Best Practice 3D Security Report R76 v4.1

Date post: 25-Oct-2015
Page 1: Best Practice 3D Security Report R76 v4.1

[Protected] For public distribution

Best Practice 3D Security Report Version 4.0 15.05.2013

Changelog

Date Name Changes

2012 Matthias Schungel (Master of 3D Report) Initial document

17.05.2013 Thomas Werner Added Performance and troubleshooting section

17.05.2013 Matthias Schungel (Master of 3D Report) Bugfixes

27.05.2013 Henning Ermert Updated to reflect v.1.16

Please send any comments or questions to [email protected].

Contents

Best Practice 3D Security Report (page 1)
1. Install from Image (page 2)
2. Mirror Port configuration (page 2)
   a. Configure Mirror Ports (page 2)
   b. Enable DLP for Mirror Port Setup (page 3)
   c. Configure Mirror Port Topology (page 3)
   d. Install policy (page 3)
3. Configure the Gateway (page 4)
   a. Active software blades (page 4)
   b. Configure -> Global properties (page 4)
   c. Configure -> Firewall Blade (page 4)
   d. Configure -> IPS Blade (page 5)
   e. Configure -> Application Control & URL Filtering blade (page 7)
   f. Configure -> DLP blade (page 7)
   g. Configure -> Anti-Bot and Anti-Virus Blade (page 8)
   h. Install Policy (page 9)
4. Configure the Management (page 10)
   a. Configure -> SmartEvent (page 10)
5. Sample Switch Configurations for Mirror Port (page 11)
6. Example setup & how to start at customer side (page 13)
   a. Appliance (page 13)
   b. Checks (page 13)
   c. Connecting the mirror port interface (page 13)
7. Observing and troubleshooting performance (page 15)
   a. CPU (page 15)
   b. Memory (page 15)
   c. Network (page 15)
   d. Cores (page 15)
8. Fine tuning performance (page 16)
   a. Reducing CPU Utilization (page 16)
   b. Reducing Logs (Relevant for R75.40 and above) (page 17)
   c. Reducing Memory Consumption (page 17)

©2012 Check Point Software Technologies Ltd. All rights reserved. [Protected] For public distribution

1. Install from Image

R76 GAiA

R76 Gaia Fresh Install/Upgrade Package for Open Servers/Power-1/UTM-1/2012 Models/IP/Smart-1 5,25,50,150

- Install & First-time configuration of R76 GAiA
- Install 30 Days Eval License + Contract

Download R76 3D REPORT TOOL Ver1.16

a. Install SmartEvent Supplement

1. The SmartEvent supplement file is located in the tool's package and is named R75.45_REPORT_TOOL-SME-PACK-<ver>.tgz
2. Make a new directory on the SmartEvent Server, under /var, named install.
3. Copy the .tgz file to the server's /var/install directory (copy the file in binary mode).
4. Verify that the file transferred correctly by comparing the file's MD5:
   a. Verify the MD5 by running the md5sum *.* command
   b. In the install directory on the server, run:

> tar xvzf R76_REPORT_TOOL-SME-PACK-<ver>.tgz
> chmod 777 se_script
> ./se_script

b. Install 3D Report Ver.1.16 SmartConsole Version

Install the 3D Security Analysis Report Tool SmartConsole on a Windows computer with MS Office 2003 or 2010. Although it is a special R76 SmartConsole, it works with any R76 Security Management Server. To install the GUI of this tool:

1. Copy the SmartConsole file to the Windows computer.
2. Double-click the executable and follow the wizard.

2. Mirror Port configuration

a. Configure Mirror Ports (If needed, you can define more than 1)

- Create Monitor Interface via Clish:

clish> set interface eth0 monitor-mode on (eth0 is an example)

OR via the WebUI:

Go to the "Network Interfaces" tab. Select the required interface and click "Edit". Go to the "Ethernet" tab. Check the "Monitor Mode" checkbox and click "OK".

b. Enable DLP for Mirror Port Setup

If needed enable DLP for SMTP Monitoring

via CLI: expert> dlp_smtp_mirror_port enable

c. Configure Mirror Port Topology

After the initial GW setup, open the Security Gateway object in SmartDashboard > Topology > Get > Interfaces with Topology… > Yes > Accept. Configure the Mirror Port interface Network Type as Internal and Topology as Not Defined. Remove the Anti-Spoofing configuration from all other interfaces. In the example below, eth1 is the Mirror Port.

d. Install policy (ignore the topology warning regarding missing Anti-Spoofing)

3. Configure the Gateway

a. Active software blades

b. Configure -> Global properties

i. In Policy > Global Properties > SmartDashboard Customization -> Advanced Configuration -> Configure, click on the Configure button. In FireWall-1 > Stateful Inspection, uncheck "reject_x11_in_any".

ii. In Policy > Global Properties > Stateful Inspection

Change the TCP Session Timeout to 60 Seconds

Change the TCP end timeout to 5 Seconds

c. Configure -> Firewall Blade

Activate logging only if needed for troubleshooting

d. Configure -> IPS Blade

Edit the Gateway properties and change Protect Scope to "Perform IPS inspection on all traffic" with the "Recommended_Protection" IPS Profile.

Also, in the IPS tab, edit the Aggressive Aging protection (IPS signature) so that it is enabled with the following settings:

TCP Start Timeout: 5

TCP Session Timeout: 55

TCP End Timeout: 3

Set tracking for the protection to None.

Eliminating some IPS False Positives

Enabling PSL Tap Mode

Edit $FWDIR/modules/fwkern.conf (create if it doesn't exist) and add the following lines:

psl_tap_enable=1

fw_tap_enable=1

Reboot the Security Gateway. Do not forget to update the IPS protection signatures.

e. Configure -> Application Control & URL Filtering blade

Ensure the destination is Any (and not Internet, as defined by default).

If the 3D Report covers a huge bandwidth and you are monitoring for several days or weeks, it is recommended to use only Log and not Extended Log in the Track field. This decreases the time needed to generate the 3D Report Word document. Go to the engine settings and enable the following options.

f. Configure -> DLP blade

i. Define the E-Mail domains

ii. Do NOT enable DLP on FTP (it is off by default)

iii. Enable SMTP only if you are using R75.40 and have applied the patch (see above).

iv. Proxy - Use this procedure if a proxy or proxies for HTTP traffic are used at the customer.

1. In SmartDashboard, go to the Objects Tree and select the Services tab.

2. Edit the TCP service: HTTP_and_HTTPS_proxy.

3. Click Advanced.

4. Select Protocol Type, and choose HTTP.

5. Enable Match for ‘Any’

6. Click OK

v. Define customer rules

g. Configure -> Anti-Bot and Anti-Virus Blade

Define the Protected Scope (internal networks)

Ensure you are using a detect-only policy similar to:

And make sure the profile specifies that all file types/directions are scanned:

h. Install Policy

Install the new policy. Note: for testing with the EICAR test virus, see SK44781.

4. Configure the Management

a. Configure -> SmartEvent

i. Define the internal network (same object used in the AntiBot policy)

ii. Install SmartEvent policy

5. Sample Switch Configurations for Mirror Port

Switch type: Extreme Summit 200-24
CLI commands:
  enable mirroring to port 23 untagged
  configure mirror add port 1
  configure mirror add port 2
  configure mirror add port 3
  configure mirror add port 16
  configure mirror add port 14
Comments: Make sure the relevant port (23 in this example) is not tagged.

Switch type: Cisco Catalyst 2850, 2940, 2950, 2955, 2960, 2970, 3550, 3560, 3560-E, 3750, 3750-E, 4500/4000 and C6500/6000 Series Switches That Run Cisco IOS System Software, and Cisco Nexus Series Switches That Run NX-OS Software
CLI commands:
  conf t
  monitor session 1 source interface gigabitEthernet 0/17 both
  monitor session 1 destination interface gigabitEthernet 0/15
  exit
  write mem
Comments:
  Syntax:
    monitor session session_number source interface interface-id [, | -] [both | rx | tx]
    monitor session session_number destination interface interface-id
  The source interface is the interface connected to the router leading to the internet, and the destination interface is the mirror port.
  both - Monitor both received and sent traffic.
  rx - Monitor received traffic.
  tx - Monitor sent traffic.

Switch type: Cisco Catalyst 2900, 4500/4000, 5500/5000, and 6500/6000 Series Switches That Run CatOS
Comments:
  Syntax:
    set span source_port destination_port [rx | tx | both]

Switch type: Juniper EX-2200
CLI commands:
  root@switch# edit
  root@switch# set ethernet-switching-options analyzer mirror-3d input egress interface ge-0/0/6.0
  root@switch# set ethernet-switching-options analyzer mirror-3d input ingress interface ge-0/0/6.0
  root@switch# set ethernet-switching-options analyzer mirror-3d output interface ge-0/0/13.0
  root@switch# commit
Comments:
  Input port is ge-0/0/6.0
  Output / Mirrored port is ge-0/0/13.0
  mirror-3d is the name given to the "analyzer" instance
  Input needs both ingress and egress in order to see the entire connection setup

Switch type: HP Procurve Switches
Comments: Some HP Procurve Switch models only provide ingress traffic when configured in monitor mode. See the following HP knowledge base article (a bit outdated).

Switch type: RouterBoard 250GS
Comments: A great, cheap switch to use in situations where the customer is unable to provide a mirror port!

Important!

Check the switch statistics. If the port you want to monitor has a utilization of more than 50% in peaks (1Gbps ports can do 2Gbps - 1Gbps TX and 1Gbps RX), split the monitor port and send TX packets to one port and RX packets to another port (this is what TAPs do). This avoids oversubscription of the switch monitor/SPAN port and makes sure all packets are sent to the PoC device. The PoC device must then be configured in bridge mode, with the TX and RX monitor/SPAN ports connected to each side of the bridge.

In most cases a setup with separated TX and RX SPAN ports in bridge mode will give you better performance on the device, since you can configure a topology. This lets the inspection engine better understand which traffic is outbound and which is inbound, and be more efficient.

6. Example setup & how to start at customer side

a. Appliance

- Management interface (can be used for updates), OR a separate interface for updates. A proxy could be used, but the GW is not able to authenticate with username & password.
- Monitor interfaces

b. Checks

Check the setting with the customer (IP Addresses & GW configuration)

Check DNS & Routing (for the update interface)

Check updates & contract enforcement (IPS, APPC, AntiBot & Antivirus)

c. Connecting the mirror port interface

Check that the monitor interface is only receiving packets (tcpdump & show interface)

Check system health (CPUs, interface queues etc.)

Check SmartViewTracker and SmartEvent

! Important ! From any client that is "seen" via the Mirror port interface, open http://www.google.co.il once (this is needed to determine the traffic flow).

After collecting the logs, enable the 3D Report in Smart Event.

And generate the Report.

Good luck!

7. Observing and troubleshooting performance

a. CPU

i. cpstat -f cpu os

ii. cpstat -f multi_cpu os

iii. top (press “1” to see all cores)

iv. cat /proc/interrupts

b. Memory

i. cpstat -f memory os

ii. fw ctl pstat

iii. cat /proc/meminfo

c. Network

i. netstat -ni

ii. ifconfig eth1 (=> look for dropped packets on the mirror port)

iii. netstat -s

iv. ethtool -S eth1

d. Cores

i. fw ctl multik stat
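The two interface checks above, that the monitor interface in 6.c only receives packets and that the mirror port in 7.c shows no drops, can be scripted against netstat -ni. The following is an added example, not part of the report: check_mirror_iface is an assumed helper name, SAMPLE_NETSTAT is constructed sample output, and the function assumes the classic net-tools column names (with or without the Met column).

```shell
#!/bin/sh
# Constructed sample of `netstat -ni` output (classic net-tools layout as on Gaia);
# not a capture from the report. eth0 = management, eth1/eth2 = candidate mirror ports.
SAMPLE_NETSTAT='Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0   123456      0      0      0    98765      0      0      0 BMRU
eth1       1500   0  9876543      0   1200      0        0      0      0      0 BMRU
eth2       1500   0  5555555      0      0      0        0      0      0      0 BMRU'

# check_mirror_iface IFACE [NETSTAT_OUTPUT]
# Applies the report's checks to one interface: it must receive packets, must not
# transmit any (a mirror port only listens), and must show no RX drops (drops point
# at an oversubscribed SPAN port). Without a second argument the live `netstat -ni`
# is used. Prints one line per finding; exit status 0 means healthy.
check_mirror_iface() {
    printf '%s\n' "${2:-$(netstat -ni)}" | awk -v ifc="$1" '
        # map column names to indices so the layout (with or without "Met") does not matter
        $1 == "Iface" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $1 == ifc {
            found = 1
            if (!("RX-OK" in col)) { print ifc ": unrecognised netstat layout"; bad = 1; next }
            rx_ok = $(col["RX-OK"]); rx_drp = $(col["RX-DRP"]); tx_ok = $(col["TX-OK"])
            if (rx_ok == 0) { print ifc ": no packets received, check the SPAN/mirror source"; bad = 1 }
            if (tx_ok > 0)  { print ifc ": " tx_ok " packets transmitted, a mirror port should only receive"; bad = 1 }
            if (rx_drp > 0) { print ifc ": " rx_drp " RX drops, SPAN port may be oversubscribed"; bad = 1 }
            if (!bad) print ifc ": OK, receive-only and no drops"
        }
        END {
            if (!found) { print ifc ": interface not found"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Demonstration on the constructed sample (eth2 is the healthy mirror port).
check_mirror_iface eth2 "$SAMPLE_NETSTAT"
check_mirror_iface eth1 "$SAMPLE_NETSTAT" || echo "eth1 needs attention"
```

On a live gateway, run check_mirror_iface eth1 twice a few seconds apart; a growing RX-DRP count between runs is the oversubscription case described in section 5.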

8. Fine tuning performance

a. Reducing CPU Utilization

1. Tweak some settings in GuiDBedit

<SmartConsole installation directory>\PROGRAM\GuiDBedit.exe

For each of the following attributes, search for all occurrences of the attribute in the DB (there might be more than one; use the 'find next' option) and change them to the specified value:

Attribute                    Value
fw_trust_suspicious_rst      true
fw_trust_suspicious_estab    true
fw_rst_expired_conn          false
log_local_inf_addr_spoofing  none   (relevant in R75.40)

Save and close GuiDBedit.

2. Turn off Sequence Verifier in IPS:

In SmartDashboard: IPS > Protections > By Protocol > IPS Software Blade > Network Security > TCP > Sequence Verifier.

Make protection inactive for all profiles.

3. Disable Out of State Protections

1. In SmartDashboard: Policy > Global Properties > Stateful Inspection

2. Uncheck Drop out of state TCP packets

3. Uncheck Drop out of state ICMP packets

4. Install Policy

b. Reducing Logs (Relevant for R75.40 and above)

Reducing excessive streaming engine logs

1. Edit $FWDIR/modules/fwkern.conf (create if it doesn't exist) and add the following line:

fwpslglue_seg_limit_enforce=0

2. Reboot the Security Gateway

Eliminating Local Interface Address Spoofing messages

In GuiDBedit, set log_local_inf_addr_spoofing to none, push policy.

c. Reducing Memory Consumption

To be used only in case of high memory consumption

Reducing streaming engine windows to 256 KB

1. Edit $FWDIR/modules/fwkern.conf (create it if it doesn't exist) and add the following line:

psl_max_dynamic_window=262144

2. Reboot the Security Gateway
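The fwkern.conf edits in 3.d (psl_tap_enable, fw_tap_enable), 8.b (fwpslglue_seg_limit_enforce) and 8.c (psl_max_dynamic_window) all follow the same key=value pattern, and hand-editing easily leaves a duplicate or stale line behind. The following is an added example, not part of the report: fwkern_set, fwkern_get and fwkern_count are assumed helper names, and the demonstration runs on a temporary file rather than the real $FWDIR/modules/fwkern.conf; the reboot step from the report still applies after the file is changed.

```shell
#!/bin/sh
# fwkern_set FILE KEY VALUE: set KEY=VALUE in a fwkern.conf-style file.
# Creates the file if it is missing, replaces an existing KEY= line in place,
# appends otherwise, and never leaves two lines for the same key.
fwkern_set() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"            # "create it if it doesn't exist"
    if grep -q "^${key}=" "$file"; then
        tmp="${file}.tmp.$$"
        # rewrite only the matching line; every other line is kept as-is
        awk -v k="$key" -v v="$value" -F= '$1 == k { $0 = k "=" v } { print }' \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# fwkern_get FILE KEY: print the current value of KEY (empty when unset).
fwkern_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# fwkern_count FILE KEY: number of lines defining KEY (should be 0 or 1).
fwkern_count() {
    grep -c "^$2=" "$1" || true
}

# Demonstration on a constructed temporary file, not the real $FWDIR/modules/fwkern.conf.
demo_file=$(mktemp); rm -f "$demo_file"    # start from "file does not exist"
fwkern_set "$demo_file" psl_tap_enable 1                 # section 3.d
fwkern_set "$demo_file" fw_tap_enable 1
fwkern_set "$demo_file" fwpslglue_seg_limit_enforce 0    # section 8.b
fwkern_set "$demo_file" psl_max_dynamic_window 262144    # section 8.c
fwkern_set "$demo_file" psl_max_dynamic_window 262144    # re-run is a no-op, no duplicate line
cat "$demo_file"
rm -f "$demo_file"
```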
