Defining an Internet Access Policy
Managing URL Filtering and Application Control
Today there are many challenges for businesses to keep up with security requirements of social media and Web 2.0 applications. It is necessary for system administrators to use the security policy to overcome these challenges. For example:
- Malware threats - Popular applications like Twitter, Facebook, and YouTube can cause users to download viruses unintentionally. When users download files and use torrents, they can also let malware into your network.
- Bandwidth hogging - Applications that use a lot of bandwidth can reduce the performance for important business applications.
- Loss of productivity - Employees can spend time on social networking and other applications that can decrease business productivity.
- Content control - Prevent Internet access to websites with inappropriate content, such as sex and violence.
For more about using Application Control and URL Filtering, see the R77 Application Control and URL Filtering Administration Guide.
The Check Point Solution for Internet Browsing
The Check Point Firewall can use the URL Filtering and Application Control Software Blades to monitor and control how organizations of all sizes use the Internet. You can easily create policies which identify or block thousands of applications and Internet sites. These Software Blades help complete the security policy for your organization.
Use URL Filtering and Application Control to:
- Create a Granular Policy - Make rules to allow or block applications and Internet sites for individual applications, categories, and risk levels. You can also create an HTTPS policy that enables the Security Gateway to inspect HTTPS traffic to prevent security risks related to the SSL protocol.
- Manage Bandwidth Consumption - Configure the rules to limit the available network bandwidth for specified users or groups. You can make separate limits for uploading and downloading.
- Keep Your Policies Updated - The Application Database is updated regularly and makes sure that your Internet security policy has the newest applications and website categories. The Security Gateway connects to the Check Point Online Web Service to identify new social networking widgets and website categories for URLs.
- Communicate with Users - UserCheck objects add flexibility to URL Filtering and Application Control and let the Security Gateway communicate with users. UserCheck helps users understand that certain websites are against the company's security policy. It also tells users about the changing Internet policy for websites and applications.
- Create Custom Objects - In addition to the hundreds of default objects, create new objects to manage Internet use for your network. You can create objects for applications, websites, categories and groups. Use these custom objects in rules to meet your organization's requirements.
UserCheck
UserCheck works with the URL Filtering and Application Control Software Blades and lets the Security Gateway send messages to users about possible non-compliant or dangerous Internet browsing. Create rules and UserCheck objects in the URL Filtering and Application Control Rule Base to communicate with the users. These actions use UserCheck objects:
UserCheck on a Security Gateway
You can enable UserCheck on Security Gateways that use URL Filtering and Application Control Software Blades. When UserCheck is enabled, the user's Internet browser shows the UserCheck messages in a new window.
UserCheck on a computer
The UserCheck client is installed on endpoint computers. This client:
- Sends messages for applications that are not based on Internet browsers. For example: Skype, iTunes, and Internet browser add-ons and plug-ins.
- Shows a message on the computer when it cannot be shown in the Internet browser.
Enabling URL Filtering and Application Control
You can enable Application Control and URL Filtering Software Blades from the page in SmartDashboard.
To enable URL Filtering and Application Control:
- In SmartDashboard, double-click the Security Gateway.
The window opens.
- From the navigation tree, click .
- From the tab, select , or both.
- Click and install the policy.
Using the URL Filtering and Application Control Rule Base
A strong security policy uses firewall rules to inspect packets, and URL Filtering and Application Control rules to control Internet browsing. SmartDashboard has a different Rule Base that manages URL Filtering and Application Control for a Security Gateway.
These are the fields that manage the rules for the URL Filtering and Application Control security policy.
Field
|
Description
|
No.
|
Rule number in the URL Filtering and Application Control Rule Base.
|
Hits
|
Number of connections that match this rule.
|
Name
|
Name that the system administrator gives this rule.
|
Source
|
Network object that defines where the traffic starts.
|
Destination
|
Network object that defines the destination of the traffic.
|
Applications/
Sites
|
Applications or web sites that are allowed or blocked.
|
Action
|
Action that is done when traffic matches the rule. Options include: , , (control the bandwidth) and (UserCheck message).
|
Track
|
Tracking and logging action that is done when traffic matches the rule.
|
Install On
|
Network objects that will get the rule(s) of the policy.
|
Time
|
Time period that this rule is enforced.
|
Comment
|
An optional field that lets you summarize the rule.
|
Order of Rule Enforcement
The Security Gateway applies all the rules in Firewall Rule Base and then applies the URL Filtering and Application Control rules. The rules in the URL Filtering and Application Control Rule Base are sequentially applied to packets. The first rule that matches a packet is applied. There is no Cleanup rule in the URL Filtering and Application Control Rule Base: packets that do not match the rules are allowed.
