1 YEAR UPGRADE BUYER PROTECTION PLAN

Check Point NG
Next Generation Security Administration

• Bonus Coverage of CCSA NG Exam 156-210 Objectives
• Additional CCSA Self-Assessment Questions Available for Free Download
• Free Spoofing Chapter by Dan “Effugas” Kaminsky, World-Renowned Cryptography Expert

Drew Simonis CISSP, CCSE
Corey S. Pincock CISSP, CCSA
Daniel Kligerman CCSE
Doug Maxwell CCSI
Cherie Amon CCSI, Technical Editor
Allen Keele CCSI, Technical Reviewer

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs.
And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” and “Ask the Author UPDATE®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” “Hack Proofing™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Check Point Next Generation Security Administration

Copyright © 2002 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 1-928994-74-1

Technical Editor: Cherie Amon
Technical Reviewer: Allen Keele
Acquisitions Editor: Jonathan E. Babcock
Copy Editor: Janet Zunkel
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier
Indexer: Nara Wood

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Bill Getz, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, and David Dahl of Publishers Group West for sharing their incredible marketing experience and expertise.
Jacquie Shanahan and AnnHelen Lindeholm of Elsevier Science for making certain that our vision remains worldwide in scope.

Annabel Dent and Paul Barry of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

Contributors

Drew Simonis (CISSP, CCNA, SCSA, SCNA, CCSA, CCSE, IBM CS) is a Senior Security Engineer with the RL Phillips Group, LLC, where he provides senior level security consulting to the United States Navy, working on large enterprise networks. Drew is a security generalist, with a strong background in system administration, Internet application development, intrusion detection and prevention, and penetration testing. He is a co-author of Hack Proofing Your Web Applications (Syngress Publishing, ISBN: 1-928994-31-8) and Hack Proofing Sun Solaris 8 (Syngress, ISBN: 1-928994-44-X). Drew’s background includes various consulting positions with Fiderus, serving as a Security Architect with AT&T and as a Technical Team Lead with IBM. Drew has a bachelor’s degree from the University of South Florida and is also a member of American MENSA. He lives in Suffolk, Virginia with his wife, Kym and daughters, Cailyn and Delany.
He would like to pay special thanks to Travis Corson and Ron Ostrenga for helping him break into the industry.

Daniel Kligerman (CCSA, CCSE, Extreme Networks GSE, LE) is a Consulting Analyst with TELUS. As a member of TELUS Enterprise Solutions Inc., he specializes in routing, switching, load balancing, and network security in an Internet hosting environment. A University of Toronto graduate, Daniel holds an honors bachelor of science degree in computer science, statistics, and English. Daniel currently resides in Toronto, Canada, and would like to thank Robert, Anne, Lorne, and Merita for their support.

Corey S. Pincock (CISSP, MCSE, GSEC, MCDBA, CCSA, CCNA) is the Senior Information Security Architect for CastleGarde in Tampa, Florida. As an expert in the information security aspects of Gramm-Leach-Bliley and HIPAA, Corey consults with financial and healthcare organizations on a national level to implement information security programs that include policy development, risk assessments, security infrastructure design, implementation, training, and monitoring. Other specialties include firewall assessments and audits, Windows 2000, and cryptography. Corey’s background includes positions as a Network Administrator for CommerceQuest, Systems Engineer for MicroAge, and Senior Instructor for Certified Tech Trainers. Corey holds a bachelor’s degree from the University of Washington and is a member of ISSA. Corey lives in Tampa, Florida with his wife and two daughters. He would like to thank his wife, Shelly for encouraging him to be his best, and Allen Keele of Certified Tech Trainers.

Dan “Effugas” Kaminsky (CISSP) worked for two years at Cisco Systems designing security infrastructure for large-scale network monitoring systems.
Dan has delivered presentations at several major industry conferences including Linuxworld, DEF CON, and the Black Hat Briefings, and he also contributes actively to OpenSSH, one of the more significant cryptographic systems in use today. Dan founded the cross-disciplinary DoxPara Research (www.doxpara.com) in 1997, seeking to integrate psychological and technological theory to create more effective systems for non-ideal but very real environments in the field. He is based in Silicon Valley, presently studying Operation and Management of Information Systems at Santa Clara University in California. Dan is also a co-author of the best-selling Hack Proofing Your Network (Syngress Publishing, ISBN: 1-928994-70-9).

Jeff Vince (CCSA, CCSE) is a security consultant in Waterloo, Ontario where he specializes in secure network architecture and firewall configuration for medium- to large-scale network installations. His specialties focus on security products ranging from anti-virus software to intrusion detection and enterprise security management software running on the Microsoft Windows and Linux platforms. In addition to normal client consulting work, Jeff has—as part of a team of security professionals—performed successful attack and penetration tests on networks owned by companies ranging from major financial institutions and broadband service providers to smaller software development companies. Working as both an outsider trying to break in and as a security manager responsible for securing corporate assets has given Jeff a unique perspective on network security. Applying this dual vision of security has allowed him to help clients build network infrastructure that provides the high availability and security required in today’s Internet environment.

