My CCSA(156.215.65) Diary

[amol0009in_7]

Well i am starting my diary so that when i would pass it would help others to know how to prepare for examinations.

My Target for completing CCSA is by next 2 months.And this is how i am going to complete my CCSA:-
1) Syngress.Check.Point.NGX.R65.Security.Administrati on.Feb.2008 pdf i am gonna read that
2) Documentation of CCSA from Checkpoint site -- will do that after reading my book
3) During last 10 days i am going to take off from my work and going to join Classes to get Official Examination Guide of Checkpoint, for practical labs, for clearing my doubts..
4) The Judgement Day:- I am going to pass 156.215.65 examination very easily after putting lots of efforts for that.

[amol0009in_7]

Hi Guys,
Recently while studying on PKI deployments in various scenarios i found this line

Quote:

CA operations such as registration or revocation are usually performed
through HTTP forms. CRLs are retrieved from an HTTP server functioning as a CRL
repository

it means that Certificates are passed to each other in HTTP Form ???

Just thinking isn't that should be HTTPS, it can lead to major security breach in any large organisation if Certificates issued by ICA are captured.

What do you think guys? :o

Ummmm.................................Need to do google on it!

[cpbillm]

Quote:

Originally Posted by amol0009in_7

My Target for completing CCSA is by next 2 months.And this is how i am going to complete my CCSA:-
1) Syngress.Check.Point.NGX.R65.Security.Administrati on.Feb.2008 pdf i am gonna read that
2) Documentation of CCSA from Checkpoint site -- will do that after reading my book
3) During last 10 days i am going to take off from my work and going to join Classes to get Official Examination Guide of Checkpoint, for practical labs, for clearing my doubts..
4) The Judgement Day:- I am going to pass 156.215.65 examination very easily after putting lots of efforts for that.

I hope to pass the 156.215.65 exam with all self study preparation. I just ordered the Syngress Check Point NGX R65 Security Administration (2008) from Amazon.

question: What is the specific CCSA documentation on the Checkpoint site?

also - is there any other way to obtain the Official Examination Guide for Checkpoint without having to take the course?


thanks
cpbillm

[cpbillm]

update: I found the info on the sadikhov forum.

[amol0009in_7]

Hi!
CPbillin...,Feels nice to have someone with you to prepare for the exam.Please do regular visit to my diary let me know ur progress as well. Together we can help each other to study and pass.

Thanks,
amol0009in_7

[amol0009in_7]

Ha!!!

I started with Chapter no 5 as i have already completed 1-4 chapters.
The topic was "Advanced VPN Concepts and Tunnel Monitoring" was quite easy but below are some points u should not miss.
1) How IKE works and how SA is formed.I found it some hard but letter on read the checkpoints docs and then visited How IKE works (Crytogrphy)

2) IKE -- > port UDP 500

3) IKE phases --> I and II
Phase I --> Main mode or agressive mode (1 day by default)
Phase II --> (every hour by default)

4) What is Perfect Forward Secrecy(PFS) - need to research little bit on this the working is not explained

5) IP Compression and IKE DoS Attack - again no info on how to prevent DoS attack

6) What is IKE SA and IPSec SA

7) Mesh and Star Topology and there differences

8) PKI deplyoment - very easy to understand but need to research on how CA is deployed in various scenarios

9) What is Policy Based VPN and Route Based VPN(SecurePlatform and Nokia IPSO 3.9 >) and where to use

10) VPN Directional Match - didn't get to much what it is and when and where to use it.Need to do lot of research in this

11) Secure platform(imp must know) and Nokia IPSO Configuration(not imp)

12) Very IMP VPN Routing must be configured only within two gateways of same community.

Well that was the end of VPN but still one lesson to follow which deals with VPN Client Installation which i would do after doing research on the things i didn't get.

Meanwhile if anyone can help me out with those things that i didn't digest. Well next one week research and will share with u the output of the same.

Thanks! :)

[amol0009in_7]

Thanks for the support from all of u guys...

After wasting my 5 days i am back on my track, today was doing revision on VPN through Checkpoint docs.But at IPsec i got confused
Why IPsec lifetime is defined in kilobytes.

Googled and found some interesting thing about IPsec

From Wikipedia:-

Quote:

In order to decide what protection is to be provided for an outgoing packet, IPsec uses the Security Parameter Index (SPI), an index to the security association database (SADB), along with the destination address in a packet header, which together uniquely identify a security association for that packet. A similar procedure is performed for an incoming packet, where IPsec gathers decryption and verification keys from the security association database.

There is SADB which is not given in book

Quote:

For multicast, a security association is provided for the group, and is duplicated across all authorized receivers of the group. There may be more than one security association for a group, using different SPIs, thereby allowing multiple levels and sets of security within a group

Quote:

IPsec implementation is a mandatory part of IPv6[1] but is not an integral part of IPv4.

