Presentation is loading. Please wait.

Presentation is loading. Please wait.

W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Technical Lab n°1 Guidelines End-to-End Security and VPN.

Published byLora Walsh Modified over 9 years ago

Similar presentations

Presentation on theme: "W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Technical Lab n°1 Guidelines End-to-End Security and VPN."— Presentation transcript:

1

2 W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Technical Lab n°1 Guidelines End-to-End Security and VPN

3 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Agenda Introduction Introduction Lab Presentation Lab Presentation Lab 1-1 : VPN Client to Gateway Lab 1-1 : VPN Client to Gateway Lab 1-2 : Hybrid Mode Lab 1-2 : Hybrid Mode Lab 1-3 : SecureClient Lab 1-3 : SecureClient Lab 1-4 : SecureServer Lab 1-4 : SecureServer Lab 1-5 : SR/SC behind NAT Hide Lab 1-5 : SR/SC behind NAT Hide

4 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Introduction : Objectives Understand End-to-End Security and secure communications Understand End-to-End Security and secure communications Setup Hybrid Mode (strong authentication) Setup Hybrid Mode (strong authentication) Setup / Manage VPN-1 SecureServer Setup / Manage VPN-1 SecureServer Understand and setup the new SP2 fonctionnality : UDP encapsulation Understand and setup the new SP2 fonctionnality : UDP encapsulation

5 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab Architecture – Lab 1 VPN-1 HUBHUB FW/VPN Module + Management 192.168.2.30 192.168.1.30 CLIENT SERVER 192.168.1.25 HUBHUB SecureServer 192.168.2.31 192.168.2.32 Telnet Server SecureServer RADIUS SecureClient

6 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Components VPN-1 VPN-1  NT 4.0 SP6a  VPN-1 4.1 SP2 SERVER SERVER  NT 4.0 SP6a  Radius Server SecureServer SecureServer  NT 4.0 SP6a  Telnet Server + SecureServer 4.1 SP2 Client Client  NT 4.0 SP6a  VPN-1 SecureClient build 4165

7 W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Lab 1-1 : VPN Client to Gateway

8 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Logical architecture VPN-1 HUBHUB FW/VPN Module + Management CLIENT SERVER HUBHUB SecureServer VPN

9 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-1 : VPN Client to Gateway Configure VPN-1 to support client-to- site encryption Configure VPN-1 to support client-to- site encryption Create a remote user Create a remote user Create SecuRemote Site Create SecuRemote Site Access SecureServer with telnet Access SecureServer with telnet  Check logs

10 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-1 : VPN Client to Gateway (ADVANCED) Debug SecuRemote Debug SecuRemote  fwenc.log file  SRinfo file Debug IKE negotiation Debug IKE negotiation  Use IKEview

11 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-1 : VPN Client to Gateway (ADVANCED) Ike.elg and Ikeview Use with FireWall-1/SecuRemote 4.1: Use with FireWall-1/SecuRemote 4.1:  Generate a file IKE.elg on FW-1 4.1 or SR4.1. To do it, you need to :  Create the environment variable FWIKE_DEBUG=1 (set FWIKE_DEBUG=1)  On FW-1 : fwstop, fwstart  On SR4.1 : kill SR, create a log directory (in SRDIR directory) and reload SR.  The file IKE.elg will be created in the log directory.  Load IKEView and open the IKE.elg file.

12 W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Lab 1-2 : Hybrid Mode

13 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Logical architecture VPN-1 HUBHUB FW/VPN Module + Management CLIENT SERVER HUBHUB SecureServer VPN RADIUS Auth

14 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-2 : Hybrid Mode Goal : establish a client-to-site IKE VPN using Radius to authenticate the remote user. Goal : establish a client-to-site IKE VPN using Radius to authenticate the remote user. IMPORTANT: You must define a user with pre-shared secret to download the topology. IMPORTANT: You must define a user with pre-shared secret to download the topology.

