CP R70 Provider1 AdminGuide


7/31/2019 CP R70 Provider1 AdminGuide


Provider-1 and SiteManager-1 Administration Guide

    Version R70

    March 9, 2009


Contents

Preface
    Who Should Use This Guide ... 14
    Product and Feature Nomenclature ... 14
    Summary of Contents ... 15
    Related Documentation ... 16
    More Information ... 18
    Feedback ... 19

Chapter 1 Introduction
    The Need for Provider-1 ... 22
        Management Service Providers (MSP) ... 23
        Data Centers ... 25
        Large Enterprises ... 25
    The Check Point Solution ... 28
        Basic Elements ... 29
        Point of Presence (POP) Network Environment ... 33
        Managers and Containers ... 35
        Log Managers ... 38
        High Availability ... 40
        Security Policies in Provider-1 ... 40
    The Management Model ... 42
        Introduction to the Management Model ... 42
        Administrators ... 42
        Management Tools ... 44
    The Provider-1 Trust Model ... 50
        Introduction to the Trust Model ... 50
        Secure Internal Communication (SIC) ... 50
        Trust Between a CMA and its Customer Network ... 51
        Trust Between a CLM and its Customer Network ... 52
        MDS Communication with CMAs ... 52
        Trust Between MDS to MDS ... 53
        Authenticating the Administrator ... 53
        Authenticating via External Authentication Servers ... 54
        Setting up External Authentication ... 55
        Re-authenticating when using SmartConsole Clients ... 56
        CPMI Protocol ... 58

Chapter 2 Planning the Provider-1 Environment
    Asking yourself the right questions... ... 61
    Consider the Following Scenario ... 64
    Protecting Provider-1 Networks ... 66
    MDS Managers and Containers ... 67
        MDS Managers ... 67
        MDS Containers ... 67
        Choosing your deployment for MDS Managers and Containers ... 68
        MDS Clock Synchronization ... 69
    Setting up the Provider-1 Environment ... 70
        A Typical Scenario ... 70
        A Standalone Provider-1 Network ... 71
        A Distributed Provider-1 Network ... 72
        Provider-1 Network with Point of Presence (POP) Center ... 73
    Hardware Requirements and Recommendations ... 75
    Provider-1 Order of Installation ... 76
    Licensing and Deployment ... 77
        The Trial Period ... 77
        Considerations ... 77
        Further Licensing Detail ... 79
    Miscellaneous Issues ... 83
        IP Allocation & Routing ... 83
        Network Address Translation (NAT) ... 84
        Enabling OPSEC ... 85

Chapter 3 Provisioning Provider-1
    Overview ... 88
    Provisioning Process Overview ... 89
    Setting Up Your Network Topology ... 90
    Creating a Primary MDS Manager ... 90
    Using the MDG for the First Time ... 91
        Launching the MDG ... 91
        Adding Licenses using the MDG ... 91
    Multiple MDS Deployments ... 95
        Synchronizing Clocks ... 95
        Adding a New MDS or MLM ... 95
        Modifying an Existing MDS ... 98
        Deleting an MDS ... 99
    Protecting the Provider-1 Environment ... 100
        Standalone Gateway/Security Management ... 100
        Provider-1 CMA and MDG Management ... 100
        Defining a Security Policy for the Gateway ... 101
        Enabling Connections Between Different Components of the System ... 103

Chapter 4 Customer Management
    Overview ... 108
    Creating Customers: A Sample Deployment ... 110
    Setup Considerations ... 119
        IP Allocation for CMAs ... 119
        Assigning Groups ... 119
    Management Plug-ins ... 120
        Introducing Management Plug-ins ... 120
        Installing Plug-ins ... 121
        Activating Plug-ins ... 121
        Plug-in Status ... 123
        High Availability Mode ... 123
        Plug-in Mismatches ... 123
    Configuration ... 126
        Configuring a New Customer ... 126
        Creating Administrator and Customer Groups ... 130
        Changing Administrators ... 130
        Modifying a Customer's Configuration ... 132
        Changing GUI Clients ... 132
        Deleting a Customer ... 133
        Configuring a CMA ... 133
        Starting or Stopping a CMA ... 133
        Checking CMA Status ... 133
        Deleting a CMA ... 134

Chapter 5 Global Policy Management
    Security Policies in Provider-1 ... 136
        Introduction to Security Policies in Provider-1 ... 136
        The Need for Global Policies ... 138
        The Global Policy as a Template ... 139
        Global Policies and the Global Rule Base ... 139
    Global SmartDashboard ... 141
        Introduction to Global SmartDashboard ... 141
        Global Services ... 142
        Dynamic Objects and Dynamic Global Objects ... 142
        Applying Global Rules to Gateways by Function ... 143
        Synchronizing the Global Policy Database ... 144
    Creating a Global Policy through Global SmartDashboard ... 145
    Global IPS ... 147
        Introduction to Global IPS ... 147
        IPS in Global SmartDashboard ... 147
        IPS Profiles ... 148
        Subscribing Customers to IPS Service ... 150
        Managing IPS from a CMA ... 151
    Assigning Global Policy ... 153
        Assigning Global Policy for the First Time ... 153
        Assigning Global Policies to VPN Communities ... 154
        Reassigning Global Policy ... 154
        Reassigning Global Policy to Multiple Customers ... 154
        Viewing the Status of Global Policy Assignments ... 156
        Considerations For Global Policy Assignment ... 156
        Global Policy History File ... 158
    Configuration ... 160
        Assigning or Installing a Global Policy ... 160
        Reassigning/Installing a Global Policy on Customers ... 161
        Reinstalling a Customer Policy onto the Customer's Gateways ... 162
        Remove a Global Policy from Multiple Customers ... 162
        Remove a Global Policy from a Single Customer ... 163
        Viewing the Customer's Global Policy History File ... 163
        Global Policies Tab ... 163
        Global Names Format ... 164

Chapter 6 Working in the Customer's Network
    Overview ... 166
        Customer Management Add-on (CMA) ... 166
        Administrators ... 167
        SmartConsole Client Applications ... 167
    Installing and Configuring Security Gateways ... 169
    Managing Customer Policies ... 170
        UTM-1 Edge Appliances ... 170
        Creating Customer Policies ... 170
        Revision Control ... 170
    Working with CMAs and CLMs in the MDG ... 171

Chapter 7 VPN in Provider-1
    Overview ... 174
        Access Control at the Network Boundary ... 175
        Authentication Between Gateways ... 175
        How VPN Works ... 175
    VPN Connectivity in Provider-1 ... 178
        Connections to a Customer Network ... 178
    Global VPN Communities ... 183
        Gateway Global Names ... 183
        VPN Domains in Global VPN ... 184
        Access Control at the Network Boundary ... 185
        Joining a Gateway to a Global VPN Community ... 186
    Configuring Global VPN Communities ... 188

Chapter 8 High Availability
    Overview ... 192
    CMA High Availability ... 193
        Active Versus Standby ... 195
        Setting up a Mirror CMA ... 196
        CMA Backup using Security Management Server ... 196
    MDS High Availability ... 199
        MDS Mirror Site ... 199
        MDS Managers ... 200
        Setting up a New MDS and Initiating Synchronization ... 201
        MDS: Active or Standby ... 201
        The MDS Manager's Databases ... 202
        The MDS Container's Databases ... 203
        How Synchronization Works ... 203
        Setting up Synchronization ... 206
    Configuration ... 209
        Adding another MDS ... 209
        Creating a Mirror of an Existing MDS ... 210
        Initializing Synchronization between MDSs ... 211
        Subsequent Synchronization for MDSs ... 211
        Selecting a Different MDS to be the Active MDS ... 212
        Automatic Synchronization for Global Policies Databases ... 212
        Add a Secondary CMA ... 212
        Mirroring CMAs with mdscmd ... 213
        Automatic CMA Synchronization ... 213
        Synchronize ClusterXL Gateways ... 214
    Failure Recovery in High Availability Deployments ... 215
        Recovery with a Functioning Manager MDS ... 215
        Recovery from Failure of the Only Manager MDS ... 217

Chapter 9 Logging in Provider-1
    Logging Customer Activity ... 220
    Exporting Logs ... 224
        Log Export to Text ... 224
        Manual Log Export to Oracle Database ... 224
        Automatic Log Export to Oracle Database ... 225
        Log Forwarding ... 226
        Cross Domain Logging ... 226
    Logging Configuration ... 227
        Setting Up Logging ... 227
        Working with CLMs ... 228
        Setting up Customer Gateway to Send Logs to the CLM ... 229
        Synchronizing the CLM Database with the CMA Database ... 230
        Configuring an MDS to Enable Log Export ... 230
        Configuring Log Export Profiles ... 230
        Choosing Log Export Fields ... 231
        Log Export Troubleshooting ... 232
        Using Eventia Reporter ... 233

Chapter 10 Monitoring in Provider-1
    Overview ... 236
    Monitoring Components in the Provider-1 System ... 237
        Exporting the List Pane's Information to an External File ... 238
        Working with the List Pane ... 238
    Checking the Status of Components in the System ... 239
        Viewing Status Details ... 241
        Locating Components with Problems ... 241
    Monitoring Issues for Different Components and Features ... 243
        MDS ... 243
        Global Policies ... 245
        Customer Policies ... 246
        Gateway Policies ... 246
        High Availability ... 247
        Global VPN Communities ... 248
        Administrators ... 249
        GUI Clients ... 250
    Using SmartConsole to Monitor Provider-1 Components ... 252
        Log Tracking ... 252
        Tracking Logs using SmartView Tracker ... 252
        Real-Time Network Monitoring with SmartView Monitor ... 253
        Eventia Reporter Reports ... 255

Chapter 11 Architecture and Processes
    Packages in MDS Installation ... 258
    MDS File System ... 259
        MDS Directories on /opt and /var File Systems ... 259
        Structure of CMA Directory Trees ... 260
        Check Point Registry ... 261
        Automatic Start of MDS Processes, Files in /etc/rc3.d, /etc/init.d ... 261
    Processes ... 262
        Environment Variables ... 262
        MDS Level Processes ... 264
        CMA Level Processes ... 265
    MDS Configuration Databases ... 266
        Global Policy Database ... 266
        MDS Database ... 266
        CMA Database ... 267
    Connectivity Between Different Processes ... 268
        MDS Connection to CMAs ... 268
        Status Collection ... 269
        Collection of Changes in Objects ... 269
        Connection Between MDSs ... 270
        Large Scale Management Processes ... 270
        UTM-1 Edge Processes ... 270
        Reporting Server Processes ... 270
    Issues Relating to Different Platforms ... 271
        High Availability Scenarios ... 271
        Migration Between Platforms ... 272

Chapter 12 Commands and Utilities
    Cross-CMA Search ... 274
        Overview ... 274
        Performing a Search ... 274
        Copying Search Results ... 275
        Performing a Search in CLI ... 275
    P1Shell ... 278
        Overview ... 278
        Starting P1Shell ... 279
        File Constraints for P1Shell Commands ... 279
        P1Shell Commands ... 280
        Audit Logging ... 283
    Command Line Reference ... 284
        cma_migrate ... 285
        CPperfmon - Solaris only ... 286
        cpmiquerybin ... 294
        dbedit ... 296
        export_database ... 297
        mcd bin | scripts | conf ... 299
        mds_backup ... 299
        mds_restore ... 300
        mds_user_expdate ... 301
        mdscmd ... 301
        mdsenv ... 315
        mdsquerydb ... 315
        mdsstart ... 317
        mdsstat ... 317
        mdsstop ... 318
        merge_plugin_tables ... 318
        migrate_assist ... 319
        migrate_global_policies ... 320


Preface

    In This Chapter

    Who Should Use This Guide page 14

    Summary of Contents page 15

    Related Documentation page 16

    More Information page 18

    Feedback page 19


Who Should Use This Guide

This guide is intended for administrators responsible for maintaining network security within an enterprise, including policy management and user support.

This guide assumes a basic understanding of:

• System administration.
• The underlying operating system.
• Internet protocols (IP, TCP, UDP etc.).

Product and Feature Nomenclature

This product version incorporates updated names of some Check Point products and features. These changes are intended to emphasize the enhanced functionality and new features included.

In order to enhance the readability of this guide, we frequently use shortened product names and features in place of the formal name.

Current Product/Feature Name  | Previous Name(s)
Check Point Security Gateway  | VPN-1, VPN-1 Power, VPN-1 UTM, FireWall-1
UTM-1 Edge                    | VPN-1 UTM-1 Edge
SmartProvisioning             | SmartLSM
Endpoint Security             | Integrity
IPS                           | SmartDefense
Web IPS                       | Web Intelligence

Short Name        | Refers to
Provider-1        | Both Provider-1 and SiteManager-1. Used in place of Provider-1
SiteManager-1     | Text pertaining only to SiteManager-1
Security Gateway  | Check Point Security Gateway


Summary of Contents

This guide describes the installation, configuration and management of Provider-1. It contains the following chapters:

Chapter                                      | Description
Chapter 1, Introduction                      | Chapter 1 covers the need for Provider-1, and different elements and deployments of the Provider-1 system.
Chapter 2, Planning the Provider-1 Environment | Chapter 2 covers pre-installation considerations.
Chapter 3, Provisioning Provider-1           | Chapter 3 covers installation of the Provider-1 system.
Chapter 4, Customer Management               | Chapter 4 covers the initial configuration.
Chapter 5, Global Policy Management          | Chapter 5 covers setting up Global Policies for Customers.
Chapter 6, Working in the Customer's Network | Chapter 6 covers administration on the Customer level.
Chapter 7, VPN in Provider-1                 | Chapter 7 covers logging and tracking.
Chapter 8, High Availability                 | Chapter 8 covers setting up Virtual Private Networks.
Chapter 9, Logging in Provider-1             | Chapter 9 covers monitoring the status of the Provider-1 system.
Chapter 10, Monitoring in Provider-1         | Chapter 10 covers the different types of High Availability available for Provider-1.
Chapter 11, Architecture and Processes       | Chapter 11 covers the file and directory structure of the Provider-1 system.
Chapter 12, Commands and Utilities           | Chapter 12 covers useful command line utilities.


    Related Documentation

    The current release includes the following documentation:

    TABLE P-1 Check Point Documentation (Title, Description)

    Internet Security Installation and Upgrade Guide
        Contains installation and upgrade procedures for all products and components included in the Internet Security Suite. This suite includes Check Point Security Gateway, Security Management, all SmartConsole client applications and much more.

    High-End Installation and Upgrade Guide
        Contains an overview of the High-End Security suite, including Provider-1 and VSX. Explains all upgrade paths to the current version.

    Security Management Administration Guide
        Explains Security Management solutions. This guide provides solutions for control over configuring, managing, and monitoring security deployments at the perimeter, inside the network, at all user endpoints.

    Firewall Administration Guide
        Describes how to control and secure network access and VoIP traffic; how to use integrated web security capabilities; and how to optimize Application Intelligence with capabilities such as Content Vectoring Protocol (CVP) applications, URL Filtering (UFP) applications.

    IPS Administration Guide
        Describes how to use IPS to protect against attacks.

    VPN Administration Guide
        This guide describes the basic components of a VPN and provides the background for the technology that comprises the VPN infrastructure.


    Eventia Reporter Administration Guide
        Explains how to monitor and audit traffic, and generate detailed or summarized reports in the format of your choice (list, vertical bar, pie chart etc.) for all events logged by Check Point Security Gateways, SecureClient and IPS.

    SecurePlatform / SecurePlatform Pro Administration Guide
        Explains how to install and configure SecurePlatform. This guide will also teach you how to manage your SecurePlatform machine and explains Dynamic Routing (Unicast and Multicast) protocols.

    Provider-1 Administration Guide
        Explains the Provider-1 security management solution. This guide provides details about a three-tier, multi-policy management architecture and a host of Network Operating Center oriented features that automate time-consuming repetitive tasks common in Network Operating Center environments.



    More Information

    For additional technical information about Check Point products, consult Check Point's SecureKnowledge at http://support.checkpoint.com. To view the latest version of this document in the Check Point User Center, go to: http://support.checkpoint.com.


    Feedback

    Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to:

    [email protected]



    Chapter 1

    Introduction

    In This Chapter

    The Need for Provider-1 page 22

    The Check Point Solution page 28

    The Management Model page 42

    The Provider-1 Trust Model page 50


    The Need for Provider-1

    In This Section

    Management Service Providers (MSP) page 23

    Data Centers page 25

    Large Enterprises page 25

    Secured IT systems are a basic need for modern business environments, and large deployments face unique security challenges. A large scale enterprise must handle the challenges of disparate yet interconnected systems. The large scale enterprise often has corporate security policies that must be tailored to local branch needs, balanced with the vital requirement for corporate-wide access, perhaps between branches in different countries.

    Businesses with a large user base often need to monitor and control access to confidential internal sites, and to monitor communication failures. Administrators must be alerted to external attacks, not only on a company-wide basis, but also more selectively on a department by department, branch by branch basis.

    Companies with many branches must face security and access challenges that small scale businesses do not. For example, an international airline needs to provide access of varying levels to ticket agents, managers, airline staff, and customers, through the Internet, intranets both local and international, and through remote dial-up; all the while preventing unauthorized access to confidential financial data.

    Differentiating between levels of access permissions is critical not only for securing user transactions, but also for monitoring for attacks, abuse and load management. Task specialization amongst administrators must also be supported so that security can be centralized.

    Service providers such as Data Centers and Managed Service Providers (MSPs) need to securely manage large-scale systems with many different customers and access locations. An MSP must potentially handle separate customer systems with many different LANs, each with its own security policy needs. The MSP must be able to confidentially address the security and management needs for each customer, each with their own system topology and system products. One policy is not sufficient for the needs of so many different types of customers.

    A Data Center provides data storage services to customers and must handle access and storage security for many different customers, whose requirements for private and secure access to their data are of critical importance.


    We will examine a few basic scenarios: the MSP, the Data Center, and the large scale enterprise.

    Management Service Providers (MSP)

    An MSP manages IT services, such as security and accessibility, for other companies, saving these companies the cost of an expert internal IT staff. A management system must accommodate the MSP's own business needs, deploying an IT management architecture that scales to support a rapidly growing customer base, while minimizing support procedures and dedicated hardware.

    The MSP handles many different customer systems, which creates a variety of IT management needs. Home users may require basic Internet services, with security managed by UTM-1 Edge appliances. Small companies may require Internet and customized-security coverage; others want autonomy to manage their own security policies. One small company wants to protect its computers with a single gateway, a Security Gateway, while another requires gateways and security services for several offices and multiple networks which must communicate securely and privately.

    While the MSP must have administrators that can manage the entire MSP environment, administrators or individual customers must not have access to the environments of other customers.

    Let's examine the network of a fictitious MSP, SupportMSP:


    Figure 1-1 Example of an MSP environment

    Service providers need a management tool designed to specifically address the unique challenges of large-scale private-customer management. These different and unconnected customers' systems must be centrally managed, yet the MSP must also maintain the privacy and integrity of each customer's system.

    Further, the MSP must be able to flexibly manage security policies. Customers cannot all be assigned one security policy. It may be that specialized security policies suit a set of clients with similar needs (for example, supermarkets with many branches), whereas individualized policies better suit other customers (such as independent tax accountants and dentists). Repetitive policy changes and time-intensive end-user management are a common problem if policies cannot be managed adroitly.

    The MSP must also handle communication and activity logging for network troubleshooting and reporting purposes. Comprehensive logging for many different customers and disparate systems can be process and space intensive, draining system resources if not handled carefully. This creates both administration issues and unique security policy requirements.


    Data Centers

    The data service provider is a type of service center, a company that provides computer data storage and related services, such as backup and archiving, for other companies. For example, let's examine the network of a fictitious Data Center:

    Figure 1-2 Example of a Data Center

    Similar to the MSP, the Data Center manages its own environment, whereas individual customer administrators and customers cannot have access to other customers' environments.

    Large Enterprises

    Businesses that expand through lateral and horizontal integration, such as conglomerates or holding companies, face security policy challenges due to the diverse nature of their subsidiaries' businesses. In these complex environments, security managers need the right tools to manage multiple policies efficiently. Central management of security policy changes, which are enforced by the different Security Gateways throughout the system, ensures that the entire corporate IT architecture is adequately protected.

    Let's look at a sample deployment for an automotive manufacturing concern:

    Figure 1-3 Conglomerate's network


    Corporate IT departments must manage security services for a wide-spread system, with link-ups with vendors, external inventory systems, billing inputs, and reporting requirements. Different branches are geographically distributed and have independent network management. Yet the network security personnel must support a corporate-wide security policy, with rules enforcing access for appropriate users, preventing attacks, enabling secure communication and fail-over capabilities.

    IT departments must often delegate levels of authority among administrators, so that there is a hierarchy of access even within systems support. Whereas some administrators will have global authorities to maintain the system backbone, others may handle specialized activities and only require permissions for certain parts of the system. For example, an IT support person in a manufacturing branch would not necessarily need to have total administrator privileges for the logistics headquarters network, and a vendor administrator that handles network maintenance would not need corporate-wide permissions.

    IT services in large scale enterprises must often log network activity for security tracking purposes. Comprehensive logging can consume considerable system resources and slow down a corporate network, if not deployed with an appropriate solution. For enterprises with local and remote branches, centralized failover security management is another critical success factor in achieving efficient and comprehensive system security.


    For Big Bank, different types of permissions and access management are required to protect internal networks and separate them from external networks accessible to users.

    Figure 1-4 Big Bank's network


    The Check Point Solution

    In This Section

    Basic Elements page 29

    Point of Presence (POP) Network Environment page 33

    Managers and Containers page 35

    Log Managers page 38

    High Availability page 40

    Security Policies in Provider-1 page 40

    Check Point Provider-1 is the best-of-breed security management solution designed to meet the scalability requirements of service provider and large enterprise Network Operating Center environments. A unique three-tier, multi-policy management architecture and a host of Network Operating Center oriented features automate time-consuming repetitive tasks common in Network Operating Center environments. Provider-1 meets the needs of both the enterprise and of service providers serving the enterprise market. This solution dramatically reduces the administrative cost of managing large security deployments.

    The basic three-tier security architecture of the Check Point Security Gateway system, consisting of a gateway, a management console, and a GUI, delivers a robust mechanism for creating Security Gateway security policies and automatically distributing them to multiple gateways. Provider-1 supports central management for many distinct security policies simultaneously.

    Companies envision horizontal growth throughout an industry, to implement economies of scale through incorporation of partner-companies and vendors. Enterprises want to manage vertical growth through product differentiation. Security management achieves a new level of customization and flexibility with Provider-1.

    With Provider-1, security policies can be customized. Enterprises can, for example, tailor a security policy to enable vendor applications which tie into corporate financial networks to communicate safely and securely, yet without having access to confidential corporate data. As another example, a security policy can enable franchise companies to communicate with regional and international headquarters, yet safeguard the franchise internal network integrity.


    An administrator can create policies for groups of customer Security Gateways, and/or create high-level global policies that manage all customer policies at once. The ability to set policy at every level, including both the customer and global level, delivers exceptional scalability by eliminating the need to recreate policies and policy changes, potentially to thousands of devices.

    Basic Elements

    In This Section

    Example: MSP Deployment page 30

    Example: Enterprise Deployment page 31

    Multi-Domain GUI page 32

    The Provider-1 system is designed to manage many widely distributed gateways, for networks that may belong to different customers, different companies, or different corporate branches.

    The primary element of a security system is the gateway, the Security Gateway. Administrators decide how this Security Gateway is to be managed and apply a security policy, with rules that determine how communication is handled by the Security Gateway.

    A Customer Management Add-On (CMA) is a virtual customer management server. The CMA manages customer Security Gateways. Through the CMA, an administrator centrally creates and deploys policies on customer gateways.

    Note - You may have noticed that the term Customer is capitalized in the preceding sentence. As a convention in this guide, the term Customer will appear as capitalized whenever referring to elements of the Provider-1 system.

    The Multi-Domain Server (MDS) houses the CMAs, as well as all of the Provider-1 system information. It contains the details of the Provider-1 network, its administrators, and high level customer management information.

    The MDS can hold a substantial amount of customer network and policy detail on a single server, providing a powerful, centralized management node. Multiple MDSs can be linked in the Provider-1 system to manage thousands of policies in a single environment, and to provide fail-over capabilities.

    The CMA is the functional equivalent of a standalone Security Management server. But unlike the Security Management server, the CMA is a manager, located on the MDS. Although many CMAs can be stored on the same MDS, CMAs are completely isolated from each other, providing absolute customer privacy. In a large enterprise, each CMA may manage branch or department Security Gateways, depending on the security resolution required by the corporate security policy.

    CMAs are located inside the Provider-1 environment. The Security Gateway can be located in a separate network, in a separate city or country.

    Figure 1-5 Distributed Management Configuration

    Example: MSP Deployment

    Let's examine the basic system components at a less granular level, looking at a start-up MSP setup with Provider-1. The service provider, Provider, has an MDS and an internal network, connected to the Internet and protected by a Security Gateway. This service provider offers security services to two customers, and manages their Security Gateways.

    Each customer has a Security Gateway protecting their respective internal corporate networks. Typing.com has one network with one Security Gateway. TravelAgency has two branches, each protected by its own Security Gateway. Each Customer has its own CMA, which resides in the service provider's MDS, inside the Provider-1 network environment.


    Each CMA can manage more than one Security Gateway. TravelAgency has its own private CMA, that manages both of TravelAgency's Security Gateways. Typing.Com also has its own private CMA, which manages its Security Gateway. TravelAgency cannot access information about the Typing.Com environment, nor about the service provider's environment.

    Notice that Provider also has a CMA to manage its own Security Gateway.

    Figure 1-6 How CMAs manage Security Gateways

    Example: Enterprise Deployment

    Whereas a service provider manages individual customer networks, a large enterprise manages branches and departments. So, let's consider a Provider-1 setup for an international accountancy firm. The firm has its corporate headquarters in London, with one branch office in Manchester, and another in Paris. Each of the branches has Security Gateways protecting internal corporate networks. Let us say that in this corporate environment, all security management is handled through the corporate headquarters in London.

    How can this corporate system be protected? The branch offices are assigned CMAs to manage their gateways. In this case, the IT department is centralized in the corporate headquarters in London. An MDS has been created in London to manage the system. The Manchester corporate branch's Security Gateway is handled by its own CMA. The Paris and Nice branches are both managed by another CMA. Although the MDS and the gateways themselves are in different cities and countries, management is centralized and handled by the IT department in the London office.

    Figure 1-7 Enterprise deployment

    Multi-Domain GUI

    Provider-1 administrators use the Multi-Domain GUI (MDG) as the primary interfaceto handle customer security management. The MDG has many views tailored todisplay information relevant to specific tasks.


    The MDG manages the entire Provider-1 environment, and provides an easy way to incorporate customers and their networks into the Provider-1 system. It is used to update Customer and gateway information, and to assign and navigate between global policies. Using the MDG, administrators can provision and monitor security through a single console, and oversee rules, policies, logs, statuses, and alerts for hundreds of customers.

    Point of Presence (POP) Network Environment

    Some small scale businesses may not want the expense of a network or IT maintenance staff. MSPs can provide a total IT package for these customers, using the POP network solution to provide secured, Security Gateway protected Internet service. In the standard Provider-1 configuration we have seen, all of the customers' Security Gateways are deployed on the customers' premises. In a POP-based configuration, the Security Gateways are deployed in the POP center on the service provider's premises.


    Leased lines to the POP service center provide secured Internet access for customers. All Provider-1 components, such as the MDS and the MDG (the administrative GUI), are located on the service provider's premises. Customers dial in to receive services, and connect to the Internet via the POP center. Although their usage is monitored and protected, they do not have to be involved in any of the security management.

    All aspects of security and access are completely maintained by the MSP, using CMAs on the MDS to manage the gateway in the POP center. The CMAs in the MDS do this by managing the security policies for the Security Gateways that protect customer access.

    Figure 1-8 A simple model of a POP configuration

    For some MSPs, using VSX technology to provide customer Security Gateways is a cost-saving solution. When setting up a POP site using VSX, individual security domains can be aggregated on a single platform, substantially minimizing hardware investment. Provider-1 has special features which enable CMAs to manage the security policies for the VSX virtual gateways, protecting customer sites from intrusion. For more information, see the VSX Administration Guide.


    Figure 1-9 POP center using VSX

    Managers and Containers

    There are two types of MDS: a Manager, which contains Provider-1 systeminformation, and a Container, which holds the CMAs. The Manager is the entrypoint for administrators into the Provider-1 environment, via the MDG, theProvider-1 GUI.

    Provider-1 can be installed on a single computer and configured as a combinedManager/Container. It can also be installed on multiple computers, where one MDSis a standalone Manager and another is a standalone Container. There must be atleast one Manager and one Container per Provider-1 system.

    In an environment where there are numerous Customers, it is recommended to useseveral Containers to house the CMAs. Each CMA does the following:

    Stores and manages its respective customer's Network Object database and Security Policies

    Receives status notifications and real-time monitoring data from the customer'sgateways

    Receives logs from the customer's gateways, unless the logging properties ofsome or all of the gateways are configured otherwise


    Housing too many CMAs on a single Container can lead to performance issues. SeeHardware Requirements and Recommendations on page 75 to calculate theproper balance. Using Containers, multiple MDSs can cascade to managethousands of CMAs in a single environment.

    Multiple administrators can simultaneously access the system via the MDG byconnecting to the same, or different, MDS Managers. Administrators can access theentire Provider-1 system from each of the Managers, as all system information isstored on each Manager.

    Let's look at a Provider-1 environment for a service provider that handles numerous small customers, and several large-scale customers.

    Figure 1-10 Multiple MDSs in the service provider environment

    This service provider needs a robust system with many Containers to handle the large amount of information stored for all of its Customers. There are two MDS Managers in this system. One is housed as a standalone Manager, whereas the other is housed with a Container on the same server. There are also two other Containers, which are managed by the MDS Managers. Another computer runs the MDG, the Provider-1 graphical management tool. Administrators can log in to any Manager, and see the entire system via the MDG.


    MDS Synchronization

    Manager synchronization (for Provider-1 system information) is performed at the MDS level. MDS Managers are mirrors of each other. If there is more than one MDS Manager in the system, each Manager will contain all the information regarding the Provider-1 management system such as administrator hierarchy, Customer and network information.

    MDS Managers contain three databases: MDS, Global Policy and ICA. The MDS Manager's MDS database (general information) is synchronized whenever changes are made. The Global Policy database is synchronized either at configurable intervals and/or events, or it is synchronized manually. Interconnected, mutually redundant MDS Managers form a robust management system providing non-stop access, without the need to deploy dedicated hardware or software redundancy.

    MDG management activities can be performed using any of the MDS Managers. MDS Manager synchronization does not mirror CMA-specific data. For example, internal domains and Customer level policy rules are known only at the CMA level, so they are not synced by MDS Managers. To enable CMA failover, you must set up CMA High Availability. CMA High Availability synchronization is separate from MDS synchronization.

    Figure 1-11 MDS Synchronization in an Enterprise network


    Log Managers

    Multi-Domain Log Module

    The Multi-Domain Log Module (MLM) is an optional server that is dedicated to log collection, separating critical management activities from logging traffic. It thereby provides the infrastructure for further data-mining activities and improves performance for large deployments by offloading log processing activities from the MDS. It is recommended for systems with many CMAs or a heavy logging load.

    Redundant log infrastructures can be created by designating an MLM as a primary log server and the MDS as a backup. In the event that the MLM cannot be reached, logs are redirected to the MDS. It is possible to have multiple MLMs in the Provider-1 network. The MLM is controlled by the MDG, and maintains Customer Log Modules (CLMs), with a separate log repository for each Customer.

    Let's look at Big Bank. Big Bank is expanding and has opened a number of new branches. It has decided to track activity in its system to satisfy security requirements. It has created an environment with three MDSs. The system administrators have set up an MDS Manager/Container with a second Container to manage Security Gateways throughout the different bank branches. They have also set up an MLM to track activity.

    Figure 1-12 A simple system with an internal MLM


    Customer Log Module

    A Customer Log Module (CLM) is a log server for a single Customer. Service providers can deploy CLMs to monitor specific Customer modules. Enterprises may deploy CLMs to monitor branch activity.

    In the example below, Big Bank uses a specific CLM to collect information about the Paris branch's gateway activities.

    Figure 1-13 CLM gets activity data from customer's Security Gateway


    High Availability

    CMA High Availability

    CMA High Availability is implemented by using two or more CMAs to manage one Customer network, one in Active mode, the others in Standby. Implementing management High Availability guarantees fail-over capability. At any given time, only one CMA is Active, while the Standby CMAs are synchronized with the Active CMA.

    Data synchronization between the CMAs greatly improves fault tolerance and enables the administrator to seamlessly activate a Standby CMA when required. With High Availability, should a CMA fail for any reason, a Standby CMA can continue operation without service interruption.

    The High Availability scheme requires one Primary CMA and at least one Secondary CMA, which are housed separately, on different MDS computers. Administrators make security policy changes through the Active CMA. If policy changes are made with the Active CMA, the Standby CMAs can be set up to synchronize automatically to reflect these changes.

    These CMAs must be synchronized in order to maintain the same information. It is possible to configure the High Availability feature to synchronize automatically for each policy installation operation, on each policy save operation and on any other scheduled event. If the Active CMA's data has not been synchronized with the Standby CMAs, you can still use the Standby CMAs, which reflect the Active CMA's data as of the last synchronization.
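The Active/Standby behaviour described above, including the three synchronization triggers (policy save, policy install, scheduled event) and what a Standby CMA holds when it is promoted before the latest changes were synchronized, as an added example in Python. This is illustrative code, not part of the guide and not Check Point's implementation: the policy database is modelled as a dictionary of rules with a change counter, the CMA and MDS names are constructed, and failover is a manual promotion of a Standby CMA.

```python
"""Toy model of CMA High Availability synchronization and failover.

Added example, not code from the guide or from Check Point. Constructed
assumptions: a CMA's policy data is modelled as a dict of rules plus a change
counter; the sync triggers are the three the text names (policy save, policy
install, scheduled event); failover is a manual promotion of a Standby CMA.
"""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Cma:
    name: str
    mds: str                                   # MDS computer housing this CMA
    active: bool = False
    version: int = 0                           # counts policy changes applied
    rules: dict = field(default_factory=dict)  # rule name -> action


class CmaHaGroup:
    """Active/Standby CMAs managing one Customer network."""

    SYNC_EVENTS = {"save", "install", "scheduled"}

    def __init__(self, primary, secondaries, sync_on=("save", "install")):
        if not secondaries:
            raise ValueError("High Availability needs at least one Secondary CMA")
        unknown = set(sync_on) - self.SYNC_EVENTS
        if unknown:
            raise ValueError(f"unknown sync events: {sorted(unknown)}")
        # Primary and Secondary CMAs must be housed on different MDS computers.
        for s in secondaries:
            if s.mds == primary.mds:
                raise ValueError(f"{s.name} shares MDS {s.mds} with {primary.name}")
        primary.active = True
        self.members = [primary, *secondaries]
        self.sync_on = set(sync_on)

    @property
    def active(self):
        return next(c for c in self.members if c.active)

    def standbys(self):
        return [c for c in self.members if not c.active]

    def sync(self):
        """Copy the Active CMA's policy data to every Standby CMA."""
        src = self.active
        for s in self.standbys():
            s.version, s.rules = src.version, deepcopy(src.rules)

    def _event(self, name):
        if name in self.sync_on:
            self.sync()

    # Administrators make policy changes only through the Active CMA.
    def edit_rule(self, rule, action):
        self.active.rules[rule] = action
        self.active.version += 1

    def save_policy(self):
        self._event("save")

    def install_policy(self):
        self._event("install")

    def scheduled_event(self):
        self._event("scheduled")

    def lag(self):
        """Changes on the Active CMA that each Standby has not yet received."""
        return {s.name: self.active.version - s.version for s in self.standbys()}

    def fail_over(self, to):
        """Promote Standby `to`; the failed CMA leaves the group.

        Returns the number of unsynced changes the new Active CMA lacks.
        """
        old = self.active
        new = next(s for s in self.standbys() if s.name == to)
        lost = old.version - new.version
        self.members.remove(old)
        new.active = True
        return lost


def demo():
    """Scenario: sync only on policy save, then fail over after an unsaved edit."""
    primary = Cma("cma_travelagency_primary", mds="mds_london")      # constructed
    secondary = Cma("cma_travelagency_secondary", mds="mds_paris")   # constructed
    ha = CmaHaGroup(primary, [secondary], sync_on=("save",))

    ha.edit_rule("allow_http_out", "accept")
    ha.save_policy()                        # triggers sync: Standby is current
    lag_after_save = ha.lag()[secondary.name]

    ha.edit_rule("drop_telnet_in", "drop")  # edited but not saved: not synced
    lag_before_failover = ha.lag()[secondary.name]

    lost = ha.fail_over(secondary.name)
    return {
        "lag_after_save": lag_after_save,
        "lag_before_failover": lag_before_failover,
        "changes_lost": lost,
        "active": ha.active.name,
        "rules": dict(ha.active.rules),
    }


if __name__ == "__main__":
    print(demo())
```

The `lag()` value is the operational check worth monitoring: a non-zero lag on a Standby is exactly the window in which a failover would promote a CMA whose policy is behind the Active one, which is why the text recommends synchronizing on every save and install rather than only on a schedule.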

    Security Policies in Provider-1

    Security Policies are created to enforce security rules. Administrators can create security policies and rules tailored to a specific Customer, or a type of Customer. In the Provider-1 environment, administrators create Customer security policies for a specific set of gateways, using the CMA, which is the equivalent of the Security Management server in the Check Point Security Gateway model. To find details about how a Security Gateway works with security policies, see the VPN and IPS Administration Guides.

    The Need for Global Policies

    Besides security policies for a specific set of gateways, administrators need to create policies which apply to the entire Provider-1 environment. The separation between different levels of policies, and different types of policies, means that Customer-level security rules do not need to be reproduced throughout the entire Provider-1 environment. Policies can be created and privately maintained for each Customer, ensuring a Customer's security integrity. Global Policies enforce security for the entire Provider-1 system.


    The Management Model

    In This Section

    Introduction to the Management Model page 42

    Administrators page 42

    Management Tools page 44

    Introduction to the Management Model

    In the Provider-1 environment, the management model has been designed so that network security managers can centrally and securely manage many distributed systems. Network security is sharpened by differentiating between different levels of security needs, and differentiating between access privileges and needs. The Provider-1 management model allows you to designate trusted users (administrators) with different access rights. It enables trusted communication both within the Provider-1 network, and with customers' network environments.

    Administrators

    It is important, for security purposes, that there be different types of administrative authority. Administrators with authority over the entire system are needed in order to manage the entire Provider-1 system. But there also must be a level of administration authority which only applies to the customer environment and not to the Provider-1 system.

    It is inappropriate for an administrator who remotely manages a Security Gateway in a particular customer network to have authority over or access to the entire Provider-1 system. This could be a serious security breach, as a customer's internal staff would have access to other customer networks. For example, it would not be appropriate for an MSP to allow an administrator of one of its customers to have the authority to shut down an MDS Manager or delete all the superusers from the system.

    In the Provider-1 environment, four types of administrators have been designated to handle different levels of responsibility. While there is a need for administrators with the authority to create and manage the entire Provider-1 environment, not every administrator in the system has this level of complete control. The following table shows permissions by type of administrator.


    Table 1-1 Administrator levels and their access permissions

    Administrator: Provider-1 Superuser
    Permissions: Provider-1 Superusers manage the entire Provider-1 system and can oversee all the networks of all Customers in the Provider-1 system. They can use all MDG tools relating to Customer and MDS management, and can manage all other administrators. Provider-1 Superusers have sole permission to manage and change the MDSs. They can:
    - Add, edit or delete MDSs, including manager servers, containers, High-Availability servers, logging servers, etc.
    - Enable or disable a computer's permission to access the MDG.

    Administrator: Customer Superuser
    Permissions: Customer Superusers can manage the networks of all Customers in the system, using the MDG and SmartConsole tools. They can use all MDG tools relating to Customer management; create, edit and delete Customers; and see all the network objects for all of the Customers. Customer Superusers can manage Customer Managers and None Administrators. However, they cannot manage or change the MDS environment or manage Provider-1 Superusers.

    Administrator: Global Manager
    Permissions: Global Managers can access Global SmartDashboard and, if so configured, manage Global Policies and Global Objects. Global Managers can also manage their assigned set of Customer networks from within the Provider-1 environment. They can:
    - Access the General, Global Policies, High Availability and Connected Administrators Views.
    - See and manage (add, edit and delete) the network objects of their Customers.
    If Global Managers are assigned Read/Write/All permissions, they can:
    - Edit their Customers.
    - Add, edit and delete their Customers' CMAs and CLMs.
    - Start or stop their Customers' CMAs and CLMs.
    - Import their Customers' CMAs to another MDS.
    - Create Customer Manager or None administrators for their Customers.
    Global Managers have fewer permissions than Customer Superusers:
    - They cannot see the Network Objects of Customers to which they are not assigned.
    - They cannot create new Customers.

    Administrator: Customer Manager
    Permissions: Customer Managers, similar to Global Managers, can manage their assigned sets of Customer networks; however, they cannot access the Global SmartDashboard, meaning they cannot edit Global Objects or Global Policies.

    Administrator: None
    Permissions: None administrators manage their Customers according to their assigned permissions. They are outside of the Provider-1 management environment. They manage their internal networks using the SmartConsole tools, e.g., SmartDashboard. They do not have access to the Provider-1 system, and cannot open an MDG.

    Management Tools

    In This Section

    Multi-Domain GUI page 45

    SmartConsole Client Applications page 46

    Sample Deployment - Administrator Setups page 46

    Multi-Domain GUI

    Administrators use the Multi-Domain GUI (MDG), the interface through which Provider-1 administrators handle Customer security management. The general view is shown below:

    Figure 1-14 MDG - The General View

    Administrators use the MDG to manage the Provider-1 environment and monitor Customers' networks. This tool provides an easy way to add Customers and their networks to the Provider-1 management system. Administrators can create, update, change and delete Customer and CMA information; assign licenses; and view and assign policies, which are stored centrally on the MDS. Through a single console, administrators can provision and monitor security, by assigning and overseeing rules, policies and logging setups, as well as monitoring logs, statuses, and alerts for hundreds of customers.

    The MDG is also used to create administrators of all four types and assign their permissions. The MDG can even be used to designate which other computers can be entrusted to run the MDG. Administrators can create a logging setup by adding an MLM (Log Containers) to the Provider-1 management system, and designating a dedicated customer's server as a CLM for that customer. Further, it is possible to update Check Point software installed on all Provider-1 computers and Customer network computers using SmartUpdate, via the MDG.

    From the MDG, an administrator can launch Global SmartDashboard to create Global Policies, or the administrator can launch SmartConsole Clients for each of the Customers. Outside of the Provider-1 environment, local administrators can also run SmartConsole Client applications for each of the Customers.

    SmartConsole Client Applications

    SmartConsole Clients are the Check Point tools used to design, manage, monitor and log the Security Gateway enforcement policies. SmartConsole Clients include all the following:

    - SmartDashboard is used by the system administrator to define and manage the Security Policy. From this SmartConsole you can access many Check Point features and add-ons.
    - SmartView Tracker is used for managing and tracking logs throughout the system.
    - SmartUpdate is used to manage and maintain a license repository, as well as to facilitate upgrading Check Point software.
    - SecureClient Packaging Tool is used to define user profiles for SecuRemote/SecureClient clients.
    - SmartView Monitor is used to monitor and generate reports on traffic on interfaces, Provider-1 and QoS gateways, as well as on other Check Point System counters. It is also used for managing and viewing alerts and testing the status of various Check Point components throughout the system.
    - Eventia Reporter is used to generate reports for different aspects of network activity.
    - SmartProvisioning is used for managing large numbers of SmartLSM Security Gateways via the Security Management server or Provider-1 CMA.

    Sample Deployment - Administrator Setups

    Let's examine a sample deployment, in which a service provider has an MDG console set up within the Provider-1 environment, and customers have their own consoles within their internal networks.

    The service provider's Provider-1 Superuser administrator, Rosa, uses the installation CD and command line utilities to configure and set up the entire Provider-1 environment. Then, she uses the MDG and the Global SmartDashboard to manage the global policies. As a Provider-1 Superuser, Rosa is responsible for everything to do with the physical layout of the service provider's environment, and managing all the highest level security authorizations.

    Figure 1-15 Rosa sets up the Provider-1 environment

    Rosa knows that her Provider-1 environment will run a large system, with hundreds of Customers, and it will not be possible for one administrator to handle all the activity. It is time to start considering staffing issues. Customer Superusers can handle all Customer-specific management activities. They can create, delete or edit Customers and create, edit or delete CMAs. Rosa authorizes Martin to be a Customer Superuser. Now Martin can add customers to the system.

    Figure 1-16 Martin adds customers to the Provider-1 environment

    Martin starts adding customers into the system. Each customer needs a security policy to monitor the customer network's gateway, the Security Gateway. The work is really piling up! Now that the customer base is expanding, it is time for Martin, as a Customer Superuser, to add more customer administrators.

    Martin authorizes Tony to be a Customer Manager for the customers Accountant and Pharmacy2Go. Customer Managers can handle many Customer-specific management activities. They can add, edit or delete their Customers' CMAs. They can start or stop their Customers' CMAs and CLMs. They can also import their Customers' CMAs to another server, and create customer security rules. It's time for Tony to create security policies for Pharmacy2Go and for Accountant.

    Figure 1-17 Tony creates security rules for customers

    The company Pharmacy2Go has a resident IT manager, Sandrine, who handles local network maintenance and security. Tony works with Sandrine to ensure that Pharmacy2Go's network is running securely and safely.

    As a Customer Manager, Tony can authorize None administrators, who are outside of the Provider-1 management environment, but may administer customer Security Gateways themselves. Tony adds Sandrine to the list of administrators as a None administrator, so that she can use SmartConsole applications to monitor and track activity in Pharmacy2Go's network.

    Figure 1-18 Sandrine works with SmartConsole Clients


    Sandrine can run SmartConsole Client applications for Pharmacy2Go's network, now that she has been made a None administrator. Remember, None administrators manage their own internal networks via the CMA. They do not have access to other elements in the Provider-1 environment.

    Notice that the Provider-1 network itself needs to maintain its own security, protecting the confidentiality of critical information regarding customer networks, administrators, and access details, as well as for its own network! It can use a stand-alone Security Gateway, or define a CMA to manage its gateway. If the gateway is standalone, Rosa can manage it through its own Security Management server. If maintained by the MDS, it is managed with a CMA.

    The Provider-1 Trust Model

    meant for someone else, be authenticated, so there can be no doubt as to the identity of the communicating peers, and have data integrity, not have been altered or distorted in any way. Of course, it is helpful if it is also user-friendly.

    The SIC model incorporates PKI. Certificates are issued to trusted communicating parties by an Internal Certificate Authority. These certificates are then used to authenticate every communication established between the communicating parties.

    The following security measures are taken to ensure the safety of SIC:

    - Certificates for authentication.
    - Standards-based SSL for the creation of the secure channel.
    - 3DES for encryption.

    Trust Between a CMA and its Customer Network

    In order to ensure authenticated communication between the Provider-1 environment and the Customer network environment, each CMA also has its own Internal Certificate Authority (ICA), which is responsible for issuing certificates to the CMA's Customer gateways. The CMA ICA is part of the CMA data residing in the MDS Container. Each CMA ICA is associated with a specific Customer. A Customer's secondary CMA shares the same Internal Certificate Authority as the primary CMA.

    The ICA of each CMA issues a certificate to Security Gateways in the Customer network. SIC can then be established between the CMA and each of its Customer's Security Gateways.

    Different CMAs have different ICAs to ensure that a CMA establishes secure communication with its own Customer's gateways, but that different Customer CMAs cannot penetrate each other's internal networks and establish communication with another Customer's gateways.

    Figure 1-19 SIC between CMA and Customer gateway


    Trust Between a CLM and its Customer Network

    The CLM (Customer Log Manager) also receives a certificate from the CMA's ICA. This is so that the Customer's Security Gateways can establish communication with the CLM, for tracking and logging purposes. The gateways and CLM must be able to trust their communication with each other, but only if they belong to the same customer. Otherwise, different customers could monitor each other, which would be a security breach.

    MDS Communication with CMAs

    Every MDS Container communicates with the CMAs that it houses locally and securely through a protocol called SIC local. This type of authentication, SIC local, is managed by the Provider-1 environment and allows internal MDS communication to be trusted.

    SIC is used for remote (not on the same host) communication, whereas SIC local is used for a host's internal communication. SIC local communication does not make use of certificates.

    Trust Between MDS to MDS

    The primary MDS Manager, the first Manager created, has its own Internal Certificate Authority. This ICA issues certificates to all other MDSs, so that trusted communication can be authenticated and secure between MDSs. All MDSs share one Internal Certificate Authority.

    Figure 1-20 SIC between MDSs

    The ICA creates certificates for all other MDSs, and for Provider-1 administrators. Administrators also need to establish trusted communication with the MDSs.

    Authenticating the Administrator

    Administrators are authenticated to access the MDS via the MDG either by using a User Name and Password combination (which is considered only semi-secure) or by using a certificate issued by the MDS ICA (far more secure).

    Figure 1-21 SIC between Administrator and MDS

    For management purposes, administrators use the certificates provided by the MDS ICA to establish trusted communication to manage the CMAs. This is because every CMA also trusts the MDS ICA for administrator management activities using a communication medium, CPMI. This means that administrators do not need to have certificates issued to them for every CMA that they communicate with.

    Figure 1-22 SIC between administrators and a customer CMA

    Authenticating via External Authentication Servers

    Provider-1 supports authentication using an external server that contains a database of user login information (for example, user name, password and attributes). When a Provider-1 administrator is set to authenticate using one of these external servers, all authentication requests are forwarded to the authentication server. The external server authenticates and authorizes the user and sends a reply to the MDS. Only if the administrator is authenticated and verified will the MDS allow the administrator to connect to the MDS or the CMA.

    Provider-1 supports the following external authentication servers:

    - RADIUS
    - TACACS
    - RSA SecurID ACE/Server

    The following diagram depicts an authentication process in which administrators use external authentication:


    Figure 1-23 Authentication using an External Authentication server


    TACACS and RADIUS authentication methods, when authenticating an administrator connecting to a CMA, use the MDS as a proxy between the CMA and the external authentication server. Therefore, each MDS container should be defined on the authentication server, and the authentication server should be defined in the global database. In addition, if the MDS is down, the CMA will not be able to authenticate administrators.

    Setting up External Authentication

    To authenticate using an authentication server, the MDS must know which administrators should be authenticated. Administrator authentication is performed through the MDG as follows:

    1. Open MDG > Administrators.

    2. Create a new administrator.

    3. In the General tab enter the same user name that was created on the authentication server.

    4. Mark the administrator's permission.

    5. On the Authentication tab, select the Authentication Scheme. If using RADIUS or TACACS, choose the appropriate server that was configured in Global SmartDashboard.

    6. If using SecurID, do the following:

    1. Generate the file sdconf.rec on the ACE/Server, and configure the user to use Tokencode only.

    2. Copy sdconf.rec to /var/ace/ on each MDS.

    3. Edit the file /etc/services and add the following lines:

        securid 5500/udp
        securidprop 5510/tcp

    4. Reboot the MDS machines.
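    Step 3 is easy to get wrong across a fleet of MDS machines: a missed entry leaves SecurID unusable on that host, while pasting the lines twice clutters the file. The following POSIX shell functions are an added example, not part of this guide or of Check Point's tooling. They add the two entries only when they are missing and report how many of them a given file has, so each MDS can be checked before the reboot in step 4. The services file path is a parameter so the functions can be exercised on a scratch copy first; the function names and the constructed sample file are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the guide): idempotent handling of the SecurID
# entries that step 3 adds to /etc/services on each MDS. FILE is passed in
# so the functions can be run against a scratch copy first.

# Succeed if FILE already has a line "NAME PORT/PROTO". The name and the
# port/proto are matched as whole fields, so "securidprop 5510/tcp" does
# not count as "securid 5500/udp".
has_service() {
    file=$1; name=$2; portproto=$3
    grep -Eq "^[[:space:]]*${name}[[:space:]]+${portproto}([[:space:]]|\$)" "$file"
}

# Append "NAME PORT/PROTO" to FILE unless it is already present.
add_service() {
    file=$1; name=$2; portproto=$3
    if has_service "$file" "$name" "$portproto"; then
        echo "already present: $name $portproto"
    else
        printf '%s\t%s\n' "$name" "$portproto" >> "$file"
        echo "added: $name $portproto"
    fi
}

# The two entries the SecurID procedure requires on every MDS.
add_securid_services() {
    add_service "$1" securid 5500/udp
    add_service "$1" securidprop 5510/tcp
}

# Print how many of the two required entries FILE contains (0, 1 or 2).
# Run this on each MDS before rebooting it; anything other than 2 means
# the host is not ready.
securid_services_present() {
    n=0
    has_service "$1" securid 5500/udp && n=$((n + 1))
    has_service "$1" securidprop 5510/tcp && n=$((n + 1))
    echo "$n"
}

# Constructed sample: a scratch services file that already carries
# securidprop but not securid, to show that only the missing entry is added.
make_sample_services() {
    f=$(mktemp)
    printf 'ssh\t22/tcp\nsecuridprop\t5510/tcp\n' > "$f"
    echo "$f"
}

demo() {
    f=$(make_sample_services)
    add_securid_services "$f"      # adds securid only
    add_securid_services "$f"      # second run changes nothing
    securid_services_present "$f"  # 2
    rm -f "$f"
}
```

    Running `demo` shows the first call adding only the missing securid line and the second call leaving the file untouched. On a real MDS, pass /etc/services as the file argument and treat any count other than 2 from securid_services_present as a reason not to proceed with the reboot.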

    Alternatively, instructions 3., 4. and 5. can be performed from the command line interface (CLI), with the following syntax:

        mdscmd setadminauth [authenticationserver name] [-m mds -u user -p password]

    Re-authenticating when using SmartConsole Clients

    When a SmartConsole Client is launched from another open SmartConsole Client, the system by default reapplies the credentials entered when the administrator logged into the first Client.

    However, there are cases where it is useful to compel administrators to re-authenticate for each SmartConsole Client they launch. When using RSA SecurID to authenticate Provider-1 administrators, for instance, it is common to require re-authentication when SmartConsole Clients connect to MDSs or CMAs.

    You can compel administrators to re-authenticate every time a new GUI client is launched and connects to:

    - a specific CMA
    - all CMAs created on this system in the future
    - this MDS or MLM

    The instructions for each are listed below.

    ...When Connecting to a Specific CMA

    The following commands need to be executed in a root shell on the MDS machine hosting the CMA:

        dbedit -s <server> -u <user> -p <password>
        modify properties firewall_properties fwm_ticket_ttl 0
        update properties firewall_properties
        quit

    If the relevant Customer has more than one CMA, synchronize the CMAs for the change to take effect on both. If the Customer owns one or more CLMs, the Install Database operation should be performed on each CLM for the change to take effect.

    ...When Connecting to all CMAs Created on This System in the Future

    The following steps need to be executed in a root shell of every MDS Container machine:

    Run the command mdsenv.

    Edit the file $MDS_TEMPLATE/conf/objects_5_0.C

    Find the line containing :fwm_ticket_ttl

    Replace it with the line :fwm_ticket_ttl (0)
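    The edit above is a one-line change, but on every Container the administrator wants to know that the attribute was actually found and changed, and to keep a copy of the template before touching it. The following POSIX shell functions are an added example, not part of this guide or of Check Point's tooling: get_ticket_ttl reads the current value of :fwm_ticket_ttl from an objects_5_0.C-style file, and set_ticket_ttl rewrites it in place after saving a timestamped backup, failing if the attribute is absent rather than silently leaving the old ticket lifetime in force. The file path is a parameter; the mdsenv step and the $MDS_TEMPLATE location are not reproduced here, and the sample file layout and its starting value of 1440 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the guide): set ":fwm_ticket_ttl (0)" in an
# objects_5_0.C-style file so that each new GUI client must re-authenticate.
# The file path is a parameter; on an MDS Container it would be
# "$MDS_TEMPLATE/conf/objects_5_0.C" after running mdsenv (not done here).

# Print the value inside ":fwm_ticket_ttl (...)"; prints nothing if the
# attribute is absent.
get_ticket_ttl() {
    sed -n 's/^[[:space:]]*:fwm_ticket_ttl[[:space:]]*(\([^)]*\)).*/\1/p' "$1"
}

# Replace the attribute's value with VALUE. Refuses to run if the attribute
# is missing (a silent no-op would leave the old ticket lifetime in force),
# keeps a timestamped backup, and writes through the existing file so its
# ownership and mode are preserved.
set_ticket_ttl() {
    file=$1; value=$2
    if [ -z "$(get_ticket_ttl "$file")" ]; then
        echo "error: no :fwm_ticket_ttl attribute in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp)
    sed "s/^\([[:space:]]*:fwm_ticket_ttl[[:space:]]*\)([^)]*)/\1(${value})/" "$file" > "$tmp" &&
        cat "$tmp" > "$file"
    status=$?
    rm -f "$tmp"
    return $status
}

# Apply the re-authentication setting and print the value now in the file.
force_reauth() {
    set_ticket_ttl "$1" 0 && get_ticket_ttl "$1"
}

# Constructed sample: a minimal file in the same ":attribute (value)"
# layout; the starting value 1440 is invented for the demonstration.
make_sample_objects() {
    f=$(mktemp)
    printf '(\n\t: (firewall_properties\n\t\t:fwm_ticket_ttl (1440)\n\t\t:some_other_attr (true)\n\t)\n)\n' > "$f"
    echo "$f"
}

demo() {
    f=$(make_sample_objects)
    get_ticket_ttl "$f"   # 1440
    force_reauth "$f"     # 0
    rm -f "$f" "$f".bak.*
}
```

    Writing the result back with `cat > "$file"` rather than renaming a temporary file over it is deliberate: the template keeps its inode, owner and permissions, which matters for a file the MDS processes read. The dbedit sequence shown in the previous section remains the way to make the same change on a CMA that already exists.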

    ...When Connecting to this MDS or MLM

    The following commands need to be executed in a root shell on the MDS machine hosting the CMA:

        dbedit -s <server> -u <user> -p <password>
        modify properties firewall_properties fwm_ticket_ttl 0
        update properties firewall_properties
        quit

    If the Provider-1 configuration consists of more than one MDS Container server or MLM, synchronize the Global Policy for the change to take effect on all MDS Container servers or MLMs.

    CPMI Protocol

    The CPMI (Check Point Management Interface) protocol is a generic open protocol that allows third party vendors to interoperate with Check Point management products. The client side of CPMI is included in the OPSEC SDK documentation, so third-party products can integrate with the CMAs. For more information on CPMI, see the CPMI guide in the OPSEC SDK documentation.


    Chapter 2 Planning the Provider-1 Environment

    In This Chapter

    Asking yourself the right questions... page 61

    Consider the Following Scenario... page 64

    Protecting Provider-1 Networks page 66

    MDS Managers and Containers page 67

    Setting up the Provider-1 Environment page 70

    Hardware Requirements and Recommendations page 75

    Provider-1 Order of Installation page 76

    Licensing and Deployment page 77

    Miscellaneous Issues page 83

    This chapter deals with the different aspects required in order to plan and prepare for setting up a first-time deployment with Provider-1. In every first-time setup there are general questions that you need to ask yourself, such as:

    - What do you need to know about the basic components that need to be installed?
    - How should the basic components be deployed and in what order should they be installed?
    - What are the hardware requirements that need to be considered?
    - What licenses need to be obtained in order to run the product?

    Asking yourself the right questions...

    There are many factors to consider when planning your Provider-1 environment. This section discusses a few of these issues in general terms. Specific details are discussed at a later stage.

    Safety comes first

    Whatever deployment you choose to implement needs to safeguard and protect your networks. You will need to install an enforcement gateway to protect the Provider-1 environment. For more information, see Protecting Provider-1 Networks on page 66.

    MDS Manager