The two places where Checkpoint is commonly configured: 1、 Policy → Global Properties 2、 Gateway properties
Most settings are configured in one of these two places.
2.2.2 Policy design: characteristics of a cp policy:
1、 Accept only the traffic that is required, drop anything else (accept what is permitted, reject everything else)
2、 When a rule is matched, that action is followed and no more rules are checked.
Rules are matched from top to bottom; once an earlier rule has matched, the rules below it are not checked.
3、 There is an invisible rule at the bottom of the rulebase: drop anything
An implicit rule rejects everything.
Two special rules: Stealth Rule
Placed near the top of the policy; explicitly blocks access to the firewall itself.
Clean up rule
Placed at the bottom of the policy; explicitly drops and logs all traffic that has not matched any other rule. The implicit rule would drop that traffic anyway, but the clean up rule ensures it gets logged.
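As an added illustration (not Check Point code), a minimal first-match rulebase evaluator showing the four points above: top-down first match, the invisible implicit drop, a stealth rule near the top, and a cleanup rule that turns the silent final drop into a logged one. The gateway address, networks and rule names are constructed for the example.

```python
"""Added example (not Check Point code): a minimal first-match rulebase
evaluator. Rules are checked top to bottom; the first match decides.
Anything that falls off the bottom hits the invisible implicit rule,
which drops without logging. The cleanup rule makes that drop visible."""
import ipaddress

FIREWALL = "10.0.0.1"  # constructed gateway address for the stealth rule

def in_net(ip, net):
    # "any" matches everything; otherwise test address membership in the network
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

# Rules are (name, src, dst, service, action, log), evaluated top to bottom.
RULEBASE = [
    ("stealth", "any", FIREWALL + "/32", "any", "drop", True),   # protect the firewall
    ("web_out", "172.16.1.0/24", "any", "http", "accept", False),
    ("cleanup", "any", "any", "any", "drop", True),              # explicit, logged drop
]

def evaluate(rulebase, src, dst, service):
    """Return (rule_name, action, logged) for the first matching rule.
    If nothing matches, the implicit bottom rule drops silently."""
    for name, r_src, r_dst, r_svc, action, log in rulebase:
        if in_net(src, r_src) and in_net(dst, r_dst) and r_svc in ("any", service):
            return name, action, log          # first match wins; stop checking
    return "implicit", "drop", False          # invisible rule: drop, no log entry

if __name__ == "__main__":
    # ssh to the gateway itself is stopped by the stealth rule before anything else
    print(evaluate(RULEBASE, "172.16.1.10", FIREWALL, "ssh"))
    # without the cleanup rule, unmatched traffic is dropped but never logged
    print(evaluate(RULEBASE[:-1], "192.0.2.5", "172.16.1.10", "smb"))
```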
2.2.3 Completely unloading the security policy
Request that the security policy be unloaded from remote gateways: 1、 from the menu, Policy → Uninstall
2、 run the command fw unloadlocal from the command line of the gateway itself
2.2.4 cp implied rules (the implicit policy)
1- View → Implied Rules shows them inside the security pane
These implied rules cannot be deleted manually.
2- Policy → Global Properties → Firewall
2.2.5 Checkpoint NAT types
1、 Automatic configuration
A、 Hide NAT (equivalent to PAT)
B、 Static NAT
2、 Manual configuration
A、 Hide NAT
B、 Static NAT
C、 Port translation
Static NAT takes priority over PAT (hide) translation.
Manual configuration (the biggest problem is Proxy ARP)
2.2.6 Checkpoint authentication methods 1、 User Authentication
1、 Only supports http, ftp, telnet and rlogin
2、 User authentication is per connection 3、 Similar to Cisco's cut-through (proxy)
2、 Session auth: allow snauth traffic (tcp/261), FW1_snauth 3、 Client auth
1、 The client needs the following services to be allowed:
FW1_clntauth_http (http/900) and FW1_clntauth_telnet (telnet/259) 2、 The client properties offer many sign-on methods
a、 manual
b、 partially automatic
c、 fully automatic
d、 agent automatic sign on
e、 single sign on
(1)、 partially automatic: http, ftp, telnet and rlogin use user auth; other protocols use client auth's manual auth
(2)、 fully automatic: http, ftp, telnet and rlogin use user auth; other protocols use session auth; manual auth still exists.
(3)、 agent automatic sign on: all protocols use session auth; manual auth still exists.
(4)、 single sign-on: uses the User Authority server to achieve one-time login.
OPSEC: the open security platform (Open Platform for Security). CIFS: Windows file sharing.
2.2.7 VPN 1、 Simplified VPN mode 2、 Traditional VPN mode 3、 Simplified and traditional VPN modes
Characteristics of VPN Communities
1、 Devices that join a VPN community share the same policy 2、 This kind of configuration is less prone to configuration errors
3、 SmartCenter can configure multiple VPN devices centrally
VPN community types: 1、 meshed 2、 star
Add the device to the community
Define the interesting traffic on the device
Remote access VPN
The client is downloaded from Checkpoint
3、 Checkpoint lab manual
3.1 Remote access VPN lab
On the outside side, place a PC used for dial-up VPN; after it logs in successfully it should be able to ping the internal network 172.16.1.0/24. 1、 PC configuration

