
SBT v1.1 (updated 2023)

©2022 Check Point Software Technologies Ltd. 1


CHECK POINT

ARCHITECTURE
COMPONENTS



Check Point Security 101
▪ The Check Point Security Management Architecture is the core component of the Check Point unified security architecture
▪ The Check Point core systems:
– SmartConsole: Windows client that manages security policy and events on the Security Management server
– Security Management Server: stores and distributes security policy to Security Gateways and receives security logs from them
– Security Gateway: integrated network security enforcing access control and threat prevention policies in physical and virtual environments



Check Point Security 101
Distributed Deployment
The Security Management Server (1) and the Security Gateway (3) are installed on
different computers, with a network connection (2).



Check Point Security 101
Management High Availability
A Primary Security Management Server (1) has a direct or indirect connection (2)
to a Secondary Security Management Server (3).

The databases of the Security Management Servers are synchronized, manually or on a schedule, to back up one another.

The administrator makes one Security Management Server Active and the others
Standby.

If the Active Security Management Server is down, the administrator can promote
the Standby server to be Active.



Check Point Security 101
Standalone Deployment
The Security Management Server (1) and the Security Gateway (3) are
installed on the same computer (2).

Full High Availability


In a Full High Availability Cluster on two Check Point Appliances, each
appliance runs both as a ClusterXL Cluster Member and as a Security
Management Server, in High Availability mode.

This deployment lets you reduce the maintenance required for your
systems.

The two appliances are connected with a direct synchronization connection (2) and work in High Availability mode.



Check Point Security 101
Bridge Mode

A bridge mode deployment adds a Security Gateway to an existing environment without changing IP Routing.

▪ sk101371 Bridge Mode on Gaia OS and SecurePlatform OS



CHECK POINT

GAiA



GAiA Overview

In Greek mythology, Gaia is the mother of all

• GAiA has been Check Point's operating system ("OS") since 2012

• GAiA is a hardened Linux

• Least number of applications, hardened web portal (aka "WebUI")
• Restricted shell, kernel changes



GAiA: a hardened GNU/Linux

1. Introduction to the Command Line Interface (link)
2. sk101878 cpview
• History
• First tool to use!
3. sk97638 Check Point Processes and Daemons
4. /var/log/message*
• Lists most GAiA events



CHECK POINT

R81 > R81.10 > R81.20


CURRENT VERSIONS



A version and its context

sk173903 Check Point R81.20

– Release notes: link
– What's new?: link
– Documentation: link
– Jumbo Hotfix Accumulator: link
– Known limitations: sk174965
– Resolved issues: sk174966

sk95746 Check Point Default Version and Release Terminology


Major/Minor releases – EA/GA – Ongoing/GA JHF - FAQ

sk152052 Check Point Release Map


Releases information – upgrade map – backward compatibility – upgrade/download wizard

Support life cycle policy


Latest announcements – software & hardware supports



CHECK POINT

SECURITY
MANAGEMENT
SERVER



Check Point Security 101
Security Management Server

▪ The Security Management Server (SMS) is used to manage the security policy.
▪ The Security Management Server maintains the database of objects and policies.
▪ Policies and objects are defined using SmartConsole or the web services API.
▪ Security Gateways send logs to the Security Management Server.
▪ Policies, objects and logs are indexed to facilitate lookups.
▪ The Internal Certificate Authority (ICA) on the SMS establishes trusted relations.



Check Point Security 101
Security Management Server

R81 Management Architecture Overview


Check Point Security 101
Secure Internal Communications (SIC)

▪ Communication must be encrypted
▪ Communication must be authenticated
▪ Transmitted communication should have data integrity
▪ The SIC setup process that allows the intercommunication to take place must be user friendly



Check Point Security 101
SIC Between Management and Components



Security Management Platform

[Figure: security management appliance lineup by segment (Small Enterprise, Midsize Enterprise, Large Enterprise, Data Centers): models 600-S, 600-M, 6000-L and 6000-XL, ranging from 10 to 400 managed gateways and from 32 GB to 384 GB RAM, with HDD or SSD storage]

▪ 200% increase in managed gateway capacity
▪ 70% increase in peak index log rates
▪ 1080 GB of logs per day



Manage all Check Point Products from the Cloud

▪ Always the latest security management: newest features automatically updated
▪ On-demand Expansion: seamlessly support more gateways and storage
▪ Zero Maintenance: no installation, backups, monitoring or upgrades



CHECK POINT

SECURITY
GATEWAYS



Quantum Security Gateways™

A new lineup for businesses of all sizes

[Figure: gateway models plotted by threat prevention throughput across segments: Branch Office, Small Enterprise, Midsize Enterprise, Large Enterprise, Data Center, Telco and High-End]



Quantum Lightspeed + Maestro Hyperscale Orchestrator
Scale throughput 7.5x to 3 Tbps

[Figure: Maestro base configuration (MHO175 with 2x MLS200, 400 Gbps) and Maestro Hyperscale span from 2 to 15, reaching 3.0 Tbps]

Scale from 400 Gbps to 3 Tbps with Maestro*
* Or achieve the same 3 Tbps with 8x MLS400 + Maestro



OpenServers?!?

• HCL stands for Hardware Compatibility List; link: https://www.checkpoint.com/support-services/hcl/

• Bandwidth comparison? => per physical core

• Some considerations:
• Two support vendors
• Higher cost for support
• No trade-in



Check Point Security 101
Security Gateway Packages

Next Generation Firewall (NGFW)


❑ Includes Firewall, Application Control, and IPS.

Next Generation Threat Prevention (NGTP)


❑ Includes Firewall, Application Control, URL Filtering, IPS, Anti-Bot, Antivirus, and Anti-Spam
and Email Security.

Threat Prevention + SandBlast Zero-Day Protection (aka NGTX)


❑ Includes NGTP + SandBlast Threat Emulation, CPU-level and OS-level sandboxing to detect
and block unknown malware. While the file is run in a sandbox, Threat Extraction
reconstructs incoming documents to deliver safe content to the user.



CHECK POINT

SmartConsole



Check Point Security 101
Check Point SmartConsole Client

▪ SmartConsole is a single client, used to manage the network security policy and view all security events.
▪ The SmartEndpoint client manages endpoint security policy.



Check Point Security 101
Check Point SmartConsole R81.20
SmartConsole provides access to:

▪ Gateways & Services


▪ Security Policies
▪ Logs & Monitoring
▪ Infinity Services
▪ Manage & Settings

CHECK POINT

POLICIES: BASICS



Check Point Security 101
Objects Explorer
▪ Networks
▪ Hosts
▪ Groups
▪ Services
▪ Resources
▪ Servers and OPSEC Applications
▪ Users and Access Roles
▪ VPN Communities



Check Point Security 101
Creating Objects

▪ When creating objects, consider organizational needs:


– What are the physical components in the network?
– What are the logical components: services, applications?
– What components access the firewall?
– Who are the users, how should they be grouped?
– Who are the administrators, what are their roles?
– Will VPN be used, and will it allow remote users?



Check Point Security 101
Detecting IP Spoofing

▪ Spoofing is where an intruder attempts to gain unauthorized access by altering a packet’s IP address.



Check Point Security 101
Creating the Rule Base
▪ Each rule defines the packets that match the rule.



Check Point Security 101

Basic Rules
▪ Two rules used by nearly all administrators
– Stealth Rule
– Cleanup Rule

Check Point Security 101
Implied Rules

Check Point Security 101
Rule Base Management

Before creating a Rule Base:

▪ Which objects are in the network?


▪ Which user permissions and authentication schemes are needed?
▪ Which services, including customized services and sessions, are allowed across the network?

Check Point Security 101
Rule Base Order – Access Control
▪ IP spoofing / IP options
▪ First Implied Rule[s] - No explicit rules can be placed before it.
▪ Explicit Rules - These are the rules that you create.
▪ Before Last Implied Rule[s] - Applied before the last explicit rule.
▪ Last Explicit Rule - We recommend using a Cleanup rule as the last explicit rule.
– Note - If you use the Cleanup rule as the last explicit rule, the Last Implied Rule and the Implicit
Cleanup Rule are not enforced.
▪ Last Implied Rule[s] - Although this rule is applied after all other explicit and implied rules, the
Implicit Cleanup Rule is still applied last.
▪ Implicit Cleanup Rule - The default rule that is applied if none of the rules in the Policy Layer match.
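
The order listed above, modeled as a first-match evaluator (an added example, not Check Point code and not part of the original slides). The addresses, interface names, port numbers, the two implied rules and the drop action of the Implicit Cleanup Rule are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
GW = ip_network("203.0.113.1/32")    # constructed gateway address
LAN = ip_network("10.1.0.0/16")      # constructed network behind eth1
MGMT = ip_network("10.1.0.10/32")    # constructed management host

# Rule: (name, source, destination, port or None for any, action)
FIRST_IMPLIED = [("control connections", MGMT, GW, 4434, "accept")]  # hypothetical
BEFORE_LAST_IMPLIED = []                                             # none in this model
LAST_IMPLIED = [("outgoing DNS", LAN, ANY, 53, "accept")]            # hypothetical
EXPLICIT = [
    ("Stealth", ANY, GW, None, "drop"),     # no direct access to the gateway
    ("Web out", LAN, ANY, 443, "accept"),
    ("Cleanup", ANY, ANY, None, "drop"),    # recommended last explicit rule
]

def spoofed(iface, src):
    """Source must agree with the interface: LAN only on eth1, never on eth0."""
    return (src in LAN) != (iface == "eth1")

def evaluate(iface, src, dst, port, explicit=EXPLICIT):
    """Return (stage, rule, action) for the first match, in the listed order."""
    src, dst = ip_address(src), ip_address(dst)
    if spoofed(iface, src):
        return ("anti-spoofing", "address spoofing", "drop")
    stages = [
        ("first implied", FIRST_IMPLIED),
        ("explicit", explicit[:-1]),
        ("before last implied", BEFORE_LAST_IMPLIED),
        ("last explicit", explicit[-1:]),
        ("last implied", LAST_IMPLIED),
    ]
    for stage, rules in stages:
        for name, r_src, r_dst, r_port, action in rules:
            if src in r_src and dst in r_dst and r_port in (None, port):
                return (stage, name, action)
    # Assumed default action when nothing in the layer matched.
    return ("implicit cleanup", "Implicit Cleanup Rule", "drop")
```

With the Cleanup rule in place, a DNS packet from the LAN is dropped by it; pass `explicit=EXPLICIT[:-1]` and the same packet reaches the last implied rule instead.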
