Checkpoint Firewall for Dummies
- 2. Why Checkpoint? • Specialized Vendor – Only Firewall Creators • More Granularity – Connection based Granularity • More Open – Multiple hardware platforms – Multiple OS platforms for Management Server
- 3. Why Checkpoint? • Better management tools – SMARTConsole • Simpler GUI – More User friendly GUI (My view) – Easy to troubleshoot • No java incompatibility issue – ASA faces this more often
- 4. Where Checkpoint? • Everywhere… mostly in enterprise where there are – Multiple DMZ zones – Web servers – Variety of applications – Numerous client requirements
- 5. SMART Architecture • Check Point Three-Tier Architecture – SmartConsole Client on the admin machine – SmartCenter Server Security Management Server – Security Gateway Enforcement Unit The real FW
- 6. Deployment • Stand-alone Deployment – Secure Platform + Management Server Enforcement Unit – Client Software on Client Machine • Distributed Deployment – Secure Platform Enforcement Module – Management Server Another Hardware – Client Software on Client Machine
- 7. Deployment Distributed Deployment: Stand-Alone Deployment: Security Gateway (Physical Hardware) Security Mgmt Server Security Smartview Tracker Security Gateway (Physical Hardware) + Security Mgmt Server Security Smartview Tracker
- 8. Traffic Control Methods • Packet Filtering – Specific Rules for Allowing/Denying Traffic – Explicit Deny at the end of the policy • Stateful Filtering – Maintaining state table – Makes environment more secured – Stale out old entries to protect FW from running out of memory space • Application Aware Filtering – More granular – Datagram inspection
- 9. Secure Platform • IPSO: FreeBSD – Ipsilon company 1997 NOKIA acquired 2009 Check Point acquired NOKIA Security Appliances • Secured Platform (SPLAT) • GAIA: FreeBSD – Same command line as in IPSO – Beginning of Virtualization (Virtual System eXtension) – More concurrent connections (210 million)
- 10. Real World of Check Point • Network Design from FW point of view • Installing GAiA OS using Image • Basic configuration of Check Point Enforcement Module using GUI (GAiA) • Adding Security Gateway to Management Server using R77 DashBoard
- 12. Design- iDMZ and xDMZ Internet Internal Network idmz xdmz
- 13. Why Distributed Deployment • Installing Policy simultaneously in Multiple FW • Easy to manage similar Firewalls • What if two different purpose FW are in same Management Server – Policy Package
- 14. Features • Anti-spoofing • Anti-bot • Identity Awareness
- 16. GAiA • Interface configuration • Routing – Static – Dynamic (RIP,OSPF) • System Management – Proxy Server – Core dump – System Logging
- 17. GAiA Continued… • High Availability -VRRP (Virtual Router Redundancy Protocol) • User Management • Back-up/Restore • Upgrade and licensing
- 18. Checkpoint SmartConsole • Adding Rules in Firewalls • Adding NAT rules in Firewall • Policy package • Network Monitoring
- 19. Important Commands • Cpinfo show tech-support (Cisco) • Set interface eth0 ipv4 address192.168.10.1 subnet-mask 255.255.255.0 • Show interfaces all • Fw stat • Fw unloadlocal • Fw monitor
- 20. Check Point Installation - Start Virtual Machine - Select Install Gaia on this system
- 23. Check Point Installation - Check Machine Info (Opt) - Select OK
- 24. Check Point Installation Select the Keyboard type
- 25. Check Point Installation - Partition Configuration - View/Change - OK
- 26. Check Point Installation - Type in the password - Use this password while logging in through Gaia
- 27. Check Point Installation - Select the interface - Recheck (Opt)
- 28. Check Point Installation - Give IP address to eth0 - Netmask - Default Gateway - This is the IP using which we can login the Gaia
- 34. Check Point Installation - Reboot
- 35. Check Point Configuration - Enter User Name and Password
- 36. Check Point Configuration - Entering Gaia
- 37. Best Practices • Adding a Stealth Rule (relatively above most of the rules) – Deny Access to FW – Add access rule above for management IP(s) to allow access • Drop Noisy Traffic – Bootp, bootps, sstp, UPMP etc. are rarely used protocols • Add Drop Rule at the bottom of the List – Drop Everything else!
- 38. Some Other Best Practices • By default DNS, RIP and ICMP are unrestricted…Block them! – Trojans such as BackOrafice use port 53/UDP (DNS) – ICMP is used in Traceroute and Ping – Man in the middle and DoS is possible with Poisoned RIP • Maintain your FW – Check for updates as new vulnerabilities are always discovered • Know your Network – Understand the requirement and place the FW – Don’t place it where you need to allow almost everything • Add only Specific Rules
- 39. …and a few more • Relevant and consistence FW and Object Naming. • Use Group management- Policy Packaging and Section creation. • Use comments while making changes to existing config and rule base. • Take Regular Backups of config and Rules • Generate an alert in your management systems (HPoV) for monitoring FW environment.t and regular backup procedures