RO: aie al pro)
Security Administration
Student Manual
ava =e]iK(o)a)
Check Point Education Series
Check Point
SOFTWARE TECHNOLOGIES INC.
Security Administration
Student Manual
R77 Edition
PIN 705982
© 2014 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distib-
uted under licensing restricting their use, copying, distribution, and de-compilation. No part ofthis,
product or related documentation may be reproduced in any form or by sny means without prior
‘written authorization of Check Point. While every precaution has been taken in the preparation of
this book, Check Point assumes no responsibility for erors or omissions. This publication and fea-
tures described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subpa
‘graph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-
7013 and FAR 52.227-19.
‘TRADEMARKS:
Refer to the Copyright page (hitp:/www.checkpoint.com/copyright html) fora list of our trade-
marks.
Refer to the Third Party copysight notices (hitp:/ www.checkpoint.com/
3rd_party_copyright him) for alist of relevant copyrights and thiparty licenses.
Tntemational Headquarters
US. Headquarers
“Technical Support, Education
& Professional Services:
Document #
Revision:
Content:
Graphics:
‘Contributors
5 Ha’Solelim Street
Tek 972-3183 4555
989 Skyway Road, Suite 300
San Carlos, CA 94070
“Te: 630-626.2000
Fax 630-6542253
{6330 Commerce Drive, Suite 120
living, TX 75063
rei or24a4 612
Fa 9725062913
smal any comments questions aout ur auteur to cousovar@us check-
For quate comments shout ether Check Pin dace, «mail CP_Tesh-
Pub Fedinck@ebeckpoin com
DOC-Manval-CCSA-RI6
R772018
Mark Hoefle, Joey Witt
Charming Jia
‘Beta Testing and Technical Review
Chris Albtas - Arrow ECS - UK
Robin Bay - Arrow ECS -Cz Republic
Kishin Feinani - K-Secure - India
Patrick Felsner - Arrow ECS ~ Austria
‘Tim Hall - Shadow Peak -USA
‘Thomas Norbeck - Glasspaper - Norway
Alejandro Diez Rodrigues - Afina - Spain
Ich Tathanie, - INTAS - Slovakia
Erik Wagemans - JCA - Belgium
‘Test Development:
Ken Finley ~ Check Point
‘Check Point Technical Publications Team:
Rochelle Fisher, DalyYam, Eli Har-Even, Paul Grigg, Richard
Levine, Rivkah Albinder, Shira Rosenfield, Yaakov Simon
Contents
Preface: Security Administration ...
Security Administration Overview ...
Course Layout
Prerequisites
Certification Title
Course Chapters
Sample Setup for Labs
Chapter 1: Introduction to Check Point Technology .
Check Point Technology Overview 7
Leaming Objectives:
‘The Check Point Security Management Architecture (SMART)
‘SmartConsole ... =
Security Management Server ..
Security Gateway .. on
‘The Check Poin Firewall... oo = n
‘Mechanisms for Controlling Network Traffic — wool
Packet Filtering .. B
Stateful Inspection 4
Application Intelligence... so : ened S
Security Gateway Staeful Inspection Architecture 16
INSPECT Bngine Packet Flow : 16
Deployment Considerations 18
Check Point SmartConsole Clients — : 21
‘SmartDashboard one so evans 21
‘SmartLog 23
SmantBvent ... 24
Check Point Security Administration - i
‘Table of Contents
‘SmartView Monitor...
‘SmartEndpoint
‘SmartView Tracker . 7
‘SmartUpdate ee
‘SmartReporter
‘SmartProvisioning
Security Management Server ...
‘Managing Users in SmartDashboard,
Users Database o
‘Securing Channels of Communication ..
‘Secure Internal Communications ...
‘Testing the SIC Status .....
Resetting the Trust State ...
Practice and Review
Practice Labs
Review
Chapter 2: Deployment Platforms ..........+--+-
Deployment Platforms
Leaming Objectives:
Check Point Deployment Platforms.
Security Appliances ..
Dedicated Appliances
Carrer & Ulva High-Bod Data Center Security Systems
Data Center Security Systems
Enterprise Network Security Systems
Small/Branch Office .
Virtual Systems
Management ..
More Check Point Appliances 1.
Check Point Software Blade Architecture
‘Software Blade Bundles
Cheek Point Gaia ...
History - Power of Two
Gaia...
Benefits of Gaia
Gaia Architecture
Gaia System Information
Practice and Review
Practice LabS oso
Review
Chapter 3: Introduction to the Security Policy .
Introduction to the Security Policy
Learning Objectives:
Security Policy Basics
The Rule Base
Managing Objects in SmartDashboard
‘SmartDashboard and Objects...
Object-Tree Pane
Objects-List Pane .....
Object Types
Rule Base Pane
‘Managing Objects
Classic View of the Objects Tree
Group View of the Objects Tree
Creating the Rule Base
Basic Rule Base Concepts
Default Rule
Basic Rules 7
ImplicivExplicit Rules
Control Connections
Detecting IP Spoofing
Configuring Anti-Spoofing
Rule Base Management
Understanding Rule Base Order
Completing the Rule Base
Policy Management and Revision Control
Policy Package Management ..
Database Revision Control
Multicasting.....
Practice and Review ..
Student Manual
58
59
60
60
‘Table of Contents
Practice Labs ..c.n ee 82
Review ...
Chapter 4: Monitoring Traffic and Connections
‘Monitoring Traffic and Connections ....
Learning Objectives
SmartView Tracker
Log Types
SmartView Tracker Tabs
Action Icons
Working with Smartview Tracker.
Log-File Management
Administrator Auditing
Global Logging and Alerting
‘Time Settings
Blocking Connections ...
‘SmartView Monitor
Customized Views ..
Gateway Status Vi
Traffic View
‘Tunnels View
Remote Users View 7
Cooperative Enforcement View
‘Monitoring Suspicious Activity Rules
‘Monitoring Alerts
Gateway Status .
Overall Status
Software Blade Status...
Displaying Gateway Information -
‘SmartView Tracker vs, SmartView Monitor ....
Practice and Review
Practice Lab ..
Review ..
Chapter 5: Network Address Translation ........... ponbapucsoGG +++ 107
Network Address Translation ere = sve 108,
nnn ee ee
iv ‘Check Point Security Administration
Learning Objectives: a . 108
Introduction to NAT esc semen er)
IP Addressing a 110
Hide NAT so o 110
Choosing the Hide Address in Hide NAT... sevens MEL
Static NAT. ut
Original Packet o . sons MD,
Reply Packet : . sow HD
NAT - Global Properties ae soe LB
Object Configuration - Hide NAT .... sn eee a)
Hide NAT Using Another Interface IP Address sown 116
Static NAT... _ o 17
Manual NAT a a 18.
Configuring Manual NAT woos nse sooo : 118
Special Considerations ht)
ARP oo a HD
Practice and Review .... — so 120
Practice Labs . = ove 120
Review a sn 120
Chapter 6: Using SmartUpdate . eeeeereni2t
Using SmartUpdate E : . 122
Leaming Objectives: ....... soe so 122
SmartUpdate and Managing Licenses 0... : 123,
SmartUpdate Architecture : : 124
‘SmartUpdate Introduction oso nnn oe 126
Overview of Managing Licenses svn os 128
Licensing Terminology 129
Upgrading Licenses... 131
Retrieving License Data fiom Security Gateways 131
‘Adding New Licenses to the License & Contract Repository . 131
Importing License Files. 132
Adding License Details Manually 132
Attaching Licenses ... 133
133
Detaching Licenses
Deleting Licenses From License & Contact Repository 133
Student Manual ~ v
‘Table of Contents
Installation Process
Viewing Livense Properties
‘Checking for Expired Licenses
‘To Export a License to a File
Service Contracts...
Managing Contracts
Updating Contracts ..
Practice and Review
Review ..
Chapter 7: User Management and Authentication .
User Management and Authentication
Learning Objectives:
(Creating Users and Groups...
User Types...
Security Gateway Authentication
‘Types of Legacy Authentication
Authentication Schemes
Remote User Authentication
‘Authentication Methods
User Authentication (Legacy) «0.»
User Authentication Rule Base Considerations
Session Authentication (Legacy)...
Configuring Session Authentication
Client Authentication (Legacy) 1 mmesnnm
Client Authentication and Sign-On Overview ...
Sign-On Methods ..
Wait Mode
Configuring Authentication Tracking ....
LDAP User Management with UserDirectory
LDAP Feattte sono nonnen
Distinguished Name se
‘Multiple LDAP Servers
Using an Existing LDAP Server senso
Configuring Entities to Work with the Gateway ...
Defining an Account Unit ... 7
vi Check Point Security Administration
Managing Users... : . oe 61
UserDitectory Groups 162
Practice and RevieW ou. = : sonene 163
Practice Lab voc so sone 163
Review... son 163
Chapter 8: Identity Awareness... ee ceeees 165
entity Awareness ... oe . 166
Learning Objectives:
Install Database... from the menu, Security Gateways that do not include a
‘Management Software Blade do not receive the Users Database.
Student Manual
3
Introduction fo Check Point Technology
Securing Channels of Communication
‘The Security Management Server must be able to communicate with all
‘components and partner-OPSEC applications that it manages, even though they
may be installed on different machines. The interaction must take place to ensure
that the components receive all necessary information from the Security
‘Management Server (such as the Security Policy). While information must be
allowed to pass freely, it also has to pass securely, This means that
+ The communication must be encrypted so that an impostor cannot send,
receive or intercept communication meant for someone else,
+ The communication must be authenticated; there can be no doubt as to the
identity ofthe communicating peers.
+ The transmitted communication should have data integrity; thats, the
communication must not be altered or distorted in any form.
* The SIC setup process allowing the intercommunication to take place must be
user-friendly.
If these criteria are met, secure channels of communication between
intercommunieating components of the system can be set up and enforced, to
protect the free and secure flow of information.
Secure Internal Communications
Secure Internal Communication (SIC) lets Check Point platforms and products
‘authenticate with each other. The SIC procedure creates a trusted status between
‘gateways, management servers and other Check Point components. SIC is
required to install polices on gateways and to send logs between gateways and
‘management servers.
‘These security measures ensure the security of SIC:
© Certificates for authentication
* Standards-based SSL for the ereation of the secure channel
© 3DES for encryption
The Internal Certificate Authority (ICA)
‘The ICA is created during the Security Management server installation process.
‘The ICA is responsible for issuing certificates for authentication, For example,
4
Check Point Security Administration
—
‘Securing Channels of Communication
ICA issues certificates such as SIC certificates for authentication purposes to
administrators and VPN certificates to users and gateways,
Initializing the Trust Establishment Process
Communication Initialization establishes a trust between the Security
Management server and the Check Point gateways. This trust lets Check Point
‘components communicate securely. Trust can only be established when the
gateways and the server have SIC certificates.
Note: For SIC to succeed, the clocks of the gateways and servers
‘must be synchronized.
‘The Internal Certificate Authority (ICA) is created when the Security
Management server is installed. The ICA issues and delivers a certificate to the
Security Management server,
Administrative Login Using SIC
‘The login process, in which Administrators connect to the Security Management
Server, is common to all Check Point SmartConsole components
(SmartDashboard, SmartUipdate, etc.) This process consists of a bidirectional
‘operation, in which the Administrator and the Security Management Server
authenticate each other and create a secure channel of communication between
them using SIC, Once both the Administrator and the Security Management
Server have been successfully authenticated, Security Management launches the
selected SmartConsole.
Testing the SIC Status
‘The SIC status reflects the state of the Gateway afer it has received the
certificate issted by the ICA. This status conveys whether or not the Security
Management server is able to communicate securely with the gateway. The most
typical status is Communicating. Any other status indicates thatthe SIC
communication is problematic. For example, ifthe SIC status is Unknown then
there is no connection between the Gateway and the Security Management
server. Ifthe SIC status is Not Communicating, the Security Management server
is able to contact the gateway, but SIC communication cannot be established. In
this case an error message will appear, which may contain specifi instructions
hhow to remedy the situation,
Student Manual 35
Introduction to Check Point Technology
Resetting the Trust State
Resetting the Trust State revokes the gateway's SIC certificate, This must be done
if the security of the gateway has been breached, or if for any other reason the
gateway functionality must be stopped. When the gateway is reset, the Certificate
Revocation List (CRL) is updated to include the name of the revoked certificate.
‘The CRL is signed by the ICA and issued to all the gateways in this system the
next time a SIC connection is made. If there isa discrepancy between the CRL of |
‘wo communicating components, the newest CRL is always used. The gateways
refer tothe latest CRL and deny a connection from an impostor posing as a
‘gateway and using a SIC certificate that has already been revoked.
Important - The SIC reset must be performed on the gateway’s object using
SmartDashboard, and from a command prompt on the gateway using the
epconfig tool. Performing the SIC reset on the gateway will cause an outage
until SIC is reestablished and policy reinstalled, The £w stat command can
be used to verify a Gateway’s Policy installed status.
SIC Between Security Management Servers and Components
‘The following is an example of the SIC process:
2 vconecicertenesto
‘ins ook Pat occ
anagenent Sever }
seeuriy”
Gateway,
Figure 23 ~ SIC Ameng Security Management Servers and Components
‘The graphic illustrates the SIC process in a distributed environment
36 ‘Check Point Security Administration
=
‘Securing Channels of Communication
4. The ICA creates a Certificate forthe Security Management Server during the
Security Management Server installation. The ICA is ereated automatically
during the installation procedure.
2. Corlificates for the Security Gateways, and any other communicating compo-
nents, are created via.a simple initialization from the SmartConsole. Upon ini-
tialization, the ICA creates, signs, and delivers a Cerificate tothe
communication component. Every component can then verify the Certificate
for authenticity.
Communication between a Security Management Server and its components
depends on a Security Policy specified ina Policy file on each machine, Com
munication using Certificates will take place provided thatthe comsmunicat-
ing components are of the appropriate version, and agree on the
authentication and encryption methods. The Security Management Server and
its components are identified by their SIC name, also known asthe Distin-
suished Name.
Student Manual 37
Introduction to Check Point Technology
Practice and Review
Practice Labs
Lab 1: Distributed Installation
Lab 2: Branch Office Security Gateway Installation
Review
4. What is the strength of Check Point's Stateful Inspection technology?
2. What are the advantages of Check Point's Secure Management Architecture
(SMART)? In what way does it benefit an enterprise network and its adminis
trators?
3. What is the main purpose for he Security Management Server? Which func
tion is it necessary to perform on the Security Management Server when
incorporating Security Gateways into the network?
3B Check Point Security Administration
cuaprer2 __- Deployment Platforms
Check Point Security Administration
39
a
Deployment Platforms
Deployment Plaiforms
Before delving into the intricacies of creating and managing Security Policies, it
is beneficial to know about Check Point's different deployment platforms, and
‘understand the basic workings of Check Point's Linux operating systems such as,
Gaia, that support many Check Point products - and what those products are.
Learning Objectives:
* Given network specifications, perform a backup and restore the current
Gateway installation from the command line,
+ Identify critical files needed to purge or backup, import and export users and
groups and add or delete administrators from the command line.
© Deploy Gateways from the Gateway command line.
wD Check Point Security Administration
Check Point Deployment Platiorms
Check Point Deployment Platforms
Security Appliances
Dedicated Appliances
Check Point security appliances deliver powerful turkey systems for deploying
‘and managing Check Point's award winning Software Blades to address virtually
any security need for businesses of all sizes. All Check Point appliances are built
around the unified Software Blade Architecture, enabling organizations to protect
against rapidly evolving threats and perform all aspects of security management
via a single, unified console. Strong and proven, the Check Point security
appliances provide reliable services for thousands of businesses worldwide.
Private Cloud Emulation Appliances:
© Threat Emulation prevents infections from
undiscovered exploits, zero-day and targeted
attacks. This innovative solution quickly
inspects incoming files, launches suspicious
files in a virtual sandbox, discovers malicious
behavior and then prevents discovered malware from entering the network.
‘The Private Cloud Emulation Appliance is an on-premise solution to emulate
threats,
Threat Prevention Appliances
+ deine ppliane focused on revenng
thea tempting to ener our neon The .
Theat Prevention Aplinces pre ret i
ling pret suas ni, An Bt
URL ering, Met Avene sa se
int one content ppc
Secure Web Gateway
© Check Point's Secure Web Gateway Appliance
enables secure use of Web 2.0 with the largest
application coverage, unified control of all
aspects of web, end-user education, integrated
anti-malware and 360 degrees visibility ofall
web activities,
Student Manual
ai
Deployment Platforms
DDoS Protector
© The Check Point DDoS Protector™
Appliances protect business-critical networks
and block Denial of Service attacks with multi-
layered protection and up to 12Gbps of
performance.
ier & Ultra High-End Data Center Security Systems
41000 and 61000 Security Systems
‘+ Check Point Security Systems deliver high-
performance, highly sealable Security
Gateways that are cartier-grade designed for
data centers, telecommunication and cloud
services providers.
21000 Appliances
+ The 21000 Appliances deliver total protection
with unmatched performance and flexibility.
Equipped with the Security Acceleration
Modul, it delivers up to 110 Gbps of firewall
throughput with sub Sys latency —making it an
ideal solution for performance & time-
sensitive applications,
Data Center Security Systems
13500 Appliances
+ Experience breakthrough Next
Generation Firewall performance and
unmatched scalability and serviceability
in compact 2 rack-unit to seoure even
the most demanding enterprise and data
center environments
a ‘Check Point Security Administration
“Theck Paint Deployment Platforms
12000 Appliances
* These datacenter-grade security appliances,
with its multi-core and acceleration
technologies, redundant components and
superior mulfi-Software Blade performance
are designed for high-performance and
reliability for even the most demanding
enterprise network environments.
Enterprise Network Security Systems.
‘Small/Branch Office
4000 Appliances
© Today's enterprise security gateway needs to
>be more than just a firewall ~ it must use
‘multiple technologies to secure and protect
networks against evolving threats. The Check
Point 4000 Appliances with its flexible
network interface options and multi-core
technology offer the best performance for its
class,
2200 Appliances
* The Check Point 2200 Appliance offers
enterprise-class security with leading price/
performance in # compact desktop form factor,
Combined with the Software Blade Architecture, itis an ideal solution for
securing small offices and branch offices,
1100 Appliances
extensible Software Blades to deliver big security
to the small branch office. These all-in-one
appliances offer robust multi-layered protection
with flexible network interfaces in a compact
desktop form factor.
© The Check Point 1100 Appliances leverage the | |
Student Manual
a3
Virtual Systems
Management
600 Appliance
* Check Point 600 Appliances deliver proven
enterprise-grade security in simple, affordable, all-
{n-one security solution to proteet your employees,
‘your applications and your data from eyber-theft for
small offices like yours,
Check Point Virtual Systems
* Check Point Virtual Systems consolidate and
simplify security for private clouds. It enables
Software Blades for customized protections agninst
evolving network threats.
‘Smart-U/Smart-1 SmartEvent Appliances
© Smart-1 —Check Point Smart-1 Appliances
deliver market-leading security management
‘ona dedicated hardware platform specifically
designed for mid-size and large enterprise
networks.
‘© Smart-1 Smartlevent — Check Point Smart
1 Appliances deliver market-leading event
management on a dedicated hardware
platform specifically designed for mid-size
and large enterprise networks.
‘Check Point Security Administration
Ghock Paint boploymont Pratorne
More Check Point Appliances
X-Series Appliances
* Check Point X-Series Appliances provides
organizations with the ultimate choice in carrier-grade
chassis - integrated software and hardware bundles
customized to their exact specifications,
TAS Appliances
* Check Point Integrated Appliance Solutions
(IAS) Bladed Hardware provides organizations
with the ultimate choice in earrier-grade chassis,
IAS Bladed Hardware delivers integrated
software and hardware solutions that are
customized to your exact security needs-all
while maintaining the network performance you require
‘Small Business Appliances
* Check Point Safe@Ofice and UTM-1 Edge N
appliances deliver proven, cost effective and bestin-
class security to small businesses quickly and easily,
itegrating firewall, IPS, anti-malware, URL Filtering
and more,
‘Student Manual oi
eS
Deployment Platforms
Security Power - Choosing a Security Appliance
Check Point's SecurityPower™is a new benchmark metric that allows customers
to select security appliances by their capacity to handle real-world network
traffic, multiple advanced security functions and a typical security policy.
SecurityPower helps customers to accurately size and determine the appropriate
appliances that can best meet their network security needs today, as well as
support anticipated future traffic increases and additional security functions.
Leveraging the new Check Point Appliance Selection Tool, the Check Point
‘account team or Check Point partners can take criteria of the customer's network
including the required throughput performance and desired security functions ~
2g inputs, and produce a SecurityPower requirement value, That value is then
‘compared against the SecurityPower capacities of the range of Check Point
appliances to determine and present candidates that can best meet the customer's
network security and performance requirements.
Figure 24 — Securty Power
Check Point Security Administration
Thack Pont Software Blade Architecture
Check Point Software Blade Architecture
Student Manwat
Sceurity environments become more complex as companies ofall sizes defend
themselves against new and varied threats. With these new threais come new
security solutions, new vendors, costly new hardware, and increasing complexity,
As IT comes under increasing pressure to do more with existing hardware and
human resources, this approach becomes increasingly unacceptable,
Check Point's Software Blade architecture offers a better way, enabling
organizations to efficiently tailor targeted managed solutions that meet targeted
business security needs, All solutions are centrally managed through a single
console that reduces complexity and operational overhead. And as new threats
emerge, Check Points Software blade architecture quickly and flexibly expands
services as needed without the addition of new hardware or management
complexity. Our pre-defined Software Blade Bundles take the guesswork out of
choosing the right security with targeted, comprehensive security protections.
‘The Check Point Software Blade architecture is the fist and only security
architecture that delivers total, flexible and manageable security to companies of
any size, With this unprecedented capability, Check Point Software Blades
deliver lower cost of ownership and cost-efficient protection that meet any
network security or endpoint secusity need, today and in the future.
A software blade is a logical security building block that is independent, modular
and centrally managed, Software Blades can be quickly enabled and configured
into a solution based on specific business needs, And as needs evolve, additional
blades can be quickly activated to extend security to an existing configuration
within the same hardware foundation.
Key Benefits of the Check Point Software Blade Architecture
‘+ Flexibility ~ Provides the right level of protection at the right level of
investment
© Manageability ~ Enables fast deployment of security services. Increases
productivity through centralized blade management.
* Total Security — Provides the right level of security, at all enforcement points,
‘and at all layers ofthe network
+ Lower TCO - Protects investment through consolidation and use of existing
hardware infrastructure
© Guaranteed performance ~ Enables provisioning of resources that guarantee
service levels
Software Blades can be deployed on Check Point security appliances, IP
appliances, open servers, within virtualized environments, and on endpoints.
