checkpoint firewall for dummies

Security- Checkpoint NetworKraft Consultancy

Upload: sushmil123

Post on 08-Jan-2017




Page 1: Checkpoint Firewall for Dummies

Security- Checkpoint

NetworKraft Consultancy

Page 2: Checkpoint Firewall for Dummies

Why Checkpoint?

• Specialized Vendor
– Only Firewall Creators

• More Granularity
– Connection based Granularity

• More Open
– Multiple hardware platforms
– Multiple OS platforms for Management Server

Page 3: Checkpoint Firewall for Dummies

Why Checkpoint?

• Better management tools
– SmartConsole

• Simpler GUI
– More user-friendly GUI (my view)
– Easy to troubleshoot

• No Java incompatibility issue
– ASA faces this more often

Page 4: Checkpoint Firewall for Dummies

Where Checkpoint?

• Everywhere… mostly in enterprises where there are
– Multiple DMZ zones
– Web servers
– A variety of applications
– Numerous client requirements

Page 5: Checkpoint Firewall for Dummies

SMART Architecture

• Check Point Three-Tier Architecture
– SmartConsole: Client on the admin machine
– SmartCenter Server: Security Management Server
– Security Gateway: Enforcement Unit, the real FW

Page 6: Checkpoint Firewall for Dummies

Deployment

• Stand-alone Deployment
– Secure Platform + Management Server on the Enforcement Unit
– Client Software on the Client Machine

• Distributed Deployment
– Secure Platform on the Enforcement Module
– Management Server on separate hardware
– Client Software on the Client Machine

Page 7: Checkpoint Firewall for Dummies

Deployment

Distributed Deployment (diagram): Security Gateway (physical hardware); Security Mgmt Server; SmartView Tracker

Stand-Alone Deployment (diagram): Security Gateway (physical hardware) + Security Mgmt Server; SmartView Tracker

Page 8: Checkpoint Firewall for Dummies

Traffic Control Methods

• Packet Filtering
– Specific rules for allowing/denying traffic
– Explicit deny at the end of the policy

• Stateful Filtering
– Maintains a state table
– Makes the environment more secure
– Stales out old entries to protect the FW from running out of memory

• Application Aware Filtering
– More granular
– Datagram inspection
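The stateful-filtering bullets above describe three behaviours: keep a table of seen connections, accept replies because a forward entry exists, and stale out idle entries so the table cannot exhaust memory. The following Python is an added illustration of exactly that, not Check Point code; the 5-tuple key, the idle timeout, the trusted-source check that stands in for a rule base, and the addresses and packets in `demo()` are all constructed for the example.

```python
"""Toy stateful filter: connection table keyed by 5-tuple, with idle-timeout eviction.

Added example for the 'Stateful Filtering' bullets; not Check Point code.
IDLE_TIMEOUT, the trusted hosts and the packets below are constructed values.
"""
from dataclasses import dataclass

IDLE_TIMEOUT = 3600  # seconds; constructed value, real products tune this per protocol


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "FiveTuple":
        """The 5-tuple a reply packet for this connection would carry."""
        return FiveTuple(self.proto, self.dst, self.dport, self.src, self.sport)


class StatefulFilter:
    def __init__(self, trusted_sources, idle_timeout=IDLE_TIMEOUT):
        # trusted_sources: hosts allowed to open NEW connections (this toy's whole rule base)
        self.trusted_sources = set(trusted_sources)
        self.idle_timeout = idle_timeout
        self.table = {}  # FiveTuple in the initiator's direction -> last time a packet was seen

    def expire(self, now: float) -> int:
        """Stale out entries idle longer than the timeout; returns how many were removed."""
        stale = [k for k, last in self.table.items() if now - last > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)

    def handle(self, pkt: FiveTuple, now: float) -> str:
        self.expire(now)
        if pkt in self.table:                 # more traffic in the initiator's direction
            self.table[pkt] = now
            return "accept-established"
        rev = pkt.reverse()
        if rev in self.table:                 # reply to a connection already in the table
            self.table[rev] = now
            return "accept-reply"
        if pkt.src in self.trusted_sources:   # new connection: consult the rule base
            self.table[pkt] = now
            return "accept-new"
        return "drop"                         # no state and no rule: explicit deny


def demo():
    """Walk one outbound connection through the filter; returns (verdicts, table size)."""
    fw = StatefulFilter(trusted_sources={"192.168.1.30"})
    out = FiveTuple("tcp", "192.168.1.30", 40000, "203.0.113.9", 443)
    verdicts = [
        fw.handle(out, now=0),                                   # accept-new
        fw.handle(out.reverse(), now=10),                        # accept-reply
        fw.handle(FiveTuple("tcp", "198.51.100.7", 80,
                            "192.168.1.30", 40001), now=20),      # drop: unsolicited inbound
        fw.handle(out.reverse(), now=10 + IDLE_TIMEOUT + 1),     # drop: entry was staled out
    ]
    return verdicts, len(fw.table)


if __name__ == "__main__":
    print(demo())
```

The last packet in `demo()` is the point of the "stale out old entries" bullet: once the forward entry has aged out, a late reply is treated as unsolicited and dropped, and the table is back to zero entries rather than growing with every connection ever seen.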

Page 9: Checkpoint Firewall for Dummies

Secure Platform

• IPSO: FreeBSD
– Ipsilon company; 1997 NOKIA acquired; 2009 Check Point acquired NOKIA Security Appliances

• Secured Platform (SPLAT)

• GAIA: FreeBSD
– Same command line as in IPSO
– Beginning of virtualization (Virtual System eXtension)
– More concurrent connections (210 million)

Page 10: Checkpoint Firewall for Dummies

Real World of Check Point

• Network design from the FW point of view
• Installing GAiA OS using an image
• Basic configuration of a Check Point Enforcement Module using the GUI (GAiA)
• Adding a Security Gateway to the Management Server using the R77 Dashboard

Page 11: Checkpoint Firewall for Dummies

Design

Diagram labels: "YOUR NETWORK - DC (Ferrari)" (shown twice); "Tire X"; "Metal X"; "Internet"

Page 12: Checkpoint Firewall for Dummies

Design- iDMZ and xDMZ

Diagram labels: Internet; Internal Network; iDMZ; xDMZ

Page 13: Checkpoint Firewall for Dummies

Why Distributed Deployment

• Installing policy simultaneously on multiple FWs
• Easy to manage similar firewalls
• What if two different-purpose FWs are on the same Management Server?
– Policy Package

Page 14: Checkpoint Firewall for Dummies

Features

• Anti-spoofing
• Anti-bot
• Identity Awareness

Page 15: Checkpoint Firewall for Dummies

Lab Topology

Lab topology (diagram; address labels as printed in the figure): Internet; 192.168.10.4; .2; .3; .5; 192.168.1.1; .40; .30; .20; .7

Page 16: Checkpoint Firewall for Dummies

GAiA

• Interface configuration

• Routing
– Static
– Dynamic (RIP, OSPF)

• System Management
– Proxy Server
– Core dump
– System Logging

Page 17: Checkpoint Firewall for Dummies

GAiA Continued…

• High Availability: VRRP (Virtual Router Redundancy Protocol)
• User Management
• Back-up/Restore
• Upgrade and licensing

Page 18: Checkpoint Firewall for Dummies

Checkpoint SmartConsole

• Adding rules in firewalls
• Adding NAT rules in the firewall
• Policy package
• Network monitoring

Page 19: Checkpoint Firewall for Dummies

Important Commands

• cpinfo (the Check Point counterpart of Cisco's show tech-support)
• set interface eth0 ipv4-address 192.168.10.1 subnet-mask 255.255.255.0
• show interfaces all
• fw stat
• fw unloadlocal
• fw monitor

Page 20: Checkpoint Firewall for Dummies

Check Point Installation

- Start Virtual Machine
- Select Install Gaia on this system

Page 21: Checkpoint Firewall for Dummies

Check Point Installation

Page 22: Checkpoint Firewall for Dummies

Check Point Installation

Checking HCL

Page 23: Checkpoint Firewall for Dummies

Check Point Installation

- Check Machine Info (Opt)
- Select OK

Page 24: Checkpoint Firewall for Dummies

Check Point Installation

Select the Keyboard type

Page 25: Checkpoint Firewall for Dummies

Check Point Installation

- Partition Configuration
- View/Change
- OK

Page 26: Checkpoint Firewall for Dummies

Check Point Installation

- Type in the password

- Use this password while logging in through Gaia

Page 27: Checkpoint Firewall for Dummies

Check Point Installation

- Select the interface
- Recheck (Opt)

Page 28: Checkpoint Firewall for Dummies

Check Point Installation

- Give an IP address to eth0
- Netmask
- Default Gateway
- This is the IP through which we log in to Gaia

Page 29: Checkpoint Firewall for Dummies

Check Point Installation

Page 30: Checkpoint Firewall for Dummies

Check Point Installation

Page 31: Checkpoint Firewall for Dummies

Check Point Installation

Page 32: Checkpoint Firewall for Dummies

Check Point Installation

Page 33: Checkpoint Firewall for Dummies

Check Point Installation

Page 34: Checkpoint Firewall for Dummies

Check Point Installation

- Reboot

Page 35: Checkpoint Firewall for Dummies

Check Point Configuration

- Enter User Name and Password

Page 36: Checkpoint Firewall for Dummies

Check Point Configuration

- Entering Gaia

Page 37: Checkpoint Firewall for Dummies

Best Practices

• Add a Stealth Rule (relatively high, above most of the rules)
– Deny access to the FW itself
– Add an access rule above it for the management IP(s) to allow access

• Drop Noisy Traffic
– bootp, bootps, sstp, UPnP etc. are rarely used protocols

• Add a Drop Rule at the bottom of the list
– Drop everything else!

Page 38: Checkpoint Firewall for Dummies

Some Other Best Practices

• By default DNS, RIP and ICMP are unrestricted… Block them!
– Trojans such as Back Orifice use port 53/UDP (DNS)
– ICMP is used in traceroute and ping
– Man-in-the-middle and DoS are possible with poisoned RIP

• Maintain your FW
– Check for updates, as new vulnerabilities are always being discovered

• Know your Network
– Understand the requirement and place the FW accordingly
– Don't place it where you need to allow almost everything

• Add only specific rules
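The two best-practice slides above are really rules about rule-base ordering: management access above a stealth rule, a noisy-traffic drop, nothing that accepts DNS/RIP/ICMP from anywhere, and an explicit cleanup drop at the bottom. The Python below is an added example, not Check Point code or SmartConsole output: it models a first-match rule base as a list of dicts, evaluates packets top-down, and audits the base against those ordering rules. The gateway addresses, the admin workstation, the rule names, the service names (`domain-udp`, `bootps`, …) and the comments are all constructed for the example.

```python
"""First-match rule base plus an audit of the 'Best Practices' ordering advice.

Added example, not Check Point code. FW_ADDRESSES, MGMT_HOSTS, the rules and
service names below are constructed for illustration.
"""
import ipaddress

FW_ADDRESSES = {"192.168.10.1", "192.168.1.1"}  # the gateway's own interfaces (constructed)
MGMT_HOSTS = {"192.168.1.40"}                   # admin workstation allowed to manage it (constructed)
NOISY = {"bootp", "bootps", "sstp", "upnp"}     # the noisy services named on the slide
UNRESTRICTED_BY_DEFAULT = {"domain-udp", "rip", "icmp"}  # DNS, RIP, ICMP from the slide


def rule(name, src, dst, svc, action, comment=""):
    """src/dst: 'any' or a set of IPs/CIDRs; svc: 'any' or a set of service names."""
    return {"name": name, "src": src, "dst": dst, "svc": svc, "action": action, "comment": comment}


RULEBASE = [
    rule("mgmt-access", MGMT_HOSTS, FW_ADDRESSES, {"ssh", "https"}, "accept", "admins may reach the gateway"),
    rule("stealth", "any", FW_ADDRESSES, "any", "drop", "nobody else talks to the firewall itself"),
    rule("drop-noisy", "any", "any", NOISY, "drop", "rarely used; keeps the logs readable"),
    rule("dns-out", {"192.168.1.0/24"}, {"192.168.10.4"}, {"domain-udp"}, "accept", "only the internal resolver"),
    rule("web-out", {"192.168.1.0/24"}, "any", {"http", "https"}, "accept", "user browsing"),
    rule("cleanup", "any", "any", "any", "drop", "drop everything else"),
]


def addr_match(field, ip):
    if field == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in field)


def svc_match(field, svc):
    return field == "any" or svc in field


def first_match(rulebase, src, dst, svc):
    """Top-down, first matching rule wins; no match at all means drop (the implied cleanup)."""
    for r in rulebase:
        if addr_match(r["src"], src) and addr_match(r["dst"], dst) and svc_match(r["svc"], svc):
            return r["name"], r["action"]
    return "implicit", "drop"


def audit(rulebase):
    """Return the slide's best-practice violations that this rule base exhibits."""
    findings = []
    last = rulebase[-1]
    if not (last["src"] == "any" and last["dst"] == "any" and last["svc"] == "any" and last["action"] == "drop"):
        findings.append("no explicit cleanup rule (drop any/any/any) at the bottom")
    stealth = [i for i, r in enumerate(rulebase)
               if r["src"] == "any" and r["dst"] == FW_ADDRESSES and r["action"] == "drop"]
    if not stealth:
        findings.append("no stealth rule protecting the gateway's own addresses")
    else:
        for r in rulebase[:stealth[0]]:   # only management access belongs above the stealth rule
            if not (r["dst"] == FW_ADDRESSES and r["action"] == "accept" and r["src"] != "any"):
                findings.append(f"rule '{r['name']}' sits above the stealth rule but is not a management-access rule")
    if not any(r["action"] == "drop" and r["svc"] != "any" and NOISY <= r["svc"] for r in rulebase):
        findings.append("no rule dropping the noisy services (bootp/bootps/sstp/upnp)")
    for r in rulebase:
        if r["action"] == "accept" and r["src"] == "any" and (r["svc"] == "any" or r["svc"] & UNRESTRICTED_BY_DEFAULT):
            findings.append(f"rule '{r['name']}' accepts DNS/RIP/ICMP (or everything) from any source")
        if not r["comment"]:
            findings.append(f"rule '{r['name']}' has no comment")
    return findings


if __name__ == "__main__":
    print(first_match(RULEBASE, "192.168.1.30", "192.168.10.1", "ssh"))   # ('stealth', 'drop')
    print(audit(RULEBASE))                                               # []
```

One caveat when carrying this over to a real gateway: the "unrestricted by default" DNS, RIP and ICMP acceptance the slide warns about is configured as implied rules under Global Properties, not as visible rules in the rule base, so an audit of the explicit rules alone (like this one) will not see them; they have to be reviewed there separately.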

Page 39: Checkpoint Firewall for Dummies

…and a few more

• Relevant and consistent FW and object naming.

• Use group management: policy packaging and section creation.

• Use comments while making changes to the existing config and rule base.

• Take regular backups of config and rules.

• Generate an alert in your management systems (HPOV) for monitoring the FW environment and regular backup procedures.