Download Complete PDF Send Feedback Print This Page

Previous

Synchronize Contents

Next

Defining an Internet Access Policy

Related Topics

Managing URL Filtering and Application Control

HTTPS Inspection

Managing URL Filtering and Application Control

Today there are many challenges for businesses to keep up with security requirements of social media and Web 2.0 applications. It is necessary for system administrators to use the security policy to overcome these challenges. For example:

  • Malware threats - Popular applications like Twitter, Facebook, and YouTube can cause users to download viruses unintentionally. When users download files and use torrents, they can also let malware into your network.
  • Bandwidth hogging - Applications that use a lot of bandwidth can reduce the performance for important business applications.
  • Loss of productivity - Employees can spend time on social networking and other applications that can decrease business productivity.
  • Content control - Prevent Internet access to websites with inappropriate content, such as sex, violence, and alcohol.

For more about using Application Control and URL Filtering, see the R76 Application Control and URL Filtering Administration Guide.

The Check Point Solution for Internet Browsing

The Check Point Firewall can use the URL Filtering and Application Control Software Blades to monitor and control how organizations of all sizes use the Internet. You can easily create policies which identify or block thousands of applications and Internet sites. These Software Blades help complete the security policy for your organization.

Use URL Filtering and Application Control to:

  • Create a Granular Policy - Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels. You can also create an HTTPS policy that enables the Security Gateway to inspect HTTPS traffic to prevent security risks related to the SSL protocol.
  • Manage Bandwidth Consumption - Configure the rules to limit the available network bandwidth for specified users or groups. You can make separate limits for uploading and downloading.
  • Keep Your Policies Updated - The Application Database is updated regularly and makes sure that your Internet security policy has the newest applications and website categories. The Security Gateway connects to the Check Point Online Web Service to identify new social networking widgets and website categories for URLs.
  • Communicate with Users - UserCheck objects add flexibility to URL Filtering and Application Control and let the Security Gateway communicate with users. UserCheck helps users understand that certain websites are against the company's security policy. It also tells users about the changing Internet policy for websites and applications.
  • Create Custom Objects - In addition to the hundreds of default objects, create new objects to manage Internet use for your network. You can create objects for applications, websites, categories and groups. Use these custom objects in rules to meet your organization's requirements.

UserCheck

UserCheck works with the URL Filtering and Application Control Software Blades and lets the Security Gateway send messages to users about possible non-compliant or dangerous Internet browsing. Create rules and UserCheck objects in the URL Filtering and Application Control Rule Base to communicate with the users. These actions use UserCheck objects:

  • Inform
  • Ask
  • Block

UserCheck on a Security Gateway

You can enable UserCheck on Security Gateways that use URL Filtering and Application Control Software Blades. When UserCheck is enabled, the user's Internet browser shows the UserCheck messages in a new window.

UserCheck on a computer

The UserCheck client is installed on endpoint computers. This client:

  • Sends messages for applications that are not based on Internet browsers. For example: Skype, iTunes, and Internet browser add-ons and plug-ins.
  • Shows a message on the computer when it cannot be shown in the Internet browser.

Enabling URL Filtering and Application Control

You can enable Application Control and URL Filtering Software Blades from the General Properties page in SmartDashboard.

To enable URL Filtering and Application Control:

  1. In SmartDashboard, double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the navigation tree, click General Properties.
  3. From the Network Security tab, select URL Filtering, Application Control or both.
  4. Click OK and install the policy.

Using the URL Filtering and Application Control Rule Base

A strong security policy uses firewall rules to inspect packets, and URL Filtering and Application Control rules to control Internet browsing. SmartDashboard has a different Rule Base that manages URL Filtering and Application Control for a Security Gateway.

These are the fields that manage the rules for the URL Filtering and Application Control security policy.

Field

Description

No.

Rule number in the URL Filtering and Application Control Rule Base.

Hits

Number of connections that match this rule.

Name

Name that the system administrator gives this rule.

Source

Network object that defines where the traffic starts.

Destination

Network object that defines the destination of the traffic.

Applications/
Sites

Applications or web sites that are allowed or blocked.

Action

Action that is done when traffic matches the rule. Options include: Allow, Block, Limit (control the bandwidth) and Inform (UserCheck message).

Track

Tracking and logging action that is done when traffic matches the rule.

Install On

Network objects that will get the rule(s) of the policy.

Time

Time period that this rule is enforced.

Comment

An optional field that lets you summarize the rule.

