
Check Point Security Administrator R75

Eran Shaham
MCT, MCITP, CCNA, CCSE, WCI

Course Agenda

Module 1: Check Point Three Tier Architecture


Module 2: Implementing a Distributed installation
Module 3: Configuring The RuleBase
Module 4: Tracking Activity using SmartView Tracker
Module 5: Filtering Offensive Web Content
Module 6: Scanning the Network
Module 7: Deploying Site to Site VPN
Module 8: Course Summary

Module 1: Check Point Three Tier Architecture

Perimeter
Internal
Web

Brief Info

Check Point is an Israeli information security software company that was the first to invent and implement a network firewall solution.

Check Point products are installed on 100% of Fortune 100 companies.

It has a 60% market share of enterprise firewalls in the market today.

Check Point implements a complete security solution with enterprise management of the complete network.

The Three Tier Architecture Concept


Check Point consists of three major components:

Smart Console: a GUI client that has all the administrative tools installed.
Smart Center Server: a database that contains the security policy (rulebase) for the firewall it manages.
Security Gateway: a firewall that scans and filters the traffic. Also called an enforcement module.

The Smart Console is installed only on Windows machines.

It has to connect to the Smart Center Server with a valid IP + username/password.

The Smart Center Server is installed on various operating systems.

It contains the security policy (rulebase) created by the Smart Console.

It distributes the rulebase to the firewall.

The Security Gateway is installed mostly on SPLAT and appliances.

SPLAT (Secure Platform) is a hardened Linux built from a Red Hat Enterprise edition distribution.

Standalone Vs. Distributed Installation

A standalone installation is when the Smart Center Server and the Security Gateway are installed on the same machine.

A distributed installation is when the Smart Center Server and the Security Gateway are installed on separate machines.

We will use a distributed configuration in the class:

SMny will be the Smart Console and the Smart Center Server
SGny will be the Security Gateway
Ldap will be an external server

Module 2: Implementing a Distributed installation

SMny Virtual Machine Configuration

SMny is a preconfigured virtual machine with the following characteristics:

Win XP sp2
Ram is configured with 1gb of memory
Nic is connected to vmnet1
CD is attached to an iso image file
Floppy has been removed

SGny Virtual Machine Configuration

SGny is a virtual machine that we install with the following characteristics:

SPLAT R75
Ram is configured with 768 MB of memory
Nic is connected to vmnet1 to SMny
Nic is connected to vmnet2 to DMZny (we will not use it in the course)
Nic is connected to vmnet3 to Ldap
CD is attached to an iso image file

Ldap Virtual Machine Configuration

Ldap is a preconfigured virtual machine with the following characteristics:

Win server 2003 with a web and a mail server


Ram is configured with 512 MB of memory
Nic is connected to vmnet3
Floppy has been removed

Smart Console and Smart Center installation

In SMny launch the setup application from the cdrom drive and press next
Choose New Installation
Press Next and verify that Typical-Management is selected
Press Next again

Smart Console and Smart Center installation (Cont.)

The final screen shows the components selected


Press Finish
Connect the cdrom drive in the virtual machine to avoid the error messages.
The machine is rebooting.

Launching the SmartDashboard at SMny

Start -> Programs -> Check Point R75 -> SmartDashboard

Enter username admin, password admin and server localhost
Approve the fingerprint as valid
Change the administrator password to vpn123
Approve the trial period and close the window showing R75 components

Configure SPLAT at SGny

Power up SGny
Press the Enter button
Press OK to start the installation of SPLAT
Note that pressing ALT+CTRL will exit to the host. Clicking the mouse inside the
black window will let you configure the SPLAT.
Moving inside the console is done with the arrow keys, the Tab button and the Enter key.
Don't press anything yet.

Configure SPLAT at SGny (Cont.)

Press OK to choose the keyboard.


Press OK to Choose eth0 as the management interface to configure SPLAT.
Configure the interface IP settings as shown above.

Configure SPLAT at SGny (Cont.)

Press OK to enable the web interface on eth0.

Approve formatting the SPLAT.

After the format completes, note that the administrative account to configure the SPLAT is admin and the password is admin.

Press OK to reboot and switch to SMny.

Configure SPLAT from the web interface at SMny

Wait until SPLAT finishes the boot process.

From the RUN command launch https://10.2.1.1

Accept the Certificate. Press OK.

Accept the license agreement.

Login using login name admin and password admin.

Configure SPLAT from the web interface at SMny (Cont.)

Change the new password to vpn123.

Press Next to start the web configuration wizard.

Change the IP settings on eth1 and eth2 as shown above.

Press New -> Default Route and choose 172.17.2.1 with a metric of 1. The new entry is now added to the routing table.

Configure SPLAT from the web interface at SMny (Cont.)

Skip the dns server page.

Configure SGny on the Host and Domain name page.

Press Next on the device date and time setup.

Press Next on the web/ssh clients page.

Choose Security Gateway and Performance Pack check boxes.

Configure SPLAT from the web interface at SMny (Cont.)

Skip the Gateway Type Page.

Configure a preshared secret between the gateway and the dashboard.

Enter 123456.

Press Finish and Start to send the settings configured to the SPLAT.

Look at the settings configured and close the browser.

Configuring SIC at SMny

From the Dashboard look at the management icon of SMny (crown).

Right click on Check Point and choose security management/gateway.

Enter the Name , Platform and IP address shown above.

Configuring SIC at SMny (Cont.)

Enter 123456 as the one-time password. This is the same preshared secret key inserted at SGny.

After trust is established, verify that the IP addresses and interfaces are
configured correctly. How did it know that eth2 is external?

Press Finish and look at the icon of SGny (Red Door)

Note that when the Red Door and the Crown are on separate objects,
it indicates a distributed installation.

Module 3:
Configuring The RuleBase

RuleBase flowchart

Top Down concept

Must have an accept statement to pass the packet

Accepted traffic is routed via the operating system

Prefer Drop over Reject

Create the following network objects:

NYlan

NYdmz

Ldap_Server
Delete the CP_default_Office_Mode_addresses_pool network

Configure a basic RuleBase

Top Down concept

Stealth Rule

Traffic Rules

Cleanup Rule
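The top-down, first-match behaviour and the stealth/cleanup placement above can be checked in code. This is an added example, not part of the course material; the subnets in OBJECTS, the rule names and the `evaluate`/`lint` helpers are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed lab addressing (assumptions; the page names these objects without subnets).
OBJECTS = {"Any": "0.0.0.0/0", "NYlan": "10.2.1.0/24",
           "SGny": "10.2.1.1/32", "Ldap_Server": "172.31.2.101/32"}

class Rule(NamedTuple):
    name: str
    src: str
    dst: str
    port: Optional[int]  # None means any service
    action: str          # "accept" or "drop"

def net(obj):
    return ipaddress.ip_network(OBJECTS[obj])

def evaluate(rules, src, dst, port):
    """Top-down, first match wins; unmatched traffic is never accepted."""
    for number, r in enumerate(rules, 1):
        if (ipaddress.ip_address(src) in net(r.src)
                and ipaddress.ip_address(dst) in net(r.dst)
                and r.port in (None, port)):
            return number, r.action
    return None, "drop"

def lint(rules, gateway="SGny"):
    """Report accept rules that reach the gateway above the stealth rule, and a missing cleanup rule."""
    findings = []
    stealth = next((i for i, r in enumerate(rules)
                    if r[1:] == ("Any", gateway, None, "drop")), None)
    if stealth is None:
        findings.append("no stealth rule")
    for r in rules[:stealth]:
        if r.action == "accept" and net(gateway).subnet_of(net(r.dst)):
            findings.append(f"'{r.name}' accepts traffic to {gateway} above the stealth rule")
    if rules[-1][1:] != ("Any", "Any", None, "drop"):
        findings.append("no cleanup rule at the bottom")
    return findings

STEALTH = Rule("Stealth", "Any", "SGny", None, "drop")
WEB = Rule("LAN web", "NYlan", "Any", 443, "accept")
LDAP = Rule("LAN to Ldap", "NYlan", "Ldap_Server", 80, "accept")
CLEANUP = Rule("Cleanup", "Any", "Any", None, "drop")
GOOD = [STEALTH, WEB, LDAP, CLEANUP]
BAD = [WEB, STEALTH, LDAP]  # broad accept above the stealth rule, cleanup rule missing
```

With GOOD, a connection from NYlan to the gateway on port 443 hits the stealth rule first; with BAD the same connection is accepted by the broader rule above it, which is what `lint` reports.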

Install the Policy on SGny

From the menu Policy -> Install

Accept the message and mark the checkbox

Press OK and wait for the installation to complete

Remember that changes to the RuleBase take effect only after policy
installation. The policy is enforced until a new policy is installed.

Module 4: Tracking Activity using SmartView Tracker

Open Smartview Tracker from within SmartDashboard

Window -> Smartview Tracker


Configure Autoscroll in Smartview Tracker

Query -> Autoscroll

Tracking http Connections

Power up Ldap and log in (alt+ctrl+ins) with password vpn123

From SMny browse to http://ldap

Note that a web site displaying LdapAtlantis has opened.

Tracking http Connections (Cont.)

Maximize the Smartview Tracker window and double click on the first
green http line.

Double Click on that line and view the detailed information.

Module 5: Filtering Offensive Web Content

Configure Web Filtering on SMny (to be enforced on SGny)

Dashboard: Double-click SGny and check the URL Filtering checkbox

In the popup box choose Use the trial license

Open the Anti-virus and URL Filtering tab

Configure Web Filtering on SMny (Cont.)

Expand URL Filtering and watch the settings in the right pane.

Expand the Advanced option and press the Blocked URLs/IPs

Add ldap and 172.31.2.101 as shown above.

Press the Blocking Notifications option and write your own content.

Install the Security Policy.

Configure Web Filtering on SMny (Cont.)

Browse to http://ldap and watch the message displayed instead of the website.

Watch the specified event monitored by the SmartView Tracker.

Module 6: Scanning the Network

Configure IPS on SMny (to be enforced on SGny)

Dashboard: Double-click SGny and check the IPS checkbox

Dashboard: Open the IPS tab and look at the settings

Configure IPS on SMny (Cont.)

Expand Protections and click Port Scan as shown above.

Double-click Host Port Scan.

Double-click Default_Protection.

Change the setting to Override IPS Policy with Detect.

Configure IPS on SMny (Cont.)

Close the opened windows.

Double-click Sweep Scan.

Double-click Default_Protection.

Change the setting to Override IPS Policy with Detect.

Install the security policy.

Gather information about open ports using SuperScan at Ldap

Run SuperScan from the desktop.

Add IP address of SMny and SGny as shown above.

On the Host and Service Discovery tab deselect the Host Discovery.

On the Scan tab press the play button and watch the results.

Open the Smartview Tracker and find the port scan attempt.
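To show what the two protections set to Detect in this module distinguish, here is an added example (not from the course material and not Check Point's implementation) that classifies a connection log into host port scans and sweep scans. The thresholds, the time window and every address other than 172.31.2.101 and 10.2.1.1 are constructed assumptions.

```python
from collections import defaultdict

def _burst(samples, window, threshold):
    """True if any `window`-second span of (time, value) samples holds `threshold` distinct values."""
    samples = sorted(samples)
    start = 0
    for end in range(len(samples)):
        while samples[end][0] - samples[start][0] > window:
            start += 1
        if len({value for _, value in samples[start:end + 1]}) >= threshold:
            return True
    return False

def detect_scans(events, window=30, port_threshold=10, host_threshold=5):
    """Host port scan: one source, many ports on one host.
    Sweep scan: one source, the same port on many hosts. Thresholds are assumed values."""
    by_pair, by_port = defaultdict(list), defaultdict(list)
    for t, src, dst, port in events:
        by_pair[(src, dst)].append((t, port))
        by_port[(src, port)].append((t, dst))
    hits = [("host_port_scan", s, d) for (s, d), v in by_pair.items()
            if _burst(v, window, port_threshold)]
    hits += [("sweep_scan", s, f"port {p}") for (s, p), v in by_port.items()
             if _burst(v, window, host_threshold)]
    return sorted(hits)

def sample_events():
    """Constructed log of (seconds, source, destination, destination port)."""
    ev = []
    for i, port in enumerate(range(20, 35)):       # 15 ports probed on two hosts
        ev.append((i, "172.31.2.101", "10.2.1.1", port))
        ev.append((i, "172.31.2.101", "10.2.1.10", port))
    for i in range(6):                             # one port tried on six hosts
        ev.append((40 + i, "172.31.2.101", f"10.2.1.{20 + i}", 445))
    for i in range(20):                            # ordinary repeated web requests
        ev.append((i, "10.2.1.10", "172.31.2.101", 80))
    return ev
```

The repeated web requests are not flagged because they touch one port on one host, which is the kind of entry to expect alongside the scan events when reviewing the log.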

Module 7: Deploying Site to Site VPN

The VPN Concept

A VPN (Virtual Private Network) is used to transfer private data between private networks through an insecure public network.

The term Virtual Private Network means establishing a Private Network over the WAN, and Virtual means encryption.

Encryption makes the WAN virtually private.

Edge devices such as routers and firewalls are used to encrypt and decrypt the traffic between them.

Deploying Site to Site VPN

In this scenario the private networks are VMNET1 and VMNET4 and the public network is VMNET3.

We will use 4 virtual machines to configure a VPN between the sites of NY and
LA: SMny, SGny, SGla, PCla.
SMny will communicate with PCla via the VPN.
SGny will encrypt the traffic and SGla will decrypt it.
To summarize: Traffic is encrypted only between the firewalls to allow private data
to pass between the sites.

Configuring SMny for Site to Site VPN

To save time, we will use SMny in a preconfigured stage (snapshot).

In the snapshot, SMny is controlling SGny and SGla via SIC.

Start SMny from snapshot and launch SmartDashboard

From the menu: VM -> Snapshot -> Snapshot Manager


Click on Site to site VPN and then on the GO To button.
Press the PLAY button to start the virtual machine.
Verify that the time and date are correct.
Drag and drop the license files that the trainer gave you from the host to
desktop at SMny.

Configure Date and Time settings on SGNY-VPN virtual machine

To save time, we will use SGny-VPN, which is a preconfigured version of SGny. This is a different virtual machine from the one you installed before.

From the VMware menu File > Open and then browse to the SGnyVPN folder. Click on the folder and then click on the SGny.vmx file.

Power on the virtual machine after it is added and authenticate to the firewall.

From the command line change the date to reflect today's date in the
following format: Date MM-DD-YYYY.

Verify that the date is changed using the Date command.

Verify that the time is correct using sysconfig from the command line.

Configure the Date and Time settings on SGla virtual machine

From the VMware menu File > Open and then browse to the SGla
folder. Click on the folder and then click on the vmx file.

Power on the virtual machine after it is added and authenticate to the firewall.

From the command line change the date to reflect today's date in
the following format: Date MM-DD-YYYY.

Verify that the date is changed using the Date command.

Verify that the time is correct using sysconfig from the command
line.

Install license files centrally from SMny

Point to Start -> Check Point SmartConsole R75 -> SmartUpdate

Enter vpn123 as the password and press ok

On the warning message press OK. This is a trial version that doesn't contain a contract license.

Install license files centrally from SMny (Cont.)

Click on the Network Objects Licenses & Contracts tab.

Notice that both gateway objects appear with a pink triangle in the
upper right of the object. It means that they are controlled by SMny
and connected to it via SIC.

From the Licenses & Contracts tab in SmartUpdate check the View Repository checkbox.
The License & Contract Repository opens as a window at the
bottom.

Install license files centrally from SMny (Cont.)

From the License and Contracts menu choose Add License and
then From File

Select the first license file and press Open.

An information dialog box appears. Press OK. The first component of
the license file is a local license and is immediately attached to SMny.

Install license files centrally from SMny (Cont.)

Right Click SGny and choose Attach Licenses

An Attach Licenses window opens. Click on the second part of the license file, a central license, and choose Attach.
An information dialog box appears. Press OK. The first component of
the license file is a local license and is immediately attached to SMny.

Install license files centrally from SMny (Cont.)

From the License and Contracts menu choose Add License and
then From File

Select the second license file and press Open.

An information dialog box appears. Press OK.

Install license files centrally from SMny (Cont.)

From the License and Contracts Repository highlight the line whose
type is local in the right column.

Right click on the unattached license in the left and choose Attach
License

Choose SGla and press Attach.

The display should show three licenses attached to the objects.

Configuring SMny for Site to Site VPN (Cont.)

Open SmartDashboard.

Double-click the SGny object, check the IPsec VPN checkbox and press OK.

Do the same for SGla's object.

Note that both objects contain a lock symbol now. This indicates VPN
capabilities.

Click on the IPSec VPN tab. You can see the MyIntranet object that
contains common settings to establish the VPN.

Configuring SMny for Site to Site VPN (Cont.)

Double-click the MyIntranet object.

Click the Participating Gateways tab and add both gateways to the community.

Press OK and check that the Participant Gateways window shows both gateways.

Configuring SMny for Site to Site VPN (Cont.)

Configure the security policy shown above and install it on both gateways.

Note: the VPN rule states that when traffic passes between the networks,
the firewalls will encrypt and decrypt it using the parameters defined in
the MyIntranet object.

Test the VPN rule

From SMny open the run command and enter http://pcla

The browser opens and PCla's web site is displayed.

Open SmartView Tracker and see that a lock sign (encryption activity performed by SGny) and a lock with a key sign (decryption
activity performed by SGla) took place.

Module 8: Course Summary

Building a Multilayer protection Suite

ACL, encryption
Secure coding, antivirus, URL filter
OS hardening, update management, authentication
Network segments, IPSec
Firewalls, VPN, IPS
Guards, locks, monitoring and tracking devices
User education against social engineering
