CPArk
Participant

Force one-way inspection

Experts,

Is it possible to force a security gateway to behave like a Cisco ASA firewall for a limited use case and only allow traffic one way? For example, opening up https and another non-standard port outbound from a DMZ at one location and this system talks outbound to a cloud service for monitoring. There are capabilities of the system to connect inbound from the cloud service but we only want the system in the DMZ to connect outbound to transfer data. No inbound even if it's a reverse tunnel from an existing https outbound connection.

2 Replies
the_rock
Legend

Let me take a "crack" at this, though there are way smarter people on here than myself, so I'm sure they will give you the correct answer.

Some ways I can think of doing what you asked:

- define rules to allow ONLY outbound connections; you can use zones in the policy for this and create rules to block inbound connections

- define anti-spoofing for the specific interface just to reflect that specific network

- stateless inspection, i.e. disable stateful inspection (not 100% sure though if that is a must here)

- policy-based routing

- NAT (for example, define static NAT only where required)

Hope that helps.

Best,

Andy

emmap
Employee

For UDP it's easy, you can turn off 'accept replies for unknown UDP' and make sure 'accept replies' is not enabled on the custom UDP service object.

Normal inbound connections are already blocked simply by not putting a rule in to allow them.

Using an open outbound HTTPS connection to prevent data transfer inbound I don't know that we can; we have to accept reply packets for the session to establish, else you won't get anything. In order to be able to understand the nature of the HTTPS stream once the session is up, we'd have to decrypt it so that we can see what's going on in there, which may already break things due to cert stuff etc. At a basic layer 3/4 level I don't know that anything could accomplish what you're asking for.

We need to better understand the connections that are established and in what direction to be able to properly determine the course of action here.
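The layer 3/4 behaviour described in the replies above, as an added illustration that is not part of the thread and not Check Point code: a minimal stateful filter whose only rules are outbound DMZ-to-cloud, with a toggle modelling the UDP 'accept replies' setting. Addresses, ports and the decision labels are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample addresses and service ports (not from the thread).
DMZ_HOST = "10.10.5.20"
CLOUD = "203.0.113.10"
ALLOWED_OUTBOUND = {("tcp", CLOUD, 443), ("udp", CLOUD, 5140)}  # https + hypothetical non-standard port

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # TCP connection-initiating segment
    payload: bytes = b""

class OneWayFirewall:
    """Stateful L3/4 filter: outbound rules only, implicit drop for everything else."""
    def __init__(self, accept_udp_replies: bool):
        self.accept_udp_replies = accept_udp_replies
        self.conns = set()  # (proto, client, server, server_port) of sessions the DMZ host opened

    def filter(self, pkt: Packet) -> str:
        # Packet flowing back into a session the DMZ host opened: it is a reply and is
        # accepted on connection state alone; the payload (e.g. a tunnel inside TLS) is never examined.
        if (pkt.proto, pkt.dst, pkt.src, pkt.sport) in self.conns:
            if pkt.proto == "udp" and not self.accept_udp_replies:
                return "drop"       # 'accept replies' disabled on the UDP service
            return "accept-reply"
        # Further outbound packets of an existing session.
        if (pkt.proto, pkt.src, pkt.dst, pkt.dport) in self.conns:
            return "accept"
        # New session: only DMZ-originated traffic matching an outbound rule creates state.
        if pkt.src == DMZ_HOST and (pkt.proto, pkt.dst, pkt.dport) in ALLOWED_OUTBOUND:
            if pkt.proto == "udp" or pkt.syn:
                self.conns.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))
                return "accept"
        return "drop"  # no inbound rule exists, so cloud-initiated connections hit the cleanup rule

def run_scenarios(accept_udp_replies: bool) -> list:
    fw = OneWayFirewall(accept_udp_replies)
    inbound = Packet("tcp", CLOUD, DMZ_HOST, 51000, 443, syn=True)          # cloud tries to connect in
    out_syn = Packet("tcp", DMZ_HOST, CLOUD, 40000, 443, syn=True)          # DMZ opens https outbound
    reply = Packet("tcp", CLOUD, DMZ_HOST, 443, 40000, payload=b"<tls record>")  # could carry a reverse tunnel
    udp_out = Packet("udp", DMZ_HOST, CLOUD, 40001, 5140)
    udp_reply = Packet("udp", CLOUD, DMZ_HOST, 5140, 40001)
    return [fw.filter(p) for p in (inbound, out_syn, reply, udp_out, udp_reply)]
```

With UDP replies disabled the result is `['drop', 'accept', 'accept-reply', 'accept', 'drop']`: the inbound attempt is dropped and the UDP reply is dropped, but the TCP reply inside the outbound HTTPS session is accepted, which is exactly the limit the reply above describes.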
