Check Point Security Check List

Relatively recently, we published an open access mini-course " Check Point for Maximum ". There we tried briefly and with examples to consider the most frequent errors in the Check Point configuration from the point of view of information security. In fact, we told you what the default settings are bad for and how to tighten the screws. The course (unexpectedly for us) received pretty good reviews. After that, we received several requests for a brief “squeeze” of this material - a checklist for security settings . We decided that this is a good idea, and therefore we publish this article.

Before starting, I would like to focus on two things:
')

1. This checklist is not a self-contained document or manual. This is just the necessary minimum of checks that are desirable to do. Additional (extended) recommendations can be obtained only after a detailed examination of the infrastructure.
2. The checklist will be relevant not only for Check Point owners. Other vendors have similar problems with default settings: Fortigate , PaloAlto , Cisco FirePower , Kerio , Sophos , etc.

And now the checklist itself with a few comments on each item:

1) HTTPS Inspection Enabled

I talked about the importance of HTTPS inspections in the second lesson “Check Point for Maximum”. Without this option, your expensive NGFW turns into a big hole in the perimeter of the network.

2) Unwanted resources and applications are blocked (App & URL filtering)

In Check Point, two blades are responsible for this - Application Control and URL Filtering. Practically the same is with other vendors with a few differences. The main task of these functions is to reduce the attack area by blocking access to potentially dangerous resources or applications. For some reason, despite the presence of pre-configured categories (Anonymizer, Botnets, Critical Risk, Hacking, High Risk, Phishing, Remote Administration, Sospicious Content, Spyware / Malicious Sites, Stealth Tactics, etc.), people do not use these limitations. . It is better to block such things at the network level and not to bring to the traffic check more difficult means of protection (IPS, Antivirus, Anti-Bot, Threat Emulation). This will avoid false positives and save your gateway performance. Examine what categories of sites and applications allows you to block your gateway, then review your access policy again. A good help here is SmartEvent, which can generate a report on user traffic.

3) Blocking downloading unwanted files (Content Awareness)

I talked about this in the third lesson . In Check Point, Content Awareness is responsible for this feature. Other vendors may be able to do this either with Anti-Virus or with the DLP module. The meaning of this action is to deliberately block unwanted file types. Do your users need to download .exe files? And the scripts? Why check these files and hope for the reliability of your gateway, if you can block them as unwanted content? Lower load on NGFW and higher level of security. Sometimes the user may not even know that he has started downloading something (background download). Review your policy, block at least executable files.

4) Antivirus performs full file scan (Antivirus - Deep scan)

Absolutely all vendors sin with this. In the default settings, the streaming antivirus checks either the file hash or the first few bytes. For adequate protection this is not enough. Modifying the virus is easy. To catch them, you need a deep check. In Check Point, the deep inspection option is responsible for this. But be careful. It is not necessary to include this feature absolutely for all files. If you have a “weak” gateway, then the load may increase too much. Use deep inspection for the most dangerous (and frequently downloaded) files: pdf, docx, xlsx, rtf, zip, rar, exe (if allowed to download them), etc. See the fourth lesson for more details.

5) Archives are scanned, password-protected are blocked (Antivirus - archive scan)

Surprisingly, many people forget about this option. I think everyone obviously need to check the archives. And it should be obvious to everyone that archives with a password should be blocked. I see no reason to paint something more here. Just check that you have it configured.

6) Additional scanning mechanisms are enabled (Antivirus - Protections)

In the default Threat Prevention (Optimized) profile, additional check mechanisms are disabled, such as: Malicious Activity - Signatures , Unusual Activity - Behavioral Patterns . Do not neglect these settings. How to include them, I showed in the fourth lesson .

7) IPS is updated at least once a week.

In the fifth lesson, I tried to show how important IPS is to protect the network. And one of the key conditions for efficiency is the “fresh” database of signatures. Make sure your IPS is updated often enough. My recommendation is at least once every three days. As a rule, the default values ​​are much higher (from a week to a month) for almost all vendors.

8) IPS rendered in a separate Layer

Another important point. Be sure to make the IPS in a separate Layer. Only in this way can you get the most out of it. I explained in some detail why and how to do this in the sixth lesson of the course.

9) Different Threat Prevention policies for different network segments.

Threat Prevention policies include blades such as: Antivirus, Anti-Bot, IPS, Threat Emulation, Threat Extraction. As we already defined above, IPS should be rendered in a separate Layer. There you should have at least two policies - one for the client device, the other for the server. At the same time, ideally, politics should break up even more, because in each segment there can be different types of devices and different types of services. The key task is to include only the necessary protection mechanisms. It makes no sense to check the windows-signatures traffic that is intended for Linux host. The same applies to other blades. Threat Prevention's segmented policy is the key to adequate protection.

10) Use Hold mode

The default for Threat Prevention is background mode. This means that if the file is new and there is no required signature, then it can pass as long as there is an “in-depth” check in the background. This is not exactly what is usually required of remedies. Therefore, make sure that the Hold mode is enabled in the Threat Prevention properties (in global and profile settings).

11) Geo Policy Formed

This function is also undeservedly forgotten. This option will allow blocking any traffic (both incoming and outgoing) of any country for your network. Do your users need to visit the resources of Bangladesh or the Congo? But the attackers love to use the servers of countries where the legislation in terms of cybercrime is rather poorly developed. A competent Geo-policy will not only increase the level of security, but also reduce the load on the gateway, because the latter will not have to check everything.

12) Threat Emulation Enabled

It does not do one point. For good, you need to make a separate checklist for Threat Emulation settings. With your permission, I will not do this :) I will dwell on one main recommendation - the blade should be turned on. For some reason, many more administrators consider this feature unnecessary exotic. Turn on at least Detect mode and see the report after a week. You will be surprised. If the current subscription level does not allow using this blade, then you can request a demo license for 30 days.

13) False Positive Missing

Last but not least. I have repeated many times (and I’m not tired of repeating) that security is a continuous process, not a result. Therefore, even if you are well tuned, you should at least check the effectiveness and results. Does the protection work and there are no errors? The simplest example to do this is to periodically check security logs. Check logs for Threat Prevention Blades. Whether there are no detect on events with Severity level High or Critical and Confidence Level with value High. Filter example by logs:

product_family: (Threat OR Endpoint OR Mobile) AND action: Detect AND severity: (Critical OR High) AND confidence_level: (Medium-High OR High)

If you saw logs that fall under this filter, it means that you missed what you should have blocked into the network. Either you have configured something wrong, or your remedy does not work as it should. Periodically check for such events, or set up notifications (SmartEvent functionality).

Best Practice

Most of the points can be found in the official Check Point documentation. We have already published a whole collection in the article " Check Point Instructions and Useful Documentation ". In our case, the main source of information will be a selection of articles - Best Practice and ATRG . If you are a happy owner of Check Point products, then these topics are required to read.

Conclusion

This concludes our “damn dozen” checks. If you put in order the settings of your gateway in accordance with this list, then your level of security will be higher than that of 80% of companies (statistics from personal experience). I repeat that these are only basic checks. For advanced and more specific recommendations, a comprehensive analysis of the current settings and network architecture is needed. Here you can find a sample report ( Check Point Security Audit ) on the results of such an audit of settings. If you wish, you can get a report with specific recommendations and instructions for corrections.

Additional training materials can be found in our group or telegram channel .