
Syngress the best damn firewall book period 2nd edition nov 2007 ISBN 1597492183 pdf



Thorsten Behrens
Brian Browne
Ralph Bonnell
Rob Cameron
Simon Desmeules
Adrian F. Dimcev
Eli Faskha
Stephen Horvath

Daniel Kligerman
Kevin Lynn
Steve Moffat
Thomas W. Shinder, MD
Debra Littlejohn Shinder
Michael Sweeney
Kenneth Tam
Stephen Watkins




Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is
sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other
incidental or consequential damages arising out from the Work or its contents. Because some states do not
allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation
may not apply to you.


You should always use reasonable care, including backup and other appropriate precautions, when working
with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition
of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think
Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are
trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
The Best Damn Firewall Book Period, Second Edition

Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as
permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written
permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 13: 978-1-59749-218-8
Publisher: Andrew Williams
Page Layout and Art: SPi
Copy Editor: Judy Eby
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director
and Rights, at Syngress Publishing; email





Contributing Authors
Thorsten Behrens (CCMSE, CCSE+, CCNA, CNE) is a Senior Security
Engineer with Integralis’ Managed Security Services Team. Thorsten’s
specialties include Check Point FireWall-1, Cisco PIX, and ISS RealSecure.
Thorsten is a German national who delights his neighbors in Springfield,
MA with bagpipe practice sessions.
Brian Browne (CISSP) is the Principal Consultant with Edoxa, Inc., and
provides both strategic and technical information security consulting. He
has 14 years of experience in the field of information security and is skilled
in all phases, from security management through hands-on implementation.
His specific security experience includes Sarbanes-Oxley and HIPAA gap
analysis and remediation, vulnerability assessments, network security, firewall
architecture, virtual private networks (VPN), UNIX security, Windows Active
Directory security, and public key infrastructure (PKI). He also conducts
application performance assessments and network capacity planning using
Opnet IT Guru. Brian resides in Willow Grove, PA with his wife Lisa and
daughter Marisa.
Ralph Bonnell (CISSP, Linux LPIC-2, Check Point CCSI, Check Point
CCSE+, Cisco CCNA, Microsoft MCSE: Security, RSA Security RSA/
CSE, StoneSoft CSFE, Aladdin eSCE, CipherTrust PCIA, ArcSight ACIA,
SurfControl STAR, McAfee MIPS-I, McAfee MIPS-E, Network Associates
SCP, Blue Coat BSPE, Sygate SSEI, Sygate SSEP, Aventail ACP, Radware
CRIE) is a Senior Information Security Consultant currently employed
at SiegeWorks in Seattle, WA. Ralph has been working with Check Point
products professionally since 1999. His primary responsibilities include the
deployment of various network security products, network security product
support, and product training. His specialties include Check Point and

NetScreen deployments, Linux client and server deployments, Check Point
training, firewall clustering, BASH scripting, and PHP Web programming.
Ralph contributed to Configuring Netscreen Firewalls (Syngress Publishing,
ISBN: 1-932266-39-9). Ralph also runs a Linux consulting firm called
Linux Friendly. Ralph is married to his beautiful wife, Candace. In memory
of Vincent Sage Bonnell.
Rob Cameron (CCSA, CCSE, CCSE+, NSA, JNCIA-FWV, CCSP,
CCNA, INFOSEC, RSA SecurID CSE) is an IT consultant who has worked with
over 200 companies to provide network security planning and implementation
services. He has spent the last five years focusing on network infrastructure
and extranet security. His strengths include Juniper’s NetScreen Firewall
products, NetScreen SSL VPN Solutions, Check Point Firewalls, the Nokia
IP appliance series, Linux, Cisco routers, Cisco switches, and Cisco PIX
firewalls. Rob strongly appreciates his wife Kristen’s constant support of his
career endeavors. He wants to thank her for all of her support through
this project.
Simon Desmeules (CCSI, ISS, RSA, CCNA, CNA) is the Technical Security
Director of AVANCE Network Services, an Assystem company with more
than 8,500 employees worldwide. AVANCE is located in Montreal, Canada.
His responsibilities include architectural design, technical consulting, and
tactical emergency support for perimeter security technologies for several
Fortune 500 companies in Canada, France, and the United States. Simon
has been delivering Check Point training for the past three years throughout
Canada. His background includes positions as a firewall/intrusion security
specialist for pioneer firms of Canadian Security, Maxon Services, and SINC.
He is an active member of the FW-1, ISS, and Snort mailing lists where he
discovers new problems and consults with fellow security specialists. Simon

