CCSA™ NG: Check Point™ Certified Security Administrator Study Guide Justin Menga San Francisco • London Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com Associate Publisher: Neil Edde Acquisitions Editor: Maureen Adams Developmental Editor: Heather O’Connor Editor: Cheryl Hauser Production Editor: Dennis Fitzgerald Technical Editors: Ted Snider, Gareth Bromley Graphic Illustrator: Tony Jonick Electronic Publishing Specialist: Interactive Composition Corporation CD Coordinator: Dan Mummert CD Technician: Kevin Ly Proofreaders: Emily Husan, Dave Nash, Laurie O’Connell, Nancy Riddiough Indexer: Ted Laux Book Designer: Bill Gibson Cover Design: Archer Design Cover Photograph: Bruce Heinemann, PhotoDisc Copyright © 2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. World rights reserved. No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written permission of the publisher. Library of Congress Card Number: 2002113565 ISBN: 0-7821-4115-3 SYBEX and the SYBEX logo are either registered trademarks or trademarks of SYBEX Inc. in the United States and/or other countries. Screen reproductions produced with FullShot 99. FullShot 99 © 1991–1999 Inbit Incorporated. All rights reserved. FullShot is a trademark of Inbit Incorporated. The CD interface was created using Macromedia Director, COPYRIGHT 1994, 1997–1999 Macromedia Inc. For more information on Macromedia and Macromedia Director, visit http://www.macromedia.com. TRADEMARKS: SYBEX has attempted throughout this book to distinguish proprietary trademarks from descriptive terms by following the capitalization style used by the manufacturer. ClusterXL, ConnectControl, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FireWall-1 SmallOffice, FireWall-1 VSX, FireWall-1 XL, FloodGate-1, INSPECT, INSPECT XL, IQ Engine, Open Security Extension, OPSEC, Provider-1, SecureKnowledge, SecurePlatform, SecureXL, SiteManager-1, SmartCenter, SmartCenter Pro, SmartDashboard, Smart- Defense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartView Tracker, SVN, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Net, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 SmallOffice and VPN-1 VSX are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. The author and publisher have made their best efforts to prepare this book, and the content is based upon final release software whenever possible. Portions of the manuscript may be based upon pre-release versions supplied by software manufacturer(s). The author and the publisher make no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this book. Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com To Our Valued Readers: The Check Point certification program well deserves its position as the leading vendor-specific security certification in the IT arena. And with the recent release of the Check Point NG exams, current and aspiring security professionals are seeking accurate, thorough, and accessible study material to help them prepare for the new CCSA and CCSE exams. Sybex is excited about the opportunity to provide individuals with the knowledge and skills they’ll need to succeed in the highly competitive IT security field. It has always been Sybex’s mission to teach exam candidates how new technologies work in the real world, not to simply feed them answers to test questions. Sybex was founded on the premise of providing technical skills to IT professionals, and we have continued to build on that foundation. Over the years, we have made significant improvements to our study guides based on feedback from readers, suggestions from instructors, and comments from industry leaders. Check Point’s certification exams are indeed challenging. The Sybex team of authors, editors, and technical reviewers have worked hard to ensure that this Study Guide is comprehensive, in-depth, and pedagogically sound. We’re confident that this book, along with the collection of cutting-edge software study tools included on the CD, will meet and exceed the demanding standards of the certification marketplace and help you, the Check Point certification exam candidate, succeed in your endeavors. Good luck in pursuit of your Check Point certification! Neil Edde Associate Publisher—Certification Sybex, Inc. Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com Software License Agreement: Terms and Conditions The media and/or any online materials accompanying this If you discover a defect in the media during this warranty book that are available now or in the future contain programs period, you may obtain a replacement of identical format at and/or text files (the “Software”) to be used in connection no charge by sending the defective media, postage prepaid, with the book. SYBEX hereby grants to you a license to use with proof of purchase to: the Software, subject to the terms that follow. Your purchase, acceptance, or use of the Software will constitute your accep- SYBEX Inc. tance of such terms. Product Support Department The Software compilation is the property of SYBEX unless 1151 Marina Village Parkway otherwise indicated and is protected by copyright to SYBEX Alameda, CA 94501 or other copyright owner(s) as indicated in the media files Web: http://www.sybex.com (the “Owner(s)”). You are hereby granted a single-user license to use the Software for your personal, noncommercial use After the 90-day period, you can obtain replacement media only. You may not reproduce, sell, distribute, publish, circu- of identical format by sending us the defective disk, proof of late, or commercially exploit the Software, or any portion purchase, and a check or money order for $10, payable to thereof, without the written consent of SYBEX and the specific SYBEX. copyright owner(s) of any component software included on Disclaimer this media. SYBEX makes no warranty or representation, either expressed In the event that the Software or components include specific or implied, with respect to the Software or its contents, quality, license requirements or end-user agreements, statements of performance, merchantability, or fitness for a particular