Checklist for Check Point Security Settings
Not long ago we published an open-access mini-course, "Check Point to the Max". In it we tried to walk briefly, with examples, through the most common mistakes in Check Point configuration from an information-security point of view. Essentially, we explained what is wrong with the default settings and how to tighten the screws. The course (unexpectedly for us) received rather good reviews. After that we received several requests for a brief digest of this material: a security checklist. We decided that was a good idea, and so we are publishing this article.
Before starting, I would like to draw attention to two things:
This checklist is not a self-sufficient document or manual. It is only the necessary minimum of checks that it is desirable to perform. Additional (extended) recommendations can be obtained only after a detailed examination of the infrastructure.
The checklist will be relevant not only for owners of Check Point. Similar problems with default settings are observed with other vendors: Fortigate, Palo Alto, Cisco Firepower, Kerio, Sophos, etc.
And now the checklist itself, with a few comments on each item:
1) HTTPS inspection is enabled
I talked about the importance of HTTPS inspection in the second lesson of "Check Point to the Max". Without this option, your expensive NGFW turns into a big hole in the network perimeter.
2) Unwanted resources and applications are blocked (App & URL Filtering)
In Check Point, two blades are responsible for this: Application Control and URL Filtering. Other vendors do practically the same with minor differences. The main task of these functions is to reduce the attack surface by blocking access to potentially dangerous resources or applications. For some reason, despite the presence of pre-configured categories (Anonymizer, Botnets, Critical Risk, Hacking, High Risk, Phishing, Remote Administration, Suspicious Content, Spyware / Malicious Sites, Stealth Tactics, etc.), these features are not used. It is better to block such things at the network level rather than hand the traffic on to the heavier protection mechanisms (IPS, Antivirus, Anti-Bot, Threat Emulation) for inspection. This avoids false positives and saves gateway performance. Find out which categories of sites and applications your gateway allows you to block, then review your access policy again. SmartEvent, which can generate a report on user traffic, is a good help here.
3) Downloading of unwanted files is blocked (Content Awareness)
I talked about this in the third lesson. In Check Point, the Content Awareness blade is responsible for this feature. Other vendors may do it either with Anti-Virus or with a DLP module. The point of this measure is to deliberately block unwanted file types. Do your users need to download .exe files? And scripts? Why inspect these files and hope for the reliability of your gateway if you can block them as unwanted content? Lower load on the NGFW and a higher level of security. Sometimes the user may not even know that a download has started (background download). Review your policy and block at least executable files.
4) Antivirus performs a full scan of files (Antivirus - deep scan)
Absolutely all vendors are guilty of this. In the default settings, the streaming antivirus checks either the file hash or the first few bytes. For adequate protection this is not enough: modifying a virus is easy, and catching the modified variants requires a deep check. In Check Point, the deep inspection option is responsible for this. But be careful: it is not necessary to enable this feature for absolutely all files. If you have a "weak" gateway, the load may increase too much. Use deep inspection for the most dangerous (and most frequently downloaded) file types: pdf, docx, xlsx, rtf, zip, rar, exe (if you allow them to be downloaded), etc. See the third lesson for more details.
5) Archives are scanned, password-protected ones are blocked (Antivirus - archive scan)
Surprisingly, many people forget about this option. I think it is obvious to everyone that archives need to be checked. And it should be equally obvious that password-protected archives should be blocked. I see no reason to elaborate further here. Just check that you have this configured.
6) Additional scanning mechanisms are enabled (Antivirus - Protections)
In the default Threat Prevention profile (Optimized), additional check mechanisms such as Malicious Activity - Signatures and Unusual Activity - Behavioral Patterns are disabled. Do not neglect these settings. I showed how to enable them in the third lesson.
7) IPS is updated at least once a week
In the fifth lesson I tried to show how important IPS is for protecting the network. One of the key conditions for its effectiveness is a "fresh" signature database. Make sure your IPS is updated often enough. My recommendation is at least once every three days. As a rule, the default values are much higher (from a week to a month) for almost all vendors.
8) IPS is placed in a separate Layer
Another important point. Be sure to put IPS in a separate Layer. Only in this way can you get the most out of it. I explained in some detail why and how to do this in the sixth lesson.
9) Different Threat Prevention policies for different network segments
Threat Prevention policies include blades such as Antivirus, Anti-Bot, IPS, Threat Emulation and Threat Extraction. As we already established above, IPS should be moved into a separate Layer. There you should have at least two policies: one for client devices, the other for servers. Ideally the policies should be split up even further, because each segment can contain different types of devices and different types of services. The key task is to enable only the necessary protection mechanisms. It makes no sense to check traffic destined for a Linux host against Windows signatures. The same goes for the other blades. A segmented Threat Prevention policy is the key to adequate protection.
10) Hold mode is used
The default mode for Threat Prevention is background. This means that if a file is new and there is no matching signature, it can be let through while the "in-depth" check runs in the background. This is not exactly what is usually expected of a protection tool. Therefore, make sure that Hold mode is enabled in the Threat Prevention properties (in both the global and the profile settings).
11) Geo Policy
This function is also undeservedly forgotten. It lets you block all traffic of your network (both incoming and outgoing) to and from any chosen country. Do your users need to visit resources in Bangladesh or the Congo? Attackers, however, like to use servers in countries whose legislation on cybercrime is rather weak. A competent Geo Policy will not only raise the level of security but also reduce the load on the gateway, because the gateway will no longer have to inspect everything.
12) Threat Emulation is enabled
This does not fit into a single item. Properly, Threat Emulation settings deserve a separate checklist. With your permission, I will not do that here :) I will limit myself to one main recommendation: the blade should be enabled. For some reason, many administrators still consider this feature an unnecessary exotic. Turn on at least Detect mode and look at the report after a week. You will be surprised. If your current subscription level does not allow using this blade, you can request a demo license for 30 days.
13) False Positive
Last but not least. I have repeated many times (and I am not tired of repeating) that security is a continuous process, not a result. Therefore, even if everything is well tuned, you should at least check its effectiveness and results. Does the protection work, and are there no errors? The simplest way to do this is to check the security logs periodically. Check the logs of the Threat Prevention blades for Detect events with Severity High or Critical and Confidence Level High. Example log filter:
product_family: (Threat OR Endpoint OR Mobile) AND action: Detect AND severity: (Critical OR High) AND confidence_level: (Medium-High OR High)
If you see logs that match this filter, it means something that should have been blocked was let into the network. Either you misconfigured something, or your protection tool does not work as it should. Check for such events periodically, or set up notifications (SmartEvent functionality).
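The same check as an offline script, added here as an example and not part of the original article or of any Check Point tool: the filter above is expressed as allowed values per log field and applied to a few constructed JSON-lines records (the field names come from the filter; the timestamps, blades and addresses are made up), reporting the events that were only detected, not prevented.

```python
import json
from collections import Counter

# The filter from item 13, expressed as the allowed values of each log field.
FILTER = {
    "product_family": {"Threat", "Endpoint", "Mobile"},
    "action": {"Detect"},
    "severity": {"Critical", "High"},
    "confidence_level": {"Medium-High", "High"},
}

# Constructed sample records (JSON lines). Field names follow the filter;
# everything else (times, blades, addresses) is invented for this example.
SAMPLE_LOGS = """\
{"time": "2024-01-01T10:00:00Z", "product_family": "Threat", "product": "Anti-Virus", "action": "Detect", "severity": "High", "confidence_level": "High", "src": "10.0.0.5"}
{"time": "2024-01-01T10:01:00Z", "product_family": "Threat", "product": "IPS", "action": "Prevent", "severity": "Critical", "confidence_level": "High", "src": "10.0.0.6"}
{"time": "2024-01-01T10:02:00Z", "product_family": "Threat", "product": "Anti-Bot", "action": "Detect", "severity": "Low", "confidence_level": "High", "src": "10.0.0.7"}
{"time": "2024-01-01T10:03:00Z", "product_family": "Access", "product": "Firewall", "action": "Accept", "severity": "Informational", "confidence_level": "N/A", "src": "10.0.0.8"}
{"time": "2024-01-01T10:04:00Z", "product_family": "Threat", "product": "Threat Emulation", "action": "Detect", "severity": "Critical", "confidence_level": "Medium-High", "src": "10.0.0.9"}
"""


def matches(record, rule=FILTER):
    """True when every field named in the rule carries one of its allowed values."""
    return all(record.get(field) in allowed for field, allowed in rule.items())


def find_missed_blocks(jsonl):
    """Return the records that were only detected although they should have been blocked."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            record = json.loads(line)
            if matches(record):
                hits.append(record)
    return hits


def count_by_blade(hits):
    """Group the hits per blade ('product') so the noisiest gap stands out."""
    return dict(Counter(h.get("product", "unknown") for h in hits))


if __name__ == "__main__":
    hits = find_missed_blocks(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["time"]} {h["product"]:<16} {h["severity"]:<8} {h["confidence_level"]:<11} src={h["src"]}')
    print("detect-only events per blade:", count_by_blade(hits))
```

On the sample records only the Anti-Virus and Threat Emulation events match; the IPS event was prevented, the Anti-Bot event is low severity and the firewall accept is not a Threat Prevention log at all.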
Best Practice
Most of these points can be found in the official Check Point documentation. We have already published a whole selection in the article "Check Point instructions and useful documentation". In our case, the main sources of information are the collections of articles Best Practice and ATRG. If you are a happy owner of Check Point products, these topics are required reading.
Conclusion
This concludes our "devil's dozen" of checks. If you bring the settings of your gateway into line with this list, your level of security will be higher than that of 80% of companies (statistics from personal experience). I repeat that these are only basic checks. For advanced and more specific recommendations, a comprehensive analysis of the current settings and network architecture is needed. Here you can view a sample report (Check Point Security Audit) based on the results of such an audit of settings. If you wish, you can get a report with specific recommendations and instructions for corrections.
Additional tutorials can be found in our group and Telegram channel.