Checkpoint - Day 3
Objective
• Content Security
CSC Private
Chapter 6 – Authentication
• At the end of the chapter, you should be able to –
Passwords
• Firewall-1 provides various authentication options
• Firewall-1 Password
• OS Password
• S/Key
• Secure ID
• RADIUS
• TACACS
• LDAP
User Authentication
• Provides authentication for 5 different services.
• Services include –
• telnet
• http
• https
• rlogin
• FTP
Session Authentication
• Session authentication can be used for “any” service.
Client Authentication
• Used to authenticate “any” service
• Two choices in client authentication
Standard Sign-on
Client Authentication using HTTP
Specific Sign-on using HTTP
Which authentication is best?
Steps in setting up user authentication
• Create the users and groups required for authentication
Setting up user authentication
• When adding the source, right-click the source field and click “Add user access”
• Right-click the user authentication action and select “edit properties” in the action field
Importance of rule in User Authentication
• If user authentication rules are present, the firewall does not process the rule base in order (first match wins).
• Instead, all matching rules are evaluated and the least restrictive rule applies.
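The evaluation order described above, as a small added model that is not part of the original slides or of Firewall-1 itself. The rule base, the hosts and the restrictiveness ranking (accept is less restrictive than user auth, which is less restrictive than drop) are constructed assumptions used only to illustrate why an authentication rule placed above a plain accept rule may not take effect.

```python
"""Model of rule-base evaluation with and without user authentication rules.

Constructed example: the ranking of actions by restrictiveness and the
sample rule base are assumptions for illustration, not Firewall-1 internals.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed ranking: lower value means less restrictive.
RESTRICTIVENESS = {"accept": 0, "user auth": 1, "drop": 2}


@dataclass
class Rule:
    number: int
    source: str    # "any" or a network object name
    service: str   # "any" or a service name
    action: str    # one of the keys of RESTRICTIVENESS

    def matches(self, source: str, service: str) -> bool:
        return self.source in ("any", source) and self.service in ("any", service)


def select_rule(rules: List[Rule], source: str, service: str) -> Optional[Rule]:
    """Return the rule that decides a connection.

    Without user-auth rules the first matching rule wins (ordered evaluation).
    With at least one user-auth rule present, every matching rule is evaluated
    and the least restrictive one wins; ties keep rule-base order.
    """
    matching = [r for r in rules if r.matches(source, service)]
    if not matching:
        return None
    if any(r.action == "user auth" for r in rules):
        return min(matching, key=lambda r: (RESTRICTIVENESS[r.action], r.number))
    return matching[0]


# Constructed rule base: an auth rule sits above a plain accept for the LAN.
RULE_BASE = [
    Rule(1, "any", "http", "user auth"),
    Rule(2, "lan", "http", "accept"),
    Rule(3, "any", "any", "drop"),
]

if __name__ == "__main__":
    # LAN web traffic is accepted by rule 2 without authentication, even
    # though rule 1 is listed first: the least restrictive match applies.
    print(select_rule(RULE_BASE, "lan", "http"))
```

The check a reviewer would apply: if the authentication rule is meant to cover LAN users too, there must be no less restrictive rule anywhere in the rule base that also matches that traffic.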
Example of User authentication
Setting Session authentication
• Similar to user authentication except for the action properties settings
Setting Client Authentication
• Similar to user authentication except for the action properties settings
Client Authentication (Contd.)
• You may select standard sign-on or specific sign-on
• Manual sign-on – authentication happens only via telnet on port 259 or HTTP on port 900
• Partially automatic – Firewall-1 allows you to use user authentication (the user authentication database) for the 5 services (telnet, HTTP, FTP, rlogin and HTTPS)
• Fully automatic – non-standard services can be authenticated using session authentication
• Agent automatic sign-on – uses session authentication when the rule is matched; it performs standard sign-on
Chapter 7 - Content Security
• At the end of this chapter, you should be able to –
Word about content security
• Checkpoint found that they could not integrate all applications into the Firewall-1 software.
CVP
• It is used to scan content, typically for viruses, but can also scan for malicious Java applets and ActiveX controls depending on the CVP server used.
CVP
• The CVP server can take one of the following actions:
• Send the content as is, without any modification
• Remove the offending content and send the corrected content
• Do not send the content at all
UFP
• Used for filtering HTTP traffic destined for Internet-based URLs
URI Resource
• Click on Manage – Resources and select new URI resource
URI Resource
• Once the URI resource is defined, it can be used in the “action” field of the rule base
UFP with HTTP Security Server
• The following are the configuration steps for a UFP server with the Firewall-1 HTTP security server
UFP with HTTP Security Server
• Creating an OPSEC application
• Click on icon and select new OPSEC application
UFP with HTTP Security Server
• Finally, add the rule with the resource type in the action field.
CVP with HTTP security server
• The following are the steps to configure CVP with the HTTP security server
• Creating the OPSEC application object is similar to UFP, but select CVP server as the option instead
• Create a URI resource of type CVP
What NAT does
• NAT allows hosts to transparently talk to one another using addresses that are acceptable to each side.
How NAT Works
• Give your e-mail server, intranet web server and web server an external address
Disadvantages of using NAT
• NAT must be able to handle new applications. It is unable to handle some applications today, and probably more in the near future.
Types of NAT
• Four types of NAT are available on Firewall-1
Order of operation
• The firewall checks whether the packet belongs to a new connection: if there is no record of it in the connections table, the connection must be checked against the security policy.