
Secure Web Gateway

Best Practices

30 July 2014

Classification: [Protected]
© 2014 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Contents

Implementing your Secure Web Gateway ............................................................................ 4


Actionable Enforcement ...................................................................................................... 5
Administrators Need a Better Way....................................................................................... 5
Secure Web Gateway Components ..................................................................................... 5
Controlling Access ............................................................................................................... 5
Application Control and URL Filtering ................................................................................. 7
Unified Approach ................................................................................................................. 7
Recommended Default Policy ............................................................................................. 7
Spectrum of Use ............................................................................................................. 7
Business ......................................................................................................................... 8
Business Restrictive........................................................................................................ 8
Education........................................................................................................................ 9
SafeSearch Enforcement ................................................................................................ 9
Optimizing your Rule Base ................................................................................................. 10
Allow Approach ................................................................................................................. 10
Deny Approach.................................................................................................................. 10
Policy Optimization ............................................................................................................ 10
Avoiding Regular Expressions ...................................................................................... 11
Bandwidth Optimization ................................................................................................ 11
Using Categories .......................................................................................................... 11
Application Controls............................................................................................................ 12
Preventing Data Leakage .................................................................................................. 12
Check Point Signature Tool ............................................................................................... 12
Examples .......................................................................................................................... 12
Securing Downloads ........................................................................................................... 13
Downloading Executable Content ...................................................................................... 13
From Detect to Prevent ..................................................................................................... 13
Education with UserCheck .................................................................................................. 15
Customizing Look and Feel ............................................................................................... 15
Visibility with SmartEvent ................................................................................................... 16
Dividing Report Data ......................................................................................................... 16
Customizing Your View ..................................................................................................... 17
Scheduling ........................................................................................................................ 17
SmartEvent ....................................................................................................................... 17
Case Study: Advocate Law Firm ................................................................................... 17
Chapter 1
Implementing your Secure Web
Gateway
In This Section:
Actionable Enforcement ............................................................................................ 5
Administrators Need a Better Way............................................................................ 5
Secure Web Gateway Components ......................................................................... 5
Controlling Access .................................................................................................... 5

Businesses are moving faster than ever. Security needs are growing, and organizations today must
continually find new tools to meet the latest demands. Adopting multi-layer protection challenges companies
to use those tools efficiently and to make sure the best results are achieved.
The biggest operational challenges today include:
- Correlating between the different security layers
- Making sure the security policy is efficient and serves the organization's needs
This document offers practices and policies to help you better utilize your web security solution based on
Check Point knowledge and practices. For maximum ease of use and relevance, the document is organized
according to the applicable solutions.

Secure Web Gateway Best Practices | 4



Actionable Enforcement
Convert your policy into actionable enforcement, while optimizing your workforce productivity and maintaining
full visibility throughout your organization.

Administrators Need a Better Way


As your policy is continually updated, it keeps growing and evolving in order to accommodate your business
needs. As a result, it can become complex and difficult to maintain. Maintenance can become easier if the
logic for each aspect of a policy is separate and distinct. Convert your policy into actionable enforcement,
while optimizing your workforce productivity and maintaining full visibility throughout the organization.
Web policy is different from the restrictive approach administrators are used to in firewall management.
When implementing the Allow approach, the administrator needs to understand the most common scenario
for each business entity. These common scenarios are placed among the first rules.
Check Point products are fully integrated with LDAP. We highly recommend managing a policy that is based
on real life entities and objects rather than IP addresses and subnets.

Secure Web Gateway Components


Secure Web Gateway is an all-in-one solution that enables:
- Secure use of Web 2.0 with real time multi-layered protection against web-borne malware
- Largest application coverage and granular application control
- Centralized intuitive management
- End-user education

Controlling Access
With an effective web policy, you can:
- Control access to millions of web sites by category, users, groups and machines with cloud-based
technology that is constantly updated with new websites to support employee productivity and security
policy.
- Block access to entire websites or only specified web pages, and set enforcements by time allocation or
bandwidth limitations.
- Maintain a list of accepted and blocked website URLs to fine-tune security policies.
- Control access to over 5,000 applications with the industry's largest application coverage.
- Create granular security policies based on users or groups to identify, block, or limit usage of web
applications and widgets, for example instant messaging, social networking, video streaming, VoIP,
games and more.
- Balance security and business needs.
- Stop incoming malicious files at the gateway before the internal network is affected. ThreatCloud uses
real-time virus signatures and anomaly-based protections and is the first collaborative network to fight
cybercrime.
- Identify over 4.5 million malware signatures, with 400,000 constantly updated per day, from a worldwide
network of sensors that provide ongoing malware intelligence.

Secure Web Gateway Best Practices | 6


Chapter 2
Application Control and URL Filtering
In This Section:
Unified Approach....................................................................................................... 7
Recommended Default Policy................................................................................... 7

Check Point's Secure Web Gateway Appliances utilize proven security expertise and the industry's most
complete portfolio of security innovations to provide superior real time protection against web-borne
malware. They protect against the most sophisticated malware, prevent infections and streamline security
management.

Unified Approach
Traditional Internet security requires establishing policies for each element of securing the web. Check
Point's Web Security Solution is the only solution to offer unified control over all websites, web applications,
users and machines. This significantly reduces the complexity of securing the Internet and enables
organizations to more easily and cost-effectively implement and enforce corporate security policies.

Recommended Default Policy


Spectrum of Use

Business Restrictive: The Business Restrictive policy expands the regular Business policy by adding two
more rules. The additional rules should help administrators to continually monitor network activity and
optimize the policy. Administrators are informed about access to specific sites or categories. They can also
leverage the last rule of Any Allow and Log to get full coverage of all traffic that passes through the
gateway.

Business: The Business policy is aimed toward the default "getting started" deployment. Once the policy is
in place, the organization needs to continually optimize and update it based on its specific needs.

Education: This policy can serve as a good starting point for K-12 schools and universities or libraries
that wish to control the content on their LAN or student WiFi network.

If you enable Identity Awareness on your gateways, you can also use Access Role objects as the source in
a rule. This lets you easily set rules for individuals or different groups of users.




Business
This is a sample default policy for a business.

Business Restrictive
This is a sample default restrictive policy for a business.




Education
This is a sample policy for an educational institution.

The last rule (Any Recognized - Allow) is optional.


Check Point Firewall includes an implicit rule that allows Internet access. We recommend that during the
first period of deployment, you use this rule to generate logs. Use the logs for additional policy optimization.
After you finish optimizing the rule base, we recommend that you remove this rule.

SafeSearch Enforcement
The Check Point URL Filtering Software Blade enables an organization to efficiently control access to
millions of web sites by category, user or group.
Administrators can block web traffic by category, such as adult content, child abuse, pornography, hate
groups or gambling sites. Select the Safe Search option from the SmartDashboard, and search requests
are filtered as safe-searches.

Check Point URL Filtering condenses multiple sources. For example, the "child abuse" category is found in
both Check Point's content filtering repository as well as the Internet Watch Foundation's membership feeds.



Chapter 3
Optimizing your Rule Base
In This Section:
Allow Approach ....................................................................................................... 10
Deny Approach ....................................................................................................... 10
Policy Optimization ................................................................................................. 10

In the next few pages we give a few examples and tips on how to optimize policy performance and also
make it easier to manage.
In a rule base, a request is evaluated against each rule in order until a match occurs. You might be
tempted to place the more specific rules at the top, followed by the more general rules. However, this
approach makes maintenance more difficult. Performance is less optimal as well, since most traffic will be
examined against the specific rules at the top of the list before reaching the rule that actually matches it.

Allow Approach
In the Allow approach, the default is allow and in most cases the last rule specifies what is blocked.
This approach is common in firewall policy. In web security, a Deny approach is recommended and is easier
to implement and maintain.

Deny Approach
In the Deny approach, the rules are constructed to match and filter the traffic that must be blocked. Allowing
the remaining, unfiltered traffic to get through is the last rule.

Policy Optimization
Placing rules that are most likely to match at the beginning of the layer helps your performance. The key is
how to identify those rules. Use the hit counter column from your SmartDashboard policy tab.


The display shows the real-time behavior of your traffic so you can understand which rule gets higher
exposure. When changing your policy order, make sure you do not change the intended behavior.
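The following is an added example, not Check Point code or product configuration: a small first-match rule base simulator with a per-rule hit counter, showing the Deny approach next to an Allow approach with the same intent, and a reorder step that promotes frequently hit rules only when no logged decision changes. The user groups, categories and traffic log are constructed for the example.

```python
"""Added example (not Check Point code): a first-match rule base with hit
counters, the Deny approach beside the Allow approach, and a reorder step
that only promotes a rule when no logged decision changes."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

Request = Tuple[str, str]  # (user group, URL category); values are constructed

@dataclass
class Rule:
    name: str
    match: Callable[[str, str], bool]  # (group, category) -> matches?
    action: str                        # "allow" or "block"
    hits: int = 0

def evaluate(rules: List[Rule], req: Request, count: bool = True) -> str:
    """Walk the rule base top-down; the first matching rule decides."""
    group, category = req
    for rule in rules:
        if rule.match(group, category):
            if count:
                rule.hits += 1  # the hit counter column the document refers to
            return rule.action
    return "allow"  # implicit rule: Internet access is allowed by default

def decisions(rules: List[Rule], log: List[Request]) -> List[str]:
    return [evaluate(rules, req, count=False) for req in log]

def deny_rule_base() -> List[Rule]:
    """Deny approach: filter rules first, "Any Allow and Log" last."""
    return [
        Rule("block-gambling", lambda g, c: c == "gambling", "block"),
        Rule("block-streaming-staff", lambda g, c: g == "staff" and c == "streaming", "block"),
        Rule("allow-it-executables", lambda g, c: g == "it" and c == "executables", "allow"),
        Rule("block-executables", lambda g, c: c == "executables", "block"),
        Rule("any-allow-log", lambda g, c: True, "allow"),
    ]

def allow_rule_base() -> List[Rule]:
    """Allow approach, same intent: the blocking logic sits in one broad last rule."""
    return [
        Rule("allow-it-executables", lambda g, c: g == "it" and c == "executables", "allow"),
        Rule("allow-general", lambda g, c: c not in ("gambling", "executables")
             and not (g == "staff" and c == "streaming"), "allow"),
        Rule("any-block", lambda g, c: True, "block"),
    ]

def optimize_order(rules: List[Rule], log: List[Request]) -> List[Rule]:
    """Bubble rules with more hits upward by adjacent swaps, keeping a swap only
    if every logged request keeps its decision (checks observed traffic only)."""
    rules = list(rules)
    baseline = decisions(rules, log)
    changed = True
    while changed:
        changed = False
        for i in range(len(rules) - 1):
            if rules[i + 1].hits > rules[i].hits:
                trial = rules[:i] + [rules[i + 1], rules[i]] + rules[i + 2:]
                if decisions(trial, log) == baseline:
                    rules, changed = trial, True
    return rules

# Constructed traffic log: mostly news, some streaming, a few downloads.
SAMPLE_LOG: List[Request] = (
    [("staff", "news")] * 6 + [("staff", "streaming")] * 3
    + [("it", "executables")] * 2 + [("staff", "executables"), ("staff", "gambling")]
)

def demo() -> List[str]:
    """Replay the log to fill the hit counters, then return the optimized order."""
    rules = deny_rule_base()
    for req in SAMPLE_LOG:
        evaluate(rules, req)
    return [r.name for r in optimize_order(rules, SAMPLE_LOG)]
```

Note that the most-hit rule, "any-allow-log", never moves above "block-executables" because that swap would change the decision for the logged staff download; the reorder check only covers traffic that was actually observed, so the administrator still reviews the result.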

Avoiding Regular Expressions


Sometimes the administrator creates rules using regular expressions. This practice should be avoided. The
complexity of regular expressions is known to be error prone. In many cases a small syntax mistake can
break the policy or match other unintended URLs.
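As an added illustration (not from the document), the following shows how a URL rule written as a loose regular expression matches URLs it was never meant to match, next to an exact hostname comparison that behaves like an explicit URL list entry. The URLs are constructed for the example.

```python
"""Added example (not Check Point code): how a URL rule written as a loose
regular expression matches unintended URLs, next to an exact hostname
match. All URLs below are constructed for the example."""
import re
from urllib.parse import urlsplit

# Common mistake: dots are not escaped and the pattern is not anchored, so
# "." matches any character and the host may appear anywhere in the URL.
LOOSE_PATTERN = re.compile(r"www.example.com")

def regex_matches(url: str) -> bool:
    return LOOSE_PATTERN.search(url) is not None

def host_matches(url: str, allowed_host: str = "www.example.com") -> bool:
    """Match the parsed hostname exactly (case-folded, port and path ignored),
    the way an explicit URL list entry or a category lookup is keyed."""
    host = urlsplit(url).hostname or ""
    return host.lower() == allowed_host.lower()

# Only the first URL is meant to match; the others show over-matching.
CONSTRUCTED_URLS = [
    "http://www.example.com/index.html",
    "http://wwwXexampleYcom.test/",
    "http://www.example.com.other.test/login",
    "http://other.test/?next=www.example.com",
]

def compare() -> dict:
    """Return {url: (regex result, hostname result)} for the constructed URLs."""
    return {u: (regex_matches(u), host_matches(u)) for u in CONSTRUCTED_URLS}
```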

Bandwidth Optimization
Bandwidth throttling can influence the end user experience, since the result depends on the available
bandwidth during the download process. As a result, users might become frustrated by an inconsistent
surfing experience, which leads to increased overhead for the IT department. Limiting the bandwidth for
streaming applications during business hours is a good approach for many verticals. Use bandwidth control
for background processes such as software updates, which are not seen by the end users.

Using Categories
Check Point URL Filtering includes more than 150 different categories. The categories are updated on a
daily basis to reflect the current state of the web. Rules based on specific URLs are harder to maintain over
a prolonged period, as website content tends to change over time. Categories can reduce the number of
rules and the maintenance effort.



Chapter 4
Application Controls
In This Section:
Preventing Data Leakage ....................................................................................... 12
Check Point Signature Tool .................................................................................... 12
Examples ................................................................................................................ 12

Application controls extend your web security solution by controlling port-evasive apps and proprietary
protocols. This chapter provides some useful techniques to leverage application controls in the Web 2.0
reality.

Preventing Data Leakage


Cloud storage applications can let important data leave your organization's internal network. You
can block file uploads to specific sites (such as DropBox, 4Sync, Box, and Evernote). However, this
configuration prevents file uploads only; it does not block the download of files from those applications.

Check Point Signature Tool


The Signature tool lets customers create their own custom application signatures. Custom apps can identify
HTTP and non-HTTP traffic.

Examples
These are examples of scenarios for Application Control:
1. The customer wants to allow access to site www.customersite.com only if the user agent is Mozilla
5.0 (kukuriku 11.4)
2. The customer wants to block all HTTP traffic that has in the response the following <name of pirated
ebook>
3. The customer wants to identify a certain SSL stream as app MySSL
4. Allow detection based on DN
5. Identify UDP traffic to 192.168.12.58:2025 as app InternalApp



Chapter 5
Securing Downloads
In This Section:
Downloading Executable Content ........................................................................... 13
From Detect to Prevent ........................................................................................... 13

Downloading Executable Content


Organizations need to control their executable supply chain, both to avoid malware execution and to enforce
licensing restrictions.
Most users should not be able to download any executable content from outside the organization. Only
specific authorized users should be allowed to download executables, perhaps to a restricted set of
sandboxed hosts.
We recommend combining these three methods:
1. Setting up a wiki page with a whitelist of several "most popular" download sites from which people can
download free or licensed software.
2. Downloading software updates to a local server and distributing them from there.
3. Setting up a set of trusted code signers and allowing only signed executables.

From Detect to Prevent


The Threat Prevention policy determines how the system inspects connections for bots and viruses. The
primary component of the policy is the Rule Base. The rules use the malware database and network objects.
When you enable a Threat Prevention Software Blade, a predefined rule is added to the Rule Base. The rule
defines that all traffic for all network objects, regardless of who opened the connection (the protected scope
value equals any), is inspected for all protections according to the recommended profile. By default, logs are
generated and the rule is installed on all Security Gateways that use a Threat Prevention Software Blade.
Some administrators prefer to start with detect only mode. This special operating mode is especially
helpful when deploying Web Intelligence for the first time:
- To evaluate its effectiveness without interrupting connectivity, or
- When troubleshooting a problem that is related to the blocking of Web traffic.


Mode: Default Prevent Policy
Configuration instruction: All protections that can identify an attack with a high or medium confidence level
and have a medium or lower performance impact are set to Prevent mode. All protections that can identify
an attack with a low confidence level and have a medium or lower performance impact are set to Detect
mode.
Recommended: use the Alert option in the Track column to log the event and execute a command (for
example, email, SNMP alert or run a script).
Note - ALERT can be defined in Policy > Global Properties > Log and Alert > Alert Commands.

Mode: Detect Policy
Configuration instruction: All protections that can identify an attack with a high or medium confidence level
and have a medium or lower performance impact are set to Detect mode.
Use Log in the Track column to record an event's details in SmartView Tracker. This option is useful for
obtaining general information on your network's traffic.



Chapter 6
Education with UserCheck
In This Section:
Customizing Look and Feel .................................................................................... 15

UserCheck is an integrated tool to inform users and at the same time educate them on the company policy.
Customers can leverage that technology to achieve additional tasks.

Customizing Look and Feel


UserCheck is easy to customize. You can learn more about the customization option by looking at an
example like sk83700 (http://supportcontent.checkpoint.com/solutions?id=sk83700).

One retailer's implementation is to customize the first page that users see when roaming on the store WiFi.
On this page, the retailer can present the latest deals and sales promotions within the store. The retailer can
also show a map of the store and any additional information to share with customers.
Once the custom message is ready, go to the Policy tab and add a rule that captures all traffic. In the Action
column select "Inform" and choose the custom template.

Note - By default, the display frequency will be set for one day and can be easily
changed.



Chapter 7
Visibility with SmartEvent
In This Section:
Dividing Report Data ............................................................................................... 16
Customizing Your View ........................................................................................... 17
Scheduling .............................................................................................................. 17
SmartEvent ............................................................................................................. 17

SmartEvent is a management Software Blade that clearly shows security information with real-time security
event correlation and management for Check Point Security Gateways and third-party devices.
SmartEvent's unified event analysis identifies critical security events from the information clutter while
correlating events across all security systems. Its automated aggregation and coordination of data
minimizes the time spent analyzing log data while isolating and prioritizing the real security threats. With
SmartEvent, you can customize reports and views to best fit each stakeholder in the organization.

Dividing Report Data


Dividing report data between departments can be a tedious task if manual steps are involved. SmartEvent
can automate this process. The administrator first needs to make sure that:
1. The Identity Awareness blade is activated

2. An Access Role is created and includes all relevant users/groups

Use LDAP queries to configure SmartEvent reports to segregate the relevant data per each group or AD
branch and represent real department views without disclosing data between groups/departments in the
organization.


Customizing Your View


Start by interviewing the data stakeholders. In many cases, they will have similar needs which can be
represented in a single report. For example, one law firm mentioned that they need to investigate lost
productivity. Once you recognize that a need exists across many departments, you can generate a report
and save it as a template.

Scheduling
Once you have the right template set up, you can schedule recurring reporting processes.
This is an example from SmartEvent default/built-in reports. As you start analyzing the different business
unit needs, you can find some of the default templates ideal for your needs.

SmartEvent
SmartEvent supplies advanced analysis tools with:
- Filtering
- Charts
- Reporting
- Statistics
- And more information about all events that travel through the applicable Security Gateways

Case Study: Advocate Law Firm


In this company, it is important to measure the employees' net working hours. The managers would like to
measure how much time each employee spends on different websites. It is also critical that each manager
will have access to his own department/employees only.
Start by creating a custom report, and configure the list of user groups to include all relevant groups. This
can be done from the User Filter dialog.


Define the right scheduling, and set the relevant emails in the Email Settings to make sure each manager
receives only his own report (filter by his own department tree).

Note - Run-Time Filters let users enter filter criteria each time they run the report.

