Check Point FireWall-1 on AIX
A Cookbook for Stand-Alone and High Availability
Viktor Mraz, Bernhard Weiser, Rob Priffer, Christian Emmerich, Daesung Chung
International Technical Support Organization
www.redbooks.ibm.com
SG24-5492-00
August 1999
Take Note!
Before using this information and the product it supports, be sure to read the general information in Appendix C, “Special notices” on page 309.
First Edition (August 1999)
This edition applies to Check Point FireWall-1 4.0 Service Pack 2 for use with the AIX 4.3.2 for RS/6000
Comments may be addressed to:
IBM Corporation, International Technical Support Organization
Dept. JN9B Building 003 Internal Zip 2834
11400 Burnet Road
Austin, Texas 78758-3493
When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you.
© Copyright International Business Machines Corporation 1999. All rights reserved.
Note to U.S. Government Users – Documentation related to restricted rights – Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corp.
Contents
Figures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii
Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xi
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiii
The team that wrote this redbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xiii
Comments welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Part 1. Implementing Check Point FireWall-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1
Chapter 1. The design of firewall environments. . . . . . . . . . . . . . . . . . .3
1.1 Basic firewall design. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3
1.2 Compartmentalized firewall environment design. . . . . . . . . . . . . . . . . .6
1.3 Need for highly available firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Chapter 2. Implementation of FireWall-1 on AIX. . . . . . . . . . . . . . . . . .13
2.1 Planning and preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
2.1.1 Network plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
2.1.2 Nodes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
2.2 Basic AIX installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
2.3 Configuring AIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
2.3.1 Basic setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
2.3.2 Configuration of AIX networking. . . . . . . . . . . . . . . . . . . . . . . . .39
2.4 Basic installation of FireWall-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
2.5 Basic configuration of FireWall-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
2.6 Hardening the AIX operating system . . . . . . . . . . . . . . . . . . . . . . . . .71
2.7 Creating FireWall-1 Security Policies . . . . . . . . . . . . . . . . . . . . . . . . .74
2.7.1 Installation of the FireWall-1 Windows GUI. . . . . . . . . . . . . . . . .74
2.7.2 Creating a simple ruleset with FireWall-1 . . . . . . . . . . . . . . . . . .74
2.7.3 Improving the security of a FireWall-1 Security Policy. . . . . . . . .87
2.7.4 Creating network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
2.7.5 Configuring protection from IP spoofing . . . . . . . . . . . . . . . . . . .93
2.7.6 Creating a useful ruleset. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
2.8 Configuring user authentication with FireWall-1 . . . . . . . . . . . . . . . . .99
2.8.1 Configuring simple user authentication. . . . . . . . . . . . . . . . . . . .99
2.8.2 Configuring client authentication. . . . . . . . . . . . . . . . . . . . . . . .104
2.9 Configuring network address translation with FireWall-1. . . . . . . . . .113
2.9.1 Static NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
2.9.2 Double-static NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
2.9.3 Dynamic (hide mode) NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
2.10 Configuring virtual private networking with FireWall-1. . . . . . . . . . .126
2.10.1 Configuring FireWall-1 for client encryption . . . . . . . . . . . . . .127
2.10.2 Installing and configuring SecuRemote. . . . . . . . . . . . . . . . . .132
Part 2. Making Check Point FireWall-1 highly available . . . . . . . . . . . . . . . . . . . . . . .141
Chapter 3. Expanding the FW-1 implementation to high availability . . . .143
3.1 Design considerations for highly available FireWall-1. . . . . . . . . . . .143
3.1.1 Test environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
3.1.2 Our HA design goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
3.1.3 Classical FireWall-1 HA design. . . . . . . . . . . . . . . . . . . . . . . . .144
3.1.4 Our HA design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
3.2 Configuring AIX for highly available FireWall-1. . . . . . . . . . . . . . . . .148
3.3 Installing HACMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
3.4 Configuring HACMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
3.4.1 Cluster topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
3.4.2 Cluster resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
3.4.3 Cluster event customization . . . . . . . . . . . . . . . . . . . . . . . . . . .170
3.4.4 Solving the ARP cache problem. . . . . . . . . . . . . . . . . . . . . . . .173
3.5 Custom shell scripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
3.5.1 Custom shell scripts for HACMP events . . . . . . . . . . . . . . . . . .174
3.5.2 Custom shell scripts for status gathering . . . . . . . . . . . . . . . . .176
3.5.3 Custom shell scripts for starting and stopping HACMP. . . . . . .179
3.5.4 Custom shell scripts for file synchronization. . . . . . . . . . . . . . .180
3.6 Installing the second node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190
3.6.1 Cloning the first node to the second HACMP node. . . . . . . . . .190
3.6.2 Configuration of the second node. . . . . . . . . . . . . . . . . . . . . . .195
3.7 Testing HACMP without FireWall-1 . . . . . . . . . . . . . . . . . . . . . . . . .198