New blades can be added simply by enabling their functionality in software; no
a
Deployment Platforms
additional hardware, firmyvare or drivers are necessary. This enables
organizations to deploy secutity dynamically, as needed, with lower total cost of
deployment.
Software Blade Bundles
Next Generation Firewall
‘The Check Point Next Generation Firewall extends the power of the firewall
beyond stopping unauthorized access by adding IPS and Application Control
protections. Next Generation Firewalls come in many sizes and offer throughput
of up to 110Gbps
Next Generation Threat Prevention
Unified next generation solution that prevents advanced threats and malware
attacks and enables an organization to easily and confidently control access to
millions of web sites. Protections include stopping application-specific attacks,
botnets, targeted attacks, APTs, and zero-day threats,
Next Generation Secure Web Gateway
Embracing the current paradigm shift from simple URL filtering to
comprehensive malware protection, the Check Point Secure Web Gateway
provides an intuitive solution that enables secure use of Web 2.0 with real time
multi-layered protection against web-borne malware, largest application
coverage in the industry, advanced granular control, intuitive centralized
‘management, and essential end-user education functionality.
Next Generation Data Protection
Next Generation Data Protection solutions encompass all facets of protecting
content from getting into the wrong hands. Data Loss Prevention (DLP) is an
integral part of a data protection solution, however to fully protect data, multiple
layers must be put into place. Check Point combines these layers into a complete
solution protecting against confidential data inadvertently leaving the
organization
® Check Point Security Administration
Student Manual
‘hack Paint Software Blade Architecture
Security Gateway Software Blades
* Firewall — The Check Point Firewall Software Blade
builds on the award winning technology first offered in
Check Point’s FireWall-1 solution to provide the industry's
strongest level of gateway security and idemity awareness,
Check Point's firewalls are trusted by 100% of the Fortune
100 and deployed by over 170,000 customers, and have
demonstrated industry leadership and continued innovation since the
introduction of FireWall-1 in 1994.
* IPSec VPN — The Check Point IPSec VPN Software
Blade provides secure connectivity to corporate networks
for remote and mobile users, branch offices and business
partners. The Software Blade integrates access control,
authentication and encryption to guarantee the security of
network connections over the public Internet,
© Mobile Access Software Blade — Check Point Mobile
‘Access Software Blade is the safe and easy solution to
‘connect to corporate applications over the internet with
your Smartphone, tablet or PC, The solution provides 7
enterprise-grade remote access via both Layer-3 VPN and
SSL VPN, allowing you simple, safe and secure
connectivity to your email, calendar, contacts and corporate applications.
© Identity Awareness — Check Point Identity Awareness
Software Blade provides granular visibility of users, groups
‘nd machines, providing unmatched application and access
‘control through the creation of accurate, identity-based
policies. Centralized management and monitoring allows
for policies to be managed from a single, unified console,
‘* Application Control — The Check Point Application
Control Software Blade provides the industry's strongest
application security and identity control to organizations of,
all sizes. It enables IT teams to easily create granular
policies—based on users or groups—to identify, block or
limit usage of over 240,000 Web 2.0 applications and
widgets.The Application Control Software Blade is a key component of the
Secure Web Gateway Appliance.
+ IPS — The Check Point Intrusion Prevention System (IPS)
Software Blade combines industry-leading IPS protection
with breakthrough performance at a lower cost than
traditional, stand-alone IPS solutions. The IPS Software
Blade delivers complete and proactive intrusion
Deployment Platiorme
prevention—all with the deployment and management advantages of a
unified and extensible next-generation firewall solution,
DLP — The Check Point DLP Software Blade combines
technology and processes to revolutionize Data Loss
Prevention (DLP), helping businesses to pre-emptively
protect sensitive information from unintentional loss,
educating users on proper data handling policies and
empowering them to remediate incidents in real-time,
Web Security — The Check Point Web Security Software
Blade provides a set of advanced capabilites that detect and
prevent attacks launched against the Web infrastructure.
‘The Web Security Software Blade delivers comprehensive
protection when using the Web for business and
communication.
URL Filtering — ‘The Check Point URL Filtering Software
Blade provides optimized web security through full
integration in the gateway to prevent bypass through
‘external proxies. Integration of policy enforcement with
‘Application Control means full Web and Web 2.0
protection, and UserCheck technology empowers and
educates users on web usage policy in realtime. The URL Filtering Software
Blade is a key component of the Secure Web Gateway Appliance.
Anti-Bot — The Check Point Anti-Bot Software Blade
detects bot infected machines, prevents bot damages by
blocking bot C&C communications, and is continually
updated from ThreaiCloud™, the first collaborative
network to fight eybererime.
‘Threat Emulation — Check Point ThreatCloud Emulation
Service prevents infections from undiscovered exploits,
zero-day and targeted attacks. This innovative solution.
quickly inspects files and runs them in a virtual sandbox to
discover malicious behavior. Discovered malware is
prevented from entering the network.
Antivirus & Anti-Malware — The enhanced Check Point
Antivirus Software Blade uses real-time virus signatures
and anomaly-based protections from ThreatCloud™, the
first collaborative network to fight cybercrime, to detect
and block malware at the gateway before users are affected.
‘The Antivinss Software Blade isa key component ofthe
Secure Web Gateway Appliance and Threat Prevention Appliance
30
Check Point Security Administration
‘Check Point Software Biads Architecture
© Anti-Spam & Email Security —The Check Point Anti-
Spam & Email Security Software Blade provides
comprehensive protection for messaging infrastructure. A.
‘multidimensional approach protects email infrastructure,
provides highly accurate anti-spam coverage and defends
organizations from a wide variety of virus and malware
threats delivered within email,
+ Advanced Networking — The Check Point Advanced
Networking and Clustering Software Blade simplifies
network security deployment and management within
complex and highly utilized networks, while maximizing
network performance and security in multi-Gbps
environments. This combination is ideal for high-end
enterprise and datacenter environments where performance and availability
are critical
* Voice over IP (VoIP) — The Check Point VoIP Blade
‘enables you to deploy VoIP applications such as telephony
or video conferencing without introducing new security
threats or needing to redesign your network. Because
worms and VoIP-specific Denial of Service attacks can take
TP phone services down, the Check Point family delivers an
evolving solution that understands and protects against existing and new
threats that may disrupt business continuity. Check Point solutions also
reduce the complexity of VoIP deployment by eliminating such common pain
points as incompatibility between VoIP and Network Address Translation.
© Security Gateway Virtual Edition — The Check Point
Security Gateway Virtual Edition (VE) protects dynamic
virtualized environments and external networks, such as
private and public clouds, from internal and external threats
by securing virtual machines and applications with the full
range of Check Point Software Blades.
Security Management Software Blades
* Network Policy Management — The Check Point
‘Network Policy Management Software Blade provides
‘comprehensive, centralized network security policy
‘management for Check Point gateways and Software
Blades, via SmartDashboard-—a single, unified console that,
provides control over even the most complex security
deployments.
Student Manual
ar
tn
Deployment Platforms
+ Endpoint Policy Management — The Check Point
Endpoint Policy Management Softwate Blade simplifies
endpoint security management by unifying all endpoint
security capabilities for PC & Mac in a single console.
Monitor, manage, educate and enforce poliey, ftom an at-a~
lance dashboard down to user and machine details, all with
a few clicks,
+ Logging and Status — The Check Point Logaing and
Status Software Blade transforms data into security
intelligence with SmartLog, an advanced log analyzer that
delivers split-second search results providing real-time
Visibility into billions of log records over multiple time
periods and domains
‘+ SmartWorkflow — The Check Point SmartWorkflow
Software Blade provides seamless and automated process
for policy change management that helps administrators
reduce errors and enhance compliance. Enforce a formal
process for editing, reviewing, approving and auditing
policy changes from a single console, for one-stop, total
policy lifecycle management.
© Monitoring — The Check Point Monitoring Software
Blade presents a complete picture of network and security
performance, enabling fast responses to changes in traffic
patterns or security events, The Software Blade centrally
monitors Check Point devices and alerts to changes to
gateways, endpoints, tunnels, remote users and security
activities.
© Management Portal — The Check Point Management
Portal Software Blade allows browser-based security
‘management access to outside groups such as support staff
cor auditors, while maintaining centralized control of policy
enforcement. View security policies, the status of all Check
Point products and administrator activity as well as edit,
create and modify internal users.
+ User Directory —The Check Point User Directory
Software Blade leverages LDAP servers to obtain
identification and security information about network users,
climinating the risks associated with manually maintaining
and synchronizing redundant data stores, and enabli
centralized user management throughout the enterprise
2 ‘Check Point Security Administration
a
sok Point Software Blade Arch
‘* SmartProvisioning — The Check Point SmartProvisioning
Software Blade provides centralized administration and
security provisioning of Check Point devices. Using.
profiles, administrators can automate device configuration
and easily roll out changes to settings to multiple,
geographically distributed devices, via a single security
‘management console.
+ Smuariopeiey— The Gin Pec Semper
Software Blas incres th nriny tent teats by
centralizing network security reporting of network, security (/iss a
and usraciviy intoconcisepeiefed craorctait PEAS
eee
intl ctial uy eae or oe
easily manage big data security, and make faster, more informed security.
Sato
+ Mle Domain Secure Management — Seay
Maragamartand Mult Dusan seeety Mecreeet
(Prone delves enciercnlooaa
‘segmenting your security management into multiple virtual
Endpoint Software Blades
* Full Disk Encryption — The Check Point Pull Disk
Encryption Software Blade provides automatic security for
all information on endpoint hard drives, including user data,
operating system files and temporary and erased files. For
‘maximum data protection, multi-factor pre-boot
authentication ensures user identity, while encryption
prevents data loss from theft
Student Manual 33
Deployment Platforms
© Media Eneryption — The Check Point Media Eneryption
Software Blade provides centrally-enforceable encryption
of removable storage media such as USB flash drives,
backup hard drives, CDs and DVDs, for maximum data
protection. Educating users on when to share and not share
‘corporate data via UserCheck prevents future data sharing
mistakes. Port control enables management of all endpoint ports, plus
centralized logging of port activity for auditing and compliance,
‘= Remote Access — The Check Point Endpoint Remote
Access VPN Software Blade provides users with secure,
seamless access to corporate networks and resources when
traveling oF working remotely. Privacy and integrity of
sensitive information is ensured through multi-factor
authentication, endpoint system compliance scanning and
encryption of all transmitted data.
34 Check Point Security Administration
Check Point Gaia
History - Power of Two
Check Point Gaia is the unified cutting-edge secure operating
system for all Check Point Appliances, open servers and virtualized
gateways. Gaia was derived from IPSO and SecurePlatform,
IPSO
Ipsilon Networks, the developers of IPSO, was a computer networking company
specializing in IP switching. The company was a key player in the introduction of
label switching, and published early proposals on the subject, Label switching, or
tag switching (Cisco Systems), was a technology that eventually became
standardized as MPLS (Multiprotocol Label Switching). Nokia purchased
Ipsilon Networks in 1997, and incorporated the IPSO operating system into their
network appliances. Check Point bought Nokia’s Security business unit in April
2008,
IPSO 3.x and 4.x were based on FreeBSD 2.x. IPSO 6.x is based on FreeBSD
6x. Asa stripped down operating system, IPSO provided enough functionality to
ran Check Point firewalls, along with the incorporation of some standard Unix
commands, such as top, ps, df. Italso provided a hardened, secure operating
system (no compilers included). IPSO also provided great visibility into kernel
statistics, such as network counters, interrupts, and more,
IPSO contained many key differentiators from mainline FreeBSD, as well as,
from SecurePlatform:
* ipsetl: comparable to sysctl (BSD) and /proe (Linux)
* ipsrd: comparable to GateD or Quagga
* xpand and configuration database: Single system configuration repository
* Voyager: Web based management GUI for the oper
ig system
* lish: command line shel supporting same festures as Voyager
* iclid ipsrd command line interface daemon
+ VRRP and IP Clustering: High Availability solutions
+ ADP: Accelerated Date Path
* Boot Manager: Similer to OpenBoot on Sun boxes
* CST: Configuration Summary Tool
Student Mamuat
35
ee
Daployment Platforms
SecurePlasform
Check Point's secure operating system, SecurePlatform is based on a kernel from
Red Hat Software, which allows SecurePlatform to benefit from the
compatibility and stability testing performed by Red Hat Software,
SecurePlatform has been hardened to eliminate any components that are not
necessary for a network security device. Components that could present security
exposure were removed or modified. The hardening of SecurePlatform.
components was audited by both Check Point staff and an independent security
consulting organization.
Any software package not needed by network security services was removed
fiom SecurePlatform. Required services, that might present security risks, were
modified as necessary. Where the existing software could not be made secure, it
was replaced. For example, the Web server used by the Web interface for system
administration, was developed internally at Check Point. The Web server is a
small server, designed to perform only the functions required (o allow Web-based
system administration.
Routine management and maintenance of SecurePlatform is performed through @
restricted shell, called Standard Mode. Most utilities needed to managed
‘SecurePlatform and other installed Check Point products are accessed in
Standard Mode. Many Standard Mode commands are ‘wrapped’ in custom
scripts to disable unnecessary options and make the utility easier to use. Standard
Mode enhances the security of SecurePlatform, by restricting access to utilities
that, if used improperly, could damage system stability. Because of the usability
‘enhancements in Standard Mode, extensive Linux knowledge is not required to
perform routine management of SecurePlatform.
Because SecurePlatform does not include unnecessary software, superior
performance is achieved, Resources are not consumed by software such as
graphical user interfaces, office applications, and network file systems. All
system resources are dedicated to the operating system and the installed Check
Point products. SecurePlatform fully supports Check Point SecureXL, which can
boost throughput rates for SecurePlatform installations to speeds up to three
times faster than the throughput realized on similar hardware, with other
operating systems, without SecureXL.
56
Check Point Security Administration
Sack Po a
Gaia
Benefits of Gaia
‘Check Point Gaia is the next generation Secure Operating System for all Check
Point appliances and open servers. Gaia combines the best features from IPSO.
‘and SecurePlatform (SPLAT) into a single unified OS providing greater
efficiency and robust performance. With the support of the full suite of Software
Blades, customers will benefit from improved connection capacity and the full
breadth and power of Check Point security technologies by adopting Gaia
Check Point Gaia announced on April 17th 2012 offers 3 key value propositions:
* Combining the best features of IPSO & SecurePlatform
‘+ Increase operational efficiency with wide range of features
* A secure platform for the most demanding environments
Gaia combines the best features from IPSO and SecurePlatform (SPLAT) into a
single unified OS providing greater efficiency and robust performance. As a 64-
bit operating system, Gaia increases the connection capacity of select appliances.
Customers migrating from [Pv4 to IPv6 networks are secured with Gaia utilizing
the Check Point Acceleration & Clustering technology. Gaia fils into the most
complex networks by supporting dynamic routing, bridge mode and 802.3ed link
aggregation
Gaia simplifies and strengthens management with segregation of duties by
enabling role-based administrative access. Furthermore, Gaia greatly increases
operational efficiency by offering Intelligent Software Updates, Security
‘management is made simple with the intuitive and feature-rich Web-based user
interface and instant search for all commands and properties. Gaia is fully
compatible with IPSO and SPLAT command line interface (CLI) commands,
‘making it an easy transition from existing Check Point operating platforms.
Student Manwat
7
Deployment Platforms
Gaia Architecture
ee
+ Configuration wizards
Ease of Use
+ One-step install
+ One-click registration
Full Software Blade support
Higher connection capacity
+ 64 BiLOs
“v6
+ Supports Dual stack and Tunneling
+ SecureXL and CoreXL acceleration
‘Clustering options
+ ClusterXL and CoreXL acceleration
Enhanced device management
+ Image snapshot,
+ Device replication
‘Automated software update
+ WebUL and CLI
+ Role-based administration
+ Multiple configuration sets
‘Manageable dynamic routing
Higher connection capacity
+ 64 Bit OS
TPv6
+ Supports Dual stack and Tunneling
+ SecureXL and CoreXL
acceleration
Clustering options
+ ClusterXL and CoreXL,
acceleration
Enhanced device management
+ Image snapshot
+ Device replication
“Automated software update
‘Table 2-1: Benefits of Gaia for SecurePlatformn and IPSO Users
Full Compatibility with IPSO and SPLAT CLI Commands
‘Transitioning to Gaia is a breeze for security administrators. The same powerful
‘command line interface (CLI) commands
from IPSO and SPLAT are seamlessly
integrated into Gaia, Additional new commands and capabilities are also added to
the Gaia CLI making powerful CLI interface even more intuitive to use.
3B
Check Point Security Administration
Student Manual
Ghack Point
Web-Based User Interface with Search Navigation
The intuitive WebUI delivers a refteshing user experience for security
administrators. This interface integrates all management functions into a Web-
bbased dashboard that is accessible via the most popular Web browsers ~ Intemet
Explorer, Chrome, Firefox and Safari. The built-in search navigation delivers
instant results on commands and properties. For the CLI-inelined users, a Shetl-
Emulator pop-up window is only a single click away.
Role-Based Administrative Access
Segregation of duties is part of a good security policy and it improves operating
efficiency and auditing of administrative events. The role-based administrative
access gives Gaia customers the ability and granularity to customize their
security management policies that are particular to their business needs. Specific
levels of access can be granted based on ech individual's role and responsibility
— building a stronger security environment.
Support for Industry Standard Authentication
‘The AAA component of the Gaia manages user access to the appliance.
Generally, AAA includes Authentication (identifying a user), Authorization
(determining what a user is permitted to do), and Accounting (tracking some
aspects of a user's activity). Gaia implements Pluggable Authentication Modules
(PAM), an industry-standatd framework for authenticating and authorizing users.
Using PAM, authentication, account management, and session management
algorithms are contained in shared modules that you configure on your appliance.
Support for Industry Standard Monitoring
Gaia supports the user-based security model (USM) component of SNMPv3 fo
supply message-level security. With USM described in RFC 3414, access to the
SNMP service is controlled on the basis of user identities. Each user has a name,
‘an authentication pass phrase to identify the user, and an optional privacy pass
phrase for protection against disclosure of SNMP message payloads. Managed
devices use trap messages to report events to the Network Management Station
(NMS). SNMP traps may be sent to the NMS in the event of a hardware or
product change.
Intelligent Software Updates
Software updates is an important process to maintain robust security performance
and high network integrity. Its also a process that can sometime cause
disruptions to the network services or to your business. With the intelligent
software updates offered by Gaia, new releases and patches can be pre-scheduled
Ey
Deployment Platforma
Practice and Review
Practice Labs
Lab 3: CLI Tools,
Review
What are some of the advantages in deploying UTM-1 Edge Appliances?
2. How do you manage the Gaia Appliance?
3. How would you get Gaia system information?
Check Point Security Administration
caapters Introduction to the
Security Policy
Check Point Security Administration
61
Titroduction tothe Security Polley
Tniroduction to the Security Policy
Learning Objectives:
‘The Security Policy is essential in administrating security for your organization's
network. This chapter examines how to create rules based on network objects,
and modify a Security Policy’s properties. In addition, this chapter will teach you
how to apply Database Revision Control and Policy Package management, to
decrease the burden of management when working with rules and objects.
© Given the network topology, create and configure network, host and gateway
objects.
‘Verify SIC establishment between the Security Management Server and the
Gateway using SmartDashboard.
© Create a basie Rule Base in SmartDashboard that includes permissions for
administrative users, external services, and LAN outbound use.
‘© Evaluate existing policies and optimize the rules based on current corporate
requirements
‘© Maintain the Security Management Server with scheduled backups and policy
versions to ensure seamless upgrades and minimal downtime,
a
‘Check Point Security Administration
OT
“Soourity Polley Basics
Security Policy Basics
The Rule Base
“The Security Policy is a set of rules that defines your network security using a
Rule Base, rules comprised of network objects, such as gateways, hosts,
networks, routers, and domains. Once a Rule Base is defined, the Policy is
distributed to all Security Gateways across a network.
Each rule in a Rule Base specifies the source, destination, service, and action to
bbe taken for each session. A rule also specifics how a communication is tracked.
Events can be logged, and then trigger an alert message. The figure is an example
of a Rule Base:
Figure 26 ~ Rule Base
Managing Objects in SmartDashboard
Objects are created by the System Administrator to represent actual hosts and
devices, as well as intangible components, such as services (for exemple, HTTP
and TELNET) and resources (for example, URI and FTP). Each component of an.
organization has a corresponding object that represents it. Once these objects are
created, they oan be used in the rules of the Security Policy. Objects are the
building blocks of Security Policy rules and are stored in the Objects database on
‘the Security Management Server.
Objects in SmartDashboard are divided into several categories, which can be
viewed in the different tabs of the Objects Tree. For instance, the Network
Student Manual
6
Inroduction to the Security Policy
Objects tab represents the physical machines and logical components, such 2s
dynamie objects and address ranges, that make up your organization.
‘When creating objects, the System Administrator must consider the needs of the
organization:
‘© What are the physical and logical components that mnake up the organization?
Each component that accesses the Security Gateway most likely needs to be
defined.
‘© Who are the users and Administrators, and how should they be divided into
different groups?
Figure 27 — SmartDashboard
‘SmartDashboard and Objects
Object-Tree Pane
SmartDashboerd is comprised of three principal areas, known as panes. From
these panes, objects are created, manipulated, and accessed, From these panes,
objects are created, manipulated, and accessed. The following section describes
the functions and charactersties of each pane.
‘The Objects tree is the main view for managing and displaying objects. Objects
are distributed among logical eategores (called tabs), such es Network Objects
and Services. Each tab orders its objects logically. For example, the Services tab
locates al services using ICMP in the folder called ICMP.
Check Point Security Administration
os ccty Policy Basis
Objects-List Pane
‘The Objects tree works with the Objects list, The Objects list displays current
information for a selected object category. For example, when a Logical Server
network object is selected in the Objects tree, the Objects list displays a list of
Logical Servers, with certain details displayed.
Object Types
‘The objects lists are divided into the following categories:
+ Network
* Services
+ Resources
‘Servers and OPSEC Applications
+ Users and Administrators
+ VPN Communities
Rule Base Pane
Objects are implemented across various Rule Bases, where they are used in the
rules of various Policies. For example, network objects are generally used in the
Source, Destination or Install On columns, while time objects can be applied in
any Rule Base within the Time column,
Student Manual 5
Introduction to the Securlty Polley
Managing Objects
“The Objects Tree is the main view for adding, editing, and deleting objects,
although these operations can also be performed from the menus, toolbars and
other views, such as in Rule Bases. You create objects to represent actual hosts
and devices, intangible components (Such as HTTTP and TELNET services) and
resources (for example, URI and FTP). Make an object for each component in
your organization. Then you ean use the objects in the rules of the Security
Policy. Objects are stored in the Objects database on the Security Management
server.
