CHECKPOINT ADVANCED FIREWALL #1 – INFRASTRUCTURE, KERNEL & PROCESSES


A Quick Recap

CheckPoint security revolves around 3 key components
  • GUI Clients – This is mainly SmartConsole and the applications it contains, such as Update, Tracker and Dashboard. Release candidates for these are a separate track from the main product suite, and HFAs for this set are independent of the main software release. They are effectively the configuration interface and the point of interaction between the user and the SMS, Gateways and Reporting.
  • Security Management – Responsible for all management of the CheckPoint system. It works through User-Mode processes (explained later) in order to configure all product suites and relies on the following (most significant) processes:
    • FWM
    • FWD
    • CPD
    • FWSSD
    • CPWD
  • Gateway – The gateway is the device that enforces your security policy. It is really just a computer running software, including a normal OS (IPSO, SPLAT, GAIA etc.), and as such is technically vulnerable. To get around this the firewall runs in the Kernel of the system, separating the hardware from the OS and protecting itself. The processes listed above run as User-Mode processes in the OS. Traffic flow is therefore NIC -> Kernel -> OS (including IP stack) -> User-Mode features.

User and Kernel Mode Processes

So what’s the difference between the two? The Kernel is in effect the binder between the hardware and the software in the traffic flow. It intercepts all traffic and provides the interaction between the Modules and Drivers. Modules here (in the Firewall-1 Kernel) would include processes for NAT, Security Enforcement, Encryption and Decryption; pretty much the things we think of as making it a firewall. Every bit of data (or packet) that arrives at the firewall hits the Kernel and is inspected. The inspection decides what happens to it, whether it is dropped, forwarded or has some other operation applied, such as crypto functions.
On top of this (almost literally!) resides User-Mode. These processes allow the Gateway to utilise functions of the underlying operating system in a protected environment. Examples are the processes listed earlier, such as FWM and FWD.
Communication from the Kernel to User-Mode is handled using traps (think SNMP), and from User-Mode to the Kernel using ioctl, allowing the entity to call a function in the Kernel and write to it.
This segregation is necessary, and understanding it allows you to debug effectively. For example, if your log server is no longer receiving logs, why? The Security Policy (in the Kernel) looks fine and you have enough disk space. Start debugging the right User-Mode process, in this case FWD, and it will usually direct you where to look. This can save a lot of time.

By Process of Elimination

The core process we find on every CheckPoint product is CPD. This is the lifeblood of the device and handles many things. The primary features we may see it handling are:
  • SIC
  • Status (AMON status pulled from GW/SMS and sent to SmartEvent)
  • Message handling between Firewall-1 processes
  • Policy installation on Gateways
I suppose you could think of it as a conductor: it calls and controls how other parts of the system interact.
FWM is a management process that exists on all management products, such as the SMS. Some of its functions are:
  • Talking between the GUI and SMS (SmartConsole)
  • Database editing: adding objects, users, rules etc.
  • Security Policy Compilation
  • Log display
  • Management HA Sync between SMSs
Logging to internal and external servers, including the management server, is handled by FWD (TCP/257). It also handles calling some child processes, such as VPND, and interacts with policy installation. FW commands in the shell, such as fw ctl chain, are also handled here.
FWSSD is spawned by FWD as a child process and runs the Security Servers. Multiple instances run, one for each service, labelled in.xxx or out.xxx where xxx is the service (such as DLP or SMTP). Some examples are:
  • in.asmtpd = SMTP Security Server
  • in.ahttpd = HTTP Security Server
  • in.emaild.smtp
  • in.emaild.pop3
You can view these by entering Expert mode and running:
cat $FWDIR/conf/fwauthd.conf
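To tie the debugging approach from the User-Mode section to the processes above, here is an added triage helper (my own example, not Check Point tooling). It parses the text of cpwd_admin list to flag watched processes that are not executing or that CPWD has had to restart, then checks netstat -an output for the FWD log session on TCP/257; the sample outputs are constructed to resemble the real column layout, and the PIDs, addresses and timestamps are made up.

```shell
#!/bin/sh
# Added triage helper (not Check Point's own tooling). It reads the text of
# 'cpwd_admin list' and flags watched user-mode processes (CPD, FWD, FWM...)
# that are not executing (STAT != E) or that CPWD has restarted (#START > 1),
# then checks 'netstat -an' output for the FWD log session on TCP/257.
# The sample outputs below are CONSTRUCTED to resemble the real column layout;
# the PIDs, addresses and timestamps are made up.

check_cpwd_list() {
    # $1: full text of 'cpwd_admin list'. Prints one line per problem process
    # and returns 1 if any were found, 0 if every process is healthy.
    problems=0
    while read -r app pid stat starts rest; do
        case "$app" in
            APP|"") continue ;;   # skip the header and blank lines
        esac
        if [ "$stat" != "E" ]; then
            echo "$app (pid $pid): not executing, STAT=$stat"
            problems=1
        elif [ "$starts" -gt 1 ]; then
            echo "$app (pid $pid): restarted by CPWD, #START=$starts"
            problems=1
        fi
    done <<EOF
$1
EOF
    return $problems
}

check_log_session() {
    # $1: text of 'netstat -an'. Returns 0 when an ESTABLISHED TCP session
    # to a log server on port 257 exists (field 5 = foreign address, 6 = state).
    printf '%s\n' "$1" |
        awk '$6 == "ESTABLISHED" && $5 ~ /:257$/ { found = 1 } END { exit !found }'
}

SAMPLE_WD='APP        PID    STAT  #START  START_TIME             MON  COMMAND
CPD        12345  E     1       [10:00:00] 1/1/2024     Y    cpd
FWD        12346  E     3       [10:20:10] 1/1/2024     N    fwd
FWM        12347  T     1       [10:00:02] 1/1/2024     N    fwm'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:49152        192.0.2.20:257          ESTABLISHED
tcp        0      0 0.0.0.0:18191           0.0.0.0:*               LISTEN'

if check_cpwd_list "$SAMPLE_WD"; then echo "all watched processes healthy"; fi
if check_log_session "$SAMPLE_NETSTAT"; then echo "log session on TCP/257 established"
else echo "no log session on TCP/257: start with FWD"; fi
```

On a real gateway or SMS, feed the live output instead of the samples, e.g. check_cpwd_list "$(cpwd_admin list)" from Expert mode.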

Comments

  1. Very informative blog! Blessed to see it, it is about my field. Great learning about networking. I have learned a lot of new things from it, appreciated! Keep it up.

  2. Sir, please create a troubleshooting video with all commands used and step-by-step.

