SECURITY ADMINISTRATION
Student & Lab Manual
R80.10
CHECK POINT INFINITY

© 2017 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters: 5 Ha'Solelim Street, Tel Aviv, Israel
U.S. Headquarters: 959 Skyway Road, Suite 300, San Carlos, CA 94070
Technical Support, Education & Professional Services: 6350 Commerce Drive, Suite 120, Irving, TX 75063
E-mail: For questions or comments about our courseware, contact: courseware@checkpoint.com. For questions or comments about other Check Point documentation, email: CP_TechPub_Feedback@checkpoint.com

Document #: DOC-Manual-CCSA-R80.10

Technical Writers: Vanessa Johnson
Content Contributors (beta testing and review): Omar Gonzalez - Soluciones Seguras - Panama; Valerie Leslie - Dimension Data - Switzerland; and other Check Point partners and employees
Special Thanks: Check Point Software Technologies - USA; Arrow ECS - UK
Certification Exam Development
Check Point Technical Publications Team

Table of Contents

Preface: Security Administration
  Course Layout
  Prerequisites
  Certification Title
  Course Chapters and Learning Objectives
  Sample Setup for Labs

Chapter 1: Introduction to Check Point Technology
  Concept of a Firewall
    Open Systems Interconnect Model
    Transmission Control Protocol/Internet Protocol Model
  Controlling Network Traffic
    Packet Filtering
    Stateful Inspection
    Application Layer Firewall
  Introduction to the Gaia Operating System
    Command Line Interface
    Obtaining a Configuration Lock
    WebUI
    Users
    Updates
  Lab 1.1: Working with Gaia Portal
    Reviewing and Configuring Basic Settings in the Gaia Portal
    Defining Roles and Creating Check Point Users
    Working in Expert Mode
    Applying Useful Commands
    Adding and Deleting Administrators via the CLI
    Testing User Role Assignments
  The Check Point Security Management Architecture
    SmartConsole
    Security Management Server
    Security Gateway
    Network Communication
    Secure Internal Communication
  The SmartConsole
    Navigation Pane Overview
    Gateways & Servers Tab
    Security Policies Tab
    Logs & Monitor Tab
    Manage & Settings Tab
    SmartConsole Applications
    SmartEvent (Advanced Events and Reports)
    SmartView Monitor (Tunnel & User Monitoring)
    SmartUpdate
    SmartDashboard
  Lab 1.2: Installing and Touring SmartConsole
    Installing SmartConsole
    Touring SmartConsole
  Deployment Platforms
    Check Point Appliances
    Open Servers
  Deployment Considerations
    Standalone
    Distributed

Chapter 2: Security Policy Management
  Introduction to the Security Policy
    Rules
    Objects
    Security Zones
    Anti-Spoofing
    The Rule Base
    Global Properties
    Sections
    Publish Policy
  Policy Packages
    Policy Types
    Unified Policies
    Shared Policies
    Additional Policy Management Tools
  Install Policy
    Install a Policy Package
  Lab 2.1: Modifying an Existing Security Policy
    Reviewing and Modifying Objects in the Check Point Security Management Architecture
    Editing and Creating Rules for the Rule Base
    Reviewing Existing Security Policy Settings
    Organizing the Rule Base
    Creating a New Host Object
    Defining a New Rule
    Publishing and Managing Revisions
  HTTPS Inspection
    Enabling HTTPS Inspection
    Inspecting HTTPS Traffic
  Lab 2.2: HTTPS Inspection
    Verifying the HTTPS Server Certificate
    Enabling and Testing HTTPS Inspection
    Distributing the Certificate
    Bypassing HTTPS Inspection
  Network Address Translation
    Hide NAT
    Static NAT
    NAT - Global Properties
  Lab 2.3: Configuring Hide and Static Network Address Translation
    Configuring Hide Network Address Translation
    Configuring Static Network Address Translation
    Testing Network Address Translation
  Administration
    Permission Profiles
    Sessions
    Database Revisions
    Concurrent Administration
  Lab 2.4: Managing Administrator Access
    Creating Administrators and Assigning Profiles
    Configuring IPS
    Testing Profile Assignments
    Managing Concurrent Administrator Sessions
    Disconnecting an Administrator Session
    Defining WiFi Access
  Managing Remote Gateways
  Lab 2.5: Installing and Managing a Remote Security Gateway
    Installing Gaia on a Remote Security Gateway
    Configuring the Branch Office Security Gateway with the First Time Configuration Wizard
    Using the Gaia Portal to Configure the Branch Office Security Gateway
    Configuring the Alpha Security Policy to Manage the Remote Security Gateway
    Creating a New Security Policy
  Backups
    Performing Backups
  Lab 2.6: Managing Backups
    Scheduling a Security Management System Backup
    Managing Scheduled Security Gateway Backups
    Performing Backup via CLI
  Review Questions

Chapter 3: Policy Layers
  Policy Layer Concept
    Policy Layers and Sub-Policies
    Managing Layers
  Lab 3.1: Defining Access Control Policy Layers
    Assigning Layers to an Existing Security Policy
    Confirming the Installation Target Gateway
  Access Control Policy Layers
    Network Policy Layer
    Application Control Policy Layer
    Creating an Application Control Policy
    Content Awareness
    Creating a Content Awareness Policy
  Lab 3.2: Implementing Application Control and URL Filtering
    Configuring the Application Control & URL Filtering Rule Base
    Creating a Rule to Block an Application
    Reviewing Dropped Traffic
  Threat Prevention Policy Layers
  Layers and Policy Packages
  Lab 3.3: Defining and Sharing Security Policy Layers
    Adding an Ordered Policy Layer
    Configuring the Content Awareness Policy Layer
    Sharing a Policy Layer
    Testing the Content Awareness Layer
    Configuring an Inline Layer
  Review Questions

Chapter 4: Check Point Security Solutions and Licensing
  Check Point Software Blade Architecture
    Security Gateway Software Blades
    Advanced Threat Prevention Software Blades
    Management Software Blades for Policy Management
    Management Software Blades for Monitoring Analysis
    Management Software Blades for Operations and Workflow
    Endpoint Software Blades
    Software Blade Packages
  Licensing Overview
    Components of a License
    Perpetual versus Subscription Blade Licenses
    Central and Local Licenses
    License Activation
    Hardware Licenses
  SmartUpdate
    SmartUpdate Architecture
    Using SmartUpdate
    Package Repository
  Managing Licenses
    Add and Install Licenses
    Attaching and Detaching Licenses
    New Licenses
    View License Properties
    Export a License
    License Status
    License Reports
    Service Contracts
  Lab 4.1: Activating the Compliance Software Blade
    Activating the Compliance Software Blade
  Lab 4.2: Working with Licenses and Contracts
    Verifying the Status of Existing Licenses in SmartConsole
    Importing Licenses
    Attaching Licenses
    Verifying the Status of Existing Licenses in the Gaia Portal
  Review Questions

Chapter 5: Traffic Visibility
  Analyzing Logs
    Collecting Information
    Deploy Logging
    Configure Logging
    SmartConsole Logs View
    Tracking Rules
    Examining Logs
    Pre-defined Log Queries
    Query Language Overview
  Lab 5.1: Working with Check Point Logs
    Viewing Logs and Log Search Results
  Monitoring Traffic and Connections
    SmartView Monitor and SmartConsole
    Monitoring and Handling Alerts
    Monitoring Suspicious Activity Rules
    Monitoring Gateway Status
    Users View
    System Counters View
    Tunnels View
    Cooperative Enforcement View
    Traffic View
  Lab 5.2: Maintaining Check Point Logs
    Scheduling Log Maintenance
  Review Questions

Chapter 6: Basic Concepts of VPN
  Introduction to VPN
    IPSec VPN
    VPN Components
    VPN Deployments
    Site-to-Site VPN Deployment
    Remote Access VPN Deployment
  VPN Communities
    Meshed VPN Community
    Star VPN Community
    Combination VPN Communities
    Remote Access VPN Community Object
  Access Control for VPN Connections
    Allow All Connections
    Allow All Site-to-Site VPN Connections
    Allow Specific VPN Communities
    Site-to-Site Communities - Allow All Encrypted Traffic
  Tunnel Management and Monitoring
    Permanent VPN Tunnels
    Tunnel Testing
    Monitoring VPN Tunnels
  Lab 6.1: Configuring a Site-to-Site VPN Between Alpha and Bravo
    Defining the VPN Domain
    Creating the VPN Community
    Creating the VPN Rule and Modifying the Rule Base
    Testing the VPN
  Review Questions

Chapter 7: Managing User Access
  Overview of User Management Components
    User Directory
    Identity Awareness
    Active Directory (AD) Query
    Browser-Based Authentication
    Terminal Server Identity Agents
    Endpoint Identity Agents
    RADIUS
    Remote Access
    How to Choose an Identity Source
  Managing Users
    SmartConsole and User Database
    LDAP and User Directory
  Authenticating Users
    Authentication Schemes
  Managing User Access
    Access Roles
    Rule Base
    Captive Portal for Guest Access
  Lab 7.1: Providing User Access
    Configuring the Security Policy for Identity Awareness
    Defining the User Access Role
    Testing Identity Awareness Connection
    Controlling Tablet Access Through Captive Portal (Optional)
  Review Questions

Chapter 8: Working with ClusterXL
  Overview of ClusterXL
    ClusterXL Deployments
    High Availability Deployment
    Failovers
    Performing a Manual Failover
    Synchronizing Cluster Connections
    Securing the Sync Interface
    Clock Synchronization
  Monitoring a Cluster
    SmartView Monitor
  Lab 8.1: Working with ClusterXL
    Reviewing High Availability Settings
    Configuring FTP Access
    Testing High Availability
  Review Questions

Chapter 9: Administrator Task Implementation
  Compliance Software Blade
    Best Practices
    Best Practice Tests
    Continuous Compliance Monitoring
    Corrective Action
  Lab 9.1: Verifying Network Compliance
    Identifying Inactive Objects
    Reviewing a Compliance Scan Report
  CPView User Interface
    Using CPView
  Lab 9.2: Working with CPView
    Reviewing Statistics in CPView
    Changing the Refresh Rate of CPView
    Viewing Historical Data in CPView

Appendix A: Questions and Answers
  Chapter 1: Introduction to Check Point Technology
  Chapter 2: Security Policy Management
  Chapter 3: Policy Layers
  Chapter 4: Check Point Security Solutions and Licensing
  Chapter 5: Traffic Visibility
  Chapter 6: Basic Concepts of VPN
  Chapter 7: Managing User Access
  Chapter 8: Working with ClusterXL
  Chapter 9: Administrator Task Implementation

Security Administration

Welcome to the Security Administration course. This course provides an understanding of the basic concepts and skills necessary to configure Check Point Security Gateway and Management Software Blades. During this course, you will configure a Security Policy and learn about managing and monitoring a secure network. In addition, you will upgrade and configure a Security Gateway to implement a Virtual Private Network (VPN) for both internal and external remote users.

Preface Outline
+ Course layout
+ Prerequisites
+ Certificate title
+ Course chapters and learning objectives
+ Sample setup for labs

Course Layout

This course is designed for Security Administrators, Check Point resellers, and those who are working towards their Check Point Certified Cyber Security Administrator (CCSA) certification.
The following professionals benefit most from this course:
+ System Administrators
+ Support Analysts
+ Network Engineers

Prerequisites

Before taking this course, we strongly suggest you have the following knowledge base:
+ General knowledge of TCP/IP
+ Working knowledge of Windows and/or UNIX
+ Working knowledge of network technology
+ Working knowledge of the Internet

Certification Title

The current Check Point Certified Cyber Security Administrator (CCSA) certification is designed for partners and customers seeking to validate their knowledge of Check Point's Software Blade products.

Course Chapters and Learning Objectives

Chapter 1: Introduction to Check Point Technology
+ Interpret the concept of a Firewall and understand the mechanisms used for controlling network traffic.
+ Describe the key elements of Check Point's unified Security Management Architecture.
+ Recognize SmartConsole features, functions, and tools.
+ Understand Check Point deployment options.
+ Describe the basic functions of the Gaia operating system.

Chapter 2: Security Policy Management
+ Describe the essential elements of a Security Policy.
+ Understand how traffic inspection takes place in a unified Security Policy.
+ Summarize how administration roles and permissions assist in managing policy.
+ Recall how to implement Check Point backup techniques.

Chapter 3: Policy Layers
+ Understand the Check Point policy layer concept.
+ Recognize how policy layers affect traffic inspection.

Chapter 4: Check Point Security Solutions and Licensing
+ Recognize Check Point security solutions and products and how they work to protect your network.
+ Understand licensing and contract requirements for Check Point security products.

Chapter 5: Traffic Visibility
+ Identify tools designed to monitor data, determine threats, and recognize opportunities for performance improvements.
+ Identify tools designed to respond quickly and efficiently to changes in gateways, tunnels, remote users, traffic flow patterns, and other security activities.

Chapter 6: Basic Concepts of VPN
+ Understand Site-to-Site and Remote Access VPN deployments and communities.
+ Understand how to analyze and interpret VPN tunnel traffic.

Chapter 7: Managing User Access
+ Recognize how to define users and user groups.
+ Understand how to manage user access for internal and external users.

Chapter 8: Working with ClusterXL
+ Understand the basic concepts of ClusterXL technology and its advantages.

Chapter 9: Administrator Task Implementation
+ Understand how to perform periodic administrator tasks as specified in administrator job descriptions.

Sample Setup for Labs

Most lab exercises will require you to manipulate machines in your network; other labs will require interaction with the instructor's machines.

Figure 1: CCSA Lab Topology (Check Point R80.10 CCSA lab topology diagram)

Chapter 1: Introduction to Check Point Technology

Check Point technology addresses network deployments and security threats while providing administrative flexibility and accessibility. To accomplish this, Check Point uses a unified Security Management Architecture and the Check Point Firewall. These Check Point features are further enhanced with the SmartConsole interface and the Gaia operating system. The following chapter provides a basic understanding of these features and enhancements.

Learning Objectives
+ Interpret the concept of a Firewall and understand the mechanisms used for controlling network traffic.
+ Describe the key elements of Check Point's unified Security Management Architecture.
+ Recognize SmartConsole features, functions, and tools.
+ Understand Check Point deployment options.
+ Describe the basic functions of the Gaia operating system.
Concept of a Firewall

Firewalls are the core of a strong network Security Policy. They control the traffic between internal and external networks. Firewalls can be hardware, software, or a combination of both and are configured to meet an organization's security needs. When connecting to the Internet, protecting the network against intrusion is of critical importance. The most effective way to secure the Internet link is to put a Firewall system between the local network and the Internet. The Firewall ensures that all communication between an organization's network and the Internet conforms to the organization's Security Policy.

Open Systems Interconnect Model

To understand the concept of a basic Firewall, it is beneficial to examine the aspects of the Open Systems Interconnect (OSI) Model. The OSI Model demonstrates network communication between computer systems and network devices, such as Security Gateways. It governs how network hardware and software work together and illustrates how different protocols fit together. It can be used as a guide for implementing network standards.

The OSI Model is comprised of seven layers. The bottom four layers govern the establishment of a connection and how the packet will be transmitted. The top three layers of the model determine how end user applications communicate and work. The Check Point Firewall kernel module inspects packets between the Data Link and Network layers. Depending on the traffic flow and service, inspection may transcend multiple layers.

Figure 2: OSI Model (Layer 1 - Physical through Layer 7 - Application)
The OSI Model layers are described as follows:

+ Layer 1 — Represents physical communication links or media and the required hardware, such as Ethernet cards, DSL modems, cables, and hubs.
+ Layer 2 — Represents where network traffic is delivered to the Local Area Network (LAN); this is where identification of a single specific machine takes place. Media Access Control (MAC) addresses are assigned to network interfaces by the manufacturers. An Ethernet address belonging to an Ethernet card is a layer 2 MAC address. An example of a physical device performing in this layer would be a switch.
+ Layer 3 — Represents where delivery of network traffic on the Internet takes place; addressing in this layer is referred to as Internet Protocol (IP) addressing and creates unique addresses, except when NAT is employed. NAT makes it possible to address multiple physical systems by a single layer 3 IP address. An example of a physical device performing in this layer would be a router.
+ Layer 4 — Represents where specific network applications and communication sessions are identified; multiple layer 4 sessions may occur simultaneously on any given system with other systems on the same network. Layer 4 is responsible for flow control of data transferring between end systems. This layer introduces the concept of ports, or endpoints.
+ Layer 5 — Represents where connections between applications are established, maintained, and terminated. This layer sets up the communication through the network. The Session layer allows devices to establish and manage sessions. A session is the persistent logical linking of two software application processes.
+ Layer 6 — Represents where data is converted into a standard format that the other layers can understand. This layer formats and encrypts data to be sent across the network. The Presentation layer is responsible for presenting the data. It defines the format for data conversion.
  Encoding and decoding capabilities allow for communication between dissimilar systems.
+ Layer 7 — Represents end user applications and systems. Application protocols are defined at this level and are used to implement specific user applications and other high-level functions. Hyper Text Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) are examples of application protocols. It is important to understand that usually the Application layer is a part of the operating system and not necessarily a part of the application in use.

NOTE: Distinctions among layers 5, 6, and 7 are not always clear. Some models combine these layers.

The more layers a Firewall is capable of covering, the more thorough and effective the Firewall. Advanced applications and protocols can be accommodated more efficiently with additional layer coverage. In addition, advanced Firewalls, such as Check Point's Security Gateways, can provide services that are specifically oriented to the user, such as authentication techniques and logging events of specific users.

Transmission Control Protocol/Internet Protocol Model

The Transmission Control Protocol/Internet Protocol (TCP/IP) Model is a suite of protocols which work together to connect hosts and networks to the Internet. Whereas the OSI Model conceptualizes and standardizes how networks should work, TCP/IP actually serves as the industry-standard networking method that a computer uses to access the Internet. TCP protocols support communications between any two different systems in the form of a client-server architecture. The model name is based on its two most dominant protocols, but the suite consists of many additional protocols and a host of applications. Each protocol resides in a different layer of the TCP/IP Model.

The TCP/IP Model consists of four core layers that are responsible for its overall operation: Network Interface layer, Internet layer, Transport layer, and Application layer.
Each layer corresponds to one or more layers of the OSI Model. These core layers support many protocols and applications.

Figure 3: TCP/IP Model (Application Layer, Transport Layer, Internet Layer, Network Interface Layer)

The TCP/IP Model layers are described as follows:

+ Network Interface layer — Corresponds to the Physical and Data Link layers of the OSI Model. It deals with all aspects of the physical components of network connectivity, connects with different network types, and is independent of any specific network media.
+ Internet layer — Manages the routing of data between networks. The main protocol of this layer is IP, which handles IP addressing, routing, and packaging functions. IP tells the packet where to go and how to get there. The packets are transported as datagrams, which allow the data to travel along different routes to reach its destination. Each destination has a unique IP address assigned. The Internet layer corresponds to the Network layer of the OSI Model.
+ Transport layer — Manages the flow of data between two hosts to ensure that the packets are correctly assembled and delivered to the targeted application. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are the core protocols of the Transport layer. TCP ensures reliable transmission of data across connected networks by acknowledging received packets and verifying that data is not lost during transmission. UDP also manages the flow of data; however, data verification is not as reliable as TCP. The Transport layer corresponds to the Transport layer of the OSI Model.
+ Application layer — Encompasses the responsibilities of the Session, Presentation, and Application layers of the OSI Model. It defines the protocols that are used to exchange data between networks and how host programs interact with the Transport layer.
  The Application layer allows the end user to access the targeted network's application or service.

Controlling Network Traffic

Managing Firewalls and monitoring network traffic is the key role of a network Security Administrator. Effectively controlling network traffic helps improve overall network performance and organizational security. The Firewall, or the Security Gateway with a Firewall enabled, will deny or permit traffic based on rules defined in the Security Policy. The following technologies are used to deny or permit network traffic:

+ Packet Filtering
+ Stateful Inspection
+ Application Layer Firewall

Packet Filtering

Packet Filtering is the process by which traffic is broken down into packets. Basically, messages are broken down into packets that include the following elements:

+ Source address
+ Destination address
+ Source port
+ Destination port
+ Protocol

Figure 4: Packet Filtering (pros: application independence, high performance; cons: low security, no screening above the Network layer)

Packet Filtering is the most basic form of a Firewall. Its primary purpose is to control access to specific network segments as directed by a preconfigured set of rules, or Rule Base, which defines the traffic permitted access. Packet Filtering usually functions in the Network and Transport layers of the network architecture. Packets are individually transmitted to their destination through various routes. Once the packets have reached their destination, they are recompiled into the original message.

Stateful Inspection

Stateful Inspection analyzes a packet's source and destination addresses, source and destination ports, protocol, and content.
With Stateful Inspection, the state of the connection is monitored and state tables are created to compile the information. State tables hold useful information in regards to monitoring performance through a Security Gateway. As a result, filtering includes content that has been established by previous packets passed through the Firewall. For example, Stateful Inspection provides a security measure against port scanning by closing all ports until the specific port is requested.

Figure 5: Stateful Inspection (pros: good security, full Application layer awareness, high performance, transparency)

Check Point's INSPECT Engine, which is installed on a Security Gateway, is used to extract state related information for the packets and store that information in state tables. State tables are key components of the Stateful Inspection technology because they are vital in maintaining the state information needed to correctly inspect packets. When new packets arrive, their contents are compared to the state tables to determine whether they are denied or permitted.

NOTE: Stateful Inspection technology was developed and patented by Check Point. State tables are covered in more detail in the CCSE course.

Stateful Inspection versus Packet Filtering

Stateful Inspection differs from Packet Filtering in that it deeply examines a packet not only in its header, but also the content of the packet up through the Application layer, to determine more about the packet than just information about its source and destination. In addition, Packet Filtering requires creating two rules for each user or computer that needs to access resources.
For example, if a computer with IP address 10.1.1.201 needs to access 8.8.8.8 on the Internet for DNS, an outgoing request rule is needed for connecting to the server on the Internet and a second rule is required for the incoming reply for the same connection. The creation of Stateful Inspection eliminated the need for two rules. The Firewall remembers each reply for an existing request using the state tables. Therefore, only one rule is required for each connection.

Application Layer Firewall

Many attacks are aimed at exploiting a network through network applications, rather than directly targeting the Firewall. Application Layer Firewalls operate at the Application layer of the TCP/IP protocol stack to detect and prevent attacks against specific applications and services. They provide granular level filtering, Antivirus scanning, and access control for network applications, such as email, FTP, and HTTP. These Firewalls may have proxy servers or specialized application software added.

Application Layer Firewalls inspect traffic through the lower layers of the TCP/IP model and up to and including the Application layer. They are usually implemented through software running on a host or stand-alone network hardware and are used in conjunction with Packet Filtering. Since Application Layer Firewalls are application-aware, they can look into individual sessions and decide to drop a packet based on information in the application protocol. The Firewalls deeply inspect traffic content and apply allow or block access rules per session or connection instead of filtering connections per port like Packet Filtering. Packets are inspected to ensure the validity of the content and to prevent embedded exploits. For example, an Application Layer Firewall may block access to certain website content or software containing viruses. The extent of filtering is based on the rules defined in the network Security Policy.
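The three technologies contrasted above, run on the chapter's own 10.1.1.201-to-8.8.8.8 DNS scenario as an added Python model (this is not code from the manual or from Check Point): Packet Filtering needs a rule per direction and lets in any packet that looks like a reply, Stateful Inspection needs one rule and admits only replies recorded in its state table, and the Application Layer Firewall additionally parses the DNS payload. The rule set, the port numbers, and the blocked.example domain are constructed for the demo.

```python
"""Toy model of the three traffic-control technologies the chapter contrasts.
Added example, not code from the Check Point manual. The DNS scenario
(10.1.1.201 querying 8.8.8.8) is the chapter's own; all other packet values,
the rules and the blocked domain are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "udp"
    payload: bytes = b""


# Packet Filtering is stateless, so the reply needs a rule of its own. A rule is
# a dict of header fields; a field that is absent from the rule matches anything.
PACKET_FILTER_RULES = [
    {"src": "10.1.1.201", "dst": "8.8.8.8", "dport": 53, "proto": "udp"},  # request
    {"src": "8.8.8.8", "sport": 53, "dst": "10.1.1.201", "proto": "udp"},  # reply
]


def packet_filter(pkt: Packet, rules) -> str:
    """Accept the packet if any rule matches its header fields, otherwise drop."""
    for rule in rules:
        if all(getattr(pkt, name) == value for name, value in rule.items()):
            return "accept"
    return "drop"


class StatefulFirewall:
    """One rule per connection: replies are matched against the state table."""

    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # 5-tuples of connections accepted by a rule

    def inspect(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.state:
            return "accept"  # reply to a request the Firewall remembers
        if packet_filter(pkt, self.rules) == "accept":
            self.state.add(key)  # remember the request so only its reply gets in
            return "accept"
        return "drop"  # no rule and no state: the port stays closed


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS A-record query in RFC 1035 wire format."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = txid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
    return header + labels + b"\x00" + b"\x00\x01\x00\x01"


def dns_query_name(payload: bytes):
    """Return the queried name from a DNS query, or None if it is malformed."""
    pos, parts = 12, []  # the question section follows the 12-byte header
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(parts) if parts else None
        if length > 63 or pos + length > len(payload):
            return None  # bad label length: refuse to guess at the content
        parts.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None


class ApplicationLayerFirewall(StatefulFirewall):
    """Stateful rules plus a content check on the application protocol (DNS)."""

    def __init__(self, rules, blocked_domains):
        super().__init__(rules)
        self.blocked = set(blocked_domains)

    def inspect(self, pkt: Packet) -> str:
        verdict = super().inspect(pkt)
        if verdict == "accept" and pkt.dport == 53:
            name = dns_query_name(pkt.payload)
            if name is None or name in self.blocked:
                # Drop the query and forget its state so the reply is not let in.
                self.state.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return "drop"
        return verdict


def run_scenario():
    """Verdicts of each technology on the same constructed packet stream."""
    query = Packet("10.1.1.201", "8.8.8.8", 40000, 53,
                   payload=build_dns_query("example.com"))
    reply = Packet("8.8.8.8", "10.1.1.201", 53, 40000)
    unsolicited = Packet("8.8.8.8", "10.1.1.201", 53, 40001)  # nobody asked for it
    blocked = Packet("10.1.1.201", "8.8.8.8", 40002, 53,
                     payload=build_dns_query("blocked.example"))
    stream = [query, reply, unsolicited, blocked]
    stateful = StatefulFirewall(PACKET_FILTER_RULES[:1])  # request rule only
    app_fw = ApplicationLayerFirewall(PACKET_FILTER_RULES[:1], ["blocked.example"])
    return {
        "packet_filter": [packet_filter(p, PACKET_FILTER_RULES) for p in stream],
        "stateful": [stateful.inspect(p) for p in stream],
        "application": [app_fw.inspect(p) for p in stream],
    }
```

The third packet is the port-scanning case from the text: the two-rule packet filter accepts anything that arrives from 8.8.8.8 port 53, while the stateful and application-layer models drop it because no request created state for port 40001.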
Application Layer Firewalls are often referred to as Next-Generation Firewalls because they include the traditional functions of Packet Filtering and Stateful Inspection.

Figure 6: Protocol Examples (sample protocols mapped to the OSI Model layers and the TCP/IP Model layers)

Introduction to the Gaia Operating System

Gaia is Check Point's operating system for all Check Point appliances and open servers. It supports the full portfolio of Check Point Software Blade, gateway, and Security Management products. It also supports:

+ IPv4 and IPv6 network protocols
+ High connection and virtual capacity (64-bit)
+ Load Sharing
+ High Availability
+ Dynamic and Multicast routing

Gaia can be configured via the Command Line Interface (CLI) or WebUI. For CLI-inclined administrators, a shell-emulator pop-up window makes the Gaia CLI more intuitive to use. The intuitive WebUI delivers a seamless user experience for Security Administrators by integrating all management functions into a Web-based dashboard accessible via most popular Web browsers. The built-in search navigation delivers instant results on commands and properties.

Command Line Interface

Gaia utilizes an easy-to-use Command Line Interface (CLI) for the execution of various commands that are structured using the same syntactic rules. The CLI can be used via SSH or a web browser. An enhanced help system and auto-completion further simplify user operation. The default shell of the CLI is called Clish. Clish is a restrictive shell and does not provide access to advanced system and Linux functions. Expert mode allows advanced system and Linux function access to the system, including the file system. To use the expert shell, run the expert command. A password for expert mode must be set prior to running the shell. To exit the expert shell and return to Clish, run the exit command.
Figure 7: Clish and Expert Shells

Commands and Features

Gaia commands are organized into groups of related commands and have the following syntax:

    operation feature parameter

Table 1: CLI Operations and Descriptions

    Operation   Description
    set         Set a value in the system.
    show        Show a value or values from the system.
    delete      Delete a value from the system.
    add         Add a value to the system.
    save        Save the configuration changes made since the last save operation.
    reboot      Restart the system.
    halt        Turn the computer off.
    quit        Exit the CLI.
    exit        Exit the shell.
    start       Start a transaction: Put the CLI into transaction mode. All changes made using commands in transaction mode are applied at once or none of the changes are applied, based on the way transaction mode is terminated.
    commit      End a transaction by committing changes.
    expert      Enter the expert shell.
    ver         Show the version of the active Gaia image.
    help        Retrieve help on navigating the CLI and some useful commands.

To view all commands that the user is permitted to run:

    show commands

To view a list of all features:

    show commands feature

To show all commands for a specific feature:

    show commands feature VALUE

To show all possible operations:

    show commands op

To show all commands per operation, per feature:

    show commands [op VALUE] [feature VALUE]

To show how long the system has been running:

    show uptime

To show the full system version information:

    show version all

To show version information for operating system components:

    show version os build
    show version os edition
    show version os kernel

To show the name of the installed product:

    show version product

Table 2: System Information Parameters and Descriptions

    Parameter    Description
    all          Show all system information.
    os build     Display the Gaia build number.
    os edition   Display the Gaia edition (32-bit or 64-bit).
    os kernel    Display the Gaia kernel build number.
    product      Display the Gaia version.

Command Completion

In order to save time, Gaia offers the ability to automatically complete a command using a few keyboard buttons.

Table 3: Keyboard Buttons and Descriptions

    Keyboard Button     Description
    TAB                 Complete or fetch the keyword.
    SPACE+TAB           Show the arguments that the command for that feature accepts.
    ESC ESC             Display possible command completion options.
    ?                   Retrieve help on a feature or keyword.
    Up/Down arrows      Browse the command history.
    Left/Right arrows   Edit the command.
    Enter               Run a command string. The cursor does not have to be at the end of the line.

User-Defined and Extended Commands

User-defined and extended commands are managed in Clish. Role-based administration can be used with extended commands by assigning those commands to roles and then assigning those roles to users or user groups.

Table 4: Extended Command Parameters and Descriptions

    Parameter     Description
    name          Name of the extended command.
    path          Path of the extended command.
    description   Description of the extended command.

To show all extended commands:

    show extended commands

To show the path and description of a specified extended command:

    show command VALUE

To add an extended command:

    add command VALUE path VALUE description VALUE

To delete an extended command:

    delete command VALUE

Commonly Used Commands

As an administrator, there are additional commands that you may frequently use in your role. Many of these commands will be introduced throughout this course. Here are a few commonly used Firewall commands.

To display the version of Check Point software installed on a gateway, enter the following command in the Clish shell:

    fw ver

To display the name of the Security Policy installed on a gateway:

    fw stat

To display interface information:

    fw getifs

Obtaining a Configuration Lock

Only one user can have Read/Write access to Gaia configuration settings at a time. All other users can only log in with Read-Only access to view configuration settings, as specified by their assigned roles. For example, AdminA logs in and no other user has Read/Write access. AdminA receives an exclusive configuration lock with Read/Write access. If AdminA logs in and AdminB already has the configuration lock, AdminA has the option to override AdminB's lock. If AdminA decides to override the lock, AdminB stays logged in but will have Read-Only access. If AdminA decides not to override the lock, they will only be granted Read-Only access.

To further illustrate, AdminA can run the lock database override command to obtain the configuration lock from AdminB and gain Read/Write access. Alternately, AdminB, who has Read/Write access, can run unlock database to release the configuration lock. In this instance, the configuration lock can be obtained by AdminA.
NOTE: The administrator whose Read/Write access is revoked does not receive notification.

WebUI

The WebUI is an advanced, web-based interface used to configure Gaia platforms. It provides clientless access to the Gaia CLI directly from a browser. A majority of system configuration tasks can be done through the WebUI. To access the WebUI, navigate to https://<IP address of the Gaia device>. Log in with a user name and password. The following browsers support the WebUI:

• Internet Explorer
• Firefox
• Chrome
• Safari

The WebUI operates in the following two modes:

• Basic — Shows only basic configuration options.
• Advanced — Shows all configuration options.

Figure 8: WebUI

System Overview Page

The System Overview page displays an overview of the system in various widgets. These widgets can be added or removed from the page, moved around the page, and minimized or expanded. The following widgets are available:

• System Overview — Provides system information, including the installed product, product version number, kernel build, product build, edition (32-bit or 64-bit), platform on which Gaia is installed, and computer serial number (if applicable).
• Blades — Displays a list of installed Software Blades. Those that are enabled are colored. Those that are not enabled are grayed out.
• Network Configuration — Displays interfaces, their statuses, and IP addresses.
• Memory Monitor — Provides a graphical display of memory usage.
• CPU Monitor — Provides a graphical display of CPU usage.

Navigation Tree

The Navigation tree is used to select a page within the WebUI. Pages are arranged in logical feature groups. There are two viewing modes:

• Basic — Shows some standard pages.
• Advanced (Default) — Shows all pages.

To change the view mode, click View Mode and select a mode from the list. To hide the Navigation tree, click the Hide icon.

Toolbar

The toolbar displays whether the user has Read/Write access or is in Read-Only mode. It is also used to open the Terminal (Console) accessory for CLI commands and open the Scratch Pad accessory, which is used for writing notes.

NOTE: The Scratch Pad accessories are available in Read/Write mode only.
Search Tool

The Search tool is used to find an applicable configuration page by entering a keyword, which can be a feature, a configuration parameter, or a word related to a configuration page.

Status Bar

The Status bar displays the result of the last configuration operation. To view a history of configuration operations during the current session, click the Expand icon.

Configuration Tab

Under the Configuration tab, a user may view and configure parameters for Gaia features and settings groups. The parameters are organized into functional settings groups in the navigation tree.

NOTE: Read/Write access is required to configure parameters for a settings group.

Monitoring Tab

The Monitoring tab allows a user to view the status and detailed operational statistics, in real time, for some routing and High Availability settings groups. This ability is useful for monitoring dynamic routing and VRRP cluster performance.

Configuration Lock

To override a configuration lock in the WebUI, click the small lock icon in the toolbar. The pencil icon, which indicates Read/Write access is enabled, will replace the lock icon.

NOTE: Only users with Read/Write access can override a configuration lock.

Users

The WebUI and CLI can be used to manage user accounts and perform the following actions:

• Add users to your Gaia system.
• Edit the home directory of the user.
• Edit the default shell for a user.
• Assign a password to a user.
• Assign privileges to users.

Figure 9: WebUI Users Page

There are two default users that cannot be deleted. The Admin has full Read/Write access for all Gaia features. This user has a User ID of 0 and therefore has all of the privileges of a root user. The Monitor has Read-Only access for all features in the WebUI and the CLI and can change their own password. An Admin must provide a password for the Monitor before the Monitor user account can be used.
New users have Read-Only privileges to the WebUI and CLI by default. They must be assigned one or more roles before they can log in.

NOTE: Permissions can be assigned to all Gaia features or a subset of the features without assigning a user ID of 0. If a user ID of 0 is assigned to a user account (this can only be done in the CLI), the user is equivalent to the Admin user and the roles assigned to that user cannot be modified.

Roles and Role-based Administration

Role-based administration enables Gaia administrators to create different roles. Administrators can allow users to access features by adding those functions to the user's role definition. Each role can include a combination of Read/Write access to some features, Read-Only access to other features, and no access to other features.

Figure 10: WebUI Roles Page

When a user is created, pre-defined roles, or privileges, are assigned to the user. For example, a user with Read/Write access to the Users feature can change the password of another user or an Admin user. It is also possible to specify which access mechanisms, the WebUI or CLI, are available to the user.

When users log in to the WebUI, they see only those features for which they have Read-Only or Read/Write access. If they have Read-Only access to a feature, they can see the settings pages but cannot change the settings.

Configure Roles in the WebUI

Roles are defined on the Roles page of the WebUI. To add a new role or change an existing role:

1. Select User Management > Roles in the WebUI navigation tree.
2. To add a new role, click Add and enter a Role Name.
   The role name can be a combination of letters, numbers, and the underscore (_) character, but must start with a letter. To change permissions for an existing role, double-click the role.
3. In the Add or Edit Role window, click a feature (Features tab) or extended command (Extended Commands tab).
4. Select None, Read-Only, or Read/Write from the options menu to the left of the feature or command.

Figure 11: WebUI Add Role Window

To assign users to a role:

1. Select User Management > Roles in the WebUI navigation tree.
2. Click Assign Members.
3. In the Assign Members to Role window:
   • Double-click a user in the Available Users list to add that user to the role.
   • Double-click a user in the Users with Role list to remove that user from the role.

Configure Roles in the CLI

To add role definitions:

    add rba role <Role Name> domain-type System readonly-features <List of features> readwrite-features <List of features>

To delete role definitions:

    delete rba role <Role Name>
    delete rba role <Role Name> readonly-features <List of features> readwrite-features <List of features>

To add users to existing roles:

    add rba user <User Name> roles <List of roles>

To remove users from existing roles:

    delete rba user <User Name> roles <List of roles>

To add access mechanism (WebUI or CLI) permissions for a specified user:

    add rba user <User Name> access-mechanisms [Web-UI | CLI]

Table 5: User and Role Parameters and Descriptions

    Parameter            Description
    Role                 Role name as a character string that contains letters, numbers, or the underscore (_) character.
    Domain-type          Reserved for future use.
    readonly-features    Comma separated list of Gaia features that have Read-Only permissions in the specified role. You can add Read-Only and Read/Write feature lists in the same command.
    readwrite-features   Comma separated list of Gaia features that have Read/Write permissions in the specified role. You can add Read-Only and Read/Write feature lists in the same command.
    user                 User to which access mechanism permissions and roles are assigned.
    roles                Comma separated list of role names that are assigned to or removed from the specified user.
    access-mechanisms    Defines the access mechanisms that users can work with to manage Gaia. You can only specify one access mechanism at a time with this command.

For example:

    add rba role NewRole domain-type System readonly-features vpn,ospf,rba readwrite-features tag
    add rba user Paul access-mechanisms CLI,Web-UI
    add rba user Daly roles NewRole,adminRole
    delete rba role NewRole
    delete rba user Daly roles adminRole

Updates

Gaia provides the ability to directly receive updates for licensed Check Point products. With the Check Point Upgrade Service Engine (CPUSE), you can automatically update Check Point products for the Gaia operating system and the Gaia operating system itself. Updates can be downloaded automatically, manually, or periodically and installed manually or periodically.

Figure 12: Gaia Software Updates Policy Page

Hotfixes are downloaded and installed automatically by default; however, full installation and upgrade packages must be installed manually. Email notifications are sent for newly available updates, downloads, and installations. Updates are discussed in greater detail in the CCSE course.

Lab 1.1: Working with Gaia Portal

The Check Point Security Management Architecture

The Check Point Security Management Architecture is an object-oriented architecture that uses graphical representations of real-world entities, such as users and gateways. These entities are configured, managed, and monitored through a single management console which provides the flexibility needed for organizations of all shapes and sizes to manage and secure their network.
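Returning to the add rba role and add rba user commands shown above in Configure Roles in the CLI: they lend themselves to being generated and reviewed from one definition rather than typed by hand. The script below is an added example for this page, not Check Point's code or the manual's. It relies only on the command syntax and the role-name rule given in the section; the feature names (vpn, ospf, route, user), role names and user names are constructed. One point is an assumption rather than documented Gaia behaviour: when a user holds several roles that grant different levels on the same feature, the script treats the most permissive level as the effective one. Confirm that on your own system before using the output for an access review.

```python
"""Generate and review Gaia role-based administration (RBA) commands.
Added example; feature, role and user names are constructed, and the
most-permissive-role-wins resolution in effective_access() is an ASSUMPTION."""
import re

# Role name rule from the text: letters, digits and underscore, starting with a letter.
ROLE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
LEVEL = {"none": 0, "ro": 1, "rw": 2}

# Constructed role definitions and user-to-role assignments.
ROLES = {
    "NetOps":    {"readonly": ("vpn", "ospf"), "readwrite": ("route",)},
    "UserAdmin": {"readonly": (),              "readwrite": ("user",)},
    "Auditor":   {"readonly": ("vpn", "ospf", "route", "user"), "readwrite": ()},
}
USERS = {"paul": ("NetOps",), "dan": ("NetOps", "UserAdmin"), "eve": ("Auditor",)}


def valid_role_name(name):
    return bool(ROLE_NAME.match(name))


def add_role_command(name, readonly=(), readwrite=()):
    """Render 'add rba role ...' from a role definition, refusing names Gaia
    would reject and (a sanity check added here) a feature listed at both levels."""
    if not valid_role_name(name):
        raise ValueError(f"invalid role name: {name!r}")
    both = sorted(set(readonly) & set(readwrite))
    if both:
        raise ValueError(f"feature listed as both Read-Only and Read/Write: {both}")
    cmd = f"add rba role {name} domain-type System"
    if readonly:
        cmd += " readonly-features " + ",".join(readonly)
    if readwrite:
        cmd += " readwrite-features " + ",".join(readwrite)
    return cmd


def add_user_roles_command(user, roles, defined=ROLES):
    """Render 'add rba user ... roles ...', refusing roles that were never defined."""
    unknown = [r for r in roles if r not in defined]
    if unknown:
        raise ValueError(f"undefined roles: {unknown}")
    return f"add rba user {user} roles " + ",".join(roles)


def effective_access(user, roles=ROLES, users=USERS):
    """Feature -> 'ro' or 'rw' for a user across all assigned roles.
    ASSUMPTION: the highest level granted by any role wins."""
    access = {}
    for role in users[user]:
        for level, key in (("ro", "readonly"), ("rw", "readwrite")):
            for feature in roles[role][key]:
                if LEVEL[level] > LEVEL[access.get(feature, "none")]:
                    access[feature] = level
    return access


def who_can(feature, level, roles=ROLES, users=USERS):
    """Users holding at least `level` on `feature`; the least-privilege question."""
    return sorted(u for u in users
                  if LEVEL[effective_access(u, roles, users).get(feature, "none")] >= LEVEL[level])


def render_all(roles=ROLES, users=USERS):
    """The Clish command lines that would create these roles and assignments."""
    lines = [add_role_command(n, d["readonly"], d["readwrite"]) for n, d in roles.items()]
    lines += [add_user_roles_command(u, r, roles) for u, r in users.items()]
    return lines


if __name__ == "__main__":
    print("\n".join(render_all()))
    # Read/Write on the Users feature lets an account change other users' passwords.
    print("can change passwords:", who_can("user", "rw"))
```

who_can("user", "rw") answers the question the text raises about the Users feature: which accounts could change another user's or the Admin's password. Reviewing that list is usually more informative than reading the role definitions one by one.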
There are three essential components of the Check Point Security Management Architecture: SmartConsole, Security Management Server, and the Security Gateway.

Figure 53: Check Point's Security Management Architecture Components

SmartConsole

SmartConsole is a Graphical User Interface (GUI) used to manage the objects that represent network elements, servers, and gateways. These objects are used throughout SmartConsole for many tasks including creating Security Policies. SmartConsole is also used to monitor traffic through logs and manage Software Blades, licenses, and updates.

Security Management Server

When a Security Policy is created in SmartConsole, it is stored in the Security Management Server. The Security Management Server then distributes that Security Policy to the various Security Gateways. The Security Management Server is also used to maintain and store an organization's databases, including object definitions and log files, for all gateways.

Security Gateway

A Security Gateway is a gateway on which the Firewall Software Blade is enabled. It is also known as a Firewalled machine. Security Gateways are deployed at network access points, or points where the organization's network is exposed to external traffic. They protect the network using the Security Policy pushed to them by the Security Management Server.

Network Communication

Secure Internal Communication

Secure Internal Communication (SIC) is a means by which platforms and products authenticate with each other. It creates trusted connections between gateways, management servers, and other Check Point components. SIC is required for policy installation on gateways and to send logs between gateways and management servers.
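The trust lifecycle that the rest of this section describes (a one-time password to initialize trust, a certificate issued by the Internal Certificate Authority, and a signed Certificate Revocation List distributed when trust is reset) can be followed in a small model before reading the procedures. This is an added example written for this page, not Check Point's implementation: the ICA here signs with an HMAC over a secret key so the block runs on Python's standard library alone, whereas a real ICA issues X.509 certificates with public-key signatures that peers verify without the CA's private key. Peer names, serial numbers and passwords are constructed.

```python
"""Model of the SIC trust lifecycle: one-time password initialization,
trust reset with a Certificate Revocation List, and mutual authentication.
Added example; the HMAC stands in for the ICA's signature and every name,
serial and password is constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    serial: int
    subject: str        # the SIC name; peers are identified by it, not by IP
    signature: str


@dataclass(frozen=True)
class CRL:
    version: int
    revoked: frozenset  # serial numbers of revoked certificates
    signature: str


@dataclass
class Peer:
    name: str
    cert: Optional[Certificate] = None
    crl: Optional[CRL] = None


class ICA:
    """Internal Certificate Authority, created with the management server."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # stand-in for the ICA private key
        self._next_serial = 1
        self._pending_otp = {}                # gateway name -> one-time password
        self.crl = self._sign_crl(0, frozenset())

    def _sign(self, data: str) -> str:
        return hmac.new(self._key, data.encode(), hashlib.sha256).hexdigest()

    def _sign_crl(self, version: int, revoked: frozenset) -> CRL:
        return CRL(version, revoked, self._sign(f"crl:{version}:{sorted(revoked)}"))

    def issue(self, subject: str) -> Certificate:
        serial, self._next_serial = self._next_serial, self._next_serial + 1
        return Certificate(serial, subject, self._sign(f"cert:{serial}:{subject}"))

    def set_one_time_password(self, gateway: str, otp: str) -> None:
        """The OTP entered in SmartConsole; the same value is set on the gateway."""
        self._pending_otp[gateway] = otp

    def initialize_trust(self, gateway: str, otp: str) -> Optional[Certificate]:
        """Deliver the gateway's certificate only against the correct OTP,
        then delete the OTP so it cannot be reused."""
        expected = self._pending_otp.get(gateway)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        del self._pending_otp[gateway]
        return self.issue(gateway)

    def reset_trust(self, cert: Certificate) -> None:
        """Revoke a certificate: its serial joins a new, signed CRL."""
        self.crl = self._sign_crl(self.crl.version + 1, self.crl.revoked | {cert.serial})

    def issued_by_me(self, cert: Certificate) -> bool:
        expected = self._sign(f"cert:{cert.serial}:{cert.subject}")
        return hmac.compare_digest(cert.signature, expected)


def sic_authenticate(ica: ICA, a: Peer, b: Peer) -> bool:
    """Both certificates from the same ICA, neither revoked by the peer's CRL,
    and both peers holding the same CRL; otherwise no SIC connection."""
    if None in (a.cert, b.cert, a.crl, b.crl):
        return False
    if not (ica.issued_by_me(a.cert) and ica.issued_by_me(b.cert)):
        return False
    if a.cert.serial in b.crl.revoked or b.cert.serial in a.crl.revoked:
        return False
    return a.crl == b.crl


def run_scenario() -> dict:
    """Initialize trust, reset it after a key leak, then re-initialize."""
    ica = ICA()
    mgmt = Peer("mgmt-server", ica.issue("mgmt-server"), ica.crl)
    gw = Peer("branch-gw")
    r = {}
    ica.set_one_time_password(gw.name, "otp-1")
    r["wrong_otp"] = ica.initialize_trust(gw.name, "wrong") is None
    gw.cert, gw.crl = ica.initialize_trust(gw.name, "otp-1"), ica.crl
    r["otp_replay"] = ica.initialize_trust(gw.name, "otp-1") is None
    r["trusted"] = sic_authenticate(ica, mgmt, gw)
    ica.reset_trust(gw.cert)          # keys leaked: revoke and publish a new CRL
    mgmt.crl = ica.crl
    r["after_reset"] = sic_authenticate(ica, mgmt, gw)
    ica.set_one_time_password(gw.name, "otp-2")
    gw.cert = ica.initialize_trust(gw.name, "otp-2")   # new cert, old CRL still on gw
    r["stale_crl"] = sic_authenticate(ica, mgmt, gw)
    gw.crl = ica.crl                  # updated CRL arrives with the next SIC connection
    r["reinitialized"] = sic_authenticate(ica, mgmt, gw)
    return r


if __name__ == "__main__":
    for step, ok in run_scenario().items():
        print(f"{step:14s} {ok}")
```

run_scenario() exercises the properties stated in the text: a wrong or replayed one-time password yields no certificate, the revoked certificate fails after the reset, and even a freshly issued certificate is refused while the gateway still holds the older CRL, which is why the reset procedure ends with a policy installation to deploy the updated CRL.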
Once SIC is established, the management server and its components are identified by their SIC names rather than the IP address.

Check Point platforms and products authenticate each other through one of these SIC methods:

• Certificates
• TLS for the creation of secure channels
• 3DES or AES128 for encryption

NOTE: Gateways above R71 use AES128 for SIC. If one of the gateways is below R71, the gateways use 3DES.

Internal Certificate Authority

The Internal Certificate Authority (ICA) is created during the primary Security Management Server installation process. It is responsible for issuing the following certificates to authenticate:

• SIC — Between gateways or between gateways and management servers
• VPN Certificates — Between members of a VPN community in order to create the VPN tunnel
• Users — User access according to authorization and permissions

NOTE: If the Security Management Server is renamed, trust will need to be reestablished as the certificate is reissued.

Initializing Trust

A gateway and management server use a one-time password to initially establish trust. The ICA signs and issues a certificate to the gateway. At this point, the trust state is initialized but not trusted. The ICA issues a certificate for the gateway, but does not yet deliver it. The gateway and management server will then authenticate over SSL using a one-time password. The certificate is then downloaded and stored on the gateway, trust is established, and the one-time password is deleted. Now, the gateway can safely communicate with other Check Point gateways and management servers that have a security certificate signed by the same ICA.

NOTE: Make sure the clocks of the gateway and management server are synchronized before initializing trust between them.

To initialize trust:

1. In SmartConsole, navigate to the General Properties page of the gateway object.
2. Under the Machine section, click the Communication button.
3. Under the Authentication section, enter and confirm the one-time password. This one-time password must be on both the gateway and the management server.
4. Under the Trusted Communication Initialization section, click the Initialize button.
5. Publish the changes.

Secure Internal Communication Status

Once the certificate is downloaded and stored on the gateway, the SIC status will display the current communication status between the management server and the gateway. The communication status may show:

• Communicating — The secure communication is established.
• Unknown — There is no connection between the gateway and management server.
• Not Communicating — The management server can contact the gateway but cannot establish SIC.

Resetting the Trust State

If the trust state has been compromised, such as when keys are leaked or certificates are lost, it is possible to reset the trust state. Once SIC has been established, it must be reset on both the management server and the gateway. When resetting SIC, the management server revokes the certificate from the Security Gateway and stores the certificate information in the Certificate Revocation List (CRL). The CRL is a database of revoked certificates. Once the trust state has been reset, it is updated with the serial number of the revoked certificate. The ICA signs the updated CRL and issues it to all gateways during the next SIC connection. If two gateways have different CRLs, they cannot authenticate.

To reset the trust state:

1. In SmartConsole, navigate to the General Properties page of the gateway object.
2. Under the Machine section, click the Communication button.
3. At the bottom of the window, next to the certificate status, click the Reset button.
4. Publish the changes.
5. Install policy on the gateways to deploy the updated CRL to all gateways.

NOTE: If the default policy is in place on the gateway, trust cannot be reset because communication from the management server will be dropped along with traffic from any other source.

The trust state must be reset on the gateway as well. To establish a new trust state for a gateway:

1. Open the Command Line Interface (CLI) on the gateway.
2. Execute the following command:

    cpconfig

3. Type the number for SIC, press Enter and confirm.
4. Enter and confirm the activation key.
5. When done, enter the number for Exit.
6. Wait for Check Point processes to stop and automatically restart.
7. In SmartConsole, navigate back to the General Properties page of the gateway object.
8. Complete the steps required to initialize trust.

The SmartConsole

The SmartConsole is an all-encompassing, unified console for managing Security Policies, monitoring events, installing updates, adding new devices and appliances, and managing a multi-domain environment.

Navigation Pane Overview

Figure 54: SmartConsole

• Navigation toolbar — Navigate between SmartConsole views.
• Main menu — Manage policies and layers, explore and create objects, manage sessions, install policy, manage licenses and packages, and configure global properties.
• Objects menu — Create and manage objects.
• Install Policy button — Install policy.
• Session details — View the session name and description and publish or discard the current session.
• Side bar — Create and manage objects and view validation errors.
• Management activity bar — View the current administrator logged in and the number of changes made in the current session, management server details, and additional management activity, such as policy installation tasks.
• Command Line — Run API commands and scripts.

The SmartConsole is organized into the following tabs:

• Gateways & Servers
• Security Policies
• Logs & Monitor
• Manage & Settings

Gateways & Servers Tab

In the Gateways & Servers tab, you can manage gateways, configure blade activation, view gateway status, and perform actions on the gateways.

Figure 55: Gateways & Servers Tab

1. Views menu — Navigate between various pre-defined views.
2. Gateways & Servers toolbar — Create and edit gateways and clusters, run scripts, perform backups and restores, and search and filter gateways.
3. Additional Information section — View a summary of the selected gateway, tasks, and error messages and view installed Software Blades.

Security Policies Tab

Under the Security Policies tab, you are able to manipulate the various Security Policies and layers.

Figure 56: Security Policies Tab

• Tabs — Navigate between different policy packages.
• Policy Package menu — Navigate between various policies within a policy package and view and manage shared policies.
• Security Policies toolbar — Add or delete rules, expand and collapse sections, install policy, view the history, and search, filter, and export the Rule Base.
• Related Tools — View and edit VPN communities, view updates, create and manage UserCheck messages, manage client certificates, navigate to the Application Wiki or ThreatWiki, and view installation history.
• Additional Information section — View a summary of the selected rule along with details, logs, and history.

Logs & Monitor Tab

The Logs & Monitor tab allows you to view graphs and pivot tables in an organized dashboard, search through logs, schedule customizable reports, and monitor gateways.

Figure 57: Logs & Monitor Tab

1. Tabs — Open various event analysis views.
2. Logs toolbar — Use pre-defined and custom queries to search through logs, refresh statistics, export search results, and manage query settings.

Manage & Settings Tab

The Manage & Settings tab allows you to manipulate various general settings.

Figure 58: Manage & Settings Tab

1. Manage & Settings menu — Navigate between the various menu options, create, edit, and manage permission profiles and administrators, manage Software Blade global settings, view sessions and revisions, manage tags, and edit preferences.

SmartConsole Applications

SmartEvent (Advanced Events and Reports)

SmartEvent correlates logs and detects real security threats. It provides a centralized display of aggregated data and potential attack patterns from perimeter devices, internal devices, Security Gateways, and third-party security devices. SmartEvent automatically prioritizes security events for action. This automation minimizes the amount of data that needs to be reviewed, thereby reducing the use of resources. SmartEvent is capable of managing millions of logs per day per correlation unit in large networks. A correlation unit is used to analyze log entries and identify events. SmartEvent is a licensed Software Blade and can be installed on a single server or across multiple correlation units to reduce the network load.
SmartEvent views can be customized to monitor patterns and events that are most important to a Security Administrator. Information can be displayed from a high level view down to a detailed forensics analysis view. The free-text search engine is extremely effective in quickly running data analysis and identifying critical security events.

SmartView Monitor (Tunnel & User Monitoring)

SmartView Monitor displays a complete picture of network and security performance, allowing you to monitor changes to gateways, tunnels, remote users, and security activities. This SmartConsole application can be used in its most basic form without a license. More advanced features, such as customized views and detailed queries, will require a license. SmartView Monitor is discussed in greater detail in a later chapter.

SmartUpdate

SmartUpdate is used to manage licenses and packages for multi-domain servers, domain servers, gateways, and Software Blades. Through this client, an administrator can add licenses to the central license repository and assign these licenses to components as necessary. SmartUpdate can also be used to upgrade packages and install contract files. SmartUpdate is discussed in greater detail in a later chapter.

SmartDashboard

There are a few legacy applications that must be accessed through SmartDashboard. Links to SmartDashboard are located throughout SmartConsole and provide access to the following applications:

• Data Loss Prevention
• Anti-Spam & Mail
• Mobile Access
• HTTPS Inspection

Lab 1.2: Installing and Touring SmartConsole

Deployment Platforms

Check Point appliances and open servers are two hardware options for deploying Check Point technology.

Check Point Appliances

Check Point appliances are built with flexibility and expansion capability to meet the diverse requirements for today's enterprise networks.
They are designed to be flexible in order to meet throughput requirements. They also have the ability to divide into multiple, virtualized gateways and are equipped to handle advanced Check Point Software Blades. Using Check Point appliances also means a single support contract for hardware and licensing and a lower support rate as appliance troubleshooting reduces complexity. They can be re-imaged simply by plugging in a pre-imaged USB. Many Check Point appliances also have hot-swap redundant components. Strong and proven, Check Point security appliances provide reliable services for thousands of businesses worldwide.

Small Business and Branch Office Appliances

Check Point small business and branch office appliances provide a simple, affordable and easy to deploy all-in-one solution for delivering industry leading security. These appliances offer robust multilayered protection with flexible network interfaces in a compact desktop form factor. Special features include DSL and Web Management.

Enterprise Network Security Appliances

Offering the best performance for its class, Check Point Enterprise Network Security appliances combine several network interface options with high-performance multi-core capabilities to deliver multilayered security protection. With a One Rack Unit (1RU) mountable form factor, the appliances are designed to meet protection needs and match the performance requirements of an enterprise network. Special features include flexible input/output.

Data Center Security Systems

Check Point Data Center Security appliances provide unmatched scalability and serviceability in a compact two rack unit to secure even the most demanding enterprise and data center environments. With multi-core and acceleration technologies, redundant components, and superior performance, these appliances are ideal for large enterprise and data center networks that require high performance and flexible I/O options. Special features include low latency, LOM, and 40 GbE.

Chassis Systems

Check Point's Chassis-based security systems are designed to excel in demanding data center, Telco, and cloud service network environments. These carrier-grade systems offer high reliability and unparalleled security performance with a 6RU to 15RU form factor that supports the dynamic needs of growing networks. Special features include a scalable platform and DC power.

Rugged Appliances

The Check Point Rugged appliance delivers Next Generation Threat Prevention for Critical Infrastructure and Industrial Control Systems. The appliance deploys Supervisory Control and Data Acquisition (SCADA) security in harsh environments and remote locations. It operates in extreme temperatures and complies with industrial specifications for heat, vibration, and immunity to Electromagnetic Interference (EMI). Special features include desktop or DIN mount and AC/DC power.

Additional Check Point Appliance Solutions

Choosing the right security appliance for a specific deployment situation can be a challenging task. However, Check Point appliance solutions are prepared to meet the challenge. Additional appliances designed to meet even more specialized security functions are also available, such as DDoS Protector appliances, management appliances, and virtual systems. Leverage the Check Point Appliance Sizing Tool to select the right appliance based on your specific environment and security needs.
Check Point's SecurityPower™ provides an effective metric for selecting the appliance that can best meet your network security needs for today and provide room for growth.

Open Servers

Check Point software technology can also be deployed on open servers, or non-Check Point hardware. Open servers provide the benefit of bringing your own hardware, which provides the ability to increase RAM, CPU, and disk space. With open servers, licensing is not hardware dependent and can be transferred between old and new hardware. Hardware compatibility must be approved for the device to work and be supported by Check Point. In addition, there is no requirement to purchase all software solutions, only the necessary Software Blades.

Deployment Considerations

Before delving into the various deployment options for a network, consider the following network topology:

Figure 76: Secure Network

Each component in the network topology is distinguished by its IP address and netmask. The combination of components and their respective IP information make up the network topology. This network topology represents an internal network, consisting of both the Local Area Network (LAN) and the Demilitarized Zone (DMZ), that is protected by the gateway. The gateway must be aware of the network topology in order to correctly enforce the Security Policy, ensure the validity of IP addresses for inbound and outbound traffic, and configure a special domain for VPNs.

It is important to take into consideration the existing network when deciding the best deployment strategy for a Security Gateway, as installing a new gateway in an existing network often requires reconfiguration of the routing scheme. There are three deployment options available: Standalone, Distributed, and Bridge Mode.
Standalone

In a Standalone deployment, the Security Management Server and Security Gateway are installed on the same computer or appliance.

Item / Description
• Security Management Server component
• Security Gateway component

Figure 77 — Standalone Deployment

Distributed

In a Distributed deployment, the Security Gateway and the Security Management Server are installed on different computers or appliances.

Item / Description
• Security Management Server
• Network connection
• Security Gateway

Figure 78 — Distributed Deployment

Bridge Mode

A Bridge Mode deployment adds a Security Gateway to an existing environment without changing IP routing.

Item / Description
• Switch
• Security Gateway
• Firewall bridging Layer 2 traffic over the one IP address, with a subnet on each side using the same address

Figure 79 — Bridge Mode Deployment

Review Questions

1. What are the three mechanisms for controlling network traffic?
2. What role does SmartConsole play in Check Point's Security Management Architecture?
3. What are the two hardware options for deploying Check Point technology?
4. Describe the Command Line Interface.

Security Policy Management

Managing the Security Policy for a large network can quickly become a resource intensive task. To help manage the network Security Policy, it is important to know the components of a Security Policy and how they impact traffic inspection. In this chapter, you will also learn about many SmartConsole features and capabilities that enhance the management of the Security Policy.

Learning Objectives

• Describe the essential elements of a Security Policy.
• Understand how traffic inspection takes place in a unified Security Policy.
• Summarize how administration roles and permissions assist in managing policy.
• Recall how to implement Check Point backup techniques.
Introduction to the Security Policy

The Security Policy is a key component in securing and managing any corporate network, no matter how large or small. It sets the plans and processes for protecting an organization's information and physical assets. A Security Policy is a collection of objects, settings, and rules that controls network traffic and enforces organization guidelines for data protection and access to resources with packet inspection. It defines rules for such things as how network resources can be accessed and who can access them, how data security measures are enforced, and how communication occurs within the network.

A Security Policy consists of a set of rules that defines network security using a Rule Base. Once a Rule Base is defined, the Security Policy can be distributed to all Security Gateways across a network. Rules are comprised of network objects such as gateways, hosts, networks, routers, and domains, and specify the source, destination, service, and action to be taken for each session. A basic rule consists of the following information:

• Rule number
• Name of the rule
• Source
• Destination
• Whether or not VPN will be used
• Services & Applications
• Action to take if the session criteria matches
• If and how the rule activity should be tracked
• Which Firewall object(s) will enforce the rule
• The time period for the rule

Default Rule

A default rule is added when you add a rule to the Rule Base. These rules are configured using all objects, services and users installed on your database. The rule is defined with the following information.

• No. — Defines the number order of each rule; the first rule in the Rule Base is 1.
• Hits — Tracks the number of connections each rule matches on this gateway. (This column is not shown in the figure below.)
• Name — Gives administrators a space to name the rule, helping to annotate the Rule Base; by default, it is blank.
• Source — Displays the Object picker, where you can select network objects or a group of users to add to the Rule Base; the default is Any.
• Destination — Displays the Object Manager screen, where you can select resource objects to add to the rule; the default is Any.
• VPN — Displays the Add VPN Communities screen, where you can select a VPN Community to add to the rule; the default is Any.
• Services & Applications — Displays the Services & Applications picker, where you can select services and applications to add to the rule; the default is Any.
• Action — Accepts, drops, or rejects the session; provides authentication and encryption; the default is Drop.
• Time — Specifies the time period for the rule; the default is Any.
• Track — Defines logging or alerting for this rule; the default is None.
• Install On — Specifies which Firewalled objects will enforce the rule; the default is Policy Targets, which means all internal Firewalled objects.
• Comments — Allows administrators to add notes about this rule; the default is a blank comment field. (This column is not shown in the figure below.)

Figure 80 — Default Rule

Objects

In SmartConsole, objects are used to represent physical and virtual network components, such as servers and users, as well as logical components. Logical components include IP address ranges and dynamic objects. Objects are divided into the following categories.

Category: Objects
Network Object: Gateways, hosts, networks, address ranges, dynamic objects, security zones, interoperable devices, domains, and logical servers
Service: Protocols, protocol groups
Custom Application/Site: Applications, user categories, URL categorizations
VPN Community: Site-to-Site or Remote Access VPNs
User: Users, user groups, user templates
Server: Trusted Certificate Authorities, RADIUS, TACACS, OPSEC servers
Resource: URI, SMTP, FTP, TCP, CIFS
Time Object: Time, time group
UserCheck Interactions: Message windows (Ask, Cancel, Certificate template, Inform and Drop)
Limit: Download and upload bandwidth (bandwidth limit on upload and download rates)

Table 6: Object Categories

Creating Objects

Objects are created by the System Administrator to represent actual hosts, devices, and intangible components such as services (HTTP and TELNET) and resources (URI and FTP). Each component has a corresponding object that represents it. Once these objects are created, they can be used in the rules of the Security Policy. Objects are the building blocks of Security Policy rules and are stored in the Objects database on the management server.

When creating objects, the System Administrator must consider the needs of the organization:

• What are the physical and logical components that make up the organization? Each component that accesses the Security Gateway most likely needs to be defined.
• What components will access the Firewall?
• Who are the users and how should they be grouped?
• Who are the administrators and what are their roles?
• Will VPN be used? If so, will it allow remote users? VPN will be discussed in greater detail in a later chapter.

Object Management

System Administrators can add, edit, delete, and clone objects. A clone is a copy of the original object with a different name. An object in the Security Policy can also be replaced by another object. The Object Explorer window in SmartConsole allows you to create new objects and edit existing objects.
From this window, you can browse objects by category or search for a particular object using keywords or tags. A tag is a keyword or label assigned to an object or group of objects.

Figure 81 — Object Explorer Window

Security Zones

A security zone is a group of one or more network interfaces from different centrally managed gateways bound together and used directly in the Rule Base. They allow administrators to define the Security Policy based on network interfaces rather than IP addresses. The security zone can be matched in a rule as a source zone or a destination zone. Using the correct zone for a given connection is based on the network topology and determined according to where the interface leads. A given interface can be a part of only one zone. External, Internal, and DMZ security zones are always available on the gateway by default.

With security zones, administrators can simply apply the same rule to multiple gateways and manage traffic between network segments. An explicit rule is required to transfer traffic between the same zone. Security zones also support Acceleration solutions.

Security zone objects automatically enforce changes in the topology and allow administrators to efficiently add internal networks without updating the Security Policy. However, Anti-Spoofing will overrule security zones because it does not automatically trust all networks in a

NOTE: Security zones will not work in Manual NAT rules.

Anti-Spoofing

Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP address. This alteration makes it appear as though the packet originated in the part of a network with higher access privileges. The Security Gateway has a sophisticated Anti-Spoofing feature that detects such packets by requiring that the interface on which a packet enters a gateway corresponds to its IP address.
Anti-Spoofing is an object setting that, when configured, affects the Security Policy. Anti-Spoofing verifies that packets are coming from, and going to, the correct interfaces on a gateway. Anti-Spoofing confirms that packets claiming to be from the internal network are actually coming from the internal network interface. For example, if a packet from an external network has an internal IP address, Anti-Spoofing blocks that packet. It also verifies that once a packet is routed, it is going through the proper interface.

Configuring Anti-Spoofing

To properly configure Anti-Spoofing, networks that are reachable from an interface need to be defined appropriately. Configure all the static routes, including the default route, before configuring or getting the topology for a Security Gateway. For Anti-Spoofing to be most effective, it should be configured on all gateway interfaces. If Anti-Spoofing is implemented on a specific interface, spoof tracking for that interface should also be defined. This will help with both intrusion detection and troubleshooting. To activate Anti-Spoofing, configure the Firewalled interface properties. The Topology tab of the Interface Properties window allows you to configure Anti-Spoofing properties of a gateway.

Figure 82 — Anti-Spoofing (Interface Properties, Topology tab: Leads To, Anti-Spoofing, Spoof Tracking)

The Rule Base

The Rule Base is a collection of individual rules which builds the Security Policy. Each rule in a Rule Base defines the packets that match the rule based on source, destination, service, and the time the packet is inspected. The first rule that matches a packet is applied, and the specified Action is taken. The communication may be logged and/or an alert may be issued, depending on what has been entered in the Track field.
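The inbound and outbound checks described above, modelled as an added example (not Check Point's code). The interface names, "Leads To" networks, static routes and packet addresses are all constructed; the last static route is deliberately missing from the interface topology to show why the manual says to configure routes before fetching the topology.

```python
"""Added example, not Check Point's code: a minimal model of the Anti-Spoofing
check. Interfaces, the 'Leads To' topology, the routing table and the packets
are all constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    # Networks behind this interface (the Topology tab's "Leads To" setting).
    # The external interface leads to everything that is not behind another
    # interface, so its list is left empty.
    leads_to: List[IPv4Network] = field(default_factory=list)
    external: bool = False
    anti_spoofing: bool = True
    spoof_tracking: str = "log"   # "none", "log" or "alert"


class Gateway:
    def __init__(self, interfaces: List[Interface], routes: List[Tuple[str, str]]):
        self.ifaces = {i.name: i for i in interfaces}
        # Static routes as (destination network, interface name), most specific
        # first, default route last. Routing is independent of the topology,
        # which is exactly what Anti-Spoofing cross-checks.
        self.routes = [(ip_network(n), self.ifaces[i]) for n, i in routes]
        self.spoof_log: List[str] = []

    def _internal_nets(self) -> List[IPv4Network]:
        return [n for i in self.ifaces.values() if not i.external for n in i.leads_to]

    def valid_on(self, iface: Interface, addr) -> bool:
        """Is addr a legitimate address on the networks that iface leads to?"""
        if iface.external:
            return not any(addr in n for n in self._internal_nets())
        return any(addr in n for n in iface.leads_to)

    def _egress(self, dst) -> Optional[Interface]:
        for net, iface in self.routes:
            if dst in net:
                return iface
        return None

    def _track(self, iface: Interface, direction: str, src: str, dst: str) -> None:
        # Spoof Tracking: record the event so it can be investigated.
        if iface.spoof_tracking != "none":
            self.spoof_log.append(
                f"{iface.spoof_tracking}: spoofed {direction} packet on {iface.name} {src} -> {dst}")

    def check(self, ingress_name: str, src: str, dst: str) -> str:
        """Anti-Spoofing verdict only ('accept' or 'drop'); the Rule Base is not modelled."""
        src_a, dst_a = ip_address(src), ip_address(dst)
        ingress = self.ifaces[ingress_name]
        # Inbound: the source must belong to the networks behind the ingress interface.
        if ingress.anti_spoofing and not self.valid_on(ingress, src_a):
            self._track(ingress, "inbound", src, dst)
            return "drop"
        # Outbound: after routing, the destination must belong to the networks
        # behind the interface the packet is about to leave through.
        egress = self._egress(dst_a)
        if egress is None:
            return "drop"  # no route at all
        if egress.anti_spoofing and not self.valid_on(egress, dst_a):
            self._track(egress, "outbound", src, dst)
            return "drop"
        return "accept"


# Constructed topology: eth0 external, eth1 internal LAN, eth2 DMZ.
GW = Gateway(
    [
        Interface("eth0", external=True),
        Interface("eth1", [ip_network("10.1.0.0/16")]),
        Interface("eth2", [ip_network("192.168.10.0/24")]),
    ],
    routes=[
        ("10.1.0.0/16", "eth1"),
        ("192.168.10.0/24", "eth2"),
        # Route added after the topology was fetched: eth1's "Leads To" list
        # does not contain this network, so Anti-Spoofing drops traffic to it.
        ("172.16.0.0/16", "eth1"),
        ("0.0.0.0/0", "eth0"),
    ],
)
```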
The fundamental concept of the Rule Base is "a connection that is not explicitly allowed is denied."

Cleanup and Stealth Rules

There are two basic rules that Check Point recommends for building an effective Security Policy: the Cleanup rule and the Stealth rule. Both the Cleanup and Stealth rules are important for creating basic security measures and tracking important information.

• Cleanup Rule — A Cleanup rule is recommended to determine how to handle connections not matched by the rules above it in the Rule Base. It is also necessary for logging this traffic. Cleanup rules can be configured to allow or drop the connection. It should always be placed at the bottom of the Rule Base.
• Stealth Rule — To prevent any users from connecting directly to the Security Gateway, add a Stealth rule to your Rule Base. The Security Gateway becomes invisible to users on the network. In most cases, the Stealth rule should be placed above all other rules. Placing the Stealth rule at the top of the Rule Base protects the gateway from port scanning, spoofing, and other types of direct attacks. Connections that need to be made directly to the gateway, such as Client Authentication, encryption, and Content Vectoring Protocol (CVP) rules, always go above the Stealth rule.

Figure 83 — Cleanup and Stealth Rules

Explicit and Implicit Rules

The Security Management Server creates Explicit rules and Implicit rules. Explicit rules are created in the Rule Base by the administrator. Explicit rules are configured to allow or block traffic based on specified criteria. The Cleanup rule is a default Explicit rule. Implicit rules allow certain connections to and from the Security Gateway. Implicit rules are not visible in the Rule Base.
The Security Management Server enforces two types of Implicit rules that enable Control Connections and Outgoing Packets.

Control Connections

The Security Gateway creates a group of Implicit rules that it places first, last, or before last in the explicitly defined Rule Base. These first Implicit rules are based on the Accept Control Connections setting on the Global Properties window. The Security Gateway anticipates other possible connections relating to gateway communication and creates Implicit rules for those scenarios.

There are three types of Control Connections defined by Implicit rules:

• Gateway specific traffic that facilitates functionality, such as logging, management and key exchange
• Acceptance of Internet Key Exchange (IKE) and Reliable Datagram Protocol (RDP) traffic for communication and encryption purposes
• Communication with various types of servers, such as RADIUS, CVP, UFP, TACACS, LDAP and logical servers, even if these servers are not specifically defined resources in your Security Policy

Implied Rules

Implied rules are generated in the Rule Base as a part of the Global Properties and cannot be edited. They are configured to allow connections for different services that the Security Gateway uses, such as connecting to RADIUS authentication servers and sending logs from the Security Gateway to the Security Management Server. Some Implied rules are enabled by default. To configure their position in the Rule Base, check the properties enforced in the Firewall Implied Rules screen, then choose a position in the Rule Base for the Implied rule.

Additional Rule Types

The following table describes other rules that may be created.

Rule: Description
Critical Subnet: Traffic from the internal network to the specified resources is logged. This rule defines three subnets as critical resources: Finance, HR and R&D.
Tech Support: Allows the Technical Support server to access the Remote-1 web server, which is behind the Remote-1 Security Gateway. Only HTTP traffic is allowed. When a packet matches the Tech Support rule, the Alert action is executed.
DNS Server: Allows UDP traffic to the external DNS server. Traffic is not logged.
Mail and Web Servers: Allows incoming traffic to the mail and web servers that are located in the DMZ. HTTP, HTTPS and SMTP traffic is allowed.
SMTP: Allows outgoing SMTP connections to the mail server. Does not allow SMTP connections to the internal network, to protect against a compromised mail server.
DMZ and Internet: Allows traffic from the internal network to the DMZ and Internet.

Table 7: Additional Rules

Rule Base Management

As a network infrastructure grows, so will the Rule Base created to manage the network's traffic. If not managed properly, Rule Base order can affect Security Gateway performance and negatively impact traffic on the protected networks. Here are some general guidelines to help you manage your Rule Base effectively.

Before creating a Rule Base, answer the following questions:

• Which objects are in the network? Examples include gateways, hosts, networks, routers, and domains.
• Which user permissions and authentication schemes are needed?
• Which services, including customized services and sessions, are allowed across the network?

As you formulate the Rule Base for your Security Policy, these tips are useful to consider:

• The policy is enforced from top to bottom. Place the most restrictive rules at the top of the policy, then proceed with the generalized rules further down the Rule Base. If more permissive rules are located at the top, the restrictive rules may not be used properly. This allows misuse or intrusion, due to improper rule configuration.
• Keep it simple. Grouping objects or combining rules makes for visual clarity and simplifies debugging.
• If more than 50 rules are used, the Security Policy becomes hard to manage and Security Administrators may have difficulty determining how rules interact.
• Add a Stealth rule and Cleanup rule first. Using an Explicit Drop rule is recommended for logging purposes.
• Limit the use of the Reject action in rules. If a rule is configured to reject, a message is returned to the source address, informing that the connection is not permitted.
• Use section titles to group similar rules according to their function. For example, rules controlling access to a DMZ should be placed together. Rules allowing internal network access to the Internet should be placed together. This makes it easier to locate rules and modify the Rule Base.
• Add a comment to each rule. Comments ease troubleshooting and explain why rules exist. This is particularly important when the Security Policy is managed by multiple administrators. In addition, this Comment option is available when saving database versions. See the Database Revision Control section in this chapter.
• For efficiency, the most frequently used rules are placed above less frequently used rules. This must be done carefully to ensure a general accept rule is not placed before a specific drop rule.

Understanding Rule Base Order

Before you can define Security Policy properties, you must consider Rule Base order. The Security Gateway inspects packets by comparing them to the Security Policy, one rule at a time. For this reason, it is important to define each rule in the Security Policy in the appropriate order. Firewall Implied rules are placed first, last or before last in the Rule Base and can be logged. Rules are processed in the following order:

• First Implied — This rule cannot be modified, moved or overwritten in the Rule Base. No rules can be placed before it. First Implied rules are applied before all other rules, including administrator explicitly defined rules and Implicit rules.
• Explicit — These are the administrator defined rules, which may be located between the First and the Before Last rules.
• Before Last Implied — These are more specific Implied rules enforced before the last rule is applied.
• Last Explicit — A Cleanup rule should be used as the last Explicit rule.
• Last Implied — This rule is applied after all other Explicit and Implied rules in the Rule Base, except the Implicit Cleanup Rule.
• Implicit Cleanup Rule — This default rule is applied if none of the rules are matched.

NOTE: If the Cleanup rule is the last Explicit rule, the last Implied rule and Implicit Cleanup Rule are not enforced.

Completing the Rule Base

When you have defined the desired rules, you must install the Security Policy. The installation process specifies the network object on which the Security Policy is installed. Only managed objects are available for policy installation. In contrast, the Install On column in the Rule Base specifies the network object that is to enforce a specific rule.

There are times when verifying a Security Policy is useful to System Administrators. By verifying a Security Policy, you check that rules are consistent and there are no redundant rules, before Security Policy installation.

Global Properties

The Security Policy encompasses more than a set of rules and objects. It also includes numerous settings which are primarily configured as Global Properties. These settings apply to a variety of Check Point products, services and functions, such as the Firewall, VPN and Reporting Tools. Settings configured as Global Properties are enforced by all Security Gateways managed by the Security Management Server. For example, logging Implied rules, enabling Hit Count, and defining advanced VPN functions are all settings that are applied as Global Properties.
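The Rule Base order, first-match semantics, Stealth and Cleanup placement, and the redundancy check that verification performs, as an added example (not Check Point's code). The network objects, service names, rule names and addresses are constructed; it also shows why, as the NOTE says, a Cleanup rule in the last explicit position makes the Last Implied and Implicit Cleanup rules unreachable.

```python
"""Added example, not Check Point's code: a simplified model of Rule Base
matching order (First Implied, Explicit, Before Last Implied, Last Explicit,
Last Implied, Implicit Cleanup) with first-match semantics, plus the kind of
shadowing check that policy verification performs. Objects, rules, service
names and addresses are all constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Position of each rule kind in the enforced order.
ORDER = ["implied_first", "explicit", "implied_before_last",
         "implied_last", "implicit_cleanup"]

# Network objects (constructed). "Any" is the whole address space.
OBJECTS = {
    "Any": [ip_network("0.0.0.0/0")],
    "Gateway": [ip_network("10.1.0.1/32"), ip_network("203.0.113.1/32")],
    "MgmtServer": [ip_network("10.1.0.10/32")],
    "LAN": [ip_network("10.1.0.0/16")],
    "DMZ_Web": [ip_network("192.168.10.5/32")],
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # object name from OBJECTS
    dst: str
    service: str      # constructed service name, or "Any"
    action: str       # "accept", "drop" or "reject"
    track: str = "None"
    kind: str = "explicit"


def ordered(rules: List[Rule]) -> List[Rule]:
    """Enforced order: sort by kind. The sort is stable, so explicit rules
    keep the top-to-bottom order the administrator gave them."""
    return sorted(rules, key=lambda r: ORDER.index(r.kind))


def in_object(name: str, addr: str) -> bool:
    return any(ip_address(addr) in net for net in OBJECTS[name])


def evaluate(rules: List[Rule], src: str, dst: str, service: str) -> Tuple[str, str, str]:
    """First match wins, top to bottom: returns (rule name, action, track)."""
    for r in ordered(rules):
        if (in_object(r.src, src) and in_object(r.dst, dst)
                and r.service in ("Any", service)):
            return r.name, r.action, r.track
    raise RuntimeError("no rule matched: the Implicit Cleanup rule is missing")


def covers(outer: str, inner: str) -> bool:
    """True if every address in object `inner` lies inside object `outer`."""
    return all(any(i.subnet_of(o) for o in OBJECTS[outer]) for i in OBJECTS[inner])


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never match because an earlier rule already matches
    everything they would; returned as (shadowed rule, earlier rule). This is
    the 'general accept placed before a specific drop' mistake the tips warn about."""
    seq = ordered(rules)
    found = []
    for i, r in enumerate(seq):
        for earlier in seq[:i]:
            if (covers(earlier.src, r.src) and covers(earlier.dst, r.dst)
                    and earlier.service in ("Any", r.service)):
                found.append((r.name, earlier.name))
                break
    return found


# Constructed Rule Base: control connections first, Stealth at the top of the
# explicit rules, Cleanup as the last explicit rule.
RULES = [
    Rule("Accept Control Connections", "MgmtServer", "Gateway", "Any",
         "accept", "None", "implied_first"),
    Rule("Stealth", "Any", "Gateway", "Any", "drop", "Log"),
    Rule("LAN to Web", "LAN", "DMZ_Web", "http", "accept", "Log"),
    Rule("Cleanup", "Any", "Any", "Any", "drop", "Log"),
    Rule("Last Implied (constructed)", "Any", "Any", "icmp", "accept",
         "None", "implied_last"),
    Rule("Implicit Cleanup", "Any", "Any", "Any", "drop", "None",
         "implicit_cleanup"),
]

if __name__ == "__main__":
    for pkt in [("10.1.0.10", "10.1.0.1", "mgmt"), ("10.1.2.3", "10.1.0.1", "ssh"),
                ("10.1.2.3", "192.168.10.5", "http"), ("10.1.2.3", "192.168.10.5", "ftp")]:
        print(pkt, "->", evaluate(RULES, *pkt))
    print("shadowed:", shadowed_rules(RULES))
```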
Figure 84 — Global Properties Window

Sections

When managing a large network, it can be helpful to divide the policy into smaller sections. These sections are simple visual divisions of the Rule Base and do not hinder the order of rule enforcement. Use section titles to more easily navigate between large rule bases. Section titles are not sent to the gateway side.

Figure 85 — Policy Sections

Publish Policy

Newly created Security Policies and changes made to an existing Rule Base must be published on the management server before the policy can be installed and enforced on the Security Gateway. Publishing changes is not the same as saving changes. Saving changes made during a session in SmartConsole creates a draft of the edited policy on the management server. Changes are not updated to the policy when viewed in SmartConsole. Policy cannot be installed if the changes are not published.

Publishing actually updates the policy on the management server and/or Log Server and makes the changes visible in SmartConsole. Many organizations amend policy regularly but only publish policy during a change window. To publish policy, simply click the Publish button located at the top of the SmartConsole window. A pop-up window will appear. Click the Publish button to make the changes visible to all and update the policy. If desired, select the "Don't show again" checkbox to eliminate this step when publishing policy.

Click 'Publish' to make these changes available to all.
Figure 86 — Publish Policy (dialog showing Session name, Description, Total changes and the "Don't show again" checkbox)

Policy Packages

A policy package is a group of different types of policies that are installed together on the same installation targets. After installation, the Security Gateway enforces all of the policies in the package. Some circumstances require multiple versions of a Security Policy, yet the Objects database needs to stay the same. Often this will occur when adding or consolidating rules in an existing Rule Base or when creating a new set of rules on a Security Gateway. In these instances, using policy packages is better than creating multiple versions of the system database. Pre-defined installation targets allow each policy package to be associated with the appropriate set of gateways, thereby eliminating the need to repeat the gateway selection process each time you install the package.

Policy Types

SmartConsole uses tabs to make it easy and convenient to navigate between and work within multiple policy packages. There are four policy types available for each policy package:

• Access Control
• QoS
• Desktop Security
• Threat Prevention

Figure 87 — New Policy Window — General Tab

Access Control

The Access Control policy package consists of these types of rules:

• Firewall
• Application Control and URL Filtering
• NAT
• Content (Data) Awareness

Quality of Service

Quality of Service (QoS) is Check Point's policy-based bandwidth management solution which allows for prioritizing critical traffic, such as ERP, Voice over IP (VoIP), database and Web services traffic, over less time critical traffic. When integrated with the Security Gateway, QoS optimizes performance for VPN and unencrypted traffic.
QoS policy rules are similar to Firewall rules; however, their primary purpose is to enforce bandwidth and traffic control rules. The QoS policy type is only available when at least one of the gateways has QoS enabled.

Desktop Security

The Desktop Security policy is the Firewall policy for endpoint computers that have an Endpoint Security VPN remote access client installed as a standalone client. When a remote user connects to the corporate network, the VPN-enabled Security Gateway verifies whether the latest Desktop Security Policy has been installed on the remote client. The Desktop Security policy type is available if at least one Security Gateway already enforces Desktop Security rules.

Threat Prevention

The Threat Prevention policy rules accompany the Threat Prevention Software Blades. These rules are in place to defend against network malware infections. Threat Prevention policy packages consist of the following policy types:

• IPS
• Anti-Bot
• Anti-Virus
• Threat Emulation

The Threat Prevention policy has its own Exceptions section. This section allows an administrator to create global exceptions and exception groups. A global exception is an exception applied to the entire Threat Prevention policy. An exception group contains multiple exception rules. Exception groups can be manually attached to a rule, automatically attached to each rule with a particular profile, or automatically attached to all rules. These exception groups can be assigned to one or more rules in the Threat Prevention policy Rule Base.

Unified Policies

One innovative feature of SmartConsole is the concept of the unified policy, which allows an administrator to control several security aspects from a single console. A unified Security Policy provides Rule Base unification of policies for both access control and threat prevention Software Blades.
The information on connections from all of the Software Blades is collected in one log file.

The unified Access Control policy is both data and application aware. It unifies the Firewall, NAT, Application Control & URL Filtering, Content Awareness and Mobile Access Software Blade policies, controlling access to computers, clients and servers. The rules that accompany these Software Blade policies make up the Access Control policy Rule Base. These rules use services, protocols, applications, URLs, file types or data types to filter traffic entering and leaving the network.

NOTE: In order to configure the URL Filtering and Application Control rules, the URL Filtering and Application Control blade must be enabled on the Access Control policy.

The Threat Prevention policy unifies the IPS, Anti-Virus, Anti-Bot and Threat Emulation Software Blade policies. Each rule in the Rule Base contains a Threat Prevention profile, which is a set of configurations related to the enforcement of the Threat Prevention Software Blades. A unified Threat Prevention policy allows an organization to enforce more granular Threat Prevention policies by allowing multiple profiles for each Security Gateway. In addition, Threat Prevention logs track additional fields of information which may be used for forensic purposes, such as DNS query, HTTP referrer, SMTP Subject, and FTP User.

The Access Control and Threat Prevention policies are discussed in greater detail in the next chapter.

Shared Policies

SmartConsole's Shared Policies feature allows administrators to share a policy with other policy packages. Shared Policies are installed with the Access Control policy and can be referenced in multiple policy packages. The Shared Policies section in a policy package provides access to these granular Software Blades and features:

• Mobile Access — Configure how remote users access internal resources, such as their email accounts, when they are mobile.
• Data Loss Prevention (DLP) — Configure advanced tools to automatically identify data that cannot go outside the network, block the data leak and educate users.
• HTTPS Inspection — The HTTPS policy allows the Security Gateway to inspect HTTPS traffic to prevent security risks related to the SSL protocol.
• Geo Policy — Create policy for traffic to or from specific geographical locations.

Figure 88 — Shared Policies

Additional Policy Management Tools

The Access Tools section in the Security Policies Access Control view and the Threat Tools section in the Security Policies Threat Prevention view provide additional management and data collection tools.

Access Tools include:

• VPN Communities — The VPN Communities tool allows the administrator to create, edit or delete VPNs.
• Client Certificates — This tool allows users to access resources using their handheld devices, such as cell phones and tablets, by creating and distributing client certificates, allowing them to authenticate to the gateway.
• Application Wiki — The Application Wiki tool is a link to the Check Point App Wiki. From this site, an administrator can search and filter the Web 2.0 Applications Database and use Check Point security research when creating rules for actions on applications and widgets.
• Installation History — This tool allows the administrator to view the policy installation history for each gateway and which administrator made the changes. They can also see the revisions that were made during each policy installation and who made them. Revisions are opened in Read-Only mode. From this tool, an administrator also has the ability to revert to a specific version of the policy, allowing for a quick recovery without losing all the changes made in the database.
Figure 89 — Access Control Tools

Threat Tools include:

• Profiles — The Profiles tool provides an administrator the ability to create, edit or delete profiles. Multiple profiles can be created for each gateway and assigned to one or more rules. These profiles can be configured to provide any combination of IPS, Anti-Bot, Anti-Virus and Threat Emulation protections. There are a few pre-defined profiles that are automatically enabled upon upgrade. If edits are made to a pre-defined profile, the profile must be saved under a new name to preserve the original settings in the pre-defined profile.
• IPS Protections — In this tool, an administrator can edit IPS protections and configure exceptions to those protections. An administrator can also activate or deactivate protections based on their tagging. For example, an administrator can activate all IPS protections tagged with the vendor Microsoft or deactivate all protections tagged with the protocol Modbus. This tagging feature provides more protection activation and deactivation granularity. The IPS Protections entry is a link to the IPS Protections tool.

NOTE: Protections are automatically tagged through the IPS update. This is the only process that can change the tags.

• Protections — This tool allows an administrator to view the statistics on different detected threats. It enables engine granularity by providing specific protections against malicious and unusual activity engines. These protections can be overridden per profile. The management server uses web services to retrieve the list of protections, thereby requiring connectivity. Without connectivity, an error message is generated.
• Whitelist Files — The Whitelist Files tool provides a list of trusted files. An administrator can specify files that the Threat Prevention blade does not scan or analyze for malware, viruses or bots. This decreases the use of resources on the gateway.
+ Threat Wiki — The Threat Wiki is a tool that links an administrator to the Check Point Threat Wiki. From there, the administrator can search and filter Check Point's Malware Database and use Check Point security research to block malware before it enters their environment and respond appropriately when malware does intrude the environment.

Updates

The Updates tool is used by both Access Control and Threat Prevention policies. In the Access Control policy, the Updates tool allows the administrator to configure updates to the Application Control and URL Filtering database. Under the Threat Prevention policy, the administrator is able to configure updates to the Malware database, Threat Emulation engine and images, and the IPS database. It also allows an administrator to revert to an earlier IPS package version.

NOTE: Updates require Internet connectivity and name resolution from the Security Management Server. If there is no connectivity, an error message is generated.

UserCheck

UserCheck is a communication tool used by the Security Gateway to inform a user about a website or application they are trying to access. It communicates messages about the company's Security Policy or a change in the company's Security Policy to the person trying to access the application or Internet site. This tool provides users the ability to create, edit or delete UserCheck interaction objects in the Access Control and Threat Prevention policy.

There are three types of UserCheck messages:

+ Inform — Informs the user of a possible violation of, or a change in, the company Security Policy and provides users the option to continue to the application or cancel the request.
+ Ask — Asks a user if they want to continue to the application or cancel the request.
+ Block — Blocks the request to access the application or Internet site.

When enabled, the user's Internet browser will display the UserCheck message in a new window.
When UserCheck is installed on endpoint computers, the messages are displayed directly on the computer.

Install Policy

When changes are made to a Rule Base, it is important to install policy to enforce the changes. The policy cannot be installed if the included changes are not published. When you install policy, the management server installs the updated policy and the entire database on the selected gateways, even if network objects were not modified. It is possible to install only the Access Control policy, only the Threat Prevention policy, or both policies.

NOTE: Changes made during a session must be published before installing policy.

Figure 90 — Installing Policy

Install a Policy Package

Policy rules are verified and checked for redundancy when a policy package is being installed. Once verification is performed, the Security Policy is sent to the Security Gateways for enforcement.

Installation ensures that each Security Gateway enforces at least one rule. If none of the rules in the policy package apply to a Security Gateway, the Security Management Server does not install the policy package on the Security Gateway. However, the Security Gateway will then enforce a default drop rule, which is the default policy for all Security Gateways. Installing a policy package also distributes the User and Objects databases to the target installation Security Gateways.

There are two types of installation modes. The first installation mode installs the policy on each target gateway independently. In this case, if the installation fails on one target gateway, it does not affect the installation on the rest of the target gateways.

The second installation mode installs the policy on all target gateways. In this case, if the policy fails to install on one of the gateways, the policy is not installed on any of the other target gateways.
Figure 91 — Policy Package Installation Mode

NOTE: For Gateway Clusters, if "Install on all the members, if it fails do not install at all" is selected, the management server makes sure that it can install the policy on all cluster members before it begins the installation. If the policy cannot be installed on one of the members, policy installation fails for all of them.

Lab 2.1 Modifying an Existing Security Policy

HTTPS Inspection

HTTPS is a communications protocol used throughout the world to secure access to websites and applications via the Internet. To provide data privacy and integrity, HTTPS connects and encrypts data sent and received with the SSL/TLS protocol. However, HTTPS traffic can often hide dangerous web activity and malicious attacks from gateways that pass HTTPS without inspecting the traffic. This is because the gateway, by default, does not inspect the encrypted parts of the traffic.

HTTPS Inspection allows the gateway to inspect traffic encrypted by HTTPS. Enabling HTTPS Inspection lets the gateway create new SSL/TLS connections with an external site or server. As a result, the gateway is then able to decrypt and inspect the HTTPS traffic that uses the new connections.

HTTPS Inspection is a feature which is included with the following Check Point Software Blades:

+ Application Control
+ URL Filtering
+ Content Awareness
+ DLP
+ IPS
+ Anti-Virus
+ Anti-Bot
+ Threat Emulation

Enabling HTTPS Inspection

There are two types of HTTPS Inspection:

+ Outbound HTTPS Inspection — protects against malicious traffic sent from an internal client to an external site or server.
+ Inbound HTTPS Inspection — protects internal servers from malicious requests that arrive from the Internet or an external network.

CA Certificates

The Security Gateway uses certificates to act as an intermediary between the client computer and the secured website.
An outbound Certification Authority (CA) certificate must be created or imported for the gateway to inspect outbound HTTPS traffic when the feature is enabled for the first time. This certificate is then used by all Security Gateways managed on the Security Management Server.

The outbound CA certificate is saved with a P12 file extension and uses a password to encrypt the private key of the file. P12 files store a private key that can encrypt information which can only be decrypted by a corresponding public key. The Security Gateway uses the password to sign certificates for the sites accessed. The password is also used by other Security Management Servers that import the CA certificate to decrypt the file. The newly created certificate must be exported so that it can be deployed on the clients; otherwise users will receive SSL error messages when accessing HTTPS sites.

After the outbound CA certificate has been created, a certificate object named Outbound Certificate is created and used in rules that inspect outbound HTTPS traffic.

To enable Inbound HTTPS Inspection, server certificates for servers behind the gateway must be imported and assigned. A server certificate object is created after the server certificate is added to the gateway. When an inbound HTTPS connection arrives from an external client and connects to an internal server, the Security Gateway intercepts and inspects the inbound traffic. It creates a new HTTPS connection from the gateway to the internal server. To allow Inbound HTTPS Inspection, the gateway uses the original server certificate and private key for SSL connections.

To view Trusted CAs and Server Certificates for HTTPS Inspection:

1. In SmartConsole, navigate to the Security Policies view.
2. Under the Shared Policies section, select HTTPS Inspection.
3. Click the link to open HTTPS Inspection in SmartDashboard.
4. Select the list of certificates you want to view from the navigation pane of the HTTPS Inspection tab.

Figure 139 — List of Trusted CAs

Inspecting HTTPS Traffic

To inspect HTTPS traffic, HTTPS Inspection rules must be created and installed in the Access Control policy. HTTPS Inspection rules define how the Security Gateway inspects the traffic. These rules are applied to all of the Software Blades that have HTTPS Inspection enabled. The HTTPS Inspection Policy is managed in SmartDashboard.

The Rule Base must be configured with different HTTPS Inspection rules for outbound and inbound traffic. The outbound rules use the certificate that was generated for the Security Gateway. The inbound rules use a different certificate for each internal server. Bypass rules for traffic that is sensitive and should not be inspected can also be created. These rules must be placed at the top of the HTTPS Inspection Rule Base. Once the HTTPS Inspection rules have been created, the Access Control Policy must be installed.

Figure 140 — HTTPS Inspection Policy

Inspecting Outbound Connections

HTTPS requests are compared to the rules in the HTTPS Inspection Policy by the Security Gateway. The figure below represents how outbound connections are inspected.

Figure 141 — Inspecting Outbound Connections

If an HTTPS request does not match a rule, the packet is not inspected and the connection is allowed. If the request matches a rule, the Security Gateway validates the certificate from the server. A new certificate is created and used for new HTTPS connections.
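The first-match logic of the HTTPS Inspection Rule Base described above, as an added example that is not part of the manual: bypass rules sit at the top, outbound matches use the Outbound Certificate, inbound matches use a per-server certificate, and a helper flags bypass rules that a broader Inspect rule above them would shadow. The network, site categories and certificate object names are assumed.

```python
"""Model of an HTTPS Inspection Rule Base: first-match evaluation, bypass rules
at the top, Outbound Certificate for outbound and a server certificate for inbound.
Constructed example; the network, categories and certificate names are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.1.0/24")   # assumed internal network object


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # "Internal" or "Any"
    destination: str     # "Internal" or "Any"
    category: str        # assumed site category; "Any" matches every category
    action: str          # "Bypass" or "Inspect"
    certificate: str     # "Outbound Certificate" or a server certificate object


@dataclass(frozen=True)
class Request:
    src: str
    dst: str
    category: str


RULE_BASE = [
    # Bypass rules for sensitive traffic are placed first so they win on first match
    Rule("Bypass banking", "Internal", "Any", "Financial Data", "Bypass", ""),
    Rule("Bypass health", "Internal", "Any", "Health", "Bypass", ""),
    Rule("Inspect outbound", "Internal", "Any", "Any", "Inspect", "Outbound Certificate"),
    Rule("Inspect inbound web", "Any", "Internal", "Any", "Inspect", "webserver cert (assumed)"),
]


def _matches(field, ip):
    """Column match: 'Any' matches everything, 'Internal' matches the internal network."""
    if field == "Any":
        return True
    return ip_address(ip) in INTERNAL if field == "Internal" else False


def evaluate(request, rule_base=RULE_BASE):
    """Return (rule name, action, certificate, direction) of the first matching rule.
    No match means the connection is passed without inspection."""
    for rule in rule_base:
        if (_matches(rule.source, request.src) and _matches(rule.destination, request.dst)
                and rule.category in ("Any", request.category)):
            direction = "outbound" if ip_address(request.src) in INTERNAL else "inbound"
            return rule.name, rule.action, rule.certificate, direction
    return None, "Pass", "", "none"


def inspection_steps(request):
    """Steps the gateway takes for a request, following the outbound/inbound flow."""
    _, action, cert, direction = evaluate(request)
    if action != "Inspect":
        return ["connection passed without inspection"]
    if direction == "outbound":
        return ["validate the external server's certificate",
                f"issue a new certificate for the client signed by '{cert}'",
                "decrypt, inspect, re-encrypt and forward"]
    return [f"present '{cert}' to the external client",
            "open a new HTTPS connection to the internal server",
            "decrypt, inspect, re-encrypt and forward"]


def shadowed_bypass_rules(rule_base):
    """Bypass rules placed below a broader Inspect rule can never match;
    this check catches a rule base that violates the bypass-on-top requirement."""
    shadowed = []
    for i, rule in enumerate(rule_base):
        if rule.action != "Bypass":
            continue
        for earlier in rule_base[:i]:
            if (earlier.action == "Inspect" and earlier.category == "Any"
                    and earlier.source in ("Any", rule.source)
                    and earlier.destination in ("Any", rule.destination)):
                shadowed.append(rule.name)
                break
    return shadowed
```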
The packets are decrypted and inspected according to the Security Policy. Once the packet has been inspected, it is encrypted again and sent to its destination.

Inspecting Inbound Connections

Inbound HTTPS connections arrive from an external client and connect to a server in the DMZ or the internal network. The figure below represents how inbound connections are inspected.

Figure 142 — Inspecting Inbound Connections

If an HTTPS request does not match a rule, the packet is not inspected and the connection is allowed. If the request matches a rule, the Security Gateway uses the server certificate to create an HTTPS connection with the external client. The gateway then creates a new HTTPS connection with the internal server. The secured connection allows the gateway to proceed with the decryption and inspection.

Lab 2.2 HTTPS Inspection

Network Address Translation

Network Address Translation (NAT) allows Security Administrators to overcome IP addressing limitations, allowing private IP-address allocation and unregistered internal-addressing schemes. Enterprises employ NAT for a variety of reasons, including:

+ For private IP addresses used in internal networks
+ To limit external network access
+ For ease and flexibility of network administration

NAT can be used to translate either IP address in a connection. Translating the IP of the machine initiating the connection (typically the "client" of the connection) is called Source NAT. Translating the IP address of the machine receiving the connection is called Destination NAT.
The Security Gateway supports two types of NAT where the source and/or the destination are translated:

+ Hide NAT — a many-to-one relationship where multiple computers on the internal network are represented by a single unique address. This type of NAT is also referred to as Dynamic NAT.
+ Static NAT — a one-to-one relationship where each host is translated to a unique address; this allows connections to be initiated internally and externally. An example would be a web server or a mail server that needs to allow connections initiated externally.

NAT can be configured on Check Point hosts, nodes, networks, address ranges and dynamic objects. NAT can be configured automatically or by creating Manual NAT rules. Manual NAT rules offer flexibility because they allow the translation of both the source and destination of the packet and allow the translation of services. Manual NAT is discussed in greater detail in the CCSE course.

Address translation rules are divided into two elements: Original Packet and Translated Packet. The elements of the Original Packet section inform a Security Gateway which packets match the rule. The Translated Packet elements define how the Security Gateway should modify the packet.

Hide NAT

In Hide NAT the source is translated, the source port is modified, and translation occurs on the server side. In the illustration below, notice the source packet with address 10.1.1.101 going to destination 192.9.100.10. The Firewall modifies the source port and adds the port information to a state table. The packet translates on post-outbound, 'O', as it leaves the gateway.
For protocols where the port number cannot be changed, Hide NAT cannot be used.

Figure 179 — Hide NAT

Choosing the Hide Address in Hide NAT

The Hide Address is the address behind which the network, address range or node is hidden. It is possible to hide behind either the interface of the gateway or a specified IP address. Choosing a fixed public IP address is a good option if you want to hide the address of the Security Gateway. However, it means you have to use an extra publicly routable IP address. Choosing to hide behind the address of the gateway is a good option for administrative purposes. For example, if the external IP address of the gateway changes, there is no need to change the NAT settings.

The default method for destination NAT is "client side", where NAT occurs on the Inbound interface closest to the client. Assume the client is outside the gateway and the server is inside the gateway with automatic Static NAT configured. When the client starts a connection to access the server's NAT IP address, the following happens to the original packet in a client side NAT.

In the original packet:

1. The packet from outside the gateway arrives at the Inbound interface, 'i', destined for the web server and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the Connections table and the destination is translated on the post-in side of the interface, 'I', before it is routed.
3. The packet arrives at the TCP/IP stack of the gateway and is routed to the Outbound interface, 'o'.
4. The packet is then forwarded through the kernel, 'O', and routed to the web server.

In the reply packet:

1. The web server replies and hits the Inbound interface, 'i', of the gateway.
2. The packet is passed by the policy since it is found in the Connections table and arrives at the post-in side of the kernel, 'I'.
3. The packet arrives at the TCP/IP stack of the gateway and is routed to the Outbound interface, 'o'.
4. The packet goes through the Outbound interface and is translated to the Static NAT IP address as it leaves the Security Gateway, 'O'. The source port does not change.

When the external server must distinguish between clients based on their IP addresses, Hide NAT cannot be used because all clients share the same IP address under Hide NAT. To allow connections from the external network to the internal network, only Static NAT can be used.

Object Configuration - Hide NAT

Hide NAT can be configured to hide networks using a Security Gateway IP address or another, externally accessible IP address. The following figure illustrates how to configure NAT so that all machines that reside on the network represented by this object are hidden behind the gateway's public address. To configure Hide NAT with Automatic NAT rule creation, select the Add automatic address translation rules option. This automatically creates the necessary NAT rules for the object.

Figure 180 — NAT Configured Object

Configuring the network object as described above creates two rules in the Address Translation policy. The first rule prevents the translation of packets traveling from the translated object to itself. The second rule instructs the Security Gateway to translate packets whose source IP address is part of the company's network. This rule translates packets from private addresses to the IP address of the exiting interface of the Security Gateway.
Figure 181 — NAT Rules

Because Hide NAT also modifies source ports, there is no need to add another rule for reply packets. Information recorded in a Security Gateway's state tables will be used to modify the destination IP address and destination port of reply packets.
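The Hide NAT and Static NAT behaviour described in this section, as an added simulation that is not part of the manual: the two automatic rules created for a hidden network (no translation from the object to itself, then hide behind the gateway's exiting interface), the state table that maps reply packets back to the original client and port, and one-to-one Static NAT for a web server whose port is never changed. The 10.1.1.101 and 192.9.100.10 addresses are the page's; the internal network, gateway address, web server addresses and the hide-port counter are assumed.

```python
"""Simulation of automatic Hide NAT and Static NAT on a gateway with a state table.
Constructed example; the network, gateway and web server addresses are assumed."""
import itertools
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


INTERNAL_NET = ip_network("10.1.1.0/24")    # assumed: the hidden network object
GATEWAY_EXT_IP = "192.0.2.1"                # assumed: gateway's external interface
WEB_SERVER_IP = "10.1.1.50"                 # assumed: internal web server
WEB_SERVER_NAT_IP = "192.0.2.80"            # assumed: its Static NAT address


class Gateway:
    def __init__(self):
        # state table: (translated src, translated sport) -> (original src, original sport)
        self.connections = {}
        self._hide_ports = itertools.count(10000)   # assumed hide-port allocation

    def outbound(self, pkt):
        """Source NAT applied as the packet leaves the gateway (post-outbound 'O')."""
        src_internal = ip_address(pkt.src) in INTERNAL_NET
        dst_internal = ip_address(pkt.dst) in INTERNAL_NET
        if src_internal and dst_internal:
            return pkt  # rule 1: traffic from the object to itself is not translated
        if pkt.src == WEB_SERVER_IP:
            # Static NAT: one-to-one, the source port does not change
            self.connections[(WEB_SERVER_NAT_IP, pkt.sport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=WEB_SERVER_NAT_IP)
        if src_internal:
            # rule 2: Hide NAT behind the exiting interface; the modified source
            # port is recorded so the reply can be mapped back to the client
            hide_port = next(self._hide_ports)
            self.connections[(GATEWAY_EXT_IP, hide_port)] = (pkt.src, pkt.sport)
            return replace(pkt, src=GATEWAY_EXT_IP, sport=hide_port)
        return pkt

    def inbound(self, pkt):
        """Destination NAT on the inbound side ('I'): replies to hidden clients are
        restored from the state table; new connections reach only Static NAT hosts.
        Returns None when nothing matches (the hidden hosts are not reachable)."""
        key = (pkt.dst, pkt.dport)
        if key in self.connections:
            orig_ip, orig_port = self.connections[key]
            return replace(pkt, dst=orig_ip, dport=orig_port)
        if pkt.dst == WEB_SERVER_NAT_IP:
            return replace(pkt, dst=WEB_SERVER_IP)   # port unchanged under Static NAT
        return None
```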