NGX II r65 Slides

Check Point Security Administration II NGX R65
2003-2007 Check Point Software Technologies Ltd. All rights reserved. Proprietary and confidential.
puresecurity
Slide Graphic Legend
puresecurity
Course Objectives
Part 1: Updating and Upgrading Chapter 1: SmartUpdate
Identify the common operational features of SmartUpdate. Use SmartUpdate to create an upgrade package. Upgrade and attach product licenses using SmartUpdate.
Chapter 2: Upgrading VPN-1

Determine which VPN-1 upgrade strategy is appropriate, given a variety of scenarios. Determine VPN-1 license requirements, based on upgrade strategy.
puresecurity
Course Objectives
Part 2: Virtual Private Networks Chapter 3: Encryption and VPNs
Explain encryption for VPNs. Compare and contrast common encryption methods. Describe the process for setting up a encrypted VPN tunnels.
Chapter 4: Introduction to VPNs

Select the appropriate VPN deployment to meet requirements, given a variety of scenarios. Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements. Adjust NGX R65 VPN configuration settings to correct a problem, given symptoms of a configuration problem.
puresecurity
Course Objectives
Chapter 5: Site-to-Site VPNs
Select the appropriate VPN deployment to meet requirements, given a variety of scenarios. Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements. Adjust VPN configuration settings to correct a problem, given symptoms of a configuration problem.
Chapter 6: Remote Access VPNs

Configure VPN-1 to support remote-access VPNs, given a variety of business requirements.
puresecurity
Course Objectives
Part 3: High Availability and ClusterXL Chapter 7: High Availability and ClusterXL
Identify the features and limitations of Management High Availability. Identify the benefits and limitations of different modes in a ClusterXL configuration. Configure a ClusterXL VPN, given a specific business scenario. Implement and test State Synchronization, given a business scenario.
puresecurity
Preface Check Point Security Administration II NGX (R65)
puresecurity
Course Layout
Prerequisites Check Point Certified Security Expert (CCSE)
puresecurity
Recommended Setup for Labs

Recommended Lab Topology
puresecurity
Recommended Setup for Labs

IP Addresses Lab Terms
puresecurity
10
Check Point Security Architecture

PURE Security
puresecurity
11

Check Point Components
puresecurity
12

Unified Security Architecture
puresecurity
13

Broad Range of Security Solutions
puresecurity
14

Network Security Data Security Security Management Services
puresecurity
15
Training and Certification

CCMA Learn More
puresecurity
16
Part 1: Updating and Upgrading

Chapter 1: SmartUpdate
Chapter 2: Upgrading VPN-1
puresecurity
17
1
SmartUpdate
Objectives
Identify the common operational features of SmartUpdate. Use SmartUpdate to create an upgrade package. Upgrade and attach product licenses using SmartUpdate.
puresecurity
19
Introduction to SmartUpdate
Optional component of VPN-1 that automatically distributes software applications and updates for Check Point and OPSEC certified products Manages product licenses
puresecurity
20
Introduction to SmartUpdate
SmartUpdate Architecture
puresecurity
21
Upgrading Packages
Prerequisites for Remote Upgrades Retrieving Data From VPN-1 Gateways Adding New Packages to the Package Repository Verifying the Viability of a Distribution Transferring Files to Remote Devices Upgrading Edge Firmware with SmartUpdate Rebooting the VPN-1 Gateway Recovering From a Failed Upgrade Deleting Packages From the Package Repository
puresecurity
22
Managing Licenses
Central license: package license tied to IP address of SmartCenter Server Local license: package license tied to IP address of VPN-1 Gateway, and cannot be transferred to Gateway with different IP address License Upgrade Retrieving License Data From VPN-1 Gateways CPInfo SmartUpdate Command Line
puresecurity
23
1
Updating an Installation with SmartUpdate
Review Questions & Answers
1. What can be upgraded remotely using SmartUpdate?
puresecurity
25
VPN-1 Gateways Hotfixes, HFAs, and patches Third-party OPSEC applications UTM Edge devices Nokia operating systems Check Point SecurePlatform
puresecurity
26
2. What two repositories does SmartUpdate install on the SmartCenter Server?
puresecurity
27
License & Contract Repository in $FWDIR\conf Package Repository in C:\SUroos (Windows), /var/suroot (UNIX)
puresecurity
28
3. What does the Pre-Install Verifier check?
puresecurity
29
Operating-system compatibility Disk-space availability Package not already installed Package dependencies met
puresecurity
30
4. What are the benefits of using a central license?
puresecurity
31
Only one IP address is needed for all licenses. A license can be moved from one Gateway to another. A license remains valid when changing Gateway IP addresses.
puresecurity
32
2
Upgrading VPN-1
Objectives
Determine which VPN-1 upgrade strategy is appropriate, given a variety of scenarios. Determine VPN-1 license requirements, based on upgrade strategy.
puresecurity
34
Preinstallation Configuration
Remove any services not running that might be considered a security risk. Ensure your network and Gateway are properly configured, with special emphasis on routing. Log in to each of the hosts, and Ping the other hosts. Enable IP routing/forwarding. Confirm that DNS is working properly. Note names/IP addresses of the Gateways interfaces. Confirm Gateways name corresponds to IP address of Gateways external interface. Isolate the computers on which you will be installing VPN-1 components from the network. Verify you have correct version of software for all VPN-1 components.
puresecurity
35
Distributed Installation
VPN-1 Client/Server Configuration
puresecurity
36
Upgrading To VPN-1 NGX R65
Upgrade Guidelines Upgrade Order Upgrade Export/Import Upgrading via SmartUpdate
puresecurity
37
VPN-1 Backward Compatibility

