Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
122 Cards in this Set
- Front
- Back
|
What three things does SecuRemote/SecureClient guarantee when connected via a VPN tunnel?
|
Authenticity, by using standard authentication methods
Privacy, by encrypting data Integrity, by using industry-standard integrity-assurance methods |
|
|
T/F - SecuRemote works with UTM Edge Gateways
|
True
|
|
|
In regards to Security, in what three ways does SecureClient extend on SecuRemote?
|
Desktop Security Policy
Logging and alerts Secure Configuration Verification |
|
|
In regards to Connectivity, in what three ways does SecureClient extend on SecuRemote?
|
Office Mode addresses
Visitor Mode Hub Mode |
|
|
In regards to Management, in what three ways does SecureClient extend on SecuRemote?
|
Automatic software distribution
Advanced packaging-and-distribution options Diagnostic tools |
|
|
In Remote Access VPN, what is Connect Mode?
|
During Connect Mode, the remote user deliberately initiates a VPN link to a specific gateway. Subsequent connections to any host behind other gateways will transparently initiate additional VPN links, as required.
|
|
|
What five Modes/features does Connect Mode offer?
|
Office Mode
Visitor Mode (over TCP 443) Hub Mode Auto connect - user is prompted to initiate a VPN link when traffic is destined behind the gateway User profiles (Location Profiles) |
|
|
What is the basic purpose of Office Mode?
|
Office Mode enables a VPN-1 Gateway to assign a remote client an IP address.
|
|
|
When does a user receive an IP address from Office Mode?
|
After the user connects and authenticates.
|
|
|
From what types of pools can Office Mode IP addresses come from?
|
A general IP pool or from an IP pool specified per user group.
|
|
|
T/F - Office Mode can be enabled for specific user groups
|
true
|
|
|
With which of the following is Office Mode supported?
SecureClient SSL Network Extender Crypto L2TP |
all of them
|
|
|
T/F - A remote user with only SecuRemote is supported in Office Mode
|
False, Office Mode is only supported in SecureClient
|
|
|
In Office Mode planning, what would be a reason to choose DHCP instead of IP pool?
|
Some administrators may perfer to manage all of their dynamic IP addresses from the same location. Moreover, DHCP allows a cluster to assign all the addresses from a single pool, rather than have a different pool per cluster member as you have to with gateway IP pools.
|
|
|
In Office Mode planning, what would be a reason to choose IP pool over DHCP?
|
Purchasing a DHCP server can be viewed by some as an unnecessary financial burden.
|
|
|
What routing table modification must be made when implementing Office Mode?
|
IP addresses assigned by Office Mode need to be routed by the internal LAN routers to the gateway that assigned the address. This is to make sure packets, destined to remote-access Office Mode users, reach the gateway to be encapsulated and returned to the client machine.
|
|
|
In Office Mode, under what conditions might you have to enable the Multiple External Interfaces option?
|
The gateway has multiple external interfaces and Office Mode packets are routed to the wrong external interface.
|
|
|
When is a list of Policy Servers downloaded to a SecureClient machine?
|
When a user creates a site in SecureClient
|
|
|
When is a policy downloaded to SecureClient from a Policy Server?
|
When the SecureClient machine connects to the site
|
|
|
The Desktop Security Policy is only valid for a certain period of time. When does the remote client query the Policy Server for a renewal/update?
|
After half the period set has elapsed (222)
|
|
|
During a Desktop Secure Policy update, what files are being uploaded to the Policy Server?
|
Mobile user log files
|
|
|
How can SecureClient be manually prepackaged to include a default Policy?
|
Open the SecureClient tar.gz file. Place the Policy files (local.scv, local.dt, local.lp, etc.) in the tar.gz directory. Specify initialpolicy.bat in the install section of product.ini. Repackage the client using the packaging tool (or running setup from the tar.gz). Install SecureClient from the generated package/tar.gz directory. The policy becomes active when the client is started for the first time.
|
|
|
How do you activate Policy Server High Availability?
|
Set the use_profile_ps_configuration option as true in the userc.c file
|
|
|
How is Wireless Hotspot/Hotel Registration restricted?
|
By time, number of IP addresses, and ports. SecureClient records the IP addresses and ports that were accessed during the registration phase.
|
|
|
What method does SecureClient Mobile use to enable handheld devices to securely access resources behind Check Point Gateways?
|
SSL (HTTPS) tunneling
|
|
|
What two modes of operation does SecureClient Mobile support?
|
Centrally Managed Mode and SSL Network Extender Mode.
