Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
KandarpDesai
Contributor
Jump to solution

Enabling web server security

Hi guys,
I have a checkpoint firewall with ngtx. I want to enable web security for my web servers (sql injection, cross site scripting etc.). I did this by creating a host of web server and enabled the protections.

Is that all or do I need to add something else somehwere too. In the guide it mentions the following "Enforcement of these protections are dependent on IPS profile" What does that mean?

Also how can I test that these protections are working via some testing method?

0 Kudos
2 Solutions

Accepted Solutions
Lari_Luoma
Ambassador Ambassador
Ambassador

Hi Vladimir,

1. Open a Core Protection

2. In General Tab double click  a profile (e.g. Optimized)

3. Go to Advanced Tab

coreprotect1.PNG

View solution in original post

_Val_
Admin
Admin

Uh, that one. Drop obviously means, the connection will be terminated once this particual IPS protection is triggered. Accept here means it will be doing "monitor only" for this specific defence. You will get a log, but the connection will persist anyway. Good only for tuning.

View solution in original post

26 Replies
PhoneBoy
Admin
Admin

Protections can be enabled/disabled in your IPS profile and/or your Threat Prevention policy, depending on management and gateway version.
It would be helpful if you specified the exact steps you followed and provided some screenshots of exactly what you did.
Also, anytime you make changes to IPS, you need to push the Threat Prevention policy (Access Policy for R77.x Gateways).

As far as testing some of these protections, you can use a tool like Burp Suite.

KandarpDesai
Contributor

Hi Phoneboy,

Thanks for suggesting BurpSuite, I have applied for a trial.

As for the steps, I did the following

- Created a new host
- Clicked on Servers>Web server>Protections
- Protections were enabled already.
- Pushed the Threat Policy ( exisiting Policy is Scope=Any and Action=Optimized )

 

Webserver.png

 

0 Kudos
KandarpDesai
Contributor

Hi Guys,

Kindly help me to know if this is correct. Appreciate the help.

0 Kudos
PhoneBoy
Admin
Admin

What does your Threat Prevention rulebase look like?

0 Kudos
KandarpDesai
Contributor

Dear PB,
My threat policy is "ANY" and "OPTIMIZED"

0 Kudos
Cyber_Serge
Collaborator
I am curious about this as well. I thought we just need to configure the Profile protection and it will apply; This looks very specific to web server; do we need to configure all the web server object this way?
0 Kudos
Wolfgang
Authority
Authority

Frank_Yao1,

to enable the Webserver-protections you have to enable the servertype Webserver and the protections on all your webservers host objects.

Wolfgang

0 Kudos
KandarpDesai
Contributor

Dear Wolfgang,

I want to confirm if my config is right or not.

0 Kudos
PhoneBoy
Admin
Admin
Your configuration is correct (assuming gateway is R80.x).
Wolfgang
Authority
Authority

Yes Kandarp, you config looks good. 

Wolfgang

PhoneBoy
Admin
Admin
This was required pre-R80.x, but I don't believe this is no longer required.
0 Kudos
Vladimir
Champion
Champion

@PhoneBoy , please clarify:

Are we still required to configure the Web Server objects and their protections individually, or is the "Optimized" profile taking care of that irrespective to the target server?

Thank you,

Vladimir

 

P.S. It is really difficult to track which response is relevant to which thread in the forum unless person is mentioned by name and the excerpt from their post is included in the reply. 

0 Kudos
Wolfgang
Authority
Authority

 @Vladimir and @PhoneBoy 

I follow Vladimir, there should be a statement for the web security configuration.

I think it is too needed in R80.xx, there are no protections like „SQL injections, cross site scripting, etc. „ in the normal IPS protections. 

Dameon, please can you clarify if needed or not.

Wolfgang

0 Kudos
PhoneBoy
Admin
Admin
I'm checking this, but I don't believe it's required.
0 Kudos
PhoneBoy
Admin
Admin
Checking on all of it 🙂
And yes, I'm aware we need to add indents in threads, but that's turning out to be a bigger problem to solve than it should be.
0 Kudos
Lari_Luoma
Ambassador Ambassador
Ambassador

Yes you are still required to do that. Those protections have moved to so called core protections that are installed with Access Control Policy. See my full response to this thread.

 

EDIT: I thought this response would have shown under Vladimir's question. Hmmm... 

Lari_Luoma
Ambassador Ambassador
Ambassador

Hi!

 

There two types of protections (or actually three if you count also inspection settings):

Threat Cloud Protections that are the actual IPS Protections updated from Check Point Threat Cloud. These protections are installed with the Threat Prevention Policy.

Core Protections are protections that require IPS blade, but are there by default (there are 39 of them or so). These protections are installed with the Access Control Policy. 

Core Protections are assigned directly to the gateways with their profile. You can then select whether you want this specific protection to be assigned to a selected web server or not (if it's a web server related protection). If you know your web servers and have configured them, make sure "Apply to Selected Web Servers" is selected. Otherwise select "Apply to all HTTP Traffic". By clicking View you can view the web servers that you have configured in the host object as a web server.

coreprotect3.PNG

 

Vladimir
Champion
Champion

@Lari_Luoma , how on earth did you get to see the screen from your post above 🙂 ?

I am pocking in both, R80.20 and R80.30 in Core Protections and all I am seeing is:

image.png

 

and when editing the selected "HTTP Header Patterns", I am seeing:

image.png

 

Which, IMHO, got to mean that the entire scope is protected and that there is no need to cherry-pick the Web Servers.

Am I looking at this wrong?

Lari_Luoma
Ambassador Ambassador
Ambassador

Hi Vladimir,

1. Open a Core Protection

2. In General Tab double click  a profile (e.g. Optimized)

3. Go to Advanced Tab

coreprotect1.PNG

Vladimir
Champion
Champion

Thank you @Lari_Luoma !  I am looking at it now.

One comment for Check Point developers: If you have a protection that is not really being enforced until additional settings are configured, perhaps another icon and action should be defined for it (i.e. gear with "config required").

0 Kudos
alex1972
Explorer

Hello Lary,

can you clarify the difference between Accept and Drop in IPS core protection Action?

thank you

0 Kudos
CheckPointerXL
Advisor
Advisor

Hello Vladimir,

can you clarify the difference between Accept and Drop in action field?

thank you

0 Kudos
_Val_
Admin
Admin

There is no Accept in IPS, AFAIK. What are you trying to figure out?

0 Kudos
CheckPointerXL
Advisor
Advisor

Hello Val,

thank you for your quick answer.

Please take a look to attached image.

I can't figure out the meaning of active/drop.

Inactive i guess that the ips core protection is never triggered... but what about Accept/Drop?

 

thanks!

0 Kudos
_Val_
Admin
Admin

Uh, that one. Drop obviously means, the connection will be terminated once this particual IPS protection is triggered. Accept here means it will be doing "monitor only" for this specific defence. You will get a log, but the connection will persist anyway. Good only for tuning.

CheckPointerXL
Advisor
Advisor

Great, thank you! So, basically, "accept" in IPS core protection is considered a kind of "detect" for IPS ThreatCloud protection, very confusing.
This information is not documented nowhere! Very helpful

Kind regards

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events