Check Point VPN-1/FireWall-1 on AIX: A Cookbook for Stand-Alone and High Availability Solutions

Author(s): IBM Redbooks
Publisher: IBM
Year: 2001

Language: English
Pages: 402

Contents......Page 5
Figures......Page 9
Tables......Page 13
The team that wrote this redbook......Page 15
Comments welcome......Page 17
Part 1. Implementing Check Point VPN-1/FireWall-1......Page 19
1.1 Basic firewall design......Page 21
1.2 Compartmentalized firewall environment design......Page 24
1.3 Need for highly available firewalls and load balancing......Page 29
1.4 What’s new in VPN-1/FireWall-1 V4.1 and SP1......Page 30
1.5 What’s new in VPN-1/FireWall-1 V4.1 SP2......Page 38
Part 2. Making Check Point FireWall-1 highly available......Page 41
2.1.1 Network plan......Page 43
2.1.2 Nodes......Page 44
2.2 Basic AIX installation......Page 45
2.3.1 Basic setup......Page 53
2.3.2 Configuration of AIX networking......Page 67
2.4 Basic installation of VPN-1/FireWall-1......Page 74
2.5 Basic configuration of VPN-1/FireWall-1......Page 88
2.6 Hardening the AIX operating system......Page 100
2.7.1 Installation of the VPN-1/FireWall-1 Windows GUI......Page 103
2.7.2 Creating a simple ruleset with VPN-1/FireWall-1......Page 104
2.7.3 Improving the security of a VPN-1/FireWall-1 Security Policy......Page 117
2.7.4 Creating network objects......Page 121
2.7.5 Configuring protection from IP spoofing......Page 123
2.7.6 Creating a useful ruleset......Page 127
2.8.1 Configuring simple user authentication......Page 129
2.8.2 Configuring client authentication......Page 134
2.9 Configuring network address translation with VPN-1/FireWall-1......Page 142
2.9.1 Static NAT......Page 143
2.9.2 Double-static NAT......Page 148
2.9.3 Dynamic (hide mode) NAT......Page 149
2.10 Configuring virtual private networking with VPN-1/FireWall-1......Page 151
2.10.1 Configuring VPN-1/FireWall-1 for client encryption......Page 152
2.10.2 Installing and configuring SecuRemote......Page 156
3.1.1 Test environment......Page 167
3.1.3 Classical VPN-1/FireWall-1 HA design......Page 168
3.1.4 Our HA design......Page 169
3.2 Configuring AIX for highly available VPN-1/FireWall-1......Page 172
3.3 Installing HACMP......Page 177
3.4.1 Cluster topology......Page 178
3.4.2 Cluster resources......Page 189
3.4.3 Cluster event customization......Page 193
3.4.4 Solving the ARP cache problem......Page 195
3.5.1 Custom shell scripts for HACMP events......Page 196
3.5.2 Custom shell scripts for status gathering......Page 198
3.5.4 Custom shell scripts for file synchronization......Page 202
3.6.1 Cloning the first node to the second HACMP node......Page 212
3.6.2 Configuration of the second node......Page 217
3.7 Testing HACMP without VPN-1/FireWall-1......Page 220
3.7.1 Synchronize HACMP configuration......Page 221
3.7.2 Start HACMP......Page 222
3.7.3 Prepare test environment......Page 226
3.7.4 Test the takeover scenario......Page 227
3.8.1 Command line configuration......Page 232
3.8.2 GUI configuration......Page 236
3.8.3 VPN-1/FireWall-1 state table synchronization......Page 239
3.8.4 Testing VPN-1/FireWall-1 HA with HACMP......Page 240
3.8.5 HACMP service IP addresses-VPN-1/FireWall-1 Security Policy......Page 242
3.9.1 Synchronizing VPN-1/FireWall-1 management......Page 247
3.9.2 NAT......Page 249
3.9.3 Authentication......Page 251
3.9.4 Encryption......Page 252
3.10.1 A more granular security policy for HACMP services......Page 253
3.10.2 Replacing RSH with SSH (Secure Shell)......Page 256
3.11.1 The clstat X-Window system display......Page 267
3.11.4 HACMP cluster event customizing......Page 270
3.11.5 VPN-1/Firewall-1 rule additions......Page 272
3.11.6 Testing the failover alerts......Page 273
4.1.1 Interactive Session Support (ISS)......Page 277
4.1.2 Network Dispatcher function......Page 279
4.1.3 Content Based Routing (CBR)......Page 280
4.2 How does ND fit together with VPN-1/FW-1......Page 281
4.2.1 Firewall technologies......Page 282
4.2.2 Integrating ND with VPN-1/FireWall-1......Page 284
4.3.1 High availability......Page 286
4.3.2 Load balancing......Page 288
4.4 Installing Network Dispatcher on AIX......Page 289
4.6.1 Basic dispatcher functionality......Page 292
4.7.2 Scenario 1: High availability with ND......Page 295
4.7.3 Scenario 2: High availability and load balancing proxied traffic......Page 304
4.7.4 Scenario 3: High availability and load balancing routed traffic......Page 315
5.1.1 Installation procedure......Page 323
5.2.1 Test network topology......Page 327
5.3.2 Changes to the Security Policy......Page 330
5.4 SecuRemote client configuration......Page 344
5.5.2 VPN-1/Firewall-1 state table synchronization......Page 347
5.5.4 Telnet......Page 348
5.6 Summary......Page 349
A.1.1 Quick review of basic concepts......Page 351
A.1.2 Components of HACMP software......Page 356
A.1.4 HACMP cluster events......Page 357
A.1.5 Customizing events......Page 359
A.2 Design consideration......Page 360
A.3 How does HACMP fit together with the firewall?......Page 367
Appendix B. An example of the HACMP planning worksheet......Page 369
Appendix C. Open Platform for Security (OPSEC)......Page 373
Appendix D. Special notices......Page 383
E.3 Other resources......Page 387
E.4 Referenced Web sites......Page 388
How to get IBM Redbooks......Page 389
IBM Redbooks fax order form......Page 390
Index......Page 391
IBM Redbooks review......Page 397