An Introduction to Checkpoint Firewall

 

This paper is an introduction to Checkpoint’s Firewall version 4.1.  In this paper you will learn the basics of what Checkpoint is and how it works.  You will also see a graphical installation of Checkpoint on an NT 4 server as well as creating a generic set of rules that would apply to a small business or home user.  Through out my years of using Checkpoint, I have never seen “HowTo’ instructions on Checkpoint like this other than what is taught in the Checkpoint classes.  At the very end of this document, you will find some useful links to sites I have found helpful over the years.  Please keep in mind that this is not meant to be a comprehensive, all-inclusive tutorial on Checkpoint, but simply a quick get up to speed small business paper.

 

A brief overview of Firewalls

There are 3 basic types of Firewall systems used today:

 

A Packet Filtering Firewall examines each packet that passes through it up to the network layer.  This means that the upper four layers (Application, Presentation, Session, and Transport) are allowed into an internal network.  The Packet Filtering Firewall looks at each packet and determines what to do with it based on a rulebase you define.  This type of Firewall technique is popular because it’s inexpensive, transparent to applications and is quicker than most application layer gateways.  However, it provides low security, has a limited ability to manipulate information, is difficult to configure, and is subject to IP Spoofing.  The types of Firewalls can usually be found on routers.

 

  Application Layer Gateway, or better known as Proxies, function on the application level.  Proxies are being challenged today in that outside networks are continually growing and introducing new protocols, services and applications all the time.  As this happens, the Proxy has a difficult time handling these extreme communications on networks. 

 

Proxy Firewalls remain popular today because they offer a decent level of security, are relatively inexpensive and provide full application-layer awareness.  However, each service requires its own application layer gateway, meaning scalability is horrible.  Running at the application level is critical to performance and they are vulnerable to operating system and application level bugs and exploits.

 

Stateful Inspection is the third type of firewall used today.  Stateful Inspection gathers, stores, and manipulates information pertaining to all communication layers and from other applications.  In other words, imagine a giant spreadsheet.  Every packet that is allowed through the firewall is entered into that spreadsheet and kept there for a pre-determined amount of time, creating a ‘Stateful Inspection Table.’   The benefits of this are excellent security, full application-layer awareness, high performance and scalability.

 

 

 What is Checkpoint?

Checkpoint Firewall-1 uses the stateful inspection technology.  Checkpoint analyzes all packet communication layers and extracts the relevant communication and application state information.  Firewall-1 has an inspection module that lives in the operating system kernel.  This is below the network layer at the lowest software level.  This is the most ideal location because, by analyzing all traffic at this level, the Inspection Module inspects all traffic before they reach the OS.  This saves the OS’s processing time and resources.  Also, a final note, by placing its kernel module between the Network Interface Cards and the TCP/IP stack itself, Firewall-1 protects the TCP/IP stack.

Preparing an NT 4.0 server

For this paper, I focus on installing the Checkpoint Firewall-1 software on an NT 4 server.  I do this because most small businesses have NT.  When using Checkpoint software on an NT server, I recommend you make two different drives, for example a C: drive and D: drive.  The reason for this is to maintain the firewall logs.  One of the most important features of a firewall is the logs it generates.  These logs will grow and grow as traffic is accepted, denied or rejected on you firewall.  As these logs grow, they take up more and more space, and can fill up your entire drive.  This would crash your Windows NT box and cause the firewall to fail.  The end result here being no more connectivity through that firewall.

 

After you have created two drives, I recommend formatting both with the NT File System (NTFS).  This brings a level of security on the box up and allows you to look it down even tighter.  Not only do you have to consider the rulebase to protect your network, you should consider the physical location of the firewall.  Who will have access to it?  Who will know the Administrator’s password?  NTFS will help you secure the box from a casual employee or friend from coming over and ‘playing’ with your configurations.

 

I recommend installing your Operating System (OS), on the C: drive.  Then install Checkpoint on the D: drive.

 

Make the Checkpoint Firewall server a standalone server.  It should not be part of a domain.

 

Installing Checkpoint

When installing Checkpoint, it is important to have a clear understanding of what you need first, before you begin.  I have created a small checklist of items I used to create this paper:

 

I also recommend that you create a network diagram before making any rules.  This helps in creating a rulebase.  Below is the network we will configure for:

 

 

In this example, we will connect a small home/office to the internet using Checkpoint Firewall-1.  The network will connect to a hub, which connects to an internal Network Interface Card (NIC) on the Firewall server.  The second NIC on the Firewall will be our external NIC and will connect to our Cable modem and that in turn connects to the internet.

