Check Point
Training
©2010 Check Point Software Technologies Ltd. | [Unrestricted] For everyone
Content
1. Introduction to Check Point Technology
2. Deployment Platforms
3. Introduction to Security Policy
4. Monitoring Traffic and Connections
5. Network Address Translation
6. Using SmartUpdate
7. User Management and Authentication
8. Identity Awareness
9. Introduction To Check Point VPN
Chapter 1: Introduction To Check Point Technology
Security Management Architecture
Security Management Architecture (SMART) is the core component of Check Point's unified security architecture.
SMART advantages:
- Integrated Digital Certificate Authority
- Manage
- Monitor
- Log analysis
- Reporting
Security Management Architecture
Check Point's core system consists of three interconnected components:
Smart Console
Security Management Server
Security Gateway
Mechanism for Controlling Traffic
Check Point uses the following technologies to grant or deny network traffic:
Packet Filtering
Stateful Inspection
Application Intelligence
Packet Filtering
Packet filtering is a basic form of firewall.
It cannot understand the context of a communication.
It is easier for intruders to attack.
Stateful Inspection
Developed by Check Point
Filtering includes the context of the connection that has been established
All ports stay closed until a specific port is required
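The difference between the two slides above, as an added example that is not part of the original deck: a stateless packet filter has to leave the reply ports permanently open because it judges each packet on its own, while a stateful firewall keeps a connection table and accepts a reply only when it belongs to a connection an internal host actually opened. The packet format, the rule syntax and the connection table are constructed simplifications, not Check Point's INSPECT engine or its real state table; the addresses are made up.

```python
"""Stateless packet filter vs. stateful inspection (toy model, constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True for a TCP connection-opening packet
    ack: bool = False


INTERNAL_NET = "10.1.1."   # constructed internal network prefix


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_filter(pkt: Packet) -> str:
    """Pure packet filter: every packet is judged in isolation.

    To let web replies back in, the filter must permanently accept any
    inbound packet whose source port is 80; it cannot know whether that
    packet answers a request an internal host really sent."""
    if is_internal(pkt.src) and pkt.dport == 80:
        return "accept"                    # outbound web request
    if is_internal(pkt.dst) and pkt.sport == 80:
        return "accept"                    # anything that merely looks like a reply
    return "drop"


class StatefulFirewall:
    """Stateful inspection: a reply is accepted only when the connection
    table holds the connection that the internal host opened."""

    def __init__(self) -> None:
        self.connections = set()           # 5-tuples of accepted connections

    @staticmethod
    def _key(src, sport, dst, dport, proto):
        return (src, sport, dst, dport, proto)

    def inspect(self, pkt: Packet) -> str:
        # Reply direction: look up the reversed 5-tuple in the table.
        reverse = self._key(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.connections:
            return "accept"                # part of an established connection
        # New connection: only internal hosts may open one, and only to port 80.
        if pkt.syn and not pkt.ack and is_internal(pkt.src) and pkt.dport == 80:
            self.connections.add(
                self._key(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "accept"
        # Everything else meets a "closed port": there is no context for it.
        return "drop"


def compare() -> dict:
    """Run the same three constructed packets through both filters."""
    fw = StatefulFirewall()
    request = Packet("10.1.1.20", 51000, "198.51.100.7", 80, syn=True)
    reply = Packet("198.51.100.7", 80, "10.1.1.20", 51000, syn=True, ack=True)
    # Inbound packet nobody asked for, arriving with source port 80 (constructed).
    unsolicited = Packet("203.0.113.9", 80, "10.1.1.20", 445, ack=True)
    return {
        "stateless": [stateless_filter(p) for p in (request, reply, unsolicited)],
        "stateful": [fw.inspect(p) for p in (request, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(compare())
```

The stateless filter accepts all three packets, including the unsolicited one; the stateful firewall accepts the request and its reply and drops the third packet because no entry in the connection table explains it.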
Application Intelligence
Advanced level of protection
Policy based on application
Detects and prevents application-level attacks
Inspect Engine
Deployment Method
Standalone Deployment
Distributed Deployment
Full HA Deployment
Management HA
Bridge Mode
Standalone Deployment
Distributed Deployment
Standalone Full HA
Management HA
Bridge Mode
SmartConsole
SmartDashboard
SmartView Tracker
SmartLog
SmartEvent Intro
SmartEvent
SmartView Monitor
SmartReporter
SmartUpdate
SmartProvisioning
SmartEndpoint
Securing Channel of Communication
The Security Management Server must communicate with all components.
Information must pass freely and securely:
Encrypted
Authenticated
Data integrity
User-friendly process
Secure Internal Communication (SIC)
Internal Certificate Authority (ICA)
Exam Question
Chapter 2: Deployment Platforms
Type Of Appliances
Check Point Software Blade
Check Point Operating System
IPSO
SecurePlatform
Gaia
CoreXL
CoreXL replicates the firewall kernel multiple times.
Each replicated instance runs on one processing core.
Sample Security Gateway with active CoreXL
CoreXL
When you enable CoreXL, the number of kernel
instances is based on the total number of CPU
cores.
SecureXL
SecureXL is an acceleration solution that maximizes firewall performance without compromising security.
Slow path - Packets and connections that are inspected by the Firewall and are not processed by SecureXL.
Accelerated path - Packets and connections that are offloaded to SecureXL and are not processed by the Firewall.
Medium path - Packets that require deeper inspection cannot use the accelerated path. It is not necessary for the Firewall to inspect these packets; they can be offloaded and do not use the slow path. For example, packets that are inspected by IPS cannot use the accelerated path and can be offloaded to the IPS PSL (Passive Streaming Library). SecureXL processes these packets more quickly than packets on the slow path.
Secure Network Distributor
The SND (Secure Network Distributor) is part of SecureXL and CoreXL. It
processes and helps to accelerate network traffic:
SecureXL - Distributes traffic to the accelerated or slow path
CoreXL - Processes traffic on a specified Firewall instance
Exam Question
Chapter 3: Introduction To Security Policy
Policy Package Management
The Policy Package is a set of rules that defines network security using a Rule Base; the rules are comprised of network objects, such as gateways, hosts, networks, routers and domains. Once a Rule Base is defined, the policy is distributed to all Security Gateways across a network.
Policy Package Management
Some circumstances require multiple versions of a Security Policy while the object database needs to stay the same. In these circumstances, using Policy Package Management is better than creating multiple versions of the system database.
These two points are worth considering when saving your Policies:
The new Policy Package includes the Firewall, Address Translation, Application & URL Filtering, Anti-Bot & Anti-Virus, QoS and Desktop Security policies.
It is an ideal management utility for a distributed installation with multiple Security Gateways; specific Policies are created for specific Security Gateways.
Policy Package Management
The Security Management Server provides a wide range of tools that
address various Policy management tasks, both at the definition stage
and at the maintenance stage:
Policy Packages
Predefined Installation Target
Section Titles
Queries
Sorting
Rule Base
Each rule in a Rule Base specifies the source, destination, service, and
action to be taken for each session. A rule also specifies how a
communication is tracked. Events can be logged, and then trigger an
alert message. The figure is an example of a Rule Base:
Managing Objects in SmartDashboard
Objects are created by the System Administrator to represent actual hosts and devices, as well as intangible components, such as services (for example, HTTP and TELNET) and resources (FTP).
Object Types
The object lists are divided into the following categories:
Network
Services
Resources
Servers and OPSEC Applications
Users and Administrators
VPN Communities
Creating the Rule Base
Each rule in a Rule Base defines the packets that match the rule, based on source, destination, service, and the time the packet is inspected. The first rule that matches a packet is applied, and the specified Action is taken. The communication may be logged and/or an alert may be issued, depending on what has been entered in the Track field.
Basic Rule Base Concept
SmartDashboard allows you to create a Rule Base, which builds the Security Policy from a collection of individual rules. Choose from the following options:
Add Rule - The position where the rule is to be placed: Bottom, Top, After, Before.
Delete Rule - Deletes the currently selected rule from the Rule Base.
Disable Rule - Disables a rule when testing a security policy; disabling a rule can also allow access to a previously restricted source or destination.
Hide - Hides, unhides, views, and manages hidden rules; hidden rules still apply, they are just not visible in SmartDashboard. This feature is normally used to temporarily move groups of rules out of view, to minimize confusion when an Administrator is working on a complex Rule Base.
Rule Expiration - Allows a rule to be set with an activation date and time and an expiration date and time, or a rule can be restricted to specific hours and days.
Default Rule
The Default Rule is added when you add a rule to the Rule Base. Its fields are:
No, Hits, Name, Source, Destination, VPN, Service, Action, Track, Install On, Time, Comment
Basic Rule
There are two basic rules used by nearly all Security Gateway Administrators: the Cleanup Rule and the Stealth Rule.
Stealth Rule - Prevents any users from connecting directly to the Gateway. All traffic to one of the Security Gateways (Corporate-gw) is dropped.
Cleanup Rule - Security Gateways drop all communication attempts that do not match a rule; the Cleanup Rule drops all communication not described by any other rule, and allows you to specify logging for everything being dropped by this rule.
The Stealth Rule should be placed above all other rules, as it protects the Gateways from port scanning, spoofing, and other types of direct attacks.
Implicit/Explicit Rules
The Security Gateway creates implicit rules, derived from Global Properties, and explicit rules are created by the Administrator in SmartDashboard.
Implicit Rule
Implicit rules are defined by the Security Gateway to allow certain connections to and from the Gateway, with a variety of different services. The Gateway enforces two types of implicit rules that enable the following:
Control Connections - The Security Gateway creates a group of implicit rules that it places first, last, or before last in the explicitly defined Rule Base. These first implicit rules are based on the Accept Control Connections setting in the Global Properties window. Three types of control connections:
Gateway-specific traffic that facilitates functionality, such as logging, management, and key exchange.
Acceptance of IKE and RDP traffic for communication and encryption purposes.
Communication with various types of servers, such as RADIUS, CVP, UFP, TACACS, LDAP, and Logical Servers.
Detecting IP Spoofing
Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP address.
Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from the internal network are actually coming from the internal network interface.
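The topology check the slide describes, written out as an added example (not part of the original deck and not Check Point's implementation): each gateway interface is declared with the networks that sit behind it, the external interface is "everything else", and a packet is spoofed when its claimed source address lives behind a different interface than the one it actually arrived on. The interface names and networks are constructed.

```python
"""Anti-spoofing as a topology check (constructed example)."""
import ipaddress
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network

# Constructed gateway topology: which networks sit behind each interface.
# None marks the external interface: "everything not defined elsewhere".
TOPOLOGY: Dict[str, Optional[List[IPNet]]] = {
    "eth0": None,                                   # external / Internet
    "eth1": [IPNet("10.1.1.0/24")],                 # internal LAN
    "eth2": [IPNet("192.168.5.0/24")],              # DMZ
}


def expected_interface(ip: str) -> str:
    """Interface on which a packet with this source address may legitimately arrive."""
    addr = ipaddress.IPv4Address(ip)
    for iface, nets in TOPOLOGY.items():
        if nets and any(addr in n for n in nets):
            return iface
    # Not behind any internal or DMZ interface: must come from the outside.
    return next(i for i, nets in TOPOLOGY.items() if nets is None)


def anti_spoof(ingress_iface: str, src_ip: str) -> str:
    """Verdict for a packet with source src_ip that entered on ingress_iface.

    A spoofed packet claims a source that belongs behind some other
    interface than the one it really arrived on."""
    if ingress_iface not in TOPOLOGY:
        raise ValueError(f"unknown interface {ingress_iface}")
    legit = expected_interface(src_ip)
    if legit == ingress_iface:
        return "accept"
    return f"drop (spoofed: {src_ip} belongs behind {legit}, arrived on {ingress_iface})"


def demo() -> Dict[str, str]:
    """Four constructed packets: two legitimate, two spoofed."""
    cases = {
        "lan host on lan iface": ("eth1", "10.1.1.25"),
        "internet host on external": ("eth0", "203.0.113.50"),
        "internal addr from internet": ("eth0", "10.1.1.25"),
        "dmz addr on lan iface": ("eth1", "192.168.5.10"),
    }
    return {name: anti_spoof(iface, ip) for name, (iface, ip) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:30} -> {verdict}")
```

The third case is the classic one the slide warns about: a packet arriving from the Internet whose source claims to be an internal address. The fourth shows that the check also catches mismatches between two internal interfaces, so the topology must be kept accurate when networks are added or moved.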
Rule Base Management
Before creating a Rule Base for your system, answer the following questions:
Which objects are in the network? Examples include gateways, hosts, networks, routers, and domains.
Which user permissions and authentication schemes are needed?
Which services, including customized services and sessions, are allowed across the network?
Rule Base Management
The Policy is enforced from top to bottom.
Place the most restrictive rules (not permissive) at the top of the Policy.
Keep it simple: group objects or combine rules.
Add a Stealth Rule and a Cleanup Rule first to each new Policy Package.
Limit the use of the Reject action in rules. If a rule is configured to reject, a message is returned to the source address, informing it that the connection is not permitted.
Use section titles to group similar rules according to their function.
Comment each rule! Documentation eases troubleshooting, and explains why rules exist.
For efficiency, the most frequently used rules are placed above less frequently used rules.
Note:
This must be done carefully, to ensure a general accept rule is not placed before a specific drop rule.
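The first-match evaluation described in the Rule Base slides, with the Stealth Rule at the top and the Cleanup Rule at the bottom, as an added example that is not part of the original deck. The rule format is a simplification of the Source/Destination/Service/Action/Track columns, not SmartDashboard's object model; the gateway address, LAN network and web server are constructed. The second function reproduces the pitfall in the note: moving a general accept above a specific drop makes the drop unreachable.

```python
"""First-match Rule Base with Stealth and Cleanup rules (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"


@dataclass
class Rule:
    name: str
    source: str           # "Any", a host IP, or a CIDR network
    destination: str
    service: str          # "Any" or "proto/port", e.g. "tcp/443"
    action: str           # "accept", "drop" or "reject"
    track: str = "None"   # "None", "Log" or "Alert"
    hits: int = 0         # the Hits column: how often the rule matched


@dataclass
class Connection:
    src: str
    dst: str
    service: str


def _addr_match(rule_field: str, ip: str) -> bool:
    if rule_field == ANY:
        return True
    if "/" in rule_field:                       # network object
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_field, strict=False)
    return ip == rule_field                     # host object


def _svc_match(rule_field: str, service: str) -> bool:
    return rule_field == ANY or rule_field == service


def evaluate(rules: List[Rule], conn: Connection) -> Tuple[str, str, Optional[str]]:
    """Walk the Rule Base top to bottom; the first matching rule decides.

    Returns (action, rule name, log line or None according to Track)."""
    for rule in rules:
        if (_addr_match(rule.source, conn.src)
                and _addr_match(rule.destination, conn.dst)
                and _svc_match(rule.service, conn.service)):
            rule.hits += 1
            log = None
            if rule.track != "None":
                log = (f"{rule.track.upper()} rule={rule.name!r} "
                       f"{conn.src}->{conn.dst} {conn.service} {rule.action}")
            return rule.action, rule.name, log
    # Only reached without a Cleanup Rule: modelled as the implicit drop.
    return "drop", "implicit cleanup", None


GATEWAY_IP = "192.0.2.1"          # constructed Security Gateway address
LAN = "10.1.1.0/24"               # constructed internal network
WEB_SERVER = "192.168.5.10"       # constructed DMZ web server


def build_rule_base() -> List[Rule]:
    return [
        # Stealth Rule first: nothing connects directly to the gateway.
        Rule("Stealth", ANY, GATEWAY_IP, ANY, "drop", track="Log"),
        # Specific drop placed BEFORE the general accept, as the note requires.
        Rule("Block telnet to web server", LAN, WEB_SERVER, "tcp/23", "drop", track="Alert"),
        Rule("LAN to web server", LAN, WEB_SERVER, "tcp/443", "accept"),
        Rule("LAN outbound web", LAN, ANY, "tcp/443", "accept", track="Log"),
        # Cleanup Rule last: drop and log everything nothing else matched.
        Rule("Cleanup", ANY, ANY, ANY, "drop", track="Log"),
    ]


def demo() -> dict:
    rules = build_rule_base()
    tests = {
        "admin to gateway ssh": Connection("10.1.1.5", GATEWAY_IP, "tcp/22"),
        "lan https to web server": Connection("10.1.1.5", WEB_SERVER, "tcp/443"),
        "lan telnet to web server": Connection("10.1.1.5", WEB_SERVER, "tcp/23"),
        "internet to lan smb": Connection("203.0.113.9", "10.1.1.5", "tcp/445"),
    }
    return {name: evaluate(rules, c)[:2] for name, c in tests.items()}


def misordered_demo() -> Tuple[str, str]:
    """The pitfall from the note: a general accept above a specific drop
    shadows the drop, so telnet to the web server is now accepted."""
    rules = build_rule_base()
    general = Rule("LAN to web server (any service)", LAN, WEB_SERVER, ANY, "accept")
    rules.insert(1, general)          # right after Stealth, before the telnet drop
    return evaluate(rules, Connection("10.1.1.5", WEB_SERVER, "tcp/23"))[:2]


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} -> {verdict}")
    print("misordered:", misordered_demo())
```

The Hits counter is worth watching in this model for the same reason it is in SmartDashboard: a rule that never accumulates hits is either redundant or shadowed by an earlier rule, which is exactly the condition `misordered_demo()` produces.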
Database Revision Control
Database Revision Control gives the Administrator freedom to create fallback configurations when implementing new objects and rules, or adjusting rules and objects as networks change. This can help the Administrator test new Rule Base and object configurations, or can be used to revert to an earlier configuration for troubleshooting.
The database version consists of all Policies on a single Gateway, and the objects and users configured, including settings in SmartDefense and Global Properties.
It is an ideal management utility for a stand-alone or distributed deployment with a single Gateway.
It is configurable to automatically create new database versions on policy installation.
Exam Question
Chapter 4: Monitoring Traffic and Connections
SmartView Tracker
Check Point's SmartView Tracker provides visual tracking, monitoring, and accounting information for all connections, and controls every event, including those causing alerts, as well as certain important system events, such as Security Policy installation or uninstallation.
SmartView Tracker - Log Types
The format of the log entries requested by a rule is determined by the log type specified in the rule. Administrators can display one of several log types from the Network & Endpoint Queries tree, as shown.
SmartView Tracker Tabs
SmartView Tracker has three predefined, optional views. These views can be modified and saved. Select views with the tabs located above the main log-viewing area, as shown below:
Network & Endpoint tab - Displays the default view for SmartView Tracker, and shows all security-related events.
Active tab - Shows currently open, active connections in SmartView Tracker.
Management tab - Displays only audit entries in SmartView Tracker; this enables administrators to track changes made to objects in the Rule Base, and tracks general SmartDashboard use.
SmartView Tracker Action
Action icons provide a visual representation of the log's operation. The following table describes the types of actions recorded by SmartView Tracker:
SmartView Tracker - Blocking Connections
An Administrator can terminate an active connection and block further connections from and to a specific IP address, using the SmartView Tracker Block Intruder function.
To block an active connection with Block Intruder, select the connection that you want to block, then choose Tools > Block Intruder from the menu.
SmartView Monitor
SmartView Monitor is a high-performance network and security analysis system that helps you easily administer your network, by establishing work habits based on learned system-resource patterns.
Below are some of the functions of SmartView Monitor:
Gateway Status
Traffic View
Tunnels View
Remote Users View
Cooperative Enforcement View
Gateway Status
SmartView Monitor provides information about the status of all gateways in a network, such as their IP addresses, the last time they were updated, and their status.
Traffic View
SmartView Monitor makes Administrators aware of traffic associated with specific network activities, servers, clients, etc. This knowledge enables Administrators to:
Block specific traffic when a threat is posed
Learn how many connections are currently open, or the rate of new connections passing through the Security Gateway
Learn which connection has the highest throughput
Filter based on direction, specific interface and gateway
Tunnel View
Once VPN tunnels are created and put to use, administrators can keep track of their normal functions, so possible malfunctions and connectivity problems can be addressed and solved as soon as possible.
Remote Users View
The Remote Users view allows administrators to keep track of the VPN remote users currently logged in (i.e., SecuRemote, SecureClient, SSL Network Extender, and in general any IPSec client connecting to the Security Gateway).
Cooperative Enforcement View
Cooperative Enforcement is a feature that works in conjunction with the Endpoint Server. The gateway generates logs for unauthorized hosts.
SmartView Tracker vs. SmartView Monitor
SmartView Tracker benefits:
Ensure network components are operating properly
Troubleshoot system and security issues
Gather information for legal or audit purposes
Generate reports to analyze network-traffic patterns
Temporarily or permanently terminate connections from specific IP addresses, in case of an attack or other suspicious network activity
SmartView Monitor benefits:
Centrally monitor Check Point and OPSEC devices
Present a complete picture of changes to gateways, tunnels, remote users, and security activities
Maintain high network availability
Improve efficiency of bandwidth use
Exam Question
Chapter 5: Network Address Translation
Network Address Translation
The Security Gateway supports two types of NAT, where the source and/or the destination are translated:
Hide NAT - Hide NAT is a many-to-one relationship, where multiple computers on the internal network are represented by a single unique address.
Static NAT - Static NAT is a one-to-one relationship, where each host is translated to a unique address. This allows connections to be initiated internally and externally. An example would be a Web server or a mail server that needs to allow connections initiated externally.
Note:
Hide NAT can translate up to 50,000 connections.
Hide NAT
Firewalls that do Hide NAT use different port numbers to translate internal IP addresses to one external IP address. External computers cannot start a connection to an internal computer.
Hide NAT
Hide NAT
Static NAT
Firewalls that do Static NAT translate each internal IP address to a different external IP address.
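The two translation behaviours from the Hide NAT and Static NAT slides side by side, as an added example that is not part of the original deck and not Check Point's NAT implementation. Hide NAT allocates a fresh external source port per outbound connection and remembers the mapping so replies can be translated back; a connection the outside tries to open towards the hide address finds no mapping and is not translated. Static NAT is a fixed one-to-one table that works in both directions. All addresses and the port-allocation scheme are constructed.

```python
"""Hide NAT vs. Static NAT translation tables (constructed example)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class HideNAT:
    """Many internal hosts hidden behind one external address.

    Each outbound connection gets a fresh external source port and the
    mapping is remembered so replies can be mapped back. Nothing is ever
    mapped for a connection that the outside tries to initiate."""

    def __init__(self, hide_address: str, first_port: int = 10000) -> None:
        self.hide_address = hide_address
        self.next_port = first_port
        self.out_map: Dict[Tuple[str, int], int] = {}   # (int ip, int port) -> ext port
        self.in_map: Dict[int, Tuple[str, int]] = {}    # ext port -> (int ip, int port)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return replace(pkt, src=self.hide_address, sport=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet addressed to the hide address back to the
        internal host, or return None when no connection explains it."""
        if pkt.dst != self.hide_address or pkt.dport not in self.in_map:
            return None
        ip, port = self.in_map[pkt.dport]
        return replace(pkt, dst=ip, dport=port)


class StaticNAT:
    """One-to-one mapping, valid in both directions, so the outside can
    initiate connections to the public address of, say, a web server."""

    def __init__(self, mapping: Dict[str, str]) -> None:
        self.internal_to_public = dict(mapping)
        self.public_to_internal = {pub: internal for internal, pub in mapping.items()}

    def outbound(self, pkt: Packet) -> Packet:
        return replace(pkt, src=self.internal_to_public.get(pkt.src, pkt.src))

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        internal = self.public_to_internal.get(pkt.dst)
        return replace(pkt, dst=internal) if internal else None


def demo() -> dict:
    hide = HideNAT("203.0.113.1")                            # constructed hide address
    static = StaticNAT({"192.168.5.10": "203.0.113.10"})     # constructed web server

    # Two internal hosts reach the same external site through one address.
    a = hide.outbound(Packet("10.1.1.20", 51000, "198.51.100.7", 443))
    b = hide.outbound(Packet("10.1.1.21", 51000, "198.51.100.7", 443))
    reply_to_a = hide.inbound(Packet("198.51.100.7", 443, "203.0.113.1", a.sport))
    # An outside host trying to open a connection to the hide address: no mapping.
    unsolicited = hide.inbound(Packet("198.51.100.9", 40000, "203.0.113.1", 22))
    # Static NAT lets the Internet initiate to the web server's public address.
    to_web = static.inbound(Packet("198.51.100.9", 40000, "203.0.113.10", 443))

    return {
        "hide_a": (a.src, a.sport),
        "hide_b": (b.src, b.sport),
        "reply_to_a": (reply_to_a.dst, reply_to_a.dport) if reply_to_a else None,
        "unsolicited_to_hide": unsolicited,
        "static_inbound_dst": to_web.dst if to_web else None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

Both hosts used the same internal source port, which is why the hide address needs its own port space: the external port, not the original one, is what distinguishes the two connections when replies come back. The 50,000-connection note above is, in this model, the size of that port space.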
Static NAT
Static NAT
NAT Rule Base
The NAT Rule Base has two sections that specify how the IP
addresses are translated:
Original Packet
Translated Packet
Each section in the NAT Rule Base is divided into cells that define the
Source, Destination, and Service for the traffic.
Automatic and Manual NAT Rule
There are two types of NAT rules for network objects:
Rules that SmartDashboard automatically creates and adds to the
NAT Rule Base
Rules that you manually create and then add to the NAT Rule Base
Note:
When you create manual NAT rules, it can be necessary to create the translated NAT objects for the rule.
Automatic Rule - Hide NAT
Hide NAT using the Security Gateway interface IP
Hide NAT not using the Security Gateway interface IP
Automatic Rule - Static NAT
Manual NAT Consideration
Situations where translation is desired for some services and not for others
Enterprises where the Address Translation Rule Base must be manipulated
Where port address translation/port forwarding is required
Environments where granular control of address translation between internal networks is required
When both the source address and the destination address need to be translated
NAT on Global Properties
Allow bi-directional NAT
Translate destination on client side
Automatic ARP configuration
Merge Manual proxy ARP configuration
Translate destination on client side (Manual NAT Rules)
Chapter 6: Using SmartUpdate
Understanding SmartUpdate
SmartUpdate installs two repositories on the Security Management
Server:
License & Contract Repository, which is stored on all platforms in the
directory $FWDIR\conf\.
Package Repository, which is stored:
On Windows machines in C:\SUroot.
On UNIX machines in /var/suroot.
Understanding SmartUpdate
Packages and licenses are loaded into these repositories from several
sources:
the Download Center web site (packages)
the Check Point DVD (packages)
the User Center (licenses)
by importing a file (packages and licenses)
by running the cplic command line
Note: Upgrade operations require the cprid daemon, and license
operations use the cpd daemon.
SmartUpdate Introduction
SmartUpdate has two tabs:
Packages tab - shows the packages and Operating Systems installed on the Check Point Security Gateways.
Licenses tab - shows the licenses and contracts on the managed
Check Point Security Gateways.
Additionally, the following panes can be displayed:
Package Repository - shows all the packages available for installation.
License & Contract Repository - shows all licenses (attached or
unattached)
Operation Status - shows past and current SmartUpdate operations.
SmartUpdate Terminology
Add
Attach
Detach
Central License
Local License
Certificate Key
CPLIC
Condition of Attaching License
A new license needs to be attached when:
An existing license expires
An existing license is upgraded to a newer license
A local license is replaced with a central license
The IP address of the Security Management Server changes
Retrieving License Data From Gateway
To retrieve license data from a single remote gateway, right-click the gateway object in the License Management window, and select Get License.
To retrieve license data from multiple Check Point Security Gateways, select Get All License from the license menu.
Adding New License
To install a license, you must first add it to the License & Contract
Repository. You can add licenses to the License & Contract
Repository in the following ways:
Download From the User Center
Importing License Files
Add License Details Manually
Download From the User Center
Select Network Objects License & Contract tab > Add License > From User Center.
Enter your credentials. Perform one of the following:
Generate a new license - if there are no identical licenses, the license is added to the License & Contract Repository.
Change the IP address of an existing license, that is, Move IP.
Change the license from Local to Central.
Importing License File
Select Licenses & Contract > Add License > From File
Browse to the location of the license file, select it, and click Open.
Note: A license file can contain multiple licenses. Unattached Central licenses appear in the License & Contract Repository, and Local licenses are automatically attached to their Check Point Security Gateway. All licenses are assigned a default name in the format SKU@ time date, which you can modify at a later time.
Add License Details Manually
You may add licenses that you have received from the Licensing Center by email. The email contains the license installation instructions.
1. Locate the license:
If you have received a license by email, copy the license to the clipboard. Copy the string that starts with cplic putlic... and ends with the last SKU/Feature. For example: cplic putlic [Link] 06Dec2002 dw59Ufa2-eLLQ9NB-gPuyHzvQ-WKreSo4Zx CPSUITE-EVAL-3DES-NGX CK-1234567890
If you have a hard copy printout, continue to step 2.
2. Select the Network Objects License & Contract tab in SmartUpdate.
3. Select Licenses > Add License > Manually. The Add License window appears.
4. Enter the license details:
If you copied the license to the clipboard, click Paste License. The fields will be populated with the license details.
Alternatively, enter the license details from a hard copy printout.
5. Click Calculate, and make sure the result matches the validation code received from the User Center.
6. You may assign a name to the license, if desired. If you leave the Name field empty, the license is assigned a name in the format SKU@ time date.
7. Click OK to complete the operation.
Service Contract
Before upgrading a gateway or Security Management Server, you
need to have a valid support contract that includes software upgrade
and major releases registered to your Check Point User Center
account. The contract file is stored on Security Management Server
and downloaded to Check Point Security Gateways during the
upgrade process. By verifying your status with the User Center, the
contract file enables you to easily remain compliant with current
Check Point licensing standards.
Exam Question
Chapter 8: Identity Awareness
Introduction
Traditionally, firewalls use IP addresses to monitor traffic and are
unaware of the user and computer identities behind those IP
addresses. Identity Awareness removes this notion of anonymity since
it maps users and computer identities.
It is applicable for both Active Directory and non-Active Directory
based networks as well as for employees and guest users.
Identity Awareness lets you easily configure network access and
auditing based on network location and:
The identity of a user
The identity of a computer
Introduction
Identity Awareness gets identities from these acquisition sources:
AD Query
Browser-Based Authentication
Endpoint Identity Agent
Terminal Servers Identity Agent
Remote Access
AD Query
AD Query is an easy to deploy, clientless identity acquisition method.
It is based on Active Directory integration and it is completely
transparent to the user.
The AD Query option operates when:
An identified asset (user or computer) tries to access an Intranet
resource that creates an authentication request.
AD Query is selected as a way to acquire identities.
It is based on Windows Management Instrumentation (WMI), a
standard Microsoft protocol. No installation is necessary on the clients
or on the Active Directory server.
How AD Query Works
Browser Based Authentication
Browser-Based Authentication gets identities and authenticates users with one of these acquisition methods:
Captive Portal
Transparent Kerberos Authentication
Captive Portal
Captive Portal is a simple method that authenticates users with a web
interface. The Captive Portal shows when a user tries to access a web
resource and all of these conditions apply:
Captive Portal is enabled.
The redirect option is enabled for the applicable rule.
Firewall or Application Control and URL Filtering rules block access by
unidentified users to resources that would be allowed if they were
identified.
Transparent Kerberos Authentication
Transparent Kerberos Authentication authenticates users by getting authentication data from the browser without any user input.
A user wants to access the Internal Data Center.
Identity Awareness does not recognize the user and redirects the browser to the Transparent Authentication page.
The Transparent Authentication page asks the browser to authenticate itself.
The browser gets a Kerberos ticket from Active Directory and presents it to the Transparent Authentication page.
The Transparent Authentication page sends the ticket to the Security Gateway, which authenticates the user and redirects the browser to the originally requested URL.
If Kerberos authentication fails for some reason, Identity Awareness redirects the browser to the Captive Portal.
Captive Portal
From the Captive Portal, users can:
- Enter their user name and password.
- Enter guest user credentials (configured in the Portal Settings).
- Click a link to download an Identity Awareness agent (configured in the Portal Settings).
Identity Agents
There are different Identity Agents:
- Endpoint Identity Agents - dedicated client agents installed on users' computers that acquire and report identities to the Security Gateway.
- Terminal Servers Endpoint Identity Agent - an Endpoint Identity Agent installed on an application server that hosts Citrix/Terminal services.
Benefits of Endpoint Identity Agents
Using Endpoint Identity Agents gives you:
- User and computer identity
- Minimal user intervention
- Seamless connectivity
- Connectivity through roaming
- Added security
Exam Question
Chapter
Introduction To Checkpoint VPN
9
Understanding Terminology
- VPN
- Virtual Tunnel Interface
- VPN Peer
- VPN Domain
- VPN Community
- Site To Site VPN
- Remote Access VPN
- Remote Access Community
- Star Topology
- Meshed Topology
- Domain based VPN
- Route based VPN
- IKE
- IPSEC
Site To Site VPN
VPN Community
A VPN community is a collection of VPN enabled gateways, the tunnels between them and their attributes, capable of communicating via VPN tunnels. To understand VPN Communities, a number of terms need to be defined:
- VPN Community member - the Security Gateway that resides at one end of a VPN tunnel.
- VPN domain - the hosts behind the Security Gateway. The VPN domain can be the whole network that lies behind the Security Gateway or just a section of that network.
- VPN Site - Community member plus VPN domain. A typical VPN site would be the branch office of a bank.
- Domain Based VPN - Routing VPN traffic based on the encryption domain behind each Security Gateway in the community.
- Route Based VPN - Traffic is routed within the VPN community based on the routing information, static or dynamic, configured on the Operating Systems of the Security Gateways.
VPN Community
Note: A Security Management Server can manage multiple VPN communities, which means communities can be created and organized according to specific needs.
Meshed VPN Community
A mesh is a VPN Community in which a VPN site can create a VPN
Tunnel with any VPN Site in the community:
Star VPN Community
A star is a VPN community consisting of central Security Gateways (or
"hubs") and satellite Security Gateways (or "spokes"). In this type of
community, a satellite can create a tunnel only with other sites whose
Security Gateways are defined as central.
Combination VPN Community
For more complex scenarios, consider a company with headquarters in two countries, London and New York. Each headquarters has a number of branch offices. The branch offices only need to communicate with the HQ in their country, not with each other; only the HQs in New York and London need to communicate directly. To comply with this policy, define two star communities, London and New York. Configure the London and New York Security Gateways as "central" Security Gateways. Configure the Security Gateways of the New York and London branch offices as "satellites." This allows the branch offices to communicate with the HQ in their country. Now create a third VPN community, a VPN mesh consisting of the London and New York Security Gateways.
Special Condition for VPN Security Gateways
Two Security Gateways that can create a VPN link between them in one community can appear in another VPN community provided that they are incapable of creating a link between them in the second community.
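The mesh rule, the star rule, the London/New York combination and the special condition above, worked through in a small model. This is an added example written for this page, not Check Point code; the gateway names (LON-HQ, NY-BR1 and so on) are constructed sample data, and it assumes, since the slides only restrict satellites, that two central gateways of the same star may link.

```python
"""Added example (not Check Point code): a small model of VPN community
topologies. It computes which gateway pairs may build a tunnel under the
mesh and star rules, assembles the London/New York combination, and checks
the special condition that a gateway pair which can link in one community
must not also be able to link in another.

Gateway names are constructed sample data. Assumption: two central gateways
of the same star are treated as able to link.
"""
from itertools import combinations


class Community:
    def __init__(self, name, kind, members=(), hubs=(), spokes=()):
        self.name = name
        self.kind = kind
        if kind == "mesh":
            self.members = set(members)
            self.hubs = set()
        elif kind == "star":
            self.hubs = set(hubs)
            self.members = self.hubs | set(spokes)
        else:
            raise ValueError(f"unknown community kind: {kind}")

    def can_link(self, a, b):
        """True if gateways a and b can create a VPN tunnel in this community."""
        if a == b or a not in self.members or b not in self.members:
            return False
        if self.kind == "mesh":
            return True  # mesh: any VPN site to any other VPN site
        # star: a satellite may only tunnel to a gateway defined as central
        return a in self.hubs or b in self.hubs

    def links(self):
        """All unordered gateway pairs that can link in this community."""
        return {frozenset(p) for p in combinations(sorted(self.members), 2)
                if self.can_link(*p)}


def can_communicate(communities, a, b):
    """True if some community lets gateways a and b build a tunnel."""
    return any(c.can_link(a, b) for c in communities)


def special_condition_violations(communities):
    """Gateway pairs that are link-capable in more than one community."""
    seen, bad = set(), set()
    for c in communities:
        for pair in c.links():
            if pair in seen:
                bad.add(pair)
            seen.add(pair)
    return bad


def build_slide_example():
    """The two stars plus the HQ mesh from the Combination slide."""
    london = Community("London", "star", hubs={"LON-HQ"},
                       spokes={"LON-BR1", "LON-BR2"})
    new_york = Community("NewYork", "star", hubs={"NY-HQ"},
                         spokes={"NY-BR1", "NY-BR2"})
    hq_mesh = Community("HQ-Mesh", "mesh", members={"LON-HQ", "NY-HQ"})
    return [london, new_york, hq_mesh]


if __name__ == "__main__":
    comms = build_slide_example()
    for a, b in [("LON-BR1", "LON-HQ"), ("LON-BR1", "LON-BR2"),
                 ("LON-HQ", "NY-HQ"), ("LON-BR1", "NY-BR1")]:
        print(f"{a} <-> {b}: {can_communicate(comms, a, b)}")
    print("violations:", special_condition_violations(comms))
```

Running it shows that a branch can reach its own HQ, the two HQs can reach each other, and branches cannot reach each other or the foreign HQ, which is exactly the policy the slide describes; adding a second community that also lets LON-HQ and LON-BR1 link is reported as a violation of the special condition.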
Authentication Between Community Members
Security Gateways authenticate to each other by presenting one of two types of "credentials":
- Certificates - Each Security Gateway presents a certificate which contains identifying information of the Security Gateway itself, and the Security Gateway public key, both of which are signed by the trusted CA.
- Pre-shared Key - A pre-shared secret is defined for a pair of Security Gateways. Each Security Gateway proves that it knows the agreed upon pre-shared secret.
Routing Traffic within a VPN Community
VPN routing provides a way of controlling how VPN traffic is directed. There are two methods for VPN routing:
- Domain Based VPN - This method routes VPN traffic based on the encryption domain behind each Security Gateway in the community.
- Route Based VPN - Traffic is routed within the VPN community based on the routing information, static or dynamic, configured on the Operating Systems of the Security Gateways.
Note - If both Domain Based VPN and Route Based VPN are configured, then Domain Based VPN will take precedence.
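The precedence rule between the two routing methods, as an added example (not Check Point code): the gateway first looks for a peer whose encryption domain contains the destination, and only if none matches falls back to the longest-prefix route over a Virtual Tunnel Interface. The peer names, encryption domains, VTI names and routes are constructed sample data, chosen so that one destination is matched by both methods and the domain-based answer wins.

```python
"""Added example (not Check Point code): choosing between Domain Based and
Route Based VPN for one destination, with Domain Based taking precedence.

PEER_DOMAINS and VTI_ROUTES are constructed sample data; peer and interface
names are hypothetical.
"""
from ipaddress import ip_address, ip_network

# Domain Based VPN: the encryption domain behind each peer gateway.
PEER_DOMAINS = {
    "GW-London": [ip_network("10.10.0.0/16")],
    "GW-NewYork": [ip_network("10.20.0.0/16"), ip_network("10.21.0.0/24")],
}

# Route Based VPN: OS routes whose next hop is a Virtual Tunnel Interface.
VTI_ROUTES = [
    (ip_network("10.21.0.0/16"), "vt-GW-NewYork"),  # overlaps the /24 above
    (ip_network("172.16.0.0/12"), "vt-GW-Paris"),
]


def domain_based_peer(dst):
    """Return the peer whose encryption domain contains dst, or None."""
    addr = ip_address(dst)
    for peer, nets in PEER_DOMAINS.items():
        if any(addr in net for net in nets):
            return peer
    return None


def route_based_vti(dst):
    """Longest-prefix match over the VTI routes, or None if no route."""
    addr = ip_address(dst)
    best = None
    for net, vti in VTI_ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, vti)
    return best[1] if best else None


def select_vpn_routing(dst):
    """Domain Based first, then Route Based; ('none', None) if neither applies."""
    peer = domain_based_peer(dst)
    if peer is not None:
        return ("domain", peer)
    vti = route_based_vti(dst)
    if vti is not None:
        return ("route", vti)
    return ("none", None)


if __name__ == "__main__":
    for dst in ["10.21.0.7", "10.21.5.1", "172.20.1.1", "8.8.8.8"]:
        print(dst, "->", select_vpn_routing(dst))
```

The interesting case is 10.21.0.7: the /16 VTI route covers it, but because it also lies in GW-NewYork's encryption domain the domain-based decision is taken, as the note above states. A neighbouring address such as 10.21.5.1 is outside every encryption domain and is therefore routed over the VTI.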
Access Control and VPN Communities
Configuring Security Gateways into a VPN community does not create
a de facto access control policy between the Security Gateways.
Access control is configured in the Security Policy Rule Base.
Using the VPN column of the Security Policy Rule Base, it is possible
to create access control rules that apply only to members of a VPN
community, for example:
Tunnel Management
Types of tunnels and the number of tunnels can be managed with the following features:
- Permanent Tunnels - This feature keeps VPN tunnels active, allowing real-time monitoring capabilities.
- VPN Tunnel Sharing - This feature provides greater interoperability and scalability between Security Gateways. It also controls the number of VPN tunnels created between peer Security Gateways.
Tunnel Testing for Permanent Tunnels
Check Point uses a proprietary protocol to test if VPN tunnels are
active, and supports any site-to-site VPN configuration. Tunnel testing
requires two Security Gateways, and uses UDP port 18234. Check
Point tunnel testing protocol does not support 3rd party Security
Gateways.
VPN Tunnel Sharing
VPN Tunnel Sharing provides greater interoperability and scalability by controlling the number of VPN tunnels created between peer Security Gateways.
- One VPN Tunnel per each pair of hosts - A VPN tunnel is created for every session initiated between every pair of hosts.
- One VPN Tunnel per subnet pair - Once a VPN tunnel has been opened between two subnets, subsequent sessions between the same subnets will share the same VPN tunnel.
- One VPN Tunnel per Security Gateway pair - One VPN tunnel is created between peer Security Gateways and shared by all hosts behind each peer Security Gateway.
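To make the scalability difference between the three settings concrete, here is an added example (not Check Point code) that takes the same set of sessions and counts how many distinct tunnels each sharing mode would need. The gateway names, encryption-domain subnets and session list are constructed sample data.

```python
"""Added example (not Check Point code): number of VPN tunnels needed for
the same traffic under each Tunnel Sharing setting.

Gateway names, subnets and sessions are constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Encryption domains behind the two peer gateways.
LOCAL_DOMAIN = [ip_network("10.1.0.0/24"), ip_network("10.1.1.0/24")]
PEER_DOMAIN = [ip_network("10.2.0.0/24"), ip_network("10.2.1.0/24")]
GATEWAY_PAIR = ("GW-A", "GW-B")

# Sessions crossing the VPN as (source host, destination host, dest port).
SESSIONS = [
    ("10.1.0.10", "10.2.0.20", 443),
    ("10.1.0.10", "10.2.0.20", 22),   # second session, same host pair
    ("10.1.0.11", "10.2.0.20", 443),
    ("10.1.0.10", "10.2.0.21", 443),
    ("10.1.1.5", "10.2.0.20", 443),
    ("10.1.1.5", "10.2.1.9", 443),
]


def containing_subnet(host, domain):
    """The encryption-domain subnet that contains host."""
    addr = ip_address(host)
    for net in domain:
        if addr in net:
            return net
    raise ValueError(f"{host} is not in the encryption domain")


def tunnel_key(src, dst, mode):
    """Identify the tunnel a session uses under the given sharing mode."""
    if mode == "host-pair":       # one tunnel per pair of hosts
        return (src, dst)
    if mode == "subnet-pair":     # one tunnel per pair of subnets
        return (containing_subnet(src, LOCAL_DOMAIN),
                containing_subnet(dst, PEER_DOMAIN))
    if mode == "gateway-pair":    # one tunnel shared by all hosts
        return GATEWAY_PAIR
    raise ValueError(f"unknown sharing mode: {mode}")


def tunnels(sessions, mode):
    """Set of distinct tunnels the sessions need under mode."""
    return {tunnel_key(src, dst, mode) for src, dst, _port in sessions}


def count_tunnels(sessions, mode):
    return len(tunnels(sessions, mode))


if __name__ == "__main__":
    for mode in ("host-pair", "subnet-pair", "gateway-pair"):
        print(f"{mode:13s} -> {count_tunnels(SESSIONS, mode)} tunnel(s)")
```

For the six constructed sessions the host-pair setting needs five tunnels (the two sessions between the same hosts share one), the subnet-pair setting needs three, and the gateway-pair setting needs one. Tunnel count is what an administrator trades against interoperability: a third-party peer that only negotiates per-subnet or per-host selectors cannot use the gateway-pair setting.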
Considerations for Planning a VPN
When planning a VPN topology, it is important to ask a number of questions:
- Who needs secure/private access?
- From the VPN point of view, what will be the structure of the organization?
- Internally managed gateways authenticate each other using certificates, but how will externally managed gateways authenticate?
- Do these externally managed gateways support PKI?
- Which CA will be trusted?
Remote Access VPN
Remote Access VPNs are built to handle secure communication between a corporate network and remote or mobile employees.
Remote Access VPN Solution
- Check Point Endpoint Security - Endpoint Security VPN is an IPsec VPN client that replaces SecureClient. It is best for medium to large enterprises.
  Required Licenses: The IPsec VPN Software Blade on the gateway, an Endpoint Container license, and an Endpoint VPN Software Blade license on the Security Management Server.
  Supported Platforms: Windows
- SSL Network Extender - a thin SSL VPN on-demand client installed automatically on the user's machine through a web browser. It supplies access to all types of corporate resources.
  Required Licenses: Mobile Access Software Blade on the gateway
  Supported Platforms: Windows, Mac OS X, Linux
Remote Access VPN Solution
- Mobile Access Web Portal - The Mobile Access Portal is a clientless SSL VPN solution. It is recommended for users who require access to corporate resources from home, an internet kiosk, or another unmanaged computer.
  Supported Platforms: Windows, Mac OS X, Linux, iOS, Android
  Required Licenses: Mobile Access Software Blade on the gateway
- Checkpoint Capsule - Capsule VPN for Android devices is an L3VPN client. It supplies secure connectivity and access to corporate resources using L3 IPSec.
  Supported Platforms: Android 4+ (ICS+) and iOS 6.0+
  Required Licenses: Mobile Access Software Blade on the gateway
Multiple Remote Access VPN Connectivity Modes
The IPSec Software Blade provides various modes to address a variety of connectivity and routing issues faced by remote users.
- Office Mode - Remote users can be assigned the same or non-routable IP addresses from the local ISP. Office Mode solves these routing problems and encapsulates the IP packets with an available IP address from the internal network.
- Visitor Mode - Remote users can be restricted to use HTTP and HTTPS traffic only. Visitor Mode lets these users tunnel all protocols with a regular TCP connection on port 443.
- Hub Mode - All connections the client opens, either to the internal network or to other parts of the Internet, pass through the gateway. The packets are encrypted between the client and the gateway but pass "in clear" between the gateway and the client's peer.
Exam Question