
An Introduction to Checkpoint Firewall

This paper is an introduction to Checkpoint's Firewall version 4.1. In this paper you will learn the basics of what Checkpoint is and how it works. You will also see a graphical installation of Checkpoint on an NT 4 server, as well as the creation of a generic set of rules that would apply to a small business or home user. Throughout my years of using Checkpoint, I have never seen 'HowTo' instructions on Checkpoint like this other than what is taught in the Checkpoint classes. At the very end of this document, you will find some useful links to sites I have found helpful over the years. Please keep in mind that this is not meant to be a comprehensive, all-inclusive tutorial on Checkpoint, but simply a quick get-up-to-speed paper for a small business.

A brief overview of Firewalls

There are 3 basic types of Firewall systems used today:
• Packet Filtering
• Application Gateway Proxy
• Stateful Inspection

A Packet Filtering Firewall examines each packet that passes through it only up to the network layer. This means that the upper four layers (Application, Presentation, Session, and Transport) are passed into an internal network without being inspected. The Packet Filtering Firewall looks at each packet and determines what to do with it based on a rulebase you define. This type of Firewall technique is popular because it is inexpensive, transparent to applications and quicker than most application layer gateways. However, it provides low security, has a limited ability to manipulate information, is difficult to configure, and is subject to IP spoofing. This type of Firewall can usually be found on routers.

Application Layer Gateways, better known as Proxies, function at the application level. Proxies are being challenged today in that outside networks are continually growing and introducing new protocols, services and applications all the time. As this happens, the Proxy has a difficult time keeping up with these new kinds of communication on networks.

Proxy Firewalls remain popular today because they offer a decent level of security, are relatively inexpensive and provide full application-layer awareness. However, each service requires its own application layer gateway, meaning scalability is poor. Running at the application level also costs performance, and they are vulnerable to operating system and application level bugs and exploits.

Stateful Inspection is the third type of firewall used today. Stateful Inspection gathers, stores, and manipulates information pertaining to all communication layers and from other applications. In other words, imagine a giant spreadsheet. Every packet that is allowed through the firewall is entered into that spreadsheet and kept there for a pre-determined amount of time, creating a 'Stateful Inspection Table.' The benefits of this are excellent security, full application-layer awareness, high performance and scalability.
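The 'giant spreadsheet' idea in working form, as an added example that is not code from the paper or from Checkpoint: a tiny state table that records permitted outbound connections, lets their replies back in, and expires idle entries. Addresses, the 60-second timeout and the two-rule policy are constructed for the example.

```python
# Added example, not from the paper: a miniature Stateful Inspection Table modelled on
# the "giant spreadsheet" above; replies pass only while a recorded entry is unexpired.
from dataclasses import dataclass

TIMEOUT = 60                 # seconds an idle entry stays in the table (constructed value)
INTERNAL_NET = "192.168.0."  # the paper's internal LAN

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

class StateTable:
    def __init__(self):
        self.entries = {}    # Flow -> time at which the entry expires

    def _expire(self, now):
        self.entries = {f: t for f, t in self.entries.items() if t > now}

    def add(self, flow, now):
        self.entries[flow] = now + TIMEOUT

    def matches(self, flow, now):
        """True if this packet is the reply direction of a recorded connection."""
        self._expire(now)
        reverse = Flow(flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        if reverse in self.entries:
            self.entries[reverse] = now + TIMEOUT   # activity refreshes the entry
            return True
        return False

def inspect(table, flow, now):
    """Verdict for one packet under a two-rule policy: LAN may go out, everything else drops."""
    if table.matches(flow, now):
        return "accept"          # part of a connection already in the table
    if flow.src.startswith(INTERNAL_NET):
        table.add(flow, now)     # new outbound connection: record it so its replies can return
        return "accept"
    return "drop"                # unsolicited inbound packet with no state behind it

def demo():
    t = StateTable()
    out = Flow("192.168.0.10", 40000, "198.51.100.7", 80, "tcp")
    reply = Flow("198.51.100.7", 80, "192.168.0.10", 40000, "tcp")
    rogue = Flow("203.0.113.9", 80, "192.168.0.10", 40000, "tcp")  # forged "reply" from elsewhere
    return [inspect(t, out, 0), inspect(t, reply, 5), inspect(t, rogue, 6), inspect(t, reply, 100)]
```

The last call shows the expiry: the same reply that was accepted at t=5 is dropped at t=100 because its entry aged out of the table.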

What is Checkpoint?

Checkpoint Firewall-1 uses the Stateful Inspection technology. Checkpoint analyzes all packet communication layers and extracts the relevant communication and application state information. Firewall-1 has an Inspection Module that lives in the operating system kernel. This is below the network layer, at the lowest software level. This is the ideal location because, by analyzing all traffic at this level, the Inspection Module inspects all traffic before it reaches the OS. This saves the OS's processing time and resources. A final note: by placing its kernel module between the Network Interface Cards and the TCP/IP stack itself, Firewall-1 protects the TCP/IP stack.

Preparing an NT 4.0 server

For this paper, I focus on installing the Checkpoint Firewall-1 software on an NT 4 server. I do this because most small businesses have NT. When using Checkpoint software on an NT server, I recommend you make two different drives, for example a C: drive and a D: drive. The reason for this is to maintain the firewall logs. One of the most important features of a firewall is the logs it generates. These logs will grow and grow as traffic is accepted, denied or rejected on your firewall. As these logs grow, they take up more and more space, and can fill up your entire drive. This would crash your Windows NT box and cause the firewall to fail. The end result is no more connectivity through that firewall.

After you have created two drives, I recommend formatting both with the NT File System (NTFS). This brings the level of security on the box up and allows you to lock it down even tighter. Not only do you have to consider the rulebase to protect your network, you should also consider the physical location of the firewall. Who will have access to it? Who will know the Administrator's password? NTFS will help you secure the box against a casual employee or friend coming over and 'playing' with your configuration.

I recommend installing your Operating System (OS), on the C: drive. Then install
Checkpoint on the D: drive.

Make the Checkpoint Firewall server a standalone server. It should not be part of a
domain.

Installing Checkpoint

When installing Checkpoint, it is important to have a clear understanding of what you need first, before you begin. I have created a small checklist of items I used to create this paper:
• Checkpoint 4.1 media
• Checkpoint License from Checkpoint
• Legal IP address for external interface
• 2 or more Network cards
• An NT server
• An internet connection
• Four port hub

I also recommend that you create a network diagram before making any rules. This helps in creating a rulebase. Below is the network we will configure for:

In this example, we will connect a small home/office to the internet using Checkpoint Firewall-1. The network will connect to a hub, which connects to an internal Network Interface Card (NIC) on the Firewall server. The second NIC on the Firewall will be our external NIC and will connect to our Cable modem, which in turn connects to the internet.

Now insert your media and we are ready to begin. There are 2 pieces that you need to install: the Firewall and the Management Console. For this installation, we will install both on the same machine. However, if the firewall is in an inconvenient location, or you will be monitoring it often or making rule changes, it may make more sense to install the management console closer to you. The management console allows you to configure, add and remove rules, create objects, examine the logs, and check the system status.

We will first install the Firewall Module. When we launch the setup program for this, the first screen we see is the License Agreement, as shown in Figure 1.
Figure 1: License Agreement

We click 'Yes' to accept the agreement and we are presented with the 'Welcome to Checkpoint' screen. I will not show this screen here, but it is very important that you read and understand these pages. In this screen, Checkpoint advises you to close all programs that may be running in the background. It is recommended that you close all applications, especially antivirus programs, system utilities, etc.

Clicking the Next button brings up the first setup page, where we begin to select and tell the software what we want and where we want it. In this screen, we are presented with two options, as shown in Figure 2. This is where we tell the software where we plan on installing the modules. For example, in this exercise, we are installing both the Management Software and the Firewall on the same server, also known as 'Stand Alone'. However, if we wanted to install those two pieces on separate servers, then we would select the 'Distributed' option.
Figure 2: Setup Screen

After making the selection, our next screen is where we specify which VPN/Firewall/Server module we wish to install. In this version, we have 3 options, as shown in Figure 3. Here, you have to look at the license you have from Checkpoint and select the option you are licensed for. If you select an option you do not have a license for, it will not work. Make your selection and click Next.
Figure 3: Module Selection

The next screen asks us if we have older Checkpoint Firewalls we will want to interoperate with. If you have a Checkpoint Firewall-1 version 4.0 or 3.x, and you want this firewall and management software to work with those, then you would select the backwards compatibility option. For this exercise, we will select no backwards compatibility, as we have no previous firewalls to manage.

If we click the next button, we are taken to the ‘Choose Destination Location’ screen.
Here is where we select a directory to install the Firewall module on. This is where we
change the option from the C: drive to the D: drive for our demonstration. Remember the
logging can fill up your partition, so choose a partition that does not contain your OS.

Finally, after selecting the directory in which we want Checkpoint installed, we click Next, and the software begins its installation process. You will see a status bar showing you the installation and, when it is finished, you are presented with a configuration screen.

In this screen, you will input the license that you received from Checkpoint. This screen can be seen in Figure 4.
Figure 4: License

After installing your license, you will be prompted to tell the Firewall who the Administrators are that will access it. You must add at least one administrator here. You may also add users and assign limited rights to them. For example, if you have a helpdesk and you want them to be able only to view logs, but not add or modify rules, this is where you will identify these users.

After completing this step, the next screen asks you for the IP address found in the system hosts file. Input that here and click Next. GUI Client configuration is the next screen. Here you will assign the IP addresses that will be allowed to connect to this Firewall Module and manage or monitor it. Please note: even if you install both the Firewall Module and the Management Client on the same system, you must include the IP address of this system here, or you will not be able to connect to the Firewall with the Management tool. After completing this, click Next.

On the next screen, you define 'Enforcement Modules'. Because this is a sample for you to follow, and I consider Enforcement Modules advanced, I will not cover this here. For further information, please see www.phoneboy.com. Click Next.

This screen is critical to a secure Firewall Module. Here we are asked if we want to control IP forwarding. You should allow Checkpoint to handle this. What this means is that when a security policy is not installed or active, such as when you are booting the system or pushing a new policy through, no packets will be allowed through the network interfaces. Not having this checked makes your system vulnerable to attacks when a policy is not loaded. Please note that some programs and applications will fail if you have this enabled and you push a new policy. The next screens are the SMTP settings screen, which I will not cover, and the key creation screen, where you are asked to type random numbers and letters to create a unique string. Finally, when you are complete, you will be prompted to reboot your firewall, and the installation is complete.

Installing the Management Client

Now that you have installed the Firewall on your server, you must install a management client to manage the Firewall. The first screen you see after launching the setup executable is the Welcome screen. Click Next. The next screen is where you choose a destination to install the Management GUI. The next screen presents the management modules you can install. In Figure 5, we can see the choices we have.

Figure 5: Component installation

Policy Editor is where you will create objects and services, and then create rules and manage those objects and services. The Log Viewer is where you will view the Checkpoint logs. Finally, System Status is where you can view the status of your firewall, the time and date of the last policy installation, and packet counts that have hit the Firewall. The Real Time Monitor will not be covered here.

We select the three main components and click next. The management module installs
and will prompt you when complete. Now you have successfully installed Checkpoint on
a Windows NT server.

Creating Objects

Checkpoint works in 3's, as I said earlier. When you create a rule, there are 3 key pieces of information you need to know: the source IP, the destination IP, and the port or service that needs to be opened for the application that the rule applies to. We will get more specific on this, but let's start with object management. Objects are anything physical, like a workstation or server, or non-physical, like a network IP address range. In order to create a rule specific to them, you need to create them first.

Let's launch the GUI to manage our rulebase. It can be launched from the Start menu, as shown in Figure 6.

Figure 6: Start menu

We will select the Policy Editor option. The Policy Editor will open up with a deny-all policy, as shown in Figure 7.
Figure 7: Blank Policy

Here we see a policy with no rules. However, it is important to know that Checkpoint, by default, denies everything, even if there are no rules. How do I know this? Simple: click on the 'View' option at the top and select 'Implied Rules'. You will see that there is a rule present that enforces the following: Any Source to Any Destination using Any Service is to be dropped. Therefore, when we create our policy, we will have to create rules that ALLOW communication through the Firewall, rather than rules that deny traffic.

Referring to the network that I outlined above, we will want to make 4 rules in the policy and 4 NAT rules. First, I need to create objects for the following: the Firewall, the MAIL-WEB Server, and the Internal LAN. I have included snapshots of the Firewall object (Figure 8) and the Internal LAN object (Figure 9).
Figure 8: Firewall Object
Figure 9: Internal LAN Object

With the internal LAN, I had to NAT it using a technique called HIDE. To do this, you
select the object, and click on the tab that says NAT at the top. Then you choose the
option HIDE and input your routable Internet IP address. Checkpoint will then
automatically create NAT rules for you. It’s that easy!

The final object is the Mail-Web server. For this project, I have 2 IP addresses from my ISP. The first one I gave to my Mail-Web server and the second I gave to my Firewall. Then I created an object called 'mail_web' and assigned it an internal IP address. Then I selected the NAT tab and assigned it a static NAT hidden behind my public IP from my ISP. This helps ensure that attackers can't directly access my mail_web server. It's NATed for extra security.
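The two translation modes just configured (HIDE for the internal LAN, static for mail_web), shown as an added example that is not code from the paper or from Checkpoint. The public addresses, the internal address of mail_web and the port range are constructed placeholders.

```python
# Added example, not from the paper: the two NAT modes described above, HIDE for
# the 192.168.0.0 LAN behind the firewall's external address and STATIC for the
# mail_web server. All addresses are constructed placeholders.
FW_EXTERNAL = "203.0.113.2"      # firewall's public address (the hide address)
MAILWEB_PUBLIC = "203.0.113.3"   # second ISP address, statically mapped to mail_web
MAILWEB_INTERNAL = "192.168.0.5"
LAN_PREFIX = "192.168.0."

class Nat:
    def __init__(self):
        self.next_port = 10000  # next translated source port handed out for hide NAT
        self.hide = {}          # translated port -> (internal ip, internal port)
        self.reverse = {}       # (internal ip, internal port) -> translated port

    def outbound(self, src, sport):
        """Translate the source of a packet leaving the LAN; returns (new src, new sport)."""
        if src == MAILWEB_INTERNAL:
            return MAILWEB_PUBLIC, sport          # static: one-to-one, port unchanged
        if src.startswith(LAN_PREFIX):
            key = (src, sport)
            if key not in self.reverse:           # allocate a unique port so replies can be told apart
                self.reverse[key] = self.next_port
                self.hide[self.next_port] = key
                self.next_port += 1
            return FW_EXTERNAL, self.reverse[key]  # many hosts share one public address
        return src, sport                         # not a NATed source

    def inbound(self, dst, dport):
        """Translate the destination of a packet from the internet; None means no mapping."""
        if dst == MAILWEB_PUBLIC:
            return MAILWEB_INTERNAL, dport        # static: always mapped; the rulebase decides access
        if dst == FW_EXTERNAL and dport in self.hide:
            return self.hide[dport]               # reply to a hidden host
        return None                               # no entry: hidden hosts cannot be reached directly

def demo():
    nat = Nat()
    a = nat.outbound("192.168.0.10", 40000)       # two LAN hosts using the same source port
    b = nat.outbound("192.168.0.11", 40000)
    back = nat.inbound(FW_EXTERNAL, a[1])         # reply to the first host
    unsolicited = nat.inbound(FW_EXTERNAL, 40000) # nobody mapped that port
    web = nat.inbound(MAILWEB_PUBLIC, 80)         # visitor to the web server
    return a, b, back, unsolicited, web
```

Note the difference the paper relies on: a hidden host is only reachable through a port it opened itself, while the static mapping for mail_web always exists and it is the rulebase that limits which services are accepted.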

Creating a Rulebase

Now that we have created objects, let's assign them in rules. In the Policy Editor, you can add rules by clicking 'Edit' and 'Add Rule'. In most Checkpoint Firewall rulebases, there are 2 common rules. Let's add them first. The first rule is called a Stealth Rule. Its purpose is to hide the Firewall. It does this by not allowing ANY traffic to the Firewall itself. The other rule that should be in every Checkpoint Firewall rulebase is a rule at the end that says: drop all traffic that did not match any of the other rules. Earlier I mentioned that Checkpoint has an implied rule that does this same thing, a deny-all policy. But the reason we add this rule, and the only reason, is that the implied rule does not log. We create this rule, with logging enabled, so that we can see attacks or traffic that did not match our rules and was dropped. Another point I want to make here is that it is recommended that you DROP as opposed to DENY traffic. If you DROP traffic, then an attacker won't see you and will think that IP is not operational. However, if you DENY traffic, then the attacker will get a notice back from you saying you are up.

Now that we have created the 2 most basic rules, we will create our next rule, which will allow any IP address on my internal network, the 192.168.0.0 network, to use NAT and the external IP address of our Firewall. We do this by creating a rule as in Figure 10.

Figure 10: Internal LAN Rule

In Figure 10, we see that the Internal LAN can go anywhere, using any service.

Finally, the last rule we will create is one for our Web_Mail server. This server can go out to the internet, but we also want people to be able to browse our web site and send us email. So we create a rule that allows outside people to connect to it using pre-defined services.

The entire rule set is shown in Figure 11, and the corresponding NAT table can be seen in Figure 12.
Figure 11: Rulebase
Figure 12: NAT Table
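The four-rule policy above, evaluated the way the Policy Editor orders it (stealth rule first, logged cleanup rule last, first match wins), as an added example that is not code from the paper or from Checkpoint. The addresses are constructed placeholders, and the example matches the mail_web rule on the server's internal address; whether a rule sees the pre- or post-NAT address is not something the paper covers.

```python
# Added example, not from the paper: the four-rule policy built above (stealth rule
# first, cleanup rule last), evaluated first-match from the top. Addresses are
# constructed placeholders; rules are matched on the internal address of mail_web.
FIREWALL = {"203.0.113.2", "192.168.0.1"}  # both interfaces of the firewall object
MAILWEB = {"192.168.0.5"}
ANY = None                                 # a field left as Any matches everything

def lan(ip):
    return ip.startswith("192.168.0.")     # the Internal LAN object

# (name, source, destination, services, action, log?)
RULES = [
    ("stealth",  ANY, FIREWALL, ANY,              "drop",   True),
    ("lan_out",  lan, ANY,      ANY,              "accept", True),
    ("mail_web", ANY, MAILWEB,  {"http", "smtp"}, "accept", True),
    ("cleanup",  ANY, ANY,      ANY,              "drop",   True),
]

def _match(spec, value):
    if spec is ANY:
        return True
    return spec(value) if callable(spec) else value in spec

def evaluate(src, dst, service, log):
    """Return the action for a packet; append a log line when the matching rule logs."""
    for name, s, d, svc, action, logged in RULES:
        if _match(s, src) and _match(d, dst) and _match(svc, service):
            if logged:
                log.append(f"{name} {action} {src}->{dst} {service}")
            return action
    return "drop"   # the implied rule: only reached without a cleanup rule, and it never logs

def demo():
    log = []
    verdicts = [
        evaluate("203.0.113.9", "203.0.113.2", "telnet", log),  # connection aimed at the firewall
        evaluate("192.168.0.10", "198.51.100.7", "http", log),  # LAN host browsing out
        evaluate("203.0.113.9", "192.168.0.5", "smtp", log),    # inbound mail to mail_web
        evaluate("203.0.113.9", "192.168.0.5", "telnet", log),  # service not published
    ]
    return verdicts, log
```

Removing the cleanup rule changes no verdict, only the log: the fourth packet would still be dropped by the implied rule, but nothing would be written for it, which is exactly why the paper adds the explicit rule.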
