Check Point Security

Administration NGX I
Authorized Check Point Distributor
Module 6: Encryption and Virtual
Private Networks
Check Point Security
Administration
Course Map
Module 1: Check Point Firewall Architecture &
Installation
Module 2: Security Policy
Module 3: Network Address Translation
Module 4: Log/Monitoring
Module 5: SmartDefense
Module 6: Encryption and VPNs
Module 7: Disaster Recovery
Module 6:
Introduction to Site-to-Site VPN
Objectives
Demonstrate gateway-to-gateway encryption
using IKE with shared secrets.
Demonstrate gateway-to-gateway encryption
using IKE with certificates.
Discuss the configuration of Remote Access using
IPSec and SSL VPN
Key Terms
pre-shared secret
VPN site
VPN community
Mesh
Star
Module 6:
The Virtual Private Network
a VPN is a private network that overlays
onto the Internet
this supports a secure communication
link between partners
VPNs are fast replacing more expensive
leased lines, frame relay circuits and
other forms of dedicated connections
Site-to-Site VPN
Remote Access (client-to-site)
Module 6: Encryption and Virtual
Private Networks
Module 6.a: Site-to-Site VPN
Module 6:
Two Gateway Network Configuration
two private networks are connected to the Internet
through firewalled gateways
Module 6:
Types of site-to-site VPNs
Intranet VPNs
Extranet VPNs
Module 6:
Intranet VPNs
built to handle secure communication
between internal departments and branch
offices
intranet VPN design requirements
include:
strong data encryption to protect confidential
information
reliability for mission-critical systems (e.g.,
database management)
scalable to accommodate growth and change
Module 6:
Intranet VPN
Module 6:
Extranet VPNs
built to handle secure communication
between a company and its strategic
partners, customers and suppliers
extranet VPN design requirements
include:
Internet Protocol Security standard (IPSec)
traffic control to prevent network access
point bottlenecks
fast delivery and response times for critical
data
Module 6:
Extranet VPN
Module 6:
VPN Implementation
a complete VPN implementation
supports all types of VPN
the complete VPN must include three
critical components:
Security including access control,
authentication and encryption
QoS VPN traffic control should include
bandwidth management and VPN
acceleration to ensure QoS
Performance and management should
include policy based management
Module 6:
Complete VPN
Module 6:
Understanding VPN Deployment
Check Point's VPN management model
now enables administrators to directly
define a VPN on a group of gateways
this uses a new entity called a VPN Site
this is different from sites defined in
SecuRemote or SecureClient
VPN Sites can be grouped to create
VPN Communities
this model simplifies the process of
defining VPNs
2006 Check Point Software
Simplified Intranet Setup
Two Basic Types of VPN community
Mesh
Star
Module 6:
Star and Mesh VPN communities
Integrating VPNs into a Rule Base
VPN Rule in a Simplified Rule Base
Module 6:
Two Gateway IKE Encryption
Configuration
Module 6:
Lab: Site-to-Site VPN using shared key
Module 6:
Lab: Site-to-Site VPN using certificates
Module 6.b:
Remote Access (client-to-site)
Module 6:
Remote Access VPNs
built to handle secure communication
between a corporate network and
remote or mobile employees
remote access VPN design requirements
include:
strong authentication to verify remote and
mobile users
centralised management
scalable to accommodate user groups
Module 6:
Remote Access VPN
Module 6:
Configuring Remote Access
Define the users and user groups that will be
allowed access, and the authentication to be
used
Configure Gateways to enable Remote
Access
Configure a Remote Access VPN Community
Define VPN connection rules in the Policy
Rule Base
Install SecuRemote/SecureClient on all users'
computers
Configure Remote Access
Define users/user groups
Configure Remote Access
Configure VPN Community, gateway
Configure Remote Access
Install VPN client (SecuRemote/SecureClient)
Configure Remote Access
SecuRemote/SecureClient
Module 6:
Example Network
SecuRemote/SecureClient is installed on Bob's and
Anna's machines, and a User Authentication rule is in the
Firewall policy
Bob and Anna can connect to netoslo using their own
names and passwords
Module 6:
Rule Base Configuration
Rule Base without Encryption
Rule Base with RemoteAccess VPN
Object
Module 6:
Office Mode
this mode allows an organisation to
assign internal IP addresses to
SecureClient users
this IP address is encapsulated inside the
VPN tunnel between the client and
gateway
this mode enables administrators to
control which IP addresses will be used
by remote clients inside the local network
Office Mode
Overview
Before VPN-1 NGX, there were only three
ways to configure Office Mode:
Office Mode by IP pool
Office Mode by DHCP
IP per user (by editing ipassignment.conf)
Office Mode: How Office Mode
Works
Module 6:
Routing Considerations
the default routing must ensure that reply
packets (returning to the SecuRemote
client) are routed through the same
encrypting gateway through which the
original packets were delivered
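The routing requirement above (replies must leave through the gateway that encapsulated the original packet) can be checked against an internal routing table before it bites. The following is an added example, not part of the course material: the gateway names, Office Mode pools and route entries are all constructed, and the check simply walks each pool and reports any address whose longest-prefix match points at a different gateway.

```python
import ipaddress

# Constructed: each encrypting gateway hands out Office Mode addresses from its own pool.
OFFICE_MODE_POOLS = {
    "gw-oslo": ipaddress.ip_network("10.200.1.0/24"),
    "gw-london": ipaddress.ip_network("10.200.2.0/24"),
}

# Constructed internal routing tables: (prefix, next-hop gateway).
# A single summary route sends every Office Mode reply to gw-oslo, so replies
# for gw-london's clients would leave through the wrong encrypting gateway.
BROKEN_ROUTES = [
    (ipaddress.ip_network("10.200.0.0/16"), "gw-oslo"),
]
# Adding the more specific route restores a symmetric return path.
FIXED_ROUTES = BROKEN_ROUTES + [
    (ipaddress.ip_network("10.200.2.0/24"), "gw-london"),
]


def next_hop(dst, routes):
    """Longest-prefix match over the routing table; None if nothing matches."""
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def check_return_paths(pools, routes):
    """Walk every host address of every Office Mode pool and report those whose
    reply would not be routed back through the gateway that owns the pool.
    Returns {gateway: {wrong_next_hop: affected_address_count}}; empty when clean."""
    problems = {}
    for gw, pool in pools.items():
        for addr in pool.hosts():
            hop = next_hop(addr, routes)
            if hop != gw:
                counts = problems.setdefault(gw, {})
                counts[hop] = counts.get(hop, 0) + 1
    return problems


if __name__ == "__main__":
    print("broken:", check_return_paths(OFFICE_MODE_POOLS, BROKEN_ROUTES))
    print("fixed:", check_return_paths(OFFICE_MODE_POOLS, FIXED_ROUTES))
```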
Module 6: SSL VPN
[Figure: SSL VPN deployment. Business Partner, Mobile Worker and Teleworker users open an SSL session (HTTPS) across the Internet to the SSL VPN Gateway; the gateway authenticates them against an Authentication Server and forwards HTTP to the Web-based Applications.]
For IPSec VPN, SecuRemote/SecureClient must be installed on the PCs;
SSL VPN only needs a Web browser (IE or Firefox)
Module 6:
Defining SecuRemote Users
Install SecuRemote/SecureClient
Software
Configuring Remote Access in an
IKE VPN
Module 6: SSL VPN
Configure SSL VPN
Access through a web browser