Monday, October 27, 2014

Today I am going to spend some time familiarizing myself with the Check Point Security Gateway R77. I'll go through install (briefly, because it's simple, but this will be covered in day one) and have an initial look around the portal.

I am not counting this as the start of the 15 days countdown, that will begin once the lab has been built up and I am ready to dive in properly. This is just an overview.

Check Point R77 install

I have started a brand new VM, its got 8GB storage and 2GB memory. We are not running a distributed system - which is why I am not classing this as day one. The exam topics state that we should be able to:

  • Design a distributed environment using the network detailed in the course topology.
  • Install the Security Gateway version R77 in a distributed environment using the network detailed in the course topology.

So this is just a play around at the moment.

Install is easy. Build a VM, and boot from the ISO image. If you have ever installed a recent version of Red Hat Linux (and this includes CentOS), the install will look very familiar.

During install you are asked to complete some language options, IP addressing and give a password for the admin account. Not much to it, but we'll go through it properly on Day one.

Once it has finished you can navigate to the IP address you have chosen using your browser (it's on HTTPS, by the way). Logging in, you then run through the final steps of configuration, including the role the system will take: mainly management, or gateway, or both. I left all the defaults, but you can change your IP address if you want; all I added was the DNS servers. Once done you can reboot, and then you are ready to rock.

Check Point Gaia R77 interface

The interface is nice: we have all our interesting configurable stuff down the left-hand side, which we'll look at in a moment, but until then let's look at the main screen.

Firstly we have a banner telling us to "Manage Software Blades using SmartConsole", and our system details:

Check Point R77 overview

Beneath that we have our network configuration:

Check Point R77 interfaces

And, to the right, we have our blades, which are all greyed out:

Check Point R77 blades 1

Check Point R77 blades 2

Let's get those bad-boys un-greyed!

Clicking on the green "Download Now!" button downloads SmartConsole.exe, which is just under 300MB. It would be nice to have a Mac app, but it all uses Microsoft's .NET, and it will ask you to install the Visual C++ 2005 redistributable package if you don't already have it installed. Being Microsoft, it takes a while to install the redistributable package.

Once done, the SmartConsole install launches. I accept all the options, and it's going to take up about 800MB on my laptop.

Anyway, before we go jumping into the SmartConsole, let's see what else is on the main portal page.

At the top we have the Network Management options; here we can do the basics such as IP address assignment, ARP, setting up a DHCP server, DNS and static routing, and we can export to a NetFlow collector:

Check Point user management

Next we have System Management. There is too much to go into at the moment, but they are all pretty self-explanatory:

Check Point System management

Next we can do Advanced Routing; we can see that it supports BGP, Multicast, RIP and OSPF. We can also do some summarization, filtering, redistribution and PBR:

Check Point Advanced Routing

User Management - this is where we can connect to LDAP servers.

Check Point User Management

The R77 supports VRRP (which is an industry standard) for High Availability.

High Availability in Check Point

The penultimate option is Maintenance; here we can license the product and do backups.

Check Point maintenance

Finally, here is where we come to do any software updates.

Check Point updates

So far, the interface looks pretty easy to navigate. The downside, though, is that all the routing stuff takes place here, and all the firewall stuff takes place in the SmartConsole.

There doesn't appear to be anything in the exam topics that requires any of this routing, though, so we'll push on by looking at SmartConsole in the next post.

Friday, October 24, 2014

Check Point CCSA in 15 days

I get a lot of calls from recruiters, at least one a week. It seems that most of them are very keen on people with Check Point security skills. So, I thought I would have a look into it. It never hurts to widen your skill-set.

I am currently studying for my Cisco CCIE certification, but after sitting my written exam I thought I'd take a little time out to look at Check Point.

What is Check Point Firewall?

Check Point started in 1993, and offers a wide range of products covering network security, data, mobile and endpoint security. Last year they made a revenue of $1.394 billion, with a net of $652 million. That's not bad really. It shows that people are using them, which goes some way to explaining the number of people looking for Check Point certified staff.

