High-End Security Product Suite Getting Started Guide Version NGX R65

High-End Security Product Suite Getting Started Guide
Version NGX R65
702024
January 30, 2008
© 2003-2007 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: ©2003-2008 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Endpoint Security, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoreXL, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Pointsec, Pointsec Mobile, Pointsec PC, Pointsec Protector, Policy Lifecycle Management, Provider-1, PureAdvantage, PURE Security, the puresecurity logo, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Security Management Portal, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SMP, SMP On-Demand, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, UTM-1, UTM-1 Edge, UTM-1 Edge Industrial, UTM-1 Total Security, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN-1 Power, VPN-1 Power Multi-core, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm ForceField, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners.

The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 5,987,611, 6,496,935, 6,873,988, 6,850,943, and 7,165,076 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 61.
Contents

Chapter 1  High-End Security Suite
  Welcome ..... 8
  In This Guide ..... 9
  Documentation ..... 9
  Endpoint Security Integration ..... 9
  Feedback ..... 10

Chapter 2  Introduction
  Overview ..... 11
  For New Check Point Customers ..... 12
  What's New in the High-End Security Suite ..... 13
    Provider-1/SiteManager-1 ..... 13
    VPN-1 Power VSX ..... 14
    Management Plug-Ins ..... 15

Chapter 3  Getting Started
  Provider-1 Terminology ..... 18
  VSX Terminology ..... 20
  High-End System Requirements ..... 21
  Compatibility Table ..... 21
  Supported Upgrade Paths and Interoperability ..... 24
    Upgrading Management Servers ..... 24
    Backward Compatibility For Gateways ..... 25
  Licensing ..... 27
    Licensing Provider-1/SiteManager-1 ..... 28
    VSX-CMA Bundle Licenses ..... 29
    For More Information ..... 30
    Upgrading Licenses ..... 30

Chapter 4  Performing a New Installation
  Overview ..... 31
  Installing and Configuring Provider-1/SiteManager-1 ..... 32
    Overview ..... 32
    Building the Basic Provider-1 Network ..... 34
    Installing and Configuring the MDS ..... 35
    Installing the SmartConsole and MDG Clients ..... 38
    Logging in to the MDG for the First Time ..... 39
  Provider-1 and SMP Integration ..... 42
    Licensing Issues ..... 42
    Installation ..... 43
    Configuration Fine Tuning ..... 43
    Importing VPN-1 UTM Edge Devices to Provider-1 ..... 44
    The Import Tool: ImportEdgeFromSMP ..... 47
  Installing and Configuring VPN-1 Power VSX ..... 51
    Installing VPN-1 Power VSX on SecurePlatform ..... 51
    First Time Login ..... 56
    Initial Configuration ..... 57
    Configuration on the Management Server ..... 58
  Where To From Here? ..... 59
Chapter 1
High-End Security Suite

In This Chapter:
Welcome page 8
In This Guide page 9
Documentation page 9
Feedback page 10
Welcome

Thank you for choosing the Check Point High-End Security Suite. We hope that you will be satisfied with this security solution and the service that Check Point provides.

Check Point delivers Worldwide Technical Services including educational, professional and support services, through a network of authorized training centers, certified support partners, and a variety of Check Point resources.

In order to extend your security infrastructure as your network and application security requirements grow, Check Point recommends using OPSEC (Open Platform for Security), the industry leader in open, multi-vendor security frameworks. OPSEC has over 350 partners and guarantees the widest range of best-of-breed integrated applications and deployment platforms.

To obtain more information about this and other security solutions, refer to: http://www.checkpoint.com or call us at 1(800) 429-4391. For additional technical information, refer to: http://support.checkpoint.com.

Welcome to the Check Point family. We look forward to meeting all of your current and future network and application security and management needs.
In This Guide

This guide provides:
• A brief overview of the High-End Security Suite applications
• Installation procedures

Documentation

Technical documentation is available on your distribution CD-ROM at: CD2\Docs\CheckPoint_Suite. These documents can also be found at: http://www.checkpoint.com/support/technical/documents.

To see what is new in version NGX R65 and for the latest technical information, refer to the R65 What’s New. For information on upgrading your current Check Point deployment, refer to the Check Point R65 Upgrade Guide.

Endpoint Security Integration

For in-depth documentation of Provider-1/SiteManager-1 and SmartCenter Integration with Check Point Endpoint Security products, refer to:
• Endpoint Security Server Installation Guide
• R65 SmartCenter Administration Guide
Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com
Chapter 2
Introduction

In This Chapter:
Overview page 11
For New Check Point Customers page 12
What's New in the High-End Security Suite page 13

Overview

The current Check Point release focuses on usability and smarter management. SmartCenter is now integrated with Connectra, InterSpect and Endpoint Security, which allows for centralized management and monitoring of all security enforcement points. This enhanced functionality provides IT organizations and executive management with full visibility over their entire security environment.

The current version includes expanded intelligent inspection technologies in VPN-1 Power, which incorporate additional application support into state-of-the-art Stateful-Inspection and Application Intelligence technologies.
For New Check Point Customers

For new Check Point customers, the Check Point User Center can help you:
• Manage Users & Accounts
• Activate Products
• Get Support Offers
• Open Service Requests
• Search the Technical Knowledge Base

To access the Check Point User Center, go to: https://usercenter.checkpoint.com/pub/usercenter/get_started.html.
What's New in the High-End Security Suite

The following sections offer a brief overview of the advancements offered by NGX R65.

