SmartCenter

Shared by: Nguyen Tien Lich | Date: | File type: PDF | Pages: 362

Text content: SmartCenter

  1. SmartCenter Administration Guide, Version NGX R65, 701676, March 7, 2007
  2. © 2003-2006 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: ©2003-2006 Check Point Software Technologies Ltd. All rights reserved. Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate-1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 VSX, VPN-1 XL, Web Intelligence, 
ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo, are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. For third party notices, see “THIRD PARTY TRADEMARKS AND COPYRIGHTS” on page 353.
  3. Contents

     Preface

     • Who Should Use This Guide (p. 14)
     • Summary of Contents (p. 15)
     • Appendices (p. 17)
     • Related Documentation (p. 18)
     • More Information (p. 21)
     • Feedback (p. 22)

     Chapter 1 SmartCenter Overview

     • Introduction (p. 24)
     • VPN-1 Power (p. 24)
     • VPN-1 UTM (p. 24)
     • Some Basic Concepts and Terminology (p. 25)
     • Possible Deployment (p. 27)
     • Using Management Plug-Ins (p. 29)
     • Login Process (p. 30)
     • Overview (p. 30)
     • Authenticating the Administrator (p. 30)
     • Authenticating the SmartCenter Server Using its Fingerprint (p. 31)
     • Managing Objects in SmartDashboard (p. 32)
     • SmartDashboard and Objects (p. 33)
     • Managing Objects (p. 35)
     • Configuring Objects (p. 36)
     • Changing the View in the Objects Tree (p. 37)
     • Groups in the Network Objects Tree (p. 41)
     • Securing Channels of Communication (SIC) (p. 47)
     • The SIC Solution (p. 48)
     • The Internal Certificate Authority (ICA) (p. 48)
     • Initializing the Trust Establishment Process (p. 48)
     • Understanding SIC Trust States (p. 49)
     • Testing the SIC Status (p. 49)
     • Resetting the Trust State (p. 50)
     • Troubleshooting: If SIC fails to Initialize (p. 50)
     • Network Topology (p. 51)
     • Managing Users in SmartDashboard (p. 53)
     • User Management Requirements (p. 53)
     • The Check Point User Management Solution (p. 53)
     • Users Database (p. 54)
     • User and Administrator Types (p. 55)
     • Configuring User Objects (p. 56)
     • Working with Policies (p. 60)
     • Overview (p. 60)
     • To Install a Policy Package (p. 61)
     • To Uninstall a Policy Package (p. 62)

     Table of Contents 5
  4.
     • Install User Database (p. 63)

     Chapter 2 Policy Management

     • The Need for an Effective Policy Management Tool (p. 66)
     • The Check Point Solution for Managing Policies (p. 67)
     • Policy Management Overview (p. 67)
     • Policy Packages (p. 68)
     • Dividing the Rule Base into Sections using Section Titles (p. 71)
     • Querying and Sorting Rules and Objects (p. 71)
     • Policy Management Considerations (p. 74)
     • Conventions (p. 74)
     • Policy Management Configuration (p. 75)
     • Policy Package (p. 75)
     • Rule Sections (p. 77)
     • Querying the Rule Base (p. 77)
     • Querying and Sorting Objects (p. 80)

     Chapter 3 SmartMap

     • Overview of SmartMap (p. 82)
     • The SmartMap Solution (p. 82)
     • Working with SmartMap (p. 83)
     • Enabling and Viewing SmartMap (p. 83)
     • Adjusting and Customizing SmartMap (p. 84)
     • Working with Network Objects and Groups in SmartMap (p. 86)
     • Working with SmartMap Objects (p. 89)
     • Working with Folders in SmartMap (p. 92)
     • Integrating SmartMap and the Rule Base (p. 94)
     • Troubleshooting SmartMap (p. 96)
     • Working with SmartMap Output (p. 98)

     Chapter 4 The Internal Certificate Authority (ICA) and the ICA Management Tool

     • The Need for the ICA (p. 102)
     • The ICA Solution (p. 103)
     • Introduction to the ICA (p. 103)
     • ICA Clients (p. 104)
     • Certificate Longevity and Statuses (p. 105)
     • SIC Certificate Management (p. 106)
     • Gateway VPN Certificate Management (p. 107)
     • User Certificate Management (p. 108)
     • CRL Management (p. 109)
     • ICA Advanced Options (p. 110)
     • The ICA Management Tool (p. 111)
     • ICA Configuration (p. 114)
     • Retrieving the ICA Certificate (p. 114)
     • Management of SIC Certificates (p. 115)
     • Management of Gateway VPN Certificates (p. 115)
     • Management of User Certificates via SmartDashboard (p. 117)