Order of Rule Enforcement

The Security Gateway applies all the rules in Firewall Rule Base and then applies the URL Filtering and Application Control rules. The rules in the URL Filtering and Application Control Rule Base are sequentially applied to packets. The first rule that matches a packet is applied. There is no Cleanup rule in the URL Filtering and Application Control Rule Base: packets that do not match the rules are allowed.

Special URL Filtering and Application Control Fields

Internet browsing is not easily defined into allowed and prohibited categories. Many websites and applications can be used for legitimate business reasons. The rules that control Internet access must be flexible and granular. The URL Filtering and Application Control Rule Base uses these fields to create a strong and flexible security policy:

  • Applications/Sites
  • Action

Applications/Sites

Use the Applications/Sites field to define the web applications and sites that are included in the rule. This field can use one or more of these options:

  • Web applications
  • Web sites
  • Internet widgets
  • Default categories of Internet traffic
  • Custom group or category that you create

To add an application or site to a rule:

  1. Click Application and URL Filtering > Policy.
  2. Right-click the Applications/Sites cell for the rule and select one of these options:
    • Add Applications/Sites
    • Add Category

    The Application viewer window opens.

  3. From the Available list, select the applications and sites for the rule.
  4. Click OK.

To create a new application or site:

  1. Click Application and URL Filtering > Applications/Sites.

  2. Click New > Application/Site.
  3. Select Application/Sites URLs.
  4. Enter a URL and click Add.

    Do this step again for all the URLs.

  5. Click Next.

To create a custom category:

  1. Click Application and URL Filtering > Applications/Sites.
  2. Click New > Application/Site Group.

    The Applications/Sites Group window opens.

  3. Enter a Name for the group.
  4. Click Add.

    The Application viewer window opens.

  5. From the Available list, select the applications and sites for the group.
  6. Click OK and then click OK.

Action

Use the Action field to define what occurs to traffic that matches the URL Filtering and Application Control rule. These are the Action options:

Action

Description

Allow

Allows the traffic.

Block

Blocks the traffic. Shows a UserCheck Block message.

If no UserCheck object is defined for this action, no message is displayed.

Limit

Defines the maximum bandwidth that is allowed for this rule. Select or create a Limit object that defines the bandwidth limits.

Captive Portal

Redirects HTTP traffic to an authentication (captive) portal. Once the user is authenticated, new connections from this source are inspected but are not redirected.

Rule Actions

  • New Rule - Creates a new rule Above or Below the selected rule.
  • Delete Rule - Deletes the selected rule or rules.
  • Disable Rule - The rule stays in the Rule Base but is not active.
  • Select All Rules
  • View rule logs in SmartView Tracker - Opens SmartView Tracker and shows logs related to the rule.
  • View rule logs in SmartEvent - Opens SmartEvent and shows logs related to the rule.

UserCheck Actions

These are the Action options work with the UserCheck feature:

Action

Description

Ask

Shows a UserCheck Ask message. The message asks users to confirm that it is necessary that they to the application or site.

Block

Blocks the traffic. Shows a UserCheck Block message.

If no UserCheck object is defined for this action, no message is displayed.

UserCheck Frequency

Defines how often users see the UserCheck message for Ask, Inform, or Block actions.

UserCheck Scope

Defines if the UserCheck message is shown for a category, application or all traffic that matches the rule.

Edit UserCheck Message

Opens the UserCheck message in a new window.

Sample URL Filtering and Application Control Rule Base

This table shows a sample URL Filtering and Application Control Rule Base for a typical policy that monitors and controls Internet browsing. (The Hits and Install On columns are not shown.)

No.

Name

Source

Destination

Applications/
Sites

Action

Track

Time

1

Liability sites

Any

Internet

Potential_liability

Blocked Message

Log

Any

2

High risk applications

Any

Internet

High Risk

iTunes

High Risk Block

Log

Any

3

Allow IT department Remote Admin

IT_Department

Any

Radmin

Allow

Log

Work-
Hours

4

Allow Facebook for HR

HR

Internet

Facebook

Allow

Download_1Gbps

Down: 1 Gbps

Log

Any

5

Block these categories

Any

Internet

Streaming Media

Social Networking

P2P File Sharing

Remote Administration

Blocked Message

Log

Any

6

Log all applications

Any

Internet

Any Recognized

Allow

Log

Any

  1. Liability sites- Blocks traffic to sites and applications in the Potential_liability category. The UserCheck Blocked Message is shown to users and explains why their traffic is blocked.
  2. High risk applications - Blocks traffic to sites and applications in the High Risk category and blocks the iTunes application. The UserCheck High Risk Block Message is shown to users and tells why their traffic is blocked.
  3. Allow IT department Remote Admin - Allows the computers in the IT_Department network to use the Radmin application. Traffic that uses Radmin is allowed only during these hours, 8:00 - 18:30.
  4. Allow Facebook for HR - Allows computers in the HR network to use Facebook. The total traffic downloaded from Facebook is limited to 1 Gbps, there is no upload limit.
  5. Block these categories - Blocks traffic to these categories: Streaming Media, Social Networking, P2P File Sharing, and Remote Administration. The UserCheck Blocked Message is shown to users and explains why their traffic is blocked.

