Secure Configuration Verification

Use Case

Network and Firewall administrators can use different tools to control computers inside their organization. For example, they can disable dangerous components such as Java and ActiveX controls in browsers, install Anti-Virus (AV) software, and make sure it runs correctly.

For remote users who access the organization from outside the LAN, the administrator cannot enforce control of the computer with the same tools. For example, suppose a remote user has ActiveX enabled and connects to a website that contains a malicious ActiveX control, which infects the computer. When that user then connects to the organization's LAN, the LAN becomes vulnerable as well.

A properly configured Desktop Security Policy cannot protect against this type of attack, because the attack does not target a vulnerability in access control to the endpoint computer. Instead, it takes advantage of the vulnerable configuration of applications on the endpoint computer.

Introduction to Secure Configuration Verification (SCV)

Secure Configuration Verification (SCV) makes sure that remote access client computers are configured in accordance with the enterprise Security Policy. Use SCV to:

  • Get reports on the configuration of remote clients.

  • Make sure that clients comply with the organization's security policy.

  • Block connectivity from clients that do not comply.

SCV does not replace the Desktop Security Policy, but works with it.

SCV uses SCV checks, which are DLLs (plug-ins) on the client that are invoked and enforced according to the policy you configure on the Management Server. SCV checks include sets of conditions that define a securely configured client system. Checks can include, for example, the user's browser configuration, the version of the Anti-Virus software installed on the desktop computer, and the operation of the personal firewall policy. The remote access client performs these security checks at pre-defined intervals. Based on the results of the SCV checks, the Security Gateway decides whether to allow or block connections from the client to the LAN.

  • If the client passes all of the SCV checks, the client is compliant. The Security Gateway allows the connection.

  • If the client fails one of the SCV checks, it is not compliant. You can configure the Security Gateway to reject connections from non-compliant endpoint computers, or to accept such connections and create a log entry.

Check Point's SCV solution comes with many predefined SCV checks for the operating system and user's browser, and also allows OPSEC partners, such as Anti-Virus software manufacturers, to add SCV checks for their own products.

Introduction to the local.scv file

You configure an SCV policy in the local.scv file on the Management Server. The file path is $FWDIR/conf/local.scv. This section describes the format and syntax of the file.

SCV Configuration on the Management Server

SCV Configuration on the Endpoint Computer

  1. Optional - If you intend to use an OPSEC SCV third-party application, install the application on the client and enable the application's integration with SCV (see the application's documentation for information on how to do this).

  2. Start the client and connect to the Security Gateway to receive the SCV

Example of WindowsSecurityMonitor configuration

: SCVEpsNames (
    : (WindowsSecurityMonitor
        :type (plugin)
        :parameters (
            :VirusProtectionRequired (true)
            :VirusProtectionRequiredMismatchMessage ("Please see that your AntiVirus is updated and active")
            :VirusProtectionInstalledPrograms ("Trend Micro OfficeScan Antivirus;Kaspersky Anti-Virus")
            :VirusProtectionInstalledProgramsMismatchMessage ("Please see that your AntiVirus is Trend Micro or Kaspersky")
            :WindowsUpdateRequired (true)
            :WindowsUpdateRequiredMismatchMessage ("Please turn on Windows automatic Updates")
            :SpywareProtectionRequired (true)
            :SpywareProtectionRequiredMismatchMessage ("AntiMalware is not updated or active")
            :SpywareProtectionInstalledPrograms ("none")
            :SpywareProtectionInstalledProgramsMismatchMessage ("")
            :NetworkFirewallRequired (true)
            :NetworkFirewallRequiredMismatchMessage ("Please check that your network firewall is turned on")
            :NetworkFirewallInstalledPrograms ("Kaspersky Anti-Virus")
            :NetworkFirewallInstalledProgramsMismatchMessage ("Please check that Kaspersky Anti-Virus firewall is installed on your machine")
        )
    )
)

The "SCVNames" section

In this section the administrator specifies the names of the SCV checks and the tests each one performs. The general form of one SCV check subset of SCVNames is:

: (SCVCheckName1
    :type (plugin)
    :parameters (
        :Expression1 (value)
        :Expression2 (value)
        :begin_admin (admin)
        :send_log (alert)
        :mismatchmessage ("Failure Message")
        :end (admin)
    )
)

The subset begins with the name of the SCV check (SCVCheckName1), which identifies the set of tests. The name is defined by the SCV application and should be provided by the SCV manufacturer. The type (plugin) expression specifies that the tests are performed by an SCV DLL plug-in. The parameters subset is where the SCV rules and actions are defined. Both the type (plugin) expression and the parameters subset should always be specified when defining a subset of SCV checks (such as SCVCheckName1).

The "SCVPolicy" section

This section defines the names of the SCV checks that should be enforced (each name is one of the SCV check names specified in SCVNames). The section's general structure is:

:SCVPolicy (
    :(SCVCheckName1)
    :(SCVCheckName2)
)

SCVGlobalParams

This section includes global parameters for SCV.

:SCVGlobalParams (
    :disconnect_when_not_verified (false)
    :block_connections_on_unverified (false)
    :not_verified_script ("myscript.bat")
    :not_verified_script_run_show (true)
    :not_verified_script_run_admin (false)
    :not_verified_script_run_always (false)
    :allow_non_scv_clients (false)
)
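To sanity-check a local.scv before installing the policy, the following parser and linter covers the three sections described above: it parses the SCVNames, SCVPolicy and SCVGlobalParams blocks, confirms that every check subset carries type (plugin) and a parameters subset, confirms that every name listed in SCVPolicy is defined in SCVNames, and warns when block_connections_on_unverified is false, the setting under which non-compliant clients are accepted and only logged. This is an added example, not Check Point's code: the grammar it accepts is inferred from the fragments on this page, the check names HypotheticalCheck and AnotherHypotheticalCheck and the sample file are constructed, and the reading of the block_connections_on_unverified flag follows its name and the block-or-log behaviour described above rather than a documented definition.

```python
# Added example, not Check Point code: parse a local.scv file and lint it for the problems this page describes.
import re
from dataclasses import dataclass, field

# Tokens are a quoted string, one of ( ) :, or a bare word; whitespace is skipped.
_TOKEN = re.compile(r'\s+|"([^"]*)"|([():])|([^\s():"]+)')

def tokenize(text):
    return [("str", m[1]) if m[1] is not None else (m[2], m[2]) if m[2] else ("word", m[3])
            for m in _TOKEN.finditer(text) if m.lastindex]

@dataclass
class Node:
    """A parenthesised block: optional bare name (': (CheckName ...') plus ordered
    (key, value) items, where a value is a scalar string or a nested Node."""
    name: str = ""
    items: list = field(default_factory=list)

    def get(self, key):
        return next((v for k, v in self.items if k == key), None)

    def get_all(self, key):
        return [v for k, v in self.items if k == key]

    def block(self, key):  # nested block under key, or an empty Node if absent or scalar
        return v if isinstance(v := self.get(key), Node) else Node()

class ScvParser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None):
        k, v = self.peek()
        if k is None or (kind and k != kind):
            raise SyntaxError(f"expected {kind or 'a token'}, got {v!r}")
        self.i += 1
        return v

    def parse(self):
        # A whole file is wrapped as (SCVObject ...); a bare ':Section (...)' fragment also parses.
        root = self.parse_value() if self.peek()[0] == "(" else self.parse_entries(Node())
        if not isinstance(root, Node) or self.peek()[0] is not None:
            raise SyntaxError("malformed local.scv")
        return root

    def parse_entries(self, node):
        while self.peek()[0] == ":":
            self.take(":")
            key = self.take("word") if self.peek()[0] == "word" else ""  # ': (Name' has an empty key
            node.items.append((key, self.parse_value()))
        return node

    def parse_value(self):
        self.take("(")
        node, (kind, val) = Node(), self.peek()
        if kind in ("word", "str"):
            self.take()
            if self.peek()[0] == ")":  # (true) or ("message"): a scalar
                self.take(")")
                return val
            node.name = val  # (CheckName :type ...): a named block
        self.parse_entries(node)
        self.take(")")
        return node

def lint(root):
    """Findings for the rules the page states. Reading block_connections_on_unverified
    as 'block' versus 'accept and log' is an assumption based on the flag's name."""
    findings, defined = [], {c.name: c for c in root.block("SCVNames").get_all("") if isinstance(c, Node)}
    for name, check in defined.items():
        if check.get("type") != "plugin":
            findings.append(f"{name}: ':type (plugin)' is missing")
        if not isinstance(check.get("parameters"), Node):
            findings.append(f"{name}: ':parameters (...)' subset is missing")
    for ref in root.block("SCVPolicy").get_all(""):
        if not isinstance(ref, str) or ref not in defined:
            findings.append(f"SCVPolicy enforces {ref!r}, which is not defined in SCVNames")
    if root.block("SCVGlobalParams").get("block_connections_on_unverified") == "false":
        findings.append("block_connections_on_unverified is false: non-compliant clients are accepted and only logged")
    return findings

# Constructed sample: a good check, one missing its parameters subset, an undefined policy name, log-only mode.
SAMPLE_LOCAL_SCV = """(SCVObject
  :SCVNames (
    : (WindowsSecurityMonitor :type (plugin)
       :parameters (:VirusProtectionRequired (true)
                    :VirusProtectionRequiredMismatchMessage ("Please see that your AntiVirus is updated and active")))
    : (HypotheticalCheck :type (plugin))
  )
  :SCVPolicy (:(WindowsSecurityMonitor) :(AnotherHypotheticalCheck))
  :SCVGlobalParams (:block_connections_on_unverified (false) :allow_non_scv_clients (false))
)"""

if __name__ == "__main__":
    for finding in lint(ScvParser(SAMPLE_LOCAL_SCV).parse()):
        print("WARN:", finding)
```

Run it against a copy of $FWDIR/conf/local.scv with lint(ScvParser(open(path).read()).parse()). The sample produces three findings: the HypotheticalCheck subset has no parameters, SCVPolicy names a check that SCVNames never defines (the client would have nothing to enforce for it), and block_connections_on_unverified (false) means a failed check is logged rather than rejected, which is the setting to change if the intent is to block non-compliant clients.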