Time
4 hours 44 minutes
Difficulty
Beginner
CEU/CPE
4

Video Transcription

00:00
Hello and welcome again to Check Point Jump Start training. In this module, we will cover deploying a Check Point Security Gateway, a firewall. So we are going to look at network models, but this is not a networking class, so we're not going to spend a lot of time on the various models. But we will talk about packet filtering firewalls versus stateful inspection firewalls versus an application layer firewall. We'll also briefly cover how the firewall product can be deployed. We'll look at anti-spoofing, which is an integral feature of Check Point security gateways, also security zones. And then we'll demonstrate the setup of a security gateway and adding that security gateway as an object into your Check Point configuration using SmartConsole.
01:12
So the OSI model, Open Systems Interconnect, has been around for a few decades, and I'm again not going to spend a lot of time on this. I want to note that on a security gateway, which again is just a Linux host, the firewall functionality is mostly implemented as a kernel module, and that kernel module, when it's loaded, essentially hooks itself between layer two, where we've received packets from the wire or the fiber and we've done some link-level decoding as necessary, and layer three. Layer two would normally hand the packet up to layer three for routing: what's the next hop that this packet needs to be sent to to get to its final destination? But the firewall kernel sits between layer two and layer three. So as the packet is being passed up from layer two to layer three, the firewall kernel receives the packet and implements the functionality of the firewall, or most of it. There's some functionality that's implemented elsewhere. And when the firewall kernel is done with the packet, assuming that your security policy says forward this packet, allow this packet, accept this connection, the firewall kernel will hand the packet up to layer three, and perhaps the packet's been modified. Perhaps it's been encrypted for a VPN, or perhaps network address translation has occurred. Layer three will then route the packet and send it down to layer two to be transmitted out the physical interface that's connected to the next hop. But the firewall kernel is hooked between layer three and layer two, so the outbound packet is also processed by the firewall kernel, and again at this point we may need to do network address translation or something else with the packet. Once the firewall kernel has completed processing of the outbound traffic, that packet is then passed down to layer two and transmitted to the next hop.
03:49
But in the OSI model, we have three distinct layers at the top: session, presentation, and application. And that's not really how the Internet works. The Internet uses a simplified model, sometimes referred to as the TCP/IP model, and in this model there are four layers. We've combined the top three layers, the session, the presentation, and the application, into just one, the application layer, and that reflects reality. Your web browser, for instance, implements session controls. It implements presentation, where we decide what kind of data am I sending, what kind of data am I receiving, how do I interpret that data? Also, how do I encode this data so that it can survive a trip through, perhaps, a text-only connection? And then again the application layer, layer seven in the OSI model, where we implement the functionality of whatever protocol this is. If you're doing HTTP, we implement the HTTP protocol. If you're sending email, we implement probably the SMTP protocol. Also, we simplify the bottom layers a little bit. We just combine layer one and layer two, the physical layer and the data link layer, into a network interface layer. And the job of that network interface layer is to talk to directly connected local area network hosts. But from the OSI model, we do use the Internet layer. That's the Internet Protocol version four or version six. And the transport layer, which is typically TCP or UDP, could be other protocols. The Internet layer gives us a source IP address and a destination IP address. The transport layer gives us, generally with most transport protocols, the source port and the destination port, and the protocol itself: are we sending this as a UDP packet or a TCP packet? And destination port plus protocol, 443 TCP, equals service. This is the service that I want to communicate to. I'm going to connect out to whatever destination IP address, destination port 443, and I'm gonna use the TCP protocol. Those two things, 443 TCP, indicate this is an HTTPS connection.
06:46
So Check Point uses various technologies to enforce your security policy and make decisions about incoming and outgoing traffic. Should this be permitted, should it not be permitted, should I alter the traffic somehow? And it starts with packet filtering. Packet filtering is the basic firewall functionality where we operate at layer three and layer four. So again, at layer three we're looking at the source IP address and destination IP address of the packet. At layer four, we're looking at destination port and protocol, or service. We don't normally care about the source port because that's usually randomly chosen by whatever client operating system is initiating the connection. But in some circumstances, we do care about the source port. So packet filtering firewalls, they allow you to control network traffic based on layer three and layer four information. However, they have some flaws, including the fact that, well, in early packet filtering firewalls you had to have two sets of rules to allow, say, HTTP traffic. I would have to have one rule for the outgoing traffic that permitted destination port 443, protocol TCP, and a second rule for the incoming traffic that permits source port 443 TCP, the return traffic from the web server. Now, later packet filtering firewalls did away with that. It was sort of a pain to manage these pairs of rules. So okay, a rule that allows traffic out implies that the return traffic is also allowed. Well, we can do that. But another limitation of packet filtering firewalls is they have to examine the rule set, they have to run the rules for each packet in every connection, and that can take some CPU time. Also, packet filtering firewalls don't look at the higher layers. They don't have any intelligence to determine, is this a dangerous HTTP request that might be encoding some sort of SQL injection attack? Can't do that.
09:20
Check point
09:22
developed state ful inspection,
09:26
which,
09:26
when a
09:28
pack it arrives on the security gateway. We first of all determined Is this the start of a new connection?
09:35
And if it's a TCP packet,
09:37
that's easy to determine with the TCP packet,
09:43
a connection is always begun by sending a TCP packet with no data, and the TCP header has one flag turned on the sin flag.
09:56
And so if I get a packet and it is a TCP packet and Onley the sin flag in that packet is turned on. Then this is the start of a new TCP connection.
10:07
If not, then this is not the start of Ah, new TCP connection with UDP. You don't have the three way handshake that involves the syn packet.
10:16
So with UDP, we just sort of have toe. If has I. Have I seen this traffic before?
10:24
If I haven't
10:26
seen this traffic, then I'm gonna call it a new connection.
10:31
And when we receive traffic that's
10:33
initiating a new connection,
10:35
we run the rules.
10:37
We go through our firewall policy doing packet filtering layer in our level inspection
10:46
and determine Is there a rule
10:50
that matches the properties of this traffic? If so, what's the action of the rule?
10:58
And in checkpoint, the typical actions are
11:01
drop which
11:03
we're done with the traffic
11:05
or accept which case
11:07
the traffic is going to be allowed pending other
11:11
analysis.
11:13
And
11:16
if we decide to accept the connection,
11:18
we create a state table entry which is essentially a hash table
11:24
inside of the firewall colonel
11:26
that
11:26
allows us to quickly match
11:31
subsequent traffic
11:33
and not have to rerun our rule set.
11:37
So
11:39
we we hash the source and destination I p address the source and destination port. In this
11:45
a specific instance, sore sport is important,
11:48
and the protocol is a TCP UDP or what
11:50
we hash that five pieces of information. Together, we get essentially a memory location in this hash table, and there we put a note
12:01
at that position. In the hash table. We make a note saying this connection is permitted.
12:07
And so when we proceed through the establishment of a TCP connection,
12:13
subsequent packets that arrive on the security gateway that are part of this connection well, it's not a new connection because thes packets will not have on Lee the sin flag set.
12:26
So this must be an existing connection. Hash. Those five values
12:33
and the resulting
12:35
table location will tell us if
12:39
this is a known approved connection. If we don't have a state table entry
12:45
or the packet that has arrived, that is apparently part of an existing connection
12:50
now we're gonna drop the packet for being out of state.
12:54
And that helps
12:56
protect against some forms of network scanning techniques
13:01
that abused the TCP protocol or other protocols
13:05
and
13:05
allow the attacker to fool some firewalls. And to think you know this, this traffic must be OK because it's not the start of a connection. It's the middle of the connection. I can pass it through.
13:18
Another thing that stateful inspection allows is, when we have run our firewall policy, starting at the first rule and working our way down until a rule matches the properties of the packet, and that rule's action is accept, so we've created the state table entry, we're gonna allow this traffic through, we can then allow other types of policy to examine the traffic. For instance, network address translation policy can decide that we need to modify the source IP address of this outgoing packet to be, say, the firewall's external IP address, because we are doing network address translation of internal hosts. But more than that, we have layer seven policy that can examine what we have now. And at the start of a connection, the beginning of a TCP or UDP connection, we don't have any layer seven data yet, so the layer seven protections, they can't really do their job, but what they can do is say, this looks like an HTTP connection. I have protections that work on HTTP traffic. So when you get subsequent traffic for this connection, let me take a look at it. Add an entry to the state table for this connection that we need to do this sort of NAT rewriting, but we also need to pass the traffic to our intrusion prevention blade so it can examine it once we have layer seven data being transmitted. So stateful inspection really improved throughput, but I think more importantly, it allowed layer seven inspection of traffic, and so we're not confined to just looking at source port, or sorry, source IP, destination IP, destination port, and protocol. And so that led to the development of the application layer firewall, where we have protections at really almost all of these layers. At the IP layer, we have protections against dangerous IP options and others. We have at the layer four TCP level the ability to determine that this is a TCP resource starvation attack, not normal TCP traffic, so I'm not going to allow this. And then at the higher layers, we have hundreds of layer seven protocols, which various software blades implement protections for. And those software blades, if enabled, can examine the layer seven data of a connection, once we actually get to the point where we're transmitting layer seven, and make decisions of whether or not this traffic should be allowed or dropped. Should we modify the traffic somehow for safety? And so that gives us the ability to implement intrusion prevention, but also recognize bot traffic, do URL filtering and antivirus and more. So early application layer firewalls used various techniques, including proxy servers, but in Check Point the bulk of the layer seven protections are implemented in the firewall kernel. So they're very fast.
17:10
Now we'll talk a little bit about how you deploy a Check Point security gateway. A security gateway requires a management server to manage it, and we've already talked about deploying a management server appliance. So that sort of implies that we have a management server appliance and at least one security gateway appliance. In a very small shop, a very small deployment, that may not be necessary, and cost may be an issue, so I only want to buy one appliance. Well, you can do that, and the appliance can be both the security gateway and the security management server on the same appliance. That's known as a standalone deployment, and it works, but there are some limitations. If you have a security gateway that's in a standalone deployment, it can't be clustered, so you can't do high availability with that security gateway. Also, being a management server requires a decent amount of memory and CPU time and disk I/O, which is robbing resources from the security gateway, which needs CPU to examine traffic, it needs memory to hold stuff, so it can limit throughput. The most common deployment that Check Point is deployed as is a distributed deployment, and in a distributed deployment you have a management server somewhere else, on another appliance. So the security gateway is not managed locally by a local management server; that would be a standalone. The security gateway is managed over the network from a management server. We already discussed secure internal communications. In a standalone deployment, management server communications to and from the security gateway are inside of the same host, so a simplified form of secure internal communications is used. But across a network in a distributed deployment, we use the full secure internal communication protocol to secure that traffic.
19:34
Now on a security gateway, and I will demonstrate this, you have to configure the various interfaces that will be dealing with network traffic. I have an internal interface, I have a DMZ interface, I have an Internet-facing external interface, and I have a management interface on this security gateway appliance. Each of those interfaces needs to be configured at the operating system level. And then when you have a new security gateway that you're adding to your deployment, you need to create an object in the SmartConsole application that represents that security gateway, establish SIC to that security gateway, and as part of the initialization of that object, the network topology, the list of network interfaces and IP address and subnet information for those network interfaces, default gateway information, will all be imported over SIC from the security gateway to the SmartConsole application to populate this new security gateway object. The security gateway object will have a list of interfaces, the IP addresses of each interface, the subnet mask of each interface, and typically one of the interfaces, the one that connects out to the Internet, will be on the same subnet as the default gateway of this security gateway. Because that's how routing works: I need an interface on the same subnet as the next hop, my default gateway, to be able to communicate with it. So the interface that is on the same subnet as the security gateway's default router, the default next hop, is designated the external interface. Every other interface is designated an internal interface, and this is used by anti-spoofing. Anti-spoofing is a protection that is on by default.
21:56
It does not allow traffic from the wrong subnet in from a specific interface. So perhaps my internal network is a 192.168.1.whatever /24 network. That interface, with anti-spoofing protection enabled, will drop any traffic that arrives on that interface from a different subnet. So any traffic from 192.168.1 that arrives on this internal interface, okay, we pass anti-spoofing. But if it comes from, say, 172.16.12.1, that's a different subnet, it doesn't match the subnet that this interface is connected to, it's a spoofed packet. Somebody is forging the source IP address of outgoing traffic for some reason. Now, sometimes anti-spoofing breaks valid traffic, it drops valid traffic. And when that happens, it's almost always because you have a more complicated network infrastructure connected to this interface than Check Point knows about.
23:15
For instance, you may have another internal network, 172.16.12/24, that routes through the 192.168.1 subnet to get to the firewall. You have to configure the interface for the firewall to reflect the reality of your network topology, that this interface will see traffic from 192.168.1, but it will also see traffic from 172.16.12. And the way you do that is you create a network object that represents the 192.168.1 subnet, another network object that represents the 172.16.12 subnet, you create a network group object that has as its members both of these network objects, and then in the "Leads to" field at the top of the security gateway interface topology settings, you override the default, "This network", and that simply means whatever the network interface that we're configuring, its subnet, we should only see traffic from its subnet. That's a very simplified view, but it's the default view. Instead, we want to override it and say, I have a specific network topology that you need to be aware of, and then you would select the network group that contains both the 192.168.1 network and the 172.16.12 network. It's currently grayed out because we have it set to the default of just use the interface's subnet.
25:11
I want to point out that grayed-out button, "Interface leads to DMZ", the demilitarized zone. A demilitarized zone is sort of a widely accepted best practice where, if you have servers that must accept incoming connections from the Internet, you segregate, you isolate those servers on a restricted network with its own hardware, and you then lock down security policies so only the traffic that must be allowed in from the Internet is permitted, only the traffic that must be allowed out to the Internet is permitted, and the best case would be no traffic is permitted from the DMZ to my internal networks, because since the hosts, the servers in the DMZ, are directly exposed to the Internet, they're at a higher level of risk for being compromised. And let's make it harder for an attacker to jump from a DMZ server host to an internal server by blocking traffic. That's not always possible, but allow only what must be allowed. This "Interface leads to DMZ" button, what it actually does is inform some of the protections that traffic that comes in on this interface is from the DMZ, and so could be treated differently. And that's used, for instance, by the antivirus software blade. You can configure it to examine traffic that's coming into your internal network, but not traffic that's coming into the DMZ network, because that's low risk and we don't need the overhead, things like that.
27:03
Also in this dialog box is the security zone. The security zone allows you to match traffic in your policy based on the type of interface the traffic arrived on, and by default, internal interfaces are assigned to the Internal Zone security zone, and your external interface, the interface that is connected to the subnet that your default gateway is on, that interface is assigned to the External Zone security zone. And then these are objects that you can use to match rules in your policy. If the source is Internal Zone and the destination is External Zone and the service is HTTPS, allow, we'll accept that traffic.
27:56
So I'm gonna demonstrate finishing the configuration of a firewall host, then adding that firewall host as a Check Point object and setting up that object. At this point, I have my web browser connecting to the web user interface of the security gateway appliance, and again recall that you're going to get an SSL warning because you're talking to a web server on a Linux host that initialized itself, created its own internal certificate authority, which is distinct from the Check Point management server's internal certificate authority, and I'm presented with a website certificate digitally signed by the security gateway's web server certificate authority, which I don't trust. And again, best practice would be: do not permit this sort of situation indefinitely. You should never be doing sensitive administration tasks like entering credentials over an SSL connection that's not secure. You're probably gonna be okay. Yeah, probably. But why not be sure? So I did what everybody does, I clicked through the SSL warning, and I have the login screen of the web user interface.
29:36
And like the management server, this security gateway appliance has not yet had the first time wizard run. So when I log in to the web user interface, it presents the first time wizard, and I mentioned earlier that the Gaia images are distinct between the installation image for a management server and an installation image for a security gateway. This is the security gateway appliance, so it's running the security gateway operating system image. But it looks just like the management server first time wizard, at least to begin with. It allows me to configure the interface that will be used to manage this security gateway, and the IP address and subnet information for this first interface, eth0, was entered when I did the installation of the appliance. If you have a Check Point appliance, you probably don't have to install the operating system, but you have to do some setup. This is not a Check Point appliance, so I had to install the operating system. And just like on the management server, it wants some operating system level configuration. And again, you want to choose the hostname wisely. You don't wanna have to change that. It's possible to change it, but it's a pain.
31:12
And you need an IP... sorry, a DNS server IP address, so that the security gateway host can resolve things like Check Point's update servers, so that it can download IPS signature updates, if you have that, and antivirus signature updates, if you have that. But also I talked about the Check Point Update Service Engine, CPUSE, and that will automatically check if there are any Gaia updates that are relevant for this host. It needs to be able to resolve the update servers. Correct time is important between the security gateway and the management server because secure internal communications uses the timestamp to prevent replay attacks and other things. Also, certificates have a limited validity, and so we have to have agreement about time between the management server and the security gateway. Best practice would be to set up your appliances to use Network Time Protocol to sync against a common set of NTP servers, which may be associated with your Active Directory deployment. If nothing else, you can use publicly available NTP servers. For this demonstration, I'm not going to set up NTP, but I do want to make sure the time zone is correct.
32:51
And here it offers to be a security gateway and/or security management server. You recall when I was running the first time wizard on the security management server, it had no option to be a security gateway. That was grayed out, again, because of that different image. It also has an option to be a multi-domain server that is grayed out, cannot be selected, because this is a security gateway image. But you may want to do a standalone deployment, so it does offer the option of installing a security management server as well, so this could be a standalone deployment, and that option is selected by default. So, important safety note: uncheck the security management product option on a security gateway unless you intend to do a standalone installation. If you don't uncheck that, it will be installed as a standalone installation, and then you will not be able to correctly establish management SIC from your actual management appliance. Here, I can also designate whether or not this appliance is going to be used as part of a cluster, and there are currently two options for the clustering protocol, ClusterXL and Virtual Router Redundancy Protocol. I'm not going to set up clustering here, and you can leave this turned off, not part of a cluster, and then later enable it, so you don't have to make the decision yet.
34:38
A security gateway may have a d HCP assigned external i p address.
34:45
You may not have a static i p address,
34:47
and so it's asking. Is this a dynamically assigned I P address D A. I p.
34:57
Normally not but possible in this case not.
35:01
And now I need to provide an activation key. You bootstrap, the secure internal communications.
35:09
This activation key, which I have managed to type in wrong,
35:15
is used
35:17
when
35:19
you are creating the checkpoint security gateway object
35:23
in smart dashboard.
35:25
You provide the same activation key there.
35:30
Meanwhile, as I installed this security gateway and it completes the first time Wizard
35:37
finishes its configuration and it will restart the operating system
35:43
because now we know where. Security Gateway. We're going to install the firewall kernel module and so on.
35:51
When that is done, the security gateway will be a firewall, and it will have what's what's called the initial policy.
35:58
In effect,
35:59
I haven't yet
36:00
sent a policy to the security gateway. It comes with an initial policy
36:06
that initial policy is very simple. It essentially says any network connections that this appliance wants to initiate out are allowed.
36:15
And pretty much the only incoming connections that are permitted are the Web user interface, secure shell
36:22
and secure internal communications.
36:25
We don't know who are management server's gonna be yet, so we accept incoming
36:31
secure internal communication
36:34
initiation connections
36:36
for many i p address.
36:37
Oh, okay. That could be dangerous. So
36:42
we protect it by a shared secret. This activation key.
36:46
And when I create the object in smart Consul, provide the activation key and I tell smart Consul to tell the management server
36:55
initialize secure internal communications.
36:59
There will be a challenge response exchange, where
37:02
the management server has to prove it's the correct bonified Genuine management server
37:09
I
37:10
demonstrating that it knows the activation key.
37:14
And so if it knows the correct activation key, you're my management server.
37:19
I will trust you, and we'll import the internal certificate, authority, information and so on.
37:29
So this device is going to be a security gateway, not a standalone installation, so it's not going to be a security gateway and security management server. Confirm that I want the first time wizard to start the configuration process, and this is going to run for a while, so I'll pause and come back when it's completed. At this point, the first time wizard has completed successfully, and as part of the first time wizard configuring a security gateway, it restarted the operating system. And when that happened, my web user interface session was lost. It doesn't survive a reboot. You may recall, with the management server, when the initial configuration completed there, it just took me into the web user interface that you normally see on a Gaia host. I didn't have to log back in because there was no restart when the management server was configured. But there is a restart with a security gateway, and you can see the web user interface looks the same on a security gateway versus a management server, because it's an operating system level thing, though the specific options on the left-hand menu, they differ a little bit. This doesn't offer me any options related to a management server.
39:00
Well, the next thing I want to do is configure the other network interfaces. So this
39:06
device has three physical interfaces. Eat zero, which is my management interface,
39:12
and that's already set up. That's how I'm communicating with the guy, a host,
39:19
and next, I want to configure the internal network interface.
39:23
Heath won
39:24
important to select that enable box
39:30
that actually brings the link up when you apply the new configuration Comment Field is entirely optional. It's really just displayed here in the Web user interface, and
39:42
if you use the CLI is displayed there,
39:49
then I'm gonna go ahead and
39:52
use the 192.168 network for this example
40:07
and a sub net mask of 2 55 to 55
40:10
2 55 0 which is equivalent to a slash 24.
40:17
And when I click OK,
40:20
that configuration change is applied and you can see scrolling off to the right a little bit.
40:28
It has the comment
40:30
really squished down there.
40:31
I also want to configure the external interface
40:37
again. I want to make sure it's enabled.
40:58
You know, my interfaces are configured.
41:00
Another thing I should do is set up at least one default gateway.
41:06
Add routes as needed.
41:09
So there is this default. Get Gateway object here in the Web user interface, but it doesn't have any I p addresses
41:19
or interfaces assigned to it.
41:22
I'm gonna add
41:25
and i p address for the next hop the default gateway.
41:36
This is going to be
41:38
on the same subnet
41:39
as my external interface's IP address,
41:53
and now
41:54
I have a default route out to the Internet.
42:01
Next,
42:02
I'll bring up SmartConsole,
42:07
and I'm going to create
42:09
a security gateway object. So up here, this allows you to create a new object,
42:15
and
42:16
it's going to be a gateway object.
42:19
I have two options for how I want to proceed in the SmartConsole GUI. I can use wizard mode, which is simplified,
42:28
but I'm going to go ahead and choose classic mode so you can see more of the options.
42:35
Right now it's busy creating this
42:38
security gateway object, initializing it, and since we're on a virtual environment,
42:45
it's slow.
42:51
You want to name the object the same hostname as you configured in the operating system.
43:00
Don't
43:00
in the operating system, I used a dash gateway.
43:05
I'll use that here,
43:07
then provide the IP address that
43:10
this management server should use to communicate with the Security Gateway.
43:20
I'm going to use the management interface's IP address on the security gateway.
43:27
Next,
43:28
secure internal communications.
43:35
I have to provide the same
43:37
one-time shared secret, the activation key,
43:42
that I provided during the
43:44
initial configuration wizard
43:51
and
43:52
don't click OK, that's a trap.
43:54
You need to click the Initialize button here,
43:59
which
44:00
transmits the activation key to the management server. The management server then establishes a connection to the Security Gateway,
44:08
proves its identity
44:10
by proving it knows the same activation key
44:15
and then
44:17
the internal certificate authority information from the management server is
44:22
sent to the security gateway. This is your trusted certificate authority. Also, a certificate for the security gateway is digitally signed by the management server.
44:35
So when the security gateway participates in future secure internal communications,
44:43
it proves its identity
44:45
by presenting a certificate that is digitally signed by the internal certificate authority that
44:52
all of my Check Point components trust.
44:57
So once I
44:59
OK out of that secure internal communications dialog,
45:05
the
45:06
gateway's
45:07
topology is fetched, and the gateway's topology is just a list of its
45:13
network interfaces, their IP addresses and subnet masks,
45:17
and the default gateway.
45:21
So the default gateway is
45:22
on the same subnet as eth2, so eth2 is automatically designated the external interface,
45:32
and anything that doesn't have a default gateway on the same sub net is automatically designated an internal interface.
45:44
I'll go ahead and dismiss that. If I then select
45:47
the
45:49
network management
45:52
screen,
45:53
you can see that the interfaces have been populated in this
46:00
security gateway object,
46:01
and if I edit a specific interface,
46:07
I can see the properties of this interface,
46:09
including
46:12
the fact that the topology for this interface is just the interface's subnet.
46:17
I haven't set anything more
46:20
46:22
or complicated. Security zone by default is not set, but you could do that by editing,
46:29
and
46:30
you can specify a specific security zone. For instance, there is a
46:35
wireless zone for your guest WiFi,
46:38
a
46:39
DMZ zone, which is another way of designating that this interface is used for a DMZ. The "interface leads to DMZ" radio button that's grayed out
46:50
essentially informs Layer seven protections that
46:54
this is the DMZ interface.
46:58
The DMZ security zone
47:00
is just an object that you can use in your security policy to say, hey, if the traffic is coming from this DMZ zone and the destination is my internal zone,
47:10
deny that.
47:14
I'm gonna leave it,
47:15
47:17
leave it to the Check Point software to determine what the appropriate security zone is. Since this is an internal interface, it
47:27
chooses by default the Internal zone, and so I'll just select that,
47:31
and the anti-spoofing checks
47:35
by default
47:37
are enabled. You can disable anti-spoofing checks on a given interface.
47:43
But if you do that,
47:45
you will get warned incessantly: every time you install policy,
47:50
there will be warnings about
47:52
this object has an interface that
47:55
doesn't have anti-spoofing protection enabled.
48:00
You can ignore the warnings.
48:01
There is really,
48:02
in my opinion, no compelling reason to disable the anti-spoofing protections. If traffic is being dropped for being spoofed,
48:12
that probably means you need to go in and change the network topology settings from the default (it's just whatever subnet this interface is on)
48:21
and describe to Check Point what the actual network topology is behind that interface,
48:27
and that will
48:30
usually, almost always, cure your traffic being dropped for being spoofed.
48:36
You can also disable it another way by setting the protection's action to Detect instead of Prevent. It'll log when it sees spoofed traffic, but it won't drop it for being spoofed.
48:47
Not a best practice,
48:54
So I've configured my management interface
49:00
to be the Internal Zone security zone.
49:05
For my
49:07
internal network interface,
49:12
it's being slow to edit.
49:15
I want to do a little bit more with
49:17
this interface.
49:20
I do want to set it to be the internal zone security zone as well,
49:29
but I also want to describe a more complex
49:32
internal network topology.
49:35
than
49:37
simply the subnet of this interface,
49:40
so I'm going to tell it I have a specific topology
49:45
to give you,
49:47
and
49:50
there are some predefined objects.
49:52
Those aren't
49:53
appropriate for this. I'm going to create a new network object
49:59
that represents the primary internal network that this interface is on.
50:10
So this network
50:13
has
50:15
the IP address range of 192.168
50:20
.1.whatever.
50:24
That's a 255.255.255.0 subnet,
50:30
and the broadcast address option here is really just: if somebody sends traffic to 192.168.1.255,
50:37
which would be the broadcast address for this specific sub net.
50:40
should that be matched in this group,
50:44
or should it not match?
50:46
And the default is
50:47
let it match.
50:57
I'm going to create another network object to represent a different internal network that is routed through my internal 192.168.1 network.
51:28
Now I have these two network objects.
51:30
I can only
51:31
list one object here for the topology. So what I need to do is create a network group object
51:49
and
51:51
add
51:53
the
51:54
internal network object that I created
51:58
and the other internal network object that I created.
52:09
Now that these two objects
52:13
are in this
52:14
network group object,
52:16
I
52:17
select the network group object as the topology for the network that this interface is connected to
52:27
and now anti-spoofing
52:29
for this interface will accept incoming traffic from the 192.168.1 subnet, but also from the 172.16.12 subnet.
52:43
For my third interface, the external interface,
52:49
I want to set the security zone
52:52
to be appropriate for the external interface.
52:55
And again, Check Point knows that this is the external interface because the subnet of this interface
53:01
is the same subnet as the default gateway for this host,
53:07
so this must be the
53:08
interface that
53:10
leads to the default gateway. That's the interface that gets us out to the Internet;
53:14
that by default is our
53:15
external interface.
53:20
So for the external interface,
53:22
Check Point will automatically select the External Zone security zone object,
53:30
and anti-spoofing is a little bit different on an external interface.
53:35
When traffic is received on an external interface, we look to see: is the source IP address of this traffic
53:42
on any internal subnets
53:45
53:45
behind any of my internal interfaces? If so, why is the Internet
53:51
sending me traffic
53:52
that says it's from one of my internal networks?
53:55
That's spoofed, and I'll drop the traffic.
54:00
So on an external interface,
54:01
anti-spoofing checks to make sure that you aren't sending traffic from any internal network.
54:07
On an internal interface, anti-spoofing checks: is the traffic appropriate
54:13
to this interface? And by default,
54:15
is it the same subnet as this interface?
54:22
I've configured the
54:24
network object of the network interfaces
54:28
for this security gateway object.
54:31
I wanted to just briefly point out
54:37
the log option here.
54:38
By default, logs are sent to the Security Gateway's management server;
54:45
in a small deployment, that's fine.
54:50
In a
54:51
larger deployment,
54:52
I may want to override the default log destination, and instead of sending it to my normal management server, I have a dedicated log server
55:04
that logs should go to.
55:13
A lot of, the bulk of, network traffic that passes from the Internet to your internal networks and back is HTTPS.
55:22
There's HTTP as well, but more and more websites are deploying HTTPS because certificates are now free
55:31
from certain certificate authorities
55:36
and
55:37
there have been practical demonstrations of attacks on, for instance, session cookies
55:44
that, if you're using HTTP, are being transmitted in plain text and are susceptible to sniffing and copying.
55:51
So more and more websites are just
55:53
doing HTTPS all the time,
55:58
which is good, that's secure, but
56:00
the layer seven inspection protections lose visibility into HTTPS traffic because it's encrypted inside of a TLS tunnel.
56:13
The Check Point can intercept and decrypt
56:15
HTTPS. It can decrypt the TLS, and it does that by essentially launching a man-in-the-middle attack,
56:23
and as part of the man-in-the-middle attack,
56:28
the HTTPS inspection will create
56:30
a fake certificate
56:34
for the destination website you were going to. facebook.com: it will create a fake certificate that says it's for facebook.com,
56:44
and it will be digitally signed by a certificate authority that your Web browsers don't trust by default.
56:51
So if you want to enable HTTPS inspection,
56:54
you either create a certificate authority
57:00
on the security gateway,
57:02
or you can create a certificate authority somewhere else, like Active Directory.
57:08
Then create a certificate for the gateway
57:13
that's digitally signed by your
57:16
Active Directory certificate authority
57:19
and import that
57:21
into the security gateway, so it's not using its own certificate authority; it's using a trusted
57:25
internal certificate authority, which again is not the Check Point Management Server internal certificate authority.
57:32
That's only used for SIC.
57:35
It's used for other things, such as VPNs, but I digress.
57:39
Then activate the HTTPS inspection module
57:45
service on this security gateway, and now the
57:51
HTTPS inspection policy will decide if a given HTTPS connection out to some destination website
57:59
should be decrypted or not,
58:02
but we're not going to set that up now.
58:07
I also want to just briefly point out the software blades here.
58:12
All of these checked boxes are software blades, which are really just additional functionality
58:16
additional features that can be enabled on the security gateway.
58:21
Every security gateway must have the firewall software blade
58:25
enabled, because that provides the packet filtering and stateful inspection, which are required to be a security gateway.
58:34
Other protections
58:36
depend on what you've licensed,
58:43
so I save this object by clicking OK
58:47
and what I've done actually has made changes to my Check Point configuration in this SmartConsole session.
58:54
And those changes
58:57
have yet to be published
59:00
to the master, if you will, management server database.
59:07
So if you have multiple administrators who are signed in via SmartConsole to the same management server, they can work
59:15
simultaneously, concurrently,
59:16
but changes that I make are not available to other administrators until I publish,
59:23
so I can publish by clicking on this button here.
59:30
Best practice would be to include a description of what changes you're publishing,
59:40
so it's in the audit logs,
59:44
and then the publishing operation
59:46
should not take long. I'm on a virtual environment, so it'll take longer than normal.
59:52
Once the publishing operation is completed, then
59:57
up in the top of SmartConsole, you'll see the number of unpublished changes
60:00
goes away, as I published the changes.
60:04
Also, my changes are now visible and accessible
60:08
to other administrators.
60:12
Any changes that they make that they publish become visible to my SmartConsole.
60:19
In the Gateways and Servers view,
60:22
there are two Check Point objects listed: the management server,
60:27
which created its own object as part of its initialization (it knows about itself), and the gateway.
60:34
We don't yet have status for the gateway.
60:37
Among other things, the gateway isn't properly licensed, nor is the management server. There's a
60:44
15-day trial period
60:45
where you don't need a license after the first time wizard completes.
60:51
When the 15-day trial is done, you need a license.
60:57
So I demonstrated
60:59
the
61:00
first time wizard, final configuration of a security gateway,
61:06
and then,
61:07
as part of that,
61:08
giving an activation key, which is used to bootstrap secure internal communications with the Security Management Server.
61:20
We also looked at
61:22
creating the security gateway object in SmartDashboard
61:27
and configuring that object.
61:30
61:30
Verifying that the topology is correct, that it's in the correct security zone,
61:38
and we also looked at
61:42
creating a group of network objects
61:45
to facilitate a more complicated internal network structure
61:50
so that
61:51
this more complicated network structure doesn't have traffic dropped by the anti-spoofing protections.
62:00
And
62:01
that's it for this module. We looked at the firewall kernel just briefly
62:07
and network models.
62:10
We discussed
62:13
packet filtering, which is layer three/layer four, versus stateful inspection,
62:17
which is layer three/layer four, but we can also designate traffic to be examined at higher layers,
62:23
which leads to the application layer firewall, which has layer seven awareness of protocols and can provide protections that are specific to a protocol.
62:34
We looked at the two major deployment options: standalone, where the management server is on the same host as the security gateway,
62:42
and distributed, which is the most common, where the management server is its own appliance and the Security Gateway is its own appliance,
62:50
anti-spoofing protection, which is on by default, and security zones, which you can use in your policy.
62:57
We demonstrated this.
62:59
Thank you for attending this module of jump start training.
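The anti-spoofing logic walked through above (internal interface: source must lie in the interface's topology; external interface: source must not belong to any internal topology; Detect logs instead of dropping), as an added example that is not Check Point's code or part of the original video. Interface names, addresses and the default gateway below are constructed to mirror the lab in the transcript.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Interface:
    """One gateway interface. topology is the list of subnets behind it (the transcript's
    network group); if empty it defaults to the interface's own subnet, as the transcript says."""
    name: str
    ip: str                       # address with prefix, e.g. "192.168.1.1/24"
    topology: list = field(default_factory=list)
    external: bool = False        # set by designate_external()

    def __post_init__(self):
        if not self.topology:
            self.topology = [str(ipaddress.ip_interface(self.ip).network)]

    def contains(self, src):
        return any(src in ipaddress.ip_network(n) for n in self.topology)

def designate_external(ifaces, default_gateway):
    """The interface whose subnet holds the default gateway is external; all others are internal."""
    gw = ipaddress.ip_address(default_gateway)
    for i in ifaces:
        i.external = gw in ipaddress.ip_interface(i.ip).network
    return ifaces

def anti_spoofing(ifaces, ingress, src_ip, action="prevent"):
    """Return (verdict, reason) for a packet with source src_ip arriving on interface `ingress`.
    action="detect" logs the spoof but lets the packet through, as the transcript warns."""
    src = ipaddress.ip_address(src_ip)
    iface = {i.name: i for i in ifaces}[ingress]
    if iface.external:
        # External side: a source inside any internal topology cannot legitimately come from the Internet
        hit = next((i.name for i in ifaces if not i.external and i.contains(src)), None)
        spoofed = hit is not None
        reason = f"source belongs to internal topology of {hit}" if spoofed else "ok"
    else:
        # Internal side: the source must lie in this interface's own topology
        spoofed = not iface.contains(src)
        reason = "source outside interface topology" if spoofed else "ok"
    if not spoofed:
        return ("accept", reason)
    return ("drop", reason) if action == "prevent" else ("accept-logged", reason)

# Constructed lab: eth0 management, eth1 internal with a network group (its own subnet plus
# a subnet routed behind it), eth2 external (holds the default gateway).
LAB = designate_external([
    Interface("eth0", "10.0.0.1/24"),
    Interface("eth1", "192.168.1.1/24", ["192.168.1.0/24", "172.16.12.0/24"]),
    Interface("eth2", "203.0.113.2/24"),
], default_gateway="203.0.113.1")

if __name__ == "__main__":
    for ingress, src in [("eth1", "172.16.12.7"), ("eth2", "192.168.1.50"), ("eth2", "198.51.100.9")]:
        print(ingress, src, anti_spoofing(LAB, ingress, src))
```

Dropping the network group from eth1 (topology left at the default) makes the routed 172.16.12.0/24 traffic get dropped as spoofed, which is the failure the transcript fixes by adding the group.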

Instructed By

CheckPoint
Instructor