Installing Check Point VPN-1/FireWall-1 NG AI on SecurePlatform



Check Point's SecurePlatform operating system (Figure 2.70) is a pre-hardened, performance-tuned version of Linux that Check Point created and supports directly at no cost. Check Point provides SecurePlatform to its customers as another of the many platforms on which its software can be installed. SecurePlatform can turn a normal server into a network appliance in mere minutes.

Figure 2.70: Check Point's SecurePlatform GUI

Many appliances are often just x86 servers, sometimes with a specialized operating system or a few other basic features. Most times they are also more expensive than servers. SecurePlatform also takes advantage of the enormous and continued advancements in the open server market. Intel has continued to produce unprecedented performance in their processors. Hardware manufacturers like Dell, IBM, HP, and even Sun have been producing x86 servers that are inexpensive. Coupled with SecurePlatform, very high performance can be achieved at a very low cost. For example, a server that retails for around $5,000 at the time of this writing can process in excess of 3Gbps of traffic.

Often, the question comes up, "How does SecurePlatform compare with Nokia's IPSO?" IPSO comes with web-based configuration of routing protocols, high availability (HA) and load sharing capabilities built in, as well as the ability to have multiple versions of the operating system installed, all at no extra cost. SecurePlatform does not currently have as many features in the web interface, but it runs on less expensive hardware and has routing protocols configured via the command line. HA is now enabled in new licenses, but load sharing is a separate license at extra cost. Check Point is placing much effort into developing the SecurePlatform operating system, but often the choice for SecurePlatform is based on price and performance.

In addition, Check Point provides support for the operating system and all the updates (which can also be distributed via SmartUpdate) at no cost. Any hardware issues would be handled by your hardware manufacturer, but any software, driver, or operating system issues are handled through your support contract with Check Point. This makes for a very cost-effective security solution for companies while providing a single source of support. This level of performance at such a low cost, in combination with SmartDefense, makes providing security to high-speed LANs a reality.

Installing and Configuring Check Point SecurePlatform AI

Check Point's SecurePlatform is streamlined to be installed easily and quickly. Simply place the CD in the server, set the BIOS to boot from CD, and boot the computer. The installation can be done via the serial port or the console. The only questions you will be asked during this part of the installation are what language you want the installation to be in and what IP address you wish to use to complete the second phase of the installation. At this point, the installation program will format the first drive it finds, partition it appropriately, install the software, and prompt you for a reboot. After the reboot, you will complete the installation by going to https://<IP address you previously configured> to configure the rest of the interfaces, install the packages, and configure the management station or firewall.

Check Point's SecurePlatform is not simply an easy installation of Linux with web-based management. Check Point has gone through the work of hardening the operating system and even making the command-line access to the operating system similar to other appliances. For example, when you log in to the system via the console, serial port, or SSH, you will be presented with a restricted shell that only allows a few select commands to be executed. The available commands depend on which packages are installed and the configuration of those packages.

Illustration 2.16 shows the commands available on a system with SmartCenter, VPN-1/FireWall-1, and the Policy Server installed. Simply executing ? will give a list of the available commands.

Illustration 2.16: cpshell Usage
 [patty.theCurb.net]# ?
 Commands are:
 ?               - Print list of available commands
 LSMcli          - SmartLSM command line
 LSMenabler      - Enable SmartLSM
 SDSUtil         - Software Distribution Server utility
 addarp          - Add permanent ARP table entries
 adduser         - Add new user
 arp             - Display/manipulate the arp table
 audit           - Display/edit commands entered in shell
 backup          - Backup configuration
 checkuserlock   - Check if user is locked
 cp_conf         - CheckPoint system configuration utility
 cpconfig        - Check Point software configuration utility
 cphaprob        - Defines critical process of High Availability
 cphastart       - Enables the High Availability feature on the machine
 cphastop        - Disables the High Availability feature on the machine
 cpinfo          - Show Check Point diagnostics information
 cplic           - Add/Remove Check Point licenses
 cpshared_ver    - Show SVN Foundation version
 cpstart         - Start Check Point products installed
 cpstat          - Show Check Point statistics info
 cpstop          - Stop Check Point products installed
 date            - Set/show date
 delarp          - Remove permanent ARP table entries
 deluser         - Remove existing user
 diag            - Send system diagnostics information
 dns             - Add/remove/show domain name resolving servers
 domainname      - Set/show domain name
 exit            - Switch to standard mode/Logout
 expert          - Switch to expert mode
 fips            - Turns on/off FIPS mode
 fw              - VPN-1/FireWall-1 commands
 fwaccel         - SecureXL commands
 fwm             - FW-1/VPN-1 management utility
 help            - Print list of available commands
 hostname        - Set/show host name
 hosts           - Add/remove/show local hosts/IP mappings
 idle            - Set/show auto logout time in minutes
 ifconfig        - Configure/store network interfaces
 lockout         - Configure lockout parameters
 log             - Log rotation control
 netstat         - Show network statistics
 ntp             - Configure ntp and start synchronization client
 ntpstart        - Start NTP clock synchronization client
 ntpstop         - Stop NTP clock synchronization client
 passwd          - Change password
 patch           - Install/Upgrade utility
 ping            - Ping a host
 reboot          - Reboot gateway
 restore         - Restore configuration
 route           - Configure/store routing tables
 scroll          - Allow scrolling the output of various commands
 showusers       - List SecurePlatform administrators
 shutdown        - Shut down gateway
 sim             - SecureXL Implementation Module commands
 sysconfig       - Configure your SecurePlatform Gateway
 time            - Set/show time
 timezone        - Set/show the time zone
 top             - Show the most active system processes
 traceroute      - Trace the route to a host
 unlockuser      - Unlock user
 vconfig         - Configure Virtual LANs
 ver             - Print the version
 vpn             - Control VPN
 webui           - Configure web UI
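
An added example (not from the book or from Check Point): because the commands the restricted shell exposes depend on the installed packages and their configuration, diffing a captured ? listing against a saved baseline shows when a gateway's command set has changed. It assumes the listing holds one "name - description" entry per line; the two sample captures and the function names are constructed for illustration.

```python
import re

# Constructed samples: a few entries in the "name - description" layout of
# Illustration 2.16, standing in for listings captured at two points in time.
BASELINE = """\
Commands are:
?               - Print list of available commands
backup          - Backup configuration
expert          - Switch to expert mode
fw              - VPN-1/FireWall-1 commands
passwd          - Change password
"""
CURRENT = """\
Commands are:
?               - Print list of available commands
backup          - Backup configuration
expert          - Switch to expert mode
fw              - VPN-1/FireWall-1 commands
fwm             - FW-1/VPN-1 management utility
vpn             - Control VPN
"""

# One entry: a command name, whitespace, a dash, then the description.
ENTRY = re.compile(r"^(\S+)\s+-\s+(.+?)\s*$")

def parse_listing(text):
    """Return {command: description} from a captured '?' listing."""
    commands = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # prompt line, "Commands are:" and blank lines do not match
            commands[m.group(1)] = m.group(2)
    return commands

def diff_listings(baseline, current):
    """Compare two listings; return (added, removed) command names, sorted."""
    old, new = parse_listing(baseline), parse_listing(current)
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())

if __name__ == "__main__":
    added, removed = diff_listings(BASELINE, CURRENT)
    print("newly exposed:", added)
    print("no longer exposed:", removed)
```
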
 

sysconfig is a menu-driven system for configuring the properties of the OS such as routing, date/time, and IP addresses. The expert command requires another password (which should be a different one) and gives the administrator a full Unix shell for advanced configuration. A detailed explanation of the commands, as well as how to manage and appropriately size SecurePlatform, is available in the sister book to this one: Check Point NG VPN-1/FireWall-1: Advanced Configuration and Troubleshooting (Syngress Publishing, ISBN: 1-931836-97-3).




Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
