Worldwide Leader in Securing the Internet. Technical Lab n°1 Guidelines: End-to-End Security and VPN.

Presentation transcript:


©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential

Agenda
- Introduction
- Lab Presentation
- Lab 1-1 : VPN Client to Gateway
- Lab 1-2 : Hybrid Mode
- Lab 1-3 : SecureClient
- Lab 1-4 : SecureServer
- Lab 1-5 : SR/SC behind NAT Hide

Introduction : Objectives
- Understand End-to-End Security and secure communications
- Setup Hybrid Mode (strong authentication)
- Setup / Manage VPN-1 SecureServer
- Understand and setup the new SP2 functionality : UDP encapsulation

Lab Architecture – Lab 1 (diagram): VPN-1 (FW/VPN Module + Management), CLIENT (SecureClient), SERVER (RADIUS) and SecureServer (Telnet Server), connected by hubs.

Components
- VPN-1: NT 4.0 SP6a, VPN SP2
- SERVER: NT 4.0 SP6a, Radius Server
- SecureServer: NT 4.0 SP6a, Telnet Server + SecureServer 4.1 SP2
- Client: NT 4.0 SP6a, VPN-1 SecureClient build 4165

Lab 1-1 : VPN Client to Gateway

Logical architecture (diagram): VPN-1 (FW/VPN Module + Management), CLIENT, SERVER and SecureServer, connected by hubs; a VPN tunnel is marked on the diagram.

Lab 1-1 : VPN Client to Gateway
- Configure VPN-1 to support client-to-site encryption
- Create a remote user
- Create SecuRemote Site
- Access SecureServer with telnet
  - Check logs

Lab 1-1 : VPN Client to Gateway (ADVANCED)
- Debug SecuRemote
  - fwenc.log file
  - SRinfo file
- Debug IKE negotiation
  - Use IKEview

Lab 1-1 : VPN Client to Gateway (ADVANCED) – Ike.elg and Ikeview
- Use with FireWall-1/SecuRemote 4.1:
  - Generate a file IKE.elg on FW or SR4.1. To do it, you need to :
    - Create the environment variable FWIKE_DEBUG=1 (set FWIKE_DEBUG=1)
    - On FW-1 : fwstop, fwstart
    - On SR4.1 : kill SR, create a log directory (in SRDIR directory) and reload SR.
    - The file IKE.elg will be created in the log directory.
  - Load IKEView and open the IKE.elg file.

Lab 1-2 : Hybrid Mode

Logical architecture (diagram): VPN-1 (FW/VPN Module + Management), CLIENT, SERVER and SecureServer, connected by hubs; a VPN tunnel and the RADIUS authentication exchange are marked on the diagram.

Lab 1-2 : Hybrid Mode
- Goal : establish a client-to-site IKE VPN using Radius to authenticate the remote user.
- IMPORTANT: You must define a user with pre-shared secret to download the topology.

Lab 1-2 : Hybrid Mode
- Define a user with pre-shared secret to download the topology
  - Not member of any group
- Create the Internal CA on the Management Station
- Create a Certificate for the VPN/Firewall Module
- Allow "Hybrid" Mode SecuRemote Authentication on the Firewall Object (IKE Tab)
- Define a User with one of the classical authentication methods (ex: RADIUS)
- Update the SecuRemote Site with the first user
- Test authentication
  - Check logs

Lab 1-3 : SecureClient

Logical architecture (diagram): VPN-1 (FW/VPN Module + Management + Policy Server), CLIENT, SERVER and SecureServer, connected by hubs; a VPN tunnel is marked on the diagram.

Lab 1-3 : SecureClient
- Define a Policy Server
- Define a policy (encrypt only)
- Update SecureClient Site
- Reach TelnetServer
  - Try to ping
- Configure SCV (Desktop Configuration Verification)
  - Then bind NetBeui on the client
- Try to reach TelnetServer
  - Then uncheck SCV

Lab 1-3 : SecureClient (Advanced)
- View unauthorized actions on SecureClient
  - View SR.log file

Lab 1-4 : SecureServer

Logical architecture (diagram): VPN-1 (FW/VPN Module + Management), CLIENT, SERVER and SecureServer, connected by hubs; a VPN tunnel is marked on the diagram.

Lab 1-4 : SecureServer
- Goal is to establish end-to-end VPN between client and Server.
- Create new encryption domain for VPN1
- Change VPN properties for VPN1
  - Encryption domain
- Enable VPN for SecureServer
- Create Certificate for Secureserver (Hybrid mode)
- Register SecureServer as a Radius Client

Lab 1-4 : SecureServer
- Update topology
- Access Secureserver with telnet
- Check Logs

Lab 1-4 : SecureServer
- Warning: a security rule whose « Install on » field is set to « Gateways » is not installed on SecureServer (gateways only).
- Features not available on SecureServer
  - User Authentication
  - Content Security (CVP, UFP..)
  - NAT
  - IP forwarding is turned off (…)

Lab 1-5 : SR/SC behind NAT Hide

Logical architecture (diagram): SecureServer, VPN-1 (FW/VPN Module + Management), CLIENT and SERVER, connected by hubs; the SR/SC at the customer site is NATed Hide behind the router's address; a VPN tunnel is marked on the diagram.

NAT with SecuRemote (cont.)
- Create a new network object for Net
  - NATed Hide behind
- Uncheck VPN properties for VPN1
- Bind Policy Server to SecureServer
- Modify Rulebase
- Create new SR site (Secureserver)
- Access SecureServer with telnet
- Check Logs
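Why Lab 1-5 pairs "SR/SC behind NAT Hide" with the SP2 UDP encapsulation feature, as an added toy model that is not part of the lab deck or Check Point's code: a Hide (many-to-one) NAT keys its translations on source ports, which raw ESP does not carry, so only UDP-encapsulated IPsec from several clients can be mapped out and back. All addresses, the port 2746 and the NAT's port range are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                   # "esp" (raw IPsec) or "udp" (UDP-encapsulated ESP)
    src: str
    dst: str
    sport: Optional[int] = None  # raw ESP carries no transport ports
    dport: Optional[int] = None

class HideNat:
    """Many-to-one (Hide) NAT like the customer-site router in Lab 1-5: flows are
    keyed on (proto, inside address, inside port), so a port-less flow gets no entry."""
    def __init__(self, hide_addr: str, first_port: int = 10000):
        self.hide_addr, self.next_port = hide_addr, first_port
        self.out, self.back = {}, {}  # inside key -> public port, public port -> inside

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None  # nothing to rewrite: two ESP clients would be indistinguishable
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.hide_addr, sport=self.out[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.back.get((pkt.proto, pkt.dport))
        return None if inside is None else replace(pkt, dst=inside[0], dport=inside[1])

def run_scenario(encapsulate: bool) -> dict:
    """Two SecureClients behind one router reach the SecureServer/gateway (assumed
    addresses). Returns, per client, (public src, public port, reply delivered to)."""
    nat, gateway, results = HideNat("198.51.100.1"), "203.0.113.10", {}
    for client in ("10.0.0.5", "10.0.0.6"):
        # UDP port 2746 is an assumption for the encapsulation port; the page gives none
        pkt = (Packet("udp", client, gateway, 2746, 2746) if encapsulate
               else Packet("esp", client, gateway))
        outside = nat.outbound(pkt)
        if outside is None:
            results[client] = None
            continue
        reply = Packet(outside.proto, gateway, outside.src, outside.dport, outside.sport)
        back = nat.inbound(reply)
        results[client] = (outside.src, outside.sport, back.dst if back else None)
    return results
```

The gateway only ever sees the hide address as the peer, which is why the lab defines a network object for the client net as "NATed Hide behind" the router's address before the SR site can be rebuilt.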

Agenda
- Lab 1-1 : VPN Client to Gateway
- Lab 1-2 : Hybrid Mode
- Lab 1-3 : SecureClient
- Lab 1-4 : SecureServer
- Lab 1-5 : SR/SC behind NAT Hide

Q & A ? Thank you