connection to the destination server
• Firewall–1 intercepts the connection (through its security server for that service) and prompts for credentials
• Client responds with username and password
• Firewall–1 allows the connection
Transparent user authentication – Firewall–1's default; the user must provide:
• Username and password for the gateway
• Username and password for the target host
Client Authentication
• Client initiates a TELNET (Port 259) or HTTP (Port 900) connection to the Firewall; Firewall–1 requests the client's username and password and verifies them
• Firewall–1 then recognises the client's IP address and allows access to the destination server. Time-out, logout, or reaching the permitted number of sessions closes the authorisation.
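As an added example (not part of the guide and not Check Point's code), the Python below models the client authentication decision just described: a sign-on binds the client's source IP address to a user with an expiry time and a session limit, and later connections from that address pass without further authentication until timeout, sign-off or the limit. The last check shows the caveat that follows from the design: the grant is per IP address, so any host presenting that address (behind NAT, or by spoofing) is admitted as the signed-on user. The user store, password, timeout and session limit are constructed.

```python
import hashlib
import hmac


def _hash(salt: str, password: str) -> str:
    """Salted SHA-256 of the Firewall-1 password (constructed user store)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


USERS = {"alice": ("s4lt", _hash("s4lt", "correct horse"))}


class ClientAuth:
    def __init__(self, timeout=900, max_sessions=3):
        self.timeout = timeout
        self.max_sessions = max_sessions
        self.grants = {}   # src_ip -> {"user", "expires", "sessions"}

    def sign_on(self, src_ip, user, password, now):
        """Telnet port 259 / HTTP port 900 sign-on: verify, then bind the IP."""
        rec = USERS.get(user)
        if rec is None:
            return False
        salt, digest = rec
        if not hmac.compare_digest(_hash(salt, password), digest):
            return False
        self.grants[src_ip] = {"user": user, "expires": now + self.timeout,
                               "sessions": 0}
        return True

    def sign_off(self, src_ip):
        self.grants.pop(src_ip, None)

    def connection_allowed(self, src_ip, now):
        """Decision for a new connection matched by a Client Auth rule:
        the user name if the source address holds a live grant, else None."""
        g = self.grants.get(src_ip)
        if g is None or now >= g["expires"]:
            self.grants.pop(src_ip, None)     # timed out
            return None
        if g["sessions"] >= self.max_sessions:
            self.grants.pop(src_ip, None)     # session limit reached
            return None
        g["sessions"] += 1
        return g["user"]


def demo():
    ca = ClientAuth(timeout=900, max_sessions=2)
    out = {}
    out["bad_password"] = ca.sign_on("10.1.1.5", "alice", "wrong", now=0)
    out["before_signon"] = ca.connection_allowed("10.1.1.5", now=0)
    out["signon"] = ca.sign_on("10.1.1.5", "alice", "correct horse", now=0)
    out["first_conn"] = ca.connection_allowed("10.1.1.5", now=10)
    # Caveat: a different host presenting the same source IP gets the grant.
    out["same_ip_other_host"] = ca.connection_allowed("10.1.1.5", now=20)
    out["over_limit"] = ca.connection_allowed("10.1.1.5", now=30)
    ca.sign_on("10.1.1.5", "alice", "correct horse", now=100)
    out["after_timeout"] = ca.connection_allowed("10.1.1.5", now=1001)
    return out
```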
Session Authentication
• Client attempts contact with server
• Firewall–1 blocks the packet and contacts the session authentication agent
• Agent opens on Client screen
• User enters username and password
• Username and password are sent to Firewall–1
• Firewall–1 accepts and allows connection to server
Implicit Client Authentication
Extends access privileges to specific clients without requiring the user to initiate additional sessions on the gateway.
If the client authenticates under a user or session authentication rule, Firewall–1 knows which user is on the client and additional client authentication sessions are not necessary.
If implicit Client authentication is enabled and automatic sign-on rule is opened, all the standard sign-on rules are opened. Define the rules in the following order:
• User authentication rules for HTTP
• Client authentication rules
• User and session authentication rules for non-HTTP services
The first time a client connects, the user and session authentication rules are applied; on subsequent connections the client authentication rules are applied.
User authentication rules are always applied for HTTP, which prevents the browser from sending the authentication password to the HTTP server, because client authentication rules do NOT use the Firewall–1 security servers.
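The rule-ordering point above is easiest to see with a first-match model. The following is an added example written for this summary, not Check Point code or configuration: a toy rule base in Python evaluates rules top to bottom and keeps a table of IPs that have already authenticated. Rule names, hosts, and the assumption that an IP which has not yet signed on falls through an unmatched client authentication rule to the next rule are constructed for the model.

```python
"""First-match model of the implicit client authentication rule order.

Added example, not Check Point code: a toy rule base shows why the three
rule groups are ordered HTTP user auth -> client auth -> non-HTTP user and
session auth. Rule names, hosts and the "fall through an unmatched client
auth rule" behaviour are constructed assumptions of the model.
"""

# Each rule is (name, service, auth_kind); "*" matches any service.
# Rules are evaluated top to bottom and the first applicable one wins.
RECOMMENDED_ORDER = [
    ("http-user-auth", "http", "user"),      # HTTP always goes through the security server
    ("client-auth", "*", "client"),          # IP-based, no security server involved
    ("other-user-auth", "*", "user"),        # user/session auth for non-HTTP services
]

WRONG_ORDER = [
    ("client-auth", "*", "client"),          # client auth placed first (the mistake)
    ("http-user-auth", "http", "user"),
    ("other-user-auth", "*", "user"),
]


class Gateway:
    """Minimal Firewall-1-like matcher with implicit client authentication."""

    def __init__(self, rules):
        self.rules = rules
        self.signed_on = set()  # IPs the firewall already knows a user for

    def match(self, src_ip, service):
        """Return (rule name, how credentials are handled) for one new connection.

        'security-server': Firewall-1 itself prompts for and checks the password
        'implicit':        allowed because this IP already authenticated earlier
        """
        for name, svc, kind in self.rules:
            if svc != "*" and svc != service:
                continue
            if kind == "client":
                if src_ip in self.signed_on:
                    return name, "implicit"
                # Modelling assumption: with implicit client auth on, an IP that
                # has not signed on falls through to a user/session rule instead.
                continue
            # user or session authentication: the security server handles the
            # password, and the firewall now knows which user is on src_ip
            self.signed_on.add(src_ip)
            return name, "security-server"
        return "drop", "none"


# Constructed connection sequence: one client talks HTTP, then Telnet, then
# HTTP again; a second client that never authenticated tries Telnet.
CONNECTIONS = [
    ("10.0.0.5", "http"),
    ("10.0.0.5", "telnet"),
    ("10.0.0.5", "http"),
    ("10.0.0.9", "telnet"),
]


def trace(rules):
    """Run the constructed connections through one rule order."""
    gw = Gateway(rules)
    return [gw.match(ip, svc) for ip, svc in CONNECTIONS]


if __name__ == "__main__":
    for label, rules in (("recommended", RECOMMENDED_ORDER), ("wrong", WRONG_ORDER)):
        print(label)
        for (ip, svc), (rule, how) in zip(CONNECTIONS, trace(rules)):
            print(f"  {ip:12} {svc:7} -> {rule:16} {how}")
```

With the recommended order, the third connection (HTTP again from the already-authenticated client) still hits the HTTP user authentication rule and therefore the security server; with the client authentication rule placed first, that same connection is accepted on the strength of the IP address alone and never reaches the security server.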
Internal Authentication Schemes
• S/Key – most secure form of internal authentication
• Firewall–1 Password – the user enters an assigned Firewall–1 password (User does NOT require an OS account on the firewall)
• OS Password – user enters an OS password and must have OS account on firewall
External Authentication Schemes
• SecurID – user enters the Security Dynamics PASSCODE
• RADIUS – (Remote Access Dial In User Service) user prompted for response to RADIUS server
• AXENT Pathways Defender - user prompted for response to AXENT server
• TACACS – (Terminal Access Controller Access Control System) user prompted for response to TACACS server
Use a generic user account for external authentication schemes to avoid the overhead of maintaining duplicate user accounts.
Firewall–1 GUIs
Firewall–1 has three GUI programs
• Log Viewer
• System Status
• Policy Editor
Log Viewer GUI
The management server reads the log file and sends the data to the GUI client for display. The GUI client only displays the data.
Log Viewer Logon
To log on you require:
• Username
• Password
• Management Server
Modes
• Security Log – Shows all the security-related events
• Accounting Entries – Shows Elapsed, Bytes and Start Date in addition to security log events.
• Active Connection Mode – Shows the current connections through the firewall. Shows Elapsed, Bytes, Start Date and Connection ID in addition to security log events.
Log File
• New Log File – Creating a new log file closes the current log, which is written to disk with a name containing the current date and time.
• Purge Log File – Deletes ALL entries in the log file.
• Print Log File – Only log entries that match the current selection criteria will be printed.
• Saving a Log File – Only records that match the current selection criteria will be saved to file.
System Status GUI
System Status Updates
Before Firewall–1 updates the status display it broadcasts a status request message to all firewall objects. The following information is obtained:
• Date security policy was installed on object
• Firewalled objects status
• Firewalled objects name
• Rule Base Name (File containing rule base)
• Date and time Firewalled objects status was last updated
Alerts
The Firewall module sends alerts to the Management Server, which forwards them to the GUI client. An alert can be handled in one of the following ways:
• Play Sound
• Show this Window
• Clear
• Dismiss
Changes to Firewalled Objects - Action on Transition:
Alert       Issue an alert (defined in the Properties set-up screen)
Mail        Issue a mail alert (defined in the Properties set-up screen)
SNMP Trap   Issue an SNMP trap (defined in the Properties set-up screen)
Solving SYN Flood Problem
• Definition: a simple type of denial of service attack which can halt a mission critical service
• The Normal Handshake process of TCP:
1. SYN - the client makes a request to the server, asking for a chance to talk
2. SYN/ACK - the server replies by saying OK
3. ACK - the client confirms with the server and establishes a connection
• Attacker uses SYN Flood to send the target server a large volume of SYN packets with spoofed source IP addresses
• Server is busy replying to unreachable hosts
• Firewall-1 uses SYNDefender to protect against SYN Flood attack
SYN Relay
• Have the firewall validate every connection before passing it to the original destination
• Safest from the servers’ point of view
• A connection reaches the server only after the firewall has validated it
SYN Gateway
• Have the firewall open a connection to the original destination first, but wait for the ACK from the source before allowing the connection to actually start
Passive SYN Gateway
• Have the firewall open a connection to the original destination first; without the ACK from the source, a direct connection will not be allowed
• The firewall keeps track of the handshake state
• If the timer expires, the firewall sends a reset packet that closes the connection on the server
• Timeout value is critical as it determines how long the firewall should wait for an ACK before assuming that the connection is a SYN attack
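To make the three SYNDefender modes and the role of the timeout concrete, here is an added example written for this summary; it is not Check Point code and does not reproduce SYNDefender’s implementation. It models the firewall’s handshake-state table in plain Python and replays one constructed trace (a legitimate client plus one SYN from a spoofed source that never acknowledges) through each mode. The addresses, timings and the shortcut that the server answers a forwarded SYN immediately are assumptions of the model.

```python
"""Simplified model of the three SYNDefender modes.

Added example, not Check Point code: the firewall's handshake-state table,
the timer and the reset on expiry are modelled in plain Python so the three
modes can be compared on one constructed packet trace. Addresses, timings
and the 'server answers a forwarded SYN immediately' shortcut are
assumptions of the model.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str   # "SYN", "SYN/ACK", "ACK" or "RST"
    t: float     # seconds since the trace began (constructed)


class SynDefender:
    """Handshake-state tracker for mode 'relay', 'gateway' or 'passive'."""

    def __init__(self, mode, timeout):
        if mode not in ("relay", "gateway", "passive"):
            raise ValueError(f"unknown mode {mode}")
        self.mode = mode
        self.timeout = timeout
        self.pending = {}       # (client, server) -> time the client's SYN arrived
        self.to_server = []     # packets the firewall passed or generated towards the server
        self.to_client = []     # packets the firewall passed or generated towards the client
        self.established = []   # flows whose handshake completed end to end

    def client_syn(self, pkt):
        flow = (pkt.src, pkt.dst)
        self.pending[flow] = pkt.t
        if self.mode == "relay":
            # SYN Relay: the firewall answers SYN/ACK itself; the server sees nothing yet
            self.to_client.append(Packet(pkt.dst, pkt.src, "SYN/ACK", pkt.t))
            return
        # SYN Gateway and Passive SYN Gateway: the SYN goes to the server, whose
        # SYN/ACK is relayed to the client (server reply modelled as immediate)
        self.to_server.append(Packet(pkt.src, pkt.dst, "SYN", pkt.t))
        self.to_client.append(Packet(pkt.dst, pkt.src, "SYN/ACK", pkt.t))
        if self.mode == "gateway":
            # SYN Gateway: ACK the server now so it does not hold a half-open
            # entry, while still waiting for the real ACK from the source
            self.to_server.append(Packet(pkt.src, pkt.dst, "ACK", pkt.t))

    def client_ack(self, pkt):
        flow = (pkt.src, pkt.dst)
        if flow not in self.pending:
            return  # unknown or already expired handshake: nothing to do
        del self.pending[flow]
        if self.mode == "relay":
            # source proved reachable: only now open the server side
            self.to_server.append(Packet(pkt.src, pkt.dst, "SYN", pkt.t))
            self.to_server.append(Packet(pkt.src, pkt.dst, "ACK", pkt.t))
        elif self.mode == "passive":
            # passive mode sent nothing on the source's behalf, so pass the ACK through
            self.to_server.append(Packet(pkt.src, pkt.dst, "ACK", pkt.t))
        self.established.append(flow)

    def expire(self, now):
        """Timer: a handshake still pending after `timeout` seconds is treated as a SYN attack."""
        for flow, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[flow]
                if self.mode != "relay":
                    # the server already holds state for this flow: close it with a reset
                    self.to_server.append(Packet(flow[0], flow[1], "RST", now))

    def handle(self, pkt):
        if pkt.flags == "SYN":
            self.client_syn(pkt)
        elif pkt.flags == "ACK":
            self.client_ack(pkt)
        self.expire(pkt.t)


SERVER = "192.0.2.10"
# Constructed trace: one legitimate handshake and one SYN from a spoofed
# source that will never acknowledge the SYN/ACK.
TRACE = [
    Packet("10.0.0.5", SERVER, "SYN", 0.0),
    Packet("203.0.113.77", SERVER, "SYN", 0.5),
    Packet("10.0.0.5", SERVER, "ACK", 1.0),
]


def run(mode, timeout=10.0, end_time=30.0):
    """Replay TRACE through one mode and summarise what the server side saw."""
    fw = SynDefender(mode, timeout)
    for pkt in TRACE:
        fw.handle(pkt)
    fw.expire(end_time)  # let the timer fire for the spoofed half-open flow
    return {
        "server_flags": [p.flags for p in fw.to_server],
        "established": fw.established,
        "half_open_left": len(fw.pending),
    }


if __name__ == "__main__":
    for mode in ("relay", "gateway", "passive"):
        print(mode, run(mode))
```

Reading the `server_flags` list for each mode shows the trade-off the summary describes: in relay mode the server only ever sees the one validated connection, in gateway mode the server’s side of every connection is completed immediately and the spoofed one is later reset, and in passive mode the spoofed connection stays half-open on the server until the timer fires. Calling `run("passive", end_time=5.0)` with the default 10-second timeout shows why the timeout value is critical: the half-open flow is still there because the timer has not yet expired.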
Special thanks to
Garnet D Newton-Wade
for contributing this Cramsession.