A Check Point Security Gateway at the network boundary inspects and provides access control for all gateway traffic. Traffic that does not pass through the gateway is not controlled.
A security administrator is responsible for implementing company security policy. Check Point Security Gateway allows administrators to enforce security policies consistently across multiple gateways. To do this, the administrator defines a company-wide security policy Rule Base using SmartDashboard and installs it to the Security Management server.
SmartDashboard is a SmartConsole client application that administrators use to define and apply security policies to gateways. Granular security policy control is possible by applying specific rules to specific gateways.
Check Point Security Gateway provides secure access control because of its granular understanding of all underlying services and applications traveling on the network. Stateful Inspection technology provides full application level awareness and comprehensive access control for more than 150 predefined applications, services and protocols as well as the ability to specify and define custom services.
Stateful Inspection extracts state-related information required for security decisions from all application levels and maintains this information in dynamic state tables that are used to evaluate subsequent connection attempts.
Mechanisms for Controlling Network Traffic:
Any firewall must deny or permit traffic based on explicitly defined rules. Check Point utilizes the following technologies to grant or deny network traffic:
· Packet filtering
· Stateful Inspection
· Application Intelligence
Packet Filtering
Fundamentally, messages are divided into packets that include the destination address and data. Packets are transmitted individually and often by different routes. Once the packets reach their destination, they are reassembled into the original message.
Packet filtering is a firewall in its most basic form. Its primary purpose is to control access to specific network segments as directed by a preconfigured set of rules, or rule base, which defines the traffic permitted access. Packet filters usually function at layers 3 (network) and 4 (transport) of the OSI model. In general, a typical rule base will include the following elements:
· Source address
· Destination address
· Source port
· Destination port
· Protocol
Packet-filter firewalls are the least secure type of firewall, because they cannot understand the context of a given communication, making them easier for intruders to attack.
Stateful Inspection
Stateful Inspection, a technology developed and patented by Check Point, incorporates layer 4 awareness into the standard packet-filter firewall architecture. Stateful Inspection differs from static packet filtering, in that it examines a packet not only in its header, but also the contents of the packet up through the application layer, to determine more about the packet than just information about its source and destination.
The state of the connection is monitored and a state table is created to compile the information. As a result, filtering includes context that has been established by previous packets passed through the firewall. For example, stateful-inspection firewalls provide a security measure against port scanning, by closing all ports until the specific port is requested.
There are many state tables that hold useful information regarding monitoring performance through a Security Gateway. State tables are used to keep the state information needed to correctly inspect packets.
Check Point’s INSPECT Engine is the mechanism that extracts state-related information from all application layers and maintains it in these dynamic state tables, which are then used to evaluate subsequent connections.
The INSPECT Engine enforces Security Policies on the Security Gateway on which they reside.
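The difference between a static rule base and a state table, as an added illustration that is not part of this article or of any Check Point product: a rule base built from the five elements listed above (source, destination, source port, destination port, protocol) decides only new connections, while a state table lets the server's reply through and drops an unsolicited probe on the same port. The addresses and rules are constructed sample values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# The five rule-base elements plus the TCP SYN flag (True only on a connection's first packet).
Packet = namedtuple("Packet", "src dst sport dport proto syn", defaults=(False,))
# Constructed sample Rule Base (not a real Check Point policy): "*" is a wildcard, rules
# are ordered, the first match wins and the last rule is the cleanup rule.
RULE_BASE = [
    ("10.0.0.0/8", "*", "*", 443, "tcp", "accept"),  # internal hosts may open HTTPS outbound
    ("*", "*", "*", "*", "*", "drop"),
]

def _match(value, pattern):
    if isinstance(pattern, str) and "/" in pattern:  # CIDR source/destination pattern
        return ip_address(value) in ip_network(pattern)
    return pattern == "*" or value == pattern

def rule_base_decision(pkt, rules=RULE_BASE):
    """Static packet filtering: each packet is judged on its own header fields only."""
    for src, dst, sport, dport, proto, action in rules:
        fields = ((pkt.src, src), (pkt.dst, dst), (pkt.sport, sport),
                  (pkt.dport, dport), (pkt.proto, proto))
        if all(_match(v, p) for v, p in fields):
            return action
    return "drop"

class StatefulFirewall:
    """Stateful Inspection: the rule base decides only new connections; every later
    packet is evaluated against the dynamic state table built from accepted ones."""
    def __init__(self):
        self.state_table = set()  # 5-tuples of connections already accepted
    def inspect(self, pkt):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if key in self.state_table or reverse in self.state_table:
            return "accept"  # context established by earlier packets of this connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"  # no state and not a connection attempt: unsolicited, e.g. a scan probe
        decision = rule_base_decision(pkt)
        if decision == "accept":
            self.state_table.add(key)  # remember the connection for subsequent packets
        return decision

def demo():
    # Decisions for: outbound SYN, server reply, unsolicited probe (stateful); reply (static)
    fw = StatefulFirewall()
    syn = Packet("10.1.2.3", "203.0.113.10", 51234, 443, "tcp", syn=True)
    reply = Packet("203.0.113.10", "10.1.2.3", 443, 51234, "tcp")
    probe = Packet("203.0.113.99", "10.1.2.3", 443, 51234, "tcp")
    return fw.inspect(syn), fw.inspect(reply), fw.inspect(probe), rule_base_decision(reply)
```

The last value shows why a static filter would need a broad inbound rule to admit the reply, a rule that would also admit the probe.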
Application Intelligence
A growing number of attacks attempt to exploit vulnerabilities in network applications, rather than targeting firewalls directly. Application Intelligence is a set of advanced capabilities, integrated into the firewall and IPS, which detect and prevent application-level attacks. This section describes how to protect against application-level attacks for each application protocol.
Application Intelligence works primarily with application-layer defenses. In practice however, many attacks aimed at network applications actually target the network and transport layers.