Supported Versions
puresecurity
38
Licensing VPN-1
Obtaining Licenses Supported Upgrade Paths Contract Verification
puresecurity
39
Performing License Upgrade

Two Upgrade Methods Trial Licenses
puresecurity
40
Pre-Upgrade Considerations
Pre-Upgrade Verification Tool Web Intelligence License Enforcement Upgrading on SecurePlatform
puresecurity
41
Upgrading SmartCenter Server

Using the Pre-Upgrade Verification Tool
puresecurity
42
Gateway Upgrade
Gateway Upgrade with SmartUpdate
puresecurity
43
1. What is the correct order for a VPN-1 upgrade?
puresecurity
44
SmartCenter Server first, then Security Gateway
puresecurity
45
2. What should be done before installing a VPN-1 Security Gateway?
puresecurity
46

Remove any services not running that may be a security risk. Make sure your network and Gateway are properly configured. Test network communication. Enable IP routing/forwarding Confirm DNS is working properly. Note the names and IP addresses of the Gateways interfaces. Confirm the Gateway is shown in the hosts files correctly. Isolate the computers. Verify the correct version of software for you OS
puresecurity
47
3. What methods are there for upgrading licenses?
puresecurity
48
Centrally, from the SmartCenter Server via SmartUpdate Locally at the Check Point machine
puresecurity
49
4. Which products can be upgraded to NGX R65?
puresecurity
50

VPN-1 Pro Gateways SecurePlatform SmartView Monitor Eventia Reporter UserAuthority Server Policy Server Check Point QoS Nokia OS UTM-1
puresecurity
51
Part 2: Virtual Private Networks

Chapter 3: Encryption and VPNs
Chapter 4: Introduction to VPNs

Chapter 5: Site-to-Site VPNs Chapter 6: Remote Access VPNs
puresecurity
52
3
Encryption and VPNs
Objectives
Explain encryption for VPNs. Compare and contrast common encryption methods. Describe the process for setting up a encrypted VPN tunnels.
puresecurity
54
Securing Communication
Privacy
puresecurity
55
Shared-Secret Key
puresecurity
56
Symmetric Encryption
puresecurity
57
Symmetric Disadvantages Asymmetric Encryption
puresecurity
58
Diffie-Hellman Encryption
puresecurity
59
Integrity
Hash Function
puresecurity
60
Authentication
Digital Signature
puresecurity
61
Two Phases of Encryption Encryption Algorithms
puresecurity
62
IKE
ISAKMP Oakley ISAKMP/Oakley Phase 1 Phase 2 IKE Example
puresecurity
63
IKE
Tunneling-Mode Encryption
Encrypted Packet
puresecurity
64
Certificate Authorities
Certificates Multiple Certificate Authorities Certificate Authority Hierarchy
puresecurity
65
Local Certificate Authority
puresecurity
66
CA Service via the Internet
puresecurity
67
Internal Certificate Authority CA Public Keys
CA Action
puresecurity
68
Creating Certificates
puresecurity
69
1. What three tenets of network communication do Security Administrators need to ensure?
puresecurity
70

