
Essential Check Point Firewall-1™: An Installation, Configuration, and Troubleshooting Guide



Description

  • Copyright 2002
  • Dimensions: 7-3/8x9-1/4
  • Pages: 544
  • Edition: 1st
  • Book
  • ISBN-10: 0-201-69950-8
  • ISBN-13: 978-0-201-69950-0

“Dameon’s knowledge of FireWall-1, which in many cases has surpassed the knowledge of Check Point’s own engineers, has always impressed me. This book is yet another proof of Dameon’s deep understanding of FireWall-1’s internals as well as its implementation methodologies. I strongly recommend this book to any FireWall-1 user who wishes to master the product.”
—Nir Zuk, CTO, OneSecure, Inc. Formerly, Principal Engineer at Check Point Software

“This book is a fabulous resource for running FireWall-1 reliably and securely. It’s the single best source of information I’ve ever seen on how to map security and business requirements into FW-1 rules and configurations. The hordes of sample configurations are the best way to demonstrate the advice and explanations in practice. If you’re using FireWall-1, you need this book.”
—Tina Bird, Security Architect at Counterpane Internet Security and moderator of the Virtual Private Networks mailing list

“FireWall-1 is a critical security application, more widely used than any other by far, that relies on proper configuration and usage to be effective. Dameon’s book can be counted as the definitive reference—required reading for anyone using Check Point’s FireWall-1 security software.”
—Kelly Robertson, Senior Sales Engineering Manager for Nokia Internet Communications


Packed with practical, hands-on techniques, this insider’s guide explains how to build, implement, and maintain the world’s best-selling firewall product, Check Point FireWall-1. Featuring tools, tips, and checklists not found in other sources, the book brings manageability, reliability, and efficiency to today’s standalone or distributed networks.

Essential Check Point FireWall-1 covers every major feature of the product, providing working solutions to real-world situations. Filled with screen shots and sample configurations, the book features step-by-step instructions that can be replicated easily on standard equipment. Developed through years of actual product support, this guidebook is an invaluable resource for network professionals working on UNIX or Windows NT platforms.

Key coverage includes:

  • Firewall overview; planning, installation, and deployment of firewall security
  • Building a rulebase and using the Policy Editor application
  • Logging and alerting
  • Managing multiple firewall modules from a single management console
  • Authentication and security issues
  • Address translation (NAT)—why it’s important and how it’s configured within FireWall-1
  • Encryption (site-to-site and client-to-site Virtual Private Networks)
  • INSPECT—an overview of the language at the heart of FireWall-1

    Authoritative and practical, this comprehensive guidebook provides the real-world solutions and techniques necessary for planning, installing, and deploying the world’s leading firewall product.





    Table of Contents



    Foreword.


    Preface.


    1. Introduction to FireWalls.

    What is a Firewall?

    What a Firewall Cannot Do.

    Overview of Firewall Security Technologies.

    Packet Filters.

    Application Proxies.

    Stateful Inspection.

    Technology Comparison: Passive FTP.

    Technology Comparison: Traceroute.

    What Kind of Firewall is FireWall-1?

    Do You Really Need FireWall-1?

    More Information.



    2. Planning your FireWall Installation.

    Network Topology.

    A Word about Subnetting.

    Developing a Site-Wide Security Policy.

    The What, Who, and How.

    Implementing Firewalls Without a Written Security Policy.

    An Example Security Policy.

    Fun with Check Point Licensing.

    Node-Limited Firewall Licenses.

    Single Gateway Products.

    Inspection Module.

    FireWall-1 Host.

    Management Console.

    Motif GUI Licenses.

    Small Office Products.

    Getting Licenses.

    Summary.



    3. Installing FireWall-1.

    Selecting an Operating System.

    Windows NT.

    Sparc Solaris.

    x86 Solaris.

    AIX and HPUX.

    Nokia Security Platform (IPSO).

    Linux.

    Installing the Operating System.

    Preparing for the OS Installation.

    Guidelines for OS Installation.

    Securing the Operating System.

    Installing FireWall-1.

    Unix-Based Systems.

    Windows NT/2000.

    Summary.



    4. Building Your Rulebase.

    The Management GUIs.

    Configuring a Management User.

    Configuring IPs to run the GUIs from.

    What Files the GUI Modifies.

    Security Policy Editor Restrictions.

    GUI Demonstration Mode.

    Rulebase Components.

    Objects.

    Anti-Spoofing.

    Policy Properties.

    Rules.

