Security- Checkpoint
NetworKraft Consultancy
Why Checkpoint?
• Specialized Vendor
– Only Firewall Creators
• More Granularity
– Connection based Granularity
• More Open
– Multiple hardware platforms
– Multiple OS platforms for Management Server
Why Checkpoint?
• Better management tools
– SMARTConsole
• Simpler GUI
– More User friendly GUI (My view)
– Easy to troubleshoot
• No java incompatibility issue
– ASA faces this more often
Where Checkpoint?
• Everywhere… mostly in enterprise where there are
– Multiple DMZ zones
– Web servers
– Variety of applications
– Numerous client requirements
SMART Architecture
• Check Point Three-Tier Architecture
– SmartConsole = client on the admin machine
– SmartCenter Server = Security Management Server
– Security Gateway = Enforcement Unit = the real FW
Deployment
• Stand-alone Deployment
– Secure Platform + Management Server = Enforcement Unit (one box)
– Client Software on Client Machine
• Distributed Deployment
– Secure Platform = Enforcement Module
– Management Server = on separate hardware
– Client Software on Client Machine
Deployment
Distributed Deployment (diagram): Security Gateway (physical hardware); Security Management Server; SmartView Tracker
Stand-Alone Deployment (diagram): Security Gateway (physical hardware) + Security Management Server on one box; SmartView Tracker
Traffic Control Methods
• Packet Filtering
– Specific Rules for Allowing/Denying Traffic
– Explicit Deny at the end of the policy
• Stateful Filtering
– Maintaining state table
– Makes the environment more secure
– Stale out old entries to protect FW from running out of memory space
• Application Aware Filtering
– More granular
– Datagram inspection
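As an added example (not code from the slides or from Check Point), the stateful filtering slide in miniature: a connection table keyed by 5-tuple, reply packets admitted only when matching state exists, and idle entries staled out so the table cannot exhaust memory. The 60-second idle timeout and the "internal hosts may open connections" policy are assumptions for the demo.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 60  # seconds of inactivity before an entry is staled out (assumed value)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFilter:
    def __init__(self, allow_new):
        # allow_new(pkt) -> bool: the explicit rules consulted for NEW connections only
        self.allow_new = allow_new
        self.table = {}  # 5-tuple key -> timestamp of the last packet seen

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def expire(self, now):
        """Stale out entries idle longer than IDLE_TIMEOUT; return how many were removed."""
        stale = [k for k, t in self.table.items() if now - t > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]
        return len(stale)

    def handle(self, pkt, now):
        """Return 'accept' or 'drop' for one packet observed at time `now`."""
        self.expire(now)
        fwd, rev = self._key(pkt), self._reverse(pkt)
        if fwd in self.table or rev in self.table:
            # Part of an existing connection (either direction): refresh timer, pass it.
            self.table[fwd if fwd in self.table else rev] = now
            return "accept"
        if self.allow_new(pkt):
            # First packet of a permitted connection: create state so replies can return.
            self.table[fwd] = now
            return "accept"
        return "drop"  # no state and no rule: implicit deny

def outbound_only(pkt):
    # Constructed policy: only hosts in 10.0.0.0/8 may open connections.
    return pkt.src.startswith("10.")
```

An unsolicited inbound packet is dropped even though a similar flow exists, and a reply arriving after the idle timeout is dropped because its state has been staled out.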
Secure Platform
• IPSO: FreeBSD
– Ipsilon company (1997) -> NOKIA acquired it -> 2009: Check Point acquired NOKIA
Security Appliances
• Secured Platform (SPLAT)
• GAIA: FreeBSD
– Same command line as in IPSO
– Beginning of Virtualization (Virtual System eXtension)
– More concurrent connections (210 million)
Real World of Check Point
• Network Design from FW point of view
• Installing GAiA OS using Image
• Basic configuration of Check Point Enforcement Module using GUI (GAiA)
• Adding Security Gateway to Management Server using R77 DashBoard
Design (diagram): YOUR NETWORK-DC (Ferrari) connected to the Internet; other labels: Tire X, Metal X
Design- iDMZ and xDMZ (diagram): Internet; Internal Network; iDMZ and xDMZ zones
Why Distributed Deployment
• Installing Policy simultaneously in Multiple FW
• Easy to manage similar Firewalls
• What if two different-purpose FWs are on the same Management Server?
– Policy Package
Features
• Anti-spoofing
• Anti-bot
• Identity Awareness
Lab Topology (diagram; labels as shown): Internet, 192.168.10.4, .2, .3, .5, 192.168.1.1, .40, .30, .20, .7
GAiA
• Interface configuration
• Routing
– Static
– Dynamic (RIP,OSPF)
• System Management
– Proxy Server
– Core dump
– System Logging
GAiA Continued…
• High Availability
– VRRP (Virtual Router Redundancy Protocol)
• User Management
• Back-up/Restore
• Upgrade and licensing
Checkpoint SmartConsole
• Adding Rules in Firewalls
• Adding NAT rules in Firewall
• Policy package
• Network Monitoring
Important Commands
• cpinfo (equivalent of show tech-support on Cisco)
• set interface eth0 ipv4-address 192.168.10.1 subnet-mask 255.255.255.0
• show interfaces all
• fw stat
• fw unloadlocal
• fw monitor
Check Point Installation
- Start Virtual Machine
- Select Install Gaia on this system
- Checking HCL
- Check Machine Info (Opt)
- Select OK
- Select the Keyboard type
- Partition Configuration: View/Change, then OK
- Type in the password (use this password while logging in through Gaia)
- Select the interface; Recheck (Opt)
- Give IP address to eth0, Netmask and Default Gateway (this is the IP using which we can log in to Gaia)
- Reboot
Check Point Configuration
- Enter User Name and Password
- Entering Gaia
Best Practices
• Adding a Stealth Rule (relatively above most of the rules)
– Deny Access to FW
– Add access rule above for management IP(s) to allow access
• Drop Noisy Traffic
– bootp, bootps, sstp, UPnP etc. are rarely used protocols
• Add Drop Rule at the bottom of the List
– Drop Everything else!
Some Other Best Practices
• By default DNS, RIP and ICMP are unrestricted…Block them!
– Trojans such as Back Orifice use port 53/UDP (DNS)
– ICMP is used in Traceroute and Ping
– Man in the middle and DoS is possible with Poisoned RIP
• Maintain your FW
– Check for updates as new vulnerabilities are always discovered
• Know your Network
– Understand the requirement and place the FW
– Don’t place it where you need to allow almost everything
• Add only Specific Rules
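As an added example (not from the slides or from Check Point's SmartConsole), the rule-ordering advice of the two best-practice slides modelled as a first-match rule base, with a lint check for the stealth rule, the management exception above it, the noisy-protocol drop and the cleanup rule. The gateway address is taken from the set interface command on the slides; the 192.168.1.0/24 internal network and the service names are assumptions for the demo.

```python
from ipaddress import ip_address, ip_network

FW_HOST = ip_network("192.168.10.1/32")        # the gateway itself (from the slides' set interface example)
INTERNAL = ip_network("192.168.1.0/24")        # assumed internal/management network
ANY = ip_network("0.0.0.0/0")
NOISY = {"bootp", "bootps", "sstp", "upnp"}    # rarely used protocols the slides say to drop

# Each rule: (name, source net, destination net, services or {"any"}, action)
RULEBASE = [
    ("mgmt-to-fw", INTERNAL, FW_HOST, {"ssh", "https"},  "accept"),  # management exception, above stealth
    ("stealth",    ANY,      FW_HOST, {"any"},           "drop"),    # nobody else talks to the FW
    ("noise",      ANY,      ANY,     NOISY,             "drop"),    # drop noisy traffic early
    ("web-out",    INTERNAL, ANY,     {"http", "https"}, "accept"),  # specific rules only
    ("cleanup",    ANY,      ANY,     {"any"},           "drop"),    # drop everything else
]

def match(src, dst, service, rulebase=RULEBASE):
    """First-match evaluation: return (rule name, action) for one flow."""
    s, d = ip_address(src), ip_address(dst)
    for name, snet, dnet, services, action in rulebase:
        if s in snet and d in dnet and ("any" in services or service in services):
            return name, action
    return "implicit-deny", "drop"  # Check Point drops what no rule matches

def lint(rulebase):
    """Return the best-practice violations found in the rule order (empty list if clean)."""
    names = [r[0] for r in rulebase]
    problems = []
    if "stealth" not in names:
        problems.append("no stealth rule protecting the gateway")
    elif "mgmt-to-fw" not in names or names.index("mgmt-to-fw") > names.index("stealth"):
        problems.append("management access rule must sit above the stealth rule")
    if rulebase[-1][1:] != (ANY, ANY, {"any"}, "drop"):
        problems.append("last rule is not an explicit any/any drop (cleanup)")
    return problems
```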
…and a few more
• Relevant and consistent FW and object naming.
• Use group management: policy packaging and section creation.
• Use comments while making changes to existing config and rule base.
• Take Regular Backups of config and Rules
• Generate an alert in your management systems (HPoV) for monitoring the FW environment and regular backup procedures.