Bsisieiaie)
Network Objects
Figure 28 — Object Tree
When you create your objects, consider the needs of your organization:
© What are the physical components in your network?
‘© What are the logical components - services, resources, and applications?
‘© What components will access the firewall?
‘© Who are the users, and how should they be grouped?
‘+ Who are the administrators, and what are their roles?
‘© Will you use VPN, and ifso, will it allow remote users?
Creating an Object with the Objects Tree
‘To add anew object, right-click the object type you would like to add. For
example, in the Network Objects tab, right-click Networks and select Network
from the displayed menu, or elick the Action button on the Object List menu bar.
6
Check Point Security Administration
ee Wianaging Objects
Editing an Object with the Objects Tree
‘To edit an existing object, right-click the desired object in the Objects tree and
select Edit fiom the displayed menu. Or double-click the object you would like to
modify.
Deleting an Object with the Objects Tree
To delete an existing object, right-click the object in the Objects tree and click
Delete from the displayed menu,
Classic View of the Objects Tree
In Classic view, network objects are displayed beneath their object type. For
example, a corporate mail server would appear under the Node category.
Check Point management stations and Security Gateways appear under the
category Check Point, DAIP servers appear in the category Dynamic Objects,
ete. Organizing objects by category is preferred for small-to-medium-sized
deployments. SmartDashboard opens to classic view by default, unless set to
Group view.
Group View of the Objects Tree
In Group view, network objects are organized by the group objects to which they
belong. For instance, group GW-group could include all of the gateway abjects in
‘an organization. You can switch to Group view by right-clicking Network
‘Objects, and selecting Arrange by groups. As changing views can at first be
disorienting, a warning appears.
‘Shudent Manual a
Introduction to the Security Policy
Creating the Rule Base
Each rule in a Rule Base defines the packets that match the rule — based on
source, destination, service, and the time the packet is inspected. The first rule
that matches a packet is applied, and the specified Action is taken. The
‘communication may be logged and/or an alert may be issued, depending on what
hhas been entered in the Track field.
Figure 29 — Adding a Rule
Basic Rule Base Concepts
‘The SmartDashboard allows you to create a Rule Base, which builds your
Security Policy from a collection of individual rules. Choose from the following,
options:
Add Rule — The position where the rule is to be placed: Bottom, Top, After,
Before,
Delete Rule — Deletes the currently selected rule from the Rule Base,
Disable Rule — Disables a rule when testing a Security Policy; disabling a
rule can also allow access to a previously restricted source or destination,
Hide — Hides, unhides, views, and manages hidden rules; hidden rules still
apply, they are just not visible in the SmartDashboard. This feature is nor=
mally used to temporarily move groups of rules out of view, to minimize con-
fusion when an Administrator is working on a complex Rule Base.
Rule Expiration — Allows a rule to be set with an activation date and time,
and an expiration date and time, or a rule can be restricted to specific hours
and days.
e
Check Point Security Administration
Sean
Greating the Rule Base
Default Rule
‘The Default Rule is added when you add a rue tothe Rule Base. You can
configute this rule with all objects, services, and uses installed on your database
=
tame [aay
Borne Sey [ow | nme [a rertvone
Figure 30 —Defavit Rule
‘The Default Rule is defined with the following information
No. — Defines the number order of each rule; the first rule in the Rule
Base is No. |
Hits — Tacks the number of connections each rule matches on this gateway
Name — Gives Administrators a space to name the rule, helping to annotate
the Rule Base; by default, itis blank.
Source — Displays the Object Manager screen, from which you can select
network objecis or a group of users, to add to the Rule Base; the default is
Any.
Destination — Displays the Object Manager screen, from which you can
select resource objects to add to the rule; the default is Any.
VPN — Displays the Add Objects VPN Communities screen, from which
you can select a VPN Community to add to the rule; the default is Any Traf-
fie,
Service — Displays the Service Manager screen, from which you can select,
services to add to the rules the default is Any.
Action — Accepts, drops, or rejects the session, or provides authentication
and encryption; the default is drop.
‘Track — Defines logging or alerting for this rule; the default is none.
‘The options are: Account, Alert, Log, Mail, None, SampTrap, and UserDe-
fined
Install On — Specifies which firewalled objects will enforce the rule; the
default is Policy Targets, which means all internal firewalled objects,
(Throughout this handbook, all labs and examples assume this default, and the
Install On column is not shown.)
‘Student Manwal - 9
Introduction to the Security Policy
Basic Rules
70
‘Time — Specifies the time period for the rule; the default is Any. (Through-
‘out this handbook, all labs and examples assume this default and the Time
column is not shown.)
Comment — Allows Administrators to add notes about this rule; the default
isa blank comment field,
‘There are two basic rules used by nearly all Security Gateway Administrators
the Cleanup Rule and the Stealth Rule
fs boa fomm [ove len cmseen fa aan
stir foam bw arf wi
Figure 31 — Basic Rules
Both the Cleanup and Stealth Rules are important for creating basic security
‘measures, and tacking important information in SmartView Tracker.
Cleanup Rule — The Security Gateway follows the principle, “That which is
not expressly permitted is prohibited”. Security Gateways drop all communi-
cation attempts that do not match a rule, The only way to monitor the dropped
packets is to create a Cleanup Rule that logs all dropped traffic. The Cleanup
Rule, also known as the “None of the Above” rule, drops all communication
not described by any other rules, and allows you to specify logging for every-
thing being dropped by this rule.
Stealth Rule— To prevent any users from connecting directly to the Gate-
way, you should add a Stealth Rule to your Rule Base. Protecting the Gateway
in this manner makes the Gateway transparent to the network. The Gateway
‘becomes invisible to users on the network. The figure above displays a sam-
ple Stealth Rule.
In most cases, the Stealth Rule should be placed above all other rules. Placing the
Stealth Rule at the top of the Rule Base protects your Gateway from port
scanning, spoofing, and other types of direct attacks. Connections that need to be
made directly (o the Gateway, such as Client Authentication, encryption and
Content Vectoring Protocol (CVP) rules, always go above the Stealth Rule.
(Check Point Security Administration
Rules
Control Connections
‘The Security Gateway creates a Rule Base by translating the Security Policy into
collection of individual rules. The Security Gateway creates implicit rules,
derived from Global Properties and explicit rules, created by the Administrator in
the SmartDashboard
Figure 32 — implicivExplct Rules
An explicit rule is a rule that you create in the Rule Base. Explicit rules are
displayed together with implicit rules in the eorrect sequence, when you select to
view implied 1ules. To see how properties and rules interact, select Implied
Rules from the View menu. Implicit rules appear without numbering, and
explicit rules appear with numbering.
Implicit rules are defined by the Security Gateway to allow certain connections to
and from the Gateway, witha variety of different services, The Gateway enforces
two types of implicit rules that enable the following:
* Control Connections
© Outgoing packets
‘The Security Gateway creates a group of implicit rules that it places fist, las, or
before last in the explicitly defined Rule Base. These first implicit rules are based
on the Accept control connections seting on the Global Properties window.
‘The Gateway anticipates other possible connections relating to Gateway
‘communication, and also creates implicit niles for those scenarios.
‘There are three types of Control Connections, defined by default rules:
* Gateway specific traffic that facilitates functionality, such as logging,
‘management, and key exchange
Student Manual
7i
Introduction to the Security Policy
Detecting IP Spoofing
© Acceptance of IKE and RDP traffic for communication and encryption
purposes
© Cormunication with various types of servers, such as RADIUS, CVP, UFP,
TACACS, LDAP, and Logical Servers, even if these servers are not
specifically defined resources in your Security Policy
Implied rules are generated in the Rule Base through Global Properties. Check
the properties enforced in the FireWall Implied Rules screen, then choose &
position in the Rule Base for the implied rule:
© First — first in the Rule Base
+ Before Last — before the last rule in the Rule Base
© Last — last rule in the Rule Base
Spoofing is a technique where an intruder attempts to gain unauthorized access
by altering a packet's IP address. This alteration makes it appear as though the
packet originated in the part of a network with higher access privileges. The
Security Gateway has a sophisticated anti-spoofing feature that detects such
packets, by requiring that the interface on which a packet enters a gateway
corresponds to its IP address.
7a
Check Point Security Administration
eee
‘Creating the Rule Base
Anti-spoofing verifies that packets are coming fiom, and going to, the correct
interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from
the intemal network are actually coming fiom the intemal-network interface. It
also verifies that, once a packet is routed, it is going through the proper interface.
Configuring Anti-Spoofing
‘To properly configure anti-spoofing, networks that are reachable from an
interface need tobe defined appropriately, For anti-spoofing to be most effective,
itshould be configured on all gateway interfaces. If antispoofing is implemented
na specific interface, spoof tracking fr that interface should also be defined.
This wil help with both intrusion detection and troubleshooting
‘To activate anti-spoofing, configure the firewalled-interface properties. The
‘Topology tab of the Interface Properties window allows you to configure anti-
spoofing properties of a gateway.
‘Student Marwal B
eee
Introduction to the Security Pol
Rule Base Management
[Asa network infiastructure grows, so will the Rule Base created to manage the
network's traffic, Ifnot managed propetly, Rule Base order can affect Secutity
Gateway performance and negatively impact traffic on the protected networks.
Here are some gencral guidelines to help you manage your Rule Base effectively,
Before creating a Rule Base for your system, answer the following questions:
4. Which objects are in the network? Examples include gateways, hosts, net-
‘works, routers, and domains,
2, Which user permissions and authentication schemes are needed?
3, Which services, including customized services and sessions, are allowed
‘across the network?
‘As you formulate the Rule Base for your Policy, these tips are useful to consider:
‘The Policy is enforced from top to bottom.
© Place the most restrictive rules at the top of the Policy, then proceed with the
generalized rules further down the Rule Base. If more permissive rules are
located at the top, the restrictive rule may not be used properly. This allows
misuse or unintended use of access, or an intrusion, due to improper rule
configuration.
© Keep it simple. Grouping objects or combining rules makes for visual clarity
and simplifies debugging. If more than 50 rules are used, the Security Policy
becomes hard to manage. Security Administrators may have difficulty
determining how rules interact.
+ Adda Stealth Rule and Cleanup Rule first to each new Policy Package. A
Stealth Rule blocks access to the Gateway. Using an Explicit Drop Rule is
recommended for logging purposes.
‘Limit the use of the Reject action in rules. If rule is configured to reject, a
‘message is returned to the source address, informing that the connection is not
permitted.
‘© Use section titles to group similar rules according to their function, For
example, rules controlling access to a DMZ should be placed together. Rules
allowing an internal network access to the Intemet should be placed together,
‘and so on. This allows easier modification of the Rule Base, as itis easier to
locate the appropriate rules,
a
‘Check Point Security Administration
+ Comment each rule! Documentation eases troubleshooting, and explains why
rules exist. This assists when reviewing the Security Policy for errors and
‘modifications. This is particularly important when the Policy is managed by
‘multiple Administrators. In addition, this Comment option is available when
saving database versions. See the Database Revision Control section in this
chapter
* For efficiency, the most frequently used rules are placed above less-frequently
used rules. This must be done carefully, to ensure a general-accept rule is not
placed before a specific-drop rule,
Understanding Rule Base Order
Before you can define Security Policy properties, you must consider Rule Base
order, The Security Gateway inspects packets by comparing them to the Security
Policy, one rule at atime. For this reason, itis important to define each rule in the
Security Policy in the appropriate order. Firewall implied rules are placed first,
last, or before last in the Rule Base and can be logged. Rules are processed in the
following order:
IP spoofing/IP options:
4. First: This rule cannot be modified or overwritten in the Rule Base because
the fist rule that matches is always applied to the packet and no rules ean be
placed before it. Implied rules are processed before administrator explictly-
defined rules.
2. Explicit: These are the administrator-defined rules, which may be located
between the first and the before-last rules.
3. Before Last: These are more specific implicd rules that are enforced before
the last rule is applied.
4. Last: A rule that is enforced after the last rule in the Rule Base, which nor-
mally rejects all packets, usually referred to as the Cleanup Rule.
5, Implicit Drop Rule: No logging occurs.
‘Student Manual
5
‘traduction tothe Security Policy
Completing the Rule Base
When you have defined the desired rules, you must install the Security Policy.
‘The installation process specifies the network object on which the Security
Policy is installed. Only managed objects are available for Policy installation. In
‘contrast, the Install On element in the Rule Base specifies the network object that
is to enforce a specific rule.
‘There are times when verifying a Security Policy is useful to System
Administrators, By verifying a Security Policy, you check that rules are
consistent, and that there are no redundant rules before Secutity Policy
instalation.
76 (Check Point Security Administration
Policy Management and Revision Control
Policy Management and Revision Control
Policies are created by the system administrator and managed via the Security
Management server. Different versions of these policies can be seved. Each
version includes backups of the various databases (objects, users, Certificate
Authority data, ete.) This information is zipped and saved.
‘The existing versions are recorded in a “Version table". This table can be viewed
and the versions which are displayed can be modified. Itis possible to:
© Create a Version
© Export and Import a Version
+ View a Version
© Revert to a Previous Version
© Delete a Version
Versions can be created manually by the system administrator, or the system can
be set o automaticaly create a new version everytime Security Policy
installation takes place. It is recommended to create a version before upgrading
the system. This enables the administrator to back out toa functioning,
environment in case of problems during the upgrade operation,
Important - The Revision Control feature is not supported when the Security
Management database contains VSX objects. You must not select the Create
database version option in SmartDashboard when you install a policy..
Policy Package Management
Student Manual
Some circumstances require multiple versions of a Security Policy, but the abject,
database needs to stay the same. Often this will be when adding or consolidating
rules in an existing Rule Base, or creating a new set of rules on a Gateway. In
these circumstances, using Policy Package management is better than creating
‘multiple versions of the system database
‘These two points are worth consideration when saving your Policies:
+ Thenew Policy Package includes Firewall, Address Translation, Application
& URL Filtering, Anti-Bot & Anti-Virus, QoS and Desktop Security policies.
© It isan ideal management utility for a distributed installation with multiple
Security Gateways; specific Policies are created for specific Security
Gateways.
Ti
Introduction tothe Securlly Polley a
‘The Security Management Server provides a wide range of tools that address
various Policy management tasks, both atthe definition stage and at the
‘maintenance stage:
+ Policy Packages — Allow you to easily group different types of Policies, to
be installed together on the same installation target(s)
+ Predefined Installation Targets — Allow you to associate each Policy
Package with the appropriate set of Gateways; this feature frees you of the
need to repeat the Gateway selection process every time you install (or install)
the Package, with the option to easily modify the list at any given time. In
addition, it minimizes the risk of installing Policies on inappropriate targets
+ Section Titles — Allow you to visually break your Rule Base into subjects,
thereby instantly improving your orientation and ability to locate rules and
objects of interest
© Queries — Provide versatile search capabilites for both objects end the rules
in which they are used,
* Sorting — Using the Objects tree and Objects list pane is a simple and quick
‘way to locate objects; this feature is greatly facilitated by consistent use of
‘naming and coloring conventions.
Database Revision Controt
Database Revision Control gives the Administrator freedom to create fallback
configurations when implementing new objects and rules, or adjusting rules and
objects as networks change. This can help the Administrator test new Rule Base
and object configurations, or can be used to revert to an earlier configuration for
‘troubleshooting,
Consider these points when saving your Policies:
© The database version consists of all Policies on a single Gateway, and objects
and users configured, including setings in SmartDefense and Global
Properties
‘+ Itis an ideal management utility fora stand-alone or distributed deployment
with a single Gateway.
* Itis configurable to automatically create new database versions on Policy
installation,
B (Check Point Security Administration
Policy Management and Revision Contral
‘This table compares the advantages of using Database Revision Contral and
Policy Package Management:
Database Revision Control | + Database version consists of all Policies,
‘objects and users configured, including
settings in SmartDefense and Global
Properties
+ Ideal management utility for a stand-alone
deployment, or distributed with a single
Gateway deployment
* Configurable to automatically create new
database versions on Policy installation
Policy Package Management | Policy Package including only Security and
NAT, QoS, and Desktop Security settings.
+ Ideal management utility for a distributed
installation with multiple Security
Gateways; specific Policies created for
specific Security Gateways,
Shudent Manual 9
Tntveduction to the Sec
iy Policy
Multicasting
Multicasting transmits a single message to a select group of recipients. Atypical
use of multicasting is to distribute real-time audio and video to a set of hosts that
have joined a distributed conference. IP multicasting applications send one copy
of each IP packet, and address it a group of computers that want to receive it.
This technique addresses datagrams toa group of receivers ata multicast address,
rather than toa single receiver ata unicast address. Network routers forward the
datagrams to only those routers and hosts that need to receive them.
Figure 34 — Multicast Address Range Properties
‘The Multicast Restrictions tab in the Interface Properties window drops multicast
packets according to configured conditions. Security Administrators can
configure alist of address ranges to drop or accept.
grease
ce
Figure 35 — Interface Properties
30 Check Point Security Administration
Policy Management and Revision Contra
To configure multicast access control:
4, Inthe Topology window of the Gateway’s General Properties, edit the appro-
priate interface.
2. In the Interface Properties window's Multicast Restrictions tab, select Drop
Multicast packets by the following conditions.
3, After selecting your drop option and clicking Add, you are prompted to select
‘2 Multicast Address Range in the Add Object window. Click Add, and in the
Multicast Address Range Properties window, define either an IP address
range or a single IP address that is in the range 224.0.0,0-239.255.255.255,
4. Inthe Rule Base, add a rule to allow the required multicast groups. In the des-
tination of the rule, specify the multicast groups defined in step 1
5. Save and install the Policy,
Student Manual a1
Introduction to the Security Policy
Practice and Review
Practice Labs
Lab 4: Building a Security Policy
Lab 5: Configuring the DMZ
Review
4. Objects are created by the Security Administrator to represent actual hosts
and devices, as well as services and resources, to use when developing the
‘Security Policy. What should the Administrator consider before creating
objects?
2, What are some important considerations when formulating or updating a Rule
Base?
2 Cheek Point Security Administration
GHAPTER 4 Monitoring Traffic and
Connections
Check Point Security Administration 83
Wonitoring Traffic and Connections
Monitoring Traffic and Connections
Learning Objectives
‘To manage your network effectively and to make informed decisions, you need to
gather information on the network’s traffic patterns,
Use Queries in SmartView Tracker to monitor IPS and common tetwork
traffic and troubleshoot events using packet data.
© Using packet data on a given corporate network, generate reports,
troubleshoot system and security issues, and ensure network functionality.
‘Using Smart View Monitor, configure alerts and traffic counters, view a
Gateway’s status, monitor suspicious activity rules, analyze tunnel activity
‘and monitor remote user access based on corporate requirements.
@
Check Point Security Administration
Fees
‘Sinariviow wacker
SmartView Tracker
Log Types
Siudent Manuat
Check Point's SmartView Tracker provides visual tracking, monitoring, and
accounting information for all connections logged by Check Point components,
Online viewing features enable real-time monitoring of network activity
‘SmartView Tracker provides control over every event, including those causing
alerts, a well as certain important system events, such as Security Policy
installation or uninstallation.
‘To log in to SmartView Tracker, select SmartConsole > SmartView Tracker
from the SmartDashboard main menu, or click Start > Programs > Check Point
‘SmartConsole R77 > SmartView Tracker
Figure 36 — SmartViow Tracker
‘The format of log entries requested by a rule is determined by the log type
specified in the rule, You can select the log entries and data fields to display.
‘SmartView Tracker also allows you to navigate the log file. You can display one
of several log types from the Network & Endpoint Queries tree, as shown.
‘Log types are defined as either predefined or custom. The predefined types
include log details specific to that type. For instance, UA WebAccess displays
UserAuthority Web access log data for SecureClient entries, and the Account
type displays changes made to fields over time.
8S
Monitoring Waffic and Connections
Figure 37 — Log Types
‘SmartView Tracker toolbar buttons also enable Administrators to define custom
log queries that can be saved for recurring use. The custom query allows the
column widths to be modified, and also allows selection of various log
information to display.
6 ‘Check Point Security Administration
‘SmartView Tracker Tabs
Student Manwat
SmartView Tracker has three predefined, optional views. These views can be
‘modified and saved. Select views with tabs located above the main log-viewing
area, as shown in below:
Network & Endpoint tab— Displays the default view for SmartView
‘Tracker, and shows all security-related events,
Active tab — Shows currently open, active connections in SmartView
‘Tracker. The Active Connections screen displays as shown in Figure 5- 3, and
also includes the Elapsed or duration of the connection, the Bytes or amount
of data passed on the connection, and any additional information about the
connection,
Management tab — Displays only audit entries in SmartView Tracker; this
enables you to track changes made to objects in the Rule Base, and tracks
general SmartDashboard use.
= All Records (lyctecs. fws)
ES nemboiecaernnintoueres |. ee
BG panned ETE bat
at recoras yo erons e
511 Network Security 61 2 ANov2008 15:00:41. a
1B Frew lage 3 ovzo0e 150693 TH cal
te ) Ps iade 4 ANow2008 15:41:29 Gai
8D dbos poteaor 5 inovaees 164313 EG cat
$8 [JJ Appliation and URL ite) 5 pee eat
BD Threat Prevention: a ANov2008 18:35:14 Sa
Ah amesinpecton fy ttmaatetasmar HES ale
Figure 38 — Smartvew Tracker Tabs
7
Monitoring Traffic and Connections
Action Icons
Each tab displays log fields regarding both the product that generated the log, and
the type of operation performed. Action icons provide a visual representation of
the log's operation. The following table gives a description of some of the
different types of actions recorded by Smart View Tracker:
Reject — The connection was blocked.
‘Drop — The connection was dropped without noti-
© fying the source.
: ~~ | Bnerypt — The connection was encrypted.
SS
BES
on
8
‘Check Point Security Administration
Working with Smariview Tracker
Working with Smartview Tracker
Log-File Management
Administrator Auditing
‘The SmartView Tracker toolbar allows you to perform the following tasks;
4, Open Log File — When you select Open, you can open other log files.
2. Save Log File As — When saving a log file, the current log entries will be
‘written to file. Only the records that match the selection criteria will be saved
to the file; both entries that are visible in the screen, and those that are not vis-
ible.
3. Switch Log File — In this window, you can select the default log file or spec-
ify a particular log file name. This operation actually performs a log file
switch,
4. Remote Files Management — In this window, you can transfer log files
from a remote machine to the machine to which the SmartView Tracker is
‘currently connected
5. Show or hide Fetch Progress — Afer clicking Get File List from the
Remote Files Management window, you can click Fetch Files and toggle the
display of the Files Fetch Progress window. The file transfer operation will
continue even if the Files Fetch Progress window is closed. It is interrupted
only if you click the Abort button,
6. Query Options — These buttons allow you to toggle the display of the query
tree pane, open an existing query, save a custom query, or save a custom
query under a new name,
SmartView Tracker logs Security Administrator activities, including:
© Administrator login and logout.
