Re: About SMB 1600 bridge mode

JordanHsu · ‎2023-09-14

Hello Sirs,

I've received a requirement where the current network architecture consists of an external firewall, CoreSwitch, LAN DHCP, and various devices such as PCs, ESXi servers, and other servers. During vulnerability scanning, it was discovered that certain ports on the internal servers are potential attack targets.

To enhance security and compliance, I'm considering adding a SMB CheckPoint firewall to the network and enabling IPS functionality without disrupting the existing network architecture. I've thought about using CP's Bridge Mode for this purpose, but I have some questions.

In my proposed architecture, I plan to make ESXi and problematic servers part of the Bridge Mode setup. Would it be possible to control traffic rules using this CheckPoint firewall? For instance, can I set up rules to restrict specific IP traffic through this configuration?

such as :

Oracle Database Server Vulnerabilities (Port 0):
- Restrict access to this port to specific IPs that need access.
- Implement IP whitelisting for authorized connections.
PCI DSS Compliance: Detected Remote Access Software (Ports 139 and 445):
- Limit access to these ports to specific IP addresses (privileged computers) that require remote access.
- Utilize IP whitelisting to control access.
Oracle Database Vulnerabilities (Port 1521):
- Apply IP restrictions to limit connections to this port.
- Ensure that only relevant hosts (e.g., AP and CP) are allowed access.
PCI DSS Compliance: Detected Remote Access Software (Ports 21 and 22):
- Restrict access to these ports by specifying authorized IP addresses (privileged computers).
- Employ IP whitelisting to enforce the restriction.
Unsupported Linux Kernel Version Detected (Port 23):
- Implement IP-based access control to this port.
- Limit connections to privileged computers.
SSL/TLS Vulnerabilities (Ports 443 and 8081):
- Apply IP restrictions to these ports to allow access only to authorized IP addresses.
- Consider disabling older SSL/TLS versions and weak cipher suites if feasible for security

Does it work?

Thanks kindly support

G_W_Albrecht · ‎2023-09-14

Read here: sk101371: Bridge Mode on Gaia OS and SecurePlatform OS

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

JordanHsu · ‎2023-09-15

Hello Sir

I just read the document, but I don't quite understand it

Regrettably I don't have physical machines in my company.

Just want to make sure, in my architecture if i want to release 2 server under to Brige mode SMB FW1600 , does that function were make same of the traditional firewall as we know, to install policy setup the rule , Source ,Destination , VPN action ?

The purpose of this is to eliminate changes to the current architecture and to control traffic and IPS functions.

Thanks your time.

Jordan

G_W_Albrecht · ‎2023-09-15

Legend:

= Supported
= Supported, but requires a software package, or limitations exist
= Not supported

Software Blade /
Feature Supported in
Gateway mode? Supported in
VSX mode?

Firewall

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2023-09-15

You realize you can also run a virtual security gateway inside your ESXi environment, right?
Also, it's not clear how the traffic will flow here or be restricted to going through the bridge, or might flow through the bridge more than once.
Having traffic traverse the bridge more than once is not supported (i.e. double inspection).

JordanHsu · ‎2023-09-18

Hello Sir,

We have two ESXi virtual machines in our environment, and we need to implement IPS and security protection for the VMs within them. If we connect both ESXi hosts to a CheckPoint 1600 in Bridge mode, will the traffic flow be sufficient?

However , According to my CheckPoint distributor partner in Taiwan, the recommendation is to add an additional switch in this scenario. However, I don't fully understand the purpose of adding a switch without making changes to the network environment and IP settings. Additionally, I'm unsure about where this switch should be placed...:(

G_W_Albrecht · ‎2023-09-18

Ask the CP TAC engineers !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

PhoneBoy · ‎2023-09-19

What is the physical connectivity between the ESXi server and the 1800 and how will that map to the VMs in question?
And why not run a Quantum Security Gateway as a VM instead?

JordanHsu · ‎2023-09-20

Hello Sir,

That is my new writed layout as below,

If i don't want to change my current service IP address, where is the CP1600 good for this case

G_W_Albrecht · ‎2023-09-20

Where is the CP1600 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

JordanHsu · ‎2023-09-20

We are not deiced where is the locale of CP1600

As regarding of support team recommend

I am really confuse why we need to added a new switch between the CoreSwitch

G_W_Albrecht · ‎2023-09-21

This looks wrong, i see a loop !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

JordanHsu · ‎2023-09-21

How about that ?

Could you please let me know why be setting to the loop ?

Tom_Hinoue · ‎2023-09-21

Can you explain to us in detail what servers and its IP needs to be in the protected scope...like the direction of the connections?
Note that if the servers IP that's running on ESXi is in the same network segment, typically IPS would not be enforced in the first place, or can only protect a certain asset and not both at the same time.

JordanHsu · ‎2023-09-21

Hello Sir,

We would like to protected these VM segment of 192.168.2.X

Tom_Hinoue · ‎2023-09-21

Are you referring to North-South traffic to different segments or, East-West traffic to protect traffic from/to servers in the same segment?

<e.g.>
192.168.2.0 <-> 192.168.2.0 : do you want security inspection to be enforced on inbound/outbound traffic between servers in the same segment?

192.168.2.0 <-> 192.168.1.0 : Or between other networks that traverses through the core switch? or both patterns?

just to make things clear.

JordanHsu · ‎2023-09-21

Hello Sir,

We just to define and protect 192.168.2.X segment , Because we have going to vulnerability scan had 1433 port issue in that DB server.

So we just to confirmed Intranet traffic, actually in customer layout that have set the policy on that outside firewall.

All intranet segments can access 192.168.2.X

G_W_Albrecht · ‎2023-09-21

What about this:

:

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

JordanHsu · ‎2023-09-21

Hello Sir,

According of your graphic your mean is that all ESXI to connected to new deploy switch DSV2 vswitch0 , 1 ?

That is my our expectations, but we afraid will the traffic be insufficient.. does it cause a loop if I keep my layout ? Vswitch0 to core switch ?

Thanks

G_W_Albrecht · ‎2023-09-21

All traffic that has to be inspected must pass thru the 1600.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2023-09-22

we afraid will the traffic be insufficient - do you need more than 2,5 GB ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

JordanHsu · ‎2023-09-27

Unfortunately , we encountered a failure after last week's testing. We have an Esxi host that, after migrating through a Vswitch, is unable to successfully obtain the Gateway. We suspect that the issue may be related to the Edge Switch, which might require a Layer 2 switch that can be configured as a trunk. It's worth noting that even though our company environment doesn't utilize VLANs for control, everything is currently operating on VLAN 1.

PhoneBoy · ‎2023-09-28

Even when you do not explicitly use VLANs, VLAN 1 always "exists" as it is the default LAN.

JordanHsu · ‎2023-10-01

Is a Layer 2 Switch behind the firewall necessary? In CheckPoint, using Bridge mode,

Software Blade / Feature	Supported in Gateway mode?	Supported in VSX mode?
Firewall

Are you a member of CheckMates?

About SMB 1600 bridge mode