     6
  5.
     • Invoking the ICA Management Tool (p. 117)
     • Search for a Certificate (p. 118)
     • Certificate Operations Using the ICA Management Tool (p. 120)
     • Initializing Multiple Certificates Simultaneously (p. 123)
     • CRL Operations (p. 124)
     • CA Cleanup (p. 124)
     • Configuring the CA (p. 125)

     Chapter 5 SmartView Tracker

     • The Need for Tracking (p. 132)
     • The Check Point Solution for Tracking (p. 133)
     • Tracking Overview (p. 133)
     • SmartView Tracker (p. 135)
     • Filtering (p. 138)
     • Queries (p. 138)
     • Matching Rule (p. 139)
     • Log File Maintenance via Log Switch (p. 141)
     • Disk Space Management via Cyclic Logging (p. 142)
     • Log Export Capabilities (p. 142)
     • Local Logging (p. 142)
     • Logging Using Log Servers (p. 143)
     • SmartDefense Advisory (p. 143)
     • Advanced Tracking Operations (p. 144)
     • Tracking Considerations (p. 145)
     • Choosing which Rules to Track (p. 145)
     • Choosing the Appropriate Tracking Option (p. 145)
     • Forwarding Log Records Online vs. Forwarding Log Files on Schedule (p. 146)
     • Tracking Configuration (p. 147)
     • Basic Tracking Configuration (p. 147)
     • SmartView Tracker View Options (p. 148)
     • Configuring a Filter (p. 150)
     • Configuring the Current Rule Number Filter (p. 150)
     • Follow Source, Destination, User Data, Rule and Rule Number (p. 151)
     • Viewing the Logs of a Rule from the Rule Base (p. 152)
     • Configuring Queries (p. 153)
     • Hiding and Showing the Query Tree Pane (p. 155)
     • Working with the Query Properties Pane (p. 155)
     • Modifying a Columns Properties (p. 156)
     • Copying Log Record Data (p. 157)
     • Viewing a Record’s Details (p. 157)
     • Viewing a Rule (p. 158)
     • Find by Interface (p. 158)
     • Maintenance (p. 159)
     • Local Logging (p. 160)
     • Working with Log Servers (p. 161)
     • Custom Commands (p. 163)
     • Block Intruder (p. 164)
     • Configuring Alert Commands (p. 165)

     Table of Contents 7
  6.
     • Enable Warning Dialogs (p. 165)

     Chapter 6 SmartCenter Management

     • The Need for SmartCenter Management (p. 168)
     • The SmartCenter Management Solution (p. 169)
     • General (p. 169)
     • Managing Policy Versions (p. 169)
     • Version Operations (p. 170)
     • Version Configuration (p. 171)
     • Version Upgrade (p. 172)
     • Version Diagnostics (p. 172)
     • Manual versus Automatic Version Creation (p. 172)
     • Backup and Restore the SmartCenter Server (p. 173)

     Chapter 7 Integrity - EndPoint Security

     • Introduction (p. 176)
     • What is Endpoint Security? (p. 177)
     • Integrity (p. 178)
     • Check Point SmartCenter and Integrity Architecture (p. 179)
     • Support Platforms (p. 180)
     • Integrity and SmartCenter Integration (p. 181)
     • Licenses (p. 183)
     • Installing and Managing Licenses (p. 184)
     • Enforcing Licenses (p. 185)
     • Installation (p. 186)
     • Basic Configurations (p. 186)
     • Installation Paths (p. 187)
     • Install (p. 188)
     • Uninstall (p. 189)
     • Configuration (p. 190)
     • Create an Integrity Object (p. 190)
     • Add an Integrity Host/Gateway to the SmartDashboard Definitions (p. 192)
     • Define a Log Server for Integrity Server Logs (p. 193)
     • Create an Integrity Administrator (p. 195)
     • Open the Integrity Server (p. 195)
     • Configuring VPN-1 Firewall to Allow Access to Integrity (p. 196)
     • Troubleshooting (p. 197)

