Instructor S Notes

Instructor’s Notes CCSA R70 Upgrade

It is recommended that this course be taught using VMware. Internet access is not a requirement for the labs, although it is necessary for the initial setup of the DMZ host machine which the instructor should complete prior to class. See notes specifically for each exercise for more information about using the Internet to enhance the exercise. Here are the specifics.

This course is designed for students who are certified CCSA NG, NGAI, or NGX, and are seeking the CCSA R70 certification. It covers topics covered in the current CCSA R70 course that are not covered in earlier versions. Therefore, repetition of lecture material that overlaps R70 with earlier versions will not be necessary. However, lab material may contain items previously covered in order to establish lab flow from one exercise to the next.

Refer to these notes and the following materials throughout the class:  Check Point Security Administrator R70 Courseware  Check Point Security Administrator R70 Lab manual  Educational Software Blades CD – R70 (CD1, CD3)  Educational Software Blades CD – R65 (CD1)  CCSA R70 Upgrade Instructor’s Slides

Student Topology To complete the CCSA R70 course, each student will have 5 systems assigned to them not counting the host machine. Minimum Minimum No. of Hard Additional Memory Machine Ethernet Drive OS Features (RAM) Interfaces Space Required Required Required Windows Host Server 2003 or Service Pack 2 4 GB 65 GB Machine Windows XP 1, FTP Professional Security Gateway for Bootable 3 256 MB 10 GB Red Hat Linux Corporate CDROM Net (sgcorp) Security Gateway for Bootable Branch 2 256 MB 10 GB Red Hat Linux CDROM Office (sgbranch)

CCSA R70 Accelerated Instructor’s Notes Mail Server 1 256 MB 8 GB Fedora 11 DMZ Server Web Server (DMZcorp) This machine is a VM image downloaded from the Fedora Web site. Follow the instructions below for download and configuration information. Security Managemen Bootable 1 512 MB 11 GB Red Hat Linux t Server CDROM (smcorp) Branch Windows XP Office Client 1 256 MB 8 GB PuTTY Prof. (pcbranch)

CCSA R70 Accelerated Instructor’s Notes Course Schedule The following schedule is included in the student syllabus. Consider using it as your guide as well. Review questions are optional. You may refer to the original CCSA R70 slide deck, or download the CCSA R70 Upgrade slides from the Website. These have been modified to hide some of the slides and display only the topics covered in the CCSA R70 Upgrade class. You can modify the hidden slides by right-clicking on the slide and re- selecting the option, “Hide Slide” from the drop-down menu.

Day Lecture Topic Labs to Follow Lecture Lab 1: Distributed Installation No new content. A discussion concerning 1 Lab 2: Branch Office Security the new topology will be useful. Gateway Installation Check Point Software Blades No lab exercise Deployment Platforms - UTM-1 Edge Appliances - IP Appliances - Introduction to Voyager - IPSO File System and Directory No lab exercise Structure - CLISH – IPSO’s Dedicated Configuration Shell - IP Network Voyager Lab 4: Defining Basic Objects and Optional lecture. Slides containing Rules review material may be useful. Lab 5: Configure the DMZ Lab 6: Configuring NAT 2 Using SmartUpdate Lab 8: Using SmartUpdate Lab 9: Upgrading a Security Gateway Upgrading to R70 Locally Lab 11: Site-to-Site VPN between Corporate and Branch Office Encryption and VPNs Lab 12: Two Gateway IKE Encryption Introduction to VPNs Using Certificates Lab 13: Remote Access and Office Mode Lab 14: Messaging and Content 3 Messaging and Content Security Security

Check Point IPS Lab 15: Implementing IPS

CCSA R70 Accelerated Instructor’s Notes Lab Setup Labs 1 and 2: Distributed Installation and Branch Office Security Gateway Installation

The students will need CD1 and CD3 from the R70 Security Gateway CD kit. These are provided in the student kits. The CDROM should be enabled for the SecurePlatform machines unless you have ISOs available. Ensure you have R65 Security Gateway CDs available. You will install R65 on the Branch Office gateway in order to upgrade in a later lab.

Essentially, the student will need to install the Security Management Server and a Security Gateway in the corporate network, along with a Security Gateway in the Branch city. Both Gateways will be centrally managed from the Corporate Management Server.

No lecture is necessary for these labs. Lab 3: CLI Tools Omit this lab. Lab 4: Defining Basic Objects and Rules

Build and install the Policy as shown on page 116, step 12.

