11. Administrative permissions available for CP 2000 Firewall:
1) Read/Write: Allows full access to all Check Point products. Note that only one FireWall-1 administrator can be logged in with Read/Write permission at any given time.
2) Custom: Permissions can be set individually per administrator.
12. For an administrator, the following are required parameters to log in:
- User Name
- Name or IP address of the management server.
13. While implementing security policy, there are three different enforcement directions:
- Inbound (default): packets going into the FireWall are checked.
- Outbound: packets going out of the FireWall are checked.
- Eitherbound: packets going into and packets leaving the FireWall are both checked against the security policy.
14. License: All Check Point products except GUI require a license for their operation.
15. The communication between the Management module and the Firewall Module is encrypted. The Management server establishes a trust relationship with FireWall module for secure communication between the modules.
16. VPN-1/FireWall-1 is uninstalled on different platforms as below:
1. Windows Platform: To uninstall VPN-1/FireWall-1 on a Windows platform, use the Add/Remove Programs applet in the Control Panel.
2. Solaris Platform: To uninstall VPN-1/FireWall-1 on a Solaris platform, use pkgrm.
3. Linux Platform: To uninstall VPN-1/FireWall-1 on a Linux platform, use rpm -e.
Note that if the Primary Management Server is uninstalled, all other Check Point products need to be uninstalled and reinstalled from scratch.
17. Communication between the Management server and the other modules in FireWall-1 NG are authenticated using certificates. An encrypted secure link is established between the communicating modules and the Management Server upon successful authentication. The requirements for successful authentication using certificates are:
1. The communicating modules agree on the version information.
2. They agree on the authentication information.
3. They agree on the encryption method.
A digital certificate is an electronic file that uniquely identifies individuals and Web sites on the Internet and enables secure, confidential communications. A trusted third-party Certificate Authority, such as VeriSign, creates, signs, and issues certificates.
Note that a digital certificate can also be generated by an Internal Certificate Authority if the certificate will be used only on the internal network and NOT on the Internet.
18. VPN-1/FireWall-1 supports the following internal authentication schemes:
- OS Password: the operating system password.
- FireWall-1 Password: an encrypted password maintained by FireWall-1.
- S/Key: one-time password, very secure.
The following external authentication schemes are supported:
- SecurID: the user enters the Security Dynamics PassCode.
- AXENT Pathway Defender: separate server software that requires a response from the user.
- RADIUS: requires a RADIUS server to perform centralized authentication.
- TACACS: the TACACS server prompts the user for a response.
The Kerberos authentication scheme is not supported by VPN-1/FireWall-1.
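The S/Key scheme listed above is a one-time password built on a hash chain: the server keeps only the last accepted value, and each login presents the previous link in the chain, so a captured password cannot be replayed. The following is an added illustration, not Check Point code; it uses SHA-256 as a stand-in for S/Key's MD4-based folding (an assumption made so it runs with stock hashlib), and the seed is constructed for the demo.

```python
import hashlib


def skey_hash(value: bytes) -> bytes:
    """One step of the hash chain. Real S/Key (RFC 1760) uses MD4 folded to
    64 bits; SHA-256 stands in here so the example runs with stock hashlib."""
    return hashlib.sha256(value).digest()


def hash_chain(seed: bytes, count: int) -> bytes:
    """Apply skey_hash `count` times to the seed, i.e. compute h^count(seed)."""
    value = seed
    for _ in range(count):
        value = skey_hash(value)
    return value


class SKeyVerifier:
    """Server side: stores only h^n(seed) and the remaining sequence number.
    The seed itself is never stored, so a stolen server record reveals no
    password that would still be accepted."""

    def __init__(self, seed: bytes, n: int):
        self.sequence = n
        self.last_value = hash_chain(seed, n)

    def verify(self, candidate: bytes) -> bool:
        # A valid response is h^(n-1)(seed): hashing it once must reproduce
        # the stored value. Any other value, including a replayed one, fails.
        if self.sequence <= 0 or skey_hash(candidate) != self.last_value:
            return False
        # Accept, then step the chain back so this value is never accepted again.
        self.last_value = candidate
        self.sequence -= 1
        return True


def demo() -> dict:
    seed = b"constructed-seed-for-demo"  # constructed; real clients derive it from a passphrase
    server = SKeyVerifier(seed, n=5)
    first = hash_chain(seed, 4)   # client's password for login 1: h^4(seed)
    second = hash_chain(seed, 3)  # client's password for login 2: h^3(seed)
    return {
        "first_login": server.verify(first),
        "replay_of_first": server.verify(first),          # captured value is useless
        "second_login": server.verify(second),
        "wrong_order": server.verify(hash_chain(seed, 1)),  # skipping links fails
        "remaining": server.sequence,
    }
```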
19. To define a rule in the rule base in FireWall-1, the following must be specified at the minimum:
- Install On (the enforcement point)
20. VPN-1/FireWall-1 ignores packets of other protocols such as IPX and DECnet. These protocols are processed by other protocol stacks. Note that if you install an IPX protocol stack, for example, the IPX packets are processed by the IPX stack independently of VPN-1/FireWall-1. This can be a security risk, and the need for such a stack should be thoroughly evaluated before installing it.