
Security - Check Point

NetworKraft Consultancy
Why Check Point?

• Specialized vendor
– Dedicated firewall vendor

• More granularity
– Connection-based granularity

• More open
– Multiple hardware platforms
– Multiple OS platforms for the Management Server
Why Check Point?

• Better management tools
– SmartConsole

• Simpler GUI
– More user-friendly GUI (my view)
– Easy to troubleshoot

• No Java incompatibility issues
– ASA faces this more often
Where Check Point?

• Everywhere… mostly in enterprises where there are
– Multiple DMZ zones
– Web servers
– A variety of applications
– Numerous client requirements
SMART Architecture

• Check Point Three-Tier Architecture
– SmartConsole -> client on the admin machine
– SmartCenter Server -> Security Management Server
– Security Gateway -> Enforcement Unit -> the real FW


Deployment

• Stand-alone Deployment
– Secure Platform + Management Server -> both on the Enforcement Unit
– Client software on the client machine

• Distributed Deployment
– Secure Platform -> Enforcement Module
– Management Server -> separate hardware
– Client software on the client machine
Deployment

Distributed Deployment: [diagram: Security Gateway (physical hardware), Security Management Server and SmartView Tracker on separate machines]

Stand-Alone Deployment: [diagram: Security Gateway (physical hardware) + Security Management Server on one machine, SmartView Tracker separate]
Traffic Control Methods

• Packet Filtering
– Specific rules for allowing/denying traffic
– Explicit deny at the end of the policy
• Stateful Filtering
– Maintains a state table
– Makes the environment more secure
– Stales out idle entries so the FW does not run out of memory
• Application Aware Filtering
– More granular
– Datagram inspection
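The stateful filtering bullets above as a small Python model, added here and not taken from the slides: replies are matched by the reversed 5-tuple without consulting the rules again, idle entries are staled out, and the table size is bounded. INTERNAL_NET, the policy stand-in and all addresses are constructed assumptions.

```python
"""Stateful filtering as described above: a connection table keyed by the
5-tuple, replies matched by the reversed tuple, idle entries staled out.
Constructed example; INTERNAL_NET follows the lab's 192.168.10.0/24."""
import time
from collections import namedtuple
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.10.0/24")   # assumption: the inside network
Packet = namedtuple("Packet", "proto src sport dst dport")

class StateTable:
    def __init__(self, idle_timeout=60.0, max_entries=1000, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.max_entries = max_entries   # bound memory, like the FW's table limit
        self.clock = clock               # injectable so ageing can be tested
        self._conns = {}                 # 5-tuple -> last-seen timestamp

    def _stale_out(self):
        """Drop entries idle longer than the timeout (the 'staling out')."""
        now = self.clock()
        self._conns = {k: t for k, t in self._conns.items()
                       if now - t <= self.idle_timeout}

    def handle(self, pkt):
        """Return 'accept' or 'drop' for one packet."""
        self._stale_out()
        rev = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (pkt, rev):           # packet of a known connection?
            if key in self._conns:
                self._conns[key] = self.clock()
                return "accept"
        # New connection: the packet-filter policy is consulted only here.
        # Policy stand-in (constructed): inside hosts may connect outward.
        if ip_address(pkt.src) in INTERNAL_NET and ip_address(pkt.dst) not in INTERNAL_NET:
            if len(self._conns) >= self.max_entries:
                return "drop"            # table full: protect the FW's memory
            self._conns[pkt] = self.clock()
            return "accept"
        return "drop"                    # explicit deny: no rule and no state

def demo():
    clock = [0.0]                        # fake clock we can advance
    table = StateTable(idle_timeout=60.0, clock=lambda: clock[0])
    out = Packet("tcp", "192.168.10.20", 40000, "198.51.100.80", 443)   # inside -> web
    back = Packet("tcp", "198.51.100.80", 443, "192.168.10.20", 40000)  # the reply
    rogue = Packet("tcp", "203.0.113.9", 5555, "192.168.10.20", 40000)  # unsolicited
    verdicts = [table.handle(out), table.handle(back), table.handle(rogue)]
    clock[0] = 120.0                     # idle > timeout: entry is staled out
    verdicts.append(table.handle(back))
    return verdicts                      # ['accept', 'accept', 'drop', 'drop']
```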
Secure Platform

• IPSO: FreeBSD
– Ipsilon -> 1997: acquired by NOKIA -> 2009: Check Point acquired NOKIA Security Appliances

• Secure Platform (SPLAT)

• GAIA: FreeBSD
– Same command line as in IPSO
– Beginning of virtualization (Virtual System eXtension)
– More concurrent connections (210 million)
Real World of Check Point

• Network design from the FW point of view
• Installing GAiA OS using an image
• Basic configuration of the Check Point Enforcement Module using the GUI (GAiA)
• Adding the Security Gateway to the Management Server using the R77 Dashboard
Design

[diagram: tiered network design; Internet -> your firewall ("Your Metal") -> DC network, Tier X]
Design - iDMZ and xDMZ

[diagram: Internal Network, iDMZ, xDMZ, Internet]
Why Distributed Deployment

• Install policy on multiple FWs simultaneously
• Easy to manage similar firewalls
• What if two FWs with different purposes are on the same Management Server?
– Policy Package
Features

• Anti-spoofing
• Anti-bot
• Identity Awareness
Lab Topology

[diagram: hosts .2/.20, .3/.30, .5/.40 and 192.168.10.4 behind the gateway; 192.168.1.1 towards the Internet]

• Interface configuration
• Routing
– Static
– Dynamic (RIP,OSPF)
• System Management
– Proxy Server
– Core dump
– System Logging
GAiA Continued…

• High Availability
– VRRP (Virtual Router Redundancy Protocol)
• User Management
• Back-up/Restore
• Upgrade and licensing
Check Point SmartConsole

• Adding Rules in Firewalls


• Adding NAT rules in Firewall
• Policy package
• Network Monitoring
Important Commands

• cpinfo -> the equivalent of show tech-support (Cisco)
• set interface eth0 ipv4-address 192.168.10.1 subnet-mask 255.255.255.0
• show interfaces all
• fw stat
• fw unloadlocal
• fw monitor
Check Point Installation

- Start the virtual machine
- Select "Install Gaia on this system"
- Checking HCL (hardware compatibility list)
- Check Machine Info (optional)
- Select OK
- Select the keyboard type
- Partition configuration: View/Change, then OK
- Type in the password; use this password when logging in through Gaia
- Select the interface; recheck (optional)
- Give an IP address to eth0, with netmask and default gateway; this is the IP used to log in to Gaia
- Reboot

Check Point Configuration

- Enter user name and password
- Entering Gaia
Best Practices

• Add a Stealth Rule (near the top, above most other rules)
– Denies all access to the FW itself
– Add an access rule above it for the management IP(s) so administrators can still reach the FW
• Drop noisy traffic
– bootp, bootps, sstp, UPMP etc. are rarely used protocols
• Add a Drop Rule at the bottom of the list
– Drop everything else!
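The stealth, noisy-traffic and cleanup rules above as a first-match rule base, written here as an added Python example rather than Check Point configuration; the gateway IPs, admin network, management services and the sample web server are constructed assumptions. The lint function flags the two ordering mistakes the slide warns about.

```python
"""First-match rule base modelled as an ordered list, to show why the
management-access rule sits above the stealth rule and why the cleanup
drop sits last. Constructed example, not Check Point configuration."""
from ipaddress import ip_address, ip_network

FW_IPS = {"192.168.10.1", "192.168.1.1"}      # assumption: the gateway's own IPs
MGMT_NET = ip_network("192.168.10.0/24")       # assumption: admin workstations
MGMT_SVC = {("tcp", 22), ("tcp", 443)}         # assumption: SSH and the Gaia web portal
NOISY = {("udp", 67), ("udp", 68)}             # bootps / bootp from the slide

def rule(name, src, dst, svc, action):
    return {"name": name, "src": src, "dst": dst, "svc": svc, "action": action}

def matches(r, pkt):
    src_ok = r["src"] == "any" or ip_address(pkt["src"]) in r["src"]
    dst_ok = r["dst"] == "any" or pkt["dst"] in r["dst"]
    svc_ok = r["svc"] == "any" or (pkt["proto"], pkt["dport"]) in r["svc"]
    return src_ok and dst_ok and svc_ok

def evaluate(rulebase, pkt):
    """First matching rule wins; returns (rule name, action)."""
    for r in rulebase:
        if matches(r, pkt):
            return r["name"], r["action"]
    return "implicit-drop", "drop"     # reached only if the cleanup rule is missing

def lint(rulebase):
    """Ordering checks a reviewer would run before policy install."""
    names = [r["name"] for r in rulebase]
    problems = []
    if {"mgmt-access", "stealth"} <= set(names) and \
            names.index("mgmt-access") > names.index("stealth"):
        problems.append("mgmt-access is below stealth: admins are locked out")
    last = rulebase[-1] if rulebase else None
    if not last or (last["src"], last["dst"], last["svc"], last["action"]) != \
            ("any", "any", "any", "drop"):
        problems.append("last rule is not an explicit any/any/any cleanup drop")
    return problems

GOOD = [
    rule("mgmt-access", MGMT_NET, FW_IPS, MGMT_SVC, "accept"),  # must sit above stealth
    rule("stealth", "any", FW_IPS, "any", "drop"),              # nobody else reaches the FW
    rule("noisy", "any", "any", NOISY, "drop"),                 # rarely used protocols
    rule("web", "any", {"192.168.10.4"}, {("tcp", 443)}, "accept"),
    rule("cleanup", "any", "any", "any", "drop"),               # drop everything else
]
BAD = [GOOD[1], GOOD[0]] + GOOD[2:]    # same rules, stealth moved above mgmt-access
```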
Some Other Best Practices

• By default DNS, RIP and ICMP are unrestricted… block them!
– Trojans such as Back Orifice use port 53/UDP (DNS)
– ICMP is used by traceroute and ping
– Man-in-the-middle and DoS are possible with poisoned RIP
• Maintain your FW
– Check for updates, as new vulnerabilities are discovered all the time
• Know your network
– Understand the requirement, then place the FW
– Don't place it where you would need to allow almost everything
• Add only specific rules
…and a few more

• Relevant and consistent FW and object naming
• Use group management: policy packaging and section creation
• Use comments when changing existing config and the rule base
• Take regular backups of config and rules
• Generate alerts in your management system (HPoV) to monitor the FW environment and regular backup procedures