    Order of Operations.

    Making Your First Rulebase.

    Knowing Your Network.

    Defining Your Objects.

    Determining Your Policy.

    Rules That Should Be In Every Rulebase.

    Installing the Policy.

    Frequently Asked Questions.



    5. Logging and Alerting.

    The System Status Viewer.

    The Log Viewer.

    Viewing Logs from the Command Line.

    Active Mode and Blocking Connections.

    Alerts.

    Messages in the Log.

    Log Maintenance.



    6. Remote Management.

    The Components.

    The Management GUIs.

    Configuring a User.

    Configuring IPs to run from.

    What Files the GUIs Modify.

    Security Policy Editor Restrictions.

    GUI Demonstration Mode.

    The Management Console to Firewall Module Connection.

    control.map file.

    How Do the Different Authentication Schemes Work?

    The fw putkey Command.

    Establishing an Authenticated Control Connection.

    Special Remote Management Conditions.

    What Can You Do With Remote Management.

    Control Policy on Firewall Module.

    View State Tables of Firewall Modules.

    Suspicious Activity Monitoring.

    Updating Licenses.

    Moving Management Consoles.

    Moving a Firewall Module off the Management Console.

    Moving the Management Console off a Firewall Module.

    Troubleshooting Remote Management Issues.

    GUI Issues.

    Firewall/Management Module Issues.

    Labs.



    7. Authentication.

    Passwords.

    FireWall-1 Password.

    OS Password.

    S/Key.

    SecurID.

    Axent Pathways Defender.

    RADIUS.

    TACACS / TACACS+.

    LDAP.

    How Users Authenticate.

    User Authentication.

    Session Authentication.

    Client Authentication.

    Which Type Should You Choose?

    Setting Up Authentication.

    Creating Users.

    Setting Supported Authentication Schemes.

    User Authentication.

    Session Authentication.

    Client Authentication.

    Integrating External Authentication Servers.

    FAQs.

    Troubleshooting Authentication Issues.



    8. Content Security.

    The Security Servers.

    A Word About Licensing.

    CVP and UFP.

    Resources and Wildcards.

    HTTP Security Server.

    Filtering HTTP Without a UFP or CVP Server.

    UFP with the HTTP Security Server.

    CVP with the HTTP Security Server.

    FTP Security Server.

    SMTP Security Server.

    $FWDIR/conf/smtp.conf.

    SMTP Resources.

    TCP Security Server.

    Frequently Asked Questions.

    General Security ServerQuestions.

    FTP Security Server.

    SMTP Security Server.

    HTTP Security Server.

    Performance Tuning for the Security Servers.

    Troubleshooting Content Security Issues.



    9. Network Address Translation.

    Introduction.

    RFC-1918.

    How NAT Works in FireWall-1.

    Order of Operations.

    Implementing NAT: A Step-by-Step Example.

    Determine which IP addresses will be used.

    Proxy ARPs.

    Static Host Routes.

    Network Objects.

    Anti-Spoofing.

    Security Policy Rules.

    Address Translation Rules.

    Limitations of NAT.

    Dual NAT.

    Binding the NATted IP Address to the Loopback Interface.

    Troubleshooting.

    ARPs.

    SYN Packets with No Response.

    SYN Followed by RST.

    Summary.



    10. Encryption (Site-to-Site VPNs).

    Introduction to VPNs.

    Concepts.

    Encryption.

    Encryption Key.

    Symmetric Encryption.

    Asymmetric Encryption.

    Certificate Authority.

    Diffie-Hellman.

    Encryption Domain.

    A Word About Licensing.

    Supported Key Management and Encryption Schemes.

    FWZ.

    IPSec.

    Manual IPSec.

    SKIP.

    IKE (ISAKMP/OAKLEY).

    How to Configure Encryption.

    Planning Your Deployment.

    IKE.

    Manual IPSec.

    SKIP and FWZ.

    Gateway Clusters and High Availability VPNs.

    FAQs.

    Troubleshooting VPN Problems.

    Summary.

    Labs.

    Q and A.



    11. SecuRemote and Secure Client (Client to FireWall-1 VPNs).

    Introduction.

    A Word About Licensing.

    Steps to Configure SecuRemote on FireWall-1.

    Choosing an Encryption Scheme.

    Configuring Firewall Object for SecuRemote.

    Creating Users for use with SecuRemote.

    Client Encryption Rules.

    Desktop Security Options.

    Installing Secure Client.

    High Availability and Multiple-Entry Point Configurations.

