DDOS Protection

Learning Outcomes

  • Set up the initial configuration of Checkpoint

  • Configure Dynamic NAT and manually specify NAT Policy Rules

  • Specify destination and source IP addresses

  • Define a server in Checkpoint

  • Edit the Protections action in Threat Protection

Device Name         IP Address
WebServer1          192.168.1.225
Attacker Machine    172.16.1.2

Introduction

In this project we perform a DoS attack against a Checkpoint firewall, then edit the IPS protections together with DDoS protection to mitigate the attack. DDoS attacks are detected by monitoring services as a spike in traffic patterns. As a best practice, DMZs are often configured with Destination NAT so that only a specific service is reachable; here that service is a web server running DVWA.

The objective is to show how a Checkpoint firewall can be configured to mitigate DDoS attacks. Additional information has been included to show how differently the firewall performs when protection is enforced versus when it is disabled.

Part 1: Hardware Configuration Steps

CheckPoint 1500 Configuration Appliance Wizard

  1. Configure the admin password for login

  2. Configure the System Time

  3. Name the device

  4. Security Policy Management: Select Local Management

  5. Internet Connection: Configure Internet Connection later

Note: Choosing to configure the internet connection at a later time will result in the WAN port not being activated - no status lights will show and the WAN connection process will be skipped.

  6. Local Network Configuration:

LAN Settings

Network Name: LAN Switch

IP address: 192.168.1.1

Subnet Mask: 255.255.255.0

DHCP Settings

DHCP Server: Enabled

DHCP Range: 192.168.1.1 - 192.168.1.254

  7. Configure Administrator Access

  • Sources from which to allow administrator access: check LAN

  • Allowed source IP addresses: Any IP address

  8. Appliance Registration: Click Next to continue with the Trial License

  9. Confirm the Trial License selection by clicking OK

  10. Software Blades Activation

Note: Software blades come with a 30 day trial by default.

  11. Review the First Time Configuration Wizard before clicking Finish

Adding a Web Server

The following steps specify the settings used to define a server in the New Server Wizard on the firewall. This is a web server that will be accessible from the internet.

  1. Go to Access Policy > Firewall > Servers and select New

  2. Server Definitions - Step 2

Name: WebServer1

IP Address: 192.168.1.225

Comments: DVWA JuiceShop

  3. Access - Step 3

  • Allow the server to be accessible from All zones (including the internet)

  • Allow access to the server using ICMP (ping)

  • Log traffic: blocked and accepted connections

  4. NAT - Step 4

The server’s IP address needs to be accessible from the internet: select No NAT

  5. For now, allow the server to have all ports open (for scalability); the unused ports are closed later in Part 3.

Access Policy > Servers > Server Properties: Server Type

  6. Clicking Apply confirms your choices and shows a summary of the server definition as shown below:

Part 2: Destination NAT Configuration

Configuring Destination NAT

  1. Destination NAT will be configured on LAN5: Local Network > Right-click LAN5 > Edit

  2. LAN5 Configuration

Interface Configuration

Assigned to: Separate Network

IP address: 172.16.1.1

Subnet Mask: 255.255.255.0

DHCPv4 Server

Enabled

IP Address Range:

172.16.1.1 - 172.16.1.254

IP Address Exclude Range:

172.16.2.16 - 72.16.1.254

  3. Define the NAT Rule

Access Policy > NAT > Click on: Add NAT manual Rule

  4. Define the Original Destination by creating a Network Object

  5. Define the network object (Destination IP Address)

Note: 172.16.1.5/32 acts like a bastion IP Address

  6. Create the Translated Destination by creating a new Network Object. Below Translated Destination click on Original > New > Network Object

  7. Define the New Network Object

  8. Review the manually configured NAT Rule and click Apply

Note: Creating the Destination NAT rule will automatically generate a Firewall Policy Rule.

  9. Check that the Firewall Policy rule has been generated: Access Policy > Firewall > Policy

Testing the Destination NAT Configuration

Given the limited visibility of the security appliance, we use Wireshark to see the NAT translation.

  1. Ping and trace the route to the provided IP address 172.16.1.5.

  2. View how the packets were translated.

Additional Information - Manually creating a firewall policy

Create a new rule for incoming traffic by going to Access Policy > Firewall > Policy. Under Incoming, internal and VPN traffic, create a new rule.

Define the Source and Destination of the Firewall Policy

Destination: WebServer1

Service: Any

Action: Accept

Part 3: DDoS Attack

This section demonstrates a DDoS attack performed on PC1. The attack is detected and monitored in the Security Logs of the Checkpoint console. Once the attack has occurred, the Intrusion Prevention System (IPS) displays the statistics of the attack. Afterwards, the necessary actions are taken for threat prevention.

Before the Attack

  1. There should be no entries in the Security Logs.

Logs & Monitoring > Logs > Security Logs

Note: The Security Logs were intentionally cleared to give a better representation of the activity.

  2. View which protections are currently Inactive and Active on Checkpoint: Threat Protection > Protections > IPS Protections

Note: Having Threat Prevention IPS activated sets Denial of Service attacks to Prevent status by default.

  3. Using PRTG, monitor the current activity of the network

  4. Attack preparation

During the Attack

  1. Viewing the Security Logs while the attack is happening results in a System Error, and it takes time for the firewall to respond on the real-time feeds.

  2. Logs were generated during the actual attack, so PRTG was used to monitor the change in activity, which can be seen below.
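As an added example (not part of the original lab or the Checkpoint product), the following Python script applies the idea from the introduction, that a DDoS shows up as a spike in traffic patterns, to Wireshark-style packet summaries: it folds the DNAT address 172.16.1.5 back onto WebServer1, counts SYNs that are never completed by the client's ACK, and flags a server whose half-open count exceeds a threshold. The packet lines, port numbers and threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Lab addresses: the DNAT address clients use and the real WebServer1 address.
# Destinations are folded to the real server so counts are per server, not per alias.
DNAT_MAP = {"172.16.1.5": "192.168.1.225"}

# Constructed tshark-like summaries ("time src:port -> dst:port [flags]"), not a real capture:
# one completed handshake from a legitimate client, then a burst of SYNs from the attacker machine.
SAMPLE = [
    "0.000 172.16.1.10:50000 -> 172.16.1.5:80 [SYN]",
    "0.001 172.16.1.5:80 -> 172.16.1.10:50000 [SYN, ACK]",
    "0.002 172.16.1.10:50000 -> 172.16.1.5:80 [ACK]",
] + [f"{0.100 + i * 0.001:.3f} 172.16.1.2:{40000 + i} -> 172.16.1.5:80 [SYN]"
     for i in range(12)]

LINE_RE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<src>[\d.]+):(?P<sp>\d+)\s+->\s+"
                     r"(?P<dst>[\d.]+):(?P<dp>\d+)\s+\[(?P<flags>[A-Z, ]+)\]$")

def parse(lines):
    """Parse summary lines into (time, src, sport, dst, dport, flag set) tuples."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable line: {line!r}")
        flags = {f.strip() for f in m["flags"].split(",")}
        dst = DNAT_MAP.get(m["dst"], m["dst"])  # translate the bastion address to the server
        pkts.append((float(m["t"]), m["src"], int(m["sp"]), dst, int(m["dp"]), flags))
    return pkts

def handshake_stats(pkts, timeout=1.0):
    """Per server: SYNs seen, handshakes completed by the client's ACK, and half-open leftovers."""
    pending = {}  # (src, sport, dst, dport) -> time the SYN arrived
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0})
    for t, src, sp, dst, dp, flags in pkts:
        key = (src, sp, dst, dp)
        if flags == {"SYN"}:  # client's first packet of the handshake
            pending[key] = t
            stats[dst]["syn"] += 1
        elif "ACK" in flags and "SYN" not in flags and key in pending:
            if t - pending.pop(key) <= timeout:
                stats[dst]["completed"] += 1
    for _, _, dst, _ in pending:  # SYNs never followed by the client's ACK
        stats[dst]["half_open"] += 1
    return dict(stats)

def syn_flood_suspects(stats, max_half_open=10):
    """Servers whose half-open count exceeds the threshold (constructed; tune per environment)."""
    return sorted(s for s, v in stats.items() if v["half_open"] > max_half_open)
```

On the constructed sample the legitimate client completes its handshake while the twelve attacker SYNs stay half-open, so WebServer1 is reported as a suspect; the same counts are what PRTG or the Security Logs show as a spike during the attack.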

Post Attack

  1. View the attack statistics in IPS after the attack to see the malicious packets that were dropped: Home > Overview > Security Dashboard

  2. View the logs via Logs & Monitoring > Security Logs

Configuring Protection

  1. Change the action status of SYN Attack from Inactive to Prevent: Threat Protection > Protections > IPS Protections > Edit SYN Attack > Override IPS Policy Agent: Prevent > Apply

Note: The attacks are categorized in the third column under Denial of Service. All actions have been set to Prevent as an override to enforce the protection.

  2. Close all ports that are not used by the server to reduce the points of entry: go to Access Policy > Server and uncheck the ports that aren’t needed. In our case it is just a web server, so we left only ports 80, 443 and 8080 open.

The Second Wave and Performance Comparison

For a better understanding of how the firewall performs under a DDoS attack, the next scenarios compare the results with IPS Protection turned off against the results with it activated.

IPS Protection can be disabled by turning the feature off at:

Home > Security Dashboard > Threat Prevention

Performing the Second Attack

Checkpoint Logs

Checkpoint Performance with IPS Protection

Checkpoint Performance Without IPS Protection

Performance Comparison

The picture on the left shows the performance if the IPS feature is disabled whereas the picture on the right shows a huge difference when IPS is enabled.

Team: Dan Magno, Maegan Hermosa, Marc Locquiao, Htoo Aung Khant, Han Sol J