|
|
|
What does SecureClient Mobile's Centrally Managed Mode do?
|
Client connects to a gateway configured for SecureClient Mobile, and downloads a set of Policies that were sent to the gateway from the SmartCenter Server.
|
|
|
How does SecureClient Mobile's SSL Network Extender Mode differ from Centrally Managed Mode?
|
In this mode, the client does not download Policies, but enforces a set of Policies predefined upon client installation.
|
|
|
In what two ways can VPN Routing be configured?
|
Directly through SmartDashboard or by editing the VPN routing configuration files on the gateways.
|
|
|
What Mode enables VPN routing for remote access clients?
|
Hub Mode
|
|
|
How does Hub Mode work?
|
In Hub mode, all traffic is directed through a central hub. The central hub acts as a kind of router for the remote client. Once traffic from the remote access clients is directed through a hub, connectivity with other clients is possible, as well as the ability to inspect the subsequent traffic for content.
|
|
|
Why should you enable Office Mode when using Hub Mode?
|
If the remote client is using an IP address supplied by an ISP, this address might not be fully routable.
|
|
|
In addition to the usual requirements of remote access clients, what are three special demands users accessing the organization from remote locations?
|
Connectivity - must be able to access the organization from various locations, even if behind a NAT, proxy, or security gateway.
Secure connectivity - guaranteed by the combination of authentication, confidentiality, and data integrity for every connection Usability - installation must be easy. No configuration should be required as a result of network modification; should be seamless for the connecting user |
|
|
In regards to installation and configuration, what are some advantages to SSL Network Extender?
|
Thin client installation - much smaller size
Server-side configuration only Downloaded as an ActiveX component Easier to deploy newer versions |
|
|
T/F - To enable connectivity for clients using SSL Network Extender, VPN-1 must be configured to support SecuRemote/SecureClient
|
true
|
|
|
What are the two ways to install SSL Network Extender from a browser?
|
ActiveX or the Java Applet
|
|
|
What are four SSL Network Extender server-side prerequisites?
|
SNX must be enabled on the gateway
The specific gateway must be configured as a member of the Remote Access Community The same access rules are configured for both SecureClient and SNX users If you want to use Integrity Clientless Security (ICS), you shoudl install the ICS server or ICS configuration tool |
|
|
Which VPN-1 authentication schemes are supported in SNX?
|
all of them
|
|
|
At the end of the SNX session, what information about the user or gateway remains on the client machine?
|
none
|
|
|
What logging capabilities differ between SNX and SecureClient?
|
none
|
|
|
T/F - SSL Network Extender is supported in IPSO
|
true
|
|
|
T/F - SNX supports Hub Mode
|
true
|
|
|
What are the two clear phases of Clientless VPN?
|
Establishing a Secure Channel and Communication Phase
|
|
|
T/F - User Authentication is supported in Clientless VPN
|
true
|
|
|
What is invoked by the gateway to handle Clientless VPN connections?
|
The Clientless VPN Security Server daemon. It continues to run as a background process.
|
|
|
What takes place in the Communication Phase of Clientless VPN?
|
The VPN Security Server opens a connection to the Web server. The client connects to the server via the VPN-1 gateway. From now on, all connections from the client to the gateway are encrypted.
Since the gateway now sees the packet int he clear, it can be inspected for content. |
|
|
What are three special considerations for Clientless VPN?
|
Which Certificate does the gateway present?
How many Security Servers should be run? What level of encryption is required? |
|
|
What must be done by the administrator if he chooses to present a certificate from an external CA in Clientless VPN?
|
Obtain the CA certificate
Configure the SmartCenter Server to trust this CA Obtain and configure a certificate for the gateway Supply the CA certificate to the client Instruct the user to configure the client to trust this CA |
|
|
How many Security Servers can be run on a single gateway?
|
10
|
|
|
Up to how many active users does Check Point recommend to use each VPN Security Server?
|
Up to 150 active users
|
|
|
For the most part, Clientless VPN is configured on the gateway. What are two exceptions, and how are they configured?
|
1) The gateway authenticates itself to the client using a certificate that is not one of the client's default certificates.