© Object creation, deletion, and editing,
* Rule Base changes.
‘Administrator auditing simplifies the process of tracking and troubleshooting.
Security Policy changes, especially in environments with more than one
Administrator. Via the Management tab, itis possible to see the changes made by
‘particular Administrator, or see who modified an object and what changes were
made.
Student Manual
ES)
ing Traffic and Connections
He Remon
Figure 39 — Auditing
Logging provides « historical record of logged connections. Logs are essential for
security management, so properly configuring Security Gateway to log
‘connections of interest is important,
‘The Global Properties - Log and Alert window, accessed by clicking Policy >
Global Properties > Log and Alert, allows you to define global log-and-alert
parameters.
VPN successful key exchange — Specifies the action to be taken then VPN keys,
are successfully exchanged.
VEN packet handling errors — Specifies the action to be taken when
encryption or decryption errors occur
VEN configuration and key exchange errors — Specifies the action to be taken
‘when logging configuration or key-exchange errors occu for example, when
90 ‘Check Point Security Administration
Time Settings
Working with Smariview Tracker
‘attempting to establish encrypted communication with a network object inside
the same VPN Domain,
IP Options drop — Specifies the action to take when a packet with IP options is
‘encountered; the Security Gateway always drops these packets, but you can log,
them or issue an alert
ications — Specifies the action to be taken when an
administrative event occurs, for example, when a Certificate is about to expire.
SLA violation — Specifies the action to be taken when an SLA violation occurs,
a defined in the Virtual Links window.
Connection matched by SAM — Specifies the action to be taken when a
connection is blocked by Suspicious Activities Monitoring (SAM); for
information about SAM, see htp:/Awww.opsec.com.
Dynamic object resolution failure — Specifies the action to be taken when a
dynamic object cannot be resolved.
Log every authenticated HTTP connection — Specifies that a log entry should
bbe generated for every authenticated HTTP connection.
Log VoIP connection — Generates additional log entries for every VoIP
connection; additional log entries for SIP contain information about the user (SIP
URL, for example, fred@bloggs.com). Additional log entries for H.323 contain
information about phone numbers.
‘The Time Settings window allows you to configure time settings associated with
system-wide logging-and-alert parameters.
Excessive log grace period — Specifies the minimum amount of time
between consecutive logs of similar packets; two packets are considered simi-
lar, if they have the same source address, source port, destination address and
destination port, and the same protocol was used. After the first packet, simi-
lar packets encountered within the grace period will be acted upon according
to the Security Policy, but only the first packet generates a log entry or an
alert
SmartView Tracker resolving — After a specified amount of time, displays
a log page, without resolving names and showing only IP addresses,
Suudent Manual
oI
‘onitoring Watfle and Ganneclions
Blocking Connections
Virtual Link statistics logging interval — Specifies the frequency with
which Virtual Link statisties will be logged this parameter is relevant only for
Virtual Links defined with Log SLA values enabled in the SLA Parameters
tab of the Virtual Link window. Virtual Links are defined by clicking Manage
> SmartView Monitor > Virtual Links from the main menu.
‘Status fetching interval — Specifies the frequency at which the Security
Management Server queries the Security Gateway, Check Point QoS, and
other software it manages for status information; any value from 30 to 900
seconds can be entered in this field.
‘You can terminate an active connection and block further connections from and
to specific IP addresses, using the SmartView Tracker Block Intruder function.
‘To block an active connection with Block Intruder, select the connection you
‘want to block, then select Tools > Block Intruder from the menu.
Figure 40 — lock intruder
‘The Block Intruder window displays. In the Blocking Scope fields, select one of
the options:
Block all connections with the same source, destination and service —
Block the connection or any other connection with the same service, source oF
destination,
2
‘Check Potnt Security Administration
—+{
ee
‘Working with Smarviow Tracker
Block access from this source — The connection is terminated, and all fur-
ther attempts to establish connections from this source IP address will be
denied
Block access to this destination — The connection is terminated, and all fur-
ther attempts to establish connections to this destination IP address will be
denied,
In the Blocking Timeout field, select one of the options: Indefinite — Block
all further access. For... minutes — Block all further access attempis for the
specified number of minutes.
In the Force this blocking field, select one of the options:
‘Only on... — Block access attempts through the indicated Security Gateway.
‘On any Security Gateway — Block access attempts through Security Gate-
ways defined as gateways or hosts on the log server, The connection will
remain blocked, until you choose Tools > Clear Blocking fiom the main
menu
Student Manual
w
Wonitoring Traffic and Gannat
SmartView Monitor
‘SmaitView Monitor isa high-performance network- and security analysis system
that helps you easily administer your network, by establishing work habits based
con leamed system-resource patterns. Smart View Monitor provides a single,
central interface for monitoring netwotk activity and performance of Check Point
applications. SmartView Monitor allows Administrators to easily configure and
‘monitor different aspects of network activities. Graphical views can easily be
viewed from an integrated, intuitive GUI
Figure 41 — SmartView Monitor
Predefined views include the most frequently used traffic, counter, tunnel,
‘gateway, and remote-user information. For example, Check Point system
‘counters collect information on the status and activities of Check Point Blades
(for example, Firewall). Using custom or predefined views, Administrators can
drill down on the status ofa specific gateway and/or segment of traffic to identify
top bandwidth hosts that may be affecting network performance. If suspicious
activity is detected, Administrators can immediately apply a security rule to the
‘appropriate Security Gateway to block that activity. These security rules can be
created dynamically via the graphical interface, and can be set to expire within a
certain time period,
Real-time and historical reports of monitored events can be generated to provide
a comprehensive view of gateways, tunnels, remote users, network, security, and
Security Gateway performance over time. To log in to SmartView Monitor, select,
Window > SmartView Monitor from the SmartDashboard main menu. Or, click
Start > Programs > Check Point SmartConsole R76 > SmartView Monitor.
4
Check Point Security Administration
Customized Views
Customized Views
Gateway Status View
Traffic View
Student Manual
‘SmartView Monitor enables graphical views depicting data for several types of
measurements, including bandwidth, round-trip time, packet rate, CPU use, te
‘The most efficient way to yield helpful information i to create a view based on
‘your specific needs. It is possible to create customized views for view types (for
example, status, taflc, system statistics, and tunnels). The customization
provides the ability to filter specific data and how the data is to be displayed
‘SmartView Monitor enables information about the status of all Gateways in a
network, The data in the results pane (upper right) provides information about all
Gateways in the organization, as well as pertinent information about the Gateway
(ouch as its IP addresses, the last time it was updated, and its status). This,
information is directly linked to the view selected inthe tree pane (lef). Each 1ow
in the table represents a Gateway.
SmartView Monitor makes Administrators aware of traffic associated with
specific network activities, servers, clients, etc, as well as activities, hardware,
and sofware use of different Check Point products in realtime. Among other
things this knowledge enables Administrators to:
* Block specific traffic when a threat is imposed.
‘+ Assume instant contro! of traffic low on a Gateway.
+ Leam about how many tunnels are curently open, or about the rate of new
connections passing through the Security Gateway.
‘You can generate fully detailed or summarized graphs and charts forall
connections and for numerous rates and figures when calculating network use.
‘System Counters provides in-depth details on Gateway use and activity. As a
Security Administrator, you can generate system stats information about
* Resource use forthe variety of components associated with the Security
Gateway.
+ Gateway performance statistics for a variety of firewalled components.
* Detect and monitor suspicious activity.
95
Tnitoring Traffic and Connections
Tunnels View
Remote Users View
VPN nunnels are secure links between Security Gateways, and ensure secure
connections between an organization's gateways and its remoteaccess clients.
Once tunnels are created and put fo use, Administrators can keep track of their
normal functions, so possible malfunctions and connectivity problems can be
accessed and solved as soon as possible.
Figure 42 — Tunnels
“To ensure this security level, SmartView Monitor can recognize malfunctions and
connectivity problems, by constantly monitoring and analyzing the status of an
organizations’ tunnels. With the use of tunnel queries, Administrators can
generate fully detailed reports that include information about all tunnels that
{fulfil specific tunnel-query conditions. With this information, itis possible to
‘monitor tunnel status the VPN Community with which a tunnel is associated, the
Gateways to which a tunnel is connected, et.
‘The Remote Users view allows you to keep track of VPN remote users currently
logged in (i-e., SecuRemote, SecureClient and SSL Network Extender, and in
general any IPSec client connecting to the Security Gateway). It provides you
‘with filtering capabilities, making it easier to navigate through the entries.
96
‘Check Point Security Administration
—_—_
Customized Views
Figure 43 — Remote Users
‘The Remote Users view provides detailed real-time information about remote
users" connectivity, using data collected from sources such as current open
sessions, overlapping sessions, route traffic, and connection time,
Student Mamuat 7
Monitoring Traffic and Connections
Cooperative Enforcement
we
Cooperative Enforcement is a feature that works in conjunction with the
Endpoint Server. The Cooperative Enforcement view utilizes the Endpoint Server
compliance capability to verify connections artiving from vatious hosts across
the internal network. Easily deployed and managed, the Endpoint Server
mitigates the risk of hackers, worms, spyware, and other security threats.
Figure 44 — Cooperative Enforcement
Using Cooperative Enforcement, any host initiating a connection through a
Gateway is tested for compliance. (The Gateway generates logs for unauthorized
hosts. The logs generated for both authorized and unauthorized hosts can be
viewed in SmartView Monitor. This increases the integrity ofthe network,
because it prevents hosts with malicious software components from accessing the
network,
‘This feature acts as a middleman between hosts managed by an Endpoint Server
and the Endpoint Server itself. It relies on the Endpoint Server compliance
feature, which defines whether a hast is secure and can block connections that do
not meet the defined prerequisites of software components.
8 Check Point Security Administration
Monitoring Suspicious Activity Rules
Monitoring Suspicious Activity Rules
‘The fast-changing network environment demands the ability to immediately react
to a security problem, without having to change the entire network's Rule Base
(for example, to instantly block a specific user). All inbound and outbound
network activity should be inspected and identified as suspicious when necessary
(for instance, when network or system activity indicates that someone is
attempting to break in),
«<] Non-Compliant Hosts By Gateway - Ret
et een 4. es
;
ie
ii iar S56 fee
pasa ETD Se
“Ri
2
& Sn el
Figure 45 — External Suspicious Activity Rules
‘SmartView Monitor enables the integration of a suspicious-activity monitoring
‘program that is used to modify access privileges, upon detection of any
suspicious network activity. This detection is based on the creation of Suspicious
Activity rules. Suspicious Activity rules are security rules that enable the
Administrator to instantly block suspicious connections that are not restricted by
the currently enforced Security Policy. These rules can be applied immediately,
‘without the need to install a Policy.
Student Marsial
99
Wonitorng
Monitoring Alerts
fic and Connections
‘Alerts provide real-time information about vulnerabilities to computing systems
and how they can be eliminated,
Check Point alerts users to potential threats to the security of their systems, and
provides information about how to avoid, minimize, or recover from the damage,
‘Alerts are sent by the Security Gateways to the Security Management Server. The
Security Management Server then forwards these alerts to the SmartView
‘Monitor SmartConsole, which is actively connected to the Security Management
Server. Alerts are sent to draw the Administrator's attention to problematic
Gateways, and are displayed in SmartView Monitor. These alerts are sent:
© Ifcertain rules or attributes, which are set to be tracked as alerts, are matched
by a passing connection.
© Ifsystem events, also called System Alerts, are configured to trigger an alert
when various thresholds are surpassed.
‘The Administrator can define alerts to be sent for different Gateways. These
alerts are sent under certain conditions, such is if they have been defined for
certain Policies, or if they have been set for different properties. By default, an
alert is sent as a message to the Administrator’s desktop when a new alert arrives
in SmartView Monitor. Alerts can also be sent for certain system events. If
certain conditions are set, you can receive System Alerts for critical situation
updates; for example, if free disk space is less than 10 percent, or if a Security
Policy has been changed. System Alerts are characterized as follows:
* ‘They are defined per product. For instance, you may define certain System
Alerts for Check Point QoS that would not apply to Connectra
+ ‘They may be global or per Gateway. You can set global alert parameters for
all Gateways in the system, or you can specify a particular alert for a
particular Gateway.
© They are displayed and viewed via the same user-friendly window. The
information SmantView Monitor gathers also includes status information
about OPSEC gateways and network objects
‘After reviewing the status of certain clients in SmartView Monitor, you may
decide to take decisive action for a particular client or cluster member, for
instance:
* Disconnect client — If you have the correct permissions, you can choose to
disconnect one or more of the connected SmartConsole clients, Click the
Disconnect Client button on the Results pane toolbar.
© Start/Stop Cluster Member — All cluster members of a given gateway
cluster can be viewed via SmartView Monitor. You can start or stop a selected
100
Check Point Security Administration
{
L
Monitoring Suspicious Activity Rules
cluster member. To do this, right-click the cluster member, From the pull~
down menu, select Start Member or Stop Member
‘To configure an alert in Smart View Monitor from SmartDashboard, select Poliey
> Global Properties > Log and Alert > Alerts. To view the active alerts from
‘Smart View Monitor, select the Alerts icon from the toolbar,
Student Manual TOI
Monitoring Traffic and Connections
Gateway Status
Check Point enables information about the status of all gateways in the system to
be collected by the Security Management server and viewed in Smart View
Monitor. The information gathered includes status information about:
+ Check Point gateways
* OPSEC gateways
Check Point Software Blades
‘A Gateways Status view displays a snapshot of all Check Point Software Blades,
such as VPN and ClusterXL, as well as third party products (for example,
OPSEC-partner gateways), Gateways Status is very similar in operation to the
‘SNMP daemon that also provides a mechanism to ascertain information about
gateways in the system,
Figure 46 — Gateway Status Example
102
Check Point Security Administration
em Gateway States
‘The Security Management server acts as an AMON (Application Monitoring)
client. It collects information about specific Check Point Software Blades
installed, using the AMON protocol. Each Check Point gateway, or any other
OPSEC gateway which runs an AMON server, acts as the AMON server itself.
Each gateway makes a status update request, via APIs, from various other
components such as.
© The “kernel”
© Security Servers
Analtemate source for status collection may be any AMON client, such as an
OPSEC partner, which uses the AMON protocol.
‘The information is fetched at a subscribed interval which is defined by the system
administrator. The AMON protocol is SIC- based so information can be retrieved
‘once SIC has been initialized
Note: There are general statuses which occur for both the gateway or
‘machine on which the Check Point Software Blade is
installed, and the Software Blade which represents the
‘components installed on the gateway.
Overall Status
‘An Overall status is the result of the blades’ statuses. The most serious Software
Blades status determines the Overall status. For example, if all the Software
Blades statuses are OK except for the SmartReporter blade, which has a Problem
status, then the Overall status will be Problem.
+ OK — indicates that the gateway is working properly
© Attention — at least one of the Software Blades indicates that there is 2
‘minor problem but it can still continue to work. Attention can also indicate
that, although a Software Blade isnot installed, itis selected in the General
Properties > Check Point Products associated with a specific gateway.
‘+ Problem — indicates that one of the Software Blades reported a specific
‘malfunction, To see details of this malfunction open the gateways status
‘window by double-clicking it in the Gateways view. Problem can also
indicate a situation in which the Firewall, VPN and ClusterXL Software
Blades are selected in the General Properties > Software Blades but are not
installed,
© Waiting — from the time thatthe view starts to run until the time that the first
status message is received, This takes no more than thirty seconds.
+ Disconnected — the Security Gateway cannot be reached.
Sudent Manual 103
Monitoring Traffic and Connections
© Untrusted — Secure Internal Communication failed. The gateway is
‘connected, but the Security Management server is not the master of the
gateway,
Software Blade Status
Software Blades include components such as VPN, SmartReporter, Endpoint
Security, and Qos.
© OK — indicates that the blade (for example, SmartReporter, VPN, Firewall,
ete.) is working properly.
* Attention — the blade indicates that there is a minor problem but it can still
continue to work,
‘+ Problem — indicates that the blade reported a specific malfunction, To see
details of this malfimetion open the gateways status window associated with
the blade by double-clicking it in the Gateways Status view
© Waiting — displayed from the time that the view starts to run until the time
thatthe first status message is received. This takes no more than thitty
seconds
isconnected — the gateway cannot be reached.
© Untrusted — Secure Internal Communication failed. ‘The gateway is
connected, but the Security Management server is not the master of the |
gateway,
Displaying Gateway Information
Gateways Status, information is displayed per Check Point or OPSEC gateway.
To display information about the gateway, click the specific gateway in the
Gateway Results view. Details about the gateway will be displayed in the
Gateway Details pane.
‘This information includes general information such asthe name, IP Adress,
version, operating system, and the status of the specified gateway, as well as a
yrid of gateway specific information,
104 Check Point Security Administration
Cee
‘SmariView Tracker vs, SmariView Monitor
SmartView Tracker vs. SmartView Monitor
Here are some key points when considering which product addresses your needs
better:
‘SmartView Tracker Benefits — Administrators can use SmattView Tracker to:
Ensure network components are operating properly.
* Troubleshoot system and security issues
‘+ Gather information for legal or audit purposes.
* Generate reports to analyze network-taffic patterns.
* Temporarily or permanently terminate connections from specific IP
addresses, in case of an attack or other suspicious network activity.
‘SmartView Monitor Benefits — Administrators can use SmartView Monitor to:
© Centrally monitor Check Point and OPSEC devices.
* Present a complete picture of changes to Gateways, tunnels, remote users, and
security activities. Immediately identify changes in network-traffic flow
pattems thet may signify malicious activity.
© Maintain high network availability
* Improve efficiency of bandwidth use
© Track SLA compliance.
Student Manual 105
Tonitoring Tralfle and Connections
Practice and Review
Practice Lab
Lab 6: Monitoring with SmartView Tracker
Review
4. Discuss the benefits of using SmartView Monitor instead of SmartView
‘Tracker in monitoring network activity.
2, Why is there a warning message when switching to Active mode in Smart-
View Tracker?
106 Check Point Security Administration
ciapters Network Address
Translation
Check Point Security Administration
107
‘Network Address Translation
Network Address Translation
Learning Objectives:
In computer networking, network address translation (NAT) is the process of
‘modifying IP address information in IP packet headers while in transit across @
‘uaffic outing device |
* Configure NAT rules on Web and Gateway servers,
108
Introduction to NAT
Introduction to NAT
Student Marat
Network Address Translation (NAT) allows Security Administrators to overeome
IP addressing limitations, allowing private IP-address allocation and unregistered.
internal-addressing schemes.
Enterprises employ NAT for a variety of reasons, including
* Private IP addresses used in intemal networks.
* Limiting external network access,
+ Ease and flexibility of network administration.
Network Address Translation (NAT) can be used to translate either IP address in
‘connection. When translating the IP of the machine initiating the connection
(typically the “client” of the connection) this is referred to as Source NAT. When.
‘translating the IP address of the machine receiving the connection this is referred
10 as Destination NAT,
The Security Gateway supports two types of NAT where the source and/or the
destination are translated
Hide NAT - Hide NAT is @ many-to-one relationship, where multiple
‘computers on the internal network are represented by a single unique address,
This enhances security because connections can only be initiated from the
protected side of the Security Gateway. This type of NAT is also referred to as
Dynamic NAT.
* Static NAT - Static NAT is a one-to-one relationship, where each host is
translated to a unique address. This allows connections to be initiated
internally and externally. An example would be a Web server or a mail server
that needs (0 allow connections initiated externally.
NAT can be configured on Check Point hosts, nodes, networks, address ranges
‘and dynamic objects. NAT can be configured automatically or by creating
‘manual NAT rules. Manual NAT rules offer flexibility because it can allow the
‘translation of both the source and destination of the packet and allow the
translation of services,
109
Notwork Address Translation
IP Addressing
Hide NAT
Inan IP network, each computer is assigned a unique IP address. Because public
IP addresses are scarce and expensive, many enterprises choose to use private
addresses for their intemal networks. The following blocks of IP addresses were
set aside for internal-network use in RFC 1918, “Address Allocation for Private
Networks”:
© Class A network numbers: 10.0.0.0-10.255.255.255
‘© Class B network numbers: 172.16.0.0-172,31.255.255
© Class C network numbers: 192.168.0,0-192.168,.255.255
Best practices recommend using only these address ranges for intranets. RFC.
1918 addresses cannot traverse public networks.
In Hide NAT, the source is translated, the sourve port is modified and translation
‘occurs on the server side. As shown in the illustration below, notice the source
packet with address 10.1.1.101 going to destination x.x.x.x. As the packet hits the
interface on pre-in, ‘itis processed by the firewall kernel and forwarded to
post-in, I” where itis then routed to the extemal interface. It arrives, pre-out, ‘o',
and is then processed by the NAT rule base. The firewall modifies the source port
and adds the port information to a state table. The packet translates on post-out,
‘0’ as it leaves the Gateway. For protocols where the port number cannot be
changed, Hide NAT cannot be used.
6-2-2
ply Packet (Translated)
naan
Figure 47 — Hide NAT
110
‘Check Point Security Administration
ees
introduction to NAT
Choosing the Hide Address in Hide NAT
Static NAT
Siudent Maral
‘The Hide Address is the address behind which the network, address range, or
node is hidden. Itis possible to hide behind either the interface of the Gateway or
a specified IP address.
Choosing a fixed public IP address is a good option if you want to hide the
address of the Security Gateway. However, it means you have to use an extra
publicly outabte IP address. Choosing to hide behind the address of the Gateway
§ 2 good option for administrative purposes. For example, ifthe external IP
address ofthe Gateway changes, there is no need to change the NATT settings,
A static translation is assigned to a server that needs to be accessed directly from
outside the Security Gateway, So, the packet is typically initiated from a host
outside the firewall. When the client initiates traffic to the static NAT address, the
destination of the packet is translated.
Criginal Packet
Original Packet Translated)
ep Packet
Figure 48 — Stavle NAT
Ti
Network Address Translation
Original Packet
Reply Packet
In the past, all destination NAT occurred at the “server side” of the kemel, ie., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, a host route is required on the Security Gateway to route to the
destination server, As of VPN-1 NGX, the default method for Destination NAT is
“client side”, where NAT occurs on the inbound interface closest to the client
Assume the client is outside the Gateway, and the server is inside the Gateway
with automatic Static NAT configured. When the client starts a connection fo
access the server's NAT IP address, the following happens to the original packet
in a client-side NAT:
1. The packet from outside the Gateway arrives atthe inbound interface, ‘i’, des-
tined for the Web server, and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the connections table and the
destination is translated on the post-in side of the interface, ‘T’ before it is
routed.
