
Day Three Session

Objective

• Various authentication methods

• Content Security

• Network Address Translation

CSC Private
Chapter 6 – Authentication
• At the end of the chapter, you should be able to –

• Understand static and one-time passwords

• Understand user, session and client authentication

• Understand the best authentication method for a given situation

• Integrate 3rd party authentication servers in Firewall-1
Passwords
• Firewall-1 provides various authentication options

• Firewall-1 Password
• OS Password
• S/Key
• Secure ID
• RADIUS
• TACACS
• LDAP

User Authentication
• Provides authentication for 5 different services.

• Services include –

• telnet
• http
• https
• rlogin
• FTP

Session Authentication
• Session authentication can be used for “any” service.

• Relies on the agent installed on the client machine

Session Authentication

Client Authentication
• Used to authenticate “any” service

• User must authenticate to the firewall before the service is authorized

• Service is provided a specific number of times and/or for a specific duration of time
• Authentication may happen in one of the following ways –

• Telnet to firewall on port 259
• HTTP to firewall on port 900
• HTTPS to firewall on port 950
Client Authentication
• Two choices in client authentication

• Standard Sign-on – Authenticates once and performs whatever the authentication allows

• Specific Sign-on – Requires a specific destination and service each time you connect.
Standard Sign-on

Client Authentication using HTTP

Specific Sign-on using HTTP

Which authentication is best?

Steps in setting up user authentication
• Create the necessary users and groups required for authentication

• Create appropriate rules in the rulebase

• Configure user authentication action properties

• Configure rulebase properties authentication frame

• Verify and install policy

Setting up user authentication
• When adding the source, right-click the source field and click “Add user access”
• Right-click the user authentication and select “edit properties” in the action field.
Importance of rule in User Authentication
• If user authentication rules are present, the firewall does not
process the rule base in order.

• Instead, all rules are evaluated and the least restrictive rule
applies.
Example of User authentication

Setting Session authentication
• Similar to User authentication except the action properties
settings

Setting Client Authentication
• Similar to User Authentication except the action properties
settings

Client Authentication (Contd.)
• You may select standard sign-on or specific sign-on
• Manual sign-on – Authentication happens only via telnet on
port 259 or http on port 900
• Partially Automatic – Firewall-1 allows you to use user
authentication (User authentication database) for 5 services
(telnet, http, ftp, rlogin and https)
• Fully Automatic – Non-standard services can be
authenticated using session authentication.
• Agent automatic sign-on – Uses session authentication
when the rule is matched. It performs standard sign-on.
Client Authentication (Contd.)

Chapter 7 - Content Security
• At the end of this chapter, you should be able to –

• Know what CVP and UFP are used for

• Restrict content for various tcp services.

• Understand performance issues with Content Security.

Word about content security
• Checkpoint found that they could not integrate all applications into the Firewall-1 software.

• They integrated 3rd party applications to work with Firewall-1

• CVP (Content Vectoring Protocol) and UFP (URL Filtering Protocol) are discussed later in this chapter
CVP
• It is used to scan content, typically for viruses, but can also scan malicious Java applets and ActiveX controls depending on the CVP server used.

• A content stream is intercepted by one of the security servers on the firewall.

• Security servers include the http daemon, ftp daemon, https daemon and telnet daemon. Other generic tcp services can be added as well.
CVP
• Following are the actions taken by the CVP server
• Send the content as is without any modification
• Remove the offending content and send the corrected content
• Do not send the content at all.

• Wildcards used in resources.

• * – Matches a string of any length. E.g.: *@csc.com would match all email addresses at csc.com
• + – Matches any single character. E.g. pink+@csc.com would match pinky@csc.com, pinkie@csc.com etc.
• { , } – Matches any of the listed strings. E.g. pinky@{csc,abc}.com would match pinky@csc.com and pinky@abc.com

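To make the three resource wildcards concrete, here is an added example (not Check Point's code) that compiles a Firewall-1 style resource pattern into an anchored regular expression and matches addresses against it. It assumes the alternatives inside `{ , }` are literal strings, which is an assumption made for this example.

```python
import re


def resource_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a Firewall-1 style resource wildcard into an anchored regex.

    '*'     matches a string of any length (including the empty string)
    '+'     matches exactly one character
    '{a,b}' matches any one of the comma-separated alternatives
            (treated as literals here, an assumption for this example)
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "+":
            parts.append(".")
        elif ch == "{":
            end = pattern.find("}", i)
            if end == -1:
                raise ValueError("unterminated '{' in resource pattern")
            alternatives = [a.strip() for a in pattern[i + 1:end].split(",")]
            parts.append("(?:" + "|".join(re.escape(a) for a in alternatives) + ")")
            i = end  # skip to the closing brace
        else:
            parts.append(re.escape(ch))  # '.' and '@' are literal, not regex metacharacters
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def resource_matches(pattern: str, value: str) -> bool:
    """True if the whole value (e.g. an e-mail address) matches the resource pattern."""
    return resource_pattern_to_regex(pattern).fullmatch(value) is not None
```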
UFP
• Used for filtering HTTP traffic destined for internet-based URLs

• Firewall-1 uses the HTTP security server and intercepts any connections that go to the internet.

• Based on the defined URL list and the security policy, access is either granted or denied.
URI Resource
• Click on Manage – Resources and select new URI resource

URI Resource
• Once the URI resource is defined, it can be used in the rule base in the “action” field
UFP with HTTP Security Server
• Following are the configuration steps to configure a UFP
server with Firewall-1 HTTP security server

• Define workstation object on which UFP server is running

• Define OPSEC application object

• Define URI resource of type UFP

• Add rule using the resource and verify/install policy

UFP with HTTP Security Server
• Creating an OPSEC application
• Click on icon and select new OPSEC application

UFP with http security server
• Finally add the rule with the resource type in the action field.

CVP with HTTP security server
• Following are the steps to configure CVP with http security
server

• Define workstation object on which CVP server is running

• Define OPSEC application object of type CVP

• Define a URI resource that uses CVP server

• Use the rule with resource and install policy.

CVP using HTTP security server
• Creating the OPSEC application object is similar to UFP, except that you select CVP server as the option
• Create a URI resource of type CVP

CVP using http security server
• Verify and install the policy
Chapter 8 – Network Address Translation
• At the end of the chapter, you should be able to –

• Understand why NAT is necessary

• Identify what NAT actually does.

• Understand the limitations of using NAT

• Troubleshoot NAT issues.

What does NAT do?
• NAT allows hosts to transparently talk to one another with
addresses that are agreeable to each other.

• In other words, it allows illegal/private addresses to talk to hosts on the public network.

• Best utilization of public addresses.
How it works?

How NAT Works
• Give your email, intranet web server, web server, email
server an external address

• Protect your entire internal network.

• Allows internal network access to the internet using a single internet address

• Change ISP without re-numbering your internal network.
Disadvantages of using NAT
• NAT must be able to handle new applications. It is unable to
handle some applications, and probably more in the near future.

• Requires some additional work to maintain

• Limited addresses can be hidden behind a single address

• Requires extra memory and CPU cycles. Negligible with limited connections, but noticeable with over 20,000 connections.
Types of NAT
• Four types of NAT are available on Firewall-1

• Source Static – Translates the source IP address to a specific static address

• Source Hide – Translates the source address to a hide address. Also referred to as “many-to-one” translation

• Destination Static – Translates the destination IP address to a specific static address

• Destination Port Static – Translates only the destination port number to a specific port.
Order of Operation

Order of operation
• The firewall checks whether this is a new connection; if there is no record of the packet in the connections table, the connection must be checked against the security policy.

• The firewall performs an anti-spoofing check on the 10.20.30.1 interface. The source of the packet (10.20.30.40) is compared against the valid address setting.

• Firewall checks properties and rulebase

• OS routes the packet.

• Packet goes through the address translation rules.

• Packet is routed with/without translation to the interface.
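The order of operation above and the source-hide translation from the "Types of NAT" slide, walked through in code as an added example (not Firewall-1's own logic): a packet from 10.20.30.40 arriving on the 10.20.30.1 interface passes the anti-spoofing check, is matched against a rule base, and is hide-translated on the way out. The external interface 203.0.113.1, the valid-address settings, the rule base and the hide-NAT rule are all constructed for this example; applying hide NAT only on the external interface is an assumption made here.

```python
import ipaddress

# Constructed topology. 10.20.30.1 is the internal interface from the slide;
# its "valid address" setting lists the network expected behind it.
# The external interface and its address are constructed for this example.
INTERFACES = {
    "10.20.30.1": {"valid": [ipaddress.ip_network("10.20.30.0/24")], "external": False},
    "203.0.113.1": {"valid": [ipaddress.ip_network("0.0.0.0/0")], "external": True},
}

# Constructed rule base: (source net, destination net, service, action),
# matched top-down, first match wins (user-authentication rules aside).
RULES = [
    ("10.20.30.0/24", "0.0.0.0/0", "http", "accept"),
    ("0.0.0.0/0", "0.0.0.0/0", "any", "drop"),
]

# Constructed source-hide ("many-to-one") rule: the internal network is
# hidden behind the external interface address.
HIDE_NAT = {"hidden": ipaddress.ip_network("10.20.30.0/24"), "hide_addr": "203.0.113.1"}

def anti_spoofing_ok(in_iface, src):
    """Step 2: the source must fall inside the inbound interface's valid addresses."""
    src_ip = ipaddress.ip_address(src)
    return any(src_ip in net for net in INTERFACES[in_iface]["valid"])

def rulebase_action(src, dst, service):
    """Step 3: evaluate the rule base; no match means an implicit drop."""
    for src_net, dst_net, svc, action in RULES:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
                and svc in (service, "any")):
            return action
    return "drop"

def translate_source(src, out_iface):
    """Step 5: apply hide NAT only when leaving via the external interface
    (an assumption made for this example)."""
    if INTERFACES[out_iface]["external"] and ipaddress.ip_address(src) in HIDE_NAT["hidden"]:
        return HIDE_NAT["hide_addr"]
    return src

def process_packet(in_iface, src, dst, service, out_iface):
    """Run the slide's order of operation; return (verdict, source seen on the wire)."""
    if not anti_spoofing_ok(in_iface, src):
        return ("drop: anti-spoofing", src)   # rejected before the rule base is consulted
    if rulebase_action(src, dst, service) != "accept":
        return ("drop: rule base", src)       # step 3 rejected it
    return ("accept", translate_source(src, out_iface))  # steps 4-6: route, translate, send
```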
Questions
