498 Part IV • Check Point NG and Nokia IP Series Appliances

is no reverse record, the object will be useless. It is also possible that, through DNS poisoning, this sort of object could lead to a security breach. For these reasons and others, Check Point does not recommend the use of domain objects in your rule base. If you decide to use them, use them as close to the bottom of the rule base as possible.

OSE Device

Open Security Extension technology allows FW-1 to manage third-party devices that support these extensions. Most notable among these devices are Cisco routers running IOS v9 and later. The number of devices that you may manage depends on your license. The configuration for an OSE compliant device features three windows. To create a new OSE Device, select New | OSE Device from the Network Objects management window. Figure 13.9 illustrates the General window. This window enables you to specify some of the basic information about the device, specifically the IP address, name, comment, and device type. The device type may be any of the following:

■ BayRS
■ Cisco
■ 3Com

When a device from this category is managed by the firewall, access control lists are generated based on the security policy and downloaded to the firewall. As with other object types, the Get address button will attempt to resolve the specified name to an IP address, saving you that one step.

The topology window is identical to that of its counterpart for the other devices. The main caveat is that at least one interface must be defined (as opposed to, say, a simple workstation) or the ACL entries will not be created successfully. Anti-spoofing and its kin are also defined by editing the interface properties, just as with a workstation. However, there are some additional steps to take, which are accomplished by editing the information on the Setup window.
Figure 13.9 OSE Device—General Window

The Setup window varies depending on the OSE Type specified on the General window. The window as displayed with a Cisco router is shown in Figure 13.10. The fields displayed on this window have the following meanings:

■ Access List No. The number of the ACL that will be applied.
■ Username This is the exec mode username that will be used for initial access to the device. It, along with the remaining drop-down lists, can be set to None, Known, or Prompt. If set to Known, the gray box to the right will become active and allow the entry of a username.
■ Password Enter the password associated with the exec mode username.
■ Enable Username The name, if any, of a user with privileged exec access.
■ Enable Password The password associated with the privileged username.
■ Version IOS version installed on this router.
■ OSE Device Interface Direction The direction in which to enforce the security policy. This can be Inbound, Outbound, or Eitherbound.
■ Spoof Rules Interface Direction The direction in which to enforce anti-spoofing behavior. This can be Inbound, Outbound, or Eitherbound.

The fields for the 3Com and Bay devices are similar in their requirements, and the security policy is enforced in an identical manner.

Embedded Device

An embedded device is defined as a device on which a VPN/FW-1 module or Inspection module is installed. This type of object is restricted to two types (as defined in the Type field), those being Nokia IP5x and Xylan, with the supported platforms being Ramp and Xylan. The configuration is pretty straightforward, with the common rules applying.
Figure 13.10 Cisco OSE Setup Window

Define the name, IP address, and an optional comment. Then specify the type, and select VPN-1 & FireWall-1 installed if applicable. You must also define your license type. Figure 13.11 illustrates the configuration panel. To open this panel, select New | Embedded Device.

Group

The Group object can be used to manage other objects of dissimilar types. There are three types of groups that you may define within FW-1. To create a new group, select New | Group from the Network Objects management window. The group types are as follows:

■ Simple Group
■ Group with Exclusion
■ UAS High Availability group

A simple group is just that. Simple. It is a collection of network devices. The second group type, Group with Exclusion, allows you some granular control over the contents of a group. If you are working in a network with a flat topology, for example, you may be in a situation where there isn’t much physical separation within this network. A group of this type enables you to force some structure here. Figure 13.12 illustrates a simple group.

Figure 13.11 Embedded Device General Properties
Figure 13.12 Group Properties

A Group with Exclusion is slightly different than a Simple group, with the difference being that you specify a major group, defined by Check Point as an “outer group.” This will be the group that is included for this definition. You then specify minor, or inner, groups. These will be the groups culled out and excluded from the major group.

Logical Server

The logical server group (available by selecting New | Logical Server from the Network Objects window) enables you to group like servers (FTP, HTTP, SMTP, etc.) to be treated as one and used in a sort of resource sharing, or server pooling.
Note that this is an optional feature and may not be included with your FW-1 installation. Workload is distributed among these servers in a user-configurable manner. Figure 13.13 shows the configuration options for this object type. As usual, the name must be entered, and, if resolvable, the Get address button can be used to gather the associated IP address. A special note is in order here, specifically regarding the IP you’ll select. This address should be that of a non-existent server located on the same network as the destination servers, but can also be that of the FireWall-1 module. Think of this IP as a virtual IP address. It will be used by the clients to connect to the Logical Server group, and therefore cannot belong to any one member of that group.

The Server’s Type feature really is poorly named. This actually defines the method of load balancing, or even more specifically, the type of algorithm used. The two methods behave very differently. For example, with HTTP selected, only the initial connection will be handled by the logical server address. A redirection is sent to the client informing his or her browser of the new IP (that of the selected destination server), and the remainder of the conversation goes forth without the intervention of the firewall module. If Other is selected as the type, address translation is performed and the conversation is balanced per connection, with the firewall module constantly involved, unless Persistent Server mode is checked.

The Servers section enables you to select the server group that will make up this logical group. If selected, Persistent server mode allows some fine-tuning of the balancing mechanism.
When enabled, you can enforce connection persistence, meaning you can force packets from an established flow to continue to a single destination. This is very useful for something like an HTTP conversation when using Other as the server type. You can select between two modes here, Persistency by service and Persistency by server. The main difference between the two is that, when the former is selected, only connections to a single server for a single service will have persistency enforced, while in the latter any service on a specific server will be impacted.

Figure 13.13 Logical Server Properties Window

The final settings define the type of balancing to be performed. The Balance Method has several possible options.

■ Server Load FW-1 sends a query, using port 18212/UDP, to determine the load of each server. There must consequently be a load-measuring agent on each server to support this method.
■ Round Trip FW-1 sends a simple ICMP ping to each server. The fastest round-trip time is chosen as the preferred server. This lacks somewhat, in that the ping is from the firewall to the server, and may not be optimal from a remote client (remember, the servers need not be centrally located to participate in a server group). Also, a ping doesn’t tell you that the HTTP daemon has crashed on the server. As long as the server is up and on the network, regardless of the status of any of its services, traffic will be sent to it.
■ Round Robin FW-1 selects sequentially from a list. This is among the simplest methods.
■ Random FW-1 selects randomly from a list.
■ Domain FW-1 attempts to select the closest server to the client, based on domain naming convention. This method is not recommended.

Address Range

An address range defines a sequential range of IP addresses for inclusion with your rule base.
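The Logical Server section above describes Round Robin and Random balancing and the two Persistent Server modes. The following is an added example, not code from the book or from Check Point, that models those four behaviours so the difference between Persistency by service and Persistency by server can be seen on a concrete connection sequence. Server names and client addresses are constructed sample data, and keying the persistence table on the client address is an assumption of this model.

```python
"""Added example (not from the book): a model of Logical Server balancing
with the Round Robin and Random methods and the two Persistent Server modes."""
import itertools
import random


class LogicalServer:
    def __init__(self, servers, method="round_robin", persistency=None, seed=0):
        # persistency: None (balance every connection), "service"
        # (stick per client + service) or "server" (stick per client)
        if persistency not in (None, "service", "server"):
            raise ValueError(f"unknown persistency mode: {persistency!r}")
        self.servers = list(servers)
        self.method = method
        self.persistency = persistency
        self._cycle = itertools.cycle(self.servers)   # Round Robin state
        self._rng = random.Random(seed)               # Random method (seeded for repeatability)
        self._sticky = {}                             # persistence table: key -> server

    def _key(self, client, service):
        if self.persistency == "service":
            return (client, service)   # only this service sticks to the chosen server
        if self.persistency == "server":
            return client              # every service from this client sticks
        return None                    # no persistence: balance per connection

    def _balance(self):
        if self.method == "round_robin":
            return next(self._cycle)
        if self.method == "random":
            return self._rng.choice(self.servers)
        raise ValueError(f"unsupported balance method: {self.method!r}")

    def select(self, client, service):
        """Return the real server for a new connection from client to service."""
        key = self._key(client, service)
        if key is not None and key in self._sticky:
            return self._sticky[key]
        chosen = self._balance()
        if key is not None:
            self._sticky[key] = chosen
        return chosen


def compare_persistency_modes():
    """Run one constructed connection sequence through both persistence modes."""
    flows = [("10.0.0.5", "http"), ("10.0.0.5", "ftp"),
             ("10.0.0.5", "http"), ("10.0.0.6", "http")]
    pool = ["srvA", "srvB", "srvC"]
    by_service = LogicalServer(pool, persistency="service")
    by_server = LogicalServer(pool, persistency="server")
    return ([by_service.select(c, s) for c, s in flows],
            [by_server.select(c, s) for c, s in flows])


if __name__ == "__main__":
    print(compare_persistency_modes())
```

With Persistency by service, the second flow (same client, FTP instead of HTTP) is balanced afresh and lands on a different server; with Persistency by server, every service from that client follows the first choice.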
An address range is similar in use to a network object, with the major difference being that you specify a starting and ending IP address instead of a network number and subnet mask. Figure 13.14 illustrates the General panel for this object type, which is available by selecting New | Address Range from the Network Objects management window. As usual, the NAT panel features no special information and is the same as that found on most other object types.

Figure 13.14 Address Range Properties Window

Gateway Cluster

A gateway cluster is a grouping of machines running VPN-1/FW-1 that is grouped together as a means of fail-over support. Clustering is a complex subject, and configuring it is much more detailed than the majority of other object types. First, you have to visit the Global Properties and, under the Gateway High Availability branch, place a checkmark in the setting to Enable gateway clusters.

The next step is to create your workstation objects. In order to support clustering, you must have at least three objects, two of which must be firewall modules, and one a manager. The workstation object should be created as normal for a machine with FW-1 installed. It is important that the interfaces are properly defined, as anti-spoofing is required for proper high-availability function.

Next, you create a new gateway cluster object. The General panel is illustrated in Figure 13.15. You’ll access this panel by selecting New | Gateway Cluster from the Network Objects management window.
This panel allows the initial configuration for the cluster. The name and IP address are defined here, as are the specific Check Point products that will reside within this cluster. Also, you can specify whether you or another party manage the cluster. You also can specify, on the topology panel, which addresses reside behind this cluster. This is similar to the features on a workstation object’s interface properties topology panel.

Dynamic Object

A dynamic object is perhaps the most interesting object type supported on FW-1. It is also one of the most useful in a large enterprise. This object type enables you to define a logical server type, one in which the actual IP address will resolve differently on each FW-1 machine. This enables you to create rules referencing “mail server” and distribute that policy to several different FW-1 machines, all of which will resolve “mail server” as the proper machine within their realm. Figure 13.16 shows you the basic configuration window, which you can see by selecting New | Dynamic Object from the Network Objects management window.

Figure 13.15 Gateway Cluster—General Panel

The real key to a dynamic object is the dynamic_objects command. This command is run on the firewall module where the name will be resolved, and enables you to specify the values to which it will resolve. Table 13.2 describes this command and its options.

Table 13.2 Dynamic_Objects Command Options

Option               Explanation
-o <object name>     Specify the object name to work with. This option is often used with operators such as -a to add addresses to an existing object.
-r <address range>   Specify an address range.
-a <address range>   Add address of <range> to object.
-d <address range>   Delete addresses from the object.
-l                   List all dynamic objects.
-n <object name>     Create a new dynamic object; assuming the VPN-1/FW-1 process has been stopped.
-c                   Compare the defined dynamic objects to those defined in the objects.C file.
-do <object name>    Delete the specified object.

Services

The services objects give you a finer level of access control as compared to exclusive use of network entities. With the service object, you can define protocol specific information, like protocol in use (TCP, UDP, and so forth), and port numbers. FW-1 comes preconfigured with many of the more common services in use today, and further enables you to create custom services based on your unique needs. To add, modify, or delete services, access the Services window by clicking Manage | Services. From here, you will be able to act on the following service types.

Figure 13.16 Dynamic Object Properties Window

TCP

The TCP service object enables you to define a basic TCP service. Figure 13.17 illustrates this service type, using the domain-tcp (DNS) service as an example. To bring up this window, select New | TCP from the Services management window.

The information required for this service is very limited (which is nice when you have to define a lot of them!). Besides a name and comment, all you have to enter is the destination port number. This can be a specific port, as in Figure 13.17, a range (e.g. 1024-1028), or a greater-than/less-than definition (e.g. <56). There is also an Advanced button, which displays the window as shown in Figure 13.18.
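The three destination-port notations just described (a single port, a range such as 1024-1028, and a comparison such as <56) can be matched with a small parser. This is an added example, not code from the book or from Check Point: the spec strings are constructed, the `service_matches` and `ports_admitted` helpers are my own, and the optional source-port argument models the Advanced panel's use of the same modifiers for the source port.

```python
"""Added example (not from the book): parse and match FW-1 style TCP service
port specifications, and count how many ports a specification admits."""
import re

_SINGLE = re.compile(r"^\d{1,5}$")
_RANGE = re.compile(r"^(\d{1,5})-(\d{1,5})$")
_CMP = re.compile(r"^([<>])(\d{1,5})$")


def _port(text: str) -> int:
    value = int(text)
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {text}")
    return value


def parse_port_spec(spec: str):
    """Return a predicate (port -> bool) for one port specification string."""
    spec = spec.strip()
    if _SINGLE.match(spec):                      # e.g. "53"
        want = _port(spec)
        return lambda p: p == want
    m = _RANGE.match(spec)                       # e.g. "1024-1028"
    if m:
        lo, hi = _port(m.group(1)), _port(m.group(2))
        if lo > hi:
            raise ValueError(f"inverted range: {spec}")
        return lambda p: lo <= p <= hi
    m = _CMP.match(spec)                         # e.g. "<56" or ">1023"
    if m:
        op, bound = m.group(1), _port(m.group(2))
        return (lambda p: p < bound) if op == "<" else (lambda p: p > bound)
    raise ValueError(f"unrecognised port specification: {spec!r}")


def service_matches(dst_spec, dst_port, src_spec=None, src_port=None):
    """Match a connection against a service's destination spec and, if the
    Advanced panel set one, its source port spec (hypothetical helper)."""
    if not parse_port_spec(dst_spec)(dst_port):
        return False
    if src_spec is None:
        return True
    return parse_port_spec(src_spec)(src_port)


def ports_admitted(spec: str) -> int:
    """Number of ports a spec admits; a large value is a sign the service is
    broader than its name suggests (constructed review check)."""
    pred = parse_port_spec(spec)
    return sum(1 for p in range(65536) if pred(p))


if __name__ == "__main__":
    for s in ("53", "1024-1028", "<56", ">1023"):
        print(s, ports_admitted(s))
```

The `ports_admitted` check is the one worth running over a rule base: a comparison spec such as >1023 reads like a single service but admits 64512 destination ports.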
The Advanced settings enable you to specify a source port, and allow for the same modifiers as in the General panel’s port specification. You can also specify the protocol type, which impacts which security server will provide things like content security for this service. The checkbox marked Enable for TCP resource, if checked, enforces screening using a UFP server, mitigating the intervention of a security server. The next item, Match for ‘Any’, allows connections using this service to be matched when a rule is crafted with ‘Any’ as the service. The Session Timeout is a local setting meant to allow override of the global session timeout. The inclusion of the timeout in the GUI is a nice change for FW-1 NG. In previous versions, setting a per-service timeout required manual editing of the base.def file, which is obviously a bit more involved.

Figure 13.17 TCP Service Properties
Figure 13.18 Advanced TCP Service Properties

UDP

The UDP service object enables you to define a basic UDP service. An example of this is the TFTP service. UDP tracking poses a problem for many firewalls, especially circuit level gateways. Since UDP is connectionless, it’s generally an all-or-nothing approach to security. Whole port ranges are often opened to allow UDP traffic, which is not a very nice notion. With FW-1, a second mechanism has been designed to keep track of a virtual “connection.”

The General properties are identical to those for TCP, as seen in Figure 13.17. The Advanced options are slightly different, and are shown in Figure 13.19. As with the TCP settings, we are able to specify a source port and a protocol type. Additionally, we have the familiar checkboxes, but this time with slightly different values. These are as follows:

■ Accept Replies If checked, allows for a bi-directional communication to take place.
■ Accept replies from any port Allows the server to reply from any port. An example of the need for this is the TFTP service.
■ Match for ‘Any’ Allows connections using this service to be matched when a rule is crafted with ‘Any’ as the service.

RPC

RPC services are usually tricky for a firewall administrator. RPC-based connections do not use a fixed port number, so allowing these types of connections is an all-or-nothing exercise. Usually, administrators choose to block all RPC connections on their external firewalls, while being far more permissive within their network boundaries. To alleviate this potential risk, FW-1 transparently tracks RPC ports. Application information is extracted from the packet in order to identify the program used. FW-1 also maintains a cache that maps RPC program numbers to the assigned port numbers. The configuration panel, viewed by selecting New | RPC from the Service management window, is shown in Figure 13.20.

Figure 13.19 Advanced UDP Service Properties

ICMP

ICMP is used for things like network troubleshooting and discovery. Unfortunately, attackers looking to gain information about you can also use it. For this reason, many sites decide to block all ICMP traffic. This isn’t really necessary, and may cause more problems than it solves. You can, using FW-1, pick and choose the specific ICMP types (and even sub types, or “codes”) allowed. Table 13.3 details some of the more useful ICMP types, their associated codes, and their meanings, as defined by the IANA (www.iana.org/assignments/icmp-parameters).
Table 13.3 ICMP Codes

ICMP Type   ICMP Code   Explanation
0                       Echo (ping) reply
3                       Destination unreachable:
            0           - network unreachable
            1           - host unreachable
            2           - protocol unreachable
            3           - port unreachable
            4           - dropped because DF (do not fragment) bit was set, fragmentation needed
            5           - source routing not allowed or otherwise failed
4                       Slow transmission rate
5                       Better network path available:
            0           - for entire network
            1           - for specific host
            2           - for tos and entire network
            3           - for tos and specific host
8                       Echo (ping) request
11                      Time exceeded for reason:
            0           - TTL reached 0 in transit
            1           - fragment reassembly time exceeded
12                      Bad IP header

Figure 13.20 RPC Service Properties

[...]

■ Accept Accept the packet; allow the connection.
■ Reject Reject the connection and notify the sender of the condition.
■ Drop Reject the connection, but do not notify the sender.
■ User Authentication Use User Authentication for this connection.
■ Client Authentication Use Client Authentication for this connection.
■ Session Authentication Use Session Authentication [...]

[...] The next step is to define the Service, which is the obvious choice of RADIUS. The Shared Secret must be entered in order to establish communication between the firewalled object and the RADIUS server. Consequently, it must be the same on both devices. The final step is to select the proper version from the Version drop-down menu.

Figure 13.25 RADIUS [...]

[...] available via the toolbar or via the View menu. These views select some of the more commonly accessed information for display. For example, there is a predefined selection for VPN-1 data, which shows you such entries as Key IDs, encryption method, VPN peer gateway, and so forth. But the real power of the Log [...]
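The ICMP section and Table 13.3 above argue for allowing specific types and codes rather than blocking all ICMP. As an added example that is not part of the book or of Check Point's own code, the following parses the type and code from a raw ICMP message (verifying the checksum) and applies a per-type, per-code inbound allow list built from the table, keeping the messages that path MTU discovery, traceroute and outbound ping depend on and dropping the rest. The allow list, the sample packets and the helper names are constructed for this example; the type and code names come from Table 13.3 with the IANA registry names in parentheses.

```python
"""Added example (not from the book): decode ICMP type/code from a raw
header and apply a per-type/per-code allow list derived from Table 13.3."""
import struct

# Type/code names as listed in Table 13.3 (IANA names in parentheses)
ICMP_NAMES = {
    (0, 0): "echo (ping) reply",
    (3, 0): "destination unreachable: network unreachable",
    (3, 1): "destination unreachable: host unreachable",
    (3, 2): "destination unreachable: protocol unreachable",
    (3, 3): "destination unreachable: port unreachable",
    (3, 4): "destination unreachable: DF set, fragmentation needed",
    (3, 5): "destination unreachable: source routing failed",
    (4, 0): "slow transmission rate (source quench)",
    (5, 0): "better path available (redirect) for entire network",
    (5, 1): "better path available (redirect) for specific host",
    (5, 2): "better path available (redirect) for tos and entire network",
    (5, 3): "better path available (redirect) for tos and specific host",
    (8, 0): "echo (ping) request",
    (11, 0): "time exceeded: TTL reached 0 in transit",
    (11, 1): "time exceeded: fragment reassembly time exceeded",
    (12, 0): "bad IP header (parameter problem)",
}

# Constructed inbound allow list: None means every code of that type.
INBOUND_ALLOW = {
    0: None,            # echo reply: lets outbound ping work
    3: {0, 1, 3, 4},    # selected unreachables; code 4 is needed for path MTU discovery
    11: {0, 1},         # time exceeded: lets traceroute and TTL expiry reporting work
    12: None,           # bad IP header
}                       # echo request (8) and redirects (5) are not listed, so they drop


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message with a correct checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return struct.pack("!BBH", icmp_type, code, _checksum(body)) + rest + payload


def parse_icmp(packet: bytes):
    """Return (type, code) from a raw ICMP message, rejecting short or corrupt input."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    if _checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    return icmp_type, code


def decide(packet: bytes, policy=INBOUND_ALLOW):
    """Return (action, type, code, name) for one inbound ICMP message."""
    icmp_type, code = parse_icmp(packet)
    name = ICMP_NAMES.get((icmp_type, code), "type/code not in Table 13.3")
    codes = policy.get(icmp_type, set())
    action = "accept" if (codes is None or code in codes) else "drop"
    return action, icmp_type, code, name


if __name__ == "__main__":
    for t, c in ((0, 0), (8, 0), (3, 4), (3, 2), (5, 1), (11, 0)):
        print(decide(build_icmp(t, c)))
```

Note that the policy keys on the (type, code) pair rather than the type alone: destination unreachable is accepted only for the codes hosts actually act on, which is the granularity the FW-1 ICMP service object gives you.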
[...] queue, and then wait, for a predefined timeout period, for the final part of the connection process to complete. Herein lies the rub. There are two problems here. The first is that the sending of a SYN packet is completely normal. A high-volume server might see thousands of SYN packets in any given time period. The second problem is that the server tends to be too generous in its timeout period, giving the client [...]

[...] see a submenu with the following choices:

■ Bottom After the last rule in the rulebase.
■ Top Before the first rule in the rulebase.
■ After After the currently selected rule.
■ Before Before the currently selected rule.

After you insert the new rule, it will resemble the one shown in Figure [...]

[...] resources on the Internet. Most of us are familiar with the URI by another name: URL. Which term you use is often a matter of tossing the dice, as there is dispute even among the standards developers as to which is more proper.

URI for QoS

Another type of URI object is the URI for QoS, [...]

[...] parameters. They can then be monitored using Check Point Traffic Monitoring. To add a new Virtual Link, select Virtual Links from the Manage menu in the Policy Editor. There are two panels to be configured. The General panel defines the name, etc., for the link, and also enables you to define the endpoints and to optionally activate the link. The SLA Parameters panel, shown in Figure 13.29, enables you to specify the [...]
[...] GUI. The left-hand pane, known as the Modules View, lists the installed and monitored modules. These modules can be either Check Point or third-party OPSEC modules. The right-hand pane, known as the Details View, lists the status for the module selected in the Modules View. Finally, there is a Critical Notifications pane (not shown in Figure 13.40) that keeps you updated on any status alerts generated. The [...]

[...] certificate. You may also be able to specify the source of the Certificate Revocation List (CRL). The Advanced panel deals with the CRL for this server; specifically, it configures the desire to cache the CRL and when to fetch a new CRL. You can also assign what branches are to be allowed.

SecuRemote DNS

SecuRemote [...]

[...] support exists to paste the license details from the clipboard, obviating the need to hand-type) so you probably will not want to add licenses in this way. The second method is to import a file created by the Check Point User Center. To begin, select Licenses | New License from the SecureUpdate tool. [...]

[...] optionally log the SLA statistics.

Figure 13.28 Time Object—Days Panel

Adding Rules

The Policy [...]