has worked with Syngress before while contributing to Check Point Next
Generation Security Administration (Syngress, ISBN: 1-928994-74-1) and
Check Point Next Generation with Application Intelligence Security Administration
(Syngress, ISBN: 1-932266-89-5).
Adrian F. Dimcev is a consultant specializing in the design and implementation
of VPNs. Adrian also has extensive experience in penetration testing.
Eli Faskha (CCSI, CCSA, CCSE, CCSE+, CCAE, MCP). Based in
Panama City, Panama, Eli is Founder and President of Soluciones Seguras,
a company that specializes in network security and is the only Check Point
Gold Partner in Central America and the only Nokia Internet Security partner in
Panama. Eli is the most experienced Check Point Certified Security Instructor
and Nokia Instructor in the region. He has taught participants from more
than a dozen different countries. A 1993 graduate of the University of
Pennsylvania’s Wharton School and Moore School of Engineering, he also
received an MBA from Georgetown University in 1995. He has more than
seven years of Internet development and networking experience, starting
with Web development of the largest Internet portal in Panama in 1999 and
2000, managing a Verisign affiliate in 2001, and running his own company
since then. Eli has written several articles for the local media and has been
recognized for his contributions to Internet development in Panama.
Stephen Horvath (CISSP) is an Information Assurance Engineer for Booz
Allen Hamilton in Linthicum, MD. He has been working with Check Point
Firewalls for the last seven years, including Check Point 3.0b, 4.1, NG with
Application Intelligence, and NGX. Steve was also a beta tester for Check
Point’s Edge SOHO devices prior to their release in early 2004. Steve’s
technical background is with computer and network forensics, firewalls,
enterprise management, network and host IDS/IPS, incident response, UNIX

system administration, and DNS management. He has extensive experience
in network design with emphasis on high availability, security, and
enterprise resilience.
Daniel Kligerman (B.Sc, CCSE, CCIE #13999) is the Manager of the
Data Diagnostic Centre at TELUS National Systems, responsible for the
support and management of enterprise customers’ data and VoIP networks.
Daniel is the technical editor of Check Point Next Generation with Application
Intelligence Security Administration (Syngress, ISBN: 1-932266-89-5), and the
contributing author of Building DMZs for Enterprise Networks (Syngress,
ISBN: 1-931836-88-4), Check Point NG VPN-1/Firewall-1 Advanced
Configuration and Troubleshooting (Syngress, ISBN: 1-931836-97-3), Nokia
Network Security Solutions Handbook (Syngress, ISBN: 1-931836-70-1), and
Check Point Next Generation Security Administration (Syngress, ISBN:
1-928994-74-1). He resides in Toronto, Canada with his wife, Merita.