condition, disclaimers, limitations or warranties (“End-User purpose. In no event will SYBEX, its distributors, or dealers License”), those End-User Licenses supersede the terms and be liable to you or any other party for direct, indirect, special, conditions herein as to that particular Software component. incidental, consequential, or other damages arising out of the Your purchase, acceptance, or use of the Software will con- use of or inability to use the Software or its contents even if stitute your acceptance of such End-User Licenses. advised of the possibility of such damage. In the event that By purchase, use or acceptance of the Software you further the Software includes an online update feature, SYBEX further agree to comply with all export laws and regulations of the disclaims any obligation to provide this feature for any specific United States as such laws and regulations may exist from duration other than the initial posting. time to time. The exclusion of implied warranties is not permitted by some Software Support states. Therefore, the above exclusion may not apply to you. This warranty provides you with specific legal rights; there Components of the supplemental Software and any offers may be other rights that you may have that vary from state to associated with them may be supported by the specific state. The pricing of the book with the Software by SYBEX Owner(s) of that material, but they are not supported by reflects the allocation of risk and limitations on liability SYBEX. Information regarding any available support may be contained in this agreement of Terms and Conditions. obtained from the Owner(s) using the information provided in the appropriate read.me files or listed elsewhere on the media. Shareware Distribution Should the manufacturer(s) or other Owner(s) cease to offer This Software may contain various programs that are dis- support or decline to honor any offer, SYBEX bears no tributed as shareware. Copyright laws apply to both shareware responsibility. This notice concerning support for the Soft- and ordinary commercial software, and the copyright Owner(s) ware is provided for your information only. SYBEX is not the retains all rights. If you try a shareware program and continue agent or principal of the Owner(s), and SYBEX is in no way using it, you are expected to register it. Individual programs responsible for providing any support for the Software, nor differ on details of trial periods, registration, and payment. is it liable or responsible for any support provided, or not Please observe the requirements stated in appropriate files. provided, by the Owner(s). Copy Protection Warranty The Software in whole or in part may or may not be copy- SYBEX warrants the enclosed media to be free of physical protected or encrypted. However, in all cases, reselling or defects for a period of ninety (90) days after purchase. The redistributing these files without authorization is expressly Software is not available from SYBEX in any other form or forbidden except as specifically provided for by the Owner(s) media than that enclosed herein or posted to www.sybex.com. therein. Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com This book is dedicated to my first child, Chloe. Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com Introduction W elcome to the exciting world of Check Point certification! You have picked up this book because you want something better; namely, a better job with more satisfaction. Rest assured that you have made a good decision. Check Point certification can help you get your first networking or security job, or more money or a promotion if you are already in the field. Check Point certification can also improve your understanding of how network security works for more than just Check Point products. For instance, currently over 300 products integrate VPN-1/FireWall-1 through protocols such as voice over IP (VoIP) and Lightweight Directory Access Protocol (LDAP), as well as technologies such as network address translation (NAT) and content filtering. Check Point’s Open Platform for Security (OPSEC), located at www.opsec.com, is the foundation responsible for creating the standards used to incorporate products from third-party vendors with Check Point products. It certainly can’t hurt to have Check Point certifications, considering Check Point is the worldwide market leader in firewalls and VPNs and has been since 1995. According to their website, Check Point’s solutions are “sold, integrated and serviced by a network of 2,500 certified partners in 149 countries.” Obtaining a Check Point certification makes you a CCP (Check Point Certified Professional), which in turn makes you eligible to use the Certified Professional password-protected website. Here you’ll find tools, features, transcripts, and other information not available to the general public. Other benefits of being a CCP include access to the Secure- Knowledge database, notification of product updates, use of logos and credentials, and invitations to seminars and other Check Point events. For more information about the CCP program, visit www.checkpoint.com/ services/education/certification/index.html. While pursuing Check Point certifications, you will develop a complete understanding of networking security. This knowledge is beneficial to every network security job and is the reason that, in recent times, Check Point certification has become so popular. Check Point is one of the leading and most respected firewall and VPN vendors in the world. To ensure that organizations can measure the skill level of Check Point administrators and engineers, Check Point provides various levels of certification that Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com xviii Introduction quantify network security knowledge and an administrator’s ability to implement network security using Check Point products. How to Use This Book If you want a solid foundation for the Check Point Certified Security Admin- istrator (CCSA) exam, then look no further. We have spent hundreds of hours putting together this book with the sole intention of helping you to pass the VPN-1/FireWall-1 Management I NG (156-210) exam. This book is loaded with valuable information, and you will get the most out of your studying time if you understand how we put this book together. To best benefit from this book, we recommend the following study method: 1. Take the assessment test immediately following this introduction. (The answers are at the end of the test.) It’s okay if you don’t know any of the answers; that is why you bought this book! Carefully read over the explanations for any question you get wrong, and note which chapters the material comes from. This information should help you plan your study strategy. 