GUIDE TO CONFIGURING THE NOKIA IP380 FIREWALL

Table of contents

1. Introduction

2. Lab installation model

3. Basic configuration on the Nokia via Voyager web

a. Configuring IP addresses for the interfaces

b. Configuring the hostname

c. Configuring the DNS server for the Nokia

d. Configuring the default gateway

4. Installing Check Point products on the Nokia IP380

5. Configuring the Check Point firewall

a. Firewall configuration

b. Limiting user bandwidth

c. Configuring the VPN server on the Nokia

d. Configuring the log server and reporting

1. Introduction

The Nokia firewall runs the IPSO operating system (at the time of writing the Nokia IP380 runs IPSO 3.8.1), an OS built on a UNIX base. With Check Point software installed on it, the Nokia becomes a capable security appliance with the core functions of a firewall and a VPN gateway. The Check Point software consists of several modules, each responsible for one function:

+ FloodGate-1: manages user bandwidth

+ UserAuthority: manages the groups and users shared by all Check Point modules

+ VPN-1&Firewall-1: the module that provides VPN, firewall and management

+ Reporting module: works together with the Log module to produce graphical statistical reports

+ Real Time Monitor: lets the operator watch the firewall in real time (traffic throughput, CPU, and so on)

+ Policy Server: manages the policies for remote clients

Besides the modules above there are many others; licenses are bought for different modules depending on each organisation's specific situation.

2. Lab installation model

Check Point software can be set up on the Nokia firewall in two ways: Standalone and Distributed.

Standalone setup: the Check Point software, with every module covered by its licenses, is installed entirely on the Nokia firewall, including the Management module.

[Diagram: Standalone setup. Labels: Internet; NOKIA Firewall (VPN-1&Firewall-1 & Management Server module); PC (Management client)]

Distributed setup: the Check Point VPN-1&Firewall-1 module and its accompanying modules are installed on the Nokia firewall, without the Management module. The Management module is installed on a Windows Server 2003 machine.

[Diagram: Distributed setup. Labels: Internet; NOKIA Firewall (VPN-1&Firewall-1); PC (Management server & Management client)]

This guide configures the firewall following the Distributed model.

3. Basic configuration on the Nokia firewall via Voyager web

When the Nokia firewall is configured for the first time, the console prompts at boot for the initial settings: the password for the admin account, and the choice between two ways of configuring the firewall, the Voyager web interface or the text-mode interface via lynx. After choosing Voyager web, you are prompted to configure the interfaces and the DHCP server.

Once the initial configuration is complete, restart the system and log in to the Nokia firewall at one of the addresses configured above, with the username and password set above.

a. Configuring IP addresses for the interfaces

After logging in, the screen below is displayed; choose Config.

Choose Interface Configuration to configure the Nokia firewall's interfaces.

On the Interface Configuration screen, select the interface to configure by clicking its link. The configurable parameters are: IP address, half/full duplex, active/inactive, and name.

When finished, choose Apply > Save. Note that the configuration must be saved after it is applied; otherwise it is lost when the firewall is reset.

b. Configuring the hostname

After configuring the interfaces, press the Up button to return to the previous page, in this case the Config page. Choose the Host Address Assignment link.

The Static Host Entries table has at least one entry, localhost, mapped to 127.0.0.1; never delete this entry. Add a name mapped to the IP address of one of the interfaces (the External interface). Also add the hosts the Nokia firewall must communicate with regularly. Apply > Save.

c. Configuring the DNS server for the Nokia firewall

From the main Config screen, choose the DNS link.

Enter the DNS server address, Apply > Save.

d. Configuring the default gateway

From the main Config screen, choose Static Routes.

Here, add a default route that connects the Nokia firewall to the Internet.

In the Gateway column, select On in the Default row, set the next-hop type to Normal, and click Apply. After applying, a Gateway Type row appears; choose Address and enter the address of the next hop toward the Internet. Apply, Save.

4. Installing Check Point products on the Nokia

Preparation before installing:

a. Check the product licenses. There are two kinds, central and local; choose the one that suits the installation model.

i. Central license: the IP address registered to the license is that of the management server (not of the Enforcement module), so a central license can be attached to the Enforcement module of one Nokia firewall, or detached and attached to another Nokia firewall (the IP address can change).

ii. Local license: the license is bound to the IP address of the machine running it. If the IP address changes, a different license is needed.

b. Check the hostname registered to the interface (Host Address Assignment), and the hostnames the Check Point Nokia must communicate with regularly.

c. Check the DNS server configuration for the Nokia firewall.

d. Plan the module installation: in VPN-1&Firewall-1, install only the Enforcement module component.

Modules to install on the Nokia firewall and on the Management station:

Nokia: Firewall-1 & VPN-1, UserAuthority, SmartView Monitor, Policy Server, SmartView Reporter Add-on, FloodGate.

Windows 2003 station: SmartCenter + Log Server, SmartDashboard, SmartView Reporter Server, FloodGate Add-on. After the Management module and the other modules are installed on Windows 2003, the installer requires the following common settings: define the Admin account that administers the Management module, configure the management license, and define the GUI clients.

5. Configuring the Check Point firewall

a. Firewall configuration

After the components have been installed as described above and those steps are complete, reboot the Nokia firewall.

A1. Set the SIC (Secure Internal Communication) password: for the modules (management module and enforcement module) to communicate with each other, the SIC password must be set. Procedure:

On the Nokia console, enter the command cpconfig.

Choose option 5 (Secure Internal Communication). Press ENTER.

Follow the guided steps to set the SIC password.

The SIC password is entered again in the Check Point Gateway definition on the Management Station so that the management server can communicate with the firewall; this communication uses TCP ports 18190, 18191 and 18192.

A2. Define the network objects: start SmartDashboard and connect to the SmartCenter server. Enter the admin account to enter the system configuration.

On first login, the following dialog appears:

The objects to define are:

+ Check Point gateway: on the Network Objects tab, right-click Check Point > New Check Point > Gateway.

The Check Point Gateway dialog appears. Enter the information it asks for: Name, the gateway IP, and tick the modules installed on the Check Point gateway. Click Communication and enter the SIC password, then click Initialize to connect to the Nokia firewall; if the dialog below appears, the connection succeeded.

Otherwise, if any error message appears, check the network connections and whether there is a firewall between the Management station and the firewall module (SIC communication uses ports 18191, 18192 and 18190); after checking, initialize the SIC password again on the Nokia firewall and on the management station.

In the Check Point Gateway dialog, choose Topology on the left.

Click Get > Interfaces with Topology to retrieve the interface configuration from the Check Point gateway > click Accept. The VPN Domain section is explained in the VPN configuration part.

Double-click the interface that connects to the Internet and, on the Topology tab, define it as the external interface (External: leads out to the Internet).

+ Network object: right-click Networks and choose New Network.

Enter the network name, network address and subnet mask.

+ Node object: defines the hosts within the networks; defining them lets us control the hosts with fixed IPs in those networks.

+ Address Range object: defines the IP ranges the organisation or company manages.

A3. Define the rules: the firewall checks each packet passing through it against the rules, starting from rule 1 down to the last rule. A packet that meets the conditions of a rule is accepted or dropped, and logged or not logged, as that rule specifies; as soon as a packet matches a rule, that rule's actions are applied and the following rules are not consulted.

By default the last rule is an implicit Deny (hidden), meaning that a packet passing through the firewall that is matched by no rule is DROPped.

Example: a rule allowing FTP traffic from the internal network to the Internet

Source | Destination | VPN | Service | Action | Track | Install On
Internal | Any | Any | FTP | Accept | Log | Policy Targets
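The first-match evaluation described above, as an added example (this is not code from the guide or from Check Point): a small Python model of a rulebase holding the FTP rule, with the hidden cleanup drop at the end. The network object `Internal` (192.168.1.0/24), the service definitions and the sample packets are constructed, and the cleanup rule is modelled as not logging, which is a simplification.

```python
"""First-match rulebase evaluation with an implicit final drop.

Added example, not code from the original guide or from Check Point.
Rules are consulted from rule 1 downward; the first rule whose Source,
Destination and Service all match decides Accept/Drop and whether the
packet is logged; a packet that matches no rule is dropped by the hidden
cleanup rule. All objects and packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed network objects, standing in for SmartDashboard objects.
# "Any" is not listed: it matches every address (see _addr_in_object).
NETWORK_OBJECTS = {"Internal": [ip_network("192.168.1.0/24")]}
SERVICE_OBJECTS = {"FTP": ("tcp", 21), "HTTP": ("tcp", 80)}


@dataclass
class Rule:
    number: int
    source: str
    destination: str
    service: str
    action: str          # "Accept" or "Drop"
    track: str = "None"  # "Log" or "None"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Verdict:
    action: str
    rule: Optional[int]  # None means the implicit cleanup rule decided
    logged: bool


def _addr_in_object(addr: str, obj_name: str) -> bool:
    """True if addr belongs to the named network object ("Any" matches all)."""
    if obj_name == "Any":
        return True
    ip = ip_address(addr)
    return any(ip in net for net in NETWORK_OBJECTS[obj_name])


def _service_matches(pkt: Packet, svc_name: str) -> bool:
    if svc_name == "Any":
        return True
    proto, port = SERVICE_OBJECTS[svc_name]
    return pkt.proto == proto and pkt.dport == port


def evaluate(rulebase: List[Rule], pkt: Packet) -> Verdict:
    """Walk the rulebase top-down and stop at the first matching rule.

    Anything no explicit rule matched falls through to the implicit
    cleanup rule, which drops it (modelled here as not logging).
    """
    for rule in rulebase:
        if (_addr_in_object(pkt.src, rule.source)
                and _addr_in_object(pkt.dst, rule.destination)
                and _service_matches(pkt, rule.service)):
            return Verdict(rule.action, rule.number, rule.track == "Log")
    return Verdict("Drop", None, False)


# The example rule from the guide: Internal -> Any, FTP, Accept, Log.
RULEBASE = [Rule(1, "Internal", "Any", "FTP", "Accept", "Log")]


def demo():
    """Constructed packets: outbound FTP from inside, and inbound FTP
    from the Internet toward an internal host."""
    outbound = Packet("192.168.1.25", "203.0.113.10", "tcp", 21)
    inbound = Packet("203.0.113.10", "192.168.1.25", "tcp", 21)
    return evaluate(RULEBASE, outbound), evaluate(RULEBASE, inbound)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The inbound FTP packet is dropped not because any rule says so but because nothing matched it; when a rulebase is reviewed, that silent cleanup behaviour is exactly what a rule with Track set to Log would make visible.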

b. Limiting user bandwidth

To create a bandwidth policy, first set the bandwidth of the External interface (the one connected to the Internet) as follows:

Network Objects tab > double-click the Check Point gateway > on the Topology page > double-click the external interface > choose the QoS tab > set Inbound Active Rate and Outbound Active Rate.

The module that manages user bandwidth is FloodGate. The Check Point management server manages bandwidth policies on the QoS tab.

For the QoS tab to appear in the model we are installing (Distributed), the FloodGate module must be installed on the Nokia firewall (installed together with VPN-1 Pro or VPN-1 Net) and the FloodGate Add-on on the management server.

Example: add a rule limiting FTP traffic with a guaranteed bandwidth of 500 Kbps and a maximum of 1 Mbps, on rule 1 in the figure above.

FloodGate manages bandwidth with the following parameters: Rule Guarantee, Rule Limit and Rule Weight.

+ Assigning bandwidth to a rule combines two parameters, Rule Guarantee and Rule Weight. The bandwidth the rule actually gets is the amount specified in Guarantee, plus a share of the remaining available bandwidth divided according to Weight.

For example, on a leased line with 256 Kbps of bandwidth:

Rule | Name | Source | Destination | Service | Action
1 | Rule A | Any | Any | ftp | Rule Guarantee 100 Kbps, Weight 10
2 | Rule B | Any | Any | http | Weight 20

Rule 1 gets a guaranteed bandwidth of 100 Kbps + X, where

X = (256 - 100) * 10 / 30 = 52 Kbps

Rule 2 gets bandwidth Y, where

Y = (256 - 100) * 20 / 30 = 104 Kbps

The formula is:

X or Y = (Weight of this rule / Total Weight of all rules) * remaining bandwidth of the WAN link.

If Rule 1 uses more than its assigned maximum bandwidth while Rule 2 does not use all of its assigned maximum (Guarantee + Weight), the surplus is distributed to Rule 1. This makes bandwidth management more efficient when, at different times, different services use different amounts of bandwidth: bandwidth is distributed to the services in heavy use (those exceeding their assigned maximum), preventing network slowdown and making full use of the link's bandwidth.

If only the two parameters Guarantee and Limit (without Weight) are set for a rule, then once the rule uses its maximum bandwidth, further connections are queued.

If all three parameters Guarantee, Limit and Weight are set and the rule's bandwidth usage reaches the Limit, further connections are distributed according to Weight using the formula in the example above.
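The guarantee-plus-weight formula above, carried through in Python as an added example (not the guide's or Check Point's code). `allocate()` reproduces the 256 Kbps leased-line figures for Rule A and Rule B, and goes one step beyond the text by capping a rule at its Limit and re-dividing the bandwidth the cap frees among the remaining weighted rules; that second scenario, with a constructed 120 Kbps limit on Rule A, is not from the guide.

```python
"""FloodGate-1 style bandwidth split: guarantee plus weighted share.

Added example, not code from the original guide or from Check Point.
Each rule first receives its Guarantee; the bandwidth left on the link is
then divided among the rules in proportion to Weight:

    share = weight_of_this_rule / total_weight * remaining_link_bandwidth

A rule that also carries a Limit is capped there, and what the cap frees
is re-divided among the uncapped weighted rules. The 256 Kbps link and
rules A/B are the guide's worked example; the limited scenario is
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class QosRule:
    name: str
    guarantee: float = 0.0         # Kbps reserved for this rule (Rule Guarantee)
    weight: int = 0                # share of the leftover bandwidth (Rule Weight)
    limit: Optional[float] = None  # hard cap in Kbps (Rule Limit), if set


def allocate(link_kbps: float, rules: List[QosRule]) -> Dict[str, float]:
    """Return the nominal bandwidth each rule can use, in Kbps."""
    for r in rules:
        if r.limit is not None and r.guarantee > r.limit:
            raise ValueError(f"{r.name}: guarantee exceeds limit")
    total_guarantee = sum(r.guarantee for r in rules)
    if total_guarantee > link_kbps:
        raise ValueError("guarantees exceed link bandwidth")

    alloc = {r.name: float(r.guarantee) for r in rules}
    remaining = link_kbps - total_guarantee
    open_rules = [r for r in rules if r.weight > 0]

    # Loop because capping one rule frees bandwidth for the others.
    while open_rules and remaining > 0:
        total_weight = sum(r.weight for r in open_rules)
        capped = [r for r in open_rules
                  if r.limit is not None
                  and alloc[r.name] + remaining * r.weight / total_weight > r.limit]
        if not capped:
            for r in open_rules:
                alloc[r.name] += remaining * r.weight / total_weight
            break
        for r in capped:
            remaining -= r.limit - alloc[r.name]
            alloc[r.name] = float(r.limit)
            open_rules.remove(r)
    # If every weighted rule hit its Limit, the leftover stays unassigned:
    # further connections for those rules queue, as the guide describes.
    return alloc


def guide_example() -> Dict[str, float]:
    """The guide's 256 Kbps leased line: Rule A (ftp) and Rule B (http)."""
    return allocate(256, [QosRule("Rule A", guarantee=100, weight=10),
                          QosRule("Rule B", weight=20)])


def limited_example() -> Dict[str, float]:
    """Constructed extension: same link, Rule A capped by a 120 Kbps Limit."""
    return allocate(256, [QosRule("Rule A", guarantee=100, weight=10, limit=120),
                          QosRule("Rule B", weight=20)])


if __name__ == "__main__":
    print(guide_example())    # Rule A: 152.0 (100 + 52), Rule B: 104.0
    print(limited_example())  # Rule A: 120.0, Rule B: 136.0
```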

Rules are checked starting from rule 1, then rule 2, and on to the following rules. If traffic matches none of the rules, the Default Rule applies to it. The Default Rule matches any traffic and assigns bandwidth using a Weight parameter only; its Weight can be changed at Policy > Global Properties > FloodGate-1 page.

A rule can contain sub-rules, and a sub-rule can contain further sub-rules. The bandwidth assigned to the parent rule (Guarantee) is always greater than or equal to that of its sub-rules. If traffic matches a rule that has sub-rules, the sub-rules are searched to apply bandwidth to that traffic; if no sub-rule matches, the default rule is applied.

To add a sub-rule to a rule, right-click the rule and choose Add Sub-rule.

c. Configuring the VPN server

There are two VPN configurations: site-to-site and remote access. Within the scope of this guide, only Remote Access is configured.

C1. Create user accounts

On the Users tab, right-click User Groups, choose New Group, and name it VPN-group.

Right-click Users > New User > Default; the User Properties dialog appears:

+ General tab: enter the login name.

+ Groups tab: add the group the user account belongs to: VPN-group.

+ Encryption tab: click Edit, choose as shown in the figure and enter the account password.

Click OK.

C2. Define the VPN Domain

The VPN Domain contains all the hosts protected by the gateway that remote clients are allowed to communicate with.

To define the VPN Domain: on the Network Objects tab, double-click the Check Point gateway and define the VPN domain as in the figure below.

C3. Set the VPN type: on the VPN page, click Add > choose Remote Access > OK.

C4. Configure Hub mode: with the gateway set up in Hub mode, the gateway (VPN server) acts as a hub, and all remote clients route all of their traffic through this gateway. Also choose Support NAT traversal mechanism and the default port, for the case where the client side is behind NAT. Configure these settings as in the figure below.

C4. Set up Office Mode and assign IPs to remote clients. Office Mode lets the gateway assign an internal IP address (an address inside the gateway) to a remote client once it has connected and authenticated successfully, so that after connecting to the VPN server the remote client is treated like a client inside the gateway. Configure as in the figure below.

Remote clients can be assigned IPs by DHCP, or a fixed IP can be set for each client for every successful connection. For easier management and ease of use, we configure a fixed static IP for each user when the user connects to the VPN server successfully. Procedure: edit the ipassignment file, located in the directory /opt/CPfw1-R55/conf/ on the Nokia firewall, following the file's own format:

Gateway | Type | IP address | User name
Fwvasc | addr | 192.168.1.10 | VPN-user1
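A check worth running before relying on fixed Office Mode addresses, as an added example (not the guide's or Check Point's code): parse an ipassignment file in the four-column layout above and flag the entries that would break or overlap remote-client addressing. The file contents, the pool 192.168.1.0/24 and the user names beyond VPN-user1 are constructed, and only the `addr` type shown in the guide is handled.

```python
"""Validate static Office Mode assignments in an ipassignment file.

Added example, not code from the original guide or from Check Point.
Parses lines in the layout Gateway / Type / IP address / User name and
reports: entry types other than addr, malformed addresses, one address
given to two users, one user listed twice, and addresses outside the
Office Mode pool. The sample file and the pool are constructed.
"""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    gateway: str
    kind: str
    ip: str
    user: str


def parse_ipassignment(text: str) -> List[Entry]:
    """Parse the file; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"expected 4 columns, got {len(fields)}: {raw!r}")
        entries.append(Entry(*fields))
    return entries


def validate(entries: List[Entry], pool: IPv4Network) -> List[str]:
    """Return one human-readable problem string per defective entry."""
    problems: List[str] = []
    seen_ip: Dict[str, str] = {}    # address -> first user it was given to
    seen_user: Dict[str, str] = {}  # user -> first address listed for them
    for e in entries:
        if e.kind != "addr":
            problems.append(f"{e.user}: unsupported type {e.kind!r}")
            continue
        try:
            ip = ip_address(e.ip)
        except ValueError:
            problems.append(f"{e.user}: malformed address {e.ip!r}")
            continue
        if ip not in pool:
            problems.append(f"{e.user}: {e.ip} is outside the Office Mode pool {pool}")
        if e.ip in seen_ip and seen_ip[e.ip] != e.user:
            problems.append(f"{e.user}: {e.ip} already assigned to {seen_ip[e.ip]}")
        if e.user in seen_user:
            problems.append(f"{e.user}: listed twice ({seen_user[e.user]} and {e.ip})")
        seen_ip.setdefault(e.ip, e.user)
        seen_user.setdefault(e.user, e.ip)
    return problems


# Constructed sample file; the first data line is the guide's example row.
SAMPLE = """\
# Gateway  Type  IP address     User name
Fwvasc     addr  192.168.1.10   VPN-user1
Fwvasc     addr  192.168.1.11   VPN-user2
Fwvasc     addr  192.168.1.11   VPN-user3    # same address as VPN-user2
Fwvasc     addr  192.168.1.300  VPN-user4    # not a valid address
Fwvasc     addr  10.0.0.5       VPN-user5    # outside the pool
Fwvasc     range 192.168.1.20   VPN-user6    # type not handled here
"""
OFFICE_MODE_POOL = ip_network("192.168.1.0/24")  # constructed pool


def check_sample() -> List[str]:
    return validate(parse_ipassignment(SAMPLE), OFFICE_MODE_POOL)


if __name__ == "__main__":
    for problem in check_sample():
        print(problem)
```

Run it against the real file after every edit; a duplicated address is the mistake that is hardest to spot by eye and the one that produces the most confusing client-side symptoms.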

C5. Set up the Remote Access Community

On the VPN Communities tab, double-click the Remote Access community; under Participating Gateways > Add, add the gateway acting as the VPN server; under Participating User Groups > Add, add the group that is allowed to connect (the VPN user group).

C6. Configure SCV (Secure Configuration Verification)

SCV lets the server check the client-side configuration (security policy). To simplify the installation, we let clients connect to the VPN server whether or not they are compliant, and log the connections for monitoring. Configure via Policy > Global Properties > Remote Access page > Secure Configuration Verification (SCV), choosing as in the figure below.

d. Configuring the log server and reporting

By default, when SmartCenter is selected for installation, the log server is installed with that package, and logs can be followed in real time with the SmartView Tracker program.

The Report server lets us produce log statistics per day, per hour and per service.

We install the report server on the same management server.

Configure the log server to push its log files down to the report server's database for statistics.

Configure as in the figure below.

With the configuration above, a log file is moved to the database once it exceeds 500 MB, and log files are also pushed to the database every night (at midnight). When the disk is full, old log files are deleted automatically.

To have URL information appear in SmartView Tracker, configure as follows:

On the log server:

+ Stop the log server (cpstop)

+ Change to the directory c:\program file\checkpoint\SmartviewReportor\Log_consolidator_engine\bin and run the command log_consolidator K true

+ Start the server (cpstart).
