Basics of Checkpoint Firewall, Creating Access Rules, Network Address Translations (NAT), VPN

1. Security- Checkpoint
NetworKraft Consultancy

2. Why Checkpoint?
• Specialized Vendor
– Only Firewall Creators
• More Granularity
– Connection based Granularity
• More Open
– Multiple hardware platforms
– Multiple OS platforms for Management Server

3. Why Checkpoint?
• Better management tools
– SMARTConsole
• Simpler GUI
– More User friendly GUI (My view)
– Easy to troubleshoot
• No java incompatibility issue
– ASA faces this more often

4. Where Checkpoint?
• Everywhere… mostly in enterprise where there are
– Multiple DMZ zones
– Web servers
– Variety of applications
– Numerous client requirements

5. SMART Architecture
• Check Point Three-Tier Architecture
– SmartConsole  Client on the admin machine
– SmartCenter Server  Security Management Server
– Security Gateway  Enforcement Unit  The real FW

6. Deployment
• Stand-alone Deployment
– Secure Platform + Management Server  Enforcement Unit
– Client Software on Client Machine
• Distributed Deployment
– Secure Platform  Enforcement Module
– Management Server  Another Hardware
– Client Software on Client Machine

7. Deployment
Distributed Deployment:
Stand-Alone Deployment:
Security
Gateway
(Physical
Hardware)
Security
Mgmt
Server
Security
Smartview
Tracker
Security
Gateway
(Physical
Hardware) +
Security Mgmt
Server
Security
Smartview
Tracker

8. Traffic Control Methods
• Packet Filtering
– Specific Rules for Allowing/Denying Traffic
– Explicit Deny at the end of the policy
• Stateful Filtering
– Maintaining state table
– Makes environment more secured
– Stale out old entries to protect FW from running out of memory space
• Application Aware Filtering
– More granular
– Datagram inspection

9. Secure Platform
• IPSO: FreeBSD
– Ipsilon company  1997  NOKIA acquired  2009  Check Point acquired NOKIA
Security Appliances
• Secured Platform (SPLAT)
• GAIA: FreeBSD
– Same command line as in IPSO
– Beginning of Virtualization (Virtual System eXtension)
– More concurrent connections (210 million)

10. Real World of Check Point
• Network Design from FW point of view
• Installing GAiA OS using Image
• Basic configuration of Check Point Enforcement Module using
GUI (GAiA)
• Adding Security Gateway to Management Server using R77
DashBoard

11. Design
Tire X
Metal
X
YOUR
NETWORK-DC
(Ferrari)
Internet

12. Design- iDMZ and xDMZ
Internet
Internal Network
idmz xdmz

13. Why Distributed Deployment
• Installing Policy simultaneously in Multiple FW
• Easy to manage similar Firewalls
• What if two different purpose FW are in same Management
Server
– Policy Package

14. Features
• Anti-spoofing
• Anti-bot
• Identity Awareness

15. Lab Topology
Internet192.168.10.4
.2
.3
.5 192.168.1.1
.40
.30
.20
.7

16. GAiA
• Interface configuration
• Routing
– Static
– Dynamic (RIP,OSPF)
• System Management
– Proxy Server
– Core dump
– System Logging

17. GAiA Continued…
• High Availability
-VRRP (Virtual Router Redundancy Protocol)
• User Management
• Back-up/Restore
• Upgrade and licensing

18. Checkpoint SmartConsole
• Adding Rules in Firewalls
• Adding NAT rules in Firewall
• Policy package
• Network Monitoring

19. Important Commands
• Cpinfo  show tech-support (Cisco)
• Set interface eth0 ipv4 address192.168.10.1 subnet-mask 255.255.255.0
• Show interfaces all
• Fw stat
• Fw unloadlocal
• Fw monitor

20. Check Point Installation
- Start Virtual Machine
- Select Install Gaia on this system

21. Check Point Installation

22. Check Point Installation
Checking HCL

23. Check Point Installation
- Check Machine Info (Opt)
- Select OK

24. Check Point Installation
Select the Keyboard type

25. Check Point Installation
- Partition Configuration
- View/Change
- OK

26. Check Point Installation
- Type in the password
- Use this password
while logging in
through Gaia

27. Check Point Installation
- Select the interface
- Recheck (Opt)

28. Check Point Installation
- Give IP address to eth0
- Netmask
- Default Gateway
- This is the IP using
which we can login the
Gaia

29. Check Point Installation

30. Check Point Installation

31. Check Point Installation

32. Check Point Installation

33. Check Point Installation

34. Check Point Installation
- Reboot

35. Check Point Configuration
- Enter User Name and Password

36. Check Point Configuration
- Entering Gaia

37. Best Practices
• Adding a Stealth Rule (relatively above most of the rules)
– Deny Access to FW
– Add access rule above for management IP(s) to allow access
• Drop Noisy Traffic
– Bootp, bootps, sstp, UPMP etc. are rarely used protocols
• Add Drop Rule at the bottom of the List
– Drop Everything else!

38. Some Other Best Practices
• By default DNS, RIP and ICMP are unrestricted…Block them!
– Trojans such as BackOrafice use port 53/UDP (DNS)
– ICMP is used in Traceroute and Ping
– Man in the middle and DoS is possible with Poisoned RIP
• Maintain your FW
– Check for updates as new vulnerabilities are always discovered
• Know your Network
– Understand the requirement and place the FW
– Don’t place it where you need to allow almost everything
• Add only Specific Rules

39. …and a few more
• Relevant and consistence FW and Object Naming.
• Use Group management- Policy Packaging and Section creation.
• Use comments while making changes to existing config and rule base.
• Take Regular Backups of config and Rules
• Generate an alert in your management systems (HPoV) for monitoring FW
environment.t and regular backup procedures