3. ‘The packet arrives at the TCPIIP stack of the Gateway, and is routed tothe
outbound interface, ‘o"
4. The packet is then forwarded through the kemel, “O° and routed to the Web
1. The Web server replies and hits the inbound interface, ‘i’, of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table
and arrives at the post-in side of the kernel, ‘I’.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
‘outbound interface, ‘0’.
4. ‘The packet goes through the outbound interface and is translated to the static
NAT IP address as it leaves the Security Gateway, ‘O”. The source port does
not change.
‘When the external server must distinguish between clients based on their IP
‘addresses, Hide NAT cannot be used, because all clients share the same IP
address under Hide NAT,
‘To allow connections from the extemal network to the intemal network, only
Static NAT can be used.
112
‘Check Point Security Administration
i
Se
Thiroduction to NAT
NAT - Global Properties
Several Global Properties influence how NAT is handled by a Secutity Gateway.
‘The figure shows the default Global Properties for NAT.
tx
Tins Shes rn
Ti ecabosy lie deren
Cree Adem i
Hix Tae tetmenain et
sihcditmis Pheist
Figure 49 ~ NAT Settings
In most cases, the Security Gateway automatically creates NAT rules, based on
information derived from object properties. The following three Global
Properties can be modified to adjust the behavior of Automatic NAT rules on a
¢lobal level:
+ Allow bi-directional NAT — If more than one Automatic NAT rule matches
connection, both rules are matched. If Allow bidirectional NAT is selected,
the Gateway will check all NAT rules to see if there is a source match in one
rule, and a destination match in another rule. The Gateway will use the first
matches found, and apply both rules concurrently.
+ Translate Destination on client side — For packets from an external host
that are to be translated according to Static NAT rules, select this option to
ttanslate destination IP addresses in the kernel nearest the client.
Student Manuat 113
Wotwork Address Translation
+ Automatic ARP configuration — Select this option to automatically update |
[ARP tables on Security Gateways. For NAT to function properly, a Gateway
must accept packets whose destination addresses differ from the addresses
configured on its interfaces. Automatic ARP configuration adds the ARP
entries needed to accomplish this tsk. This property applies to automatically
‘xeated NAT rules only.
‘+ Merge manual proxy ARP — Select this option to merge automatic and
‘manual ARP configurations. Manual proxy ARP configuration is required for
manual Static NAT rules. Ifa manual ARP configuration is defined in the
local.arp file and automatic ARP configuration is enabled, both definitions are
‘maintained. If there is a conflict between the definitions (the same NAT IP
address appears in both), the manual configuration is used. If this option is not
‘enabled and automatic ARP configuration is enabled, the Gateway ignores the
entries in the local. arp file.
Object Configuration - Hide NAT
Hide NAT can be configured to hide networks using a Security Gateway IP
address or another, externally accessible IP address. The figure illustrates how to
configure the NAT properties for a network using a Security Gateway’s IP
address when dynarmically translated. To configure Hide NAT with automatic
NAT rule creation, select the appropriate options and click OK, which
automatically creates the necessary NAT rules for the object.
Figure 50 — NAT Configured Object |
114
‘Check Point Security Administration
Tntroduction to NAT
Aaddress-translation rules are divided into two elements: Original Packet and
‘Translated Packet. The elements ofthe Original Pecket section inform a Security
Gateway which packets match the rule. The Translated Packet elements define
how the Security Gateway should modify the packet. Configuring the network
‘object as described above creates two rules in the Address Translation Policy.
The first ule prevents translation of packets traveling from the translated object
to itself. The second rule instructs the Security Gateway to translate packets
‘hose source IP address is part ofthe Corporate-finance-net's network. This rule
translates packets from private addresses fo the IP address ofthe exiting interface
of the Security Gateway.
ss
Figure 51 — NAT Rules
seeemia| tn | eine [eine |= a [Benen
a sir [Renee] Sa |
Because Hide NAT also modifies source ports, there is no need to add another
rule for reply packets, Information recorded in a Security Gateway’s state tables
will be used to modify the destination IP address and destination port of reply
packets
Student Manual
115
Nowork Address Translation
Hide NAT Using Another Interface IP Address
“Hiding internal addresses behind a Security Gateway's IP address is not the most
secure way to configure Hide NAT. Using another externally accessible IP
address for Hide NAT is considered best practice. The figure illustrates how to
‘configure the NAT properties for a network that will use another externally
accessible IP address when dynamically translated.
For Automatic NAT rule creation, the Security Gateway makes all necessary
route and ARP table entries on the Security Gateway. In the example above, the
Security Gateway will process packets destined for the HR_Server, even though
that IP address is not bound to its interface, For routing to work properly, the
address selected to hide internal networks should be on the same subnet as the IP
address of the interface where packets will arrive.
Like Hide NAT behind a Security Gateway's IP address, configuration for Hide
NAT using another externally accessible IP address also creates two rules. The
first rule instructs the Security Gateway not to translate traffic whose source and
destination is the object for which Hide NAT is configured, The second rule
‘anslates the source address of packets not destined for the object for which Hide
NAT is configured
116 Check Point Security Administration
Tniroduction to NAT
Static NAT
Configuring a Security Gateway to perform Static NAT for a host is similar to
configuring a Security Gateway to perform Hide NAT using another extemally
accessible IP address.
Figure 53 — Stale NAT Configured Object
‘The figure illustrates how to configure NAT properties, when Static NAT is used.
to translate a host’s IP address.
For routing to work properly, the Translate to IP Address must be on the same
subnet as the Security Gateway’s IP address. When Automatic NAT rule creation
is used, it makes the necessary adjustments to the ARP configuration,
Configuring an object for automati creation of Static NAT rules adds two rules
to the Address Translation Policy. For Static NAT, both rues are translating rules,
In the example above, the Security Gateway changes the source address from a
private address tothe public address (172.22.102.112).
Student Manual 7
TWotwork Address Translation
Manual NAT
‘The Security Gateway ellows Security Administrators to create Manual NAT
uration than automatic NAT rule
ezeation, but provides additional flexibility in Rule Base design.
Automatic NAT rule creation is appropriate for most installations. Properly
configured objects, well-planned networks, and Global Properties settings make
‘Manual NAT rule creation unnecessary for most enterprises. For Security
Administrators faced with legacy networks where design issues prevent the use
of automatic NAT rules, Manual NAT rules may provide solutions.
Some of the situations where Manual NAT rule creation may be warranted,
include:
‘Instances where remote networks only allow specific IP addresses.
‘© Situations where translation is desired for some services, and not for others.
Environments where more granular control of address translation in VPN
tunnels is needed,
‘© Enterprises where Address Translation Rule Base order must be manipulated.
‘© When port address translation is required (port forwarding).
© Environments where granular control of address translation between internal
networks is required.
‘® When a range of IP addresses, rather than a network, will be translated.
Configuring Manual NAT
118
Manual NAT requires configuration of objects and rules, The amount of
configuration varies between Hide NAT and Static NAT. Global Properties for
Manual NAT Rules On the NAT window of Global Properties, only one global
property can be set for manually created NAT rules. The Translate destination on
client side property performs the same function for Manual NAT rules as it does
for automatic NAT rules.
‘Translate destination on client side — For packets fom an extemal host
‘undergoing Static NAT, translate destination IP addresses in the kernel nearest the
client,
Enable IP Pool NAT — If IP pools are used on a Gateway, SecuRemote/
‘SecureClient connections are modified, so a target host sends reply packets to the
appropriate Gateway.
‘Check Point Security Administration
Serene
‘anual NAT
Special Considerations
ARP.
When Automatic NAT rule creation is used, it makes all necessary adjustments to
the Security Gateway’s ARP and routing tables. Using Automatic NAT rule
creation also eliminates potential anti-spoofing issues. If Manual NAT rule
creation is used, special consideration must be paid to ARP and routing-table
entries, and anti-spoofing issues.
‘When Automatic NAT rule creation is used, the Security Gateway makes all
necessary adjustments to the Security Gateway’s ARP table. If Manual NAT rule
creation is used, the Security Administrator must edit the Security Gateway's
ARP table (Local . arp), as follows:
+ Hide NAT, Security Gateway in Translated Packet, Source field —No
additional ARP table entries are required.
‘* Hide NAT, hiding behind an IP address not assigned to the Security
Gateway — Add an ARP table entry to the Security Gateway for the hiding
address,
© Static NAT — Add ARP table entries to the Security Gateway for all hiding
addresses.
For information creating persistent ARP table entries, consult your OS
documentation, and sk30197.
Student Manwal
119
Network Address Translation
Practice and Review
Practice Labs
Lab 7: Configuring NAT
Review
4. What are some reasons for employing NAT in a network when requiting pri-
vate IP addresses in internal networks, to limit external-network access, or to
cease network administration?
2. When would an Administrator favor using Manual NAT over automatic NAT?
120 Check Point Security Administration
carters Using SmartUpdate
Check Point Security Administration
121
Tsing SmartUpdate
Using SmartUpdate
‘SmartUpdate extends your organization's ability to provide centralized policy
management across enterprise-wide deployments. SmartUpdate can deliver
automated software and license updates to hundreds of distributed Security
Gateways from a single management console,
Learning Objectives:
‘© Monitor remote Gateways using SmartUpdate to evaluate the need for
upgrades, new installations, and license modifications.
‘© Use SmartUpdate to apply upgrade packages to single or multiple VPN-1
Gateways.
© Upgrade and attach product licenses using SmartUpdate.
122 Check Point Security Administration
i
‘SmartUpdate and Managing Licenses
SmartUpdate and Managing Licenses
‘SmartUpdate automatically distributes applications and updates for Check Point
and OPSEC Certified products, and manages product licenses
StuartUpdate extends your organization’s ability to provide centralized policy
management across enterprise-wide deployments. SmartUpdate can deliver
automated software and license updates to hundreds of distributed Security
Gateways fiom a single management console. SmartUpdate ensures security
deployments are always up-to-date by enforcing the most current security
software. This provides greater control and efficieney while dramatically
decreasing maintenance costs of managing global security installations
Figure 54 — Managing Licenses
SmartUpdate enables remote upgrade, instalation and license management to be
performed securely and easly. I is possible to remotely upgrade:
© Check Point Seourity Gateways.
© Hotfixes, Hotfix Accumulators (HFAs) and patches.
© Third-party OPSEC applications.
‘+ UTM-I Edge Gateways,
© Operating System
Student Manat 123
as
Tsing SmartUpdate
SmartUpdate Architecture
SSmartlpdate installs two repositories on the Security Management Server:
4. License & Contract Repository, which is stored on ll platforms inthe dines-
tory $EWDIR\conf\.
2. Package Repository, whic is stored on:
Windows machines in CASUroot.
UNIX machines in Man/suroot
wel
Beare
Figure 85 — SmartUpdate Architecture
Packages and licenses are loaded into these repositories from several sources:
+ Download Center Web site (packages)
+ Check Point DVD (packages)
+ User Center (licenses)
‘+ Running eplic from the command line
‘Of the many processes that run on Security Gateways distributed across the
corporate network, two in particular are used for SmartUpdate. Upgrade
operations require the eprid daemon, and license operations use the opd demon.
‘These processes listen and wait for the information to be summoned by the
Security Management Server.
Ta ‘Check Point Security Administration
ee
‘SimarUpdate Architecture
From a remote location, an Administrator logged into the Security Management
Server initiates operations using the SmartUpdate tool. The Security
‘Management Server makes contact with the Security Gateways via the processes
that are running on these components fo execute the operations initiated by the
System Administrator (eg. attacha license or upload an upgrade). Information is
taken from the repositories on the Security Management Server, For instance, ifa
new installation is being initiated, the information is retrieved from the Package
Repository; ifa new license is being attached toa remote Gateway, information is
retrieved from the License & Contract Repository.
This entire process is SIC based, and is completely secure.
Student Manual 125
ee
Tsing SmartUpdate
SmariUpdate Introduction
SmartUpdate has two tabs:
‘© The Packages tab — shows the packages and Operating Systems installed on
the Check Point Security Gateways managed by the Security Management
server, Operations that relate to packages can only be performed in the
Packages tab,
‘© The Licenses & Contracts tab — shows the licenses on the managed Check
Point Security Gateways, Operations that relate to licenses can only be
performed here.
‘These tabs are divided into a tree structure that displays the packages installed
and the licenses attached to each managed Security Gateway. The tree has three
levels:
‘© The root level shows the name of the Security Management server to which,
the GUI is connected.
‘+ The second level shows the names of the Check Point Security Gateways
configured in SmartDashboard.
The third level shows the Check Point packages or installed licenses on the
‘Check Point Security Gateway.
Figure 56 — SmartUpdate
126 Check Point Security Administration
‘SrmatUpaate
Additionally, the following panes can be displayed:
* The Package Repository shows all the packages available for installation. To
view this pane, select Packages > View Repository.
‘+ The License & Contract Repository shows all licenses (attached or
unattached), To view this pane, select Licenses & Contracts > View
Repository
* The Operation Status shows past and current SmartUpdate operations. To
‘view this pane, select Operations > View Status.
+ The Operations performed (i. Installing package on Gateway , or
‘Attaching license to Gateway ),
* The status ofthe operation being performed, throughout all the stages ofits
development (ie., operation started, oF a warning).
+ A progress indicator
¢ The time that the operation takes to complete
Student Mannal
127
——
Using SmartUpdate
Overview of Managi
ig Licenses
With SmartUpdate, you can manage all licenses for Check Point packages
throughout the organization from the Security Management Server. StnartUpdate
provides a global view of all available and installed licenses, allowing you to
perform such operations as adding new licenses, attaching licenses and upgrading
licenses to Check Point Security Gateways, and deleting expired licenses. Check
Point licenses come in two forms, Central and Local.
Figure 57 — SmartUpdate - Licenses
‘The Central license is the preferred method of licensing. A Central license ties
the package license to the IP address of the Security Management Server. That
‘means that there is one IP address forall licenses; thatthe license remains valid if
‘you change the IP address of the gateway; and that a license can be taken from
‘one Check Point Security Gateway and given to another with ease.
‘The Local license is an older method of licensing, however its still supported by
SmartUpdate. A Local license ties the package license to the IP address of the
specific Check Point Security Gateway, and cannot be transferred to a Gateway
with a different IP address.
128
‘Check Point Security Administration
— —————
‘Gverviow of Managing Li
When you add a license to the system using SmartUpdate, itis stored in the
Livense & Contract Repository. Once there, it must be installed to the Gateway
‘and registered with the Security Management Server. Installing and registering &
license is accomplished through an operation known as attaching a license.
Central licenses require an administrator to designate a Gateway for attachment,
while Local licenses are automatically attached to their respective Check Point
Security Gateways
Licensing Terminology
Common terms used with respect to licensing include the following:
# Add —Licenses received from the User Center should first be added to the
‘SmartUpdate License & Contract Repository. Adding a local license to the
License & Contract Repository also attaches it to the gateway.
© Attach — Licenses are attached to a Gateway via SmartUpdate. Attaching &
license to a Gateway involves installing the license on the remote Gateway,
and associating the license with the specific Gateway in the License &
Contract Repository.
© Central License — A Central License is a license attached to the Security
‘Management server IP address, rather than the gateway IP address. The
benefits of a Central License are:
© Only one IP address is needed for all licenses
+ A license can be taken from one gateway and given to another
+ ‘The new license remains valid when changing the gateway TP
address, There is no need to create and install a new license.
© Certificate Key — The Certificate Key is a string of 12 alphanumeric
characters. The number is unique to each package. For an evaluation license,
your Certificate Key can be found inside the mini pack. For a permanent
license, you should receive your Certificate Key fiom your reseller.
+ CPLIC—A command line for managing local licenses and local license
operations. For additional information, refer to the R76 Command Line
Interface Reference Guide.
® Detach — Detaching a license from a Gateway involves uninstalling the
license from the remote Gateway, and making the license in the License &
Contract Repository available to any Gateway.
+ State — Licenses can be in one of the following states: Requires Upgrade, No
License, Obsolete or Assigned. The license state depends on whether the
license is associated with the Gateway in the License & Contract Repository,
Student Manual 129
ee
Using SmantUpdate
and whether the license is installed on the remote Gateway. The license state
definitions are as follows:
+ Attached — indicates thatthe license is associated with the Gateway
in the License & Contract Repository, and is installed on the remote
Gateway.
+ Unattached — indicates that the license is not associated with the
Gateway in the License & Contract Repository, and is not installed on
any Gateway,
+ Assigned — is a license that is associated with the Gateway in the
License & Contract Repository, but bas not yet been installed om the
Gateway as a replacement for an existing NG license,
Upgrade Status — A field in the License & Contract Repository
that contains an error message from the User Center if the upgrade process
fails.
Get — Locally installed licenses can be placed in the License & Contract
Repository, to update the repository with all licenses across the installation.
‘The Get operation is a two-way process that places all locally installed
licenses in the License & Contract Repository and removes all locally deleted
licenses from the License & Contract Repository.
License Expiration — Licenses expire on a particular date, or never. After a
license has expired, the functionality of the Check Point package may be
impaired.
Local License — A Local License is tied to the IP address of the specific
‘gateway end can only be used with a gateway or a Security Management
server with the same address.
‘Multi-License File — Licenses can be conveniently added to a Gateway or
Security Management Server via a file rather than by typing long text strings.
‘Multi-license files contain more than one license, and can be downloaded
from the User Center. Multi-license files are supported by the eplic put, and
eplic add command-line commands.
Features — A character string that identifies the features of a package.
130
Check Point Security Administration
‘Overview of Managing Licenses
‘When a Central license is placed in the License & Contract Repository,
‘SmartUpdate allows you to attach it to Check Point packages. Ataching a license
installs it to the remote Gateway and registers it with the Security Management
Server.
New licenses need to be attached when:
An existing license expires.
© Anexisting license is upgraded to a newer license.
* A local license is replaced with a central license
* The IP address of the Security Management Server changes.
Attaching a license is a three-step process:
41. Get real-time license data from the remote Gateway.
2. Add the appropriate license to the License & Contract Repository.
3. Attach the license to the device.
Retrieving License Data from Security Gateways
‘To know exactly what type of license is on each remote Gateway, you can
telrieve that data direetly from the Gateway.
+ Torctrieve license data from a single remote Gateway, right-click the gateway
object in the License Management window, and select Get Licenses.
+ To retrieve license data from multiple Check Point Security Gateways, select
Get All Licenses from the Licenses menu,
Adding New Licenses to the License & Contract Repository
‘To installa license, you must first add it othe License & Contract Repository
You can add licenses to the License & Contract Repository in the following
ways:
Downloading from the User Center
Solect Network Objects Licenses & Contracts > Add License > From User
Center,
2. Bnter your credentials
Student Manwal 31
eee
Using SmartUpaate
Importing License Files
3. Perform one of the following:
+ Generate a new license — If there are no identical licenses, the
license is added to the License & Contract Repository.
* Change the IP address of an existing license (Move IP)
© Change the license from Local to Central,
> Upgrade the license.
4. Select Licenses & Contract > Add License > From File.
2, Browse to the location of the license file, select it, and click Open.
A license file ean contain multiple licenses, Unattached Central licenses appear
in the License & Contract Repository, and Local licenses are automatically
attached to their Security Gateway. All licenses are assigned a default name inthe
format SKU@ time date, which you can modify ata later time
Adding License Details Manually
‘You may add licenses that you have received from the Licensing Center by e-
mail. The e-mail contains the license-installation instructions.
41. Locate the license — if you have received a license by e-mail, copy the
license tothe clipboard. Copy the string that starts with eplic putlc...and ends
with the last SKU/feature. For example:
eplic putlic 1.1.1.1 06pec2002 éw59uea2-
eLLQSNEgPuyHzvQ- WKreSod%x CPSUITE-BVAL-3DES-NGX CK-
1234567890
2. Select the License & Contracts tab in SmartUpdate,
3. Select Licenses & Contracts > Add License > Manually. The Add License
‘window appears.
4, Enter the license details. you copied the license to the clipboard, click Paste
License, The fields will be populated with the license details.
Altematively, enter the license details from a printout
5. Click Calculate, and make sure the result matches the vali
received from the User Center.
6, You may assign a name to the license, if desired, If you leave the Name field
‘empty, the license is assigned a name inthe format SKU@ time date
7. Click OK to complete the operation.
tion code
132
Check Point Security Administration
Attaching Licenses
Detaching Licenses
‘Overview of Managing Licenses
‘After licenses have been added to the License & Contract Repository, select one
or mote licenses to attach to a Security Gateway,
1. Select the license(s).
2. Select Network Objects Licenses & Contracts > Attach,
3. From the Attach Licenses window, select the desired device,
Ifthe attach operation fails, the local licenses are deleted from the Repository.
Detaching a license involves deleting a single Central license ftom a remote
Check Point Security Gateway and merking it as unattached in the License &
Contract Repository. This license is then available to be used by any Check Point
‘Security Gateway. To detach a license, select Licenses & Contracts > Detach and
select the licenses to be detached from the displayed window.
Deleting Licenses From License & Contract Repository
Installation Process
Livenses that are not attached to any Check Point Security Gateway and are no
longer needed can be deleted from the License & Contract Repository. To delete
a license:
1. Right-olick anywhere in the License & Contract Repository and select View
Unattached Licenses.
2, Select the unattached license(s) to be deleted, and click Delete.
‘The following operations are performed during the installation process:
‘+ Check Point Remote Installation Daemon connects to Check Point gateway.
* Verification for sufficient disk space,
* Verification of the package dependencies.
© The package is transferred to the gateway if tis not already there.
‘© The package is installed on the gateway,
* Enforcement policies are compiled for the new version,
* The gateway is rebooted if the Allow Reboot option was selected and the
package requires it.
The gateway version is updated in SmartDashboard
+ The installed packages are updated in SmartUpdate,
Student Manat
133
a
Using SmartUpdate
Viewing License Properties
To Export a License to a File
ing for Expired Licenses
4. In the License Expiration window, set the Search for licenses expiring within
2, Click Apply to run the search.