Ensure that the GUIclient machines have the FTP service running or are configured as FTP servers.

Lab 5: Configure the DMZ

Add the Web Traffic Rule to the Rule Base as in steps 7 – 10 on page 123. Remember to define the DMZ machine’s hostname in the host file of the client machine in the branch office for each student. Lab 6: Configuring NAT

Complete all the steps in this lab. Lab 7: Monitoring with SmartView Tracker

Omit this lab.

CCSA R70 Accelerated Instructor’s Notes Lab 8: Using SmartUpdate

Complete all the steps in this lab.

In step 7, if Internet access is not provided to student lab stations, download HFA 40 ahead of time, and save it as an ISO on their desktops or on CDs.

Step 15, or the actual update, can take as much as 15 or 20 minutes. Consider offering your students a break at this time.

Lab 9: Upgrading a Security Gateway Locally

There are two steps in this lab that require wait-time…steps 5 and 7-9. Lecture or more break time could be applied here. Lab 10: Client Authentication

Omit this lab. Lab 11: Site-to-Site VPN between Corporate and Branch Office

This lab uses PuTTY from the branch office client. Ensure that it is downloaded and installed on the pcbranch machine prior to this lab.

Lab 12: Two Gateway IKE Encryption Using Certificates

You will need to complete steps 1-9 to save the Atlantis certificate key, which means you’ll need to enable IPSec VPN on the Atlantis gateway. The machine sgatlantis can be configured with an any-any policy for simplicity. You will be exchanging certificates with each of the student stations to complete this lab.

CCSA R70 Accelerated Instructor’s Notes Lab 13: Remote Access and Office Mode

Since the user authentication chapter and lab is skipped in this course, the student is instructed to create a local user group and account in SmartDashboard in lieu of creating a new LDAP group for remote access authentication. Refer to the student’s syllabus for more information.

You may decide to take a different tact with this lab instead of the way it is written to make it appear more real-world. For example, it is noted that the remote user could be located outside of a gateway protected network, and that the pcbranch machine could be removed from behind the branch office gateway easily if using VMware; i.e., redefine the IP address and change the VMnet assignment. Lab 14: Messaging and Content Security

Run your mail.sh script file as instructed above from the pirate (BackTrack) machine to generate the attack mail for this lab. The student has been instructed to inform you when they are ready for the attacks. You can decide to wait for all the students to be ready and send all the students the attacks at once using the batch file, or generate the attacks on an as-needed basis to each student individually. Lab 15: Implementing IPS

Ensure that insecure.war is installed on the DMZhost machine of each student lab station. Verify its location. See step 41 in the Generate an Attack section of the lab.

CCSA R70 Accelerated Instructor’s Notes DMZ Server Installation and Setup

Fedora Image installation Step-by-step:

1. Download Fedora 11 distribution from: http://fedoraproject.org/en/get-fedora

This will result in a file called Fedora-11-i686-Live.iso.

2. Start VMWare.

3. Create a new VM (File > New > Virtual Machine).

4. Select “Typical”.

CCSA R70 Accelerated Instructor’s Notes 5. Choose the installation location, which will be the ISO file you downloaded.

6. Select Linux as the guest operating system, and “Other Linux 2.6.x kernel” as the Version.

CCSA R70 Accelerated Instructor’s Notes 7. Give the VM a name. Since the labs designate specific corporate sites for their DMZ machines, we use the format, DMZcorp, where corp is the dummy variable for the corporate city site-name; i.e., DMZny or DMZparis. You can just as easily use the name DMZhost if you prefer.

8. Provide 8GB of disk space, and break it into 2 GB files.

CCSA R70 Accelerated Instructor’s Notes 9. Review the configuration, then click “Customize Hardware…”.

CCSA R70 Accelerated Instructor’s Notes 10.Set the Network adapter to “Bridged” for the time being, since we will need Internet connectivity for installing some of the packages. You can also remove the sound card, and floppy drive if you wish. Selecting 256 MB of RAM should be sufficient. Click “OK”.

CCSA R70 Accelerated Instructor’s Notes 11.Click Finish, which completes the setup and powers on the Virtual Machine. If the machine doesn’t power automatically, start the machine manually.

CCSA R70 Accelerated Instructor’s Notes 12.When the login screen appears, click “Log In”.

CCSA R70 Accelerated Instructor’s Notes 13.In order to install the OS to the VM Disk, double-click the “Install to Hard Drive” shortcut on the desktop.

