Provider-1/SiteManager-1

Chia sẻ: Nguyen Tien Lich | Ngày: | Loại File: PDF | Số trang:324

0
59
lượt xem
7
download

Provider-1/SiteManager-1

Mô tả tài liệu
  Download Vui lòng tải xuống để xem tài liệu đầy đủ

Tham khảo tài liệu 'provider-1/sitemanager-1', công nghệ thông tin, quản trị mạng phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả

Chủ đề:
Lưu

Nội dung Text: Provider-1/SiteManager-1

  1. TM TM Provider-1/SiteManager-1 Administration Guide Version NGX R65 March 7, 2007
  2. © 2003-2007 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: ©2003-2007 Check Point Software Technologies Ltd. All rights reserved. Check Point, AlertAdvisor, Application Intelligence, Check Point Express, Check Point Express CI, the Check Point logo, ClusterXL, Confidence Indexing, ConnectControl, Connectra, Connectra Accelerator Card, Cooperative Enforcement, Cooperative Security Alliance, CoSa, DefenseNet, Dynamic Shielding Architecture, Eventia, Eventia Analyzer, Eventia Reporter, Eventia Suite, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, Hybrid Detection Engine, IMsecure, INSPECT, INSPECT XL, Integrity, Integrity Clientless Security, Integrity SecureClient, InterSpect, IPS-1, IQ Engine, MailSafe, NG, NGX, Open Security Extension, OPSEC, OSFirewall, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureClient Mobile, SecureKnowledge, SecurePlatform, SecurePlatform Pro, SecuRemote, SecureServer, SecureUpdate, SecureXL, SecureXL Turbocard, Sentivist, SiteManager-1, SmartCenter, SmartCenter Express, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, SmartConsole, SmartDashboard, SmartDefense, SmartDefense Advisor, Smarter Security, SmartLSM, SmartMap, SmartPortal, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, UserAuthority, User-to-Address Mapping, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Express, VPN-1 Express CI, VPN- 1 Power, VPN-1 Power VSX, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, Web Intelligence, ZoneAlarm, ZoneAlarm Anti-Spyware, ZoneAlarm Antivirus, ZoneAlarm Internet Security Suite, ZoneAlarm Pro, ZoneAlarm Secure Wireless Router, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. ZoneAlarm is a Check Point Software Technologies, Inc. Company. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988, and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see: THIRD PARTY TRADEMARKS AND COPYRIGHTS.
  3. Table Of Contents Preface Who Should Use This Guide.............................................................................. 12 Summary of Contents ....................................................................................... 13 Related Documentation .................................................................................... 14 More Information ............................................................................................. 17 Feedback ........................................................................................................ 18 Chapter 1 Introduction The Need for Provider-1/SiteManager-1 ............................................................. 20 Management Service Providers (MSP) ........................................................... 21 Data Centers .............................................................................................. 23 Large Enterprises ........................................................................................ 23 The Check Point Solution ................................................................................. 26 Basic Elements........................................................................................... 27 Point of Presence (POP) Network Environment............................................... 31 Managers and Containers............................................................................. 33 Log Managers ............................................................................................. 36 High Availability ......................................................................................... 38 Security Policies in Provider-1 ..................................................................... 38 The Management Model ................................................................................... 40 Introduction to the Management Model......................................................... 40 Administrators ............................................................................................ 40 Management Tools ...................................................................................... 43 The Provider-1/SiteManager-1 Trust Model......................................................... 49 Introduction to the Trust Model .................................................................... 49 Secure Internal Communication (SIC) ........................................................... 49 Trust Between a CMA and its Customer Network ............................................ 50 Trust Between a CLM and its Customer Network ............................................ 51 MDS Communication with CMAs .................................................................. 52 Trust Between MDS to MDS......................................................................... 52 Authenticating the Administrator .................................................................. 52 Authenticating via External Authentication Servers......................................... 53 Setting up External Authentication ............................................................... 55 Re-authenticating when using SmartConsole Clients....................................... 56 CPMI Protocol ............................................................................................ 58 Chapter 2 Planning the Provider-1 Environment Asking yourself the right questions... ................................................................. 61 Consider the Following Scenario... ..................................................................... 63 Protecting the Provider-1/SiteManager-1 Network ............................................... 65 MDS Managers and Containers.......................................................................... 66 MDS Managers ........................................................................................... 66 MDS Containers.......................................................................................... 66 Table of Contents 5
