Configuration guideline for Check Point Gaia - Mitigate Instant Security Check Tests
High Level Test Overview - Matching Features
High Level View of Licensing and Required Features for Mitigation:
Browser Security - Local Browser Configuration - https://support.google.com/chrome/answer/95472?co=GENIE.Platform%3DDesktop&hl=en
Network Access Protection - NGFW
Block access to adult website - URL Filtering
Block websites in embargoed countries - Geo IP
Block access to anonymizing websites - URL Filtering
Cross-Site Scripting Scanning Attempt via http, get - IPS
Cross-Site Scripting Scanning Attempt via https, get - IPS
JS Cryptojacking via http, get - IPS
JS Cryptojacking via https, get - IPS
SQL Injection in GET request via http - IPS
SQL Injection in GET request via https - IPS
Data Encryption - Local Browser Configuration and HTTPS Inspection
Certificate Validation
Broken Cryptography
Domain Security Policies
SSL Inspection
Online Privacy - Local Browser Configuration - Do Not Track option - https://support.google.com/chrome/answer/114836?co=GENIE.Platform%3DDesktop&hl=en
Malware Protection - NGTP
Download EICAR file via http - Anti-Virus
Download EICAR file via https - Anti-Virus + SSLi
Download EICAR text file via http - Anti-Virus
Download EICAR text file via https - Anti-Virus + SSLi
Download EICAR text file inside zip via http - Anti-Virus
Download EICAR text file inside zip via https - Anti-Virus + SSLi
Download EICAR file zipped 2 times via http - Anti-Virus
Download EICAR file zipped 2 times via https - Anti-Virus + SSLi
Download EICAR file zipped 5 times via http - Anti-Virus
Download EICAR file zipped 5 times via https - Anti-Virus + SSLi
Download EICAR file zipped with '123456' password via http - Anti-Virus
Download EICAR file zipped with '123456' password via https - Anti-Virus + SSLi
Download EICAR file zipped with 'password' password via http - Anti-Virus
Download EICAR file zipped with 'password' password via https - Anti-Virus + SSLi
Data Protection - DLP
SSN codes leak via https - DLP + SSLi
SSN codes leak via http - DLP
Local Country SSN code leak via https - DLP + SSLi
Local Country SSN code leak via http - DLP
Credit card numbers leak via https - DLP + SSLi
Credit card numbers leak via http - DLP
Source code (C) leak via https - DLP + SSLi
Source code (C) leak via http - DLP
SSH private key leak via https - DLP + SSLi
SSH private key leak via http - DLP
Not all protections are covered by the default configuration or the default signatures! Several of the tests above need explicit tuning, which is described per test below.
For every SSL/HTTPS test, HTTPS Inspection must be configured on the gateway; without it the traffic is forwarded encrypted and none of the blades can inspect it.
Configuration for Check Point
Set up a basic installation following the documentation here.
Make sure to activate the blades according to the mapping at the beginning of the article, as follows:
For complete coverage you need an NGTX license plus a separate DLP license (DLP is not included in the NGTP/NGTX packages).
To pass the checks for HTTPS websites, HTTPS Inspection must be configured first.
References:
Best Practices - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202
HTTPSi FAQ - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65123
Select the Gateway and navigate to the HTTPS Inspection tab. Enable the HTTPS Inspection check box and export the certificate. This certificate must be imported into the Trusted Root Certification Authorities store, either centrally via Active Directory Group Policy or on each local host; otherwise every inspected site will raise a certificate warning in the browser. Distribute only the public CA certificate, never the export that contains the CA private key: anyone holding that key can impersonate any HTTPS site to your users. For browsers that keep their own certificate store (Firefox, for example) the procedure is a bit different and will be discussed in a dedicated article.
Once HTTPS Inspection is active, open the certificate of any HTTPS site reached through the Security Gateway. Its issuer should be the gateway's HTTPS Inspection CA rather than the site's original public CA. If the original issuer is still shown, the connection was not inspected (for example because it matched a bypass rule), and the HTTPS tests will not be caught.
Inspection Certificate versus Original Certificate.
Mitigation for Specific Tests
Network Access Protection - NGFW
Data Encryption
Online Privacy
Malware Protection
Data Protection
Data Loss Prevention Blade - Prerequisite
Go to Gateway Properties and make sure Data Loss Prevention is active and enabled.
Note: the DLP license is not part of the basic NGTP/NGTX packages and needs to be acquired separately.
Make sure DLP is active for HTTP and HTTPS (HTTPS additionally requires HTTPS Inspection, as configured above).
Note: you may also need to check SmartDashboard → Additional Settings → Protocols and make sure HTTP is enabled.
SSN codes leak via https
SSN codes leak via http
Go to Security Policies > Shared Policies > DLP > Open DLP Policy in SmartConsole
Local Country SSN code leak via https
Local Country SSN code leak via http
Go to Security Policies > Shared Policies > DLP > Open DLP Policy in SmartConsole
Also edit the Data Type: set Number of occurrences to 3, so the rule triggers when three or more matching numbers appear in one transmission rather than on a single hit.
Credit card numbers leak via https
Credit card numbers leak via http
Go to Security Policies > Shared Policies > DLP > Open DLP Policy in SmartConsole
Source code (C) leak via https
Source code (C) leak via http
Go to Security Policies > Shared Policies > DLP > Open DLP Policy in SmartConsole
SSH private key leak via https
SSH private key leak via http
Go to Security Policies > Shared Policies > DLP > Open DLP Policy in SmartConsole
You may also need to define a regular-expression (Pattern) data type matching the RSA private key header, so that keys pasted into a form body, rather than uploaded as a file, are caught as well.
Exported Data Type File:
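To sanity-check what the DLP rules above should and should not catch before installing the policy, here is an added example (not Check Point code, and not the exported Data Type file) that approximates the three data types used in the Data Protection tests: SSN with the "Number of occurrences = 3" threshold, credit card numbers with a Luhn check, and a regex for private keys pasted as text. The regular expressions are assumptions about what the built-in data types match, the sample request bodies are constructed test data, and the base64 under the key header is a placeholder, not a real key.

```python
import re
from typing import Dict, List

# Added example, not Check Point code. The patterns approximate what the DLP
# data types used above match, so a rule can be sanity-checked against sample
# bodies before the policy is installed. They are assumptions, not Check Point's.

# US SSN: AAA-GG-SSSS; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13-19 digits, optionally separated by single spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Private key headers in a request body (pasted text, not an uploaded file):
# PEM (RSA/DSA/EC/ENCRYPTED), OpenSSH and PuTTY formats.
PRIVKEY_RE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )?PRIVATE KEY-----|PuTTY-User-Key-File-\d")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ssns(body: str) -> List[str]:
    return SSN_RE.findall(body)


def find_cards(body: str) -> List[str]:
    """Return candidate card numbers (separators removed) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(body):
        pan = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(pan) <= 19 and luhn_ok(pan):
            hits.append(pan)
    return hits


def find_private_keys(body: str) -> List[str]:
    return PRIVKEY_RE.findall(body)


def classify(body: str, ssn_min_occurrences: int = 3) -> Dict[str, bool]:
    """Which data types the body would trigger.

    The SSN data type only fires at ssn_min_occurrences hits, mirroring the
    'Number of occurrences = 3' setting above; the others fire on a single hit.
    """
    return {
        "ssn": len(find_ssns(body)) >= ssn_min_occurrences,
        "credit_card": bool(find_cards(body)),
        "ssh_private_key": bool(find_private_keys(body)),
    }


# Constructed sample request bodies (test data, not real personal data or keys).
SAMPLE_SSN_LEAK = (
    "Payroll export: 078-05-1120, 219-09-9999, 457-55-5462; "
    "ticket 987-65-4321 is not a valid SSN (9xx area)."
)
SAMPLE_CARD_LEAK = (
    "Card 4111 1111 1111 1111 exp 12/29; "
    "invoice 4111111111111112 is only a reference number (fails Luhn)."
)
SAMPLE_KEY_LEAK = (
    "pasted into a web form:\n"
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ==\n"   # placeholder, not a key
    "-----END OPENSSH PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, body in [("ssn", SAMPLE_SSN_LEAK), ("card", SAMPLE_CARD_LEAK), ("key", SAMPLE_KEY_LEAK)]:
        print(name, classify(body))
```

Run it as is to see which sample triggers which data type; then paste a body from the actual test into one of the sample strings. A body with a single SSN stays below the occurrence threshold, a 16-digit reference number that fails Luhn is not reported as a card, and the key regex fires on the header alone, so a key pasted into a text field is caught even though no file is uploaded.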