Module 2 Security Policy

Published on April 2017

Authorized Distributor in Vietnam

Nguyễn Như Bằng

Module 2: Security Policy

Course Map

Check Point Security Administration
- Module 1: VPN-1 NGX Architecture
- Module 2: Security Policy
- Module 3: Network Address Translation
- Module 4: Monitoring
- Module 5: Disaster Recovery

Objectives

Security Administration
- Explain the function and operation of a Security Policy.
- Create and modify policy, rules, objects…
- Modify Global Properties
- Use the command line
- Use object cloning to create and clone objects
- Configure anti-spoofing on the firewall.
- Use Database Revision Control
- Use Policy Package Management.

Introduction

Security Policy Defined

What is a Security Policy?
- a set of rules that defines network security

Considerations
- what kind of services, including customised services and sessions, are allowed across the network
- what users' permissions and authentication schemes are needed
- what objects are in the network, e.g. gateways, hosts, networks, routers and domains

Launching the SmartDashboard

Check Point SmartDashboard
- enables administrators to define the security policy
- only one administrator with read/write permissions can be logged in at any one time

Start \ Programs \ Check Point SmartConsole R65 \ SmartDashboard

Defining Basic Objects
- Node object
- Network object
- Address range object
- Group object

Anti-Spoofing

Spoofing is a technique used by intruders attempting to gain unauthorised access
- a packet's source IP address is altered to appear to come from a part of the network with higher privileges

Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway
- i.e. packets claiming to originate in the internal network actually DO come from that network

Configuring Anti-Spoofing
- Networks reachable from an interface need to be defined appropriately
- Should be configured on all interfaces
- Spoof tracking is recommended
- Anti-spoofing rules are enforced before any rule in the Security Policy rule base

Rule Base Defined

Rule Base Elements
- No.
- Source
- Destination
- VPN
- Services
- Action
- Track
- Install on
- Time
- Comment

The default rule
- added when you add a rule to the Rule Base

Creating the Rule Base

The Basic Rules

Cleanup Rule
- CP follows the principle "that which is not expressly permitted, is prohibited"
- all communication attempts not matching a rule will be dropped
- the cleanup rule drops all the communication but allows specific logging

The Stealth Rule
- prevents users from connecting directly to the firewall

Implicit, Explicit Rules and Control Connections
- VPN-1 NGX creates a group of implicit rules that it places first, last or before last…
- NGX creates implicit rules from Global Properties
- Explicit rules are created by the Administrator in the SmartDashboard

Rule Base Order

VPN-1 NGX enforces the rule base in the following order:
- IP spoofing
- NAT
- Security Policy "First" rule
- Administrator defined rule base
- Security Policy "before last" rule
- Cleanup rule or Security Policy "last" rule
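The enforcement order and the basic rules described above, simulated as an added example (not Check Point code): the anti-spoofing check runs against the interface topology before any rule, then a stealth rule, an explicit rule and a cleanup rule are matched top-down, with the implicit default drop behind them. The interface topology, the gateway address 203.0.113.1, the host 192.168.5.10 and the rules are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"
GATEWAY = "203.0.113.1"  # constructed address of the gateway itself
# Constructed topology: networks expected behind each gateway interface;
# None marks the external (Internet) interface.
TOPOLOGY = {"eth0": None, "eth1": ["10.1.0.0/16"], "eth2": ["192.168.5.0/24"]}

@dataclass
class Rule:
    name: str
    src: str      # network/host in CIDR form, or ANY
    dst: str
    service: str  # e.g. "tcp/80", or ANY
    action: str   # "accept" or "drop"

def _in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def anti_spoof_ok(iface, src):
    """A packet must arrive on the interface behind which its source lives."""
    nets = TOPOLOGY[iface]
    if nets is None:  # external: refuse sources claimed by an internal interface
        return not any(_in_nets(src, n) for n in TOPOLOGY.values() if n)
    return _in_nets(src, nets)

def _match(field, value):
    if field == ANY:
        return True
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(field)
    except ValueError:  # not an address: compare service names literally
        return field == value

# Explicit rule base as the deck describes it: stealth rule protecting the
# gateway on top, the administrator's rules, and a cleanup rule last.
RULES = [
    Rule("stealth", ANY, GATEWAY, ANY, "drop"),
    Rule("web", ANY, "192.168.5.10", "tcp/80", "accept"),
    Rule("cleanup", ANY, ANY, ANY, "drop"),
]

def evaluate(iface, src, dst, service, rules=RULES):
    """Return (action, matched rule) for one packet, in enforcement order."""
    if not anti_spoof_ok(iface, src):  # checked before any rule in the rule base
        return ("drop", "anti-spoofing")
    for r in rules:  # first match wins
        if _match(r.src, src) and _match(r.dst, dst) and _match(r.service, service):
            return (r.action, r.name)
    return ("drop", "implicit-default")  # not expressly permitted => prohibited
```

Passing `rules=RULES[:-1]` shows what happens without a cleanup rule: the packet still drops, but the implicit default gives none of the logging the cleanup rule provides.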

Basic Policy

Defining basic policy
- Create new policy
- Add new rule into policy
- Add object into rule

Verify / Install and Uninstall a Security Policy

Verify a Security Policy
- Select Policy \ Verify from the SmartDashboard
- Click OK

Install/Uninstall a Security Policy
- Select Policy \ Install (or Uninstall) from the SmartDashboard
- Click Select All to select all items on the screen (specific items may be deselected)
- Click OK

Install Policy

Advanced Security Policy
- Hide/Unhide rule
- Enable/Disable rule
- Add section title
- Object Cloning

Hide/Unhide rule

Masking Rules
- Rules in a rule base can be hidden to allow easier reading of a complex rulebase (masking rules)
- All other rules will be visible; however, their numbers won't change
- Hidden rules are still enforced on the gateway

Viewing Hidden Rules
- if View Hidden in the Rules > Hide menu is checked, all rules set as hidden are displayed

Unhiding Hidden Rules
- select Unhide All from the Rules > Hide menu

Enable/Disable rule

Disabling Rules
- a disabled rule will only take effect after the security policy is reinstalled
- the rule will still be displayed in the rulebase

Enabling a Disabled Rule
- select the disabled rule and right click
- select Disable Rule to deselect
- remember to reinstall the policy

Add section title

Object Cloning

Command Line Options for the Security Policy

Basic Options
- cpstart/cpstop: starts and stops all CP applications running on the machine
- cprestart: issues a cpstop and a cpstart
- cplic print: displays the details of the NGX licenses
- fw ver, fwm ver: displays version
- fw unloadlocal: uninstalls current policy of local Gateway

Improving Performance

SmartCenter
- listing machine names and IP addresses in a hosts file will decrease installation time for created network objects
- /etc/hosts (Solaris)
- \winnt\system32\drivers\hosts (Windows)

Improving Performance…

Security Gateway
- Keep the rulebase simple
- Position the most frequently used rules at the top of the rulebase
- Don't log unnecessary connections
- Limit the use of the Reject action in rules
- Use a network object in place of many node objects
- Use IP address ranges in rules instead of a set of nodes

Database revision control and Policy package management

Database revision control
- DRC lets the admin create fallback configurations when implementing new objects or rules

Policy package management
- PPM lets the admin create multiple versions of a Security Policy, but the objects need to stay the same

Using Database Revision Control