15 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-2 : Hybrid Mode Define a user with pre-shared secret to dowload the topology Define a user with pre-shared secret to dowload the topology  Not member of any group Create the Internal CA on the Management Station Create the Internal CA on the Management Station Create a Certificate for the VPN/Firewall Module Create a Certificate for the VPN/Firewall Module Allow "Hybrid" Mode SecuRemote Authentication on the Firewall Object (IKE Tab) Allow "Hybrid" Mode SecuRemote Authentication on the Firewall Object (IKE Tab) Define a User with one of the classical authentication methods (ex: RADIUS) Define a User with one of the classical authentication methods (ex: RADIUS) Update the SecuRemote Site with the first user Update the SecuRemote Site with the first user Test authentication Test authentication  Check logs

16 W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Lab 1-3 : SecureClient

17 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Logical architecture VPN-1 HUBHUB FW/VPN Module + Management + Policy Server CLIENT SERVER HUBHUB SecureServer VPN

18 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-3 : SecureClient Define a Policy Server Define a Policy Server Define a policy (encrypt only) Define a policy (encrypt only) Update SecureClient Site Update SecureClient Site Reach TelnetServer Reach TelnetServer  Try to ping 192.168.6.1 Configure SCV (Desktop Configuration Verification) Configure SCV (Desktop Configuration Verification)  Then bind NetBeui on the client Try to reach TelnetServer Try to reach TelnetServer  Then uncheck SCV

19 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-3 : SecureClient (Advanced) View unauthorized actions on SecureClient View unauthorized actions on SecureClient  View SR.log file

20 W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Lab 1-4 : SecureServer

21 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Logical architecture VPN-1 HUBHUB FW/VPN Module + Management CLIENT SERVER HUBHUB SecureServer VPN

22 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-4 : SecureServer Goal is to establish end-to-end VPN between client and Server. Goal is to establish end-to-end VPN between client and Server. Create new encryption domain for VPN1 Create new encryption domain for VPN1 Change VPN properties for VPN1 Change VPN properties for VPN1  Encryption domain Enable VPN for SecureServer Enable VPN for SecureServer Create Certificate for Secureserver (Hybrid mode) Create Certificate for Secureserver (Hybrid mode) Register SecureServer as a Radius Client Register SecureServer as a Radius Client

23 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-4 : SecureServer Update topology Update topology Access Secureserver with telnet Access Secureserver with telnet Check Logs Check Logs

24 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Lab 1-4 : SecureServer Warning: A security rule, with the field « Install on » filled with « Gateways », doesn’t take care of SecureServer (just gateways ) A security rule, with the field « Install on » filled with « Gateways », doesn’t take care of SecureServer (just gateways ) Features not available on SecureServer Features not available on SecureServer  User Authentication  Content Security (CVP, UFP..)  NAT  IP forwarding is turned off (…)

25 W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Lab 1-5 : SR/SC behind NAT Hide

26 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Logical architecture SecureServer VPN-1 HUBHUB FW/VPN Module + Management CLIENT SERVER HUBHUB SecureServer VPN SR/SC is NATed Hide behind this address (=Routeur) Customer site

27 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential NAT with SecuRemote Cont. Create a new network object for Net 192.168.1.0 Create a new network object for Net 192.168.1.0  Nated Hide behind 192.168.2.30 Uncheck VPN properties for VPN1 Uncheck VPN properties for VPN1 Bind Policy Server to SecureServer Bind Policy Server to SecureServer Modify Rulebase Modify Rulebase Create new SR site (Secureserver) Create new SR site (Secureserver) Access SecureServer with telnet Access SecureServer with telnet Check Logs Check Logs

28 ©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential Agenda Lab 1-1 : VPN Client to Gateway Lab 1-1 : VPN Client to Gateway Lab 1-2 : Hybrid Mode Lab 1-2 : Hybrid Mode Lab 1-3 : SecureClient Lab 1-3 : SecureClient Lab 1-4 : SecureServer Lab 1-4 : SecureServer Lab 1-5 : SR/SC behind NAT Hide Lab 1-5 : SR/SC behind NAT Hide

29 W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Q & A ? Thank you

Download ppt "W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Technical Lab n°1 Guidelines End-to-End Security and VPN."

Similar presentations

What’s New in Fireware XTM v11.3.4

What’s New in Fireware XTM v11.3.4
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.

Chapter 10 Securing Windows Server 2008 MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Implementing Secure Converged Wide Area Networks (ISCW)
70-270, 70-290 MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Twelve Implementing Terminal.
W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Check Point Next Generation Feature Pack 1 (FP1) Thomas Witte Check Point Deutschland.

W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T Check Point Next Generation Feature Pack 1 (FP1) Thomas Witte Check Point Deutschland.
Computer Network (MASQ/NAT/PROXY)

Computer Network (MASQ/NAT/PROXY)
Virtual Private Network (VPN) © N. Ganesan, Ph.D..

Virtual Private Network (VPN) © N. Ganesan, Ph.D..
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Copyright Microsoft Corp. 2006 Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Copyright Microsoft Corp Ramnish Singh IT Advisor Microsoft Corporation Secure Remote Access Challenges, Choices, Best Practices.

Similar presentations

Ads by Google