[Protected] For public distribution
Best Practice 3D Security Report Version 4.0 15.05.2013
Changelog
Date Name Changes
2012 Matthias Schungel (Master of 3D Report) Initial document
17.05.2013 Thomas Werner Added Performance and troubleshooting section
17.05.2013 Matthias Schungel (Master of 3D Report) Bugfixes
27.05.2013 Henning Ermert Updated to reflect v.1.16
Please send any comments or questions to [email protected].
Contents
1. Install from Image
2. Mirror Port configuration
   a. Configure Mirror Ports
   b. Enable DLP for Mirror Port Setup
   c. Configure Mirror Port Topology
   d. Install policy
3. Configure the Gateway
   a. Active software blades
   b. Configure -> Global properties
   c. Configure -> Firewall Blade
   d. Configure -> IPS Blade
   e. Configure -> Application Control & URL Filtering blade
   f. Configure -> DLP blade
   g. Configure -> Anti-Bot and Anti-Virus Blade
   h. Install Policy
4. Configure the Management
   a. Configure -> SmartEvent
5. Sample Switch Configurations for Mirror Port
6. Example setup & how to start at customer side
   a. Appliance
   b. Checks
   c. Connecting the mirror port interface
7. Observing and troubleshooting performance
   a. CPU
   b. Memory
   c. Network
   d. Cores
8. Fine tuning performance
   a. Reducing CPU Utilization
   b. Reducing Logs (Relevant for R75.40 and above)
   c. Reducing Memory Consumption
©2012 Check Point Software Technologies Ltd. All rights reserved. [Protected] For public distribution
1. Install from Image
R76 GAiA
R76 Gaia Fresh Install/Upgrade Package for Open Servers/Power-1/UTM-1/2012 Models/IP/Smart-1 5,25,50,150
- Install & first-time configuration of R76 GAiA
- Install 30-day eval license + contract
Download R76 3D REPORT TOOL Ver1.16
a. Install SmartEvent Supplement
1. The SmartEvent supplement file is located in the tool's package and is named R75.45_REPORT_TOOL-SME-PACK-<ver>.tgz
2. Make a new directory on the SmartEvent Server, under /var, named install.
3. Copy the .tgz file to the server's /var/install directory (copy the file in binary mode).
4. Verify that the file transferred correctly by comparing its MD5 with the value published for the download: run md5sum on the file in the install directory and compare the two digests; do not continue on a mismatch.
5. In the install directory on the server, run (use the file name of the package you actually downloaded):
   > tar xvzf R76_REPORT_TOOL-SME-PACK-<ver>.tgz
   > chmod 777 se_script
   > ./se_script
   Note: chmod u+x se_script is sufficient; the script only needs to be executable by the user running it, and world-writable files under /var/install are not needed.
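The following script carries out steps 2 to 5 with the checksum comparison made explicit: it is an added example, not part of the Check Point package or this document. It assumes the package has been copied to /var/install (the directory the guide uses) and that the expected digest is the one taken from the download page, not one computed on the server; the script name install_sme.sh is an assumption as well.

```shell
#!/bin/sh
# Added example, not from the Check Point document: unpack and run the
# SmartEvent supplement only after its MD5 matches the published value.
# Assumptions: package already copied to /var/install; EXPECTED_MD5 comes
# from the download page (copy it by hand, do not compute it on the server).

# md5_of FILE -> prints the lowercase hex MD5 of FILE
md5_of() {
    md5sum "$1" | awk '{ print $1 }'
}

# verify_md5 FILE EXPECTED -> 0 if the digests match, 1 otherwise
# (case of the expected digest does not matter; mismatch goes to stderr)
verify_md5() {
    actual=$(md5_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $1: got '$actual', expected '$expected'" >&2
    return 1
}

# install_supplement PACKAGE EXPECTED_MD5 [DIR]
# PACKAGE is a file name inside DIR (default /var/install). The archive is
# extracted and se_script is run only after the checksum check passed.
install_supplement() {
    pkg=$1; expected=$2; dir=${3:-/var/install}
    verify_md5 "$dir/$pkg" "$expected" || return 1   # fail closed on a bad transfer
    (
        cd "$dir" || exit 1
        tar xvzf "$pkg" || exit 1
        chmod u+x se_script        # executable by the installing user; 777 is not needed
        ./se_script
    )
}

# Usage on the SmartEvent server (expert mode):
#   sh install_sme.sh R76_REPORT_TOOL-SME-PACK-<ver>.tgz <md5-from-download-page>
if [ $# -eq 2 ] || [ $# -eq 3 ]; then
    install_supplement "$1" "$2" "${3:-/var/install}"
fi
```

MD5 here only detects a corrupted or truncated transfer (which is all the guide asks for); it is not an authenticity check, so the package itself must still come from the vendor's download portal.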
b. Install 3D Report Ver.1.16 Smart Console Version Install the 3D Security Analysis Report Tool SmartConsole on a Windows computer with MS Office 2003 or 2010. Although it is a special R76 SmartConsole, it works with any R76 Security Management Server. To install the GUI of this tool: 1. Copy the SmartConsole file to the Windows computer. 2. Double-click the executable and follow the wizard.
2. Mirror Port configuration
a. Configure Mirror Ports (if needed, you can define more than one)
   Create the monitor interface via clish:
     clish> set interface eth0 monitor-mode on   (eth0 is an example)
   Or via the WebUI:
     Go to the "Network Interfaces" tab. Select the required interface and click "Edit". Go to the "Ethernet" tab. Check the "Monitor Mode" checkbox and click "OK".
b. Enable DLP for Mirror Port Setup
If needed, enable DLP for SMTP monitoring via the CLI:
   expert> dlp_smtp_mirror_port enable
c. Configure Mirror Port Topology
After the initial gateway setup, open the Security Gateway object in SmartDashboard > Topology > Get > Interfaces with Topology... > Yes > Accept. Configure the Mirror Port interface with Network Type "Internal" and Topology "Not Defined". Remove the Anti-Spoofing configuration from all other interfaces (the gateway only observes traffic on the mirror port, so spoofing checks would only produce false drops and logs). In the example below, eth1 is the Mirror Port.
d. Install policy
Ignore the topology warning about missing Anti-Spoofing.
3. Configure the Gateway
a. Active software blades
b. Configure -> Global properties
i. In Policy > Global Properties > SmartDashboard Customization > Advanced Configuration > Configure, click the Configure button.
   In FireWall-1 > Stateful Inspection, uncheck "reject_x11_in_any".
ii. In Policy > Global Properties > Stateful Inspection:
   Change the TCP session timeout to 60 seconds.
   Change the TCP end timeout to 5 seconds.
c. Configure -> Firewall Blade
Activate logging only if needed for troubleshooting
d. Configure -> IPS Blade
Edit the Gateway properties and change the Protect Scope to "Perform IPS inspection on all traffic" with the "Recommended_Protection" IPS profile.
Also, in the IPS tab, edit the Aggressive Aging protection (an IPS protection) so that it is enabled with the following settings:
   TCP Start Timeout: 5
   TCP Session Timeout: 55
   TCP End Timeout: 3
Set tracking for the protection to None.
Eliminating some IPS False Positives
Enabling PSL Tap Mode
Edit $FWDIR/modules/fwkern.conf (create if it doesn't exist) and add the following lines:
psl_tap_enable=1
fw_tap_enable=1
Reboot the Security Gateway.
Do not forget to update the IPS protection signatures:
e. Configure -> Application Control & URL Filtering blade
Ensure the destination is Any (not Internet, which is the default).
If the 3D report covers a high-bandwidth link and you are monitoring for several days or weeks, use Log rather than Extended Log in the Track field; this reduces the time needed to generate the 3D Report Word document. Go to the Engine Settings and enable the following options:
f. Configure -> DLP blade
i. Define the E-Mail domains
ii. Do NOT enable DLP on FTP (it is off by default)
iii. Enable SMTP only if you are using R75.40 and have applied the patch (see above).
iv. Proxy - use this procedure if a proxy (or proxies) is used for HTTP traffic at the customer:
1. In SmartDashboard, go to the Objects Tree and select the Services tab.
2. Edit the TCP service: HTTP_and_HTTPS_proxy.
3. Click Advanced.
4. Select Protocol Type, and choose HTTP.
5. Enable Match for ‘Any’
6. Click OK
v. Define customer rules
g. Configure -> Anti-Bot and Anti-Virus Blade
Define the Protected Scope (internal networks)
Ensure you are using a detect-only policy similar to:
And make sure the profile specifies that all file types/directions are scanned:
h. Install Policy
Install the new policy.
Note: for testing with the EICAR test file, see SK44781.
4. Configure the Management
a. Configure -> SmartEvent
i. Define the internal network (the same object used in the Anti-Bot policy)
ii. Install the SmartEvent policy
5. Sample Switch Configurations for Mirror Port

Switch type: Extreme Summit 200-24
CLI commands:
   enable mirroring to port 23 untagged
   configure mirror add port 1
   configure mirror add port 2
   configure mirror add port 3
   configure mirror add port 16
   configure mirror add port 14
Comments: Make sure the relevant port (23 in this example) is not tagged.

Switch type: Cisco Catalyst 2850, 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, 3750-E, 4500/4000 and C6500/6000 Series Switches that run Cisco IOS system software, and Cisco Nexus Series Switches that run NX-OS software
CLI commands:
   conf t
   monitor session 1 source interface gigabitEthernet 0/17 both
   monitor session 1 destination interface gigabitEthernet 0/15
   exit
   write mem
Comments:
   Syntax:
     monitor session session_number source interface interface-id [, | -] [both | rx | tx]
     monitor session session_number destination interface interface-id
   The source interface is the interface connected to the router leading to the internet, and the destination interface is the mirror port.
     both - monitor both received and sent traffic.
     rx - monitor received traffic.
     tx - monitor sent traffic.

Switch type: Cisco Catalyst 2900, 4500/4000, 5500/5000, and 6500/6000 Series Switches that run CatOS
CLI commands:
   Syntax: set span source_port destination_port [rx | tx | both]

Switch type: Juniper EX-2200
CLI commands:
   root@switch# edit
   root@switch# set ethernet-switching-options analyzer mirror-3d input egress interface ge-0/0/6.0
   root@switch# set ethernet-switching-options analyzer mirror-3d input ingress interface ge-0/0/6.0
   root@switch# set ethernet-switching-options analyzer mirror-3d output interface ge-0/0/13.0
   root@switch# commit
Comments:
   Input port is ge-0/0/6.0; output / mirrored port is ge-0/0/13.0.
   mirror-3d is the name given to the "analyzer" instance.
   The input needs both ingress and egress in order to see the entire connection setup.

Switch type: HP Procurve Switches
Comments: Some HP Procurve switch models only provide ingress traffic when configured in monitor mode. See the HP knowledge base article (a bit outdated).

Switch type: RouterBoard 250GS
Comments: A great, cheap switch to use in situations where the customer is unable to provide a mirror port!
Important!
Check the switch statistics. If the port you want to monitor has a peak utilization of more than 50% (a 1 Gbps port carries up to 2 Gbps in total: 1 Gbps TX plus 1 Gbps RX, while a single monitor port can only send 1 Gbps towards the PoC device), split the monitor: send the TX packets to one port and the RX packets to another (this is what TAPs do). This avoids oversubscription of the switch monitor/SPAN port and makes sure all packets reach the PoC device.
The PoC device must then be configured in bridge mode, with the TX and RX monitor/SPAN ports connected to the two sides of the bridge.
In most cases a setup with separate TX and RX SPAN ports in bridge mode will give better performance on the device, since you can then configure a topology. This lets the inspection engine understand which traffic is outbound and which is inbound and work more efficiently.
6. Example setup & how to start at customer side
a. Appliance
- Management interface (can be used for updates), or a separate interface for updates. A proxy can be used, but the gateway is not able to authenticate to it with username & password.
- Monitor interfaces
b. Checks
Check the setting with the customer (IP Addresses & GW configuration)
Check DNS & Routing (for the update interface)
Check updates & contract enforcement (IPS, APPC, AntiBot & Antivirus)
c. Connecting the mirror port interface
Check that the monitor interface is only receiving packets, never transmitting (tcpdump & show interface).
Check system health (CPUs, interface queues etc.).
Check SmartView Tracker and SmartEvent.
! Important ! From any client that is "seen" via the mirror port interface, open http://www.google.co.il once (this is needed to determine the traffic flow).
After collecting the logs, enable the 3D Report in Smart Event.
And generate the Report.
Good luck!
7. Observing and troubleshooting performance
a. CPU
i. cpstat -f cpu os
ii. cpstat -f multi_cpu os
iii. top (press “1” to see all cores)
iv. cat /proc/interrupts
b. Memory
i. cpstat -f memory os
ii. fw ctl pstat
iii. cat /proc/meminfo
c. Network
i. netstat -ni
ii. ifconfig eth1 (=> look for dropped packets on the mirror port; TX should stay at 0)
iii. netstat -s
iv. ethtool -S eth1
d. Cores
i. fw ctl multik stat
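The two checks above that concern the mirror port (section 6c: the monitor interface must only receive; section 7c: look for drops on eth1) can be automated. The script below is an added example, not part of the Check Point document: it parses the counters that ifconfig prints and flags a mirror port that transmits or drops. It assumes the classic net-tools output format ("RX packets:N errors:N dropped:N ...") as found on Gaia; the two ifconfig samples are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not from the Check Point document: sanity-check the mirror
# (monitor-mode) interface from the counters that "ifconfig eth1" prints.
# A healthy mirror port only receives: TX packets stay at 0, and RX dropped /
# overruns stay at 0 (a growing count means the SPAN port or the NIC ring is
# oversubscribed). Assumption: classic net-tools output format, as on Gaia.

# Constructed samples (not real captures): a clean mirror port and a bad one.
SAMPLE_OK='eth1      Link encap:Ethernet  HWaddr 00:1C:7F:12:34:56
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:48211987 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:39920812345 (37.1 GiB)  TX bytes:0 (0.0 b)'

SAMPLE_BAD='eth1      Link encap:Ethernet  HWaddr 00:1C:7F:12:34:56
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:48211987 errors:0 dropped:15327 overruns:15327 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:39920812345 (37.1 GiB)  TX bytes:3024 (2.9 KiB)'

# ifconfig_field OUTPUT DIRECTION FIELD -> value of FIELD on the "RX packets:"
# or "TX packets:" line, e.g. ifconfig_field "$SAMPLE_BAD" RX dropped -> 15327
ifconfig_field() {
    printf '%s\n' "$1" | awk -v dir="$2" -v fld="$3" '
        $1 == dir && $2 ~ /^packets:/ {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")
                if (kv[1] == fld) { print kv[2]; exit }
            }
        }'
}

# mirror_port_check OUTPUT -> 0 if the interface looks like a healthy mirror
# port, 1 otherwise; findings are printed on stdout.
mirror_port_check() {
    out=$1
    rc=0
    tx=$(ifconfig_field "$out" TX packets)
    drop=$(ifconfig_field "$out" RX dropped)
    ovr=$(ifconfig_field "$out" RX overruns)
    if [ "${tx:-0}" -ne 0 ]; then
        echo "WARN: mirror port transmitted $tx packets; it should only receive (check monitor-mode and topology)"
        rc=1
    fi
    if [ "${drop:-0}" -ne 0 ] || [ "${ovr:-0}" -ne 0 ]; then
        echo "WARN: RX dropped=$drop overruns=$ovr; SPAN port or NIC ring oversubscribed, consider splitting TX/RX"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: receive-only, no drops"
    return "$rc"
}

# On the gateway:  sh mirror_check.sh --live eth1   (checks the real interface)
# Without arguments the script runs against the constructed samples.
if [ "${1:-}" = "--live" ]; then
    mirror_port_check "$(ifconfig "${2:-eth1}")"
else
    mirror_port_check "$SAMPLE_OK"  || :
    mirror_port_check "$SAMPLE_BAD" || :
fi
```

Run it twice a few minutes apart: absolute counters since boot are less telling than whether the dropped count is still growing while the report data is being collected.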
8. Fine tuning performance
a. Reducing CPU Utilization
The settings below relax stateful inspection checks. They are appropriate for a passive mirror-port deployment, where the gateway only observes traffic and may see it out of order or in one direction only; they should not be carried over to an inline production gateway.
1. Tweak some settings in GuiDBedit (<SmartConsole installation directory>\PROGRAM\GuiDBedit.exe).
   For each of the following attributes, search for all occurrences of the attribute in the DB (there might be more than one; use the 'Find next' option) and change them to the specified value:

   Attribute                      Value
   fw_trust_suspicious_rst        true
   fw_trust_suspicious_estab      true
   fw_rst_expired_conn            false
   log_local_inf_addr_spoofing    none    (relevant in R75.40)

   Save and close GuiDBedit.
2. Turn off Sequence Verifier in IPS:
In SmartDashboard: IPS > Protections > By Protocol > IPS Software Blade > Network
Security > TCP > Sequence Verifier.
Make protection inactive for all profiles.
3. Disable Out of State protections:
   i. In SmartDashboard: Policy > Global Properties > Stateful Inspection
   ii. Uncheck "Drop out of state TCP packets"
   iii. Uncheck "Drop out of state ICMP packets"
4. Install Policy
b. Reducing Logs (Relevant for R75.40 and above)
Reducing excessive streaming engine logs
1. Edit $FWDIR/modules/fwkern.conf (create if it doesn't exist) and add the following line:
fwpslglue_seg_limit_enforce=0
2. Reboot the Security Gateway
Eliminating Local Interface Address Spoofing messages
In GuiDBedit, set log_local_inf_addr_spoofing to none and install policy.
c. Reducing Memory Consumption
To be used only in case of high memory consumption.
Reducing streaming engine windows to 256 KB
1. Edit $FWDIR/modules/fwkern.conf (create it if it doesn't exist) and add the following line:
   psl_max_dynamic_window=262144
2. Reboot the Security Gateway
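Sections 3d, 8b and 8c all end with "add the following line to $FWDIR/modules/fwkern.conf"; done by hand on a gateway that has already been tuned once, that leaves duplicate entries whose precedence is unclear. The script below is an added example, not from the Check Point document or tool: it sets each parameter exactly once (replace if present, append otherwise) and reads back what will apply after the next reboot. The parameter names and values are the ones the document uses; the script name tune_fwkern.sh and the "low-memory" switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the Check Point document: maintain kernel parameters
# in $FWDIR/modules/fwkern.conf without duplicate lines. The file path defaults
# to the Check Point location and can be overridden (e.g. for a dry run).

# set_kparam NAME VALUE [FILE]: replace an existing NAME= line or append one.
set_kparam() {
    name=$1; value=$2; file=${3:-$FWDIR/modules/fwkern.conf}
    [ -f "$file" ] || : > "$file"            # create if it doesn't exist
    if grep -q "^${name}=" "$file"; then
        tmp="${file}.tmp.$$"                 # rewrite via temp file; sed -i is not portable
        sed "s/^${name}=.*/${name}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_kparam NAME [FILE]: print the configured value, or nothing if unset.
get_kparam() {
    file=${2:-$FWDIR/modules/fwkern.conf}
    [ -f "$file" ] || return 1
    sed -n "s/^${1}=//p" "$file" | tail -n 1
}

# apply_3d_tuning [FILE] [low-memory]: the fwkern.conf settings from this guide.
apply_3d_tuning() {
    f=${1:-$FWDIR/modules/fwkern.conf}
    set_kparam psl_tap_enable 1 "$f"                # section 3d: PSL tap mode
    set_kparam fw_tap_enable 1 "$f"
    set_kparam fwpslglue_seg_limit_enforce 0 "$f"   # section 8b: fewer streaming-engine logs
    # section 8c: 256 KB streaming window, only when memory really is short
    [ "${2:-}" = "low-memory" ] && set_kparam psl_max_dynamic_window 262144 "$f"
    return 0
}

# Usage on the gateway (expert mode):   sh tune_fwkern.sh --apply [low-memory]
# The file is read at boot, so reboot afterwards and confirm the live value with:
#   fw ctl get int psl_tap_enable
if [ "${1:-}" = "--apply" ]; then
    apply_3d_tuning "" "${2:-}"
    echo "fwkern.conf now contains:"
    cat "$FWDIR/modules/fwkern.conf"
fi
```

Because the file is only read at boot, the value reported by fw ctl get int after the reboot, not the file content, is what confirms the change took effect.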