Document information
Pages: 64
Size: 2.85 MB

Contents
Performance Pack • Chapter 13 481

The platform selection guide is, again, edifying as to the expected performance of different SecurePlatform-based machines. The “basic” SecurePlatform is identified as a Celeron or Duron processor, 256MB RAM, one 32-bit/33MHz PCI bus with standard 10/100 network interfaces. The throughput of this configuration is given as 200Mbps. Next up is the “midrange” SecurePlatform, which sports a Pentium or Athlon CPU, 512MB of RAM, two Intel Pro/1000 network interfaces, and 64-bit/66MHz PCI buses. Throughput is stated as 1Gbps+. Lastly is the “high performance” SecurePlatform, with dual Xeon or Athlon MP processors, 1GB of RAM, four Intel Pro/1000 network interfaces, and four separate PCI-X buses. The stated throughput here is 3Gbps+.

The importance of the I/O bus for raw TCP/UDP throughput cannot be overstated, as this example shows: a dual Xeon 1.7 GHz machine, 1GB RAM, two independent 64-bit/66MHz PCI buses: 1.7Gbps. A dual Xeon 2.2 GHz machine, 1GB RAM, four independent PCI-X buses: 3.1Gbps. Comparing the raw CPU speeds, one would expect a performance increase to about 2Gbps, not 3Gbps. It is the I/O bus that is slowing the first configuration down.

That said, these throughput figures are large TCP streams without encryption. Read on for some qualifying statements about performance.

Performance Considerations

Keep in mind that 900Mbps+ (Solaris) or 3Gbps+ (SecurePlatform) is maximum FireWall-1 throughput using 1500-byte packets. Throughput is lower in a real-world situation. Look at some numbers: You can expect around 4 percent of your packet volume, which equals approximately 20 percent of your byte volume, to come from these 1500-byte packets. About a third of the packets are dataless ACKs (40 bytes), with maybe another fourth coming from 552-byte packets. The median packet size is about 256 bytes; a good 85 percent of all “streams” are under 1KB in length.
Now throw encryption (VPN-1) into the picture, and your performance drops dramatically from the quoted 900Mbps+ or 3Gbps+.

We’d love to give you real figures. Unfortunately, we can’t—not for a high-performance Sun Solaris platform. We can make some educated guesses, however. We’d expect a raw FW-1 throughput, with real-world traffic, on the order of 600Mbps to 700Mbps. VPN-1 throughput is hard to estimate. Judging from what other platforms achieve, 30Mbps to 50Mbps seems reasonable.

For SecurePlatform, Check Point states it offers 710Mbps encrypted throughput using AES-128 on a high-performance platform. Clearly, then, when encryption comes into play, the field is leveled between a platform with four PCI-X buses and a platform with two PCI 64-bit/66MHz buses. Playing our guessing game again, we would expect between 2.3Gbps and 2.5Gbps throughput with real-world traffic and between 200Mbps and 250Mbps VPN-1 throughput.

www.syngress.com 259_ChkPt_VPN_13.qxd 4/3/03 1:38 PM Page 481

We hasten to say that these are guesstimates, based on other platforms for which we have performance data. Nothing will replace a real RFC2544 performance graph. Insist on this information when you shop for a FireWall-1/VPN-1 platform.

An area of performance that we have never seen graphed is throughput while using security servers. Security servers are the most performance-eating application you can run on your firewall. For this reason, they are not usually deployed on a firewall that has been specified for maximum throughput. If, however, you do use security servers, and you are hurting for performance, give Performance Pack serious consideration. It does accelerate security servers. This will be even truer, we expect, in the upcoming FP4 and later releases, since Check Point has moved certain security server functions into kernel streams, and Performance Pack does accelerate kernel streams in FP4.
Installing Performance Pack on Solaris 8

You can install Performance Pack NG FP3 on Solaris 8 with minimal downtime for your firewall. You do not have to halt the VPN-1/FireWall-1 processes to perform the installation, although established streams might break when enabling Performance Pack and will have to be reestablished. This could change with future releases. Be sure to read the Release Notes to find out whether installation requirements have changed. You might have to reboot.

There are two methods of installation. You can use the FireWall-1 Comprehensive Install package, or you can add the Performance Pack package using pkgadd.

Prerequisites

You need root privileges for the installation of Performance Pack. If you are not already logged in as root, become root by typing su -.

Performance Pack requires the same Solaris patch level as VPN-1/FireWall-1 NG. As of FP3, all needed patches are included in Sun’s 8_Recommended patch cluster. In the unlikely case that you have not updated your 8_Recommended patch cluster when you installed or upgraded to FireWall-1 NG FP3, you should do so now.

If you use the Solaris FireWall-1 wrapper install, you also need about 130MB of free space on one of your partitions to hold the installation files—around 60MB for the compressed wrapper file and another 70MB for the uncompressed files and space during installation. Allow for more space during installation if you install Performance Pack at the same time you install VPN-1/FireWall-1.
Installation Using the Solaris Comprehensive Install Package

You can install Performance Pack with the help of the UnixInstallScript that Check Point provides with its Solaris VPN-1/FireWall-1 Comprehensive Install or wrapper package. The UnixInstallScript contained in that package lets you add Performance Pack to a system that already has VPN-1/FireWall-1 NG installed. You may also use it to install Performance Pack at the same time that you install VPN-1/FireWall-1 NG.

Since Check Point recommends using the wrapper install over installing individual packages, this is the preferred method of installing Performance Pack. If disk space is at an absolute premium, you might instead want to try the individual package install, covered in the “Installation as a Separate Package” section. Or invest in a bigger hard drive.

Unpack the solaris_wrapper.tgz file into a directory with sufficient free space. Then start the install by typing ./UnixInstallScript. Continue through the first few pages and the License Agreement until you come to the Product Selection Screen, shown in Figure 13.1. Choose Performance Pack, then Next. Verify that you have correctly chosen Performance Pack, then choose Next again. The script will now install Performance Pack and finish with a screen that informs you of what you need to do to activate the newly installed software.

Let’s activate Performance Pack now. Log out and then back in again as user root. Next, type cpconfig. You will see an option to enable or disable Check Point SecureXL. This choice determines the default state of Performance Pack after boot: acceleration on (enabled) or off (disabled). You can always manually enable or disable SecureXL through the command line while FireWall-1 is running. Next, type cpstart. This command starts SecureXL, if you selected it as enabled in cpconfig, and fetches policy so that acceleration is enabled.
Figure 13.1 Product Selection Screen with Performance Pack Selected

In the output of cpstart, you expect to see a line telling you that the SecureXL device has been enabled:

# cpstart
cpstart: Start product - SVN Foundation
SVN Foundation: cpWatchDog already running
SVN Foundation: cpd already running
SVN Foundation started
cpstart: Start product - FireWall-1
FireWall-1: starting external VPN module OK
FireWall-1: Starting fwd
FireWall-1: Starting fwm (SmartCenter Server)
SecureXL device is enabled
Installing Security Policy Standard on all.all@syngress-fw
Fetching Security Policy from localhost succeeded
FireWall-1 started

If you desire, you can now clean up the installation files by removing the solaris2 directory, the wrappers directory, and the UnixInstallScript and ReadmeUnix.txt files.

Installation as a Separate Package

This method of installation needs considerably less temporary disk space than the wrapper install. About 10MB of free space will be plenty, plus another 2.5MB on /opt.

To install Performance Pack, first unpack the package’s .TGZ file. The NG FP3 Performance Pack installation package unpacks into a directory called CPppak-53. The Check Point instructions tell you to use pkgadd -d CPppak-53 to install the package. If you attempt this, you will get an error message telling you that no package was found. Instead, while in the parent directory of CPppak-53, type pkgadd -d . and then choose to install CPppak-53. Answer y to the next two questions. CPppak-53 will install and warn you to reboot. If you are presented with a prompt to install CPppak-53 once again, break out of it by typing q.

Contrary to what the postinstall script tells you, you do not need to reboot to activate Performance Pack NG FP3. Follow the same steps as after a wrapper install of Performance Pack NG FP3. Execute cpconfig and enable SecureXL.
Exit the cpconfig utility and type cpstart to fetch policy and enable acceleration.

If you are installing a later release of Performance Pack NG, read the Release Notes to see whether installation requirements have changed.

Uninstalling Performance Pack

You can uninstall Performance Pack NG FP3 without any downtime to your firewall—not even a glitch in traffic. Do, however, see the Tools & Traps sidebar for a vital warning about a possible system crash during uninstall with FP3.

To uninstall, first execute fwaccel off, then remove the package with the command pkgrm CPppak-53. For future Feature Packs, the name of the package will change accordingly. The FP4 package will likely be named CPppak-54. When in doubt, use pkginfo to see the names of all installed packages.

When you uninstall this way, the SecureXL module might remain in memory until the next reboot, although acceleration is no longer possible. If you desire a clean uninstall, you will have to reboot.

Should you be tempted to manually remove the fwaccel binary that the uninstallation script seemingly left behind, we advise against it. Fwaccel is actually part of the FireWall-1 package proper, not of Performance Pack.

Tools & Traps…

Crash and Burn

The uninstallation script for Performance Pack NG FP3 does not perform an fwaccel off command as its first step. As a result, your firewall will crash, and crash hard, if you attempt to remove the CPppak-53 package without turning acceleration off first. This is true even if you cpstop the firewall first. It will crash on the subsequent cpstart if acceleration was not turned off.

In our testing, the server rebooted into single-user mode and needed minor console intervention (an fsck -y followed by a reboot) to come back up again. Now imagine that we had done this work remotely, without an out-of-band console connection.

Always turn acceleration off first before uninstalling. It is likely that future Feature Packs will sport a more forgiving uninstallation routine. Still, better to be safe than sorry.

Installing Performance Pack on SecurePlatform

SecurePlatform installs Performance Pack by default. Unless you expressly deselected it, Performance Pack has been installed for you. You may install Performance Pack as an individual package if you opted out of its installation during initial installation of SecurePlatform.

Prerequisites

You have to be in expert mode to install the Performance Pack package. Expert mode is what Check Point calls the root shell in SecurePlatform. Because you are going to install an rpm package, you need a root shell.

Installing the rpm Package

Unpack the contents of the Performance Pack package into a temporary directory. Execute the command rpm -i CPppak-50-03.i386.rpm to install Performance Pack NG FP3. After installation, use cpconfig to enable SecureXL if you want acceleration to be enabled by default; then execute cpstart to start acceleration.

Command-Line Options for Performance Pack

Because Performance Pack, or more precisely the SecureXL driver, gets “in the way” of interface-level changes to the host machine, we need a way to stop and start Performance Pack at will. The ability to stop Performance Pack is also useful in troubleshooting; it enables you to narrow a problem to “no, it is not caused by Performance Pack” or “yes, it is caused by Performance Pack.” Lastly, you might want to see what goes on “under the hood” or change some of the settings of Performance Pack. This is where the command line comes in.

Stopping and Starting SecureXL

You can determine whether acceleration should be on by default with the help of the cpconfig utility.
It offers an option to enable or disable Check Point SecureXL. While FireWall-1 is running, you can also switch acceleration on or off from the command line:

■ fwaccel on Turn acceleration on while FireWall-1 is running.
■ fwaccel off Turn acceleration off while FireWall-1 is running.

Checking the Status of SecureXL

You can get the current status of SecureXL by typing fwaccel stat. This command shows you whether acceleration is enabled and whether Connection Templates are currently being used:

# fwaccel stat
Status : on
Templates : enabled
Accelerator Features Mask : 0x0006f167

To see the number of connections SecureXL currently accelerates, type the command fwaccel conns -s. You will see two connections per TCP stream there, one for each direction. To see more detail about the connections, such as source and destination addresses and ports and the physical interfaces the accelerated traffic passes through, use fwaccel conns or fwaccel conns -m <max_entries>. The latter form limits the maximum number of connections shown to <max_entries>.

You can also filter the connections shown using fwaccel conns -f <flags>. You can use one or more of these flags:

F/f - forwarded to firewall/cut-through
U/u - unidirectional/bidirectional connections
N/n - entries with/without NAT
A/a - accounted/not accounted
C/c - encrypted/not encrypted

On SecurePlatform only, there are two more ways to gain some status information about SecureXL. To view the affinity settings of all interfaces—that is, a list of interfaces and the processors that handle each interface on a multiprocessor system—use sim -l. To view a list of currently generated Connection Templates, use sim tab templates.
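The checks described in this section, together with the "turn acceleration off before pkgrm" rule from the uninstall section above, are easy to script so that an operator does not have to eyeball command output under pressure. The following is an added example, not code from the book or from Check Point: POSIX shell helpers that read the Status and Templates fields of fwaccel stat output, confirm that cpstart reported "SecureXL device is enabled", and print the ordered commands of a safe uninstall (fwaccel off first whenever acceleration is on, abort on anything unrecognised). The sample outputs are constructed from the chapter's listings; the values "off" and "disabled", the default package name CPppak-53 taken from the text, and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the book): helpers for the SecureXL checks the chapter
# describes. The sample command outputs are constructed from the chapter's
# listings; on a real gateway you would feed the live output of cpstart and
# fwaccel stat into these functions instead.

# Print the value of the "Status" line of fwaccel stat output ("on"/"off").
fwaccel_status() {
    printf '%s\n' "$1" | awk -F: '$1 ~ /^Status/ { gsub(/ /, "", $2); print $2; exit }'
}

# Print the value of the "Templates" line ("enabled"/"disabled").
fwaccel_templates() {
    printf '%s\n' "$1" | awk -F: '$1 ~ /^Templates/ { gsub(/ /, "", $2); print $2; exit }'
}

# Succeed (exit 0) only if cpstart output contains the SecureXL enabled line.
cpstart_enabled_securexl() {
    printf '%s\n' "$1" | grep -q '^SecureXL device is enabled'
}

# Print the ordered commands a safe uninstall must run, given fwaccel stat
# output ($1) and the package name ($2, default CPppak-53 for NG FP3).
# Acceleration is switched off first whenever it is on; an unrecognised
# status aborts instead of guessing, because guessing wrong here crashes
# the firewall on the next cpstart (see the "Crash and Burn" sidebar).
safe_uninstall_plan() {
    pkg=${2:-CPppak-53}
    case "$(fwaccel_status "$1")" in
        on)  printf 'fwaccel off\nfwaccel stat\npkgrm %s\n' "$pkg" ;;
        off) printf 'fwaccel stat\npkgrm %s\n' "$pkg" ;;
        *)   printf 'ABORT: unrecognised SecureXL status, not uninstalling\n' >&2
             return 1 ;;
    esac
}

# Constructed sample outputs (the "on" sample mirrors the chapter's listing;
# the "off" sample is an assumed shape for a gateway with acceleration off).
SAMPLE_STAT_ON='Status : on
Templates : enabled
Accelerator Features Mask : 0x0006f167'

SAMPLE_STAT_OFF='Status : off
Templates : disabled
Accelerator Features Mask : 0x0006f167'

SAMPLE_CPSTART='cpstart: Start product - SVN Foundation
SVN Foundation started
cpstart: Start product - FireWall-1
FireWall-1: Starting fwd
SecureXL device is enabled
Fetching Security Policy from localhost succeeded
FireWall-1 started'

# Stand-alone demonstration on the constructed samples.
if cpstart_enabled_securexl "$SAMPLE_CPSTART"; then
    echo "cpstart output: SecureXL device enabled"
fi
echo "fwaccel stat: Status=$(fwaccel_status "$SAMPLE_STAT_ON") Templates=$(fwaccel_templates "$SAMPLE_STAT_ON")"
echo "uninstall plan while acceleration is on:"
safe_uninstall_plan "$SAMPLE_STAT_ON"
```

On a live Solaris gateway (as root, with the assumption that the real fwaccel stat output keeps the "Status : ..." shape shown in the chapter) you would review the plan with safe_uninstall_plan "$(fwaccel stat)" and only then run the printed commands one by one; the plan deliberately re-runs fwaccel stat after fwaccel off so the operator sees acceleration reported off before pkgrm is typed.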
To get a configuration overview or view general statistics, use cat /proc/ppk/conf, cat /proc/ppk/ifs, or cat /proc/ppk/statistics. The Performance Pack configuration is displayed if you view conf, the interfaces Performance Pack is bound to if you view ifs, and some general Performance Pack statistics are available through statistics.

Configuring SecureXL

A few aspects of SecureXL’s configuration can be controlled through the command line:

■ fwaccel -l <number> Limit the number of Connection Templates that SecureXL can generate.
■ fwaccel -l 0 Reset to defaults.

On SecurePlatform only, you can set the affinity of the network interface cards. Affinity determines which processors in a multiprocessor system handle that particular NIC:

■ sim -a Affinity is set automatically, according to the load on each interface. Retuning of the affinity happens every 60 seconds. This is the default mode.
■ sim -s Affinity is set manually. For each interface, you will be asked to either enter a space-separated list of processor numbers that will handle this interface or the keyword all, which will allow all processors to handle that interface.

Troubleshooting Performance Pack

Few areas of Performance Pack will need troubleshooting. Check Point has made Performance Pack a very simple product. It seamlessly improves the performance of FireWall-1/VPN-1, with very little configuration necessary. If you do suspect Performance Pack is causing trouble, turn it off using fwaccel off, then see whether your issue remains.

That being said, there is one area of Performance Pack that deserves a closer look: Connection Templates. Connection Templates improve the setup and teardown rate of connections that differ only by source port. A typical example is a Web server: One client will initiate many connections to the server in the course of one session. These connections differ by source port only.
Connection Templates will be generated only for simple TCP or UDP connections. Connection Templates are subject to a few restrictions:

■ If SYN Defender is enabled, Connection Templates will only be created for UDP connections.
■ Connection Templates will never be created for:
  ■ NAT connections
  ■ VPN connections
  ■ Complex connections such as H.323, FTP or SQL
  ■ Connections involving a security server

Connection Templates will be disabled completely if the Rule Base contains a rule containing one of the following:

■ Service(s) with a source port range
■ A time object
■ Dynamic objects and/or Domain objects
■ Services of type “other” with a match expression
■ Services of type RPC/DCERPC/DCOM

If your Rule Base contains a rule with one or more of the preceding factors, you will receive console and log messages telling you that Connection Templates have been disabled and identifying the restricted rules. To enable Connection Templates, you will have to either rewrite or delete those rules. To merely disable them is not sufficient.

Summary

Performance Pack, also called SecureXL, is a software solution to accelerate CPU-intensive FireWall-1/VPN-1 operations, including but not limited to setup and teardown of connections, encryption, authentication, accounting, and NAT. It is supported on Solaris and SecurePlatform, with support on Nokia IPSO planned in the near future. Performance Pack is an alternative to performance solutions found on other FireWall-1/VPN-1 platforms.

Care must be taken when working with the physical interfaces of the host platform; turn acceleration off before enabling, disabling, or changing an interface.

The ideal hardware platform for Performance Pack has multiple high-powered CPUs, multiple independent very fast I/O buses, and at least 1GB of memory.
Lower-specification hardware will still benefit from Performance Pack but will not reach the 3Gbps+ throughput on high-end hardware that Check Point states. Real-world throughput will be lower than the numbers quoted by Check Point, but by no means will it be low. Impressive figures of well over 2Gbps TCP throughput and over 600Mbps encrypted VPN throughput can be achieved.

Performance Pack can be installed with the Comprehensive Install package on Solaris and comes preinstalled by default on SecurePlatform. If so desired, it is possible to install Performance Pack as a separate package after initial system install.

Performance Pack is very easy to use, but its configuration options are limited. You can turn acceleration on and off, and you have some tools to optimize performance, particularly on multiprocessor systems. Session setup and teardown optimization through Connection Templates might require changes to your Rule Base to work.

Solutions Fast Track

How Performance Pack Works

■ Performance Pack accelerates CPU-intensive functions of FireWall-1/VPN-1. It does so by moving routines into “kernel space,” taking full advantage of the host OS and CPU it runs on, and using Connection Templates and other low-level techniques.
■ Performance Pack will very likely gain new functionality, such as the ability to accelerate security server connections, in future Feature Packs.

Installing Performance Pack

■ On Solaris, use the Comprehensive Install wrapper and choose Performance Pack as one of the products to install.
■ On SecurePlatform, Performance Pack is installed by default when you install FireWall-1/VPN-1.
■ Be careful when you uninstall Performance Pack on Solaris; turn acceleration off first.
Command-Line Options for Performance Pack

■ Acceleration can be turned on with fwaccel on and off with fwaccel off.
■ To get the status of Performance Pack, use fwaccel stat.
■ To see a list of accelerated connections, use fwaccel conns.
■ On SecurePlatform, the sim command can be used to control the processor affinity of individual NICs.

Troubleshooting Performance Pack

■ Connection Templates will be disabled if the Rule Base contains certain rules. These rules will have to be deleted, not just disabled, for Connection Templates to start functioning.
■ Disable Performance Pack using fwaccel off if you suspect it of causing problems.