Network Segregation
Security Challenge
Networks consist of different network segments and subnets where your internal users reside. Users that connect to the network can potentially spread viruses and malware across the network, infecting other computers and servers. Your purpose:
- Make sure that only compliant users and computers pass and connect across multiple network segments.
- Authenticate users who connect to the servers and to the Internet.
Best Practice - We recommend that you configure Security Gateway
- Access between the segments is controlled by the Security Gateway.
- Access between the LAN and the Data Center is controlled by the Security Gateway.
- Access between the LAN and the Internet is controlled by the Security Gateway, either at each segment or at the perimeter Security Gateway.
Best Practice - We recommend that you configure the Security Gateway in Bridge Mode
- Each Security Gateway of a particular segment authenticates users with the selected method.
Configuration
- Configure the Security Gateway in each segment in Bridge Mode.
- Make sure that there is no proxy or NAT device between the Security Gateway and the LAN.
- Make sure that the Security Gateway can communicate with the Active Directory domain controller configured in each segment (replicated domain controllers). If there is a general domain controller that serves all users across the segments, make sure that every Security Gateway can connect to this domain controller.
- Enable Identity Awareness (the Check Point Software Blade that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer; acronym IDA) on each Security Gateway and select an appropriate identity source method.
- In the Identity Awareness tab, clear the Share local identities with other gateways option. If you want to share identities with one Security Gateway, for example the perimeter Security Gateway, keep this option selected and disable Get identities from other gateways on the segment Security Gateway. Then go to the perimeter Security Gateway and select Get identities from other gateways.
- If you want to use Identity Agents, configure the DNS name or IP address of the particular segment's Security Gateway in the Identity Agent's Security Gateway settings for each access segment.
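As an added example (not Check Point's own code or configuration), this Python checker encodes the identity-sharing rule from the Configuration steps above: segment gateways either keep identities local, or share them only towards one perimeter Security Gateway that has Get identities from other gateways selected, while segment gateways themselves never pull identities from peers. The gateway names, the GatewayIDA field names and the sample settings are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class GatewayIDA:
    """Identity Awareness settings of one Security Gateway (field names are constructed)."""
    name: str
    role: str              # "segment" or "perimeter"
    identity_source: str   # selected identity source method, "" if none
    share_local: bool      # "Share local identities with other gateways"
    get_from_others: bool  # "Get identities from other gateways"


def lint_identity_sharing(gateways):
    """Return findings for settings that deviate from the segmented layout; [] means clean."""
    findings = []
    segments = [g for g in gateways if g.role == "segment"]
    perimeters = [g for g in gateways if g.role == "perimeter"]
    sharing = [g for g in segments if g.share_local]
    for g in segments:
        if not g.identity_source:
            findings.append(f"{g.name}: no identity source method selected")
        if g.get_from_others:
            # A segment gateway authenticates its own users; it must not pull identities from peers.
            findings.append(f"{g.name}: segment gateway must not 'Get identities from other gateways'")
    if sharing:
        # Sharing is only meaningful if exactly one perimeter gateway consumes the identities.
        if len(perimeters) != 1:
            findings.append("identities are shared but there is not exactly one perimeter gateway")
        elif not perimeters[0].get_from_others:
            names = ", ".join(g.name for g in sharing)
            findings.append(f"{perimeters[0].name}: must select 'Get identities from other gateways' because {names} share local identities")
    return findings


# Constructed sample: two segment gateways share identities with one perimeter gateway.
RECOMMENDED = [
    GatewayIDA("gw-seg-a", "segment", "AD Query", share_local=True, get_from_others=False),
    GatewayIDA("gw-seg-b", "segment", "Identity Agents", share_local=True, get_from_others=False),
    GatewayIDA("gw-perimeter", "perimeter", "AD Query", share_local=False, get_from_others=True),
]
# Same topology with two slips: gw-seg-b pulls identities from peers and the perimeter never consumes them.
MISCONFIGURED = [
    GatewayIDA("gw-seg-a", "segment", "AD Query", share_local=True, get_from_others=False),
    GatewayIDA("gw-seg-b", "segment", "Identity Agents", share_local=True, get_from_others=True),
    GatewayIDA("gw-perimeter", "perimeter", "AD Query", share_local=False, get_from_others=False),
]

if __name__ == "__main__":
    for label, cfg in (("recommended", RECOMMENDED), ("misconfigured", MISCONFIGURED)):
        print(label, lint_identity_sharing(cfg) or "OK")
```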