
Introduction to checkpoint.

By ShunmugaPriya
What is a Firewall?

A firewall is a system of hardware and/or software that controls access between two or more networks.

A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet.
Why do we need a Firewall?
• Security is an extensive and serious issue in today's environment. From privacy policies to corporate espionage, the threats come from both internal and external sources.
• With a firewall, you can ensure
–Protection of the network environment
–Protection of data
Types of Firewalls
• Categories of firewalls
– Hardware Firewalls
– Software Firewalls
Hardware Firewall
Software Firewall
Where is it deployed in the network?
DMZ Interface
• A firewall needs a minimum of two interfaces to connect to two different networks.
• A third interface can be added to the firewall to separate the public servers from the private LAN.
• This interface is referred to as the Demilitarized Zone (DMZ).
• This is done so that, even if the public servers are attacked, the private LAN still remains secure.
Types of Firewalls (based on features)
• Packet filtering firewalls
• Application Gateways
• Stateful firewalls
Packet filtering firewalls
• The firewall keeps no state. The filtering decision is made separately for every packet, and does not take into account any earlier decisions made on related packets.
Example: with 100 packets, it filters every single packet individually.
Filtering based on 5 options
• Source IP address (IP header)
Allowing or disallowing packets on the basis of the source IP address
• Destination IP address (IP header)
Allowing or disallowing packets on the basis of the destination IP address
• Protocol Type
Allowing or disallowing packets according to protocol.
• Source port (TCP or UDP header)
• Destination port (TCP or UDP header)
Port numbers example
Advantages:
1. Application independence.
2. High performance.
3. Scalability.
Disadvantages:
1. Low security.
2. No screening above the Network layer.
Proxy Server or Application Gateway Firewalls
• These firewalls filter services at the Application level. They terminate the session at their interface and initiate a separate connection with the internal server, thus taking a little more time in establishing the session. They are by nature slow in processing, as they are more application based.
Advantages:
• Good security.
• Full application-layer awareness.
Disadvantages:
• Poor performance.
• Limited application support.
• Poor scalability (breaks the client/server model).
Stateful Inspection Firewalls/Checkpoint
• Stateful multilayer inspection firewalls combine the aspects of the other two types of firewalls. They are stateful because the firewall can remember prior connection states and continuously keeps updating the state of a connection in its dynamic connection table.
• Whenever a firewall receives a SYN packet initiating a TCP connection, this SYN packet is reviewed against the firewall Rulebase. If the packet matches a rule it is allowed, otherwise it is denied.
• However, if the packet is accepted, the session is entered in the firewall's stateful connection table, which is located in kernel memory. Every packet that follows (that does not have a SYN) is then compared to the stateful inspection table. If the session is in the table, the packet is part of an existing session and it is allowed through the firewall. If it does not match an existing session in the table, it is dropped.
• Today there is very little difference between these two firewall technologies, as more and more stateful packet inspection firewall vendors take a hybrid approach by combining both concepts.
• The main engine of the stateful firewall is implemented for maintaining connection states, and then features such as virus scanning, URL filtering, Java/ActiveX filtering etc. are superimposed over it to get the best of both worlds.
Advantage
• This improves performance, as not every packet is compared with the rule base: only SYN packets are compared with the Rulebase. All other packets are compared to the state table in kernel memory (which is very fast).
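The SYN-versus-state-table flow described above, as an added toy model (not Check Point code): SYN packets are matched top-down against the rulebase, every non-SYN packet is checked only against the connection table, and a counter shows how rarely the rulebase is consulted. Rule and packet fields are a constructed simplification (single IP addresses, one direction only, no reply-path tracking).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    syn: bool = False        # True only for the first packet of a TCP connection

@dataclass
class Rule:
    src: str                 # "ANY" or a single IP address (constructed; no groups/CIDR)
    dst: str
    service: str             # "ANY" or "<proto>/<port>"
    action: str              # "ACCEPT" or "DROP"

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    svc = f"{pkt.proto}/{pkt.dport}"
    return (rule.src in ("ANY", pkt.src) and rule.dst in ("ANY", pkt.dst)
            and rule.service in ("ANY", svc))

@dataclass
class StatefulFirewall:
    rulebase: list
    state_table: set = field(default_factory=set)   # the "kernel memory" table of the slides
    rulebase_lookups: int = 0                       # how often the rulebase was walked

    @staticmethod
    def _key(pkt: Packet):
        # Session identity; reply direction is not modelled in this toy.
        return (pkt.src, pkt.dst, pkt.proto, pkt.dport)

    def inspect(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if not pkt.syn:
            # Non-SYN packets never touch the rulebase: accepted only if the
            # session already exists in the state table, otherwise dropped.
            return "ACCEPT" if key in self.state_table else "DROP"
        self.rulebase_lookups += 1
        for rule in self.rulebase:                  # top-down, first match wins
            if rule_matches(rule, pkt):
                if rule.action == "ACCEPT":
                    self.state_table.add(key)       # session entered into the state table
                return rule.action
        return "DROP"                               # implicit deny at the end of the rulebase
```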
What does a Firewall do?
• Define security boundaries to block/permit untrusted/trusted access to internal resources, thereby protecting networks and hosts.
• Restrict external access.
• Log network activities.
• Intrusion detection.
• Restrict information transfer to/from the net.
• Address Translation
• Authentication
• Content Security
• Logging network activity
• VPN Termination
What a Firewall cannot do
• It cannot protect against traffic that does not pass through the firewall.
• Firewall policies must be realistic and reflect the level of security in the entire network.
• It cannot prevent attacks through already open holes (i.e. permitted ports such as telnet and http).
Checkpoint Power-1 Appliance
Checkpoint Firewall
• This is a software firewall and one of the
earliest firewalls to use Stateful inspection.
• It is modular in nature, with separate
functions incorporated in each module.
Packet Inspection and decision making process

Inspection Module Flow


Checkpoint Firewall Components
• Management Server
• Firewall Security Gateway
• Smart Console /Dashboard (GUI)
Management Server
• The Management module maintains the FireWall-1 databases, including network object definitions, user definitions, the Security Policy, and log files for any number of firewalled enforcement points.
• Once the security policy is configured on the management module, it is pushed to the enforcement module, which actually implements the policy.
Firewall Module (Enforcement Module)
• The Firewall Module is at the junction between the protected network and the public network.
• It is the module which actually implements the security policy by examining each and every packet that flows in or out of the network.
• The Management Server downloads the Security Policy to the Firewall Module.
• The Firewall Module can be installed on a broad range of platforms.
Checkpoint GUI (Smart console)
• An enterprise-wide Security Policy is defined and managed using a graphical user interface.
• The Security Policy is defined in terms of network objects (for example, hosts, networks, gateways, etc.) and security rules.
• The FireWall-1 GUI also includes a Log Viewer and System Status Viewer.
Check Point Three-Tier Architecture
Firewall Models
– Single Gateway product
– Enterprise Gateway product (Distributed Setup)
Single vs Enterprise Gateway
• In the Single gateway product, the Management
module and firewall module reside on the same
machine.
– This is suitable for small organizations with only one
office.
• In the Enterprise gateway product, the management
module and the firewall module reside on different
machines.
– This is suitable for large enterprises with several
branch offices.
– The management module can be located at the central office, and at the branch offices you can have only the firewall modules.
– The security policy can be pushed from the central
management module to all the branch offices’
firewall modules.
Enterprise Gateway Setup (Distributed setup)
Licensing
• The Checkpoint Firewall needs to be licensed
before it can be used.
• Licenses primarily specify the number of IP
addresses that will be protected by Firewall-1,
that is, the number of hosts behind the
firewall.
• The License will also decide which features are
enabled on the firewall.
• The license is bound to
– The IP address of the firewall machine
–The operating system
–The hardware platform
• Any time these three parameters change, a
new license should be requested.
Types of Licensing
• Central License
• Local License
Central License
• Here the Module License is bound to the IP
address of the Management Server.
• That is, the Management Server IP address is
used for issuing the license.
• The advantage is that, even if the IP address of
the local module (to which the license is
issued) changes, there is no need to re-issue
the license.
Local License
• Here the Module License is bound to the IP address of the module to which the license is issued. If the IP address of the local module changes, the license needs to be re-validated.
• This means that separate licenses should be issued for the management module as well as the firewall module.
• Any change in either module implies that the licenses should be changed.
Checkpoint Firewall Rulebase
Firewall-1 Rulebase
• The Rule base is where you actually define which traffic can be allowed and which traffic has to be dropped when passing through the firewall.
• It consists of a set of rules defining the security policy of the organization.
• The rule base is processed in a top-down fashion.
• This means that when a packet is received it is compared with the first rule in the rule base. If there is a match, the corresponding action is taken.
• If there is no match, the next rule is checked, and so on, till the end of the rule base.
• If no match is found, the packet is dropped.
• This is known as the "implicit deny" at the end of the rule base.
Firewall-1 Implied Rules
• All other traffic through the firewall, including ICMP, is blocked.
• If you want to permit any traffic, you have to add rules explicitly in the rule base.
• Implied Rules can be modified through the Policy Editor from Policy Global Properties.
Format of a rule
Stealth and Cleanup Rule
• Before creating any rules to implement the
security policy of your organization, it is
recommended that you create a “stealth rule”
and a “cleanup rule” and sandwich all the
other rules between these two rules.
• The stealth rule should be the first rule in the
Rule base.
• This rule is defined to protect the firewall itself
and it will drop all traffic which is destined to
the firewall itself.
• This means that the source should be set to
ANY, destination to the firewall object, service
ANY and the action should be DROP. Also
make sure that you log this rule.
Cleanup Rule
• By default, anything that is not explicitly permitted is dropped, and no log is maintained for dropped packets.
• To see which packets did not match any rule in the rule base, you have to define an explicit drop rule in the policy and enable tracking.
• The cleanup rule will have Source ANY, Destination ANY, Service ANY, Action DROP, and Track will be LOG.
• The cleanup rule should be the last rule in the rule base.
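The stealth/cleanup sandwich and the top-down evaluation of the two sections above, as an added toy evaluator (not Check Point code): it shows that the implicit deny drops silently while the cleanup rule drops with a log entry, and that rule order decides the outcome. FIREWALL_IP, WEB_SERVER and the single-IP rule fields are constructed simplifications.

```python
from dataclasses import dataclass

FIREWALL_IP = "203.0.113.1"   # constructed: the firewall object's own address
WEB_SERVER = "10.0.0.5"       # constructed: a public web server in the DMZ

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # "ANY" or a single IP (constructed; no groups/CIDR)
    dst: str
    service: str              # "ANY" or "<proto>/<port>"
    action: str               # "ACCEPT" or "DROP"
    track: str = "NONE"       # "LOG" or "NONE"

def build_rulebase(with_cleanup: bool = True) -> list:
    """Sandwich the policy rules between the stealth rule and the cleanup rule."""
    # Stealth rule: first in the rule base, protects the firewall itself, logged.
    stealth = Rule("stealth", "ANY", FIREWALL_IP, "ANY", "DROP", "LOG")
    policy = [Rule("allow-web", "ANY", WEB_SERVER, "tcp/80", "ACCEPT", "LOG")]
    # Cleanup rule: last in the rule base, any/any/any DROP with tracking LOG.
    cleanup = [Rule("cleanup", "ANY", "ANY", "ANY", "DROP", "LOG")] if with_cleanup else []
    return [stealth] + policy + cleanup

def evaluate(rulebase: list, src: str, dst: str, service: str, log: list) -> str:
    """Top-down, first match wins; no match is the implicit deny (no log entry)."""
    for rule in rulebase:
        if (rule.src in ("ANY", src) and rule.dst in ("ANY", dst)
                and rule.service in ("ANY", service)):
            if rule.track == "LOG":
                log.append(f"{rule.name}: {rule.action} {src} -> {dst} {service}")
            return rule.action
    return "DROP"             # implicit deny: dropped, but nothing is written to the log
```

Reversing the rule order in the test puts the cleanup rule first, so every packet, including permitted web traffic, is dropped by it.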
Accept Rule example
Drop Rule Example
Sample Rules
Thank You.
M Shanmugapriya.