Kevin Lynn (CISSP) is a network systems engineer with International Network
Services (INS). INS is a leading global provider of vendor-independent network
consulting and security services. At INS, Kevin currently works within the
Ethical Hacking Center of Excellence where he evaluates the security at many
of the largest financial corporations. Kevin’s more than 12 years of experience
has seen him working a variety of roles for organizations including Cisco Systems,
IBM, Sun Microsystems, Abovenet, and the Commonwealth of Virginia.
In addition to his professional work experience, Kevin has been known to give
talks at SANS and teach others on security topics in classroom settings. Kevin
currently resides in Rockville, MD with his lovely wife Ashley.
Steve Moffat is an MCSA and has worked in IT support services for
the last 25 years. Steve has been employed in the UK by Digital, Experian,

Computacenter (to name but a few). He has also consulted with major
companies and organizations such as Zurich Insurance, Seagram’s, Texaco,
Peugeot, PriceWaterhouseCoopers, and the Bermuda Government.
He now lives and works in paradise. Since moving to Bermuda in 2001 to
work for Gateway Ltd as a senior engineer/consultant, he has gained a wife,
Hannah, has formed his own company and is currently CEO & Director of
Operations for The TLA Group Ltd. He specializes in ISA Server
deployments & server virtualization. He is also the owner & host of the
well known ISA Server web site, www.isaserver.bm
Thomas W. Shinder, MD is an MCSE and has been awarded the
Microsoft Most Valuable Professional (MVP) award for his work with ISA
Server and is recognized in the firewall community as one of the foremost
experts on ISA Server. Tom has consulted with major companies and
organizations such as Microsoft Corp., Xerox, Lucent Technologies, FINA
Oil, Hewlett-Packard, and the U.S. Department of Energy.
Tom practiced medicine in Oregon, Texas, and Arkansas before turning
his growing fascination with computer technology into a new career shortly
after marrying his wife, Debra Littlejohn Shinder, in the mid 90s. They
co-own TACteam (Trainers, Authors, and Consultants), through which
they teach technology topics and develop courseware, write books, articles,
whitepapers and corporate product documentation and marketing materials,
and assist small and large businesses in deploying technology solutions.


Tom co-authored, with Deb, the best selling Configuring ISA Server 2000
(Syngress Publishing, ISBN: 1-928994-29-6), Dr. Tom Shinder’s ISA Server
and Beyond (Syngress, ISBN: 1-931836-66-3), and Troubleshooting Windows
2000 TCP/IP (Syngress, ISBN: 1-928994-11-3). He has contributed to
several other books on subjects such as the Windows 2000 and Windows

2003 MCSE exams and has written hundreds of articles on Windows server
products for a variety of electronic and print publications.
Tom is the “primary perpetrator” on ISAserver.org (www.isaserver.org),
where he answers hundreds of questions per week on the discussion boards
and is the leading content contributor.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant,
trainer and writer who has authored a number of books on computer
operating systems, networking, and security. These include Scene of the
Cybercrime: Computer Forensics Handbook, published by Syngress, and Computer
Networking Essentials, published by Cisco Press. She is co-author, with her
husband, Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP, the
best-selling Configuring ISA Server 2000, ISA Server and Beyond, and Configuring
ISA Server 2004. She also co-authored Windows XP: Ask the Experts with
Jim Boyce.
Deb is a tech editor, developmental editor and contributor to over 20
additional books on subjects such as the Windows 2000 and Windows 2003
MCSE exams, CompTIA Security+ exam and TruSecure’s ICSA certification.
She formerly edited the Brainbuzz A+ Hardware News and currently
edits Sunbelt Software’s WinXP News and VistaNews, with over a million
subscribers, and writes a weekly column on Voice over IP technologies for
TechRepublic/CNET. Her articles on various technology issues are regularly
published on the CNET Web sites and Windowsecurity.com, and have
appeared in print magazines such as Windows IT Pro (formerly
Windows & .NET) Magazine and Law & Order Magazine.
She has authored training material, corporate whitepapers, marketing
material, and product documentation for Microsoft Corporation, Hewlett-Packard, GFI Software, Sunbelt Software, Sony and other technology
companies and written courseware for Powered, Inc and DigitalThink.
Deb currently specializes in security issues and Microsoft products; she
has been awarded Microsoft’s Most Valuable Professional (MVP) status in



