Document information
Pages: 64
Size: 1.04 MB

Content
SecureClient Packaging Tool • Chapter 10 417

1. Highlight the profile's name in the Main window (see Figure 10.14).
2. Open the Copy [profile name] to dialog box (see Figure 10.15) by doing one of the following:
   • Select Profile | Copy from the menu.
   • Right-click and then select Copy from the menu.
   • Press Ctrl + C.
   • Select the Copy icon from the toolbar.
3. Enter the new profile name and comment. In this example (see Figure 10.15), we're creating a profile for software developers who work from other locations.
4. Click OK to copy the profile and close the dialog box.
5. You can now double-click the new profile name and edit its options.

Deleting a Profile

Deleting a profile is easy. Complete the following steps:

1. Highlight the profile's name in the Main window (refer back to Figure 10.14).
2. Delete the profile by doing one of the following:
   ■ Select Profile | Delete from the menu.
   ■ Right-click and then select Delete from the menu.
   ■ Press Del.
   ■ Select the Delete icon from the toolbar.

Figure 10.14 Selecting an Existing Profile
Figure 10.15 The "Copy [profile name] to" Dialog Box

www.syngress.com 259_ChkPt_VPN_10.qxd 4/2/03 4:26 PM Page 417

Editing a Profile

To edit an existing profile, follow these steps:

1. Highlight the profile's name in the Main window (refer back to Figure 10.14).
2. Edit the profile by doing one of the following:
   ■ Select Profile | Edit from the menu.
   ■ Right-click and then select Edit from the menu.
   ■ Press Ctrl + E.
   ■ Select the Edit icon from the toolbar.

Creating SecureClient Installation Packages

To create SecureClient installation packages, launch the SecureClient Packaging Tool (if it's not already open) and view the existing profiles (refer back to Figure 10.14). Highlight the profile you want to build a package for and then start the SecureClient Packaging Tool Package Generator wizard by doing one of the following:
   ■ Select Profile | Generate from the menu.
   ■ Right-click and then select Generate from the menu.
   ■ Press Ctrl + G.
   ■ Select the Generate icon from the toolbar.

Let's walk through the process window by window.

The Welcome Window

The first window you will see is the Welcome window (see Figure 10.16). Seeing this window is your confirmation that you've successfully launched the wizard. Be sure to heed the warning in the third paragraph of this window: for the wizard to run, it needs access to the special SecuRemote/SecureClient directory so that it can copy all the files it needs, so copy that directory to the management server in advance. Click Next to continue.

The Package Generation Window

The second window (see Figure 10.17) is the Package Generation window. You shouldn't have a reason to change the offered defaults unless you have an unusual configuration; keeping it standardized reduces complexity and errors. Click Next to continue.

As you can see from Figure 10.18, we've successfully created the installation package. Distribute it to your remote users and you're ready to go!

Figure 10.16 The Welcome Window
Figure 10.17 The Package Generation Window
Figure 10.18 Success!

Deploying SecuRemote Packages

The SecureClient Packaging Tool is a fairly simple, self-contained utility program. It creates profiles and then creates installation packages containing the profiles. There's really nothing complicated at all about "deploying" them; you just post them on your Web site or send them out on CD-ROMs. In fact, that's the whole point of this utility: once the installation packages are created, the user simply runs them and reboots, and they're done. More sophisticated administrators might want to add some structure to the deployment process.
Even though the risk of a user receiving a spoofed installation package is limited (after all, the software is publicly available and the user still needs to authenticate to the server), you should still consider digitally signing the packages (in a ZIP file, say) before distributing them. Whatever a tampered package contains runs with the user's privileges, so a spoofed installer can compromise the endpoint and the credentials stored on it even though it cannot by itself get an attacker into your encryption domain. A typical installation package is 7MB or 8MB, so it's probably too large to be conveniently e-mailed. Posting it on a Web site for downloading could be ideal.

Summary

The SecureClient Packaging Tool can significantly reduce complexity in a VPN rollout by enabling you to generate customized installation packages, each a single executable file, to be distributed to users. Within this package, you can set default options, configure for silent installation if desired, and set additional options manually. The user only has to launch the executable and approve the end-user license agreement; the rest of the installation is automated, presenting to the user only the choices determined by the administrator.

The SecureClient Packaging Tool provides a wizard to assist you, the administrator, in creating user profiles and an easy interface for managing these profiles. The SecureClient Packaging Tool Package Generator wizard combines the completed profile with the necessary SecuRemote/SecureClient installation files to create a single executable file for distribution to users. All that's left for the administrator is to distribute the packages to end users. The packages are designed for easy self-installation by users without advanced skills. For more sophisticated enterprises, the administrator might want to implement version control or digital signing of the packages.

Solutions Fast Track

Creating a Profile

■ Close the SmartView Dashboard before trying to launch the SecureClient Packaging Tool, because they cannot simultaneously be open with read/write privileges.
■ Use the SecureClient Packaging Tool wizard to create profiles for your users.
■ Follow the screens in the wizard to configure all the settings for the automated installation.
■ By configuring the profile to obscure (encrypt) topology information in the userc.C file and to include only partial topology information, you can make the installation package safer for public distribution.

Managing SecureClient Profiles

■ Copy an existing profile and save it under a new name to create new, similar profiles.
■ Edit existing profiles when you need to make changes.
■ Experiment with different versions of your profiles until you get them working properly, and then delete the unneeded copies.

Creating SecureClient Installation Packages

■ Run the SecureClient Packaging Tool Package Generator wizard to combine a completed profile with the necessary installation files to create an installation package. Be sure to specify the target location for your completed installation packages.
■ Complete the two-screen wizard and you're done!

Deploying SecuRemote Packages

■ Copy the necessary files to the management server before trying to generate a package from a profile.
■ Use the SecureClient Packaging Tool Package Generator wizard to generate ready-to-go installation packages.
■ Be sure to do thorough testing with a small sample before launching a large-scale rollout.
■ Distribute the installation package to your remote users.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: For one-time installations and testing, isn't it faster and easier to copy the SecuRemote/SecureClient directory over to the remote machine and run the installation program from there?

A: Even for single installations, using the packaging tool may prove beneficial, because creating a profile and then generating a package goes very quickly, and it gives the added benefit of a repeatable installation process.

Q: Where can I find the special directory of files that the package generator needs to build the package?

A: Download the SecuRemote/SecureClient self-extracting installation package from the Check Point Web site. Run the package and the directory will be created for you. The default destination location is C:\SecureClient Files.

Q: I want to be able to post our installation packages on our public Web site so that our users can download them and run them from anywhere, without having to authenticate first. Is this safe?

A: The SecureClient Packaging Tool and the SecuRemote/SecureClient software are distributed with every copy of VPN-1/FireWall-1 NG, so you won't be able to prevent anyone from getting access to them. But since remote users need to authenticate as part of initializing a VPN, there's no risk that unauthorized persons could connect to your encryption domain. As for the information that might be contained in your particular userc.C file, this is more of a concern, because topology information might be included in this file. Be sure to check Obscure topology on disk in the Topology window in order to encrypt topology information in the userc.C file. Also, enable Partial Topology in the same window in order to reduce the amount of topology information included in the userc.C file.

Q: If the SecureClient Packaging Tool is one of the SMART clients, why can't I launch it directly from the SmartView Dashboard?

A: You can't have the SmartView Dashboard and the SecureClient Packaging Tool both open at the same time in read/write mode. This prevents you from creating a package based on a configuration that's being edited. Therefore, the option to launch the SecureClient Packaging Tool directly from the SmartView Dashboard isn't available, and if you try to launch it from the operating system, you'll get a warning dialog box reminding you that you can't have them open simultaneously for read/write access.

Q: Is the SecureClient Packaging Tool just for preparing installation packages for SecureClient, or can I also prepare a package for SecuRemote?

A: The SecureClient Packaging Tool can prepare installation packages for either product.

Chapter 11 SmartDefense

Solutions in this chapter:
■ Understanding and Configuring SmartDefense
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

259_ChkPt_VPN_11.qxd 4/3/03 8:42 AM Page 425

Introduction

SmartDefense is a new product that was first available for FireWall-1 NG FP2 and was designed to be part of Check Point's new line of Active Defense security solutions. The new active solutions are designed to take immediate action to prevent an attack, instead of only notifying the administrators that an attack has taken place. This can be viewed as an extension to the packet inspection that already takes place on your firewall. FireWall-1 previously had the capability to understand a small number of application layer protocols, such as FTP, to allow the firewall to make the correct decision on the validity of a connection.
FireWall-1 now understands additional protocols and has some idea of what should be considered a valid data stream based on user-defined parameters. SmartDefense takes a different approach than a standard Intrusion Detection System (IDS): it does not attempt to counter each new attack that is discovered, but instead protects your network against entire classes of attacks. SmartDefense performs strict sanity checks on packet headers and protocol data to keep malformed data out of your network. For example, instead of watching for an extensive list of attacks that can be used against DNS servers, SmartDefense checks DNS packets for compliance with the RFC standard for DNS packets. This behavior can protect against a large number of current and future exploits without the need for continual signature updates. It will not, of course, protect against every available attack, because many attacks are difficult to distinguish from valid traffic flows. Some of these checks may also be too strict and will drop valid traffic that your applications need in order to function properly, which is why you have the ability to change the sensitivity levels or even turn off the protection entirely.

Not everything that you will see in SmartDefense is a new feature, because Check Point has combined some longstanding features with new attack defenses and placed it all into a single user interface. This user interface is available for use without any extra licensing, but if you want to be able to update the attack definitions you will need to purchase the subscription service, which gives you the ability to receive all of the latest updates directly from Check Point with the click of a button.

This chapter covers the SmartDefense features available in FireWall-1 NG FP3.
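To make the "RFC compliance instead of signatures" idea concrete, here is an added example (mine, not code from the book or from Check Point) of the kind of sanity check the text describes, applied to a raw DNS message: header field validation plus a question-section parser that enforces the RFC 1035 label and name limits and refuses compression pointers that point forward or loop. The sample messages are constructed inline; the 512-octet UDP limit is one of those "too strict" tunables the text mentions, since EDNS0 legitimately exceeds it.

```python
# Added example (not from the book or from Check Point): RFC 1035 sanity checks
# of the kind the text describes, applied to a raw DNS message.
import struct

HEADER_LEN, MAX_NAME, MAX_UDP = 12, 255, 512   # RFC 1035 limits


class DnsCheckError(ValueError):
    """Raised on the first violation; the message names the failed check."""


def read_name(msg, offset):
    """Parse a domain name at `offset`; return (name, offset_after_name).

    Enforces the name length limit and rejects compression pointers that
    point forward or loop, two classic ways to crash or spin a naive parser.
    """
    labels, total, visited, end = [], 0, set(), None
    while True:
        if offset >= len(msg):
            raise DnsCheckError("name runs past end of message")
        length = msg[offset]
        if length >> 6 == 3:                            # two-octet compression pointer
            if offset + 1 >= len(msg):
                raise DnsCheckError("truncated compression pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset or ptr in visited:
                raise DnsCheckError("forward or looping compression pointer")
            visited.add(ptr)
            if end is None:                             # name ends after the first pointer
                end = offset + 2
            offset = ptr
            continue
        if length >> 6:   # 01/10 prefixes are reserved (RFC 1035 4.1.4), so a plain label is <= 63
            raise DnsCheckError("reserved label type (or label longer than 63 octets)")
        offset += 1
        if length == 0:
            break
        total += length + 1
        if total + 1 > MAX_NAME:
            raise DnsCheckError("name longer than 255 octets")
        if offset + length > len(msg):
            raise DnsCheckError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) or ".", (offset if end is None else end)


def check_dns_message(msg):
    """Validate the header and question section; return parsed fields or raise."""
    if len(msg) < HEADER_LEN:
        raise DnsCheckError("shorter than the 12-octet header")
    if len(msg) > MAX_UDP:                 # tunable: EDNS0 (RFC 6891) legitimately exceeds this
        raise DnsCheckError("longer than 512 octets over UDP")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    qr, opcode = flags >> 15, (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):      # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        raise DnsCheckError("unassigned opcode %d" % opcode)
    if flags & 0x0040:                     # the Z bit still reserved (AD and CD took the other two)
        raise DnsCheckError("reserved Z bit set")
    if qr == 0 and opcode == 0 and (qd == 0 or an or ns):
        raise DnsCheckError("standard query must carry a question and no answer records")
    offset, questions = HEADER_LEN, []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise DnsCheckError("question section truncated")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        if qclass not in (1, 2, 3, 4, 255):  # IN, CS, CH, HS, ANY
            raise DnsCheckError("unknown class %d" % qclass)
        questions.append((name, qtype, qclass))
    # Resource records in the answer/authority/additional sections are not walked here.
    return {"id": ident, "qr": qr, "opcode": opcode, "questions": questions,
            "counts": (qd, an, ns, ar)}


def is_well_formed(msg):
    try:
        check_dns_message(msg)
        return True
    except DnsCheckError:
        return False


def build_query(name, ident=0x1234):
    """Constructed sample: a recursive standard query for `name`, type A, class IN."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed malformed messages: a length byte of 70 (reserved 01 type bits, i.e. an
# over-long label) and a compression pointer that refers to itself.
BAD_LABEL = struct.pack("!6H", 1, 0x0100, 1, 0, 0, 0) + b"\x46" + b"a" * 70 + b"\x00" + struct.pack("!HH", 1, 1)
SELF_POINTER = struct.pack("!6H", 2, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    print(check_dns_message(build_query("www.example.com")))
    print([is_well_formed(m) for m in (BAD_LABEL, SELF_POINTER)])   # [False, False]
```

The design point is the one the text makes: nothing here knows about any particular DNS exploit, yet a class of malformed-name attacks is rejected before a server ever parses them, and the cost is that a legitimately oversized (EDNS0) message is also dropped until the limit is raised.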
SmartDefense is constantly being updated via the subscription service, and the user interface will likely be modified in future updates, so it is likely that you will see features that were not available during the writing of this book. Fortunately, many of the major attack classes already exist in SmartDefense, and the information in this chapter should still be valid in future versions.

The help files that are currently included with the FP3 SmartClients are lacking in both information and accuracy. You may see discrepancies between what is printed in this chapter and what is contained in the help files. Most of the features in SmartDefense [...]

[...] configuration is shown in Figure 11.18. Please keep in mind that this figure represents random commands moved into the blocked category and does not reflect an appropriate way to protect your FTP server.

Figure 11.18 Allowed FTP Commands

Two other measures are automatically enabled when using the FTP Security Server. These [...]

[...] RST to the server, closing that particular session. Figure 11.9 illustrates the steps taken when using SYN Gateway.

Figure 11.9 SYN Gateway (steps between Client, Firewall and Server: 1) SYN, 2) SYN/ACK, 3) ACK, 4) ACK, or 4) RST to the server)

■ Passive [...]

[...] attacks using the File Transfer Protocol (FTP). No options apply to the entire FTP category, and all other settings are under their individual categories.

NOTE: Security Server alerts (FTP, HTTP, and SMTP) are reported in the logs as coming from FW-1/VPN-1, instead of SmartDefense, because you are making changes to [...]
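Because Figure 11.9 survives only as step labels, here is an added example (mine, not code from the book or from Check Point) that models the SYN Gateway exchange as a small state machine. It assumes the behaviour described above: the firewall forwards the SYN and the SYN/ACK, answers the server's SYN/ACK with an ACK of its own (step 3) so the server's half-open entry becomes established, and then either passes the real client's ACK (step 4) or, if none arrives within a timeout, sends the server an RST. Addresses, the timeout value and the flood scenario are constructed; SYN Relay, in which the firewall completes the handshake itself before contacting the server, is not modelled.

```python
# Added example (not from the book or from Check Point): a discrete-event model of
# the SYN Gateway exchange in Figure 11.9. Flow keys, addresses and timeout are my own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str           # "SYN", "SYN/ACK", "ACK" or "RST"


class SynGateway:
    def __init__(self, timeout):
        self.timeout = timeout
        self.pending = {}        # (client, server) -> deadline for the client's ACK
        self.established = set()
        self.server_view = {}    # what the protected server believes about each flow

    def on_segment(self, seg, now):
        """Handle one segment reaching the firewall; return the segments it emits."""
        out = []
        if seg.flags == "SYN":                               # step 1: client -> server
            self.server_view[(seg.src, seg.dst)] = "half-open"
            out.append(seg)                                   # forwarded unchanged
        elif seg.flags == "SYN/ACK":                         # step 2: server -> client
            flow = (seg.dst, seg.src)
            if self.server_view.get(flow) != "half-open":
                return out                                    # unsolicited SYN/ACK: drop
            out.append(seg)                                   # forward to the client ...
            out.append(Segment(seg.dst, seg.src, "ACK"))      # step 3: ... and ACK on its behalf
            self.server_view[flow] = "established"            # server's backlog slot is free again
            self.pending[flow] = now + self.timeout
        elif seg.flags == "ACK":                             # step 4: the real client answers
            flow = (seg.src, seg.dst)
            if flow in self.pending:
                del self.pending[flow]
                self.established.add(flow)
                out.append(seg)
        return out

    def tick(self, now):
        """Step 4, other branch: clients that never answered get their server-side session reset."""
        out = []
        for flow, deadline in list(self.pending.items()):
            if now >= deadline:
                client, server = flow
                out.append(Segment(client, server, "RST"))    # RST towards the server
                self.server_view[flow] = "closed"
                del self.pending[flow]
        return out

    def half_open_at_server(self):
        return sum(1 for state in self.server_view.values() if state == "half-open")


def run_scenario(clients, answering, server="10.0.0.5", timeout=10):
    """Drive each client through a handshake; only those in `answering` send the final ACK.

    Returns (gateway, emitted segments). Constructed scenario, not captured traffic.
    """
    gw, log = SynGateway(timeout), []
    for c in clients:
        log += gw.on_segment(Segment(c, server, "SYN"), now=0)
        log += gw.on_segment(Segment(server, c, "SYN/ACK"), now=1)
    for c in clients:
        if c in answering:
            log += gw.on_segment(Segment(c, server, "ACK"), now=2)
    log += gw.tick(now=2 + timeout)
    return gw, log


if __name__ == "__main__":
    flood = ["192.0.2.%d" % i for i in range(1, 6)]
    gw, log = run_scenario(flood, answering={"192.0.2.1"})
    print("established:", sorted(gw.established))
    print("RSTs sent to server:", sum(1 for s in log if s.flags == "RST"))
    print("half-open at server after step 3:", gw.half_open_at_server())
```

The model shows why SYN Gateway helps and what it costs: the server never accumulates half-open connections (every SYN is converted to an established one by the firewall's ACK), but a flood now leaves the server with established sessions that carry no data until the firewall's timeout expires and it resets them, so the state has moved rather than disappeared.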
[...] commands are enabled, but you can easily disallow the use of a command by highlighting it in the allowed list and clicking Add. If you decide later that you want to move a command back into the accepted list, just highlight the command and click Remove.

Figure 11.17 Rules with Resources

NOTE: The Allowed FTP Commands [...]

[...] configured all gateways for anti-spoofing, the gateway list will be removed and you will see the message "Anti-spoofing configuration is set on all gateways."

Figure 11.4 Anti-Spoofing Not Configured on All Gateways
Figure 11.5 Anti-Spoofing Configured Correctly

If you are not using this feature on your firewall, an [...]

[...] for testing the security policy and verifying that you are protecting against these types of attacks. Port scanners like nmap can also tell you which ports are being filtered and which are not. This can tip you off to a problem in your rule base before an attacker finds and exploits the problem.

Figure 11.11 SYN Attack [...]

[...] HTTPS session, the update will fail.

Figure 11.2 Successful Update of SmartDefense
Figure 11.3 SmartDefense Already Up to Date

Anti-Spoofing Configuration Status

When an attacker is said to be spoofing packets, he is usually bypassing the standard TCP/IP stack of the OS and building packets with a source address that [...]
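The Allowed FTP Commands page described above (Figure 11.18, with Add moving a verb into the blocked list and Remove moving it back) is an allowed-list filter over the control channel. Here is an added example (mine, not code from the book or from Check Point) of that filter applied to constructed client commands. It assumes the RFC 959 verb set as the initial allowed list, treats verbs as case-insensitive as RFC 959 requires, and rejects lines that are not clean single CRLF-terminated commands, since a line with an embedded LF is a classic way to smuggle a second command past a filter that only looks at the first word.

```python
# Added example (not from the book or from Check Point): an allowed-list filter for
# FTP control-channel commands, modelling the Allowed FTP Commands page.
import re

# RFC 959 command verbs; the page's list starts with all of them allowed.
RFC959_COMMANDS = frozenset("""
USER PASS ACCT CWD CDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE RETR STOR STOU
APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD LIST NLST SITE SYST STAT HELP NOOP
""".split())

COMMAND_LINE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")   # verb, optional argument


class FtpCommandFilter:
    def __init__(self):
        self.allowed = set(RFC959_COMMANDS)
        self.blocked = set()

    def block(self, verb):
        """The page's Add button: move a verb from the allowed to the blocked list."""
        verb = verb.upper()
        if verb in self.allowed:
            self.allowed.remove(verb)
            self.blocked.add(verb)

    def unblock(self, verb):
        """The page's Remove button: move a verb back to the allowed list."""
        verb = verb.upper()
        if verb in self.blocked:
            self.blocked.remove(verb)
            self.allowed.add(verb)

    def check_line(self, raw):
        """Classify one raw control-channel line: allowed, blocked, unknown or malformed."""
        if not raw.endswith(b"\r\n") or len(raw) > 512:
            return ("malformed", None)
        try:
            text = raw[:-2].decode("ascii")
        except UnicodeDecodeError:
            return ("malformed", None)
        if any(c in text for c in "\r\n\x00"):      # embedded line break: two commands in one line
            return ("malformed", None)
        m = COMMAND_LINE.match(text)
        if not m:
            return ("malformed", None)
        verb = m.group(1).upper()                    # RFC 959: verbs are case-insensitive
        if verb in self.blocked:
            return ("blocked", verb)
        if verb not in self.allowed:
            return ("unknown", verb)                 # extensions such as XPWD: drop unless allowed
        return ("allowed", verb)

    def filter_session(self, lines):
        return [self.check_line(line) for line in lines]


# Constructed client-side control-channel session.
SAMPLE_SESSION = [
    b"user anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"SITE EXEC /bin/sh\r\n",
    b"RETR report.pdf\r\n",
    b"STOR payload.exe\r\n",
    b"DELE report.pdf\r\n",
    b"XPWD\r\n",
    b"RETR a\nDELE b\r\n",
]


def demo():
    """Policy for a download-only server: block SITE, STOR and DELE, then run the session."""
    f = FtpCommandFilter()
    for verb in ("SITE", "STOR", "DELE"):
        f.block(verb)
    return f.filter_session(SAMPLE_SESSION)


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_SESSION, demo()):
        print(line.rstrip(), "->", verdict)
```

Note that the filter says nothing about arguments: a blocked SITE is dropped outright, but an allowed PORT or RETR with a hostile argument passes, which is the territory of the "two other measures" the text says the FTP Security Server enables on its own.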
[...] out-of-state packet and drop it.

When the sequence verifier is enabled, you are given three different tracking options when deciding what sorts of problems you want to receive alerts/logs on. These options are shown in Figure 11.14 and include the following:
■ Every: This option will take the selected tracking option for [...]

[...] defined and the Perform Anti-Spoofing based on Interface Topology box is checked. You can quickly see if you have any gateways that are not performing anti-spoofing by looking at the icon next to Anti-Spoofing Configuration Status in the SmartDefense settings tree. The icon for the menu item will either be a red triangle with [...]

[...] respond to all connection requests passing through. This option was not available in FireWall-1 4.x, but was added to NG as a kernel-level process to keep delay to a minimum, although it will still add some amount of overhead. With the introduction of SmartDefense to FireWall-1 NG FP2, the SYNDefender functionality [...]

[...] connect to Check Point's site and download any attack signature updates that are available.

The [...]
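The anti-spoofing check that "Perform Anti-Spoofing based on Interface Topology" turns on, and the status view that lists gateways where it is not configured, are easy to state precisely. Here is an added example (mine, not code from the book or from Check Point) of both: a per-gateway interface topology, a check that a packet's source address belongs to the network behind the interface it arrived on, and a status function that reproduces the "configured on all gateways" decision. Interface names, networks, gateway names and sample packets are all constructed.

```python
# Added example (not from the book or from Check Point): an interface-topology
# anti-spoofing check and the gateway status view the text describes.
import ipaddress


class InterfaceTopology:
    """Per-gateway map of interface -> networks behind it ("external" marks the Internet side)."""

    def __init__(self, interfaces):
        self.nets = {}
        self.external = None
        for name, spec in interfaces.items():
            if spec == "external":
                self.external = name
            else:
                self.nets[name] = [ipaddress.ip_network(n) for n in spec]

    def expected_interface(self, src):
        """Interface on which a packet from `src` should legitimately arrive."""
        addr = ipaddress.ip_address(src)
        for name, nets in self.nets.items():
            if any(addr in net for net in nets):
                return name
        return self.external      # anything not behind an internal interface is outside

    def check(self, src, ingress):
        """Return ("accept", iface) or ("drop", iface), iface being the expected interface."""
        expected = self.expected_interface(src)
        return ("accept" if expected == ingress else "drop", expected)

    def audit(self, packets):
        """packets: iterable of (src, ingress); return the spoofed ones with the expected interface."""
        spoofed = []
        for src, ingress in packets:
            verdict, expected = self.check(src, ingress)
            if verdict == "drop":
                spoofed.append((src, ingress, expected))
        return spoofed


def antispoofing_status(gateways):
    """gateways: {name: {iface: networks | "external" | None}}; None = no topology defined.

    Returns the gateways with an interface lacking a topology, i.e. the red-triangle list;
    an empty list corresponds to "Anti-spoofing configuration is set on all gateways."
    """
    return sorted(name for name, ifaces in gateways.items()
                  if any(spec is None for spec in ifaces.values()))


# Constructed topology: two internal interfaces and one Internet-facing interface.
HQ_TOPOLOGY = InterfaceTopology({
    "eth0": ["10.1.0.0/16"],
    "eth1": ["10.2.0.0/16", "192.168.50.0/24"],
    "eth2": "external",
})

SAMPLE_PACKETS = [             # (source address, arrival interface)
    ("10.1.4.20", "eth0"),     # normal internal traffic
    ("10.1.4.20", "eth2"),     # internal address arriving from the Internet: spoofed
    ("198.51.100.7", "eth2"),  # normal Internet traffic
    ("203.0.113.9", "eth1"),   # Internet address arriving on an internal interface: spoofed
    ("192.168.50.3", "eth0"),  # wrong internal interface: spoofed or a routing error
]

SAMPLE_GATEWAYS = {
    "fw-hq": {"eth0": ["10.1.0.0/16"], "eth2": "external"},
    "fw-branch": {"eth0": None, "eth1": "external"},   # eth0 topology never defined
}

if __name__ == "__main__":
    for src, ingress, expected in HQ_TOPOLOGY.audit(SAMPLE_PACKETS):
        print("drop src=%s on %s (belongs behind %s)" % (src, ingress, expected))
    print("gateways without anti-spoofing:", antispoofing_status(SAMPLE_GATEWAYS))
```

The last sample packet is the case worth remembering when this feature starts dropping "valid" traffic: an address that is legitimately reachable behind one internal interface but arrives on another is indistinguishable from a spoof, so an incomplete or stale topology produces exactly the false positives the chapter warns about.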