MISSION CRITICAL! INTERNET SECURITY part 10 docx


Check Point Software’s Check Point FireWall-1 • Chapter 11 449

allows you to distribute the reports by sending them to an e-mail address as an attachment, or to a Web server as an HTML document. There are almost 20 predefined reports that can be generated, and customized reports can be created to suit your needs. This allows reports to be created for administrators and decision makers, so that your network can be analyzed properly as to its use and abuse.

To protect yourself from yourself, actions performed by administrators are logged to a file on the server running your firewall. This allows you to see what actions you’ve performed so that you can review your work, and also to see if you’ve made a mistake that led to a particular problem. The log is a text file, which can be viewed through any text viewer. This file logs failed and successful logon attempts, logoffs, saved actions, and actions dealing with installations of databases and policies. In FireWall-1 4.1 this file is called cpmgmt.aud; previous versions have a file called fwui.log. Regardless of the file name, these log files are stored in the $FWDIR/log directory.

LDAP-based User Management

FireWall-1 supports the Lightweight Directory Access Protocol (LDAP). LDAP is a protocol that allows user information to be stored in, and retrieved from, LDAP databases. The user information stored in these databases may reside on one or more servers, and is accessible to FireWall-1 through the Account Management module. By accessing information in an LDAP database, it can be applied to the security policies used by FireWall-1. Information stored in the LDAP database covers a variety of elements, including identification and group membership information. Identification information provides such data as the full username, login name, e-mail address, directory branch, and associated template. Group membership provides information on the groups to which the user belongs.
Access control information in the database shows what each user has permissions to, and time restrictions indicate the times of day the user is able to log in and access resources. Finally, authentication information provides data regarding the authentication scheme, server, and password, and encryption information details the key negotiation scheme, encryption algorithm, and data integrity method to be used. As mentioned, this information can be made available to LDAP clients such as FireWall-1 with the Account Management module installed. The benefit of LDAP is that it eliminates the need for multiple data stores containing duplicate information on users. When the Account Management module is installed, security information can be stored on an LDAP server. FireWall-1 and other LDAP-compliant software can then use the security information on users that is stored in the LDAP database.

www.syngress.com 115_MC_intsec_11 12/12/00 3:13 PM Page 449

Malicious Activity and Intrusion Detection

FireWall-1 has the ability to detect malicious activity and possible intrusions. Such activity may indicate a hacker attempting to gain access to your network. The Malicious Activity Detection feature analyzes log files, and looks for known attacks and suspicious activity at the Internet gateway. When these are found, the security manager is notified, allowing you to take action on attempted security policy violations.

One type of attack that FireWall-1 effectively deals with is known as flooding, or a SYN flood. With this, a request is made to a server. In the header of the packet, the SYN flag is set, so that the server sends back a SYN/ACK packet. Basically, the client sends a TCP/IP packet called a SYN packet to make a connection. The server replies to this with another packet. This packet is called a SYN/ACK packet, and acknowledges receipt of the SYN packet.
If the IP address in the header is not legitimate, then the server can’t complete the connection, but it reserves resources because it expects a connection to be made. The hacker sends out hundreds or thousands of these requests, thereby tying up the server. Because resources are tied up by these requests, legitimate users are unable to connect to the server, and services are denied to them.

To deal with these attacks, FireWall-1 uses a program called SYNDefender. SYNDefender ensures that the connection is valid. If the handshake isn’t completed, then the resources are released. The SYNDefender Gateway enhances this protection by moving requests of this sort out of the backlog queue and setting up a connection. If the connection isn’t completed by the client’s response to the SYN/ACK packet, then the connection is dropped.

Another type of attack that FireWall-1 can detect is IP spoofing. This involves a hacker using a fake IP address, so that he or she appears to be working on a host with higher access. When a packet is sent from this host, it may appear to be originating from a host on the internal network. FireWall-1 works against IP spoofing by limiting network access based on the gateway from which data is received.

Requirements and Installation

In this section we’ll discuss the system requirements and installation procedures for Check Point FireWall-1. As with any software, minimal requirements must be met if the software is to function as expected. It is important that you compare these requirements to the server and network on which FireWall-1 is to be installed before installation actually takes place. We will also discuss considerations for updating FireWall-1, installing Service Packs, and adding modules. As we’ve seen, FireWall-1 features are added through the installation of modules.
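The two protections described in the Malicious Activity and Intrusion Detection section above, SYNDefender-style release of half-open connections and anti-spoofing based on the interface a packet arrives on, modelled in Python as an added example. This is not Check Point’s code; the interface names, addresses, timeout and packet trace are all constructed for the illustration.

```python
"""Added illustration (not Check Point code) of two FireWall-1 protections
described in the text: anti-spoofing by ingress interface, and SYNDefender-
style release of half-open TCP connections. Topology, addresses, timeout and
the packet trace below are all constructed for the example."""
import ipaddress
from dataclasses import dataclass, field

# Constructed topology: the only network that legitimately sits behind the
# gateway's internal interface.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_spoofed(iface: str, src: str) -> bool:
    """Anti-spoofing check: a packet arriving on the external interface must
    not claim an internal source address, and one arriving on the internal
    interface must claim one. Anything else is a spoofed source."""
    inside = any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)
    return inside if iface == "external" else not inside


@dataclass
class SynGuard:
    """Tracks connections that have sent a SYN but not yet completed the
    handshake. Entries whose final ACK never arrives within `timeout`
    seconds are released, so a flood of SYNs from unreachable addresses
    cannot keep resources tied up indefinitely."""
    timeout: float = 5.0
    pending: dict = field(default_factory=dict)   # (src, sport) -> SYN time
    established: set = field(default_factory=set)
    released: int = 0

    def sweep(self, now: float) -> int:
        """Release half-open entries older than the timeout; return count."""
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for key in stale:
            del self.pending[key]
            self.released += 1
        return len(stale)

    def packet(self, now: float, src: str, sport: int, flags: str) -> str:
        self.sweep(now)
        key = (src, sport)
        if flags == "SYN":                  # client asks to connect
            self.pending[key] = now         # server answers SYN/ACK and waits
            return "SYN/ACK sent"
        if flags == "ACK" and key in self.pending:
            del self.pending[key]           # handshake completed
            self.established.add(key)
            return "established"
        return "ignored"


# Constructed trace: (time in seconds, ingress interface, source, sport, flags)
EVENTS = [
    (0.0, "external", "203.0.113.5", 40001, "SYN"),
    (0.1, "external", "203.0.113.5", 40001, "ACK"),  # legitimate client completes
    (0.2, "external", "10.1.2.3", 1234, "SYN"),      # internal source from outside
    (0.3, "external", "198.51.100.7", 5000, "SYN"),  # two SYNs that never complete
    (0.3, "external", "198.51.100.7", 5001, "SYN"),
    (7.0, "external", "203.0.113.9", 6000, "SYN"),   # sweep on arrival frees both
]


def run(events, timeout: float = 5.0) -> dict:
    """Feed the trace through both checks and summarise what happened."""
    guard = SynGuard(timeout)
    spoofed, log = 0, []
    for now, iface, src, sport, flags in events:
        if is_spoofed(iface, src):
            spoofed += 1
            log.append(f"{now:4.1f} DROP spoofed source {src} on {iface}")
            continue
        verdict = guard.packet(now, src, sport, flags)
        log.append(f"{now:4.1f} {src}:{sport} {flags} -> {verdict}")
    return {"spoofed": spoofed, "established": len(guard.established),
            "released": guard.released, "pending": len(guard.pending),
            "log": log}


if __name__ == "__main__":
    summary = run(EVENTS)
    print("\n".join(summary["log"]))
    print({k: v for k, v in summary.items() if k != "log"})
```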
As such, we will also discuss installing the Reporting module, which is important for monitoring and troubleshooting FireWall-1.

NOTE
In reading the following sections, it is important to realize that how you configure FireWall-1 will depend on the features you want to implement, and how your network is designed. Although system requirements are cut-and-dried, and must be met for the firewall to function properly, other information provided here is subjective. The information here should not be taken verbatim, but should be viewed as an outline that can be applied to your firewall design.

System Requirements

One of the most important parts of installing any software is ensuring that the computer meets the minimal requirements. This not only means that your server has enough RAM, hard disk space, and other necessary hardware, but also that it uses an operating system on which FireWall-1 can run. Before attempting to install FireWall-1 on a server, you should check the existing hardware and operating system to make certain that the firewall can be installed and will function properly. (See Table 11.2.)

The hardware requirements vary, depending on whether you are installing FireWall-1’s Management Server & Enforcement Module or the GUI Client. The Management Server & Enforcement Module requires a minimum of 64MB of memory, but 128MB of RAM is recommended. You will also need 40MB of free hard disk space. To run FireWall-1’s GUI Client on a workstation, you will also need to ensure that minimal hardware requirements are met. The GUI Client needs a minimum of 32MB of RAM, and 40MB of hard disk space. A network interface that is supported by FireWall-1 is also needed, so that the software can communicate over the network. The network interface can be Asynchronous Transfer Mode (ATM), Ethernet, Fast Ethernet, Fiber Distributed Data Interface (FDDI), or Token Ring. Finally, you will need a CD-ROM drive so that you can install the firewall software.
FireWall-1’s Management Server & Enforcement Module can run on a number of different operating systems (OSs). As a majority of software is designed for Microsoft operating systems, it should come as no surprise that FireWall-1 supports Windows NT 4.0 Server and Windows 2000 Server. However, if Windows NT is used, you will need to ensure that the server has the proper Service Pack (SP) installed, as Service Pack 4 or higher (SP4 through SP6a) must be installed. Sun Solaris 2.6, 7, and 8 are also supported by FireWall-1, but these OSs must be running in 32-bit mode. Additionally, 32-bit mode must also be used if your server is running HP-UX 10.20 or 11.0. Red Hat Linux 6.1 is supported, but you will need to check that it is using kernel 2.2x. Finally, IBM AIX 4.2.1, 4.3.2, or 4.3.3 can also be used on the server on which FireWall-1 is being installed.

FireWall-1’s GUI Client also has a number of requirements. It can run on Microsoft Windows 9x, Windows NT/2000, Sun Solaris SPARC, HP-UX 10.20, or IBM AIX. Since this covers most of the popular operating systems, you probably have a workstation on your network running one or more of these OSs.

The Reporting Module also has specific requirements, which are small in comparison to these other modules. The Reporting Server is installed on the Windows NT/2000 or UNIX server running FireWall-1. For Windows servers, this machine will need a minimum of an Intel Pentium II (233 MHz or higher) processor with 3GB of free disk space and 128MB of RAM. UNIX machines will need a Sun UltraSPARC 5 (360 MHz), Solaris 2.5.1 or higher, 3GB of free disk space, and 128MB of RAM. The Reporting Client can run on a machine running Windows 9x or NT that has 6MB of free disk space, 32MB of RAM, and an Intel x86 or Pentium processor.
Table 11.2 FireWall-1 System Requirements

Management Server & Enforcement Module
  Operating System: Windows NT 4.0 Server with Service Pack 4 or higher installed; Windows 2000 Server; Sun Solaris 2.6, 7, and 8 running in 32-bit mode; HP-UX 10.20 or 11.0 running in 32-bit mode; Red Hat Linux 6.1 with kernel 2.2x; IBM AIX 4.2.1, 4.3.2, or 4.3.3.
  RAM: 64MB.
  Hard Disk Space: 40MB.
  Network Interface: Asynchronous Transfer Mode (ATM), Ethernet, Fast Ethernet, Fiber Distributed Data Interface (FDDI), or Token Ring.

GUI Client
  Operating System: Microsoft Windows 9x, Windows NT/2000, Sun Solaris SPARC, HP-UX 10.20, or IBM AIX.
  RAM: 32MB.
  Hard Disk Space: 40MB.
  Network Interface: Asynchronous Transfer Mode (ATM), Ethernet, Fast Ethernet, Fiber Distributed Data Interface (FDDI), or Token Ring.

Reporting Module
  Operating System: Windows NT/2000 Server, Sun Solaris 2.5.1 or higher.
  RAM: 128MB.
  Hard Disk Space: 3GB.

Reporting Client
  Operating System: Windows 9x or NT/2000.
  RAM: 32MB.
  Hard Disk Space: 6MB.

Installing Check Point FireWall-1

In this section we will discuss the procedures involved when installing Check Point FireWall-1. Because FireWall-1 can be installed on so many operating systems, it would be impossible to detail the installation on each and every one. As such, this section will focus on installation on a Windows NT Server. If your company uses a different server operating system, you will find installation on that OS virtually identical. As such, you can use the information provided here as a guideline, and adapt it to the server operating system being used by your company.

After inserting your installation CD into your CD-ROM drive, open the Windows Start menu and click on the Run command. This will display the Run dialog box. Click the Browse button, and navigate to the Windows directory on the CD-ROM.
Once you have gone to this directory, double-click on SETUP.EXE to start the installation. The first screen that will appear is an introduction to the installation wizard. By clicking the Next button, the Select Components screen will appear. As shown in Figure 11.3, clicking on the checkboxes that are on this screen will select the components to install. You will need to select FireWall-1 to install the server components of the firewall, and FireWall-1 User Interface to install the GUI interface that is used to set your security policy.

After you click Next, the Software License screen is displayed. This screen provides information on the agreement to use the firewall software. Click Yes to accept the agreement and continue to the next screen. If you click No, then you will not be allowed to continue with the installation, and will be forced to exit the wizard.

After clicking Yes, the FireWall-1 Welcome screen will appear. Aside from the greeting, there is nothing to configure on this screen. Clicking Next will allow you to continue to the next screen.

The screen that follows is the Choose Destination Location screen. This screen allows you to specify the directory into which FireWall-1 will be installed. A default location is provided on this screen. If you decide to install FireWall-1 to a different location, then you will need to set the FWDIR environment variable to point to the directory in which the firewall has been installed. If the FWDIR variable isn’t set, then the fwinfo debugging tool that comes with FireWall-1 won’t be able to function properly. Upon accepting the default directory or choosing a new directory on the Choose Destination Location screen, click Next to continue.

The next screen is the Selecting Product Type window.
On this screen, you will see different types of products available for installation. This allows you to decide whether to install VPN-1 products, FireWall-1 products, or both. Select the product(s) being installed and click Next.

Figure 11.3 Select Components Screen of the FireWall-1 Installation.

FireWall-1 will be installed to the specified location, and the FireWall-1 service will be started. After this occurs, a Welcome window will appear for the GUI Console. Click Next to go to the next screen.

As seen in the FireWall-1 installation, the GUI installation will display a Choose Destination Location window. This allows you to specify where the User Interface, which will be used to manage FireWall-1, will be installed. Accept the default location, or enter the path of a new directory that will be used to install the GUI Console. Click Next to continue.

As shown in Figure 11.4, the Select Components screen will appear next. This screen allows you to specify which components will be installed to the destination location you specified. Click on Security Policy, Log Viewer, and System Status to select these components, then click the Next button to continue.

Once the software has been installed in the specified location, the Licenses screen is displayed as shown in Figure 11.5. Because this is a new installation, each of the fields on this screen will appear blank. To add a new license for FireWall-1, click the Add button. This will display the Add License dialog box. This is where you add the licensing information that you received from Check Point. You must add information to three fields on this screen:

■ Host
■ Features
■ Key

Figure 11.4 Select Components Screen of the FireWall-1 Installation.
The Host field is where you enter the IP address of Windows NT Servers. If you are evaluating FireWall-1, then you would enter the word eval. The Features field is used to enter a string that lists the features of your license. Each of the features entered in this field should be separated by a space. Finally, the Key field is where you enter the registration key of your license. Upon entering this information, click the OK button to return to the Licenses screen, then click Next to continue.

The screen that follows is the Administrators screen, where you’ll enter the usernames of those who will administer the firewall. As with the Licenses screen, if this is a new installation, there will be no administrators. To add a new username to this listing, click on the Add button to display the Add Administrators dialog box. This screen has several fields:

■ Administrator’s Name
■ Password
■ Confirm Password
■ Permissions

Enter the name of the user you want to be an administrator in the Administrator’s Name field. Type the password in the Password and Confirm Password fields. This will ensure that any password you enter will be spelled correctly. Finally, click on the Permissions drop-down box and select the permissions you want the administrator to have. To have full access, select Read/Write. After performing these steps, click OK to save the settings. To add additional administrators, click the Add button on the Administrators screen and repeat these steps.

Figure 11.5 Licenses screen of the FireWall-1 installation.

When you have completed the wizard, you will then be ready to configure FireWall-1. However, as the following sections will discuss, there may be other modules you want to install.
Upon installing the modules you want to use with FireWall-1, you will then need to configure it, as we’ll see later in this chapter.

Installing the Reporting Module

The Reporting Module is available on the Enterprise CD. To install this module, simply insert the installation CD into the CD-ROM drive of the server running FireWall-1. The installation wizard starts and the Welcome screen appears. Click Next; the next screen lets you select the Server/Gateway components you’d like to install. On this screen, click on the checkbox labeled Reporting Module, and then click the Next button to install the module. Now you are ready to install the license. Licenses for Check Point products are available from the Check Point Web site (http://license.checkpoint.com). Once the license is installed, you can configure Reporting for your FireWall-1 server. We will discuss configuration later in this chapter.

Upgrade Issues

Before performing an upgrade you should perform a number of preliminary steps. If you are upgrading from version 3.0b to version 4.1, you should first upgrade to FireWall-1 4.0 Service Pack 3 before upgrading to the latest version. This will provide a cleaner installation, and will help you avoid problems during the upgrade. Regardless of the version you are upgrading from, you should always perform a backup of the server on which FireWall-1 resides. If a problem occurs during the upgrade, this will ensure that data isn’t lost, and will keep you from needing to perform a full install and configuration if the upgrade fails badly.

After Installation

Once installation is complete, you should check whether any service packs have been released for FireWall-1. Service packs fix known problems or issues with software, and are available from the manufacturer’s Web site.
Once you’ve installed FireWall-1, go to Check Point’s Web site at www.checkpoint.com to see if any service packs are available, and occasionally revisit the site so that you’re sure the latest service pack has been applied to the firewall.

TIP
FireWall-1 works with other third-party software, such as anti-virus software. As such, you should ensure the latest updates and virus signature files are installed on your server(s).

To avoid problems unrelated to FireWall-1, you should install the latest service pack for your operating system on the machine on which FireWall-1 is running. In some cases, problems you may attribute to new firewall software may be due to problems in the operating system or other software that FireWall-1 is working with.

FireWall-1 Configuration

Configuration and management is done through FireWall-1’s Graphical User Interface. This interface provides a representation of common objects to which rules will be applied. These resource objects allow you to define rules for users, hosts, servers, services, and other elements of a TCP/IP network. This centralized management is incredibly simple and easy to use.

Using the Graphical User Interface, shown previously in Figure 11.1 and later in Figure 11.6, you are able to select the object for which you want to design a rule. Upon selecting the object, you then bring up the properties for the object. As we will see in the sections that follow, the specific properties will vary depending on the object selected. By modifying these properties, a rule based on your specifications will be stored in the security policy for the firewall.

In this section, we will highlight what can be configured on Check Point FireWall-1, and then discuss how this is done. As we will see, there is considerable control over the FireWall-1 features through the GUI Console.
Configuring FireWall-1

To configure FireWall-1, you must start by opening the GUI Console that’s used to build your security policy. In Windows, start the user interface by clicking on the Start menu, selecting the FireWall-1 folder in Programs, and then clicking on the item called Security Policy. A logon screen appears; enter the username and password of an administrator (which you created during installation) and the name of the server you want to administer. After you click OK, the GUI Console appears.

Posted: 14/08/2014, 17:21