Windows Server Security for the last four years. A former police officer
and police academy instructor, she lives and works with her husband, Tom,
on a beautiful lake just outside Dallas, Texas and teaches computer networking
and security and occasional criminal justice courses at Eastfield College
(Mesquite, TX). You can read her tech blog at
Michael Sweeney (CCNA, CCDA, CCNP, MCSE, SCP) is the owner of
the Network Security consulting firm Packetattack.com. Packetattack.com
specialties are network design and troubleshooting, wireless network design,
security and analysis. The Packetattack team uses industry standard
tools such as NAI Sniffer, AiroPeekNX and Airmagnet. Packetattack.com
also provides digital forensic analysis services.
Michael has been a contributing author for Syngress for the books Cisco
Security Specialist Guide to PIX Firewalls, ISBN: 1-931836-63-9, Cisco Security
Specialist Guide to Secure Intrusion Detection Systems, ISBN: 1-932266-69-0
and Building DMZs For Enterprise Networks, ISBN: 1-931836-88-4. Through
PacketPress, Michael has also published Securing Your Network Using
Linux, ISBN: 1411621778.
Michael graduated from the University of California, Irvine, extension
program with a certificate in communications and network engineering.
Michael currently resides in Orange, CA with his wife Jeanne and daughters,
Amanda and Sara.
Kenneth Tam (JNCIS-FWV, NCSP) is Sr. Systems Engineer at Juniper
Networks Security Product Group (formerly NetScreen Technologies).
Kenneth worked in pre-sales for over 4 years at NetScreen since the startup
days and has been one of many key contributors in building NetScreen
into one of the most successful security companies. As such, his primary role
has been to provide pre-sale technical assistance in both design and
implementation of NetScreen solutions. Kenneth is currently covering the

upper Midwest U.S. region. His background includes positions as a Senior
Network Engineer in the Carrier Group at 3com Corporation, and as an
application engineer at U.S. Robotics. Kenneth holds a bachelor’s degree in
computer science from DePaul University. He lives in the suburbs of Chicago,
Illinois with his wife Lorna and children, Jessica and Brandon.



Stephen Watkins (CISSP) is an Information Security Professional with more
than 10 years of relevant technology experience, devoting eight of these years
to the security field. He currently serves as Information Assurance Analyst at
Regent University in southeastern Virginia. Before coming to Regent, he led
a team of security professionals providing in-depth analysis for a global-scale
government network. Over the last eight years, he has cultivated his expertise
with regard to perimeter security and multilevel security architecture. His
Check Point experience dates back to 1998 with FireWall-1 version 3.0b. He
has earned his B.S. in Computer Science from Old Dominion University and
M.S. in Computer Science, with Concentration in Infosec, from James Madison
University. He is nearly a life-long resident of Virginia Beach, where he and
his family remain active in their Church and the local Little League.





Contents
Chapter 1 Installing Check Point NGX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Preparing the Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
SecurePlatform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
FireWall-1/VPN-1 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
SmartCenter Server Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
SmartConsole Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Putting It All Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
SmartDashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Chapter 2 SmartDashboard and SmartPortal . . . . . . . . . . . . . . . . . . . . . . . . 27
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
A Tour of the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Logging In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
The Rulebase Pane. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Security Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Address Translation Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
SmartDefense Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Web Intelligence Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
VPN Manager Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
QoS Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Desktop Security Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Web Access Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Consolidation Rules Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
The Objects Tree Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Servers and OPSEC Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Users and Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

VPN Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
The Objects List Pane. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
The SmartMap Pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Menus and Toolbars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Working with Policy Packages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Installing the Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Global Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
FireWall Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
NAT—Network Address Translation Page . . . . . . . . . . . . . . . . . . . . . . . . 35
VPN Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
VPN-1 Edge/Embedded Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Remote Access Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
SmartDirectory (LDAP) Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Stateful Inspection Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
New in SmartDashboard NGX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Security Policy Rule Names and Unique IDs . . . . . . . . . . . . . . . . . . . . . . . 36
Group Object Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Group Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Clone Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Session Description. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Tooltips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Your First Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Creating Your Administrator Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Hooking Up to the Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Reviewing the Gateway Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Defining Your Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Policy Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Creating Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Installing the Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Other Useful Controls on the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Working with Security Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Section Titles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Hiding Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Rule Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Searching Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Working with Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Object References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Who Broke That Object? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Object Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Working with Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
What Would Be Installed? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
What’s Really Installed? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52



