VPN-1 VE Evaluation Guide

Published
of 9
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Share
Description
VPN-1 VE Evaluation Guide This document is intended for users who are new to Check Point VPN-1 products and would like to evaluate and review VPN-1 VE. We recommend reading the VPN-1 VE Administration
Transcript
This document is intended for users who are new to Check Point VPN-1 products and would like to evaluate and review VPN-1 VE. We recommend reading the VPN-1 VE Administration Guide for further information and to understand how VPN-1 VE can be deployed in your business environment.

In This Document
  What is VPN-1 VE?
  How Do I Get Started?
  Creating A VPN-1 VE Deployment
    Importing VPN-1 VE
    Configuring the VPN-1 Virtual Machine
    Setting Your Security Policy
  More Information
  Documentation Feedback

What is VPN-1 VE?

Check Point's VPN-1 NGX delivers end-to-end network security, providing proven, comprehensive security for businesses with integrated firewall, VPN, intrusion prevention, antivirus, and Web filtering functionality in a single solution. All network security can be managed with a single enterprise-wide Security Policy.

VPN-1 VE (Virtual Edition) lets you install VPN-1 on VMware ESX Servers to provide the same security protections and VPN features as physical VPN-1 gateways. It securely connects these gateways and SmartCenters on virtual machines to shared resources, such as the Internet and DMZs, and allows them to interact safely with each other and with the outside world. VPN-1 VE machines and physical gateways can be managed by the same unified central management, so one consistent, enforceable security policy covers all physical and virtual networks.

VPN-1 VE runs on Check Point's SecurePlatform, a pre-hardened, secure operating system. SecurePlatform is easy to use and manage, from either a WebUI or an industry-standard command line interface (CLI). When you install VPN-1 VE, SecurePlatform is installed automatically and the machine is ready for configuration in just a few steps.

Virtualization of hardware resources lets you run multiple virtual computers on a single hardware platform, giving cost-effective, scalable solutions for dynamic network environments. With VPN-1 VE, Check Point brings its security solutions to the virtualized world, so that virtualized network resources get the same proven protection as physical ones.

Copyright 2008 Check Point Software Technologies, Ltd. All rights reserved

How Do I Get Started?

VPN-1 VE lets you deploy VPN-1 as a virtual machine that is already configured and optimized for a VMware ESX environment. A virtual machine created from VPN-1 VE runs on Check Point's SecurePlatform and is provisioned with 1 CPU, 512 MB of memory, 12 GB of disk capacity (which can be extended), and four virtual network interfaces.

To use VPN-1 VE, you import a file to the ESX server and add it to your virtual machine inventory. When you first log in to the VPN-1 VE, the configuration wizard guides you through the initial configuration. Configuration continues in the WebUI, from which you download Check Point SmartDashboard, the GUI for managing all VPN-1 components.

Deployment Example

Figure 1 illustrates a sample VPN-1 environment on a VMware ESX host. Many other deployments are possible, including using VLANs to protect many virtual networks at once.

Figure 1 Example of a VPN-1 VE Deployment

In this simple example, a standalone VPN-1 gateway and SmartCenter server combination protects three virtual switches leading to networks containing several different types of servers. All traffic that flows between the virtual networks, for example between the Web Servers Network and the Database Server, or from a host on the external LAN to a server, is inspected by the VPN-1 VE.
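The import procedures in Creating A VPN-1 VE Deployment unpack the downloaded .tgz with tar -zxvf and then register the extracted .ovf or .vmx with the inventory; on the ESX 3.0.x path this happens on the ESX server itself, under /vmfs/volumes. Before unpacking a downloaded appliance archive on a hypervisor host, a practitioner would want to confirm that it contains only regular files and directories with relative paths, so that a tampered archive cannot write outside the target folder (for example into another virtual machine's folder on the same datastore). The following Python script is an added example, not part of this guide and not Check Point tooling: it lists the archive members, refuses absolute paths, parent-directory components and links, extracts only if the archive is clean, and returns the single .ovf file to hand to Import a Virtual Appliance. The archives it builds are constructed in a temporary directory purely for the demonstration; the real VPN-1_R65_VE_OVF.tgz is assumed to follow the same layout (one .ovf descriptor plus disk files), which is an assumption, not something the guide states.

```python
import io
import os
import tarfile
import tempfile

# Added example: pre-flight check for a downloaded appliance archive.
# Not Check Point code; the archives used below are constructed in a temp dir.


def unsafe_members(tar):
    """Return the names of archive members that must not be extracted.

    Rejects absolute names, names containing a '..' component, hard and
    symbolic links (which can be pointed outside the target folder) and any
    other special entry type. Only plain files and directories are allowed.
    """
    bad = []
    for member in tar.getmembers():
        parts = member.name.replace("\\", "/").split("/")
        if member.name.startswith("/") or os.path.isabs(member.name) or ".." in parts:
            bad.append(member.name)
        elif member.issym() or member.islnk():
            bad.append(member.name)
        elif not (member.isfile() or member.isdir()):
            bad.append(member.name)
    return bad


def extract_appliance(archive_path, dest_dir):
    """Validate and unpack an appliance .tgz, returning the path of its .ovf.

    Raises ValueError instead of extracting if any member is unsafe, or if
    the archive does not contain exactly one .ovf descriptor.
    """
    with tarfile.open(archive_path, "r:gz") as tar:
        bad = unsafe_members(tar)
        if bad:
            raise ValueError("refusing to extract, unsafe entries: %s" % bad)
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and security backports) can enforce the same
            # rules inside extractall itself; use that as a second layer.
            tar.extractall(dest_dir, filter="data")
        else:
            tar.extractall(dest_dir)
    ovfs = [
        os.path.join(root, name)
        for root, _dirs, files in os.walk(dest_dir)
        for name in files
        if name.lower().endswith(".ovf")
    ]
    if len(ovfs) != 1:
        raise ValueError("expected exactly one .ovf, found %d" % len(ovfs))
    return ovfs[0]


def build_archive(path, members):
    """Write a constructed .tgz whose members are given as {name: bytes}.

    TarInfo names are written verbatim, which is how the hostile archive
    with a '../' entry is produced for the negative case in demo().
    """
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo():
    """Build one clean and one hostile archive and run both through the check.

    Returns (basename of the extracted .ovf, True if the hostile archive was
    refused, list of the hostile archive's offending entry names).
    """
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for VPN-1_R65_VE_OVF.tgz: one descriptor, one disk.
        clean = os.path.join(tmp, "VPN-1_R65_VE_OVF.tgz")
        build_archive(clean, {
            "VPN-1_R65_VE_OVF/VPN-1_R65_VE.ovf": b"<Envelope/>",
            "VPN-1_R65_VE_OVF/VPN-1_R65_VE-disk1.vmdk": b"KDMV",
        })
        ovf = extract_appliance(clean, os.path.join(tmp, "clean"))

        # Constructed hostile archive: an entry that escapes the target folder
        # and would overwrite another VM's .vmx on the same datastore.
        hostile = os.path.join(tmp, "tampered.tgz")
        build_archive(hostile, {
            "VPN-1_R65_VE_OVF/VPN-1_R65_VE.ovf": b"<Envelope/>",
            "../../vmfs/volumes/datastore1/other-vm/other-vm.vmx": b"hijacked",
        })
        refused = False
        offenders = []
        try:
            extract_appliance(hostile, os.path.join(tmp, "hostile"))
        except ValueError:
            refused = True
            with tarfile.open(hostile, "r:gz") as tar:
                offenders = unsafe_members(tar)
        return os.path.basename(ovf), refused, offenders


if __name__ == "__main__":
    print(demo())
```

The check is deliberately done on the member list before anything is written, because a plain tar -zxvf honours whatever paths the archive carries. On the ESX 3.0.x path, run the equivalent listing (tar -tzf) on the ESX server before extracting into /vmfs/volumes.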
Administrators manage network security using SmartDashboard from any client that has connectivity to the SmartCenter server. Virtual machines and all other VMware objects are managed using the Virtual Infrastructure Client. VPN-1 VE protects the virtual machines on the ESX server, but it does not protect the VMkernel: traffic to and from the ESX host itself is outside the gateway's inspection path and must be secured by other means.

Creating A VPN-1 VE Deployment

The sections that follow give instructions for setting up the deployment depicted in Figure 1. The steps are:
1. Importing VPN-1 VE: import the VPN-1 VE machine to the ESX Server.
2. Configuring the VPN-1 Virtual Machine: configure VPN-1 products on the VPN-1 VE machine.
3. Setting Your Security Policy: set and install your security policy on the installed products.

Importing VPN-1 VE

To use VPN-1 VE, import a file to the ESX server and add it to your virtual machine inventory. Which file you import depends on the ESX version.

Importing the OVF VPN-1 VE

If you are running a VMware ESXi 3.5 or ESX 3.5 Server, or using VirtualCenter 2.5, import the VPN-1 VE machine using the VPN-1_R65_VE_OVF.tgz file, as described below.

To import the VPN-1 VE to the ESX Server from the VPN-1_R65_VE_OVF.tgz file and create a new machine:
1. Download the VPN-1_R65_VE_OVF.tgz file from the VMware Virtual Appliance Marketplace to the machine where the VMware Virtual Infrastructure Client is installed.
2. Extract the VPN-1_R65_VE_OVF.tgz file to a new folder using tar (tar -zxvf VPN-1_R65_VE_OVF.tgz) or any other decompression utility.
3. Open the VMware Virtual Infrastructure Client.
4. Connect to the ESX server where you want to deploy the VPN-1 VE machine.
5. In the Getting Started tab, under Basic Tasks, choose Import a Virtual Appliance.
6. Select Import from file, and choose the .ovf file from the folder where you extracted the .tgz file. Click Next.
7. View the Virtual Appliance Details. Click Next.
8. Type a name for the virtual machine. Click Next.
9. Select the Datastore on the ESX server where the VPN-1 VE files will be stored. Click Next.
10. In Network Mapping, select the proper network port groups according to your topology. Click Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.
13. When powering on your VPN-1 VE machine for the first time, you may get a Virtual Machine Message stating that the virtual machine's configuration file has changed. Select Create and then click OK to start the machine.

Continue with Configuring the VPN-1 Virtual Machine.

Importing the VPN-1 VE to Earlier ESX Servers

If you are running a VMware ESX 3.0.x Server or using VirtualCenter 2.0, import the VPN-1 VE machine using the VPN-1_R65_VE.tgz file.

To import the VPN-1 Virtual Appliance to the ESX server from the VPN-1_R65_VE.tgz file and create a new machine:
1. Connect to the ESX Server using SSH.
2. On the ESX server, create a folder under /vmfs/volumes/<storage>/<folder name>/, where <storage> and <folder name> are chosen by the administrator.
3. Download the VPN-1_R65_VE.tgz file from the VMware Virtual Appliance Marketplace to the ESX Server that will host the virtual machine.
4. Extract the .tgz file into the new folder using tar (tar -zxvf VPN-1_R65_VE.tgz).
5. Open the VMware Virtual Infrastructure Client and connect to the ESX server or VirtualCenter.
6. Select the desired ESX server.
7. Click the Summary tab. In the Resources pane, under Datastore, double-click the desired storage and browse to the location where you extracted the VPN-1_R65_VE.tgz file.
8. Right-click the .vmx file and select Add to Inventory.
9. In the Add to Inventory Wizard, type a name for the new virtual machine. Click Next.
10. Select a Resource Pool to run the virtual machine. The Resource Pool determines which resources the virtual machine uses. Click Next.
11. Click Finish to complete the Virtual Machine Wizard. It may take a few minutes for the new machine to appear in the inventory.
12. Select the machine from the inventory and Power On the machine.
13. When powering on your VPN-1 VE machine for the first time, you may get a Virtual Machine Message stating that the virtual machine's configuration file has changed. Select Create and then click OK to start the machine.

Configuring the VPN-1 Virtual Machine

This section describes how to configure VPN-1 VE machines through the SecurePlatform command line. For more details on these procedures and the various Check Point product options, see the NGX R65 Internet Security Product Suite Getting Started Guide and the Firewall and SmartDefense Administration Guide.

Configuring Network and General Settings

To perform the initial configuration of network and general settings:
1. In the Console tab, log in to the machine using admin as the user name and adminadmin as the password.
2. When prompted, change the default user name and password. The new password must be longer than six characters and contain a mix of upper-case letters, lower-case letters, and digits. The default credentials are published (they appear in this guide), so change them before the machine is connected to any network other than the management console.
3. To enter the configuration wizard, run:
   cpconfig
   The configuration window opens and displays a welcome message.
4. Press n to continue.
5. Press the number corresponding to your keyboard type and then press n, or just press n to keep the default US keyboard.
6. Press the number corresponding to the Ethernet connection that you want to use as your management connection. When prompted, type the IP address of that connection, its subnet mask, and its broadcast address.
7. In the Network Configuration menu, use the menu options to configure the following:
   - the host name
   - the domain name and at least one DNS server (if required)
   - the network interface IP addresses
   - the default gateway (if required)
8. In the Time and Date Configuration menu, use the menu options to configure the following:
   - time zone
   - date
   - local time
   - show date and time settings
9. Press n to continue. The Import Check Point Products Configuration screen opens.

Installing Check Point Products

The instructions below specify the choices necessary for the deployment depicted in Figure 1.

To continue the configuration by installing Check Point products on the virtual machine:
1. Press n to continue. The Welcome to Check Point Suite screen opens.
2. Press n to continue, and accept the End-User License Agreement by pressing y.
3. Type the number corresponding to the type of Check Point Suite you want to install and press n.
4. Type the number to select whether to perform a new installation or to import a configuration, and press n. Select New Installation.
5. Type the numbers corresponding to the Check Point products you want to install and press n. Select VPN-1 UTM and SmartCenter UTM.
6. Type the number to select the type of SmartCenter server you want to install and press n. Select Primary SmartCenter.
7. Select whether or not to install the Connectra Plug-in for central management and press n. This plug-in is not necessary for our deployment.
8. A Validation screen opens, confirming the products you have chosen to install. VPN-1 UTM and Primary SmartCenter should be displayed. Press n and wait while the products are installed.

Configuring Check Point Products

Configure the Check Point products through the console command line.

To configure the Check Point products via the command line:
1. After the Check Point products have been installed, the Check Point Configuration Program opens. Select whether to add a product license. This can also be done at a later time.
The products have a 15-day free trial license by default.
2. When asked if you want to add an administrator, press y, then enter the administrator's user name and password.
3. When asked if you want to add a GUI client, press y, then identify the machine or machines from which you will manage the SmartCenter Server using SmartConsole. You can also type any to allow the SmartCenter to be accessed from any computer. That is convenient for an evaluation, but outside a lab list only the administrator hosts: the GUI client list is what limits which addresses may open a SmartConsole session to the management server.
4. Wait while the Internal Certificate Authority is initialized.
5. Press y to save the certificate's fingerprint to a file. The fingerprint is saved to a text file that can be copied to the SmartConsole client machine and used to confirm the identity of the SmartCenter server when you first connect to it.
6. Reboot the VPN-1 VE machine.

Downloading SmartConsole

The GUI used to manage the SmartCenter is called SmartConsole, and it comprises SmartDashboard and other utilities. To download SmartConsole onto the machine or machines from which you will manage the SmartCenter, connect to the WebUI of the SmartCenter with a Web browser.

To download SmartConsole:
1. Connect to the WebUI of the SmartCenter using a Web browser, for example https:// followed by the SmartCenter's address.
2. Log in to the SmartCenter using the administrator user name and password.
3. In the Navigation Pane, under Product Configuration, click Download SmartConsole.
4. In the Download SmartConsole Applications screen, click Download.
5. Select which SmartConsole clients to install and click Next.
6. When prompted, click Run to continue.
7. Wait while SmartConsole is installed.
8. When SmartConsole has finished installing, a window opens stating that it has been installed successfully.

Logging in for the First Time

To log in to SmartDashboard:
1. Open SmartDashboard by selecting Start > Programs > Check Point SmartConsole NGX R65 > SmartDashboard.
2. Log in using the user name and password defined in the Configuration Tool's Administrators page during SmartCenter server installation.
3. Type the name or IP address of the SmartCenter server and click OK.
4. Manually authenticate the SmartCenter server by comparing the fingerprint SmartDashboard displays with the fingerprint recorded during the configuration process. You can also view the fingerprint by connecting to the SmartCenter WebUI and clicking Product Configuration > Certificate Authority. Only when you have confirmed that the two fingerprints match, click Approve: this comparison is the one check that the server you are connecting to is your SmartCenter and not another host answering on the same address.
5. SmartDashboard opens.

Setting Your Security Policy

Your VPN-1 VE and all of its features and security policy are managed through the SmartCenter server, which you control through SmartConsole. The main window of SmartConsole, from which you create network objects and administer security policies, is SmartDashboard. This unified central management lets you create, modify, and enforce security policies across all of your networks and gateways.

The steps needed to establish a security policy are:
- Define network objects
- Create a Rule Base
- Install the Security Policy on the network objects

All of these steps can be modified and repeated at any time. The instructions that follow implement the deployment described in Figure 1. They assume that the VPN-1 VE machine has a virtual network interface configured in the same port group as the Web servers.

Defining Network Objects

Create network objects to represent actual machines or components, whether physical or virtual, such as gateways and servers. Objects also represent logical components such as IP address ranges. For more information, see the Network Objects section of the SmartCenter Administration Guide, Version NGX R65.

The following network objects must be defined to implement the deployment described in Figure 1:

The VPN-1 machine
This is already defined when you start SmartDashboard, since it was configured in SmartCenter. Right-click the cpmodule object under Check Point in the Objects Tree and select Edit. Make sure its IP Address is the address assigned to the VPN-1 VE machine in Figure 1, and click OK.

Network(s)
In the Objects Tree, select Networks > New Network. Fill in the fields as follows:
  Name: Web_Servers
  Network Address: the address of the Web Servers network in Figure 1
  Net Mask: the subnet mask of that network
If you choose, create networks for the Database and other server networks also by following the same steps.

Host(s)
In the Objects Tree, select Node > New Node > Host to create at least one administrator host for the Web Servers network. Fill in the fields as follows:
  Name: Admin
  IP Address: an address in the Web_Servers /24 range
You can define multiple administrator hosts by following the same steps.

Once you create an object, it appears in the SmartMap under the Rule Base. You can move objects in the SmartMap to best represent your deployment.

Creating a Security Rule Base

You must create a Rule Base to establish a security policy. The Rule Base is an ordered collection of rules that determines which traffic is permitted and which is blocked. Rule parameters include the source and destination of the communication, the services and protocols that may be used and at what times, and tracking options. Rules are matched from the top down and the first matching rule decides; the underlying principle of the Rule Base is that traffic not specifically allowed by a gateway's security policy is dropped. In addition to the explicit rules that the administrator defines, implied rules are automatically in place as well (for example, to allow the gateway's own control connections), so do not assume that only your explicit rules apply.

Below is a sample Rule Base that you can create for the objects defined in Defining Network Objects.

Figure 2 Sample Rule Base

Creating a Rule Base

To add a rule permitting certain traffic to the Web Servers:
1. Select Rules > Add Rule > Top.
2. In the Destination field, right-click and select Add. Select the Web_Servers object from the list and click OK.
3. In the Service field, right-click and select Add. Select http, https, and icmp-proto from the list and click OK.
4. In the Action field, right-click and select Accept.
5. In the Track field, right-click and select Log.
6. Optionally, add a Name or Comment to the rule.

To add a rule that drops all traffic not specifically allowed:
1. Select Rules > Add Rule > Bottom.
2. In the Source, Destination, VPN, and Service fields, leave the default of Any.
3. In the Action field, leave the default of Drop.
Setting the Track field of this cleanup rule to Log as well is worthwhile: traffic that falls off the end of the Rule Base is dropped silently, whereas an explicit logged cleanup rule makes those drops visible when you troubleshoot the policy.

Create the other rules using the same methods. For more information on creating a Rule Base, see the Network Access section of the Firewall and SmartDefense Administration Guide, Version NGX R65.

Installing the Security Policy

After you have defined network objects and a Rule Base, SmartCenter management makes it easy to install the security policy on each object that you select. Changes made in SmartDashboard take effect on a gateway only once the policy has been installed on it.
1. Select Policy > Install Policy.
2. In the Install Policy window, select each installation target on which you want to install the Advanced Security policy, then click OK. The policy is installed on each target.

More Information

To learn more about VPN-1 VE, see the VPN-1 VE Administration Guide. To learn more about Check Point products and how they can protect your business, visit the Check Point website.

Documentation Feedback

Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:
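As an added example for Creating a Security Rule Base (it is not code from this guide or from Check Point), the following Python script models how a gateway evaluates a Rule Base like the one in Figure 2: rules are tried from the top, the first rule whose source, destination and service all match decides the action and whether the connection is logged, and anything no rule accepts is dropped. The addresses are assumptions, because the guide's figure is not reproduced here: Web_Servers is taken to be 10.10.1.0/24, the Admin host 10.10.1.10, the Database network 10.10.2.0/24 and the external client 192.0.2.10 (private and documentation ranges). The service definitions are likewise assumed (protocol plus destination port), an assumed "Admin SSH" rule is added for the Admin host, and implied rules are not modelled.

```python
import ipaddress
from collections import namedtuple

# Added example, not Check Point code. Addresses and service definitions
# below are assumptions standing in for the objects of Figure 1 and 2.

# A rule as it appears in SmartDashboard: Source, Destination, Service,
# Action, Track. Source/destination are "Any" or a network/host in CIDR
# notation; services is "Any" or a tuple of service-object names.
Rule = namedtuple("Rule", "name source destination services action track")

# Assumed service objects: protocol and destination port (None = any port).
SERVICES = {
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "ssh": ("tcp", 22),
    "icmp-proto": ("icmp", None),
}

# Assumed addresses for the objects defined in Defining Network Objects.
WEB_SERVERS = "10.10.1.0/24"   # Web_Servers network object
ADMIN_HOST = "10.10.1.10/32"   # Admin host object

# The sample Rule Base of Figure 2, top to bottom, plus one assumed rule for
# the Admin host that the guide leaves to the reader ("create the other rules").
SAMPLE_RULES = [
    Rule("Web access", "Any", WEB_SERVERS, ("http", "https", "icmp-proto"), "Accept", "Log"),
    Rule("Admin SSH", ADMIN_HOST, WEB_SERVERS, ("ssh",), "Accept", "Log"),
    Rule("Cleanup", "Any", "Any", "Any", "Drop", "Log"),
]


def address_matches(rule_value, ip):
    """True if ip falls inside the rule's network or host object, or the value is Any."""
    if rule_value == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_value, strict=False)


def service_matches(rule_services, proto, dport):
    """True if the connection's protocol/port matches one of the rule's services."""
    if rule_services == "Any":
        return True
    for svc in rule_services:
        svc_proto, svc_port = SERVICES[svc]
        if svc_proto == proto and (svc_port is None or svc_port == dport):
            return True
    return False


def evaluate(rules, src, dst, proto, dport=None):
    """Return (action, rule name, logged) for one connection attempt.

    Rules are matched top-down and the first match wins. If nothing matches,
    the connection is dropped, and because no rule matched, nothing is logged:
    that is why the guide has you add an explicit cleanup rule at the bottom.
    """
    for rule in rules:
        if (address_matches(rule.source, src)
                and address_matches(rule.destination, dst)
                and service_matches(rule.services, proto, dport)):
            return rule.action, rule.name, rule.track == "Log"
    return "Drop", "<implicit drop>", False


def demo():
    """Run a few constructed connection attempts against the sample Rule Base."""
    cases = [
        ("192.0.2.10", "10.10.1.5", "tcp", 443),    # external client to a web server
        ("192.0.2.10", "10.10.1.5", "tcp", 22),     # external client trying SSH
        ("10.10.1.10", "10.10.1.5", "tcp", 22),     # Admin host managing a web server
        ("192.0.2.10", "10.10.1.5", "icmp", None),  # ping to a web server
        ("10.10.1.10", "10.10.2.7", "tcp", 80),     # Admin host to the Database network
    ]
    return [(case, evaluate(SAMPLE_RULES, *case)) for case in cases]


if __name__ == "__main__":
    for case, verdict in demo():
        print(case, "->", verdict)
```

Removing the Cleanup rule and re-running the SSH case shows the difference the guide's bottom rule makes: the connection is still dropped, but the verdict no longer carries a log entry, so the drop would never appear in the logs.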