CCSA R70 Accelerated Instructor’s Notes 14.Click “Next” at the installation screen.

CCSA R70 Accelerated Instructor’s Notes 15.Select your language and click “Next”.

CCSA R70 Accelerated Instructor’s Notes 16.The drive will need to be reinitialized, since it has no data on it. Click the “Re- initialize drive” button.

CCSA R70 Accelerated Instructor’s Notes 17.Provide a hostname. This is a fully qualified domain name unique for each DMZ host related to the lab station in which it resides. In this example, usa.cp is used. Click “Next”.

CCSA R70 Accelerated Instructor’s Notes 18.Select your local time-zone. Use either the drop-down menu or the map with the zoom slider. Click “Next”.

CCSA R70 Accelerated Instructor’s Notes 19.Provide a root password. For our labs, we will use “abc123”. Click “Next”. The system will warn of a weak password. Click “Yes”.

CCSA R70 Accelerated Instructor’s Notes 20.Set up the drive usage. Select “Use entire drive” from the drop-down menu and click “Next”. You will be warned that this will remove partition data. Click “Write changes to disk”.

CCSA R70 Accelerated Instructor’s Notes 21.The installation process will start. This will take a few minutes.

CCSA R70 Accelerated Instructor’s Notes 22.Once the installation is completed, click “Close” to initiate the reboot and complete the installation.

There MAY be a “Remote drive mount” error that appears. You can ignore this as it is part of the RAMdisk process that is no longer required since the system is shutting down. Close it by clicking “OK”.

CCSA R70 Accelerated Instructor’s Notes 23.Click “System > Shutdown” to start the reboot process to boot from the hard drive. Select “Restart” from the option box that appears.

CCSA R70 Accelerated Instructor’s Notes 24.Once the reboot is complete, you are brought to the initial configuration wizard. Click “Forward” to proceed to the license screen, then “Forward” again to accept the GNU license statement.

CCSA R70 Accelerated Instructor’s Notes 25.After the license screen, you come to the Create User screen. This is the non-root user that is added for logging into the system. Use “lab” as the username, and “Lab User” for the full name. The password will be “vpn123”. Click “Forward”. Again, the password is weak. Click “Yes” to acknowledge this and continue.

CCSA R70 Accelerated Instructor’s Notes 26.Next, set the time and date information. Click “Forward”.

27.You are presented with a hardware profile window that lists the specifics of your hardware and asks if you would like to share that information. Click “Finish” when done. You can send the information if you like. If you decline, it will ask you again to reconsider. You can decline again.

CCSA R70 Accelerated Instructor’s Notes 28.Installation of the OS is now complete and you can log in with the “lab” user with the password “vpn123”.

CCSA R70 Accelerated Instructor’s Notes 29.Open a terminal window by clicking “Applications > System Tools > Terminal”.

CCSA R70 Accelerated Instructor’s Notes 30.From the terminal, initiate installation of the packages needed for the applications we are going to use. Change to the “root” context by using the “su” command and entering the root password of “abc123”. Then type the following commands: yum –y install postfix yum –y install vsftpd yum –y install tomcat6 yum –y install system-switch-mail

CCSA R70 Accelerated Instructor’s Notes 31.Change the default mail transfer agent (MTA) from sendmail to postfix. Use the command “system-switch-mail” and select “postfix” then “Ok”. Confirm that the MTA has changed.

CCSA R70 Accelerated Instructor’s Notes 32.Setting the mail server configuration files: a. Edit the file /etc/postfix/main.cf b. Add the following lines to the main.cf file: myhostname = dmzhost.[your country].cp mydomain = [your country].cp myorigin = $mydomain inet_interfaces = all mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain home_mailbox = Maildir/

c. Validate the postfix configuration with the command “postfix check”. d. If no output is given then the file is ok. Reload postfix with the command “postfix reload”.

33.Create a default webpage: a. At the prompt, type vi /var/www/html/index.html b. Insert whatever content is appropriate to identify the server, such as “Hello world from [my domain]; i.e., usa.cp.

