Saturday, January 23, 2010

CheckPoint CCSE Failed with 63%

It is my first failure on a certification exam, and I've sat more than 10 exams so far.

My feeling while studying for this exam is that Checkpoint doesn't teach you how things work according to the RFCs, but where to click in the GUI in order for something to work.

I was amazed again by the exam quality. 3 of the questions were repeated with different answers. 4-5 of the questions I wasn't able to understand. There was a mistake in one of the questions: instead of "process" it said "device", and things like that.

I got 50% on Remote Access VPN :-) , Clustering, and 60% on Site-to-Site VPN :-) And there were plenty of theoretical questions on the exam. I hope they can verify their theoretical questions, as they were really close to impossible to understand. Also they are not following the RFC terminology in the technical questions. With my background in cryptography and hands-on practice on VPN with the product, I shouldn't have had any problem getting 100% on many of the topics.

But, always look on the bright side of life :-)

The plan is to show up once more in 2 weeks. In the meantime I'll go through the material one more time, and I'll blog my notes for each topic.

That will definitely be my last Checkpoint exam. I don't think it is worth spending time, money and nerves on an exam of such poor quality.

Monday, January 18, 2010

Checkpoint CCSE, 1 week before exam day

I've been through most of the material so far, except SSL Network Extender and Clientless VPN. I'll do those tonight, and I'll book my exam for either Friday this week or Monday next week.

A few notes so far: I advise you to go through the material in the following order:

1. Upgrade Chapters

2. High Availability and Cluster XL

3. VPN theory chapters

4. Site to Site VPN chapters

5. Remote Access VPN chapters

The reason is that the VPN chapters contain a lot of ClusterXL-related material, and I had to go back and forth between them all the time, so I decided to go through ClusterXL before the VPNs.

Note that Load Sharing mode will not work with the 15-day licence. You need to licence your virtual machines before doing those labs. There is a 30-day evaluation version on the CD which comes with the book.

You can find details of used materials here.

Wednesday, January 13, 2010

Checkpoint CCSE Progress

I've decided to prepare for this exam, as I don't have experience with Remote Access and ClusterXL. Those 2 topics will take most of my practice time with the virtual machines.

I got a soft copy of Check Point Security Administration II NGX 1.1 from a colleague who was on the course in 2007, and I'll use that book for the labs.

For the theoretical part, I've decided to use the Checkpoint official guides, as it will be easier for the future. I'll review the theoretical part in the official course book as well.

I expect to sit the exam in 2-3 weeks.

You can find more details here.

Friday, January 8, 2010

Checkpoint CCSA passed with 81%

Yesterday I passed the exam with 81%. The score is not that good, because I got 33% on the LDAP questions (I was too lazy to install AD on my Windows 2003 machine, and there were 7-8 LDAP questions). The rest of the topics went fine, with some of them above 70% and most of them above 80%. I finished 5 topics with 100%.

A few questions on the exam were rather strange, and I wasn't able to understand them even after reading them 5 times. One of the questions was multiple choice (from 5 options) and one of the answers offered was: 1, 3 and 3 :) I wrote a comment on that question, so I hope no one will get it again. There were 7-8 questions on general network security, not related to Checkpoint products at all.

Besides the sources specified in this post, I've used the following:

- QOS Chapter from NGX II version 1.1 book

- SmartDefense white paper

- 2 very good blogs/sites: fir3net and netl33ts

Good Luck!

Wednesday, January 6, 2010

DHCP Snooping on Cisco Switches

The DHCP protocol is widely used and has security issues, as it was designed long ago, before there was a need for network security: it has no authentication, so any host on a segment can answer as a server, and any client can request leases under arbitrary hardware addresses. Cisco has implemented several enhancements in IOS to (partially) protect against and stop most DHCP attacks. Port Security, DHCP Snooping, IP Source Guard and Dynamic ARP Inspection are the ones mostly used these days; the last two build on the binding database that DHCP Snooping maintains.

DHCP Snooping is a security feature which protects network clients from receiving IP settings from rogue DHCP servers. Ports are classified into 2 types: trusted and untrusted. Ports which are connected to authorized DHCP servers (or the uplink towards them) have to be configured as trusted with ip dhcp snooping trust under the interface; all the rest should be left untrusted (the default). Trusted ports bypass DHCP Snooping validation entirely, so a trusted port is also the one place a rogue server could still answer from. DHCP Snooping is enabled per VLAN. On untrusted ports the rate of DHCP packets can additionally be limited with ip dhcp snooping limit rate; a port that exceeds the limit is put into err-disabled state.

Enabling this feature creates the DHCP Snooping binding database, with support for up to 8192 entries (the limit is platform dependent). Each record holds the client's IP address, the client's MAC address, the DHCP lease time, the interface on which the client is connected and the VLAN number. When the database is written to flash or a remote URL with ip dhcp snooping database, the file also carries a checksum per entry and one checksum for the whole file. Without such a database agent the bindings are lost on reload, and the features that depend on them, IP Source Guard and Dynamic ARP Inspection, will block existing clients until they renew their lease.

On untrusted ports the switch compares the frame's source MAC address with the DHCP CHADDR (Client Hardware Address) field. If the two addresses match, the packet is forwarded; otherwise it is dropped. This check is on by default (it shows up as "Verification of hwaddr field is enabled" below) and can be turned off with no ip dhcp snooping verify mac-address, which is sometimes necessary when a legitimate device forwards DHCP requests on behalf of other hardware addresses.

The switch will drop the packet if:

  1. A packet originating from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK) is received on an untrusted port
  2. The source MAC address is different from the CHADDR (on an untrusted port)
  3. The switch receives a DHCPRELEASE or DHCPDECLINE on an interface for a MAC address which has an entry in the DHCP Snooping binding database, but the interface in that entry doesn't match the interface the message arrived on
  4. A packet that includes option-82 information, or a non-zero relay agent address (giaddr), arrives on an untrusted port (this situation will be covered in another post, as I've experienced this in practice recently)
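The drop rules above, modelled in Python as an added example (this is not switch code and not from the original post): it builds constructed DHCP frames, parses Ethernet/IPv4/UDP/BOOTP, and returns either FORWARD or a drop reason named after the counters in show ip dhcp snooping statistics detail. The order of the checks, the bindings dictionary standing in for the binding table, and the reuse of MAC addresses from the log lines further down are assumptions.

```python
"""Model of the DHCP Snooping drop rules, run over constructed frames.
Added example, not Cisco code: check order and the bindings dict are
assumptions; drop reasons are named after the IOS statistics counters."""
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"      # fixed 236-byte BOOTP header

def _mac(text):
    return bytes.fromhex(text.replace(":", "").replace(".", ""))

def _mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def _ip(text):
    return bytes(int(o) for o in text.split("."))

def build_dhcp_frame(src_mac, chaddr, msg_type, giaddr="0.0.0.0", option82=None):
    """Build a minimal DHCP frame (constructed test data, not a real capture)."""
    from_server = msg_type in (2, 5, 6)                 # OFFER/ACK/NAK come from servers
    op = BOOTREPLY if from_server else BOOTREQUEST
    sport, dport = (67, 68) if from_server else (68, 67)
    dst_mac = _mac(chaddr) if from_server else b"\xff" * 6
    zero = _ip("0.0.0.0")
    bootp = struct.pack(BOOTP_FMT, op, 1, 6, 0, 0x3903F326, 0, 0x8000, zero, zero, zero,
                        _ip(giaddr), _mac(chaddr).ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = DHCP_MAGIC + bytes([53, 1, msg_type])     # option 53: DHCP message type
    if option82 is not None:                            # option 82: relay agent information
        options += bytes([82, len(option82)]) + option82
    payload = bootp + options + b"\xff"                 # option 255: end
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     zero, _ip("255.255.255.255")) + udp
    return struct.pack("!6s6sH", dst_mac, _mac(src_mac), 0x0800) + ip

def parse_dhcp_frame(frame):
    """Extract the fields the snooping checks look at."""
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    udp = ip[ihl:]
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if (sport, dport) not in ((68, 67), (67, 68)):
        raise ValueError("not DHCP")
    payload = udp[8:ulen]
    op, _ht, hlen, _hops, _xid, _secs, _fl, _ci, _yi, _si, giaddr, chaddr = \
        struct.unpack(BOOTP_FMT, payload[:236])[:12]
    if payload[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    msg_type, has_opt82, i = None, False, 240
    while i < len(payload) and payload[i] != 255:       # walk TLV options until END
        code = payload[i]
        if code == 0:                                   # PAD has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if code == 53:
            msg_type = MSG_TYPES.get(payload[i + 2], "UNKNOWN")
        elif code == 82:
            has_opt82 = True
        i += 2 + length
    return {"op": op, "src_mac": _mac_text(src_mac), "chaddr": _mac_text(chaddr[:hlen]),
            "giaddr": ".".join(str(b) for b in giaddr), "msg_type": msg_type,
            "has_opt82": has_opt82}

def snooping_verdict(frame, port_trusted, ingress=None, bindings=None):
    """Apply the drop rules to one frame arriving on a port.
    bindings models the binding table as {chaddr: interface} (assumption)."""
    pkt = parse_dhcp_frame(frame)
    if port_trusted:
        return "FORWARD"                                # trusted ports bypass validation
    if pkt["op"] == BOOTREPLY:
        return "DROP: Received on untrusted ports"      # server reply on an untrusted port
    if pkt["has_opt82"]:
        return "DROP: Option 82 on untrusted port"      # relay data from an untrusted port
    if pkt["giaddr"] != "0.0.0.0":
        return "DROP: Nonzero giaddr"                   # relayed request on an untrusted port
    if pkt["src_mac"] != pkt["chaddr"]:
        return "DROP: Source mac not equal to chaddr"   # the hwaddr verification
    if pkt["msg_type"] in ("DHCPRELEASE", "DHCPDECLINE") and bindings:
        bound_if = bindings.get(pkt["chaddr"])
        if bound_if is not None and bound_if != ingress:
            return "DROP: Binding mismatch"             # release from the wrong port
    return "FORWARD"

if __name__ == "__main__":
    table = {"00:21:70:15:ea:8d": "FastEthernet3/0/22"}    # one entry from the binding table
    cases = [
        ("DISCOVER, MAC == chaddr", build_dhcp_frame("00:1c:23:4f:f3:dd", "00:1c:23:4f:f3:dd", 1), False, "Fa1/0/10"),
        ("DISCOVER, MAC != chaddr", build_dhcp_frame("00:1c:25:97:80:2a", "00:21:6a:31:a2:ec", 1), False, "Fa4/0/23"),
        ("OFFER on untrusted port", build_dhcp_frame("00:11:22:33:44:55", "00:1c:23:4f:f3:dd", 2), False, "Fa1/0/10"),
        ("RELEASE from wrong port", build_dhcp_frame("00:21:70:15:ea:8d", "00:21:70:15:ea:8d", 7), False, "Fa1/0/10"),
    ]
    for name, frame, trusted, port in cases:
        print(f"{name:26} -> {snooping_verdict(frame, trusted, port, table)}")
```

The same function run with port_trusted=True forwards everything, which is the point made above about trusted ports: the check list only protects what arrives on untrusted ports.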

Example of a DHCP Snooping configuration (the interface facing the DHCP server, or the uplink towards it, must additionally be configured with ip dhcp snooping trust, otherwise the server's replies are dropped on arrival):

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 101-102,104,301,1000

Show commands:

show ip dhcp snooping

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
DHCP snooping is operational on following VLANs:
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

show ip dhcp snooping binding

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:21:70:15:EA:8D     244958      dhcp-snooping   101   FastEthernet3/0/22
00:1C:23:4F:F3:DD     244166      dhcp-snooping   101   FastEthernet1/0/10
00:1C:23:4F:F3:10     246563      dhcp-snooping   101   FastEthernet4/0/16
00:1C:25:97:57:63     258392      dhcp-snooping   101   FastEthernet4/0/23
00:1C:23:4F:E6:E1     240567      dhcp-snooping   101   FastEthernet3/0/18
00:21:70:15:E9:14     152945      dhcp-snooping   101   FastEthernet3/0/2
00:1C:23:5A:F7:93     160704      dhcp-snooping   101   FastEthernet2/0/9
00:1C:23:4F:F6:4B     245043      dhcp-snooping   101   FastEthernet1/0/14
00:1C:23:4F:F4:24     97990       dhcp-snooping   101   FastEthernet3/0/12
00:1C:23:4F:F6:BF     244629      dhcp-snooping   101   FastEthernet1/0/21
00:24:E8:BC:FF:6E     252080      dhcp-snooping   101   FastEthernet2/0/12
00:22:68:13:55:A8     253335      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:F2     252408      dhcp-snooping   101   FastEthernet2/0/19
00:1E:C9:70:D4:F2     201709      dhcp-snooping   101   FastEthernet3/0/16
00:0F:1F:EA:23:04     226910      dhcp-snooping   101   FastEthernet4/0/14
00:21:70:15:F8:06     243896      dhcp-snooping   101   FastEthernet3/0/1
00:21:70:15:EA:0E     158323      dhcp-snooping   101   FastEthernet3/0/10
00:21:70:15:EB:78     248641      dhcp-snooping   101   FastEthernet2/0/21
00:21:70:16:00:9D     159319      dhcp-snooping   101   FastEthernet2/0/11
00:21:70:15:EB:15     247514      dhcp-snooping   101   FastEthernet2/0/18
00:1A:6B:D4:53:C5     248756      dhcp-snooping   101   FastEthernet4/0/23
00:1C:25:97:81:55     255468      dhcp-snooping   101   FastEthernet4/0/20
00:22:68:13:28:40     255690      dhcp-snooping   101   FastEthernet4/0/23
00:21:70:15:FC:C9     242025      dhcp-snooping   101   FastEthernet4/0/17
00:21:70:15:FF:E1     250732      dhcp-snooping   101   FastEthernet1/0/18
00:1C:23:5A:F7:EE     241494      dhcp-snooping   101   FastEthernet2/0/10
00:24:E8:D5:CF:9E     244181      dhcp-snooping   101   FastEthernet3/0/15
00:21:70:AF:C0:BF     243784      dhcp-snooping   101   FastEthernet4/0/19
00:21:70:B0:48:68     246445      dhcp-snooping   101   FastEthernet5/0/20
00:1C:23:4F:86:F4     242733      dhcp-snooping   101   FastEthernet1/0/15
00:1C:23:4F:F4:DB     239051      dhcp-snooping   101   FastEthernet2/0/2
00:21:70:15:FB:FF     243821      dhcp-snooping   101   FastEthernet3/0/6

show ip dhcp snooping statistics detail

Switch#show ip dhcp snooping statistics detail
Packets Processed by DHCP Snooping                    = 1823
Packets Dropped Because
   IDB not known                                       = 0
   Queue full                                          = 0
   Interface is in errdisabled                         = 0
   Rate limit exceeded                                 = 0
   Received on untrusted ports                         = 0
   Nonzero giaddr                                      = 0
   Source mac not equal to chaddr                      = 680
   Binding mismatch                                    = 0
   Insertion of opt82 fail                             = 0
   Interface Down                                      = 0
   Unknown output interface                            = 0
   Reply output port equal to input port               = 0
   Packet denied by platform                           = 0

And the log messages generated when a host sends DHCP requests whose CHADDR differs from the source MAC address of the frame. Before treating these as a PC spoofing its MAC address, note that the second source, 001c.2597.5763, has its own binding on FastEthernet4/0/23, a port that carries four bindings in the table above; that pattern is consistent with a downstream hub, bridge or virtualization host forwarding requests for other hardware addresses, which the hwaddr check cannot distinguish from spoofing:

Jan  6 09:55:47.405 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 09:57:42.085 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan  6 10:01:29.406 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 10:03:33.086 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
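A small triage script for these syslog lines, as an added example (not Cisco code and not from the original post): it groups the drops by the frame's real source MAC and separates a source that claims many different hardware addresses (the shape of a DHCP starvation attempt) from one that always relays the same CHADDR (the shape of a bridge, hub or VM host). The four lines from the post are used as they are; the three lines for 00aa.bbcc.dd01 and the minimum-count threshold are constructed assumptions.

```python
"""Triage of %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL syslog lines.
Added example, not Cisco code. The 00aa.bbcc.dd01 lines are constructed."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jan  6 09:55:47.405 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 09:57:42.085 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan  6 10:01:29.406 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0021.6a31.a2ec, MAC sa: 001c.2597.802a
Jan  6 10:03:33.086 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0022.68e1.e669, MAC sa: 001c.2597.5763
Jan  6 10:05:01.000 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0000.0001, MAC sa: 00aa.bbcc.dd01
Jan  6 10:05:01.010 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0000.0002, MAC sa: 00aa.bbcc.dd01
Jan  6 10:05:01.020 UTC: %DHCP_SNOOPING-5-DHCP_SNOOPING_MATCH_MAC_FAIL: DHCP_SNOOPING drop message because the chaddr doesn't match source mac, message type: DHCPDISCOVER, chaddr: 0000.0000.0003, MAC sa: 00aa.bbcc.dd01
"""

# Timestamp, facility-severity-mnemonic, then the three fields we care about.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+ \w+): %DHCP_SNOOPING-\d-DHCP_SNOOPING_MATCH_MAC_FAIL: "
    r".*message type: (?P<type>\w+), chaddr: (?P<chaddr>[0-9a-f.]+), MAC sa: (?P<sa>[0-9a-f.]+)$")

def summarize_mac_fail(log_text, min_count=2):
    """Return {source_mac: summary} for sources with at least min_count drops.

    min_count=2 is an assumed threshold to ignore one-off noise."""
    by_source = defaultdict(lambda: {"count": 0, "chaddrs": set(), "types": set(),
                                     "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                    # not a MATCH_MAC_FAIL line
        rec = by_source[m["sa"]]                        # key on the frame's real source MAC
        rec["count"] += 1
        rec["chaddrs"].add(m["chaddr"])                 # hardware addresses it asked for
        rec["types"].add(m["type"])
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    result = {}
    for sa, rec in by_source.items():
        if rec["count"] < min_count:
            continue
        if len(rec["chaddrs"]) > 1:                     # one port, many claimed clients
            rec["verdict"] = "suspicious: one source MAC requesting leases for several hardware addresses"
        else:                                           # one port, one stable client behind it
            rec["verdict"] = "review: stable chaddr behind this MAC, typical of a bridge, hub or VM host"
        result[sa] = rec
    return result

if __name__ == "__main__":
    for sa, rec in summarize_mac_fail(SAMPLE_LOG).items():
        print(f"{sa}: {rec['count']} drops, chaddrs={sorted(rec['chaddrs'])}, "
              f"{rec['first']} .. {rec['last']} -> {rec['verdict']}")
```

The "review" sources are the ones to cross-check against show ip dhcp snooping binding on the port in question, as done above for FastEthernet4/0/23; the "suspicious" ones are where a rate limit on the port (ip dhcp snooping limit rate) earns its keep.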

Tuesday, January 5, 2010

Upgrade of libsw package on Provider-1

Recently we purchased new UTM-1 Edge firewalls and shipped some of them to a site far away in Northern Norway (without testing them in the lab first, of course ;-) ). To our surprise they came up with version 8 of the firmware; all of our other firewalls had version 7.5, and our SmartCenter had support for 7.5 only. After installing the policy on the Edge device, this message came up in the log of the Edge firewall: "Wrong update version in policy (got policy 655 instead of 700)". Checkpoint has published sk31448 for this problem.

P.S. Make sure you back up your old libsw files before upgrading to the new version.

Friday, January 1, 2010

Checkpoint CCSA instead of CCIE Written

Just decided to do CCSA before CCIE Written.

I have more than 4 years of experience with Checkpoint products, but I've never sat down to read about some of their products that I haven't used. I've done a few installations of the firewalls, and I've created approximately 50 site-to-site tunnels using Edge or 3rd-party devices.

Now this decision came up because most probably I'll get a task to upgrade the complete Checkpoint infrastructure for our client from R62 to R65/R70, and I decided to work on it. After 1 month of work at approximately 2-3 hours per day, I'm 1-2 weeks away from the exam date.

If you decide to do that, I encourage you to use the following:

1. Install SmartCenter and Firewall on SPLAT, a test Windows (AD server) host and/or a Backtrack test host, and do your own labs at home

2. I've used this R65 book

3. CCSA CBT Nuggets

4. CPUG Group Forums

I'll update you with my exam experience once I've sat it.