3.7.1 Synchronize HACMP configuration. . . . . . . . . . . . . . . . . . . . . .199
3.7.2 Start HACMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
3.7.3 Prepare test environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
3.7.4 Test the takeover scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . .206
3.8 Configuring FireWall-1 for HACMP. . . . . . . . . . . . . . . . . . . . . . . . . .212
3.8.1 Command line configuration. . . . . . . . . . . . . . . . . . . . . . . . . . .212
3.8.2 GUI configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
3.8.3 FireWall-1 state table synchronization . . . . . . . . . . . . . . . . . . .221
3.8.4 Testing FireWall-1 HA with HACMP . . . . . . . . . . . . . . . . . . . . .223
3.8.5 HACMP service IP addresses & FireWall-1 Security Policy . . .225
3.9 High availability issues with FireWall-1. . . . . . . . . . . . . . . . . . . . . . .230
3.9.1 Synchronizing FireWall-1 management. . . . . . . . . . . . . . . . . . .230
3.9.2 NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
3.9.3 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
3.9.4 Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
3.10 Improving security for HACMP . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
3.10.1 A more granular security policy for HACMP services . . .. . . .236
3.10.2 Replacing RSH with SSH (Secure Shell) . . . . . . . . . . . . . . . .241
Chapter 4. Using IBM eNetwork Dispatcher for high availability. . . .251
4.1 Technical overview of eND. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .251
4.1.1 Interactive Session Support (ISS). . . . . . . . . . . . . . . . . . . . . . .251
4.1.2 eNetwork Dispatcher function. . . . . . . . . . . . . . . . . . . . . . . . . .253
4.1.3 High availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .254
4.2 How does eND fit together with FW-1. . . . . . . . . . . . . . . . . . . . . . . .255
4.2.1 Firewall technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
4.2.2 Integrating eND with FireWall-1 . . . . . . . . . . . . . . . . . . . . . . . .258
4.3 HACMP versus eND considerations. . . . . . . . . . . . . . . . . . . . . . . . .259
4.3.1 High availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .259
4.3.2 Cost . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
4.3.3 Load balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
4.3.4 Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
4.4 Installing eNetwork Dispatcher on AIX . . . . . . . . . . . . . . . . . . . . . . .262
4.5 Firewall configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
4.6 Understanding eNetwork Dispatcher components . . . . . . . . . . . . . .264
4.6.1 Basic dispatcher functionality . . . . . . . . . . . . . . . . . . . . . . . . . .264
4.7 Configure eNetwork Dispatcher with different scenarios. . . . . . . . . .267
4.7.1 Basic environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267
4.7.2 Scenario 1: High availability with eND . . . . . . . . . . . . . . . . . . .268
4.7.3 Scenario 2: High availability and load balancing with eND . . . .276
Appendix A. Introduction to HACMP . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
A.1 Technical overview of HACMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .287
A.1.1 Quick review of basic concepts . . . . . . . . . . . . . . . . . . . . . . . . . .287
A.1.2 Components of HACMP software . . . . . . . . . . . . . . . . . . . . . . . . .292
A.1.3 HACMP log files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
A.1.4 HACMP cluster events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .293
A.1.5 Customizing events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
A.2 Design consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
A.3 How does HACMP fit together with the firewall? . . . . . . . . . . . . . . . .303
Appendix B. An example of the HACMP planning worksheet . . . . . . . .305
Appendix C. Special notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309
Appendix D. Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
D.1 International Technical Support Organization publications . . . . . . . .313
D.2 Redbooks on CD-ROMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
D.3 Other publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313
How to get ITSO redbooks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317
IBM redbook fax order form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .318
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .319
ITSO redbook evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325
Figures
1. Simplest classic firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Classic DMZ firewall environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Modern firewall environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
4. Network plan for stand-alone configuration . . . . . . . . . . . . . . . . . . . . . . 13
5. FireWall-1 GUI login pop-up box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
6. Adding a rule to the bottom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
7. Changing action to accept . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
8. Changing track to account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
9. Opening the Network Objects menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
10. Creating a new workstation object . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
11. Workstation Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
12. Interfaces tab of the firewall’s Workstation Properties . . . . . . . . . . . . . 81
13. Icon of a firewall gateway object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
14. Installing the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
15. Implied rules warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