Doug Maxwell (CCSI) is a Senior Network Engineer with Activis, Ltd. in East Hartford, Connecticut.
He currently works as a third-tier engineer in the technical support division, and is a certified Check Point instructor. His specialties include Unix network security and firewall network integration. Doug holds a bachelor of science degree in computer science from the University of Massachusetts at Amherst, and is a member of the Association for Computing Machinery (ACM), USENIX, and SAGE, the System Administrator’s Guild. He happily resides in Ellington, Connecticut with his wife and 1-year-old son.

Simon Desmeules (CCSE, ISS, MCSE+I, CNA) is an independent security perimeter specialist. He currently provides architectural design, technical consulting, and tactical emergency support for perimeter security technologies for several Fortune 1000 companies in Canada and the United States. Simon’s background includes positions as a Firewall / Intrusion Security Specialist for a pioneer of Canadian Security, Maxon Services, and their Managed Security clients. He is an active member of the FW-1, ISS & Snort mailing lists where he discovers new problems and consults with fellow security specialists.

Contents

[...]
VPN-1/FireWall-1 Next Generation
Introduction
Before You Begin
Obtaining Licenses
Securing the Host
Disabling Services
Routing and Network Interfaces
Enabling IP Forwarding
Configuring DNS
Preparing for VPN-1/FireWall-1 NG
Administrators
GUI Clients
Upgrading from a Previous Version
Installing Check Point VPN-1/FireWall-1 NG on Windows
Installing from CD
Configuring Check Point VPN-1/FireWall-1 NG on Windows
[...]
Configuring Check Point VPN-1/FireWall-1 NG on Solaris
Licenses
Administrators
GUI Clients
SNMP Extension
Group Permission
Certificate Authority Initialization
Installation Complete
Getting Back to Configuration
Uninstalling VPN-1 & FireWall-1
Uninstalling SVN Foundation
Uninstalling Management Clients
Installing Check Point VPN-1/FireWall-1 NG on Nokia
Installing the VPN-1/FireWall-1 NG Package
Upgrading [...]
Introduction to Check Point Next Generation
Introduction
Introducing the Check Point Next Generation Suite of Products
VPN-1/FireWall-1
Account Management (LDAP)
SecuRemote/Secure Client
Reporting Module
Check Point High Availability (CPHA)
UserAuthority
FloodGate-1
Meta IP
Understanding VPN-1/FireWall-1 SVN Components
VPN-1/FireWall-1 Management Module
Central Management of VPN-1/FireWall-1 Modules
SecureUpdate [...]
Configuring NG for Performance
Administering NG for Performance
Monitoring NG for Performance
Platform Specific Tools
Performance Conclusion
Administering Check Point VPN-1/FireWall-1 NG for Effectiveness
Quality Control
Patches and Updates
Policy Administration
Managing Multiple Policies
Editing Files
Managing Firewall Logs
Log Rotations
Log Maintenance
Administering Check Point VPN-1/FireWall-1 NG for [...]
Getting Back to Configuration
Uninstalling Check Point VPN-1/FireWall-1 NG on Windows
Uninstalling VPN-1 & FireWall-1
Uninstalling SVN Foundation
Uninstalling Management Clients
Installing Check Point VPN-1/FireWall-1 NG on Solaris
View Selection
Installing [...]

[...] Senior Network Security Engineer and Security Instructor for Integralis. She is a Check Point Certified Security Instructor and has been installing, configuring, and supporting Check Point products since 1997. Cherie teaches the Check Point courses at the Integralis Authorized Training Center (ATC) in East Hartford, Connecticut, which is the only Check Point ATC in the state. Prior to working at Integralis, [...]
[...] and Contributor
Check Point Certified Security Professional: CCSA, CCSE, CCSI
Senior Network Security Engineer/Security Instructor, Activis/Integralis

—Drew Simonis, Contributing Author
Check Point Certified Security Professional: CCSA, CCSE
Senior Security Engineer, RL Phillips Group, LLC

Chapter 1

Introduction to Check Point Next Generation

Solutions in this chapter:

■ Introducing the Check Point Next Generation Suite of Products
■ Understanding VPN-1/FireWall-1 SVN Components
■ Looking at Firewall Technology

Summary
Solutions Fast Track
Frequently Asked Questions

Introduction

The Check Point Next Generation suite of products provides [...] mentions the Check Point name, is VPN-1/FireWall-1. The VPN-1 and FireWall-1 products are designed to prevent unauthorized access to or from the networks connected to the firewall, based on the rules defined by the security manager. VPN-1/FireWall-1 uses a set of rules to create a Security Policy. This [...] of VPN-1/FireWall-1 in a little more detail. You will learn the difference between proxy firewalls, packet filtering firewalls, and the technology that Check Point Next Generation uses, called Stateful Inspection. You will become familiar with the inspection engine, which is the nuts and bolts of the software, and learn how it analyzes traffic going through the firewall.

Introducing the Check Point Next Generation [...]