Register your product to gain access to bonus material or receive a coupon.
Essential Check Point Firewall-1â„¢: An Installation, Configuration, and Troubleshooting Guide
- By Dameon Welch-Abernathy
- Published Oct 23, 2001 by Addison-Wesley Professional.
Book
- Sorry, this book is no longer in print.
Description
- Copyright 2002
- Dimensions: 7-3/8x9-1/4
- Pages: 544
- Edition: 1st
- Book
- ISBN-10: 0-201-69950-8
- ISBN-13: 978-0-201-69950-0
“Dameon’s knowledge of FireWall-1, which in many cases has surpassed the knowledge of Check Point’s own engineers, hasalways impressed me. This book is yet another proof of Dameon’sdeep understanding of FireWall-1’s internals as well as itsimplementation methodologies. I strongly recommend this book to anyFireWall-1 user who wishes to master the product.”
—Nir Zuk,CTO, OneSecure, Inc. Formerly, Principal Engineer at Check PointSoftware
“This book is a fabulous resource for running FireWall-1reliably and securely. It’s the single best source ofinformation I’ve ever seen on how to map security and businessrequirements into FW-1 rules and configurations. The hordes of sampleconfigurations are the best way to demonstrate the advice andexplanations in practice. If you’re using FireWall-1, you needthis book.”
—Tina Bird, Security Architect at CounterpaneInternetSecurity and moderator of the Virtual Private Networks mailinglist
“FireWall-1 is a critical security application, more widelyused than any other by far, that relies on proper configuration andusage to be effective. Dameon’s book can be counted as thedefinitive reference—required reading for anyone using CheckPoint’s FireWall-1 security software.”
—Kelly Robertson,Senior Sales Engineering Manager for Nokia InternetCommunications
Packed with practical, hands-on techniques, thisinsider’s guide explains how to build, implement, and maintainthe world’s best-selling firewall product, Check PointFireWall-1. Featuring tools, tips, and checklists not found in othersources, the book brings manageability, reliability, and efficiency totoday’s standalone or distributed networks.
Essential Check Point FireWall-1™ coversevery major feature of the product providing working solutions toreal-world situations. Filled with screen shots and sampleconfigurations, the book features step-by-step instructions that canbe replicated on standard equipment easily. Developed through years ofactual product support, this guidebook is an invaluable resource fornetwork professionals working on UNIX or Windows NT platforms.
Key coverage includes:
Authoritative andpractical, this comprehensive guidebook provides real-world solutionsand techniques necessary for planning, installing, and deploying theworld’s leading firewall product.
0201699508B10172001
Extras
Related Articles
Getting Your Check Point Firewall-1 Certifications
Author's Site
Click below for Author's Site related to this title:
Author's Web Site
Sample Content
Online Sample Chapters
Fun With Check Point Licensing
Downloadable Sample Chapter
Click below for Sample Chapter related to this title:
welchch09.pdf
Table of Contents
Foreword.
Preface.
1. Introduction to FireWalls.
What is a Firewall?
What a Firewall Cannot Do.
Overview of Firewall Security Technologies.
Packet Filters.
Application Proxies.
Stateful Inspection.
Technology Comparison: Passive FTP.
Technology Comparison: Traceroute.
What Kind of Firewall is FireWall-1?
Do You Really Need FireWall-1?
More Information.
2. Planning your FireWall Installation.
Network Topology.
A Word about Subnetting.
Developing a Site-Wide Security Policy.
The What, Who, and How.
Implementing Firewalls Without a Written Security Policy.
An Example Security Policy.
Fun with Check Point Licensing.
Node-Limited Firewall Licenses.
Single Gateway Products.
Inspection Module.
FireWall-1 Host.
Management Console.
Motif GUI Licenses.
Small Office Products.
Getting Licenses.
Summary.
3. Installing FireWall-1.
Selecting an Operating System.
Windows NT.
Sparc Solaris.
x86 Solaris.
AIX and HPUX.
Nokia Security Platform (IPSO).
Linux.
Installing the Operating System.
Preparing for the OS Installation.
Guidelines for OS Installation.
Securing the Operating System.
Installing FireWall-1.
Unix-Based Systems.
Windows NT/2000.
Summary.
4. Building Your Rulebase.
The Management GUIs.
Configuring a Management User.
Configuring IPs to run the GUIs from.
What Files the GUI Modifies.
Security Policy Editor Restrictions.
GUI Demonstration Mode.
Rulebase Components.@AHEADS = Objects.
Anti-Spoofing.