Confidentiality No one, other than the intended parties, can understand the communication. Integrity The sensitive data passed between the communicating parties is unchanged. Authentication The communicating parties must be sure they are connecting with the intended party.
puresecurity
71
2. Which encryption system uses a different key for encryption and decryption?
puresecurity
72
Asymmetric cryptographic systems
puresecurity
73
3. What two modes does VPN-1 supply for IKE Phase 1 between Gateways?
puresecurity
74
Main mode (default) Aggressive mode
puresecurity
75
4. Which encryption method encapsulates an entire packet, adding its own encryption protocol header to the packet?
puresecurity
76
Tunnel-mode encryption
puresecurity
77
4
Introduction to VPNs
Objectives
Select the appropriate VPN deployment to meet requirements, given a variety of scenarios. Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements. Adjust NGX R65 VPN configuration settings to correct a problem, given symptoms of a configuration problem.
puresecurity
79
The Check Point VPN

Check Point VPN Topology
puresecurity
80
The Check Point VPN

Simplified VPN Tunnel
puresecurity
81
The Check Point VPN

How a VPN Works
Gateway-to-Gateway Network configuration
puresecurity
82
The Check Point VPN

Specifying Encryption
puresecurity
83
VPN Deployments
Site-to-Site VPNs
puresecurity
84
VPN Deployments
Remote-Access VPNs
puresecurity
85
VPN Implementation
Three Critical VPN Components
Complete VPN
puresecurity
86
VPN Implementation
VPN Setup
Two-Network Configuration
puresecurity
87
VPN Implementation
How a VPN Works
puresecurity
88
VPN Implementation
VPN Tunnel
puresecurity
89
VPN Implementation
VPN Communities
puresecurity
90
VPN Implementation
VPN Topologies
Basic Meshed Community
puresecurity
91
VPN Implementation
Star VPN Community
puresecurity
92
VPN Implementation
Choosing a Topology
Star and Mesh Combined
puresecurity
93
VPN Implementation
Different Encryptions in Mesh Communities
puresecurity
94
VPN Implementation
Special Condition
puresecurity
95
VPN Implementation
Three VPN Communities
puresecurity
96
VPN Implementation
Authentication Between Community Members Dynamically Assigned IP Gateways Routing Traffic Within a VPN Community Access Control and VPN Communities
puresecurity
97
VPN Implementation
Access Control in VPN Communities
puresecurity
98
VPN Implementation
Special Considerations for Planning a VPN Topology
puresecurity
99
VPN Implementation
Integrating VPNs into a Rule Base
puresecurity
101
1. What is a VPN Community?
puresecurity
102
A collection of VPN enabled Gateways capable of communication via VPN tunnels
puresecurity
103
2. What is a meshed VPN Community?
puresecurity
104
A VPN Community in which a VPN site can create a VPN tunnel with any other VPN site within the Community
puresecurity
105
3. Which is the preferred means of authentication between VPN Community members, and why?
puresecurity
106
Certificates, because they are more secure than preshared secrets
puresecurity
107
4. If both domain-based VPN and route-based VPN are configured, which will take precedence?
puresecurity
108
Domain-based VPN
puresecurity
109
5. When planning a VPN topology, what questions should be asked?
puresecurity
110
Who needs secure/private access? From the point of view of the VPN, what will be the structure of the organization? How will externally managed Gateways authenticate?
puresecurity
111
5
Site-to-Site VPNs
Objectives
Select the appropriate VPN deployment to meet requirements, given a variety of scenarios. Configure VPN-1 to support site-to-site VPNs, given a variety of business requirements. Adjust VPN configuration settings to correct a problem, given symptoms of a configuration problem.
puresecurity
113
Site-to-Site VPN
Domain-Based VPN
puresecurity
114
Site-to-Site VPN
Simple VPN Routing
puresecurity
115
Site-to-Site VPN
Route-Based VPN VPN Routing Process for VTIs
puresecurity
116
Site-to-Site VPN
Routing to a Virtual Interface
puresecurity
117
Site-to-Site VPN
Route-Based VPN
puresecurity
118
Site-to-Site VPN
Routing Multicast Packets Through VPN Tunnels
puresecurity
119
Site-to-Site VPN
Multicasting
puresecurity
120
VPN Tunnel Management

Permanent Tunnels
puresecurity
121

Permanent Tunnel in MEP Environment
puresecurity
122

VPN Tunnel Sharing
puresecurity
123
Wire Mode
Wire Mode in a MEP Configuration
puresecurity
124
Wire Mode
Wire Mode in MEP
puresecurity
125
Wire Mode
Wire Mode with Route-Based VPN
Wire Mode in a Satellite Community
puresecurity
126
Wire Mode
Wire Mode Between Two VPN Communities
puresecurity
127
Directional VPN Enforcement