  4. Choosing your deployment for MDS Managers and Containers ......................... 67 MDS Clock Synchronization ......................................................................... 68 Setting up the Provider-1/SiteManager-1 Environment......................................... 69 A Typical Scenario ...................................................................................... 69 A Standalone Provider-1/SiteManager-1 Network ........................................... 70 A Distributed Provider-1/SiteManager-1 Network............................................ 71 Provider-1/SiteManager-1 Network with Point of Presence (POP) Center........... 72 Hardware Requirements and Recommendations.................................................. 74 Provider-1/SiteManager-1 Order of Installation ................................................... 75 Licensing and Deployment................................................................................ 76 The Trial Period .......................................................................................... 76 Considerations............................................................................................ 76 Further Licensing Detail .............................................................................. 78 Miscellaneous Issues ....................................................................................... 82 IP Allocation & Routing ............................................................................... 82 Network Address Translation (NAT) .............................................................. 83 Enabling OPSEC ......................................................................................... 84 Chapter 3 Provisioning the Provider-1 Environment Overview ......................................................................................................... 88 The Provisioning Process .................................................................................. 89 Installation and Configuration ........................................................................... 90 Supported Platforms for the MDS ................................................................. 90 Minimal Hardware Requirements and Disk Space .......................................... 90 Installing the MDS - Creating a Primary Manager ........................................... 91 Uninstall the MDS ...................................................................................... 93 Entering the MDS License ........................................................................... 93 Install the MDG and SmartConsole Clients .................................................... 95 Using the MDG for the First Time ...................................................................... 97 To Launch the MDG .................................................................................... 97 Defining a Security Policy for the Provider-1 Gateway.......................................... 99 Enabling Connections Between Different Components of the System ............. 100 Configurations with More than One MDS .......................................................... 103 MDS Clock Synchronization ....................................................................... 103 Adding an MDS (Container, Manager, or both), or MLM ................................ 104 Editing or Deleting an MDS ....................................................................... 106 When the VPN-1 Power Gateway is Standalone ................................................. 107 When a CMA Manages the VPN-1 Power Gateway ............................................. 108 Starting the Add Customer Wizard .............................................................. 109 OPSEC Application Connections...................................................................... 110 Connecting with an OPSEC Application Client to all Customers ..................... 110 Connecting with an OPSEC Application Client to a Single Customer............... 111 Chapter 4 High-Level Customer Management Overview ....................................................................................................... 114 Creating Customers: A Sample Deployment ................................................. 116 Inputting Licenses using the MDG .............................................................. 124 Setup Considerations ..................................................................................... 127 6
  5. IP Allocation for CMAs .............................................................................. 127 Assigning Groups ...................................................................................... 127 Management Plug-ins..................................................................................... 128 Introducing Management Plug-ins .............................................................. 128 Installing Plug-ins..................................................................................... 129 Activating Plug-ins .................................................................................... 129 Plug-in Status .......................................................................................... 130 High Availability Mode .............................................................................. 131 Plug-in Mismatches .................................................................................. 131 Configuration................................................................................................. 133 Configuring a New Customer ...................................................................... 133 Creating Administrator and Customer Groups............................................... 137 Changing Administrators............................................................................ 137 Modifying a Customer’s Configuration ......................................................... 139 Changing GUI Clients ................................................................................ 139 Deleting a Customer.................................................................................. 140 Configuring a CMA .................................................................................... 140 Starting or Stopping a CMA........................................................................ 140 Checking CMA Status................................................................................ 140 Deleting a CMA ........................................................................................ 141 Chapter 5 Global Policy Management Security Policies in Provider-1 ........................................................................ 144 Introduction to Security Policies in Provider-1 ............................................. 144 The Need for Global Policies ...................................................................... 146 The Global Policy as a Template................................................................. 147 Global Policies and the Global Rule Base .................................................... 148 Global SmartDashboard .................................................................................. 150 Introduction to Global SmartDashboard....................................................... 150 Global Services......................................................................................... 151 Dynamic Objects and Dynamic Global Objects ............................................. 151 Applying Global Rules to Gateways by Function ........................................... 152 Synchronizing the Global Policy Database ................................................... 153 Creating a Global Policy through Global SmartDashboard................................... 154 Global SmartDefense...................................................................................... 156 Introduction to Global SmartDefense .......................................................... 156 SmartDefense in Global SmartDashboard .................................................... 