HLD 1.0
Version
Date 15/04/2010
Network Diagram:
• Insert the new Policy Package name and tick the Security and Address
Translation box. You can also choose the QoS and Desktop Security options.
• Click OK. The empty Rule Base appears, and the new Policy Package name
appears in the SmartDashboard title bar. The Desktop and QoS tabs should
not be present.
Define Basic Rules
There are two basic rules that every Check Point Security Administrator must
use: the Cleanup Rule and the Stealth Rule. Both rules are essential for
enforcing security measures and for tracking important information in SmartView
Tracker.
Cleanup Rule
VPN-1 drops all communication attempts that do not match a rule. The only way
to monitor the dropped packets is to create a Cleanup Rule that logs all dropped
traffic. The Cleanup Rule, also known as the “None of the Above” rule, drops all
communication not described by any other rule, and allows you to specify
logging for everything being dropped by this rule.
Note: For the Cleanup Rule to be effective, add all other rules above the
Cleanup Rule. The last rule in the Rule Base should always be the Cleanup Rule.
• Right Click the Name field of the rule and select Edit, or Double-Click the
Name field. Enter Cleanup Rule in the Rule Name field, and click OK.
• Right Click the Track column of the rule, and choose the Log option from the
Track drop-down menu
• Right Click INSTALL ON > Add > Targets
• Select the Security Gateway and Click OK
• The Stealth rule appears as follows:
• Right Click the number column of the Cleanup Rule > Add Rule > Above
• A new default rule is added above the Cleanup Rule
• Right Click the Name field of the rule and select Edit, or Double-Click the
Name field. Enter Internal Network Traffic Rule in the Rule Name field,
and click OK.
• Right Click the Source field, select Add, and choose Internal_Network
object. Click OK
• Right Click the Track column of the rule, and choose the Log option from the
Track drop-down menu
• Right Click INSTALL ON > Add > Targets
• Select the Security Gateway and Click OK
• The Stealth rule appears as follows:
• Right Click the number column of the Internal Network Traffic Rule > Add
Rule > Above
• A new default rule is added above the Internal Network Traffic Rule
• Right Click the Name field of the rule and select Edit, or Double-Click the
Name field. Enter WEB Server Rule in the Rule Name field, and click OK.
• SOURCE > Any
• Right Click the DESTINATION field, select Add, and choose Web_Server
object. Click OK
• Right Click the Service column, select Add, and choose HTTP, and FTP.
Click OK
• Right Click the Action column, and select Accept
• Right Click the Track column of the rule, and choose the Log option from the
Track drop-down menu
• Right Click INSTALL ON > Add > Targets
• Select the Security Gateway and Click OK
• The NetBIOS rule appears as follows:
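To see why the order built above matters (top to bottom, first match wins, Cleanup Rule last), here is an added Python model of this Rule Base; it is example code written for this page, not Check Point software. The addresses are constructed, and the Stealth Rule's columns (drop anything addressed to the gateway itself) and the Internal Network Traffic Rule's Any/Any/Accept columns are assumptions, since the page names those rules without giving every column.

```python
import ipaddress

# Constructed addresses standing in for the SmartDashboard objects named above.
INTERNAL_NETWORK = ipaddress.ip_network("10.1.0.0/16")  # Internal_Network
WEB_SERVER = ipaddress.ip_address("10.1.50.10")         # Web_Server
GATEWAY = ipaddress.ip_address("10.1.0.1")              # the Security Gateway itself
ANY = "Any"

def matches(column, value):
    """Match one Rule Base column: Any, a network/host object, or a service set."""
    if column == ANY:
        return True
    if isinstance(column, ipaddress.IPv4Network):
        return ipaddress.ip_address(value) in column
    if isinstance(column, ipaddress.IPv4Address):
        return ipaddress.ip_address(value) == column
    return value in column  # service set such as {"http", "ftp"}

def rule(name, src, dst, svc, action):
    return {"name": name, "src": src, "dst": dst, "svc": svc, "action": action, "track": "Log"}

# Top to bottom, first match wins. The Stealth Rule definition and the Internal
# rule's Any/Any/Accept columns are assumptions (the page does not give them).
RULE_BASE = [
    rule("Stealth Rule", ANY, GATEWAY, ANY, "drop"),
    rule("WEB Server Rule", ANY, WEB_SERVER, {"http", "ftp"}, "accept"),
    rule("Internal Network Traffic Rule", INTERNAL_NETWORK, ANY, ANY, "accept"),
    rule("Cleanup Rule", ANY, ANY, ANY, "drop"),
]

def cleanup_rule_is_last(rules):
    """The note above: the Cleanup Rule must be the last rule in the Rule Base."""
    return bool(rules) and rules[-1]["name"] == "Cleanup Rule"

def evaluate(rules, src, dst, svc):
    """Return (rule name, action) of the first matching rule, as the gateway does."""
    if not cleanup_rule_is_last(rules):
        raise ValueError("Cleanup Rule must be the last rule in the Rule Base")
    for r in rules:
        if matches(r["src"], src) and matches(r["dst"], dst) and matches(r["svc"], svc):
            return r["name"], r["action"]
    return None, "drop"  # not reached while the Cleanup Rule is last

if __name__ == "__main__":
    for pkt in [("203.0.113.7", "10.1.50.10", "http"),   # Internet -> web server, allowed
                ("203.0.113.7", "10.1.50.10", "ssh"),    # Internet -> web server, logged drop
                ("10.1.20.5", "198.51.100.9", "https"),  # internal host outbound, allowed
                ("10.1.20.5", "10.1.0.1", "ssh")]:       # to the gateway, stealth drop
        print(pkt, "->", evaluate(RULE_BASE, *pkt))
```

Because every rule tracks with Log, the second packet is the kind of drop that only becomes visible in SmartView Tracker through the Cleanup Rule.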
The Global Properties section for NAT contains an option called "Automatic
ARP configuration". Automatic ARP configuration ensures that ARP requests
for a translated (NATed) machine, network or address range are answered by
the Security Gateway. You no longer have to manually add a route on a
Security Gateway to ensure proper routing of Static NAT devices. In addition,
there is no longer a need for manual ARP configuration via the local.arp
file.
Enabling Hide NAT on the network object will add the appropriate rule to the
NAT Rule Base. Perform the following steps to enable Hide NAT for your
internal network:
1. Login to SmartDashboard.
2. Create the network object for the internal network.
3. Define the following fields:
o Name
o Network Address
o Net Mask
o Comments
o Color
4. Select the NAT tab, and enable the option "Add Automatic
Address Translation rules".
5. Select the Translation method "Hide".
6. Select "Hide behind gateway". This NAT configuration
hides the real address behind the IP address of the
Security Gateway interface, through which the packet is
routed out.
7. Click 'OK'.
8. Install the Security Policy.
Configuring Static NAT
Static NAT is used for Web, email, and other application servers that require
routable IP addresses. These servers will be routable to the Internet, but will
also retain their internal IP addresses for internal access.
Perform the following steps to enable Static NAT for your Web or email server:
1. Login to SmartDashboard.
2. Create a Host Node object for the server.
3. Define the following fields:
o Name
o IP address
o Comment
o Color
4. Select the NAT tab, and enable "Add Automatic Address
Translation rules".
5. Select the Translation method "Static".
6. Enter the desired IP address in the "Translate to IP
address" field. The Translate to IP Address value for Static
NAT is a virtual IP address, which is a public (routable) IP
address that does not belong to any real machine.
7. Click 'OK'.
8. Install the Security Policy.
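The difference between the two NAT methods configured above (Hide behind gateway for the internal network, Static for the Web server) and the Automatic ARP configuration note is easier to see in a small model. This is added example code, not Check Point software; all addresses are constructed, and the port-allocation and precedence details (Static before Hide) are simplifying assumptions.

```python
import ipaddress

# Constructed addresses standing in for the objects created in the steps above.
INTERNAL_NETWORK = ipaddress.ip_network("10.1.0.0/16")  # network object, Hide NAT
GATEWAY_EXTERNAL_IP = "198.51.100.1"                     # external interface of the gateway
WEB_SERVER_REAL_IP = "10.1.50.10"                        # Host Node object, Static NAT
WEB_SERVER_VIRTUAL_IP = "198.51.100.80"                  # "Translate to IP address" (virtual)

class NatGateway:
    def __init__(self):
        self.static = {WEB_SERVER_REAL_IP: WEB_SERVER_VIRTUAL_IP}  # real -> public
        self.static_rev = {v: k for k, v in self.static.items()}
        self.hide_table = {}   # (real_src, real_port) -> port used behind the gateway
        self.next_port = 10000  # assumed allocator; real products pick differently

    def outbound(self, src, sport, dst, dport):
        """Packet leaving through the external interface; returns the translated tuple."""
        if src in self.static:                       # Static NAT: one-to-one, keeps the port
            return (self.static[src], sport, dst, dport)
        if ipaddress.ip_address(src) in INTERNAL_NETWORK:  # Hide behind gateway
            key = (src, sport)
            if key not in self.hide_table:
                self.hide_table[key] = self.next_port
                self.next_port += 1
            return (GATEWAY_EXTERNAL_IP, self.hide_table[key], dst, dport)
        return (src, sport, dst, dport)              # no automatic NAT rule matches

    def inbound(self, src, sport, dst, dport):
        """Packet arriving from the Internet; None means nothing internal is reachable."""
        if dst in self.static_rev:                   # Static NAT: reachable from outside
            return (src, sport, self.static_rev[dst], dport)
        if dst == GATEWAY_EXTERNAL_IP:               # Hide NAT: only replies to open sessions
            for (real_src, real_port), hide_port in self.hide_table.items():
                if hide_port == dport:
                    return (src, sport, real_src, real_port)
        return None

    def answers_arp_for(self, ip):
        """Automatic ARP configuration: the gateway answers ARP for translated addresses."""
        return ip in self.static_rev or ip == GATEWAY_EXTERNAL_IP

if __name__ == "__main__":
    gw = NatGateway()
    print(gw.outbound("10.1.20.5", 40000, "203.0.113.7", 80))   # hidden behind gateway
    print(gw.inbound("203.0.113.7", 80, "198.51.100.1", 10000))  # reply mapped back
    print(gw.inbound("203.0.113.7", 5555, "198.51.100.1", 10001))  # unsolicited: None
    print(gw.inbound("203.0.113.7", 51000, "198.51.100.80", 80))  # web server reachable
    print(gw.answers_arp_for("198.51.100.80"))                    # virtual IP has no real host
```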