Install Checkpoint Gaia Virtualbox Ubuntu
Security Management Architecture (SMART)
Checkpoint deployment have basically two types of Security Management Architecture(called SMART)
Distributed
Standalone
SMART Components
Console (SMART Console PC)
Security Management Servers
Firewall Gateway
In this above scenario, the SMART is consisting of 3 components.
Smart Console – A host computer is the SMART topology taht runs the smart console software modules(smart dashboard, smart tracker, smart monitor and so on). It create the policies and store it into the management server.
Security Management Server –All the policies of the SMART network stored in management server/smart security server. The management server push the policies over the Firewall Gateways. In a SMART topology there could be a several numbers of gateways, but a single management server itself is enough to manage them, can be able to manage all tghe FW-GW in a centralized manner.
Security Gateway – The checkpoint appliance that implement the policies and enforce policies and access control mechanism over packet traversing rules.
Deployment Methods
Now that you know what is what, the architecture of Check Point firewalls should be a little easier to understand. Check Point firewalls can be deployed in a standalone fashion or a distributed one. Lets look at the difference between the two
Standalone Deployment
In a stand-alone deployment, your Security Management Server and Security Gateway is installed on the same platform and your smart console will most probably be installed on a separate platform with which you will access the Security Management server to create policies and push it to the Security Gateway (which is the same device in this case). However, this deployment defeats the whole purpose of Check Point’s three-tiered architecture and is not recommended by Check Point, except for small businesses.
Distributed Deployment
A distributed deployment is more commonly known as a Three-Tired architecture, wherein each component is installed on a separate platform and this type of deployment is highly recommended by Check Point. Smart Console is usually installed on Windows for its ease of use. Security Management Server can be installed on Windows/Linux/FreeBSD platform depending on the requirement. And the Security Gateway too can be installed on a Windows/Linux/FreeBSD platform as per the requirements.
The command chain between SMART components
Noet: The SMART console never interact with FW-GW directly. The SMART will always follow the command chain whenever any management action require.
Active Model (Hybride)
The Checkpoint(Almost all security appliances in this era) works in Hybrid Model
(a strip-down version of OSI Reference Model and TCP-IP Suite) .
Traffic Control Mechanisms
1. Packet Filtering :
In packet filtering the the policies are explicitly defined that what packet should be accepted and what should be dropped. These policies are based on Transport and Network Layer and decisions are taken using IP and Port addresses.
Packet filtering lets you control (allow or disallow) data transfer based on:
The address the data is (supposedly) coming from
The address the data is going to
The session and application protocols being used to transfer the data
Vulnerabilities: Using packet filtering we can filter and manage outside traffic. But a user from the inside network trying to access a non legitimate outside resource cant be managed as the response come from outside.
2. Stateful Filtering :
In stateful filtering the FW inspects the packets and remember the port numbers during a session(TCP/UDP). These inbound and outbound port numbers of a TCP/UDP sessions are stored in a lookup table(called state table) . The firewall is having an inspect engine that make it possible to filter any non legitimate traffic during a TCP/UDP session.
Bellow here two example of stateful filtering based on TCP and UDP sessions respectively.
Vulnerabilities: Stateful filtering also raise the possibility that individual hosts can be tricked into soliciting outside connections.
Suppose a user BOB wants to telnet a resource. However he can use a proxy server to encapsulate Telnet(Port-23) traffic over HTTP(Port-80) as a payload of HTTP and overcome the policy obstacles.
The stateful packet filter firewall provides no protection whatsoever from an application layer attack. In order to be effective and address today’s application layer attacks, firewalls must inspect the application layer traffic. This is the reason why today many stateful packet filter firewall vendors are adopting some form of application layer filtering. Also, recent statistics show that stateful packet filter firewalls are prone to denial-of-service attacks.
3. Application Awareness:
It is a type of traffic control method actually take a look into the Application Layer. It inspects the content of the data.
Checkponit scope
Detects and controls application usage
- Identify, allow, block or limit usage of applications, and features within them
- Enable safe Internet use while protecting against threats and malware
- Leverage the world’s largest application library with more than 6,600 web 2.0 applications
Supports advanced identity awareness for stress-free policy enforcement
- Create granular policy definitions per user and group
- Integrate seamlessly with Active Directory
- Protect environments with social media and Internet applications
Provides proven gateway security in a single, dedicated appliance
- Rely on 24/7 advanced protection
- Reap the benefits of application control and intrusion protection (IPS), as well as extensibility support for additional security capabilities
- Get greater understanding into security events with integrated, easy-to-use centralized management
- Join more than 170,000 customers, including 100 percent of Fortune 100 companies
Identity awareness
Great security involves limiting and tracking access to sensitive data and resources. With the Next Generation Firewall, your administrators get detailed visibility into the users, groups, applications, machines and connection types on your network so they can assign permissions to the right users and devices. The firewall makes it easy and cost-effective to enforce security policy, giving granular permission control over these entities; this results in superior protection across the entire security gateway.
Seamless and agent-less integration with Active Directory provides complete user identification, enabling simple, application-based policy definition per user or group directly from the firewall. Users’ identification may be acquired in one of three simple methods:
- Querying the Active Directory
- Through a captive portal
- Installing a one-time, thin client-side agent
Application controlEmployees are using more apps than ever, and you’re on the hook to protect them regardless of what they use. Check Point Next Generation Firewall has the industry’s largest application coverage, with more than 6,600 applications and 260,000 social network widgets included. You can create granular security policies based on users or groups to identify, block or limit usage of web applications and widgets like instant messaging, social networking, video streaming, VoIP, games and more.
Logging and statusTo help you make sense out of your security event data, we included SmartLog, an advanced log analyzer that delivers split-second search results providing real-time visibility into billions of log records over multiple time periods and domains
Integrated security management
Our unified security management simplifies the monumental task of managing your security environment. You’ll see and control threats, devices and users with a highly intuitive graphical interface providing views, details and reports on your security health. Manage all your Check Point gateways and software blades from one comprehensive, centralized security dashboard.
Intrusion prevention
Next Generation Firewall includes the Check Point IPS Software Blade, which secures your network by inspecting packets traversing through the gateway. It is a full-featured IPS, providing geo-protections and frequent, automated threat definition updates. Because the IPS is part of the integrated Software Blade Architecture, you’ll get all the deployment and management advantages of a unified and extensible solution.
Problem with App Awareness
Every-time the FW needs to dig into the content of the Application Layer that will further impact on the response of the hardware appliance.
Actually not everytime , but a one time inspection of Application Layer data facilitates the App Awareness. The FW checks the legitimacy of the content for the first time when the connection(TCP/UDP) going to establish. Then firewall remember the session and give the control to the L2.5 Kernel. From here the rest of the packet forwarding(inward/outward) responsibility goes to the Kernel itself and the Kernel continue to do so until the session terminates.
Underlying Platforms to Implement the Checkpoint Security Management Software
IPSO
Secure Platform(SPLAT)
GAiA
Network Diagram
Before move on to the Installation part, take a look into the SMART network diagram.
We will provision a portion of this topology in the following discussion.