Special URL Filtering and Application Control Fields
Internet browsing is not easily defined into allowed and prohibited categories. Many websites and applications can be used for legitimate business reasons. The rules that control Internet access must be flexible and granular. The URL Filtering and Application Control Rule Base uses these fields to create a strong and flexible security policy:
Applications/Sites
Use the field to define the web applications and sites that are included in the rule. This field can use one or more of these options:
- Web applications
- Web sites
- Internet widgets
- Default categories of Internet traffic
- Custom group or category that you create
To add an application or site to a rule:
- Click > .
- Right-click the cell for the rule and select one of these options:
The Application viewer window opens.
- From the list, select the applications and sites for the rule.
- Click .
To create a new application or site:
- Click > .
- Click > .
- Select .
- Enter a URL and click .
Do this step again for all the URLs.
- Click .
To create a custom category:
- Click > .
- Click > .
The window opens.
- Enter a for the group.
- Click .
The Application viewer window opens.
- From the list, select the applications and sites for the group.
- Click and then click .
Action
Use the field to define what occurs to traffic that matches the URL Filtering and Application Control rule. These are the options:
Action
|
Description
|
Allow
|
Allows the traffic.
|
Block
|
Blocks the traffic. Shows a UserCheck message.
If no UserCheck object is defined for this action, no message is displayed.
|
Limit
|
Defines the maximum bandwidth that is allowed for this rule. Select or create a object that defines the bandwidth limits.
|
Captive Portal
|
Redirects HTTP traffic to an authentication (captive) portal. Once the user is authenticated, new connections from this source are inspected but are not redirected.
|
Rule Actions
|
- New Rule - Creates a new rule Above or Below the selected rule.
- Delete Rule - Deletes the selected rule or rules.
- Disable Rule - The rule stays in the Rule Base but is not active.
- Select All Rules
- View rule logs in SmartView Tracker - Opens SmartView Tracker and shows logs related to the rule.
- View rule logs in SmartEvent - Opens SmartEvent and shows logs related to the rule.
|
UserCheck Actions
These are the options that work with the UserCheck feature:
Action
|
Description
|
Ask
|
Shows a UserCheck message. The message asks users to confirm that it is necessary that they go to the application or site.
|
Block
|
Blocks the traffic. Shows a UserCheck message.
If no UserCheck object is defined for this action, no message is displayed.
|
UserCheck Frequency
|
Defines how often users see the UserCheck message for Ask, Inform, or Block actions.
|
UserCheck Scope
|
Defines if the UserCheck message is shown for a category, application, or all traffic that matches the rule.
|
Edit UserCheck Message
|
Opens the UserCheck message in a new window.
|
Sample URL Filtering and Application Control Rule Base
This table shows a sample URL Filtering and Application Control Rule Base for a typical policy that monitors and controls Internet browsing. (The and columns are not shown.)
No.
|
Name
|
Source
|
Destination
|
Applications/
Sites
|
Action
|
Track
|
Time
|
1
|
Liability sites
|
Any
|
Internet
|
Potential
liability
|
Blocked Message
|
Log
|
Any
|
2
|
High risk applications
|
Any
|
Internet
|
High Risk
iTunes
|
High Risk Block
|
Log
|
Any
|
3
|
Allow IT department Remote Admin
|
IT
|
Any
|
Radmin
|
Allow
|
Log
|
Work-
Hours
|
4
|
Allow Facebook for HR
|
HR
|
Internet
|
Facebook
|
Allow
Download_1Gbps
Down: 1 Gbps
|
Log
|
Any
|
5
|
Block these categories
|
Any
|
Internet
|
Streaming Media
Social Networking
P2P File Sharing
Remote Administration
|
Blocked Message
|
Log
|
Any
|
6
|
Log all applications
|
Any
|
Internet
|
Any Recognized
|
Allow
|
Log
|
Any
|
- - Blocks traffic to sites and applications in the Potential_liability category. The UserCheck Blocked Message is shown to users and explains why their traffic is blocked.