    The Remote Administration category blocks traffic that uses the Radmin application. If this rule is placed before rule 3, then this rule can also block Radmin for the IT department.

  6. Log all applications- Logs all traffic that matches any of the URL Filtering and Application Control categories.

HTTPS Inspection

HTTPS Internet traffic uses the SSL (Secure Sockets Layer) protocol and is encrypted to give data privacy and integrity. However, HTTPS traffic has a possible security risk and can hide illegal user activity and malicious traffic. The Firewall cannot inspect HTTPS traffic because it is encrypted. You can enable the HTTPS Inspection feature to let the Firewall create new SSL connections with the external site or server. The Firewall is then able to decrypt and inspect HTTPS traffic that uses the new SSL connections.

There are two types of HTTPS Inspection:

  • Outbound HTTPS Inspection - To protect against malicious traffic that is sent from an internal client to an external site or server.
  • Inbound HTTPS Inspection - To protect internal servers from malicious requests that start from the Internet or an external network.

The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in a log.

For more about configuring HTTPS Inspection, see the R76 Application Control and URL Filtering Administration Guide.

Inspecting HTTPS Packets

Outbound Connections

Outbound connections are HTTPS connections that start from an internal client and connect to the Internet. The Firewall compares the HTTPS request to the HTTPS Inspection Rule Base. If the request does not match a rule, the packet is not inspected and the connection is allowed.

If the request matches an inspection rule, the Firewall makes sure that the certificate from the server (in the Internet) is valid. The Security Gateway creates a new certificate and uses it for a new HTTPS connection to the server. There are two HTTPS connections, one to the internal client and one to the server. It can then decrypt and inspect the packets according to the Firewall and other Rule Bases. The packets are encrypted again and sent to the destination.

 

 

 

 

Connection is not inspected

 

 

 

 

 

 

é No

 

 

HTTPS request

è

Firewall inspects request

è

Matches a rule?

Yes
è

Firewall validates certificate

 

 

 

 

 

 

ê

 

 

Firewall inspects unencrypted connection and then encrypts it

ç

Decrypts the connection

ç

Creates new certificate for client and server

Inbound Connections

Inbound connections are HTTPS connections that start from an external client and connect to an internal server in the DMZ or the network. The Firewall compares the HTTPS request to the HTTPS Inspection Rule Base. If the request does not match a rule, the packet is not inspected and the connection is allowed.

If the request matches an inspection rule, the Firewall uses the certificate for the internal server to create a HTTPS connection with the external client. The Security Gateway creates a new HTTPS connection with the internal server. Since the Firewall has a secure connection with the external client, it can decrypt the HTTPS traffic. The decrypted traffic is inspected according to the Firewall and other Rule Bases.

 

 

 

 

Connection is not inspected

 

 

 

 

 

 

é No

 

 

HTTPS request

è

Firewall inspects request

è

Matches a rule?

Yes
è

Uses server certificate and connects to the client

 

 

 

 

 

 

ê

 

 

Firewall inspects unencrypted connection

ç

Decrypts the connection

ç

Creates a new connection to server

Using the HTTPS Inspection Rule Base

The HTTPS Inspection Rule Base defines how the Firewall inspects HTTPS traffic. The HTTPS Inspection rules can use the Application Database objects to identify traffic for different websites and applications. For example, to protect the privacy of your users, you can use a rule to ignore HTTPS traffic to banks and financial institutions.

The HTTPS Inspection Rule Base is applied to all the Software Blades that have HTTPS Inspection enabled. Software Blades that can support HTTPS Inspection are:

  • Application Control
  • URL Filtering
  • IPS
  • DLP
  • Anti-Virus
  • Anti-Bot

HTTPS Inspection Rule Base in SmartDashboard

These are the fields that manage the rules for the HTTPS Inspection security policy.

Field

Description

No.

Rule number in the HTTPS Inspection Rule Base.

Name

Name that the system administrator gives this rule.

Source

Network object that defines where the traffic starts.