    Hybrid Authentication Mode for IKE.

    FAQs.

    Troubleshooting.



    12. High Availability.

    What is High Availability.

    State Synchronization.

    HA Solutions.

    Stonebeat.

    Rainfinity.

    Nokia.

    Check Point's HA Module.

    Issues with High Availability.

    Licensing.

    Managing Multiple Firewalls.

    Load Balancing.

    Asymmetric Routing.



    13. Inspect.

    What is INSPECT?

    Basic INSPECT Syntax.

    Conditions.

    Constants.

    Registers.

    Manipulating Table Entries.

    Creating Your Own Tables.

    How Your Rulebase is Turned into INSPECT.

    Services of Type Other.

    Sample INSPECT Code.

    Allowing Outbound Connections to a SecuRemote Client.

    PPTP.

    Allowing a Connection Based on a Previous Connection.

    HTTP.

    Ping and Traceroute.

    Default filter.

    fw monitor.



    Appendix A: Securing Your Bastion Host.


    Appendix B: firewall-1.conf File for Use with OpenLDAP v1.


    Appendix C: firewall1.schema File for Use with OpenLDAP v2.


    Appendix D: Complete Program for Stateful Inspection of HTTP.


    Appendix E: Complete Program for Stateful Inspection of Ping and Traceroute.


    Appendix F: INSPECT Script for Different Policies on Different Interfaces.


    Appendix G: Sample defaultfilter.pf file.


    Appendix H: Sample Internet Usage Policy.


    Appendix I: Performance Tuning.


    Appendix J: Other Resources.


    Appendix K: Further Reading.


    Index.

    Preface

    Every book has to have a chapter that explains it. This book is no exception. By the end of the Preface, you should know:

  • How this book came to be
  • What this book is and is not
  • Why you should buy (or sell) this book
  • What typographical conventions are used in this book
  • Some of the people who made this book possible

    How This Book Came to Be

    In 1996, I began to support Check Point FireWall-1. Things were quite different back then. FireWall-1 was a much simpler product, Check Point did not have much of a support department, and there were really no public resources on FireWall-1 aside from a mailing list. My employer at the time had a little-known Web site that had many frequently asked questions (FAQ) on FireWall-1. This Web site was the impetus that helped to create PhoneBoy’s FireWall-1 FAQ, which I started in April 1998.

    Because of my Web site and my participation on the FireWall-1 mailing list, I became well known and respected in the FireWall-1 community. My FAQ page was and still is considered one of the definitive resources on FireWall-1. Even people within Check Point use my page, and they also send me corrections from time to time.

    Several people had approached me about the idea of writing a book on the topic of FireWall-1. Such a project seemed rather large, and I was unsure of my ability to tackle it alone. It was little more than an idea until Lance Spitzner approached me to be a coauthor on a book on FireWall-1. Sensing the scope of such a project, I brought in Jerald Josephs, who was also well known in the FireWall-1 community, and in June 1999, we began to write.

    Somewhere in the middle of this project, it came to pass that I was the only person left working on this book. The details why are not important, but it was not part of the original plan. My life had changed dramatically with the birth of my son, Jaden, especially the amount of time I could spend on this project. However, I felt I had come too far not to finish; so with a little more determination, I set about the task of finishing this book.

    What This Book Is and Is Not

    What you are holding in your hands now is a book about Check Point FireWall-1. It covers the essentials of the product. Each chapter discusses a major feature of the product or a specific topic that will help you plan for your FireWall-1 installation. You get step-by-step configuration instructions for many features in FireWall-1 complete with screen shots and several sample configurations that you can try. The book also includes lots of information from my FireWall-1 FAQ.

    Although I do cover most features in FireWall-1, not every feature of FireWall-1 is covered in this text. Those features I have chosen to cover are based on my experience as someone who has supported this product since 1996. Other peripheral topics, like encryption and network security, are covered briefly as they relate to FireWall-1, but are not covered in great detail. I feel that other authors do a better job of covering these topics.

    A summary of the chapters in this book follows. Note that where sample configurations are said to exist in a chapter, it means there are step-by-step examples that you can follow to set up your own equipment, provided you have it.

    Chapter 1: Introduction to Firewalls briefly discusses firewalls in general, the different technologies used in today’s firewalls, and how they are used in FireWall-1.

    Chapter 2: Planning Your Firewall Installation talks about the issues that should be considered prior to installing a firewall, such as understanding your current network topology, establishing a formalized security policy, and reviewing the various types of licenses that exist in FireWall-1.

