CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
w00t! I passed with an 84%.

QoS = 100%
HA and clustering = 91%
Admin Utilities = 0% - I don't even remember a question on utilities...
Remote Access = 100%
Upgrading NGX = 71%
Content Security = 73%
VoIP = 88%
Configuring VPNs = 83%

Every question I had on my exam was on the latest Actual Tests with 101 questions. I knew every question on the practice test, so some of those answers on the practice test are incorrect, hence I got the 84%. I also put together a study sheet for both CCSA and CCSE. The CCSE is much longer, but it has a lot of information. I recommend studying the Actual Tests 101 questions, and reading through Check Point docs on their site. Hopefully these study guides will help some of you out. Good luck!

=========================================================
CCSA Study Guide NGX 156-215.1
=========================================================

Licensing
* Central
  o The new license remains valid when changing the IP address of the Check Point Gateway. There is no need to create and install a new license.
  o Only one IP address is needed for all licenses.
  o A license can be taken from one Check Point Gateway and given to another.
* Q: You must request a central license for one remote gateway; how would you request and apply the license?
  A: Request the central license using the SmartCenter Server's IP, then attach the license to the remote gateway using SmartUpdate.

LDAP
* Sequence for configuring user management:
  1. Enable LDAP in Global Properties
  2. Configure a host node for the LDAP server
  3. Configure an object for the LDAP account unit
* In NGX, if a distinguished name (DN) is NOT found in LDAP, NGX takes the common-name value from the certificate subject, and searches the LDAP account unit for a matching user ID.
* When you add LDAP users to a Client Authentication rule you need an LDAP group in the Client Authentication rule.
* A user attempts authentication using SecuRemote, and the user's password is rejected. A valid cause would be that the LDAP and Security Gateway databases are not synchronized.
* On the SmartCenter Server: $FWDIR/lib/ldap/schema_microsoft_ad.ldif
* Profiles: Microsoft_AD, Novell_DS, Netscape_DS, OPSEC_DS

Authentication
* Checks 3 places: internal users database, LDAP server, generic profile
* User Authentication
  1. Five services allowed: telnet / ftp / rlogin / http / https
  2. Two connections are created after successful authentication: client to gateway, and gateway to target server
  3. Per-user basis. Best used if the user is connecting from different machines
  4. 3 auth attempts by default
  5. The Security Server first checks if the connection can be allowed by a rule that does not require authentication. If one exists, the user will be connected through the less-restrictive rule, bypassing the User Authentication rule. I had 2 questions on this.
* Session Authentication
  1. Any service
  2. Requires the Session Authentication Agent, which performs automatic authentication
* Client Authentication
  1. Any service
  2. Grants access on a per host / IP address basis
  3. Needs to be above the Stealth rule in the Rule Base, to connect to the gateway first
  4. Best used for workstations, single-user machines
  5. It is possible to set a refreshable time-out for Client Authentication. This means that for every new connection the time-out is reset (default = 30 minutes)
  6. Required Sign-On options
     a. Standard Sign On: the user on a client machine is allowed to use all services, and does not have to log on for each service used.
     b. Specific Sign On: the user must re-authenticate for each service accessed
  7. Sign-On Methods
     a. Manual: Telnet to the Security Gateway on port 259, or HTTP on port 900
     b. Partial Automatic: all Client Authentication rules for users are activated. User Authentication is used as the trigger. Session Authentication is never used
     c. Fully Automatic: attempts Session Authentication if the service does not support User Authentication. User Authentication is used as a trigger wherever it can be; Session Authentication is used otherwise.
     d. Agent Automatic: attempts Session Authentication and has to have the agent installed. Session Authentication is always used. User Authentication is never used.
        i. The difference between Fully Automatic and Agent Automatic is that Agent Automatic always uses Session Authentication. With Fully Automatic, User Authentication is used where it is supported.
     e. Single Sign On: NGX sends a query to UserAuthority with the packet's source IP address. It returns the name of the user who is registered to that IP address. If it is the user's name that authenticated then the traffic is passed, otherwise it is dropped.

Multicast
* Typical use: real-time audio and video to a set of hosts
* Configured on the gateway's interface settings
* Controls access of multicast traffic to specific groups, ensuring that multicast applications are not inadvertently broadcast to outside groups.
* Multicast traffic to and from specific objects is controlled via policy rules
* show ip mroute - display the contents of the multicast routing table (224.0.0.1)
* show ip multicast boundary - obtain summarized info for all boundaries within all interfaces

Attacks
* Common attacks:
  o Teardrop: DoS. The attack uses IP's packet fragmentation algorithm to send corrupted packets to the victim machine. This confuses the victim machine and may hang it.
  o LAND: DoS. A SYN packet in which the source address and port are the same as the destination.
  o SmallPMTU: TCP, a bandwidth attack. The client fools the server into sending large amounts of data using small packets. Creates a "bottleneck" on the server.
  o PingOfDeath: DoS. Simply sending ping packets that exceed the IP packet size, larger than 64KB.

TCP Handshake
* The active open is performed by sending a SYN to the server.
* In response, the server replies with a SYN-ACK.
* Finally the client sends an ACK back to the server.

SmartDefense
* SmartDefense is subscription based
* Settings are global when creating two or more policy packages
* Dshield.org integrates with SmartDefense by using a block list which is refreshed every 3 hours. The object that needs to be created is called CPDShield.
* You can send alerts and user-defined alerts back to DShield. I had 2 questions about this.
* Place the Block List rule as high as possible in the Security Rule Base, but below all authentication rules, and any other rules you are absolutely certain have a reputable source.
* Host port scan, sweep scan
* Peer to peer
* Explicitly protect low ports / dynamic ports

Web Intelligence - this is a separate tab in SmartDashboard
* Host configuration
* HTTP worm catcher: a worm is self-replicating malware
* Cross-site scripting: between user and websites. Malicious scripts. Steal users' identities. Cookies.
* HTTP protocol inspection: strict enforcement of the HTTP protocol (i.e. format size, ASCII-only request/response headers)
* Mail: strict enforcement of the SMTP protocol
  1. To prevent the SMTP server from being a spam relay, the most efficient way would be to configure the SMTP Security Server to perform filtering, based on IP address and SMTP protocols
* FTP: to create more granular control over FTP commands, like CWD and FIND, use the FTP Security Server settings in SmartDefense
  1. Radio button: configurations apply to all connections / forward all FTP connections to the FTP Security Server
* Microsoft Networks: CIFS, file and print sharing
* DNS: cache poisoning can make the DNS server accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries.
* VoIP: validates SIP headers
* Sweep scan: many hosts

Security Servers
* CVP = TCP port 18181, UFP = TCP port 18182
* To control the maximum number of mail messages in a spool directory: the gateway object's SMTP settings, under Advanced

NAT
* Know how many NAT entries are created for automatic/manual and host/network object NAT.
* If you use automatic NAT on a network object, there will be two NAT rules added to the firewall
* Static NAT
* Hide NAT
* RFC 1918 - address allocation for private IP networks; these IP networks cannot traverse public IP networks
* Port numbers are assigned dynamically: 600-1023 and 10000-60000. If the original port number is less than 1024, a port number is assigned from the first pool. Else a port number is assigned from the second pool.
* The high port number pool can be changed with DbEdit
* Manual NAT rules (example: necessary to do PAT for 1 static IP address, SMTP to 192.168.1.1 and HTTP to 192.168.1.2)
* Bi-directional NAT: both automatic NAT rules are applied, and both objects will be translated, so connections between the two objects will be allowed in both directions.
  1. Lets a connection match 2 NAT rules. Normally the NAT Rule Base only permits one match and then subsequently exits the process. In the case of bidirectional NAT, if the source match is an automatic NAT rule, the gateway continues to traverse the NAT rules to identify if there is a destination rule match. If the gateway finds a second match, it applies both NAT rules to the connection so that the packet is routed properly between source and destination.
* Translate destination on client side: the packet must be sent from an external host to an internal host performing static NAT. Translates the destination IP address in the kernel nearest the client to prevent conflicts between anti-spoofing and NAT.
* When the option Translate Destination on Client Side is not enabled for automatic and/or manual NAT rules, problems can occur with anti-spoofing. Make sure to configure anti-spoofing correctly. Furthermore, when using manual static NAT and this option is disabled, you need host routing entries in the FW IP routing table to the private IP address.
* For manual static NAT a manual ARP entry is necessary in the firewall OS
* When using automatic static/hide NAT, two NAT rules are always created

Security Policy (Database Revision, anti-spoofing, implied rules, global policy)
* Rule 0 = implied rules. To show them, click View, Implied Rules. These rules have no numbering. Anti-spoofing rule: drop
* Which traffic is automatically permitted by implied rules: IKE, RDP, FW-CONTROL/LOG/KEY-EXCHANGE, RADIUS, CVP, TACACS, LDAP and logical servers
* RIP, ICMP and UDP are not permitted by default
* Rule 1 = first explicit rule (user-created); these rules are numbered
* Address spoofing is not logged with a rule number, just as a SmartDefense event. This is because it is enforced before any rule in the security policy's Rule Base.
* Stealth rule: drop all traffic to the firewall and log. If you use Client Authentication, encryption or CVP, these rules must be positioned before the Stealth rule
* Cleanup rule: drop all traffic and log; this needs to be the last rule in the Rule Base
* Hidden rules: you can hide rules, but they still apply to the security policy. The hide feature is used for managing complex security policies. To unhide: click Rules, Hide, Unhide All.
* The default rule: this rule will default to any any drop, don't log
* Rule Base enforcement order:
  1. IP spoofing / IP options
  2. NAT
  3. Security policy FIRST rule
  4. Administrator-defined Rule Base
  5. Security policy BEFORE-LAST rule
  6. Cleanup rule or security policy LAST rule
* Policy package: security Rule Base and NAT, QoS, Desktop Security
* Use the Copy Policy wizard to copy a policy to an existing policy
* Database Revision Control: create a fallback configuration package. All policies, objects, users, SmartDefense and global settings. You must know when to use these two packages!!!
* Network configuration and IP routing are not included in any of the above packages. You will need to create a backup of the system configuration in order to save this information.

VPN and Encryption
* Symmetric: pre-shared key, fast; anyone who steals the key can steal data currently
* Asymmetric: public/private key, slower; Diffie-Hellman
* Privacy: no one else can see it other than the intended parties - encryption
* Integrity: no tampering - hash function, one way
* Authenticity: true communication - digital signature
* ICA (Internal Certificate Authority)
* Tunnel-mode encryption works by encapsulating an entire IP packet and then adding its own encryption header to the packet (increase of total packet size). More secure.
* SIC (Secure Internal Communication) uniquely identifies Check Point enabled machines. They have the same function as authentication certificates
* Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access, after the next Phase 2 exchange occurs? Perfect Forward Secrecy - provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys.
* Use Aggressive Mode - the standard six-packet IKE Phase 1 exchange is replaced by a three-packet exchange
* You want to establish a VPN, using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first? Create a new server object, to represent your partner's Certificate Authority (CA)
* What encryption scheme provides "in-place" encryption? DES
* Key Management Protocol: IKE
* Encryption algorithms: DES (56 bit), 3DES (3 x 56 bit = 168 bit), CAST (40-128 bit, not as strong as DES), AES (256 bit)
* Authentication algorithms: MD5, SHA1
* Encryption is encapsulated: IPSec
* VPN Tunnel Sharing settings include: one VPN tunnel per gateway pair, per each pair of hosts, and per subnet pair
* IKE DoS attacks: Global Properties

SmartView Tracker
* Three modes: LOG mode, ACTIVE mode, AUDIT mode
* Verifies the installed security policy name
* How to block an intruder: go to Active mode, select a connection, click Tools, click Block Intruder
* You can block based on source, destination, or source-destination-service
* The name of the logs depends on the MODE: LOG = .log, ACTIVE = .vlog, AUDIT = .alog
* Export to .txt is possible from the File menu
* Switch logfile: the current fw.log is closed and will be written to disk with a name that contains the current date and time.
* Only one logfile can be open at a time
* Exported logs can be viewed with SmartView Tracker

SmartView Monitor
* Create Suspicious Activity Rules: you can do it for only an hour without creating a Rule Base rule
* Check if VPN Phase 2 negotiations are failing

Command line and kernel
* Kernel memory settings without manually modifying $FWDIR/lib: settings on the gateway object's Capacity Optimization screen - Max IKE, Max Concurrent Connections, Max Tunnels
* Reset the password for the administrator which was created during initial install: cpconfig, delete the administrator's account and recreate it with the same name.
* cpstart: launches all Check Point applications
* cpstop: stops all Check Point applications
* fw start
* fw stop
* fw ver: display the Check Point version
* fw fetch [target]: fetches the last policy
* cpstop -fwflag -default: stop all Check Point processes and leave the default filter running
* cpstop -fwflag -proc: stop all Check Point processes and leave the security policy running
* fw ctl arp: display the firewall ARP entries for automatic NAT objects
* fw dbexport -f bla.ldif -l -s "o=bla,c=nl"
* fw unloadlocal: unload the local security policy. This is a very convenient feature if you are not able to access SmartDashboard, for example because of a too-strict security policy
* fwm unload [target]: unload the policy on the target enforcement module
* fwm lock_admin: used to unlock admin account(s), and view locked administrators
* cplic print: print the details of the installed Check Point licenses
* fw tab x u: display kernel table content
* fw tab t sam_blocked_ips: display the IPs blocked via the Block Intruder feature of SmartView Tracker
* /conf: rule bases, objects, users database, and certificates
* /lib: base.def

Performance
* Remove old or unused security policies from the policy package
* Reduce logging
* Put the most used rules at the top

Eventia Reporter
* Only connections that are logged by the firewall policy are available for Eventia reporting
* Reports are saved in HTML format and in CSV format
* To change the Eventia database cache size to match the memory in the server, edit $RTDIR/DATABASE/CONF/MY.INI (.INI = Windows and .CNF = UNIX)
* rmdstop: stop all Eventia Reporter services
* rmdstart: start all Eventia Reporter services
* Change Eventia database settings with the utility UpdateMySQLConfig (stop Eventia Reporter services first!)
  o RAM: R
  o Temp directories: T
  o Log files: L
  o Add new data file: A
  o To move a file: M
* Eventia Reporter is licensed per gateway
* Predefined reports, two kinds:
  o Standard: generated from info in the log files through the consolidation process, to yield relevant analysis of activity.
  o Express: generated from the SmartView Monitor history file. Express cannot be filtered.
  o Security (Standard and Express): all security-related traffic. Origin/destination of gateway. Blocked connections. Policy installs, analyze Rule Base order
  o Network Activity (Standard, Express): the most popular activities in your network; can focus on direction
  o VPN-1 (Standard, Express): encrypted traffic
  o System Info (Express): CPU, kernel, memory, VPN-1
  o My Reports (Standard, Express): customized
* What is the consolidation policy

OSE Device
* Open Security Extension: a 3rd party enforcement product that represents the router and influences and enforces the security policy.

ROBO Gateway
* Managed in SmartLSM; the entry point to the LAN
=========================================================
CCSE 156-315.1 Study Guide
=========================================================

Configure SIP environment
1. Configure an object that represents the proxy or VoIP Domain SIP object
2. To define a VoIP Domain SIP object, first you must define the following:
   o Configure a network object representing the IP-addressed phones (node objects can be defined for individual phones; objects can be placed in a group to represent the IP phones)
   o (Optional) An object hosting the VoIP SIP domain proxy
3. A VoIP SIP object must be defined if a proxy is used for IP phones to gain access to the data network. Settings:
   o Related endpoints domain: the network or IP range that represents the IP addresses assigned to the phones that need access to the network
   o VoIP gateway installed at: the host on which the proxy is installed
4. Global Properties
   o Allow to re-direct connections: if not enabled, only peer calls (endpoint to endpoint) are allowed. Calls made through proxies or redirect servers are not allowed. Calls defined in the Rule Base using VoIP domains are not allowed.
   o Allow instant messaging: allow IM apps that use the SIP protocol. Not checked by default. Peer-to-peer connections are supported. A call that uses a proxy is not supported.
   o Allow destination to re-invite calls: allow the destination to make a new call to the source while a call from the source to the destination is in progress. The destination can return data on the same call (ex. whiteboard app). The source can always make additional calls to the destination without this enabled.
   o Maximum invitations per call (from both directions)
   o Maximum number of participants that can take part in a conference call
5. Rule Base configuration
   o With a proxy on one side: allow sip or sip_any from the VoIP Domain SIP object to the network object (IP phones)
   o Without a proxy: 1 rule, allow sip or sip_any from one network to another
   o Proxies on both sides: allow sip or sip_any from one VoIP Domain SIP object to another
   o With a proxy for internal communication: 2 rules. The first allows the network to the VoIP SIP Domain object using sip or sip_any. The second allows from the VoIP SIP Domain object to a network object using sip or sip_any.
6. When to use the services: 4 predefined - sip, sip-tcp, sip_any, sip-tcp_any
   o If the source or destination is Any, and the service is sip, the object represented by Any is not allowed to redirect a connection unless it is a SIP proxy
   o If the source or destination is Any, and the service is sip_any, the object represented by Any is not a SIP proxy. (This is only true if the object is external to a network protected by a Security Gateway.)

SCCP (Skinny Client Control Protocol)
* TCP 2000 for control; media uses RTP over UDP. H.323 for audio. Headers are binary

MGCP (Media Gateway Control Protocol)
o Interoperates with SIP and H.323.
o Converts audio carried on the PSTN to data packets for the internet.
o Simplifies standards for VoIP.
o Described as a master/slave protocol

High Availability / Load Sharing: only used in a distributed config
o Gateways have to run the same supported platform
o Third machine as SmartCenter
o State sync enabled on all members

Management HA - manual or automatic, Global Properties, set for a specific time or when policies are installed
o Advanced: standby has progressed and active has not. Happens when both were active at the same time and modifications are made to the standby.
o Collision: standby and active have both progressed since the last sync
o Lagging: standby is lagging behind active.
o Never synced
o Not reachable: server is down or network problem
o Synchronized: both are synced

Unicast
o One machine (the pivot) receives all traffic from a router with a unicast configuration. Only the pivot and the router communicate.
o The pivot is responsible for forwarding and distributing the traffic throughout the cluster

Multicast
o Every member of the cluster receives all packets sent to the cluster IP address
o The most efficient load sharing mode, but requires routers or a layer 3 switch that will accept a multicast MAC address as a response to an ARP request with a unicast IP address. Many routers do not have this capability.
o Multicast will just have split percentages

Load Sharing (Active/Active) provides the benefit of increased performance
HA (Active/Standby) ensures fail-safe connectivity

CLI commands
o cphastart - enables the HA feature
o cphastop - disables the HA feature
o cphaprob
  register: register a device as a critical process
    -d <device> - <device> is the name of the device; it will appear in the output of cphaprob list
    -t <timeout> - if <device> fails to contact ClusterXL in <timeout> seconds it will be considered to have failed. Disable using 0 as the timeout
    -s <status> - status to be reported (ok/init/problem) = alive/initializing/has failed
  list: displays the state of
    -i internal devices, such as interface check, HA initialization
    -e external devices: kernel fwd, sync, filter
    -i[a] all devices
  state: displays the state of the HA configuration
  if: state of the interfaces; -a will give info per interface
  Examples:
    cphaprob -d failDevice -s problem -t 0 register
    o The machine will immediately fail, and the secondary machine will take over. failDevice is a nonexistent device in this case
    cphaprob -d failDevice -s ok report
    cphaprob -d failDevice unregister
o fw hastart <target> - displays info about the HA machines and their states
o fw ctl pstat - show sync status

State Sync
o Full/Delta - ensures all members have each other's connections
o Time can only be a couple of seconds off for it to work; a software solution is encouraged

Given the output of 'cphaprob state':
o Unicast: 30% (pivot) and 70% between the pivot member and the other members
o Multicast mode: 50% and 50%
o HA will have 100% and 0%
o New Mode High Availability - #1 has the highest priority

What is Persistent Server Mode???? - how to set up the Rule Base, and the various load balancing algorithms that are available

Moving from HA Legacy Mode (identical MACs and IPs) to Load Sharing Multicast Mode OR HA New Mode
o Members
  - Run cpstop on all members
  - Reconfigure IPs on all cluster members with unique IPs instead of shared (duplicate) IPs
  - Shared int and ext interfaces become cluster interfaces
  - Run cphaconf uninstall_macs to remove the shared MAC addresses
  - Reboot
o Dashboard
  - Open the cluster, ClusterXL tab, change the cluster mode
  - Follow the wizard
  - Install policy
o To ensure the source MAC in packets from different cluster members that are connected to the same VLAN is distinguishable, change the source MAC of the cluster interface that is connected to the VLAN in all but one of the clusters.
o Clusters communicate using the Cluster Control Protocol (CCP)
o Synchronization is slowed down by using Active mode in Tracker; to get a more accurate report of active connections, obtain a tech support hotfix or enlarge the size of the sync buffer in words (fwlddist_buf_size)

Load Balancing Methods
o Persistent Server Mode: allows a session to retain its load balancing until the session has ended
o Server Load: measures the load on each server to determine which has the most available resources
o Round Trip: handled by the server with the fastest response time
o Round Robin: assigns to the next server in the sequence
o Random: at random
o Domain: directs based on domain name

Web Intelligence on ClusterXL GWs does not survive failover. If providing protection and a member fails, HTTP connections through the failed member are lost.
A user-authenticated connection through a cluster member that fails will be lost (stored as a process). NOTE: however, Client and Session Authentication connections will not be lost (stored in kernel tables)
LMA - the Load Measuring Agent uses port 18212, shown in Global Properties

Sharing method based on:
o IPs, Ports, SPIs (default): provides the best sharing distribution, and is recommended. It is the least sticky sharing config
o IPs, Ports: should only be used if problems arise when distributing IPSec packets to a few machines although they have the same source and destination IPs
o IPs: should only be used if problems arise when distributing IPSec packets or different port packets to a few machines although they have the same source and destination IP address. This is the most sticky sharing configuration, increasing the probability that a certain connection will pass through a single cluster member in both the inbound and outbound directions.

SecureClient: 5
Supported on Windows 2000, 2003 Server, XP, XP Tablet PC Edition, Windows PocketPC 2003 SE, Windows Mobile 5.0, Mac OS 10.3, 10.4.6, and higher

Global Properties
o Topology update: when the topology download takes place; users.c file on the client
  - Update topology every: the topology is updated before the next key exchange if the defined period has elapsed since the last update
  - Automatic update: update after the key exchange so the user does not get prompted to update
  - Upon VPN-1 startup: the user is prompted when the client starts. The user can reject if they are not connected to the VPN domain, and they will be updated automatically after the next exchange takes place.
o Authentication timeout
  - Use default value: cert users are cached on the desktop, and re-authenticate on SecuRemote start. Static password (CP password / OS password) users who use Hybrid IKE do not re-authenticate until SecuRemote starts, if the cache static passwords box is checked. If it is unchecked, user re-authentication is required after 24 hours
  - Validation timeout every: users need to re-authenticate after a specified time. If there are multiple sites, it uses the minimum timeout of all the sites.
o Allow caching of static passwords on client: CP and OS passwords will be cached on the desktop until the user selects Erase Passwords, stops the SR client, performs a disconnect from Connect mode, or restarts the computer
o Enable back connections: keeps the VPN connected. Maintains session-key info and allows encrypted back connections
o Send keep-alive packet: the SR client will ping the gateway when the defined period expires
o Encrypt DNS traffic: as it says
o Use backup policy servers on logon failure: controls SC support for HA policy servers
  - Choose next policy server: if SC fails to log in to a policy server, it will attempt the next one listed
  - Choose policy server randomly: if SC fails to log in to a policy server, it will attempt a random policy server
o Revert to default policy after: the period during which the policy is considered valid. Calculated from the last login; when the time expires, revert to the default policy
o Supported authentication methods: select from pre-shared secret, public key, signatures, and legacy (hybrid) mode
o IKE over TCP: IKE negotiation sends UDP packets, which can cause IP fragments. Used to resolve long/large UDP packets and fragmentation. Some NAT devices are unable to translate IP fragments. Has to be set on the client side too. Should check this if the client connects through a NAT router. If using NAT-T, port 4500 must be enabled. UDP encapsulation uses port 2746
o IP compression: enables compression using the DEFLATE algorithm
o Load distribution: load distribution for MEP config
o Nokia clients: support remote access using Nokia clients
o SR/SC behavior while disconnected: traffic to the VPN community / to the gateway will be dropped or sent in clear text
o Hub mode: route internet traffic out of the GW. If disabled, only the VPN traffic will route through the firewall. Use the site's gateway as a router
o Disconnect client when getting IP from VPN domain: auto disconnect if one of the client's interfaces has an IP address that is part of the VPN domain
o Allow users to save troubleshooting logs: grants permission for the client to save logs
o Office Mode: specify IP assignment from the gateway, used for internal traffic
o User encryption properties: set per user or for all users
o Client will verify GW cert against revocation list: the CRL is the list of certs that have been revoked before they have expired
o Renew users' internal CA cert: auto update users' ICA cert

SCV (Secure Configuration Verification)
o With SCV enabled in Global Properties, the client has to have a desktop policy in order to connect; if there is no policy server, they cannot connect. Shows up in logging
o Apply on Simplified mode
o Upon verification failure: Block client OR Accept and log client
o Policy installed on all interfaces
o Only TCP/IP protocols: verify that only TCP/IP is enabled
o Config violation notification: if SCV reveals a misconfig it can generate a log and/or notify the user

SSL Extender (SSL VPN)
o User authentication method drop-down: select the authentication method used by the SSL client. Legacy, cert, cert with enrollment, and mixed
o Client upgrade method: do not upgrade, ask user, force upgrade
o Supported encryption methods: options are 3DES only, or 3DES or RC4
o When client disconnects: keep installed, ask user to uninstall, force uninstall
o Integrity Clientless Security (ICS): determines whether ICS is enabled or not
o Re-authenticate user every: the time frame after which to auto re-authenticate the user
o Client sends keep-alive packets every: frequency of keep-alives
o Use cpconfig to verify a valid license

Early Version Compatibility
o Required policy for all desktops: specifies the policy that 4.1 clients will receive during key exchange
  - No policy
  - Allow outgoing & encrypted
  - Allow outgoing only
  - Allow encrypted only
o Client is enforcing required policy: only desktops enforcing the policy will be considered secure

SR/SC chooses the peer gateway's interface using:
o Static calculation based on network topology: use the network topology to calculate the peer GW's interface
o Enable dynamic interface resolving: dynamically resolve multiple interfaces. To use it, you must configure the dynamic interface resolving mechanism on each gateway

Hot Spot / Hotel registration
o Enable registration: configure the tracking, the max time to complete registration, and the max number of IPs allowed
o Ports to be opened during registration (up to 10): the ports that can be opened to let the client register; default 80, 443, 8080
o Apply client auth rule and enable desktop configuration verification: avoids an unprotected user connecting to the internet from a protected network. On the Client Authentication Action Properties screen, ensure "apply rule only if desktop configuration options are verified".

Before a client can connect it must have site info
o The user can define a site and download the info
o The admin can prepare a userc.c file predefining a site

How a connection happens after getting site info
o The user must authenticate with the GW. Using a certificate, the GW verifies against the CRL. The GW authenticates itself and sends its cert and CRL back to the client
  - Hybrid IKE extends IKE, enabling it to use any authentication method supported by NGX
  - The Secure Authentication API (SAA) allows third-party authentication to integrate with NGX
  - Support for native PKI and CAPI allows integration with a wide range of authentication products using industry standards.
o Key Exchange: once the user has been authenticated, client and server exchange encryption keys
o Connection: after the keys have been exchanged, the connection starts, encrypted with IPSec for IKE
o Routing Considerations: default routing ensures reply packets (those returning back to the client) are routed through the same encrypting GW through which the original packets were routed. You can force the reply packets using NAT on the gateway, hiding all outside addresses behind the GW. Internal hosts will see the packets as having originated on the gateway and will direct them back to the gateway. Another solution is using IP Pools. The IP address of a GW's external interface must never be hidden

Authentication by IP: can remember the user either by username only (default), or by username and IP address. Advantage of user with IP: when the user connects from a different IP, they must re-authenticate. The same user can connect from multiple IPs too, but must re-authenticate for each

User connects to a site in the VPN domain: the kernel wakes up, holds the first packet, examines it and determines the relevant gateway for the site, challenges the user to authenticate, does the key exchange, then encrypts data

Auto Connect: when a site is accessed, it auto prompts the user to authenticate. Connect mode (easier for the user by defining connect/disconnect, choose which site you want to connect to) and Transparent mode (encryption based on the first packet sent from the client to the VPN domain)

Secure Domain Login: enables SecuRemote clients to securely log into a domain controller. If enabled, SecuRemote is activated before the domain controller authenticates the login. The exchange of user, password, and user profile is encrypted. If single sign-on is enabled, the encrypted username/password are automatically retrieved from the registry.

Auto Local Logon: saves the username and password in the registry; suitable only when one site is defined. Works well for employees who have mapped drives behind a policy server. Windows login users will not be required to enter their user/pass

What is your encryption domain when you have to go through two CP gateways? The encryption domain is always the network behind the second firewall you connect to. Clear connection to the first site, and encrypted to site 2

userc.c: config file for all site configuration. P:\program files\SecuRemote\database. Make sure the syntax is right; if it is wrong the site will be deleted with no error

Visitor Mode: encapsulates everything on port 443?

Which packet is sent for SecureClient verification - TCP keep-alive

Know what a policy server is - what indication shows in SecureClient when you've authenticated to one:
o Flashing blue lock: indicates logging into the policy server
o Blue lock: the default or user-specific policy is enforced
o Red lock: packet dropped or rejected because the policy is enforced

You have to reinstall SC if you modify your network configuration; you can reinstall adapters by re-binding the adapters. It binds to all NICs when installed

For pass-through router users: IKE over TCP and force UDP encapsulation

Cache static passwords on desktop: only for OS or FW1; users only have to enter their password once per session and it will be cached. If unchecked, users will have to re-authenticate

Respond to unauthenticated topology requests: instructs the FW to respond to topology requests from SecuRemote even if it is not encrypted

What hybrid authentication is, and how to configure and troubleshoot it

What RDP status queries are - go to the FW to make sure it is still up and working

Desktop Security
o Tracking
  - Log: logs on the client
  - Alert: logs on the client and logs to the SmartCenter server
o Policy renewal: default 60 mins; when half the time has elapsed the client will download the policy (30 mins); if it cannot make contact, it tries every 5 mins
o Diagnostics on the client
  - Diagnostic view: critical notifications, current state, connections, policy server location, IKE/IPSec settings, encryption details, OS, NIC info
  - Log view: when the desktop security policy was loaded, current connections, SCV state
  - Policy view: the security policy installed and the rules that apply to inbound and outbound
o Advantage over L2TP: with L2TP it is not possible to connect to the organization and to the outside world at the same time, while SecureClient can

Ports to open for SecureClient
o UDP 500: even if using IKE over TCP
o TCP 500: only if using IKE over TCP
o IP 50 (ESP): unless always using UDP encapsulation
o UDP 2746: configurable; only if using UDP encapsulation
o UDP 259: only if using MEP, interface resolving or interface
HA UserAuthority is used to lock down external access from the inside. Only have to authenticate once User without securemote, request goes to UserAuthority WebAccess, authentication page, UA queries UAS on the gw for user identity, UA WebAccess proxies the http request To display WebAccess tab in Smartdashboard global properties, go to UserAuthority, and check display Web Access view box UA features can prevent problems with broken access control by using o Forced browsing past access control checkpoints o Insecure ids o Directory traversal o File permissions UA and credentials manager o User requests web app, UA webaccess queries the credentials manager on the UAS o UA uses CM to match users identity o Users identity is held in UA CM together with the users specific application credentials so it is auto mapped |
==================================================
CCSE 156-315.1 Study Guide - Continued
==================================================

VPN
* How do you delete all VPN tunnels: the vpn tu command, run from the firewall, NOT the management station (Delete all IPsec+IKE SAs for ALL peers and users)
* IKE DoS attack protection (Global Properties): puzzles = best protection (performance intensive); stateless = less protection (less performance intensive); none = no protection
* Main mode: less susceptible to DoS attacks, partially encrypted
* Aggressive mode: Phase 1 in 3 packets instead of 6 as in main mode; if not selected, defaults to main mode; provided for backwards compatibility with pre-NG remote access clients
* Know the Phase 1 and Phase 2 negotiation sequences
* Q: Assume an intruder has compromised your current IKE Phase 1 and Phase 2 keys. Which of the following options will end the intruder's access after the next Phase 2 exchange occurs?
  o Perfect Forward Secrecy: provides additional security by means of a Diffie-Hellman shared secret value. With PFS, if one key is compromised, previous and subsequent keys are secure because they are not derived from previous keys.

MEP Encryption
* 4 methods to choose the gateway to be used:
  o Closest gateway to source (first to respond)
  o Closest gateway to destination (VPN domain)
  o Random selection (load distribution)
  o Manually set priority (MEP rules)
  Not Round Robin!!
* Q: What is NOT true when using MEP encryption technologies? (D is correct)
  a. Gateways must use the same FW-1 build level
  b. Gateways must use the same management module
  c. You must use a distributed installation of VPN-1/FW-1
  d. Gateways must run identical policies
* Make sure return packets are routed correctly: the MEPed gateway can make use of either RIM (Route Injection Mechanism) or IP pool NAT
  o RIM enables a gateway to use a dynamic routing protocol to propagate the encryption domain of a gateway to the internal network
  o RIM is supported in a mixed community where some gateways are configured using the GUI and other gateways using tnlmon.conf
  o RIM is not supported when communicating with 3rd-party gateways
  o If RIM is configured in tnlmon.conf, these settings take precedence over the settings in the GUI

SEP Encryption
* In a SEP HA environment not using load sharing, the external interfaces of each cluster do not have the same IP address
* FW-1 does not support multi-level proper-subset encryption domains

Encryption basics
* Symmetric encryption: pre-shared key. Fast; anyone who steals the key can steal the data
* Asymmetric encryption: public/private key. Slower; Diffie-Hellman
* Privacy: no one else can see it other than the intended parties (encryption)
* Integrity: no tampering (hash function, one-way)
* Authenticity: true communication (digital signature)
* Tunnel-mode encryption works by encapsulating an entire IP packet and then adding its own encryption header to the packet (increase of total packet size). More secure
* VPN Tunnel Sharing settings include: one VPN tunnel per gateway pair, per pair of hosts, and per subnet
* Q: What encryption scheme provides "in-place" encryption? A: DES
* Encryption algorithms
  o DES (56 bit)
  o 3DES (3 x 56 bit = 168 bit)
  o CAST (40-128 bit, not as strong as DES)
  o AES (128 bit), default for Phase II
  o AES (256 bit), default for Phase I
* Authentication algorithms
  o MD5 (default) and SHA1
* Encryption is encapsulated IPSec
* What IKE is: used to set up communication between gateways, not to secure data; key exchange and negotiation of policies (Key Management Protocol)
* Connections use IPSec to encrypt
* If using certificates, they can be issued either by the Internal CA on the SmartCenter, or by a third-party OPSEC-certified CA
* Q: You want to establish a VPN using certificates. Your VPN will exchange certificates with an external partner. Which of the following activities should you do first?
  o Create a new server object to represent your partner's Certificate Authority (CA)
* Switch from pre-shared secrets to certificates
  o Disable pre-shared secret on the gateway objects
  o Make sure all gateways in the VPN are in the community
  o Manually generate ICA certificates for all gateways
  o Reinstall the security policy
* SIC (Secure Internal Communication) uniquely identifies Check Point-enabled machines. They have the same function as authentication certificates
* VPN community terms
  o Member: gateway residing at one end of a tunnel
  o VPN domain: hosts behind a gateway; could be the whole network or just sections of that network
  o VPN site: community members and the VPN domain
  o VPN community: collection of VPN sites and enabled tunnels/links and their attributes

QoS
* IQ Engine: uses detailed packet information from the INSPECT Virtual Machine to properly classify incoming traffic. Once classified, each packet is placed into the correct per-flow queue and scheduled for transmission based on the bandwidth management policy. By controlling exactly when a packet is put on the line, the IQ Engine can precisely control the overall mix of traffic.
* WFRED (Weighted Flow Random Early Drop): manages packet buffers by selectively dropping packets during periods of network congestion
* RDED (Retransmission Detection Early Drop): eliminates TCP retransmit storms by preventing redundant retransmits from hitting the line. Can reduce the number of retransmits and improve line efficiency.
* Weights and limits
* WFQ (Weighted Fair Queuing): helps avoid drops caused by congestion. Avoiding drops can mean holding long queues; long queues may lead to non-negligible delays. Long queues are inappropriate for voice and video traffic (hence WFQ is inappropriate for delay-sensitive applications); for most delay-sensitive applications, packets need not be dropped from queues to keep them short. The streams of these applications have a known, bounded bit rate.
* LLQ (Low Latency Queuing): allows the admin to define classes of service for delay-sensitive apps. Low latency classes specify the maximal delay that is tolerated and a constant bit rate. Packets are checked against the low latency class rules to prevent delays longer than the maximal delay. If the maximal delay is reached, the packet is dropped; otherwise packets are transmitted at the constant bit rate defined for the low latency class. If the constant bit rate is defined right, no packets are dropped.
* **Performance: QoS needs lots of CPU; each connection needs 1300 bytes of memory
* Limited to TCP, UDP, ICMP, Citrix TCP and IP
* Express mode: weights, per-rule guarantees/limits, logging/accounting, hardware accelerator support, and HA and load sharing
* Traditional mode: all of express mode, plus authenticated QoS (UserAuthority), per-connection guarantees/limits, LLQ, Differentiated Services support, sub-rules, match URI/DNS/Citrix ICA, RDED mechanism
* 3 architectural components: SmartConsole, SmartCenter Server, and module. Flow control like a firewall: GUI, save to SmartCenter Server, push out to the QoS module
* Default rule: applies to all connections not matched by other rules or sub-rules. Weight is assigned as specified in Global Properties. Weight can be modified, but the rule cannot be deleted. Automatically added to the QoS policy.
* Guarantees
  o Always subtracted first
  o If in a sub-rule, then a guarantee must be defined in the rule above it
  o A sub-rule guarantee cannot be greater than the guarantee of the rule above
  o A rule guarantee cannot be smaller than the sum of the guarantees defined in its sub-rules
  o The sum of guarantees at the upper level should not exceed 90% of the capacity of the link
  o If a rule's limit and guarantee are equal, connections may receive no bandwidth
  o A guarantee should always be smaller than a limit
* Limits
  o A per-connection limit must be smaller than the rule limit
  o Rule limits should not be greater than the sum of the limits defined in the sub-rules: with a rule limit greater than the sum of the sub-rules, it is not possible to allocate more bandwidth to a rule than the bandwidth determined by the sum of the sub-rules
* Low Latency: use when the bit rate of the stream is known and controlling delay is important. Low latency classes differ from DiffServ classes in that they do not receive TOS markings
* Differentiated Services (DiffServ): used to prioritize traffic; gets TOS markings
* Load Sharing
  o 2-way stickiness: all packets of a single connection use the same machine in both directions
  o Conversation stickiness: all packets of control/data within a conversation use the same machine in both directions
* Rejects when the number of guaranteed connections is exceeded and/or when the action is not configured to accept additional connections
* Track field set to Account: a lot of overhead
* *Important*: more than one rule can be relevant to a connection, but QoS only works according to the first rule it matches. So if traffic can be seen in two rules, only the top rule is applied
* Check if FloodGate is installed: cprinstall verify fwgw floodgate (can be used with other packages too, same syntax)
* Tuning
  o Upgrade to the newest CP QoS
  o More frequent rules at the top
  o Install only on the external interface of the firewall
  o Install only in the outbound direction, unless you have limits for inbound
  o Turn per-connection limits into per-rule limits
  o Turn per-connection guarantees into per-rule guarantees

Upgrading to NGX
* Supported: NG FP1, 2, 3; NG with AI R54, R55, R55W; FW-1 GX 2.5; and VSX NG with AI release 2
* Cannot upgrade from 4.1 to NGX; must upgrade to R55 first
* Central Licensing
  o Store all licenses in a repository on the SmartCenter
  o Licenses are installed on the machines they are assigned to using SmartUpdate
  o Licenses are not tied to the IP address of the system they are installed on, and can be reassigned
  o Ideal for distributed installs
  o Advantages: no need to generate a new license when the IP changes or a gateway is retired; the license can be reused; all licenses can be reviewed in one location
* Local Licensing
  o Specific license on a specific machine
  o Installed using SmartUpdate or locally using cpconfig
  o Licenses are tied to the IP address and new licenses must be regenerated if the address changes
  o Suitable for stand-alone installs
* View licenses from the User Center, SmartUpdate, or SmartView Monitor
* You upgraded the license and every time you run commands you receive an error. Fix: upgrade the software to NGX
* Upgrade from SPLAT R54 gateway with patch add cd ---> the policy server is updated
* Licensing: where to get licenses, the various commands for installing and viewing licenses, and requirements for licensing
* license_upgrade
  o View status of the currently installed license
  o Simulate license upgrade
  o Perform actual license upgrade
* Memory and disk space requirements
  o 256MB for Windows
  o 128MB for SPLAT, Solaris, Red Hat, and Linux
  o Minimum: Pentium II 300MHz, 6GB HD
  o Recommended: Pentium IV 2GHz, 512MB RAM, 40GB HD
* 1 administrator user is needed on installation
* How to upgrade from previous versions
* Do the install (R54 or later; do not have to be in expert mode)
  o SmartUpdate
  o TFTP: patch add tftp <ip_address> <patch_name>
  o Local: patch add <full_path_name>
  o CD: patch add cd
  o Choose yes to make a backup image (safe upgrade)
* Do the install (pre-R54, not 4.x; must be in expert mode)
  o CD: mount /mnt/cdrom, then patch add /mnt/cdrom/SecurePlatform/patch/<patch name>
  o TFTP: patch add tftp <ip> <patch name>
  o Local: patch add <full path>
  o After the upgrade, open the gateway object, change the version to NGX, and install the policy on the new gateway
* SecurePlatform Pro enables dynamic routing (OSPF)
* Order: SmartCenter first, then gateways
* Pre-upgrade verification tool
  o Runs automatically or manually during the SmartCenter upgrade
  o Windows: pre_upgrade_verifier.exe -p %FWDIR% -c NG_AIR55 -t NGX_R60
* Migrating the SC to a new machine with a different IP
  o On the original SC create a rule that allows CPD (TCP 18191) to originate from the new SC
  o On the original SC create a rule that allows FW1 (TCP 256) to originate from the new SC
* SmartUpdate
  o Upgrade operations require the cprid daemon and license operations use the cpd daemon. Watchdog (cpwd) monitors critical processes (fwd, fwm, cpwd) and attempts to restart them if they fail
  o Checks during upgrade: OS, and whether packages are appropriate; package not already installed; package dependencies are fulfilled; there is enough disk space
  o Can be remotely upgraded: SPLAT VPN-1 Pro enforcement module, Nokia OS, third-party OPSEC apps, hotfixes, HFAs and patches
* Advanced Upgrade: choose export in the upgrade options to perform an advanced upgrade on an additional SC server via a spare machine
==================================================
CCSE 156-315.1 Study Guide - Continued
==================================================

Resource Servers
* Define a resource based on HTTP, FTP, SMTP, CIFS, or generic TCP. The resource can be used in a rule the same way as a service. Can divert a connection to CVP or UFP
* CVP (Content Vectoring Protocol): examines the contents of a file for a virus; can also examine outgoing traffic
  o NGX does not have virus scanning capability built in
  o The security server transfers the packet to another server running an OPSEC virus scanner
  o TCP 18181
  o Eliminates viruses being downloaded over FTP and/or HTTP
  o Prevents malicious-script viruses through email
  o Off-loads scanning to another machine, improving the performance of the gateway
  o Placed either on the DMZ or on a private net with the gateway
  o When a resource specifies CVP, the file is passed to the virus scanner for inspection
  o Can check all files transferred for HTTP, FTP, SMTP, and other TCP protocols
  o Transparent to users
  o CVP Sharing: cannot configure a load sharing suspension period for a CVP server that does not respond. Identical CVP servers can share the load; 2 methods, round robin and random
  o CVP Chaining: works only if all servers in the chain are available. Useful when each server performs a different task. Invoked in the order chosen by the admin, in the CVP group object. Can be chained to combine functionality
  o Implement CVP inspection: define the CVP OPSEC application; define resource objects that specify CVP checking
    - Use of CVP: whether or not to use CVP
    - Server: define the server, whether it can modify content, and whether or not to send HTTP headers
    - Reply Order: when data is returned to the user, return before or after approval; if rejected it is not retrieved
    - Define rules: resource rules that accept HTTP, SMTP, and FTP must be placed before other rules that accept the services
* UFP (URI Filtering Protocol): maintains a list of URLs and their categories (ex. SurfControl and Websense)
  o Does not scale well; primarily used for restricting 50 or fewer sites. Not a hard limit, but a practical maintenance limit since they are added manually
  o Control access to specific URLs
  o Predefined list of categories that can be downloaded
  o TCP 18182
* CIFS (Common Internet File System, NetBIOS)
  o Share access
  o Can block remote registry access
  o Logs mapped shares
  o Allow MS print shares
  o DOES NOT provide long access share
  o Wildcards can be used
  o Not case sensitive
  o Does not invoke the security server
  o Only accept, client authentication, and session authentication
  o Does not broker connections between server and client

Security Servers
* Broker between clients and servers, 2 tasks (authentication and content security)
  o Telnet: yes authentication, no content security
  o rlogin: yes authentication, no content security
  o FTP: yes authentication, yes content security
  o HTTP: yes authentication, yes content security
  o SMTP: no authentication, yes content security
* FTP: content on GET and PUT, filename restrictions, and CVP checks. Can log GET and PUT and filename if the rule is set to log
* HTTP: content on GET, PUT, and POST; specific hosts, URLs, paths and queries. Can create a file with a list of banned IPs; can be used to deny access to a specific IP address or to a path at a site
  o Improve performance by ensuring that safe traffic is not sent to CVP
* SMTP: content based on From and To fields; provides a secure sendmail app that prevents direct connection attacks, hides real usernames, rewrites the From field
* OPSEC: CP maintains a site of partner software including virus protection, content security, authentication, Java blocking, and ActiveX blocking
* Implement Content Security
  o Create an object for the 3rd-party server
  o Create a UFP/CVP OPSEC application object for the 3rd-party server
  o Define a resource that specifies matching and the type of the content check
  o Define rules that specify the action taken for a resource
  o Two methods: Active requires users to authenticate in order to use the service, allows time-out of passwords and re-authentication; Passive is transparent to users
* URI Filtering: precise control over web access
  o Use UFP servers that maintain a list of URLs (permitted or denied)
  o Match types (General tab): UFP, Wild Cards, File
  o To implement: define the UFP server; define the URI resource (specifies the list of URL categories from the UFP server); define rules for the action
    - Allowed: HTTP and FTP schemes, GET and POST methods
    - Not allowed: a list of forbidden URL categories
    - Specify if CVP is to be used, and select the CVP server if it is. Can specify if the CVP server is allowed to modify content and whether or not to send HTTP headers to the CVP server
  o Optimize URL Logging: want to see the URL's full destination path in the logs, not just the FQDN
* Mail (SMTP)
  o Uses FIFO spool scanning
  o Hide outgoing mail from behind a generic address
  o Mail filtering based on SMTP and IP address
  o Strip MIME attachments from mail
  o Drop mail above a given size
  o Resolve DNS for recipients and their domains (MX resolving)
  o Control # of connections per site
  o Mail-user based policy: different mail actions per recipient of a given mail; content security features at the user level
  o Performs CVP checking
  o Splits functionality into two processes so no direct path connecting mail servers exists. NOTE: queuing mail on the firewall is not good. Enqueuer writes incoming messages to a disk cache; Dequeuer empties the cache
* FTP: provides authentication and content security based on PUT and GET, filename restrictions, and anti-virus checking
  o Implement an FTP server with an FTP resource
  o When using a browser without defining a proxy, all HTTP requests use the HTTP protocol, and all FTP requests use the FTP protocol. If a proxy is defined for FTP, the proxy should be an HTTP proxy and not an FTP proxy. With this config the connection between browser and proxy uses the HTTP protocol, and it is up to the proxy to convert the request from HTTP to the FTP protocol.
  o The NGX HTTP security server does not support this kind of protocol conversion
  o If you want to authenticate FTP requests from a web browser, a second HTTP proxy that does support conversion should be installed and defined
  o If a next proxy is not defined on the gateway and authentication is attempted for an FTP request, you will see the error "scheme FTP not supported"
  o SmartDefense Application Intelligence: FTP Security Server
* Java and ActiveX Stripping (HTML Weeding): control incoming Java/ActiveX code by host, URL, authenticated username
  o Strip applets from HTML
  o Block Java attacks by blocking suspicious back connections
  o Strip ActiveX tags from HTML pages
  o Implement Java and ActiveX stripping with a URL resource
* Resources and rules
  o Pyramid style: restrictions at the top, generalized at the bottom
  o Resource rules located in the middle or at the beginning
  o Restricted access goes above the resource rule, and generalized drop or accept should follow them
  o Consequences: connections are allowed that should not be; connections are dropped that should not be; the security server allows packets to pass that should not and drops packets that should be allowed
* CVP Load Sharing and Chaining: increase efficiency
  o Chaining is useful when each CVP server performs a different function, such as scanning for viruses, stripping MIME tags, stopping large email attachments
* Implement a TCP Resource
  o Supports all TCP services
  o Allows URL screening via a UFP server and provides CVP
  o The UFP server can provide URL verification without using the security server
  o The full URL is not sent to the UFP server, only the IP of the remote server, which allows for a faster transaction to occur
  o Before using, ensure the UFP server is capable of supporting IP-based URLs and can categorize specific protocols
* How to use the resource servers: various options when defining resources
* How to control the maximum number of mail messages on the spool: gateway advanced properties
* UFP: how TCP resources work (particularly with UFP)
* What the file format of a URI Specification file is and where it is stored
  o ip <tab> optional path <tab> single hex char (1-F)
  o 172.29.109.1 <tab> /warez/illegal.html <tab> a <return>
* Understand the three SYNDefender modes
  o SYN Relay: monitors all connection attempts and verifies the attempt is valid before sending the initial SYN to the server
  o SYN Gateway: monitors all connection attempts as well as after the server responds with SYN-ACK. The firewall also sends an ACK to the server and opens the connection so that the server's backlog queue is available to accept more connection requests
  o Passive SYN Gateway: monitors all connection attempts like the gateway option, but does not send an ACK to open the connection to the server

CLI
* Export users under LDAP: fw dbexport -s "o=Acme Corp, c=US"
* The debug option gathers information about the input/output control messages, such as loading of FW-1 or kernel-to-daemon communications (ioctl)
* fw ctl debug 0: returns all flags in all modules to their default values
* fw ctl debug -buf: allocate a buffer for all messages generated by the kernel
* fw ctl debug misc: set the debug flag to miscellaneous
* fw ctl kdebug -f > <file name>: read the debug buffer every second and print messages
* fw ctl kdebug: reads the debug buffer. Control+C to stop debugging
* fw ctl debug 0: reset debug flags to 0
* fw ctl pstat: full sync status
* fw ctl pstat -l: general VPN-1 Pro stats
* fw ctl pstat -h: additional hmem details
* fw ctl pstat -k: additional kmem details
* fw ctl pstat -s: additional smem details
* fw ctl pstat -n: NDIS info (Windows only)
* fw ctl iflist: display IP interfaces known to the kernel
* fw ctl arp: display ARP
  o -n: no name resolution
* fw ctl block on: blocks all traffic
* fw ctl block off: restores traffic and the security policy
* fw ctl chain: prints the names of the internal VPN-1 modules that deal with packets
* fw ctl conn: prints the names of the connection modules
* vpn debug on all=5 timeon 5: writes all debug info for all topics to vpnd.elg for five seconds; writes to $FWDIR/log; all=levels 1-5, 5 being all
  o vpn debug on | off: turns on/off high-level VPN debugging
  o vpn debug ikeon | ikeoff: turns on/off IKE packet logging to $FWDIR/log/IKE.elg
  o vpn debug trunc: truncates the log files
* vpn crlview: retrieves the Certificate Revocation List (CRL) from various distribution points and displays info
* fw_sync_block_new_conns: allows detection of heavy loads and starts blocking new connections. Load is heavy when the transmit queue fills beyond fw_sync_buffer_threshold
* fw_sync_buffer_threshold: maximum percentage of the buffer that may be filled before new connections are dropped. Default is 80; buffer size 512
* fw_sync_allowed_protocols: types of connections that can be opened while the system is blocking
* Kernel memory settings without manually modifying $FWDIR/lib: settings on the gateway object's Capacity Optimization screen: Max IKE, Max Concurrent Connections, Max Tunnels
* Reset the password for the administrator created during the initial install: cpconfig, delete the administrator's account and recreate it with the same name
* unlockuser kate: unlock user kate
* cpstart: launches all Check Point applications
* cpstop: stops all Check Point applications
* fw start / fw stop
* fw ver: display the Check Point version
* fw fetch [target]: fetches the last policy
* cpstop -fwflag -default: stop all Check Point processes and leave the default filter running
* cpstop -fwflag -proc: stop all Check Point processes and leave the security policy running
* fw ctl arp: display the firewall ARP entries for automatic NAT objects
* fw dbexport -f bla.ldif -l -s "o=bla,c=nl"
* fw unloadlocal: unload the local security policy. This is a very convenient feature if you are not able to access SmartDashboard, for example because of a too-strict security policy
* fwm unload [target]: unload the policy on the target enforcement module
* fwm lock_admin: used to unlock admin account(s) and view locked administrators
* cplic print: print the details of the installed Check Point licenses
* fw tab -x -u: display kernel table content
* fw tab -t sam_blocked_ips: display IPs blocked via the Block Intruder feature of SmartView Tracker
* fw tab -t sip_state -f: info on current SIP calls
* fw hastat: displays HA states
* $FWDIR/conf: rule bases, objects, users database, and certificates
* $FWDIR/lib: base.def

Logging
* alertf command: the following program can be used to threshold the activity of an alert in FireWall-1. The syntax of the command is:
  o alertf N-seconds M-alerts alert-command arg#1 arg#2 arg#3
* Excessive Log Grace Period: this specifies the minimum amount of time between consecutive logs of similar packets. A higher number means less logging, and a higher risk of losing important information. If log analysis is being performed, lowering this parameter value will help improve the accuracy of the log analysis when searching for port scanning attempts and doing performance/usage analysis. This value should be experimented with; we recommend a setting of 30 seconds or lower if possible.

Performance
* Remove old or unused security policies from the policy package
* Reduce logging
* Put the most used rules at the top

File Names
* $FWDIR/conf/local.arp: manually configure proxy ARP; if different subnets are used for cluster IPs, auto proxy ARP will not work. Using static NAT, the cluster automatically recognizes hosts behind it and issues ARP replies with the cluster MAC (Auto Proxy ARP Global Property)
* $FWDIR/conf/vpn_route.conf: VPN routing scenarios can be configured through a VPN star community, but not all VPN routing configuration is handled through SmartDashboard. VPN routing between Security Gateways (star or mesh) can also be configured by editing this configuration file
* $FWDIR/conf/rule_name.pf: compiled script generated from the information in the security policy and its rule base. Editing it could cause inconsistencies between the GUI and the code. Should not be edited; edit the .def files instead

VPN-1 Edge Appliances
* Exceeding licensed nodes
  o Nodes will be protected
  o License can be upgraded to support more nodes
  o Exceeded nodes will not be able to access the internet through the appliance
* If used behind another NAT device (router) and having problems with apps, you should
  o Consider if you need the router
  o Disable NAT on the router
  o If the router has a DMZ, set it to the VPN-1 Edge external IP
  o Open the necessary ports
* Problem accessing a certain network app
  o Set the VPN-1 Edge firewall level to low; if it still doesn't work, set the computer to be the exposed host; when finished, clear the exposed host setting
* Edge X supports site-to-site VPN, and Edge S does not

LDAP
* Sequence for configuring user management
  1. Enable LDAP in Global Properties
  2. Configure a host node for the LDAP server
  3. Configure an object for the LDAP account unit
* In NGX, if a distinguished name (DN) is NOT found in LDAP, NGX takes the common-name value from the certificate subject and searches the LDAP account unit for a matching user ID
* When you add LDAP users to a client authentication rule you need an LDAP group in the client authentication rule
* The enforcement module acts as an LDAP client when either querying user information or retrieving the CRL
* A user attempts authentication using SecuRemote, and the user's password is rejected. A valid cause would be that the LDAP and security gateway databases are not synchronized
* On the SmartCenter server: $FWDIR/lib/ldap/schema_microsoft_ad.ldif
* Profiles: Microsoft_AD, Novell_DS, Netscape_DS, OPSEC_DS
* True of the CP schema when dealing with LDAP issues
  o The SmartDirectory (LDAP) schema is the default schema
  o Recommended to enhance the default SmartDirectory (LDAP) schema by adding the CP schema
  o The CP schema acts as an extension to the default SmartDirectory (LDAP) schema
* Users and user groups are arranged on the account unit in a tree structure as they are on the SmartDirectory (LDAP) server
* Account Management Client (AMC): means of authenticating and managing users through the LDAP server
* Changes applied to a SmartDirectory (LDAP) template are reflected immediately for all users using that template
* Users managed on an external SmartDirectory (LDAP) server are managed as if they were managed by the SmartCenter server
* An account unit that represents the SmartDirectory (LDAP) server needs to be defined
* A SmartDirectory (LDAP) special license is needed
* 2 differences between the internal DB and user management on SmartDirectory (LDAP)
  o User management in the SmartDirectory is done externally and not locally
  o SmartDirectory (LDAP) server templates can be modified and applied to users dynamically, meaning changes are instantaneous

Multicast
* Typical use: real-time audio and video to a set of hosts
* Configured on the gateway's interface settings
* Control access of multicast traffic to specific groups, ensuring that multicast applications are not inadvertently broadcast to outside groups
* Multicast traffic to and from specific objects is controlled via policy rules
* show ip mroute: display the contents of the multicast routing table
* clear ip mroute <group>: remove routes from the multicast routing table (e.g. 224.0.0.1)
* show ip multicast boundary: obtain summarized info for all boundaries within all interfaces

MISC
* Sticky Decision Function
  o Not supported when employing Performance Pack
  o Not supported when employing a hardware-based accelerator card
  o When used in conjunction with VPN, cluster members are prevented from opening more than 1 connection to a specific peer
* Initial Policy: operates by adding the implied rules to the filter
* DAIP modules: IP maintained in the SmartCenter database
* SCCP (Cisco call control) devices do not support NAT
* Storm Center Module: two-way information flow between network storm centers and organizations
* Explicitly protect low ports using the Dynamic Ports page in SmartDefense
* LEA (Log Export API): used to export Check Point logs to a third-party application
* Policy Package management: allows reverting to earlier versions of the security policy without changing object configurations
* Database Revision Control: create a fallback configuration package. All policies, objects, users, SmartDefense and global settings
* Consolidation Policy: specific policy used by Eventia Reporter to configure log-management practices
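Added example (not part of the original post): the study guide gives the URI Specification file format as "ip <tab> optional path <tab> single hex char (1-F)" with one sample line. The parser and matcher below are written for this page, not taken from Check Point, and assume that a missing path column covers every path on that host, that a path entry matches when the request path starts with it, and that the hex character is just an opaque category value (its meaning is not stated on the page).

```python
"""Parser and matcher for the URI Specification file format given in the study guide
(ip <TAB> optional path <TAB> single hex char 1-F). Example code written for this page,
not Check Point's implementation. Assumptions: a missing path column means the entry
covers every path on that host, a path entry is a prefix match against the request
path, and the hex character is returned as an opaque category value."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class UriSpecEntry:
    ip: ipaddress.IPv4Address
    path: str        # '' means any path on the host (assumption)
    category: int    # value of the single hex char, 1..15


def parse_uri_spec(text: str) -> List[UriSpecEntry]:
    """Parse file contents; raise ValueError with the line number for any malformed entry."""
    entries: List[UriSpecEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r")
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines are skipped (assumption)
        fields = line.split("\t")
        if len(fields) == 2:            # path column omitted entirely
            ip_s, path, cat_s = fields[0], "", fields[1]
        elif len(fields) == 3:          # path column present, possibly empty
            ip_s, path, cat_s = fields
        else:
            raise ValueError(f"line {lineno}: expected 2 or 3 tab-separated fields, got {len(fields)}")
        try:
            ip = ipaddress.IPv4Address(ip_s.strip())
        except ipaddress.AddressValueError as exc:
            raise ValueError(f"line {lineno}: bad IP address {ip_s!r}") from exc
        path = path.strip()
        if path and not path.startswith("/"):
            raise ValueError(f"line {lineno}: path must start with '/', got {path!r}")
        cat_s = cat_s.strip()
        if len(cat_s) != 1 or cat_s.lower() not in "123456789abcdef":
            raise ValueError(f"line {lineno}: category must be a single hex char 1-F, got {cat_s!r}")
        entries.append(UriSpecEntry(ip, path, int(cat_s, 16)))
    return entries


def lookup(entries: List[UriSpecEntry], ip: str, path: str) -> Optional[int]:
    """Return the category of the most specific (longest path) matching entry, or None."""
    addr = ipaddress.IPv4Address(ip)
    best: Optional[UriSpecEntry] = None
    for e in entries:
        if e.ip != addr:
            continue
        if e.path and not path.startswith(e.path):
            continue
        if best is None or len(e.path) > len(best.path):
            best = e
    return best.category if best else None


# Constructed sample file: the guide's own example line, a host-wide entry, and a comment.
SAMPLE_SPEC = (
    "172.29.109.1\t/warez/illegal.html\ta\n"
    "10.0.0.5\t\tf\n"
    "# 10.0.0.6 is deliberately left out\n"
)

if __name__ == "__main__":
    spec = parse_uri_spec(SAMPLE_SPEC)
    print(lookup(spec, "172.29.109.1", "/warez/illegal.html"))  # 10
    print(lookup(spec, "172.29.109.1", "/index.html"))          # None
    print(lookup(spec, "10.0.0.5", "/anything"))               # 15
```

Because the guide warns that a wrong line silently deletes a site in userc.C, the parser here fails loudly on a bad IP, a path without a leading slash, or a category outside 1-F, so a typo is caught before the file is deployed.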
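Added example (not part of the original post): the QoS section lists several constraints on guarantees and limits (sub-rule guarantee not above the parent's, parent guarantee not below the sum of its sub-rules, top-level guarantees under 90% of the link, guarantee smaller than limit, per-connection limit smaller than the rule limit, rule limit not above the sum of sub-rule limits) and states that only the first matching rule applies. The checker below is written for this page as an illustration of those rules, not Check Point's own code; bandwidth figures are kbps, the rule base is constructed, and it assumes that when no sub-rule matches, the parent rule itself applies.

```python
"""Sanity-checker for a Check Point QoS rule tree, written for this page to illustrate the
guarantee/limit rules from the study guide; not Check Point's own code. Bandwidth in kbps.
Assumption: if a rule has sub-rules and none matches, the rule itself applies."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass
class QosRule:
    name: str
    services: FrozenSet[str] = frozenset()    # empty = matches any service
    guarantee: Optional[int] = None           # kbps
    limit: Optional[int] = None               # kbps
    per_conn_limit: Optional[int] = None      # kbps
    subrules: List["QosRule"] = field(default_factory=list)


def validate_qos(rules: List[QosRule], link_kbps: int) -> List[str]:
    """Return the list of problems found (an empty list means the policy passes)."""
    problems: List[str] = []
    top = sum(r.guarantee or 0 for r in rules)
    if top > 0.9 * link_kbps:
        problems.append(f"sum of top-level guarantees {top} kbps exceeds 90% of the {link_kbps} kbps link")
    for r in rules:
        _check(r, None, problems)
    return problems


def _check(rule: QosRule, parent: Optional[QosRule], problems: List[str]) -> None:
    # Guarantee equal to (or above) the limit: connections may receive no bandwidth.
    if rule.guarantee is not None and rule.limit is not None and rule.guarantee >= rule.limit:
        problems.append(f"{rule.name}: guarantee {rule.guarantee} must be smaller than limit {rule.limit}")
    if rule.per_conn_limit is not None and rule.limit is not None and rule.per_conn_limit >= rule.limit:
        problems.append(f"{rule.name}: per-connection limit {rule.per_conn_limit} must be smaller than rule limit {rule.limit}")
    if parent is not None and rule.guarantee is not None:
        if parent.guarantee is None:
            problems.append(f"{rule.name}: sub-rule guarantee needs a guarantee on parent {parent.name}")
        elif rule.guarantee > parent.guarantee:
            problems.append(f"{rule.name}: sub-rule guarantee {rule.guarantee} exceeds parent guarantee {parent.guarantee}")
    if rule.subrules:
        sub_g = sum(s.guarantee or 0 for s in rule.subrules)
        if rule.guarantee is not None and rule.guarantee < sub_g:
            problems.append(f"{rule.name}: guarantee {rule.guarantee} is below the sum of sub-rule guarantees {sub_g}")
        sub_limits = [s.limit for s in rule.subrules]
        if rule.limit is not None and all(lim is not None for lim in sub_limits) and rule.limit > sum(sub_limits):
            problems.append(f"{rule.name}: limit {rule.limit} is above the sum of sub-rule limits {sum(sub_limits)}")
        for s in rule.subrules:
            _check(s, rule, problems)


def first_match(rules: List[QosRule], service: str) -> Optional[QosRule]:
    """QoS applies the first matching rule from the top; only that rule's sub-rules are searched."""
    for r in rules:
        if r.services and service not in r.services:
            continue
        if r.subrules:
            sub = first_match(r.subrules, service)
            return sub if sub is not None else r   # assumption: parent applies if no sub-rule matches
        return r
    return None


def broken_policy() -> List[QosRule]:
    """Constructed rule base that breaks four of the guide's rules."""
    return [
        QosRule("VoIP", frozenset({"sip"}), guarantee=2000, limit=3000),
        QosRule("Web", frozenset({"http", "https"}), guarantee=4000, limit=8000, subrules=[
            QosRule("Intranet", frozenset({"http"}), guarantee=3000, limit=4000, per_conn_limit=5000),
            QosRule("Other web", guarantee=1500, limit=5000),
        ]),
        QosRule("Bulk", frozenset({"ftp"}), guarantee=3500, limit=3500),
    ]


def fixed_policy() -> List[QosRule]:
    """Same rule base with the guarantees and the per-connection limit corrected."""
    return [
        QosRule("VoIP", frozenset({"sip"}), guarantee=2000, limit=3000),
        QosRule("Web", frozenset({"http", "https"}), guarantee=4000, limit=8000, subrules=[
            QosRule("Intranet", frozenset({"http"}), guarantee=2500, limit=4000, per_conn_limit=2000),
            QosRule("Other web", guarantee=1500, limit=5000),
        ]),
        QosRule("Bulk", frozenset({"ftp"}), guarantee=2000, limit=3500),
    ]


LINK_KBPS = 10000

if __name__ == "__main__":
    for p in validate_qos(broken_policy(), LINK_KBPS):
        print("problem:", p)                                        # four problems
    print("fixed:", validate_qos(fixed_policy(), LINK_KBPS))          # []
    print("http goes to:", first_match(fixed_policy(), "http").name)  # Intranet
```

The broken policy trips the 90% rule (9500 of a 10000 kbps link), the parent/sub-rule guarantee rule (Web guarantees 4000 but its sub-rules add up to 4500), the per-connection limit rule (Intranet) and the guarantee-equals-limit rule (Bulk); the fixed version passes with no changes to the rule order, so http still lands on the Intranet sub-rule and https on the catch-all sub-rule, as the first-match semantics in the guide require.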
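Added example (not part of the original post): the Logging section describes two rate controls, the alertf program ("alertf N-seconds M-alerts alert-command ...", which runs the command only when M alerts occur within N seconds) and the Excessive Log Grace Period (minimum time between logs of similar packets, which the guide notes hides port scans when set too high). The simulation below is written for this page, not taken from Check Point; the log records are constructed, "similar packets" is assumed to mean the same source, destination and protocol, and the alert window is assumed to restart after it fires.

```python
"""Simulation of two log-volume controls from the study guide: the Excessive Log Grace
Period (suppress logs of similar packets seen within `grace` seconds) and alertf-style
thresholding (fire only when M alerts arrive within N seconds). Example code written for
this page, not Check Point's implementation. Assumptions: "similar" means same src, dst
and protocol; the threshold window is cleared after it fires."""
from collections import deque
from typing import Deque, Dict, List, Tuple


class LogGracePeriod:
    """Drop a log if a similar one was written less than `grace` seconds earlier."""

    def __init__(self, grace_seconds: float) -> None:
        self.grace = grace_seconds
        self._last: Dict[Tuple[str, str, str], float] = {}

    def should_log(self, rec: dict) -> bool:
        key = (rec["src"], rec["dst"], rec["proto"])   # assumption: what counts as "similar"
        last = self._last.get(key)
        if last is not None and rec["ts"] - last < self.grace:
            return False
        self._last[key] = rec["ts"]
        return True


class AlertThreshold:
    """Sliding-window equivalent of `alertf N-seconds M-alerts alert-command ...`."""

    def __init__(self, n_seconds: float, m_alerts: int) -> None:
        self.n = n_seconds
        self.m = m_alerts
        self._times: Deque[float] = deque()

    def offer(self, ts: float) -> bool:
        """Record one alert at time ts; return True when the alert command should run."""
        self._times.append(ts)
        while self._times and ts - self._times[0] > self.n:
            self._times.popleft()           # alerts that fell out of the N-second window
        if len(self._times) >= self.m:
            self._times.clear()             # assumption: restart counting after firing
            return True
        return False


def process(records: List[dict], grace: float, n_seconds: float, m_alerts: int):
    """Apply the grace period, then feed each surviving log into the threshold.
    Returns (records actually logged, timestamps at which the alert command fired)."""
    gate = LogGracePeriod(grace)
    thresh = AlertThreshold(n_seconds, m_alerts)
    logged: List[dict] = []
    fired: List[float] = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not gate.should_log(rec):
            continue
        logged.append(rec)
        if thresh.offer(rec["ts"]):
            fired.append(rec["ts"])
    return logged, fired


def sample_scan() -> List[dict]:
    """Constructed port scan: one host probing eight ports on one target, one per second."""
    return [
        {"ts": float(i), "src": "10.1.1.5", "dst": "10.2.2.2", "proto": "tcp", "dport": 21 + i}
        for i in range(8)
    ]


if __name__ == "__main__":
    logged, fired = process(sample_scan(), grace=30, n_seconds=10, m_alerts=5)
    print(len(logged), fired)   # 1 []    the grace period hides the scan
    logged, fired = process(sample_scan(), grace=0, n_seconds=10, m_alerts=5)
    print(len(logged), fired)   # 8 [4.0] the alert fires on the fifth probe
```

With the grace period at 30 seconds the whole scan collapses into a single log line and alertf never reaches its threshold; with it lowered to 0 every probe is logged and the threshold fires on the fifth, which is the trade-off the guide describes between log volume and the accuracy of port-scan detection.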
Nice stuff dude!! I am about to start the preparation for CCSE. Kindly guide me on how to go about it. I have the NGX R61 pack. What topics should I study from that, or should I go for other PDFs like Syngress? Kindly send the doc if possible: dew1902@gmail.com
Please do not ask me to send you the Boson test or the ActualTests/TK. Search the forums!! You will find all the ActualTests and TK you want. As for topics to study: http://www.checkpoint.com/services/e...s/156-315.html