Begin With Checkpoint

Get started with the most powerful network security appliance, Check Point, and its most popular security management system, GAiA.

Prepare Downloads

Direct Download GAiA R76 ➡ 
Torrent Direct Download(GAiA_76)

Note: This version of GAiA is VMware based, so you need to have VMware installed on your system.


Network Security Fundamentals

Before we move on to Check Point, have a look at the Network Security Architecture, Data Filtering and Access Control Mechanism sections. You can skip these if you already know the material.



Security Management Architecture (SMART)

Check Point deployments have basically two types of Security Management Architecture (called SMART):

  1. Distributed
  2. Standalone

SMART Components

  • Console (SMART Console PC)
  • Security Management Server
  • Firewall Gateway

[Figure: the three SMART components] In the above scenario, the SMART topology consists of 3 components.

Smart Console – A host computer in the SMART topology that runs the Smart Console software modules (SmartDashboard, SmartView Tracker, SmartView Monitor and so on). It creates the policies and stores them on the management server.

Security Management Server – All the policies of the SMART network are stored on the management server (Smart Security Server). The management server pushes the policies to the Firewall Gateways. A SMART topology may contain several gateways, but a single management server is enough to manage all of the FW-GWs in a centralized manner.

Security Gateway – The Check Point appliance that implements and enforces the policies and the access control mechanism over the packets traversing it.


Deployment Methods

Now that you know what is what, the architecture of Check Point firewalls should be a little easier to understand. Check Point firewalls can be deployed in a standalone fashion or a distributed one. Let's look at the difference between the two.

Standalone Deployment

[Figure: standalone deployment]

In a stand-alone deployment, your Security Management Server and Security Gateway are installed on the same platform, and your Smart Console will most probably be installed on a separate platform from which you access the Security Management Server to create policies and push them to the Security Gateway (which is the same device in this case). However, this deployment defeats the whole purpose of Check Point's three-tiered architecture and is not recommended by Check Point, except for small businesses.

Distributed Deployment

[Figure: distributed deployment]

A distributed deployment is more commonly known as a Three-Tiered architecture, wherein each component is installed on a separate platform; this type of deployment is highly recommended by Check Point. Smart Console is usually installed on Windows for its ease of use. The Security Management Server can be installed on a Windows/Linux/FreeBSD platform depending on the requirement, and the Security Gateway too can be installed on a Windows/Linux/FreeBSD platform as the requirements dictate.


The command chain between SMART components

[Figure: command chain between SMART components]

Note: The SMART Console never interacts with the FW-GW directly. SMART always follows the command chain whenever a management action is required.


Active Model (Hybrid)

Check Point (like almost all security appliances of this era) works on a Hybrid Model (a stripped-down combination of the OSI Reference Model and the TCP/IP suite).

[Figure: hybrid model]



Traffic Control Mechanisms
1. Packet Filtering:

In packet filtering the policies explicitly define which packets should be accepted and which should be dropped. These policies are based on the Transport and Network layers, and decisions are taken using IP addresses and port numbers.

Packet filtering lets you control (allow or disallow) data transfer based on:

  • The address the data is (supposedly) coming from

  • The address the data is going to

  • The session and application protocols being used to transfer the data

[Figure: packet filtering]

Vulnerabilities: Using packet filtering we can filter and manage traffic from outside. But a user on the inside network who tries to access a non-legitimate outside resource cannot be managed, since the response comes from outside.

2. Stateful Filtering:

In stateful filtering the FW inspects the packets and remembers the port numbers during a session (TCP/UDP). The inbound and outbound port numbers of TCP/UDP sessions are stored in a lookup table (called the state table). The firewall has an inspection engine that makes it possible to filter any non-legitimate traffic during a TCP/UDP session.

[Figure: stateful filtering]

Below are two examples of stateful filtering, based on TCP and UDP sessions respectively.

[Figure: stateful packet inspection, TCP session]

[Figure: stateful packet inspection, UDP session]

Vulnerabilities: Stateful filtering also raises the possibility that individual hosts can be tricked into soliciting outside connections.

[Figure: Telnet carried over HTTP through a proxy]

Suppose a user, Bob, wants to telnet to a resource. He can use a proxy server to encapsulate Telnet (port 23) traffic over HTTP (port 80), as an HTTP payload, and get around the policy obstacles.

The stateful packet filter firewall provides no protection whatsoever from an application layer attack. In order to be effective and address today’s application layer attacks, firewalls must inspect the application layer traffic. This is the reason why today many stateful packet filter firewall vendors are adopting some form of application layer filtering. Also, recent statistics show that stateful packet filter firewalls are prone to denial-of-service attacks.

3. Application Awareness:

This traffic control method actually looks into the Application Layer: it inspects the content of the data.

Check Point scope
Benefits
Detects and controls application usage
  • Identify, allow, block or limit usage of applications, and features within them
  • Enable safe Internet use while protecting against threats and malware
  • Leverage the world’s largest application library with more than 6,600 web 2.0 applications
Supports advanced identity awareness for stress-free policy enforcement
  • Create granular policy definitions per user and group
  • Integrate seamlessly with Active Directory
  • Protect environments with social media and Internet applications
Provides proven gateway security in a single, dedicated appliance
  • Rely on 24/7 advanced protection
  • Reap the benefits of application control and intrusion protection (IPS), as well as extensibility support for additional security capabilities
  • Get greater understanding into security events with integrated, easy-to-use centralized management
  • Join more than 170,000 customers, including 100 percent of Fortune 100 companies
Features
Identity awareness

Great security involves limiting and tracking access to sensitive data and resources. With the Next Generation Firewall, your administrators get detailed visibility into the users, groups, applications, machines and connection types on your network so they can assign permissions to the right users and devices. The firewall makes it easy and cost-effective to enforce security policy, giving granular permission control over these entities; this results in superior protection across the entire security gateway. Seamless and agent-less integration with Active Directory provides complete user identification, enabling simple, application-based policy definition per user or group directly from the firewall. Users’ identification may be acquired in one of three simple methods:

  • Querying the Active Directory
  • Through a captive portal
  • Installing a one-time, thin client-side agent

Application control

Employees are using more apps than ever, and you're on the hook to protect them regardless of what they use. Check Point Next Generation Firewall has the industry's largest application coverage, with more than 6,600 applications and 260,000 social network widgets included. You can create granular security policies based on users or groups to identify, block or limit usage of web applications and widgets like instant messaging, social networking, video streaming, VoIP, games and more.

Logging and status

To help you make sense out of your security event data, we included SmartLog, an advanced log analyzer that delivers split-second search results providing real-time visibility into billions of log records over multiple time periods and domains.

Integrated security management

Our unified security management simplifies the monumental task of managing your security environment. You’ll see and control threats, devices and users with a highly intuitive graphical interface providing views, details and reports on your security health. Manage all your Check Point gateways and software blades from one comprehensive, centralized security dashboard.

Intrusion prevention

Next Generation Firewall includes the Check Point IPS Software Blade, which secures your network by inspecting packets traversing through the gateway. It is a full-featured IPS, providing geo-protections and frequent, automated threat definition updates. Because the IPS is part of the integrated Software Blade Architecture, you’ll get all the deployment and management advantages of a unified and extensible solution.

[Figure: Check Point Next Generation Firewall overview]


Problem with App Awareness

Every time the FW needs to dig into the content of the Application Layer, that further impacts the response time of the hardware appliance.

Actually it is not every time: a one-time inspection of the Application Layer data is what makes App Awareness practical. The FW checks the legitimacy of the content the first time, when the connection (TCP/UDP) is being established. The firewall then remembers the session and hands control to the L2.5 kernel. From there, the rest of the packet forwarding (inbound/outbound) is the kernel's responsibility, and the kernel keeps handling it until the session terminates.
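To make the three traffic-control mechanisms above concrete (packet filtering, stateful filtering with a state table, and application awareness that inspects only the first packet of a session and then hands the rest to a fast path), here is a toy model in Python. It is an added illustration, not Check Point code or an Check Point API, and it assumes a simplified rule base, a deliberately minimal HTTP request-line check, and constructed sample packets using documentation IP ranges. The office network address comes from the lab topology on this page.

```python
"""Toy model of the three traffic-control mechanisms discussed on this page:
stateless packet filtering, stateful filtering with a state table, and
application awareness that inspects only the first packet of a session.
Added illustration, not Check Point code; all packets are constructed in-line."""
import ipaddress
from dataclasses import dataclass

# Office network from the page's topology; everything else counts as "outside".
OFFICE_NET = ipaddress.ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"
    payload: bytes = b""

    def is_outbound(self) -> bool:
        return ipaddress.ip_address(self.src_ip) in OFFICE_NET


# Static Network/Transport-layer rules: (direction, proto, remote_port, action).
# A stateless filter needs the "in" rule so that web replies can reach the office.
RULES = [
    ("out", "TCP", 80, "accept"),
    ("in", "TCP", 80, "accept"),
]


def packet_filter(pkt: Packet) -> str:
    """1. Packet filtering: decide on addresses and ports alone, no memory of sessions."""
    direction = "out" if pkt.is_outbound() else "in"
    remote_port = pkt.dst_port if direction == "out" else pkt.src_port
    for rule_dir, proto, port, action in RULES:
        if rule_dir == direction and proto == pkt.proto and port == remote_port:
            return action
    return "drop"  # implicit cleanup rule


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(payload: bytes) -> bool:
    """Minimal application-layer check: a request line such as 'GET / HTTP/1.1'."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and b" HTTP/1." in first_line


class StatefulFirewall:
    """2. Stateful filtering, optionally with 3. application awareness."""

    def __init__(self, app_aware: bool = False):
        self.app_aware = app_aware
        self.state_table = set()   # 5-tuples of sessions opened from inside
        self.deep_inspections = 0  # how many times the application layer was examined

    def process(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Fast path: later packets of a known session, in either direction, skip the
        # rule base and the application-layer check (the kernel hand-off described above).
        if key in self.state_table or reverse in self.state_table:
            return "accept"
        # No state and not opened from inside: drop, even though a static rule would
        # accept it. This is the unsolicited "reply" that a stateless filter lets through.
        if not pkt.is_outbound():
            return "drop"
        if packet_filter(pkt) != "accept":
            return "drop"
        if self.app_aware and pkt.dst_port == 80:
            self.deep_inspections += 1
            if not looks_like_http(pkt.payload):
                return "drop"  # something other than HTTP riding on port 80
        self.state_table.add(key)
        return "accept"


def run_scenarios() -> dict:
    """Send the same constructed packets through all three mechanisms; return verdicts."""
    client, server, stranger = "192.168.2.10", "198.51.100.20", "203.0.113.5"
    flows = [  # constructed sample traffic (documentation IP ranges)
        ("http_req", Packet(client, 40000, server, 80, payload=b"GET / HTTP/1.1\r\nHost: lab\r\n\r\n")),
        ("http_reply", Packet(server, 80, client, 40000, payload=b"HTTP/1.1 200 OK\r\n\r\n")),
        ("http_more", Packet(client, 40000, server, 80, payload=b"GET /a HTTP/1.1\r\n\r\n")),
        ("unsolicited", Packet(stranger, 80, client, 40001, payload=b"\x00")),  # nobody asked
        ("telnet_on_80", Packet(client, 40002, stranger, 80, payload=b"\xff\xfb\x01\xff\xfd\x03")),
    ]
    stateful, app_aware = StatefulFirewall(), StatefulFirewall(app_aware=True)
    return {
        "stateless": {name: packet_filter(p) for name, p in flows},
        "stateful": {name: stateful.process(p) for name, p in flows},
        "app_aware": {name: app_aware.process(p) for name, p in flows},
        "inspections": app_aware.deep_inspections,
    }


if __name__ == "__main__":
    for mechanism, verdicts in run_scenarios().items():
        print(mechanism, verdicts)
```

Running it shows the three behaviours side by side: the stateless filter accepts the unsolicited inbound packet because a static "in from port 80" rule is the only way it can let replies back; the stateful firewall drops it because no session in the state table matches; and only the application-aware variant drops raw Telnet negotiation bytes sent to port 80, while inspecting the application layer just twice (once per new session) because every later packet of the established HTTP session takes the fast path. The toy HTTP check only recognises a missing request line; traffic wrapped in a well-formed HTTP request, as in the proxy scenario above, would pass it, which is why a real gateway relies on application signatures rather than a request-line check.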


Underlying Platforms to Implement the Checkpoint Security Management Software
  • IPSO
  • Secure Platform(SPLAT)
  • GAiA

Network Diagram

Before moving on to the installation part, take a look at the SMART network diagram. [Figure: SMART network diagram] We will provision a portion of this topology in the following discussion.


Start Installing Checkpoint (GAiA R76 in VMware)

Installation

Open VMware, go to File > New Virtual Machine and create a new virtual machine.

Typical configuration setup

Mount the GAiA .iso file in VMware

Select Red Hat Linux as the base operating platform

Set the VM name

Keep the defaults in the disk management portion

Customize Hardware

Before you finish, go to the Customize Hardware settings and change the Memory Requirement and Network Settings as your topology requires.

RAM

Set the RAM memory to 512MB

Extra Hardware Modules

Before you add the extra hardware modules, have a look at the actual topology we are going to implement, and then work out the hardware module requirements.


Topology

This is the network diagram below; we will analyze, implement and verify it over the course of this discussion.

[Figure: lab network diagram]

Network Components

We have 4 areas in our network diagram, representing 4 unique networks/subnets.

+--------------------+----------------+-----------------+------------------+
| Network Name       | VMware Network | Components      | Subnets          |
+--------------------+----------------+-----------------+------------------+
| SMART Mgmt Network | VMnet 0        | Smart Console   | 192.168.0.0/24   |
+--------------------+----------------+-----------------+------------------+
| DMZ                | VMnet 1        | Web Servers     | 192.168.1.0/24   |
+--------------------+----------------+-----------------+------------------+
| Office Network     | VMnet 2        | SOHO Components | 192.168.2.0/24   |
+--------------------+----------------+-----------------+------------------+
| Internet           | VMnet 8        | NAT Engine,     | 192.168.137.0/24 |
|                    |                | Public Network  |                  |
+--------------------+----------------+-----------------+------------------+

+----------+-----------------+----------------------------------+------------------+
| Category | Components      | Virtual Components               | Subnets          |
+----------+-----------------+----------------------------------+------------------+
| VMnet 0  | Smart Console   | Virtual Network 8                | 192.168.0.0/24   |
|          |                 | Connected with Physical Computer |                  |
+----------+-----------------+----------------------------------+------------------+
| VMnet 1  | Web Servers     | DSL VM                           | 192.168.1.0/24   |
|          |                 | Connected to Virtual Network 1   |                  |
|          |                 | Acts as a Web Server             |                  |
+----------+-----------------+----------------------------------+------------------+
| VMnet 2  | SOHO Components | DSL VM                           | 192.168.2.0/24   |
|          |                 | Connected to Virtual Network 2   |                  |
|          |                 | Acts as a client computer        |                  |
+----------+-----------------+----------------------------------+------------------+
| VMnet 8  | NAT Engine,     | Virtual Network 8                | 192.168.137.0/24 |
|          | Public Network  | Connected to Physical Computer   |                  |
|          |                 | NATed and shared with internet   |                  |
+----------+-----------------+----------------------------------+------------------+

Click Next to add a Virtual Network Adapter. Here I have added 4 VMnets for my topology. To give these virtual networks their distinct roles, we have defined their properties in the Virtual Network Editor below.


Now we are ready to fire up GAiA. Please find the tutorial on GAiA installation here ➡ Checkpoint Part 2 – Installing GAiA – Smart Console