Policy Properties.
Rules.
Order of Operations.
Making Your First Rulebase.
Knowing Your Network.
Defining Your Objects.
Determining Your Policy.
Rules That Should Be In Every Rulebase.
Installing the Policy.
Frequently Asked Questions.
5. Logging and Alerting.
The System Status Viewer.
The Log Viewer.
Viewing Logs from the Command Line.
Active Mode and Blocking Connections.
Alerts.
Messages in the Log.
Log Maintenance.
6. Remote Management.
The Components.
The Management GUIS.
Configuring a User.
Configuring IPs to run from.
What Files the GUIs Modify.
Security Policy Editor Restrictions.
GUI Demonstration Mode.
The Management Console to Firewall Module Connection.
control.map file.
How Do the Different Authentication Schemes Work?
The fw putkey Command.
Establishing an Authenticated Control Connection.
Special Remote Management Conditions.
What Can You DO With Remote Management.
Control Policy on Firewall Module.
View State Tables of Firewall Modules.
Suspicious Activity Monitoring.
Updating Licenses.
Moving Management Consoles.
Moving a Firewall Module off the Management Console.
Moving the Management Console off a Firewall Module.
Troubleshooting Remote Management Issues.
GUI Issues.
Firewall/Management Module Issues.
Labs.
7. Authentication.
Passwords.
FireWall-1 Password.
OS Password.
S/Key.
SecurID.
Axent Pathways Defender.
RADIUS.
TACACS / TACACS+.
LDAP.
How Users Authenticate.
User Authentication.
Session Authentication.
Client Authentication.
Which Type Should You Choose?
Setting Up Authentication.
Creating Users.
Setting Supported Authentication Schemes.
User Authentication.
Session Authentication.
Client Authentication.
Integrating External Authentication Servers.
FAQs.
Troubleshooting Authentication Issues.
8. Content Security.
The Security Servers.@AHEADS = A Word About Licensing.
CVP and UFP.
Resources and Wildcards.
HTTP Security Server.
Filtering HTTP Without a UFP or CVP Server.
UFP with the HTTP Security Server.
CVP with the HTTP Security Server.
FTP Security Server.
SMTP Security Server.@AHEADS = $FWDIR/conf/smtp.conf.
SMTP Resources.
TCP Security Server.
Frequently Asked Questions.
General Security ServerQuestions.
FTP Security Server.
SMTP Security Server.
HTTP Security Server.
Performance Tuning for the Security Servers.
Troubleshooting Content Security Issues.
9. Network Address Translation.
Introduction.
RFC-1918.
How NAT Works in FireWall-1.
Order of Operations.
Implementing NAT: A Step-by-Step Example.
Determine which IP addresses will be used.
Proxy ARPs.
Static Host Routes.
Network Objects.
Anti-Spoofing.
Security Policy Rules.
Address Translation Rules.
Limitations of NAT.
Dual NAT.
Binding the NATted IP Address to the Loopback Interface.
Troubleshooting.
ARPs.
SYN Packets with No Response.
SYN Followed by RST.
Summary.
10. Encryption (Site-to-Site VPNs).
Introduction to VPNs.
Concepts.
Encryption.
Encryption Key.
Symmetric Encryption.
Asymmetric Encryption.
Certificate Authority.
Diffe-Hellman.
Encryption Domain..
A Word About Licensing.
Supported Key Management and Encryption Schemes.@AHEADS = FWZ.
IPSec.
Manual IPSec.
SKIP.
IKE (ISAKMP/OAKLEY).
How to Configure Encryption.@AHEADS = Planning Your Deployment.
IKE.
Manual IPSEC.
SKIP and FWZ.
Gateway Clusters and High Availability VPNs.
FAQs.
Troubleshooting VPN Problems.
Summary.
Labs.
Q and A.
11. SecuRemote and Secure Client (Client to FireWall-1 VPNs).
Introduction.
A Word About Licensing.
Steps to Configure SecuRemote on FireWall-1.
Choosing an Encryption Scheme.
Configuring Firewall Object for SecuRemote.
Creating Users for use with SecuRemote.
Client Encryption Rules.
Desktop Security Options.
Installing Secure Client.
High Availability and Multiple-Entry Point Configurations.
Hybrid Authentication Mode for IKE.
FAQs.
Troubleshooting.
12. High Availability.
What is High Availability.
State Synchronization.
HA Solutions.
Stonebeat.
Rainfinity.
Nokia.
Check Point's HA Module.
Issues with High Availability.
Licensing.
