Best Practices
30 July 2014
Classification: [Protected]
© 2014 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Businesses are moving faster than ever. Security needs are growing, and organizations today must
continually find new tools to meet the latest demands. Adopting multi-layer protection challenges companies
to use those tools efficiently and to make sure the best results are achieved.
The biggest operational challenges today include:
Correlating between the different security layers
Making sure the security policy is efficient and serves the organization's needs
This document offers practices and policies to help you better utilize your web security solution based on
Check Point knowledge and practices. For maximum ease of use and relevance, the document is organized
according to the applicable solutions.
Actionable Enforcement
Convert your policy into actionable enforcement while optimizing your workforce productivity and maintaining
full visibility throughout your organization.
Controlling Access
With an effective web policy, you can:
Control access to millions of web sites by category, users, groups and machines with cloud-based
technology that is constantly updated with new websites to support employee productivity and security
policy.
Block access to entire websites or only specified web pages, and set enforcements by time allocation or
bandwidth limitations.
Maintain a list of accepted and blocked website URLs to fine-tune security policies.
Control access to over 5,000 applications with the industry's largest application coverage.
Create granular security policies based on users or groups to identify, block, or limit usage of web
applications and widgets. For example, instant messaging, social networking, video streaming, VoIP,
games and more.
Give the ability to balance security and business needs.
Stop incoming malicious files at the gateway before the internal network is affected. ThreatCloud uses
real-time virus signatures and anomaly-based protections and is the first collaborative network to fight
cybercrime.
Identify over 4.5 million malware signatures, with 400,000 constantly updated per day from a worldwide
network of sensors that provides ongoing malware intelligence.
Check Point's Secure Web Gateway Appliances use proven security expertise and the industry's most
complete portfolio of security innovations to provide superior real-time protection against web-borne
malware. They protect against the most sophisticated malware, prevent infections and streamline security
management.
Unified Approach
Traditional Internet security requires establishing policies for each element of securing the web. Check
Point's Web Security Solution is the only solution to offer unified control over all websites, web applications,
users and machines. This significantly reduces the complexity of securing the Internet and enables
organizations to more easily and cost-effectively implement and enforce corporate security policies.
If you enable Identity Awareness on your gateways, you can also use Access Role objects as the source in
a rule. This lets you easily set rules for individuals or different groups of users.
Business
This is a sample default policy for a business.
Business Restrictive
This is a sample default restrictive policy for a business.
Education
This is a sample policy for an educational institution.
SafeSearch Enforcement
The Check Point URL Filtering Software Blade enables an organization to efficiently control access to
millions of web sites by category, user or group.
Administrators can block web traffic by category, such as adult content, child abuse, pornography, hate
groups or gambling sites. Select the Safe Search option in SmartDashboard, and search requests
are filtered as safe searches.
Check Point URL Filtering consolidates multiple sources. For example, the "child abuse" category draws on
both Check Point's content filtering repository and the Internet Watch Foundation's membership feeds.
In the next few pages we give a few examples and tips on how to optimize policy performance and also
make it easier to manage.
In a rule base, a request is evaluated against the rules in order until the first match occurs. You might be
tempted to place the more specific rules at the top, followed by the more general rules. However, this
approach makes maintenance more difficult. Performance is less optimal as well, since most traffic will be
examined against the specific rules at the top of the list before reaching the rule that actually handles it.
Allow Approach
In the Allow approach, the default is allow, and in most cases the last rule specifies what is blocked.
This approach is common in firewall policy. In web security, the Deny approach is recommended; it is easier
to implement and maintain.
Deny Approach
In the Deny approach, the policy is constructed so that each rule filters (blocks or limits) what it matches.
Allowing the remaining, unfiltered traffic through is the last rule.
Policy Optimization
Placing rules that are most likely to match at the beginning of the layer helps your performance. The key is
how to identify those rules. Use the hit counter column in your SmartDashboard policy tab.
The display shows the real-time behavior of your traffic so you can understand which rule gets higher
exposure. When changing your policy order, make sure you do not change the intended behavior.
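The first-match evaluation, hit counting and reordering described above, as an added example (not code from the Check Point document): rules are promoted by hit count one swap at a time, and a swap is refused when any observed flow would receive a different action, which is what "do not change the intended behavior" means in practice. Rule names, user groups and the traffic sample are constructed.

```python
"""Added example (not from the Check Point document): a first-match rule base
with hit counting and hit-driven reordering. Rules and traffic are constructed."""
from collections import Counter
# Deny approach: specific and blocking rules first, a catch-all allow last.
# Each rule is (name, match predicate over a flow dict, action).
RULES = [
    ("finance-allow-trading", lambda f: f["group"] == "finance" and f["category"] == "trading", "allow"),
    ("block-trading", lambda f: f["category"] == "trading", "block"),
    ("block-adult", lambda f: f["category"] == "adult", "block"),
    ("block-p2p", lambda f: f["app"] == "bittorrent", "block"),
    ("limit-streaming", lambda f: f["category"] == "streaming", "limit"),
    ("cleanup-allow", lambda f: True, "allow"),
]
# Constructed traffic sample, repeated to give each rule a hit count.
FLOWS = ([{"group": "eng", "category": "streaming", "app": "youtube"}] * 5
         + [{"group": "finance", "category": "trading", "app": "web"}] * 3
         + [{"group": "eng", "category": "trading", "app": "web"}] * 4
         + [{"group": "eng", "category": "adult", "app": "web"}]
         + [{"group": "eng", "category": "news", "app": "web"}] * 10)

def evaluate(rules, flow):
    """Return (rule name, action) of the first rule the flow matches."""
    for name, match, action in rules:
        if match(flow):
            return name, action
    raise ValueError("rule base needs a final catch-all rule")

def hit_counts(rules, flows):
    """Hits per rule, as the SmartDashboard hit counter column shows them."""
    return Counter(evaluate(rules, f)[0] for f in flows)

def same_actions(a, b, flows):
    """True if both rule orders give every observed flow the same action."""
    return all(evaluate(a, f)[1] == evaluate(b, f)[1] for f in flows)

def reorder_by_hits(rules, flows):
    """Bubble higher-hit rules upward one adjacent swap at a time, accepting a
    swap only if same_actions() still holds, so a specific exception placed
    above a broader block rule is never moved below it."""
    hits = hit_counts(rules, flows)
    body, cleanup = list(rules[:-1]), rules[-1]  # cleanup rule always stays last
    swapped = True
    while swapped:
        swapped = False
        for i in range(len(body) - 1):
            if hits[body[i + 1][0]] > hits[body[i][0]]:
                trial = body[:i] + [body[i + 1], body[i]] + body[i + 2:]
                if same_actions(trial + [cleanup], body + [cleanup], flows):
                    body, swapped = trial, True
    return body + [cleanup]
```

With the sample above, limit-streaming (5 hits) moves to the top, while block-trading (4 hits) is not allowed above finance-allow-trading (3 hits) because that would block the finance group's trading traffic.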
Bandwidth Optimization
Using a throttling technique can influence the end-user experience, since it depends on the available
bandwidth during the download process. As a result, users might become frustrated by an
inconsistent surfing experience, which leads to increased overhead for the IT department. Limiting the
bandwidth of streaming applications during business hours is a good approach for many verticals. Use
bandwidth control for background processes, such as software updates, which are not seen by end users.
Using Categories
Check Point URL Filtering includes more than 150 different categories. The categories are updated on a
daily basis to reflect the current state of the web. Rules based on specific URLs are harder to maintain over a
prolonged period, as website content tends to change over time. Categories reduce the number of rules
and the maintenance effort.
Application Control extends your web security solution by controlling port-evasive applications and
proprietary protocols. This chapter provides some useful techniques for applying Application Control in the
Web 2.0 reality.
Examples
These are examples of scenarios for Application Control:
1. The customer wants to allow access to site www.customersite.com only if the user agent is Mozilla 5.0 (kukuriku 11.4)
2. The customer wants to block all HTTP traffic that has in the response the following <name of pirated ebook>
3. The customer wants to identify a certain SSL stream as app MySSL
4. Allow detection based on DN
5. Identify UDP traffic to 192.168.12.58:2025 as app InternalApp
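The five scenarios above, expressed as match conditions and a first-match decision, as an added example; this is not code from the Check Point document and not its custom-signature format. The certificate DN used for MySSL, the placeholder standing in for the ebook name, and the sample flows are assumptions.

```python
"""Added example (not from the Check Point document, and not its signature
format): the five Application Control scenarios above as match conditions
over the attributes a gateway sees. All flows below are constructed."""
import re

AGREED_USER_AGENT = "Mozilla 5.0 (kukuriku 11.4)"  # scenario 1, from the document
EBOOK_MARKER = "EBOOK-TITLE-PLACEHOLDER"            # scenario 2: stands in for <name of pirated ebook>
MYSSL_DN = re.compile(r"CN=myssl\.example\.com$")   # scenarios 3 and 4: assumed DN for app MySSL

# Application signatures: (app name, predicate over a flow dict). A flow carries
# proto, dst, dport, host, user_agent, ssl_dn and response as seen on the wire.
SIGNATURES = [
    ("MySSL", lambda f: f.get("proto") == "tcp" and bool(MYSSL_DN.search(f.get("ssl_dn", "")))),
    ("InternalApp", lambda f: f.get("proto") == "udp"
        and (f.get("dst"), f.get("dport")) == ("192.168.12.58", 2025)),  # scenario 5
    ("PiratedEbook", lambda f: EBOOK_MARKER in f.get("response", "")),
]

def classify(flow):
    """Return the set of application names whose signature the flow matches."""
    return {app for app, matches in SIGNATURES if matches(flow)}

def decide(flow):
    """First-match policy over the identified apps. The user-agent header is
    client-supplied, so scenario 1 combines it with the host match rather than
    treating it as an identity on its own; InternalApp is identified for
    logging and reporting but not blocked, as the scenario only asks to identify it."""
    apps = classify(flow)
    if flow.get("host") == "www.customersite.com":
        return ("allow" if flow.get("user_agent") == AGREED_USER_AGENT else "block"), apps
    if "PiratedEbook" in apps:
        return "block", apps
    return "allow", apps
```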
Default Prevent Policy
All protections that can identify an attack with a high or medium confidence level and have a medium or lower performance impact are set to Prevent mode.
All protections that can identify an attack with a low confidence level and have a medium or lower performance impact are set to Detect mode.
Recommended: use the Alert option in the Track column to log the event and execute a command (for example, send an email or SNMP alert, or run a script).
Note - ALERT can be defined in Policy > Global Properties > Log and Alert > Alert Commands.
Detect Policy
All protections that can identify an attack with a high or medium confidence level and have a medium or lower performance impact are set to Detect mode.
Use Log in the Track column to record an event's details in SmartView Tracker. This option is useful for obtaining general information on your network's traffic.
UserCheck is an integrated tool that informs users and at the same time educates them on the company policy.
Customers can leverage this technology for additional purposes.
One retailer's implementation customizes the first page that users see when roaming on the store WiFi.
On this page, the retailer presents the latest deals and sales promotions within the store, and can also
show a map of the store and any additional information it wants to share with its customers.
Once the custom message is ready, go to the Policy tab and add a rule that matches all traffic. In the Action
column, select Inform and choose the custom template.
Note - By default, the display frequency is set to one day and can easily be
changed.
SmartEvent is a management Software Blade that clearly shows security information with real-time security
event correlation and management for Check Point Security Gateways and third-party devices.
SmartEvent's unified event analysis identifies critical security events from the information clutter while
correlating events across all security systems. Its automated aggregation and coordination of data
minimizes the time spent analyzing log data while isolating and prioritizing the real security threats. With
SmartEvent, you can customize reports and views to best fit each stakeholder in the organization.
Use LDAP queries to configure SmartEvent reports so that the relevant data is segregated per group or AD
branch, giving real department views without disclosing data between groups or departments in the
organization.
Scheduling
Once you have the right template set up, you can schedule recurring reporting processes.
This is an example from the SmartEvent default (built-in) reports. As you analyze the needs of the different
business units, you may find some of the default templates ideal for your purposes.
SmartEvent
SmartEvent supplies advanced analysis tools with:
Filtering
Charts
Reporting
Statistics
And more information about all events that travel through the applicable Security Gateways
Define the right schedule, and set the relevant addresses in the Email Settings, so that each manager
receives only their own report (filtered by their own department tree).
Note - Run-Time Filters let users enter filter criteria each time they run the report.