
CCSA Study Guide NGX 156-215.1

Licensing
* Central: the new license remains valid when changing the IP address of the Check Point Gateway. There is no need to create and install a new license. Only one IP address is needed for all licenses. A license can be taken from one Check Point Gateway and given to another.
* Q: You must request a central license for one remote gateway. How would you request and apply the license?
  A: Request the central license using the SmartCenter Server's IP, then attach the license to the remote gateway using SmartUpdate.

LDAP
* Sequence for configuring user management:
  1. Enable LDAP in Global Properties
  2. Configure a host node for the LDAP server
  3. Configure an object for the LDAP account unit
* In NGX, if a distinguished name (DN) is NOT found in LDAP, NGX takes the common-name value from the certificate subject and searches the LDAP account unit for a matching user ID.
* When you add LDAP users to a client authentication rule you need an LDAP group in the client authentication rule.
* A user attempts authentication using SecuRemote, and the user's password is rejected. A valid cause would be that the LDAP and security gateway databases are not synchronized.
* On the SmartCenter Server: $FWDIR/lib/ldap/schema_microsoft_ad.ldif
* Profiles: Microsoft_AD, Novell_DS, Netscape_DS, OPSEC_DS

Authentication
* Checks 3 places: internal users database, LDAP server, generic profile
* User authentication
  1. Five services allowed: telnet / ftp / rlogin / http / https
  2. Two connections are created after successful authentication: client to gateway, and gateway to target server
  3. Per-user basis. Best used if the user is connecting from different machines
  4. 3 auth attempts by default
  5. The security server first checks if the connection can be allowed by a rule that does not require authentication. If one exists, the user will be connected through the less restrictive rule, bypassing the user authentication rule. I had 2 questions on this.
* Session authentication
  1. Any service
  2. Requires the Session Authentication Agent, which performs automatic authentication

* Client authentication
  1. Any service
  2. Grants access on a per host/IP address basis
  3. Needs to be above the stealth rule in the rule base, to connect to the gateway first
  4. Best used for workstations, single-user machines
  5. It is possible to set a refreshable time-out for client authentication. This means that for every new connection the time-out is reset (default = 30 minutes)
  6. Required Sign-On options
     a. Standard Sign On: the user on a client machine is allowed to use all services, and does not have to log on for each service used.
     b. Specific Sign On: the user must re-authenticate for each service accessed.
  7. Sign-On Methods
     a. Manual: telnet to the security gateway on port 259, or HTTP on port 900
     b. Partially Automatic: all client authentication rules for users are activated. User authentication is used as the trigger. Session authentication is never used.
     c. Fully Automatic: attempts session authentication if the service does not support user authentication. User authentication is used as a trigger wherever it can be; session authentication is used otherwise.
     d. Agent Automatic: attempts session authentication and requires the agent to be installed. Session authentication is always used; user authentication is never used.
        i. The difference between Fully Automatic and Agent Automatic is that Agent Automatic always uses session authentication. With Fully Automatic, user authentication is used where it is supported.
     e. Single Sign On: NGX sends a query to the User Authority with the packet's source IP address. It returns the name of the user who is registered to that IP address. If it is the name of the authenticated user, the traffic is passed; otherwise it is dropped.

Multicast
* Typical use: real-time audio and video to a set of hosts
* Configured on the gateway's interface settings
* Controls access of multicast traffic to specific groups, ensuring that multicast applications are not inadvertently broadcast to outside groups.
* Multicast traffic to and from specific objects is controlled via policy rules
* show ip mroute: display the contents of the multicast routing table (224.0.0.1)
* show ip multicast boundary: obtain summarized info for all boundaries within all interfaces

Attacks
Common attacks:
* Teardrop: DoS. The attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.
* LAND: DoS. A SYN packet in which the source address and port are the same as the destination.
* SmallPMTU: TCP, a bandwidth attack. The client fools the server into sending large amounts of data using small packets, creating a "bottleneck" on the server.

* Ping of Death: DoS. Simply sending ping packets that exceed the IP packet size, larger than 64 KB.

TCP Handshake
* The active open is performed by sending a SYN to the server.
* In response, the server replies with a SYN-ACK.
* Finally the client sends an ACK back to the server.
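The three malformed-packet attacks listed above are each recognisable from packet-header arithmetic alone, which is how a gateway or IDS flags them. The following is an added example written for these notes, not Check Point code: the packet is a simplified dict (proto, addresses, ports, fragment offset in 8-byte units, payload length), the sample packets are constructed, and there is no real parser behind it.

```python
"""Detection checks for the LAND, Ping of Death and Teardrop patterns described
in the notes, run over constructed packet records (added example, not Check
Point code).  A "datagram" is the list of fragments that share one IP ID."""

IPV4_MAX_LEN = 65535  # largest datagram IP can carry, all fragments reassembled


def is_land(pkt):
    """LAND: a TCP SYN whose source and destination address:port are identical."""
    return (
        pkt["proto"] == "tcp"
        and "SYN" in pkt.get("flags", ())
        and pkt["src"] == pkt["dst"]
        and pkt["sport"] == pkt["dport"]
    )


def fragment_end(frag):
    """Byte offset just past this fragment's payload in the reassembled datagram."""
    return frag.get("frag_offset", 0) * 8 + frag.get("payload_len", 0)


def is_ping_of_death(frags):
    """Ping of Death: ICMP fragments that would reassemble past the IP size limit."""
    icmp = [f for f in frags if f["proto"] == "icmp"]
    return bool(icmp) and max(fragment_end(f) for f in icmp) > IPV4_MAX_LEN


def is_teardrop(frags):
    """Teardrop: a fragment whose offset starts inside the previous fragment."""
    ordered = sorted(frags, key=lambda f: f.get("frag_offset", 0))
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.get("frag_offset", 0) * 8 < fragment_end(prev):
            return True
    return False


def classify_datagram(frags):
    """Return the set of attack labels that apply to one datagram's fragments."""
    labels = set()
    if any(is_land(f) for f in frags):
        labels.add("LAND")
    if is_ping_of_death(frags):
        labels.add("PING_OF_DEATH")
    if is_teardrop(frags):
        labels.add("TEARDROP")
    return labels


# Constructed samples (not captured traffic).
LAND_PKT = {"proto": "tcp", "flags": ("SYN",), "src": "10.0.0.5", "sport": 139,
            "dst": "10.0.0.5", "dport": 139, "frag_offset": 0, "payload_len": 0}
NORMAL_SYN = {"proto": "tcp", "flags": ("SYN",), "src": "10.0.0.7", "sport": 40000,
              "dst": "10.0.0.5", "dport": 80, "frag_offset": 0, "payload_len": 0}
# 45 ICMP fragments of 1480 bytes each (185 units of 8): the last one ends at
# 44 * 185 * 8 + 1480 = 66600 bytes, beyond what IP can reassemble.
POD_FRAGS = [
    {"proto": "icmp", "src": "198.51.100.9", "dst": "10.0.0.5",
     "frag_offset": k * 185, "payload_len": 1480}
    for k in range(45)
]
# Second fragment claims to start at byte 24, inside the first (bytes 0-35).
TEARDROP_FRAGS = [
    {"proto": "udp", "src": "198.51.100.9", "dst": "10.0.0.5", "frag_offset": 0, "payload_len": 36},
    {"proto": "udp", "src": "198.51.100.9", "dst": "10.0.0.5", "frag_offset": 3, "payload_len": 24},
]

if __name__ == "__main__":
    for name, dg in [("land", [LAND_PKT]), ("normal", [NORMAL_SYN]),
                     ("pod", POD_FRAGS), ("teardrop", TEARDROP_FRAGS)]:
        print(name, classify_datagram(dg) or "clean")
```

Each check keys on the property the note names: identical endpoints for LAND, reassembled size over 65535 for Ping of Death, and overlapping fragment offsets for Teardrop, so a normal multi-fragment ping (fragments that abut exactly) triggers neither of the fragment checks.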

SmartDefense
* SmartDefense is subscription based
* Settings are global when creating two or more policy packages
* Dshield.org integrates with SmartDefense by using a block list which is refreshed every 3 hours. The object that needs to be created is called CPDShield.
* You can send alerts and user-defined alerts back to DShield. I had 2 questions about this.
* Place the Block List rule as high as possible in the Security Rule Base, but below all authentication rules, and any other rules you are absolutely certain have a reputable source.
* Host port scan, sweep scan
* Peer to peer
* Explicitly protect low ports / dynamic ports

Web Intelligence (a separate tab in the SmartDashboard)
* Host configuration
* HTTP worm catcher: a worm is self-replicating malware
* Cross-site scripting: between user and websites. Malicious scripts. Steal users' identities. Cookies.
* HTTP protocol inspection: strict enforcement of the HTTP protocol (i.e. format size, ASCII-only request/response headers)
* Mail: strict enforcement of the SMTP protocol
  1. To prevent the SMTP server from being a spam relay, the most efficient way would be to configure the SMTP security server to perform filtering based on IP address and SMTP protocols
* FTP: to create more granular control over FTP commands, like CWD and FIND, use the FTP security server settings in SmartDefense
  1. Radio button "Configurations apply to all connections": forward all FTP connections to the FTP security server
* Microsoft Networks: CIFS, file and print sharing
* DNS: cache poisoning can make the DNS server accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries.
* VoIP: validates SIP headers
* Sweep scan: many hosts

Security Servers
* CVP = TCP port 18181, UFP = TCP port 18182
* Control the maximum number of mail messages in a spool directory: the gateway object's SMTP settings under Advanced

NAT
* Know how many NAT entries are created for automatic/manual and host/network object NAT.
* If you use automatic NAT on a network object, there will be two NAT rules added to the firewall
* Static NAT
* Hide NAT
* RFC 1918: address allocation for private IP networks; these IP networks cannot traverse public IP networks
* Port numbers are assigned dynamically: 600-1023 and 10000-60000. If the original port number is less than 1024, a port number is assigned from the first pool. Else a port number is assigned from the second pool.
* The high port number pool can be changed with DbEdit
* Manual NAT rules (example: necessary to do PAT for 1 static IP address, SMTP to 192.168.1.1 and HTTP to 192.168.1.2)
* Bi-directional NAT: both automatic NAT rules are applied, and both objects will be translated, so connections between the two objects will be allowed in both directions.
  1. Lets a connection match 2 NAT rules. Normally the NAT rule base only permits one match and then subsequently exits the process. In the case of bidirectional NAT, if the source match is an Automatic NAT rule, the gateway continues to traverse the NAT rules to identify if there is a destination rule match. If the gateway finds a second match, it applies both NAT rules to the connection so that the packet is routed properly between source and destination.
* Translate destination on client side: the packet must be sent from an external host to an internal host performing static NAT. Translates the destination IP address in the kernel nearest the client to prevent conflicts between anti-spoofing and NAT.
* When the option Translate Destination on Client Side is not enabled for automatic and/or manual NAT rules, problems can occur with anti-spoofing. Make sure to configure anti-spoofing correctly. Furthermore, when using manual static NAT and this option is disabled, you need host routing entries in the firewall's IP routing table to the private IP address.
* For manual static NAT a manual ARP entry is necessary in the firewall OS
* When using automatic static/hide NAT, two NAT rules are always created
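A small model makes the two NAT points above concrete: why automatic static NAT on an object yields two rules, what bidirectional NAT changes about first-match evaluation, and which port pool a Hide NAT connection draws from. This is an added example written for these notes, not Check Point code: the rule fields, the order in which the automatic rules are listed, the connection record and the sample addresses are all assumptions made for illustration.

```python
"""Model of the NAT rule-base behaviour described in the notes (added example,
not Check Point code; rule layout and sample addresses are assumed)."""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Hide NAT source-port pools from the notes: an original port below 1024 draws
# from the low pool, anything else from the high pool.
LOW_POOL = range(600, 1024)
HIGH_POOL = range(10000, 60001)


@dataclass(frozen=True)
class NatRule:
    orig_src: str               # host, network, or "any"
    orig_dst: str
    xlate_src: Optional[str]    # None = source left unchanged
    xlate_dst: Optional[str]    # None = destination left unchanged
    automatic: bool = False


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    sport: int
    dport: int


def _selects(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector, strict=False)


def automatic_static_rules(private: str, public: str) -> list[NatRule]:
    """Automatic static NAT on one object adds two rules: outbound (translate
    the source to the public address) and inbound (translate the destination
    back to the private address)."""
    return [
        NatRule(private, "any", public, None, automatic=True),
        NatRule("any", public, None, private, automatic=True),
    ]


def translate(conn: Conn, rules: list[NatRule], bidirectional: bool) -> Conn:
    """First-match NAT.  With bidirectional NAT, when the first match is an
    automatic rule that changed only the source, keep scanning for a later rule
    that translates the original destination and apply that one as well."""
    out = conn
    first = None
    for i, r in enumerate(rules):
        if _selects(r.orig_src, conn.src) and _selects(r.orig_dst, conn.dst):
            first = i
            out = replace(out, src=r.xlate_src or out.src, dst=r.xlate_dst or out.dst)
            break
    if first is None or not bidirectional:
        return out
    r0 = rules[first]
    if r0.automatic and r0.xlate_src and not r0.xlate_dst:
        for r in rules[first + 1:]:
            if r.xlate_dst and _selects(r.orig_src, conn.src) and _selects(r.orig_dst, conn.dst):
                out = replace(out, dst=r.xlate_dst)
                break
    return out


class HidePortAllocator:
    """Chooses the translated source port for Hide NAT from the pool that the
    original port selects, skipping ports already handed out."""

    def __init__(self) -> None:
        self.in_use: set[int] = set()

    def allocate(self, orig_port: int) -> int:
        pool = LOW_POOL if orig_port < 1024 else HIGH_POOL
        for port in pool:
            if port not in self.in_use:
                self.in_use.add(port)
                return port
        raise RuntimeError("hide NAT port pool exhausted")


# Constructed sample: two internal hosts, each with automatic static NAT, and
# host A connecting to host B's public address.
RULES = (automatic_static_rules("10.1.1.10", "203.0.113.10")
         + automatic_static_rules("10.2.2.20", "203.0.113.20"))
SAMPLE = Conn("10.1.1.10", "203.0.113.20", 40000, 80)


def demo() -> tuple[Conn, Conn]:
    """The same connection with bidirectional NAT off and on."""
    return translate(SAMPLE, RULES, False), translate(SAMPLE, RULES, True)


if __name__ == "__main__":
    off, on = demo()
    print("bidirectional off:", off)   # destination stays 203.0.113.20
    print("bidirectional on: ", on)    # destination becomes 10.2.2.20
    alloc = HidePortAllocator()
    print("hide ports:", alloc.allocate(53), alloc.allocate(53), alloc.allocate(40000))
```

With bidirectional NAT off, only host A's outbound rule fires and the packet leaves for B's public address untranslated; with it on, the scan continues past the first match, B's inbound rule also fires, and the packet is routed to B's private address. The allocator shows the pool split: two DNS-sourced connections get 600 and 601, a high-port client gets 10000.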

Security Policy, Database Revision, Anti-spoofing, Implied Rules, Global Policy
* Rule 0 = implied rules. To show them click View, Implied Rules. These rules have no numbering. Anti-spoofing rule: drop.
* Traffic automatically permitted by implied rules: IKE, RDP, FW control/log/key-exchange, RADIUS, CVP, TACACS, LDAP and logical servers
* RIP, ICMP and UDP are not permitted by default
* Rule 1 = first explicit rule (user-created); these rules are numbered
* Address spoofing is not logged with a rule number, just as a SmartDefense event. This is because it is enforced before any rule in the security policy's rule base.
* Stealth rule: drop all traffic to the firewall and log. If you use client authentication, encryption or CVP, these rules must be positioned before the Stealth rule.
* Cleanup rule: drop all traffic and log. This needs to be the last rule in the rule base.
* Hidden rules: you can hide rules, but they still apply to the security policy. The hide feature is used for managing complex security policies. To unhide: click Rules, Hide, Unhide All.
* The default rule: this rule will default to any / any / drop / don't log
* Rule base enforcement order:
  1. IP spoofing / IP options
  2. NAT
  3. Security policy FIRST rule
  4. Administrator-defined rule base
  5. Security policy BEFORE-LAST rule
  6. Cleanup rule or security policy LAST rule
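The enforcement order above is easiest to remember by walking packets through it. The following simulation is an added example written for these notes, not Check Point code: the interface topology, the rule format, the service names and the log-style result are assumptions; NAT (step 2) is left out since it does not change the accept/drop outcome shown here.

```python
"""Simulation of the rule-base enforcement order from the notes: anti-spoofing
first (reported with no rule number, like a SmartDefense event), then the
implied rules as rule 0, then the numbered explicit rules ending in the cleanup
rule.  Added example, not Check Point code; topology and rules are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str        # host, network, or "any"
    dst: str
    service: str    # service name or "any"
    action: str     # "accept" or "drop"
    name: str


FIREWALL = "10.0.0.1"                   # constructed gateway address
INTERNAL = {"eth1": ["10.0.0.0/8"]}     # internal interfaces and their legitimate networks
# eth0 is the external interface: any source that belongs to an internal network
# is spoofed there.

# Implied rules (rule 0) are consulted before the explicit rule base.
IMPLIED = [
    Rule("any", FIREWALL, "ike", "accept", "implied: IKE"),
    Rule("any", FIREWALL, "rdp", "accept", "implied: RDP"),
]
# Explicit rules are numbered from 1; the cleanup rule is last.
EXPLICIT = [
    Rule("any", FIREWALL, "any", "drop", "stealth"),
    Rule("10.0.0.0/8", "any", "http", "accept", "outbound web"),
    Rule("any", "any", "any", "drop", "cleanup"),
]


def _selects(selector: str, addr: str) -> bool:
    return selector == "any" or ip_address(addr) in ip_network(selector, strict=False)


def is_spoofed(iface: str, src: str) -> bool:
    """Internal interface: the source must lie in that interface's networks.
    External interface: the source must not belong to any internal network."""
    if iface in INTERNAL:
        return not any(_selects(n, src) for n in INTERNAL[iface])
    return any(_selects(n, src) for nets in INTERNAL.values() for n in nets)


def enforce(iface: str, src: str, dst: str, service: str) -> dict:
    """Return the action, the matching rule number (None when no rule applies,
    as for anti-spoofing) and the rule name, following the enforcement order."""
    if is_spoofed(iface, src):
        return {"action": "drop", "rule": None, "matched": "anti-spoofing"}
    ordered = [(0, r) for r in IMPLIED] + list(enumerate(EXPLICIT, start=1))
    for number, rule in ordered:
        if (_selects(rule.src, src) and _selects(rule.dst, dst)
                and rule.service in ("any", service)):
            return {"action": rule.action, "rule": number, "matched": rule.name}
    return {"action": "drop", "rule": None, "matched": "no match"}  # unreachable with a cleanup rule


if __name__ == "__main__":
    # Constructed packets: (interface, source, destination, service)
    for pkt in [("eth1", "10.5.5.5", FIREWALL, "ike"),       # implied rule 0 wins over stealth
                ("eth1", "10.5.5.5", FIREWALL, "ssh"),       # stealth rule 1 drops
                ("eth1", "10.5.5.5", "198.51.100.7", "http"),  # rule 2 accepts
                ("eth1", "10.5.5.5", "198.51.100.7", "smtp"),  # cleanup rule 3 drops
                ("eth0", "10.5.5.5", "198.51.100.7", "http")]:  # spoofed, no rule number
        print(pkt, "->", enforce(*pkt))
```

The first two packets show why the implied rules count as rule 0: IKE to the gateway is accepted before the stealth rule is ever reached, while SSH to the gateway hits the stealth rule. The last packet shows the note about spoofing: the drop is reported without a rule number because it happens before the rule base.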

* Policy package: security rule base and NAT, QoS, Desktop Security
* Use the Copy Policy wizard to copy a policy to an existing policy
* Database revision control: creates a fallback configuration package. All policies, objects, users, SmartDefense and global settings. You must know when to use these two packages!!!
* Network configuration and IP routing are not included in any of the above packages. You will need to create a backup of the system configuration in order to save this information.

VPN and Encryption
* Symmetric: pre-shared key. Fast. Anyone who steals the key can steal the data currently.
* Asymmetric: public/private key. Slower. Diffie-Hellman.
* Privacy: no one else can see it other than the intended parties (encryption)
* Integrity: no tampering (hash function, one way)
* Authenticity: true communication (digital signature)
* ICA (Internal Certificate Authority)
* Tunnel-mode encryption works by encapsulating an entire IP packet and then adding its own encryption header to the packet (increase of total packet size). More secure.
* SIC (Secure Internal Communication) uniquely identifies Check Point enabled machines. They have the same function as authentication certificates.
* Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access after the next Phase 2 exchange occurs? Perfect Forward Secrecy: provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys.
* Use Aggressive Mode: the standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange
* You want to establish a VPN using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first? Create a new server object to represent your partner's Certificate Authority (CA).
* What encryption scheme provides "in-place" encryption? DES
* Key management protocol: IKE
* Encryption algorithms: DES (56 bit), 3DES (3 x 56 bit = 168 bit), CAST (40-128 bit, not as strong as DES), AES (256 bit)
* Authentication algorithms: MD5, SHA1
* Encryption is encapsulated: IPSec
* VPN Tunnel Sharing settings include: one VPN tunnel per gateway pair, per each pair of hosts, and per subnet pair
* IKE DoS attacks: Global Properties

SmartView Tracker
* Three modes: LOG mode, ACTIVE mode, AUDIT mode
* Verifies the installed security policy name
* How to block an intruder: go to Active mode, select a connection, click Tools, click Block Intruder
* You can block based on source, destination, or source-destination-service
* The name of the logs depends on the MODE: LOG = .log, ACTIVE = .vlog, AUDIT = .alog
* Export to .txt is possible from the File menu
* Switch log file: the current fw.log is closed and will be written to disk with a name that contains the current date and time.
* Only one log file can be open at a time
* Exported logs cannot be viewed with SmartView Tracker

SmartView Monitor
* Create suspicious activity rules; you can do it for only an hour without creating a rule base rule
* Check if VPN Phase 2 negotiations are failing

Command line and kernel
* Kernel memory settings without manually modifying $FWDIR/lib: settings on the gateway object's Capacity Optimization screen: Max IKE, Max Concurrent Connections, Max Tunnels
* Reset the password for the administrator which was created during the initial install: cpconfig, delete the administrator's account and recreate it with the same name.
* cpstart: launches all Check Point applications
* cpstop: stops all Check Point applications
* fw start
* fw stop
* fw ver: display the Check Point version
* fw fetch [target]: fetches the last policy
* cpstop -fwflag -default: stop all Check Point processes and leave the default filter running
* cpstop -fwflag -proc: stop all Check Point processes and leave the security policy running
* fw ctl arp: display the firewall ARP entries for automatic NAT objects
* fw dbexport -f bla.ldif -l -s "o=bla,c=nl"
* fw unloadlocal: unload the local security policy. This is a very convenient feature if you are not able to access the SmartDashboard, for example because of a too strict security policy
* fwm unload [target]: unload a policy on the target enforcement module
* fwm lock_admin: used to unlock admin account(s), and view locked administrators
* cplic print: print the details of the installed Check Point licenses
* fw tab -x -u: display kernel table content
* fw tab -t sam_blocked_ips: display IPs blocked via the Block Intruder feature of SmartView Tracker
* $FWDIR/conf: rule bases, objects, users database, and certificates
* $FWDIR/lib: base.def

Performance
* Remove old or unused security policies from the policy package
* Reduce logging
* Put the most used rules at the top

Eventia Reporter
* Only connections that are logged by the firewall policy are available for Eventia reporting
* Reports are saved in HTML format and in CSV format
* To change the Eventia database cache size to match the memory in the server, edit $RTDIR/DATABASE/CONF/MY.INI (.INI = Windows and .CNF = UNIX)
* rmdstop: stop all Eventia Reporter services
* rmdstart: start all Eventia Reporter services
* Change Eventia database settings with the utility UpdateMySQLConfig (stop the Eventia Reporter services first!)
  R: RAM
  T: temp directories
  L: log files
  A: add new data file
  M: move file
* Eventia Reporter is licensed per gateway
* Predefined reports, two kinds:
  a. Standard: generated from info in the log files through the consolidation process, to yield relevant analysis of activity.
  b. Express: generated from the SmartView Monitor history file. Express cannot be filtered.

* Security (Standard and Express): all security-related traffic. Origin/destination of gateway. Blocked connections. Policy installs, analyze rule base order.
* Network Activity (Standard, Express): most popular activities in your network; can focus on direction
* VPN-1 (Standard, Express): encrypted traffic
* System Info (Express): CPU, kernel, memory, VPN-1
* My Reports (Standard, Express): customized
* What is the consolidation policy?

OSE Device
* Open Security Extension: a 3rd-party enforcement product that represents the router and influences and enforces the security policy.

ROBO Gateway
* Managed in SmartLSM; entry point to the LAN
