Perform security checkup using OpenServer or Appliance

From Notes_Wiki
Revision as of 02:16, 25 April 2016 by Saurabh (talk | contribs) (Created page with "<yambe:breadcrumb>Checkpoint_Gaia_OS|Checkpoint Gaia OS</yambe:breadcrumb> =Perform security checkup using openserver or appliance= # Ensure that device is flashed/freshly in...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

<yambe:breadcrumb>Checkpoint_Gaia_OS|Checkpoint Gaia OS</yambe:breadcrumb>

Perform security checkup using openserver or appliance

  1. Ensure that device is flashed/freshly installed/reset to factory settings. In case of OpenServer Gaia can be reinstalled. For OpenServer ensure that there are at least two interfaces: one for management and other for monitor mode.
    In case of device connect usb with R77.30 created with help of isomorphic tool. External USB CD Drive would also work. Reboot appliance after connecting to hyperterminal (9600 8N1, no flow control) and after connecting USB. Type 'serial' at boot prompt for flashing.
  2. In first time configuration WebUI wizard (at https://<IP> given) during installation (default 192.168.1.1 on management port), choose 'Quick Standalone setup' instead of default 'continue with Gaia R77.30 configuration'. On R77.30 on openserver 'Quick standlone setup' option is not present.
  3. Create a user for winscp/bash login. Go to https://<IP> and login as admin. Go to User Management -> Users. Create a user with default shell as /bin/bash. Assign both adminRole and monitorRole. Leave UID to 0 for root access.
  4. Download latest Security checkup tools from http://supportcontent.checkpoint.com/file_download?id=24867
  5. Extract the downloaded file. Copy 'Security_Checkup_R77.30_Ver1.204/SmartEventSupplement/Security_Checkup_Supp_R77.30_Ver01.tgz' to '/var/install' on appliance using winscp etc. using user with bash shell. Note rsync wont work, only scp can be used. /var/install may have to be created.
  6. Extract tar and run security checkup installer using: 
    tar xzf Security_Checkup_Supp_R77.30_Ver01.tgz
    

    chmod +x security_checkup
    

    ./security_checkup
    This terminal will hang after some time. Then it can be closed.
    We can use "ps eax | grep sec" on another terminal to verify that "./security_checkup" program has terminated.
    Typical lines near end are: 
    SVN Foundation: cpWatchDog stopped
    

    SVN Foundation: Stopping PostgreSQL Database
    

    SVN Foundation stopped
    

    Backup configuration files
    

    dos2unix: converting file /opt/CPsuite-R77/fw1/log/Checkup_Uploader to UNIX format ...
    

