WORLDWIDE LEADER IN SECURING THE INTERNET
Technical Lab n°1 Guidelines: End-to-End Security and VPN (presentation transcript)

Slide 2: Technical Lab n°1 Guidelines: End-to-End Security and VPN (title slide)

Slide 3: Agenda
©2000 Check Point Software Technologies Ltd. - Proprietary & Confidential
- Introduction
- Lab Presentation
- Lab 1-1: VPN Client to Gateway
- Lab 1-2: Hybrid Mode
- Lab 1-3: SecureClient
- Lab 1-4: SecureServer
- Lab 1-5: SR/SC behind NAT Hide

Slide 4: Introduction: Objectives
- Understand End-to-End Security and secure communications
- Set up Hybrid Mode (strong authentication)
- Set up / manage VPN-1 SecureServer
- Understand and set up the new SP2 functionality: UDP encapsulation

Slide 5: Lab Architecture, Lab 1
[Diagram] VPN-1 (FW/VPN Module + Management) sits between two hubs, with addresses 192.168.2.30 (server side) and 192.168.1.30 (client side). Client side: CLIENT at 192.168.1.25 running SecureClient. Server side: SecureServer (Telnet Server) and SERVER (RADIUS) at 192.168.2.31 and 192.168.2.32.

Slide 6: Components
- VPN-1: NT 4.0 SP6a, VPN-1 4.1 SP2
- SERVER: NT 4.0 SP6a, Radius Server
- SecureServer: NT 4.0 SP6a, Telnet Server + SecureServer 4.1 SP2
- Client: NT 4.0 SP6a, VPN-1 SecureClient build 4165

Slide 7: Lab 1-1: VPN Client to Gateway (section title)

Slide 8: Logical architecture
[Diagram] CLIENT reaches SecureServer and SERVER through VPN-1 (FW/VPN Module + Management); the VPN tunnel runs between the client and the VPN-1 gateway.

Slide 9: Lab 1-1: VPN Client to Gateway
- Configure VPN-1 to support client-to-site encryption
- Create a remote user
- Create SecuRemote Site
- Access SecureServer with telnet
  - Check logs

Slide 10: Lab 1-1: VPN Client to Gateway (ADVANCED)
- Debug SecuRemote
  - fwenc.log file
  - SRinfo file
- Debug IKE negotiation
  - Use IKEview

Slide 11: Lab 1-1: VPN Client to Gateway (ADVANCED): IKE.elg and IKEview
Use with FireWall-1/SecuRemote 4.1:
- Generate an IKE.elg file on FW-1 4.1 or SR 4.1. To do so, you need to:
  - Create the environment variable FWIKE_DEBUG=1 (set FWIKE_DEBUG=1)
  - On FW-1: fwstop, fwstart
  - On SR 4.1: kill SR, create a log directory (in the SRDIR directory) and reload SR
  - The IKE.elg file is created in the log directory
- Load IKEView and open the IKE.elg file

Slide 12: Lab 1-2: Hybrid Mode (section title)

Slide 13: Logical architecture
[Diagram] CLIENT reaches SecureServer and SERVER through VPN-1 (FW/VPN Module + Management); the VPN tunnel runs between the client and the gateway, and the remote user is authenticated by RADIUS on SERVER.

Slide 14: Lab 1-2: Hybrid Mode
Goal: establish a client-to-site IKE VPN using RADIUS to authenticate the remote user.
IMPORTANT: you must define a user with a pre-shared secret in order to download the topology.

Slide 15: Lab 1-2: Hybrid Mode
- Define a user with a pre-shared secret to download the topology
  - Not a member of any group
- Create the Internal CA on the Management Station
- Create a Certificate for the VPN/Firewall Module
- Allow "Hybrid" Mode SecuRemote Authentication on the Firewall Object (IKE tab)
- Define a user with one of the classical authentication methods (e.g. RADIUS)
- Update the SecuRemote Site with the first user
- Test authentication
  - Check logs

Slide 16: Lab 1-3: SecureClient (section title)

Slide 17: Logical architecture
[Diagram] CLIENT reaches SecureServer and SERVER through VPN-1 (FW/VPN Module + Management + Policy Server); the VPN tunnel runs between the client and the gateway.

Slide 18: Lab 1-3: SecureClient
- Define a Policy Server
- Define a policy (encrypt only)
- Update SecureClient Site
- Reach TelnetServer
  - Try to ping 192.168.6.1
- Configure SCV (Desktop Configuration Verification)
  - Then bind NetBEUI on the client
- Try to reach TelnetServer
  - Then uncheck SCV

Slide 19: Lab 1-3: SecureClient (Advanced)
- View unauthorized actions on SecureClient
  - View the SR.log file

Slide 20: Lab 1-4: SecureServer (section title)

Slide 21: Logical architecture
[Diagram] CLIENT reaches SecureServer through VPN-1 (FW/VPN Module + Management), with SERVER on the server side; the VPN tunnel is shown end-to-end between the client and SecureServer.

Slide 22: Lab 1-4: SecureServer
Goal: establish an end-to-end VPN between the client and the Server.
- Create a new encryption domain for VPN1
- Change VPN properties for VPN1
  - Encryption domain
- Enable VPN for SecureServer
- Create a Certificate for SecureServer (Hybrid mode)
- Register SecureServer as a RADIUS client

Slide 23: Lab 1-4: SecureServer
- Update topology
- Access SecureServer with telnet
- Check logs

Slide 24: Lab 1-4: SecureServer
Warning: a security rule whose « Install on » field is set to « Gateways » does not cover SecureServer (it is installed on gateways only).
Features not available on SecureServer:
- User Authentication
- Content Security (CVP, UFP..)
- NAT
- IP forwarding is turned off (…)

Slide 25: Lab 1-5: SR/SC (SecuRemote/SecureClient) behind NAT Hide (section title)

Slide 26: Logical architecture
[Diagram] Customer site: CLIENT running SR/SC is NAT hidden behind a single address (the router). The VPN tunnel passes through VPN-1 (FW/VPN Module + Management) to SecureServer, with SERVER on the same side.

Slide 27: NAT with SecuRemote (cont.)
- Create a new network object for Net 192.168.1.0
  - NAT hide behind 192.168.2.30
- Uncheck VPN properties for VPN1
- Bind Policy Server to SecureServer
- Modify Rulebase
- Create new SR site (SecureServer)
- Access SecureServer with telnet
- Check logs
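The problem Lab 1-5 sets up, and that the SP2 UDP-encapsulation objective from slide 4 addresses, can be shown with a small simulation. This is an added example, not code from the Check Point deck: a hide NAT keyed on transport ports, two SecuRemote clients behind it, and a gateway that answers to whatever source it saw. Plain ESP carries no port, so the NAT has nothing to translate outbound and nothing to demultiplex on for the gateway's return packets; ESP wrapped in UDP gives the NAT a port pair to work with. The hide address 192.168.2.30, the gateway 192.168.1.30 and the client 192.168.1.25 come from the lab; the second client 192.168.1.26 and the encapsulation port 2746 are assumptions constructed for the example.

```python
"""Hide-NAT simulation: plain ESP versus UDP-encapsulated ESP from two
SecuRemote clients sharing one hide address. Constructed example."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

ESP = 50   # IP protocol number for ESP
UDP = 17   # IP protocol number for UDP

HIDE_IP = "192.168.2.30"      # hide address from the lab (Net 192.168.1.0 hidden behind it)
GATEWAY = "192.168.1.30"      # VPN-1 module address from the lab
CLIENTS = ["192.168.1.25", "192.168.1.26"]  # .25 is the lab client; .26 is constructed
UDP_ENCAP_PORT = 2746         # assumption: UDP port used by VPN-1 4.1 SP2 UDP encapsulation


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # None for plain ESP: it has no transport ports
    dport: Optional[int] = None
    spi: int = 0                  # ESP SPI; inside the UDP payload when encapsulated


class HideNat:
    """Port-based hide NAT (PAT): many inside hosts share one outside address."""

    def __init__(self, hide_ip: str, first_port: int = 10000) -> None:
        self.hide_ip = hide_ip
        self.next_port = first_port
        self.out_table: Dict[Tuple[int, str, int], int] = {}        # (proto, src, sport) -> hide port
        self.in_table: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, hide port) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.sport is None:
            # ESP has no port to rewrite: every inside host collapses to (proto, hide_ip)
            # and no per-host mapping can be recorded for the return direction.
            return replace(pkt, src=self.hide_ip)
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_table:
            hide_port = self.next_port
            self.next_port += 1
            self.out_table[key] = hide_port
            self.in_table[(pkt.proto, hide_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.hide_ip, sport=self.out_table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dport is None:
            # Nothing to demultiplex on: the NAT cannot tell which inside host owns this SPI.
            return None
        entry = self.in_table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_src, inside_sport = entry
        return replace(pkt, dst=inside_src, dport=inside_sport)


def gateway_reply(pkt: Packet) -> Packet:
    """The VPN-1 gateway answers the source it saw: addresses and ports swapped."""
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport, spi=pkt.spi)


def client_packet(client: str, spi: int, encapsulate: bool) -> Packet:
    """Outbound packet from a client: bare ESP, or ESP carried in UDP."""
    if encapsulate:
        return Packet(UDP, client, GATEWAY, UDP_ENCAP_PORT, UDP_ENCAP_PORT, spi=spi)
    return Packet(ESP, client, GATEWAY, spi=spi)


def simulate(encapsulate: bool) -> Dict[str, bool]:
    """Return, per client, whether the gateway's reply made it back to that client."""
    nat = HideNat(HIDE_IP)
    delivered: Dict[str, bool] = {}
    for spi, client in enumerate(CLIENTS, start=1):
        outside = nat.outbound(client_packet(client, spi, encapsulate))
        back = nat.inbound(gateway_reply(outside))
        delivered[client] = back is not None and back.dst == client
    return delivered


if __name__ == "__main__":
    print("plain ESP through hide NAT:   ", simulate(encapsulate=False))
    print("UDP-encapsulated through NAT: ", simulate(encapsulate=True))
```

With encapsulation both clients get their replies, each through its own hide port (10000 and 10001 here) even though both sent from the same source port; without it neither does, and the gateway additionally sees both clients arriving from the single hide address, which is why the lab has the client network hidden behind 192.168.2.30 before the SecuRemote site is tested.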

Slide 28: Agenda (recap)
- Lab 1-1: VPN Client to Gateway
- Lab 1-2: Hybrid Mode
- Lab 1-3: SecureClient
- Lab 1-4: SecureServer
- Lab 1-5: SR/SC behind NAT Hide

Slide 29: Q & A? Thank you
