Workshop April 2015 Benoit Buonassera benoitb@checkpoint.com 06 72 94 19 98
BE YOUR CUSTOMER'S BEST ADVISOR By using the Security Checkup tool you will increase your business opportunities while bringing added value to your customers
EXPOSE SECURITY RISKS ORGANIZATIONS ARE NOT AWARE OF
ENHANCE THE VALUE TO CUSTOMERS
THE REPORT: risky web applications and sites; data loss incidents; malware-infected computers; exploited vulnerabilities; bandwidth analysis; compliance and security policy check
PROTECTION RECOMMENDATIONS for each of those areas: risky web applications and sites; data loss incidents; malware-infected computers; exploited vulnerabilities; bandwidth analysis; compliance and security policy check
ONE ASSESSMENT, FOUR STEPS: 1. Configure a Security Gateway and activate the Software Blades. 2. Connect it to the network to inspect the customer's traffic. 3. Generate the report to analyze events and summarize findings. 4. Present the findings and advise the customer how to enhance their security.
GET A DISCOUNTED DEMO UNIT, OR USE AN OPEN SERVER OR VIRTUAL MACHINE
CUSTOMER FORM, PRESENTATIONS, PREPARATION GUIDE, SAMPLE REPORT, LOGOS, CLOUD SERVICE PACKAGE: checkpointfrance.fr/index.php/securitycheckup
MORE INFORMATION ON PARTNERMAP
GENERATE MORE BUSINESS OPPORTUNITIES WHILE BRINGING ADDED VALUE TO YOUR CUSTOMERS
70% OF SECURITY CHECKUPS BECOME VALID BUSINESS OPPORTUNITIES * Worldwide, based on internal data, January 2012 to July 2014
BE YOUR CUSTOMER'S BEST ADVISOR
Agenda 1. Presentation (45 min): Architecture, Qualification, Configuration 2. Lab (1h30) 2015 Check Point Software Technologies Ltd.
Architecture: best practices
Mirror port architecture (diagram: firewall in the production data center, with the Security Checkup gateway fed from a mirror port)
Feature limitations in a mirror port deployment:
- IPS blade: detect only; a few protections will not work
- URL Filtering: no UserCheck
- Application Control: no UserCheck
- DLP: no FTP, no UserCheck; Prevent and Ask actions are automatically demoted to the Inform action
- Identity Awareness: no Captive Portal or Identity Agent
- Anti-Virus: detect only; Proactive Mode and FTP cannot be used
- Anti-Bot: detect only
- HTTPS Inspection: not supported
Feature limitations without Internet access:
- IPS blade: no updates
- Application Control: no widget detection
- URL Filtering: no categorization
- Anti-Virus: partial (no ThreatCloud usage), local signatures only and no updates
- Anti-Bot: partial
Customer qualification and preparation
Ask the customer to fill in the localized form. Parameters to collect (details will be requested during the PoC):
- IP address for the appliance, with subnet mask
- Default gateway (IP address)
- DNS server(s) (IP addresses)
- List of internal networks (IP addresses and masks)
- Email domain names
- AD domain administrator account
Choose the location wisely: do not mirror an entire switch to one mirror port. For example, only mirror Rx/Tx from the router or firewall external interface. Configure the SPAN port on their switch.
Configuration how-to
Download links: ISOmorphic; R77_QuickSetup_Package (Security Checkup tool package); link to generate an evaluation license
Restore to a factory default image: reboot the appliance and use the boot menu to restore, or use ISOmorphic for a fresh installation
Gaia Quick Setup for Security Checkup: Gaia R77.20 Quick Setup is intended for quick deployment with preconfigured settings. Two installation methods with the Check Point Upgrade Service Engine (CPUSE): online or offline.
Check Point Upgrade Service Engine (CPUSE)
Topology: remove the Anti-Spoofing configuration from all interfaces. Management and mirror ports: eth0, eth2, eth3. Internet: eth1.
Firewall blade: only one rule, without logs
Firewall blade: set the TCP End Timeout; disable Out of State protections
Firewall blade: disable "reject_x11_in_any"
IPS blade: update IPS; use the Recommended policy; set the policy to Detect-only mode; activate «Perform IPS inspection on all traffic»
Application Control: ensure the destination is Any (and not Internet); update the Applications and URLs database; categorize HTTPS sites
DLP blade: run the command dlp_smtp_mirror_port enable; in the DLP Wizard, configure the My Organization object (internal network object, all users, email domain name)
Threat Prevention blades: use the Recommended profile in Detect mode; activate inspection on all traffic
Threat Emulation cloud services: the ThreatCloud Emulation Service needs an EVAL license and a CONTRACT file to work; both need to come from the same UserCenter account
SmartLog
Log settings: activate SmartLog and configure log storage
SmartEvent: activate it, select the internal networks, install the SmartEvent policy
Customer site: plug and play
Mirror port switch configuration (commands and what they do):
Cisco:
  configure terminal
  monitor session 1 source interface fa0/1,fa0/2,fa0/11
  monitor session 1 destination interface fa0/12
  Comment: copy everything entering or leaving ports 1, 2 and 11 to interface fa0/12
HP:
  mirror-port 8
  interface 1-4 monitor
  show monitor
  Comment: copy everything entering or leaving ports 1 to 4 to interface 8
Enterasys:
  set port mirroring create ge.1.4 ge.1.11
  show port mirroring
  Comment: copy everything entering or leaving port ge.1.4 to interface ge.1.11
Alcatel:
  port mirroring 6 source 2/3 destination 2/4
  show port monitoring status
  Comment: copy everything entering or leaving port 2/3 to interface 2/4
Extreme Networks:
  config mirroring add ports 1,2,5,8
  enable mirroring to port 9 untagged
  show mirroring
  Comment: copy everything entering or leaving ports 1, 2, 5 and 8 to interface 9
Use tcpdump on the gateway to test the mirror: tcpdump -i eth2 (the mirror interface, eth2 or Lan2 depending on the appliance)
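The two practical points above (do not mirror a whole switch into one SPAN port, and the per-vendor command lines) can be combined into a small planning helper. This is an added example, not a tool from the deck or from Check Point; the Port class, the plan() function and the link speeds are assumptions, and only the Cisco and Extreme command forms from the table are generated.

```python
from dataclasses import dataclass


@dataclass
class Port:
    name: str
    speed_mbps: int  # link speed; a full-duplex mirror source can emit 2x this


def oversubscription_ratio(sources, dest):
    """Worst-case Rx+Tx ingress into the SPAN destination, divided by its speed.
    A ratio above 1.0 means the switch can drop mirrored frames, which the
    gateway never sees and the report therefore never counts."""
    worst_case_mbps = sum(2 * p.speed_mbps for p in sources)
    return worst_case_mbps / dest.speed_mbps


def span_commands(vendor, sources, dest):
    """Configuration lines as listed in the deck's table (Cisco IOS, Extreme)."""
    names = ",".join(p.name for p in sources)
    if vendor == "cisco":
        return ["configure terminal",
                f"monitor session 1 source interface {names}",
                f"monitor session 1 destination interface {dest.name}"]
    if vendor == "extreme":
        return [f"config mirroring add ports {names}",
                f"enable mirroring to port {dest.name} untagged"]
    raise ValueError(f"unsupported vendor: {vendor}")


def plan(vendor, sources, dest):
    """Return (commands, warning); warning is None when the SPAN port is safe."""
    ratio = oversubscription_ratio(sources, dest)
    warning = None
    if ratio > 1.0:
        warning = (f"SPAN destination {dest.name} can be oversubscribed "
                   f"{ratio:.1f}x: mirror only the router/firewall uplink")
    return span_commands(vendor, sources, dest), warning


if __name__ == "__main__":
    # Constructed lab values: three 1 Gbps access ports into a 1 Gbps SPAN port.
    srcs = [Port("fa0/1", 1000), Port("fa0/2", 1000), Port("fa0/11", 1000)]
    cmds, warn = plan("cisco", srcs, Port("fa0/12", 1000))
    print("\n".join(cmds))
    print(warn)
    # Only the 100 Mbps firewall external interface: fits in a 1 Gbps SPAN port.
    print(plan("cisco", [Port("fa0/1", 100)], Port("fa0/12", 1000))[1])  # None
```

A warning from plan() is the signal to narrow the source list to the router or firewall uplink before the PoC starts, since dropped mirrored frames make every blade under-report.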
Dashboard: install SmartDashboard on the customer's computer and take a tour with them: Policy (Dashboard), Logs (SmartLog), Events and Reports (SmartEvent)
Identity Awareness: activate AD Query; you need administrator credentials
Testing AD connectivity: SmartView Monitor; adlog a dc; test_ad_connectivity
Windows audit policy and WMI: gpupdate /force
Reports: schedule some predefined reports and automatically send them by email
Before you leave: cpsizeme
Launch cpsizeme: a lightweight shell script that measures resource utilization on the Security Gateway (CPU, memory consumption, throughput, etc.). See sk88160: The Check Point Performance Sizing Utility
After the PoC: to-do list
Checkup Report
Post PoC:
- Generate the Security Checkup report (output folder: C:\Program Files (x86)\checkpoint\SmartConsole\R77.xx\PROGRAM\data\ClientGeneratedReports\Output)
- Personalize it and send it to the customer
- Anonymize it and send it to your Check Point representative, together with the Excel file
- Upload the cpsizeme results to the appliance sizing tool and generate the cpsizeme report
- Use CPLogInvestigator (sk87263) to analyze log sizes
- Reset to factory default
Lab
Lab network (diagram): host machine .2 (default route); VMNet8 (NAT) 192.168.80.0/24; VMNet1 192.168.1.0/24; Win2K3 AD .80; Win7 Dashboard .90; R77.20 Security Checkup gateway .100 on eth0, eth1 192.168.1.1, mirror interfaces eth2 and eth3 (MIRROR-1, MIRROR-2)
Customer parameters (lab values):
- IP address for the appliance, with subnet mask: 192.168.80.100 / 24
- Default gateway (IP address): 192.168.80.2
- DNS server(s) (IP addresses): 192.168.80.80
- List of internal networks (IP addresses and masks): 192.168.80.0 / 24
- Email domain names: checkpoint.test.com
- AD domain administrator account: Administrator / vpn123
Keyboard US/FR: the QuickSetup package sets Gaia to a US keyboard. Procedure to set it back to FR:
  # dbset keyboard:mapping fr
  # dbset :save
  # /bin/kbd_map_xlate keyboard:mapping < /config/db/initial_db
Traffic generation, from the Windows 7 VM, My Documents folder:
- Lock/unlock the Windows session to test Identity Awareness
- test-urlf.bat to test URL Filtering
- ubuntu.torrent to test Application Control
- ab-av-demo-tool.exe for Anti-Virus/Anti-Bot
- 192.168.80.80/te for Threat Emulation
- Download a few files onto the VM; warning: these are real viruses
- dl.free.fr to test DLP with cards.txt and source-code.c
Run the tests with the accounts jlennon / vpn123, rstarr / vpn123, wmozart / vpn123