2) User Authentication via certificates is required. In both cases, the relevant certificates must be supplied to the client out-of-band and the client configured to work with them |
|
|
What must be done in the Rule Base to allow Clientless VPN when User Authentication is not required?
|
A URI resource must be defined in the Rule to force the Security Server to be employed on every connection
|
|
|
What 3 things does a VPN guarantee?
|
Authenticity
Privacy Integrity |
|
|
How are users managed for SecureRemote/Client? (2)
|
Internal Database
LDAP server |
|
|
What kinds of gateways does SecureRemote work with?
|
VPN-1
UTM |
|
|
What Security features are added by SecureClient compared to SecuRemote? (3)
|
Desktop Security
Logging and alerts Secure Config Verification |
|
|
What connectivity features are added by SecureClient compared to SecuRemote? (3)
|
Office Mode addresses
Visitor Mode Hub Mode |
|
|
What management features are added by SecureClient compared to SecuRemote? (3)
|
Automatic Software distribution
Advanced packaging-and-distribution options Diagnostic tools |
|
|
When is Visitor mode used?
|
When the client needs to tunnel all client-to-gateway traffic through a regular TCP connection on port 443
|
|
|
What is done with traffic in Hub mode?
|
All traffic is routed through the gateway to achieve higher levels of security and connectivity.
|
|
|
(T/F) The IP assignment in Office Mode is lease-renewed as long as the user is connected?
|
True
|
|
|
For Office mode, what are the 2 different ways an IP address can be taken from an IP pool?
|
General Pool
User Group Pool |
|
|
What are the 2 ways the address can be specified in Office Mode?
|
Per User
DHCP |
|
|
In Office mode, what service does DHCP enable?
|
DNS name-resolution service
|
|
|
In Office mode, what does DNS name resolution service make easier?
|
accessing the remote client from within the corporate network.
|
|
|
(T/F) It is not possible to enable office mode for specific user groups.
|
False. It's possible to enable OM for specific groups or for all users.
|
|
|
What remote access methods support Office Mode?
|
SecureClient
SSL Network Extender Crypto L:2TP |
|
|
(T/F) A remote user with only SecuRemote is supported in Office Mode.
|
False
|
|
|
What routing-table modification needs to be made to support Office Mode?
|
internal LAN routers must route Office Mode IP addresses to the gateway/cluster that assigned the addresses.
|
|
|
What happens when the Multiple External Interfaces feature is enabled?
|
Routing decisions are performed after the packets are encapsulated using IPSEC to prevent routing problems.
|
|
|
Since there is a performance impact, when is Multiple External Interfaces recommended?
|
The gateway has multiple interfaces
Office Mode packets are routed to the wrong external interface. |
|
|
What IP configuration is the basic configuration for Office Mode?
|
IP Pools
|
|
|
In Desktop Security, what happens when the renewal process continually fails?
|
The current policy expires and the remote client remains with the previous policy.
|
|
|
(T/F) During the security policy update the mobile user log files are being uploaded to the policy server.
|
True
|
|
|
How do you prepackage SecureClient to include a default policy? (5)
|
1. Open the SecureClient SC tar.gz file.
2. Place the policy files in the tar.gz directory (local.scv, local.dt, local.1p, etc.) 3. specify initialpolicy.bat in the install section of product.ini 4. repackage using tar tool or run setup from the tar.gz 5. install SecureClient from the generated package/tar.gz |
|
|
How do you enable Policy Server HA?
|
Set the use_profile_ps_configuration to true in the userc.c file.
|
|
|
(T/F) SecureClient does not record the IP addresses and ports that were accessed during the registration phase.
|
False
|
|
|
(T/F) Enabling logging with locally save all the activity on a remote host.
|
True
|
|
|
(T/F) Log files do not include confidential info.
|
False
|
|
|
SecureClient's Mobile VPN is based on:
|
SSL (HTTPS) tunneling
|
|
|
(T/F) SecureClient acan be triggered/controlled by third-party applications.
|
True
|
|
|
What is Centrally Managed Mode?
|
The client conencts to a gateway configured for SecureClient Mobile and downloads a set of policies that were sent to that gateway by the SCS. The client then enforces these policies.
|
|
|
What is the oldest version that supports Centrally Managed Mode?
|
R60_HFA4
|
|
|
What is the oldest version that supports Centrally Managed Mode without patching the SCS and gateway?
|
R65
|
|
|
When using Hub mode, what should you also use?
|
Office Mode
|
|
|
Is Office Mode supported in SecuRemote?
|
No
|
|
|
What are the 3 special demands of remote clients?
|
Connectivity (various locations & networks)
Secure Connectivity Usability |
|
|
How is SSL Network Extender implemented on the user's machine?
|
A thin client is installed on the user's machine.
|
|
|
How is SSL Network Extender activated?
