CCSA R75 Presentation-8 modules

  • 7/23/2019 CCSA R75 Presentation-8 modules

    1/58

    Check Point Security Administrator R75

    Eran Shaham

    Mct,Mcitp,Ccna,Ccse,Wci-

    Course Agenda

    Module 1: Check Point - Three Tier Architecture
    Module 2: Implementing a Distributed installation
    Module 3: Configuring The Rulebase
    Module 4: Tracking Activity using SmartView Tracker
    Module 5: Filtering Offensive Web Content
    Module 6: Scanning the Network
    Module 7: Deploying Site to Site VPN
    Module 8: Course Summary

    Module 1:

    Check Point - Three Tier Architecture

    Brief Info

    Check Point is an Israeli information security software company that was the first to invent and implement a network firewall solution.
    Check Point products are installed on 100% of Fortune 100 companies.
    It has a 60% market share of enterprise firewalls in the market today.
    Check Point implements a complete security solution with enterprise management of the complete network.

    Perimeter, Internal, Web

    The Three Tier Architecture Concept

    Check Point consists of three major components:
    Smart Console - A gui client that has all the administrative tools installed.
    Smart Center Server - A database that contains the security policy (rulebase) for the firewall it manages.
    Security gateway - A firewall that scans and filters the traffic. Also called an enforcement module.

    The Smart Console is installed only on windows machines.
    It has to connect to the Smart Center Server with a valid ip + username/password.
    The Smart Center Server is installed on various os's.
    It contains the security policy (rulebase) created by the Smart Console.
    It distributes the rulebase to the firewall.
    The Security Gateway is installed mostly on SPLAT and appliances.
    SPLAT (secure platform) is a hardened linux of a Red Hat enterprise edition distribution.

    Standalone Vs. Distributed Installation

    A standalone installation - is when the smart center server and the security gateway are installed on the same machine.
    A distributed installation - is when the smart center server and the security gateway are installed on separate machines.

    We will use a distributed configuration in the class:
    SMny will be the smart console and the smart center server.
    SGny will be the security gateway.
    Ldap will be an external server.

    Module 2:

    Implementing a Distributed installation

    SMny Virtual Machine Configuration

    SMny is a preconfigured virtual machine with the following characteristics:
    Win XP sp2
    Ram is configured with 1gb of memory
    Nic is connected to vmnet1
    CD is attached to an iso image file
    Floppy has been removed

    SGny Virtual Machine Configuration

    SGny is a virtual machine that we install with the following characteristics:
    Splat R75
    Ram is configured with 769 MB of memory
    Nic is connected to vmnet1 - to SMny
    Nic is connected to vmnet2 - to DMZny (we will not use it in the course)
    Nic is connected to vmnet3 - to Ldap
    CD is attached to an iso image file

    Ldap Virtual Machine Configuration

    Ldap is a preconfigured virtual machine with the following characteristics:
    Win server 2003 with a web and a mail server
    Ram is configured with 512 MB of memory
    Nic is connected to vmnet

    Smartview Tracker

    Configure Autoscroll in SmartView Tracker
    Query -> Autoscroll

    Tracking http Connections

    Power up Ldap and login (alt+ctrl+ins) with password vpn123
    From SMny http://ldap
    Note that a web site displaying LdapAtlantis has opened.

    Tracking http Connections (Cont.)

    Maximize the Smartview Tracker window and double click on the first green http line.
    Double Click on that line and view the detailed information.

    Module 5:

    Filtering Offensive Web Content

    Configure Web Filtering on SMny (to be enforced on SGny)

    Dashboard
    DoubleClick SGny and checkbox

    Configure Web Filtering on SMny (Cont.)

    Expand URL Filtering and watch the settings in the right pane.
    Expand the Advanced option and press the Blocked

    Configure Web Filtering on SMny (Cont.)

    http://ldap and watch the message displayed instead of the website.
    Watch the specified event monitored by the SmartView Tracker.

    Module 6:

    Scanning the Network

    Configure IPS on SMny (to be enforced on SGny)

    Dashboard
    DoubleClick SGny and checkbox IPS
    Dashboard
    Open the IPS tab and look at the settings

    Configure IPS on SMny (Cont.)

    Expand Protections and press the Port Scan as shown above.
    Double Click Host Port Scan
    Double Click Default_Protection
    Change the setting to Override IPS Policy with Detect

    Configure IPS on SMny (Cont.)

    Close the opened windows.
    Double Click Sweep Scan.
    Double Click Default_Protection
    Change the setting to Override IPS Policy with Detect
    Install the security policy.

    Gather information about opened ports using Superscan at Ldap

    Run Superscan from the desktop.
    Add the IP addresses of SMny and SGny as shown above.
    On the Host and Service Discovery tab deselect the Host Discovery.
    On the Scan tab press the play button and watch the results.
    Open the Smartview Tracker and find the port scan attempt.

