Large Scale Enterprise Environment

Security Challenge

In complex large-scale enterprise networks, you must control access from the local network to the Internet and to multiple Data Center resources. The Data Center contains sensitive corporate resources and information that must be securely protected from unauthorized access. Grant access only to policy-compliant users and computers. Protect your network and Data Center from malware, bots, and viruses.

Users in the internal networks access Internet resources and applications daily. Not all Internet applications and web sites are secure, and some are restricted by the corporate policy. If you block all internal access, it affects the productivity of employees who need that access for their daily work. You can control access to the allowed applications with the Application Control blade. If you require a granular Access Control Policy based on user and computer identity, use Access Roles with Application Control.

Configuration Scenario

  1. Configure a new Security Gateway, or use an existing one, at the perimeter and in front of the Data Center.

  2. Install the Security Gateway at the perimeter in routing mode, and use at least one external interface to the Internet and one to the internal network (make it an internal interface).

    Best Practice - We recommend that you configure the Security Gateway as an inline device in front of the Data Center in Bridge Mode to avoid network changes.

  3. Make sure that all Security Gateways in the Data Centers and at the perimeter can communicate directly with each other.

    Best Practice - We recommend that you manage all the Security Gateways from one Security Management Server and SmartConsole.

  4. Make sure that there is connectivity from each Security Gateway to the Active Directory internal domain controllers.

  5. Make sure that, with an "Any Any Any Accept" Policy installed, users from the LAN can connect to the applicable resources. This confirms basic connectivity before identity-based rules are added.

  6. Make sure there are no NAT or Proxy servers between the Security Gateway and your network. A NAT or Proxy hides the real source IP address, so the gateway cannot map the connection to a user identity.

    Best Practice - We recommend that you put your Proxy server in the DMZ network.

Configuration Procedure

  1. Enable Identity Awareness on the Security Gateway.

  2. Select the identity source method for each Security Gateway, at the perimeter and at the Data Center.

  3. Create Access Roles for users, and apply Access Roles to the applicable Firewall security rules.

  4. Add Access Roles to the Policy.

  5. On the Gateway Properties > Identity Awareness tab, select Share local identities with other gateways.

  6. Install the Policy on the perimeter Security Gateway.

Items in the deployment diagram (the figure itself is not included in this text):

Item  Description
1     Corporate data centers.
2     Identity Awareness Gateway that protects the data center.
3     Perimeter Identity Awareness Gateway. User IDs go to the gateways that protect the data centers.
4     Internal network resources.
5     LDAP server (for example, Active Directory).
6     Internet.

Best Practice:

To configure a specific list of Security Gateways that share identity information with each other:

  1. Open Gateway Properties > Identity Awareness.

  2. Select Get identities from other gateways.

  3. Select the Security Gateways that have the identities you want to get.
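The effect of the configuration procedure and of the identity-sharing best practice above can be seen in a small model. The following Python block is an added example written for this page; it is not Check Point code and does not use the Check Point management API. It models a perimeter gateway and a Data Center gateway, each with its own first-match rulebase, an Access Role that combines an Active Directory group, a source network and a compliance requirement, and the difference that "Share local identities with other gateways" / "Get identities from other gateways" makes for the Data Center gateway. All names (gateways, users, groups, machines, subnets, applications) are constructed.

```python
# Added example (not Check Point code): a toy model of identity-based access
# control on two gateways, with and without identity sharing.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    """What an identity source (e.g. AD logon events) reports for one IP."""
    user: str
    groups: FrozenSet[str]
    machine: str
    compliant: bool  # endpoint compliance state reported by the identity source


@dataclass
class AccessRole:
    """Access Role: user groups + source networks + optional compliance requirement."""
    name: str
    groups: FrozenSet[str] = frozenset()                # empty = any group
    networks: Tuple[ipaddress.IPv4Network, ...] = ()   # empty = any network
    require_compliant: bool = False

    def matches(self, ip: ipaddress.IPv4Address, ident: Optional[Identity]) -> bool:
        if self.networks and not any(ip in net for net in self.networks):
            return False
        if ident is None:          # this gateway knows no identity behind the IP
            return False
        if self.groups and not (self.groups & ident.groups):
            return False
        if self.require_compliant and not ident.compliant:
            return False
        return True


@dataclass
class Rule:
    name: str
    source: Optional[AccessRole]                  # None = Any
    destination: Optional[ipaddress.IPv4Network]  # None = Any
    applications: Optional[FrozenSet[str]]        # None = Any application
    action: str                                   # "Accept" or "Drop"


class Gateway:
    """Gateway with Identity Awareness: an IP -> identity table plus a rulebase."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        self.rules = rules
        self.identities: Dict[ipaddress.IPv4Address, Identity] = {}
        self.peers: List["Gateway"] = []

    def share_local_identities_with(self, peer: "Gateway") -> None:
        """'Share local identities' on this gateway, 'Get identities' on the peer."""
        self.peers.append(peer)

    def learn(self, ip: str, ident: Identity) -> None:
        addr = ipaddress.ip_address(ip)
        self.identities[addr] = ident
        for peer in self.peers:            # push the new identity to peers
            peer.identities[addr] = ident

    def evaluate(self, src_ip: str, dst_ip: str, app: str) -> Tuple[str, str]:
        """First-match rulebase lookup; returns (action, rule name)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        ident = self.identities.get(src)
        for rule in self.rules:
            if rule.source is not None and not rule.source.matches(src, ident):
                continue
            if rule.destination is not None and dst not in rule.destination:
                continue
            if rule.applications is not None and app not in rule.applications:
                continue
            return rule.action, rule.name
        return "Drop", "Implicit cleanup"


# Constructed topology, groups and applications.
LAN = ipaddress.ip_network("10.10.0.0/16")
DATA_CENTER = ipaddress.ip_network("10.200.0.0/16")
FINANCE_COMPLIANT = AccessRole("Finance_Compliant", frozenset({"Finance"}), (LAN,), True)
ALL_STAFF = AccessRole("All_Staff", frozenset({"Domain Users"}), (LAN,))

DC_RULES = [
    Rule("Finance to ERP", FINANCE_COMPLIANT, DATA_CENTER, frozenset({"erp"}), "Accept"),
    Rule("Cleanup", None, None, None, "Drop"),
]
PERIMETER_RULES = [
    Rule("Staff web access", ALL_STAFF, None, frozenset({"http", "https"}), "Accept"),
    Rule("Block restricted apps", None, None, frozenset({"social-media"}), "Drop"),
    Rule("Cleanup", None, None, None, "Drop"),
]


def build_scenario(share_identities: bool) -> Tuple[Gateway, Gateway]:
    """The perimeter gateway learns identities; the Data Center gateway only
    sees them when sharing is enabled."""
    perimeter = Gateway("perimeter-gw", PERIMETER_RULES)
    datacenter = Gateway("datacenter-gw", DC_RULES)
    if share_identities:
        perimeter.share_local_identities_with(datacenter)
    # Constructed logon events, visible only to the perimeter gateway's identity source.
    perimeter.learn("10.10.5.23", Identity("alice", frozenset({"Finance", "Domain Users"}), "WS-0123", True))
    perimeter.learn("10.10.5.77", Identity("bob", frozenset({"Finance", "Domain Users"}), "WS-0456", False))
    return perimeter, datacenter


if __name__ == "__main__":
    for share in (False, True):
        perimeter, datacenter = build_scenario(share)
        print(f"sharing={share}: alice->ERP {datacenter.evaluate('10.10.5.23', '10.200.1.10', 'erp')}, "
              f"bob->ERP {datacenter.evaluate('10.10.5.77', '10.200.1.10', 'erp')}")
    print("alice->social-media at perimeter:", perimeter.evaluate("10.10.5.23", "203.0.113.5", "social-media"))
```

Without sharing, the Data Center gateway has no identity for 10.10.5.23, so the Access Role cannot match and the connection falls to the cleanup rule even though the user is in the right group; with sharing, the same connection is accepted, while the non-compliant machine is still dropped. The same model shows why a NAT or Proxy between the gateway and the LAN breaks the mapping: the identity table is keyed by the source IP the gateway actually sees.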