156 SmartDefense Profiles ............................................................................... 158 Subscribing a Customer to the Global SmartDefense Service ......................... 158 Modifying SmartDefense from the SmartDashboard of a CMA........................ 159 Assigning Global Policy .................................................................................. 161 Introduction to Assigning Global Policy ....................................................... 161 Assigning Global Policy for the First Time.................................................... 161 Reassigning Global Policy .......................................................................... 162 Reassigning Global Policy to Multiple Customers Simultaneously................... 162 Reviewing the Status of Global Policy Assignments ...................................... 163 Considerations For Global Policy Assignment ............................................... 164 Global Policy History File........................................................................... 166 Table of Contents 7
  6. Configuration ................................................................................................ 167 Assign/Install a Global Policy ..................................................................... 167 Reassigning/Installing a Global Policy on Customers..................................... 168 Reinstalling a Customer Policy onto the Customers’ Gateways ....................... 169 Remove a Global Policy from Multiple Customers......................................... 170 Remove a Global Policy from a Single Customer .......................................... 170 Viewing the Customer’s Global Policy History File ........................................ 170 Global Policies Tab ................................................................................... 170 Global Names Format................................................................................ 171 Chapter 6 Working in the Customer’s Network Overview ....................................................................................................... 174 Customer Management Add-on (CMA)......................................................... 174 Administrators .......................................................................................... 175 SmartConsole Client Applications ............................................................... 175 Installing and Configuring VPN-1 Power Gateways ............................................ 177 Managing Customer Policies ........................................................................... 178 VPN-1 UTM Edge/Embedded Appliances .................................................... 178 Creating Customer Policies ........................................................................ 178 Revision Control ....................................................................................... 178 Working with CMAs and CLMs in the MDG ....................................................... 179 Chapter 7 Logging in Provider-1 Logging Customer Activity .............................................................................. 182 Exporting Logs............................................................................................... 186 Log Export to Text..................................................................................... 186 Manual Log Export to Oracle Database ........................................................ 186 Automatic Log Export to Oracle Database .................................................... 187 Log Forwarding ......................................................................................... 188 Cross Domain Logging ............................................................................... 188 Logging Configuration .................................................................................... 189 Setting Up Logging ................................................................................... 189 Working with CLMs ................................................................................... 190 Setting up Customer Module to Send Logs to the CLM ................................. 191 Synchronizing the CLM Database with the CMA Database ............................. 192 Configuring an MDS to Enable Log Export ................................................... 192 Configuring Log Export Profiles .................................................................. 192 Choosing Log Export Fields ........................................................................ 193 Log Export Troubleshooting........................................................................ 194 Using Eventia Reporter.............................................................................. 195 Chapter 8 VPN in Provider-1 Overview ....................................................................................................... 198 Access Control at the Network Boundary ..................................................... 199 Authentication Between Gateways .............................................................. 199 How VPN Works........................................................................................ 200 VPN-1 Connectivity in Provider-1 .................................................................... 203 8
  7. VPN-1 Connections for a Customer Network ................................................ 203 Global VPN Communities................................................................................ 207 Gateway Global Names .............................................................................. 207 VPN Domains in Global VPN ...................................................................... 208 Access Control at the Network Boundary ..................................................... 209 Access Control and Global VPN Communities .............................................. 209 Joining a Gateway to a Global VPN Community ............................................ 210 Configuring Global VPN Communities .............................................................. 212 Chapter 9 Monitoring in Provider-1 Overview ....................................................................................................... 216 Monitoring Components in the Provider-1 System ............................................. 217 Exporting the List Pane’s Information to an External File .............................. 218 Working with the List Pane ........................................................................ 218 Checking the Status of Components in the System ............................................ 219 Viewing Status Details ............................................................................... 221 Locating Components with Problems........................................................... 221 Monitoring Issues for Different Components and Features .................................. 223 MDS........................................................................................................ 223 Global Policies ......................................................................................... 