Creating a Basic Access Control Policy
A Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. controls access to computers, clients, servers, and applications using a set of rules that make up an Access Control Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. You need to configure a Rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base with secure Access Control and optimized network performance.
A strong Access Control Rule Base:
-
Allows only authorized connections and prevents vulnerabilities in a network.
-
Gives authorized users access to the correct internal resources.
-
Efficiently inspects connections.
Basic Rules
|
Best Practice - These are basic Access Control rules we recommend for all Rule Bases:
|
Use Case - Basic Access Control
This use case shows a Rule Base for a simple Access Control security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.. (The Hits, VPN and Content columns are not shown.)
Explanations for rules:
Rule |
Explanation |
---|---|
1 |
Admin Access to Gateways - SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. administrators are allowed to connect to the Security Gateways. |
2 |
Stealth - All internal traffic that is NOT from the SmartConsole administrators to one of the Security Gateways is dropped. When a connection matches the Stealth rule, an alert window opens in SmartView Monitor. |
3 |
Critical subnet - Traffic from the internal network to the specified resources is logged. This rule defines three subnets as critical resources: Finance, HR, and R&D. |
4 |
Tech support - Allows the Technical Support server to access the Remote-1 web server which is behind the Remote-1 Security Gateway. Only HTTP traffic is allowed. When a packet matches the Tech support rule, the Alert action is done. |
5 |
DNS server - Allows UDP traffic to the external DNS server. This traffic is not logged. |
6 |
Mail and Web servers - Allows incoming traffic to the mail and web servers that are located in the DMZ. HTTP, HTTPS, and SMTP traffic is allowed. |
7 |
SMTP - Allows outgoing SMTP connections to the mail server. Does not allow SMTP connections to the internal network, to protect against a compromised mail server. |
8 |
DMZ and Internet - Allows traffic from the internal network to the DMZ and Internet. |
9 |
Cleanup rule - Drops all traffic that does not match one of the earlier rules. |
Use Case -
for Each DepartmentThis use case shows a basic Access Control Policy with a sub-policy for each department. The rules for each department are in an . An is independent of the rest of the Rule Base. You can delegate ownership of different Layers to different administrators.
Explanations for rules:
Rules |
Explanation |
---|---|
1 2 |
General rules for the whole organization. |
3 3.1 |
An for the R&D department.Rule 3 is the parent rules of the Action is the name of the . . TheIf a packet does not match on parent rule 3: Matching continues to the next rule outside the (rule 4).If a packet matches on parent rule 3: Matching continues to 3.1, first rule inside the . If a packet matches on this rule, the rule action is done on the packet.If a packet does not match on rule 3.1, continue to the next rule inside the , rule 3.2. If there is no match, continue to the remaining rules in the . --- means one or more rules.The packet is matched only inside the inline layer. It never leaves the inline layer, because the inline layer has an implicit cleanup rule. It is not matched on rules 4, 5 and the other rules in the Ordered Layer. Rule 3.X is a cleanup rule. It drops all traffic that does not match one of the earlier rules in the . This is a default explicit rule. You can change or delete it. Best Practice - Have an explicit cleanup rule as the last rule in each Layer. and Ordered |
4 4.1 --- |
Another , for the QA department. |
5 |
More general rules for the whole organization. |
-- |
One or more rules. |
9 |
Cleanup rule - Drop all traffic that does not match one of the earlier rules in the Ordered Layer. This is a default explicit rule. You can change or delete it. Best Practice - Have an explicit cleanup rule as the last rule in each Layer. and Ordered |