 

Now insert your media and we are ready to begin.  There are 2 pieces that you need to install: The Firewall and the Management Console.  For this installation, we will install both on the same machine.  However, if the firewall is in an inconvenient location, or you will be monitoring it often or making rule changes, it may make more sense to install the management console closer to you.  The management console allows you to configure, add, remove rules, create objects, examine the logs, and check the status of the Logs.   

 

We will first install the Firewall Module.  When we launch the setup program for this, the first screen we see is the License agreement as shown in Figure 1.

 

 

Figure 1:License Agreement

 

We click ‘Yes’ to accept the agreement and we are presented with a ‘Welcome to Checkpoint’ screen.

 

The next screen we see is ‘Welcome to Checkpoint’ screen.  I will not show you this screen here but it is very important you read and understand these pages.  In this screen, Checkpoint advises you to close all programs that may be running in the background.  It is recommended that you close all applications, especially Antivirus programs, System Utilities and etc. 

 

Clicking the next button brings up the first setup page where we begin to select and tell the software what we want, and where we want it.  In this screen, we are presented with two options as shown in figure 2.  This is where we tell the software where we plan on installing the modules.  For example, in this exercise, we are installing both, the Management Software and the Firewall on the same server, also known as ‘Stand Alone’.  However, if we wanted to install those two pieces on separate servers, then we would select the ‘Distributed’ option.

Figure 2:Setup Screen

 

After making the selection, our next screen is where we specify which VPN/Firewall/Server module we wish to install.  In this version, we have 3 options as shown in Figure 3.  Here, you have to look at the license you have from Checkpoint and select the option you are licensed for.  If you select an option you do not have a license for, it will not work.  Make your selection and click next.

 

Figure 3:Module Selection

 

 

The next screen is asks us if we have older Checkpoint Firewalls we will want to inter-operate with.  If you have a Checkpoint Firewall-1 version 4.0 or 3.x, and you want this firewall and management software to work with those, then you would select the backwards compatibility option.  For this exercise, we will select no backwards compatibility as we have no previous firewalls to manage.

 

If we click the next button, we are taken to the ‘Choose Destination Location’ screen.  Here is where we select a directory to install the Firewall module on.  This is where we change the option from the C: drive to the D: drive for our demonstration.  Remember the logging can fill up your partition, so choose a partition that does not contain your OS.

 

Finally, after selecting our directory in which we want Checkpoint installed in, we click next, and the software begins its installation process.  You will see a status bar showing you the installation and when it is finished, you are presented with a configuration screen.

 

In this screen, you will input your license that you received from Checkpoint.  This screen can be seen in Figure 4.

 

 

Figure 4:License

 

After installing you license, you will be prompted to tell the Firewall who the Administrators are that will access it.  You must add at least one administrator here.  You may also add users and assign limited rights to them.  For example, if you have a helpdesk and you want them to only be able to view logs, but not add or modify rules, this is where you will identify these users.

 

After completing this step, the next screen asks you for the IP address found in the system hosts file.  Input that in here and click next.  Gui client configuration is the next screen.  Here you will assign IP addresses that will connect to this Firewall Module and manage it or monitor it.  Please note, even if you install both, the Firewall Module and the Management Client on the same system, you must include the IP address of this system here, or you will not be able to connect to the Firewall with the Management tool.  After completing this, click next.

 

On the next screen, you define ‘Enforcement Modules’.  Because this is a sample for you to follow, and I consider Enforcement Modules advanced, I will not cover this here.  However, for further information, please see www.phoneboy.com for additional information.  Click next.

 

This screen is critical to a secure Firewall Module.  Here we are asked if we want to control IP forwarding.  You should allow Checkpoint to handle this.  What this means is that when a security policy is not installed, or active, like when you are booting the system or pushing a new policy through, no packets will be allowed through the network interfaces.  Not having this checked, makes your system vulnerable to attacks when a policy is not loaded.  Please note that that some programs and applications will fail if you have this enabled and you push a new policy.  The next screen is the SMTP settings screen that I will not cover and the key creation screen, where you are asked to type random numbers and letters to create a unique string.  Finally, when you are complete, you will be prompted to reboot your firewall and it is now complete.

 

Installing the Management Client

 

Now that you have installed the Firewall on your server, you must install a management client to manage the Firewall.  The first screen you see after launching the setup executable is the Welcome screen.  Click next.  The next screen is where you choose a destination to install the Management Gui.  The next screen provides you with the management modules you can install.  In figure 5, we can see the choices we have.

