- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hi,
From what I understand there are (at least) two ways to restrict/allow access to specific sites with DNS names:
1. Domain objects
2. Custom applications/sites.
Please note that I am excluding sites where we could use updateable objects and also sites where we could define a static IP address (or several) to an object.
If we want to allow access only to e.g. http://www.example.com, which one is better?
I have tried to list a few pros and cons with both solutions as of my understanding (let me know if something is incorrect). There might be other aspects that also influence the choice (CPU load, SecureXL, etc.) and it would be great to hear your recommendations.
Custom applications/sites:
Pros:
Can use wild cards and regular expressions
Cons:
Requires URL Filtering or Application Control license
Only for web traffic
Can only use ports that are marked for URL filtering
Access to "invalid" IP is allowed if host header is valid for HTTP traffic. (SNI check prevents this from happening for HTTPS).
Domain objects:
Pros:
Does not require URL Filtering or Application Control license
Can be used also for sources
Can use any port number
Can be used for more than web traffic (e.g. telnet, SSH)
Cons:
Does not allow wild cards or regular expressions
Requires that client and firewall resolves DNS to the same IP address
My current thinking is that "Custom applications/sites" should be used to restrict web traffic (if URL filtering license is available) and domain objects for other protocols (telnet, SSH etc.).
Please note that we are currently running R80.20 on open servers. Some of the firewalls are running on VSX.
Thanks for your help!
Harry
Dear PhoneBoy,
Thanks for the information! I have updated the post to also include application control.
I was not aware of the related thread, which was very useful. I have a couple of additional questions about "Custom Applications/Sites" and I hope it is ok to ask them here:
Thanks for your help!
Best regards,
Harry
Thanks for the information!
If I understand correctly "Custom Applications/Sites" will not prevent HTTP (unencrypted) access to a malicious IP address if the host header has a DNS name that is allowed, even if we are running R80.40. Could you please confirm that this is the case also if we are using the built-in URL filtering categories?
Also, my understanding is that we could use domain objects to block this kind of access, since the firewall itself will do the DNS lookup and only allow traffic to that IP address. An alternative way to mitigate this would be to use a web proxy in front of the firewall, since the proxy would do the DNS lookup and should thus only send the HTTP request to valid IP addresses.
Does Check Point have any other way to prevent this kind of circumvention, e.g. using IPS or anti-bot?
Thanks for your help!
Best regards,
Harry
Thanks for the confirmation and information. That makes sense. I have updated the original post to also include this limitation of Custom Applications/Sites.
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY