
R80 SECURITY MANAGEMENT LAB
R80 Training

Updated Nov. 5, 2020 ©2020 Check Point Software Technologies Ltd. 1


• We’ve created a policy that reduces risk
for our organization and employees and
controls and educates our users on safe
Internet use.
• We’ve also discussed some security best
practices.
• In this lab we’ll explore ways to optimize
our policy using R80 security management
layers.



R80 Security Management Lab
Policy Review
At a high level our policy:
• Inbound from the Internet
  • Blocks all (cleanup rule 13)
• Outbound to the Internet
  • Blacklists access to risky sites from the 192.168.101.0 network (rules 4 – 10)
  • Allows all else from the 192.168.101.0 network (rule 11)
  • Allows all from the 192.168.102.0 network (rule 12)
• Internal
  • Allows all between the Internal zone and the DMZ (rule 11 and rule 12)



R80 Security Management Lab
Policy Review
• What if we want to download EXE files from the DMZ? Does our policy allow it?
• The Destination of Any in rule 9 will block it. This may be difficult to see in a complex policy with multiple sections and lots of rules.
• In the rule search bar, search for EXE and only the rules matching the search are shown, with the search object highlighted.
• Click x to delete the query. Notice that you can also search by token like Action:Drop or packet. Click ? to learn more about the search options. Packet Mode matches rules in the same way a packet with an IP address arriving at the gateway would.



R80 Security Management Lab
Policy Review
• Our intent for rules 4 – 10 is to control access to the Internet and not the DMZ. There are a number of ways to fix this.
• Click + in the Destination column of rule 4.
• Type internet and we see two options (add both):
  • All Internet address range (0.0.0.0 to 255.255.255.255)
  • Internet object (double click to open, click ? for more info)
• Notice both include traffic to the DMZ. Not what we want.



R80 Security Management Lab
Policy Review
• Right click to remove both Internet objects.
• We have more options.
• Add the Net_192.168.102.0 network object to the rule 4 Destination column, then right click and select Negate Cell.
• In our simple 3-legged network this works, but requires 14 steps to add to rules 4 – 10.



R80 Security Management Lab
Policy Review
• Right click to remove the Net_192.168.102.0 network object from rule 4.
• Security Zones is a nice option. Using the interface topology our rule will match packets going to the Internet and not to the DMZ zone.
• Add the ExternalZone object to rule 4. Then drag and drop to add it to rules 4 – 10.
• Install the policy.



R80 Security Management Lab
Policy Review

• In addition to having a policy that matches our intent:
  • our policy will be easier to apply to other R80.x gateways as a shared layer
  • it provides better performance
• To understand this last point, press the F1 key to open the SmartConsole online help.



R80 Security Management Lab
Policy Review
Search for performance, click Best Practices for Access Control Rules.



R80 Policy Layers



R80 Security Management Lab
Policy Layers
One way to improve performance is to add layers to a policy.

The first connection traverses the rule base from the top to the bottom until a match is found.

In our policy this means that packets from the DMZ traverse rules 1 – 11 first before a match is
found.

Typically the DMZ includes servers accessible from the Internet such as web servers. These may
have a high hit count.

Over time we can use rule hit counts to move rules with higher hit counts up to optimize our policy.
We can also use layers: inline and ordered.



R80 Security Management Lab
Inline Layer

Inline policies have a parent rule.

Connections matching the parent rule are then inspected by rules in the inline layer.

Connections that do not match the parent rule skip the inline layer and are then checked against the next rule in the policy.



R80 Security Management Lab
Packet Flow: Inline and Ordered Mode
[Figure: Packet Flow: Inline and Ordered Mode. Labels shown: Access Layer, Content Layer, Data Layer; Web Control Layer; Rule 5.3 Accept; Rule 8: Accept; Rule 10: Accept; Inline Layer; Ordered Layers.]
R80 Security Management Lab
Inline Layer
Rules 4 – 8 can be moved to an inline layer.

• Add a rule above rule 4.
• Drag the Source and Destination objects from rule 5 to rule 4.
• Click in the Action column and select Inline Layer -> New Layer.



R80 Security Management Lab
Inline Layer
• Name the layer Web Control.
• Select only Applications & URL Filtering for the blades.
• Enable Sharing: Multiple policies and rules can use this layer.
• Click Advanced and change the Implicit Cleanup Action to Accept.
• Click on Permissions and notice we can restrict access to specific profiles to limit access to this section of the rulebase.



R80 Security Management Lab
Inline Layer
• Click OK and this creates the Inline layer.
• Change the default explicit Cleanup rule 4.1 Action to Accept and the Track to Log.
• Select rules 5 – 9. Right click in the No. column, select Copy.



R80 Security Management Lab
Inline Layer
• Select rule 4.1.
• Right click in the No. column and select Paste above.



R80 Security Management Lab
Inline Layer
• This adds the rules to our inline layer. To make our layer more general, remove Net_192.168.101.0 from the Source column of rules 4.1 through 4.5. Ensure the 4.6 cleanup rule Action is Accept.
• Select rules 5 – 9, right click in the No. column, select Delete. Click OK to confirm. Install the policy.



R80 Security Management Lab
Inline Layer
• Monitor the Policy Installation by expanding Tasks (lower left) and notice that it fails to install.
• Click Details. The message means rules 5 and 6 will never be matched: the service Any in rule 4 will always be matched first.

Note: Rules 4, 5 and 6 have the same source and destination.
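As an added example, not code from the lab or from Check Point, the following Python models the packet flow described on the Inline Layer slide (first match, an inline layer under a parent rule, ordered layers that must each accept) together with the shadowing check behind this install failure. Networks, rule numbers and service names are constructed stand-ins: 203.0.113.0/24 plays the Internet (the lab's ExternalZone) and a `data` column stands in for the Content Awareness file type.

```python
from collections import namedtuple
from ipaddress import ip_network
ANY = "Any"
# match: column -> CIDR network, service/data-type name or ANY; action: "Accept", "Drop" or "Inline"
Rule = namedtuple("Rule", "no match action inline", defaults=([],))  # inline: that inline layer's rules

def covers(rule_value, value):
    """ANY covers all; a network covers addresses/subnets inside it; names must match exactly."""
    if rule_value == ANY:
        return True
    if value in (None, ANY):
        return False
    try:
        return ip_network(value).subnet_of(ip_network(rule_value))
    except ValueError:
        return rule_value == value

def match_layer(rules, pkt, implicit_cleanup="Drop"):
    """First-match walk of one layer; returns (action, list of matched rule numbers)."""
    for r in rules:
        if all(covers(v, pkt.get(col)) for col, v in r.match.items()):
            if r.action == "Inline":  # parent matched: the inline layer's own rules decide
                action, path = match_layer(r.inline, pkt, implicit_cleanup="Accept")
                return action, [r.no] + path
            return r.action, [r.no]
    return implicit_cleanup, ["cleanup"]  # nothing matched: the layer's implicit cleanup applies

def evaluate(ordered_layers, pkt):
    """Ordered layers: every layer must accept; the first layer that does not ends inspection."""
    matched = []
    for name, rules in ordered_layers:
        action, path = match_layer(rules, pkt)
        matched.append((name, path))
        if action != "Accept":
            return "Drop", matched
    return "Accept", matched

def shadowed_rules(rules):
    """Rules that can never match because an earlier rule covers every column of them."""
    return [r.no for i, r in enumerate(rules)
            if any(all(covers(v, r.match.get(c)) for c, v in e.match.items()) for e in rules[:i])]

def lab_policy():
    """Constructed stand-in for the lab's Standard policy; 203.0.113.0/24 plays the Internet."""
    web_control = [Rule("4.1", {"svc": "tor"}, "Drop"), Rule("4.2", {}, "Accept")]
    network = [Rule("4", {"src": "192.168.101.0/24", "dst": "203.0.113.0/24", "svc": ANY}, "Inline", web_control),
               Rule("11", {"src": "192.168.101.0/24", "dst": "192.168.102.0/24"}, "Accept"),
               Rule("12", {"src": "192.168.102.0/24"}, "Accept"), Rule("13", {"src": ANY, "dst": ANY, "svc": ANY}, "Drop")]
    data_control = [Rule("1", {"data": "exe"}, "Drop"), Rule("2", {}, "Accept")]
    return [("Network", network), ("Data Control", data_control)]
```

Inserting a Content Awareness rule with the same source and destination directly below the svc Any parent rule 4 makes `shadowed_rules` report it as unreachable, which is the condition the failed install's Details describes; `evaluate` shows the Matched Rules path through both layers for an accepted or dropped download.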



R80 Security Management Lab
Inline Layer
Let's try to solve this by creating an inline data control layer for rules 5 and 6 and specifying the services that Content Awareness matches.

• Click Close to exit the policy install Details.
• Navigate to MANAGE & SETTINGS -> Blades -> Content Awareness Advanced Settings.
• Notice this blade matches ftp, http/s, HTTP/S_proxy and smtp.



R80 Security Management Lab
Inline Layer
• Navigate back to the security policy and add a rule above rule 4.
• Add ftp, http, https, HTTP_proxy, HTTPS_proxy and smtp to the Services & Applications column.
• Click in the Action column and select Inline Layer -> New Layer.



R80 Security Management Lab
Inline Layer
• Name the layer Data Control.
• Enable Content Awareness only.
• Enable Sharing: Multiple policies and rules can use this layer.
• Select Advanced and change the Implicit Cleanup Action to Accept.
• Click OK.



R80 Security Management Lab
Ordered Layer
• The policy installs now, but is not optimized. A better policy has content inspection lower in the rule order.
• To fix this we could include the content awareness rules in the Web Control layer as before, but R77.x gateways don’t support content awareness and we’d like the option of using the Web Control layer in our R77.x policies.
• When we review the packet flow in slide 14 we notice that we can use layers in order instead of inline.
• Select rule 4. Right click in the No. column and select Delete.
• Click Yes to confirm the deletion.



R80 Security Management Lab
Ordered Layer
• Right click on Policy and select Edit policy.
• Click + and add the Data Control layer to our Access Control policy.
• Click OK.



R80 Security Management Lab
Ordered Layer
• This adds Data Control to our Access Control policy after the Network layer.
• Click OK.
• Notice that our 2 layers now show in the Access Control policy.
• If we wanted to we could change the order in Edit Policy.
• Click Data Control to see the Data Control policy.
• Install the policy.



R80 Security Management Lab
Ordered Layer
• Test the policy by browsing to www.torproject.org and sites that fall into the alcohol category.
• Search for putty or browse to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html.
• Try downloading some of the files to verify our policy works as expected.
• Select the Data Control rule 1 and double click to open one of the logs.
• Notice the Matched Rules include the Web Control and the Data Control layers.



R80 Security Management Lab
Ordered Layer
• Navigate to Menu -> Manage policies and layers.
• Click Layers and notice the mode of the Data Control and Web Control layers in the Standard policy. One is inline and the other is ordered.



Review Questions
1. Extra Credit: Do we need to modify the Web Control layer to be compatible with R77.x gateways?
2. Can we delete the Net_192.168.101.0 object from the source column in the Data Control layer?
3. Do we need to delete the ExternalZone object in the Data Control layer to make it compatible with R77.x gateways?



Review Answers
1. Extra Credit: Do we need to modify the Web Control layer to be compatible with R77.x gateways?
   Yes, security zones are not supported in R77.x gateways. We can change it to Internet. Our Standard parent rule will match the External Zone.
2. Can we delete the Net_192.168.101.0 object from the source column in the Data Control layer?
   Yes, the Web Control parent rule in the Standard policy will match Source 192.168.101.0 packets and then the packets will be inspected by our Data Control layer.
3. Do we need to delete the ExternalZone object in the Data Control layer to make it compatible with R77.x gateways?
   No, this layer can only be used in R80.x gateways.



Advanced Topics



Check Point Community
CheckMates Community



End of Security Management Lab
