Understanding Check Point FireWall Part 2

Captions
Shalom, and welcome everyone. I want to welcome you once again in joining me at Check Point Training Bytes. Check Point Training Bytes is where we're going to do advanced training on Check Point products and features. In this module we're going to discuss what the firewall is, and we'll talk about the different components that make up the firewall. So now, before we get started, let's take a few moments to discuss the agenda of this module. First, we're going to start this module by talking about our Check Point firewall software; specifically, we will discuss our firewall code and how it functions. Then we will discuss how the firewall code is installed in various operating system kernels and amongst the different hardware appliances, and here we will discuss how the firewall works in routing mode. Then we'll show you where in the kernel the firewall inspection engine is injected and where in between the OSI layers the packets are being processed. And then finally we'll tie all these concepts together and discuss how the Check Point packet filtering firewall works and how a packet is processed and matched according to the firewall's rule base.

This training module will continue with our firewall discussion, discussing the Check Point firewall. As you know, the company name is Check Point Software Technologies, and so we are a software company. Even though we make our own hardware, our software can run on multiple versions of operating systems and run on multiple third-party hardware. And so in this module I want to start off by talking about our firewall code, which is also called the inspection engine. Check Point's firewall is a software firewall code that can be installed on multiple operating systems. In the past this firewall code has run on multiple operating systems such as IBM and Sun Solaris and many other obsoleted operating systems of the past, but today we can install on multiple flavors of Windows operating systems, Red Hat Linux, and Crossbeam OS, and in addition the Check Point fully owned and developed operating systems. Check Point currently has three operating systems: two Linux-based and one UNIX-based. For Linux-based we have SPLAT and Gaia; for UNIX-based we have the IPSO operating system. But both the IPSO and SPLAT operating systems are end-of-life, and so in the future Check Point will only continue to support the Gaia flavor.

But regardless of which operating system you have, the point I'm trying to make is that you need to have some kind of operating system running on some hardware, and when you install the firewall code, the inspection engine will get installed into the kernel component of the operating system. So to help clarify this point, let me use three examples: first, you have Windows running on Dell hardware; second, you have the Red Hat operating system running on an IBM appliance; and third, you have Gaia running on Check Point's own 4000 appliances. So first you need to install the operating system on some kind of hardware, and on top of these operating systems you want to install the Check Point firewall code. During the installation process the firewall code, the inspection engine, gets installed into the kernel, into the operating system component of the kernel. This firewall code, this inspection engine, gets installed deep down into the operating system's kernel, and so it actually modifies how the Windows and Red Hat kernel operating systems behave and function. The firewall code will be injected into the kernel just above the NIC drivers and before the routing engine of the operating system's kernel. It's important to fully understand where the firewall code is running in the kernel: it is running between layer 2 and layer 3 of the protocol stack, and so no packets will get passed to the network layer on the firewall unless the firewall rule base accepts them first. Only then, after it has been inspected by the firewall kernel module, will the packet be forwarded to any higher layer, to be routed if need be, or to be processed by the firewall application layer if the packet was destined to the firewall application processes.

So let me explain this in another way. Before talking about the firewall, let's take a look at a packet as it's being processed by a router. Let's look at what happens to a whole packet from layer 1 to layer 7 as it's being processed by a router, and then afterwards we'll look at how a packet is being processed by the firewall. So here we have a router. Right under the firewall code, you see, our firewall under the hood is really a router, and so once you have properly configured a router, then you can install the Check Point firewall code. In fact, many times I will disable the firewall code so that the appliance will act just like a router, just to be sure and to confirm that the IP addresses and the interfaces are configured correctly and that I have properly configured the routes and that routing is working properly. Then and only then will I re-enable the firewall code. So first I just want to be clear that we have a full understanding of how a router works, just to be sure we have a full understanding of all the router's capabilities and features before we install the Check Point firewall code.

So here we have a router, and a packet is coming in on the wire towards the router. Layer 1 is the electronic bits pulsing on the wire, and so the router does not see this layer; these bits need to be assembled by the hardware NIC drivers into what we call the payload, and the payload contains the whole packet from layer 2 all the way up to layer 7. So the electronic signal is moved from the physical layer up to the data link layer, and the data link layer contains the layer 2 NIC drivers, which will need to process the bits into a frame. Then the data link layer will need to process the payload by reading the layer 2 frame header and trailer information, and so if the MAC address matches the router's MAC address, then the router will need to process the packet, but if the MAC address does not match the router's MAC address, then it will need to drop the packet, unless of course it's a broadcast MAC address, in which case all machines will need to process this packet. In our example the packet does match the router's MAC address, and so the router will need to process the packet. The router will need to decapsulate the packet, which means it strips out the layer 2 information and moves the packet up to the next layer, layer 3, which is the network layer. The network layer will need to process the layer 3 packet header information, and so if the destination IP address is not the router's IP address, then it will need to look in its routing table to see where to send the packet: does it send it to the next-hop router or to the default gateway? Well, that depends on what is found in the routing table. If it has a route, it will need to forward it to the next hop; if it does not have a route, then it will need to forward it to the default router, which is the path of last resort. So if it finds a route in the routing table, then the routing engine will forward the packet to the interface that leads to the next-hop router, and if it does not find a route in the routing table, then it needs to forward the packet to the default router.

The only other exception is if the destination IP address is the firewall's IP address. If the destination IP address is the firewall's IP address, then the network layer will need to decapsulate the packet and move it up to the next layer, which is the transport layer, layer 4, which will check the segment's header information to identify if it's a TCP or UDP protocol and also verify the port to identify what application to send the packet to. In our example let's say that the payload is a TCP packet which is destined for port 80, which is the router's HTTP web server process. The transport layer will again decapsulate the segment header and send the payload to the session layer, and then the session layer will again decapsulate the payload and send it next to the presentation layer, which will again decapsulate the presentation header, and finally it will send the payload to layer 7, which is the web server's application layer. Then the web server application will need to read the data contained in the final payload, and obviously the web server application will also need to process the data and possibly reply to the packet it received. So the reply will need to be re-encapsulated once again, and the packet is moved back down the OSI layers.

The web server's reply will need to be re-encapsulated back down the OSI layers: first the web server will send the reply packet to layer 7, which will add the application header, and then move the packet down to layer 6, the presentation layer, which will add the presentation header, and then the payload is moved down to layer 5, which will add the session header information, and then it's encapsulated again down to layer 4, which will add the transport header information like the source port and destination port information, thereby creating the TCP segment. Then the segment is encapsulated again down to layer 3 to create the packet's network layer information by adding the source and destination IP address, and so at this point it will need to check the routing table to see what interface to forward the packet through, and depending on the routes it will need to resolve the MAC address information in order to create a frame to be forwarded to the next hop. So before moving the packet down to layer 2 it will need to resolve the MAC address information for the frame: it either has the MAC address information in its ARP table, or if it does not, it must first send an ARP request for the next hop, and once it receives an ARP reply it will add the MAC address information into the layer 2 frame and then send it out the interface onto the wire as electronic bits. Then this packet is forwarded on its way to its final destination, and at each hop the router will decapsulate the packet up to the network layer and then re-encapsulate the packet down to the physical layer and forward the packet on its way. So up until now, what I just described is just basic TCP/IP routing class 101, and so there's really basically nothing new so far, and this decapsulating and re-encapsulating process is repeated on every router along the path until the packet reaches the final destination.

But now let's add the firewall code. Let's add the firewall code back into the kernel. As I mentioned, the firewall code sits in between layer 2 and layer 3: layer 2 is where we have the network device driver code, and layer 3 is where the routing engine sits. Now, the firewall code by default will drop all packets. It's the firewall's job to drop everything unless you specifically allow it in the rule base, and so if there is no rule allowing the traffic, the traffic will be dropped. Only if you allow the traffic in the rule base will the traffic be allowed through the firewall and then forwarded up to the layer 3 stack for routing.

So now let's take a look at a packet filtering firewall. First, let's take a look at the same packet as it's being processed by a packet filtering firewall. When a packet arrives on the wire it arrives in electronic bits, and these electronic bits are assembled into a frame at layer 2, the data link layer, and then the firewall matches the frame's MAC address with the firewall's MAC address, and if it matches then it moves the packet up to the next layer. But look at this: the firewall sits in between layer 2 and layer 3, so the router cannot route it or process it before it is allowed by the firewall rule base. So the first thing that the firewall does is look in the rule base to see if there's a rule that matches this traffic. If there is no rule to allow the traffic, then the firewall will drop the packet, because that's what the firewall does: the firewall must drop everything that's not explicitly allowed in the rule base. So let's assume in this case that the firewall does have a rule to allow this traffic, and so if there is a matching rule then the packet is accepted and it moves the packet up to the next layer, to layer 3, and then again layer 3 will need to route the packet or forward the packet up the OSI layers, whatever the case may be.

But note, and an important point that I need to stress, is that if the packet is decapsulated and moved up the OSI layers to the application layer, then the reply must come down again, and when we're moving the packet from the network layer down to the data link layer, it must again match the firewall's rule base to see if there is a rule allowing the reply. So there must be a rule in the rule base allowing the reply, with the source being the firewall and the destination being the original client's IP address. But in the other case, if the packet needs to be forwarded out another interface, then as mentioned before the firewall sits in between layer 2 and layer 3, and so it will again need to be processed by the firewall code on that outbound interface. So the firewall is always inspecting the packet twice: once on the inbound interface and again on the outbound interface. I know this seems extreme, but this is how the Check Point firewall inspection engine works. One other point that I want to stress is that this is the same firewall, this is the same firewall inspection engine, but it's inspecting on both interfaces: it's inspecting on the internal interface and it's also inspecting on the external interface, using the same policy, the same inspection engine. In Check Point's older days you could choose if you wanted the inspection to be done either on the inbound interface or on the outbound interface, or you could have it inspected on both interfaces. Just to clarify, this used to be an option in SmartDashboard, to inspect either on the internal interface or the external interface or both interfaces; that option no longer exists today, and so the request packet must be inspected twice, both inbound and outbound, and the reply must also be inspected twice, both inbound and also outbound back to the client.

So let me now take a moment to recap packet filtering inspection firewalls. There are two main points to remember. First, you need to have two rules: one rule is to allow traffic from the source to the destination, and the second rule must allow the traffic from the destination back to the original source. The second point is that the packet must be inspected twice, in both directions: first the request packet is inspected on the inbound, on the internal interface, and then an inspection is again done outbound on the external interface, and then the reply must also be inspected twice: first the reply is inspected inbound on the external interface and then again it's inspected outbound on the internal interface.

Then one final point that I need to mention. Now, I have been talking about the fact that you need to have a rule to match the packet in order for it to be accepted, but what exactly is being matched? What does matching the packet mean? When a client sends a packet to the server, it is going to encapsulate the packet through its own OSI layers, from the data all the way down to the electronic bits and signals, and so these bits on the physical wire contain all the information for the OSI payload, like the MAC address in the frame payload, the IP address of the packet payload, and also the ports in the segment payload. Since this packet is not destined for the firewall but is destined to a web server, the client will need to send it to its default gateway, and so the frame contains the MAC address of the firewall, which is the client's default gateway. Since the frame contains the firewall's MAC address, the firewall will need to pass it up to layer 3, but it cannot do that unless there is a rule that matches and accepts the packet. So first the firewall needs to read the packet's IP address, the layer 3 information of the packet, before it even sends it to its own OSI layer 3. It's viewing the packet's layer 3 header information, the source IP address and the destination IP address of the packet, and then it needs to compare it to a rule that it has in the firewall rule base with the same source IP address and the same destination IP address that matches this packet. But not only that: it also needs to read the layer 4 information; it needs to see the source port and destination port, and it needs to match a rule that also matches the destination port. So all three tuple items of information need to be matched: the source IP address, the destination IP address, and the destination port. But we don't need to match the source port, because the source port is ephemeral, which means it is dynamic and always changing. If all the three tuple items of information match a rule and the action is to accept the packet, then the packet is forwarded up to OSI layer 3, which then needs to route it, because the destination IP address is a remote server and not the firewall's IP address. Finally, the final point I want to make is, obviously, if the rule matches but the action is to drop, the firewall inspection engine will drop the packet and not forward the packet to the network layer. To repeat: if the action is to drop the packet, the packet is not forwarded up the OSI layers, but instead the inspection engine will drop the packet. I hope this helps clarify this firewall matching process.

So before ending the session, let's take a few moments to review the topics discussed in this module. First, we talked about Check Point being a software company: we make software that can run on many different kinds of operating systems and also on open platforms; open platforms are various supported third-party hardware. Then we talked about the Check Point firewall code, also called the inspection engine, and the inspection engine gets installed deep into the kernel and shims itself in between layer 2 and layer 3. Next we discussed that the firewall is basically a router that's running the firewall software and that nothing gets routed unless it's specifically allowed by the firewall's rule base. Finally, we talked about the first generation of firewall, the packet filtering firewall, and how a packet filtering firewall needs to have two rules: one rule to allow outbound traffic and a second rule to allow inbound traffic. We also discussed that a packet filtering firewall only checks the packet's layer 3 and lower header information and then compares it and matches it to a rule in the rule base, and we also mentioned that all traffic is dropped unless it's specifically allowed by the firewall's rule base. I hope you found this video informative. I hope to see you in the next video. Until then, Shalom and bye for now. We secure the future.
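As an added example (not code from the video or from Check Point), here is a small Python model of the packet filtering behaviour the transcript describes: first-match on the 3-tuple (source IP, destination IP, destination port) with the ephemeral source port ignored, implicit drop when no rule matches, a separate rule for the reply, and the same rule base applied once on the inbound and once on the outbound interface. The addresses, interface names and rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    sport: int  # source port (ephemeral on the client side)
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port; the source port is never matched
    action: str           # "accept" or "drop"


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first rule matching source IP, destination IP, protocol and
    destination port, or None when nothing matches (the implicit drop)."""
    for i, r in enumerate(rules):
        if (_addr_matches(r.src, pkt.src) and _addr_matches(r.dst, pkt.dst)
                and r.proto in ("any", pkt.proto) and r.dport in (None, pkt.dport)):
            return i
    return None


def inspect(rules: List[Rule], pkt: Packet) -> str:
    """One pass through the rule base; no matching rule means drop."""
    i = first_match(rules, pkt)
    return "drop" if i is None else rules[i].action


def traverse(rules: List[Rule], pkt: Packet, in_if: str, out_if: str) -> List[Tuple[str, str, str]]:
    """Inspect on the inbound interface and, only if accepted, again on the
    outbound interface with the same rule base, as the transcript describes."""
    trace = [(in_if, "inbound", inspect(rules, pkt))]
    if trace[-1][2] == "accept":
        trace.append((out_if, "outbound", inspect(rules, pkt)))
    return trace


def forwarded(trace: List[Tuple[str, str, str]]) -> bool:
    return all(verdict == "accept" for _, _, verdict in trace)


# Constructed rule base with hypothetical addresses: rule 0 allows the request,
# rule 1 allows the reply. Because the client's port is ephemeral, the reply rule
# cannot pin a destination port, which is why stateless filtering needs wide reply rules.
RULES = [
    Rule("10.1.1.0/24", "203.0.113.10/32", "tcp", 80, "accept"),
    Rule("203.0.113.10/32", "10.1.1.0/24", "tcp", None, "accept"),
]
REQUEST = Packet("10.1.1.5", "203.0.113.10", "tcp", 51514, 80)
REPLY = Packet("203.0.113.10", "10.1.1.5", "tcp", 80, 51514)
```

Running `traverse(RULES[:1], REPLY, "eth0", "eth1")` with only the request rule shows the reply being dropped on the inbound interface, which is the two-rule requirement from the recap.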
Info
Channel: Check Point Training Bytes
Views: 33,702
Keywords: ccsa, ccse, check point certified security administrator, check point certified security expert, packet filtering firewall, stateful packet inspection firewall, statefull filtering firewall, check point cyber secuity administrator, check point cyber security expert, application intelligence, application awareness, next generation firewall, history of firewall, evolution of firewall, application layer firewall
Id: Xhifzrk61jw
Length: 19min 54sec (1194 seconds)
Published: Fri Sep 01 2017