Configuring BaySecure FireWall-1
Router Software Version 11.02
Site Manager Software Version 5.02
Part No. 116751-A Rev. A

4401 Great America Parkway, Santa Clara, CA 95054
8 Federal Street, Billerica, MA 01821
Copyright © 1988–1997 Bay Networks, Inc. All rights reserved. Printed in the USA. May 1997.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty.
Bay Networks Software License Note: This is Bay Networks basic license document. In the absence of a software license agreement specifying varying terms, this license -- or the license included with the particular product -- shall govern licensee’s use of Bay Networks software. This Software License shall govern the licensing of all software provided to licensee by Bay Networks (“Software”).
Bay Networks Software License (continued) 9. Licensee shall not reverse assemble, reverse compile, or in any way reverse engineer the Software. [Note: For licensees in the European Community, the Software Directive dated 14 May 1991 (as may be amended from time to time) shall apply for interoperability purposes. Licensee must notify Bay Networks in writing of any such intended examination of the Software and Bay Networks may provide review and assistance.] 10.
Contents

About This Guide
Before You Begin ......... ix
Conventions ......... x
Acronyms ......... x
Ordering Bay Networks Publications .........
Configuring a FireWall Security Policy ......... 1-23
Installing the Security Policy on the Router ......... 1-24
Troubleshooting Checklist ......... 1-24
Index

Figures
Figure 1-1. Choose Destination Location Window ......... 1-11
Figure 1-2. Selecting Product Type Window ......... 1-11
Figure 1-3. Licenses Window .........
Figure 1-4. Administrators Window
Figure 1-5. Add Administrators Window
Figure 1-6. Hit Key Session Window
Figure 1-7. CA Key Window
Figure 1-8. Choose Destination Location Window
Figure 1-9. Select Components Window
Figure 1-10. Configuration Manager Window
Figure 1-11. F.W. Global Window
Figure 1-12. F.W. Router Parameters Window
Figure 1-13.
Figure 1-14. Boot Router Window
About This Guide
If you are responsible for network security, you need to read this guide to learn about BaySecure FireWall-1, and the steps you need to take to install, configure, and activate a firewall on a Bay Networks® router.

Conventions
angle brackets (< >)  Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: if command syntax is ping <IP address>, you enter ping 192.32.10.12
bold text  Indicates text that you need to enter, command names, and buttons in menu paths. Example: Enter wfsm &  Example: Use the dinfo command.
Ordering Bay Networks Publications
To purchase additional copies of this document or other Bay Networks publications, order by part number from Bay Networks Press™ at the following numbers:
• Phone, U.S./Canada: 1-888-422-9773
• Phone, International: 1-510-490-4752
• FAX, U.S./Canada and International: 1-510-498-2609

Bay Networks Customer Service
You can purchase a support contract from your Bay Networks distributor or authorized reseller, or directly from Bay Networks Services.

How to Get Help
If you purchased a service contract for your Bay Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
Chapter 1
BaySecure FireWall-1

BaySecure™ FireWall-1 integrates version 2.1 of Check Point Software Technologies Ltd™ FireWall-1™ software, with the exception of user authentication, address translation, statistics and encryption features, into the Bay Networks’ GAME router operating system. The result is a security system that provides fully secure, bidirectional, anti-spoofing communication for all Internet applications and services, such as FTP, Telnet, and SMTP.

To configure a firewall on a router, see the following sections:
• Obtaining a FireWall-1 License on 1-2
• Installing and Running the FireWall-1 Management Software on 1-3
• Creating and Configuring a FireWall on the Router on 1-17
• Enabling the FireWall on All Router Interfaces on 1-21
• Activating the Firewall on 1-22
• Configuring a FireWall Security Policy on 1-23
• Installing the Security Policy on the Router on 1-24

Obtaining a FireWall-1 License
Before

Note: If you need to change the IP address of the FireWall-1 management station, contact Check Point at 800-429-4391 (North America) or +972-3-613-1833 (locations outside of North America). Refer to the section “Installing and Running the FireWall-1 Management Software” and the Check Point documentation for information about how to install the license.
For SunOS
lab# mount -r -t hsfs /dev/sr0 /cdrom
lab# cd /tmp
lab# tar xvf /cdrom/sunos4/fw1/fw.sunos4.tar

For Solaris
lab# mount -F hsfs -r /dev/sr0 /cdrom
lab# cd /tmp
lab# tar xvf /cdrom/solaris2/fw1/fw.solaris2.tar

For HPUX
lab# mount -r /dev/dsk/c1t2d0 /cdrom   (or your specific CD-ROM address)
lab# cd /tmp
lab# tar xvf “/cdrom/HPUX/FW1/FW.HPUX.
Sample Installation
The following sample installation takes the Check Point FireWall-1 software from a CD-ROM and installs it onto a SparcStation running SunOS. Use this sample installation to familiarize yourself with the FireWall-1 installation script.
Note: In the following sample installation, all user input is in bold.

**************** FireWall-1 v3.0 Installation ****************
Reading fwinstall configuration. Please wait.
Configuration loaded. This might take a while.
Software distribution extraction
--------------------------------
Extracting software distribution. Please wait ...
Software Distribution Extracted to /etc/fw
Installing license
------------------
Reading pre-installed license file fw.LICENSE... done.
The following evaluation License key is provided with this FireWall-1 distribution
Eval 15Mar97 3.
Configuring Remote Modules...
=============================
Remote Modules are FireWall or Inspection Modules that are going to be controlled by this Management Station.
Do you want to add Remote Modules (y/n) [y] ? n
Configuring Groups...
=====================
FireWall-1 access and execution permissions
-------------------------------------------
Usually, FireWall-1 is given group permission for access and execution.
Do you wish to start FW-1 now (y/n) [y] ? n
*******************************************************************
Configuration ended successfully
**************** FireWall-1 is now installed. ****************
Do you wish to start FW-1 now (y/n) [y] ? n
*******************************************************************
DO NOT FORGET TO:
1. add the line: setenv FWDIR /etc/fw to .cshrc or FWDIR=/etc/fw; export FWDIR to .profile
2. add /etc/fw/bin to path
3.
Installing a License on the Management Station
To install a license on the management station, use the following command:
fw putlic <host ID> <license string> pfmx controlx routers motif embedded
The <host ID> is the host ID of the management station. The <license string> is a string of alphanumeric characters that Check Point provides when you request your FireWall-1 license.

Starting and Stopping the FireWall-1 Daemons
To start the FireWall-1 daemons, use the fwstart command.

Starting the FireWall-1 GUI
To start the FireWall-1 GUI, enter the fwui& command. For example, at the system prompt, type
lab# fwui&

Installing on the Windows/NT Platform
Use the following sections as a guide to installing the FireWall-1 software on the Windows/NT platform. For more details, refer to your Check Point documentation.
Figure 1-1. Choose Destination Location Window
2. Choose a destination directory. For this sample installation, we accept the default directory.
3. Click on Next. The Selecting Product Type window (Figure 1-2) opens.
Figure 1-2. Selecting Product Type Window
4. Choose the FireWall-1 component you want to install. To be compatible with BaySecure FireWall-1, choose FireWall-1 Enterprise Management Console Product.
5. Click on Next. The Licenses window (Figure 1-3) opens.
Figure 1-3. Licenses Window
6. Enter the license information you obtained from Check Point.
7. Click on Next. The Administrators window (Figure 1-4) opens.
Figure 1-4. Administrators Window
You must specify at least one administrator.
8. Click on Add. The Add Administrator window (Figure 1-5) opens.
Figure 1-5. Add Administrators Window
9. Enter the administrator’s user name and password, which is limited to eight characters, and a password confirmation, and click on OK. You return to the Administrators window.
10. Click on Next. The GUI Clients window opens. Do not enter GUI clients at this time.
11. Click on Next. The Remote Modules window appears. Do not enter remote modules at this time.
12. Click on Next. The Hit Key Session window (Figure 1-6) opens.
Figure 1-6. Hit Key Session Window
13. Follow the directions in the window and enter random characters, with a delay of a few seconds between them, until the indicator bar is full.
The CA Key window opens (Figure 1-7).
Figure 1-7. CA Key Window
15. Click on Generate to generate a new key. The host uses the RSA key to generate a digital signature for authenticating its communications in its capacity as a Certificate Authority. Generating the key may take several minutes.
16. Click on Finish.

Installing the GUI Client
1. Begin by inserting the CD into the CD drive and executing the setup.exe file. For example: D:\windows\gui_client\disk1\setup.
Figure 1-8. Choose Destination Location Window
For this sample installation, accept the default directory.
3. Click on Next. The Select Components window (Figure 1-9) opens.
Figure 1-9. Select Components Window
4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item.

Customizing the FireWall-1 Installation
You can customize your FireWall-1 installation by executing the FireWall-1 Configuration file.
Begin by starting Site Manager. Then follow these steps:
1. Select Configuration Manager in either local, remote, or dynamic mode from the Tools menu. The Configuration Manager window opens (Figure 1-10).
Figure 1-10. Configuration Manager Window
2. Open a configuration file if local or remote mode is selected.
3. Select Protocols > Global Protocols > FWALL > Create. The following confirmation box appears to verify that you have created a firewall on the router.
4.
Note: After you create a firewall on the router, you cannot remove it.
5. To enable the firewall, select Protocols > Global Protocols > FWALL > Global. The F.W. Global window opens (Figure 1-11) to verify that you want to enable a firewall to be active on the router. Click on OK.
Figure 1-11. F.W. Global Window
6. To configure the firewall, select Protocols > Global Protocols > FWALL > FWALL Router PARAMS. The F.W. Router Parameters window opens (Figure 1-12).
Figure 1-12. F.W. Router Parameters Window
8. Complete the F.W. Router Parameters window. To configure a firewall, you must supply values for all of the parameters that appear in the F.W. Router Parameters window. Refer to the parameter descriptions that follow. When you finish configuring the parameters, click on OK to make all parameter settings take effect.

Parameter: Log Host IP Address
Default: 0.0.0.

Parameter: Local Host IP Address
Default: 0.0.0.0
Options: Any valid IP address
Function: Shows the IP address of the router on which the firewall resides.
Instructions: Enter the IP address of the host where you installed the firewall module. If the log host IP address and the local host IP address you specify are on different subnets, then you must configure a static route to the local host IP address to enable communication between the router and the management station.
When you click on OK, a message box opens, confirming that you are enabling the firewall on all interfaces. Once you enable the firewall on all interfaces and reboot the router, you will not be able to communicate with the router through Site Manager until you change the FireWall-1 default security policy.

The Boot Router window opens (Figure 1-14).
Figure 1-14. Boot Router Window
2. Specify the correct volume and boot image.
3. Select the correct router volume and configuration file. Then click on Boot. A confirmation window appears.
4. Click on OK in the confirmation window and wait a few minutes to give the router time to reboot.
5. Select View > Refresh Display from the main Site Manager window to verify that the router booted correctly.

You must define a security policy that explicitly defines acceptable communication to the router, based on the source address, destination address, and type of service. Refer to your Check Point FireWall-1 documentation for details about how to configure a security policy.

Installing the Security Policy on the Router
Once you have defined a security policy, you must install it on the router.
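The two points above (the default policy cuts Site Manager off once the firewall is enabled on every interface, and the policy must explicitly accept management traffic by source, destination and service) can be checked before installing a policy. The following Python model is an added example, not code from this manual, Bay Networks or Check Point; it assumes first-match rules with an implicit final drop, the service names "snmp" (Site Manager) and "fw1" (the management station's control channel), and constructed addresses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR network or "any"
    dst: str      # CIDR network or "any"
    service: str  # service name or "any"
    action: str   # "accept" or "drop"


def _addr_matches(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def evaluate(policy, src, dst, service):
    """First-match rule base with an implicit final drop: whatever the policy
    does not explicitly accept is dropped, which is how the default policy
    cuts Site Manager off after the firewall is enabled on all interfaces."""
    for rule in policy:
        if (_addr_matches(rule.src, src) and _addr_matches(rule.dst, dst)
                and rule.service in ("any", service)):
            return rule.action
    return "drop"


# Assumed service names for the management side (not taken from the manual).
MANAGEMENT_SERVICES = ("snmp", "fw1")


def lockout_check(policy, mgmt_station, router_ip):
    """Management services the policy would drop; non-empty means lockout."""
    return [s for s in MANAGEMENT_SERVICES
            if evaluate(policy, mgmt_station, router_ip, s) != "accept"]


def needs_static_route(log_host, local_host, prefix_len):
    """True when Log Host and Local Host are on different subnets, the case
    in which the parameter instructions require a static route."""
    a = ipaddress.ip_network(f"{log_host}/{prefix_len}", strict=False)
    b = ipaddress.ip_network(f"{local_host}/{prefix_len}", strict=False)
    return a != b


# Constructed sample addresses and policies (not from the manual).
MGMT_STATION = "192.32.10.12"
ROUTER = "192.32.20.1"
DEFAULT_POLICY = []  # nothing explicitly accepted: every packet hits the implicit drop
EXPLICIT_POLICY = [
    Rule(f"{MGMT_STATION}/32", f"{ROUTER}/32", "snmp", "accept"),
    Rule(f"{MGMT_STATION}/32", f"{ROUTER}/32", "fw1", "accept"),
    Rule("any", "any", "any", "drop"),  # everything else, e.g. telnet to the router
]
```

Run lockout_check against a candidate policy before installing it on the router; an empty list means the management station keeps its access after the reboot.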
Index

A
activating FireWall-1, 1-22
adding
  administrators, 1-8
  groups, 1-8
  GUI clients, 1-8, 1-17
  license, 1-8, 1-17
  remote modules, 1-8, 1-17

B
Bay Networks Press, xi
Bay Networks World Wide Web page, xii
booting the router, 1-22

C
Check Point, contacting, 1-2
commands
  commit, 1-17
  fw putlic, 1-9
  fwconfig, 1-8
  fwinstall, 1-4
  fwputkey, 1-9
  fwstart, 1-9
  fwstop, 1-9
  fwui&, 1-10
  set, 1-17
Configuration Manager, 1-18
configuring a firewall, 1-17
control module, defined, 1-1
creating a firewall, 1-17
customer

  options, 1-4
  sample, 1-5, 1-10
installing management software, 1-4

L
license
  adding, 1-8, 1-17
  installing on management station, 1-9
  obtaining, 1-2
Local Host IP Address parameter, 1-21
Log Host IP Address parameter, 1-20

M
modules
  control, 1-1
  firewall, 1-1
mounting a CD drive, 1-3

P
publications, ordering, xi

R
refreshi

S
synchronizing the router and management station, 1-9

T
tar files, extracting, 1-3
technical response centers, xii
Technician Interface, 1-17

W
World Wide Web page, Bay Networks, xii