The Check Point Certified Security Administrator
Next Generation (CCSA NG) certification is a foundation-level
certification. CCSA-certified professionals are
expected to be able to install and manage
Check Point's VPN-1/FireWall-1 product. The objectives
covered by this exam are as follows:
Skills measured
Install, configure VPN-1/FireWall-1
Log management
Intrusion detection and prevention
Set up and configure user, client, and
session authentication
VPN-1/FireWall-1 performance optimization
Security gateways deployment and management
Install and configure network address
translation
There are two versions of CCSA. One is CCSA CP 2000
(156-205) and the other is CCSA NG (156-210). The exam
lasts 90 minutes (120 minutes for non-English)
and requires a minimum score of 70%. For further details, visit
the official website of CCSA, Check Point Software.
1. The purpose of a firewall is to ensure security
in communications between internal and external networks.
A firewall allows or disallows communication across
the firewall in accordance with a pre-defined security
policy.
2. Firewall implementations: There are different implementations
of firewalls. Most notable among these are:
A firewall implemented with packet filters works
at the Network Layer of the ISO/OSI stack.
A firewall implemented with Application Layer Gateways
works at the Application Layer of the ISO/OSI stack.
A firewall implemented with stateful technology (like
Check Point FireWall-1) works at all layers of the ISO/OSI model.
3. A firewall implemented with stateful inspection technology
(FireWall-1 uses stateful inspection) has several advantages
over a packet filter:
                              Application Layer Gateway   Packet Filters   Stateful Inspection
Communication Information     Partial                     Partial          Yes
Communication Derived State   No                          Partial          Yes
Application Derived State     No                          Yes              Yes
Information Manipulation      No                          Yes              Yes
4. FireWall-1, which uses stateful inspection technology,
uses the following information:
Communication information from different layers of TCP/IP
stack
The state derived from previous communications
The state derived from other applications, for example,
a previously authenticated user would be allowed to access
through the firewall for authorized services only.
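The three inputs listed above, modelled as a small decision function. This is an added illustration, not FireWall-1's INSPECT code or any Check Point API; the class and function names, addresses, ports and the user "alice" are all constructed for the example.

```python
from dataclasses import dataclass
INTERNAL = "10.0.0."              # constructed internal address prefix
AUTH_SERVICES = {"alice": {443}}  # constructed: ports each user is authorized for

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False             # True only on a connection-opening packet

class StatefulFilter:
    def __init__(self):
        self.connections = set()  # state derived from previous communications
        self.authenticated = {}   # state derived from another application: IP -> user

    def login(self, src_ip, user):
        self.authenticated[src_ip] = user

    def decide(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # 1. Previous communications: packets of a tracked connection pass.
        if key in self.connections or reverse in self.connections:
            return "accept"
        if not p.syn:             # mid-stream packet with no matching state
            return "drop"
        # 2. Communication information: internal hosts may open connections out.
        if p.src.startswith(INTERNAL):
            self.connections.add(key)
            return "accept"
        # 3. Application-derived state: an authenticated user may open
        #    connections only to the services authorized for that user.
        user = self.authenticated.get(p.src)
        if user and p.dport in AUTH_SERVICES.get(user, set()):
            self.connections.add(key)
            return "accept"
        return "drop"

def demo():
    fw = StatefulFilter()
    reply = Packet("198.51.100.7", 80, "10.0.0.5", 40000)
    ext = Packet("203.0.113.9", 5000, "10.0.0.20", 443, syn=True)
    results = [fw.decide(reply), fw.decide(ext)]      # no state yet
    fw.decide(Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True))
    fw.login("203.0.113.9", "alice")
    results += [fw.decide(reply), fw.decide(ext)]     # state now exists
    return results
```

The same two packets are dropped before any state exists and accepted afterwards, which a filter looking only at packet headers cannot express without opening the reply port to everyone.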
5. Hardware / software requirements:
The following are FireWall-1 GUI Management Clients Minimum
Requirements:
Platforms: Windows 9x, Windows NT 4.0 SP4, 5, 6, and
X/Motif Client.
Disk Space: 40 Mbytes
Memory: 32 MB Minimum and 64 MB recommended.
The minimum requirements for installing Management Server
or FireWall-1 NG (Feature Pack 2) are:
a. Windows:
Hardware - 40 MB of hard disk space and 128 MB of memory.
Operating System - Windows NT 4.0 SP 6a, Windows 2000
Server, and Windows 2000 Advanced Server. Note that the
operating system and hardware requirements are the same for
installing VPN-1/FireWall-1 Management Server or VPN/FireWall
Module.
b. Solaris:
Hardware - The hard disk and memory requirements are
the same as in the Windows case, that is, 40 MB of hard disk space
and 128 MB of memory.
Note that the operating system and hardware requirements
are the same for installing VPN-1/FireWall-1 Management Server
or VPN/FireWall Module.
Operating System - At the minimum, the operating system
required is Solaris 7 (SunOS 5.7) or Solaris 8 (SunOS 5.8).
c. Linux:
Hardware - Disk Space: 40 MB; Memory: 128 MB
Operating System - The OS requirements for installing
VPN-1/FireWall-1 NG Management Server or FireWall Module
on a Linux platform are Red Hat Linux 6.2 and 7.0.
6.1 The essential components of a FireWall-1 Single Gateway
Product are:
Management Module - Security management module with
graphical user interface.
Inspection Module - This module is responsible for implementing
access control, Client authentication, and session authentication.
Network Address Translation is also done here.
Firewall Module - User authentication, and content security.
6.2 FireWall-1's FireWall Module contains the following components:
FireWall-1 Daemon: This is responsible for communication
between modules, clients and hosts.
Inspection Module: Access control, authentication, NAT
and auditing are the responsibility of the Inspection Module.
The Inspection Module contains the INSPECT engine.
Security Server: This is responsible for handling authentication
of packets for any specific service or protocol.
For the Single Gateway product, the FireWall Module and Management
Module must be installed on the same machine. However, the GUI can
be installed on another machine.
7. The following Management clients are available when installing
Check Point on a Windows platform:
Policy Editor
Log Viewer
System Status (Status Manager)
SecureClient Packaging Tool
Traffic Monitoring
SecureUpdate
8. FireWall-1 is based on the client-server model of operation.
Note that in FireWall-1, modules such as the Management Server
can be separated from the GUI.
9. The basic components of a FireWall-1 Single Gateway Product
are:
Management Module - Security management module with
graphical user interface.
Inspection Module - This module is responsible for implementing
access control, Client authentication, and session authentication.
Network Address Translation is also done here.
Firewall Module - User authentication, and content security.
A single Management module can manage one
or more FireWall modules. The Management module consists of
a GUI client and a Management Server.
10. The FireWall-1 module sits between the Data Link and
the Network layers (layer 2 and layer 3).