Managing Multiple Firewalls.
Load Balancing.
Asymmetric Routing.
13. Inspect.
What is INSPECT?
Basic INSPECT Syntax.
Conditions.
Constants.
Registers.
Manipulating Table Entries.
Creating Your Own Tables.
How Your Rulebase is Turned into INSPECT.
Services of Type Other.
Sample INSPECT Code.
Allowing Outbound Connections to a SecuRemote Client.
PPTP.
Allowing a Connection Based on a Previous Connection.
HTTP.
Ping and Traceroute.
Default filter.
fw monitor.
Appendix A: Securing Your Bastion Host.
Appendix B: firewall-1.conf File for Use with OpenLDAP v1.
Appendix C: firewall1.schema File for Use with OpenLDAP v2.
Appendix D: Complete Program for Stateful Inspection of HTTP.
Appendix E: Complete Program for Stateful Inspection of Ping and Traceroute.
Appendix F: NSPECT Script for Different Policies on Different Interfaces.
Appendix G: Sample defaultfilter.pf file.
Appendix H: Sample Internet Usage Policy.
Appendix I: Performance Tuning.
Appendix J: Other Resources.
Appendix K: Further Reading.
Index. 0201699508T05222001
Preface
Every book has to have a chapter that explains it. This book is no exception. By the end of the Preface, you should know:
How This Book Came to Be
In 1996, I began to support Check Point FireWall-1. Things were quite different back then. FireWall-1 was a much simpler product, Check Point did not have much of a support department, and there were really no public resources on FireWall-1 aside from a mailing list. My employer at the time had a little known Web site that had many frequently asked questions (FAQ) on FireWall-1. This Web site was the impetus that helped to create PhoneBoy’s FireWall-1 FAQ, which I started in April 1998.Because of my Web site and my participation on the FireWall-1 mailing list, I became well known and respected in the FireWall-1 community. My FAQ page was and still is considered one of the definitive resources on FireWall-1. Even people within Check Point use my page, and they also send me corrections from time to time.
Several people had approached me about the idea of writing a book on the topic of FireWall-1. Such a project seemed rather large, and I was unsure of my ability to tackle it alone. It was little more than an idea until Lance Spitzner approached me to be a coauthor on a book on FireWall-1. Sensing the scope of such a project, I brought in Jerald Josephs, who was also well known in the FireWall-1 community, and in June 1999, we began to write.
Somewhere in the middle of this project, it came to pass that I was the only person left working on this book. The details why are not important, but it was not part of the original plan. My life had changed dramatically with the birth of my son, Jaden, especially the amount of time I could spend on this project. However, I felt I had come too far not to finish; so with a little more determination, I set about the task of finishing this book.
What This Book Is and Is Not
What you are holding in your hands now is a book about Check Point FireWall-1. It covers the essentials of the product. Each chapter discusses a major feature of the product or a specific topic that will help you plan for your FireWall-1 installation. You get step-by-step configuration instructions for many features in FireWall-1 complete with screen shots and several sample configurations that you can try. The book also includes lots of information from my FireWall-1 FAQ.Although I do cover most features in FireWall-1, not every feature of FireWall-1 is covered in this text. Those features I have chosen to cover are based on my experience as someone who has supported this product since 1996. Other peripheral topics, like encryption and network security, are covered briefly as they relate to FireWall-1, but are not covered in great detail. I feel that other authors do a better job of covering these topics.
A summary of the chapters in this book follows. Note that where sample configurations are said to exist in a chapter, it means there are step-by-step examples that you can follow to set up your own equipment, provided you have it.