34. Configure the Web server host name: a. At the prompt, type vi /etc/httpd/conf/httpd.conf b. Add a line ”ServerName www.[your county].cp:80” i.e. www.usa.cp:80 c. Start the Web server process and set it to start on boot: service httpd start chkconfig httpd

35.Start the Tomcat Service and set it to start at boot: service tomcat6 start chkconfig tomcat6 on

36.Start the FTP service and set it to start at boot: service vsftpd start chkconfig vsftpd on

37.Download the OWASP “Insecure Web project” files from: http://downloads.sourceforge.net/sourceforge/insecurewebapp/insecure- 20051027.zip?use_mirror=softlayer a. This will download a file called “insecure-20051027.zip”. b. Unzip that file using “unzip insecure-20051027.zip”. c. Change to the unzipped directory and copy the file insecure.war to the Tomcat directory using “cp insecure.war /var/lib/tomcat6/webapps/.” This will set up the website for Lab 15: Implementing IPS.

CCSA R70 Accelerated Instructor’s Notes To change the IP address to a static value:

38.To set the IP address to a static value, type “system-config-network” from the prompt, and the Network Configuration window appears:

CCSA R70 Accelerated Instructor’s Notes 39.Click “Edit”. Select “Manually configured” and enter the IP address that is appropriate to that environment. Click “Ok”. Close the Network Configuration window and click “yes” to save the changes.

40.Change the VMnet adapter on this machine to VMnet 0 or whatever the host-only VM network adapter is. 41.Reboot by clicking “System” then “Shutdown” and select “Restart”.

Note other changes that may be required:

 To Change Hostname defaults: Edit the file: /etc/sysconfig/network

 To Modify Postfix configuration: Edit the file: /etc/postfix/main.cf and change $myhost= and $mydomain=

 To Modify httpd configuration: Edit the file: /etc/httpd/conf/httpd.conf and change ServerName

CCSA R70 Accelerated Instructor’s Notes  To Disable linux host firewall: service iptables stop chkconfig iptables off

 To Disable SELinux: Edit the file: /etc/selinux/config and change SELINUX=disabled

 To Allow a local user access to FTP: Edit the file: /etc/vsftpd/vsftpd.con and remove # before local_enable=yes and remove # before write_enable=yes

 To Restart vsftpd service: Type at the prompt: service vsftpd restart

Notes:

 Since we are not using a DNS server in these labs, you must direct all the host files on the Windows machines to the DMZ host machine. On this machine, the host file is in the /etc directory. Use the hostname you defined earlier; i.e., dmzcorp.usa.cp

 Though not required in the labs, if you want to get mail messages off of the DMZ host, you must install and configure Dovecot. At the prompt, type:

yum –y install dovecot

After it has installed, edit dovecot.conf at the prompt by typing: vi /etc/dovecot.conf

Make the following changes in the file : protocols = pop3 disable_plaintext_auth = no mail_location = maildir:/home/%n/Maildir

under auth default: mechanisms = plain login

under the section called socket listen: socket listen { master { path = /var/run/dovecot/auth-master mode = 0600 user = vmail }

client { path = /var/spool/postfix/private/auth mode = 0660 user = postfix Page 35 CCSA R70 Accelerated Instructor’s Notes group = postfix } }

 This is not a requirement, but you can save on some resources by disabling the graphical desktop environment at boot. To do this, modify the file /etc/inittab and change the last line that reads “id:5:initdefault:” to “id:3:initdefault:”.

Since the interface does not come up in non-graphical mode, you must change the network management options. Type the following at the prompt:

chkconfig NetworkManager off service NetworkManager stop chkconfig network on service network start

CCSA R70 Accelerated Instructor’s Notes Instructor Site Setup and Installation

The instructor site includes the following machines:

Minimum No. of Minimum Hard Additional Ethernet Memory Machine Drive OS Features Interface (RAM) Space Required s Required Required Windows Service Pack 1, Server 2003 Host Machine FTP, 2 4 GB 65 GB or Windows GUIclient SmartConsole XP R65 or R70 Professional 8 GB for Security Security Gateway R65 Red Hat 2 256 MB Gateway R65 or (sgatlantis) 10 GB for Linux R70 R70

1 See note See note See note Attack tools Pirate.atlantis.cp This machine is a VM image downloaded from remote-exploit.org Web site. Follow the instructions below for download and configuration information. Security Security Management Red Hat 1 512 MB 10 GB Management Server Linux R65 or R70 (smatlantis) Windows Active 1 512 MB 8 GB 2003 XP Directory Ldap.atlantis.cp Professional This machine is not required.

Pirate Machine Installation and Configuration

This information is important for Lab 14: Messaging and Content Security to function properly. Once the BackTrack VM is downloaded and opened in VMware, you will build three text files and one script file that generate email attacks to student machines. You can create another script that sends the attacks to all the students at once, or designated students. If you prefer to send the attacks to students one at a time, the command for that is included in these instructions as well.