In This Section:
Provider-1/SiteManager-1 page 13
VPN-1 Power VSX page 14
Management Plug-Ins page 15

Provider-1/SiteManager-1

• Management Plug-ins View. This new View indicates whether a plug-in is activated per Customer, and displays a Needs Attention notification for any plug-in that has not been activated properly.
• Install on Dynamic Objects. Installs a security policy on dynamic objects.
• Gateway Function Oriented Global Policy. Global security rules can now be installed on specific gateways or groups of gateways for a Customer CMA, allowing gateways with different functions to receive different global security rules. When installing global policy to a number of similarly configured CMAs, the relevant global rules are installed to all of the relevant gateways on each CMA. This feature is particularly useful for enterprise deployments of Provider-1, where Customer CMAs typically represent geographic subdivisions of an enterprise. For example, an enterprise deployment may have Customer CMAs for business units in New York, Boston, and London, and each CMA will be similarly configured, with a gateway (or gateways) to protect a DMZ, and others to protect the perimeter. This new capability allows an administrator to configure the global policy so that certain global security rules are installed to DMZ gateways, wherever they exist, and different rules are installed to the perimeter gateways.
• Global Manager. Global Manager is a new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.

VPN-1 Power VSX

VPN-1 Power VSX provides the ability to:
• Distribute Virtual Systems on different members of a cluster, effectively spreading the Virtual System traffic load within the cluster, with ClusterXL Virtual System Load Sharing.
• Manage the processing power of a VSX machine, with Resource Control.
• Control the network quality of service in the VSX network environment, with Check Point Lightweight QoS Enforcement.

It also initiates support for a range of network interface cards and servers. For complete details on what’s new in this version, and for the latest technical information, refer to the VPN-1 Power VSX NGX Scalability Pack Release Notes, available at: http://www.checkpoint.com/support/technical/documents/index.html.
Management Plug-Ins

NGX R65 introduces an additional infrastructure that enables the use of management plug-ins. The new plug-ins architecture introduces the ability to dynamically add new features and support for new products. Management plug-ins offer central management of gateways and features not supported by your current NGX R65 SmartCenter or Provider-1/SiteManager-1. Management plug-ins supply new and separate packages that consist only of those components necessary for managing new gateway products or specific features, thus avoiding a full upgrade to the next release.

Each plug-in:
• Is supplied with relevant documentation
• Is installed on SmartCenter Server or Gateway
• Requires a specific version of SmartDashboard
Chapter 3
Getting Started

In This Chapter:
Provider-1 Terminology page 18
VSX Terminology page 20
High-End System Requirements page 21
Compatibility Table page 21
Supported Upgrade Paths and Interoperability page 24
Licensing page 27

This chapter describes terminology used throughout this manual, installation requirements, and licensing information.
Provider-1 Terminology

Provider-1 refers to the complete Provider-1/SiteManager-1 product functionality. The following Provider-1 terms are used throughout this manual:

• Customer: A business entity or subdivision of a business entity whose networks are protected by VPN-1 gateways, VPN-1 UTM Edge appliances or other Check Point compatible firewalls. Customer security policies and network access are managed using Provider-1/SiteManager-1.
• Customer Log Module (CLM): A log server for a single customer.
• Customer Management Add-On (CMA): The Provider-1 equivalent of the SmartCenter server for a single customer. Through the CMA, an administrator creates security policies and manages the customer gateways.
• GUI Client: A computer running one or more of the SmartConsole applications, for example, the Provider-1 MDG.
• Internal Certificate Authority (ICA): The component that creates and manages X.509 compliant certificates for Secure Internal Communication (SIC), site-to-site VPN communication (between VPN-1 gateways), and the authentication of administrators and users.
  • The MDS has an ICA that secures the Multiple Domain Server (MDS) domain.
  • Each CMA has its own ICA to secure its customer’s management domain.
• Multi-Domain Server (MDS): The MDS houses Provider-1 system information including details of the Provider-1 deployment, its administrators and customer management data. There are two types of MDSes: the Manager, which runs the Provider-1 deployment, and the Container, which holds the Customer Management Add-Ons (CMA). The Manager is the administrator’s entry point into the Provider-1 environment. An MDS can be a Manager, a Container, or both.
• Multi-Domain Log Module (MLM): A special MDS container that collects and stores logs. It contains multiple Customer Log Modules (CLMs).
• Provider-1 Administrator: A security administrator who is assigned granular permissions to manage specific parts of the Provider-1 system. The following permission levels can be assigned:
  • Provider-1 Superuser: Manages the entire Provider-1 system, which includes the management of all MDS servers, all administrators (with all permission levels), all customers, and all customer networks.
  • Customer Superuser: Manages all administrators (with lower permission levels), all customers, and all customer networks.
  • Global Manager: A new type of administrator account in the MDG. With access to Global SmartDashboard, a Global Manager is capable of managing global policies and global objects. For a Global Manager to have additional access to CMA policies, read-write or partial access rights must be specifically assigned.
  • Customer Manager: Manages customer networks for specific customers. Administrators with this permission level can also use the MDG application; however, they can view and manage only those customers that have been specifically assigned to them.
  • None: Manages customer networks for specific customers, but cannot access the MDG application.
VSX Terminology

The following VPN-1 Power VSX (VPN-1 Power VSX NGX Scalability Pack) terms are used throughout this manual:

• Virtual Router: An independent routing domain within a VSX gateway that functions like a physical router. It is used to direct packets arriving at the VSX gateway through a shared interface to the relevant Virtual System or to direct traffic arriving from Virtual Systems to a shared interface or other Virtual Systems.
• Virtual Switch: A virtual entity that provides layer-2 connectivity between Virtual Systems and connectivity to a shared interface. As with a physical switch, each Virtual Switch maintains a forwarding table with a list of MAC addresses and their associated ports.
• Virtual System: A routing and security domain featuring firewall and VPN capabilities. Multiple Virtual Systems can run concurrently on a single VSX gateway, isolated from one another by their use of separate system resources and data storage.