Published by Lora Walsh. Modified over 9 years ago.
Slide 2
WORLDWIDE LEADER IN SECURING THE INTERNET
Technical Lab n°1 Guidelines: End-to-End Security and VPN
Slide 3
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
Agenda
  Introduction
  Lab Presentation
  Lab 1-1: VPN Client to Gateway
  Lab 1-2: Hybrid Mode
  Lab 1-3: SecureClient
  Lab 1-4: SecureServer
  Lab 1-5: SR/SC behind NAT Hide
Slide 4
Introduction: Objectives
  Understand End-to-End Security and secure communications
  Set up Hybrid Mode (strong authentication)
  Set up and manage VPN-1 SecureServer
  Understand and set up the new SP2 functionality: UDP encapsulation
Slide 5
Lab Architecture – Lab 1
  VPN-1 (FW/VPN Module + Management): 192.168.1.30 on the client segment, 192.168.2.30 on the server segment
  Client segment (hub): CLIENT, 192.168.1.25, running SecureClient
  Server segment (hub): SERVER (RADIUS) and SecureServer (Telnet Server + SecureServer), at 192.168.2.31 and 192.168.2.32
Slide 6
Components
  VPN-1: NT 4.0 SP6a, VPN-1 4.1 SP2
  SERVER: NT 4.0 SP6a, RADIUS Server
  SecureServer: NT 4.0 SP6a, Telnet Server + SecureServer 4.1 SP2
  Client: NT 4.0 SP6a, VPN-1 SecureClient build 4165
Slide 7
Lab 1-1: VPN Client to Gateway
Slide 8
Logical architecture: CLIENT -- hub -- VPN-1 (FW/VPN Module + Management) -- hub -- SERVER and SecureServer. The VPN runs from the CLIENT to the VPN-1 gateway.
Slide 9
Lab 1-1: VPN Client to Gateway
  Configure VPN-1 to support client-to-site encryption
  Create a remote user
  Create the SecuRemote site
  Access SecureServer with telnet
  Check logs
Slide 10
Lab 1-1: VPN Client to Gateway (ADVANCED)
  Debug SecuRemote
    fwenc.log file
    SRinfo file
  Debug the IKE negotiation
    Use IKEView
Slide 11
Lab 1-1: VPN Client to Gateway (ADVANCED)
IKE.elg and IKEView
  Use with FireWall-1/SecuRemote 4.1:
  Generate an IKE.elg file on FW-1 4.1 or SR 4.1. To do so:
    Create the environment variable FWIKE_DEBUG=1 (set FWIKE_DEBUG=1)
    On FW-1: fwstop, then fwstart
    On SR 4.1: kill SR, create a log directory (inside the SRDIR directory) and reload SR
  The IKE.elg file is created in the log directory.
  Load IKEView and open the IKE.elg file.
  Unset FWIKE_DEBUG and restart once you are done: the file records every IKE negotiation in detail and grows quickly.
Slide 12
Lab 1-2: Hybrid Mode
Slide 13
Logical architecture: CLIENT -- hub -- VPN-1 (FW/VPN Module + Management) -- hub -- SERVER and SecureServer. The VPN runs from the CLIENT to VPN-1; user authentication goes from VPN-1 to the RADIUS server (RADIUS Auth).
Slide 14
Lab 1-2: Hybrid Mode
  Goal: establish a client-to-site IKE VPN using RADIUS to authenticate the remote user.
  IMPORTANT: you must define a user with a pre-shared secret to download the topology. The Hybrid Mode user cannot authenticate until the client knows the site (and the gateway certificate), so this first user is what fetches it.
Slide 15
Lab 1-2: Hybrid Mode
  Define a user with a pre-shared secret to download the topology
    Not a member of any group
  Create the Internal CA on the Management Station
  Create a certificate for the VPN/Firewall Module
  Allow "Hybrid" Mode SecuRemote Authentication on the Firewall object (IKE tab)
  Define a user with one of the classical authentication methods (e.g. RADIUS)
  Update the SecuRemote site with the first user
  Test authentication
  Check logs
Slide 16
Lab 1-3: SecureClient
Slide 17
Logical architecture: CLIENT -- hub -- VPN-1 (FW/VPN Module + Management + Policy Server) -- hub -- SERVER and SecureServer. The VPN runs from the CLIENT to VPN-1.
Slide 18
Lab 1-3: SecureClient
  Define a Policy Server
  Define a desktop policy (encrypt only)
  Update the SecureClient site
  Reach TelnetServer
    Try to ping 192.168.6.1 (a host outside the lab's encryption domain; observe how the encrypt-only policy treats it)
  Configure SCV (Secure Configuration Verification)
    Then bind NetBEUI on the client
  Try to reach TelnetServer with NetBEUI bound
    Then uncheck SCV and compare
Slide 19
Lab 1-3: SecureClient (Advanced)
  View unauthorized actions on SecureClient
    View the SR.log file
Slide 20
Lab 1-4: SecureServer
Slide 21
Logical architecture: CLIENT -- hub -- VPN-1 (FW/VPN Module + Management) -- hub -- SERVER and SecureServer. The VPN now runs end to end, from the CLIENT to SecureServer.
Slide 22
Lab 1-4: SecureServer
  Goal: establish an end-to-end VPN between the client and the server.
  Create a new encryption domain for VPN1
  Change the VPN properties for VPN1
    Encryption domain
  Enable VPN for SecureServer
  Create a certificate for SecureServer (Hybrid Mode)
  Register SecureServer as a RADIUS client
Slide 23
Lab 1-4: SecureServer
  Update the topology
  Access SecureServer with telnet
  Check logs
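Labs 1-2 and 1-4 both hand user authentication to the RADIUS server: in Hybrid Mode the gateway proves itself with its certificate and the user is then checked against RADIUS, and in Lab 1-4 SecureServer has to be registered as a RADIUS client before it can do the same. The following is an added example, not code from this lab or from Check Point, modelling that RFC 2865 exchange in Python with both sides in one process: the NAS (the VPN-1 gateway or SecureServer) builds an Access-Request with the User-Password obfuscated under the shared secret, the server looks the NAS up by source address, recovers the password and answers with a Response Authenticator that the NAS verifies. The NAS addresses follow the lab diagram; the shared secrets, user and password are constructed, and using 192.168.2.32 for SecureServer is an assumption.

```python
"""RADIUS PAP exchange (RFC 2865) between a NAS and the RADIUS server.
Added example: NAS addresses follow the lab diagram; secrets, user and
password are constructed, and 192.168.2.32 as SecureServer is assumed."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4

# Server-side RADIUS client table: a NAS is registered by IP with its own
# shared secret. This is what "Register SecureServer as a RADIUS client" adds.
NAS_CLIENTS = {
    "192.168.2.30": b"vpn1-gateway-secret",   # constructed
    "192.168.2.32": b"secureserver-secret",   # constructed (assumed SecureServer address)
}
USERS = {b"alice": b"correct horse"}           # constructed user database


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; c_i = p_i XOR MD5(secret + c_(i-1)),
    with the Request Authenticator playing c_0."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def deobfuscate_password(blob, secret, authenticator):
    plain, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        plain += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return plain.rstrip(b"\x00")   # strips the padding (passwords ending in NUL are out of scope)


def build_access_request(ident, user, password, nas_ip, secret, authenticator=None):
    ra = authenticator or os.urandom(16)          # fresh Request Authenticator per request
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, obfuscate_password(password, secret, ra))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_handle(packet, src_ip):
    """Server side. RFC 2865: a request from a NAS with no shared secret is
    silently discarded; otherwise recover the password and sign the reply."""
    secret = NAS_CLIENTS.get(src_ip)
    if secret is None:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = deobfuscate_password(attrs[USER_PASSWORD], secret, request_auth)
    accepted = USERS.get(attrs.get(USER_NAME)) == password
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_check_reply(reply, request, secret):
    """NAS side: a reply whose Response Authenticator does not verify is not
    trusted, so a spoofed Access-Accept from a third party carries no weight."""
    header, response_auth, reply_attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request[4:20] + reply_attrs + secret).digest()
    if response_auth != expected:
        return "invalid-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")


def authenticate(nas_ip, nas_secret, user, password):
    """Full round trip for one NAS: build the request, hand it to the server, verify the reply."""
    request = build_access_request(7, user, password, nas_ip, nas_secret)
    reply = server_handle(request, nas_ip)
    if reply is None:
        return "no-response"
    return client_check_reply(reply, request, nas_secret)


if __name__ == "__main__":
    print(authenticate("192.168.2.32", b"secureserver-secret", b"alice", b"correct horse"))  # accept
    print(authenticate("192.168.2.32", b"secureserver-secret", b"alice", b"wrong"))          # reject
    # NAS configured with a secret other than the registered one: the server recovers
    # garbage and rejects, and the NAS cannot even verify that reply.
    print(authenticate("192.168.2.32", b"typo-secret", b"alice", b"correct horse"))          # invalid-authenticator
    # NAS never registered: the server silently drops the request.
    print(authenticate("192.168.1.25", b"anything", b"alice", b"correct horse"))             # no-response
```

Two failure modes are worth recognising from the client side of the lab: a NAS whose configured secret does not match the one registered on the server gets a reply it cannot verify, and a NAS that was never registered gets no reply at all, which is how a skipped "Register SecureServer as a RADIUS client" step shows up.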
Slide 24
Lab 1-4: SecureServer
  Warning: a security rule whose "Install On" field is set to "Gateways" is not installed on SecureServer; that target covers gateways only.
  Features not available on SecureServer:
    User Authentication
    Content Security (CVP, UFP, ...)
    NAT
    IP forwarding is turned off
    (...)
Slide 25
Lab 1-5: SR/SC behind NAT Hide
Slide 26
Logical architecture: CLIENT (SR/SC, customer site) -- hub -- VPN-1 (FW/VPN Module + Management, acting as the router) -- hub -- SERVER and SecureServer. The SR/SC is NAT hidden behind the router's address; the VPN runs from the client to SecureServer.
Slide 27
NAT with SecuRemote (cont.)
  Create a new network object for net 192.168.1.0
    NAT Hide behind 192.168.2.30
  Uncheck the VPN properties for VPN1
  Bind the Policy Server to SecureServer
  Modify the rulebase
  Create a new SR site (SecureServer)
  Access SecureServer with telnet
  Check logs
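Lab 1-5 and the SP2 UDP encapsulation objective from slide 4 are two sides of the same problem: a Hide NAT rewrites every inside host to one address and tells them apart only by the transport-layer source port it assigns, and ESP (IP protocol 50) has no port field at all. The toy model below is an added example, not Check Point code; it pushes one tunnel packet from two hidden SR/SC hosts through a many-to-one NAT, first as raw ESP and then wrapped in UDP, and reports which replies find their way back. Addresses follow the lab (192.168.1.0 hidden behind 192.168.2.30); the SecureServer address 192.168.2.32 and the encapsulation port 2746 (Check Point's VPN1_IPSEC_encapsulation service) are assumptions.

```python
"""Toy model of why SR/SC behind a Hide NAT needs UDP encapsulation of ESP.
Added example, not Check Point code. Lab addresses: clients on 192.168.1.0
hidden behind 192.168.2.30. Assumed: SecureServer at 192.168.2.32, UDP 2746."""
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

IPPROTO_UDP, IPPROTO_ESP = 17, 50
UDP_ENCAP_PORT = 2746          # assumed: Check Point's VPN1_IPSEC_encapsulation port
NAT_ADDRESS = "192.168.2.30"   # lab: the 192.168.1.0 net is hidden behind this address
GATEWAY = "192.168.2.32"       # assumed: the SecureServer the client's SR site points at


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None     # ESP has no port fields, hence None
    dport: Optional[int] = None
    payload: bytes = b""


class HideNAT:
    """Many-to-one NAT: every inside host is hidden behind one public address,
    and a distinct public source port is the only thing that keeps their
    replies apart. A packet without a port gives the NAT nothing to key on."""

    def __init__(self, public_ip: str, first_port: int = 10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map: Dict[Tuple[int, str, int], int] = {}        # (proto, inside ip, inside port) -> public port
        self.in_map: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.sport is None:
            return None            # cannot hide a portless protocol such as raw ESP
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.in_map.get((pkt.proto, pkt.dport))
        if entry is None:
            return None            # no state for this reply: dropped
        return replace(pkt, dst=entry[0], dport=entry[1])


def esp_packet(client_ip: str, spi: int, seq: int) -> Packet:
    # ESP header: SPI and sequence number, followed by the encrypted payload
    esp = struct.pack("!II", spi, seq) + b"<ciphertext>"
    return Packet(client_ip, GATEWAY, IPPROTO_ESP, payload=esp)


def udp_encapsulate(esp: Packet) -> Packet:
    """SP2 UDP encapsulation: the same ESP bytes carried inside UDP, so the
    hide NAT now has a source port to rewrite and to match replies on."""
    return Packet(esp.src, esp.dst, IPPROTO_UDP, UDP_ENCAP_PORT, UDP_ENCAP_PORT, esp.payload)


def gateway_reply(pkt: Packet) -> Packet:
    """The gateway only ever sees the NAT address; it answers to whatever
    source address and port the packet arrived with."""
    return Packet(pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport, b"<reply ciphertext>")


def round_trip(clients, encapsulate: bool) -> Dict[str, str]:
    """One tunnel packet per hidden client, then the gateway's reply back through the NAT."""
    nat = HideNAT(NAT_ADDRESS)
    result = {}
    for n, ip in enumerate(clients, start=1):
        pkt = esp_packet(ip, spi=0x1000 + n, seq=1)
        if encapsulate:
            pkt = udp_encapsulate(pkt)
        outside = nat.outbound(pkt)
        if outside is None:
            result[ip] = "dropped at NAT"
            continue
        back = nat.inbound(gateway_reply(outside))
        result[ip] = "reply delivered" if back is not None and back.dst == ip else "reply lost"
    return result


if __name__ == "__main__":
    hidden = ["192.168.1.25", "192.168.1.26"]     # constructed: two SR/SC hosts behind the same hide NAT
    print(round_trip(hidden, encapsulate=False))  # raw ESP: both dropped
    print(round_trip(hidden, encapsulate=True))   # UDP-encapsulated: both delivered
```

The second run is the interesting one: both clients send from the same UDP source port, yet the NAT hands each its own public port, so the gateway's two replies are demultiplexed correctly. That per-flow port is exactly what raw ESP cannot offer, which is why the client behind the customer router in this lab only works once encapsulation is on.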
Slide 28
Agenda
  Lab 1-1: VPN Client to Gateway
  Lab 1-2: Hybrid Mode
  Lab 1-3: SecureClient
  Lab 1-4: SecureServer
  Lab 1-5: SR/SC behind NAT Hide
Slide 29
Q & A
Thank you