Comming to my main doubt IPsec in kilobytes.Actually i found it from cisco site (one more reason why cisco is gr8 than others)

Quote:

There are two lifetimes: a "timed" lifetime and a "traffic-volume" lifetime. A security association expires after the first of these lifetimes is reached. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes (10 megabits per second for one hour per second for one hour).

Checkpoint defers in this and has traffic-volume as 50,000 this can be problem for vpn between cisco and checkpoint device!

You can change this option by going to dbedit --> Table --> Managed Obects --> Communities
ike_p2_use_rekey_kbytes --> for enabling traffic-volume lifetime
ike_p2_rekey_kbytes --> specyging the size (50000 by default)

[amol0009in_7]

Got Perfect Forward Secrecy(PFS) :)

It is very simple. in normal operation DH key is computed during IKE phase I and used for IPsec SA,but comprising of this key can lead to compromising of subsequent keys.To solve this we enable PFS and due to this DH key is generated during IKE phase II and renewed for each key exchange.The DH group 2(1024 bits) is used during this senario.

PFS is supported only between gateways.




Mistake in Checkpoint docs
In VPN Admin doc there is one mistake "Support key exchange for subnets"
this option is for earlier products like R55 but for new products like R65 it is under VPN Tunnel Sharing (once agian proved cisco is best)

[amol0009in_7]

Hey all those who are preparing for exam please note that go through checkpoint docs, there are many things which are not given in book.

Huhhhh.. looking at those vast PDF i don't think i would be able to complete it within 1 month. Anyguys who have passed out there 215.65 have u read all the docs of checkpoint.
Its huge docs there.......hummmm.....

[amol0009in_7]

Thanks! Derby,

Indeed other vendors should be looked.And i know Cisco is best.While talking of IPSec Lifetime i wasn't able to guess why it is in Kilobytes?

I openend cisco and then i found.

Thanks for the book info also, becuase of pplz like u we are always heading in right direction.I will definetly get that book.

By the way can anyone who had passed 215.65 exam suggest me whether i need to go through all docs from checkpoint site.Its huge....and how long it takes to finish this exam ?

[amol0009in_7]

Hey i had a very hard time with vpn domain overlapping.For those who don't know what is VPN domain let me tell you.

VPN Domain (Checkpoint):-
VPN Domain is nothing but the network or hosts or topology which you are going to access after connecting to your VPN Gateway

VPN Domain Overlapping:-[
This occurs if two gateways A & B have same network , hosts behind there gateway.

You can check this by using the following command on Smartcentre
vpn overlap_encdom

You would get reply something like this:

Quote:

#> vpn overlap_encdom
The objects A and B have overlapping encryption domains.
The overlap domain is:
10.1.2.0 - 10.1.2.255

So now what to do? The answer is simple remove the overlapping ip's from either Gateway A or B.

How to do that?
I had very tough time dealing with this, where is vpn domain defined ? So let me tell you where u can find it.
1) Open Smartdashboard
2) Double click on Gateway A
3) Go to Topology and below Topology details you will find the VPN domain.

Now you have got the object which is VPN domain of gateway A , now edit that object and remove overlapping domain.So simple it is.

Also one more thing the VPN domain is also called as Encryption domain don't forget it.And have good times

[amol0009in_7]

I had one doubt
In checkpoint docs it is given:

Quote:

As part of the certificate validation process during the IKE negotiation, both the client and the gateway check the peer’s certificate against the Certificate Revocation List (CRL) published by the CA which issued the certificate. If the client is unable to retrieve a CRL, the gateway retrieves the CRL on the client’s behalf and transfers the CRL to the client during the IKE negotiation (the CRL is digitally signed by the CA for security).

Suppose if the client is connecting to gateway which is in CRL list,and then if desired the gateway can submit fake CRL to client so that client accepts connection with gateway What do u think?

[d31jan]

CAN any one tell me

How good is pass4sure regarding 156.215.65


Regards
d31jan

[amol0009in_7]

P4S = Fail

To pass this exam u need lot of practice and need to know where the settings are , under which option it is.

Read the Checkpoint docs,book first and then use it.