No Security Please . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
For the Anoraks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Managing Connectra and Interspect Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Configuring Interspect or Connectra Integration . . . . . . . . . . . . . . . . . . 53
SmartDefense Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
SmartPortal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
SmartPortal Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Installing SmartPortal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Tour of SmartPortal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60


Chapter 3 Smart View Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Log View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Audit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Predefined Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Use for Predefined Queries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Adding Custom Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Applying Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Custom Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Matching Rule Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Viewing the Matching Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Viewing Log Records from SmartDashboard . . . . . . . . . . . . . . . . . . . 71
Active View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Live Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Custom Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Following a Source or Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Block Intruder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Audit View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Log Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Daily Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Log Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Chapter 4 SmartDefense and Web Intelligence . . . . . . . . . . . . . . . . . . . . . . 83
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85




Structured Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
External Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Welchia Internet Control Message Protocol . . . . . . . . . . . . . . . . . . . . 88
Network Quota . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Internal Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Reconnaissance (Port Scans and Sweeps) . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
The OSI Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Layer 3: The Network Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Layer 4: The Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Layer 7: The Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
The Need for Granular Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Application Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Configuring Hosts and Nodes for AI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
SmartDefense Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Central Configuration and the SmartDefense Web Site . . . . . . . . . . . . . . 98
Updating SmartDefense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Defense Against Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Peer-to-Peer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Preventing Information Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Fingerprint Scrambling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Abnormal Behavior Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Web Intelligence Technology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Malicious Code Protector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Active Streaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Application Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Web Application Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Custom Web Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Preventing Information Disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Header Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Directory Listing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Malicious Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Different Types of Malicious Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
General HTTP Worm Catcher . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Protocol Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Conformity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
DNS Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
HTTP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112


Contents

DShield Storm Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Retrieving Blocklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Submitting Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117


Chapter 5 Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Global Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Configuring Dynamic Hide Mode NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Dynamic NAT Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Advanced Understanding of NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
When to Use It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Routing and ARP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Adding ARP Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Secure Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Solaris. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
IPSO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Configuring Static Mode NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Static NAT Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
When to Use It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Inbound Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Configuring Automatic NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
When to Use It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
NAT Rule Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Access Control Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring Port Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
When to Use It . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
NAT Rule Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Security Policy Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
Chapter 6 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Using Authentication in Your Environment . . . . . . . . . . . . . . . . . . . . . . . . 148
Users and Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Managing Users and Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Permission Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
General Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Personal Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Admin Auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Admin Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Administrator Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
User Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Personal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Personal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
External User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Match by Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Match All Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
LDAP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Understanding Authentication Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Undefined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
SecurID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Check Point Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
TACACS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Configuring User Authentication in the Rulebase . . . . . . . . . . . . . . . . . . . . . . 166
UserAuth | Edit Properties | General | Source . . . . . . . . . . . . . . . . . . . . . . . 167
UserAuth | Edit Properties | General | Destination . . . . . . . . . . . . . . . . . . . . 168
UserAuth | Edit Properties | General | HTTP . . . . . . . . . . . . . . . . . . . . . . . . 168



