Requirements document
Security CheckUP Threat Analysis Report Overview
A Check Point Security CheckUP report is a comprehensive security analysis report based on data within your organisation. It automatically integrates security events from different Software Blades: Application Control, URL Filtering, IPS, Anti-Virus, Anti-Bot, DLP and Threat Emulation.
The Security CheckUP Report accentuates Check Point Added Value, exposing security risks and suggesting remediation. When a Check Point Security Gateway runs in a PoC environment, inline or Mirror Port, we gain an insight into the activity on the network and will generate logs and security events for the activated Software Blades. The report gives a comprehensive security analysis that summarizes security events, their risks, and their remediation actions.
Further information can be found here -
Technical Overview
From a technical perspective there are two elements in the architecture which are required to generate a Security CheckUP report. The first is the security gateway, which receives a copy of the traffic and generates logs, and the second is the management server which correlates the logs and produces the report. These functions can be consolidated on the same hardware for smaller implementations, or separated out on multiple platforms for larger implementations. These appliances are provided by Check Point or their partners.
The gateway can be set up ‘in-line’ but is more commonly connected to a mirror port in the infrastructure and, as such, receives a copy of the live production traffic. In this way we can guarantee that live traffic is not interfered with and that no changes need to be made to the network topology.
Security CheckUP Report Software Blade Options
Check Point have the capability of running the Security CheckUP report against the following software blade technologies.
Anti-Bot - detects bot-infected machines, prevents bot damage by blocking bot C&C communications, and is continually updated from ThreatCloud™
Anti-Virus - uses real-time virus signatures and anomaly-based protections to detect and block malware at the gateway.
Application Control - provides the industry's strongest application security and identity control to organizations of all sizes.
URL filtering - provides optimized web security through full integration in the gateway.
Intrusion Prevention System - delivers complete and proactive intrusion prevention.
Data Loss Prevention - combines technology and processes to revolutionize Data Loss Prevention (DLP), helping businesses to pre-emptively protect sensitive information.
Threat Emulation - prevents infections from undiscovered exploits, zero-day and targeted attacks.
We can also use identity logging to capture user account and identity information that can then be correlated with logged activity.
We will also be running the following management functions.
Smart Management
Smart Event
Smart Reporter
Confidentiality
Check Point will ensure that no data pertaining to your environment will leave your site. Check Point do use an external internet connection for cloud-based lookups, security and URL categorization, and for downloading updates to the various threat and application databases associated with the next-generation features of the security gateway.
The Security CheckUP Report is usually generated on site by Check Point or their partners, and the device can then be wiped before leaving site, ensuring no data leaves site. If stricter controls on the data are required, this can usually be accommodated. Check Point will discuss the findings of the report with the customer at a later date and, for this purpose, Check Point would keep a copy of the report. This information would not be shared with anyone outside of Check Point and the relevant partner.
As an alternative to the on-premise report, Check Point can also offer a cloud-based report service. In this scenario the on-site gateway appliance would send its logs via an encrypted channel to the Check Point cloud, and after a pre-determined period of time the report would be generated off site.
Technical Requirements
For the Security CheckUP report to operate properly in the environment, the following technical requirements need to be met.
Contactable external DNS addresses and external DNS resolution
To properly classify traffic with Application Control, URL Filtering, and Anti-Bot, the Security Gateway will need access (either directly or via proxy) to the following hosts, which are hosted at Akamai:
The IP addresses behind these hostnames vary by location, so both the gateway and the gateway management must be able to resolve DNS rather than rely on fixed IP allow-lists.
| Hostname (IP varies based on location) | Protocol | From | Used For (Version) |
|---|---|---|---|
| [hostname not present in this copy] | http | Gateway | 1. Social Media Widget Detection (R75+); 2. URL Filtering Cloud Categorization (R75.20+); 3. Bot Detection (R75.40+); 4. Virus Detection (R75.40+) |
| [hostname not present in this copy] | https | Gateway | All Services / Updates (R75+) |
| [hostname not present in this copy] | https | Gateway Management | Contract Entitlement for all services (R75+); Download Service Updates (R70+) |
| [hostname not present in this copy] | https | Gateway | Contract Entitlement for IPS (R70+) |
| [hostname not present in this copy] | https | Gateway Management | Download Service Updates (R70+) |
| [hostname not present in this copy] | http | Gateway | Suspicious Mail Outbreaks (R75.40+) |
WMI Subscription to the DC
If you require the visibility of having usernames attributed to tracked actions in the logs instead of IP addresses, the gateway management server will need to subscribe to WMI logs on the domain controller. In order to do so, connectivity to the DC will need to be established and authentication credentials provided to the management server.
Check Point do not require an agent installation on the AD server and do not continuously request data. Once the WMI subscription is in place, AD pushes WMI events to the CheckUP appliance.
Gateway and Management Communications
In order for the management server to be able to receive logs from the gateway, the gateway needs to be able to communicate with the management server on port 257. This does not need to be built into the gateway firewall policy but needs to be considered if there are other firewalls between the gateway and management.
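The three connectivity requirements above (DNS resolution and HTTP/HTTPS reachability for the Akamai-hosted update and categorization hosts, management-to-DC connectivity for the WMI subscription, and gateway-to-management on port 257) are the usual things that fail on the day the appliance is racked. The pre-flight checker below is an added example, not Check Point's code or tooling, that a deployment engineer could run from each appliance's vantage point before the PoC starts. The `*.example` hostnames and `*-PLACEHOLDER` addresses are constructed stand-ins because this copy of the document does not reproduce the real hostnames; the use of TCP 135 as a first-hop test for WMI is an assumption based on DCOM's RPC endpoint mapper, which the document does not state. Resolver and connector functions are injectable so the logic can be exercised offline.

```python
"""Pre-flight connectivity checker for a Security CheckUP deployment (added example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Requirement:
    source: str          # "gateway" or "management": which appliance originates the connection
    host: str            # hostname or IP literal
    port: int
    purpose: str
    external: bool = True  # internet-facing (may go via proxy) vs. internal LAN path


# Constructed placeholder list. The Check Point hostnames are not reproduced in this
# copy of the document; replace the *.example names and *-PLACEHOLDER addresses
# with the real values from the requirements table before running on site.
REQUIREMENTS: List[Requirement] = [
    Requirement("gateway", "categorization-host.example", 80, "URL categorization / bot / virus lookups"),
    Requirement("gateway", "updates-host.example", 443, "all services / updates"),
    Requirement("management", "entitlement-host.example", 443, "contract entitlement / service updates"),
    Requirement("gateway", "MGMT-IP-PLACEHOLDER", 257, "log forwarding to the management server", external=False),
    # Assumption: WMI over DCOM starts with the RPC endpoint mapper on TCP 135 (dynamic
    # ports follow). The document only says "connectivity to the DC"; 135 is a first-hop test.
    Requirement("management", "DC-IP-PLACEHOLDER", 135, "WMI subscription to the domain controller", external=False),
]

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int], bool]


def default_resolve(host: str) -> List[str]:
    """Resolve through the OS resolver; IP literals pass straight through unchanged."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
        return sorted({ai[4][0] for ai in infos})
    except socket.gaierror:
        return []


def default_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test: a completed handshake means the path is open through any middleboxes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_requirement(req: Requirement, proxy: Optional[Tuple[str, int]],
                      resolve: Resolver, connect: Connector) -> str:
    """Return 'ok', 'dns_fail', 'connect_fail' or 'proxy_fail' for one requirement."""
    if req.external and proxy is not None:
        # Via a proxy the appliance never resolves or connects to the external host itself:
        # the proxy does the lookup, so the only thing to verify locally is the proxy path.
        phost, pport = proxy
        return "ok" if connect(phost, pport) else "proxy_fail"
    addrs = resolve(req.host)
    if not addrs:
        return "dns_fail"
    # Any reachable address is enough; CDN-hosted names legitimately return several.
    return "ok" if any(connect(a, req.port) for a in addrs) else "connect_fail"


def run_preflight(requirements: Sequence[Requirement], proxy: Optional[Tuple[str, int]] = None,
                  resolve: Resolver = default_resolve, connect: Connector = default_connect) -> Dict[str, str]:
    """Key each result by 'source host:port' so the report is easy to read and to assert on."""
    return {f"{r.source} {r.host}:{r.port}": check_requirement(r, proxy, resolve, connect)
            for r in requirements}


def blocking_failures(results: Dict[str, str]) -> List[str]:
    """Sorted list of requirement keys that did not pass; empty means the site is ready."""
    return sorted(key for key, status in results.items() if status != "ok")


if __name__ == "__main__":
    # Real run: uses the OS resolver and live TCP connects from wherever this is executed.
    for key, status in run_preflight(REQUIREMENTS).items():
        print(f"{status:<13} {key}")
```

Run the script once from the gateway's network position and once from the management server's, since the two appliances have different requirements (the gateway needs the categorization and update hosts plus port 257 towards management; management needs the entitlement host and the DC). Pass `proxy=(ip, port)` when the customer supplies a proxy, and note that internal paths such as port 257 are still tested directly because a web proxy does not carry them.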
Diagram
Below is a typical on-site, standalone deployment layout.
Check Point Responsibilities
Check Point will be responsible for:
· Delivery and collection of the hardware to and from site.
· Providing the hardware for the Security CheckUP report.
· Configuring the Check Point appliance software and building the necessary policies.
· Generating the report.
· Destruction of confidential data on the appliances.
· Work with you to establish where on the network the appliance should sit for maximum results and which port in your environment should be mirrored. This is generally the egress interface of the main external switch so we would see outgoing SMTP and HTTP traffic.
Customer responsibilities
The customer would be responsible for:
· Completing the customer agreement form and returning it to Check Point.
· Provisioning a mirror port at an appropriate point in the network.
· Provisioning a switch port, IP address and routing information (such as the default gateway) for each Check Point appliance so that they are able to connect to the internet and receive updates.
· Assisting with establishing communication between the Check Point appliances if, for example, there is a NAT device or firewall between them.
· Racking and cabling the Check Point appliances at the appropriate locations.
· If Identity Awareness is required, entering AD admin credentials into the management appliance.
· Providing information on internal domains and networks for the DLP policy.
· Attending a follow-up meeting where the findings of the report can be discussed with Check Point representatives.
Technical Requirements to be completed by the customer
| Item | Management (or Mgmt/GW in standalone) | Gateway (not required in standalone) |
|---|---|---|
| IP Address / DHCP | | |
| Default route | | |
| Network | | |
| Link speed – 10/100/1000/Auto | | |
| Primary DNS | | |
| Secondary DNS | | |
| Proxy IP and Port | | |
| External DNS Access confirmed | | |
| Mirror port provisioned | | |
| Software Blade | Select blades for Security CheckUP report | Additional information required / Required information |
|---|---|---|
| Anti-Bot | | None required |
| Anti-Virus | | None required |
| App Control | | None required |
| URL Filtering | | None required |
| IPS | | None required |
| DLP | | Please provide all internal network subnet IPs and internal email domain names |
| Identity Logging | | Please provide: AD Server IP addresses; Domain; AD Account Name; AD Account Password |
©2014 Check Point Software Technologies Ltd. All rights reserved.
Classification: [Confidential] For Check Point users and approved third parties | P. 5