Friday, January 9, 2015

Checkpoint Lab - 2 (Lab setup details) Tutorial

General discussion - 

When you have multiple firewalls/sites it makes more sense to access and control them from a central location. That is the reason the distributed model is preferred in large environments. In our lab example we use a management server to connect to the main office firewall and the branch office firewall.
In the distributed model the components involved talk to each other in a hierarchy:
  • SmartConsole ==> Manager ==> Firewall (create policy, rules, user IDs)
  • Firewall ==> Manager ==> SmartConsole/View/Tracker (logs, session info, license info etc.)
Any firewall should, and will, support the three functionalities below.
  • Packet Filtering
  • Stateful Inspection
  • Application Awareness
Packet Filtering is pretty straightforward. You define which ports can come in and go out. It is used to control access to and within your internal network.
Stateful Inspection is a method by which the return/reply traffic is allowed to flow back. Example: from behind the firewall you access google.com; assuming the firewall allows ports 80 and 443 outbound, your request is sent to the Google server. The Google server responds to your request. Now you don't have to allow or create a rule to accept the traffic from Google, since you initiated the connection in the first place. The firewall tracks that you made the request and will allow the traffic from Google back in; it dynamically allows the return traffic to flow back in.
Application Awareness is gaining more prominence nowadays. Consider the scenario where you allow traffic on port 443 outbound but deny FTP (port 21) outbound. One way this rule can be circumvented is by encapsulating the FTP traffic inside HTTPS traffic and sending it out. The firewall will honour the rule, which defeats the purpose of having the firewall in the first place. So the application awareness feature inspects the traffic at Layer 7 of the OSI model, figures out that it's actually FTP traffic, and denies it. (Which is pretty cool)
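To make the difference between the static packet filter and stateful inspection concrete, here is a small added simulation (not code from the original post, and not anything Check Point ships). It keeps a connection table for outbound sessions and uses it to decide whether inbound packets are replies or unsolicited; the addresses, ports and rule set are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed rule set (assumption): only ports 80 and 443 may leave the internal LAN.
ALLOWED_OUTBOUND_PORTS = {80, 443}
INTERNAL_PREFIX = "10.0.0."


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFirewall:
    """Packet filter plus a connection table, as in the stateful inspection description above."""

    def __init__(self):
        # Tuples (src, sport, dst, dport) of connections that were allowed outbound.
        self.connections = set()

    def check(self, pkt):
        # 1. Is this the reply direction of a tracked connection? Then no inbound rule is needed.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.connections:
            return "allow (reply to tracked connection)"
        # 2. New outbound connection: apply the static packet-filter rule and record it.
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.dport in ALLOWED_OUTBOUND_PORTS:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "allow (outbound rule)"
            return "deny (outbound port not permitted)"
        # 3. Anything from outside that does not match a tracked connection is dropped.
        return "deny (unsolicited inbound)"


def demo():
    fw = StatefulFirewall()
    client, google = "10.0.0.25", "203.0.113.10"  # constructed addresses (RFC 5737 range)
    return [
        fw.check(Packet(client, 51000, google, 443)),  # browser opens HTTPS to Google
        fw.check(Packet(google, 443, client, 51000)),  # Google answers the same session
        fw.check(Packet(google, 443, client, 51001)),  # no matching request: dropped
        fw.check(Packet(client, 51002, google, 21)),   # FTP outbound: blocked by the rule
    ]
```

Note that this table is keyed only on addresses and ports, so the FTP-over-443 case from the next paragraph would still be allowed here; that is exactly the gap application awareness is meant to close.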
It does not matter which firewall you choose (SonicWall, Fortigate, WatchGuard, Barracuda); the above three remain the same, or better, from vendor to vendor. NextGen firewall, UTM (Unified threat machines): a lot of jargon is thrown around nowadays, but basically they are all the same in my personal opinion. New bells and whistles, a redesigned GUI, graphs... (Again, I am not an expert, but that is my take.)

OS version info for checkpoint - 
The Checkpoint website is the best place to get the latest firmware/OS information, duuh.. But just for information's sake:
IPSO was the initial OS that Checkpoint offered. (Never saw it or worked on it; if interested, please google it.)
SPLAT (Secure Platform) was the first OS I saw from Checkpoint.
GAiA was released in 2011-2012 and is basically a hardened version of the above two OSes combined, with IPv6 and other improvements. For the lab setup I am using GAiA R76.
