
Authorized Distributor in Vietnam

Nguyn Nh Bng

Module 2: Security Policy

Check Point Security Administration

Course Map: Security Administration

- Module 1: VPN-1 NGX Architecture
- Module 2: Security Policy
- Module 3: Network Address Translation
- Module 4: Monitoring
- Module 5: Disaster Recovery

Objectives

- Explain the function and operation of a Security Policy.
- Create and modify policies, rules and objects.
- Modify Global Properties.
- Use the command line.
- Use object cloning to create and clone objects.
- Configure anti-spoofing on the firewall.
- Use Database Revision Control.
- Use Policy Package Management.

Introduction

Security Policy Defined

What is a Security Policy? A set of rules that defines network security.

Considerations:

- what kinds of services, including customised services and sessions, are allowed across the network
- what user permissions and authentication schemes are needed
- what objects are in the network, e.g. gateways, hosts, networks, routers and domains

Check Point SmartDashboard

- enables administrators to define the security policy
- only one administrator with read/write permissions can be logged in at any one time

Launching the SmartDashboard

Start \ Programs \ Check Point SmartConsole R65 \ SmartDashboard

Defining Basic Objects

Defining Node Object

Defining Network Object

Defining Address Range Object

Defining Group Object

Anti-Spoofing

- Spoofing is a technique used by intruders attempting to gain unauthorised access: a packet's source IP address is altered to appear to come from a part of the network with higher privileges (typically the internal network).
- Anti-spoofing verifies that packets are coming from, and going to, the correct interfaces on the gateway, i.e. that packets claiming to originate in the internal network actually DO arrive from that network's interface.

Configuring Anti-Spoofing

- The networks reachable from each interface (the interface topology) need to be defined appropriately; a wrong or missing topology either blocks legitimate traffic or leaves the check toothless.
- Anti-spoofing should be configured on all interfaces; an unchecked interface is where spoofed packets will arrive.
- Spoof tracking (logging of anti-spoofing drops) is recommended.
- Anti-spoofing rules are enforced before any rule in the Security Policy rule base, so a spoofed packet never reaches an Accept rule.
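As an added illustration of the check described above (example code written for this page, not Check Point's implementation), the following models the interface-topology check a gateway performs on arrival and on departure. The topology, interface names and addresses are constructed assumptions; "None" for the external interface stands for "every address not claimed by an internal interface". An interface with no topology defined is left unchecked, which is exactly the gap the "configure on all interfaces" advice closes.

```python
import ipaddress

# Constructed topology (assumption for this example): one external and two
# internal interfaces. Internal interfaces list the networks reachable behind
# them; the external interface (None) covers every address not claimed by an
# internal interface.
TOPOLOGY = {
    "eth0": None,
    "eth1": ["10.1.0.0/16"],
    "eth2": ["192.168.10.0/24", "192.168.20.0/24"],
}

SPOOF_LOG = []  # "spoof tracking": every anti-spoofing drop is recorded here


def _internal_nets(topology):
    return {ifc: [ipaddress.ip_network(c) for c in cidrs]
            for ifc, cidrs in topology.items() if cidrs is not None}


def expected_interface(topology, ip):
    """Interface through which `ip` is legitimately reachable."""
    addr = ipaddress.ip_address(ip)
    for ifc, nets in _internal_nets(topology).items():
        if any(addr in net for net in nets):
            return ifc
    externals = [ifc for ifc, cidrs in topology.items() if cidrs is None]
    return externals[0] if externals else None


def check_ingress(topology, ifc, src_ip, log=SPOOF_LOG):
    """Anti-spoofing on arrival: the source address must belong to the
    topology of the interface the packet came in on. This runs before any
    rule in the rule base, so a spoofed packet can never match an Accept rule."""
    if ifc not in topology:
        # Anti-spoofing not configured on this interface: nothing is checked.
        return "unchecked"
    expected = expected_interface(topology, src_ip)
    if expected != ifc:
        log.append(f"spoof: src {src_ip} arrived on {ifc}, belongs behind {expected}")
        return "drop"
    return "pass"


def check_egress(topology, ifc, dst_ip, log=SPOOF_LOG):
    """Anti-spoofing on departure: the destination must be reachable via the
    interface the packet is about to leave on."""
    if ifc not in topology:
        return "unchecked"
    expected = expected_interface(topology, dst_ip)
    if expected != ifc:
        log.append(f"spoof: dst {dst_ip} leaving {ifc}, reachable via {expected}")
        return "drop"
    return "pass"


if __name__ == "__main__":
    # A packet claiming to come from the internal 10.1.0.0/16 arrives on the
    # external interface: the classic spoof, dropped and logged.
    print(check_ingress(TOPOLOGY, "eth0", "10.1.5.5"))      # drop
    print(check_ingress(TOPOLOGY, "eth1", "10.1.5.5"))      # pass
    print(check_ingress(TOPOLOGY, "eth0", "198.51.100.7"))  # pass
    print(check_egress(TOPOLOGY, "eth1", "192.168.10.9"))   # drop
    print(check_ingress(TOPOLOGY, "eth3", "10.1.5.5"))      # unchecked
    print(SPOOF_LOG)
```

The "unchecked" result for eth3 is the point to take away: anti-spoofing only protects interfaces whose topology is defined, and the log entries are what Spoof Tracking gives you to spot a misconfigured topology before it blocks production traffic.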

Rule Base Defined

Rule Base Elements

- No.
- Source
- Destination
- VPN
- Services
- Action
- Track
- Install On
- Time
- Comment

The default rule: added when you add a rule to the Rule Base.

Creating the Rule Base

The Basic Rules

Cleanup Rule

- Check Point follows the principle that whatever is not expressly permitted is prohibited: all communication attempts not matching a rule will be dropped.
- The cleanup rule (any source, any destination, any service, action Drop) makes that drop explicit and allows it to be logged; traffic dropped by the implicit rule is not logged.

The Stealth Rule

- prevents users from connecting directly to the firewall (any source, destination = the gateway, action Drop)
- placed near the top of the rule base, below only the rules that explicitly allow management traffic to the gateway

Implicit, Explicit Rules and Control Connections

- VPN-1 NGX creates a group of implicit rules that it places first, last or before last in the rule base.
- NGX creates the implicit rules from Global Properties (for example, accepting control connections between SmartCenter and the gateways).
- Explicit rules are created by the administrator in the SmartDashboard.

Rule Base Order

VPN-1 NGX enforces the rule base in the following order:

1. IP spoofing (anti-spoofing)
2. NAT
3. Security Policy First rule (implicit)
4. Administrator-defined rule base (explicit rules)
5. Security Policy Before Last rule (implicit)
6. Cleanup rule or Security Policy Last rule
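To make the first-match order concrete, here is an added example (written for this page, not Check Point code) of a minimal rule-base evaluator: implied first rules, then the explicit rules, then the cleanup rule last. The gateway and SmartCenter addresses, the rule contents and the "control connection" implied rule are constructed assumptions. It also models a disabled rule (skipped) and a hidden rule (still enforced), and shows what happens when there is no cleanup rule: the drop still happens, but silently.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    no: str
    src: str       # CIDR or "any"
    dst: str       # CIDR or "any"
    service: str   # e.g. "tcp/80", or "any"
    action: str    # "accept", "drop" or "reject"
    track: str = "none"   # "log" or "none"
    enabled: bool = True  # a disabled rule is displayed but not enforced
    hidden: bool = False  # a hidden rule is not displayed but still enforced


def _addr_match(pattern, ip):
    return pattern == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)


def _svc_match(pattern, service):
    return pattern == "any" or pattern == service


def matches(rule, src, dst, service):
    return (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)
            and _svc_match(rule.service, service))


GATEWAY = "203.0.113.1/32"   # assumed gateway address
MGMT = "192.168.10.5/32"     # assumed SmartCenter address

# Implied "first" rule generated from Global Properties: accept control
# connections from SmartCenter to the gateway (service simplified to "any").
IMPLIED_FIRST = [Rule("i-first", MGMT, GATEWAY, "any", "accept")]
IMPLIED_BEFORE_LAST = []     # none in this example

# Explicit rules as an administrator would write them in SmartDashboard.
EXPLICIT = [
    Rule("1", "any", GATEWAY, "any", "drop", "log"),                     # stealth rule
    Rule("2", "10.1.0.0/16", "any", "tcp/80", "accept", "log"),
    Rule("3", "10.1.0.0/16", "any", "tcp/443", "accept", "log", enabled=False),
    Rule("4", "192.168.10.0/24", "10.1.0.0/16", "tcp/22", "accept", "log", hidden=True),
]

CLEANUP = Rule("5", "any", "any", "any", "drop", "log")                  # cleanup rule


def rule_base(explicit=EXPLICIT, cleanup=CLEANUP):
    """Enforcement order: implied first, explicit, implied before-last, last."""
    rules = list(IMPLIED_FIRST) + list(explicit) + list(IMPLIED_BEFORE_LAST)
    if cleanup is not None:
        rules.append(cleanup)
    return rules


def evaluate(src, dst, service, explicit=EXPLICIT, cleanup=CLEANUP):
    """First match wins. Returns (rule number, action, track)."""
    for rule in rule_base(explicit, cleanup):
        if not rule.enabled:
            continue                      # disabled: skipped after policy reinstall
        if matches(rule, src, dst, service):
            return rule.no, rule.action, rule.track
    # Nothing matched: what is not expressly permitted is prohibited.
    # Without a cleanup rule this implicit drop leaves no log entry.
    return "implicit", "drop", "none"


if __name__ == "__main__":
    print(evaluate("10.1.2.3", "198.51.100.10", "tcp/80"))      # ('2', 'accept', 'log')
    print(evaluate("10.1.2.3", "203.0.113.1", "tcp/22"))        # ('1', 'drop', 'log')  stealth
    print(evaluate("192.168.10.5", "203.0.113.1", "tcp/18191"))  # ('i-first', 'accept', 'none')
    print(evaluate("10.1.2.3", "198.51.100.10", "tcp/443", cleanup=None))  # implicit, silent
```

Two things worth noticing when you run it: the implied control-connection rule matches before the stealth rule, which is why SmartCenter can still push policy to a gateway that otherwise drops everything addressed to itself; and removing the cleanup rule does not open anything, it only removes the log entry for the drop.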

Basic Policy

Defining a basic policy:

1. Create a new policy
2. Add a new rule to the policy
3. Add objects to the rule

Verify / Install and Uninstall a Security Policy

Verify a Security Policy

- Select Policy \ Verify from the SmartDashboard
- Click OK

Install/Uninstall a Security Policy

- Select Policy \ Install (or Uninstall) from the SmartDashboard
- Click Select All to select all items on the screen (specific items may be deselected)
- Click OK

Install Policy

Advanced Security Policy

- Hide/Unhide rule
- Enable/Disable rule
- Add section title
- Object Cloning


Hide/Unhide Rule

Masking Rules

- Rules in a rule base can be hidden to allow easier reading of a complex rule base (masking rules).
- All other rules remain visible, and their numbers won't change.
- Hidden rules are still enforced on the gateway; hiding is a display setting only.

Viewing Hidden Rules

- if View Hidden in the Rules > Hide menu is checked, all rules set as hidden are displayed

Unhiding Hidden Rules

- select Unhide All from the Rules > Hide menu

Enable/Disable Rule

Disabling Rules

- disabling a rule only takes effect after the security policy is reinstalled; until then the gateway still enforces it
- the disabled rule is still displayed in the rule base

Enabling a Disabled Rule

- select the disabled rule and right-click
- select Disable Rule to deselect it
- remember to reinstall the policy

Add Section Title

Object Cloning

Command Line Options for the Security Policy

Basic Options

- cpstart / cpstop: starts and stops all Check Point applications running on the machine
- cprestart: issues a cpstop followed by a cpstart
- cplic print: displays the details of the NGX licenses
- fw ver, fwm ver: display the version of the firewall module and of the management server respectively
- fw unloadlocal: uninstalls the current policy from the local Gateway

Improving Performance

SmartCenter

- listing machine names and IP addresses in a hosts file will decrease installation time for created network objects, because name resolution during policy installation no longer waits on DNS
- /etc/hosts (Solaris)
- \winnt\system32\drivers\etc\hosts (Windows)

Security Gateway

- Keep the rule base simple
- Position the most frequently used rules at the top of the rule base (without changing which rule a connection matches first)
- Don't log unnecessary connections
- Limit the use of the Reject action in rules
- Use a network object in place of many node objects
- Use IP address ranges in rules instead of a set of nodes
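The first two gateway tips interact: moving a busy rule up is only safe if no packet could match both it and the rule it jumps over, otherwise the first-match result changes. The added example below (written for this page, not a Check Point tool) reorders a constructed rule base by hit count while refusing to swap any two rules that could share a packet, measures the resulting saving, and collapses a set of node objects into the smallest set of network objects. The rules and hit counts are assumptions; the cleanup rule never moves because it overlaps everything.

```python
import ipaddress


def _nets_overlap(a, b):
    if a == "any" or b == "any":
        return True
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def _svcs_overlap(a, b):
    return a == "any" or b == "any" or a == b


def may_both_match(r1, r2):
    """True if some packet could match both rules; if so their relative
    order matters and they must not be swapped."""
    return (_nets_overlap(r1["src"], r2["src"]) and _nets_overlap(r1["dst"], r2["dst"])
            and _svcs_overlap(r1["svc"], r2["svc"]))


def reorder_by_hits(rules):
    """Bubble busier rules upward, but only past neighbours they cannot share
    a packet with, so every connection still hits the same rule as before."""
    order = list(rules)
    for i in range(1, len(order)):
        j = i
        while (j > 0 and order[j]["hits"] > order[j - 1]["hits"]
               and not may_both_match(order[j], order[j - 1])):
            order[j], order[j - 1] = order[j - 1], order[j]
            j -= 1
    return order


def expected_comparisons(rules):
    """Rules examined per matched connection, weighted by hit count:
    a rule at position p costs p comparisons for each of its hits."""
    return sum(pos * r["hits"] for pos, r in enumerate(rules, start=1))


def summarize_nodes(ips):
    """Replace a set of node objects by the fewest network objects covering
    exactly the same addresses (the 'network instead of nodes' tip)."""
    nets = [ipaddress.ip_network(ip) for ip in ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed rule base with assumed hit counts: stealth rule first,
# three accept rules, cleanup rule last.
RULES = [
    {"no": 1, "src": "any", "dst": "203.0.113.1/32", "svc": "any", "action": "drop", "hits": 50},
    {"no": 2, "src": "10.1.0.0/16", "dst": "any", "svc": "tcp/80", "action": "accept", "hits": 1000},
    {"no": 3, "src": "192.168.10.0/24", "dst": "any", "svc": "udp/53", "action": "accept", "hits": 8000},
    {"no": 4, "src": "10.1.0.0/16", "dst": "any", "svc": "tcp/25", "action": "accept", "hits": 3000},
    {"no": 5, "src": "any", "dst": "any", "svc": "any", "action": "drop", "hits": 200},
]


if __name__ == "__main__":
    new_order = reorder_by_hits(RULES)
    print([r["no"] for r in new_order])          # [1, 3, 4, 2, 5]
    print(expected_comparisons(RULES), expected_comparisons(new_order))  # 39050 30050
    print(summarize_nodes(["10.1.2.%d" % i for i in range(256)]))        # ['10.1.2.0/24']
```

Rule 3 (DNS from 192.168.10.0/24) climbs above rule 2 because their source networks are disjoint, but stops under the stealth rule, whose any/gateway/any columns overlap it. Rule 4 climbs above rule 2 because their services differ even though source and destination are the same. If two rules do overlap, the only safe way to promote the busier one is to narrow the other until they no longer do.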

Database Revision Control and Policy Package Management

Policy Package Management

- PPM allows the admin to create multiple versions of a Security Policy (policy packages), but the objects database is shared and stays the same across them

Database Revision Control

- DRC allows the admin to save a revision of the whole database as a fallback configuration before implementing new objects or rules, so a bad change can be rolled back

Using Database Revision Control
