| |
| |
| Foreword | |
| |
| |
| Preface | |
| |
| |
| |
| Introduction to FireWalls | |
| |
| |
| What is a Firewall? | |
| |
| |
| What a Firewall Cannot Do | |
| |
| |
| Overview of Firewall Security Technologies | |
| |
| |
| Packet Filters | |
| |
| |
| Application Proxies | |
| |
| |
| Stateful Inspection | |
| |
| |
| Technology Comparison: Passive FTP | |
| |
| |
| Technology Comparison: Traceroute | |
| |
| |
| What Kind of Firewall is FireWall-1? | |
| |
| |
| Do You Really Need FireWall-1? | |
| |
| |
| More Information | |
| |
| |
| |
| Planning your FireWall Installation | |
| |
| |
| Network Topology | |
| |
| |
| A Word about Subnetting | |
| |
| |
| Developing a Site-Wide Security Policy | |
| |
| |
| The What, Who, and How | |
| |
| |
| Implementing Firewalls Without a Written Security Policy | |
| |
| |
| An Example Security Policy | |
| |
| |
| Fun with Check Point Licensing | |
| |
| |
| Node-Limited Firewall Licenses | |
| |
| |
| Single Gateway Products | |
| |
| |
| Inspection Module | |
| |
| |
| FireWall-1 Host | |
| |
| |
| Management Console | |
| |
| |
| Motif GUI Licenses | |
| |
| |
| Small Office Products | |
| |
| |
| Getting Licenses | |
| |
| |
| Summary | |
| |
| |
| |
| Installing FireWall-1 | |
| |
| |
| Selecting an Operating System | |
| |
| |
| Windows NT | |
| |
| |
| Sparc Solaris | |
| |
| |
| x86 Solaris | |
| |
| |
| AIX and HPUX | |
| |
| |
| Nokia Security Platform (IPSO) | |
| |
| |
| Linux | |
| |
| |
| Installing the Operating System | |
| |
| |
| Preparing for the OS Installation | |
| |
| |
| Guidelines for OS Installation | |
| |
| |
| Securing the Operating System | |
| |
| |
| Installing FireWall-1 | |
| |
| |
| Unix-Based Systems | |
| |
| |
| Windows NT/2000 | |
| |
| |
| Summary | |
| |
| |
| |
| Building Your Rulebase | |
| |
| |
| The Management GUIs | |
| |
| |
| Configuring a Management User | |
| |
| |
| Configuring IPs to run the GUIs from | |
| |
| |
| What Files the GUI Modifies | |
| |
| |
| Security Policy Editor Restrictions | |
| |
| |
| GUI Demonstration Mode | |
| |
| |
| Rulebase Components.@AHEADS = Objects | |
| |
| |
| Anti-Spoofing | |
| |
| |
| Policy Properties | |
| |
| |
| Rules | |
| |
| |
| Order of Operations | |
| |
| |
| Making Your First Rulebase | |
| |
| |
| Knowing Your Network | |
| |
| |
| Defining Your Objects | |
| |
| |
| Determining Your Policy | |
| |
| |
| Rules That Should Be In Every Rulebase | |
| |
| |
| Installing the Policy | |
| |
| |
| Frequently Asked Questions | |
| |
| |
| |
| Logging and Alerting | |
| |
| |
| The System Status Viewer | |
| |
| |
| The Log Viewer | |
| |
| |
| Viewing Logs from the Command Line | |
| |
| |
| Active Mode and Blocking Connections | |
| |
| |
| Alerts | |
| |
| |
| Messages in the Log | |
| |
| |
| Log Maintenance | |
| |
| |
| |
| Remote Management | |
| |
| |
| The Components | |
| |
| |
| The Management GUIS | |
| |
| |
| Configuring a User | |
| |
| |
| Configuring IPs to run from | |
| |
| |
| What Files the GUIs Modify | |
| |
| |
| Security Policy Editor Restrictions | |
| |
| |
| GUI Demonstration Mode | |
| |
| |
| The Management Console to Firewall Module Connection | |
| |
| |
| control.map file | |
| |
| |
| How Do the Different Authentication Schemes Work? | |
| |
| |
| The fw putkey Command | |
| |
| |
| Establishing an Authenticated Control Connection | |
| |
| |
| Special Remote Management Conditions | |
| |
| |
| What Can You DO With Remote Management | |
| |
| |
| Control Policy on Firewall Module | |
| |
| |
| View State Tables of Firewall Modules | |
| |
| |
| Suspicious Activity Monitoring | |
| |
| |
| Updating Licenses | |
| |
| |
| Moving Management Consoles | |
| |
| |
| Moving a Firewall Module off the Management Console | |
| |
| |
| Moving the Management Console off a Firewall Module | |
| |
| |
| Troubleshooting Remote Management Issues | |
| |
| |
| GUI Issues | |
| |
| |
| Firewall/Management Module Issues | |
| |
| |
| Labs | |
| |
| |
| |
| Authentication | |
| |
| |
| Passwords | |
| |
| |
| FireWall-1 Password | |
| |
| |
| OS Password | |
| |
| |
| S/Key | |
| |
| |
| SecurID | |
| |
| |
| Axent Pathways Defender | |
| |
| |
| RADIUS | |
| |
| |
| TACACS/TACACS+ | |
| |
| |
| LDAP | |
| |
| |
| How Users Authenticate | |
| |
| |
| User Authentication | |
| |
| |