16. Install Security Policy target selection . . . . . . . . . . . . . . . . . . . . . . . . . . 83
17. IP spoofing warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
18. Install Security Policy results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
19. FireWall-1 Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
20. Deactivating implied rules in policy properties . . . . . . . . . . . . . . . . . . . . 87
21. Making the implied pseudo rules visible . . . . . . . . . . . . . . . . . . . . . . . . 88
22. More implied rules in Policy->Properties->Services tab . . . . . . . . . . . . 89
23. IP Options Drop Track in Policy->Properties->Log and Alert tab . . . . . 90
24. A sample workstation type network object . . . . . . . . . . . . . . . . . . . . . . 91
25. A sample network type network object . . . . . . . . . . . . . . . . . . . . . . . . . 92
26. A sample group type network object . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
27. A sample group that includes a group type network object . . . . . . . . . 95
28. Sample window of IP spoofing configuration . . . . . . . . . . . . . . . . . . . . . 96
29. The ruleset we used for our examples . . . . . . . . . . . . . . . . . . . . . . . . . 98
30. Creating a new user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
31. Entering the new user’s data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
32. Choosing an authentication scheme . . . . . . . . . . . . . . . . . . . . . . . . . . .101
33. Changing the HTTP rule to user authentication . . . . . . . . . . . . . . . . . .102
34. Enabling FireWall-1 password as authentication scheme . . . . . . . . . .103
35. Enabling user authenticated access to allow all HTTP servers . . . . . .103
36. Changing the ICMP rule to client authentication . . . . . . . . . . . . . . . . .105
37. Client Authentication Action Properties: Limits . . . . . . . . . . . . . . . . . .106
38. Client Authentication using a Web browser: Login . . . . . . . . . . . . . . . .107
39. Client Authentication using a Web browser: Password . . . . . . . . . . . .108
40. Client Authentication using a Web browser: Methods . . . . . . . . . . . . .109
41. Client Authentication using a Web browser: FireWall-1 message . . . .110
42. Add a rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
43. Workstation Properties of web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
44. Workstation Properties of web: NAT tab . . . . . . . . . . . . . . . . . . . . . . .115
45. NAT: Configure routing warning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
46. Address translation rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
47. Log Viewer: Ping IP packet getting rejected by rule 0 . . . . . . . . . . . . .119
48. Adding network object web to anti-spoofing group ip_tr0 . . . . . . . . . .120
49. Manually entered NAT rules for double static NAT . . . . . . . . . . . . . . .122
50. Network Properties of int_9.3.187.128 . . . . . . . . . . . . . . . . . . . . . . . . .123
51. Network Properties of int_9.3.187.128: NAT tab . . . . . . . . . . . . . . . . .124
52. Address translation rules: Sequential nature of NAT rules . . . . . . . . .125
53. Creating a group object to serve as encryption domain . . . . . . . . . . . .127
54. Editing User Properties: Encryption tab . . . . . . . . . . . . . . . . . . . . . . . .128
55. User’s ISAKMP Properties: Authentication tab . . . . . . . . . . . . . . . . . .128
56. User’s ISAKMP Properties: Encryption tab . . . . . . . . . . . . . . . . . . . . .129
57. Firewall network object Workstation Properties . . . . . . . . . . . . . . . . . .129
58. Firewall network object Workstation Properties: Encryption tab . . . . .130
59. The firewall’s ISAKMP Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
60. Changing the rule to Client Encrypt . . . . . . . . . . . . . . . . . . . . . . . . . . .131
61. Task bar with SecuRemote icon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
62. SecuRemote main window: Create a new site . . . . . . . . . . . . . . . . . . .133
63. SecuRemote Site menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
64. SecuRemote error message: Site is not a Certificate Authority . . . . .134
65. Firewall network object Workstation Properties: Encryption tab . . . . .135
66. Firewall’s FWZ Properties: CA Key . . . . . . . . . . . . . . . . . . . . . . . . . . .135
67. FireWall-1 confirmation request to generate new CA key . . . . . . . . . .136
68. Key created successfully . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136
69. Firewall’s FWZ Properties after generation of CA key . . . . . . . . . . . . .136
70. Setting the Exportable option in the firewall’s network object . . . . . . .137
71. SecuRemote request to verify IP address and key ID of the firewall . .138
72. Site window after successful site creation . . . . . . . . . . . . . . . . . . . . . .138
73. SecuRemote User Authentication request . . . . . . . . . . . . . . . . . . . . . .139
74. SecuRemote successful authentication . . . . . . . . . . . . . . . . . . . . . . . .140
75. Abstract network plan for high availability . . . . . . . . . . . . . . . . . . . . . .143
76. Detailed network plan for high availability . . . . . . . . . . . . . . . . . . . . . .148
77. The FireWall-1 HA ruleset for ftp test . . . . . . . . . . . . . . . . . . . . . . . . . .218
78. Both firewalls are install targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
79. The security policy is installed on both firewalls . . . . . . . . . . . . . . . . . .220
80. Creating a network object for the HACMP service IP address . . . . . .226
81. The difference between service IP address objects and firewalls . . . .227
82. The network object group firewalls . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
83. The FireWall-1 ruleset for HACMP synchronization to work . . . . . . . .229