Can I become Check Point Certified Security Administrator in 15 days?

Firstly, why 15 days?

This is due to the licensing limit on the R77 software firewall, so, as far as I know, it'll need to be started again from scratch after the 15 days are up. So it seems like a good goal to work towards.

I have some pretty decent knowledge of Cisco ASAs, so, in theory, making the jump shouldn't be too hard.

What is the CCSA?

The CCSA (Check Point Certified Security Administrator) is their entry-level exam. The exam code is 156-215.77, with the .77 referring to the current release of the software. It is a multiple-choice exam, which can be taken at any Pearson VUE testing center, and costs £125 in the UK.

The brief exam outline is:

  • Check Point Technology Overview
  • Deployment Platforms and Security Policies
  • Monitoring Traffic and Connections
  • Network Address Translations
  • User Management and Authentication
  • Using SmartUpdate
  • Implementing Identity Awareness
  • Configuring VPN tunnels
  • Resolving security administration issues

There is a longer list of exam topics, which will be covered separately.

I will not guarantee that I will be able to study every day, so chances are that I will have to recreate the firewalls at some stage during the process. This also means that you shouldn't expect the blog to be updated every day, or to have everything completed within two weeks. But at the end of it, it does mean that someone might stumble onto the blog and be able to follow it through within that time-frame.

The clock will (hopefully) start ticking mid-November.

The topics listed for the CCSA exam (156-215.77) (taken from here) are:

  • Describe Check Point's unified approach to network management, and the key elements of this architecture.
  • Design a distributed environment using the network detailed in the course topology.
  • Install the Security Gateway version R77 in a distributed environment using the network detailed in the course topology.
  • Given network specifications, perform a backup and restore the current Gateway installation from the command line.
  • Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.
  • Deploy Gateways using sysconfig and cpconfig from the Gateway command line.
  • Given the network topology, create and configure network, host and gateway objects.
  • Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.
  • Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.
  • Evaluate existing policies and optimize the rules based on current corporate requirements.
  • Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.
  • Configure NAT rules on Web and Gateway servers.
  • Use Queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data.
  • Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.
  • Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity and monitor remote user access based on corporate requirements.
  • Monitor remote Gateways using SmartUpdate to evaluate the need for upgrades, new installations, and license modifications.
  • Use SmartUpdate to apply upgrade packages to single or multiple VPN-1 Gateways.
  • Upgrade and attach product licenses using SmartUpdate.
  • Centrally manage users to ensure only authenticated users securely access the corporate network either locally or remotely.
  • Manage user access to the corporate LAN by using external databases.
  • Use Identity Awareness to provide granular level access to network resources.
  • Acquire user information used by the Security Gateway to control access.
  • Define Access Roles for use in an Identity Awareness rule.
  • Implementing Identity Awareness in the Firewall Rule Base.
  • Configure a pre-shared secret site-to-site VPN with partner sites.
  • Configure permanent tunnels for remote access to corporate resources.
  • Configure VPN tunnel sharing, given the difference between host-based, subunit-based and gateway-based tunnels.
  • Resolve security administration issues.

Let's break this down a bit.

We have to describe the unified approach - that's OK, it should just be a bit of reading.
Design and install - this is a multiple choice exam, with maybe some drag and drops - there won't be any actual installations.
Command line usage for backup, restore and importing - no biggie there.
There is some object management, and we have to create a "basic rule base".
We need to understand the rules and optimize them.
There is some management of the interface (Security Management Server).
NAT rules - this should be OK, NAT on Check Point can't be massively different to NAT on an ASA!
Monitor IPS and network traffic using queries, and using packet data do some reporting and troubleshooting.
More monitoring...
Use SmartUpdate...
Centrally manage users - this is probably connecting to LDAP or similar, then we need to provide granular access, including access roles.
Next we have to configure some VPN tunnels.
Lastly we need to do some problem resolution.

It certainly doesn't look too scary, and also allows me to start formulating a lab environment...