Acknowledgments
We would like to acknowledge the following people for their kindness and support in making this book possible. Syngress books are now distributed in the United States by O'Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C.J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen and to all the others who work with us, but whose names we do not know (yet)! The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands. Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines. A special thanks to all the folks at Malloy who have made things easy for us and especially to Beth Drake and Joe Upton.
Author
Chris Tobkin (CCSI, CCSE+, CCSE, CCSA, MCP) is a security engineer for Check Point Software Technologies, Ltd. and a member of the Minnesota chapter of the ISSA. Chris began his career over a decade ago programming C, C++, and Perl at the University of Minnesota. While there obtaining his bachelors of business administration with emphasis on management information systems degree, his job expanded to include project management, as well as database, network, and systems administration. His talents in security were recognized and leveraged as a part of the computer security group for the university. Chris later moved on to a security services and integration company where he was able to hone his skills in penetration testing, social engineering, firewalling, policy development, intrusion detection and prevention, and teaching courses in security, including the Check Point curriculum. In 2001, Chris moved to a position inside Check Point designing and architecting solutions for customers. Chris has also done many presentations and other writing including contributing to Check Point NG VPN-1/FireWall-1: Advanced Configuration and Troubleshooting (Syngress Publishing, ISBN: 1-931836-97-3) and the CCSA Next Generation Check Point Certified Security Administrator Study Guide (McGraw-Hill, ISBN: 0072194-20-0).
Technical Editor and Contributor
Daniel Kligerman (CCSA, CCSE), author of Building DMZs for Enterprise Networks (Syngress Publishing, ISBN: 1-931836-88-4), Check Point NG VPN-1/FireWall-1: Advanced Configuration and Troubleshooting (Syngress Publishing, ISBN: 1-931836-97-3), Nokia Network Security Solutions Handbook (Syngress, ISBN: 1-931836-70-1), and Check Point Next Generation Security Administration (Syngress, ISBN: 1-928994-74-1), is a senior network specialist with TELUS, Canada's second-largest telecommunications company. Leading the eastern Canadian network team, he is responsible for the architecture, deployment, and support of enterprise customer networks, including LAN and WAN routing and switching, and all aspects of network security. Daniel holds a bachelor of science degree from the University of Toronto in computer science, statistics, and English, and resides in Toronto, Canada with his wife Merita.
Contributors
Drew Simonis (CISSP, CCNA, SCSA, SCNA, CCSA, CCSE, IBM CS) is a senior security engineer with the RL Phillips Group, LLC, where he provides senior level security consulting to the United States Navy, working on large enterprise networks. Drew is a security generalist, with a strong background in system administration, Internet application development, intrusion detection and prevention, and penetration testing. He is a co-author of Hack Proofing Your Web Applications (Syngress Publishing, ISBN: 1-928994-31-8) and Hack Proofing Sun Solaris 8 (Syngress, ISBN: 1-928994-44-X). Drew's background includes various consulting positions with Fiderus, serving as a security architect with AT&T and as a technical team lead with IBM. Drew has a bachelor's degree from the University of South Florida.
Security is seldom simple. Over the years, companies have done an excellent job of mandating that security and privacy be transparent to users in the name of productivity. Some of us long for a simpler time when security response wasn't measured in minutes and availability wasn't measured in milliseconds. With the rise in the number and complexity of vulnerabilities and attacks, security professionals must defend their systems against more threats, more quickly than ever before. Check Point has produced a solution which makes this possible ... Check Point's Simple Management ... (which has been mimicked but never replicated) has been ... for ease-of-use since its inception a decade ago.
2. Move into the CD-ROM mount point directory by typing cd /cdrom/cpsuite-r54 and press Enter. The directory name that you are using may vary depending on the version of the CD that you have. There is a file in this directory titled ReadmeUnix.txt, which explains the contents of the CD and how to begin the installation process.
www.syngress.com
Chapter 2 • Installing and Configuring VPN-1/FW-1 NG with AI
3. When you are ready to start with the installation, type ./UnixInstallScript and press Enter to initiate the Check Point installation wizard (see Figure 2.47). If you are in the Common Desktop Environment (CDE) then you can also use a file manager and double-click the UnixInstallScript file to begin. After you press Enter, you will be presented with Check Point's welcome screen.
NOTE
If you are installing Check Point NG on Linux, you use the same UnixInstallScript to begin the installation process. It will execute a separate executable behind the scenes (wrappers/unix/Install_Linux).
Figure 2.47 UnixInstallScript
The figure shows a long listing (total 260) of the CD after # cd /cdrom/cpsuite-r54, owned by root: Autorun.inf (102 bytes), Docs (2048), License.txt (1003), OPSEC (2048), ReadmeUnix.txt (5198), ReadmeWindows.txt (5317), SU (2048), SecurePlatform (2048), Setup.exe (77824), Setup.ini (380), TPAGS.TBL (872), UnixInstallScript (2155) and linux (6144); most entries are dated Jun 3 13:04.
4. From the Welcome Screen (Figure 2.48) you have the options listed below. Type n to advance to the next screen.
• V - Evaluation Options Informational page on running this software on an evaluation license.
• C - Contact Information This option gives you telephone numbers on how to find and contact a local Check Point partner.
• N - Next Proceed to the next screen.
• H - Help To get help with navigating the installation screens.
• E - Exit To quit the installation and exit.
It makes no difference in the installation process whether you are installing a purchased product or if you are installing for evaluation purposes. The software installation is exactly the same; the only thing that is different is the license you apply during configuration. You can always apply a permanent license to a system installed on evaluation at any time to turn it into a production firewall.
Figure 2.48 Welcome to Check Point NG
Welcome to Check Point NG with Application Intelligence Enterprise Suite!
Thank you for choosing Check Point Software Technologies, the worldwide leader in Internet security. Please make sure you have obtained a license before continuing. If you do not have a license, see your reseller or visit the Check Point User Center. We recommend that you close all other applications before running this installation program.
NOTE
While running the UnixInstallScript, keep your eye at the bottom of the screen to see your navigation options. You will enter the letter associated with the menu item to perform the requested action. For example, to exit the system, you see E - exit at the bottom of the screen. Simply press e to exit and end the installation at any time.
5. You will receive the license agreement as shown in Figure 2.49. Press the space bar until you reach the end of the agreement. When you reach the end, the program will prompt you to indicate whether you accept the terms in the license agreement, "Do you accept all the terms of this license agreement (y/n) ?" Enter y and press Enter.
Figure 2.49 License Agreement
...such individual is acting) (hereinafter "You" or "Your") and Check Point Software Technologies Ltd. (hereinafter "Check Point").
TAKING ANY STEP TO SET-UP OR INSTALL THE PRODUCT CONSTITUTES YOUR ASSENT TO AND ACCEPTANCE OF THIS END USER LICENSE AGREEMENT. WRITTEN APPROVAL IS NOT A PREREQUISITE TO THE VALIDITY OR ENFORCEABILITY OF THIS AGREEMENT AND NO SOLICITATION OF ANY SUCH WRITTEN APPROVAL BY OR ON BEHALF OF YOU SHALL BE CONSTRUED AS AN INFERENCE TO THE CONTRARY. IF YOU HAVE ORDERED THIS PRODUCT AND SUCH ORDER IS CONSIDERED AN OFFER BY YOU, CHECK POINT'S ACCEPTANCE OF YOUR OFFER IS EXPRESSLY CONDITIONAL ON YOUR ASSENT TO THE TERMS OF THIS AGREEMENT, TO THE EXCLUSION OF ALL OTHER TERMS. IF THESE TERMS ARE CONSIDERED AN OFFER BY CHECK POINT, YOUR ACCEPTANCE IS EXPRESSLY LIMITED TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE WITH ALL THE TERMS OF THIS AGREEMENT, YOU MUST RETURN THIS PRODUCT WITH THE ORIGINAL PACKAGE AND THE PROOF OF PAYMENT TO THE PLACE YOU OBTAINED IT FOR A FULL REFUND.
1. DEFINITIONS:
1.1 "Product" means the object code copy of the software program provided to You in association with this Agreement, together with the associated original electronic media and all accompanying manuals and other documentation, and together with all enhancements, upgrades, and extensions thereto that may be provided to You from time to time.
6. The next screen (Figure 2.50) will prompt you with two options to continue with the installation. They are somewhat self-explanatory: New Installation and Advanced Upgrade. The advanced upgrade can be used to export a configuration from a previous version into a single compressed file. It can also be used to import the aforementioned configuration file into a new installation to create a new NG AI system with the configuration of the old system. For the purposes of this installation, we will press 1 to choose New Installation and then n to continue.
Figure 2.50 Select Installation
Installation Options, please select one of the following options:
1. (*) New Installation.
2. ( ) Advanced Upgrade.
7. You will now be presented with a screen where you will select the products that you want to install from this CD (Figure 2.51). Your options are explained below. Type in the numbers of the packages you wish to select in this window. Type the number again to unselect it. If you enter r for Review, then you will get a new screen in which you can select a product by entering its number, and then pressing r again to get a description of the product. You're going to type 1, 2 and then 4 to select VPN-1 & FireWall-1, SmartCenter, and SmartConsole respectively, then enter n to advance to the next screen.
• VPN-1 & FireWall-1 This includes FireWall-1 enforcement point software along with the VPN-1 encryption component.
• SmartCenter This option designates that you wish to install the management station component.
• FloodGate-1 Provides an integrated Quality of Service (QoS) solution for VPN-1/FireWall-1.
• SmartConsole The Graphical User Interface for Check Point including the Policy Editor, Log Viewer, and System Status GUI. Using the management clients on Solaris requires a Motif license and you may need to tweak your environment to get them to run, but you can connect with as many remote Windows GUI clients to a Solaris management server as you wish without any additional license.
• VPN-1 SecureClient Policy Server Allows an enforcement module to install Granular Desktop Policies on mobile users' SecureClient personal firewalls.
• UserAuthority A user authentication tool that integrates with FireWall-1, FloodGate-1, and other e-business applications.
• SmartView Monitor Allows an organization to monitor its VPN connections, Internet connections, etc.
• SmartView Reporter An integrated reporting tool that can generate reports, graphs, and pie charts to display information obtained from the VPN-1/FireWall-1 logs.
• Performance Pack Also available on the Linux platform (including SecurePlatform), the Performance Pack replaces the Sun Solaris kernel with a SunTone Certified kernel optimized for firewall and VPN functions. By removing excess functionalities in the kernel and enabling inspection closer to the hardware by removing unnecessary processing cycles, the throughput is increased significantly and latency through the firewall is reduced. This software acceleration requires a SecureXL (performance pack) license to be activated.
• SmartCenter Safe@ Connector Provides the ability to manage Sofaware Safe@ Appliances (including the Sofaware S-Box and Nokia's IP30 and IP40) via the same management infrastructure (management station and clients) as enterprise firewalls.
Figure 2.51 Select Products to Install
The following products are included on this CD, select product(s):
1. [*] VPN-1 & FireWall-1.
2. [*] SmartCenter.
3. [ ] FloodGate-1.
4. [*] SmartConsole.
5. [ ] VPN-1 SecureClient Policy Server.
6. [ ] UserAuthority.
7. [ ] SmartView Monitor.
8. [ ] SmartView Reporter.
9. [ ] Performance Pack.
0. [ ] SmartCenter Safe@ Connector.
NOTE
If you are installing the enforcement module only, then select VPN-1 & FireWall-1. For those who have been using Check Point for some time, the option for installing SmartCenter here will be new. The installation of management is actually just a configuration option, not an extra package. If you select VPN-1 & FireWall-1 and do not select SmartCenter, you will be prompted with options analogous to the legacy version. The first option asks whether this system will be part of a Distributed or Stand Alone installation. When Distributed is chosen, you will be presented with the following options:
• Enterprise Module To install a firewall which will be managed by another system running the management software, choose this option.
• Enterprise SmartCenter Select this option if this system will only be a management server.
• Enterprise SmartCenter and Enforcement Module To install a firewall which will be managed by the management software which is also installed on this system, choose this option.
• Enterprise Log Module To send logs to a system which is only used for retaining logs.
• Enterprise Module and Enterprise Log Server To install an enterprise firewall...
8. Next you will need to select the type of management installation you want on this system. You must select one of these options if you chose to install SmartCenter for management. Enter the desired option number. To select a different option number, simply enter that number. Select one of the options as shown in Figure 2.52. Enter 1 to select Enterprise Primary SmartCenter, and then press n to continue.
• Enterprise Primary SmartCenter To install a management server that will be acting in a primary capacity.
• Enterprise Secondary SmartCenter To install a management server that will be acting in a backup capacity. This option requires an Enterprise Primary SmartCenter to be already installed and licensed for Management High Availability in your infrastructure.
Figure 2.52 Choose the Type of Installation
SmartCenter Type
1. (*) Enterprise Primary SmartCenter.
2. ( ) Enterprise Secondary SmartCenter.
9. On the next screen (illustrated in Figure 2.53) press n to continue. This will be the last screen where you can exit the configuration before the installation script will start copying files. While the installation script is installing the package and copying files, you will see a screen similar to the one in Figure 2.54. The installation could take a few minutes. Next, the firewall will install the VPN-1/FireWall-1 kernel module and begin the configuration process.
Figure 2.53 Validation Screen
You have selected the following products for installation:
* VPN-1 & FireWall-1
* Enterprise Primary SmartCenter
* SmartConsole
* Backward Compatibility module for VPN-1 & FireWall-1
Figure 2.54 Installation Progress
Check Point Installation Progress
Installing Check Point SVN Foundation R54...
Installing VPN-1 & FireWall-1 R54...
Installing VPN-1 & FireWall-1 4.1 for Backward Compatibility...
Installing SmartConsole R54...
Configuring Check Point VPN-1/FireWall-1 NG AI on Solaris
Once the system has finished copying files during the installation procedure, it will begin to go through the configuration screens shown in Figure 2.55. If you read the first section of this chapter, then you should be prepared to configure the firewall. After this initial configuration, you can always come back to any of these screens by running cpconfig from the root shell. It is recommended that you go through all of these screens during the installation without canceling; you can always go back in to change your initial configuration settings. The initial configuration will take you through the following screens:
• SecureXL Acceleration
• Licenses
• Administrators
• GUI Clients
• SNMP Extension
• Certificate Authority Configuration
Figure 2.55 SecureXL Acceleration
**************** VPN-1 & FireWall-1 kernel module installation ****************
SecureXL Acceleration
The first configuration option you are asked is in regard to SecureXL Acceleration. If you wish to offload the processing of VPN encryption onto a third-party hardware acceleration device, you can answer this question with y for yes to prepare the module for processing offload. For the installation within this chapter, enter n for no and press Enter.
Licenses
You should have obtained all of your licenses before you get to this step. If you need help getting your license, read the first part of this chapter titled "Before you Begin." If you don't have any permanent licenses to install at this time, you can either continue without a license and use the built-in 15-day evaluation license or, at any time, request an evaluation license from either Check Point directly or your Check Point reseller.
NOTE
The license configuration option will be displayed regardless of which modules you have installed.
When installing a primary management module, you will be installing a local license that was registered with the local management station's IP address. Follow this step-by-step procedure for adding your license(s). You can see the license configuration input and output in Illustration 2.3.
1. When prompted to add licenses, enter y for yes and press Enter.
2. Enter m to add the license manually and press Enter. Now you will be prompted for each field of the license. The illustration below shows the following license installed:
cplic putlic 192.168.0.1 never aoMJFd63kpLdmKQMwZ-aELBqjeVX-pJxZJJCZy CPMP-VFE-U-NG CKaf80d80852ad
• Host The IP address or hostid associated with this license.
• Date The date that the license expires, which is "never" for any purchased license.
• String The license string provided by Check Point to validate the license. This key will be unique for each license and IP Address/Host.
• Features These are the features that this license will enable (e.g. management and/or 3DES).
As you can see in Illustration 2.3, you also have the option of choosing f for Fetch from file. If you select this option, the configuration will prompt you to enter the file name of the file received from UserCenter.
3. Enter the values for Host, Date, String, and Features, pressing Enter after each entry.
Illustration 2.3 Configuring Licenses
Configuring Licenses...
The following licenses are installed on this host:
Host            Expiration      Features
Do you want to add licenses (y/n) [n] ? y
Do you want to add licenses [M]anually or [F]etch from file?: M
Host:192.168.0.1
Date:never
String:aoMJFd63k-pLdmKQMwZ-aELBqJeVX-pJxZJJCZy
Features:CPMP-VFE-U-NG CK-af80d80852ad
Administrators
If you have installed a management module, you will be prompted to add an administrator as soon as you enter a license into the configuration program. You must define at least one administrator at this time to allow you to log in using the SmartConsole GUI clients. You can always come back later to add, edit, or delete your administrators. Illustration 2.4 depicts the steps involved to add your administrator.
NOTE
If you have installed an enforcement module only, then you will not configure administrators.
It is best to use individual administrative usernames instead of a generic username like fwadmin. The problem with using a generic login ID is that you cannot properly audit the activities of the firewall administrators. It may be important for you to know who installed the last security policy when you are troubleshooting a problem. This becomes more and more important when there are several people administering a firewall system. You will have to complete the following fields:
• Administrator Name Choose a login name for your administrator. This field is case-sensitive.
• Password Choose a good alphanumeric password. It must be at least four characters long and is also case-sensitive.
• Verify Password Repeat the same password entered above.
• Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized)
Illustration 2.4 Adding an Administrator
Configuring Administrators...
No VPN-1 & FireWall-1 Administrators are currently defined for this SmartCenter Server.
Administrator name: Joe
Password:
Verify Password:
Permissions for all Management Clients (Read/[W]rite All, [R]ead Only All, [C]ustomized) w
Permission to Manage Administrators ([Y]es, [N]o)
Administrator Joe was added successfully and has Read/Write Permission for all products with Permission to Manage Administrators
Add another one (y/n) [n] ? n
Use the following steps to add an administrator:
1. Enter the login ID for your Administrator and press Enter. "Joe" is used in this example.
2. Enter the password for this username and press Enter.
3. Confirm the password entered in step 2 and press Enter.
4. Enter w for Read/Write All to give the administrator full permissions to access and make changes to all SmartConsole GUI clients.
Setting permissions enables you to define the access level that you will require on an individual basis for each administrator. If you select Read/[W]rite All or [R]ead Only All, then your administrator will have access to all the available GUI client features with the ability to either make changes and updates or to view the configuration and logs (perhaps for troubleshooting purposes) respectively. You may also choose to customize their access so that they may be able to update some things and not others. To do this, select Customized and configure each of these options (see Illustration 2.5):
• SmartUpdate This GUI tool enables you to manage licenses and update remote modules.
• Monitoring This option enables access to the Log Viewer, System Status, and Traffic Monitoring GUI clients.
Illustration 2.5 Setting Customized Permissions
Permissions for all products (Read/[W]rite All, [R]ead Only All, [C]ustomized) c
Permission for SmartUpdate (Read/[W]rite, [R]ead Only, [N]one) w
Permission for Monitoring (Read/[W]rite, [R]ead Only, [N]one) w
Administrator Doug was added successfully and has
Read/Write permission for SmartUpdate
Read/Write permission for Monitoring
GUI Clients
The Graphical User Interface clients are the management clients you installed. These clients can be installed on as many desktops as you wish, but before they can connect to the management server, you need to enter their IP addresses into the GUI clients configuration (Illustration 2.6). You can use this feature, for example, if you install the GUI clients on your own workstation to enable you to control the management server from your PC. This will allow you to connect remotely to manage the security policy and view your logs and system status. You do not need to configure any clients at all during the installation, but if you are already prepared for this step, you may enter as many clients into this window as necessary. This client information will be saved in a file on your firewall under $FWDIR/conf and will be named gui-clients. This file can be edited directly, but should be edited using the GUI clients window at any time in the future by running cpconfig. If you do not add any GUI clients, you will only be able to connect using the X-Motif GUI from this system.
NOTE
If you have installed an enforcement module only, then you will not configure GUI clients.
1. Press y to define the GUI clients.
2. Type in a GUI client IP address and press Enter.
3. Repeat step two for each GUI client you want to add to the list.
4. Press Ctrl + D to complete the list.
5. Verify that the list is correct, enter y for yes and press Enter to continue.
Illustration 2.6 Configuring GUI Clients
Configuring GUI clients...
GUI clients are trusted hosts from which Administrators are allowed to log on to this SmartCenter Server using Windows/X-Motif GUI.
No GUI Clients defined
Do you want to add a GUI Client (y/n) [y] ? y
You can add GUI Clients using any of the following formats:
1. IP address.
2. Machine name.
3. "Any" - Any IP without restriction.
4. A range of addresses, for example 1.2.3.4-1.2.3.40
5. Wild cards - for example 1.2.3.* or *.checkpoint.com
Please enter the list of hosts that will be GUI Clients. Enter GUI Client one per line, terminating with CTRL-D or your EOF character.
192.168.0.10
172.17.3.2
^D
Is this correct (y/n) [y] ? y
As you enter GUI clients into this configuration, you type their hostname or IP address, one per line, pressing Enter at the end of each. When you are finished editing the client list, press Ctrl + D to send an end of file (EOF) control character to the program to continue. You are allowed to use wildcards as follows:
• Any If you enter the word Any, this will allow anyone to connect without restriction (not recommended).
• Asterisks You may use asterisks in the hostname. For example, 192.168.0.* means any host from 192.168.0.0 to 192.168.0.255, and *.domainname.com means any hostname within the domainname.com domain.
• Ranges You may use a dash (-) to represent a range of IP addresses. For example, 192.168.0.5-192.168.0.9 means the 5 hosts including 192.168.0.5 and 192.168.0.9 and each one in between.
• DNS or WINS resolvable hostnames
Illustration 2.7 displays an example of the configured GUI clients window with various options that you can use for your GUI client entries. It is recommended that you avoid using hostnames or domain names, however, since this requires DNS to be configured and working on the firewall. Using IP addresses is the best method since it doesn't rely on resolving, and will continue to work even if you cannot reach your name servers from the management station.
Illustration 2.7 GUI Client Wildcards
Please enter the list of hosts that will be GUI clients. Enter hostname or IP address, one per line, terminating with CTRL-D or your EOF character.
*.mycompany.com
192.168.0.5-192.168.0.9
172.17.3.2
172.17.2.*
noc.mycompany.com
Is this correct (y/n) [y] ? y
Certificate Authority Initialization
Your management server will be a Certificate Authority for your firewall enforcement modules, and will use certificates for Secure Internal Communication (SIC). This is the step in the installation process where the management server's CA is configured, and a certificate is generated for the server and its components.
You will be presented with the Key Hit Session configuration option, where you will be asked to input random text until you hear a beep. The data you enter will be used to generate the certificate, and it is recommended that you enter the data at a random pace; some keystrokes may be close together and others could have a longer pause between them. The more random the data, the less likely that the input could be duplicated. If the system determines that the keystrokes are not random enough, it will not take them as input, and will display an asterisk to the right of the progression bar.

NOTE: The Key Hit Session screen will also be presented to you if you have installed an enforcement module only, so that you can generate an internal certificate for SIC.

1. Type random characters at random intervals into the Key Hit Session window until the progress bar is full, and the message "Thank you" appears at the bottom of the window as seen in Figure 2.56.

Figure 2.56 Random Pool
Enter GUI Client one per line, terminating with CTRL-D or your EOF character.
*.mycompany.com
192.168.0.5-192.168.0.9
172.17.3.2
172.17.2.*
noc.mycompany.com
Is this correct (y/n) [y] ? y

Configuring Random Pool...
==========================
You are now asked to perform a short random keystroke session. The random data collected in this session will be used in various cryptographic operations. Please enter random text containing at least six different characters. You will see the '*' symbol after keystrokes that are too fast or too similar to preceding keystrokes. These keystrokes will be ignored. Please keep typing until you hear the beep and the bar is full.
2. The next step is to initialize the internal Certificate Authority for SIC. It may take a minute for the CA to initialize. Figure 2.57 displays the messages you will receive on the console while configuring the CA. Press Enter to initialize the Certificate Authority.
Figure 2.57 Configuring Certificate Authority
... with the following name: CentralMgmt.mycompany.com
Certificate Authority initialization ended successfully
CentralMgmt.mycompany.com was successfully set to the Internal CA
Done
[fingerprint words of the management server's certificate; not legible in the scan]
Do you want to save it to a file? (y/n) [n] ? y
Once the CA is initialized successfully, you will be presented with the fingerprint of the management server's certificate. This fingerprint is unique to your CA and the certificate on your management server used for communication with the management server (another certificate would be generated for VPN). The first time your GUI clients connect to the management server, they will receive the fingerprint so that they can match it to the string listed here and verify that they are connecting to the correct manager. After the first connection, every time the clients connect to the management server, the fingerprint is verified. If the fingerprint presented by the management server doesn't match what's known on the workstation, a warning message will be displayed, and the administrator can decide whether or not to continue with the connection. Type y and press Enter to save the fingerprint to a file. Enter the filename and press Enter. The file will be saved in $CPDIR/conf.
Installation Complete
When the configuration program ends, you may see a few messages on the screen, such as "generating GUI-clients INSPECT code" as the system finishes up the installation of the VPN-1/FireWall-1 package. Finally, you will receive the following question, "Would You like to reboot the machine [y/n]" (shown in Figure 2.58). If you select not to reboot, then you will exit the installation and go back to a shell prompt. If you choose to reboot, then the system will be restarted.
WARNING: If you are connected to this firewall remotely, then you will not have access after rebooting. The firewall loads a policy named InitialPolicy, which will prevent all access after an installation.
1. Enter n for no and press Enter.
2. Press Enter again to exit the installation script.
Figure 2.58 Installation Complete
Would You like to reboot the machine [y/n]: n
Note: In order to set the new environment variables, please login again to root account.
If you wish to start the installed products, run cpstart.
Press Enter to continue...
When you exit the installation script, you will see the shell. The last message you received on the console was concerning new environment variables. Let's address these environment variables for a moment. The firewall will create a .profile in root's home directory, which runs the Check Point environment script located at /opt/CPshrd-54/tmp/.CPprofile.sh (for Bourne shell) or .CPprofile.csh (for C shell). This script sets your Check Point variables such as $FWDIR and $CPDIR among others. See Figure 2.59 for a list of environment variables that are set after installation on a new system. Without setting these variables, various firewall commands will fail. For example, if you log in to the system as your standard user and then type su to root instead of su -, you will maintain the standard user's environment; then when executing fw unload localhost to unload the InitialPolicy, you will receive the following error message: "ld.so.1: /etc/fw/bin/fw: fatal: libkeydb.so: open failed: No such file or directory Killed."

3. When you are ready to restart the server, as a best practice, type sync; sync; reboot and press Enter.
Figure 2.59 Environment Variables
CPDIR=/opt/CPshrd-54
CPMDIR=/opt/CPfwl-54
FWDIR=/opt/CPfwl-54
FWBOOT_DIR=/etc/fw.boot
GUIDIR=/opt/CPclnt-54
HOME=/
LD_LIBRARY_PATH=/opt/CPfwl-54/lib:/opt/CPshrd-54/lib
LOGNAME=root
MAIL=/var/mail//root
PATH=/opt/CPfwl-54/bin:/opt/CPshrd-54/util:/opt/CPshrd-54/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin
SHELL=/sbin/sh
SUDIR=/opt/CPfwl-54/sup
SUROOT=/var/suroot
TERM=vt100
TZ=US/Central
USER=root
Getting Back to Configuration
Now that installation is complete, you may need to get back into the configuration screens that you ran through at the end of the installation. You can add, modify, or delete any of the previous configuration settings by running cpconfig. If you did not log in as root or login and type su - to gain root access, then your Check Point environment variables may not be set, and you could receive the errors displayed in Illustration 2.8:

Illustration 2.8 Possible cpconfig Execution Errors
# /opt/CPshrd-54/bin/cpconfig
You must setenv CPDIR before running this program
# CPDIR=/opt/CPshrd-54/; export CPDIR
# /opt/CPshrd-54/bin/cpconfig
ld.so.1: /opt/CPshrd-54/bin/cpconfig_ex: fatal: libcpconfca.so: open failed: No such file or directory
Can not execute cpconfig
If this happens, simply login with su -. The dash is an optional argument to su, which provides you with the environment that you would have, had you logged in directly as root. You can also set your environment by sourcing root's .profile by executing . /.profile if using sh as your shell or source /.cshrc if you are using csh as your shell. See Figure 2.60 for the output of cpconfig on Solaris.

Figure 2.60 cpconfig
# cpconfig
This program will let you re-configure your VPN-1 & FireWall-1 configuration.

Configuration Options:
----------------------
(1)  Licenses
(2)  Administrators
(3)  GUI Clients
(4)  SNMP Extension
(5)  PKCS#11 Token
(6)  Random Pool
(7)  Certificate Authority
(8)  Certificate's Fingerprint
(9)  Automatic start of Check Point Products

(10) Exit

Enter your choice (1-10) :
There are a few options listed here that did not come up during the initial installation process. Number 5 configures a PKCS#11 Token, which enables you to install an add-on card such as an accelerator card, and number 9 enables you to configure the automatic start of Check Point modules at boot time. If you installed an enforcement module only, the cpconfig screens will also include the following:

Secure Internal Communication Enables a one-time password that will be used for authentication between this enforcement module and its management server, as well as any other remote modules that it might communicate with (see Figure 2.61).

Figure 2.61 Secure Internal Communication Configuration
Configuration Options:
----------------------
(1)  Licenses
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Enable Check Point ClusterXL and State Synchronization
(7)  Automatic start of Check Point Products

(8)  Exit

Enter your choice (1-8) :5

Configuring Secure Internal Communication...
============================================
The Secure Internal Communication is used for authentication between Check Point components

Trust State: Trust established

Would you like to change the Activation Key? (y/n) [n] ?
High Availability Allows you to enable this enforcement module to participate in a High Availability or Load Sharing configuration with one or more other enforcement modules. This tab will not show up in your installation since you cannot have a management module installed on an enforcement module in a cluster. Figure 2.62 illustrates the High Availability option available from the cpconfig menu. If you enable high availability here, then you will need to set up state synchronization between the firewalls that will be participating in the cluster. This is covered in detail in Chapter 12.

Figure 2.62 High Availability Configuration
Configuration Options:
----------------------
(1)  Licenses
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Enable Check Point ClusterXL and State Synchronization
(7)  Automatic start of Check Point Products

(8)  Exit

Enter your choice (1-8) :6

Enable Check Point ClusterXL and State Synchronization...
=========================================================
High Availability module is currently disabled.
Would you like to enable the High Availability module (y/n) [y] ?
Uninstalling Check Point VPN-1/FireWall-1 NG AI on Solaris
When you uninstall Check Point VPN-1/FireWall-1 NG from Solaris, it is recommended that you make a full system backup before you begin. If you only need to back up the firewall configuration, then you should make a backup of the /opt/CP* and /var/opt/CP* directories. If you are removing a primary management server, then the first time you run pkgrm, the removal will fail. Check Point does this on purpose to ensure that you do not unintentionally delete your management module without understanding that you will not be able to restore SIC to its current state after you remove it.

WARNING: When you remove the Check Point VPN-1/FireWall-1 software from your system, you will lose all configuration data. The uninstall process deletes all files and directories.
Uninstalling VPN-1 & FireWall-1
When you uninstall the firewall, you should remove the Check Point installed packages using the pkgrm program available on your Solaris system. The components should be removed in the following order:
1. Check Point VPN-1 & FireWall-1 NG
2. Check Point SVN Foundation NG
You can remove the management clients package at any time, but the order in which you remove the two packages listed above is important. Follow the steps below to completely uninstall all Check Point products from your Solaris platform. You may wish to run the command pkginfo to see which Check Point packages you have installed before you start. The packages you are going to uninstall are listed in Illustration 2.9.

Illustration 2.9 pkginfo Command
# pkginfo | grep "Check Point"
application CPclnt-54   Check Point SmartConsole NG with Application Intelligence
application CPfwl-54    Check Point VPN-1/FireWall-1 NG with Application Intelligence
application CPfwbc-41   Check Point VPN-1/FireWall-1 4.1 for Backward Compatibility
application CPshrd-54   Check Point SVN Foundation NG with Application Intelligence

1. Exit all GUI Client windows that you may have open.
2. Log in to the firewall and su to root: su
3. Type pkgrm and press Enter. You will see a list of installed packages available for removal, as shown in Figure 2.63. In this example, you will choose the Check Point VPN-1/FireWall-1 4.1 for Backward Compatibility, which is number 3 in the list. We will uninstall this first because it extends the functionality of the VPN-1/FireWall-1 package, which means the backward compatibility package is dependent on the firewall package. And the firewall package is dependent on the SVN Foundation. These dependencies determine the order in which the software should be removed.
Figure 2.63 Package Removal Choices
The following packages are available:
  1  CPclnt-54   Check Point SmartConsole NG with Application Intelligence
                 (sparc) 5.0
  2  CPfwl-54    Check Point VPN-1/FireWall-1 NG with Application Intelligence
                 (sparc) 5.0
  3  CPfwbc-41   Check Point VPN-1/FireWall-1 4.1 for Backward Compatibility
                 (sparc) 4.1
  4  CPshrd-54   Check Point SVN Foundation NG with Application Intelligence
                 (sparc) 5.0
  5  NSCPcom     Netscape Communicator
                 (sparc) 20.4.75,REV=2000.09.05.18.43
  6  SMCgcc      gcc
                 (sparc) 3.3
  7  SMCgzip     gzip
                 (sparc) 1.3.5
  8  SMCossh     openssh
                 (sparc) 3.7.1p2
  9  SMCossl     openssl
                 (sparc) 0.9.7c
 10  SMCcop      cop
                 (sparc) 3.5beta12

... 408 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display:
4. Press Ctrl + D, and you will then be presented with the following message: Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:
5. Enter 3 and press Enter to uninstall the CPfwbc-41 package.
6. Next, the system will ask you if you are sure you want to remove this package, as seen in Illustration 2.10. Enter y for yes and press Enter.
7. Repeat this process for the CPfwl-54 package and then for the CPshrd-54 package. The SmartConsole GUI clients can be removed at any time, as they are not dependent on any other Check Point packages.
Illustration 2.10 CPfwbc-41 Package Removal
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 3

The following package is currently installed:
   CPfwbc-41  Check Point VPN-1/FireWall-1 4.1 for Backward Compatibility
              (sparc) 4.1

Do you want to remove this package? y
8. Next, the pkgrm program notifies you that the uninstall process will require the use of super-user privileges, and asks you if you want to continue (Illustration 2.11). Enter y for yes and press Enter.
Illustration 2.11 Continue with Package Removal
## Removing installed package instance <CPfwbc-41>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
9. When removing the CPfwl-54 package from a primary management station, the package removal will fail. Check Point has done this on purpose so that you can receive the WARNING notification that is displayed in Illustration 2.12. This message informs you that if you uninstall VPN-1/FireWall-1, then you will lose all configured SIC, and you will not be able to restore SIC to its current state by reinstalling the primary management server. The configuration can be recovered from a correctly performed backup. Run pkgrm again to uninstall the CPfwl-54 package.
Illustration 2.12 Removal Failed
## Verifying package dependencies.
## Processing package information.
## Executing preremove script.
There are no packages dependent on VPN-1/FireWall-1 NG with Application Intelligence.
******************************************************************
WARNING: You are attempting to uninstall your Primary SmartCenter Server.
If you continue, you will be unable to communicate with any Secondary
SmartCenter Servers and other Check Point Modules, even if you later
reinstall the Primary SmartCenter Server on this machine. The uninstall
program is now aborting. If you still wish to uninstall your Primary
SmartCenter Server, then run it again.
******************************************************************
Please disregard the following error message:
pkgrm: ERROR: preremove script did not complete successfully.

Removal of <CPfwl-54> failed.
#
10. Press Ctrl + D.
11. Enter 2 and press Enter to select the CPfwl-54 package.
12. Enter y for yes and press Enter.
13. Enter y for yes and press Enter. This time the package removal will be successful. Figures 2.64 and 2.65 show you some of the messages you will see on your console as the package is removed from the system.
Figure 2.64 Uninstall of VPN-1/FireWall-1
## Removing installed package instance <CPfwl-54>
(A previous attempt may have been unsuccessful.)

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package dependencies.
## Processing package information.
## Executing preremove script.
There are no packages dependent on: Check Point VPN-1/FireWall-1 NG with Application Intelligence.
******************************************************************
Proceeding to uninstall VPN-1/FireWall-1 NG with Application Intelligence Primary SmartCenter...
******************************************************************
## Removing pathnames in class
/var/opt/CPfwl-54/tmp
/var/opt/CPfwl-54/state
/var/opt/CPfwl-54/spool
Figure 2.65 Uninstall of VPN-1/FireWall-1 Continued
/opt/CPfwl-54/bin/AtlasStopWrapper
/opt/CPfwl-54/bin/AtlasStartWrapper
/opt/CPfwl-54/bin
/opt/CPfwl-54/SU/fwl/content.txt
/opt/CPfwl-54/SU/fwl/CPfwlPkgMod
/opt/CPfwl-54/SU/fwl
/opt/CPfwl-54/SU
/opt/CPfwl-54/LICENSE.TXT
## Executing postremove script.

IMPORTANT: You must REBOOT the machine !!!!

Check Point VPN-1/FireWall-1 NG with Application Intelligence uninstall complete

## Updating system information.

Removal of <CPfwl-54> was successful.
14. Type sync; sync; reboot and press Enter to reboot the system.
Uninstalling SVN Foundation
You have already uninstalled the VPN-1/FireWall-1 software, but now you must remove the SVN Foundation. This should always be removed after all other Check Point components, which are built on top of this foundation (as the name suggests). The SVN Foundation contains all the shared libraries used by various Check Point components. If you had installed FloodGate-1 or the Policy Server, for example, these should also be removed prior to removing the SVN CPshrd-54 package.
1. Once the machine has rebooted, log back into the console.
2. Type su - and press Enter to become the super user (root).
3. Type pkgrm and press Enter. Now your choices to uninstall are the Check Point Management Clients NG and the Check Point SVN Foundation (see Illustration 2.13).
Illustration 2.13 Remove SVN Foundation
The following packages are available:
  1  CPclnt-50   Check Point Management Clients NG
                 (sparc) 5.0
  2  CPshrd-50   Check Point SVN Foundation with Application Intelligence
                 (sparc) 5.0
4. Press Ctrl + D.
5. Enter 2 and press Enter to select the SVN Foundation CPshrd-50 package.
6. When the pkgrm program asks you if you want to remove this program, enter y for yes and press Enter.
7. Again, pkgrm will print, "This package contains scripts that will be executed with super-user permission during the process of removing this package. Do you want to continue with the removal of this package [y,n,?,q]." Enter y for yes and press Enter to continue. See Illustration 2.14 for a complete view of the uninstall process of the Check Point SVN Foundation on Solaris. You do not need to reboot after uninstalling the SVN package.

Illustration 2.14 pkgrm SVN Foundation
$ su -
Password:
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
# pkgrm

The following packages are available:
  1  CPclnt-54   Check Point SmartConsole NG with Application Intelligence
                 (sparc) 5.0
  2  CPshrd-54   Check Point SVN Foundation with Application Intelligence
                 (sparc) 5.0

... 148 more menu choices to follow;
<RETURN> for more choices, <CTRL-D> to stop display: ^D

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 2

The following package is currently installed:
   CPshrd-54  Check Point SVN Foundation with Application Intelligence
              (sparc) 5.0

Do you want to remove this package? y

## Removing installed package instance <CPshrd-54>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package dependencies.
## Processing package information.
## Executing preremove script.
There are no packages dependent on Check Point SVN Foundation NG installed.
## Removing pathnames in class
/var/opt/CPshrd-54/registry
/var/opt/CPshrd-54/conf/sic_policy.conf
/var/opt/CPshrd-54/conf/os.cps
/var/opt/CPshrd-54/conf/cp.macro
...
/opt/CPshrd-54/SU
/opt/CPshrd-54/LICENSE.TXT
## Executing postremove script.
**************************************************************
Rebooting the machine is recommended for successful removal
of Check Point NG with Application Intelligence products.
If you wish to start the previous version, please re-login and run cpstart.
**************************************************************
Check Point SVN Foundation NG with Application Intelligence uninstall complete.
## Updating system information.

Removal of <CPshrd-54> was successful.
#
Uninstalling Management Clients
The management clients do not depend on the SVN Foundation installation; therefore, you can remove them at any time without any difficulty.
1. Run pkgrm again to remove the SmartConsole package.
2. Press Ctrl + D.
3. At the prompt, "Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]:", enter 1 and press Enter to select the Check Point SmartConsole NG with Application Intelligence package (CPclnt-54).
4. Enter y for yes and press Enter when the pkgrm utility asks you, "Do you want to remove this package?"
5. Enter y for yes and press Enter when the pkgrm utility presents you with the following prompt, "This package contains scripts that will be executed with super-user permission during the process of removing this package. Do you want to continue with the removal of this package [y,n,?,q]." The package will be removed. Figure 2.66 illustrates the end of the uninstall process for the SmartConsole NG AI package.
Figure 2.66 Management Clients Package Removal
/opt/CPclnt-54/asm_help/ftp_bounce.html
/opt/CPclnt-54/asm_help/ftp.html
/opt/CPclnt-54/asm_help/fingerprint.html
/opt/CPclnt-54/asm_help/dynamic_ports.html
/opt/CPclnt-54/asm_help/dos.html
/opt/CPclnt-54/asm_help/dns.html
/opt/CPclnt-54/asm_help/cross_sites_scripting.html
/opt/CPclnt-54/asm_help/cifs_wormcatcher.html
/opt/CPclnt-54/asm_help/asm_help.css
/opt/CPclnt-54/asm_help/anti_spoof_hazard.html
/opt/CPclnt-54/asm_help
/opt/CPclnt-54/WindU
/opt/CPclnt-54/LICENSE.TXT
## Executing postremove script.

Check Point SmartConsole NG with Application Intelligence uninstalled successfully.
**********************************************************************
## Updating system information.

Removal of <CPclnt-54> was successful.
Installing Check Point VPN-1/FireWall-1 NG AI on Nokia
Check Point's Next Generation with Application Intelligence Enterprise Suite on the Nokia IPSO appliance is a popular combination. Providing a combination of rack-mount appliance hardware, a pre-hardened multi-purpose operating system, and simple web and command-line interfaces, the IPSO platform currently claims nearly half of all Check Point installations. Nokia provides a web front-end called Voyager (see Figure 2.67) for easy package management and system configuration. Nokia also provides a fast failover mechanism utilizing VRRP and Check Point's state synchronization, with an average failover time of just four seconds. Check Point VPN-1/FireWall-1 NG with Application Intelligence requires Nokia IPSO 3.7 or later for installation (refer to Nokia's Support website for the latest compatible version of the operating system which runs Check Point NG AI). You can either order a Nokia box with Check Point preinstalled, or you can download the installation package from Check Point (with appropriate login ID) and install it yourself. If you need to upgrade your IPSO, you will need to obtain the IPSO image from Nokia's website. It may be necessary to upgrade your boot manager prior to upgrading your IPSO image. Please read all release notes prior to installing new packages or operating system (IPSO) images. It is not recommended to upgrade from 4.1 to NG AI if you have less than 128MB of memory, because this is the minimum memory required to run Check Point NG AI.
Figure 2.67 Nokia's Voyager GUI
Installing the VPN-1/FireWall-1 NG AI Package
Since the Nokia appliance is already hardened, there is very little you need to do to prepare it for firewall installation. You must configure and test networking and DNS, set up the host address assignment through the Voyager GUI, and you may need to upgrade your IPSO and boot manager.
Upgrading IPSO Images
Nokia is actively developing the IPSO operating system and is continually adding new features. Before upgrading your system, you should always check Nokia's website for the compatibility matrix of platforms, operating systems, and Check Point software (see Nokia Resolution 11253). The release notes for each IPSO version contain a list of the IPSO versions that are supported upgrade paths. The newimage command will automatically upgrade the boot manager on IP300, IP600, IP500, IP100, and IP700 series appliances. You can download the 3.7 image from https://support.nokia.com (login required). Once you have the image in /var/admin, you can run newimage to install it. The options for newimage are illustrated in Table 2.2.
Table 2.2 newimage Command Line Arguments

Switch for newimage    Description
-k                     Enables you to upgrade the IPSO image and keep all currently active packages so they will be started upon reboot.
-R                     Sets the new image to be used upon the next reboot.
-l <path to image>     Tells the newimage command where to find the ipso.tgz file, which contains the new image.
-T                     Enables you to perform a test boot with the new image (not supported on the IP440).
-i                     Sets the newimage command in interactive mode. Use this if you need to ftp the file or use the CD-ROM drive (platforms with CD-ROM only) to upgrade the IPSO image.
-b                     Forces upgrade of bootmgr.
Assuming that you have the ipso.tgz file downloaded to /var/admin, and your system is on, the recommended command to upgrade your IPSO image is as follows:

newimage -k -R -l /var/admin

NOTE: The -k option should only be used if the software version you have installed and the one you are running are compatible with the current and new operating system versions.

After updating the image, reboot your system:

sync; sync; reboot
WARNING: If your IPSO hardware platform is an IP350 or IP380, you can run IPSO 3.5.1 or IPSO 3.7 (or later). Other IPSO versions previous to 3.7 were not compatible with the IP350 and IP380 hardware and, when installed, required sending the system to Nokia for a newly formatted hard drive.
Installing VPN-1/FireWall-1 NG AI
To install the VPN-1/FireWall-1 NG AI package, you must first install the SVN Foundation and then the VPN-1/FireWall-1 package. You will need to get the software from Check Point or from a Check Point reseller, since Nokia does not provide VPN-1/FireWall-1 packages on their support Web site any longer. The simplest way to install the Check Point software on a Nokia appliance is to download the wrapper (also known as the NG with Application Intelligence bundle). Follow this step-by-step procedure to install the new packages. Of course, you should always read the release notes for the most recent information on installing the Check Point software and any applicable limitations. See Table 2.3 for available arguments to the newpkg command.
Table 2.3 newpkg Command Line Arguments

Switch for newpkg    Description
-i                   Installs the package, but does not activate it. Prompts you for media type, new packages and old packages that you wish to install or upgrade.
-s <server>          Specifies the FTP server IP address.
-l <username>        Enter the FTP username (you don't need to enter a username if you will be using anonymous FTP).
-p <password>        Enter the FTP user's password.
-m                   Choose your media type; the options are CD-ROM, AFTP, FTP or LOCAL.
-d                   Prints debug messages.
-v                   Verbose mode for FTP.
-n <new package>     Enter the full pathname to the new package you are installing.
-o                   Enter the full pathname of the package you are upgrading from.
-S                   This sets newpkg to install the package silently. If you enable silent mode, then you must specify the following arguments: -o, -m, -n and possibly -s and -l, -p if the media type is not LOCAL.
-h                   Prints the usage for newpkg (help).
1. Put the installation wrapper package file in /var/admin. The NG with Application Intelligence wrapper file name at the time of release is IPSO_wrapper_R54.tgz.
NOTE
Do not unzip or untar the Nokia packages. When you run the newpkg command it will do that for you.

2. From the /var/admin directory, type newpkg -i and press Enter. The newpkg installation program will begin, and will ask you where to install the new package from, as illustrated in Illustration 2.15.
Illustration 2.15 SVN Foundation Package Installation

ExternalFW[admin]# newpkg -i
Load new package from the following:
1. Install from CD-ROM.
2. Install from anonymous FTP server.
3. Install from FTP server with user and password.
4. Install from local filesystem.
5. Exit new package installation.
Choose an installation method (1-5): 4
Enter pathname to the packages [ or 'exit' to exit ]: .
Loading Package List
Processing package IPSO_wrapper_R54.tgz...
Package Description: Check Point SVN Foundation NG with Application Intelligence
Would you like to :
1. Install this as a new package
2. Upgrade from an old package
3. Skip this package
4. Exit new package installation
Choose (1-4) : 1
3. Choose the option for local filesystem, number 4, and press Return.
4. When you are asked for the pathname to the package, type a period (.) for your current directory (which is /var/admin) and press Enter. The newpkg program will locate any packages in this directory and begin processing them one by one.
5. The Check Point SVN Foundation NG package will be presented to you. Choose 1 to install this as a new package and press Enter. Once the newpkg program has begun, it will process each package in the current directory until it has run through them all. If a package comes up that is already installed, or if you don't want to install it, then choose option 3 to skip the package and continue on with the others. You should reboot your Nokia appliance after each new Check Point package that you install; do not install them all simultaneously.
6. When the installation of SVN is finished, exit the newpkg installation and reboot with the command sync; sync; reboot.
7. When the system boots up, log in to Voyager and enable the SVN package.
• Click Manage Installed Packages.
• Turn on the new NG SVN package.
• Click Apply | Save.
8. When done in Voyager, type newpkg -i once again from the /var/admin directory and press Enter.
9. Choose the option for local filesystem, number 4, and press Enter.
10. Type a period (.) for your current directory (/var/admin) and press Enter.
11. If you have an earlier version of VPN-1/FireWall-1 installed, then choose number 1 to install this as a new package. If an earlier version of Check Point is currently enabled, select number 2 to upgrade this package from the existing, enabled version. If upgrading, then:
• Choose the package you are upgrading from the available choices.
• Verify that you want to continue and that the correct packages are being processed by pressing Enter.
12. When the installation is complete, exit the newpkg installation and reboot by typing: sync; sync; reboot.
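The shell function below is an added example, not from the book or from Nokia: it turns the silent-mode rule in Table 2.3 into a check, assembling a newpkg -S command line and refusing to print one that lacks the switches the table says -S requires. The helper name newpkg_silent, the sample package paths and the server address are constructed, and the FTP username switch is read as lowercase -l.

```shell
#!/bin/sh
# Added example (not from the book or from Nokia): compose a silent-mode
# "newpkg -S" command line from the Table 2.3 switches and reject any
# combination the table says is incomplete. Nothing is executed; the
# finished command line is printed for review.
#
# Rule from Table 2.3: -S requires -o, -m and -n, plus -s/-l/-p when the
# media type is not LOCAL. Read together with the per-switch notes:
#   CD-ROM  needs no server or credentials
#   AFTP    needs -s (anonymous FTP, so no username or password)
#   FTP     needs -s, -l and -p
#   LOCAL   needs nothing beyond -n and -o
# The username switch is taken to be lowercase -l (assumption).
#
# Usage: newpkg_silent MEDIA NEWPKG OLDPKG [SERVER [LOGIN PASSWORD]]

newpkg_silent() {
    media=$1; newpkg=$2; oldpkg=$3
    server=$4; login=$5; password=$6

    case "$media" in
        CD-ROM|AFTP|FTP|LOCAL) ;;
        *)
            echo "newpkg_silent: media type must be CD-ROM, AFTP, FTP or LOCAL, not '$media'" >&2
            return 1 ;;
    esac

    # -S without both -n and -o is invalid according to Table 2.3.
    if [ -z "$newpkg" ] || [ -z "$oldpkg" ]; then
        echo "newpkg_silent: silent mode needs -n <new package> and -o <old package>" >&2
        return 1
    fi

    # Interactive "newpkg -i" is run from /var/admin and accepts ".", but a
    # scripted run may start anywhere, so insist on absolute package paths.
    for path in "$newpkg" "$oldpkg"; do
        case "$path" in
            /*) ;;
            *)
                echo "newpkg_silent: package path must be absolute: $path" >&2
                return 1 ;;
        esac
    done

    cmd="newpkg -S -m $media -n $newpkg -o $oldpkg"

    # Network media need the FTP server address.
    case "$media" in
        AFTP|FTP)
            if [ -z "$server" ]; then
                echo "newpkg_silent: media $media needs -s <server>" >&2
                return 1
            fi
            cmd="$cmd -s $server" ;;
    esac

    # Only authenticated FTP needs a username and password.
    if [ "$media" = "FTP" ]; then
        if [ -z "$login" ] || [ -z "$password" ]; then
            echo "newpkg_silent: media FTP needs -l <username> and -p <password>" >&2
            return 1
        fi
        # Note: -p places the password in the shell history and process list.
        cmd="$cmd -l $login -p $password"
    fi

    printf '%s\n' "$cmd"
}

# Sample invocation with constructed paths: the wrapper named in step 1 as the
# new package and a hypothetical earlier package as the one being upgraded.
newpkg_silent LOCAL /var/admin/IPSO_wrapper_R54.tgz /var/admin/old_package.tgz
```

Because -p exposes the FTP password in the shell history and process list, copying the package to /var/admin and using LOCAL media is the cleaner choice when a scripted install is needed.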
Configuring VPN-1/FireWall-1 NG AI on Nokia
If VPN-1/FireWall-1 NG is installed on your Nokia appliance, but it hasn't been configured, then you must run cpconfig before attempting to start the new package. If you just received your Nokia fresh from the factory, NG AI is probably pre-installed, but you will still need to run cpconfig before the package will run properly. This is because you must accept the license agreement, choose which components you want to run (management and/or enforcement module), and configure licenses, administrators, GUI clients, etc. Your configuration options are the same as your options on the Solaris platform. See Figure 2.68 for the output of cpconfig on an NG FP1 Nokia appliance.
Figure 2.68 cpconfig on Nokia
[Screenshot; the legible portion of the terminal output reads:]
nokia[admin]# cpconfig
This program will let you re-configure your VPN-1 & FireWall-1 configuration.
Configuration Options:
(1) Licenses
...
(6) Enable Check Point ClusterXL and State Synchronization
...
Enter your choice (1-8):
After the NG package is installed on your system, you must run cpconfig to configure the package. Follow these steps to configure and activate your VPN-1/FireWall-1 NG package.
1. Run cpconfig and go through each screen. It is highly recommended that you do not enter CTRL-C at any time during the initial cpconfig configuration screens.
2. When finished with cpconfig, log in to Voyager and enable your NG package (see Figure 2.69).
• Click Manage Installed Packages.
• Turn off the old FireWall-1 package if enabled.
• Turn on the new NG AI package.
• Click Apply | Save.
The Nokia package management makes it simple to back out of an upgrade. As you can see, it is easy to toggle back and forth between installed packages. You can also switch back and forth between IPSO images from Voyager's "Manage IPSO Images" page. After enabling or disabling a package or IPSO image, you must reboot your firewall. It is also very important to ensure that you do not leave two packages that would conflict (i.e. CPShared NG FP3 and CPShared NG AI) enabled at the same time.
Figure 2.69 Managing Installed Packages
[Screenshot of Voyager's Manage Installed Packages page; not reproducible as text.]
Chapter 3 • Using the Graphical Interface

Solutions Fast Track

Managing Objects
• Do not be stingy: Create as many objects as necessary to support your rule base. You only need to do it once, but you can use them dozens of times.
• Save time and complexity by using groups of objects and users.

Adding Rules
• Remember that the order in which your rules are displayed is the order they are enforced.
• Save time by using cut/paste when creating similar rules. It is easier to edit one field than to create a new rule.
• Remember that your security policy is enforced on more than just your firewall modules. Routers and other OPSEC devices may also be impacted.

Global Properties
• Be aware of the default settings within the Global Properties and how these may impact the operation of your firewall.
• Make sure that you tailor the implied rules to suit your site's needs. Do not live with the default entries; they probably will not be just what you need.

SecureUpdate
• Use SmartUpdate to track license and version information enterprise-wide from a single point.
• Take advantage of the Check Point VPN-1/FW-1 central licenses to ease the crunch of enterprise management.

SmartView Tracker
• Do not live with the default view. Take advantage of the customizations offered to create views that suit your needs.
• Remember that the SmartView Tracker is also home to the Block Connection feature; keep it close at hand.
• Do not be afraid to try experiments with new and advanced features!

SmartView Status
• Make use of the features in this tool.
• System Status is as important to your enterprise as any other factor. This tool enables you to keep an eye on the health of your infrastructure, which is never a bad thing.
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: I see that there is a Read-Only option when I log into the GUI client. Is there a way to force a user to be read only all the time?

A: [beginning of the answer is illegible in the scan] ... panel also features a custom selection option, which allows different permissions for different Check Point components.

Q: I've installed my FW-1 inspection module on a separate machine from my Management module and I'm having trouble connecting to manage it now.

A: Make sure that you have properly set up the communication infrastructure. To do this, access the General panel of the workstation properties and select the Communication button. Verify that the Trust State is indicated as initialized or communicating.

Q: In older versions of FW-1, you could manually edit the objects.C file to alter or add objects. Can I still do this on FW-1 NG?

A: The easy answer is no. Previously, there were two copies of the objects.C file. One existed with the management module, the other with the firewall module. This is no longer true. In Check Point FW-1 NG, the firewall module objects.C is created dynamically based on the objects_5_0.C file found on the management module. The preferred method of editing this file is through the use of the dbedit command (or the GUIdbEdit tool). Consult your documentation for the command reference.
Chapter 4

Creating a Security Policy

Solutions in this Chapter:

• Reasons for a Security Policy
• How to Write a Security Policy

Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
This chapter discusses how to define a security policy, which needs to be done early on in order to find the right solution for your specific environment. Once you determine how you want to enforce security in your company, you will know whether you need to set up user authentication or whether you should use your existing Lightweight Directory Access Protocol (LDAP) server. Once you have created a security policy for your company and have planned to introduce security into your network, choosing your implementation strategy should be fairly straightforward. Next is a discussion on how to implement your security policy in the Check Point SmartDashboard. If you are using private Internet Protocol (IP) addresses inside your firewall, you may need to read the chapter on network address translation (NAT) before you can put your firewall completely in place. This chapter shows how to get your firewall ready to enforce your policy and begin passing packets in your network. You are then walked through the setup of a firewall object, and the step-by-step procedure for adding the services outlined in your Information Security Policy into the Check Point SmartDashboard interface. This chapter then discusses some additional ways in which to manipulate your rules as well as how to install your policy so that it is enforced.
Reasons for a Security Policy
You are probably deploying Check Point Next Generation (NG) with Application Intelligence (AI) to protect something. Do you know what you are protecting, what you are protecting it from, and how you are protecting it? Before you can effectively deploy any security control, especially a powerful tool like Check Point NG AI, you need to have an Information Security Policy. This is not to be confused with the Check Point Security Policy, which, according to Check Point, is "Defined in terms of a Rule Base and [FW-1 NG AI] Properties." (www.checkpoint.com/products/downloads/fw1-4_ltech.pdf) We are talking about an enterprise-wide information security policy that includes a written Security Policy accompanied by standards, guidelines, and procedures for implementing and maintaining an information security program. (This is explained in more detail in the next section.) Many organizations now find the need to have an articulated information security policy. Having such policies makes organizations more effective in their preventative, detective, and responsive security measures. Moreover, as a result of government regulations, organizations in certain vertical industries are required to have formally documented information security policies. In addition, an Information Security Policy is also extremely beneficial to the security manager because it provides, at an executive level, a mandated framework for ensuring the confidentiality, integrity, and availability of an organization's information assets. What this means is that the security manager has some weight in their corner for budget requests when they have an approved Information Security Policy. For the security administrator, having a written and approved policy can ensure that they are able to deploy Check Point NG AI in a way that minimizes disruption to business but enforces the protection necessary to keep business functioning. Think of the written policy as a recipe to ensure that you configure everything correctly.
How to Write a Security Policy
Writing an entire Information Security Policy can take months of work with involvement from the Legal and Human Resources departments, as well as various business units. In order to implement Check Point NG AI, you need at a minimum an Executive Security Policy and a Perimeter Network Security Policy. Typically, the Executive Security Policy is a high-level document of about three to five pages that points to relevant standards, procedures, and guidelines. Because the highest levels of management or the board of directors must adopt the Executive Security Policy, it should be written without details about technologies, people, or methods. This will ensure that as technology changes or as people change, the document will not become obsolete. Think of the Executive Policy as a declaration of the importance of security to your organization. However, choose your words carefully because it is a legal document in many respects. The Executive Security Policy is important because without an executive endorsement of your security policy, enforcement may become difficult. In order to write an effective Executive Security Policy you must identify early on the departments with an interest in maintaining information assets, such as R&D, Finance, and IT. Approach the managers and request their involvement in drafting an executive-level security document. In addition, you will want to include the Legal department and an executive sponsor.
NOTE
Executive support and approval is critical to the success of your Information Security Policy. When the CEO has to follow the same rules as everyone else, it makes policy enforcement much simpler.
The final document should have language such as: "Because of the nature of our business, customer non-public information is frequently transmitted or stored on our information systems. As a result, we will employ appropriate controls and safeguards including encryption to ensure that non-public information is adequately protected against unauthorized disclosure while in storage or transit." At this point, the policy seems rather vague and legal. However, resist the impulse to say "We must use Triple DES encryption on all private data that is stored or transmitted." This is important because technology changes and this document will eventually be presented to management for approval. Management does not want to see you once a month asking for changes to the security policy. As a guiding principle, the Executive Security Policy should address why security is important and delegate the further implementation of appropriate standards, guidelines, and procedures to the appropriate individuals or groups.
Drafting the second part of your overall Information Security Policy, the Perimeter Network Security Policy, is somewhat different. The Perimeter Network Security Policy is a document that includes specific standards, procedures, and guidelines for implementing and maintaining perimeter network security. The first step in drafting a Perimeter Security Policy is to obtain a network map. The network map will help you to better identify resources that need protecting and how to architect your security solution. Depending on the size of your organization, you may elect to do this yourself or to obtain the assistance of individuals with specific knowledge regarding their environment. Although there are a number of software tools to assist you in automatically mapping the network, it will still be necessary to validate the result manually. After mapping the network, determine once again the departments or business units with a specific interest in network perimeter security, and assemble the representatives for a meeting. The best approach in this meeting is to identify what is needed and then, by default, disallow everything else. It is at this point that successful security managers recognize that the purpose of security is to meet business needs. Although it would be great from a security perspective to disconnect the business from the Internet, to stay in business the connection must be maintained. In this meeting, you need to specifically ask the representatives what would need to be changed and configured to allow the business to continue if you were to put up a firewall today and block everything. This step is called "defining requirements." For example, some of the requirements that might be voiced include the following:
• We need a Web site that has dynamic content.
• We need to have an e-Commerce storefront.
• We need to be able to get and send e-mail.
• We need to secure all of our internal information from external attacks.
• We need to be able to access the Internet securely using HTTP, HTTPS, and FTP from the local area network (LAN).
• We need to secure our critical information from internal attacks or destruction.

In addition, you will also want to identify any wishes the representatives have. Examples of wishes are as follows:

• We would like to have Instant Messaging.
• We would like to be able to have sales representatives connect remotely to download order status.

You may find that most needs are simple and can use further refinement. For example, the requirement to send and receive e-mail begs the questions, "From where do you need to send e-mail? Do remote users need to send and receive e-mail? Should there be any additional restrictions on e-mail?" In addition, you should ask questions about what types of communication to log and how long these logs are kept. Often you will be faced with end users that ask for more access than they actually need. This is typically rooted in the fact that they do not know, or are not sure, what access is actually necessary. This can prove to be a trying situation, but it is best to work with these users to investigate what is required and explain why it is important to only allow the minimum access required.
The next stage in the drafting of the Perimeter Security Policy is risk assessment. Every requirement and wish has a risk attached to it. As a security professional, you must be able to identify those risks and communicate them to the involved parties so they can be weighed against the benefits.
Security Design
After identifying the requirements and the risks you are willing to accept, you must design security solutions. Having knowledge of the features and abilities of FW-1 NG AI will help you to determine what you can and cannot do. In addition, be aware of the other types of controls that can be used to maintain perimeter network security. There are three main categories of controls: technical, physical, and administrative. Each category of controls serves three functions: preventative, detective, and responsive, as shown in Table 4.1. The firewall is primarily a technical control of a preventative and detective nature. That is to say, the firewall prevents unauthorized access and can be used to detect unauthorized access. However, do not dismiss addressing physical and administrative controls in your Perimeter Network Security Policy.
Table 4.1 Categories of Security Controls

              Technical            Physical                Administrative
Preventative  Check Point NG AI    Locked data centers     User ID/password policy
              VPN-1                Identification badges   Change management
Detective     Check Point NG AI    CCTV                    Log and report review
                                                           Rule base audits
Responsive    Check Point NG AI    High availability       Incident response procedures
Other policies that FW-1 NG can help enforce are:
• NAT security
• Quality of Service (QoS) security
• Desktop security
• Monitoring
Firewall Architecture
Before writing the policy, one thing you need to explore is whether you will need to have different policies for different locations or if you will have only one. If you have one security policy, Check Point can enforce the same policy on all firewall modules from a central management station. Otherwise, you will have to maintain a different policy for different locations. Although for business reasons this might be necessary, it can add a level of complexity to your environment that could decrease your overall effective security. If it is necessary, make sure that it is thoroughly documented.
Writing the Policy
Now that you know what is necessary, you can write your Perimeter Network Security Policy. As you can see in Figure 4.1, writing a security policy is a logical progression of steps.
Figure 4.1 Steps to Writing a Security Policy
[Flowchart; the first step shown is Define Requirements.]
Briefly, the structure of the policy should include the following:
• Introduction In this section, state the purpose of this policy. What is the objective of the policy? Why is it important to the organization?
• Guidelines In this section, detail the guidelines for choosing controls to meet the objectives of the policy. These are the basic requirements. Typically, you will see the word "should" in these statements.
• Standards In this section, detail the standards for implementing and deploying the selected controls. For example, state the initial configuration or firewall architecture. This section tends to detail the requirements given in the meeting with the interested departments and business units. This section is written with words such as, "It is the policy that..."
• Procedures In this section, detail the procedures for maintaining the security solution, such as how often the logs should be reviewed and who is authorized to make changes.
• Deployment In this section, assign responsibilities and specific steps for the implementation of the policy. Think of it as a mini project plan. In a Perimeter Network Security Policy, this is the section that translates the standards and guidelines into language that the security administrator can enforce on the firewall.
• Enforcement Many policies lack this component; however, all policies require a method for enforcement. A popular and effective method for enforcement is auditing. In this section you can state that the firewall rule base will be subject to an external audit yearly. In addition, this section should detail the enforcement and consequences if someone were to circumvent the firewall or its rules.
• Modification or Exceptions No policy is perfect, and it may require modifications or exceptions. In this section, detail the methods for obtaining modifications to the policy or exceptions.
Following is a sample Perimeter Network Security Policy:
Introduction
Due to Company X's required connection and access to the public Internet, it is essential that a strong perimeter firewall exist that sufficiently separates the internal private LAN of Company X and the public Internet. The firewall should provide preventative and detective technical controls for access between the two networks.
Guidelines
The implementation of any firewall technology should follow these basic rules:
• The firewall should allow for filtering of communication protocols based on complex rule sets.
• The firewall should provide extensive logging of traffic passed and blocked.
• The firewall should be the only entry and exit point to the public Internet from the Company X LAN.
• The firewall OS should be sufficiently hardened to resist both internal and external attacks.
• The firewall should fail closed.
• The firewall should not disclose the internal nature, names, or addressing of the Company X LAN.
• The firewall should only provide firewall services. No other service or application should be running on the firewall.
• The firewall should provide read-only access for auditors.
Standards
The implementation of any firewall must follow these basic rules:
• Only the identified firewall administrator is allowed to make changes to the configuration of the firewall.
• All firewalls must follow the default rule: That which is not expressly permitted is denied.
In addition, the standards for perimeter networks are as follows:
• The deployment of public services and resources shall be positioned behind the firewall in a protected service net.
• The firewall shall be configured to disallow traffic that originates in the service net to the general LAN.
• Any application or network resource residing outside of the firewall and accessible by unauthorized users requires a banner similar to the following:

ATTENTION! PLEASE READ CAREFULLY. This system is the property of Company X. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system will be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to Company X management and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of Company X. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system, you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
Procedures The firewall will be configured to allow traffic as defined below.
Transmission Control Protocol (TCP)/IP suite of protocols allowed through the firewall from the inside LAN to the public Internet is as follows:
• HTTP to anywhere
• HTTPS to anywhere
TCP/IP suite of protocols allowed through the firewall from the inside LAN to the service net is as follows:
• HTTP to Web server
• Simple Mail Transfer Protocol (SMTP) to mail server
• Post Office Protocol 3 (POP3) to mail server
• Domain Name System (DNS) to DNS server
TCP/IP suite of protocols allowed through the firewall from the service net to the public Internet is as follows:
• DNS from DNS server to anywhere
TCP/IP suite of protocols allowed through the firewall from the public Internet to the LAN is as follows:
• None
TCP/IP suite of protocols allowed through the firewall from the public Internet with specific source, destination, and protocols is as follows:
• SMTP to mail server
• HTTP to Web server
• FTP to FTP server
Deployment The security administrator will define the rule base and configure the firewall as defined above, in addition to other industry standard properties (as appropriate).
Enforcement Traffic patterns will be enforced by the firewall's technical controls as defined by the firewall administrator. Periodically, an external vulnerability assessment will be performed to assure the proper configuration of the firewall. Additionally, an independent third party will annually audit the configured firewall.
Modifications or Exceptions Requests for modification to the firewall configuration must be submitted via e-mail to the security manager and firewall administrator, accompanied by justification and the duration of the requested change. The security administrator is allowed to make modifications outside the company's change control process in cases where they deem it necessary to prevent or contain disastrous events.
Implementing a Security Policy Now that you have a written Information Security Policy and a Perimeter Security Policy, you can begin configuring and deploying Check Point NG AI by translating your organization's written security policies into a technical policy that can be enforced by Check Point NG AI.
Default and Initial Policies The default and initial policies taken together comprise boot security for FW-1 NG AI. Unlike previous versions of FW-1, FW-1 NG automatically applies the default policy upon restart. The default policy is intended to protect the firewall and the networks behind it by blocking all traffic while it is loading the firewall services. Additionally, boot security will disable IP forwarding to keep the operating system (OS) from routing traffic while the firewall is booting. However, there are some things that the default filter will allow. You can view the default filter by viewing the $FWDIR/conf/defaultfilter.pf file. Specifically, the default filter will allow the following:
• Outgoing communication from the firewall itself.
• Incoming communications that are a response to communications initiated by the firewall.
• Broadcasts.
Because the firewall is allowing something, the firewall also enforces anti-spoofing measures to ensure that the allowed FW-1 NG AI communications are not spoofed on any of its interfaces. As FW-1 NG AI boots up and the default filter takes effect, the interfaces are configured and the FW-1 services are started. At this point, FW-1 applies an initial policy made up of implicit rules. The purpose of the initial policy is to add rules that will allow a graphical user interface (GUI) to be trusted and connect to the firewall. After the GUI is able to connect to the firewall, a new security policy can be installed. The initial policy is only installed on a module after cpconfig is executed and there is no security policy. The initial policy is replaced after a regular policy is written and installed by the administrator to the module. Thereafter, the enterprise Security Policy will follow the default filter and interface configuration. The enterprise Security Policy will be composed of the defined rule base and implicit rules. This process is illustrated in Figure 4.2. Boot security ensures that at no time is the firewall left unprotected. Ensuring that FW-1 starts at boot will allow boot security to be enforced. It is possible to alter boot security and enable IP forwarding and disable the default filter. However, this is not recommended.
Figure 4.2 Boot Security (stages shown: Boot Security, FW-1 Loads)
After the default policy is loaded, the firewall will attempt to fetch the policy from the management station or, in the case that it cannot load the policy from the management station, load the locally cached policy. In the event that this is a new installation and no policy has been pushed to it, the Initial Policy will be installed. The initial policies are defined in the $FWDIR/conf directory, named initial_management.pf and initial_module.pf depending on whether the firewall is installed with or without a management station, respectively. There is no policy for systems that are only management stations, due to the fact that there is no firewall configured for the host. Each policy includes the following communications, with the aforementioned default filter appended afterwards:
• GUI client connections to the management station (from addresses in the $FWDIR/conf/gui-clients.def file)
• HTTPS and Secure Shell (SSH) connections (if the system has any addresses defined in the $FWDIR/lib/webgui-clients.def file)
• CPD_Amon, FWD, CPD, and FW_ICA_Push from the management station to the firewall
You can view the policy which is currently being enforced by typing fw stat at the command line.
Translating Your Policy into Rules At this point you can take your written policy and your network map and start translating your documented security policy into a policy that Check Point FW-1 NG AI can enforce. Remember that the FW-1 NG AI policy is composed of global properties, which are implicit, as shown in Figure 4.3, and an explicit rule base. The first thing you have to do is create a new policy. To create a new policy, choose from the File menu in SmartDashboard and select New.
Figure 4.3 Global Properties Implied Rules
As shown in Figure 4.4, you have a few options in the new policy dialog window. First, type a name for the policy. Now select Security and Address Translation as your Policy Type. By default, you will be presented with a simplified mode security policy. If you wish to utilize Traditional Mode or be given the option, select your preference in the Global Properties.
Figure 4.4 New Security Policy Dialog
Defining A Firewall Object The first step in translating the policy into an enforceable policy is to define the relevant network objects. The first object you will create is your firewall object. The firewall object must be defined before you can install your FW-1 Security Policy. The setup process has been streamlined in NG AI to allow for the automatic creation of network objects known to the firewall. This requires that the appropriate routing is configured on the firewall. If you have initially installed the FW-1 module and management server on the same box, then the firewall object will be created and partially configured. If the components are installed in a distributed environment, however, you will have to create the firewall workstation object. You start by logging into your management server via the SmartDashboard GUI. If you have not opened the Workstation Properties as shown in Figure 4.5, you may do so by selecting the firewall object from the Objects List, right-clicking, and choosing Edit; by double-clicking the firewall object from the Objects List; or by going through the Manage | Network Objects menu. You will need to create one firewall object for each firewall module that will be enforcing a security policy and that will be managed by this management server. If you are creating the firewall object for the first time, you can right-click on the Network Objects in the Objects Tree and choose Check Point | Gateway from the New menu. After selecting Classic Mode to configure the gateway, the first field you will be challenged with is the name of the firewall. This field should be the firewall module's TCP/IP host name. For better performance, it is recommended that DNS be configured to resolve this name to the firewall's external IP address, or better yet, have it set up in the hosts file on the firewall and management module. Defining this in a hosts file removes the reliance on DNS functioning. The next field should contain the external IP address of the firewall. If DNS is configured and you click Get address, DNS will be queried and the address will be filled in for you. Otherwise, you can just type in the value. In the Comment field, be as descriptive as possible.
Using comments is a good way to document what you are doing so that others can understand more quickly and easily. The next decision is what color to give the object. This should be based on a scheme that will help you to read the rules and logs more easily.
Figure 4.5 Workstation Properties with Check Point Products Installed
Now select the version as NG with Application Intelligence. This will enable the appropriate next list of product modules. From the list, choose the modules that are installed on this host. If the management server and firewall module are on different hosts, you will need to configure Secure Internal Communication (SIC) to establish communication between these two machines. To do so, click on the Communication button and enter a shared password. If this object was created for you, Check Point already knows which products you have installed and has made the selection for you. Double-check that the selection is correct before you continue. The second branch on the Workstation Properties is the Topology window. This enables you to define the networks reachable behind the internal and external interfaces that exist on your firewall object. Figure 4.6 illustrates this configuration window.
Figure 4.6 Topology Window
To define the interface, make sure that you have selected the right one. After selecting an interface to define, as shown in Figure 4.6, click Edit. This will open up the dialog box, as shown in Figure 4.7. If you are configuring an interface manually, it is important to use the proper name, for example, the name as displayed by the ifconfig -a Unix command. Failure to properly define the interfaces may cause features such as anti-spoofing to not function, and may leave the network open to attack. The easiest way to define the interfaces is to use the Get | Interfaces feature, which will query the system (encrypted via SIC) for its interface information and is the recommended method of gathering this information. To make your job even easier, the Get | Interfaces with Topology option will also fill out your anti-spoofing definitions as well as create the necessary network, host, and group objects. This is dependent on your firewall having the correct host and network routes predefined, so make sure that they are configured before you get to this point. When defining the interfaces manually, you are not only able to specify this interface as internal or external, but you can also specify the range of addresses that reside behind the interface for enforcing anti-spoofing and generating NAT rules. This is done while manually adding or editing interface information from the topology tab, as illustrated in Figure 4.7.
Figure 4.7 Topology Definition
If the interface is internal, it is very important to define the addresses that reside behind the interface. The first option, Not Defined, generally should not be used unless the interface is present in the system but not connected to any network. If selected, anti-spoofing will be disabled on this interface. Generally speaking, it only makes sense to have anti-spoofing configured either for all or none of the interfaces. If you select the second option, these addresses will be calculated based on the address and subnet mask for this interface. Lastly, you can specify an explicit range of addresses or groups of networks. Anti-spoof tracking can also be defined on a per-interface basis. Anti-spoofing will stop someone from creating packets which, by address, seem to come from one network, though they are actually coming from another. A full discussion of address spoofing is available in Appendix B. The Logs and Masters branch is important for your FW-1 configuration. The Logs and Masters window enables you to specify logging options. The options are broken down into three sections: Additional Logging, Masters, and Log Servers. This branch is covered in more detail in Chapter 8. The Advanced window allows the configuration of Simple Network Management Protocol (SNMP) settings. If you expand out the Advanced branch, you will see five submenus as follows:
• SMTP
• Security Account Manager (SAM)
• Connection Persistence
• Permissions to Install
• SYNDefender
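To make the anti-spoofing choices in the Topology window concrete, here is an added Python example (written for this edition, not the book's or Check Point's own code) that models the three per-interface options described above: addresses calculated from the interface's own address and subnet mask, an explicit range of networks, and Not Defined. The LAN (172.16.3.0/24) and service net (172.16.0.0/24) are the chapter's networks; the interface names, interface addresses and sample packets are constructed for the example, and the external interface is modelled as accepting any source that no internal interface claims.

```python
# Added example (not from the book or from Check Point): the per-interface
# anti-spoofing check that the Topology window's definitions drive.
# LAN 172.16.3.0/24 and service net 172.16.0.0/24 are the chapter's networks;
# interface names and addresses below are constructed for the example.
from ipaddress import ip_address, ip_network


def behind_from_interface(iface_addr, netmask):
    """Second Topology option: the addresses behind the interface are
    calculated from the interface's own address and subnet mask."""
    return ip_network(f"{iface_addr}/{netmask}", strict=False)


TOPOLOGY = {
    # Internal interface; networks behind it derived from address and mask.
    "eth1": {"internal": True,
             "behind": [behind_from_interface("172.16.3.1", "255.255.255.0")]},
    # Internal interface; networks behind it given explicitly (third option:
    # a specific range or group of networks).
    "eth2": {"internal": True, "behind": [ip_network("172.16.0.0/24")]},
    # External interface: legal sources are everything NOT behind an
    # internal interface, so nothing needs to be listed here.
    "eth0": {"internal": False},
    # "Not Defined": anti-spoofing is disabled on this interface.
    "eth3": None,
}


def _internal_networks():
    """Every network claimed by some internal interface."""
    return [n for i in TOPOLOGY.values() if i and i["internal"]
            for n in i["behind"]]


def anti_spoof_check(ingress, src):
    """Return (verdict, reason) for a packet with source address `src`
    arriving on interface `ingress`. A 'spoofed' verdict means the packet
    is dropped (and logged or alerted on, per the interface's Spoof
    Tracking setting)."""
    iface = TOPOLOGY[ingress]
    addr = ip_address(src)
    if iface is None:
        return "allowed", "anti-spoofing disabled on this interface (Not Defined)"
    if iface["internal"]:
        if any(addr in n for n in iface["behind"]):
            return "allowed", "source lies behind this internal interface"
        return "spoofed", "source is not in the networks defined behind this interface"
    # External interface: an internal address cannot legitimately arrive here.
    if any(addr in n for n in _internal_networks()):
        return "spoofed", "internal address arriving on the external interface"
    return "allowed", "external source on the external interface"


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source address).
    for pkt in [("eth0", "172.16.3.25"), ("eth0", "198.51.100.7"),
                ("eth1", "172.16.3.25"), ("eth1", "172.16.0.10"),
                ("eth3", "172.16.3.25")]:
        print(pkt, "->", anti_spoof_check(*pkt))
```

The last sample packet shows why the text recommends anti-spoofing on all interfaces or none: a LAN address arriving on the Not Defined interface eth3 passes, while the same address on the external interface eth0 is dropped as spoofed.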
A new GUI option in Check Point NG AI is the Connection Persistence option. This defines how Check Point NG AI will treat existing connections when a new policy is installed. These options are displayed in Figure 4.8.
Figure 4.8 Connection Persistence Options
The three options have three discrete functionalities:
• Rematch connections, the default, is the safest selection. After a connection has been accepted, the connection is entered into the connections state table on the firewall. Upon a new policy installation, previously accepted connections are marked as "old". When a packet matching an "old" connection is received, it is matched against the security policy and, if it matches a connection that is allowed in the rule base, the state of the connection is changed back to its previous state and communications continue.
• Keep all connections represents a different stance on the question of how to deal with previously accepted connections. It does not mark any as "old" and allows any connections that were allowed to continue communicating.
• Keep data connections allows an administrator to have functionalities of the other two options. With "Keep data connections" all control connections will be rematched to the rule base, but data connections will function in the same way as "Keep all connections" operates.
The SMTP page enables you to set local options on how the SMTP security server handles mail. Typically, the defaults on this page are appropriate, although you may have to define the postmaster name. These values are stored in the firewall's $FWDIR/conf/smtp.conf configuration file. The "Permissions to Install" page is a new addition as well. You can create groups of administrators and allow certain groups to install policies on certain firewalls. This functionality used to only be available with a large enterprise and managed service provider product Check Point produces called Provider-1. On the SAM page, you will not need to modify anything unless your SAM server is external to your management server. In most cases, you will skip this section. Changing these values will affect the firewall's $FWDIR/conf/fwopsec.conf configuration file. SYNDefender options are discussed in more detail in Chapter 13, along with SmartDefense.
Define Rule Base Now let's use the Perimeter Network Security Policy to create a Check Point FW-1 NG AI enforceable policy. The first step is to map things out and identify the objects that will compose the rule base. Below is the relevant excerpt from the policy.
TCP/IP suite of protocols allowed through the firewall from the inside LAN to the public Internet is as follows:
• HTTP to anywhere
• HTTPS to anywhere
TCP/IP suite of protocols allowed through the firewall from the inside LAN to the service net is as follows:
• HTTP to Web server
• SMTP to Mail server
• POP3 to Mail server
• DNS to DNS server
TCP/IP suite of protocols allowed through the firewall from the service net to the public Internet is as follows:
• DNS from DNS server to anywhere
TCP/IP suite of protocols allowed through the firewall from the public Internet to the LAN is as follows:
• None
TCP/IP suite of protocols allowed through the firewall from the public Internet with specific source, destination, and protocols is as follows:
• SMTP to Mail server
• HTTP to Web server
• FTP to FTP server
Reading through your policy, it refers to the LAN, the Internet, and a service net. These are all network objects that will need to be defined before you can continue. Next, traffic is flowing anywhere, to the Web server, the mail server, the DNS server, and through the firewall. These three servers on the service net will be defined as hosts or workstations. Now that you know what objects are needed, you can create them.
Note: For simplicity purposes, when creating this rule base disregard the cluster of firewalls shown in the diagram at the beginning of this book, as well as the servers and networks (172.17.1.x and 172.17.2.x) attached to them. To reiterate, the service net is the 172.16.0.x network attached to the ExternalFW firewall.
N o w that you have all of the objects defined, it is time to create the rule base. For your first rule, it is best to create the "Cleanup rule." By default, anything that is not explicitly permitted is dropped. This is called the Implicit Drop Rule. Anything not matching the rule base will be dropped and not logged.
However, it would be smart to log those events, and the only way to accomplish that is to define an explicit drop rule in the policy and enable tracking. For your first rule, select Add rule from the Rules menu in the SmartDashboard. This is your first rule, so bottom or top does not matter, although eventually this rule will be the last rule in the policy. From the rule that appears, confirm the following: source Any, destination Any, VPN Any, service Any, action Drop, and track Log. The only thing you will need to change is the track cell from None to Log, and add a comment in the Comment field of "Cleanup Rule." At this point, your rule base should consist of one rule and look like the example in Figure 4.9.
Figure 4.9 The "Cleanup Rule"
Another good rule to have in your rule base is the "Stealth Rule." This rule is defined to protect the firewall and alert you of traffic that is directed to the firewall itself. This time, create the rule from the Rules menu by clicking Add rule and selecting Above. You can also achieve this by right-clicking on the rule number and selecting Add Rule | Above. From the newly created rule, change the destination field by right-clicking and selecting Add from the context menu. From within the Add dialog, select your firewall object. Next, in the Track field select Alert. This rule should read Any, Firewall, Any, Drop, and Alert, as illustrated in Figure 4.10. Add the comment "Stealth Rule" in the Comment field. At this point, you may be wondering how you will be able to communicate with the firewall after this policy is installed. This communication is enabled through the implied rules in Global Properties | FireWall-1 | Accept VPN-1 & FireWall-1 control connections, discussed in Chapter 3.
Figure 4.10 The "Stealth Rule"
Now you have the beginnings of a good rule base. Let's start adding some rules that are based on your policy.
The first element in the security policy states that you allow HTTP and HTTPS to anywhere. Because your policy does not call for any user authentication, you can leave your "Stealth Rule" at the top. Place this next rule beneath the "Stealth Rule." Click on the icon in the toolbar that represents Add Rule below Current. Your current rule will always be the rule that is highlighted in white, instead of being gray like all the other rules. You should see a new rule sandwiched between your two previous rules. There are many ways to create this rule. However, the best way is to select LAN (172.16.3.x) as the Source. For the Destination, select the Service_Net. Under the service field, add HTTP, then HTTPS, and finally FTP. Make sure you select accept in the Action field. The Track field will be changed to Log for this rule. Now right-click on the Destination Service_Net and choose Negate. A red "X" should now appear on the service net object in your rule base. What you have done is created a rule that allows LAN users the use of HTTP and HTTPS to everywhere except the service net. The reason you had to do this is because the policy does not allow HTTPS from the LAN to the service net, as you will see in the next couple of rules. In the Comment field, write in "Permits LAN access to HTTP, FTP, and HTTPS on the Internet."
Second, you must define what is allowed to the Service_Net from the LAN. In these rules, you will allow the LAN access to the mail server for POP3 and Internet Message Access Protocol (IMAP), and the DNS server for DNS queries. Start creating the next rule by right-clicking on the number 2 from the previous rule and choosing Add Rule below. Just like the previous rule, the Source is the LAN; however, the Destination is now the Email_Server. In the Services field, add POP3 and IMAP and select accept in the Action field. As far as the Track field is concerned, there are no requirements to log this traffic, and it might make the logs pretty large, but for debugging and forensic purposes, choose Log. If the logging is too much, it can easily be turned back to None. In the Comments field, write in "Permits LAN access to retrieve e-mail via POP3 and IMAP." Since the next rule will probably generate a lot of traffic (DNS queries), place it just below your stealth rule. So, add a new rule below rule one, and enter LAN in the Source field, DNS_Server in the Destination, domain-udp as the Service, and accept in the Action field. Again, you may not want to log this traffic because domain queries can be quite numerous, but it is a good practice and will help during the implementation when debugging problems. Enter "Permit LAN access to DNS server for DNS name resolving" in the Comment field.
Next, let's create a rule that allows your DNS server in the service net to perform queries to the Internet for domain name resolution. Add this rule beneath the rule you just finished. Set the rule to read Source-DNS_Server, Destination-LAN (Negate), Service-DNS, Action-accept, Track-None, and Comment, "Permits DNS server access to Internet for domain name resolving." For your final rules, what will you allow in from the Internet? According to the policy you will allow SMTP to the mail server, and HTTP and FTP to the Web server. Create a new rule beneath the current rule. Rule number 4 should be defined as Source-Any, Destination-Email_Server, Service-SMTP, Action-accept, Track-Log, and Comment, "Permit anyone to send e-mail to the e-mail server via SMTP." Notice that this rule also permits your LAN users to connect to the mail server for SMTP. This will not only allow users on the Internet to send mail via SMTP to the mail server, but also users on the LAN. Rule number 5 should be defined as Source-Any, Destination-Web_Server, Service-HTTP, Action-accept, Track-Log, and Comment, "Permit anyone access to Web pages via HTTP on the Web server." This rule also allows access for your LAN. Add one more rule below 5, and define it as Source-LAN (negated), Destination-Web_Server, Service-FTP, Action-Accept, Track-Log, and Comment, "Permit anyone on the Internet access to FTP on the Web server." Since your policy does not allow your LAN to connect to the FTP server for FTP, you had to negate it in the source. Now you are pretty much done. Your rule base will have nine rules and should look like the FW-1 rule base shown in Figure 4.11. You should do a File | Save or click on the floppy disk icon to save your finished policy.
Figure 4.11 Rule Base from Security Policy
With these rules, the ordering is critical. Keep in mind that the firewall matches packets on the first three columns (Source, Destination, and Service) by using top-down processing. Each packet starts at the top rule and moves down until a rule matches. When a packet is matched, no further processing is performed. This is called "top-down processing." If you wrote your rule base directly from a piece of paper, there may be a few problems to sort out. There will always be more than one way to define your policy; the trick is finding the best method for your organization. As you fine-tune your policy, you can try to simplify the way you say things. By moving rules, consolidating rules, or just by stating rules differently, you can improve the effectiveness and performance of your rule base. (Performance implications and optimization are discussed in Chapter 8.) You will also need to install your rule base when you are satisfied that it is set up properly. Any changes that are made through the SmartDashboard do not take effect on the firewall module until the Security Policy is installed. The Policy menu is explained later in this chapter.
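As an added illustration of top-down processing (example code written for this edition, not code from the book or from Check Point), the following Python encodes the nine rules built above in the order they end up in and evaluates packets against them first-match, so you can see why the negated cells and the rule order produce the verdicts the policy asks for. It also models the "Rematch connections" behaviour from the Connection Persistence section: after a policy install, an existing connection survives only if the new rule base still has an accept rule for it. The LAN (172.16.3.0/24) and service net (172.16.0.0/24) are the chapter's networks; the server addresses, the firewall's addresses and the sample packets are constructed for the example, and the FW-1 service objects are simplified to protocol/port pairs.

```python
# Added example (not from the book or from Check Point): a first-match
# ("top-down") rule engine holding the nine-rule policy built in this section.
# LAN 172.16.3.0/24 and Service_Net 172.16.0.0/24 are the chapter's networks;
# the host and firewall addresses are constructed for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

OBJECTS = {
    "LAN": [ip_network("172.16.3.0/24")],
    "Service_Net": [ip_network("172.16.0.0/24")],
    "Web_Server": [ip_network("172.16.0.10/32")],     # constructed
    "Email_Server": [ip_network("172.16.0.20/32")],   # constructed
    "DNS_Server": [ip_network("172.16.0.30/32")],     # constructed
    "Firewall": [ip_network("203.0.113.1/32"),        # constructed external
                 ip_network("172.16.3.1/32")],        # constructed internal
}

# Services as (protocol, destination port); "DNS" is the TCP+UDP group.
SERVICES = {
    "HTTP": {("tcp", 80)}, "HTTPS": {("tcp", 443)}, "FTP": {("tcp", 21)},
    "SMTP": {("tcp", 25)}, "POP3": {("tcp", 110)}, "IMAP": {("tcp", 143)},
    "domain-udp": {("udp", 53)}, "DNS": {("udp", 53), ("tcp", 53)},
}


@dataclass(frozen=True)
class Rule:
    no: int
    src: str                  # object name, or "Any"
    dst: str
    services: tuple           # service names; () means Any
    action: str               # "accept" or "drop"
    track: str                # "None", "Log" or "Alert"
    negate_src: bool = False  # the red X on the Source cell
    negate_dst: bool = False  # the red X on the Destination cell


# The rule base in the order the section ends with (before "Drag and Drop"
# later moves rule 7 to position 8).
RULE_BASE = [
    Rule(1, "Any", "Firewall", (), "drop", "Alert"),                        # Stealth
    Rule(2, "LAN", "DNS_Server", ("domain-udp",), "accept", "Log"),
    Rule(3, "DNS_Server", "LAN", ("DNS",), "accept", "None", negate_dst=True),
    Rule(4, "Any", "Email_Server", ("SMTP",), "accept", "Log"),
    Rule(5, "Any", "Web_Server", ("HTTP",), "accept", "Log"),
    Rule(6, "LAN", "Web_Server", ("FTP",), "accept", "Log", negate_src=True),
    Rule(7, "LAN", "Service_Net", ("HTTP", "HTTPS", "FTP"), "accept", "Log",
         negate_dst=True),                                                  # LAN -> Internet
    Rule(8, "LAN", "Email_Server", ("POP3", "IMAP"), "accept", "Log"),
    Rule(9, "Any", "Any", (), "drop", "Log"),                               # Cleanup
]


def _in_cell(addr, name, negate):
    """Address membership for a Source/Destination cell, honouring Negate."""
    if name == "Any":
        return True
    hit = any(addr in net for net in OBJECTS[name])
    return not hit if negate else hit


def _service_hit(proto, port, services):
    return not services or any((proto, port) in SERVICES[s] for s in services)


def match(src, dst, proto, port, rule_base=RULE_BASE):
    """Top-down processing: the first rule whose Source, Destination and
    Service cells all match decides; returns (rule number, action, track).
    Rule number None is the implicit drop, which is never logged."""
    s, d = ip_address(src), ip_address(dst)
    for r in rule_base:
        if (_in_cell(s, r.src, r.negate_src) and _in_cell(d, r.dst, r.negate_dst)
                and _service_hit(proto, port, r.services)):
            return r.no, r.action, r.track
    return None, "drop", "None"


def rematch_on_install(connections, new_rule_base):
    """'Rematch connections' (the Connection Persistence default): on policy
    install every entry of the connections table is marked old; the next
    packet on it is matched against the new rule base, and only connections
    an accept rule still covers return to their previous state."""
    kept = []
    for conn in connections:                       # every entry is "old" now
        _, action, _ = match(*conn, rule_base=new_rule_base)
        if action == "accept":                     # back to accepted
            kept.append(conn)
    return kept                                    # the rest are dropped


if __name__ == "__main__":
    packets = [  # constructed sample packets: (src, dst, proto, dst port)
        ("172.16.3.25", "198.51.100.7", "tcp", 443),  # LAN user, HTTPS to Internet
        ("172.16.3.25", "172.16.0.10", "tcp", 443),   # LAN user, HTTPS to Web server
        ("198.51.100.7", "203.0.113.1", "tcp", 22),   # Internet host -> firewall
        ("198.51.100.7", "172.16.0.10", "tcp", 21),   # Internet host, FTP to Web server
        ("172.16.3.25", "172.16.0.10", "tcp", 21),    # LAN user, FTP to Web server
    ]
    for p in packets:
        print(p, "->", match(*p))
```

Running the block prints the matching rule for each sample packet: the LAN user reaching HTTPS on the Internet matches rule 7, the same user trying HTTPS to the Web server falls all the way through to the Cleanup Rule (rule 9) because rule 7's negated destination excludes the service net, and the probe of the firewall's own address is stopped by the Stealth Rule with an Alert. Removing rule 7 from the list and calling rematch_on_install shows the LAN user's existing HTTPS session being cut off at the next packet while a POP3 session to the mail server survives under rule 8.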
Manipulating Rules FW-1 features a very flexible rule base. It provides the ability to alter both content and context very simply. The next few sections focus on manipulating the rule base.
Copy, Cut, and Paste Rules Rules can be cut and pasted in a way that will be instantly familiar to most anyone. You simply select the rule (by clicking on its number), and either copy or cut the rule by right-clicking on the rule number or selecting the appropriate selection from the Edit menu, as shown in Figure 4.12. Alternatively, you can select from the Edit menu. Pasting a rule is just as easy, but there is one additional selection to make. When you select paste from the Edit menu, you will also have to decide on the placement of the rule. Your choices are top, bottom, above, or below, with the choices indicating a relation to the currently selected rule. Top and bottom are only available when using the Edit menu.
Figure 4.12 Context Menu for Manipulating Rules
Disable Rules Disabled rules are one step from being deleted. They are not part of your security policy and are not installed when you install the policy. They are, however, displayed in the rule base window. Disabling rules is a handy method of troubleshooting, providing an easy way of recovering the rule's functionality. To disable a rule, simply right-click on that rule's number and select Disable Rule from the menu. To re-enable the rule, right-click the rule's number and deselect Disable Rule. Notice the big "X" in Figure 4.13 signifying a disabled rule.
Figure 4.13 Disabled Rule (the disabled rule shown reads: Any, Web Server, Any Traffic, accept, Log, Policy Targets, Any, "Permit anyone access to web pages via http on the web server")
Delete Rules Deleting a rule eliminates it from both the security policy and your rule base view. To delete a rule, simply select the rule's number and select Edit | Cut. You can also select Cut from the right-click menu. While it is true that you can delete a rule outright, it is recommended you get into the habit of cutting rules, since if you mistakenly delete the wrong rule, you can recover it quickly. It is also a good idea to use the database revision control to mitigate this possibility.
Hiding Rules Sometimes, especially with a large rule base, you do not really need to see every rule all the time. Luckily, FW-1 allows you the ability to hide rules. These rules are still part of the security policy and are still installed when that policy is loaded, but they are not shown in the rule base window. To hide a rule, select the rule by clicking on its number. The easiest way is to right-click and select Hide from the menu, or you may select Hide from the Rules menu. A hidden rule is replaced with a thick, gray divider line, giving you an easy visual indication that a hidden rule exists. In Figure 4.14 you can see the thick, gray line between rules 4 and 6. Notice how the rule numbers stay the same. Rule 5 still exists; you just do not see it.
Figure 4.14 Hidden Rules (rule 6 below the divider reads: LAN (negated), FTP Server, Any Traffic, accept, Log, Policy Targets, Any, "Permit anyone on the Internet access to FTP on the FTP Server")
N You also have the ability to both view and manage hidden rules. To view hidden rules, select V i e w H i d d e n from the Rules menu. Managing hidden rules is even more flexible, as it enables you to create and apply masks to the rule base. These masks can be applied or removed to alter the view of the rule base. For example, suppose you have hidden all of the rules with a specific destination.You can store this view as a mask by selecting Rules I H i d e I M a n a g e h i d d e n and then storing this view. Later, if you choose U n h i d e All from the Rules menu, you can easily reapply the filters via the same menu options. The options for working with Hidden Rules are shown in Figure 4.15. V i e w H i d d e n will show all the hidden rules, but with a dark gray background. www.syngress.com
Figure 4.15 Hidden Rules Options
Drag and Drop
There are several ways to manipulate rules by dragging and dropping within the SmartDashboard. You can move a rule to a new location in the rule base by clicking on its rule number and dragging it to the new position. You can also drag network objects and services into your rules from the Object List pane and drop them in the appropriate fields, and you can drag an object from one rule into another. This saves time when adding new rules or editing an existing rule base, and it is worth becoming familiar with. For practice, and for the next section, drag rule 7 to rule 8. This places the LAN access to the Internet rule at rule 8.
Section Titles
When working with a large rule base, it can be beneficial to break it down into logical or functional groupings. Section Titles add this to a policy: they let an administrator visually collapse groups of rules for concise viewing and quicker rule locating. Figure 4.16 shows the policy with some section titles added. Rules 2 and 3 can be shown by double-clicking the section title or clicking the + at the right of the section title. The information about which rules a section title encompasses is added and updated automatically by the GUI. Add a section title by right-clicking a rule number and selecting Add Section Title. You can go back and edit the text by right-clicking a section title and choosing Edit Text.
Figure 4.16 Policy with Section Titles
[Figure: the rule base collapsed under section titles, including "LAN to Internet Traffic" and "Cleanup Rule (Rule 9)".]
Querying the Rule Base
The rule base can be viewed in many different ways. Sometimes it is beneficial to view it in its entirety; at other times you may need to see only specific items. This is especially true when dealing with a very large rule base on a very complex network. One way to get this narrower view is to query the rule base. To query the rule base, select Query Rules from the Search menu. A query builder appears. This window lists queries and allows them to be added, deleted, or modified. Select New to define a new query. A window appears in which you define the criteria to query against. Enter a name for your query and then click New again to begin entering search clauses. This window, the Rule Base Queries Clause window, is similar to the one presented when creating a group. Select the column you wish to query and add the objects you wish to include in the query to the In List box. You can also create a negation, that is, a query that matches only if the specified criteria are not present. The final option is to make the query explicit, meaning the match must be exact. For example, if you select Explicit, a query containing a workstation object will not match a rule that uses a group containing that workstation; without Explicit, the group is expanded and the rule does match.
Policy Options
Once you have created your Security Policy, you are ready to put it into action. The next few sections describe the options available for working with the policy you have built. These options are reached by selecting Policy from the Policy menu.
Verify
Verify tests the policy. It compiles the objects and prepares them for installation, but it does not perform the install. This is useful while you are editing and modifying your security policy and want to make sure you are not doing something wrong. For example, selecting Verify from the Policy menu might report that "Rule 1 blocks Rule 2 for service Telnet." This means that Rule 2 is redundant for Telnet: no Telnet packet will ever reach it, because Rule 1 matches first, so Rule 2 is misplaced and should be reordered or removed.
Install
This option actually performs the install. You are presented with a list of possible firewall objects and select the firewall or firewalls to install on from this list. The policy is then compiled and pushed out to the selected modules. You have a choice as to how these modules are treated:
• Install on Each Selected Module Independently  This is useful when you are dealing with a large number of gateways. Each module is treated as a single entity, and failure to install the policy on one does not affect the others.
• For Gateway Clusters Install on All Members, If it Fails do not Install at All  This checkbox determines whether the policy is allowed to be installed when it cannot be installed on every member of a cluster.
• Install on All Selected Modules, If it Fails do not Install at All  This is an all-or-nothing proposition. If you are concerned with configuration integrity, this is the option for you: failure on any single module precludes installation on any module.
You need to install your Security Policy whenever you make changes through SmartDashboard and want those changes enforced. Nothing you do in SmartDashboard takes effect until you push the policy to the appropriate firewalls.
The Database Revision Control section allows an administrator to create a new version of the policy, which can be viewed or restored at any time. This eliminates the need to save a new policy each time a change is made. Saving a completely new policy for each change leads to very large files (specifically rulebases_50.fws) and to slow loading of the GUI and slow policy installs. In addition, the objects database is not saved each time a new policy is saved, but changes to it are saved and can be restored with Database Revision Control. (Database Revision Control is discussed later in this chapter.)
Uninstall
This removes the policy from the objects that you select. The object selection method is identical to that used when installing a policy.
View
The View option lets you view the compiled security policy, that is, the INSPECT statements, and save the INSPECT script. Saved files can be altered by hand and loaded with the FW-1 command-line interface (CLI), though this is not recommended and is likely not supported by Check Point.
Access Lists
This is used to incorporate rules into an Open Security Extension (OSE)-compliant device, such as a router. When a rule is installed on a router, the firewall actually generates an access control list (ACL) for that router and applies it as needed. You can also import the existing ACL entries from the OSE device and verify and edit them. This menu option allows for all three functions. When selected, the OSE Device Access List Operations window is displayed. It lets you select the OSE device you want to interact with and perform the chosen operation. When fetching an ACL, you can further specify the direction you are interested in and the format in which the ACLs are presented (ASCII or GUI). This feature requires additional licensing.
Install Users Database
This option, available from both the Policy menu and the User Management function, propagates the user database defined on the management server to the selected modules. Note that the user database is also loaded when a security policy is installed on the modules, but this manual process lets you update user information without interfering with firewall operations.
Management High Availability
This option of the Policy menu lets you modify the behavior of your Management High Availability groups. This feature allows multiple management modules to synchronize and support each other, just as with HA FW-1 modules. The option loads a maintenance panel that allows both manual synchronization and preempting of the primary management server. When performing a manual synchronization, you have two modes to select from:
• Synchronize Configuration Files Only  If this is selected, only the database and configuration files are synchronized between management modules.
• Synchronize Fetch, Install and Configuration Files  This mode also synchronizes the Fetch and Install files, allowing interaction with a standby management server.
You can also change the current state of the management module from Primary to Standby and vice versa. Note that a Standby management module cannot be used to push or edit configurations until it is promoted to Primary.
Installing a Security Policy
After you have defined all objects and composed the rule base, it is time to install the policy on your chosen modules so that it can be enforced. Remember that any time you modify network objects, rules, or Global Properties, you need to install the policy for the changes to take effect. The install policy process does a few things before your rules get enforced.
When you select Install from the Policy menu, Check Point first saves your objects and rules. Next, it verifies your rule base to ensure that you do not have conflicting rules, redundant rules, or rules with objects that still require definition. Alternatively, before you install, you can verify the policy by choosing Policy and then Verify. Check Point NG AI then parses your rule set. After the verify process returns "Rules Verified OK!," Check Point NG AI asks you to select the network object and module on which to install the compiled policy. When you select the object, an installation window comes up showing the progress of the compile and install. Note that in NG AI, installations are processed in parallel, dramatically reducing the time required to install the policy on multiple modules; previously, the installation was done on each module one at a time. When the policy install completes, you can click the Close button at the bottom of the window, as shown in Figure 4.17. To cancel the installation, press the Abort button while it is enabled. If an error or warning occurs, press the Show Errors button to see which module generated which errors during the installation.
Figure 4.17 Install Policy Progress Window
Alternatively, you can install the policy on the firewall modules at the command prompt using $FWDIR/bin/fw load. For example, to install the policy named FirstPolicy on a firewall module defined with an object named Gatekeeper, run the following load command from the management server's $FWDIR/conf directory:
    $FWDIR/bin/fw load FirstPolicy.W Gatekeeper
To confirm the installation of your policy at the command line, execute $FWDIR/bin/fw stat. This displays the host, policy, and time of install.
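The shell script below is an added example, not code from the book or from Check Point. It reproduces at the command line the two installation semantics described under Install above (each module independently, or stop at the first failure) using the fw load invocation just shown, and then confirms what a module is running by parsing fw stat output. It assumes FWDIR is set on the management server, that fw load accepts a path to the .W file, and that fw stat prints a HOST/POLICY/DATE header line followed by one line per module; the FW_BIN and CONF_DIR overrides and the sample fw stat text are constructed for illustration. The all-or-nothing mode here does not roll anything back: it tells you which modules already took the new policy so you can re-push the previous one.

```shell
#!/bin/sh
# Added example (not from the book or Check Point). Push a compiled policy to
# several enforcement modules with either of the two semantics SmartDashboard
# offers, then confirm what is running from fw stat output.
# Assumptions: FWDIR is set on the management server; fw load accepts a path
# to the .W file; FW_BIN/CONF_DIR may be overridden (e.g. with a stub) for testing.
FW_BIN="${FW_BIN:-$FWDIR/bin/fw}"
CONF_DIR="${CONF_DIR:-$FWDIR/conf}"

# install_policy MODE POLICY TARGET...
#   MODE independent    : try every target; report all failures at the end
#                         (each module is treated as its own entity).
#   MODE all_or_nothing : stop at the first failure. No rollback is attempted;
#                         INSTALLED_ON lists the modules that already took the
#                         new policy so you can re-push the previous one.
# Sets INSTALLED_ON and FAILED_ON; returns 0 only if every target succeeded.
install_policy() {
    mode=$1; policy=$2; shift 2
    loaded=""; failed=""
    for target in "$@"; do
        if "$FW_BIN" load "$CONF_DIR/$policy.W" "$target" >/dev/null 2>&1; then
            loaded="$loaded $target"
        else
            failed="$failed $target"
            if [ "$mode" = all_or_nothing ]; then
                break
            fi
        fi
    done
    INSTALLED_ON="${loaded# }"
    FAILED_ON="${failed# }"
    [ -z "$FAILED_ON" ]
}

# policy_from_stat STAT_OUTPUT
# Extract the POLICY column from the text "fw stat" prints. Assumed format
# (constructed sample: one header line, then one line per module):
#   HOST      POLICY      DATE
#   localhost FirstPolicy 12Jun2004 10:13:22 :  [>eth0] [<eth0]
policy_from_stat() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $2; exit }'
}

# verify_installed EXPECTED_POLICY STAT_OUTPUT -> 0 if the module runs that policy
verify_installed() {
    [ "$(policy_from_stat "$2")" = "$1" ]
}

# Typical use on the management server (uncomment to run for real):
# install_policy all_or_nothing FirstPolicy Gatekeeper Gatekeeper2 \
#     && verify_installed FirstPolicy "$("$FW_BIN" stat Gatekeeper)"
```

Run it from the management server with FWDIR exported; the commented usage line pushes FirstPolicy to two modules and only reports success if the first module's fw stat line names FirstPolicy afterwards.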
Policy Files
In the process of compiling your security policy, Check Point NG AI takes the contents of the rule base file *.W that you created through the SmartDashboard GUI and creates an INSPECT script with the same name and a .PF extension. The *.PF file is compiled into INSPECT code in a file called *.FC (where * is the name you gave your policy in the initial dialog). The INSPECT code is then applied to the network objects (firewalls) specified in the install. Keep in mind that if you install a policy on a module that has no rules to enforce, the policy will not install, as it would default back to the implicit "deny all" rule. To back up your policy, make and keep a separate copy of the following files:
• $FWDIR/conf/objects_5_0.C
• $FWDIR/conf/*.W
• $FWDIR/conf/rulebases_50.fws
• $FWDIR/database/fwauth.NDB*
The objects_5_0.C file stores all the network objects, resources, servers, services, and so on. The *.W files are the individual policy files that you named via SmartDashboard. The rulebases_50.fws file is the master rule base file that holds each of the individual *.W policies in one place. If you needed to restore your policies, you would not necessarily need to replace each .W file, just rulebases_50.fws: when you log in to SmartDashboard, this file is opened and the .W files that were not already in the conf directory are recreated from it. This .FWS file is read whenever you do File | Open from SmartDashboard, and you can rename or delete policies from it via the Open window. Deleting a policy there does not remove it from the hard drive; it simply removes it from rulebases_50.fws. The fwauth.NDB* files contain the user database.
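As an added example (not the book's text or a Check Point tool), the following shell script backs up exactly the four items listed above from a management server's $FWDIR tree into a tar archive, restores them into a directory, and verifies the copy byte for byte. It assumes the conf/ and database/ layout listed above; the directory tree and file contents used in the test are constructed for illustration. Paths are stored relative to FWDIR so the archive can be unpacked under a rebuilt server's FWDIR without editing.

```shell
#!/bin/sh
# Added example (not from the book or Check Point): archive the policy files
# the chapter lists as sufficient to rebuild a management server's policies,
# and verify a restore. Assumes the $FWDIR/conf and $FWDIR/database layout above.

# backup_policy_files FWDIR DESTDIR
# Sets BACKUP_ARCHIVE (path of the tar file) and BACKUP_COUNT (members).
backup_policy_files() {
    fwdir=$1; dest=$2
    archive="$dest/fw1-policy-$(date +%Y%m%d-%H%M%S).tar"
    # The two single files are mandatory; *.W and fwauth.NDB* are globs that
    # may match several files (one .W per policy, several NDB pieces).
    set -- conf/objects_5_0.C conf/rulebases_50.fws
    for f in "$fwdir"/conf/*.W "$fwdir"/database/fwauth.NDB*; do
        if [ -f "$f" ]; then
            set -- "$@" "${f#"$fwdir"/}"
        fi
    done
    for f in "$@"; do
        if [ ! -f "$fwdir/$f" ]; then
            echo "backup aborted: $fwdir/$f is missing" >&2
            return 1
        fi
    done
    # Store paths relative to FWDIR so the archive restores under any root.
    tar -C "$fwdir" -cf "$archive" "$@" || return 1
    BACKUP_ARCHIVE=$archive
    BACKUP_COUNT=$#
}

# restore_policy_files ARCHIVE DESTDIR
# Unpacks into DESTDIR (a scratch directory, or $FWDIR on the rebuilt server).
restore_policy_files() {
    mkdir -p "$2" && tar -C "$2" -xf "$1"
}

# verify_restore FWDIR RESTOREDIR
# Compare every file that backup_policy_files would archive from FWDIR
# against its copy under RESTOREDIR; fails on the first difference.
verify_restore() {
    for f in conf/objects_5_0.C conf/rulebases_50.fws \
             "$1"/conf/*.W "$1"/database/fwauth.NDB*; do
        rel="${f#"$1"/}"
        [ -f "$1/$rel" ] || continue
        cmp -s "$1/$rel" "$2/$rel" || return 1
    done
    return 0
}

# Typical use on the management server (uncomment to run for real):
# backup_policy_files "$FWDIR" /var/backups/fw1 && echo "wrote $BACKUP_ARCHIVE"
```

The backup refuses to run if objects_5_0.C or rulebases_50.fws is absent, since an archive without either cannot rebuild the policies; a missing .W file is not an error, because, as noted above, SmartDashboard recreates .W files from rulebases_50.fws.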
NOTE
Editing these files directly is not for the faint of heart. As with the registry on a Microsoft Windows system, it should not be attempted unless you have been directed to by technical support, as simple changes done incorrectly can introduce significant problems.
Summary
This chapter discussed the importance of a Security Policy and how to write one for your organization. Remember that the most important aspect of defining a Security Policy is involvement. Because the default policy of Check Point is to deny everything, with community involvement you can better define the requirements and, as a result, permit only the communication necessary for business activities while denying all others. This is the "principle of least privilege." As you implement and translate your written policy into something that can be enforced by Check Point NG AI, you will have to define network objects. Much of this information should have been gathered during the design of your policy and includes items like workstations, gateways, networks, applications, users, and services. Eventually, the rules you write will use these objects to match packets for processing and to apply actions. A firewall object must be defined for each firewall on which you install a policy. In a simple, stand-alone installation where the management server and firewall module reside on the same machine, the firewall object is created for you during software installation. You will need to configure the interface topology and anti-spoofing within your firewall object definition. FW-1 provides several tools to manipulate the security policy: you have several ways of adding a rule to the rule base, disabling rules, cutting and pasting rules, and querying the rule base. Once you have the policy defined and are ready to have the firewall enforce it, you must install the policy onto the firewall objects you have previously defined. Installing a policy converts the GUI rule base, represented as the *.W file, into an INSPECT script, the *.PF file. The *.PF file is then compiled into INSPECT code, the *.FC file, which the specified Check Point enforcement modules understand and enforce.
Solutions Fast Track
Reasons for a Security Policy
• A written Security Policy is becoming a requirement in industries mandated by government regulation, in [...] and healthcare organizations. Parts of the Sarbanes-Oxley Act also apply to a corporation's Security Policy.
• Having a written Security Policy can help the security manager and administrator perform their jobs better and receive executive-level support for technologies and training.
• Developing a Security Policy before implementing security products helps ensure that the deployed product meets the requirements of the business and is properly configured.
• A written Security Policy provides an organization with direction and accountability in the implementation and maintenance of an information security program.
How to Write a Security Policy
• One of the most important aspects of writing a Security Policy is community involvement. Everyone with a stake or interest should be involved in writing certain aspects of the Security Policy.
• A Security Policy should reflect your business needs and how you will manage the risks posed by those needs.
• An Executive Information Security Policy should be simple, readable, and accessible to users.
• An Information Security Policy is composed of an Executive Security Policy and specific standards, guidelines, and procedures. In addition to the Executive Security Policy, a Perimeter Network Security Policy or a Firewall Security Policy can detail specific standards for implementing a firewall and procedures for maintaining it.
Implementing a Security Policy
• The translation of a written policy to a Check Point NG AI policy is a step-by-step process. First, define your network objects. Then compose rules that enforce your written policy, specifying the actions to be taken when a packet matches the defined criteria.
• When creating a rule base, the ordering of rules is critical. Because packets are evaluated against the rules from the top of the rule base to the bottom, incorrect positioning can have undesirable consequences.
• The initial policy of Check Point NG AI is to deny everything. Use this to your advantage and configure your Security Policy from the perspective that you allow only what is needed and everything else is disallowed. This is much more secure than allowing everything and disallowing only what you know is harmful. Consider putting the most often matched rules near the top of the rule base to improve performance.
Installing a Security Policy
• When you install a policy, it is verified by Check Point NG AI and then compiled into INSPECT code.
• When you choose Install Policy from the GUI, it executes the fw load command.
Policy Files
• The *.W file is derived from the GUI rule base. It can be edited with a text editor.
• The *.PF file is the INSPECT script created from the *.W file in the install process.
• The objects_5_0.C file contains object definitions.
• The rulebases_50.fws file is an aggregation of all the *.W files.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Why can't I just write a policy? I know better than anyone what our network needs.
A: Community involvement is essential. You cannot enforce a policy that is your personal opinion. Furthermore, you likely do not want the blame when something goes wrong. In addition, having too strict a policy could encourage users to back-door the network and bypass the firewall.
Q: We are pretty small and do not have legal counsel on staff. Is legal counsel a necessity in writing the policy?
[Figure 5.3 (Security Policy rule base): a rule with Action Accept, Track Log, and Install On Policy Targets; services shown include HTTP, HTTPS, and FTP.]
This rule, rule 4 in Figure 5.3, has Source LAN, Destination Service_Net (negated), and Action Accept. This means that all traffic originating from any of your workstations and not directed to the Service_Net is allowed outbound. Of course, because we have already configured the translation rule, once the firewall accepts traffic from any of these objects, it goes on to translate the packets as specified.
Routing and ARP
Address Resolution Protocol (ARP) translates IP addresses to hardware MAC addresses, and vice versa. In the example above, where we used hide-mode NAT to translate packets going to and from your internal network, we used the firewall's external IP address as the translated address. In this case there are no ARP issues to consider, because the firewall answers ARP requests for its own external address. However, if you use another routable address as the translated address, you must ensure that the address is published, so that when external hosts send traffic to it, the firewall responds. To do this, add a static ARP entry on the host on which the firewall is installed. There is also an option, enabled by default on new NG installations but not on upgrades, that lets the firewall add ARP entries automatically; this is discussed in more detail later in the chapter.
On a Solaris system, use the following syntax to add the static ARP entry:
    arp -s <translated IP> <MAC address> pub
The MAC address to use is that of the external interface of your firewall, which you can determine with the ifconfig -a command. Note that this ARP entry only exists until the system is rebooted; to make it permanent, add it to the appropriate startup file on your system. For example, say the public IP address for the Web server is 11.12.13.10 and the MAC address of the firewall's external interface is 00:01:03:CF:50:C9. The ARP command in this case is:
    arp -s 11.12.13.10 00:01:03:CF:50:C9 pub
Similarly, on Windows NT you also need a static ARP entry. However, NT does not allow this via the arp command, so you must edit the file $FWDIR\state\local.arp. In this file, add a line of the form:
    <translated IP> <MAC address>
or, in our example:
    11.12.13.10 00:01:03:CF:50:C9
Separate the fields with a space or a tab. After editing this file, you must stop and restart the FW-1 service to activate the change. On both Windows and Solaris, you can display the current ARP entries with arp -a; the list includes any manual entries you have created as well as all other entries the system has learned.
If you are using a Nokia, configure the static ARP entry in the Voyager GUI: select Config | ARP and add the entry, choosing the Proxy Only type. Note that if you are using VRRP and you use the virtual IP address as the hiding address, there is no need to add a static ARP entry, because the firewall already knows it should respond to that address.
In addition to ARP issues, keep routing in mind when configuring any type of NAT. Our example above does not present any obvious routing issues, assuming the workstations are all directly connected to the firewall and use it as their gateway. However, if there were a router or any other Layer 3 device between the workstations and the firewall, you would have to ensure that the router forwarded traffic between the workstations and the firewall properly. One other routing issue to take into account is that if the IP address you are using as your hiding address is not part of the network on your firewall's external interface, external routers may not know how to reach it. If traffic does not reach the firewall, the ARP entry you created for that address does no good. To ensure that traffic reaches the firewall, the router responsible for announcing your networks must also announce the network you are using for NAT. This may involve contacting your Internet provider (if you do not manage your own router).
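The following shell functions are an added example, not from the book. They decide, for a given translated address, which of the three cases above applies (the firewall's own external address, an address on the external subnet that needs a published ARP entry, or an off-subnet address that the upstream router must route to the firewall) and, for the proxy-ARP case, print the Solaris arp command and the Windows local.arp line in the forms given above. The external interface address 11.12.13.1 and the /24 prefix length are assumptions for illustration; the book gives neither.

```shell
#!/bin/sh
# Added example (not from the book): classify a NAT address against the
# firewall's external interface and emit the ARP entry the chapter describes.
# The /24 prefix and the interface address 11.12.13.1 in the usage line are assumptions.

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET_IP PREFIXLEN -> 0 if IP and NET_IP share the first PREFIXLEN bits
in_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# valid_mac XX:XX:XX:XX:XX:XX -> 0 if the string is a colon-separated MAC
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# nat_reachability TRANSLATED_IP EXT_IF_IP PREFIXLEN
# Prints one of:
#   none       the translated address is the external interface itself
#   proxy-arp  on the external subnet: publish an ARP entry for it
#   route      off the external subnet: the upstream router must route it here
nat_reachability() {
    if [ "$1" = "$2" ]; then
        echo none
    elif in_subnet "$1" "$2" "$3"; then
        echo proxy-arp
    else
        echo route
    fi
}

# nat_arp_plan TRANSLATED_IP EXT_IF_IP PREFIXLEN EXT_IF_MAC
# Prints what to configure, per platform, for the case that applies.
nat_arp_plan() {
    valid_mac "$4" || { echo "not a MAC address: $4" >&2; return 2; }
    case $(nat_reachability "$1" "$2" "$3") in
        none)
            echo "No ARP entry needed: $1 is the firewall's own external address." ;;
        proxy-arp)
            echo "Solaris (add to a startup file too; it does not survive a reboot):"
            echo "  arp -s $1 $4 pub"
            printf '%s\n' 'Windows NT, line for $FWDIR\state\local.arp (then restart the FW-1 service):'
            printf '  %s\t%s\n' "$1" "$4"
            echo "Nokia: Voyager, Config | ARP, type Proxy Only" ;;
        route)
            echo "$1 is outside $2/$3: an ARP entry alone will not help;"
            echo "the router announcing your networks must route $1 to the firewall." ;;
    esac
}

# Usage with the chapter's values (external interface address is assumed):
# nat_arp_plan 11.12.13.10 11.12.13.1 24 00:01:03:CF:50:C9
```

The subnet test is the practical check to run before adding a published ARP entry: if it reports route, no amount of ARP configuration on the firewall makes the address reachable, and the fix is with whoever announces your prefix upstream.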
Configuring Static Address Translation
Static address translation translates an internal IP address to an external IP address on a one-to-one basis. This is in contrast to hide-mode translation, which translates many internal IP addresses to one external IP address (many-to-one). Situations especially suited to static-mode translation include cases where external hosts on the Internet must initiate connections to hosts on your protected network. Hide-mode translation does not allow this: internal hosts are hidden, as the name suggests, and therefore cannot be contacted directly from external sources. Static address translation is also useful where hide mode will not work, such as with certain VPN clients or other specialized applications.
Static address translation rules come in two flavors: static source and static destination. Rules are generally created in pairs: you want matching source and destination rules for each internal object involved in static-mode translation. If you have only a static source or only a static destination rule, NAT is provided for connections in one direction only. The NAT rule base is similar to the Security Policy rule base in that it works on the connection, not the individual packet. Therefore, for incoming connections to a Web server, you do not need a static source NAT rule just to get the response packets translated on their way out to the Internet.
The following sections describe the two types of static-mode translation rules in more detail and walk through an example configuration. In the example, a Web server called "Web_Server" sits behind the firewall on an internal IP address, 172.16.0.10. Our objective is to use static address translation to let external users reach this Web server. To do this, we first create a static source rule to let the Web server connect to the Internet with its public IP address. We then configure a static destination rule that lets others on the Internet contact the Web server.
Static Source
The first step in configuring static address translation for your Web server is to ensure that connections originating from the Web server can exit your network and reach their destinations on the Internet. This is the purpose of static source mode. In both hide-mode and static source mode translation, reserved IP addresses are translated into routable IP addresses before they leave the firewall. The difference is that in static source mode there is a one-to-one relationship between reserved addresses and routable addresses: each reserved address is translated into a unique routable address. Static source rules, like hide rules, can be configured either automatically or manually. This example focuses on manual rule configuration; refer to the "Automatic NAT rules" section for how to generate these rules automatically. To configure a static source rule, open SmartDashboard and select the Address Translation tab. Select Rules | Add Rule | Top. Again, depending on which rules are already present, you may need to add the rule elsewhere in the rule base. The next step is to configure this rule; see rule 1 in Figure 5.4.
Figure 5.4 Static Source Rule
Before you configure the new rule, you need to add an object representing the routable IP address that will translate the Web server's internal address. Create a standard workstation object with a valid routable IP within your address space, and call it "Web_Server_External," as in Figure 5.5.
Figure 5.5 Web Server External Object
Now, back to the translation rule. In the Original Packet section, under Source, add the Web_Server object; double-check that this object has the internal address. Leave the Destination as Any, since we want to apply this rule no matter which external host the Web server contacts. Also leave the Service as Any, since we are not restricting the destination port for this rule. You could specify HTTP or HTTPS here, depending on your application, but it is easier to allow all services in case you ever need another service, like ICMP, to test connectivity. In the Translated Packet section, set Source to Web_Server_External, and double-check that this object is set to the routable address you are using for translation. Leave Destination and Service as Original, since we are only translating the source address, not the destination or service. Set Install On to All, or, if you only plan to use this rule on a subset of your firewalls, set it to match that subset. Be sure to add a descriptive comment, such as "Static source for Web_Server," so that you can identify this rule later. The last step in enabling static source translation is to ensure that your standard rule base allows traffic from the Web server outbound where necessary. See rule 9 in Figure 5.6.
Figure 5.6 Outbound Rule for Web Server
Set the Source to Web_Server, Destination to Any, and Service to HTTP. Action will be Accept, and Track should be Log. Once you install the policy, you will have a working static source translation rule for this Web server. Remember that this rule only takes care of allowing the Web server to reach external hosts; without any further configuration there is no means by which inbound traffic can reach the server. In general, the functionality of a Web server requires external traffic to reach the server, and so static source rules are usually created in pairs with static destination rules, which are described next.
Static Destination
Creating a static destination rule is very similar to creating a static source rule, except for the order of the objects. See rule 2 in Figure 5.7.
Figure 5.7 Static Destination Rule
www.syngress.com
Again, add a rule to the translation rule base by selecting Rules | Add Rule. Here you should place this rule above or below the static source rule. In this case, in the Original Packet section, set the Destination to Web_Server_External, and leave Source and Service as Any. In the Translated Packet section, set the Destination as Web_Server, and again leave the other two columns as Original. The reason we are modifying the destination in this case and not the source is that we are concerned only with incoming traffic, which has the Web server as destination. Finally, you must ensure that your standard rule base will allow incoming traffic to hit the routable address. If not, this traffic would be dropped before it even had a chance to go through your translation rule. In our case, we already created this rule when we were defining our rulebase. See rule 5 in Figure 5.8.
Figure 5.8 Rules for Incoming Traffic to Web Server
Here, set Source to Any, Destination to Web_Server, Service to Any, and Action to Accept. Note that you could specify specific services, such as HTTP or HTTPS, and you could also narrow down the acceptable remote hosts that can access the Web server by adding them to the destination. After you install the policy, you will have a working static destination setup. What you can do then is configure DNS so that the name by which you want people to access this Web server, for example www.mycompany.com, points to the address you have assigned to Web_Server_External.
When this name is accessed on the Internet, traffic will be directed to your firewall, which will then translate and forward the packets to your Web server's internal address (the same one assigned to the object Web_Server). The Web server will recognize these packets as belonging to itself, and will respond to the request. When the response reaches the firewall, the firewall will again translate the packets back to the routable address, and forward them back toward the client. The client will see the response as originating from the same address to which they sent the request, and will not even know translation took place.
Routing and ARP
Just as in hide-mode address translation, there are ARP and routing issues to take into account for static source and static destination modes. Static-mode NAT requires the same ARP configuration as hide-mode; the routable address you are using (in this case the one assigned to Web_Server_External) must be configured on the firewall host. This is necessary so that incoming traffic bound for this address is recognized by the firewall as belonging to itself, and processed rather than forwarded elsewhere. On a Solaris system, use the following syntax to add the static ARP entry (the pub keyword publishes the entry, so the firewall answers ARP requests for the translated address):
arp -s <translated IP> <MAC address> pub
On a Windows NT system, edit the file $FWDIR\state\local.arp. In this file, add a line as follows:
<translated IP> <MAC address>
In both cases, use the translated IP assigned to Web_Server_External and the MAC address of your local network card. Be sure to stop and restart the firewall process after making these changes. If you are using a Nokia, add an ARP entry in the Voyager GUI under Configure | ARP. Here, add a permanent ARP entry with type Proxy Only. Static destination mode requires that you take into account routing the packets destined for the Web server. Specifically, the firewall will not know which interface to use to transmit the packets unless told explicitly. This may seem confusing, since you may think the translation rule will take care of routing the packet properly. However, if you upgraded your firewall to NG from a previous version (for instance v4.1), then translation takes place after the packets are routed. You can think of this as the packet header being rewritten just as the packet is on its way out of the firewall's interface. So, it must be going out of the correct interface before the address is translated. New installations of NG will translate before the packets are routed. See the section NAT Global Properties for more information. To add a static route on a Solaris system, use the following command:
route add <routable address> <internal address>
Note that in Solaris, this route, as well as any ARP entries you have added statically, will only remain present until the system is rebooted. You will need to ensure that you add this route to the appropriate startup file prior to the next reboot. To add a static route on a Windows NT system, use the following command:
route -p add <routable address> <internal address>
Here, the route will remain intact following a reboot due to the -p option, which stands for persistent. In both cases, the routable address is the address assigned to Web_Server_External, and the internal address is the address assigned to Web_Server or the next hop router. To add a static route on a Nokia, open the Voyager GUI and select Configure | Routing Configuration | Static Routes. Add the route here, and then apply and save your changes. Now that you have taken care of all outstanding ARP and routing issues, you can be sure that your static source and static destination translation rules will allow the Web server to function normally, while still being protected by the firewall.
Automatic NAT Rules
In addition to creating translation rules manually, FW-1 gives you the ability to generate these rules automatically. Generating automatic translation rules saves you time, and reduces the opportunity for error. You can create both hide-mode and static-mode translation rules automatically. Manually defined NAT rules can be more efficient, but automatic NAT rules are easier for novice users and are typically used for simplicity when possible.
Automatic Hide
As above, we will use the example of configuring hide-mode translation to hide your LAN network, 172.17.3.0/24, behind one routable address. To configure automatic hide-mode translation, open the SmartDashboard and select Manage | Network Objects. Edit the properties of LAN and select the NAT tab, as shown in Figure 5.9.
Figure 5.9 NAT Tab of Network Object
Select Add Automatic Address Translation Rules. Select Hide from the Translation Mode drop-down list. To specify a routable IP address to hide the network, enter the address in the Hide behind IP Address field (enter 0.0.0.0 to configure the firewall to use its external IP address). Alternatively, you can use the external IP address of the gateway by selecting the Hide behind Gateway option. Use the Install On drop-down list to specify the firewalls that will require this rule, or select All to apply this rule to all existing firewalls. Click OK. FW-1 will automatically generate the required rules for this hide-mode translation. See Figure 5.10.
Figure 5.10 NAT Rule Base with Generated Rules
Rules 1 and 2 above have been generated by the LAN object's automatic translation settings. Rule 1 ensures that traffic traveling within LAN will not be affected by translation; this traffic does not require translation since it is not leaving your network. Rule 2 resembles the manual translation rule we created earlier. It translates all traffic originating on your network into the routable IP address you specified, and then translates the destination of incoming packets back into their original addresses. The final step to activating hide-mode translation is to ensure that your general rule base will allow traffic to flow as expected. These are the same rules you created when you configured manual hide-mode translation.
Automatic Static
Configuring static rules automatically is similar to creating hide-mode rules automatically. In this example, we will again be configuring translation to allow Web_Server to be accessed from the Internet. To configure automatic static-mode translation, open SmartDashboard and go to the properties of the object you are configuring, in this case Web_Server. See Figure 5.11.
Figure 5.11 NAT Tab of Web Server
Access the NAT tab and enable Add Automatic Address Translation rules. Select Static from the Translation Method drop-down list, and for Valid IP Address, enter the routable IP address you are going to use in this case. The Install On field should include the firewalls for which this rule is appropriate, or be set to All. Click OK. FW-1 will automatically generate the required rules for this static-mode translation. See rules 1 and 2 in Figure 5.12.
Figure 5.12 Generated Address Translation Rules
Here, rules 1 and 2 have been generated by the Web_Server automatic translation settings. These rules will resemble the static source and static destination rules we created earlier. Rule 1 translates traffic originating from the Web server to the routable IP address, and rule 2 translates the destination of incoming traffic from the valid, routable address back to the internal address. Again, the final step is to ensure that your general rule base will allow traffic to flow to and from the Web server. These are the same rules you created when you configured manual static-mode translation.
Routing and ARP
With automatic NAT, you also need to keep routing and ARP issues in mind. The procedures for ensuring packets reach their intended destination are the same as with manual NAT.
If there is a router or multiple routers on your internal network and you are using reserved address space, you need to ensure that static routes (and default routes) exist on the router, or that dynamic routing protocols are configured correctly, so that packets will reach the firewall. For static source and hide-mode NAT, you must ensure that proper ARP entries exist on the firewall for the hiding or static source address. If you have upgraded to NG from a prior version of FW-1, then for static destination you need to add a static host route on the firewall to direct the traffic out the proper interface, since routing will take place before NAT. You can configure individual ARP and routing tasks using the same techniques that you use when you configure NAT manually. Alternatively, you can configure ARP and routing tasks by enabling some of the options available in the NAT Global Properties, which we will talk about next.
NAT Global Properties
FW-1 has some global NAT settings that affect the firewall's behavior. To access these settings, open SmartDashboard and select Policy | Global Properties. Select NAT - Network Address Translation, shown in Figure 5.13.
Figure 5.13 NAT Global Properties
The Automatic rules intersection setting, when checked, will apply when there is more than one automatic NAT rule that applies in any given situation. Automatic rules intersection means that in this case the firewall will combine or intersect the rules, thereby applying them both. For example, if a packet matches one translation rule's source and another rule's destination, the firewall would translate both the source and destination. When this box is not checked, the firewall will only apply the first matching NAT rule, and will ignore any subsequent matching rules. When Perform destination translation on the client side is checked, the firewall will perform static destination mode NAT on the client side of the connection, as opposed to the server side. With this option enabled, the need to add static host routes on the firewall is eliminated since address translation will take place before routing.
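To make the matching behaviour concrete, here is a small Python model of the NAT rule base built in this chapter (the static source and static destination rules for Web_Server and a hide rule for the LAN) with first-match evaluation by default and a switch that models the Automatic rules intersection option. This is an added example written for this page, not Check Point code; the addresses, the object name Hide_Address and the hide-port mapping are constructed for illustration.

```python
"""Toy model of an FW-1 style NAT rule base.

Added example, not Check Point code: network objects, addresses and the
hide-port mapping are constructed here for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Network objects referenced by the rules (constructed sample addresses).
OBJECTS = {
    "Any": ip_network("0.0.0.0/0"),
    "LAN": ip_network("172.17.3.0/24"),                    # the chapter's LAN
    "Hide_Address": ip_network("203.0.113.1/32"),          # assumed hiding address
    "Web_Server": ip_network("172.17.2.10/32"),            # assumed internal address
    "Web_Server_External": ip_network("203.0.113.10/32"),  # assumed routable address
}

ORIGINAL = "Original"  # leave this column of the packet unchanged


@dataclass(frozen=True)
class Rule:
    comment: str
    orig_src: str      # Original Packet columns: object names or "Any"
    orig_dst: str
    orig_svc: str
    xlate_src: str     # Translated Packet columns: object name, ORIGINAL,
    xlate_dst: str     # or "hide:<object>" for hide-mode source translation
    xlate_svc: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    svc: str
    sport: int = 40000


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when all three Original Packet columns match."""
    return (ip_address(pkt.src) in OBJECTS[rule.orig_src]
            and ip_address(pkt.dst) in OBJECTS[rule.orig_dst]
            and rule.orig_svc in ("Any", pkt.svc))


def apply_rule(rule: Rule, pkt: Packet) -> Packet:
    """Rewrite only the columns the rule does not leave as Original."""
    src, dst, sport = pkt.src, pkt.dst, pkt.sport
    if rule.xlate_src.startswith("hide:"):
        # Hide mode: many hosts share one address; the source port keeps
        # connections apart (a constructed mapping, not FW-1's allocator).
        src = str(OBJECTS[rule.xlate_src[5:]].network_address)
        sport = 10000 + pkt.sport % 50000
    elif rule.xlate_src != ORIGINAL:
        src = str(OBJECTS[rule.xlate_src].network_address)   # static source
    if rule.xlate_dst != ORIGINAL:
        dst = str(OBJECTS[rule.xlate_dst].network_address)   # static destination
    return Packet(src, dst, pkt.svc, sport)


def translate(rules, pkt: Packet, intersect: bool = False):
    """Return (translated packet, comments of the rules applied).

    Default: the first matching rule wins and later matches are ignored.
    intersect=True models 'Automatic rules intersection': a later matching
    rule may still translate a column the earlier rule left as Original.
    """
    out, applied = pkt, []
    for rule in rules:
        if not rule_matches(rule, pkt):      # always match the original packet
            continue
        if applied:
            if not intersect:
                break
            rule = replace(rule,
                           xlate_src=ORIGINAL if out.src != pkt.src else rule.xlate_src,
                           xlate_dst=ORIGINAL if out.dst != pkt.dst else rule.xlate_dst)
            if rule.xlate_src == ORIGINAL and rule.xlate_dst == ORIGINAL:
                continue
        out = apply_rule(rule, out)
        applied.append(rule.comment)
    return out, applied


# The manual rule base built in this chapter: static source and static
# destination for the Web server (rules 1 and 2) plus hide-mode for the LAN.
NAT_RULES = [
    Rule("Static source for Web_Server", "Web_Server", "Any", "Any",
         "Web_Server_External", ORIGINAL, ORIGINAL),
    Rule("Static destination for Web_Server", "Any", "Web_Server_External", "Any",
         ORIGINAL, "Web_Server", ORIGINAL),
    Rule("Hide LAN", "LAN", "Any", "Any",
         "hide:Hide_Address", ORIGINAL, ORIGINAL),
]

if __name__ == "__main__":
    for intersect in (False, True):
        # A LAN workstation reaching the Web server by its public address
        # matches rule 2 on destination and rule 3 on source.
        pkt, used = translate(NAT_RULES, Packet("172.17.3.5", "203.0.113.10", "http"), intersect)
        print(f"intersection={intersect}: {pkt} via {used}")
```

The LAN-to-published-address case is the one the intersection setting is about: with first match only the destination is rewritten and the Web server sees the workstation's private address, while with intersection the hide rule is applied to the source as well.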
Automatic ARP configuration avoids the necessity to configure ARP entries manually on the firewall, as discussed in the routing and ARP sections. This applies only to automatic NAT, not to manual NAT rules. This setting causes the firewall to automatically generate ARP entries for all configured translated IP addresses, enabling the firewall to respond to these addresses. This occurs on the firewall module that is enforcing the translation policy, and you can view the ARPs the firewall is generating with this command:
fw ctl arp
Summary
Network address translation is an effective way to protect your network, while at the same time conserving valuable IP address space. Hosts that are protected by NAT are far less vulnerable to attack or compromise by external threats, since they are not directly accessible from the Internet. FW-1 provides you with two main methods of doing NAT: hide-mode and static-mode. Hide-mode translation is most useful for situations when you need to translate an entire range of private IP space into one routable address. A common example is an office LAN: multiple office workstations, none of which need to be accessible externally, can be hidden with hide-mode NAT. Static-mode translation, divided into static source and static destination, is suited to cases when the device you are hiding must be accessible from the Internet. In static-mode, there is a one-to-one relationship between internal and external addresses. For both hide- and static-mode translation, FW-1 enables you to define NAT rules manually, or to have them generated automatically. The end result is the same; which method you use to define rules is up to you, and will depend on the situation and on how comfortable you are with the NAT rulebase. Now that you understand how to configure network address translation with FW-1, you have a powerful tool available that will enable you to create a highly secure, yet functionally uninhibited environment. Using NAT effectively is a key to building an optimal security policy.
Solutions Fast Track
Hiding Network Objects
Hide-mode NAT is used to hide an entire range of private addresses behind one routable address. With hide-mode NAT, internal hosts are not accessible from external hosts, but internal hosts can still retain full access outward. When configuring hide-mode NAT, you need to take ARP issues into account, and may have to add manual ARP entries to your firewall.
Configuring Static Address Translation
Static-mode NAT is used when internal hosts need to be accessible from the Internet. With static-mode NAT, there is a one-to-one ratio between internal and external addresses. There are ARP and routing issues to take into account when configuring static-mode NAT. You may need to add static routes if you have a router between your workstations and firewall, as well as static ARP entries.
Automatic NAT Rules
NAT rules in FW-1 can be created manually via the NAT rulebase, or automatically via each network object's NAT tab. Configuring FW-1 rules automatically may simplify your configuration tasks, and allow you to more easily visualize your environment. Even when configuring NAT automatically, you need to keep the same ARP and routing considerations in mind.
NAT Global Properties
FW-1's global NAT properties help you to configure rule intersection behavior, determine where to perform destination translation, and perform automatic ARP configuration.
Automatic ARP configuration is an especially useful feature that eliminates the need for manual ARP entries on the firewall. FW-1 will create ARP entries for all required addresses.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Should I configure NAT rules manually, or use FW-1 to generate them automatically?
A: No matter how you configure NAT, the end result should be the same. In fact, if you configure NAT automatically, you should still check the NAT rule base to ensure that the rules ended up as you expected. So, the answer to this question really depends on your familiarity and comfort level with NAT and with FW-1 in general.
Q: How do I know when to use hide-mode and when to use static-mode?
A: As a general rule, use static-mode NAT only when the internal device must be accessible from the Internet. This includes devices such as Web servers, FTP servers, or any other server you want external users to have access to. Also, some forms of VPN and some other specialized applications require static-mode NAT. Hide-mode translation should be used when the internal device needs access outbound but does not need to be reached externally.
Q: When will the firewall use an ARP entry versus a route?
A: ARP entries are used for devices that are on the same network as the firewall, while routes are used otherwise. For devices on the same network, when the firewall tries to reach an IP address, it first checks to see if it already has an ARP entry for that host. If not, it sends out an ARP broadcast, received by all devices on the same network, requesting the MAC address for the given IP. For devices not on the same network, the firewall simply checks its routing table for a route to that host, and uses the default route if none is found.
Q: I have a lot of NAT rules, and it takes a long time to compile my security policy. What can I do to speed things up?
A: If you have several sequential networks or subnets defined for your hiding NAT networks, you can combine these into one network object with a subnet that will cover all (or as many as possible) of your networks. For example, if you have 10.1.1.0, 10.1.2.0, 10.1.3.0...10.1.128.0, and you have automatic N A T turned on for each of these networks, you could have 256 NAT rules. Instead, you can create one object with address 10.1.0.0 and subnet mask 255.255.128.0 and add the automatic N A T to this one object.
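As an added check for the aggregation described in this answer (example code written for this page, not from the book or from Check Point), the standard ipaddress module can find the smallest single network that covers a list of hide-NAT subnets and list any subnets a proposed aggregate object would miss. Note that 255.255.128.0 on 10.1.0.0 spans 10.1.0.0 through 10.1.127.255, so a 10.1.128.0 network is only covered once the mask is widened to 255.255.0.0, which is exactly what the check reports. The subnet list is constructed to match the example in the answer.

```python
"""Check whether one aggregate network object can stand in for many hide-NAT networks.

Added example, not from the book or from Check Point: it uses Python's standard
ipaddress module on a constructed list of subnets.
"""
from ipaddress import ip_network


def smallest_covering_network(subnets):
    """Return the smallest single IPv4 network that contains every subnet."""
    nets = [ip_network(s) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    candidate = ip_network(f"{first}/32")
    # Widen the prefix one bit at a time until the highest address fits too.
    while last not in candidate:
        candidate = candidate.supernet()
    return candidate


def uncovered(subnets, aggregate):
    """List the subnets that a proposed aggregate object would not cover."""
    agg = ip_network(aggregate)
    return [s for s in subnets if not ip_network(s).subnet_of(agg)]


def automatic_rule_count(subnets):
    """Each object with automatic hide NAT generates two rules (see Figure 5.10)."""
    return 2 * len(subnets)


# Constructed to match the FAQ: 10.1.1.0 through 10.1.128.0, each a /24.
HIDE_NETS = [f"10.1.{third}.0/24" for third in range(1, 129)]

if __name__ == "__main__":
    print("automatic rules today:", automatic_rule_count(HIDE_NETS))
    print("smallest single aggregate:", smallest_covering_network(HIDE_NETS))
    print("missed by 10.1.0.0/255.255.128.0:", uncovered(HIDE_NETS, "10.1.0.0/17"))
```

Run uncovered() against whatever aggregate you intend to create before removing the per-network objects; a subnet it reports would silently stop being hidden once its own object is gone.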
Q: My management console is managing several firewalls, and we have an assortment of 10.x.x.x networks spread out across different locations on our internal network. How can I keep my NAT rule base simple?
A: Create one network object for 10.0.0.0 with netmask 255.0.0.0, and add hide NAT with a translation address of 0.0.0.0 or select Hide behind Gateway. Using this address will hide the traffic behind the IP address of the firewall interface that the traffic is leaving through.
Q: I can't access my remote network over our Virtual Private Network because the firewall is hiding our local network. What should I do?
A: Sometimes it is necessary to create manual address translation rules that do not translate. If you should not be translating your internal network to your remote office, then you could add a rule where the Original Packet fields match these VPN packets, and the Translated Packet section keeps all three columns (Source, Destination, and Service) as Original. This rule would have to be added above any rules in the rulebase that translate this source or destination. Note: you can only use one object in each cell in the NAT rulebase. As a result, it may be necessary to create a group of objects between which you will not be NATing.
Q: How can I troubleshoot my NAT configuration?
A: Perform these steps to verify that you have things configured properly for static address translation. You may need to add a security policy rule for this to report correctly. If you cannot determine a problem with ping, check your Log Viewer for dropped or rejected packets, and also look at the following columns in the Log Viewer: NAT rule number, NAT additional rule number, XlateSrc (Xlate is short for Translate) for the translated source IP address, XlateDst for the translated destination IP address, XlateSPort for the translated source port, and XlateDPort for the translated destination port. Don't worry if they are blank; they are only recorded if the particular part of the packet is being changed.
1. From the firewall, ping the internal IP address of the host/server. If you cannot, then check the cabling.
2. From the firewall, ping the routable, external IP address of the host/server. If you cannot, then check the host route on the firewall. If the host route looks right, then check the network object for your workstation; the IP address or Address Translation may be incorrect.
3. From the host, ping the internal IP address of the firewall. If you cannot, then check the cabling.
4. From the host, ping the firewall's external IP address. If you cannot, then check the default route on the host, and the default route of any intervening routers.
5. From the host, ping your Internet router (or the firewall's default gateway). If you cannot, then check the address translation on the workstation's network object in SmartDashboard. If that looks fine, then check the ARP on the firewall (local.arp in NT).
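To read the Log Viewer columns listed in that answer systematically, here is an added Python example (not FW-1 code) that parses constructed records carrying those column names, classifies what translation each shows, and checks an inbound connection to a statically published server against the routable and internal addresses you expect. The key=value line format, the rule numbers and all addresses are constructed for the example and are not a real Log Viewer export.

```python
"""Read the Xlate columns of FW-1 log records to see what NAT did to a connection.

Added example, not FW-1 code: the records below are constructed key=value lines
using the column names from the text; a blank Xlate column means that part of
the packet was not changed.
"""


def parse_record(line):
    """Split a constructed 'key=value key=value' line into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify_translation(rec):
    """Name the kind of translation the Xlate columns show."""
    src = bool(rec.get("XlateSrc"))
    dst = bool(rec.get("XlateDst"))
    sport = bool(rec.get("XlateSPort"))
    if src and dst:
        return "source and destination"
    if src and sport:
        return "hide"            # shared address, so the source port was rewritten too
    if src:
        return "static source"
    if dst:
        return "static destination"
    return "none"


def check_static_destination(rec, routable, internal):
    """Return the problems found for an inbound connection to a statically published server."""
    problems = []
    if rec.get("dst") != routable:
        problems.append(f"destination {rec.get('dst')} is not the routable address {routable}")
    if not rec.get("XlateDst"):
        problems.append("XlateDst is blank: no destination translation was applied")
    elif rec.get("XlateDst") != internal:
        problems.append(f"XlateDst {rec['XlateDst']} is not the expected internal address {internal}")
    if rec.get("action", "").lower() != "accept":
        problems.append(f"action was {rec.get('action')!r}, check the security rule base")
    return problems


# Constructed sample records (not a real Log Viewer export).
LOG_LINES = [
    "action=accept rule=5 NAT_rule=2 src=198.51.100.7 dst=203.0.113.10 XlateSrc= XlateDst=172.17.2.10 XlateSPort= XlateDPort=",
    "action=accept rule=9 NAT_rule=1 src=172.17.2.10 dst=198.51.100.7 XlateSrc=203.0.113.10 XlateDst= XlateSPort= XlateDPort=",
    "action=accept rule=6 NAT_rule=3 src=172.17.3.5 dst=198.51.100.7 XlateSrc=203.0.113.1 XlateDst= XlateSPort=10101 XlateDPort=",
    "action=drop rule=10 NAT_rule= src=198.51.100.7 dst=203.0.113.10 XlateSrc= XlateDst= XlateSPort= XlateDPort=",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        rec = parse_record(line)
        print(rec["src"], "->", rec["dst"], ":", classify_translation(rec))
    print(check_static_destination(parse_record(LOG_LINES[3]), "203.0.113.10", "172.17.2.10"))
```

The last record is the case step 2 of the answer is hunting for: the packet reached the firewall addressed to the routable address, but no XlateDst was recorded and the packet was dropped, so the translation rule never applied and the security rule base is the first place to look.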
Q: Why can't I get to any servers on my DMZ that are configured with static NAT after rebooting the firewall?
A: If you are using a Windows firewall, check that the static host route was added with a -p switch, which stands for persistent or permanent. This ensures that the routes are added into the registry and restored whenever the system is rebooted. If you are using a Solaris firewall, ensure that your ARP and route statements are added in a startup file. If you have a Nokia firewall, make sure that you make any route and ARP change through the Voyager GUI, and that you SAVE your changes after you apply them.
CHAPTER 6 Screening of Recombinant DNA Libraries
INTRODUCTION
The usual approach to isolating a recombinant DNA clone encoding a particular gene or mRNA sequence is to screen a recombinant DNA library. As described in Chapter 5, a recombinant DNA library consists of a large number of recombinant DNA clones, each one of which contains a different segment of foreign DNA. Since only a few of the thousands of clones in the library encode the desired nucleic acid sequence, the investigator must devise a procedure for identifying the desired clones. The optimal procedure for isolating the desired clone involves a positive selection for a particular nucleic acid sequence. If the desired gene confers a phenotype that can be selected in bacteria, then the desired clone can be isolated under selective conditions (UNIT 1.4). However, most eukaryotic genes and even many bacterial sequences do not encode a gene with a selectable function. Clones encoding nonselectable sequences are identified by screening libraries: the desired clone is identified either because (1) it hybridizes to a nucleic acid probe, (2) it expresses a segment of protein that can be recognized by an antibody, or (3) it promotes amplification of a sequence defined by a particular set of primers.
Screening libraries involves the development of a rapid assay to determine whether a particular clone contains the desired nucleic acid sequence. This assay is used first to identify the recombinant DNA clone in the library and then to purify the clone (see Fig. 6.0.1). Normally, this screening procedure is performed on bacterial colonies containing plasmids or cosmids or on bacteriophage plaques. To test a large number of clones at one time, the library is spread out on agarose plates (UNIT 6.1), then the clones are transferred to filter membranes (UNIT 6.2). The clones can be simultaneously hybridized to a particular probe (UNITS 6.3 & 6.4) or bound to an antibody (UNITS 6.7 & 6.11). When the desired clone is
Figure 6.0.1 Flow chart for screening libraries: bacteriophage, cosmid, or plasmid libraries; plate library (consider library base and insert size); screen library by hybridization to nick-translated DNA and synthetic oligonucleotides, or immunoreactivity, or hybrid selection of mRNA and translation; purify plaques or colonies.
Contributed by J.G. Seidman Current Protocols in Molecular Biology (1994) 6.0.3-6.0.5 Copyright © 2005 by John Wiley & Sons, Inc.
first identified, it is usually found among many undesirable clones; an important feature of library screening is the isolation of the desired clones (UNITS 6.5, 6.6 & 6.12). Another method for identifying the desired clone involves hybrid selection (UNIT 6.8), a procedure by which the clone is used to select its mRNA. This mRNA is characterized by its translation into the desired protein. Libraries consisting of large genomic DNA fragments (∼1 Mb) carried in yeast artificial chromosome (YAC) vectors have proven to be tremendously useful for genome analysis. In general, these libraries (which are usually produced by large “core” laboratories) are initially screened using a locus-specific PCR assay (UNIT 6.9); the clone resulting from the initial round of screening is subsequently analyzed by more conventional hybridization methods (UNIT 6.10). To screen a DNA library, one must first devise the screening procedure. The next important choice is the selection of a recombinant DNA library. When choosing which library to screen the investigator should consider whether he or she wants to isolate clones encoding the gene or the mRNA sequence. cDNA clones encode the mRNA sequence and allow prediction of the amino acid sequence, whereas genomic clones may contain regulatory as well as coding (exon) and noncoding (intron) sequences. The differences between genomic and cDNA libraries are discussed in Chapter 5. Another critical parameter to be determined before proceeding with a library screen is the number of clones in the library that must be screened in order to identify the desired clone. That is, what is the frequency of the desired clone in the library? This frequency is predicted differently for genomic and cDNA libraries, as described below. Screening a genomic library. In general, genomic libraries can be made from DNA derived from any tissue, because only two copies of the gene are present per cell or per diploid genome.
The predicted frequency of any particular sequence should be identical to the predicted frequency for any other sequence in the same genome. The formula for predicting the number of clones that must be screened to have a given probability of success is presented in UNIT 5.1. This number is a function of the complexity of the genome and the average size of the inserts in the library clones. For amplified libraries, the base (see UNIT 5.1) must exceed this number. Usually about 1 million bacteriophage clones or 500,000 cosmid clones must be screened to identify a genomic clone from a mammalian DNA library. Many of the clones that are screened from an amplified library will be screened more than once; the total number of clones that must be screened is 30 to 40% greater than the number calculated by the formula. Screening a cDNA library. The optimal cDNA library is one made from a particular tissue or cell that expresses the desired mRNA sequence at high levels. In highly differentiated cells, a particular mRNA may comprise as many as 1 of 20 of the poly(A)+ mRNA molecules, while some mRNAs are either not present at all or comprise as low as 1 molecule in 100,000 poly(A)+ mRNA molecules. When choosing a cDNA library the investigator must make every effort to obtain a library from a cell where the mRNA is being expressed in large amounts. Of course, the number of clones that must be screened is determined by the abundance of the mRNA in the cell. The amount of protein that is found in the cell is frequently a good indicator of the abundance of the mRNA. Thus, proteins that comprise 1% of the total cell protein are made by mRNAs that usually comprise 1% of the total poly(A)+ mRNA, and the desired cDNA clones should comprise about 1% of the clones in the cDNA library.
Screening a YAC library. In the typical genomic libraries maintained in E. coli (described in Chapter 5), the size of the insert is limited to 20 to 25 kb for lambda vectors or to 40 to 45 kb for cosmid vectors. Yeast artificial chromosome (YAC) vectors, by contrast, are designed to carry much larger genomic DNA fragments and thereby facilitate genomic analysis, with inserts ranging from 0.3 to ∼1 Mb in size. Conventional screening of YAC
6.0.4 Supplement 69
Current Protocols in Molecular Biology
libraries by hybridization is difficult, both because of the unfavorable signal-to-noise ratio and the sheer number of replica filters required to represent an entire library. For example, a standard YAC library representing 5 to 8 genome equivalents requires over 500 microtiter plates (and corresponding filters for screening by hybridization). Thus, most core laboratories screen YAC libraries using a locus-specific PCR assay whose primers define a particular sequence. The PCR screening is initially performed using pools (representing up to 4 microtiter plates or 384 YAC clones) or superpools (representing up to 20 microtiter plates or nearly 2000 clones), followed by subsequent rounds of screening to narrow down the possible candidates.

Specialized screening strategies. For particular applications, there exist specialized approaches to screening. For example, cloned cDNAs encoding cell surface or intracellular proteins can be identified by expression screening, involving rounds of transient expression of a library and subsequent screening by immunoselection (UNIT 6.11). The technique of recombination-based screening provides a rapid and efficient approach for screening a complex genomic library in bacteriophage lambda (UNIT 6.12). The library is screened for homology against a plasmid carrying a particular cloned target sequence. If homology exists, a recombination event occurs, resulting in integration of the plasmid into the phage, and the recombinant is isolated by genetic selection.

General considerations. When selecting the library it is critical that the base be larger than the number of clones to be screened. One problem with predicting the number of clones to screen is that most libraries are amplified, and in the process of amplifying the library some clones are lost while others may grow more rapidly. Thus, if the desired clone is not found in a particular library, another independent library should be screened.
Having selected the library, the investigator is ready to begin screening for the desired clone. The technologies used to screen libraries are mostly extensions of the techniques that have been described earlier in the manual. Libraries are plated out, transferred to nitrocellulose filters, and hybridized to 32P-labeled probes or bound to antibodies. The major problem associated with this technique is that “false” positives can be identified: the probe may hybridize to clones that do not encode the desired sequence. Approaches to minimize this problem are discussed in UNIT 6.7. A second source of undesired clones arises from the power of the screening procedures that are normally used to screen these libraries. The investigator will be screening as many as one million clones. If the library contains any contaminating recombinant DNA clones that have previously been grown in the laboratory, they will be identified in the screening procedure. Thus, extreme care must be exercised to prevent contamination of the library with previously isolated recombinant clones. Despite these problems, the ability to screen large DNA libraries to isolate the desired clone provides a powerful tool for molecular biologists.

J.G. Seidman
Screening of Recombinant DNA Libraries
SECTION I
PLATING LIBRARIES AND TRANSFER TO FILTER MEMBRANES
The basic principle of screening recombinant DNA libraries is that bacteriophage plaques, or bacterial colonies containing plasmids or cosmids, contain relatively large amounts of insert DNA that can be detected either directly by hybridization (see below) or indirectly by the protein that may be expressed from the cloned segment (UNIT 6.7). The first step in the nucleic acid hybridization screening procedure is to grow large numbers of colonies or plaques on agar plates. Replica copies of these colonies are transferred to nitrocellulose filters, where they can be screened. In this section the techniques for producing large numbers of colonies and plaques, and for transferring these to filter membranes, are discussed. Prerequisites to these procedures are that the library must already be chosen and the number of clones to be screened must be determined (see introduction to this chapter).
UNIT 6.1
Plating and Transferring Bacteriophage Libraries

Bacteriophage are plated onto agar plates at high density so that as many as 1 million different plaques can be screened. The bacteriophage plaques are then transferred to nitrocellulose filters, denatured, and baked. The library and the number of clones to be screened are predetermined. Principles for choosing the plaque density and the number of plates to be used are outlined in the commentary.

BASIC PROTOCOL
Materials
Host bacteria, selection strain if applicable (UNIT 1.10; Table 1.4.5; Table 5.10.1)
Recombinant phage (UNIT 5.10)
0.7% top agarose (prewarmed; UNIT 1.1)
82-mm or 150-mm LB plates; or 245 × 245–mm Nunc bioassay LB plates (UNIT 1.1)
0.2 M NaOH/1.5 M NaCl
0.4 M Tris⋅Cl, pH 7.6/2× SSC
2× SSC (APPENDIX 2)
Nitrocellulose membrane filters (or equivalent)
20-G needle
46 × 57–cm Whatman 3MM or equivalent filter paper
80°C vacuum oven or 42°C oven

Plating bacteriophage
1. Determine the titer of the library by serial dilution as described in UNITS 1.11 & 5.7. For λ vectors that allow genetic selection against nonrecombinants, plating should be done on the appropriate bacterial strain (e.g., P2 lysogen for EMBL vectors).
LB plates should be poured several days in advance to allow them to dry prior to plating. The large Nunc plates are particularly prone to condensation on the surface of the agar, but this can be alleviated by allowing them to sit on the benchtop with covers removed for a few minutes to several hours before use.
2. Mix recombinant phage and plating bacteria (prepared as described in UNIT 1.11) in a culture tube as outlined in Table 6.1.1 and incubate 20 min at 37°C.
3. Add 0.7% top agarose to culture tube and transfer mixture to LB plates. Disperse bacteria and agarose on plates by tilting the plates back and forth. Mix cells and agarose for the large Nunc plates by gently inverting several times in a capped 50-ml tube prior to plating.

Contributed by Thomas Quertermous
Current Protocols in Molecular Biology (1996) 6.1.1-6.1.4
Copyright © 2000 by John Wiley & Sons, Inc.
Top agarose rather than top agar should be used as agar tends to lift off with the nitrocellulose filter. Melt the top agarose and cool to 45° to 50°C before use. If top agarose is too hot it will kill the bacteria, while if it is too cold the library will solidify in the tube.
4. Incubate plates at 37°C until plaques cover the plate but are not confluent. Incubation time varies between 6 and 12 hr and depends on type of phage and bacteria used. Store at 4°C. Do not incubate unattended overnight, but rather place at 4°C and allow to continue growth the next day.
Allowing phage plaques to incubate for the correct amount of time is critical. The object is to optimize two parameters. First, the plaques must be large enough to contain sufficient DNA to give a good signal. Second, if the plaques are too large and become confluent they are difficult to purify in subsequent steps. Because most nucleic acid probes give a very strong signal, we tend to prefer having smaller plaques and weaker signals.
5. Incubate plates at 4°C for at least 1 hr before applying filters.

Transferring to nitrocellulose filters
6. Label nitrocellulose filters with a ballpoint pen and apply face down (ink side up) on cold LB plates bearing bacteriophage plaques. This is best accomplished by touching first one edge of the filter to the agarose and progressively laying down more of the filter as it wets. Bubbles should be avoided. If difficulties are encountered the filter should not be adjusted on the plate, but rather removed and replaced with a new filter.
Nitrocellulose filters should be handled only with forceps or gloved hands.
7. Leave filters on plates for 1 to 10 min to allow transfer of phage particles to the filter. During this transfer period the orientation of the filter to the plate is recorded by stabbing a 20-G needle through the filter into the agar at several asymmetric points around the edge of the plate. Up to five replicas can be made from each plate. Remove the filter slowly from the plate with blunt, flat forceps and place face up on paper towels or filter paper.
Some investigators dip the needle used to orient the filter in India ink to more clearly mark the filter and agar. Other investigators mark the back of the agar plate with a black marker. Making two replicas from each filter, hybridizing both to the DNA probe, and comparing the autoradiographs of the replica filters eliminates many possible artifacts. This is particularly helpful when screening with an oligonucleotide probe.
8. Dry the filters on the benchtop for at least 10 min. This drying process binds the plaques to the filter.
Table 6.1.1 Recommended Mixtures for Plating Bacteriophage Libraries

Plate size          Bacteria(b) (ml)   Phage (pfu)      Top agarose (ml)
82 mm               0.2                5,000            3
150 mm              0.5                20,000-30,000    7
245 × 245 mm(a)     2                  150,000          30

(a) Nunc Bioassay plates distributed by Vangard International.
(b) Plating bacteria are prepared as described in Chapter 1.
Denaturation and baking
9. Place 46 × 57–mm Whatman 3MM paper on the benchtop and saturate with 0.2 M NaOH/1.5 M NaCl. Place filters on the paper face up for 1 to 2 min.
The 3MM paper should be wet enough to allow immediate saturation of the filters, but not so wet that the solution pools on the surface.
10. Transfer filters (face up) to 3MM paper saturated with 0.4 M Tris⋅Cl, pH 7.6/2× SSC for 1 to 2 min and then to 3MM paper saturated with 2× SSC for 1 to 2 min. Some investigators immerse the filters in all three solutions. This procedure can make the plaques detected by hybridization appear diffuse.
11. Dry filters in a vacuum oven 90 to 120 min at 80°C or overnight in a regular oven at 42°C. Store at room temperature in folded paper towels or other absorbent paper until needed for hybridization (described in UNIT 6.3 or 6.4).

COMMENTARY
Background Information
There are two parts to this protocol: plating the library and preparing filters. The number of bacteriophage per plate determines the number of plates that must be poured. This number is defined by the number of recombinants in the library (i.e., base of the library) and the frequency of the expected clone in the library. There is no advantage to screening more than 3 to 5 times the base of the library. The frequency of the clone in the library is determined as follows. cDNA libraries: the expected frequency of the desired RNA among the total RNA of the cell, ranging from 1⁄100 to 1⁄50,000. Genomic libraries: the size of the insert divided by the total genome size. Subgenomic libraries: the size of insert per total genome size times the fold purification of the DNA fragment (usually 10- to 50-fold).

The usefulness of a recombinant phage library depends on the ability to screen a large number of phage and identify the clone that carries the DNA sequence of interest. This has been made possible by the technique of in situ plaque hybridization described by Benton and Davis (1977). The phage are allowed to multiply in host bacteria in a thin layer of agarose on regular bacterial plates. When nitrocellulose is applied to the agarose, phage particles and unpackaged DNA adsorb to the filter to produce a replica of the plate surface. If the agarose surface is not excessively wet, there will be little spreading of the phage on the filter. Subsequent treatment of the filter with sodium hydroxide destroys the phage particles and denatures the phage DNA, which then binds to the nitrocellulose. Neutralization of the filters is required to maintain the integrity of the nitrocellulose. Hybridization of these filters to a DNA or RNA probe will identify the location of the phage plaque of interest, which can then be recovered from the plate.

A common variation of this technique is the substitution of one of the nylon-based membranes for nitrocellulose (see UNIT 2.9). The advantage of nylon membranes is their durability, which allows multiple hybridizations to the same filter and allows one to sequentially clone several genes from the same library using a single set of filters. However, nylon filters do not offer an improvement in sensitivity and are often more expensive than nitrocellulose filter paper.
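As an added worked example (not part of the original protocol), the following Python turns the clone-frequency rules from the chapter introduction and the commentary above, the 30 to 40% overhead for amplified libraries, the 3- to 5-times-base ceiling, and the plaque densities of Table 6.1.1 into a plating plan. The probability formula N = ln(1 - P)/ln(1 - f) is assumed to be the one the text defers to in UNIT 5.1 (it is not reproduced on this page), and the insert and genome sizes in the usage section are constructed inputs.

```python
"""Clone-count planning for a library screen (added example, not from the
original protocol).  It strings together the rules stated in the chapter
introduction and the UNIT 6.1 commentary:

  * clone frequency f:  cDNA = fraction of poly(A)+ mRNA that is the target;
    genomic = insert size / genome size;  subgenomic = genomic f x fold
    purification of the fragment;
  * screening an amplified library needs 30-40% more clones because some
    clones are picked more than once;
  * there is no advantage to screening more than 3-5 times the library base,
    and the base must exceed the number of clones to be screened;
  * plates to pour follow from the plaque densities of Table 6.1.1.

ASSUMPTION: the probability formula N = ln(1 - P) / ln(1 - f) is taken to be
the one the text defers to in UNIT 5.1; that formula is not on this page.
"""
import math

# Plaque capacity per plate (pfu), from Table 6.1.1.  The 150-mm entry is
# given as 20,000-30,000 in the table; the lower bound is used here.
PLATE_CAPACITY_PFU = {
    "82 mm": 5_000,
    "150 mm": 20_000,
    "245 x 245 mm": 150_000,
}


def clone_frequency(kind, **kw):
    """Expected frequency f of the desired clone in a library of the given kind.

    kind="cdna":        kw["mrna_fraction"]  (e.g. 1/100 for an abundant mRNA)
    kind="genomic":     kw["insert_bp"], kw["genome_bp"]
    kind="subgenomic":  as genomic, plus kw["fold_purification"] (10-50 typical)
    """
    if kind == "cdna":
        f = kw["mrna_fraction"]
    elif kind == "genomic":
        f = kw["insert_bp"] / kw["genome_bp"]
    elif kind == "subgenomic":
        f = kw["insert_bp"] / kw["genome_bp"] * kw["fold_purification"]
    else:
        raise ValueError(f"unknown library kind: {kind!r}")
    if not 0 < f < 1:
        raise ValueError(f"clone frequency must lie in (0, 1), got {f}")
    return f


def clones_to_screen(f, probability=0.99, amplified=True, overhead=0.35):
    """Clones to screen for the given probability of finding the clone.

    Uses the assumed UNIT 5.1 formula, then adds the 30-40% overhead for
    amplified libraries (35% by default, the midpoint of the stated range).
    """
    if not 0 < probability < 1:
        raise ValueError("probability must lie strictly between 0 and 1")
    n = math.log(1 - probability) / math.log(1 - f)
    if amplified:
        n *= 1 + overhead
    return math.ceil(n)


def plates_needed(n_clones, plate_size):
    """Number of plates of the given Table 6.1.1 size to pour for n_clones."""
    return math.ceil(n_clones / PLATE_CAPACITY_PFU[plate_size])


def plan_screen(f, library_base, plate_size="150 mm", probability=0.99,
                amplified=True):
    """Combine the rules above into a plating plan for one library.

    library_base is the number of independent recombinants in the library.
    If the base is smaller than the unamplified requirement, the library is
    too small and an independent library should be screened as well.
    """
    needed = clones_to_screen(f, probability, amplified)
    unamplified = clones_to_screen(f, probability, amplified=False)
    # No advantage to screening beyond 3-5x the base; cap at 5x.
    to_plate = min(needed, 5 * library_base)
    return {
        "clones_needed": needed,
        "clones_to_plate": to_plate,
        "plates": plates_needed(to_plate, plate_size),
        "base_too_small": library_base < unamplified,
    }


if __name__ == "__main__":
    # Constructed inputs: a 20-kb lambda insert against a 3 x 10^9 bp
    # mammalian genome, screened from an amplified library of 2 x 10^6 phage.
    f_genomic = clone_frequency("genomic", insert_bp=20_000, genome_bp=3e9)
    print(plan_screen(f_genomic, library_base=2_000_000))
    # An abundant cDNA (1 in 100 poly(A)+ mRNAs) needs only a few hundred clones.
    f_cdna = clone_frequency("cdna", mrna_fraction=1 / 100)
    print(clones_to_screen(f_cdna, amplified=False))
```

For the constructed genomic case the plan comes to roughly 930,000 plaques on 47 150-mm plates, in line with the "about 1 million bacteriophage clones" rule of thumb in the chapter introduction.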
Literature Review
The molecular basis of λ phage replication and the adaptation of the λ genome for molecular cloning has been reviewed by Arber et al. (1983) and Williams and Blattner (1980). Principles governing the plating of λ phage have been outlined by Arber (1983); see also UNIT 1.10. Thorough understanding of these principles has led to a universal approach to plating phage libraries.
Critical Parameters
To prevent recombination between different phage, do not allow them to overgrow, and grow them in recombination-minus hosts where possible. Calculations of the amount of phage stock to be used per plate should be based on a recent titration, and plating cells should be fresh. Filters must not become brittle during this procedure; brittle filters will be destroyed during the hybridization process. This can be avoided by limiting the time in the hydroxide solution to less than 5 min, making certain that the 0.4 M Tris⋅Cl, pH 7.6/2× SSC brings the filters to neutral pH, and limiting the baking to 2 hr.
Troubleshooting
Plaques should be visible on the plate before filters are made. If there appears to be poor bacterial growth, it is possible that the top agarose was too warm and many bacteria were killed, or that the phage titer was higher than expected and most host cells were lysed. Lower than expected phage titer could be due to an inaccurate titration of the phage stock, poor host-cell preparation, or too little time for adsorption. The preparation of the nitrocellulose filters will only be tested after hybridization is complete. Occasionally, hybridization to a plaque will produce a streak instead of a discrete circle on the autoradiograph, making location of the correct plaque difficult. Steps that will often correct this problem include: (1) drying plates with the cover removed for 1 to 2 hr before applying the filter, (2) drying the filters well before the hydroxide treatment, and (3) making certain that the face (phage side) of the filters is not directly in contact with the solutions.
Anticipated Results
This plating procedure characteristically produces plates with an even distribution of dense phage particles. It is sensitive enough to allow identification of a phage by hybridization even when the phage are plated at high density (>5000 plaques per 82-mm plate). A signal is easily visible after 18 to 24 hr, when filters are hybridized to a nick-translated DNA probe with activity of >10^7 counts/µg DNA.
Time Considerations
Usually plaques will become visible within 6 to 10 hr after plating. Bacteriophage should generally not be allowed to grow longer than necessary to visualize the plaques. Using the procedure outlined, even a large number of filters can be processed in a single day.
Literature Cited
Arber, W. 1983. A beginner's guide to lambda biology. In Lambda II (R.W. Hendrix, J.W. Roberts, F.W. Stahl, and R.A. Weisberg, eds.) pp. 381-395. Cold Spring Harbor Laboratory, Cold Spring Harbor, NY.
Arber, W., Enquist, L., Hohn, B., Murray, N., and Murray, K. 1983. Experimental methods for use with lambda. In Lambda II (R.W. Hendrix, J.W. Roberts, F.W. Stahl, and R.A. Weisberg, eds.) pp. 433-466. Cold Spring Harbor Laboratory, Cold Spring Harbor, NY.
Williams, B.G. and Blattner, F.R. 1980. Bacteriophage lambda vectors for DNA cloning. In Genetic Engineering, Vol. 2 (J.K. Setlow and A. Hollaender, eds.) p. 201. Plenum, NY.
Key References
Benton, W.D. and Davis, R.W. 1977. Screening λgt recombinant clones by hybridization to single plaques in situ. Science 196:180-182. Describes the method of plaque hybridization developed by the authors to allow isolation of phage possessing specific cloned DNA sequences.
Contributed by Thomas Quertermous
Massachusetts General Hospital
Boston, Massachusetts
UNIT 6.2
Plating and Transferring Cosmid and Plasmid Libraries

A bacterial suspension is suctioned through a porous membrane, leaving the bacteria bound to the membrane surface. The membrane is transferred, bacteria up, to an agar plate upon which the bacteria will receive enough nutrients to grow into colonies. These filters can then be used for replica platings and for hybridization with specific DNA probes.

BASIC PROTOCOL
Materials
LB plates containing antibiotic (UNIT 1.1)
LB medium (UNIT 1.1)
LB plates containing 50 µg/ml chloramphenicol (UNIT 1.1)
0.5 M NaOH
1 M Tris⋅Cl, pH 7.5
0.5 M Tris⋅Cl, pH 7.5/1.25 M NaCl
10- or 15-cm Whatman 3MM or equivalent filter paper discs
Sintered glass filter with vacuum
Nitrocellulose membrane filters (10- or 15-cm, Millipore HATF)
20 × 20–cm Whatman 3MM or equivalent filter paper
20 × 20–cm glass plate
20-G needle
46 × 57–cm Whatman 3MM or equivalent filter paper
80°C vacuum oven

NOTE: All materials coming into contact with E. coli must be sterile.

Plating cosmids
1. Start with plasmid or cosmid library produced after transformation, transfection, or amplification (UNIT 5.7).
2. Determine titer of the library by serial dilutions using plates containing antibiotics (see UNIT 1.3).
Remaining library suspension can be held at 4°C overnight with only minimal loss of viable bacteria. A 10-cm nitrocellulose filter can accommodate 10,000 to 20,000 colonies, while a 15-cm filter can hold up to 50,000.
3. Calculate the appropriate amount of the bacterial suspension for plating and dilute the suspension in LB medium such that there is the desired amount of bacteria in 5 ml (10-cm filter) or 10 ml (15-cm filter) of solution.
4. Meanwhile, prepare a layer of 10- or 15-cm Whatman 3MM paper discs on either the bottom part of a sintered glass Buchner funnel or on a porcelain filter funnel. Pour 10 to 20 ml LB medium over two or three layers of 3MM paper discs to make a level bed. The same pad of discs can be used for many filters.
Sterilize filter apparatus and filter paper before use. The 3MM and nitrocellulose filters can be sterilized by autoclaving them while wrapped in aluminum foil. The purpose of this step is to spread the bacteria uniformly across the surface of a nitrocellulose filter. The filtering apparatus must be level, it must create a uniform suction to all the surface of the filter, and it should be easy to move the filters to and from the apparatus.
Contributed by Thomas Quertermous
Current Protocols in Molecular Biology (1987) 6.2.1-6.2.3
Copyright © 2004 by John Wiley & Sons, Inc.
5. Label a nitrocellulose filter with a ballpoint pen on the side opposite that where the bacteria will be plated. Place the filter on the surface of the LB/antibiotic plate to wet it. The antibiotic plate must be permissive for cosmid- or plasmid-bearing bacterial cells and usually is ampicillin or tetracycline. Most ballpoint pen inks do not smudge during the hybridization reaction. If the one you choose runs, try another type.
6. Remove the wet filter from an antibiotic plate to the filtration apparatus. The suction should be off.
Carefully pipet the 5 to 10 ml of bacterial suspension onto the surface of the nitrocellulose filter, leaving the outer 4 to 5 mm of the filter free of solution. This outside bacteria-free ring leaves enough surface area to work with the filter without smearing or losing the colonies.
7. Slowly suction the solution down through the filter, taking care not to create any preferential suction pockets that would concentrate the bacteria. After suctioning all of the solution through the filter, transfer the filter back to the antibiotic plate on which it was wetted. In laying the filter down on the agar surface, take care to avoid trapping any air bubbles between the surface of the plate and the filter.
8. Plate the entire library in this way and incubate the plates upside down (agar side up) at 37°C until the colonies are ∼1 mm in diameter. Do not overgrow the filters, as smaller colonies can be lost beneath larger, faster-growing recombinant bacteria.
Preparing replica filters
9. Label and wet another set of nitrocellulose filters, as described in step 5.
10. Remove the initial library filter from its plate and place on several sheets of 20 × 20 cm 3MM paper, bacteria side up. While wearing gloves, carefully position the wetted replica filter above the bacterial lawn. Lay the second filter upon the first, leaving the two filters offset by 2 to 3 mm. This overlap will help in the separation of the two filters after the replica transfer.
Do not allow air bubbles to form between the two filters. These are excluded by touching the second filter to the first in the middle and then allowing the edges to fall.
11. Lay three sheets of 20 × 20–cm 3MM paper on the two filters, followed by a 20 × 20 cm glass plate. Using the palms of your hands, press with all your weight down on the glass plate, thus transferring the bacterial colonies from the library filter to the replica filter.
12. Remove the glass plate and the filter paper and, using a 20-G needle, punch holes 2 to 4 cm apart through both of the filters. These holes will allow the orientation of the film produced from the replica filter down on the library filter for the isolation of the correct clones.
13. Carefully peel the two filters apart, placing them both bacteria up, on their respective agar plates. Grow the replica colonies at 37°C overnight, leaving the library filters at 25°C overnight. After overnight growth, store the library filters on the agar plates at 4°C, while screening the replica filters. Multiple replica filters can be made from the same library filter. Incubate library filters 2 to 4 hr at 37°C or overnight at 25°C to allow regrowth of the colonies.
Then repeat steps 9 to 13. Normally, two copies of the cosmid are hybridized to each probe.
14. After the bacterial colonies have grown, the cosmids or plasmids on the replica filter are amplified by transferring them to an LB plate containing 50 µg/ml chloramphenicol and incubating at 37°C for 4 to 10 hr. This step will increase the signal produced by hybridization.

Preparing filters for hybridization
15. Remove the replica filters from the LB/chloramphenicol plates, place filters bacteria side up on a sheet of 46 × 57–cm 3MM paper soaked with 0.5 M NaOH, and leave them for 5 min.
16. Carefully transfer to a sheet of 46 × 57–cm 3MM paper soaked with 1 M Tris⋅Cl, pH 7.5. Allow neutralization to occur for 5 min.
17. Transfer to a third 46 × 57–cm filter soaked in 0.5 M Tris⋅Cl, pH 7.5/1.25 M NaCl. Neutralize 5 min.
18. Transfer filter to a dry sheet of 3MM paper to allow filter to dry. After filters are completely dry, stack them on paper towels or other adsorbent paper. Each nitrocellulose filter should be separated by paper towels from other filters.
19. Transfer the stacked filters to a vacuum oven at 80°C for 90 min. Remove filters and hybridize with a nick-translated probe, as described in UNITS 6.3 and 6.4.

COMMENTARY
Background Information
There are two commonly used protocols for the screening of recombinant bacteria with hybridization probes. The first method involves the spreading of bacteria on the surface of agar using a sterile spreader (UNIT 1.3). A nitrocellulose membrane filter is then placed on top of the colonies and most of each colony is transferred to the filter. The filter is then treated as described in steps 15 to 19. This method works well when relatively small numbers of positive colonies are being selected (up to several thousand). The second method employs a matrix of some type (here nitrocellulose filters are used) upon which bacteria can be plated and grown when the filter is placed on top of a nutrient agar surface. Once the plated bacteria have grown into visible colonies, the filters can be used for replica plating and in situ hybridization analysis.
Critical Parameters
In order to provide a uniform lawn of recombinant bacteria for screening, it is critical to ensure that the suction applied to the filters is uniform and not spotty. The best way to accomplish this is to suction the suspension through the filter slowly and to avoid any preferential suction sites in the filter. Make sure that the apparatus is level and that adequate layers of LB-soaked chromatography paper are used. Air bubbles will prevent bacterial growth, so be certain that air is not trapped between the filter and the agar surface.
Time Considerations
Once the apparatus is set up, it takes ∼5 min per filter to wet the filter, suction the bacteria, and transfer to an LB plate. The colonies take ∼15 hr to grow at 37°C, after which they can be transferred to 4°C until ready for the replica platings. Replica plating also requires 5 min per filter, and resulting filters will be ready for denaturation and hybridization after 15 hr at 37°C.
Key Reference
Hanahan, D. and Meselson, M. 1983. Plasmid screening at high density. Meth. Enzymol. 100:333-342.
Contributed by John H. Weis
Harvard Medical School
Boston, Massachusetts
SECTION II
HYBRIDIZATION WITH RADIOACTIVE PROBES

After plaques or colonies have been transferred to nitrocellulose filters, the desired clone can be detected by its ability to hybridize to a DNA probe. This is a rapid, effective screening procedure that allows the identification of a single clone within a population of millions of other clones. The filters are hybridized with a 32P-labeled nucleic acid probe, the excess and incorrectly matched probe is washed off the filter, and the filter is autoradiographed. Two features of the nucleic acid probe used for these experiments are critical to the successful screening of recombinant DNA libraries. First, the probe must hybridize only to the desired clones and not to any other clones. Thus, the nucleic acid sequence used for a probe must not contain any reiterated sequences or sequences that will hybridize to the vector. Second, the specific activity of the probe must be at least 10^7 cpm/µg. Most of the procedures for labeling DNA or copy RNA molecules are described in Chapter 3, and a support protocol is presented here that allows the 5′ end-labeling of a mixture of oligonucleotides. The two basic protocols presented in this section describe steps required to hybridize labeled probes to recombinant DNA clones on filters. Two protocols are presented because conditions for hybridizing short oligonucleotide probes and longer nucleic acid probes to filters are different.
UNIT 6.3
Using DNA Fragments as Probes

BASIC PROTOCOL
HYBRIDIZATION IN FORMAMIDE

Bacteriophage plaques or bacterial colonies bound to a filter membrane are detected by hybridization with a radioactive probe. Hybridization proceeds on prewet filters placed in a sealable plastic bag. After hybridization the filters are removed from the sealed bag, excess probe is washed off, and the filters are autoradiographed to identify the clones that have hybridized with the probe.

Materials
Nitrocellulose membrane filters bearing plaques, colonies, or DNA (UNITS 6.1 & 6.2)
Hybridization solution I
Radiolabeled probe, 1 to 15 ng/ml (UNIT 3.5)
2 mg/ml sonicated herring sperm DNA
High-stringency wash buffer I
Low-stringency wash buffer I
Sealable bags
42°C incubator
Water bath adjusted to washing temperature (see commentary)
Glass baking dish
Additional reagents and equipment for autoradiography (APPENDIX 3)

Incubate filters with probe
1. Wet filters with hybridization solution I. Lay a filter membrane bearing plaques on top of 5 to 20 ml of hybridization solution I and allow solution to seep through filter. It is important to wet only one surface at a time to prevent trapping air in filter. Wet each filter in turn, producing a stack of wet filters.
6.3.1 Supplement 24
When multiple filters are to be hybridized to the same probe, no more than twenty 8.2-cm discs or ten 20 × 20 cm square filters should be placed in one stack.

Contributed by William M. Strauss. Current Protocols in Molecular Biology (1993) 6.3.1-6.3.6. Copyright © 2000 by John Wiley & Sons, Inc.
Estimate the volume of hybridization solution used to wet the filters; this is a significant fraction of the volume of the hybridization reaction.
2. Transfer the stack of wetted filters to an appropriately sized sealable bag. Add enough hybridization solution to generously cover filters and seal. Note the volume of hybridization solution used to cover the filters.
3. Prehybridize filters by placing the bag in a 42°C incubator for at least 1 hr. Some investigators omit this step.
4. While filters are prehybridizing, pipet the radioactive probe into a screw-cap tube, add 2 mg (1 ml) sonicated herring sperm DNA, and boil 10 min. Place boiled probes directly into ice to cool. The amount of probe used is important, and should be in the range of 1 to 15 ng/ml of hybridization reaction. The volume of the hybridization reaction can be assumed to be the amount of hybridization solution added to the filters.
5. Add 2 ml hybridization solution I to the boiled probe.
6. Remove bag containing filters from the 42°C incubator. Open bag, add probe mixture, exclude as many bubbles as possible, and reseal. A good way to add the radioactive probe is to take it up in a syringe with an 18-G needle and then inject it into the bag. Reseal the bag after adding probe.
7. Mix probe in the bag so that filter is evenly covered. Replace bag in the 42°C incubator and let hybridize overnight.

Wash filters to remove nonhybridized probe
8. Warm 1 liter high-stringency wash buffer I to the “washing temperature” in a water bath. The stability of the washing temperature and the salt concentrations are critical features of this experiment. See discussion in commentary.
9. Remove bag containing hybridizing filters from the 42°C incubator. Cut bag open and squeeze hybridization solution out of the bag. CAUTION: Handle material carefully as it is extremely radioactive. This should be done on disposable paper bench covers.
10. Quickly immerse the filters in 500 ml low-stringency wash buffer I at room temperature in a glass baking dish. Separate all the filters, as they may stick together during hybridization. The volume of the low-stringency wash buffer is not important as long as the filters are completely covered. The filters must not be allowed to dry, as the radioactive probe will irreversibly bind to the filters if they dry in contact with probe. (The type of container used to hold the filters is not important as long as it transfers heat well. Thus glass, metal, or enamel containers are better than plastic.) The low-stringency wash only removes nonhybridized probe, formamide, and hybridization solution; it does not determine the stringency of the hybridization.
11. Rinse the filters three times with 500 ml low-stringency wash buffer. Let the filters sit 10 to 15 min at room temperature in low-stringency wash buffer with each rinse.
12. Pour off the low-stringency wash buffer and pour in 500 ml high-stringency wash buffer (prewarmed to washing temperature).
13. Replace the high-stringency wash buffer with another 500 ml of high-stringency wash buffer, then place the glass dish containing the filters in incubator at wash temperature. Make sure that the temperature in the glass dish reaches the desired washing temperature by placing a thermometer directly into the bath and measuring the temperature. Usually 15 to 20 min at the desired wash temperature is sufficient to remove most of the background radioactivity. Of course, if the glass dish is placed in a water bath, be careful that the water from the water bath does not get into the filters.
Autoradiographing filters
14. Remove filters and mount them either wet or dry on a plastic backing. If the filter(s) is to be exposed wet, then isolate it from the film by covering it with plastic wrap. Used X-ray film provides a good form of plastic backing for filters.
15. Mark the filters with radioactive ink to assist in alignment and autoradiograph. An easy way to apply radioactive ink is to mark adhesive-backed paper labels with radioactive ink and then attach the stickers to the plastic wrap cover. X-ray intensifying screens greatly decrease the amount of exposure time required.

ALTERNATE PROTOCOL
HYBRIDIZATION IN AQUEOUS SOLUTION
This method differs mainly in that formamide is not used in the hybridization solution. Follow the basic protocol except use the reagents and alternate parameters listed below.

Additional Materials
Hybridization solution II
Low-stringency wash buffer II
High-stringency wash buffer II
65°C incubator

1. Prehybridize as in basic protocol except that the filters are prehybridized at 65°C using hybridization solution II. Hybridization solution II may have to be prewarmed to solubilize the SDS.
2. Prepare probe as in step 4 of basic protocol and dilute with 2 ml of hybridization solution II.
3. Hybridize overnight as in steps 6 and 7 of basic protocol except use a hybridization temperature of 65°C.
4. Remove bag containing hybridization from the 65°C incubator. Squeeze out the hybridization solution, taking care to avoid contamination with the excess radioactive hybridization solution.
5. Immediately rinse filters twice with low-stringency wash buffer II. It is unnecessary to maintain a given temperature for this wash; just let the filters sit in wash buffer at room temperature until ready to proceed.
6. At 65°C, proceed to wash filters with high-stringency wash buffer II. Employ multiple quick washes (5 to 8) and immerse filter in a final wash for ∼20 min. Check the radioactivity of the filters with a Geiger counter and be certain that they produce a signal only a fewfold above background levels.
REAGENTS AND SOLUTIONS

High-stringency wash buffer I
0.2× SSC (APPENDIX 2)
0.1% sodium dodecyl sulfate (SDS)

High-stringency wash buffer II
1 mM Na2EDTA
40 mM NaHPO4, pH 7.2
1% SDS

Hybridization solution I
Mix the following ingredients for the range of total volumes indicated (all amounts in milliliters):

Ingredient                    50     100    150    250    500    1000
Formamide                     24     48     72     120    240    480
20× SSC                       12     24     36     60     120    240
2 M Tris⋅Cl, pH 7.6           0.5    1.0    1.5    2.5    5.0    10
100× Denhardt's solution      0.5    1.0    1.5    2.5    5.0    10
Deionized H2O                 2.5    5.0    7.5    12.5   25     50
50% dextran sulfate           10     20     30     50     100    200
10% SDS (a)                   0.5    1      1.5    2.5    5      10
Total volume                  50     100    150    250    500    1000

(a) In place of SDS, N-lauroylsarcosine (Sarkosyl) may be used.
Add the SDS last. The solution may be stored for prolonged periods at room temperature. The dextran sulfate should be of high quality. Pharmacia produces acceptable-grade dextran sulfate. Recipes for SSC and Denhardt’s solution are in APPENDIX 2.
Hybridization solution II
1% crystalline BSA (fraction V)
1 mM EDTA
0.5 M NaHPO4, pH 7.2 (134 g Na2HPO4⋅7H2O plus 4 ml 85% H3PO4/liter = 1 M NaHPO4)
7% SDS

Low-stringency wash buffer I
2× SSC (APPENDIX 2)
0.1% SDS

Low-stringency wash buffer II
0.5% BSA (fraction V)
1 mM Na2EDTA
40 mM NaHPO4, pH 7.2
5% SDS

Sonicated herring sperm DNA, 2 mg/ml
Resuspend 1 g herring sperm DNA (Boehringer Mannheim #223636) in a convenient volume (about 50 ml of water) by sonicating briefly. The DNA is now ready to be sheared into short molecules by sonication. Place the tube containing the herring sperm DNA solution in an ice bath (the tube must be stable even if the ice begins to melt). The sonicator probe is placed in the DNA solution (without touching the bottom of the vessel). The sonicator is turned on to 50% power for 20 min, or until there is a uniform and obvious decrease in viscosity. At no time should the tube containing the DNA become hot to the touch. After sonication, the DNA is diluted to a final concentration of 2 mg/ml, frozen in 50-ml aliquots, and thawed as needed.
COMMENTARY

Background Information
All hybridization methods depend upon the ability of denatured DNA to reanneal when complementary strands are present in an environment near but below their Tm (melting temperature). In a hybridization reaction involving double-stranded DNA on a filter and a single-stranded DNA probe there are three different annealing reactions occurring. First, there are the desired probe-DNA interactions, which result in signal. Second, there are mismatch interactions that occur between related but nonhomologous sequences; these mismatch hybrids are the ones that must be eliminated during the washing of the filters. Third, non-sequence-specific interactions also occur, and these result in noise. The ability to extract information from a particular hybridization experiment is a function of the signal-to-noise ratio. High background or poor specific signal can both result in uninterpretable results. Washing nitrocellulose filters is required to remove excess radioactive probe, as well as radioactive probe that has bound to the DNA on the filter as mismatch hybrids. Temperature and salt concentration dramatically affect the maintenance of specific hybrids. Detergents and other charged species can have a profound effect upon the nonspecific binding of species that contribute to background. In this protocol, hybridization is achieved in a solution containing 50% formamide. Excess probe is rinsed away under low-stringency conditions so that further hybridization will not occur. Once the hybridization solution is rinsed away, it is possible to proceed to a high-stringency wash without fear of further hybridization. When washing is complete, the filters should produce very little “noise” when monitored with a Geiger counter. Although a single-copy sequence probe normally does not produce a signal that is detectable with a Geiger counter, a probe corresponding to more abundant sequences will produce a signal that can be “heard” with a Geiger counter.
Literature Review
Hybridization to filter membranes forms a basis of recombinant DNA technology and is described in detail earlier in the manual (UNIT 2.9). The protocols described here vary from those used for Southern blot filter hybridization in that the volume of the hybridization is usually larger and the washing conditions are different. Dextran sulfate is an important component of the hybridization solution as it increases the rate of reassociation of the nucleic acids. The protocols in this unit describe methods for hybridizing radioactive probes to membrane-bound plaques or colonies. These procedures for screening recombinant clones were first suggested by Grunstein and Hogness (1975) and by Benton and Davis (1977). The conditions of hybridization proposed in the basic protocol, involving hybridization in formamide, were originally described by Denhardt (1966) and Gillespie and Spiegelman (1965), while the alternate protocol using aqueous hybridization solution was introduced by Church and Gilbert (1984). The method of washing filters under stringent conditions to remove background was first proposed by Southern (1975). Botchan et al. (1976) described the benefit of adding SDS to the wash solution. Jeffreys and Flavell (1977) first employed the wash conditions described in the protocols presented here.
Critical Parameters
Hybridization. Kinetically, the hybridization of DNA (or RNA) probes to filter-bound DNA is not significantly different from hybridization in solution. For single-stranded probes, the rate of hybridization follows first-order kinetics, since probe is available in excess. Under conditions of excess probe, the time for hybridization is inversely proportional to the probe concentration. For double-stranded probes the rate of hybridization displays a more complex relationship to the initial probe concentration. However, to a first approximation the initial probe concentration is inversely proportional to the rate of hybridization. To determine the actual time required for the successful hybridization of a given probe, either empirical data must be available or the following formula can be used to determine the length of time (in hours) required to achieve 50% hybridization (T50):

$T_{50} = \frac{1}{x} \times \frac{y}{5} \times \frac{z}{10} \times 2$

where x is the weight of probe in micrograms; y is the complexity of probe in kilobases; and z is the volume of hybridization solution in milliliters. The length of time T50 is given in hours. Maximum hybridization signal will be obtained if the reaction is allowed to proceed to 5 × T50, although 1 to 2 × T50 is often used. It is also clear that nonspecific interactions occur and that in any hybridization, sources of noise will be present. Therefore, from a practical standpoint one conventionally utilizes concentrations of nick-translated probe on the order of 1 to 15 ng/ml of hybridization, where the specific activity of the probe is from 5 × 10^7 cpm/µg to >10^8 cpm/µg. Too much probe in a hybridization is as bad as too little. One important source of background hybridization to filters is the hybridization of the probe to vector sequences or to E. coli DNA. Be certain that there are no vector or E. coli DNA sequences in the probe. This can best be ensured by isolating the probe from one type of vector (e.g., plasmid) and screening a library made with a different type of vector (e.g., bacteriophage).
Washing temperature. Washing at low stringency is a straightforward proposition. Buffer is added at room temperature and washing proceeds at room temperature. The high-stringency wash is determined empirically. The relative homology between the probe and target sequence is a determining parameter. If the homology is 100%, a high temperature (65° to 75°C) can be used. As the homology drops, lower washing temperatures must be used. In general one starts at 37° to 40°C, raising the temperature in 3° to 5°C intervals until background is low enough not to be a major factor in the autoradiography. The length of the probe is also important. Very short probes (5 × 10^7 cpm/µg and an overnight hybridization reaction with a 1-kb unique sequence probe, hybridizing bacterial colonies or bacteriophage plaques can be visualized after a 1 to 18 hr exposure.
Time Considerations
Generally hybridizations are carried out overnight for 12 to 16 hr. This is sufficient for most probes and blots. However, with probes of increasing complexity, longer hybridization times are required. This is preferable to increasing the probe concentration from experiment to experiment. Autoradiography requires 1 to 18 hr.
Literature Cited
Benton, W.D. and Davis, R.W. 1977. Screening λgt recombinant clones by hybridization to single plaques in situ. Science 196:180.
Botchan, M., Topp, W., and Sambrook, J. 1976. The arrangement of simian virus 40 sequences in the DNA of transformed cells. Cell 9:269-287.
Church, G. and Gilbert, W. 1984. Genomic sequencing. Proc. Natl. Acad. Sci. U.S.A. 81:1991-1995.
Denhardt, D. 1966. A membrane filter technique for the detection of complementary DNA. Biochem. Biophys. Res. Commun. 23:641-646.
Gillespie, D. and Spiegelman, S. 1965. A quantitative assay for DNA–RNA hybrids with DNA immobilized on a membrane. J. Mol. Biol. 12:829-842.
Grunstein, M. and Hogness, D. 1975. Colony hybridization: A method for the isolation of cloned DNAs that contain a specific gene. Proc. Natl. Acad. Sci. U.S.A. 72:3961.
Jeffreys, A.J. and Flavell, R.J. 1977. A physical map of the DNA region flanking the rabbit β globin gene. Cell 12:429-439.
Southern, E.M. 1975. Detection of specific sequences among DNA fragments separated by gel electrophoresis. J. Mol. Biol. 98:503-517.
Contributed by William M. Strauss Harvard Medical School Boston, Massachusetts
UNIT 6.4
Using Synthetic Oligonucleotides as Probes
The protocols in this unit describe procedures for using mixtures of 32P-labeled oligonucleotides to screen recombinant DNA clones bound to nitrocellulose filters. A partial amino acid sequence of a protein is used to predict the nucleotide sequence of the gene that would encode it. A mixture of oligonucleotides is chosen that includes all possible nucleotide sequences encoding that amino acid sequence. This mixture of oligonucleotides is then used to screen a recombinant DNA library for the corresponding clones. In some cases, however, the exact nucleotide sequence of a desired clone is known and it is possible to use a unique oligonucleotide as a probe.
BASIC PROTOCOL
HYBRIDIZATION IN SODIUM CHLORIDE/SODIUM CITRATE (SSC)
This procedure outlines the steps necessary to screen nitrocellulose filters bearing DNA from bacteriophage or plasmids with mixtures of synthetic oligonucleotide probes. Hybridization and washing steps are carried out in solutions containing SSC. The washing temperature that produces the lowest background is determined empirically.

Materials
Membrane filters bearing plasmid, bacteriophage, or cosmid libraries (UNITS 6.1 & 6.2)
3× SSC/0.1% SDS
Prehybridization solution
SSC hybridization solution
6× SSC/0.05% sodium pyrophosphate, prewarmed to wash temperature
Filter forceps (e.g., American Scientific Products #2568-1)
Sealable bags (or equivalent)
Additional reagents and equipment for autoradiography (APPENDIX 3)

Prehybridize the filters
1. Prepare duplicate nitrocellulose filters of bacterial colonies or bacteriophage plaques. These should be processed and baked as described in UNITS 6.1 and 6.2. Although some authors recommend wiping the wet filters prior to baking to remove bacterial debris, we do not advise this procedure because the hybridization signal may be reduced. Filter forceps (i.e., without serrated tips) should be used to handle membrane filters to prevent marring the surface.
2. Wash the filters 3 to 5 times in 3× SSC/0.1% SDS at room temperature; about 50 82-mm filters can be washed in 500 ml. Then wash them once in the same solution at 65°C for at least 1.5 hr or overnight. This step removes much of the bacterial debris from the filters.
3. Remove filters from 3× SSC/0.1% SDS and prehybridize them 1 hr at 37°C in prehybridization solution. Herring sperm DNA in the prehybridization solution blocks nonspecific binding of probe to the filters and thus decreases the background level of radioactivity.
Hybridize oligonucleotides to the filters
4. Remove filters from the prehybridization solution and put them into sealable bags containing SSC hybridization solution. Place up to 20 filters and ≥20 ml SSC hybridization solution into each bag. Add 0.125 to 1.0 ng of each 32P-labeled oligonucleotide per ml of hybridization solution to each bag. The mixed oligonucleotide probe is end-labeled with 32P as described in the support protocol. For example, to 20 ml of hybridization solution that will contain a mixture of 128 17-base oligonucleotides, add 320 ng (0.125 ng/ml × 128 oligonucleotides × 20 ml) of labeled probe. Hybridize filters 14 to 48 hr at the temperature indicated below:
14-base oligonucleotide    room temperature
17-base oligonucleotide    37°C
20-base oligonucleotide    42°C
23-base oligonucleotide    48°C

Contributed by Allan Duby, Kenneth A. Jacobs, and Anthony Celeste. Current Protocols in Molecular Biology (1993) 6.4.1-6.4.10. Copyright © 2000 by John Wiley & Sons, Inc.
For bacterial colonies, adding much more than 0.125 ng of each oligonucleotide probe per ml of hybridization solution significantly increases the background on the autoradiogram. For bacteriophage plaques, there is less DNA per plaque than in a bacterial colony; as high backgrounds are not a problem with filters bearing bacteriophage plaques, more probe should be added to the hybridization mixture.
5. Remove filters from the hybridization bag and wash filters for 5 to 15 min, 3 to 5 times, in 6× SSC/0.05% pyrophosphate at room temperature. It is important that the filters are well separated from each other and that the solution is occasionally or continuously gently agitated.
Wash the filters
6. Wash filters for 30 min in prewarmed 6× SSC/0.05% sodium pyrophosphate at the temperature indicated below:
14-base oligonucleotide    37°C
17-base oligonucleotide    48°C
20-base oligonucleotide    55°C
23-base oligonucleotide    60°C
Adjust the temperature of 6× SSC/0.05% pyrophosphate and filters. Measure the temperature of the filters and surrounding solution by putting the thermometer into the solution, not into the water bath. Make sure the filters are separated and are occasionally or continuously gently agitated.
7. Examine the filters with a Geiger counter; they should not exhibit above-background radioactivity. If the filters still show a significant degree of radioactivity above background, increase the temperature by 2° to 3°C for 15 to 30 min and reexamine the filters with the Geiger counter. Do not exceed the following temperatures:
14-base oligonucleotide    41°C
17-base oligonucleotide    53°C
20-base oligonucleotide    63°C
23-base oligonucleotide    70°C
The background level of bound radioactivity depends upon the amount of bacterial debris left on the filters, the amount of labeled oligonucleotides added to the hybridization mixture, and the guanosine-cytosine (G-C) content of the oligonucleotide mixture.
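As an added worked example (not part of the original unit), the Python script below back-translates a peptide into the degenerate mixture described in step 4, applies the 0.125 ng/ml-per-oligonucleotide rule to obtain the probe mass, and looks up the hybridization, wash, and maximum wash temperatures tabulated in steps 4, 6, and 7. The peptide GCDFHS is a constructed input chosen to give a 128-member 17-base mixture like the one in the text, and the function names are this example's own.

```python
"""Worked example: peptide -> degenerate oligonucleotide mixture -> probe amount.

Constructed example for the SSC protocol above; not part of the original unit.
The peptide GCDFHS is an assumption chosen to yield 128 distinct 17-mers.
"""
from itertools import product
from typing import Dict, List, Optional

# Standard genetic code as DNA codons, keyed by one-letter amino acid code.
CODONS: Dict[str, List[str]] = {
    "A": ["GCT", "GCC", "GCA", "GCG"],
    "R": ["CGT", "CGC", "CGA", "CGG", "AGA", "AGG"],
    "N": ["AAT", "AAC"],
    "D": ["GAT", "GAC"],
    "C": ["TGT", "TGC"],
    "Q": ["CAA", "CAG"],
    "E": ["GAA", "GAG"],
    "G": ["GGT", "GGC", "GGA", "GGG"],
    "H": ["CAT", "CAC"],
    "I": ["ATT", "ATC", "ATA"],
    "L": ["TTA", "TTG", "CTT", "CTC", "CTA", "CTG"],
    "K": ["AAA", "AAG"],
    "M": ["ATG"],
    "F": ["TTT", "TTC"],
    "P": ["CCT", "CCC", "CCA", "CCG"],
    "S": ["TCT", "TCC", "TCA", "TCG", "AGT", "AGC"],
    "T": ["ACT", "ACC", "ACA", "ACG"],
    "W": ["TGG"],
    "Y": ["TAT", "TAC"],
    "V": ["GTT", "GTC", "GTA", "GTG"],
}

# Hybridization, wash, and maximum wash temperatures (degrees C) by oligonucleotide
# length, as tabulated in steps 4, 6, and 7 of the SSC protocol; None = room temperature.
SSC_CONDITIONS: Dict[int, Dict[str, Optional[int]]] = {
    14: {"hybridize": None, "wash": 37, "wash_max": 41},
    17: {"hybridize": 37, "wash": 48, "wash_max": 53},
    20: {"hybridize": 42, "wash": 55, "wash_max": 63},
    23: {"hybridize": 48, "wash": 60, "wash_max": 70},
}

# Per-oligonucleotide probe concentration recommended for bacterial colonies (step 4).
NG_PER_ML_PER_OLIGO = 0.125


def back_translate(peptide: str, length: int) -> List[str]:
    """Every DNA sequence of `length` bases that can encode the N-terminal end of `peptide`.

    A trailing partial codon contributes only its distinct prefixes, so the mixture
    holds no redundant sequences (e.g. Ser contributes just TC and AG for two bases).
    """
    if length > 3 * len(peptide):
        raise ValueError("peptide is too short for the requested oligonucleotide length")
    choices: List[List[str]] = []
    remaining = length
    for aa in peptide.upper():
        if remaining == 0:
            break
        take = min(3, remaining)
        # Distinct codon prefixes for this residue, sorted so output order is stable.
        choices.append(sorted({codon[:take] for codon in CODONS[aa]}))
        remaining -= take
    return ["".join(parts) for parts in product(*choices)]


def probe_mass_ng(n_oligos: int, volume_ml: float,
                  ng_per_ml: float = NG_PER_ML_PER_OLIGO) -> float:
    """Total labeled probe per bag: ng/ml per oligonucleotide x mixture size x volume."""
    return ng_per_ml * n_oligos * volume_ml


def design_probe(peptide: str, length: int, volume_ml: float) -> dict:
    """Summarize mixture size, probe mass, and tabulated temperatures for one bag."""
    if length not in SSC_CONDITIONS:
        raise ValueError(f"no tabulated SSC conditions for {length}-base oligonucleotides")
    mixture = back_translate(peptide, length)
    return {
        "peptide": peptide.upper(),
        "length": length,
        "degeneracy": len(mixture),
        "probe_ng": probe_mass_ng(len(mixture), volume_ml),
        **SSC_CONDITIONS[length],
    }


if __name__ == "__main__":
    # Constructed peptide; 20 ml bag as in the step 4 example.
    for key, value in design_probe("GCDFHS", 17, 20.0).items():
        print(f"{key:>10}: {value}")
```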
Perform autoradiography
8. When the filters exhibit a low level of radioactivity or the maximum temperatures referred to in step 7 have been reached, the filters should be removed from the wash solution and mounted wet on a solid support before exposure at −70°C to X-ray film, using an intensifying screen. Cover filters with plastic wrap. Do not allow the filters to dry out. Allow films to expose for 14 to 72 hr. Autoradiograms made from filters with a high background may still yield interpretable results.
9. Develop the films; if a high background prevents proper interpretation of the films, rewash the filters at a higher temperature.
10. Number and mark the orientation of the films as described in UNIT 6.3. Spots that appear in precisely the same place on duplicate filters are “positives” (winners) and should be processed as described in UNIT 6.5. It is impossible to identify the characteristics of a true positive spot. Only colonies or plaques that produce evidence of hybridization on both filter copies should be processed as described below. Note that the intensity of the spot can vary dramatically between the duplicate filters. If a clear-cut spot appears on one filter and only a darkening of the background appears on the other, this should be considered positive and the plate should be processed as described in UNIT 6.5. Note that if two different oligonucleotide mixtures representing two different parts of the protein are available, either the positives obtained with one probe can then be hybridized with the other probe or four filter copies of the library can be made and hybridized to the two probes. Of course, depending on how far apart the sequences that hybridize to the two probes are, it is possible that neither will be present on a less than full-length cDNA clone.

BASIC PROTOCOL
HYBRIDIZATION IN TETRAMETHYLAMMONIUM CHLORIDE (TMAC)
This procedure is similar to the SSC protocol except that hybridization and washing are performed in solutions containing TMAC. In TMAC, the melting temperature of an oligonucleotide is a function of length and is independent of base composition; thus, spurious hybridization due to high G-C content of some of the oligonucleotides is reduced. Conditions are described for using 17-base oligonucleotides, but information is provided for determining the conditions when oligonucleotides of various lengths are employed.

Materials
Nitrocellulose or nylon membrane filters bearing plasmid, bacteriophage, or cosmid libraries (UNITS 6.1 and 6.2)
150-mm LB agarose plates (UNIT 1.1), prewarmed to 37°C
2× SSC/0.5% SDS/50 mM EDTA, pH 8.0, prewarmed to 50°C
TMAC hybridization solution, prewarmed to hybridization temperature
TMAC wash solution
2× SSC/0.1% SDS
15-cm glass crystallizing dishes
Filter forceps (e.g., American Scientific Products #2568-1)
Additional reagents and equipment for autoradiography (APPENDIX 3)

Process and prehybridize the filters
1. Process filters bearing bacterial colonies as described in UNIT 6.2. Produce filters bearing amplified bacteriophage plaques as follows:
a. Plate the bacteriophage from the library on LB agarose plates and transfer to nitrocellulose filters as described in UNIT 6.1, steps 1 to 7. To obtain maximum sensitivity with oligonucleotide probes when the amplification procedure is used, plating density should be reduced to 8,000 to 10,000 plaques per 150-mm plate.
Either nitrocellulose or nylon (Colony/Plaque Screen Filters by New England Nuclear) filters can be used in this procedure. Nitrocellulose filters become fragile when hybridized in TMAC and must be handled very carefully. If this becomes a problem and nylon filters are substituted, the phage plaques must be amplified overnight. The rest of the protocol is unchanged.
b. Amplify the bacteriophage by transferring the wet filter to a prewarmed (37°C) LB agarose plate so that the surface bearing the bacteriophage is faceup. Refrigerate the master plates upon which the recombinant phage library were plated to prevent any further plaque expansion.
c. Incubate the plates at 37°C until the bacterial lawn re-forms on the surface of the nitrocellulose and plaques are evident. Plaque size will be somewhat larger than those on the original plate. This usually requires a 5- to 12-hr incubation period. Longer periods of growth will produce a dense bacterial lawn without significantly increasing plaque size or affecting hybridization signal. Bacteriophage that produce small plaques (e.g., EMBL) are usually plated in the evening and allowed to grow overnight. The plaques are transferred to nitrocellulose filters the following morning and the phage are amplified on the filters by incubation for 5 to 7 hr during the day. Phage that produce large plaques (e.g., λgt10) are plated early in the morning, allowed to grow 5 to 7 hr, transferred to nitrocellulose filters (steps 6 and 7 of UNIT 6.1), transferred to fresh plates, and then incubated for amplification overnight.
d. Denature and bind the bacteriophage DNA to nitrocellulose filters as described in steps 8 to 11 of UNIT 6.1.
2. Wash filters bearing bacterial colonies as described in step 1 of the SSC protocol. Wet bacteriophage-bearing filters in a prewarmed (50°C) solution of 2× SSC/0.5% SDS/50 mM EDTA (pH 8.0). Float the filters on top of the solution (with the surface containing the dried bacteria and plaques faceup) to allow the nitrocellulose to wet completely. Submerge the filters and, with a gloved hand, gently rub the surface of the filters to remove the dried bacterial debris. Transfer the filters to a container of fresh solution of 2× SSC/0.5% SDS/50 mM EDTA to remove bacterial debris. Alternatively, the filters can be incubated in this solution at 65°C for one to several hours and then scrubbed. Inadequate scrubbing of the filters results in an increase of nonspecific background hybridization, obscuring positive hybridization signals in the subsequent screening procedure.
3. Transfer the filters to a 15-cm glass crystallizing dish containing 5 to 10 ml TMAC hybridization solution (per filter), which has been prewarmed to the appropriate hybridization temperature (48°C for 17-mer oligonucleotides; see Fig. 6.4.1 and commentary for other oligonucleotides) and seal the dishes with plastic wrap and rubberbands. Prehybridize 1 to 2 hr at the hybridization temperature, which is 5° to 10°C below the melting temperature. Prehybridization and hybridization can be performed in glass crystallizing dishes that are slightly larger in diameter than the nitrocellulose filters. Gentle agitation on an orbital platform shaker will allow the solution to pass freely between the stacked filters and prevent the filters from sticking together. Place no more than 25 to 30 filters in each dish. Alternatively, prehybridization and hybridization can be performed in a sealable bag (see SSC protocol) with 7000 Ci/mmol)
25 to 50 U T4 polynucleotide kinase (UNIT 3.10) and 10× kinase buffer (UNIT 3.4)
Ice-cold 10% trichloroacetic acid (TCA)

1. Set up reaction mixture on ice in microcentrifuge tube as follows:
2.5 to 250 pmol mixed oligonucleotides
7.5 µl 10× T4 polynucleotide kinase buffer
66 pmol [γ-32P]ATP (200 µCi)
25 to 50 U T4 polynucleotide kinase
H2O to 75 µl
Incubate 30 min at 37°C. The reaction mixture should have either equimolar amounts of label and oligonucleotide ends, or the label should be in molar excess.
1 mol deoxyribonucleotide ≅ 330 g
1 OD260 ≅ 40 µg/ml oligonucleotide
1 µg 14-base oligonucleotide ≅ 0.24 nmol
1 µg 17-base oligonucleotide ≅ 0.18 nmol
1 µg 20-base oligonucleotide ≅ 0.15 nmol
2. At the end of the reaction, check for incorporation of label by precipitating 1 µl of a diluted aliquot with ice-cold 10% TCA (acid precipitation, UNIT 3.4) and counting the incorporated radioactivity. Using equimolar amounts of oligonucleotide and label, ∼30% to 90% of the counts are incorporated. The labeled oligonucleotide can be further purified by a combination of phenol extraction and/or ethanol precipitation (UNIT 2.1). To remove unincorporated label, oligonucleotides of 17 bases or longer can be quantitatively precipitated from a solution of 2.5 M ammonium acetate containing 25 µg carrier DNA plus 9 vol of 100% ethanol. The resulting pellets are washed with 70% ethanol, followed by 95% ethanol, air dried, and resuspended in 100 µl TE buffer.
3. Store mixture in appropriate container at −20°C.

REAGENTS AND SOLUTIONS

Prehybridization solution
6× SSC (APPENDIX 2)
5× Denhardt's solution (APPENDIX 2)
0.05% sodium pyrophosphate
100 µg/ml boiled herring sperm DNA
0.5% sodium dodecyl sulfate (SDS)

SSC hybridization solution
6× SSC (APPENDIX 2)
1× Denhardt's solution (APPENDIX 2)
100 µg/ml yeast tRNA
0.05% sodium pyrophosphate

TMAC hybridization solution
3 M tetramethylammonium chloride (see recipe below for stock solution)
0.1 M NaPO4, pH 6.8
1 mM EDTA, pH 8.0
5× Denhardt's solution (APPENDIX 2)
0.6% SDS
100 µg/ml denatured salmon sperm DNA

TMAC wash solution
3 M tetramethylammonium chloride (see recipe below for stock solution)
50 mM Tris⋅Cl, pH 8.0
0.2% SDS

Tetramethylammonium chloride (TMAC), 6 M stock solution
Dissolve 657.6 g TMAC (mol wt = 109.6) in H2O and bring to 1 liter. Filter the solution through Whatman No. 1 filter paper and determine the precise concentration of the solution by measuring the refractive index (n) of a 3-fold diluted solution. The molarity (M) of the diluted solution = 55.6(n − 1.331) and the molarity of the stock solution = 3 × M. TMAC can be stored at room temperature in brown bottles.
CAUTION: TMAC can irritate eyes, skin, and mucous membranes. It should be used with adequate ventilation in a fume hood. Used TMAC solutions should be collected and discarded as hazardous and/or radioactive waste. Small amounts (1 Mb have been produced and these are routinely propagated with apparent stability, suggesting that the major limitation to the size of YAC inserts is the quality of the starting genomic DNA. Large “core” laboratories that generate human YAC libraries— such as the Center for Genetics in Medicine, Washington University School of Medicine, St. Louis; the Centre d’Etude du Polymorphisme Humain (CEPH), Paris; and the Genome Analysis Laboratory, Imperial Cancer Research Fund, London—prepare human YACs with average insert sizes ranging from 0.3 to 1.2 Mb. Additional high-quality YAC libraries have been constructed using inserts from Drosophila melanogaster, Caenorhabditis elegans, Schizosaccharomyces pombe, and mouse (Burke et al., 1991; Rossi et al., 1992).
Anecdotal reports indicate that YAC libraries may support the propagation of certain insert sequences that are poorly represented in Escherichia coli–based libraries. The YAC cloning system also offers the advantage that large genomic YAC inserts can be easily manipulated in yeast by homologous recombination. Thus, it is relatively simple to truncate a YAC insert or to introduce specific deletions, insertions, or point mutations with high efficiency using methods such as those described in UNIT 13.10.

This unit provides an introduction to the use of yeast artificial chromosome–bearing yeast clones (hereafter referred to as YAC clones) in genome analysis. It describes criteria for designing a polymerase chain reaction (PCR) assay to be used in screening a YAC core library and discusses the rationale for verification and characterization of YAC clones obtained from these core laboratories. Protocols for maintaining YAC clones, analyzing YAC insert structure, preparing YAC DNA, and subcloning YAC inserts into other vectors are presented in UNIT 6.10. These protocols are outlined in the flow chart in Figure 6.9.1.
GENERATING YAC LIBRARIES
Although YAC cloning is the method of choice when insert sizes >100 kb are required, a number of features of the system have interfered with its rapid assimilation for routine cloning. Because the S. cerevisiae genome is at least an order of magnitude more complex than the E. coli genome and existing YACs are carried as only a single copy within yeast cells, the signal-to-noise ratio is less favorable for identifying a cognate clone in a YAC library than in a λ or cosmid library. Moreover, efforts to develop high-density screening methods for YACs have enjoyed only limited success. Most laboratories that maintain YAC libraries organize them as collections of individual clones in 96-well microtiter plates, which can be replicated faithfully and kept frozen for storage; in this form, a standard library representing 5 to 8 genome-equivalents comprises more than 500 microtiter plates. As a result, the effort and resources required to construct YAC libraries and prepare them for screening are enormous. Consequently, it is generally most practical for investigators wishing to obtain YACs carrying a specific DNA sequence to arrange for screening of a preexisting library maintained by a core laboratory.

Initially, YAC libraries were constructed with total genomic DNA (Burke et al., 1987). More recently, there has been interest in generating libraries from targeted DNA using somatic cell hybrids carrying a specific chromosome or portion of a chromosome. The feasibility of this approach has been demonstrated with the construction of a library carrying a portion of the human X chromosome (Abidi et al., 1990). Additional targeted libraries are in the late stages of development and should reduce the cost and effort of screening for loci whose chromosomal location has been established.

Contributed by David D. Chaplin and Bernard H. Brownstein. Current Protocols in Molecular Biology (1992) 6.9.1-6.9.7. Copyright © 2000 by John Wiley & Sons, Inc.
Screening of Recombinant DNA Libraries
YAC LIBRARY SCREENING BY A CORE LABORATORY
Methods used by YAC core laboratories for library screening evolve rapidly. It is possible to screen a library by hybridizing a single-copy probe to nylon filters stamped with a replica of one or more microtiter arrays. However, because of the low signal-to-noise ratio for hybridization and the substantial cost of producing all of the nylon filter replicas, most laboratories screen libraries by PCR (Green and Olson, 1990). At the time of this writing, most core facilities first extract DNA from pools of clones, usually representing 1 to 4 microtiter plates (96 to 384 YACs) per pool, and then combine this pooled DNA into larger superpools of 1500 to 2000 YACs. The pools and superpools are screened by PCR to identify candidate microtiter plates containing at least one amplifying YAC clone. Final identification of the clone is most commonly performed either by colony hybridization using the PCR product as the probe or by PCR screening of pools of rows and columns from the same microtiter plate. The time required for a YAC core laboratory to verify the specificity and parameters of the PCR assay and screen complex clone pools and subpools is usually 3 to 8 weeks. As an example, the screening strategy used by one major core laboratory is described in the accompanying box. This procedure may change as technology advances; for instance, the recent advent of techniques providing reliable DNA extraction from small quantities of thousands of individual clones has made it feasible to screen individual wells on a plate and eliminate the laborious filter-hybridization step.

EXAMPLE: SCREENING OF HUMAN-GENOME YAC LIBRARY AT THE WASHINGTON UNIVERSITY SCHOOL OF MEDICINE
At this core facility, screening of the human-genome YAC library proceeds in three stages: (1) initial evaluation of the PCR assay; (2) screening of pools of YACs; and (3) identification of individual YACs from subpools to the single well by filter hybridization. To permit pretesting of assays before they are sent to a screening core, new PCR assays are evaluated using four control DNA samples as templates: (1) CGM-1 human genomic DNA (33 ng/µl) from a lymphoblastoid cell line established from the donor whose DNA was used in preparing the YAC library; (2) YY212 DNA from a yeast strain carrying a YAC whose insert is yeast chromosomal DNA; (3) “single-membrane-pool” DNA (33 ng/µl) prepared from a pool of 396 YAC isolates; and (4) “spiked-pool” DNA, which is single-membrane-pool DNA augmented with 5 ng/µl of CGM-1 DNA.
CGM-1 DNA serves as a positive control to demonstrate that the sensitivity of the PCR assay is adequate. YY212 DNA serves as a negative control, demonstrating that no product is amplified from either yeast host genomic DNA or the YAC vector. DNA from the single-membrane pool and the spiked pool provide additional negative/positive controls that more closely mimic library screening conditions. A negative signal from single-membrane-pool DNA demonstrates lack of cross-reactivity of the probe with the YAC vector, yeast genomic DNA, or common human repetitive sequences. A positive signal obtained from the spiked-pool DNA (containing only 5 ng/µl of CGM-1 DNA) is a strong indication that the assay possesses sufficient sensitivity against a yeast DNA background for successful library screening.

DESIGNING A LOCUS-SPECIFIC PCR ASSAY FOR SCREENING
An investigator arranging with a core laboratory for library screening is required to design a strategy for detecting the inserted genomic DNA and to provide the appropriate probe(s). It is worth investing considerable effort to create a convenient and reliable assay, because the assay’s success depends on its ability to detect the target sequence with high sensitivity while being insensitive to the presence of large excesses of yeast and plasmid sequences. Because a core laboratory must adopt PCR assays that have been imported from outside laboratories, it is a good idea to inquire in advance about the protocols preferred by the specific core facility that will be performing the screening. In general, any highly specific, sensitive, and robust PCR assay is suitable for screening a YAC library (see Chapter 15). Typically, two 18- to 30-mer oligonucleotide primers for use in amplifying a single-copy 75- to 750-bp product are satisfactory. Such primers define a landmark for genome mapping called an STS (sequence-tagged site; see introduction to Chapter 7 and Olson et al., 1989). When designing a PCR assay from scratch, it is useful to consider the following:

Fragment size
The STS should be 75 to 750 bp in length. Fragments in this range are most efficiently amplified by PCR and are easily detected by either polyacrylamide (UNIT 2.7) or standard agarose (UNIT 2.5A) gel electrophoresis.

Primer length
Each primer should ideally be 18 to 30 nucleotides long, be composed of 50% to 55% G + C, and be contained within a single-copy human-genomic-DNA segment. This ensures efficient priming and decreases the probability of false priming, enhancing the sensitivity and specificity of the assay. It also permits the amplified fragment to be used as a hybridization probe in the final hybridization-dependent steps of library screening (see below). If it is not possible to amplify a single-copy fragment, then some other single-copy probe (e.g., a synthetic oligonucleotide 30 nucleotides long) should also be prepared. Oligonucleotide design strategies are discussed further in UNITS 2.11 & 15.1.

Primer affinity
Primers should show little affinity for self-annealing or for annealing with each other. This prevents the production of small, template-independent PCR products that compete for primers in the reaction. A number of academic and commercial DOS-based and Macintosh software programs permit rapid selection of non-self-annealing primers from within a known DNA sequence (e.g., Oligo 4.0, National Biosciences; Primer, S. Lincoln and M. Daly, Whitehead Institute for Biomedical Research, Cambridge, Mass.; and OSP, Hillier and Green, 1991; see UNIT 7.7). Although the use of these programs cannot remove all the uncertainty associated with designing a new PCR assay, it does help eliminate some of the most trivial causes of assay failure.

Figure 6.9.1 Flow chart showing protocols used to obtain and analyze YAC clones. The steps shown are:
design a PCR assay for identifying the YAC clone of interest from a genomic YAC library (UNIT 6.9)
obtain the isolated YAC clone from the core facility (UNIT 6.9)
validate the identity of the YAC using PCR (UNITS 6.9 & 15.2)
grow and store the YAC clone (UNIT 6.10, first basic protocol)
prepare DNA from the isolated YAC clone and analyze by Southern blotting (UNIT 6.10, second basic protocol, and UNIT 2.9)
analyze the isolated YAC clone for chimerism using PCR (UNIT 6.10, fourth basic protocol)
prepare DNA from the isolated YAC clone in agarose plugs and analyze by PFGE (UNIT 6.10, third basic protocol, and UNIT 2.5B)
analyze the isolated YAC clone for chimerism by subcloning in a bacterial vector (UNIT 6.10, alternate and support protocols)
for high-resolution analysis (optional), prepare high-molecular-weight YAC-containing DNA (UNIT 6.10, fifth basic protocol)
subclone high-molecular-weight YAC-containing DNA into a cosmid or λ vector (UNIT 6.10, sixth basic protocol)

ANALYZING INDIVIDUAL YAC CLONES
Once library screening has been successfully completed and the isolated YAC clone has been furnished to the investigator, attention should be directed to analyzing its structure. Initial studies should focus on determining whether the genomic insert is chimeric, checking for evidence of rearrangement within the insert, and verifying that the YAC is propagated in stable fashion in the yeast cell (see below). Simply analyzing several isolates of the same YAC in parallel may provide a means of recognizing instability, as each isolate serves as a control for the others. The following sections give an overview of strategies for analyzing YAC clones; specific protocols are given in UNIT 6.10.

Chimerism of the YAC Insert
A consistent problem in YAC cloning is chimerism of the YAC insert, i.e., an insert composed of two or more separate genomic fragments joined in a single YAC. The mechanism(s) giving rise to chimeric YAC clones are currently not fully understood (Green et al., 1991). In most existing total genomic YAC libraries, chimeric clones represent from 5% to 50% of the total clones. Preliminary data suggest that targeted, chromosome-specific libraries may contain only 5% to 15% chimeric clones. Although future generations of YAC libraries are likely to contain lower frequencies of chimeric clones, chimerism will probably remain a significant problem requiring assessment for every new YAC clone being analyzed.

The most reliable way to determine if a YAC insert is chimeric is to isolate a small fragment from each end of the insert and determine its chromosome of origin and whether it shares sequences with overlapping YACs derived from the same chromosomal region. Many approaches have been suggested for isolating such YAC genomic insert end fragments, all of them relying upon the fact that end fragments are marked by their adjacent YAC vector sequences. Thus, it is possible to determine whether a YAC insert is chimeric by preparing probes from the two YAC vector arms and using these to demonstrate that both ends of the YAC map to the same general chromosomal region. This is generally done using hybridization or PCR analysis of a somatic hybrid cell line containing the appropriate human chromosome (or preferably a fragment thereof) as its sole human DNA. The appropriate end-fragment probes may be produced in several ways, two of which are presented in UNIT 6.10.

The most rapid and versatile approaches to producing end-fragment probes use PCR amplification (Riley et al., 1990; Green, 1992). The template is a restriction fragment produced by cutting the YAC DNA at sites near the two ends of the genomic insert. The YAC DNA is digested with a frequently cutting restriction endonuclease to produce a collection of small restriction fragments. One of the fragments contains the distal portion of the YAC insert still associated with a portion of the left vector arm, while another contains the other end of the insert associated with a portion of the right vector arm (the arm of the YAC vector containing the yeast centromere is arbitrarily designated the left vector arm and the arm containing the URA3 selection marker is arbitrarily designated the right vector arm). These fragments are prepared for PCR amplification by ligation of a synthetic double-stranded DNA tag to both ends. This tag contains a 29-nucleotide “bubble” of noncomplementary sequence flanked by two 12-nucleotide complementary sequences (Fig. 6.10.2). The two YAC-insert end fragments can then be selectively amplified using one PCR primer derived from the YAC vector and one primer with the sequence of the noncomplementary portion of the bubble. These methods are generally favored because of their speed, but they depend on the fortuitous placement of restriction sites close enough to the ends of the genomic insert that a fragment suitably sized for PCR amplification can be generated. Moreover, if highly repetitive sequences are present at the distal portions of the insert, the PCR method may fail to generate useful information.
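The two screening ideas above, the design rules for an STS assay (primer length, G + C content, self-annealing, a single 75- to 750-bp product) and the hierarchical pooling used by core laboratories (superpools, plate pools, then row and column pools), are worked through in Python below as an added illustration. This is not code from the unit or from any core facility; the primer sequences, the template, the 4-bp annealing cut-off, the library size, and the tier sizes (16 plates per superpool, 4 plates per pool, 96-well plates) are constructed assumptions chosen to sit inside the ranges the text gives, and priming is modelled as exact sequence match only.

```python
"""Added illustration (not from the protocol): check a candidate STS primer pair against
the design rules in the text, then simulate hierarchical PCR pool screening of a YAC
library. All sequences, pool sizes and the annealing cut-off are constructed/assumed."""
import random

_COMP = str.maketrans("ACGT", "TGCA")


def revcomp(seq):
    return seq.translate(_COMP)[::-1]


def gc_fraction(seq):
    return (seq.count("G") + seq.count("C")) / len(seq)


def max_pairing_run(a, b):
    """Longest run of contiguous Watson-Crick pairs between strands a and b held
    antiparallel: a crude self-annealing / primer-dimer score."""
    rc, best = revcomp(b), 0
    for offset in range(1 - len(rc), len(a)):
        run = 0
        for i, base in enumerate(a):
            j = i - offset
            if 0 <= j < len(rc) and base == rc[j]:
                run += 1
                best = max(best, run)
            else:
                run = 0
    return best


def pcr_products(fwd, rev, template):
    """Sizes of products the pair gives on template (exact-match priming only): each
    forward site paired with the nearest downstream reverse-primer site."""
    rc_rev, sizes = revcomp(rev), []
    start = template.find(fwd)
    while start != -1:
        end = template.find(rc_rev, start + len(fwd))
        if end != -1:
            sizes.append(end + len(rc_rev) - start)
        start = template.find(fwd, start + 1)
    return sizes


def check_sts_assay(fwd, rev, template, max_pair_run=4):
    """Rule violations for a candidate assay (empty list = passes). Length, G+C and
    product-size limits come from the text; max_pair_run is an assumed cut-off."""
    problems = []
    for name, p in (("forward", fwd), ("reverse", rev)):
        if not 18 <= len(p) <= 30:
            problems.append(f"{name} primer is {len(p)} nt; want 18-30")
        gc = gc_fraction(p)
        if not 0.50 <= gc <= 0.55:
            problems.append(f"{name} primer G+C is {gc:.0%}; want 50-55%")
        if max_pairing_run(p, p) > max_pair_run:
            problems.append(f"{name} primer self-anneals")
    if max_pairing_run(fwd, rev) > max_pair_run:
        problems.append("primers anneal to each other (primer-dimer risk)")
    sizes = pcr_products(fwd, rev, template)
    if len(sizes) != 1:
        problems.append(f"expected a single product, found {len(sizes)}")
    elif not 75 <= sizes[0] <= 750:
        problems.append(f"product is {sizes[0]} bp; want 75-750")
    return problems


# Constructed STS: two 20-mers at 50% G+C flanking 210 bp of filler -> 250-bp product.
FWD = "AGCAGCAAGCAAGCAGCAAA"
REV = "AAGCAGCAAGAAGCAGCAAG"
_rng = random.Random(7)
TEMPLATE = ("".join(_rng.choices("ACGT", k=80)) + FWD
            + "".join(_rng.choices("ACGT", k=210)) + revcomp(REV)
            + "".join(_rng.choices("ACGT", k=80)))

ROWS, COLS = "ABCDEFGH", tuple(range(1, 13))


def build_library(n_plates, target, target_seq, rng):
    """Constructed library: 96 random 'inserts' per plate; one well carries the STS."""
    lib = {(p, r, c): "".join(rng.choices("ACGT", k=60))
           for p in range(n_plates) for r in ROWS for c in COLS}
    lib[target] = target_seq
    return lib


def screen_library(lib, fwd, rev, n_plates, tiers=(16, 4, 1)):
    """Superpools (16 plates ~ 1536 YACs) -> pools (4 plates) -> single plates -> row
    and column pools, one PCR per pool. Returns candidate wells and reactions used."""
    reactions = 0

    def assay(keys):
        nonlocal reactions
        reactions += 1
        return any(pcr_products(fwd, rev, lib[k]) for k in keys)

    def positive_plates(plates, tiers):
        if not tiers:
            return plates
        size, found = tiers[0], []
        for i in range(0, len(plates), size):
            group = plates[i:i + size]
            if assay(k for k in lib if k[0] in group):
                found += positive_plates(group, tiers[1:])
        return found

    hits = []
    for p in positive_plates(list(range(n_plates)), tiers):
        rows = [r for r in ROWS if assay((p, r, c) for c in COLS)]
        cols = [c for c in COLS if assay((p, r, c) for r in ROWS)]
        hits += [(p, r, c) for r in rows for c in cols]
    return hits, reactions


def run_demo(n_plates=32, target=(7, "C", 5)):
    lib = build_library(n_plates, target, TEMPLATE, random.Random(11))
    return screen_library(lib, FWD, REV, n_plates)


if __name__ == "__main__":
    print("assay problems:", check_sts_assay(FWD, REV, TEMPLATE) or "none")
    hits, n = run_demo()
    print(f"positive well(s) {hits} found with {n} PCRs instead of {32 * 96}")
```

Run directly, the script reports that the constructed pair passes every rule and then locates the single positive well of a 32-plate (3072-well) library with 30 reactions: two superpools, four pools, four plates, eight rows and twelve columns. The row/column stage is the PCR alternative to colony hybridization that the text mentions; a well is called positive only where a positive row and a positive column intersect, so two positives on one plate would produce four candidates that need a confirmatory PCR.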
A reliable but more time-consuming method of generating probes for end-fragment analysis is conventional subcloning of larger YAC-derived restriction fragments into plasmid or λ vectors (Bronson et al., 1991). Subcloning an end fragment several kilobases in size is time-consuming, but reliably assures identification of nonrepeated sequences for use as probes. The subcloning protocol given in UNIT 6.10 involves double-digesting the YAC DNA to enrich for end fragments in the course of subcloning the insert into a pUC19-based vector. One of two specific enzymes that cut rarely in yeast and human genomic DNA, ClaI or SalI, is included in the double digestion mixture. A ClaI recognition sequence lies in the left arm of the YAC vector, while a SalI recognition site lies in the right arm (Fig. 6.10.1). When one of these rarely cutting restriction enzymes is used together with a frequently cutting enzyme, doubly-digested fragments constitute only a small fraction of the total digested product. Ligation to a doubly-digested plasmid vector eliminates all of the singly-digested fragments, resulting in a substantial enrichment for the YAC end fragment.
Internal Rearrangement or Instability of the YAC Insert
Internal rearrangement of a YAC insert is more difficult to identify than chimerism, and may become apparent only after high-resolution analysis of the clone. Existing reports of internal rearrangement of YAC inserts are anecdotal, infrequent, and usually identify only rather large-scale changes. It is likely that subtle rearrangements will be recognized as more clones are analyzed; nevertheless, the data suggest that important rearrangements will remain relatively infrequent and will not impede most YAC cloning efforts.

Although YACs are usually stable in culture, deletion or other rearrangements of the insert may occur months after the initial isolation of a clone. Thus, it is wise to verify the size of a YAC following prolonged passage in culture or after it has been thawed from a frozen stock. Several different colonies of the same YAC strain should be analyzed in parallel, using the protocols in UNIT 6.10, to confirm that the artificial chromosome is the same size in each isolate.

Cytosine methylation, which is quite frequent in the DNA of higher eukaryotic species, does not occur in yeast (Proffitt et al., 1984), and many of the infrequently cutting restriction enzymes used to build large-scale restriction maps are blocked by methylation of their recognition sites. It is therefore not possible to compare the large-scale restriction maps of a YAC insert and of the corresponding genomic DNA from higher eukaryotic cells directly using such enzymes: a site can be cut in the unmethylated YAC and left uncut in the genomic DNA. Direct structural comparisons must instead be carried out using methylation-insensitive restriction enzymes and frequently spaced probes.

Evidence of internal rearrangement within a YAC clone can be obtained by preparing chromosomes from the clone (UNIT 6.10) and analyzing them by pulsed-field gel electrophoresis (PFGE; UNIT 2.5B). The CHEF gel system (Vollrath and Davis, 1987) is particularly useful in that it permits excellent resolution in the size range most common for individual YAC clones. Following electrophoresis, the artificial chromosome can be visualized by ethidium bromide staining as an extra chromosome not present in the host yeast strain. Occasionally the YAC is not immediately recognizable because it comigrates with one of the endogenous yeast chromosomes. As described in the third basic protocol in UNIT 6.10, the PFGE gel should therefore be Southern blotted and analyzed by successive hybridization with probes specific for the locus used in the library screening and for one or both of the YAC vector arms [e.g., for pYAC4, the 351-bp ClaI/BamHI fragment of pBR322 (left YAC arm) and the 276-bp BamHI/SalI fragment of pBR322 (right YAC arm)]. These blots should show hybridization to a single chromosome of the same size in all isolates from the same YAC strain, and no hybridization to the AB1380 host strain.
CONSTRUCTION AND ANALYSIS OF A YAC-INSERT SUBLIBRARY
Although the large genomic DNA fragments provided by the YAC cloning system are easy to manipulate, it is often convenient to reduce a YAC to smaller fragments by subcloning it into a cosmid or λ vector. In particular, such smaller fragments are more amenable to high-resolution analysis; this is important because information concerning the specific content of the YAC insert is typically limited, and often the only internal probe available is the one used for YAC library screening. Protocols for preparing YAC insert DNA and constructing a cosmid sublibrary are provided in UNIT 6.10.

Two general strategies are available for preparing YAC insert DNA in order to create a saturating collection of subclones. The more elegant strategy is to purify the artificial chromosome itself by preparative CHEF gel electrophoresis (UNIT 2.5B). This permits isolation and analysis of the resulting recombinant clones without further selection, assuming that only a small amount of contaminating yeast DNA is present in the purified YAC and that essentially all subclones isolated are therefore derived from the human YAC insert. In practice, however, it is difficult to recover sufficient quantities of purified YAC DNA to permit construction of a cosmid or λ library. An alternate approach is to prepare a library from the total DNA of the YAC-carrying yeast strain. YAC-specific subclones must then be selected by hybridization. An initial round of screening is usually performed with total human genomic DNA (rich in repetitive sequences) as the probe. This detects subclones that contain human repetitive elements and eliminates subclones consisting of yeast DNA. Additional analysis is performed to identify overlapping sequences and thereby establish an approximate map of the original YAC insert. Ultimately, one or more rounds of chromosome walking may be required to fill in gaps between contiguous groups of subclones.
Literature Cited
Abidi, F.E., Wada, M., Little, R.D., and Schlessinger, D. 1990. Yeast artificial chromosomes containing human Xq24-Xq28 DNA: Library construction and representation of probe sequences. Genomics 7:363-376.
Bronson, S.K., Pei, J., Taillon-Miller, P., Chorney, M.J., Geraghty, D.E., and Chaplin, D.D. 1991. Isolation and characterization of yeast artificial chromosome clones linking the HLA-B and HLA-C loci. Proc. Natl. Acad. Sci. U.S.A. 88:1671-1675.
Burke, D.T., Carle, G.F., and Olson, M.V. 1987. Cloning of large segments of exogenous DNA into yeast by means of artificial chromosome vectors. Science 236:806-812.
Burke, D.T., Rossi, J.M., Leung, J., Koos, D.S., and Tilghman, S.M. 1991. A mouse genomic library of yeast artificial chromosome clones. Mamm. Genome 1:65-69.
Green, E.D. and Olson, M.V. 1990. Systematic screening of yeast artificial chromosome libraries by use of the polymerase chain reaction. Proc. Natl. Acad. Sci. U.S.A. 87:1213-1217.
Green, E.D., Riethman, H.C., Dutchik, J.E., and Olson, M.V. 1991. Detection and characterization of chimeric yeast artificial-chromosome clones. Genomics 11:658-669.
Green, E.D. 1992. Physical mapping of human chromosomes: Generation of chromosome-specific sequence-tagged sites (STS). Methods Mol. Genet. In press.
Hillier, L. and Green, P. 1991. A computer program for choosing PCR and DNA sequencing primers. PCR Meth. Appl. 1:124-128.
Olson, M., Hood, L., Cantor, C., and Botstein, D. 1989. A common language for physical mapping of the human genome. Science 245:1434-1435.
Proffitt, J.H., Davie, J.R., Swinton, D., and Hattman, S. 1984. 5-Methylcytosine is not detectable in Saccharomyces cerevisiae DNA. Mol. Cell Biol. 4:985-988.
Riley, J., Butler, R., Ogilvie, D., Finniear, R., Jenner, D., Powell, S., Anand, R., Smith, J.C., and Markham, A.F. 1990. A novel, rapid method for the isolation of terminal sequences from yeast artificial chromosome (YAC) clones. Nucl. Acids Res. 18:2887-2890.
Rossi, J.M., Burke, D.T., Leung, J.C., Koos, D.S., Chen, H., and Tilghman, S.M. 1992. Genome analysis using a yeast artificial chromosome library with mouse DNA inserts. Proc. Natl. Acad. Sci. U.S.A. 89:2456-2460.
Vollrath, D. and Davis, R.W. 1987. Resolution of DNA molecules greater than 5 megabases by contour-clamped homogeneous electric fields. Nucl. Acids Res. 15:7865-7876.
Contributed by David D. Chaplin and Bernard H. Brownstein Howard Hughes Medical Institute and Washington University School of Medicine St. Louis, Missouri
Key Reference Burke, et al., 1987. See above. Initial description of the YAC cloning system, covering general features of library construction.
UNIT 6.10
Analysis of Isolated YAC Clones The preceding unit gives an overview of methods involved in screening a YAC library to isolate a particular clone of interest (UNIT 6.9), with the sequence of methods illustrated in a flow chart (Fig. 6.9.1). This unit provides a series of protocols describing the analysis and manipulation of an isolated YAC clone. The procedures are based upon the use of the YAC vector pYAC4. Once an isolated YAC clone has been obtained from a core laboratory (UNIT 6.9), the clone can be analyzed as described herein. As depicted in Figure 6.9.1, methods for analysis involve growing and storing YAC-containing yeast strains and purifying YAC DNA in a form suitable for assessing the size of the artificial chromosome and for conventional Southern blotting. Preparation of yeast chromosomes in agarose plugs for subsequent analysis by pulsed-field gel electrophoresis is also described. Additional protocols are provided for recovering DNA fragments from the ends of a YAC genomic insert to be used as probes for detecting chimerism and for chromosome walking. Finally, preparation of high-molecular-weight YAC DNA is described and a general method for subcloning YAC inserts into cosmid or λ vectors for higher-resolution analysis is provided. NOTE: All solutions, media, glassware, and plasticware coming into contact with yeast or bacterial cells must be sterile, and sterile techniques should be followed throughout.
BASIC PROTOCOL
PROPAGATION AND STORAGE OF YAC-CONTAINING YEAST STRAINS
YACs prepared using the pYAC4 vector (Figs. 6.10.1 and 13.4.6; pYAC4 contains an EcoRI site within the SUP4 gene in addition to the SnaBI site found in pYAC3, but is otherwise identical to pYAC3, carrying the selectable markers TRP1 and URA3) and the S. cerevisiae host strain AB1380 (trp1−, ura3−, ade2-1) are grown on AHC plates. They can be stored short-term on AHC plates or long-term (after growth in YPD medium) in YPD containing glycerol at −80°C.
[Figure 6.10.1 (diagram; only its labels survive here): EcoRI, HinfI and ClaI sites, CEN4, SUP4, EcoRI and HinfI sites, genomic insert, SalI site, URA3, SUP4, and primer sites 1 (HYAC-C), 2 (LS-2), 3 (RA-2), and 4 (HYAC-D).]
Figure 6.10.1 Structure of a representative pYAC4 clone at the vector/insert junction. Open boxes represent portions of the pYAC4 vector derived from yeast sequences (CEN4, the two halves of the SUP4 element, and URA3). Thin lines represent sequences derived from pBR322 and the bold line represents the YAC genomic insert fragment. Sites of annealing of the HYAC-C, LS-2, RA-2, and HYAC-D oligonucleotides are indicated by arrows 1, 2, 3, and 4, respectively. The EcoRI cloning site, the ClaI and SalI sites (used for the end-fragment subcloning alternate protocol), and the HinfI sites that are utilized in the bubble-linker end-fragment isolation protocol are indicated.
Contributed by David D. Chaplin and Bernard H. Brownstein. Current Protocols in Molecular Biology (1992) 6.10.1-6.10.19. Copyright © 2000 by John Wiley & Sons, Inc.
Materials
S. cerevisiae strain AB1380 containing pYAC4 with insert (from core facility; UNIT 6.9)
AHC plates (ura−, trp−)
YPD medium (UNIT 13.1)
80% (v/v) glycerol in YPD medium
30°C orbital shaking incubator (e.g., New Brunswick Scientific #G-24)
Cryovials
Additional reagents for preparation of yeast media (UNIT 13.1) and growth and manipulation of yeast (UNIT 13.2)

1. Streak strain AB1380 containing pYAC4 with insert onto AHC plates.
AHC medium selects for the presence of both arms of the YAC vector and thereby favors high stability of the YAC through successive passages.

2. Invert plate and incubate at 30°C until colonies are 1 to 3 mm in size.
The AB1380 strain carries the ade2-1 ochre mutation, a block in the purine biosynthetic pathway that leads to accumulation of red-hued intermediates. Because a genomic insert in the YAC interrupts the SUP4 ochre-suppressor gene in the YAC vector, the ade2-1 mutation is not suppressed and colonies will have a red pigmentation; white colonies indicate a vector without an insert.

3a. For short-term storage: Seal plates with Parafilm and store at 4°C for 4 to 6 weeks.

3b. For long-term storage: Inoculate an individual colony into 3.2 ml YPD medium and shake overnight at 30°C. Add 1 ml of 80% glycerol in YPD medium, mix thoroughly, and transfer in 0.2- to 1.0-ml aliquots to cryovials. Store at −80°C.
YPD is a nonselective medium used to favor rapid growth and high cell viability. Strains stored in this fashion are stable for ≥5 years. Before strains are used in an experiment, they should first be grown on selective medium (e.g., AHC plates) to avoid recovery of a contaminant clone or one that has lost its YAC.
BASIC PROTOCOL
PREPARATION OF YAC-CONTAINING DNA FROM YEAST CLONES FOR ANALYSIS BY SOUTHERN BLOTTING
Procedures used by core laboratories for isolating an individual clone from a YAC library ensure that the purified YAC supports amplification of an appropriately sized PCR product using the screening primer pair. However, it is best to confirm the identity of the clone by hybridization analysis. Various methods can be used to prepare DNA suitable for Southern blot analysis using frequently cutting restriction enzymes. This protocol yields substantial quantities of DNA in the size range of 50 to 200 kb; it involves growing and lysing a single red colony containing pYAC4 with the insert DNA, then obtaining the DNA from the supernatant after centrifugation and analyzing it by Southern blotting. Yeast chromosomes prepared in agarose plugs or very-high-molecular-weight DNA prepared in solution (third and fifth basic protocols) may also be used.

Materials
Single colony of S. cerevisiae AB1380 containing pYAC4 with insert (first basic protocol)
AHC medium (ura−, trp−)
SCE buffer
SCEM buffer
50 mM Tris⋅Cl (pH 7.6)/20 mM EDTA (Tris/EDTA lysis buffer)
10% (w/v) sodium dodecyl sulfate (SDS)
5 M potassium acetate, pH 4.8, ice-cold (UNIT 1.6)
95% ethanol, room temperature
TE buffer, pH 8.0 (APPENDIX 2)
1 mg/ml DNase-free RNase A (UNIT 3.13)
Isopropanol, room temperature
5 M NaCl
Total genomic DNA of the species or individual from which the library was made (e.g., UNITS 2.2, 2.3 & 5.3)
Appropriate single-copy probe designed to hybridize with the YAC insert (see UNITS 2.9 & 6.9)
Orbital shaker (e.g., New Brunswick Scientific #G-24)
50-ml conical plastic centrifuge tubes
Beckman JS-4.2 rotor or equivalent
Additional reagents and equipment for digestion of DNA with restriction endonucleases (UNIT 3.1), Southern blotting and hybridization (UNIT 2.9), and pulsed-field gel electrophoresis (UNIT 2.5B)

Culture and lyse cells from YAC clone
1. Inoculate a single red colony of a YAC-containing clone into 20 ml AHC medium in a 250-ml Erlenmeyer flask. Shake 24 hr at 250 rpm, 30°C, on an orbital shaker.
The culture should begin to turn pink. If not, continue incubation an additional 24 hr. If the culture is still not pink, discard it and start over with a new red colony. Orbital shakers are preferred because they give much better aeration.

2. Inoculate 1 ml of culture from step 1 into 100 ml AHC medium in a 1-liter Erlenmeyer flask. Shake 24 hr at 250 rpm, 30°C.

3. Transfer culture to 50-ml plastic conical centrifuge tubes. Centrifuge 5 min at 2000 × g (2800 rpm in Beckman JS-4.2 rotor), 4°C.

4. Discard supernatants and resuspend cell pellets in a total of 5 ml SCE buffer. Pool into a single tube.

5. Add 1 ml SCEM buffer. Mix gently 1 to 2 hr at 100 rpm, 37°C, on an orbital shaker.
SCEM buffer contains lyticase, which will digest the cell wall.

6. Centrifuge 5 min at 2000 × g, 4°C. Discard supernatant and resuspend cell pellet in 5 ml Tris/EDTA lysis buffer.

7. Add 0.5 ml of 10% SDS and invert several times to mix. Incubate 20 min at 65°C.

Isolate nucleic acids
8. Add 2 ml of ice-cold 5 M potassium acetate, pH 4.8, and invert to mix. Keep 60 min on ice.

9. Centrifuge 10 min at 2000 × g, room temperature. Carefully pour the nucleic acid–containing supernatant into a new tube. Add 2 vol room-temperature 95% ethanol and invert to mix.
10. Centrifuge 5 min at 2000 × g, room temperature. Discard supernatant and air-dry nucleic acid pellet 10 to 15 min. Add 3 ml TE buffer, pH 8.0, and dissolve overnight at 37°C.
Recover and analyze DNA
11. Add 0.1 ml of 1 mg/ml DNase-free RNase A and incubate 1 hr at 37°C.
12. Add 6 ml room-temperature isopropanol with swirling, then invert to mix.
13. Spool DNA using a capillary pipet and dissolve in 0.5 ml TE buffer, pH 8.0. Add 50 µl of 5 M NaCl and 2 ml of room-temperature 95% ethanol. Mix by inverting.
14. Spool DNA again and dissolve in 0.5 ml TE buffer. Store at 4°C. A yield of 1 to 1.5 µg DNA per 10^8 yeast cells can be expected.
15. Analyze 2-µg aliquots of YAC DNA and 15-µg aliquots of total genomic DNA from the species or individual from which the YAC library was made by digesting with several frequently cutting restriction enzymes. Proceed with Southern blotting and hybridization using a single-copy probe. The product amplified by PCR screening (see UNIT 6.9) may be used as probe. Because the YAC donor may exhibit a restriction-fragment-length polymorphism for this probe, two restriction fragments may be observed in the donor DNA. One of these fragments should be identified in the isolated YAC DNA.
16. Once the YAC clone has been verified by Southern blotting, determine its size and obtain a preliminary assessment of its stability by preparing chromosomes in agarose plugs (third basic protocol) and analyzing by pulsed-field gel electrophoresis.

PREPARATION OF YEAST CHROMOSOMES IN AGAROSE PLUGS FOR PULSED-FIELD GEL ELECTROPHORESIS
BASIC PROTOCOL
In order to assess size, stability, and possible rearrangements within YACs, and to identify overlapping YACs, it is useful to isolate the YACs by embedding them in agarose plugs for subsequent analysis by pulsed-field gel electrophoresis (PFGE). Most methods of pulsed-field gel electrophoresis can be used (UNIT 2.5B); the CHEF (contour-clamped homogeneous electric-field electrophoresis) gel system is particularly suitable in that it reliably permits excellent resolution in the size range most common for YACs.

Materials
AHC medium (ura−, trp−)
Single colony of S. cerevisiae containing pYAC4 with insert (first basic protocol)
0.05 M EDTA, pH 8.0 (APPENDIX 2)
SEM buffer
10 mg/ml Lyticase (Sigma #L-8137 or ICN Biomedicals #190123)
2% InCert or SeaPlaque agarose (FMC Bioproducts), dissolved in SEM buffer and equilibrated to 37°C
SEMT buffer
Lithium lysis solution
20% (v/v) NDS solution
0.5× TBE (APPENDIX 2) or GTBE buffer (UNIT 2.5B)
30°C rotary platform shaking incubator
Beckman JS-4.2 rotor or equivalent
Gel sample molds (e.g., CHEF gel molds, Bio-Rad #1703622)
60-mm tissue culture plate
Additional reagents and equipment for pulsed-field gel electrophoresis (UNIT 2.5B)
Screening of Recombinant DNA Libraries
Prepare and lyse YAC clone
1. Inoculate 25 ml AHC medium with a single red colony of a YAC-containing clone. Shake 48 to 60 hr at 250 rpm, 30°C. The culture should be pink. If it is not, discard and start over with a new red colony. To assess the stability of an individual YAC and to facilitate distinguishing the artificial chromosome from the native yeast chromosomes, it is useful to analyze 4 or 5 individual colonies from the same YAC strain as well as a colony of the untransformed yeast host.
2. Centrifuge 10 min at 2000 × g (2800 rpm in a Beckman JS-4.2 rotor), 4°C. Discard supernatant and resuspend cell pellet in 10 ml of 0.05 M EDTA, pH 8.0.
3. Centrifuge 10 min at 2000 × g, 4°C. Remove all liquid from pellet and resuspend in 150 µl SEM buffer.

Prepare agarose molds
4. Warm YAC sample to 37°C and add 25 µl Lyticase. Add 250 µl of 2% InCert or SeaPlaque agarose that has been melted in SEM buffer and equilibrated to 37°C.
5. Mix quickly and pour into CHEF gel sample molds. Chill 10 min at 4°C. Transfer solidified plugs to a 60-mm tissue culture plate.
6. Cover each plug with 4 ml SEMT buffer. Incubate 2 hr with gentle shaking at 37°C.
7. With a pipet, remove SEMT buffer and replace with 4 ml lithium lysis solution. Incubate 1 hr with gentle shaking at 37°C.
8. Remove and replace lithium lysis solution two or three times, shaking ≥1 hr each time. Shake the last change overnight.
9. Remove lithium lysis solution, replace with 4 ml of 20% NDS solution, and shake 2 hr at room temperature. Repeat once.

Electrophorese samples in individual agarose plugs
10. Cut into plugs of suitable size to fit into wells of a pulsed-field gel. Store plugs individually in 20% NDS solution at 4°C. Plugs prepared and stored in this manner are usually stable for 4 to 8 weeks.
11. Soak each plug 30 min in 1 ml of 0.5× TBE or GTBE buffer. Change three times.
12. Analyze by pulsed-field gel electrophoresis. Following electrophoresis, the artificial chromosome can be visualized in an ethidium bromide–stained gel as an extra chromosome not present in the host yeast strain. If desired, Southern blot hybridization (UNIT 2.9) with appropriate probes can be carried out.
END-FRAGMENT ANALYSIS USING PCR AMPLIFICATION

This protocol provides a means for recovering end fragments from the YAC insert by PCR amplification. Digestion of YAC-containing DNA with a frequently cutting restriction enzyme produces a collection of small fragments: among these, one contains the distal portion of the YAC insert associated with part of the left vector arm, and another contains the other end of the insert associated with part of the right vector arm. Fragments encoding these vector sequences are prepared for PCR amplification by ligation of a double-stranded DNA tag containing a “bubble” of noncomplementary sequence flanked by short complementary sequences (Fig. 6.10.2). Selective amplification of these two end-fragment sequences is achieved using one PCR primer derived from the YAC vector (HYAC-C or LS-2 for the left arm or HYAC-D or RY-2 for the right arm) and one primer containing the sequence of the noncomplementary portion of the bubble (the 224 primer template, created by extension from the YAC-vector-specific primer; Fig. 6.10.3). Occasionally, nonspecific DNA fragments are amplified from the bubble PCR reaction. If this occurs, specificity may be restored using a hemi-nesting strategy. A small aliquot of the product of the initial PCR reaction (containing a mixture of the specific and nonspecific amplified fragments) is reamplified in a second round of PCR using an internal sequence from the vector arm as one of the primers. Because this sequence is not present in the nonspecific fragments, only the specific fragment will be amplified.
BASIC PROTOCOL
Materials
“Bubble-top” and “bubble-bottom” oligonucleotide primers (Fig. 6.10.2)
YAC-containing DNA (second basic protocol)
RsaI and HinfI restriction endonucleases and appropriate buffers (UNIT 3.1)
10× T4 DNA ligase buffer and 1 U/µl T4 DNA ligase (UNITS 3.4 & 3.14)
PCR reaction mix
PCR amplification primers HYAC-C, HYAC-D, 224, and RA-2, 4 µM each (Fig. 6.10.2)
Thermal cycling apparatus
65° and 68°C water baths
Additional reagents and equipment for phosphorylating synthetic oligonucleotides (UNIT 3.10), restriction endonuclease digestion (UNIT 3.1), PCR (UNIT 15.1), nondenaturing PAGE (UNIT 2.7), preparing radiolabeled oligonucleotide probes (UNITS 3.10, 4.6 & 15.2), and blunt-end ligation (UNIT 3.16)

Prepare bubble oligonucleotide tags
1. Phosphorylate the bubble-top oligonucleotide. This step can usually be eliminated, but may modestly increase efficiency.
2. Adjust bubble-top and bubble-bottom oligonucleotide concentrations to 4 nmol/ml with water. Mix together 1 nmol of each, then anneal by heating 15 min at 68°C in a water bath, followed by slow cooling to room temperature over 30 to 60 min.

Digest YAC DNA and ligate to bubble oligonucleotides
3. Digest 2.5-µg aliquots of purified YAC-containing DNA to completion with RsaI or HinfI in 20 µl final volume, 37°C. Digestion of separate samples with RsaI and HinfI increases the chance of obtaining an end fragment of a size suitable for PCR amplification (75 bp).
4. Heat samples 15 min at 65°C to inactivate the restriction enzymes.
Figure 6.10.2 (text rendering of the figure; sequences as drawn, bottom strands written 3′ to 5′)
(A) RsaI bubble-top: 5′-GAAGGAGAGGAC GCTGTCTGTCGAAGGTAAGGAACGGACGA GAGAAGGGAGAG-3′
    Universal bubble-bottom: 3′-CTTCCTCTCCTG TCGCTAAGAGCATGCTTGCCAATGCTAAG CTCTTCCCTCTC-5′
    224 primer: 3′-TCGCTAAGAGCATGCTTGCCAATGCTAAGC-5′ (drawn beneath the bubble region of the universal bubble-bottom strand, with which it shares its sequence; it therefore anneals to neither strand of the linker, see caption)
(B) HinfI bubble-top: 5′-A(N)TGAAGGAGAGGAC GCTGTCTGTCGAAGGTAAGGAACGGACGA GAGAAGGGAGAG-3′
    Universal bubble-bottom: 3′-CTTCCTCTCCTG TCGCTAAGAGCATGCTTGCCAATGCTAAG CTCTTCCCTCTC-5′
(C) HYAC-C primer: 5′-GCTACTTGGAGCCACTATCGACTACGCGAT-3′
    HYAC-D primer: 5′-GGTGATGTCGGCGATATAGGCGCCAGCAAC-3′
    RA-2 primer: 5′-TCGAACGCCCGATCTCAAGATTAC-3′
    LS-2 primer: 5′-TCTCGGTAGCCAAGTTGGTTTAAGG-3′
    Bubble sequencing primer: 5′-CGCTGTCCTCTCCTTC-3′
Figure 6.10.2 Oligonucleotides for amplification and sequencing of YAC insert end-fragments. (A) Annealing of the 53-mer universal “bubble-bottom” oligonucleotide to the 53-mer RsaI bubble oligonucleotide yields a blunt-ended DNA duplex in which 12-bp complementary sequences flank a 29-nucleotide “bubble” of noncomplementary sequence. This bubble linker can be ligated to any blunt-ended fragment (e.g., one generated by digestion with RsaI). The 224 primer does not anneal to either strand of the bubble, but is fully complementary to any DNA strand that is generated during PCR using the universal bubble-bottom strand as a template (see Fig. 6.10.3). (B) Annealing of the 53-mer universal bubble-bottom oligonucleotide to the 56-mer HinfI bubble-top oligonucleotide yields a DNA duplex with one blunt end and one cohesive end with the degenerate HinfI site. A mixture of all four nucleotides at a specific position is indicated by (N). (C) The HYAC-C, HYAC-D, RA-2, and LS-2 primers anneal to sequences in the pYAC4 vector (see Fig. 6.10.1). The bubble sequencing primer anneals to the RsaI and HinfI bubble-top sequences near their 5′ ends, permitting DNA sequencing from the bubble linker back into the YAC insert end-fragment.
5. Prepare the following ligation mix (50 µl total):
2 µl (250 ng) digested DNA
1 µl (2 pmol) annealed bubble oligonucleotides (from step 2)
5 µl 10× ligase buffer
2 µl (2 U) T4 DNA ligase
40 µl H2O
Incubate 2 hr at 37°C or overnight at room temperature.
The blunt-ended bubble composed of the universal bubble-bottom oligonucleotide and the RsaI bubble-top oligonucleotide should be used with RsaI-digested YAC DNA. Likewise, the HinfI cohesive bubble composed of the universal bubble-bottom oligonucleotide and the HinfI bubble-top oligonucleotide should be used with HinfI-digested YAC DNA.

Figure 6.10.3 (diagram; text rendering). (A) Random insert fragment with the bubble linker ligated to it; no vector primer site. (B) Insert end-fragment carrying the vector primer site and YAC vector sequence; after the 1st cycle of PCR, extension from the vector primer site creates the 224 primer site.

Figure 6.10.3 Selective PCR amplification from the YAC insert end-fragment. (A) Result of ligation of the bubble linker to a random fragment from the internal portion of the YAC insert. Because this fragment is not derived from the end of the YAC genomic insert, it contains no sequences from the YAC vector and has no site for annealing any of the HYAC-C, HYAC-D, RA-2, or LS-2 primers or for annealing of the 224 primer. Consequently, no fragment is amplified by PCR. (B) Result of ligation of the bubble linker to a fragment derived from the end of the YAC genomic insert and containing its associated YAC vector sequences. During the first cycle of PCR, extension from the YAC vector priming site produces sequences complementary to the universal bubble-bottom primer. This extended fragment provides a template for annealing of the 224 primer, thus permitting successful amplification of the insert end-fragment.
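The selectivity described in Figure 6.10.3 can be checked with a small string model of primer annealing and extension. This is an added example, not part of the Current Protocols unit: the bubble oligos and the HYAC-C primer are transcribed from Fig. 6.10.2 (rewritten 5′ to 3′), while the insert sequences are constructed placeholders, the vector part of the end fragment is modelled as just the HYAC-C priming site, and the linker is assumed to join the fragment by its 5′-flank end.

```python
"""Why bubble PCR (Figs. 6.10.2 and 6.10.3) amplifies only YAC-insert end fragments.

Added example, not from the protocol. Strands are strings read 5'->3'. Bubble oligos
and the HYAC-C primer are transcribed from Fig. 6.10.2 (rewritten 5'->3'); the insert
sequences are constructed placeholders, and the vector portion of the end fragment is
modelled as just the HYAC-C priming site (assumptions, not the real pYAC4 sequence).
"""
from collections import Counter

_COMP = str.maketrans("ACGTN", "TGCAN")


def revcomp(seq: str) -> str:
    """Reverse complement: 5'->3' in, 5'->3' out."""
    return seq.translate(_COMP)[::-1]


# Fig. 6.10.2A: 12-bp complementary flanks around a 29-nt non-complementary bubble.
RSAI_BUBBLE_TOP = "GAAGGAGAGGAC" + "GCTGTCTGTCGAAGGTAAGGAACGGACGA" + "GAGAAGGGAGAG"
UNIVERSAL_BUBBLE_BOTTOM = "CTCTCCCTTCTC" + "GAATCGTAACCGTTCGTACGAGAATCGCT" + "GTCCTCTCCTTC"
PRIMER_224 = "CGAATCGTAACCGTTCGTACGAGAATCGCT"  # same sense as the bottom strand's bubble
HYAC_C = "GCTACTTGGAGCCACTATCGACTACGCGAT"      # left-arm vector primer (Fig. 6.10.2C)

# Constructed placeholder sequences (not real YAC or genomic DNA).
INSERT_END = "TTGACCGGATCAAGTGCCTTAGACGGTTCAGGTTATCCGAACTG"
RANDOM_INSERT = "CATGGTACCTTAGGCAATCGGTTCAACCTAGGATTCGTCAGTAC"


def ligate(fragment: str, top: str, bottom: str) -> Counter:
    """Blunt fragment with a linker ligated at each end; returns its two strands.

    Orientation assumed here: the linker's 5'-flank end is joined to the fragment,
    so every physical strand reads 5'-[bottom oligo][fragment strand][top oligo]-3'.
    """
    return Counter({bottom + fragment + top: 1, bottom + revcomp(fragment) + top: 1})


def pcr(pool: Counter, primers, cycles: int) -> Counter:
    """Idealised PCR: a primer anneals wherever its reverse complement occurs in a
    strand and is extended to that strand's 5' end, giving one new strand per copy.
    Sequence 3' of the annealing site is not copied, which is what creates the
    224 site only after extension from the vector primer."""
    for _ in range(cycles):
        new = Counter()
        for template, copies in pool.items():
            for primer in primers:
                site = template.find(revcomp(primer))
                if site >= 0:
                    new[revcomp(template[: site + len(primer)])] += copies
        pool = pool + new
    return pool


def exponential_products(pool: Counter, primers) -> int:
    """Copies of strands primed at both ends (a primer at 5', a primer site at 3'):
    the species that doubles each cycle and is what appears on the gel."""
    return sum(copies for s, copies in pool.items()
               if any(s.startswith(p) for p in primers)
               and any(s.endswith(revcomp(p)) for p in primers))


def bubble_pcr(fragment: str, cycles: int = 5) -> int:
    """Exponential product count for a bubble-ligated fragment with 224 + HYAC-C."""
    primers = [PRIMER_224, HYAC_C]
    pool = ligate(fragment, RSAI_BUBBLE_TOP, UNIVERSAL_BUBBLE_BOTTOM)
    return exponential_products(pcr(pool, primers, cycles), primers)


def plain_linker_pcr(fragment: str, cycles: int = 5) -> int:
    """Control: same top oligo but a fully complementary bottom strand (no bubble),
    primed with a linker-sense primer plus HYAC-C. Shows why the bubble is needed."""
    top = RSAI_BUBBLE_TOP
    bottom = revcomp(top)
    primers = [bottom[11:41], HYAC_C]
    pool = ligate(fragment, top, bottom)
    return exponential_products(pcr(pool, primers, cycles), primers)


if __name__ == "__main__":
    # Fig. 6.10.3B: vector priming site + insert end -> amplified.
    print("end fragment, bubble linker:", bubble_pcr(HYAC_C + INSERT_END))
    # Fig. 6.10.3A: random internal fragment -> nothing for either primer to anneal to.
    print("random fragment, bubble linker:", bubble_pcr(RANDOM_INSERT))
    # Without the bubble, the linker primer alone amplifies every ligated fragment.
    print("random fragment, plain linker:", plain_linker_pcr(RANDOM_INSERT))
```

In the model the end fragment yields double-primed product only from the third cycle on (vector-primer extension, then 224 extension, then both), while the random fragment yields none; with a conventional fully complementary linker the random fragment is amplified too.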
6. Add 200 µl water to bring the DNA concentration to 1 ng/µl final.

Amplify fragments containing YAC-insert end sequences
7. Prepare the following PCR on ice (10 µl total):
8 µl PCR reaction mix
1 µl (2 µM each) PCR primer pair mix
1 µl (1 ng) digested, bubble-ligated YAC DNA
Carry out 35 cycles of amplification as follows: 1 min at 92°C, 2 min at 65°C, and 2 min at 72°C. To amplify the left end of the YAC insert, use a primer pair mix made from equal amounts of primers 224 and HYAC-C (Fig. 6.10.1). To amplify the right end of the YAC insert, use a primer pair mix made from equal amounts of primers 224 and RA-2 (specific for the SUP4 region of pYAC4; Fig. 6.10.1).
These parameters were optimized using the Perkin-Elmer TC1 thermal cycler. If another instrument is used, some adjustment of parameters may be required.
8. Analyze a 1-µl aliquot of PCR product on a 5% polyacrylamide gel. A single, clearly visible amplified fragment should be observed after staining the gel with ethidium bromide.

Produce end fragments using hemi-nested amplification
To amplify the left end (either RsaI- or HinfI-digested DNA):
9a. Amplify 1 µl digested, bubble-ligated YAC DNA (from step 6) with primers 224 and HYAC-C, using 20 cycles of 1 min at 92°C, 2 min at 62°C, and 2 min at 72°C.
10a. Dilute the amplification product 1:100 with water and add 1 µl to a new PCR reaction containing primers 224 and LS-2 (specific for the SUP4 region of pYAC4; see Figs. 6.10.1 and 13.4.6). Carry out 30 cycles of 1 min at 92°C, 2 min at 65°C, and 2 min at 72°C.
To amplify the right end using RsaI-digested DNA:
9b. Amplify 1 µl digested, bubble-ligated YAC DNA (from step 6) with primers 224 and HYAC-D, using 20 cycles of 1 min at 92°C, 2 min at 62°C, and 2 min at 72°C.
10b. Dilute amplification product 1:100 with water and add 1 µl to a new PCR reaction (see step 7) containing primers 224 and RA-2. Carry out 30 cycles of 1 min at 92°C, 2 min at 65°C, and 2 min at 72°C. Hemi-nesting of the right end cannot be performed with HinfI-digested DNA, because there is a HinfI site only 24 bp from the EcoRI YAC vector cloning site.
11. Analyze a 1-µl aliquot of each final PCR reaction on a 5% polyacrylamide gel.
12. End label amplified fragments with 32P and use as hybridization probes or for nucleotide sequencing to produce an end-specific STS. Alternatively, subclone by blunt-end ligation to a plasmid vector prior to further manipulation. Blunt-end subcloning of DNA fragments that have been amplified by PCR must be preceded by “polishing” of the ragged PCR ends with S1 nuclease or T4 DNA polymerase (see UNIT 15.7).

ALTERNATE PROTOCOL
END-FRAGMENT ANALYSIS BY SUBCLONING INTO A BACTERIAL PLASMID VECTOR

This method (an alternative to the previous protocol for recovering end fragments from the YAC insert) uses the strategy of double digesting the YAC-containing DNA to enhance the efficiency of subcloning into a pUC19-based vector; the SUP4 element containing the YAC EcoRI cloning site is located within a portion of the YAC vector derived from pBR322 (Figs. 1.5.2 and 6.10.5). The cloning strategy enriches for end-fragment-containing subclones because the restriction endonuclease used for digestion of YAC-containing DNA is either ClaI (for the left arm) or SalI (for the right arm). Both enzymes cut rarely in human or yeast genomic DNA; therefore, when one is combined with a more frequently cutting enzyme, the resulting doubly digested fragments will represent a minor portion of the total DNA pool. Size fractionation on an agarose gel prior to subcloning affords a still further enrichment for end fragments. Note that after the first step of the protocol, all steps are performed in duplicate to identify both the right and left end fragments of the YAC insert.
Additional Materials
ClaI, SalI, and other appropriate restriction endonucleases and digestion buffers (UNIT 3.1)
Left- and right-vector-arm probes (Fig. 6.10.4)
pUC19-ES and pUC19-HS plasmid vectors (support protocol and Fig. 6.10.5)
Transformation-competent Rec− strain of E. coli (e.g., DH5; Table 1.4.5)
2× TY or LB agar plates (UNIT 1.1) containing 50 to 100 µg/ml ampicillin
Additional reagents and equipment for agarose gel electrophoresis (UNIT 2.5A), subcloning of DNA fragments (UNIT 3.16), transformation of E. coli (UNIT 1.8), Southern blotting and hybridization (UNIT 2.9), labeling by random-primed synthesis (UNIT 3.5), isolation and purification of DNA fragments from agarose gels (UNIT 2.6), replica plating (UNIT 1.3), and purification of plasmid DNA (UNITS 1.6 & 1.7)

Perform an appropriate double digest and analyze by hybridization
1a. For left arm: Digest 5-µg aliquots of YAC-containing DNA with ClaI and then with each possible second cloning enzyme: SacI, KpnI, SmaI, BamHI, XbaI, and SphI. In addition to SmaI, other blunt-cutters not represented within the ClaI-EcoRI interval of the YAC vector may be tested.
1b. For right arm: Digest 5-µg aliquots of YAC-containing DNA with SalI and then with each of the following possible second cloning enzymes: SacI, KpnI, SmaI, BamHI, XbaI, SphI, or HindIII. All of the above restriction endonucleases have compatible cleavage sites within the polylinker of the modified pUC19; AccI provides a cohesive site for ClaI.

Carry out all remaining steps in parallel for the left- and right-arm probes:
2. Electrophorese doubly digested DNA on an agarose gel and transfer to a filter for Southern hybridization.
3. Prepare left- and right-vector-arm probes by PCR as described in Fig. 6.10.4. Probes can also be obtained by digestion and fractionation of pBR322 DNA with subsequent labeling.
4. Hybridize each probe to the appropriate filter from step 2.
Figure 6.10.4 primers (text rendering)
Left arm:
5′ ATCGATAAGCTTTAATGCGGTAGT 3′ (pBR322 bases 23-46)
5′ GATCCACAGGACGGGTGTGGTCGC 3′ (pBR322 bases 379-356)
Right arm:
5′ GATCCTCTACGCCGGACGCATCGT 3′ (pBR322 bases 375-399)
5′ GTCGACGCTCTCCCTTATGCGACT 3′ (pBR322 bases 656-632)
Figure 6.10.4 Generation of left- and right-vector-arm probes. The 351-bp ClaI-BamHI and 276-bp BamHI-SalI fragments of pBR322, which hybridize to sequences immediately flanking the sup4 sequences of the YAC vector, are appropriate probes for the YAC left and right vector arms. These probes can be obtained by restriction digestion and gel fractionation of pBR322 plasmid DNA or generated by PCR using 10 ng pBR322 as template for the primers illustrated here. Perform PCR using 25 cycles of 1 min at 92°C, 1 min at 50°C, and 2 min at 72°C. Extract the amplified material once with phenol and once with chloroform, then precipitate with ethanol (UNIT 2.1). Label directly by random priming (UNIT 3.5) without further purification.
5. Examine autoradiogram and choose an enzyme combination that yields a hybridizing DNA fragment in the 2- to 7-kb size range. Digest a 50-µg aliquot of YAC-containing DNA with these two enzymes. This should yield ∼5 times more size-fractionated DNA than needed.
Isolate the DNA
6. Electrophorese doubly digested DNA on an agarose gel. Using a scalpel or razor blade, cut out the segment of gel that should contain the doubly digested DNA fragment. To avoid missing the critical portion of the gel, it may be useful to excise adjacent gel slices containing fragments larger than and smaller than the expected size, and to process them in parallel.
7. Purify size-fractionated DNA from gel slice and resuspend in a final volume of 20 µl TE buffer, pH 8.0. For purifying the DNA, the best results have been obtained by using the Geneclean II kit (BIO 101, La Jolla, CA).
Subclone the end fragments
8. Ligate 20% of the purified YAC-derived insert DNA with 0.2 µg of gel-purified, compatibly digested pUC19-HS or -ES vector DNA overnight in a total volume of 20 µl. Because the pUC19 plasmid from which they are derived has no homology with the portion of pBR322 detected by the ClaI/BamHI and BamHI/SalI probes (Fig. 6.10.4), these probes can be used to detect YAC-insert end-fragment-containing subclones in pUC19, and will not cross-hybridize to the pUC vector.
9. Transform the ligated DNA into a transformation-competent Rec− host strain of E. coli. Plate sufficient transformation mix on 2× TY/ampicillin or LB/ampicillin plates to obtain ∼200 colonies, a sufficiently low density that individual colonies may be recovered following hybridization. Invert plates and incubate overnight at 37°C.
10. Prepare colony-lift filters and hybridize overnight with ∼1–2 × 10^7 cpm of the appropriate 32P-labeled left- or right-arm probe. Wash and autoradiograph. Because of the enrichment afforded by double digestion, 1% to 4% of colonies will contain the end fragment.
11. Purify plasmid DNA from hybridizing colonies.
12. Verify the structure of the plasmid by comparing its restriction map to the data obtained during the initial analytical double digests of the YAC (steps 1 to 3).

SUPPORT PROTOCOL
DESIGN AND PREPARATION OF pUC19-ES and pUC19-HS SUBCLONING VECTOR
This protocol describes the construction of two vectors for subcloning YACs (previous basic protocol). pUC19 is modified by insertion of a “stuffer” fragment in both possible orientations (see UNIT 3.16; Fig. 6.10.5). If a double digest is performed on the resulting construct (UNIT 3.1), using AccI (cohesive with ClaI) or SalI and any of the other enzymes in the pUC polylinker, the presence of the stuffer makes it possible to visualize whether the vector has been fully cut. Complete double digestion is critical to the success of the end-fragment subcloning described in the previous protocol. For example, digestion with AccI or SalI will linearize the pUC19-ES vector. Subsequent digestion with EcoRI, SacI, KpnI, SmaI, BamHI, or XbaI will result in a shift in vector size from 3161 bp to 2686 bp and a free stuffer fragment will be generated. The doubly digested vector can then be isolated by fractionation in an agarose gel (UNIT 2.5A) and purified (UNIT 2.6).

Figure 6.10.5 Structure of the pUC19-ES and pUC19-HS plasmids (text rendering of the map; each plasmid is 3161 bp and carries ampr, ori, and a 475-bp stuffer).
pUC19-ES polylinker: EcoRI SacI KpnI SmaI BamHI XbaI | 475-bp stuffer | SalI/AccI/HincII PstI SphI HindIII
pUC19-HS polylinker: EcoRI SacI KpnI SmaI BamHI XbaI SalI/AccI/HincII | 475-bp stuffer | PstI SphI HindIII

pUC19-ES: Modify the pUC19 vector (see Fig. 1.5.2) by inserting a stuffer consisting of the 475-bp TaqI fragment of pBR322 (positions 653-1128) into the pUC19 polylinker AccI (HincII) site. In the resulting plasmid, the AccI (and SalI and HincII) site adjacent to the polylinker PstI site is preserved, but the AccI site previously found next to the polylinker XbaI site (which would now be at the other end of the stuffer) is lost (Fig. 6.10.5).

pUC19-HS: Insert the 475-bp TaqI fragment stuffer described above into the same pUC19 AccI site but in the opposite orientation. In the resulting plasmid, the polylinker AccI site adjacent to the XbaI site is preserved, but the AccI site adjacent to the PstI site is lost (Fig. 6.10.5).
BASIC PROTOCOL
PREPARATION OF HIGH-MOLECULAR-WEIGHT YAC-CONTAINING YEAST DNA IN SOLUTION

This protocol describes the purification of YAC-containing DNA of sufficiently high molecular weight to provide a source of YAC insert material for subcloning in λ or cosmid vectors. This DNA is also suitable for restriction mapping or other genetic manipulations. A cell lysate is fractionated on a sucrose gradient; the DNA-containing fraction is subsequently dialyzed, concentrated, and examined by electrophoresis through a pulsed-field gel.

Materials
Single colony of S. cerevisiae containing pYAC4 with insert (first basic protocol)
AHC medium (ura−, trp−)
SCEM buffer
Lysis buffer
Step-gradient solutions: 50%, 20%, and 15% (w/v) sucrose
TE buffer, pH 8.0 (APPENDIX 2)
Dry granular sucrose
30°C orbital shaking incubator (e.g., New Brunswick Scientific #G-24)
250-ml conical centrifuge bottles (e.g., Corning #25350)
65°C water bath
25 × 89–mm tube (e.g., Beckman #344058)
Beckman JS-4.2 and SW-27 rotors (or equivalents)
Dialysis tubing (APPENDIX 3)
Pyrex baking dish
CHEF pulsed-field gel apparatus or equivalent (UNIT 2.5B)
Additional reagents and equipment for size fractionation using a sucrose gradient (UNIT 5.3) and estimating DNA concentration (UNIT 2.6)

Grow and prepare the cells
1. Inoculate a single red colony of a YAC-containing clone into 25 ml AHC medium in a 250-ml flask. Shake at 250 rpm, 30°C, until culture reaches saturation (∼3 days).
2. Transfer 1 ml of saturated culture to 100 ml AHC medium in a 1-liter flask. Shake 16 to 18 hr at 250 rpm, 30°C.
3. Harvest yeast cells by centrifuging 10 min at 2000 × g (2800 rpm in Beckman JS-4.2 rotor), room temperature, using a 250-ml conical centrifuge bottle. Discard supernatant.
4. Resuspend cells in 50 ml water. Centrifuge 5 min at 2000 × g, room temperature. Discard supernatant. A cell pellet of ∼4 g should be obtained.
5. Resuspend cells in 3.5 ml SCEM buffer.

Lyse the cells
6. Incubate 2 hr at 37°C with occasional gentle mixing. The mixture will become highly viscous.
7. Gradually add cell mixture to 7 ml lysis buffer in a 250-ml Erlenmeyer flask by allowing the viscous cell suspension to slide down the side of the flask.
8. Gently mix by swirling flask until mixture is homogeneous and relatively clear.
9. Incubate 15 min at 65°C, then cool rapidly to room temperature in a water bath.
Fractionate cell contents
10. Fractionate on a sucrose step gradient. In a 25 × 89–mm tube, prepare a step gradient consisting of:
3 ml 50% sucrose
12 ml 20% sucrose
12 ml 15% sucrose
11 ml lysed sample
Centrifuge 3 hr at 125,000 × g (26,000 rpm in a Beckman SW-27 rotor), room temperature.
11. Discard ∼25 ml from top of gradient using a 10-ml pipet.

Dialyze and analyze DNA
12. Collect viscous DNA-containing solution at the 20% to 50% sucrose interface (∼5 ml total volume) and place in dialysis tubing, leaving room for the volume to increase ≥2- to 3-fold. Dialyze overnight against 2 liters TE buffer, pH 8.0, at 4°C.
13. Reconcentrate dialyzed DNA by placing dialysis tubing in an autoclaved Pyrex baking dish and covering with granular sucrose. Recover dialysis tubing when the volume of contents has been reduced to ∼2 ml.
14. Squeeze DNA solution to one end of dialysis tubing and tie an additional knot to keep DNA in a small volume. Dialyze overnight against 1 liter of TE buffer, pH 8.0, at 4°C.
15. Recover dialyzed DNA and check a small aliquot by electrophoresing in a CHEF pulsed-field gel. Stain with ethidium bromide and estimate DNA content by comparison to a known amount of λ DNA. The DNA sample will contain a substantial amount of yeast RNA but should also contain a population of YAC DNA fragments migrating at a size of >100 kb. The presence of the RNA may make it difficult to determine the DNA concentration accurately; the concentration may be estimated by comparison to known DNA standards in an ethidium bromide–stained gel. The RNA will not affect restriction digestion of the DNA.
PREPARATION AND ANALYSIS OF A YAC-INSERT SUBLIBRARY

Construction of a sublibrary of fragments of the YAC insert facilitates high-resolution analysis of the insert sequence. This protocol details the steps required to produce a cosmid library, followed by a series of screenings to identify regions of interest and “walking” to establish a contiguous map of the insert.
BASIC PROTOCOL
Materials
High-molecular-weight YAC-containing DNA (fifth basic protocol)
Vector DNA (e.g., SuperCos 1, Stratagene #251301)
32P-labeled (UNIT 3.10) probes: total genomic DNA of the individual or species from which the library was made (e.g., UNITS 2.2, 2.3 & 5.3), end-specific DNA (UNIT 3.10) or RNA (UNIT 3.8), and end fragment from YAC (fourth basic protocol or alternate protocol)
Additional reagents and equipment for restriction endonuclease digestion (UNIT 3.1), genomic DNA library production (UNIT 5.7), plating and transferring a cosmid library (UNIT 6.2), and hybridization with radioactive probes (UNITS 6.3 & 6.4)
Construct the library
1. Partially digest 1 to 2 µg of YAC-containing DNA with restriction endonuclease(s) appropriate for the cosmid vector to be used. For example, to clone into the BamHI site of SuperCos 1, digest the YAC DNA with either MboI or Sau3A. The quantity of restriction endonuclease should be adjusted to produce digested fragments with an average size of ∼40 kb. Although only a small fraction of the YAC-containing DNA used as starting material is actual YAC DNA (the rest being yeast genomic DNA), because of the low complexity of the yeast genome (e.g., compared to the human genome), only 3000 to 5000 cosmid clones are required to yield 3 yeast genome equivalents. Thus, only 1 to 2 µg of yeast DNA are required to make an adequate library.
2. Perform a series of test ligations as described in UNIT 5.7. Using optimal conditions, ligate insert DNA to vector DNA.
3. Package cosmid recombinants; dilute packaged extract and determine the titer.
4. Plate and transfer the sublibrary as appropriate for the vector, and prepare resulting filters for hybridization.

Screen the sublibrary
5. Perform a preliminary screen of the library using a 32P-labeled probe of total genomic DNA of the individual or species from which the library was made. This probe is a source of repetitive sequences. Because these repetitive sequences are spaced frequently throughout the source genome, and are absent from yeast, this probe will identify most of the source-DNA insert cosmids from the excess of yeast insert cosmids.
6. Organize this first set of cosmid clones into contigs by analyzing shared restriction fragments and by hybridizing with probes contained in the YAC insert or prepared from the ends of individual cosmid inserts. Cosmid end-fragment-specific probes can be generated by digesting cosmid DNA and end-labeling the purified restriction fragment(s) that contain(s) the cloning site. If the cloning vector is SuperCos 1 (or a comparable vector), end-specific RNA probes may also be transcribed from the ends of the cosmid clones using T3 and T7 polymerase (see critical parameters).
7. Establish a complete contiguous collection of cosmid clones of the original YAC insert by screening the library with specific YAC-derived probes and cosmid end-specific probes. Note that nitrocellulose filters may be reused for hybridization in subsequent steps without further washing or removal of probe. Repeated hybridization with sequential “walking probes” should reveal new hybridizing colonies at each step.
REAGENTS AND SOLUTIONS

AHC medium and plates (ura−, trp−)
1.7 g yeast nitrogen base without amino acids and without ammonium sulfate (Difco)
5 g ammonium sulfate
10 g casein hydrolysate-acid, salt-free and vitamin-free (U.S. Biochemical #12852)
50 ml (for medium) or 10 ml (for plates) of 2 mg/ml adenine hemisulfate (Sigma #A-9126)
Dissolve in a final volume of 900 ml H2O
Adjust pH to 5.8
Autoclave 30 min, then add 100 ml sterile 20% (w/v) glucose. For AHC plates, add 20 g agar prior to autoclaving. Store at 4°C for ≤6 weeks.

Lithium lysis solution
1% lithium dodecyl sulfate (Sigma #L-4632)
100 mM EDTA
10 mM Tris⋅Cl, pH 8.0 (APPENDIX 2)
Filter sterilize and store indefinitely at room temperature

Lysis buffer
0.5 M Tris⋅Cl, pH 8.0 (APPENDIX 2)
3% (v/v) N-lauroylsarcosine (Sarkosyl)
0.2 M EDTA, pH 8.0 (APPENDIX 2)
Store indefinitely at room temperature. Add 1 mg/ml proteinase K just before use.

100% NDS solution
Mix 350 ml H2O, 93 g EDTA, and 0.6 g Tris base. Adjust pH to ∼8.0 with 100 to 200 pellets of solid NaOH. Add 5 g N-lauroylsarcosine (predissolved in 50 ml water) and adjust to pH 9.0 with concentrated NaOH. Bring volume to 500 ml with water. Filter sterilize and store indefinitely at 4°C. Dilute 1:5 with H2O (20% final) just before use.

PCR reaction mix
1.5 mM MgCl2
50 mM KCl
10 mM Tris⋅Cl, pH 8.3 (APPENDIX 2)
0.2 mM each dATP, dCTP, dGTP, and dTTP
0.05 U AmpliTaq polymerase (Perkin-Elmer/Cetus)/µl reaction mixture
0.03 µl Perfect Match Enhancer (Stratagene)/µl reaction mixture
Store all components at −20°C and mix just before use

SCE buffer
0.9 M sorbitol (Fisher, molecular biology grade)
0.1 M sodium citrate
0.06 M EDTA, pH 8.0
Adjust pH to 7.0
Store at room temperature ≤3 months

SCEM buffer
4.9 ml SCE buffer (see above)
0.1 ml 2-mercaptoethanol (2-ME)
Add 1 to 2 mg Lyticase (Sigma #L-8137 or ICN Biomedicals #190123) just before use.
Screening of Recombinant DNA Libraries
6.10.16 Current Protocols in Molecular Biology
Supplement 20
SEM buffer
1 M sorbitol
20 mM EDTA, pH 8.0
14 mM 2-ME
Filter sterilize
Store at 4°C for ≤6 weeks

SEMT buffer
1 M sorbitol
20 mM EDTA
14 mM 2-ME
10 mM Tris⋅Cl, pH 8.0 (APPENDIX 2)
Filter sterilize
Add 1 mg/ml Lyticase (Sigma #L-8137 or ICN Biomedicals #190123) just before use.

COMMENTARY
Background Information
An overview of strategies for screening YAC libraries and analyzing YAC clones is presented in UNIT 6.9.
Critical Parameters and Troubleshooting
The protocols provided in this unit are intended to describe the analysis and characterization of particular YAC clones of interest. It is initially desirable to assure the integrity of the clone; that is, to ensure that the YAC indeed carries the proper insert, that the insert is not chimeric or rearranged, and that it is stably maintained and propagated in the yeast host.

Growth of YAC-containing strains. In YAC clones, genomic DNA is inserted into a cloning site carried within the SUP4 gene of the vector (see Figs. 6.10.1 and 13.4.6). In the parent vector, the SUP4 product complements the ade2-1 ochre mutation carried in the host AB1380. This mutation causes a block in purine biosynthesis, resulting in accumulation of red pigment in the culture. Thus, disruption of SUP4 by insertional inactivation prevents complementation of the ochre mutation in the host. Before a strain is used, it is important to check that upon growth the colonies or cultures exhibit a red pigmentation. If not, another isolate should be used. Additionally, growth on selective AHC medium requires the presence of both arms of the YAC vector and favors stability of the clone through passage.

Analysis of YAC DNA. Restriction analysis of purified YAC DNA (second basic protocol) can be used to assess YAC structure. If fragments of unanticipated sizes are detected in the YAC, then it is likely that the YAC contains sequences homologous to, but different from, the desired clone, or that the YAC insert has undergone some sort of rearrangement during cloning. Alternatively, lack of methylation of the YAC DNA at the restriction enzyme recognition site may give a digestion pattern not seen in uncloned genomic DNA. Determination of size and stability of the YAC clone is made by preparing chromosomes in agarose plugs and subsequent pulsed-field gel electrophoresis. The PFGE gel can be blotted and analyzed by hybridization with sequence-specific probes and end-fragment probes. The results should reveal hybridization to the same size chromosome in all isolates of a given YAC clone. Variation in the size of the artificial chromosome between yeast isolates derived from one clone indicates YAC instability. Hybridization of a YAC vector arm probe to more than one artificial chromosome may indicate multiple transformation of the strain at the time of library construction. Alternatively, it may represent strain instability, with the smaller chromosome(s) representing deletion products of the original YAC. When two or more artificial chromosomes are identified with a single-copy genomic insert-specific probe, instability of the YAC insert is the most likely cause.

Assessing chimerism. In most existing YAC libraries, chimeric clones are observed to represent from 5% to 50% of the total clones. One of the most reliable ways to identify a chimeric YAC insert is to isolate a small fragment from each end of the YAC insert and define its chromosome of origin and whether it is contained in overlapping YACs from the same chromosomal region. Two procedures are given for analyzing the end fragments of the YAC clone, which can be used to identify chimerism in the YAC insert—one based upon subcloning (which for large-scale mapping projects can require prohibitive amounts of time and effort) and one based upon PCR. With the PCR strategy, the resulting amplified product should migrate as a single fragment in a polyacrylamide gel. If multiple bands are present, it may be possible to demonstrate that one is an appropriately amplified fragment because it should be digested by EcoRI to yield the vector-linker fragment plus the insert end fragment (see Fig. 6.10.3). If digestion by EcoRI cannot be confirmed or if no amplified band is observed, it is useful to try a “hemi-nested” PCR amplification in which the initially amplified product is reamplified using another primer that should be contained only in the properly amplified fragment. Each end-fragment probe should be shown to be single-copy by hybridization to a Southern blot of total DNA from the species used to prepare the YAC library. If a smear of hybridization is obtained, repetitive sequences are present within the probe. In the case of fragments obtained by subcloning, it is usually possible to identify a single-copy probe by digesting the fragment into several smaller pieces using selected restriction enzymes. The end fragments recovered by PCR are usually small, so that it is generally impossible to salvage a single-copy probe. It may be possible to suppress the repetitive DNA hybridization by including in the hybridization reaction an excess of unlabeled denatured repetitive DNA fragments from the species used to prepare the YAC library. If this is unsuccessful, the alternate protocol (subcloning into a bacterial vector) is usually necessary.

Construction of a cosmid sublibrary. For further high-resolution analysis and mapping of the YAC insert, it is desirable to construct a sublibrary (final basic protocol) from the YAC-containing DNA (fifth basic protocol).
A number of cosmid and phage vectors are available that are suitable for subcloning YACs into bacterial vectors (UNITS 3.16 & 5.7). One excellent candidate is the SuperCos-1 cosmid vector (Stratagene), which can accommodate inserts in the 35- to 42-kb range. It contains a neomycin-resistance cassette that permits selection of transfected clones in mammalian cells. It also contains T3 and T7 phage promoters flanking the genomic insert, which facilitate generation of RNA probes from the ends of the genomic inserts. This feature is useful for verifying overlaps of clones or to permit chromosome walking if a complete cosmid contig is not established in the first round of screening. Once a sublibrary has been constructed, it should be screened with a probe consisting of 32P-labeled total genomic DNA from the individual or species that was originally used to construct the library (a source of repetitive sequences). This will identify most of the cosmids containing DNA inserts from the source genome. Individual clones can be analyzed by Southern blotting with probes from the YAC insert or with genomic repetitive sequences. These data, together with results of Southern blots using probes derived from the ends of the cosmid clones using T3 or T7 polymerase, can be used to organize the cosmids into contigs. If a complete contig is not established, the cosmid library can be screened again with probes representing the ends of the YAC inserts, or derived from the ends of cosmid clones. Empirically, different portions of the YAC insert have been found to be nonrandomly represented in the cosmid library. Consequently, it is common for one or more rounds of chromosome walking to be required to fill in gaps between cosmid contigs.
Anticipated Results
The basic protocol for preparation of DNA from YAC clones can be expected to yield ∼1 to 1.5 µg of DNA in the size range of 50 to 200 kb from 10^8 yeast cells. The yield of DNA obtained by purification using preparative CHEF gel electrophoresis is ≥10-fold lower. The basic protocol for preparation of yeast chromosomes in agarose plugs for PFGE should yield sufficient material for ∼40 lanes of a pulsed-field gel from a 25-ml yeast culture. The basic and alternate protocols for analysis of the YAC insert end fragments (by PCR and by subcloning into a plasmid vector) should each yield DNA fragments that identify single hybridizing bands in genomic DNA when used as probes for Southern blots. The basic protocol for preparation of high-molecular-weight YAC-containing yeast DNA in solution should yield ∼25 to 50 µg of DNA ≥100 kb in size from a 100-ml culture. The basic protocol for preparation of a YAC insert cosmid sublibrary should yield ∼1500 colonies/µg of starting yeast DNA. From these, ∼30 to 50 genomic DNA–containing cosmids should be recovered.
Time Considerations
Purifying YAC DNA using the first basic protocol requires ∼3 days to grow the culture, 3.5 hr to isolate the DNA, and after an overnight resuspension, ∼2 hr to remove RNA and reprecipitate the DNA. Preparation of yeast chromosomes in agarose plugs takes ∼4 days to grow the yeast culture, ∼1½ hr to form the yeast-containing plugs, ∼6 hr to lyse the yeast, an overnight incubation, and ∼6 hr to wash and prepare the plugs for electrophoresis. Preparation of YAC insert end fragments by PCR takes from 6 hr to overnight to anneal the bubble primers, digest the YAC DNA, and ligate it to the bubbles. Another 3 to 5 hr are needed to amplify the end fragment by PCR. Isolation of YAC end fragments by subcloning requires 2 to 3 days to perform the preliminary analytical Southern blot to identify the enzyme combination of choice for subcloning. Once this is identified, 1 day is required for preparative isolation of the doubly digested DNA fragments, followed by an overnight ligation to the modified pUC 19 vector. An additional day is needed to transform bacteria and grow colonies, and 1 to 2 days are required to identify the specific end-fragment subclones by hybridization. Finally, 2 days are needed to purify the subcloned DNA and to verify its structure by restriction enzyme analysis. Preparation of high-molecular-weight YAC-containing DNA requires ∼4 days to grow the culture, 7 hr to lyse the cells and perform the sucrose-gradient fractionation, an overnight dialysis, and 2 to 3 hr to concentrate the DNA. Following an additional overnight dialysis, the DNA is ready for use. YAC insert cosmid sublibrary preparation and analysis takes 2 days to perform test digestions and ligations. Another 2 days are required to perform the preparative digestion, ligation, packaging, and plating of the library. Two more days are required for preparation of filters, hybridization, washing, and autoradiography.

Contributed by David D. Chaplin and Bernard H. Brownstein
Howard Hughes Medical Institute and Washington University School of Medicine
St. Louis, Missouri
SECTION VI
SPECIALIZED STRATEGIES FOR SCREENING LIBRARIES

UNIT 6.11
Use of Monoclonal Antibodies for Expression Cloning
This unit details the use of transient expression in mammalian cells to screen cDNA libraries with monoclonal antibodies (MAb) to isolate cDNA clones encoding cell-surface and intracellular proteins. The first basic protocol describes the cloning of cDNAs encoding cell-surface antigens. Several steps in this protocol involve transfection procedures that are described in greater detail in UNIT 16.12. The second basic protocol is a modification that facilitates isolation of cDNAs encoding antigens that are expressed intracellularly. Both protocols are designed for use with the expression vector CDM8, which contains a polylinker for subcloning double-stranded cDNA (Fig. 16.12.1).

BASIC PROTOCOL
ISOLATION OF cDNA CLONES ENCODING CELL-SURFACE ANTIGENS
This protocol is designed to isolate cDNAs encoding cell-surface proteins by screening cDNA libraries transiently expressed in mammalian cells. The procedure requires multiple rounds of transfection and immunoselection and is divided into four sections: (1) COS cell transfection by the DEAE-dextran method, (2) immunoselection by panning, (3) plasmid recovery and E. coli transformation, and (4) COS cell transfection by the spheroplast fusion method. A total of four rounds of transfection and immunoselection (one using DEAE-dextran, three using spheroplast fusions; Fig. 6.11.1) are used. After the final round of immunoselection, plasmid DNA is prepared from individual bacterial colonies. COS cells are then transfected with this DNA by the DEAE-dextran method and examined for their ability to express the foreign protein of interest by immunofluorescence microscopy (UNIT 14.6) or flow cytometry analysis (Holmes and Fowlkes, 1991).
DEAE-dextran transfection is a highly efficient means of introducing the cDNA library into COS cells to ensure that the transfected cells receive as complete a library representation as possible. Typically, ten 100-mm tissue culture plates of COS cells are transfected (Fig. 6.11.1). The subsequent panning steps allow rapid and efficient culling of cells expressing the protein of interest from the bulk of the transfected cells (each 60-mm, antibody-coated plate can be used to pan 1–2 × 10^7 transfectants). Plasmid DNA can be rescued from the panned cells by obtaining a Hirt supernatant (Hirt, 1967) and, following amplification in E. coli, the plasmid DNA can be reintroduced into COS cells using spheroplast fusion. This transfection procedure ensures that a single plasmid type is delivered into each transfectant, allowing greater enrichment in subsequent rounds of transfection and immunoselection. Each round of screening usually requires a set of six fusions and each set of six fusions requires 100 ml of cells in broth.

NOTE: All incubations are performed in a humidified 37°C, 5% CO2 incubator unless otherwise noted. See Chapter 9 introduction for critical parameters concerning media components and preparation.

Materials
Complete Dulbecco's minimum essential medium containing 10% (v/v) NuSerum or 10% (v/v) calf serum (complete DMEM-10 NS or complete DMEM-10 CS; APPENDIX 3F)
100-mm tissue culture plates seeded with COS cells (∼50% confluent)

Contributed by Diane Hollenbaugh, Alejandro Aruffo, Bryan Jones, and Peter Linsley
Current Protocols in Molecular Biology (1998) 6.11.1-6.11.16
Copyright © 2003 by John Wiley & Sons, Inc.
cDNA library: plasmid expression vector DNA containing >10^6 cDNA clones (UNIT 5.8; see background information), CsCl-purified (UNITS 1.7 & 9.1)
Phosphate-buffered saline (PBS; APPENDIX 2)
DEAE-dextran/chloroquine solution: PBS containing 10 mg/ml DEAE-dextran (Sigma) and 2.5 mM chloroquine (Sigma)
10% (v/v) DMSO in PBS
Trypsin/EDTA solution: PBS containing 0.5 mg/ml trypsin + 0.2 mg/ml EDTA
0.5 mM EDTA/0.02% (v/v) azide in PBS
0.5 mM EDTA/0.02% (v/v) azide/5% (v/v) calf serum in PBS
1 µg/ml purified monoclonal antibody (MAb) or 1:100 dilution of ascites fluid (UNIT 11.1)
0.5 mM EDTA/0.02% (v/v) azide/2% (w/v) Ficoll
60-mm antibody-coated plates (first support protocol)
5% (v/v) calf serum in PBS
0.6% (w/v) SDS/10 mM EDTA
5 M NaCl (APPENDIX 2)
Phenol (extracted twice with 1 M Tris⋅Cl, pH 7.5)
2 µg/µl linear polyacrylamide
TE buffer, pH 7.5 (APPENDIX 2)
Electroporation-competent E. coli cells (UNIT 1.8)
LB medium (UNIT 1.1)
100 mg/ml spectinomycin or 35 mg/ml chloramphenicol in ethanol
20% (w/v) sucrose/50 mM Tris⋅Cl, pH 8.0, ice cold
5 mg/ml lysozyme (Sigma #L6876), freshly prepared in 250 mM Tris⋅Cl, pH 8.0
250 mM EDTA, ice cold (APPENDIX 2)
50 mM Tris⋅Cl, pH 8.0 (APPENDIX 2)
Figure 6.11.1 Isolation of a cDNA clone encoding a cell-surface antigen by transient expression in mammalian cells. [Flowchart: cDNA library → DEAE-dextran transfection (steps 1-4) → panning (steps 6-12) → plasmid recovery (steps 13-18) → plasmid amplification (step 19) → protoplast fusion (steps 20-36), repeated 3 times → isolation of DNA from single colonies → DEAE-dextran transfection → immunofluorescence analysis.]
10% (w/v) sucrose/10 mM MgCl2 in DMEM (GIBCO/BRL #320-1960AJ) without serum, filter sterilized
60-mm tissue culture plates seeded with COS cells (∼50% confluent)
50% (w/w) PEG 1000 or 1450 in DMEM (no serum), adjusted to pH 7 with 7.5% (w/v) sodium bicarbonate (Baker or Kodak)
DMEM without serum
Complete DMEM-10 CS (APPENDIX 3F) containing 15 µg/ml gentamycin sulfate
Nylon mesh, 100-µm pore size (Tetco)
Sorvall GSA rotor or equivalent
Swinging-bucket centrifuge (e.g., Sorvall RT-6000B)
Additional reagents and equipment for transformation of E. coli by electroporation (UNIT 1.8), phenol extraction and ethanol precipitation (UNIT 2.1), alkaline lysis miniprep (UNIT 1.7), and immunofluorescence (UNIT 14.6)

Transfect COS cells using DEAE-dextran
1. Add 5 ml complete DMEM-10 NS to each 100-mm plate of COS cells to be transfected. Each 100-mm plate should be ∼50% confluent the day of transfection (∼5 × 10^6 cells). This protocol is designed to be used with COS cells and is too harsh for WOP or MOP cells (see background information). If these murine lines must be used, it is important to reduce both the concentration of DEAE-dextran used to 200 µg/ml final and the time that the cells are exposed to the transfection medium to 2 hr, and to use IMDM (Iscove's modified Dulbecco's medium; GIBCO/BRL #430-2200) in place of DMEM (prepare complete IMDM media as for complete DMEM media, but omit amino acids).
2. To each dish, add 5 µg cDNA library and mix, then add 0.2 ml DEAE-dextran/chloroquine solution and mix. Incubate 4 hr. Typically, libraries of >10^6 clones are used to obtain plasmid DNA. It is important that the DNA and the DEAE-dextran form a fine, invisible precipitate. If the DNA is not diluted prior to addition of DEAE-dextran, a large DNA/DEAE-dextran precipitate forms (it is easily seen), which is not readily taken up by the cells. Check the cells after ∼3 hr exposure to the DEAE transfection mix, as their health can decline rapidly. This is particularly true of chloroquine transfections, and it is usually better to shorten the transfection than to allow too many cells to die.
3. Aspirate the medium and add 2 ml of 10% DMSO. Incubate ≥2 min at room temperature. The time that the cells are exposed to the DMSO is not critical.
4. Remove DMSO and replace with 10 ml complete DMEM-10 CS. Incubate overnight.
5. Aspirate the medium, add PBS, then aspirate the PBS. Add 2 ml trypsin/EDTA to each plate and incubate 5 to 15 min until cells have lifted from the plate. Replate the cells on two new 100-mm plates and incubate overnight. Replating the cells allows them to recover more effectively from the transfection. In addition, the DEAE-dextran transfection makes the cells sticky and replating allows them to be lifted from the plates with EDTA to initiate the panning step.
Immunoselect the cells by panning
6. Aspirate the medium, add 2 ml EDTA/azide solution, and incubate 10 to 20 min to detach cells from plates.
7. Pipet vigorously with a short Pasteur pipet to dislodge the cells, then transfer cells from each plate into a 15-ml centrifuge tube.
8. Centrifuge 4 min at 200 × g (e.g., 1000 rpm in a Sorvall RT-6000B with GSA rotor or in a tabletop centrifuge) and discard supernatant.
9. Resuspend cells in 0.5 to 1.0 ml EDTA/azide/calf serum solution and add purified MAb to 1 µg/ml final or ascites at a 1:100 dilution final. Incubate 30 to 60 min on ice.
10. Add an equal volume of EDTA/azide solution and carefully layer on 3 ml EDTA/azide/Ficoll solution. Centrifuge 4 min at 200 × g. Aspirate supernatant in one smooth movement.
11. Add 3 ml EDTA/azide/calf serum solution to each antibody-coated plate. Resuspend cells in 0.5 ml EDTA/azide solution, then add aliquots of the cells to these plates by pipetting them through a nylon mesh. Leave 1 to 3 hr at room temperature. Four 6-mm antibody-coated plates are used in each round of panning. It is important to pass the cells through the nylon mesh to break up large clumps of cells which might contain both positive and negative cells. This ensures that individual antibody-coated cells bind to the panning plate.
12. Remove excess cells not adhering to the plate by gently washing two to three times with 3 ml of 5% calf serum (or complete DMEM-10 NS or complete DMEM-10 CS). Washing gently means swirling the plate with a smooth motion for ∼30 sec. The plate obtained after these washes is known as a panned plate.
Recover plasmid DNA and transform E. coli 13. Add 0.4 ml SDS/EDTA solution to the panned plate and leave 20 min at room temperature (to lyse the cells). This incubation period can be as little as 1 min if there are only a few cells on the plate.
14. Pipet the viscous mixture into a microcentrifuge tube. Add 0.1 ml of 5 M NaCl, mix, and place ≥3 hr on ice or leave overnight at 4°C. The viscosity is primarily due to the genomic DNA. It is important to avoid shearing the genomic DNA so that it will not contaminate the plasmid DNA. Keeping the mixture as cold as possible seems to improve the quality of the Hirt supernatant.
15. Microcentrifuge 4 min at top speed, 4°C, and remove supernatant carefully.
16. Extract with phenol (twice if the first interface is not clean) and add 5 µl (10 µg) of 2 µg/µl linear polyacrylamide (or other carrier).
17. Fill the tube to the top with 100% ethanol and precipitate. Resuspend the pellet in 0.1 ml TE buffer, pH 7.5.
18. Add 10 µl of 3 M sodium acetate and 300 µl of 100% ethanol, and repeat precipitation. Resuspend the pellet in 0.1 ml TE buffer, pH 7.5.
19. Transform electroporation-competent E. coli cells by electroporation using DNA obtained from step 18. Incubate overnight at 37°C. Approximately 10^5 bacterial colonies should be obtained. It is advisable to transform E. coli with an aliquot of DNA to determine the amount necessary to obtain 10^5 colonies. Generally 1⁄10 to 1⁄4 of the recovered DNA will be used.
Prepare the spheroplasts
20. Rinse the plate from step 19 several times with LB medium while scraping with a spreader to dislodge the bacteria. Use 1⁄10 to 1⁄5 of the pooled scrapings to inoculate 200 ml of LB medium. Grow to OD600 = 0.5 at 37°C with shaking.
21. Add 100 mg/ml spectinomycin to 100 µg/ml or 35 mg/ml chloramphenicol to 150 µg/ml. Incubate with shaking 10 to 16 hr at 37°C. Do not let the cells grow >16 hr or they will begin to lyse. If the cells lyse, do not proceed.
22. Centrifuge 100 ml of the culture in a 250-ml bottle, 5 min at 4000 × g (e.g., 5000 rpm in a Sorvall with GSA rotor), room temperature or 4°C.
23. Drain well and resuspend pellet in 5 ml of ice-cold sucrose/Tris⋅Cl, pH 8.0.
24. Add 1 ml of 5 mg/ml lysozyme solution. Incubate 5 min on ice.
25. Add 2 ml of ice-cold 250 mM EDTA, pH 8.0, and incubate 5 min on ice.
26. Add 2 ml of 50 mM Tris⋅Cl, pH 8.0, and incubate 5 min in a 37°C water bath.
27. Place on ice. Check percent conversion to spheroplasts by microscopy. A good spheroplast preparation gives about 80% to 90% conversion; anything 106 cDNA clones (UNIT 5.8; see background information), CsCl purified (UNITS 1.7 & 9.11)
Trypsin/EDTA solution: PBS containing 0.5 mg/ml trypsin + 0.2 mg/ml EDTA
Phosphate-buffered saline (PBS; APPENDIX 2)
Methanol
1% (w/v) nonfat dry milk in PBS with and without monoclonal antibody (MAb)
1% (w/v) nonfat dry milk in PBS containing 0.25 µCi/ml of 125I-labeled protein A
0.6% (w/v) SDS/10 mM EDTA buffer
LB medium (UNIT 1.1)
Polyvinylidene-wrapped plates (second support protocol)
X-ray film
Polyvinylidene wrap (e.g., Saran Wrap)
Rubber cement
Luminescent stickers
Additional reagents and equipment for alkaline lysis miniprep (UNIT 1.7) and autoradiography (APPENDIX 3)

Transfect cells and fix with methanol
1. Transfect ten 100-mm plates of COS cells with the cDNA library using the DEAE-dextran method as described in steps 1 to 4 of the first basic protocol.
2. Trypsinize each plate of transfected COS cells using trypsin/EDTA as described in step 5 of the first basic protocol and replate onto polyvinylidene-wrapped plates. Incubate 1 to 2 days. Cells should be split at a ratio that will provide 50% to 75% confluency the following day. Complete DMEM containing penicillin and streptomycin should be used to avoid minor contamination that may occur because the plates are not sterile.
3. Remove medium from transfected COS cells. Wash plates by adding 5 ml PBS and aspirating at room temperature. Repeat wash one time. Generally, 15 to 20 plates are used.
4. Add ∼6 ml methanol and incubate 5 min at room temperature.
5. Wash plates three times with PBS, leaving the first addition of PBS on the plate for 2 to 3 min before aspirating.
6. Add 4 ml of 1% dry milk containing MAb to each plate. Incubate 30 to 60 min at room temperature.
7. Wash plates twice by adding 5 ml of 1% dry milk (without MAb), swirling gently, and removing solution.

Radiolabel and locate positive cells
8. Add 4 ml of 1% dry milk in PBS containing 125I-labeled protein A to each plate. Incubate 30 min at room temperature.
9. Rinse plates four times with 1% dry milk in PBS and one time with PBS at room temperature. Remove all excess liquid.
It is helpful to prop the plates on edge to remove the excess liquid.
10. Completely cover a piece of X-ray film with polyvinylidene wrap and tape the edges of the wrap to the film. Paint the wrap with a thin layer of rubber cement. Allow rubber cement to dry briefly. The X-ray film acts as a support and may be a used piece that would otherwise be discarded. The presence of rubber cement does not appear to affect DNA recovery. Five plates will fit on an 8 × 10–inch (20.3 × 25.4–cm) film or 15 plates will fit on a 14 × 17–inch (35 × 43–cm) film.
11. Paint the bottom surface of the polyvinylidene-wrapped plate with a thin layer of rubber cement and allow the rubber cement to dry briefly.
12. Place the plates on the support. Lift the plate slightly and cut the wrap away from the edge of the plate. The wrap with the cells will be left on the X-ray film. By slightly lifting the plate, a scalpel held nearly horizontal along the inside of the plate can be used to cut the wrap from the plate without cutting the wrap on the support. While this technique is not difficult, it is advisable to practice it on nonradioactive samples.
13. Affix luminescent stickers to the support. Cover the support and samples with polyvinylidene wrap. There are now three layers of wrap on the support. Without the luminescent stickers, the film cannot be aligned over the samples to recover positive cells. Careful alignment is necessary to recover positive cells (there will be insufficient background to use the location of the samples for alignment).
14. Autoradiograph with an intensifying screen for 1 to 2 days at −70°C. Develop the film.
15. Align the film over the support using the luminescent stickers. Mark the location of positive cells by piercing the film alongside the spot with a needle (this leaves a mark on the polyvinylidene wrap). A light box is helpful for locating the positive cells on the film.
16. Remove the film. Cut small squares of ∼3 mm in the polyvinylidene wrap at the places it is marked.

Recover plasmid DNA and isolate the positive clone
17. Add 400 µl of SDS/EDTA buffer to a microcentrifuge tube. Place squares in tube (10 to 25 squares per tube) and incubate 30 min at room temperature. All three layers of wrap are placed in the tube.
18. Recover plasmid DNA and transform E. coli as in steps 14 to 19 of the first basic protocol, plating transformed bacteria on separate LB plates to form pools of appropriate numbers of clones. Incubate overnight at 37°C.
19. Collect the bacteria from the LB plates by rinsing several times with LB medium while scraping with a spreader to dislodge the bacteria.
20. Prepare plasmid DNA from the scraped colonies using an alkaline lysis miniprep.
21. Transfect COS cells with the pools of plasmid DNA by the DEAE-dextran method as described in steps 1 to 4 of the first basic protocol. In general, 1⁄10 to 1⁄5 of the DNA obtained from 1000 colonies is used to transfect one 100-mm plate of COS cells.
22. Repeat steps 2 to 14 above to identify pools enriched with the gene of interest. Store the appropriate plasmid DNA in TE buffer at −20°C. When screening pools, it is possible to use 60-mm plates (reduce all volumes to 1⁄3).
23. Prepare DNA from a single bacterial colony, transfect COS cells, and analyze as in steps 38 and 39 of the first basic protocol.

SUPPORT PROTOCOL
PREPARATION OF POLYVINYLIDENE-WRAPPED PLATES
Plates are prepared in which the growth surface is a polyvinylidene wrap (to be used in the second basic protocol). The plates are quite sturdy and can be used in the same manner as standard tissue culture plates. Plates may be prepared a day or two in advance but the wrap will stretch and become floppy on prolonged storage.

Additional Materials
Chloroform
70% ethanol
0.1 mg/ml poly-L-lysine HCl (Sigma) in 50 mM Tris⋅Cl, pH 8.0, freshly prepared
100-mm or 60-mm tissue culture plates

1. Break the bottoms out of a 100- or 60-mm tissue culture plate with a blunt object. Safety glasses are advisable. Strike the plate near the sides of the plate rather than in the center. If too much force is used, the sides of the plate will break as well. Structural stability is increased if the outer edges of the bottoms are not removed.
2. In a fume hood at room temperature, dip the top rim of the plate in chloroform to a depth of ∼3 mm.
3. Shake off excess chloroform and place plate on a piece of polyvinylidene wrap laid flat. Place the plate and attached film into the lid of the plate to force the wrap into contact with the edges of the plate.
4. Remove the lid and gently but firmly pull the film tight to form a smooth surface. Adhesion of the film to the outside of the plate helps maintain the strength of the seal.
5. Cut excess wrap from the plate with a razor blade. The plate is now essentially inverted. The lid is placed over the opening that had been the bottom of the plate. When using 100-mm plates, a second lid is used to support the new wrap bottom.
6. Wash the plate two times with 70% ethanol. Allow the wrap to soak in the ethanol ∼30 min.
7. Wash the plate with water.
8. Add 0.1 mg/ml poly-L-lysine to the plate—11 ml for a 100-mm plate and 4 ml for a 60-mm plate. Incubate 2 hr to overnight at room temperature.
9. In a tissue culture hood, rinse the plates twice with PBS. Dishes should not be stored more than a few days because the wrap will stretch and become loose.
COMMENTARY
Background Information
Transient expression in mammalian cells has emerged as a powerful method for isolating cDNA clones that encode secreted cell-surface and intracellular proteins. It was first used to isolate cDNA clones encoding the lymphokine granulocyte/macrophage colony stimulating factor (GM-CSF; Lee et al., 1985; Wong et al., 1985). This cloning strategy is well suited for isolating any secreted proteins for which a rapid and sensitive bioassay exists, and has since been applied to isolate cDNA clones encoding a number of different lymphokines. Transient expression cloning was combined with the simple but powerful immunoselection technique of panning (Wysocki and Sato, 1978) to isolate a cDNA encoding the T cell–surface proteins CD2 and CD28 (Seed and Aruffo, 1987; Aruffo and Seed, 1987). This procedure has since been used to isolate cDNA clones encoding a number of different cell-surface proteins when antibodies against them were available. When antibodies against a cell-surface receptor of interest are not available, but its ligand is, transient expression in mammalian cells has been combined with ligand-binding assays to isolate cDNA clones encoding the receptor. This strategy was first used to isolate a cDNA clone encoding the receptor for the lymphokine interleukin 1 (Sims et al., 1988). Modifications to this protocol (Gearing et al., 1989) have since allowed the use of this strategy to isolate a number of receptors. Recent improvements have allowed the use of transient expression in mammalian cells to isolate cDNA clones encoding intracellular proteins, including the major DNA-binding protein of the erythroid lineage (Tsai et al., 1989), the lysosomal membrane glycoprotein CD63 (Metzelaar, 1991), and fucosyltransferase, which adds fucose to N-acetylglucosamine with α(1,3) linkages, allowing the expression of the sialyl CD15 antigen (Goelz et al., 1990).

Transient expression in mammalian cells. Mammalian cells are ideal hosts for screening cDNA libraries prepared using mRNA isolated from higher eukaryotes. These cells are able to synthesize transcripts correctly from the cDNA clones in the library and are likely to process the proteins that they encode appropriately, thus maximizing the likelihood that the foreign proteins will be present in their native state and will be detectable using functional or immunological assays.
Mammalian cells were initially used as the host for isolation of genomic DNA fragments encoding oncogenes by stably introducing genomic DNA fragments derived from human tumors into murine cells (Goldfarb et al., 1982; Shih and Weinberg, 1982). The gene encoding the oncogene was then rescued from the transfected cells that had acquired the transformed phenotype. Stable transfections of mammalian cells were subsequently combined with immunoselection procedures to isolate genomic DNA fragments encoding the human HLA and β2-microglobulin genes (Kavathas and Herzenberg, 1983) and cDNA clones encoding the T cell–surface proteins CD8 (Kavathas et al., 1984; Littman et al., 1985) and CD4 (Maddon et al., 1985). The time involved in obtaining stable transfectants expressing the gene of interest and the difficulties associated with recovering the transfected DNA from the host's chromosomal DNA have limited the number of genes isolated using this cloning strategy. These difficulties prompted the development of transient expression systems for use in cloning with mammalian cells as the screening host. Unlike stable transfection, these methods permit rapid preparation and detection of transfectants expressing the protein of interest and efficient recovery of the DNA encoding it. Many technical advances have permitted efficient and routine screening of cDNA libraries in transiently expressing mammalian cells. These include the following developments: shuttle vectors that contain the appropriate eukaryotic transcription elements for high-level protein expression in transfected mammalian cells, mammalian cell lines that can act as effective heterologous expression hosts, and transfection protocols that allow efficient introduction of plasmid DNA into mammalian cells.

Expression vectors. A number of mammalian expression vectors permit screening of cDNA libraries by transient expression in mammalian cells (Chapter 16; Kaufman, 1990). These plasmids contain at least four basic elements: an efficient eukaryotic transcription unit, a viral-derived origin of replication, a prokaryotic origin of replication, and a prokaryotic selectable marker. One particular expression vector, CDM8 (Seed, 1987; Fig. 16.12.1; available from Invitrogen #V308-20), is especially engineered for these purposes and is described in detail in UNIT 16.12. CDM8 contains origins of replication derived from polyoma and SV40 viruses that allow for plasmid replication in cell lines expressing the polyoma or SV40 large T antigen, respectively; these are usually WOP cells (Dailey and Basilico, 1985) and COS cells (Gluzman, 1981), respectively. Bacterial and M13 origins of replication (ori) are also present, allowing for plasmid amplification in bacteria and production of single-stranded DNA, respectively. The plasmid contains a supF gene as a prokaryotic selectable marker and a T7 RNA polymerase promoter for the preparation of mRNA in vitro from the subcloned cDNAs.

Mammalian cell lines. A number of cell lines have been developed that are excellent hosts for screening cDNA libraries prepared in the vector described above. Perhaps the most popular is the COS cell line (Gluzman, 1981), which was derived from the African green monkey kidney cell line CV-1 by transformation with an origin-defective SV40 virus. This cell line produces wild-type SV40 large T antigen but no viral particles. When plasmids containing an SV40 virus–derived ori are transfected into COS cells, the plasmid is replicated to a high copy number by 48 hr posttransfection (10,000 to 100,000 copies/cell). This high-level replication has two important consequences. First, it amplifies all DNA templates available for transcription. Second, it allows for recovery of the plasmid encoding the protein of interest from the immunoselected cells. This last point is of importance in the two basic cloning protocols because each cycle of transfection and immunoselection is followed by a plasmid-rescue step. Other cell lines that have been used for expression cloning include the murine cell lines WOP (Dailey and Basilico, 1985) and MOP (Muller et al., 1984).
These two cell lines express the polyoma large T antigen, allowing the replication of plasmids containing a polyoma origin of replication in the transfected cells (1,000 to 10,000 copies/cell, 48 hr posttransfection). Another cell line, CV-1/EBNA, has been developed for screening cDNA libraries in conjunction with the expression vector pDC406, which contains an Epstein-Barr virus ori (McMahan et al., 1991). The ability of COS cells to endure the transfection protocols and their ability to replicate the transfected plasmid to a very high copy number make them the cells of choice when screening a cDNA library with the methods described here. However, when the antibodies to be used in the immunoselection step cross-react with proteins expressed by COS cells, another cell line must be used. In these cases, WOP or MOP cells can be used successfully, in spite of their more delicate nature and lower copy numbers of transfected plasmid.

Mammalian cell transfection. A number of transfection protocols have been developed for efficient introduction of foreign DNA into mammalian cells, including calcium phosphate, DEAE-dextran, spheroplast fusion, lipofection, and electroporation (UNITS 9.1-9.5). Two factors determine which transfection procedure should be used when screening a cDNA library by transient expression in mammalian cells: first, the efficiency of transfection, and second, the number of different plasmids that are introduced into each cell during transfection. Two transfection protocols, DEAE-dextran (McCutchan and Pagano, 1968) and spheroplast fusion (Sandri-Goldin et al., 1981), are discussed below.

The mechanism by which DEAE-dextran transfection introduces foreign DNA into cells is poorly understood. It is believed that the positive charge of the DEAE-dextran polymer neutralizes the negative charge of the DNA polymer, forming a fine precipitate that can come into contact with the plasma membrane of the host cell. The DEAE-dextran/DNA complex is then internalized by pinocytosis. Some of this DNA makes its way to the host-cell nucleus, where it is replicated and transcribed. Because the foreign DNA enters the cell via endosomes, DNA integrity is enhanced by the addition of chloroquine to the transfection medium to prevent endosome acidification. DEAE-dextran transfections are very efficient, allowing for transfection of up to 70% of the host cells and delivery of up to 200 different plasmids into each transfected cell.

Introducing foreign DNA into mammalian cells by spheroplast fusion is very inefficient, allowing for transfection of only 1% to 2% of the host cells. Bacteria containing the foreign DNA are treated with lysozyme to remove their cell walls.
The resulting spheroplasts are then fused with the host mammalian cell using polyethylene glycol (PEG), allowing introduction of the foreign DNA directly into the host cell cytoplasm. The DNA is then replicated and transcribed in the nucleus. Because of the inefficiency of the procedure, each host cell fuses with only one spheroplast, on average, introducing only a single plasmid type into each transfected cell.

The immunoselection screening method described in the first basic protocol involves multiple rounds of mammalian cell transfection, immunoselection, and plasmid rescue steps. The rescued plasmids are amplified in E. coli and reintroduced into mammalian cells to initiate additional rounds of enrichment. To take full advantage of immunoselection, both methods of transfection are used. When the cDNA library is first introduced into mammalian cells, it is important to obtain a complete representation of the library in the transfected host cells, ensuring that the protein of interest is expressed by the transfectants. For this reason, the first round of enrichment is initiated using DEAE-dextran transfection. In subsequent cycles of enrichment, it is important that a single plasmid type be delivered into each of the transfected cells to maximize the level of enrichment obtained in the subsequent immunoselection steps. This is accomplished using spheroplast fusion transfection.

Immunoselection procedures. Two immunoselection techniques designed to rapidly select and enrich for plasmids encoding proteins of interest from a cDNA library transfected into mammalian cells are described. The first strategy is designed to isolate cDNA clones encoding surface proteins. A cDNA library prepared in a mammalian expression vector is transfected into COS cells using DEAE-dextran transfection. Forty-eight hours posttransfection, the cells are lifted from the plate and incubated with antibodies directed against the protein of interest. Cells expressing the foreign protein on their cell surface are easily culled from the bulk of the transfected cells by panning on plastic plates coated with anti-antibody antibodies (Wysocki and Sato, 1978). Plasmid DNA is then recovered from the transfected cells by the method of Hirt (Hirt, 1967), amplified in E. coli, and reintroduced into COS cells by spheroplast fusion.
Two additional rounds of spheroplast fusion and panning are usually required to enrich for the plasmid encoding the protein of interest. Panning has many advantages over other immunoselection procedures. It is fast, efficient (10^7 cells can easily be panned on two 60-mm plastic plates in 30 min), and very inexpensive. Other immunoselection techniques, such as sorting of fluorescence-labeled cells (Holmes and Fowlkes, 1991), may be used to screen cDNA libraries in transiently expressing mammalian cells (Yamasaki et al., 1988), but the greater demands on time, equipment, and technical expertise make these methods much less attractive.
The second strategy is designed to isolate cDNA clones encoding intracellular antigens. This method is a combination of the techniques described by Munro and Maniatis (1989) and Metzelaar et al. (1991). COS cells are transfected with a cDNA library by DEAE-dextran transfection. The day after transfection, they are replated onto poly-L-lysine-coated polyvinylidene wrap and allowed to grow for 1 to 2 additional days. They are then washed and fixed with methanol. The permeabilized cells are incubated with antibodies directed against the protein of interest, washed, and incubated with 125I-labeled protein A. After washing, they are exposed to film to identify radiolabeled cells, which are then recovered by cutting the polyvinylidene wrap. The plasmid DNA is recovered from these cells by the method of Hirt, amplified in E. coli, and subjected to additional rounds of transfection and immunoselection.
Critical Parameters

The cloning strategy described in the first basic protocol is well suited for isolating cDNA clones encoding cell-surface proteins (see discussion above). If a cDNA library is thought to contain cDNA clones encoding a number of proteins of interest, it is possible to isolate all of them simultaneously by simply using a mixture of antibodies against all of the proteins of interest in the panning steps of the first three rounds of enrichment. The last cycle of immunoselection is carried out independently with antibodies against each of the different proteins.

Many times antibodies directed against the protein(s) of interest are of multiple isotypes. In this case, it is important to use panning plates that have been coated with anti-Ig antibodies that bind to each of the isotypes present in the initial antibody pool. Alternatively, individual panning plates can be prepared for each of the antibody isotypes present in the initial antibody pool, but no significant advantage is achieved.

Although this cloning strategy has allowed isolation of a large number of cDNA clones encoding cell-surface proteins, it has some serious limitations. As with any expression cloning system, the gene of interest must initially be present in the library, the target protein must be functional or immunoreactive as a single chain, and the host system must posttranslationally modify the protein appropriately when these modifications are required for function or immunoreactivity. Compared with earlier bacterial expression cloning systems, the mammalian expression systems presented here are more likely to appropriately modify the gene products of higher eukaryotes. However, these methods require the host mammalian cell to express the target protein on its surface as a single molecule. This may not occur in cases where the target protein is part of a heterocomplex that requires more than one member for surface expression.

Several factors contribute to the successful application of this cloning strategy. The most critical parameter when screening a cDNA library by expression in mammalian cells is the quality of the cDNA library (for a more complete discussion, see UNIT 5.8). In addition, the quality and transfectability of the COS cells are of utmost importance. COS cells maintained in culture for prolonged periods tend to become refractory to transfection. For this reason, it is important to check the cells periodically for transfectability and replace them with cells from frozen stocks when necessary. The competency level of the bacterial cells used to amplify the DNA rescued from the immunoselection step is very important and should be determined prior to the start of the experiment. If only a few positive cells are immunoselected by panning, it is of utmost importance that this plasmid DNA work its way into the bacteria so that it can potentially be amplified and thus be available for subsequent rounds of transfection and immunoselection. Ideally, only cells whose competency level is ≥10^9 cfu/µg DNA should be used. For most bacterial strains, this can be achieved using electroporation. When using panning to immunoselect the transfected cells, it is important to check that the antibody directed against the protein of interest does not bind to COS cells. If it does, another cell line should be used for screening.
The researcher must also be mindful that DEAE-dextran treatment of cells changes their phenotype, and thus the antibodies to be used in the panning step should be tested for cross-reactivity with mock-transfected cells. The most difficult step, technically, is the spheroplast-fusion step. Careful timing of cell exposure to PEG is necessary to promote fusion while minimizing cell death. Although lower-molecular-weight PEG (PEG 1000) results in more efficient fusion, it is more toxic to the cells. The cloning strategy described in the second basic protocol will not be effective if the antibodies used recognize epitopes that are sensitive to methanol treatment. Testing of the target cells may reveal this limitation. If methanol sensitivity cannot be assayed, multiple antibodies against a given protein should be used when available.
Anticipated Results

In the first basic protocol, the authors typically use DNA prepared from a cDNA library of ≥10^6 clones for screening. After four rounds of transfection, immunoselection, and plasmid rescue, 12 individual colonies are picked and plasmid DNA prepared from them. If the cloning procedure has been successful, at least one DNA preparation directs the expression of the protein of interest. In general, if the screening is unsuccessful, this indicates that the clone of interest may not be present in the library. In this case, screening of a new cDNA library may be successful. Unsuccessful screening may also indicate that the target gene is refractory to cloning using this strategy. Possible alternative methods are described in Chapter 5. In the second basic protocol, three to five spots are generally obtained on each 100-mm plate. It is possible to enrich a mixture that is 1:10,000 in the desired clone to 1:100 with a single immunoselection step.
Time Considerations

In the first basic protocol, the cloning strategy involves multiple steps. Each cycle of transfection, immunoselection, plasmid rescue, and amplification can be comfortably accommodated in 1 week. On this schedule, it is possible to screen a cDNA library in 1 month. However, the more ambitious can screen a library in 3 weeks. In the second basic protocol, successful application allows identification of positive pools in 1½ weeks. The screening of subsets of the pool can be accelerated by using 60-mm plates. When screening individual clones, transfectants may be assayed by immunofluorescence. The length of time required to obtain a single isolated positive clone will depend on the pool sizes used.
Literature Cited

Aruffo, A. and Seed, B. 1987. Molecular cloning of a CD28 cDNA by a high-efficiency COS cell expression system. Proc. Natl. Acad. Sci. U.S.A. 84:8573-8577.

Dailey, L. and Basilico, C. 1985. Sequence in the polyomavirus DNA regulatory region involved in viral DNA replication and early gene expression. J. Virol. 54:739-749.

Gearing, D.P., King, J.A., Gough, N.M., and Nicola, N.A. 1989. Expression cloning of a receptor for human granulocyte-macrophage colony-stimulating factor. EMBO J. 8:3667-3676.

Gluzman, Y. 1981. SV40-transformed simian cells support the replication of early SV40 mutants. Cell 23:175-182.

Goelz, S.E., Hession, C., Goff, D., Griffiths, B., Tizard, R., Newman, B., Chi-Rosso, G., and Lobb, R. 1990. ELFT: A gene that directs the expression of an ELAM-1 ligand. Cell 63:1349-1356.

Goldfarb, M., Shimizu, K., Perucho, M., and Wigler, M. 1982. Isolation and preliminary characterization of a human transforming gene from T24 bladder carcinoma cells. Nature (Lond.) 296:404-409.

Hirt, B. 1967. Selective extraction of polyoma DNA from infected mouse cell cultures. J. Mol. Biol. 26:365-369.

Holmes, K. and Fowlkes, B.J. 1991. Preparation of cells and reagents for flow cytometry. In Current Protocols in Immunology (J.E. Coligan, A.M. Kruisbeek, D.H. Margulies, E.M. Shevach, and W. Strober, eds.) pp. 5.3.1-5.3.11. Greene Publishing and John Wiley & Sons, New York.

Kaufman, R.J. 1990. Overview of vectors used for expression in mammalian cells. Methods Enzymol. 185:487-511.

Kavathas, P. and Herzenberg, L.A. 1983. Stable transformation of mouse L cells for human membrane T-cell differentiation antigens, HLA and β2-microglobulin: Selection by fluorescence-activated cell sorting. Proc. Natl. Acad. Sci. U.S.A. 80:524-528.

Kavathas, P., Sukhatme, V.P., Herzenberg, L.A., and Parnes, J.R. 1984. Isolation of the gene encoding the human T-lymphocyte differentiation antigen Leu-2 (T8) by gene transfer and cDNA subtraction. Proc. Natl. Acad. Sci. U.S.A. 81:7688-7692.

Lee, F., Yokota, T., Otsuka, T., Gemmell, L., Larson, N., Luh, J., Arai, K.-I., and Rennick, D. 1985. Isolation of cDNA for a human granulocyte-macrophage colony-stimulating factor by functional expression in mammalian cells. Proc. Natl. Acad. Sci. U.S.A. 82:4360-4364.

Littman, D.R., Thomas, Y., Maddon, P.J., Chess, L., and Axel, R. 1985. The isolation and sequence of the gene encoding T8: A molecule defining functional classes of T lymphocytes. Cell 40:237-246.

Maddon, P.J., Littman, D.R., Godfrey, M., Maddon, D.E., Chess, L., and Axel, R. 1985. The isolation and nucleotide sequence of a cDNA encoding the T cell surface protein T4: A new member of the immunoglobulin gene family. Cell 42:93-104.

McCutchan, J.H. and Pagano, J.S. 1968. Enhancement of the infectivity of simian virus 40 deoxyribonucleic acid with diethylaminoethyl-dextran. J. Natl. Cancer Inst. 40:351-357.

McMahan, C.J., Slack, J.L., Mosley, B., Cosman, D., Lupton, S.D., Brunton, L.L., Grubin, C.E., Wignall, J.M., Jenkins, N.A., Brannan, C.I., Copeland, N.G., Huebner, L., Croce, C.M., Cannizzarro, L.A., Benjamin, D., Dower, S.K., Spriggs, M.K., and Sims, J.E. 1991. A novel IL-1 receptor, cloned from B cell by mammalian expression, is expressed in many cell types. EMBO J. 10:2821-2832.

Metzelaar, M.J., Wijngaard, P.L.J., Peters, P.J., Sixma, J.J., Nieuwenhuis, H.K., and Clevers, H.C. 1991. CD63 antigen. J. Biol. Chem. 266:3239-3245.

Muller, W.J., Naujokas, M.A., and Hassell, J.A. 1984. Isolation of large T antigen-producing mouse cell lines capable of supporting replication of polyomavirus-plasmid recombinants. Mol. Cell. Biol. 4:2406-2412.

Munro, S. and Maniatis, T. 1989. Expression cloning of the murine interferon γ receptor cDNA. Proc. Natl. Acad. Sci. U.S.A. 86:9248-9252.

Sandri-Goldin, R.M., Goldin, A.L., Glorioso, J.C., and Levine, M. 1981. High-frequency transfer of cloned herpes simplex virus type I sequences to mammalian cells by protoplast fusion. Mol. Cell. Biol. 1:743-752.

Seed, B. 1987. An LFA-3 cDNA encodes a phospholipid-linked membrane protein homologous to its receptor CD2. Nature (Lond.) 329:840-842.

Seed, B. and Aruffo, A. 1987. Molecular cloning of the CD2 antigen, the T-cell erythrocyte receptor, by a rapid immunoselection procedure. Proc. Natl. Acad. Sci. U.S.A. 84:3365-3369.

Shih, C. and Weinberg, R.A. 1982. Isolation of a transforming sequence from a human bladder carcinoma cell line. Cell 29:161-169.

Sims, J.E., March, C.J., Cosman, D., Widmer, M.B., MacDonald, H.R., McMahan, C.J., Grubin, C.E., Wignall, J.M., Jackson, J.L., Call, S.M., Friend, D., Alpert, A.R., Gillis, S., Urdal, D.L., and Dower, S.K. 1988. cDNA expression cloning of the IL-1 receptor, a member of the immunoglobulin superfamily. Science 241:585-589.

Tsai, S.F., Martin, D.I., Zon, L.I., D'Andrea, A.D., Wong, G.G., and Orkin, S.H. 1989. Cloning of cDNA for the major DNA-binding protein of the erythroid lineage through expression cloning. Nature (Lond.) 339:446-451.

Wong, G.G., Witek, J.S., Tempel, P.A., Wilkens, K.M., Leary, A.C., Luxenberg, D.P., Jones, S.S., Brown, E.L., Kay, R.M., Orr, E.C., Shoemaker, C., Golde, D.W., Kaufman, R.J., Hewick, R.M., Wang, E.A., and Clark, S.C. 1985. Human GM-CSF: Molecular cloning of the complementary DNA and purification of the natural and recombinant proteins. Science 228:810-815.

Wysocki, L.J. and Sato, V.L. 1978. Panning for lymphocytes: A method for cell selection. Proc. Natl. Acad. Sci. U.S.A. 75:2844-2848.

Yamasaki, K., Taga, T., Hirata, Y., Yawata, H., Kawanishi, Y., Seed, B., Taniguchi, T., Hirano, T., and Kishimoto, T. 1988. Cloning and expression of the human interleukin-6 (BSF-2/IFNβ2) receptor. Science 241:825-828.

Key References

Aruffo and Seed, 1987; Seed and Aruffo, 1987. See above. Contain original descriptions of cDNA library construction in CDM8 and isolation of cDNA clones encoding cell-surface antigens by expression cloning.

Metzelaar et al., 1991; Munro and Maniatis, 1989. See above. Contain descriptions of growth of COS cells on wrap and screening for extracellular ligands.

Contributed by Diane Hollenbaugh and Alejandro Aruffo (cell-surface and intracellular antigens)
Bryan Jones and Peter Linsley (intracellular antigens)
Bristol-Myers Squibb
Seattle, Washington
UNIT 6.12

Recombination-Based Assay (RBA) for Screening Bacteriophage Lambda Libraries

The recombination-based assay represents a convenient way to screen a complex library constructed in bacteriophage λ for homology to a given sequence cloned into a specially designed plasmid. The technique serves to screen a bacteriophage library rapidly and efficiently with a sequence cloned into a plasmid; counterselection then yields the gene product of interest with its plasmid carrier deleted. Because 10^6 to 10^7 plaque-forming units (pfu) may be screened using several petri dishes, and the homology for crossing-over need only be >25 bp, the RBA represents an efficient way to screen complex λ libraries rapidly for homology to a given sequence.

BASIC PROTOCOL
In this procedure (outlined in Fig. 6.12.1), a λ library is screened using a specially designed R6K supF plasmid, pAD1 (Fig. 6.12.2), carrying the desired target sequence. Recombinants arising from cross-over events between the plasmid and a bacteriophage carrying a corresponding region of homology are selected by their ability to grow on strain DM21 (Fig. 6.12.3). Growth of λ on DM21 requires the presence of the supF allele encoded on the plasmid to suppress an amber mutation in the host strain that prevents λ propagation. Recovery of the original phage carrying the target sequence requires a reversal of the homologous recombination event. This reversal occurs spontaneously, and is detected by PCR amplification using primers that flank the cloning site in the λ vector (Fig. 6.12.4).
[Figure 6.12.1 (diagram, image not reproduced). Labels: plasmid (supF, Kmr, ori, human probe); λ phage (cos); λ-plasmid chimera (cos, supF, Kmr, ori); host DM21 (lacZam, P1 ban, dnaBam); blue plaque (chimera) versus colorless plaque (phage).]
Figure 6.12.1 The recombination-based assay (RBA). Homology between sequences in a plasmid and a bacteriophage >25 bp long (Watt et al., 1985; Shen and Huang, 1986, 1989; King and Richardson, 1986) mediates a recombination event between the two vectors. As a result supF is integrated into the bacteriophage, allowing it to plate on the dnaBam host DM21 (see Table 6.12.1). The cointegrate yields a blue plaque in the presence of IPTG and Xgal on the lacZam host DM21, as supF suppresses the amber mutations in both the dnaB and lacZ genes. Different shadings indicate origins of DNA regions.

Contributed by David M. Kurnit
Current Protocols in Molecular Biology (1994) 6.12.1-6.12.12
Copyright © 2000 by John Wiley & Sons, Inc.
Materials For recipes, see Reagents and Solutions in this unit (or cross-referenced unit); for common stock solutions, see APPENDIX 2; for suppliers, see APPENDIX 4.
DNA fragment encoding sequence of interest
Plasmid pAD1 (Fig. 6.12.2; available from Dr. D. Kurnit)
recA+ E. coli strain (Table 1.4.5 or commercial suppliers)
L broth (see recipe) with 50 µg/ml kanamycin (Table 1.4.1)
Bacteriophage λ library (UNIT 5.8)
Lambda top agar (see recipe)
Lambda plates (see recipe), some with 50 µg/ml kanamycin and some with 100 µg/ml streptomycin (Table 1.4.1)
Suspension medium (SM; see recipe)
Chloroform
E. coli DM21, DM75, DM392, and DM1061 (Fig. 6.12.3 and Table 6.12.1), saturated overnight cultures freshly grown in LB medium (UNIT 1.1) with 100 µg/ml streptomycin
100 mM IPTG (isopropyl thiogalactoside; Table 1.4.2)
2% Xgal in DMF (see recipe)
Additional reagents and equipment for subcloning DNA into plasmids (UNIT 3.16), culturing (UNIT 1.1) and transformation (UNIT 1.8) of bacteria, plating and titering λ phage (UNIT 1.11), β-galactosidase assay (UNIT 1.4), and PCR amplification (UNIT 15.1)

NOTE: All incubations are at 37°C unless otherwise specified.

Screen library and select recombinants

1. Clone the sequence of interest into a pAD1 plasmid and transform into a recA+ E. coli strain, yielding a kanamycin-resistant recA+ strain. Prepare a saturated overnight culture grown with aeration in L broth containing 50 µg/ml kanamycin.
[Figure 6.12.2 (plasmid map, image not reproduced). Labels: pAD1, 4 kb; R6K ori; Kmr; supF; polylinker with EcoRI, SfiI, NotI, SacII, PstI, PvuII, and BamHI sites.]
Figure 6.12.2 Structure of pAD1. This plasmid incorporates the R6K replicon, Kmr, supF, and a polylinker. It is not homologous to ColE1 plasmids.
2. Mix 3 ml lambda top agar, 200 µl of overnight culture, and 10^6 to 10^7 pfu of a bacteriophage λ library. Mix well and pour the mixture onto a lambda/kanamycin plate. Incubate 7 hr to overnight until total lysis occurs. If more convenient, incubation overnight is perfectly acceptable, because there is no need to harvest the plates just as lysis occurs.
3. Add 3 ml SM and 0.5 ml chloroform to each plate. Swirl lightly. Incubate 2 hr to overnight at room temperature to allow the plates to elute. SM and chloroform are immiscible; swirling them together ensures that the SM is saturated with chloroform, killing any eluted bacteria and minimizing phage adsorption to bacterial debris. The easiest method is to rotate a stack of plates slowly by hand after adding the liquid. Care should be taken not to get chloroform on the petri dish cover, as this can cause fusion of the cover and the plate bottom. If fusion occurs, the cover can be pried from the bottom (e.g., with a screwdriver).
4. Using a nonsterile disposable transfer pipet, harvest the eluate from each plate into a 1.5-ml polypropylene microcentrifuge tube. Although the transfer pipets are polyethylene, they hold chloroform-saturated SM for too short a time-span to be damaged by the solvent. At this stage harvested eluates can be stored ≤1 week at 4°C before continuing the procedure.
5. Add 50 µl of eluate (5 × 10^8 to 1 × 10^9 pfu) to 200 µl DM21 culture. Add 3 ml lambda top agar and pour the mixture onto a lambda/streptomycin plate. Incubate 7 hr to overnight until plaques form. DM21 is selective (dnaBam lacZam) and resistant to streptomycin. DM75, DM1061, and DM392 (used in later steps) are also streptomycin-resistant, with growth and plating conditions identical to those for DM21.
[Figure 6.12.3 (diagram, image not reproduced). Labels: bacterial chromosome of DM21 (dnaBam, lacZam, tonA, λ imm21 P1 ban); λ-plasmid chimera with integrated plasmid (supF, Kmr, ori, human probe) and phage (cos).]
Figure 6.12.3 Bacterial strain DM21 (outer rectangle) containing λ plasmid chimera with supF integrated (inner circle). DM21 has the genotype lacZYA536(am), dnaB266(am), Smr, hsdR+, hsdM+, tonA− (λ imm21 b515 b519 nin5 att+ P1 ban), supO lacZ(am) dnaB(am). The dnaB amber allele selects for λ phage that have supF integrated as shown. supF also suppresses the lacZ amber mutation, yielding blue plaques. Different shadings indicate origins of DNA regions.
Titer eluates on permissive strain

6. Add 10 µl of each eluate to be titered to 990 µl SM to obtain a 1/100 dilution. Prepare a 100-fold dilution series (to 10^−8) in SM. Several random eluates should be titered on the permissive (supF-bearing) strain DM392 to ensure that an appropriate number of phage have been added to the DM21 lawn.
7. Pour a lawn of DM392 (200 µl culture in 3 ml top agar) on a lambda/streptomycin plate. Drop 10-µl aliquots of each eluate dilution onto lawn. Dry 15 min in a forced-air hood (or for longer on bench or in incubator). Incubate 7 hr to overnight until total lysis occurs. This drop-titer procedure is the most convenient method of titering the eluates.
8. Count plaques in the lowest dilution that yields plaques. Convert the result to pfu/ml by multiplying it by the appropriate dilution factor and by a factor of 10^2. Titration ensures that sufficient phage have been added to the DM21 lawn. Should too many be added (more pfu than cells), the lawn will not materialize due to lysis from without. This phenomenon occurs because every cell that is infected with a bacteriophage will die, even though only cells infected by a phage carrying supF will yield a productive burst that then goes on to infect other cells. In rare cases of lysis from without, the plating should be repeated; either the eluate should be titered or less eluate used. Plaques on DM21 are very small, because suppression of the dnaBam mutation (which is not fully efficient) is required for growth. This makes it difficult to confirm that supF is present via simultaneous suppression of the lacZam mutation; therefore, phage must be transferred to another strain as described in the following steps.

[Figure 6.12.4 (diagram, image not reproduced). Labels: plasmid (supF, Kmr, ori, human probe); library phage (cos); plasmid or recombined phage (blue plaque); PCR primers A and B flanking the cloning site of the phage.]

Figure 6.12.4 Counterselection. Reversal of the recombination event (which is an equilibrium event) occurs spontaneously. PCR using primers abutting the cloning site of the bacteriophage is employed preparatively to obtain the cDNA without the genomic sequence in pAD1 that was used to retrieve it. The cDNA insert + pAD1 + genomic insert is too large to be amplified by PCR; in contrast, the cDNA insert alone can be amplified. Because there is an equilibrium between the selected and the counterselected phage, the counterselected insert can be amplified directly from the selected blue plaque, which contains a mixture of the two phages. Different shadings indicate origins of DNA regions.
Confirm phages have integrated supF
9. Elute plaques on DM21 (from step 5) into 100 µl SM. Mix:
10 µl eluate
200 µl DM75 culture
3 ml lambda top agar
10 µl 100 mM IPTG
100 µl 2% Xgal in DMF
Plate on lambda/streptomycin plates. Incubate 7 hr to overnight until total lysis occurs. To mix water and DMF, the tubes of top agar must be inverted and righted several times, taking care not to create bubbles. It is best not to prepare more than several tubes at once, because cells do not tolerate the heating block for very long. Light blue plaques are the desired phage containing supF. A larger number of colorless plaques that have not integrated supF will also plate on this strain; these correspond to phage that were not adsorbed originally on DM21 and therefore remain viable. In addition, for a phage such as λgt11, in which interruption of an intact lacZ gene serves as evidence of successful cloning, blue color can result from an intact lacZ gene in the phage. To differentiate between the two, note that the desired supF suppression of the single-copy chromosomal lacZ locus results in a light blue color that extends only to the plaque margins, whereas the high-copy-number lacZ gene on λgt11 yields a dark blue halo that extends past the plaque margins.
10. Elute each plaque thought to contain an integrated supF (from step 9) into 100 µl SM. Pour lawns of DM75 and DM1061 (200 µl culture in 3 ml top agar/IPTG/Xgal, as in previous step) onto separate lambda/streptomycin plates. Drop 10-µl aliquots of each phage eluate onto a lawn of each strain. Incubate 7 hr to overnight until total lysis occurs. This serves to confirm that plaques result from phage with supF rather than lacZ. Phage with supF will be blue on DM75 (lacZam) but colorless on DM1061 (which contains a lacZ deletion), whereas phage carrying an intact lacZ gene will be blue on both strains.
Counterselect with PCR
11. Pour a lawn of 200 µl DM75 in 3 ml top agar onto lambda/streptomycin plate. Drop 10-µl aliquots of phage eluate onto lawn. Incubate 7 hr to overnight, until a single large plaque (“macroplaque”) appears.
12. PCR amplify the cloned product from the macroplaque using primers that abut the EcoRI cloning site of the λ phage vector used to construct the library. This reverses the selection process and accomplishes counterselection (see Fig. 6.12.4). Using the large macroplaque ensures that sufficient template is present. Because the recombination reaction is an equilibrium reaction, a small fraction of phage within a blue macroplaque represent colorless revertants that have excised the pAD1 plasmid and its insert. In contrast, the major product in the macroplaque carries the phage insert, the plasmid, and the insert. Because this is too large to be amplified efficiently by PCR, the technique preferentially yields the desired genic insert from the phage without the unwanted plasmid and its insert.
13. If desired, sequence the isolated genic clone (UNITS 7.1-7.5) and compare it to a database of known expressed sequences (UNIT 7.7) to obtain information about its possible significance, if available. Repeatedly performing this protocol with different cDNA libraries allows determination of the timing of development and the tissue(s) in which the gene of interest is expressed. The latter can also be determined by using PCR primers specified by the sequence to see if amplification of different cDNA libraries occurs; given the sensitivity of this method, only cDNA library eluates, rather than DNA preparations, need be screened.
REAGENTS AND SOLUTIONS
Use deionized, distilled water in all recipes and protocol steps. For common stock solutions, see APPENDIX 2; for suppliers, see APPENDIX 4.
Lambda plates
10 g tryptone
5 g NaCl
13 g agar
3 ml 1 M MgCl2
H2O to 1 liter
Sterilize by autoclaving. Allow to cool until comfortable to touch. Add antibiotics as needed, mix gently to avoid bubbles, and pour plates. Store up to several months at 4°C.

Lambda top agar
10 g tryptone
5 g NaCl
8 g agar
3 ml 1 M MgCl2
H2O to 1 liter
Sterilize by autoclaving. Maintain ≤1 month molten at 60°C.

L broth
10 g tryptone
5 g NaCl
5 g yeast extract
5 g MgSO4⋅7H2O
1 g glucose
160 ml 12.5 M NaOH (to pH 7.2)
H2O to 1 liter
Sterilize by autoclaving. Allow to cool until comfortable to touch. Add antibiotics as needed and mix. Store up to several months at 4°C.
RBA for Screening Bacteriophage Lambda Libraries
6.12.6 Supplement 27
Current Protocols in Molecular Biology
Suspension medium (SM)
5.8 g NaCl
2 g MgSO4⋅7H2O
50 ml 1 M Tris⋅Cl, pH 7.5 (APPENDIX 2)
5 ml 2% (w/v) gelatin
H2O to 1 liter
Sterilize by autoclaving. Store up to several months at 4°C. Gelatin is prepared by adding 2 g gelatin to 100 ml H2O, then autoclaving to dissolve when needed.
Xgal, 2% (v/v) in DMF
Dissolve 2% Xgal (5-bromo-4-chloro-3-indolyl-β-D-galactoside; see Table 1.4.2) in dimethylformamide (DMF). Place in polypropylene tube (not polystyrene, which will be dissolved by DMF), wrapped in aluminum foil. Store indefinitely at −20°C (solution will not freeze).

COMMENTARY
Background Information
The recombination-based assay (RBA) permits screening of a complex library or group of libraries with a given probe using only two petri dishes. As a result, the RBA is unparalleled in its efficiency and speed. The crux of the RBA is the insertion of a DNA fragment into a plasmid containing supF, followed by screening of a complex λ library (10⁶ to 10⁷ recombinants) for homology to the fragment. If such homology exists, a recombination event ensues between the inserts in the plasmid and homologous phage at a frequency of 10⁻² to 10⁻³ (see Fig. 6.12.1). As a result of this homology-mediated recombination event, the plasmid with supF is integrated into λ. Genetic selection for λ phage carrying the plasmid with supF results in the isolation of λ phage carrying an insert homologous to the insert in the plasmid. Given the high frequency of homologous recombination (10⁻² to 10⁻³), and the fact that 5 × 10⁸ to 10⁹ pfu can be plated onto a single petri dish, it is feasible to screen rapidly a λ library with a complexity of 10⁶ to 10⁷.

Bacterial host characteristics
This assay employs a bacterial strain, DM21 (see Figs. 6.12.1 and 6.12.3), that has been constructed to require the presence of supF in λ for phage propagation. As a result, sequences from a λ library that are homologous to a sequence cloned into the supF-bearing plasmid can be isolated on this strain. By screening a λ library carrying human genomic DNA sequences (Lawn et al., 1978), the copy number of a given sequence can be determined analytically. Plasmids carrying repetitive sequences rescue more phage clones from a human genomic library than do plasmids carrying nonrepetitive sequences (Neve and Kurnit, 1983). By screening a λ library corresponding to the genes encoded by a given tissue with single-copy sequences, the tissue and time in which a single-copy sequence is transcribed can be determined analytically. Selection for the desired supF-bearing phage is done using the dnaB/P1 ban balanced lethal system. In constructing the host, the dnaB unwinding protein that is normally essential for λ phage growth was replaced by the related, but not identical, P1 ban gene for E. coli growth. The resulting streptomycin-resistant dnaBam P1 ban lacZam host, DK21 (Kurnit and Seed, 1990), was then protected against a contaminating large (?T1) phage infection by a ?tonA mutation to yield the strain DM21 that is used in the protocol (the question mark notes characteristics that are likely but not definite). Analogously, strains LE392, LG75, and MC1061 have each been altered to carry a ?tonA mutation and resistance to streptomycin for use in the protocol, and have been renamed DM392, DM75, and DM1061, respectively (Table 6.12.1). DM21 selects for the plasmid-borne supF by requiring the suppression of an amber mutation in the dnaB gene to permit λ propagation. Furthermore, supF also suppresses the amber mutation in the lacZ gene of DM21, yielding a blue plaque upon addition of the chromogenic substrate Xgal in the presence of IPTG. This makes it possible to discard rare (100 copies; Neve and Kurnit, 1983).

2. Determining tissue- and time-specific transcriptional activity of single-copy fragments and isolating genes. Gene libraries containing >10⁶ independent recombinants are constructed: each corresponds to the totality of genes made in a given tissue at a given time in development. Screening a pool of 10⁶ recombinants from a cDNA library requires only two petri dishes. The phage are first plated on a bacterial lawn carrying the sequence to be tested cloned in a supF-bearing plasmid.
Following confluent lysis, 5 × 10⁸ to 5 × 10⁹ pfu are eluted and plated on DM21 to select for phage that have integrated supF. If no phage plaques are observed on DM21, this indicates that the sequence is not transcribed in the tissue at the developmental stage present when the cDNA libraries were made. If plaques are observed on DM21, this indicates that the sequence is transcribed at that stage. The transcribed sequence is isolated free of the genomic sequence initially used to screen for it by reversing the recombination event (Fig. 6.12.4). In all the libraries used to date—λgt10 (Huynh et al., 1985), λgt11 (Young and Davis, 1983), and Sumo 15A (Kurachi et al., 1989)—the desired sequence is liberated as an EcoRI fragment that can be subcloned. As well as liberating the sequence, the reversal also makes it possible to discard rare nonhomologous (or imperfect) recombination events, which are identified by the fact that they reverse at the same low 10⁻⁹ frequency that they occur (for nonhomologous events) and at an intermediate frequency (for partially homologous events). In contrast, homologous recombination events, which can occur in a forward direction at a similar 10⁻⁸ frequency (assuming a worst case where a sequence is present only once per genome equivalent in a phage library of 10⁶ recombinants, which is multiplied by a 10⁻² chance of recombining if there is homology), reverse at a much higher 10⁻² frequency. Thus, reversal of the recombination reaction will yield the cDNA free of the genomic sequence and will simultaneously allow rarer nonhomologous or partially homologous exchange events to be identified and discarded. The RBA can be employed to determine the tissue and time of transcription of candidate genes discovered by other technologies as well as to obtain the gene of interest (in the form of the larger gene sequence that is transcribed). The technique is useful either alone or in combination with other methods for defining single-copy transcribed sequences.
If DNA sequencing (as part of the genome initiative) or techniques to define transcribed sequences are used to identify genes, the RBA is still useful for determining the tissue and developmental timing of transcription, as well as for isolating a larger gene of interest. Technologies for defining transcribed sequences include exon trapping/amplification (Nisson and Watkins, 1994; Duyk et al., 1990; Buckler et al., 1991), use of somatic cell hybrids (Liu et al., 1989), and the use of hybridization-based schemes (Hochgeschwender and Brennan, 1994; Hochgeschwender et al., 1989; Kao and Yu, 1991), including hybrid selection (Lovett, 1994; Lovett et al., 1991; Parimoo et al., 1991). The RBA will proceed cooperatively, rather than competitively, with these other methods because it efficiently accomplishes two necessary tasks: identifying the timing and tissue of gene transcription and isolating a large transcribed sequence.
Critical Parameters
Plaque size is a major issue in this assay because plaques on the dnaBam strain DM21 are so small. Fresh λ plates should be used to maximize plaque size, because plaques will be smaller on older (drier) plates; likewise, it is important to plate cells on lambda plates, because plaques will be smaller on richer (e.g., LB) plates. It is essential that there be no homology between the screening plasmid and sequences in the λ libraries (see Background Information). Therefore, screening should be performed solely with R6K supF plasmids, not with ColE1 supF plasmids. Although titering all eluates would be too time-consuming, a few eluates should be titered to ensure that lysis and elution are occurring as expected. This is especially important because a lysed plate may vary from clear to grainy, rendering it difficult to determine visually whether complete lysis has occurred. Eluates should be saved until the DM21 plates have been scored as a precaution in case too many phage have been added, resulting in lysis from without. If this happens, the eluate may be titered or a lesser amount plated on DM21.
Anticipated Results
The abundance of sequences in screened λ libraries should be reflected in the number of phage that plate on DM21. Assuming a recombination rate of 1/500 (the exact number will depend on the extent of homology), a sequence abundance of 1/10⁶ should yield one plaque on DM21 per 5 × 10⁸ phage plated. A higher abundance should yield a correspondingly greater number of plaques on DM21. If mismatching occurs in an interspersed “salt-and-pepper” manner (as for Alu sequences), recombination will be depressed (e.g., ∼1000-fold for Alu sequences; Neve et al., 1983).
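The drop-titer arithmetic of steps 6 to 8 and the plaque estimate above, as an added worked example that is not part of the original protocol. The plaque counts are constructed, and reading “lowest dilution that yields plaques” as the most dilute spot that still shows plaques is an assumption made here.

```python
"""Titer and plating arithmetic for the RBA (added example, not from the unit).

Constructed inputs only. Assumption: the most dilute 10-µl spot that still
shows plaques is the one counted, as step 8 directs.
"""
from typing import Dict, Optional

DROP_VOLUME_ML = 0.010                        # 10-µl drops: the 10^2 factor of step 8
TARGET_PFU_MIN, TARGET_PFU_MAX = 5e8, 1e9     # pfu window for the DM21 lawn (step 5)


def titer_pfu_per_ml(plaque_counts: Dict[float, Optional[int]]) -> float:
    """Convert drop-titer counts to pfu/ml.

    plaque_counts maps each dilution (e.g. 1e-6 for the 10^-6 tube) to the
    plaques counted in its 10-µl drop, or None where the spot lysed completely
    and could not be counted. The most dilute spot with >= 1 plaque is used.
    """
    countable = {d: n for d, n in plaque_counts.items() if n}  # drops None and 0
    if not countable:
        raise ValueError("no countable spot; titer again with a wider dilution series")
    dilution = min(countable)          # smallest dilution value = most dilute spot
    count = countable[dilution]
    # plaques x dilution factor x 10^2 (10 µl -> 1 ml)
    return count * (1.0 / dilution) / DROP_VOLUME_ML


def eluate_volume_ul(titer_pfu_ml: float, target_pfu: float = TARGET_PFU_MIN) -> float:
    """Microlitres of eluate that deliver target_pfu at the measured titer."""
    return target_pfu / titer_pfu_ml * 1000.0


def check_plating(titer_pfu_ml: float, volume_ul: float) -> str:
    """Classify a planned DM21 plating against the 5e8 to 1e9 pfu window."""
    pfu = titer_pfu_ml * volume_ul / 1000.0
    if pfu > TARGET_PFU_MAX:
        return "too many phage: risk of lysis from without; plate less or re-titer"
    if pfu < TARGET_PFU_MIN:
        return "too few phage: rare recombinants may be missed; plate more"
    return "within window"


def expected_dm21_plaques(pfu_plated: float, abundance: float,
                          recombination_rate: float = 1 / 500) -> float:
    """Expected DM21 plaques = phage plated x sequence abundance x recombination rate."""
    return pfu_plated * abundance * recombination_rate


if __name__ == "__main__":
    # Constructed drop-titer result on DM392: the 10^-2 and 10^-4 spots lysed
    # completely, 150 plaques at 10^-6, none at 10^-8.
    counts = {1e-2: None, 1e-4: None, 1e-6: 150, 1e-8: 0}
    titer = titer_pfu_per_ml(counts)                     # 1.5e10 pfu/ml
    print(f"titer: {titer:.2e} pfu/ml")
    print(f"50 µl on DM21: {check_plating(titer, 50)}")  # 7.5e8 pfu, within window
    print(f"eluate for 5e8 pfu: {eluate_volume_ul(titer):.1f} µl")
    # At 1/10^6 abundance and a 1/500 recombination rate, 7.5e8 pfu gives ~1.5 plaques.
    print(f"expected plaques: {expected_dm21_plaques(titer * 0.050, 1e-6):.2f}")
```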
Time Considerations
The major advantage of the RBA is its rapidity: selection can be completed in four days using the following schedule. Day 1, grow bacterial cultures; day 2, add λ library and perform lysis; day 3, elute and plate on DM21; and day 4, identify plaques on DM21. Counterselection takes an additional four days. One day is necessary for elution of plaques from DM21 that are plated on DM75 with IPTG and Xgal in top agar. A second day is required for elution of putative light blue plaques and confirmatory macroplaque plating on DM75 and DM1061 with IPTG and Xgal. PCR counterselection of macroplaques that are blue on DM75 and colorless on DM1061 takes one day and a final day is necessary to isolate the counterselected PCR band from the gel.
Literature Cited
Bolivar, F., Rodriguez, R., Green, P.J., Betlach, M., Heyneker, H.L., Boyer, H.W., Crosa, J., and Falkow, S. 1977. Construction and characterization of new cloning vehicles. Gene 2:95-113.
Buckler, A.J., Chang, D.D., Graw, S.L., Brook, J.D., Haber, D.A., Sharp, P.A., and Housman, D.E. 1991. Exon amplification: A strategy to isolate mammalian genes based on RNA splicing. Proc. Natl. Acad. Sci. U.S.A. 88:4005-4009.
Casadaban, M.J. and Cohen, S.N. 1980. Analysis of gene control signals by DNA fusion and cloning in Escherichia coli. J. Mol. Biol. 138:179-207.
Duyk, G.M., Kim, S., Myers, R.M., and Cox, D.R. 1990. Exon trapping: A genetic screen to identify candidate transcribed sequences in cloned mammalian genomic DNA. Proc. Natl. Acad. Sci. U.S.A. 87:8995-8999.
Guarente, L., Lauer, G., Roberts, T.M., and Ptashne, M. 1980. Improved methods for maximizing expression of a cloned gene: A bacterium that synthesizes rabbit β-globin. Cell 20:543-553.
Hanzlik, A.J., Hauser, M.A., Osemlak-Hanzlik, M.M., and Kurnit, D.M. 1993. The recombination-based assay demonstrates that the fragile X sequence is transcribed widely during development. Nature Genet. 3:44-48.
Hochgeschwender, U. 1994. Identifying transcribed sequences in arrayed bacteriophage or cosmid libraries. In Current Protocols in Human Genetics (Dracopoli, N., Haines, J.L., Korf, B., Moir, D.T., Morton, C.M., Seidman, C.E., Seidman, J.G., and Smith, D.R., eds.) pp. 6.2.1-6.2.15. John Wiley & Sons, New York.
Hochgeschwender, U., Sutcliffe, J.G., and Brennan, M.D. 1989. Construction and screening of a genomic library specific for mouse chromosome 16. Proc. Natl. Acad. Sci. U.S.A. 86:8482-8486.
Huynh, T., Young, R.A., and Davis, R.W. 1985. Constructing and screening cDNA libraries in λgt10 and λgt11. In DNA Cloning, Vol. II (D. Glover, ed.). IRL Press, Eynsham, U.K.
Ikeda, H., Aoki, K., and Naito, A. 1982. Illegitimate recombination mediated in vitro by DNA gyrase of Escherichia coli: Structure of recombinant DNA molecules. Proc. Natl. Acad. Sci. U.S.A. 79:3724-3728.
Jankowski, S., Stewart, G.D., Buraczynska, M., Galt, J., Van Keuren, M., and Kurnit, D.M. 1990. Molecular approaches to trisomy 21. Prog. Clin. Biol. Res. 360:79-88.
Kao, F.-T. and Yu, J.-W. 1991. Chromosome microdissection and cloning in human genome and genetic disease analysis. Proc. Natl. Acad. Sci. U.S.A. 88:1844-1848.
King, S.R. and Richardson, J.P. 1986. Role of homology and pathway specificity for recombination between plasmids and bacteriophage λ. Mol. Gen. Genet. 204:141-147.
Kurachi, S., Baldori, N., and Kurnit, D.M. 1989. Sumo 15A: A lambda plasmid that permits easy selection for and against cloned inserts. Gene 85:35-43.
Kurnit, D.M. and Seed, B. 1990. Improved genetic selection for screening bacteriophage libraries by homologous recombination in vivo. Proc. Natl. Acad. Sci. U.S.A. 87:3166-3169.
Lawn, R.M., Fritsch, E.H., Parker, R.C., Blake, G., and Maniatis, T. 1978. The isolation and characterization of linked δ- and β-globin genes from a cloned library of human DNA. Cell 15:1157-1174.
Liu, P., Legerski, R., and Siciliano, M.J. 1989. Isolation of human transcribed sequences from human-rodent somatic cell hybrids. Science 246:813-815.
Lovett, M. 1994. Direct selection of cDNAs using genomic contigs. In Current Protocols in Human Genetics (Dracopoli, N., Haines, J.L., Korf, B., Moir, D.T., Morton, C.M., Seidman, C.E., Seidman, J.G., and Smith, D.R., eds.) pp. 6.3.1-6.3.15. John Wiley & Sons, New York.
Lovett, M., Kere, J., and Hinton, L.M. 1991. Direct selection: A method for the isolation of cDNAs encoded by large genomic regions. Proc. Natl. Acad. Sci. U.S.A. 88:9628-9632.
Lutz, C.T., Hollifield, W.C., Seed, B., Davie, J.M., and Huang, H.V. 1987. Syrinx 2A: An improved λ phage vector designed for screening DNA libraries by recombination in vivo. Proc. Natl. Acad. Sci. U.S.A. 84:4379-4383.
Marvo, S.L., King, S.R., and Jaskunas, S.R. 1983. Role of short regions of homology in intermolecular illegitimate recombination events. Proc. Natl. Acad. Sci. U.S.A. 80:2452-2456.
Neve, R.L. and Kurnit, D.M. 1983. Comparison of sequence repetitiveness of human cDNA and genomic DNA using the miniplasmid vector piVX. Gene 23:355-367.
Neve, R.L., Bruns, G.A.P., Dryja, T.P., and Kurnit, D.M. 1983. Retrieval of human DNA from rodent-human genomic libraries by a recombination process. Gene 23:343-354.
Nisson, P.E. and Watkins, P.C. 1994. Isolation of exons from cloned DNA by exon trapping. In Current Protocols in Human Genetics (Dracopoli, N., Haines, J.L., Korf, B., Moir, D.T., Morton, C.M., Seidman, C.E., Seidman, J.G., and Smith, D.R., eds.) pp. 6.1.1-6.1.14. John Wiley & Sons, New York.
Parimoo, S., Patanjali, S.R., Shukla, H., Chaplin, D.D., and Weissman, S.M. 1991. cDNA selection: Efficient PCR approach for the selection of cDNAs encoded in large chromosomal DNA fragments. Proc. Natl. Acad. Sci. U.S.A. 88:9623-9627.
Poustka, A., Rackwitz, H.-R., Frischauf, A., Hohn, B., and Lehrach, H. 1984. Selective isolation of cosmid clones by homologous recombination in Escherichia coli. Proc. Natl. Acad. Sci. U.S.A. 81:4129-4133.
Rubin, C.M., Houck, C.M., Deininger, P.L., and Schmid, C.W. 1980. Partial nucleotide sequence of the 300 nucleotide interspersed repeated human DNA sequences. Nature 284:372-374.
Saiki, R.K., Scharf, S., Faloona, F., Mullis, K.B., Horn, G., Erlich, H.A., and Arnheim, N. 1985. Enzymatic amplification of β-globin genomic sequences and restriction site analysis for diagnosis of sickle cell anemia. Science 230:1350-1354.
Seed, B. 1983. Purification of genomic sequences from bacteriophage libraries by recombination and selection in vivo. Nucl. Acids Res. 11:2427-2445.
Shen, P. and Huang, H.V. 1986. Homologous recombination in Escherichia coli: Dependence on substrate length and homology. Genetics 112:441-457.
Shen, P. and Huang, H.V. 1989. Effect of base pair mismatches on recombination via the recBCD pathway. Mol. Gen. Genet. 218:358-360.
Short, J.M., Fernandez, J.M., Sorge, J.A., and Huse, W.D. 1988. λ ZAP: A bacteriophage λ expression vector with in vivo excision properties. Nucl. Acids Res. 16:7583-7599.
Stewart, G.D., Hauser, M.A., Kang, H., McCann, D.P., Osemlak, M.M., Kurnit, D.M., and Hanzlik, A.J. 1991. Plasmids for recombination-based screening. Gene 106:97-101.
Watt, V.M., Ingles, C.J., Urdea, M.S., and Rutter, W.J. 1985. Homology requirements for recombination in Escherichia coli. Proc. Natl. Acad. Sci. U.S.A. 82:4768-4772.
Yanisch-Perron, C., Vieira, J., and Messing, J. 1985. Improved M13 phage cloning vectors and host strains: Nucleotide sequences of the M13mp18 and pUC19 vectors. Gene 33:103-119.
Young, R.A. and Davis, R.W. 1983. Efficient isolation of genes by using antibody probes. Proc. Natl. Acad. Sci. U.S.A. 80:1194-1198.
Contributed by David M. Kurnit
University of Michigan Medical Center
Ann Arbor, Michigan
Chapter 7
Open Security (OPSEC) and Content Filtering
Solutions in this Chapter:
• OPSEC Applications
• … Filtering Pr…
• Summary
• Solutions Fast Track
• Frequently Asked Questions
Chapter 7 • Open Security (OPSEC) and Content Filtering
Introduction
Check Point's Open Platform for Security (OPSEC) model enables you to implement third-party vendor applications into your firewall environment. Based on open protocols, the OPSEC model enables vendors to easily design their applications to conform to this standard, and therefore interoperate with the VPN-1/FireWall-1 product. You may be asking how this can benefit you. The most notable examples are your content filtering options. You can use other vendors' virus scanners that support the Content Vectoring Protocol (CVP) (for example, Aladdin's eSafe Protect Gateway) to easily implement virus scanning of Simple Mail Transfer Protocol (SMTP) mail, Hypertext Transfer Protocol (HTTP), and/or File Transfer Protocol (FTP) traffic, just by adding some objects and rules to your Security Policy. Other content-filtering applications use Website databases, which are broken into categories, so that you can easily block your users from going to specific sites, such as adult entertainment, shopping and chat sites, while on the job. Several schools that provide Internet access for their young students utilize this technology to prevent them from accessing certain categories that are considered inappropriate for children. We will talk about other OPSEC applications, and show you how to configure CVP and UFP (Universal Resource Identifier (URI) Filtering Protocol) applications in this chapter, and also how you can use the resources available in Check Point VPN-1/FireWall-1 (CP VPN-1/FW-1) to implement limited content filtering without needing a third-party application.
OPSEC Applications
Realizing that no single product or vendor could address network security completely and do it well, Check Point designed the OPSEC standard to enable security managers to easily extend the functionality of VPN-1/FW-1 with best-of-breed third-party applications designed for specific security requirements. By using a standard set of Application Programming Interfaces (APIs) and open protocols, OPSEC applications are able to easily move data in and out of the VPN-1/FW-1 infrastructure. An OPSEC session is a dialog between two OPSEC entities using one of the OPSEC APIs, and usually is between VPN-1/FW-1 and a third-party application that performs a specific task on the data received from the firewall. For a list of available applications, check the OPSEC Alliance Solutions Center at www.opsec.com. The properties of the OPSEC session are defined in the OPSEC application's object properties in the Security Policy Editor database. As you can see in Figure 7.1, there are three major types of OPSEC servers using the CVP, UFP, and AMON (Application MONitoring) protocols, as well as six client options using the following APIs:
• Event logging API (ELA)
• Log exporting API (LEA)
• Suspicious activities monitor (SAM)
• Check Point management interface (CPMI)
• Object management interface (OMI)
• UserAuthority API (UAA)
Each one of these protocols is a specific interface used to extend the capabilities of the firewall to another application. This tight integration provides functionality exceeding what would be available with each piece operating individually.
Figure 7.1 OPSEC Application Properties: General Tab
Besides the required naming information, the General tab of the OPSEC Application Properties window requires you to specify the host that this server is running on. You must create the host object before creating a new OPSEC application object, as you will not be able to create a new workstation object while the application properties window is open. You must then define the application properties, located in the section of that same name. To set the application properties you can select User defined from the Vendor drop-down menu, and then manually select both the server and client entities, or you can select a specific vendor, product, and version here. Vendors and products available from the Vendor menu include the following: Computer Associates' SafeGate product, Finjan Software's SurfinGate, as well as a variety of solutions from Trend Micro, F-Secure, Aliroo, and Aladdin Knowledge Systems. Over 70 vendors are predefined and listed in Next Generation Application Interface (NG AI), some with multiple products listed. A complete list of OPSEC certified CVP vendors and products can be found at www.opsec.com/solutions/sec_content_security.html. After selecting a predefined vendor and product from the list, the appropriate Server and Client Entities sections will be filled in automatically. If you selected User Defined from the Vendor menu, the next step in defining a new OPSEC application object for use in your security policy is to select the Client or Server entry that matches how the application functions. As shown in Figure 7.1 with CVP checked, once you select the appropriate application type, the second tab of the OPSEC Application Properties window, which contains application-specific communication configuration information, will change to match your selection. Your final step on this tab is to configure SIC, or Secure Internal Communication, by clicking the Communication button.
Setting up SIC for OPSEC applications is identical to setting up SIC for firewall modules. The next few pages will discuss each of these communication methods in detail and give you a sense of the flexibility and ease of integration that the OPSEC standard offers.
Content Vectoring Protocol
Content Vectoring Protocol is normally used to move data, such as Web pages or e-mail messages, from VPN-1/FW-1 to another server for validation. Though a CVP server (such as an antivirus server) could reside on the same physical server as a firewall module, it is not recommended as this would add a significant amount of overhead to the firewall (in the case of an antivirus server, looking through a database of known viruses for each HTTP connection would likely slow down the firewall). For example, CVP could be used to move all inbound SMTP e-mail messages to a content-scanning server that will check for malicious ActiveX code. Most commonly, CVP is used to virus-scan file data from e-mail messages or files downloaded from the Internet as they pass through the firewall. However, it has also been used to monitor and filter incoming traffic to a SQL database from the Internet by Log-On Software's SQL-Guard application.
Defining Objects
There are three steps involved in creating a new CVP object to use in your Security Policy.
1. Create a standard workstation object for the server. The workstation object enables you to assign an Internet Protocol (IP) address and name to the server that hosts the application you will be sending data to.
2. Create a new OPSEC application object to define the properties of the service you're enabling. This can be done by selecting Servers and OPSEC Applications from the Manage menu and then clicking New, or by right-clicking in the OPSEC Applications tab of the Object Tree and selecting New, and then OPSEC Application. When you complete the General tab of the OPSEC Application Properties window, you will be using the workstation object you created for the resource's host. Figure 7.1 shows the completed General tab.
3. Configure the CVP properties. This is done on the CVP tab that appeared when you checked the CVP option under the Server Entities. The CVP tab is used to define how this application communicates with the firewall. As shown in Figure 7.2, CVP applications only require a few options, consisting only of a Service drop-down list and an optional directive to use backward compatibility.
Figure 7.2 OPSEC Application Properties--CVP Options Tab
The Service selected on the CVP Options tab defines the port on which this application will be listening for connections from the firewall, and is almost always set to FW1_cvp (Transmission Control Protocol port 18181). The Use backwards compatibility mode section replaces the function of the fwopsec.conf file that was used in version 4.x of FireWall-1. If your OPSEC vendor has supplied instructions relating to that file, this is the area where you implement them. Generally, applications based on the OPSEC Software Development Kit (SDK) version 4.1 or lower will require that you use backward compatibility. Typically, when applications use backward compatibility they also require the legacy fw putkey command to be used on both sides to establish trust instead of SIC.
Creating a CVP Resource
Now that you've defined your OPSEC application server, you'll want to start sending it data from your security policy through a resource definition. There are five resource types that can be used in your security policy to send data to a CVP server:
• URI  URI resources are mostly used to manipulate HTTP requests.
• SMTP  SMTP resources enable you to filter and modify e-mail message data as it passes through your firewall.
• FTP  FTP resources provide the tools needed to control your users' FTP sessions.
• TCP  The Transmission Control Protocol resource enables you to work with other TCP services that are not covered by the other resources.
• CIFS  The Common Internet File System resource enables you to granularly filter CIFS file and printer sharing connections.
The previously listed resources are implemented by the VPN-1/FW-1 security servers. Each security server is a specialized module that provides detailed control for specific services. Located just above the Inspection Module in the firewall daemon, the security servers have the ability to monitor and manipulate SMTP, Telnet, FTP, and HTTP traffic, providing highly tunable access control and filtering capabilities. Since each security server has full application awareness of the protocols it supports, it is capable of making control decisions based on the data and state of the session, similar to how proxy firewalls function. In addition to performing specific content filtering, the security servers provide a conduit to send and retrieve data to and from third-party servers, allowing VPN-1/FW-1 to use other security applications in the traffic control process. When invoked by a resource, the security servers will proxy the affected connections. Aside from the possibility of adding latency to the session (normally only measurable on very busy firewalls or with servers that are improperly equipped to run the OPSEC application) and additional load to the firewall, Network Address Translation (NAT) cannot be used with data allowed (or dropped) using resources. Since the firewall must proxy the connection, all data will appear to come from the address of the firewall that is closest to the server. This means that any applicable NAT rules will not be used, because the firewall itself will function as the server the client is connecting to. Then, once the content is approved, the firewall will create a new connection to the actual server that will service the request. This is probably not a big deal when using hide-mode NAT, but it can be a bit confusing when debugging a problem between networks where NAT is not used. In this case, you would expect the traffic to be coming from the server's IP address, but it would actually be coming from an IP address on the firewall.
To help understand how CVP servers can be used as part of the security policy, let's look at how to integrate virus scanning into the security policy. Later on, we'll examine in detail how FTP and other resources match data streams that we can send to our CVP server, but for now let's just look at how to set up a simple FTP resource that enables users to retrieve files from the Internet and scans those files for viruses before sending them to the user. There are three steps involved in setting up this simple resource:
1. Create the resource object by selecting Resources from the Manage menu. Click New, then FTP. Set up the object name, comment, and color on the resulting FTP Resource Properties window. The other two tabs of this window will allow you to specify the details for the resource's filter and allow you to send data to the CVP server.
2. On the Match tab, set Method to GET. This instructs the VPN-1/FW-1 FTP security server to only allow users to download files via FTP, since uploading would require the use of the put command.
3. Use the CVP tab, shown in Figure 7.3, to select the antivirus server object and define how it will function for this resource.
Figure 7.3 FTP Resource Properties--CVP Tab
Aside from the Use CVP checkbox, which enables the CVP server drop-down list where you select the server to use, the CVP tab has two other important options that control how the CVP server functions in your resource. The CVP server is allowed to modify content checkbox controls whether or not VPN-1/FW-1 will pass on data that has not come back from the CVP server in its original form. This option is particularly useful for virus scanning, where an infected file may be sent to the antivirus server and cleaned before being returned. This option would allow the VPN-1/FW-1 security server (which enforces the FTP Resource definition) to accept the cleaned file and send it on to its destination. If the CVP server is allowed to modify content option was not enabled, the antivirus software would only be allowed to report that the file was infected, causing the security server to discard the file completely. The Reply Order options control when and how the CVP server will scan data being passed to the user. The options for controlling how data is scanned are:
• Return data after content is approved  This option sends the entire file or data stream to the CVP server to be checked after the security server has validated the content. In our example, the GET request would be validated before the file was checked for viruses.
• Return data before content is approved  Some packets are returned to the security server before the CVP server has approved them. This option is especially useful for resources that may deal with large files. Continuing to send the data stream before it has been approved may help stop problems with FTP or HTTP sessions timing out while the CVP server downloads and then checks the requested file. With this option the CVP server will allow all packets to be sent back to the security server and on to their destination, but the final packet will be held pending approval from the CVP server. This means the file will be incomplete and unusable at the end of the transfer if it is disallowed.
The method you select will depend greatly on what function your CVP server performs on the data, and on how the application is designed. In the antivirus server example, the CVP server controls the reply order. This allows the antivirus software maximum flexibility for scanning files and raw data differently if desired, since the application could decide to assemble a complete binary file before scanning, but scan HTML packets individually. Note that your CVP application must support this option, so check the documentation that came with your application before creating the resource to ensure compatibility.
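The two Reply Order modes and the modify-content option, modelled as an added Python example (not Check Point code): a toy security server splits a file into packets and consults a hypothetical CVP scanner callback; the virus markers and sample files are constructed.

```python
"""Toy model of the CVP Reply Order modes and the 'CVP server is allowed to
modify content' option.  Added example, not Check Point code."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Verdict:
    approved: bool   # False: the CVP server rejected the content outright
    content: bytes   # what the CVP server handed back (may be a cleaned copy)


Scanner = Callable[[bytes], Verdict]   # hypothetical CVP server interface


@dataclass
class Transfer:
    delivered: List[bytes] = field(default_factory=list)  # packets the client received
    approved: bool = False
    reason: str = ""


def split_packets(data: bytes, size: int) -> List[bytes]:
    return [data[i:i + size] for i in range(0, len(data), size)]


def return_after_approval(data: bytes, scan: Scanner, allow_modify: bool,
                          pkt: int = 4) -> Transfer:
    """'Return data after content is approved': the whole stream goes to the
    CVP server first and the client receives nothing until there is a verdict."""
    t = Transfer()
    v = scan(data)
    if not v.approved:
        t.reason = "rejected by CVP server"
        return t
    if v.content != data and not allow_modify:
        # A cleaned copy came back but the resource forbids modification:
        # the security server discards the file instead of forwarding it.
        t.reason = "content modified but modification not allowed"
        return t
    t.approved = True
    t.delivered = split_packets(v.content, pkt)
    return t


def return_before_approval(data: bytes, scan: Scanner, pkt: int = 4) -> Transfer:
    """'Return data before content is approved': every packet except the last is
    forwarded while the CVP server works; the final packet is held until the
    verdict, so a rejected file arrives truncated and unusable.  Content
    modification is not modelled here because the early packets have already left."""
    t = Transfer()
    packets = split_packets(data, pkt)
    if not packets:                          # empty transfer: nothing to hold back
        t.approved = scan(data).approved
        return t
    t.delivered = packets[:-1]               # streamed ahead of the verdict
    v = scan(data)
    if v.approved:
        t.approved = True
        t.delivered.append(packets[-1])      # release the held final packet
    else:
        t.reason = "rejected by CVP server; final packet withheld"
    return t


# Constructed markers standing in for virus signatures (not real signatures).
CLEANABLE = b"<CLEANABLE>"       # the scanner can strip this and return a cleaned file
UNCLEANABLE = b"<UNCLEANABLE>"   # the scanner rejects the file outright


def toy_antivirus(data: bytes) -> Verdict:
    """Hypothetical CVP antivirus callback: rejects uncleanable files, strips a
    cleanable marker, and approves anything else unchanged."""
    if UNCLEANABLE in data:
        return Verdict(False, data)
    return Verdict(True, data.replace(CLEANABLE, b""))


def reassemble(t: Transfer) -> bytes:
    """What the client ends up with on disk."""
    return b"".join(t.delivered)


if __name__ == "__main__":
    sample = b"hdr" + UNCLEANABLE + b"tail"
    before = return_before_approval(sample, toy_antivirus)
    print(before.approved, len(reassemble(before)), "of", len(sample), "bytes delivered")
```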
Using the Resource in a Rule
The final step in using a CVP server, after creating the OPSEC application object and using it in a resource definition, is to build it into a rule in your security policy. Creating a security policy rule to use a resource is almost identical to creating a normal rule. The only exception is in the Service column where, instead of selecting Add after right-clicking, you will select Add With Resource. Figure 7.4 shows the Service with Resource window that enables you to configure the resource to be used in the security policy.
Figure 7.4 Service with Resource Window
The Service with Resource tab allows you to select from the supported services and define which resource to use with that service. In the case of our virus-scanning example, we'll be using the FTP service with the ftp_get resource. Figure 7.5 shows the completed rule that allows local network traffic to FTP data from the Internet using the resource that limits access to FTP GETs only, and will use the CVP server we defined to scan all files for viruses before passing them to the user. Notice that the Service_Net is negated in the destination. This enables the user to control access to known networks separately from access to the Internet, as well as to strictly adhere to the security principle of least access. If the destination field had been set to Any, it would have inadvertently opened FTP access to the network represented by the Service_Net object, even though the intention was just to allow FTP GETs from the Internet. You will also notice that the icon used in the Service column indicates that we're allowing the FTP service with the ftp_get resource.
Figure 7.5 Security Policy Rule Using Resource (rule base sections shown: Stealth Rule (Rule 1), DMZ Traffic, Service Net Traffic (Rules 4-7), LAN to Internet Traffic, DMZ to Internet Traffic (Rule 10))
The important thing to remember when using resources is that data is matched or denied on a per-packet basis. You could, for example, select to scan only files of type "*.exe" downloaded via HTTP, with an accept rule that uses a CVP resource. However, this will only accept the downloaded files, not the pages you must browse to find the file you want. To make this work, you must specify a rule to match all other HTTP traffic; otherwise the HTTP-browsing traffic will fall through to the cleanup rule and be discarded.
CVP Group
As with most other objects in the Security Policy, CVP objects can be grouped. When you combine two or more OPSEC applications into a group, additional options for load balancing and chaining become available. Figure 7.6 shows a CVP group configuration tab being used to enable load balancing across two antivirus servers.
Figure 7.6 CVP Group Properties
Creating a new CVP group can be done easily by right-clicking in the Servers and OPSEC Applications tab of the object list. Next, select New and CVP Group. After defining the group's name, adding a descriptive comment, and assigning the color you want for this object, you'll need to select the servers that will be members of this group. Note that groups don't have to be of identical object types. You can have a group consisting of a UFP server (which we'll look at next) and a CVP server to enable application chaining. Once the components of the group have been defined, you'll have to select the function of this group by making the appropriate selection in the Work distribution method section. You have two choices:
• Load sharing  When selected, the workload is distributed among the servers in the group. There are two distribution methods allowed: round robin or random.
• Chaining  Chaining allows a data stream to be inspected by several servers that perform different functions. For example, a chaining group consisting of an antivirus scanner and a Web content scanner could be employed to check your incoming e-mail traffic for viruses and appropriate language. If you select chaining, you'll have an option to abort the chain when any individual server detects a violation, or to allow all the servers to inspect the data before making a control decision.
Once you have the CVP group created, it can be used in the security policy to create a resource rule, just like any other group object would be used to create a standard rule.
URI Filtering Protocol
A Uniform Resource Identifier most commonly defines how to access resources on the Internet. URI Filtering Protocol is used to enable passing data between VPN-1/FW-1 and a third-party server for URI classification. The most common example of UFP is to pass HTTP Uniform Resource Locators (URLs) to a server running Websense, SurfControl, or a similar product, to check that the requested URL is allowed by your organization's acceptable Internet usage policy. Since the terms URI (described in RFC 1630) and URL (RFC 1738) essentially deal with the same thing (especially when discussing HTTP), it is common to see the terms interchanged. Which term you use (URL or URI) is more a matter of preference than of technical correctness, as there seems to be disagreement even among the industry standards organizations as to which is correct in which circumstances.
Defining Objects
Creating a UFP server object is almost identical to creating a CVP object. Both objects require that you define a workstation object with at least a name and IP address for the server, and that you use that workstation in the OPSEC application object. Figure 7.7 shows the General tab of the UFP server object, which enables you to define the application you are using. You can choose from the predefined list, which includes vendors such as WebSense, Symantec, SurfControl, Secure Computing, and 8e6_Technologies, or you can use the User Defined option to customize your UFP server object. A complete list of UFP applications from OPSEC-certified vendors is available at www.opsec.com/solutions/sec_content_security.html.
Figure 7.7 UFP Server Object--General Tab
The difference in setting up a CVP server compared to a UFP server starts when you select UFP (as seen in Figure 7.7) in the Server Entities section of the OPSEC Application Properties window, which makes the UFP Options tab (Figure 7.8) available.
Figure 7.8 UFP Server Object--UFP Options Tab
The Service drop-down menu defines which port the UFP service will be listening on; for most UFP applications, this is set to FW1_ufp (TCP port 18182). The backward compatibility options for UFP servers are the same as for the CVP server you looked at earlier, enabling you to configure options that, in previous versions of VPN-1/FireWall-1, were set in the now nonexistent fwopsec.conf file. The Dictionary section of the UFP tab will show the category list from the UFP server. In order for the UFP server to function with VPN-1/FW-1, the server's Dictionary ID and category list are required. The dictionary is basically a list of categories, and the dictionary ID is the version of the list. This is useful if you are using a dictionary that is updated often. Once you've set up the server object on the General tab and set the service to match your UFP server, you can click the Get Dictionary button to retrieve the category list and ID number from the UFP server. The category list is displayed to help you verify that the connection to the UFP server is established and to show you which categories are available on that server. Note, however, that the categories in this window cannot be manipulated here. To select which categories you would like to filter incoming URLs against, you must create a URI resource that uses UFP.
Creating a URI Resource to Use UFP
Unlike a CVP server, which can be used with SMTP, TCP, FTP, and URI resources, a UFP server can only be used with URI resources. A URI is made up of two basic parts: a scheme or protocol, and a path. The scheme is the first portion of the URI, located to the left of the colon. Common schemes are HTTP, FTP, Trivial File Transfer Protocol (TFTP), Lightweight Directory Access Protocol (LDAP), and so on, and can be thought of as a protocol identifier. The remainder of the URI specifies the path to the resource, and often has scheme-dependent syntax. Part of the path may contain a method, such as GET, POST, or PUT, which the UFP server may use to make filtering decisions. Although the UFP server actually scans the URL and makes a control decision, it's the URI resource that tells VPN-1/FW-1 where and how to send the URI to be scanned. Figure 7.9 shows the URI Resource Properties window that is used to create the resource that will enable you to validate URLs through the UFP server created above.
Figure 7.9 URI Resource Properties--General Tab
Aside from the generic object identifiers, there are some interesting URI resource options to select from. The first is the Use this resource to radio button set, which affects how the URI resource functions. If you select the first option, Optimize URL logging, all of the remaining options will gray out, and the object will only be used to log HTTP URLs into the VPN-1/FW-1 log. This option does not require the use of a security server to proxy the connection.
In order to use this resource as a conduit to a UFP server, you must select the Enforce URI capabilities or Enhance UFP performance option. The former utilizes the security server and provides extended options for filtering traffic, while the latter allows the firewall to retrieve the URL deep in the INSPECT engine (without the use of a security server) and to query the UFP server with the URL. Unfortunately, if you select the Enhance UFP performance option, UFP caching, CVP, certain HTTP header verifications, and authentication will not be available. For the rest of this section, we will use the Enforce URI capabilities option. The Connection Methods section defines which modes VPN-1/FW-1 will use to examine traffic. If Tunneling mode is selected, you will not have access to the CVP tab and will not be able to use any URI filtering or UFP servers, since tunneling only allows the security server to inspect the port and IP address information, not the URI that you're interested in. Transparent mode is used when users' browser configurations do not contain proxy server information. In this configuration, the firewall must be the network gateway that handles Internet traffic. As your users request resources from the Internet, the firewall will send the URIs to the UFP server to be checked as part of the security policy. In Proxy mode, the firewall must be specified in each user's browser as a proxy server. This configuration is very useful if you want to direct Internet service requests (such as FTP and HTTP) to a firewall that is not the default gateway for your network, as the security server will provide proxy services to Internet requests. Using the Proxy option also enables you to manually load balance your Internet traffic by directing users' traffic to different firewalls, or to separate traffic based on type (for example, FTP to one firewall, HTTP to another) if required.
The URI Match Specification Type section specifies how you want to inspect the URIs matched by this object. We'll be examining the File and Wildcards options later in the chapter, but for now we're only interested in the UFP option. Once you select the UFP option, the Match tab, as seen in Figure 7.10, will provide you with the additional UFP options needed to enable the UFP server.
Figure 7.10 UFP Options for URI Resources
The Match tab enables you to select which UFP server to use, as well as to set operating parameters to control the interaction between the firewall security server and the filtering application. The UFP caching control field allows you to increase the performance of the URI resource by reducing the number of URIs sent to the UFP server. There are four caching options.
• No Caching  With caching disabled, the UFP server is used to check each URI. Typically, turning off the cache has a negative impact on performance, as every request must be checked by the UFP server. However, this option is useful if your UFP server configuration changes frequently and you want to ensure that each request is filtered using the newest options. Note that when the Enhance UFP performance option is used, the overhead of a security server is removed entirely, which can give better performance than even a security server that caches UFP requests.
• UFP Server  This option allows the UFP server to control the caching. The UFP server may choose to check each URL, or it may maintain its own cache to speed up the checks.
• VPN-1 & FireWall-1 (one request)  The VPN-1/FW-1 security server controls UFP caching. Unique URIs will be sent to the UFP server only once before being added to the cache. This option provides the greatest performance by significantly reducing the number of URIs sent to the UFP server.
• VPN-1 & FireWall-1 (two requests)  URIs previously checked by the UFP server will be sent a second time before being added to the cache. Reduced performance is traded for the added security of checking each URL twice.
The Ignore UFP server after connection failure option controls how the security server will react if the UFP server is not available to service requests. Leaving this option unchecked can have a severe impact on performance if your UFP server fails, since the security server will attempt to send each URI to the failed server and will not allow traffic to pass until the server responds with an accept message. If this option is not enabled and your UFP server fails, you will most likely experience a Denial of Service (DoS) condition, since even acceptable sites cannot be checked. The telltale sign of this condition will be messages in your logs that read, "Unknown error while trying to connect to UFP," and users calling your help desk complaining of a lack of access. Enabling the Ignore UFP server after connection failure option enables you to specify the Number of failures before ignoring the UFP server option, which controls how many attempts are made before considering a UFP server offline. The Timeout before reconnect to UFP server value instructs VPN-1/FW-1 on how long to wait before considering the connection to the UFP server lost.
WARNING
The Ignore UFP server after connection failure option is not to be used lightly. By checking this box, if the UFP server fails, all access would still function without the added security the UFP server provides. This could be a circumvention of your overall security policy. Make sure to check what value the company (specifically the Human Resources and Legal departments) places on Web access and the inspection capabilities UFP provides. Because Internet access impacts the ability of users to do work, it must be balanced against any relevant legal ramifications, which means this decision typically needs to be made at an executive level by someone with the authority to decide whether lost productivity takes a higher priority than content security.
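The four caching options and the connection-failure handling above, modelled as an added Python example (not Check Point code). The UFP server, its category dictionary and the URLs are constructed; the reconnect timeout is assumed to be the period for which a failed server is ignored before it is queried again.

```python
"""Toy model of a URI resource's UFP caching control and 'Ignore UFP server
after connection failure' settings.  Added example, not Check Point code."""
import time
from typing import Callable, Dict, Optional, Set

Lookup = Callable[[str], str]   # URL -> category; raises ConnectionError when unreachable


class ToyUfpServer:
    """Hypothetical UFP server with a fixed category dictionary (constructed)."""
    def __init__(self, dictionary: Dict[str, str]) -> None:
        self.dictionary = dictionary
        self.up = True
        self.requests = 0            # how many lookups actually reached the server

    def lookup(self, url: str) -> str:
        self.requests += 1
        if not self.up:
            raise ConnectionError("UFP server unreachable")
        return self.dictionary.get(url, "Uncategorized")


class UriResource:
    """Match-tab settings of a URI resource that uses UFP.

    caching is one of 'none', 'ufp_server', 'one_request', 'two_requests'.
    reconnect_timeout is assumed here to be how long a failed server is
    ignored before the firewall tries to reach it again."""
    MODES = ("none", "ufp_server", "one_request", "two_requests")

    def __init__(self, lookup: Lookup, blocked: Set[str], caching: str = "one_request",
                 ignore_after_failure: bool = False, failures_before_ignore: int = 3,
                 reconnect_timeout: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if caching not in self.MODES:
            raise ValueError(f"unknown caching mode {caching!r}")
        self.lookup, self.blocked, self.caching = lookup, blocked, caching
        self.ignore_after_failure = ignore_after_failure
        self.failures_before_ignore = failures_before_ignore
        self.reconnect_timeout = reconnect_timeout
        self.clock = clock
        self.cache: Dict[str, str] = {}
        self.seen_once: Set[str] = set()        # two-request mode: first answer received
        self.failures = 0
        self.ignored_until: Optional[float] = None

    def _ask_server(self, url: str) -> Optional[str]:
        """Query the UFP server; None means the failed server is being ignored."""
        now = self.clock()
        if self.ignored_until is not None:
            if now < self.ignored_until:
                return None                      # no check performed at all
            self.ignored_until, self.failures = None, 0   # timeout elapsed: try again
        try:
            category = self.lookup(url)
        except ConnectionError:
            self.failures += 1
            if self.ignore_after_failure and self.failures >= self.failures_before_ignore:
                self.ignored_until = now + self.reconnect_timeout
            raise
        self.failures = 0
        return category

    def _category(self, url: str) -> Optional[str]:
        if self.caching in ("none", "ufp_server"):
            # The firewall keeps no cache; in 'ufp_server' mode caching is the server's affair.
            return self._ask_server(url)
        if url in self.cache:
            return self.cache[url]
        category = self._ask_server(url)
        if category is None:
            return None
        if self.caching == "one_request" or url in self.seen_once:
            self.cache[url] = category           # cache after one (or the second) answer
        else:
            self.seen_once.add(url)              # two-request mode: ask once more next time
        return category

    def check(self, url: str) -> str:
        """'drop' for a blocked category, 'accept' otherwise, or 'unavailable' when
        the UFP server cannot be reached and is not being ignored (the DoS condition)."""
        try:
            category = self._category(url)
        except ConnectionError:
            return "unavailable"   # logged as "Unknown error while trying to connect to UFP"
        if category is None:
            return "accept"        # fail-open: traffic passes unchecked (see the warning above)
        return "drop" if category in self.blocked else "accept"
```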
Finally, the CVP tab enables you to hand data off to a third-party server for validation. In addition to the antivirus example we looked at earlier, CVP servers like Symantec's Igear Web content scanner can provide you with fine-tuned content control for Web applications. Note that the CVP tab is not available if the Tunneling or Enhance UFP performance options are selected. The Action tab in the URI Resource Properties window is discussed later in this chapter.
Using the Resource in a Rule
Using a UFP server to validate URIs as part of your security policy is similar to using a CVP server in a resource rule. To follow the example used earlier, the UFP server can be used to scan URL requests to Internet sites. In doing so, the final step is to add the URI resource, which uses the UFP server object, as the resource in a new (or existing) rule. As with the CVP rule we created earlier, the only difference between a rule that uses a resource and a normal security policy rule is what is defined in the Service column. Instead of selecting the Add option for the service, use the Add with Resource option to select the URI resource that contains the UFP server configuration you need. Figure 7.11 shows the final rule in the security policy being used to reject unacceptable data requests. Notice that the Service column shows both the scheme being used (HTTP) and the name of the URI resource (URL_Filtering).
Figure 7.11 Security Policy Rule Using UFP Server in URI Resource (rule base sections shown: Stealth Rule (Rule 1), DMZ Traffic (Rules 2-3), Service Net Traffic (Rules 4-7), LAN to Internet Traffic (Rules 8-9), DMZ to Internet Traffic (Rule 10), Cleanup Rule (Rule 11))
As with CVP resources, it is necessary to remember that a match is made on the packet, not the session. For example, with UFP, you will typically create a drop or reject rule to match on the categories you want to disallow. As you can see in Figure 7.11, you must have another rule that will accept the traffic that you want to allow, or else it will be dropped by the cleanup or Drop All rule. This second rule is necessary because the resource rule only deals with dropping traffic, not with allowing it. You could, of course, use a UFP resource in the rule base to allow traffic based on category rather than drop it, to get around this second rule requirement. The only problem with this approach is that the allowed list is often longer than the drop list, and is therefore harder to maintain. The difference between drop and reject in these two cases is that drop will silently drop the packets, whereas reject will quickly tell the user that his connection is not allowed by returning an error or redirecting the user to another Web site if one is defined in the Action tab. Reject is typically a more useful configuration because it will allow you (and your help desk) to distinguish between network connectivity problems and disallowed Web sites.
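Per-packet resource matching for both cases discussed (the "*.exe" CVP accept rule and the UFP category reject rule), plus the negated Service_Net destination from Figure 7.5, as an added Python example (not Check Point code); the rules, networks, URLs and category dictionary are constructed.

```python
"""Toy model of how resource rules match in a VPN-1/FW-1 rule base.
Added example, not Check Point code; rules, networks and URLs are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Request:
    src: str          # source network name, e.g. "LAN"
    dst: str          # destination network name, e.g. "Internet" or "Service_Net"
    service: str      # "http", "ftp", ...
    url: str = ""     # the URI the security server would see


Matcher = Callable[[Request], bool]   # a resource's match specification


@dataclass
class Rule:
    name: str
    src: str                             # "Any" or a network name
    dst: str                             # "Any", a network name, or "!Name" for a negated destination
    service: str                         # "Any" or a service name
    action: str                          # "accept", "drop" or "reject"
    resource: Optional[Matcher] = None   # a resource rule matches only what its resource matches

    def matches(self, req: Request) -> bool:
        if self.src not in ("Any", req.src):
            return False
        if self.dst.startswith("!"):
            if req.dst == self.dst[1:]:      # negated destination excludes that network
                return False
        elif self.dst not in ("Any", req.dst):
            return False
        if self.service not in ("Any", req.service):
            return False
        return self.resource is None or self.resource(req)


def first_match(rules: List[Rule], req: Request) -> Rule:
    """First-match semantics: the rule base is read top to bottom."""
    for rule in rules:
        if rule.matches(req):
            return rule
    raise LookupError("no rule matched; the rule base needs a cleanup rule")


def decide(rules: List[Rule], req: Request) -> str:
    return first_match(rules, req).action


# --- constructed resources -------------------------------------------------
def exe_download(req: Request) -> bool:
    """Wildcard URI resource "*.exe" with a CVP server attached (scan step omitted)."""
    return req.url.lower().endswith(".exe")


CATEGORIES = {"http://games.example/": "Games",     # constructed UFP dictionary
              "http://news.example/": "News"}
BLOCKED = {"Games", "Gambling"}


def blocked_category(req: Request) -> bool:
    """URI resource that uses UFP: matches only URLs in a disallowed category."""
    return CATEGORIES.get(req.url, "Uncategorized") in BLOCKED


CLEANUP = Rule("Cleanup", "Any", "Any", "Any", "drop")


def cvp_rulebase(with_browsing_rule: bool) -> List[Rule]:
    """Accept rule with a CVP resource for *.exe; optional rule for all other HTTP."""
    rules = [Rule("Scan EXE downloads", "LAN", "!Service_Net", "http", "accept", exe_download)]
    if with_browsing_rule:
        rules.append(Rule("Other HTTP", "LAN", "!Service_Net", "http", "accept"))
    return rules + [CLEANUP]


def ufp_rulebase(with_accept_rule: bool) -> List[Rule]:
    """Reject rule with a UFP resource; optional accept rule for the rest of HTTP."""
    rules = [Rule("URL_Filtering", "LAN", "!Service_Net", "http", "reject", blocked_category)]
    if with_accept_rule:
        rules.append(Rule("LAN to Internet", "LAN", "!Service_Net", "http", "accept"))
    return rules + [CLEANUP]


if __name__ == "__main__":
    page = Request("LAN", "Internet", "http", "http://news.example/index.html")
    for flag in (False, True):
        hit = first_match(cvp_rulebase(flag), page)
        print(f"browsing rule present={flag}: matched '{hit.name}' -> {hit.action}")
```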
UFP Group
A UFP group is similar to a CVP group except that it does not support chaining. The configuration of a UFP group is similar to the other generic group configuration screens, in that you enter a name and comment, select the appropriate color, and then simply move UFP servers from the Not in group section to the In group section. Your choices for load balancing between servers in a UFP group are either Random or Round Robin. Using the Up and Down buttons will enable you to change the order in which servers are used in the round robin configuration, but since the server being used will change with each incoming session, changing the order will only slightly affect how the object performs. The final option, Load sharing suspend timeout, enables you to configure the time to ignore a failed server before attempting to reestablish communication with it. You can set this time to anywhere from 0 (ignore the failure, attempt to use the server normally) to 10,000 minutes.
Application Monitoring
Using OPSEC applications as CVP and UFP resources in your security policy makes those servers an integrated part of your security environment. To allow for easy monitoring of OPSEC products that function alongside VPN-1/FW-1, Check Point developed the AMON API. AMON is the third tab in the OPSEC Application Properties window (as shown in Figure 7.12). It allows supported applications to report status information to VPN-1/FW-1. This status information is then available in the Check Point System Status Viewer alongside the real-time status of your Check Point applications. This is very useful for monitoring all devices interoperating within the security infrastructure, but another solution would probably be more useful for monitoring your entire network.
Figure 7.12 AMON Application Properties--General Tab
Enabling AMON is as simple as selecting the AMON option under Server Entities, and then setting the Service and AMON Identifier information on the AMON tab. As seen in Figure 7.13, the Service option is usually set to FW1_amon (TCP port 18193), but you should check the documentation that came with your application to ensure that this is the port the application is listening on. The AMON identifier field contains the Management Information Base (MIB) identifier, which also must be provided by your application's vendor.
Figure 7.13 OPSEC Application Properties--AMON Options Tab
Open Security (OPSEC) and Content Filtering • Chapter 7
Client Side OPSEC Applications In addition to the UFP and CVP application servers and the AMON monitoring service, there are six client application APIs that extend the functionality and management of VPN-1/FW-1 to third-party applications. Although complete configuration and implementation details for each of the six APIs will depend on which third-party application you're using, this section will give a quick look at each to discuss the capabilities of the API and to show the integration options possible for OPSEC-certified products.
Event Logging API The Event Logging API allows third-party applications to send log data to the VPN-1/FW-1 log database. Sending log data to the central log has two main advantages: log consolidation and alert triggering. In many networks, the firewall gateways are the security focal point, making the VPN-1/FW-1 logs the primary data source for security auditing. By extending the log to third-party products with the ELA, Check Point has enabled you to collect your security logs into a single location, making it easier to analyze and trend your security infrastructure's performance. An added benefit of consolidating logs from other products into the central log is that products using ELA will be able to trigger the VPN-1/FW-1 alert mechanism. This allows products like Stonesoft's StoneBeat high-availability solution to send logs and alerts to the Check Point Management Console when a FireWall-1 product has failed over to a standby machine.
Log Export API To securely and efficiently access the Check Point log database, third-party products can use the Log Export API. The LEA allows access to the log in both real-time and historical access modes. In order to use LEA, the product vendor must write an LEA client that will access data from the Management Console that is running the LEA server. Using the LEA client/server model, OPSEC applications reduce the need to access the locked, proprietary-format logs directly or to export the Check Point logs out to plain text before being able to work with the log data. For example, products like the WebTrends Firewall Suite can set up a secure connection to the VPN-1/FW-1 log database to pull in historical information for report generation. Since LEA supports encryption, you can be assured that the information used to generate the reports was not copied or corrupted during the transfer from one application to another. Real-time data retrieval using LEA is most useful for generating alerts, based on firewall events, with a non-Check Point application. For example, LEA could be used to funnel firewall events into an enterprise security manager (ESM) product that could correlate data with other security products, to generate trends and alerts based on a bigger view of the security infrastructure.
Suspicious Activities Monitoring The Suspicious Activities Monitor was designed to provide a method for intrusion detection system (IDS) software to communicate with VPN-1/FW-1. This provides a method for an IDS application to create dynamic firewall rules to block traffic that the application believes is malicious. Using a SAM-enabled application allows you to add some level of reflexive access to block previously allowed traffic. The key is in remembering that the access can only be granted with the static security policy rules, not the SAM application's dynamic rules. For example, if an IDS system detected something suspicious like a connection attempt to a closed port, it would be able to close all access to all resources from the IP address in question for a configurable period of time. This would block traffic, such as browsing your Internet Website, which may be explicitly allowed in your security policy. The action taken by the firewall is configurable and can include anything from making an entry in the logs, disconnecting a session in progress, or blocking all further access from the offending host. You need to be especially careful when allowing SAM applications to create firewall rules. If not configured properly, you can inadvertently create a denial of service situation on your own servers. For example, if you block all data from any host that has tried to connect to a closed port for one hour, an attacker may send connection requests to your servers with spoofed IP addresses in order to cause your own firewall to block traffic from your customers. SmartDefense can be used to block attacks it recognizes (as discussed in Chapter 13), but other solutions may notice traffic that is also unauthorized. The SAM API allows other devices to tell the firewall to block connections as appropriate. The SAM protocol is discussed in more detail in Chapter 9.
Object Management Interface The Object Management Interface allows OPSEC applications to interact with the management server. The OMI has been replaced by the Check Point Management Interface, and has only been kept in NG for backward compatibility. New applications being developed with the NG OPSEC Software Development Kit (SDK) will use CPMI.
Check Point Management Interface Replacing OMI in the NG OPSEC SDK, the Check Point Management Interface allows OPSEC applications access to the management server's security policy and objects database. This can enable you to use objects already defined with the Policy Editor in other applications. Additionally, this secure interface can provide other applications access to create objects in the VPN-1/FW-1 database. The CPMI has three main benefits that OPSEC applications can take advantage of:
• CPMI can allow access to authentication information, enabling vendors to design single sign-on security solutions that take advantage of the authentication information already known to the firewall.
• Access to the Check Point object database can allow for report generation and alerting based on changes to monitored objects.
• Some management tasks can be automated, allowing software products to modify VPN-1/FW-1 in response to a security event.
UserAuthority API The UserAuthority API is designed to extend the firewall's knowledge of users' VPN and local area network (LAN) authentication to other applications. In addition to providing the information that applications need in order to enable a single sign-on model, the UAA can also be used to provide information needed to develop billing and auditing applications that track individual users instead of just sessions. The UAA also allows third-party applications to take advantage of the secure virtual network's (SVN) openPKI infrastructure for authentication. This reduces the vendor's need to develop their own authentication methods, which not only speeds development time for new applications, but also ensures compatibility with and leverages the investment in your existing infrastructure.
Other Resource Options When we examined CVP and UFP resources, we touched on the basics of URI and FTP resources to show how to use the third-party servers in the security policy. URI resources can be used to filter based on wildcard matches and can be configured using specially formatted files, which you could create or purchase. After covering the remaining URI filtering methods and functions, we'll have a closer look at the FTP resource that we used in the virus-scanning example earlier, and we will examine SMTP and TCP resources. The URI, SMTP, FTP, TCP and CIFS resources can be used in the rulebase in the same fashion as a normal service (such as HTTPS). The difference is in how the firewall handles the resource. When a packet matches a rule that uses a resource, the connection is handed off to the appropriate security server (if necessary) to make a control decision after inspecting the connection's content. This means that the packet must be approved by the resource before the rule's action will take effect. This is important to keep in mind when creating your rules, as you don't want to waste time virus-scanning files with a resource that will be dropped by the rule that caused the scan to be performed.
URI Resources In addition to the resource we examined earlier (Figure 7.9) to use a UFP server in the security policy, there are two other types of URI resources. URI file resources allow you to use a specially formatted file to load complete URL strings, while wildcard resources allow you to create completely custom match strings that may be as simple as looking for all executable files. When you select a type of URI resource on the General tab, the Match tab will change to offer specific options for that type of object (Wildcard, File, or UFP). We've already looked at the UFP Match tab (Figure 7.10), and will examine the File and Wildcard tabs next, but it's worth noting that regardless of which URI Match Specification Type you choose, the Action and CVP tabs remain unchanged. As we saw when we looked at CVP servers, the CVP tab (Figure 7.3) enables you to configure the resource's interaction with the CVP server. The Action tab, shown in Figure 7.14, enables you to specify some interesting things to further control and filter URI requests. Here you can enter a Replacement URI, which redirects the user's session to a site of your choice if the rule that matches this object sets the action to reject. Many companies use this option to redirect users to the corporate acceptable Internet-use policy when certain blocked URLs are requested.
Figure 7.14 URI Resource Properties--Action Tab
Limited content filtering is available through the use of HTML Weeding on the Action tab. You have five options for removing ActiveX, Java, and JavaScript code from the HTML data.
• Strip Script Tags Remove JavaScript information from the selected Web page.
• Strip Applet Tags Remove Java Applet information from the selected Web page.
• Strip ActiveX Tags Remove ActiveX information from the selected Web page.
• Strip FTP Links Remove links destined for an FTP site from the selected Web page.
• Strip Port Strings Remove port strings from the selected page.
Although removing this data from the HTML code before the user sees it does reduce the risk of malicious code being sent to your users, the data stripping is non-selective, so all tags are removed. In addition, you have the option, under Response Scanning, to block all Java execution. You need to consider how these settings may reduce the functionality of some pages and have a negative impact on your users before enabling this type of filtering. To achieve more granular control over these data types, you need to look into the services provided by a good CVP or UFP application.
URI File After selecting File on the URI Resource Properties General tab (Figure 7.15), the Match tab will display the import and export options, as seen in Figure 7.16. These options enable you to load the match string definitions from disk rather than having to create complicated match strings manually.
Figure 7.15 URI Resource Properties--General Tab
Clicking Import will enable you to specify the directory and filename of the file that contains the URIs you want to apply the filter to. The Export option will create a file containing the currently filtered URIs.
Figure 7.16 URI File Configuration
A URI specification file can be bought from companies that specialize in URL classification, or you can create your own. When creating a URI specification file, be sure to use an ASCII editor that uses \n as the new line character, as this is the character the security server expects at the end of each line. There are three parts to each line in the URI specification:
• The IP address of the blocked server.
• An optional path to filter.
• A category number. Typically, each line is set to 0 (zero), but you can pick any number you like. Be careful when applying service or feature packs to your firewall, as it is possible that Check Point may start using this field in the future, so you may need to adjust it to an acceptable value.
The completed line will look similar to this: 192.168.0.1 /home 0, which will deny any data request for information under the /home directory on the 192.168.0.1 server. Your firewall will require access to a domain name service (DNS) server if you use the name of the blocked resource rather than the IP address. Also, note that you could be generating a considerable amount of DNS traffic if you have a busy firewall and are using names rather than IP addresses, since each URI must be resolved before being checked.
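As an added example (not code from the book or from Check Point), the following Python parser reads a URI specification file in the three-field format just described, rejects files saved with the wrong line terminator, flags entries given by name rather than IP address (which would cost the firewall a DNS lookup), and answers whether a request falls under an entry. The sample file contents, the UriEntry type and the function names are all constructed for this illustration.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class UriEntry(NamedTuple):
    server: str            # IP address or host name of the blocked server
    path: Optional[str]    # directory to filter, or None for the whole server
    category: int          # category number (usually 0)
    needs_dns: bool        # True when the server was given by name, not IP


def parse_uri_spec(text: str) -> List[UriEntry]:
    """Parse a URI specification file: one 'server [path] category' entry per line.

    Lines must end in a bare "\\n". A "\\r" anywhere means the file was saved by an
    editor using a different line terminator than the security server expects,
    so the whole file is rejected rather than silently mis-parsed.
    """
    if "\r" in text:
        raise ValueError("URI specification file must use \\n line endings only")
    entries: List[UriEntry] = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        fields = line.split()
        if not fields:
            continue                       # tolerate blank lines
        if len(fields) == 2:               # path omitted: whole server
            server, path, cat = fields[0], None, fields[1]
        elif len(fields) == 3:
            server, path, cat = fields
        else:
            raise ValueError(f"line {lineno}: expected 'server [path] category'")
        if path is not None and not path.startswith("/"):
            raise ValueError(f"line {lineno}: path must start with '/'")
        try:
            category = int(cat)
        except ValueError:
            raise ValueError(f"line {lineno}: category {cat!r} is not a number") from None
        try:
            ipaddress.ip_address(server)
            needs_dns = False
        except ValueError:
            needs_dns = True               # a name: the firewall must resolve it
        entries.append(UriEntry(server, path, category, needs_dns))
    return entries


def spec_error(text: str) -> Optional[str]:
    """Return the first parse error as a string, or None if the file is well-formed."""
    try:
        parse_uri_spec(text)
    except ValueError as exc:
        return str(exc)
    return None


def is_blocked(entries: List[UriEntry], server: str, path: str) -> bool:
    """True if a request for `path` on `server` falls under any entry.

    An entry with a path covers that directory and everything beneath it
    (the book's "192.168.0.1 /home 0" denies everything under /home); an
    entry without a path covers the whole server.
    """
    for e in entries:
        if e.server != server:
            continue
        if e.path is None:
            return True
        prefix = e.path.rstrip("/")
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            return True
    return False


# Constructed sample file (not from the book), including the book's example line.
SAMPLE_SPEC = (
    "192.168.0.1 /home 0\n"
    "192.168.0.2 0\n"
    "blocked.example /downloads 0\n"
    "\n"
)
```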
URI Wildcards When you select the Wildcards option from the General tab on the URI Resource Properties window (Figure 7.17), you are offered several options on the Match tab that will help you build a customized string to search for. You'll also notice that a new tab, SOAP, is created.
Figure 7.17 URI Wildcard Resource General Tab
Figure 7.18 shows the predefined checkbox options available on the Match tab. As well as the commonly used schemes and methods provided, the Other option can be used to provide even greater flexibility.
Figure 7.18 URI Wildcards Match Specification
Under the Schemes section, you can select from the predefined common schemes of HTTP, FTP, Gopher, mailto, NEWS, and WAIS. If what you're looking for isn't among the six schemes provided, you can specify exactly what you need in the Other field. Most commonly, you'll be entering complete schemes to catch, such as HTTPS, but this field also supports wildcards, so you can, if needed, specify something similar to *tp in this field. This would enable you to catch any scheme that ended in the string 'tp' such as FTP, NNTP, SMTP, and HTTP, among others. You need to choose your wildcards carefully to ensure that you're not blocking or allowing something that you hadn't intended with a poorly written search string. The Methods section provides the most common HTTP methods in a predefined set of options:
• GET The GET method is used to retrieve all the information specified by a URI. It is commonly used to download a complete HTML file as part of a Web browser session.
• POST Used to ask the server to accept a block of data, and is usually found in forms to send input from the user back to the server for processing.
• HEAD This method functions almost exactly like GET, except that the entire requested resource is not returned. HEAD is commonly used to validate URL links and to check time and date stamps for modification (normally to see if a cached copy is still current).
• PUT This method is used to place data (normally files) into the location specified by the URI, and is unlike the POST method, which sends data to an application as input.
The Other field in the Methods section supports the following less-common methods as well as wildcards that can be used to specify a custom pattern to match.
• OPTIONS This method can be used to determine the parameters available and supported at a specified URL. The OPTIONS method is commonly used to retrieve information about the server or specific resources without using a method like GET or HEAD, which would attempt to retrieve the actual object.
• PATCH Functions like PUT except that only a list of changes or differences between the file specified in the URL and the client's copy is sent. This method is most likely to be used when dealing with large files that only receive small updates, so sending only the changes is more efficient than sending the entire file again.
• COPY The COPY method specifies a second URL in the request headers and instructs the server to place a copy of the specified resource at the location defined in the headers. This would enable the user to copy data from one server to another without having to download a copy of the data first, and is commonly used if the network between the servers is faster than between the client and the servers.
• DELETE Instructs the server to delete the resource (normally a file) specified in the URL.
• MOVE The MOVE method will first copy the data to another specified URL then delete the original.
• LINK Allows you to create relationships between resources and is similar to the ln command on UNIX systems.
• UNLINK Deletes the relationships created by LINK.
• TRACE The TRACE method is normally used for testing and will cause the server to echo back the information it receives from the client. This allows the client to analyze the information that was received by the server and compare it to what was sent.
The final section of the Match tab allows you to specify the host, path, and query options to match. The Host option can be specified by name (such as www.syngress.com) or by IP address. If you specify the host by name, you will need to ensure that the firewall has access to a DNS server to resolve the name to an IP address. You can use wildcards to help build the pattern to match if needed. The Path option must include the directory separation character (normally /) in order for a match to be made. When you define the path to match, you must specify the complete path, down to the individual file, or use wildcards to match all files or directories. Table 7.1 shows common strings used in the path field and how they will match to incoming data.
Table 7.1 Path Field Search Examples
String            Results
/home             Will match a file called home in any directory. For example, /home and /mysite/mydir/home would both be matched. In either case, if home was a directory, no match would be found.
/home/*           Will match all files and directories under the home directory. For example, /home/index.htm and /home/files/index.htm would be matched.
*/home/*          Will match any URI that contains the directory home, so files in /home would be matched as well as files in /mydir/home/mysite.
*/index.htm       Will match the file index.htm in any directory.
*/*.mp+           Will match three-character file extensions that start with "mp," such as mp3 and mpg.
*/*.{exe,zip,gz}  Will match all files that end in .exe, .zip, and .gz in any directory.
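As an added example (not code from the book or from Check Point), here is a Python matcher that implements the wildcard semantics shown in Table 7.1 and in the *tp scheme discussion above, so that a proposed Path or Other-field string can be checked against sample requests before it goes into a resource. The translation rules are inferred from the table: * is any run of characters, + is exactly one character (so *.mp+ catches mp3 and mpg but not mpeg), {a,b} is an alternation; the rule that a pattern such as /home may match a trailing portion of the path is an assumption drawn from the table's first row, and the function names and sample paths are constructed.

```python
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a URI wildcard match string into a regular expression.

    Assumed semantics, inferred from Table 7.1 and the scheme discussion:
      *          any run of characters (possibly empty)
      +          exactly one character (so "*.mp+" catches mp3 and mpg)
      {a,b,c}    any one of the listed alternatives
    Everything else is matched literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "+":
            out.append(".")
        elif c == "{":
            end = pattern.find("}", i)
            if end == -1:
                raise ValueError(f"unterminated '{{' in pattern {pattern!r}")
            alts = pattern[i + 1:end].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def path_matches(pattern: str, path: str) -> bool:
    """Apply a Path-field pattern to a request path, following Table 7.1.

    The book says a path pattern must contain "/" or it cannot match at all.
    Table 7.1 also shows "/home" matching /mysite/mydir/home, so a pattern that
    does not start with "*" is assumed here to match any trailing portion of the
    path that begins at a directory separator (an assumption; the book gives
    only that example).
    """
    if "/" not in pattern:
        return False
    regex = wildcard_to_regex(pattern)
    if not pattern.startswith("*"):
        regex = ".*" + regex
    return re.fullmatch(regex, path) is not None


def scheme_matches(pattern: str, scheme: str) -> bool:
    """Apply an Other-field scheme pattern such as "*tp" (case-insensitive)."""
    return re.fullmatch(wildcard_to_regex(pattern), scheme, re.IGNORECASE) is not None


# Constructed request paths run against the six strings from Table 7.1.
TABLE_7_1 = [
    ("/home", "/home", True),
    ("/home", "/mysite/mydir/home", True),
    ("/home", "/home/index.htm", False),      # home as a directory: no match
    ("/home/*", "/home/index.htm", True),
    ("/home/*", "/home/files/index.htm", True),
    ("*/home/*", "/home/x.gif", True),
    ("*/home/*", "/mydir/home/mysite/a.gif", True),
    ("*/index.htm", "/a/b/index.htm", True),
    ("*/index.htm", "/a/b/index.html", False),
    ("*/*.mp+", "/music/song.mp3", True),
    ("*/*.mp+", "/video/clip.mpg", True),
    ("*/*.mp+", "/video/clip.mpeg", False),   # "+" is one character only
    ("*/*.{exe,zip,gz}", "/dl/setup.exe", True),
    ("*/*.{exe,zip,gz}", "/dl/archive.tar", False),
]


def check_table() -> bool:
    """True when every row of TABLE_7_1 behaves as the book describes."""
    return all(path_matches(p, path) == expected for p, path, expected in TABLE_7_1)
```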
The Query field can be used to match on any string of characters found after a question mark (?) in a URL. Since wildcards are supported here as well, it is not necessary to know the exact placement of the key words you are looking for in the query. For example, this will allow you to block or redirect searches for keywords that are in violation of your Internet acceptable-use policy.
When working with URI resources, it is common to use a single asterisk in the three match fields so that all possible requests can be matched. However, when using CVP servers, it is often useful to do specific file matching with wildcards in the path field to ensure that only supported data types are sent to the server to be scanned. The final tab is the SOAP tab. SOAP stands for Simple Object Access Protocol. It is a lightweight protocol used in the exchange of information in a decentralized, distributed environment. SOAP messages are encoded in XML (Extensible Markup Language). A full discussion of SOAP and XML is well outside the scope of this book. More information can be found in other books or at http://www.w3.org/TR/SOAP/. The SOAP option can only be used with HTTP connections that are accepted. It is not usable if the action is drop or reject. The additional checking that VPN-1/FW-1 does when Allow all SOAP requests is selected is to confirm that the SOAP requests conform to RFC standards (see Figure 7.19). When selecting Allow SOAP requests as specified in the following file, a file named scheme1 through scheme10 in the management station's $FWDIR/conf/XML directory will specify the namespaces and methods used for the exchange. The namespace and XML methods being passed can be viewed in SmartView Tracker by setting the Track SOAP connections option. An example can be seen in $FWDIR/conf/XML/SchemeSample.dat. The syntax for the file is as follows:
namespace method
Example:
http://tempuri.org/message/ EchoString
http://tempuri.org/message/ SubtractNumbers
Figure 7.19 URI Wildcards SOAP Specification
SMTP Resources The SMTP resource defines the methods used by VPN-1/FW-1 to control and manipulate incoming and outgoing e-mail. There are many options, including the ability to remove active scripting components, rewriting fields in the envelope (such as to: or from:), or filtering based on content. The configuration of an SMTP resource is similar to that of URI resources, including the ability to use a CVP server to provide third-party content filtering. Figure 7.20 shows the General tab of the SMTP Resource Properties window that is used to set basic operational parameters for the resource.
Figure 7.20 SMTP Resource Properties--General Tab
This tab includes the standard initial object setup of name, comment, and color. If you want to forward all messages to another server, specify its name or IP address in the Server text field. Enable the Deliver messages using DNS/MX records option to have these messages delivered directly to the specified server rather than to a group of servers used for redundancy purposes. The Check Rule Base with new destination option can be used to instruct the security server to recheck the SMTP message's destination server against the security policy after being modified by the SMTP resource. Identical settings are available for the handling of error mail messages if the Notify sender on error option is selected. The Match tab, shown in Figure 7.21, has only two option fields that control how to match messages being examined by the security server. The Sender and Recipient fields are used to define the addresses you want to work with. Wildcards are supported in these fields to provide the ability to specify all addresses (using *) or all users in a specific domain (with *@domain.com) if needed. The example shown in Figure 7.21 shows how an administrator would allow incoming mail to mycompany.com, but not allow relays or outgoing mail. In most cases an administrator would configure two resources, one for inbound mail and another for outbound mail.
Figure 7.21 SMTP Resource Properties--Match Tab
When you create a new SMTP resource, the Sender and Recipient fields are blank and must be filled in before the resource will function. You need to be careful with these options, though; it's common to just set the Recipient field to an asterisk to save time. You need to keep in mind that the resource defines how the security server will function, and by placing an asterisk in both of the available fields, you could be allowing external hosts to bounce mail off your firewall. This makes your firewall an open relay for SMTP traffic, and aside from the possibility of your server being used to send unsolicited bulk e-mail (spam), many domains and even some ISPs may refuse to accept SMTP traffic from your domain if it's found that you have an open relay. For information on blocking open relays from your domain, or checking to see if you've become blacklisted, check an open relay database site such as www.ordb.org and check your postmaster@yourdomain.com mailbox. The Action1 tab has a few simple options that allow you to re-address messages and change limited content. The Sender and Recipient fields allow you to re-address messages on a single-user basis, or by using wildcards, to translate addresses for an entire domain. The Field option allows you to modify data in any of the other standard SMTP fields such as the carbon copy (cc), blind carbon copy (bcc), or subject. Once you've specified the field to change, you need only specify the string to look for, and what to replace it with. Shown in Figure 7.22, this tab is very useful if you have recently changed your SMTP domain name but still have a few messages coming to the old domain. Using the simple rewrite options shown, you could easily translate an address such as joe@olddomain to the corresponding address at the new domain. The Help button for this section has some useful information in the section entitled Using Wildcards and Regular Expressions in Resources. It also defines how you can specify multiple rewriting rules even though you see only one text box.
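As an added example (not code from the book or from Check Point), the following Python lint takes the Sender and Recipient patterns of an SMTP resource's Match tab and classifies what the security server would accept, so that the asterisk-in-both-fields mistake described above is caught before the policy is installed. It treats only * as a wildcard, as the text describes; the classification labels, the SmtpMatch type, the helper names and the sample resources (modelled on the inbound-only example for mycompany.com) are constructed for this illustration.

```python
import re
from typing import List, NamedTuple


class SmtpMatch(NamedTuple):
    """The Sender and Recipient patterns from an SMTP resource's Match tab."""
    sender: str
    recipient: str


def addr_matches(pattern: str, address: str) -> bool:
    """Match an address against a pattern in which "*" stands for any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, address, re.IGNORECASE) is not None


def restricted_to_local(pattern: str, local_domains: List[str]) -> bool:
    """True only if every address the pattern can match lies in local_domains.

    Conservative by design: a pattern with no "@" (such as a bare "*"), or with
    a wildcard anywhere in its domain part, is treated as reaching outside
    domains, because from the firewall's point of view it might.
    """
    if "@" not in pattern:
        return False
    domain = pattern.rsplit("@", 1)[1]
    if "*" in domain:
        return False
    return domain.lower() in {d.lower() for d in local_domains}


def relay_risk(match: SmtpMatch, local_domains: List[str]) -> str:
    """Classify what the resource lets the SMTP security server accept.

    Returns one of:
      "incomplete"  a field is blank, so the resource will not function yet
      "inbound"     recipients limited to your domains (mail in, no relay)
      "outbound"    senders limited to your domains (mail out, no relay)
      "internal"    both sides limited to your domains
      "open-relay"  anyone may send to anyone through the firewall
    """
    if not match.sender.strip() or not match.recipient.strip():
        return "incomplete"
    sender_local = restricted_to_local(match.sender, local_domains)
    recipient_local = restricted_to_local(match.recipient, local_domains)
    if sender_local and recipient_local:
        return "internal"
    if recipient_local:
        return "inbound"
    if sender_local:
        return "outbound"
    return "open-relay"


def would_accept(match: SmtpMatch, sender: str, recipient: str) -> bool:
    """Would a message with this envelope sender and recipient match the resource?"""
    return addr_matches(match.sender, sender) and addr_matches(match.recipient, recipient)


# Constructed resources: the inbound-only style shown for mycompany.com, an
# outbound counterpart, and the mistake the text warns about (asterisk in both).
LOCAL = ["mycompany.com"]
INBOUND = SmtpMatch(sender="*", recipient="*@mycompany.com")
OUTBOUND = SmtpMatch(sender="*@mycompany.com", recipient="*")
WIDE_OPEN = SmtpMatch(sender="*", recipient="*")
```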
Figure 7.22 SMTP Resource Action Tab Showing Address Rewrite
The Action2 tab allows the removal of information found within the body of the message. The Attachment handling section provides two simple methods of discarding attachments from messages. In Figure 7.23, the resource is configured to strip attachments of the message/partial type. There are seven supported options, as defined in RFC 2046, for removing specific file types:
• Text
• Multipart
• Image
• Message
• Audio
• Video
• Application
You can use the Strip file by name field to remove files based on a pattern, using wildcards if needed, rather than by Multipurpose Internet Mail Extension (MIME) type. This field is often used to stop "zero day" or new viruses and worms that spread via e-mail. It's often faster to start filtering out viruses by their specific attachment names (once known), than it is to update the virus signatures throughout your entire enterprise. In Figure 7.23, files ending with the extension .exe, .vbs, or .scr will be stripped. If nothing else, this function will buy you enough time to update your signatures properly while you block new infections from entering (or leaving) your network. Use the Do not send mail larger than field to specify the maximum allowable message size. Use the Allowed Characters options to specify whether the security server will accept messages in either 7- or 8-bit ASCII. The Weeding section allows you to remove Java, JavaScript, ActiveX, FTP URI links, and Port strings from the message's headers and body.
Figure 7.23 SMTP Resource Properties--Action2 Tab
One common mistake made when creating SMTP resources is not checking the Do not send mail larger than field. By default, messages larger than 10,000 KB will be dropped. Note that in NG AI the default maximum message size has been raised to 10,000 KB, compared with 1,000 KB in its predecessor. This is because many attachments are larger than the previous limit of just under one megabyte. Aside from irritating users, failing to check this option often resulted in e-mail administrators spending hours troubleshooting lost SMTP messages, since the security server would discard the entire message. The CVP tab of the SMTP Resource Properties window provides the standard options we discussed when examining CVP servers. The only exception, as shown in Figure 7.24, is the addition of a single SMTP-only option, Send SMTP headers to CVP server. This option instructs the CVP server to scan messages' full headers in addition to the message body.
Figure 7.24 SMTP Resource Properties--CVP Tab
FTP Resources We looked at FTP resources briefly when we first examined CVP servers. In addition to enabling you to send FTP data streams to another server for content filtering, FTP resources can be used without a CVP server to just control FTP sessions. The General tab in the FTP Resource Properties window (Figure 7.25) allows you to specify the normal VPN-1/FW-1 object information, but the interesting options (aside from the CVP tab) are on the Match tab.
Figure 7.25 FTP Resource Properties--General Tab
The Match tab, shown in Figure 7.26, contains three options that allow you to control the actual FTP session. The Path field allows you to specify specific file paths, using wildcards if desired, to perform actions on. The most interesting and useful part of the FTP resource is the use of GET and PUT, since they enable you to control FTP functions. Using these options will allow you to control the commands that your users can issue to remote servers. Allowing your users to GET but not PUT will prohibit them from pushing data out of your network, while still allowing them to download files as needed. Allowing PUT but not GET would be a good solution for a publicly accessible FTP server used to receive files from your business partners, since they could upload files to you, but could not download anything.
Figure 7.26 FTP Resource Properties--Match Tab
The FTP Resource CVP tab enables you to specify a CVP server to send matched data to, and defines the interaction between the FTP security server and the CVP server. Similar to the example you looked at when examining CVP server objects, Figure 7.27 shows how to scan incoming files for viruses. By enabling the CVP Server is allowed to modify content option, you can specify that infected files are to be cleaned. If this option was unchecked, all infected files would be discarded.
Figure 7.27 FTP Resource Properties--CVP Tab
TCP The TCP resource allows you to work with services not handled by built-in security servers, and has only two methods of operation. You can use the TCP resource as a generic daemon, providing an alternative to the HTTP security server, for interaction with a CVP server. Additionally, you can use the TCP resource to screen URLs via a UFP server without the intervention of the security server. Note that the UFP server must support this sort of interaction, as the format of its incoming data stream will not be in full URI format, since only the IP-based URL is available without the security server. The TCP resource has three possible tabs, only two of which are displayed at any time. The Type option on the General tab (Figure 7.28) enables you to select either UFP or CVP, and this dictates which other tab (UFP or CVP) is offered for configuration.
Figure 7.28 TCP Resource Properties--General Tab
After checking UFP on the General tab, you can then access the UFP tab (shown in Figure 7.29) and configure the associated tab. The UFP configuration on this tab is similar to other resources that use UFP servers. You need only to select the UFP server that this resource will be using, configure the caching method, and select the categories against which this data stream will be checked from the supplied list.
Figure 7.29 TCP Resource Properties--UFP Tab
If you select CVP on the General tab, you will be presented with the CVP tab (Figure 7.30), which allows you to configure the resource's interaction with the CVP server. You will need to specify which CVP server to use from the drop-down list on the CVP tab. The other options here are identical to those of the CVP objects you've looked at before, and enable you to configure whether the CVP server is allowed to modify the content passed to it and to specify the method by which data is returned to the security server.
Figure 7.30 TCP Resource Properties – CVP Tab
CIFS
With a CIFS resource, an administrator can grant granular access to shares on a server to different user groups or to everyone. CIFS resources are most common when controlling access to internal servers from the LAN or controlling access to a file server across a site-to-site VPN. CIFS is the protocol used for file and print services between clients and servers on the network. Legacy CIFS connections (implemented over NetBIOS) run over port 139. In Windows 2000 and later, the Microsoft-DS protocol (running over port 445) is used. A single CIFS resource can be used with both ports to ensure consistent enforcement across both file-sharing protocols. In Figure 7.31, the resource could be used in a rule to grant access to the shares for only certain source addresses or certain users, or to deny access to the shares to the entire LAN. It all depends on how the resource rule is created.
Figure 7.31 CIFS Resource Properties – General Tab
Summary
Check Point's OPSEC standards program certifies that third-party applications meet minimum integration and compatibility requirements with the VPN-1/FW-1 products. This, in essence, extends the reach of your VPN-1/FW-1 security infrastructure to encompass areas where highly specialized or customized solutions are required to meet the needs of your network. Through the use of CVP and UFP application servers, you are able to extend the information used by VPN-1/FW-1 to make data control decisions to include input from third-party solutions. In addition to providing you with greater flexibility, this enables you to build best-of-breed solutions into your firewall from vendors that specialize in the task you need to perform.
CVP is used to send an entire data stream, such as a downloaded file, to another server to be validated either as a whole or in parts. This validation can be as simple as checking the file for viruses or using image recognition software to discard images that may not be acceptable in your environment. In many cases, such as when using a virus scanner, the CVP server may modify the data before returning it to the security server to be passed along to its final destination. CVP objects can be grouped together to share load among servers performing a similar function, or servers can be chained together to perform multiple actions and validation checks on the data before returning it to the firewall.
UFP is used to check the scheme and path of data resource requests. UFP is most commonly used for HTTP traffic to control access to sites that may not be appropriate in a corporate setting, but can also be used with other protocols. UFP servers enable you to choose from predefined categories to specify which sites are to be filtered or denied from the data requests passing through the firewall. UFP applications often come with a subscription service that provides updates to the database of sites and categories known to the product, as well as enabling you to specify your own, so that your protection is kept up to date. As with CVP resources, you can group UFP servers together to provide high availability and load sharing among servers providing the same service. You cannot, however, chain UFP servers together.
AMON is new to the NG version of VPN-1/FW-1 and provides a method for third-party servers to report status information to the firewall products. This allows you to monitor the status of other security devices using the tools from Check Point, or other vendor tools that you're already using to keep an eye on
OPSEC applications can also access VPN-1/FW-1 information and resources by using LEA, ELA, SAM, OMI, CPMI or UAA. These client applications are not normally used in the data control process as OPSEC servers are, but often make use of the status, log, and object databases to report on and manipulate VPN-1/FW-1 devices and applications.
There are five major types of resources in VPN-1/FW-1: URI, SMTP, FTP, CIFS, and TCP. URI is the most common and offers the greatest flexibility, since URI resources can be created using wildcards or from specially formatted files that define the pattern to match on. Most commonly, URI resources are used with CVP or UFP servers as a method to move data between the security policy and third-party servers. SMTP resources allow you to manipulate e-mail messages and provide a method to replace or substitute information in certain fields as messages pass through the firewall. FTP resources allow you to control FTP sessions down to the level of being able to specify whether users can issue GET or PUT commands, as well as the ability to stop users from accessing specific paths on the server. Both SMTP and FTP resources support using CVP servers to validate data coming into or leaving your protected networks. The TCP resource enables you to use either a UFP or a CVP server with TCP data that is not handled by one of the built-in security servers. A CIFS resource is used to granularly control access to file and print servers based on user, server, or share name.
Solutions Fast Track
OPSEC Applications
• Using third-party OPSEC-certified applications enables you to build onto your existing Check Point security infrastructure to address specific security needs, while ensuring compatibility and interoperability.
• There are three types of OPSEC server applications: CVP, UFP, and AMON. UFP and CVP servers interoperate with VPN-1/FW-1 by passing data back and forth and participating in the control process, whereas AMON is used by other applications to report status information back to the firewall management server.
• OPSEC client applications, as a general rule, either send or receive data from VPN-1/FW-1, and generally do not affect the control process directly as servers do. There are six methods for OPSEC clients to send or receive data from VPN-1/FW-1: LEA, ELA, SAM, OMI, CPMI, and UAA.
• ELA allows third-party applications to send log data to the VPN-1/FW-1 log database for consolidation and alerting functions.
• LEA provides a method for applications to extract log data from the central log database, either historically or in real time.
• SAM provides a conduit for IDS devices to signal and make changes to the current security policy, such as blocking traffic from a specific host.
• The OMI provides support for legacy applications that need to access the VPN-1/FW-1 object database. CPMI replaces OMI in the NG version of VPN-1/FW-1.
• CPMI allows applications to access the object database as well as authentication information known to the firewall. CPMI also provides the needed APIs to allow third-party applications to make limited changes to the security policy.
• The UAA can be used to access VPN and LAN authentication information from VPN-1/FW-1. This allows applications to be designed to use existing logon information to provide single sign-on capabilities.
Content Vectoring Protocol
• CVP is normally used for sending data, such as binary files or e-mail messages, from VPN-1/FW-1 to a third-party server to be scanned. The results of the scan have a direct impact on the control decision for that data, which can include blocking the data entirely or just modifying it to an acceptable format (in the case of removing a virus).
• CVP resources are created using an OPSEC Application object as the server to send data to, and contain configuration settings for what actions the CVP server is to perform on the data.
• CVP groups allow you to load share between servers or chain multiple CVP servers together to perform different tasks one after another. Load sharing splits the incoming work to be done evenly among the defined servers, using the method that you specify.
URI Filtering Protocol
• A URI describes how to access a resource and is made up of two parts. The scheme defines which protocol (such as HTTP) to use and is separated by a colon from the path to the desired resource.
• UFP can be implemented through the use of URI resources in the security policy, and allows you to examine and filter URIs passed from the VPN-1/FW-1 security servers as part of the control decision.
• UFP is commonly used to verify that requested or returned URLs conform to an acceptable standard, by classifying URLs into categories and enabling you to choose which categories are permissible in your environment.
• UFP groups enable you to share load between multiple UFP servers to increase efficiency and provide availability if a UFP server should fail.
Other Resource Options
• URI file resources allow you to use a specially formatted file to define the URIs that you want to filter on. This option is commonly used when you have many URIs to filter but do not want to use a UFP server.
• URI wildcards allow you to build a completely customized URI string to match to incoming data. The flexibility of wildcards enables you to filter on a specific file extension or even specify entire IP address blocks.
• SMTP resources enable you to inspect and modify e-mail traffic passing through your firewall. You can, for example, modify sender or recipient information in addition to the data within the body of the message. It is also possible to perform limited screening for potentially malicious content by removing ActiveX and/or Java code from the messages. For more granular screening capabilities, the SMTP resource enables you to send e-mail messages, with complete headers, to a CVP server to be analyzed.
• FTP resources allow you to control FTP data streams. In addition to looking for certain paths or file names being requested, you can control when and where your users can use the FTP GET and PUT commands to control data moving into or out of your network.
• The TCP resource allows you to send data from TCP protocols not covered by the normal security servers to a CVP or UFP server for inspection.
• The CIFS resource enables an administrator to very granularly define access to file and print sharing servers over the NetBIOS and Microsoft-DS protocols.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: My URI specification file looks okay, but it doesn't work properly. What should I look for?
A: There are three major parts to each line in the URI specification file. After you've entered the IP address, path, and category, you must end each line with a new line character (\n). If you use a Windows-based computer to build your file, ensure that you use an editor that uses only \n when you end a line. The WordPad application or Edit (run from a cmd.exe window) will create the file properly, whereas the Notepad application may not. When in doubt, add an extra new line character at the end of the file.
Q: What are the valid wildcard characters?
A: There are only four characters that can be used as wildcards in resource definitions, such as a URI wildcard object: The asterisk (*) can be used to match any number of characters. The plus sign (+) can be used to match a single character only. For example, '+tp' will match 'ftp' but not 'http.' The ampersand (&) can only be used with SMTP addresses and allows you to manipulate information on either side of the @ symbol for address replacement objects. For example, changing from "[address elided]" in an object to "[address elided]" results in "jim@yournewsite.com." A list of strings may be separated with commas (,) to match any one of the specified strings. The case of "{hr,sales}@yoursite.com" will match "hr@yoursite.com" and "sales@yoursite.com."
Q: What OPSEC applications are available?
A: The list of OPSEC-certified applications grows every day. At the time of this writing, there are over 300 certified OPSEC vendors, each with one or more certified applications. This means that when you're looking for a third-party product to fill a specific security need in your organization, odds are that there is an OPSEC-certified product available. The current list of OPSEC-certified products and vendors can be found at www.opsec.com.
Q: How do I block the latest virus that is spreading today?
A: In addition to the capabilities of SmartDefense discussed later in this book, if the virus is spread through http/ftp downloads and/or through e-mail attachments, then you can use VPN-1/FW-1 resources to block these connections. Using the Nimda virus as an example, you could use the SMTP file and/or MIME stripping to match MIME attachments of type audio/x-wav and the filename of readme.exe. Then use a URI wildcard resource to match HTTP GETs to any host and any query match. Fill in the Path field with the following string: {*cmd.exe,*root.exe,*admin.dll,*readme.exe,*readme.eml,default.ida}. Then just use these resources in rules that drop or reject the connections. For more information on blocking Nimda, see Check Point's public knowledge base (support.checkpoint.com/public) article sk7473.
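The two answers above (the wildcard characters, and the Path string used to catch Nimda requests) describe pattern semantics that are easy to get wrong in a live rule. The following is an added example, written for this edition and not Check Point's own matcher, that models those four wildcard characters so a pattern can be checked against sample URLs and addresses before it goes into a URI wildcard or SMTP address-replacement object. It assumes that a pattern must match the whole value and that matching is case-insensitive; the book does not state the engine's exact behaviour on either point, and the address-replacement patterns used below are constructed samples.

```python
import re
from typing import Optional

# Added example, not Check Point's code: a model of the four resource wildcard
# characters described in the FAQ (*, +, & and comma lists in braces).
# Assumptions: the whole value must match, and matching is case-insensitive.


def wildcard_to_regex(pattern: str) -> str:
    """Translate a FW-1 style wildcard pattern into a regular expression.

    *          any number of characters
    +          exactly one character
    {a,b,c}    any one of the comma-separated alternatives; each alternative
               may itself contain wildcards, as in {*cmd.exe,*root.exe}
    &          (SMTP addresses) everything on one side of the '@'
    Every other character matches literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "+":
            out.append(".")
        elif ch == "&":
            out.append("([^@]*)")          # captured so it can be carried over
        elif ch == "{":
            end = pattern.index("}", i)
            alts = [wildcard_to_regex(a.strip()) for a in pattern[i + 1:end].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return "".join(out)


def matches(pattern: str, value: str) -> bool:
    """True when the whole value matches the wildcard pattern."""
    return re.fullmatch(wildcard_to_regex(pattern), value, re.IGNORECASE) is not None


def replace_address(match_pattern: str, replace_pattern: str, address: str) -> Optional[str]:
    """Model of an address-replacement object: the text matched by '&' in
    match_pattern is carried into the '&' of replace_pattern.
    Returns None when the address does not match at all."""
    m = re.fullmatch(wildcard_to_regex(match_pattern), address, re.IGNORECASE)
    if m is None:
        return None
    carried = m.group(1) if m.groups() else ""
    return replace_pattern.replace("&", carried)


# The Path string from the Nimda answer above, as it would be entered in the
# URI wildcard resource. Note that 'default.ida' carries no leading '*', so as
# written it matches only when the whole path is 'default.ida'.
NIMDA_PATHS = "{*cmd.exe,*root.exe,*admin.dll,*readme.exe,*readme.eml,default.ida}"

if __name__ == "__main__":
    print(matches("+tp", "ftp"), matches("+tp", "http"))      # True False
    # Constructed address-replacement sample (domains are placeholders).
    print(replace_address("&@yoursite.com", "&@yournewsite.com", "jim@yoursite.com"))
    for path in ("/scripts/root.exe", "/index.html", "default.ida", "/default.ida"):
        print(path, matches(NIMDA_PATHS, path))
```

Running the block shows why the last alternative behaves differently from the others: the patterns with a leading asterisk match the file name anywhere in the requested path, while the bare 'default.ida' matches only an exact path, which is worth knowing before relying on a rule built from that string.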
Q: Why do my users receive the error "FW-1 Unknown WWW Server" intermittently?
A: If your firewall cannot resolve the Web site name to an IP address (DNS), it will present this error when a Web browser has the firewall defined as a proxy. Sometimes other problems with the HTTP security server may result in this error as well. You may want to try some of the objects_5_0.C changes or contact support for assistance.
Q: My users are complaining that they cannot connect to certain sites and they are receiving the following message: "Web site found. Waiting for reply..." All of these sites seem to include a double slash in them. Is there a problem with the firewall?
A: If the site your users are trying to access contains a double slash within the URL GET command, then the GET command does not conform to RFC 2616 standards (according to Check Point), and the security server will not allow a connection. Your only option (if you must pass the site) is to bypass the security server by creating an HTTP accept rule specifically for this destination above any HTTP resource rules defined in your VPN-1/FW-1 security policy. See Check Point's public knowledge base article sk13834 for more information.
Q: In FireWall-1 4.1, there were several objects.C file modifications for the HTTP security server that resolved several problems. Are the same changes available in NG?
A: Yes, most of the changes that you implemented in 4.1 can be used in NG as well. To edit the objects_5_0.C file, you need to use the dbedit utility in NG. Some changes are as follows:
    :http_disable_content_type (false)
    :http_disable_content_enc (true)
    :http_enable_uri_queries (false)
    :http_max_header_length (8192)
    :http_max_url_length (8192)
    :http_avoid_keep_alive (true)
These are the default settings that are in the objects.C file in NG HF1:
    :http_allow_content_disposition (false)
    :http_allow_double_slash (false)
    :http_allow_ranges (false)
    :http_avoid_keep_alive (false)
    :http_block_java_allow_chunked (false)
    :http_buffers_size (4096)
    :http_check_request_validity (true)
    :http_check_response_validity (true)
    :http_cvp_allow_chunked (false)
    :http_disable_ahttpd_html (false)
    :http_disable_automatic_client_auth_redirect (false)
    :http_disable_cab_check (false)
    :http_disable_content_enc (false)
    :http_disable_content_type (false)
    :http_dont_dns_when_star_port (false)
    :http_dont_handle_next_proxy_pw (false)
    :http_failed_resolve_timeout (900)
    :http_force_down_to_10 (0)
    :http_handle_proxy_pw (true)
    :http_log_every_connection (false)
    :http_max_auth_password_num (1000)
    :http_max_auth_redirect_num (1000)
    :http_max_connection_num (4000)
    :http_max_header_length (1000)
    :http_max_header_num (500)
    :http_max_held_session_num (1000)
    :http_max_realm_num (1000)
    :http_max_server_num (10000)
    :http_max_session_num (1000)
    :http_max_url_length (2048)
    :http_next_proxy_host ()
    :http_next_proxy_port ()
    :http_no_content_length (false)
    :http_old_auth_timeout (0)
    :http_process_timeout (43200)
    :http_proxied_connections_allowed (true)
    :http_query_server_for_authorization (false)
    :http_redirect_timeout (300)
    :http_servers (
        : (
            :Uid ("{6CAC512A-202F-11D6-AB57-C0A800056370}")
        )
    )
    :http_session_timeout (300)
    :http_skip_redirect_free (true)
    :http_use_cache_hdr (true)
    :http_use_cvp_reply_safe (false)
    :http_use_default_schemes (false)
    :http_use_host_h_as_dst (false)
    :http_use_proxy_auth_for_other (true)
    :http_weeding_allow_chunked (false)
Chapter 8
Managing Policies and Logs
Solutions in this Chapter:
• Administering Check Point VPN-1/FW-1 NG AI for Performance
• Administering Check Point VPN-1/FW-1 NG AI for Effectiveness
• Administration Tasks
Summary
Solutions Fast Track
Frequently Asked Questions
Introduction
In this chapter we strive to give you some basic firewall administrator knowledge and show you how to administer the enterprise security software package VPN-1/FW-1 Next Generation with Application Intelligence (NG AI) so that it doesn't get too big for you to handle. It's very easy for several administrators to be involved in policy development and manipulation, but if you have too many people involved in a security system such as a firewall, you need to keep strict vigilance and record who is making changes, when, and why. Otherwise, you could end up with a misconfigured firewall, which could compromise the security it is meant to provide.
Besides monitoring administrator activities, you should also keep software up to date. You should frequently check Check Point's Web site for the latest security patches and software updates. Sometimes these updates require you to modify configuration files or to stop and start your firewall services, and we discuss how to go about performing those tasks in this chapter.
This chapter covers performance related to your security policy and logs and discusses what to do when you have multiple firewalls in various locations. It tells you about your firewall's log files and some ways to administer your logs so that you don't run into disk space issues. This chapter also equips you with several command-line options that you can use to perform maintenance or troubleshoot your firewall.
As a Check Point NG AI administrator, you have three main goals with respect to administration. They are as follows:
• Performance Because the Check Point NG AI firewall is the point through which all traffic between the unprotected and protected networks flows, performance is critical. A poorly performing firewall will quickly bring complaints from users and eventually from your boss.
• Effectiveness The effectiveness of the firewall is a vital concern. If the firewall isn't doing its job of controlling and monitoring access, it isn't any good. In fact, an ineffective firewall could open up your organization to multiple vulnerabilities.
• Recovery capability Because the Check Point NG AI firewall is such a crucial piece of your network architecture, forget about rebuilding a firewall from scratch to its pre-crash state, duplicating the many rules and properties from memory. You need to be able to recover your configuration and security policy quickly and effectively should disaster strike.
Administering Check Point VPN-1/FW-1 NG AI for Performance
With FW-1 NG AI, Check Point has made a number of improvements over previous versions. One major improvement is with INSPECT XL, which is responsible for evaluating packets based on rules. The new version of INSPECT XL is supposed to be optimized and much more efficient because it uses only one state table, as opposed to earlier implementations that used multiple state tables. Despite these improvements, it is important to ensure that your firewall is performing up to your expectations as well as everyone else's. There are a number of "best practices" that you should keep in mind when configuring and administering your firewall to ensure that Check Point NG performance is at its optimum.
Configuring NG for Performance
There are a number of things that you can do when you're initially configuring FW-1 NG AI so that it provides optimum performance for your environment:
• Use hosts files on management servers and remote enforcement modules.
• Disable decryption on accept.
• Modify logging Global Properties.
The recommendation to use hosts files should be part of every installation. To clarify, every time you install a policy, the management station must resolve its own name to an IP address, as well as the name of each of the enforcement modules onto which it is installing policy. In the event that a DNS server cannot be contacted or the name is not found in DNS, policy installations can fail or take a very long time, both undesirable consequences. Using hosts files, the host will parse the hosts file first for IP address mappings and not make a network query. This will speed up the install of the security policy and ensure that it will install even during times when DNS servers are unavailable. On UNIX systems, the hosts file is located at /etc/hosts. On Windows NT/2000, the hosts file is located at %SystemRoot%\System32\drivers\etc\hosts. For example, if the name of your FW-1 object in the Rule Base GUI is ExternalFW, you must be sure that the name ExternalFW is mapped to an IP address in the hosts file. Additionally, let's say that part of your policy installs policy onto a remote firewall named RemoteFW. The mapping of RemoteFW must also be defined in the hosts file. Here is a sample hosts file:
    127.0.0.1       localhost
    11.12.13.14     ExternalFW
    15.16.17.18     RemoteFW
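Because a policy install that cannot resolve a gateway name silently falls back to DNS, it is worth verifying the hosts file against the gateway objects before installing. The following is an added example, not from the book or from Check Point, that parses a hosts file the way the text describes it being used (comments stripped, any alias on a line counts as a name) and reports gateway objects that are missing, mapped to a different address than the object carries, or mapped ambiguously. The object names and addresses are the sample values from the text plus constructed ones; the gateway list is assumed to be typed in by the administrator from the Rule Base GUI.

```python
from typing import Dict, List

# Added example (not the book's or Check Point's code): pre-install check that
# every gateway object name resolves locally, and to the object's own address.


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname or alias (lowercased) to the addresses it carries.

    Blank lines and '#' comments are ignored; a line may list several names.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def check_gateways(hosts_text: str, gateways: Dict[str, str]) -> List[str]:
    """Return one problem string per gateway that would not resolve cleanly.

    gateways maps the object name used in the Rule Base GUI to the IP address
    defined on that object. An empty result means every name is covered.
    """
    table = parse_hosts(hosts_text)
    problems: List[str] = []
    for name, expected in gateways.items():
        addrs = table.get(name.lower())
        if addrs is None:
            problems.append(f"{name}: not in hosts file (install would fall back to DNS)")
        elif expected not in addrs:
            problems.append(f"{name}: hosts file maps it to {', '.join(addrs)}, "
                            f"but the object address is {expected}")
        elif len(addrs) > 1:
            problems.append(f"{name}: mapped to several addresses ({', '.join(addrs)})")
    return problems


# Constructed sample: the hosts file from the text, plus a third gateway
# object (DMZFW) that was never added to it.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
11.12.13.14     ExternalFW
15.16.17.18     RemoteFW      # site B, reached over the VPN
"""
GATEWAYS = {
    "ExternalFW": "11.12.13.14",
    "RemoteFW": "15.16.17.18",
    "DMZFW": "19.20.21.22",     # constructed: object exists, hosts entry missing
}

if __name__ == "__main__":
    for problem in check_gateways(SAMPLE_HOSTS, GATEWAYS) or ["hosts file covers all gateways"]:
        print(problem)
```

Run it against the real hosts file of the management server (and of each remote module that installs policy) before a scheduled install; a stale address for a renumbered gateway is as damaging as a missing entry, and the second branch catches it.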
Another setting you can change right off the bat is decryption on accept. If you are not using encryption, you should uncheck Enable decryption on accept. This option can be found in Global Properties under the VPN-1 tab, as shown in Figure 8.1. Unchecking it prevents FW-1 NG from attempting to decrypt packets when the rule doesn't require it, which frees some resources for other tasks; note, however, that this setting is relevant only if you are using Traditional Mode policies.
Figure 8.1 Global Properties
Other Global Properties that you should consider changing are related to logs and alerts, as shown in Figure 8.2. Although the default settings are generally effective, you might need to make changes, depending on your environment. For example, you can limit the amount of activity that gets logged to the log file by decreasing the Excessive log grace period. This is the period in seconds during which FW-1 NG AI will not log the same activity multiple times. Decreasing this number will probably reduce the resources that the Log Unification Engine uses to consolidate activity into the log view. There are also a couple of performance tweaks that will not affect firewall throughput but that do have an effect on overall performance. One such setting is the SmartView Tracker resolver timeout. Decreasing this value will decrease the amount of time in seconds that FW-1 NG AI spends resolving IP addresses to names for log entries. If names are not critical to your understanding of the logs and if DNS queries frequently time out, this option would be good to decrease. Doing so speeds up the Log Viewer but does not change firewall throughput. And finally, you can decrease the Status fetching interval to decrease the frequency in seconds at which the management server queries the modules that it manages for status. If your environment is pretty static, this setting could be reduced. Again, this decrease will not affect firewall throughput and will not even be an issue if the System Status window is not open and querying modules.
Figure 8.2 Log and Alert Global Properties
Administering NG for Performance
In addition to the initial configuration of FW-1 NG AI, you should keep in mind a number of administration "best practices" to ensure that the firewall is performing up to expectations and its capabilities:
• Keep the Rule Base simple.
• Put the most frequently applied rules near the top of the Rule Base.
• Keep accounting to a minimum.
• Use the Active Log mode sparingly.
• Use logging wisely.
• Consider limiting the use of security servers.
• Implement NAT wisely.
• Avoid the use of domain objects.
The first recommendation, to keep the Rule Base simple, will probably have the greatest impact on overall performance. Unfortunately, it is the most difficult to define and control. The reason this is so important is that every packet that isn't a part of an existing connection must be evaluated against the Rule Base sequentially, from the top to the bottom, until a match is found. A long, complex policy will introduce latency into the processing of packets, not to mention that a long, complex policy is hard to administer. When making modifications to the Rule Base, you should consider the best way to write the rule and where to place it. For example, instead of writing an extra rule to give FTP to the internal network, if you already have a rule for HTTP, simply add FTP to the HTTP rule. Just remember that there is almost always a simpler way to write rules. Keep the number of rules as low as possible.
Remember in Chapter 4 we looked at a security policy that allowed our internal users the use of HTTP to anywhere and the use of HTTPS everywhere but the local service net. We chose to write the rule as Source-LAN, Destination-Service Net, Service-HTTP/HTTPS, Action-Accept, and Track-None, with the Destination-Service Net negated. And because another element of our policy allowed everyone HTTP access to the Web server in the service net, we wrote a second rule as Source-Any, Destination-Web Server, Service-HTTP, Action-Accept, and Track-Log. This rule could have been much more complicated. For example, we could have written our Rule Base to look like Figure 8.3.
Figure 8.3 A Bad Example
www.syngress.com
Managing Policiesand Logs
•
Chapter 8
Translating our policy this way, we used three rules instead of two. If we repeated this process over and over while writing the Rule Base, we would have one-third more rules than we need! In addition to keeping the Rule Base simple, put the most frequently applied rules near the top. This gets packets through inspection, and routed by the OS, more quickly. Remember that a packet is processed from top to bottom until a match is made on the Rule Base; so, when optimizing, be aware of the effect of reordering rules. As an aid to optimization, monitoring your logs using the FW-1 predefined selection criteria can help you determine the most frequently applied rules. Take a look at Figure 8.4. Here you will see the most activity on Rule 12, which allows HTTP traffic outbound. Although this isn't enough information for you to decide that Rule 12 should be moved up, it is the kind of monitoring you should undertake. Keep in mind that you need to log all rules to see what is going on, and that some rule order can't be changed without weakening the security policy.
Figure 8.4 Logs and Optimum Rule Placement
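The first-match evaluation and reordering discussed above, as an added example that is not part of the book: a small Python model of a Rule Base (the object names, the rules, the negated Destination column and the traffic sample are all constructed assumptions) that counts how many rules each packet is compared against, then promotes frequently hit rules only where the swap cannot change a verdict, which is what keeps the stealth rule at the top.

```python
"""Added example (not the book's code): a model of first-match Rule Base
evaluation. It counts how many rules a packet passes before it matches and
moves heavily used rules upward only where the swap cannot change any packet's
verdict. Object names, rules and the traffic sample below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str] = frozenset()   # an empty set stands for "Any"
    dst: FrozenSet[str] = frozenset()
    service: FrozenSet[str] = frozenset()
    action: str = "drop"
    negate_dst: bool = False            # the Negate option on the Destination column

    @staticmethod
    def _hit(allowed: FrozenSet[str], value: str, negate: bool = False) -> bool:
        hit = (not allowed) or (value in allowed)
        return (not hit) if negate else hit

    def matches(self, pkt: Dict[str, str]) -> bool:
        return (self._hit(self.src, pkt["src"])
                and self._hit(self.dst, pkt["dst"], self.negate_dst)
                and self._hit(self.service, pkt["service"]))

def first_match(rules: List[Rule], pkt: Dict[str, str]) -> Tuple[Optional[int], str, int]:
    """Return (index of the matching rule, action, rules examined); a packet
    that matches nothing is dropped by the implicit final rule."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i, rule.action, i + 1
    return None, "drop", len(rules)

def inspection_cost(rules: List[Rule], packets: List[Dict[str, str]]) -> int:
    """Total rule comparisons needed to classify the whole sample."""
    return sum(first_match(rules, p)[2] for p in packets)

def hit_counts(rules: List[Rule], packets: List[Dict[str, str]]) -> List[int]:
    """Per-rule match counts, the figure the log viewer gives you per rule."""
    counts = [0] * len(rules)
    for p in packets:
        idx = first_match(rules, p)[0]
        if idx is not None:
            counts[idx] += 1
    return counts

def _overlap(a: FrozenSet[str], b: FrozenSet[str], negated: bool) -> bool:
    # A negated column can match almost anything, so treat it as overlapping.
    return negated or not a or not b or bool(a & b)

def may_swap(upper: Rule, lower: Rule) -> bool:
    """Adjacent rules may change places without altering any verdict when they
    share an action (only the rule number hit would differ) or cannot both match."""
    if upper.action == lower.action:
        return True
    both = (_overlap(upper.src, lower.src, False)
            and _overlap(upper.dst, lower.dst, upper.negate_dst or lower.negate_dst)
            and _overlap(upper.service, lower.service, False))
    return not both

def reorder_by_hits(rules: List[Rule], packets: List[Dict[str, str]]) -> List[Rule]:
    """Move each rule up past less frequently matched neighbours, stopping at
    the first neighbour it is not safe to cross (typically the stealth rule)."""
    order = list(zip(rules, hit_counts(rules, packets)))
    for i in range(1, len(order)):
        j = i
        while (j > 0 and order[j][1] > order[j - 1][1]
               and may_swap(order[j - 1][0], order[j][0])):
            order[j - 1], order[j] = order[j], order[j - 1]
            j -= 1
    return [r for r, _ in order]

# Constructed Rule Base: stealth rule first, busy outbound HTTP/HTTPS rule last.
RULES = [
    Rule("stealth", dst=frozenset({"fw"}), action="drop"),
    Rule("dns", src=frozenset({"lan"}), dst=frozenset({"dns1"}),
         service=frozenset({"dns"}), action="accept"),
    Rule("web-in", dst=frozenset({"web"}), service=frozenset({"http"}), action="accept"),
    Rule("lan-out", src=frozenset({"lan"}), dst=frozenset({"svcnet"}), negate_dst=True,
         service=frozenset({"http", "https"}), action="accept"),
]
# Constructed traffic sample (src, dst, service) standing in for the logs.
PACKETS = [dict(zip(("src", "dst", "service"), t)) for t in [
    ("lan", "internet", "http"), ("lan", "internet", "http"), ("lan", "dns1", "dns"),
    ("internet", "web", "http"), ("internet", "fw", "ssh"), ("lan", "internet", "https")]]

def demo() -> Tuple[int, int, List[str]]:
    """Cost before, cost after reordering, and the resulting rule order."""
    better = reorder_by_hits(RULES, PACKETS)
    return (inspection_cost(RULES, PACKETS), inspection_cost(better, PACKETS),
            [r.name for r in better])

if __name__ == "__main__":
    print(demo())  # (18, 14, ['stealth', 'lan-out', 'dns', 'web-in'])
```

In the sample the outbound rule is hit three times as often as any other, and promoting it cuts the comparisons for the six packets from 18 to 14; it stops below the stealth rule because a drop rule with Any source and an accept rule with a negated destination can match the same packet, so crossing them would change a verdict. The overlap test is deliberately conservative; a real optimizer would also have to account for Track settings and the order-dependent semantics of authentication and security-server rules.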
As you are modifying the connections table, you will probably need to modify the hash size as well. The hash size value should be a power of 2 that is as close as possible to the limit on the connections table. As you can see in Table 8.2, if you have modified the connection limit to 50,000, you should set your hash size to 65536.
Table 8.2 Relevant Powers of 2

Power of 2    Hash Size    Connection Limit
2^14          16384        4097-24576
2^15          32768        24577-49152
2^16          65536        49153-98304
2^17          131072       98305-196608
NOTE: Check Point does sell a product called SmartView Monitor (formerly the Real-Time Monitor) that integrates nicely into the Check Point framework. SmartView Monitor is included with SmartCenter Pro, SmartCenter Express Plus, or SmartView. It enables you to monitor bandwidth, bandwidth loss, and round-trip time in end-to-end VPNs.
Platform Specific Tools
In addition to the Check Point NG AI tools provided for measuring performance on Windows NT, a number of FW-1 specific counters are installed into the Windows NT Performance Monitor. The counters provided include the following:
• Number of packets accepted
• Number of packets dropped
• Number of current connections
• Number of packets decrypted
• Number of packets encrypted
• Number of packets that fail encrypt/decrypt
• Amount of hash memory currently in use
• Amount of system kernel memory currently in use
• Number of packets logged
• Number of packets rejected
• Number of total packets processed
• Number of packets undergoing address translation
These counters can be invaluable in further tuning your firewall.
Performance Conclusion
And finally, if none of these suggestions improves the performance of your FW-1 NG, consider upgrading your hardware based on the recommendations in Table 8.3 and on your own observations of CPU, memory, and I/O usage.
Table 8.3 Quick Recommendations

If you require a large amount of...    Then you need...
Encryption/decryption                  CPU
Network address translation            Memory
Logging                                Memory and I/O
Sessions                               Memory
Security servers                       CPU and I/O
Administering Check Point VPN-1/FW-1 NG AI for Effectiveness
Although performance is important, if a firewall doesn't do what it's supposed to do, it is of no use. In fact, it is easy to trade increased performance for decreased effectiveness or security. In this section we talk about how to make sure your FW-1 NG is doing its job and securing your network.
Quality Control
One of the best ways to test a firewall's effectiveness is to assume the role of attacker. Although it is not only possible but also advisable to hire a third party to do penetration testing, the initial testing is your responsibility. The simplest way to test the firewall is by using a simple port scanner. Some popular and free port scanners you may want to try include the following:
• Nmap  A favorite of security professionals and hackers alike. Nmap allows different types of scans, spoofing, decoys, and timing changes. It can be found at www.insecure.org.
• Languard Network Scanner  A very noisy but full-featured scanner. This tool will pull SNMP information as well as attempt to connect to open services and gather banners. It can be found at www.gfisoftware.com/languard/lanscan.htm.
• Hping2  An advanced tool that runs on *nix that allows the crafting of custom TCP/IP packets. Hping2 can be used to test firewall rules and even transfer files. You can download Hping2 from www.hping.org.
If you would like to further assess your configuration, you can use a full-featured vulnerability assessment tool. Most even have modules that enable you to test known vulnerabilities. For recommendations and more descriptions, you can visit www.insecure.org/tools.html. This sort of quality control has multiple benefits. It helps you see what ports are open or not filtered from the outside. In addition, it may help you see what patches you might be missing or vulnerabilities you are exposed to. It enables you to test your logging and monitoring. Finally, it enables you to see what an attack might look like and helps you detect one from your monitoring.
Patches and Updates
As a security professional, make sure you sign up to a few security mailing lists (such as Bugtraq) to stay abreast of new developments in security. Especially make sure you get the Check Point e-mail newsletter, which will notify you of support issues and relevant patches when they're available. You can sign up for Check Point's newsletter at www.checkpoint.com/newsletter.html. To obtain updates to your FW-1 NG AI installation, you can use SmartUpdate, as shown in Figure 8.8. From the Products menu, select New Product | Add From Download Center. After you agree to the licensing agreement, this choice will connect your computer to the Check Point download site. It will get a list of software available for download up to the version you have installed on the management station. Select the products you want to add to your repository, and click Download.
Figure 8.8 SmartUpdate Utility
Tracking and Alerts • Chapter 9
Keep in mind that the event is acted on by the machine that records the logs. While in the majority of cases this is the management machine, it does not necessarily have to be. Also note that the actual executables and scripts reside in the $FWDIR/bin directory on the system recording the log, which is typically the Management module. This is also where you would need to save your user-defined alert programs. You will also need to remember to copy your programs to the new $FWDIR/bin directory after an upgrade if you choose to use other utilities. Below is a brief description of how each scripting option may be used.
Pop-up alert script  This is the script that will be executed when you select Popup Alert as the action for a matched rule. Generally, this option should not be changed. One item of special note here is the actual function of a Popup Alert. When you are running the SmartView Status GUI, and a rule is matched whose action is alert, and Send popup alert to SmartView Status is selected, you will be notified with a window containing details of the alert. These details include the packet information as well as items such as the component generating the alert. The pop-up window enables you to delete single events or all selected events.
Mail alert script  This specifies the command that will be run to send an e-mail alert regarding the matched event, assuming that this action is the specified one. You will need to change this, and the command will be specific to your system. The syntax for the command is:
    internal_sendmail [-s subject] -t mailserver recipient_email [recipient_email ...] [-f sender_email]
SNMP trap alert script  Defines the action when a rule with the Simple Network Management Protocol (SNMP) trap action is matched. You may decide to alter this to send your traps to alternate locations, such as to a network management station instead of the default system, localhost.
User defined script (No. 1, 2, and 3)  These allow you to write your own programs to handle a matched rule, and are very handy. User-defined alerts are covered later in this chapter.
Configuring Alerts
Once you have properly configured the commands to be run, you are ready to begin using them as an action. Your most frequent interaction with them will be in the rules you create for your firewall. When you create a new rule, or wish to modify an existing rule, simply right-click on the Action column and you'll see a context menu, as shown in Figure 9.3.
Figure 9.3 Alert Context Menu
You also may interact with the alerting function within various network objects. For example, Figure 9.4 shows us the Firewall Object's Interface Properties window with the Topology panel active. Note the field labeled Spoof Tracking. In this field you'll be able to configure alerting for this event.
Figure 9.4 Alerting in Use
User-Defined Tracking
CP VPN-1/FW-1 features very robust event handling, but it isn't always able to do exactly what you want! In some cases you need to send multiple alert types, or need to send them to many different people. Check Point foresaw this need and has included the user-defined alert type. With this alert type, VPN-1/FW-1 NG AI provides you the ability to create your own event-handling scripts to suit your needs. You also don't have to learn a new programming language to do so. If you are proficient in C, C++, Perl, WSH, the various UNIX shell-scripting languages, or even writing BAT files, then you are well on the way to creating a user-defined response. You also might be able to find an existing script via the Internet that would suit your needs. The process of writing your own script is fairly simple; however, there are a number of ways to go about it. Initially, you may be more inclined to use user-defined alerts to generate multiple alert types. Suppose, for example, that you want to send an SNMP trap to a network management console, to a security console, and also mail an alert to yourself. Writing a simple Windows batch or UNIX shell script will get this done for you with minimal effort, as shown in Figure 9.5.
Figure 9.5 Simple "Batch" Script
    snmp_trap 172.17.2.15
    snmp_trap 172.17.2.16
    mailx -s Warning [email protected]

Advanced User-Defined Alerts
If you want to move into more advanced realms, the first step is to understand what VPN-1/FW-1 NG AI will be sending as input to your script. The format for this input is as seen in this example:
    10Nov2003 15:00:12 drop ExternalFW >eth1 proto tcp src 172.17.3.2 dst 172.17.2.10 service 1234 s_port 2345 len 40 rule 5
The various fields are described in Table 9.1.
Table 9.1 Basic User-Defined Alert Input

Field                              Example
Date                               10Nov2003
Time                               15:00:12
Action                             Drop
Originating firewall               ExternalFW
Traffic direction and interface    >eth1
Protocol in use                    proto tcp
Source address                     src 172.17.3.2
Destination address                dst 172.17.2.10
Service in use                     service 1234
Source port                        s_port 2345
Length of data captured            len 40
Rule matched                       rule 5
Note that these are the basic log input values. The values will change depending on your use of network address translation (NAT), VPN encryption, or the alerting of Internet Control Message Protocol (ICMP) packets. For example, an ICMP packet will include field information for the icmp-type and icmp-code. These additional fields are detailed in Table 9.2.
Table 9.2 ICMP and NAT User-Defined Input

Field         Explanation
icmp-type     ICMP type
icmp-code     ICMP code
Xlatesrc      When using NAT, this indicates the address to which the source IP was translated.
Xlatedst      When using NAT, this indicates the address to which the destination IP was translated.
Xlatesport    When using NAT, this indicates the port to which the source port was translated.
Xlatedport    When using NAT, this indicates the port to which the destination port was translated.
Once you understand what VPN-1/FW-1 NG AI will be sending your program, you can then make logical decisions as to what to do with the data. User-defined alerting can be very useful as a method to inform various people based on what the rule detects. For example, the script could parse out the destination IP address or system name, compare that information to a database and then, from the database, locate the proper contact information for the individual responsible. Once this person is located, he or she can be notified via any of several means, allowing the person a more rapid response to the attack. Some other common examples use the global WHOIS database to attempt to locate the administrator of the source of the event, and attempt to notify that person as well. Figure 9.6 includes a partial script as an example of how to get started. It's written in Perl, but, as mentioned earlier, the choice is yours.
Figure 9.6 Beginnings of a User-Defined Alert
    #!/usr/bin/perl -w
    #
    # Here we'll request a module to assist in sending a mail message.
    use strict;       # pragma strict checking
    use Net::SMTP;    # import the mail module

    # Good programming practice mandates security!
    $ENV{'PATH'} = '/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin';
    umask (0177);

    # Get the log entry and break it up into smaller, useable bits.
    my $log = <STDIN>;
    chomp ($log);
    my @elements = split (/[ ]+/, $log);

    # Identify the most commonly used elements and assign them for frequent
    # use.
    my $date        = $elements[0];
    my $time        = $elements[1];
    my $source      = $elements[9];
    my $destination = $elements[11];
    my $service     = $elements[13];
    # The array element to use can vary depending on the use of NAT,
    # among other factors. Be sure to test. (With the sample line shown in
    # Table 9.1, for instance, the src, dst and service values sit at
    # indices 8, 10 and 12.)
    (...)
You can see that it is actually very simple to get the log data. Any program that can gather one line of input and parse it up will do the trick. The only remaining tasks are to install your program in $FWDIR/bin on the machine running the firewall management module, and point to it within the Global Properties. The fact that the alert script runs on the management module makes deploying this user-defined script much easier, especially in a large network. And, since it runs in one central location with access to all the firewall logs, you can also perform simple event correlation. OPSEC partners provide packages that provide more complex event correlations to suit your needs.
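One way to consume that input, as an added example in Python rather than the Perl of Figure 9.6 (this is not the book's script): it parses the line by field labels, so the NAT and ICMP fields of Table 9.2 are found wherever they appear in the line, then picks a contact from a lookup table as the paragraph above suggests. The contact table, the example.invalid addresses and the second sample line (an ICMP event with a translated destination) are constructed; delivery is returned as data so you can hand it to internal_sendmail, Net::SMTP or whatever mailer you use.

```python
"""Added example, not the book's script: a user-defined alert handler that
reads one VPN-1/FW-1 log line (the format of Tables 9.1 and 9.2) from standard
input and works out whom to notify. Fields are found by their labels rather
than by array index, so the NAT and ICMP fields that shift positions do not
break the script. The contact table and the NAT/ICMP sample line are
constructed; the message is returned as data rather than sent."""
import sys
from typing import Dict, List

POSITIONAL = ("date", "time", "action", "origin", "interface")

# Constructed contact database keyed by the real (internal) address of the asset.
CONTACTS = {
    "172.17.2.10": "web-team@example.invalid",
    "172.17.2.15": "netmgmt@example.invalid",
    "default": "security-oncall@example.invalid",
}

# The first line is the book's own example; the second is constructed to show
# an ICMP event whose destination was statically translated (xlatedst).
SAMPLE_TCP = ("10Nov2003 15:00:12 drop ExternalFW >eth1 proto tcp src 172.17.3.2 "
              "dst 172.17.2.10 service 1234 s_port 2345 len 40 rule 5")
SAMPLE_NAT_ICMP = ("10Nov2003 15:01:03 accept ExternalFW >eth1 proto icmp src 172.17.3.2 "
                   "dst 192.0.2.10 icmp-type 8 icmp-code 0 rule 7 xlatedst 172.17.2.10")


def parse_alert(line: str) -> Dict[str, str]:
    """Split an alert line into a dict: five positional tokens, then label/value pairs."""
    tokens = line.split()
    if len(tokens) < len(POSITIONAL):
        raise ValueError("truncated alert line: %r" % line)
    fields = dict(zip(POSITIONAL, tokens))
    rest = tokens[len(POSITIONAL):]
    if len(rest) % 2:
        raise ValueError("unpaired label in alert line: %r" % line)
    for label, value in zip(rest[::2], rest[1::2]):
        fields[label.lower()] = value      # Xlatesrc / xlatesrc both become xlatesrc
    return fields


def internal_target(fields: Dict[str, str]) -> str:
    """Address of the internal asset. With static NAT the log's dst is the public
    address and xlatedst the real one (assumption: inbound static NAT), so prefer it."""
    return fields.get("xlatedst") or fields.get("dst", "unknown")


def describe(fields: Dict[str, str]) -> str:
    """One-line summary; ICMP events carry type/code instead of service/port."""
    base = "%s %s: %s %s -> %s on %s" % (fields["date"], fields["time"], fields["action"],
                                       fields.get("src", "?"), internal_target(fields),
                                       fields["origin"])
    if fields.get("proto") == "icmp":
        return base + " icmp type %s code %s" % (fields.get("icmp-type", "?"),
                                                 fields.get("icmp-code", "?"))
    return base + " %s/%s rule %s" % (fields.get("proto", "?"), fields.get("service", "?"),
                                      fields.get("rule", "?"))


def route_alert(line: str, contacts: Dict[str, str] = CONTACTS) -> Dict[str, object]:
    """Decide recipients from the contact table; the security desk always gets a copy."""
    fields = parse_alert(line)
    owner = contacts.get(internal_target(fields), contacts["default"])
    recipients: List[str] = sorted({owner, contacts["default"]})
    return {"to": recipients,
            "subject": "FW-1 %s rule %s" % (fields["action"], fields.get("rule", "?")),
            "body": describe(fields)}


if __name__ == "__main__":
    # VPN-1/FW-1 hands the script the log line on stdin; pass the result to your mailer.
    for line in sys.stdin:
        if line.strip():
            print(route_alert(line))
```

Because the parser keys on labels, the same script handles the plain TCP line, the NAT-translated line and the ICMP line without the index shuffling the Perl fragment warns about; the only positional assumption left is the first five tokens, which Table 9.1 shows are fixed.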
Suspicious Activities Monitoring Protocol (SAMP)
Check Point, along with their OPSEC alliance partners, has introduced a very powerful feature into CP VPN-1/FW-1. This feature, known as Suspicious Activity Monitoring, or SAM, enables the firewall to interact and block traffic as specified by other network devices. Most notable among these OPSEC partners is ForeScout Technologies, with their ActiveScout product. Using the Suspicious Activity Monitoring Protocol (SAMP), a scout can dynamically update VPN-1/FW-1 rules. These changes can be either permanent or time-based. For you, as a firewall administrator, the most interesting element of SAMP is not the ability of other devices to restrict connections, but your own ability to block, or inhibit, a connection. This can be a very powerful reactive measure, and, if properly employed, can greatly enhance your site security. Imagine the ability to block a connection for five or ten minutes while you do some quick research on the nature of the suspicious connection. Teamed with a user-defined alert script, this can even be done in an automated way. Connection inhibiting is enabled using the fw sam command. This command has some very useful options, most of which are detailed in Table 9.3. The usage of the fw sam command is as follows:
    fw sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] [-t timeout] [-l log] [-C] -(n|i|I|j|J) <criteria>
    fw sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -M -ijn <criteria>
    fw sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -D
Table 9.3 fw sam Command Options

Option                Explanation
-v                    Enable verbose mode. In this mode of operation, SAM writes a message to STDERR on each firewall module that is enforcing the action. The message indicates the success or failure.
-s server             The address or registered name of the VPN-1/FW-1 system that will enforce the action. The default is localhost. This should be your management station, which will contact one, multiple, or all firewalls to actually block connections.
-S server-sic-name    The SIC name for the SAM server to be contacted. It expects that the system being contacted will have this SIC name. If it does not, the connection will fail. If this option is not used, it will proceed without comparing the name to the certificate that is presented to it.
-f <fw host>          The firewall that will actually block the connection(s). By default, your SAM server will contact all firewalls it manages. The <fw host> can be localhost, the internal object name (that is, ExternalFW), Gateways (only systems defined as Check Point Gateways, not hosts), or All.
-t timeout            The time period during which the action will be blocked, specified in seconds. If no value is specified, the action will be in effect indefinitely, or until canceled by you.
-C                    Cancel the blocking of the connection specified by the parameters.
-D                    Cancel all inhibit and notify directives.
-n                    Notify (by recording a log entry) and alert (but do not block) based on the specified criteria.
-i                    Inhibit the connection meeting the specified criteria. Connections will be rejected.
-I                    Inhibit the connection meeting the specified criteria. Also close all existing connections that match the criteria. Connections will be rejected.
-j                    Inhibit the connection meeting the specified criteria. Connections will be dropped.
-J                    Inhibit the connection meeting the specified criteria. Also close all existing connections that match the criteria. Connections will be dropped.
-l log                Specifies the log format to use when recording an event. Options are nolog, long_noalert and long_alert, with the latter being the default.
<criteria>            Used to match connections with a combination of various parameters. Criteria may be one of the following:
                      src <ip>
                      dst <ip>
                      any <ip>
                      subsrc <ip> <netmask>
                      subdst <ip> <netmask>
                      subany <ip> <netmask>
                      srv <src-ip> <dst-ip> <service> <protocol>
                      subsrv <src-ip> <netmask> <dst-ip> <netmask> <service> <protocol>
                      subsrvs <src-ip> <netmask> <dst-ip> <service> <protocol>
                      subsrvd <src-ip> <dst-ip> <netmask> <service> <protocol>
                      dstsrv <dst-ip> <service> <protocol>
                      subdstsrv <dst-ip> <netmask> <service> <protocol>
                      srcpr <ip> <protocol>
                      dstpr <ip> <protocol>
                      subsrcpr <ip> <netmask> <protocol>
                      subdstpr <ip> <netmask> <protocol>
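Automating a temporary block from a script, as an added example that is neither the book's nor Check Point's code: the functions build the argv for an fw sam inhibit in the syntax of Table 9.3 and the matching -C cancel, refusing protected addresses and capping the timeout so that an alert script can never lock out the management station or block indefinitely. The protected network, the addresses and the 600-second cap are assumptions; fw sam itself is not invoked.

```python
"""Added example, not the book's or Check Point's code: build a time-limited
'fw sam' inhibit request and its matching '-C' cancel in the syntax of Table
9.3, with the two checks you want before a user-defined alert script is allowed
to block traffic on its own: never inhibit an address on a protected list (the
management station, monitoring hosts) and never block indefinitely. Nothing is
executed; the functions return argv lists for subprocess or a dry-run log. The
protected list and the addresses used are constructed."""
import ipaddress
from typing import List, Optional

MAX_TIMEOUT = 600    # seconds: the "five or ten minutes" research window
INHIBIT_MODES = {"i": "reject", "I": "reject and close existing",
                 "j": "drop", "J": "drop and close existing"}
LOG_FORMATS = ("nolog", "long_noalert", "long_alert")

# Constructed: networks a script must never inhibit automatically.
PROTECTED = [ipaddress.ip_network("172.17.2.0/24")]   # service net incl. management station


def checked_ip(text: str) -> str:
    """Validate an address taken from a log line and refuse protected ones."""
    addr = ipaddress.ip_address(text)   # raises ValueError on anything that is not an IP
    if any(addr in net for net in PROTECTED):
        raise PermissionError("%s is on the protected list; block it by hand if needed" % text)
    return str(addr)


def is_blockable(text: str) -> bool:
    """True when sam_inhibit would accept the address."""
    try:
        checked_ip(text)
        return True
    except (ValueError, PermissionError):
        return False


def _prefix(fw_host: Optional[str]) -> List[str]:
    argv = ["fw", "sam"]
    if fw_host:                         # localhost, an object name, Gateways or All
        argv += ["-f", fw_host]
    return argv


def sam_inhibit(src_ip: str, timeout: int = MAX_TIMEOUT, mode: str = "i",
                fw_host: Optional[str] = None, log: str = "long_alert") -> List[str]:
    """argv for: fw sam [-f fw-host] -t timeout -l log -<mode> src <ip>"""
    if mode not in INHIBIT_MODES:
        raise ValueError("mode must be one of %s" % sorted(INHIBIT_MODES))
    if log not in LOG_FORMATS:
        raise ValueError("log must be one of %s" % (LOG_FORMATS,))
    if not 1 <= int(timeout) <= MAX_TIMEOUT:   # omitting -t would block indefinitely
        raise ValueError("timeout must be 1..%d seconds" % MAX_TIMEOUT)
    return _prefix(fw_host) + ["-t", str(int(timeout)), "-l", log,
                               "-" + mode, "src", checked_ip(src_ip)]


def sam_cancel(src_ip: str, mode: str = "i", fw_host: Optional[str] = None) -> List[str]:
    """argv for the matching cancel: fw sam [-f fw-host] -C -<mode> src <ip>"""
    if mode not in INHIBIT_MODES:
        raise ValueError("mode must be one of %s" % sorted(INHIBIT_MODES))
    return _prefix(fw_host) + ["-C", "-" + mode, "src", str(ipaddress.ip_address(src_ip))]


if __name__ == "__main__":
    print(" ".join(sam_inhibit("172.17.3.2", 300, fw_host="ExternalFW")))
    print(" ".join(sam_cancel("172.17.3.2", fw_host="ExternalFW")))
```

Keeping the cancel command next to the inhibit matters because, as the text notes below, the GUI can only clear all SAM blocks at once; a script that records the exact -C argv for every block it places can undo one mistake without releasing the rest.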
This command is very useful if you are writing user-defined scripts, and you should really become comfortable with that process if you intend on writing user-defined scripts and being proactive. Another way to interface with SAM is via the SmartView Tracker GUI. From SmartView Tracker, select the Active tab. You will then see entries representing the active connections for the firewall. Each connection will be assigned a Connection ID, as indicated in Figure 9.7.
Figure 9.7 Active Connections: Connection ID
Once you have noted the connection that you wish to remove, select the connection and then choose Tools | Block Intruder from the menu. You will then see a screen as illustrated in Figure 9.8.
Figure 9.8 Specify the Connection ID
This is the panel used to block the connection. You have a couple of options to select from on this screen, and they are shown in Figure 9.9.
• Blocking Scope  Enables you to block this specific connection, all connections from the source noted in the log, or all connections to the destination noted in the log.
• Blocking Timeout  Enables you to specify either indefinite blocking or a time period for this block.
• Force this blocking  Enables you to enforce blocking this connection on all firewalls or just the firewall that has recorded the event.
You see that the command-line arguments, while a bit more complicated, do allow a greater degree of flexibility. The ease of use of the GUI makes up for this, as scripted execution can be used when you want to be very specific. So, what do you do when you've blocked a connection that shouldn't be blocked, or wish to unblock an existing block? Here's where it gets odd. The GUI only enables you to unblock en masse. It's an all-or-nothing proposition. From the menu bar, select Tools | Clear Blocking. You will be presented with a pop-up message, like the one in Figure 9.9, telling you that ALL the connections that were blocked via SAM are no longer blocked. If you've made a mistake and blocked the wrong connection (assuming you have other, valid blocks in place) your only real recourse is to use the command-line syntax to clear a specific block using the -C option with the fw sam command.
Figure 9.9 Clear Blocking Confirmation
Summary
This chapter looked at some of the options you have when dealing with an event recorded by CP VPN-1/FW-1. It examined, in some depth, the ability for you to exercise some strong control over these settings and how their judicious use can greatly enhance the security of your network. Also examined were the alert commands configuration panels, the default settings, and how to alter them to better suit your security policy. You saw that you can modify not only the data that is logged, and when it is recorded, but also what action to take based on event criteria. The chapter then went on to discuss the process of defining your own programs to handle an event and some of the increased flexibility this allows you when designing your security policy. We even saw how user-defined alerts can be a sort of lightweight IDS system. Finally, this chapter also showed the GUI interface to SAM, how to interface with the SmartView Tracker GUI to block connections, and how to use the command-line interface to SAM. All in all, the additional features and function added by the ability to define your own alerts, SAM and SmartDefense make
Chapter 11 • Securing Remote Clients
Introduction
If your organization wants to use a virtual private network (VPN) client, but you are concerned about allowing clients' personal computers into your network, do not worry. Check Point solves this problem by giving you control of the remote users' desktop security. You can configure specific properties for your mobile users' desktops, including prohibiting connections to their PCs when they have remote software running. That way, if they are running a Web server on their PC, you do not have to worry about their server being compromised while they have a connection into your private network. SecureClient software is simply the SecuRemote software package discussed in the previous chapter with additional features. These features include a personal firewall on your mobile users' PCs that you control via SmartDashboard, as well as Secure Configuration Verification (SCV), which allows an administrator to define the attributes of a system secure enough to access the VPN. Within SmartDashboard, you can define detailed policies that SecureClient downloads when a user logs in to your firewall's policy server. This ch chapter shows you how to install and configure a policy server, and how to configure different desktop policies for your users. A policy server can reside on one of your firewall modules, or it can be set up as a separate server to strictly enforce clients' security policies. After describing the policy server in full detail, this chapter shows you how to install the SecureClient software, and how to use the SecureClient Packaging Tool on the Next Generation with Application Intelligence (NG AI) CD.
Installing and Configuring a Policy Server
The first step toward ensuring that your remote users' desktops adhere to your security policies is to install and configure a policy server. Once the policy server is installed and configured, it will be able to transmit the appropriate security settings to the SecureClient process running on the remote desktops.
Securing Remote Clients • Chapter 11
Installing from CD-ROM
The policy server can be found on the Check Point NG AI CD-ROM. To install the policy server onto your firewall module, insert the CD-ROM, and from the Add Products option, choose Install additional Check Point products. Then select SecureClient Policy Server, as shown in Figure 11.1.
Figure 11.1 Check Point Policy Server Installation
This will load the Check Point installation wizard, which will first check that the VPN-1/FireWall-1 module is installed. If not, you will be required to install the VPN-1/FireWall-1 module prior to continuing with the policy server installation. The policy server installation will proceed, and will not require any further input. Once it is complete, ensure that you have the appropriate license installed on your firewall and management station. The license on the management station must contain sufficient users for the number of actual users connecting to your environment. The license on the firewall must contain a license for the policy server, which is available with any VPN-1 Pro module. If your firewall license does not have a policy server SKU, you can regenerate it in UserCenter. If you do not know whether your license contains policy server functionality, consult your reseller, local Check Point office, or call Check Point Support and speak to Customer Advocacy. Now that the policy server component of Check Point NG AI is installed, you can configure your security policy.
NOTE: Starting with NG FP1, a Software Distribution Server (SDS) is included in the policy server package. NG FP1 and later SecureClient packages also include a Software Distribution Agent, which checks the SDS for updated software revisions using Transmission Control Protocol (TCP) port 18332.
Configuring a Policy Server
The first step in configuring the policy server is to open the policy editor, go to Manage, and edit the firewall object. In this example, the firewall object is called ExternalFW. From the General Properties tab, under the Check Point Products section, check SecureClient Policy Server, as shown in Figure 11.2.
Figure 11.2 General Firewall Properties
By selecting this option, you are telling the firewall that the SecureClient policy server is installed. You may now continue to configure its remaining options. Next, go to the Authentication tab of your firewall object. Here, you will see a new option that allows you to define a group of users, as shown in Figure 11.3.
Figure 11.3 Authentication Firewall Properties
Select the user group that the policy server is going to manage. This user group should contain all of the SecureClient users who will log on to the policy server. If you are not restricting certain users from utilizing the VPN, you may select All Users, which allows any defined user to log on to the policy server. In this example, only Engineering users are able to log on to this policy server. Later, you will add all applicable users to this group. Once you install the policy, the policy server will start running.
Desktop Security Options
There are two main areas of the policy editor that are important to desktop security:
• The Desktop Security policy
• The Remote Access global properties.
Both of these enable you to control various aspects of what is transmitted to the SecureClient users by the policy server.
Desktop Security Policy
Located on the main screen of the policy editor, the Desktop Security tab enables you to specify what access your users have. The Desktop Security Rulebase is similar to the standard Security Policy Rulebase, with some important distinctions. The Desktop Policy is installed just like a standard Security Policy. When you select Install from the Policy menu, you have the option of installing an Advanced Security policy and/or a Desktop Security policy. Both are selected by default (per the global properties SmartDashboard Customization), and once you install the desktop policy onto the policy servers, it is distributed to the SecureClients as they log in. Only the rules that apply to the user who belongs to the SecureClient desktop will be applied. See Figure 11.4 for an example of a basic Desktop Security Rulebase. If you do not see the Desktop Security tab in SmartDashboard, simply select File | Add Policy to Package and check Desktop Security to show a Desktop Security policy as part of this policy package. To remove the Desktop Security policy from a package, open the package and select File | Delete | Policy from Package.
Figure 11.4 Desktop Security Rulebase
Notice that unlike the normal security policy, there are Inbound Rules and Outbound Rules. These are inbound and outbound in relation to the desktop system, which will be doing the policy enforcement, not the policy server you are pushing your policy to. In the initial release of Check Point NG, this was one single rulebase, but because it confused many administrators, in NG FP1 and later it has been separated into two sections. Also, even though there are inbound and outbound sections, you do not need to enter each piece of a connection (one in the outbound and a returning packet in the inbound) because all of this functions on connections, not packets. This is because the desktop firewall also utilizes stateful inspection, which keeps track of each session and only permits packets that are known to be part of that session. As a result, you only need to explicitly permit packets in the direction in which the connection is initiated.
In Figure 11.4, Rule 1 allows traffic from anywhere to the users' workstations for any service, but only while they are on the local area network (LAN). Rule 2 allows connections to a desktop when a user in the Engineering group is logged into the VPN and authenticated by the policy server. These connections will be logged locally, but not sent to be consolidated with the logs seen in SmartView Tracker. Note that because Encrypt is selected as the action, only connections via the VPN are allowed by this rule; cleartext connections from across the Internet are not allowed. Rule 3 then drops any incoming Windows file sharing connections and broadcasts, and does not log them. The final Inbound rule, Rule 4, is similar in functionality to the Stealth Rule found in a typical security policy: if not explicitly allowed, block the connection, log it, and the next time that user logs into the policy server, send the logs to be consolidated with the rest of the logs to be viewed via SmartView Tracker or reported on by SmartView Reporter.
The Outbound Rules section contains rules to be applied to connections originating from the desktop system itself. As you can see from the rule numbering, this is a continuation of the same policy. Rule 5 allows users on the LAN to communicate with anything. The assumption here is that the security on the LAN will take care of providing access controls. Rule 6 is for users that are not on the LAN, allowing access to anything on the internal network as long as it is over the VPN (due to the Encrypt action). While users are not on the LAN, they still require access to systems on the Internet for Web browsing and other functions. Rule 7 allows them to establish connections to anything on the Internet unless it is a Windows file sharing or peer-to-peer application. Rule 8 blocks connection attempts using Windows file sharing and does not log them, and Rule 9 blocks all other outbound connections, similar to a Cleanup rule in a typical security policy. Because of what is defined before this rule, it will likely only block access to peer-to-peer applications and log them. This will, however, show in SmartView Tracker which users are attempting to use peer-to-peer applications, and SmartView Reporter can create reports of the same.
The Desktop Security Rulebase adds an implicit rule to the bottom of the rulebase that denies all inbound communication. This means that anything not explicitly allowed in the Desktop Security Rulebase is blocked. Note that packets that are dropped due to the implicit drop rule are not logged; if you want to log dropped packets, you can add your own explicit drop rule at the bottom of this rulebase. The Desktop Security Rulebase also has an implicit rule that allows all outgoing traffic and does not log it.
If you plan on restricting what a user is able to access outbound, it is imperative to add a rule similar to Rule 9.
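To make the first-match, connection-oriented evaluation described above concrete, the following Python model is an added example (not code from the book or from Check Point) that encodes the nine rules of Figure 11.4 plus the two implicit rules, together with a small connection table so that reply packets of an allowed connection need no rule of their own. The network objects (a 10.0.0.0/8 LAN, the file-sharing and peer-to-peer service groups, the desktop address) are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed placeholders for the network objects the rulebase refers to.
LAN = ipaddress.ip_network("10.0.0.0/8")             # corporate LAN / VPN domain
FILE_SHARING = {"tcp/139", "tcp/445", "udp/137", "udp/138"}
P2P = {"tcp/6881", "tcp/4662"}                        # stand-in peer-to-peer services
DESKTOP = "192.168.1.20"                              # the SecureClient PC


@dataclass(frozen=True)
class Connection:
    """A connection as the desktop sees it; direction is relative to the PC."""
    direction: str      # "inbound" (initiated toward the PC) or "outbound"
    src: str
    dst: str
    service: str        # e.g. "tcp/80"
    user_group: str     # group of the user logged in to the policy server
    on_lan: bool        # PC currently on the corporate LAN (Rules 1 and 5)
    via_vpn: bool       # connection travels inside the VPN tunnel (Encrypt rules)


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str
    match: Callable[[Connection], bool]
    action: str         # "accept", "encrypt" or "drop"
    log: bool


@dataclass(frozen=True)
class Verdict:
    rule: Optional[int]  # None when one of the implicit rules decided
    allowed: bool
    logged: bool


def internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LAN


# The Figure 11.4 rules as the text describes them. An Encrypt action only
# matches traffic inside the VPN, so cleartext Internet traffic falls through.
RULES: List[Rule] = [
    Rule(1, "inbound", lambda c: c.on_lan, "accept", False),
    Rule(2, "inbound", lambda c: c.user_group == "Engineering" and c.via_vpn,
         "encrypt", True),
    Rule(3, "inbound", lambda c: c.service in FILE_SHARING, "drop", False),
    Rule(4, "inbound", lambda c: True, "drop", True),            # stealth-like
    Rule(5, "outbound", lambda c: c.on_lan, "accept", False),
    Rule(6, "outbound", lambda c: internal(c.dst) and c.via_vpn, "encrypt", False),
    Rule(7, "outbound", lambda c: not internal(c.dst)
         and c.service not in FILE_SHARING | P2P, "accept", False),
    Rule(8, "outbound", lambda c: c.service in FILE_SHARING, "drop", False),
    Rule(9, "outbound", lambda c: True, "drop", True),           # cleanup-like
]


def evaluate(conn: Connection, rules: List[Rule] = RULES) -> Verdict:
    """First matching rule for the connection's direction wins."""
    for rule in rules:
        if rule.direction == conn.direction and rule.match(conn):
            return Verdict(rule.number, rule.action != "drop", rule.log)
    # Implicit rules: inbound is denied and outbound allowed, neither is logged.
    return Verdict(None, conn.direction == "outbound", False)


class StatefulDesktop:
    """Connection table: replies to an allowed connection need no rule."""

    def __init__(self, rules: List[Rule] = RULES) -> None:
        self.rules = rules
        self.sessions: Set[Tuple[str, str, str]] = set()
        self.local_log: List[str] = []

    def open(self, conn: Connection) -> Verdict:
        verdict = evaluate(conn, self.rules)
        if verdict.logged:
            outcome = "accept" if verdict.allowed else "drop"
            self.local_log.append(
                f"rule {verdict.rule}: {conn.src}->{conn.dst} {conn.service} {outcome}")
        if verdict.allowed:
            self.sessions.add((conn.src, conn.dst, conn.service))
        return verdict

    def packet_allowed(self, src: str, dst: str, service: str) -> bool:
        """Packets of an open session pass in either direction."""
        return (src, dst, service) in self.sessions or (dst, src, service) in self.sessions


if __name__ == "__main__":
    pc = StatefulDesktop()
    # Engineering user working from home, not inside the VPN tunnel.
    home = dict(user_group="Engineering", on_lan=False, via_vpn=False)
    pc.open(Connection("outbound", DESKTOP, "198.51.100.7", "tcp/80", **home))
    pc.open(Connection("outbound", DESKTOP, "198.51.100.7", "tcp/6881", **home))
    pc.open(Connection("inbound", "203.0.113.5", DESKTOP, "tcp/22", **home))
    print("reply to the web request passes on state:",
          pc.packet_allowed("198.51.100.7", DESKTOP, "tcp/80"))
    print("\n".join(pc.local_log))
```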
Remote Access Global Properties
The Remote Access Global Properties screen enables you to configure various additional aspects of the SecuRemote and SecureClient desktop environment. Keep in mind that SecureClient uses the same Client Encryption software as SecuRemote, and therefore some of the settings shown in Figure 11.5 apply to both sets of users and some only apply to users of SecureClient.
Figure 11.5 Remote Access Global Properties
The Topology Update section defines how topology updates will be handled. By default, the client will update its site once a week, but this can be changed to a specific number of hours by checking the Update topology every n Hours checkbox and setting the number of hours. There are also two options:
• Automatic Update This tells the client to do the updates automatically when the user connects to the VPN. This is the default.
• Upon VPN-1 SecuRemote/SecureClient start up This selection tells the client to automatically prompt the user to connect to the VPN every time the client is started, which is typically whenever they boot the system and log into the operating system (OS) to use it.
Next are the Authentication Timeout settings. You may choose Use default values, which allows an Internet Key Exchange (IKE) Phase 1 authentication to be valid for one day. You can choose to lower this value by selecting Validation timeout every n Minutes and selecting the number of minutes. If you select Allow Caching of static passwords on client, users with authentication methods of OS or VPN-1/FireWall-1 password will only have to authenticate when SecureClient connects initially.
The Additional Properties section allows an administrator to define whether to allow back connections (connections originating from the LAN directed to the desktop) and if so, how often to send a keep-alive packet to the gateway. This is necessary because incoming connections to the VPN client may time out or fail due to firewall or Network Address Translation (NAT) limitations on devices between the client and the gateway. The keep-alive ensures that the VPN tunnel is always available. Encrypt DNS traffic determines whether Domain Name System (DNS) queries sent by the desktop to a DNS server located on the corporate LAN are to be sent through the VPN tunnel or in the clear.
When logging on to a policy server using SecureClient, one may not always be available. This setting defines what action to take if a policy server is unreachable from the client and the client is using Transparent Mode to connect. (If the client is using Connect Mode, the action to be taken is defined in the Connection Profile.) The two options are fairly self-explanatory. Choose next Policy Server tells the client to connect in a predefined order. Choose Policy Server randomly attempts to connect to any of the policy servers in random order, thereby allowing the administrator to disperse the load onto the other policy servers in the event that one is down.
The final option on this page (VPN-1 SecureClient - Desktop Security Policy expiration time) deals with how long a policy downloaded from a policy server is valid before the client seeks to update itself and receive a new Desktop Security policy. When half of the time defined here has elapsed, the client will connect to the policy server to retrieve an updated version (if necessary) and start the timer over again. If this renewal fails, after half of the remaining time, a connection will be attempted again. If the client reaches the amount of time set in Revert to default policy after n minutes, it will revert back to its default policy. The number of minutes a policy will be valid for can be set by changing the value from 60 (default) to the length of time desired. This means that after 30 minutes it will attempt to renew the policy, then if that fails, after 15 minutes (of the remaining 30 minutes) it will attempt to renew again, and so on.
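The expiration and retry behaviour just described, as an added example (not Check Point code): a small Python model of the halving retry schedule and of what happens when a renewal succeeds or the revert deadline arrives first. The one-minute floor on the retry interval is an assumption, since the text does not say how small the interval may become.

```python
from typing import List, Sequence, Tuple

MIN_INTERVAL = 1.0   # assumed floor (constructed): stop halving below one minute


def renewal_attempts(policy_minutes: float, revert_minutes: float) -> List[float]:
    """Minutes after the policy download at which the client retries while
    every renewal fails: half the validity, then half of what remains, and so
    on, stopping once the next attempt would fall at or past the revert deadline.
    A revert deadline of half the validity or less leaves no attempt at all."""
    attempts: List[float] = []
    since, remaining = 0.0, float(policy_minutes)
    while remaining / 2 >= MIN_INTERVAL and since + remaining / 2 < revert_minutes:
        since += remaining / 2
        remaining /= 2
        attempts.append(since)
    return attempts


def simulate(policy_minutes: float, revert_minutes: float,
             outcomes: Sequence[bool]) -> List[Tuple[float, str]]:
    """Run the timer against a list of attempt results (True = policy server
    reachable and policy renewed). A successful renewal restarts the timer;
    when no further attempt is possible the client reverts to its default
    policy at the revert deadline. Returns (absolute minute, event) pairs."""
    events: List[Tuple[float, str]] = []
    pending = list(outcomes)
    clock = since = 0.0                  # absolute time / time since last download
    remaining = float(policy_minutes)
    while True:
        step = remaining / 2
        if step < MIN_INTERVAL or since + step >= revert_minutes:
            events.append((clock + revert_minutes - since, "reverted to default policy"))
            return events
        clock += step
        since += step
        remaining -= step
        renewed = pending.pop(0) if pending else False   # unlisted attempts fail
        if renewed:
            events.append((clock, "renewed"))
            since, remaining = 0.0, float(policy_minutes)
        else:
            events.append((clock, "renewal failed"))


if __name__ == "__main__":
    print("retry schedule, 60 min policy, revert after 60:", renewal_attempts(60, 60))
    for minute, event in simulate(60, 60, [False, True, False]):
        print(f"t={minute:8.3f} min  {event}")
```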
VPN - Basic
Figure 11.6 presents options that deal with the basics of the VPN connection, how users are allowed to authenticate, what connectivity enhancements are enabled, and if they are required to integrate with legacy Nokia VPN clients.
Figure 11.6 Remote Access - VPN Basic Global Properties
The setting fields are as follows:
• Support Authentication Methods IKE itself has two methods for authenticating VPN connections: Pre-Shared Secret and Public Key Signatures. The final option, Hybrid Mode (VPN-1 & FireWall-1 Authentication), is used to authenticate users using other methods (such as SecurID, RADIUS, and internally managed passwords) as defined on the user's Authentication tab.
• IKE over TCP Eventually, one of your users will end up connecting from behind a device that does not support fragmented User Datagram Protocol (UDP) packets correctly, and you will be required to check the Gateways support IKE over TCP option. Gateways will always support the standard IKE implementation, which happens over UDP. This allows clients to connect using TCP if they detect a problem using UDP. It should be noted that this option only allows the gateways to use IKE over TCP; it does not tell the clients to use IKE over TCP. The client's setting must be done from the client for Transparent Mode (Tools | Global IKE Settings) or using Connection Profiles if using Connect Mode.
• IP Compression By selecting Enable IP compression for SecureClient, you allow the client to negotiate Internet Protocol (IP) compression parameters during key exchange, which allows the effective throughput to be higher than the actual bandwidth. By setting this, all clients running SecureClient (not available with SecuRemote) will negotiate IPCOMP along with the encryption parameters, which will be reflected in the logs in SmartView Tracker.
• Load Distribution The Enable load distribution for Multiple Entry Points configurations (Remote Access Connections) selection allows administrators to spread the load (bandwidth and CPU) of client connections across gateways in different locations. Multiple entry points will be discussed further in Chapter 12.
• Nokia Clients For a brief period of time, Nokia was distributing its own VPN solution. It was eventually phased out, but for legacy purposes, checking Supply remote access VPN using Nokia clients will allow Nokia VPN clients to establish a VPN tunnel to a Check Point gateway.
VPN - Advanced
The VPN - Advanced page (as seen in Figure 11.7) presents more options that are typically only changed if you are configuring your VPN in a more specific or advanced fashion.
Figure 11.7 Remote Access - VPN Advanced Global Properties
The settings fields are as follows:
• User Encryption Properties By default, Enforce Encryption Algorithm and Data Integrity on all users is enabled. This allows you to define the Phase 2 encryption properties for all users using SecuRemote or SecureClient.
NOTE The Enforce Encryption Algorithm and Data Integrity on all users option is only available for NG FP2 modules or later. Disable this option if using earlier versions on your gateway(s). If disabled, it can be set on a per-user basis in the Encryption tab of each user's object. For performance reasons, you may wish to select AES-128 instead of 3DES, as it is a less CPU-intensive algorithm for both the gateway and client and has a slightly higher effective key length (AES's 128 bits vs. 3DES's 112 bits). AES-256 is also an option for enforcing the highest levels of security, and DES is available for operating in countries where strong encryption is not allowed.
• IKE Security Associations Properties The Diffie-Hellman (DH) group determines the level of encryption used in IKE Phase 1 to exchange keys for IKE Phase 2. This information is downloaded by the client as part of the topology. By default, a new client (no topology yet defined) will use Group 2, so keeping Group 2 enabled is necessary to support the addition of new clients. If using Traditional Mode policies, ensure that the gateway will support the DH groups you specify here.
• Resolving Mechanism SecuRemote and SecureClient have the ability to find the interface on the gateway that is best to communicate with. This is important if you have more than one interface to which you want the client to establish a VPN. For example, if you have one interface for the wireless network and another interface for connections across the Internet, you would want to allow the VPN client to find which one to speak directly with. Enable SecuRemote/SecureClient to calculate statically peer gateway's best interface based on network topology will use only the primary (external) address of the gateway (on the object's General Properties page) to VPN to. By selecting Enable dynamic interface resolving by SecuRemote/SecureClient peers, you are not enabling the client to try to connect to each interface; you are only allowing a new option in each VPN Gateway object's VPN Advanced page called Dynamic Interface resolving configuration. There you can define whether you wish for an individual gateway to be resolved statically or dynamically.
• SecuRemote/SecureClient behavior while disconnected In the beginning, Check Point's VPN clients would simply drop all traffic destined for addresses contained in VPN domains unless the client was connected to the VPN or it recognized that it was on the LAN. This was not always the ideal option for companies, so Check Point added the option to simply send traffic in the clear when not connected to the VPN.
NOTE This option is only valid when the client is in Connect Mode.
Certificates
When users are authenticating themselves to the VPN gateway using Certificates, there are two options (as seen in Figure 11.8) that become relevant: how to handle whether the client will check the gateway's certificate, and how to handle the expiration of certificates.
Figure 11.8 Remote Access - Certificates Global Properties
The settings fields are as follows:
• Client will verify gateway's certificate against revocation list This option tells the VPN client to verify the digital certificate the gateway is presenting against the Certificate Authority's Certificate Revocation List, to ensure that the gateway's certificate is still valid. This is part of any good PKI infrastructure, in that digital certificates are continually being compared against published lists of revoked certificates.
• Renew users internal CA Certificates This option allows an individual user's certificate to be renewed starting at a specific period of time (60 days by default) before it expires, to ensure that the user will continue to have access to the VPN without interruption. Certificates are valid for two years from the date they are issued by default.
SCV
SCV enables you to control other important aspects of the SecureClient desktop.
Figure 11.9 Remote Access - SCV Global Properties
The settings fields are as follows:
• Gateway Secure Configuration Options Check the box next to Apply Secure Configuration Verification on Simplified mode Security Policies to enable the SCV desktop security mechanisms for all VPN connections to gateways using Simplified Mode VPN policies. Note that SCV is a SecureClient option only. By enforcing desktop policies, you may be blocking SecuRemote sessions.
• Upon Verification failure When a desktop does not pass the SCV checks as defined in this pane and in the local.scv file, you may choose to block connections from that system by selecting Block client's connection, or simply notify the user (the final option on this page), log that it failed, and allow connections by selecting Accept and log client's connection. It is best to simply block the connection; however, when you are beginning to enforce SCV on your user community you may wish to allow the connections, inform the users directly on how to fix their systems (install anti-virus, install Windows patches, and so on), and then, after the users have had ample time to update their systems, start blocking connections.
• Basic configuration verification on client's machine These basic options have been available since the beginning of SecureClient. During the installation of SecureClient, the user has the option to install the client only on dial-up interfaces, in which case Policy is installed on all interfaces becomes relevant. If all interfaces are not protected, the machine may be at risk via the unprotected interface and it will fail SCV. Only TCP/IP Protocols are used is also a basic check of whether non-TCP/IP protocols are in use (such as Internetwork Packet Exchange/Sequenced Packet Exchange [IPX/SPX] or NetBIOS Extended User Interface [NetBEUI]). SecureClient cannot protect these protocols and again, the system is at risk and will fail SCV.
• Configuration Violation Notification on client's machine If the desktop fails SCV, you can elect to generate a log locally (Generate log) and also Notify the user about the failure. If you are going to be blocking connections when verification fails, it is a good idea to notify the user that they are not configured securely and also teach the user how to correct the problem. The error message to display to the user is defined in the local.scv file in the :mismatchmessage section.
Early Versions Compatibility
This section of the Global Properties window, as shown in Figure 11.10, enables you to configure policies for versions of SecureClient prior to NG.
Figure 11.10 Remote Access - Early Versions Compatibility Global Properties
Following are the four policy options in the Required Policy for all desktops pull-down window:
• No Policy
• Allow Outgoing & Encrypted
• Allow Outgoing Only
• Allow Encrypted Only
You can see from this list how much more granular the new Desktop Security rulebase is. You can only select one of these policies for all pre-NG SecureClient users, which will work in conjunction with the other Secure Configuration Verification options set in the global properties.
• If No Policy is selected, there will be no policy loaded on the SecureClient when users log in to their policy server, hence no protection.
• If Allow Outgoing Only is selected, only non-encrypted traffic originating from the SecureClient PC will be allowed, and all inbound connection attempts to the SecureClient will be dropped.
• If Allow Encrypted Only is selected, only connections to and from the VPN domain will be permitted. For example, with the encrypted policy, mobile users cannot browse Internet sites, but they can download their e-mail from the office while the SecureClient software is running.
• If Allow Outgoing & Encrypted is selected, the users can initiate any connections to either the Internet or to the VPN domain, and only encrypted traffic is allowed inbound to the SecureClient.
The Client is enforcing required policy option defines whether or not to allow users not configured securely to be able to connect to the VPN and access the LAN.
Traditional Mode (Client Encrypt) Rules
The final step in allowing remote users to connect securely with SecureClient to a VPN under a Traditional Mode policy is to set up a client encrypt rule in the standard Security rulebase. This is where the firewall administrator defines the policies that will be installed on the firewall module that will be enforcing the policy and allowing SecuRemote and/or SecureClient users into the VPN domain. (See Figure 11.11.) To do this, open the Policy Editor and add a new rule to the rulebase, similar to the rule used in Chapter 10 for SecuRemote.
Figure 11.11 Client Encrypt Rule
[Rulebase sections shown in the figure: Stealth Rule (Rule 1); Client-to-Site VPN Traffic (Rule 2: source Engineering@Any, destination LAN, action Client Encrypt, track Log, install on Policy Targets); Site-to-Site VPN Traffic (Rules 3-4); DNS Traffic (Rules 5-6); Service Net Traffic (Rules 7-10); LAN to Internet Traffic (Rules 11-12); DMZ to Internet Traffic (Rule 13); Cleanup Rule (Rule 14)]
For this example, choose Engineering and set Location to No restriction. The Destination field specifies what objects these users will have access to via the encrypted connection, and Service enables you to further restrict the connection to particular services. Set Action to Client Encrypt, Track to Log, and ensure that Install On includes the appropriate firewalls. Now that the rule is configured, there are some additional action properties to consider for SecureClient. To access them, right-click on Client Encrypt and choose Edit properties, as shown in Figure 11.12.
Figure 11.12 User Encryption Action Properties
The Source and Destination options discussed in Chapter 10 have not changed. The selection you need to be concerned with is Apply Rule only if desktop configuration options are verified, which relates to the desktop configuration verification options you configured earlier in the global properties and the local.scv file. If any of the desktop verifications fail for a particular user, the firewall will not allow the encrypted connection via this rule. This is an effective way to ensure that only properly secured SecureClient desktop users are authenticating and connecting to particular parts of your network. If a user does not have the appropriate desktop policy loaded on their client, they will not have access via this rule.
In Traditional Mode, you can have rules that allow SecuRemote users and users that do not pass SCV to connect by not checking the Apply Rule only if desktop options are verified option on a per-rule basis. Traditional Mode is necessary to allow connections through the VPN to an anti-virus update server in order to get clients that are failing SCV (because of an out-of-date anti-virus version) up to date so that they can be verified by SCV and allowed access to other parts of the network.
Client Authentication supports SecureClient connections as well. To enable this, select Client Auth in the action field on a rule, then edit the Client Auth Action Properties and select Verify secure configuration on Desktop. This is generally used for cleartext (not encrypted) communication from an internal SecureClient PC.
Simplified Mode Rules
In Simplified Mode, adding rules for SecureClient VPN connections is exactly the same as setting up a rule for SecuRemote connections in Simplified Mode. To not allow SecuRemote connections and only allow SecureClient connections with SCV verified, check the box next to Apply Secure Configuration Verification on Simplified mode Security Policies in the Global Properties. Simplified Mode is, as its name suggests, easier to configure but not nearly as flexible as Traditional Mode.
Installing SecureClient Software
Each remote user that will be connecting to your firewall via VPN needs to install the SecureClient software. This software is available on your Check Point NG AI CD-ROM, and the latest version is also downloadable from the Check Point Web site at www.checkpoint.com/techsupport/downloads_sr.html. It is highly recommended that you read the release notes prior to installing or upgrading the SecuRemote/SecureClient software. You will notice that there are two versions on the Web site to download: a self-extracting .exe file for end users to run, and a compressed .tgz version, which is similar to what is provided on the NG AI CD-ROM. The .tgz version contains all of the individual files needed by an administrator to create a customized installation, which is discussed later in the "SecureClient Packaging Tool" section.
You may notice that the software package is called SecuRemote/SecureClient. The installation is for both VPN clients, with the important distinction being that SecuRemote does not contain the desktop security components that SecureClient does. This means that with SecuRemote, the user's desktop will not be protected from external attacks, nor will they receive policy updates from your policy server. To install the SecureClient software, perform the following steps:
1. Run the SecuRemote/SecureClient installation program. If you have a previous version of SecuRemote or SecureClient on your workstation, you will be asked if you would like to upgrade or overwrite the old version, as shown in Figure 11.13. Upgrading your previous version of SecuRemote/SecureClient preserves your configuration data, so you would be wise to take this option. Overwriting may be necessary if there is something wrong with the previous version and you want to start with a clean installation. Also, if you want to switch from SecuRemote to SecureClient or vice versa, choose overwrite, since upgrading will only upgrade the type of client you already have installed. Whichever option you choose, click Next to continue.
Figure 11.13 Previous Version Screen
2. Next, you will be asked if you want to install SecureClient or SecuRemote, as shown in Figure 11.14. Unless you have a particular reason not to provide personal firewall functionality for this client, it would be best to take advantage of these additional security features by installing SecureClient. Select the checkbox for Install VPN-1 SecureClient and click Next.
Figure 11.14 SecureClient
3. Next, you will be asked what network adapters you would like to bind SecuRemote/SecureClient to, as shown in Figure 11.15. The most secure method of running SecuRemote/SecureClient is to bind it to all adapters. Binding to all adapters means that traffic passing through any physical interface on the desktop will be secured and encrypted. Otherwise, unauthorized access attempts via one of the desktop's other network interfaces become increasingly possible. This option also relates to the Desktop Configuration Verification where you specified whether or not the policy must be installed on all interfaces. If you selected that option and you do not choose to install on all adapters here, this client will be denied access. Select Install on all network adapters and click Next.
Figure 11.15 Network Adapters
4. Next, the installation wizard will install the SecuRemote/SecureClient kernel into the OS. This is a fairly intensive and delicate process that may take several minutes. By placing itself at the OS level, SecuRemote/SecureClient can ensure the highest level of security, since it will inspect packets prior to their interaction with applications. Note that during this phase, all of your current network connections will be briefly interrupted. You will then be prompted to restart your system, which is required prior to using SecuRemote/SecureClient.
SecureClient Packaging Tool
To reduce the amount of configuration and customization each remote user must perform on their VPN client, Check Point provides the SecureClient Packaging Tool. This tool enables you to create a customized SecureClient package that you can distribute to your remote users. The end result is an easy-to-install, self-extracting SecureClient executable file that is designed to your specifications. The SecureClient Packaging Tool is installed from your Check Point NG AI CD-ROM. The installation of the SecureClient Packaging Tool is part of the Management Clients installation covered in Chapter 2.
1. Once installed, the SC Packaging Tool is run from the Start | Check Point Management Clients section. Upon loading the tool, you will see the log-in screen as shown in Figure 11.16. You will log in to the SC Packaging Tool with the same credentials you used to log into SmartDashboard. Click OK to log in.
Figure 11.16 Packaging Tool Login
2. The first time you log in, you will see a blank window. Figure 11.17 shows this window with a list of profiles. You will want to create a new profile. To do this, go to the Profile menu and choose New. Click Next on the welcome screen.
Figure 11.17 List of Profiles
(The figure lists three profiles with their comments and creation dates: a package for engineering, a package for network and firewall administrators, and a package for generic users, all created on Sun Dec 14 2003.)
3. You will now see the General configuration screen, as shown in Figure 11.18. For Profile name, enter a descriptive name for this profile. Note that this name can contain up to 256 alphanumeric characters and cannot contain any spaces. In this case, you will use StandardProfile. The Comment section can include a more detailed comment about this profile. Once you have entered these, click Next.
Figure 11.18 General Properties
4. Next, you will be presented with your first configuration options, as shown in Figure 11.19. These configurations affect how the end user will interact with the application. Transparent mode watches for packets leaving the desktop directed towards the VPN domain of any of the gateways and prompts for authentication only when it sees traffic destined for one. This can be annoying when a desktop system is continually polling a printer or print server and the client insists on connecting. Connect mode is similar to dial-up networking, and therefore end users seem to understand it better: click on the envelope in the taskbar and it presents a screen with a button named Connect. Connect mode is probably the most widely deployed now. The other selection on this page is whether or not to allow the user to change between modes in the SecureClient GUI. For simplicity, most organizations select one mode and do not enable mode transition, so that helpdesk employees have a single configuration to troubleshoot.
Figure 11.19 Client Mode Configuration
5. You will next see the SecureClient configuration window, as shown in Figure 11.20. The options on this screen are defined below.
• Allow clear connections for Encrypt action when inside the encryption domain: When selected, this option allows unencrypted connections whenever both the source and destination of the connection are within the VPN domain (for example, when a laptop returns to the corporate campus and attempts to connect to an internal server). When this is the case, clear connections are allowed even if "Encrypt" is specified in the Desktop Security rulebase.
• Accept DHCP response without explicit inbound rule: By default, SecureClient will accept Dynamic Host Configuration Protocol (DHCP) responses regardless of whether or not they are defined in the Desktop Security rulebase. If you do not select this option, these DHCP connections will only be allowed if they are defined explicitly in the rulebase.
• Restrict SecureClient user intervention: As described in the window, selecting this option hides the Disable Policy item from the SecureClient menus. This removes the remote user's ability to disable the policy their SecureClient receives from the policy server.
• Policy Server: When selected, the Logon to Policy Server at SecureClient Startup option results in the remote user being prompted to log on to the defined policy server as soon as SecureClient starts up. If you choose Enable Policy Server Load Sharing at SecureClient Startup, the logon request will be randomly sent to one of multiple policy servers.
Click Next when you have configured this screen.
Figure 11.20 SecureClient Configuration
6. You will now see the Additional Information options, as shown in Figure 11.21. Here, you can select the options you want to enable for connectivity enhancements. IKE over TCP enables the IKE negotiation to happen over TCP port 500 instead of UDP port 500 where necessary, since some devices do not correctly handle fragmented UDP packets. Force UDP encapsulation for IPSec Connections is useful when the SecureClient is connected behind a NAT gateway, as some NAT gateways are unable to route ESP/AH packets properly for an IP Security (IPSec) VPN. Some NAT devices do not allow you to set up NAT for these protocols at all; they can only handle TCP, UDP, and Internet Control Message Protocol (ICMP). ESP and AH use IP protocols 50 and 51; these are needed along with the IKE service on UDP 500 for IPSec communication. Table 11.1 shows which TCP, UDP, and IP protocols each encryption scheme uses. If you have a policy server behind a firewall, these are the ports that you need to open.

Here you are also allowed to define whether or not to give the user the option to stop SecuRemote/SecureClient. Note that even if the user stops SecureClient, the desktop will still be protected, because stopping only affects the service; it does not remove the driver that is doing the enforcement. This screen also asks you to decide how to handle connections if the user chooses to erase the passwords: you can allow or block (the default) already established connections. The last option on this page is Use third party authentication DLL. This is used if you want to use a mechanism outside of what Check Point has provided for authenticating users, such as biometrics and token-based authentication systems. If you are using a system that has been OPSEC-certified to use the Secure Authentication API (SAA), configure this as appropriate per the vendor's documentation. Click Next to continue.
Figure 11.21 Additional Information
Table 11.1 Encryption Protocols

Encryption Scheme    Ports/Protocols Used
IKE                  IKE (UDP port 500)
                     ESP (IP protocol 50)
                     AH (IP protocol 51)
                     IKE over TCP (TCP port 500)*
                     UDP encapsulation (UDP port 2476)*
                     FW1_topo (TCP port 264)
                     FW1_pslogon_NG (TCP port 18231)
                     FW1_sds_logon (TCP port 18232)
                     FW1_scv_keep_alive (UDP port 18233)
* Not always necessary

7. You will now be brought to the Topology Information screen, as shown in Figure 11.22. The options in the Topology Information screen include the following:
• Change default topology port: Topology information is transmitted by default on port 264. For port conflicts or security reasons, you can change this to an alternative port.
• Obscure Topology on disk: The topology information that FireWall-1 stores in the userc.C file can be stored in an obscured (non-human readable) format. If you want this, you must specify this option. For testing and debugging purposes, it is useful to be able to see the contents of the userc.C file. In production, however, there is little need for users to be able to see it.
• Accept unsigned topology: If selected, the firewall will accept topology requests even if there is no security signing in place. This is not recommended, since it introduces a possible security hole.
• Perform automatic topology update only in "Silent" mode: If enabled, this option causes SecureClient to obtain an updated topology after every key exchange. This is a very useful option.
If you choose to utilize the Partial Topology option, the only information stored in the package about your site will be the system users have to connect to in order to receive the topology. This is convenient in that after the end user has rebooted, they are prompted to authenticate to download the latest topology information. In addition, if this package falls into the hands of someone outside the organization, the only information compromised is the address of your VPN gateway. Click Next when you have made your selections.
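The port requirements of Table 11.1 above, applied as a gap check against a firewall allow-list for a policy server sitting behind a firewall. This is an added example, not code from the book or from Check Point; the rule-line format, the option names (ike_over_tcp, force_udp_encapsulation) and the sample policy are constructed for it, and the topology_port parameter reflects the Change default topology port option from step 7.

```python
# Added example: compare the services SecureClient needs (Table 11.1) against a
# simple firewall allow-list. The rule text format is constructed for this example.
from typing import Optional

# Table 11.1, IKE encryption scheme. ESP and AH are IP protocols (50 and 51), not
# ports. Entries with an option name are only needed when that option is enabled in
# the SecureClient package (the table marks them "not always necessary").
TABLE_11_1 = [
    # (service name, protocol, port or IP protocol number, package option requiring it)
    ("IKE", "udp", 500, None),
    ("ESP", "ip", 50, None),
    ("AH", "ip", 51, None),
    ("IKE over TCP", "tcp", 500, "ike_over_tcp"),
    ("UDP encapsulation", "udp", 2476, "force_udp_encapsulation"),
    ("FW1_topo", "tcp", 264, None),
    ("FW1_pslogon_NG", "tcp", 18231, None),
    ("FW1_sds_logon", "tcp", 18232, None),
    ("FW1_scv_keep_alive", "udp", 18233, None),
]


def parse_rule(line: str) -> Optional[tuple]:
    """Parse one constructed rule line such as 'accept udp 500' or 'drop tcp 264'.

    Returns (action, protocol, number) or None for blank and comment-only lines.
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    action, proto, number = line.lower().split()
    if action not in ("accept", "drop"):
        raise ValueError(f"unknown action in rule: {line!r}")
    return (action, proto, int(number))


def required_services(options: dict, topology_port: int = 264) -> list:
    """Services needed for the given package options.

    `options` maps option names (e.g. 'ike_over_tcp') to booleans; `topology_port`
    is the value chosen under 'Change default topology port' (264 by default).
    """
    needed = []
    for name, proto, number, option in TABLE_11_1:
        if option is not None and not options.get(option, False):
            continue  # optional service, package does not use it
        if name == "FW1_topo":
            number = topology_port
        needed.append((name, proto, number))
    return needed


def missing_services(policy_text: str, options: dict, topology_port: int = 264) -> list:
    """Return names of required services the policy does not explicitly accept.

    A service counts as allowed only if an 'accept' rule matches its protocol and
    number; a matching 'drop' rule, or no rule at all, makes it missing.
    """
    accepted = set()
    for line in policy_text.splitlines():
        rule = parse_rule(line)
        if rule and rule[0] == "accept":
            accepted.add((rule[1], rule[2]))
    return [name for name, proto, number in required_services(options, topology_port)
            if (proto, number) not in accepted]


# Constructed sample policy: IKE, ESP and the policy server logon ports are open,
# AH is blocked by mistake, SCV keep-alive is absent, and topology moved to 2640.
SAMPLE_POLICY = """
accept udp 500      # IKE
accept ip 50        # ESP
drop ip 51          # AH blocked by mistake
accept tcp 2640     # topology on a non-default port
accept tcp 18231    # FW1_pslogon_NG
accept tcp 18232    # FW1_sds_logon
"""

if __name__ == "__main__":
    opts = {"ike_over_tcp": True, "force_udp_encapsulation": False}
    for name in missing_services(SAMPLE_POLICY, opts, topology_port=2640):
        print("missing:", name)
```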
Figure 11.22 Topology Information
8. This brings up the Certificates Information configuration screen, as shown in Figure 11.23. Here, you can select a Certificate Authority IP Address and Port, which specify the location and port of your Entrust Certificate Authority server. You can also specify your LDAP server IP address and Port, which you should use if you are using a Lightweight Directory Access Protocol (LDAP) server as part of your configuration. Use Entrust Entelligence specifies whether SecureClient should use this proprietary feature of Entrust. When you have made your selections, click Next.
Figure 11.23 Certificate Information
9. Now you will see the Silent Installation configuration screen, as shown in Figure 11.24. The options here specify how many prompts the user will see when installing the SecureClient package. The Don't prompt user during installation option means that the user will see no prompts at all, which is what Check Point calls a silent installation. Alternatively, you can select Choose prompts that will be shown to users, and turn the various prompts on or off as your requirements dictate. Make your choices and click Next.
Figure 11.24 Silent Installation
10. You will now see the Installation Options Information screen, as shown in Figure 11.25. Here, you can specify the destination installation folder, which adapters you want SecureClient to bind to (see above for details), and whether you want the package to install SecureClient by default, as opposed to SecuRemote. You can also choose whether you want the user's system to be restarted by default after installation. Make your selections and click Next.
Figure 11.25 Installation Options
11. Next, you will see the Operating System Logon Information screen, as shown in Figure 11.26. Here, you can choose Enable Secure Domain Logon (SDL) and specify a timeout for SDL. This means that remote users will be able to log on to a Windows NT domain controller. Enable Roaming user profiles means users can use the Windows NT roaming profiles feature over their SecureClient connection. Finally, Enable third party GINA DLL enables you to use an external vendor's authentication DLL (for example, Novell's Client32 logon GINA). The VPN-1 User Guide also has information on changes you can make to the product.ini file and others to streamline the installation process. Make your selections and click Next.
Figure 11.26 Operating System Logon
12. You will now be brought to the Finish screen, as shown in Figure 11.27. Here, you can choose NO, Create profile only to have the packaging tool simply create a profile based on the parameters you have specified. Or, if you choose YES, Create profile and generate package, the Packaging Tool will generate a complete SecureClient package that you can then distribute to your remote clients. If you choose to generate the package, you will see the SecureClient Packaging Tool wizard, which will first ask you if you want to upload the package you are creating to an Automatic Software Distribution (ASD) server. If you have one defined, check the box and click Next to continue. You will be shown a screen with a prompt for a Package Source Folder, which is the location of the SecureClient package on your system. You can either use the package directory on the NG AI CD or you can place it (unzipped) in a directory on your PC. You will also be prompted for a destination folder, which is where the final package executable file will be placed. You will be required to create a package for each platform type (Windows 2000/XP, 98/ME, and NT). It is also useful to number the packages you create (similar to build numbers) so you can tell if someone is using the latest version of the installer and configuration you have defined. Click Finish once you have made your selection.

NOTE: If you have a working version of userc.C and wish to have all the site information defined (as well as all the other options) as part of the package, do not select partial topology; place your pre-configured userc.C into the source directory, replacing the stock userc.C, and generate the package.
Figure 11.27 Finish
Logging into the Policy Server

Once you create and distribute a SecureClient package to your remote users, they are on their way to securely connecting to your network. After the SecureClient package is installed, the policy server needs to communicate with the remote client. This occurs when the user logs in to the policy server, either explicitly or automatically. When the remote user first loads SecureClient, it automatically tries to log in to the policy server, provided that one is installed on the firewall. The user will be prompted for their log-in credentials and then logged on.
NOTE: If a remote user enables IP forwarding on their desktop, SecureClient will detect this, will display a warning to the user, and may disable some functionality as per the security policy. This is an important feature, because having IP forwarding enabled can result in packets entering one insecure interface being transmitted out another interface, which is a security risk.
After successfully logging on, SecureClient will periodically re-log on to the policy server in order to transmit any logs and ensure that it receives any updates to the security policy. In addition to these automated policy server logins, the remote user may also decide to explicitly log on to the policy server when in Transparent mode. This is useful in cases where the user knows the policy has been updated, such as when they are in contact with the firewall administrator and want to update their desktop's policy immediately. In Connect mode, the user can simply disconnect and reconnect. To explicitly log on to the policy server in Transparent mode (since there is no disconnect option for the VPN session in Transparent mode, only Invalidate Passwords), the remote user should go to the Policy menu and choose Logon to Policy Server. They will see a list of available policy servers to choose from.
Summary

Any security policy is only as strong as its weakest link. A common mistake by firewall administrators is not considering remote users as a possible source of security breaches. This is changing, however, as worms and viruses are propagated by them. Once a remote user is connected to your network, any compromise of that user's workstation could easily result in a compromise of your network. Check Point's SecureClient and policy server coupled with SCV enable you to reduce the risk of a remote user's desktop being susceptible to a security compromise as well as ensure its level of security. Because remote users are not necessarily knowledgeable about what their local security policy should be or how to implement it, the combination of SCV, policy server, and SecureClient enables the firewall administrator to set the security policy appropriate for remote users, and then push that policy out in a way that is simple and unobtrusive to the user. The Check Point SecureClient Packaging Tool is an additional component that enables you to distribute preconfigured versions of SecureClient to your users. This eliminates the need for remote users to correctly set up and configure SecureClient, thereby further simplifying the process for remote users to securely connect to the network.
Solutions Fast Track

Installing and Configuring a Policy Server
• Install the Policy Server from the Check Point NG AI CD-ROM or from a package off of the Check Point Web site.
• Enable the Policy Server as an installed product in your firewall object.
• Set the user group to use with the Policy Server in the Authentication tab of your firewall object.

Desktop Security Options
• Set up your desktop security rulebase and configure the global policy properties for desktop security.
• If desired, configure desktop configuration verification to specify what should happen if the security policy is broken.
• Add a client encrypt rule to the standard rulebase and edit the client encryption action properties.

Installing SecureClient Software
• Remote users can install SecuRemote/SecureClient directly from their Check Point NG AI CD-ROM.
• The latest version of SecuRemote/SecureClient software can be obtained from Check Point at www.checkpoint.com/techsupport/downloads_sr.html.
• You can use the SecureClient packaging tool to preconfigure SecureClient and bundle it into a package that remote users can easily install.

Logging into the Policy Server
• When a remote user loads SecureClient, it automatically logs into the policy server and receives the most recent security policy.
• SecureClient periodically logs into the policy server (approximately every 30 minutes) to check for any security policy updates and send logs back to the policy server.
• Users can also explicitly log in to the policy server through SecureClient.
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Can I install the policy server on two firewalls for redundancy?
A: You can configure the policy server for high availability, but it is more complicated than simply installing the policy server on two separate firewalls. Consult the Check Point NG AI documentation for details.
Q: What licensing issues should I take into account when installing a policy server?
A: In addition to your existing FireWall-1 licenses, the policy server requires a separate license on each firewall module on which it is installed. You also need to ensure that you have sufficient user licenses for the number of remote users that will be connecting. The user licenses are installed on the Management Module.

Q: I want my salespeople to be able to … my NT domain from the field. I also want them to be able to be notified that their NT passwords will be expiring at the same time.
C CAs. See Certificate Authorities caching options, URI resources, 336-337 CDs installing on Solaris, 105 installing policy server from, 476-477 Windows installation from, 69 Central Licensing feature, 205-209 Certificate Authorities (CAs)
configuring internal, 191-192 as encryption scheme, 439-440 initializing, installation process, 89-93 SIC and, 22 certificate revocation lists (CRLs), 22, 192 certificates authentication to VPN gateways, 488-489 and CAs, 439-440 remote user configuration, 505-506 renewal of, 489 chaining CVP group properties, 330 chapter summaries advanced VPN configurations, 546 applying NAT, 279 authenticating users, 314 Check Point Next Generation (NG) introduction, 39-41 installing and configuring VPN-1/FW-1 NG AI, 152-153 managing policies and logs, 408 OPSEC and content filtering, 362-363 securing remote clients, 511 security policy, creating, 253 SmartDefense, 567 tracking and alerts, 430 using the GUI, 213 VPN configurations, 470 Check Point Application Intelligence. See NG AI encrpytion algorithms (table), 437 firewaU. See FireWaU-1 (FW-1), VPN1/FirewaU-1 help, online, 548 high availability (CPHA), 95 Next Generation. See NG AI OPSEC Partner Alliance, 7 Security Policy, 218 UserCenter, logging in to, 566 Check Point gateway objects, 163-164 Check Point High Availability (CPHA), 516 Check Point Malicious Activity Detection, 24 Check Point Management Interface (CPMI), 321,343
Index
Check Point Next Generation (NG) Application Intelligence. See NG AI installation. See installation licensing, 51-52 suite described, 2-4, 39-42 SVN architecture, 3 Check Point Open Platform for Security. See OPSEC Check Point SecurePlatform, 20 Check Point SVN Foundation installation, 61 Check Point User Center, obtaining licenses, 51-52 Check Point User Database tool, 66 CIFS (Common Internet File System) resources, controlling access to internal users, 361 SmartDefense worm protection, 566 ciphertext, 434 Cisco touters and OSE technology, 169-172 and VPN configurations, 455 Citrix ICA application names, 399 Cleanup Rule, 201,238-239 client authentication described, using, 303-309 vs. session authentication, 308-309 vs. user authentication, 306 client encryption rules, configuring, 460, 493-495 Client/Server architecture, 19-20 client-to-site VPN, 440, 499-509 clustering HA and load sharing configurations, 521 MEP vs. SEP, 538 network, High Available, 517 Nokia's technology, 548 and redundancy, 13 clusters policy configuration, 532 viewing status of, 527 ClusterXL described, using, 12-13, 42 IPSO-based appliances and, 548 modules installed, 531 Code Red worm, 32
581
collisions and hash functions, 438 command line firewaU control commands, 402-406 firewaU process commands, 406-407 runmng commands, 411 commands See also specific command alerts, 414-420 command line. See command line firewall administration, 402-407 operating-specific for listing running processes, 406-407 SAM, options (table), 425-427 Committed Information Rate (CIR), 194 Common Internet File System (CIFS) and CVP resources, 325 Commumty Traffic Security Policy, 449 compression, IP, 485 Computer Associates SafeGate, 322 confidentiality Executive Security Policy, 220 protecting, 562-563 Configuration Tool screen, installation process, 94-95 configurations common, options, 163-167 SecuRemote VPN, 458 configuring administrators, 84-87 alerts, 419-420 CA on Solaris platform, 122-123 Check Point VPN-1/FW-1 NG AI on Solaris, 114-129 DNS, 58-59 FloodGate-I, 204 Global Properties, 200-205 GUI clients, 87-89, 119-121 IKE VPN in Simplified mode, 447-453 IKE VPN in Traditional mode, 441-446 mteroperable devices, 172 IP Pool NAT, 539 Multiple Entry Point VPNs, 533-543 NG AI for performance, 372-376 policy servers, 478-479 RADIUS authentication, 289-291 scheduled events, 194
582
Index
SCV options, 489-493 SecuRemote VPN, 457-462 SmartView Tracker, 209-210 Stateful Inspection, 204 static address translation, 266-272 static IP addresses, 64 static rules automatically, 274 VPN-1/FW-1 on Nokia, 144-146 VPN-1/FW-1 on Windows, 80-97 ConnectControl feature, 204 Connection Persistence options, 236 Connection Refused message, 257 connections blocking, and SAM, 424-429 blocking, duration of, 410 concurrent on FW-1,377-378 displaying, 383 synchromzed, 528 Consolidation Policy Editor, 11 Content Vectoring Protocol (CVP) creating resources, 324-326 described, using, 22, 320, 322-331 grouped objects, 329-331 load balancing chained servers, 331 using CVP resources in rules, 327-329 using resources in rules, 324-329 controls, security, categories of, 223 copying installation files, 75-76 rules, 242 cpconfig command changing administrators, 215 changing configuration with, 127 running on Nokia, 145 cpconfig command, 404 CPfwbc-41 package removal, 131 CPHA. See Check Point High Availability cphaprob command, 523-524 cpshell, using, 148-151 cpstart, cpstat commands, 404 cpstop command, 403 CPU (central processing umt) optimizing performance, 382 upgrade recommendations (table), 386 creating CVP groups, 330
default users for authentication, 292-293 reports with Report Tool, 11-12 templates for authentication, 293-297 URI resource to use UFP, 334 user groups, 297-298 Web sites, 464-467 CRLs (certificate revocation fists), 22, 192 Cross Site Scripting tab, SmartDefense, 562-563 customizing alert types, 414 SmartDashboard, 205 UFP server object, 332
D Data Encryption Standard (DES), 9 data flow in FireWall-1, 34-35 data integrity, encryption and, 435 Database Revision Control section, security policy, 248 DBEDIT utility dbedit command, 215 editing files manually with, 392-393 editing objects 5 0.C file, 368 DCE-RPC service described, using, 186 debugging See also troubleshooting VPNs, 454-456 decryption algorithm and key management, 436 NT name resolution, 374 .DEF files, 252 defaultfilter.pf, 393 defining CVP objects, 323-324 firewall objects, 231-237 users for authentication, 292-298 deleting old security policies, 391 rules, 243 Demilitarized Zone (DMZ), 2,260 demo installation, 59 Denial of Service (DOS) attacks, 45,550, 553-555 DES (Data Encryption Standard), 9 designing
Index
managing throughput, 377 OS password authentication, 288 security policies, 223 Desktop Security adding support, remote clients, 462-464 described, using, 30 policy options, 479-482 policy updating, 484 Remote Access Global Properties, 482-484 Rule Base, 480 destination mode NAT, 278 detective security controls, 223 DHCP (dynamic host control protocol), 165, 539 diagnosing networks with SmartView Tracker, 10 Differential Services (Dii~erv), 15 Diffie-Hellman algorithm, 436, 451,487 digital signatures described, using, 438-439 and RSA encryption, 436 Digital Subscriber Line (DSL), security and VPN-connected users, 9 disabling authentication, 547 ICMP, 569 rules, 243 displaying and hiding rules, 244 displaying user's at logm, 312 DMZ (demilitarized zone), 2, 260 DNS (domain name service) configuring, 58-59 encrypting traffic, 484 firewaU access, 347 SecuRemote, 192 security policy rule, 241 domain objects, 169, 382 domains, VPN. See VPN domains DoS attacks, 45,550, 553-555 double slash (//) within URL GET command, 368 downloading Check Point updates, 69 dropped packets, firewaU logs and, 10 DSL security and VPN-connected users, 9
583
dynamic host control protocol (DHCP), 165,502, 539 dynamic objects, 15, 177-178 Dynamic Ports, SmartDefense configuration, 559-560 dynamic objects command, 178-179
E e-mail alert script, 419 SMTP, configuring, 237 editing objects_5_0.c file, 467 security policy files manually, 252 with Consolidation Policy Editor, 11-12 enabling high availability, 516-521 IP forwarding, 57-58 load sharing, 521-523 MEP, 534 Secure Domain Login (SDL), 508 encrypting data with SIC, 21-22 NIC cards, 24 encryption certificates and CAs, 439-440 client rules, 460 domain. See VPN domains external network considerations, 456 hash functions and digital signatures, 438-439 IKE and ISAKMP, 437-438 in-place, 438 Key Exchange (IKE), 166 NT name resolution, 374 ping testing, 472 protocols (table), 504 schemes described, 434-437 SecuRemote and, 8-10 speeding up, 380 symmetric vs. asymmetric, 435 tunneling-mode, 437 user authentication, 296-297 user properties, VPN, 459 endpoints, gateway, 473 enforcing security policy, 225
584
Index
Enterprise security manager (ESM), 342 error messages 'FW-1 Unknown W W W Server', 367 'No proposal chosen', 472 Ethereal (sniffer), 257 evaluation copy of VPN-1/FW-1, 46 license for Check Point NG, 51-52 event logging, OPSEC client option, 321 Event Logging API, 341 events, tracking suspicious, 558 Executive Security Policy, 219-221 expired licenses, viewing, 208-209 exporting SmartMap to image file, 29 extracting files, 106 Extranet Manager, configuring, 203
F F-Secure, 322 failover methods, 543-545 .FC files, 251 File and Print Sharing Worm Catcher, 564 File Transfer Protocol. See FTP files See also specificfile firewaU configuration, 256 security policy, 251-252 filtering broadcasts from security logs, 256 fingerprint of server, 44, 92 fingerprint scrambling options, 558 Finjan Software's SurfinGate, 322 FireWall- 1 (FW- 1) See also VPN-1/Firewall-1 administering for effectiveness, 386-401 authentication schemes, 286-292 backing up configuration, 401-402 command-line interface (CLI), 248 default and initial security policy, 229 described, 4-8 file editing capability, 392-393 Inspection Engine, 34-35 monitoring logs, 394-400 performance and scalability, 36-37 state table limit, 383
stopping and starting for maintenance, 403 throughput on different platforms (table), 377 FireWall-1 GX, configuring, 204 firewall objects, defining, 231-237 firewalls See also FW-1, VPN-1/Firewall-1 architecture, 223-224 Check Point solution, 36 defining users on, 192 displaying licenses, 23 installing policy server on two, 513 and OSI reference model, 31-33 security policy. See Security Policy synchronizing, 525-528 technology, 43 FloodGate-1 configuring, 204 described, using, 14-15, 42 installation, 60 logging option (table), 399 Foundry Severlron XL, 544 fragmented packet handling, 45 FTP (File Transfer Protocol) and CVP resources, 324, 326 resource, using, 188 resources, content filtering, 357-359 running on firewaU, 53 user authentication, 299 FW-1. See FireWall-1 FW-1 daemon, controlling, 404-405 FW-1/VPN-1. See VPN-1/FireWall-1 fw tab command, 383 fw unloadlocal command, 153 fwalert command, 417 fwauthd.conf, 380 $FWDIR/conf/local.scv.file, 490, 547 fw.log, 395 fwpolicy command, 160 fwstart command, 403 fwstop command, 403 FWZ firewall encryption scheme, 437
Index
G gateway cluster described, using, 176-177 Gateway feature and MEP VPN configurations, 533 gateway objects, 163-164 gateways configuring backup, 538 default, configuring on Windows systems, 56 endpoints, 473 and hosts, 165 satellite routing to, 449 security and, 8-10 VPN-1/FW-1 options, 60 and VPN commumties, 448 and VPN domains, 440 Global Properties configuring, 200-205 configuring NG AI, 373-376 implied rules, 231 NAT, 276-278 group objects, 173, 186 grouping CVP objects, 329 UFP objects, 338-339 groups creating user, 297-298 RADIUS, 190 GUI (graphical user interface) clients, configuring, 87 clients, installation of firewall, 66-67 configuring during Solaris installation, 119-121 of management module, using, 25-29 using generally, 160 GUIdbEdit tool, 215
H
hardening operating systems, 21
hardware, upgrading to improve performance, 386
hash functions and digital signatures, 438-439
hash size, optimization procedures, 385
help, Check Point online, 548
585
hiding
  LAN networks, 272-273
  network objects, 260-264
  OS information, 558
  rules, 244
high availability (HA)
  Check Point, 516
  configuring on Solaris platform, 128
  enabling, 516-521
  Management High Availability, security policy option, 249
  new mode, 520
  on Nokia, 147
  other methods, 543-545
  Meta IP and, 17
honeypots, using, 424
host files, using to optimize performance, 373
host objects, 163-164
hostnames, Source field, rule creation, 196
hosts and gateways, 165
Hot Standby Routing Protocol (HSRP), 520
hotfixes
  Check Point Express Supplement, 52
  downloading, 389
HP OpenView, 64
Hping2 tool, 387
HSRP (Hot Standby Routing Protocol), 520
HTML weeding, options described, 345-346
HTTP (Hypertext Transfer Protocol)
  described, 514
  Protocol Inspection tab, SmartDefense, 561-562
  security policy rule, 240-241
  security servers, improving performance on, 381
  user authentication, 299
  viruses that exploit, 38
HTTP Worm Catcher, 560-561
HTTPS (Hypertext Transfer Protocol Secure), 203
  described, 203
  security policy rule, 240
  user authentication, 299
Hypertext Transfer Protocol. See HTTP
I
IANA (Internet Assigned Numbers Authority), 183, 260
ICANN, IP address allocation, 260
ICMP (Internet Control Message Protocol)
  attacks, defending against, 569
  codes, configuring, 183-185
  packets, field information (table), 422
  ping testing VPNs, 455
  proxy firewall problems with, 32
IDS (Intrusion Detection System), 28-29, 424, 550
ifconfig command, 265
IKE (Internet Key Exchange)
  authentication timeouts, setting, 483
  authentication, VPN, 459
  configuring VPN in Simplified mode, 447-453
  configuring VPN in Traditional mode, 441-446
  described, using, 437-438
  over TCP, configuring, 485, 503
IMAP (Internet Message Access Protocol), permitting LAN access, 240
implementing security policies, 228-242
implied rules, Global Properties, 231
importing installation configuration, 60
in-place encryption, 438
Inbound Rules, Desktop Security, 481, 482
incident response procedures, testing, 388
inetd.conf, 54-55
information security policy, 218-221
InitialPolicy, 125-126
INSPECT
  engine, URL retrieval, 334
  script, 251
  updates, 565-566
INSPECT XL described, using, 373
Inspection Engine, FW-1, 34-35, 45
installation
  completed, rebooting, 94
  disabling services on firewall host, 53-55
  options, 59-60
  order of installation, 157
  pre-installation considerations, 48-67
  securing host, 52-58
  security policies, 247, 250-251, 393-394
  silent, 506
Installation Wizard, 70, 152
installing
  Check Point VPN-1/FW-1 NG AI on Solaris, 104-129
  policy server on two firewalls, 513
  policy servers, 476-478
  SecureClient software, 495-498
  SecuRemote client software, 464-469
  security policy, 249-251
  VPN-1/FW-1 on Nokia, 138-146
  VPN-1/FW-1 on SecurePlatform, 146-151
  VPN-1/FW-1 on Windows, 68-80
InstallShield Wizard, 73
instant messengers, 566
Intel Xeon processor, 158
interfaces
  defining on Check Point objects, 168
  firewall, defining, 234
  local, spoofing, 559
  Security Dashboard, 4
Internet
  hiding network objects from, 260-264
  interruption and outage prevention, 516
Internet Assigned Numbers Authority (IANA), 183, 260
Internet Control Message Protocol. See ICMP
Internet Engineering Task Force (IETF), 437
Internet Information Server (IIS), running on firewall, 53
Internet Key Exchange. See IKE
Internet Message Access Protocol (IMAP), permitting LAN access, 240
Internet Security Association and Key Management Protocol (ISAKMP), 437-438
Internet Service Providers. See ISPs
Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), 491
interoperable devices, configuring, 172
interruptions and outages, preventing, 516
Intrusion Detection System (IDS)
  mapping, 28-29
  and SmartDefense, 424, 550
Intrusion Prevention System (IPS), 424
IP addresses
  configuring firewall interface with, 56
  firewall, 232
  hiding with NAT, 260-264
  selecting, 174
  Source field, rule creation, 196
IP addressing, managing with Meta IP, 16-18
IP compression, 485
IP forwarding, enabling, 57
IP fragments, allowing, 554
IP Pool NAT, using, 543
IP scanning, defending against, 550
IPSec and VPN connections, 513
IPSO, upgrading images, 139
ipsofwd command, 157
IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange), client configuration, 491
ISAKMP (Internet Security Association and Key Management Protocol), 437-438
ISPs (Internet Service Providers)
  interruptions and outages, 516
  and IP address allocation, 260
K
Key Exchange (IKE) encryption, 166
Key Hit Session screen, 90
keys in encryption schemes, 435-438
L
Languard Network Scanner, 257, 387
layers of OSI reference models, firewalls and, 31-33
LDAP (Lightweight Database Access Protocol)
  account management, enabling, 203
  account unit, server objects, 191
  authentication described, using, 309-313
  and FW-1, 8
  and URI, 334
LDAP Users Database, 66
LEA. See Log Export API (LEA)
Least Privilege Principle, 195
legal department, and security policy, 219, 256
.lic files, 84
License Repository, 206-208
licenses
  accepting agreement, 71
  for access control lists (ACLs), 248
  adding during Windows installation, 82
  Check Point, obtaining, 51-52
  configuring for Solaris platform, 115-116
  displaying firewall, 23
  High Availability module, 517
  installation and, 63-64
  managing with SmartUpdate, 205-209
  Solaris platform, 108-109
Lightweight Database Access Protocol. See LDAP
links, virtual, 194
Linux
  Check Point firewalls and, 437
  guidelines for securing OS, 53
  installing Check Point NG on, 106-107
  SecurePlatform, 146-151
load balancing
  chained servers, 331
  configuring, 174-176
load sharing
  and ClusterXL, 12
  CVP group properties, 330
  enabling, 521-523
local gateway object, SecuRemote VPN, 457
local.scv file, 490
Log Consolidator tool described, 66
log data, viewing, 209-210
Log Export API (LEA), 22, 341-342
log exporting, OPSEC client option, 321
Log Unification Engine, 380, 395
Log Viewer, 11
log viewer. See SmartView Tracker
logging
  Active Mode log, 380
  in to Check Point UserCenter, 566
  configuring SecureClient, 481
  configuring security policy, 234
  filtering broadcasts, 256
  into Policy Server, 29-30, 510
  session information, 11-12
  tracking and alerts options, 414-420
  URL, 334
Logical Server groups, configuring, 174
logs
  managing firewall, 394-400
  rotating firewall logs, 405
M
MAC (media access control) and HA, 517, 519
man-in-the-middle attacks, 21
Managed Service Provider (MSP), integrated solutions for, 6-7
management servers, fingerprint window, 92
managing
  firewall logging, 394-400
  IP addressing and name resolution services, 16-18
  multiple security policies, 391
  objects generally, 160-162
  SecureClient software remotely, 29-30
  VPN-1/FW-1 in distributed environment, 5
  VPNs, and network topology, 469
mapping network for security policy, 221
media access control (MAC), 517
memory
  determining your needs, 382
  required for VPN-1/FW-1 installation, 49
  upgrade recommendations (table), 386
MEP (Multiple Entry Point) VPN configurations, 10, 533-543
mesh configuration, VPN, 448
Meta IP described, using, 16-18, 42
Microsoft Active Directory, and FW-1, 8
Microsoft Visio, 29
model, OSI reference. See OSI reference model
monitoring
  administrator activity, 372
  firewall traffic, 414
  NG AI for performance, 382-386
  OPSEC applications, 339-340
  QoS performance, 15
  real-time status, 40, 211-212
  user-defined tracking, 420-424
MSBlast.exe, 38
Multiple Entry Point (MEP) VPN-1 gateway configuration, 10, 533-543
Multi-Domain GUI, 6
N
name resolution services
  domain. See DNS (domain name service)
  managing with Meta IP, 16-18
  Windows NT 4.0, 374
names, GUI configuring, 166
NAT (Network Address Translation)
  automatic rules, routing, 272-276
  configuring IP Pool, 539
  and CVP, 325
  DNS configuration, 59
  destination mode, 278
  Global Properties, 202, 276-278
  hide and static modes, 261, 281
  keeping rule base simple, 282
  limiting rules to improve performance, 381
  manually configuring rules, 281
  policies, 14-15
  user-defined input, field information (table), 422
  using to hide internal networks from Internet, 260
Nessus, 257
NETBEUI, disabling during firewall installation, 53-55
NetBIOS
  logging, 380
  names, 374
Netmask Cheat Sheet, 56
netstat command, 472, 527
Network Address Translation. See NAT
network interface cards (NICs), 24
network objects, 162-163, 167-168, 260-264
Network Processors (NPs) in SecureXL, 24
Network Properties window, 168
Network Security, understanding, 553
networks
  diagnosing with SmartView Tracker, 10
  synchronizing firewalls, 525-528
  viewing topology with SmartMap, 28-29
newimage command, 139-141
newpkg command, 141-142
NG AI (Next Generation Application Intelligence)
  administering for performance, 376-382
  administrative goals, 372
  concurrent connections, 377-378
  configuring for performance, 372-376
  monitoring for performance, 382-386
  Security Dashboard, 4
  throughput on different platforms (table), 377
  vs. previous versions, 410
NG OPSEC Software Development Kit (SDK), 343
NICs (network interface cards), encrypting, 24
Nimda attacks, 32
NMAP, 257
Nmap port scanner, 387
node objects, 167
Nokia
  associated host name with external IP address, 59
  clients, remote access configuration, 486
  ClusterXL and VRRP, 548
  configuring static ARP entry, 265
  configuring VPN-1/FW-1 NG AI on, 144-146
  forwarding packets, 157
  hardened FreeBSD operating system, 53
  installing VPN-1/FW-1 NG AI on, 138-146
  listing firewall processes on bastion host, 406-407
Nortel Alteon Switched Firewall, 380
Novell Directory Services (NDS), 8
NT/domain, logging on from field, 513
O
Object List, described, using, 27
Object Management Interface and OPSEC applications, 342-343
Object Management Interface (OMI), 321
Object Tree described, using, 27
objects
  defining CVP, 323
  defining URI Filtering Protocol, 332-333
  domain, 169
  dynamic, using, 177-178
  editing manually, 215
  firewall, 231-237
  group, 173
  managing generally, 160-162
  network, 162-163, 167-168, 260-264
  node, 167
  OPSEC, 188
  RADIUS server, 189-190
  resource, 187-188
  server, 189
  services, 179
  TCP service, 179-181
  time, 193
  UDP service, 181-182
  UFP groups, 338-339
Objects Database tool, 66
Objects Tree in SmartDashboard, 162
objects_5_0.C file
  backing up, 401-402
  described, 255
  editing manually, 368, 392-393
  making changes to, 467
Old Sync Method, 548
Open Platform for Security. See OPSEC
Open Security Extension (OSE) device, 169-172
Open System Interconnection reference model. See OSI reference model
operating systems (OSs)
  choosing for VPN-1 and FireWall-1, 20
  guidelines for securing, 52-53
  keeping information hidden, 558
  password authentication, 288
OPSEC (Open Platform for Security)
  applications, 320-322
  available applications, 367
  -certified products, 544
  -certified vendors, 332
  client side applications, 341-343
  content filtering options, 320
  described, 6-7
  objects, 188
  Partner Alliance, 7
  Roaming Administrator, 205
OPSWAT
  OPSEC-compliant solutions, 432
  SCV checks, 491
OSE (Open Security Extension)
  configuring, 204
  device, 169-172
OSE Device Access List Operations window, 248
OSI reference model, layers and functions, 31
OSs. See operating systems
outages, preventing, 516
Outbound Rules, Desktop Security, 482
overlapping VPN domains, 534-537, 540-543
P
packet filtering
  editing files manually, 393
  vs. proxy server, 31-33
Packet Sanity verification, 554
packets
  filters. See packet filtering
  firewall drops and rejects, 257
  fragmented, handling by FW-1, 45
  Performance Monitor, FW-1 counters, 385-386
  rule base processing of, 380
  setting minimum size, 557
  SmartDefense checks, 551
passwords
  administrator, 64
  NT, using for remote logon, 513
  operating system, authentication method, 288
  RADIUS, 290
  strength, 313
patches, obtaining updated, 388
peer-to-peer blocking, 563-564
performance
  administrator's goals, 372
  configuring NG AI for, 372-376
  firewall proxies vs. packet filtering, 33
  improving by controlling QoS priorities, 14-15
  monitoring NG AI for performance, 382-386
  platform-specific tools, 385
  SecureXL API technology and hardware acceleration, 380
  Stateful Inspection traffic control, 36
Performance Monitor, FW-1 specific counters for, 385
Perimeter Network Security Policy, 219
  defining rule base, 237
  drafting, 221-222
  sample, 225-228
permissions, security policy, configuring, 237
Persistent server mode, option described, 175
Pest Patrol, 491
.PF files, 251, 255, 393
ping
  floods, preventing, 554
  load balancing, 175
  testing for VPNs, 455, 472
pivot, load sharing, 522
pkginfo command, 130
pkgrm command, 129-132
PKI (Public Key Infrastructure), SIC and, 22
plaintext, 434
planning OS password authentication, 288
platforms, choosing OS for your company, 21
PMTU attacks, 557
point-to-point applications, protection for, 566
pointer (PTR) records, 59
policies
  Desktop Security, 30, 482-484
  FloodGate-1, 14-15
  logging, 393-400
  security. See Security Policy
Policy Editor
  See also SmartDashboard
  FloodGate-1 policy loaded in, 14-15
  integration with Visual Policy Editor, 29
  using, 26-27
policy profiles, creating and pushing to remote firewalls, 15
Policy Server, using, 29-30
policy servers
  installing and configuring, 476-479
  installing on two firewalls, 513
  logging into, 510
port 135, defining for application access, 187
port 443, SecurePlatform and, 514
port scanners, scanning, 257, 387, 559
ports
  dynamic, SmartDefense configuration, 559-560
  VPN, and protocols (table), 469
power supplies, preventing interruptions, 516
preventative security controls, 223
Principle of least privilege, 195
print sharing, File and Print Sharing Worm Catcher, 564
privacy, encryption and, 434
processes, listing firewall, 406-407
Product Repository, managing, 389
profiles, user
  configuring remote, 499-500
  enabling roaming, 508
properties, user encryption, 459
protocols
  See also specific protocol
  custom, and security policy, 256
  encryption (table), 504
Provider-1
  creating policies with SmartLSM, 16
  described, 6-7
proxy firewalls, 31-33
proxy servers vs. packet filter and OSI reference model, 31-33
public key encryption, 435
Public Key Infrastructure (PKI), SIC and, 22
putkeys command, 547
Q
QoS (Quality of Service)
  improving by controlling priorities, 14-15
  logging option (table), 398
  Policy tool, 66
quality control, firewall performance, 386-388
querying Rule Base, 246
R
Radius, 485
RADIUS (Remote Authentication Dial-In User Service)
  authentication method described, using, 289-291
  server objects, configuring, 189-190
RainWall, 544
records, DNS, 58-59
RedHat Linux OS, 20
registry, editing to enable IP forwarding, 57-58
Reliable Datagram Protocol (RDP), 437
remote access
  global properties, configuring, 482-484
  logging on NT/domain from the field, 472
  SecureClient. See SecureClient
  VPN community, 448
  VPN connection options, 484-495
Remote Access Global Properties, 482-484
Remote Authentication Dial-In User Service. See RADIUS
remote networks, troubleshooting, 282
Remote Procedure Calls (RPCs)
  configuring, 182-183
  proxy firewall problems with, 32
removing
  See also uninstalling
  Primary SmartCenter Server, 153
  SVN Foundation, 101
Reply Order options, CVP, 327
Report Tool, using, 11-12
Reporting module installation, 61
Reporting Tool installation, 63, 78
reports
  See also SmartView Reporter
  log data, 10
requirements, security policy, 221
resource objects, 187-188
resources
  CIFS, using, 361
  creating CVP, 324-326
  creating URI, to use UFP, 334
  FTP, 357-359
  Hping2 tool download, 387
  OPSEC-certified applications, 7
  SMTP, 351-357
  subnet calculators, 168
  URI Filtering Protocol, using in rules, 338-339
  Web sites. See Web sites
response scanning, URI resource properties, 345
responsive security controls, 223
restricting user sources, destinations, 295
Rijndael Advanced Encryption Standard (AES), 9
roaming profiles, 508
ROBO Gateways Database tool, 66
'rooting' Web servers, 10
rotating firewall logs, 396
round trip time (RTT), 194
Route Injection Module (RIM), 545
routers
  Cisco, and OSE technology, 169-172
  incorporating security policy rules, 248
routes vs. ARP entries, 281
routing and ARP, 264-266, 271-272
RSA encryption, 436, 438-439
Rule Base
  adding VPN (Simplified mode), 451-453
  adding VPN (Traditional mode), 444-446
  address translation, 261-264
  backing up, 401-402
  defining, 237-242
  described, using, 195-200
  Desktop Security, 480, 482
  determining when too complex, 410
  drops and rejects, 257
  and managing objects, 160
  NAT, with generated rules, 273
  optimizing, 376-382
  querying, 246
  section titles in, 245
  SmartDefense traffic inspection, rules, 569
  top-down processing, 242
  User Auth in, 317
  using other resources in, 344
rulebases_5_0.fws, 255
rules
  See also Rule Base
  adding with SmartDashboard, 195-200
  automatic NAT, 272-276
  Cleanup Rule, 238-239
  client authentication, 304-305
  client encryption, 460
  configuring alerts, 419-420
  CVP resources usage, 327-329
  deleting, disabled, 243
  dragging, dropping, 245
  hiding, 244
  implied, 200-202
  Inbound and Outbound, 481
  manipulating, 242-247
  NAT, configuring manually, 260-264, 281
  outbound, for Web server, 269
  Security Policy, 45
  session authentication, 307
  static address translation, 266-272
  Stealth Rule, 239
  tracking information, 198
  translating security policy into, 230-242
  URI Filtering Protocol, 338-339
  user authentication, 299-300
  VPN community encryption (table), 453
S
Safe@ Connector installation, 60
SAM API, using, 342-343
saving security policies, 241, 390
scalability
  firewall proxies vs. packet filtering, 33
  Stateful Inspection and, 36-37
scheduled events, configuring, 194
scripts
  INSPECT, 251
  InitialPolicy, unloading, 125-126
  user-defined responses, 420, 431
  writing, 420-424, 431
SCV, setting global properties, 489
SDL (Secure Domain Login), 468
searching
  for licenses, 84
  using SmartView Tracker, 211
Secondary Management Station, 163
secure communications, ensuring between GUI client and management server, 44
Secure Domain Login (SDL), 468, 508
Secure Internal Communication (SIC)
  certificates and, 121
  Check Point's use of, 6-7
  configuring, 233
Secure Shell (SSH), 54, 203
Secure Sockets Layer (SSL), 203, 514
Secure Virtual Network (SVN) architecture, 3
SecureClient
  blocking viruses with, 38
  configuring logging, 481
  described, 9-10
  installing software, 495-498
  logging into policy server, 510
  Packaging tool installation, 63, 78
  Policy Server installation, 60
  software described, 476
SecureClient Packaging Tool, 63, 78, 464, 499-509
SecureDHCP service, 17
SecuRemote
  configuring, 203
  configuring VPN, 457-462
  described, 8-10
  installing client software, 462-464
  using client software, 464-469
SecuRemote DNS, configuring, 192
SecurePlatform
  elements of high-performance configuration, 158
  installing VPN-1/FW-1 NG AI on, 146-151
SecureXL
  described, using, 24
  extreme performance, 380
  Solaris installation screen, 115
SecurID
  authentication method described, using, 287
  described, 485
  when to use, 316
securing host during firewall installation, 52-58
security
  boot, 229
  training, 220
security associations (SAs), 437
Security Configuration Verification (SCV) checks, 9
Security Dashboard
  described, using, 5-6
  managing NG AI suite with, 4
Security Policy
  administration, 390-391
  application of rules to incoming data, 45
  backing up, 250
  boot process, 393-394
  community involvement in formulation of, 222, 256
  default and initial, 228-229
  defining requirements, 221
  designing, 223
  DNS rule, 241
  editing files manually, 252
  HTTP and HTTPS rule, 240
  implementing, 228-242
  installation methods, 250-251
  installing, 249-251
  policy files, 251-252
  policy options, 247
  reasons for, 218-219
  rule using CVP resource, 329
  rule using UFP server in URI resource, 338-339
  translating into rules, 230-242
  using CVP, 324-329
  writing, 224-228
Security Policy tool, installing, 66
Security Server, Global Properties, 202
security servers, 380
Security Sockets Layer (SSL), 8
server objects, 189
server pooling, 174
servers
  CVP vs. UFP, 332
  fingerprints of, 44
  load balancing chained, 331
  policy. See policy servers
  'rooting', 10
services objects, 179
session authentication, 306-309
session keys in encryption, 436
sessions
  logging, 11-12
  OPSEC, 320
SHA-1 encryption, 456
shared secret (encryption), 435
showing. See displaying
SIC module, using, 21-22
Sign-On Method, client authentication, 305
silent installation, 506
Simple Mail Transfer Protocol. See SMTP
Simple Objects Access Protocol (SOAP), OPSEC option, 351
Simplified Mode, SecureClient VPN connection rules, 495
Single Entry Point (SEP) VPN configurations, 440, 520, 528-533
site-to-site VPN, 439
SmartCenter installation, 60
SmartCenter Pro, 16
SmartConsole, installation, 61, 77
SmartDashboard
  adding rules with, 195-200
  Address Translation tab, 262
  customizing, 205
  described, using, 25-26
  installation, 78
  managing objects with, 160-161
  SmartDefense tab, 551
SmartDefense
  Application Intelligence described, using, 560-564
  concurrent connection setting, 556
  Cross Site Scripting tab, 562-563
  described, using, 23-24
  fingerprint scrambling options, 558
  and IDS, 424
  introduction to, 550-551
  updating, 565-566
  using, 551-552
SmartDirectory (LDAP), 8
SmartLSM
  described, using, 15-16
  installation, 63, 78
SmartMap
  described, using, 28-29
  topology of objects, 162
  using with Policy Editor, 26-27
SmartUpdate
  configuring option, 66
  configuring tool, 205-209
  described, 6
  described, using, 22-23, 388-389
  installation, 63
  Product Repository, 23
SmartView Monitor
  installation, 60
  monitoring functions, 385
SmartView Reporter
  creating reports to, 482
  described, 10-12
  real-time status monitoring, 40
  using, 42
SmartView Status
  configuring tool, 211-212
  installation, 78
SmartView Tracker, 10
  configuring tool, 209-210
  installation, 63, 78
  interfacing with SAM, 427
  monitoring firewall traffic with, 414
SMTP (Simple Mail Transfer Protocol)
  and CVP resources, 324
  described, 15, 527
  resource, using, 188
  resources, e-mail filtering, 351-357
  viruses that exploit, 38
sniffers, 257
SNMP
  daemon (UNIX), 64
  security policy settings, 235
  vulnerabilities, 65
SOAP (Simple Objects Access Protocol), 351
Sofaware, 16, 60
Solaris
  32-bit vs. 64-bit, 50
  8 UltraSPARC, SmartConsole nonsupported clients, 49
  configuring VPN-1/FW-1 NG AI on, 114-129
  guidelines for securing OS, 53
  installing VPN-1/FW-1 NG AI on Solaris, 104-129
  startup routing statements, 57
  uninstalling VPN-1/FW-1 NG AI from, 129-138
Solutions Fast Track
  advanced VPN configurations, 546-547
  applying NAT, 279-280
  authenticating users, 315-316
  installing, configuring VPN-1/FW-1 NG, 153-156
  managing policies and logs, 408-409
  NG with AI, introduction, 41-44
  OPSEC and content filtering, 363-366
  securing remote clients, 511-512
  security policy, creating, 253-255
  SmartDefense, 567-568
  tracking and alerts, 430-431
  using the GUI, 213-214
  VPN configurations, 470-471
SonicWall, 437
Spitzner, Lance, 424
spoofing
  address, 559
  anti-spoof configuration status, 552
  IP addresses, 343
SSL (Security Sockets Layer), 8
SSO solutions and UA module, 13-14
standards, security policy, 224
star configuration, VPN, 448-449
starting
  installation wizard, 152
  SecuRemote GUI, 464
  SmartDashboard, 160
state synchronization, 95, 525-528, 547
Stateful ICMP, 183
Stateful Inspection
  configuring, 204
  technology, 9, 30-31
static address translation, configuring, 266-272
static destination rule, 269-270
status alerting, configuring, 211-212
Stealth Rule, 239
subnet calculators, Web sites, 168
subnets, configuring firewall interface with, 56
Sun Solaris OS, 20
SunTone Certified kernel, 111
SurfControl, 331
Suspicious Activities Monitoring (SAM), 321, 342, 415
Suspicious Activities Monitoring Protocol (SAMP), 424-429
SVN Foundation
  and improving performance, 382-383
  installing for Solaris installation, 106
  installing on Nokia, 142-144
  removing, 101
  uninstalling from Solaris installation, 134-137
Symantec, 332
symmetric encryption, 435
SYN attacks, 556-558
sync.conf file, 547
synchronizing
  connections in cluster, 181
  firewalls, 525-528
  state synchronization, 547
SYNDefender, 236
system requirements for VPN-1/FW-1 installation, 49
T
TACACS, configuring, 190
TCP (Transmission Control Protocol)
  and CVP resources, 324
  and FW-1's Inspection Engine, 34-35
  logging options, 416
  resources, content filtering, 359-361
  vulnerabilities, protecting, 556-558
TCP Dump, 257
TCP/IP attacks, 550
TCP/IP properties window, 57-58
TCP service objects, 179-181
TCP Tunneling, 514
TearDrop attack, 553
Telnet
  timeouts, 257
  user authentication, 299
templates for user authentication, 293-297
TACACS (Terminal Access Controller Access Control Server), configuring, 190
testing
  firewalls, 387-388
  security policy, 247
  VPNs, 453-454
.tgz files, 496
time objects, 193
timeouts
  authentication, setting, 295-296, 483
  downloaded policies, 484
  logging, SmartView Tracker resolution, 417
  SYN attack identification, 557
topologies
  gateway clusters, 529
  managing VPN, 469
  network, viewing, 28-29
  remote user configuration, 504-505
  resolving mechanism for VPN configuration, 487
  SmartDefense, configuring, 553
  synchronizing SecuRemote server with client, 466
Topology window, Workstation Properties, 233-234
Track Options, log and alert menu, 415-416
tracking. See monitoring
traffic
  allowed under security policy, 227
  monitoring firewall, 414
  network, reporting on, 10
  routing satellites to gateways, 449
  rule to allow outbound, 264
  rules for incoming, to Web server, 270
  weighting individual types of, 14
training personnel about security policy, 220
Transactional Signatures (TSIGs), 17
translation rule base, 261-264
Transmission Control Protocol. See TCP
Transparent mode, 465, 501, 510
transparent user authentication, 316-317
Trend Micro, 322, 491
Triple Data Encryption Standard (3DES), 9
Trivial File Transfer Protocol (TFTP), 334
troubleshooting
  debugging VPNs, 454-456
  log corruption, 399
  NAT configuration, 282
  slow firewall, 410
  SmartConsole clients on Nokia platforms, 157
  upgrade installation, 68
  URI specification file, 366
tunneling-mode encryption, 437
U
UA module described, using, 13-14, 42
UDP Encapsulation, 458, 503
UDP service objects, 181-182
UFP, enhancing performance, 381
Unicast MAC addresses, 522
Uniform Resource Identifier (URI)
  and CVP resources, 324
  filtering protocol. See URI Filtering Protocol
  for QoS object, 188
  resources, types, using, 344-346
uninstalling
  Check Point VPN-1/FW-1 NG AI from Solaris, 129-138
  management clients (Solaris), 137
  management clients (Windows), 103
  rules from security policy, 248
  SVN Foundation, Solaris platform, 134-137
  SVN Foundation, Windows platform, 101
  VPN-1/FW-1 from Windows, 97-104
Universally Unique Identifier (UUID), 186
UNIX
  hosts file location, 373
  installing firewall on, 54
  resolvable names, 166
  running command line options, 411
  SNMP daemon, 64
UnixInstallScript, 106-107
updates
  managing with SmartUpdate, 205-209
  obtaining latest, 388
  SmartDefense, 550, 565-566, 570
upgrades
  from previous version of VPN-1/FW-1 NG, 67-68
  Zero-Downtime, 528
URI Filtering Protocol
  creating URI resource to use UFP, 334-338
  defining objects, 332-333
  introduction to, 331
  using resources in rules, 338-339
  wildcards, 347-352
user confidentiality and SSL, 8
user accounts
  creating, 292-298
  LDAP authentication, 309-310
User Auth, using in rule base, 317
user authentication
  described, using, 298-303
  transparent, 316
  vs. client authentication, 306, 308-309
User Datagram Protocol (UDP), proxy firewall problems with, 32
user-defined
  alerts, 432
  scripts, writing, 420-424, 431
  service properties, configuring, 185
user groups, creating, 297-298
User Management function, security policy option, 249
User Monitor installation, 63, 78
user profiles
  configuring remote, 499-500
  enabling roaming, 508
UserAuthority, 60, 321
UserAuthority API (UAA), 343
userc.C file, 509
UserCenter, logging in to, 566
users
  defining for authentication, 292-298
  defining on firewall, 192
  forcing to be read-only, 215
  profiles, 499-500, 508
UUID (Universally Unique Identifier), 186
V
verifying security policy, 247
versions of FW-1, earlier
  compatibility settings, 203
  Global Properties settings, 492-493
  upgrading from, 67-68
viewing
  ARPs that firewall is generating, 278
  cluster status, 527
  implied rules, 201-202
  License Repository, 206-207
  log data, 209-210
  modules installed, 212
  option, security policy, 248
virtual IP (VIP), 520
virtual links, configuring, 194
virtual private networks. See VPNs
Virtual Router Redundancy Protocol (VRRP), 520, 544
virus-scanning with CVP, 323
viruses
  See also attacks, worms
  blocking, 367
  blocking Windows File Sharing, 38
Visio (Microsoft), 29
Visitor mode, 514
Visual Policy Editor, integration with Policy Editor, 29
Voice over IP (VoIP) Protocols, 202
Voyager (Nokia), 138
VPN-1 and SecureClient, 9
VPN-1/FireWall-1
  components, integrating, 18-30
  configuring, 404
  defining services with cphaprob command, 523-524
  described, using, 4-8, 42-43
  encryption schemes, 434-441
  evaluation copy of, 46
  firewall module described, 30-37
  fw commands, 404-406, 526
  moving data to another server for validation, 322-331
  Next Generation with Application Intelligence. See NG AI
  NG AI and version 4.1, 7
  SmartDefense update types, 565-566
  synchronization information, 526
  uninstalling from Windows, 97-104
  upgrading from previous version, 67-68
VPN client installation, 61
VPN communities, 448
VPN domains
  described, 440
  overlapping, 534-537, 540-543
VPN Properties, configuring, 450-451
VPN tunnels, maintaining high number of concurrent, 380
VPNs (virtual private networks)
  configuring IKE, 441-453
  configuring remote clients with Packaging Tool, 499-509
  external network considerations, 456
  IP addressing, 56
  IPSec and, 513
  logging and alerts, configuring, 415-416
  managing, 469
  Multiple Entry Point configurations, 533-543
  organizations' use of, 434
  remote access configuration options, 484-495
  Single Entry Point configurations, 528-533
  testing, 453-454
  types of, 439-440
VRRP (Virtual Router Redundancy Protocol), 520, 544
vulnerability assessment tools, 257
W
.W files, 251
WANs. See wide area networks
Watchguard, 437
Web Policy tool, 66
Web servers, configuring static address translation, 266-272
Web sites
  Check Point licenses, 51-52
  creating, 464-467
  GUI SCV editor download, 491
  guidelines for securing OSs, 52-53
  hotfixes download, 389
  Hping2 tool download, 387
  IANA, 183
  OPSEC-certified applications, 7
  OPSEC-certified vendors, 332
  OPSWAT OPSEC-compliant solutions, 432
  OPSWAT products, 491
  subnet calculators, 168
  user-defined alerts guide, 424
  VPN-1/FW-1 evaluation copy, 46
Web Trends Firewall Suite, 341
Websense, 331
webui disable command, 514
WHOIS database, 422
wide area networks (WANs), firewall configurations, 56
wildcards
  URI, 347-352
  valid characters, URI, 366
Windows
  configuring Check Point VPN-1/FW-1 NG AI, 80-97
  configuring firewall interface on, 56
  installing Check Point VPN-1/FW-1 NG AI on, 68-80
  uninstalling Check Point VPN-1/FW-1 NG, 97-104
Windows 2000
  host name resolution, 374
  running command line options, 411
Windows File Sharing, viruses that exploit, 38
Windows NT 4.0
  enabling IP forwarding in, 57-58
  listing firewall processes, 406-407
  name resolution, 374
  running command line options, 411
  and VPN-1/FW-1, 20
WinNT, guidelines for securing, 52-53
wizards
  Check Point installation, 477
  Installation, 70, 152
  InstallShield, 73
  SecureClient software, 495-498
workstations
  installing SecuRemote client software on, 462-464
  NAT and network connections, 261
  properties, Topology window, 233-234
worms, 550
  See also attacks, viruses
  File and Print Sharing Worm Catcher, 564
  HTTP Worm Catcher, 560-561
  Nimda, Code Red, 32