
CCSA-Module 1

AITA\SWBU\CCSA\08

Module 1
VPN-1/FireWall-1 NG Architecture

Introduction

Objectives
- Describe the purpose of a firewall
- Describe and compare firewall architectures
- Identify the different components of VPN-1/FireWall-1 NG

Key Terms
- Firewall
- Packet Filtering
- Application Layer Gateway (Proxy)
- Client/Server Model
- Stateful Inspection
- Management Client
- Secure Internal Communication (SIC)
- Virtual Private Network (VPN)
- Secure Virtual Network (SVN)
Check Point Product Overview
- Securing the Internet
- An emerging requirement
- Securing Networks, Systems, Applications and Users

Secure Virtual Network (SVN)
- SVN is a true security architecture
- Integrates multiple capabilities, including firewall security, VPNs, IP address management etc., all within a common management framework
- Enables security to be defined and enforced in a single policy incorporating all aspects of network security

Emerging Requirements
- To enjoy the benefits of an eBusiness model, a robust security infrastructure needs to be deployed
- Integrating the security infrastructure with the application environment
- Providing full security for eBusiness
- Allowing easily established and maintained trusted relationships

SVN Architecture
- Designed to meet the challenges of eBusiness
- Connects the four elements common to any enterprise network:
  - Networks
  - Systems
  - Applications
  - Users

SVN Diagram

VPN-1/FireWall-1
- Key component of the SVN architecture
- Access Control
- User Authentication
- Network Address Translation (NAT)
- Virtual Private Networking
- High Availability
- Content Security
- Auditing and Reporting
- LDAP-based user management
VPN-1/FireWall-1 (continued)
- Intrusion Detection
- Malicious Activity Detection
- Third-party Device Management
- High Availability and Load Sharing

Internet Firewall Technologies
- A firewall is a system designed to prevent unauthorised access to or from a secured network
- Acts as a locked security door between internal and external networks
- Data meeting certain criteria will be allowed through
- However, note that a firewall can only protect a network from traffic filtered through it
Stateful Inspection Technology
- Invented by Check Point Software Technologies
- Utilises the INSPECT Engine:
  - Programmable using the INSPECT language
  - Provides for system extensibility
  - Dynamically loaded into the OS kernel
  - Intercepts and inspects all inbound and outbound packets on all interfaces
  - Verifies that packets comply with the security policy

Firewall Technologies
- Packet Filters
- Application-Layer Gateway
- Stateful Inspection

Packet Filtering Path in the OSI Model

Packet Filter FTP Example

Application-Layer Gateway Path

Stateful Inspection

VPN-1/FireWall-1 NG Enforcement Module

How VPN-1/FireWall-1 NG FP-1 Works: INSPECT
Allowing packets:
- If a packet passes inspection, the Firewall Module passes it through the TCP/IP stack to its destination
- Packets destined for local OS processes are inspected, then passed through the TCP/IP stack
- If a packet does not pass inspection, it is rejected or dropped, and logged
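As an added illustration (not Check Point's INSPECT code and not part of the original slides), the following Python models the distinction the Firewall Technologies slides draw between a stateless packet filter and stateful inspection: outbound connections are recorded in a connection table, return traffic is admitted only when it matches a recorded connection, and anything else is dropped and logged. The network range, addresses and packets are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed policy: hosts in INTERNAL may open TCP connections outbound;
# inbound packets are accepted only if they belong to a connection already
# seen leaving. Everything else is dropped and logged.
INTERNAL = ip_network("10.0.0.0/24")  # constructed sample network

# syn_only is True for a bare SYN, i.e. a new connection attempt
Packet = namedtuple("Packet", "src sport dst dport syn_only")


def stateless_filter(pkt):
    """Packet filter: no memory, so replies to internal clients can only be
    admitted by leaving every high inbound port open."""
    if ip_address(pkt.src) in INTERNAL:
        return "accept"
    return "accept" if pkt.dport > 1023 else "drop"


class StatefulFirewall:
    """Connection table keyed by (client, cport, server, sport)."""

    def __init__(self):
        self.table = set()
        self.log = []  # dropped packets, as the module would log them

    def inspect(self, pkt):
        if ip_address(pkt.src) in INTERNAL:  # outbound direction
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn_only:
                self.table.add(key)  # record the new connection
            if key in self.table:
                return "accept"
        else:  # inbound: must match the reply direction of a known connection
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table and not pkt.syn_only:
                return "accept"
        self.log.append(f"drop {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
        return "drop"


def demo():
    """Verdicts for a legitimate web request/reply and one unsolicited probe."""
    fw = StatefulFirewall()
    pkts = [Packet("10.0.0.5", 40000, "198.51.100.7", 80, True),   # client SYN
            Packet("198.51.100.7", 80, "10.0.0.5", 40000, False),  # server reply
            Packet("203.0.113.9", 4444, "10.0.0.5", 8080, True)]   # never requested
    return {"stateful": [fw.inspect(p) for p in pkts],
            "stateless": [stateless_filter(p) for p in pkts],
            "logged": len(fw.log)}
```

The stateless filter admits the unsolicited inbound packet because it must leave high ports open for replies; the stateful engine drops and logs it because no internal host opened that connection.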

INSPECT Module Flow

VPN-1/FireWall-1 NG Architecture
- The Policy Editor
- Management Module
- VPN-1/FireWall-1 NG Enforcement Module
- SVN Foundation

Check Point Policy Editor

Management Module
- The security policy is defined using the Policy Editor on the Management Client
- It is then saved to the Management Module
- The Management Module maintains the FW-1 NG databases, including:
  - Network object definitions
  - User definitions
  - Security policy
  - Log files
VPN-1/FireWall-1 NG Enforcement Module
- Deployed on the Internet gateway
- An Inspection Script written in INSPECT is generated from the security policy
- Inspection Code is compiled from the script and downloaded to the Enforcement Module

SVN Foundation
- Check Point SVN Foundation NG (CPShared) is the Operating System integrated with every Check Point product
- All Check Point products use the CPOS services via CPShared
- The SVN Foundation includes:
  - Secure Internal Communication (SIC)
  - Check Point registry
  - CPShared daemon
  - Watch Dog for critical services
  - cpconfig
  - License utilities
  - SNMP daemon
Secure Internal Communication (SIC)
- Communication Components
- Security Benefits
- SIC Certificates
- Communication between Management Modules and Components
- Communication between Management Modules and Management Clients

Communication Components
SIC secures communication between Check Point SVN components such as:
- Management Modules
- Management Clients
- VPN-1/FireWall-1 NG Modules
- Customer Log Modules
- SecureConnect Modules
- Policy Servers
- OPSEC applications
Security Benefits of SIC
- Confirms that a Management Client connecting to a Management Module is authorised
- Verifies that a security policy loaded on a firewall module came from an authorised Management Module
- Ensures that data privacy and integrity are maintained

SIC Certificates
- SIC for Check Point VPN uses certificates for authentication and standards-based SSL for encryption
- Enables each Check Point enabled machine to be uniquely identified
- Certificates are generated by the Internal Certificate Authority (ICA) on the Management Module
- A unique certificate is generated for each physical machine

Communication between Management Modules and Components
- The ICA automatically creates a certificate for the Management Module during installation
- Certificates for other modules are created via a simple initialisation from the Management Client
- Upon initialisation, the ICA creates, signs and delivers a certificate to the communication component

Communication between Management Modules and Management Clients
- The Management Client must be defined as authorised
- When invoking the Policy Editor on the Management Client, the user is asked to:
  - Identify themselves
  - Specify the IP address of the Management Module
- The Management Client then initiates an SSL-based connection
- The Management Module verifies the Client's IP address
- The Management Module sends back its certificate
Distributed VPN-1/FireWall-1 NG configuration showing the components with certificates

Distributed Client/Server Configuration