‘To delete expired licenses from the License Expiration window, select the
detached license(s) and click Delete,
4. In the Licenses Repository select one or more license, right-click, and from
2 In the Choose File to Export License(s) To window, name the file (or select an
All selected licenses are exported. Ifthe file already exists, the new licenses are
added to the file,
‘The overall view of the License & Contract Repository displays general
information on each license such as the name of the license and the IP address of
the machine to which it is attached. You can view other properties as well, such
as expiration date, SKU, license type, certificate key and signature key. To view
license properties, double-click on the license in the Licenses & Contracts tab
‘fier a license has expired, the functionality of the Check Point package will be
impaired; therefore, it is advisable to be aware of the pending expiration dates of
all licenses. To check for expired licenses, select Licenses & Contracts > Show
Expired Licenses. To check for licenses nearing their dates of expiration:
the next x days property.
the menu select Export to File.
ing file), and browse to the desired location. Click Save,
134
Check Point Security Administration
Service Contracts
Service Contracts
| Managing Contracts
Before upgrading a Gateway or Security Management Server, you need to have a
valid support contract that includes software upgrade and major releases
registered to your Check Point User Center account. The contract file i stored on
‘Security Management Server and downloaded to Check Point Security Gateways
during the upgrade process. By verifying your status withthe User Center, the
contract file enables you to easily remain compliant with current Check Point
licensing standards,
EGR 9) on soconn ude an aE es
Eiaeae i
ae Fata eae es
mariah
Figure 58 — Service Contracts
As in all upgrade procedures, first upgrade your Security Management server or
Multi Domain Management before upgrading the Gateways. Once the
‘management has been successfully upgraded and contains a contract ile, the
contract file is transferred toa Gateway when the Gateway is upgraded (the
contract file is retrieved from the management).
Once you have successfully upgraded the Security Management Server, you can
use SmartUpdate to display and manage your contracts. From the License
‘Management window, its possible to see whether a particular license is
associated with one or more contracts. The Licence Repository window in
SmartUpdate displays contracts as well as licenses,
Student Manual
135
ae
Tsing SmarUpdate
Updating Contracts
BE
“The Licenses & Contracts on the menu ber has enhanced functionality for
handling contracts.
+ Licenses & Contracts > Update Contracts — Installs contract information
on the Security Management Server. Each time you obtain a new contract,
you can use this option to make sure the new contrac is displayed in the
license repository.
+ Licenses & Contracts > Get all Licenses — Collects licenses ofall
Gateways managed by the Security Management Server, and updates the
contract file on the Server ifthe file on the Gateway is newer.
| lee | aks
iL le | ro
a
|e topos te
Gem copeaetonye
i
|] FP evattcrne uo
| Gencooneae renter ont
| | fie
[| Ei ampmede-tese TERT
| ase ven
Bowman tore
Figure 59 — Updating Contracts
Check Point Security Administration
| Practice and Review
Review
4. What can be upgraded remotely Using SmartUpdate?
| 2. What two repositories does SmarUpdate install on the Security Management
| Server? Management Server?
3. What docs the Pre-Install Verifier check?
|
L Student Manwat 137
Using SmartUpdate
18 ‘Check Point Security Administration
CHAPTER? User Management and
Authentication
139
eerManagement and Authentication
User Management and Authentication —
If you do not have a user-management infrastructure in place, you can make a
choice between managing the intenal-user database or choosing to implement an
LDAP server. If you have a large user count, Check Point recommends opting for
‘an extemal user-management database, such as LDAP.
Check Paint authentication features enable you to verify the identity of users
logging in to the Security Gateway, but also allow you to control security by
allowing some users access and disallowing others, Usets authenticate by
proving their identities, according to the scheme specified under a Gateway
authentication scheme, such as LDAP, RADIUS, SecurlD and TACACS.
\9 Objectives:
© Centrally manage users to ensure only authenticated users securely access the
corporate network either locally or remotely
‘© Manage users to access to the corporate LAN by using extemal databases,
140 ‘Check Point Security Administration
Seen
Creating Usore and Groups
Creating Users and Groups
Authentication rules are defined by user groups rather than individual users,
‘Therefore, you must first define users and then add them to groups to define
authentication rules. You can define users using the Security Gateway proprietary
user database or using an LDAP, RADIUS or ACE server:
For the procedure describing how to create Security Gateway users using a
template, create a group, adding users to the group and installing user
information in the database, refer to the lab “Creating Users and Groups” in this
chapter.
User Types
‘SmariDashboard allows you to manage a variety of user types
External User Profiles — Extemally defined users who are not defined in the
internal users database or on an LDAP server. External user profiles are used to
avoid the burden of maintaining multiple Users Databases, by defining a single,
generic profile for all external users. External users are authenticated based on
either their name or their domain,
LDAP Groups — An LDAP group specifies certain LDAP user characteristics,
AIL LDAP users defined on the LDAP server that match these characteristics are
included in the LDAP group. LDAP groups are required for performing a variety
of operations, such as defining LDAP user access rules or LDAP remote access
communities, For detailed information on LDAP groups, see chapter, “User
Management and Authentication”.
‘Templates — User templates facilitate the user definition process and prevent
mistakes, by allowing you to create a new user based on the appropriate template
‘and change only a few relevant properties as needed.
User Groups — User groups consist of users and of user sub-groups. Including
users in groups is required for performing a variety of operations, such as
defining user access rules or remote access communities,
Users — These are either local clients or remote clients, who access your
network and its resources.
Student Manuai iat
Teer Management and Authentication
Security Gateway Authentication
‘The Security Gateway authenticates individual users using credentials, and
‘manages them using different authentication schemes. All authentication
schemes require a username and password.
Types of Legacy Authentication
‘There are three ways to access a network resource and authenticate using the
Legacy Authentication in the Security Gateway:
‘© User Authentication ~— Grants access on a per-user basis. This method can
only be used for Telnet, FTP, HTTP, rlogin and HTTPS services. User
Authentication is secure, because the authentication is valid only for one
connection, but intrusive, because each connection requires another
authentication. For example, accessing a single Web page could display
several dozen User Authentication windows, as different components are
loaded,
+ Session Authentication — Provides an authentication mechanism for any
service, and requites users to supply their credentials fo each authentication
session; a Session Authentication Agent must be installed on every
authenticating client. Therefore, this method is not suitable for authenticating
HTTP services, as they open multiple connections per session, Session
‘Authentication ean be used to authenticate any service on aper-session basis.
‘After the user initiates a connection directly to the server, the Security
Gateway — located between the user and the destination — intercepts the
connection. The Gateway recognizes that user-level authentication is
required, and initiates @ connection with a Session Authentication Agent.
Similar to Client Authentication, Session Authentication is best used on
single user machines, where only one user can authenticate from a given TP at
any onetime.
+ Client Authentication — Permits multiple users and connections from the
authorized IP address or host; authorization is performed per machine, For
example, if finger is authorized fora client machine, all users on the client are
authorized to use finger and are not asked to supply a password during the
authorization process. Client Authentication is slightly less secure than User
Authentication, because it allows any user access from the IP address or host,
but is also less intrusive then Session Authentication. Client Authentication is
best used when the client is single-user machine, such as desktop
computer. The main advantage of this method is that it can be used on any
number of connections for any service, and authentication can be validated
for a specified time period,
(Check Point Security Administration
‘Security Gateway Authentication
‘This table presents a comparison of the three Security Gateway authentication
methods;
All services
HTTPS
Connection | Session IP address
Bach timea | Bach time auser | Only once, and
user uses one of | uses any service | uses any service
the supported | (requires a Ses- | until signing out
services sion Authentica-
tion Agent on the
client)
Authentication is required for remote-access communication such as SSL VPN,
IPSec VPN and Endpoint clients. However, these authentication methods are not
often employed in such environments. For more information about user access
and VPNs, see chapters, “Encryption and VPNs” and “Introduction to VPNs” in
this manual
Authentication Schemes
Authentication schemes employ usernames and passwords to identify valid users.
Some schemes are maintained locally and store usernames and passwords on the
Security Gateway, while others are maintained externally and store User
‘Authentication information on an external authentication server. Certain
schemes, such as SecurID, are based on providing a one-time password. All of
the schemes can be used with users defined on an LDAP server. For additional
information on configuring the Security Gateway to integrate with an LDAP
server, refer to the “UserDirectory and User Management” section in this chapter.
Cheek Point Password — The Security Gateway can store a static password in
the local user database of each user configured on the Security Management
Server. No additional software is required. Alternatively, to permit alteration of
this credential, store the Check Point password in UserDirectory.
Operating System Password — The Security Gateway can authenticate using
the username and password that is stored on the operating system of the machine
Student Marsal
18
‘User Management and Authentication
‘on which the Security Gateway is installed. You can also use passwords that are
stored in a Windows domain. No additional software is required.
RADIUS — RADIUS is an extemal authentication scheme that provides security
and scalability by separating the authentication function from the access server.
Using RADIUS, the Gateway forwards authentication requests by remote users
to the RADIUS server. The RADIUS server, which stores user account
information, authenticates the users.
‘The RADIUS protocol uses UDP to communicate with the Gateway, RADIUS
servers and RADIUS server-group objects are defined in SmartDashboard.
SecurlD — SccurlD requires users to both possess 2 token authenticator and to
supply a PIN or password, Token authenticators generate one-time passwords
that are synchronized to an RSA ACEIserver, and may come in the form of
hardware or software. Hardware tokens are key-ring or credit card-sized devices,
‘hile software tokens reside on the computer or device from which the user
wants to authenticate, All tokens generate @ random, one-time-use access code
that changes approximately every minute. When a user attempts to authenticate
to a protected resource, the one-time-use code must be validated by the ACE
server,
Using SecurID, the Security Gateway forwards authentication requests by remote
users to the ACE/server. ACE manages the database of RSA users and their
assigned hard or soft tokens. The Security Gateway acts as ACEV/Agent 5.0, and
irects all access requests to the RSA. ACE/server for authentication, For
additional information on agent configuration, refer to your ACE/Server
‘documentation,
‘There are no specific parameters required for the SecurID authentication scheme.
‘TACACS — TACACS is an extemal-authentication scheme that provides
verification services. TACACS provides access control for routers, network
access servers and other networked devices through one or more centralized
servers. Using TACACS, the Gateway forwards authentication requests by
remote users to a TACACS server. The TACACS server, which stores user-
‘account information, authenticates users. The system supports card-key devices
‘or token cards and Kerberos secret-key authentication. TACACS encrypts the
username, password, authentication services, and accounting information of all
authentication requests to ensure secure communication,
Undefined — The authentication scheme for a user can be undefined. Ifa uset
with an undefined authentication scheme is matched to a rule with some form of
authentication, access is always denied,
144
Check Point Security Administration
a
‘Security Gateway Authentic
Remote User Authenticat
n
Configure the authentication method that all users will use to authenticate to the
Mobile Access portal or to IPsec VPN Clients,
‘You can configure one authentication method for Mobile Access on the
‘Authentication for Mobile Access page and a different method for IPsec VPN
Clients on the Authentication for IPsec VPN page. You can configure different
Authentication methods for the different blades, even if they are on the same
‘gateway
For Mobile Access, you can also configure if the settings for Two Factor
Authentication with DynamicID are Global or specific to the gateway.
If you do not configure authentication settings on this page, the gateway. takes
authentication settings fiom Gateway object Properties > Legacy
Authentication,
Figure 60 — Remote User Authentication
Student Marsal 145
ue
User Management and Authentication
Authentication Types
Defined on user record — Takes the authentication method from Gateway
‘object Properties > Legacy Authentication
Username and Password — Uses a username and password defined for the user
on the gateway.
RADIUS — Users are challenged for a response, as defined by the RADIUS.
SecurID — Users are challenged to enter the number displayed on the Security
Dynamics SecurID card.
Personal certificate —Digital Certificates are issued by the Internal Certificate
‘Authority or by a third party OPSEC certified Certificate Authority.
For Mobile Access: Two Factor Authentication with DynamicID
+ Global Settings - The gateway takes the global settings from the
Authentication to Gateway page of the Mobile Access tab
+ Custom Settings for this Gateway ~ This gateways has its own two-
factor authentication settings. Click Configure to change the settings
for this gateway.
& aa
Figure 61 — Authentication for Mobile Access
146
Check Point Security Administration
a
‘Security Gateway Authent
| Authentication Methods
Each method ean be configured to connect and authenticate clients to the
Security Gateway before the connection is passed tothe desired resource (a
process known as noniransparent authentication). Altematvely, each method can
| be configured to connect clients directly tothe target server (a process known as
| transparent authentication)
This section describes how users authenticate using each authentication method,
along with guidelines for configuring each method,
[Sten anual 147
User Management and Amhentication
User Authentication (Legacy)
User Authentication provides authentication for the Telnet, FTP, HTTP, and.
rlogin services. By default, User Authentication is transparent. The user does not
connect directly to the Security Gateway, but initiates a connection to the target
server.
Figure 62— Rule Base with User Authentication Definad
User Authentication Rule Base Considerations
‘Although itis true that the Gateway processes rules in order, an exception to this
is when User Authentication is employed. In this case, the most permissive rule
in the Rule Base is used by the Gateway. Ifa User Authentication nile matches a
packet, all rules are evaluated before authentication occurs, and the least
restrictive rule is applied.
ia Check Point Security Administration
a
‘Session Authentication (Legacy)
Session Authentication (Legacy)
In the Session Authentication Action Properties, you can define the session
authentication behavior for a connection that is matched on a Session
Authentication rule,
‘You can also define how to treat the user when the allowed location of the user is
different than the location allowed to the user in the Rule,
Trem gee gona ete arm Le i
eine tt, BERT enemies fqn oe ;
Figure 63 — Session Authentication
Session Authentication can be used for any service, but requires either a Session
Authentication agent to get the user identity, or UserAuthority. Like User
Authentication, it requires an authentication procedure for each connection.
UserAuthority can be used to get the user identity, It can do this in one of three
ways:
4. From a SecureAgent.
2, From SecureClient, if the user authenticated via SecureClient connected to
the Check Point Security Gateway.
3. From the Check Point Security Gateway, ifthe user authenticated via an
HTTP connection to port 900 or Telnet o port 259 on the gateway,
A Session Authentication agent can also be used to get the user identity. The
‘Session Authentication agent is normally installed on the authenticating client, in
which case the person who wants the connection to the destination host supplies
the authentication credentials. However, the Session Authentication agent cen
also be installed on the destination machine, or on some other machine in the
network. In that case, the person at the machine on which the Agent is installed is
asked to supply the username and a password,
‘A Session Authentication agent can also be used to get the user identity. The
Session Authentication agent is normally installed on the authenticating client, in
‘which case the person who wants the connection to the destination host supplies
the authentication credentials. However, the Session Authentication agent can
also be installed on the destination machine, or on some other machine in the
IE Student Manwal
149
network. In that case, the person at the machine on which the Agent is installed is
asked to supply the usemame and a password,
Source and Destination both have the following possible settings:
‘+ Intersect with User Database means that ifa user who successfully
authenticates is at a source or trying to reach a destination which is allowed to
the user according to the rule, but the User Properties for that user do not
allow this location, the user will be denied.
© Ignore User Database - Users who would otherwise denied as a result of the
allowed source or destination defined in the User Properties are allowed
anyway.
© Contact Agent At ells the Check Point Security Gateway on which host to
altempt to contact. An Agent can be a SecureAgent installed on the client
‘machine, a SecureClicnt installed on the client machine, or a Session
‘Authentication Agent installed on the client machine or another host. The
possibilities are
© Steto specify that the Agent on the rule's Source object will authenticate the
'* Other to specify that the Session Authentication Agent on the specified object
will authenticate the session. This allows authentication credentials to be
provided by someone other than the person requesting access.
+ Accept only SecuRemote/SecureClient encrypted connections applies the rule
only ifthe connection is encrypted (that is, only ifthe source is a SecureClient
machine.)
+ Single Sign On means that when a user opens a connection that matches this
rule, the Check Point Security Gateway queries UserAuthority for the user
identity. 1f User Authority replies with the username (and the user belongs to
groups, if defined), the connection is allowed, Otherwise, itis dropped.
Figute 64 — Session Authentication Action Properties
Check Point Security Administration
eee ge re eee ee eee ree eee
‘Session Authentication (Legacy)
ing Session Authentication
To configure Session Authentication:
If using the Session Authentication Agent, install and configure it for all
‘machine desktops with Session Authentication enabled.
Configure the required users and groups for authentication, and install the
user database,
In the Authentication window from the Gateway object’s General Proper-
ties, cnable the requited authentication schemes, The Gateway must support
all user-defined authentication schemes, For example, if some users must pro-
vide a Check Point password and others RADIUS authentication, select both
scheines,
Define a Session Authentication access rule by following the same instruc-
tions as those under “Configuring User Authentications, except select Session
Auth in the Action column of the Rule Base.
frequired, adjust the Failed Authentication Attempts settings for Session
Authentication in the Authentication window of the Global Properties:
Toihtewanan BH oe
£ Sete ae leche BE ca
imonitor ctntndids’ Bete
eter | Tot tenet
Ste | scan
? ete yeaa aan gale peg ar
Boao”, Seo pmmdiemry pate) ——
[Se omens
* Sirota “Dacian ET] ee
ane
2 Retain
Figure 65 — Session Authentication
Student Manual
151
‘iser Management and Aut
Client Authentication (Legacy)
ication
Client Authentication can be used to authenticate any service. It enables access
from a specific IP address for an unlimited number of connections. ‘The client
user performs the authentication process, but itis the client machine that is
‘granted access, Client Authentication is less secure than User Authentication,
because it permits access for multiple users and connections from authorized IP
addresses or hosts. Authorization is performed on a per-machine basis for
services that do not have an initial login procedure. The advantages of Client
Authentication are that it can be used for an unlimited number of connections, for
any service, and is valid for any length of time.
Client Authentication and Sign-On Overview
Client Authentication works with all sign-on methods. The table below shows
how different sign-on methods provide a choice when selecting an authentication
‘method for authenticated services and others. For sign-on methods other than
‘Manual Client Authentication, the Security Gateway is transparent to users who
authenticate directly to the destination host.
‘Telnet to port 259 ‘Telnet to port 259
on Gateway ‘on Gateway
HTTP to port 900 HTTP to port 900
oon Gateway ‘on Gateway
Partially automatic _| User Authentication Not available
Fully automatic | User Authentication ‘Session Authentication
‘Agent automatic | Session Authentication | Session Authentication
Single Sign On | UserAuthority ‘UserAuthority
152
Check Point Security Administration
Wait Mode
‘lient Authentication (Legacy)
‘The following are the two Client Authentication sign-on options:
+ Standard Sign-on — Enables users to access all services permitted by the
rule, without authenticating for each service
© Specific Sign-on — Enables users to access only the services that they
specify when they authenticate, even ifthe rule allows more than one service;
ifusers want to use another service, they must reauthenticate for that specific
At the end of an authentication session, users can sign off. When users sign off,
they are disconnected from all services and the remote host.
* Manual Sign On — Available for any service that is specified in the Client
Authentication rule; the user must first connect to the Gateway and
authenticate in one of the following two ways:
‘Through a Telnet session to the Gateway on port 259,
‘Through an HTTP connection to the Gateway on port 900 and a Web browser;
the requested URL must include the Gateway name and port number, for
example, http: //Gateway : 900
Wait Mode is « Client Authentication feature for Manual Sign On, when the user
initiates a Client Authenticated connection with a Telnet session on port 259 on
the Gateway. Wait Mode eliminates the need to open a new Telnet session to sign
off and withdraw Client Authentication privileges. In Wait Mode, the initial
Telnet session connection remains open, as long as Client Authentication
privileges remain valid. Client Authentication privileges are withdrawn when the
‘Telnet session is closed.
‘The Security Gateway keeps the Telnet session open by Pinging the
‘authenticating client, If for some reason the client machine stops running, the
Gateway closes the Telnet session, and Client Authentication privileges fiom the
connected IP address are withdrawn,
* Partially Automatic Sign On — Partially Automatic Sign On is available for
‘authenticated services (Telnet, FTP, HTTP, and rlogin), only if they are
specified in the Client Authentication rule. Ifusers attempt to connect to a
remote host using one of the authenticated services, they must authenticate
with User Authentication. When using partially automatic Client
Authentication, ensure that port 80 is accessible on the Gateway.
Student Manual
153
ser Management and Authentication
+ Fully Automatic Sign On — Fully Automatic Sign On is available for any
service, only ifthe requited service is specified in the Client Authentication
rule. IF users attempt to connect to remote host using an authenticated
service (Telnet, FTP, HTTP, and slogin), they must authenticate with User
Authentication. If users attempt to connect to a remote host using any other
service, they must authenticate through a properly installed Session
‘Authentication Agent. When using fully automatic Client Authentication,
‘ensure that port 80 is accessible on the Gateway.
‘+ Agent Automatic Sign On — Agent Automatic Sign On is available only it
the required service is specified in the Client Authentication rule, andthe
Session Authentication Agent is properly installed. users attempt to connect
to a remote host using any service, they must authenticate through a Session
Authentication Agent.
+ Single Sign On — Single Sign On is available for any service, only ifthe
required service is specified inthe Client Authentication rule and
UserAuthority is installed. Single Sign On is a Check Point address-
‘management feature that provides transparent network access. The Gateway
consults the user IP address records to determine which users are logged into
any given IP address, When a connection matches a Single Sign On enabled
rule, the Gateway queries UserAuthorty withthe packet's source IP
UserAuthorty retums the name ofthe user who is registered tothe IP. Ifthe
user's name is authenticated, the packet is accepted. If not, itis dropped
Configuring Authentication Tracking
‘Successful and unsuccessful authentication attempts can be monitored in
‘SmartView Tracker or using other tracking options, for example, e-mail and
alerts, Authentication tracking can be configured for the following types of
authentication attempts:
+ Failed authentication attempts — Can be tracked forall forms of
authentication; to track failed authentication attempts, in the Authentication
window of a gateway object, set the Authentication Failure Track property
to define the tacking option when authentication failures occur
«Successful authentication attempts — Can only be tracked for Client
‘Authentication; in the Client Authentication Action Properties window, set
the Successful Authentication Tracking property to define the tracking.
option forall successful Client Authentication attempts. These options
include None, Log, and Alert. The default setting is Log,
© All Authentication attempts — Can be tracked forall forms of
‘authentication; select an option in the Track column of any rule that uses
some form of authentication, Some tracking options may not take effect if the
i54
‘Check Point Security Administration
-— ehhh
gateway object is set to log all failed authentication attempts. For example,
setting a rule to None has no effect, and failed authentication attempts are stil
logged in SmmartView Tracker. However, setting the rule to Alert causes an
alert to be sent for each failed authentication attempt.
Student Manual 155
‘User Management and Authentication
LDAP User Management with UserDirectory
LDAP Features
Lightweight Directory Access Protocol (LDAP) is an open industry standard
that is used by multiple vendors, Itis used to maintain information about users
and items within an organization. LDAP is widely accepted as the directory-
access method of the Internet, One of the reasons that itis the obvious choice for
so many vendors is because of its cross-platform compliancy. LDAP is,
automatically installed on different operating systems (e.g., the Microsoft Active
Directory) and servers (such as Novell, Netscape, etc.).
‘When integrated with Security Management, LDAP is referred to as
UserDirectory (LDAP)
Features of LDAP are as follows:
+ LDAP is based on a client/server model, in which an LDAP client makes a
‘TCP connection to an LDAP server.
© Bach entry has a unique Distinguished Name (DN).
