
Check Point R80.10 Training Bootcamp

Module 5: Introduction to SmartConsole


Module 5 Agenda
§ Sections covered in this Module:
§ 5.1 Secure Internal Communication (SIC)
§ 5.2 Install Check Point SmartConsole R80.10 on MGMT Station
§ 5.3 Introduction to Check Point SmartConsole R80.10
§ 5.4 Embedded Applications in SmartConsole Overview
§ 5.5 Add NY-FW-1 Security Gateway to NY-SMS-1 Security Mgmt Server
§ 5.6 How to Reset SIC between SGs and SMS


5.1 Secure Internal Communication (SIC)


Basic Components of Perimeter Security
§ Security Gateway – The Firewall
§ Appliance is placed at the perimeter of the network topology
§ Protects the organization through enforcement of security policies

§ Security Management Server (SMS)
§ Manages Security Gateways, defines security policies and pushes policies to Security Gateways
§ Monitors security events in the network, logs events, correlates events and provides meaningful info to the administrator

§ SmartConsole – GUI for management of SMS(s)
Basic Components of Perimeter Security (diagram: Internet, HQ)



Q&A - Secure Internal Communication (SIC)
§ What is SIC and why do we need it?
§ SIC is an authentication method used between Check Point products and platforms
§ Communication between Check Point devices should be secure and we should be able to authenticate the source (are you really who you say you are?)

§ SIC methods:
§ Certificates
§ Standards-based TLS for secure channel creation
§ 3DES or AES (encryption); AES128 used for code >R71.x



Q&A - Secure Internal Communication (SIC)
§ Where is SIC used?
§ SIC is used to secure connections between Security Gateways and Security Management Servers
§ Once SIC creates a trusted connection between SG and SMS, we say that they are in TRUST state

§ How is TRUST important or relevant?
§ SMS will be able to install policies on SGs
§ SGs will be able to send logs to SMS

§ SGs and SMS first need to establish TRUST!!!


Internal Certificate Authority (ICA)
§ The ICA (or just CA) is created on the SMS when you configure it for the first time
§ The SMS acts just like a Microsoft CA and hands over certs

§ ICA issues certs for authentication:
§ SIC – for authentication between SMSs and between SMS and SGs
§ VPN certificates for SGs – authenticate VPN community members
§ Users – user authentication based on certificates



SIC Status
§ ICA provides certificate to SG
§ SIC status highlights whether SMS is communicating with SG
§ Different SIC statuses are possible:
§ Communicating – secure communication is up
§ Unknown – no communication exists
§ Not Communicating – SMS can communicate with SG, but SIC is not UP; further troubleshooting is needed



Resetting the TRUST State
§ Trust is not secure anymore? Reset the Trust state!
§ Reset has to be performed both on SMS and SG
§ When you reset the Trust, the SIC certificate is revoked
§ The Certificate Revocation List (CRL) is updated with the SN of the revoked certificate



Resetting the TRUST State – part 2
§ The ICA signs the updated CRL and issues it to all gateways during the next SIC connection.
§ If two gateways have different CRLs, they will NOT authenticate!
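The following Python model is an added illustration of the SIC Status and Resetting the TRUST State slides; it is not Check Point code and does not describe how SIC is implemented internally. It walks NY-SMS-1 and NY-FW-1 through trust establishment, an SMS-side reset (certificate revoked, serial number placed on a freshly signed CRL), the CRL mismatch that blocks authentication until the gateway picks up the new CRL at its next SIC connection, and the gateway-side reset that issues a new certificate. The ICA's HMAC "signature" is a constructed stand-in for a real CA's asymmetric signature, and the serial numbers are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Toy model (added example) of ICA-issued SIC certificates and CRL handling.
# The ICA "signs" a CRL with an HMAC over a secret only it holds; this stands in
# for the asymmetric signature a real CA uses, and verify_crl() plays the role
# of checking that signature with the ICA's public key.


@dataclass(frozen=True)
class Crl:
    version: int                 # bumped every time a certificate is revoked
    revoked_serials: frozenset   # serial numbers (SN) of revoked SIC certificates
    signature: bytes


class InternalCA:
    """The ICA created on the SMS: issues SIC certificates and signed CRLs."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed stand-in for the ICA private key
        self._next_serial = 1
        self._revoked = set()
        self._version = 0
        self.crl = self._sign_crl()

    @staticmethod
    def _crl_body(version, serials):
        return f"{version}:{sorted(serials)}".encode()

    def _sign_crl(self):
        sig = hmac.new(self._key, self._crl_body(self._version, self._revoked), hashlib.sha256).digest()
        return Crl(self._version, frozenset(self._revoked), sig)

    def verify_crl(self, crl):
        expected = hmac.new(self._key, self._crl_body(crl.version, crl.revoked_serials), hashlib.sha256).digest()
        return hmac.compare_digest(expected, crl.signature)

    def issue_cert(self, subject):
        serial = self._next_serial
        self._next_serial += 1
        return (serial, subject)  # a SIC certificate: serial number + subject name

    def revoke(self, serial):
        """Resetting trust revokes the certificate: its SN goes onto a new signed CRL."""
        self._revoked.add(serial)
        self._version += 1
        self.crl = self._sign_crl()


class SicPeer:
    """An SMS or Security Gateway holding a SIC certificate and a copy of the CRL."""

    def __init__(self, name, ica):
        self.name = name
        self.ica = ica
        self.cert = None
        self.crl = None

    def establish_sic(self):
        """SIC initialisation (also the gateway side of a trust reset): new cert + current CRL."""
        self.cert = self.ica.issue_cert(self.name)
        self.crl = self.ica.crl

    def refresh_crl(self):
        """At the next SIC connection the ICA hands over its latest signed CRL."""
        if self.ica.verify_crl(self.ica.crl):
            self.crl = self.ica.crl


def authenticate(a, b):
    """Mutual SIC authentication between two peers; returns (ok, reason)."""
    for peer in (a, b):
        if peer.cert is None:
            return False, f"{peer.name}: no SIC certificate (trust not established)"
        if peer.crl is None or not peer.ica.verify_crl(peer.crl):
            return False, f"{peer.name}: CRL signature invalid"
    if a.crl.version != b.crl.version:
        return False, "CRL mismatch: peers hold different CRLs and will not authenticate"
    for peer in (a, b):
        if peer.cert[0] in a.crl.revoked_serials:
            return False, f"{peer.name}: SIC certificate revoked"
    return True, "trusted"


def sic_status(sms, gateway, reachable=True):
    """The SIC status the SMS would show for a gateway, in the slide's three states."""
    if not reachable:
        return "Unknown"                      # no communication with the gateway at all
    ok, _ = authenticate(sms, gateway)
    return "Communicating" if ok else "Not Communicating"


def trust_reset_walkthrough():
    """Walk NY-SMS-1 and NY-FW-1 through establish -> reset -> re-establish."""
    ica = InternalCA()
    sms, fw = SicPeer("NY-SMS-1", ica), SicPeer("NY-FW-1", ica)
    sms.establish_sic()
    fw.establish_sic()
    steps = [("initial trust", authenticate(sms, fw)[1], sic_status(sms, fw))]

    ica.revoke(fw.cert[0])   # SMS-side reset: revoke the SG cert, CRL updated with its SN
    sms.refresh_crl()        # the SMS hosts the ICA, so it holds the new CRL immediately
    steps.append(("after SMS-side reset", authenticate(sms, fw)[1], sic_status(sms, fw)))

    fw.refresh_crl()         # gateway receives the signed CRL at its next SIC connection
    steps.append(("gateway has new CRL", authenticate(sms, fw)[1], sic_status(sms, fw)))

    fw.establish_sic()       # gateway-side reset: ICA issues a fresh certificate
    steps.append(("after gateway-side reset", authenticate(sms, fw)[1], sic_status(sms, fw)))
    return steps


if __name__ == "__main__":
    for label, reason, status in trust_reset_walkthrough():
        print(f"{label:26} {status:18} {reason}")
```

The second step is the one the slide warns about: the SMS already holds CRL version 1 while the gateway still holds version 0, so the peers refuse each other even though the gateway's certificate itself has not yet been seen as revoked on its side. Only after the gateway fetches the new CRL does the revocation take effect, and only a reset on the gateway side (a new certificate) brings the pair back to Communicating.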




Thank you
