https://community.checkpoint.com/t5/General-Topics/Layers-of-Defense/m-p/123593#M22873 <P><STRONG>** Work in progress **</STRONG></P> <P>Configuring a firewall to defend attacks and protect your network/assets means taking several layers of defense into account. It's not just the rulebase that makes up a firewall security. In fact there are many more layers of protection and defense that together build up a strong level of firewall security.</P> <P>These layers are often easy to deploy and set active, one just needs to know that they are available and ready to form your shield of protection.</P> <P>So let's start to list them all up.</P> <TABLE border="1" width="100%"> <TBODY> <TR bgcolor="lightgray"> <TD height="25px"><STRONG>Layers of defense</STRONG></TD> <TD height="25px"><STRONG>Field of security</STRONG></TD> <TD height="25px"><STRONG>Description</STRONG></TD> <TD height="25px"><STRONG>Protection</STRONG></TD> <TD height="25px"><STRONG>Method of validation</STRONG></TD> </TR> <TR> <TD width="25%" height="69px" bgcolor="lightgreen">Layer 1</TD> <TD width="25%" height="69px">Physical security</TD> <TD width="25%" height="69px">secure space within a 19" rack in a secured spot only accessible to firewall admins</TD> <TD width="12.5%" height="69px">&nbsp;</TD> <TD width="12.5%" height="69px">&nbsp;</TD> </TR> <TR> <TD width="25%" height="478px" bgcolor="lightgreen">Layer 2</TD> <TD width="25%" height="478px">Network security</TD> <TD width="25%" height="478px"> <UL> <LI>access to firewall management is controlled and secured by firewalls managed by this management (<EM>firewall self-protection</EM>)</LI> <LI>firewall management's default gateway is the firewall cluster operated by this firewall management</LI> <LI>firewall management is defined as host and not as gateway</LI> <LI>firewall management is not connections to any other networks and has only only interface to it's own firewall cluster</LI> <LI>secure VPN configuration</LI> </UL> </TD> <TD width="12.5%" height="478px">&nbsp;</TD> <TD width="12.5%" height="478px">&nbsp;</TD> </TR> <TR> <TD width="25%" height="346px" bgcolor="lightgreen">Layer 3</TD> <TD width="25%" height="346px">Gaia OS security</TD> <TD width="25%" height="346px"> <UL> <LI>allowed hosts</LI> <LI>personalized user accounts</LI> <LI>limited Clish shell as default Login shell</LI> <LI>password security controls</LI> <LI>strong cipher suites</LI> <LI>separate scp account</LI> <LI>login message</LI> <LI>session timeout</LI> <LI>backups /&nbsp;snapshots</LI> <LI>ntp v4</LI> <LI>snmp v3-only</LI> <LI>etc.</LI> </UL> </TD> <TD width="12.5%" height="346px">Ransomware</TD> <TD width="12.5%" height="346px"> <UL> <LI>cat /etc/hosts.allow</LI> <LI>&nbsp;</LI> </UL> </TD> </TR> <TR> <TD width="25%" height="346px" bgcolor="lightgreen">Layer 4</TD> <TD width="25%" height="346px">Firewall security</TD> <TD width="25%" height="346px"> <UL> <LI>IP address spoofing protection</LI> <LI>block blacklisted IPs (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103154" target="_self"><EM>sk103154</EM></A>)</LI> <LI>block GEO locations (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk126172" target="_self"><EM>sk126172</EM></A>)</LI> <LI>firewall rulebase security</LI> <LI>inspection of encrypted protocols (<EM>such als HTTPS</EM>)</LI> <LI>use of available security blades for deep packet inspection etc.</LI> <LI>IPS (with Snort)</LI> <LI>Content Security</LI> <LI>App. Control &amp; URLF</LI> <LI>Anti-Bot, AV, etc.</LI> <LI>DLP</LI> <LI>TE, TX</LI> <LI>rulebase policy installation free of warnings and errors</LI> <LI>logfiles free of warnings and errors</LI> </UL> </TD> <TD width="12.5%" height="346px">&nbsp;</TD> <TD width="12.5%" height="346px"> <UL> <LI>check for "spoof" entries in log</LI> <LI>check for "<EM>DOS/Rate Limiting Policy</EM>" entries in log</LI> <LI>enable session logging and check for "<EM>source country</EM>" or "<EM>destination country</EM>"</LI> </UL> </TD> </TR> <TR> <TD width="25%" height="25px" bgcolor="lightgreen">Layer 5</TD> <TD width="25%" height="25px">Admin security</TD> <TD width="25%" height="25px"> <UL> <LI>organizes regular firewall security reviews</LI> <LI>regularly reports to management</LI> <LI>maintains an up-to-date firewall documentation</LI> </UL> </TD> <TD width="12.5%" height="25px"> <UL> <LI>relics of configuration</LI> <LI>inconsistencies</LI> <LI>instabilities</LI> </UL> </TD> <TD width="12.5%" height="25px">&nbsp;</TD> </TR> <TR> <TD width="25%" height="25px" bgcolor="lightgreen">Layer 6</TD> <TD width="25%" height="25px">End user security</TD> <TD width="25%" height="25px"> <UL> <LI>regularly receives IT-security awareness trainings</LI> <LI>is protected by a proper Endpoint security corp policy</LI> </UL> </TD> <TD width="12.5%" height="25px">social engineering</TD> <TD width="12.5%" height="25px">&nbsp;</TD> </TR> </TBODY> </TABLE> Mon, 12 Jul 2021 11:38:34 GMT Danny 2021-07-12T11:38:34Z https://community.checkpoint.com/t5/General-Topics/Layers-of-Defense/m-p/123593#M22873 <P><STRONG>** Work in progress **</STRONG></P> <P>Configuring a firewall to defend attacks and protect your network/assets means taking several layers of defense into account. It's not just the rulebase that makes up a firewall security. In fact there are many more layers of protection and defense that together build up a strong level of firewall security.