225 Customer Policies ..................................................................................... 226 Module Policies ........................................................................................ 226 High Availability ....................................................................................... 227 Global VPN Communities........................................................................... 228 Administrators .......................................................................................... 229 GUI Clients .............................................................................................. 230 Using SmartConsole to Monitor Provider-1 Components..................................... 232 Log Tracking in Provider-1 ......................................................................... 232 Tracking Logs with SmartView Tracker ........................................................ 232 Real-Time Network Monitoring with SmartView Monitor ................................ 233 Eventia Reporter Reports ........................................................................... 235 Chapter 10 High Availability Overview ....................................................................................................... 238 CMA High Availability..................................................................................... 239 Active Versus Standby ............................................................................... 241 Setting up a Mirror CMA ............................................................................ 242 CMA Backup using SmartCenter Server ....................................................... 242 MDS High Availability .................................................................................... 245 MDS Mirror Site........................................................................................ 245 MDS Managers ......................................................................................... 246 Setting up a New MDS and Initiating Synchronization .................................. 247 MDS: Active or Standby............................................................................. 247 The MDS Manager’s Databases .................................................................. 248 The MDS Container’s Databases ................................................................. 249 How Synchronization Works ....................................................................... 249 Setting up Synchronization ........................................................................ 252 Configuration................................................................................................. 255 Table of Contents 9
  8. Adding another MDS ................................................................................. 255 Creating a Mirror of an Existing MDS .......................................................... 256 Initializing Synchronization between MDSs.................................................. 257 Subsequent Synchronization for MDSs........................................................ 257 Selecting a Different MDS to be the Active MDS .......................................... 258 Automatic Synchronization for Global Policies Databases.............................. 258 Add a Secondary CMA ............................................................................... 258 Automatic CMA Synchronization................................................................. 259 Synchronize ClusterXL Modules.................................................................. 259 Chapter 11 Architecture and Processes Packages in MDS Installation.......................................................................... 262 Packages in Common MDS Installation ....................................................... 262 Packages in MDS Upgrade......................................................................... 263 Eventia Reporter Add-on............................................................................ 263 MDS File System ........................................................................................... 264 MDS Directories on /opt and /var File Systems ............................................. 264 Structure of CMA Directory Trees ............................................................... 265 Check Point Registry ................................................................................. 266 Automatic Start of MDS Processes, Files in /etc/rc3.d, /etc/init.d................... 266 Processes...................................................................................................... 267 Environment Variables............................................................................... 267 MDS Level Processes ................................................................................ 269 CMA Level Processes ................................................................................ 270 MDS Configuration Databases ......................................................................... 271 Global Policy Database .............................................................................. 271 MDS Database.......................................................................................... 271 CMA Database.......................................................................................... 272 Connectivity Between Different Processes ........................................................ 273 MDS Connection to CMAs.......................................................................... 273 Status Collection ...................................................................................... 274 Collection of Changes in Objects ................................................................ 274 Connection Between MDSs ........................................................................ 275 Large Scale Management Processes............................................................ 275 VPN-1 UTM Edge Processes ...................................................................... 275 Reporting Server Processes ........................................................................ 275 Issues Relating to Different Platforms .............................................................. 276 High Availability Scenarios ........................................................................ 276 Migration Between Platforms ..................................................................... 277 Chapter 12 Commands and Utilities Index .......................................................................................................... 321 10
  9. Preface P Preface In This Chapter Who Should Use This Guide page 12 Summary of Contents page 13 Related Documentation page 14 More Information page 17 Feedback page 18 11
  10. Who Should Use This Guide Who Should Use This Guide This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support. This guide assumes a basic understanding of • System administration. • The underlying operating system. • Internet protocols (IP, TCP, UDP etc.). 12
