An Introduction to Checkpoint Firewall

This paper is an introduction to Checkpoint¶s Firewall version 4.1. In this paper you will learn the basics of what Checkpoint is and how it works. You will also see a graphical installation of Checkpoint on an NT 4 server as well as creating a generic set of rules that would apply to a small business or home user. Through out my years of using Checkpoint, I have never seen ³HowTo¶ instructions on Checkpoint like this other than what is taught in the Checkpoint classes. At the very end of this document, you will find some useful links to sites I have found helpful over the years. Please keep in mind that this is not meant to be a comprehensive, all-inclusive tutorial on Checkpoint, but simply a quick get up to speed small business paper.

A brief overview of Firewalls
There are 3 basic types of Firewall systems used today: y Packet Filtering y Application Gateway Proxy y Stateful Inspection A Packet Filtering Firewall examines each packet that passes through it up to the network layer. This means that the upper four layers (Application, Presentation, Session, and Transport) are allowed into an internal network. The Packet Filtering Firewall looks at each packet and determines what to do with it based on a rulebase you define. This type of Firewall technique is popular because it¶s inexpensive, transparent to applications and is quicker than most application layer gateways. However, it provides low security, has a limited ability to manipulate information, is difficult to configure, and is subject to IP Spoofing. The types of Firewalls can usually be found on routers. Application Layer Gateway, or better known as Proxies, function on the application level. Proxies are being challenged today in that outside networks are continually growing and introducing new protocols, services and applications all the time. As this happens, the Proxy has a difficult time handling these extreme communications on networks. Proxy Firewalls remain popular today because they offer a decent level of security, are relatively inexpensive and provide full application-layer awareness. However, each service requires its own application layer gateway, meaning scalability is horrible. Running at the application level is critical to performance and they are vulnerable to operating system and application level bugs and exploits. Stateful Inspection is the third type of firewall used today. Stateful Inspection gathers, stores, and manipulates information pertaining to all communication layers and from other applications. In other words, imagine a giant spreadsheet. Every packet that is allowed through the firewall is entered into that spreadsheet and kept there for a pre-

determined amount of time. Not only do you have to consider the rulebase to protect your network. Installing Checkpoint When installing Checkpoint. The end result here being no more connectivity through that firewall. I focus on installing the Checkpoint Firewall-1 software on an NT 4 server. it is important to have a clear understanding of what you need first. on the C: drive. you should consider the physical location of the firewall. I have created a small checklist of items I used to create this paper: y Checkpoint 4. Then install Checkpoint on the D: drive.¶ The benefits of this are excellent security. high performance and scalability. for example a C: drive and D: drive. Checkpoint analyzes all packet communication layers and extracts the relevant communication and application state information. Firewall-1 protects the TCP/IP stack. by analyzing all traffic at this level. What is Checkpoint? Checkpoint Firewall-1 uses the stateful inspection technology. and can fill up your entire drive. I do this because most small businesses have NT. Who will have access to it? Who will know the Administrator¶s password? NTFS will help you secure the box from a casual employee or friend from coming over and µplaying¶ with your configurations. This brings a level of security on the box up and allows you to look it down even tighter. I recommend formatting both with the NT File System (NTFS). One of the most important features of a firewall is the logs it generates. Also. I recommend you make two different drives. After you have created two drives. the Inspection Module inspects all traffic before they reach the OS. This is below the network layer at the lowest software level.0 server For this paper. Firewall-1 has an inspection module that lives in the operating system kernel. a final note. before you begin. As these logs grow. The reason for this is to maintain the firewall logs. I recommend installing your Operating System (OS). These logs will grow and grow as traffic is accepted. This saves the OS¶s processing time and resources. This is the most ideal location because. Preparing an NT 4. This would crash your Windows NT box and cause the firewall to fail. by placing its kernel module between the Network Interface Cards and the TCP/IP stack itself. It should not be part of a domain.1 media y Checkpoint License from Checkpoint . When using Checkpoint software on an NT server. creating a µStateful Inspection Table. full application-layer awareness. denied or rejected on you firewall. Make the Checkpoint Firewall server a standalone server. they take up more and more space.

