Configuring BaySecure FireWall-1 BayRS Version 12.00 Site Manager Software Version 6.00 Part No.
4401 Great America Parkway Santa Clara, CA 95054 8 Federal Street Billerica, MA 01821 Copyright © 1997 Bay Networks, Inc. All rights reserved. Printed in the USA. September 1997. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty.
About This Guide If you are responsible for network security, you need to read this guide to learn about BaySecure FireWall-1, and the steps you need to take to install, configure, and activate a firewall on a Bay Networks® router.
Conventions

angle brackets (< >): Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: if the command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold text: Indicates text that you need to enter, command names, and buttons in menu paths. Example: Enter wfsm & Example: Use the dinfo command.
Ordering Bay Networks Publications

To purchase additional copies of this document or other Bay Networks publications, order by part number from Bay Networks Press™ at the following numbers:
• Phone--U.S./Canada: 888-422-9773
• Phone--International: 510-490-4752
• FAX--U.S./Canada and International: 510-498-2609
The Bay Networks Press catalog is available on the World Wide Web at support.baynetworks.com/Library/GenMisc.
How to Get Help

If you purchased a service contract for your Bay Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.
Chapter 1 BaySecure FireWall-1 BaySecure™ FireWall-1 integrates version 2.1 of Check Point Software Technologies Ltd™ FireWall-1™ software, with the exception of user authentication, address translation, statistics and encryption features, into the Bay Networks GAME router operating system. The result is a security system that provides fully secure, bidirectional, anti-spoofing communication for all Internet applications and services, such as FTP, Telnet, and SMTP.
To configure a firewall on a router, see the following sections:
• Obtaining a FireWall-1 License on page 1-2
• Installing and Running the FireWall-1 Management Software on page 1-3
• Creating and Configuring a FireWall on the Router on page 1-17
• Enabling the FireWall on All Router Interfaces on page 1-21
• Activating the Firewall on page 1-22
• Configuring a FireWall Security Policy on page 1-24
• Installing the Security Policy on the Router on page 1-24

Obtaining a FireWall-1 License

Before
Note: If you need to change the IP address of the FireWall-1 management station, contact Check Point at 800-429-4391 (North America) or +972-3-613-1833 (locations outside of North America).

Refer to the section “Installing and Running the FireWall-1 Management Software” and the Check Point documentation for information about how to install the license.
For SunOS
lab# mount -r -t hsfs /dev/sr0 /cdrom
lab# cd /tmp
lab# tar xvf /cdrom/sunos4/fw1/fw.sunos4.tar

For Solaris
lab# mount -F hsfs -r /dev/sr0 /cdrom
lab# cd /tmp
lab# tar xvf /cdrom/solaris2/fw1/fw.solaris2.tar

For HPUX
lab# mount -r /dev/dsk/c1t2d0 /cdrom   (or your specific CD-ROM address)
lab# cd /tmp
lab# tar xvf “/cdrom/HPUX/FW1/FW.HPUX.
Sample Installation

The following sample installation takes the Check Point FireWall-1 software from a CD-ROM and installs it onto a SparcStation running SunOS. Use this sample installation to familiarize yourself with the FireWall-1 installation script.

Note: In the following sample installation, all user input is in bold.

**************** FireWall-1 v3.0 Installation ****************
Reading fwinstall configuration. Please wait.
Configuration loaded. This might take a while.
Software distribution extraction
--------------------------------
Extracting software distribution. Please wait ...
Software Distribution Extracted to /etc/fw
Installing license
------------------
Reading pre-installed license file fw.LICENSE... done.
The following evaluation License key is provided with this FireWall-1 distribution
Eval 15Mar97 3.
Configuring Remote Modules...
=============================
Remote Modules are FireWall or Inspection Modules that are going to be controlled by this Management Station.
Do you want to add Remote Modules (y/n) [y] ? n
Configuring Groups...
=====================
FireWall-1 access and execution permissions
-------------------------------------------
Usually, FireWall-1 is given group permission for access and execution.
*******************************************************************
Configuration ended successfully
**************** FireWall-1 is now installed. ****************
Do you wish to start FW-1 now (y/n) [y] ? n
*******************************************************************
DO NOT FORGET TO:
1. add the line: setenv FWDIR /etc/fw to .cshrc or FWDIR=/etc/fw; export FWDIR to .profile
2. add /etc/fw/bin to path
3.
Installing a License on the Management Station

To install a license on the management station, use the following command:
fw putlic <host ID> pfmx controlx routers motif embedded <license key>
The <host ID> is the host ID of the management station. The <license key> is the string of alphanumeric characters that Check Point provides when you request your FireWall-1 license.

Starting and Stopping the FireWall-1 Daemons

To start the FireWall-1 daemons, use the fwstart command.
Starting the FireWall-1 GUI

To start the FireWall-1 GUI, enter the fwui& command. For example, at the system prompt, type
lab# fwui&

Installing on the Windows/NT Platform

Use the following sections as a guide to installing the FireWall-1 software on the Windows/NT platform. For more details, refer to your Check Point documentation.
Figure 1-1. Choose Destination Location Window
2. Choose a destination directory. For this sample installation, we accept the default directory.
3. Click on Next. The Selecting Product Type window (Figure 1-2) opens.
Figure 1-2. Selecting Product Type Window
4. Choose the FireWall-1 component you want to install. To be compatible with BaySecure FireWall-1, choose FireWall-1 Enterprise Management Console Product.
5. Click on Next. The Licenses window (Figure 1-3) opens.
Figure 1-3. Licenses Window
6. Enter the license information you obtained from Check Point.
7. Click on Next.
The Administrators window (Figure 1-4) opens.
Figure 1-4. Administrators Window
You must specify at least one administrator.
8. Click on Add. The Add Administrator window (Figure 1-5) opens.
Figure 1-5. Add Administrators Window
9. Enter the administrator’s user name and password, which is limited to eight characters, and a password confirmation, and click on OK. You return to the Administrators window.
10. Click on Next. The GUI Clients window opens. Do not enter GUI clients at this time.
11. Click on Next. The Remote Modules window opens. Do not enter remote modules at this time.
12. Click on Next. The Hit Key Session window (Figure 1-6) opens.
Figure 1-6. Hit Key Session Window
13. Follow the directions in the window and enter random characters, with a delay of a few seconds between them, until the indicator bar is full. The timing of these keystrokes supplies the randomness used when the CA key is generated in the next window, so do not hold a key down or type a predictable pattern.
The CA Key window opens (Figure 1-7).
Figure 1-7. CA Key Window
15. Click on Generate to generate a new key. The host uses this RSA key to produce the digital signatures that authenticate its communications in its capacity as a Certificate Authority. Generating the key may take several minutes.
16. Click on Finish.

Installing the GUI Client

1. Begin by inserting the CD into the CD drive and executing the setup.exe file. For example: D:\windows\gui_client\disk1\setup.
Figure 1-8. Choose Destination Location Window
For this sample installation, accept the default directory.
3. Click on Next. The Select Components window (Figure 1-9) opens.
Figure 1-9. Select Components Window
4. Install the Security Policy, System Status, and Log Viewer components by clicking on each item.

Customizing the FireWall-1 Installation

You can customize your FireWall-1 installation by executing the FireWall-1 Configuration file.
Begin by starting Site Manager. Then follow these steps:
1. Select Configuration Manager in local, remote, or dynamic mode from the Tools menu. The Configuration Manager window opens (Figure 1-10).
Figure 1-10. Configuration Manager Window
2. Open a configuration file if you selected local or remote mode.
3. Select Protocols > Global Protocols > FWALL > Create. A confirmation box appears to verify that you have created a firewall on the router.
4.
Note: After you create a firewall on the router, you cannot remove it.
5. To enable the firewall, select Protocols > Global Protocols > FWALL > Global. The F.W. Global window opens (Figure 1-11) to verify that you want the firewall to be active on the router. Click on OK.
Figure 1-11. F.W. Global Window
6. To configure the firewall, select Protocols > Global Protocols > FWALL > FWALL Router PARAMS.
The F.W. Router Parameters window opens (Figure 1-12).
Figure 1-12. F.W. Router Parameters Window
8. Complete the F.W. Router Parameters window. To configure a firewall, you must supply values for all of the parameters that appear in this window. Refer to the parameter descriptions that follow. When you finish configuring the parameters, click on OK to make all parameter settings take effect.

Parameter: Log Host IP Address
Default: 0.0.0.
Parameter: Local Host IP Address
Default: 0.0.0.0
Options: Any valid IP address
Function: Shows the IP address of the router on which the firewall resides.
Instructions: Enter the IP address of the host where you installed the firewall module. If the log host IP address and the local host IP address you specify are on different subnets, you must also configure a static route to the local host IP address so that the router and the management station can reach each other.
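The subnet comparison behind the static-route instruction above, as an added POSIX shell example that is not part of the Bay Networks manual. The addresses, the 255.255.255.0 mask and the next-hop address are constructed for illustration; the script also rejects the 0.0.0.0 default that the parameter window shows but that must be replaced before the firewall can work.

```sh
#!/bin/sh
# Added example, not from the Bay Networks manual. Given the Log Host IP
# Address and Local Host IP Address entered in the F.W. Router Parameters
# window, report whether they share a subnet and, if not, which static
# route the manual requires. All addresses used here are constructed.

# valid_ip A.B.C.D -> status 0 for a dotted quad with four octets in
# 0..255 that is not the 0.0.0.0 default shown in the parameter window.
valid_ip() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    IFS=. read -r a b c d <<EOF
$1
EOF
    [ -n "$d" ] || return 1
    case "$d" in *.*) return 1 ;; esac    # more than four octets
    for o in "$a" "$b" "$c" "$d"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" != "0.0.0.0" ]
}

# ip_to_int A.B.C.D -> the address as a 32-bit unsigned integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# same_subnet IP1 IP2 MASK -> status 0 if both addresses fall in the
# same network under MASK, 1 otherwise
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# route_advice LOG_HOST LOCAL_HOST MASK NEXT_HOP -> one line of advice.
# NEXT_HOP is the router's gateway toward the management station; it is
# an assumed input, not a parameter from the manual.
route_advice() {
    for ip in "$1" "$2" "$3" "$4"; do
        if ! valid_ip "$ip"; then
            echo "invalid address: $ip"
            return 0
        fi
    done
    if same_subnet "$1" "$2" "$3"; then
        echo "same subnet: no static route required"
    else
        echo "different subnets: add a static route to $1 via $4 on the router"
    fi
}

# Constructed sample: management station 192.168.2.20, router 192.168.1.10
route_advice 192.168.2.20 192.168.1.10 255.255.255.0 192.168.1.1
```

Run it before clicking OK in the F.W. Router Parameters window; if it reports different subnets, add the static route first, since after the reboot the default security policy blocks Site Manager traffic and you will have no easy way to correct the routing.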
When you click on OK, a message box opens, confirming that you are enabling the firewall on all interfaces. Once you enable the firewall on all interfaces and reboot the router, the Check Point default security policy is in force and drops all traffic to the router, so you cannot communicate with the router through Site Manager until you replace that default policy with one that permits the management traffic you need.
The Boot Router window opens (Figure 1-14).
Figure 1-14. Boot Router Window
2. Specify the correct volume and boot image.
3. Select the correct router volume and configuration file. Then click on Boot. A confirmation window appears.
4. Click on OK in the confirmation window and wait a few minutes to give the router time to reboot.
5. Select View > Refresh Display from the main Site Manager window to verify that the router booted correctly.
Configuring a FireWall Security Policy

A security policy is a collection of rules that define how the firewall operates. Check Point supplies a default security policy that drops all attempts to communicate with the router. This policy takes effect when you first activate the firewall on the router, so you must define and install a policy of your own before any traffic, including management traffic, can pass.
Troubleshooting Checklist

If you experience problems with FireWall-1, verify that you have performed these steps:
• Enabled TCP on all slots on the router
• Created a firewall using Site Manager
• Created a static route if the router and the firewall management station are on different subnets
• Rebooted the router with a firewall configuration file
• Synchronized the router and management station passwords by executing the fwputkey command on both the router and the firewall management station