What is address range?
ANSWER
An address range is simply a range of IP addresses. It stipulates the range of IP addresses used in the network, beginning from the first address and ending at the last. It can also be described as a group of IP addresses mapped out for a specific purpose.
It is mainly used in Network Address Translation (NAT) to map a group of private, non-routable ("invalid") Internet Protocol (IP) addresses to a group of valid, routable IP addresses. An example is Dynamic NAT, where a private IP address is mapped to an IP address taken from a range of public IP addresses.
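The following is an added worked example, not code from the original page or from any Check Point product. It models an address range as an inclusive first-to-last span and then uses one such range as the public pool of a dynamic NAT, so that the range membership check and the pool-exhaustion case are both visible. All addresses are constructed sample values (RFC 1918 and documentation ranges); the class and method names are this example's own.

```python
import ipaddress
from typing import Dict, Iterator, List, Optional


def _ip(addr) -> ipaddress.IPv4Address:
    """Accept either a dotted string or an IPv4Address object."""
    return ipaddress.IPv4Address(str(addr))


class AddressRange:
    """An inclusive IPv4 address range, first..last, i.e. the 'address range'
    object described above."""

    def __init__(self, first: str, last: str):
        self.first = _ip(first)
        self.last = _ip(last)
        if self.last < self.first:
            raise ValueError("last address precedes first address")

    def __contains__(self, addr) -> bool:
        return self.first <= _ip(addr) <= self.last

    def __len__(self) -> int:
        return int(self.last) - int(self.first) + 1

    def __iter__(self) -> Iterator[ipaddress.IPv4Address]:
        for n in range(int(self.first), int(self.last) + 1):
            yield ipaddress.IPv4Address(n)


class DynamicNatPool:
    """Dynamic NAT: a private source address is bound to a public address taken
    from a pool (itself an address range). The pool is finite, so a new source
    gets no translation once every public address is bound."""

    def __init__(self, private_side: AddressRange, public_pool: AddressRange):
        self.private_side = private_side
        self.free: List[ipaddress.IPv4Address] = list(public_pool)
        self.bindings: Dict[ipaddress.IPv4Address, ipaddress.IPv4Address] = {}

    def translate(self, src: str) -> Optional[str]:
        """Return the public address for a private source, or None when the
        source lies outside the translated range or the pool is exhausted."""
        addr = _ip(src)
        if addr not in self.private_side:
            return None
        if addr in self.bindings:          # reuse the existing binding
            return str(self.bindings[addr])
        if not self.free:                  # pool exhausted
            return None
        public = self.free.pop(0)
        self.bindings[addr] = public
        return str(public)

    def release(self, src: str) -> bool:
        """Tear down a binding (e.g. on idle timeout) and return the public
        address to the pool."""
        public = self.bindings.pop(_ip(src), None)
        if public is None:
            return False
        self.free.append(public)
        return True


if __name__ == "__main__":
    # Constructed sample: four private hosts share a pool of two public addresses.
    private_hosts = AddressRange("192.168.1.10", "192.168.1.13")
    public_pool = AddressRange("203.0.113.1", "203.0.113.2")
    nat = DynamicNatPool(private_hosts, public_pool)
    for host in ("192.168.1.10", "192.168.1.11", "192.168.1.12"):
        print(host, "->", nat.translate(host))
```

The third host in the sample gets no translation until a binding is released, which is the practical difference between dynamic NAT from a small pool and hide NAT behind a single address.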
What are the new features included in NGX?
ANSWER
In NGX there is more security administration, with unified management of all Check Point gateways from a single console. It provides stronger security and better management for most security problems in Check Point. Administrators of NGX can now centrally manage VPN-1 Pro, VPN-1 Edge, Check Point Express, VSX, Connectra and InterSpect, including simplified management of VPN-1 Edge appliances with centralized configuration and topology creation. The features include:
VoIP: VPN-1 Pro, Express and Edge NGX provide enhanced support for NAT and more VoIP protocols.
VPN-1 Diagnostics: The usability of VPN activity logs has been enhanced.
VPN Tunnel Management: VPN links can be configured to be always on.
PKI, PKCS: Internal CA diagnostics are now available through SmartView Status.
VPN-1 VSX: SmartCenter can now manage VSX 2.0.1, VSX NG AI Release 2 and VSX NG AI.
Office Mode: With this, management of other gateways is now possible.
Multicast: Multicast traffic can now be encrypted.
VPN: VPN security has been enhanced.
VPN-1 Clusters: In load sharing mode, Cisco gateways and LPT Nokia clients can now open tunnels with ClusterXL gateways.
Route Injection Mechanism: Now supported with or without MEP. Etc.
What is implied rule?
ANSWER
An implied (implicit) rule is a rule enforced by the firewall that the user does not see. Such rules are added or removed as part of the features and options configured in other parts of the interface. It is not just one rule but a set of rules. These rules are automatically created in the rule base and cannot be edited or individually deleted. By default, these rules are hidden from view. When a change is made to one of these settings, the corresponding implied rules are added to the rule base.
They are based on the settings selected in the Global Settings of the SmartDashboard software. The rules control communication between the Management module, enforcement module(s) and GUI client(s), as well as controlling other functions such as VPN authentication traffic and OPSEC-compatible server integration traffic.
The implied rules consist of firewall rules which specifically allow certain TCP or UDP traffic to pass through the enforcement module, enabling the various components of the Firewall-1/VPN-1 solution to interact.
For instance, when selections are made in the Global Properties of Firewall-1, the following rules are created:
Accept RIP: RIP is used to communicate information about reachable systems and the routes used to those systems.
Accept Outgoing Packets originating from Gateway: This rule allows any traffic (any protocol, any port) originating from the Gateway machine (the Firewall-1 enforcement module) to any destination to be accepted by the firewall. This could cause problems should an enforcement module become compromised, in which case there is no restriction on what an attacker could do from the compromised machine.
Accept Domain Name over UDP (Queries): The Domain_udp service (UDP port 53) serves DNS requests to allow hostname to IP address resolution.
Accept VPN-1 Pro/Express control connections
Accept SmartUpdate connections
Accept Dynamic Address Modules DHCP traffic: This rule allows DHCP traffic from enforcement modules to be passed in order for them to obtain a DHCP-supplied IP address.
Accept Remote Access control connections
Accept ICMP requests: This rule allows ICMP (Internet Control Message Protocol) traffic, such as ping, to pass across the gateway.
Accept Domain Name over TCP (Zone Transfer): The Domain_tcp service (TCP port 53) serves DNS requests over TCP. This protocol is used to download name resolving tables when zone transfers occur between servers.
What are the components of security objects?
ANSWER
The components of security objects are:
a. Network Objects: These are objects created to represent a network element or a group of network elements, i.e. the actual physical machines and components such as gateways, embedded profiles and servers, as well as logical components such as dynamic objects and IP address ranges. These objects are created and managed by system administrators and then enforced in the security policy. They were created to give the network administrator easier management of the network configuration by giving names to groups of elements. For example, instead of defining a different firewall rule for each IP address of a sub-network, you can just define the rule for the network object containing the IP addresses.
b. Resources: These objects represent application layer protocol traffic such as FTP, SMTP and HTTP, with their attributes.
c. Servers and OPSEC applications: OPSEC applications ensure policy-level interoperability between security products and OPSEC applications. This is done by combining published APIs, a high-level scripting language and industry standards. A server here represents an authentication server or database that provides user authentication services for VPN-1/Firewall-1.
d. Services: These objects represent transport layer protocols, e.g. Internet Protocol Security (IPsec), User Datagram Protocol (UDP), Transmission Control Protocol (TCP) and ICMP, and application layer protocols like Domain Name System (DNS), Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP).
e. Virtual Private Network (VPN) Communities: These objects represent extranet, intranet and remote access Virtual Private Networks (VPNs) that include several enforcement module or gateway objects participating in the VPN.
Security objects are components of VPN-1/Firewall-1 that provide a logical representation of networks, systems, users and applications. With them, VPN-1/Firewall-1 can be configured.
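The following added example (not code from the original page or from Check Point) ties the two preceding answers together: network objects (host, network, address range, group) and service objects are the named building blocks, rules are written against those names rather than individual addresses, and implied rules sit in the same rule base but are hidden from the default view. It uses a first-match evaluator and, as a simplifying assumption of this example only, evaluates the implied rules before the explicit ones. All object names, addresses and rule names are constructed; the "Accept Outgoing Packets originating from Gateway" rule is included so the caveat from the implied-rules answer can be seen: an explicit rule restricting the gateway's own traffic is never reached while that implied rule is enabled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ---- Network objects: named stand-ins for hosts, networks, ranges and groups ----

@dataclass
class Host:
    name: str
    ip: str
    def matches(self, addr: str) -> bool:
        return ipaddress.IPv4Address(addr) == ipaddress.IPv4Address(self.ip)

@dataclass
class Network:
    name: str
    cidr: str
    def matches(self, addr: str) -> bool:
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(self.cidr)

@dataclass
class AddressRange:
    name: str
    first: str
    last: str
    def matches(self, addr: str) -> bool:
        a = ipaddress.IPv4Address(addr)
        return ipaddress.IPv4Address(self.first) <= a <= ipaddress.IPv4Address(self.last)

@dataclass
class Group:
    """A group object: one rule written against the group covers every member."""
    name: str
    members: list
    def matches(self, addr: str) -> bool:
        return any(m.matches(addr) for m in self.members)

# ---- Service objects: transport protocol plus port ----

@dataclass
class Service:
    name: str
    proto: str
    port: Optional[int] = None   # None for port-less protocols such as ICMP
    def matches(self, proto: str, port: Optional[int]) -> bool:
        return proto == self.proto and (self.port is None or port == self.port)

ANY = None   # the 'Any' column value in a rule

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    port: Optional[int] = None

@dataclass
class Rule:
    name: str
    src: object       # network object or ANY
    dst: object       # network object or ANY
    service: object   # Service or ANY
    action: str       # "accept" or "drop"
    implied: bool = False   # implied rules are hidden from the rule base view by default
    def matches(self, p: Packet) -> bool:
        return ((self.src is ANY or self.src.matches(p.src))
                and (self.dst is ANY or self.dst.matches(p.dst))
                and (self.service is ANY or self.service.matches(p.proto, p.port)))

class RuleBase:
    # Simplifying assumption of this example: implied rules are evaluated
    # before the explicit rules, each list in the order given.
    def __init__(self, implied: List[Rule], explicit: List[Rule]):
        self.rules = implied + explicit

    def decide(self, p: Packet) -> Tuple[str, str]:
        """First-match evaluation; an unmatched packet is dropped."""
        for r in self.rules:
            if r.matches(p):
                return r.action, r.name
        return "drop", "no match"

    def visible_rules(self, show_implied: bool = False) -> List[str]:
        """What an administrator sees: implied rules only when explicitly shown."""
        return [r.name for r in self.rules if show_implied or not r.implied]

def build_sample() -> RuleBase:
    """Constructed objects and rules; addresses are RFC 1918 / documentation ranges."""
    gateway = Host("fw-gw", "10.0.0.1")
    internal = Network("Internal_Net", "10.0.0.0/24")
    branch = AddressRange("Branch_Range", "10.1.0.10", "10.1.0.50")
    all_users = Group("All_Users", [internal, branch])
    webserver = Host("web-1", "192.0.2.10")
    http = Service("http", "tcp", 80)
    domain_udp = Service("domain_udp", "udp", 53)
    implied = [
        Rule("Accept Outgoing Packets originating from Gateway", gateway, ANY, ANY, "accept", implied=True),
        Rule("Accept Domain Name over UDP (Queries)", ANY, ANY, domain_udp, "accept", implied=True),
    ]
    explicit = [
        Rule("Web from users", all_users, webserver, http, "accept"),
        Rule("Restrict gateway egress", gateway, ANY, ANY, "drop"),   # shadowed by the implied rule
    ]
    return RuleBase(implied, explicit)
```

Auditing with visible_rules(show_implied=True) alongside decide() is the point of the example: the default view lists only the two explicit rules, yet a packet from the gateway address is accepted by a rule that view does not show.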