Interacting with User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Telnet and RLOGIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Placing Authentication Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Advanced Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Eliminating the Default Authentication Banner . . . . . . . . . . . . . . . . . . . . . . . 173
Changing the Banner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Use Host Header as Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Session Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Configuring Session Authentication in the Rulebase . . . . . . . . . . . . . . . . . . . . 176
SessionAuth | Edit Properties | General | Source . . . . . . . . . . . . . . . . . . . . . 177
SessionAuth | Edit Properties | General | Destination . . . . . . . . . . . . . . . . . . 177
SessionAuth | Edit Properties | General | Contact Agent At . . . . . . . . . . . . . . 177
SessionAuth | Edit Properties | General | Accept only SecuRemote/SecureClient Encrypted Connections . . . . . . . . . . . . . . . . . . . . . . . . . . 177
SessionAuth | Edit Properties | General | Single Sign-On . . . . . . . . . . . . . . . . 177
Configuring Session Authentication Encryption . . . . . . . . . . . . . . . . . . . . . . . 177
The Session Authentication Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Configuration | Passwords | Ask for Password . . . . . . . . . . . . . . . . . . . . . . . 180
Configuration | Allowed Firewall-1 | Allow authentication request from . . . . . . . 180
Configuration | Allowed Firewall-1 | Options . . . . . . . . . . . . . . . . . . . . . . . . 181
Interacting with Session Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Configuring Client Authentication in the Rulebase . . . . . . . . . . . . . . . . . . . . . 184
ClientAuth | Edit Properties | General | Source . . . . . . . . . . . . . . . . . . . . . . 185
ClientAuth | Edit Properties | General | Destination . . . . . . . . . . . . . . . . . . . 185
ClientAuth | Edit Properties | General | Apply Rule Only if Desktop Configuration Options Are Verified . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
ClientAuth | Edit Properties | General | Required Sign-In . . . . . . . . . . . . . . . 186
ClientAuth | Edit Properties | General | Sign-On Method . . . . . . . . . . . . . . . . 186
Manual Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Partially Automatic Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Fully Automatic Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Agent Automatic Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Single Sign-On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
General | Successful Authentication Tracking . . . . . . . . . . . . . . . . . . . . . . . . 192
Limits | Authorization Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Limits | Number of Sessions Allowed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193


Advanced Topics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Check Point Gateway | Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Enabled Authentication Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
HTTP Security Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Global Properties | Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Failed Authentication Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Authentication of Users with Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Brute-Force Password Guessing Protection . . . . . . . . . . . . . . . . . . . . . . . . . 197
Early Version Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Registry Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
New Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Use Host Header as Destination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Opening All Client Authentication Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Enabling Encrypted Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Custom Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Installing the User Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Chapter 7 Content Security and OPSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
OPSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Partnership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Anti-virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
OPSEC Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Security Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
URI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
CIFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
CVP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Resource Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
UFP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Resource Creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
MDQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
How to Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221



Secure Internal Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Chapter 8 VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Encryption Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Symmetric and Asymmetric Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Certificate Authorities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Exchanging Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Tunnel Mode vs. Transport Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Simplified vs. Traditional . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Using the Simplified Configuration Method . . . . . . . . . . . . . . . . . . . . . . . 228
VPN Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Meshed VPN Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Star VPN Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Multiple Entry Point (MEP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Installing the Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Configuring a VPN with a Cisco PIX. . . . . . . . . . . . . . . . . . . . . . . . . . 240
Using the Traditional VPN Configuration Method . . . . . . . . . . . . . . . . . . . 241
VPN Directional Matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Route-Based VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Configuring VTIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Configuring VTI Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Tunnel Management and Debugging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Using SmartView Tracker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Using cpstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Chapter 9 SecuRemote, SecureClient, and Integrity . . . . . . . . . . . . . . . . . . 253
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
SecuRemote . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
What’s New with SecuRemote in NGX? . . . . . . . . . . . . . . . . . . . . . . . . . 254
Standard Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Basic Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Defining the Connection Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
SecuRemote Installation and Configuration on Microsoft Windows . . . . . . 274
Connecting to the VPN-1 Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285