Thanks To:
Dameon D. Welch-Abernathy
a.k.a. PhoneBoy
dwelch@phoneboy.com
PGP Fingerprint: 72A2 8D9D BDC0 98D2 1E5D 3A2D 09D0 A5C1 597F 5D2A
July 2001
0201699508P10162001
Index
AAccount names, securing hosts, Windows NT platform,
462–463
Accounting mode, Log Viewer, 107
ACEswitch and
ACEdirector (Alteon/Nortel Networks), 422
Action, element of rules,
74–75
Active mode, Log Viewer, 107–111
Address range
network objects, rulebases, 64
AIX
platform
FireWall-1 installation,
35–41
hostid-based licensing,
20
log switching,
117
OSs, installing,
31
OSs, securing,
33
OSs, selecting,
23
OSs, selecting,
advantages/disadvantages, 26–27
state
tables, memory usage, 497
Alerts
Log and
Alert tab, Rulebase Properties,
111–113
viewing in System Status
Viewer, 99–101
Alteon/Nortel Networks ACEswitch and
ACEdirector, 422
Anti-spoofing, Policy
Editor
NAT,
284
rulebases, 68–69
Application
proxies
security technology type,
3–4
versus passive FTP,
5
versus traceroute tool, 7
ARPs,
NAT (Network Address Translation), 280–283,
291–292
Asymmetric encryption, 314–315
Asymmetric
routing, High-Availability, 420–421
Authentication
process
authentication schemes,
124–125
authentication schemes,
changing, 145–147
Axent Pathways
Defender servers, integration,
184–185
Axent Pathways Defender
servers, passwords, 156–157
basics,
121
Client Authentication,
162–165
Client Authentication,
sample, 215–217
Client
Authentication, setup,
180–183
controlled connections
between firewall modules and management consoles,
126–132
FAQs,
194–204
fw putkey command,
125–126
$FWDIR/lib/control.map file,
121–124
integrating external servers,
183–194
LDAP servers, integration,
188–194
LDAP servers, passwords,
158
passwords, FireWall-1 Password schemes,
154
passwords, One-Time Password (OTP)
schemes, 154
passwords, operating system
(OS) schemes, 154
passwords, seed
passwords, 124
passwords, skey schemes,
154–155
RADIUS servers, integration,
185–187
RADIUS servers, passwords,
157
remote management, troubleshooting,
138–141
SecurID servers, integration,
184
SecurID servers, passwords,
156
selecting type of authentication,
166
Session Authentication,
161–162
Session Authentication,
sample, 213–214
Session
Authentication, setup, 179–180
setup,
basics, 166
setup, creating users,
167–173
TACACS/TACACS+ servers,
integration, 187–188
TACACS/TACACS+
servers, passwords,
157–158
troubleshooting,
204–210
types of authentication,
supported in control.map file,
123–124
User Authentication,
158–161
User Authentication, order of
rules, 178–179
User Authentication,
sample, 210–213
User Authentication,
setup, 174–177
Automatic Update option, System Status Viewer,
101–102
Axent Pathways Defender
servers
authentication process,
integration, 184–185
authentication
process, passwords, 156–157
BBackward Compatibility
module, Windows NT platform, 41–42
Books, resources,
507
CCAs (Certificate Authorities), defined,
315
Certificate keys, FireWall-1 licenses, 20
Check
Point
High Availability Module,
422
Check Point (cont.)
licensing,
17–18
licensing, client-to-site VPNs,
366–367
licensing, node-limited
licenses, 18–19
licensing, obtaining
licenses, 20–21
licensing, remote
management, firewall modules,
134–135
licensing, site-to-site VPNs,
316–317
licensing, third-party
products, 219–220
removing banner
from authentication process, 199
Client
Authentication
basics,
162–165
sample,
215–217
setup, 166–171,
180–183
Client-to-site VPNs (Virtual Private
Networks)
basics,
365–366
configuration, client
encryption rules,
371–372
configuration, creating
users, 369–371
configuration, desktop
security, 373–375
configuration, HA
(High-Availability),
379–380
configuration, IP Pool NAT,
379–381
configuration, multiple entry
points, 379–382
configuration, of
firewall workstation object,
368–369
configuration, sample,
Gateway Clusters,
406–409
configuration, sample,
multiple entry points,
409–413
configuration, sample, simple
client-to-site VPNs,
402–406
configuration, selecting
encryption scheme, 367–368
FAQs,
386–396
IKE Hybrid Authentication
mode, 382–384
installation,
376–379
licensing with FireWall-1,
366–367
Microsoft networking,
384–386
troubleshooting,
396–402
Command line
Log Viewer
actions, 109–111
remote management,
controlling policies from firewall module,
132–133
remote management, updating
licenses, 134–135
remote management,
viewing state tables of firewall modules,
133–134
system status,
102–103
viewing logs,
106–107
Comment, element of rules, 75
Content
Security
CVP, basics,
220–221
CVP, resources,
221
CVP, wildcards,
221
FTP Security Server, basics,
242–244
FTP Security Server, FAQs,
244–246
FTP Security Server, sample
configuration, 263–266
HTTP Security
Server, FAQs, 231–234
HTTP Security
Server, performance tuning,
234–240
HTTP Security Server, sample
configuration, 266–270
More Information
Other Things You Might Like
Security in Computing Pearson uCertify Course and Labs Access Code Card, Sixth Edition, 6th Edition
- Book $119.00
- Online Video $239.99