a. Implicit (pseudo) rules are derived from the security
properties; explicit rules are those created in the Rule
Base. The implicit rules are NOT shown by default in the
Security Policy Rule Base, but you can display them by
selecting "Implied Pseudo Rules" from the View menu.
b. The Implicit Drop rule is added by VPN-1/FireWall-1
at the bottom of the Rule Base. It drops every packet
that is not matched by an earlier rule, so any traffic the
Rule Base does not explicitly describe is denied.
c. The Stealth rule is placed at the top of the explicit
Rule Base. It drops traffic addressed to the firewall
itself, so that the gateway cannot be reached directly;
any access that must reach the gateway (for example, from
the management station) has to be permitted by a rule
above it, since the first matching rule wins.
d. The order in which Rule Base rules are enforced
(first match wins) is:
IP Spoofing
Security Policy "First" Rule
Rule Base
Security Policy "Before Last" Rule
Security Policy "Last" Rule
Implicit Drop
e. To disable a rule in the Rule Base:
Select the rule in the Rule Base.
Right-click the rule number and select 'Disable Rule'.
The policy needs to be re-installed for the change
to take effect.
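The enforcement order in d., with the stealth rule in c. and the implicit drop in b., as an added example in Python. This is illustration code, not Check Point's own code or file format: the interface names, addresses, service names, rule syntax and packets are all constructed here, and the implied "First" rule is a constructed stand-in for what the security properties would generate. It walks packets through anti-spoofing, the implied rule, the explicit rules and the implicit drop, and then shows what goes wrong when a broad accept is placed above the stealth rule.

```python
"""First-match evaluation of a VPN-1/FireWall-1 style Rule Base.

Added example, not Check Point code: the topology, rule syntax, service
names and packets are constructed for illustration.  Enforcement order:
anti-spoofing -> implied "First" rules -> explicit rules (stealth rule on
top) -> implicit drop.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GATEWAY = {ip_address("203.0.113.1"), ip_address("10.0.0.1")}  # the firewall's own addresses
INTERNAL = [ip_network("10.0.0.0/8")]
# Anti-spoofing: the source networks that may legitimately arrive on each
# interface; "external" means anything that is NOT an internal network.
VALID_SRC = {"eth0": "external", "eth1": INTERNAL}


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    service: str


@dataclass
class Rule:
    name: str
    src: object      # "any" | list of ip_network
    dst: object      # "any" | "gateway" | list of ip_network
    service: object  # "any" | set of service names
    action: str      # "accept" | "drop"


def _addr_in(addr, selector):
    if selector == "any":
        return True
    if selector == "gateway":
        return addr in GATEWAY
    return any(addr in net for net in selector)


def spoofed(pkt):
    """True when the source address is impossible for the arrival interface."""
    src = ip_address(pkt.src)
    valid = VALID_SRC[pkt.iface]
    if valid == "external":
        return any(src in net for net in INTERNAL)
    return not any(src in net for net in valid)


def evaluate(pkt, implied_first, explicit):
    """Return (action, rule_name) for the first rule that matches."""
    if spoofed(pkt):
        return "drop", "anti-spoofing"
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in implied_first + explicit:
        if (_addr_in(src, rule.src) and _addr_in(dst, rule.dst)
                and (rule.service == "any" or pkt.service in rule.service)):
            return rule.action, rule.name
    return "drop", "implicit drop"  # nothing earlier described the packet


# Constructed policy.  Letting the management station reach the gateway is
# the kind of implied "First" rule the security properties generate; it
# sits above the stealth rule, otherwise the GUI would lock itself out.
MGMT = [ip_network("10.0.0.50/32")]
IMPLIED_FIRST = [Rule("implied: mgmt->gw", MGMT, "gateway", {"fw1_mgmt"}, "accept")]
EXPLICIT = [
    Rule("stealth", "any", "gateway", "any", "drop"),
    Rule("web out", INTERNAL, "any", {"http", "https"}, "accept"),
    Rule("dns out", INTERNAL, "any", {"dns"}, "accept"),
]
# The same explicit rules with a broad accept placed ABOVE the stealth rule:
# telnet to the gateway itself now gets through, which is why stealth goes first.
MISORDERED = [Rule("telnet out", INTERNAL, "any", {"telnet"}, "accept")] + EXPLICIT


def demo():
    packets = [
        Packet("eth1", "10.0.0.50", "10.0.0.1", "fw1_mgmt"),   # management to gateway
        Packet("eth1", "10.1.2.3", "10.0.0.1", "telnet"),      # user to the gateway itself
        Packet("eth1", "10.1.2.3", "198.51.100.7", "http"),    # permitted outbound
        Packet("eth1", "10.1.2.3", "198.51.100.7", "smtp"),    # not described anywhere
        Packet("eth0", "10.9.9.9", "10.0.0.5", "http"),        # internal source from outside
    ]
    return [evaluate(p, IMPLIED_FIRST, EXPLICIT) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
    print(evaluate(Packet("eth1", "10.1.2.3", "10.0.0.1", "telnet"), IMPLIED_FIRST, MISORDERED))
```

The fifth packet never reaches the rules at all: it carries an internal source address on the external interface, so anti-spoofing drops it before the "First" rules are consulted. The telnet packet is dropped by the stealth rule under EXPLICIT but accepted under MISORDERED, because the first matching rule decides and the stealth rule is no longer first.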
22. Using the Security Policy Editor, the following policies
can be defined:
Security Policy: specifies which communication is allowed
to enter or leave the network, and how authentication
and/or encryption are handled.
Address Translation Policy: specifies how invalid (non-routable)
internal IP addresses are translated to valid IP addresses.
Anti-Spoofing: ensures that the source IP addresses of packets
entering the FireWall are valid for the interface on which
they arrive.
23. Important file names used in FireWall-1:
$FWDIR/conf/rule_base.W: the Security Policy rules, stored
in ASCII format.
$FWDIR/conf/objects.C: the properties and network objects,
stored in this ASCII file.
$FWDIR/conf/rule_name.pf: the Inspection Script, generated
from $FWDIR/conf/rule_base.W and $FWDIR/conf/objects.C.
$FWDIR/temp/rule_base.fc: the Inspection Code, compiled
from the Inspection Script. The Inspection Code is installed
on network objects and used by the VPN/FireWall Module to
enforce the security policy.
24. A Gateway must have at least two network interfaces: one
for the external network connection and one for the internal
network connection.
25. The three authentication schemes supported by
VPN-1/FireWall-1 are:
User Authentication: grants access on a per-user basis.
It can be used for Telnet, FTP, RLOGIN, HTTP and HTTPS.
Separate authentication is required for each connection.
Session Authentication: can be used with any service;
as with User Authentication, authentication is required
for each connection.
Client Authentication: grants access on a per-host basis.
Once a client has been authenticated, it can open any number
of connections for any service. Client Authentication is
recommended when the client is a single-user machine such
as a desktop, because the access is granted to the host,
and therefore to anyone using it.
26. VPN-1/FireWall-1 services covered by User Authentication
are: Telnet, FTP, RLOGIN, HTTP, and HTTPS.
27. VPN-1/FireWall-1 supports third-party routers (OPSEC
products) such as Cisco, 3Com and Nortel (Bay Networks) routers,
Cisco PIX firewalls, and Microsoft RRAS (formerly known as Steelhead).
For this purpose, Check Point's Open Security Extension (an
optional module) is required.
28. VPN-1/FireWall-1 supports two modes of Address Translation:
a. Hide mode: a many-to-one relation. Many invalid (internal)
addresses are translated to one valid IP address, and dynamically
assigned port numbers distinguish the connections of the different
invalid addresses. It is called Hide mode because the invalid IP
addresses are hidden behind the valid one; a consequence is that
hosts behind a hidden address cannot accept connections initiated
from outside, since no port mapping exists until they connect out.
b. Static mode: a one-to-one correspondence of IP addresses.
Each invalid IP is translated to a corresponding valid IP.
There are two kinds of static Address Translation:
Static Source mode: for outgoing traffic, where the
connection is initiated by internal clients with invalid
IP addresses. This is usually combined with Static Destination
mode.
Static Destination mode: for incoming traffic. This mode is
used when servers inside the internal network have invalid
IP addresses, so that packets entering the internal network
arrive at their proper destinations. This mode is usually
combined with Static Source mode.
29. The NAT Rule Base consists of three elements:
Original Packet
Translated Packet
Install On
Original Packet and Translated Packet, in turn, consist of
the following:
Source
Destination
Service
"Install On" specifies which firewalled objects will enforce
the rule.
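Hide mode and the two Static modes from item 28, driven by a rule base with the Original Packet / Translated Packet / Install On columns of item 29, as an added example in Python. This is illustration code, not Check Point's NAT implementation: the classes, addresses, the tiny port pool and the packets are constructed here, and the column layout is simplified to source and destination only. It shows how the dynamically assigned port tells two hidden clients apart, how a reply finds its way back, why an unsolicited packet to a hide address reaches no internal host while one to a static address does, and why "Install On" matters.

```python
"""Hide-mode and Static-mode address translation through a NAT Rule Base
(items 28 and 29).  Added example, not Check Point code: the rule columns
mirror Original Packet / Translated Packet / Install On, but the classes,
addresses, port pool and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class NatRule:
    name: str
    orig_src: object   # Original Packet source: ip_network or "any"
    orig_dst: object   # Original Packet destination: ip_network or "any"
    mode: str          # Translated Packet: "hide" | "static_src" | "static_dst"
    xlate: str         # the valid address written into the Translated Packet
    install_on: str    # which firewalled object enforces the rule


# Constructed NAT Rule Base.  The static 1:1 rules come first: the hide rule
# also matches 10.0.0.20, and matching stops at the first rule that fits.
RULES = [
    NatRule("server src", ip_network("10.0.0.20/32"), "any", "static_src", "203.0.113.20", "gw"),
    NatRule("server dst", "any", ip_network("203.0.113.20/32"), "static_dst", "10.0.0.20", "gw"),
    NatRule("hide internal", ip_network("10.0.0.0/8"), "any", "hide", "203.0.113.1", "gw"),
]


class Gateway:
    def __init__(self, name, rules, hide_ports=range(10000, 10003)):
        self.rules = [r for r in rules if r.install_on in (name, "all")]  # Install On
        self.free_ports = list(hide_ports)   # tiny pool so exhaustion is visible
        self.table = {}                      # (hide_addr, port) -> (orig_src, orig_sport)

    def _apply_rules(self, pkt):
        s, d = ip_address(pkt.src), ip_address(pkt.dst)
        for r in self.rules:
            if ((r.orig_src == "any" or s in r.orig_src)
                    and (r.orig_dst == "any" or d in r.orig_dst)):
                if r.mode == "static_src":
                    return Pkt(r.xlate, pkt.sport, pkt.dst, pkt.dport)
                if r.mode == "static_dst":
                    return Pkt(pkt.src, pkt.sport, r.xlate, pkt.dport)
                # hide: many invalid sources behind one valid address; the
                # dynamically assigned source port tells the connections apart
                if not self.free_ports:
                    raise RuntimeError("hide-mode port pool exhausted")
                port = self.free_ports.pop(0)
                self.table[(r.xlate, port)] = (pkt.src, pkt.sport)
                return Pkt(r.xlate, port, pkt.dst, pkt.dport)
        return pkt  # no NAT rule matched: forwarded untranslated

    def outbound(self, pkt):
        return self._apply_rules(pkt)

    def inbound(self, pkt):
        # A reply to a hidden host is recognised only by its assigned port.
        orig = self.table.get((pkt.dst, pkt.dport))
        if orig is not None:
            return Pkt(pkt.src, pkt.sport, orig[0], orig[1])
        return self._apply_rules(pkt)  # static destination rules apply here


def demo():
    gw = Gateway("gw", RULES)
    a = gw.outbound(Pkt("10.1.2.3", 40000, "198.51.100.7", 80))   # two clients using
    b = gw.outbound(Pkt("10.1.2.4", 40000, "198.51.100.7", 80))   # the same source port
    reply_a = gw.inbound(Pkt("198.51.100.7", 80, a.src, a.sport))
    server = gw.outbound(Pkt("10.0.0.20", 25, "198.51.100.7", 25))
    to_server = gw.inbound(Pkt("198.51.100.7", 5555, "203.0.113.20", 80))  # unsolicited, static
    to_hidden = gw.inbound(Pkt("198.51.100.7", 5555, "203.0.113.1", 80))   # unsolicited, hide
    # Rules are installed on "gw" only, so a second gateway leaves packets alone.
    other = Gateway("gw2", RULES).outbound(Pkt("10.1.2.3", 40000, "198.51.100.7", 80))
    return a, b, reply_a, server, to_server, to_hidden, other


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Both hidden clients leave with the same valid source address and differ only in the port the gateway assigned, and the reply is mapped back to 10.1.2.3 purely from that port. The unsolicited packet to the static address is rewritten to the internal server (Static Destination), whereas the one to the hide address passes through unchanged and so never reaches an internal host; the server's own outgoing connection is rewritten by the Static Source rule, which is why the page says the two static modes are usually paired.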
30. GUIs that are available in FireWall-1:
1. Policy Editor GUI: used for creating rules and network
objects. The GUI may have up to four tabs: a) Security Policy,
b) Address Translation, c) Bandwidth Policy, d) Compression Policy.
2. Log Viewer GUI: used for viewing log files, which contain
events recorded as per the Rule Base as well as other events
such as security alerts and important system events.
3. System Status GUI: enables real-time monitoring of all
FireWall modules and alerting. Communication and traffic-flow
statistics are also displayed.
4. SecureClient Packaging Tool: customizes SecureClient
installations and simplifies large-scale deployment of
SecuRemote/SecureClient.
5. Traffic Monitoring: used for monitoring traffic.
6. SecureUpdate: enables centralized management of Check Point
and OPSEC software products, including licensing.