Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
JordanHsu
Explorer

About SMB 1600 bridge mode

Hello Sirs, 

I've received a requirement where the current network architecture consists of an external firewall, CoreSwitch, LAN DHCP, and various devices such as PCs, ESXi servers, and other servers. During vulnerability scanning, it was discovered that certain ports on the internal servers are potential attack targets.

To enhance security and compliance, I'm considering adding a SMB CheckPoint firewall to the network and enabling IPS functionality without disrupting the existing network architecture. I've thought about using CP's Bridge Mode for this purpose, but I have some questions.

In my proposed architecture, I plan to make ESXi and problematic servers part of the Bridge Mode setup. Would it be possible to control traffic rules using this CheckPoint firewall? For instance, can I set up rules to restrict specific IP traffic through this configuration?

such as :

  1. Oracle Database Server Vulnerabilities (Port 0):

    • Restrict access to this port to specific IPs that need access.
    • Implement IP whitelisting for authorized connections.
  2. PCI DSS Compliance: Detected Remote Access Software (Ports 139 and 445):

    • Limit access to these ports to specific IP addresses (privileged computers) that require remote access.
    • Utilize IP whitelisting to control access.
  3. Oracle Database Vulnerabilities (Port 1521):

    • Apply IP restrictions to limit connections to this port.
    • Ensure that only relevant hosts (e.g., AP and CP) are allowed access.
  4. PCI DSS Compliance: Detected Remote Access Software (Ports 21 and 22):

    • Restrict access to these ports by specifying authorized IP addresses (privileged computers).
    • Employ IP whitelisting to enforce the restriction.
  5. Unsupported Linux Kernel Version Detected (Port 23):

    • Implement IP-based access control to this port.
    • Limit connections to privileged computers.
  6. SSL/TLS Vulnerabilities (Ports 443 and 8081):

    • Apply IP restrictions to these ports to allow access only to authorized IP addresses.
    • Consider disabling older SSL/TLS versions and weak cipher suites if feasible for security

 

 
 

圖01.jpg

 

 

Does it work?

Thanks kindly support 

0 Kudos
23 Replies
G_W_Albrecht
Legend Legend
Legend

Read here: sk101371: Bridge Mode on Gaia OS and SecurePlatform OS

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JordanHsu
Explorer

Hello Sir 

I just read the document, but I don't quite understand it

Regrettably I don't have physical machines in my company. 

Just want to make sure, in my architecture if i want to release 2 server under to Brige mode SMB FW1600 , does that function were make same of the traditional firewall as we know, to install policy setup the rule , Source ,Destination , VPN action ?

The purpose of this is to eliminate changes to the current architecture and to control traffic and IPS functions.

Thanks your time.

Jordan

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Legend:

  • G_W_Albrecht_0-1694763560480.png = Supported
  • G_W_Albrecht_2-1694763560473.png = Supported, but requires a software package, or limitations exist
  • G_W_Albrecht_3-1694763560534.png = Not supported
Software Blade /
Feature
Supported in
Gateway mode?
Supported in
VSX mode?
Firewall G_W_Albrecht_4-1694763560565.png

 

G_W_Albrecht_5-1694763560476.png

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

You realize you can also run a virtual security gateway inside your ESXi environment, right?
Also, it's not clear how the traffic will flow here or be restricted to going through the bridge, or might flow through the bridge more than once.
Having traffic traverse the bridge more than once is not supported (i.e. double inspection).

0 Kudos
JordanHsu
Explorer

Hello Sir, 

We have two ESXi virtual machines in our environment, and we need to implement IPS and security protection for the VMs within them. If we connect both ESXi hosts to a CheckPoint 1600 in Bridge mode, will the traffic flow be sufficient?

However , According to my CheckPoint distributor partner in Taiwan, the recommendation is to add an additional switch in this scenario. However, I don't fully understand the purpose of adding a switch without making changes to the network environment and IP settings. Additionally, I'm unsure about where this switch should be placed...:(

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Ask the CP TAC engineers !

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

What is the physical connectivity between the ESXi server and the 1800 and how will that map to the VMs in question?
And why not run a Quantum Security Gateway as a VM instead?

0 Kudos
JordanHsu
Explorer

Hello Sir, 

That is my new writed layout as below, 

If i don't want to change my current service IP address, where is the CP1600 good for this case

  2023-09-20_15-48-07.png

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Where is the CP1600 ?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JordanHsu
Explorer

We are not deiced where is the locale of CP1600

As regarding of support team recommend 

I am really confuse why we need to added a new switch between the CoreSwitch  

2023-09-21_12-04-17.png

0 Kudos
G_W_Albrecht
Legend Legend
Legend

This looks wrong, i see a loop !

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JordanHsu
Explorer

How about that ? 

Could you please let me know why be setting to the loop ?

 

 

2023-09-21_12-04-17.png

0 Kudos
Tom_Hinoue
Advisor
Advisor

Can you explain to us in detail what servers and its IP needs to be in the protected scope...like the direction of the connections?
Note that if the servers IP that's running on ESXi is in the same network segment, typically IPS would not be enforced in the first place, or can only protect a certain asset and not both at the same time.

0 Kudos
JordanHsu
Explorer

Hello Sir, 

We would like to protected these VM segment of 192.168.2.X 

0 Kudos
Tom_Hinoue
Advisor
Advisor

Are you referring to North-South traffic to different segments or, East-West traffic to protect traffic from/to servers in the same segment? 

<e.g.>
192.168.2.0 <-> 192.168.2.0     : do you want security inspection to be enforced on inbound/outbound traffic between servers in the same segment?

192.168.2.0 <-> 192.168.1.0     : Or between other networks that traverses through the core switch? or both patterns?

just to make things clear.

0 Kudos
JordanHsu
Explorer

Hello Sir, 

We just to define and protect 192.168.2.X segment , Because we have going to vulnerability scan had 1433 port issue in that DB server. 

So we just to confirmed Intranet traffic, actually in customer layout that have set the policy on that outside firewall.

 All intranet segments can access 192.168.2.X

0 Kudos
G_W_Albrecht
Legend Legend
Legend

What about this:

1600.png:

 

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JordanHsu
Explorer

Hello Sir, 

According of your graphic your mean is that all ESXI to connected to new deploy switch DSV2 vswitch0 , 1 ? 

That is my our expectations, but we afraid will the traffic be insufficient.. does it cause a loop if I keep my layout ? Vswitch0 to core switch ?

Thanks

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

All traffic that has to be inspected must pass thru the 1600.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

we afraid will the traffic be insufficient - do you need more than 2,5 GB ?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JordanHsu
Explorer

Unfortunately  , we encountered a failure after last week's testing. We have an Esxi host that, after migrating through a Vswitch, is unable to successfully obtain the Gateway. We suspect that the issue may be related to the Edge Switch, which might require a Layer 2 switch that can be configured as a trunk. It's worth noting that even though our company environment doesn't utilize VLANs for control, everything is currently operating on VLAN 1.

0 Kudos
PhoneBoy
Admin
Admin

Even when you do not explicitly use VLANs, VLAN 1 always "exists" as it is the default LAN.

0 Kudos
JordanHsu
Explorer

Is a Layer 2 Switch behind the firewall necessary? In CheckPoint, using Bridge mode,

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events