topic Re: Suspicious activity monitoring in Firewall and Security Management

Suspicious activity monitoring

Sangeeth_N — Mon, 30 Dec 2019 09:29:05 GMT

1. Where does the Suspicious Activity Monitoring Module comes in to picture in the packet flow diagram of Gaia R80.30?

2. How is the packet analysed & blocked based on the SAM Rules?

3. How will the gateways get updated to block the suspicious packet, once the SAM rules are specified in the Smart Console ?

Please explain.. 🙂

Re: Suspicious activity monitoring

Timothy_Hall — Mon, 30 Dec 2019 14:31:35 GMT

Based on my experience the enforcement of SAM rules is very early in the F2F path, right around the antispoofing and Geo Policy checks and long before any policy layer lookups commence.

SAM rules can specify the typical "5-tuple" matching criteria such as src IP, dst IP, src port (I think), dst port and IP protocol. SAM rules long predate APCL, IA, and many other newer features so SAM rules cannot leverage identities or applications.

The update on the gateway when a SAM rule is applied is immediate via service 18183 (FW1_sam). The whole SAM rule thing (fw sam) is a holdover from the Intrusion Detection System (IDS) days, where an IDS was not inline and could not actively block threats. However through a process called "Intruder Shunning", the IDS could contact the firewall and tell it to block all traffic from an attacking IP address for a certain length of time. The various user interfaces into adding Suspicious Activity Rules is just performing Intruder Shunning manually.

Re: Suspicious activity monitoring

Sangeeth_N — Tue, 31 Dec 2019 05:50:27 GMT

Hi @Timothy_Hall

Thanks for your reply..

Is there a diagram or any 'fw ctl chain' output representing the enforcement of SAM rules and anti-spoofing?

Because i am not able to find any anti-spoofing or SAM rules in the R80.x Security Gateway Architecture (Logical Packet Flow) diagram mentioned in the below links :

https://community.checkpoint.com/t5/General-Topics/R80-x-Security-Gateway-Architecture-Logical-Packet-Flow/td-p/41747

https://community.checkpoint.com/t5/General-Topics/Security-Gateway-Packet-Flow-and-Acceleration-with-Diagrams/td-p/40244

Re: Suspicious activity monitoring

_Val_ — Tue, 31 Dec 2019 08:15:49 GMT

It is in the slow path / FW Policy. SAM rules are enforced on top of everything else.

Re: Suspicious activity monitoring

Eric_Dale — Tue, 31 Dec 2019 17:16:14 GMT

Referring to R80.20 and newer, there are 3 closely related, but different mechanisms that are often referred to as “SAM” or “fw samp”:

Suspicious Activity Monitor V1 (aka Suspicious Activity Monitoring Server): this is configured in SmartConsole or via “fw sam” command line and is enforced by the firewall blade. See sections 1 thru 6 of sk112061 for more details.

Suspicious Activity Monitor V2 (aka SAM Policy Editor): this is configured via the command line (“fw sam_policy”) and is also enforced by the firewall blade. See section 7 of sk112061.

DOS/Rate limiting: this is configured via the “fw samp” command line. This is enforced in SecureXL, which is more efficient since it is earlier in the packet flow. See sk112454 for details.

Also, be aware of “fwaccel dos rate blacklist” which can block specific IP addresses more efficiently than any of the above mechanisms.

Re: Suspicious activity monitoring

Timothy_Hall — Wed, 01 Jan 2020 15:03:29 GMT

> Suspicious Activity Monitor V2 (aka SAM Policy Editor): this is configured via the command line (“fw sam_policy”) and is also enforced by the firewall blade. See section 7 of sk112061.

I do not believe this statement is correct, fw samp and fw sam_policy appear to be the same thing and enforced by SecureXL, not the firewall blade. Please see the screenshot below which was taken on R80.30 Gaia 3.10 JHFA Take 111:

Re: Suspicious activity monitoring

Eric_Dale — Thu, 02 Jan 2020 11:07:36 GMT

Hi,

fw samp and fw sam_policy are indeed interchangeable. However, fw_samp is intended to be used for DOS/Rate limiting and fw sam_policy is intended to be used for SAMv2. Notice the different help text output for the "add" command:

[Expert@edale-b1:0]# fw samp add
add: subcommand is missing
NAME: fw samp add - add a new DOS/Rate Limiting policy rule
USAGE:
fw samp add [-t <timeout>] {[-a <d|n|b>]} [-l <r |a>] [-n <name>] [-c <comment>] [-o <originator>] quota <quota limits>
OPTIONS:
-t: expiration timeout (seconds)
-a: action: either d/rop, n/otify, or b/ypass
-l: log: either r/egular or a/lert
-n: name
-c: comment
-o: originator

[Expert@edale-b1:0]# fw sam_policy add
add: subcommand is missing
NAME: fw sam_policy add - add a new SAM policy rule
USAGE:
fw sam_policy add [-u] [-f <target>] [-t <timeout>] {[-a <d|r|n|b|q|i>]} [-l <r |a>] [-n <name>] [-c <comment>] [-o <originator>] ip <ip filter arguments>

The similarities in the command lines for SAM versus DOS/Rate limiting are unfortunate. This will be addressed starting with R80.40

Regarding SecureXL versus FW enforcement:

"fw samp ... quota" rules are DOS/Rate limiting rules and are enforced in SecureXL

"fw sam_policy ... ip" rules are SamV2 rules and are enforced in FW

Re: Suspicious activity monitoring

_Val_ — Fri, 03 Jan 2020 07:54:14 GMT

@Eric_Dale exactly right.

@Timothy_Hall enforcing early drops in SXL is rather risky, so it is limited for very specific functions, such as drop templates, where original drop decision is made by FW anyway.

SAM blocking rules are still in fw/UP kernel modules

Re: Suspicious activity monitoring

Timothy_Hall — Mon, 06 Jan 2020 19:14:53 GMT

@Eric_Dale please clarify what kernel and code version you ran commands fw samp add and fw sam_policy add to get that usage output, on R80.30 Jumbo HFA Take 111 kernel versions 2.6.18 and 3.10 I am not seeing the same as what you posted. I see what I posted earlier and the two commands are exactly the same thing as far as I can tell. I get that "ip" is F2F path and "quota" is SXL path, but I don't understand where those usage statements you posted are coming from.

I'm suspecting you ran those commands on R80.40? Or perhaps a scalable platform?

Re: Suspicious activity monitoring

Eric_Dale — Tue, 07 Jan 2020 10:47:06 GMT

Hi,

I tested with R80.20 + JHF T118. It looks like that help text is in R80.20 and R80.40, but missed R80.30. I'll see that it gets into R80.30 jumbo.