     Chapter 8 SmartPortal

     • Overview (p. 199)
     • Deploying SmartPortal on a Dedicated Server (p. 200)
     • Deploying SmartPortal on the SmartCenter server (p. 201)
     • SmartPortal Configuration and Commands (p. 202)
     • SmartPortal Commands (p. 202)
     • Limiting Access to Specific IP Addresses (p. 202)
     • SmartPortal Configuration (p. 203)
     • Client Side Requirements (p. 204)

     8
  7.
     • Connecting to SmartPortal (p. 204)
     • Using SmartPortal (p. 204)
     • Troubleshooting (p. 205)

     Chapter 9 SmartUpdate

     • The Need for Software Upgrade and License Management (p. 208)
     • The SmartUpdate Solution (p. 209)
     • Introducing SmartUpdate (p. 209)
     • Understanding SmartUpdate (p. 210)
     • SmartUpdate - Seeing it for the First Time (p. 211)
     • Common Operations (p. 213)
     • Upgrading Packages (p. 215)
     • Overview of Upgrading Packages (p. 215)
     • The Upgrade Package Process (p. 216)
     • Other Upgrade Operations (p. 221)
     • Managing Licenses (p. 223)
     • Overview of Managing Licenses (p. 223)
     • Licensing Terminology (p. 224)
     • License Upgrade (p. 226)
     • The License Attachment Process (p. 227)
     • Other License Operations (p. 230)
     • Service Contracts (p. 232)
     • Generating CPInfo (p. 233)
     • The SmartUpdate Command Line (p. 234)

     Chapter 10 SmartDirectory (LDAP) and User Management

     • The Need to Integrate LDAP Servers with Check Point Software (p. 236)
     • The Check Point Solution for Using LDAP Servers (p. 237)
     • VPN-1 SmartDirectory (LDAP) Deployment (p. 238)
     • Account Units (p. 239)
     • The SmartDirectory (LDAP) Schema (p. 240)
     • Managing Users on a SmartDirectory (LDAP) Server (p. 241)
     • Retrieving Information from a SmartDirectory (LDAP) Server (p. 242)
     • Working with Multiple SmartDirectory (LDAP) Servers (p. 243)
     • Check Point Schema (p. 243)
     • SmartDirectory (LDAP) Profiles (p. 244)
     • SmartDirectory (LDAP) Considerations (p. 246)
     • Configuring SmartDirectory (LDAP) Entities to Work with VPN-1 (p. 247)
     • Define an Account Unit (p. 248)
     • Working with SmartDirectory (LDAP) for User Management (p. 251)
     • Working with SmartDirectory (LDAP) for CRL Retrieval (p. 252)
     • Managing Users (p. 253)
     • Using SmartDirectory (LDAP) Queries (p. 256)
     • SmartDirectory (LDAP) Reference Information (p. 258)
     • Integration with Various SmartDirectory (LDAP) Vendors (p. 258)
     • SmartDirectory (LDAP) Schema (p. 264)
     • Proprietary Attributes (p. 264)
     • Attributes (p. 264)

     Table of Contents 9
  8.
     • Schema Checking (p. 273)
     • Modifying SmartDirectory (LDAP) Profiles (p. 274)
     • Profile Attributes (p. 274)
     • Fetch User Information Effectively by Modifying the Profile (p. 286)

     Chapter 11 Management High Availability

     • The Need for Management High Availability (p. 288)
     • The Management High Availability Solution (p. 289)
     • Backing Up the SmartCenter server (p. 289)
     • Management High Availability Deployment (p. 289)
     • Active versus Standby (p. 291)
     • What Data is Backed Up by the Standby SmartCenter Servers? (p. 291)
     • Synchronization Modes (p. 292)
     • Synchronization Status (p. 293)
     • Changing the Status of the SmartCenter Server (p. 295)
     • Synchronization Diagnostics (p. 295)
     • Management High Availability Considerations (p. 297)
     • Remote versus Local Installation of the Secondary SCS (p. 297)
     • Different Methods of Synchronizations (p. 297)
     • Data Overload During Synchronization (p. 297)
     • Management High Availability Configuration (p. 298)
     • Secondary Management Creation and Synchronization - the First Time (p. 298)
     • Changing the Active SCS to the Standby SCS (p. 300)
     • Changing the Standby SCS to the Active SCS (p. 300)
     • Refreshing the Synchronization Status of the SCS (p. 301)
     • Selecting the Synchronization Method (p. 302)
     • Tracking Management High Availability Throughout the System (p. 303)

