Checkpoint CCSA 4.x Cramsession

Definition of Firewall
- Device that enforces security policy regarding communication between internal and/or external networks
- Controls which machines or network users can connect through the firewall to reach external elements
- Cannot protect against malicious authorized users, or against connections that do not go through the firewall itself
- Even with a firewall there is NO 100% safety guarantee
- Checkpoint's Firewall-1 module sits between the Network and the Datalink Layers of the packet flow path

Comparing Different Firewall Technologies

Packet Filtering
- Works at the Network Layer
- Purely examines the packet header
- In many cases, the entire range of upper ports (port number > 1023) is opened for an allowed session, which exposes security holes
- Pros: low cost; low overhead; application transparency
- Cons: not secure enough; not scalable; ACLs are difficult to manage; subject to IP spoofing

Application Layer Gateway
- Works at the Application Layer
- Uses complicated application logic to determine intruder attempts
- Pros: very secure; full application awareness
- Cons: slow, as it is CPU intensive; non-transparent; poor scalability

Stateful Inspection
- Uses context to determine if a communication request should be allowed
- Understands the intent of a given communication by learning from previous communication sessions, and allows it through for the duration of the session
- Builds up a dynamic state table to store state information
- When the client session concludes, the needed port is closed
- The BEST firewall technology: fast, secure and scalable
- Used by Firewall-1

6 Major Modules of Firewall-1

Checkpoint uses the OPSEC (Open Platform for Secure Enterprise Connectivity) architecture, which provides a scalable framework for security implementation by separating the firewall product into different modules.

Inspection Module enforces security by providing the following capabilities:
- Access Control
- Client Authentication
- Session Authentication
- Network Address Translation
- Auditing

Firewall Module enforces security by providing the following capabilities:
- Access Control
- Client Authentication
- Session Authentication
- User Authentication
- Network Address Translation
- Auditing
- Content Security
- Firewall Synchronization

Encryption Module supports Firewall to Firewall / Client to Firewall encryption. It can be classified into the DES Encryption Module, which is for use in North America, and the FWZ1 Module, which is for worldwide export.

Connect Control Module provides automatic server load balancing.

Router Security Module uses Access Control Lists to control 3Com, Bay and Cisco routers.

The Complete Firewall-1 Architecture
- A 3-tier architecture: there can be many different Firewall Modules running in different locations (security enforcement points), all controlled by a central Management Console. Administrators can administer the security system either directly via the console, or by running GUI clients on another desktop that connect to the Management Console over the network.
- For the Single Gateway product, there is only one Firewall Module controlled by one Management Console, and both must be installed on the same machine, which means there is only one security enforcement point. However, you can still run the GUI client from another desktop. For multiple gateway products there can be multiple enforcement points; for example, Firewall Internet Gateway/25 means you can have up to 25 Firewall Modules controlled by one Management Console.
- The GUI is available only for Win95/98/NT and Motif. The exam focuses on the GUI, not the command line. The 3 different GUIs are: the Security Policy Editor for setting up the security settings, the Log Viewer for viewing the logs, and the System Status tool for viewing the current statistics of the different firewall components. The Network Object Manager is a function within the Policy Editor for creating objects, so that we can place the objects in the rule base and set up the corresponding security rules.
- FWD (Firewall Daemon) is the process responsible for moving data between the components.
- Firewall-1 is installed as a set of services. When the server is started and the Firewall-1 services have not finished loading, the server's IP forwarding function can provide hackers with security holes to get in. This is the specific vulnerable window we need to pay attention to. The best way is to let Firewall-1 control the server's IP forwarding function.

Figure 0 - Firewall-1 as a service in Control Panel - Services

Administrator Access
- You can set up as many administrator accounts as you like.
- When logging on, you must supply the user name, the password and the name of the management server.

Figure 1 - Log in

- The administrator can have 4 different levels of access rights:
  - Monitor Only - Read Only access to the Log Viewer and System Status tool
  - Read Only - includes Monitor Only rights, plus Read Only rights to the Security Policy Editor
  - User Access - administrator can modify user information, but nothing else
  - Read/Write Access - administrator can do everything. Only one administrator at a time can log in using this mode

Figure 2 - Administrators access mode

Security Policy
- Definition: a set of rules that collectively determine what traffic is allowed and what is not
- Enforcement Directions - there are 3 different types of direction: the default Inbound, Outbound and Eitherbound. Applying rules to inbound traffic means checking traffic that goes into the firewall. In the outbound direction, security is applied when the traffic is leaving the firewall. Eitherbound means checking traffic both ways, which is not recommended as it is CPU intensive.
- The effective security settings are a combination of the settings found in Security Policy Properties and the Rule Base
- Packets are matched in the following order:
  - Anti-Spoofing
  - Any properties marked FIRST in the Security Policy Properties
  - Rule base order (except for the last rule)
  - Any properties marked BEFORE LAST in the Security Policy Properties
  - The Rule Base's last rule
  - Any properties marked LAST in the Security Policy Properties
  - Implicit Drop Rule (drop everything not mentioned above)

Figure 3 - Sample Rule Base

- To define a rule in the Rule Base, you must specify at least the Source, the Destination, the Service involved, the Action, and where to install the policy (the enforcement point; most of the time the default Gateway is fine).
- The implicit drop rule cleans up everything without logging. Only traffic dropped by your own rules is logged, so you may want to define a clean-up rule yourself and place it as the last rule in the rule base, e.g. ANY - ANY - ANY - DROP.
- The Stealth rule is the first rule in the rule base; it prevents traffic from directly accessing the firewall itself.
- The order of the rules is important, as the firewall implements the rules in a top-down manner.
- Once you finish, press the VERIFY button to make sure that your rule base settings are valid, and then press the INSTALL button so that Firewall-1 compiles the rule base, generates the corresponding script, and runs it on the enforcement point.
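The matching order above is easiest to see by running it. The following is an added example, not Check Point code or any part of this Cramsession: a top-down, first-match evaluator that applies the stages in exactly the order listed (anti-spoofing, FIRST properties, all rules but the last, BEFORE LAST properties, the last rule, LAST properties, implicit drop). The rule base is the page's sample rule base; the object-to-address map, the "This Net" anti-spoofing setting on the internal interface and the (service, action) pairs standing in for property entries are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    service: str
    iface: str  # interface the packet arrived on


@dataclass
class Rule:
    source: str        # "any" or a network-object name
    destination: str
    service: str       # "any" or a service name
    action: str
    comment: str = ""


# Constructed network objects: name -> host address or network.
OBJECTS = {
    "firewall.mysite.com": "203.0.113.1/32",
    "email.mysite.com": "203.0.113.10/32",
    "www.mysite.com": "203.0.113.20/32",
    "mylocalnet": "10.0.0.0/8",
}
# Constructed anti-spoofing setting: "This Net" on the internal interface;
# interfaces not listed behave like the "Any" option (no check).
VALID_ADDRESSES = {"internal": ["10.0.0.0/8"]}
# Constructed (service, action) pairs implied by properties at each stage.
PROPERTIES = {
    "FIRST": [("fw1", "accept")],
    "BEFORE LAST": [("icmp", "accept")],
    "LAST": [("domain-udp", "accept")],
}
# The page's sample rule base, top to bottom.
RULE_BASE = [
    Rule("any", "firewall.mysite.com", "any", "drop", "stealth rule"),
    Rule("any", "email.mysite.com", "smtp", "accept", "inbound mail"),
    Rule("any", "www.mysite.com", "http", "drop", "no external web access"),
    Rule("mylocalnet", "any", "any", "accept", "internal users out"),
    Rule("any", "any", "any", "drop", "clean-up rule"),
]


def in_object(name, ip):
    """True if ip is covered by the named object ("any" covers everything)."""
    return name == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(OBJECTS[name])


def spoofed(pkt):
    """Anti-spoofing: the source must lie in the arrival interface's valid addresses."""
    nets = VALID_ADDRESSES.get(pkt.iface)
    return nets is not None and not any(
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(n) for n in nets)


def rule_matches(rule, pkt):
    return (in_object(rule.source, pkt.src) and in_object(rule.destination, pkt.dst)
            and rule.service in ("any", pkt.service))


def property_match(stage, pkt):
    for service, action in PROPERTIES[stage]:
        if service == pkt.service:
            return action, f"property {stage} ({service})"
    return None


def evaluate(pkt, rule_base=RULE_BASE):
    """Return (action, reason) from the first stage that matches, in page order."""
    if spoofed(pkt):
        return "drop", "anti-spoofing"
    if hit := property_match("FIRST", pkt):
        return hit
    for number, rule in enumerate(rule_base[:-1], start=1):   # every rule but the last
        if rule_matches(rule, pkt):
            return rule.action, f"rule {number} ({rule.comment})"
    if hit := property_match("BEFORE LAST", pkt):
        return hit
    if rule_base and rule_matches(rule_base[-1], pkt):
        return rule_base[-1].action, f"rule {len(rule_base)} ({rule_base[-1].comment})"
    if hit := property_match("LAST", pkt):
        return hit
    return "drop", "implicit drop (not logged)"


if __name__ == "__main__":
    for p in (Packet("198.51.100.7", "203.0.113.10", "icmp", "external"),
              Packet("198.51.100.7", "203.0.113.10", "smtp", "internal")):
        print(p, "->", evaluate(p))
```

Two cases are worth tracing by hand. An ICMP packet from outside matches none of rules 1 to 4, so the BEFORE LAST property accepts it before the clean-up rule ever sees it; that is why a clean-up rule does not override properties placed before it. An SMTP packet to the mail server that arrives on the internal interface with an outside source address is dropped by anti-spoofing even though rule 2 would accept it, because anti-spoofing is evaluated first. With the clean-up rule removed, a service that nothing matches falls through to the LAST properties and finally to the unlogged implicit drop.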

Figure 4 - Security Policy Properties

- FASTPATH will speed up inspection, but disables accounting, encryption and authentication
- In the Log and Alert properties window, you can specify that Firewall-1 notify you in case of problems through a popup window, email, an SNMP trap or user-defined external commands

Figure 5 - Possible Rule Base Actions

- Possible Rule Base actions include:
  - Accept
  - Reject - reject the packet and inform the sender
  - Drop - reject without informing the sender
  - User Auth - use User Authentication on this packet
  - Session Auth - use Session Authentication on this packet
  - Client Auth - use Client Authentication on this packet
  - Encrypt - encrypt outgoing and decrypt incoming traffic; used with the extra VPN module, which is not covered in this exam
  - Client Encrypt - encrypt outgoing and decrypt incoming traffic with the help of a secure remote client

Sample Rule Base

Source     | Destination         | Service | Action | Comment
-----------|---------------------|---------|--------|-------------------------------------------------------------------
any        | firewall.mysite.com | any     | drop   | external users cannot access the firewall directly (the stealth rule)
any        | email.mysite.com    | smtp    | accept | external users can send email to the internal mail server
any        | www.mysite.com      | http    | drop   | external users cannot visit the internal web server
mylocalnet | any                 | any     | accept | our internal users can access whatever outside services they like
any        | any                 | any     | drop   | clean-up rule

Authentication
- Definition: a secure mechanism for authenticating users at the firewall before letting them in
- To set up authentication, you need to first define the user and assign him/her to a group, specify the authentication scheme for this user, and then add the authentication rule to the rule base.
- Different Password Schemes:
  - Firewall-1 Password - fixed password; no need to have a user account in Firewall-1. The password is encrypted and stored in a proprietary database
  - OS Password - uses the Operating System password. Not recommended.
  - S/Key - one-time password generated from a seed value, a secret key and a length. Needs separate public-domain S/Key client software in order to function. Very secure, but complicated
  - SecurID - uses a secured card to generate a unique, unpredictable access code every 30 to 90 seconds. The user needs to supply a PIN and match it with the token displayed on the card. An expensive but secure method
  - AXENT Pathway Defender - token based authentication; requires separate server software and token cards for every user
  - RADIUS - uses a third-party RADIUS server in the network to authenticate. A corresponding RADIUS server object is needed in the rule base
- Different Authentication Methods:
  - User Authentication - for FTP, HTTP, telnet and RLOGIN users only; the password is requested through the client's GUI.
  - Client Authentication - for any service; requires the user to telnet to port 259 first
  - Session Authentication - the most transparent way of authenticating users; supports all services, no need to telnet first. However, the client must have the authentication agent software provided by Checkpoint installed
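Of the password schemes listed, S/Key is the one whose mechanics are worth seeing in code, because it explains why the page calls it "very secure": the server never holds the secret, and every password is accepted at most once. The following is an added example, not the S/Key software and not Check Point code. It implements the hash-chain principle the page describes (passwords derived from a seed, a secret and a chain length), with one assumption: SHA-256 stands in for the MD4-and-fold step of RFC 1760, so the values are not byte-compatible with a real S/Key client. The seed and secret are constructed.

```python
import hashlib


def _step(data: bytes) -> bytes:
    # Assumption: SHA-256 replaces the RFC 1760 MD4 hash-and-fold step.
    return hashlib.sha256(data).digest()


def chain_value(seed: str, secret: str, n: int) -> bytes:
    """p_n: hash seed+secret once, then apply the hash n more times."""
    value = _step((seed + secret).encode())
    for _ in range(n):
        value = _step(value)
    return value


def enroll(seed: str, secret: str, length: int) -> bytes:
    """Client side at enrolment: p_length, the only value the server stores."""
    return chain_value(seed, secret, length)


def client_response(challenge, secret: str) -> bytes:
    """Client side at login: recompute p_sequence from seed and secret."""
    sequence, seed = challenge
    return chain_value(seed, secret, sequence)


class SKeyServer:
    """Server side: keeps the seed, the sequence counter and the last accepted
    password p_counter. The secret itself never reaches the server."""

    def __init__(self, seed: str, length: int, registered: bytes):
        self.seed = seed
        self.counter = length
        self.stored = registered

    def challenge(self):
        """Sequence number and seed the client must answer next."""
        return self.counter - 1, self.seed

    def verify(self, sequence: int, candidate: bytes) -> bool:
        """Accept p_{counter-1} only if hashing it once gives the stored
        p_counter. On success the stored value moves one step down the chain,
        so a captured password can never be replayed."""
        if sequence < 0 or sequence != self.counter - 1:
            return False          # wrong position in the chain, or chain exhausted
        if _step(candidate) != self.stored:
            return False          # wrong secret or wrong seed
        self.stored = candidate
        self.counter = sequence
        return True


if __name__ == "__main__":
    seed, secret = "ab12", "correct horse battery"       # constructed
    server = SKeyServer(seed, 5, enroll(seed, secret, 5))
    otp = client_response(server.challenge(), secret)
    print("first login:", server.verify(4, otp), "replay:", server.verify(4, otp))
```

Each successful login lowers the counter, and when it reaches zero the chain is exhausted and the user must re-enrol with a new seed; that is the "complicated" part the page mentions, and the reason the client software is needed to do the repeated hashing on the user's behalf.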

System Status Tool
- Tells the number of packets dropped/rejected/inspected/logged
- Tells whether or not a security policy is installed on the firewall, the name of the policy installed, and the date the security policy was installed on the firewall
- The most important display shows the status of the Firewall-1 Daemon: INSTALLED (daemon is running, and a security policy is installed), NOT INSTALLED (daemon is running, but no security policy is installed), or DISCONNECTED (no response from the daemon at all)

Log Viewer
- Active Connection Mode (Live Mode) - views current connections going through the firewall, and uses separate log files for connection start and end
- Accounting Mode - collected data is updated cumulatively, and you can create charge-back or progressive billing reports out of it
- When you start a new log file, the current log file is saved automatically with the current date appended to the file name
- To display specific information from a column, apply a selection criterion in the Log Viewer
- You do not need to keep the Log Viewer open in order to view pop-up alerts as they occur

Content Security
- Uses CVP (Content Vectoring Protocol), a TCP-based protocol developed by Checkpoint that uses port 18181 to transparently reroute the data stream to an external content scanning server. A CVP server object needs to be created for content security to work
- Supports SMTP, HTTP and FTP; each has a corresponding resource object type that can be defined in the rule base
- SMTP security functions: hides the outgoing email's FROM field, redirects email sent to given TO or CC addresses, drops emails from particular senders or messages above a particular size, strips MIME attachments, strips the RECEIVED field, and transparently relays email to a third-party anti-virus server
- FTP security functions: controls the GET and PUT operations, and transparently relays the data stream to a third-party anti-virus server
- HTTP security functions: URL screening, blocks Java code, strips all the script/applet/ActiveX tags from the HTML code (known as HTML weeding), and anti-virus scanning using a third-party server
- URI (Uniform Resource Identifier) is the resource object type for HTTP
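HTML weeding is the one content-security function above that can be shown end to end in a few lines. The following is an added example, not Check Point's HTTP Security Server: it uses Python's standard-library HTML parser to strip the script/applet/ActiveX tags the page names, together with their contents (ActiveX controls are embedded through object tags, so those and embed tags are included), and it goes one step beyond the page's tag-level description by also dropping inline on* event-handler attributes, since script can ride on those as well as inside a tag. The sample document is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Tags weeded out together with everything between their open and close.
WEEDED_TAGS = {"script", "applet", "object", "embed"}


class Weeder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # rebuilt document fragments
        self.removed = []    # weeded tag names, for the log
        self.depth = 0       # > 0 while inside a weeded element

    def _emit_start(self, tag, attrs, self_closing):
        # Drop on* attributes (onclick, onload, ...); re-escape the rest.
        kept = [(k, v) for k, v in attrs if not k.lower().startswith("on")]
        parts = [f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
                 for k, v in kept]
        self.out.append(f"<{tag}{''.join(parts)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        if tag in WEEDED_TAGS:
            self.depth += 1
            self.removed.append(tag)
        elif not self.depth:
            self._emit_start(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag in WEEDED_TAGS:
            self.removed.append(tag)
        elif not self.depth:
            self._emit_start(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag in WEEDED_TAGS:
            self.depth = max(0, self.depth - 1)
        elif not self.depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass   # comments carry nothing for the reader; drop them


def weed(html: str):
    """Return (cleaned_html, removed_tags)."""
    w = Weeder()
    w.feed(html)
    w.close()
    return "".join(w.out), w.removed


# Constructed sample page mixing ordinary content with the elements to weed.
SAMPLE = ('<html><body><p onclick="steal()">Hello &amp; welcome</p>'
          '<script>document.cookie</script>'
          '<applet code="Evil.class">fallback</applet>'
          '<object classid="clsid:0000"><param name="x" value="1"/></object>'
          '<a href="/next?a=1&amp;b=2">next</a></body></html>')

if __name__ == "__main__":
    cleaned, removed = weed(SAMPLE)
    print(cleaned)
    print("weeded:", removed)
```

The parser is the right tool here rather than a regular expression: it tracks nesting, so content inside a weeded element (the applet's fallback text, the object's param) is removed with it, and attribute values are re-escaped on output so the rewritten page stays well-formed. Weeding is a filter on what reaches the browser; it is not an anti-virus scan, which the page assigns to the CVP server.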

Anti-Spoofing
- Configuration is done in the firewall object's Interface properties - Valid Addresses section
- Possible options:
  - Any - the default choice; no anti-spoofing configuration in place
  - No Security Policy - nothing at all
  - Others - all packets are allowed except those with source IP addresses from the networks listed under Valid Addresses for this object's other interfaces
  - Others+ - same as Others, but packets from the addresses listed under the Others+ section are also allowed
  - This Net - only packets from the network attached to this interface are allowed
  - Specific - only packets from a specifically defined object are allowed
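The six options differ in what they compare the source address against, and Others/Others+ depend on what the other interfaces declare, which is the part that trips people up. The following is an added example, not Check Point code, that implements each option as the page describes it. The three-interface topology, its networks and the packets checked are constructed; 10.99.0.0/16 plays a network that is reachable both ways and is therefore listed under Others+ on the external interface.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    network: str                 # network directly attached to this interface
    mode: str = "Any"            # Any, No Security Policy, Others, Others+, This Net, Specific
    addresses: list = field(default_factory=list)   # Specific object(s), or the Others+ list


def _covers(networks, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(n) for n in networks)


def valid_addresses(iface):
    """Networks this interface claims as its own legitimate sources."""
    if iface.mode == "This Net":
        return [iface.network]
    if iface.mode == "Specific":
        return list(iface.addresses)
    return []        # Any, No Security Policy, Others and Others+ claim nothing


def source_allowed(iface, src_ip, all_interfaces):
    """Anti-spoofing verdict for a packet arriving on iface with source src_ip."""
    mode = iface.mode
    if mode in ("Any", "No Security Policy"):
        return True                                    # nothing is checked
    if mode in ("This Net", "Specific"):
        return _covers(valid_addresses(iface), src_ip)
    if mode in ("Others", "Others+"):
        if mode == "Others+" and _covers(iface.addresses, src_ip):
            return True                                # listed exception
        claimed_elsewhere = [n for other in all_interfaces if other.name != iface.name
                             for n in valid_addresses(other)]
        return not _covers(claimed_elsewhere, src_ip)  # allowed unless another interface owns it
    raise ValueError(f"unknown anti-spoofing mode {mode!r}")


def check_packets(interfaces, packets):
    """packets: (interface_name, source_ip) pairs -> (name, ip, allowed) triples."""
    by_name = {i.name: i for i in interfaces}
    return [(name, ip, source_allowed(by_name[name], ip, interfaces)) for name, ip in packets]


# Constructed topology: external uses Others+, internal This Net, DMZ Specific.
INTERFACES = [
    Interface("external", "198.51.100.0/24", "Others+", ["10.99.0.0/16"]),
    Interface("internal", "10.0.0.0/8", "This Net"),
    Interface("dmz", "192.0.2.0/24", "Specific", ["192.0.2.0/24", "203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, ip, ok in check_packets(INTERFACES, [("external", "10.1.1.1"),
                                                   ("external", "10.99.5.5"),
                                                   ("internal", "8.8.8.8")]):
        print(f"{name:9} src={ip:12} {'allowed' if ok else 'SPOOFED'}")
```

Note what Others does not do: it only rejects sources that some other interface has claimed through This Net or Specific. An interface left on Any claims nothing, so addresses behind it are not protected by the Others setting on the outside interface; that is the practical reason to give every inside interface a This Net or Specific setting.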

Network Address Translation (NAT)
- Definition: replaces an IP address with a different one. Used to conceal our internal network structure, or when illegal IP addresses are being used in our internal network. Options include:
  - Source Static Mode - one-to-one translation; translates an illegal IP to a legal IP
  - Destination Static Mode - one-to-one translation; translates a legal IP to an illegal IP
  - Hide Mode - many-to-one automatic translation used for connections initiated by the internal network; hides a range of illegal IP addresses behind a single legal IP address, and uses the port number to distinguish between traffic heading towards different workstations.
- Hide Mode is not suitable if there are servers in our internal network that must be reachable from outside. For example, with hide mode network address translation, an internal server behind the firewall would NOT be able to act as an FTP server.
- For Source Static and Hide mode, the legal addresses must be published manually with an ARP entry so that replies can be routed back. For Unix systems, use the ARP command; for NT systems (since ARP does not create permanent entries) place a local.arp file (with the format: IP <TAB> MAC) in \winnt\fw\state\ and restart the firewall service.
- For Destination Static Mode, address translation takes place after internal routing but before transmission. Move the packet to the firewall by publishing the IP address to the firewall interface using the route add command, for both UNIX and NT.
- A matching rule in the Rule Base must be created for NAT to take place

Figure 6 - Defining NAT

Figure 7 - NAT in the Rule Base
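The three modes, and the reason Hide Mode cannot front an internal server, are clearest when modelled on a connection 5-tuple. The following is an added example, not Check Point code: Hide Mode allocates a port per outbound connection and translates inbound packets only when they answer a tracked connection, while Source Static and Destination Static are the two directions of one one-to-one mapping. Addresses and ports are constructed, with 10.0.0.0/8 playing the "illegal" range and 203.0.113.0/24 the legal one; the local_arp_lines helper and the MAC address it is given are constructed as well, following the IP <TAB> MAC format the page gives for local.arp.

```python
import ipaddress
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class HideNat:
    """Hide Mode: many illegal sources behind one legal IP, told apart by the
    port the firewall allocates for each outbound connection."""

    def __init__(self, hidden_net, hide_ip, first_port=10000):
        self.hidden_net = ipaddress.ip_network(hidden_net)
        self.hide_ip = hide_ip
        self.ports = count(first_port)
        self.table = {}   # (allocated port, peer ip, peer port) -> (orig src, orig sport)

    def outbound(self, c):
        if ipaddress.ip_address(c.src) not in self.hidden_net:
            return c                                   # not a hidden address: untouched
        port = next(self.ports)
        self.table[(port, c.dst, c.dport)] = (c.src, c.sport)
        return replace(c, src=self.hide_ip, sport=port)

    def inbound(self, c):
        """Packets to the hide IP are translated only if they answer a tracked
        outbound connection. Anything else, e.g. an outside client trying to
        reach an internal FTP server, has no mapping and is dropped (None)."""
        key = (c.dport, c.src, c.sport)
        if c.dst != self.hide_ip or key not in self.table:
            return None
        src, sport = self.table[key]
        return replace(c, dst=src, dport=sport)


class StaticNat:
    """Source Static (illegal -> legal going out) and Destination Static
    (legal -> illegal coming in) as the two directions of a 1:1 mapping."""

    def __init__(self, mapping):            # {illegal ip: legal ip}
        self.to_legal = dict(mapping)
        self.to_illegal = {legal: illegal for illegal, legal in mapping.items()}

    def outbound(self, c):                  # Source Static
        return replace(c, src=self.to_legal.get(c.src, c.src))

    def inbound(self, c):                   # Destination Static
        return replace(c, dst=self.to_illegal.get(c.dst, c.dst))


def local_arp_lines(legal_ips, firewall_mac):
    """Lines for the NT local.arp file (IP <TAB> MAC) that publish the legal
    addresses on the firewall interface so that replies are routed back."""
    return [f"{ip}\t{firewall_mac}" for ip in legal_ips]


if __name__ == "__main__":
    hide = HideNat("10.0.0.0/8", "203.0.113.1")
    out = hide.outbound(Conn("10.0.0.5", 40000, "198.51.100.9", 80))
    print("out:", out)
    print("reply:", hide.inbound(Conn("198.51.100.9", 80, "203.0.113.1", out.sport)))
    print("unsolicited ftp:", hide.inbound(Conn("198.51.100.9", 51000, "203.0.113.1", 21)))
    print("\n".join(local_arp_lines(["203.0.113.1"], "00-00-5E-00-53-01")))
```

Two hidden hosts that both use source port 40000 to the same server get different allocated ports, which is what the page means by using the port number to tell workstations apart. The unsolicited FTP connection returns None because nothing in the table maps port 21 on the hide IP to an inside host; a server that must accept such connections needs a Destination Static entry, and the page's note about publishing the legal address with an ARP entry (or route add for Destination Static) is what gets the packet to the firewall in the first place.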

Solving the SYN Flood Problem
- Definition: a simple type of denial of service attack which can halt a mission critical service
- The normal TCP handshake process:
  - SYN - the client makes a request to the server, asking for a chance to talk
  - SYN/ACK - the server replies by saying OK
  - ACK - the client confirms with the server and establishes the connection
- An attacker uses a SYN Flood to send the target server a large volume of SYN packets with spoofed source IP addresses
- The server is kept busy replying to unreachable hosts
- Firewall-1 uses SYNDefender to protect against SYN Flood attacks:

SYN Relay
- have the firewall validate every connection before passing it to the original destination
- safest from the server's point of view
- a connection reaches the server only after it has been validated by the firewall

SYN Gateway
- have the firewall open a connection to the original destination first, but wait for the ACK from the source before allowing the connection to actually start

Passive SYN Gateway
- have the firewall open a connection to the original destination first; without the ACK from the source, a direct connection will not be allowed
- the firewall keeps track of the handshake state
- if the timer expires, a reset packet is used to close the connection on the server
- The timeout value is critical, as it determines how long the firewall should wait for an ACK before assuming that the connection is a SYN attack
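The Passive SYN Gateway description above, and the Stateful Inspection passage earlier (a dynamic state table that admits traffic for the life of a session and closes the port when the session ends), describe the same data structure seen from two sides. The following is an added example, not SYNDefender or any other Check Point code, that models both: the firewall passes the client's SYN, records the handshake state, passes later packets only when they belong to a tracked connection in the right state, removes the entry when the session closes, and when the timer expires without the client's ACK it produces the reset packet that closes the half-open connection on the server. Addresses, ports, the flag strings and the timeout are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # simplified: "SYN", "SYN/ACK", "ACK", "FIN" or "RST"


class SynGateway:
    def __init__(self, timeout):
        self.timeout = timeout
        self.table = {}   # (client, cport, server, sport) -> [state, deadline or None]

    def inspect(self, pkt, now):
        """Return 'pass' or 'drop' for pkt and update the handshake state."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)   # client -> server
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # server -> client
        if fwd in self.table:
            key, from_client = fwd, True
        elif rev in self.table:
            key, from_client = rev, False
        elif pkt.flags == "SYN":
            self.table[fwd] = ["SYN_SENT", now + self.timeout]   # pass SYN on, start timer
            return "pass"
        else:
            return "drop"                    # no state: not part of any known session
        entry = self.table[key]
        state = entry[0]
        if state == "SYN_SENT" and from_client and pkt.flags == "SYN":
            return "pass"                    # client retransmitting its SYN
        if state == "SYN_SENT" and not from_client and pkt.flags == "SYN/ACK":
            entry[0] = "SYN_RECEIVED"
            return "pass"
        if state == "SYN_RECEIVED" and from_client and pkt.flags == "ACK":
            entry[0], entry[1] = "ESTABLISHED", None   # handshake complete, timer off
            return "pass"
        if state == "ESTABLISHED":
            if pkt.flags in ("FIN", "RST"):
                del self.table[key]          # session over: the port is closed again
            return "pass"
        return "drop"                        # out of sequence for this state

    def expire(self, now):
        """Remove half-open entries whose timer has run out and return the RST
        packets the firewall sends so that the server closes those connections."""
        resets = []
        for key, (state, deadline) in list(self.table.items()):
            if deadline is not None and deadline <= now:
                client, cport, server, sport = key
                resets.append(Pkt(client, cport, server, sport, "RST"))
                del self.table[key]
        return resets

    def established_count(self):
        return sum(1 for state, _ in self.table.values() if state == "ESTABLISHED")


if __name__ == "__main__":
    gw = SynGateway(timeout=5.0)
    server = "203.0.113.10"
    gw.inspect(Pkt("198.51.100.7", 40000, server, 25, "SYN"), 0.0)
    gw.inspect(Pkt(server, 25, "198.51.100.7", 40000, "SYN/ACK"), 0.1)
    gw.inspect(Pkt("198.51.100.7", 40000, server, 25, "ACK"), 0.2)
    for i in range(3):   # half-open connections from unreachable (spoofed) sources
        gw.inspect(Pkt(f"192.0.2.{i}", 1000 + i, server, 25, "SYN"), 2.0)
    print("established:", gw.established_count(), "resets at t=7.5:", len(gw.expire(7.5)))
```

The timeout is the knob the page calls critical: too short and slow but genuine clients get reset before their ACK arrives; too long and the server keeps half-open connections for the whole window, which is exactly the resource the flood is trying to exhaust. The same table is what makes a server-side packet to a client that never completed the handshake fall through to drop.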

Special Thanks to Michael Yu for contributing material for this Cramsession.