156-310.pdf - Exam 156-310 Check Point CCSE NG Title Ver...


Exam: 156-310 Check Point CCSE NG
Title:
Ver: 11.24.08

Actualtests.com - The Power of Knowing 156-310

QUESTION 1:
Which of the following statements about IKE Encryption are TRUE? (Choose three)
A. The final packet size is increased after it is encrypted.
B. TCP and IP headers are encrypted, along with the payload.
C. IKE uses in-place encryption.
D. IKE can use the FWZ1 encryption algorithm.
E. IKE uses tunneling encryption.

Answer: A, B, E

Explanation:
IKE Encryption Scheme

A long time ago (about four years in real time), Check Point supported many different encryption schemes: Manual IPSec, Simple Key Management for Internet Protocols (SKIP), FWZ (Check Point's own proprietary scheme), and Internet Key Exchange (IKE). As the industry began to settle on a standard and it became apparent that different vendors' VPN products needed to work together, the schemes were whittled down to only one: IKE.

IKE is a hybrid protocol that combines the Internet Security Association and Key Management Protocol (ISAKMP) and the Oakley Key Exchange Protocol. ISAKMP is responsible for the generation and maintenance of Security Associations, and Oakley is responsible for key exchanges. Both ISAKMP/Oakley and IKE are described in the IETF standard for encryption using the IP Security Protocol (IPSec). (The terms IKE and IPSec are frequently used interchangeably.) You can find more on IPSec and its related protocols in RFCs 2401-2411 and 2451.

IPSec provides access control, integrity of the packet, authentication, rejection of replayed packets, encryption, and non-repudiation (there's that PAIN acronym coming into play). IPSec does so by using the protocols Authentication Header (AH) and Encapsulating Security Payload (ESP). Each protocol (IPSec, AH, and ESP) is incorporated into its own header in the IPSec packet. IKE is also a tunneling protocol, which means it encrypts the entire original packet and adds new headers to the encrypted packet.

Tunneling encrypts the entire original packet and adds new headers, which increases packet size and the likelihood of packet fragmentation. In-place encryption was Check Point's proprietary FWZ scheme, supported in versions before FP2. It only encrypted the payload and left the headers alone; therefore packet size did not increase. Although FWZ is no longer supported as of FP2, this information could still be used for a valid NG test question.

The new IP header uses the IPSec protocol and replaces the true source and destination of the packet (which are now encrypted) with the source and destination IP addresses of the firewalls involved in the VPN tunnel. The AH header provides data integrity and authentication by using a message digest (instead of a digital signature, which is too slow for this process) and a Security Parameters Index (SPI). The SPI is like a pointer that tells your VPN partner which methods were selected for this VPN session. The SPI references the Security Association (SA), which was negotiated by the VPN participants. A good analogy for the SA is a large spreadsheet that contains all the possible combinations for key exchange, encryption, data integrity, and so forth that could be used for this connection. The SPI is the pointer that tells each partner which parts of the spreadsheet will be used for this specific tunnel.

The ESP header provides confidentiality as well as authentication. It gives a reference to the SPI as well as an Initialization Vector (IV), which is another data integrity check. IKE supports a variety of different encryption algorithms, but VPN-1 supports only DES, Triple-DES, CAST, and AES.
For a more detailed explanation of encryption, IPSec, and cryptography, we recommend Applied Cryptography (John Wiley & Sons, 1995), RSA Security's Official Guide to Cryptography (McGraw-Hill, 2001) and IPSec: Securing VPNs (McGraw-Hill Osborne Media, 2001). Encryption is not an easy topic to grasp, especially in an abbreviated format within a study guide. But this background information is essential before we go into detail about how IKE negotiates keys and eventually encrypts data. Let's forge ahead and tackle the IKE phases of key negotiation.

QUESTION 2:
When upgrading a configuration to NG with Application Intelligence: (Choose the FALSE answer)
A. Upgrade the SmartConsole.
B. Upgrade each module's version in SmartDashboard manually.
C. Upgrade the VPN-1/FireWall-1 Enforcement Modules.
D. Copy $FWDIR/state from one version of VPN-1/FireWall-1 to another version of VPN-1/FireWall-1.
E. Upgrade the SmartCenter Server. The version is set during the upgrade.

Answer: D

Explanation:
Upgrading to VPN-1/FireWall-1 NG

Now that you've performed a successful installation of FireWall-1 NG, it's time to understand how to upgrade from a previous version of VPN-1/FireWall-1. At the time of this writing, many companies are looking to upgrade from an older version of VPN-1/FireWall-1 (usually 4.1 SP3 or higher) to NG FP3. You can upgrade to NG FP1 from version 4.0 and higher. If you are running a version older than 4.0, you must upgrade to version 4.0 first, and then upgrade to NG. With the many enhancements in NG, it's better to create a fresh install of NG and then migrate your existing configuration files over to the newly created NG firewall. The upgrade technique discussed here will upgrade version 4.1 Service Pack 6 configuration files to NG configuration files. It is recommended that the 4.1 files are upgraded to Service Pack 6 before converting them to NG.

In many instances, companies are viewing the NG upgrade as an opportunity to upgrade the current platform on which their firewalls are running. For example, this is a chance to upgrade operating systems from Solaris 2.6 to 2.8, or to upgrade hardware from a Pentium II machine with limited hard drive space and memory to a Pentium IV with lots of hard drive space and much more memory.

In order to make the NG upgrade a smooth and convenient process, Check Point has developed an upgrade script that helps convert 4.1 configuration files to NG configuration files. This script automates the conversion by using the confmerge command on the objects.C, fwauth.NDB, and rulebases.fws files. (This script is not meant for people who are moving from a Windows machine to a Unix machine, or for people running FloodGate.) The script is in a zipped file called upgrade.4.3.tgz and can be downloaded from the support.checkpoint.com website. Here are the steps to use the upgrade script:

1. Create a new SmartCenter Server machine with the desired Feature Pack version of NG (FP1, FP2 or FP3), based on the installation guidelines previously discussed. This upgrade procedure will upgrade to FP3.
2. Download and unzip the upgrade.4.3.tgz file. This file opens into a directory named upgrade.
3. Place the 4.1 SP6 files on the SmartCenter Server under upgrade/4.1:
   a. objects.C
   b. fwauth.NDB. On Windows machines, this file is only the pointer to the real database file, for example fwauth.NDB522. In this case, take the real database file (fwauth.NDB522), rename it fwauth.NDB, and put it in the \upgrade\4.1 directory.
   c. rulebases.fws
4. Stop the FireWall-1 services (cpstop), cd to the , and issue the following command.
   In Windows (upgrade from 4.1 to FP3): upgrade.bat <upgrade_directory>\upgrade FP3 4.1
   In Unix (upgrade from 4.1 to FP3): upgrade.csh <upgrade_directory>/upgrade FP3 4.1
5. Restart the FireWall-1 services (cpstart) and log in to the GUI.

After you have successfully run the script, in order to transfer the remaining configuration files (such as gui-clients, masters, and so on), copy the following files from the VPN-1/FireWall-1 4.1 $FWDIR/conf directory to the VPN-1/FireWall-1 NG $FWDIR/conf directory: xlate.conf, aftpd.conf, smtp.conf, sync.conf, masters, clients, fwmusers, gui-clients, slapd.conf, serverkeys, product.conf.

In addition to understanding which configuration files are important in upgrading to Check Point NG, it's important to understand which configuration files need to be saved for backup in case of a failure or loss of files. The next section talks about backup and restore options and identifies the critical configuration files needed for backup.

QUESTION 3:
When you upgrade VPN-1/FireWall-1, what components are carried over to the new version? (Choose two)
A. Licenses
B. VPN-1/FireWall-1 database
C. OPSEC database
D. Backward Compatibility
E. Rule Base

Answer: A, B

Explanation:
Upgrading to VPN-1/FireWall-1 NG (the same explanation as for QUESTION 2 above; the duplicated text is not repeated here).

QUESTION 4:
Which of the following is NOT a function of the Internal Certificate Authority (ICA)?
A. Provides certificates for users and Security Administrators.
B. Generates certificates for HTTPS Web servers.
C. Establishes SIC between OPSEC applications and Check Point products.
D. Authenticates SecureClient traffic to Enforcement Modules for VPNs.
E. Establishes SIC between Check Point products.

Answer: B

Explanation:
Internal Certificate Authority (ICA): the certificate authority generated during the installation of a Check Point SmartCenter Server. Certificates generated by the ICA are used for encryption and authentication.

QUESTION 5:
Which of the following FTP Content Security settings prevents internal users from sending corporate files to external FTP Servers, while allowing users to retrieve files?
A. Use an FTP resource, and enable the GET and PUT methods.
B. Use an FTP resource and enable the GET method.
C. Use an FTP resource and enable the PUT method.
D. Block FTP_PASV.
E. Block all FTP traffic.
Answer: B

Explanation:
FTP

The FTP (File Transfer Protocol) SmartDefense group essentially has two purposes: it can protect your system against a specific FTP attack called FTP Bounce, and it lets you configure your FTP Security Server.

FTP Bounce

The FTP Bounce attack takes advantage of a design flaw in FTP. Port 20 is where the FTP PORT command negotiates a random high port for PASV transport of FTP data files. RFC 959, which describes FTP, dictates that the negotiated high port be allowed to any IP address and any port. The FTP Bounce attack takes advantage of this: the attacker can open a connection to a machine of their choosing for illegitimate purposes. You can select the Track option for notification if an FTP Bounce attack is detected.

FTP Security Server

The firewall FTP Security Server provides authentication and content security services (see Chapter 4, "Content Security," for more details on the FTP Security Server). Usually the FTP Security Server (shown below) is invoked by rules in your rule base that specify an FTP Resource or User Authentication. Selecting the Configurations Apply To All Connections radio button forces all FTP connections through the FTP Security Server regardless of whether your rule base contains an authentication or resource rule. Selecting the default option of Configurations Apply Only To Connections Related To Resources Used In The Rule Base will cause the FTP Security Server to be invoked only when a resource or authentication rule in the rule base triggers it.

You need to take into consideration three further settings when setting up the FTP Security Server: Allowed FTP Commands, Prevent Known Port Checking, and Prevent Port Overflow Checking.

Allowed FTP Commands

The Allowed FTP Commands option, illustrated in the figure below, gives you granular control over the FTP commands the FTP Security Server will respond to.
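A small model of what the checks above amount to on the control channel, added here as an example and not code from the study guide or from Check Point: a GET-only FTP resource (the QUESTION 5 answer) lets RETR through and blocks STOR, a PORT command that names a host other than the client is flagged as FTP Bounce, and a PORT target below 1024 is refused, which is the idea behind the Prevent Known Port Checking setting described further on. The command sets, addresses and session lines are constructed.

```python
# Added example (not from the study guide): a minimal model of the FTP Security
# Server's command filtering, run over a constructed FTP control session.
# GET/PUT resource methods map to read and upload commands; PORT arguments are
# decoded and checked for FTP Bounce (third-party host) and well-known ports.
from typing import List, Tuple

GET_COMMANDS = {"RETR", "LIST", "NLST"}    # read-only side of an FTP resource
PUT_COMMANDS = {"STOR", "STOU", "APPE"}    # commands that upload data

def parse_port(arg: str) -> Tuple[str, int]:
    """Decode a PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = [int(p) for p in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]

def check_command(line: str, client_ip: str, allow_get: bool = True,
                  allow_put: bool = False) -> Tuple[bool, str]:
    """Decide whether one control-channel command passes the security server."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in PUT_COMMANDS and not allow_put:
        return False, f"{verb} blocked: PUT method not enabled on the resource"
    if verb in GET_COMMANDS and not allow_get:
        return False, f"{verb} blocked: GET method not enabled on the resource"
    if verb == "PORT":
        try:
            ip, port = parse_port(arg)
        except ValueError as err:
            return False, f"PORT blocked: {err}"
        if ip != client_ip:          # data connection aimed at a third host
            return False, f"PORT blocked: FTP Bounce, {ip} is not the client"
        if port < 1024:              # well-known port (Prevent Known Port Checking)
            return False, f"PORT blocked: well-known port {port}"
    return True, f"{verb} allowed"

def filter_session(lines: List[str], client_ip: str, allow_get: bool = True,
                   allow_put: bool = False) -> List[Tuple[str, bool, str]]:
    """Run every command of a session through check_command."""
    return [(l,) + check_command(l, client_ip, allow_get, allow_put) for l in lines]

# Constructed control-channel session from an internal client at 10.1.1.5
SESSION = [
    "USER alice",
    "PORT 10,1,1,5,200,11",       # 10.1.1.5:51211, a legitimate active-mode data port
    "RETR quarterly.pdf",         # download: permitted by a GET-only resource
    "STOR payroll.xls",           # upload: blocked, the QUESTION 5 scenario
    "PORT 192,168,50,9,0,25",     # third host on port 25: FTP Bounce to a well-known port
]

if __name__ == "__main__":
    for line, ok, reason in filter_session(SESSION, "10.1.1.5"):
        print(f"{'PASS' if ok else 'DROP':4} {line:28} {reason}")
```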
You can set Acceptable commands and Blocked commands.

Prevent Known Port Checking

The Prevent Known Port Checking option allows you to specify whether you want the FTP Security Server to allow connections to well-known ports. This option also provides another line of defense against the FTP Bounce attack by not allowing a connection to a well-known port.

Prevent Port Overflow Checking

Prevent Port Overflow Checking is another component to help prevent the FTP Bounce attack. Turning on this option turns off the checks that prevent numerous instances of connections from/to the same port.

QUESTION 6:
All of the following are steps for implementing UFP, EXCEPT:
A. While the UFP Server is analyzing the requests, the Enforcement Module HTTP Proxy Server initiates a request to the destination. The HTTP Proxy Server then waits for a response from the UFP Server before allowing the request.
B. The client invokes a connection through the VPN-1/FireWall-1 Enforcement Module.
C. The Content Server inspects the URLs and returns the validation result message to the Enforcement Module.
D. The Enforcement Module takes the action defined in the Rule Base for the resource.
E. The Security Server uses UFP to send the URL to a third-party UFP Server for categorization.

Answer: A

Explanation:
Content-Filtering Protocols

As mentioned earlier, Check Point utilizes two different protocols to filter the content of HTTP, FTP, SMTP, and TCP traffic: CVP and UFP. Each protocol runs on a specific port and offers a different functionality, as described in the following sections. The Application Program Interface (API) information for each of these protocols can be found at . Check Point encourages vendors to program their content filtering products to interface with FireWall-1.
Content Vectoring Protocol (CVP)

Content Vectoring Protocol (CVP) allows FireWall-1 to send a connection on port 18181 to a CVP server to perform content checking. This API scans HTTP, FTP, SMTP, or other TCP data streams for viruses and malicious Java and ActiveX code. Some of the products also perform security checks on e-mail message content, but CVP's main function is virus scanning.

URL Filtering Protocol (UFP)

URL Filtering Protocol (UFP) allows FireWall-1 to send data on port 18182 to a UFP server to perform URL filtering. This API allows organizations to monitor and/or eliminate network traffic to Internet sites deemed inappropriate or otherwise undesirable, as well as control the content viewed by the end user.

QUESTION 7:
The _______ algorithm determines the load of each physical server and requires a Load Measuring Agent be installed on each server.
A. Server Load
B. Server Relay
C. Round Robin
D. Domain
E. Round Trip

Answer: A

Explanation:
Server load: a load balancing algorithm in which each server in the server farm has a load-measuring agent installed, which communicates its load to the Logical Server. The server in the server farm with the lightest load gets the connection.

QUESTION 8:
Which of the following is NOT a method of Load Balancing with VPN-1/FireWall-1?
A. Domain Load Balancing
B. Round Robin
C. Server Load
D. Round Trip
E. Quantum Load Balancing

Answer: E

Explanation:
Load Balancing Algorithms

Now that you've learned about the methodologies the logical server/firewall uses to route traffic, you need to consider the algorithms used to decide which server in the server farm will get the load-balanced connection. Check Point provides five algorithms for the logical server; the administrator decides which of these algorithms to use. The algorithms are called server load, round trip, round robin, random, and domain. We'll describe these algorithms next.
The server load algorithm, shown in the figure below, works in conjunction with a load agent that runs on each server in the server farm. The load agent is a small program that communicates to the firewall how busy the machine is. The machine with the lightest load is sent the next packet. You can download this load agent from Check Point's website (only available for Solaris) or write one using the OPSEC APIs provided by Check Point on the OPSEC website ( ). The load agent uses UDP port 18212 by default. The firewall checks the load on each server at the configured time and passes the connection to the server that has the lightest load.

The round trip algorithm uses ping to decide which server gets the request, as depicted in the figure below. The round trip algorithm is much simpler than the s...
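The selection rules described for the logical server, written out as an added example (not code from the study guide or from Check Point): server load picks the server whose load agent reported the lightest load, round trip picks the lowest ping RTT, round robin cycles through the farm, and random picks uniformly; the domain algorithm is left out because the visible text does not describe its rule. Treating an agent report older than max_age seconds as unavailable is an assumption of this example, and the farm, loads and RTTs are constructed.

```python
# Added example (not from the study guide): a model of the Logical Server's
# choice of farm member under the algorithms named above. Server load uses the
# latest report from each server's load agent (lightest load wins), round trip
# uses the latest ping RTT, round robin cycles, random picks uniformly. The
# domain algorithm is omitted (not described in the visible text). Skipping
# agent reports older than max_age seconds is this example's own assumption.
import random
from typing import Dict, List, Optional, Tuple

class LogicalServer:
    def __init__(self, servers: List[str], max_age: float = 30.0):
        self.servers = list(servers)
        self.max_age = max_age
        self.loads: Dict[str, Tuple[float, float]] = {}   # server -> (load, report_time)
        self.rtts: Dict[str, float] = {}                   # server -> last ping RTT (ms)
        self._rr = 0                                       # round robin cursor

    def agent_report(self, server: str, load: float, now: float) -> None:
        """Record a load-agent report (the guide: UDP port 18212 by default)."""
        self.loads[server] = (load, now)

    def ping_result(self, server: str, rtt_ms: float) -> None:
        self.rtts[server] = rtt_ms

    def pick(self, algorithm: str, now: float = 0.0, rng=random) -> Optional[str]:
        """Return the server that gets the next connection, or None if none qualifies."""
        if algorithm == "server load":
            fresh = [s for s in self.servers
                     if s in self.loads and now - self.loads[s][1] <= self.max_age]
            return min(fresh, key=lambda s: self.loads[s][0]) if fresh else None
        if algorithm == "round trip":
            known = [s for s in self.servers if s in self.rtts]
            return min(known, key=lambda s: self.rtts[s]) if known else None
        if algorithm == "round robin":
            chosen = self.servers[self._rr % len(self.servers)]
            self._rr += 1
            return chosen
        if algorithm == "random":
            return rng.choice(self.servers)
        raise ValueError(f"unknown algorithm: {algorithm}")

def demo() -> Dict[str, Optional[str]]:
    """Constructed farm of three web servers with agent reports and ping results."""
    ls = LogicalServer(["web1", "web2", "web3"])
    ls.agent_report("web1", load=0.70, now=100.0)
    ls.agent_report("web2", load=0.20, now=10.0)     # stale report: agent skipped
    ls.agent_report("web3", load=0.45, now=100.0)
    for server, rtt in (("web1", 12.0), ("web2", 3.5), ("web3", 8.0)):
        ls.ping_result(server, rtt)
    return {"server load": ls.pick("server load", now=100.0),
            "round trip": ls.pick("round trip"),
            "round robin": ",".join(ls.pick("round robin") for _ in range(4))}

if __name__ == "__main__":
    print(demo())
```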