Now insert your media and we are ready to begin. The network will connect to a hub. it may make more sense to install the management console closer to you. which connects to an internal Network Interface Card (NIC) on the Firewall server. create objects. or you will be monitoring it often or making rule changes. Below is the network we will configure for: Email and Web Internet Modem Firewall Hub Work station In this example. we will install both on the same machine. examine the logs. The second NIC on the Firewall will be our external NIC and will connect to our Cable modem and that in turn connects to the internet. . This helps in creating a rulebase. remove rules. add. When we launch the setup program for this. For this installation. if the firewall is in an inconvenient location. and check the status of the Logs. we will connect a small home/office to the internet using Checkpoint Firewall-1. However. The management console allows you to configure. There are 2 pieces that you need to install: The Firewall and the Management Console. the first screen we see is the License agreement as shown in Figure 1. We will first install the Firewall Module.y y y y y Legal IP address for external interface 2 or more Network cards An NT server An internet connection Four port hub I also recommend that you create a network diagram before making any rules.

It is recommended that you close all applications. we are presented with two options as shown in figure 2. In this screen. especially Antivirus programs. The next screen we see is µWelcome to Checkpoint¶ screen. in this exercise. and where we want it. . In this screen. Checkpoint advises you to close all programs that may be running in the background. For example. the Management Software and the Firewall on the same server. I will not show you this screen here but it is very important you read and understand these pages. However. then we would select the µDistributed¶ option. This is where we tell the software where we plan on installing the modules. Clicking the next button brings up the first setup page where we begin to select and tell the software what we want. we are installing both. also known as µStand Alone¶.Figure 1:License Agreement We click µYes¶ to accept the agreement and we are presented with a µWelcome to Checkpoint¶ screen. System Utilities and etc. if we wanted to install those two pieces on separate servers.

. you have to look at the license you have from Checkpoint and select the option you are licensed for. it will not work. If you select an option you do not have a license for. Make your selection and click next. In this version. we have 3 options as shown in Figure 3. our next screen is where we specify which VPN/Firewall/Server module we wish to install.Figure 2:Setup Screen After making the selection. Here.

we will select no backwards compatibility as we have no previous firewalls to manage. If we click the next button. we are taken to the µChoose Destination Location¶ screen.x.0 or 3. we click next. then you would select the backwards compatibility option. In this screen. This screen can be seen in Figure 4. . you are presented with a configuration screen. This is where we change the option from the C: drive to the D: drive for our demonstration. If you have a Checkpoint Firewall-1 version 4. You will see a status bar showing you the installation and when it is finished. Here is where we select a directory to install the Firewall module on. so choose a partition that does not contain your OS. and you want this firewall and management software to work with those. you will input your license that you received from Checkpoint. and the software begins its installation process. Remember the logging can fill up your partition. after selecting our directory in which we want Checkpoint installed in. Finally.Figure 3:Module Selection The next screen is asks us if we have older Checkpoint Firewalls we will want to interoperate with. For this exercise.

For example. However. Here you will assign IP addresses that will connect to this Firewall Module and manage it or monitor it. What this means is . Click next. On the next screen.com for additional information. I will not cover this here. you define µEnforcement Modules¶. You should allow Checkpoint to handle this. Please note. After completing this step. if you have a helpdesk and you want them to only be able to view logs. this is where you will identify these users. the Firewall Module and the Management Client on the same system. you must include the IP address of this system here. This screen is critical to a secure Firewall Module. Here we are asked if we want to control IP forwarding. After completing this. You must add at least one administrator here. Input that in here and click next. even if you install both. Because this is a sample for you to follow. but not add or modify rules. Gui client configuration is the next screen. the next screen asks you for the IP address found in the system hosts file. please see www. or you will not be able to connect to the Firewall with the Management tool. for further information.Figure 4:License After installing you license. you will be prompted to tell the Firewall who the Administrators are that will access it. click next. You may also add users and assign limited rights to them. and I consider Enforcement Modules advanced.phoneboy.