+ Default port numbers are 389 for standard connections, and 636 for Secure
Sockets Layer (SSL) connections.
* Bach LDAP server is called an Account Unit.
156
‘Check Point Security Administration
Distinguished Name
TDAP User Management with UserDirectony
‘A Distinguished Name (DN) is a globally unique name for an entity, constructed
bby appending the sequence of DN fiom the lowest level ofa hierarchical
structure, o the root, The root becomes the relative DN. This structure becomes
apparent when setting up SmartDashboard user management
Figure 68 — Distinguished Name
For example, if searching for the name John Brown, the search path would start
‘with John Brown's Common Name (CN). You would then narrow the search to
‘the organization he works for, then to the country. If John Brown works for ABC
‘Company, one possible DN is show below:
en=John Brown, ousMarketing,o=ABC Company, c=US
This can be read as, “John Brown, in Marketing, of ABC Company, in the United
States”. A different John Brown, who works at the XYZ Company, might have a
DN, as follows:
ensJohn Brown,o=KYZ Company, csUS
‘The two CNs “John Brown” belong to two different organizations with different
DNs. This can be outlined as an inverted tree, asin the figure.
Student Manuai
137
User Management and Authentication
Multiple LDAP Servers
‘There are several advantages to using more than one LDAP server, including the
following:
© Compartmentalization, by allowing a large number of users to be distributed
across several servers
© High Availability, by replicating the same information on several servers,
+ Faster access time, by placing LDAP servers containing the database at
remote sites
pee sever
ee
Galery
Lap Server
Soe
UAB
ents
Figure 67 — Multiple LDAP Servers
Ifthe Security Gateway includes the appropriate license, account management is
allowed for an unlimited number of LDAP servers. Therefore, as many LDAP
servers as needed may be managed through SmartDashboard, as shown below:
Using an Existing LDAP Server
Ifthere is an existing LDAP user database, integration with the Security Gateway
is relatively simple. The LDAP server maintains all user information, including
Jogin name and password. Addition and deletion of users is performed on the
LDAP server through the LDAP user interface or SmartDashboatd,
158 ‘Check Point Security Administration
Configuring Ent
TOAP User Management with UserDrectory
ies to Work with the Gateway
‘The predominant reasons for integrating the Security Gateway and UserDirectory
(LDAP) are:
© To query user information.
* To enable Certificate Revocation List (CRL) retrieval
* Toenable user management,
© To authenticate users.
‘The first step is to enable the option Use UserDirectory (LDAP) in Global
Properties. Then, it is necessary to define an Account Unit. Ifyou are
implementing UserDirectory user management, you will need to know which
entities to define, and how fo manage the users defined by the UserDirectory
Account Unit. UserDirectory user management requires a special license,
Fe ear recy er Sey Gao areal
it oma |e ein Een
UH Edge Ge FE porno chomp nha urs Ave acto pte mores
|B FnoieAeoe =
7 UW Aah Tse cst eo ag lens
|| cracaes | | cess ooh [ae aa
| See Cott) | 1 Ped eoter ste: [cemRENT
sstticede
Sree
| cle er De Lag
COent Denby © Oey | C Delon Pee
Faroe Seg
Nnatesenl oak: [FB cence :
fF omtroc || [plc ud nae note chee i
[Gena | |
Foun [7 EMail cae |
Newmeetth! | Pamedmattaeeeget |
irs
Sore UPS eatin laraaee Ger
Saishoecte | atacentetoen nape oar
Smt
Figure 68 — Configuring Entities to Work wth he Gateway
‘The graphic shows the global settings for UserDirectory (LDAP):
Student Manual
159
Defining an Account Unit
Create a new UserDirectory Account unit via the Servers tab of the Objects tree,
as shown.
Figure 69 — LDAP Account Unit Properties
‘The LDAP Account Unit Properties window consists of several tabs:
© General tab — Defines the general settings of the LDAP Account Unit;
decide whether this Account Unit is to be used for CRL retrieval, user
‘management, or both.
* Profile — Select a profile to be applied to the new Account Unit. Four
profiles are defined by default, each corresponding to a specific LDAP server:
+ OPSEC_DS — The default profile for a standard OPSEC
certified UserDirectory server.
+ Netseape_DS — The profile for a Netscape Directory Server.
© Novell DS — The profile for a Novell Directory Server.
+ Microsoft_AD — The profile for Microsoft Active Directory.
‘+ Servers tab — Displays the LDAP servers to be used by the Account Unit;
the order in which they are displayed is the default query order.
160
‘Check Point Security Administration
| Managing Users
TDAP User Management with UserDirectory
+ Objects Management tab — Allows you to select the LDAP server on
‘which objects are managed: the branches forthe selected LDAP server can be
reirieved by selecting Fetch branches, or they can be added manually. Some
versions of LDAP do not suppor automatic branch retrieval using Feteh
branches, These branches wil be searched when this LDAP server is
queried. The Administrator can add or modify the branches.
© Authentication tab — Allows you to define an authentication scheme for
the LDAP account.
Note: For enhanced security, this Account Unit object can be locked
with a password that must be entered when this Account Unit,
is accessed from SmartDashboard for managing users
Users defined in the Account Unit are managed in the Users tab of the Objects
‘tee, This intuitive tree structure enables users to be managed as if all the users
‘were actually sitting on the internal Security Gateway database. For instance, you
can add, edit or delete users by right-clicking them in the Objeets tree, and by
selecting the option of your choice.
&/Sia]e 8/6 °
"jaeaeowe
‘iy adometr Gos
1 atnevats
7 giesunati ote
[puircam
(ep Tewttes
1 [gh ar cee
Figure 70 — Managing Users
Student Manual
161
Teer Management and Authentication
UserDirectory Groups
UserDitectory groups are ereated to classify users within certain group types.
‘These UserDirectory groups are then applied in Policy rules, Define a
UserDitectory group in the LDAP Group Properties window in the Users and
Administrators tab of the Objects tree:
Figure 71 —LOAP Group Properties
Once UserDirectory groups are created, they can be applied in various Policy
niles, such as the Security Policy. In this window, you can select the Account
Unit on which the UserDirectory group is defined, and apply an advanced filter to
increase the granularity of a group definition. Only those users who match the
defined criteria will be included as members of the UserDirectory group. For
instance, you can include all users defined in the selected Account Unit as part of
the UserDirectory group, or only members ofa specified branch, or only
members ofa specified group on the branch,
162
‘Check Point Security Administration
raclice and Review
Practice and Review
Practice Lab
Lab 8:Configuring User Directory
Review
4. User Auth can be only used for what services?
2, When using Session Authentic:
tity?
|. What is needed to retrieve a user's iden-
3. What are the advantages of using multiple LDAP servers?
4. Why integrate the Security Gateway and UserDirectory?
Student Manual 163
164 ‘Check Point Security Administration
CHAPTER 8
~ Identity Awareness
Check Point Security Administration
Teentity Awareness
Identity Awareness
Check Point Identity Awareness Software Blade provides granular visibility of
users, groups and machines, providing unmatched application and access control
through the creation of accurate, identity-based policies. Centralized
management and monitoring allows for policies to be managed from a single,
unified console.
Learning Objectives:
+ Use Identity Awareness to provide granular level access to network resources.
+ Acquire user information used by the Security Gateway to control access.
* Define Access Roles for use in an Identity Awareness nile
+ Implementing Identity Awareness in the Firewall Rule Base.
166 Check Point Security Administration
Introduction to dently Awareness
Introduction to Identity Awareness
‘Traditionally, firewalls use IP addresses to monitor traffic and are unaware of the
user and machine identities behind those IP addresses. Identity Awareness
removes this notion of anonymity since it maps users and machine ident
‘This lets you enforce access and audit data based on identity
Identity Awareness is an easy to deploy and scalable solution. It is applicable for
both Active Directory and non-Active Directory based networks as well as for
employees and guest users, It is currently available on the Firewall blade and
Application Control blade and will operate with other blades in the future.
Identity Awareness lets you easily configure network access and auditing based
‘on network location and:
The identity of a user
© The identity ofa machine
‘When Identity Awareness identifies a source or destination, it shows the IP
address of the user or machine with a name, For example, this lets you create
firewall rules with any of these properties. You can define a firewall rule for
specific users when they send traffic ftom specific machines or a firewall nile for
a specific user regardless of which machine they send traffic from.
In SmartDashboard, you use Access Role objects to define users, machines, and
network locations as one object.
“Figure 72 — Acooss Role
Student Manual
167
Tentity Awareness
Identity Awareness also lets you see user activity in SmartView Tracker and
‘SmartEvent based on user anid machine name and not just IP addresses,
es
Figure 73 — Record Detaiis
Identity Awareness gets identities from these acquisition sources:
© AD Query
+ Browser-Based Authentication
‘© Endpoint Identity Agent
‘© Terminal Servers Identity Agent
© Remote Access
AD Query
AD Query gets identity data seamlessly from Microsoft Active Directory (AD),
AD Query for Identity Awareness is recommended for
© Identity based auditing and logging
* Leveraging identity in Internet application control
* Basic identity enforcement in the intemal network
‘AD Query is an easy to deploy, clientless identity acquisition method. It is based
on Active Directory integration and it is completely transparent tothe user
Check Point Security Administration
Introduction to laenity Awarenose
‘The AD Query option operates when:
‘+ An identified asset (user or machine) tries to access an Intranet resource that
creates an authentication request. For example, when a user logs in, unlocks a
screen, shares a network drive, reads emails through Exchange, or accesses an.
Intranet portal.
* AD Query is selected as a way to acquire identities,
‘The technology is based on querying the Active Directory Security Event Logs
and extracting the user and machine mapping to the network address from them.
It is based on Windows Management Instrumentation (WMD, a standard
Microsoft protocol, The Security Gateway communicates directly with the
Active Directory domain controllers and does not require a separate setver.
‘No installation is necessary on the clients or on the Active Directory server.
Identity Awareness supports connections to Microsoft Active Directory on
‘Windows Server 2003 and 2008.
Firewall Rule Base Example
Suc Gta wets
ent vars
Figure 74 — Firewall Example
41. The Security Gateway registers to receive security event logs from the Active
Directory domain controllers
2 A.user logs in to a desktop computer using his Active Directory credentials,
3. The Active Directory DC sends the security event Ing to the Security Gate-
way. The Security Gateway extracts the user and IP information (user
name@domain, machine name and source IP address).
4, The user initiates @ connection to the Internet
8. The Security Gateway confirms that the user has been identified and lets him
access the Internet based on the policy,
Siudent Manual
169
‘When you set the AD Query option to get identities, you are configuring
clicatless employee access for all Active Directory users. To enforce access
‘options, make rules in the Firewall Rule Base that contain access role objects. An
access role object defines users, machines and network locations as one object,
‘Active Directory users that log in and are authenticated will have seamless access
to resources based on Firewall Rule Base rules.
Scenario: Laptop Access
John Adams is an HR partner in the ACME organization, ACME IT’ wants to
limit access to HR servers to designated IP addresses to minimize malware
infection and unauthorized access risks. Thus, the gateway policy permits access
‘only from John's desktop which is assigned a static IP address 10.0.0.19.
He received a laptop and wants to access the HR Web Server from anywhere in
the organization. The IT department gave the laptop a static IP address, but that
limits him to operating it only from his desk. The current Rule Base contains a
rule that lets John Adams access the HR Web Server from his laptop witha static
IP (10.00.19).
Figure 75 — Rule
4. He wants to move around the organization and continue to have access tothe
THR Web Server. To make this scenario work, the IT administrator does these
steps:
2. Enables Identity Awareness on a gateway, selects AD Query as one of the
Identity Sources and installs the policy.
3. Checks SmartView Tracker to make sure the system identifies John Adams in
the logs.
‘Adds an access tole object tothe Firewall Rule Base that lets Jobn Adams
access the HR Web Server from any machine and from any location.
'5. Sees how the system tracks the actions ofthe access role in Smart View
Tracker.
‘The Smart View Tracker logs show how the system recognizes John Adams as the
user behind IP 10.0.0.19:
170
‘Check Point Security Administration
Tatroduction te Identity Awareness
=)
Qescnease
(7 marae ceil) Ser
‘Disyioaence
ane
i
|
rage 2 Bante
Desetion aaa
oo
=. [Soe |
net (Sete |
Laer =
Figure 76 ~ John Adams
‘This log entry shows that the system maps the source TP to the user John Adams
from CORPACME.COM. This uses the identity acquired from AD Query.
Note: AD Query maps the users based on AD activity. This can take
some time and depends on user activity. If John Adams is not
identified (the IT administrator does not sce the log), he should
lock and unlock the computer.
Using Access Roles
‘To let John Adams access the HR Web Server from any machine, itis necessary
for the administrator to change the current rule in the Rule Base. To do this, itis
necessary to create an access role for John Adams that includes the specific user
John Adams from any network and any machine.
Student Manual 171
identity Awareness
Ofeven
OBatiesetwes Diousereaisee
OB creer bg ten
_ leo adaes
8 Amt
Figure 77 — Access Role Change
‘Then the IT administrator replaces the source object of the current rule with the
HR_Partner access role object and installs the policy for the changes to be
updated.
[enoescen (Gwen [bv Ser me
Figure 78 — Rule Change
‘The IT administrator can then remove the static IP from John Adam's laptop and
sive it a dynamic IP. The Security Gateway lets the user John Adams access the
HR Web server from his laptop with a dynamic IP as the HR_Partner access role
tells it thatthe user John Adams from any machine and any network is permitted
mm Check Point Security Administration
Introduction to Identity Awareness
Browser-Based Authentication
Browser-Based Authentication acquites identities from unidentified users. You
‘can configure these acquisition methods:
* Captive Portal
» Transparent Kerberos Authentication
Captive Portal is a simple method that authenticates users through a web
interface before granting them access to Intranet resources. Captive Portal for
Identity Awareness is recommended for:
> Identity based enforcement for non-AD users (non-Windows and
_Buest users)
+ For deployment of Endpoint Identity Agents,
When users try to access a protected resource, they get a web page that must fill
out to continue.
Figure 79 — Captive Portal
With Transparent Kerberos Authentication, the browser attempts to authenticate
users transparently by getting identity information before the Captive Portal
usemame/password page opens. When you configure this option, the Captive
Portal requests authentication data from the browser. Upon successful
authentication, the user is redirected to its original destination. If authentication
fails, the user must enter credentials in the Captive Portal,
Student Manual 173
Teemtty Awareness
‘The Captive Portal option operates when a user tries to access a web resource and
all of these apply:
© ‘The Captive Portal is selected as a way to acquire identities and the
redirect option has been set for the applicable rule.
+ Unidentified users cannot access that resource because of rules with
access roles in the Firewall / Application Rule Base. But if users are
identified, they might be able to access the resource.
+ Transparent Kerberos Authentication was configured, but
authentication failed.
When these criteria are true, Captive Portal acquires the identities of users. From
the Captive Portal users can
Enter an existing user name and password if they have them.
© Forguest users, enter required credentials. Configure what is required
in the Portal Settings.
* Click a link to download an Identity Awareness agent. Configure this
in the Portal Settings.
Security Gataway with
Taenaty Awareness
Intranet
Figure 80 — Captive Portal
‘The diagram shows how Captive Portal works - in the Firewall rule base:
4. A user wants to access the Internal Data Center.
2. Identity Awareness does not recognize him and redirects the browser to the
Captive Portal,
3. The user enters his regular office credentials. The credentials can be AD or
other Check Point supported authentication methods, such as LDAP, Check
Point internal credentials, or RADIUS.
174 ‘Check Point Security Administration
Introduction to entity Awareness
4, The credentials are sent to the Sec
against the AD server.
5. The user can now go to the originally requested URL.
Gateway and verified in this example
If Transparent Kerberos Authentication is configured, the browser attempts to
authenticate users transparently by getting identity information before the
Captive Portal Usemname/password page is shown to the user. Transparent
Kerberos for Identity Awareness is recommended for use in:
* AD environments, when usersare already logged in to the domain and
the browser obtains identity information from the credentials used in
the original log in (SSO).
‘Transparent Kerberos authentication works this way:
1. A.user wants to access the Internal Data Center,
2 Identity Awareness does not recognize the user and reditects the browser to
the Transparent Authentication page.
‘The Transparent Authentication page asks the browser to authenticate itself,
4. The browser gets a Kerberos ticket from the Active Directory and presents it
to the Transparent Authentication page.
5. The Transparent Authentication page sends the ticket to the Security Gate-
way which authenticates the user and redirects ito the originally requested
URL.
6. If Kerberos authentication fails for some reason, Identity Awareness redirects
the browser to the Captive Portal,
Browser-Based Authentication lets you acquire identities from unidentified users
such as:
© Managed users connecting to the network from unknown devices
such as Linux computers or iPhones,
* Unmanaged, guest users such as partners ot contractors.
unidentified users try to connect to resources in the network that aze restricted
to identified users, they are automatically sent to the Captive Portal. IF
‘Transparent Kerberos Authentication is configured, the browser will atempt to
‘identify users that are logged into the domain using SSO before it shows the
Captive Portal
Student Manual
175
Teentity Awareness
Scenario: Recognized User from Unmanaged Device
‘The CEO of ACME, Iennifer McHanry, recently bought her own personal iPad.
She wants to access the internal Finance Web server from her iPad. Because the
iPad is not a member of the Active Directory domain, she cannot identify
seamlessly with AD Query. However, wants to be able fo enter her AD
‘credentials in the Captive Portal and then get the same access as on her office
‘computer. Her access to resources is based on rules in the Firewall Rule Base
‘To make this scenario work, the IT administrator must:
4. Enable Identity Awareness on a gateway and select Browser-Based Authenti-
cation as one of the Identity Sources.
2. In the Portal Settings window in the User Access section, make sure that
‘Name and password login is selected,
3. Create a new rule in the Firewall Rule Base to let Jennifer McHanry access
network destinations. Select accept as the Action.
4. Right-click the Action column and select Edit Properties. The Action Proper-
ties window opens.
5. Select the Redirect http connections to an authentication (captive) portal
Note: redirection will not oceur ifthe source IP is already mapped to a user
checkbox,
6. Click OK,
7. From the Soutce of the nule, right-click to create an Access Role.
a. Enter a Name for the Access Role.
b. Inthe Users tab, select Specific users and choose Jennifer MeHanry.
©. Inthe Machines tab make sure that Any machine is selected,
4, Click OK. The Access Role is added to the rule,
Figure 81 — Access Rule
Jennifer McHanry does these steps:
4. Browses to the Finance server from her iPad. The Captive Portal opens
because she is not identified and therefore cannot access the Finance Server.
2. She enters her usual system credentials in the Captive Portal. A Welcome to
the network window opens.
3. She can successfully browse to the Finance server.
176
Check Point Security Administration
Eee
Introduction to lanity Awareness
Siecetctniein |
rept ‘|
[patton Arete fl
Figure 82 — SmartView Tracker Log
This log entry shows that the system maps the source “Jennifer McHanry” to the
user name, This uses the identity acquired from Captive Portal,
Student Mansal 177
Taentity Aver
Scenario: Guest Users from Unmanaged Devices
‘Guests frequently come to the ACME company. While they visit, the CEO wants
to let them access the Intemet on their own laptops.
Amy, the IT administrator configures the Captive Portal to let unregistered guests
log in to the portal to get network access. She makes a rule in the Firewall Rule
Base to Jet unauthenticated guests access the Internet only.
‘When guests browse to the Internet, the Captive Portal opens. Guests enter their
‘name, company, email address, and phone number in the portal. They then agree
to the terms and conditions written in a network access agreement. Afterwards
they are given access to the Internet for a specified period of time.
‘To make this scenario work, the IT administrator must
4. Enable Identity Awareness on a gateway and select Browser-Based Authent
cation as one of the Identity Sources.
2, Inthe Portal Settings window in the User Access section, make sure that
Unregistered guest login is selected.
3. Click Unregistered guest login - Settings.
4. In the Unregistered Guest Login Settings window, configure:
~ The data guests must enter.
- For how long users can access the network resources.
- Ifa user agreement is required and its text.
4, Create two new rules in the Firewall Rule Base:
Ifit isnot already there, create a rule that identified users can access the Inter-
net fiom the organization.
From the Source of the rule, right-click to create an Access Role.
a
, Enter a Name for the Access Role.
In the Users tab, select All identified users.
4d. Click OK.
‘e. The Access Role is added to the rule,
Figure 83 — Access Role
Create a rule to let Unauthorized Guests access only the Intemet
178
Check Point Security Administration
Introduction to ldontly Awareness
8. From the Source of the rule, right-click to create an Access Role.
. Enter a Name for the Access Role.
©. Inthe Users tab, select Specific users and choose Unauthenticated Guests.
d. Click OK. The Access Role is added to the rule.
@, Select accept as the Action.
f. Right-click the Action column and select Edit Properties. The Action
Properties window opens.
8g, Select Redirect http connections to an authentication (captive) portal. Note:
redirection will not occur if the source IP is already mapped to a user.
h. Click OK.
ees
as is SEE ea se oe
emai [rv 32m | ty na
Figure 84 — Internat Rule
From the perspective of a guest at ACME, He or she does these steps:
4. Browses to an Internet site from her laptop.
‘The Captive Portal opens because she is not identified and therefore cannot
access the Internet.
2. She enters her identifying data in the Captive Portal and reads through and
accepts a network access agreement.
A Welcome to the network window opens.
3. She can successfully browse to the Intemet for a specified period of time,
Student Manual 179
‘The SmartView tracker log shows how the system recognizes a
guest
Gimiau
Bap malt ae ey
Figure 85 — Guest Record
Identity Agents
‘There are two types of Identity Agents:
‘+ Endpoint Identity Agents - dedicated client agents installed on uscts!
‘computers that acquire and report identities to the Security Gateway.
‘+ Terminal Servers Identity Agent - an agent installed on an application server
‘that hosts Citrix/Terminal services. It identifies individual users whose source
is the same IP address.
180 a ‘Check Point Security Administration
Seen
Thiroduction to ldentity Awareness
Figure 86 — Identity Agent
Endpoint Identity Agent for Identity Awareness is recommended for:
+ Leveraging identity for Data Center protection
Protecting highly sensitive servers
© When accuracy in detecting identity is crucial
Using Endpoint Identity Agents gives you:
* User and machine identity
© Minimal user intervention - all necessary configuration is done by
administrators and does not require user input
© Seamless connectivity - transparent authentication using Kerberos
Single Sign-On (SSO) when users are logged in o the domain. Ifyou
do not want to use SSO, users enter thei credentials manually. You
cam let them save these credentials
* Connectivity through roaming - users stay automatically identified
when they move between networks, as the client detects the
‘movement and reconneets.
