31. FireWall-1 supports the following encryption
schemes:
FWZ: This is a Check Point proprietary encryption
scheme. FWZ uses symmetric encryption.
Manual IPSec: This is an encryption and authentication
scheme. The keys are fixed for the duration of the
connection.
SKIP: This has some advantages over IPSec, in that
the keys change over time. An Internet host can
send an encrypted packet to another host without
requiring a prior message exchange to set up a secure
channel.
IKE: The Internet Key Exchange (IKE) protocol
is a key management protocol standard that is used
in conjunction with the IPSec standard. IPSec is
an IP security protocol that provides robust authentication
and encryption of IP packets.
ISAKMP stands for Internet Security Association
and Key Management Protocol. ISAKMP defines procedures
and packet formats to establish, negotiate, modify
and delete Security Associations (SAs).
32. There are nine objects available to manage a
network under Network Objects Manager. These are:
Workstation
Network
Domain
OSE Device
Embedded Device
Gateway Cluster
Group
Logical Server
Address Range
Dynamic Object
Only the objects that are used in the Rule Base need
to be defined to VPN-1/FireWall-1. Also, note that an
object needs to be defined to VPN-1/FireWall-1 BEFORE
a rule is defined (in the Rule Base) using that object.
The Object Tree of the Check Point Policy Editor of FireWall-1
consists of eight tabs. These are:
  #  Object Tree Tab      Menu Command
  1  Network Objects      Manage -> Network Objects
  2  Services             Manage -> Services
  3  Resources            Manage -> Resources
  4  OPSEC Applications   Manage -> OPSEC Applications
  5  Servers              Manage -> Servers
  6  Users                Manage -> Users
  7  Time Objects         Manage -> Time
  8  Virtual Links        Manage -> Virtual Links
Note that Users and Servers are management objects.
33. Some common protocol port numbers are:
Telnet: Port #23
FTP: Port #21
HTTP (WWW): Port #80
SMTP: Port #25
34. The Internet Assigned Numbers Authority (IANA) has set
aside several ranges of IP addresses that can be freely used on
private networks (the Internet will not route these IP addresses).
The IP address ranges designated as private are:
Class A private address range:10.0.0.0 - 10.255.255.255
Class B private address range:172.16.0.0 - 172.31.255.255
Class C private address range:192.168.0.0 - 192.168.255.255
35. The VPN-1/FireWall-1 Security Policy permits any number of
administrators to view the Security Policy. However, only one
administrator can log in with read/write permissions. This
arrangement prevents the confusion that would arise from two admins
simultaneously making changes to the Security Policy without knowing
what the other is doing.
36. The following are required to log on to the Log Viewer
of a FireWall-1 Management Server:
User Name
Password
Name or IP address of Management Server.
37. SIC (Secure Internal Communication) is used for communication
between Modules and the Management Server. The following are
true about SIC (Secure Internal Communication):
1. The SIC name of a Module is typically known as its DN (Distinguished
Name).
2. VPN certificates and SIC certificates are used for different
purposes.
3. IP connectivity between the Management Server and the Module
is REQUIRED to start the initialization process of the Module.
The certificate is securely issued to the Module during the
initialization process. After successful initialization, the Module
is said to be in the TRUST state.
38. SecureUpdate allows the installation of Check Point
and OPSEC products to be managed from a central location. The
operations that can be performed include:
1. Upgrade and uninstall major versions and Service Packs.
2. Perform multiple simultaneous upgrades.
3. Manage the product repository.
4. View the status of an operation.
39. SecureUpdate supports two types of licenses:
1. Central License - Here the Module License is bound to
the IP address of the Management Server. That is, the Management
Server IP address is used for issuing the license. The advantage
is that even if the IP address of the local module (to which
the license is issued) changes, there is no need to re-issue
the license.
2. Local License - Here the Module License is bound to the
IP address of the module to which the license is issued. If the
IP address of the local module changes, the license needs to
be re-validated.
40. Static source mode translates the client's internal,
invalid/reserved IP addresses to legal external IP addresses.
Note that in static modes the IP addresses have a one-to-one relationship.
Static destination mode translates the server's legal external
IP addresses to invalid/reserved internal IP addresses. Static
destination mode is used when a server located on the internal
network with a private or invalid IP address is accessed
from the Internet.
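The following is an added example, not taken from the notes above or from Check Point's own software. It models the two points made in items 34 and 40 together: a check against the three private (RFC 1918) ranges listed in item 34, and a one-to-one static NAT table that performs the static source translation (outbound, rewrite the source) and static destination translation (inbound, rewrite the destination) described in item 40. The class name `StaticNAT`, the packet dictionaries, and all addresses (192.168.x.x internal hosts, 203.0.113.x and 198.51.100.x external addresses from the documentation ranges) are constructed for the example.

```python
"""Added example: RFC 1918 private-range check plus a one-to-one static
NAT table in the style of FireWall-1 static source/destination modes.
Not the product's code; all addresses below are constructed samples."""
import ipaddress

# The three private ranges listed in item 34 (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 - 192.168.255.255
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


class StaticNAT:
    """One-to-one mapping between internal (private) and external (legal)
    addresses. Because static modes are 1:1, each side may appear only once."""

    def __init__(self) -> None:
        self._in_to_out: dict[str, str] = {}
        self._out_to_in: dict[str, str] = {}

    def add(self, internal: str, external: str) -> None:
        """Register an internal<->external pair, enforcing the 1:1 rule."""
        if not is_private(internal):
            raise ValueError(f"{internal} is not a private/reserved address")
        if is_private(external):
            raise ValueError(f"{external} is not a routable external address")
        if internal in self._in_to_out or external in self._out_to_in:
            raise ValueError("static NAT is 1:1; address already mapped")
        self._in_to_out[internal] = external
        self._out_to_in[external] = internal

    def translate_source(self, packet: dict) -> dict:
        """Static source mode: outbound packet from an internal client.
        The private source address is replaced by its legal external one."""
        src = packet["src"]
        if src not in self._in_to_out:
            raise KeyError(f"no static source mapping for {src}")
        return {**packet, "src": self._in_to_out[src]}

    def translate_destination(self, packet: dict) -> dict:
        """Static destination mode: inbound packet aimed at the legal external
        address of an internal server; the destination becomes its private one."""
        dst = packet["dst"]
        if dst not in self._out_to_in:
            raise KeyError(f"no static destination mapping for {dst}")
        return {**packet, "dst": self._out_to_in[dst]}


def build_sample_table() -> StaticNAT:
    """Constructed sample table: two internal hosts with legal external addresses."""
    nat = StaticNAT()
    nat.add("192.168.10.5", "203.0.113.5")    # internal web server
    nat.add("192.168.10.6", "203.0.113.6")    # internal mail server
    return nat


if __name__ == "__main__":
    nat = build_sample_table()
    # Outbound: internal client 192.168.10.5 talks to an Internet host.
    out = nat.translate_source({"src": "192.168.10.5", "dst": "198.51.100.7", "dport": 80})
    print("static source:", out)
    # Inbound: an Internet host reaches the web server by its external address.
    inb = nat.translate_destination({"src": "198.51.100.7", "dst": "203.0.113.5", "dport": 80})
    print("static destination:", inb)
```

The `add` method rejects a second mapping for an address already in the table, which is the practical meaning of "1 to 1" in item 40: a duplicate on either side would make the reverse translation ambiguous.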