
Page 233 s265

FireWall-1 Version 4.0

Unit IV-1
Authentication
Page 233 s266

Authentication: Objectives

• List types of services supported by FireWall-1 requiring user names and passwords
• Demonstrate how to implement authentication using the various authentication schemes
Page 234 s267

Authentication Types
• User
  • Authenticates users for specific services (FTP, HTTP, HTTPS, TELNET and RLOGIN)
• Client
  • Authenticates users of any service; the user is required to telnet to port 259 on the firewall, or to connect with a web browser to HTTP port 900, to be authenticated for a service
• Session
  • Like client authentication, but with the session authentication agent the user does not have to telnet to the firewall
Page 234 s268

User Authentication

• Client initiates an FTP, HTTP, TELNET or RLOGIN connection to the destination server.
• Using the same connection as the client, FireWall-1 asks the client for authorization.
• Client responds with ID and password.
• FireWall-1 allows the connection.
Page 236 s269

Client Authentication
• Client initiates a TELNET or HTTP connection to the firewall. Client authentication requires users to TELNET to port 259 or to connect to the firewall with a Web browser on HTTP port 900 to be authenticated for a service. The firewall asks for the ID and password and verifies that the user is authentic.
• FireWall-1 recognizes the client's IP address and allows access to the destination server. Access to the destination server is closed by time-out, logout or number of sessions.
Page 237 s270

Session Authentication

• Client attempts to contact the server.
• FireWall-1 blocks the packet and contacts the session authentication agent.
• The session authentication agent pops up on the client's screen. Client enters ID and password.
• Client's ID and password are sent to the firewall. FireWall-1 accepts the ID and password and allows the connection to the server.
Page 240 s271

Authentication Schemes

• Internal Authentication Schemes
  • *S/Key
  • FireWall-1 Password
  • O/S Password
• External Authentication Schemes
  • *SecurID
  • *RADIUS
  • *AXENT Pathways Defender
  • *TACACS

*FireWall-1 enables these authentication schemes by default.
Page 241 s272

Authentication Setup

Select Users from the Manage menu.
Click New to set up a new user.
Click Edit to configure authentication for an existing user.
Page 242 s273

User Properties
Select the Authentication tab of User Properties.
Select the Authentication scheme.
Authentication screens vary depending on the scheme selected.
Page 242 s274

S/Key Authentication Scheme

Select S/Key and specify the user properties.
Page 242 s275

OS Password Authentication Scheme

Select OS Password and specify the user properties.
Page 242 s276

FireWall-1 Password Authentication Scheme

Select FireWall-1 Password and specify the user properties.
Page 243 s277

Enable Authentication Scheme

Select the firewalled object from the Network Objects Manager.
Page 244 s278

Select Authentication Scheme

Select the Authentication tab and select the authentication scheme to enable.
Page 244 s279

Add Authentication Rule

Right-click on Action and select User, Client or Session.
Page 245 s280

Configure Authentication Rule

Right-click on Action and select Edit Properties.
Page 245 s281

User Authentication Properties


Page 245 s282

Client Authentication Properties


Page 245 s283

Session Authentication Properties


Page 257 s284

FireWall-1 Version 4.0

Unit IV-2
Network Address
Translation
Page 257 s285

Network Address Translation (NAT): Objectives

• Describe why network address translation is necessary
• Outline the process that FireWall-1 uses to translate IP addresses
• Identify and define the three address translation modes
• Show how to set up all address translation modes
Page 258 s286

Legal vs. Illegal/Reserved

• Legal IP Addresses
  204.32.38.111
  204.32.38.112
• Illegal/Reserved IP Addresses
  192.168.1.1
  192.168.1.2
Page 258

Availability of IP Addresses
3 main classes of IP addresses: A, B and C:
• Class A address: 127 networks, ~16M hosts/network
• Class B address: 16,000 networks, 65,532 hosts/network
• Class C address: ~2M networks, 254 hosts/network

Class  First Byte Range  Decimal Format  Binary Format
A      1-127             10.1.1.13       00001010.00000001.00000001.00001101
B      128-191           130.14.1.2      10000010.00001110.00000001.00000010
C      192-223           204.30.13.45    11001100.00011110.00001101.00101101


Page 258

RFC 1918

RFC 1918 has reserved a set of IP network addresses that can be used for address translation:
• 1 Class A Network Number: 10.0.0.0
• 16 Class B Network Numbers: 172.16.0.0 through 172.31.0.0
• 256 Class C Network Numbers: 192.168.0.0 through 192.168.255.0

Internal networks with RFC 1918 network numbers can reach all hosts on the Internet, since no hosts on the Internet can use them.
Page 259 s289

How FireWall-1 Reads IP Addresses

1. Legal IP Address 204.32.38.1
2. Illegal/Reserved IP Address 192.168.1.1
3. Illegal/Reserved IP Address 192.168.1.1
4. Legal IP Address 204.32.38.1
Page 260 s290

NAT Modes

• Static Source Mode
  • Translates illegal internal IP addresses to legal IP addresses when packets leave a network
• Static Destination Mode
  • Translates legal IP addresses to illegal internal IP addresses when packets enter a network
• Hide Mode
  • Hides multiple illegal internal IP addresses behind one legal address
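The three NAT modes and the RFC 1918 check, as an added example (not Check Point code) using the addresses from these slides: 192.168.1.1 is statically mapped to 204.32.38.1, and the 198.132.176.0/24 network from the Hide Mode slide is hidden behind 204.32.38.111 (a legal address from the deck; the choice of hiding address and the port-pool start are assumptions).

```python
import ipaddress

# Added example, not Check Point code: a small model of the three FireWall-1
# NAT modes. The RFC 1918 networks are the three the deck lists; the port
# pool start is an assumption.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_reserved(addr):
    """True if addr is an illegal/reserved (RFC 1918) address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

class Nat:
    def __init__(self, static_map, hide_net, hide_addr):
        self.src_map = dict(static_map)                       # internal -> legal (static source)
        self.dst_map = {v: k for k, v in static_map.items()}  # legal -> internal (static destination)
        self.hide_net = ipaddress.ip_network(hide_net)        # internal range hidden in hide mode
        self.hide_addr = hide_addr                            # the one legal hiding address
        self.hide_table = {}                                  # translated port -> (internal ip, port)
        self.next_port = 10000                                # assumed start of the port pool

    def outbound(self, src, sport):
        """Packet leaving the network: rewrite the internal source address."""
        if src in self.src_map:                               # static source mode
            return self.src_map[src], sport
        if ipaddress.ip_address(src) in self.hide_net:        # hide mode: many -> one
            port = self.next_port                             # a fresh port tells replies apart
            self.next_port += 1
            self.hide_table[port] = (src, sport)
            return self.hide_addr, port
        return src, sport                                     # legal address, no translation

    def inbound(self, dst, dport):
        """Packet entering the network: restore the internal destination."""
        if dst in self.dst_map:                               # static destination mode
            return self.dst_map[dst], dport
        if dst == self.hide_addr and dport in self.hide_table:
            return self.hide_table[dport]                     # reply to a hidden host
        return None                                           # no mapping: hidden hosts are unreachable
```

Note that in hide mode only replies to connections the hidden hosts opened can be translated back; an unsolicited packet to the hiding address has no table entry and is dropped.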
Page 261 s291

Static Source Mode

EXTERNAL: Legal IP Address 204.32.38.1
   <-- Static Source Mode -->
INTERNAL: Network with Illegal/Reserved IP Address 192.168.1.1
Page 261 s292

Static Destination Mode

EXTERNAL: Legal IP Address 204.32.38.1
   <-- Static Destination Mode -->
INTERNAL: Network with Illegal/Reserved IP Address 192.168.1.1
Page 263 s293

Hide Mode

EXTERNAL: 1 Legal IP Address 204.32.38.1
   <-- Hide Mode -->
INTERNAL: Network with Multiple Illegal/Reserved IP Addresses: 198.132.176.0
Page 264 s294

Applying Translation Modes

Select a network object to apply NAT.
Page 265 s295

Applying Translation Modes (Continued)

Note that the IP address is illegal/reserved.
Page 265 s296

Applying Translation Modes (Continued)

Select the NAT tab.
Check "Add NAT Rules".
Complete the fields.
Page 270 s297

NAT Rule Base

Automatically generated
Page 283 s298

FireWall-1 Version 4.0

Final
Scenario
Page 284 s299

Final Scenario: Objectives

• Install and configure the firewall software.

The configuration will involve the basic features of Check Point FireWall-1 software (NAT, authentication, rule base issues and object definition).
Page 285 s300

Sample Solution Rule Base

The sample illustrates a possible solution to the Final Lab Scenario.
Page 285 s301

Sample NAT Rule Base

The sample illustrates a possible solution to the Final Lab Scenario.