Check Point Architecture

26/10/2015

Technology Architecture

Components

SMART – Check Point Security Management Architecture

Core systems:

  • SmartConsole – Windows-based GUI
  • Security Management Server (SMS) (aka SmartCenter Server) – Configuration and log storage
  • Security Gateway (SGW) – The security enforcement device

Deployment modes

  • Standalone – Security Management Server and Security Gateway on the same device
  • Distributed – Security Management Server and Security Gateway installed on different devices
  • Standalone Full HA Deployment – Cluster of devices, each acting as Security Management Server and Security Gateway

The role of the device (SMS, SG or both) is decided during installation. It cannot easily be changed afterwards.

Bridge mode – No IP routing is involved; packets are analysed from the L2 point of view. Not common. Some features are not available in that mode.

OS

Gaia – 64-bit OS based on SecurePlatform (SPLAT) and IPSO. Current version R77.30

  • Kernel
  • Security server – Handles HTTP application security

Folders / Variables:

$CPDIR – Software and configuration for secure communication (SIC) between the CP components: CPshrd-R77

$FWDIR – Path to the Check Point files; the actual CP software is installed here: CPsuite-R77

  • /log
  • /conf

Packet inspection

  • Permit
  • Deny – Answers with a NACK, which provides information to a possible attacker
  • Drop – No answer

Traffic is analysed with the "eitherbound" method rather than inbound+outbound: it is inspected twice, once on the inbound interface and once on the outbound interface.

SmartConsole

Components:

  • SmartDashboard – Objects, NAT, Policy, Applications (IPS, DLP, Threat Prevention)
  • SmartUpdate – Software packages, contract and license management
  • SmartView Tracker – Log management
  • SmartView Monitor – Device status and monitoring: licenses, VPN tunnel monitoring, SSL VPN and live traffic
  • SmartLog – Generates an index from all the historical logs, not only the recent ones
  • SmartEvent – (SIEM) Event correlation for IPS, Firewall, DLP, …
  • SmartEndpoint – Client for endpoints: firewall, VPN client, 802.1X…
  • SmartReporter – Generates reports
  • SmartProvisioning – Central administration and provisioning of devices at large scale
  • SmartDomain Manager
  • SmartEvent Intro

Security Management Server

Secure communication between components

  • SIC – Secure Internal Communications (aka SVN Foundation)
  • ICA – Internal Certificate Authority

To add a firewall to the SMS, a one-time activation key is used as a PSK.

Deployment Platforms

Gaia OS is the evolution of SecurePlatform and Nokia IPSO.

Check Point software can also run on other OSes (Windows) and on hardware appliances. There are specific management appliances: Smart-1 and Smart-1 SmartEvent. Other hardware vendors also provide appliances for Check Point software.

SPU (SecurityPower Unit) – Check Point's measure for sizing security appliances. The Appliance Selection Tool on the CP website calculates the SPU required for a given specification.

Software Blade

  • Apply to SGW
    • Firewall
    • IPSec VPN
    • Mobile Access – VPN SSL
    • Identity Awareness – LDAP integration
    • Application Control – Web
    • IPS
    • DLP – Protect sensitive information
    • Web security – protect web infrastructure
    • URL Filtering
    • Anti-Bot – detect botnets
    • Threat Emulation – Prevents infections from zero-days; analyses behaviour in a sandbox
    • Antivirus & Anti-Malware
    • AntiSpam & Email Security
    • Advanced Networking & Clustering (BGP, OSPF, …)
    • Voice over IP
    • Security Gateway Virtual Edition (VE) – protects virtual environment
  • Apply to SMS
    • Network Policy Management – SmartDashboard
    • Endpoint Policy Management – User features
    • Logging and Status – SmartLog – Security intelligence
    • SmartWorkflow – Change management
    • Monitoring – Live monitoring
    • Management Portal – Web access to the firewall policy
    • User Directory – LDAP
    • SmartProvisioning – Large scale deployments
    • SmartReporter
    • SmartEvent
    • Multi-Domain Security Management

The software consists of different Software Blades (Firewall, Antispam, VPN, IPS, Antivirus, …).

Bundles

  • Next Generation Firewall – FW, VPN, IPS
  • Next Generation Threat Prevention
  • Next Generation Secure Web Gateway
  • Next Generation Data Protection – DLP

Policy

Policy and objects are stored at $FWDIR/conf on the SMS.
The installed policy is stored at $FWDIR/state/local/fw1.

Order of execution of the rule base:

  • IP Spoofing / IP Options
  • First
  • Explicit
  • Before Last
  • Last
  • Implicit Drop
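As an added example (not code from the original notes or from Check Point), the following Python model walks a packet through the rule-base order listed above: the anti-spoofing check first, then the First, Explicit, Before Last and Last sections, and finally the implicit drop when nothing matched. It also maps the three outcomes from the packet inspection section (Permit, Deny with a NACK, Drop with no answer) to what the sender sees. The interfaces, networks, rule names and policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, simplified model of the rule-base sections in the order the
# notes list them. Section names, rule names and addresses are made up here.

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    service: str      # e.g. "tcp/443"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # CIDR or "any"
    dst: str          # CIDR or "any"
    service: str      # "proto/port" or "any"
    action: str       # "accept" (Permit), "reject" (Deny, sends a NACK) or "drop"

# Constructed anti-spoofing topology: networks that may legitimately appear as
# a *source* on each interface. An interface with an empty list is external.
TOPOLOGY = {
    "eth1": [ip_network("10.0.0.0/8")],   # internal side
    "eth0": [],                            # external side
}
INTERNAL = [n for nets in TOPOLOGY.values() for n in nets]

def _in(addr, cidr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr)

def antispoof_ok(pkt):
    """IP spoofing check: the source must be consistent with the inbound interface."""
    src = ip_address(pkt.src)
    allowed = TOPOLOGY[pkt.in_iface]
    if allowed:                                   # internal side: src must belong to it
        return any(src in n for n in allowed)
    return not any(src in n for n in INTERNAL)    # external side: no internal source

def matches(rule, pkt):
    return (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
            and rule.service in ("any", pkt.service))

SECTION_ORDER = ("first", "explicit", "before_last", "last")

def evaluate(pkt, sections):
    """Return (action, reason) following the section order of the rule base."""
    if not antispoof_ok(pkt):
        return ("drop", "anti-spoofing")
    for section in SECTION_ORDER:
        for rule in sections.get(section, ()):
            if matches(rule, pkt):
                return (rule.action, f"{section}:{rule.name}")
    return ("drop", "implicit drop")              # nothing matched: silent drop

def response_for(action):
    """What the sender observes: Permit forwards, Deny answers, Drop stays silent."""
    return {"accept": "forwarded",
            "reject": "NACK (TCP RST / ICMP unreachable)",
            "drop": "no answer"}[action]

# Constructed sample policy. The "last" section is left empty on purpose so the
# implicit drop is reached; a real policy would usually add an explicit cleanup rule.
POLICY = {
    "first": [Rule("mgmt-to-gw", "10.0.0.0/8", "192.0.2.1/32", "tcp/22", "accept")],
    "explicit": [
        Rule("web-out", "10.0.0.0/8", "any", "tcp/443", "accept"),
        Rule("telnet-deny", "10.0.0.0/8", "any", "tcp/23", "reject"),
    ],
    "before_last": [],
    "last": [],
}

if __name__ == "__main__":
    for p in (Packet("eth1", "10.1.2.3", "198.51.100.10", "tcp/443"),
              Packet("eth0", "10.1.2.3", "198.51.100.10", "tcp/443"),   # spoofed source
              Packet("eth1", "10.1.2.3", "198.51.100.10", "tcp/23"),
              Packet("eth0", "198.51.100.10", "10.1.2.3", "tcp/445")):
        action, why = evaluate(p, POLICY)
        print(p, "->", action, f"({why}); sender sees: {response_for(action)}")
```

The spoofed packet never reaches the sections at all, which is why the anti-spoofing check sits before First in the order: a rule in any later section cannot accept it.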

Backup

Policy Package – Doesn't include objects; it is only the rule configuration and order

Data Base Revision Control – Contains Policy and Objects

Snapshot – Image management at the Gaia OS level. It creates an image of the disk, which can be exported to other devices; it includes a copy of the OS. Done from the CLI or from the web GUI.
Recommended before major changes. Only to be restored on exactly the same software version.

Backup – To be done every few months. Saves the OS configuration and the software configuration, not all the data of the OS. Hardware dependent, but not to the same degree as a snapshot.

upgrade_export / migrate export – Only available on the SMS. The export can be moved to a different device (with different hardware, OS or Check Point version). It includes only the configuration at the software level. To be done every month, and before any migration.

NAT

Source NAT – Internal computers going out to the Internet
Destination NAT – External devices reaching an internal server

Hide NAT (Dynamic NAT) – Many to one. Outbound connections only. The number of concurrent connections per IP is limited, because it depends on the ports available per IP.
Static NAT – One to one. Bidirectional.

Manual NAT – NAT for specific ports only. It requires manual setup of the ARP table (local.arp).
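The difference between Hide NAT and Static NAT above is easiest to see in a translation table. The following Python model is an added example, not Check Point code: the hide IP, the static mapping, the addresses (RFC 5737 documentation ranges) and the deliberately tiny four-port pool are constructed assumptions chosen so that port exhaustion shows up within a few flows; the gateway's real port range is not modelled.

```python
# Constructed values: documentation addresses and a tiny port pool (assumption,
# not the real gateway range) so that hide-NAT port exhaustion is visible.
HIDE_IP = "203.0.113.1"
HIDE_PORT_POOL = range(10000, 10004)

class NatTable:
    """Static NAT (1:1, bidirectional) plus Hide NAT (many:1, outbound only)."""

    def __init__(self, static_map):
        self.static = dict(static_map)                  # internal ip -> public ip
        self.static_rev = {v: k for k, v in self.static.items()}
        self.hide = {}                                   # (src_ip, src_port) -> hide port
        self.hide_rev = {}                               # hide port -> (src_ip, src_port)
        self.free_ports = list(HIDE_PORT_POOL)

    def outbound(self, src_ip, src_port):
        """Source NAT applied to an internal host opening a connection.

        Returns the translated (ip, port), or None when no hide port is left."""
        if src_ip in self.static:                        # static: 1:1, port untouched
            return (self.static[src_ip], src_port)
        key = (src_ip, src_port)
        if key not in self.hide:
            if not self.free_ports:
                return None                              # port pool exhausted
            port = self.free_ports.pop(0)
            self.hide[key] = port
            self.hide_rev[port] = key
        return (HIDE_IP, self.hide[key])

    def inbound(self, dst_ip, dst_port):
        """Destination NAT applied to a packet arriving from outside.

        Static mappings work in both directions; the hide IP only accepts
        replies to flows already in the table, never new inbound connections."""
        if dst_ip in self.static_rev:
            return (self.static_rev[dst_ip], dst_port)
        if dst_ip == HIDE_IP and dst_port in self.hide_rev:
            return self.hide_rev[dst_port]
        return None

def demo():
    """Walk through both NAT kinds on constructed traffic and return the results."""
    nat = NatTable({"10.0.0.80": "203.0.113.80"})      # static NAT for a web server
    r = {}
    r["web_out"] = nat.outbound("10.0.0.80", 44000)      # static: public ip, same port
    r["client1"] = nat.outbound("10.0.0.11", 50000)      # hide: first pool port
    r["client2"] = nat.outbound("10.0.0.12", 50000)      # same src port, different hide port
    r["reply_to_client2"] = nat.inbound(HIDE_IP, r["client2"][1])
    r["to_web"] = nat.inbound("203.0.113.80", 443)       # static works inbound too
    r["unsolicited"] = nat.inbound(HIDE_IP, 10003)       # no flow: hide NAT refuses
    r["exhaustion"] = [nat.outbound("10.0.0.13", p) for p in range(50000, 50003)]
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The last line of the demo is the limit the notes mention: once every port in the pool is bound to a flow, the next outbound connection from behind the hide IP cannot be translated at all.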

Upgrade

Upgrade tools

  • migrate.conf
  • migrate
  • upgrade_export
  • cp_merge

Upgrade process:

  • Verify the contracts
  • Upgrade the SMS
  • Upgrade the client GUIs
  • Upgrade the GWs (usually locally, but it can also be done with SmartUpdate)

SMS Upgrade process

  • Backup of the current config – upgrade_export from the current SMS installation
  • Verify the upgrade path – pre_upgrade_verifier from the new version's CD tools
  • Export of the current config – upgrade_export from the CD tools
  • Perform a fresh installation of the new SMS version
  • Import the exported configuration

Core

  • FWM – Only on the SMS. Handles the GUI clients, DB manipulation, policy compilation and Management HA
  • FWD – Both SMS and SG. Daemon that communicates SMS <-> SG; allows other processes to forward logs; policy installation; fw commands go through fwd
  • FWSSD – Child process of FWD. Maintains the Security Servers (in.ahttpd, in.aftpd, …), similar to xinetd; forwards the traffic to each security server
  • CPD – Both SMS and SG. Daemon that communicates SMS <-> SG; handles SIC, policy installation, status, and transferring messages between processes
  • CPWD – Both SMS and SG – Check Point WatchDog daemon. Monitors the other processes
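Since the watchdog is what monitors the daemons listed above, a small health check over its process table is the natural operational companion to this list. The Python below is an added example, not Check Point code: it parses a constructed table whose column layout is an assumption modelled on the output of `cpwd_admin list` (APP, PID, STAT, #START, START_TIME, MON, COMMAND), and the expected daemon set per role comes straight from the notes (FWM only on the SMS; FWD and CPD on both). The PIDs, timestamps and states are made up.

```python
# Constructed samples. The column layout is an assumption modelled on
# `cpwd_admin list`; every value is made up for the example.
SAMPLE_SMS = """\
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        2817   E     1       [10:21:04] 26/10/2015  Y    cpd
FWD        2903   E     3       [11:02:41] 26/10/2015  N    fwd
FWM        3011   T     1       [10:21:15] 26/10/2015  N    fwm
"""

SAMPLE_SGW = """\
APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        1402   E     1       [09:58:12] 26/10/2015  Y    cpd
"""

# Daemons that must be registered with the watchdog for each role (from the notes).
EXPECTED = {"sms": {"CPD", "FWD", "FWM"}, "sgw": {"CPD", "FWD"}}

def parse_cpwd(text):
    """Turn the table into {APP: {pid, stat, starts, cmd}}; the header row is skipped."""
    rows = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 7:                      # blank or truncated line
            continue
        rows[parts[0]] = {
            "pid": int(parts[1]),
            "stat": parts[2],                   # "E" = executing, "T" = terminated
            "starts": int(parts[3]),            # 1 = started once since boot
            "cmd": parts[-1],
        }
    return rows

def health(text, role):
    """Return a list of findings: missing daemons, non-executing ones, and restarts."""
    rows = parse_cpwd(text)
    findings = []
    for app in sorted(EXPECTED[role] - rows.keys()):
        findings.append(f"{app}: not registered with the watchdog")
    for app, r in sorted(rows.items()):
        if r["stat"] != "E":
            findings.append(f"{app}: state {r['stat']} (not executing)")
        if r["starts"] > 1:
            findings.append(f"{app}: restarted {r['starts'] - 1} time(s) since boot")
    return findings

if __name__ == "__main__":
    for role, sample in (("sms", SAMPLE_SMS), ("sgw", SAMPLE_SGW)):
        print(role, "->", health(sample, role) or ["all daemons healthy"])
```

A restart count above one is worth a look even when the process is currently executing: a daemon the watchdog keeps reviving is usually the first visible symptom of a policy or SIC problem.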