    Chapter 3: Installing FireWall-1 walks you through the initial configuration of FireWall-1 when it is loaded for the first time. This chapter also covers the basics of preparing your system for a firewall installation.

    Chapter 4: Building Your Rulebase explains the basics of creating a security policy within FireWall-1 and includes how to use the Policy Editor application.

    Chapter 5: Logging and Alerts explains how logging and alerting works in FireWall-1. Details about how to use the Log Viewer and System Status Viewer applications are also provided.

    Chapter 6: Remote Management explains how to manage multiple firewall modules from a single management console. Sample configurations are provided in this chapter.

    Chapter 7: Authentication explains how you can provide access control for services based on individual users. Sample configurations are provided in this chapter.

    Chapter 8: Content Security explains how you can restrict the kind of content that enters or leaves your network via HTTP, FTP, and SMTP. Sample configurations are provided in this chapter.

    Chapter 9: Network Address Translation explains what NAT is, why it is a necessary evil, and how to configure NAT within FireWall-1. Sample configurations are provided in this chapter.

    Chapter 10: Site-to-Site VPNs explains what a Virtual Private Network (VPN) is and how to configure FireWall-1 to support this feature. Sample configurations are provided in this chapter.

    Chapter 11: SecuRemote and Secure Client builds on Chapter 10. It explains how to establish client-to-site VPNs using Check Point’s Windows-based VPN client called Secure Client, which is also known as SecuRemote. Sample configurations are provided in this chapter.

    Chapter 12: High Availability explains state synchronization and how it plays a role in High Availability firewalls. Also covered are the problems that arise when implementing multiple firewalls in parallel along with some ideas on how to overcome these problems.

    Chapter 13: INSPECT is an overview of the language that is the heart of Check Point’s FireWall-1. Several examples of working INSPECT code are provided in the chapter as well as in the appendices.

    The Appendices cover topics such as hardening an operating system, sample INSPECT code, performance tuning, recommended books, and Web sites on the Internet to obtain software and more information.

    Thanks To:

  • My wife, Alisa, and my son, Jaden, who put up with me spending far more time working on this book than any of us planned. If it were not for their patience, I would have never finished this book.
  • Lance Spitzner and Jerald Josephs, who played a big role in this book taking shape. If it were not for you two, I would not have even started this book in the first place.
  • Matthew Gast, for allowing me to commiserate with him as a fellow author, for motivation, and for reviewing the book.
  • Derin Mellor for providing me with several ideas that I used in Chapter 12.
  • Atul Sharma and Michael Williams for their help in fleshing out Chapter 13. Atul also provided a sample INSPECT script included in Appendix F.
  • My editors: Stephane Thomas, Marcy Barnes, and Anne Marie Walker.
  • My reviewers: Joe Balsama, Paul Keser, and Bob Bruen. Your reviews were invaluable to this process.
  • Folks at Nokia: Paul Esch, Matthew Gulbranson, John Spiller, Qian Zhao, John Kobara, Bo Chen, Ed Ingber, Claudio Basegra, Scott McComas, “Uncle” Kelly Robertson, and all the guys in TAC.
  • Folks at Check Point: Bob Bent, Luanne Lemmer, Oren Green, Patrick Plawner, Reut Sorek, Gilad Yadin, Gil Carman, Erica Ziemer, and Tiffany Shockley.
  • A bunch of people who I’m sure I’ve forgotten.
  • And finally, to the rest of you who have visited my Web site, contributed to the process, and kept me employable.

    Dameon D. Welch-Abernathy
    a.k.a. PhoneBoy
    dwelch@phoneboy.com
    PGP Fingerprint: 72A2 8D9D BDC0 98D2 1E5D 3A2D 09D0 A5C1 597F 5D2A
    July 2001