SecureClient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
What's New in SC NGX? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Installing SecureClient on Microsoft Windows . . . . . . . . . . . . . . . . . . . . . . . . 288
Policy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Desktop Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Configuring Desktop Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Disabling the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Secure Configuration Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Office Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Why Office Mode? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Client IP Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring Office Mode with IP Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring the VPN-1 Gateway for Office Mode . . . . . . . . . . . . . . . . . . . . 297
Configuring SecureClient for Office Mode . . . . . . . . . . . . . . . . . . . . . . . . . 300
Secure Configuration Verification (SCV) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
What's New with Secure Configuration Verification (SCV) in NGX? . . . . . . . . . . 302
Configuring the Policy Server to Enable Secure Configuration Verification (SCV) . . . 303
Secure Configuration Verification (SCV) Checks Available . . . . . . . . . . . . . . . . 304
Check Point OPSEC Vendor SCV Checks . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Other Third-Party Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Create Your Own Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
History of Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Integrity Client Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Integrity Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Integrity Clientless Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Chapter 10 Adaptive Security Device Manager . . . . . . . . . . . . . . . . . . . . . 311
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Features, Limitations, and Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Supported PIX Firewall Hardware and Software Versions . . . . . . . . . . . . . . 313
PIX Device Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Host Requirements for Running ASDM . . . . . . . . . . . . . . . . . . . . . . . 313
Adaptive Security Device Manager Limitations . . . . . . . . . . . . . . . . . . . . . 313
Unsupported Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Unsupported Characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
ASDM CLI Does Not Support Interactive Commands . . . . . . . . . . . . . 314
Printing from ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315



Installing, Configuring, and Launching ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Preparing for Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Installing or Upgrading ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Obtaining a DES Activation Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Configuring the PIX Firewall for Network Connectivity . . . . . . . . . . . . . . . . . 316
Installing a TFTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Upgrading the PIX Firewall and Configuring the DES Activation Key . . . . . . . . 317
Installing or Upgrading ASDM on the PIX Device . . . . . . . . . . . . . . . . . . . . . 317
Enabling and Disabling ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Launching ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Configuring the PIX Firewall Using ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Using the Startup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Configuring System Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
The AAA Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
The Advanced Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
The ARP Static Table Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
The Auto Update Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
The DHCP Services Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
The DNS Client Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
The Failover Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
The History Metrics Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
The IP Audit Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
The Logging Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
The Priority Queue Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
The SSL Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
The SunRPC Server Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
The URL Filtering Category . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Configuring VPNs Using ASDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configuring a Site-to-Site VPN Using ASDM . . . . . . . . . . . . . . . . . . . . . . . . . 371
Configuring a Remote Access VPN Using ASDM . . . . . . . . . . . . . . . . . . . . . . . 378
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

Chapter 11 Application Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
New Features in PIX 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Supporting and Securing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
TCP, UDP, ICMP, and the PIX Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Application Layer Protocol Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Defining a Traffic Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392


Associating a Traffic Class with an Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Customizing Application Inspection Parameters . . . . . . . . . . . . . . . . . . . . . . . . 397
Applying Inspection to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Domain Name Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Remote Procedure Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
SQL Net . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Internet Locator Service and Lightweight Directory Access Protocol . . . . . . . . . . 400
HTTP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
FTP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
Active versus Passive Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
ESMTP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
ICMP Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
H.323 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Simple Network Management Protocol (SNMP) . . . . . . . . . . . . . . . . . . . . . . . 407
Voice and Video Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
SIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
CTIQBE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
SCCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Real-Time Streaming Protocol (RTSP), NetShow, and VDO Live . . . . . . . . . . . . 409
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411

Chapter 12 Filtering, Intrusion Detection, and Attack Management . . . . 413
New Features in PIX 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Enhanced TCP Security Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Improved Websense URL Filtering Performance . . . . . . . . . . . . . . . . . . 414
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Filtering Web and FTP Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Filtering URLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Websense and Sentian by N2H2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Fine-Tuning and Monitoring the Filtering Process . . . . . . . . . . . . . . . . 416
Configuring HTTP URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Configuring HTTPS Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Setting Up FTP Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Active Code Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Filtering Java Applets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Filtering ActiveX Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Virus Filtering; Spam, Adware, Malware, and Other-Ware Filtering . . . . . 423
TCP Attack Detection and Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
PIX Intrusion Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425


