Checkpoint Firewall


FIREWALL:

In computing, a firewall is a network security system that monitors and controls incoming
and outgoing network traffic based on predetermined security rules.

A firewall typically establishes a barrier between a trusted internal network and an
untrusted external network, such as the Internet.

A firewall works at the network layer because it controls and monitors network traffic
based on IP addresses and packets; in the OSI model, the network layer operates on IP addresses.

Stateless firewalls:

Stateless firewalls watch network traffic, and restrict or block packets based on
source and destination addresses or other static values. They are not 'aware' of traffic patterns or
data flows.

A stateless firewall uses simple rule-sets that do not account for the possibility that a packet
might be received by the firewall 'pretending' to be something you asked for.

A stateless firewall is also known as an Access Control List (ACL). It does not statefully
inspect the traffic or packet contents and does not keep track of active connections.

The basic purpose is to enhance security through the use of packet filtering.

The typical use of a stateless firewall is to protect the routing engine processes and resources
from malicious or untrusted traffic.

Stateful firewalls:

Stateful firewalls can watch traffic streams from end to end. They are aware of
communication paths and can implement various IP Security (IPSec) functions such as tunnels and
encryption.

In technical terms, this means that stateful firewalls can tell what stage a TCP connection is in
(open, open sent, synchronized, synchronization acknowledged or established); they can tell if the MTU
has changed, whether packets have been fragmented, etc.

Stateless firewalls are typically faster and perform better under heavier traffic loads. Stateful
firewalls are better at identifying unauthorized and forged communications.

Firewall vendors in the market:

There are many vendors in the market; whatever the vendor, the firewall functionality is the
same.

Checkpoint firewall
FortiGate
Juniper
Cisco ASA
Palo Alto firewall

CHECKPOINT FIREWALL:

o Checkpoint works on stateful inspection technology.
o The latest versions of Checkpoint firewall are 77.30 and 80.3.
o Below are the Checkpoint operating systems:
a. IPSO
b. SPLAT
c. GAIA

Checkpoint architecture:

Checkpoint firewall has a unified, three-tier architecture:

o Smart console
o Smart management server
o Security gateway

Smart console:

It is a set of GUI applications that allows security administrators to configure and manage the
global security policy for the entire organization.

There are quite a few clients available in the smart console, each for a different purpose.
Among all those clients the main client application used is called Smart Dashboard, which is used to
configure the security policy of the network.

Smart Dashboard connects to the Security Management Server, which houses the actual
security policy database of rules and objects.

o Smart dashboard
o Smart view monitor
o Smart view tracker
o Smart log

Smart management server:

The Security Management Server contains the global security policy for an
organization. This policy is defined using the Smart Dashboard - however, the policy is actually saved
on the Security Management Server.

It contains the following databases: Object database, User database, Security rules and Log
database.

The Security Management Server interacts with the Security Gateways by uploading security
rule sets specific to the Security Gateway and by receiving logging information from the Security
Gateways. 

The Security Management Server package can be installed on the following supported
platforms: Windows 2003 and 2008, IPSO (FreeBSD) and SPLAT (Linux based).

Security gateway:

Security Gateways are nothing but the ‘firewalls’ themselves. They are installed where
the security rules must be enforced: the security rules are created using the SmartDashboard,
saved on the Security Management Server and then pushed to the intended Security
Gateway.

The communication between the three Checkpoint modules is Secure Internal
Communication (SIC).

Deployment of checkpoint firewall:

We can deploy the checkpoint firewall in standalone and distributed fashions.

Standalone deployment:

The Security Management Server and the Security Gateway are installed on the same
computer or appliance. The Smart console is usually installed on a separate platform.

Fig: Standalone deployment

However, this deployment defeats the whole purpose of the Checkpoint three-tier
architecture, and it is not recommended by Checkpoint except for small businesses.

Distributed deployment:

Distributed deployment is more commonly known as the three-tier architecture, wherein each
component is installed on a separate platform; this type of deployment is highly recommended
by Checkpoint.

Smart console is usually installed on Windows for its ease of use.

Security management server can be installed on Windows, Linux or FreeBSD platforms
depending on the requirement.

Security gateway is also installed on windows, linux or free BSD platforms depending on the
requirement, be seriously windows for a security gateway.

Fig: Distributed deployment


Checkpoint smart console applications:

Smart Dashboard:

It is a Smart console tool. It is used to configure rules and policy objects, create NAT policies,
and configure VPN and clusters.

Smart view monitor:

Smart View Monitor allows administrators to easily configure and monitor different aspects
of network activities. Graphical views can easily be viewed from an integrated, intuitive interface.

Real-time and historical reports of monitored events can be generated to provide a
comprehensive view of gateways, tunnels, remote users, network, security and gateway
performance over time.

Smart view tracker:

We can check active and management logs of the firewall.

Checkpoint rule base:

The rule base is where you actually define which traffic can be allowed and which traffic has
to be dropped when passing through the firewall.

It consists of a set of rules defining the security policy of the organization. It is processed in a
top-down approach: when a packet is received it is compared with the first rule in the
rule base; if there is a match, the corresponding action is taken. If there is no match, the next rule is
checked, and so on, till the end of the rule base.

If no match is found, the packet is dropped; this is known as the implicit deny at the end of the rule
base.

Implicit and Explicit rules:

Implicit rules are designed to enable the common applications and services through the
enforcement modules, without requiring the creation of explicit rules that define the required access.

All traffic through the firewall, including ICMP, is blocked; if you want to permit any traffic
you have to add the rules explicitly in the rule base. Implied rules can be modified through the policy
editor from the policy's global properties.

Explicit rules are configured by the network administrator for the organization, depending on
the requirement.

Format of a rule:

Source | Destination | Service | Action | Track | Install on | Time | Comments

Stealth and Cleanup rule:

Before creating any rules to implement the security policy of your organization, it is
recommended that you create a “stealth rule” and a “cleanup rule” and sandwich all the other rules
between these two rules.

Stealth rule:

The stealth rule should be the first rule in the rule base. It is defined to protect the
firewall itself: it drops all traffic destined to the firewall itself.

This means that the source is any, the destination is the firewall object, the service is any and the action
should be DROP. Also make sure that you log this rule.

Source | Destination | Service | Action | Track | Install on | Time | Comments
Any    | Firewall    | Any     | Drop   | Log   | Gateways   | Any  | Stealth rule

Cleanup rule:

By default anything that is not explicitly permitted is dropped, and no log is kept for
packets dropped by the implicit deny rule.

To see which packets did not match any rule in the rule base, you have to define an explicit
drop rule in the policy and enable tracking (the log option should be enabled).

The cleanup rule has source ANY, destination ANY, service ANY, action DROP
and track LOG; it is the last rule in the rule base.

Source | Destination | Service | Action | Track | Install on | Time | Comments
Any    | Any         | Any     | Drop   | Log   | Gateways   | Any  | Cleanup rule
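The top-down, first-match processing of the rule base, together with the effect of the stealth and cleanup rules, as an added example (this is illustrative code written for these notes, not Check Point's own implementation). The firewall addresses, networks and rule names are constructed; the "Install on" and "Time" columns are left out because they do not affect matching here. The last case shows what the cleanup rule buys you: without it, the implicit deny still drops the packet but nothing is logged.

```python
"""Top-down rule base evaluation with stealth and cleanup rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed: the gateway's own interface addresses, i.e. the "Firewall" object.
FIREWALL_ADDRESSES = {"192.0.2.1", "198.51.100.1"}


@dataclass
class Rule:
    name: str
    source: str        # "Any", "Firewall", or a CIDR / host address
    destination: str
    service: str       # "Any" or "tcp/PORT"
    action: str        # "Accept" or "Drop"
    track: str         # "Log" or "None"


@dataclass
class Packet:
    src: str
    dst: str
    service: str


def _match_addr(field: str, addr: str) -> bool:
    if field == "Any":
        return True
    if field == "Firewall":
        return addr in FIREWALL_ADDRESSES
    return ip_address(addr) in ip_network(field, strict=False)


def _match_service(field: str, service: str) -> bool:
    return field == "Any" or field == service


def evaluate(rule_base: List[Rule], pkt: Packet) -> dict:
    """Compare the packet with each rule top-down; the first match decides.

    If no rule matches, the implicit deny at the end of the rule base drops the
    packet, and nothing is logged (there is no explicit rule to carry a Track).
    """
    for position, rule in enumerate(rule_base, start=1):
        if (_match_addr(rule.source, pkt.src)
                and _match_addr(rule.destination, pkt.dst)
                and _match_service(rule.service, pkt.service)):
            return {"action": rule.action, "rule": rule.name,
                    "position": position, "logged": rule.track == "Log"}
    return {"action": "Drop", "rule": "implicit deny", "position": None, "logged": False}


# Constructed rule base: stealth rule first, explicit rules sandwiched, cleanup rule last.
RULE_BASE = [
    Rule("Stealth rule", "Any", "Firewall", "Any", "Drop", "Log"),
    Rule("Web to DMZ", "Any", "10.1.1.0/24", "tcp/443", "Accept", "Log"),
    Rule("LAN mail", "10.0.0.0/8", "10.1.1.25", "tcp/25", "Accept", "None"),
    Rule("Cleanup rule", "Any", "Any", "Any", "Drop", "Log"),
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.1", "tcp/22"),    # SSH to the firewall itself
        Packet("203.0.113.7", "10.1.1.10", "tcp/443"),   # HTTPS to the DMZ
        Packet("203.0.113.7", "10.1.1.10", "tcp/22"),    # SSH to the DMZ: hits cleanup
    ]
    for p in samples:
        print(p, "->", evaluate(RULE_BASE, p))
    # Same packet with the cleanup rule removed: dropped by the implicit deny, unlogged.
    print("no cleanup ->", evaluate(RULE_BASE[:-1], samples[2]))
```

Because the stealth rule sits at position 1, a packet aimed at a gateway address never reaches the "Web to DMZ" rule even when it would otherwise match it; reordering those two rules would expose the firewall's own services.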

Secure Internal Communication (SIC):

SIC stands for “Secure Internal Communication”. It is a Checkpoint firewall feature used
to secure the communication between Checkpoint firewall components. It is used when the Security
Gateway and the Security Management Server are installed in a distributed deployment, and it provides
authentication and encryption for secure communication.

Communication between the Smart console applications and the SMS happens over port
TCP 18190.

Communication between the SMS and the firewall module (Gateway) happens over port
TCP 18191, and application monitoring is through port TCP 18192.

Logs from the firewall module are pushed to the SMS, or fetched by the SMS from the firewall module,
over port TCP 257.

============ need to mention about SIC ports and SVN

Suspicious activity management: SAM

The Need for Suspicious Activity Rules

The fast-changing environment of network security requires that you be able to react
immediately to a security problem without having to change the entire network's Firewall rule base
(for example, when you want to block a specific user).

To achieve this you must make sure that all inbound and outbound network activity is
inspected and identified as suspicious when necessary (for example, when network or system
activity indicates that someone is attempting to break in).

Suspicious Activity Rules Solution

The Suspicious Activity Monitoring (SAM) utility is integrated into SmartView Monitor. The
utility blocks activities that you see in the SmartView Monitor's results and that appear to be
suspicious. Using SAM, you can block a user who tries several times to gain unauthorized access to a
network or Internet resource.

The firewall rules in a SAM-enabled Security Gateway block suspicious connections that are
not restricted by the security policy. These rules are applied immediately (Install Policy is not
required).

Antispoofing:

Anti-Spoofing is a feature of the Checkpoint Firewall that protects against attackers who
generate IP packets with a fake or spoofed source address. It determines whether traffic is
legitimate or not; if the traffic is not legitimate, the firewall blocks that traffic on the firewall interface.

Session lookup:

The firewall maintains, for a specific period of time, the active connections that are passing through
it, and looks up each packet against them.

Network address translation: NAT

NAT is used to map private IP addresses to public IP addresses and public IP addresses to
private IP addresses. It is mainly used to provide security to the internal network and servers from the
Internet. NAT is also used to connect hosts with private IP addresses to the Internet, because private IP
addresses are not routable on the Internet.

Static NAT:

Static NAT is one-to-one mapping of a private IP address to a public IP address. Static NAT is
useful when a network device inside a private network needs to be accessible from internet.

Dynamic NAT:

Dynamic NAT can be defined as the mapping of a private IP address to a public IP address from a
group of public IP addresses called a NAT pool.

Dynamic NAT establishes a one-to-one mapping between a private IP address and a public IP
address. Here the public IP address is taken from the pool of IP addresses configured on the NAT
router. The public-to-private mapping may vary based on the available public IP addresses in the NAT pool.

Port Address Translation:

Port Address Translation (PAT) is another type of dynamic NAT, which can map
multiple private IP addresses to a single public IP address by translating port numbers as well as
addresses.

Here, when a client from the inside network communicates with a host on the Internet, the router
changes the source port (TCP or UDP) number to another port number. These port mappings are
kept in a table. When the router receives a reply from the Internet, it refers to the table that keeps the port
mappings and forwards the data packet to the original sender.

Source NAT:

Source NAT is used for traffic initiated from the internal network to the external network. In source NAT
only the source IP address is translated to a public IP address.

Destination NAT:

Destination NAT translates the destination IP address of requests coming from a public IP address
so that they can connect to the internal private network. Only static NAT can be used in destination NAT.

Difference between Auto NAT and Manual NAT:

Automatic NAT                              | Manual NAT
-------------------------------------------|--------------------------------------------------------
Automatically created by the firewall      | Manually created by the network security administrator
Cannot be modified                         | Can be modified
Cannot create a “No NAT” rule              | Can create a “No NAT” rule
Cannot create dual NAT                     | Can create dual NAT
Port forwarding not possible               | Port forwarding possible
Proxy ARP enabled by default               | Proxy ARP not enabled by default

Packet flow in checkpoint:

o SAM database
o Anti spoofing
o Session lookup
o Policy lookup
o Destination NAT
o Routing table
o Source NAT
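The packet flow listed above, and the anti-spoofing, session lookup and NAT sections before it, worked through as an added example: a toy gateway that runs the stages in the order the notes give. This is illustrative code written for these notes, not Check Point's implementation; the interface names, topology, SAM entry, static NAT mapping and hide NAT address are constructed. Two details a practitioner should notice: the rule base is matched against the original (pre-NAT) packet, and a packet already in the session table skips the rule base entirely.

```python
"""Simplified packet flow: SAM -> anti-spoofing -> session lookup -> policy
lookup -> destination NAT -> routing -> source NAT (added example)."""
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Constructed interface topology: which source networks may legitimately arrive on each interface.
TOPOLOGY = {
    "eth0_external": [ip_network("0.0.0.0/0")],   # Internet side
    "eth1_internal": [ip_network("10.0.0.0/8")],
}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

SAM_BLOCKED = {"203.0.113.66"}                      # SAM database entry (constructed)
STATIC_DNAT = {"198.51.100.10": "10.1.1.10"}        # public server address -> internal host
HIDE_NAT_ADDR = "198.51.100.1"                      # source (hide) NAT address for outbound traffic
ROUTES = [(ip_network("10.0.0.0/8"), "eth1_internal"),
          (ip_network("0.0.0.0/0"), "eth0_external")]

Session = Tuple[str, str, int, int]                 # (src, dst, sport, dport)


class Gateway:
    def __init__(self) -> None:
        self.sessions: Dict[Session, dict] = {}     # session table
        self.nat_ports: Dict[int, Tuple[str, int]] = {}   # hide NAT port -> original (src, sport)
        self.next_port = 10000

    def anti_spoofing(self, iface: str, src: str) -> bool:
        """The source must belong to the networks behind the ingress interface,
        and an internal address must never arrive on the external interface."""
        addr = ip_address(src)
        if iface == "eth0_external" and any(addr in n for n in INTERNAL_NETS):
            return False
        return any(addr in n for n in TOPOLOGY[iface])

    @staticmethod
    def policy_lookup(src: str, dst: str, dport: int) -> str:
        """Minimal rule base on the ORIGINAL packet: internal hosts may go out,
        the Internet may reach the published server on 443, all else is dropped."""
        if ip_address(src) in ip_network("10.0.0.0/8"):
            return "accept"
        if dst == "198.51.100.10" and dport == 443:
            return "accept"
        return "drop"

    @staticmethod
    def route(dst: str) -> str:
        """Longest-prefix match over the routing table."""
        addr = ip_address(dst)
        best = max((n for n, _ in ROUTES if addr in n), key=lambda n: n.prefixlen)
        return dict(ROUTES)[best]

    def process(self, iface: str, src: str, dst: str, sport: int, dport: int) -> dict:
        if src in SAM_BLOCKED:                                   # 1. SAM database
            return {"verdict": "drop", "stage": "sam"}
        if not self.anti_spoofing(iface, src):                   # 2. anti-spoofing
            return {"verdict": "drop", "stage": "anti-spoofing"}
        key: Session = (src, dst, sport, dport)
        if key in self.sessions:                                 # 3. session lookup
            return {"verdict": "accept", "stage": "session-lookup", **self.sessions[key]}
        if self.policy_lookup(src, dst, dport) != "accept":      # 4. policy lookup (pre-NAT)
            return {"verdict": "drop", "stage": "policy-lookup"}
        new_dst = STATIC_DNAT.get(dst, dst)                      # 5. destination NAT
        out_iface = self.route(new_dst)                          # 6. routing table
        new_src, new_sport = src, sport
        if out_iface == "eth0_external":                         # 7. source (hide) NAT
            new_sport = self.next_port
            self.next_port += 1
            self.nat_ports[new_sport] = (src, sport)
            new_src = HIDE_NAT_ADDR
        entry = {"out_iface": out_iface, "translated": (new_src, new_dst, new_sport, dport)}
        self.sessions[key] = entry
        return {"verdict": "accept", "stage": "policy-lookup", **entry}


if __name__ == "__main__":
    gw = Gateway()
    print(gw.process("eth0_external", "10.0.0.5", "198.51.100.10", 40000, 443))   # spoofed internal source
    print(gw.process("eth0_external", "203.0.113.7", "198.51.100.10", 40000, 443))  # published server
    print(gw.process("eth1_internal", "10.0.0.5", "203.0.113.9", 50000, 443))       # outbound, hide NAT
```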

Functions of FWM, FWD & CPD:

FWM (Firewall management):

It runs on the Security Management Server (SMS) and handles most Smart console GUI
applications, policy verification and compilation, and management HA sync.

FWD (Firewall Daemon):

It runs on both the SMS and the security gateway. It mainly handles the passing of logs from security
gateways to the SMS, but on the security gateway it also acts as a parent process to many security
processes that do advanced inspection outside the kernel.

CPD (Checkpoint Daemon):

It runs on both the SMS and the security gateway and handles generic functions such as
SIC/certificates, licensing, Smart view monitor and pushing/fetching the policy between the SMS
and the security gateway.

What is VPN?
Virtual Private Network (VPN) creates a secure network connection over a public network
such as the internet. It allows devices to exchange data through a secure virtual tunnel. It uses a
combination of security features like encryption, authentication, tunnelling protocols, and data
integrity to provide secure communication between participating peers.

What is Authentication, Confidentiality & Integrity?

Authentication - Verifies that the packet received is actually from the claimed sender. It verifies the
authenticity of the sender. Pre-shared keys and digital certificates are some methods that can be used for
authentication.

Integrity - Ensures that the contents of the packet have not been altered in between by a
man-in-the-middle. Hashing algorithms include MD5 and SHA.

Confidentiality - Encrypts the message content through encryption so that data is not disclosed to
unauthorized parties. Encryption algorithms include DES (Data Encryption Standard), 3DES (Triple-
DES), AES (Advanced Encryption Standard).

What is Symmetric and Asymmetric Encryption?

In symmetric encryption, a single key is used both to encrypt and decrypt traffic. It is also
referred to as shared key or shared secret encryption. Symmetric encryption algorithms include DES,
3DES and AES.

In asymmetric encryption two keys are used to encrypt and decrypt traffic, one for
encryption and one for decryption. The most common asymmetric encryption algorithm is RSA.

What is IPSec VPN?

IP Security Protocol VPN means VPN over IP Security. It allows two or more users to
communicate in a secure manner by authenticating and encrypting each IP packet of a
communication session. IPsec provides data confidentiality, data integrity and data authentication
between participating peers.

At what layer does IPsec work?

IPsec secures IP traffic at the Layer 3 (Network Layer) of the OSI model.

Major drawback of IPSec?

IPSec only supports unicast IP traffic.

What is the difference between Transport and Tunnel mode?

Tunnel mode - Protects data in network-to-network or site-to-site scenarios. It encapsulates
and protects the entire IP packet (the payload including the original IP header) and adds a new IP header
(protects the entire IP payload including user data).

Transport mode - Protects data in host-to-host or end-to-end scenarios. In transport mode,
IPsec protects the payload of the original IP datagram, excluding the IP header (it only protects the
upper-layer protocols of the IP payload, i.e. user data).

o The IPSec protocols AH and ESP can operate in either transport mode or tunnel mode.

What are the three main security services that IPSec VPN provides?

IPsec offers the following security services:-

o Peer authentication.
o Data confidentiality.
o Data integrity.

Define Digital Signatures?

Digital signature is an attachment to an electronic message used for security purposes. It is used to
verify the authenticity of the sender.

What is Authorization?

Authorization is a security mechanism used to determine user/client privileges or access
levels related to network resources, including firewalls, routers, switches and application features.
Authorization is normally preceded by authentication; during authorization, the system
verifies an authenticated user’s access rules and either grants or refuses resource access.

What is Site to Site and Remote Access VPN?

A site-to-site VPN allows offices in multiple locations to establish secure connections with
each other over a public network such as the Internet.

Remote Access VPN allows Remote users to connect to the Headquarters through a secure
tunnel that is established over the Internet. The remote user is able to access internal, private web
pages and perform various IP-based network tasks.

There are two primary methods of deploying Remote Access VPN:-

1. Remote Access IPsec VPN.
2. Remote Access Secure Sockets Layer (SSL) VPN.

What are the 3 protocols used in IPSec?

1. Authentication Header (AH).

2. Encapsulating Security Payload (ESP).

3. Internet Key Exchange (IKE).

Explain IPsec Protocol Headers?

Encapsulating Security Payload (ESP) - It is an IP-based protocol, identified by IP protocol number 50, used for
communication between IPsec peers. ESP is used to protect the confidentiality, integrity and
authenticity of the data, and it also offers anti-replay protection.

Drawback - ESP does not provide protection to the outer IP header.

Authentication Header (AH) - It is also an IP-based protocol, identified by IP protocol number 51, used for
communication between IPsec peers. AH is used to protect the integrity and authenticity of the data and
offers anti-replay protection. Unlike ESP, AH provides protection to the IP header also.

Drawback - AH does not provide confidentiality protection.

How do ESP & AH provide anti-replay protection?

Both ESP and AH protocols provide anti-replay protection based on sequence numbers.
The sender increments the sequence number after each transmission, and the receiver checks the
sequence number and rejects the packet if it is out of sequence.
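The receiver-side sequence check, as an added example (written for these notes, not taken from any IPsec implementation). It goes slightly beyond the sentence above: receivers do not reject every out-of-order packet, they keep a sliding window (64 packets is the common size, RFC 4303 describes the scheme) so that packets delayed a little by the network are still accepted, while a duplicate sequence number inside the window, or a packet older than the window, is rejected as a replay. The sequence numbers fed in at the bottom are constructed.

```python
"""IPsec-style anti-replay sliding window over ESP/AH sequence numbers (added example)."""


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0       # highest sequence number accepted so far
        self.bitmap = 0        # bit i set  <=>  sequence number (highest - i) was received

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new and within the window, else False."""
        if seq == 0:
            return False                               # ESP/AH never use sequence number 0
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and mark this packet.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                               # older than the window: reject
        if self.bitmap & (1 << offset):
            return False                               # already received: replay
        self.bitmap |= 1 << offset                     # late but genuine: accept and mark
        return True


def replay_verdicts(seqs):
    """Run a constructed sequence of received packets through one window."""
    window = AntiReplayWindow()
    return [(s, window.check(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering (3 after 5) is fine, repeats are not,
    # and a packet 100 behind the newest one has fallen out of the 64-wide window.
    for seq, ok in replay_verdicts([5, 3, 3, 5, 200, 100, 137, 136]):
        print(f"seq={seq:<4} {'accepted' if ok else 'rejected'}")
```

The window state is two integers per security association, which is why a 64-entry window is cheap enough to run per packet; the trade-off is that a packet delayed by more than 64 newer packets is dropped even though it is genuine.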

What is IKE?

It is a hybrid protocol that implements the Oakley and SKEME key exchanges inside the Internet
Security Association and Key Management Protocol (ISAKMP) framework. It defines the mechanism
for creating and exchanging keys. IKE derives authenticated keying material and negotiates the SAs that
are used for the ESP and AH protocols.

On what protocol does IKE work?

IKE uses UDP port 500.

Explain how IKE/ISAKMP Works?

IKE is a two-phase protocol-

Phase 1

IKE phase 1 negotiates the following:-

1. It protects the phase 1 communication itself (using crypto and hash algorithms).

2. It generates the session key using Diffie-Hellman groups.

3. Peers authenticate each other using pre-shared keys, public key encryption, or digital signatures.

4. It also protects the negotiation of the phase 2 communication.

There are two modes in IKE phase 1:-

Main mode - Total Six messages are exchanged in main mode for establishing phase 1 SA.

Aggressive mode - It is faster than the main mode as only three messages are exchanged in this
mode to establish phase 1 SA. It is faster but less secure.

At the end of phase 1, a bidirectional ISAKMP/IKE SA (phase 1 SA) is established for IKE
communication.

Phase 2

IKE phase 2 protects the user data and establishes SA for IPsec.

There is one mode in IKE phase 2:-

Quick mode - In this mode three messages are exchanged to establish the phase 2 IPsec SA.

At the end of the phase 2 negotiations, two unidirectional IPsec SAs (phase 2 SAs) are established
for user data: one for sending and another for receiving encrypted data.

Explain the messages exchange between the peers in IKE/ISAKMP?

Phase 1 - Main Mode

MESSAGE 1: Initiator offers a policy proposal which includes encryption, authentication and hashing
algorithms (like AES or 3DES, PSK or PKI, MD5 or RSA).

MESSAGE 2: Responder presents policy acceptance (or not).

MESSAGE 3: Initiator sends the Diffie-Hellman key and nonce.

MESSAGE 4: Responder sends the Diffie-Hellman key and nonce.

MESSAGE 5: Initiator sends ID, pre-shared key or certificate exchange for authentication.

MESSAGE 6: Responder sends ID, pre-shared key or certificate exchange for authentication.

Only the first four messages are exchanged in clear text. After that all messages are encrypted.

Phase 2 - Quick Mode

MESSAGE 7: Initiator sends Hash, IPSec Proposal, ID, nonce.

MESSAGE 8: Responder sends Hash, IPSec Proposal, ID, nonce.

MESSAGE 9: Initiator sends signature, hash, ID.

All messages in Quick mode are encrypted.

What is Diffie-Hellman?

DH is a public-key cryptography protocol which allows two parties to establish a shared
secret over an insecure communications channel. Diffie-Hellman is used within IKE to establish
session keys and is a component of Oakley.

How Diffie-Hellman works?

Each side has a private key, which is never passed, and a Diffie-Hellman key (a public key used
for encryption). When both sides want to do a key exchange, they send their public key to each other.

For example, Side A gets the public key of Side B; then, using RSA, it creates a shared key
which can only be opened on Side B with Side B's private key. So, even if somebody intercepts the
shared key, he will not be able to reverse-engineer it to see it, as only the private key of Side B will
be able to open it.
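Diffie-Hellman as it is actually computed inside IKE phase 1 (messages 3 and 4 above), as an added example that is not part of these notes: the shared secret comes out of each side raising the peer's public value to its own private exponent (modular exponentiation in a MODP group, RFC 2631 / RFC 3526), with no RSA operation involved in the exchange itself; RSA appears in IKE only as one of the authentication options. The toy group p = 23, g = 5 and the fixed exponents are constructed so the arithmetic can be checked by hand; they are far too small to be secure, and real IKE uses groups with primes of 2048 bits or more. The nonce-to-key derivation at the end is a simplified stand-in for IKE's SKEYID computation.

```python
"""Diffie-Hellman shared-secret agreement on a toy group (added example, not production code)."""
import hashlib
import secrets

P, G = 23, 5   # constructed toy group: prime modulus and generator. NOT secure.


def public_value(private: int, p: int = P, g: int = G) -> int:
    """Each side publishes g^private mod p; the private exponent never leaves the host."""
    return pow(g, private, p)


def shared_secret(private: int, peer_public: int, p: int = P) -> int:
    """Raise the peer's public value to our own private exponent.

    Values 1 and p-1 are rejected: they generate subgroups of order 1 and 2, so an
    attacker who substituted them could force the shared secret to a known value.
    """
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value outside the group (small-subgroup value rejected)")
    return pow(peer_public, private, p)


def session_key(secret: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified IKE-style derivation: hash the shared secret with both nonces."""
    secret_bytes = secret.to_bytes((secret.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(secret_bytes + nonce_i + nonce_r).digest()


def exchange(a: int, b: int):
    """Run both sides with given private exponents; return (A, B, secret_at_A, secret_at_B).

    Only A and B cross the wire; an eavesdropper sees p, g, A and B but not a or b.
    """
    A, B = public_value(a), public_value(b)
    return A, B, shared_secret(a, B), shared_secret(b, A)


if __name__ == "__main__":
    # Hand-checkable case: a=6, b=15 gives A=8, B=19 and the shared secret 2.
    print("fixed exponents:", exchange(6, 15))
    # Random exponents in 2..p-2, as a real implementation would draw them.
    a, b = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    A, B, s_a, s_b = exchange(a, b)
    assert s_a == s_b
    print("random exponents:", (A, B), "shared secret agrees:", s_a == s_b)
    print("session key:", session_key(s_a, b"nonce-initiator", b"nonce-responder").hex())
```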

What are Security Associations?

The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying
material to be used by the two peers. SAs are unidirectional and are established per security
protocol (AH or ESP).

What is Transform set?

An IKE transform set is a combination of security protocols and algorithms. During the IPsec SA
negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

What are Crypto access lists?

Crypto access lists specify which IP traffic is protected by crypto and which traffic is not
protected by crypto. To protect IP traffic, the "permit" keyword is used in the access list. If the traffic is not
to be protected, then the "deny" keyword is used in the access list.

What are Crypto map?

Crypto map is used to pull together the various parts used to set up IPsec SAs including:-

1. Which traffic should be protected by IPsec (crypto access list).

2. Where IPsec-protected traffic should be sent (remote IPsec peer).

3. What IPsec SA should be applied to this traffic (transform sets).

o Multiple interfaces can share the same crypto map set in case we want to apply the same
policy to multiple interfaces.
o If more than one crypto map entry is created for a given interface, then use the sequence number of
each map entry to rank the map entries: the lower the seq-num argument, the higher the
priority.

How do you check the status of the tunnel’s phase 1 & 2 ?

Use following commands to check the status of tunnel phases:-

o Phase 1 - show crypto isakmp sa
o Phase 2 - show crypto ipsec sa

What is IPsec Virtual Tunnel Interface?

IPSec VTI is the concept of using a dedicated IPsec interface, called the IPsec Virtual Tunnel
Interface, for highly scalable IPsec-based VPNs. IPsec VTI provides a routable interface for
terminating IPsec tunnels. VTI also allows the encryption of multicast traffic with IPsec.

What is the difference between Static Crypto Maps and Dynamic Crypto Maps?

Static Crypto Maps are used when peers are predetermined. It is basically used in IPSec site
to site VPNs.

Dynamic crypto maps are used with networks where the peers are not always
predetermined. It is basically used in IPSEC Remote Access VPNs.

There are two types of IPsec VTI interfaces:

1. Static VTI (SVTI): This can be used for site-to-site IPsec-based VPNs.

2. Dynamic VTI (DVTI): DVTI replaces dynamic crypto maps. It can be used for remote-access VPNs.

What is GRE?

Generic Routing Encapsulation (GRE) is a tunnelling protocol developed by Cisco, designed
to encapsulate IP unicast, multicast and broadcast packets. It uses IP protocol number 47.

Name a major drawback of both GRE & L2TP?

No encryption.

What is SSL VPN? How is it different from IPSec VPN?

SSL VPN provides remote access connectivity from any internet enabled device through a
standard web browser and its native SSL encryption. It does not require any special client software
at a remote site.

In an IPSec VPN the connection is initiated using pre-installed VPN client software, so it requires
installation of special client software. In an SSL VPN the connection is initiated through a web browser, so it
does not require any special-purpose VPN client software; only a web browser is required.

At which layer does SSL VPN operate?

SSL is an Application layer (Layer 7) cryptographic protocol that provides secure communications
over the Internet for web browsing, e-mail and other traffic. It uses TCP port 443.

What are different SSL VPN Modes?

SSL VPN can be deployed in one of the following three modes:-

1. Clientless mode - It works at Layer 7. Clientless mode provides secure access to web resources
and web-based content. This mode can be used for accessing most content that you would expect to
access in a web browser, such as the Internet, databases and online tools. Clientless mode also supports
the Common Internet File System (CIFS). Clientless mode is limited to web-based content only. It does not
provide access to TCP connections such as SSH or Telnet.

2. Thin client mode - It works at Layer 7 and is also known as port forwarding. Thin client mode
provides remote access to TCP-based services such as Telnet, Secure Shell (SSH), Simple Mail
Transfer Protocol (SMTP), Internet Message Access Protocol (IMAP) and Post Office Protocol (POP3)
applications. Thin client is delivered via a Java applet that is dynamically downloaded from the SSL
VPN appliance upon session establishment.

3. Thick client mode - It works at Layer 3 and is also known as tunnel mode or full tunnelling client.
The thick client mode provides extensive application support through dynamically downloaded SSL
VPN client software or the Cisco AnyConnect VPN client software from the VPN server appliance.
This mode delivers a lightweight, centrally configured, and easy-to-support SSL VPN tunnelling client
that provides full network layer (Layer 3) access to virtually any application.

Explain SSL Handshake?

1. Client initiates by sending a CLIENT HELLO message which contains the SSL versions that the client
supports, in what order the client prefers the versions, the cipher suites (cryptographic algorithms)
supported by the client, and a random number.

2. Server will send back a SERVER HELLO message which contains the version number (the server selects the
SSL version that is supported by both the server and the client), the cipher suite (the server selects the
best cipher suite that is supported by both of them), a session ID, and random data.

3. Server also sends its PKI certificate for authenticating itself, signed and verified by a Certificate
Authority, along with the public key for encryption.

4. Server will then send SERVER HELLO DONE, indicating that the server has finished sending its hello
messages and is waiting for a response from the client.

5. Client will send its certificate if the server has also requested client authentication in the server
hello message.

6. Client will send a CLIENT KEY EXCHANGE message after calculating the premaster secret with the help
of the random values of both the server and the client. This message is sent encrypted with the
server's public key which was shared through the hello message.

Server will decrypt the premaster secret with its private key. Now both client and server will
perform a series of steps to generate session keys (symmetric) which will be used for encryption and
decryption of the data exchanged during the SSL session and also to verify its integrity.

7. Client will send a CHANGE CIPHER SUITE message informing the server that future messages will be
encrypted using the session key.

8. Client will send a CLIENT FINISH (DONE) message indicating that the client is done.

9. Server will also send a CHANGE CIPHER SUITE message.

10. Client will also send a CLIENT FINISH (DONE) message.
