
Security Administration

2013 Edition

2012 Check Point Software Technologies Ltd. [PROTECTED] All rights reserved.
2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties
Preface

Training Blades and Certification

2 WAYS to EXTEND CCSA / CCSE for 1 YEAR

1. Take and pass any 2 Training Blades (such as AppControl + Introduction to Gaia)
OR
2. Attend and pass 1 instructor-led class, based on a 2-day course (such as Advanced IPS)

Certification Renewal Examples

CCSA Certification - Extension Options
Training Blades:
Application Control
Data Loss Prevention
Introduction to Gaia
Intrusion Prevention
Threat Prevention
CCSA exam

CCSE Certification - Extension Options
Instructor Led Training:
Advanced IPS
SmartConsole Managed VSX
P1 Managed VSX
Endpoint
CCSE exam

Check Point Security Administration

Key Course Elements
Overview of Check Point Technology
Deploying a Security Policy and Monitoring Traffic
Managing Users and Providing Access to Protected Resources
Deploying Network Address Translation and VPNs

Course Chapters
1. Introduction to Check Point Technology
2. Deployment Platforms
3. Introduction to the Security Policy
4. Monitoring Traffic and Connections
5. Network Address Translation
6. Using SmartUpdate
7. User Management and Authentication
8. Identity Awareness
9. Introduction to Check Point VPNs

Lab Topology
Introduction to Check Point Technology

Learning Objectives
Describe Check Point's unified approach to network management, and the key elements of this architecture
Design a distributed environment using the network detailed in the course topology
Install the Security Gateway in a distributed environment, using the network detailed in the course topology

Check Point Security Management Architecture (SMART)
The Check Point Security Management Architecture (SMART) is a core component of the Check Point unified security architecture.
With SMART, security administrators can centrally configure, manage, monitor and report on all security devices, including endpoints, from a single console - the SmartDashboard.

Core Systems
The Check Point core systems:
SmartConsole
Security Management Server
Security Gateway

SMART
SmartConsole:
The SmartCenter GUI, SmartConsole is comprised of several clients, used to manage the Check Point security environment.
Security Management Server:
The Security Management Server stores and distributes Security Policies to multiple Security Gateways.
Security Gateway:
The Security Gateway is the firewalled machine on which the firewall software is installed, and is based on Stateful Inspection.

The Open Systems Interconnect (OSI) Model
To better understand the capabilities of the basic firewall, understand the OSI model.

Controlling Network Traffic
Check Point utilizes these technologies to deny or permit traffic, based on defined rules:
Packet Filtering
Stateful Inspection
Application Intelligence

Packet Filtering
Packet Filtering is a firewall in its most basic form.

Stateful Inspection
Stateful Inspection examines the context of a packet to monitor the state of the connection.

Application Intelligence
Application Intelligence works with application-layer defense.

Security Gateway Inspection Architecture

INSPECT Engine Packet Flow
Sample flow of a new inbound packet:

Deployment Considerations

Standalone Deployment
Security Management Server and Security Gateway installed on the same computer.

Distributed Deployment
Security Management Server and Security Gateway installed on different computers.

Standalone Full HA Deployment
Security Management Server and Security Gateway installed on different computers.

Bridge Mode
A bridge mode deployment adds a Security Gateway to an existing environment without changing IP routing.
Check Point SmartConsole Clients
SmartConsole is comprised of several clients, used to manage the security environment.

SmartDashboard
Tabs:
Firewall
App Control & URL Filtering
DLP
IPS
Anti-Bot & Anti-Virus
Anti-Spam and Mail
Mobile Access
IPSec VPN
QoS
Desktop

Check Point SmartConsole
SmartConsole components can be accessed from SmartDashboard.

SmartView Tracker
SmartView Tracker is used for managing and tracking logs and alerts.

SmartLog
SmartLog enables enterprises to centrally track log records.

SmartEvent
Event correlation for firewall, IPS, DLP and endpoints via a single console.

SmartView Monitor
SmartView Monitor centrally monitors Check Point and OPSEC devices, presenting a complete visual picture of changes to gateways, tunnels, remote users and security activities.

SmartReporter
SmartReporter centralizes network security reporting.

SmartUpdate
SmartUpdate delivers automated software and license updates to distributed security gateways from a single management console.

SmartProvisioning
SmartProvisioning provides centralized administration and provisioning of Check Point security devices via a single management console.

SmartEndpoint
SmartEndpoint is the management console for endpoint clients and their features.
Security Management Server
The Security Management Server is used to manage the Security Policy.
The Security Management Server maintains the Security Gateway databases.
Policies are defined using SmartDashboard, and saved on the Security Management Server.

Managing Users in SmartDashboard

Securing Channels of Communication
Communication must be encrypted
Communication must be authenticated
Transmitted communication should have data integrity
The SIC setup process allowing the intercommunication to take place must be user friendly

SIC Between Security Management Servers and Components
SIC among Security Management Servers and components

Lab Practice
Lab 1: Distributed Installation
Lab 2: Branch Office Security Gateway Installation

Review Questions

1. What is the strength of Check Point's Stateful Inspection Technology?
The contents of the packet are examined, not just the header information.
The state of the connection is monitored.

2. What are the advantages of Check Point's Secure Management Architecture (SMART)?
SMART is a unified approach to centralizing Policy management and configuration, including monitoring, logging, analysis, and reporting within a single control center.

3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?
Used by the Security Administrator, the Security Management Server manages the Security Policy. In order to perform that role, the Security Management Server must establish SIC with other components, so that communication is verified and management can be performed on any component on the network.
Deployment Platforms

Learning Objectives
Given network specifications, perform a backup and restore of the current Gateway installation from the command line.
Identify critical files needed to purge or backup, import and export users and groups, and add or delete administrators from the command line.
Deploy Gateways using sysconfig and cpconfig from the Gateway command line.

Security Appliances
Check Point Security Appliances are integrated hardware devices that are preinstalled with essential software blades to produce a comprehensive, turnkey security gateway solution.

Data Center:
61000 Security System - fastest security appliance, offering scalable performance for data centers and telecommunication companies.
21000 Appliance - industry's best security performance in their class, offering unmatched scalability, serviceability and port density.
IAS Bladed Hardware - provides organizations with the ultimate choice in carrier-grade chassis.

Large Enterprise:
12000 Appliance - multi-core security technology and high port density, ideally suited for perimeter security.
IP Appliance - offers turnkey and modular security functionality with integrated firewall, VPN, IPS, Application Control, Identity Awareness and more.
IAS-D, M, and R Appliance - powered by HP, the IAS-Series of appliances provide integrated software and hardware bundles and direct support that are customized to organizations' exact specifications.

Medium-Sized Business:
4000 Appliance - offers complete and integrated security solutions in a compact 1U form factor.

Small Business & Branch Office:
2200 Appliance - offers enterprise-grade security and performance in a compact desktop form factor.
Series 80 Appliance - extends Software Blades to the edge of the network.
UTM-1 Edge - all-in-one appliance for branch offices.
Safe@Office - integrated firewall, IPS, anti-malware, URL filtering, and more.
Cloud-Managed Security Service - effective security in a managed solution.

Virtualized:
Virtual Systems - taps the power of virtualization to consolidate and simplify security for private clouds.
Security Gateway Virtual Edition - protects virtualized environments and external networks.
Virtual Appliance for Amazon Web Services - Security Gateway for virtual environments in the Amazon Cloud.

Dedicated Appliances:
Secure Web Gateway Appliance - real-time protection against web-borne malware.
Threat Prevention Appliance - prevents advanced threats and malware attacks.
DDoS Protector - blocks Denial of Service attacks within seconds.

Check Point Appliance Selection Tool
Check Point SecurityPower™
Allows customers to select security appliances by capacity
Accurate appliance sizing to meet needs
Security Software Blades

Threat Prevention
ThreatCloud feeds security gateway software blades real-time security intelligence.

Security Gateway Software Blades
Firewall - industry's strongest level of gateway security and identity awareness
IPSec VPN - secure connectivity to corporate networks for remote users
Application Control - application security and identity control
URL Filtering - optimized web security
Anti-Bot - detects bot-infected machines, prevents bot damage
Antivirus - uses ThreatCloud to detect and block malware in real time
Identity Awareness - granular visibility of users, groups, and machines; access control
DLP - preemptively protects sensitive information
Web Security - detects and prevents attacks launched against the Web infrastructure
Anti-Spam & Email Security - protection for messaging infrastructure
Advanced Networking & Clustering - simplifies complex network security deployment and management
Voice over IP - deploys secure VoIP applications

Remote Access Solutions
Mobile Access Software Blade - safely connect to corporate applications over the Internet with smartphone, tablet, or PC
Endpoint Security with Remote Access - secure and seamless access to corporate networks remotely
Check Point GO - turns any PC into your corporate desktop

Check Point Gaia
Check Point Gaia™ is the unified cutting-edge secure operating system for all Check Point Appliances, open servers and virtualized gateways. Gaia was derived from IPSO and SecurePlatform.

History - Power of Two

IPSO
Developed by Ipsilon Networks
Based on FreeBSD
Hardened secure operating system
Kernel statistics
Purchased from Nokia 2009

SecurePlatform
Developed by Check Point
Based on Red Hat
Hardened secure operating system
Management performed through a restricted shell
Supports SecureXL

Gaia
Combining the best features of IPSO and SecurePlatform
Increase operational efficiency with a wide range of features
A secure platform for the most demanding environments
Provides for role-based administration
Web-based user interface for all commands and properties
Compatible with IPSO and SPLAT CLI commands

Gaia Architecture
Fully compatible with IPSO and SPLAT CLI commands
Web-based user interface with search navigation
Role-based administrative access
Support for industry standard authentication
Support for industry standard monitoring
Intelligent software updates
Automatic Security Gateway deployments
Manageable dynamic routing suite
Native IPv4 and IPv6 support
Link aggregation
ClusterXL or VRRP clusters
High connection capacity
Full software blade support

Gaia System Information
Gaia system information is accessible through the WebUI, and some CLI commands.

Gaia Widgets
System Overview
Network Configuration
Memory Monitor
CPU Monitor
Security Configuration

Lab Practice
Lab 3: CLI Tools

Review Questions

1. What are some of the advantages in deploying UTM-1 Edge Appliances?
Easy to install and configure
Can participate in corporate VPN
Security Policy can be enforced on the appliance
Status and traffic can be monitored
Device firmware can be automatically updated

2. How do you manage an IP Appliance?
Through the WebUI
Through the CLI

3. What does SecurePlatform Pro provide over SecurePlatform?
Dynamic routing support
Centralized Administrator management via RADIUS

4. What are the two critical Check Point directories?
$FWDIR/conf contains Rule Bases, objects, and the user database
$FWDIR/bin contains import and export tools
Introduction to the Security Policy

Learning Objectives
Given the network topology, create and configure network, host and gateway objects.
Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.
Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.
Evaluate existing policies and optimize the rules based on current corporate requirements.
Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.

Security Policy Basics
The Security Policy is a set of rules that defines your network security.

Managing Objects in SmartDashboard

Object Types
Network
Services
Resources
Servers and OPSEC Applications
Users and Administrators
VPN Communities

Managing Objects
The Objects Tree is the main view for managing objects.

Creating Objects
When creating objects, consider organizational needs:
What are the physical components in the network?
What are the logical components: services, resources, applications?
What components access the firewall?
Who are the users, and how should they be grouped?
Who are the administrators, and what are their roles?
Will VPN be used, and will it allow remote users?

Creating the Rule Base
Each rule in a Rule Base defines the packets that match the rule.

Default Rule
The Default Rule is added when you add a rule to the Rule Base.

Basic Rules
Two basic rules are used by nearly all Security Gateway Administrators:
Cleanup rule
Stealth rule

Implicit/Explicit Rules

Control Connections
There are three types of Control Connections, defined by default rules:
Gateway-specific traffic
Acceptance of IKE and RDP traffic
Communication with various types of servers

Detecting IP Spoofing
Spoofing is where an intruder attempts to gain unauthorized access by altering a packet's IP address.

Rule Base Management
Before creating a Rule Base:
Which objects are in the network?
Which user permissions and authentication schemes are needed?
Which services, including customized services and sessions, are allowed across the network?

Rule Base Order
1. IP spoofing/IP options
2. First
3. Explicit
4. Before Last
5. Last
6. Implicit Drop
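The evaluation order above, as an added Python simulation that is not part of the course material: a packet first passes the anti-spoofing topology check, then the First, Explicit, Before Last and Last stages are walked with first-match semantics, and anything unmatched falls through to the implicit drop. The addresses, interface names, port labels and the rule set (stealth rule, cleanup rule, implied control-connection rules) are assumptions constructed for the example; it also shows why an explicit cleanup rule shadows the Before Last and Last implied rules.

```python
"""Simulation of the rule base evaluation order listed above: anti-spoofing check,
then the First, Explicit, Before Last and Last stages with first-match semantics,
and finally the implicit drop. Every address, interface and rule is constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = "any"
EXTERNAL = "external"   # topology marker: any source that is not an internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str   # "proto/port" label, e.g. "tcp/80"
    ingress: str   # interface the packet arrived on


@dataclass
class Rule:
    name: str
    src: list                # networks in CIDR notation, or [ANY]
    dst: list
    services: list
    action: str              # "accept" or "drop"
    stage: str = "explicit"  # "first", "explicit", "before_last" or "last"

    def matches(self, p: Packet) -> bool:
        return (in_nets(p.src, self.src) and in_nets(p.dst, self.dst)
                and (ANY in self.services or p.service in self.services))


def in_nets(addr: str, nets: list) -> bool:
    if ANY in nets:
        return True
    a = ip_address(addr)
    return any(a in ip_network(n) for n in nets)


@dataclass
class Gateway:
    topology: dict   # interface -> list of networks expected as source, or EXTERNAL
    rules: list = field(default_factory=list)

    def anti_spoof_ok(self, p: Packet) -> bool:
        """Step 1: a packet may only arrive on the interface its source lives behind."""
        nets = self.topology[p.ingress]
        if nets == EXTERNAL:
            internal = [n for ns in self.topology.values() if ns != EXTERNAL for n in ns]
            return not in_nets(p.src, internal)
        return in_nets(p.src, nets)

    def evaluate(self, p: Packet) -> tuple:
        """Walk the stages in order; the first matching rule decides. Returns (action, rule)."""
        if not self.anti_spoof_ok(p):
            return ("drop", "anti-spoofing")
        for stage in ("first", "explicit", "before_last", "last"):
            for r in self.rules:
                if r.stage == stage and r.matches(p):
                    return (r.action, r.name)
        return ("drop", "implicit drop")


# Constructed network: 10.0.0.0/24 is the LAN behind eth1, 10.1.0.0/24 the DMZ behind
# eth2, eth0 faces the Internet, and 203.0.113.1 is the gateway's external address.
LAN, DMZ = "10.0.0.0/24", "10.1.0.0/24"
GATEWAY_IPS = ["203.0.113.1/32", "10.0.0.1/32", "10.1.0.1/32"]
SMS = "10.0.0.10/32"   # Security Management Server


def build_gateway(with_cleanup: bool = True) -> Gateway:
    rules = [
        # Implied "First" rules: control connections (gateway-specific traffic and
        # IKE/RDP acceptance), so management and VPN setup survive the stealth rule.
        Rule("control connections", [SMS], GATEWAY_IPS, ["tcp/18191"], "accept", "first"),
        Rule("IKE/RDP", [ANY], GATEWAY_IPS, ["udp/500", "udp/259"], "accept", "first"),
        # Explicit rules in the order an administrator wrote them in SmartDashboard.
        Rule("stealth rule", [ANY], GATEWAY_IPS, [ANY], "drop"),
        Rule("web to DMZ", [ANY], ["10.1.0.80/32"], ["tcp/80"], "accept"),
        Rule("LAN outbound", [LAN], [ANY], ["tcp/80", "tcp/443"], "accept"),
        # An implied "Before Last" rule, e.g. ICMP acceptance enabled in Global Properties.
        Rule("ICMP (before last)", [ANY], [ANY], ["icmp"], "accept", "before_last"),
    ]
    if with_cleanup:
        # Explicit cleanup rule as the last explicit rule: drop (and log) everything
        # else. Note that it also shadows the Before Last and Last implied rules.
        rules.insert(5, Rule("cleanup rule", [ANY], [ANY], [ANY], "drop"))
    return Gateway({"eth0": EXTERNAL, "eth1": [LAN], "eth2": [DMZ]}, rules)


if __name__ == "__main__":
    gw = build_gateway()
    for pkt in (Packet("10.0.0.5", "10.1.0.80", "tcp/80", "eth0"),       # LAN address from outside
                Packet("10.0.0.10", "10.0.0.1", "tcp/18191", "eth1"),    # SMS to the gateway
                Packet("198.51.100.7", "203.0.113.1", "tcp/22", "eth0"),  # SSH aimed at the gateway
                Packet("10.0.0.5", "198.51.100.7", "icmp", "eth1")):     # ping from the LAN
        print(pkt.src, "->", pkt.dst, pkt.service, "=>", gw.evaluate(pkt))
```

Run it with and without the cleanup rule to see the same ICMP packet land on the cleanup rule in one case and on the Before Last implied rule in the other.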

Policy Management and Revision Control

Multicasting
Multicasting transmits a single message to a select group.

Lab Practice
Lab 4: Building a Security Policy
Lab 5: Configuring a DMZ

Review Questions

1. Objects are created by the Security Administrator to represent actual hosts and devices, as well as services and resources, to use when developing the Security Policy. What should the Administrator consider before creating objects?
What are the physical and logical components that make up the organization?
Who are the users and administrators, and how should they be grouped, i.e. access permissions, location (remote or local), etc.?

2. What are some important considerations when formulating or updating a Rule Base?
Which objects are in the network, i.e., gateways, routers, hosts, networks, or domains?
Which user permissions and authentication schemes are required?
Which services, including customized services and sessions, are allowed across the network?
Monitoring Traffic and Connections

Learning Objectives

- Use Queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data.
- Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.
- Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements.

SmartView Tracker

SmartView Tracker Log Types

- Predefined
- Custom

SmartView Tracker Tabs

- Network & Endpoint
- Active
- Management

SmartView Tracker Action Icons

Log File Management

1. Open Log File
2. Save Log File As
3. Switch Log File
4. Remote File Management
5. Show or Hide Progress
6. Query Options

Administrator Auditing

- Administrator login and logout
- Object creation, deletion, edits
- Rule Base changes

Global Logging and Alerting

- VPN successful key exchange
- VPN packet handling errors
- VPN configuration and key exchange errors
- IP Options drop
- Administrative notifications
- SLA violations
- Connection matched by SAM
- Dynamic Object resolution failure
- Log every authenticated HTTP connection
- Log VoIP connection
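Two of the queries an administrator runs against the traffic log and the audit log, as an added example for this page rather than Check Point's own tooling. The `key=value;` line layout and every line in `SAMPLE_LOG` are constructed for the example and are not Check Point's log format; the queries show what the slides above ask for: repeated drops from one source (the kind of pattern that would prompt the Block Intruder function) and the administrator audit trail of logins, object edits and policy installs.

```python
"""Queries over constructed firewall and audit log lines.

Added example, not Check Point code and not Check Point's log format: the
'key=value;' layout and every line in SAMPLE_LOG are constructed for this
example. It shows two things the slides ask an administrator to watch:
repeated drops from one source and the administrator audit trail.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
time=2013-03-04T09:00:01;type=log;action=accept;src=10.1.1.20;dst=192.168.50.10;service=http;rule=3
time=2013-03-04T09:00:02;type=log;action=drop;src=203.0.113.7;dst=192.168.50.10;service=ssh;rule=cleanup
time=2013-03-04T09:00:04;type=log;action=drop;src=203.0.113.7;dst=192.168.50.10;service=ssh;rule=cleanup
time=2013-03-04T09:00:06;type=log;action=drop;src=203.0.113.7;dst=192.168.50.10;service=telnet;rule=cleanup
time=2013-03-04T09:00:08;type=log;action=drop;src=203.0.113.7;dst=192.168.50.10;service=smtp;rule=cleanup
time=2013-03-04T09:00:09;type=log;action=drop;src=203.0.113.7;dst=192.168.50.10;service=ssh;rule=cleanup
time=2013-03-04T09:00:15;type=log;action=drop;src=198.51.100.9;dst=192.168.50.10;service=ssh;rule=cleanup
time=2013-03-04T09:00:20;type=log;action=accept;src=10.1.1.21;dst=198.51.100.1;service=https;rule=4
time=2013-03-04T09:05:00;type=audit;administrator=alice;operation=Log In
time=2013-03-04T09:05:30;type=audit;administrator=alice;operation=Modify Object;object=DMZ_Web_Server
time=2013-03-04T09:06:00;type=audit;administrator=alice;operation=Install Policy;object=Standard
time=2013-03-04T09:07:00;type=audit;administrator=alice;operation=Log Out
"""


def parse_log(text):
    """One dict per line; 'time' is converted to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for field in line.split(";"):
            key, _, value = field.partition("=")
            rec[key.strip()] = value.strip()
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S")
        records.append(rec)
    return records


def repeated_drops(records, threshold=5, window=timedelta(seconds=60)):
    """Sources with at least `threshold` dropped connections inside any
    `window`; the value is the largest count seen in one window."""
    times = defaultdict(list)
    for r in records:
        if r.get("type") == "log" and r.get("action") == "drop":
            times[r["src"]].append(r["time"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        best = start = 0
        for end in range(len(ts)):          # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def drops_by_rule(records):
    """How many drops each rule produced (a quick sanity check on the policy)."""
    return Counter(r["rule"] for r in records
                   if r.get("type") == "log" and r.get("action") == "drop")


def admin_audit_trail(records):
    """Audit records only, in time order: who did what to which object."""
    audit = sorted((r for r in records if r.get("type") == "audit"),
                   key=lambda r: r["time"])
    return [(r["administrator"], r["operation"], r.get("object", "")) for r in audit]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("repeated drops:", repeated_drops(recs))
    print("drops by rule:", dict(drops_by_rule(recs)))
    for who, what, obj in admin_audit_trail(recs):
        print(f"{who}: {what} {obj}".rstrip())
```

The sliding window matters: a source that trips the threshold over a whole day is noise, one that does it inside a minute is the case the Block Intruder function exists for, and the audit trail is what lets you tie a sudden change in drop counts back to the policy install that caused it.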

Time Settings

- Excessive log grace period
- SmartView Tracker resolving
- Virtual Link statistics logging interval
- Status fetching interval

Blocking Connections

- Block Intruder function

SmartView Monitor

High-performance network and security analysis

SmartView Monitor Customized Views

Create views based on your specific needs, such as:
- Status
- Traffic
- System stats
- Tunnels

Tunnel View

Monitor the health of your VPN tunnels

Remote Users View

Keep track of your VPN remote users

Cooperative Enforcement View

Verify host connections with Integrity Server

Monitoring Suspicious Activity Rules

Suspicious-activity monitoring is used to modify access privileges upon detection of any suspicious network activity.

Monitoring Alerts

Alerts provide real-time information about vulnerabilities to computing systems and how they can be eliminated.
- They are defined per product
- They may be global or per Gateway
- They are displayed and viewed in SmartView Monitor

After reviewing the status of certain clients in SmartView Monitor, you may:
- Disconnect Client
- Stop/Start Cluster Member

Gateway Status

Status Information:
- Check Point Gateways
- OPSEC Gateways
- Check Point Software Blades

Overall Status / Blade Status

OK            Working properly
Attention     Minor problem
Problem       Malfunction
Waiting       30 second connection period
Disconnected  No communication
Untrusted     SIC failed

SmartView Tracker vs. SmartView Monitor

SmartView Tracker:
- Ensure network components are operating properly
- Troubleshoot system and security issues
- Gather information for legal or audit purposes
- Generate reports to analyze network-traffic patterns
- Terminate connections from specific IP addresses

SmartView Monitor:
- Centrally monitor Check Point & OPSEC devices
- Present a complete picture of changes to Gateways, tunnels, remote users, security activities
- Maintain high network availability
- Improve efficiency of bandwidth use
- Track SLA compliance

Lab Practice

- Lab 6: Monitoring with SmartView Tracker

Review Questions

1. Discuss the benefits of using SmartView Monitor instead of SmartView Tracker in monitoring network activity.
   - SmartView Monitor presents an overall view of changes throughout the network.
   - SmartView Tracker focuses on individual connections.
   - SmartView Monitor also helps the Administrator identify traffic-flow patterns that may signify malicious activity, maintain network availability, and improve efficient bandwidth use.

2. Why is there a warning message when switching to Active mode in SmartView Tracker?
   - There are performance implications for memory and network resources in Active mode, since data is being actively logged.

Network Address Translation

Learning Objectives

- Configure NAT rules on Web and Gateway Servers

Introduction to NAT

Reasons for employing NAT:
- Private IP addresses used in internal networks
- Limiting external network access
- Ease and flexibility of network administration

Source NAT = IP of the machine (client) initiating the connection
Destination NAT = IP of the machine receiving the connection

Types of NAT

Hide NAT (Dynamic NAT)
- Many-to-one relationship
- Multiple computers represented by one IP address
- Only allows connections from the protected side of the gateway

Static NAT
- One-to-one relationship
- Each host translated to a unique IP address
- Connections initiated internally and externally

IP Addressing

Addresses allocated for Private Networks:
- Class A network = 10.0.0.0 - 10.255.255.255
- Class B network = 172.16.0.0 - 172.31.255.255
- Class C network = 192.168.0.0 - 192.168.255.255

Hide NAT

Static NAT

(Figure: Static NAT, 85.10.1.4 mapped to 10.1.1.101)

NAT - Global Properties

- Allow bi-directional NAT
- Translate Destination on client side
- Automatic ARP
- Merge manual proxy ARP

Object Configuration - Hide NAT

Address translation rules are divided into two elements:
- Original Packet
- Translated Packet

Hide NAT Using Another Interface IP Address

Static NAT

Manual NAT

- Instances where remote networks only allow specific IP addresses.
- Situations where translation is desired for some services, and not for others.
- Environments where more granular control of address translation in VPN tunnels is needed.
- Enterprises where Address Translation Rule Base order must be manipulated.
- When port address translation is required.
- Environments where granular control of address translation between internal networks is required.
- When a range of IP addresses, rather than a network, will be translated.

ARP

If Manual NAT rule creation is used, the Gateway ARP table must be edited:
- Hide NAT, Security Gateway in the Translated Packet Source field: no additional ARP table entries are required.
- Hide NAT, hiding behind an IP address not assigned to the Security Gateway: add an ARP table entry to the Security Gateway for the hiding address.
- Static NAT: add ARP table entries to the Security Gateway for all hiding addresses.
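The Hide NAT, Static NAT, IP Addressing and ARP slides, worked through in one toy NAT engine. This is an added example for this page, not Check Point code: the addresses and ports are constructed, and the gateway is assumed to own 10.1.1.1 (internal) and 85.10.1.1 (external). It shows why Hide NAT can only carry connections started from the protected side (an unsolicited inbound packet has no connection-table entry to map to), why Static NAT works in both directions, and which translated addresses the gateway has to answer ARP for when the rules are manual.

```python
"""Toy NAT engine for the Hide NAT, Static NAT and ARP slides.

Added example, not Check Point code. Addresses and ports are constructed;
the gateway is assumed to own 10.1.1.1 (internal) and 85.10.1.1 (external).
"""
import ipaddress
from dataclasses import dataclass

GATEWAY_IPS = {"10.1.1.1", "85.10.1.1"}   # assumed gateway interface addresses

# The three private ranges from the IP Addressing slide.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


class HideNAT:
    """Many-to-one: hosts in `internal` are hidden behind `hide_ip`, told
    apart by the source port the gateway assigns. Only connections started
    from the protected side get a table entry, so unsolicited inbound
    packets to the hide address have nothing to map to and are refused."""

    def __init__(self, internal, hide_ip, first_port=10000):
        self.internal = ipaddress.ip_network(internal)
        self.hide_ip = hide_ip
        self.next_port = first_port
        self.by_flow = {}   # original Flow -> assigned port
        self.by_port = {}   # assigned port -> original Flow

    def outbound(self, flow):
        if ipaddress.ip_address(flow.src) not in self.internal:
            return None
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Flow(self.hide_ip, port, flow.dst, flow.dport)

    def inbound(self, reply):
        orig = self.by_port.get(reply.dport)
        # the reply must come back from the peer the connection went to
        if (reply.dst != self.hide_ip or orig is None
                or (reply.src, reply.sport) != (orig.dst, orig.dport)):
            return None
        return Flow(reply.src, reply.sport, orig.src, orig.sport)


class StaticNAT:
    """One-to-one: each internal host has its own public address, so the
    translation works for connections started from either side."""

    def __init__(self, mapping):
        self.priv_to_pub = dict(mapping)
        self.pub_to_priv = {pub: priv for priv, pub in mapping.items()}

    def outbound(self, flow):
        pub = self.priv_to_pub.get(flow.src)
        return None if pub is None else Flow(pub, flow.sport, flow.dst, flow.dport)

    def inbound(self, flow):
        priv = self.pub_to_priv.get(flow.dst)
        return None if priv is None else Flow(flow.src, flow.sport, priv, flow.dport)


def proxy_arp_entries(translated_addrs, gateway_ips=GATEWAY_IPS):
    """Addresses the gateway must answer ARP for when NAT rules are manual:
    none when hiding behind a gateway address, the hiding address for a
    foreign hide address, every public address for Static NAT."""
    return sorted(a for a in translated_addrs if a not in gateway_ips)


if __name__ == "__main__":
    hide = HideNAT("10.1.1.0/24", "85.10.1.1")
    out = hide.outbound(Flow("10.1.1.20", 40000, "198.51.100.5", 80))
    print("hide out:", out)
    print("hide reply:", hide.inbound(Flow("198.51.100.5", 80, "85.10.1.1", out.sport)))
    print("unsolicited:", hide.inbound(Flow("198.51.100.5", 80, "85.10.1.1", 22)))
    static = StaticNAT({"10.1.1.101": "85.10.1.4"})
    print("static in:", static.inbound(Flow("203.0.113.7", 5555, "85.10.1.4", 443)))
    print("ARP entries:", proxy_arp_entries(["85.10.1.4"]))
```

The `proxy_arp_entries` rule is the same one the ARP slide states three ways: the gateway must answer ARP for any translated address it does not already own, otherwise the upstream router never sends the gateway packets for that address.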


Lab Practice

- Lab 7: Configuring NAT

Review Questions

1. What are some reasons for employing NAT in a network?
   - When requiring private IP addresses in the internal network
   - To limit external-network access
   - To ease network administration

2. When would an Administrator favor using Manual NAT over Automatic NAT?
   - Instances where remote networks only allow specific IPs
   - Situations where translation is desired for some services, not for others
   - Environments where more granular control of address translation in VPN tunnels is needed
   - Enterprises where Address Translation Rule Base order must be manipulated
   - When port address translation is required (port forwarding)
   - Environments where granular control of address translation between internal networks is required
   - When a range of IP addresses, rather than a network, will be translated

Using SmartUpdate

Learning Objectives

- Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.
- Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.
- Upgrade and attach product licenses using SmartUpdate.

SmartUpdate and Managing Licenses

SmartUpdate Architecture

SmartUpdate Introduction

Overview of Managing Licenses

License Terminology

- Add
- Attach
- Certificate Key
- CPLIC
- Detached
- Upgrade Status
- Get
- License Expiration
- Multi-License File
- Features

License State

- Attached
- Unattached
- Requires Upgrade
- Assigned

Upgrading Licenses

New licenses need to be attached when:
- Existing license expires
- Existing license is upgraded
- Local license replaced with central license
- IP address changes

Service Contracts

Review Questions

1. What can be upgraded remotely using SmartUpdate?
   - VPN-1 Gateways
   - Hotfixes, HFAs, and patches
   - 3rd party OPSEC applications
   - UTM Edge devices
   - Nokia operating systems
   - Check Point SecurePlatform

2. What two repositories does SmartUpdate install on the Security Management Server?
   - License & Contract Repository in $CPDIR\conf
   - Package Repository in C:\Suroot (Windows), /var/suroot (UNIX)

3. What does the Pre-Install Verifier check?
   - Operating-system compatibility
   - Disk-space availability
   - Package not already installed
   - Package dependencies met

User Management and Authentication

Learning Objectives

- Centrally manage users to ensure only authenticated users securely access the corporate network, either locally or remotely.
- Manage users' access to the corporate LAN by using external databases.

Creating Users and Groups

- Authentication rules are defined by user groups.
- First define your users, then add them to groups to define authentication rules.

User Types

- External User Profile
- Groups
- LDAP Groups
- Templates
- Users

Types of Authentication

- User Authentication
- Session Authentication
- Client Authentication

Authentication Types

Authentication Schemes

- Check Point Password
- Operating System Password
- RADIUS
- SecurID
- TACACS
- Undefined

User Authentication (Legacy)

Session Authentication (Legacy)

Client Authentication Sign-On

Client Authentication Sign-on Methods

- Partially Automatic Sign-on
- Fully Automatic Sign-on
- Agent Automatic Sign-on
- Single Sign-on

LDAP User Management with SmartDirectory

- LDAP is based on the client/server model
- Each entry has a unique DN
- Default port numbers 389 & 636
- Each LDAP server is an Account Unit

Distinguished Name
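What "each entry has a unique DN" and "each LDAP server is an Account Unit" mean in practice, as an added example for this page (not Check Point code and not the SmartDirectory implementation). The block splits a Distinguished Name into its RDNs while honouring backslash escapes such as `Doe\, John`, checks whether an entry sits inside the branch an Account Unit is configured to manage, and builds the server URL with the two default ports from the slide. All DNs and host names are constructed.

```python
"""DN handling for the LDAP / SmartDirectory slides.

Added example, not Check Point code. It splits a Distinguished Name into
its RDNs (honouring backslash escapes such as 'Doe\\, John'), decides
whether an entry lies in the branch an Account Unit is configured for,
and builds the server URL with the default ports from the slide.
All DNs and host names are constructed.
"""


def parse_dn(dn):
    """Return [(attribute, value), ...] from leaf to root, with escapes removed."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:             # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":         # unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape")
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr.strip().lower(), value.strip()))
    return parsed


def _escape(value):
    return value.replace("\\", "\\\\").replace(",", "\\,")


def parent_dn(dn):
    """DN of the containing entry (empty string at the root)."""
    return ",".join(f"{a}={_escape(v)}" for a, v in parse_dn(dn)[1:])


def is_under(entry_dn, base_dn):
    """True if entry_dn is strictly inside the subtree rooted at base_dn.
    Attribute types and values are compared case-insensitively."""
    entry = [(a, v.lower()) for a, v in parse_dn(entry_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(entry) > len(base) and entry[-len(base):] == base


def account_unit_url(host, use_ssl=True):
    """Default ports from the slide: 389 for plain LDAP, 636 for LDAP over SSL."""
    return f"ldaps://{host}:636" if use_ssl else f"ldap://{host}:389"


if __name__ == "__main__":
    dn = "cn=Doe\\, John,ou=Sales,dc=example,dc=com"
    print(parse_dn(dn))
    print(parent_dn(dn))
    print(is_under(dn, "ou=sales,dc=example,dc=com"))
    print(account_unit_url("ldap.example.com"))
```

Splitting on every comma is the classic mistake here: a common name containing a comma would be read as two RDNs, and a branch check based on that split would place the entry in the wrong part of the tree.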


Multiple LDAP Servers

Configuring Entities to Work with the Gateway

Defining Account Units

Managing Users

UserDirectory Group

Lab Practice

- Lab 8: Configure User Directory

Review Questions

1. User Auth can only be used for what services?
   - Telnet
   - FTP
   - HTTP
   - rlogin
   - HTTPS

2. When using Session Authentication, what is needed to retrieve a user's identity?
   - Session Authentication Agent

3. What are the advantages of using multiple LDAP servers?
   - Compartmentalization
   - High Availability
   - Faster access time

4. Why integrate the Security Gateway and SmartDirectory (User Directory)?
   - To query user info
   - To enable CRL retrieval
   - To enable user management
   - To authenticate users

Identity Awareness

165

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 193
Identity Awareness

Deployment Platforms

Use Identity Awareness to provide granular


level access to network resources.
Acquire user information used by the
Security Gateway to control access.
Define Access Rules for use in an Identity
Awareness rule.
Implementing Identity Awareness in the
Firewall Rule Base 166

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 194
Identity Awareness

Introduction to Identity Awareness

Identity Awareness
configure network access
and auditing based on
network location, identity
of user, identity of
machine

167

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 195
Identity Awareness

Introduction to Identity Awareness

Identity Awareness
shows user activity in
SmartView Tracker and
SmartEvent based on
user and machine name,
not just IP address.

168

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 196
Identity Awareness

AD Query

Recommended for
Identity based auditing and logging
Leveraging identity in Internet application control
Basic identity enforcement in the internal network

Easily deployed, clientless identity acquisition method,


based on Active Directory integration
Transparent to the user

168

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 197
Identity Awareness

Firewall Rule Base Example

169

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 198
Identity Awareness

Scenario: Laptop Access

The gateway policy permits access to HR Web Server only


from John's desktop which is assigned a static IP address
10.0.0.19
John wants access from anywhere in the organization
Current Rule:

170

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 199
Identity Awareness

Scenario: Laptop Access - Solution

John wants to move around the organization and have


access.
Enable Identity Awareness on Gateway
Select AD Query as one of the Identity Sources

170

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 200
Identity Awareness

Scenario: Laptop Access - Solution

Check SmartView Tracker system identifies John in logs

171

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 201
Identity Awareness

Scenario: Laptop Access - Solution

Add access role object to Firewall Rule Base

172

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 202
Identity Awareness

Browser- Based Authentication

Browser-based Authentication acquires identity from


unidentified users.
Acquisition methods:
Captive Portal
Transparent Kerberos Authentication

173

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 203
Identity Awareness

Browser- Based Authentication

Captive Portal authenticates users through a Web


interface. Recommended for:
Identity based enforcement for non AD users
Deployment of Endpoint Identity Agents

173

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 204
Identity Awareness

Browser- Based Authentication

Transparent Kerberos browser attempts to authenticate


users before Captive Portal page opens.
Captive Portal requests authentication data from browser
If request successful, user redirected to destination
If request fails, user must enter Captive Portal credentials

173

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 205
Identity Awareness

Browser- Based Authentication

Captive Portal in Firewall rule base

174

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 206
Identity Awareness

Browser- Based Authentication

Transparent Kerberos:
User wants to access Internal Data Center
Identity Awareness does not recognize user, redirects browser to
Transparent Authentication page
Transparent Authentication page asks browser to authenticate itself
Browser gets Kerberos ticket from Active Directory, and gives to
Transparent Authentication page
Transparent Authentication page sends ticket to Security Gateway,
which authenticates user, redirects to original URL
If Kerberos authentication fails, Identity Awareness redirects browser
to Captive Portal
175

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 207
Identity Awareness

Browser- Based Authentication

Browser-based authentication lets you acquire identities


from unidentified users:
Managed users connecting to network from unknown devices
Unmanaged, guest users such as partners or contractors

175

2013 Check Point Software Technologies Ltd. [Confidential] For Check Point users and approved third parties | 208
Identity Awareness

Scenario: Recognized User from Unmanaged Device

Jennifers accesses internal financial data on her office


computer. She wants to access the same internal financial
data on her iPad.
Enable Identity Awareness on a gateway and select Browser-Based
Authentication as one of the Identity Sources
In the Portal Settings window in the User Access section, make sure
Name and password login is selected
Create a new rule in the Firewall Rule Base to let Jennifer McHanry
access network destinations. Select accept as action
Right-click the Action column Edit Properties to open the Action
Properties
Select Redirect http connection to authentication (captive) portal
Click OK 176


Scenario: Recognized User from Unmanaged Device

From the Source of the rule, right-click to create an Access Role
Enter a Name for the Access Role
In the Users tab, select Specific users and choose Jennifer McHanry
In the Machines tab, make sure that Any machine is selected
Click OK. The Access Role is added to the rule.


Scenario: Recognized User from Unmanaged Device

Jennifer:
Browses to Finance server from iPad
Enters her system credentials in Captive Portal
Is successfully directed to Finance server


Scenario: Recognized User from Unmanaged Device

Log entry


Scenario: Guest User from Unmanaged Devices

The CEO wants company guests to have Internet access on their own laptops.
Enable Identity Awareness on a gateway, and select Browser-Based Authentication as one of the Identity Sources
In the Portal Settings window, in the User Access section, make sure Unregistered guest login is selected
Click the Unregistered guest login Settings and configure:
The data guests must enter
For how long users can access the network resources
If a user agreement is required, and its text


Scenario: Guest User from Unmanaged Devices

Create a rule so that identified users can access the Internet from the organization
From the Source of the rule, right-click to create an Access Role
Enter a Name for the Access Role
In the Users tab, select All identified users
Click OK


Scenario: Guest User from Unmanaged Devices

Create a rule to let Unauthenticated Guests access only the Internet
From the Source of the rule, right-click to create an Access Role
Enter a Name for the Access Role
In the Users tab, select Specific users and choose Unauthenticated Guests
Click OK. The Access Role is added to the rule
Select Accept as the Action
Right-click the Action column and select Edit Properties
Select Redirect http connections to an authentication (captive) portal and click OK.


Scenario: Guest User from Unmanaged Devices

The Guests:
Browse to an Internet site from their laptop
The Captive Portal opens (they are not identified, so they cannot access the Internet)
They enter identifying data in the Captive Portal, and read through and accept a network access agreement
A welcome window opens
They can successfully browse to the Internet for a specified period of time


Scenario: Guest User from Unmanaged Devices

The SmartView Tracker log shows how the system recognizes a guest


Identity Agents

Two types of Identity Agents:
Endpoint Identity Agents
Terminal Servers Identity Agents


Identity Agents

Endpoint Identity Agent recommended for:
Leveraging identity for Data Center protection
Protecting highly sensitive servers
When accuracy in detecting identity is crucial


Identity Agents

Using Endpoint Identity Agents gives you:
User and machine identity
Minimal user intervention
Seamless connectivity
Connectivity through roaming
Added security


Identity Agents

Types of Endpoint Identity Agents:
Full
Light
Custom


Identity Agents

How a user downloads the Endpoint Identity Agent from the Captive Portal


Scenario: Endpoint Identity Agent Deployment & User Group Access

ACME wants only the Finance Department to access the Finance Web server.
Finance users to be automatically authenticated with SSO
Roaming users to have continuous access to the Finance Web Server
Access to the Finance Web server to be secure, preventing IP spoofing attempts


Scenario: Endpoint Identity Agent Deployment & User Group Access

To make the scenario work:
Enable Identity Awareness on a gateway and select Identity Agents and Browser-Based Authentication as Identity Sources
Click the Browser-Based Authentication Settings button
In the Portal Settings window, in the User Access section, select Name and password login
In the Identity Agent Deployment from the Portal section, select Require users to download and select the Identity Agent Full option
Configure Kerberos SSO


Scenario: Endpoint Identity Agent Deployment & User Group Access

Create a rule in the Firewall Rule Base that lets only Finance Department users access the Finance Web server, and install policy.
From the Source of the rule, right-click to create an Access Role
Enter a Name for the Access Role
In the Networks tab, select Specific users and add the Active Directory Finance users group
In the Users tab, select All identified users
In the Machines tab, select All identified machines and select IP spoofing protection, and click OK
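As an added example (not Check Point's code), the following Python model shows how the Access Roles from the three scenarios above (Jennifer from any device, All identified users plus Unauthenticated Guests, and the Finance group with IP spoofing protection) are matched against the identity the gateway holds for a packet's source IP. The option constants, the treatment of guests as identified users and the agent_verified flag are assumptions of this model, not documented gateway behaviour; all identity sessions and addresses are constructed.

```python
from dataclasses import dataclass

ANY, ALL_IDENTIFIED, UNAUTHENTICATED_GUESTS = "any", "all identified", "unauthenticated guests"

@dataclass(frozen=True)
class Identity:
    """What the gateway knows about one source IP (constructed sample data)."""
    ip: str
    user: str = ""                    # "" means no user identity
    groups: frozenset = frozenset()   # AD groups of the user
    machine: str = ""                 # "" means no machine identity
    source: str = "portal"            # "portal", "kerberos" or "agent"
    guest: bool = False               # logged in via Unregistered guest login

@dataclass(frozen=True)
class AccessRole:
    name: str
    users: object = ANY        # ANY, ALL_IDENTIFIED, UNAUTHENTICATED_GUESTS or frozenset of users/groups
    machines: object = ANY     # ANY, ALL_IDENTIFIED or frozenset of machine names
    ip_spoofing_protection: bool = False

@dataclass(frozen=True)
class Rule:
    role: AccessRole                  # Access Role placed in the Source column
    redirect_to_portal: bool = False  # Redirect http connections to an authentication (captive) portal

@dataclass(frozen=True)
class Packet:
    src_ip: str
    http: bool = True
    agent_verified: bool = False      # assumption: the Endpoint Identity Agent confirmed the packet
                                      # really left the identified machine, not a spoofed source IP

def users_match(role, ident):
    if role.users == ANY:
        return True
    if ident is None or not ident.user:
        return False                  # an unidentified source never satisfies a user selection
    if role.users == ALL_IDENTIFIED:
        return True                   # assumption: identified guests count as identified users
    if role.users == UNAUTHENTICATED_GUESTS:
        return ident.guest
    return not ident.guest and (ident.user in role.users or bool(ident.groups & role.users))

def machines_match(role, ident, packet):
    if role.machines == ANY:
        return True
    if ident is None or not ident.machine:
        return False
    if role.ip_spoofing_protection and not (ident.source == "agent" and packet.agent_verified):
        return False                  # machine identity not anchored to this packet: possible spoofing
    return role.machines == ALL_IDENTIFIED or ident.machine in role.machines

def role_matches(role, packet, identities):
    ident = identities.get(packet.src_ip)
    return users_match(role, ident) and machines_match(role, ident, packet)

def decide(rules, packet, identities):
    """First matching rule wins; unidentified HTTP hitting a redirect rule goes to the Captive Portal."""
    for rule in rules:
        if role_matches(rule.role, packet, identities):
            return "accept"
        if rule.redirect_to_portal and packet.http and packet.src_ip not in identities:
            return "redirect"
    return "drop"                     # implicit cleanup rule

# Constructed identity sessions: Jennifer on her office PC (agent), on her iPad (portal), and a guest.
IDENTITIES = {
    "10.1.1.20": Identity("10.1.1.20", "jmchanry", frozenset({"Finance"}), "jennifer-pc", "agent"),
    "10.1.2.55": Identity("10.1.2.55", "jmchanry", frozenset({"Finance"})),
    "10.9.0.7": Identity("10.9.0.7", "Bob Visitor", guest=True),
}
# The Access Roles from the three scenarios above (role names are constructed).
JENNIFER_RULE = Rule(AccessRole("Jennifer_any_device", users=frozenset({"jmchanry"})), redirect_to_portal=True)
GUEST_RULES = [Rule(AccessRole("Identified_users", users=ALL_IDENTIFIED)),
               Rule(AccessRole("Guests", users=UNAUTHENTICATED_GUESTS), redirect_to_portal=True)]
FINANCE_RULE = Rule(AccessRole("Finance_only", users=frozenset({"Finance"}), machines=ALL_IDENTIFIED,
                               ip_spoofing_protection=True), redirect_to_portal=True)
```

Jennifer's portal login from the iPad satisfies her Any-machine role but not the Finance role, and a packet carrying her office IP without agent confirmation is dropped rather than redirected.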


Scenario: Endpoint Identity Agent Deployment & User Group Access

The Finance Department user can now browse to the Finance Web server, where the Captive Portal opens because the user is not identified and cannot access the server


Other Endpoint Identity Agent Options

Other options that can be configured for Endpoint Identity Agents:
A method that determines how Endpoint Identity Agents connect to a Security Gateway enabled with Identity Awareness and trust it
Access roles to leverage machine awareness
End user interface protection so users cannot access the client settings
Let users defer client installation for a set time and ask for user agreement confirmation


Scenario: Identifying Users Accessing the Internet through Terminal Servers

ACME wants user access to the Internet through Terminal Servers, and only the Sales Department is to be able to access Facebook
Sales users will automatically be authenticated with Identity Awareness when logging in to the Terminal Servers
All connections to the Internet will be identified and logged
Access to Facebook will be restricted to the Sales Department's users


Scenario: Identifying Users Accessing the Internet through Terminal Servers

To enable the Terminal Servers solution, Amy must:
Configure Terminal Server/Citrix Identity Agents as an identity source for Identity Awareness.
Install a Terminal Servers Identity Agent on each of the Terminal Servers.
Configure a shared secret between the Terminal Servers Identity Agents and the Identity Server.
After configuration and installation of the policy, users that log in to Terminal Servers and browse to the Internet will be identified and only Sales department users will be able to access Facebook.


Deployment

Perimeter security gateway with Identity Awareness:
Most common deployment
Protects access to DMZ and internal network
Can control and inspect outbound traffic
Can create an identity-based firewall security Rule Base together with Application Control


Deployment

Data Center Protection:
Protect access to segregated server farms
Gateway inline in front of Data Center
All traffic that flows in is inspected by the gateway
Identity-based access policy controls access to resources and applications
Can be deployed in transparent (bridge) mode to avoid changing existing infrastructure


Deployment

Large scale enterprise deployment:
Multiple gateways deployed at different locations
Identity Awareness managed centrally
Identity-based policies distributed to all identity aware gateways
Identity information about users and machines obtained by each gateway is shared by all gateways


Deployment

Network segregation:
Control access between network segments with identity-based policy
Deploy gateway close to the access network to avoid malware and unauthorized access in the global network


Deployment

Distributed enterprise with branch offices:
Deploy gateway at remote offices to avoid malware and unauthorized access to headquarters network and Data Centers
Enable Identity Awareness at branch office gateway so users authenticate before reaching internal resources
Branch office identity information is shared between internal gateways


Deployment

Wireless campus:
Deploy Identity Awareness enabled gateway inline in front of the wireless switch
Provide an identity awareness policy and inspect traffic that comes from WLAN users
Guest access can be given by authenticating with the Captive Portal


Lab Practice

Lab 9: Identity Awareness


Review Questions

1. Identity Awareness lets you configure network access based on what?
Network location
Identity of a user
Identity of a machine


2. Browser-based Authentication lets you acquire identities from?
Unidentified users, such as managed users connecting to the network from unknown devices, and guests, such as partners or contractors


3. What are two types of Identity Agents?
Endpoint Identity Agent
Terminal Servers Identity Agent

Introduction to Check Point VPNs


Learning Objectives

Configure a pre-shared secret site-to-site VPN with partner sites.
Configure permanent tunnels for remote access to corporate resources.
Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels.


The Check Point VPN


The VPN

A VPN uses encrypted tunnels to exchange data
Uses the IKE and IPSec protocols
IKE creates the tunnel
IPSec encrypts the data


Site-to-Site VPN

Strong encryption
Reliable
Scalable


Remote-Access VPN

Strong authentication
Centralized management
Scalable


VPN Implementation


Understanding VPN Deployment

Check Point VPN management model:
Administrators directly define a VPN on a group of Gateways
Gateway in group = VPN site
Each VPN site performs encryption for its VPN Domain (LAN, networks)
Grouped VPN sites = VPN Community


VPN Communities

[Figure: VPN Community diagram showing the VPN Community members (VPN sites), the VPN Domain behind each site and the VPN tunnel between them]

VPN Tunnel
Domain-based VPN
Route-based VPN

Remote Access Community

Specifically for remote users
Secures communication between users and the corporate LAN


Meshed VPN Community


Star VPN Community


Choosing A Topology

Meshed Community:
Appropriate for Intranet
Participating Gateways part of internally managed network

Star Community:
Appropriate for exchange with external partners
Central and satellite Gateways


Combination VPN


Topology and Encryption Issues


Special VPN Gateway Conditions



Authentication Between Community Members

Before exchanging keys and building tunnels, Gateways must authenticate in one of two ways:
Certificates
Pre-shared secret


Domain and Route-Based VPNs

Two ways to direct VPN traffic:
Domain-based VPN
Route-based VPN


Access Control and VPN Communities


Using the VPN column of the Rule Base, you can create access
control rules that apply only to members of a VPN community:


You can also create rules that are relevant for both VPN Communities
and host machines not in the Community:


Accepting All Encrypted Traffic


Special Considerations for Planning a VPN Topology

1. Who needs secure/private access?
2. From a VPN point of view, what will be the organization structure?
3. How will externally managed Gateways authenticate?


Integrating VPNs into a Rule Base

Simplified Mode Rule Base


Simplified vs. Traditional Mode VPNs

Simplified Mode:
Simpler
Less error-prone
More secure
Easier to understand
New VPN features

Traditional Mode:
Maintain existing VPN definitions


VPN Tunnel Management

A VPN tunnel provides:
Authenticity
Privacy
Integrity

Types and number of tunnels:
Permanent Tunnels
VPN Tunnel Sharing


Permanent Tunnels

Configuration of permanent tunnels on the Community level:
Can be specified for an entire community
Can be specified for a specific Gateway
Can be specified for a single VPN tunnel


Tunnel Testing for Permanent Tunnels

Testing to see if VPN tunnels are active:
1. Test
2. Reply
3. Connect
4. Connected


VPN Tunnel Sharing

Control the number of tunnels:
One per host pair
One per subnet pair
One per Gateway pair
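The following added Python example (not Check Point code) ties together the VPN column of the Rule Base from the Access Control and VPN Communities slides and the three VPN Tunnel Sharing modes above: a constructed two-site meshed community decides which flows are community traffic, how many tunnels each sharing mode would create for a set of flows, and which rules apply only to community members. Site names, addresses, the community name and the rule set are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VpnSite:
    name: str
    gateway_ip: str
    domain: tuple              # VPN Domain: the networks this gateway encrypts for

# Constructed meshed community with two member sites (names and addresses are made up).
COMMUNITY = "MyIntranet"
SITES = (
    VpnSite("Corporate", "203.0.113.1", ("10.1.0.0/24", "10.1.1.0/24")),
    VpnSite("Branch", "198.51.100.1", ("10.2.0.0/24",)),
)

def site_for(ip):
    """Return (site, network) whose VPN Domain contains ip, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for site in SITES:
        for net in site.domain:
            if addr in ipaddress.ip_network(net):
                return site, net
    return None, None

def is_community_traffic(src, dst):
    """Only traffic between the VPN Domains of two different members goes through the community."""
    s_site, _ = site_for(src)
    d_site, _ = site_for(dst)
    return s_site is not None and d_site is not None and s_site != d_site

def tunnel_key(src, dst, mode):
    """Identify the tunnel carrying src->dst under a VPN Tunnel Sharing mode; None if not VPN traffic."""
    if not is_community_traffic(src, dst):
        return None
    s_site, s_net = site_for(src)
    d_site, d_net = site_for(dst)
    ends = {"host": (src, dst),                                        # one tunnel per host pair
            "subnet": (s_net, d_net),                                  # one tunnel per subnet pair
            "gateway": (s_site.gateway_ip, d_site.gateway_ip)}[mode]   # one tunnel per Gateway pair
    return tuple(sorted(ends))     # a tunnel is bidirectional, so direction does not add a tunnel

def count_tunnels(flows, mode):
    """Number of distinct tunnels the given (src, dst) flows would create under a sharing mode."""
    return len({key for src, dst in flows if (key := tunnel_key(src, dst, mode)) is not None})

@dataclass(frozen=True)
class Rule:
    src: str                   # "Any" or a network in CIDR notation
    dst: str
    vpn: str                   # the VPN column: "Any Traffic" or a community name
    action: str

def _net_match(field, ip):
    return field == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(field)

def first_match(rules, src, dst):
    """Action of the first rule whose Source, Destination and VPN columns all match (simplified model)."""
    in_vpn = is_community_traffic(src, dst)
    for rule in rules:
        if rule.vpn != "Any Traffic" and not (in_vpn and rule.vpn == COMMUNITY):
            continue               # rule applies only to the community members' encrypted traffic
        if _net_match(rule.src, src) and _net_match(rule.dst, dst):
            return rule.action
    return "drop"                  # implicit cleanup rule

RULES = [
    Rule("Any", "10.1.1.0/24", COMMUNITY, "accept"),      # finance net reachable only through the VPN
    Rule("Any", "10.1.1.0/24", "Any Traffic", "drop"),
    Rule("Any", "Any", "Any Traffic", "accept"),           # applies to members and non-members alike
]
FLOWS = [("10.1.0.5", "10.2.0.9"), ("10.1.0.6", "10.2.0.9"), ("10.1.1.7", "10.2.0.9"),
         ("10.1.0.5", "10.2.0.10"), ("10.1.0.5", "10.1.1.7")]   # the last flow stays inside Corporate
```

The same four site-to-site flows need four tunnels per host pair, two per subnet pair and one per Gateway pair; the flow that never leaves Corporate creates no tunnel and is not community traffic for the VPN column.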


Remote Access VPNs

SecuRemote
SecureClient
SecureClient Mobile
L2TP


Multiple Remote Access VPN Connectivity Modes

IPsec Software Blade modes for connectivity and routing issues:
Office Mode
Visitor Mode
Hub Mode


Establishing a Connection Between a Remote User and a Gateway


Lab Practice

Lab 10: Site-to-Site VPN Between Corporate and Branch Office (Certificate)


Review Questions

1. What is a VPN Community?
A collection of VPN enabled Gateways capable of communication via VPN tunnels.


2. What is a meshed VPN Community?
A VPN Community in which a VPN site can create a VPN tunnel with any other VPN site within the community.


3. Which is the preferred means of authentication between VPN Community members, and why?
Certificates, because they are more secure than pre-shared secrets.


4. When planning a VPN topology, what questions should be asked?
Who needs secure/private access?
From the point of view of the VPN, what will be the structure of the organization?
How will externally managed Gateways authenticate?
