20. VPN-1/FireWall-1 ignores packets of other protocols such as IPX and DECnet; these are processed by their own protocol stacks. Note that, if you install an IPX protocol stack, for example, IPX packets are processed by the IPX stack independently of VPN-1/FireWall-1. This could be a security risk, and the need for such a stack should be thoroughly evaluated before installing it.
21. FireWall-1 rule base:
a. Implicit (Pseudo) rules are those derived from the security properties; explicit rules are those created in the Rule Base. The implicit rules are NOT shown by default in the NAT Rule Base. However, you can select "Implied Pseudo Rules" from the View menu.
b. Implicit Drop Rule is added by VPN-1/FireWall-1 at the bottom of the Rule Base. The purpose of this rule is to drop all packets that are not described by earlier rules in the Rule Base.
c. Stealth rule is the first rule in the Rule Base. The purpose of the Stealth rule is to prevent traffic from directly accessing the firewall itself.
d. Rule Base rules are enforced in the following order:
- IP Spoofing
- Security Policy "First" Rule
- Rule Base
- Security Policy "Before Last" Rule
- Security Policy "Last" Rule
- Implicit Drop
e. To disable a rule in Rule Base,
- Select the rule in the Rule Base
- Right click the rule number and select 'Disable rule'
- The policy needs to be re-installed for the changes to take effect.
22. Using the Security Policy Editor, four types of policies can be defined:
- Security Policy: This policy specifies how the communication is allowed to enter or leave the network. This also specifies, how the authentication and/or encryption are handled.
- Address Translation Policy: An Address Translation Policy specifies how invalid internal IP addresses will be translated to valid IP addresses.
- Anti-Spoofing: Anti-Spoofing feature ensures that the IP addresses of the packets entering the FireWall are valid.
23. Important file names used in FireWall-1:
- $FWDIR/conf/rule_base.W: Security Policy rules are stored in an ASCII format at this location.
- $FWDIR/conf/objects.C: The properties are stored in this ASCII file.
- $FWDIR/conf/rule_name.pf: Inspection Script is stored in this file. The file is generated from $FWDIR/conf/rule_base.W and $FWDIR/conf/objects.C.
- $FWDIR/temp/rule_base.fc: This is Inspection Code file, compiled from the Inspection script. Note that the Inspection Code is installed on Network objects and used by VPN/FireWall Module to enforce security policy.
24. A Gateway must have at least two network interfaces, one for the external network connection and one for the internal network connection.
25. The three types of Authentication schemes supported by VPN-1/FireWall-1 are:
- User Authentication: User Authentication gives access on a per-user basis. This can be used for Telnet, FTP, RLOGIN, HTTP and HTTPS. Separate authentication is required for each connection.
- Session Authentication: Session Authentication can be used with any service, and, as in User Authentication, authentication is required for each connection.
- Client Authentication: Client Authentication gives access on a per-host basis. Once a client is authenticated, it can be used for any number of connections, for any service. Client Authentication is recommended when the client is a single-user machine such as a desktop.
26. VPN-1/FireWall-1 services covered by User Authentication are: Telnet, FTP, RLOGIN, HTTP, and HTTPS.
27. VPN-1/FireWall-1 supports third-party routers (OPSEC products) such as Cisco, 3Com and Nortel (Bay Networks) routers, Cisco PIX firewalls, and Microsoft RRAS (formerly known as Steelhead). For this purpose, Check Point's Open Security Extension (an optional module) is required.
28. VPN-1/FireWall-1 supports two modes of Address Translation:
a. Hide mode: This has a many to 1 relation. Here many invalid addresses are translated to one valid IP address. Dynamically assigned port numbers are used to distinguish between the invalid addresses. This is called Hide mode, since invalid IP addresses are hidden behind the valid IP address.
b. Static mode: This has 1 to 1 correspondence of IP addresses. Here, the invalid IP is translated to a corresponding valid IP. There are two modes of static Address Translation:
- Static Source mode: This is for outgoing traffic. The connection is initiated by internal clients with invalid IP addresses. This is usually combined with Static Destination mode.
- Static Destination mode: This is for incoming traffic. This mode is used when servers inside the internal network have invalid IP addresses, so that packets entering the internal network arrive at their proper destinations. This mode is usually combined with Static Source mode.
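The two Address Translation modes above, modelled as an added example (this is illustrative code, not Check Point's implementation): Hide mode allocates a dynamic port per internal socket behind one valid address and uses that port to route replies back, while Static mode applies a fixed 1:1 map in the source or destination direction. All addresses and port ranges are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HideNAT:
    """Hide mode: many invalid sources hidden behind one valid IP.
    The dynamically assigned port is what tells the hidden hosts apart."""

    def __init__(self, hide_ip, first_port=10000):  # port range is a constructed assumption
        self.hide_ip = hide_ip
        self.next_port = first_port
        self.table = {}    # (internal ip, internal port) -> allocated hide port
        self.reverse = {}  # hide port -> (internal ip, internal port)

    def outbound(self, p):
        key = (p.src_ip, p.src_port)
        if key not in self.table:  # new internal socket: allocate a fresh hide port
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.hide_ip, self.table[key], p.dst_ip, p.dst_port)

    def inbound(self, p):
        # Reply traffic: the hide port recovers the real internal host.
        # Anything not matching an existing outbound connection has no mapping.
        if p.dst_ip != self.hide_ip or p.dst_port not in self.reverse:
            return None
        ip, port = self.reverse[p.dst_port]
        return Packet(p.src_ip, p.src_port, ip, port)


class StaticNAT:
    """Static mode: fixed 1:1 correspondence between invalid and valid IPs."""

    def __init__(self, mapping):
        self.to_valid = dict(mapping)                      # invalid -> valid
        self.to_invalid = {v: k for k, v in mapping.items()}  # valid -> invalid

    def static_source(self, p):  # outgoing: rewrite only the source address
        return Packet(self.to_valid.get(p.src_ip, p.src_ip), p.src_port, p.dst_ip, p.dst_port)

    def static_destination(self, p):  # incoming: rewrite only the destination address
        return Packet(p.src_ip, p.src_port, self.to_invalid.get(p.dst_ip, p.dst_ip), p.dst_port)
```

Two internal hosts using the same source port get distinct hide ports, and a reply to an unallocated hide port yields no translation, which is the state the implicit drop would handle.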
29. The NAT Rule Base consists of three elements:
- Original Packet
- Translated Packet
- Install On
Original Packet and Translated Packet, in turn, consist of the following:
"Install On" specifies which firewalled objects will enforce the rule.