    Index


    A

    Account names, securing hosts, Windows NT platform, 462–463
    Accounting mode, Log Viewer, 107
    ACEswitch and ACEdirector (Alteon/Nortel Networks), 422
    Action, element of rules, 74–75
    Active mode, Log Viewer, 107–111
    Address range network objects, rulebases, 64
    AIX platform
        FireWall-1 installation, 35–41
        hostid-based licensing, 20
        log switching, 117
        OSs, installing, 31
        OSs, securing, 33
        OSs, selecting, 23
        OSs, selecting, advantages/disadvantages, 26–27
        state tables, memory usage, 497
    Alerts
        Log and Alert tab, Rulebase Properties, 111–113
        viewing in System Status Viewer, 99–101
    Alteon/Nortel Networks ACEswitch and ACEdirector, 422
    Anti-spoofing, Policy Editor
        NAT, 284
        rulebases, 68–69
    Application proxies
        security technology type, 3–4
        versus passive FTP, 5
        versus traceroute tool, 7
    ARPs, NAT (Network Address Translation), 280–283, 291–292
    Asymmetric encryption, 314–315
    Asymmetric routing, High-Availability, 420–421
    Authentication process
        authentication schemes, 124–125
        authentication schemes, changing, 145–147
        Axent Pathways Defender servers, integration, 184–185
        Axent Pathways Defender servers, passwords, 156–157
        basics, 121
        Client Authentication, 162–165
        Client Authentication, sample, 215–217
        Client Authentication, setup, 180–183
        controlled connections between firewall modules and management consoles, 126–132
        FAQs, 194–204
        fw putkey command, 125–126
        $FWDIR/lib/control.map file, 121–124
        integrating external servers, 183–194
        LDAP servers, integration, 188–194
        LDAP servers, passwords, 158
        passwords, FireWall-1 Password schemes, 154
        passwords, One-Time Password (OTP) schemes, 154
        passwords, operating system (OS) schemes, 154
        passwords, seed passwords, 124
        passwords, skey schemes, 154–155
        RADIUS servers, integration, 185–187
        RADIUS servers, passwords, 157
        remote management, troubleshooting, 138–141
        SecurID servers, integration, 184
        SecurID servers, passwords, 156
        selecting type of authentication, 166
        Session Authentication, 161–162
        Session Authentication, sample, 213–214
        Session Authentication, setup, 179–180
        setup, basics, 166
        setup, creating users, 167–173
        TACACS/TACACS+ servers, integration, 187–188
        TACACS/TACACS+ servers, passwords, 157–158
        troubleshooting, 204–210
        types of authentication, supported in control.map file, 123–124
        User Authentication, 158–161
        User Authentication, order of rules, 178–179
        User Authentication, sample, 210–213
        User Authentication, setup, 174–177
    Automatic Update option, System Status Viewer, 101–102
    Axent Pathways Defender servers
        authentication process, integration, 184–185
        authentication process, passwords, 156–157

    B

    Backward Compatibility module, Windows NT platform, 41–42
    Books, resources, 507

    C

    CAs (Certificate Authorities), defined, 315
    Certificate keys, FireWall-1 licenses, 20
    Check Point
        High Availability Module, 422
        licensing, 17–18
        licensing, client-to-site VPNs, 366–367
        licensing, node-limited licenses, 18–19
        licensing, obtaining licenses, 20–21
        licensing, remote management, firewall modules, 134–135
        licensing, site-to-site VPNs, 316–317
        licensing, third-party products, 219–220
        removing banner from authentication process, 199
    Client Authentication
        basics, 162–165
        sample, 215–217
        setup, 166–171, 180–183
    Client-to-site VPNs (Virtual Private Networks)
        basics, 365–366
        configuration, client encryption rules, 371–372
        configuration, creating users, 369–371
        configuration, desktop security, 373–375
        configuration, HA (High-Availability), 379–380
        configuration, IP Pool NAT, 379–381
        configuration, multiple entry points, 379–382
        configuration, of firewall workstation object, 368–369
        configuration, sample, Gateway Clusters, 406–409
        configuration, sample, multiple entry points, 409–413
        configuration, sample, simple client-to-site VPNs, 402–406
        configuration, selecting encryption scheme, 367–368
        FAQs, 386–396
        IKE Hybrid Authentication mode, 382–384
        installation, 376–379
        licensing with FireWall-1, 366–367
        Microsoft networking, 384–386
        troubleshooting, 396–402
    Command line
        Log Viewer actions, 109–111
        remote management, controlling policies from firewall module, 132–133
        remote management, updating licenses, 134–135
        remote management, viewing state tables of firewall modules, 133–134
        system status, 102–103
        viewing logs, 106–107
    Comment, element of rules, 75
    Content Security
        CVP, basics, 220–221
        CVP, resources, 221
        CVP, wildcards, 221
        FTP Security Server, basics, 242–244
        FTP Security Server, FAQs, 244–246
        FTP Security Server, sample configuration, 263–266
        HTTP Security Server, FAQs, 231–234
        HTTP Security Server, performance tuning, 234–240
        HTTP Security Server, sample configuration, 266–270