259_Chkpt_VPN_FM_4-11.qxd 4/10/03 12:19 PM Page i

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Check Point NG VPN-1/FireWall-1™ Advanced Configuration and Troubleshooting

Jim Noble CCSI, CISSP, Technical Editor
Doug Maxwell CCSI, NSA
Kyle X. Hourihan NSA
Robert Stephens CCSI, CISSP
Barry J. Stiefel CCSI, CISSP
Cherie Amon CCSI
Chris Tobkin CCSI

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  YV4PK9H7G3
002  TKXD37T6CVF
003  8J9HF5TBAA
004  Z2BMQUH89Y
005  U8MPT3L33T
006  HAXXR54ES6
007  G8D4EPQLUK
008  EJ69BKMRD7
009  579KP7V6FH
010  TRCA7UM39Z

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Check Point NG VPN-1/FireWall-1 Advanced Configuration and Troubleshooting
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

ISBN: 1-931836-97-3

Technical Editors: Jim Noble, Doug Maxwell, Victor Chang
Technical Reviewer: Kyle X. Hourihan
Acquisitions Editor: Jonathan Babcock
Cover Designer: Michael Kavish
Page Layout and Art by: Shannon Tozier and Patricia Lupien
Copy Editors: Darlene Bordwell, Darren Meiss
Indexer: Rich Carlson

Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Kristin Keith, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss, for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Contributors

Cherie Amon (CCSI, CCSA, CCSE, NSA) is technical editor of and contributor to the best-selling Check Point Next Generation Security Administration (Syngress Publishing, ISBN: 1-928994-74-1), as well as the Nokia Network Security Solutions Handbook (Syngress, ISBN: 1-931836-70-1). Cherie is a Senior Professional Security Engineer at Integralis, a systems integrator specializing in IT and e-commerce security solutions. She is both a Check Point and Nokia Certified Security Instructor and has been installing, configuring, and supporting Check Point products since 1997. Cherie currently provides third-tier technical support to Integralis clients and acts as Technical Lead for many managed firewall accounts. Cherie is a member of USENIX and SAGE.

Chris Tobkin (CCSI, CCSE+, CCSE, CCSA, MCP) has over eight years of security-related experience in a wide range of products and technologies. Chris is currently employed as a Security Engineer for Check Point Software Technologies, Ltd. His career began in programming C, C++, and Perl. While studying for his MIS degree, his job at the University of Minnesota included systems and network administration, and later, database administration and project management. His interest in security was recognized and applied to each of these areas. Chris later moved on to a security services company where he was able to hone his skills in social engineering, penetration testing, firewalling, policy development, intrusion detection, and teaching courses in security, including Check Point.

Simon Coffey (CCSI, CCSA, CCSE) is a support consultant based in the Integralis European Support Centre in Reading, United Kingdom. Integralis is one of Europe’s leading specialists in the IT security market. Simon has many years’ experience providing support, training, and installation services for security products, specializing in Check Point solutions and Nokia firewall appliances. He is also a member of the Theale Volunteer Networking Group, a local forum for discussing current real-world issues.

Robert Stephens (CISSP, CCSI, NSI, NSA-IAM) is a Senior Security Consultant with VigilantMinds, where he provides enterprise security assessments and penetration services, along with engineering services, for managed Check Point VPN-1/FireWall-1 solutions for VigilantMinds clients. Prior to this he was the Technical Lead for Check Point and Nokia training and courseware development with VeriSign. Robert holds a bachelor’s degree in Criminology from the University of Pittsburgh and a master’s degree in Management Information Systems from Duquesne University.

Barry J. Stiefel (CISSP, CCSI, MCSE, CCSA, CCSE, CCNA, A+), co-author of the best-selling Next Generation Check Point Certified Security Administrator, is the founder of Information Engine, Inc., a San Francisco security training and consulting firm (www.Information-Engine.com). Previously, he was the Founding Manager of Information Systems at Galileo Technology, an instructor at the University of California, and President of the Windows NT Engineering Association. Barry has developed and teaches the only independent Check Point FireWall-1 training course and is developing CPUG.org, the Check Point User Group. Barry has earned a Bachelor of Science as well as a Master of Business Administration. In his lab, he has more firewalls and routers than he needs, but not as many as he wants.

Yinal Ozkan (CISSP, CCSE) is a Senior Security Engineer at Integralis. He currently provides low-level troubleshooting support for enterprise-level customers. Yinal is a strategic contributor for large-scale deployment projects and security awareness implementation initiatives. His specialties include smart cards, financial systems security, and network security systems. He enjoys focusing on financial sector clients. Yinal holds a bachelor’s degree from Istanbul Technical University, and is a member of the ISSA and ISACA. Yinal lives in Manchester, CT.

Thorsten Behrens (CCSE, CCNA, CNE-5, CNE-4) is a Senior Security Engineer with Integralis. Thorsten provides technical expertise to all of Integralis’ Managed Security Services and Support clients. He is responsible for complete client satisfaction on a technical and support level for clients, and is a leading member of the Integralis QA team. Thorsten’s specialties include Check Point FireWall-1, Cisco PIX and routers, network design and troubleshooting, and communications infrastructure (including Frame Relay, ISDN, and ATM). Thorsten is a German national who currently resides in Springfield, MA with his family, Christopher, Amberlea, and Caitlin.

Kurt Falde (MCSE, MCSA, MCP, CCSE, CCSA, A+) is the Senior Systems Engineer for INFO1 Holding Company, Inc., located in Atlanta, GA. Kurt is responsible for maintaining the corporate Active Directory network and the Check Point Firewall structures throughout the company’s multiple sites. He provides direction, implementation, and troubleshooting for the numerous VPNs that the company maintains for business-to-business connectivity. He is currently engaged in managing the merging of several new sites into the corporate Active Directory network as well as the security infrastructure. Kurt has spent the last nine years working in the IT industry. His enthusiasm for using computers, however, goes back about fifteen years. Kurt holds a bachelor’s degree in Mechanical Engineering from Pensacola Christian College. Kurt currently lives in Sugarhill, GA with his wife, Tara, and their cat, Mr. Kitty.

Daniel Kligerman (CCSA, CCSE, Extreme Networks GSE, LE) is a Consulting Analyst with TELUS Enterprise Solutions Inc., where he specializes in routing, switching, load balancing, and network security in an Internet hosting environment. Daniel is a contributing author for Check Point Next Generation Security Administration (Syngress Publishing, ISBN: 1-928994-74-1). A University of Toronto graduate, Daniel holds an honors Bachelor of Science degree in Computer Science, Statistics, and English. Daniel currently resides in Toronto, Canada. He would like to thank Robert, Anne, Lorne, and Merita for their support.