21. FireWall-1 rule base:
a. Implicit (Pseudo) rules are those that are derived from the security properties. Explicit rules are those created in the Rule Base. The implicit rules are NOT shown by default in the NAT Rule Base. However, you can select "Implied Pseudo Rules" from the View menu.
b. Implicit Drop Rule is added by VPN-1/FireWall-1 at the bottom of the Rule Base. The purpose of this rule is to drop all packets that are not described by earlier rules in the Rule Base.
c. Stealth rule is the first rule in the Rule Base. The purpose of the Stealth rule is to prevent traffic from directly accessing the firewall itself.
d. The order in which Rule Base rules are applied is:
- IP Spoofing
- Security Policy "First" Rule
- Rule Base
- Security Policy "Before Last" Rule
- Security Policy "Last" Rule
- Implicit Drop
e. To disable a rule in the Rule Base:
- Select the rule in the Rule Base
- Right click the rule number and select 'Disable rule'
- The policy needs to be re-installed for the change to take effect.
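To make the evaluation order in item 21(d) concrete, the following is an added toy model (not Check Point code): anti-spoofing is checked first, then the "First" implied rule, then the explicit Rule Base (with the Stealth rule in position one), then "Before Last" and "Last", and finally the implicit drop. The gateway address, the internal network, the rule contents and the `fw1_mgmt` service name are all constructed assumptions.

```python
"""Toy model of the order in which FireWall-1 evaluates its Rule Base.

Added illustration, not Check Point code. The stage order follows the notes
above; all addresses, service names and rules are constructed examples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    service: str   # e.g. "http", "ssh", "fw1_mgmt" (constructed names)
    ingress: str   # interface the packet arrived on: "ext" or "int"


@dataclass
class Rule:
    name: str
    src: str        # network in CIDR notation, or "any"
    dst: str
    service: str    # service name, or "any"
    action: str     # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return (
            (self.src == "any" or ip_address(p.src) in ip_network(self.src))
            and (self.dst == "any" or ip_address(p.dst) in ip_network(self.dst))
            and (self.service == "any" or self.service == p.service)
        )


FIREWALL_IP = "203.0.113.1"    # constructed: the gateway's own address
INTERNAL_NET = "10.0.0.0/8"    # constructed: the network behind the internal interface

# Security Policy "First" rule: an implied rule that precedes the explicit Rule Base.
FIRST = [Rule("implied-first: fw1 control", "any", FIREWALL_IP + "/32", "fw1_mgmt", "accept")]
# Explicit Rule Base: the Stealth rule is rule 1, followed by the ordinary rules.
RULE_BASE = [
    Rule("stealth", "any", FIREWALL_IP + "/32", "any", "drop"),
    Rule("web out", INTERNAL_NET, "any", "http", "accept"),
]
BEFORE_LAST: list = []   # Security Policy "Before Last" rule (none in this example)
LAST: list = []          # Security Policy "Last" rule (none in this example)


def anti_spoofing_ok(p: Packet) -> bool:
    """A packet is valid only if its source belongs to the interface it arrived on."""
    src = ip_address(p.src)
    internal = ip_network(INTERNAL_NET)
    if p.ingress == "int":
        return src in internal
    # An internal source address arriving on the external interface is spoofed.
    return src not in internal


def evaluate(p: Packet):
    """Return (decision, name of the rule that decided) in Rule Base order."""
    if not anti_spoofing_ok(p):
        return ("drop", "anti-spoofing")
    for stage in (FIRST, RULE_BASE, BEFORE_LAST, LAST):
        for rule in stage:
            if rule.matches(p):
                return (rule.action, rule.name)
    # Nothing earlier described the packet: the implicit drop at the bottom applies.
    return ("drop", "implicit drop")


if __name__ == "__main__":
    for pkt in (
        Packet("10.1.2.3", "198.51.100.7", "http", "int"),      # accepted by "web out"
        Packet("198.51.100.7", FIREWALL_IP, "ssh", "ext"),      # stopped by the Stealth rule
        Packet("10.1.2.3", "198.51.100.7", "ssh", "int"),       # no rule: implicit drop
        Packet("10.1.2.3", "198.51.100.7", "http", "ext"),      # internal source from outside: spoofed
        Packet("10.9.9.9", FIREWALL_IP, "fw1_mgmt", "int"),     # implied "First" rule wins over Stealth
    ):
        print(pkt, "->", evaluate(pkt))
```

The last two cases are the ones worth remembering: anti-spoofing decides before any rule is consulted, and because the implied "First" rule is evaluated before the explicit Rule Base, it takes precedence even over the Stealth rule at position one.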
22. Using the Security Policy Editor, four types of policies can be defined:
- Security Policy: This policy specifies how communication is allowed to enter or leave the network. It also specifies how authentication and/or encryption are handled.
- Address_Translation Policy: An Address_Translation Policy specifies how invalid internal IP addresses will be translated to valid IP addresses.
- Anti-Spoofing: Anti-Spoofing feature ensures that the IP addresses of the packets entering the FireWall are valid.
23. Important file names used in FireWall-1:
- $FWDIR/conf/rule_base.W: Security Policy rules are stored in an ASCII format at this location.
- $FWDIR/conf/objects.C: The properties are stored in this ASCII file.
- $FWDIR/conf/rule_name.pf: Inspection Script is stored in this file. The file is generated from $FWDIR/conf/rule_base.W and $FWDIR/conf/objects.C
- $FWDIR/temp/rule_base.fc: This is Inspection Code file, compiled from the Inspection script. Note that the Inspection Code is installed on Network objects and used by VPN/FireWall Module to enforce security policy.
24. A Gateway must have at least two network interfaces, one for the external network connection and one for the internal network connection.
25. The three types of Authentication schemes supported by VPN-1/FireWall-1 are:
- User Authentication: User Authentication gives access on a per user basis. This can be used for Telnet, FTP, RLOGIN, HTTP and HTTPS. Separate Authentication is required for each connection.
- Session Authentication: Session Authentication can be used with any service, and Session Authentication is required for each connection as in User Authentication.
- Client Authentication: Client Authentication gives access on a per host basis. Once a Client is Authenticated, it can be used for any number of connections, for any service. Client Authentication is recommended when the client is a single user machine such as a desktop.
26. VPN-1/FireWall-1 services covered by User Authentication are: Telnet, FTP, RLOGIN, HTTP, and HTTPS.
27. VPN-1/FireWall-1 supports third party routers (OPSEC products) such as Cisco, 3Com, Nortel (Bay Networks) routers, Cisco PIX firewalls, and Microsoft RRAS (formerly known as Steelhead). For this purpose, Check Point's Open Security Extension (an optional module) is required.
28. VPN-1/FireWall-1 supports two modes of Address Translation:
a. Hide mode: This has a many to 1 relation. Here many invalid addresses are translated to one valid IP address. Dynamically assigned port numbers are used to distinguish between the invalid addresses. This is called Hide mode, since invalid IP addresses are hidden behind the valid IP address.
b. Static mode: This has 1 to 1 correspondence of IP addresses. Here, the invalid IP is translated to a corresponding valid IP. There are two modes of static Address Translation:
- Static Source mode: This is for outgoing traffic. The connection is initiated by internal clients with invalid IP addresses. This is usually combined with Static Destination mode.
- Static Destination mode: This is for incoming traffic. This mode is used when servers inside the internal network have invalid IP addresses, so that packets entering the internal network arrive at their proper destinations. This mode is usually combined with Static Source mode.
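The two Address Translation modes of item 28 behave quite differently for return and unsolicited traffic, which a small model makes visible. The following is an added illustration (not Check Point code): `HideNAT` maps many internal addresses behind one valid address and distinguishes them by a dynamically assigned port, while `StaticNAT` keeps a fixed one-to-one table used in both the Static Source and Static Destination directions. The addresses, ports and class names are constructed assumptions.

```python
"""Toy model of FireWall-1's Hide mode and Static mode Address Translation.

Added illustration, not Check Point code. All addresses and port numbers are
constructed examples.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class HideNAT:
    """Many-to-one: every internal (invalid) address is hidden behind hide_addr."""
    hide_addr: str
    next_port: int = 10000   # first dynamically assigned port (constructed)
    # hide port -> (internal ip, internal port), and the reverse lookup
    table: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    reverse: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an outgoing packet's source; reuse the port for an existing flow."""
        key = (src_ip, src_port)
        if key not in self.reverse:
            port = self.next_port
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return (self.hide_addr, self.reverse[key])

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """A packet arriving at hide_addr:dst_port is delivered to the host that owns
        that port; with no table entry there is nowhere to send it (unsolicited traffic)."""
        return self.table.get(dst_port)


class StaticNAT:
    """One-to-one: each invalid internal address has its own valid address."""

    def __init__(self, pairs):
        # pairs: list of (invalid internal ip, valid ip)
        self.to_valid = dict(pairs)
        self.to_internal = {valid: internal for internal, valid in pairs}

    def source(self, internal_ip: str) -> Optional[str]:
        """Static Source mode: rewrite the source of outgoing traffic."""
        return self.to_valid.get(internal_ip)

    def destination(self, valid_ip: str) -> Optional[str]:
        """Static Destination mode: rewrite the destination of incoming traffic."""
        return self.to_internal.get(valid_ip)


if __name__ == "__main__":
    hide = HideNAT("203.0.113.5")
    print(hide.outbound("10.0.0.1", 40000))   # two hosts using the same source port ...
    print(hide.outbound("10.0.0.2", 40000))   # ... get different hide ports
    print(hide.inbound(10001))                # reply for the second host
    print(hide.inbound(12345))                # None: no flow, nothing to deliver to

    static = StaticNAT([("10.0.0.10", "203.0.113.10")])
    print(static.source("10.0.0.10"))         # outgoing: 203.0.113.10
    print(static.destination("203.0.113.10")) # incoming: 10.0.0.10
```

The contrast is the security-relevant point: under Hide mode an inbound packet with no matching port entry has no internal destination, so hidden hosts cannot be reached from outside; under Static mode the valid address always maps to the same internal host, which is why Static Destination is used for servers that must be reachable, and why those servers then need explicit Rule Base protection.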
29. The NAT Rule Base consists of three elements:
- Original Packet
- Translated Packet
- Install On
Original Packet and Translated Packet, in turn, consist of the following:
"Install On" specifies which firewalled objects will enforce the rule.
30. GUIs that are available in FireWall-1:
1. Policy Editor GUI: Used for creating rules and network objects. The GUI may have up to four tabs: a) Security Policy b) Address Translation c) Bandwidth Policy d) Compression Policy
2. Log Viewer GUI: Used for viewing log files, which record events matched by the Rule Base as well as other events such as security alerts and important system events.
3. System Status GUI: Enables the real time monitoring of all FireWall modules and alerting. Communication and traffic flow statistics are also displayed.
4. SecureClient Packaging Tool: This tool helps in customizing SecureClient installations, and simplifies large scale deployment of SecuRemote/SecureClient.
5. Traffic Monitoring: This tool is used for monitoring traffic.
6. SecureUpdate: SecureUpdate enables centralized management of CheckPoint and OPSEC software products including licensing.