31. FireWall-1 supports the following encryption schemes:
- FWZ: This is a Check Point proprietary encryption scheme. FWZ uses symmetric encryption.
- Manual IPSec: This is an encryption and authentication scheme. The keys are fixed over duration of the connection.
- SKIP: This has some advantages over IPSec, that the keys change over time. An Internet host can send an encrypted packet to another host without requiring a prior message exchange to set up a secure channel.
- IKE: The Internet Key Exchange (IKE) protocol is a key management protocol standard which is used in conjunction with the IPSec standard. IPSec is an IP security protocol that provides robust authentication and encryption of IP packets.
- ISAKMP stands for Internet Security Association and Key Management Protocol. ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SAs).
32. There are nine objects available to manage a network under Network Objects Manager. These are:
- OSE Device
- Embedded Device
- Gateway Cluster
- Logical Server
- Address Range
- Dynamic Object
Only the objects that get used in the Rule Base need to be defined to VPN-1/FireWall-1. Also, note that an object need to be defined to VPN-1/FireWall-1 BEFORE a rule is defined (in the Rule Base) using that object.
The Object Tree of Check Point Policy Editor of FireWall-1 consists of eight tabs. These are:
|Object Tree Tab||Menu Command|
|1||Network Objects||Manage -> Network Objects|
|2||Services||Manage -> Services|
|3||Resources||Manage -> Resources|
|4||OPSEC Applications||Manage ->OPSEC Applications|
|5||Servers||Manage -> Servers|
|6||Users||Manage -> Users|
|7||Time Objects||Manage -> Time|
|8||Virtual Links||Manage -> Virtual Links|
Note that, Users and Servers are management objects.
33. Some of the popular protocol port numbers are:
- Telnet: Port #23
- FTP: Port #21
- HTTP (WWW): Port #80
- SMTP: Port #25
34. The Internet Assigned Numbers Authority (IANA) has set aside several ranges of IP numbers that can be freely used over private networks (Internet will not route these IP addresses). These private IP address ranges that are designated private:
Class A private address range:10.0.0.0 - 10.255.255.255
Class B private address range:172.16.0.0 - 172.31.255.255
Class C private address range:192.168.0.0 - 192.168.255.255
35. VPN/FireWall-1 Security Policy permits any number of administrators to view the Security Policy. However, only one administrator can log in using read/write permissions. This arrangement will prevent confusion arising from two admins simultaneously making changes to the Security Policy, without knowing what the other is doing.
36. The following are required to log on to the Log Viewer of a FireWall-1 Management Server:
- User Name
- Name or IP address of Management Server.
37. SIC (Secure Internal Communication) is used for communication between Modules and the Management Server. The following are true about SIC (Secure Internal Communication):
1. SIC name of a Module is typically known as DN (Distinguished Name).
2. VPN certificates and SIC certificates are used for different purposes.
3. IP connectivity between the Management Server and Module is REQUIRED for starting initialization process of the Module. The certificate is securely issued to the Module during initialization process. After successful initialization, the Module is said to be in TRUST state.
38. SecureUpdate allows to manage installation of CheckPoint and OPSEC products at a central location. The operations that can be performed include:
1. Upgrade and uninstall major versions and Service Packs.
2. Do multiple simultaneous upgrades
3. Manage product repository
4. View status of operation
39. SecureUpdate supports two types of licenses:
1. Central License - Here the Module License is bound to the IP address of the Management Server. That is, the Management Server IP address is used for issuing the license. The advantage is that, even if the IP address of the local module (to which the license is issued) changes, there is no need to re-issue the license.
2. Local License - Here the Module License is bound to the IP address of the module to which license is issued. If the IP address of the local module changes, the license need to be re-validated.
40. Static source mode translates the client's internal, invalid/reserved IP addresses to legal external IP addresses. Note that IP addresses have 1 to 1 relationship in static modes.
Static destination mode translates the server's legal external IP addresses to invalid/reserved internal IP addresses. Static destination mode is used when any server is located in the internal network with a private or invalid IP address, and being accessed from the Internet.