
Welcome to Checkpoint Firewall Administration Training
Introduction
Introduce the Instructor
Introduce you!
Introduce the course

Who are you?


Your instructor

You

What is a Firewall?
A firewall is a system of hardware and/or software
that controls access between two or more networks.
The firewall sits at the junction point or gateway
between the two networks, usually a private
network and a public network such as the
Internet.

Why do we need a Firewall?

Security is an extensive and serious
issue in today's environment. From
privacy policies to corporate
espionage, the threats come from both
internal and external sources.
With a firewall, you can ensure:
Protection of the network environment
Protection of data

Types of Firewalls
Categories of firewalls
Hardware Firewalls
Software Firewalls


Where is it deployed in the network?

DMZ Interface
A firewall needs a minimum of two
interfaces to connect to two different networks.
A third interface can be added to the firewall
to separate the public servers from the private
LAN.
This interface is referred to as the Demilitarized Zone
(DMZ).
This is done so that, even if the public servers
are attacked, the private LAN still remains
secure.

Types of Firewalls (based on features)


Packet filtering firewalls
Application Gateways
Stateful firewalls

Stateful Inspection Firewalls

Stateful multilayer inspection
firewalls combine aspects of the
other two types of firewalls. They are
stateful because the firewall can
remember prior connection states
and continuously keeps updating
the state of a connection in its
dynamic connection table.

Whenever a firewall receives a SYN packet
initiating a TCP connection, this SYN packet is
reviewed against the firewall Rulebase. If the
packet matches a rule it is allowed; otherwise it is
denied.
If the packet is accepted, the session is
entered in the firewall's stateful connection table,
which is located in kernel memory. Every packet
that follows (one that does not carry a SYN) is then
compared to the stateful inspection table. If the
session is in the table, the packet is
part of an existing session and it is allowed through
the firewall. If it does not match an existing
session in the table, it is dropped.

This improves performance, because not every packet
is compared with the rule base: only SYN packets are
compared with the Rulebase. All other packets are
compared to the state table in kernel memory
(which is very fast).

Proxy Server Stateful Firewalls

These firewalls filter services at the application
level. They terminate the session at their
interface and initiate a separate connection
with the internal server, so establishing the
session takes a little more time. They are
by nature slower in processing, as they are more
application based.

Today there is very little difference between these
two firewall technologies, as more and more stateful
packet inspection firewall vendors take a
hybrid approach by combining both concepts.
The main engine of the stateful firewall is
implemented to maintain connection states,
and features such as virus scanning,
URL filtering, Java/ActiveX filtering etc. are
superimposed on it to get the best of both
worlds.

What does a Firewall do?


Define security boundaries to block/permit
untrusted/trusted access to internal resources
=> protecting networks and hosts.
Restrict external access.
Log network activities.
Intrusion detection.
Restrict information transfer to/from the net.

What does a Firewall do? (Contd.)

Address Translation
Authentication
Content Security
Logging network activity
VPN Termination

What a Firewall cannot do

It cannot protect against traffic that does not
pass through the firewall.
Firewall policies must be realistic and
reflect the level of security in the
entire network.
It cannot prevent attacks through
already open holes (i.e. permitted
ports such as telnet and http).

Checkpoint Power-1 Appliance

Checkpoint Firewall
This is a software firewall and one of
the earliest firewalls to use Stateful
inspection.
It is modular in nature, with separate
functions incorporated in each
module.

Packet Inspection and decision making process


Inspection Module Flow

Checkpoint Firewall
Components
Management Server
Firewall Module
Graphical User Interface (GUI)

Management Module (SmartCenter Server)
The Management module maintains the
FireWall-1 databases, including network
object definitions, user definitions, the
Security Policy, and log files for any
number of firewalled enforcement points.
Once the security policy is configured on
the management module, it is pushed to
the enforcement module, which actually
implements the policy.

Firewall Module (Enforcement Module)

The Firewall Module sits at the junction between
the protected network and the public network.
It is the module which actually implements
the security policy by examining each and
every packet that flows in or out of the
network.
The Management Server downloads the
Security Policy to the Firewall Module.
The Firewall Module can be installed on a broad
range of platforms.

Checkpoint GUI (Smart Console)


An enterprise-wide Security Policy is
defined and managed using a graphical
user interface.
The Security Policy is defined in terms of
network objects (for example, hosts,
networks, gateways, etc.) and security
rules.
The FireWall-1 GUI also includes a Log
Viewer and System Status Viewer.

Check Point Three-Tier Architecture

Firewall Models
Single Gateway product
Enterprise Gateway product
(Distributed Setup)

Single vs Enterprise Gateway


In the Single gateway product, the
Management module and firewall module
reside on the same machine.
This is suitable for small organizations
with only one office.
In the Enterprise gateway product, the
management module and the firewall
module reside on different machines.
This is suitable for large enterprises with
several branch offices.

The management module can be located
at the central office, and at the branch
offices you can have only the firewall
modules.
The security policy can be pushed from
the central management module to all the
branch office firewall modules.

Enterprise Gateway Setup (Distributed setup)

Licensing
The Checkpoint Firewall needs to be
licensed before it can be used.
Licenses primarily specify the
number of IP addresses that will be
protected by Firewall-1, that is, the
number of hosts behind the firewall.
The License will also decide which
features are enabled on the firewall.

The license is bound to:
The IP address of the firewall
machine
The operating system
The hardware platform
Any time one of these three parameters
changes, a new license must be
requested.

Types of Licensing
Central License
Local License

Central License
Here the module license is bound to the
IP address of the Management Server.
That is, the Management Server IP
address is used for issuing the license.
The advantage is that, even if the IP
address of the local module (to which
the license is issued) changes, there is
no need to re-issue the license.

Local License
Here the module license is bound to
the IP address of the module to which the
license is issued. If the IP address of the
local module changes, the license needs
to be re-validated.
This means that a separate license
must be issued for the management
module as well as the firewall module.
Any change in either module implies
that the licenses must be changed.

Checkpoint Firewall Rulebase

Firewall-1 Rulebase
The rule base is where you actually
define which traffic is allowed
and which traffic has to be dropped
when passing through the firewall.
It consists of a set of rules defining
the security policy of the organization.
The rule base is processed in a
top-down fashion.

This means that when a packet is received,
it is compared with the first rule in the rule
base. If there is a match, the
corresponding action is taken.
If there is no match, the next rule is
checked, and so on, until the end of the rule
base.
If no match is found, the packet is dropped.
This is known as the implicit deny at the end
of the rule base.

Firewall-1 Implied Rules

All other traffic through the firewall,
including ICMP, is blocked.
If you want to permit any traffic, you
have to add rules explicitly in the
rule base.
Implied Rules can be modified
through the Policy Editor, under Policy >
Global Properties.

Format of a rule

Stealth and Cleanup Rule

Before creating any rules to
implement the security policy of your
organization, it is recommended that
you create a stealth rule and a
cleanup rule and sandwich all the
other rules between these two.
The stealth rule should be the first
rule in the rule base.

The stealth rule is defined to protect the
firewall itself: it drops all traffic
destined to the firewall.
This means that the source should be
set to ANY, the destination to the firewall
object, the service to ANY, and the action
to DROP. Also make sure that
you log this rule.

Cleanup Rule
By default, anything that is not explicitly
permitted is dropped, and no log is
kept for dropped packets.
To see which packets did not match any
rule in the rule base, you have to define an
explicit drop rule in the policy and enable
tracking.
The cleanup rule has Source ANY,
Destination ANY, Service ANY, Action
DROP, and Track set to LOG.
The cleanup rule should be the last rule in
the rule base.

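The slides above describe two mechanisms that work together: only SYN packets are matched top-down against the rule base (stealth rule first, cleanup rule last, implicit deny after that), while every other packet is looked up in the kernel state table. The following is an added illustration, not Check Point code; the addresses, rule names and the dict standing in for the kernel connection table are constructed for the example.

```python
from dataclasses import dataclass, field

ANY = "*"
FIREWALL_IP = "203.0.113.1"   # constructed address of the firewall object


@dataclass
class Rule:
    name: str
    src: object       # IP string or ANY
    dst: object       # IP string or ANY
    service: object   # destination port or ANY
    action: str       # "accept" or "drop"
    log: bool = False


def matches(rule, src, dst, dport):
    """A rule matches when every field is ANY or equal to the packet's value."""
    return all(r == ANY or r == v for r, v in
               ((rule.src, src), (rule.dst, dst), (rule.service, dport)))


@dataclass
class StatefulFirewall:
    rules: list
    state: set = field(default_factory=set)   # (src, sport, dst, dport)
    log: list = field(default_factory=list)   # (rule name, session key)

    def handle(self, src, sport, dst, dport, syn):
        key = (src, sport, dst, dport)
        if not syn:
            # Non-SYN packets never touch the rule base: they pass only
            # if their session was already accepted, otherwise they drop.
            return "accept" if key in self.state else "drop"
        for rule in self.rules:                # top-down, first match wins
            if matches(rule, src, dst, dport):
                if rule.log:
                    self.log.append((rule.name, key))
                if rule.action == "accept":
                    self.state.add(key)        # new session enters the table
                return rule.action
        return "drop"                          # implicit deny (never logged)


# Constructed rule base: stealth first, real rules in between, cleanup last.
RULEBASE = [
    Rule("stealth", ANY, FIREWALL_IP, ANY, "drop", log=True),
    Rule("web", ANY, "10.0.0.80", 80, "accept"),
    Rule("cleanup", ANY, ANY, ANY, "drop", log=True),
]
```

With the cleanup rule in place every unmatched SYN is both dropped and logged, which is exactly why the slides recommend it over relying on the silent implicit deny.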

IP Spoofing
IP spoofing is an attack in which the
attacker forges the source IP address of a
packet to make it appear as if it came from
a legitimate source.
Checkpoint can guard against spoofing
attacks.
The anti-spoofing feature can be
turned on from the Topology tab of
the firewall object.
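Topology-based anti-spoofing works by declaring which networks legitimately sit behind each interface and dropping packets whose source address could not have arrived there. This added example (not Check Point code) models that check with a constructed three-interface topology; the interface names and network ranges are assumptions for illustration.

```python
import ipaddress

# Constructed topology: networks expected behind each interface.
# "external" marks the Internet-facing interface, i.e. anything that
# is not one of the internal or DMZ networks.
TOPOLOGY = {
    "eth0": "external",
    "eth1": [ipaddress.ip_network("10.0.0.0/24")],   # private LAN
    "eth2": [ipaddress.ip_network("192.0.2.0/24")],  # DMZ
}


def internal_networks():
    """All networks that sit behind a non-external interface."""
    return [n for nets in TOPOLOGY.values() if nets != "external" for n in nets]


def is_spoofed(interface, src_ip):
    """True when src_ip could not legitimately arrive on this interface."""
    src = ipaddress.ip_address(src_ip)
    expected = TOPOLOGY[interface]
    if expected == "external":
        # Traffic from the Internet must not claim an internal or DMZ address.
        return any(src in net for net in internal_networks())
    # Traffic on an internal interface must come from a network behind it.
    return not any(src in net for net in expected)
```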