     Chapter 12 Working with SNMP Management Tools

     • The Need to Support SNMP Management Tools (p. 306)
     • The Check Point Solution for SNMP (p. 307)
     • Understanding the SNMP MIB (p. 307)
     • Handling SNMP Requests on Windows NT (p. 308)
     • Handling SNMP Requests on Unix (p. 309)
     • Handling SNMP Requests on SecurePlatform (p. 309)
     • SNMP Traps (p. 309)
     • Special Consideration for the Unix SNMP Daemon (p. 311)
     • Configuring VPN-1 for SNMP (p. 312)
     • Configuring VPN-1 for SNMP Requests (p. 312)
     • Configuring VPN-1 for SNMP Traps (p. 313)

     Chapter 13 FAQ

     • Network Objects Management (p. 316)
     • Policy Management (p. 317)

     Chapter 14 SmartCenter Advanced Configuration

     • Backup and Restore (p. 320)

     10
  9.
     • Using the Backup and Restore Tool in the Upgrade Process (p. 320)
     • Management High Availability (p. 321)
     • Upgrade the Management High Availability Servers (p. 321)
     • SmartUpdate Upgrade (p. 322)
     • Upgrade SmartUpdate version 4.1 VPN-1 Gateways (p. 322)

     Appendix A Network Objects

     • Introduction to Objects (p. 324)
     • The Objects Creation Workflow (p. 325)
     • Viewing and Managing Objects (p. 325)
     • Network Objects (p. 326)
     • Check Point Objects (p. 326)
     • Nodes (p. 329)
     • Interoperable Device (p. 329)
     • Networks (p. 329)
     • Domains (p. 330)
     • Open Security Extension (OSE) Devices (p. 330)
     • Groups (p. 334)
     • Logical Servers (p. 335)
     • Address Ranges (p. 336)
     • Dynamic Objects (p. 336)
     • VoIP Domains (p. 337)

     Appendix B SmartCenter CLI

     Index (p. 359)

     Table of Contents 11
  10. 12
  11. Preface

      In This Chapter

      • Who Should Use This Guide (page 14)
      • Summary of Contents (page 15)
      • Related Documentation (page 18)
      • More Information (page 21)
      • Feedback (page 22)

      13
  12. Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of
• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).
  13. Summary of Contents

This guide contains the following chapters:

• Chapter 1, “SmartCenter Overview”: includes an overview of usage, and describes the terminology and procedures that will help you install VPN-1 Power and VPN-1 UTM.
• Chapter 2, “Policy Management”: describes how to facilitate the administration and management of the Security Policy by the system administrator.
• Chapter 3, “SmartMap”: describes how a visual representation of your network is used to facilitate and enhance the understanding of the physical deployment and organization of your network.
• Chapter 4, “The Internal Certificate Authority (ICA) and the ICA Management Tool”: includes in-depth information about how to work with and manage the Certificate Authority.
• Chapter 5, “SmartView Tracker”: provides information about how to collect comprehensive information on your network activity in the form of logs, and describes how you can then audit these logs at any given time, analyze your traffic patterns and troubleshoot networking and security issues.
• Chapter 6, “SmartCenter Management”: explains the use of SmartCenter tools to make changes in the production environment securely, smoothly and efficiently. This chapter includes information on Revision control (SmartCenter can manage multiple versions of policies) and Backup & Restore (when it is imperative that the SmartCenter Server be upgraded, it is possible to create a functioning SmartCenter Server which will replace the existing machine while it is being serviced).
• Chapter 7, “Integrity - EndPoint Security”: explains the importance and significance of Integrity, how it is integrated in Check Point products and how Check Point and Integrity come together to provide a manageable solution for securing internal-network endpoint PCs.
  14.
• Chapter 8, “SmartPortal”: includes an explanation about web based administration and troubleshooting of the VPN-1 SmartCenter Server.
• Chapter 9, “SmartUpdate”: explains the use of SmartUpdate, an optional module for VPN-1 that automatically distributes software applications and updates for Check Point and OPSEC Certified products, and manages product licenses. This chapter shows how SmartUpdate provides a centralized means to guarantee that Internet security throughout the enterprise network is always up to date. It shows how SmartUpdate turns time-consuming tasks that could otherwise be performed only by experts into simple point and click operations.
• Chapter 10, “SmartDirectory (LDAP) and User Management”: contains information about the effective use of SmartDirectory (LDAP) servers. In addition, this chapter explains how VPN-1 supports LDAP technology and uses existing LDAP servers to obtain user information for authentication and authorization purposes.
• Chapter 11, “Management High Availability”: includes an in-depth explanation of how, in Management High Availability, the Active SmartCenter Server (Active SCS) always has one or more backup Standby SmartCenter Servers (Standby SCS) which are ready to take over from the Active SmartCenter Server.
  15.
• Chapter 12, “Working with SNMP Management Tools”: explains how SNMP management tools are used to monitor the activity of various devices on the network. In addition, this chapter discusses the point that because system administrators prefer to work with familiar tools, they might feel more comfortable obtaining status information regarding Check Point products through their regular SNMP Network Management Station (NMS).
• Chapter 13, “FAQ”: provides frequently asked questions about network objects management and policy management.
• Chapter 14, “SmartCenter Advanced Configuration”: provides detailed information about backup and restore procedures, management high availability and SmartUpdate upgrade procedures.