- - Blocks traffic to sites and applications in the High Risk category and blocks the iTunes application. The UserCheck High Risk Block Message is shown to users and tells why their traffic is blocked.
- - Allows the computers in the IT_Department network to use the Radmin application. Traffic that uses Radmin is allowed only during these hours, 8:00 - 18:30.
- - Allows computers in the HR network to use Facebook. The total traffic downloaded from Facebook is limited to 1 Gbps, there is no upload limit.
- - Blocks traffic to these categories: Streaming Media, Social Networking, P2P File Sharing, and Remote Administration. The UserCheck Blocked Message is shown to users and explains why their traffic is blocked.
The Remote Administration category blocks traffic that uses the Radmin application. If this rule is placed before rule 3, then this rule can also block Radmin for the IT department.
- - Logs all traffic that matches any of the URL Filtering and Application Control categories.
HTTPS Inspection
HTTPS Internet traffic uses the SSL (Secure Sockets Layer) protocol and is encrypted to give data privacy and integrity. However, HTTPS traffic has a possible security risk and can hide illegal user activity and malicious traffic. The Firewall cannot inspect HTTPS traffic because it is encrypted. You can enable the HTTPS Inspection feature to let the Firewall create new SSL connections with the external site or server. The Firewall is then able to decrypt and inspect HTTPS traffic that uses the new SSL connections.
There are two types of HTTPS Inspection:
- - To protect against malicious traffic that is sent from an internal client to an external site or server.
- - To protect internal servers from malicious requests that start from the Internet or an external network.
The Security Gateway uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in a log.
For more about configuring HTTPS Inspection, see the R77 Application Control and URL Filtering Administration Guide.
Inspecting HTTPS Packets
Outbound Connections
Outbound connections are HTTPS connections that start from an internal client and connect to the Internet. The Firewall compares the HTTPS request to the HTTPS Inspection Rule Base. If the request does not match a rule, the packet is not inspected and the connection is allowed.
If the request matches an inspection rule, the Firewall makes sure that the certificate from the server (in the Internet) is valid. The Security Gateway creates a new certificate and uses it for a new HTTPS connection to the server. There are two HTTPS connections, one to the internal client and one to the server. It can then decrypt and inspect the packets according to the Firewall and other Rule Bases. The packets are encrypted again and sent to the destination.
|
|
|
|
Connection is not inspected
|
|
|
|
|
|
|
 No
|
|
|
HTTPS request
|
|
Firewall inspects request
|
|
Matches a rule?
|
Yes
|
Firewall validates certificate
|
|
|
|
|
|
|
|
|
|
Firewall inspects unencrypted connection and then encrypts it
|
|
Decrypts the connection
|
|
Creates new certificate for client and server
|
Inbound Connections
Inbound connections are HTTPS connections that start from an external client and connect to an internal server in the DMZ or the network. The Firewall compares the HTTPS request to the HTTPS Inspection Rule Base. If the request does not match a rule, the packet is not inspected and the connection is allowed.
If the request matches an inspection rule, the Firewall uses the certificate for the internal server to create a HTTPS connection with the external client. The Security Gateway creates a new HTTPS connection with the internal server. Since the Firewall has a secure connection with the external client, it can decrypt the HTTPS traffic. The decrypted traffic is inspected according to the Firewall and other Rule Bases.
|
|
|
|
Connection is not inspected
|
|
|
|
|
|
|
No
|
|
|
HTTPS request
|
|
Firewall inspects request
|
|
Matches a rule?
|
Yes
|
Uses server certificate and connects to the client
|
|
|
|
|
|
|
|
|
|
Firewall inspects unencrypted connection
|
|
Decrypts the connection
|
|
Creates a new connection to server
|
Using the HTTPS Inspection Rule Base
The HTTPS Inspection Rule Base defines how the Firewall inspects HTTPS traffic. The HTTPS Inspection rules can use the Application Database objects to identify traffic for different websites and applications. For example, to protect the privacy of your users, you can use a rule to ignore HTTPS traffic to banks and financial institutions.
The HTTPS Inspection Rule Base is applied to all the Software Blades that have HTTPS Inspection enabled. Software Blades that can support HTTPS Inspection are:
- Application Control
- URL Filtering
- IPS
- DLP
- Anti-Virus
- Anti-Bot
HTTPS Inspection Rule Base in SmartDashboard
These are the fields that manage the rules for the HTTPS Inspection security policy.
