Security Policy Management

Concept

Multiple Security Gateways can be deployed. Traffic entering or leaving the network always passes through the Firewall. Once traffic reaches the Firewall, the Firewall checks the rule set it received from the SMS (Security Management Server) and makes its decision based on that.

Traffic Types

  1. Going to the Firewall

    1. Traffic directly hitting the Firewall's IP address (e.g. pinging the internal Firewall IP)

    2. RESTRICTIVE

  2. Inside -> Outside

    1. Traffic that is trying to reach an external network (e.g. pinging 1.1.1.1).

    2. More allowance is given here

  3. Outside -> Inside

    1. Traffic that is trying to reach an internal network (e.g. public-facing websites)

    2. Fewer allowances are given here

Security Policies

A Security Policy is a collection of rules and settings that control network traffic and enforce organization guidelines for data protection and access to resources, using packet inspection.

These rules are read from the top down. Rule Shadowing occurs when a broader rule sits above (and therefore has higher priority than) a more specific rule, so the specific rule is never reached.

  • Policies are created and managed in SmartConsole

  • They are stored in the Security Management Server

  • Then enforced by the Security Gateway

Basic Policy Types

  • Access Control Policy

    • Firewall, Application & URL Filtering, Content Awareness, IPsec VPN and Mobile Access, Identity Awareness

  • Desktop Security Policy

    • Applies to Check Point clients that include Desktop Security, such as Endpoint Security VPN; the policy is enforced on the client to give it firewall protection

  • QoS Policy

    • Prioritizes certain traffic over other traffic (e.g. VoIP over Roblox). Guaranteed access/priority can be given to employees

  • Threat Prevention Policy

    • IPS, Anti-Bot, Anti-Virus, SandBlast

Multiple policies can be made for specific sites if there are multiple sites.

This can be done with Unified Policies, which group multiple basic policy types together; the group can then be assigned to a specific firewall (wpg site & mtl site).

Log entries can be set up to generate whenever a rule is hit.

Shared Policies

These can be created so the same policy doesn't have to be built multiple times when multiple Security Gateways are being administered.

Stealth Rule

For an effective Security Policy, Check Point recommends that rule bases contain Cleanup and Stealth rules. These rules are added first.

The stealth rule drops any traffic destined for the Firewall that is not otherwise explicitly allowed.

The management rule makes sure that only the Management Server can reach the Firewall, via https and ssl_version_2.

  • Explicit rules

    • Created by the admin

    • Configured to allow or block traffic based on specific criteria

  • Implied rules

    • Created by the SGW (Check Point)

    • Configured to allow connections for different services that the SGW uses

    • Placed first, last, or before last in the Firewall Rule Base

Rule Examples

  • Accept: Allowed to pass

  • Drop: Drops the traffic silently, without telling the source anything

  • Reject: Drops the traffic AND tells the source that it was dropped
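As an added illustration (not from these notes and not Check Point code), here is a small Python model of top-down, first-match rule evaluation over a rule base that contains Management, Stealth and Cleanup rules, together with a check for rules that an earlier, broader rule completely shadows. Rule, network and service names are constructed for the example; "Any" plays the role of the Any object in a real rule base.

```python
from dataclasses import dataclass

ANY = "Any"
F = frozenset

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset   # network/zone names, or {ANY}
    dst: frozenset
    svc: frozenset
    action: str      # "Accept", "Drop" or "Reject"

def _covers(field, value):
    return ANY in field or value in field

def _subsumes(outer, inner):
    """True when everything the inner field can match is also matched by outer."""
    return ANY in outer or (ANY not in inner and inner <= outer)

def match(rules, src, dst, svc):
    """Top-down first match, the way a gateway reads its rule base."""
    for r in rules:
        if _covers(r.src, src) and _covers(r.dst, dst) and _covers(r.svc, svc):
            return r.name, r.action
    return None, "Drop"  # nothing hit: implicit drop (the Cleanup rule makes this explicit and logged)

def shadowed(rules):
    """Return (rule, shadowing_rule) pairs where a single earlier rule fully covers a later one."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (_subsumes(earlier.src, r.src) and _subsumes(earlier.dst, r.dst)
                    and _subsumes(earlier.svc, r.svc)):
                out.append((r.name, earlier.name))
                break
    return out

# Constructed rule base: Management and Stealth first, Cleanup last.
RULEBASE = [
    Rule("Management", F({"SMS"}), F({"GW"}), F({"https"}), "Accept"),
    Rule("Stealth", F({ANY}), F({"GW"}), F({ANY}), "Drop"),
    Rule("Web out", F({"InternalZone"}), F({ANY}), F({"http", "https"}), "Accept"),
    Rule("DNS out", F({"InternalZone"}), F({ANY}), F({"dns"}), "Accept"),
    Rule("Block Roblox", F({"InternalZone"}), F({"Roblox"}), F({"https"}), "Reject"),  # never reached
    Rule("Cleanup", F({ANY}), F({ANY}), F({ANY}), "Drop"),
]
```

Running `shadowed(RULEBASE)` reports that "Block Roblox" is shadowed by "Web out"; moving the specific Reject rule above the broad Accept rule fixes the order.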

Order of Operations

Anti-Spoofing is usually only applied to the internal interfaces.

Security Zones

Interfaces on the Firewall can be placed into a Security Zone. This simplifies rule base creation and policy management.

Predefined Security Zones:

  • InternalZone

  • ExternalZone

  • DMZZone

  • WirelessZone

Policy Packages

These are logical groupings of one or more of the Basic Policy types. This lets you install different combinations of policies on a Firewall.

Practice Questions