Appendices

This guide contains the following appendices:

• Appendix A, “Network Objects”: provides an in-depth explanation of network objects and how to manage and configure them.
• Appendix B, “SmartCenter CLI”: contains a complete list and explanation of SmartCenter command line commands.
  16. Related Documentation

The NGX R65 release includes the following documentation:

TABLE P-1 VPN-1 Power documentation suite documentation

• Internet Security Product Suite Getting Started Guide: Contains an overview of NGX R65 and step by step product installation and upgrade procedures. This document also provides information about What’s New, Licenses, Minimum hardware and software requirements, etc.
• Upgrade Guide: Explains all available upgrade paths for Check Point products from VPN-1/FireWall-1 NG forward. This guide is specifically geared towards upgrading to NGX R65.
• SmartCenter Administration Guide: Explains SmartCenter Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints.
• Firewall and SmartDefense Administration Guide: Describes how to control and secure network access; establish network connectivity; use SmartDefense to protect against network and application level attacks; use Web Intelligence to protect web servers and applications; the integrated web security capabilities; use Content Vectoring Protocol (CVP) applications for anti-virus protection, and URL Filtering (UFP) applications for limiting access to web sites; secure VoIP traffic.
• Virtual Private Networks Administration Guide: This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.
  17. TABLE P-1 VPN-1 Power documentation suite documentation (continued)

• Eventia Reporter Administration Guide: Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point VPN-1 Power, SecureClient and SmartDefense.
• SecurePlatform™/SecurePlatform Pro Administration Guide: Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.
• Provider-1/SiteManager-1 Administration Guide: Explains the Provider-1/SiteManager-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.

TABLE P-2 Integrity Server documentation

• Integrity Advanced Server Installation Guide: Explains how to install, configure, and maintain the Integrity Advanced Server.
• Integrity Advanced Server Administrator Console Reference: Provides screen-by-screen descriptions of user interface elements, with cross-references to relevant chapters of the Administrator Guide. This document contains an overview of Administrator Console navigation, including use of the help system.
• Integrity Advanced Server Administrator Guide: Explains how to manage administrators and endpoint security with Integrity Advanced Server.
• Integrity Advanced Server Gateway Integration Guide: Provides information about how to integrate your Virtual Private Network gateway device with Integrity Advanced Server. This guide also contains information regarding deploying the unified SecureClient/Integrity client package.
  18. TABLE P-2 Integrity Server documentation (continued)

• Integrity Advanced Server System Requirements: Provides information about client and server requirements.
• Integrity Agent for Linux Installation and Configuration Guide: Explains how to install and configure Integrity Agent for Linux.
• Integrity XML Policy Reference Guide: Provides the contents of Integrity client XML policy files.
• Integrity Client Management Guide: Explains how to use command line parameters to control Integrity client installer behavior and post-installation behavior.