Field
|
Description
|
No.
|
Rule number in the HTTPS Inspection Rule Base.
|
Name
|
Name that the system administrator gives this rule.
|
Source
|
Network object that defines where the traffic starts.
|
Destination
|
Network object that defines the destination of the traffic.
|
Services
|
Type of network service that is inspected or bypassed.
|
Site Category
|
Categories for applications or web sites that are inspected or bypassed.
|
Action
|
Action that is done when HTTPS traffic matches the rule. The traffic is inspected or ignored ().
|
Track
|
Tracking and logging action that is done when traffic matches the rule.
|
Install On
|
Network objects that will get the HTTPS Inspection rule. You can only select Security Gateways that have HTTPS Inspection enabled.
|
Certificate
|
The certificate that is used for this rule.
- Inbound HTTPS inspection - Select the certificate that the internal server uses.
- Outbound HTTPS inspection - Select the Outbound Certificate object that you are using for the computers in the network.
|
Comment
|
An optional field that lets you summarize the rule.
|
Configuring Security Gateways
This section gives an example of how to configure a Security Gateway to inspect outbound and inbound HTTPS traffic.
Workflow overview
- Enable HTTPS Inspection on the Security Gateway.
- Configure the Security Gateway to use the certificate.
- Outbound Inspection - Generate a new certificate for the Security Gateway.
- Inbound Inspection - Import the certificate for the internal server.
- Configure the HTTPS Inspection Rule Base.
- Install the policy.
Enabling HTTPS Inspection
To enable HTTPS Inspection:
- In SmartDashboard, double-click the Security Gateway.
The window opens.
- From the navigation tree, click .
- From , select .
Generating a New Certificate
The Firewall uses a certificate to inspect outbound HTTPS traffic. You can use SmartDashboard to generate a new certificate with a password for the private key. Make sure that you export and distribute the new certificate to the endpoint computers in the network. Computers that do not have the new certificate will show SSL error messages.
To generate a new certificate for outbound HTTPS Inspection:
- Double-click the Security Gateway.
The window opens.
- From the navigation tree, click .
- From , click .
- Enter the necessary information:
- - Enter the domain name of your organization.
- - Enter the password that is used to encrypt the private key of the CA certificate.
- - Retype the password.
- - Select the date range for which the CA certificate is valid.
- Click .
- Export and deploy the certificate to the endpoint computers.
Adding a Certificate
The Firewall uses the internal server certificate to inspect inbound HTTPS traffic to the internal server. Make sure that you have a copy of the internal server certificate and the private key password before you configure inbound HTTPS inspection. The file for the certificate must have a P12 extension.
To add a server certificate for inbound HTTPS inspection:
- Click the tab > .
- Click > .
The page opens.
- Click .
The window opens.
- Enter the .
- Click and select the certificate file.
- Enter the .
- Click .
Configuring HTTPS Inspection Rules
Create different HTTPS Inspection rules for outbound and inbound traffic. The outbound rules use the certificate that was generated for the Security Gateway. The inbound rules use a different certificate for each internal server. You can also create bypass rules for traffic that is sensitive and is not inspected. Make sure that the bypass rules are at the top of the HTTPS Inspection Rule Base.
Sample Inspection Rule Base
This table shows a sample HTTPS Inspection Rule Base for a typical policy. (The and columns are not shown. is set to and is set to .)
No
|
Name
|
Source
|
Destination
|
Services
|
Site Category
|
Action
|
Blade
|
Certificate
|
1
|
Financial sites
|
Any
|
Internet
|
HTTPS
HTTP_HTTPS_proxy
|
Financial Services
|
Bypass
|
Any
|
Outbound CA
|
2
|
Outbound traffic
|
Any
|
Internet
|
HTTPS
HTTP_HTTPS_proxy
|
Any
|
Inspect
|
Any
|
Outbound CA
|
3
|
Inbound traffic
|
Any
|
WebCalendar
Server
|
HTTPS
|
Any
|
Inspect
|
Any
|
WebCalendarServer CA
|
- - Does not inspect HTTPS traffic to websites that are defined in the Financial Services category. This rule uses the Outbound CA certificate.
- - Inspects HTTPS traffic to the Internet. This rule uses the Outbound CA certificate.
- - Inspects HTTPS traffic to the network object WebCalendarServer. This rule uses the WebCalendarServer certificate.
|