Directional Enforcement Between Communities
puresecurity
128

Directional Enforcement Within a Community
puresecurity
129

Directional Enforcement Between Communities
Directional VPN between Mesh and Star Communities
puresecurity
130
Multiple Entry Point VPNs

VPN High Availability with MEP
puresecurity
131
Traditional Mode VPNs

Organizations with large VPN deployments with complex networks may continue to work within Traditional Mode. VPN Domains and Encryption Rules
puresecurity
132
2
Two-Gateway IKE Encryption (Shared Secret)
3
Two-Gateway IKE Encryption (Certificates)
1. What type of VPN does the use of VPN tunnel interfaces support?
puresecurity
135
Route-based VPNs
puresecurity
136
2. What are the three types of VPN tunnel sharing supported by VPN-1?
puresecurity
137
One VPN tunnel per each pair of hosts One VPN tunnel per subnet pair One VPN tunnel per Gateway pair
puresecurity
138
3. What is the advantage of a Wire Mode VPN?
puresecurity
139
Improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement, and relying on the security of the trusted VPN connection itself
puresecurity
140
4. What are the primary benefits of Multiple Entry Point VPNs?
puresecurity
141
High Availability Load Sharing
puresecurity
142
6
Remote Access VPNs
Objectives
Configure VPN-1 to support remote-access VPNs, given a variety of business requirements.
puresecurity
144
Remote Access VPN

VPN-1 SecuRemote enables you to create a VPN tunnel between a remote user and your organizations internal network. Extending SecuRemote with SecureClient Connect Mode Establishing Remote Access Workflow
puresecurity
145
Remote Access VPN

Workflow for Establishing Remote Access VPN
puresecurity
146
Office Mode
How Office Mode Works
puresecurity
147
Office Mode
Office Mode Process
puresecurity
148
Office Mode Planning
IP Pool vs. DHCP Routing-Table Modifications Multiple External Interfaces Before Configuring Office Mode
puresecurity
149
Desktop Security Policy
Policy Expiration and Renewal Policy Server HA Wireless Hotspot/Hotel Registration Logging SecureClient Mobile
puresecurity
150
VPN Routing Remote Access

VPN routing provides a way of controlling how VPN traffic is directed. VPN routing can be implemented with Gateways and remote-access clients. Configuration for VPN routing is performed either through SmartDashboard, or by editing routingconfiguration files.
puresecurity
151

Simple VPN Routing
puresecurity
152

Hub Mode
puresecurity
153
SSL Network Extender

SSL Network Extender is connected to an SSL enabled Web server that is part of the Security Gateway. SSL Network Extender It is via SmartDashboard. How SSL Network Extender Works Prerequisites
puresecurity
154
Clientless VPN
Clientless VPN provides secure SSL-based communication between clients and servers that support HTTPS. Two phases:
Establishing a secure channel Communication phase
puresecurity
155
Clientless VPN
Communication Phase
puresecurity
156
Clientless VPN
Special Considerations for Clientless VPN Configuring Clientless VPN Creating Appropriate Rules in the Rule Base
puresecurity
157
4
Configuring Remote Access in an IKE VPN
5
Using SecuRemote in an IKE VPN
6
Remote Access and Office Mode
7
SSL Network Extender
6 1.
When a SecuRemote/SecureClient needs to know the elements of the organizations internal network to build a connection, how is that information sent?
puresecurity
162
Over a connection secured and authenticated using IKE over SSL
puresecurity
163
6 2.
What is the most recommended and manageable method for client-Gateway authentication?
puresecurity
164
Digital Certificates
puresecurity
165
6 3.
What problem does Office Mode solve?
puresecurity
166
Nonroutable IP addresses; Office Mode enables a VPN-1 Gateway to assign a remote client an IP address.
puresecurity
167
6 4.
What is the advantage of SSL Network Extender
puresecurity
168
Simple to implement, easy-to-use remote-access solution
puresecurity
169
Part 3: High Availability

Chapter 7: High Availability and ClusterXL
puresecurity
170
7
High Availability and ClusterXL
Objectives
Identify the features and limitations of Management High Availability. Identify the benefits and limitations of different modes in a ClusterXL configuration. Configure a ClusterXL VPN, given a specific business scenario. Implement and test State Synchronization, given a business scenario.
puresecurity
172
Management High Availability