» Added security - you can use the patented packet tagging technology
to prevent IP Spoofing. Endpoint Identity Agents also gives you
strong (Kerberos based) user and machine authentication,
Student Manual 181
Taentity Awareness
‘These are the types of Endpoint [dentity Agents you can install:
© Full — requires administrator permissions for installation, Ifinstalled
by a.user without administrator permissions, it will automatically
revert to installing the Light agent. The Full agent performs packet
tagging and machine authentication.
© Light — does not require administrator permissions for installation
Cannot be configured with packet tagging or machine authentication.
‘The light agent supports Microsoft Windows and Mac OS X. For
supported version information, see the R75.40 Release Notes (http!
supporteontent.checkpoint.com/solutions?id-sk67581).
© Custom — a customized installation package.
Users can download and install Endpoint Identity Agents from the Captive Portal
or you can distribute MSI/DMG files to computers with distribution software or
any other method (such as telling them where to download the client from).
‘ent Avareneas
Figure 87 — Captive Portal Download
‘This is how a user downloads the Endpoint Identity Agent from the Captive
Portal:
4. A.user logs in to his PC with his credentials and wants to access the Intemal
Data Center.
2. The Security Gateway enabled with Identity Awareness does not recognize
‘him and sends him to the Captive Portal
3. The Security Gateway sends a page that shows the Captive Portal tothe user.
It contains a link that he can use to download the Endpoint Identity Agent.
4, The user downloads the Endpoint Identity Agent from the Captive Portal and
installs it on his PC.
182 Check Point Security Administration
Seen Menvar
Tntraduction to dently Awareness
5. The Endpoint Identity Agent client connects to the Security Gateway.
If $80 with Kerberos is configured, the user is automatically connected
6. The useris authenticated and the Security Gateway sends the connection tits
destination according tothe Firewall Rule Base.
‘Terminal Servers Identity Agent is used to identify multiple users that connect
from one IP address, where a Terminal Server Identity agent is installed on the
application server that hosts Terminal/Citrix services. The Terminal Servers,
Identity Agent identifies users that use a Terminal Server or Citrix environment.
Scenario: Endpoint Identity Agent Deployment and User Group Access
‘The ACME organization wants to make sure thet only the Finance Department
‘can access the Finance Web server. The current Rule Base uses static IP
addresses to define access for the Finance Department.
‘Amy, the IT administrator wants to Ieverage the use of Endpoint Identity Agents
* Finance users will automatically be authenticated one time with SSO when
logging in (using Kerberos which is built-in into Microsoft Active Directory).
‘+ Users that roam the organization will have continuous access to the Finance
Web server.
+ Access to the Finance Web server will be more secure by preventing IP
spoofing attempis.
Amy wants Finance users to download the Endpoint Identity Agent from the
Captive Portal, She needs to configure:
+ Identity Agents as an identity source for Identity Awareness.
> Agent deployment for the Finance department group from the Captive Portal.
She needs to deploy the Full Identity Agent so she can set the IP spoofing
protection. No configuration is necessary on the client for IP spoofing
protection.
+ Arule in the Rule Base with an access role for Finance users, from all
‘managed machines and from all locations with IP spoofing protection
enabled.
183
Tentity Awareness
‘To make this seenario work, the IT administrator must:
41. Enable Identity Awareness on a gateway and select Identity Agents and
Browser-Based Authentication as Identity Sources.
2. Click the Browser-Based Authentication Settings button
4. In the Portal Settings window in the Users Access section, select Name and
password login.
4. Inthe Identity Agent Deployment from the Portal, select Requite users to
download and select Identity Agent - Full option.
Note: This configures Endpoint Identity Agent for ell users.
Alternatively, you can set Identity Agent download fora
specific group.
5. Configure Kerberos SSO.
6. Create a rule in the Firewall Rule Base that lets only Finance Department
users access the Finance Web server and install policy:
a. From the Source of the mle, right-click to ereate an Access Role,
b, Enter a Name for the Access Role
c. In the Networks tab, select Specific users and add the Active Directory
Finance user group.
4. In the Users tab, select All identified users.
. Inthe Machines tab, select All identified machines and select Enforce IP
spoofing protection (requires Full Identity Agent)
€ Click OK.
2 The Access Role is added to the rule.
Figure 88 — Rule
7. Install Policy
‘The Finance Department user can now browse to the Finance Web server, where
the Captive Portal opens because the user is not identified and cannot access the
server.
8. A link to download the Endpoint Identity Agent will be displayed.
184
Check Point Security Administration
See
Introduction to Identity Awarencos
}
Figure 89 — Endpoint Identity Agent Link
98. The user clicks the link to download the Endpoint Identity Agent. The user
‘automatically connects to the gateway. A window opens asking the user to
trust the server,
Note: The trust window opens because the user connects to the
Security Gateway with Identity Awareness using the File
name based server discovery option. (Note that there are other
server discovery methods that do not require user trust
confirmation),
10, Click OK. The user automatically connects to the Finance Web server. The
user can successfully browse to the Internet for a specified period of time,
Other options that can be configured for Endpoint Identity Agents
© A method that determines how Endpoint Identity Agents connect to a Security
Gateway enabled with Identity Awareness and trusts it,
© Access roles to leverage machine awareness
* End user interface protection so users cannot access the client settings.
Let users defer client installation for a set time and ask for user agreement
confirmation,
Student Manuat 185
Tdentity Awareness
Deployment
Scenario: Identifying Users Accessing the Internet through Terminal
Servers
‘The ACME organization defined a new policy that only allows users to access the
Intemet through Terminal Servers. The ACME organization wants to make sure
that only the Sales department will be able to access Facebook. The current Rule
Base uses static IP addresses to define access for Facebook, but now all
connections are initiated from the Terminal Servers’ IP addresses.
‘Amy, the IT'administrator wants to leverage the use of the Terminal Servers
solution so that:
+ Sales users will automaticaly be authenticated with Identity Awareness when
logging in tothe Terminal Servers.
* All connections to the Internet will be identified and logged.
‘+ Access to Facebook will be restricted tothe Sales depariment's uses.
To enable the Terminal Servers solution, Amy must:
+ Configure Terminal ServeriCit
Identity Awareness,
Identity Agents as an identity source for
‘Install a Terminal Servers Identity Agent on each of the Terminal Servers.
© Configure a shared secret between the Terminal Servers Identity Agents and
the Identity Server.
‘After configuration and installation of the policy, users that log in to Terminal
Servers and browse to the Internet will be identified and only Sales
department users will be able to access Facebook.
‘You can deploy Check Point Security Gateways enabled with Identity Awareness
in various scenarios that provide a maximum level of security for your network
environment and corporate data. This section describes recommended
deployment scenarios and options available with Identity Awareness.
* Perimeter security gateway with Identity Awareness — This deployment
scenario is the most common scenario, where you deploy the Check Point
security gateway at the perimeter where it protects access to the DMZ. and the
intemal network. The perimeter security gateway can also control and inspect
outbound traffic, targeted to the Internet, In this case, you can create an
identity-based firewall security Rule Base together with Application Control
+ Data Center protection — If you have a Data Center or server farm,
segregated from the users’ network, you can protect access to the servers with
186
Gheck Point Security Administration
Student Manwal
Tntroduction to Identity Awareness
the security gateway. To do this, deploy the security gateway inline infront of
the Data Center. All trafic that flows is then inspected by the gateway. You
ccan control access to resources and applications with an identity-based access
policy. You can deploy the security gateway in transparent mode (bridge
‘mode) to avoid significant changes in the existing network infrastructure.
Large scale enterprise deployment — In large scale enterprise networks,
there is a need to deploy multiple security gateways at different network
locations, such as the perimeter firewall and multiple Data Centers. Identity
‘Awareness capability is centrally managed through the Security Management
Server and SmartDashboard. You can distribute the identity-based policy to
all identity aware security gateways in the network. entity information
about all users and machines obtained by each gateway is shared between all
gateways in the network to provide a complete Identity Awareness
infiastructure
Network segregation — The security gateway helps you migrete or design
intemal network segregation. Identity Awareness lets you control access
between different segments in the network by ereating an identity-based
policy. You can deploy the security gateway close to the access network to
avoid malware threats and unauthorized access to general resources in the
global network
Distributed enterprise with branch offices — The distributed enterprise
consists of remote branch offices connected to the headquarters through VPN
lines. You can deploy the security gateway atthe remote branch offices to
avoid malwate threats and unauthorized access to the headquarters’ internal
network and Data Centers. When you enable Identity Awareness atthe branch
office gateway you make sure that users are authenticated before they reach
intemal resources. The identity information learned from the branch office
gateways is shared between intemal gateways to avoid unnecessary
authentications
Wireless campus — Wireless networks are not considered secure for
network access, however they are intensively used to provide access to
wireless-enabled corporate devices and guests. You can deploy a security
gateway enabled with Identity Awareness inline in front ofthe wireless
switch, provide an identity aware access policy and inspect the traffic that
comes fiom WLAN users Identity Awareness gives guests access by
authenticating guests with the web Captive Portal.
187
Tdontity Awareness
Practice and Review
Practice Labs
Lab 9: Identity Awareness
Review
1. Identity Awareness lets you configure network access based on what?
2, Browser-based Authentication lets you acquire identities from...?
3. What are the two types of Identity Agents?
iss Check Point Security Administration
cuaprers —-—- Introduction to
Check Point VPNs
Check Point Security Administration
189
Tnireduction to Check Point VPNs
Introduction to VPNs
Virtual Private Networking technology leverages the Internet to build and
enhance secure network connectivity. Based on standard Intemet secure
protocols, a VPN enables secure links between special types of network nodes:
the Gateways, Site-to site VPN ensures secure links between Gateways, Remote
Access VPN ensures secure links between Gateways and remote access clients,
Learning Objectives:
© Configure a certificate-based site-to-site VPN.
© Configure permanent tunnels for remote access to corporate resources.
* Configure VPN tunnel sharing, given the difference between host-based,
subnet-based and gateway-based tunnels.
190 ‘Check Point Security Administration
Fees
The Check Pom VEN
The Check Point VPN
A Virtual Private Network (VPN) is a secure-connectivity platform that both
‘connects networks and protects the data passing between them. For example, an
organization may have geographically spaced networks connected via the
Internet; the company has connectivity but no privacy. The Gateway provides
privacy by encrypting those connections that need to be secure. Another
company may connect all parts of its geographically spaced network through the
use of dedicated leased lines; this company has achieved connectivity and
privacy, but at great expense. Gateway offers a cheaper connectivity solution by
connecting the different parts of the network via the publie Internet.
Extranet Pines
ices
Cosporat Hate Remote Users
(atm 05 eon
Se ag Lasts
sa <7
breyaed
vn net cae Siete Frpince
Branch otiees
Figute 90 — Check Point VPN Deployment
A VPN employs encrypted tunnels to exchange securely protected data, The
Security Gateway creates encrypted tunnels by using the Internet Key Exchange
(IKE) and IP Security (IPSec) protocols - ESP (Encapsulating Security Payload).
IKE creates the VPN tunnel, and this tunnel is used to transfer IPSec encoded
data, Think of IKE as the process that builds 2 tunnel, and IPSec packets as trucks
that carry the encrypted data along the tunnel
Student Manual i9T
Tniroduction to Check Point VPNe
VPN Deployments
Site-to-Site VPNs
192
A VPN uses the Internet as its network backbone, allowing the establishment of
secure communication links among company offices, business partners, and s0
‘on. VPNs are replacing more expensive leased lines, Frame Relay circuits, and
other forms of dedicated connections.
Site-to-site VPNs are built to handle secure communication between @ company’s
internal departments and branch offices. A site-to-site VPN’s design
requirements include:
* Strong data encryption, to protect confidential information,
© Reliability for mission-critical systems, such as database management.
* Scalability, to accommodate growth and change,
DuziPubsic Server(s)
Esmail
World Wide Web
File Transfer
Branch Office
el
Secu sect
Satowsy Sion
Figure 91 — site-o-Site VPN
Check Point Security Administration
— WEN Deployments
Remote-Access VPNs
Remote-access VPNs are built to handle secure communication between &
conporate network, and remote or mobile employees. A remote-access VPN’s
design requirements include:
© Strong authentication, to verify remote and mobile users.
* Centralized management.
* Scalability, to accommodate user groups.
DitziPublic Server(s)
E-mail
World Wide web
File Transfer
Mobite Users
Figure 92 — Remote-Access VPN
Student Manual 193
Tmiroduction to Chack Polnt VPN:
VPN Implementation
A.complete VPN implementation supports both VPN categories: Site-to-site and
remote-access VPNs. This allows a company worldwide access to network
resources, links mobile workers to corporate intranets, allows customers to place
orders, and enables suppliers to check inventory levels — all in a highly secure
and costeffective manner,
Dinz/Pablic Server{s) customers
Email
Word Wide Web
ile Tranetor
Mobile Users
Figure 93 ~ Check Point VPN Example
‘The complete VPN must include three critical VPN components:
VPN Endpoints — Gateways, clusters of gateways, or remote client software
(for mobile users) which negotiate the VPN link.
VPN Trust Entities — For example, the Check Point Internal Certificate
Authority. The ICA is part of the Check Point suite used for establishing trust for
SIC connections between Gateways, authenticating administrators and third party
servers. The ICA provides certificates for intemal Gateways and remote access
clients which negotiate the VPN link.
VPN Management Tools — Security Management Server and Dashboard.
‘SmartDashboard is the SmartConsole component used to access the Security
Management Server. The VPN Manager is part of SmartDashboard.
194
Check Point Security Administration
VPN Setup
VPN implementation
‘SmartDashboard enables organizations to define and deploy site-o-site, and
remote Access VPNs.
Configuring a VPN can be @ complicated task for Security Administrators. Check
Point’s management tools provide a simplified VPN setup mode, reducing the
‘VPN configuration process to essentials, and making setup straightforward and
simple.
Understanding VPN Deployment
VPN Communities
Sadent Maruai
‘The Check Point VPN management model enables Administrators to directly
define a VPN on a group of Gateways. Each Geteway ina group, and al (or part)
of its protected domain, constitute a new entity: a VPN site.
(A.VPN site isnot tobe confused with a site that is defined for Endpoint Security
‘Secure Access clients.)
Each VPN site performs encryption on behalf of a VPN Domain - the protected
domain or part of the domain requiring encrypted connections to the peer VPN
Site, System Administrators group VPN sites together, creating a VPN
‘Community. A VPN Community is a collection of VPN sites and the enabled
‘VPN tunnels (secure connections) among them, with predefined properties that
are automatically applied to each Community member.
‘The structure of the VPN Community is automatically translated into encrypted
connections among: its members, so the Administrator is relieved of the task of
Anda mungkin juga menyukai
- Linux Journal July 2015Dokumen97 halamanLinux Journal July 2015EconBelum ada peringkat
- Check Point Security Administration Lab ManualDokumen270 halamanCheck Point Security Administration Lab ManualEcon100% (3)
- Network Protocols Handbook Osi Model Complete Very Usefull Protocol Used by Layer by Layer AproachDokumen359 halamanNetwork Protocols Handbook Osi Model Complete Very Usefull Protocol Used by Layer by Layer AproachvickygssnBelum ada peringkat
- Pharmacogenetics of Psychotropic Drugs - B. Lerer (Cambridge, 2004) WWDokumen458 halamanPharmacogenetics of Psychotropic Drugs - B. Lerer (Cambridge, 2004) WWEcon100% (1)
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeDari EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifePenilaian: 4 dari 5 bintang4/5 (5782)
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceDari EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RacePenilaian: 4 dari 5 bintang4/5 (890)
- The Yellow House: A Memoir (2019 National Book Award Winner)Dari EverandThe Yellow House: A Memoir (2019 National Book Award Winner)Penilaian: 4 dari 5 bintang4/5 (98)
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureDari EverandElon Musk: Tesla, SpaceX, and the Quest for a Fantastic FuturePenilaian: 4.5 dari 5 bintang4.5/5 (474)
- Shoe Dog: A Memoir by the Creator of NikeDari EverandShoe Dog: A Memoir by the Creator of NikePenilaian: 4.5 dari 5 bintang4.5/5 (537)
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaDari EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaPenilaian: 4.5 dari 5 bintang4.5/5 (265)
- The Little Book of Hygge: Danish Secrets to Happy LivingDari EverandThe Little Book of Hygge: Danish Secrets to Happy LivingPenilaian: 3.5 dari 5 bintang3.5/5 (399)
- Never Split the Difference: Negotiating As If Your Life Depended On ItDari EverandNever Split the Difference: Negotiating As If Your Life Depended On ItPenilaian: 4.5 dari 5 bintang4.5/5 (838)
- Grit: The Power of Passion and PerseveranceDari EverandGrit: The Power of Passion and PerseverancePenilaian: 4 dari 5 bintang4/5 (587)
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryDari EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryPenilaian: 3.5 dari 5 bintang3.5/5 (231)
- The Emperor of All Maladies: A Biography of CancerDari EverandThe Emperor of All Maladies: A Biography of CancerPenilaian: 4.5 dari 5 bintang4.5/5 (271)
- Team of Rivals: The Political Genius of Abraham LincolnDari EverandTeam of Rivals: The Political Genius of Abraham LincolnPenilaian: 4.5 dari 5 bintang4.5/5 (234)
- On Fire: The (Burning) Case for a Green New DealDari EverandOn Fire: The (Burning) Case for a Green New DealPenilaian: 4 dari 5 bintang4/5 (72)
- The Unwinding: An Inner History of the New AmericaDari EverandThe Unwinding: An Inner History of the New AmericaPenilaian: 4 dari 5 bintang4/5 (45)
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersDari EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersPenilaian: 4.5 dari 5 bintang4.5/5 (344)
- Rise of ISIS: A Threat We Can't IgnoreDari EverandRise of ISIS: A Threat We Can't IgnorePenilaian: 3.5 dari 5 bintang3.5/5 (137)
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyDari EverandThe World Is Flat 3.0: A Brief History of the Twenty-first CenturyPenilaian: 3.5 dari 5 bintang3.5/5 (2219)
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreDari EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You ArePenilaian: 4 dari 5 bintang4/5 (1090)
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)Dari EverandThe Sympathizer: A Novel (Pulitzer Prize for Fiction)Penilaian: 4.5 dari 5 bintang4.5/5 (119)
- Her Body and Other Parties: StoriesDari EverandHer Body and Other Parties: StoriesPenilaian: 4 dari 5 bintang4/5 (821)
- Literature Review FontsDokumen7 halamanLiterature Review Fontseaibyfvkg100% (1)
- Strathclyde Online Registation GuideDokumen10 halamanStrathclyde Online Registation Guidess4444333Belum ada peringkat
- Studio 1824c and 1810c: Owner's ManualDokumen40 halamanStudio 1824c and 1810c: Owner's ManualRay MercierBelum ada peringkat
- Bus Software Week 7Dokumen5 halamanBus Software Week 7Ashley Niña Lee HugoBelum ada peringkat
- 1 PB PDFDokumen11 halaman1 PB PDFelia eliaBelum ada peringkat
- Find and ReplaceDokumen5 halamanFind and ReplaceYamini ShindeBelum ada peringkat
- Sensors and IoT 1Dokumen39 halamanSensors and IoT 1Kani mozhiBelum ada peringkat
- 50 TOP SOA Multiple Choice Questions and Answers PDF Free Download - Multiple Choice Questions and Answers PDFDokumen7 halaman50 TOP SOA Multiple Choice Questions and Answers PDF Free Download - Multiple Choice Questions and Answers PDFsivaram_500540% (5)
- TCS Case StudyDokumen10 halamanTCS Case StudyKanganFatima100% (2)
- Power Builder Interview Questions and AnswersDokumen34 halamanPower Builder Interview Questions and Answersppdeepak50% (2)
- T7460A, B, C, D, E, F: FeaturesDokumen6 halamanT7460A, B, C, D, E, F: FeaturesQuyết Nguyễn MạnhBelum ada peringkat
- Forecasting Time Series Data With Facebook ProphetDokumen270 halamanForecasting Time Series Data With Facebook ProphetRade Bajic100% (1)
- Module-4 Lex YaccDokumen67 halamanModule-4 Lex YaccH3ck AssassinBelum ada peringkat
- Sample Paper Tallentex Class 5th 2022 23Dokumen1 halamanSample Paper Tallentex Class 5th 2022 23MeeraBelum ada peringkat
- CACE Lab-1 VIVA QSDokumen4 halamanCACE Lab-1 VIVA QSPalaka RahulBelum ada peringkat
- Regula-Falsi Method for Solving Equations (NACADokumen8 halamanRegula-Falsi Method for Solving Equations (NACAmuzamil hussainBelum ada peringkat
- Mathematics Resource Package: I. ObjectivesDokumen8 halamanMathematics Resource Package: I. ObjectivesLorkhanBelum ada peringkat
- Poly Studio x50 Ds en PDFDokumen3 halamanPoly Studio x50 Ds en PDFvariBelum ada peringkat
- First Simulation Exam - Percobaan 1, 2, 3Dokumen81 halamanFirst Simulation Exam - Percobaan 1, 2, 3ANNISABelum ada peringkat
- Using Induction To Design Algorithms: Udi ManberDokumen14 halamanUsing Induction To Design Algorithms: Udi ManberRita CatiniBelum ada peringkat
- (Ranjay Gulati) Managing Network Resources AllianDokumen342 halaman(Ranjay Gulati) Managing Network Resources AllianFabio AppolinarioBelum ada peringkat
- GA-H61M-DS2 DVI Block DiagramDokumen31 halamanGA-H61M-DS2 DVI Block Diagramsỹ QuốcBelum ada peringkat
- Integration Guide - OP 2020Dokumen44 halamanIntegration Guide - OP 2020Kiran JadhavBelum ada peringkat
- Lab 2. TraceroutDokumen20 halamanLab 2. TraceroutNaski KuafniBelum ada peringkat
- AMR Notes - Anil Manal PatilDokumen25 halamanAMR Notes - Anil Manal PatilDuRvEsH RaYsInGBelum ada peringkat
- Scales of Measurement - Level of Measurement - Statistics How ToDokumen3 halamanScales of Measurement - Level of Measurement - Statistics How ToAsif gillBelum ada peringkat
- "Project Title" Open Shortest Path First Group MembersDokumen13 halaman"Project Title" Open Shortest Path First Group MembersGanesh MaliBelum ada peringkat
- (3A) Apoorva A Facility Location Dilemma, Student SpreadsheetDokumen16 halaman(3A) Apoorva A Facility Location Dilemma, Student Spreadsheetkrishna chaitanyaBelum ada peringkat
- 2017 Book Industrial Internet of ThingsDokumen714 halaman2017 Book Industrial Internet of ThingsItzel Morales93% (14)
- PreTrip - Template English ChandlerDokumen4 halamanPreTrip - Template English ChandlerkukarekuBelum ada peringkat
