SAFE INTERNET USE
R80.10 Training
(revised: September 14, 2018)
©2017
©2016 Check Point Software Technologies Ltd.
©2015 1
Lab
With HTTPS and Identity Awareness configured, we now know the websites users are visiting and the applications they are using.
Now, you can deploy Application Control and URL Filtering and use that information to develop a secure access control policy for the organization.
Plus, you can also control data use with R80.10 Content Awareness.
Lab topology (network diagram):
• External Network: 192.168.103.x, Gateway IP: 192.168.103.1
• Internal Network: 192.168.101.x
• DMZ Network: 192.168.102.x
• Kali (Pen Test Tool): IP: 192.168.103.100, User: root/Cpwins1!, Default Gtwy: 192.168.103.254
• Win-Victim (Internal Client): IP: 192.168.101.100, User: jroberts/Cpwins1!, Default Gtwy: 192.168.101.254
• R80 (Management & Gateway): Eth0: 192.168.101.254, Eth1: 192.168.102.254, Eth2: 192.168.103.254, User: admin / Cpwins1!, GUI: admin / Cpwins1!, Default Gtwy: 192.168.103.2
• EndpointServer (Endpoint Management): IP: 192.168.101.165, User: admin/Cpwins1!, Default Gtwy: 192.168.101.254
• Ubuntu (Web Server): IP: 192.168.102.5, User: admin/Cpwins1!, Default Gtwy: 192.168.102.254
• Win-DC (Active Directory): IP: 192.168.102.2, User: Administrator /Cpwins1!, Domain: LAB.TEST, Default Gtwy: 192.168.102.254
• DNS servers shown on the diagram: 192.168.102.2, 8.8.8.8, 192.168.103.2, 127.0.1.1
• The diagram carries "VMware: suspend" notes beside some of the virtual machines.
Safe Internet Use Lab
Test Internet Connectivity
We will create a corporate policy.
• Log in as Joe to the Win-Victim virtual machine.
• Test Internet connectivity by browsing to the following sites:
̶ www.cnn.com
̶ www.facebook.com
• Verify that both sites are accessible.
Configure App Control and URLF
• From SmartConsole, edit the R80 object.
• Verify in the Network Security tab that the following are enabled from the HTTPS lab.
̶ Application Control
̶ URL Filtering
• Enable
̶ Content Awareness
Content Awareness controls how data is used in our organization.
Note: we’ve now enabled Content Awareness in the gateway object and the policy.
• Click on the Management tab.
• Enable Compliance.
• Click OK.
• Install the policy.
The Compliance Blade includes security best practices and will help us to analyze our policy and configuration.
• Select SECURITY POLICIES, right click Access Control and select Edit Policy.
• Edit the Access Control Layer.
• Verify these blades are enabled.
̶ Firewall
̶ Application Control & URLF
̶ Content Awareness
• Select Advanced.
• Verify the Implicit Cleanup Action is drop.
• Click OK twice to exit.
• We recommend having an Explicit Drop in your policy that matches the Implicit Cleanup Action in the policy layer.
Database Updates
• The Application and URL Filtering database is automatically updated.
• Select SECURITY POLICIES -> Access Control, then Updates (lower left).
• Verify that the Management server is up to date. If not up to date, click Update Now.
Policy Best Practices
• Our policy blocks all inbound and allows all outbound except for critical risk applications and sites from the Internal 192.168.101.0 network. How do we create a more secure policy?
• There are two ways to enforce application control & URL Filtering.
̶ Blacklist: Block any undesired traffic and allow everything else. This is the most common and the easiest to manage.
̶ Whitelist: Allow only the applications you want and block all else. This is more difficult to manage as you have to define the “good” list.
• In this lab we’ll adopt a blacklist approach.
• In sk112249: Best Practices Application Control we recommend blocking these categories:
̶ Critical Risk
̶ Anonymizers
̶ P2P File Sharing
̶ Spyware
̶ Remote Admin
• Using the picker add these categories to our Internal Access section rule 4.
• Install the policy.
What’s in a category?
• Double click Spyware to open it.
• Notice it covers applications and URLs.
• Notice it contains over 20 applications.
• Mouse over Services and notice the services used to match this category. Not all ports are allowed.
Which applications are in the Spyware category?
• Click Cancel to close the spyware object.
• In the lower left click Application Wiki.
• This opens a browser to the App Wiki.
• In the search bar type Spyware or select Spyware in the drop down filter to see the applications in this category.
• Browse other categories like SCADA as you like.
How does our policy compare with security best practices?
• In SmartConsole click LOGS & MONITORS, click + to open a new tab.
• Select Open Compliance View.
• If you like, press F11 to close the objects right sidebar.
• In the Overview we can see how we fare. Click Poor to see how we can improve our policy.
Note: after enabling the Compliance blade you may have to wait 2 to 3 minutes for the scan.
• Scroll through the list and notice there are recommendations for each blade including the Gaia OS.
• If we want to we can modify our policy to comply with regulatory requirements. In the lower right click on Show relevant regulatory requirements to see which ones apply. As we make changes the compliance blade monitors the changes and updates the report.
• When done click the green back arrow in the upper right to return to the Overview.
• In the lower right click the gear icon to open the summary list of regulations.
• If PCI DSS 3.0 is not already selected, then deselect PCI DSS 2.0 or another regulation and select PCI DSS 3.0.
• Click OK.
• Click PCI DSS 3.0 to see the requirements that match the regulation.
• Search for state and notice in the lower right panel that multiple security best practices may match this one requirement.
Policy Creation
• Your organization has identified URL categories and commonly used applications that you want to prevent access to by company employees.
• From the employee’s perspective they’ll see a block page.
• From Win-Victim search for express vpn, try connecting to https://www.expressvpn.com/
• You should see a block page where the IP is that of the gateway.
Note: if needed accept the browser warning to go to the gateway portal UserCheck page.
• In addition to the Drop Action, the actions Ask and Inform are available.
• In SmartConsole SECURITY POLICIES -> Access Control click Drop in the Action column and select More.
• Change the Action to Ask.
• Notice the options available include frequency, confirm and download/upload limits.
• Click the pencil next to UserCheck …Company Policy.
• This lets you edit the UserCheck message.
• Notice you can customize the message as you like, select other languages and use your own logo.
• Click Cancel twice to exit.
• We’ll add rules to show the use of these different actions.
• Add a new rule below rule 4 to limit bandwidth to Media Streaming.
• Use the information below to configure the High Risk rule:
̶ Name: Media Streaming
̶ Source: Net_192.168.101.0
̶ Destination: Any
̶ Sites: Media Streams, Media Sharing
̶ Action: Accept, Limit… Download_10Mbps
̶ Track: Log
Note: to simplify adding objects to rules try searching in the right objects side bar and dragging and dropping the object into the relevant rule Services & Applications column. First select the Applications/Categories or Categories only.
• Use the information below to inform users about using social network sites:
̶ Name: Social Networking
̶ Source: Net_192.168.101.0
̶ Destination: Any
̶ Applications/Sites: Facebook
̶ Action: Inform, Access Notification
̶ Track: Log
Note: to simplify adding the Net_192.168.101.0 object into the Source column select the object in another rule and drop it into the Source column of the rule you want to add it to.
• Use the information below to inform users about inappropriate content:
̶ Name: Inappropriate content
̶ Source: Net_192.168.101.0
̶ Destination: Any
̶ Applications/Sites: Category: Gambling, Alcohol, Pornography
̶ Action: Drop, Blocked Message
̶ Track: Log
• As with the firewall policy, rule order is important. Suppose we want to allow access to www.budweiser.com and block access to other Alcohol related sites.
• Add a rule above this rule.
̶ In the add Application/Site window, click New -> Application/Site.
̶ Enter the name Allow-Budweiser.
̶ Click + to add a URL.
̶ Enter the URL www.budweiser.com.
̶ Click OK to add the Custom App.
̶ Set the Action to Ask and Track to Log.
The policy will look similar to this policy. If needed, change rule positions by clicking in the rule No. and dragging to another position.
Install the policy.
Notice the last rule accepts Any traffic from the 192.168.101.0 network and is consistent with our blacklist approach.
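Why the Allow-Budweiser rule has to sit above the Inappropriate content rule, shown as an added example that is not part of the original lab material. It is a simplified first-match model, not the gateway's own matching engine; the /24 mask, the site-to-category lookup and the rule name "Internal outbound" are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.101.0/24")  # Net_192.168.101.0, /24 assumed

# Constructed lookup; a gateway resolves these from its application/URL database.
SITE_LABELS = {
    "www.budweiser.com": {"Alcohol", "url:www.budweiser.com"},
    "www.liquor.com": {"Alcohol"},
    "www.facebook.com": {"Facebook"},
    "www.cnn.com": {"News"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    sites: frozenset  # empty set means Any
    action: str

BUDWEISER = Rule("Allow-Budweiser", frozenset({"url:www.budweiser.com"}), "Ask")
INAPPROPRIATE = Rule("Inappropriate content",
                     frozenset({"Gambling", "Alcohol", "Pornography"}), "Drop")

def build_policy(exception_first=True):
    """Return the lab's internal rules, top to bottom."""
    pair = [BUDWEISER, INAPPROPRIATE] if exception_first else [INAPPROPRIATE, BUDWEISER]
    return [
        Rule("Social Networking", frozenset({"Facebook"}), "Inform"),
        *pair,
        Rule("Internal outbound", frozenset(), "Accept"),  # hypothetical name
    ]

def evaluate(policy, src_ip, host):
    """First matching rule wins; anything unmatched hits the implicit cleanup."""
    if ipaddress.ip_address(src_ip) in INTERNAL:
        labels = SITE_LABELS.get(host, set())
        for rule in policy:
            if not rule.sites or rule.sites & labels:
                return rule.name, rule.action
    return "Implicit Cleanup", "Drop"

if __name__ == "__main__":
    for order in (True, False):
        policy = build_policy(exception_first=order)
        for host in SITE_LABELS:
            print(order, host, evaluate(policy, "192.168.101.100", host))
```

With the two rules swapped, the Alcohol category match shadows the custom URL and www.budweiser.com is dropped like any other Alcohol site.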
Policy Validation
• Now that you have started to implement corporate policies by prohibiting access to certain sites and applications, it’s time to test the new user experience.
• From the Win-Victim VM browse to the following sites:
̶ www.cnn.com
̶ www.facebook.com
• Verify that the user may access the budweiser site, but not other sites in the Alcohol category.
̶ www.budweiser.com
̶ www.liquor.com/
Content Awareness
• Another threat to our users is the download of malware.
• Add a rule below the Inappropriate Content rule.
• Click + in the Content column, search for exe and add the Executable File type.
• Right Click on Executable File.
• Select Down for the data direction.
• Set the Action to Drop with a Blocked Message and the Track option to Extended Log.
• Add another rule to Drop the upload of PCI – Credit Card Numbers via HTTP.
• Install the policy.
Advanced Track Options
• To understand the differences in the track options, click in the Track column and select More.
• Click the ? to open the online help.
Policy Verification
• Search for putty or browse to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html.
• Try downloading some of the files.
• Are all of the files caught by our rule?
• Does the protocol used matter from the user’s view, e.g. HTTPS or FTP?
• Navigate to LOGS & MONITOR.
• Click in the query bar and select blade.
• Select Content Awareness. Press Enter.
• Notice in the Files tab the File Name.
Policy Best Practices
How does our policy compare with security best practices?
• Check Compliance View again.
• In the Overview we can see if we’ve improved.
• Edit the R80 object and disable Compliance for the rest of the labs. Install the policy.
ADVANCED TOPICS
Application Control Best Practices
SecureKnowledge sk112249
End of Lab