    Module 7:

    Deploying Site to Site VPN

    The VPN Concept

    VPN (Virtual Private Network) is used to transfer private data between private networks through an insecure public network.
    The term Virtual Private Network means establishing a "Private Network" over the wan, and "Virtual" means encryption.
    Encryption makes the wan "virtually private".
    Edge devices such as routers and firewalls are used to encrypt and decrypt the traffic between them.

    Deploying Site to Site VPN

    In this scenario the private networks are VMNET1 and VMNETK and the public network is VMNET

    Configuring SMny for Site to Site VPN

    To save time, we will use SMny in a preconfigured stage (snapshot).
    In the snapshot, SMny is controlling SGny and SGla via SIC.

    Start SMny from snapshot and launch Smart Dashboard
    From the menu VM -> snapshot -> snapshot manager
    Click on Site to site VPN and then on the GO To button.
    Press the PLAY button to start the virtual machine.
    Verify that the time and date are correct.
    Drag and drop the license files that the trainer gave you from the host to the desktop at SMny.

    Configure Date and Time settings on SGNY-VPN virtual machine

    To save time, we will use SGny-VPN, which is a preconfigured version of SGny. This is a different virtual machine from the one you installed before.
    From the Vmware menu File -> Open and then browse to the SGny-VPN folder. Click on the folder and then click on SGny.vmx file.
    Power on the virtual machine after it is added and authenticate to the firewall.
    From the command line change the date to reflect today's date in the following format: Date MM-DD-YYYY.
    Verify that the date is changed using the Date command.
    Verify that the time is correct using sysconfig from the command line.

    Configure the Date and Time settings on SGla virtual machine

    From the Vmware menu File -> Open and then browse to the SGla folder. Click on the folder and then click on the vmx file.
    Power on the virtual machine after it is added and authenticate to the firewall.
    From the command line change the date to reflect today's date in the following format: Date MM-DD-YYYY.
    Verify that the date is changed using the Date command.
    Verify that the time is correct using sysconfig from the command line.

    Install license files centrally from SMny

    Point to Start -> Check Point SmartConsole R75 -> Smart

    Install license files centrally from SMny (Cont.)

    Click on Network Objects Licenses & Contracts Tab.
    Notice that both gateway objects appear with a pink triangle in the upper right of the object. It means that they are controlled by SMny and connected to it via SIC.
    From the Licenses & Contracts tab in SmartUpdate checkbox View Repository.
    The License & Contract Repository opens as a window at the bottom.

    Install license files centrally from SMny (Cont.)

    From the License and Contracts menu choose Add License and then From File...
    Select the first license file and press open.
    An information dialog box appears. Press OK. The first component of the license file is local license and is immediately attached to SMny.

    Install license files centrally from SMny (Cont.)

    Right Click SGny and choose Attach Licenses...
    An Attach Licenses window opens. Click on the second part of the license file, a central license, and choose Attach.
    An information dialog box appears. Press OK. The first component of the license file is local license and is immediately attached to SMny.

    Install license files centrally from SMny (Cont.)

    From the License and Contracts menu choose Add License and then From File...
    Select the second license file and press open.
    An information dialog box appears. Press OK.

    Install license files centrally from SMny (Cont.)

    From the License and Contracts Repository highlight the line whose type is local in the right column.
    Right click on the unattached license in the left and choose Attach License...
    Choose SGla and press Attach.
    The display should show three licenses attached to the objects.

    Configuring SMny for Site to Site VPN (Cont.)

    Open SmartDashboard.
    DoubleClick SGny object and checkbox Ipsec VPN and press OK.
    Do the same for SGla's Object.
    Note that both objects contain a lock symbol now. This indicates vpn capabilities.
    Press on the IPSec VPN Tab. You can see the MyIntranet object that contains common settings to establish the VPN.

    Configuring SMny for Site to Site VPN (Cont.)

    DoubleClick MyIntranet object.
    Press the Participating Gateways Tab and add both gateways to the community.
    Press OK and watch that the Participant Gateways window shows both gateways.

    Configuring SMny for Site to Site VPN (Cont.)

    Configure the security policy shown above and install it on both gateways.
    Note, the vpn rule states that when traffic passes between networks the firewalls will encrypt and decrypt it by the parameters defined in the MyIntranet object.

    Test the VPN rule

    From SMny open the run command and http://pcla
    The Browser opens and PCLA's web site is displayed.
    Open SmartView Tracker and see that a lock sign (encryption activity performed by SGny) and a lock with a key sign (decryption activity performed by SGla) took place.

    Module 8:

    Course Summary


    OS hardening, update management, authentication

    Firewalls, VPN, IPS

    Guards, locks, monitoring and tracking devices

    Network segments, IPSec

    Secure Coding, antivirus,