| Session Authentication | |
| |
| |
| Client Authentication | |
| |
| |
| Which Type Should You Choose? | |
| |
| |
| Setting Up Authentication | |
| |
| |
| Creating Users | |
| |
| |
| Setting Supported Authentication Schemes | |
| |
| |
| User Authentication | |
| |
| |
| Session Authentication | |
| |
| |
| Client Authentication | |
| |
| |
| Integrating External Authentication Servers | |
| |
| |
| FAQs | |
| |
| |
| Troubleshooting Authentication Issues | |
| |
| |
| |
| Content Security | |
| |
| |
| The Security Servers.@AHEADS = A Word About Licensing | |
| |
| |
| CVP and UFP | |
| |
| |
| Resources and Wildcards | |
| |
| |
| HTTP Security Server | |
| |
| |
| Filtering HTTP Without a UFP or CVP Server | |
| |
| |
| UFP with the HTTP Security Server | |
| |
| |
| CVP with the HTTP Security Server | |
| |
| |
| FTP Security Server | |
| |
| |
| SMTP Security Server.@AHEADS = $FWDIR/conf/smtp.conf | |
| |
| |
| SMTP Resources | |
| |
| |
| TCP Security Server | |
| |
| |
| Frequently Asked Questions | |
| |
| |
| General Security ServerQuestions | |
| |
| |
| FTP Security Server | |
| |
| |
| SMTP Security Server | |
| |
| |
| HTTP Security Server | |
| |
| |
| Performance Tuning for the Security Servers | |
| |
| |
| Troubleshooting Content Security Issues | |
| |
| |
| |
| Network Address Translation | |
| |
| |
| Introduction | |
| |
| |
| RFC-1918 | |
| |
| |
| How NAT Works in FireWall-1 | |
| |
| |
| Order of Operations | |
| |
| |
| Implementing NAT: A Step-by-Step Example | |
| |
| |
| Determine which IP addresses will be used | |
| |
| |
| Proxy ARPs | |
| |
| |
| Static Host Routes | |
| |
| |
| Network Objects | |
| |
| |
| Anti-Spoofing | |
| |
| |
| Security Policy Rules | |
| |
| |
| Address Translation Rules | |
| |
| |
| Limitations of NAT | |
| |
| |
| Dual NAT | |
| |
| |
| Binding the NATted IP Address to the Loopback Interface | |
| |
| |
| Troubleshooting | |
| |
| |
| ARPs | |
| |
| |
| SYN Packets with No Response | |
| |
| |
| SYN Followed by RST | |
| |
| |
| Summary | |
| |
| |
| |
| Encryption (Site-to-Site VPNs) | |
| |
| |
| Introduction to VPNs | |
| |
| |
| Concepts | |
| |
| |
| Encryption | |
| |
| |
| Encryption Key | |
| |
| |
| Symmetric Encryption | |
| |
| |
| Asymmetric Encryption | |
| |
| |
| Certificate Authority | |
| |
| |
| Diffe-Hellman | |
| |
| |
| Encryption Domain | |
| |
| |
| A Word About Licensing | |
| |
| |
| Supported Key Management and Encryption Schemes.@AHEADS = FWZ | |
| |
| |
| IPSec | |
| |
| |
| Manual IPSec | |
| |
| |
| SKIP | |
| |
| |
| IKE (ISAKMP/OAKLEY) | |
| |
| |
| How to Configure Encryption.@AHEADS = Planning Your Deployment | |
| |
| |
| IKE | |
| |
| |
| Manual IPSEC | |
| |
| |
| SKIP and FWZ | |
| |
| |
| Gateway Clusters and High Availability VPNs | |
| |
| |
| FAQs | |
| |
| |
| Troubleshooting VPN Problems | |
| |
| |
| Summary | |
| |
| |
| Labs | |
| |
| |
| Q and A | |
| |
| |
| |
| SecuRemote and Secure Client (Client to FireWall-1 VPNs) | |
| |
| |
| Introduction | |
| |
| |
| A Word About Licensing | |
| |
| |
| Steps to Configure SecuRemote on FireWall-1 | |
| |
| |
| Choosing an Encryption Scheme | |
| |
| |
| Configuring Firewall Object for SecuRemote | |
| |
| |
| Creating Users for use with SecuRemote | |
| |
| |
| Client Encryption Rules | |
| |
| |
| Desktop Security Options | |
| |
| |
| Installing Secure Client | |
| |
| |
| High Availability and Multiple-Entry Point Configurations | |
| |
| |
| Hybrid Authentication Mode for IKE | |
| |
| |
| FAQs | |
| |
| |
| Troubleshooting | |
| |
| |
| |
| High Availability | |
| |
| |
| What is High Availability | |
| |
| |
| State Synchronization | |
| |
| |
| HA Solutions | |
| |
| |
| Stonebeat | |
| |
| |
| Rainfinity | |
| |
| |
| Nokia | |
| |
| |
| Check Point''s HA Module | |
| |
| |
| Issues with High Availability | |
| |
| |
| Licensing | |
| |
| |
| Managing Multiple Firewalls | |
| |
| |
| Load Balancing | |
| |
| |
| Asymmetric Routing | |
| |
| |
| |
| Inspect | |
| |
| |
| What is INSPECT? | |
| |
| |
| Basic INSPECT Syntax | |
| |
| |
| Conditions | |
| |
| |
| Constants | |
| |
| |
| Registers | |
| |
| |
| Manipulating Table Entries | |
| |
| |
| Creating Your Own Tables | |
| |
| |
| How Your Rulebase is Turned into INSPECT | |
| |
| |
| Services of Type Other | |
| |
| |
| Sample | |