2. Study each chapter thoroughly, making sure that you fully understand the information and the test objectives listed at the beginning of each chapter. Pay extra-close attention to any chapter where you missed questions in the assessment test. 3. Complete the exercises included in each chapter on your own equip- ment if possible. If you do not have Check Point VPN-1/FireWall-1 equipment and software available, be sure to study the examples provided in the book carefully. 4. Answer all of the review questions related to each chapter. (The answers appear at the end of each chapter.) Note questions that confuse you and study those sections of the book again. Do not just skim these questions! Make sure you understand completely the reason for each answer. 5. Try your hand at the practice exams that are included on the compan- ion CD. The questions in these exams appear only on the CD. These exams will give you a complete overview of what you can expect to see on the real VPN-1/FireWall-1 Management I NG exam. Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com Introduction xix 6. Test yourself using all the flashcards on the CD. There are brand new and updated flashcard programs on the CD to help you prepare completely for the VPN-1/FireWall-1 Management I NG exam. These are great study tools! The electronic flashcards can be used on your Windows computer, Pocket PC, or Palm device. 7. Make sure you read the Key Terms and Exam Essentials lists at the end of the chapters. These study aids will help you finish each chapter with the main points fresh in your mind; they’re also helpful as a quick refresher before heading into the testing center. To learn every bit of the material covered in this book, you’ll have to apply yourself regularly, and with discipline. Try to set aside the same time every day to study, and select a comfortable and quiet place to do so. If you work hard, you will be surprised at how quickly you learn this material. If you follow the steps listed above, and really study and practice the review questions, CD exams, and electronic flashcards, it would be hard to fail the VPN-1/FireWall-1 Management I NG exam. What Does This Book Cover? This book covers everything you need to pass the VPN-1/FireWall-1 Man- agement I NG exam. (cid:1) Chapter 1 introduces you to Check Point’s Secure Virtual Network, which is a framework that provides a total end-to-end network secu- rity solution. This chapter is a high-level overview of Check Point VPN-1/Firewall-1. (cid:1) Chapter 2 discusses the different types of firewall architectures and takes a closer look at the architecture of VPN-1/FireWall-1. (cid:1) Chapter 3 covers the basics of VPN-1/FireWall-1 security policy, introducing you to each of the components that make up the security policy database. Security objects, policy properties, and security rules are all introduced in this chapter. By the end of the chapter, you will be able to configure a complex security policy using security rules and install the policy to VPN-1/FireWall-1 enforcement modules. Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com xx Introduction (cid:1) Chapter 4 discusses advanced security policy topics, such as optimizing the performance of your security policy and learning how to manage security rule bases more efficiently. You will also learn about many of the useful CLI utilities that can be used to manage and monitor VPN-1/FireWall-1. (cid:1) Chapter 5 shows you how to use the SmartView Tracker application, to ensure that you can harness the native security logging features of VPN-1/FireWall-1, detect security threats, and block connectivity to suspected security threats. (cid:1) Chapter 6 discusses authentication in VPN-1/FireWall-1 and how VPN-1/FireWall-1 supports many popular authentication schemes. You’ll also learn how to configure the users database, which holds all user and group objects—important features when defining authenti- cation rules. (cid:1) Chapter 7 provides in-depth analysis of each of the authentication types supported on VPN-1/FireWall-1, how to implement each type, and when to implement them. (cid:1) Chapter 8 introduces you to the concept of network address translation (NAT), why it is such an integral component of Internet connectivity today, and discusses the various types and advantages and disadvan- tages of NAT. (cid:1) Chapter 9 shows you how to configure network address translation on VPN-1/FireWall-1. You will learn how to configure automatic and manual NAT. The differences between and caveats of each type of NAT will also be explored in depth, so that you know when you should implement the appropriate type of NAT. (cid:1) Chapter 10 provides the information you need to back up and restore VPN-1/FireWall-1 so you can ensure the ongoing availability and reliability of your VPN-1/FireWall-1 installation. You will also learn how to uninstall VPN-1/FireWall-1, as this may be required during the restoration procedure. Finally, you will learn about the SmartView Status SMART client, which is used to provide real-time system moni- toring of VPN-1/FireWall-1 systems and products, ensuring that you are notified in real-time of any immediate or potential issues. (cid:1) The glossary is a handy resource for Check Point and other security terms. This is a great tool for understanding some of the terms used in this book. Copyright ©2003 SYBEX, Inc., Alameda, CA www.sybex.com