Adding Rules


The SmartDashboard is the main interface for all of your firewall needs. This is where you have been working to add objects, but it is also the interface to define rules. The next few sections briefly show how the SmartDashboard can be used to put your network objects into play in the form of firewall rules.

Rules

FW-1 is designed to enforce a set of rules, known as a rule base. This rule base defines the behavior of the firewall and is configured by the firewall administrator. Carefully consider the underlying needs, both security and functionality, and weigh them against each other. You will probably never strike a perfect balance, but the closer you come, the easier your life will be. Fundamentally, there are two models of firewall configuration. The first considers all traffic suspect and allows only what is necessary (blocking everything not explicitly allowed). This is commonly referred to as the principle of least privilege and is considered a best practice for security. The second model is far more permissive, allowing all traffic that has not been judged risky (allowing everything except what is explicitly denied). This model is typically seen when firewalling inside the network rather than at the edge. Which model you subscribe to is a decision that must be made at the policy level: your firewall should be a technical implementation of the written corporate security policy.

A rule is made up of the combination of Source, Destination, VPN, Service, Action, Track, Install On, and Time fields, plus an optional (but highly recommended) Comment field. These fields are explained in the next few sections, along with the methods used to create them. Rule base creation is covered in detail in Chapter 4.

Adding rules in FW-1 is very straightforward. The one decision you have to make when adding a new rule is where to place it, and because the rule base is matched from the top down, placement matters. When you select Rules | Add Rule you will see a submenu with the following choices.

  • Bottom After the last rule in the rule base.

  • Top Before the first rule in the rule base.

  • After After the currently selected rule.

  • Before Before the currently selected rule.

After you insert the new rule, it will resemble the one shown in Figure 3.30. You will need to configure the specifics of each rule: right-click in each field of the new rule to enter the necessary information.
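Rule order and the two configuration models in practice, as an added illustration that is not from this book or from Check Point: a small Python model of a first-match rule base with the four placement operations. It evaluates a connection top-down, first match wins, and anything no rule matches falls through to an implicit drop that, unlike an explicit cleanup rule, writes no log entry. The VPN, Install On, and Time columns are left out of the model, and the object names, addresses, and services are constructed for the example.

```python
"""Toy first-match rule base used to illustrate rule order and the two
configuration models described above. Explanatory model only, not Check
Point code; names, addresses and services are constructed for the example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "Any"


def _contains(obj: str, addr: str) -> bool:
    """Does a network object (a CIDR, or Any) contain one address?"""
    return obj == ANY or ip_address(addr) in ip_network(obj)


def _covers(obj: str, other: str) -> bool:
    """Does object `obj` match everything object `other` can match?"""
    if obj == ANY:
        return True
    if other == ANY:
        return False
    return ip_network(obj).supernet_of(ip_network(other))


@dataclass
class Rule:
    name: str
    source: str        # network object as CIDR, or Any
    destination: str   # network object as CIDR, or Any
    service: str       # e.g. "tcp/80", or Any
    action: str        # Accept, Drop or Reject
    track: str = "Log"
    comment: str = ""

    def matches(self, src: str, dst: str, svc: str) -> bool:
        return (_contains(self.source, src) and _contains(self.destination, dst)
                and self.service in (ANY, svc))

    def shadows(self, other: "Rule") -> bool:
        """True if this rule, placed earlier, matches every connection `other` could."""
        return (_covers(self.source, other.source)
                and _covers(self.destination, other.destination)
                and self.service in (ANY, other.service))


@dataclass
class RuleBase:
    rules: List[Rule] = field(default_factory=list)

    # The four placement choices of the Rules | Add Rule submenu.
    def add_top(self, rule: Rule) -> None:
        self.rules.insert(0, rule)
    def add_bottom(self, rule: Rule) -> None:
        self.rules.append(rule)
    def add_before(self, selected: str, rule: Rule) -> None:
        self.rules.insert(self._index(selected), rule)
    def add_after(self, selected: str, rule: Rule) -> None:
        self.rules.insert(self._index(selected) + 1, rule)
    def _index(self, name: str) -> int:
        return next(i for i, r in enumerate(self.rules) if r.name == name)

    def evaluate(self, src: str, dst: str, svc: str) -> Tuple[Optional[int], str, str]:
        """Top-down, first match wins. A connection no rule matches falls
        through to the implicit drop, which produces no log entry."""
        for pos, rule in enumerate(self.rules, start=1):
            if rule.matches(src, dst, svc):
                return pos, rule.name, rule.action
        return None, "implicit", "Drop"

    def shadowed(self) -> List[str]:
        """Rules that can never match because an earlier rule covers them."""
        return [r.name for i, r in enumerate(self.rules)
                if any(e.shadows(r) for e in self.rules[:i])]


def default_deny_policy() -> RuleBase:
    """Least-privilege model: permit only what is needed, then an explicit
    cleanup rule so the drops are logged instead of silently discarded."""
    rb = RuleBase()
    rb.add_bottom(Rule("web-in", ANY, "192.0.2.10/32", "tcp/80", "Accept",
                       comment="Public web server"))
    rb.add_bottom(Rule("cleanup", ANY, ANY, ANY, "Drop", track="Log",
                       comment="Explicit cleanup: log everything not permitted above"))
    return rb


def permissive_policy() -> RuleBase:
    """Permissive model: deny only what is explicitly judged risky, allow the rest."""
    rb = RuleBase()
    rb.add_bottom(Rule("no-telnet", ANY, ANY, "tcp/23", "Reject",
                       comment="Cleartext logins are explicitly denied"))
    rb.add_bottom(Rule("allow-rest", ANY, ANY, ANY, "Accept", track="None"))
    return rb


def placement_demo() -> Tuple[tuple, tuple, List[str]]:
    """Add the same block rule with Bottom and with Before. At the bottom it
    sits below the cleanup rule and never matches; before web-in it takes effect."""
    block = Rule("block-attacker", "198.51.100.0/24", ANY, ANY, "Drop",
                 track="Alert", comment="Known hostile range")
    at_bottom = default_deny_policy()
    at_bottom.add_bottom(block)
    before_web = default_deny_policy()
    before_web.add_before("web-in", block)
    flow = ("198.51.100.5", "192.0.2.10", "tcp/80")
    return at_bottom.evaluate(*flow), before_web.evaluate(*flow), at_bottom.shadowed()
```

The placement demo is the check worth remembering: a Drop rule added with Bottom lands below the cleanup rule, is shadowed, and can never match, so the hostile range is accepted by the web rule above it; the same rule added with Before web-in takes effect. The shadowed() helper lists rules that an earlier rule covers completely, a quick sanity check to run before installing a policy.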

Source

The Source field defines the IP address or hostname that is initiating the data stream. For the sake of your rule base, the source can be any of the properly defined network objects, as well as groups of users. When adding a source, you have the choice of adding an object or adding user access. You are not restricted in the number of sources for a rule, though it is a best practice to place numerous objects in a group and then use the group when they will be used together and have a logical grouping. This helps an administrator more easily understand the purpose of the rule and its need in the rule base.

Figure 3.30: New Rule

Destination

The destination can be any defined network object. When you right-click in the Destination field and select Add, you will see a window similar to that shown in Figure 3.31. Note that a rule can support multiple destinations.

VPN

The VPN field is new in NG AI (in earlier NG releases it was named If Via). This field is useful when using simplified mode VPNs. Simplified mode VPNs remove the Encrypt and Client Encrypt options (which are still available in traditional mode VPN policies) from the Action field and instead allow you to restrict this rule to traffic that passes through a VPN community. VPN communities are covered more in Chapter 10.

Service

The Service field defines the service that must be present in order to generate a match. To add a service, right-click in the Service field and select Add. You will have the choice of adding a service or a service with a resource. You can define any number of services for a rule.


Figure 3.31: Add Object

Action

The action is the way that FW-1 reacts when a rule is matched. You have a couple of choices when selecting an action, but only one selection is allowed. The available options are the following:

  • Accept Accept the packet; allow the connection.

  • Reject Reject the connection and notify the sender of the condition.

  • Drop Silently discard the packet; the sender is not notified.

  • User Authentication Use User Authentication to authenticate users for this connection.

  • Client Authentication Use Client Authentication to authenticate users for this connection.

  • Session Authentication Use Session Authentication to authenticate users for this connection.

  • Encrypt Encrypt outgoing packets; decrypt incoming packets. (Only available in traditional mode VPN policies.)

  • Client Encryption Accept only if this connection originates from a remote access VPN client such as SecuRemote or SecureClient. (Only available in traditional mode VPN policies.)

Track

The Track column defines how information about this session will be recorded. There are several options in the menu when you right-click on this field. With the exception of the first two options, which are pre-defined, the rest of these actions are actually defined in the Alert Commands section of Policy | Global Properties.

  • Log Write a log entry regarding this connection. This will be viewed with all the other logs in SmartView Tracker.

  • Account Write an accounting log entry regarding this connection. This is similar to Log, but also includes the bytes transferred over the duration of the connection and the duration time itself.

  • Alert Generate a pop-up alert in the SmartView Status GUI regarding this connection.

  • Mail Send an e-mail regarding this connection.

  • SnmpTrap Generate an SNMP trap based on this connection.

  • User-Defined Execute the user-defined script as a result of this connection.

  • User-Defined 2 Execute the second user-defined script as a result of this connection.

  • User-Defined 3 Execute the third user-defined script as a result of this connection.

Install On

The Install On field defines which firewall objects enforce this rule. Although the entire policy is installed on each selected object, these objects only enforce the part of the policy that is relevant to them. If no rules are relevant to an object, the system will not allow the policy to be installed on it.

  • Policy Targets Enforce on all objects which will have this policy installed on them. These are defined under Policy | Policy Installation Targets.

  • Gateways Enforce on all network objects defined as gateways.

  • Targets Enforce on the specified target object(s) only, in the inbound and outbound directions.

  • Dst Enforce in the inbound direction on the firewalled network objects defined as Destination in this rule.

  • Src Enforce in the outbound direction on the firewalled network objects defined as Source in this rule.

  • OSE Devices Enforce on all OSE devices.

  • Embedded Devices Enforce on all embedded devices.

Time

In this field, use a time object to restrict the connection to certain specified intervals, or leave the default of Any.

Comment

This field is used to describe the rule, its purpose, and its functionality. It is highly recommended that you use this field to enable others (and yourself) to understand the purpose of this rule. Auditors typically also like to see this column used.




Check Point NG AI
ISBN: 735623015
Year: 2004