Monday, May 16, 2016

Check Point Firewall: Rulebase Audit

So I'm at my new job, and I'm really liking it so far. One of the tasks I've been given is to audit a company's Check Point firewalls, to see what security items need to be looked at.

Here is a useful copy and paste from the Check Point best practices article sk106597.
  • The Business related rules section contains the rules that regulate your business traffic.
    Business related rules should be grouped together in logical sub-sections to make the format of the rulebase easy to understand. The sub-sections that are most heavily used should be placed highest in the rulebase (so long as doing this does not compromise SecureXL tuning).
  • The blue coded rules are the Implied Rules (Policy > Global Properties > Firewall Implied Rules).
    The enabled default Implied rules can be selectively turned off if not required or if the administrator has created specific rules to replace them. This is often done to harden or 'nail-down' the rulebase.
  • The green coded rules are VPN, management and noise rules.
    The admin and management rules control access to the firewall e.g. SSH, HTTPS etc. If the implied rules have been disabled then specific rules to permit all required connections to and from the firewalls will be required.
  • The purpose of the Noise rule is to drop unwanted traffic such as NetBIOS traffic as high up in the rulebase as possible.
    The use of a Noise rule helps to make the firewall more efficient by dropping unwanted traffic high up in the rulebase instead of at the bottom of the rulebase (clean-up rule).
    If the 'noise' traffic is mixed with 'useful' traffic then additional noise rules can be placed within the Business related rules section to drop the unwanted noise traffic once the useful traffic has been matched.
  • The Stealth rule should be located as early as possible in the policy, typically placed immediately after the management rules.
    The purpose of the Stealth rule is to drop unauthorized connections destined to the firewall; protecting the firewall from being scanned and attacked.
    The rulebase is likely to be constantly evolving so the effectiveness of the Stealth rule should be periodically tested; it may need to be re-positioned to maintain effectiveness.
  • The clean-up rule is the last rule in the rulebase and is used to drop and log explicitly unmatched traffic.
    To improve the rulebase performance, noise traffic that is logged in the Clean-up rule should be included in the Noise rule so it is matched and dropped higher up in the rulebase.
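As an added example (not from the post or from sk106597), the layout rules above turned into an automated check: a constructed rulebase is modelled as a list of rules and audited for a missing or mis-positioned Stealth rule, for rules to the gateway that the Stealth rule shadows, and for a clean-up rule that is not last or does not log. The gateway object name, the rule fields and the sample rules are all assumptions.

```python
from dataclasses import dataclass

FIREWALL = "fw-gateway"  # constructed: object name of the gateway itself

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    svc: str
    action: str   # "Accept" or "Drop"
    log: bool

def is_mgmt(r):    return r.dst == FIREWALL and r.action == "Accept"
def is_stealth(r): return r.src == "Any" and r.dst == FIREWALL and r.action == "Drop"
def is_cleanup(r): return (r.src, r.dst, r.svc, r.action) == ("Any", "Any", "Any", "Drop")

def audit(rules):
    """Return a list of findings; an empty list means the layout checks pass."""
    findings = []
    stealth = next((i for i, r in enumerate(rules) if is_stealth(r)), None)
    if stealth is None:
        findings.append("no Stealth rule: connections to the gateway fall through to business rules")
    else:
        # Anything to the gateway after the Stealth rule can never match (shadowed).
        for i, r in enumerate(rules[stealth + 1:], stealth + 1):
            if r.dst == FIREWALL:
                findings.append(f"rule {i+1} '{r.name}' is shadowed by the Stealth rule at {stealth+1}")
        # Only management/VPN/noise rules belong above the Stealth rule.
        for i, r in enumerate(rules[:stealth]):
            if r.action == "Accept" and not is_mgmt(r):
                findings.append(f"rule {i+1} '{r.name}' is a business rule placed above the Stealth rule")
    if not rules or not is_cleanup(rules[-1]):
        findings.append("last rule is not an explicit any/any/any Drop clean-up rule")
    elif not rules[-1].log:
        findings.append("clean-up rule does not log, so unmatched traffic is invisible")
    return findings

SAMPLE = [  # constructed rulebase, not from any real deployment
    Rule("Admin SSH/HTTPS", "AdminNet", FIREWALL, "ssh,https", "Accept", True),
    Rule("Stealth", "Any", FIREWALL, "Any", "Drop", True),
    Rule("Noise", "Any", "Any", "nbname,nbdatagram", "Drop", False),
    Rule("Web to DMZ", "Any", "DMZ_Web", "https", "Accept", True),
    Rule("Monitoring SNMP", "NMS", FIREWALL, "snmp", "Accept", True),  # shadowed
    Rule("Clean-up", "Any", "Any", "Any", "Drop", False),              # does not log
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```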