Destination

Network object that defines the destination of the traffic.

Services

Type of network service that is inspected or bypassed.

Site Category

Categories for applications or web sites that are inspected or bypassed.

Action

Action that is done when HTTPS traffic matches the rule. The traffic is inspected or ignored (Bypass).

Track

Tracking and logging action that is done when traffic matches the rule.

Install On

Network objects that will get the HTTPS Inspection rule. You can only select Security Gateways that have HTTPS Inspection enabled.

Certificate

The certificate that is used for this rule.

  • Inbound HTTPS inspection - Select the certificate that the internal server uses.
  • Outbound HTTPS inspection - Select the Outbound Certificate object that you are using for the computers in the network.

Comment

An optional field that lets you summarize the rule.

Configuring Security Gateways

This section gives an example of how to configure a Security Gateway to inspect outbound and inbound HTTPS traffic.

Overview

  1. From the Global Properties window for the Security Gateway, enable HTTPS Inspection.
  2. Configure the Security Gateway to use the certificate.
    • Outbound Inspection - Generate a new certificate for the Security Gateway.
    • Inbound Inspection - Import the certificate for the internal server.
  3. Configure the HTTPS Inspection Rule Base.
  4. Install the policy.

Enabling HTTPS Inspection

To enable HTTPS Inspection:

  1. In SmartDashboard, double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the navigation tree, click HTTPS Inspection.
  3. From Step 3, select Enable HTTP Inspection.

Generating a New Certificate

The Firewall uses a certificate to inspect outbound HTTPS traffic. You can use SmartDashboard to generate a new certificate with a password for the private key. Make sure that you export and distribute the new certificate to the endpoint computers in the network. Computers that do not have the new certificate will show SSL error messages.

To generate a new certificate for outbound HTTPS Inspection:

  1. Double-click the Security Gateway.

    The Gateway Properties window opens.

  2. From the navigation tree, click HTTPS Inspection.
  3. From Step 1, click Create certificate.
  4. Enter the necessary information:
    • Issued by (DN) - Enter the domain name of your organization.
    • Private key password - Enter the password that is used to encrypt the private key of the CA certificate.
    • Retype private key password - Retype the password.
    • Valid from - Select the date range for which the CA certificate is valid.
  5. Click OK.
  6. Export and deploy the certificate to the endpoint computers.

Adding a Certificate

The Firewall uses the internal server certificate to inspect inbound HTTPS traffic to the internal server. Make sure that you have a copy of the internal server certificate and the private key password before you configure inbound HTTPS inspection. The file for the certificate must have a P12 extension.

To add a server certificate for inbound HTTPS inspection:

  1. Click the Application and URL Filtering tab > Advanced.
  2. Click HTTPS Inspection > Server Certificates.

    The Server Certificates page opens.

  3. Click Add.

    The Import Outbound Certificate window opens.

  4. Enter the Certificate name.
  5. Click Browse and select the certificate file.
  6. Enter the Private key password.
  7. Click OK.

Configuring HTTPS Inspection Rules

Create different HTTPS Inspection rules for outbound and inbound traffic. The outbound rules use the certificate that was generated for the Security Gateway. The inbound rules use a different certificate for each internal server. You can also create bypass rules for traffic that is sensitive and is not inspected. Make sure that the bypass rules are at the top of the HTTPS Inspection Rule Base.

Sample Inspection Rule Base

This table shows a sample HTTPS Inspection Rule Base for a typical policy. (The Track and Install On columns are not shown. Track is set to None and Install On is set to Any.)

No.

Name

Source

Destination

Services

Site Category

Action

Blade

Certificate

1

Financial sites

Any

Internet

HTTPS

HTTP_HTTPS_
proxy

Financial Services

Bypass

Any

Outbound CA

2

Outbound traffic

Any

Internet

HTTPS

HTTP_HTTPS_
proxy

Any

Inspect

Any

Outbound CA

3

Inbound traffic

Any

WebCalendar
Server

HTTPS

Any

Inspect

Any

WebCalendarServer CA

  1. Financial sites - Does not inspect HTTPS traffic to websites that are defined in the Financial Services category. This rule uses the Outbound CA certificate.
  2. Outbound traffic - Inspects HTTPS traffic to the Internet. This rule uses the Outbound CA certificate.
  3. Inbound traffic - Inspects HTTPS traffic to the network object WebCalendarServer. This rule uses the WebCalendarServer certificate.
 
Top of Page ©2013 Check Point Software Technologies Ltd. All rights reserved. Download Complete PDF Send Feedback Print