Check Point NG AI
While the brunt of your security policy will reside in the rule base, there are other places you have to pay attention to. In order to fully secure your enterprise, you will need to be familiar with the Global Properties, and most likely you will need to alter them to fit your needs. You do this by accessing the Global Properties from the Policy menu. The next few sections discuss these properties. Figure 3.32 displays the initial panel of the Global Properties.
FireWall-1 Implied Rules
FW-1 has a feature called the implied rule base. This rule base is made up of settings in the Global Properties, as opposed to the one explicitly created by the firewall administrator, and is shown in Figure 3.32. What you select is up to your security policy, but we highly recommend that you enable the logging of these rules.
One important thing to understand is the implication of the option values. If you select a rule to be included within the implied rule base, you need to decide where to place that rule. You have three choices:
- First
- Last
- Before Last
You will need to select the location in the rule base where the selected rule will be placed. This is a critical decision, and you should understand how a packet passes through the rule base in order to make it. Furthermore, not all implied rules are as simple as they may seem. The first implied rule, Accept VPN-1 and FW-1 control connections, for example, enables 32 services required for administrative tasks. Examples of connections allowed via the Accept VPN-1 and FW-1 control connections option include allowing a management station to push a policy to a firewall and allowing a firewall to query a RADIUS server to authenticate users. You probably do not need to worry about this too much, but it is a good thing to be aware of.
The reason for Last and Before Last is that it is a best practice for the last rule in your rule base to be a rule (referred to as the Cleanup Rule) that drops all traffic that has not been accepted by a previous rule. The Before Last option places the implied rule immediately before that Cleanup Rule, so it is still evaluated. If you do not use a Cleanup Rule, the Last option is appropriate, as it places the implied rule at the very end of your rule base.
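To make the placement question concrete, the following is an added example (not Check Point code) of a toy first-match rule base. Rule and packet fields, the service names, the host names and the policy itself are constructed stand-ins; the point it shows is that an implied rule placed Last behind a Cleanup Rule is never reached, while Before Last keeps it ahead of the drop-all rule.

```python
"""Toy first-match rule base showing where implied rules land.

Added example, not Check Point code: rule and packet fields are
simplified stand-ins for the real FW-1 objects.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str          # "accept" or "drop"
    implied: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def _field_matches(rule_value, packet_value):
    return rule_value == ANY or rule_value == packet_value


def matches(rule, pkt):
    return (_field_matches(rule.src, pkt.src)
            and _field_matches(rule.dst, pkt.dst)
            and _field_matches(rule.service, pkt.service))


def build_rule_base(explicit, implied, placement):
    """Return the effective ordered rule base.

    explicit:  the administrator's rules; if a Cleanup Rule is used it is
               assumed to be the final entry
    implied:   rules enabled in Global Properties
    placement: "First", "Last" or "Before Last"
    """
    if placement == "First":
        return list(implied) + list(explicit)
    if placement == "Last":
        return list(explicit) + list(implied)
    if placement == "Before Last":
        if not explicit:
            return list(implied)
        # slot the implied rules in just ahead of the final (cleanup) rule
        return list(explicit[:-1]) + list(implied) + [explicit[-1]]
    raise ValueError(f"unknown placement {placement!r}")


def evaluate(rule_base, pkt):
    """First matching rule wins; no match at all means an implicit drop."""
    for rule in rule_base:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "<implicit drop>"


# Constructed sample policy (hypothetical hosts and services)
CLEANUP = Rule("Cleanup Rule", ANY, ANY, ANY, "drop")
EXPLICIT = [
    Rule("Web to DMZ", ANY, "dmz-web", "http", "accept"),
    Rule("Admin SSH", "admin-net", "gw-1", "ssh", "accept"),
    CLEANUP,
]
IMPLIED = [
    Rule("Accept VPN-1 & FW-1 control connections",
         "mgmt", "gw-1", "fw1_mgmt", "accept", implied=True),
]
CONTROL_PKT = Packet("mgmt", "gw-1", "fw1_mgmt")   # management station pushing a policy


def control_connection_outcome(placement, explicit=EXPLICIT):
    """(action, matching rule name) for the control connection under a placement."""
    rb = build_rule_base(explicit, IMPLIED, placement)
    return evaluate(rb, CONTROL_PKT)


if __name__ == "__main__":
    for placement in ("First", "Before Last", "Last"):
        print(f"{placement:12} -> {control_connection_outcome(placement)}")
    print("Last, no cleanup ->", control_connection_outcome("Last", EXPLICIT[:-1]))
```

Run it and the control connection is accepted under First and Before Last but hits the Cleanup Rule under Last; remove the Cleanup Rule and Last works again, which is exactly the trade-off the text describes.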
Viewing Implied Rules
There are two methods of viewing implied rules. You can view them within the Global Properties window, but this is often cumbersome and hard to follow as a whole. When you want access to these rules while editing the rest of your rule base, the easiest way is to select the View menu and then select Implied Rules. You will see something like what is displayed in Figure 3.33. Note that the implied rules are unnumbered and are highlighted by their different color.
Other Global Properties
The following is a list of other Global Properties with brief descriptions.
- Security Server: The Security Server panel allows the entry of welcome messages for many of the most common Internet services. This is accomplished by pointing to the appropriate file containing the message. You can also configure the HTTP Next Proxy, although this is better done in the workstation object on NG versions of FW-1; earlier versions still require the entry in this field.
- Voice over IP Protocols (VoIP): The VoIP panel allows you to granularly define how VoIP will be inspected. This includes what you want to allow with regard to H.323 and SIP connections, as well as whether to log VoIP-specific information such as phone numbers.
- NAT: The NAT panel configures some general NAT behavior such as the Automatic NAT rules and NAT pools for SecuRemote connections. NAT is covered in Chapters 5 and 12.
- Authentication: The Authentication panel enables you to specify the tolerance for failed login attempts. There are parameters for rlogin, telnet, client authentication and session authentication. There is also a section for configuring session timeout, wait mode, and logging/alerting for earlier version modules.
- VPN-1 Pro: The VPN-1 Pro panel controls the behavior of SmartDashboard when creating new security policies, with regard to whether they will be created in simplified mode, in traditional mode, or with the administrator given the option.
- Earlier Versions Compatibility: The Earlier Versions Compatibility panel controls the timeout configuration of IKE negotiations for pre-NG modules.
- Advanced: This panel controls the multiple entry points and backup gateway functionality for site-to-site VPNs, as well as the CRL grace periods. Within this panel you will be able to configure how gateways choose interfaces on other hosts to send VPN connections. The IKE denial of service protection is also defined on this panel.
- VPN-1 Net: For gateways that only function as VPN endpoints and do not enforce specific firewalling rules, VPN-1 Net may be used. Because the administrator does not have granular control over the policy, the pre-defined policies for security, address translation, and logging are defined globally here. There are also options within this panel for whether to allow Hypertext Transfer Protocol Secure (HTTPS) and Secure Shell (SSH) connections to the VPN-1 Net device.
- Remote Access: The Remote Access panel contains information regarding the behavior of your firewall with regard to SecuRemote and SecureClient connections. The settings you select here are highly dependent on your own security policy, but it is strongly recommended that you log violation notifications and not respond to unauthenticated topology requests. Desktop security is covered in depth in Chapter 11.
- Extranet Management Interface: In the event that you purchased Extranet Manager, there are two configuration parameters within this panel regarding how often to check the partner for updates and the grace period for Secure Sockets Layer (SSL) certificates from the partner. You also have the ability to view the local digital fingerprint.
- LDAP Account Management: The LDAP Account Management panel allows the enabling of LDAP for account management. Here you can also set some session timeouts and password rules. LDAP is covered in depth in Chapter 6.
- FloodGate-1: Though outside the scope of this book, specific configuration for what will be available in the QoS rule base is configured from the FloodGate-1 panel.
- SmartMap: The SmartMap provides a very slick interface to view your objects and their interrelations. This panel enables you to display the SmartMap or conceal it from view. Note that if you disable the SmartMap, no topology calculations will take place within the firewall's inner workings.
- FireWall-1 GX: FW-1 GX is used for firewalling GSM and GPRS networks. Configurations related specifically to GTP and other cellular networking options can be set globally here.
- Management High Availability: Management High Availability is similar to that for gateways, except that it allows the management modules to exhibit some redundancy. This panel allows you to select the synchronization time of the management servers participating in the High Availability configuration, or what events trigger a synchronization, if any.
- ConnectControl: The ConnectControl panel allows the configuration of this very handy feature. On this panel, you can set the interval that VPN-1/FW-1 will wait between server checks (commonly known as heartbeat checks) and the number of retries before a server is considered unreachable. You can also set the persistency timeout. This is the time within which all connections from the same source IP will be forwarded to the same server. Finally, you can configure the listening address of the server agent used to measure server load and the polling interval for it.
- OSE: The OSE panel allows an administrator to define implied rules for rule bases installed on OSE-compatible devices.
- Stateful Inspection: Stateful Inspection is the heart of FW-1. This panel enables you to specify timeout settings for TCP sessions, to configure stateful UDP and ICMP behavior, and to define how to handle out-of-state TCP, UDP, and ICMP packets.
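The following is an added example, not Check Point's implementation, of the three ideas the Stateful Inspection panel governs: a connection table keyed on the 5-tuple, per-protocol session timeouts, and the treatment of a TCP packet that arrives with no matching state (an out-of-state packet). Timeout values, host names, ports and the stand-in policy function are all constructed for the demonstration.

```python
"""Toy stateful inspection table: session timeouts and out-of-state packets.

Added example, not Check Point code. Timeouts and hosts are constructed
values chosen for the demonstration, not product defaults.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    at: float         # arrival time in seconds, supplied by the caller for determinism
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "A"


class StateTable:
    def __init__(self, tcp_timeout=3600.0, udp_timeout=40.0, drop_out_of_state=True):
        self.tcp_timeout = tcp_timeout
        self.udp_timeout = udp_timeout
        self.drop_out_of_state = drop_out_of_state   # mirrors the panel's out-of-state choice
        self._table = {}                              # 5-tuple -> last-seen time
        self.log = []                                 # out-of-state events worth alerting on

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        """Drop table entries idle longer than their protocol's timeout."""
        for key, last_seen in list(self._table.items()):
            timeout = self.tcp_timeout if key[0] == "tcp" else self.udp_timeout
            if now - last_seen > timeout:
                del self._table[key]

    def inspect(self, p, policy_accepts):
        """Return 'accept' or 'drop' for packet p.

        policy_accepts says whether the rule base would accept p as a NEW
        connection; packets on an existing connection bypass the rule base.
        """
        self._expire(p.at)
        fwd, rev = self._key(p), self._reverse_key(p)
        if fwd in self._table or rev in self._table:
            # known connection in either direction: refresh its timer and pass it
            self._table[fwd if fwd in self._table else rev] = p.at
            return "accept"
        # UDP has no handshake, so any first packet may open a session;
        # TCP may only open one with a bare SYN
        opens_session = (p.proto == "udp") or ("S" in p.flags and "A" not in p.flags)
        if not opens_session:
            self.log.append(f"out-of-state {p.proto} {p.src}:{p.sport}->{p.dst}:{p.dport} flags={p.flags}")
            if self.drop_out_of_state:
                return "drop"
            return "accept" if policy_accepts else "drop"
        if policy_accepts:
            self._table[fwd] = p.at
            return "accept"
        return "drop"


def policy_accepts(p):
    """Constructed stand-in for the explicit rule base: web to srv, DNS to dns."""
    return (p.proto, p.dst, p.dport) in {("tcp", "srv", 80), ("udp", "dns", 53)}


def demo(udp_timeout=40.0):
    """Run a constructed packet sequence; returns (decisions, out-of-state log)."""
    st = StateTable(udp_timeout=udp_timeout)
    packets = [
        Pkt("tcp", "client", 40000, "srv", 80, 0.0, "S"),    # handshake opens state
        Pkt("tcp", "srv", 80, "client", 40000, 0.1, "SA"),   # reply matches reverse key
        Pkt("tcp", "other", 5555, "srv", 80, 1.0, "A"),      # lone ACK with no state
        Pkt("udp", "client", 53000, "dns", 53, 10.0),        # DNS query opens UDP state
        Pkt("udp", "dns", 53, "client", 53000, 20.0),        # reply inside the UDP timeout
        Pkt("udp", "dns", 53, "client", 53000, 100.0),       # reply after the state expired
    ]
    decisions = [st.inspect(p, policy_accepts(p)) for p in packets]
    return decisions, st.log


if __name__ == "__main__":
    for decision, entry in zip(demo()[0], range(1, 7)):
        print(entry, decision)
    print(demo()[1])
```

The lone ACK is the case the out-of-state setting exists for: it matches no session, so it is logged and dropped regardless of what the rule base would say, while the late DNS reply is simply a new UDP packet that the policy does not permit. Shortening the UDP timeout (the `udp_timeout` argument to `demo`) moves the second reply into the expired case as well.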
- Log and Alert: This panel enables you to configure the responses taken when a packet matches a rule. This topic is covered in depth in Chapter 9.
- Alert Commands: This panel enables you to configure the actual actions that happen behind the scenes for Mail, Alert, User Defined Alerts, and SNMP Trap operations. This topic is covered in depth in Chapter 9.
- OPSEC: This panel defines whether to allow an OPSEC Roaming Administrator to complete the registration process without having to access SmartDashboard again.
- SmartCenter Access: This panel defines how administrators are locked out based on failed logon attempts.
- Non Unique IP Address Ranges: This panel defines any networks that may be used in multiple places in your security policy. This is important for VPN topology calculations and SmartMap. By default, it lists the RFC 1918 addresses.
- SmartDashboard Customization: This panel defines how SmartDashboard itself will operate. For administrators managing a large number of firewalls or making a large number of changes, certain configuration changes, such as defaulting to Classic Mode when creating new gateways or automatically selecting all gateways to install a policy on rather than having to check each check box, can significantly increase productivity. There is also a button for Advanced Configuration, but it is highly recommended not to make changes in the Advanced area unless directed to by Check Point Technical Support.