2. Why Checkpoint?
• Specialized Vendor
– Only Firewall Creators
• More Granularity
– Connection based Granularity
• More Open
– Multiple hardware platforms
– Multiple OS platforms for Management Server
3. Why Checkpoint?
• Better management tools
– SMARTConsole
• Simpler GUI
– More User friendly GUI (My view)
– Easy to troubleshoot
• No java incompatibility issue
– ASA faces this more often
4. Where Checkpoint?
• Everywhere… mostly in enterprises where there are
– Multiple DMZ zones
– Web servers
– Variety of applications
– Numerous client requirements
5. SMART Architecture
• Check Point Three-Tier Architecture
– SmartConsole Client on the admin machine
– SmartCenter Server: Security Management Server
– Security Gateway: Enforcement Unit (the real FW)
6. Deployment
• Stand-alone Deployment
– Secure Platform: Management Server + Enforcement Unit on one box
– Client Software on Client Machine
• Distributed Deployment
– Secure Platform: Enforcement Module
– Management Server: on separate hardware
– Client Software on Client Machine
8. Traffic Control Methods
• Packet Filtering
– Specific Rules for Allowing/Denying Traffic
– Explicit Deny at the end of the policy
• Stateful Filtering
– Maintaining state table
– Makes the environment more secure
– Ages out stale entries so the FW does not run out of memory
• Application Aware Filtering
– More granular
– Datagram inspection
9. Secure Platform
• IPSO: FreeBSD
– Originally from the Ipsilon company; NOKIA acquired it in 1997; in 2009 Check Point acquired NOKIA Security Appliances
• SecurePlatform (SPLAT)
• GAIA: FreeBSD
– Same command line as in IPSO
– Beginning of Virtualization (Virtual System eXtension)
– More concurrent connections (210 million)
10. Real World of Check Point
• Network Design from FW point of view
• Installing GAiA OS using Image
• Basic configuration of Check Point Enforcement Module using GUI (GAiA)
• Adding Security Gateway to Management Server using R77 DashBoard
13. Why Distributed Deployment
• Installing policy simultaneously on multiple FWs
• Easy to manage similar firewalls
• What if two FWs with different purposes are on the same Management Server?
– Policy Package
19. Important Commands
• cpinfo (equivalent of Cisco's show tech-support)
• set interface eth0 ipv4-address 192.168.10.1 subnet-mask 255.255.255.0
• show interfaces all
• fw stat (policy status)
• fw unloadlocal (unloads the local policy; the gateway is unprotected until a policy is reinstalled)
• fw monitor (built-in packet capture)
37. Best Practices
• Add a Stealth Rule (near the top of the rule base)
– Deny Access to FW
– Add access rule above for management IP(s) to allow access
• Drop Noisy Traffic
– bootp, bootps, sstp, UPnP etc. are rarely used protocols
• Add Drop Rule at the bottom of the List
– Drop Everything else!
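The ordering the three rules above depend on, shown as an added example (not from the deck or from Check Point): a first-match evaluator over a rule base with the management-access rule, stealth rule, noise rule and cleanup rule, plus a check for the classic mistake of putting the stealth rule above the management-access rule. The gateway address and the management network are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FW_IP = "192.168.10.1"     # assumed gateway address (matches the deck's set interface example)
MGMT_NET = "10.0.0.0/24"   # assumed management network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR, "any", or "fw" (the gateway itself)
    dst: str       # CIDR, "any", or "fw"
    service: str   # "proto/port" or "any"
    action: str    # "accept" or "drop"


def _match(pattern: str, value: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "fw":
        return value == FW_IP
    return ip_address(value) in ip_network(pattern)


def evaluate(rule_base, src: str, dst: str, service: str):
    """First match wins, top to bottom, as a Check Point rule base is processed."""
    for rule in rule_base:
        if _match(rule.src, src) and _match(rule.dst, dst) and rule.service in ("any", service):
            return rule.name, rule.action
    return "implicit-drop", "drop"   # only reached if no cleanup rule exists


def mgmt_locked_out(rule_base) -> bool:
    """True if a catch-all stealth rule shadows every accept rule aimed at the gateway."""
    for rule in rule_base:
        if rule.dst == "fw" and rule.action == "accept":
            return False
        if rule.dst == "fw" and rule.action == "drop" and rule.src == "any" and rule.service == "any":
            return True
    return False


GOOD_ORDER = [
    Rule("mgmt-access", MGMT_NET, "fw", "tcp/22", "accept"),        # admin SSH, above stealth
    Rule("stealth", "any", "fw", "any", "drop"),                     # deny everything else to the FW
    Rule("noise", "any", "any", "udp/67", "drop"),                   # bootps chatter, no logging needed
    Rule("web-dmz", "any", "172.16.1.0/24", "tcp/443", "accept"),    # one specific business rule
    Rule("cleanup", "any", "any", "any", "drop"),                    # drop everything else
]
# Same rules with stealth above mgmt-access: administrators lock themselves out.
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0]] + GOOD_ORDER[2:]
```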
38. Some Other Best Practices
• By default DNS, RIP and ICMP are unrestricted… block them!
– Trojans such as Back Orifice use port 53/UDP (DNS)
– ICMP is used in traceroute and ping
– Man-in-the-middle and DoS are possible with poisoned RIP
• Maintain your FW
– Check for updates as new vulnerabilities are always discovered
• Know your Network
– Understand the requirement and place the FW
– Don’t place it where you need to allow almost everything
• Add only Specific Rules
39. …and a few more
• Relevant and consistent FW and object naming.
• Use group management: policy packaging and section creation.
• Use comments while making changes to existing config and rule base.
• Take Regular Backups of config and Rules
• Generate an alert in your management systems (HPoV) for monitoring the FW environment, and follow regular backup procedures.