Choosing a Platform

One of FireWall-1’s strengths is the diversity of platforms it supports. FireWall-1 components work with various operating systems as illustrated in Table 7.1.

Table 7.1: Operating Systems supported by FireWall-1

FireWall-1 Modules                        Operating Systems
----------------------------------------  ---------------------------------------------
Management Server and Enforcement Module  Microsoft Windows NT 4.0 (SP4–SP6a)
                                          Sun Solaris 2.6, Solaris 7 (32-bit mode only)
                                          Red Hat Linux 6.1 (with kernel 2.2.x)
                                          HP-UX 10.20, 11.0 (32-bit mode only)
                                          IBM AIX 4.2.1, 4.3.2, 4.3.3
GUI Client                                Microsoft Windows 9x, NT, 2000
                                          IBM AIX

We will use the NT 4.0 version as a model for our discussion. There are a number of reasons for this selection:

• The information required to secure a UNIX system for firewall use has been widely distributed. Techniques for securing NT are less common.

• NT and NT product versions are less mature than their UNIX counterparts, so there are a number of caveats to watch out for during an installation.

• Running a firewall on NT is becoming extremely popular.

For these reasons, our discussion will be limited to the NT version of the product. While there are many interface similarities between the NT and UNIX versions (you can even run the firewall on a UNIX platform and the control software from NT), the installation process does vary greatly between versions.

Prepping NT for Firewall Installation

First let’s look at getting NT ready for the firewall product installation. There are a number of tweaks you can perform in order to increase security and optimize performance.

Hardware Requirements

A production NT server that will be used as a firewall should meet or exceed the following criteria (I am assuming that you will have a T1-speed connection or less and that the server will be dedicated to firewall functionality):

• Pentium 200 processor

• 1GB of disk storage

• RAID III or higher redundancy

• 128MB of RAM (minimum for FireWall-1 per Check Point’s recommendation)

• 2 PCI network cards

While FireWall-1 will run on a lesser platform, Internet performance and availability have quickly become critical functions. If you are just bringing up an Internet connection for the first time, you will be amazed how quickly your organization relies on it, just like any other business service.

Installing NT

FireWall-1 will run on NT server or workstation. Since this system should be dedicated to firewall functionality, the license count difference between these two products should not be an issue. Therefore, you can use either product. It is recommended, however, that NT server be used, because the permission setting on the Registry makes this platform a bit more secure.

Note The Windows NT Registry, which stores all the configuration information for the system, varies slightly between NT Server and Workstation. NT Server has a stricter access control policy with regard to Registry keys. This ensures that only the system administrator is able to change the values stored within the database keys, thus increasing the integrity of the Registry information.

When installing NT server, observe the following guidelines:

• Install all required network cards before loading NT.

• Create an NTFS C partition of at least 800MB, which will hold the NT operating system and swap file.

• Create an NTFS D partition of the remaining drive space (200MB minimum) to hold the firewall software as well as the firewall logs.

• Remove all services unless you plan to have this server join a domain in order to use OS authentication for inbound access. If you do wish to use OS authentication, you will need to run the Computer Browser, NetBIOS Interface, RPC Configuration, Server, and Workstation services.

• Install the SNMP service if you choose to use it (see the “Installing FireWall-1” section for some caveats).

• Configure the system as a stand-alone workgroup, not a domain, whenever possible.

• If the server will be part of a domain, disable all WINS bindings on the external interface.

• Disable the guest account and create a new Administrator-equivalent account for performing firewall management. When you are ready to install the firewall software, log off as Administrator, log on as the new account name, and disable the Administrator account.

• Enable auditing and track logon failures in User Manager. Under User Rights, remove the right for all users to log on from the network. Modify the Logon Locally right to include only the user name you created as an Administrator equivalent.

• Install Service Pack 6a. This is considered the most stable service pack and has the most comprehensive security fixes to date.

• Change the boost to the foreground application to None under the Performance tab in System Properties.

• If you are running the server service (for domain authentication), go to the Server Properties dialog box and change Optimization to Maximize throughput for network applications.

Tip NT has a problem where it associates driver names with the NIC loading order in the Registry. If the card settings are changed in any way (IRQ change, cards added or removed, and so on), this Registry setting may become corrupt. You can check this by running the ipconfig command, which will return incorrect card information or an error message that states, "The Registry has become corrupt." This is why it is important to install the NICs before installing NT. The only sure fix is to reload the operating system and all patches from scratch (not as an upgrade).

Once you have followed these guidelines, you are ready to make an emergency recovery disk and begin the FireWall-1 product install. Remember that if you load any new software from the NT server CD after this point, you will have to reinstall

• SP6a

• All hotfixes

• The firewall software (as an update)

• The firewall patch

Make sure you have your system exactly the way you want it before you install the firewall software.

Pre-install Flight Check

At this point, you should verify that the firewall platform has IP connectivity. Create a default route that points to the local router interface leading to the Internet. Create required route table entries for any internal network segments that are not directly connected to the firewall. The correct syntax to use when creating route table entries is

route add -p {remote IP} mask {subnet mask} {gateway address}

So to create a route entry to the network 192.168.2.0, which is on the other side of a local router at IP address 192.168.1.5, you would type

Note The -p switch tells the operating system to make this route entry permanent, allowing the route entry to remain persistent over operating system reboots.

Once you have created your route table, you should test connectivity. This can be done using ping and traceroute. At this point, the firewall platform should have connectivity to all internal and external hosts. If it does not, you need to troubleshoot the problem before going any further.

You should also make sure that you can ping external IP addresses from internal hosts. This will not be possible, however, if you are using private address space for your internal hosts. If you are using private address space, pinging the external interface of the firewall should suffice.

You should also run the ipconfig command and record the adapter driver name associated with the external IP address. This name will be similar to Elnk32. This information will be required later during the firewall software installation if you have purchased a single gateway product. Make sure you record the name exactly, because the entry is case sensitive.
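The two mechanical parts of this flight check, picking the adapter driver name out of ipconfig output and writing route add -p entries that agree with the firewall's own interfaces, as an added Python example. It is not code from the original chapter or from Check Point. The ipconfig /all output it parses is a constructed sample: the adapter names Elnk31 and Elnk32, the addresses 192.168.1.1 and 203.0.113.2, and the 255.255.255.0 mask applied to the 192.168.2.0 network from the text are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of NT 4.0 "ipconfig /all" output for a two-NIC firewall.
# Adapter names, addresses and MACs are made up for this example.
SAMPLE_IPCONFIG = """\
Windows NT IP Configuration

        Host Name . . . . . . . . . : fw1
        IP Routing Enabled. . . . . : Yes

Ethernet adapter Elnk31:

        Description . . . . . . . . : 3Com EtherLink III (internal)
        Physical Address. . . . . . : 00-60-08-12-34-56
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 192.168.1.1
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . :

Ethernet adapter Elnk32:

        Description . . . . . . . . : 3Com EtherLink III (external)
        Physical Address. . . . . . : 00-60-08-65-43-21
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 203.0.113.2
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . : 203.0.113.1
"""

# "Ethernet adapter Elnk32:" introduces a block; indented "Key . . . : value"
# lines belong to the most recent block.
ADAPTER_RE = re.compile(r"^\S.*adapter (\S+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[\s.]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter name: {field: value}} from ipconfig /all output.

    Adapter names are kept exactly as printed, because the firewall
    installer treats the driver name as case sensitive."""
    adapters = {}
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def adapter_for_ip(adapters, ip):
    """Driver name of the adapter bound to the given IP address, or None."""
    for name, fields in adapters.items():
        if fields.get("IP Address") == ip:
            return name
    return None


def connected_networks(adapters):
    """Directly connected subnets, derived from each adapter's IP and mask."""
    nets = []
    for fields in adapters.values():
        ip, mask = fields.get("IP Address"), fields.get("Subnet Mask")
        if ip and mask:
            nets.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return nets


def route_problems(network, mask, gateway, adapters):
    """Sanity-check a 'route add -p' entry before it is typed in.

    Returns a list of readable problems; an empty list means the entry is
    consistent with the adapters that ipconfig reported."""
    try:
        # strict=True rejects a destination with host bits set,
        # e.g. 192.168.2.5 with mask 255.255.255.0.
        dest = ipaddress.ip_network(f"{network}/{mask}", strict=True)
    except ValueError as exc:
        return [f"bad destination {network} mask {mask}: {exc}"]
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return [f"gateway {gateway!r} is not an IP address"]
    local = connected_networks(adapters)
    problems = []
    if not any(gw in net for net in local):
        problems.append(f"gateway {gateway} is not on a directly connected subnet")
    if any(dest.overlaps(net) for net in local):
        problems.append(f"{dest} overlaps a directly connected subnet; no route needed")
    return problems


def build_route_command(network, mask, gateway, adapters):
    """Render the NT 'route add -p' line, refusing an inconsistent entry."""
    problems = route_problems(network, mask, gateway, adapters)
    if problems:
        raise ValueError("; ".join(problems))
    return f"route add -p {network} mask {mask} {gateway}"


ADAPTERS = parse_ipconfig(SAMPLE_IPCONFIG)

if __name__ == "__main__":
    print("external adapter:", adapter_for_ip(ADAPTERS, "203.0.113.2"))
    print(build_route_command("192.168.2.0", "255.255.255.0", "192.168.1.5", ADAPTERS))
    print(route_problems("192.168.2.0", "255.255.255.0", "10.0.0.1", ADAPTERS))
```

The gateway check catches the most common route entry mistake on a freshly built box: naming a next hop that the firewall has no interface on, which NT accepts at the command line but which never forwards a packet. The overlap check catches routes to a subnet the firewall already sits on, which would only shadow the interface route.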

Tip If you are worried about someone trying to break in to your network while you are testing for connectivity, simply disconnect the WAN connection to your router. You can then test connectivity as far as the IP address on the router’s serial interface.

Generating a License

Once you have verified connectivity, you are ready to generate a firewall license. This is done by pointing your Web browser at

http://license.checkpoint.com/

By filling in the online forms, you can register the product and generate a valid license key. The information you will be prompted for includes

• Who you are

• Your e-mail address

• Who sold you the software

• The certificate key number on the inside jacket of the CD case

• The platform and operating system you plan to use

• The external IP address of the firewall

Once you complete the forms, you will be presented with a valid host ID, feature set, and license key. This information will also be sent to the e-mail address that you specified on the form. Once you have this information in hand, you are ready to begin your firewall installation.

Note The firewall software ships with a 30-day evaluation license that will expire on a specific date (not 30 days after the software is installed). You can use this license to get your firewall up and running if you need it, but the evaluation may not support all the options you require.

FireWall-1 Security Management

Managing a security policy through FireWall-1 is a multistep process. First, you must define objects you wish to control, and then you must define users, after which you apply these objects to the rule base. While this

configuration may seem a bit complex, it is actually quite straightforward and allows for extremely granular security control. All security management is performed through the Security Policy-1 tab of the Policy Editor as shown in Figure 7.6.

Figure 7.6: The FireWall-1 Policy Editor (with the Security Policy 1 tab selected)

Begin by defining your network objects. Select Manage > Network Objects from the Security Policy-1 menu (the available menu options change depending on which policy tab is selected), which will produce the Network Object management screen as shown in Figure 7.7. When you start this screen for the first time, there will be no entries.

Figure 7.7: The Network Objects management screen

There are a number of different object types that can be created. These include

Workstation This is a generic object used to create any computer host. This includes hosts with