Checkpoint Firewall for Dummies


Security- Checkpoint

NetworKraft Consultancy

Why Checkpoint?

• Specialized Vendor
  – Only firewall creators

• More Granularity
  – Connection-based granularity

• More Open
  – Multiple hardware platforms
  – Multiple OS platforms for the Management Server

• Better management tools
  – SmartConsole

• Simpler GUI
  – More user-friendly GUI (my view)
  – Easy to troubleshoot

• No Java incompatibility issue
  – ASA faces this more often

Where Checkpoint?

• Everywhere… mostly in enterprises where there are
  – Multiple DMZ zones
  – Web servers
  – A variety of applications
  – Numerous client requirements

SMART Architecture

• Check Point three-tier architecture
  – SmartConsole: client on the admin machine
  – SmartCenter Server: the Security Management Server
  – Security Gateway: the enforcement unit, i.e. the real firewall

Deployment

• Stand-alone Deployment
  – Secure Platform + Management Server = Enforcement Unit
  – Client software on the client machine

• Distributed Deployment
  – Secure Platform = Enforcement Module
  – Management Server on separate hardware
  – Client software on the client machine

Deployment diagram (recovered labels only):

Distributed Deployment: Security Gateway (physical hardware); Security Mgmt Server; SmartView Tracker

Stand-Alone Deployment: Security Gateway (physical hardware) + Security Mgmt Server; SmartView Tracker

Traffic Control Methods

• Packet Filtering
  – Specific rules for allowing/denying traffic
  – Explicit deny at the end of the policy

• Stateful Filtering
  – Maintains a state table
  – Makes the environment more secure
  – Stales out old entries to protect the FW from running out of memory

• Application-Aware Filtering
  – More granular
  – Datagram inspection
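To make the stateful-filtering bullets concrete, here is an added example (not code from the deck or from Check Point): a minimal state table that admits new connections only from the internal side, passes outside packets only when they match an existing entry, and stales out idle entries on a constructed 60-second timeout.

```python
from dataclasses import dataclass

# Added example, not code from the NetworKraft deck: a minimal stateful filter
# that keeps a state table and stales out idle entries.
IDLE_TIMEOUT = 60  # seconds; constructed value, real Check Point timeouts differ


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # "int" (trusted side) or "ext" (Internet side)


class StatefulFilter:
    """Allow new connections only from the internal side; pass replies
    only when a matching state entry exists; age out idle entries."""

    def __init__(self):
        self.state = {}  # 5-tuple of the originating direction -> last-seen time

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def expire(self, now):
        """Stale out old entries so the table cannot grow without bound."""
        stale = [k for k, seen in self.state.items() if now - seen > IDLE_TIMEOUT]
        for k in stale:
            del self.state[k]
        return len(stale)

    def check(self, p, now):
        self.expire(now)
        for k in (self._key(p), self._reverse_key(p)):
            if k in self.state:          # existing connection, either direction
                self.state[k] = now
                return "accept"
        if p.iface == "int":             # new connection from the inside
            self.state[self._key(p)] = now
            return "accept"
        return "drop"                    # unsolicited packet from the outside
```

An unsolicited reply from the outside is dropped, the same reply after an inside host opened the connection is accepted, and once the entry idles past the timeout the reply is dropped again.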

Secure Platform

• IPSO: FreeBSD
  – Ipsilon company, 1997; NOKIA acquired it; 2009: Check Point acquired NOKIA Security Appliances

• Secured Platform (SPLAT)

• GAIA: FreeBSD
  – Same command line as in IPSO
  – Beginning of virtualization (Virtual System eXtension)
  – More concurrent connections (210 million)

Real World of Check Point

• Network design from the FW point of view
• Installing GAiA OS using an image
• Basic configuration of the Check Point Enforcement Module using the GUI (GAiA)
• Adding the Security Gateway to the Management Server using the R77 Dashboard

Design (diagram; recovered labels only): Your Network - DC (Ferrari); Tire X; Metal X; Internet

Design- iDMZ and xDMZ (diagram; recovered labels only): Internet; Internal Network; idmz; xdmz

Why Distributed Deployment

• Installing policy simultaneously on multiple FWs
• Easy to manage similar firewalls
• What if two FWs with different purposes are on the same Management Server?
  – Policy Package

Features

• Anti-spoofing
• Anti-bot
• Identity Awareness

Lab Topology (diagram; labels as extracted): Internet; 192.168.10.4; .2; .3; .5; 192.168.1.1.40; .30; .20.7

GAiA

• Interface configuration
• Routing
  – Static
  – Dynamic (RIP, OSPF)
• System Management
  – Proxy server
  – Core dump
  – System logging
• High Availability: VRRP (Virtual Router Redundancy Protocol)
• User Management
• Back-up/Restore
• Upgrade and licensing

Checkpoint SmartConsole

• Adding rules in the firewall
• Adding NAT rules in the firewall
• Policy package
• Network monitoring

Important Commands

• cpinfo (the equivalent of Cisco's show tech-support)
• set interface eth0 ipv4-address 192.168.10.1 subnet-mask 255.255.255.0
• show interfaces all
• fw stat
• fw unloadlocal (unloads the local policy; the gateway stops enforcing until a policy is installed again)
• fw monitor

Check Point Installation

- Start the virtual machine
- Select "Install Gaia on this system"
- Checking HCL
- Check machine info (optional), then select OK
- Select the keyboard type
- Partition configuration: View/Change, then OK
- Type in the password; use this password while logging in through Gaia
- Select the interface; recheck (optional)
- Give an IP address to eth0, the netmask and the default gateway; this is the IP using which we can log in to Gaia
- Reboot

Check Point Configuration

- Enter user name and password
- Entering Gaia

Best Practices

• Add a Stealth Rule (relatively high, above most of the rules)
  – Deny access to the FW itself
  – Add an access rule above it for the management IP(s) to allow administrative access

• Drop Noisy Traffic
  – bootp, bootps, sstp, UPMP etc. are rarely used protocols

• Add a Drop Rule at the bottom of the list
  – Drop everything else!

Some Other Best Practices

• By default DNS, RIP and ICMP are unrestricted… block them!
  – Trojans such as Back Orifice use port 53/UDP (DNS)
  – ICMP is used in traceroute and ping
  – Man-in-the-middle and DoS are possible with poisoned RIP

• Maintain your FW
  – Check for updates, as new vulnerabilities are always being discovered

• Know your network
  – Understand the requirement and place the FW accordingly
  – Don't place it where you need to allow almost everything

• Add only specific rules
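The two best-practice slides above (stealth rule with management access above it, drop noisy traffic, explicit cleanup drop, specific rules only) describe a first-match rule base; this added example, not code from the deck or from Check Point, evaluates such a rule base and shows why the management rule has to sit above the stealth rule. All addresses, networks and services are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not code from the deck: a first-match rule base laid out in
# the order the slides recommend. All addresses and services are constructed.
ANY = [ip_network("0.0.0.0/0")]
FW_ADDRS = [ip_network("192.168.1.1/32"), ip_network("192.168.10.4/32")]  # FW interfaces
MGMT_HOSTS = [ip_network("192.168.1.7/32")]                               # admin workstation
DMZ = [ip_network("10.0.0.0/24")]


@dataclass
class Rule:
    name: str
    src: list
    dst: list
    svc: Optional[set]   # set of (proto, port); None means any service
    action: str


def matches(rule, src, dst, proto, port):
    s, d = ip_address(src), ip_address(dst)
    return (any(s in n for n in rule.src) and any(d in n for n in rule.dst)
            and (rule.svc is None or (proto, port) in rule.svc))


def evaluate(rulebase, src, dst, proto, port):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for r in rulebase:
        if matches(r, src, dst, proto, port):
            return r.action, r.name
    return "drop", "implicit-deny"


RULEBASE = [
    Rule("mgmt-access", MGMT_HOSTS, FW_ADDRS, {("tcp", 22), ("tcp", 443)}, "accept"),
    Rule("stealth", ANY, FW_ADDRS, None, "drop"),                       # nobody else reaches the FW
    Rule("drop-noisy", ANY, ANY, {("udp", 67), ("udp", 68)}, "drop"),   # bootp/bootps
    Rule("web-to-dmz", ANY, DMZ, {("tcp", 80), ("tcp", 443)}, "accept"),
    Rule("cleanup", ANY, ANY, None, "drop"),                            # explicit drop-everything-else
]

# Same rules with stealth placed above the management rule: the admin is locked out.
MISORDERED = [RULEBASE[1], RULEBASE[0]] + RULEBASE[2:]
```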

…and a few more

• Relevant and consistent FW and object naming
• Use group management: policy packaging and section creation
• Use comments while making changes to the existing config and rule base
• Take regular backups of the config and rules
• Generate an alert in your management systems (HPoV) for monitoring the FW environment and regular backup procedures

Recommended