[amol0009in_7]

Just Finished SecureClient Mobile Chapter! Huh!! huge one
-Based on SSL(HTTPS) Tunneling

Operations Mode:

• Centrally Managed(policy downloaded)
• SSL Network Extender(policy predifned)

Session Continuation

• Continued session(session-id)
• Dial-up(if no internet access)
• Always connected(Valid IP-Add, Exits Standby or after shutdown, Device released from disconnect condition[Active Sync])

Authentication

• Certificates(X.509,Smartcards,etc)
• One time password(RSA, SecurID, SoftID)
• User/Password Combination & Multichallenge Response

*Seamless authentication achieved by caching

High Availability(HA)

• Clustering(2 g/w behind 1 logical ip)
• DNS Clustering(no session-continuation)

Unencrypted(Clear) Traffic

• Active Sync(connected to pc)
• When Disconnected(inside encryption domain)

Routing

• Hub Mode(through gateway)
• Office Mode(Ip address allocation ,behind gateway)
• Visitor Mode(SSL Tunnel - when bypassing firewall, NAT Device to get to Internet)

Policies:

1. Can be decided by client(not default)
2. if no policy downloaded,Master(predefined) policy used
3. IP Firewall Policy(Allow all, Outgoing&Encrypted, Outgoing only, Encryted only, )
4. Custom polices can be defined for client connectivity(Active Sync-allow/disallow , drop non-encrypted traffic , disable packet forwarding, Always Connected, Disconnected)

Client Deployment:

• Self Installing CAB Package
• Self Installing MSI Package(ActiveSync)

*SCM Gateway Deployment with Patch installation if g/w is not supporting:
cpstop-->cpdb scheme_adjust-->cpstart

*When Gateway is configured for SCM and SSL support and properties configured differetly then SSL settings are used

*Gateway should participate in remote-access community

Load Sharing Cluster Suppport

• IP's, ports, SPI(default)
• IP's, port
• IP's

*Sticky Decision Function:resumes session with another g/w if one fails

When Patch not installed on g/w changes need to be done via TTM files($fdir/conf/)

1. vpn_client_1.ttm
2. fw_client_1.ttm
3. neo_client_1.ttm

Ways to configure Security Policy(in order or priority):

1. Using SmartDashboad
2. Using the GUIDBEdit tool
3. Modifying the TTM files on each gateway
4. Modifying the startup.C file in a package

*Certificates should be used first for locked devices(cpcert.cab)-->copy to devce with activesync-->run .cab with help of file explorer

*Enabling the SAA plugin enables the ability to implement additonal authentication schemes (for example SoftID.) The plugin also allows customizing the login page.

*SCV can be configured and exception can be added for SCM

*Split tunneling: SCM decides for traffic to be tunneled or encrypted based on topology he has downloaded

Troubleshooting:

• Enable loggin at SCM
• Routing table at SCM
• IP Configuration
• Error Messages

I am going to go dead :wacko: ,reading so much detail info on each topic,well this post will be usefull to revise while appearing for exam.Now next target is Packaging SecureClient :mad:

[amol0009in_7]

Finally decided 18th december is the date i am giving the exam.I want to complete it before next year so that from Jan 2009 i can start my CCIE Studies.As far as i know i have read all the topics

Now i am going to revise syngress book,student handbook,checkpoint docs not all but few which i think are important. till 15th of november and then 1 month practicals and last week dumps.

I know i have taken effort! I know i have the knowledge! I know i am gonna pass this exam!

[amol0009in_7]

Just finished up the Authentication Chapter revision and would like to summarize here.As like me there might be many confused, so don't worry here is all you need to know of Authentication to pass the CCSA exam:

Quote:

Extract from CP manual:

When a Gateway requires user information for authentication purposes, it searches
for this information in three different places:
1. The first place that is queried is the internal users database.
2. If the specified user is not defined in this database, the Gateway queries the SmartDirectory (LDAP) servers defined in the Account Unit one at a time, and according to their priority. If for some reason the query against a specified SmartDirectory (LDAP) server fails, for instance the SmartDirectory (LDAP) connection is lost, the SmartDirectory (LDAP) server with the next highest priority is queried.
If there is more than one Account Unit, the Account Units
are queried concurrently. The results of the query are either taken from the first Account Unit to meet the conditions, or from all the Account Units which meet the conditions. The choice between taking the result of one Account Unit as opposed to many is a matter of Gateway configuration.
3. If the information still cannot be found, the Gateway uses the external users template to see if there is a match against the generic profile. This generic profile has the default attributes applied to the specified user.