Management High Availability Deployment
puresecurity
173

Management High Availability Environment Synchronization Status
puresecurity
174

Typical Management High Availability Example
puresecurity
175
ClusterXL
VPN-1 Gateway Cluster
puresecurity
176
ClusterXL
Load Sharing
puresecurity
177
ClusterXL Modes
Legacy High Availability Mode New High Availability Mode Load Sharing Multicast Mode Load Sharing Unicast (Pivot) Mode
puresecurity
178
ClusterXL Modes
Load Sharing Unicast Mode
puresecurity
179
ClusterXL Modes
Cluster Member Forwarding Packet
puresecurity
180
ClusterXL Modes
Cluster Control Protocol
puresecurity
181
Synchronizing Clusters
The Synchronization Network How State Synchronization Works Synchronized-Cluster Restrictions
puresecurity
182
Sticky Connections
The Sticky Decision Function
puresecurity
183
cpha Commands
cphastart cphastop cphaprob cphaprob Syntax cphaprob Example fw hastat
puresecurity
184
Debugging ClusterXL Issues

fw ctl pstat Sync Output
puresecurity
185
ClusterXL Configuration Issues

Modes of ClusterXL Supporting SecureXL Crossover-Cable Support
puresecurity
186
8
Deploying New Mode HA
9
Load Sharing Unicast (Pivot) Mode
10
Configuring Load Sharing Multicast Mode (Optional)
8 1.
For Management HA to function properly, what data must be synchronized and backed up?
puresecurity
190
8 2.
In ClusterXL, what benefit does State Synchronization provide?
puresecurity
192
Ensures no data is lost in case of a cluster member failure; all connection information and VPN state information is synchronized between the members.
puresecurity
193
8 3.
What does Load Sharing in Multicast Mode do?
puresecurity
194
Enables you to distribute network traffic between cluster members
puresecurity
195
8 4.
In what two modes does State Synchronization work?
puresecurity
196
Full sync, which transfers all VPN-1 kernel-table information from one cluster member to another Delta sync, which transfers changes in the kernel tables between cluster members
puresecurity
197
8 5.

What is a sticky connection?
puresecurity
198

When all of a connections packets are handled, in either direction, by a single cluster member
puresecurity
199

NGX II r65 Slides

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

NGX II r65 Slides

Hochgeladen von

Copyright:

Verfügbare Formate

Check Point Security Administration II NGX R65

Slide Graphic Legend

Chapter 2: Upgrading VPN-1

Chapter 4: Introduction to VPNs

Chapter 6: Remote Access VPNs

Preface Check Point Security Administration II NGX (R65)

Recommended Setup for Labs

Recommended Setup for Labs

Check Point Security Architecture

Check Point Security Architecture

Check Point Security Architecture

Check Point Security Architecture

Check Point Security Architecture

Network Security Data Security Security Management Services

Training and Certification

Part 1: Updating and Upgrading

Chapter 2: Upgrading VPN-1

Review Questions & Answers

1. What can be upgraded remotely using SmartUpdate?

Review Questions & Answers

Review Questions & Answers

2. What two repositories does SmartUpdate install on the SmartCenter Server?

Review Questions & Answers

Review Questions & Answers

3. What does the Pre-Install Verifier check?

Review Questions & Answers

Review Questions & Answers

4. What are the benefits of using a central license?

Review Questions & Answers

Upgrading To VPN-1 NGX R65

Upgrade Guidelines Upgrade Order Upgrade Export/Import Upgrading via SmartUpdate

VPN-1 Backward Compatibility

Performing License Upgrade

Upgrading SmartCenter Server

Review Questions & Answers

1. What is the correct order for a VPN-1 upgrade?

Review Questions & Answers

SmartCenter Server first, then Security Gateway

Review Questions & Answers

2. What should be done before installing a VPN-1 Security Gateway?

Review Questions & Answers

Review Questions & Answers

3. What methods are there for upgrading licenses?

Review Questions & Answers

Review Questions & Answers

4. Which products can be upgraded to NGX R65?

Review Questions & Answers

Part 2: Virtual Private Networks

Chapter 4: Introduction to VPNs

ISAKMP Oakley ISAKMP/Oakley Phase 1 Phase 2 IKE Example

Review Questions & Answers

1. What three tenets of network communication do Security Administrators need to ensure?

Review Questions & Answers

Review Questions & Answers

Review Questions & Answers

Asymmetric cryptographic systems

Review Questions & Answers

Review Questions & Answers

Main mode (default) Aggressive mode

Review Questions & Answers

Review Questions & Answers

The Check Point VPN

The Check Point VPN