
Check Point Security CheckUP - Free network security audit. Part 1


To be honest, I do not understand why this topic has not yet been covered on Habr. Let me correct that omission. In the previous article we covered testing the effectiveness of existing protection tools. That tool is very useful, but we all understand that it is a weak test, and a synthetic one at that. How do you evaluate a real network with real traffic? Which threats are actually relevant to you, are there infected computers on the network, which applications do users run, and who is eating up all the bandwidth? As a rule, you have to use a whole set of different tools for this:
  1. Tools for inspecting mail and its attachments;
  2. Tools for analysing visited sites and traffic volumes;
  3. Tools performing the function of a streaming antivirus;
  4. Traffic analysis tools (IDS);
  5. And much more.

It is very difficult to find a serious (non-open-source) integrated solution combining these functions. On top of that, there is the problem of how to integrate these tools into your current infrastructure without having to rebuild half the network (after all, we only want to run a test).
Oddly enough, Check Point provides exactly this opportunity: a FREE security audit of your network. In one of our earlier posts we briefly described what Check Point is. Now we describe how it can be tested, and to our own benefit at that. I hasten to warn you that this post is of a marketing nature: its purpose is to tell you about Check Point Security CheckUP and how it can be useful to you. In the next posts we will look at the purely technical issues: installation and configuration.

What can Check Point Security CheckUP do?
Check Point Security Checkup is a tool for detecting risks and threats across your entire network. Almost all security risks are covered:
  1. Identification of web applications and websites of questionable nature used by employees: peer-to-peer networks, cloud file storage, proxies and anonymizers, malicious sites and much more.
  2. Threat analysis, including computers infected with bots, viruses and unknown malware (zero-day attacks and attacks that are not detected by traditional anti-virus solutions).
  3. Assessment of vulnerabilities in the company's servers and workstations that are the target of possible attacks.
  4. Monitoring of sensitive data sent out of the organization by email or via the web.
  5. Bandwidth analysis and identification of the most demanding applications and websites: who loaded the network the most, and how.
  6. For existing Check Point customers using centralized management: checking security policies for regulatory compliance and best practices, including the industry standards PCI, HIPAA, ISO and others.

The Security Checkup report includes recommendations to help you understand the risks and how to protect against them. We will talk about the reports below.

How does the network audit happen?
Inspecting the network with Security Checkup involves installing a Check Point Security Gateway inside the network to inspect the traffic passing through it. The gateway is not installed inline (“in the gap”), so the network configuration does not have to be changed and failures and downtime in the company are avoided. Instead, a copy of the traffic is inspected by connecting the gateway to a Test Access Point (TAP) device or to a mirror port (also known as a SPAN port) on the network switch. This approach completely eliminates the problems typical of an inline connection, since only a copy of the traffic is inspected. Below is the connection diagram:

If the company's internal rules strictly prohibit connecting any third-party equipment to the corporate network, the audit can be performed using a virtual machine. To do this, you create a virtual machine with a Check Point software gateway on a server running the VMware ESXi or Hyper-V hypervisor. The virtual machine parameters depend heavily on traffic volumes, but the minimum requirements are 6 GB of RAM and 4 CPU cores. I think this option is the most interesting for Habr readers, because it can be done independently, without requesting a piece of hardware from distributors or integrators. It is this method (with a virtual machine) that we will consider in the next article.
What blades can I use?
In the previous post I briefly described the Check Point software blades (functions). Almost all of them can be used within the framework of an audit:

At the end of the audit, a detailed, comprehensive report becomes available.

What does the report include?
As an example, we give the report generated by Gaia version R77.30. It is already considered obsolete, since there is a newer version, R80. However, at the time of this writing, it was not possible to deploy a standalone R80 solution (gateway + management server on one machine). That is, instead of one virtual machine you would have to bring up two, which takes longer and needs more resources. Therefore, I will show a report for R77.30.
The report is produced as a PDF file, and the first thing we see is general information security statistics:

Then you can see more detailed statistics. For example, “Applications and high risk sites”:

We see the applications in use, which category they belong to and their traffic volumes. The report also includes a description of these applications (in Russian, too).

Then you can see the most active users:

And data leakage incidents:

The report below provides information on which files were transferred, by whom and where to.

You can also get acquainted with the bot activity in your network:

Types of bots, who is infected and where the bot is “calling out” to.

There are statistics on virus incidents:

And information on zero-day malware (including a description of malicious activity):

There is a report on the work of the IPS and what it detected:

A ranking of end stations where high-risk applications run:

A sample report for R77.30 can be downloaded here.

Reports generated with R80 are more colourful and detailed:

A sample report for R80 can be downloaded here.

Duration of the audit
As a rule, two weeks is enough. Configure Check Point in a virtual machine, send a copy of the traffic to it and, after two weeks, look at the finished report. In our practice (and we have already conducted around a hundred such audits) things are always found that the administrators never expected: VPN use, virus downloads, bots inside the network and much more.

Conclusion
Thus, using Check Point Security CheckUP, you can conduct a completely free security audit of your network. The test requires a minimum of effort from the administrator, and you get to use a professional solution. Using the report, you can draw a conclusion about the effectiveness of your network protection and whether such protection is needed at all. In the following articles we will examine this process in detail. Or you can request this audit for your network free of charge.

P.S. Here you can download the image that we will deploy in the following articles.

Source: https://habr.com/ru/post/324396/