</P> <P>These layers are often easy to deploy and set active, one just needs to know that they are available and ready to form your shield of protection.</P> <P>So let's start to list them all up.</P> <TABLE border="1" width="100%"> <TBODY> <TR bgcolor="lightgray"> <TD height="25px"><STRONG>Layers of defense</STRONG></TD> <TD height="25px"><STRONG>Field of security</STRONG></TD> <TD height="25px"><STRONG>Description</STRONG></TD> <TD height="25px"><STRONG>Protection</STRONG></TD> <TD height="25px"><STRONG>Method of validation</STRONG></TD> </TR> <TR> <TD width="25%" height="69px" bgcolor="lightgreen">Layer 1</TD> <TD width="25%" height="69px">Physical security</TD> <TD width="25%" height="69px">secure space within a 19" rack in a secured spot only accessible to firewall admins</TD> <TD width="12.5%" height="69px">&nbsp;</TD> <TD width="12.5%" height="69px">&nbsp;</TD> </TR> <TR> <TD width="25%" height="478px" bgcolor="lightgreen">Layer 2</TD> <TD width="25%" height="478px">Network security</TD> <TD width="25%" height="478px"> <UL> <LI>access to firewall management is controlled and secured by firewalls managed by this management (<EM>firewall self-protection</EM>)</LI> <LI>firewall management's default gateway is the firewall cluster operated by this firewall management</LI> <LI>firewall management is defined as host and not as gateway</LI> <LI>firewall management is not connections to any other networks and has only only interface to it's own firewall cluster</LI> <LI>secure VPN configuration</LI> </UL> </TD> <TD width="12.5%" height="478px">&nbsp;</TD> <TD width="12.5%" height="478px">&nbsp;</TD> </TR> <TR> <TD width="25%" height="346px" bgcolor="lightgreen">Layer 3</TD> <TD width="25%" height="346px">Gaia OS security</TD> <TD width="25%" height="346px"> <UL> <LI>allowed hosts</LI> <LI>personalized user accounts</LI> <LI>limited Clish shell as default Login shell</LI> <LI>password security controls</LI> <LI>strong cipher suites</LI> <LI>separate scp account</LI> <LI>login message</LI> <LI>session timeout</LI> <LI>backups /&nbsp;snapshots</LI> <LI>ntp v4</LI> <LI>snmp v3-only</LI> <LI>etc.</LI> </UL> </TD> <TD width="12.5%" height="346px">Ransomware</TD> <TD width="12.5%" height="346px"> <UL> <LI>cat /etc/hosts.allow</LI> <LI>&nbsp;</LI> </UL> </TD> </TR> <TR> <TD width="25%" height="346px" bgcolor="lightgreen">Layer 4</TD> <TD width="25%" height="346px">Firewall security</TD> <TD width="25%" height="346px"> <UL> <LI>IP address spoofing protection</LI> <LI>block blacklisted IPs (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103154" target="_self"><EM>sk103154</EM></A>)</LI> <LI>block GEO locations (<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk126172" target="_self"><EM>sk126172</EM></A>)</LI> <LI>firewall rulebase security</LI> <LI>inspection of encrypted protocols (<EM>such als HTTPS</EM>)</LI> <LI>use of available security blades for deep packet inspection etc.</LI> <LI>IPS (with Snort)</LI> <LI>Content Security</LI> <LI>App. Control &amp; URLF</LI> <LI>Anti-Bot, AV, etc.</LI> <LI>DLP</LI> <LI>TE, TX</LI> <LI>rulebase policy installation free of warnings and errors</LI> <LI>logfiles free of warnings and errors</LI> </UL> </TD> <TD width="12.5%" height="346px">&nbsp;</TD> <TD width="12.5%" height="346px"> <UL> <LI>check for "spoof" entries in log</LI> <LI>check for "<EM>DOS/Rate Limiting Policy</EM>" entries in log</LI> <LI>enable session logging and check for "<EM>source country</EM>" or "<EM>destination country</EM>"</LI> </UL> </TD> </TR> <TR> <TD width="25%" height="25px" bgcolor="lightgreen">Layer 5</TD> <TD width="25%" height="25px">Admin security</TD> <TD width="25%" height="25px"> <UL> <LI>organizes regular firewall security reviews</LI> <LI>regularly reports to management</LI> <LI>maintains an up-to-date firewall documentation</LI> </UL> </TD> <TD width="12.5%" height="25px"> <UL> <LI>relics of configuration</LI> <LI>inconsistencies</LI> <LI>instabilities</LI> </UL> </TD> <TD width="12.5%" height="25px">&nbsp;</TD> </TR> <TR> <TD width="25%" height="25px" bgcolor="lightgreen">Layer 6</TD> <TD width="25%" height="25px">End user security</TD> <TD width="25%" height="25px"> <UL> <LI>regularly receives IT-security awareness trainings</LI> <LI>is protected by a proper Endpoint security corp policy</LI> </UL> </TD> <TD width="12.5%" height="25px">social engineering</TD> <TD width="12.5%" height="25px">&nbsp;</TD> </TR> </TBODY> </TABLE> Mon, 12 Jul 2021 11:38:34 GMT https://community.checkpoint.com/t5/General-Topics/Layers-of-Defense/m-p/123593#M22873 Danny 2021-07-12T11:38:34Z