Check Point Education Series
Security Administration
Student Manual
R77 Edition
Check Point Software Technologies Inc.
P/N 705982
© 2014 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and de-compilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

International Headquarters:
5 Ha'Solelim Street
Tel: 972-3183 4555

U.S. Headquarters:
989 Skyway Road, Suite 300
San Carlos, CA 94070
Tel: 630-626-2000
Fax: 630-654-2253

Technical Support, Education & Professional Services:
6330 Commerce Drive, Suite 120
Irving, TX 75063
Fax: 972-506-2913

E-mail any comments or questions about our courseware to courseware@us.checkpoint.com.
For questions or comments about other Check Point documentation, e-mail CP_TechPub_Feedback@checkpoint.com.

Document #: DOC-Manual-CCSA-RI6
Revision: R772018
Content: Mark Hoefle, Joey Witt
Graphics: Charming Jia
Contributors:
Beta Testing and Technical Review:
Chris Albtas - Arrow ECS - UK
Robin Bay - Arrow ECS - Czech Republic
Kishin Feinani - K-Secure - India
Patrick Felsner - Arrow ECS - Austria
Tim Hall - Shadow Peak - USA
Thomas Norbeck - Glasspaper - Norway
Alejandro Diez Rodrigues - Afina - Spain
Ich Tathanie - INTAS - Slovakia
Erik Wagemans - JCA - Belgium
Test Development:
Ken Finley - Check Point
Check Point Technical Publications Team:
Rochelle Fisher, Daly Yam, Eli Har-Even, Paul Grigg, Richard Levine, Rivkah Albinder, Shira Rosenfield, Yaakov Simon

Contents
Preface: Security Administration
  Security Administration Overview
  Course Layout
  Prerequisites
  Certification Title
  Course Chapters
  Sample Setup for Labs
Chapter 1: Introduction to Check Point Technology
  Check Point Technology Overview
  Learning Objectives
  The Check Point Security Management Architecture (SMART)
  SmartConsole
  Security Management Server
  Security Gateway
  The Check Point Firewall
  Mechanisms for Controlling Network Traffic
  Packet Filtering
  Stateful Inspection
  Application Intelligence
  Security Gateway Stateful Inspection Architecture
  INSPECT Engine Packet Flow
  Deployment Considerations
  Check Point SmartConsole Clients
  SmartDashboard
  SmartLog
  SmartEvent
  SmartView Monitor
  SmartEndpoint
  SmartView Tracker
  SmartUpdate
  SmartReporter
  SmartProvisioning
  Security Management Server
  Managing Users in SmartDashboard
  Users Database
  Securing Channels of Communication
  Secure Internal Communications
  Testing the SIC Status
  Resetting the Trust State
  Practice and Review
  Practice Labs
  Review
Chapter 2: Deployment Platforms
  Deployment Platforms
  Learning Objectives
  Check Point Deployment Platforms
  Security Appliances
  Dedicated Appliances
  Carrier & Ultra High-End Data Center Security Systems
  Data Center Security Systems
  Enterprise Network Security Systems
  Small/Branch Office
  Virtual Systems
  Management
  More Check Point Appliances
  Check Point Software Blade Architecture
  Software Blade Bundles
  Check Point Gaia
  History - Power of Two
  Gaia
  Benefits of Gaia
  Gaia Architecture
  Gaia System Information
  Practice and Review
  Practice Labs
  Review
Chapter 3: Introduction to the Security Policy
  Introduction to the Security Policy
  Learning Objectives
  Security Policy Basics
  The Rule Base
  Managing Objects in SmartDashboard
  SmartDashboard and Objects
  Object-Tree Pane
  Objects-List Pane
  Object Types
  Rule Base Pane
  Managing Objects
  Classic View of the Objects Tree
  Group View of the Objects Tree
  Creating the Rule Base
  Basic Rule Base Concepts
  Default Rule
  Basic Rules
  Implicit/Explicit Rules
  Control Connections
  Detecting IP Spoofing
  Configuring Anti-Spoofing
  Rule Base Management
  Understanding Rule Base Order
  Completing the Rule Base
  Policy Management and Revision Control
  Policy Package Management
  Database Revision Control
  Multicasting
  Practice and Review
  Practice Labs
  Review
Chapter 4: Monitoring Traffic and Connections
  Monitoring Traffic and Connections
  Learning Objectives
  SmartView Tracker
  Log Types
  SmartView Tracker Tabs
  Action Icons
  Working with SmartView Tracker
  Log-File Management
  Administrator Auditing
  Global Logging and Alerting
  Time Settings
  Blocking Connections
  SmartView Monitor
  Customized Views
  Gateway Status View
  Traffic View
  Tunnels View
  Remote Users View
  Cooperative Enforcement View
  Monitoring Suspicious Activity Rules
  Monitoring Alerts
  Gateway Status
  Overall Status
  Software Blade Status
  Displaying Gateway Information
  SmartView Tracker vs. SmartView Monitor
  Practice and Review
  Practice Lab
  Review
Chapter 5: Network Address Translation
  Network Address Translation
  Learning Objectives
  Introduction to NAT
  IP Addressing
  Hide NAT
  Choosing the Hide Address in Hide NAT
  Static NAT
  Original Packet
  Reply Packet
  NAT - Global Properties
  Object Configuration - Hide NAT
  Hide NAT Using Another Interface IP Address
  Static NAT
  Manual NAT
  Configuring Manual NAT
  Special Considerations
  ARP
  Practice and Review
  Practice Labs
  Review
Chapter 6: Using SmartUpdate
  Using SmartUpdate
  Learning Objectives
  SmartUpdate and Managing Licenses
  SmartUpdate Architecture
  SmartUpdate Introduction
  Overview of Managing Licenses
  Licensing Terminology
  Upgrading Licenses
  Retrieving License Data from Security Gateways
  Adding New Licenses to the License & Contract Repository
  Importing License Files
  Adding License Details Manually
  Attaching Licenses
  Detaching Licenses
  Deleting Licenses From License & Contract Repository
  Installation Process
  Viewing License Properties
  Checking for Expired Licenses
  To Export a License to a File
  Service Contracts
  Managing Contracts
  Updating Contracts
  Practice and Review
  Review
Chapter 7: User Management and Authentication
  User Management and Authentication
  Learning Objectives
  Creating Users and Groups
  User Types
  Security Gateway Authentication
  Types of Legacy Authentication
  Authentication Schemes
  Remote User Authentication
  Authentication Methods
  User Authentication (Legacy)
  User Authentication Rule Base Considerations
  Session Authentication (Legacy)
  Configuring Session Authentication
  Client Authentication (Legacy)
  Client Authentication and Sign-On Overview
  Sign-On Methods
  Wait Mode
  Configuring Authentication Tracking
  LDAP User Management with UserDirectory
  LDAP Features
  Distinguished Name
  Multiple LDAP Servers
  Using an Existing LDAP Server
  Configuring Entities to Work with the Gateway
  Defining an Account Unit
  Managing Users
  UserDirectory Groups
  Practice and Review
  Practice Lab
  Review
Chapter 8: Identity Awareness
  Identity Awareness
  Learning Objectives

Install Database... from the menu. Security Gateways that do not include a Management Software Blade do not receive the Users Database.
Securing Channels of Communication

The Security Management Server must be able to communicate with all components and partner-OPSEC applications that it manages, even though they may be installed on different machines. The interaction must take place to ensure that the components receive all necessary information from the Security Management Server (such as the Security Policy). While information must be allowed to pass freely, it also has to pass securely. This means that:
* The communication must be encrypted so that an impostor cannot send, receive or intercept communication meant for someone else.
* The communication must be authenticated; there can be no doubt as to the identity of the communicating peers.
* The transmitted communication should have data integrity; that is, the communication must not be altered or distorted in any form.
* The SIC setup process allowing the intercommunication to take place must be user-friendly.
If these criteria are met, secure channels of communication between intercommunicating components of the system can be set up and enforced, to protect the free and secure flow of information.
Secure Internal Communications

Secure Internal Communication (SIC) lets Check Point platforms and products authenticate with each other. The SIC procedure creates a trusted status between gateways, management servers and other Check Point components. SIC is required to install policies on gateways and to send logs between gateways and management servers.

These security measures ensure the security of SIC:
* Certificates for authentication
* Standards-based SSL for the creation of the secure channel
* 3DES for encryption
The Internal Certificate Authority (ICA)

The ICA is created during the Security Management server installation process. The ICA is responsible for issuing certificates for authentication. For example, the ICA issues certificates such as SIC certificates for authentication purposes to administrators and VPN certificates to users and gateways.
Initializing the Trust Establishment Process

Communication Initialization establishes a trust between the Security Management server and the Check Point gateways. This trust lets Check Point components communicate securely. Trust can only be established when the gateways and the server have SIC certificates.

Note: For SIC to succeed, the clocks of the gateways and servers must be synchronized.

The Internal Certificate Authority (ICA) is created when the Security Management server is installed. The ICA issues and delivers a certificate to the Security Management server.
Administrative Login Using SIC

The login process, in which Administrators connect to the Security Management Server, is common to all Check Point SmartConsole components (SmartDashboard, SmartUpdate, etc.). This process consists of a bidirectional operation, in which the Administrator and the Security Management Server authenticate each other and create a secure channel of communication between them using SIC. Once both the Administrator and the Security Management Server have been successfully authenticated, Security Management launches the selected SmartConsole.
Testing the SIC Status

The SIC status reflects the state of the Gateway after it has received the certificate issued by the ICA. This status conveys whether or not the Security Management server is able to communicate securely with the gateway. The most typical status is Communicating. Any other status indicates that the SIC communication is problematic. For example, if the SIC status is Unknown then there is no connection between the Gateway and the Security Management server. If the SIC status is Not Communicating, the Security Management server is able to contact the gateway, but SIC communication cannot be established. In this case an error message will appear, which may contain specific instructions on how to remedy the situation.
Resetting the Trust State

Resetting the Trust State revokes the gateway's SIC certificate. This must be done if the security of the gateway has been breached, or if for any other reason the gateway functionality must be stopped. When the gateway is reset, the Certificate Revocation List (CRL) is updated to include the name of the revoked certificate. The CRL is signed by the ICA and issued to all the gateways in this system the next time a SIC connection is made. If there is a discrepancy between the CRLs of two communicating components, the newest CRL is always used. The gateways refer to the latest CRL and deny a connection from an impostor posing as a gateway and using a SIC certificate that has already been revoked.

Important - The SIC reset must be performed on the gateway's object using SmartDashboard, and from a command prompt on the gateway using the cpconfig tool. Performing the SIC reset on the gateway will cause an outage until SIC is reestablished and the policy reinstalled. The fw stat command can be used to verify a Gateway's policy installed status.
SIC Between Security Management Servers and Components

The following is an example of the SIC process:

Figure 23 - SIC Among Security Management Servers and Components

The graphic illustrates the SIC process in a distributed environment:
1. The ICA creates a Certificate for the Security Management Server during the Security Management Server installation. The ICA is created automatically during the installation procedure.
2. Certificates for the Security Gateways, and any other communicating components, are created via a simple initialization from the SmartConsole. Upon initialization, the ICA creates, signs, and delivers a Certificate to the communication component. Every component can then verify the Certificate for authenticity.

Communication between a Security Management Server and its components depends on a Security Policy specified in a Policy file on each machine. Communication using Certificates will take place provided that the communicating components are of the appropriate version, and agree on the authentication and encryption methods. The Security Management Server and its components are identified by their SIC name, also known as the Distinguished Name.
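As an added illustration of the trust relationships described in this section (from Secure Internal Communications through the SIC process above), the following Python model stands in for the ICA, its CRL and two communicating components. It is not Check Point code and uses no Check Point API. It shows the behaviours the text describes: both sides authenticate each other with ICA-issued certificates, the newest ICA-signed CRL wins when two peers hold different CRLs, a peer presenting a revoked certificate is refused, a gateway whose clock lags the ICA cannot establish trust, and the outcomes map onto the Communicating, Not Communicating and Unknown statuses. The HMAC "signature", the DNs, the clock values and the integer CRL version are all constructed for this example; a real SIC certificate is X.509 and the channel is SSL.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Certificate:
    dn: str          # SIC name, i.e. the component's Distinguished Name
    serial: int
    not_before: int  # issue time in seconds; drives the clock-skew check
    signature: bytes

@dataclass(frozen=True)
class CRL:
    version: int        # a higher version is a newer CRL
    revoked: frozenset  # serials of revoked certificates
    signature: bytes

class ICA:
    """Stand-in for the ICA; an HMAC over the fields plays the signature's role."""
    def __init__(self, clock):
        self._key = b"constructed-ica-signing-key"   # constructed, not a real key
        self._serial, self._revoked, self._crl_version = 0, set(), 0
        self.clock = clock

    def _sign(self, *fields):
        msg = "|".join(str(f) for f in fields).encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, dn):
        self._serial += 1
        sig = self._sign("cert", dn, self._serial, self.clock)
        return Certificate(dn, self._serial, self.clock, sig)

    def cert_is_genuine(self, cert):
        expected = self._sign("cert", cert.dn, cert.serial, cert.not_before)
        return hmac.compare_digest(expected, cert.signature)

    def crl_is_genuine(self, crl):
        expected = self._sign("crl", crl.version, sorted(crl.revoked))
        return hmac.compare_digest(expected, crl.signature)

    def current_crl(self):
        revoked = frozenset(self._revoked)
        sig = self._sign("crl", self._crl_version, sorted(revoked))
        return CRL(self._crl_version, revoked, sig)

    def reset_trust(self, cert):
        """Resetting the trust state: revoke the certificate, issue a newer CRL."""
        self._revoked.add(cert.serial)
        self._crl_version += 1
        return self.current_crl()

class Peer:
    """A management server or gateway: own certificate, CRL copy and clock."""
    def __init__(self, ica, cert, clock):
        self.ica, self.cert, self.clock = ica, cert, clock
        self.crl = ica.current_crl()

    def adopt_crl(self, other):
        # Only an ICA-signed CRL is trusted, and the newest one always wins.
        if self.ica.crl_is_genuine(other) and other.version > self.crl.version:
            self.crl = other

    def accepts(self, cert):
        """Decide whether a certificate presented by a peer is acceptable."""
        if not self.ica.cert_is_genuine(cert):
            return False, "certificate was not issued by the ICA"
        if cert.serial in self.crl.revoked:
            return False, "certificate is on the CRL (trust was reset)"
        if cert.not_before > self.clock:
            return False, "certificate not yet valid on this clock (clock skew)"
        return True, "ok"

def sic_handshake(a, b):
    """Bidirectional SIC: exchange CRLs, keep the newest, verify each other."""
    a.adopt_crl(b.crl)
    b.adopt_crl(a.crl)
    ok_a, why_a = a.accepts(b.cert)
    ok_b, why_b = b.accepts(a.cert)
    return ok_a and ok_b, (why_a, why_b)

def sic_status(server, gateway, reachable=True):
    """Map the outcome onto the statuses named in the text."""
    if not reachable:
        return "Unknown"   # no connection to the gateway at all
    ok, _ = sic_handshake(server, gateway)
    return "Communicating" if ok else "Not Communicating"

def demo():
    ica = ICA(clock=1000)   # constructed names and clock values follow
    server = Peer(ica, ica.issue("cn=mgmt,o=example.local"), clock=1000)
    gw = Peer(ica, ica.issue("cn=gw-1,o=example.local"), clock=1000)
    results = {"initial": sic_status(server, gw),
               "unreachable": sic_status(server, gw, reachable=False)}
    # A gateway whose clock is behind sees the server's certificate as not
    # yet valid: the clock-synchronization requirement from the Note above.
    slow_gw = Peer(ica, ica.issue("cn=gw-2,o=example.local"), clock=500)
    results["clock_skew"] = sic_status(server, slow_gw)
    # Reset trust on gw-1; only the server holds the new CRL at first. A peer
    # presenting gw-1's revoked certificate with the old CRL is refused, and
    # the CRL exchange leaves it holding the newest CRL.
    server.crl = ica.reset_trust(gw.cert)
    stale = Peer(ica, gw.cert, clock=1000)
    stale.crl = gw.crl   # the CRL from before the reset (version 0)
    results["revoked"] = sic_status(server, stale)
    results["crl_version_after"] = stale.crl.version
    return results
```

Calling demo() returns the four statuses plus the CRL version the stale peer ends up with: the initial pair is Communicating, the unreachable case is Unknown, both the lagging clock and the revoked certificate yield Not Communicating, and the stale peer has adopted CRL version 1 after the exchange. The reason strings returned by Peer.accepts play the role of the error message the text says accompanies a Not Communicating status.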
Practice and Review

Practice Labs
Lab 1: Distributed Installation
Lab 2: Branch Office Security Gateway Installation

Review
1. What is the strength of Check Point's Stateful Inspection technology?
2. What are the advantages of Check Point's Secure Management Architecture (SMART)? In what way does it benefit an enterprise network and its administrators?
3. What is the main purpose for the Security Management Server? Which function is it necessary to perform on the Security Management Server when incorporating Security Gateways into the network?
Chapter 2: Deployment Platforms

Deployment Platforms
Before delving into the intricacies of creating and managing Security Policies, it is beneficial to know about Check Point's different deployment platforms, and to understand the basic workings of Check Point's Linux operating systems, such as Gaia, that support many Check Point products - and what those products are.

Learning Objectives:
* Given network specifications, perform a backup and restore the current Gateway installation from the command line.
* Identify critical files needed to purge or backup, import and export users and groups and add or delete administrators from the command line.
* Deploy Gateways from the Gateway command line.
Check Point Deployment Platforms

Security Appliances

Dedicated Appliances

Check Point security appliances deliver powerful turnkey systems for deploying and managing Check Point's award-winning Software Blades to address virtually any security need for businesses of all sizes. All Check Point appliances are built around the unified Software Blade Architecture, enabling organizations to protect against rapidly evolving threats and perform all aspects of security management via a single, unified console. Strong and proven, the Check Point security appliances provide reliable services for thousands of businesses worldwide.

Private Cloud Emulation Appliances:
* Threat Emulation prevents infections from undiscovered exploits, zero-day and targeted attacks. This innovative solution quickly inspects incoming files, launches suspicious files in a virtual sandbox, discovers malicious behavior and then prevents discovered malware from entering the network. The Private Cloud Emulation Appliance is an on-premise solution to emulate threats.
Threat Prevention Appliances
* Dedicated appliances focused on preventing threats attempting to enter your network. The Threat Prevention Appliances provide threat prevention protections, including Anti-Bot and URL Filtering, in one appliance.
Secure Web Gateway
* Check Point's Secure Web Gateway Appliance enables secure use of Web 2.0 with the largest application coverage, unified control of all aspects of web, end-user education, integrated anti-malware and 360 degrees visibility of all web activities.
DDoS Protector
* The Check Point DDoS Protector™ Appliances protect business-critical networks and block Denial of Service attacks with multi-layered protection and up to 12Gbps of performance.
Carrier & Ultra High-End Data Center Security Systems

41000 and 61000 Security Systems
* Check Point Security Systems deliver high-performance, highly scalable Security Gateways that are carrier-grade designed for data centers, telecommunication and cloud services providers.

21000 Appliances
* The 21000 Appliances deliver total protection with unmatched performance and flexibility. Equipped with the Security Acceleration Module, it delivers up to 110 Gbps of firewall throughput with sub-5µs latency, making it an ideal solution for performance- and time-sensitive applications.
Data Center Security Systems

13500 Appliances
* Experience breakthrough Next Generation Firewall performance and unmatched scalability and serviceability in a compact 2 rack-unit to secure even the most demanding enterprise and data center environments.
12000 Appliances
* These datacenter-grade security appliances, with their multi-core and acceleration technologies, redundant components and superior multi-Software Blade performance, are designed for high performance and reliability for even the most demanding enterprise network environments.
Enterprise Network Security Systems

4000 Appliances
* Today's enterprise security gateway needs to be more than just a firewall - it must use multiple technologies to secure and protect networks against evolving threats. The Check Point 4000 Appliances, with their flexible network interface options and multi-core technology, offer the best performance for their class.

Small/Branch Office

2200 Appliances
* The Check Point 2200 Appliance offers enterprise-class security with leading price/performance in a compact desktop form factor. Combined with the Software Blade Architecture, it is an ideal solution for securing small offices and branch offices.
1100 Appliances
* The Check Point 1100 Appliances leverage the extensible Software Blades to deliver big security to the small branch office. These all-in-one appliances offer robust multi-layered protection with flexible network interfaces in a compact desktop form factor.
600 Appliance
* Check Point 600 Appliances deliver proven enterprise-grade security in a simple, affordable, all-in-one security solution to protect your employees, your applications and your data from cyber-theft for small offices like yours.

Virtual Systems

Check Point Virtual Systems
* Check Point Virtual Systems consolidate and simplify security for private clouds. It enables Software Blades for customized protections against evolving network threats.

Management

Smart-1/Smart-1 SmartEvent Appliances
* Smart-1 - Check Point Smart-1 Appliances deliver market-leading security management on a dedicated hardware platform specifically designed for mid-size and large enterprise networks.
* Smart-1 SmartEvent - Check Point Smart-1 Appliances deliver market-leading event management on a dedicated hardware platform specifically designed for mid-size and large enterprise networks.
More Check Point Appliances

X-Series Appliances
* Check Point X-Series Appliances provide organizations with the ultimate choice in carrier-grade chassis - integrated software and hardware bundles customized to their exact specifications.

IAS Appliances
* Check Point Integrated Appliance Solutions (IAS) Bladed Hardware provides organizations with the ultimate choice in carrier-grade chassis. IAS Bladed Hardware delivers integrated software and hardware solutions that are customized to your exact security needs - all while maintaining the network performance you require.

Small Business Appliances
* Check Point Safe@Office and UTM-1 Edge N appliances deliver proven, cost-effective and best-in-class security to small businesses quickly and easily, integrating firewall, IPS, anti-malware, URL Filtering and more.
Security Power - Choosing a Security Appliance

Check Point's SecurityPower™ is a new benchmark metric that allows customers to select security appliances by their capacity to handle real-world network traffic, multiple advanced security functions and a typical security policy. SecurityPower helps customers to accurately size and determine the appropriate appliances that can best meet their network security needs today, as well as support anticipated future traffic increases and additional security functions.

Leveraging the new Check Point Appliance Selection Tool, the Check Point account team or Check Point partners can take criteria of the customer's network, including the required throughput performance and desired security functions, as inputs, and produce a SecurityPower requirement value. That value is then compared against the SecurityPower capacities of the range of Check Point appliances to determine and present candidates that can best meet the customer's network security and performance requirements.

Figure 24 - Security Power
Check Point Software Blade Architecture
Security environments become more complex as companies of all sizes defend themselves against new and varied threats. With these new threats come new security solutions, new vendors, costly new hardware, and increasing complexity. As IT comes under increasing pressure to do more with existing hardware and human resources, this approach becomes increasingly unacceptable.

Check Point's Software Blade architecture offers a better way, enabling organizations to efficiently tailor targeted managed solutions that meet targeted business security needs. All solutions are centrally managed through a single console that reduces complexity and operational overhead. And as new threats emerge, Check Point's Software Blade architecture quickly and flexibly expands services as needed without the addition of new hardware or management complexity. Our pre-defined Software Blade Bundles take the guesswork out of choosing the right security with targeted, comprehensive security protections.

The Check Point Software Blade architecture is the first and only security architecture that delivers total, flexible and manageable security to companies of any size. With this unprecedented capability, Check Point Software Blades deliver lower cost of ownership and cost-efficient protection that meet any network security or endpoint security need, today and in the future.

A software blade is a logical security building block that is independent, modular and centrally managed. Software Blades can be quickly enabled and configured into a solution based on specific business needs. And as needs evolve, additional blades can be quickly activated to extend security to an existing configuration within the same hardware foundation.

Key Benefits of the Check Point Software Blade Architecture
* Flexibility - Provides the right level of protection at the right level of investment
* Manageability - Enables fast deployment of security services. Increases productivity through centralized blade management.
* Total Security - Provides the right level of security, at all enforcement points, and at all layers of the network
* Lower TCO - Protects investment through consolidation and use of existing hardware infrastructure
* Guaranteed performance - Enables provisioning of resources that guarantee service levels

Software Blades can be deployed on Check Point security appliances, IP appliances, open servers, within virtualized environments, and on endpoints. New blades can be added simply by enabling their functionality in software; no additional hardware, firmware or drivers are necessary. This enables organizations to deploy security dynamically, as needed, with lower total cost of deployment.
Software Blade Bundles

Next Generation Firewall
The Check Point Next Generation Firewall extends the power of the firewall beyond stopping unauthorized access by adding IPS and Application Control protections. Next Generation Firewalls come in many sizes and offer throughput of up to 110Gbps.

Next Generation Threat Prevention
Unified next generation solution that prevents advanced threats and malware attacks and enables an organization to easily and confidently control access to millions of web sites. Protections include stopping application-specific attacks, botnets, targeted attacks, APTs, and zero-day threats.

Next Generation Secure Web Gateway
Embracing the current paradigm shift from simple URL filtering to comprehensive malware protection, the Check Point Secure Web Gateway provides an intuitive solution that enables secure use of Web 2.0 with real-time multi-layered protection against web-borne malware, the largest application coverage in the industry, advanced granular control, intuitive centralized management, and essential end-user education functionality.

Next Generation Data Protection
Next Generation Data Protection solutions encompass all facets of protecting content from getting into the wrong hands. Data Loss Prevention (DLP) is an integral part of a data protection solution; however, to fully protect data, multiple layers must be put into place. Check Point combines these layers into a complete solution protecting against confidential data inadvertently leaving the organization.
Security Gateway Software Blades

* Firewall - The Check Point Firewall Software Blade builds on the award-winning technology first offered in Check Point's FireWall-1 solution to provide the industry's strongest level of gateway security and identity awareness. Check Point's firewalls are trusted by 100% of the Fortune 100 and deployed by over 170,000 customers, and have demonstrated industry leadership and continued innovation since the introduction of FireWall-1 in 1994.
* IPSec VPN - The Check Point IPSec VPN Software Blade provides secure connectivity to corporate networks for remote and mobile users, branch offices and business partners. The Software Blade integrates access control, authentication and encryption to guarantee the security of network connections over the public Internet.
* Mobile Access Software Blade - Check Point Mobile Access Software Blade is the safe and easy solution to connect to corporate applications over the Internet with your smartphone, tablet or PC. The solution provides enterprise-grade remote access via both Layer-3 VPN and SSL VPN, allowing you simple, safe and secure connectivity to your email, calendar, contacts and corporate applications.
* Identity Awareness - Check Point Identity Awareness Software Blade provides granular visibility of users, groups and machines, providing unmatched application and access control through the creation of accurate, identity-based policies. Centralized management and monitoring allows for policies to be managed from a single, unified console.
* Application Control - The Check Point Application Control Software Blade provides the industry's strongest application security and identity control to organizations of all sizes. It enables IT teams to easily create granular policies, based on users or groups, to identify, block or limit usage of over 240,000 Web 2.0 applications and widgets. The Application Control Software Blade is a key component of the Secure Web Gateway Appliance.
* IPS - The Check Point Intrusion Prevention System (IPS) Software Blade combines industry-leading IPS protection with breakthrough performance at a lower cost than traditional, stand-alone IPS solutions. The IPS Software Blade delivers complete and proactive intrusion prevention, all with the deployment and management advantages of a unified and extensible next-generation firewall solution.
DLP — The Check Point DLP Software Blade combines
technology and processes to revolutionize Data Loss
Prevention (DLP), helping businesses to pre-emptively
protect sensitive information from unintentional loss,
educating users on proper data handling policies and
empowering them to remediate incidents in real-time,
Web Security — The Check Point Web Security Software
Blade provides a set of advanced capabilites that detect and
prevent attacks launched against the Web infrastructure.
‘The Web Security Software Blade delivers comprehensive
protection when using the Web for business and
communication.
URL Filtering — ‘The Check Point URL Filtering Software
Blade provides optimized web security through full
integration in the gateway to prevent bypass through
‘external proxies. Integration of policy enforcement with
‘Application Control means full Web and Web 2.0
protection, and UserCheck technology empowers and
educates users on web usage policy in realtime. The URL Filtering Software
Blade is a key component of the Secure Web Gateway Appliance.
Anti-Bot — The Check Point Anti-Bot Software Blade
detects bot infected machines, prevents bot damages by
blocking bot C&C communications, and is continually
updated from ThreaiCloud™, the first collaborative
network to fight eybererime.
‘Threat Emulation — Check Point ThreatCloud Emulation
Service prevents infections from undiscovered exploits,
zero-day and targeted attacks. This innovative solution.
quickly inspects files and runs them in a virtual sandbox to
discover malicious behavior. Discovered malware is
prevented from entering the network.
Antivirus & Anti-Malware — The enhanced Check Point
Antivirus Software Blade uses real-time virus signatures
and anomaly-based protections from ThreatCloud™, the
first collaborative network to fight cybercrime, to detect
and block malware at the gateway before users are affected.
‘The Antivinss Software Blade isa key component ofthe
Secure Web Gateway Appliance and Threat Prevention Appliance
• Anti-Spam & Email Security — The Check Point Anti-Spam & Email Security Software Blade provides comprehensive protection for messaging infrastructure. A multidimensional approach protects email infrastructure, provides highly accurate anti-spam coverage and defends organizations from a wide variety of virus and malware threats delivered within email.
• Advanced Networking — The Check Point Advanced Networking and Clustering Software Blade simplifies network security deployment and management within complex and highly utilized networks, while maximizing network performance and security in multi-Gbps environments. This combination is ideal for high-end enterprise and datacenter environments where performance and availability are critical.
• Voice over IP (VoIP) — The Check Point VoIP Blade enables you to deploy VoIP applications such as telephony or video conferencing without introducing new security threats or needing to redesign your network. Because worms and VoIP-specific Denial of Service attacks can take IP phone services down, the Check Point family delivers an evolving solution that understands and protects against existing and new threats that may disrupt business continuity. Check Point solutions also reduce the complexity of VoIP deployment by eliminating such common pain points as incompatibility between VoIP and Network Address Translation.
• Security Gateway Virtual Edition — The Check Point Security Gateway Virtual Edition (VE) protects dynamic virtualized environments and external networks, such as private and public clouds, from internal and external threats by securing virtual machines and applications with the full range of Check Point Software Blades.
Security Management Software Blades
• Network Policy Management — The Check Point Network Policy Management Software Blade provides comprehensive, centralized network security policy management for Check Point gateways and Software Blades, via SmartDashboard — a single, unified console that provides control over even the most complex security deployments.
• Endpoint Policy Management — The Check Point Endpoint Policy Management Software Blade simplifies endpoint security management by unifying all endpoint security capabilities for PC & Mac in a single console. Monitor, manage, educate and enforce policy, from an at-a-glance dashboard down to user and machine details, all with a few clicks.
• Logging and Status — The Check Point Logging and Status Software Blade transforms data into security intelligence with SmartLog, an advanced log analyzer that delivers split-second search results providing real-time visibility into billions of log records over multiple time periods and domains.
• SmartWorkflow — The Check Point SmartWorkflow Software Blade provides a seamless and automated process for policy change management that helps administrators reduce errors and enhance compliance. Enforce a formal process for editing, reviewing, approving and auditing policy changes from a single console, for one-stop, total policy lifecycle management.
• Monitoring — The Check Point Monitoring Software Blade presents a complete picture of network and security performance, enabling fast responses to changes in traffic patterns or security events. The Software Blade centrally monitors Check Point devices and alerts to changes to gateways, endpoints, tunnels, remote users and security activities.
• Management Portal — The Check Point Management Portal Software Blade allows browser-based security management access to outside groups such as support staff or auditors, while maintaining centralized control of policy enforcement. View security policies, the status of all Check Point products and administrator activity, as well as edit, create and modify internal users.
• User Directory — The Check Point User Directory Software Blade leverages LDAP servers to obtain identification and security information about network users, eliminating the risks associated with manually maintaining and synchronizing redundant data stores, and enabling centralized user management throughout the enterprise.
• SmartProvisioning — The Check Point SmartProvisioning Software Blade provides centralized administration and security provisioning of Check Point devices. Using profiles, administrators can automate device configuration and easily roll out changes to settings to multiple, geographically distributed devices, via a single security management console.
• SmartEvent — The Check Point SmartEvent Software Blade […] by centralizing network security reporting of network, security and user activity into concise, predefined […] easily manage big data security, and make faster, more informed security decisions.
• Multi-Domain Security Management — Security Management and Multi-Domain Security Management (Provider-1) deliver […] by segmenting your security management into multiple virtual […]
Endpoint Software Blades
• Full Disk Encryption — The Check Point Full Disk Encryption Software Blade provides automatic security for all information on endpoint hard drives, including user data, operating system files and temporary and erased files. For maximum data protection, multi-factor pre-boot authentication ensures user identity, while encryption prevents data loss from theft.
• Media Encryption — The Check Point Media Encryption Software Blade provides centrally-enforceable encryption of removable storage media such as USB flash drives, backup hard drives, CDs and DVDs, for maximum data protection. Educating users on when to share and not share corporate data via UserCheck prevents future data sharing mistakes. Port control enables management of all endpoint ports, plus centralized logging of port activity for auditing and compliance.
• Remote Access — The Check Point Endpoint Remote Access VPN Software Blade provides users with secure, seamless access to corporate networks and resources when traveling or working remotely. Privacy and integrity of sensitive information is ensured through multi-factor authentication, endpoint system compliance scanning and encryption of all transmitted data.
Check Point Gaia
History - Power of Two
Check Point Gaia is the unified cutting-edge secure operating system for all Check Point Appliances, open servers and virtualized gateways. Gaia was derived from IPSO and SecurePlatform.
IPSO
Ipsilon Networks, the developers of IPSO, was a computer networking company specializing in IP switching. The company was a key player in the introduction of label switching, and published early proposals on the subject. Label switching, or tag switching (Cisco Systems), was a technology that eventually became standardized as MPLS (Multiprotocol Label Switching). Nokia purchased Ipsilon Networks in 1997, and incorporated the IPSO operating system into their network appliances. Check Point bought Nokia's Security business unit in April 2008.
IPSO 3.x and 4.x were based on FreeBSD 2.x. IPSO 6.x is based on FreeBSD 6.x. As a stripped-down operating system, IPSO provided enough functionality to run Check Point firewalls, along with the incorporation of some standard Unix commands, such as top, ps, df. It also provided a hardened, secure operating system (no compilers included). IPSO also provided great visibility into kernel statistics, such as network counters, interrupts, and more.
IPSO contained many key differentiators from mainline FreeBSD, as well as from SecurePlatform:
• ipsctl: comparable to sysctl (BSD) and /proc (Linux)
• ipsrd: comparable to GateD or Quagga
• xpand and configuration database: single system configuration repository
• Voyager: Web-based management GUI for the operating system
• clish: command line shell supporting the same features as Voyager
• iclid: ipsrd command line interface daemon
• VRRP and IP Clustering: High Availability solutions
• ADP: Accelerated Data Path
• Boot Manager: similar to OpenBoot on Sun boxes
• CST: Configuration Summary Tool
SecurePlatform
Check Point's secure operating system, SecurePlatform, is based on a kernel from Red Hat Software, which allows SecurePlatform to benefit from the compatibility and stability testing performed by Red Hat Software.
SecurePlatform has been hardened to eliminate any components that are not necessary for a network security device. Components that could present security exposure were removed or modified. The hardening of SecurePlatform components was audited by both Check Point staff and an independent security consulting organization.
Any software package not needed by network security services was removed from SecurePlatform. Required services that might present security risks were modified as necessary. Where the existing software could not be made secure, it was replaced. For example, the Web server used by the Web interface for system administration was developed internally at Check Point. The Web server is a small server, designed to perform only the functions required to allow Web-based system administration.
Routine management and maintenance of SecurePlatform is performed through a restricted shell, called Standard Mode. Most utilities needed to manage SecurePlatform and other installed Check Point products are accessed in Standard Mode. Many Standard Mode commands are 'wrapped' in custom scripts to disable unnecessary options and make the utility easier to use. Standard Mode enhances the security of SecurePlatform by restricting access to utilities that, if used improperly, could damage system stability. Because of the usability enhancements in Standard Mode, extensive Linux knowledge is not required to perform routine management of SecurePlatform.
Because SecurePlatform does not include unnecessary software, superior performance is achieved. Resources are not consumed by software such as graphical user interfaces, office applications, and network file systems. All system resources are dedicated to the operating system and the installed Check Point products. SecurePlatform fully supports Check Point SecureXL, which can boost throughput rates for SecurePlatform installations to speeds up to three times faster than the throughput realized on similar hardware with other operating systems, without SecureXL.
Benefits of Gaia
Check Point Gaia is the next generation Secure Operating System for all Check Point appliances and open servers. Gaia combines the best features from IPSO and SecurePlatform (SPLAT) into a single unified OS providing greater efficiency and robust performance. With the support of the full suite of Software Blades, customers will benefit from improved connection capacity and the full breadth and power of Check Point security technologies by adopting Gaia.
Check Point Gaia, announced on April 17th, 2012, offers 3 key value propositions:
• Combining the best features of IPSO & SecurePlatform
• Increased operational efficiency with a wide range of features
• A secure platform for the most demanding environments
Gaia combines the best features from IPSO and SecurePlatform (SPLAT) into a single unified OS providing greater efficiency and robust performance. As a 64-bit operating system, Gaia increases the connection capacity of select appliances. Customers migrating from IPv4 to IPv6 networks are secured with Gaia utilizing the Check Point Acceleration & Clustering technology. Gaia fits into the most complex networks by supporting dynamic routing, bridge mode and 802.3ad link aggregation.
Gaia simplifies and strengthens management with segregation of duties by enabling role-based administrative access. Furthermore, Gaia greatly increases operational efficiency by offering Intelligent Software Updates. Security management is made simple with the intuitive and feature-rich Web-based user interface and instant search for all commands and properties. Gaia is fully compatible with IPSO and SPLAT command line interface (CLI) commands, making it an easy transition from existing Check Point operating platforms.
Gaia Architecture
Table 2-1: Benefits of Gaia for SecurePlatform and IPSO Users
For SecurePlatform users:
• Ease of use: configuration wizards, one-step install, one-click registration
• Full Software Blade support
• Higher connection capacity: 64-bit OS
• IPv6: supports dual stack and tunneling, SecureXL and CoreXL acceleration
• Clustering options: ClusterXL and CoreXL acceleration
• Enhanced device management: image snapshot, device replication, automated software update
• WebUI and CLI
• Role-based administration
• Multiple configuration sets
• Manageable dynamic routing
For IPSO users:
• Higher connection capacity: 64-bit OS
• IPv6: supports dual stack and tunneling, SecureXL and CoreXL acceleration
• Clustering options: ClusterXL and CoreXL acceleration
• Enhanced device management: image snapshot, device replication, automated software update
Full Compatibility with IPSO and SPLAT CLI Commands
Transitioning to Gaia is a breeze for security administrators. The same powerful command line interface (CLI) commands from IPSO and SPLAT are seamlessly integrated into Gaia. Additional new commands and capabilities are also added to the Gaia CLI, making the powerful CLI interface even more intuitive to use.
Web-Based User Interface with Search Navigation
The intuitive WebUI delivers a refreshing user experience for security administrators. This interface integrates all management functions into a Web-based dashboard that is accessible via the most popular Web browsers: Internet Explorer, Chrome, Firefox and Safari. The built-in search navigation delivers instant results on commands and properties. For CLI-inclined users, a Shell-Emulator pop-up window is only a single click away.
Role-Based Administrative Access
Segregation of duties is part of a good security policy and it improves operating efficiency and auditing of administrative events. The role-based administrative access gives Gaia customers the ability and granularity to customize their security management policies to their particular business needs. Specific levels of access can be granted based on each individual's role and responsibility, building a stronger security environment.
Support for Industry Standard Authentication
The AAA component of Gaia manages user access to the appliance. Generally, AAA includes Authentication (identifying a user), Authorization (determining what a user is permitted to do), and Accounting (tracking some aspects of a user's activity). Gaia implements Pluggable Authentication Modules (PAM), an industry-standard framework for authenticating and authorizing users. Using PAM, authentication, account management, and session management algorithms are contained in shared modules that you configure on your appliance.
Support for Industry Standard Monitoring
Gaia supports the user-based security model (USM) component of SNMPv3 to supply message-level security. With USM, described in RFC 3414, access to the SNMP service is controlled on the basis of user identities. Each user has a name, an authentication pass phrase to identify the user, and an optional privacy pass phrase for protection against disclosure of SNMP message payloads. Managed devices use trap messages to report events to the Network Management Station (NMS). SNMP traps may be sent to the NMS in the event of a hardware or product change.
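The USM pass phrases described above are never used directly: RFC 3414 expands each pass phrase into a key and then localizes it with the engine's snmpEngineID, so the same pass phrase yields a different key on every device. The following is an added example (not code from the manual or from Gaia) that carries out those two steps with the RFC's own test vectors; the second engine ID is a constructed value.

```python
# Added example, not from the Check Point manual: the RFC 3414 USM
# password-to-key and key-localization steps that turn a user's authentication
# pass phrase into a per-engine key. Test vectors are those of RFC 3414 A.3.
import hashlib

ONE_MIB = 1_048_576


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku: hash the pass phrase repeated cyclically to exactly 1 MiB (RFC 3414 A.2.1)."""
    if not password:
        raise ValueError("empty pass phrase")
    repeats = ONE_MIB // len(password) + 1
    stream = (password * repeats)[:ONE_MIB]
    return hashlib.new(algorithm, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): binds the key to one SNMP engine."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_auth_key(password: str, engine_id: bytes, algorithm: str = "md5") -> bytes:
    """Full derivation from a user's pass phrase to the key one engine uses."""
    ku = password_to_key(password.encode("utf-8"), algorithm)
    return localize_key(ku, engine_id, algorithm)


if __name__ == "__main__":
    engine_a = bytes.fromhex("000000000000000000000002")   # RFC 3414 sample engineID
    engine_b = bytes.fromhex("800000090300aabbccddeeff")   # constructed second engine
    for alg in ("md5", "sha1"):
        print(alg, localized_auth_key("maplesyrup", engine_a, alg).hex())
    # Same pass phrase on a different engine: the localized keys differ, so a key
    # recovered from one device does not authenticate to another.
    print(localized_auth_key("maplesyrup", engine_a) != localized_auth_key("maplesyrup", engine_b))
```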
Intelligent Software Updates
Applying software updates is an important process for maintaining robust security performance and high network integrity. It is also a process that can sometimes cause disruptions to network services or to your business. With the intelligent software updates offered by Gaia, new releases and patches can be pre-scheduled
Practice and Review
Practice Labs
Lab 3: CLI Tools
Review
1. What are some of the advantages in deploying UTM-1 Edge Appliances?
2. How do you manage the Gaia Appliance?
3. How would you get Gaia system information?
Introduction to the Security Policy
Learning Objectives:
The Security Policy is essential in administrating security for your organization's network. This chapter examines how to create rules based on network objects, and modify a Security Policy's properties. In addition, this chapter will teach you how to apply Database Revision Control and Policy Package management, to decrease the burden of management when working with rules and objects.
• Given the network topology, create and configure network, host and gateway objects.
• Verify SIC establishment between the Security Management Server and the Gateway using SmartDashboard.
• Create a basic Rule Base in SmartDashboard that includes permissions for administrative users, external services, and LAN outbound use.
• Evaluate existing policies and optimize the rules based on current corporate requirements.
• Maintain the Security Management Server with scheduled backups and policy versions to ensure seamless upgrades and minimal downtime.
Security Policy Basics
The Rule Base
The Security Policy is a set of rules that defines your network security using a Rule Base: rules comprised of network objects, such as gateways, hosts, networks, routers, and domains. Once a Rule Base is defined, the Policy is distributed to all Security Gateways across a network.
Each rule in a Rule Base specifies the source, destination, service, and action to be taken for each session. A rule also specifies how a communication is tracked. Events can be logged, and then trigger an alert message. The figure is an example of a Rule Base:
Figure 26 — Rule Base
Managing Objects in SmartDashboard
Objects are created by the System Administrator to represent actual hosts and devices, as well as intangible components, such as services (for example, HTTP and TELNET) and resources (for example, URI and FTP). Each component of an organization has a corresponding object that represents it. Once these objects are created, they can be used in the rules of the Security Policy. Objects are the building blocks of Security Policy rules and are stored in the Objects database on the Security Management Server.
Objects in SmartDashboard are divided into several categories, which can be viewed in the different tabs of the Objects Tree. For instance, the Network Objects tab represents the physical machines and logical components, such as dynamic objects and address ranges, that make up your organization.
When creating objects, the System Administrator must consider the needs of the organization:
• What are the physical and logical components that make up the organization? Each component that accesses the Security Gateway most likely needs to be defined.
• Who are the users and Administrators, and how should they be divided into different groups?
Figure 27 — SmartDashboard
SmartDashboard and Objects
SmartDashboard is comprised of three principal areas, known as panes. From these panes, objects are created, manipulated, and accessed. The following section describes the functions and characteristics of each pane.
Object-Tree Pane
The Objects tree is the main view for managing and displaying objects. Objects are distributed among logical categories (called tabs), such as Network Objects and Services. Each tab orders its objects logically. For example, the Services tab locates all services using ICMP in the folder called ICMP.
Objects-List Pane
The Objects tree works with the Objects list. The Objects list displays current information for a selected object category. For example, when a Logical Server network object is selected in the Objects tree, the Objects list displays a list of Logical Servers, with certain details displayed.
Object Types
The objects lists are divided into the following categories:
• Network
• Services
• Resources
• Servers and OPSEC Applications
• Users and Administrators
• VPN Communities
Rule Base Pane
Objects are implemented across various Rule Bases, where they are used in the rules of various Policies. For example, network objects are generally used in the Source, Destination or Install On columns, while time objects can be applied in any Rule Base within the Time column.
Managing Objects
The Objects Tree is the main view for adding, editing, and deleting objects, although these operations can also be performed from the menus, toolbars and other views, such as in Rule Bases. You create objects to represent actual hosts and devices, intangible components (such as HTTP and TELNET services) and resources (for example, URI and FTP). Make an object for each component in your organization. Then you can use the objects in the rules of the Security Policy. Objects are stored in the Objects database on the Security Management Server.
Figure 28 — Object Tree
When you create your objects, consider the needs of your organization:
• What are the physical components in your network?
• What are the logical components: services, resources, and applications?
• What components will access the firewall?
• Who are the users, and how should they be grouped?
• Who are the administrators, and what are their roles?
• Will you use VPN, and if so, will it allow remote users?
Creating an Object with the Objects Tree
To add a new object, right-click the object type you would like to add. For example, in the Network Objects tab, right-click Networks and select Network from the displayed menu, or click the Action button on the Object List menu bar.
Editing an Object with the Objects Tree
To edit an existing object, right-click the desired object in the Objects tree and select Edit from the displayed menu, or double-click the object you would like to modify.
Deleting an Object with the Objects Tree
To delete an existing object, right-click the object in the Objects tree and click Delete from the displayed menu.
Classic View of the Objects Tree
In Classic view, network objects are displayed beneath their object type. For example, a corporate mail server would appear under the Node category. Check Point management stations and Security Gateways appear under the category Check Point, DAIP servers appear in the category Dynamic Objects, etc. Organizing objects by category is preferred for small-to-medium-sized deployments. SmartDashboard opens to Classic view by default, unless set to Group view.
Group View of the Objects Tree
In Group view, network objects are organized by the group objects to which they belong. For instance, group GW-group could include all of the gateway objects in an organization. You can switch to Group view by right-clicking Network Objects, and selecting Arrange by groups. As changing views can at first be disorienting, a warning appears.
Creating the Rule Base
Each rule in a Rule Base defines the packets that match the rule — based on source, destination, service, and the time the packet is inspected. The first rule that matches a packet is applied, and the specified Action is taken. The communication may be logged and/or an alert may be issued, depending on what has been entered in the Track field.
Figure 29 — Adding a Rule
Basic Rule Base Concepts
The SmartDashboard allows you to create a Rule Base, which builds your Security Policy from a collection of individual rules. Choose from the following options:
• Add Rule — The position where the rule is to be placed: Bottom, Top, After, Before.
• Delete Rule — Deletes the currently selected rule from the Rule Base.
• Disable Rule — Disables a rule when testing a Security Policy; disabling a rule can also allow access to a previously restricted source or destination.
• Hide — Hides, unhides, views, and manages hidden rules; hidden rules still apply, they are just not visible in the SmartDashboard. This feature is normally used to temporarily move groups of rules out of view, to minimize confusion when an Administrator is working on a complex Rule Base.
• Rule Expiration — Allows a rule to be set with an activation date and time, and an expiration date and time, or a rule can be restricted to specific hours and days.
Default Rule
The Default Rule is added when you add a rule to the Rule Base. You can configure this rule with all objects, services, and users installed on your database.
Figure 30 — Default Rule
The Default Rule is defined with the following information:
• No. — Defines the number order of each rule; the first rule in the Rule Base is No. 1.
• Hits — Tracks the number of connections each rule matches on this gateway.
• Name — Gives Administrators a space to name the rule, helping to annotate the Rule Base; by default, it is blank.
• Source — Displays the Object Manager screen, from which you can select network objects or a group of users, to add to the Rule Base; the default is Any.
• Destination — Displays the Object Manager screen, from which you can select resource objects to add to the rule; the default is Any.
• VPN — Displays the Add Objects VPN Communities screen, from which you can select a VPN Community to add to the rule; the default is Any Traffic.
• Service — Displays the Service Manager screen, from which you can select services to add to the rule; the default is Any.
• Action — Accepts, drops, or rejects the session, or provides authentication and encryption; the default is drop.
• Track — Defines logging or alerting for this rule; the default is none. The options are: Account, Alert, Log, Mail, None, SnmpTrap, and UserDefined.
• Install On — Specifies which firewalled objects will enforce the rule; the default is Policy Targets, which means all internal firewalled objects. (Throughout this handbook, all labs and examples assume this default, and the Install On column is not shown.)
• Time — Specifies the time period for the rule; the default is Any. (Throughout this handbook, all labs and examples assume this default and the Time column is not shown.)
• Comment — Allows Administrators to add notes about this rule; the default is a blank comment field.
Basic Rules
There are two basic rules used by nearly all Security Gateway Administrators: the Cleanup Rule and the Stealth Rule.
Figure 31 — Basic Rules
Both the Cleanup and Stealth Rules are important for creating basic security measures, and tracking important information in SmartView Tracker.
• Cleanup Rule — The Security Gateway follows the principle, "That which is not expressly permitted is prohibited". Security Gateways drop all communication attempts that do not match a rule. The only way to monitor the dropped packets is to create a Cleanup Rule that logs all dropped traffic. The Cleanup Rule, also known as the "None of the Above" rule, drops all communication not described by any other rules, and allows you to specify logging for everything being dropped by this rule.
• Stealth Rule — To prevent any users from connecting directly to the Gateway, you should add a Stealth Rule to your Rule Base. Protecting the Gateway in this manner makes the Gateway transparent to the network. The Gateway becomes invisible to users on the network. The figure above displays a sample Stealth Rule.
In most cases, the Stealth Rule should be placed above all other rules. Placing the Stealth Rule at the top of the Rule Base protects your Gateway from port scanning, spoofing, and other types of direct attacks. Connections that need to be made directly to the Gateway, such as Client Authentication, encryption and Content Vectoring Protocol (CVP) rules, always go above the Stealth Rule.
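To make the first-match behaviour, the Stealth and Cleanup Rules, and the effect of rule order concrete, here is an added example (not code from the manual or from Check Point) that simulates a small Rule Base: the gateway address, the networks, the rule names and the services are all constructed for the demonstration.

```python
# Added example, not from the Check Point manual: a first-match Rule Base
# simulator with a Stealth Rule, a Cleanup Rule and Track logging, plus a
# shadowing check that shows why rule order matters. The gateway address,
# networks, rule names and services are constructed for the demonstration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    no: int
    name: str
    source: str          # network object in CIDR form, or Any
    destination: str     # network object in CIDR form, or Any
    service: str         # service name, or Any
    action: str          # Accept, Drop or Reject
    track: str = "None"  # Log, Alert or None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def in_object(obj: str, addr: str) -> bool:
    """True when addr falls inside the network object (Any matches everything)."""
    return obj == ANY or ip_address(addr) in ip_network(obj, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (in_object(rule.source, pkt.src)
            and in_object(rule.destination, pkt.dst)
            and rule.service in (ANY, pkt.service))


def evaluate(rulebase: List[Rule], pkt: Packet, log: List[str]) -> Tuple[Optional[int], str]:
    """Apply the first matching rule, top to bottom; append a log line when the
    rule's Track field is set. Unmatched traffic is dropped without any log,
    which is exactly what a logging Cleanup Rule is there to make visible."""
    for rule in rulebase:
        if rule_matches(rule, pkt):
            if rule.track != "None":
                log.append(f"rule {rule.no} ({rule.name}) {rule.action} "
                           f"{pkt.src} -> {pkt.dst} {pkt.service} [{rule.track}]")
            return rule.no, rule.action
    return None, "Drop"


def covers(outer: str, inner: str) -> bool:
    """Does network object `outer` contain every address of `inner`?"""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed_rules(rulebase: List[Rule]) -> List[int]:
    """Numbers of rules that can never match because an earlier rule already
    covers their whole source, destination and service."""
    shadowed = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (covers(earlier.source, later.source)
                    and covers(earlier.destination, later.destination)
                    and earlier.service in (ANY, later.service)):
                shadowed.append(later.no)
                break
    return shadowed


GATEWAY = "203.0.113.1/32"      # the gateway object itself (constructed)
LAN = "192.168.10.0/24"         # internal network object (constructed)
ADMIN_HOST = "192.168.10.5/32"  # administrator's workstation (constructed)

RULEBASE = [
    # Direct connections to the gateway go above the Stealth Rule.
    Rule(1, "Admin SSH to gateway", ADMIN_HOST, GATEWAY, "ssh", "Accept", "Log"),
    Rule(2, "Stealth", ANY, GATEWAY, ANY, "Drop", "Log"),
    Rule(3, "LAN outbound web", LAN, ANY, "http", "Accept", "Log"),
    # Cleanup ("None of the Above"): drop and log everything else.
    Rule(4, "Cleanup", ANY, ANY, ANY, "Drop", "Log"),
]


if __name__ == "__main__":
    log: List[str] = []
    for pkt in (Packet("192.168.10.5", "203.0.113.1", "ssh"),      # admin to gateway
                Packet("198.51.100.7", "203.0.113.1", "http"),     # outsider probing the gateway
                Packet("192.168.10.20", "93.184.216.34", "http"),  # LAN user browsing
                Packet("198.51.100.7", "192.168.10.20", "smtp")):  # unsolicited inbound
        print(pkt, "->", evaluate(RULEBASE, pkt, log))
    print("\n".join(log))
    # A permissive "Any to gateway" rule placed on top shadows rules 1 and 2.
    print(shadowed_rules([Rule(0, "Any to gateway", ANY, GATEWAY, ANY, "Accept")] + RULEBASE))
```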
Control Connections
The Security Gateway creates a Rule Base by translating the Security Policy into a collection of individual rules. The Security Gateway creates implicit rules, derived from Global Properties, and explicit rules, created by the Administrator in the SmartDashboard.
Figure 32 — Implicit/Explicit Rules
An explicit rule is a rule that you create in the Rule Base. Explicit rules are displayed together with implicit rules in the correct sequence, when you select to view implied rules. To see how properties and rules interact, select Implied Rules from the View menu. Implicit rules appear without numbering, and explicit rules appear with numbering.
Implicit rules are defined by the Security Gateway to allow certain connections to and from the Gateway, with a variety of different services. The Gateway enforces two types of implicit rules that enable the following:
• Control Connections
• Outgoing packets
The Security Gateway creates a group of implicit rules that it places first, last, or before last in the explicitly defined Rule Base. These first implicit rules are based on the Accept control connections setting on the Global Properties window. The Gateway anticipates other possible connections relating to Gateway communication, and also creates implicit rules for those scenarios.
There are three types of Control Connections, defined by default rules:
• Gateway-specific traffic that facilitates functionality, such as logging, management, and key exchange
• Acceptance of IKE and RDP traffic for communication and encryption purposes
• Communication with various types of servers, such as RADIUS, CVP, UFP, TACACS, LDAP, and Logical Servers, even if these servers are not specifically defined resources in your Security Policy
Implied rules are generated in the Rule Base through Global Properties. Check the properties enforced in the FireWall Implied Rules screen, then choose a position in the Rule Base for the implied rule:
• First — first in the Rule Base
• Before Last — before the last rule in the Rule Base
• Last — last rule in the Rule Base
Detecting IP Spoofing
Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP address. This alteration makes it appear as though the packet originated in the part of a network with higher access privileges. The Security Gateway has a sophisticated anti-spoofing feature that detects such packets, by requiring that the interface on which a packet enters a gateway corresponds to its IP address.
Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on a gateway. Anti-spoofing confirms that packets claiming to be from the internal network are actually coming from the internal-network interface. It also verifies that, once a packet is routed, it is going through the proper interface.
Configuring Anti-Spoofing
To properly configure anti-spoofing, networks that are reachable from an interface need to be defined appropriately. For anti-spoofing to be most effective, it should be configured on all gateway interfaces. If anti-spoofing is implemented on a specific interface, spoof tracking for that interface should also be defined. This will help with both intrusion detection and troubleshooting.
To activate anti-spoofing, configure the firewalled-interface properties. The Topology tab of the Interface Properties window allows you to configure the anti-spoofing properties of a gateway.
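The interface check described above, as an added Python example (not Check Point code): each interface carries the networks its Topology tab declares, the external interface accepts any address not claimed by an internal interface, and a mismatch in either direction produces a spoof-tracking record. Interface names, networks, tracking settings and packets are constructed.

```python
"""Model of gateway anti-spoofing: a packet is legal only if the interface it
enters (or leaves) corresponds to its IP address.

Added example, not Check Point code. Interface names, topology networks,
spoof-tracking settings and the sample packets are all constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Interface:
    name: str
    # Networks reachable behind this interface (what its Topology tab
    # declares); not used for an external interface.
    topology: List[str] = field(default_factory=list)
    # An external interface may carry any address that is not claimed by
    # an internal interface's topology.
    external: bool = False
    # Spoof tracking for this interface: "none", "log" or "alert".
    spoof_tracking: str = "log"


class AntiSpoofing:
    def __init__(self, interfaces: List[Interface]):
        self.interfaces = {i.name: i for i in interfaces}
        # Spoof-tracking records: (track, direction, interface, address).
        self.events: List[Tuple[str, str, str, str]] = []

    @staticmethod
    def _in_topology(iface: Interface, ip) -> bool:
        return any(ip in ipaddress.ip_network(n) for n in iface.topology)

    def _address_fits(self, iface: Interface, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        if iface.external:
            # An address that belongs behind an internal interface cannot
            # legitimately appear on the external side.
            return not any(
                self._in_topology(other, ip)
                for other in self.interfaces.values()
                if other is not iface and not other.external
            )
        return self._in_topology(iface, ip)

    def _check(self, direction: str, iface_name: str, addr: str) -> bool:
        iface = self.interfaces[iface_name]
        ok = self._address_fits(iface, addr)
        if not ok and iface.spoof_tracking != "none":
            self.events.append((iface.spoof_tracking, direction, iface_name, addr))
        return ok

    def inbound_ok(self, iface_name: str, src: str) -> bool:
        """Packet arriving on iface_name claiming source address src."""
        return self._check("inbound", iface_name, src)

    def outbound_ok(self, iface_name: str, dst: str) -> bool:
        """Packet routed out of iface_name towards dst."""
        return self._check("outbound", iface_name, dst)


def build_demo_gateway() -> AntiSpoofing:
    """A three-interface gateway with constructed topology values."""
    return AntiSpoofing([
        Interface("eth0", external=True, spoof_tracking="alert"),  # Internet
        Interface("eth1", topology=["10.1.0.0/16"]),               # internal LAN
        Interface("eth2", topology=["172.16.5.0/24"]),             # DMZ
    ])


if __name__ == "__main__":
    gw = build_demo_gateway()
    # A packet claiming an internal source but entering from the Internet.
    print(gw.inbound_ok("eth0", "10.1.2.3"))      # False, alert recorded
    print(gw.inbound_ok("eth1", "10.1.2.3"))      # True
    print(gw.outbound_ok("eth1", "172.16.5.9"))   # False, that host is behind eth2
    print(gw.events)
```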
Rule Base Management
As a network infrastructure grows, so will the Rule Base created to manage the network's traffic. If not managed properly, Rule Base order can affect Security Gateway performance and negatively impact traffic on the protected networks. Here are some general guidelines to help you manage your Rule Base effectively.
Before creating a Rule Base for your system, answer the following questions:
1. Which objects are in the network? Examples include gateways, hosts, networks, routers, and domains.
2. Which user permissions and authentication schemes are needed?
3. Which services, including customized services and sessions, are allowed across the network?
As you formulate the Rule Base for your Policy, these tips are useful to consider:
• The Policy is enforced from top to bottom.
• Place the most restrictive rules at the top of the Policy, then proceed with the generalized rules further down the Rule Base. If more permissive rules are located at the top, the restrictive rule may not be used properly. This allows misuse or unintended use of access, or an intrusion, due to improper rule configuration.
• Keep it simple. Grouping objects or combining rules makes for visual clarity and simplifies debugging. If more than 50 rules are used, the Security Policy becomes hard to manage. Security Administrators may have difficulty determining how rules interact.
• Add a Stealth Rule and Cleanup Rule first to each new Policy Package. A Stealth Rule blocks access to the Gateway. Using an Explicit Drop Rule is recommended for logging purposes.
• Limit the use of the Reject action in rules. If a rule is configured to reject, a message is returned to the source address, informing it that the connection is not permitted.
• Use section titles to group similar rules according to their function. For example, rules controlling access to a DMZ should be placed together. Rules allowing an internal network access to the Internet should be placed together, and so on. This allows easier modification of the Rule Base, as it is easier to locate the appropriate rules.
• Comment each rule! Documentation eases troubleshooting and explains why rules exist. This assists when reviewing the Security Policy for errors and modifications. This is particularly important when the Policy is managed by multiple Administrators. In addition, this Comment option is available when saving database versions. See the Database Revision Control section in this chapter.
• For efficiency, the most frequently used rules are placed above less-frequently used rules. This must be done carefully, to ensure a general-accept rule is not placed before a specific-drop rule.
Understanding Rule Base Order
Before you can define Security Policy properties, you must consider Rule Base order. The Security Gateway inspects packets by comparing them to the Security Policy, one rule at a time. For this reason, it is important to define each rule in the Security Policy in the appropriate order. Firewall implied rules are placed first, last, or before last in the Rule Base and can be logged. Rules are processed in the following order:
IP spoofing/IP options:
1. First: This rule cannot be modified or overwritten in the Rule Base because the first rule that matches is always applied to the packet and no rules can be placed before it. Implied rules are processed before administrator explicitly-defined rules.
2. Explicit: These are the administrator-defined rules, which may be located between the first and the before-last rules.
3. Before Last: These are more specific implied rules that are enforced before the last rule is applied.
4. Last: A rule that is enforced after the last rule in the Rule Base, which normally rejects all packets, usually referred to as the Cleanup Rule.
5. Implicit Drop Rule: No logging occurs.
Completing the Rule Base
When you have defined the desired rules, you must install the Security Policy. The installation process specifies the network object on which the Security Policy is installed. Only managed objects are available for Policy installation. In contrast, the Install On element in the Rule Base specifies the network object that is to enforce a specific rule.
There are times when verifying a Security Policy is useful to System Administrators. By verifying a Security Policy, you check that rules are consistent and that there are no redundant rules before Security Policy installation.
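The processing order under Understanding Rule Base Order and the verification step just described, as one added Python example (not Check Point code): a first-match evaluator over First implied, explicit, Before Last implied and Last rules with the unlogged implicit drop, plus a check that reports rules shadowed by an earlier rule. Rule names, the gateway address, service names and packets are constructed; the two implied rules stand in for what Global Properties generates.

```python
"""Model of the gateway's rule-base evaluation order (First implied, explicit,
Before Last implied, Last implied, then the unlogged implicit drop) and of the
policy verification check for rules shadowed by earlier ones.

Added example, not Check Point code. Rule names, objects, service names and
packets are constructed; the two implied rules are stand-ins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR network, single address or ANY
    dst: str
    service: str          # service name or ANY
    action: str           # "Accept", "Drop" or "Reject"
    track: str = "None"   # "None", "Log" or "Alert"


def _as_net(value: str):
    """Return an ip_network for an address/CIDR field, else None."""
    try:
        return ipaddress.ip_network(value)
    except ValueError:
        return None


def _field_matches(rule_field: str, pkt_value: str) -> bool:
    if rule_field == ANY:
        return True
    net = _as_net(rule_field)
    if net is not None:
        return ipaddress.ip_address(pkt_value) in net
    return rule_field == pkt_value


def rule_matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    return all(_field_matches(f, pkt[k]) for f, k in
               ((rule.src, "src"), (rule.dst, "dst"), (rule.service, "service")))


# Appended by the gateway after every other rule; it never logs.
IMPLICIT_DROP = Rule("Implicit Drop", ANY, ANY, ANY, "Drop", "None")


def build_rule_base(first, explicit, before_last, last) -> List[Rule]:
    """Assemble rules in the order the gateway processes them."""
    return list(first) + list(explicit) + list(before_last) + list(last)


def evaluate(rule_base: List[Rule], pkt: Dict[str, str]) -> Tuple[Rule, Optional[str]]:
    """First match wins. Returns the matching rule and the log entry it
    produces (None when Track is None, as it always is for the implicit drop)."""
    for rule in rule_base + [IMPLICIT_DROP]:
        if rule_matches(rule, pkt):
            entry = None
            if rule.track != "None":
                entry = (f"{rule.track}: {rule.action} {pkt['src']} -> {pkt['dst']} "
                         f"{pkt['service']} by rule '{rule.name}'")
            return rule, entry
    raise RuntimeError("unreachable: the implicit drop matches everything")


def _covers(wide: str, narrow: str) -> bool:
    """True if every value matching `narrow` also matches `wide`."""
    if wide == ANY:
        return True
    if narrow == ANY:
        return False
    wide_net, narrow_net = _as_net(wide), _as_net(narrow)
    if wide_net is not None and narrow_net is not None:
        return narrow_net.subnet_of(wide_net)
    return wide == narrow


def verify(rule_base: List[Rule]) -> List[Tuple[str, str]]:
    """Policy verification: (earlier, later) pairs where the later rule can
    never match because an earlier rule already covers all of its traffic."""
    findings = []
    for i, later in enumerate(rule_base):
        for earlier in rule_base[:i]:
            if all(_covers(a, b) for a, b in ((earlier.src, later.src),
                                               (earlier.dst, later.dst),
                                               (earlier.service, later.service))):
                findings.append((earlier.name, later.name))
                break
    return findings


GATEWAY = "192.0.2.1"   # constructed gateway address
FIRST_IMPLIED = [Rule("Control Connections", ANY, GATEWAY, "FW1_log", "Accept")]
BEFORE_LAST_IMPLIED = [Rule("Accept ICMP requests", ANY, ANY, "icmp", "Accept")]
EXPLICIT = [
    Rule("Stealth Rule", ANY, GATEWAY, ANY, "Drop", "Log"),
    Rule("DMZ web", ANY, "172.16.5.0/24", "http", "Accept", "Log"),
    Rule("Block bad host", ANY, "172.16.5.9", "http", "Drop", "Alert"),  # shadowed
    Rule("Cleanup Rule", ANY, ANY, ANY, "Drop", "Log"),
]

if __name__ == "__main__":
    rb = build_rule_base(FIRST_IMPLIED, EXPLICIT, BEFORE_LAST_IMPLIED, [])
    print(evaluate(rb, {"src": "10.1.2.3", "dst": GATEWAY, "service": "ssh"}))
    print(verify(rb))   # the explicit cleanup rule also shadows the Before Last ICMP rule
```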
Policy Management and Revision Control
Policies are created by the system administrator and managed via the Security Management Server. Different versions of these policies can be saved. Each version includes backups of the various databases (objects, users, Certificate Authority data, etc.). This information is zipped and saved.
The existing versions are recorded in a "Version table". This table can be viewed, and the versions which are displayed can be modified. It is possible to:
• Create a Version
• Export and Import a Version
• View a Version
• Revert to a Previous Version
• Delete a Version
Versions can be created manually by the system administrator, or the system can be set to automatically create a new version every time Security Policy installation takes place. It is recommended to create a version before upgrading the system. This enables the administrator to back out to a functioning environment in case of problems during the upgrade operation.
Important - The Revision Control feature is not supported when the Security Management database contains VSX objects. You must not select the Create database version option in SmartDashboard when you install a policy.
Policy Package Management
Some circumstances require multiple versions of a Security Policy, but the object database needs to stay the same. Often this will be when adding or consolidating rules in an existing Rule Base, or creating a new set of rules on a Gateway. In these circumstances, using Policy Package management is better than creating multiple versions of the system database.
These two points are worth consideration when saving your Policies:
• The new Policy Package includes Firewall, Address Translation, Application & URL Filtering, Anti-Bot & Anti-Virus, QoS and Desktop Security policies.
• It is an ideal management utility for a distributed installation with multiple Security Gateways; specific Policies are created for specific Security Gateways.
The Security Management Server provides a wide range of tools that address various Policy management tasks, both at the definition stage and at the maintenance stage:
• Policy Packages — Allow you to easily group different types of Policies, to be installed together on the same installation target(s).
• Predefined Installation Targets — Allow you to associate each Policy Package with the appropriate set of Gateways; this feature frees you of the need to repeat the Gateway selection process every time you install (or uninstall) the Package, with the option to easily modify the list at any given time. In addition, it minimizes the risk of installing Policies on inappropriate targets.
• Section Titles — Allow you to visually break your Rule Base into subjects, thereby instantly improving your orientation and ability to locate rules and objects of interest.
• Queries — Provide versatile search capabilities for both objects and the rules in which they are used.
• Sorting — Using the Objects tree and Objects list pane is a simple and quick way to locate objects; this feature is greatly facilitated by consistent use of naming and coloring conventions.
Database Revision Control
Database Revision Control gives the Administrator freedom to create fallback configurations when implementing new objects and rules, or adjusting rules and objects as networks change. This can help the Administrator test new Rule Base and object configurations, or can be used to revert to an earlier configuration for troubleshooting.
Consider these points when saving your Policies:
• The database version consists of all Policies on a single Gateway, and objects and users configured, including settings in SmartDefense and Global Properties.
• It is an ideal management utility for a stand-alone or distributed deployment with a single Gateway.
• It is configurable to automatically create new database versions on Policy installation.
This table compares the advantages of using Database Revision Control and Policy Package Management:
Database Revision Control:
• Database version consists of all Policies, objects and users configured, including settings in SmartDefense and Global Properties
• Ideal management utility for a stand-alone deployment, or a distributed deployment with a single Gateway
• Configurable to automatically create new database versions on Policy installation
Policy Package Management:
• Policy Package including only Security and NAT, QoS, and Desktop Security settings
• Ideal management utility for a distributed installation with multiple Security Gateways; specific Policies created for specific Security Gateways
Multicasting
Multicasting transmits a single message to a select group of recipients. A typical use of multicasting is to distribute real-time audio and video to a set of hosts that have joined a distributed conference. IP multicasting applications send one copy of each IP packet, and address it to a group of computers that want to receive it. This technique addresses datagrams to a group of receivers at a multicast address, rather than to a single receiver at a unicast address. Network routers forward the datagrams to only those routers and hosts that need to receive them.
Figure 34 — Multicast Address Range Properties
The Multicast Restrictions tab in the Interface Properties window drops multicast packets according to configured conditions. Security Administrators can configure a list of address ranges to drop or accept.
Figure 35 — Interface Properties
To configure multicast access control:
1. In the Topology window of the Gateway's General Properties, edit the appropriate interface.
2. In the Interface Properties window's Multicast Restrictions tab, select Drop Multicast packets by the following conditions.
3. After selecting your drop option and clicking Add, you are prompted to select a Multicast Address Range in the Add Object window. Click Add, and in the Multicast Address Range Properties window, define either an IP address range or a single IP address that is in the range 224.0.0.0-239.255.255.255.
4. In the Rule Base, add a rule to allow the required multicast groups. In the destination of the rule, specify the multicast groups defined in step 1.
5. Save and install the Policy.
Practice and Review
Practice Labs
Lab 4: Building a Security Policy
Lab 5: Configuring the DMZ
Review
1. Objects are created by the Security Administrator to represent actual hosts and devices, as well as services and resources, to use when developing the Security Policy. What should the Administrator consider before creating objects?
2. What are some important considerations when formulating or updating a Rule Base?
CHAPTER 4 Monitoring Traffic and Connections
Monitoring Traffic and Connections
Learning Objectives
To manage your network effectively and to make informed decisions, you need to gather information on the network's traffic patterns.
• Use Queries in SmartView Tracker to monitor IPS and common network traffic and troubleshoot events using packet data.
• Using packet data on a given corporate network, generate reports, troubleshoot system and security issues, and ensure network functionality.
• Using SmartView Monitor, configure alerts and traffic counters, view a Gateway's status, monitor suspicious activity rules, analyze tunnel activity, and monitor remote user access based on corporate requirements.
SmartView Tracker
Check Point's SmartView Tracker provides visual tracking, monitoring, and accounting information for all connections logged by Check Point components. Online viewing features enable real-time monitoring of network activity. SmartView Tracker provides control over every event, including those causing alerts, as well as certain important system events, such as Security Policy installation or uninstallation.
To log in to SmartView Tracker, select SmartConsole > SmartView Tracker from the SmartDashboard main menu, or click Start > Programs > Check Point SmartConsole R77 > SmartView Tracker.
Figure 36 — SmartView Tracker
Log Types
The format of log entries requested by a rule is determined by the log type specified in the rule. You can select the log entries and data fields to display. SmartView Tracker also allows you to navigate the log file. You can display one of several log types from the Network & Endpoint Queries tree, as shown.
Log types are defined as either predefined or custom. The predefined types include log details specific to that type. For instance, UA WebAccess displays UserAuthority Web access log data for SecureClient entries, and the Account type displays changes made to fields over time.
Figure 37 — Log Types
SmartView Tracker toolbar buttons also enable Administrators to define custom log queries that can be saved for recurring use. The custom query allows the column widths to be modified, and also allows selection of various log information to display.
SmartView Tracker Tabs
SmartView Tracker has three predefined, optional views. These views can be modified and saved. Select views with the tabs located above the main log-viewing area, as shown below:
• Network & Endpoint tab — Displays the default view for SmartView Tracker, and shows all security-related events.
• Active tab — Shows currently open, active connections in SmartView Tracker. The Active Connections screen displays as shown in Figure 5-3, and also includes the Elapsed time or duration of the connection, the Bytes or amount of data passed on the connection, and any additional information about the connection.
• Management tab — Displays only audit entries in SmartView Tracker; this enables you to track changes made to objects in the Rule Base, and tracks general SmartDashboard use.
Figure 38 — SmartView Tracker Tabs
Action Icons
Each tab displays log fields regarding both the product that generated the log and the type of operation performed. Action icons provide a visual representation of the log's operation. The following table describes some of the different types of actions recorded by SmartView Tracker:
Reject — The connection was blocked.
Drop — The connection was dropped without notifying the source.
Encrypt — The connection was encrypted.
Working with SmartView Tracker
Log-File Management
The SmartView Tracker toolbar allows you to perform the following tasks:
1. Open Log File — When you select Open, you can open other log files.
2. Save Log File As — When saving a log file, the current log entries will be written to file. Only the records that match the selection criteria will be saved to the file; both entries that are visible on the screen, and those that are not visible.
3. Switch Log File — In this window, you can select the default log file or specify a particular log file name. This operation actually performs a log file switch.
4. Remote Files Management — In this window, you can transfer log files from a remote machine to the machine to which SmartView Tracker is currently connected.
5. Show or hide Fetch Progress — After clicking Get File List from the Remote Files Management window, you can click Fetch Files and toggle the display of the Files Fetch Progress window. The file transfer operation will continue even if the Files Fetch Progress window is closed. It is interrupted only if you click the Abort button.
6. Query Options — These buttons allow you to toggle the display of the query tree pane, open an existing query, save a custom query, or save a custom query under a new name.
Administrator Auditing
SmartView Tracker logs Security Administrator activities, including:
• Administrator login and logout.
• Object creation, deletion, and editing.
• Rule Base changes.
Administrator auditing simplifies the process of tracking and troubleshooting Security Policy changes, especially in environments with more than one Administrator. Via the Management tab, it is possible to see the changes made by a particular Administrator, or see who modified an object and what changes were made.
Figure 39 — Auditing
Logging provides a historical record of logged connections. Logs are essential for security management, so properly configuring the Security Gateway to log connections of interest is important.
The Global Properties - Log and Alert window, accessed by clicking Policy > Global Properties > Log and Alert, allows you to define global log-and-alert parameters.
VPN successful key exchange — Specifies the action to be taken when VPN keys are successfully exchanged.
VPN packet handling errors — Specifies the action to be taken when encryption or decryption errors occur.
VPN configuration and key exchange errors — Specifies the action to be taken when logging configuration or key-exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same VPN Domain.
IP Options drop — Specifies the action to take when a packet with IP options is encountered; the Security Gateway always drops these packets, but you can log them or issue an alert.
Administrative notifications — Specifies the action to be taken when an administrative event occurs, for example, when a Certificate is about to expire.
SLA violation — Specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
Connection matched by SAM — Specifies the action to be taken when a connection is blocked by Suspicious Activities Monitoring (SAM); for information about SAM, see http://www.opsec.com.
Dynamic object resolution failure — Specifies the action to be taken when a dynamic object cannot be resolved.
Log every authenticated HTTP connection — Specifies that a log entry should be generated for every authenticated HTTP connection.
Log VoIP connection — Generates additional log entries for every VoIP connection; additional log entries for SIP contain information about the user (SIP URL, for example, [email protected]). Additional log entries for H.323 contain information about phone numbers.
Time Settings
The Time Settings window allows you to configure time settings associated with system-wide logging-and-alert parameters.
• Excessive log grace period — Specifies the minimum amount of time between consecutive logs of similar packets; two packets are considered similar if they have the same source address, source port, destination address and destination port, and the same protocol was used. After the first packet, similar packets encountered within the grace period will be acted upon according to the Security Policy, but only the first packet generates a log entry or an alert.
• SmartView Tracker resolving — After a specified amount of time, displays a log page without resolving names, showing only IP addresses.
• Virtual Link statistics logging interval — Specifies the frequency with which Virtual Link statistics will be logged; this parameter is relevant only for Virtual Links defined with Log SLA values enabled in the SLA Parameters tab of the Virtual Link window. Virtual Links are defined by clicking Manage > SmartView Monitor > Virtual Links from the main menu.
• Status fetching interval — Specifies the frequency at which the Security Management Server queries the Security Gateway, Check Point QoS, and other software it manages for status information; any value from 30 to 900 seconds can be entered in this field.
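The Excessive log grace period behaviour described in this list, as an added Python example (not Check Point code): packets with the same source address, source port, destination address, destination port and protocol seen within the grace period are still enforced, but only the first produces a log entry. The packet records and the 60-second grace value are constructed.

```python
"""Model of the 'Excessive log grace period' rule: similar packets (same
5-tuple) within the grace period are handled by the Policy as usual, but
only the first one produces a log entry or alert.

Added example, not Check Point code. The packet records and the 60-second
grace period below are constructed values.
"""
from collections import namedtuple
from typing import Dict, List, Tuple

Packet = namedtuple("Packet", "ts src sport dst dport proto action")


def parse_packet(line: str) -> Packet:
    """Parse a constructed record: 't=<sec> <src>:<sport> -> <dst>:<dport> <proto> <action>'."""
    t, src, _, dst, proto, action = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Packet(int(t[2:]), src_ip, int(sport), dst_ip, int(dport), proto, action)


class GracePeriodLogger:
    def __init__(self, grace_seconds: int):
        self.grace = grace_seconds
        self._last_logged: Dict[Tuple, int] = {}   # similarity key -> time of last log
        self.entries: List[Packet] = []            # what reaches the log server
        self.suppressed: List[Packet] = []         # enforced, but not logged

    def handle(self, pkt: Packet) -> bool:
        """Apply the grace period; returns True if this packet is logged."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        last = self._last_logged.get(key)
        if last is not None and pkt.ts - last < self.grace:
            # Same five-tuple inside the grace window: the Policy action still
            # applies, but no log entry is written.
            self.suppressed.append(pkt)
            return False
        self._last_logged[key] = pkt.ts
        self.entries.append(pkt)
        return True


# Constructed records: one host repeatedly hitting SSH on one server.
SAMPLE_RECORDS = [
    "t=0  10.1.2.3:40000 -> 198.51.100.5:22 tcp drop",
    "t=5  10.1.2.3:40001 -> 198.51.100.5:22 tcp drop",  # different source port: new series
    "t=10 10.1.2.3:40000 -> 198.51.100.5:22 tcp drop",
    "t=30 10.1.2.3:40000 -> 198.51.100.5:22 tcp drop",
    "t=62 10.1.2.3:40000 -> 198.51.100.5:22 tcp drop",  # grace period elapsed: logged again
    "t=70 10.1.2.3:40000 -> 198.51.100.5:22 tcp drop",
]


def replay(records: List[str], grace_seconds: int = 60) -> GracePeriodLogger:
    """Run a list of records through the logger and return it for inspection."""
    logger = GracePeriodLogger(grace_seconds)
    for line in records:
        logger.handle(parse_packet(line))
    return logger


if __name__ == "__main__":
    lg = replay(SAMPLE_RECORDS)
    # A burst of similar drops shows up as few entries; count suppressed packets
    # separately when sizing a flood from the log.
    print(len(lg.entries), "logged,", len(lg.suppressed), "suppressed")
```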
Blocking Connections
You can terminate an active connection and block further connections from and to specific IP addresses, using the SmartView Tracker Block Intruder function. To block an active connection with Block Intruder, select the connection you want to block, then select Tools > Block Intruder from the menu.
Figure 40 — Block Intruder
The Block Intruder window displays. In the Blocking Scope fields, select one of the options:
• Block all connections with the same source, destination and service — Block the connection or any other connection with the same service, source or destination.
• Block access from this source — The connection is terminated, and all further attempts to establish connections from this source IP address will be denied.
• Block access to this destination — The connection is terminated, and all further attempts to establish connections to this destination IP address will be denied.
In the Blocking Timeout field, select one of the options:
• Indefinite — Block all further access.
• For... minutes — Block all further access attempts for the specified number of minutes.
In the Force this blocking field, select one of the options:
• Only on... — Block access attempts through the indicated Security Gateway.
• On any Security Gateway — Block access attempts through Security Gateways defined as gateways or hosts on the log server. The connection will remain blocked until you choose Tools > Clear Blocking from the main menu.
SmartView Monitor
SmartView Monitor is a high-performance network- and security-analysis system that helps you easily administer your network, by establishing work habits based on learned system-resource patterns. SmartView Monitor provides a single, central interface for monitoring network activity and performance of Check Point applications. SmartView Monitor allows Administrators to easily configure and monitor different aspects of network activities. Graphical views can easily be viewed from an integrated, intuitive GUI.
Figure 41 — SmartView Monitor
Predefined views include the most frequently used traffic, counter, tunnel, gateway, and remote-user information. For example, Check Point system counters collect information on the status and activities of Check Point Blades (for example, Firewall). Using custom or predefined views, Administrators can drill down on the status of a specific gateway and/or segment of traffic to identify top bandwidth hosts that may be affecting network performance. If suspicious activity is detected, Administrators can immediately apply a security rule to the appropriate Security Gateway to block that activity. These security rules can be created dynamically via the graphical interface, and can be set to expire within a certain time period.
Real-time and historical reports of monitored events can be generated to provide a comprehensive view of gateways, tunnels, remote users, network, security, and Security Gateway performance over time. To log in to SmartView Monitor, select Window > SmartView Monitor from the SmartDashboard main menu. Or, click Start > Programs > Check Point SmartConsole R76 > SmartView Monitor.
Customized Views
SmartView Monitor enables graphical views depicting data for several types of measurements, including bandwidth, round-trip time, packet rate, CPU use, etc. The most efficient way to yield helpful information is to create a view based on your specific needs. It is possible to create customized views for view types (for example, status, traffic, system statistics, and tunnels). The customization provides the ability to filter specific data and to choose how the data is to be displayed.
Gateway Status View
SmartView Monitor provides information about the status of all Gateways in a network. The data in the results pane (upper right) provides information about all Gateways in the organization, as well as pertinent information about each Gateway (such as its IP addresses, the last time it was updated, and its status). This information is directly linked to the view selected in the tree pane (left). Each row in the table represents a Gateway.
Traffic View
SmartView Monitor makes Administrators aware of traffic associated with specific network activities, servers, clients, etc., as well as activities, hardware, and software use of different Check Point products in real time. Among other things, this knowledge enables Administrators to:
• Block specific traffic when a threat is imposed.
• Assume instant control of traffic flow on a Gateway.
• Learn about how many tunnels are currently open, or about the rate of new connections passing through the Security Gateway.
You can generate fully detailed or summarized graphs and charts for all connections and for numerous rates and figures when calculating network use.
System Counters provides in-depth details on Gateway use and activity. As a Security Administrator, you can generate system statistics information about:
• Resource use for the variety of components associated with the Security Gateway.
• Gateway performance statistics for a variety of firewalled components.
• Detection and monitoring of suspicious activity.
Tunnels View
VPN tunnels are secure links between Security Gateways, and ensure secure connections between an organization's gateways and its remote-access clients. Once tunnels are created and put to use, Administrators can keep track of their normal functions, so possible malfunctions and connectivity problems can be assessed and solved as soon as possible.
Figure 42 — Tunnels
To ensure this security level, SmartView Monitor can recognize malfunctions and connectivity problems by constantly monitoring and analyzing the status of an organization's tunnels. With the use of tunnel queries, Administrators can generate fully detailed reports that include information about all tunnels that fulfil specific tunnel-query conditions. With this information, it is possible to monitor tunnel status, the VPN Community with which a tunnel is associated, the Gateways to which a tunnel is connected, etc.
Remote Users View
The Remote Users view allows you to keep track of VPN remote users currently logged in (i.e., SecuRemote, SecureClient and SSL Network Extender, and in general any IPSec client connecting to the Security Gateway). It provides you with filtering capabilities, making it easier to navigate through the entries.
Figure 43 — Remote Users
The Remote Users view provides detailed real-time information about remote users' connectivity, using data collected from sources such as current open sessions, overlapping sessions, route traffic, and connection time.
Cooperative Enforcement
Cooperative Enforcement is a feature that works in conjunction with the Endpoint Server. The Cooperative Enforcement view utilizes the Endpoint Server compliance capability to verify connections arriving from various hosts across the internal network. Easily deployed and managed, the Endpoint Server mitigates the risk of hackers, worms, spyware, and other security threats.
Figure 44 — Cooperative Enforcement
Using Cooperative Enforcement, any host initiating a connection through a Gateway is tested for compliance. The Gateway generates logs for unauthorized hosts. The logs generated for both authorized and unauthorized hosts can be viewed in SmartView Monitor. This increases the integrity of the network, because it prevents hosts with malicious software components from accessing the network.
This feature acts as a middleman between hosts managed by an Endpoint Server and the Endpoint Server itself. It relies on the Endpoint Server compliance feature, which defines whether a host is secure and can block connections that do not meet the defined prerequisites of software components.
Monitoring Suspicious Activity Rules
The fast-changing network environment demands the ability to immediately react to a security problem, without having to change the entire network's Rule Base (for example, to instantly block a specific user). All inbound and outbound network activity should be inspected and identified as suspicious when necessary (for instance, when network or system activity indicates that someone is attempting to break in).
Figure 45 — External Suspicious Activity Rules
SmartView Monitor enables the integration of a suspicious-activity monitoring program that is used to modify access privileges upon detection of any suspicious network activity. This detection is based on the creation of Suspicious Activity rules. Suspicious Activity rules are security rules that enable the Administrator to instantly block suspicious connections that are not restricted by the currently enforced Security Policy. These rules can be applied immediately, without the need to install a Policy.
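The Block Intruder options under Working with SmartView Tracker (blocking scope, blocking timeout, the gateway the block is forced on, and Clear Blocking) and the Suspicious Activity rules described here, as one added Python example (not Check Point code): a rule is derived from a logged connection and enforced at once, with no Policy installation, until it expires or is cleared. Connection records and gateway names are constructed.

```python
"""Model of Block Intruder / Suspicious Activity rules: a block derived from a
logged connection, with a blocking scope, a timeout and an enforcement point,
that applies immediately without installing a Policy.

Added example, not Check Point code. Connection records and gateway names
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SAME_CONNECTION, FROM_SOURCE, TO_DESTINATION = "same_connection", "source", "destination"


@dataclass
class BlockRule:
    match: Dict[str, str]       # fields a connection must equal to be blocked
    expires: Optional[float]    # None = Indefinite
    gateway: Optional[str]      # None = enforced on any Security Gateway


class SuspiciousActivityMonitor:
    def __init__(self):
        self.rules: List[BlockRule] = []
        self.terminated: List[Dict[str, str]] = []   # connections torn down

    def block_intruder(self, conn: Dict[str, str], scope: str, now: float,
                       minutes: Optional[int] = None,
                       only_on_gateway: bool = False) -> BlockRule:
        """Terminate `conn` (as logged by `conn['gateway']`) and add a rule per the
        Block Intruder dialog: scope = Blocking Scope, minutes = Blocking Timeout
        (None for Indefinite), only_on_gateway = Force this blocking: Only on..."""
        if scope == SAME_CONNECTION:
            match = {k: conn[k] for k in ("src", "dst", "service")}
        elif scope == FROM_SOURCE:
            match = {"src": conn["src"]}
        elif scope == TO_DESTINATION:
            match = {"dst": conn["dst"]}
        else:
            raise ValueError(f"unknown blocking scope {scope!r}")
        self.terminated.append(conn)
        rule = BlockRule(match=match,
                         expires=None if minutes is None else now + minutes * 60,
                         gateway=conn["gateway"] if only_on_gateway else None)
        self.rules.append(rule)
        return rule

    def is_blocked(self, conn: Dict[str, str], now: float) -> bool:
        """Gateway-side check for a new connection; expired rules are purged first."""
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]
        for r in self.rules:
            if r.gateway not in (None, conn["gateway"]):
                continue   # forced on a different Security Gateway only
            if all(conn.get(k) == v for k, v in r.match.items()):
                return True
        return False

    def clear_blocking(self) -> None:
        """Tools > Clear Blocking: remove every block rule at once."""
        self.rules.clear()


if __name__ == "__main__":
    sam = SuspiciousActivityMonitor()
    logged = {"src": "203.0.113.7", "dst": "198.51.100.5", "service": "ssh", "gateway": "gw-edge"}
    sam.block_intruder(logged, FROM_SOURCE, now=1000, minutes=10, only_on_gateway=True)
    probe = dict(logged, dst="198.51.100.9", service="http")
    print(sam.is_blocked(probe, now=1001))        # True: same source, same gateway
    print(sam.is_blocked(probe, now=1000 + 660))  # False: the 10-minute timeout passed
```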
Monitoring Alerts
Alerts provide real-time information about vulnerabilities to computing systems
and how they can be eliminated.
Check Point alerts users to potential threats to the security of their systems, and
provides information about how to avoid, minimize, or recover from the damage.
Alerts are sent by the Security Gateways to the Security Management Server. The
Security Management Server then forwards these alerts to the SmartView
Monitor SmartConsole, which is actively connected to the Security Management
Server. Alerts are sent to draw the Administrator's attention to problematic
Gateways, and are displayed in SmartView Monitor. These alerts are sent:
• If certain rules or attributes, which are set to be tracked as alerts, are matched
by a passing connection.
• If system events, also called System Alerts, are configured to trigger an alert
when various thresholds are surpassed.
The Administrator can define alerts to be sent for different Gateways. These
alerts are sent under certain conditions, such as if they have been defined for
certain Policies, or if they have been set for different properties. By default, an
alert is sent as a message to the Administrator's desktop when a new alert arrives
in SmartView Monitor. Alerts can also be sent for certain system events. If
certain conditions are set, you can receive System Alerts for critical situation
updates; for example, if free disk space is less than 10 percent, or if a Security
Policy has been changed. System Alerts are characterized as follows:
• They are defined per product. For instance, you may define certain System
Alerts for Check Point QoS that would not apply to Connectra.
• They may be global or per Gateway. You can set global alert parameters for
all Gateways in the system, or you can specify a particular alert for a
particular Gateway.
• They are displayed and viewed via the same user-friendly window. The
information SmartView Monitor gathers also includes status information
about OPSEC gateways and network objects.
After reviewing the status of certain clients in SmartView Monitor, you may
decide to take decisive action for a particular client or cluster member, for
instance:
• Disconnect client — If you have the correct permissions, you can choose to
disconnect one or more of the connected SmartConsole clients. Click the
Disconnect Client button on the Results pane toolbar.
• Start/Stop Cluster Member — All cluster members of a given gateway
cluster can be viewed via SmartView Monitor. You can start or stop a selected
cluster member. To do this, right-click the cluster member. From the pull-
down menu, select Start Member or Stop Member.
To configure an alert in SmartView Monitor from SmartDashboard, select Policy
> Global Properties > Log and Alert > Alerts. To view the active alerts from
SmartView Monitor, select the Alerts icon from the toolbar.
Gateway Status
Check Point enables information about the status of all gateways in the system to
be collected by the Security Management server and viewed in SmartView
Monitor. The information gathered includes status information about:
• Check Point gateways
• OPSEC gateways
• Check Point Software Blades
A Gateways Status view displays a snapshot of all Check Point Software Blades,
such as VPN and ClusterXL, as well as third party products (for example,
OPSEC-partner gateways). Gateways Status is very similar in operation to the
SNMP daemon that also provides a mechanism to ascertain information about
gateways in the system.
Figure 46 — Gateway Status Example
The Security Management server acts as an AMON (Application Monitoring)
client. It collects information about specific Check Point Software Blades
installed, using the AMON protocol. Each Check Point gateway, or any other
OPSEC gateway which runs an AMON server, acts as the AMON server itself.
Each gateway makes a status update request, via APIs, from various other
components such as:
• The "kernel"
• Security Servers
An alternate source for status collection may be any AMON client, such as an
OPSEC partner, which uses the AMON protocol.
The information is fetched at a subscribed interval which is defined by the system
administrator. The AMON protocol is SIC-based, so information can be retrieved
once SIC has been initialized.
Note: There are general statuses which occur for both the gateway or
machine on which the Check Point Software Blade is
installed, and the Software Blade which represents the
components installed on the gateway.
Overall Status
An Overall status is the result of the blades' statuses. The most serious Software
Blade status determines the Overall status. For example, if all the Software
Blade statuses are OK except for the SmartReporter blade, which has a Problem
status, then the Overall status will be Problem.
• OK — indicates that the gateway is working properly.
• Attention — at least one of the Software Blades indicates that there is a
minor problem but it can still continue to work. Attention can also indicate
that, although a Software Blade is not installed, it is selected in the General
Properties > Check Point Products associated with a specific gateway.
• Problem — indicates that one of the Software Blades reported a specific
malfunction. To see details of this malfunction, open the gateway's status
window by double-clicking it in the Gateways view. Problem can also
indicate a situation in which the Firewall, VPN and ClusterXL Software
Blades are selected in the General Properties > Software Blades but are not
installed.
• Waiting — from the time that the view starts to run until the time that the first
status message is received. This takes no more than thirty seconds.
• Disconnected — the Security Gateway cannot be reached.
• Untrusted — Secure Internal Communication failed. The gateway is
connected, but the Security Management server is not the master of the
gateway.
Software Blade Status
Software Blades include components such as VPN, SmartReporter, Endpoint
Security, and QoS.
• OK — indicates that the blade (for example, SmartReporter, VPN, Firewall,
etc.) is working properly.
• Attention — the blade indicates that there is a minor problem but it can still
continue to work.
• Problem — indicates that the blade reported a specific malfunction. To see
details of this malfunction, open the gateway's status window associated with
the blade by double-clicking it in the Gateways Status view.
• Waiting — displayed from the time that the view starts to run until the time
that the first status message is received. This takes no more than thirty
seconds.
• Disconnected — the gateway cannot be reached.
• Untrusted — Secure Internal Communication failed. The gateway is
connected, but the Security Management server is not the master of the
gateway.
Displaying Gateway Information
Gateways Status information is displayed per Check Point or OPSEC gateway.
To display information about the gateway, click the specific gateway in the
Gateway Results view. Details about the gateway will be displayed in the
Gateway Details pane.
This information includes general information such as the name, IP Address,
version, operating system, and the status of the specified gateway, as well as a
grid of gateway-specific information.
SmartView Tracker vs. SmartView Monitor
Here are some key points when considering which product addresses your needs
better:
SmartView Tracker Benefits — Administrators can use SmartView Tracker to:
• Ensure network components are operating properly.
• Troubleshoot system and security issues.
• Gather information for legal or audit purposes.
• Generate reports to analyze network-traffic patterns.
• Temporarily or permanently terminate connections from specific IP
addresses, in case of an attack or other suspicious network activity.
SmartView Monitor Benefits — Administrators can use SmartView Monitor to:
• Centrally monitor Check Point and OPSEC devices.
• Present a complete picture of changes to Gateways, tunnels, remote users, and
security activities. Immediately identify changes in network-traffic flow
patterns that may signify malicious activity.
• Maintain high network availability.
• Improve efficiency of bandwidth use.
• Track SLA compliance.
Practice and Review
Practice Lab
Lab 6: Monitoring with SmartView Tracker
Review
1. Discuss the benefits of using SmartView Monitor instead of SmartView
Tracker in monitoring network activity.
2. Why is there a warning message when switching to Active mode in
SmartView Tracker?
Chapter 5: Network Address Translation
In computer networking, network address translation (NAT) is the process of
modifying IP address information in IP packet headers while in transit across a
traffic routing device.
Learning Objectives:
• Configure NAT rules on Web and Gateway servers.
Introduction to NAT
Network Address Translation (NAT) allows Security Administrators to overcome
IP addressing limitations, allowing private IP-address allocation and unregistered
internal-addressing schemes.
Enterprises employ NAT for a variety of reasons, including:
• Private IP addresses used in internal networks.
• Limiting external network access.
• Ease and flexibility of network administration.
Network Address Translation (NAT) can be used to translate either IP address in
a connection. When translating the IP of the machine initiating the connection
(typically the "client" of the connection), this is referred to as Source NAT. When
translating the IP address of the machine receiving the connection, this is referred
to as Destination NAT.
The Security Gateway supports two types of NAT where the source and/or the
destination are translated:
• Hide NAT - Hide NAT is a many-to-one relationship, where multiple
computers on the internal network are represented by a single unique address.
This enhances security because connections can only be initiated from the
protected side of the Security Gateway. This type of NAT is also referred to as
Dynamic NAT.
• Static NAT - Static NAT is a one-to-one relationship, where each host is
translated to a unique address. This allows connections to be initiated
internally and externally. An example would be a Web server or a mail server
that needs to allow connections initiated externally.
NAT can be configured on Check Point hosts, nodes, networks, address ranges
and dynamic objects. NAT can be configured automatically or by creating
manual NAT rules. Manual NAT rules offer flexibility because they allow the
translation of both the source and destination of the packet and allow the
translation of services.
IP Addressing
In an IP network, each computer is assigned a unique IP address. Because public
IP addresses are scarce and expensive, many enterprises choose to use private
addresses for their internal networks. The following blocks of IP addresses were
set aside for internal-network use in RFC 1918, "Address Allocation for Private
Networks":
• Class A network numbers: 10.0.0.0-10.255.255.255
• Class B network numbers: 172.16.0.0-172.31.255.255
• Class C network numbers: 192.168.0.0-192.168.255.255
Best practices recommend using only these address ranges for intranets. RFC
1918 addresses cannot traverse public networks.
Hide NAT
In Hide NAT, the source is translated, the source port is modified and translation
occurs on the server side. As shown in the illustration below, notice the source
packet with address 10.1.1.101 going to destination x.x.x.x. As the packet hits the
interface on pre-in, 'i', it is processed by the firewall kernel and forwarded to
post-in, 'I', where it is then routed to the external interface. It arrives at pre-out, 'o',
and is then processed by the NAT rule base. The firewall modifies the source port
and adds the port information to a state table. The packet translates on post-out,
'O', as it leaves the Gateway. For protocols where the port number cannot be
changed, Hide NAT cannot be used.
[Figure 47 shows the original packet and the Reply Packet (Translated) passing through the Gateway.]
Figure 47 — Hide NAT
Choosing the Hide Address in Hide NAT
The Hide Address is the address behind which the network, address range, or
node is hidden. It is possible to hide behind either the interface of the Gateway or
a specified IP address.
Choosing a fixed public IP address is a good option if you want to hide the
address of the Security Gateway. However, it means you have to use an extra
publicly routable IP address. Choosing to hide behind the address of the Gateway
is a good option for administrative purposes. For example, if the external IP
address of the Gateway changes, there is no need to change the NAT settings.
Static NAT
A static translation is assigned to a server that needs to be accessed directly from
outside the Security Gateway. So, the packet is typically initiated from a host
outside the firewall. When the client initiates traffic to the static NAT address, the
destination of the packet is translated.
[Figure 48 shows the Original Packet, the Original Packet (Translated) and the Reply Packet passing through the Gateway.]
Figure 48 — Static NAT
In the past, all destination NAT occurred at the "server side" of the kernel, i.e., on
the outbound side of the kernel closest to the server. When NAT occurs in this
configuration, a host route is required on the Security Gateway to route to the
destination server. As of VPN-1 NGX, the default method for Destination NAT is
"client side", where NAT occurs on the inbound interface closest to the client.
Assume the client is outside the Gateway, and the server is inside the Gateway
with automatic Static NAT configured. When the client starts a connection to
access the server's NAT IP address, the following happens to the original packet
in a client-side NAT:
Original Packet
1. The packet from outside the Gateway arrives at the inbound interface, 'i',
destined for the Web server, and passes Security Policy and NAT rules.
2. If accepted, the packet information is added to the connections table and the
destination is translated on the post-in side of the interface, 'I', before it is
routed.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet is then forwarded through the kernel, 'O', and routed to the Web
server.
Reply Packet
1. The Web server replies and hits the inbound interface, 'i', of the Gateway.
2. The packet is passed by the Policy, since it is found in the connections table,
and arrives at the post-in side of the kernel, 'I'.
3. The packet arrives at the TCP/IP stack of the Gateway, and is routed to the
outbound interface, 'o'.
4. The packet goes through the outbound interface and is translated to the static
NAT IP address as it leaves the Security Gateway, 'O'. The source port does
not change.
When the external server must distinguish between clients based on their IP
addresses, Hide NAT cannot be used, because all clients share the same IP
address under Hide NAT.
To allow connections from the external network to the internal network, only
Static NAT can be used.
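The Hide NAT state table described under "Hide NAT" and the client-side Static NAT flow described above, as an added example that is not Check Point code: a small Python model of a gateway that hides an internal network behind one address (allocating a new source port and recording it so the reply can be mapped back) and maps a Web server one-to-one with the port unchanged. The addresses, the port pool start and the class names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy model of Hide NAT and Static NAT (constructed, not Check Point code)."""

    def __init__(self, hide_addr, hide_net, static_map, first_port=10000):
        self.hide_addr = hide_addr                      # address the network hides behind
        self.hide_net = ipaddress.ip_network(hide_net)  # internal network being hidden
        self.static_map = dict(static_map)              # public IP -> internal IP, one-to-one
        self.reverse_static = {v: k for k, v in self.static_map.items()}
        self.state = {}                                 # hide port -> (orig src, orig sport)
        self.next_port = first_port                     # start of the hide port pool (assumed)

    def outbound(self, pkt):
        """Packet leaving the protected side (post-out, 'O')."""
        if pkt.src in self.reverse_static:
            # Static NAT reply: restore the public address; the source port is unchanged
            return replace(pkt, src=self.reverse_static[pkt.src])
        if ipaddress.ip_address(pkt.src) in self.hide_net:
            # Hide NAT: every hidden host shares hide_addr, so a fresh source port
            # is allocated and the original tuple is recorded in the state table
            port = self.next_port
            self.next_port += 1
            self.state[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.hide_addr, sport=port)
        return pkt

    def inbound(self, pkt):
        """Packet arriving from the outside, translated client side (post-in, 'I').
        Returns None when no translation can deliver the packet."""
        if pkt.dst == self.hide_addr:
            if pkt.dport not in self.state:
                # no state for this port: nobody inside initiated it, so Hide NAT
                # cannot deliver an externally initiated connection
                return None
            src, sport = self.state[pkt.dport]       # reply to a hidden host
            return replace(pkt, dst=src, dport=sport)
        if pkt.dst in self.static_map:
            # externally initiated connection to a Static NAT address
            return replace(pkt, dst=self.static_map[pkt.dst])
        return pkt
```

Two hidden hosts using the same source port come out of `outbound` with the same address but different ports, which is exactly why an external server cannot tell them apart.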
NAT - Global Properties
Several Global Properties influence how NAT is handled by a Security Gateway.
The figure shows the default Global Properties for NAT.
[Figure 49 shows the NAT page of Global Properties with its default settings.]
Figure 49 — NAT Settings
In most cases, the Security Gateway automatically creates NAT rules, based on
information derived from object properties. The following three Global
Properties can be modified to adjust the behavior of Automatic NAT rules on a
global level:
• Allow bi-directional NAT — If more than one Automatic NAT rule matches a
connection, both rules are matched. If Allow bidirectional NAT is selected,
the Gateway will check all NAT rules to see if there is a source match in one
rule, and a destination match in another rule. The Gateway will use the first
matches found, and apply both rules concurrently.
• Translate Destination on client side — For packets from an external host
that are to be translated according to Static NAT rules, select this option to
translate destination IP addresses in the kernel nearest the client.