Suspicious Activities Monitoring Protocol (SAMP)


Check Point, along with its OPSEC alliance partners, has introduced a very powerful feature into CP VPN-1/FW-1. This feature, known as Suspicious Activity Monitoring, or SAM, enables the firewall to accept instructions from other network devices and block traffic as they specify. Most notable among these OPSEC partners is ForeScout Technologies, with their ActiveScout product. Using the Suspicious Activity Monitoring Protocol (SAMP), an ActiveScout sensor can dynamically update the VPN-1/FW-1 enforcement rules. These changes can be either permanent or time-based.

For you, as a firewall administrator, the most interesting element of SAMP is not the ability of other devices to restrict connections, but your own ability to block, or inhibit, a connection. This can be a very powerful reactive measure and, if properly employed, can greatly enhance your site security. Imagine the ability to block a connection for five or ten minutes while you do some quick research on the nature of the suspicious connection. Teamed with a user-defined alert script, this can even be done in an automated way.

start sidebar
Designing & Planning
Intrusion Detection?

While this book is about CP VPN-1/FW-1, you probably also have Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS) on your mind. When coupled with SmartDefense and deployed properly, an IDS/IPS greatly adds to the overall effectiveness of a firewall. But what if you can't deploy an IDS/IPS suite because of something such as budget limitations?

The usual solution is to cross one's fingers and hope for fair weather, but with CP VPN-1/FW-1 you have better options. As we'll detail in Chapter 13, you can use Check Point SmartDefense to alert you to the presence of some simple probes and attacks, but this feature isn't all that extendable. Another solution is to use user-defined alerts.

Lance Spitzner maintains a guide on how to use user-defined alerts to create a lightweight IDS and honeypot based on the data collected by CP VPN-1/FW-1 alerts, and even has a script that will do the trick for you. You can visit this guide and download the script (it's distributed under the terms of the GPL license, free of charge) by pointing your Web browser to http://secinf.net/info/unix/lance/intrusion.html.

end sidebar
 

Connection inhibiting is enabled using the fw sam command. This command has some very useful options, most of which are detailed in Table 9.3. The usage of the fw sam command is as follows:

 fw sam [-v] [-s sam-server] [-S server-sic-name] [-t timeout] [-l log] [-f fw-host] [-C] -(n|i|I|j|J) <criteria>
 fw sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -M -ijn <criteria>
 fw sam [-v] [-s sam-server] [-S server-sic-name] [-f fw-host] -D
Table 9.3: fw sam Command Options

Option          Explanation

-v              Enable verbose mode. In this mode of operation, SAM writes a message to STDERR for each firewall module that is enforcing the action. The message indicates success or failure.

-s server       The address or registered name of the SAM server to contact, that is, the VPN-1/FW-1 system that receives the request and distributes the action. The default is localhost. Normally this is your management station, which then contacts one, several, or all of the firewalls it manages to actually block the connections.

-S server_sic_name
                The SIC name of the SAM server being contacted. The system contacted must present a certificate with this SIC name; if it does not, the connection fails. If this option is omitted, the command proceeds without comparing a name against the certificate presented to it.

-f <fw host>    The firewall module(s) that will actually block the connection(s). By default, the SAM server contacts all firewalls it manages. <fw host> can be localhost, the name of the firewall object (for example, ExternalFW), Gateways (only systems defined as Check Point gateways, not hosts), or All.

-t timeout      How long, in seconds, the action stays in effect. If no value is specified, the action remains in effect indefinitely, or until you cancel it.

-C              Cancel the blocking of the connection specified by the parameters (the same action flag and criteria used to set the block).

-D              Cancel all inhibit and notify directives.

-n              Notify (by recording a log entry) and alert, but do not block, based on the specified criteria.

-i              Inhibit connections meeting the specified criteria. New connections are rejected.

-I              Inhibit connections meeting the specified criteria, and also close all existing connections that match. Connections are rejected.

-j              Inhibit connections meeting the specified criteria. New connections are dropped.

-J              Inhibit connections meeting the specified criteria, and also close all existing connections that match. Connections are dropped.

-l log          The log format to use when recording an event. Options are nolog, long_noalert and long_alert; long_alert is the default.

<criteria>      Used to match connections with a combination of various parameters. Criteria may be one of the following:

                src <ip>
                dst <ip>
                any <ip>
                subsrc <ip> <net-mask>
                subdst <ip> <net-mask>
                subany <ip> <net-mask>
                srv <src-ip> <dst-ip> <service> <protocol>
                subsrv <src-ip> <net-mask> <dst-ip> <net-mask> <service> <protocol>
                subsrvs <src-ip> <net-mask> <dst-ip> <service> <protocol>
                subsrvd <src-ip> <dst-ip> <net-mask> <service> <protocol>
                dstsrv <dst-ip> <service> <protocol>
                subdstsrv <dst-ip> <net-mask> <service> <protocol>
                srcpr <ip> <protocol>
                dstpr <ip> <protocol>
                subsrcpr <ip> <net-mask> <protocol>
                subdstpr <ip> <net-mask> <protocol>

This command is the workhorse of user-defined alert scripts. If you intend to write such scripts and react to events proactively rather than after the fact, become comfortable with its syntax now.
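To tie the two ideas together (the user-defined alert script mentioned earlier in this section, and the fw sam syntax just described), here is an added example of an alert handler that turns an alert record into a ten-minute SAM block. It is not Check Point code and it makes a few assumptions that you must verify against your own installation: that the firewall hands the alert record to the script on standard input, that the record carries "key: value;" fields such as "src: a.b.c.d; dst: ...; proto: tcp; service: 23;" (the layout varies by version, and service may be a name rather than a port), and that fw sam takes the IP protocol number in srv criteria. The sample record, the never-block network list and the FW_SAM/BLOCK_SECONDS variables are all constructed for the example.

```shell
#!/bin/sh
# Added example (not Check Point code): a user-defined alert handler that turns
# a VPN-1/FW-1 alert record into a time-limited SAM block via fw sam.
#
# Assumptions, labelled so you can check them against your own installation:
#  * the firewall hands the alert record to the script on standard input;
#  * the record carries "key: value;" fields such as "src: a.b.c.d; dst: ...;
#    proto: tcp; service: 23;" (layout varies by version, and service may be a
#    name rather than a port on yours);
#  * fw sam wants the IP protocol *number* in srv criteria (6 = TCP, 17 = UDP).
FW_SAM="${FW_SAM:-fw sam}"            # point at a stub (e.g. "echo") to dry-run
BLOCK_SECONDS="${BLOCK_SECONDS:-600}" # 10 minutes: long enough to investigate
# Networks that must never be blocked automatically (management, VPN peers,
# DNS). Constructed for the example; replace with your own.
NEVER_BLOCK="10.0.0.0/8 192.168.100.0/24"
# Constructed sample record, not captured from a real firewall.
SAMPLE_ALERT='11Jun2004 10:12:30 alert ExternalFW >eth0 rule: 5; src: 203.0.113.7; dst: 192.168.1.10; proto: tcp; service: 23;'

# field RECORD KEY: print the value of "KEY: value;" (empty if absent).
field() {
    printf ' %s\n' "$1" | sed -n "s/.*[ ;]$2: *\([^; ]*\).*/\1/p" | head -n 1
}

# ip2int a.b.c.d: dotted quad as a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: succeed if IP lies inside the prefix.
in_cidr() {
    net="${2%/*}"; bits="${2#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# never_block IP: succeed if IP is inside any NEVER_BLOCK prefix.
never_block() {
    for cidr in $NEVER_BLOCK; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# proto_number NAME: alert records spell the protocol out; fw sam wants a number.
proto_number() {
    case "$1" in
        tcp) echo 6 ;; udp) echo 17 ;; icmp) echo 1 ;; *) echo "$1" ;;
    esac
}

# sam_block_src_cmd RECORD: fw sam line that drops (-J rather than -I, so the
# scanner gets no RST) all new and existing connections from the source.
# Returns 1 if there is no src field, 2 if the source is on the never list.
# Printed rather than executed so a caller can log, review or dry-run it.
sam_block_src_cmd() {
    src=$(field "$1" src)
    [ -n "$src" ] || return 1
    never_block "$src" && return 2
    printf '%s -t %s -J src %s\n' "$FW_SAM" "$BLOCK_SECONDS" "$src"
}

# sam_block_conn_cmd RECORD: narrower block using srv criteria, i.e. only this
# source to this destination, service and protocol.
sam_block_conn_cmd() {
    src=$(field "$1" src); dst=$(field "$1" dst)
    svc=$(field "$1" service); proto=$(field "$1" proto)
    [ -n "$src" ] && [ -n "$dst" ] && [ -n "$svc" ] && [ -n "$proto" ] || return 1
    never_block "$src" && return 2
    printf '%s -t %s -J srv %s %s %s %s\n' "$FW_SAM" "$BLOCK_SECONDS" \
        "$src" "$dst" "$svc" "$(proto_number "$proto")"
}

# sam_cancel_cmd IP: -C only lifts a block given the same flag and criteria
# it was set with, so this must mirror sam_block_src_cmd.
sam_cancel_cmd() {
    printf '%s -C -J src %s\n' "$FW_SAM" "$1"
}

main() {
    record=$(cat)                         # the alert record arrives on stdin
    if cmd=$(sam_block_src_cmd "$record"); then
        echo "sam: $cmd" >&2
        $cmd                              # word-split on purpose
    else
        echo "sam: not blocking: $record" >&2
    fi
}

# Act as the alert handler only when invoked that way; sourcing the file for
# a dry-run (or a test) just defines the functions above.
if [ "${1:-}" = "--alert" ]; then
    main
fi
```

Install it as the user-defined alert command with the --alert argument, and dry-run it first with FW_SAM=echo so you can see the exact fw sam line it would issue for a real alert from your own module. The never-block list is the part that deserves the most thought: a script that can inhibit traffic from your management station or DNS servers is a denial-of-service tool pointed at yourself.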

Another way to interface with SAM is via the SmartView Tracker GUI. From SmartView Tracker, select the Active tab. You will then see entries representing the active connections through the firewall. Each connection is assigned a Connection ID, as indicated in Figure 9.7.

Figure 9.7: Active Connections: Connection ID

Once you have noted the connection that you wish to remove, select it and then choose Tools | Block Intruder from the menu. You will then see a screen like the one illustrated in Figure 9.8.


Figure 9.8: Specify the Connection ID

This is the panel used to block the connection. You have a few options to select from on this screen, as shown in Figure 9.8:

  • Blocking Scope Enables you to block this specific connection, all connections from the source noted in the log, or all connections to the destination noted in the log.

  • Blocking Timeout Enables you to specify either indefinite blocking or a time period for this block.

  • Force this blocking Enables you to enforce blocking this connection on all firewalls or just the firewall that has recorded the event.

The command-line arguments, while a bit more complicated, allow a greater degree of flexibility than the GUI offers. The GUI's ease of use makes it the better choice for a quick, one-off block; scripted execution of fw sam is the better choice when you need to be very specific about what is blocked and for how long.

So, what do you do when you've blocked a connection that shouldn't be blocked, or wish to lift an existing block? Here's where it gets odd. The GUI only enables you to unblock en masse; it's an all-or-nothing proposition. From the menu bar, select Tools | Clear Blocking. You will be presented with a pop-up message, like the one in Figure 9.9, telling you that ALL the connections that were blocked via SAM are no longer blocked. If you've made a mistake and blocked the wrong connection (assuming you have other, valid blocks in place), your only real recourse is to use the command-line syntax to clear that specific block with the -C option of the fw sam command, supplying the same action flag and criteria that set the block.


Figure 9.9: Clear Blocking Confirmation



Check Point NG[s]AI
ISBN: 735623015
EAN: N/A
Year: 2004
Pages: 149
