SmartDashboard - Higher Education | Pearson

Chapter 3
SmartDashboard

Terms you’ll need to understand:
✓ Network object
✓ Cleanup rule
✓ Stealth rule
✓ Anti-spoofing

Concepts you’ll need to master:
✓ Creating an object
✓ Creating a rule
✓ Understanding the behavior of a simple rule base
✓ Using the command line
✓ Installing and uninstalling a policy from the GUI

03 1096 ch03 4/22/05 3:35 PM Page 39


Out of all the SmartConsole utilities, you’ll be spending the most time in SmartDashboard. This is where the security policy is defined and pushed out to the enforcement points.

Before we continue, though, some terms have to be explained. They help you not only at exam time, but in your everyday job as well.

The security policy is a combination of rules and system properties that come together to define how the firewalls protect your network.

In the real world, a security policy is usually associated with a document that defines in plain language which activities are permitted, which are denied, and what procedures exist for monitoring. This is where you’ll find things such as your acceptable use policy and incident handling procedures. As a security guy (or gal), you have the job of implementing solutions that follow and enforce the policy, which includes firewalls.

However, in Check Point land, a security policy refers to the configuration of the firewalls (which should be in accordance with your company security policy). Keep them straight, for both the exam and the auditors.

The rules themselves are individual statements that permit or deny traffic. When you collect all the rules in an ordered list, it’s called the rule base. The rule base is processed from top to bottom, stopping at the first match. In conformance with the “that which is not permitted is prohibited” philosophy of Check Point, any unmatched packets are silently dropped.

The rule base is only half of the security policy. The other half is the properties of the policy, which affect the generated INSPECT code by implicitly adding extra rules, changing timing values, and turning on additional security checks.

It is the whole security policy that is enforced by each enforcement point, not just the rule base.

Working Within SmartDashboard

Figure 3.1 shows the SmartDashboard interface. It is divided into several panes that can be turned on and off through the View menu.

The leftmost pane in the example is the objects tree. The upper-right pane is the rule base, and the lower-right pane is the objects list. Through the View menu, you can turn on other options such as SmartMap, which shows a graphical representation of your network.


Figure 3.1 SmartDashboard view showing the various panes.

One important thing to note is that only one person can have a security policy open for writing at a given time. Anyone connecting in while this person has the policy locked has the choice of connecting back later or opening a read-only version of the policy. This is to ensure that two people do not make changes that adversely impact each other. The status of the policy is located in the lower-right part of the SmartDashboard frame.

Objects Tree

The leftmost pane is called the objects tree. Objects are the basis of all FireWall-1 configurations because they represent everything from a host that gets protected to a time of day at which rules are enforced. Even the enforcement points themselves are represented by objects.

When creating rules, one selects the necessary objects (creating new ones if needed) and drags them into the rule base. If the object is edited later, the change carries over into the rule base.

Across the top of the objects tree are tabs to select the various sections:

➤ Network Objects—Matches objects representing an IP address, such as hosts, networks, and groups.

➤ Services—Matches the layer 4 port, or the layer 3 protocol.


➤ Resources—Matches upper-layer protocols, such as http URLs (outside the scope of the CCSA).

➤ Servers and OPSEC Applications—Defines hosts that will be integrated into the system, such as antivirus servers and other OPSEC devices (outside the scope of the CCSA).

➤ Users and Administrators—Defines users and groups that will be used in authentication rules.

➤ VPN Communities—Defines sites that communicate over Virtual Private Networks (outside the scope of the CCSA).

Although you can manage these objects from the objects tree, each component has an identical menu option under the Manage menu. For example, to create a new network object you could right-click on the network branch in the objects tree, or select Manage, Network Objects, New.

Network Objects

Network objects represent such things as hosts, firewalls, address ranges, and networks. Under the network objects tree you will find the objects broken down in a similar fashion:

➤ Check Point—A Check Point firewall product running on some device. It may or may not be under your control.

➤ Node—A host, or in the case of a multihomed host, a gateway.

➤ Interoperable Device—A non–Check Point firewall that will be involved in a VPN connection.

➤ Network—An object representing a network and network mask.

➤ Group—A collection of other objects, including other groups.

➤ Address Range—A contiguous list of network addresses, similar to a network, but not necessarily defined by a network and netmask combination (for example, 192.168.0.1 to .99).

➤ Dynamic Object—An object whose address is not fixed but is resolved on each enforcement point.

There exist several other types of network objects, such as domains and voice-over-IP objects, but they are outside the scope of the CCSA exam.


Simple objects such as nodes, networks, and address ranges represent their real-life counterparts. For example, if you have a mail server that is only allowed to talk to one network, you are going to need an object representing the mail server, and one representing the network. Later, you’ll drag these objects into a rule in order to make it enforce your policy. In these simple objects, there is very little to configure other than a name and the IP information, except for perhaps Network Address Translation (NAT), which is examined later in the book.

More complex objects, such as Check Points, bring with them more options to configure depending on the type of device. Check Points are firewall objects that run software, such as FireWall-1. Although there are several types of Check Points that can be configured, it really comes down to whether the device is managed by the SmartCenter Server you are logged in to. If so, it is a regular gateway; otherwise, it is an externally managed gateway.

An externally managed gateway looks similar to a regular Check Point, though there is no SIC connection. No SIC connection means you can’t push a security policy to it.

To create a new Check Point gateway, select the Manage, Network Objects menu item, click the New button, and then select Gateway. Next, give it a name and an IP address that your SmartCenter Server can contact it on. You must then initialize SIC by selecting Communication, and then entering the password you submitted during the enforcement point installation.

If you forgot the password already, or things just aren’t working, you can reset SIC on the enforcement point by going into the Check Point configuration utility (or cpconfig on Unix platforms), entering the Secure Internal Communications menu, and selecting the Reset option.

After initializing SIC, you should set the product information so that the proper options are shown. First, click the Get Version button to set the product versions. Then, check the boxes under the version that correspond with the role of the firewall, such as Firewall and VPN. Note that SVN Foundation is already checked, because you have established SIC connectivity. As you click products, more items appear in the left pane of the window.

The detailed configurations of the items relevant to the CCSA exam are investigated throughout the rest of the book.


Network objects can be combined with other network objects through the use of groups. Groups act merely as a container to hold multiple objects, so they do not have any configurable properties themselves other than their name, appearance, and members.

Groups can also include other groups. When including a group inside another group, you have the choice of adding the members separately or adding the group object itself. For instance, if the Servers group has five node objects inside of it and you want to add it to the ImportantNodes group, adding the members separately will add the five node objects into ImportantNodes. If you add the group instead, only the one group object shows up. Functionally, they are the same because the INSPECT compiler has to check for all hosts, but they have different management implications. If you were to add a new node to the Servers group, it would show up only in ImportantNodes if you chose to add the group object. If you added the members separately, the connection to the Servers group would be lost, and no changes would be propagated from one group to the other.

It is of extreme importance to understand that only other network objects can be placed inside a network group. Adding a user or a service is forbidden. It is correct to have different network objects, such as nodes and networks, within the same group, because they are all network objects.

Network groups can only contain network objects.

By using the groups in the rule base, you can manage part of your security policy through group membership rather than constantly modifying the rule base. For example, you may have a rule that controls access to all the firewalls. By creating a group object containing all the firewalls and using that in the rule, you make your rule base simpler. As you add more firewalls, simply drop the Check Point object into the group object and push your policy out to the devices. This saves the complexity of finding all the rules that need to be changed.

As with so many other things, changes in group memberships don’t actually take effect until you push the policy to the enforcement point.


Services

Services represent layer 3–7 protocols. When building your rule base, you will on many occasions want to match certain protocols, such as SMTP or HTTP, which is where services come into play.

Services are not limited to the traditional TCP and UDP ports. ICMP types can also be matched, permitting you to block only echo-request type packets while allowing destination-unreachable packets to be passed through. Furthermore, IP protocols themselves can be matched, such as OSPF routing and GRE tunnels.

Depending on the service, it may specify more than simply a port number. FTP, for example, has several different objects that represent passive FTP or the normal PORT mode. Depending on the method chosen, FireWall-1 also has to keep state of the data connections that will be generated in response to commands. Secure Shell (SSH) has different objects, some of which match specific protocol versions.

Services under the Other branch not only can represent IP protocols such as OSPF and GRE, but also can have INSPECT code attached to the rule to further qualify traffic.

The RPC branch of the tree contains services related to Remote Procedure Calls, a Unix method of communicating between applications. Rather than fixed port numbers, RPCs use program numbers, which are dynamically mapped to TCP and UDP ports by a service called the portmapper. FireWall-1’s Stateful Inspection can watch for the portmapper packets and read the TCP or UDP port that must be opened to allow the RPC if it has been permitted by the security policy.

Although hundreds of services are predefined, the administrator can create new ones as needed through the Manage, Services, New menu options.

Similar to network groups, service groups can also be created. Service groups can contain only other services, so mixing them with users and networks is not allowed. Service groups are very helpful because applications often require several ports to be opened for proper operation. Service groups let the administrator collect these ports into one object, ensuring consistency in configuration, and easier understanding for others.

Users and Administrators

Users and administrators are used to identify people rather than machines. Accounts can be defined locally, pulled off an existing directory, or a combination of both.

A more detailed look at this tab will happen when we look at authentication in general in Chapter 7, “Authentication and Users.”


The Rule Base

As mentioned before, the rule base is composed of multiple rules. Figure 3.2 shows a sample rule base.

Figure 3.2 A sample rule base.

Each rule is independent of the others and is processed in sequence, meaning that the whole rule must match and that a lower numbered rule could potentially negate the effects of a higher numbered rule.

This last point could use some more explanation. Take for instance the following plain-English rules:

1. HostA can connect to any web server using HTTP.

2. No one can connect to WebServer1.

HostA is able to connect to WebServer1 via HTTP by virtue of rule 1, even though rule 2 says that no one can connect to WebServer1. Because rules are processed in order, stopping with the first match, rule 1 is matched and rule 2 is never considered.

Examining a Rule

Understanding the individual components of a rule is important to understanding the function of the whole rule. One of the things you’ll be expected to do on both the exam and in real life is to look at a rule base and determine what traffic is matched, and what actions will be performed.


These are the fields of a rule:

➤ Number—The rule’s position in the rule base.

➤ Source—A set of network objects representing the origin of the traffic.

➤ Destination—A set of network objects representing the recipient of the traffic.

➤ VPN—If desired, can specify that the traffic is to be encrypted.

➤ Service—A set of service objects indicating which protocols are to be matched.

➤ Action—A set of predefined items telling the gateway what to do with the packet if this rule is matched.

➤ Track—A set of predefined items indicating whether any log entries or other notifications are to be made if this rule is matched.

➤ Install On—Specifies which enforcement points will enforce this rule.

➤ Time—Optionally specifies the time at which this rule will be enforced.

➤ Comment—For administrative purposes, allows you to make a comment about who put in the rule, what it does, and any other pertinent information.

The Source, Destination, and Service fields use objects from the object tree. By double-clicking, or right-clicking and selecting Edit, you can see the specifics of the object. If multiple objects are within the same column, this forms an OR relationship. If no objects are placed in the column, it defaults to Any, meaning any value will match.

If the icon for the cell has an × through it, like the source address in Figure 3.3, the selection is negated. That is, a match will occur only if the cell’s value is not matched. With multiple objects in the column, none of the objects can match for the rule itself to be considered a match. For instance, the rule in the example will match any HTTP packets that don’t come from Network1 or Network2.

Figure 3.3 A rule with a negated source address.
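The matching semantics described in this section (first match wins, OR within a column, Any for an empty cell, negated cells, the implicit drop) and the nested-group behavior from the Network Objects section, as an added Python model. This is a constructed example, not Check Point code or INSPECT, and every host, network and address in it is made up.

```python
"""Toy model of FireWall-1 rule-base matching: a constructed example, not
Check Point code. Rules are read top to bottom and the first match wins,
objects in one column are ORed, an empty column means Any, a negated cell
matches everything except its contents, groups may nest, and an unmatched
packet is dropped. All names and addresses below are made up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Node:
    name: str
    ip: str

    def contains(self, ip):
        return ip == self.ip


@dataclass(frozen=True)
class Network:
    name: str
    cidr: str

    def contains(self, ip):
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)


@dataclass
class Group:
    """A network group: holds nodes, networks and other groups."""
    name: str
    members: list = field(default_factory=list)

    def add(self, obj):
        self.members.append(obj)

    def contains(self, ip):
        # Walked recursively, so a node added to an inner group later is
        # still seen here, as when the group object (not its members) was added.
        return any(m.contains(ip) for m in self.members)


@dataclass(frozen=True)
class Service:
    name: str

    def contains(self, svc):
        return svc == self.name


@dataclass
class Cell:
    """One Source, Destination or Service cell of a rule."""
    objects: tuple = ()   # empty cell defaults to Any
    negate: bool = False  # the red x through the icon

    def matches(self, value):
        if not self.objects:
            return True
        hit = any(o.contains(value) for o in self.objects)  # OR relationship
        return not hit if self.negate else hit


@dataclass
class Rule:
    source: Cell
    destination: Cell
    service: Cell
    action: str           # Accept, Drop or Reject


def evaluate(rule_base, src_ip, dst_ip, service):
    """Return (rule number, action) of the first matching rule; rule number 0
    means nothing matched and the packet is dropped without a log entry."""
    for number, r in enumerate(rule_base, start=1):
        if (r.source.matches(src_ip) and r.destination.matches(dst_ip)
                and r.service.matches(service)):
            return number, r.action
    return 0, "Drop"


# Constructed objects for the scenarios in the text.
HTTP = Service("http")
HOST_A = Node("HostA", "10.1.1.10")
WEB1 = Node("WebServer1", "10.2.2.80")
NET1 = Network("Network1", "192.168.1.0/24")
NET2 = Network("Network2", "192.168.2.0/24")

# Rule 1: HostA to any web server over HTTP. Rule 2: no one to WebServer1.
ORDERING_DEMO = [
    Rule(Cell((HOST_A,)), Cell(), Cell((HTTP,)), "Accept"),
    Rule(Cell(), Cell((WEB1,)), Cell(), "Drop"),
]
# Figure 3.3: accept HTTP from anywhere except Network1 or Network2.
NEGATED_DEMO = [Rule(Cell((NET1, NET2), negate=True), Cell(), Cell((HTTP,)), "Accept")]


def group_demo():
    """Servers added to ImportantNodes as a group object vs. member by member."""
    servers = Group("Servers", [WEB1])
    by_object = Group("ImportantNodes", [servers])
    by_members = Group("ImportantNodes", list(servers.members))
    servers.add(Node("WebServer2", "10.2.2.81"))  # added after the fact
    return by_object.contains("10.2.2.81"), by_members.contains("10.2.2.81")
```

With ORDERING_DEMO, HostA reaches WebServer1 through rule 1 and rule 2 is never read, while a connection no rule mentions returns rule number 0; group_demo() returns (True, False), showing that only the group-object form sees the later addition.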


When you’re reading a rule, it is important to understand that a rule represents the conversation, not the individual packets. Allowing traffic for a particular source to a given destination implicitly allows packets in the return direction after the connection has been established.

The action of the rule tells FireWall-1 what to do when a match is found. These are the possible actions:

➤ Accept—Permit this packet for further processing.

➤ Drop—Discard the packet with no notification to the sender.

➤ Reject—Discard the packet, sending an ICMP unreachable message to the sender.

➤ User Auth—Require user authentication to allow this connection.

➤ Client Auth—Require client authentication to allow this connection.

➤ Session Auth—Require session authentication to allow this connection.

The authentication rules are covered in Chapter 7.

Most often, you will be using Accept and Drop. Firewall administrators often prefer to make protected machines invisible, except for what needs to be exposed. Rejecting a packet sends notice back to the sender, making it visible to the attacker even though it is not accepting the packets.

In addition to deciding the action, the firewall must also decide whether any logging is needed. The Track column dictates what logging will happen, and may take one of the following options:

➤ None—Does nothing.

➤ Log—Sends a logging entry to the logging server.

➤ Account—Logs more information about the flow, including number of packets and size.

➤ Alert—Logs the event, but also sends a pop-up message to the SmartConsole.

➤ SNMP Trap—Sends an SNMP trap to a management station.

➤ Mail—Emails the details about the event.

➤ User Defined—Runs a user-supplied script.

The Install On column allows you to select which firewalls are to enforce the rule. For instance, if you have a mail server in a DMZ in Winnipeg, there’s little point in having the same rule enforced in Calgary. Either network objects representing the enforcement points will be here (Check Points or Groups), or the phrase “Policy Targets,” meaning all firewalls.

The Time column allows you to dictate when the rule is valid. Within the cell are time objects, available through Manage, Time, that specify a time or date range.

Finally, comments are necessary for administrative sanity. The comment field should contain a description of why the rule is there, or any other special notes (including “Don’t delete this or Oracle will break!”).

Creating and Deleting Rules

To create a new rule, first determine where it is to be inserted. The Rules, Add Rule menu option then gives you four choices:

➤ Bottom

➤ Top

➤ Below

➤ Above

The first two options—Bottom and Top—place the new rule at the bottom or top of the policy, respectively. Below and Above place the new rule next to the currently highlighted rule, either above or below, depending on which you chose.

The rule that is created, called the default rule, is shown in Table 3.1.

Table 3.1 The Default Rule

Source | Destination | Service | Action | Track | Install On     | Time
Any    | Any         | Any     | Drop   | None  | Policy Targets | Any

As the default rule shows, it specifies that all packets are to be dropped on all firewalls. You must change the relevant fields to do what you want.

All cells can be configured by right-clicking within the cell. The Action and Track columns give you a menu with the available options; the rest of the fields require you to select Add and then select the objects you want from the menu. If it turns out you forgot to create an object, this menu also has the option to create a new object. You can also populate cells by dragging objects from the objects tree, or dragging objects from other cells.


One of the options available when you right-click one of the Source, Destination, or Service cells is Negate Cell. As discussed previously, this causes a red × to be displayed through the icon, and has the effect of matching anything except for the contents of the cell.

To remove a rule from service, you have two options. One is to highlight the rule and press the Delete key; the other is to select the Rules, Delete menu item. This removes the rule completely from the rule base. If you just want to disable it temporarily, right-clicking on the rule’s number will give you the Disable Rule(s) option (or select Rules, Disable Rule). The rule will have a red × through the rule’s number, and will not be enforced. To re-enable the rule, do the same thing again.

Deleting all the objects in a cell returns it to the default of Any.

When you add, delete, change, or disable a rule, it doesn’t take effect until you push the security policy to the enforcement points.

Hiding and Unhiding Rules

When working on a large rule base, you may be distracted by extra rules. SmartDashboard allows you to hide the rules from viewing, while still enforcing them. Contrast this with disabling or deleting a rule, which stops the rule from being processed.

You can hide a rule from view by highlighting it and selecting Rules, Hide, Hide. Rules can be unhidden through Rules, Hide, Unhide. Note that when a rule is hidden, the numbering remains unchanged, and a small white spacer appears, letting you know that there are hidden rules there.

A rule is enforced even if it is hidden. It’s still compiled into the security policy even if it doesn’t show in SmartDashboard. You’ll get a warning message informing you of this if you push a policy with hidden rules.

Querying the Rule Base

Sometimes hiding rules isn’t enough to do what you want. Often, you want to ask questions like “What rules apply to HTTP traffic?” This is where queries come in.


Queries are handled through the Search menu, or by a right-click on the column heading in the rule base. For example, right-clicking on the Service heading and selecting Query Column brings up the dialog shown in Figure 3.4.

Figure 3.4 The Rule Base Query Clause dialog showing the available options.

The pull-down at the upper left called Column lets you select the column to search from. All the relevant objects then appear in the left side of the dialog. If you highlight the objects you are interested in, and click Add, they are moved to the right side of the screen. If there is more than one object on the right side, the radio buttons at the top become enabled, and can be used to determine whether all the objects need to appear in the rule.

There is also a check box at the bottom of the dialog that negates the selection.

From here, you can click Apply to hide all the rules except those that match your query, or save your query with the Save button.

The Search, Manage Rule Queries menu option brings up a dialog showing your saved queries. By highlighting a saved query and clicking And, you can further refine your query to handle multiple columns. The Or button shows rules that match either query.

Finally, Search, Clear Rules Query unhides all the rules and shows the entire rule base.


The Security Policy

As mentioned before, the security policy encompasses both the rule base that dictates what traffic is allowed, and the global properties that introduce additional behavior into the firewall.

A firewall administrator should understand how to develop a rule base, and how to manage the global properties to effectively secure the network.

A Skeleton Rule Base

Check Point recommends that there be a few standard rules in your rule base, for both security reasons and ease of management.

The first recommended rule is the stealth rule. The purpose of the stealth rule is to disallow any communication to the firewall itself, protecting it from attacks. This rule should be placed near the top of the rule base, with the only rules above it being those that permit or require access to the firewall.

A stealth rule looks like the one shown in Table 3.2.

Table 3.2 The Stealth Rule

Source | Destination | Service | Action | Track | Install On     | Time
Any    | Firewalls   | Any     | Drop   | Log   | Policy Targets | Any

Here, the stealth rule matches anything pointed at the firewall itself and drops it with a log entry. The Firewalls object is assumed to be a group containing all the Check Point objects under management.

Check Point also recommends the use of a cleanup rule, which drops and logs all traffic not caught by other rules. Recall that the default behavior of FireWall-1 is to drop any packet that is not explicitly permitted, without logging it. From a security and troubleshooting standpoint, having a log of dropped packets is extremely beneficial. Table 3.3 shows the cleanup rule.

Table 3.3 The Cleanup Rule

Source | Destination | Service | Action | Track | Install On     | Time
Any    | Any         | Any     | Drop   | Log   | Policy Targets | Any

Note that the rule specifies Any for the Source, Destination, and Service fields. Any packet that doesn’t get matched by a previous rule will be matched by this one. Because the Track column is set to Log, you will have a record of the packet details.


Implicit and Explicit Rules

Normally only the rules you enter are shown in the rule base. These are called explicit rules, because they were created explicitly. However, there are many rules that are also enforced by the firewall that you do not see. These are called implicit rules (or implied rules), and they either are a part of every policy or are added and removed as part of features and options that you configure in other parts of the interface.

To view the implicit rules, pull down the View menu and select Implied Rules.

You’re viewing the implicit rules, but the menu option says Implied.

Whether or not you are viewing the implicit rules has no bearing on what gets pushed out to the enforcement points. All enforcement points receive the implied rules, and they cannot be disabled.

Global Properties

The global properties of the policy can be accessed from the Policy, Global Properties menu. This brings up a dialog showing all the property sections, along with their values. The important ones will be examined in more detail.

None of the changes to the global properties takes effect until the policy is pushed to the enforcement point.

FireWall-1 Implied Rules

The options under the FireWall-1 Implied Rules section are shown in Figure 3.5.

The changes to these settings add implicit rules into the rule base. If an option is enabled, you have three choices of where it will be placed in the rule base:

➤ First—The rule will be placed before the explicit rules.

➤ Last—The rule will be placed after the explicit rules.

➤ Before Last—The rule will be placed before the last explicit rule.


Figure 3.5 The FireWall-1 global properties—defaults shown.

The significance of the Before Last option is that it doesn’t interfere with the cleanup rule, which drops all traffic. If you have a cleanup rule and place the implicit rule in the last position, it will never be consulted.

The choice of First versus Last/Before Last has to do with your rule base. Again, an incorrect choice may cause your stealth rules to block packets that the implicit rule would otherwise allow.

Rules that govern packets coming in to the firewall (for example, RIP and DHCP) are probably best placed first in the rule base. The other rules should probably go through the rule base first, and thus be placed before last. The exception to this would be if you want the behavior to occur regardless of your rule base. Because you will almost always have a cleanup rule, you will rarely select Last.

The options in the FireWall-1 implied rules cover basic behavior of the firewall itself:

➤ Accept VPN-1 & FireWall-1 Control Connections—Allows required communications between SmartConsole clients, the SmartCenter management server, and enforcement points.

➤ Accept Outgoing Packets Originating from Gateway—Lets the enforcement point itself send packets to other destinations.

➤ Accept RIP—Accepts Routing Information Protocol packets (UDP port 520).


➤ Accept Domain Name over UDP (Queries)—Allows DNS requests to traverse the firewall.

➤ Accept Domain Name over TCP (Zone Transfer)—Allows DNS zone transfers (such as secondary DNS servers pulling a zone from the primary), and large TCP responses to DNS queries.

➤ Accept ICMP Requests—Allows all ICMP messages, including echo-request and echo-reply packets.

➤ Accept CPRID Connections (SmartUpdate)—Accepts connections to the Check Point Remote Installation Daemon for FireWall-1 upgrades.

➤ Accept Dynamic Address Modules' DHCP Traffic—Allows modules configured as dynamically addressed to accept DHCP packets.

By default, control connections, CPRID, DHCP, and packets originating from the gateway itself are accepted.

Note that it is possible to lock yourself out of the firewall by pushing control connections to the end of the policy, or disallowing them entirely. After this point, you will not be able to push a policy to fix it!

Security Servers

Check Point security servers provide deeper inspection of some protocols by taking over part of the connection for popular services. The properties here control the welcome messages that the services provide, any upstream HTTP proxies, and HTTP servers to protect.

Much of the functionality is now available under SmartDefense, but you will be expected to know where this configuration is.

Stateful Inspection Properties

Stateful Inspection relies heavily on tracking connections that pass through the firewall. To avoid running out of memory from too many connections, the firewall must know when to stale out older ones. Also, the firewall must know how to deal with protocols that don't have intrinsic state, such as UDP and other IP protocols.

Figure 3.6 shows the default settings for the Stateful Inspection properties.

The Default Session Timeouts control how long state table entries will be held. Those called “virtual sessions” do not have intrinsic state in the protocol, but Stateful Inspection tracks state nonetheless. For example, if a host sends an ICMP packet to another host, Stateful Inspection will open a state table entry watching for reply packets.

Figure 3.6 Stateful Inspection default timeouts and other properties.

Likewise, with UDP protocols, replies are tracked based on source and destination address and ports, called Stateful UDP. Where a UDP protocol is defined as a service in the objects tree, replies can be accepted by checking the Accept Replies option in the advanced properties of the service itself. Where there is no service defined, this global property sets the behavior. If the reply is on a different port, the Any Port option must be checked to accept the packet.

For Stateful ICMP, replies to echo-requests are accepted if the Replies box is checked. The Errors box controls whether ICMP error messages are allowed. If an upper-layer connection was permitted by the rule base but resulted in an ICMP error message from the remote host, this option will allow it through.

As with the Stateful UDP options, you have the option of allowing response packets in unknown services to be accepted.

One of the benefits of tracking every facet of the conversations flowing through the firewall is that you know the state of the connection on both ends, and can drop anything that is out of the ordinary. For example, in a TCP connection, if the firewall sees a packet for an established connection, but knows the connection doesn't exist, it will drop it if the Drop Out of State TCP Packets option is checked.
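A toy state table illustrating the behavior just described: virtual sessions for UDP and ICMP that expire after a timeout, the Any Port option for UDP replies, and the Drop Out of State TCP Packets option. This is an added example written for this page and is not Check Point's implementation; the timeout values, option names, addresses and ports are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 for ICMP
    dport: int = 0
    syn: bool = False   # TCP only: the connection-opening packet


@dataclass
class Options:
    """The Stateful Inspection properties this model knows about (values are constructed)."""
    udp_timeout: int = 40               # Default Session Timeouts, in seconds
    icmp_timeout: int = 30
    accept_stateful_udp_replies: bool = True
    udp_reply_any_port: bool = False    # "Any Port": accept the reply from a different source port
    accept_stateful_icmp_replies: bool = True
    drop_out_of_state_tcp: bool = True  # "Drop Out of State TCP Packets"


class StateTable:
    def __init__(self, opt: Options):
        self.opt = opt
        # (proto, src, dst, sport, dport) -> time at which the entry expires
        self.entries: Dict[Tuple[str, str, str, int, int], float] = {}

    def _expire(self, now: float) -> None:
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}

    def record(self, pkt: Packet, now: float) -> None:
        """Open a (virtual) session for a packet the rule base accepted."""
        timeout = {"udp": self.opt.udp_timeout, "icmp": self.opt.icmp_timeout}.get(pkt.proto, 3600)
        self.entries[(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)] = now + timeout

    def _udp_reply(self, pkt: Packet) -> bool:
        if not self.opt.accept_stateful_udp_replies:
            return False
        for proto, src, dst, sport, dport in self.entries:
            # A reply has the addresses swapped and is sent back to the original source port ...
            if proto == "udp" and src == pkt.dst and dst == pkt.src and sport == pkt.dport:
                # ... from the original destination port, unless Any Port is checked.
                if dport == pkt.sport or self.opt.udp_reply_any_port:
                    return True
        return False

    def _icmp_reply(self, pkt: Packet) -> bool:
        return (self.opt.accept_stateful_icmp_replies
                and ("icmp", pkt.dst, pkt.src, 0, 0) in self.entries)

    def classify(self, pkt: Packet, now: float) -> str:
        """'reply': accepted as part of a tracked session; 'new': hand the packet to the
        rule base; 'out-of-state': a TCP packet for a connection the table does not know."""
        self._expire(now)
        if pkt.proto == "udp":
            return "reply" if self._udp_reply(pkt) else "new"
        if pkt.proto == "icmp":
            return "reply" if self._icmp_reply(pkt) else "new"
        if pkt.proto == "tcp":
            forward = ("tcp", pkt.src, pkt.dst, pkt.sport, pkt.dport)
            reverse = ("tcp", pkt.dst, pkt.src, pkt.dport, pkt.sport)
            if forward in self.entries or reverse in self.entries:
                return "reply"
            if pkt.syn:
                return "new"
            return "out-of-state" if self.opt.drop_out_of_state_tcp else "new"
        return "new"
```

The expiry step runs on every lookup, so a DNS reply arriving after the UDP timeout is treated as a new connection and must be allowed by the rule base on its own merits, which is exactly the effect of a session timeout that is too short.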


Log and Alert

The Log and Alert properties control the tracking type of some internal events. For example, the VPN Successful Key Exchange property dictates how you are notified when a VPN connection is made. The options you have in this page are the same tracking options you have in the rule base.

Alert Commands is a related set of properties that controls how some of the events are actually run. For example, if an alert is set to email, this page defines how the email is sent. This is also where the user-defined alerts are defined.

Anti-Spoofing

Spoofing refers to an attacker forging the source address of a packet to make it look as though it comes from a higher security network. Because the rule base looks at IP addresses, among other things, if someone could spoof the source address of a connection, it could be used to allow a connection that would otherwise not be allowed.

Check Point implements anti-spoofing measures by checking the source address of every packet against a predefined view of the network layout (called the topology). Figure 3.7 shows a case in which spoofing is happening. The BadGuy host is attempting to send a packet to Host2 that looks as though it is from Host1. Because the packet is being received on interface 1, but the source address belongs to a network on interface 2, it is being spoofed.

[Figure 3.7 diagram: Firewall, BadGuy, Host1 and Host2; the packet is marked Spoofed! with SRC = Host1, DST = Host2]

Figure 3.7 A network in which spoofing is happening.

To properly protect yourself against IP spoofing, you must define the topology of your network within each gateway's topology property. Figure 3.8 shows the topology properties of a sample enforcement point.


Figure 3.8 General topology properties of a gateway.

Each interface and its corresponding IP address is listed in the topology. The name of the interface must be the same as it is in the underlying OS. Using the Get button, you can populate these entries automatically through SVN Foundation. When clicking Get, you have the option of simply pulling down the interface name and network information, or also calculating the per-interface topology, which is shown in Figure 3.9.

Figure 3.9 Detailed topology configuration of an interface.


To properly implement anti-spoofing, the enforcement point must know all the possible addresses that can come from a particular interface. There are three options, not including “undefined”:

➤ Internal, defined by interface IP and netmask

➤ Internal, defined by a specific network object

➤ External

Internal topologies are used for your internal network, in which you understand all the networks. If there are no networks beyond the locally connected interface, you can choose to use the interface's IP and netmask to define the topology (such as a stub network). If there are networks beyond the interface, such as those connected by a router or another firewall, then you should create a group object containing all the network objects, and choose the Specific option, selecting your group object.

An external interface includes all the networks that are not covered by the internal interfaces. Put another way, a network is valid on an external interface if it is not defined as part of an internal interface. Figure 3.10 shows a sample network that uses the three types.

[Figure 3.10 diagram: a gateway with one interface to the Internet, one to 192.168.1.0/24, and one to 192.168.2.0/24 with 192.168.3.0/24 behind it]

Figure 3.10 A network making use of the three types of topology settings.

The interface on 192.168.1.0/24 has no networks attached, so it can be defined by using the configured IP and netmask. Only packets with a source IP in that network will be accepted on that interface. The adjacent interface has 192.168.2.0/24 connected locally, but also 192.168.3.0/24 on a locally attached router. Thus, a group object will have to be created with the two network objects inside of it. The remaining interface, connected to the Internet, is an external interface, so the networks on it are irrelevant. Anything except for 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 will be considered valid.

The network guys in the crowd might be thinking, Why not create a network object of 192.168.2.0/23 to cover both networks on the second interface? You could, but using a group allows for easier changes later when you add more networks, and it's clearer to those who are looking at the configuration.


There are two more rules that might come in handy:

➤ The same network can appear on multiple internal interfaces.

➤ You can have multiple interfaces defined as external.

In the first case, it is possible for a network to be valid on multiple internal interfaces, such as having multiple paths to the same destination. However, it cannot appear to be coming from any external interfaces (by definition of an external interface). In the second case, the same behavior of calculating external topology applies to all externally defined interfaces—that is, any network not included on any of the internal interfaces is valid on all external interfaces.
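The topology logic of the preceding pages, written out as a small Python model. This is an added illustration, not code from this book or from Check Point: the networks are those of Figure 3.10, while the interface names (eth0 through eth4) and the outside addresses are assumptions. The second topology covers the two extra rules above, a network reachable through two internal interfaces and more than one external interface.

```python
import ipaddress
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network

# Topology of Figure 3.10. A list of networks is an Internal interface: "interface IP
# and netmask" is a one-element list, "specific" holds the group object's members.
# None marks an External interface. Interface names are assumptions.
TOPOLOGY: Dict[str, Optional[List[IPNet]]] = {
    "eth0": [IPNet("192.168.1.0/24")],                          # stub network: IP and netmask
    "eth1": [IPNet("192.168.2.0/24"), IPNet("192.168.3.0/24")],  # group: local net + net behind the router
    "eth2": None,                                                # Internet: External
}

# Variant for the two extra rules: 192.168.3.0/24 is also reachable through a second
# internal interface, and there are two external interfaces.
TOPOLOGY_MULTI = dict(TOPOLOGY, **{
    "eth3": [IPNet("192.168.3.0/24")],
    "eth4": None,
})


def internal_networks(topology: Dict[str, Optional[List[IPNet]]]) -> List[IPNet]:
    """Every network claimed by any internal interface."""
    return [net for nets in topology.values() if nets is not None for net in nets]


def source_is_valid(topology: Dict[str, Optional[List[IPNet]]], iface: str, src: str) -> bool:
    """The anti-spoofing check for one packet: may 'src' legitimately arrive on 'iface'?"""
    addr = ipaddress.IPv4Address(src)
    nets = topology[iface]
    if nets is None:
        # External: valid only if no internal interface claims the address.
        return not any(addr in net for net in internal_networks(topology))
    return any(addr in net for net in nets)


def check_packet(topology: Dict[str, Optional[List[IPNet]]], iface: str, src: str, dst: str) -> str:
    """Step 1 of rule processing: pass the packet on to the rule base, or drop it with
    the kind of message that ends up in the log."""
    if source_is_valid(topology, iface, src):
        return "rulebase"
    return "drop: anti-spoofing, %s is not a valid source on %s (dst %s)" % (src, iface, dst)
```

Note that the external check is computed, not configured: adding a network to any internal interface automatically removes it from what the external interfaces will accept, which is why a forgotten internal network behind a router shows up as anti-spoofing drops rather than as a rule-base decision.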

Verifying and Installing a Security Policy

None of your hard work in defining the security policy would be of any use if you didn't push it out to the enforcement points. This approach also has the benefit of allowing you to make all your changes at once, making them active in one action, and letting you revert to a previous configuration if necessary.

If you want to check your policy for correctness, you can also verify it without having to install. The act of installing also forces verification before the actual push. Verifying a policy checks for errors such as conflicting rules, shown in Table 3.4, and contradicting NAT rules (for example, a single static NAT for several hosts).

Table 3.4 Two Rules That Will Cause a Verification Failure

Source  Destination  Service  Action  Track  Install On      Time
Any     Any          HTTP     Drop    None   Policy Targets  Any
Any     Host1        HTTP     Accept  None   Policy Targets  Any

Here, the second rule can never be reached because all HTTP traffic is denied in the first rule. Verification will fail with Rule 1 Conflicts with Rule 2 for services http.
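The kind of check that produces the error for Table 3.4, as an added example that is neither the book's nor Check Point's verifier: a later rule is unreachable when an earlier rule's Source, Destination and Service each cover it, with Any covering everything. Object membership is modelled with plain sets of names, and Action is ignored because the later rule is unreachable either way. The second sample policy is the one from Exam Prep Question 5 later in this chapter, where rule 2 is more specific than rule 4 and therefore does not mask it.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

ANY = frozenset({"Any"})


@dataclass(frozen=True)
class Rule:
    number: int
    source: FrozenSet[str]       # names of network objects, or ANY
    destination: FrozenSet[str]
    service: FrozenSet[str]
    action: str


def covers(earlier: FrozenSet[str], later: FrozenSet[str]) -> bool:
    """A column covers a later one if it is Any, or contains every object of the later column."""
    return earlier == ANY or later <= earlier


def masks(earlier: Rule, later: Rule) -> bool:
    """The later rule can never be reached if the earlier rule matches everything it matches."""
    return (covers(earlier.source, later.source)
            and covers(earlier.destination, later.destination)
            and covers(earlier.service, later.service))


def verify(rules: List[Rule]) -> List[str]:
    """Report unreachable rules, in the wording the book quotes for Table 3.4."""
    errors = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if masks(earlier, later):
                services = ",".join(sorted(later.service)).lower()
                errors.append("Rule %d Conflicts with Rule %d for services %s"
                              % (earlier.number, later.number, services))
                break  # one report per masked rule is enough
    return errors


# Table 3.4: the second rule is unreachable.
TABLE_3_4 = [
    Rule(1, ANY, ANY, frozenset({"HTTP"}), "Drop"),
    Rule(2, ANY, frozenset({"Host1"}), frozenset({"HTTP"}), "Accept"),
]

# Exam Prep Question 5: rule 2 applies to Net1 only, so it does not mask rule 4.
QUESTION_5 = [
    Rule(1, ANY, frozenset({"Firewall"}), ANY, "Drop"),
    Rule(2, frozenset({"Net1"}), frozenset({"HTTPServer"}), frozenset({"HTTP"}), "Drop"),
    Rule(3, frozenset({"Net2"}), frozenset({"HTTPServer"}), frozenset({"HTTPS"}), "Accept"),
    Rule(4, ANY, frozenset({"HTTPServer"}), frozenset({"HTTP"}), "Accept"),
]
```

The check is deliberately one-directional: a narrow rule followed by a broad one is the normal exception-then-default pattern and passes, while a broad rule followed by a narrower one is the error, because first match means the narrower rule is dead.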

The actual installation of the policy is done through the Policy, Install menu option. You then are prompted to specify which gateways receive the policy. By default, all are selected. After you click OK, the policy is verified and sent to the gateways. If there are any problems, you will receive an error telling you what the problem is.


To only verify the policy, select Policy, Verify. This will run the verification stage and give you a report on any errors.

To remove the policy from the enforcement point, select Policy, Uninstall. This removes the policy, placing the firewall in a state in which it is open to the world, but will not pass packets.

When you unload a policy, you're dropping your pants to the world! This is usually used only if something goes wrong and you need to start over with your policy.

Rule Processing Order

As said earlier, the rule base is processed in order. However, other things happen in the security policy besides checking your defined rules. This is the order of operations:

1. Anti-spoofing checks

2. Rule base

3. Network Address Translation

When you take into account the FireWall-1 global properties, you end upwith the following order:

1. Anti-spoofing checks

2. “First” Implicit Rules

3. Explicit Rules (except for the final rule)

4. “Before Last” Implicit Rules

5. Last Explicit Rule (should be cleanup rule)

6. “Last” Implicit Rules

7. Network Address Translation

When we look at Network Address Translation (NAT) in Chapter 8, “Network Address Translation,” you'll see how it changes the source and/or destination addresses of the packet. Because NAT happens after the rule base is consulted, your rules will refer to the translated address in many cases. If you are using the NAT properties of the network object to implement NAT (also called automatic NAT), this is taken care of for you.


Because anti-spoofing checks are done before anything else, you will find that if the topology is defined incorrectly, no conversation will occur regardless of the rule base. A log entry will be made to this effect.

Command-Line Utilities

A significant amount of administration can be done from the command line on both the SmartCenter Server and the FireWall-1 enforcement points. The command line provides a low-bandwidth and efficient way of getting information and performing emergency and maintenance actions.

Most commands are actually options to either the fw or the fwm executables—that is, they take the form of fw command options. The fw executable is for the FireWall-1 enforcement module, and fwm is for the SmartCenter Server.

Getting Basic Information

The first thing you want to know about a device is the version of software it is running. fw ver and fwm ver give this information:

    C:\WINNT\FW1\R55\conf>fw ver
    This is Check Point VPN-1(TM) & FireWall-1(R) NG with Application Intelligence (R55) HFA_04, Hotfix 093 - Build 003

    C:\WINNT\FW1\R55\conf>fwm ver
    This is Check Point SmartCenter Server NG with Application Intelligence (R55) HFA_04, Hotfix 093 - Build 001

As you can see, the major version (NG with Application Intelligence), the release (R55), and any hotfixes (Hotfix Accumulator 04 and Hotfix 093) are listed, along with the build number.

If you ever open a case with Check Point support, you will likely have to provide a cpinfo dump to them. Running cpinfo dumps an incredible amount of information, so redirecting it to a file (for example, cpinfo > Winnipeg.cpinfo) is suggested. With your file, support can view your entire policy, including rules and options, so be cautious about sending it out!

To get a snapshot of what policy is installed, and which interfaces are being protected, fw stat is used. With a policy loaded and active, you will see something like this:

    C:\WINNT\FW1\R55\conf>fw stat
    HOST      POLICY   DATE
    localhost Standard 15Dec2004 22:10:41 : [>PCnet0] [<PCnet0] [>PCnet2] [<PCnet2]


Here you can see that the Standard policy is loaded, and was installed at around 10 p.m. on December 15, 2004. Three interfaces are protected, with the arrows showing the direction of packets.

After the policy has been uninstalled, the output changes:

    C:\WINNT\FW1\R55\conf>fw stat
    HOST      POLICY   DATE
    localhost -        -    : >PCnet0 <PCnet0 >PCnet2 <PCnet2

There is no policy installed, and the interfaces are no longer protected.

To get a list of the interfaces on the gateway, use fw ctl iflist:

    C:\WINNT\FW1\R55\conf>fw ctl iflist
    0 : PCnet0
    1 : PCnet1
    2 : PCnet2
    3 : NDISWANIP

fw stat does not show inactive interfaces by default (use the -inactive flag to show the inactive interfaces), but iflist shows all.

Managing Services

All the Check Point services on the machine can be managed through the command line. To completely restart all Check Point processes, except for CPRID (the remote installation daemon), use cprestart. Likewise, to only start or stop the services, use cpstart and cpstop.

If you just need to start and stop the basic services, such as the firewall daemon, management station, and SNMP, use the fwstart and fwstop commands. This leaves both CPRID and cpshared running.

To manage CPRID services, use cpridstop and cpridstart to stop and start the service.

Managing the Policy

Although you can't easily edit the policy from the command line, you can push, pull, and unload a policy.

From the management station, you can push a policy to an enforcement point using fwm load. This command requires you to supply the name of a policy script (*.W, located in %FWDIR%\conf on Windows platforms, or $FWDIR/conf on Unix platforms) and optionally the name of an enforcement point to send it to. This operation compiles the script and sends it off to the enforcement point. In this example, the Standard policy is sent to the localhost:

    C:\WINNT\FW1\R55\conf>fwm load Standard.W
    Standard.W: Security Policy Script generated into Standard.pf
    Standard:
    Compiled OK.

    Installing CPMAD Policy On: localhost
    CPMAD policy installed successfully on winnipeg...
    CPMAD policy installation complete
    CPMAD policy installation succeeded for:winnipeg

    Installing VPN-1/FireWall-1 policy on: localhost ...
    VPN-1/FireWall-1 policy installed successfully on winnipeg...
    VPN-1/FireWall-1 policy installation complete
    VPN-1/FireWall-1 policy installation succeeded for:winnipeg

The messages here show that the policy installed successfully on the combination SmartCenter Server/VPN-1 Gateway.

If you are on a gateway, and want to pull down a policy, you execute fw fetch master, where master is the SIC name of your management station:

    C:\WINNT\FW1\R55\conf>fw fetch localhost
    Installing Security Policy Standard on all.all@winnipeg
    Fetching Security Policy from localhost succeeded

Here, the Standard policy was retrieved and installed.

Finally, to unload the policy, use fw unloadlocal:

    C:\WINNT\FW1\R55\conf>fw unloadlocal
    Uninstalling Security Policy from all.all@winnipeg
    Done.

    C:\WINNT\FW1\R55\conf>fw stat
    HOST      POLICY   DATE
    localhost -        -    : >PCnet0 <PCnet0 <PCnet1 >PCnet2 <PCnet2
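Because an unloaded policy leaves the gateway unprotected, the fw stat output is worth checking from a monitoring script rather than only by eye. The following parser is an added example written for this page, not a Check Point tool: it reads the two forms of fw stat output shown above (the sample strings are copied from this page) and reports a gateway with no policy, or with interfaces that are not shown in brackets as protected. The function and field names are mine.

```python
from dataclasses import dataclass
from typing import List, Optional

# fw stat output as printed on this page: with the Standard policy loaded, and after it was uninstalled.
FW_STAT_LOADED = """\
HOST      POLICY   DATE
localhost Standard 15Dec2004 22:10:41 : [>PCnet0] [<PCnet0] [>PCnet2] [<PCnet2]
"""

FW_STAT_UNLOADED = """\
HOST      POLICY   DATE
localhost -        -    : >PCnet0 <PCnet0 >PCnet2 <PCnet2
"""


@dataclass
class FwStat:
    host: str
    policy: Optional[str]      # None when the POLICY column is "-"
    date: Optional[str]
    protected: List[str]       # interfaces printed in brackets, e.g. ">PCnet0"
    unprotected: List[str]     # interfaces printed without brackets


def parse_fw_stat(output: str) -> FwStat:
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    if lines and lines[0].startswith("HOST"):
        lines = lines[1:]                    # drop the column header
    body = " ".join(lines)                   # the book wraps long lines; join them back up
    head, _, ifaces = body.partition(" : ")
    fields = head.split()
    host, policy = fields[0], fields[1]
    if policy == "-":
        policy, date = None, None
    else:
        date = " ".join(fields[2:])
    protected, unprotected = [], []
    for tok in ifaces.split():
        if tok.startswith("[") and tok.endswith("]"):
            protected.append(tok[1:-1])
        else:
            unprotected.append(tok)
    return FwStat(host, policy, date, protected, unprotected)


def interface_names(tagged: List[str]) -> List[str]:
    """'>PCnet0' and '<PCnet0' are the two directions of one interface."""
    return sorted({t.lstrip("<>") for t in tagged})


def needs_attention(stat: FwStat) -> Optional[str]:
    """Message for a monitoring check, or None when every listed interface is protected."""
    names = interface_names(stat.unprotected)
    if stat.policy is None:
        return "%s: no policy installed; unprotected interfaces: %s" % (stat.host, ", ".join(names))
    if names:
        return "%s: policy %s loaded but unprotected interfaces: %s" % (stat.host, stat.policy, ", ".join(names))
    return None
```

Run against the output of fw stat on each gateway, the message from needs_attention is the thing to alert on: a gateway that has been unloaded for troubleshooting and forgotten looks exactly like the second sample.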


Logs

Although SmartView Tracker is normally used to manage logs, it is possible to perform some actions at the command line. These commands are helpful for automating maintenance tasks or when scripting reports:

➤ fw log -a—Shows the log of accounting data.

➤ fw logswitch—Rotates the logs.

➤ fwm logexport—Dumps the logs to the screen or a file.

Performance Considerations

Because a good deal of the packet delay through the firewall is due to evaluating your security policy, it stands to reason that there are things you can do to make the process more efficient.

On the SmartCenter Server itself, defining the name to IP mapping in the local hosts file rather than through DNS can help performance. On Unix systems, this is /etc/hosts. In Windows, it is %SystemRoot%\system32\drivers\etc\hosts.

For the gateways, the following changes in your rule base will increase performance:

➤ Log connections sparingly—Logging takes time to process, so don't log what you don't intend to read.

➤ Minimize your rule base's complexity—The more rules, the longer it takes to process. Complex rules, such as those with many objects inside, compile into a larger security policy too.

➤ Use network objects or address ranges instead of multiple host objects—It's easier to check whether an address falls within a network boundary than it is to check it against multiple host entries.

➤ Put your high-traffic rules at the beginning—Rules are checked one by one, stopping at the first match, so make sure that the match happens early for frequently used rules.

In general, simplicity equals better performance, not to mention better security.


Exam Prep Questions

1. You have hidden rule 13, which drops all HTTP packets to a particular web server, but packets are still being dropped. What is the likely cause of this problem?
❍ A. You did not push the policy to the enforcement point(s).
❍ B. A rule after rule 13 also blocks access.
❍ C. Hiding a rule does not remove it from the security policy.
❍ D. The server has a network problem.
❍ E. You must save the policy to the SmartCenter Server.

Answer: C. A is not correct because a hidden rule is still compiled into the security policy. B is not correct because rule 13 is still valid and it will therefore block the packet regardless of a successive rule. C is correct because the rule will still be enforced by the gateway, even though it's hidden from view to SmartDashboard. D is not correct because it is the rule causing the drops, not a network problem. E is not correct because saving the policy to the SmartCenter Server has no effect on the enforcement points.

2. Trying to gain privileges by making a packet that is received on one interface look as though it is from a network connected to a different interface is called what?
❍ A. Network Address Translation (NAT)
❍ B. Anti-spoofing
❍ C. Buffer overflow
❍ D. Spoofing
❍ E. Remote Procedure Call (RPC)

Answer: D. A is not correct because NAT is used on the gateway, and is not for gaining privileges. B is not correct because anti-spoofing is used to protect against this attack, not the attack itself. C is not correct because a buffer overflow works by getting a host to execute malicious code by filling unchecked buffers, not by faking addresses. D is correct because spoofing involves manipulating addresses to make a packet look as though it comes from another interface. E is not correct because RPCs are used by applications and operating systems to communicate.

3. Which three of the following are FireWall-1 global properties?
❑ A. Accept RIP
❑ B. Accept HTTPS
❑ C. Accept Control Connections
❑ D. Anti-spoofing
❑ E. Accept Outgoing Packets Originating from Gateway

Answer: A, C, and E. A is correct because there is a FireWall-1 global property that enables the gateway to accept RIP. B is not correct because there is no such option. C is correct because by default, control connections are enabled in the global properties. D is not correct because anti-spoofing is configured at the Check Point level, not the global level. E is correct because there is an option to accept packets originating from the gateway.

4. With reference to the sample policy below, what is the function of rule 1?

Rule #  Source  Destination  Service  Action  Track
1       Any     Firewall     Any      Drop    Log
2       Any     HTTPServer   HTTP     Accept  None

❍ A. Is the cleanup rule
❍ B. Is the stealth rule
❍ C. Prevents firewalls from sending packets
❍ D. Prevents spoofing attacks against the firewall
❍ E. Works with rule 2 to protect HTTPServer

Answer: B. A is not correct because the cleanup rule is the final rule, and drops everything. B is correct because the stealth rule drops packets sent to the firewall. C is not correct because this rule blocks packets into the firewall but does not specify what happens to packets with a source of the firewall. D is not correct because spoofing is not handled through the rule base. E is not correct because rules 1 and 2 are independent.

5. With reference to the sample policy shown here, who can access port 80 on HTTPServer?

Rule #  Source  Destination  Service  Action  Track
1       Any     Firewall     Any      Drop    Log
2       Net1    HTTPServer   HTTP     Drop    None
3       Net2    HTTPServer   HTTPS    Accept  None
4       Any     HTTPServer   HTTP     Accept  Log

❍ A. Net1
❍ B. Net2
❍ C. Net1 and Net2
❍ D. Anyone except Net1
❍ E. Invalid policy; rule 2 masks rule 4

Answer: D. A is not correct because rule 2 explicitly drops any packets from Net1 to HTTPServer on port 80. B is not the correct answer because even though Net2 can access HTTPServer on port 80, it is not the best answer. C is not correct because Net1 cannot connect to the HTTP server. D is correct because rule 2 blocks Net1, and rule 4 allows everyone else. E is not correct because rule 2 does not mask rule 4—it is more specific.


6. Which of the following will have a negative impact on a gateway's throughput? (Choose two.)
❑ A. Small rule base
❑ B. Groups of hosts used instead of network objects
❑ C. Tracking option on all rules set to Log
❑ D. High-traffic rules near the top of the rule base
❑ E. Multiple administrators logged in to SmartConsole

Answer: B and C. A is not correct because a smaller rule base is good for performance, because fewer rules need to be checked on average. B is correct because network objects are more efficient than a group of hosts. C is correct because logging decreases FireWall-1 performance. D is not correct because high-traffic rules should be near the top of the rule base so that fewer rules need to be checked on average. E is not correct because the number of administrators logged in to a SmartConsole does not affect the performance of the gateways.

7. Which of the following commands changes the installed security policy to one that will certainly accept control connections?
❍ A. cpstop
❍ B. fw fetch localhost
❍ C. fw unloadlocal
❍ D. fwm unloadlocal
❍ E. fwstop

Answer: C. A is not correct because cpstop will stop all the Check Point services, and no one will be able to connect. B is not correct because it will fetch the latest policy from the management server, which is not guaranteed to allow control connections. C is correct because fw unloadlocal removes the policy from the gateway and allows management connections. D is not correct because unloading the policy is done on the enforcement point through fw, not on the management server through fwm. E is not correct because fwstop will stop the firewall service and will not allow anyone to connect.

8. Where are the global properties located?
❍ A. Global Properties under Management Station Properties
❍ B. View, Global Properties
❍ C. Manage, Global Properties
❍ D. Manage, Policy, Global Properties
❍ E. Policy, Global Properties

Answer: E. A is not correct because the global properties are not a property of the management station. B is not correct because the View menu is for changing the look and feel of the SmartDashboard. C is not correct because the Manage menu is for managing objects. D is not correct for the same reasons as C. E is correct because that is where the Global Properties menu item is found.


9. Which of the following objects may appear in a group together? (Choose three.)
❑ A. Check Points
❑ B. Other groups
❑ C. Time objects
❑ D. Nodes configured as a gateway
❑ E. Services

Answer: A, B, and D. A is correct because a Check Point is another type of network object, and can share a group with other network objects. B is correct because groups can be nested. C is not correct because time objects are not network objects, and thus cannot be grouped with other network objects. D is correct because nodes, whether configured as a host or a gateway, are network objects. E is not correct because services cannot be grouped with network objects.

10. Which of the following have a SIC connection to the SmartCenter Server? (Choose two.)
❑ A. Check Point, Gateway
❑ B. Check Point, Externally Managed Gateway
❑ C. Check Point, Host
❑ D. Nodes, Gateway
❑ E. Nodes, Host

Answer: A and C. A is correct because a Check Point gateway is managed by the SmartCenter Server and has a SIC connection. B is not correct because an externally managed gateway is not managed by the SmartCenter Server, and thus does not have a SIC connection. C is correct because a Check Point host is the same as a Check Point gateway in terms of management. D is not correct because a node does not have a policy and is not managed. E is not correct for the same reasons as D.
