
What is a firewall?

Controls traffic between trusted and untrusted networks, and provides network partitioning
Restricts the entrance and exit of traffic based on acceptability
A wall is a bad analogy
Your firewall may have more than two sides
You may install enforcement points throughout your network
More like a honeycomb?
Even when we allow traffic through, we watch it carefully
We don't just punch holes in the firewall

Best of Breed security applications

VPN-1/Firewall-1 NGX

Logical components of FW-1 NGX

Enforcement Points: multiple firewall modules (FWM). Each enforces the security policy and reports status and log data to the management server.
Management Server (SmartCenter Server): manages the security policy and object DBs, the log DB, and concurrent administrative access.
Management Clients (SmartConsole / SMART clients): user interfaces for building objects and security policy rules; view logs and firewall status.

Check Point components for various architectures

SmartConsole (GUI)
Platforms: Windows, Solaris

SmartCenter (Management) Server
Components: FWM, FWD*, Databases, SVN** Foundation
Platforms: Nokia IPSO, Solaris, Linux, Windows 2000, Windows 2003, HP-UX, CP SecurePlatform

Enforcement (Firewall) Module
Components: FWD, Security servers, SNMP, Inspection Module, SVN Foundation
Platforms: Nokia IPSO, Solaris, Linux, Windows 2000, Windows 2003, HP-UX, AIX, CP SecurePlatform

* FWD: Firewall Daemon
** SVN: Secure Virtual Networking

CP logical components can be physically different

StandAlone: GUI, Management Server and Firewall Enforcement Point
Distributed, single Management, redundant FEPs (VRRP): GUI, one Management Server, redundant Firewall Enforcement Points
Distributed, redundant Management, redundant FEPs (VRRP): GUI, redundant Management Servers, redundant Firewall Enforcement Points

About the boot manager

The partition menu probably defaults to 1: Bootmgr
Nokia allows booting direct to IPSO (2), or IPSO using boot manager (1)
The boot manager has a command mode
We don't need it just at the moment, so don't press a key
Boot manager commands:
Boot an alternate kernel
Reinstalling IPSO
Single user boot (& password recovery)
Diagnostic info

The boot manager includes a small subset of the IPSO OS on a separate partition or disk
You can reinstall a corrupt IPSO from the boot manager
You can reinstall a corrupt boot manager from IPSO

Set the IP address, default route and speeds

Set the IP address
In the class use 10.x.x.1/16 on the LAN side interface
The LAN interface will be eth1
Configure the default route according to the class topology
It's okay that it is not reachable yet - configure it anyway
Configure the speed and duplex to 100M full duplex
CHECK with the instructor in case speed/duplex are different
Confirm the configuration

Accessing features in Voyager

Access all the features from the navigation tree
Expand Tree to view all the features at a glance
Navigation frame width is adjustable
The current feature is highlighted
Tree hierarchy is consistent with IPSO 3.9 Voyager

The main interfaces screen

We will have three interfaces in this class. The third one is configured using clish
Check that they appear here as you would expect
Note the physical and link layer status lights: Red, Green, or Blue
Blue means hot swap interface not present

Adding static routes

Static routes will allow team1fw1 to get to team3-Net
Interface routes allow team1fw1 to get through to team1-Net and to the Internet

[Lab topology diagram: team1-Net 10.1.1.0/16 (team1fw1 LAN side 10.1.1.1, team1pc1 10.1.1.101, team1pc2 10.1.1.10) and team3-Net 10.1.3.0/16 (team3fw1 LAN side 10.1.3.1, team3pc1 10.1.3.103, team3pc2 10.1.3.10) connect through the lab router. team1fw1's outside address is 172.21.101.2/16 with the lab router at 172.21.101.1/16; the link between team3fw1 and the lab router uses 172.23.103.1 and 172.23.103.2/16; the lab router reaches the Internet via 192.168.22.0/24 (192.168.22.101, 192.168.22.103).]
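As an added example (not part of the course material), a small route lookup for team1fw1 built from the lab addresses above: the connected interface routes, the static route to team3-Net and the default route via the lab router. With the /16 masks as drawn, 10.1.1.0/16 and 10.1.3.0/16 normalise to the same prefix, 10.1.0.0/16, so the static route is shadowed by the interface route; the check below reports that, and a /24 variant (an assumption) shows the static route taking effect. The connected-route tie-break and the Internet address 203.0.113.10 are also assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for team1fw1 from the slides' lab topology, as drawn.
# Entries: (destination prefix, next hop or None for a directly connected
# interface route, description). Masks are normalised with strict=False, as a
# router would: 10.1.1.0/16 becomes 10.1.0.0/16.
TEAM1FW1_ROUTES = [
    ("10.1.1.0/16", None, "interface route, eth1 (team1-Net)"),
    ("172.21.101.2/16", None, "interface route, link to the lab router"),
    ("10.1.3.0/16", "172.21.101.1", "static route to team3-Net via the lab router"),
    ("0.0.0.0/0", "172.21.101.1", "default route via the lab router"),
]
# Same table with /24 LAN masks (an assumption, not the slides' numbers).
TEAM1FW1_ROUTES_24 = [(p.replace("/16", "/24") if p.startswith("10.") else p, nh, d)
                      for p, nh, d in TEAM1FW1_ROUTES]

def build_table(routes):
    return [(ip_network(p, strict=False), nh, d) for p, nh, d in routes]

def lookup(dst, routes=TEAM1FW1_ROUTES):
    """Longest-prefix match. On equal prefix length the connected route wins
    (assumed tie-break; real stacks differ). Returns (prefix, next hop, description)."""
    dst = ip_address(dst)
    best = None
    for net, nh, d in build_table(routes):
        if dst not in net:
            continue
        longer = best is None or net.prefixlen > best[0].prefixlen
        tie_connected = best is not None and net.prefixlen == best[0].prefixlen and nh is None
        if longer or tie_connected:
            best = (net, nh, d)
    return best

def shadowed_static_routes(routes):
    """Static routes whose whole prefix lies inside a connected network never
    win the lookup above: worth checking before adding them in Voyager."""
    table = build_table(routes)
    connected = [net for net, nh, _ in table if nh is None]
    return [str(net) for net, nh, _ in table
            if nh is not None and any(net.subnet_of(c) for c in connected)]

def next_hops_on_link(routes):
    """Which next hops sit inside a connected network; a default route whose
    gateway is not yet on-link (the slide's 'not reachable yet') shows False."""
    table = build_table(routes)
    connected = [net for net, nh, _ in table if nh is None]
    return {nh: any(ip_address(nh) in c for c in connected)
            for _, nh, _ in table if nh is not None}
```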

Network Testing

Ping !..!!!..!!!!!!!!!...........!!!!!!!!!!!!!!!!!!!

Installing CheckPoint through Voyager

Four step procedure
Download the FTP package
In IPSO 4.2, HTTP Upload is very useful

Installing CheckPoint through Voyager

Package configuration is from the UNIX command line, similar to the Solaris and Linux versions
Be sure to log out and log back in so that the CP software is in your path before you run cpconfig

Distributed installation

Configuring secure internal communications

Final Steps

Basic components of VPN1/FireWall-1 NGX

Introduction to SmartDashboard and Objects

Create a gateway and take control of it

Install an Allow All policy

The default policy is drop-all
You may have noticed that you currently can't SSH or use Voyager
Allow all isn't very secure
Your instructor may show you more if you have extra time
You need to attend CP Mgmt I or an equivalent class to learn Check Point specific security information

On the desktop, or Start / Programs / Check Point Smart Clients

Save, Verify, Compile, and Install the policy

The Policy / Install does all of this in one easy step
Policies are always installed from a saved copy
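As an added example (not Check Point's code and not the course's), a first-match rule-base evaluator with the implicit cleanup drop, run over three constructed policies: the default drop-all, the lab's Allow All, and a minimal alternative that lets only team1-Net reach the firewall for SSH and Voyager. It also flags rules that an earlier rule hides, the kind of conflict the Verify step checks for. The port numbers, the stealth rule and the Internet address 203.0.113.10 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample rule bases using the slides' lab names (team1-Net
# 10.1.1.0/16, team1fw1 at 10.1.1.1). Rule: (source, destination, service
# ports or "any", action). Port numbers are assumptions: 22 for SSH,
# 443 for Voyager over HTTPS, 80/443 for web browsing.
ANY = "0.0.0.0/0"
TEAM1_NET = "10.1.1.0/16"
FW1 = "10.1.1.1/32"

DROP_ALL = []                                 # the default policy: no rules
ALLOW_ALL = [(ANY, ANY, "any", "accept")]     # the lab's Allow All policy
MINIMAL = [                                   # a less open starting point
    (TEAM1_NET, FW1, {22, 443}, "accept"),    # SSH and Voyager from the LAN only
    (ANY, FW1, "any", "drop"),                # stealth rule: nothing else to the firewall
    (TEAM1_NET, ANY, {80, 443}, "accept"),    # LAN to the Internet, web only
]

def _covers(net, addr):
    return ip_address(addr) in ip_network(net, strict=False)

def _net_in(a, b):
    return ip_network(a, strict=False).subnet_of(ip_network(b, strict=False))

def decide(rules, src, dst, port):
    """First-match evaluation. No match (including an empty rule base) falls
    through to the implicit cleanup rule, which drops and is reported as None."""
    for i, (s, d, svc, action) in enumerate(rules, 1):
        if _covers(s, src) and _covers(d, dst) and (svc == "any" or port in svc):
            return action, i
    return "drop", None

def shadowed_rules(rules):
    """A rule whose source, destination and service are all covered by an
    earlier rule can never match, so its action is irrelevant.
    Returns (hidden rule number, hiding rule number) pairs."""
    found = []
    for i, (s, d, svc, _) in enumerate(rules):
        for j, (ps, pd, psvc, _) in enumerate(rules[:i]):
            if (_net_in(s, ps) and _net_in(d, pd)
                    and (psvc == "any" or (svc != "any" and svc <= psvc))):
                found.append((i + 1, j + 1))
                break
    return found
```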

SmartView Monitor

DEMO

Thanks for coming