Quote:

LDAP
* Sequence for configuring user management
1. Enable LDAP in Global properties
2. Configure host node for LDAP server
3. Configure object for the LDAP account unit

* In NGX, if a distinguished name (DN) is NOT found in LDAP, NGX takes the common-name value from the certificate subject, and searches the LDAP account unit for a matching user id.
* When you add LDAP users to a client authentication rule you need an LDAP group in the client authentication rule.
* A user attempts authentication using secure remote, and the users password is rejected. A valid cause would be that the LDAP and security gateway’s databases are not synchronized.
* On smart Center server - $FWDIR/lib/ldap/schema_microsoft_ad.ldif
* Profiles – Microsoft_AD, Novell_DS, Netscape_DS, OPSEC_DS

Authentication
* Checks 3 places – Internal users database, LDAP Server, Generic profile
* User-authentication
1. Five services allowed – telnet / ftp / rlogin / http / https
2. Two connections are created after successful authentication; client to gateway, and gateway to target server
3. Per user basis – Best if used if user is connecting from different machines
4. 3 auth attempts by default
5. Security server first checks if the connection can be allowed by a rule that does not require authentication. If one exists, the user will be connected through the less-restrictive rules, bypassing the user authentication rule. – I had 2 questions on this

* Session-authentication
1. Any service
2. Requires session auth agent which performs automatic authentication

* Client authentication
1. Any service
2. Grants access on a per host/ip address basis
3. Need to be above stealth rule in rule base to connect to the gateway first
4. Best used for workstations, single-user machines
5. It is possible to set a refreshable time-out for client authentication. This means that for every new connection the time-out is reset (default=30 minutes)
6. Required Sign-on options
a. Standard Sign on – User on a client machines allowed to use for all services, and does not have to log on for each service used.
b. Specific Sign on – The user must re authenticate for each service accessed
7. Sign-On Methods
a. Manual - Telnet to security gateway port 259 or http port 900
b. Partial Automatic – all client authentication rules for users are activated. User authentication is used as trigger. Session authentication is never used
c. Fully Automatic – Attempts session authentication, if it does not support user authentication. User authentication is used as a trigger wherever it can be. Session is used otherwise.
d. Agent Automatic – Attempts session and has to have the agent installed. Session authentication is always used. User authentication is never used.
i. Difference between fully automatic and agent automatic, is that agent automatic always uses session authentication. With fully, user authentication is used where it is supported.
e. Single Sign on – NGX send query to user authority with the packets source ip address. IT returns the name of the user who is registered to that IP address. If it’s the users name authenticated then the traffic is passed, otherwise it is dropped.
--taken from jgahan1978 Study Sheet

1)There will be a yellow icon named cpconfig_administrators, which represents the administrator configured through the SecurePlatform Web interface or the cpconfig utility on a SmartCenter.
2)Before you create an administrator, you need to create a Permissions Profile
3) If Authentication scheme for user is undefined then the administrator will authenticate using digital certificates.Same is the for the user during vpn
4) Smartdirectory(LDAP) uses account unit so that the servers defined in the account unit can communicate with Smartcentre and when u fetches the ldap branches while configuring ldap server it indicates that LDAP server is communicating with Smartcentre


User authentication summary still to follow but i think jgahan1978 had explained very well above

[amol0009in_7]

As many would have been confused with intersect with user database.Here is the explanation
courtesy:godspeedcapri

Quote:

Link: hxxp://www.checkpoint.com/support/technical/online_ug/authent.html


Source - Reconcile Source in the rule with Allowed Sources in the User Properties window.


The Allowed Sources field in the User Properties window may specify that the user to whom this rule is being applied is not allowed access from the source address, while the rule may allow access. This field indicates how to resolve this conflict.

Choose Intersect with User Database to apply the intersection of the access privileges specified in the rule and in the User Properties window.

Choose Ignore User Database to allow access according to the Source specified in the rule.

Example



Suppose a user's User Properties window lists the network objects Tower and BigBen under Allowed Sources. TABLE 1-2 summarizes the various access possibilities.

TABLE 1-2 Access Possibilities rule allows access from ... Source is Intersect with User Database Source is Ignore User Database

Tower The user is allowed access only from Tower, because only Tower is in both Allowed Sources and Source. The user is allowed access only from Tower, because only Tower is in Source.

Thames The user is denied access, because there is no network object that is in both Allowed Sources and Source. The user is allowed access only from Thames, because only Thames is in Source.



Destination - Reconcile Destination in the rule with Allowed Destinations in the User Properties window.


The Allowed Destinations field in the User Properties window may specify that the user to whom this rule is being applied is not allowed access to the destination address, while the rule may allow access. This field indicates how to resolve this conflict.

Choose Intersect with User Database to apply the intersection of the access privileges specified in the rule and in the User Properties window.

Choose Ignore User Database to allow access according to the Destination specified in the rule.

[amol0009in_7]

Just finished reading 25% pages of AT and i was surprised , i was answering every question without looking at options available correctly :D
Seems like my hardwork is paying off.....Although i need to work more on QoS, VoIP,Natting and memorize all Smartdefense settings and firewall ports
18 Days to go for exam!.....hope i finish it off... :rolleyes:

Now i am gonna watch some movie,study later on.. :)

[amol0009in_7]

Today gonna deal with QoS and Smartdefense