Foreword
Preface

Introduction to FireWalls
What is a Firewall?
What a Firewall Cannot Do
Overview of Firewall Security Technologies
Packet Filters
Application Proxies
Stateful Inspection
Technology Comparison: Passive FTP
Technology Comparison: Traceroute
What Kind of Firewall is FireWall-1?
Do You Really Need FireWall-1?
More Information

Planning your FireWall Installation
Network Topology
A Word about Subnetting
Developing a Site-Wide Security Policy
The What, Who, and How
Implementing Firewalls Without a Written Security Policy
An Example Security Policy
Fun with Check Point Licensing
Node-Limited Firewall Licenses
Single Gateway Products
Inspection Module
FireWall-1 Host
Management Console
Motif GUI Licenses
Small Office Products
Getting Licenses
Summary

Installing FireWall-1
Selecting an Operating System
Windows NT
Sparc Solaris
x86 Solaris
AIX and HPUX
Nokia Security Platform (IPSO)
Linux
Installing the Operating System
Preparing for the OS Installation
Guidelines for OS Installation
Securing the Operating System
Installing FireWall-1
Unix-Based Systems
Windows NT/2000
Summary

Building Your Rulebase
The Management GUIs
Configuring a Management User
Configuring IPs to run the GUIs from
What Files the GUI Modifies
Security Policy Editor Restrictions
GUI Demonstration Mode
Rulebase Components
Objects
Anti-Spoofing
Policy Properties
Rules
Order of Operations
Making Your First Rulebase
Knowing Your Network
Defining Your Objects
Determining Your Policy
Rules That Should Be In Every Rulebase
Installing the Policy
Frequently Asked Questions

Logging and Alerting
The System Status Viewer
The Log Viewer
Viewing Logs from the Command Line
Active Mode and Blocking Connections
Alerts
Messages in the Log
Log Maintenance

Remote Management
The Components
The Management GUIs
Configuring a User
Configuring IPs to run from
What Files the GUIs Modify
Security Policy Editor Restrictions
GUI Demonstration Mode
The Management Console to Firewall Module Connection
control.map file
How Do the Different Authentication Schemes Work?
The fw putkey Command
Establishing an Authenticated Control Connection
Special Remote Management Conditions
What Can You Do With Remote Management
Control Policy on Firewall Module
View State Tables of Firewall Modules
Suspicious Activity Monitoring
Updating Licenses
Moving Management Consoles
Moving a Firewall Module off the Management Console
Moving the Management Console off a Firewall Module
Troubleshooting Remote Management Issues
GUI Issues
Firewall/Management Module Issues
Labs

Authentication
Passwords
FireWall-1 Password
OS Password
S/Key
SecurID
Axent Pathways Defender
RADIUS
TACACS/TACACS+
LDAP
How Users Authenticate
User Authentication
Session Authentication
Client Authentication
Which Type Should You Choose?
Setting Up Authentication
Creating Users
Setting Supported Authentication Schemes
User Authentication
Session Authentication
Client Authentication
Integrating External Authentication Servers
FAQs
Troubleshooting Authentication Issues

Content Security
The Security Servers
A Word About Licensing
CVP and UFP
Resources and Wildcards
HTTP Security Server
Filtering HTTP Without a UFP or CVP Server
UFP with the HTTP Security Server
CVP with the HTTP Security Server
FTP Security Server
SMTP Security Server
$FWDIR/conf/smtp.conf
SMTP Resources
TCP Security Server
Frequently Asked Questions
General Security Server Questions
FTP Security Server
SMTP Security Server
HTTP Security Server
Performance Tuning for the Security Servers
Troubleshooting Content Security Issues

Network Address Translation
Introduction
RFC-1918
How NAT Works in FireWall-1
Order of Operations
Implementing NAT: A Step-by-Step Example
Determine which IP addresses will be used
Proxy ARPs
Static Host Routes
Network Objects
Anti-Spoofing
Security Policy Rules
Address Translation Rules
Limitations of NAT
Dual NAT
Binding the NATted IP Address to the Loopback Interface
Troubleshooting
ARPs
SYN Packets with No Response
SYN Followed by RST
Summary

Encryption (Site-to-Site VPNs)
Introduction to VPNs
Concepts
Encryption
Encryption Key
Symmetric Encryption
Asymmetric Encryption
Certificate Authority
Diffie-Hellman
Encryption Domain
A Word About Licensing
Supported Key Management and Encryption Schemes
FWZ
IPSec
Manual IPSec
SKIP
IKE (ISAKMP/OAKLEY)
How to Configure Encryption
Planning Your Deployment
IKE
Manual IPSec
SKIP and FWZ
Gateway Clusters and High Availability VPNs
FAQs
Troubleshooting VPN Problems
Summary
Labs
Q and A

SecuRemote and Secure Client (Client to FireWall-1 VPNs)
Introduction
A Word About Licensing
Steps to Configure SecuRemote on FireWall-1
Choosing an Encryption Scheme
Configuring Firewall Object for SecuRemote
Creating Users for use with SecuRemote
Client Encryption Rules
Desktop Security Options
Installing Secure Client
High Availability and Multiple-Entry Point Configurations
Hybrid Authentication Mode for IKE
FAQs
Troubleshooting

High Availability
What is High Availability?
State Synchronization
HA Solutions
Stonebeat
Rainfinity
Nokia
Check Point's HA Module
Issues with High Availability
Licensing
Managing Multiple Firewalls
Load Balancing
Asymmetric Routing

Inspect
What is INSPECT?
Basic INSPECT Syntax
Conditions
Constants
Registers
Manipulating Table Entries
Creating Your Own Tables
How Your Rulebase is Turned into INSPECT
Services of Type Other
Sample