    nohup: appending output to `nohup.out'
  7. Remove existing SmartConsole (and SmartDashboard) and install the version which came with SecurityCheckup zip file.
  8. Go to usercenter at usercenter.checkpoint.com and from "Winning the Security market" -> Production Evaluation choose "All-in-one evaluation".
  9. TODO Some steps related to license
  10. Login into GAIA portal and go to "Network Managemet" -> "Network interfaces". Choose the non-management interface and edit it. Click enable. Write comment 'SPAN'. Leave IPv4 address and subnet mask blank. In the 'Ethernet tab' select monitor mode. In CLI an interface can be configured for monitor mode using: 
    set interface eth0 monitor-mode on
  11. In "Network management" -> "IPv4 static routes" ensure that correct route is set which can access Internet.
  12. Open Gateway in SmartDashboard and follow further steps
  13. Open SmartEvent from SmartConsole Drop Down from Smart Dashboard.
  14. Go to top-left menu (File menu) and choose View -> Security Checkup
  15. Close and Re-open SmartEvent from Smart Dashboard.
  16. Double click firewall in Dashboard to see its properties
    1. In "Network Security" enable Firewall, IPS, Anti-bot, Anti-Virus (Detect), Monitoring, Application Control, URL Filtering, DLP
    2. In "Management" enabe Logging & Status, Monitoring, Management Portal, Smart Reporter, SmartEvent Server, SmartEvent Correlation Unit and Compliance. Note that enabling SmartEvent Intro disables SmartEvent Server, which is not desired.
    3. After General properties in Topology ensure:
      • Management interface (eg eth0) is external with external topology and correct IP
      • Mirror port is internal with 0.0.0.0/0.0.0.0 IP and "Network defined by IP/mask"
      • Disable anti-spoofing on all interfaces
  17. Configure firewall software blades
    • In Policy add any to any with accept without logging
    • Click on "Install Policy" at top to install this policy. Ignore any warnings for anti-spoofing being disabled.
  18. Using putty login into expert mode. Try
    • ping www.google.co.in.
      Edit /etc/resolv.conf to supply correct DNS, if necessary. Permanent configuration can be done via Gaia web interface "Network Management" -> "Hosts and DNS" option by giving correct Primary and Secondary DNS, as applicable.
    • curl_cli cws.checkpoint.com
  19. Other optimizations:
    • Ensure anti-spoofing is disabled for all interfaces
    • In Firewall -> Policy. Click on "Edit Global Properties" option at top. In SmartDashboard Customisation, click on the Configure button. Then in FireWall-1 -> Stateful Inspection, uncheck "reject_x11_in_any"
    • In "Global Properties" -> Stateful Inspection
      • Set "TCP session timeout" to 60 seconds
      • Set "TCP end timeout" to 5 seconds
      • Turn off Drop out of state TCP and ICMP packets
  20. Install the new policy before proceeding. Ignore any warnings for anti-spoofing being disabled.
  21. Configure "IPS" software blade
    • Edit gateway properties and under IPS ensure that
      • IPS profile is "Default protection"
      • Perform IPS inspection on all traffic
      • Bypass IPS inspection when gateway in under heavy load.
    • Go to IPS tab. Go to Protections -> By Protocol -> IPS Software Blade -> Network Security -> Denial of Service. Select Aggresive aging and set following values:
      • TCP Start Timeout: 5
      • TCP Session Timeout: 55
      • TCP End Timeout: 3
      • Set tracking for the protection to None for both "Default Protection" and "Recommended Protection"
    • In IPS tab select Policies. Double click "Recommended_Policy" and change IPS mode from prevent to detect.
  22. To prevent some false positives connect to firewall via ssh for expert mode.
    • Open "vi $FWDIR/modules/fwkern.conf" and paste 
      psl_tap_enable=1
      

      fw_tap_enable=1
      Exit from expert mode
  23. Install the new policy and then reboot the security gateway. Ignore any warnings for anti-spoofing being disabled.
  24. After reboot there might be some delay before firewall is accessible. Now activate "Application control and URL filtering blade" as follows:
    • Under policy ensure there is only one rule (delete child protection policy) with destionation any (not Internet) and track log (not extended or complete).
    • Go to Advanced -> Engine settings. Enable
      • Categorize HTTPS sites
      • Enfore safe search in search enginers
      Leave other settings as it is.
  25. Install policy
  26. Enable DLP blade as follows:
    • Use this procedure if users at customer site browse the internet viaproxy:
      1. In SmartDashboard, go to the Objects Tree and select the Services tab.
      2. Edit the TCP service: HTTP_and_HTTPS_proxy.
      3. Click Advanced.
      4. Select Protocol Type, and choose HTTP.
      5. Enable Match for ‘Any’
      6. Click OK
      7. Install Policy
    • IN DLP Blade go to "Advanced Settings" -> "Advanced" and uncomment "Log all sent messages" option.
  27. Install policy
  28. Enable "Threat Prevention" as follows:
    • In Threat Prevention blade to profiles and edit "Recommended_profile". Change all protection activation to "Detect".
    • In the same property box go to "Anti-virus settings".
      • Select "Inspect incoming and outgoing files"
      • Choose to process all file types without deep-inspection
      • Enable archive scanning
    • Then "Threat Emulation Settings" change protected scope to "inspect incoming and outgoing files"
  29. Install Policy
  30. Connect the monitor port to mirror/span port and monitor events in SmartEvent


<yambe:breadcrumb>Checkpoint_Gaia_OS|Checkpoint Gaia OS</yambe:breadcrumb>

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Perform_security_checkup_using_OpenServer_or_Appliance&oldid=2455"