CCSA R70 Study Guide
TRADEMARKS
2003-2010 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Endpoint Security On Demand, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Power-1, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartProvisioning, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, Total Security, the totalsecurity logo, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications.

DISCLAIMER OF WARRANTY
Check Point Software Technologies Ltd. makes no representation or warranties, either express or implied by or with respect to anything in this document, and shall not be liable for any implied warranties of merchantability or fitness for a particular purpose or for any indirect special or consequential damages.
International Headquarters:
U.S. Headquarters:
800 Bridge Parkway, Redwood City, CA 94065. Tel: 650-628-2000, Fax: 650-654-4233
8333 Ridgepoint Drive, Suite 150, Irving, TX 75063. Tel: 972-444-6612, Fax: 972-506-7913
E-mail any comments or questions about our courseware to courseware@us.checkpoint.com. For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.
Contents

Chapter 1: Check Point Technology Overview
  Check Point Technology Overview Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 2: Check Point Software Blades
  Check Point Software Blades Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 3: Deployment Platforms
Chapter 4: Introduction to the Security Policy
  Introduction to the Security Policy Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 5: Monitoring Traffic and Connections
  Monitoring Traffic and Connections Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 6: Using SmartUpdate
  SmartUpdate Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 7: Upgrading to R70
Chapter 8: User Management and Authentication
  User Management and Authentication Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 9: Encryption and VPNs
  Encryption and VPNs Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 10: Introduction to VPNs
  Introduction to VPNs Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 11: Messaging and Content Security
  Messaging and Content Security Topics
  Sample CCSA R70 Exam Question
  Answer
Chapter 12: Check Point IPS
  Check Point IPS Topics
  Sample CCSA R70 Exam Question
  Answer
Preface
The Check Point Certified Security Administrator Exam
The Check Point Security Administrator R70 course provides an understanding of the basic concepts and skills necessary to configure the Check Point Security Gateway, configure Security Policies, and manage and monitor secure networks. The Check Point Security Administrator R70 Study Guide supplements the knowledge you have gained from the Security Administrator R70 course; it is not a sole means of study.

The Check Point Certified Security Administrator R70 exam covers the following topics:
  Describe Check Point's unified approach to network management, and the key elements of this architecture
  Design a distributed environment using the network detailed in the course topology
  Install the Security Gateway version R70 in a distributed environment using the network detailed in the course topology
  Given Check Point's latest integration of CoreXL technology, select the best security solution for your corporate environment
  Given network specifications, perform a backup and restore the current Gateway installation from the command line
  Identify critical files needed to purge or backup, import and export users and groups, and add or delete administrators from the command line
  Deploy Gateways using sysconfig and cpconfig from the Gateway command line
  Use the command line to assist support in troubleshooting common problems on the Security Gateway
  Given the network topology, create and configure network, host and gateway objects
  Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard
  Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use
  Configure NAT rules on Web and Gateway servers
  Evaluate existing policies and optimize the rules based on current corporate requirements
  Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime
  Use queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data
  Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality
  Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements
  Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications
  Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways
  Upgrade and attach product licenses using SmartUpdate
  Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely
  Manage user access to the corporate LAN by using external databases
  Select the most appropriate encryption algorithm when securing communication over a VPN, based on corporate requirements
  Establish VPN connections to partner sites in order to establish access to a central database by configuring Advanced IKE properties
  Configure a pre-shared secret site-to-site VPN with partner sites
  Configure a certificate-based site-to-site VPN using one partner's internal CA
  Configure a certificate-based site-to-site VPN using a third-party CA
  Configure permanent tunnels for remote access to corporate resources
  Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels
  Configure Check Point Messaging Security to test IP Reputation, content-based anti-spam, and zero-hour virus detection
  Based on network analysis disclosing threats by specific sites, configure a Web-filtering and antivirus policy to filter and scan traffic
  Implement default or customized profiles to designated Gateways in the corporate network
  Manage profiles by tracking changes to the network, including performance degradation, and troubleshoot issues with the network related to specific IPS policy rules
  Create and install IPS policies
Question: How long is the exam? Do I get extra time if I am not a native English speaker?

Candidates in the following countries are given 120 minutes to complete the exam; all other regions get 150 minutes:
  Australia, Bermuda, Canada, Japan, New Zealand, Ireland, South Africa, UK, US
Chapter 1: Check Point Technology Overview
Check Point technology is designed to address network exploitation, administrative flexibility and critical accessibility. This chapter introduces the basic concepts of network security and management based on Check Point's three-tier structure, and provides the foundation for the technologies involved in the Check Point Software Blade Architecture, as discussed in the introduction. This course is lab-intensive, and in this chapter you will begin your hands-on approach with a first-time installation using standalone and distributed topologies.

Objectives:
  Describe Check Point's unified approach to network management, and the key elements of this architecture
  Design a distributed environment using the network detailed in the course topology
  Install the Security Gateway version R70 in a distributed environment using the network detailed in the course topology
Table 1-1: Check Point Technology Overview Topics
Topics:
  Security Gateway Inspection Architecture
  Deployment Strategies
  The DMZ
  Bridge Mode
  Security Policy Management
  SmartConsole Components
  Security Management Server
  Securing Channels of Communication
  Administrative Login Using SIC
Lab key elements:
  Install Security Management Server
  Configure Security Management Server - sysconfig
  Configure Corporate Security Gateway - WebUI
  Install SmartConsole
  Launch SmartDashboard
Lab 2: Branch Office Security Gateway Installation
  Install SecurePlatform on Branch Gateway
  Configure Branch Gateway WebUI
Sample CCSA R70 Exam Question
What would be the benefit of upgrading from SmartDefense to IPS R70?
1. Completely rewritten engine provides improved security performance and reporting.
2. There is no difference - IPS R70 is the new name.
3. The SmartDefense technology expands IPS-1 to IPS R70.
4. SmartDefense is replaced by the technology of IPS-1.
Answer
Chapter 2: Check Point Software Blades
Check Point Software Technologies' Software Blade architecture is the industry's first network security architecture designed to meet businesses' need for total, flexible and manageable security. The new architecture empowers businesses to select, from a library of over 20 software blades, the exact security protections necessary, and to dynamically tailor security gateways for different environments and sites.

Objectives:
  Given Check Point's latest integration of CoreXL technology, select the best security solution for your corporate environment
Sample CCSA R70 Exam Question
Select the correct statement about Secure Internal Communications (SIC) Certificates. SIC Certificates:
1. Increase network security by securing administrative communication with a two-factor challenge response authentication.
2. Uniquely identify machines installed with Check Point software only. They have the same function as RSA Authentication Certificates.
3. Can be used for securing internal network communications between the Security Gateway and an OPSEC device.
4. For R70 Security Gateways are created during the Security Management Server installation.
Chapter 3: Deployment Platforms
Before delving into the intricacies of creating and managing Security Policies, it is useful to know about Check Point's different deployment platforms, and to understand the basic workings of the Check Point UNIX-based and Linux-based operating systems (IPSO and SecurePlatform) that support many Check Point products. For those familiar with Linux and UNIX, this section will be a review; for those with little to no Linux/UNIX experience, it will be a welcome guide.

Objectives:
  Given network specifications, perform a backup and restore the current Gateway installation from the command line
  Identify critical files needed to purge or backup, import and export users and groups, and add or delete administrators from the command line
  Use command line utilities to assist support in troubleshooting common problems on the Security Gateway
  Deploy Gateways using sysconfig and cpconfig from the Gateway command line
Deployment Platforms Topics
Lab key elements:
  Apply Other Useful Commands
  Add and Delete Administrators via the CLI
  Perform backup and restore
Sample CCSA R70 Exam Question
What is the primary benefit of using upgrade_export over either backup or snapshot?
1. upgrade_export will back up routing tables, hosts files, and manual ARP configurations, where backup and snapshot will not.
2. upgrade_export has an option to back up the system and SmartView Tracker logs, while backup and snapshot do not.
3. The backup and snapshot commands can take a long time to run, whereas upgrade_export will take a much shorter amount of time.
4. upgrade_export is operating system independent and can be used when backup or snapshot is not available.
Answer
Chapter 4: Introduction to the Security Policy
The Security Policy is essential in administering security for your organization's network. Your organization not only has to do a good job managing perimeter access control to company resources, but must also handle sensitive traffic to and from local area networks and remote devices, provide much-needed application-layer protection, maintain simple and effective management, and keep its security budget under control.

Objectives:
  Given the network topology, create and configure network, host and gateway objects
  Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard
  Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use
  Configure NAT rules on Web and Gateway servers
  Evaluate existing policies and optimize the rules based on current corporate requirements
  Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime
Table 4-4: Security Policy Topics
Topics:
  Installation Targets
  Querying and Sorting Rules and Objects
  Implementing Database Revision Control
  IP Addressing
  Hide NAT
  Static NAT
  Choosing the Hide Address
  Configuring Automatic NAT
  Hide NAT Object Configuration
  Manual NAT
  Multicasting
  Configuring Multicast Access Control
Lab key elements:
  Create Security Gateway Object
  Create GUIclient Object
  Create Rules for Corporate Gateway
  Save the Policy
  Install the Policy
  Test the Corporate Policy
  Create the Remote Security Gateway Object
  Create a New Policy for the Branch Office
  Combine Policies
  Configure DMZ Interface on the Gateway
  Create DMZ Objects in SmartDashboard
  Create DMZ Access Rule
  Test the Policy
Lab 6: Configuring NAT
  Configure Hide NAT on the Corporate Network
  Test the Hide NAT Address
  Configure Static NAT on the DMZ Server
  Test the Static NAT Address
  Observe Hide NAT Traffic Using fw monitor
  Observe Static NAT Traffic Using fw monitor
Sample CCSA R70 Exam Question
A Web server behind the Security Gateway is set to Automatic Static NAT. Client side NAT is not checked in the Global Properties. A client on the Internet initiates a session to the Web server. Assuming there is a rule allowing this traffic, what other configuration must be done to allow the traffic to reach the Web server?
1. Nothing else must be configured.
2. Automatic ARP must be unchecked in the Global Properties.
3. A static route must be added on the Security Gateway to the internal host.
4. A static route for the NAT IP must be added to the Gateway's upstream router.
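The question turns on where the gateway rewrites the destination address relative to its routing lookup. The Python model below is an added example written for this guide, not Check Point code; the interface names, addresses, and route table are constructed. It treats the Global Properties setting "Translate destination on client side" as a destination rewrite on the inbound interface (between the i and I positions you would see in the fw monitor lab), before routing, and the unchecked case as a rewrite on the outbound interface (between o and O), after routing. In the unchecked case the routing lookup sees the public NAT address, so the gateway needs a static route for that address pointing at the internal host. The model also includes the Automatic ARP setting: that is what lets the upstream router resolve the NAT address on the external segment, so turning it off does not help.

```python
"""Where a gateway translates a Static NAT destination, and why the
"server side" (client-side NAT unchecked) case needs a static route.

Constructed illustration, not Check Point code. Addresses, interface
names and the route table are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str


@dataclass
class Gateway:
    routes: dict                  # prefix -> egress interface
    hosts: dict                   # real address -> interface it sits behind
    static_nat: dict              # public (NAT) address -> real address
    client_side_nat: bool = True  # Global Properties > NAT: translate destination on client side
    automatic_arp: bool = True    # Global Properties > NAT: automatic ARP configuration

    def route(self, dst: str):
        """Longest-prefix match; None when no route covers dst."""
        best = None
        for prefix, iface in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None

    def translate_dst(self, pkt: Packet) -> Packet:
        return Packet(pkt.src, self.static_nat.get(pkt.dst, pkt.dst))

    def forward(self, pkt: Packet):
        """Return (egress interface, packet as it leaves the gateway)."""
        if self.client_side_nat:
            pkt = self.translate_dst(pkt)        # rewrite inbound (between i and I), then route
            return self.route(pkt.dst), pkt
        iface = self.route(pkt.dst)              # routing lookup sees the public address
        return iface, self.translate_dst(pkt)    # rewrite outbound (between o and O)

    def delivered(self, pkt: Packet) -> bool:
        """True when the packet leaves on the interface the real server sits behind."""
        iface, out = self.forward(pkt)
        return iface is not None and self.hosts.get(out.dst) == iface

    def answers_arp(self, addr: str) -> bool:
        """Does the gateway answer the upstream router's ARP request for addr?"""
        return self.automatic_arp and addr in self.static_nat

    def untranslate_src(self, pkt: Packet) -> Packet:
        """Reply path: the server's real source goes back to its public address."""
        reverse = {real: public for public, real in self.static_nat.items()}
        return Packet(reverse.get(pkt.src, pkt.src), pkt.dst)


def make_gateway(client_side_nat: bool, host_route: bool) -> Gateway:
    """Constructed topology: eth0 faces the Internet, eth1 faces the DMZ."""
    routes = {"203.0.113.0/24": "eth0", "10.1.1.0/24": "eth1", "0.0.0.0/0": "eth0"}
    if host_route:
        routes["203.0.113.80/32"] = "eth1"   # static route for the NAT address
    return Gateway(routes=routes,
                   hosts={"10.1.1.80": "eth1"},
                   static_nat={"203.0.113.80": "10.1.1.80"},
                   client_side_nat=client_side_nat)


# Constructed Internet client connecting to the Web server's public address
REQUEST = Packet(src="198.51.100.7", dst="203.0.113.80")

if __name__ == "__main__":
    for cs, hr in [(True, False), (False, False), (False, True)]:
        gw = make_gateway(cs, hr)
        iface, out = gw.forward(REQUEST)
        print(f"client-side NAT={cs!s:5} host route={hr!s:5} "
              f"egress={iface} dst={out.dst} delivered={gw.delivered(REQUEST)}")
```

With client-side translation the packet is delivered without any extra route; with it unchecked, the public address routes back out eth0 until a host route for 203.0.113.80 via eth1 is added. This is the behaviour to confirm in the fw monitor lab: watch at which of the four inspection points the destination changes.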
Chapter 5: Monitoring Traffic and Connections
To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns.

Objectives:
  Use queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data
  Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality
  Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements
Table 5-5: Monitoring Traffic and Connections Topics
Topics:
  Eventia Reporter
  Report Types
  Predefined Reports
  Customizing Predefined Reports
  Eventia Reporter Considerations
  Eventia Reporter Licensing
Lab 7: Monitoring with SmartView Tracker
  Launch SmartView Tracker
  Track by Source and Destination
  Modify the Gateway to Activate SmartView Monitor
  View Traffic Using SmartView Monitor
Sample CCSA R70 Exam Question
A third-shift Security Administrator configured and installed a new Security Policy early this morning. When you arrive, he tells you that he has been receiving complaints that Internet access is very slow. You suspect the Security Gateway virtual memory might be the problem. Which SmartConsole component would you use to verify this?
1. This information can only be viewed with the fw ctl pstat command from the CLI.
2. SmartView Tracker.
3. Eventia Analyzer.
4. SmartView Monitor.
Answer
Chapter 6: Using SmartUpdate
SmartUpdate extends your organization's ability to provide centralized policy management across enterprise-wide deployments. SmartUpdate can deliver automated software and license updates to hundreds of distributed Security Gateways from a single management console.

Objectives:
  Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications
  Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways
  Upgrade and attach product licenses using SmartUpdate
Sample CCSA R70 Exam Question
You are a Security Administrator preparing to deploy a new HFA (Hotfix Accumulator) to ten Security Gateways at five geographically separate locations. What is the BEST method to implement this HFA?
1. Send a Certified Security Engineer to each site to perform the update.
2. Use SmartUpdate to install the packages to each of the Security Gateways remotely.
3. Use an SSH connection to SCP the HFA to each Security Gateway. Once copied locally, initiate a remote installation command and monitor the installation progress with SmartView Monitor.
4. Send a CD-ROM with the HFA to each location and have local personnel install it.
Chapter 7: Upgrading to R70
This chapter shows how to upgrade an existing Security Management Server and Security Gateway to R70. Upgrades preserve Check Point product configurations, Security Policies, and objects, so that Security Administrators do not need to recreate Gateway and Security Management Server configurations. The chapter also lists guidelines for deciding when to upgrade versus performing a new installation.

Objectives:
  Based on current products or platforms used in an enterprise network, perform a pre-installation compatibility assessment before upgrading to R70
  Given R70 licensing restrictions, obtain a license key
  Install a Contract File on platforms such as Windows, SecurePlatform, Linux, Solaris and IPSO
Table 7-7: Upgrading to R70 Topics
Topics:
  IPS-1 Upgrade Paths and Interoperability
  Important R70 Upgrade Notes
  Upgrade Configuration
  Distributed Installation
  Gateway Upgrade
Lab 9: Upgrading a Security Gateway Locally
  Upgrade the Security Gateway
Sample CCSA R70 Exam Question
You currently do not have a Check Point software subscription for one of your products. What will happen if you attempt to upgrade the license for this product?
1. The license is not upgraded.
2. It is upgraded with new available features, but cannot be activated.
3. It is deleted.
4. The license will be upgraded with a warning.
Chapter 8: User Management and Authentication
In this chapter, we discuss Security Gateway options for creating, managing, and authenticating users. If you do not have a user-management infrastructure in place, you can choose between managing the internal user database and implementing an LDAP server. If you have a large user count, Check Point recommends an external user-management database, such as LDAP. Maintaining a large user database externally greatly improves Security Gateway performance; for example, the user database does not have to be reinstalled every time user information changes. The external user database can also be used as the user database by other applications.

Authentication confirms the identity of valid users authorized to access your company network. Staff from different departments are assigned access permissions based on their level of responsibility and role within the organization. Authentication ensures that all users trying to access the system are valid users, but does not define their access rights. Check Point authentication features let you verify the identity of users logging in to the Security Gateway, and also let you control security by allowing some users access and disallowing others. Users authenticate by proving their identities according to the scheme specified under a Gateway authentication scheme, such as LDAP, RADIUS, SecurID or TACACS.

Objectives:
  Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely
  Manage user access to the corporate LAN by using external databases
Table 8-8: User Management and Authentication Topics
Topics:
  Configuring Session Authentication
  Client Authentication
  Configuring Client Authentication
  Resolving Access Conflicts
  Configuring Authentication Tracker
  LDAP Features
  Multiple LDAP Servers
  Using an Existing LDAP Server
  Configuring Entities to Work with the Gateway
  Managing Users
  SmartDirectory Groups
Lab 10: Client Authentication
  Use Manual Client Authentication with FTP and Local User
  Modify the Rule Base
  Test Manual Client Authentication
  Use Partially Automatic Client Auth with a Local User
  Use Partially Automatic Client Auth with LDAP
  Verify SmartDashboard Integration
  Test Active Directory Authentication
  Create a Database Revision
Sample CCSA R70 Exam Question
Choose the BEST sequence for configuring user management in SmartDashboard, using an LDAP server.
1. Configure a server object for the LDAP Account Unit, and create an LDAP resource object.
2. Configure a workstation object for the LDAP server, configure a server object for the LDAP Account Unit, and enable LDAP in Global Properties.
3. Configure a server object for the LDAP Account Unit, enable LDAP in Global Properties, and create an LDAP resource object.
4. Enable LDAP in Global Properties, configure a host-node object for the LDAP server, and configure a server object for the LDAP Account Unit.
Chapter 9: Encryption and VPNs
The Check Point Security Gateway enables you to create site-to-site Virtual Private Networks (VPNs) that provide secure communication between two defined participants, by encrypting the communication on unsecured public networks, such as the Internet.

Objectives:
  Select the most appropriate encryption algorithm when securing communication over a VPN, based on corporate requirements
  Configure a certificate-based site-to-site VPN using one partner's internal CA
  Establish VPN connections to partner sites in order to establish access to a central database by configuring Advanced IKE properties
Table 9-9: Encryption and VPNs Topics
Topics:
  Certificates
  Multiple Certificate Authorities
  Local Certificate Authority
  CA Service via the Internet
  Internal Certificate Authority
  Creating Certificates
Sample CCSA R70 Exam Question
Your organization maintains several IKE VPNs. Executives in your organization want to know which mechanism Security Gateway R70 uses to guarantee the authenticity and integrity of messages. Which technology should you explain to the executives?
1. Certificate Revocation Lists.
2. Application Intelligence.
3. Digital signatures.
4. Key-exchange protocols.
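The two peer-authentication methods this chapter and the next contrast (a certificate, verified by digital signature, versus a pre-shared secret) both let the receiver detect a modified message, but they differ in who can produce a valid one. The following Python is an added example written for this guide, not Check Point code or a description of the IKE message format: real IKE signs or MACs a hash over the exchange rather than a bare identity string, and the RSA here is unpadded textbook RSA over two fixed Mersenne primes, chosen only so the arithmetic is visible, never for real use. The message, the shared secret and the key sizes are constructed.

```python
"""Pre-shared secret (MAC) versus certificate (digital signature) authentication.

Constructed illustration, not Check Point code. Both detect tampering; only the
signature stops a peer that holds the verification material from forging.
The RSA is textbook RSA with no padding, for visibility only.
"""
import hashlib
import hmac


def psk_tag(shared_secret: bytes, message: bytes) -> bytes:
    """Pre-shared-secret authentication: HMAC-SHA256 over the message."""
    return hmac.new(shared_secret, message, hashlib.sha256).digest()


def psk_verify(shared_secret: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(psk_tag(shared_secret, message), tag)


def make_keypair(p: int = 2**31 - 1, q: int = 2**61 - 1, e: int = 65537):
    """Toy RSA key pair. p and q default to the Mersenne primes 2^31-1 and
    2^61-1 (constructed, far too small for real use); e is coprime to (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)          # (public key, private key)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Certificate-style authentication: only the private-key holder can do this."""
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the certificate (public key) can check the signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo() -> dict:
    """Outcomes for the cases the text contrasts; every value should be True."""
    msg = b"IKE peer identity: corporate-gw"        # constructed payload
    tampered = b"IKE peer identity: attacker-gw"
    shared = b"correct horse battery staple"        # constructed pre-shared secret

    corp_pub, corp_priv = make_keypair()
    # the branch office has its own key pair (2^89-1 is also a Mersenne prime)
    _branch_pub, branch_priv = make_keypair(p=2**61 - 1, q=2**89 - 1)

    tag = psk_tag(shared, msg)
    sig = sign(corp_priv, msg)
    return {
        "psk_ok": psk_verify(shared, msg, tag),
        "psk_detects_tamper": not psk_verify(shared, tampered, tag),
        # whoever holds the shared secret (the partner, or anyone who copied it)
        # can produce a valid tag for any message in the corporate gateway's name
        "psk_forgeable_by_holder": psk_verify(shared, tampered, psk_tag(shared, tampered)),
        "sig_ok": verify(corp_pub, msg, sig),
        "sig_detects_tamper": not verify(corp_pub, tampered, sig),
        # the partner's own private key does not verify under the corporate certificate
        "sig_not_forgeable": not verify(corp_pub, tampered, sign(branch_priv, tampered)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26} {ok}")
```

The practical consequence for a partner VPN: a pre-shared secret must be handed to every peer, and each of them can then impersonate you to any other peer that uses the same secret, whereas with certificates each gateway keeps its private key and peers only need the CA to validate the certificate, which is why the chapter covers internal and third-party CAs.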
Answer
Chapter 10: Introduction to VPNs
Virtual Private Networking technology leverages the Internet to build and enhance secure network connectivity. Based on standard Internet security protocols, a VPN enables secure links between special types of network nodes: the Gateways. Site-to-site VPN ensures secure links between Gateways; Remote Access VPN ensures secure links between Gateways and remote access clients.

Objectives:
  Configure a pre-shared secret site-to-site VPN with partner sites
  Configure permanent tunnels for remote access to corporate resources
  Configure VPN tunnel sharing, given the difference between host-based, subnet-based and gateway-based tunnels
Table 10-10: Introduction to VPNs Topics
Topics:
  VPN Tunnel Management
  Permanent Tunnels
  VPN Tunnel Sharing
  Remote Access VPNs
  Multiple Remote Access VPN Communities
  Establishing a Connection Between Remote User and a Gateway
  Configuring Remote Access VPN
Lab 11: Site-to-Site VPN Between Corporate and Branch Office
  Define the VPN Domain
  Create the VPN Community
  Create the VPN Rule and Modify the Rule Base
  Test VPN Connection
  VPN Troubleshooting
Lab 12: Two-Gateway IKE Encryption Using Certificates
  Save Certificate for Export
  Add Instructor Machine to VPN Community
  Add the Instructor Network to the VPN Community
  Create Atlantis Certificate Authority
  Modify the Rule Base
  Install and Verify Security Gateway Configuration
  Test Encryption with Certificates
  Revert to Standard Security Policy
Remote access lab key elements:
  Create Remote-Access Group
  Configure Gateway for IKE Encryption and LDAP Authentication
  Configure VPN Domain
  Configure Office Mode IP-Pool
  Configure Remote Access Community Objects
  Modify the Rule Base for Remote Access
  Create a Site Using the Site Wizard
  Verify Office Mode IP Assignment
  Test the Remote Connection
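The VPN Tunnel Sharing setting in the topics above decides how many IPsec tunnels a pair of gateways negotiates for the same traffic: one per pair of hosts, one per pair of subnets, or one per pair of gateways. The Python below is an added example written for this guide, not Check Point code; the VPN domains, addresses and traffic sample are constructed. It classifies each flow by the selector pair that would identify its tunnel under each setting, treats the reply direction as the same tunnel, and leaves out flows that are not between two VPN domains at all.

```python
"""How the VPN Tunnel Sharing setting changes the number of tunnels negotiated.

Constructed illustration, not Check Point code. Domains, addresses and flows
are made up. A flow whose endpoints are not in two different VPN domains is
not VPN traffic and gets no tunnel.
"""
from ipaddress import ip_address, ip_network

# Constructed encryption (VPN) domains: gateway name -> protected subnets
VPN_DOMAINS = {
    "Corporate": ["10.1.0.0/24", "10.1.1.0/24"],
    "Branch": ["10.2.0.0/24"],
}

MODES = ("host", "subnet", "gateway")   # one tunnel per host pair / subnet pair / gateway pair


def locate(addr: str):
    """Return (gateway, subnet) protecting addr, or None if addr is in no VPN domain."""
    ip = ip_address(addr)
    for gw, subnets in VPN_DOMAINS.items():
        for subnet in subnets:
            if ip in ip_network(subnet):
                return gw, subnet
    return None


def tunnel_id(src: str, dst: str, mode: str):
    """Selector pair identifying the tunnel that carries src -> dst, or None.

    The pair is sorted so the reply direction maps onto the same tunnel.
    """
    a, b = locate(src), locate(dst)
    if a is None or b is None or a[0] == b[0]:
        return None                         # not VPN traffic (or intra-site)
    if mode == "host":
        selectors = (src, dst)
    elif mode == "subnet":
        selectors = (a[1], b[1])
    elif mode == "gateway":
        selectors = (a[0], b[0])
    else:
        raise ValueError(f"unknown tunnel sharing mode {mode!r}")
    return tuple(sorted(selectors))


def tunnels_needed(flows, mode: str) -> set:
    """Distinct tunnels the gateway pair must negotiate to carry the given flows."""
    ids = (tunnel_id(src, dst, mode) for src, dst in flows)
    return {t for t in ids if t is not None}


# Constructed traffic sample: four inter-site flows, one reply, one Internet flow
FLOWS = [
    ("10.1.0.5", "10.2.0.8"),
    ("10.1.0.6", "10.2.0.8"),
    ("10.1.1.9", "10.2.0.8"),
    ("10.1.0.5", "10.2.0.9"),
    ("10.2.0.8", "10.1.0.5"),    # reply direction of the first flow
    ("10.1.0.5", "192.0.2.1"),   # outside every VPN domain: not encrypted
]


def summary(flows=FLOWS) -> dict:
    """Tunnel count per sharing mode for the flow sample."""
    return {mode: len(tunnels_needed(flows, mode)) for mode in MODES}


if __name__ == "__main__":
    for mode, count in summary().items():
        print(f"{mode:8} -> {count} tunnel(s): {sorted(tunnels_needed(FLOWS, mode))}")
```

The same five inter-site packets need four tunnels per host pair, two per subnet pair and one per gateway pair; the fewer the tunnels, the less IKE negotiation and state, at the cost of coarser selectors. The setting is negotiated between the two peers, so check it on both gateways when a tunnel fails to come up.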
Sample CCSA R70 Exam Question
You have traveling salesmen connecting to your VPN community from all over the world. Which technology would you choose?
1. IPsec: It allows complex setups that match any network situation available to the client, i.e. connection from a private customer network or various hotel networks.
2. IPsec: It offers encryption, authentication, replay protection and all algorithms that are state of the art (AES) or that perform very well. It is native to many client operating systems, so setup can easily be scripted.
3. SSL VPN: It only requires HTTPS connections between client and server. These are most likely open from all networks, unlike IPsec, which uses protocols and ports that are blocked by many sites.
4. SSL VPN: It has more secure and robust encryption schemes than IPsec.
Chapter 11: Messaging and Content Security
Protecting corporate resources is a major concern for most businesses. Blocking undesirable content is an important part of a corporate security policy for a variety of reasons, including:
  Computer viruses, Trojans and ActiveX components containing malicious code can bring down entire networks.
  Viewing undesirable Web content wastes time and resources.
Access control firewalls prevent unauthorized traffic from passing through the Gateway. However, hackers also attempt to misuse allowed traffic and services. Some of the most serious threats in today's Internet environment come from attacks that attempt to exploit the application layer, and access control devices cannot easily detect malicious attacks aimed at these services.

Objectives:
  Configure Check Point Messaging Security to test IP Reputation, content-based anti-spam, and zero-hour virus detection
  Based on network analysis disclosing threats by specific sites, configure a Web-filtering and antivirus policy to filter and scan traffic
Messaging and Content Security Topics
Lab key elements:
  Modify Rule Base
  Observe SMTP Traffic
  Modify the Gateway Properties
  Configure Anti-Virus and Anti-Spam for Monitor Only
  Analyze Logs
  Reconfigure Policy to Block Attacks
Sample CCSA R70 Exam Question
Which Security Servers can perform authentication tasks, but CANNOT perform content security tasks?
1. HTTP
2. RLOGIN
3. FTP
4. HTTPS
Answer
Chapter 12: Check Point IPS
This chapter presents basic information on Check Point's Intrusion Prevention Software Blade: how intrusion prevention systems work, and the network attacks that the intrusion prevention system can detect and prevent.

Objectives:
  Implement default or customized profiles to designated Gateways in the corporate network
  Manage profiles by tracking changes to the network, including performance degradation, and troubleshoot issues with the network related to specific IPS policy rules
  Create and install IPS policies
Check Point IPS Topics
Topics:
  Managing IPS Protections
  Updating IPS Protections
  Downloading Updates
  Performance Management
  Tuning Protections
  IPS Policy Settings
  Enhancing System Performance
Lab key elements:
  Modify the Gateway Properties
  Modify DMZ Server Object
  Configure IPS for Preliminary Detection
  Modify the Rule Base
  Generate an Attack
  Analyze the Attack
  Reconfigure IPS to Block Attacks
  Review Logs
Sample CCSA R70 Exam Question
You just upgraded to R70 and are using the IPS Software Blade. You want to enable all critical protections while keeping the rate of false positives very low. How can you achieve this?
1. The new IPS system is based on policies and gives you the ability to activate all checks with critical severity and a high confidence level.
2. This can't be achieved; activating any IPS system always causes a high rate of false positives.
3. As in SmartDefense, this can be achieved by activating all the critical checks manually.
4. The new IPS system is based on policies, but it has no ability to calculate or change the confidence level, so it always has a high rate of false positives.
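The profile-driven activation the question describes, and the staged rollout the lab walks through (configure IPS for preliminary detection, generate an attack, analyze it, then reconfigure IPS to block), can be expressed as two small decisions: which protections a profile activates given severity, confidence and performance-impact thresholds, and which of those may move from Detect to Prevent once the logs have been reviewed. The Python below is an added example written for this guide, not Check Point code; the protection catalogue, hit counts and false-positive review are constructed, and while the level names follow the categories the chapter uses, the ordering tables are this example's own.

```python
"""Profile-based IPS activation with a Detect-then-Prevent rollout.

Constructed illustration, not Check Point code. Catalogue, review data and
the level orderings are made up for the example.
"""
from dataclasses import dataclass

# Example orderings (lowest first); thresholds are compared against these.
SEVERITY = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}
CONFIDENCE = {"Low": 0, "Medium": 1, "Medium-High": 2, "High": 3}
IMPACT = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Protection:
    name: str
    severity: str
    confidence: str
    impact: str


@dataclass
class Profile:
    min_severity: str = "Critical"   # the question: all critical protections ...
    min_confidence: str = "High"     # ... with few false positives
    max_impact: str = "Medium"       # do not activate protections that hurt throughput
    mode: str = "Detect"             # preliminary detection first, Prevent after review

    def activates(self, p: Protection) -> bool:
        return (SEVERITY[p.severity] >= SEVERITY[self.min_severity]
                and CONFIDENCE[p.confidence] >= CONFIDENCE[self.min_confidence]
                and IMPACT[p.impact] <= IMPACT[self.max_impact])

    def activation(self, catalogue) -> dict:
        """name -> 'Inactive' or the profile mode, for every protection."""
        return {p.name: (self.mode if self.activates(p) else "Inactive") for p in catalogue}


def promote(profile: Profile, catalogue, review) -> dict:
    """Action per protection after the Detect period.

    review maps name -> (logged hits, hits the administrator judged false positives).
    A protection moves to Prevent only if it was active and none of its hits was a
    false positive; anything that produced false positives stays in Detect for tuning.
    """
    result = {}
    for name, state in profile.activation(catalogue).items():
        if state == "Inactive":
            result[name] = "Inactive"
            continue
        _hits, false_positives = review.get(name, (0, 0))
        result[name] = "Prevent" if false_positives == 0 else "Detect"
    return result


# Constructed catalogue: one protection per way of failing the default thresholds
CATALOGUE = [
    Protection("HTTP Header Overflow", "Critical", "High", "Low"),
    Protection("SQL Injection Patterns", "Critical", "Medium", "Medium"),  # confidence too low
    Protection("SSH Version Probe", "Medium", "High", "Very Low"),         # severity too low
    Protection("FTP Bounce", "Critical", "High", "High"),                  # too expensive
    Protection("SMTP Malformed Command", "High", "High", "Low"),           # below Critical
]

# Constructed review of the Detect-period logs: name -> (hits, false positives)
REVIEW = {
    "HTTP Header Overflow": (12, 0),
    "SMTP Malformed Command": (40, 3),   # three hits came from a legitimate mail scanner
}

if __name__ == "__main__":
    for label, profile in (("critical only", Profile()), ("high and above", Profile(min_severity="High"))):
        print(label, promote(profile, CATALOGUE, REVIEW))
```

Widening the profile to High severity activates the SMTP protection as well, but because its Detect period produced false positives it is held in Detect rather than promoted, which is the behaviour the lab's "analyze the attack before reconfiguring to block" step is meant to build into the process.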
Answer
72