  11. Summary of Contents Summary of Contents This guide describes the installation, configuration and management of Provider-1/SiteManager-1. It contains the following chapters: Chapter Description Chapter 1, “Introduction” Chapter 1 covers the need for Provider-1, and different elements and deployments of the Provider-1 system. Chapter 2, “Planning the Chapter 2 covers pre-installation considerations. Provider-1 Environment” Chapter 3, “Provisioning the Chapter 3 covers installation of the Provider-1 Provider-1 Environment” system. Chapter 4, “High-Level Chapter 4 covers the initial configuration. Customer Management” Chapter 5, “Global Policy Chapter 5 covers setting up Global Policies for Management” Customers. Chapter 6, “Working in the Chapter 6 covers administration on the Customer Customer’s Network” level. Chapter 7, “Logging in Chapter 7 covers logging and tracking. Provider-1” Chapter 8, “VPN in Chapter 8 covers setting up Virtual Private Provider-1” Networks. Chapter 9, “Monitoring in Chapter 9 covers monitoring the status of the Provider-1” Provider-1 system. Chapter 10, “High Chapter 10 covers the different types High Availability” Availability available for Provider-1. Chapter 11, “Architecture Chapter 11 covers the file and directory and Processes” structure of the Provider-1 system. Chapter 12, “Commands and Chapter 12 covers useful command line utilities. Utilities” Preface 13
  12. Related Documentation Related Documentation The NGX R65 release includes the following documentation TABLE P-1 VPN-1 Power documentation suite documentation Title Description Internet Security Product Contains an overview of NGX R65 and step by step Suite Getting Started product installation and upgrade procedures. This Guide document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc. Upgrade Guide Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65. SmartCenter Explains SmartCenter Management solutions. This Administration Guide guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints. Firewall and Describes how to control and secure network SmartDefense access; establish network connectivity; use Administration Guide SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic. Virtual Private Networks This guide describes the basic components of a Administration Guide VPN and provides the background for the technology that comprises the VPN infrastructure. 14
  13. Related Documentation TABLE P-1 VPN-1 Power documentation suite documentation (continued) Title Description Eventia Reporter Explains how to monitor and audit traffic, and Administration Guide generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense. SecurePlatform™/ Explains how to install and configure SecurePlatform Pro SecurePlatform. This guide will also teach you how Administration Guide to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols. Provider-1/SiteManager-1 Explains the Provider-1/SiteManager-1 security Administration Guide management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments. TABLE P-2 Integrity Server documentation Title Description Integrity Advanced Explains how to install, configure, and maintain the Server Installation Integrity Advanced Server. Guide Integrity Advanced Provides screen-by-screen descriptions of user Server Administrator interface elements, with cross-references to relevant Console Reference chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system. Integrity Advanced Explains how to managing administrators and Server Administrator endpoint security with Integrity Advanced Server. Guide Integrity Advanced Provides information about how to integrating your Server Gateway Virtual Private Network gateway device with Integrity Integration Guide Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package. Preface 15
  14. Related Documentation TABLE P-2 Integrity Server documentation (continued) Title Description Integrity Advanced Provides information about client and server Server System requirements. Requirements Integrity Agent for Linux Explains how to install and configure Integrity Agent Installation and for Linux. Configuration Guide Integrity XML Policy Provides the contents of Integrity client XML policy Reference Guide files. Integrity Client Explains how to use of command line parameters to Management Guide control Integrity client installer behavior and post-installation behavior. 16
  15. More Information More Information • For additional technical information about Check Point products, consult Check Point’s SecureKnowledge at https://secureknowledge.checkpoint.com/. • See the latest version of this document in the User Center at http://www.checkpoint.com/support/technical/documents Preface 17
  16. Feedback Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to: cp_techpub_feedback@checkpoint.com 18
  17. Chapter 1 Introduction In This Chapter The Need for Provider-1/SiteManager-1 page 20 The Check Point Solution page 26 The Management Model page 40 The Provider-1/SiteManager-1 Trust Model page 49 19
  18. The Need for Provider-1/SiteManager-1 The Need for Provider-1/SiteManager-1 In This Section Management Service Providers (MSP) page 21 Data Centers page 23 Large Enterprises page 23 Secured IT systems are a basic need for modern business environments, and large deployments face unique security challenges. A large scale enterprise must handle the challenges of disparate yet interconnected systems. The large scale enterprise often has corporate security policies that must be tailored to local branch needs, balanced with vital requirement for corporate-wide access, perhaps between branches in different countries. Businesses with a large user base often need to monitor and control access to confidential internal sites, and to monitor communication failures. Administrators must be alerted to external attacks, not only on a company-wide basis, but also more selectively on a department by department, branch by branch basis. Companies with many branches must face security and access challenges that small scale businesses do not. For example, an international airline needs to provide access of varying levels to ticket agents, managers, airline staff, and customers, through the Internet, intranets both local and international, and through remote dial-up; all the while preventing unauthorized access to confidential financial data. Differentiating between levels of access permissions is critical not only for securing user transactions, but also for monitoring for attacks, abuse and load management. Task specialization amongst administrators must also be supported so that security can be centralized. Service providers such as Data Centers and Managed Service Providers (MSPs) need to securely manage large-scale systems with many different customers and access locations. An MSP must potentially handle separate customer systems with many different LANs, each with its own security policy needs. The MSP must be able to confidentially address the security and management needs for each customer, each with their own system topology and system products. One policy is not sufficient for the needs of so many different types of customers. A Data Center provides data storage services to customers and must handle access and storage security for many different customers, whose requirements for private and secure access to their data are of critical importance. 20

CÓ THỂ BẠN MUỐN DOWNLOAD

Đồng bộ tài khoản