
Introduction:

Welcome to Check Point vSEC for Google Cloud Platform!


This test drive will allow you to experience the capabilities of the vSEC gateway in
action.
Follow the instructions below to begin your test drive.

Overview
The test drive environment includes the following components:

A network consisting of:

- A Gateway subnet (10.10.0.0/24)
- An Admin subnet (10.10.1.0/24)
- A Web subnet (10.10.2.0/24)

The network has 3 virtual machines:

- A Windows machine
- A Check Point vSEC gateway
- A Linux server

The Windows machine is pre-installed with the Check Point SmartConsole (R77.30)
Graphical User Interface clients.
The Linux server is pre-configured with a web server.

The Windows machine is attached to the Admin subnet.
The Check Point vSEC gateway is attached to the Gateway subnet.
The web server is attached to the Web subnet.

In addition, a Google Compute Engine forwarding rule is set up to receive HTTP traffic
on a dedicated public address and forward it to the Check Point gateway.

2017 Check Point Software Technologies Ltd. All rights reserved | P. 1


The Check Point vSEC Security gateway is pre-configured with security and Network
Address Translation (NAT) policies to receive and forward this traffic.
A Google Compute Engine network load balancer with a private address of 10.10.2.20
is set up to receive this traffic after it has been inspected by the Check Point gateway,
and to forward it to one or more web servers.

Step 1 - Accessing the environment:

When you launch the test drive you will receive an email containing information about
the test drive environment.
This email will include:
- The password needed to authenticate to the Windows machine and the Check Point vSEC
gateway
- The public address of the gateway
- The public address of the Windows machine
- The URL of the protected web application

In this test drive we will be using SmartConsole, a group of Windows based graphical
user interface (GUI) clients, to manage and monitor the security policy of the Check
Point vSEC gateway.
If you already have the clients installed on your computer you can use them to directly
connect to the public address of the Check Point vSEC gateway.
Alternatively, you can use the Windows machine with the pre-installed clients.

Step 1.1a:
If you do not have the clients installed, you can use the Windows machine in the test
drive environment where the clients are already pre-installed.

Open a remote desktop client.

Connect to the Windows machine using the IP address you have received over email.
Under username select \admin (note the leading \ to avoid the use of your corporate
domain).
Under password enter the password you have received over email.



After you login to the Windows machine, locate and launch the SmartDashboard R77.30
client:



Under Username, enter: admin
Under Password, enter the password you have received over email
Under Address, enter 10.10.0.2
Click on Login, and Approve the fingerprint:

Proceed to step 2.

Step 1.1b:
If you already have the SmartConsole clients pre-installed, you can use them to directly
connect to the Check Point vSEC Gateway.
Open SmartDashboard.



Under Username, enter: admin
Under Password, enter the password you have received over email
Under Address, enter the Check Point public IP address you have received over email.
Click on Login, and accept the fingerprint.
Proceed to step 2.

Step 2 - Review the security policy:

Go to the Firewall tab, Policy:

Review the firewall security policy:



With reference to the above:

Rule  Purpose
1     Allow HTTP connections to the web server
2     Allow any connection originating from the web subnet
3     Allow SSH connections to the gateway
4     Allow SmartConsole connections to the gateway
5     Allow HTTPS connections to the gateway
6     Allow pings
7     Drop all other traffic

All rules have logs enabled.
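The rulebase above is evaluated top-down and the first matching rule wins, which is why rule 7 acts as the cleanup rule. The following is an added example (not from the test drive guide) that models that ordering with the guide's subnets; the gateway address 10.10.0.2 (the management address from Step 1.1a), the web server address 10.10.2.20 (the load balancer address from the overview) and the SmartConsole port (CPMI, TCP 18190) are assumptions made for this example.

```python
# Added example, not from the test drive guide: a first-match model of the
# Step 2 rulebase using the guide's subnets. The host addresses for the
# gateway (10.10.0.2) and the web server (10.10.2.20) and the SmartConsole
# port (CPMI, TCP 18190) are assumptions made for this example.
from ipaddress import IPv4Network, ip_address, ip_network

WEB_SUBNET = ip_network("10.10.2.0/24")
GATEWAY = ip_address("10.10.0.2")
WEB_SERVER = ip_address("10.10.2.20")
ANY = object()   # stands for the "Any" cell of a rule

def _ip_match(cell, addr):
    if cell is ANY:
        return True
    if isinstance(cell, IPv4Network):
        return addr in cell
    return addr == cell

def _svc_match(cell, svc):
    return cell is ANY or svc in cell

# (number, source, destination, services, action); order is significant because
# the first matching rule wins, so rule 7 only sees what rules 1-6 did not accept.
RULES = [
    (1, ANY, WEB_SERVER, {("tcp", 80)}, "accept"),
    (2, WEB_SUBNET, ANY, ANY, "accept"),
    (3, ANY, GATEWAY, {("tcp", 22)}, "accept"),
    (4, ANY, GATEWAY, {("tcp", 18190)}, "accept"),
    (5, ANY, GATEWAY, {("tcp", 443)}, "accept"),
    (6, ANY, ANY, {("icmp", 8)}, "accept"),   # ICMP type 8 = echo request
    (7, ANY, ANY, ANY, "drop"),               # cleanup rule
]

def evaluate(src, dst, proto, port):
    """Return (rule_number, action) for the first rule matching the connection.

    For ICMP, pass the ICMP type in place of a port."""
    src, dst = ip_address(src), ip_address(dst)
    for number, s, d, svc, action in RULES:
        if _ip_match(s, src) and _ip_match(d, dst) and _svc_match(svc, (proto, port)):
            return number, action   # every rule logs, so callers can record this pair
    raise RuntimeError("unreachable: the cleanup rule matches everything")
```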

Go to the Firewall tab, NAT:

Review the firewall Network Address Translation (NAT) policy:



With reference to the above:

Rules  Purpose
1-2    Translate connections arriving at the public address attached to the Google Compute Engine forwarding rule to the private address of the internal load balancer
3-4    Automatic rules, can be ignored
5-6    Hide connections originating from the web subnet behind the gateway's address

Optionally review the automatically created network objects:

Open the SmartViewTracker client application. We will be using this application to view
logs.
You can open it directly from the SmartDashboard application, as shown:



Step 3 - Test normal web traffic:
Use a browser to connect to the URL you have received over email:

Click on the first Test button.


This will create a standard web request by going to:
http://[WEB-SERVER-ADDRESS]/vsec.jpg
This connection should be allowed and the status should change to Success.

Step 4 - Block an SQL injection attack:

Click on the 2nd Test button.



This will simulate an SQL injection attack by going to:
http://[WEB-SERVER-ADDRESS]/cgi-bin/sql-injection/id=concat
Since we have not yet set up the Intrusion Prevention System (IPS) blade, this attack will
not be blocked:

In SmartDashboard, locate and open the gateway object.

Navigate to the IPS tab and change the assigned IPS profile from the
Default_Protection to the Recommended_Protection.



Click on OK

Click on Yes to proceed without Anti-Spoofing configured.

Click on Install Policy:



Click on OK

Wait for the policy installation to complete:

Click on the 2nd Test button again.



This time, the attack should be blocked:

View the generated log by navigating to the IPS blade (All) view in SmartViewTracker:

You should see an SQL attack log similar to this:

Double click on the log record to see more information:
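The IPS log you just opened is the gateway's record of the request being matched against a protection. As an added example (not from the test drive guide, and not Check Point's IPS protections), the block below applies illustrative SQL-injection signatures to constructed web-server access-log lines containing the test URLs from Steps 3 and 4; it handles the detail that the Step 4 test carries its parameter in a path segment rather than in a query string.

```python
# Added example, not from the test drive guide: an illustrative SQL-injection
# signature check (not Check Point's IPS protections) run over constructed
# web-server access-log lines containing the test URLs from Steps 3 and 4.
import re
from urllib.parse import unquote_plus, urlsplit

SQLI_SIGNATURES = [
    ("concat", re.compile(r"\bconcat\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),
]

def request_parameters(target):
    """Yield decoded (name, value) pairs from the query string and from path
    segments of the form name=value, as in /cgi-bin/sql-injection/id=concat."""
    parts = urlsplit(target)
    for item in parts.path.split("/") + parts.query.split("&"):
        if "=" in item:
            name, _, value = item.partition("=")
            yield unquote_plus(name), unquote_plus(value)

def matched_signatures(target):
    """Return the names of the signatures matching any parameter value."""
    hits = []
    for _, value in request_parameters(target):
        for name, pattern in SQLI_SIGNATURES:
            if pattern.search(value) and name not in hits:
                hits.append(name)
    return hits

# Common Log Format: client, ident, user, [time], "METHOD target HTTP/x", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(lines):
    """Return (client, target, status, signatures) for every flagged request."""
    findings = []
    for line in lines:
        if m := LOG_LINE.match(line):
            client, target, status = m.groups()
            hits = matched_signatures(target)
            if hits:
                findings.append((client, target, int(status), hits))
    return findings

# Constructed sample lines; 10.10.0.2 stands in for the gateway as the client.
SAMPLE_LOG = [
    '10.10.0.2 - - [01/Jan/2017:10:00:00 +0000] "GET /vsec.jpg HTTP/1.1" 200 5120',
    '10.10.0.2 - - [01/Jan/2017:10:00:05 +0000] "GET /cgi-bin/sql-injection/id=concat HTTP/1.1" 200 312',
    '10.10.0.2 - - [01/Jan/2017:10:00:09 +0000] "GET /search?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 88',
]
```

The status 200 on the flagged lines is what the web server recorded before the IPS profile was changed; once the gateway blocks the request, no such line reaches the server at all.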



Step 5 - Block access to social networks:

Click on the 3rd Test button.
This will cause the web server to communicate with various social networks web sites.
Since we have not yet set up the Application Control and URL Filtering blade, this traffic
will not be blocked:



Go to the Application and URL Filtering tab, then to Policy:

Add a new rule by clicking on the Add bottom button:

Edit the automatically created rule:


In the Destination column, replace the Internet object with the All_Internet object.
In the Application/Sites column, use the widget to select the Social Networking
category:



Change the Track option to Complete Log.
The final rule should look like this:

Click on Install Policy:

Click on OK



Wait for the policy installation to complete:

Click on the 3rd Test button again.


This time, access to social networks should be blocked:



View the generated log by navigating to the Application and URL Filtering blade view
(All) in SmartViewTracker:

You should see several logs indicating that a connection was opened from the web
subnet to social network web sites similar to this:

Double click on one of these log records to see more information:
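The rule you created in this step matches on the destination's category rather than on its address, which is why it catches every social network site the web server contacts. As an added example (not from the test drive guide), the block below models that rule: a longest-suffix category lookup over a constructed category table (the real gateway consults Check Point's categorisation service), applied to connections from the web subnet to All_Internet, with the Complete Log record the rule produces. The host names use the reserved .test domain and are constructed for the example.

```python
# Added example, not from the test drive guide: a model of the Step 5
# Application Control rule (source: web subnet, destination: All_Internet,
# category: Social Networking, action: Block, track: Complete Log).
from ipaddress import ip_address, ip_network

WEB_SUBNET = ip_network("10.10.2.0/24")

# Constructed category data (the real gateway consults Check Point's
# categorisation service). A domain maps to a category and every sub-domain
# inherits it, so www.example-social.test is also Social Networking.
CATEGORY_OF_DOMAIN = {
    "example-social.test": "Social Networking",
    "example-news.test": "News / Media",
}

def categorise(hostname):
    """Longest-suffix lookup; hosts with no matching suffix are uncategorised (None)."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORY_OF_DOMAIN.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None

# (source, destination, blocked categories, action, track); All_Internet means any destination
APP_RULE = (WEB_SUBNET, "All_Internet", {"Social Networking"}, "Block", "Complete Log")

def apply_app_rule(src, hostname):
    """Return (action, log) for a new web connection; log is None when the rule does not match.

    Assumption for the example: when the rule does not match, no later rule does either,
    and the connection is accepted."""
    source, _, categories, action, track = APP_RULE
    category = categorise(hostname)
    if ip_address(src) in source and category in categories:
        log = {"src": src, "host": hostname, "category": category,
               "action": action, "track": track}
        return action, log
    return "Accept", None
```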



Congratulations!
You have completed the Check Point test drive for Google Cloud Platform.
Feel free to keep exploring this environment.
When you are done, please free up the used resources by stopping the test drive.

Thank you!