|
Using SmartDashboard to enable the SSL enabled web server on the gateway.
|
|
|
For SSL Network Extender, what must be done to enable connectivity for clients?
|
VPN-1 must be configured to support SecuRemote/SecureClient in addition to a minor configuration related to SSL Network Extender.
|
|
|
How is SSL Network Extender installed on the user's machine?
|
By downloading it from gateway.
|
|
|
What is the oldest version of gateway that a user can use to download SSL Network Extender?
|
R55 HFA10
|
|
|
What do first-time installations, uninstalls, and upgrades require on the client machine?
|
admin rights
|
|
|
What are the configuration requirements for the server side of SSL Network Extender?
|
1. The gateway must be configured as part of the Remote Access Community
2. Visitor mode must be enabled. 3. The same access rules are configured for SecureClient and SSL Net Ex. |
|
|
What should you do if you want to use Integrity Clientless Security (ICS)?
|
Install the ICS server or ICS configuration tool.
|
|
|
What are the d/l and install sizes of SSL Network Extender?
|
400KB package and 650KB installed.
|
|
|
The SNX mechanism is based on which 2 modes?
|
Visitor and Office
|
|
|
Is automatic proxy detection implemented in SNX?
|
Yes
|
|
|
Does SNX support all of CP's auth schemes?
|
Yes
|
|
|
What information about the user remains on the client machine?
|
None
|
|
|
(T/F) SNX logging is not identical to SecuRemote/SecureClient.
|
False
|
|
|
(T/F) HA Clusters and failover are not supported with SNX
|
False
|
|
|
(T/F) SNX supports the RC4 encryption method.
|
True
|
|
|
(T/F) SNX users can authenticate using certificates issues by any trusted CA.
|
True
|
|
|
(T/F) SNX is not supported on IPSO
|
False
|
|
|
What does Integrity Clientless Security (ICS) prevent?
|
Threats posed by malware, trojans, hacker tools, key loggers, adware, etc.
|
|
|
(T/F) SNX cannot work in hub mode
|
False
|
|
|
What is provided by Clientless VPN?
|
1. Secure SSL communication between clients and servers that support HTTPS.
2. accepts any encryption method that is proposed by the client and supported in VPN. 3. Can enforce the use of strong encryption. 4. Supports user authentication |
|
|
What are the 2 clear phases of Clientless VPN?
|
Establishing a secure channel
Communication phase |
|
|
What are the steps in establishing a Secure Channel?
|
1. HTTPS request to the web server.
2. request reaches VPN-1 gateway. 3. the gateway checks the security policy. 4. If a rule is matched and clientless VPN is enabled, the connection is diverted to the Clientless VPN Security Server. 5. SSL negotiation takes place. The gateway uses a cert signed by a CA the client trusts. 6. Secure channel is established. |
|
|
What is the Clientless VPN Security Server?
|
It is a daemon invoked by the gateway to handle Clientless VPN connections that, once invoked, runs as a background process.
|
|
|
What are 3 considerations for Clientless VPN?
|
1. Which cert does the gateway present.
2. How many security servers should be run. 3. What level of encryption is required. |
|
|
Which certificate option for Clientless VPN requires no configuration on the client side?
|
The gateway presents a cert signed by a CA trusted by the client.
|
|
|
Which certificate option for Clientless VPN supplies a higher level of security?
|
A cert from the ICA.
|
|
|
For Clientless VPN, what steps are taken to set up an externally supplied certificate?
|
1. Obtain a CA Certificate
2. Configure the SCS to trust this CA. 3. Obtain and configure the cert for the gateway. 4. Supply the CA certificate to the client and instruct user on the client config |
|
|
How many Security servers can be run on the same gateway?
|
10
|
|
|
Check Point recommends running one VPN Security Server per _____ active users.
|
150.
|
|
|
For the most part, Clientless VPN is configured on the ____________.
|
Gateway
|
|
|
What are the 2 exceptions to configuring Clientless VPN on the gateway?
|
1. The gateway authenticates itself to the the client using a cert that is not one of the client's default certs.
2. User auth is require and is done using certs. |
|
|
For Clientless VPN, if no auth is required a rule must be defined that implements the _______________.
|
URI resource
|
|
|
For Clientless VPN, if client auth is required a rule must be defined that lists the _____________ in the service column and ___________ in the Action column.
|
URI resource
Client Authentication |
|
|
For Clientless VPN, if user auth is required a rule must be defined that lists the _____________ in the service column and ___________ in the Action column.
|
service
User auth |
