
StormCenter questions

Status
Not open for further replies.

wysiwyg21

MIS
Jul 26, 2001
13
US
I bought the Syngress book "Check Point NG/AI" but StormCenter is not mentioned at all. Pathetic.

If anyone knows where I can get details on StormCenter function and setup, please let me know. I do not have access to the Check Point Web site documentation.

Are the updates from StormCenter (block list) automatically distributed to enforcement modules, or do you have to re-install the policy(s)?

How do I see the updates that StormCenter has sent and are in effect?
 
If you read about the Storm Center you probably saw that it consists of two modes:

1) uploading your FW logs for analysis.
2) downloading a black-list containing hosts and network segments that your FW should block.

I assume that you refer to the second usage, so if you would like to review the downloaded black-list you should log in to the FW console in expert mode and use this command:

    dynamic_objects -o (object name) -l (list)

The dynamic object should be pre-defined (in the SmartDashboard) as part of the Storm Center configuration in your system.

CCSA CCSE Certified.
 
Thanks for the info. Can StormCenter automatically distribute the downloaded black-list to enforcement modules, or is it necessary to do a policy install?
 
I have sat my CCSA NG/AI and unfortunately failed due to my lack of knowledge on the Internet Storm Center (among other things).

I have endeavoured to find info on the Storm Center but it is always contradictory. Check Point says SmartDefense can automatically communicate with the Storm Center, and SANS says that you manually have to email them your logs. There is no help information on how to do this.

I do not know whether I am supposed to create a rule to allow SANS access to my logs, or to get the block list.

An in-depth answer would be most appreciated, or a link.
 
Hi,

Check Point SmartDefense integrates with the SANS DShield.org Storm Center in two ways:

• The DShield.org Storm Center produces a Block List report, which is a list of address ranges that are worth blocking. This Block List is frequently updated. The SmartDefense Storm Center Module retrieves and adds this list to the Security Policy in a way that makes every update immediately effective.

• You can decide to send logs to the Storm Center in order to help other organizations combat the threats that were directed at your own network. You can decide which logs to send by selecting the rules for which you want to send logs.

How the Block List is Received

The Security Administrator defines a Dynamic Object called CPDShield (the name is fixed) in the SmartDashboard, places it in a Rule that defines what to do with the communication from the addresses in the Dynamic Object (typically, the traffic will be dropped), and installs the Policy on the FireWall-1 Gateways. An agent (daemon) on each FireWall-1 Gateway on which the Storm Center Module is installed receives the Block List of malicious IP addresses from the Storm Center via HTTPS. Every refresh interval (the default is three hours), the agent takes the Block List and "populates" the Dynamic Object with the IP address ranges in the Block List. This process is logged in the SmartView Tracker.

How to Send Log Files

A log submitting agent (daemon) on the SmartCenter Server generates two kinds of logs. As well as regular logs, a compact log digest is created. The digest includes only the number of Drops and Rejects per port. The Storm Center tells the log submitting agent to send either regular logs, or digests, or both kinds of log. The log submitting agent sends to the Storm Center the logs chosen by the Security Administrator, of the type requested by the Storm Center. Log submission is done via HTTPS POST. The log submitting agent is an OPSEC compliant LEA client. The logs are compressed into a database.

What a Submitted Log Contains

The logs that are submitted to the Storm Center contain the following information:
• Connection parameters: Source IP Address, Destination IP Address, Source Port, Destination Port (that is, the Service), IP protocol (such as UDP, TCP or ICMP).
• Rule Base Parameters: Time, action.
• A detailed description of the log.
For HTTP Worm patterns, the log contains the same connection parameters, the same Rule Base parameters, and also the name of the attack and the detected URL pattern.

Removing Identifying Information from the Submitted Log

It is possible to delete identifying information from the destination IP address in the submitted log, by specifying a designated number of bits to mask. The destination IP addresses identify your organization's IP addresses because the logs are typically collected from attacks that come from outside the organization and are directed towards internal IP addresses.
The mask can be used to delete as many bits as desired from the internal IP addresses. A zero bit mask obscures the whole of the IP address. A 32 bit mask reveals the whole of the internal IP address. An 8 bit mask reveals 8 valid bits, and converts an IP address such as 192.168.46.88 to 0.0.0.88.

The Block List and the submitted logs are securely transferred and authenticated via SSL. The certificate of the Storm Center Certificate Authority comes with the Storm Center Module, and is stored locally. The locally stored certificate is used for two purposes:
1. To check the authenticity of the origin of the received Block List, by verifying the validity of the certificate received with the Block List.
2. To establish an SSL connection with the Storm Center when submitting logs, while assuring that the logs are indeed sent to the Storm Center and to no one else.

The Certificate Authority of SANS DShield.org is Equifax. The file name of the locally stored certificate is equifax.cer, and it is stored in the conf directory of the Storm Center Module installation.
To send logs to DShield.org, you must register with them. DShield.org authenticates the submitters of logs with a username and password that submitters obtain when registering.

Size of Logs and Effect on FireWall-1 Performance

Receiving the Block List has no effect on FireWall-1 performance because only a very small amount of data is received.
The submitted log is only a small subset of the full SmartDefense log, and is compressed. The size of the log depends on the log interval and the maximum size of the log database. As a rough guide, 10,000 lines of logs take up 200 KB.

Planning Considerations

Where to Place the Block List Rule
Correct placement of the Block List Rule is crucial for effective operation of the Storm Center Module. Place the Block List rule as high as possible in the Security Rule Base, but below all authentication rules and any other rules you are absolutely certain have a reputable Source. If the Rule is placed too low it will have limited effect. If it is placed too high, valid users may be blocked.

Which Logs to Send to the Storm Center
Storm Centers have a special interest in receiving logging information about:
1. Unwanted port 80 traffic reaching the organization.
2. The Drop All rule (the last Rule in the Rule Base, that drops any traffic not explicitly allowed in previous rules).
3. The Rule containing the Dynamic Object, which drops all traffic from any location in the Block List.
4. HTTP Worms, caught by the SmartDefense General HTTP Worm Catcher.

Which Logs NOT to Send to the Storm Center
Do not send logs from rules that log internal traffic.

Which Identifying Information to Remove from Submitted Logs
Decide on what part of your organization's IP addresses to block from the submitted logs. If all your internal addresses are private, non-routable addresses, you may not feel it is necessary to mask the addresses. On the other hand, even non-routable addresses can reveal information about your internal network topology.
 
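The following is an added example, not code from any post in this thread and not Check Point's own implementation. It models three of the mechanisms described in the post above so you can see the data flow offline: populating a CPDShield-style dynamic object from Block List address ranges and checking sources against it, masking the destination address by a chosen number of bits (the convention assumed here is "keep the low-order N bits", which matches the post's 192.168.46.88 -> 0.0.0.88 example for 8 bits), and building the per-port Drop/Reject digest from a regular log. The Block List ranges and the log records are constructed sample data; the field names (src, dst, dport, action, rule) are this example's own, not Check Point's log schema.

```python
"""Added example modelling the Storm Center Module's handling of the Block List
and submitted logs.  Not Check Point code; all addresses and records are constructed."""
import ipaddress
from collections import Counter

# Constructed Block List: (first, last) address pairs as a downloaded report might list them.
BLOCK_LIST = [
    ("203.0.113.0", "203.0.113.255"),
    ("198.51.100.16", "198.51.100.31"),
]

# Constructed log records carrying the fields the post says a submitted log contains.
LOG = [
    {"time": "2001-07-26 10:00:01", "src": "203.0.113.45", "dst": "192.168.46.88",
     "sport": 51234, "dport": 80, "proto": "tcp", "action": "drop", "rule": "block_list"},
    {"time": "2001-07-26 10:00:07", "src": "198.51.100.200", "dst": "192.168.46.10",
     "sport": 40001, "dport": 445, "proto": "tcp", "action": "drop", "rule": "cleanup"},
    {"time": "2001-07-26 10:00:09", "src": "198.51.100.77", "dst": "192.168.46.10",
     "sport": 40002, "dport": 445, "proto": "tcp", "action": "reject", "rule": "cleanup"},
    {"time": "2001-07-26 10:00:12", "src": "192.168.46.5", "dst": "192.168.46.10",
     "sport": 3000, "dport": 445, "proto": "tcp", "action": "accept", "rule": "internal"},
    {"time": "2001-07-26 10:00:15", "src": "203.0.113.9", "dst": "192.168.46.88",
     "sport": 52000, "dport": 80, "proto": "tcp", "action": "drop", "rule": "block_list"},
]


def populate_dynamic_object(ranges):
    """Convert (first, last) address ranges into the CIDR networks a dynamic object would hold."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def is_blocked(src, nets):
    """True if the source address falls inside any range populated into the dynamic object."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def mask_destination(ip, reveal_bits):
    """Keep only the low-order reveal_bits of an IPv4 address and zero the rest.
    0 -> 0.0.0.0 (fully obscured), 32 -> unchanged, 8 -> 192.168.46.88 becomes 0.0.0.88.
    Assumed convention: the post's example keeps the last octet, so low-order bits are kept."""
    if not 0 <= reveal_bits <= 32:
        raise ValueError("reveal_bits must be between 0 and 32")
    value = int(ipaddress.IPv4Address(ip))
    keep = (1 << reveal_bits) - 1
    return str(ipaddress.IPv4Address(value & keep))


def submission_records(log, rules_to_send, reveal_bits):
    """Regular-log submission: only records from the selected rules, with the
    destination (the organization's own address) masked before it leaves the site."""
    out = []
    for rec in log:
        if rec["rule"] not in rules_to_send:
            continue  # e.g. rules that log internal traffic are never sent
        masked = dict(rec)
        masked["dst"] = mask_destination(rec["dst"], reveal_bits)
        out.append(masked)
    return out


def digest(log):
    """Compact digest: number of Drops and Rejects per destination port, nothing else."""
    counts = Counter()
    for rec in log:
        if rec["action"] in ("drop", "reject"):
            counts[(rec["dport"], rec["action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    nets = populate_dynamic_object(BLOCK_LIST)
    print("dynamic object contents:", [str(n) for n in nets])
    for rec in LOG:
        print(rec["src"], "in block list" if is_blocked(rec["src"], nets) else "not in list")
    for row in submission_records(LOG, {"block_list", "cleanup"}, 8):
        print(row)
    print("digest:", digest(LOG))
```

The `internal` rule's record is deliberately excluded from the submission, and the cleanup-rule sources are chosen outside the Block List ranges so that the ordering the post recommends (Block List rule high in the base, cleanup rule last) is reflected in which rule each record hits.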
Thank you, Chris for taking the time to write out this detailed information on Storm Center and how it operates.

And...here's your star.

Nice work!

Danny
 