Friday, January 28, 2011

Checkpoint- Best practice

Level: - Intermediate
: - checkpoint R61, R62, UTM, VPN-1, Nokia IP60,Nokia IP260,Nokia IP290,Nokia IP390,Nokia IP560,Nokia IP690,Nokia IP1220,Nokia IP1260,Nokia IP1280,Nokia IP2255,Nokia IP2450
: -
: - Dinesh Aggarwal

Here we are going to discuss some best practices to be followed while creating a rule base in checkpoint firewall. By following these best practices you can expect a better performance and easy management from checkpoint firewall.Let’s start by identifying some of the general best practices that should be followed for creating an powerful rulebase

Best practices for good Rulebase

1) The firewall rulebase should be as simple as possible. The fewer rules you have, the more efficient and less error prone the rulebase will be.
2) Avoid using "Any" in the service field.
3) Use a network object instead of many workstation node objects.
4) Use groups to gather source, destination or services.
5) Anti spoofing should be configured for all the firewall interfaces.
6) Place the most commonly accessed rules on top of the rulebase. This will improve performance and make the firewall more efficient. Firewall-1 searches the rulebase in sequential order. The first rule matching a connection is applied, not the rule that matches best.

This checkpoint best practices rules is surely going to result in better firewall performance. This rule is application to any firewall weather its cisco ASA, PIX, checkpoint, Netscreen or any other firewall.

7) Use good naming conventions to represent network objects (hostname_ip address is a good naming scheme) and services.

8) Implement the "Stealth rule" to block and track connection attempts to the firewall module.

9) Prefer "Reject" to "Drop" for some services. Services such as "ident" should be rejected to allow better application performance.
10) Implement the "Cleanup" rule at the bottom of the rulebase to block and log all traffic. Firewall-1 by default does not log traffic that is dropped. By having the "Cleanup" rule, logging can be turned on for blocked connections.

Note: - When a Drop action is taken, the sender is not notified.

Following table describes what happens when a Reject action is taken.

Difference between Reject and Drop
service Reject
TCP The sender is notified.
UDP Sends an ICMP port unreachable error to the sender.
other Same as Drop.

11) Do NOT use the domain object in the rulebase. Domain objects may cause performance bottlenecks.
12) To avoid being flooded by logging of broadcast traffic such as bootp and NBT, create a rule to drop the packets without logging. Ident is a service used by SMTP protocol to try to identify the email clients. By "reject" the service but not "drop" it, the SMTP application will gain performance since it doesn't have to wait for the ident connection to timeout.
13) Disable Decrypt on accept property if not using VPN

That’s it, these are the basic rules for managing an effective rulesbase in checkpoint

No comments:

Post a Comment