Threat Prevention

Summary

The goal of this project is to use Check Point to implement threat prevention measures while following industry best practices. The Check Point features used range from Anti-Virus and Anti-Bot to IPS and more. This documentation tracks the learning outcomes of the project and explains the different components that were used.

Key Components

  • Anti-Virus

    • Signature-based detection that identifies malware by comparing a program's code against a database of signatures for known viruses that have already been analyzed and recorded.

  • Anti-Bot

    • Anti-Bot is a key component that works in conjunction with Anti-Virus: it detects and prevents bot activity that could threaten the network by weakening the defenses the Anti-Virus already provides, or by deactivating them altogether.

  • IPS

    • The purpose of an IPS (Intrusion Prevention System) is to detect and prevent network attacks such as brute forcing or DoS (Denial of Service) attacks that aim to exploit vulnerabilities in a network. An IPS normally detects attacks in one of two ways: signature-based or anomaly-based. Signature-based methods work similarly to an Anti-Virus, comparing potential attacks against a database of known attack signatures that can be cross-referenced. Anomaly-based methods compare ingress traffic to what the network is expected to receive, blocking traffic that would normally not come in.

Network Diagram

IP addresses

Device Name       IP Address
Check Point LAN   192.168.2.0/24
Management IP     192.168.2.1/24

Steps

1. Setup admin details

2. Setup Date and Time

3. Setup the Checkpoint name

4. Select local management

5. The WAN port will be configured for DHCP to receive an IP address from the DHCP server

6. Set up the LAN network: 192.168.2.0/24 and the Management IP address: 192.168.2.1/24

7. Select LAN and VPN and specify the IP address of the LAN network: 192.168.2.0/24

8. Wait for Appliance Registration

9. Select all the software blades to enable for the Check Point appliance.


10. Update the following Threat Prevention settings

You can configure the IPS and malware policies on this page. For threat prevention you can activate/deactivate IPS, Anti-virus, Anti-bot and Threat Emulation.

Updates for these engines can be scheduled to run automatically or applied manually. The policy can be configured as Strict (security focused), Recommended (a mix of security and performance) or Custom (however the user wants it).

You can also choose whether matched traffic creates a log, is logged as an alert, or is not logged at all.

On this page you can create new Threat Prevention exception rules to allow traffic to pass through without being scanned by the IPS and malware engines.

The table will display the following information: the source and destination/target networks, the type of IPS protection, the type of network service, the action that will be taken against the traffic, and finally whether this traffic will be shown as a log or an alert.

This page will display any devices in the internal network infected with malware.

The Protection browser shows the Threat Prevention Software Blades protection types and a summary of important information and usage indicators.

This section explains how to configure advanced Threat Prevention settings found in the engine settings window, including: inspection, the Check Point Online Web Service (ThreatCloud repository), the internal email whitelist, and file type support for Threat Extraction and Threat Emulation.

You can set policy overrides to override the general policy settings defined on the Threat Prevention Blade Control page. For each of the protection types below, you can set the applicable override action: Ask, Prevent, Detect, Inactive, or According to policy (no override). See the Threat Prevention > Threat Prevention Blade Control page for a description of the action types.

  • Malicious activity - Protections related to the unique communication patterns of specified botnet and malware families.

  • Reputation domains - Protections related to Command & Control (C&C) servers. Each host is checked against the Check Point ThreatCloud reputation database.

  • Reputation IPs - Protections related to Command & Control (C&C) servers. Each IP is checked against the Check Point ThreatCloud reputation database.

  • Reputation URLs - Protections related to Command & Control (C&C) servers. Each URL is checked against the Check Point ThreatCloud reputation database.

  • Unusual activity - Protections related to the behavioral patterns common to botnet and malware activity.
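As an added example (not Check Point's own code or configuration), the following Python model shows how the settings described above combine for one inspected connection: the exception rules from the exceptions page (source, destination, protection type, service, action, log/alert), the per-protection-type overrides, and the general blade policy. The evaluation order, the data shapes and the sample networks are assumptions made for illustration; the protection-type and action names are those listed above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Actions the Threat Prevention pages expose; "According to policy" means no override.
ACTIONS = {"Ask", "Prevent", "Detect", "Inactive", "According to policy"}

@dataclass(frozen=True)
class Event:
    src: str         # source IP of the inspected connection
    dst: str         # destination IP
    service: str     # network service, e.g. "http"
    protection: str  # protection type, e.g. "Reputation IPs"

@dataclass(frozen=True)
class ExceptionRule:
    source: str       # CIDR network or "Any"
    destination: str  # CIDR network or "Any"
    protection: str   # protection type or "Any"
    service: str      # network service or "Any"
    action: str       # e.g. "Inactive": matching traffic is not scanned
    track: str        # "Log", "Alert" or "None"

def _matches(pattern, value, is_network=False):
    """'Any' matches everything; networks use CIDR containment, else exact match."""
    if pattern == "Any":
        return True
    if is_network:
        return ip_address(value) in ip_network(pattern)
    return pattern == value

def resolve(event, exceptions, overrides, general_action, general_track="Log"):
    """Return (action, track) for one event. Assumed precedence: the first
    matching exception rule wins, then a per-protection-type override, then
    the general blade policy."""
    for rule in exceptions:
        if (_matches(rule.source, event.src, True)
                and _matches(rule.destination, event.dst, True)
                and _matches(rule.protection, event.protection)
                and _matches(rule.service, event.service)):
            return rule.action, rule.track
    override = overrides.get(event.protection, "According to policy")
    if override not in ACTIONS:
        raise ValueError(f"unknown override action: {override}")
    if override != "According to policy":
        return override, general_track
    return general_action, general_track
```

Because exceptions are checked before overrides, a broad exception (source "Any", protection "Any") silently disables inspection for everything it matches; keeping exceptions narrow and tracked as Alert makes that bypass visible in the logs.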

Anti-Spam is on by default in order to block or flag emails that contain known or suspected spam content.

Detect Only Mode shows only logs and does not block any emails.

You can further configure the Anti-Spam policy by applying filters based on the sender's IP address and on email content (most secure). Email content filtering can be configured to block spam emails, flag spam emails by adding user-defined text to the subject, or flag spam email headers. Suspected spam can be handled separately with the same options.

You can whitelist or blacklist email addresses, domains, or IP addresses for email.

11. Firewall Blade Control, where we can adjust how much traffic the firewall allows in and out. This is where we set the default Access Policy for incoming, internal, and outgoing traffic, set the default applications and URLs to block, allow secure browsing, and configure User Awareness. Here we made the firewall stricter in Applications and URL Filtering by selecting everything.

The Firewall policy defines how packets are inspected, whereas Applications & URL Filtering defines how Internet browsing and application usage are controlled.

According to Checkpoint documentation,

Strict:

“Blocks all traffic, in all directions, by default. In this mode, your policy can only be defined through the Servers page and by manually defining access policy rules in the Access Policy > Firewall Policy page.”

Standard:

“Allows outgoing traffic to the Internet on configured services. You can click the services link to configure all or only specified services that are allowed.

  • Allows traffic between internal networks and trusted wireless networks (in applicable devices).

  • Blocks incoming unencrypted traffic from the Internet (traffic from outside your organization to it). The Standard policy option is the default level and is recommended for most cases. Keep it unless you have a specified need for a higher or lower security level.”

Off:

“Allows all traffic. When the firewall is deactivated, your network is not secured. Manually defined rules are not applied.”

Check Point recommends “blocking security risk categories and applications”.

URL Filtering Only mode is an option where only URLs and custom applications defined by URLs are blocked; predefined applications, whether installed initially or added through automatic updates, are not blocked.

You can limit the bandwidth (upload and download) passing in and out of the firewall.

User Awareness allows you to use the organization's Active Directory server for user recognition. Active Directory acts as the user database and provides authentication. User Awareness lets you configure user-based Access Policy rules and show user-based logs. Users can also be defined locally in the “Users & Objects > Users page”, where you can configure browser-based authentication and “the specific destinations to which they must be identified first before accessing.”

Resources

Team: Rahul Prasad, Dylan Somers, Brian Tran, Muammar Kaudeer