Figure 3:Component installation

 

Policy Editor is where you will create objects and services.  You will then create rules and manage the objects and services.  The Log Viewer is where you will view the Checkpoint Logs.  Finally System Status.  Here you can view the status of your firewall, the time and date of the last policy installation and packet counts that have hit the Firewall.  The Real Time Monitor will not be covered here.

 

We select the three main components and click next.  The management module installs and will prompt you when complete.  Now you have successfully installed Checkpoint on a Windows NT server.

 

Creating Objects

Checkpoint works in 3’s like I said earlier.  When you create a rule, there are 3 key pieces of information you need to know:  The source IP, the Destination IP and the port or service that needs to be opened for the application that the rule applies to.  We will get more specific on this, but let’s start with the object management.  Objects are anything physical, like a workstation or server, or non-physical like a network IP address range.  In order to create a rule specific to them, you need to create them.

Lets launch the GUI to manage our rulebase.  It can be launched by the example in Figure 6.

Figure 6:Start menu

 

We will select the Policy Editor option.  The Policy Editor will open up with a deny all policy as shown in figure 7.

Figure 7:Blank Policy

 

Here we see a policy with no rules.  However, it is important that Checkpoint, by default denies everything, even if there are no rules.  How do I know this?  Simple, click on the ‘View’ option at the top and select ‘Implied Rules’.  You will see that there is a rule present that enforces the following: Any Source to Any Destination using any Service is to be dropped.  Therefore, when we create our policy, we will have to create rules that ALLOW communication through the Firewall, versus denying traffic.

 

Referring to the network that I outlined above, we will want to make 4 rules in the policy and 4 NAT rules.  First, I need to create objects for the following: The Firewall, The MAIL-WEB Server, and the Internal LAN.  I have included snapshots of the Firewall object (Figure 8) and the Internal Lan object(Figure 9).

Figure 8:Firewall Object                                  Figure 9:Internal LAN Object

 

With the internal LAN, I had to NAT it using a technique called HIDE.  To do this, you select the object, and click on the tab that says NAT at the top.  Then you choose the option HIDE and input your routable Internet IP address.  Checkpoint will then automatically create NAT rules for you.  It’s that easy!

 

The final object is the Mail-Web server.  For this project, I have 2 IP addresses from my ISP.  The first one I gave to my Mail-Web server and the second I gave to my Firewall.  Then I created an object called ‘mail_web’.  I gave it an assigned it an internal IP address.  Then I selected the NAT tab and assigned it a static NAT hidden behind my Public IP from my ISP.   This helps ensure that attackers can’t directly access my email_web server.  It’s NATed for extra security. 

 

Creating a Rulebase

Now that we have created objects, let’s assign them in rules.  In the Policy Editor, you can add rules by clicking ‘Edit’ and ‘Add Rule’.  In most Checkpoint Firewall Rulebases, there are 2 common rules.  Let’s add them first.  The first rule is called a Stealth Rule.  Its purpose is to hide the Firewall.  It does this by not allowing ANY traffic to it specifically.  The other rule that is in should be in every Checkpoint Firewall Rulebase is a rule at the end that says: drop all traffic that did not meet any of the other rules.  Earlier I mentioned that Checkpoint has an Implied rule that does this same thing, a deny all policy.  But the reason we add this rule, and the only reason, is that the implied rule does not log.  We create this rule, with logging enabled, so that we can see attacks or traffic that did not meet our rules and was dropped.  Another point I want to make here is that it is recommended that you DROP as opposed to DENY traffic.  If you DROP traffic, then an attacker won’t see you and think that IP is not operational.  However, if you DENY traffic, then the attackers will get a notice back from you saying you are up. 

 

Now that we have created the 2 most basic rules, we will create our next rule that will allow any IP address on my internal network, 192.168.0.0 network, to use NAT and the external IP address of our Firewall.  We do this by creating a rule as in Figure 10.

Figure 10:Internal Lan Rule

 

In figure 10, we see that the Internal Lan can go anywhere, using any service. 

 

Finally, the last rule we will create is one for our Web_Mail server.  This can go out to the internet but we also want people to be able to browse our web site and send us email.  So we create a rule that allows outside people to connect to it using pre-defined services. 

 

An entire rule set is shown in Figure 11 and the corresponding NAT table can be seen in Figure 12.

 

Figure 11:rulebase

 

 

Figure 12:NAT Table