Backtrack 3 Image Download and Setup:

CCSA R70 Accelerated Instructor’s Notes Link to download BackTrack 3 VM Image. http://www.remote-exploit.org/cgi-bin/fileget?version=bt3-vm

Note: You can also download the ISO image of the BackTrack3 virtual machine, and run the machine from the image. However, you will have to save the configuration changes before shutting the machine down or all your changes will be lost.

Modify interface settings to enable eth0 and give it an IP address: # ifconfig eth0 up # ifconfig eth0 172.31.1.201 # route add default gw 172.31.1.2 # echo ‘search atlantis.cp’ > /etc/resolv.conf # echo ‘nameserver 172.31.2.101’ >> /etc/resolv.conf # hostname pirate # domainname atlantis.cp

Note: Either the LDAP server on the instructor site should have DNS set up with the DMZhost IPs and domain names, or a host file must be created on the pirate machine. Locate the host file at /etc/hosts. By default, when resolving names, the pirate machine will first look at the local file (hosts) before looking in the resolv.conf file.

Create and edit the following files: #touch /root/mail.sh #touch /root/spam.txt #touch /root/clean.txt #touch /root/virus.txt #chmod 744 /root/mail.sh

# vi /root/spam.txt from: [email protected] subject: Spam Message This message should be marked as spam due to blocked sender list. [Blank line]

# vi /root/clean.txt from: [email protected] subject: Safe message This message should be allow to pass. [Blank line]

# vi /root/virus.txt from: [email protected] subject: Virus message This message should be blocked for containing a virus. [Blank line]

# vi /root/mail.sh #!/bin/bash #This is a script file to call sendmail and the pirana mailer to send messages #to target hosts sepcified in the command line. Multiple hosts can be targeted #with a 'for' loop in the command line. 3 messages will be sent per iteration #and there will be 3 iterations per execution. if [ $# -eq 0 ]

CCSA R70 Accelerated Instructor’s Notes then echo "Usage : $0 [target domain] (e.g. usa)" exit 1 fi TARGET=$1 echo "Sending messages to $TARGET " for (( i=1; i<=3; i++ )) { /usr/sbin/sendmail lab@$TARGET.cp < /root/spam.txt /usr/sbin/sendmail lab@$TARGET.cp < /root/clean.txt /usr/sbin/sendmail lab@$TARGET.cp < /root/virus.txt /pentest/fuzzers/pirana/pirana2.pl -e 0 -c 0 -s 2 -v –h dmzcorp. $TARGET.cp –a lab@$TARGET.cp -l localhost -p 1337 > /dev/null } exit 0

Modify the pirana.pl Script At the prompt, create a copy of the pirana.pl file and call it pirana2.pl. From the command prompt, type: #cp /pentest/fuzzers/pirana/pirana.pl /pentest/fuzzers/pirana/pirana2.pl

On line 30 of pirana2.pl, change “my $from_address = ‘[email protected]’” to “my $from_address = ‘[email protected]’” Save and close the file.

Make sure that the resolv.conf file is updated with the nameserver information or the host file, /etc/hosts has been created.

Before running the script file, you must run the command ‘make’ from the absolute path to the binaries directory (the exploit bins) of the pirana directory in order to create the binaries. If you neglect to do this, the script will fail. For example: if in the root directory, type ‘cd /pentest/fuzzers/pirana’ to change to the pirana directory. Then type, ‘make –f Makefile’.

Copy the mail.sh script file to /pentest/fuzzers/pirana directory and run the script file from within the pirana directory.

In order to run the attacks the instructor can either initiate them individually for each domain (student), or run them as a batch by using a “for” loop. In order to run the attack individually the instructor types: # /pentest/fuzzers/pirana/mail.sh [country name] i.e. # mail.sh usa

To run the attack as a batch, create a file that lists the active countries one per line: # vi /pentest/fuzzers/pirana/targets england usa japan germany france canada australia india

CCSA R70 Accelerated Instructor’s Notes china brazil spain italy mexico russia

Any targets that are not active can be commented out with a # at the beginning of the line with that entry. To run the attack: # for target in `cat /pentest/fuzzers/pirana/targets`; do /pentest/fuzzers/pirana/mail.sh $target; done

CCSA R70 Accelerated Instructor’s Notes