Creating a Basic Access Control Policy

A Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. controls access to computers, clients, servers, and applications using a set of rules that make up an Access Control Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase.. You need to configure a RuleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. Base with secure Access Control and optimized network performance.

A strong Access Control Rule Base:

  • Allows only authorized connections and prevents vulnerabilities in a network.

  • Gives authorized users access to the correct internal resources.

  • Efficiently inspects connections.

Basic Rules

Best Practice - These are basic Access Control rules we recommend for all Rule Bases:

  • Stealth rule that prevents direct access to the Security Gateway

  • Cleanup rule that drops all traffic that is not matched by the earlier rules in the policy

Use Case - Basic Access Control

This use case shows a Rule Base for a simple Access Control security policyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection.. (The Hits, VPN and Content columns are not shown.)

No

Name

Source

Destination

Services & Applications

Action

Track

Install On

1

Admin Access to Security Gateways

Admins (Access Role)

Group of Security Gateways

Any

Accept

Log

Policy Targets

2

Stealth

Any

Group of Security Gateways

Any

Drop

Alert

Policy Targets

3

Critical subnet

Internal

Finance
HR
R&D

Any

Accept

Log

CorpGW

4

Tech support

TechSupport

Remote1-web

HTTP

Accept

Alert

Remote1GW

5

DNS server

Any

DNS

Domain UDP

Accept

None

Policy Targets

6

Mail and Web servers

Any

DMZ

HTTP
HTTPS
SMTP

Accept

Log

Policy Targets

7

SMTP

Mail

NOT Internal
net group

SMTP

Accept

Log

Policy Targets

8

DMZ & Internet

IntGroup

Any

Any

Accept

Log

Policy Targets

9

Cleanup rule

Any

Any

Any

Drop

Log

Policy Targets

Explanations for rules:

Rule

Explanation

1

Admin Access to Gateways - SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. administrators are allowed to connect to the Security Gateways.

2

Stealth - All internal traffic that is NOT from the SmartConsole administrators to one of the Security Gateways is dropped. When a connection matches the Stealth rule, an alert window opens in SmartView Monitor.

3

Critical subnet - Traffic from the internal network to the specified resources is logged. This rule defines three subnets as critical resources: Finance, HR, and R&D.

4

Tech support - Allows the Technical Support server to access the Remote-1 web server which is behind the Remote-1 Security Gateway. Only HTTP traffic is allowed. When a packet matches the Tech support rule, the Alert action is done.

5

DNS server - Allows UDP traffic to the external DNS server. This traffic is not logged.

6

Mail and Web servers - Allows incoming traffic to the mail and web servers that are located in the DMZ. HTTP, HTTPS, and SMTP traffic is allowed.

7

SMTP - Allows outgoing SMTP connections to the mail server. Does not allow SMTP connections to the internal network, to protect against a compromised mail server.

8

DMZ and Internet - Allows traffic from the internal network to the DMZ and Internet.

9

Cleanup rule - Drops all traffic that does not match one of the earlier rules.

Use Case - Inline Layer for Each Department

This use case shows a basic Access Control Policy with a sub-policy for each department. The rules for each department are in an Inline LayerClosed Set of rules used in another rule in Security Policy.. An Inline Layer is independent of the rest of the Rule Base. You can delegate ownership of different Layers to different administrators.

No

Name

Source

Destination

Services & Applications

Content

Action

Track

1

Critical subnet

Internal

Finance

HR

Any

Any

Accept

Log

2

SMTP

Mail

NOT internal network (Group)

smtp

Any

Accept

Log

3

R&D department

R&D Roles

Any

Any

Any

TechSupport Layer

N/A

3.1

R&D servers

Any

R&D servers (Group)

QA network

Any

Any

Accept

 

Log

3.2

R&D source control

InternalZone

Source control servers (Group)

ssh

http

https

Any

Accept

Log

---

---

---

---

---

---

---

---

3.X

Cleanup rule

Any

Any

Any

Any

Drop

Log

4

QA department

QA network

Any

Any

Any

QA Layer

N/A

4.1

Allow access to R&D servers

Any

R&D Servers (Group)

Web Services

Any

Accept

Log

---

---

---

---

---

---

---

---

4.Y

Cleanup rule

Any

Any

Any

Any

Drop

Log

5

Allow all users to access employee portal

Any

Employee portal

Web Services

Any

Accept

None

---

---

---

---

---

---

---

---

9

Cleanup rule

Any

Any

Any

Any

Drop

Log

Explanations for rules:

Rules

Explanation

1

2

General rules for the whole organization.

3

3.1
3.2
---
3.X

An Inline Layer for the R&D department.

Rule 3 is the parent rules of the Inline Layer. The Action is the name of the Inline Layer.

If a packet does not match on parent rule 3:

Matching continues to the next rule outside the Inline Layer (rule 4).

If a packet matches on parent rule 3:

Matching continues to 3.1, first rule inside the Inline Layer. If a packet matches on this rule, the rule action is done on the packet.

If a packet does not match on rule 3.1, continue to the next rule inside the Inline Layer, rule 3.2. If there is no match, continue to the remaining rules in the Inline Layer. --- means one or more rules.

The packet is matched only inside the inline layer. It never leaves the inline layer, because the inline layer has an implicit cleanup rule. It is not matched on rules 4, 5 and the other rules in the Ordered Layer.

Rule 3.X is a cleanup rule. It drops all traffic that does not match one of the earlier rules in the Inline Layer. This is a default explicit rule. You can change or delete it.

Best Practice - Have an explicit cleanup rule as the last rule in each Inline Layer and Ordered Layer.

4

4.1

---
4.Y

Another Inline Layer, for the QA department.

5

More general rules for the whole organization.

--

One or more rules.

9

Cleanup rule - Drop all traffic that does not match one of the earlier rules in the Ordered Layer. This is a default explicit rule. You can change or delete it.

Best Practice - Have an explicit cleanup rule as the last rule in each Inline Layer and Ordered Layer.