Not having this checked. Figure 3:Component installation Policy Editor is where you will create objects and services. The next screen provides you with the management modules you can install. Please note that that some programs and applications will fail if you have this enabled and you push a new policy. The Log Viewer is where you will view the Checkpoint Logs. Finally. . In figure 5. Installing the Management Client Now that you have installed the Firewall on your server. The next screen is the SMTP settings screen that I will not cover and the key creation screen. like when you are booting the system or pushing a new policy through. The first screen you see after launching the setup executable is the Welcome screen. The next screen is where you choose a destination to install the Management Gui. we can see the choices we have. Click next. you must install a management client to manage the Firewall. no packets will be allowed through the network interfaces. or active. You will then create rules and manage the objects and services. when you are complete. where you are asked to type random numbers and letters to create a unique string. Here you can view the status of your firewall. Finally System Status.that when a security policy is not installed. you will be prompted to reboot your firewall and it is now complete. makes your system vulnerable to attacks when a policy is not loaded.

like a workstation or server. you need to create them. The Policy Editor will open up with a deny all policy as shown in figure 7. Figure 6:Start menu We will select the Policy Editor option. but let¶s start with the object management. Now you have successfully installed Checkpoint on a Windows NT server. The Real Time Monitor will not be covered here. When you create a rule. We will get more specific on this. there are 3 key pieces of information you need to know: The source IP. We select the three main components and click next. Lets launch the GUI to manage our rulebase. It can be launched by the example in Figure 6. Creating Objects Checkpoint works in 3¶s like I said earlier. or non-physical like a network IP address range. In order to create a rule specific to them. .the time and date of the last policy installation and packet counts that have hit the Firewall. The management module installs and will prompt you when complete. the Destination IP and the port or service that needs to be opened for the application that the rule applies to. Objects are anything physical.

by default denies everything. . we will have to create rules that ALLOW communication through the Firewall. I have included snapshots of the Firewall object (Figure 8) and the Internal Lanobject(Figure 9). First. click on the µView¶ option at the top and select µImplied Rules¶. it is important that Checkpoint. I need to create objects for the following: The Firewall. You will see that there is a rule present that enforces the following: Any Source to Any Destination using any Service is to be dropped. However. Referring to the network that I outlined above. even if there are no rules. versus denying traffic. we will want to make 4 rules in the policy and 4 NAT rules.Figure 7:Blank Policy Here we see a policy with no rules. and the Internal LAN. when we create our policy. The MAIL-WEB Server. How do I know this? Simple. Therefore.

I have 2 IP addresses from my ISP. Creating a Rulebase Now that we have created objects. with logging enabled. The first rule is called a Stealth Rule. It does this by not allowing ANY traffic to it specifically. Then I created an object called µmail_web¶. I had to NAT it using a technique called HIDE. and click on the tab that says NAT at the top. The first one I gave to my Mail-Web server and the second I gave to my Firewall. Then I selected the NAT tab and assigned it a static NAT hidden behind my Public IP from my ISP. and the only reason. In most Checkpoint Firewall Rulebases. Checkpoint will then automatically create NAT rules for you.Figure 8:Firewall Object Figure 9:Internal LAN Object With the internal LAN. I gave it an assigned it an internal IP address. To do this. This helps ensure that attackers can¶t directly access my email_web server. let¶s assign them in rules. you can add rules by clicking µEdit¶ and µAdd Rule¶. It¶s NATed for extra security. then an attacker won¶t see you and think that IP is not operational. so that we can see attacks or traffic that did not meet our rules and was dropped. Let¶s add them first. there are 2 common rules. It¶s that easy! The final object is the Mail-Web server. We create this rule. Another point I want to make here is that it is recommended that you DROP as opposed to DENY traffic. In the Policy Editor. But the reason we add this rule. is that the implied rule does not log. a deny all policy. . If you DROP traffic. However. Earlier I mentioned that Checkpoint has an Implied rule that does this same thing. The other rule that is in should be in every Checkpoint Firewall Rulebase is a rule at the end that says: drop all traffic that did not meet any of the other rules. you select the object. then the attackers will get a notice back from you saying you are up. Then you choose the option HIDE and input your routable Internet IP address. if you DENY traffic. For this project. Its purpose is to hide the Firewall.

using any service. we see that the Internal Lan can go anywhere. This can go out to the internet but we also want people to be able to browse our web site and send us email. An entire rule set is shown in Figure 11 and the corresponding NAT table can be seen in Figure 12.Now that we have created the 2 most basic rules. Figure 10:InternalLan Rule In figure 10. Finally.0. we will create our next rule that will allow any IP address on my internal network. We do this by creating a rule as in Figure 10. the last rule we will create is one for our Web_Mail server. to use NAT and the external IP address of our Firewall.0 network. Figure 11:rulebase . 192.168. So we create a rule that allows outside people to connect to it using pre-defined services.

Figure 12:NAT Table .

Sign up to vote on this title
UsefulNot useful